RubyGems - brakeman-lib - Versions diffs - 5.0.0 → 5.0.1 - Diffend - OSS supply chain security and management platform

Files changed (11) hide show

checksums.yaml +4 -4
data/CHANGES.md +9 -0
data/README.md +10 -1
data/lib/brakeman.rb +11 -4
data/lib/brakeman/checks/check_mass_assignment.rb +4 -6
data/lib/brakeman/parsers/template_parser.rb +24 -0
data/lib/brakeman/processors/alias_processor.rb +21 -10
data/lib/brakeman/processors/base_processor.rb +4 -4
data/lib/brakeman/processors/lib/rails4_config_processor.rb +2 -1
data/lib/brakeman/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 59808cb56d2701ba4806eaf3e8fdaa70e3b15d3578badb1a93177ae60a03fe16
-  data.tar.gz: d74f4ffa7620d6ae48cddc85ad661548c6c21fa807306a987e31343990e33a09
+  metadata.gz: d3dc2339132662438de0f96b04c56b445ba69e60ca3e0b58db4c1e3e803e6c1b
+  data.tar.gz: c1b340eb481e9b182f4bed44d709656fde4405a04bc11c63681b06ad0fa4ec6c
 SHA512:
-  metadata.gz: 1319c8e5a981305d8ab91885a9edfe475240014e7f3e19d2f4e24da8eabc0c0cf355cd8ef387091291dd4a7d3a29fc35309531e6edce6606100b5a7c48f24b64
-  data.tar.gz: 02356cced5a4aaae709a3f237319af4bf4f511224762c41bb61d1130813385d27e922722771d037ef1773271db642431be689f249b72396f7800730606ad3ba3
+  metadata.gz: fc6e90801ce54677dc85db3c6d0b1b70414462cb54629e4af369007ac5477e0f7f31bafebea54a0120a0f3316a582686e65a9ad4851c51ea50e531f3b8936bb2
+  data.tar.gz: 4c0184c78d871d814d5a098526d785bdd62efc2a898bbbc0c3f2d71af6fd4250cfe9ed5e49fe8c42b3c84d93887ebca71729a3d934f324a93df6652d276ba307

data/CHANGES.md CHANGED Viewed

@@ -1,3 +1,12 @@
+# 5.0.1 - 2021-04-27
+* Detect `::Rails.application.configure` too
+* Set more line numbers on Sexps
+* Support loading `slim/smart`
+* Don't fail if $HOME/$USER are not defined
+* Always ignore slice/only calls for mass assignment
+* Convert splat array arguments to arguments
 # 5.0.0 - 2021-01-26
 * Ignore `uuid` as a safe attribute

data/README.md CHANGED Viewed

@@ -159,7 +159,16 @@ The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and
 # Configuration files
-Brakeman options can stored and read from YAML files. To simplify the process of writing a configuration file, the `-C` option will output the currently set options.
+Brakeman options can be stored and read from YAML files.
+To simplify the process of writing a configuration file, the `-C` option will output the currently set options:
+```sh
+$ brakeman -C --skip-files plugins/
+---
+:skip_files:
+- plugins/
+```
 Options passed in on the commandline have priority over configuration files.

data/lib/brakeman.rb CHANGED Viewed

@@ -157,10 +157,17 @@ module Brakeman
     end
   end
-  CONFIG_FILES = [
-    File.expand_path("~/.brakeman/config.yml"),
-    File.expand_path("/etc/brakeman/config.yml")
-  ]
+  CONFIG_FILES = begin
+                   [
+                     File.expand_path("~/.brakeman/config.yml"),
+                     File.expand_path("/etc/brakeman/config.yml")
+                   ]
+                 rescue ArgumentError
+                   # In case $HOME or $USER aren't defined for use of `~`
+                   [
+                     File.expand_path("/etc/brakeman/config.yml")
+                   ]
+                 end
   def self.config_file custom_location, app_path
     app_config = File.expand_path(File.join(app_path, "config", "brakeman.yml"))

data/lib/brakeman/checks/check_mass_assignment.rb CHANGED Viewed

@@ -69,17 +69,15 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
     if check and original? res
       model = tracker.models[res[:chain].first]
       attr_protected = (model and model.attr_protected)
+      first_arg = call.first_arg
       if attr_protected and tracker.options[:ignore_attr_protected]
         return
+      elsif call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
+        return
       elsif input = include_user_input?(call.arglist)
-        first_arg = call.first_arg
-        if call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
-          return
-        elsif not node_type? first_arg, :hash
+        if not node_type? first_arg, :hash
           if attr_protected
             confidence = :medium
           else

data/lib/brakeman/parsers/template_parser.rb CHANGED Viewed

@@ -9,6 +9,7 @@ module Brakeman
     def initialize tracker, file_parser
       @tracker = tracker
       @file_parser = file_parser
+      @slim_smart = nil # Load slim/smart ?
     end
     def parse_template path, text
@@ -88,6 +89,14 @@ module Brakeman
     def parse_slim path, text
       Brakeman.load_brakeman_dependency 'slim'
+      if @slim_smart.nil? and load_slim_smart?
+        @slim_smart = true
+        Brakeman.load_brakeman_dependency 'slim/smart'
+      else
+        @slim_smart = false
+      end
       require_relative 'slim_embedded'
       Slim::Template.new(path,
@@ -95,6 +104,21 @@ module Brakeman
                          :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
     end
+    def load_slim_smart?
+      return !@slim_smart unless @slim_smart.nil?
+      # Terrible hack to find
+      #   gem "slim", "~> 3.0.1", require: ["slim", "slim/smart"]
+      if tracker.app_tree.exists? 'Gemfile'
+        gemfile_contents = tracker.app_tree.file_path('Gemfile').read
+        if gemfile_contents.include? 'slim/smart'
+          return true
+        end
+      end
+      false
+    end
     def self.parse_inline_erb tracker, text
       fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
       tp = self.new(tracker, fp)

data/lib/brakeman/processors/alias_processor.rb CHANGED Viewed

@@ -183,6 +183,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       return exp
     end
+    # If x(*[1,2,3]) change to x(1,2,3)
+    # if that's the only argument
+    if splat_array? exp.first_arg and exp.second_arg.nil?
+      exp.arglist = exp.first_arg[1].sexp_body
+    end
     target = exp.target
     method = exp.method
     first_arg = exp.first_arg
@@ -195,11 +201,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       res = process_or_simple_operation(exp)
       return res if res
     elsif target == ARRAY_CONST and method == :new
-      return Sexp.new(:array, *exp.args)
+      return Sexp.new(:array, *exp.args).line(exp.line)
     elsif target == HASH_CONST and method == :new and first_arg.nil? and !node_type?(@exp_context.last, :iter)
-      return Sexp.new(:hash)
+      return Sexp.new(:hash).line(exp.line)
     elsif exp == RAILS_TEST or exp == RAILS_DEV
-      return Sexp.new(:false)
+      return Sexp.new(:false).line(exp.line)
     end
     #See if it is possible to simplify some basic cases
@@ -237,7 +243,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
-        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
+        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2)).line(exp.line)
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
@@ -288,7 +294,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   # Painful conversion of Array#join into string interpolation
   def process_array_join array, join_str
-    result = s()
+    result = s().line(array.line)
     join_value = if string? join_str
                    join_str.value
@@ -326,11 +332,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     result.unshift combined_first
     # Have to fix up strings that follow interpolation
-    result.reduce(s(:dstr)) do |memo, e|
+    result.reduce(s(:dstr).line(array.line)) do |memo, e|
       if string? e and node_type? memo.last, :evstr
         e.value = "#{join_value}#{e.value}"
       elsif join_value and node_type? memo.last, :evstr and node_type? e, :evstr
-        memo << s(:str, join_value)
+        memo << s(:str, join_value).line(e.line)
       end
       memo << e
@@ -341,9 +347,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     if item.is_a? String
       "#{item}#{join_value}"
     elsif string? item or symbol? item or number? item
-      s(:str, "#{item.value}#{join_value}")
+      s(:str, "#{item.value}#{join_value}").line(item.line)
     else
-      s(:evstr, item)
+      s(:evstr, item).line(item.line)
     end
   end
@@ -359,6 +365,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     s(:call, TEMP_FILE_CLASS, :new).line(line)
   end
+  def splat_array? exp
+    node_type? exp, :splat and
+      node_type? exp[1], :array
+  end
   def process_iter exp
     @exp_context.push exp
     exp[1] = process exp.block_call
@@ -679,7 +690,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         end
       end
     else
-      new_value = process s(:call, s(:call, target_var, :[], index), exp[3], value)
+      new_value = process s(:call, s(:call, target_var, :[], index), exp[3], value).line(exp.line)
       env[match] = new_value
     end

data/lib/brakeman/processors/base_processor.rb CHANGED Viewed

@@ -8,7 +8,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   include Brakeman::SafeCallHelper
   include Brakeman::Util
-  IGNORE = Sexp.new :ignore
+  IGNORE = Sexp.new(:ignore).line(0)
   #Return a new Processor.
   def initialize tracker
@@ -216,7 +216,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   #
   #And also :layout for inside templates
   def find_render_type call, in_view = false
-    rest = Sexp.new(:hash)
+    rest = Sexp.new(:hash).line(call.line)
     type = nil
     value = nil
     first_arg = call.first_arg
@@ -236,7 +236,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
       end
     elsif first_arg.is_a? Symbol or first_arg.is_a? String
       type = :action
-      value = Sexp.new(:lit, first_arg.to_sym)
+      value = Sexp.new(:lit, first_arg.to_sym).line(call.line)
     elsif first_arg.nil?
       type = :default
     elsif not hash? first_arg
@@ -293,6 +293,6 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     @tracker.processor.process_template(template_name, ast, type, nil, @current_file)
     @tracker.processor.process_template_alias(@tracker.templates[template_name])
-    return s(:lit, template_name), options
+    return s(:lit, template_name).line(value.line), options
   end
 end

data/lib/brakeman/processors/lib/rails4_config_processor.rb CHANGED Viewed

@@ -2,10 +2,11 @@ require 'brakeman/processors/lib/rails3_config_processor'
 class Brakeman::Rails4ConfigProcessor < Brakeman::Rails3ConfigProcessor
   APPLICATION_CONFIG = s(:call, s(:call, s(:const, :Rails), :application), :configure)
+  ALT_APPLICATION_CONFIG = s(:call, s(:call, s(:colon3, :Rails), :application), :configure)
   # Look for Rails.application.configure do ... end
   def process_iter exp
-    if exp.block_call == APPLICATION_CONFIG
+    if exp.block_call == APPLICATION_CONFIG or exp.block_call == ALT_APPLICATION_CONFIG
       @inside_config = true
       process exp.block if sexp? exp.block
       @inside_config = false

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.0.0"
+  Version = "5.0.1"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 5.0.0
+  version: 5.0.1
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-01-27 00:00:00.000000000 Z
+date: 2021-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest

brakeman-lib 5.0.0 → 5.0.1