brakeman-lib 6.2.1 → 6.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9b4180d78dba5897e7117534051ba6f4b80a1a8b4d1466fe2b880520649105fa
-  data.tar.gz: 3c10945788262ea9242aa0eb0ef00e856a11190d02cca058e0ee13a1fb6f264d
+  metadata.gz: 43bb8b6197d17937fa07b7d6b69afaf5a0d4c0fad6332f2126a6f317e5e49262
+  data.tar.gz: 29698bd867c9bfd2dc13baf27c463da77132be4f13d93fd1448428977241c9a2
 SHA512:
-  metadata.gz: b74abc3a86bf25d76e535586fad633eb36687ce7f4de8b1f466a7f4675a84855787a2a136771d157e916787986a891cf839d7a4df8064ab47d6b1daae7f7227d
-  data.tar.gz: 7ad9548050bcfaddd78a9d974ddb97c085558b842093d2cc6cd0171a5404f8c2388c79519f87f9b0121edace58dcd8417a52cb6db31a6d848d990c267f258c61
+  metadata.gz: 8513e27561f8608fca48561c64ceaa42bf43042fee54d1b3102f1ad4dc855eb980c5cf963ed7cc48e8056d91b3d168553efab52f86c5064075b53aa49c1278af
+  data.tar.gz: da6eef18fb43bfcb014f46e86cbd5df82c97b359f53abf18f263366940f45cb621bc85f1dc4933ac2319c063c963b2469c1eb936d26fec36e351c89577c822d9

data/CHANGES.md

@@ -1,3 +1,9 @@
+# 6.2.2 - 2024-10-15
+
+* Ignore more native gems when building gem
+* Revamp command injection in `pipeline*` calls
+* New end-of-support dates for Rails
+
 # 6.2.1 - 2024-08-22
 
 Just a packaging fix for brakeman.gem

data/README.md

@@ -2,7 +2,6 @@
 
 [![Build Status](https://circleci.com/gh/presidentbeef/brakeman.svg?style=svg)](https://circleci.com/gh/presidentbeef/brakeman)
 [![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/presidentbeef/brakeman/test_coverage)
-[![Gitter](https://badges.gitter.im/presidentbeef/brakeman.svg)](https://gitter.im/presidentbeef/brakeman)
 
 # Brakeman
 

data/lib/brakeman/checks/check_eol_rails.rb

@@ -11,6 +11,8 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
     check_eol_version :rails, RAILS_EOL_DATES
   end
 
+  # https://rubyonrails.org/maintenance
+  # https://endoflife.date/rails
   RAILS_EOL_DATES = {
     ['2.0.0', '2.3.99'] => Date.new(2013, 6, 25),
     ['3.0.0', '3.2.99'] => Date.new(2016, 6, 30),
@@ -19,5 +21,9 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
     ['5.1.0', '5.1.99'] => Date.new(2019, 8, 25),
     ['5.2.0', '5.2.99'] => Date.new(2022, 6, 1),
     ['6.0.0', '6.0.99'] => Date.new(2023, 6, 1),
+    ['6.1.0', '6.1.99'] => Date.new(2024, 10, 1),
+    ['7.0.0', '7.0.99'] => Date.new(2025, 4, 1),
+    ['7.1.0', '7.1.99'] => Date.new(2025, 10, 1),
+    ['7.2.0', '7.2.99'] => Date.new(2026, 8, 9),
   }
 end

data/lib/brakeman/checks/check_execute.rb

@@ -53,6 +53,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     call = result[:call]
     args = call.arglist
     first_arg = call.first_arg
+    failure = nil
 
     case call.method
     when :popen
@@ -71,6 +72,33 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
                   dangerous_interp?(first_arg[3]) ||
                   dangerous_string_building?(first_arg[3])
       end
+    when :pipeline, :pipline_r, :pipeline_rw, :pipeline_w, :pipeline_start
+      # Since these pipeline commands pipe together several commands,
+      # need to check each argument. If it's an array, check first argument
+      # (the command) and also check for `bash -c`. Otherwise check the argument
+      # as a unit.
+
+      args.each do |arg|
+        next unless sexp? arg
+
+        if array?(arg)
+          # Check first element of array
+          failure = include_user_input?(arg[1]) ||
+            dangerous_interp?(arg[1]) ||
+            dangerous_string_building?(arg[1])
+
+          # Check for ['bash', '-c', user_input]
+          if dash_c_shell_command?(arg[1], arg[2])
+            failure = include_user_input?(arg[3]) ||
+              dangerous_interp?(arg[3]) ||
+              dangerous_string_building?(arg[3])
+          end
+        else
+          failure = include_user_input?(arg)
+        end
+
+        break if failure
+      end
     when :system, :exec
       # Normally, if we're in a `system` or `exec` call, we only are worried
       # about shell injection when there's a single argument, because comma-

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "6.2.1"
+  Version = "6.2.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 6.2.1
+  version: 6.2.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-08-22 00:00:00.000000000 Z
+date: 2024-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: csv
@@ -467,7 +467,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.11
+rubygems_version: 3.3.27
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.