RubyGems - brakeman-lib - Versions diffs - 5.0.0 → 5.0.1 - Mend

brakeman-lib 5.0.0 → 5.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/CHANGES.md +9 -0
data/README.md +10 -1
data/lib/brakeman.rb +11 -4
data/lib/brakeman/checks/check_mass_assignment.rb +4 -6
data/lib/brakeman/parsers/template_parser.rb +24 -0
data/lib/brakeman/processors/alias_processor.rb +21 -10
data/lib/brakeman/processors/base_processor.rb +4 -4
data/lib/brakeman/processors/lib/rails4_config_processor.rb +2 -1
data/lib/brakeman/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 59808cb56d2701ba4806eaf3e8fdaa70e3b15d3578badb1a93177ae60a03fe16
-  data.tar.gz: d74f4ffa7620d6ae48cddc85ad661548c6c21fa807306a987e31343990e33a09
+  metadata.gz: d3dc2339132662438de0f96b04c56b445ba69e60ca3e0b58db4c1e3e803e6c1b
+  data.tar.gz: c1b340eb481e9b182f4bed44d709656fde4405a04bc11c63681b06ad0fa4ec6c
 SHA512:
-  metadata.gz: 1319c8e5a981305d8ab91885a9edfe475240014e7f3e19d2f4e24da8eabc0c0cf355cd8ef387091291dd4a7d3a29fc35309531e6edce6606100b5a7c48f24b64
-  data.tar.gz: 02356cced5a4aaae709a3f237319af4bf4f511224762c41bb61d1130813385d27e922722771d037ef1773271db642431be689f249b72396f7800730606ad3ba3
+  metadata.gz: fc6e90801ce54677dc85db3c6d0b1b70414462cb54629e4af369007ac5477e0f7f31bafebea54a0120a0f3316a582686e65a9ad4851c51ea50e531f3b8936bb2
+  data.tar.gz: 4c0184c78d871d814d5a098526d785bdd62efc2a898bbbc0c3f2d71af6fd4250cfe9ed5e49fe8c42b3c84d93887ebca71729a3d934f324a93df6652d276ba307

data/CHANGES.md CHANGED Viewed

@@ -1,3 +1,12 @@
+# 5.0.1 - 2021-04-27
+* Detect `::Rails.application.configure` too
+* Set more line numbers on Sexps
+* Support loading `slim/smart`
+* Don't fail if $HOME/$USER are not defined
+* Always ignore slice/only calls for mass assignment
+* Convert splat array arguments to arguments
 # 5.0.0 - 2021-01-26
 * Ignore `uuid` as a safe attribute

data/README.md CHANGED Viewed

@@ -159,7 +159,16 @@ The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and
 # Configuration files
-Brakeman options can stored and read from YAML files. To simplify the process of writing a configuration file, the `-C` option will output the currently set options.
+Brakeman options can be stored and read from YAML files.
+To simplify the process of writing a configuration file, the `-C` option will output the currently set options:
+```sh
+$ brakeman -C --skip-files plugins/
+---
+:skip_files:
+- plugins/
+```
 Options passed in on the commandline have priority over configuration files.

data/lib/brakeman.rb CHANGED Viewed

@@ -157,10 +157,17 @@ module Brakeman
     end
   end
-  CONFIG_FILES = [
-    File.expand_path("~/.brakeman/config.yml"),
-    File.expand_path("/etc/brakeman/config.yml")
-  ]
+  CONFIG_FILES = begin
+                   [
+                     File.expand_path("~/.brakeman/config.yml"),
+                     File.expand_path("/etc/brakeman/config.yml")
+                   ]
+                 rescue ArgumentError
+                   # In case $HOME or $USER aren't defined for use of `~`
+                   [
+                     File.expand_path("/etc/brakeman/config.yml")
+                   ]
+                 end
   def self.config_file custom_location, app_path
     app_config = File.expand_path(File.join(app_path, "config", "brakeman.yml"))

data/lib/brakeman/checks/check_mass_assignment.rb CHANGED Viewed

@@ -69,17 +69,15 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
     if check and original? res
       model = tracker.models[res[:chain].first]
       attr_protected = (model and model.attr_protected)
+      first_arg = call.first_arg
       if attr_protected and tracker.options[:ignore_attr_protected]
         return
+      elsif call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
+        return
       elsif input = include_user_input?(call.arglist)
-        first_arg = call.first_arg
-        if call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
-          return
-        elsif not node_type? first_arg, :hash
+        if not node_type? first_arg, :hash
           if attr_protected
             confidence = :medium
           else

data/lib/brakeman/parsers/template_parser.rb CHANGED Viewed

@@ -9,6 +9,7 @@ module Brakeman
     def initialize tracker, file_parser
       @tracker = tracker
       @file_parser = file_parser
+      @slim_smart = nil # Load slim/smart ?
     end
     def parse_template path, text
@@ -88,6 +89,14 @@ module Brakeman
     def parse_slim path, text
       Brakeman.load_brakeman_dependency 'slim'
+      if @slim_smart.nil? and load_slim_smart?
+        @slim_smart = true
+        Brakeman.load_brakeman_dependency 'slim/smart'
+      else
+        @slim_smart = false
+      end
       require_relative 'slim_embedded'
       Slim::Template.new(path,
@@ -95,6 +104,21 @@ module Brakeman
                          :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
     end
+    def load_slim_smart?
+      return !@slim_smart unless @slim_smart.nil?
+      # Terrible hack to find
+      #   gem "slim", "~> 3.0.1", require: ["slim", "slim/smart"]
+      if tracker.app_tree.exists? 'Gemfile'
+        gemfile_contents = tracker.app_tree.file_path('Gemfile').read
+        if gemfile_contents.include? 'slim/smart'
+          return true
+        end
+      end
+      false
+    end
     def self.parse_inline_erb tracker, text
       fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
       tp = self.new(tracker, fp)

data/lib/brakeman/processors/alias_processor.rb CHANGED Viewed

@@ -183,6 +183,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       return exp
     end
+    # If x(*[1,2,3]) change to x(1,2,3)
+    # if that's the only argument
+    if splat_array? exp.first_arg and exp.second_arg.nil?
+      exp.arglist = exp.first_arg[1].sexp_body
+    end
     target = exp.target
     method = exp.method
     first_arg = exp.first_arg
@@ -195,11 +201,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       res = process_or_simple_operation(exp)
       return res if res
     elsif target == ARRAY_CONST and method == :new
-      return Sexp.new(:array, *exp.args)
+      return Sexp.new(:array, *exp.args).line(exp.line)
     elsif target == HASH_CONST and method == :new and first_arg.nil? and !node_type?(@exp_context.last, :iter)
-      return Sexp.new(:hash)
+      return Sexp.new(:hash).line(exp.line)
     elsif exp == RAILS_TEST or exp == RAILS_DEV
-      return Sexp.new(:false)
+      return Sexp.new(:false).line(exp.line)
     end
     #See if it is possible to simplify some basic cases
@@ -237,7 +243,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
-        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
+        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2)).line(exp.line)
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
@@ -288,7 +294,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   # Painful conversion of Array#join into string interpolation
   def process_array_join array, join_str
-    result = s()
+    result = s().line(array.line)
     join_value = if string? join_str
                    join_str.value
@@ -326,11 +332,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     result.unshift combined_first
     # Have to fix up strings that follow interpolation
-    result.reduce(s(:dstr)) do |memo, e|
+    result.reduce(s(:dstr).line(array.line)) do |memo, e|
       if string? e and node_type? memo.last, :evstr
         e.value = "#{join_value}#{e.value}"
       elsif join_value and node_type? memo.last, :evstr and node_type? e, :evstr
-        memo << s(:str, join_value)
+        memo << s(:str, join_value).line(e.line)
       end
       memo << e
@@ -341,9 +347,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     if item.is_a? String
       "#{item}#{join_value}"
     elsif string? item or symbol? item or number? item
-      s(:str, "#{item.value}#{join_value}")
+      s(:str, "#{item.value}#{join_value}").line(item.line)
     else
-      s(:evstr, item)
+      s(:evstr, item).line(item.line)
     end
   end
@@ -359,6 +365,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     s(:call, TEMP_FILE_CLASS, :new).line(line)
   end
+  def splat_array? exp
+    node_type? exp, :splat and
+      node_type? exp[1], :array
+  end
   def process_iter exp
     @exp_context.push exp
     exp[1] = process exp.block_call
@@ -679,7 +690,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         end
       end
     else
-      new_value = process s(:call, s(:call, target_var, :[], index), exp[3], value)
+      new_value = process s(:call, s(:call, target_var, :[], index), exp[3], value).line(exp.line)
       env[match] = new_value
     end

data/lib/brakeman/processors/base_processor.rb CHANGED Viewed

@@ -8,7 +8,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   include Brakeman::SafeCallHelper
   include Brakeman::Util
-  IGNORE = Sexp.new :ignore
+  IGNORE = Sexp.new(:ignore).line(0)
   #Return a new Processor.
   def initialize tracker
@@ -216,7 +216,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   #
   #And also :layout for inside templates
   def find_render_type call, in_view = false
-    rest = Sexp.new(:hash)
+    rest = Sexp.new(:hash).line(call.line)
     type = nil
     value = nil
     first_arg = call.first_arg
@@ -236,7 +236,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
       end
     elsif first_arg.is_a? Symbol or first_arg.is_a? String
       type = :action
-      value = Sexp.new(:lit, first_arg.to_sym)
+      value = Sexp.new(:lit, first_arg.to_sym).line(call.line)
     elsif first_arg.nil?
       type = :default
     elsif not hash? first_arg
@@ -293,6 +293,6 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     @tracker.processor.process_template(template_name, ast, type, nil, @current_file)
     @tracker.processor.process_template_alias(@tracker.templates[template_name])
-    return s(:lit, template_name), options
+    return s(:lit, template_name).line(value.line), options
   end
 end

data/lib/brakeman/processors/lib/rails4_config_processor.rb CHANGED Viewed

@@ -2,10 +2,11 @@ require 'brakeman/processors/lib/rails3_config_processor'
 class Brakeman::Rails4ConfigProcessor < Brakeman::Rails3ConfigProcessor
   APPLICATION_CONFIG = s(:call, s(:call, s(:const, :Rails), :application), :configure)
+  ALT_APPLICATION_CONFIG = s(:call, s(:call, s(:colon3, :Rails), :application), :configure)
   # Look for Rails.application.configure do ... end
   def process_iter exp
-    if exp.block_call == APPLICATION_CONFIG
+    if exp.block_call == APPLICATION_CONFIG or exp.block_call == ALT_APPLICATION_CONFIG
       @inside_config = true
       process exp.block if sexp? exp.block
       @inside_config = false

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.0.0"
+  Version = "5.0.1"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 5.0.0
+  version: 5.0.1
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-01-27 00:00:00.000000000 Z
+date: 2021-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest