brakeman-lib 5.0.0 → 5.0.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 59808cb56d2701ba4806eaf3e8fdaa70e3b15d3578badb1a93177ae60a03fe16
4
- data.tar.gz: d74f4ffa7620d6ae48cddc85ad661548c6c21fa807306a987e31343990e33a09
3
+ metadata.gz: d3dc2339132662438de0f96b04c56b445ba69e60ca3e0b58db4c1e3e803e6c1b
4
+ data.tar.gz: c1b340eb481e9b182f4bed44d709656fde4405a04bc11c63681b06ad0fa4ec6c
5
5
  SHA512:
6
- metadata.gz: 1319c8e5a981305d8ab91885a9edfe475240014e7f3e19d2f4e24da8eabc0c0cf355cd8ef387091291dd4a7d3a29fc35309531e6edce6606100b5a7c48f24b64
7
- data.tar.gz: 02356cced5a4aaae709a3f237319af4bf4f511224762c41bb61d1130813385d27e922722771d037ef1773271db642431be689f249b72396f7800730606ad3ba3
6
+ metadata.gz: fc6e90801ce54677dc85db3c6d0b1b70414462cb54629e4af369007ac5477e0f7f31bafebea54a0120a0f3316a582686e65a9ad4851c51ea50e531f3b8936bb2
7
+ data.tar.gz: 4c0184c78d871d814d5a098526d785bdd62efc2a898bbbc0c3f2d71af6fd4250cfe9ed5e49fe8c42b3c84d93887ebca71729a3d934f324a93df6652d276ba307
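--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,12 @@
+# 5.0.1 - 2021-04-27
+
+* Detect `::Rails.application.configure` too
+* Set more line numbers on Sexps
+* Support loading `slim/smart`
+* Don't fail if $HOME/$USER are not defined
+* Always ignore slice/only calls for mass assignment
+* Convert splat array arguments to arguments
+
 # 5.0.0 - 2021-01-26
 
 * Ignore `uuid` as a safe attribute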
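--- a/data/README.md
+++ b/data/README.md
@@ -159,7 +159,16 @@ The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and
 
 # Configuration files
 
-Brakeman options can stored and read from YAML files. To simplify the process of writing a configuration file, the `-C` option will output the currently set options.
+Brakeman options can be stored and read from YAML files.
+
+To simplify the process of writing a configuration file, the `-C` option will output the currently set options:
+
+```sh
+$ brakeman -C --skip-files plugins/
+---
+:skip_files:
+- plugins/
+```
 
 Options passed in on the commandline have priority over configuration files.
 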
data/lib/brakeman.rb CHANGED
@@ -157,10 +157,17 @@ module Brakeman
157
157
  end
158
158
  end
159
159
 
160
- CONFIG_FILES = [
161
- File.expand_path("~/.brakeman/config.yml"),
162
- File.expand_path("/etc/brakeman/config.yml")
163
- ]
160
+ CONFIG_FILES = begin
161
+ [
162
+ File.expand_path("~/.brakeman/config.yml"),
163
+ File.expand_path("/etc/brakeman/config.yml")
164
+ ]
165
+ rescue ArgumentError
166
+ # In case $HOME or $USER aren't defined for use of `~`
167
+ [
168
+ File.expand_path("/etc/brakeman/config.yml")
169
+ ]
170
+ end
164
171
 
165
172
  def self.config_file custom_location, app_path
166
173
  app_config = File.expand_path(File.join(app_path, "config", "brakeman.yml"))
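Review bot: The `/etc/brakeman/config.yml` entry is now written twice, once in the `begin` branch and once in the `rescue ArgumentError` branch of `CONFIG_FILES`, so the two lists can silently drift apart, and only the `~` expansion on the first element is what the rescue exists for. Computing the user-level path on its own and appending the system path once keeps a single source of truth for each location and makes the fallback read as "no home directory" rather than "a different list". `self.config_file` at the end of the hunk continues outside it, so I have not checked how it consumes the constant.
```ruby
user_config = begin
  File.expand_path("~/.brakeman/config.yml")
rescue ArgumentError
  nil # $HOME or $USER aren't defined for use of `~`
end
CONFIG_FILES = [user_config, File.expand_path("/etc/brakeman/config.yml")].compact
```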
@@ -69,17 +69,15 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
69
69
  if check and original? res
70
70
 
71
71
  model = tracker.models[res[:chain].first]
72
-
73
72
  attr_protected = (model and model.attr_protected)
73
+ first_arg = call.first_arg
74
74
 
75
75
  if attr_protected and tracker.options[:ignore_attr_protected]
76
76
  return
77
+ elsif call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
78
+ return
77
79
  elsif input = include_user_input?(call.arglist)
78
- first_arg = call.first_arg
79
-
80
- if call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
81
- return
82
- elsif not node_type? first_arg, :hash
80
+ if not node_type? first_arg, :hash
83
81
  if attr_protected
84
82
  confidence = :medium
85
83
  else
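Review bot: The new early return on the `elsif call? first_arg and (first_arg.method == :slice or first_arg.method == :only)` line now runs before `include_user_input?(call.arglist)` is consulted, so the arguments given to `slice`/`only` are never inspected; a key list that is itself derived from request data is ignored exactly like a literal one, which widens the false-negative surface of the check compared to the previous placement under the user-input branch. If the intent is only to trust literal whitelists, and the check's helpers provide `symbol?`/`string?` as the alias processor in this same release does, tightening the guard to `elsif call? first_arg and (first_arg.method == :slice or first_arg.method == :only) and first_arg.args.all? { |a| symbol? a or string? a }` keeps the intended case while leaving the data-driven case to the existing branch. Either way the reason for trusting these two method names deserves a one-line comment above the `elsif`. The enclosing method begins before and ends after this hunk.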
@@ -9,6 +9,7 @@ module Brakeman
9
9
  def initialize tracker, file_parser
10
10
  @tracker = tracker
11
11
  @file_parser = file_parser
12
+ @slim_smart = nil # Load slim/smart ?
12
13
  end
13
14
 
14
15
  def parse_template path, text
@@ -88,6 +89,14 @@ module Brakeman
88
89
 
89
90
  def parse_slim path, text
90
91
  Brakeman.load_brakeman_dependency 'slim'
92
+
93
+ if @slim_smart.nil? and load_slim_smart?
94
+ @slim_smart = true
95
+ Brakeman.load_brakeman_dependency 'slim/smart'
96
+ else
97
+ @slim_smart = false
98
+ end
99
+
91
100
  require_relative 'slim_embedded'
92
101
 
93
102
  Slim::Template.new(path,
@@ -95,6 +104,21 @@ module Brakeman
95
104
  :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
96
105
  end
97
106
 
107
+ def load_slim_smart?
108
+ return !@slim_smart unless @slim_smart.nil?
109
+
110
+ # Terrible hack to find
111
+ # gem "slim", "~> 3.0.1", require: ["slim", "slim/smart"]
112
+ if tracker.app_tree.exists? 'Gemfile'
113
+ gemfile_contents = tracker.app_tree.file_path('Gemfile').read
114
+ if gemfile_contents.include? 'slim/smart'
115
+ return true
116
+ end
117
+ end
118
+
119
+ false
120
+ end
121
+
98
122
  def self.parse_inline_erb tracker, text
99
123
  fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
100
124
  tp = self.new(tracker, fp)
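Review bot: In `parse_slim` the `else` branch of `if @slim_smart.nil? and load_slim_smart?` also runs when `@slim_smart` is already `true`, so the memo is reset to `false` on the second template parsed, and `load_slim_smart?`'s own guard `return !@slim_smart unless @slim_smart.nil?` returns the inverse of the memoized value if it is ever reached with a non-nil flag. Loading still works because `slim/smart` has been required by then, but the `# Load slim/smart ?` flag set in `initialize` stops meaning what it says after one call. Memoizing the decision separately from the load, as below, and changing the guard to `return @slim_smart unless @slim_smart.nil?` fixes both; it would also help to note above `load_slim_smart?` that the Gemfile test is a plain substring match on `'slim/smart'`, so a commented-out or unrelated mention triggers it. The defect spans the `parse_slim` hunk and the `load_slim_smart?` hunk; `parse_slim` continues past the end of its hunk.
```ruby
def parse_slim path, text
  Brakeman.load_brakeman_dependency 'slim'

  if @slim_smart.nil?
    @slim_smart = load_slim_smart?
    Brakeman.load_brakeman_dependency 'slim/smart' if @slim_smart
  end

  # … unchanged: require_relative 'slim_embedded' and the Slim::Template.new call …
```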
@@ -183,6 +183,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
183
183
  return exp
184
184
  end
185
185
 
186
+ # If x(*[1,2,3]) change to x(1,2,3)
187
+ # if that's the only argument
188
+ if splat_array? exp.first_arg and exp.second_arg.nil?
189
+ exp.arglist = exp.first_arg[1].sexp_body
190
+ end
191
+
186
192
  target = exp.target
187
193
  method = exp.method
188
194
  first_arg = exp.first_arg
@@ -195,11 +201,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
195
201
  res = process_or_simple_operation(exp)
196
202
  return res if res
197
203
  elsif target == ARRAY_CONST and method == :new
198
- return Sexp.new(:array, *exp.args)
204
+ return Sexp.new(:array, *exp.args).line(exp.line)
199
205
  elsif target == HASH_CONST and method == :new and first_arg.nil? and !node_type?(@exp_context.last, :iter)
200
- return Sexp.new(:hash)
206
+ return Sexp.new(:hash).line(exp.line)
201
207
  elsif exp == RAILS_TEST or exp == RAILS_DEV
202
- return Sexp.new(:false)
208
+ return Sexp.new(:false).line(exp.line)
203
209
  end
204
210
 
205
211
  #See if it is possible to simplify some basic cases
@@ -237,7 +243,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
237
243
  env[target_var] = target
238
244
  return target
239
245
  elsif string? target and string_interp? first_arg
240
- exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
246
+ exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2)).line(exp.line)
241
247
  env[target_var] = exp
242
248
  elsif string? first_arg and string_interp? target
243
249
  if string? target.last
@@ -288,7 +294,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
288
294
 
289
295
  # Painful conversion of Array#join into string interpolation
290
296
  def process_array_join array, join_str
291
- result = s()
297
+ result = s().line(array.line)
292
298
 
293
299
  join_value = if string? join_str
294
300
  join_str.value
@@ -326,11 +332,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
326
332
  result.unshift combined_first
327
333
 
328
334
  # Have to fix up strings that follow interpolation
329
- result.reduce(s(:dstr)) do |memo, e|
335
+ result.reduce(s(:dstr).line(array.line)) do |memo, e|
330
336
  if string? e and node_type? memo.last, :evstr
331
337
  e.value = "#{join_value}#{e.value}"
332
338
  elsif join_value and node_type? memo.last, :evstr and node_type? e, :evstr
333
- memo << s(:str, join_value)
339
+ memo << s(:str, join_value).line(e.line)
334
340
  end
335
341
 
336
342
  memo << e
@@ -341,9 +347,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
341
347
  if item.is_a? String
342
348
  "#{item}#{join_value}"
343
349
  elsif string? item or symbol? item or number? item
344
- s(:str, "#{item.value}#{join_value}")
350
+ s(:str, "#{item.value}#{join_value}").line(item.line)
345
351
  else
346
- s(:evstr, item)
352
+ s(:evstr, item).line(item.line)
347
353
  end
348
354
  end
349
355
 
@@ -359,6 +365,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
359
365
  s(:call, TEMP_FILE_CLASS, :new).line(line)
360
366
  end
361
367
 
368
+ def splat_array? exp
369
+ node_type? exp, :splat and
370
+ node_type? exp[1], :array
371
+ end
372
+
362
373
  def process_iter exp
363
374
  @exp_context.push exp
364
375
  exp[1] = process exp.block_call
@@ -679,7 +690,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
679
690
  end
680
691
  end
681
692
  else
682
- new_value = process s(:call, s(:call, target_var, :[], index), exp[3], value)
693
+ new_value = process s(:call, s(:call, target_var, :[], index), exp[3], value).line(exp.line)
683
694
 
684
695
  env[match] = new_value
685
696
  end
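Review bot: `splat_array?` in the `@@ -359,6 +365,11 @@` hunk is undocumented, and the splat-flattening block in the first hunk (`if splat_array? exp.first_arg and exp.second_arg.nil?`) depends on its exact shape, so a reader has to cross-reference both; suggest `# True for s(:splat, s(:array, ...)), i.e. a literal array passed as *[...]` above the helper. The existing comment on the first hunk says the rewrite applies only when the splat is the sole argument, so `x(1, *[2, 3])` is deliberately left alone; stating that explicitly, and noting that `exp.arglist = exp.first_arg[1].sexp_body` presumably leaves the moved elements with their own line numbers rather than the call's, would make the new line-number work in the other hunks easier to reason about. The method enclosing the first hunk starts before it and ends after it.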
@@ -8,7 +8,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
8
8
  include Brakeman::SafeCallHelper
9
9
  include Brakeman::Util
10
10
 
11
- IGNORE = Sexp.new :ignore
11
+ IGNORE = Sexp.new(:ignore).line(0)
12
12
 
13
13
  #Return a new Processor.
14
14
  def initialize tracker
@@ -216,7 +216,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
216
216
  #
217
217
  #And also :layout for inside templates
218
218
  def find_render_type call, in_view = false
219
- rest = Sexp.new(:hash)
219
+ rest = Sexp.new(:hash).line(call.line)
220
220
  type = nil
221
221
  value = nil
222
222
  first_arg = call.first_arg
@@ -236,7 +236,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
236
236
  end
237
237
  elsif first_arg.is_a? Symbol or first_arg.is_a? String
238
238
  type = :action
239
- value = Sexp.new(:lit, first_arg.to_sym)
239
+ value = Sexp.new(:lit, first_arg.to_sym).line(call.line)
240
240
  elsif first_arg.nil?
241
241
  type = :default
242
242
  elsif not hash? first_arg
@@ -293,6 +293,6 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
293
293
  @tracker.processor.process_template(template_name, ast, type, nil, @current_file)
294
294
  @tracker.processor.process_template_alias(@tracker.templates[template_name])
295
295
 
296
- return s(:lit, template_name), options
296
+ return s(:lit, template_name).line(value.line), options
297
297
  end
298
298
  end
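Review bot: `return s(:lit, template_name).line(value.line), options` in the `@@ -293,6 +293,6 @@` hunk assumes `value` is non-nil at that point, which cannot be confirmed here because the enclosing method starts outside the hunk; the other new `.line(...)` calls in this section take their number from `call.line`, which is always present. If `value` can be absent on some path, `value&.line` keeps the propagation without raising, or the same call-based source used in `find_render_type` could be used if it is in scope. `IGNORE = Sexp.new(:ignore).line(0)` would also benefit from a short comment on why line 0 was chosen for this shared constant.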
@@ -2,10 +2,11 @@ require 'brakeman/processors/lib/rails3_config_processor'
2
2
 
3
3
  class Brakeman::Rails4ConfigProcessor < Brakeman::Rails3ConfigProcessor
4
4
  APPLICATION_CONFIG = s(:call, s(:call, s(:const, :Rails), :application), :configure)
5
+ ALT_APPLICATION_CONFIG = s(:call, s(:call, s(:colon3, :Rails), :application), :configure)
5
6
 
6
7
  # Look for Rails.application.configure do ... end
7
8
  def process_iter exp
8
- if exp.block_call == APPLICATION_CONFIG
9
+ if exp.block_call == APPLICATION_CONFIG or exp.block_call == ALT_APPLICATION_CONFIG
9
10
  @inside_config = true
10
11
  process exp.block if sexp? exp.block
11
12
  @inside_config = false
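Review bot: The comment `# Look for Rails.application.configure do ... end` above `process_iter` now undersells the match, since `ALT_APPLICATION_CONFIG` adds the `::Rails` (`s(:colon3, :Rails)`) spelling; update it to `# Look for Rails.application.configure or ::Rails.application.configure do ... end`. The comparison could also read `if [APPLICATION_CONFIG, ALT_APPLICATION_CONFIG].include? exp.block_call`, which scales if another spelling is added later. `process_iter` continues past the end of the hunk.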
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "5.0.0"
2
+ Version = "5.0.1"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman-lib
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.0.0
4
+ version: 5.0.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-01-27 00:00:00.000000000 Z
11
+ date: 2021-04-28 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest