brakeman-lib 8.0.4 → 8.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d07db98e56b03b45fd3347a5982628ab3421d8bba0c1a1d55a3b685432ef8375
-  data.tar.gz: 1245d911d4356d014e616bb387810c3879e8a68919fd1f1f173a4a21cf6c8fe9
+  metadata.gz: '081816b1dce310635af2372f9bd944fe3efc4e28a89e5f32be39a83b7abff137'
+  data.tar.gz: a1984f13bf1ffedb4999f5f3b761788f6fd01eb3abbedcfb72fd2be0aa6a5b00
 SHA512:
-  metadata.gz: 48540c3c00cf275afe01c3194302d48bd0e8e12602f1abd5a81bc99c1cc13ca5fb48fcf630879dc6a851e88559404d210fb6e0d6324a7203a3ad274b18116504
-  data.tar.gz: 056150df12092b1d16a1b56214d7a268627fe58d7249071c0ef4871aa0c289c184753f2c8468374dd1046beb77515d306c9416033901f0424452ca920ac71993
+  metadata.gz: a9f099212f13d0897ed9a17a5281da9b8b2f0a983123f0204d72990c7747c1a3ef11db38bbe846cb48a9c99c8e84adb8d20763377fa9279bae17371629d74b9c
+  data.tar.gz: 88d203ec8ce92493f2192658589ba47c9a41543c1e4b7bc78da3aacaf485eaa005fb5beef49ce0f04d02ad3dffbe7c40b65b57aed35bc35baf150928fc3fea25

data/CHANGES.md

@@ -1,3 +1,13 @@
+# 8.0.5 - 2026-06-12
+
+* Add `quote_schema_name` to safe quote method list (Zsolt Kozaroczy)
+* Fix SQL injection false positive for `compact_blank`/`compact` on permitted params (Arpit Jain)
+* Fix inline render false positive for local named `text` (Arpit Jain)
+* Fix HAML crash on `.raw` calls (Federico Franco)
+* Fix Ruby version parsing - especially for non-CRuby versions (Chris Southerland Jr) 
+* Fix `TemplateAliasProcessor#template_name` arity (viralpraxis)
+* Reduce false positives when using shell escaping
+
 # 8.0.4 - 2026-02-26
 
 * Load 'date' library for `--ensure-latest`

data/lib/brakeman/checks/check_execute.rb

@@ -122,9 +122,14 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       # should be ignored
 
       args.pop if hash?(args.last) && args.length > 2
-      failure = include_user_input?(args) ||
-                dangerous_interp?(args) ||
-                dangerous_string_building?(args)
+
+      args.each_sexp do |arg|
+        failure = include_user_input?(arg) ||
+          dangerous_interp?(arg) ||
+          dangerous_string_building?(arg)
+
+        break if failure
+      end
     else
       failure = include_user_input?(args) ||
                 dangerous_interp?(args) ||
@@ -176,6 +181,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
   def include_user_input? exp
     if node_type? exp, :arglist, :dstr, :evstr, :dxstr
       exp.each_sexp do |e|
+        next if shell_escape? e
+
         if res = include_user_input?(e)
           return res
         end
@@ -196,7 +203,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       # Check for input at start of string
       exp[1] == "" and
         node_type? exp[2], :evstr and
-        has_immediate_user_input? exp[2]
+        dangerous? exp[2]
     else
       has_immediate_user_input? exp
     end
@@ -266,6 +273,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
   end
 
   def dangerous_interp? exp
+    return if shell_escape? exp
+
     match = include_interp? exp
     return unless match
     interp = match.match

data/lib/brakeman/checks/check_sql.rb

@@ -311,7 +311,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
 
     if request_value? arg
-      unless call? arg and params? arg.target and [:permit, :slice, :to_h, :to_hash, :symbolize_keys].include? arg.method
+      unless call? arg and params? arg.target and [:permit, :slice, :to_h, :to_hash, :symbolize_keys, :compact, :compact_blank].include? arg.method
         # Model.where(params[:where])
         arg
       end
@@ -645,7 +645,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       locale_call? exp
   end
 
-  QUOTE_METHODS = [:quote, :quote_column_name, :quoted_date, :quote_string, :quote_table_name]
+  QUOTE_METHODS = [:quote, :quote_column_name, :quoted_date, :quote_string, :quote_table_name, :quote_schema_name]
 
   def quote_call? exp
     if call? exp.target

data/lib/brakeman/processors/base_processor.rb

@@ -258,12 +258,19 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     #Look for "type" of render in options hash
     #For example, render :file => "blah"
     if hash? last_arg
-      hash_iterate(last_arg) do |key, val|
-        if symbol? key and types_in_hash.include? key.value
-          type = key.value
-          value = val
-        else  
-          rest << key << val
+      if type
+        #The render type was already determined by a positional argument, so a
+        #key in the options hash that happens to match a render type name (e.g.
+        #`text:`) is a local passed to the partial/action, not a type directive.
+        rest = last_arg
+      else
+        hash_iterate(last_arg) do |key, val|
+          if symbol? key and types_in_hash.include? key.value
+            type = key.value
+            value = val
+          else
+            rest << key << val
+          end
         end
       end
     end

data/lib/brakeman/processors/gem_processor.rb

@@ -6,7 +6,7 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
   def initialize *args
     super
     @gem_name_version = /^\s*([-_+.A-Za-z0-9]+) \((\w(\.\w+)*)\)/
-    @ruby_version = /^\s+ruby (\d\.\d.\d+)/
+    @ruby_version = /^\s+ruby (\d+\.\d+\.\d+)/
   end
 
   def process_gems gem_files

data/lib/brakeman/processors/haml_template_processor.rb

@@ -186,6 +186,8 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 
   def raw? exp
     call? exp and
-      exp.method == :raw
+      exp.target.nil? and
+      exp.method == :raw and
+      exp.first_arg
   end
 end

data/lib/brakeman/processors/lib/render_helper.rb

@@ -19,7 +19,9 @@ module Brakeman::RenderHelper
       end
     when :default
       begin
-        process_template template_name, exp[3], nil, exp.line
+        # exp[2] is either the action name (from controller) or :default when no explicit arg
+        name_arg = (exp[2].nil? || exp[2] == :default) ? nil : exp[2]
+        process_template template_name(name_arg), exp[3], nil, exp.line
       rescue ArgumentError
         Brakeman.debug "Problem processing render: #{exp}"
       end

data/lib/brakeman/scanner.rb

@@ -187,8 +187,14 @@ class Brakeman::Scanner
     end
 
     if @app_tree.exists? ".ruby-version"
-      if version = @app_tree.file_path(".ruby-version").read[/(\d\.\d.\d+)/]
-        tracker.config.set_ruby_version version, @app_tree.file_path(".ruby-version"), 1
+      contents = @app_tree.file_path(".ruby-version").read
+      # Skip alternative Ruby implementations — the EOL dates Brakeman knows
+      # about are MRI's, so a `.ruby-version` of "jruby-10.0.2.0" should not
+      # be parsed as MRI 0.0.2 / 10.0.2.
+      unless contents =~ /\A\s*(jruby|truffleruby|rbx|rubinius|mruby)\b/i
+        if version = contents[/(\d+\.\d+\.\d+)/]
+          tracker.config.set_ruby_version version, @app_tree.file_path(".ruby-version"), 1
+        end
       end
     end
 

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "8.0.4"
+  Version = "8.0.5"
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 8.0.4
+  version: 8.0.5
 platform: ruby
 authors:
 - Justin Collins
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-02-27 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -482,7 +481,6 @@ metadata:
   mailing_list_uri: https://gitter.im/presidentbeef/brakeman
   source_code_uri: https://github.com/presidentbeef/brakeman
   wiki_uri: https://github.com/presidentbeef/brakeman/wiki
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -497,8 +495,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.19
-signing_key:
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []