brakeman-min 7.1.2 → 8.0.1

data/lib/brakeman.rb

@@ -1,4 +1,5 @@
 require 'set'
+require 'brakeman/logger'
 require 'brakeman/version'
 
 module Brakeman
@@ -32,6 +33,7 @@ module Brakeman
   @quiet = false
   @loaded_dependencies = []
   @vendored_paths = false
+  @logger = nil
 
   #Run Brakeman scan. Returns Tracker object.
   #
@@ -52,7 +54,6 @@ module Brakeman
   #  * :highlight_user_input - highlight user input in reported warnings (default: true)
   #  * :html_style - path to CSS file
   #  * :ignore_model_output - consider models safe (default: false)
-  #  * :index_libs - add libraries to call index (default: true)
   #  * :interprocedural - limited interprocedural processing of method calls (default: false)
   #  * :message_limit - limit length of messages
   #  * :min_confidence - minimum confidence (0-2, 0 is highest)
@@ -71,7 +72,6 @@ module Brakeman
   #  * :safe_methods - array of methods to consider safe
   #  * :show_ignored - Display warnings that are usually ignored
   #  * :sql_safe_methods - array of sql sanitization methods to consider safe
-  #  * :skip_libs - do not process lib/ directory (default: false)
   #  * :skip_vendor - do not process vendor/ directory (default: true)
   #  * :skip_checks - checks not to run (run all if not specified)
   #  * :absolute_paths - show absolute path of each file (default: false)
@@ -79,6 +79,10 @@ module Brakeman
   #
   #Alternatively, just supply a path as a string.
   def self.run options
+    if not $stderr.tty? and options[:report_progress].nil?
+      options[:report_progress] = false
+    end
+
     options = set_options options
 
     @quiet = !!options[:quiet]
@@ -88,18 +92,37 @@ module Brakeman
       options[:report_progress] = false
     end
 
+    @logger = options[:logger] || set_default_logger(options)
+
     if options[:use_prism]
       begin
         require 'prism'
-        notify '[Notice] Using Prism parser'
       rescue LoadError => e
-        Brakeman.debug "[Notice] Asked to use Prism, but failed to load: #{e}"
+        Brakeman.alert "Asked to use Prism, but failed to load: #{e}"
       end
     end
 
+    Brakeman.announce "Brakeman v#{Brakeman::Version}"
+
     scan options
   end
 
+  def self.logger
+    @logger
+  end
+
+  def self.logger= log
+    @logger = log
+  end
+
+  def self.set_default_logger(options = {})
+    @logger = Brakeman::Logger.get_logger(options)
+  end
+
+  def self.cleanup(newline = true)
+    @logger.cleanup(newline) if @logger
+  end
+
   #Sets up options for run, checks given application path
   def self.set_options options
     if options.is_a? String
@@ -152,6 +175,9 @@ module Brakeman
       require 'yaml'
       options = YAML.safe_load_file config, permitted_classes: [Symbol], symbolize_names: true
 
+      # Brakeman.logger is probably not set yet
+      logger = Brakeman::Logger.get_logger(options || line_options)
+
       if options
         options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
 
@@ -162,15 +188,16 @@ module Brakeman
           if options.include? :additional_checks_path
             options.delete :additional_checks_path
 
-            notify "[Notice] Ignoring additional check paths in config file. Use --allow-check-paths-in-config to allow" unless (options[:quiet] || quiet)
+            logger.alert 'Ignoring additional check paths in config file. Use --allow-check-paths-in-config to allow' unless (options[:quiet] || quiet)
           end
         end
 
         # notify if options[:quiet] and quiet is nil||false
-        notify "[Notice] Using configuration in #{config}" unless (options[:quiet] || quiet)
+        # potentially remove these checks now that logger is used
+        logger.alert "Using configuration in #{config}" unless (options[:quiet] || quiet)
         options
       else
-        notify "[Notice] Empty configuration file: #{config}" unless quiet
+        logger.alert "Empty configuration file: #{config}" unless quiet
         {}
       end
     else
@@ -209,7 +236,6 @@ module Brakeman
       :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css",
       :ignore_model_output => false,
       :ignore_redirect_to_model => true,
-      :index_libs => true,
       :message_limit => 100,
       :min_confidence => 2,
       :output_color => true,
@@ -367,6 +393,12 @@ module Brakeman
 
     options.delete :create_config
 
+    if options[:logger]
+      @logger = options.delete(:logger)
+    else
+      set_default_logger(options)
+    end
+
     options.each do |k,v|
       if v.is_a? Set
         options[k] = v.to_a
@@ -377,9 +409,10 @@ module Brakeman
       File.open file, "w" do |f|
         YAML.dump options, f
       end
-      notify "Output configuration to #{file}"
+
+      announce "Output configuration to #{file}"
     else
-      notify YAML.dump(options)
+      $stdout.puts YAML.dump(options)
     end
   end
 
@@ -394,43 +427,39 @@ module Brakeman
   #Run a scan. Generally called from Brakeman.run instead of directly.
   def self.scan options
     #Load scanner
-    notify "Loading scanner..."
+    scanner, tracker = nil
 
-    begin
-      require 'brakeman/scanner'
-    rescue LoadError
-      raise NoBrakemanError, "Cannot find lib/ directory."
-    end
+    process_step 'Loading scanner' do
+      begin
+        require 'brakeman/scanner'
+      rescue LoadError
+        raise NoBrakemanError, 'Cannot find lib/ directory.'
+      end
 
-    add_external_checks options
+      add_external_checks options
 
-    #Start scanning
-    scanner = Scanner.new options
-    tracker = scanner.tracker
+      #Start scanning
+      scanner = Scanner.new options
+      tracker = scanner.tracker
 
-    check_for_missing_checks options[:run_checks], options[:skip_checks], options[:enable_checks]
+      check_for_missing_checks options[:run_checks], options[:skip_checks], options[:enable_checks]
+    end
 
-    notify "Processing application in #{tracker.app_path}"
+    logger.announce "Scanning #{tracker.app_path}"
     scanner.process
 
-    if options[:parallel_checks]
-      notify "Running checks in parallel..."
-    else
-      notify "Running checks..."
-    end
-
     tracker.run_checks
 
     self.filter_warnings tracker, options
 
     if options[:output_files]
-      notify "Generating report..."
-
-      write_report_to_files tracker, options[:output_files]
+      process_step 'Generating report' do
+        write_report_to_files tracker, options[:output_files]
+      end
     elsif options[:print_report]
-      notify "Generating report..."
-
-      write_report_to_formats tracker, options[:output_formats]
+      process_step 'Generating report' do
+        write_report_to_formats tracker, options[:output_formats]
+      end
     end
 
     tracker
@@ -449,7 +478,8 @@ module Brakeman
       File.open output_file, "w" do |f|
         f.write tracker.report.format(tracker.options[:output_formats][idx])
       end
-      notify "Report saved in '#{output_file}'"
+
+      logger.announce "Report saved in '#{output_file}'"
     end
   end
   private_class_method :write_report_to_files
@@ -493,12 +523,16 @@ module Brakeman
     Rescanner.new(options, tracker.processor, files).recheck
   end
 
-  def self.notify message
-    $stderr.puts message unless @quiet
+  def self.announce message
+    logger.announce message
+  end
+
+  def self.alert message
+    logger.alert message
   end
 
   def self.debug message
-    $stderr.puts message if @debug
+    logger.debug message
   end
 
   # Compare JSON output from a previous scan and return the diff of the two scans
@@ -510,7 +544,7 @@ module Brakeman
     begin
       previous_results = JSON.parse(File.read(options[:previous_results_json]), :symbolize_names => true)[:warnings]
     rescue JSON::ParserError
-      self.notify "Error parsing comparison file: #{options[:previous_results_json]}"
+      self.alert "Error parsing comparison file: #{options[:previous_results_json]}"
       exit!
     end
 
@@ -565,6 +599,7 @@ module Brakeman
 
   def self.filter_warnings tracker, options
     require 'brakeman/report/ignore/config'
+    config = nil
 
     app_tree = Brakeman::AppTree.from_options(options)
 
@@ -576,16 +611,17 @@ module Brakeman
       return
     end
 
-    notify "Filtering warnings..."
-
-    if options[:interactive_ignore]
-      require 'brakeman/report/ignore/interactive'
-      config = InteractiveIgnorer.new(file, tracker.warnings).start
-    else
-      notify "[Notice] Using '#{file}' to filter warnings"
-      config = IgnoreConfig.new(file, tracker.warnings)
-      config.read_from_file
-      config.filter_ignored
+    process_step "Filtering warnings..." do
+      if options[:interactive_ignore]
+        require 'brakeman/report/ignore/interactive'
+        logger.cleanup
+        config = InteractiveIgnorer.new(file, tracker.warnings).start
+      else
+        logger.announce "Using '#{file}' to filter warnings"
+        config = IgnoreConfig.new(file, tracker.warnings)
+        config.read_from_file
+        config.filter_ignored
+      end
     end
 
     tracker.ignored_filter = config
@@ -615,6 +651,10 @@ module Brakeman
     @quiet = val
   end
 
+  def self.process_step(description, &)
+    logger.context(description, &)
+  end
+
   class DependencyError < RuntimeError; end
   class NoBrakemanError < RuntimeError; end
   class NoApplication < RuntimeError; end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 7.1.2
+  version: 8.0.1
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-12-25 00:00:00.000000000 Z
+date: 2026-01-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -204,6 +204,7 @@ files:
 - lib/brakeman/checks/check_render.rb
 - lib/brakeman/checks/check_render_dos.rb
 - lib/brakeman/checks/check_render_inline.rb
+- lib/brakeman/checks/check_render_rce.rb
 - lib/brakeman/checks/check_response_splitting.rb
 - lib/brakeman/checks/check_reverse_tabnabbing.rb
 - lib/brakeman/checks/check_route_dos.rb
@@ -246,14 +247,12 @@ files:
 - lib/brakeman/file_parser.rb
 - lib/brakeman/file_path.rb
 - lib/brakeman/format/style.css
+- lib/brakeman/logger.rb
 - lib/brakeman/messages.rb
 - lib/brakeman/options.rb
-- lib/brakeman/parsers/erubis_patch.rb
 - lib/brakeman/parsers/haml6_embedded.rb
 - lib/brakeman/parsers/haml_embedded.rb
-- lib/brakeman/parsers/rails2_erubis.rb
-- lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
-- lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/parsers/rails_erubi.rb
 - lib/brakeman/parsers/slim_embedded.rb
 - lib/brakeman/parsers/template_parser.rb
 - lib/brakeman/processor.rb
@@ -263,7 +262,7 @@ files:
 - lib/brakeman/processors/controller_alias_processor.rb
 - lib/brakeman/processors/controller_processor.rb
 - lib/brakeman/processors/erb_template_processor.rb
-- lib/brakeman/processors/erubis_template_processor.rb
+- lib/brakeman/processors/erubi_template_procesor.rb
 - lib/brakeman/processors/gem_processor.rb
 - lib/brakeman/processors/haml6_template_processor.rb
 - lib/brakeman/processors/haml_template_processor.rb

data/lib/brakeman/parsers/erubis_patch.rb

@@ -1,11 +0,0 @@
-module Brakeman::ErubisPatch
-  # Simple patch to make `erubis` compatible with frozen string literals
-  def convert(input)
-    codebuf = +"" # Modified line, the rest is identitical
-    @preamble.nil? ? add_preamble(codebuf) : (@preamble && (codebuf << @preamble))
-    convert_input(codebuf, input)
-    @postamble.nil? ? add_postamble(codebuf) : (@postamble && (codebuf << @postamble))
-    @_proc = nil    # clear cached proc object
-    return codebuf  # or codebuf.join()
-  end
-end

data/lib/brakeman/parsers/rails2_erubis.rb

@@ -1,9 +0,0 @@
-Brakeman.load_brakeman_dependency 'erubis'
-
-require 'brakeman/parsers/erubis_patch'
-
-#Erubis processor which ignores any output which is plain text.
-class Brakeman::ScannerErubis < Erubis::Eruby
-  include Erubis::NoTextEnhancer
-  include Brakeman::ErubisPatch
-end

data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb

@@ -1,52 +0,0 @@
-Brakeman.load_brakeman_dependency 'erubis'
-
-require 'brakeman/parsers/erubis_patch'
-
-#This is from the rails_xss plugin for Rails 2
-class Brakeman::Rails2XSSPluginErubis < ::Erubis::Eruby
-  include Brakeman::ErubisPatch
-
-  def add_preamble(src)
-    #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
-  end
-
-  #This is different from rails_xss - fixes some line number issues
-  def add_text(src, text)
-    if text == "\n"
-      src << "\n"
-    elsif text.include? "\n"
-      lines = text.split("\n")
-      if text.match(/\n\z/)
-        lines.each do |line|
-          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
-        end
-      else
-        lines[0..-2].each do |line|
-          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
-        end
-
-        src << "@output_buffer.safe_concat('" << escape_text(lines.last) << "');"
-      end
-    else
-      src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
-    end
-  end
-
-  BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
-
-  def add_expr_literal(src, code)
-    if code =~ BLOCK_EXPR
-      src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
-    else
-      src << '@output_buffer << ((' << code << ').to_s);'
-    end
-  end
-
-  def add_expr_escaped(src, code)
-    src << '@output_buffer << ' << escaped_expr(code) << ';'
-  end
-
-  def add_postamble(src)
-    #src << '@output_buffer.to_s'
-  end
-end

data/lib/brakeman/parsers/rails3_erubis.rb

@@ -1,85 +0,0 @@
-Brakeman.load_brakeman_dependency 'erubis'
-
-require 'brakeman/parsers/erubis_patch'
-
-# This is from Rails 5 version of the Erubis handler
-# https://github.com/rails/rails/blob/ec608107801b1e505db03ba76bae4a326a5804ca/actionview/lib/action_view/template/handlers/erb.rb#L7-L73
-class Brakeman::Rails3Erubis < ::Erubis::Eruby
-  include Brakeman::ErubisPatch
-
-  def add_preamble(src)
-    @newline_pending = 0
-    src << "_this_is_to_make_yields_syntactally_correct {"
-    src << "@output_buffer = output_buffer || ActionView::OutputBuffer.new;"
-  end
-
-  def add_text(src, text)
-    return if text.empty?
-
-    if text == "\n"
-      @newline_pending += 1
-    else
-      src << "@output_buffer.safe_append='"
-      src << "\n" * @newline_pending if @newline_pending > 0
-      src << escape_text(text)
-      src << "'.freeze;"
-
-      @newline_pending = 0
-    end
-  end
-
-  # Erubis toggles <%= and <%== behavior when escaping is enabled.
-  # We override to always treat <%== as escaped.
-  def add_expr(src, code, indicator)
-    case indicator
-    when '=='
-      add_expr_escaped(src, code)
-    else
-      super
-    end
-  end
-
-  BLOCK_EXPR = /\s*((\s+|\))do|\{)(\s*\|[^|]*\|)?\s*\Z/
-
-  def add_expr_literal(src, code)
-    flush_newline_if_pending(src)
-    if code =~ BLOCK_EXPR
-      src << '@output_buffer.append= ' << code
-    else
-      src << '@output_buffer.append=(' << code << ');'
-    end
-  end
-
-  def add_expr_escaped(src, code)
-    flush_newline_if_pending(src)
-    if code =~ BLOCK_EXPR
-      src << "@output_buffer.safe_expr_append= " << code
-    else
-      src << "@output_buffer.safe_expr_append=(" << code << ");"
-    end
-  end
-
-  def add_stmt(src, code)
-    flush_newline_if_pending(src)
-    super
-  end
-
-  def add_postamble(src)
-    flush_newline_if_pending(src)
-    src << '@output_buffer.to_s; }'
-  end
-
-  def flush_newline_if_pending(src)
-    if @newline_pending > 0
-      src << "@output_buffer.safe_append='#{"\n" * @newline_pending}'.freeze;"
-      @newline_pending = 0
-    end
-  end
-
-  # This is borrowed from graphql's erb plugin:
-  # https://github.com/github/graphql-client/blob/51e76bd8d8b2ac0021d8fef7468b9a294e4bd6e8/lib/graphql/client/erubis.rb#L33-L38
-  def convert_input(src, input)
-    input = input.gsub(/<%graphql/, "<%#")
-    super(src, input)
-  end
-end