brakeman-lib 5.2.1 → 5.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 142266ec73f5ceb562841d0d9f4c74f4fa4ad29663d1aff64bc1c97d236cae16
-  data.tar.gz: d562a2f5393b7246fc11510c9bf1e23afa037e6401eb073adef21ae9b0102b9e
+  metadata.gz: 45b4ed913efc8767851fa736f69591dad0bd6c26eb2b9c6f84e71acef92670ce
+  data.tar.gz: b40f9ee9b0dbd2187e071609193b3df891dd6e462bd3de572ce4a335db063185
 SHA512:
-  metadata.gz: b02024bd7793e53b995a43f5e3a38366404f1fc2bbcbe952c49fe36fcda896b860685f0581281dba7c9f98db6ab3f6155aa3a53a05229105aac929fde3ac7a8f
-  data.tar.gz: e75d5409ab0fcda0a29764545600bb154e03d9baadd4575051cb49a433c27c80b5608d77b06213a13b9460cc4a06294ad8589eeae3df52d2892ab1bbd9a30a98
+  metadata.gz: 8966515fb503515fb38a7581061a72464b81a6bcf86b99c58711dbbb88b636b87b5e74a09190b53cd7c09ea1674458bfe874698416c4928dbf44eb46bc234221
+  data.tar.gz: ca7309e4b30e14213b1e697e33113737ee8c2da1d6997f6e28c0a68df965dcd348c9b7c7a4bbe285e7dc7356b7c6fceb2171b13aae92338d02d4e5ef4992c9a4

data/CHANGES.md

@@ -1,3 +1,11 @@
+# 5.2.2 - 2022-04-06
+
+* Update `ruby_parser` for Ruby 3.1 support (Merek Skubela)
+* Handle `nil` when joining values (Dan Buettner)
+* Update message for unsafe reflection (Pedro Baracho)
+* Add additional String methods for SQL injection check
+* Respect equality in `if` conditions
+
 # 5.2.1 - 2022-01-30
 
 * Add warning codes for EOL software warnings

data/lib/brakeman/checks/check_sql.rb

@@ -405,7 +405,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     nil
   end
 
-  TO_STRING_METHODS = [:chomp, :to_s, :squish, :strip, :strip_heredoc]
+  TO_STRING_METHODS = [:chomp, :chop, :lstrip, :rstrip, :scrub, :squish, :strip,
+                       :strip_heredoc, :to_s, :tr]
 
   #Returns value if interpolated value is not something safe
   def unsafe_string_interp? exp
@@ -744,6 +745,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       date_target? exp.target
     else
      false
-    end 
+    end
   end
 end

data/lib/brakeman/checks/check_unsafe_reflection.rb

@@ -20,7 +20,7 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
   def check_unsafe_reflection result
     return unless original? result
 
-    call = result[:call] 
+    call = result[:call]
     method = call.method
 
     case method
@@ -37,7 +37,12 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
     end
 
     if confidence
-      message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
+      case method
+      when :constantize, :safe_constantize
+        message = msg("Unsafe reflection method ", msg_code(method), " called on ", msg_input(input))
+      else
+        message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
+      end
 
       warn :result => result,
         :warning_type => "Remote Code Execution",

data/lib/brakeman/processors/alias_processor.rb

@@ -404,7 +404,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   end
 
   def join_item item, join_value
-    if item.is_a? String
+    if item.nil? || item.is_a?(String)
       "#{item}#{join_value}"
     elsif string? item or symbol? item or number? item
       s(:str, "#{item.value}#{join_value}").line(item.line)
@@ -864,6 +864,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     elsif false? condition
       no_branch = true
       exps = [nil, exp.else_clause]
+    elsif equality_check? condition and condition.target == condition.first_arg
+      no_branch = true
+      exps = [exp.then_clause, nil]
     else
       no_branch = false
       exps = [exp.then_clause, exp.else_clause]
@@ -897,6 +900,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
             env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
             env.current[var] = previous_value
+          elsif i == 0 and equality_check? condition
+            # For conditions like a == b,
+            # set a to b inside the true branch
+            var = condition.target
+            previous_value = env.current[var]
+            env.current[var] = condition.first_arg
+            exp[branch_index] = process_if_branch branch
+            env.current[var] = previous_value
           elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
             var = condition.first_arg
             env.current[var] = safe_literal(var.line)
@@ -931,6 +942,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
   end
 
+  def equality_check? exp
+    call? exp and
+      exp.method == :==
+  end
+
   def simple_when? exp
     node_type? exp[1], :array and
       not node_type? exp[1][1], :splat, :array and

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.2.1"
+  Version = "5.2.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 5.2.1
+  version: 5.2.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-01-30 00:00:00.000000000 Z
+date: 2022-04-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '3.19'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '3.19'
 - !ruby/object:Gem::Dependency
   name: ruby_parser-legacy
   requirement: !ruby/object:Gem::Requirement