brakeman-lib 5.2.1 → 5.2.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 142266ec73f5ceb562841d0d9f4c74f4fa4ad29663d1aff64bc1c97d236cae16
4
- data.tar.gz: d562a2f5393b7246fc11510c9bf1e23afa037e6401eb073adef21ae9b0102b9e
3
+ metadata.gz: 45b4ed913efc8767851fa736f69591dad0bd6c26eb2b9c6f84e71acef92670ce
4
+ data.tar.gz: b40f9ee9b0dbd2187e071609193b3df891dd6e462bd3de572ce4a335db063185
5
5
  SHA512:
6
- metadata.gz: b02024bd7793e53b995a43f5e3a38366404f1fc2bbcbe952c49fe36fcda896b860685f0581281dba7c9f98db6ab3f6155aa3a53a05229105aac929fde3ac7a8f
7
- data.tar.gz: e75d5409ab0fcda0a29764545600bb154e03d9baadd4575051cb49a433c27c80b5608d77b06213a13b9460cc4a06294ad8589eeae3df52d2892ab1bbd9a30a98
6
+ metadata.gz: 8966515fb503515fb38a7581061a72464b81a6bcf86b99c58711dbbb88b636b87b5e74a09190b53cd7c09ea1674458bfe874698416c4928dbf44eb46bc234221
7
+ data.tar.gz: ca7309e4b30e14213b1e697e33113737ee8c2da1d6997f6e28c0a68df965dcd348c9b7c7a4bbe285e7dc7356b7c6fceb2171b13aae92338d02d4e5ef4992c9a4
data/CHANGES.md CHANGED
@@ -1,3 +1,11 @@
1
+ # 5.2.2 - 2022-04-06
2
+
3
+ * Update `ruby_parser` for Ruby 3.1 support (Merek Skubela)
4
+ * Handle `nil` when joining values (Dan Buettner)
5
+ * Update message for unsafe reflection (Pedro Baracho)
6
+ * Add additional String methods for SQL injection check
7
+ * Respect equality in `if` conditions
8
+
1
9
  # 5.2.1 - 2022-01-30
2
10
 
3
11
  * Add warning codes for EOL software warnings
@@ -405,7 +405,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
405
405
  nil
406
406
  end
407
407
 
408
- TO_STRING_METHODS = [:chomp, :to_s, :squish, :strip, :strip_heredoc]
408
+ TO_STRING_METHODS = [:chomp, :chop, :lstrip, :rstrip, :scrub, :squish, :strip,
409
+ :strip_heredoc, :to_s, :tr]
409
410
 
410
411
  #Returns value if interpolated value is not something safe
411
412
  def unsafe_string_interp? exp
@@ -744,6 +745,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
744
745
  date_target? exp.target
745
746
  else
746
747
  false
747
- end
748
+ end
748
749
  end
749
750
  end
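Review bot: The expanded `TO_STRING_METHODS` literal in the @@ -405 hunk is still an unfrozen Array constant, so any code holding a reference can mutate the allowlist at runtime; append `.freeze`, i.e. `:strip_heredoc, :to_s, :tr].freeze`. The list is an allowlist whose selection criterion is not stated anywhere in the hunk, and a one-line comment such as `# String methods whose result carries the receiver's content, so taint passes through them into the SQL check` would tell a maintainer why `tr` and `scrub` belong here and what qualifies another method for inclusion. The second hunk in this file (@@ -744) only re-indents an `end` and needs no change.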
@@ -20,7 +20,7 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
20
20
  def check_unsafe_reflection result
21
21
  return unless original? result
22
22
 
23
- call = result[:call]
23
+ call = result[:call]
24
24
  method = call.method
25
25
 
26
26
  case method
@@ -37,7 +37,12 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
37
37
  end
38
38
 
39
39
  if confidence
40
- message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
40
+ case method
41
+ when :constantize, :safe_constantize
42
+ message = msg("Unsafe reflection method ", msg_code(method), " called on ", msg_input(input))
43
+ else
44
+ message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
45
+ end
41
46
 
42
47
  warn :result => result,
43
48
  :warning_type => "Remote Code Execution",
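Review bot: The new `case method` in the @@ -37 hunk repeats the entire `msg(...)` call in both branches when only the preposition differs, and the method already dispatches on `method` with a `case` a few lines earlier (gutter line 26 in the @@ -20 hunk), so the message can be built once: `preposition = [:constantize, :safe_constantize].include?(method) ? "on" : "with"` followed by `message = msg("Unsafe reflection method ", msg_code(method), " called #{preposition} ", msg_input(input))`. Alternatively the preposition could be assigned in the earlier `case` alongside `confidence`, avoiding a second dispatch on the same value. The first hunk in this file only re-indents `call = result[:call]`, and `check_unsafe_reflection` continues past the end of the hunk.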
@@ -404,7 +404,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
404
404
  end
405
405
 
406
406
  def join_item item, join_value
407
- if item.is_a? String
407
+ if item.nil? || item.is_a?(String)
408
408
  "#{item}#{join_value}"
409
409
  elsif string? item or symbol? item or number? item
410
410
  s(:str, "#{item.value}#{join_value}").line(item.line)
@@ -864,6 +864,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
864
864
  elsif false? condition
865
865
  no_branch = true
866
866
  exps = [nil, exp.else_clause]
867
+ elsif equality_check? condition and condition.target == condition.first_arg
868
+ no_branch = true
869
+ exps = [exp.then_clause, nil]
867
870
  else
868
871
  no_branch = false
869
872
  exps = [exp.then_clause, exp.else_clause]
@@ -897,6 +900,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
897
900
  env.current[var] = safe_literal(var.line)
898
901
  exp[branch_index] = process_if_branch branch
899
902
  env.current[var] = previous_value
903
+ elsif i == 0 and equality_check? condition
904
+ # For conditions like a == b,
905
+ # set a to b inside the true branch
906
+ var = condition.target
907
+ previous_value = env.current[var]
908
+ env.current[var] = condition.first_arg
909
+ exp[branch_index] = process_if_branch branch
910
+ env.current[var] = previous_value
900
911
  elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
901
912
  var = condition.first_arg
902
913
  env.current[var] = safe_literal(var.line)
@@ -931,6 +942,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
931
942
  end
932
943
  end
933
944
 
945
+ def equality_check? exp
946
+ call? exp and
947
+ exp.method == :==
948
+ end
949
+
934
950
  def simple_when? exp
935
951
  node_type? exp[1], :array and
936
952
  not node_type? exp[1][1], :splat, :array and
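Review bot: The new `elsif i == 0 and equality_check? condition` branch in the @@ -897 hunk repeats the save/assign/process/restore sequence already used by the `include?` branch directly above it, and neither sequence restores `env.current[var]` if `process_if_branch` raises; wrapping the block in a small helper with `ensure` removes the duplication and makes the restore exception-safe. The substitution is one-directional — for `a == b` only `a` is rebound to `b` — so a literal-first comparison such as `"x" == var` teaches the true branch nothing about `var`, which may be worth a swap when `condition.target` is a literal and `condition.first_arg` is not. `equality_check?` (@@ -931 hunk) accepts any call whose method is `:==` without checking that a receiver and an argument are present, so `condition.target` or `condition.first_arg` can be nil by the time they are used as environment keys; `call? exp and exp.method == :== and exp.target and exp.first_arg` would be a safer predicate. The enclosing method of the @@ -897 hunk starts and ends outside the hunk.
```ruby
# … unchanged: earlier branches of the if/elsif chain …
elsif i == 0 and equality_check? condition
  # For conditions like a == b,
  # set a to b inside the true branch
  exp[branch_index] = with_env_value(condition.target, condition.first_arg) do
    process_if_branch branch
  end
# … unchanged: remaining branches and the rest of the enclosing method …

# New helper, defined as a sibling of the enclosing method (outside this hunk).
# Binds var to value in the current environment only while the block runs;
# the previous binding is restored even if the block raises.
def with_env_value var, value
  previous_value = env.current[var]
  env.current[var] = value
  yield
ensure
  env.current[var] = previous_value
end
```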
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "5.2.1"
2
+ Version = "5.2.2"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman-lib
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.2.1
4
+ version: 5.2.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-01-30 00:00:00.000000000 Z
11
+ date: 2022-04-06 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest
@@ -86,14 +86,14 @@ dependencies:
86
86
  requirements:
87
87
  - - "~>"
88
88
  - !ruby/object:Gem::Version
89
- version: '3.18'
89
+ version: '3.19'
90
90
  type: :runtime
91
91
  prerelease: false
92
92
  version_requirements: !ruby/object:Gem::Requirement
93
93
  requirements:
94
94
  - - "~>"
95
95
  - !ruby/object:Gem::Version
96
- version: '3.18'
96
+ version: '3.19'
97
97
  - !ruby/object:Gem::Dependency
98
98
  name: ruby_parser-legacy
99
99
  requirement: !ruby/object:Gem::Requirement