brakeman-lib 7.1.0 → 7.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c2279f2b84d3be0e168b6b16e59855f5507c0514df39c4fb4b63d76721b7e87d
-  data.tar.gz: 37751126761102664819b8779940ecbc2097caec46176f4fc8d3b0f740585579
+  metadata.gz: 132a7205f3014d6b941fcfd4785bd98778bd15f07e8a9f1c47a417a848d315e8
+  data.tar.gz: '0896504a08989f485b40e35f79f477540dd4aeab24b66212408ae073901fcdca'
 SHA512:
-  metadata.gz: 2c8a2bf6f2f3c2ee11419def7e7e91a4942cf337504db7a6e54c66f7b6a645cef31ac86de9580f78bdfe0ca66d08387d4125d36f106ac63354423e3973917deb
-  data.tar.gz: b77e61957f321cdbdf33a41b057779c5b5f60a41512d538737a8aa0e57e6c6fc13cf9213cc710995ff55de04a57c1640492108529fda616553c6fb7ba5cd81d7
+  metadata.gz: 8c726e8ef155015305d551223b5f9d222b686ecd463ced6f37b0a9b0281624c9215ae93f17b9f28b1f5c55b246e5a7d59d4ad9429d17dccb64ae8c299cbc1902
+  data.tar.gz: c4aaa6f70c52bbc6bb4c5428b7b3f28569946d51efba7166eda4bea55d8d5aabb472141bd560b640e3491a2bd073acf5674556ee4c3d8124cb0c7e4f24883c89

data/CHANGES.md

@@ -1,3 +1,16 @@
+# 7.1.1 - 2025-11-03
+
+* Fix false positive when calling `with_content` on ViewComponents (Peer Allan)
+* Word wrap text output in pager
+* Consider Tempfile.create.path as safe input (Ali Ismayilov)
+* Exclude directories before searching for files
+* Check each side of `or` SQL arguments
+* Ignore attribute builder in Haml 6
+* Add `FilePath#to_path` for Ruby 3.5 compatibility (S-H-GAMELINKS)
+* Fix SQL injection check for calculate method (Rohan Sharma)
+* Fix missing `td` in HTML report (John Hawthorn)
+* Check for unsafe SQL when two arguments are passed to AR methods (Patrick Brinich-Langlois)
+
 # 7.1.0 - 2025-07-18
 
 * Add EOL dates for Rails 8.0 and Ruby 3.4
@@ -7,7 +20,7 @@
 * Improve ignored warnings layout in HTML report (Sebastien Savater)
 * Update JUnit report for CircleCI (Philippe Bernery)
 * Only load escape functionality from cgi library (Earlopain)
-* Add `--ensure-no-obsolete-config-entries` option (viralpraxis)
+* Add `--ensure-no-obsolete-ignore-entries` option (viralpraxis)
 
 # 7.0.2 - 2025-04-04
 

data/README.md

@@ -1,7 +1,7 @@
 [![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)
 
 [![Build Status](https://circleci.com/gh/presidentbeef/brakeman.svg?style=svg)](https://circleci.com/gh/presidentbeef/brakeman)
-[![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/presidentbeef/brakeman/test_coverage)
+[![Code Coverage](https://qlty.sh/gh/presidentbeef/projects/brakeman/coverage.svg)](https://qlty.sh/gh/presidentbeef/projects/brakeman)
 
 # Brakeman
 

data/lib/brakeman/app_tree.rb

@@ -33,6 +33,7 @@ module Brakeman
     #   * "path1/" - Matches any path that contains "path1" in the project directory.
     #   * "/path1/ - Matches any path that is rooted at "path1" in the project directory.
     #
+    # TODO: This is wacky and I don't like it.
     def self.regex_for_paths(paths)
       path_regexes = paths.map do |f|
         # If path ends in a file separator then we assume it is a path rather
@@ -192,7 +193,12 @@ module Brakeman
         files = patterns.flat_map { |pattern| Dir.glob(pattern) }
         files.uniq.lazy
       else
-        pattern = "#{root_search_pattern}#{directory}/**/#{name}#{extensions}"
+        if directory == '.'
+          pattern = File.join(top_directories_pattern, '**', "#{name}#{extensions}")
+        else
+          pattern = "#{root_search_pattern}#{directory}/**/#{name}#{extensions}"
+        end
+
         Dir.glob(pattern).lazy
       end
     end
@@ -257,18 +263,47 @@ module Brakeman
     end
 
     def match_path files, path
+      # TODO: Converting to Pathnames and Strings seems like a lot
+      # of converting that could perhaps all be handled in Brakeman::FilePath
+      # instead?
       absolute_path = Pathname.new(path)
+
       # relative root never has a leading separator. But, we use a leading
       # separator in a @skip_files entry to imply that a directory is
       # "absolute" with respect to the project directory.
-      project_relative_path = File.join(
-        File::SEPARATOR,
-        absolute_path.relative_path_from(@project_root_path).to_s
-      )
+      #
+      # Also directories need a trailing separator.
+      project_relative_path = if File.directory?(path)
+        File.join(
+          File::SEPARATOR,
+          absolute_path.relative_path_from(@project_root_path).to_s,
+          File::SEPARATOR
+        )
+      else
+        File.join(
+          File::SEPARATOR,
+          absolute_path.relative_path_from(@project_root_path).to_s
+        )
+      end
 
       files.match(project_relative_path)
     end
 
+    def top_directories_pattern
+      top_dirs = convert_to_file_paths(Dir.glob(File.join(root_search_pattern, '*/')))
+      top_dirs.reject! { |d| File.symlink?(d) or !File.directory?(d) }
+      top_dirs = reject_global_excludes(top_dirs)
+      top_dirs = reject_skipped_files(top_dirs)
+
+      if top_dirs.empty?
+        # Fall back to searching everything, otherwise the empty pattern
+        # will start searching from the global root
+        root_search_pattern
+      else
+        "{#{top_dirs.join(',')}}"
+      end
+    end
+
     def root_search_pattern
       return @root_search_pattern if @root_search_pattern
       @root_search_pattern = search_pattern(@root)

data/lib/brakeman/checks/base_check.rb

@@ -151,10 +151,13 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     method[-1] == "?"
   end
 
-  TEMP_FILE_PATH = s(:call, s(:call, s(:const, :Tempfile), :new), :path).freeze
+  TEMP_FILE_PATH = [
+    s(:call, s(:call, s(:const, :Tempfile), :new), :path).freeze,
+    s(:call, s(:call, s(:const, :Tempfile), :create), :path).freeze
+  ].freeze
 
   def temp_file_path? exp
-    exp == TEMP_FILE_PATH
+    TEMP_FILE_PATH.include? exp
   end
 
   #Report a warning

data/lib/brakeman/checks/check_render.rb

@@ -101,6 +101,11 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
   def renderable? exp
     return false unless call?(exp) and constant?(exp.target)
 
+    if exp.method == :with_content
+      exp = exp.target
+    end
+
+    return false unless constant?(exp.target)
     target_class_name = class_name(exp.target)
     known_renderable_class?(target_class_name) or tracker.find_method(:render_in, target_class_name)
   end

data/lib/brakeman/checks/check_sql.rb

@@ -188,11 +188,15 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                       when :find_by_sql, :count_by_sql
                         check_by_sql_arguments call.first_arg
                       when :calculate
-                        check_find_arguments call.third_arg
+                        if call.arglist.length > 2
+                          unsafe_sql?(call.second_arg) or check_find_arguments(call.third_arg)
+                        elsif call.arglist.length > 1
+                          unsafe_sql?(call.second_arg)
+                        end
                       when :last, :first, :all
                         check_find_arguments call.first_arg
                       when :average, :count, :maximum, :minimum, :sum
-                        if call.length > 5
+                        if call.arglist.length > 1
                           unsafe_sql?(call.first_arg) or check_find_arguments(call.last_arg)
                         else
                           check_find_arguments call.last_arg
@@ -315,6 +319,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       check_hash_keys arg
     elsif node_type? arg, :lit, :str
       nil
+    elsif node_type? arg, :or
+      check_query_arguments(arg.lhs) or
+        check_query_arguments(arg.rhs)
     else
       #Hashes are safe...but we check above for hash, so...?
       unsafe_sql? arg, :ignore_hash

data/lib/brakeman/file_path.rb

@@ -68,6 +68,10 @@ module Brakeman
       self.absolute
     end
 
+    # Required for Pathname compatibility.
+    # Ruby 3.5+ requires Pathname#initialize to receive a String or an object with to_path method.
+    alias to_path to_str
+
     # Returns a string with the absolute path.
     def to_s
       self.to_str

data/lib/brakeman/processors/alias_processor.rb

@@ -436,6 +436,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       exp.method == :open
   end
 
+  def temp_file_create? exp
+    call? exp and
+      exp.target == TEMP_FILE_CLASS and
+      exp.method == :create
+  end
+
   def temp_file_new line
     s(:call, TEMP_FILE_CLASS, :new).line(line)
   end
@@ -465,6 +471,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       elsif temp_file_open? call
         local = Sexp.new(:lvar, block_args.last)
         env.current[local] = temp_file_new(exp.line)
+      elsif temp_file_create? call
+        local = Sexp.new(:lvar, block_args.last)
+        env.current[local] = temp_file_new(exp.line)
       else
         block_args.each do |e|
           #Force block arg(s) to be local

data/lib/brakeman/processors/haml_template_processor.rb

@@ -166,7 +166,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   def haml_attribute_builder? exp
     call? exp and
       exp.target == ATTRIBUTE_BUILDER and
-      exp.method == :build
+      (exp.method == :build or exp.method == :build_id)
   end
 
   def fix_textareas? exp

data/lib/brakeman/report/pager.rb

@@ -92,7 +92,7 @@ module Brakeman
       if system("which less > /dev/null")
         less_help = `less -?`
 
-        ["-R ", "-F ", "-X "].each do |opt|
+        ["-R ", "-F ", "-X ", " --wordwrap"].each do |opt|
           if less_help.include? opt
             @less_options << opt
           end

data/lib/brakeman/report/templates/header.html.erb

@@ -51,7 +51,7 @@
     <tr>
       <td><%= tracker.app_path %></td>
       <td><%= rails_version %></td>
-      <td><%= brakeman_version %>
+      <td><%= brakeman_version %></td>
       <td>
         <%= tracker.start_time %><br><br>
         <%= tracker.duration %> seconds

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "7.1.0"
+  Version = "7.1.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 7.1.0
+  version: 7.1.1
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-07-18 00:00:00.000000000 Z
+date: 2025-11-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -470,7 +470,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.1
+rubygems_version: 3.3.27
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.