RubyGems - brakeman-min - Versions diffs - 4.8.0 → 4.8.1 - Mend

brakeman-min 4.8.0 → 4.8.1

Files changed (10) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5df247822922b2eb40924d6fc0f4c5ce34b11a49f06a1d1dd8fce1aeea96dff7
-  data.tar.gz: 559f77dde2d0539c0e2a3f24b10de1e1c63dee0f51ddfbeaf1b7a02bb1ac333c
+  metadata.gz: 92ecc405f5d8aa44662d99820f962df8e9b2fe6391837b06639511c7cb7a24bc
+  data.tar.gz: e991cb7e2732104d3859973aedad74ddce99157f5143c0799c90c2c489289e44
 SHA512:
-  metadata.gz: 6b236f461c09d6a3d90f2be348e641028f44f3776fb4372a18a542c5735c5453c9e9a451c959ab31f565afb61dba96fb5837b957f16185dc84516d080a010948
-  data.tar.gz: 58a8c876b73cf7d02b27aa4e438f0092f0ce8487d3458c311016c500ac1961a55b7b22af303c7c1db67e007a887f841661cdd2a2e005d5db7dd117938329794d
+  metadata.gz: 6fc22f32bfead785a7fe0b5ac06289b323b2a047528f4d1da238b8e0d233ecfabb37a869a51c72698974d9b15e7818d47ef2fafc8dd57fc578bce46c3f3a29b3
+  data.tar.gz: 5b96b57238d6e2813dbd83744c32ba546e116e205d0b3546bc52010621394ee7c8f012c258155aed021010e535c8f8ee706108059f7c8ef54019a66a25658d03

data/CHANGES.md CHANGED

@@ -1,4 +1,11 @@
-# Unreleased
+# 4.8.1 - 2020-04-06
+* Check SQL query strings using `String#strip` or `String.squish`
+* Handle non-symbol keys in locals hash for render()
+* Warn about global(!) mass assignment
+* Index calls in render arguments
+# 4.8.0 - 2020-02-18
 * Add JUnit-XML report format (Naoki Kimura)
 * Sort ignore files by fingerprint and line (Ngan Pham)

data/README.md CHANGED

@@ -74,12 +74,16 @@ To specify an output file for the results:
     brakeman -o output_file
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `markdown`, `csv`, and `codeclimate`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, and `codeclimate`.
 Multiple output files can be specified:
     brakeman -o output.html -o output.json
+To output to both a file and to the console, with color:
+    brakeman --color -o /dev/stdout -o output.json
 To suppress informational warnings and just output the report:
     brakeman -q
@@ -167,6 +171,8 @@ There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenk
 For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
+There are a couple [Github Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
 # Building
     git clone git://github.com/presidentbeef/brakeman.git

@@ -17,6 +17,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
   def run_check
     check_mass_assignment
     check_permit!
+    check_permit_all_parameters
   end
   def find_mass_assign_calls
@@ -193,4 +194,18 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
       :message => "Parameters should be whitelisted for mass assignment",
       :confidence => confidence
   end
+  def check_permit_all_parameters
+    tracker.find_call(target: :"ActionController::Parameters", method: :permit_all_parameters=).each do |result|
+      call = result[:call]
+      if true? call.first_arg
+        warn :result => result,
+          :warning_type => "Mass Assignment",
+          :warning_code => :mass_assign_permit_all,
+          :message => "Parameters should be whitelisted for mass assignment",
+          :confidence => :high
+      end
+    end
+  end
 end

@@ -393,7 +393,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     nil
   end
-  TO_STRING_METHODS = [:to_s, :strip_heredoc]
+  TO_STRING_METHODS = [:to_s, :squish, :strip, :strip_heredoc]
   #Returns value if interpolated value is not something safe
   def unsafe_string_interp? exp

@@ -89,7 +89,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Calls to render() are converted to s(:render, ...) but we would
   #like them in the call cache still for speed
   def process_render exp
-    process exp.last if sexp? exp.last
+    process_all exp
     add_simple_call :render, exp

@@ -98,7 +98,9 @@ module Brakeman::RenderHelper
       if hash? options[:locals]
         hash_iterate options[:locals] do |key, value|
-          template_env[Sexp.new(:call, nil, key.value)] = value
+          if symbol? key
+            template_env[Sexp.new(:call, nil, key.value)] = value
+          end
         end
       end

data/lib/brakeman/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.8.0"
+  Version = "4.8.1"
 end

@@ -113,6 +113,7 @@ module Brakeman::WarningCodes
     :force_ssl_disabled => 109,
     :unsafe_cookie_serialization => 110,
     :reverse_tabnabbing => 111,
+    :mass_assign_permit_all => 112,
     :custom_check => 9090,
   }

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 4.8.0
+  version: 4.8.1
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-02-18 00:00:00.000000000 Z
+date: 2020-04-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -330,7 +330,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.0.8
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.