brakeman-lib 4.8.0 → 4.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 34099e8abef9a4c7108905ea8d956d01afbb6037cab597d2ad0beab8790a9060
-  data.tar.gz: 982be6bfad0eef60f17627001fef1873bad5a23eef76f687ea434d23773ba9b4
+  metadata.gz: a2e421e421971f6309de15b50d5305a37acf839e4023cd5b976cfb644f62b635
+  data.tar.gz: cb219b5f4cac1dd286e88b6048dd675adb062be8d273d960364f830ed3fa9493
 SHA512:
-  metadata.gz: ce68529ca660b85d86b9569b4f8ddfe41c4b7b3bc724d1afc9860f91fa0a945eb473bbd5bb83b4c9d8e61ac6255ab0b11a42878921671a03a0964d2440912178
-  data.tar.gz: 1fbd104e129d5fce136d4c4984296a7daa6c88ffd8f22edbb576613cb6519547676f38364a2f728dcc2c9a322119d0024ae845baf7383ecf38b43038e9e129c6
+  metadata.gz: b7f76e5da87ef345f47de2a8c489e94f07ba5892a5ab796d9cc5ad147036d599d273d1b339e126ed4f6288efd1b6bfa3a77201787afbcbf83b0279acb6a57459
+  data.tar.gz: 1544f86037df9fd49e3674c7bd39b4eec1f1e41378078a6077647506f7ba257db4aaa48191df5b8c11c736bc44ac054fc0e96e6b67d21e155977a2f8b7ce44f0

data/CHANGES.md

@@ -1,4 +1,11 @@
-# Unreleased
+# 4.8.1 - 2020-04-06
+
+* Check SQL query strings using `String#strip` or `String.squish`
+* Handle non-symbol keys in locals hash for render()
+* Warn about global(!) mass assignment
+* Index calls in render arguments
+
+# 4.8.0 - 2020-02-18 
 
 * Add JUnit-XML report format (Naoki Kimura)
 * Sort ignore files by fingerprint and line (Ngan Pham)

data/README.md

@@ -74,12 +74,16 @@ To specify an output file for the results:
 
     brakeman -o output_file
 
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `markdown`, `csv`, and `codeclimate`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, and `codeclimate`.
 
 Multiple output files can be specified:
 
     brakeman -o output.html -o output.json
 
+To output to both a file and to the console, with color:
+
+    brakeman --color -o /dev/stdout -o output.json
+
 To suppress informational warnings and just output the report:
 
     brakeman -q
@@ -167,6 +171,8 @@ There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenk
 
 For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
 
+There are a couple [Github Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
+
 # Building
 
     git clone git://github.com/presidentbeef/brakeman.git

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -17,6 +17,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   def run_check
     check_mass_assignment
     check_permit!
+    check_permit_all_parameters
   end
 
   def find_mass_assign_calls
@@ -193,4 +194,18 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
       :message => "Parameters should be whitelisted for mass assignment",
       :confidence => confidence
   end
+
+  def check_permit_all_parameters
+    tracker.find_call(target: :"ActionController::Parameters", method: :permit_all_parameters=).each do |result|
+      call = result[:call]
+
+      if true? call.first_arg
+        warn :result => result,
+          :warning_type => "Mass Assignment",
+          :warning_code => :mass_assign_permit_all,
+          :message => "Parameters should be whitelisted for mass assignment",
+          :confidence => :high
+      end
+    end
+  end
 end

data/lib/brakeman/checks/check_sql.rb

@@ -393,7 +393,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     nil
   end
 
-  TO_STRING_METHODS = [:to_s, :strip_heredoc]
+  TO_STRING_METHODS = [:to_s, :squish, :strip, :strip_heredoc]
 
   #Returns value if interpolated value is not something safe
   def unsafe_string_interp? exp

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -89,7 +89,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Calls to render() are converted to s(:render, ...) but we would
   #like them in the call cache still for speed
   def process_render exp
-    process exp.last if sexp? exp.last
+    process_all exp
 
     add_simple_call :render, exp
 

data/lib/brakeman/processors/lib/render_helper.rb

@@ -98,7 +98,9 @@ module Brakeman::RenderHelper
 
       if hash? options[:locals]
         hash_iterate options[:locals] do |key, value|
-          template_env[Sexp.new(:call, nil, key.value)] = value
+          if symbol? key
+            template_env[Sexp.new(:call, nil, key.value)] = value
+          end
         end
       end
 

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.8.0"
+  Version = "4.8.1"
 end

data/lib/brakeman/warning_codes.rb

@@ -113,6 +113,7 @@ module Brakeman::WarningCodes
     :force_ssl_disabled => 109,
     :unsafe_cookie_serialization => 110,
     :reverse_tabnabbing => 111,
+    :mass_assign_permit_all => 112,
     :custom_check => 9090,
   }
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.8.0
+  version: 4.8.1
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-18 00:00:00.000000000 Z
+date: 2020-04-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -406,7 +406,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.