RubyGems - brakeman-lib - Versions diffs - 6.1.1 → 6.1.2 - Mend

brakeman-lib 6.1.1 → 6.1.2

Files changed (10) hide show

checksums.yaml +4 -4
data/CHANGES.md +10 -0
data/lib/brakeman/checks/check_eol_ruby.rb +1 -0
data/lib/brakeman/checks/check_render.rb +6 -1
data/lib/brakeman/checks/check_session_settings.rb +2 -3
data/lib/brakeman/processors/alias_processor.rb +7 -2
data/lib/brakeman/report/pager.rb +1 -1
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman.rb +2 -3
metadata +5 -19

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0b89b0353523514b8819b4ed449276342d9883af30c3e5423877bdb3e1cabcda
-  data.tar.gz: '086460da761b50303f40d50c746f6fbfa4d1e13cc10114686070e369f1ede8e5'
+  metadata.gz: 5c304c8cdc5e9e696b5e8780433a1bc611f89e0ea2f0c1c56b3e8a11547a7d1a
+  data.tar.gz: eab139739dbe7b93277f36d8909a8d49a283172879df524fc691386823e2ba68
 SHA512:
-  metadata.gz: 6ac67a29e813bedb49ed66f072b55620b79dec4455dedaa7b45e5ceb16f8ce4069f2503ddd573878346c691fef77f58a2406c7c7b98e431f77ea22951931e30b
-  data.tar.gz: 82463b407d116db17fc8d3c020f560944d22f1feedf88efeb67ab732d414e59d96d258a18e9da19e5868f26c4d45cc536842fe548d07ed3080bb06dd2e5d84d7
+  metadata.gz: d790830a233a7543427ff1236e1929342cf3e4a42b207eb557a3502d237e39f674a27fd74b881acbd92348539f9318eab9ea1718e7fbe570a1cedca3278c5c06
+  data.tar.gz: 23c77975be13a621836f59f2cad832fc94add807b70db5c8809c888a1bf2229345154eb61adb65510c6abf067e10646ba6df1935565defac4753b365ea30fb5b

data/CHANGES.md CHANGED Viewed

@@ -1,3 +1,13 @@
+# 6.1.2 - 2024-02-01
+* Update Highline to 3.0
+* Add EOL date for Ruby 3.3.0
+* Avoid copying Sexps that are too large
+* Avoid detecting `ViewComponentContrib::Base` as dynamic render paths (vividmuimui)
+* Remove deprecated use of `Kernel#open("|...")`
+* Remove `safe_yaml` gem dependency
+* Avoid detecting Phlex components as dynamic render paths (Máximo Mussini)
 # 6.1.1 - 2023-12-24
 * Handle racc as a default gem in Ruby 3.3.0

data/lib/brakeman/checks/check_eol_ruby.rb CHANGED Viewed

@@ -24,5 +24,6 @@ class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
     ['3.0.0', '3.0.99'] => Date.new(2024, 3, 31),
     ['3.1.0', '3.1.99'] => Date.new(2025, 3, 31),
     ['3.2.0', '3.2.99'] => Date.new(2026, 3, 31),
+    ['3.3.0', '3.3.99'] => Date.new(2027, 3, 31),
   }
 end

data/lib/brakeman/checks/check_render.rb CHANGED Viewed

@@ -108,6 +108,11 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
   def known_renderable_class? class_name
     klass = tracker.find_class(class_name)
     return false if klass.nil?
-    klass.ancestor? :"ViewComponent::Base"
+    knowns = [
+      :"ViewComponent::Base",
+      :"ViewComponentContrib::Base",
+      :"Phlex::HTML"
+    ]
+    knowns.any? { |k| klass.ancestor? k }
   end
 end

data/lib/brakeman/checks/check_session_settings.rb CHANGED Viewed

@@ -116,10 +116,9 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
     if secrets_file.exists? and not ignored? "secrets.yml" and not ignored? "config/*.yml"
       yaml = secrets_file.read
-      require 'date' # https://github.com/dtao/safe_yaml/issues/80
-      require 'safe_yaml/load'
+      require 'yaml'
       begin
-        secrets = SafeYAML.load yaml
+        secrets = YAML.safe_load yaml
       rescue Psych::SyntaxError, RuntimeError => e
         Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
         Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"

data/lib/brakeman/processors/alias_processor.rb CHANGED Viewed

@@ -32,6 +32,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     @or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
     @meth_env = nil
     @current_file = current_file
+    @mass_limit = (tracker && tracker.options[:mass_limit]) || 1000 # arbitrary default
     set_env_defaults
   end
@@ -82,8 +83,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def replace exp, int = 0
     return exp if int > 3
-    if replacement = env[exp] and not duplicate? replacement
-      replace(replacement.deep_clone(exp.line), int + 1)
+    if replacement = env[exp]
+      if not duplicate? replacement and replacement.mass < @mass_limit
+        replace(replacement.deep_clone(exp.line), int + 1)
+      else
+        exp
+      end
     elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
       replace(replacement.deep_clone(exp.line), int + 1)
     else

data/lib/brakeman/report/pager.rb CHANGED Viewed

@@ -52,7 +52,7 @@ module Brakeman
     def page_via_less text
       # Adapted from https://github.com/piotrmurach/tty-pager/
-      write_io = open("|less #{less_options.join}", 'w')
+      write_io = IO.popen("less #{less_options.join}", 'w')
       pid = write_io.pid
       write_io.write(text)

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "6.1.1"
+  Version = "6.1.2"
 end

data/lib/brakeman.rb CHANGED Viewed

@@ -128,9 +128,8 @@ module Brakeman
     #Load configuration file
     if config = config_file(custom_location, app_path)
-      require 'date' # https://github.com/dtao/safe_yaml/issues/80
-      self.load_brakeman_dependency 'safe_yaml/load'
-      options = SafeYAML.load_file config, :deserialize_symbols => true
+      require 'yaml'
+      options = YAML.safe_load_file config, permitted_classes: [Symbol], symbolize_names: true
       if options
         options.each { |k, v| options[k] = Set.new v if v.is_a? Array }

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 6.1.1
+  version: 6.1.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-12-24 00:00:00.000000000 Z
+date: 2024-02-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -122,20 +122,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.4.0
-- !ruby/object:Gem::Dependency
-  name: safe_yaml
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: racc
   requirement: !ruby/object:Gem::Requirement
@@ -170,14 +156,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: erubis
   requirement: !ruby/object:Gem::Requirement
@@ -466,7 +452,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.