RubyGems - brakeman-lib - Versions diffs - 5.1.2 → 5.2.0 - Mend

brakeman-lib 5.1.2 → 5.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

checksums.yaml +4 -4
data/CHANGES.md +9 -0
data/lib/brakeman/checks/base_check.rb +10 -0
data/lib/brakeman/checks/check_eol_rails.rb +23 -0
data/lib/brakeman/checks/check_eol_ruby.rb +26 -0
data/lib/brakeman/checks/check_sql.rb +3 -2
data/lib/brakeman/checks/check_symbol_dos.rb +1 -1
data/lib/brakeman/checks/eol_check.rb +47 -0
data/lib/brakeman/options.rb +8 -0
data/lib/brakeman/processors/gem_processor.rb +3 -0
data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -0
data/lib/brakeman/scanner.rb +3 -1
data/lib/brakeman/tracker/config.rb +8 -1
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning_codes.rb +2 -0
metadata +6 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 650df7997ecbf4c9bf7c1ea47ef851ec2eac1593d0c9fed8197ca5aa78f8fded
-  data.tar.gz: 9582c10b7cd30496793d5d1b3ddbd88fbf610fa834bdab402267c4ad73962622
+  metadata.gz: cf18736db7a992849a30cccc66f741442e05b695f9ad1bd27fe06f6bc25db849
+  data.tar.gz: a884f20cc12305c0856bcc296ddae3aea746b024c232bf11d7988d4e37bd96a3
 SHA512:
-  metadata.gz: bdcc242df0b6e60ba87e1d4445c56bf7ed6c2c2a0dfdd34904fc41369f9b05ed9e370a1c2cf80a6d45d9b1cedcc1f1e56600b96f47437a9ffb6f343a01c41385
-  data.tar.gz: d623285512f64799f9e230289f6c864bcb937770d781a974c1c4ac224ff1a89ac104fd0fc4fcc98c2b840ea68b5f8ddf1b67781b85cbc7257099995848b8f9ef
+  metadata.gz: be93f9f9ba9d808989cbed1bfd450b29c272e806d84707ab0420a8a86b8c797f88d4338f22a1124a462be43ac7bfea605566779321a72d772e9c39d216ded8c3
+  data.tar.gz: cf9aa7f34fa5cc737b2e7bbecf625025b50f72f1b3c43ab8f346832145e3cab2245d2af79fd021584ab0aa5fdbb2f854dd41fee8f5a5c891197f1f1e8a570a65

data/CHANGES.md CHANGED Viewed

@@ -1,3 +1,12 @@
+# 5.2.0 - 2021-12-15
+* Initial Rails 7 support
+* Require Ruby 2.5.0+
+* Fix issue with calls to `foo.root` in routes
+* Ignore `I18n.locale` in SQL queries
+* Do not treat `sanitize_sql_like` as safe
+* Add new checks for unsupported Ruby and Rails versions
 # 5.1.2 - 2021-10-28
 * Handle cases where enums are not symbols

data/lib/brakeman/checks/base_check.rb CHANGED Viewed

@@ -513,4 +513,14 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     string_building? exp.target or
     string_building? exp.first_arg
   end
+  I18N_CLASS = s(:const, :I18n)
+  def locale_call? exp
+    return unless call? exp
+    (exp.target == I18N_CLASS and
+     exp.method == :locale) or
+    locale_call? exp.target
+  end
 end

data/lib/brakeman/checks/check_eol_rails.rb ADDED Viewed

@@ -0,0 +1,23 @@
+require_relative 'eol_check'
+class Brakeman::CheckEOLRails < Brakeman::EOLCheck
+  Brakeman::Checks.add self
+  @description = "Checks for unsupported versions of Rails"
+  def run_check
+    return unless tracker.config.rails_version
+    check_eol_version :rails, RAILS_EOL_DATES
+  end
+  RAILS_EOL_DATES = {
+    ['2.0.0', '2.3.99'] => Date.new(2013, 6, 25),
+    ['3.0.0', '3.2.99'] => Date.new(2016, 6, 30),
+    ['4.0.0', '4.2.99'] => Date.new(2017, 4, 27),
+    ['5.0.0', '5.0.99'] => Date.new(2018, 5, 9),
+    ['5.1.0', '5.1.99'] => Date.new(2019, 8, 25),
+    ['5.2.0', '5.2.99'] => Date.new(2022, 6, 1),
+    ['6.0.0', '6.0.99'] => Date.new(2023, 6, 1),
+  }
+end

data/lib/brakeman/checks/check_eol_ruby.rb ADDED Viewed

@@ -0,0 +1,26 @@
+require_relative 'eol_check'
+class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
+  Brakeman::Checks.add self
+  @description = "Checks for unsupported versions of Ruby"
+  def run_check
+    return unless tracker.config.ruby_version
+    check_eol_version :ruby, RUBY_EOL_DATES
+  end
+  RUBY_EOL_DATES = {
+    ['0.0.0', '1.9.3'] => Date.new(2015, 2, 23),
+    ['2.0.0', '2.0.99'] => Date.new(2016, 2, 24),
+    ['2.1.0', '2.1.99'] => Date.new(2017, 3, 31),
+    ['2.2.0', '2.2.99'] => Date.new(2018, 3, 31),
+    ['2.3.0', '2.3.99'] => Date.new(2019, 3, 31),
+    ['2.4.0', '2.4.99'] => Date.new(2020, 3, 31),
+    ['2.5.0', '2.5.99'] => Date.new(2021, 3, 31),
+    ['2.6.0', '2.6.99'] => Date.new(2022, 3, 31),
+    ['2.7.0', '2.7.99'] => Date.new(2023, 3, 31),
+    ['3.0.0', '2.8.99'] => Date.new(2024, 3, 31),
+  }
+end

data/lib/brakeman/checks/check_sql.rb CHANGED Viewed

@@ -584,7 +584,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   end
   IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
-    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array, :sanitize_sql_like,
+    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
@@ -628,7 +628,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       arel? exp or
       exp.method.to_s.end_with? "_id" or
       number_target? exp or
-      date_target? exp
+      date_target? exp or
+      locale_call? exp
   end
   QUOTE_METHODS = [:quote, :quote_column_name, :quoted_date, :quote_string, :quote_table_name]

data/lib/brakeman/checks/check_symbol_dos.rb CHANGED Viewed

@@ -9,7 +9,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
   def run_check
     return if rails_version and rails_version >= "5.0.0"
-    return if tracker.config.ruby_version >= "2.2"
+    return if tracker.config.ruby_version and tracker.config.ruby_version >= "2.2"
     tracker.find_call(:methods => UNSAFE_METHODS, :nested => true).each do |result|
       check_unsafe_symbol_creation(result)

data/lib/brakeman/checks/eol_check.rb ADDED Viewed

@@ -0,0 +1,47 @@
+require 'date'
+require 'brakeman/checks/base_check'
+# Not used directly - base check for EOLRails and EOLRuby
+class Brakeman::EOLCheck < Brakeman::BaseCheck
+  def check_eol_version library, eol_dates
+    version = case library
+              when :rails
+                tracker.config.rails_version
+              when :ruby
+                tracker.config.ruby_version
+              else
+                raise 'Implement using tracker.config.gem_version'
+              end
+    eol_dates.each do |(start_version, end_version), eol_date|
+      if version_between? start_version, end_version, version
+        case
+        when Date.today >= eol_date
+          warn_about_unsupported_version library, eol_date, version
+        when (Date.today + 30) >= eol_date
+          warn_about_soon_unsupported_version library, eol_date, version, :medium
+        when (Date.today + 60) >= eol_date
+          warn_about_soon_unsupported_version library, eol_date, version, :low
+        end
+        break
+      end
+    end
+  end
+  def warn_about_soon_unsupported_version library, eol_date, version, confidence
+    warn warning_type: 'Unmaintained Dependency',
+      warning_code: :"pending_eol_#{library}",
+      message: msg("Support for ", msg_version(version, library.capitalize), " ends on #{eol_date}"),
+      confidence: confidence,
+      gem_info: gemfile_or_environment
+  end
+  def warn_about_unsupported_version library, eol_date, version
+    warn warning_type: 'Unmaintained Dependency',
+      warning_code: :"eol_#{library}",
+      message: msg("Support for ", msg_version(version, library.capitalize), " ended on #{eol_date}"),
+      confidence: :high,
+      gem_info: gemfile_or_environment
+  end
+end

data/lib/brakeman/options.rb CHANGED Viewed

@@ -93,6 +93,14 @@ module Brakeman::Options
           options[:rails6] = true
         end
+        opts.on "-7", "--rails7", "Force Rails 7 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+          options[:rails5] = true
+          options[:rails6] = true
+          options[:rails7] = true
+        end
         opts.separator ""
         opts.separator "Scanning options:"

data/lib/brakeman/processors/gem_processor.rb CHANGED Viewed

@@ -6,6 +6,7 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
   def initialize *args
     super
     @gem_name_version = /^\s*([-_+.A-Za-z0-9]+) \((\w(\.\w+)*)\)/
+    @ruby_version = /^\s+ruby (\d\.\d.\d+)/
   end
   def process_gems gem_files
@@ -95,6 +96,8 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
   def set_gem_version_and_file line, file, line_num
     if line =~ @gem_name_version
       @tracker.config.add_gem $1, $2, file, line_num
+    elsif line =~ @ruby_version
+      @tracker.config.set_ruby_version $1
     end
   end
 end

data/lib/brakeman/processors/lib/rails3_route_processor.rb CHANGED Viewed

@@ -78,6 +78,8 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
   #TODO: Need test for this
   def process_root exp
+    return exp unless hash? exp.first_arg
     if value = hash_access(exp.first_arg, :to)
       if string? value
         add_route_from_string value

data/lib/brakeman/scanner.rb CHANGED Viewed

@@ -137,7 +137,9 @@ class Brakeman::Scanner
     end
     if @app_tree.exists? ".ruby-version"
-      tracker.config.set_ruby_version @app_tree.file_path(".ruby-version").read
+      if version = @app_tree.file_path(".ruby-version").read[/(\d\.\d.\d+)/]
+        tracker.config.set_ruby_version version
+      end
     end
     tracker.config.load_rails_defaults

data/lib/brakeman/tracker/config.rb CHANGED Viewed

@@ -14,7 +14,7 @@ module Brakeman
       @settings = {}
       @escape_html = nil
       @erubis = nil
-      @ruby_version = ""
+      @ruby_version = nil
       @rails_version = nil
     end
@@ -106,6 +106,13 @@ module Brakeman
             tracker.options[:rails5] = true
             tracker.options[:rails6] = true
             Brakeman.notify "[Notice] Detected Rails 6 application"
+          elsif @rails_version.start_with? "7"
+            tracker.options[:rails3] = true
+            tracker.options[:rails4] = true
+            tracker.options[:rails5] = true
+            tracker.options[:rails6] = true
+            tracker.options[:rails7] = true
+            Brakeman.notify "[Notice] Detected Rails 7 application"
           end
         end
       end

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.1.2"
+  Version = "5.2.0"
 end

data/lib/brakeman/warning_codes.rb CHANGED Viewed

@@ -121,6 +121,8 @@ module Brakeman::WarningCodes
     :erb_template_injection => 117,
     :http_verb_confusion => 118,
     :unsafe_method_reflection => 119,
+    :eol_rails => 120,
+    :eol_ruby => 121,
     :custom_check => 9090,
   }

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 5.1.2
+  version: 5.2.0
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-10-28 00:00:00.000000000 Z
+date: 2021-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -271,6 +271,8 @@ files:
 - lib/brakeman/checks/check_digest_dos.rb
 - lib/brakeman/checks/check_divide_by_zero.rb
 - lib/brakeman/checks/check_dynamic_finders.rb
+- lib/brakeman/checks/check_eol_rails.rb
+- lib/brakeman/checks/check_eol_ruby.rb
 - lib/brakeman/checks/check_escape_function.rb
 - lib/brakeman/checks/check_evaluation.rb
 - lib/brakeman/checks/check_execute.rb
@@ -337,6 +339,7 @@ files:
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_xml_dos.rb
 - lib/brakeman/checks/check_yaml_parsing.rb
+- lib/brakeman/checks/eol_check.rb
 - lib/brakeman/codeclimate/engine_configuration.rb
 - lib/brakeman/commandline.rb
 - lib/brakeman/differ.rb
@@ -452,7 +455,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.4.0
+      version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="