brakeman-lib 5.1.1 → 5.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 541ef745c1f1e321525f7444fb396c86814eb92769800460869f741de13e1f37
-  data.tar.gz: 2b9bd863f12096df33498a9ce4d1caf03bfb6ade5ce02023dc1e1d9cc5ac9408
+  metadata.gz: 650df7997ecbf4c9bf7c1ea47ef851ec2eac1593d0c9fed8197ca5aa78f8fded
+  data.tar.gz: 9582c10b7cd30496793d5d1b3ddbd88fbf610fa834bdab402267c4ad73962622
 SHA512:
-  metadata.gz: 9b717f148d45e4b704be094cf44696a0982da3fd009557a84dd152830da855ba9e5582fce527ec4ff387fe94248d4bee9c74a4e6a59b22b2afa484efa79b1631
-  data.tar.gz: 11bae8cd4e18aa0252acd8acb3809bfe9f105ed2a147fbaab5b6bd7376d060b32b4b0ed3b896c2e307e40e0e15c3aa9d7e58a8924679877bda697b46ca74e386
+  metadata.gz: bdcc242df0b6e60ba87e1d4445c56bf7ed6c2c2a0dfdd34904fc41369f9b05ed9e370a1c2cf80a6d45d9b1cedcc1f1e56600b96f47437a9ffb6f343a01c41385
+  data.tar.gz: d623285512f64799f9e230289f6c864bcb937770d781a974c1c4ac224ff1a89ac104fd0fc4fcc98c2b840ea68b5f8ddf1b67781b85cbc7257099995848b8f9ef

data/CHANGES.md

@@ -1,3 +1,11 @@
+# 5.1.2 - 2021-10-28
+
+* Handle cases where enums are not symbols
+* Support newer Haml with ::Haml::AttributeBuilder.build
+* Fix issue where the previous output is still visible (Jason Frey)
+* Fix warning sorting with nil line numbers
+* Update for latest RubyParser (Ryan Davis)
+
 # 5.1.1 - 2021-07-19
 
 * Unrefactor IgnoreConfig's use of `Brakeman::FilePath`
@@ -449,7 +457,7 @@
 * Delay loading vendored gems and modifying load path
 * Avoid warning about SQL injection with `quoted_primary_key`
 * Support more safe `&.` operations
-* Allow multile line regex in `validates_format_of` (Dmitrij Fedorenko)
+* Allow multiple line regex in `validates_format_of` (Dmitrij Fedorenko)
 * Only consider `if` branches in templates
 * Avoid overwriting instance/class methods with same name (Tim Wade)
 * Add `--force-scan` option (Neil Matatall)

data/README.md

@@ -66,7 +66,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 Brakeman should work with any version of Rails from 2.3.x to 6.x.
 
-Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.3.0 to run.
+Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.4.0 to run.
 
 # Basic Options
 

data/lib/brakeman/app_tree.rb

@@ -28,7 +28,7 @@ module Brakeman
     # Accepts an array of filenames and paths with the following format and
     # returns a Regexp to match them:
     #   * "path1/file1.rb" - Matches a specific filename in the project directory.
-    #   * "path1/" - Matches any path that conatains "path1" in the project directory.
+    #   * "path1/" - Matches any path that contains "path1" in the project directory.
     #   * "/path1/ - Matches any path that is rooted at "path1" in the project directory.
     #
     def self.regex_for_paths(paths)

data/lib/brakeman/checks/check_json_parsing.rb

@@ -74,7 +74,7 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
     warning_type = "Denial of Service"
     confidence = :medium
     gem_name = "#{name} gem"
-    message = msg(msg_version(version, gem_name), " has a symbol creation vulnerablity. Upgrade to ")
+    message = msg(msg_version(version, gem_name), " has a symbol creation vulnerability. Upgrade to ")
 
     if version >= "1.7.0"
       confidence = :high

data/lib/brakeman/processors/alias_processor.rb

@@ -324,7 +324,13 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       end
     when :values_at
       if node_type? target, :hash
-        exp = hash_values_at target, exp.args
+        res = hash_values_at target, exp.args
+
+        # Only convert to array of values if _all_ keys
+        # are present in the hash.
+        unless res.any?(&:nil?)
+          exp = res
+        end
       end
     end
 

data/lib/brakeman/processors/haml_template_processor.rb

@@ -8,6 +8,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   HAML_HELPERS2 = s(:colon2, s(:colon3, :Haml), :Helpers)
   JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
   COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
+  ATTRIBUTE_BUILDER = s(:colon2, s(:colon3, :Haml), :AttributeBuilder)
 
   def initialize *args
     super
@@ -133,6 +134,8 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 
         get_pushed_value(exp.first_arg, default)
         @javascript = false
+      elsif haml_attribute_builder? exp
+        ignore # probably safe... seems escaped by default?
       else
         add_output exp, default
       end
@@ -154,6 +157,12 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       exp.method == :attributes
   end
 
+  def haml_attribute_builder? exp
+    call? exp and
+      exp.target == ATTRIBUTE_BUILDER and
+      exp.method == :build
+  end
+
   def fix_textareas? exp
     call? exp and
       exp.target == HAMLOUT and

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -89,6 +89,8 @@ module Brakeman
       end
     end
 
+    # You must check the return value for `nil`s -
+    # which indicate a key could not be found.
     def hash_values_at hash, keys
       values = keys.map do |key|
         process_hash_access hash, key

data/lib/brakeman/processors/model_processor.rb

@@ -93,6 +93,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
   def add_enum_method call
     arg = call.first_arg
     return unless hash? arg
+    return unless symbol? arg[1]
 
     enum_name = arg[1].value # first key
     enums = arg[2] # first value

data/lib/brakeman/report/ignore/config.rb

@@ -126,7 +126,7 @@ module Brakeman
 
         w[:note] = @notes[w[:fingerprint]] || ""
         w
-      end.sort_by { |w| [w[:fingerprint], w[:line]] }
+      end.sort_by { |w| [w[:fingerprint], w[:line] || 0] }
 
       output = {
         :ignored_warnings => warnings,

data/lib/brakeman/report/report_csv.rb

@@ -17,7 +17,7 @@ class Brakeman::Report::CSV < Brakeman::Report::Base
     ]
 
     rows = tracker.filtered_warnings.sort_by do |w|
-      [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
+      [w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
     end.map do |warning|
       generate_row(headers, warning)
     end

data/lib/brakeman/report/report_sarif.rb

@@ -93,7 +93,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
     end
   end
 
-  # Returns a hash of all check descriptions, keyed by check namne
+  # Returns a hash of all check descriptions, keyed by check name
   def check_descriptions
     @check_descriptions ||= Brakeman::Checks.checks.map do |check|
       [check.name.gsub(/^Check/, ''), check.description]

data/lib/brakeman/report/report_text.rb

@@ -92,7 +92,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
       HighLine.color("No warnings found", :bold, :green)
     else
       warnings = tracker.filtered_warnings.sort_by do |w|
-        [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
+        [w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
       end.map do |w|
         output_warning w
       end

data/lib/brakeman/scanner.rb

@@ -40,32 +40,32 @@ class Brakeman::Scanner
 
   #Process everything in the Rails application
   def process
-    Brakeman.notify "Processing gems..."
+    Brakeman.notify "Processing gems...                    "
     process_gems
     guess_rails_version
-    Brakeman.notify "Processing configuration..."
+    Brakeman.notify "Processing configuration...           "
     process_config
-    Brakeman.notify "Parsing files..."
+    Brakeman.notify "Parsing files...                      "
     parse_files
-    Brakeman.notify "Detecting file types..."
+    Brakeman.notify "Detecting file types...               "
     detect_file_types
-    Brakeman.notify "Processing initializers..."
+    Brakeman.notify "Processing initializers...            "
     process_initializers
-    Brakeman.notify "Processing libs..."
+    Brakeman.notify "Processing libs...                    "
     process_libs
-    Brakeman.notify "Processing routes...          "
+    Brakeman.notify "Processing routes...                  "
     process_routes
-    Brakeman.notify "Processing templates...       "
+    Brakeman.notify "Processing templates...               "
     process_templates
-    Brakeman.notify "Processing data flow in templates..."
+    Brakeman.notify "Processing data flow in templates...  "
     process_template_data_flows
-    Brakeman.notify "Processing models...          "
+    Brakeman.notify "Processing models...                  "
     process_models
-    Brakeman.notify "Processing controllers...     "
+    Brakeman.notify "Processing controllers...             "
     process_controllers
     Brakeman.notify "Processing data flow in controllers..."
     process_controller_data_flows
-    Brakeman.notify "Indexing call sites...        "
+    Brakeman.notify "Indexing call sites...                "
     index_call_sites
     tracker
   end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.1.1"
+  Version = "5.1.2"
 end

data/lib/brakeman.rb

@@ -394,7 +394,7 @@ module Brakeman
     if options[:parallel_checks]
       notify "Running checks in parallel..."
     else
-      notify "Runnning checks..."
+      notify "Running checks..."
     end
 
     tracker.run_checks
@@ -479,7 +479,7 @@ module Brakeman
     $stderr.puts message if @debug
   end
 
-  # Compare JSON ouptut from a previous scan and return the diff of the two scans
+  # Compare JSON output from a previous scan and return the diff of the two scans
   def self.compare options
     require 'json'
     require 'brakeman/differ'

data/lib/ruby_parser/bm_sexp.rb

@@ -544,7 +544,7 @@ class Sexp
   end
 
   # Number of "statements" in a method.
-  # This is more effecient than `Sexp#body.length`
+  # This is more efficient than `Sexp#body.length`
   # because `Sexp#body` creates a new Sexp.
   def method_length
     expect :defn, :defs
@@ -642,4 +642,14 @@ end
   RUBY
 end
 
+class String
+  ##
+  # This is a hack used by the lexer to sneak in line numbers at the
+  # identifier level. This should be MUCH smaller than making
+  # process_token return [value, lineno] and modifying EVERYTHING that
+  # reduces tIDENTIFIER.
+
+  attr_accessor :lineno
+end
+
 class WrongSexpError < RuntimeError; end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 5.1.1
+  version: 5.1.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-07-20 00:00:00.000000000 Z
+date: 2021-10-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.13'
+        version: '3.18'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.13'
+        version: '3.18'
 - !ruby/object:Gem::Dependency
   name: ruby_parser-legacy
   requirement: !ruby/object:Gem::Requirement