brakeman-lib 4.4.0 → 4.7.0

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.4.0"
+  Version = "4.7.0"
 end

data/lib/brakeman/warning.rb

@@ -9,7 +9,7 @@ class Brakeman::Warning
     :line, :method, :model, :template, :user_input, :user_input_type,
     :warning_code, :warning_set, :warning_type
 
-  attr_accessor :code, :context, :file, :message, :relative_path
+  attr_accessor :code, :context, :file, :message
 
   TEXT_CONFIDENCE = {
     0 => "High",
@@ -34,11 +34,11 @@ class Brakeman::Warning
     :file => :@file,
     :gem_info => :@gem_info,
     :line => :@line,
+    :link => :@link,
     :link_path => :@link_path,
     :message => :@message,
     :method => :@method,
     :model => :@model,
-    :relative_path => :@relative_path,
     :template => :@template,
     :user_input => :@user_input,
     :warning_set => :@warning_set,
@@ -100,9 +100,11 @@ class Brakeman::Warning
     unless @warning_set
       if self.model
         @warning_set = :model
+        @file ||= self.model.file
       elsif self.template
         @warning_set = :template
         @called_from = self.template.render_path
+        @file ||= self.template.file
       elsif self.controller
         @warning_set = :controller
       else
@@ -112,6 +114,8 @@ class Brakeman::Warning
 
     if options[:warning_code]
       @warning_code = Brakeman::WarningCodes.code options[:warning_code]
+    else
+      @warning_code = nil
     end
 
     Brakeman.debug("Warning created without warning code: #{options[:warning_code]}") unless @warning_code
@@ -221,7 +225,7 @@ class Brakeman::Warning
     when :template
       @row["Template"] = self.view_name.to_s
     when :model
-      @row["Model"] = self.model.to_s
+      @row["Model"] = self.model.name.to_s
     when :controller
       @row["Controller"] = self.controller.to_s
     when :warning
@@ -235,7 +239,7 @@ class Brakeman::Warning
   def to_s
    output =  "(#{TEXT_CONFIDENCE[self.confidence]}) #{self.warning_type} - #{self.message}"
    output << " near line #{self.line}" if self.line
-   output << " in #{self.file}" if self.file
+   output << " in #{self.file.relative}" if self.file
    output << ": #{self.format_code}" if self.code
 
    output
@@ -247,37 +251,47 @@ class Brakeman::Warning
     warning_code_string = sprintf("%03d", @warning_code)
     code_string = @code.inspect
 
-    Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{@relative_path}#{self.confidence}").to_s
+    Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{self.file.relative}#{self.confidence}").to_s
   end
 
   def location include_renderer = true
     case @warning_set
     when :template
-      location = { :type => :template, :template => self.view_name(include_renderer) }
+      { :type => :template, :template => self.view_name(include_renderer) }
     when :model
-      location = { :type => :model, :model => self.model }
+      { :type => :model, :model => self.model.name }
     when :controller
-      location = { :type => :controller, :controller => self.controller }
+      { :type => :controller, :controller => self.controller }
     when :warning
       if self.class
-        location = { :type => :method, :class => self.class, :method => self.method }
+        { :type => :method, :class => self.class, :method => self.method }
       else
-        location = nil
+        nil
       end
     end
   end
 
-  def to_hash
+  def relative_path
+    self.file.relative
+  end
+
+  def to_hash absolute_paths: true
+    if self.called_from and not absolute_paths
+      render_path = self.called_from.with_relative_paths
+    else
+      render_path = self.called_from
+    end
+
     { :warning_type => self.warning_type,
       :warning_code => @warning_code,
       :fingerprint => self.fingerprint,
       :check_name => self.check.gsub(/^Brakeman::Check/, ''),
       :message => self.message.to_s,
-      :file => self.file,
+      :file => (absolute_paths ? self.file.absolute : self.file.relative),
       :line => self.line,
       :link => self.link,
       :code => (@code && self.format_code(false)),
-      :render_path => self.called_from,
+      :render_path => render_path,
       :location => self.location(false),
       :user_input => (@user_input && self.format_user_input(false)),
       :confidence => TEXT_CONFIDENCE[self.confidence]

data/lib/brakeman/warning_codes.rb

@@ -110,6 +110,10 @@ module Brakeman::WarningCodes
     :CVE_2018_8048 => 106,
     :CVE_2018_3741 => 107,
     :CVE_2018_3760 => 108,
+    :force_ssl_disabled => 109,
+    :unsafe_cookie_serialization => 110,
+    :reverse_tabnabbing => 111,
+    :custom_check => 9090,
   }
 
   def self.code name

data/lib/ruby_parser/bm_sexp.rb

@@ -40,7 +40,7 @@ class Sexp
       s.line(line)
     else
       s.original_line = self.original_line
-      s.line(self.line)
+      s.line(self.line) if self.line
     end
 
     s

data/lib/ruby_parser/bm_sexp_processor.rb

@@ -45,6 +45,7 @@ class Brakeman::SexpProcessor
     @expected            = Sexp
     @processors = self.class.processors
     @context    = []
+    @current_class = @current_module = @current_method = @visibility = nil
 
     if @processors.empty?
       public_methods.each do |name|

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.4.0
+  version: 4.7.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2019-01-17 00:00:00.000000000 Z
+date: 2019-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -25,20 +25,62 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest-ci
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: ruby_parser
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.12'
+        version: '3.13'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+- !ruby/object:Gem::Dependency
+  name: ruby_parser-legacy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.12'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: sexp_processor
   requirement: !ruby/object:Gem::Requirement
@@ -99,20 +141,14 @@ dependencies:
   name: highline
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.6.20
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.6.20
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
 - !ruby/object:Gem::Dependency
@@ -131,44 +167,18 @@ dependencies:
         version: '2.6'
 - !ruby/object:Gem::Dependency
   name: haml
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '3.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '5.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '3.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '5.0'
-- !ruby/object:Gem::Dependency
-  name: sass
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 3.5.0
+        version: '5.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 3.5.0
+        version: '5.1'
 - !ruby/object:Gem::Dependency
   name: slim
   requirement: !ruby/object:Gem::Requirement
@@ -210,6 +220,7 @@ files:
 - lib/brakeman/checks/check_basic_auth.rb
 - lib/brakeman/checks/check_basic_auth_timing_attack.rb
 - lib/brakeman/checks/check_content_tag.rb
+- lib/brakeman/checks/check_cookie_serialization.rb
 - lib/brakeman/checks/check_create_with.rb
 - lib/brakeman/checks/check_cross_site_scripting.rb
 - lib/brakeman/checks/check_default_routes.rb
@@ -224,6 +235,7 @@ files:
 - lib/brakeman/checks/check_file_access.rb
 - lib/brakeman/checks/check_file_disclosure.rb
 - lib/brakeman/checks/check_filter_skipping.rb
+- lib/brakeman/checks/check_force_ssl.rb
 - lib/brakeman/checks/check_forgery_setting.rb
 - lib/brakeman/checks/check_header_dos.rb
 - lib/brakeman/checks/check_i18n_xss.rb
@@ -249,6 +261,7 @@ files:
 - lib/brakeman/checks/check_render_dos.rb
 - lib/brakeman/checks/check_render_inline.rb
 - lib/brakeman/checks/check_response_splitting.rb
+- lib/brakeman/checks/check_reverse_tabnabbing.rb
 - lib/brakeman/checks/check_route_dos.rb
 - lib/brakeman/checks/check_safe_buffer_manipulation.rb
 - lib/brakeman/checks/check_sanitize_methods.rb
@@ -281,12 +294,15 @@ files:
 - lib/brakeman/commandline.rb
 - lib/brakeman/differ.rb
 - lib/brakeman/file_parser.rb
+- lib/brakeman/file_path.rb
 - lib/brakeman/format/style.css
 - lib/brakeman/messages.rb
 - lib/brakeman/options.rb
+- lib/brakeman/parsers/haml_embedded.rb
 - lib/brakeman/parsers/rails2_erubis.rb
 - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
 - lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/parsers/slim_embedded.rb
 - lib/brakeman/parsers/template_parser.rb
 - lib/brakeman/processor.rb
 - lib/brakeman/processors/alias_processor.rb
@@ -366,7 +382,7 @@ files:
 - lib/ruby_parser/bm_sexp_processor.rb
 homepage: http://brakemanscanner.org
 licenses:
-- CC-BY-NC-SA-4.0
+- Brakeman Public Use License
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -383,8 +399,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.8
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.