RubyGems - brakeman-min - Versions diffs - 3.1.5.pre1 → 3.1.5 - Mend

brakeman-min 3.1.5.pre1 → 3.1.5

Files changed (29) hide show

checksums.yaml +4 -4
data/CHANGES +0 -11
data/lib/brakeman.rb +4 -4
data/lib/brakeman/call_index.rb +31 -22
data/lib/brakeman/checks.rb +73 -59
data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +21 -0
data/lib/brakeman/checks/check_cross_site_scripting.rb +2 -2
data/lib/brakeman/checks/check_render.rb +1 -9
data/lib/brakeman/checks/check_sql.rb +3 -3
data/lib/brakeman/processors/alias_processor.rb +1 -1
data/lib/brakeman/processors/base_processor.rb +0 -8
data/lib/brakeman/processors/erb_template_processor.rb +1 -1
data/lib/brakeman/processors/erubis_template_processor.rb +1 -1
data/lib/brakeman/processors/haml_template_processor.rb +1 -2
data/lib/brakeman/processors/lib/basic_processor.rb +0 -16
data/lib/brakeman/processors/lib/find_all_calls.rb +2 -4
data/lib/brakeman/processors/lib/find_call.rb +1 -1
data/lib/brakeman/processors/lib/render_path.rb +1 -2
data/lib/brakeman/report/ignore/config.rb +3 -3
data/lib/brakeman/report/initializers/faster_csv.rb +7 -0
data/lib/brakeman/report/initializers/multi_json.rb +29 -0
data/lib/brakeman/report/report_csv.rb +2 -1
data/lib/brakeman/report/report_json.rb +4 -1
data/lib/brakeman/tracker.rb +0 -21
data/lib/brakeman/util.rb +3 -4
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +2 -2
data/lib/ruby_parser/bm_sexp.rb +23 -23
metadata +30 -8

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f7ed8514bb16d1d30d4f7b640dfbab79a6e8d034
-  data.tar.gz: 460ed07d68c8a3af9eb3b2f5034310b29bc4bda5
+  metadata.gz: 7cb551015cbef2ba7f9fdc3c08b3ff4263116544
+  data.tar.gz: 667a81c5f75bccd9c39bfc4089f1261a601cf80d
 SHA512:
-  metadata.gz: 6c986dcecf527e256507f89e60d93fb72c02f6c534cf04ca30412e05a07a8f5364928d3b1886b0787efdfbf2952d057d6e7dc45db4f89e9fe437fa7aafeeddf9
-  data.tar.gz: 795321abc425629d277e8babc82d7d79e63ffe2bd0ab9da57f6e7451c3da1e6acfcd566932c78cd6f8c3c91ed69b787b93373a11e81d3dd6f6f9d97769eb3c1f
+  metadata.gz: 05a344e79c4b52d06d9e76c1875ac9a79aea718646caf1fef4a07e7d40d64609befd09db6733ba7630840f198db02ce4f0f4f4818dd7a9e4dd1f42d9ae9a36dd
+  data.tar.gz: a8307a36a59955e671753ebcb7776d22fd1cd5a7cdccb91654e99fc49f030805c603806efe47dbdf9b82bbc67bcf18f63ded4fe177ee546ff34887d363e0dc12

data/CHANGES CHANGED

@@ -1,14 +1,3 @@
-# 3.2.0.pre1
-* Support calls using `&.` operator
-* Update ruby_parser dependency to 3.8.1
-* Remove `fastercsv` dependency
-* Fix finding calls with `targets: nil`
-* Remove `multi-json` dependecy
-* Handle CoffeeScript in HAML
-* Avoid render warnings about params[:action]/params[:controller]
-* Index calls in class bodies but outside methods
 # 3.1.5
 * Fix CodeClimate construction of --only-files (Will Fleming)

data/lib/brakeman.rb CHANGED

@@ -407,20 +407,20 @@ module Brakeman
   # Compare JSON ouptut from a previous scan and return the diff of the two scans
   def self.compare options
-    require 'json'
+    require 'multi_json'
     require 'brakeman/differ'
     raise ArgumentError.new("Comparison file doesn't exist") unless File.exist? options[:previous_results_json]
     begin
-      previous_results = JSON.parse(File.read(options[:previous_results_json]), :symbolize_names => true)[:warnings]
-    rescue JSON::ParserError
+      previous_results = MultiJson.load(File.read(options[:previous_results_json]), :symbolize_keys => true)[:warnings]
+    rescue MultiJson::DecodeError
       self.notify "Error parsing comparison file: #{options[:previous_results_json]}"
       exit!
     end
     tracker = run(options)
-    new_results = JSON.parse(tracker.report.to_json, :symbolize_names => true)[:warnings]
+    new_results = MultiJson.load(tracker.report.to_json, :symbolize_keys => true)[:warnings]
     Brakeman::Differ.new(new_results, previous_results).diff
   end

data/lib/brakeman/call_index.rb CHANGED

@@ -5,8 +5,8 @@ class Brakeman::CallIndex
   #Initialize index with calls from FindAllCalls
   def initialize calls
-    @calls_by_method = Hash.new { |h, k| h[k] = [] }
-    @calls_by_target = Hash.new { |h, k| h[k] = [] }
+    @calls_by_method = Hash.new
+    @calls_by_target = Hash.new
     index_calls calls
   end
@@ -45,7 +45,7 @@ class Brakeman::CallIndex
     #Find calls with no explicit target
     #with either :target => nil or :target => false
-    elsif (options.key? :target or options.key? :targets) and not target and method
+    elsif options.key? :target and not target and method
       calls = calls_by_method method
       calls = filter_by_target calls, nil
@@ -66,35 +66,44 @@ class Brakeman::CallIndex
   end
   def remove_template_indexes template_name = nil
-    [@calls_by_method, @calls_by_target].each do |calls_by|
-      calls_by.each do |name, calls|
-        calls.delete_if do |call|
-          from_template call, template_name
-        end
+    @calls_by_method.each do |name, calls|
+      calls.delete_if do |call|
+        from_template call, template_name
+      end
+    end
+    @calls_by_target.each do |name, calls|
+      calls.delete_if do |call|
+        from_template call, template_name
       end
     end
   end
   def remove_indexes_by_class classes
-    [@calls_by_method, @calls_by_target].each do |calls_by|
-      calls_by.each do |name, calls|
-        calls.delete_if do |call|
-          call[:location][:type] == :class and classes.include? call[:location][:class]
-        end
+    @calls_by_method.each do |name, calls|
+      calls.delete_if do |call|
+        call[:location][:type] == :class and classes.include? call[:location][:class]
+      end
+    end
+    @calls_by_target.each do |name, calls|
+      calls.delete_if do |call|
+        call[:location][:type] == :class and classes.include? call[:location][:class]
       end
     end
   end
   def index_calls calls
     calls.each do |call|
+      @calls_by_method[call[:method]] ||= []
       @calls_by_method[call[:method]] << call
-      target = call[:target]
-      if not target.is_a? Sexp
-        @calls_by_target[target] << call
-      elsif target.node_type == :params or target.node_type == :session
-        @calls_by_target[target.node_type] << call
+      if not call[:target].is_a? Sexp
+        @calls_by_target[call[:target]] ||= []
+        @calls_by_target[call[:target]] << call
+      elsif call[:target].node_type == :params or call[:target].node_type == :session
+        @calls_by_target[call[:target].node_type] ||= []
+        @calls_by_target[call[:target].node_type] << call
       end
     end
   end
@@ -106,7 +115,7 @@ class Brakeman::CallIndex
     method = options[:method] || options[:methods]
     calls = calls_by_method method
     return [] if calls.nil?
     calls = filter_by_chain calls, target
@@ -136,7 +145,7 @@ class Brakeman::CallIndex
     elsif method.is_a? Regexp
       calls_by_methods_regex method
     else
-      @calls_by_method[method.to_sym]
+      @calls_by_method[method.to_sym] || []
     end
   end
@@ -160,7 +169,7 @@ class Brakeman::CallIndex
   end
   def calls_with_no_target
-    @calls_by_target[nil]
+    @calls_by_target[nil] || []
   end
   def filter calls, key, value

data/lib/brakeman/checks.rb CHANGED

@@ -93,49 +93,91 @@ class Brakeman::Checks
   #Run all the checks on the given Tracker.
   #Returns a new instance of Checks with the results.
   def self.run_checks(app_tree, tracker)
-    checks = self.checks_to_run(tracker)
+    if tracker.options[:parallel_checks]
+      self.run_checks_parallel(app_tree, tracker)
+    else
+      self.run_checks_sequential(app_tree, tracker)
+    end
+  end
+  #Run checks sequentially
+  def self.run_checks_sequential(app_tree, tracker)
     check_runner = self.new :min_confidence => tracker.options[:min_confidence]
-    self.actually_run_checks(checks, check_runner, app_tree, tracker)
+    self.checks_to_run(tracker).each do |c|
+      check_name = get_check_name c
+      #Run or don't run check based on options
+      unless tracker.options[:skip_checks].include? check_name or
+        (tracker.options[:run_checks] and not tracker.options[:run_checks].include? check_name)
+        Brakeman.notify " - #{check_name}"
+        check = c.new(app_tree, tracker)
+        begin
+          check.run_check
+        rescue => e
+          tracker.error e
+        end
+        check.warnings.each do |w|
+          check_runner.add_warning w
+        end
+        #Maintain list of which checks were run
+        #mainly for reporting purposes
+        check_runner.checks_run << check_name[5..-1]
+      end
+    end
+    check_runner
   end
-  def self.actually_run_checks(checks, check_runner, app_tree, tracker)
-    threads = [] # Results for parallel
-    results = [] # Results for sequential
-    parallel = tracker.options[:parallel_checks]
+  #Run checks in parallel threads
+  def self.run_checks_parallel(app_tree, tracker)
+    threads = []
     error_mutex = Mutex.new
-    checks.each do |c|
+    check_runner = self.new :min_confidence => tracker.options[:min_confidence]
+    self.checks_to_run(tracker).each do |c|
       check_name = get_check_name c
-      Brakeman.notify " - #{check_name}"
-      if parallel
+      #Run or don't run check based on options
+      unless tracker.options[:skip_checks].include? check_name or
+        (tracker.options[:run_checks] and not tracker.options[:run_checks].include? check_name)
+        Brakeman.notify " - #{check_name}"
         threads << Thread.new do
-          self.run_a_check(c, error_mutex, app_tree, tracker)
+          check = c.new(app_tree, tracker)
+          begin
+            check.run_check
+          rescue => e
+            error_mutex.synchronize do
+              tracker.error e
+            end
+          end
+          check.warnings
         end
-      else
-        results << self.run_a_check(c, error_mutex, app_tree, tracker)
-      end
-      #Maintain list of which checks were run
-      #mainly for reporting purposes
-      check_runner.checks_run << check_name[5..-1]
+        #Maintain list of which checks were run
+        #mainly for reporting purposes
+        check_runner.checks_run << check_name[5..-1]
+      end
     end
     threads.each { |t| t.join }
     Brakeman.notify "Checks finished, collecting results..."
-    if parallel
-      threads.each do |thread|
-        thread.value.each do |warning|
-          check_runner.add_warning warning
-        end
-      end
-    else
-      results.each do |warnings|
-        warnings.each do |warning|
-          check_runner.add_warning warning
-        end
+    #Collect results
+    threads.each do |thread|
+      thread.value.each do |warning|
+        check_runner.add_warning warning
       end
     end
@@ -149,39 +191,11 @@ class Brakeman::Checks
   end
   def self.checks_to_run tracker
-    to_run = if tracker.options[:run_all_checks] or tracker.options[:run_checks]
-               @checks + @optional_checks
-             else
-               @checks
-             end
-    self.filter_checks to_run, tracker
-  end
-  def self.filter_checks checks, tracker
-    skipped = tracker.options[:skip_checks]
-    explicit = tracker.options[:run_checks]
-    checks.reject do |c|
-      check_name = self.get_check_name(c)
-      skipped.include? check_name or
-        (explicit and not explicit.include? check_name)
-    end
-  end
-  def self.run_a_check klass, mutex, app_tree, tracker
-    check = klass.new(app_tree, tracker)
-    begin
-      check.run_check
-    rescue => e
-      mutex.synchronize do
-        tracker.error e
-      end
+    if tracker.options[:run_all_checks] or tracker.options[:run_checks]
+      @checks + @optional_checks
+    else
+      @checks
     end
-    check.warnings
   end
 end

data/lib/brakeman/checks/check_basic_auth_timing_attack.rb CHANGED

@@ -17,10 +17,31 @@ class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
                  return
                end
+    check_basic_auth_filter
     check_basic_auth_call
   end
+  def check_basic_auth_filter
+    controllers = tracker.controllers.select do |name, c|
+      c.options[:http_basic_authenticate_with]
+    end
+    Hash[controllers].each do |name, controller|
+      controller.options[:http_basic_authenticate_with].each do |call|
+        warn :controller => name,
+          :warning_type => "Timing Attack",
+          :warning_code => :CVE_2015_7576,
+          :message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade",
+          :code => call,
+          :confidence => CONFIDENCE[:high],
+          :file => controller.file,
+          :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
+      end
+    end
+  end
   def check_basic_auth_call
+    # This is relatively unusual, but found in the wild
     tracker.find_call(target: nil, method: :http_basic_authenticate_with).each do |result|
       warn :result => result,
         :warning_type => "Timing Attack",

data/lib/brakeman/checks/check_cross_site_scripting.rb CHANGED

@@ -99,7 +99,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         link_path = "cross_site_scripting"
         warning_code = :cross_site_scripting
-        if node_type?(out, :call, :safe_call, :attrasgn, :safe_attrasgn) && out.method == :to_json
+        if node_type?(out, :call, :attrasgn) && out.method == :to_json
           message += " in JSON hash"
           link_path += "_to_json"
           warning_code = :xss_to_json
@@ -334,7 +334,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   end
   def html_safe_call? exp
-    call? exp.value and exp.value.method == :html_safe
+    exp.value.node_type == :call and exp.value.method == :html_safe
   end
   def ignore_call? target, method

data/lib/brakeman/checks/check_render.rb CHANGED

@@ -35,6 +35,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
     if sexp? view and not duplicate? result
       add_result result
       if input = has_immediate_user_input?(view)
         if string_interp? view
           confidence = CONFIDENCE[:med]
@@ -48,7 +49,6 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
       end
       return if input.type == :model #skip models
-      return if safe_param? input.match
       message = "Render path contains #{friendly_type_of input}"
@@ -71,7 +71,6 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
     if sexp? view and not duplicate? result
       if params? view
         add_result result
-        return if safe_param? view
         warn :result => result,
           :warning_type => "Remote Code Execution",
@@ -82,11 +81,4 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
       end
     end
   end
-  def safe_param? exp
-    if params? exp and call? exp and exp.method == :[]
-      arg = exp.first_arg
-      symbol? arg and [:controller, :action].include? arg.value
-    end
-  end
 end

data/lib/brakeman/checks/check_sql.rb CHANGED

@@ -64,9 +64,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         second_arg = args[2]
         next unless sexp? second_arg
-        if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
+        if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call
           process_scope_with_block(name, args)
-        elsif call? second_arg
+        elsif second_arg.node_type == :call
           call = second_arg
           scope_calls << scope_call_hash(call, name, call.method)
         else
@@ -107,7 +107,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       find_calls = Brakeman::FindAllCalls.new(tracker)
       find_calls.process_source(block, :class => model_name, :method => scope_name)
       find_calls.calls.each { |call| process_result(call) if @sql_targets.include?(call[:method]) }
-    elsif call? block
+    elsif block.node_type == :call
       while call? block
         process_result :target => block.target, :method => block.method, :call => block,
          :location => { :type => :class, :class => model_name, :method => scope_name }

data/lib/brakeman/processors/alias_processor.rb CHANGED

@@ -296,7 +296,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   # Handles x = y = z = 1
   def get_rhs exp
-    if node_type? exp, :lasgn, :iasgn, :gasgn, :attrasgn, :safe_attrasgn, :cvdecl, :cdecl
+    if node_type? exp, :lasgn, :iasgn, :gasgn, :attrasgn, :cvdecl, :cdecl
       get_rhs(exp.rhs)
     else
       exp

data/lib/brakeman/processors/base_processor.rb CHANGED

@@ -68,14 +68,6 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     call
   end
-  def process_safe_call exp
-    if self.respond_to? :process_call
-      process_call exp
-    else
-      process_default exp
-    end
-  end
   #String with interpolation.
   def process_dstr exp
     exp = exp.dup

data/lib/brakeman/processors/erb_template_processor.rb CHANGED

@@ -25,7 +25,7 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
         arg = exp.first_arg
-        if call? arg and arg.method == :to_s #erb always calls to_s on output
+        if arg.node_type == :call and arg.method == :to_s #erb always calls to_s on output
           arg = arg.target
         end

data/lib/brakeman/processors/erubis_template_processor.rb CHANGED

@@ -21,7 +21,7 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
         arg = exp.first_arg
         #We want the actual content
-        if call? arg and (arg.method == :to_s or arg.method == :html_safe!)
+        if arg.node_type == :call and (arg.method == :to_s or arg.method == :html_safe!)
           arg = arg.target
         end

data/lib/brakeman/processors/haml_template_processor.rb CHANGED

@@ -5,7 +5,6 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   HAML_FORMAT_METHOD = /format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
   HAML_HELPERS = s(:colon2, s(:const, :Haml), :Helpers)
   JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
-  COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
   #Processes call, looking for template output
   def process_call exp
@@ -91,7 +90,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     elsif target == nil and method == :find_and_preserve
       process exp.first_arg
     elsif method == :render_with_options
-      if target == JAVASCRIPT_FILTER or target == COFFEE_FILTER
+      if target == JAVASCRIPT_FILTER
         @javascript = true
       end

data/lib/brakeman/processors/lib/basic_processor.rb CHANGED

@@ -14,20 +14,4 @@ class Brakeman::BasicProcessor < Brakeman::SexpProcessor
   def process_default exp
     process_all exp
   end
-  def process_safe_call exp
-    if self.respond_to? :process_call
-      process_call exp
-    else
-      process_default exp
-    end
-  end
-  def process_safe_attrasgn exp
-    if self.respond_to? :process_attrasgn
-      process_attrasgn exp
-    else
-      process_default exp
-    end
-  end
 end

data/lib/brakeman/processors/lib/find_all_calls.rb CHANGED

@@ -24,13 +24,11 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Process body of method
   def process_defn exp
-    return exp unless @current_method
     process_all exp.body
   end
   #Process body of method
   def process_defs exp
-    return exp unless @current_method
     process_all exp.body
   end
@@ -141,7 +139,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
         @current_class || @current_module || nil
       when :params, :session, :cookies
         exp.node_type
-      when :call, :safe_call
+      when :call
         if include_calls
           if exp.target.nil?
             exp.method
@@ -167,7 +165,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Returns method chain as an array
   #For example, User.human.alive.all would return [:User, :human, :alive, :all]
   def get_chain call
-    if node_type? call, :call, :attrasgn, :safe_call, :safe_attrasgn
+    if node_type? call, :call, :attrasgn
       get_chain(call.target) + [call.method]
     elsif call.nil?
       []

data/lib/brakeman/processors/lib/find_call.rb CHANGED

@@ -102,7 +102,7 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
     #  User.find(:first, :conditions => "user = '#{params['user']}').name
     #
     #A search for User.find will not match this unless @in_depth is true.
-    if @in_depth and call? exp.target
+    if @in_depth and node_type? exp.target, :call
       process exp.target
     end

data/lib/brakeman/processors/lib/render_path.rb CHANGED

@@ -95,8 +95,7 @@ module Brakeman
     end
     def to_json *args
-      require 'json'
-      JSON.generate(@path)
+      MultiJson.dump(@path)
     end
     def initialize_copy original

data/lib/brakeman/report/ignore/config.rb CHANGED

@@ -1,5 +1,5 @@
 require 'set'
-require 'json'
+require 'multi_json'
 module Brakeman
   class IgnoreConfig
@@ -75,7 +75,7 @@ module Brakeman
     # Read configuration to file
     def read_from_file file = @file
       if File.exist? file
-        @already_ignored = JSON.parse(File.read(file), :symbolize_names => true)[:ignored_warnings]
+        @already_ignored = MultiJson.load(File.read(file), :symbolize_keys => true)[:ignored_warnings]
       else
         Brakeman.notify "[Notice] Could not find ignore configuration in #{file}"
         @already_ignored = []
@@ -107,7 +107,7 @@ module Brakeman
       }
       File.open file, "w" do |f|
-        f.puts JSON.pretty_generate(output)
+        f.puts MultiJson.dump(output, :pretty => true)
       end
     end

data/lib/brakeman/report/initializers/faster_csv.rb ADDED

@@ -0,0 +1,7 @@
+# Ruby 1.8 compatible
+if CSV.const_defined? :Reader
+  require 'fastercsv'
+  Object.send(:remove_const, :CSV)
+  CSV = FasterCSV
+end

data/lib/brakeman/report/initializers/multi_json.rb ADDED

@@ -0,0 +1,29 @@
+#MultiJson interface changed in 1.3.0, but need
+#to support older MultiJson for Rails 3.1.
+mj_engine = nil
+if MultiJson.respond_to? :default_adapter
+  mj_engine = MultiJson.default_adapter
+else
+  mj_engine = MultiJson.default_engine
+  module MultiJson
+    def self.dump *args
+      encode *args
+    end
+    def self.load *args
+      decode *args
+    end
+  end
+end
+#This is so OkJson will work with symbol values
+if mj_engine == :ok_json
+  class Symbol
+    def to_json
+      self.to_s.inspect
+    end
+  end
+end

data/lib/brakeman/report/report_csv.rb CHANGED

@@ -1,4 +1,5 @@
-require 'csv'
+Brakeman.load_brakeman_dependency 'csv'
+require "brakeman/report/initializers/faster_csv"
 require "brakeman/report/report_table"
 class Brakeman::Report::CSV < Brakeman::Report::Table

data/lib/brakeman/report/report_json.rb CHANGED

@@ -1,3 +1,6 @@
+Brakeman.load_brakeman_dependency 'multi_json'
+require 'brakeman/report/initializers/multi_json'
 class Brakeman::Report::JSON < Brakeman::Report::Base
   def generate_report
     errors = tracker.errors.map{|e| { :error => e[:error], :location => e[:backtrace][0] }}
@@ -29,7 +32,7 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
       :errors => errors
     }
-    JSON.pretty_generate report_info
+    MultiJson.dump(report_info, :pretty => true)
   end
   def convert_to_hashes warnings

data/lib/brakeman/tracker.rb CHANGED

@@ -115,23 +115,6 @@ class Brakeman::Tracker
     end
   end
-  def each_class
-    classes = [self.controllers, self.models]
-    if @options[:index_libs]
-      classes << self.libs
-    end
-    classes.each do |set|
-      set.each do |set_name, collection|
-        collection.src.each do |file, src|
-          yield src, set_name, file
-        end
-      end
-    end
-  end
   #Find a method call.
   #
   #Options:
@@ -195,10 +178,6 @@ class Brakeman::Tracker
       finder.process_source definition, :class => set_name, :method => method_name, :file => file
     end
-    self.each_class do |definition, set_name, file|
-      finder.process_source definition, :class => set_name, :file => file
-    end
     self.each_template do |name, template|
       finder.process_source template.src, :template => template, :file => template.file
     end

data/lib/brakeman/util.rb CHANGED

@@ -167,8 +167,7 @@ module Brakeman::Util
   #Check if _exp_ represents a method call: s(:call, ...)
   def call? exp
-    exp.is_a? Sexp and
-      (exp.node_type == :call or exp.node_type == :safe_call)
+    exp.is_a? Sexp and exp.node_type == :call
   end
   #Check if _exp_ represents a Regexp: s(:lit, /.../)
@@ -215,7 +214,7 @@ module Brakeman::Util
     if exp.is_a? Sexp
       return true if exp.node_type == :params or ALL_PARAMETERS.include? exp
-      if call? exp
+      if exp.node_type == :call
         if params? exp[1]
           return true
         elsif exp[2] == :[]
@@ -231,7 +230,7 @@ module Brakeman::Util
     if exp.is_a? Sexp
       return true if exp.node_type == :cookies or exp == COOKIES
-      if call? exp
+      if exp.node_type == :call
         if cookies? exp[1]
           return true
         elsif exp[2] == :[]

data/lib/brakeman/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.1.5.pre1"
+  Version = "3.1.5"
 end

data/lib/brakeman/warning.rb CHANGED

@@ -1,4 +1,4 @@
-require 'json'
+require 'multi_json'
 require 'digest/sha2'
 require 'brakeman/warning_codes'
@@ -241,7 +241,7 @@ class Brakeman::Warning
   end
   def to_json
-    JSON.generate self.to_hash
+    MultiJson.dump self.to_hash
   end
   private

data/lib/ruby_parser/bm_sexp.rb CHANGED

@@ -141,13 +141,13 @@ class Sexp
   #s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1)))
   #         ^-----------target-----------^
   def target
-    expect :call, :attrasgn, :safe_call, :safe_attrasgn
+    expect :call, :attrasgn
     self[1]
   end
   #Sets the target of a method call:
   def target= exp
-    expect :call, :attrasgn, :safe_call, :safe_attrasgn
+    expect :call, :attrasgn
     @my_hash_value = nil
     self[1] = exp
   end
@@ -157,10 +157,10 @@ class Sexp
   #s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1)))
   #                        ^- method
   def method
-    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper, :result
+    expect :call, :attrasgn, :super, :zsuper, :result
     case self.node_type
-    when :call, :attrasgn, :safe_call, :safe_attrasgn
+    when :call, :attrasgn
       self[2]
     when :super, :zsuper
       :super
@@ -170,14 +170,14 @@ class Sexp
   end
   def method= name
-    expect :call, :safe_call
+    expect :call
     self[2] = name
   end
   #Sets the arglist in a method call.
   def arglist= exp
-    expect :call, :attrasgn, :safe_call, :safe_attrasgn
+    expect :call, :attrasgn
     @my_hash_value = nil
     start_index = 3
@@ -201,10 +201,10 @@ class Sexp
   #    s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1), s(:lit, 2)))
   #                                                 ^------------ arglist ------------^
   def arglist
-    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
+    expect :call, :attrasgn, :super, :zsuper
     case self.node_type
-    when :call, :attrasgn, :safe_call, :safe_attrasgn
+    when :call, :attrasgn
       self[3..-1].unshift :arglist
     when :super, :zsuper
       if self[1]
@@ -220,10 +220,10 @@ class Sexp
   #    s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1), s(:lit, 2)))
   #                                                             ^--------args--------^
   def args
-    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
+    expect :call, :attrasgn, :super, :zsuper
     case self.node_type
-    when :call, :attrasgn, :safe_call, :safe_attrasgn
+    when :call, :attrasgn
       if self[3]
         self[3..-1]
       else
@@ -239,11 +239,11 @@ class Sexp
   end
   def each_arg replace = false
-    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
+    expect :call, :attrasgn, :super, :zsuper
     range = nil
     case self.node_type
-    when :call, :attrasgn, :safe_call, :safe_attrasgn
+    when :call, :attrasgn
       if self[3]
         range = (3...self.length)
       end
@@ -270,43 +270,43 @@ class Sexp
   #Returns first argument of a method call.
   def first_arg
-    expect :call, :attrasgn, :safe_call, :safe_attrasgn
+    expect :call, :attrasgn
     self[3]
   end
   #Sets first argument of a method call.
   def first_arg= exp
-    expect :call, :attrasgn, :safe_call, :safe_attrasgn
+    expect :call, :attrasgn
     @my_hash_value = nil
     self[3] = exp
   end
   #Returns second argument of a method call.
   def second_arg
-    expect :call, :attrasgn, :safe_call, :safe_attrasgn
+    expect :call, :attrasgn
     self[4]
   end
   #Sets second argument of a method call.
   def second_arg= exp
-    expect :call, :attrasgn, :safe_call, :safe_attrasgn
+    expect :call, :attrasgn
     @my_hash_value = nil
     self[4] = exp
   end
   def third_arg
-    expect :call, :attrasgn, :safe_call, :safe_attrasgn
+    expect :call, :attrasgn
     self[5]
   end
   def third_arg= exp
-    expect :call, :attrasgn, :safe_call, :safe_attrasgn
+    expect :call, :attrasgn
     @my_hash_value = nil
     self[5] = exp
   end
   def last_arg
-    expect :call, :attrasgn, :safe_call, :safe_attrasgn
+    expect :call, :attrasgn
     if self[3]
       self[-1]
@@ -427,9 +427,9 @@ class Sexp
   #    s(:lasgn, :x, s(:lit, 1))
   #                  ^--rhs---^
   def rhs
-    expect :attrasgn, :safe_attrasgn, *ASSIGNMENT_BOOL
+    expect :attrasgn, *ASSIGNMENT_BOOL
-    if self.node_type == :attrasgn or self.node_type == :safe_attrasgn
+    if self.node_type == :attrasgn
       self[3]
     else
       self[2]
@@ -438,10 +438,10 @@ class Sexp
   #Sets the right hand side of assignment or boolean.
   def rhs= exp
-    expect :attrasgn, :safe_attrasgn, *ASSIGNMENT_BOOL
+    expect :attrasgn, *ASSIGNMENT_BOOL
     @my_hash_value = nil
-    if self.node_type == :attrasgn or self.node_type == :safe_attrasgn
+    if self.node_type == :attrasgn
       self[3] = exp
     else
       self[2] = exp

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 3.1.5.pre1
+  version: 3.1.5
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2016-02-22 00:00:00.000000000 Z
+date: 2016-01-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
@@ -31,28 +31,48 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.8.1
+        version: 3.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.8.1
+        version: 3.7.0
 - !ruby/object:Gem::Dependency
   name: ruby2ruby
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.1.1
+    - - "<"
       - !ruby/object:Gem::Version
         version: 2.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.1.1
+    - - "<"
       - !ruby/object:Gem::Version
         version: 2.3.0
+- !ruby/object:Gem::Dependency
+  name: multi_json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: safe_yaml
   requirement: !ruby/object:Gem::Requirement
@@ -194,6 +214,8 @@ files:
 - lib/brakeman/report/config/remediation.yml
 - lib/brakeman/report/ignore/config.rb
 - lib/brakeman/report/ignore/interactive.rb
+- lib/brakeman/report/initializers/faster_csv.rb
+- lib/brakeman/report/initializers/multi_json.rb
 - lib/brakeman/report/renderer.rb
 - lib/brakeman/report/report_base.rb
 - lib/brakeman/report/report_codeclimate.rb
@@ -245,9 +267,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubyforge_project:
 rubygems_version: 2.4.8