brakeman-min 3.1.4 → 3.1.5.pre1

data/lib/brakeman/util.rb

@@ -167,7 +167,8 @@ module Brakeman::Util
 
   #Check if _exp_ represents a method call: s(:call, ...)
   def call? exp
-    exp.is_a? Sexp and exp.node_type == :call
+    exp.is_a? Sexp and
+      (exp.node_type == :call or exp.node_type == :safe_call)
   end
 
   #Check if _exp_ represents a Regexp: s(:lit, /.../)
@@ -214,7 +215,7 @@ module Brakeman::Util
     if exp.is_a? Sexp
       return true if exp.node_type == :params or ALL_PARAMETERS.include? exp
 
-      if exp.node_type == :call
+      if call? exp
         if params? exp[1]
           return true
         elsif exp[2] == :[]
@@ -230,7 +231,7 @@ module Brakeman::Util
     if exp.is_a? Sexp
       return true if exp.node_type == :cookies or exp == COOKIES
 
-      if exp.node_type == :call
+      if call? exp
         if cookies? exp[1]
           return true
         elsif exp[2] == :[]

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.1.4"
+  Version = "3.1.5.pre1"
 end

data/lib/brakeman/warning.rb

@@ -1,4 +1,4 @@
-require 'multi_json'
+require 'json'
 require 'digest/sha2'
 require 'brakeman/warning_codes'
 
@@ -241,7 +241,7 @@ class Brakeman::Warning
   end
 
   def to_json
-    MultiJson.dump self.to_hash
+    JSON.generate self.to_hash
   end
 
   private

data/lib/brakeman/warning_codes.rb

@@ -93,6 +93,15 @@ module Brakeman::WarningCodes
     :session_key_manipulation => 89,
     :weak_hash_digest => 90,
     :weak_hash_hmac => 91,
+    :sql_injection_dynamic_finder => 92,
+    :CVE_2015_7576 => 93,
+    :CVE_2016_0751 => 94,
+    :CVE_2015_7577 => 95,
+    :CVE_2015_7578 => 96,
+    :CVE_2015_7580 => 97,
+    :CVE_2015_7579 => 98,
+    :dynamic_render_path_rce => 99,
+    :CVE_2015_7581 => 100,
   }
 
   def self.code name

data/lib/ruby_parser/bm_sexp.rb

@@ -141,13 +141,13 @@ class Sexp
   #s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1)))
   #         ^-----------target-----------^
   def target
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     self[1]
   end
 
   #Sets the target of a method call:
   def target= exp
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     @my_hash_value = nil
     self[1] = exp
   end
@@ -157,10 +157,10 @@ class Sexp
   #s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1)))
   #                        ^- method
   def method
-    expect :call, :attrasgn, :super, :zsuper, :result
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper, :result
 
     case self.node_type
-    when :call, :attrasgn
+    when :call, :attrasgn, :safe_call, :safe_attrasgn
       self[2]
     when :super, :zsuper
       :super
@@ -170,14 +170,14 @@ class Sexp
   end
 
   def method= name
-    expect :call
+    expect :call, :safe_call
 
     self[2] = name
   end
 
   #Sets the arglist in a method call.
   def arglist= exp
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     @my_hash_value = nil
     start_index = 3
 
@@ -201,10 +201,10 @@ class Sexp
   #    s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1), s(:lit, 2)))
   #                                                 ^------------ arglist ------------^
   def arglist
-    expect :call, :attrasgn, :super, :zsuper
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
 
     case self.node_type
-    when :call, :attrasgn
+    when :call, :attrasgn, :safe_call, :safe_attrasgn
       self[3..-1].unshift :arglist
     when :super, :zsuper
       if self[1]
@@ -220,10 +220,10 @@ class Sexp
   #    s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1), s(:lit, 2)))
   #                                                             ^--------args--------^
   def args
-    expect :call, :attrasgn, :super, :zsuper
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
 
     case self.node_type
-    when :call, :attrasgn
+    when :call, :attrasgn, :safe_call, :safe_attrasgn
       if self[3]
         self[3..-1]
       else
@@ -239,11 +239,11 @@ class Sexp
   end
 
   def each_arg replace = false
-    expect :call, :attrasgn, :super, :zsuper
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
     range = nil
 
     case self.node_type
-    when :call, :attrasgn
+    when :call, :attrasgn, :safe_call, :safe_attrasgn
       if self[3]
         range = (3...self.length)
       end
@@ -270,43 +270,43 @@ class Sexp
 
   #Returns first argument of a method call.
   def first_arg
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     self[3]
   end
 
   #Sets first argument of a method call.
   def first_arg= exp
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     @my_hash_value = nil
     self[3] = exp
   end
 
   #Returns second argument of a method call.
   def second_arg
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     self[4]
   end
 
   #Sets second argument of a method call.
   def second_arg= exp
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     @my_hash_value = nil
     self[4] = exp
   end
 
   def third_arg
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     self[5]
   end
 
   def third_arg= exp
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     @my_hash_value = nil
     self[5] = exp
   end
 
   def last_arg
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
 
     if self[3]
       self[-1]
@@ -427,9 +427,9 @@ class Sexp
   #    s(:lasgn, :x, s(:lit, 1))
   #                  ^--rhs---^
   def rhs
-    expect :attrasgn, *ASSIGNMENT_BOOL
+    expect :attrasgn, :safe_attrasgn, *ASSIGNMENT_BOOL
 
-    if self.node_type == :attrasgn
+    if self.node_type == :attrasgn or self.node_type == :safe_attrasgn
       self[3]
     else
       self[2]
@@ -438,10 +438,10 @@ class Sexp
 
   #Sets the right hand side of assignment or boolean.
   def rhs= exp
-    expect :attrasgn, *ASSIGNMENT_BOOL
+    expect :attrasgn, :safe_attrasgn, *ASSIGNMENT_BOOL
     @my_hash_value = nil
 
-    if self.node_type == :attrasgn
+    if self.node_type == :attrasgn or self.node_type == :safe_attrasgn
       self[3] = exp
     else
       self[2] = exp

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 3.1.4
+  version: 3.1.5.pre1
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2015-12-22 00:00:00.000000000 Z
+date: 2016-02-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
@@ -31,48 +31,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: 3.8.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: 3.8.1
 - !ruby/object:Gem::Dependency
   name: ruby2ruby
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.1.1
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 2.3.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.1.1
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 2.3.0
-- !ruby/object:Gem::Dependency
-  name: multi_json
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: 2.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: 2.3.0
 - !ruby/object:Gem::Dependency
   name: safe_yaml
   requirement: !ruby/object:Gem::Requirement
@@ -108,6 +88,7 @@ files:
 - lib/brakeman/checks.rb
 - lib/brakeman/checks/base_check.rb
 - lib/brakeman/checks/check_basic_auth.rb
+- lib/brakeman/checks/check_basic_auth_timing_attack.rb
 - lib/brakeman/checks/check_content_tag.rb
 - lib/brakeman/checks/check_create_with.rb
 - lib/brakeman/checks/check_cross_site_scripting.rb
@@ -115,6 +96,7 @@ files:
 - lib/brakeman/checks/check_deserialize.rb
 - lib/brakeman/checks/check_detailed_exceptions.rb
 - lib/brakeman/checks/check_digest_dos.rb
+- lib/brakeman/checks/check_dynamic_finders.rb
 - lib/brakeman/checks/check_escape_function.rb
 - lib/brakeman/checks/check_evaluation.rb
 - lib/brakeman/checks/check_execute.rb
@@ -131,10 +113,12 @@ files:
 - lib/brakeman/checks/check_link_to_href.rb
 - lib/brakeman/checks/check_mail_to.rb
 - lib/brakeman/checks/check_mass_assignment.rb
+- lib/brakeman/checks/check_mime_type_dos.rb
 - lib/brakeman/checks/check_model_attr_accessible.rb
 - lib/brakeman/checks/check_model_attributes.rb
 - lib/brakeman/checks/check_model_serialize.rb
 - lib/brakeman/checks/check_nested_attributes.rb
+- lib/brakeman/checks/check_nested_attributes_bypass.rb
 - lib/brakeman/checks/check_number_to_currency.rb
 - lib/brakeman/checks/check_quote_table_name.rb
 - lib/brakeman/checks/check_redirect.rb
@@ -143,6 +127,7 @@ files:
 - lib/brakeman/checks/check_render_dos.rb
 - lib/brakeman/checks/check_render_inline.rb
 - lib/brakeman/checks/check_response_splitting.rb
+- lib/brakeman/checks/check_route_dos.rb
 - lib/brakeman/checks/check_safe_buffer_manipulation.rb
 - lib/brakeman/checks/check_sanitize_methods.rb
 - lib/brakeman/checks/check_select_tag.rb
@@ -209,8 +194,6 @@ files:
 - lib/brakeman/report/config/remediation.yml
 - lib/brakeman/report/ignore/config.rb
 - lib/brakeman/report/ignore/interactive.rb
-- lib/brakeman/report/initializers/faster_csv.rb
-- lib/brakeman/report/initializers/multi_json.rb
 - lib/brakeman/report/renderer.rb
 - lib/brakeman/report/report_base.rb
 - lib/brakeman/report/report_codeclimate.rb
@@ -262,9 +245,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.4.8

data/lib/brakeman/report/initializers/faster_csv.rb

@@ -1,7 +0,0 @@
-# Ruby 1.8 compatible
-if CSV.const_defined? :Reader
-  require 'fastercsv'
-  Object.send(:remove_const, :CSV)
-  CSV = FasterCSV
-end
-

data/lib/brakeman/report/initializers/multi_json.rb

@@ -1,29 +0,0 @@
-#MultiJson interface changed in 1.3.0, but need
-#to support older MultiJson for Rails 3.1.
-mj_engine = nil
-
-if MultiJson.respond_to? :default_adapter
-  mj_engine = MultiJson.default_adapter
-else
-  mj_engine = MultiJson.default_engine
-
-  module MultiJson
-    def self.dump *args
-      encode *args
-    end
-
-    def self.load *args
-      decode *args
-    end
-  end
-end
-
-#This is so OkJson will work with symbol values
-if mj_engine == :ok_json
-  class Symbol
-    def to_json
-      self.to_s.inspect
-    end
-  end
-end
-