brakeman-lib 6.1.0 → 6.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +14 -0
  3. data/lib/brakeman/checks/check_eol_ruby.rb +1 -0
  4. data/lib/brakeman/checks/check_render.rb +6 -1
  5. data/lib/brakeman/checks/check_session_settings.rb +2 -3
  6. data/lib/brakeman/processors/alias_processor.rb +7 -2
  7. data/lib/brakeman/report/pager.rb +1 -1
  8. data/lib/brakeman/version.rb +1 -1
  9. data/lib/brakeman.rb +2 -3
  10. metadata +8 -8
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 121dc05b33eccbae05d0ff68b37baec12e2e3fbbc7c575a7cfe3e5c36cfb557b
4
- data.tar.gz: bb7c6fe91660f3f766a23fdf6a54398c4f417b8be05d6354bdbe3a36e7fe3761
3
+ metadata.gz: 5c304c8cdc5e9e696b5e8780433a1bc611f89e0ea2f0c1c56b3e8a11547a7d1a
4
+ data.tar.gz: eab139739dbe7b93277f36d8909a8d49a283172879df524fc691386823e2ba68
5
5
  SHA512:
6
- metadata.gz: 2d8e948cb8cf55ad27d4760e391c6b028a921b4c4b171aef41bcb9420f100a38792ea28816e653446aeceec950f94b6cbb367d089c90bc20ed574be4d7490293
7
- data.tar.gz: ee6425b330db3397bd4c5a53e4c096b5affb39c91936408493f270277a6cce93f796809a11c8f407300e741f279b03aa5555c05306a73049982d01034ae28018
6
+ metadata.gz: d790830a233a7543427ff1236e1929342cf3e4a42b207eb557a3502d237e39f674a27fd74b881acbd92348539f9318eab9ea1718e7fbe570a1cedca3278c5c06
7
+ data.tar.gz: 23c77975be13a621836f59f2cad832fc94add807b70db5c8809c888a1bf2229345154eb61adb65510c6abf067e10646ba6df1935565defac4753b365ea30fb5b
data/CHANGES.md CHANGED
@@ -1,3 +1,17 @@
1
+ # 6.1.2 - 2024-02-01
2
+
3
+ * Update Highline to 3.0
4
+ * Add EOL date for Ruby 3.3.0
5
+ * Avoid copying Sexps that are too large
6
+ * Avoid detecting `ViewComponentContrib::Base` as dynamic render paths (vividmuimui)
7
+ * Remove deprecated use of `Kernel#open("|...")`
8
+ * Remove `safe_yaml` gem dependency
9
+ * Avoid detecting Phlex components as dynamic render paths (Máximo Mussini)
10
+
11
+ # 6.1.1 - 2023-12-24
12
+
13
+ * Handle racc as a default gem in Ruby 3.3.0
14
+
1
15
  # 6.1.0 - 2023-12-04
2
16
 
3
17
  * Add `--timing` to add timing duration for scan steps
data/lib/brakeman/checks/check_eol_ruby.rb CHANGED
@@ -24,5 +24,6 @@ class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
24
24
  ['3.0.0', '3.0.99'] => Date.new(2024, 3, 31),
25
25
  ['3.1.0', '3.1.99'] => Date.new(2025, 3, 31),
26
26
  ['3.2.0', '3.2.99'] => Date.new(2026, 3, 31),
27
+ ['3.3.0', '3.3.99'] => Date.new(2027, 3, 31),
27
28
  }
28
29
  end
data/lib/brakeman/checks/check_render.rb CHANGED
@@ -108,6 +108,11 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
108
108
  def known_renderable_class? class_name
109
109
  klass = tracker.find_class(class_name)
110
110
  return false if klass.nil?
111
- klass.ancestor? :"ViewComponent::Base"
111
+ knowns = [
112
+ :"ViewComponent::Base",
113
+ :"ViewComponentContrib::Base",
114
+ :"Phlex::HTML"
115
+ ]
116
+ knowns.any? { |k| klass.ancestor? k }
112
117
  end
113
118
  end
data/lib/brakeman/checks/check_session_settings.rb CHANGED
@@ -116,10 +116,9 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
116
116
 
117
117
  if secrets_file.exists? and not ignored? "secrets.yml" and not ignored? "config/*.yml"
118
118
  yaml = secrets_file.read
119
- require 'date' # https://github.com/dtao/safe_yaml/issues/80
120
- require 'safe_yaml/load'
119
+ require 'yaml'
121
120
  begin
122
- secrets = SafeYAML.load yaml
121
+ secrets = YAML.safe_load yaml
123
122
  rescue Psych::SyntaxError, RuntimeError => e
124
123
  Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
125
124
  Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"
data/lib/brakeman/processors/alias_processor.rb CHANGED
@@ -32,6 +32,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
32
32
  @or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
33
33
  @meth_env = nil
34
34
  @current_file = current_file
35
+ @mass_limit = (tracker && tracker.options[:mass_limit]) || 1000 # arbitrary default
35
36
  set_env_defaults
36
37
  end
37
38
 
@@ -82,8 +83,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
82
83
  def replace exp, int = 0
83
84
  return exp if int > 3
84
85
 
85
- if replacement = env[exp] and not duplicate? replacement
86
- replace(replacement.deep_clone(exp.line), int + 1)
86
+ if replacement = env[exp]
87
+ if not duplicate? replacement and replacement.mass < @mass_limit
88
+ replace(replacement.deep_clone(exp.line), int + 1)
89
+ else
90
+ exp
91
+ end
87
92
  elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
88
93
  replace(replacement.deep_clone(exp.line), int + 1)
89
94
  else
data/lib/brakeman/report/pager.rb CHANGED
@@ -52,7 +52,7 @@ module Brakeman
52
52
  def page_via_less text
53
53
  # Adapted from https://github.com/piotrmurach/tty-pager/
54
54
 
55
- write_io = open("|less #{less_options.join}", 'w')
55
+ write_io = IO.popen("less #{less_options.join}", 'w')
56
56
  pid = write_io.pid
57
57
 
58
58
  write_io.write(text)
data/lib/brakeman/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "6.1.0"
2
+ Version = "6.1.2"
3
3
  end
data/lib/brakeman.rb CHANGED
@@ -128,9 +128,8 @@ module Brakeman
128
128
 
129
129
  #Load configuration file
130
130
  if config = config_file(custom_location, app_path)
131
- require 'date' # https://github.com/dtao/safe_yaml/issues/80
132
- self.load_brakeman_dependency 'safe_yaml/load'
133
- options = SafeYAML.load_file config, :deserialize_symbols => true
131
+ require 'yaml'
132
+ options = YAML.safe_load_file config, permitted_classes: [Symbol], symbolize_names: true
134
133
 
135
134
  if options
136
135
  options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman-lib
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.1.0
4
+ version: 6.1.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-12-05 00:00:00.000000000 Z
11
+ date: 2024-02-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest
@@ -123,19 +123,19 @@ dependencies:
123
123
  - !ruby/object:Gem::Version
124
124
  version: 2.4.0
125
125
  - !ruby/object:Gem::Dependency
126
- name: safe_yaml
126
+ name: racc
127
127
  requirement: !ruby/object:Gem::Requirement
128
128
  requirements:
129
129
  - - ">="
130
130
  - !ruby/object:Gem::Version
131
- version: '1.0'
131
+ version: '0'
132
132
  type: :runtime
133
133
  prerelease: false
134
134
  version_requirements: !ruby/object:Gem::Requirement
135
135
  requirements:
136
136
  - - ">="
137
137
  - !ruby/object:Gem::Version
138
- version: '1.0'
138
+ version: '0'
139
139
  - !ruby/object:Gem::Dependency
140
140
  name: terminal-table
141
141
  requirement: !ruby/object:Gem::Requirement
@@ -156,14 +156,14 @@ dependencies:
156
156
  requirements:
157
157
  - - "~>"
158
158
  - !ruby/object:Gem::Version
159
- version: '2.0'
159
+ version: '3.0'
160
160
  type: :runtime
161
161
  prerelease: false
162
162
  version_requirements: !ruby/object:Gem::Requirement
163
163
  requirements:
164
164
  - - "~>"
165
165
  - !ruby/object:Gem::Version
166
- version: '2.0'
166
+ version: '3.0'
167
167
  - !ruby/object:Gem::Dependency
168
168
  name: erubis
169
169
  requirement: !ruby/object:Gem::Requirement
@@ -452,7 +452,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
452
452
  - !ruby/object:Gem::Version
453
453
  version: '0'
454
454
  requirements: []
455
- rubygems_version: 3.3.3
455
+ rubygems_version: 3.5.3
456
456
  signing_key:
457
457
  specification_version: 4
458
458
  summary: Security vulnerability scanner for Ruby on Rails.