brakeman-lib 4.6.1 → 4.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6eaaa0c21996b84e6ae73284cb743a1801428f643a757e09c25d1f907c2f6c66
-  data.tar.gz: e0ee33be554dcc58b89926d709625afd4df0834f20a374ec210630992108e615
+  metadata.gz: e29d6575b47438b336589ce753da72098ad1b7465a4bb78625d5c666d8c1d0a3
+  data.tar.gz: 073d249eb7c1915c3c3be01345c25d050127eec929ff2dd77e276433f94606c1
 SHA512:
-  metadata.gz: c3cef641ef58cb656a1f11706fd7da8e36ebaff5cc8e0473c901368c46eec1333775a58eac4a5f3c5b0b8f38786e698aae38e9d50685d34a34953a0bdf2558e7
-  data.tar.gz: 68f49be644f4aa8de6b7cef78c8b9948984f73f265052b12d861a06231d5aa3620b4c227e7129606dba71a6498a0da4cafd37d0212875b37a9c1fbe03d9c9f5d
+  metadata.gz: 87488f856d5b69554147a900ea4a5e0f8826b8a4a1ca95090c472f279d3014a80d28acfa36e131b07c2a9d78a80ec807fa20b45f7e2c133575da164b8ccf3506
+  data.tar.gz: b73fe208fc26c26428b4883aa36e2b0c310f7b271fe9db0111cd5fc23d3fc040b8f90c0875f4736724685515ee6c3a6d20faf4cb1246042fab0fe66a6de41c61

data/CHANGES.md

@@ -1,3 +1,14 @@
+# 4.7.0
+
+* Refactor `Brakeman::Differ#second_pass` (Benoit Côté-Jodoin)
+* Ignore interpolation in `%W[]`
+* Fix `version_between?` (Andrey Glushkov)
+* Add support for `ruby_parser` 3.14.0
+* Ignore `form_for` for XSS check
+* Update Haml support to Haml 5.x
+* Catch shell injection from `-c` shell commands (Jacob Evelyn)
+* Correctly handle non-symbols in `CheckCookieSerialization` (Phil Turnbull)
+
 # 4.6.1
 
 * Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)

data/lib/brakeman/checks/base_check.rb

@@ -39,6 +39,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     @active_record_models = nil
     @mass_assign_disabled = nil
     @has_user_input = nil
+    @in_array = false
     @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id]
     @comparison_ops  = Set[:==, :!=, :>, :<, :>=, :<=]
   end
@@ -109,9 +110,16 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     exp
   end
 
+  def process_array exp
+    @in_array = true
+    process_default exp
+  ensure
+    @in_array = false
+  end
+
   #Does not actually process string interpolation, but notes that it occurred.
   def process_dstr exp
-    unless @string_interp # don't overwrite existing value
+    unless array_interp? exp or @string_interp # don't overwrite existing value
       @string_interp = Match.new(:interp, exp)
     end
 
@@ -120,6 +128,20 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
   private
 
+  # Checking for
+  #
+  #   %W[#{a}]
+  #
+  # which will be parsed as
+  #
+  #    s(:array, s(:dstr, "", s(:evstr, s(:call, nil, :a))))
+  def array_interp? exp
+    @in_array and
+      string_interp? exp and
+      exp[1] == "".freeze and
+      exp.length == 3 # only one interpolated value
+  end
+
   def always_safe_method? meth
     @safe_input_attributes.include? meth or
       @comparison_ops.include? meth

data/lib/brakeman/checks/check_cookie_serialization.rb

@@ -9,7 +9,7 @@ class Brakeman::CheckCookieSerialization < Brakeman::BaseCheck
     tracker.find_call(target: :'Rails.application.config.action_dispatch', method: :cookies_serializer=).each do |result|
       setting = result[:call].first_arg
 
-      if symbol? setting and setting.value == :marshal or setting.value == :hybrid
+      if symbol? setting and [:marshal, :hybrid].include? setting.value
         warn :result => result,
           :warning_type => "Remote Code Execution",
           :warning_code => :unsafe_cookie_serialization,

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -287,7 +287,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
   def setup
     @ignore_methods = Set[:==, :!=, :button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
-                           :field_field, :fields_for, :h, :hidden_field,
+                           :field_field, :fields_for, :form_for, :h, :hidden_field,
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
                            :link_to, :mail_to, :radio_button, :select,
                            :submit_tag, :text_area, :text_field,

data/lib/brakeman/checks/check_execute.rb

@@ -21,6 +21,10 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
   SHELL_ESCAPE_MODULE_METHODS = Set[:escape, :join, :shellescape, :shelljoin]
   SHELL_ESCAPE_MIXIN_METHODS = Set[:shellescape, :shelljoin]
 
+  # These are common shells that are known to allow the execution of commands
+  # via a -c flag. See dash_c_shell_command? for more info.
+  KNOWN_SHELL_COMMANDS = Set["sh", "bash", "ksh", "csh", "tcsh", "zsh"]
+
   SHELLWORDS = s(:const, :Shellwords)
 
   #Check models, controllers, and views for command injection.
@@ -42,6 +46,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     end
   end
 
+  private
+
   #Processes results from Tracker#find_call.
   def process_result result
     call = result[:call]
@@ -54,7 +60,17 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
         failure = include_user_input?(args) || dangerous_interp?(args)
       end
     when :system, :exec
-      failure = include_user_input?(first_arg) || dangerous_interp?(first_arg)
+      # Normally, if we're in a `system` or `exec` call, we only are worried
+      # about shell injection when there's a single argument, because comma-
+      # separated arguments are always escaped by Ruby. However, an exception is
+      # when the first two arguments are something like "bash -c" because then
+      # the third argument is effectively the command being run and might be
+      # a malicious executable if it comes (partially or fully) from user input.
+      if dash_c_shell_command?(first_arg, call.second_arg)
+        failure = include_user_input?(args[3]) || dangerous_interp?(args[3])
+      else
+        failure = include_user_input?(first_arg) || dangerous_interp?(first_arg)
+      end
     else
       failure = include_user_input?(args) || dangerous_interp?(args)
     end
@@ -77,6 +93,15 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     end
   end
 
+  # @return [Boolean] true iff the command given by `first_arg`, `second_arg`
+  #   invokes a new shell process via `<shell_command> -c` (like `bash -c`)
+  def dash_c_shell_command?(first_arg, second_arg)
+    string?(first_arg) &&
+    KNOWN_SHELL_COMMANDS.include?(first_arg.value) &&
+    string?(second_arg) &&
+    second_arg.value == "-c"
+  end
+
   def check_open_calls
     tracker.find_call(:targets => [nil, :Kernel], :method => :open).each do |result|
       if match = dangerous_open_arg?(result[:call].first_arg)

data/lib/brakeman/differ.rb

@@ -24,43 +24,31 @@ class Brakeman::Differ
   # second pass to cleanup any vulns which have changed in line number only.
   # Given a list of new warnings, delete pairs of new/fixed vulns that differ
   # only by line number.
-  # Horrible O(n^2) performance.  Keep n small :-/
   def second_pass(warnings)
-    # keep track of the number of elements deleted because the index numbers
-    # won't update as the list is modified
-    elements_deleted_offset = 0
+    new_fingerprints = Set.new(warnings[:new].map(&method(:fingerprint)))
+    fixed_fingerprints = Set.new(warnings[:fixed].map(&method(:fingerprint)))
 
-    # dup this list since we will be deleting from it and the iterator gets confused.
-    # use _with_index for fast deletion as opposed to .reject!{|obj| obj == *_warning}
-    warnings[:new].dup.each_with_index do |new_warning, new_warning_id|
-      warnings[:fixed].each_with_index do |fixed_warning, fixed_warning_id|
-        if eql_except_line_number new_warning, fixed_warning
-          warnings[:new].delete_at(new_warning_id - elements_deleted_offset)
-          elements_deleted_offset += 1
-          warnings[:fixed].delete_at(fixed_warning_id)
-          break
-        end
+    # Remove warnings which fingerprints are both in :new and :fixed
+    shared_fingerprints = new_fingerprints.intersection(fixed_fingerprints)
+
+    unless shared_fingerprints.empty?
+      warnings[:new].delete_if do |warning|
+        shared_fingerprints.include?(fingerprint(warning))
+      end
+
+      warnings[:fixed].delete_if do |warning|
+        shared_fingerprints.include?(fingerprint(warning))
       end
     end
 
     warnings
   end
 
-  def eql_except_line_number new_warning, fixed_warning
-    # can't do this ahead of time, as callers may be expecting a Brakeman::Warning
-    if new_warning.is_a? Brakeman::Warning 
-      new_warning = new_warning.to_hash
-      fixed_warning = fixed_warning.to_hash
-    end
-
-    if new_warning[:fingerprint] and fixed_warning[:fingerprint]
-      new_warning[:fingerprint] == fixed_warning[:fingerprint]
+  def fingerprint(warning)
+    if warning.is_a?(Brakeman::Warning)
+      warning.fingerprint
     else
-     OLD_WARNING_KEYS.each do |attr|
-        return false if new_warning[attr] != fixed_warning[attr]
-      end
-
-      true
+      warning[:fingerprint]
     end
   end
 end

data/lib/brakeman/parsers/haml_embedded.rb

@@ -1,6 +1,6 @@
 module Brakeman
   module FakeHamlFilter
-    # Copied from Haml - force delayed compilation
+    # Copied from Haml 4 - force delayed compilation
     def compile(compiler, text)
       filter = self
       compiler.instance_eval do

data/lib/brakeman/parsers/template_parser.rb

@@ -79,7 +79,9 @@ module Brakeman
 
       Haml::Engine.new(text,
                        :filename => path,
-                       :escape_html => tracker.config.escape_html?).precompiled.gsub(/([^\\])\\n/, '\1')
+                       :escape_html => tracker.config.escape_html?,
+                       :escape_filter_interpolations => tracker.config.escape_filter_interpolations?
+                      ).precompiled.gsub(/([^\\])\\n/, '\1')
     rescue Haml::Error => e
       tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
       nil

data/lib/brakeman/processors/alias_processor.rb

@@ -249,6 +249,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         end
         env[target_var] = target
         return first_arg
+      elsif new_string? target
+        env[target_var] = first_arg
+        return first_arg
       elsif array? target
         target << first_arg
         env[target_var] = target
@@ -1198,6 +1201,13 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     call? exp and exp.method == :raise
   end
 
+  STRING_NEW = s(:call, s(:const, :String), :new)
+
+  # String.new ?
+  def new_string? exp
+    exp == STRING_NEW
+  end
+
   #Set variable to given value.
   #Creates "branched" versions of values when appropriate.
   #Avoids creating multiple branched versions inside same

data/lib/brakeman/processors/base_processor.rb

@@ -114,6 +114,8 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     exp.unshift :rlist
   end
 
+  alias process_rlist process_block
+
   #Processes the inside of an interpolated String.
   def process_evstr exp
     exp = exp.dup

data/lib/brakeman/processors/haml_template_processor.rb

@@ -2,8 +2,10 @@ require 'brakeman/processors/template_processor'
 
 #Processes HAML templates.
 class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
-  HAML_FORMAT_METHOD = /format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
+  HAMLOUT = s(:call, nil, :_hamlout)
+  HAML_BUFFER = s(:call, HAMLOUT, :buffer)
   HAML_HELPERS = s(:colon2, s(:const, :Haml), :Helpers)
+  HAML_HELPERS2 = s(:colon2, s(:colon3, :Haml), :Helpers)
   JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
   COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
 
@@ -14,130 +16,46 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 
   #Processes call, looking for template output
   def process_call exp
-    target = exp.target
-    if sexp? target
-      target = process target
+    exp = process_default exp
+
+    if buffer_append? exp
+      output = normalize_output(exp.first_arg)
+      res = get_pushed_value(output)
     end
 
-    method = exp.method
-
-    if (call? target and target.method == :_hamlout)
-      res = case method
-            when :adjust_tabs, :rstrip!, :attributes #Check attributes, maybe?
-              ignore
-            when :options, :buffer
-              exp
-            when :open_tag
-              process_call_args exp
-            else
-              arg = exp.first_arg
-
-              if arg
-                @inside_concat = true
-                exp.first_arg = process(arg)
-                out = normalize_output(exp.first_arg)
-                @inside_concat = false
-              else
-                raise "Empty _hamlout.#{method}()?"
-              end
-
-              if string? out
-                ignore
-              else
-                r = case method.to_s
-                    when "push_text"
-                      build_output_from_push_text(out)
-                    when HAML_FORMAT_METHOD
-                      if $4 == "true"
-                        if string_interp? out
-                          build_output_from_push_text(out, :escaped_output)
-                        else
-                          Sexp.new :format_escaped, out
-                        end
-                      else
-                        if string_interp? out
-                          build_output_from_push_text(out)
-                        else
-                          Sexp.new :format, out
-                        end
-                      end
-
-                    else
-                      raise "Unrecognized action on _hamlout: #{method}"
-                    end
-
-                @javascript = false
-                r
-              end
-            end
-
-      res.line(exp.line)
-      res
-
-      #_hamlout.buffer <<
-      #This seems to be used rarely, but directly appends args to output buffer.
-      #Has something to do with values of blocks?
-    elsif sexp? target and method == :<< and is_buffer_target? target
-      @inside_concat = true
-      exp.first_arg = process(exp.first_arg)
-      out = normalize_output(exp.first_arg)
-      @inside_concat = false
-
-      if out.node_type == :str #ignore plain strings
-        ignore
-      else
-        add_output out
-      end
-    elsif target == nil and method == :render
-      #Process call to render()
-      exp.arglist = process exp.arglist
-      make_render_in_view exp
-    elsif target == nil and method == :find_and_preserve and exp.first_arg
-      process exp.first_arg
-    elsif method == :render_with_options
-      if target == JAVASCRIPT_FILTER or target == COFFEE_FILTER
-        @javascript = true
-      end
+    res or exp
+  end
 
-      process exp.first_arg
-    else
-      exp.target = target
-      exp.arglist = process exp.arglist
-      exp
-    end
+  # _haml_out.buffer << ...
+  def buffer_append? exp
+    call? exp and
+      exp.target == HAML_BUFFER and
+      exp.method == :<<
+  end
+
+  PRESERVE_METHODS = [:find_and_preserve, :preserve]
+
+  def find_and_preserve? exp
+    call? exp and
+      PRESERVE_METHODS.include?(exp.method) and
+      exp.first_arg
   end
 
   #If inside an output stream, only return the final expression
   def process_block exp
     exp = exp.dup
     exp.shift
-    if @inside_concat
-      @inside_concat = false
-      exp[0..-2].each do |e|
-        process e
-      end
-      @inside_concat = true
-      process exp[-1]
-    else
-      exp.map! do |e|
-        res = process e
-        if res.empty?
-          nil
-        else
-          res
-        end
+
+    exp.map! do |e|
+      res = process e
+      if res.empty?
+        nil
+      else
+        res
       end
-      Sexp.new(:rlist).concat(exp).compact
     end
-  end
 
-  #Checks if the buffer is the target in a method call Sexp.
-  #TODO: Test this
-  def is_buffer_target? exp
-    exp.node_type == :call and
-    node_type? exp.target, :lvar and
-    exp.target.value == :_hamlout and
-    exp.method == :buffer
+    Sexp.new(:rlist).concat(exp).compact
   end
 
   #HAML likes to put interpolated values into _hamlout.push_text
@@ -158,7 +76,6 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     end
   end
 
-  #Gets outputs from values interpolated into _hamlout.push_text
   def get_pushed_value exp, default = :output
     return exp unless sexp? exp
 
@@ -173,24 +90,71 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       exp
     when :str, :ignore, :output, :escaped_output
       exp
-    when :block, :rlist, :dstr
-      exp.map! { |e| get_pushed_value e }
+    when :block, :rlist
+      exp.map! { |e| get_pushed_value(e, default) }
+    when :dstr
+      build_output_from_push_text(exp, default)
     when :if
-      clauses = [get_pushed_value(exp.then_clause), get_pushed_value(exp.else_clause)].compact
+      clauses = [get_pushed_value(exp.then_clause, default), get_pushed_value(exp.else_clause, default)].compact
 
       if clauses.length > 1
         s(:or, *clauses).line(exp.line)
       else
         clauses.first
       end
-    else
-      if call? exp and exp.target == HAML_HELPERS and exp.method == :html_escape
-        add_escaped_output exp.first_arg
-      elsif @javascript and call? exp and (exp.method == :j or exp.method == :escape_javascript)
-        add_escaped_output exp.first_arg
+    when :call
+      if exp.method == :to_s or exp.method == :strip
+        get_pushed_value(exp.target, default)
+      elsif haml_helpers? exp.target and exp.method == :html_escape
+        get_pushed_value(exp.first_arg, :escaped_output)
+      elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
+        get_pushed_value(exp.first_arg, :escaped_output)
+      elsif find_and_preserve? exp or fix_textareas? exp
+        get_pushed_value(exp.first_arg, default)
+      elsif raw? exp
+        get_pushed_value(exp.first_arg, :output)
+      elsif hamlout_attributes? exp
+        ignore # ignore _hamlout.attributes calls
+      elsif exp.target.nil? and exp.method == :render
+        #Process call to render()
+        exp.arglist = process exp.arglist
+        make_render_in_view exp
+      elsif exp.method == :render_with_options
+        if exp.target == JAVASCRIPT_FILTER or exp.target == COFFEE_FILTER
+          @javascript = true
+        end
+
+        get_pushed_value(exp.first_arg, default)
+        @javascript = false
       else
         add_output exp, default
       end
+    else
+      add_output exp, default
     end
   end
+
+  def haml_helpers? exp
+    # Sometimes its Haml::Helpers and
+    # sometimes its ::Haml::Helpers
+    exp == HAML_HELPERS or
+      exp == HAML_HELPERS2
+  end
+
+  def hamlout_attributes? exp
+    call? exp and
+      exp.target == HAMLOUT and
+      exp.method == :attributes
+  end
+
+  def fix_textareas? exp
+    call? exp and
+      exp.target == HAMLOUT and
+      exp.method == :fix_textareas! 
+  end
+
+  def raw? exp
+    call? exp and
+      exp.method == :raw
+  end
 end

data/lib/brakeman/processors/lib/rails2_config_processor.rb

@@ -75,7 +75,7 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
   def process_cdecl exp
     #Set Rails version required
     if exp.lhs == :RAILS_GEM_VERSION
-      @tracker.config.rails_version = exp.rhs.value
+      @tracker.config.set_rails_version exp.rhs.value
     end
 
     exp

data/lib/brakeman/processors/template_alias_processor.rb

@@ -32,6 +32,34 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
     end
   end
 
+  def process_lasgn exp
+    if exp.lhs == :haml_temp or haml_capture? exp.rhs
+      exp.rhs = process exp.rhs
+
+      # Avoid propagating contents of block
+      if node_type? exp.rhs, :iter
+        new_exp = exp.dup
+        new_exp.rhs = exp.rhs.block_call
+
+        super new_exp
+
+        exp # Still save the original, though
+      else
+        super exp
+      end
+    else
+      super exp
+    end
+  end
+
+  HAML_CAPTURE = [:capture, :capture_haml]
+
+  def haml_capture? exp
+    node_type? exp, :iter and
+      call? exp.block_call and
+      HAML_CAPTURE.include? exp.block_call.method
+  end
+
   #Determine template name
   def template_name name
     if !name.to_s.include?('/') && @template.name.to_s.include?('/')

data/lib/brakeman/tracker/config.rb

@@ -4,10 +4,8 @@ module Brakeman
   class Config
     include Util
 
-    attr_reader :rails, :tracker
-    attr_accessor :rails_version, :ruby_version
+    attr_reader :gems, :rails, :ruby_version, :tracker
     attr_writer :erubis, :escape_html
-    attr_reader :gems
 
     def initialize tracker
       @tracker = tracker
@@ -20,7 +18,7 @@ module Brakeman
     end
 
     def default_protect_from_forgery?
-      if version_between? "5.2.0", "9.9.9"
+      if version_between? "5.2.0.beta1", "9.9.9"
         if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:false)
           return false
         else
@@ -44,12 +42,18 @@ module Brakeman
       true? @rails.dig(:active_support, :escape_html_entities_in_json)
     end
 
+    def escape_filter_interpolations?
+      # TODO see if app is actually turning this off itself
+      has_gem?(:haml) and
+        version_between? "5.0.0", "5.99", gem_version(:haml)
+    end
+
     def whitelist_attributes?
       @rails.dig(:active_record, :whitelist_attributes) == Sexp.new(:true)
     end
 
     def gem_version name
-      @gems.dig(name, :version)
+      extract_version @gems.dig(name, :version)
     end
 
     def add_gem name, version, file, line
@@ -69,11 +73,16 @@ module Brakeman
       @gems[name]
     end
 
-    def set_rails_version
-      # Ignore ~>, etc. when using values from Gemfile
-      version = gem_version(:rails) || gem_version(:railties)
-      if version and version.match(/(\d+\.\d+(\.\d+.*)?)/)
-        @rails_version = $1
+    def set_rails_version version = nil
+      version = if version
+                  # Only used by Rails2ConfigProcessor right now
+                  extract_version(version)
+                else
+                  gem_version(:rails) || gem_version(:railties)
+                end
+
+      if version
+        @rails_version = version
 
         if tracker.options[:rails3].nil? and tracker.options[:rails4].nil?
           if @rails_version.start_with? "3"
@@ -102,16 +111,22 @@ module Brakeman
         @escape_html = true
         Brakeman.notify "[Notice] Escaping HTML by default"
       end
+    end
 
-      check_haml_version
+    def rails_version
+      # This needs to be here because Util#rails_version calls Tracker::Config#rails_version
+      # but Tracker::Config includes Util...
+      @rails_version
     end
 
     def set_ruby_version version
+      @ruby_version = extract_version(version)
+    end
+
+    def extract_version version
       return unless version.is_a? String
 
-      if version =~ /(\d+\.\d+\.\d+)/
-        self.ruby_version = $1
-      end
+      version[/\d+\.\d+(\.\d+.*)?/]
     end
 
     #Returns true if low_version <= RAILS_VERSION <= high_version
@@ -121,89 +136,15 @@ module Brakeman
       current_version ||= rails_version
       return false unless current_version
 
-      version = current_version.split(".").map! { |v| convert_version_number v }
-      low_version = low_version.split(".").map! { |v| convert_version_number v }
-      high_version = high_version.split(".").map! { |v| convert_version_number v }
-
-      version.each_with_index do |v, i|
-        if lower? v, low_version.fetch(i, 0)
-          return false
-        elsif higher? v, low_version.fetch(i, 0)
-          break
-        end
-      end
-
-      version.each_with_index do |v, i|
-        if higher? v, high_version.fetch(i, 0)
-          return false
-        elsif lower? v, high_version.fetch(i, 0)
-          break
-        end
-      end
+      low = Gem::Version.new(low_version)
+      high = Gem::Version.new(high_version)
+      current = Gem::Version.new(current_version)
 
-      true
+      current.between?(low, high)
     end
 
     def session_settings
       @rails.dig(:action_controller, :session)
     end
-
-    private
-
-    # Brakeman does not support Haml 5 yet.
-    # (https://github.com/presidentbeef/brakeman/issues/1370) Fortunately, Haml
-    # 5 doesn't add much new syntax, and brakeman (which uses the haml 4 parser)
-    # will parse most Haml 5 files without errors. Therefore, we only print a
-    # warning here, instead of raising an error.
-    def check_haml_version
-      return if supported_haml_version?
-      Brakeman.notify <<~EOS
-        Brakeman does not fully support Haml 5 yet. Your Gemfile (or gemspec)
-        allows Haml 5. Brakeman uses the Haml 4 parser and thus may produce
-        errors when parsing Haml 5 syntax. If Brakeman encounters such an error,
-        it will be unable to scan that file.
-      EOS
-    end
-
-    def convert_version_number value
-      if value.match(/\A\d+\z/)
-        value.to_i
-      else
-        value
-      end
-    end
-
-    def lower? lhs, rhs
-      if lhs.class == rhs.class
-        lhs < rhs
-      else
-        false
-      end
-    end
-
-    # Brakeman does not support Haml 5 yet. See `check_haml_version`.
-    #
-    # This method is messy because all we have is a version `Requirement` (like
-    # `~> 5.0.3`, or `> 4.99`) The only way I could think of was to loop over
-    # known Haml 5 versions and test whether the `Requirement` is satisfied. I
-    # included '5.99.99' in the list so that this method might stand a chance of
-    # working in the future.
-    def supported_haml_version?
-      haml_version = gem_version(:haml)
-      return true unless haml_version
-
-      requirement = Gem::Requirement.new(haml_version)
-      ['5.99.99', '5.1.1', '5.1.0', '5.0.4', '5.0.3', '5.0.2', '5.0.1', '5.0.0'].none? do |v|
-        requirement.satisfied_by?(Gem::Version.new(v))
-      end
-    end
-
-    def higher? lhs, rhs
-      if lhs.class == rhs.class
-        lhs > rhs
-      else
-        false
-      end
-    end
   end
 end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.6.1"
+  Version = "4.7.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 4.6.1
+  version: 4.7.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2019-07-24 00:00:00.000000000 Z
+date: 2019-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -169,22 +169,16 @@ dependencies:
   name: haml
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '3.0'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '5.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '3.0'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '5.1'
 - !ruby/object:Gem::Dependency
   name: slim
   requirement: !ruby/object:Gem::Requirement