brakeman-min 7.1.1 → 7.1.2
- checksums.yaml +4 -4
- data/CHANGES.md +8 -0
- data/README.md +2 -2
- data/lib/brakeman/checks/check_sql.rb +7 -5
- data/lib/brakeman/processors/haml_template_processor.rb +10 -1
- data/lib/brakeman/processors/lib/rails2_config_processor.rb +1 -1
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +1 -1
- data/lib/brakeman/version.rb +1 -1
- data/lib/ruby_parser/bm_sexp.rb +14 -0
- metadata +21 -7
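--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7795329b27bb6a83f78b1467d74ff72d9241a4707871f03fa9901ca1118c861c
+data.tar.gz: bcd9483bcd146a04cbe91164947ba4819f8eb828b73270886d15d4bd29521064
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4ab8e958b3bbb9d9678a6fc0927a704914db827ce97f097ca3a9154aacaa4931913b11213d1360ff4f5ad3623c8ad80590aa935f37d5d9720e099d300f95b9d9
+data.tar.gz: 0d62642d8ff249f550b9d8a7187237325e438310b9009894c71f4b92282a49af020d31f377b4c09bca7f291443843832f48ed326c680c870a42c24b854e1956f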
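--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,11 @@
+# 7.1.2 - 2025-12-25
+
+* Update `ruby_parser` to remove version restriction (Chedli Bourguiba)
+* Raise minimum required Ruby to 3.2.0
+* Use Minitest 6.0
+* Reduce SQL injection false positives from `count` calls
+* Ignore more Haml attribute builder methods
+
 # 7.1.1 - 2025-11-03
 
 * Fix false positive when calling `with_content` on ViewComponents (Peer Allan)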
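--- a/data/README.md
+++ b/data/README.md
@@ -65,7 +65,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 Brakeman should work with any version of Rails from 2.3.x to 8.x.
 
-Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.
+Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.2.0 to run.
 
 # Basic Options
 
@@ -75,7 +75,7 @@ To specify an output file for the results:
 
 brakeman -o output_file
 
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, and `sonar`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, `github` and `sonar`.
 
 Multiple output files can be specified:
 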
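--- a/data/lib/brakeman/checks/check_sql.rb
+++ b/data/lib/brakeman/checks/check_sql.rb
@@ -188,18 +188,20 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
 when :find_by_sql, :count_by_sql
 check_by_sql_arguments call.first_arg
 when :calculate
-if call.
+if call.num_args > 2
 unsafe_sql?(call.second_arg) or check_find_arguments(call.third_arg)
-elsif call.
+elsif call.num_args > 1
 unsafe_sql?(call.second_arg)
 end
 when :last, :first, :all
 check_find_arguments call.first_arg
 when :average, :count, :maximum, :minimum, :sum
-if call.
-
+if call.num_args > 1
+if version_between?("0.0.0", "4.9.9") # In Rails 5+ these do not accept multiple arguments
+check_find_arguments(call.first_arg) or check_find_arguments(call.second_arg)
+end
 else
-check_find_arguments call.
+check_find_arguments call.first_arg
 end
 when :where, :rewhere, :having, :find_by, :find_by!, :find_or_create_by, :find_or_create_by!, :find_or_initialize_by,:not, :delete_by, :destroy_by
 check_query_arguments call.arglist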
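Review bot: In the new `if call.num_args > 1` branch of the `:average, :count, :maximum, :minimum, :sum` case nothing at all is checked unless `version_between?("0.0.0", "4.9.9")` holds, so a two-argument `count` in an application whose Rails version Brakeman could not determine is skipped silently if `version_between?` answers false for an unknown version (its definition is outside this hunk). If that is how it behaves, the two-argument check should also run when no version is known, since an undetected Rails 4 app is exactly the case the pre-5 branch exists for. The deliberate skip also deserves a comment rather than an empty branch, e.g. `# Rails 5+ calculation methods take a single argument, so a 2-arg call is not the ActiveRecord method and is not checked`. The enclosing `case` and method begin and end outside the hunk.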
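--- a/data/lib/brakeman/processors/haml_template_processor.rb
+++ b/data/lib/brakeman/processors/haml_template_processor.rb
@@ -166,7 +166,16 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 def haml_attribute_builder? exp
 call? exp and
 exp.target == ATTRIBUTE_BUILDER and
-
+escaped_builder_method? exp
+end
+
+def escaped_builder_method? exp
+case exp.method
+when :build, :build_aria, :build_boolean, :build_data, :build_id, :escape_html
+true? exp.first_arg
+else
+false
+end
 end
 
 def fix_textareas? exp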
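Review bot: `escaped_builder_method?` treats a builder call as escaped only when its first argument is a literal `true`, but nothing in the hunk records that the first argument is Haml's escape flag, which is the whole basis of the check; a reader seeing `:escape_html` in the same `when` list cannot tell whether its first argument is that flag or the value being escaped. Add a comment above the `when` line, e.g. `# These AttributeBuilder helpers take the escape_attrs flag as their first argument; only a literal true counts as escaped, so a variable or false stays unescaped and is still reported`. If `escape_html`'s first argument is not the flag, it should get its own test rather than sharing `true? exp.first_arg`, since the shared test would then never match and every such call would be reported as unescaped. `ATTRIBUTE_BUILDER` and `true?` are defined outside the hunk.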
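--- a/data/lib/brakeman/processors/lib/rails2_config_processor.rb
+++ b/data/lib/brakeman/processors/lib/rails2_config_processor.rb
@@ -51,7 +51,7 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
 if exp.target == RAILS_CONFIG
 #Get rid of '=' at end
 attribute = exp.method.to_s[0..-2].to_sym
-if exp.
+if exp.num_args > 1
 #Multiple arguments?...not sure if this will ever happen
 @tracker.config.rails[attribute] = exp.args
 else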
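--- a/data/lib/brakeman/processors/lib/rails3_config_processor.rb
+++ b/data/lib/brakeman/processors/lib/rails3_config_processor.rb
@@ -78,7 +78,7 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
 if exp.target == RAILS_CONFIG
 #Get rid of '=' at end
 attribute = exp.method.to_s[0..-2].to_sym
-if exp.
+if exp.num_args > 1
 #Multiple arguments?...not sure if this will ever happen
 @tracker.config.rails[attribute] = exp.args
 else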
data/lib/brakeman/version.rb
CHANGED
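--- a/data/lib/ruby_parser/bm_sexp.rb
+++ b/data/lib/ruby_parser/bm_sexp.rb
@@ -172,6 +172,20 @@ class Sexp
 self[2] = name
 end
 
+# Number of arguments in a method call.
+def num_args
+expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
+
+case self.node_type
+when :call, :attrasgn, :safe_call, :safe_attrasgn
+self.length - 3
+when :super
+self.length - 1
+when :zsuper
+0
+end
+end
+
 #Sets the arglist in a method call.
 def arglist= exp
 expect :call, :attrasgn, :safe_call, :safe_attrasgn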
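Review bot: The one-line comment on `num_args` does not say what counts as an argument, and the `self.length - 3` arithmetic is easy to misread: it counts every child after the target and method name, so for `:attrasgn`/`:safe_attrasgn` the assigned value is included (`config.x = 1` reports 1), and a splat or block-pass node, if ruby_parser places them in the call node as I believe it does, each count as one rather than as the values they expand to. Callers in check_sql.rb and the config processors compare the result against literal thresholds, so the contract should be pinned down in the comment, e.g. `# Number of argument nodes in a method call: everything after target and method name, so an attrasgn's assigned value counts and a splat or block-pass counts as one. Other node types are rejected by expect.` The `case` has no `else`, so the method relies on `expect` (defined outside the hunk) to reject every other node type; a reader cannot see that guarantee from here.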
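--- a/metadata
+++ b/metadata
@@ -1,17 +1,31 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-version: 7.1.
+version: 7.1.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-
+date: 2025-12-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: minitest
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '6.0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '6.0'
+- !ruby/object:Gem::Dependency
+name: minitest-ci
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
@@ -25,7 +39,7 @@ dependencies:
 - !ruby/object:Gem::Version
 version: '0'
 - !ruby/object:Gem::Dependency
-name: minitest-
+name: minitest-mock
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
@@ -72,14 +86,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 3.
+version: 3.22.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 3.
+version: 3.22.0
 - !ruby/object:Gem::Dependency
 name: sexp_processor
 requirement: !ruby/object:Gem::Requirement
@@ -345,14 +359,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: 2.
+version: 3.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.4.1
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.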