brakeman-lib 5.1.1 → 5.1.2

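--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 541ef745c1f1e321525f7444fb396c86814eb92769800460869f741de13e1f37
-data.tar.gz: 2b9bd863f12096df33498a9ce4d1caf03bfb6ade5ce02023dc1e1d9cc5ac9408
+metadata.gz: 650df7997ecbf4c9bf7c1ea47ef851ec2eac1593d0c9fed8197ca5aa78f8fded
+data.tar.gz: 9582c10b7cd30496793d5d1b3ddbd88fbf610fa834bdab402267c4ad73962622
 SHA512:
-metadata.gz: 9b717f148d45e4b704be094cf44696a0982da3fd009557a84dd152830da855ba9e5582fce527ec4ff387fe94248d4bee9c74a4e6a59b22b2afa484efa79b1631
-data.tar.gz: 11bae8cd4e18aa0252acd8acb3809bfe9f105ed2a147fbaab5b6bd7376d060b32b4b0ed3b896c2e307e40e0e15c3aa9d7e58a8924679877bda697b46ca74e386
+metadata.gz: bdcc242df0b6e60ba87e1d4445c56bf7ed6c2c2a0dfdd34904fc41369f9b05ed9e370a1c2cf80a6d45d9b1cedcc1f1e56600b96f47437a9ffb6f343a01c41385
+data.tar.gz: d623285512f64799f9e230289f6c864bcb937770d781a974c1c4ac224ff1a89ac104fd0fc4fcc98c2b840ea68b5f8ddf1b67781b85cbc7257099995848b8f9ef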
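--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,11 @@
+# 5.1.2 - 2021-10-28
+
+* Handle cases where enums are not symbols
+* Support newer Haml with ::Haml::AttributeBuilder.build
+* Fix issue where the previous output is still visible (Jason Frey)
+* Fix warning sorting with nil line numbers
+* Update for latest RubyParser (Ryan Davis)
+
 # 5.1.1 - 2021-07-19
 
 * Unrefactor IgnoreConfig's use of `Brakeman::FilePath`
@@ -449,7 +457,7 @@
 * Delay loading vendored gems and modifying load path
 * Avoid warning about SQL injection with `quoted_primary_key`
 * Support more safe `&.` operations
-* Allow multile line regex in `validates_format_of` (Dmitrij Fedorenko)
+* Allow multiple line regex in `validates_format_of` (Dmitrij Fedorenko)
 * Only consider `if` branches in templates
 * Avoid overwriting instance/class methods with same name (Tim Wade)
 * Add `--force-scan` option (Neil Matatall)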
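--- a/data/README.md
+++ b/data/README.md
@@ -66,7 +66,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 Brakeman should work with any version of Rails from 2.3.x to 6.x.
 
-Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.3.0 to run.
+Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.4.0 to run.
 
 # Basic Options
 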
@@ -28,7 +28,7 @@ module Brakeman
28
28
  # Accepts an array of filenames and paths with the following format and
29
29
  # returns a Regexp to match them:
30
30
  # * "path1/file1.rb" - Matches a specific filename in the project directory.
31
- # * "path1/" - Matches any path that conatains "path1" in the project directory.
31
+ # * "path1/" - Matches any path that contains "path1" in the project directory.
32
32
  # * "/path1/ - Matches any path that is rooted at "path1" in the project directory.
33
33
  #
34
34
  def self.regex_for_paths(paths)
@@ -74,7 +74,7 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
74
74
  warning_type = "Denial of Service"
75
75
  confidence = :medium
76
76
  gem_name = "#{name} gem"
77
- message = msg(msg_version(version, gem_name), " has a symbol creation vulnerablity. Upgrade to ")
77
+ message = msg(msg_version(version, gem_name), " has a symbol creation vulnerability. Upgrade to ")
78
78
 
79
79
  if version >= "1.7.0"
80
80
  confidence = :high
@@ -324,7 +324,13 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
324
324
  end
325
325
  when :values_at
326
326
  if node_type? target, :hash
327
- exp = hash_values_at target, exp.args
327
+ res = hash_values_at target, exp.args
328
+
329
+ # Only convert to array of values if _all_ keys
330
+ # are present in the hash.
331
+ unless res.any?(&:nil?)
332
+ exp = res
333
+ end
328
334
  end
329
335
  end
330
336
 
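Review bot: The fallback in the `:values_at` branch reads as a double negative, `unless res.any?(&:nil?)`; since `hash_values_at` is documented in this same release to return `nil` entries for keys it cannot resolve, `if res.none?(&:nil?)` or `unless res.include?(nil)` states the intent directly. When any key is missing, `exp` is left as the original `values_at` call rather than a partially resolved array, which is the conservative outcome for a static analysis and deserves a comment saying so, e.g. `# leave the call unresolved rather than substitute nil for unknown keys`. The enclosing `case` and its method begin and end outside the hunk.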
@@ -8,6 +8,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
8
8
  HAML_HELPERS2 = s(:colon2, s(:colon3, :Haml), :Helpers)
9
9
  JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
10
10
  COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
11
+ ATTRIBUTE_BUILDER = s(:colon2, s(:colon3, :Haml), :AttributeBuilder)
11
12
 
12
13
  def initialize *args
13
14
  super
@@ -133,6 +134,8 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
133
134
 
134
135
  get_pushed_value(exp.first_arg, default)
135
136
  @javascript = false
137
+ elsif haml_attribute_builder? exp
138
+ ignore # probably safe... seems escaped by default?
136
139
  else
137
140
  add_output exp, default
138
141
  end
@@ -154,6 +157,12 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
154
157
  exp.method == :attributes
155
158
  end
156
159
 
160
+ def haml_attribute_builder? exp
161
+ call? exp and
162
+ exp.target == ATTRIBUTE_BUILDER and
163
+ exp.method == :build
164
+ end
165
+
157
166
  def fix_textareas? exp
158
167
  call? exp and
159
168
  exp.target == HAMLOUT and
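Review bot: The new `elsif haml_attribute_builder? exp` branch in the second hunk calls `ignore` on the strength of a comment that is itself unsure (`# probably safe... seems escaped by default?`), so the arguments to `::Haml::AttributeBuilder.build` drop out of output tracking entirely. If an attribute value is user-controlled and Haml's attribute escaping is disabled for that template (the `escape_attrs` option), this is a silent false negative for cross-site scripting, and nothing in the hunk records that the safety claim was never verified. Either confirm the escaping behaviour against the Haml versions being supported and replace the hedge with a statement, e.g. `# ::Haml::AttributeBuilder.build escapes attribute values itself, so its output is not raw`, or keep the behaviour but change the comment to `# TODO: verify attribute values are still escaped when escape_attrs is false`, so the assumption is visible to the next reader. The method containing the `elsif` starts and ends outside the hunk, and `haml_attribute_builder?` is written in the same `and`-chained style as the neighbouring `fix_textareas?`, which is fine.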
@@ -89,6 +89,8 @@ module Brakeman
89
89
  end
90
90
  end
91
91
 
92
+ # You must check the return value for `nil`s -
93
+ # which indicate a key could not be found.
92
94
  def hash_values_at hash, keys
93
95
  values = keys.map do |key|
94
96
  process_hash_access hash, key
@@ -93,6 +93,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
93
93
  def add_enum_method call
94
94
  arg = call.first_arg
95
95
  return unless hash? arg
96
+ return unless symbol? arg[1]
96
97
 
97
98
  enum_name = arg[1].value # first key
98
99
  enums = arg[2] # first value
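Review bot: `return unless symbol? arg[1]` silently skips any `enum` whose first key is not a symbol, which also drops string keys (`enum 'status' => [...]`) that `arg[1].value` on the next line could handle just as well; if the `string?` helper that sits beside `symbol?` in Brakeman's utilities is available here, `return unless symbol? arg[1] or string? arg[1]` keeps those enums in the model. The guard also covers only the first key, while `enums = arg[2]` is used past the hunk without a corresponding check on its shape, which may be fine if that code already tolerates non-hash values but is worth a glance. A short comment on the guard, `# non-literal enum names cannot be resolved statically`, would explain the early return. `add_enum_method` ends outside the hunk.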
@@ -126,7 +126,7 @@ module Brakeman
126
126
 
127
127
  w[:note] = @notes[w[:fingerprint]] || ""
128
128
  w
129
- end.sort_by { |w| [w[:fingerprint], w[:line]] }
129
+ end.sort_by { |w| [w[:fingerprint], w[:line] || 0] }
130
130
 
131
131
  output = {
132
132
  :ignored_warnings => warnings,
@@ -17,7 +17,7 @@ class Brakeman::Report::CSV < Brakeman::Report::Base
17
17
  ]
18
18
 
19
19
  rows = tracker.filtered_warnings.sort_by do |w|
20
- [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
20
+ [w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
21
21
  end.map do |warning|
22
22
  generate_row(headers, warning)
23
23
  end
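Review bot: The sort key `[w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]` is now duplicated byte-for-byte between this CSV report and the Text report hunk (`Brakeman::Report::Text`, its `warnings = tracker.filtered_warnings.sort_by` block), with the same `|| 0` fix applied in both places. A shared method on `Brakeman::Report::Base`, which both classes inherit from, e.g. `def warning_sort_key(w); [w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]; end`, would keep the two from drifting apart again. The `|| 0` places line-less warnings ahead of any real line; a comment such as `# nil line numbers sort before any real line` makes that ordering deliberate rather than incidental. The `rows = ... sort_by` block is opened inside the hunk but the method around it starts and ends outside it.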
@@ -93,7 +93,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
93
93
  end
94
94
  end
95
95
 
96
- # Returns a hash of all check descriptions, keyed by check namne
96
+ # Returns a hash of all check descriptions, keyed by check name
97
97
  def check_descriptions
98
98
  @check_descriptions ||= Brakeman::Checks.checks.map do |check|
99
99
  [check.name.gsub(/^Check/, ''), check.description]
@@ -92,7 +92,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
92
92
  HighLine.color("No warnings found", :bold, :green)
93
93
  else
94
94
  warnings = tracker.filtered_warnings.sort_by do |w|
95
- [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
95
+ [w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
96
96
  end.map do |w|
97
97
  output_warning w
98
98
  end
@@ -40,32 +40,32 @@ class Brakeman::Scanner
40
40
 
41
41
  #Process everything in the Rails application
42
42
  def process
43
- Brakeman.notify "Processing gems..."
43
+ Brakeman.notify "Processing gems... "
44
44
  process_gems
45
45
  guess_rails_version
46
- Brakeman.notify "Processing configuration..."
46
+ Brakeman.notify "Processing configuration... "
47
47
  process_config
48
- Brakeman.notify "Parsing files..."
48
+ Brakeman.notify "Parsing files... "
49
49
  parse_files
50
- Brakeman.notify "Detecting file types..."
50
+ Brakeman.notify "Detecting file types... "
51
51
  detect_file_types
52
- Brakeman.notify "Processing initializers..."
52
+ Brakeman.notify "Processing initializers... "
53
53
  process_initializers
54
- Brakeman.notify "Processing libs..."
54
+ Brakeman.notify "Processing libs... "
55
55
  process_libs
56
- Brakeman.notify "Processing routes... "
56
+ Brakeman.notify "Processing routes... "
57
57
  process_routes
58
- Brakeman.notify "Processing templates... "
58
+ Brakeman.notify "Processing templates... "
59
59
  process_templates
60
- Brakeman.notify "Processing data flow in templates..."
60
+ Brakeman.notify "Processing data flow in templates... "
61
61
  process_template_data_flows
62
- Brakeman.notify "Processing models... "
62
+ Brakeman.notify "Processing models... "
63
63
  process_models
64
- Brakeman.notify "Processing controllers... "
64
+ Brakeman.notify "Processing controllers... "
65
65
  process_controllers
66
66
  Brakeman.notify "Processing data flow in controllers..."
67
67
  process_controller_data_flows
68
- Brakeman.notify "Indexing call sites... "
68
+ Brakeman.notify "Indexing call sites... "
69
69
  index_call_sites
70
70
  tracker
71
71
  end
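Review bot: `Brakeman.notify "Processing data flow in controllers..."` in the middle of `process` is the one message left without the trailing space that every other `notify` call in this hunk now carries; if the trailing space is what stops the previous status line from showing through (the changelog's "previous output is still visible" fix), this line will still exhibit the old problem. Change it to `Brakeman.notify "Processing data flow in controllers... "`. Padding each message by hand is fragile, so a comment on the first call, `# trailing space overwrites leftover characters from the previous status line`, would record why these strings differ from plain text and make the omission easier to spot next time.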
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "5.1.1"
2
+ Version = "5.1.2"
3
3
  end
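--- a/data/lib/brakeman.rb
+++ b/data/lib/brakeman.rb
@@ -394,7 +394,7 @@ module Brakeman
 if options[:parallel_checks]
 notify "Running checks in parallel..."
 else
-notify "Runnning checks..."
+notify "Running checks..."
 end
 
 tracker.run_checks
@@ -479,7 +479,7 @@ module Brakeman
 $stderr.puts message if @debug
 end
 
-# Compare JSON ouptut from a previous scan and return the diff of the two scans
+# Compare JSON output from a previous scan and return the diff of the two scans
 def self.compare options
 require 'json'
 require 'brakeman/differ'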
@@ -544,7 +544,7 @@ class Sexp
544
544
  end
545
545
 
546
546
  # Number of "statements" in a method.
547
- # This is more effecient than `Sexp#body.length`
547
+ # This is more efficient than `Sexp#body.length`
548
548
  # because `Sexp#body` creates a new Sexp.
549
549
  def method_length
550
550
  expect :defn, :defs
@@ -642,4 +642,14 @@ end
642
642
  RUBY
643
643
  end
644
644
 
645
+ class String
646
+ ##
647
+ # This is a hack used by the lexer to sneak in line numbers at the
648
+ # identifier level. This should be MUCH smaller than making
649
+ # process_token return [value, lineno] and modifying EVERYTHING that
650
+ # reduces tIDENTIFIER.
651
+
652
+ attr_accessor :lineno
653
+ end
654
+
645
655
  class WrongSexpError < RuntimeError; end
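Review bot: Reopening the core `String` class to add `attr_accessor :lineno` affects every String in the host process, not only the tokens the lexer produces, and the comment explains the hack without saying why this library must carry a copy of it. If the RubyParser version being tracked already defines the same accessor, this redefinition emits a method-redefined warning under `ruby -w`; guarding it with `attr_accessor :lineno unless method_defined?(:lineno)` avoids the warning while keeping the behaviour. A one-line note naming the RubyParser release this mirrors, e.g. `# mirrors the String#lineno accessor expected by RubyParser <VERSION>`, would make the coupling visible to whoever bumps the dependency next. The file header for this section is not in the page, and the `method_length` body in the earlier hunk continues past it.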
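--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-version: 5.1.1
+version: 5.1.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-07-20 00:00:00.000000000 Z
+date: 2021-10-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -86,14 +86,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.13'
+version: '3.18'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.13'
+version: '3.18'
 - !ruby/object:Gem::Dependency
 name: ruby_parser-legacy
 requirement: !ruby/object:Gem::Requirement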