brakeman-lib 6.1.2 → 6.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5c304c8cdc5e9e696b5e8780433a1bc611f89e0ea2f0c1c56b3e8a11547a7d1a
-  data.tar.gz: eab139739dbe7b93277f36d8909a8d49a283172879df524fc691386823e2ba68
+  metadata.gz: 8505b612200322b0365a1cca12611c581c4e88c8c31e75bf1e0dcea14619b0e3
+  data.tar.gz: b18f6c46731b0ee1c026b01ae5fd1d9eb19c5ceea59e41d50edbe5c327ccfcb2
 SHA512:
-  metadata.gz: d790830a233a7543427ff1236e1929342cf3e4a42b207eb557a3502d237e39f674a27fd74b881acbd92348539f9318eab9ea1718e7fbe570a1cedca3278c5c06
-  data.tar.gz: 23c77975be13a621836f59f2cad832fc94add807b70db5c8809c888a1bf2229345154eb61adb65510c6abf067e10646ba6df1935565defac4753b365ea30fb5b
+  metadata.gz: 3f3b0612e2f45f362784fd26611ae76c2837a612378e7432f7131babca4edea4a1da63bc20d9862adde5309f28557634ebd16a4814749d82c39216e7d4690c56
+  data.tar.gz: af0a5e1edb1762bb76306c7899176f56fd806f02eaeb1c4b92dc1792445f7ebbf9de0c3a57b7c03a20f77d7e6b6452c327850b0ac69a4a10af1f2994dd94c90c

data/CHANGES.md

@@ -1,3 +1,17 @@
+# 6.2.0 - 2024-08-22
+
+* Add `--show-ignored` option (Gabriel Zayas)
+* Add optional support for Prism parser
+* Warn about unscoped finds with `find_by!`
+* Treat `::X` and `X` the same, for now (Jill Klang)
+* Fix compatibility with default frozen string literals (Jean Boussier)
+* Remediation advice for command injection (Nicholas Barone)
+* Fix Ruby warnings in test suite (Jean Boussier)
+* Support YAML aliases in secret configs (Chedli Bourguiba)
+* Add initial Rails 8 support (Ron Shinall)
+* Handle mass assignment with splats
+* Add support for symbolic links (Lu Zhu)
+
 # 6.1.2 - 2024-02-01
 
 * Update Highline to 3.0

data/README.md

@@ -18,7 +18,7 @@ Using Bundler:
 
 ```ruby
 group :development do
-  gem 'brakeman'
+  gem 'brakeman', require: false
 end
 ```
 
@@ -133,6 +133,10 @@ To create and manage this file, use:
 
     brakeman -I
 
+If you want to temporarily see the warnings you ignored without affecting the exit code, use:
+
+    brakeman --show-ignored
+
 # Warning information
 
 See [warning\_types](docs/warning_types) for more information on the warnings reported by this tool.

data/lib/brakeman/app_tree.rb

@@ -50,7 +50,7 @@ module Brakeman
           "#{Regexp.escape f}\\z"
         end
       end
-      Regexp.new("(?:" << path_regexes.join("|") << ")")
+      Regexp.new("(?:#{path_regexes.join("|")})")
     end
     private_class_method(:regex_for_paths)
 
@@ -161,9 +161,21 @@ module Brakeman
     end
 
     def glob_files(directory, name, extensions = ".rb")
-      pattern = "#{root_search_pattern}#{directory}/**/#{name}#{extensions}"
+      root_directory = "#{root_search_pattern}#{directory}"
+      patterns = ["#{root_directory}/**/#{name}#{extensions}"]
+
+      Dir.glob("#{root_directory}/**/*", File::FNM_DOTMATCH).each do |path|
+        if File.symlink?(path) && File.directory?(path)
+          symlink_target = File.readlink(path)
+          if Pathname.new(symlink_target).relative?
+            symlink_target = File.join(File.dirname(path), symlink_target)
+          end
+          patterns << "#{search_pattern(symlink_target)}/**/#{name}#{extensions}"
+        end
+      end
 
-      Dir.glob(pattern)
+      files = patterns.flat_map { |pattern| Dir.glob(pattern) }
+      files.uniq
     end
 
     def select_files(paths)
@@ -237,13 +249,16 @@ module Brakeman
 
     def root_search_pattern
       return @root_search_pattern if @root_search_pattern
+      @root_search_pattern = search_pattern(@root)
+    end
 
+    def search_pattern(root_dir)
       abs = @absolute_engine_paths.to_a.map { |path| path.gsub(/#{File::SEPARATOR}+$/, '') }
       rel = @relative_engine_paths.to_a.map { |path| path.gsub(/#{File::SEPARATOR}+$/, '') }
 
-      roots = ([@root] + abs).join(",")
+      roots = ([root_dir] + abs).join(",")
       rel_engines = (rel + [""]).join("/,")
-      @root_search_pattern = "{#{roots}}/{#{rel_engines}}"
+      "{#{roots}}/{#{rel_engines}}"
     end
 
     def prioritize_concerns paths

data/lib/brakeman/checks/check_session_settings.rb

@@ -118,7 +118,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
       yaml = secrets_file.read
       require 'yaml'
       begin
-        secrets = YAML.safe_load yaml
+        secrets = YAML.safe_load yaml, aliases: true
       rescue Psych::SyntaxError, RuntimeError => e
         Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
         Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"

data/lib/brakeman/checks/check_unscoped_find.rb

@@ -24,7 +24,7 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
       process_result call
     end
 
-    tracker.find_call(:method => :find_by, :targets => associated_model_names).each do |result|
+    tracker.find_call(:methods => [:find_by, :find_by!], :targets => associated_model_names).each do |result|
       arg = result[:call].first_arg
 
       if hash? arg and hash_access(arg, :id)

data/lib/brakeman/file_parser.rb

@@ -7,7 +7,18 @@ module Brakeman
   class FileParser
     attr_reader :file_list, :errors
 
-    def initialize app_tree, timeout, parallel = true
+    def initialize app_tree, timeout, parallel = true, use_prism = false
+      @use_prism = use_prism
+
+      if @use_prism
+        begin
+          require 'prism'
+        rescue LoadError => e
+          Brakeman.debug "Asked to use Prism, but failed to load: #{e}"
+          @use_prism = false
+        end
+      end
+
       @app_tree = app_tree
       @timeout = timeout
       @file_list = []
@@ -73,8 +84,29 @@ module Brakeman
         path = path.relative
       end
 
+      Brakeman.debug "Parsing #{path}"
+
+      if @use_prism
+        begin
+          parse_with_prism input, path
+        rescue => e
+          Brakeman.debug "Prism failed to parse #{path}: #{e}"
+
+          parse_with_ruby_parser input, path
+        end
+      else
+        parse_with_ruby_parser input, path
+      end
+    end
+
+    private
+
+    def parse_with_prism input, path
+      Prism::Translation::RubyParser.parse(input, path)
+    end
+
+    def parse_with_ruby_parser input, path
       begin
-        Brakeman.debug "Parsing #{path}"
         RubyParser.new.parse input, path, @timeout
       rescue Racc::ParseError => e
         raise e.exception(e.message + "\nCould not parse #{path}")

data/lib/brakeman/options.rb

@@ -101,6 +101,15 @@ module Brakeman::Options
           options[:rails7] = true
         end
 
+        opts.on "-8", "--rails8", "Force Rails 8 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+          options[:rails5] = true
+          options[:rails6] = true
+          options[:rails7] = true
+          options[:rails8] = true
+        end
+
         opts.separator ""
         opts.separator "Scanning options:"
 
@@ -150,6 +159,23 @@ module Brakeman::Options
           options[:parser_timeout] = timeout
         end
 
+        opts.on "--[no-]prism", "Use the Prism parser" do |use_prism|
+          if use_prism
+            prism_version = '0.30'
+
+            begin
+              # Specifying minimum version here,
+              # since it can't be in the gem dependency list because it is optional
+              gem 'prism', "~>#{prism_version}"
+            rescue Gem::MissingSpecVersionError, Gem::MissingSpecError, Gem::LoadError => e
+              $stderr.puts "Please install `prism` version #{prism_version} or newer:"
+              raise e
+            end
+          end
+
+          options[:use_prism] = use_prism
+        end
+
         opts.on "-r", "--report-direct", "Only report direct use of untrusted data" do |option|
           options[:check_arguments] = !option
         end
@@ -202,7 +228,7 @@ module Brakeman::Options
             if check.start_with? "Check"
               check
             else
-              "Check" << check
+              "Check#{check}"
             end
           end
 
@@ -213,7 +239,7 @@ module Brakeman::Options
         opts.on "-t", "--test Check1,Check2,etc", Array, "Only run the specified checks" do |checks|
           checks.each_with_index do |s, index|
             if s[0,5] != "Check"
-              checks[index] = "Check" << s
+              checks[index] = "Check#{s}"
             end
           end
 
@@ -224,7 +250,7 @@ module Brakeman::Options
         opts.on "-x", "--except Check1,Check2,etc", Array, "Skip the specified checks" do |skip|
           skip.each do |s|
             if s[0,5] != "Check"
-              s = "Check" << s
+              s = "Check#{s}"
             end
 
             options[:skip_checks] ||= Set.new
@@ -254,7 +280,7 @@ module Brakeman::Options
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text
-          options[:output_format] = ("to_" << type.to_s).to_sym
+          options[:output_format] = :"to_#{type}"
         end
 
         opts.on "--css-file CSSFile", "Specify CSS to use for HTML output" do |file|
@@ -269,6 +295,10 @@ module Brakeman::Options
           options[:interactive_ignore] = true
         end
 
+        opts.on "--show-ignored", "Show files that are usually ignored by the ignore configuration file" do
+          options[:show_ignored] = true
+        end
+
         opts.on "-l", "--[no-]combine-locations", "Combine warning locations (Default)" do |combine|
           options[:combine_locations] = combine
         end

data/lib/brakeman/parsers/erubis_patch.rb

@@ -0,0 +1,11 @@
+module Brakeman::ErubisPatch
+  # Simple patch to make `erubis` compatible with frozen string literals
+  def convert(input)
+    codebuf = +"" # Modified line, the rest is identitical
+    @preamble.nil? ? add_preamble(codebuf) : (@preamble && (codebuf << @preamble))
+    convert_input(codebuf, input)
+    @postamble.nil? ? add_postamble(codebuf) : (@postamble && (codebuf << @postamble))
+    @_proc = nil    # clear cached proc object
+    return codebuf  # or codebuf.join()
+  end
+end

data/lib/brakeman/parsers/rails2_erubis.rb

@@ -1,6 +1,9 @@
 Brakeman.load_brakeman_dependency 'erubis'
 
+require 'brakeman/parsers/erubis_patch'
+
 #Erubis processor which ignores any output which is plain text.
 class Brakeman::ScannerErubis < Erubis::Eruby
   include Erubis::NoTextEnhancer
+  include Brakeman::ErubisPatch
 end

data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb

@@ -1,7 +1,11 @@
 Brakeman.load_brakeman_dependency 'erubis'
 
+require 'brakeman/parsers/erubis_patch'
+
 #This is from the rails_xss plugin for Rails 2
 class Brakeman::Rails2XSSPluginErubis < ::Erubis::Eruby
+  include Brakeman::ErubisPatch
+
   def add_preamble(src)
     #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
   end

data/lib/brakeman/parsers/rails3_erubis.rb

@@ -1,11 +1,15 @@
 Brakeman.load_brakeman_dependency 'erubis'
 
+require 'brakeman/parsers/erubis_patch'
+
 # This is from Rails 5 version of the Erubis handler
 # https://github.com/rails/rails/blob/ec608107801b1e505db03ba76bae4a326a5804ca/actionview/lib/action_view/template/handlers/erb.rb#L7-L73
 class Brakeman::Rails3Erubis < ::Erubis::Eruby
+  include Brakeman::ErubisPatch
 
   def add_preamble(src)
     @newline_pending = 0
+    src << "_this_is_to_make_yields_syntactally_correct {"
     src << "@output_buffer = output_buffer || ActionView::OutputBuffer.new;"
   end
 
@@ -62,7 +66,7 @@ class Brakeman::Rails3Erubis < ::Erubis::Eruby
 
   def add_postamble(src)
     flush_newline_if_pending(src)
-    src << '@output_buffer.to_s'
+    src << '@output_buffer.to_s; }'
   end
 
   def flush_newline_if_pending(src)

data/lib/brakeman/parsers/slim_embedded.rb

@@ -2,6 +2,7 @@
 module Slim
   class Embedded
     class TiltEngine
+      alias_method :on_slim_embedded, :on_slim_embedded # silence redefined method warning
       def on_slim_embedded(engine, body, attrs)
         # Override this method to avoid Slim trying to load sass/scss and failing
         case engine
@@ -22,6 +23,7 @@ module Slim
     class SassEngine
       protected
 
+      alias_method :tilt_render, :tilt_render # silence redefined method warning
       def tilt_render(tilt_engine, tilt_options, text)
         [:dynamic,
          "BrakemanFilter.render(#{text.inspect}, #{self.class})"]

data/lib/brakeman/processors/alias_processor.rb

@@ -373,7 +373,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     result << join_item(array.last, nil)
 
     # Combine the strings at the beginning because that's what RubyParser does
-    combined_first = ""
+    combined_first = +""
     result.each do |e|
       if string? e
         combined_first << e.value
@@ -665,7 +665,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       exp[2] = exp[2][1]
     end
 
-    unless array? exp[1] and array? exp[2] and exp[1].length == exp[2].length
+    unless array? exp[1] and array? exp[2]
       return process_default(exp)
     end
 
@@ -678,21 +678,42 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     # Call each assignment as if it is normal
     vars.each_with_index do |var, i|
       val = vals[i]
-      if val
+      next unless val # TODO: Break if there are no vals left?
 
-        # This happens with nested destructuring like
-        #   x, (a, b) = blah
-        if node_type? var, :masgn
-          # Need to add value to masgn exp
-          m = var.dup
-          m[2] = s(:to_ary, val)
+      # This happens with nested destructuring like
+      #   x, (a, b) = blah
+      if node_type? var, :masgn
+        # Need to add value to masgn exp
+        m = var.dup
+        m[2] = s(:to_ary, val)
 
-          process_masgn m
+        process_masgn m
+      elsif node_type? var, :splat
+        # Assign the rest of the values to the variable:
+        #
+        #   a, *b = 1, 2, 3
+        #
+        #   b == [2, 3]
+
+
+        assign = var[1].dup # var is s(:splat, s(:lasgn, :b))
+
+        if i == vars.length - 1 # Last variable being assigned, slurp up the rest
+          assign.rhs = s(:array, *vals[i..]) # val is the "rest" of the values
         else
-          assign = var.dup
-          assign.rhs = val
-          process assign
+          # Calculate how many values to assign based on how many variables
+          # there are.
+          #
+          # If there are more values than variables, the splat gets an empty array.
+
+          assign.rhs = s(:array, *vals[i, (vals.length - vars.length + 1)]).line(vals.line)
         end
+
+        process assign
+      else
+        assign = var.dup
+        assign.rhs = val
+        process assign
       end
     end
 

data/lib/brakeman/report/report_markdown.rb

@@ -27,7 +27,7 @@ class Brakeman::Report::Markdown < Brakeman::Report::Table
   end
 
   def generate_report
-    out = "# BRAKEMAN REPORT\n\n" <<
+    out = +"# BRAKEMAN REPORT\n\n" <<
     generate_metadata.to_s << "\n\n" <<
     generate_checks.to_s << "\n\n" <<
     "### SUMMARY\n\n" <<

data/lib/brakeman/report/report_table.rb

@@ -8,7 +8,7 @@ class Brakeman::Report::Table < Brakeman::Report::Base
 
   def generate_report
     summary_option = tracker.options[:summary_only]
-    out = ""
+    out = +""
 
     unless summary_option == :no_summary
       out << text_header <<
@@ -166,7 +166,7 @@ class Brakeman::Report::Table < Brakeman::Report::Base
 
     template_rows = template_rows.sort_by{|name, value| name.to_s}
 
-    output = ''
+    output = +''
     template_rows.each do |template|
       output << template.first.to_s << "\n\n"
       table = @table.new(:headings => ['Output']) do |t|

data/lib/brakeman/report/report_tabs.rb

@@ -9,7 +9,6 @@ class Brakeman::Report::Tabs < Brakeman::Report::Table
 
       self.send(meth).map do |w|
         line = w.line || 0
-        w.warning_type.gsub!(/[^\w\s]/, ' ')
         "#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{w.confidence_name}"
       end.join "\n"
 

data/lib/brakeman/report/report_text.rb

@@ -4,7 +4,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
   def generate_report
     HighLine.use_color = !!tracker.options[:output_color]
     summary_option = tracker.options[:summary_only]
-    @output_string = "\n"
+    @output_string = +"\n"
 
     unless summary_option == :no_summary
       add_chunk generate_header
@@ -21,6 +21,9 @@ class Brakeman::Report::Text < Brakeman::Report::Base
     add_chunk generate_obsolete
     add_chunk generate_errors
     add_chunk generate_warnings
+    add_chunk generate_show_ignored_overview if tracker.options[:show_ignored] && ignored_warnings.any?
+
+    @output_string
   end
 
   def add_chunk chunk, out = @output_string
@@ -101,6 +104,10 @@ class Brakeman::Report::Text < Brakeman::Report::Base
     end
   end
 
+  def generate_show_ignored_overview
+    double_space("Ignored Warnings", ignored_warnings.map {|w| output_warning w})
+  end
+
   def generate_errors
     return if tracker.errors.empty?
     full_trace = tracker.options[:debug]

data/lib/brakeman/scanner.rb

@@ -125,7 +125,7 @@ class Brakeman::Scanner
   end
 
   def parse_files
-    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks], tracker.options[:use_prism])
 
     fp.parse_files tracker.app_tree.ruby_file_paths
 
@@ -414,7 +414,7 @@ class Brakeman::Scanner
   end
 
   def parse_ruby_file file
-    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], false, tracker.options[:use_prism])
     fp.parse_ruby(file.read, file)
   rescue Exception => e
     tracker.error(e)

data/lib/brakeman/tracker/config.rb

@@ -111,6 +111,14 @@ module Brakeman
             tracker.options[:rails6] = true
             tracker.options[:rails7] = true
             Brakeman.notify "[Notice] Detected Rails 7 application"
+          elsif @rails_version.start_with? "8"
+            tracker.options[:rails3] = true
+            tracker.options[:rails4] = true
+            tracker.options[:rails5] = true
+            tracker.options[:rails6] = true
+            tracker.options[:rails7] = true
+            tracker.options[:rails8] = true
+            Brakeman.notify "[Notice] Detected Rails 8 application"
           end
         end
       end
@@ -193,7 +201,7 @@ module Brakeman
 
       version = tracker.config.rails[:load_defaults].value.to_s
 
-      unless version.match? /^\d+\.\d+$/
+      unless version.match?(/^\d+\.\d+$/)
         Brakeman.debug "[Notice] Unknown version: #{tracker.config.rails[:load_defaults]}"
         return
       end

data/lib/brakeman/util.rb

@@ -63,14 +63,12 @@ module Brakeman::Util
     case exp
     when Sexp
       case exp.node_type
-      when :const
+      when :const, :colon3
         exp.value
       when :lvar
         exp.value.to_sym
       when :colon2
         "#{class_name(exp.lhs)}::#{exp.rhs}".to_sym
-      when :colon3
-        "::#{exp.value}".to_sym
       when :self
         @current_class || @current_module || nil
       else

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "6.1.2"
+  Version = "6.2.0"
 end

data/lib/brakeman/warning.rb

@@ -317,7 +317,7 @@ class Brakeman::Warning
 
   def format_ruby code, strip
     formatted = Brakeman::OutputProcessor.new.format(code)
-    formatted.gsub!(/(\t|\r|\n)+/, " ") if strip
+    formatted = formatted.gsub(/(\t|\r|\n)+/, " ") if strip
     formatted
   end
 end

data/lib/brakeman.rb

@@ -65,6 +65,7 @@ module Brakeman
   #  * :report_routes - show found routes on controllers (default: false)
   #  * :run_checks - array of checks to run (run all if not specified)
   #  * :safe_methods - array of methods to consider safe
+  #  * :show_ignored - Display warnings that are usually ignored
   #  * :sql_safe_methods - array of sql sanitization methods to consider safe
   #  * :skip_libs - do not process lib/ directory (default: false)
   #  * :skip_vendor - do not process vendor/ directory (default: true)
@@ -198,6 +199,7 @@ module Brakeman
       :relative_path => false,
       :report_progress => true,
       :safe_methods => Set.new,
+      :show_ignored => false,
       :sql_safe_methods => Set.new,
       :skip_checks => Set.new,
       :skip_vendor => true,

data/lib/ruby_parser/bm_sexp.rb

@@ -6,6 +6,7 @@ class Sexp
   ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cvasgn, :cdecl, :or, :and, :colon2, :op_asgn_or]
   CALLS = [:call, :attrasgn, :safe_call, :safe_attrasgn]
 
+  alias_method :method_missing, :method_missing # silence redefined method warning
   def method_missing name, *args
     #Brakeman does not use this functionality,
     #so overriding it to raise a NoMethodError.
@@ -46,10 +47,12 @@ class Sexp
     s
   end
 
+  alias_method :paren, :paren # silence redefined method warning
   def paren
     @paren ||= false
   end
 
+  alias_method :value, :value # silence redefined method warning
   def value
     raise WrongSexpError, "Sexp#value called on multi-item Sexp: `#{self.inspect}`" if size > 2
     self[1]
@@ -98,6 +101,7 @@ class Sexp
     old_push arg
   end
 
+  alias_method :hash, :hash # silence redefined method warning
   def hash
     #There still seems to be some instances in which the hash of the
     #Sexp changes, but I have not found what method call is doing it.
@@ -616,7 +620,7 @@ end
 
 #Invalidate hash cache if the Sexp changes
 [:[]=, :clear, :collect!, :compact!, :concat, :delete, :delete_at,
-  :delete_if, :drop, :drop_while, :fill, :flatten!, :replace, :insert,
+  :delete_if, :drop, :drop_while, :fill, :flatten!, :insert,
   :keep_if, :map!, :pop, :push, :reject!, :replace, :reverse!, :rotate!,
   :select!, :shift, :shuffle!, :slice!, :sort!, :sort_by!, :transpose,
   :uniq!, :unshift].each do |method|

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 6.1.2
+  version: 6.2.0
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-02 00:00:00.000000000 Z
+date: 2024-08-22 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: csv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -114,14 +128,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.4.0
+        version: 2.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.4.0
+        version: 2.5.1
 - !ruby/object:Gem::Dependency
   name: racc
   requirement: !ruby/object:Gem::Requirement
@@ -199,9 +213,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.3.6
-    - - "<="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '4.1'
+        version: '5.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -209,9 +223,9 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.3.6
-    - - "<="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '4.1'
+        version: '5.3'
 - !ruby/object:Gem::Dependency
   name: rexml
   requirement: !ruby/object:Gem::Requirement
@@ -338,6 +352,7 @@ files:
 - lib/brakeman/format/style.css
 - lib/brakeman/messages.rb
 - lib/brakeman/options.rb
+- lib/brakeman/parsers/erubis_patch.rb
 - lib/brakeman/parsers/haml_embedded.rb
 - lib/brakeman/parsers/rails2_erubis.rb
 - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
@@ -452,7 +467,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
+rubygems_version: 3.3.27
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.