brakeman-min 6.1.0 → 6.1.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES.md +14 -0
- data/lib/brakeman/checks/check_eol_ruby.rb +1 -0
- data/lib/brakeman/checks/check_render.rb +6 -1
- data/lib/brakeman/checks/check_session_settings.rb +2 -3
- data/lib/brakeman/processors/alias_processor.rb +7 -2
- data/lib/brakeman/report/pager.rb +1 -1
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman.rb +2 -3
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a70ceb66f3e92c7398df7263029948d7966fea3544def0a9f31493421e326f35
|
|
4
|
+
data.tar.gz: d5a4e01a25ba1f8d4c3db395813501e928edcd9bb2713985623d39abb801bfe1
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a399f6eb80e0502a0aab4c859ec2e7a1fbf28b3ce8717f25f0a36c0cce15c827da86c430cae96712e22c424e746ced2dea08733e815dafc5c99dd0af15c357d9
|
|
7
|
+
data.tar.gz: 967f7ceba1997a165ad0dfab64d26ef0338b7694ef53caf0936186d0a47671a2e3e97691b31c649516c2074aba83a791f14bce1733c537df0404c7806c7749b6
|
data/CHANGES.md
CHANGED
|
@@ -1,3 +1,17 @@
|
|
|
1
|
+
# 6.1.2 - 2024-02-01
|
|
2
|
+
|
|
3
|
+
* Update Highline to 3.0
|
|
4
|
+
* Add EOL date for Ruby 3.3.0
|
|
5
|
+
* Avoid copying Sexps that are too large
|
|
6
|
+
* Avoid detecting `ViewComponentContrib::Base` as dynamic render paths (vividmuimui)
|
|
7
|
+
* Remove deprecated use of `Kernel#open("|...")`
|
|
8
|
+
* Remove `safe_yaml` gem dependency
|
|
9
|
+
* Avoid detecting Phlex components as dynamic render paths (Máximo Mussini)
|
|
10
|
+
|
|
11
|
+
# 6.1.1 - 2023-12-24
|
|
12
|
+
|
|
13
|
+
* Handle racc as a default gem in Ruby 3.3.0
|
|
14
|
+
|
|
1
15
|
# 6.1.0 - 2023-12-04
|
|
2
16
|
|
|
3
17
|
* Add `--timing` to add timing duration for scan steps
|
|
@@ -108,6 +108,11 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
|
|
|
108
108
|
def known_renderable_class? class_name
|
|
109
109
|
klass = tracker.find_class(class_name)
|
|
110
110
|
return false if klass.nil?
|
|
111
|
-
|
|
111
|
+
knowns = [
|
|
112
|
+
:"ViewComponent::Base",
|
|
113
|
+
:"ViewComponentContrib::Base",
|
|
114
|
+
:"Phlex::HTML"
|
|
115
|
+
]
|
|
116
|
+
knowns.any? { |k| klass.ancestor? k }
|
|
112
117
|
end
|
|
113
118
|
end
|
|
@@ -116,10 +116,9 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
|
|
|
116
116
|
|
|
117
117
|
if secrets_file.exists? and not ignored? "secrets.yml" and not ignored? "config/*.yml"
|
|
118
118
|
yaml = secrets_file.read
|
|
119
|
-
require '
|
|
120
|
-
require 'safe_yaml/load'
|
|
119
|
+
require 'yaml'
|
|
121
120
|
begin
|
|
122
|
-
secrets =
|
|
121
|
+
secrets = YAML.safe_load yaml
|
|
123
122
|
rescue Psych::SyntaxError, RuntimeError => e
|
|
124
123
|
Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
|
|
125
124
|
Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"
|
|
@@ -32,6 +32,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
|
32
32
|
@or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
|
|
33
33
|
@meth_env = nil
|
|
34
34
|
@current_file = current_file
|
|
35
|
+
@mass_limit = (tracker && tracker.options[:mass_limit]) || 1000 # arbitrary default
|
|
35
36
|
set_env_defaults
|
|
36
37
|
end
|
|
37
38
|
|
|
@@ -82,8 +83,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
|
82
83
|
def replace exp, int = 0
|
|
83
84
|
return exp if int > 3
|
|
84
85
|
|
|
85
|
-
if replacement = env[exp]
|
|
86
|
-
|
|
86
|
+
if replacement = env[exp]
|
|
87
|
+
if not duplicate? replacement and replacement.mass < @mass_limit
|
|
88
|
+
replace(replacement.deep_clone(exp.line), int + 1)
|
|
89
|
+
else
|
|
90
|
+
exp
|
|
91
|
+
end
|
|
87
92
|
elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
|
|
88
93
|
replace(replacement.deep_clone(exp.line), int + 1)
|
|
89
94
|
else
|
|
@@ -52,7 +52,7 @@ module Brakeman
|
|
|
52
52
|
def page_via_less text
|
|
53
53
|
# Adapted from https://github.com/piotrmurach/tty-pager/
|
|
54
54
|
|
|
55
|
-
write_io =
|
|
55
|
+
write_io = IO.popen("less #{less_options.join}", 'w')
|
|
56
56
|
pid = write_io.pid
|
|
57
57
|
|
|
58
58
|
write_io.write(text)
|
data/lib/brakeman/version.rb
CHANGED
data/lib/brakeman.rb
CHANGED
|
@@ -128,9 +128,8 @@ module Brakeman
|
|
|
128
128
|
|
|
129
129
|
#Load configuration file
|
|
130
130
|
if config = config_file(custom_location, app_path)
|
|
131
|
-
require '
|
|
132
|
-
|
|
133
|
-
options = SafeYAML.load_file config, :deserialize_symbols => true
|
|
131
|
+
require 'yaml'
|
|
132
|
+
options = YAML.safe_load_file config, permitted_classes: [Symbol], symbolize_names: true
|
|
134
133
|
|
|
135
134
|
if options
|
|
136
135
|
options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: brakeman-min
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.1.
|
|
4
|
+
version: 6.1.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Justin Collins
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-02-02 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: minitest
|
|
@@ -123,19 +123,19 @@ dependencies:
|
|
|
123
123
|
- !ruby/object:Gem::Version
|
|
124
124
|
version: 2.4.0
|
|
125
125
|
- !ruby/object:Gem::Dependency
|
|
126
|
-
name:
|
|
126
|
+
name: racc
|
|
127
127
|
requirement: !ruby/object:Gem::Requirement
|
|
128
128
|
requirements:
|
|
129
129
|
- - ">="
|
|
130
130
|
- !ruby/object:Gem::Version
|
|
131
|
-
version: '
|
|
131
|
+
version: '0'
|
|
132
132
|
type: :runtime
|
|
133
133
|
prerelease: false
|
|
134
134
|
version_requirements: !ruby/object:Gem::Requirement
|
|
135
135
|
requirements:
|
|
136
136
|
- - ">="
|
|
137
137
|
- !ruby/object:Gem::Version
|
|
138
|
-
version: '
|
|
138
|
+
version: '0'
|
|
139
139
|
description: Brakeman detects security vulnerabilities in Ruby on Rails applications
|
|
140
140
|
via static analysis. This version of the gem only requires the minimum number of
|
|
141
141
|
dependencies. Use the 'brakeman' gem for a full install.
|
|
@@ -362,7 +362,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
362
362
|
- !ruby/object:Gem::Version
|
|
363
363
|
version: '0'
|
|
364
364
|
requirements: []
|
|
365
|
-
rubygems_version: 3.
|
|
365
|
+
rubygems_version: 3.5.3
|
|
366
366
|
signing_key:
|
|
367
367
|
specification_version: 4
|
|
368
368
|
summary: Security vulnerability scanner for Ruby on Rails.
|