brakeman-lib 7.0.0 → 7.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1312162b44dd8b40558dcfb8cd9d5891ed37f7e46935f12d9890075de7ba41a6
-  data.tar.gz: 1ed9d4308f7c524aafca3d8e058886bc339a12ae9bd761377f57ae5ab2e423c8
+  metadata.gz: 6159d3bde042821529cf3e5200e88de8e8706879cf44fb273e3291bb68d4f2b7
+  data.tar.gz: bf06c105b4c21ca099b017f9407f582a7a47515bebe5a834c8fe8296382b9a6d
 SHA512:
-  metadata.gz: a3679861797e17b76407a24b80318a2395114461138bf9bbd13568dd1218498a34b0945f7f472b6388c09411dc22e9a3cba178bb6dd8cca93913f07c8b9323ed
-  data.tar.gz: de4bffcb73e376aeb00af8489954fe5b5620a7dc4459ed1501c0d665dd0ba7938d1b509f446a7780a487cf827b547a7c80ce07a7e34bc5423a2ac93e102a34e1
+  metadata.gz: baf1296b60acc90093aab77e65fbdc6d2f9ea4c60371b7bfd5d6301b3fd2e7195f46bec8b3d3811a011f144d22d597303a41bf517d4d257eec382d52de0d109f
+  data.tar.gz: f4770665453293c3b06b9bb3bdca5216eb81d8696e929fcc9d4dd2d416a017296664794134022a6812bda18fe16fffaedb17daa2ff93e049eb0ee760eb5e00fc

data/CHANGES.md

@@ -1,3 +1,16 @@
+# 7.0.2 - 2025-04-04
+
+* Fix error with empty `BUNDLE_GEMFILE` env variable
+
+# 7.0.1 - 2025-04-03
+
+* Avoid warning on evaluation of plain strings
+* Enable use of custom/alternative Gemfiles
+* Fix error on directory with `rb` extension (viralpraxis)
+* Support `terminal-table` 4.0 (Chedli Bourguiba)
+* Better support Prism 1.4.0
+* Only output timing for each file when using `--debug`
+
 # 7.0.0 - 2024-12-30
 
 * Always warn about deserializing from Marshal

data/README.md

@@ -63,7 +63,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 # Compatibility
 
-Brakeman should work with any version of Rails from 2.3.x to 7.x.
+Brakeman should work with any version of Rails from 2.3.x to 8.x.
 
 Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.0.0 to run.
 

data/lib/brakeman/app_tree.rb

@@ -190,7 +190,12 @@ module Brakeman
       paths = select_only_files(paths)
       paths = reject_skipped_files(paths)
       paths = convert_to_file_paths(paths)
-      reject_global_excludes(paths)
+      paths = reject_global_excludes(paths)
+      reject_directories(paths)
+    end
+
+    def reject_directories(paths)
+      paths.reject { |path| File.directory?(path) }
     end
 
     def select_only_files(paths)

data/lib/brakeman/checks/check_evaluation.rb

@@ -22,27 +22,29 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
   def process_result result
     return unless original? result
 
-    if input = include_user_input?(result[:call].arglist)
-      confidence = :high
-      message = msg(msg_input(input), " evaluated as code")
-    elsif string_evaluation? result[:call].first_arg
-      confidence = :low
-      message = "Dynamic string evaluated as code"
-    elsif safe_literal? result[:call].first_arg
-      # don't warn
-    elsif result[:call].method == :eval
-      confidence = :low
-      message = "Dynamic code evaluation"
-    end
+    first_arg = result[:call].first_arg
+
+    unless safe_value? first_arg
+      if input = include_user_input?(first_arg)
+        confidence = :high
+        message = msg(msg_input(input), " evaluated as code")
+      elsif string_evaluation? first_arg
+        confidence = :low
+        message = "Dynamic string evaluated as code"
+      elsif result[:call].method == :eval
+        confidence = :low
+        message = "Dynamic code evaluation"
+      end
 
-    if confidence
-      warn :result => result,
-        :warning_type => "Dangerous Eval",
-        :warning_code => :code_eval,
-        :message => message,
-        :user_input => input,
-        :confidence => confidence,
-        :cwe_id => [913, 95]
+      if confidence
+        warn :result => result,
+          :warning_type => "Dangerous Eval",
+          :warning_code => :code_eval,
+          :message => message,
+          :user_input => input,
+          :confidence => confidence,
+          :cwe_id => [913, 95]
+      end
     end
   end
 
@@ -50,4 +52,21 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
     string_interp? exp or
       (call? exp and string? exp.target)
   end
+
+  def safe_value? exp
+    return true unless sexp? exp
+
+    case exp.sexp_type
+    when :dstr
+      exp.all? { |e| safe_value? e}
+    when :evstr
+      safe_value? exp.value
+    when :str, :lit
+      true
+    when :call
+      always_safe_method? exp.method
+    else
+      false
+    end
+  end
 end

data/lib/brakeman/checks/check_weak_rsa_key.rb

@@ -87,7 +87,7 @@ class Brakeman::CheckWeakRSAKey < Brakeman::BaseCheck
 
     if string? padding_arg
       padding_arg = padding_arg.deep_clone(padding_arg.line)
-      padding_arg.value.downcase!
+      padding_arg.value = padding_arg.value.downcase
     end
 
     case padding_arg

data/lib/brakeman/options.rb

@@ -226,6 +226,10 @@ module Brakeman::Options
           options[:follow_symlinks] = follow_symlinks
         end
 
+        opts.on '--gemfile GEMFILE', 'Specify Gemfile to scan' do |gemfile|
+          options[:gemfile] = gemfile
+        end
+
         opts.on "-E", "--enable Check1,Check2,etc", Array, "Enable the specified checks" do |checks|
           checks.map! do |check|
             if check.start_with? "Check"

data/lib/brakeman/processors/alias_processor.rb

@@ -270,7 +270,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       end
     when :<<
       if string? target and string? first_arg
-        target.value << first_arg.value
+        target.value += first_arg.value
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
@@ -278,8 +278,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
-          target.last.value << first_arg.value
+          target.last.value += first_arg.value
         elsif target.last.is_a? String
+          # TODO Use target.last += ?
           target.last << first_arg.value
         else
           target << first_arg

data/lib/brakeman/scanner.rb

@@ -32,6 +32,7 @@ class Brakeman::Scanner
 
     @processor = processor || Brakeman::Processor.new(@app_tree, options)
     @show_timing = tracker.options[:debug] || tracker.options[:show_timing]
+    @per_file_timing = tracker.options[:debug] && tracker.options[:show_timing]
   end
 
   #Returns the Tracker generated from the scan
@@ -58,7 +59,7 @@ class Brakeman::Scanner
   end
 
   def process_step_file description
-    if @show_timing
+    if @per_file_timing
       Brakeman.notify "Processing #{description}"
 
       start_t = Time.now
@@ -230,21 +231,29 @@ class Brakeman::Scanner
   #Process Gemfile
   def process_gems
     gem_files = {}
+    gem_file_names = ['Gemfile', 'gems.rb']
+    lock_file_names = ['Gemfile.lock', 'gems.locked']
 
-    if @app_tree.exists? "Gemfile"
-      file = @app_tree.file_path("Gemfile")
-      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
-    elsif @app_tree.exists? "gems.rb"
-      file = @app_tree.file_path("gems.rb")
-      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
+    if tracker.options[:gemfile]
+      name = tracker.options[:gemfile]
+      gem_file_names.unshift name
+      lock_file_names.unshift "#{name}.lock"
     end
 
-    if @app_tree.exists? "Gemfile.lock"
-      file = @app_tree.file_path("Gemfile.lock")
-      gem_files[:gemlock] = { :src => file.read, :file => file }
-    elsif @app_tree.exists? "gems.locked"
-      file = @app_tree.file_path("gems.locked")
-      gem_files[:gemlock] = { :src => file.read, :file => file }
+    gem_file_names.each do |name|
+      if @app_tree.exists? name
+        file = @app_tree.file_path(name)
+        gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
+        break
+      end
+    end
+
+    lock_file_names.each do |name|
+      if @app_tree.exists? name
+        file = @app_tree.file_path(name)
+        gem_files[:gemlock] = { :src => file.read, :file => file }
+        break
+      end
     end
 
     if @app_tree.gemspec

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "7.0.0"
+  Version = "7.0.2"
 end

data/lib/brakeman.rb

@@ -127,6 +127,13 @@ module Brakeman
     options[:output_formats] = get_output_formats options
     options[:github_url] = get_github_url options
 
+
+    # Use ENV value only if option was not already explicitly set
+    # (i.e. prefer commandline option over environment variable).
+    if options[:gemfile].nil? and ENV['BUNDLE_GEMFILE'] and not ENV['BUNDLE_GEMFILE'].empty?
+      options[:gemfile] = ENV['BUNDLE_GEMFILE']
+    end
+
     options
   end
 

metadata

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 7.0.0
+  version: 7.0.2
 platform: ruby
 authors:
 - Justin Collins
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-31 00:00:00.000000000 Z
+date: 2025-04-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -141,14 +142,14 @@ dependencies:
     requirements:
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: highline
   requirement: !ruby/object:Gem::Requirement
@@ -452,6 +453,7 @@ metadata:
   mailing_list_uri: https://gitter.im/presidentbeef/brakeman
   source_code_uri: https://github.com/presidentbeef/brakeman
   wiki_uri: https://github.com/presidentbeef/brakeman/wiki
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -466,7 +468,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.3.27
+signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []