RubyGems - brakeman-min - Versions diffs - 3.5.0 → 3.6.0 - Mend

brakeman-min 3.5.0 → 3.6.0

Files changed (12) hide show

checksums.yaml +4 -4
data/CHANGES +15 -4
data/bin/brakeman +6 -1
data/lib/brakeman.rb +4 -0
data/lib/brakeman/checks/check_sql.rb +2 -2
data/lib/brakeman/checks/check_xml_dos.rb +0 -6
data/lib/brakeman/options.rb +4 -0
data/lib/brakeman/parsers/rails3_erubis.rb +7 -0
data/lib/brakeman/processors/alias_processor.rb +101 -0
data/lib/brakeman/processors/controller_processor.rb +3 -1
data/lib/brakeman/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 34207b00cf9b699ce8f8330d267e6bae5fcb5aa3
-  data.tar.gz: 476ddf71d3b65d4a42ce4a0c3797afce2a668dd0
+  metadata.gz: 99b9788e54de6acd40d016e0c30b7edb0a202d32
+  data.tar.gz: 02c4bcf4031cd50ae6580c1dd708c9df346b88e8
 SHA512:
-  metadata.gz: 2ff7b88ba0c48c57ba0add9897e5518ebf95612ad4d0ef6077b473f0c5e074f39bd5622773715e6d21f39413b7bb0c3980c7eaf730392c4727eebdc1112c15f1
-  data.tar.gz: 31087cfd02979e3602e2d642f1594cfdb9439565a7d4295f810730ed48519144e2fb396a3f59da45f6693f5383045bb5e41303b40e2334d6e1dfc5dd502ac01f
+  metadata.gz: 2e222dcc215b4fbb34847f7e582e02aecc2b33800f386e3f5ff3373c8a78762c9b66de29384033c0520c688518002dd44c5a0cbf42bfdbcba08d35900b99ef9d
+  data.tar.gz: ddaccf9b996c26430acd104c5f1cc4b4639bf07b85be3f9885ef7b83b893a92528f3fc3b9b81213812574e024a21cccc7765691924acc4d0d20ad8f682bb65bb

data/CHANGES CHANGED Viewed

@@ -1,3 +1,14 @@
+# 3.6.0
+* Avoid recursive Concerns
+* Branch inside of `case` expressions
+* Print command line option errors without modification
+* Fix issue with nested interpolation inside SQL strings
+* Ignore GraphQL tags inside ERB templates
+* Add `--exit-on-error` (Michael Grosser)
+* Only report CVE-2015-3227 when exact version is known
+* Check targetless SQL calls outside of known models
 # 3.5.0
 * Allow `-t None`
@@ -102,7 +113,7 @@
 * Update ruby_parser dependency to 3.8.1
 * Remove `fastercsv` dependency
 * Fix finding calls with `targets: nil`
-* Remove `multi_json` dependecy
+* Remove `multi_json` dependency
 * Handle CoffeeScript in HAML
 * Avoid render warnings about params[:action]/params[:controller]
 * Index calls in class bodies but outside methods
@@ -118,7 +129,7 @@
 * Add check for mime-type denial of service (CVE-2016-0751)
 * Add check for basic auth timing attack (CVE-2015-7576)
 * Add initial Rails 5 support
-* Check for implict integer comparison in dynamic finders
+* Check for implicit integer comparison in dynamic finders
 * Support directories better in --only-files and --skip-files (Patrick Toomey)
 * Avoid warning about `permit` in SQL
 * Handle guards using `detect`
@@ -235,7 +246,7 @@
 * Remove formatting newlines in HAML template output
 * Ignore case value in XSS checks
 * Fix CSV output when there are no warnings
-* Handle processing of explictly shadowed block arguments
+* Handle processing of explicitly shadowed block arguments
 # 3.0.1
@@ -285,7 +296,7 @@
 * Add `-4` option to force Rails 4 mode
 * Check entire call for `send`
 * Check for .gitignore of secrets in subdirectories
-* Fix block statment endings in Erubis
+* Fix block statement endings in Erubis
 * Fix undefined variable in controller processing error (Jason Barnabe)
 # 2.6.1

data/bin/brakeman CHANGED Viewed

@@ -10,7 +10,7 @@ require 'brakeman/version'
 begin
   options, parser = Brakeman::Options.parse! ARGV
 rescue OptionParser::ParseError => e
-  $stderr.puts e.message.capitalize
+  $stderr.puts e.message
   $stderr.puts "Please see `brakeman --help` for valid options"
   exit(-1)
 end
@@ -90,6 +90,11 @@ begin
       exit Brakeman::Warnings_Found_Exit_Code
     end
   end
+  #Return error code if --exit-on-error is used and errors were found
+  if tracker.options[:exit_on_error] and tracker.errors.any?
+    exit Brakeman::Errors_Found_Exit_Code
+  end
 rescue Brakeman::NoApplication => e
   warn e.message
   exit Brakeman::No_App_Found_Exit_Code

data/lib/brakeman.rb CHANGED Viewed

@@ -15,6 +15,10 @@ module Brakeman
   #Exit code returned when user requests non-existent checks
   Missing_Checks_Exit_Code = 6
+  #Exit code returned when errors were found and the --exit-on-error
+  #option is set
+  Errors_Found_Exit_Code = 7
   @debug = false
   @quiet = false
   @loaded_dependencies = []

data/lib/brakeman/checks/check_sql.rb CHANGED Viewed

@@ -157,8 +157,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   #
   def process_result result
     return if duplicate?(result) or result[:call].original_line
-    return if result[:target].nil? && !active_record_models.include?(result[:location][:class])
     call = result[:call]
     method = call.method
@@ -596,6 +594,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       safe_value? exp.last
     when :or
       safe_value? exp.lhs and safe_value? exp.rhs
+    when :dstr
+      not unsafe_string_interp? exp
     else
       false
     end

data/lib/brakeman/checks/check_xml_dos.rb CHANGED Viewed

@@ -17,12 +17,6 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
                     "4.2.2"
                   when version_between?("4.0.0", "4.0.99")
                     "4.2.2"
-                  when (version.nil? and tracker.options[:rails3])
-                    version = "3.x"
-                    "3.2.22"
-                  when (version.nil? and tracker.options[:rails4])
-                    version = "4.x"
-                    "4.2.2"
                   else
                     return
                   end

data/lib/brakeman/options.rb CHANGED Viewed

@@ -43,6 +43,10 @@ module Brakeman::Options
           options[:exit_on_warn] = exit_on_warn
         end
+        opts.on "--[no-]exit-on-error", "Exit code is non-zero if errors found" do |exit_on_error|
+          options[:exit_on_error] = exit_on_error
+        end
         opts.on "--ensure-latest", "Fail when Brakeman is outdated" do
           options[:ensure_latest] = true
         end

data/lib/brakeman/parsers/rails3_erubis.rb CHANGED Viewed

@@ -71,4 +71,11 @@ class Brakeman::Rails3Erubis < ::Erubis::Eruby
       @newline_pending = 0
     end
   end
+  # This is borrowed from graphql's erb plugin:
+  # https://github.com/github/graphql-client/blob/51e76bd8d8b2ac0021d8fef7468b9a294e4bd6e8/lib/graphql/client/erubis.rb#L33-L38
+  def convert_input(src, input)
+    input = input.gsub(/<%graphql/, "<%#")
+    super(src, input)
+  end
 end

data/lib/brakeman/processors/alias_processor.rb CHANGED Viewed

@@ -616,6 +616,75 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
+  def simple_when? exp
+    node_type? exp[1], :array and
+      not node_type? exp[1][1], :splat, :array and
+      (exp[1].length == 2 or
+       exp[1].all? { |e| e.is_a? Symbol or node_type? e, :lit, :str })
+  end
+  def process_case exp
+    if @ignore_ifs.nil?
+      @ignore_ifs = @tracker && @tracker.options[:ignore_ifs]
+    end
+    if @ignore_ifs
+      process_default exp
+      return exp
+    end
+    branch_scopes = []
+    was_inside = @inside_if
+    @inside_if = true
+    exp[1] = process exp[1] if exp[1]
+    case_value = if node_type? exp[1], :lvar, :ivar, :call
+      exp[1].deep_clone
+    end
+    exp.each_sexp do |e|
+      if node_type? e, :when
+        scope do
+          @branch_env = env.current
+          # set value of case var if possible
+          if case_value and simple_when? e
+            @branch_env[case_value] = e[1][1]
+          end
+          # when blocks aren't blocks, they are lists of expressions
+          process_default e
+          branch_scopes << env.current
+          @branch_env = nil
+        end
+      end
+    end
+    # else clause
+    if sexp? exp.last
+      scope do
+        @branch_env = env.current
+        process_default exp[-1]
+        branch_scopes << env.current
+        @branch_env = nil
+      end
+    end
+    @inside_if = was_inside
+    branch_scopes.each do |s|
+      merge_if_branch s
+    end
+    exp
+  end
   def process_if_branch exp
     if sexp? exp
       if block? exp
@@ -934,6 +1003,36 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
   end
+  def value_from_case exp
+    result = []
+    exp.each do |e|
+      if node_type? e, :when
+        result << e.last
+      end
+    end
+    result << exp.last if exp.last # else
+    result.reduce do |c, e|
+      if c.nil?
+        e
+      elsif node_type? e, :if
+        c.combine(value_from_if e)
+      elsif raise? e
+        c # ignore exceptions
+      elsif e
+        c.combine e
+      else # when e is nil
+        c
+      end
+    end
+  end
+  def raise? exp
+    call? exp and exp.method == :raise
+  end
   #Set variable to given value.
   #Creates "branched" versions of values when appropriate.
   #Avoids creating multiple branched versions inside same
@@ -941,6 +1040,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def set_value var, value
     if node_type? value, :if
       value = value_from_if(value)
+    elsif node_type? value, :case
+      value = value_from_case(value)
     end
     if @ignore_ifs or not @inside_if

data/lib/brakeman/processors/controller_processor.rb CHANGED Viewed

@@ -16,6 +16,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     @current_module = nil
     @visibility = :public
     @file_name = nil
+    @concerns = Set.new
   end
   #Use this method to process a Controller
@@ -65,7 +66,8 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     return unless @current_class
     if mod = @tracker.find_class(concern_name)
-      if mod.options[:included]
+      if mod.options[:included] and not @concerns.include? concern_name
+        @concerns << concern_name
         process mod.options[:included].deep_clone
       end
     end

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.5.0"
+  Version = "3.6.0"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 3.5.0
+  version: 3.6.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2017-02-01 00:00:00.000000000 Z
+date: 2017-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest