RubyGems - brakeman-lib - Versions diffs - 6.1.1 → 6.1.2 - Mend

brakeman-lib 6.1.1 → 6.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/CHANGES.md +10 -0
data/lib/brakeman/checks/check_eol_ruby.rb +1 -0
data/lib/brakeman/checks/check_render.rb +6 -1
data/lib/brakeman/checks/check_session_settings.rb +2 -3
data/lib/brakeman/processors/alias_processor.rb +7 -2
data/lib/brakeman/report/pager.rb +1 -1
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman.rb +2 -3
metadata +5 -19

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0b89b0353523514b8819b4ed449276342d9883af30c3e5423877bdb3e1cabcda
-  data.tar.gz: '086460da761b50303f40d50c746f6fbfa4d1e13cc10114686070e369f1ede8e5'
+  metadata.gz: 5c304c8cdc5e9e696b5e8780433a1bc611f89e0ea2f0c1c56b3e8a11547a7d1a
+  data.tar.gz: eab139739dbe7b93277f36d8909a8d49a283172879df524fc691386823e2ba68
 SHA512:
-  metadata.gz: 6ac67a29e813bedb49ed66f072b55620b79dec4455dedaa7b45e5ceb16f8ce4069f2503ddd573878346c691fef77f58a2406c7c7b98e431f77ea22951931e30b
-  data.tar.gz: 82463b407d116db17fc8d3c020f560944d22f1feedf88efeb67ab732d414e59d96d258a18e9da19e5868f26c4d45cc536842fe548d07ed3080bb06dd2e5d84d7
+  metadata.gz: d790830a233a7543427ff1236e1929342cf3e4a42b207eb557a3502d237e39f674a27fd74b881acbd92348539f9318eab9ea1718e7fbe570a1cedca3278c5c06
+  data.tar.gz: 23c77975be13a621836f59f2cad832fc94add807b70db5c8809c888a1bf2229345154eb61adb65510c6abf067e10646ba6df1935565defac4753b365ea30fb5b

data/CHANGES.md CHANGED Viewed

@@ -1,3 +1,13 @@
+# 6.1.2 - 2024-02-01
+* Update Highline to 3.0
+* Add EOL date for Ruby 3.3.0
+* Avoid copying Sexps that are too large
+* Avoid detecting `ViewComponentContrib::Base` as dynamic render paths (vividmuimui)
+* Remove deprecated use of `Kernel#open("|...")`
+* Remove `safe_yaml` gem dependency
+* Avoid detecting Phlex components as dynamic render paths (Máximo Mussini)
 # 6.1.1 - 2023-12-24
 * Handle racc as a default gem in Ruby 3.3.0

data/lib/brakeman/checks/check_eol_ruby.rb CHANGED Viewed

@@ -24,5 +24,6 @@ class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
     ['3.0.0', '3.0.99'] => Date.new(2024, 3, 31),
     ['3.1.0', '3.1.99'] => Date.new(2025, 3, 31),
     ['3.2.0', '3.2.99'] => Date.new(2026, 3, 31),
+    ['3.3.0', '3.3.99'] => Date.new(2027, 3, 31),
   }
 end

data/lib/brakeman/checks/check_render.rb CHANGED Viewed

@@ -108,6 +108,11 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
   def known_renderable_class? class_name
     klass = tracker.find_class(class_name)
     return false if klass.nil?
-    klass.ancestor? :"ViewComponent::Base"
+    knowns = [
+      :"ViewComponent::Base",
+      :"ViewComponentContrib::Base",
+      :"Phlex::HTML"
+    ]
+    knowns.any? { |k| klass.ancestor? k }
   end
 end

data/lib/brakeman/checks/check_session_settings.rb CHANGED Viewed

@@ -116,10 +116,9 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
     if secrets_file.exists? and not ignored? "secrets.yml" and not ignored? "config/*.yml"
       yaml = secrets_file.read
-      require 'date' # https://github.com/dtao/safe_yaml/issues/80
-      require 'safe_yaml/load'
+      require 'yaml'
       begin
-        secrets = SafeYAML.load yaml
+        secrets = YAML.safe_load yaml
       rescue Psych::SyntaxError, RuntimeError => e
         Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
         Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"

data/lib/brakeman/processors/alias_processor.rb CHANGED Viewed

@@ -32,6 +32,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     @or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
     @meth_env = nil
     @current_file = current_file
+    @mass_limit = (tracker && tracker.options[:mass_limit]) || 1000 # arbitrary default
     set_env_defaults
   end
@@ -82,8 +83,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def replace exp, int = 0
     return exp if int > 3
-    if replacement = env[exp] and not duplicate? replacement
-      replace(replacement.deep_clone(exp.line), int + 1)
+    if replacement = env[exp]
+      if not duplicate? replacement and replacement.mass < @mass_limit
+        replace(replacement.deep_clone(exp.line), int + 1)
+      else
+        exp
+      end
     elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
       replace(replacement.deep_clone(exp.line), int + 1)
     else

data/lib/brakeman/report/pager.rb CHANGED Viewed

@@ -52,7 +52,7 @@ module Brakeman
     def page_via_less text
       # Adapted from https://github.com/piotrmurach/tty-pager/
-      write_io = open("|less #{less_options.join}", 'w')
+      write_io = IO.popen("less #{less_options.join}", 'w')
       pid = write_io.pid
       write_io.write(text)

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "6.1.1"
+  Version = "6.1.2"
 end

data/lib/brakeman.rb CHANGED Viewed

@@ -128,9 +128,8 @@ module Brakeman
     #Load configuration file
     if config = config_file(custom_location, app_path)
-      require 'date' # https://github.com/dtao/safe_yaml/issues/80
-      self.load_brakeman_dependency 'safe_yaml/load'
-      options = SafeYAML.load_file config, :deserialize_symbols => true
+      require 'yaml'
+      options = YAML.safe_load_file config, permitted_classes: [Symbol], symbolize_names: true
       if options
         options.each { |k, v| options[k] = Set.new v if v.is_a? Array }

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 6.1.1
+  version: 6.1.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-12-24 00:00:00.000000000 Z
+date: 2024-02-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -122,20 +122,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.4.0
-- !ruby/object:Gem::Dependency
-  name: safe_yaml
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: racc
   requirement: !ruby/object:Gem::Requirement
@@ -170,14 +156,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: erubis
   requirement: !ruby/object:Gem::Requirement
@@ -466,7 +452,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.