brakeman-min 4.9.0 → 5.0.0

Files changed (42)
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +44 -0
  3. data/README.md +1 -1
  4. data/lib/brakeman.rb +10 -0
  5. data/lib/brakeman/app_tree.rb +36 -3
  6. data/lib/brakeman/checks/base_check.rb +7 -1
  7. data/lib/brakeman/checks/check_execute.rb +2 -1
  8. data/lib/brakeman/checks/check_model_attributes.rb +1 -1
  9. data/lib/brakeman/checks/check_regex_dos.rb +1 -1
  10. data/lib/brakeman/checks/check_sql.rb +2 -2
  11. data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +68 -0
  12. data/lib/brakeman/checks/check_verb_confusion.rb +75 -0
  13. data/lib/brakeman/file_parser.rb +24 -18
  14. data/lib/brakeman/options.rb +5 -1
  15. data/lib/brakeman/parsers/template_parser.rb +2 -3
  16. data/lib/brakeman/processors/alias_processor.rb +20 -4
  17. data/lib/brakeman/processors/controller_processor.rb +1 -1
  18. data/lib/brakeman/processors/haml_template_processor.rb +8 -1
  19. data/lib/brakeman/processors/lib/call_conversion_helper.rb +1 -1
  20. data/lib/brakeman/processors/lib/file_type_detector.rb +64 -0
  21. data/lib/brakeman/processors/lib/rails3_config_processor.rb +16 -16
  22. data/lib/brakeman/processors/output_processor.rb +1 -1
  23. data/lib/brakeman/processors/template_alias_processor.rb +5 -0
  24. data/lib/brakeman/report.rb +15 -0
  25. data/lib/brakeman/report/report_base.rb +0 -2
  26. data/lib/brakeman/report/report_csv.rb +37 -60
  27. data/lib/brakeman/report/report_junit.rb +2 -2
  28. data/lib/brakeman/report/report_sarif.rb +114 -0
  29. data/lib/brakeman/report/report_sonar.rb +38 -0
  30. data/lib/brakeman/report/report_tabs.rb +1 -1
  31. data/lib/brakeman/report/report_text.rb +1 -1
  32. data/lib/brakeman/rescanner.rb +7 -5
  33. data/lib/brakeman/scanner.rb +44 -18
  34. data/lib/brakeman/tracker.rb +6 -0
  35. data/lib/brakeman/tracker/config.rb +76 -1
  36. data/lib/brakeman/tracker/controller.rb +1 -1
  37. data/lib/brakeman/util.rb +9 -4
  38. data/lib/brakeman/version.rb +1 -1
  39. data/lib/brakeman/warning.rb +10 -2
  40. data/lib/brakeman/warning_codes.rb +2 -0
  41. data/lib/ruby_parser/bm_sexp.rb +9 -9
  42. metadata +8 -3
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "4.9.0"
2
+ Version = "5.0.0"
3
3
  end
@@ -275,6 +275,14 @@ class Brakeman::Warning
275
275
  self.file.relative
276
276
  end
277
277
 
278
+ def check_name
279
+ @check_name ||= self.check.sub(/^Brakeman::Check/, '')
280
+ end
281
+
282
+ def confidence_name
283
+ TEXT_CONFIDENCE[self.confidence]
284
+ end
285
+
278
286
  def to_hash absolute_paths: true
279
287
  if self.called_from and not absolute_paths
280
288
  render_path = self.called_from.with_relative_paths
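Review bot: The two new public accessors `check_name` and `confidence_name` are added without any comment, and `check_name` anchors its prefix strip with `^`, which in Ruby is a line anchor rather than a start-of-string anchor; for a class name the difference is cosmetic, but `\A` states the intent: `@check_name ||= self.check.sub(/\ABrakeman::Check/, '')`. I would document them as `# Check class name with the "Brakeman::Check" prefix removed, memoized per warning.` and `# Textual confidence label from TEXT_CONFIDENCE; nil if the confidence value is not in that table.`. Note that `check_name` still raises on a warning whose `check` is nil, exactly as the inlined `gsub` it replaces did, so this is not a regression but worth a mention in the comment if such warnings exist. The `to_hash` method that follows continues past the end of the hunk.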
@@ -285,7 +293,7 @@ class Brakeman::Warning
285
293
  { :warning_type => self.warning_type,
286
294
  :warning_code => @warning_code,
287
295
  :fingerprint => self.fingerprint,
288
- :check_name => self.check.gsub(/^Brakeman::Check/, ''),
296
+ :check_name => self.check_name,
289
297
  :message => self.message.to_s,
290
298
  :file => (absolute_paths ? self.file.absolute : self.file.relative),
291
299
  :line => self.line,
@@ -294,7 +302,7 @@ class Brakeman::Warning
294
302
  :render_path => render_path,
295
303
  :location => self.location(false),
296
304
  :user_input => (@user_input && self.format_user_input(false)),
297
- :confidence => TEXT_CONFIDENCE[self.confidence]
305
+ :confidence => self.confidence_name
298
306
  }
299
307
  end
300
308
 
@@ -119,6 +119,8 @@ module Brakeman::WarningCodes
119
119
  :CVE_2020_8159 => 115,
120
120
  :CVE_2020_8166 => 116,
121
121
  :erb_template_injection => 117,
122
+ :http_verb_confusion => 118,
123
+ :unsafe_method_reflection => 119,
122
124
 
123
125
  :custom_check => 9090,
124
126
  }
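Review bot: The two codes appended here (118 and 119) extend an identifier space that is externally visible — `to_hash` in warning.rb emits `:warning_code` into every report — yet nothing in the table records that a released code must never be renumbered or reused, so a later reorder would silently re-label findings in stored reports and, presumably, in ignore files that key on them. I would add a comment above the table, e.g. `# Warning codes are part of the public report format: append new entries, never renumber or reuse a released code.`. The `:custom_check => 9090` entry suggests a reserved range; a one-line note saying which values are reserved would belong there too. The table starts before the hunk.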
@@ -175,7 +175,7 @@ class Sexp
175
175
  start_index = 3
176
176
 
177
177
  if exp.is_a? Sexp and exp.node_type == :arglist
178
- exp = exp[1..-1]
178
+ exp = exp.sexp_body
179
179
  end
180
180
 
181
181
  exp.each_with_index do |e, i|
@@ -198,10 +198,10 @@ class Sexp
198
198
 
199
199
  case self.node_type
200
200
  when :call, :attrasgn, :safe_call, :safe_attrasgn
201
- self[3..-1].unshift :arglist
201
+ self.sexp_body(3).unshift :arglist
202
202
  when :super, :zsuper
203
203
  if self[1]
204
- self[1..-1].unshift :arglist
204
+ self.sexp_body.unshift :arglist
205
205
  else
206
206
  Sexp.new(:arglist)
207
207
  end
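Review bot: The switch from `self[3..-1]` to `self.sexp_body(3)` has a behavioural motivation that the code does not record: from Ruby 3.0, slicing an Array subclass returns a plain Array rather than a Sexp, so the value passed to `unshift :arglist` here would lose its node type, whereas `sexp_body` preserves it — provided the sexp_processor release in use implements it as a new Sexp rather than a bare slice, which if I recall correctly older releases did, so the gem's dependency bound should reflect that. I would add a why-comment on the first replaced line: `# sexp_body, not self[3..-1]: Array#[] on a subclass returns a plain Array on Ruby 3.0+, and callers expect a Sexp`. The enclosing method starts before the hunk.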
@@ -218,13 +218,13 @@ class Sexp
218
218
  case self.node_type
219
219
  when :call, :attrasgn, :safe_call, :safe_attrasgn
220
220
  if self[3]
221
- self[3..-1]
221
+ self.sexp_body(3)
222
222
  else
223
223
  Sexp.new
224
224
  end
225
225
  when :super, :zsuper
226
226
  if self[1]
227
- self[1..-1]
227
+ self.sexp_body
228
228
  else
229
229
  Sexp.new
230
230
  end
@@ -512,7 +512,7 @@ class Sexp
512
512
  self.slice!(index..-1) #Remove old body
513
513
 
514
514
  if exp.first == :rlist
515
- exp = exp[1..-1]
515
+ exp = exp.sexp_body
516
516
  end
517
517
 
518
518
  #Insert new body
@@ -529,11 +529,11 @@ class Sexp
529
529
 
530
530
  case self.node_type
531
531
  when :defn, :class
532
- self[3..-1]
532
+ self.sexp_body(3)
533
533
  when :defs
534
- self[4..-1]
534
+ self.sexp_body(4)
535
535
  when :module
536
- self[2..-1]
536
+ self.sexp_body(2)
537
537
  end
538
538
  end
539
539
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman-min
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.9.0
4
+ version: 5.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-08-04 00:00:00.000000000 Z
11
+ date: 2021-01-27 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest
@@ -225,8 +225,10 @@ files:
225
225
  - lib/brakeman/checks/check_template_injection.rb
226
226
  - lib/brakeman/checks/check_translate_bug.rb
227
227
  - lib/brakeman/checks/check_unsafe_reflection.rb
228
+ - lib/brakeman/checks/check_unsafe_reflection_methods.rb
228
229
  - lib/brakeman/checks/check_unscoped_find.rb
229
230
  - lib/brakeman/checks/check_validation_regex.rb
231
+ - lib/brakeman/checks/check_verb_confusion.rb
230
232
  - lib/brakeman/checks/check_weak_hash.rb
231
233
  - lib/brakeman/checks/check_without_protection.rb
232
234
  - lib/brakeman/checks/check_xml_dos.rb
@@ -257,6 +259,7 @@ files:
257
259
  - lib/brakeman/processors/haml_template_processor.rb
258
260
  - lib/brakeman/processors/lib/basic_processor.rb
259
261
  - lib/brakeman/processors/lib/call_conversion_helper.rb
262
+ - lib/brakeman/processors/lib/file_type_detector.rb
260
263
  - lib/brakeman/processors/lib/find_all_calls.rb
261
264
  - lib/brakeman/processors/lib/find_call.rb
262
265
  - lib/brakeman/processors/lib/find_return_value.rb
@@ -292,6 +295,8 @@ files:
292
295
  - lib/brakeman/report/report_json.rb
293
296
  - lib/brakeman/report/report_junit.rb
294
297
  - lib/brakeman/report/report_markdown.rb
298
+ - lib/brakeman/report/report_sarif.rb
299
+ - lib/brakeman/report/report_sonar.rb
295
300
  - lib/brakeman/report/report_table.rb
296
301
  - lib/brakeman/report/report_tabs.rb
297
302
  - lib/brakeman/report/report_text.rb
@@ -341,7 +346,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
341
346
  requirements:
342
347
  - - ">="
343
348
  - !ruby/object:Gem::Version
344
- version: '0'
349
+ version: 2.4.0
345
350
  required_rubygems_version: !ruby/object:Gem::Requirement
346
351
  requirements:
347
352
  - - ">="