brakeman-lib 5.4.1 → 6.0.0

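--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1bd15d1d3f41a0fe1f537728a63f5fe432eae4d4b82cdb07233007e794b4b19a
-  data.tar.gz: 8fd1c274006689e0e391c5586c9bd59c7ce776a998c9313561185216e51f9519
+  metadata.gz: baf72edb48740cecdeb55594386bfa2fd6284a498d1ab7991d24bf30715f424f
+  data.tar.gz: 2510eda8d6bc947676d872f3980492c21d227679ae2761a5847ce782f538f628
 SHA512:
-  metadata.gz: d3c99025931ba8a59c7852132cb80100f3f720de1ebfe632899e499a5784d5e92534efc6d9a04729bf3aec0d07c90fc2f69efccfd3d49558c277e370ae3d58f3
-  data.tar.gz: 571f89f8d5eb19b1d2c472517e3d66d819ab715379fd6b5bdd15cd136560499d8d86ff79da19a86a2c03830b8e0b0d0bf0dec3935267f75eacc95396a71d1f81
+  metadata.gz: 5a7739712e782e33cbfe5de51fa2e8c2f53e2366983e113c64c0acdc820a5b04034fc9917da0ce999503fdc897e30218860d4534bbc41b164892629bdfbdac31
+  data.tar.gz: d9b526f6c7289543c1c0429722e4b99c276fe4ce145ce7ab4bcfadfec9455dba0fe9e3c0aeceab00d8ba790e0f4076a9459c574a138476eb9b344e3cb3ea6e9a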
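--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,13 @@
+# 6.0.0 - 2023-05-24
+
+* Add obsolete fingerprints to comparison report
+* Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
+* Scan directories that include the word `public`
+* Raise minimum Ruby version to 3.0
+* Drop support for Ruby 1.8/1.9 syntax
+* Fix end-of-life dates for Ruby
+* Fix false positive with `content_tag` in newer Rails
+
 # 5.4.1 - 2023-02-21
 
 * Fix file/line location for EOL software warnings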
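--- a/data/README.md
+++ b/data/README.md
@@ -66,7 +66,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 Brakeman should work with any version of Rails from 2.3.x to 7.x.
 
-Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.5.0 to run.
+Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.0.0 to run.
 
 # Basic Options
 
@@ -182,7 +182,7 @@ There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenk
 
 For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
 
-There are a couple [Github Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
+There are a couple [GitHub Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
 
 # Building
 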
@@ -197,7 +197,6 @@ module Brakeman
197
197
  spec/
198
198
  test/
199
199
  tmp/
200
- public/
201
200
  log/
202
201
  ]
203
202
 
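Review bot: Dropping `public/` from this skip list means the application's real top-level `public/` directory is now walked along with any directory that merely contains the word, which is the over-broad match the change set out to fix. If the list is matched by substring against each path (as the changelog wording "directories that include the word public" suggests), anchoring the entry so it only matches `public/` directly under the Rails root would keep the fix without scanning packed assets and uploads. The matching code and the enclosing constant start outside the hunk, so this is inferred from the list's shape. At minimum a comment such as `# public/ is deliberately not skipped: matching it by name also skipped e.g. app/views/public_pages` would record why the entry is gone.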
@@ -73,11 +73,14 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
73
73
  check_argument result, content
74
74
  end
75
75
 
76
- #Attribute keys are never escaped, so check them for user input
77
- if not @matched and hash? attributes and not request_value? attributes
78
- hash_iterate(attributes) do |k, _v|
79
- check_argument result, k
80
- return if @matched
76
+ # This changed in Rails 6.1.6
77
+ if version_between? '0.0.0', '6.1.5'
78
+ #Attribute keys are never escaped, so check them for user input
79
+ if not @matched and hash? attributes and not request_value? attributes
80
+ hash_iterate(attributes) do |k, _v|
81
+ check_argument result, k
82
+ return if @matched
83
+ end
81
84
  end
82
85
  end
83
86
 
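Review bot: The new `version_between? '0.0.0', '6.1.5'` guard around the attribute-key check drops coverage in two cases. If `version_between?` returns false when no Rails version could be determined (as I recall it does in Brakeman), apps with an undetectable Rails version silently lose a check that used to run unconditionally; `if tracker.config.rails_version.nil? or version_between? '0.0.0', '6.1.5'` would keep the old behaviour there. The upper bound also excludes 6.1.5.1, the security patch release that predates the 6.1.6 escaping change, if the comparison treats it as greater than 6.1.5, and the 7.0.0–7.0.2 releases, which I believe were only fixed in 7.0.3, are excluded as well. A comment stating which Rails versions escape attribute keys, with the range widened or listed accordingly, would make the intent checkable. The method containing this block starts before the hunk.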
@@ -21,6 +21,8 @@ class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
21
21
  ['2.5.0', '2.5.99'] => Date.new(2021, 3, 31),
22
22
  ['2.6.0', '2.6.99'] => Date.new(2022, 3, 31),
23
23
  ['2.7.0', '2.7.99'] => Date.new(2023, 3, 31),
24
- ['3.0.0', '2.8.99'] => Date.new(2024, 3, 31),
24
+ ['3.0.0', '3.0.99'] => Date.new(2024, 3, 31),
25
+ ['3.1.0', '3.1.99'] => Date.new(2025, 3, 31),
26
+ ['3.2.0', '3.2.99'] => Date.new(2026, 3, 31),
25
27
  }
26
28
  end
@@ -1,4 +1,4 @@
1
- # Github Actions Formatter
1
+ # GitHub Actions Formatter
2
2
  # Formats warnings as workflow commands to create annotations in GitHub UI
3
3
  class Brakeman::Report::Github < Brakeman::Report::Base
4
4
  def generate_report
@@ -1,6 +1,5 @@
1
1
  begin
2
2
  Brakeman.load_brakeman_dependency 'ruby_parser'
3
- Brakeman.load_brakeman_dependency 'ruby_parser/legacy'
4
3
  require 'ruby_parser/bm_sexp.rb'
5
4
  require 'ruby_parser/bm_sexp_processor.rb'
6
5
  require 'brakeman/processor'
@@ -20,9 +20,7 @@ module Brakeman
20
20
 
21
21
  def default_protect_from_forgery?
22
22
  if version_between? "5.2.0.beta1", "9.9.9"
23
- if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:false)
24
- return false
25
- else
23
+ if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:true)
26
24
  return true
27
25
  end
28
26
  end
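Review bot: With the explicit-`false` branch removed, `config.action_controller.default_protect_from_forgery = false` is no longer distinguished from the setting being absent; both now fall through to the rest of `default_protect_from_forgery?`, which continues outside this hunk. If that remainder can return true for a 5.2+ app (for instance based on `load_defaults`, which the changelog's "when defaults are not loaded" wording suggests), an application that deliberately opted out of CSRF protection would be reported as protected, the opposite of what the check is for. Keeping `return false if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:false)` ahead of the new `true` test preserves the opt-out signal.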
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "5.4.1"
2
+ Version = "6.0.0"
3
3
  end
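--- a/data/lib/brakeman.rb
+++ b/data/lib/brakeman.rb
@@ -493,10 +493,14 @@ module Brakeman
     end
 
     tracker = run(options)
+    new_report = JSON.parse(tracker.report.to_json, symbolize_names: true)
 
-    new_results = JSON.parse(tracker.report.to_json, :symbolize_names => true)[:warnings]
+    new_results = new_report[:warnings]
+    obsolete_ignored = tracker.unused_fingerprints
 
-    Brakeman::Differ.new(new_results, previous_results).diff
+    Brakeman::Differ.new(new_results, previous_results).diff.tap do |diff|
+      diff[:obsolete] = obsolete_ignored
+    end
   end
 
   def self.load_brakeman_dependency name, allow_fail = false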
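Review bot: The `:obsolete` key added to the diff hash is a new part of `compare`'s return value that every consumer of the comparison JSON will see, but nothing in the hunk says what it holds; from the name and the changelog I take `tracker.unused_fingerprints` to be ignore-file fingerprints that matched no warning in this run, which is worth stating on the line: `diff[:obsolete] = obsolete_ignored # ignored fingerprints that no longer match any warning`. Parsing the whole report into `new_report` only to read `[:warnings]` is harmless, but the variable name suggests more of it is used; a short comment that the rest is intentionally unused would save the next reader a search. The enclosing method starts before the hunk.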
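--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 5.4.1
+  version: 6.0.0
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-21 00:00:00.000000000 Z
+date: 2023-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -94,20 +94,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.19'
-- !ruby/object:Gem::Dependency
-  name: ruby_parser-legacy
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: sexp_processor
   requirement: !ruby/object:Gem::Requirement
@@ -465,7 +451,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.3
+rubygems_version: 3.2.3
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.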