brakeman-lib 6.1.1 → 6.1.2

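--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 0b89b0353523514b8819b4ed449276342d9883af30c3e5423877bdb3e1cabcda
-data.tar.gz: '086460da761b50303f40d50c746f6fbfa4d1e13cc10114686070e369f1ede8e5'
+metadata.gz: 5c304c8cdc5e9e696b5e8780433a1bc611f89e0ea2f0c1c56b3e8a11547a7d1a
+data.tar.gz: eab139739dbe7b93277f36d8909a8d49a283172879df524fc691386823e2ba68
 SHA512:
-metadata.gz: 6ac67a29e813bedb49ed66f072b55620b79dec4455dedaa7b45e5ceb16f8ce4069f2503ddd573878346c691fef77f58a2406c7c7b98e431f77ea22951931e30b
-data.tar.gz: 82463b407d116db17fc8d3c020f560944d22f1feedf88efeb67ab732d414e59d96d258a18e9da19e5868f26c4d45cc536842fe548d07ed3080bb06dd2e5d84d7
+metadata.gz: d790830a233a7543427ff1236e1929342cf3e4a42b207eb557a3502d237e39f674a27fd74b881acbd92348539f9318eab9ea1718e7fbe570a1cedca3278c5c06
+data.tar.gz: 23c77975be13a621836f59f2cad832fc94add807b70db5c8809c888a1bf2229345154eb61adb65510c6abf067e10646ba6df1935565defac4753b365ea30fb5b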
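--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,13 @@
+# 6.1.2 - 2024-02-01
+
+* Update Highline to 3.0
+* Add EOL date for Ruby 3.3.0
+* Avoid copying Sexps that are too large
+* Avoid detecting `ViewComponentContrib::Base` as dynamic render paths (vividmuimui)
+* Remove deprecated use of `Kernel#open("|...")`
+* Remove `safe_yaml` gem dependency
+* Avoid detecting Phlex components as dynamic render paths (Máximo Mussini)
+
 # 6.1.1 - 2023-12-24
 
 * Handle racc as a default gem in Ruby 3.3.0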
@@ -24,5 +24,6 @@ class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
24
24
  ['3.0.0', '3.0.99'] => Date.new(2024, 3, 31),
25
25
  ['3.1.0', '3.1.99'] => Date.new(2025, 3, 31),
26
26
  ['3.2.0', '3.2.99'] => Date.new(2026, 3, 31),
27
+ ['3.3.0', '3.3.99'] => Date.new(2027, 3, 31),
27
28
  }
28
29
  end
@@ -108,6 +108,11 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
108
108
  def known_renderable_class? class_name
109
109
  klass = tracker.find_class(class_name)
110
110
  return false if klass.nil?
111
- klass.ancestor? :"ViewComponent::Base"
111
+ knowns = [
112
+ :"ViewComponent::Base",
113
+ :"ViewComponentContrib::Base",
114
+ :"Phlex::HTML"
115
+ ]
116
+ knowns.any? { |k| klass.ancestor? k }
112
117
  end
113
118
  end
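Review bot: The `knowns` array on the new side is rebuilt on every call to `known_renderable_class?`, which runs once per render site; a frozen class-level constant reads better and makes the allow-list discoverable, e.g. `KNOWN_RENDERABLE_BASES = %i[ViewComponent::Base ViewComponentContrib::Base Phlex::HTML].freeze` with `KNOWN_RENDERABLE_BASES.any? { |k| klass.ancestor? k }`. Because a match here suppresses the dynamic-render-path finding, a one-line comment on the list explaining why these bases are trusted (presumably because they render a component instance rather than a caller-supplied template path) would help the next maintainer judge future additions. Whether further Phlex base classes belong on the list cannot be judged from this hunk. The enclosing class continues outside the hunk.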
@@ -116,10 +116,9 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
116
116
 
117
117
  if secrets_file.exists? and not ignored? "secrets.yml" and not ignored? "config/*.yml"
118
118
  yaml = secrets_file.read
119
- require 'date' # https://github.com/dtao/safe_yaml/issues/80
120
- require 'safe_yaml/load'
119
+ require 'yaml'
121
120
  begin
122
- secrets = SafeYAML.load yaml
121
+ secrets = YAML.safe_load yaml
123
122
  rescue Psych::SyntaxError, RuntimeError => e
124
123
  Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
125
124
  Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"
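Review bot: `YAML.safe_load yaml` on the new side rejects YAML anchors and aliases by default, so a secrets.yml that shares values with `<<: *default` will raise (`Psych::BadAlias` / `Psych::AliasesNotEnabled`, both `RuntimeError` descendants), fall into the rescue below and be reported only as "Unable to parse" — the hard-coded-secret check is then silently skipped for exactly the files that reuse one secret across environments. If the previous SafeYAML path accepted aliases this is a coverage regression; `secrets = YAML.safe_load yaml, aliases: true` keeps the safe loader while restoring it. Enabling aliases on a local config file does not reintroduce the object-instantiation risk this change removes, although a pathological alias expansion remains a parse-time cost. The surrounding method continues outside the hunk.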
@@ -32,6 +32,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
32
32
  @or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
33
33
  @meth_env = nil
34
34
  @current_file = current_file
35
+ @mass_limit = (tracker && tracker.options[:mass_limit]) || 1000 # arbitrary default
35
36
  set_env_defaults
36
37
  end
37
38
 
@@ -82,8 +83,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
82
83
  def replace exp, int = 0
83
84
  return exp if int > 3
84
85
 
85
- if replacement = env[exp] and not duplicate? replacement
86
- replace(replacement.deep_clone(exp.line), int + 1)
86
+ if replacement = env[exp]
87
+ if not duplicate? replacement and replacement.mass < @mass_limit
88
+ replace(replacement.deep_clone(exp.line), int + 1)
89
+ else
90
+ exp
91
+ end
87
92
  elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
88
93
  replace(replacement.deep_clone(exp.line), int + 1)
89
94
  else
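Review bot: The new mass guard applies only to replacements found in `env`; the `elsif` branch on the constant-lookup path still calls `replacement.deep_clone` with no size check, so an oversized constant Sexp is copied exactly as before. Extending the condition there, `elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement and replacement.mass < @mass_limit`, makes the limit hold on both paths. The restructure also changes fall-through: previously an `env` hit that was a duplicate fell into the constant-lookup branch, whereas now it returns `exp`; if that is intended, a short comment on the inner `else` saying so would stop a future reader from "fixing" it. `replace` continues past the end of the hunk.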
@@ -52,7 +52,7 @@ module Brakeman
52
52
  def page_via_less text
53
53
  # Adapted from https://github.com/piotrmurach/tty-pager/
54
54
 
55
- write_io = open("|less #{less_options.join}", 'w')
55
+ write_io = IO.popen("less #{less_options.join}", 'w')
56
56
  pid = write_io.pid
57
57
 
58
58
  write_io.write(text)
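Review bot: `IO.popen("less #{less_options.join}", 'w')` still hands the command to `/bin/sh -c` whenever the string contains shell metacharacters, so dropping `Kernel#open("|…")` narrows but does not eliminate shell involvement, and it also relies on `join` producing correctly spaced flags. If `less_options` is an array of individual flags, `write_io = IO.popen(['less', *less_options], 'w')` is the drop-in replacement that bypasses the shell entirely; if it is a single pre-formatted string it should be split first. `less_options` is defined outside the hunk, so whether it can ever carry user-influenced text cannot be judged here, which is precisely why the array form is preferable. The method continues after the hunk.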
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "6.1.1"
2
+ Version = "6.1.2"
3
3
  end
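--- a/data/lib/brakeman.rb
+++ b/data/lib/brakeman.rb
@@ -128,9 +128,8 @@ module Brakeman
 
 #Load configuration file
 if config = config_file(custom_location, app_path)
-require 'date' # https://github.com/dtao/safe_yaml/issues/80
-self.load_brakeman_dependency 'safe_yaml/load'
-options = SafeYAML.load_file config, :deserialize_symbols => true
+require 'yaml'
+options = YAML.safe_load_file config, permitted_classes: [Symbol], symbolize_names: true
 
 if options
 options.each { |k, v| options[k] = Set.new v if v.is_a? Array }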
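Review bot: `YAML.safe_load_file config, permitted_classes: [Symbol], symbolize_names: true` changes the shape of the loaded options, not only the loader: `symbolize_names` turns every key into a Symbol, whereas the old `deserialize_symbols` only converted explicit `:key` entries and left plain `key:` strings as strings, so config files that previously yielded string keys now yield symbols. That is probably the intended normalisation, but a comment beside the call recording the difference from 6.1.1 would put it on record. The safe loader also disables anchors/aliases by default and no rescue is visible here, so a config using `&defaults`/`*defaults` now aborts with a Psych error instead of loading; `aliases: true` restores that if it was accepted before. `YAML.safe_load_file` exists from Psych 3.3 (the version bundled with Ruby 3.0); if the gem still admits older Rubies, confirm the psych floor.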
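--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-version: 6.1.1
+version: 6.1.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-12-24 00:00:00.000000000 Z
+date: 2024-02-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -122,20 +122,6 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: 2.4.0
-- !ruby/object:Gem::Dependency
-name: safe_yaml
-requirement: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '1.0'
-type: :runtime
-prerelease: false
-version_requirements: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '1.0'
 - !ruby/object:Gem::Dependency
 name: racc
 requirement: !ruby/object:Gem::Requirement
@@ -170,14 +156,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '2.0'
+version: '3.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '2.0'
+version: '3.0'
 - !ruby/object:Gem::Dependency
 name: erubis
 requirement: !ruby/object:Gem::Requirement
@@ -466,7 +452,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.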