brakeman-min 5.2.1 → 5.2.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0474c184492e3b757b9ddda53c14a0548769a78c36a104d018a0dcbce8f1befe
4
- data.tar.gz: 219ae2c6e7798bddfac1df4b184b3741c9323bf8075d73acf7de1ac724450d35
3
+ metadata.gz: b7e3bc44c7b0457621cbdd280618d9863d30d98d36a38a8ad4aa1ea9125c5093
4
+ data.tar.gz: 15209823857b9af3355deb504a9823455ffddc4228ece21f316f262f6f6c698b
5
5
  SHA512:
6
- metadata.gz: 51197abef1047d8cb706c552d0c83383755c47152d520eea4278793042955a3be64cdd2790d052febdf67bfea2742a66c5b31eabbbc8f8df2bff0bc9a8f90ff1
7
- data.tar.gz: 27844b61ffdd606325be6eca6c903145a33f21812456e448dc7ec99c314c4e3b2df37869f62c1a59dfb544a8794aaa45f8d1df0f0aee12898deeda1910d9853f
6
+ metadata.gz: 8dfff2ba034c5ae7e8b038a5d2c1157762bb0d3dc65129974d911d16051aa3b7036255b794db9489bd0452d4989030d7fbf3fda0960e072e3805a82d5cfbbcdb
7
+ data.tar.gz: 537937fa11680868e1524b60fe5e2421a4e12fbb52f1e222e931922024539b3bc1e49fc499df92d505da181a4f4217141fa3e9cf983c1989c797ce2c08cc37db
data/CHANGES.md CHANGED
@@ -1,3 +1,11 @@
1
+ # 5.2.2 - 2022-04-06
2
+
3
+ * Update `ruby_parser` for Ruby 3.1 support (Merek Skubela)
4
+ * Handle `nil` when joining values (Dan Buettner)
5
+ * Update message for unsafe reflection (Pedro Baracho)
6
+ * Add additional String methods for SQL injection check
7
+ * Respect equality in `if` conditions
8
+
1
9
  # 5.2.1 - 2022-01-30
2
10
 
3
11
  * Add warning codes for EOL software warnings
@@ -405,7 +405,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
405
405
  nil
406
406
  end
407
407
 
408
- TO_STRING_METHODS = [:chomp, :to_s, :squish, :strip, :strip_heredoc]
408
+ TO_STRING_METHODS = [:chomp, :chop, :lstrip, :rstrip, :scrub, :squish, :strip,
409
+ :strip_heredoc, :to_s, :tr]
409
410
 
410
411
  #Returns value if interpolated value is not something safe
411
412
  def unsafe_string_interp? exp
@@ -744,6 +745,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
744
745
  date_target? exp.target
745
746
  else
746
747
  false
747
- end
748
+ end
748
749
  end
749
750
  end
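Review bot: `TO_STRING_METHODS` in the first CheckSQL hunk (`@@ -405,7 +405,8 @@`) now lists `:chop`, `:lstrip`, `:rstrip`, `:scrub` and `:tr`, yet still omits other String methods whose result carries the receiver's content unchanged in risk terms — `upcase`, `downcase`, `capitalize`, `swapcase`, `squeeze`, `delete`, `reverse`, `dup`, `freeze` — so an interpolation that ends in one of those is presumably still not followed back to its receiver (the consumer is `unsafe_string_interp?`, whose body runs past the hunk). `:tr` is also the first entry that requires arguments, and `:scrub` takes an optional one; for both the result can contain text taken from the argument rather than only from the receiver, so if the consumer currently recurses only into the target it should also look at the call's arguments for these two. The constant would benefit from a one-line comment and a frozen literal: `# String methods whose result is exactly as (un)safe as their receiver; interpolation checks look through them` above it and `].freeze` on the closing line.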
@@ -20,7 +20,7 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
20
20
  def check_unsafe_reflection result
21
21
  return unless original? result
22
22
 
23
- call = result[:call]
23
+ call = result[:call]
24
24
  method = call.method
25
25
 
26
26
  case method
@@ -37,7 +37,12 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
37
37
  end
38
38
 
39
39
  if confidence
40
- message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
40
+ case method
41
+ when :constantize, :safe_constantize
42
+ message = msg("Unsafe reflection method ", msg_code(method), " called on ", msg_input(input))
43
+ else
44
+ message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
45
+ end
41
46
 
42
47
  warn :result => result,
43
48
  :warning_type => "Remote Code Execution",
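Review bot: The new `case method` inside `if confidence` (second CheckUnsafeReflection hunk, `@@ -37,7 +37,12 @@`) repeats the whole `msg(...)` call in both arms to vary a single preposition, and it is the second dispatch on `method` in this method — the `case method` at the end of the first hunk already branches on the same symbol, though its arms are outside view. Computing the word once keeps one message template: `preposition = [:constantize, :safe_constantize].include?(method) ? " called on " : " called with "` followed by `message = msg("Unsafe reflection method ", msg_code(method), preposition, msg_input(input))`. The wording change itself looks right, since for `constantize` the user-controlled value is the receiver rather than an argument. `check_unsafe_reflection` ends outside the hunk.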
@@ -404,7 +404,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
404
404
  end
405
405
 
406
406
  def join_item item, join_value
407
- if item.is_a? String
407
+ if item.nil? || item.is_a?(String)
408
408
  "#{item}#{join_value}"
409
409
  elsif string? item or symbol? item or number? item
410
410
  s(:str, "#{item.value}#{join_value}").line(item.line)
@@ -864,6 +864,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
864
864
  elsif false? condition
865
865
  no_branch = true
866
866
  exps = [nil, exp.else_clause]
867
+ elsif equality_check? condition and condition.target == condition.first_arg
868
+ no_branch = true
869
+ exps = [exp.then_clause, nil]
867
870
  else
868
871
  no_branch = false
869
872
  exps = [exp.then_clause, exp.else_clause]
@@ -897,6 +900,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
897
900
  env.current[var] = safe_literal(var.line)
898
901
  exp[branch_index] = process_if_branch branch
899
902
  env.current[var] = previous_value
903
+ elsif i == 0 and equality_check? condition
904
+ # For conditions like a == b,
905
+ # set a to b inside the true branch
906
+ var = condition.target
907
+ previous_value = env.current[var]
908
+ env.current[var] = condition.first_arg
909
+ exp[branch_index] = process_if_branch branch
910
+ env.current[var] = previous_value
900
911
  elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
901
912
  var = condition.first_arg
902
913
  env.current[var] = safe_literal(var.line)
@@ -931,6 +942,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
931
942
  end
932
943
  end
933
944
 
945
+ def equality_check? exp
946
+ call? exp and
947
+ exp.method == :==
948
+ end
949
+
934
950
  def simple_when? exp
935
951
  node_type? exp[1], :array and
936
952
  not node_type? exp[1][1], :splat, :array and
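Review bot: The new `elsif i == 0 and equality_check? condition` branch in `process_if` (hunk `@@ -897,6 +900,14 @@`) aliases only the call's receiver, so `if x == "admin"` narrows `x` in the then-branch while the reversed `if "admin" == x` keys the environment on the string literal and leaves `x` untouched; picking the non-literal side would make the two forms behave alike, e.g. `var, value = condition.target, condition.first_arg` then `var, value = value, var if string?(var) or symbol?(var) or number?(var)` and finally `env.current[var] = value` (the `string?`/`symbol?`/`number?` helpers are the ones `join_item` already uses at the top of this section). Unlike the neighbouring branches, which substitute `safe_literal`, this one substitutes an arbitrary expression, so when the right-hand side itself mentions the receiver (`if x == x.strip`) the alias becomes self-referential; whether that matters depends on how aliases are resolved when the branch is processed, which is outside the hunk, but skipping the alias in that case would be a cheap guard. The preceding hunk's `condition.target == condition.first_arg` test only covers the structurally identical case, not this one. `process_if` begins and ends outside the hunk.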
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "5.2.1"
2
+ Version = "5.2.2"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman-min
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.2.1
4
+ version: 5.2.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-01-30 00:00:00.000000000 Z
11
+ date: 2022-04-06 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest
@@ -86,14 +86,14 @@ dependencies:
86
86
  requirements:
87
87
  - - "~>"
88
88
  - !ruby/object:Gem::Version
89
- version: '3.18'
89
+ version: '3.19'
90
90
  type: :runtime
91
91
  prerelease: false
92
92
  version_requirements: !ruby/object:Gem::Requirement
93
93
  requirements:
94
94
  - - "~>"
95
95
  - !ruby/object:Gem::Version
96
- version: '3.18'
96
+ version: '3.19'
97
97
  - !ruby/object:Gem::Dependency
98
98
  name: ruby_parser-legacy
99
99
  requirement: !ruby/object:Gem::Requirement