brakeman-lib 5.4.1 → 6.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1bd15d1d3f41a0fe1f537728a63f5fe432eae4d4b82cdb07233007e794b4b19a
-  data.tar.gz: 8fd1c274006689e0e391c5586c9bd59c7ce776a998c9313561185216e51f9519
+  metadata.gz: fa04262bdd0adc42cac58526843c33d79a66b439880e8c8df8c6c1df343fcff6
+  data.tar.gz: 7e433c0b3a0ac62bc432bec371432bfacde51c34cd6d2c8ae2e78b698e7c44a4
 SHA512:
-  metadata.gz: d3c99025931ba8a59c7852132cb80100f3f720de1ebfe632899e499a5784d5e92534efc6d9a04729bf3aec0d07c90fc2f69efccfd3d49558c277e370ae3d58f3
-  data.tar.gz: 571f89f8d5eb19b1d2c472517e3d66d819ab715379fd6b5bdd15cd136560499d8d86ff79da19a86a2c03830b8e0b0d0bf0dec3935267f75eacc95396a71d1f81
+  metadata.gz: 2b8220a3968c53ba01ac55034a15a2f7021a0bc7c319fda428ae917bb8eead85388a9995115ea67ec41f8a837d68fb2efaa6cfb907ac3d6a00ce92e2a15e4a87
+  data.tar.gz: d9374e5121036962f6f3ea04478ecffceda79cfbc0c3a30d7d6fcb426ce60c0185d903056ff7231b0ec4b37d3fbd72a899ff49d6a7010f5ca7a1703d948dcd43

data/CHANGES.md

@@ -1,3 +1,17 @@
+# 6.0.1 - 2023-07-20
+
+* Accept strings for `load_defaults` version
+
+# 6.0.0 - 2023-05-24
+
+* Add obsolete fingerprints to comparison report
+* Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
+* Scan directories that include the word `public`
+* Raise minimum Ruby version to 3.0
+* Drop support for Ruby 1.8/1.9 syntax
+* Fix end-of-life dates for Ruby
+* Fix false positive with `content_tag` in newer Rails
+
 # 5.4.1 - 2023-02-21
 
 * Fix file/line location for EOL software warnings

data/README.md

@@ -66,7 +66,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 Brakeman should work with any version of Rails from 2.3.x to 7.x.
 
-Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.5.0 to run.
+Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.0.0 to run.
 
 # Basic Options
 
@@ -182,7 +182,7 @@ There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenk
 
 For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
 
-There are a couple [Github Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
+There are a couple [GitHub Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
 
 # Building
 

data/lib/brakeman/app_tree.rb

@@ -197,7 +197,6 @@ module Brakeman
       spec/
       test/
       tmp/
-      public/
       log/
     ]
 

data/lib/brakeman/checks/check_content_tag.rb

@@ -73,11 +73,14 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
       check_argument result, content
     end
 
-    #Attribute keys are never escaped, so check them for user input
-    if not @matched and hash? attributes and not request_value? attributes
-      hash_iterate(attributes) do |k, _v|
-        check_argument result, k
-        return if @matched
+    # This changed in Rails 6.1.6
+    if version_between? '0.0.0', '6.1.5' 
+      #Attribute keys are never escaped, so check them for user input
+      if not @matched and hash? attributes and not request_value? attributes
+        hash_iterate(attributes) do |k, _v|
+          check_argument result, k
+          return if @matched
+        end
       end
     end
 

data/lib/brakeman/checks/check_eol_ruby.rb

@@ -21,6 +21,8 @@ class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
     ['2.5.0', '2.5.99'] => Date.new(2021, 3, 31),
     ['2.6.0', '2.6.99'] => Date.new(2022, 3, 31),
     ['2.7.0', '2.7.99'] => Date.new(2023, 3, 31),
-    ['3.0.0', '2.8.99'] => Date.new(2024, 3, 31),
+    ['3.0.0', '3.0.99'] => Date.new(2024, 3, 31),
+    ['3.1.0', '3.1.99'] => Date.new(2025, 3, 31),
+    ['3.2.0', '3.2.99'] => Date.new(2026, 3, 31),
   }
 end

data/lib/brakeman/report/report_github.rb

@@ -1,4 +1,4 @@
-# Github Actions Formatter
+# GitHub Actions Formatter
 # Formats warnings as workflow commands to create annotations in GitHub UI
 class Brakeman::Report::Github < Brakeman::Report::Base
   def generate_report

data/lib/brakeman/scanner.rb

@@ -1,6 +1,5 @@
 begin
   Brakeman.load_brakeman_dependency 'ruby_parser'
-  Brakeman.load_brakeman_dependency 'ruby_parser/legacy'
   require 'ruby_parser/bm_sexp.rb'
   require 'ruby_parser/bm_sexp_processor.rb'
   require 'brakeman/processor'

data/lib/brakeman/tracker/config.rb

@@ -20,9 +20,7 @@ module Brakeman
 
     def default_protect_from_forgery?
       if version_between? "5.2.0.beta1", "9.9.9"
-        if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:false)
-          return false
-        else
+        if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:true)
           return true
         end
       end
@@ -191,13 +189,19 @@ module Brakeman
     # Load defaults based on config.load_defaults value
     # as documented here: https://guides.rubyonrails.org/configuring.html#results-of-config-load-defaults
     def load_rails_defaults
-      return unless number? tracker.config.rails[:load_defaults]
+      return unless node_type? tracker.config.rails[:load_defaults], :lit, :str
+
+      version = tracker.config.rails[:load_defaults].value.to_s
+
+      unless version.match? /^\d+\.\d+$/
+        Brakeman.debug "[Notice] Unknown version: #{tracker.config.rails[:load_defaults]}"
+        return
+      end
 
-      version = tracker.config.rails[:load_defaults].value
       true_value = Sexp.new(:true)
       false_value = Sexp.new(:false)
 
-      if version >= 5.0
+      if version >= '5.0'
         set_rails_config(value: true_value, path: [:action_controller, :per_form_csrf_tokens])
         set_rails_config(value: true_value, path: [:action_controller, :forgery_protection_origin_check])
         set_rails_config(value: true_value, path: [:active_record, :belongs_to_required_by_default])
@@ -205,12 +209,12 @@ module Brakeman
         set_rails_config(value: true_value, path: [:ssl_options, :hsts, :subdomains])
       end
 
-      if version >= 5.1
+      if version >= '5.1'
         set_rails_config(value: false_value, path: [:assets, :unknown_asset_fallback])
         set_rails_config(value: true_value, path: [:action_view, :form_with_generates_remote_forms])
       end
 
-      if version >= 5.2
+      if version >= '5.2'
         set_rails_config(value: true_value, path: [:active_record, :cache_versioning])
         set_rails_config(value: true_value, path: [:action_dispatch, :use_authenticated_cookie_encryption])
         set_rails_config(value: true_value, path: [:active_support, :use_authenticated_message_encryption])
@@ -219,7 +223,7 @@ module Brakeman
         set_rails_config(value: true_value, path: [:action_view, :form_with_generates_ids])
       end
 
-      if version >= 6.0
+      if version >= '6.0'
         set_rails_config(value: Sexp.new(:lit, :zeitwerk), path: [:autoloader])
         set_rails_config(value: false_value, path: [:action_view, :default_enforce_utf8])
         set_rails_config(value: true_value, path: [:action_dispatch, :use_cookies_with_metadata])
@@ -232,7 +236,7 @@ module Brakeman
         set_rails_config(value: true_value, path: [:active_record, :collection_cache_versioning])
       end
 
-      if version >= 6.1
+      if version >= '6.1'
         set_rails_config(value: true_value, path: [:action_controller, :urlsafe_csrf_tokens])
         set_rails_config(value: Sexp.new(:lit, :lax), path: [:action_dispatch, :cookies_same_site_protection])
         set_rails_config(value: Sexp.new(:lit, 308), path: [:action_dispatch, :ssl_default_redirect_status])
@@ -244,7 +248,7 @@ module Brakeman
         set_rails_config(value: true_value, path: [:active_storage, :track_variants])
       end
 
-      if version >= 7.0
+      if version >= '7.0'
         video_args =
           Sexp.new(:str, "-vf 'select=eq(n\\,0)+eq(key\\,1)+gt(scene\\,0.015),loop=loop=-1:size=2,trim=start_frame=1' -frames:v 1 -f image2")
         hash_class = s(:colon2, s(:colon2, s(:const, :OpenSSL), :Digest), :SHA256)

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.4.1"
+  Version = "6.0.1"
 end

data/lib/brakeman.rb

@@ -493,10 +493,14 @@ module Brakeman
     end
 
     tracker = run(options)
+    new_report = JSON.parse(tracker.report.to_json, symbolize_names: true)
 
-    new_results = JSON.parse(tracker.report.to_json, :symbolize_names => true)[:warnings]
+    new_results = new_report[:warnings]
+    obsolete_ignored = tracker.unused_fingerprints
 
-    Brakeman::Differ.new(new_results, previous_results).diff
+    Brakeman::Differ.new(new_results, previous_results).diff.tap do |diff|
+      diff[:obsolete] = obsolete_ignored
+    end
   end
 
   def self.load_brakeman_dependency name, allow_fail = false

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 5.4.1
+  version: 6.0.1
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-21 00:00:00.000000000 Z
+date: 2023-07-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -94,20 +94,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.19'
-- !ruby/object:Gem::Dependency
-  name: ruby_parser-legacy
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: sexp_processor
   requirement: !ruby/object:Gem::Requirement