brakeman-lib 5.4.1 → 6.0.0

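--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 1bd15d1d3f41a0fe1f537728a63f5fe432eae4d4b82cdb07233007e794b4b19a
-data.tar.gz: 8fd1c274006689e0e391c5586c9bd59c7ce776a998c9313561185216e51f9519
+metadata.gz: baf72edb48740cecdeb55594386bfa2fd6284a498d1ab7991d24bf30715f424f
+data.tar.gz: 2510eda8d6bc947676d872f3980492c21d227679ae2761a5847ce782f538f628
 SHA512:
-metadata.gz: d3c99025931ba8a59c7852132cb80100f3f720de1ebfe632899e499a5784d5e92534efc6d9a04729bf3aec0d07c90fc2f69efccfd3d49558c277e370ae3d58f3
-data.tar.gz: 571f89f8d5eb19b1d2c472517e3d66d819ab715379fd6b5bdd15cd136560499d8d86ff79da19a86a2c03830b8e0b0d0bf0dec3935267f75eacc95396a71d1f81
+metadata.gz: 5a7739712e782e33cbfe5de51fa2e8c2f53e2366983e113c64c0acdc820a5b04034fc9917da0ce999503fdc897e30218860d4534bbc41b164892629bdfbdac31
+data.tar.gz: d9b526f6c7289543c1c0429722e4b99c276fe4ce145ce7ab4bcfadfec9455dba0fe9e3c0aeceab00d8ba790e0f4076a9459c574a138476eb9b344e3cb3ea6e9a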
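--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,13 @@
+# 6.0.0 - 2023-05-24
+
+* Add obsolete fingerprints to comparison report
+* Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
+* Scan directories that include the word `public`
+* Raise minimum Ruby version to 3.0
+* Drop support for Ruby 1.8/1.9 syntax
+* Fix end-of-life dates for Ruby
+* Fix false positive with `content_tag` in newer Rails
+
 # 5.4.1 - 2023-02-21
 
 * Fix file/line location for EOL software warnings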
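--- a/data/README.md
+++ b/data/README.md
@@ -66,7 +66,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 Brakeman should work with any version of Rails from 2.3.x to 7.x.
 
-Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.5.0 to run.
+Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.0.0 to run.
 
 # Basic Options
 
@@ -182,7 +182,7 @@ There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenk
 
 For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
 
-There are a couple [Github Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
+There are a couple [GitHub Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
 
 # Building
 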
@@ -197,7 +197,6 @@ module Brakeman
197
197
  spec/
198
198
  test/
199
199
  tmp/
200
- public/
201
200
  log/
202
201
  ]
203
202
 
@@ -73,11 +73,14 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
73
73
  check_argument result, content
74
74
  end
75
75
 
76
- #Attribute keys are never escaped, so check them for user input
77
- if not @matched and hash? attributes and not request_value? attributes
78
- hash_iterate(attributes) do |k, _v|
79
- check_argument result, k
80
- return if @matched
76
+ # This changed in Rails 6.1.6
77
+ if version_between? '0.0.0', '6.1.5'
78
+ #Attribute keys are never escaped, so check them for user input
79
+ if not @matched and hash? attributes and not request_value? attributes
80
+ hash_iterate(attributes) do |k, _v|
81
+ check_argument result, k
82
+ return if @matched
83
+ end
81
84
  end
82
85
  end
83
86
 
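Review bot: The new `if version_between? '0.0.0', '6.1.5'` gate drops the attribute-key check entirely whenever the helper returns false, and if it follows the usual pattern of returning false when no Rails version could be detected, a project whose Rails version Brakeman cannot determine now loses a warning that 5.4.1 raised; confirm that an unknown version is meant to be treated as patched, or let that case fall through to the check. The upper bound `'6.1.5'` may also exclude point releases such as 6.1.5.1 depending on how the helper compares versions; the `'x.y.99'`-style range used elsewhere in this gem (`'6.1.5.99'`) would state the intent unambiguously. `# This changed in Rails 6.1.6` does not say what changed; `# Rails 6.1.6+ escapes attribute keys, so only check them for user input on older versions` would. The enclosing method starts and ends outside the hunk.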
@@ -21,6 +21,8 @@ class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
21
21
  ['2.5.0', '2.5.99'] => Date.new(2021, 3, 31),
22
22
  ['2.6.0', '2.6.99'] => Date.new(2022, 3, 31),
23
23
  ['2.7.0', '2.7.99'] => Date.new(2023, 3, 31),
24
- ['3.0.0', '2.8.99'] => Date.new(2024, 3, 31),
24
+ ['3.0.0', '3.0.99'] => Date.new(2024, 3, 31),
25
+ ['3.1.0', '3.1.99'] => Date.new(2025, 3, 31),
26
+ ['3.2.0', '3.2.99'] => Date.new(2026, 3, 31),
25
27
  }
26
28
  end
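Review bot: The corrected `['3.0.0', '3.0.99']` entry shows this hand-maintained table can carry a low bound above its high bound — the old `'2.8.99'` presumably made the 3.0 range match nothing — and nothing in the hunk prevents the same slip when a 3.3 line is added; a one-line sanity check where the table is consumed, or at least a comment above the table such as `# Each key is [lowest, highest] version => EOL date; double-check the bounds are ordered`, would guard against it. The three new dates carry no source, so a comment naming where the dates come from would make future updates verifiable. The hash literal begins outside the hunk.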
@@ -1,4 +1,4 @@
1
- # Github Actions Formatter
1
+ # GitHub Actions Formatter
2
2
  # Formats warnings as workflow commands to create annotations in GitHub UI
3
3
  class Brakeman::Report::Github < Brakeman::Report::Base
4
4
  def generate_report
@@ -1,6 +1,5 @@
1
1
  begin
2
2
  Brakeman.load_brakeman_dependency 'ruby_parser'
3
- Brakeman.load_brakeman_dependency 'ruby_parser/legacy'
4
3
  require 'ruby_parser/bm_sexp.rb'
5
4
  require 'ruby_parser/bm_sexp_processor.rb'
6
5
  require 'brakeman/processor'
@@ -20,9 +20,7 @@ module Brakeman
20
20
 
21
21
  def default_protect_from_forgery?
22
22
  if version_between? "5.2.0.beta1", "9.9.9"
23
- if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:false)
24
- return false
25
- else
23
+ if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:true)
26
24
  return true
27
25
  end
28
26
  end
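Review bot: The new condition on the `Sexp.new(:true)` line only recognises a literal `true` in the config, so a value set from a constant, a method call or an `ENV` lookup no longer counts as enabled and falls through to whatever the method returns after this hunk, whereas 5.4.1 treated everything except a literal `false` as enabled; that narrowing is the point of the change but deserves a comment, e.g. `# Rails 5.2+: only an explicit literal true in the config counts as enabled here; anything else falls through`. If `load_defaults` detection lives in the code below, the comment should point at it — I cannot see that part. The inner `if`/`return true` pair could also collapse to `return true if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:true)`. The method's final `end` lies outside the hunk.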
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "5.4.1"
2
+ Version = "6.0.0"
3
3
  end
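--- a/data/lib/brakeman.rb
+++ b/data/lib/brakeman.rb
@@ -493,10 +493,14 @@ module Brakeman
 end
 
 tracker = run(options)
+new_report = JSON.parse(tracker.report.to_json, symbolize_names: true)
 
-new_results = JSON.parse(tracker.report.to_json, :symbolize_names => true)[:warnings]
+new_results = new_report[:warnings]
+obsolete_ignored = tracker.unused_fingerprints
 
-Brakeman::Differ.new(new_results, previous_results).diff
+Brakeman::Differ.new(new_results, previous_results).diff.tap do |diff|
+diff[:obsolete] = obsolete_ignored
+end
 end
 
 def self.load_brakeman_dependency name, allow_fail = false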
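Review bot: `diff[:obsolete] = obsolete_ignored` adds a key of a different shape (fingerprints rather than warning hashes, judging by the name `tracker.unused_fingerprints`) to the hash `Brakeman::Differ#diff` returns, and nothing in the hunk documents that, so any consumer that iterates the diff's keys as warning lists needs to know; a comment above the `tap`, `# :obsolete holds ignore-file fingerprints no current warning matched — not warning hashes`, would state the contract, with the shape confirmed against `unused_fingerprints`. `new_report` is parsed in full but only `[:warnings]` is read from it, so a short comment on why the whole report is kept (or inlining it again) would help the next reader. The enclosing method starts outside the hunk.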
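--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-version: 5.4.1
+version: 6.0.0
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-21 00:00:00.000000000 Z
+date: 2023-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
@@ -94,20 +94,6 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '3.19'
-- !ruby/object:Gem::Dependency
-name: ruby_parser-legacy
-requirement: !ruby/object:Gem::Requirement
-requirements:
-- - "~>"
-- !ruby/object:Gem::Version
-version: '1.0'
-type: :runtime
-prerelease: false
-version_requirements: !ruby/object:Gem::Requirement
-requirements:
-- - "~>"
-- !ruby/object:Gem::Version
-version: '1.0'
 - !ruby/object:Gem::Dependency
 name: sexp_processor
 requirement: !ruby/object:Gem::Requirement
@@ -465,7 +451,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.3.3
+rubygems_version: 3.2.3
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.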