brakeman-lib 6.1.0 → 6.1.2

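--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 121dc05b33eccbae05d0ff68b37baec12e2e3fbbc7c575a7cfe3e5c36cfb557b
-data.tar.gz: bb7c6fe91660f3f766a23fdf6a54398c4f417b8be05d6354bdbe3a36e7fe3761
+metadata.gz: 5c304c8cdc5e9e696b5e8780433a1bc611f89e0ea2f0c1c56b3e8a11547a7d1a
+data.tar.gz: eab139739dbe7b93277f36d8909a8d49a283172879df524fc691386823e2ba68
 SHA512:
-metadata.gz: 2d8e948cb8cf55ad27d4760e391c6b028a921b4c4b171aef41bcb9420f100a38792ea28816e653446aeceec950f94b6cbb367d089c90bc20ed574be4d7490293
-data.tar.gz: ee6425b330db3397bd4c5a53e4c096b5affb39c91936408493f270277a6cce93f796809a11c8f407300e741f279b03aa5555c05306a73049982d01034ae28018
+metadata.gz: d790830a233a7543427ff1236e1929342cf3e4a42b207eb557a3502d237e39f674a27fd74b881acbd92348539f9318eab9ea1718e7fbe570a1cedca3278c5c06
+data.tar.gz: 23c77975be13a621836f59f2cad832fc94add807b70db5c8809c888a1bf2229345154eb61adb65510c6abf067e10646ba6df1935565defac4753b365ea30fb5b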
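--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,17 @@
+# 6.1.2 - 2024-02-01
+
+* Update Highline to 3.0
+* Add EOL date for Ruby 3.3.0
+* Avoid copying Sexps that are too large
+* Avoid detecting `ViewComponentContrib::Base` as dynamic render paths (vividmuimui)
+* Remove deprecated use of `Kernel#open("|...")`
+* Remove `safe_yaml` gem dependency
+* Avoid detecting Phlex components as dynamic render paths (Máximo Mussini)
+
+# 6.1.1 - 2023-12-24
+
+* Handle racc as a default gem in Ruby 3.3.0
+
 # 6.1.0 - 2023-12-04
 
 * Add `--timing` to add timing duration for scan steps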
@@ -24,5 +24,6 @@ class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
24
24
  ['3.0.0', '3.0.99'] => Date.new(2024, 3, 31),
25
25
  ['3.1.0', '3.1.99'] => Date.new(2025, 3, 31),
26
26
  ['3.2.0', '3.2.99'] => Date.new(2026, 3, 31),
27
+ ['3.3.0', '3.3.99'] => Date.new(2027, 3, 31),
27
28
  }
28
29
  end
@@ -108,6 +108,11 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
108
108
  def known_renderable_class? class_name
109
109
  klass = tracker.find_class(class_name)
110
110
  return false if klass.nil?
111
- klass.ancestor? :"ViewComponent::Base"
111
+ knowns = [
112
+ :"ViewComponent::Base",
113
+ :"ViewComponentContrib::Base",
114
+ :"Phlex::HTML"
115
+ ]
116
+ knowns.any? { |k| klass.ancestor? k }
112
117
  end
113
118
  end
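Review bot: The `knowns` array on the new lines is rebuilt on every call of `known_renderable_class?`, and since it is an allow-list that suppresses dynamic-render-path warnings it deserves a named, frozen home rather than a local; hoist it to a class-level constant such as `KNOWN_RENDERABLE_BASES = %i[ViewComponent::Base ViewComponentContrib::Base Phlex::HTML].freeze` and reduce the method body to `KNOWN_RENDERABLE_BASES.any? { |k| klass.ancestor? k }`. A one-line comment on the constant stating what qualifies a base class for the list (presumably that its subclasses render only their own template, so a dynamic class name cannot steer a file lookup — confirm) would keep future additions honest. Phlex also ships `Phlex::SVG` as a base; if SVG components should be treated the same way they are not covered by this list. The check class continues outside the hunk.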
@@ -116,10 +116,9 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
116
116
 
117
117
  if secrets_file.exists? and not ignored? "secrets.yml" and not ignored? "config/*.yml"
118
118
  yaml = secrets_file.read
119
- require 'date' # https://github.com/dtao/safe_yaml/issues/80
120
- require 'safe_yaml/load'
119
+ require 'yaml'
121
120
  begin
122
- secrets = SafeYAML.load yaml
121
+ secrets = YAML.safe_load yaml
123
122
  rescue Psych::SyntaxError, RuntimeError => e
124
123
  Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
125
124
  Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"
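Review bot: `YAML.safe_load yaml` on the new line parses with aliases disabled, so a `secrets.yml` that uses anchors/aliases (the common `<<: *default` pattern) now raises a `Psych::BadAlias` (or its `AliasesNotEnabled` subclass), which the `rescue Psych::SyntaxError, RuntimeError` two lines below catches because Psych's exceptions derive from `RuntimeError` — the file is then skipped with only a `[Notice]` and the session-settings check silently does nothing for it. Unless the removed SafeYAML loader rejected aliases too (worth a test with an aliased fixture), passing `secrets = YAML.safe_load yaml, aliases: true` restores parsing of such files while still refusing arbitrary object tags; the keyword form is only accepted by newer Psych, so gate it on the gem's supported Ruby range. The same alias default applies to the `YAML.safe_load_file` call in the data/lib/brakeman.rb hunk, where no rescue surrounds the call at all. The enclosing method starts before this hunk.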
@@ -32,6 +32,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
32
32
  @or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
33
33
  @meth_env = nil
34
34
  @current_file = current_file
35
+ @mass_limit = (tracker && tracker.options[:mass_limit]) || 1000 # arbitrary default
35
36
  set_env_defaults
36
37
  end
37
38
 
@@ -82,8 +83,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
82
83
  def replace exp, int = 0
83
84
  return exp if int > 3
84
85
 
85
- if replacement = env[exp] and not duplicate? replacement
86
- replace(replacement.deep_clone(exp.line), int + 1)
86
+ if replacement = env[exp]
87
+ if not duplicate? replacement and replacement.mass < @mass_limit
88
+ replace(replacement.deep_clone(exp.line), int + 1)
89
+ else
90
+ exp
91
+ end
87
92
  elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
88
93
  replace(replacement.deep_clone(exp.line), int + 1)
89
94
  else
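Review bot: The new `@mass_limit` guard is applied only to the `env[exp]` branch; the `tracker.constant_lookup(exp)` branch on the `elsif` line still deep-clones whatever it finds, so a large constant Sexp is copied on every reference exactly as before. For consistency give both branches the same condition, e.g. `if replacement = env[exp] and not duplicate? replacement and replacement.mass < @mass_limit` and `elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement and replacement.mass < @mass_limit`. Keeping the flat condition also preserves the old control flow: with the nested `if`/`else` introduced here, an env hit that is a duplicate or too large now returns `exp` immediately instead of falling through to the constant lookup and the final `else`, which may or may not be intended. A short comment next to the limit, such as `# bound the cost of copying replacements; see @mass_limit`, would explain the threshold. The `else` branch of `replace` continues outside the hunk.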
@@ -52,7 +52,7 @@ module Brakeman
52
52
  def page_via_less text
53
53
  # Adapted from https://github.com/piotrmurach/tty-pager/
54
54
 
55
- write_io = open("|less #{less_options.join}", 'w')
55
+ write_io = IO.popen("less #{less_options.join}", 'w')
56
56
  pid = write_io.pid
57
57
 
58
58
  write_io.write(text)
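Review bot: `IO.popen("less #{less_options.join}", 'w')` still hands a single command string to the OS, which is run through `/bin/sh` whenever the interpolated text contains shell metacharacters, so the safety of this line depends entirely on what `less_options` holds (defined outside the hunk). The argv form, `write_io = IO.popen(['less', *less_options], 'w')`, never involves a shell and is the idiomatic replacement for the removed `Kernel#open("|...")`; it also drops the `join`, which glues the options together with no separator, so confirm that each element of `less_options` is a complete flag before switching. With the argv form a missing `less` binary raises `Errno::ENOENT` from this call, and nothing in the hunk rescues it — check that a caller falls back to plain output.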
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "6.1.0"
2
+ Version = "6.1.2"
3
3
  end
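--- a/data/lib/brakeman.rb
+++ b/data/lib/brakeman.rb
@@ -128,9 +128,8 @@ module Brakeman
 
 #Load configuration file
 if config = config_file(custom_location, app_path)
-require 'date' # https://github.com/dtao/safe_yaml/issues/80
-self.load_brakeman_dependency 'safe_yaml/load'
-options = SafeYAML.load_file config, :deserialize_symbols => true
+require 'yaml'
+options = YAML.safe_load_file config, permitted_classes: [Symbol], symbolize_names: true
 
 if options
 options.each { |k, v| options[k] = Set.new v if v.is_a? Array }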
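Review bot: `symbolize_names: true` on the new `YAML.safe_load_file` line converts every string key (recursively) to a Symbol, which the replaced `SafeYAML.load_file ... :deserialize_symbols => true` did not do — it only let `:sym` literals through — so a config file written with plain `skip_checks:` keys is now accepted where it was previously ignored. That is probably a welcome widening, but it is a behaviour change that deserves a CHANGES.md line and a comment here, e.g. `# :sym keys/values are permitted; plain string keys are symbolized so both spellings work`. `YAML.safe_load_file` itself exists only in newer Psych (Ruby 3.0 ships it); if the gem's required Ruby version is older, `YAML.safe_load(File.read(config), permitted_classes: [Symbol], symbolize_names: true)` is the portable form. Unlike the secrets.yml reader elsewhere in this release, nothing here rescues Psych errors, so a malformed config aborts the run with a raw backtrace. The `if options` block continues outside the hunk.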
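--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-version: 6.1.0
+version: 6.1.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-12-05 00:00:00.000000000 Z
+date: 2024-02-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -123,19 +123,19 @@ dependencies:
 - !ruby/object:Gem::Version
 version: 2.4.0
 - !ruby/object:Gem::Dependency
-name: safe_yaml
+name: racc
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: '1.0'
+version: '0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: '1.0'
+version: '0'
 - !ruby/object:Gem::Dependency
 name: terminal-table
 requirement: !ruby/object:Gem::Requirement
@@ -156,14 +156,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '2.0'
+version: '3.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '2.0'
+version: '3.0'
 - !ruby/object:Gem::Dependency
 name: erubis
 requirement: !ruby/object:Gem::Requirement
@@ -452,7 +452,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.3.3
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.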