brakeman-min 4.10.0 → 4.10.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7bfea3fcc26490216cb839ad7e23f3db30312439b996719bc36e446d81ee6c21
4
- data.tar.gz: 0ec67a45a20be3d85c28ebf4250abf4528fc30e661c9bd4bd149ce024b0b8e81
3
+ metadata.gz: d0d7f92e4d46129b7c1861da8af2bd27a0127640865d04dacc07e92dfcc2457a
4
+ data.tar.gz: a917080c19ddeed2b76e9509e9ffc9cfde9ff103f506085ee22681c5d5feef4c
5
5
  SHA512:
6
- metadata.gz: a356ae3757074a222d1b8044e228b6d0848942bffbe7bbcf84bd08bd1793767c66e8e71d93bea0053281efeda5aabcca968482d7dde65f7490fe6091e5857e8c
7
- data.tar.gz: d233b34ddf6c0d85b0f44fb32b02e782750b0dc50bc476606719777f73ecaf7c49639114947942cbac9ef9c1ba671a874584b651fc06162482296279aa118aef
6
+ metadata.gz: 16bfcae603909f9a89719fdb3f92e7d5d75cabe4285e5b40bdff759da2cbc82f361b6c190a7b9f0d5fa1199e1bd9f39e17e9894966ddf646fba9463db1089a5f
7
+ data.tar.gz: 766484db48898d8495a3ade3930edf52d508267f134b581938f426d43684c0bdd1929c3c0bc96cd73ce7e9c16e975e5b3fa24e7911f83c84fb396bf30349b830
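--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,11 @@
+# 4.10.1 - 2020-12-24
+
+* Declare REXML as a dependency (Ruby 3.0 compatibility)
+* Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
+* Prevent render loops when template names are absolute paths
+* Ensure RubyParser is passed file path as a String
+* Support new Haml 5.2.0 escaping method
+
 # 4.10.0 - 2020-09-28
 
 * Add SARIF report format (Steve Winton)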
@@ -208,7 +208,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
208
208
  if node_type? e, :if
209
209
  # If we're in a conditional, evaluate the `then` and `else` clauses to
210
210
  # see if they're dangerous.
211
- if res = dangerous?(e.values[1..-1])
211
+ if res = dangerous?(e.sexp_body.sexp_body)
212
212
  return res
213
213
  end
214
214
  elsif node_type? e, :or, :evstr, :dstr
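Review bot: The changed line reaches the `then`/`else` clauses with two chained calls, `e.sexp_body.sexp_body`, while the other hunks in this release use the offset form for the same operation (`first_arg.sexp_body(2)`, `self.sexp_body(2)`). Writing it as `if res = dangerous?(e.sexp_body(2))` keeps the style uniform and avoids building an intermediate Sexp just to slice it again. A one-word comment such as `# skip the condition` next to the offset would make the `2` self-explanatory. The enclosing method begins and ends outside this hunk.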
@@ -29,7 +29,7 @@ class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
29
29
  return unless original? result
30
30
 
31
31
  call = result[:call]
32
- components = call[1..-1]
32
+ components = call.sexp_body
33
33
 
34
34
  components.any? do |component|
35
35
  next unless sexp? component
@@ -33,7 +33,12 @@ module Brakeman
33
33
  end
34
34
  end
35
35
 
36
+ # _path_ can be a string or a Brakeman::FilePath
36
37
  def parse_ruby input, path
38
+ if path.is_a? Brakeman::FilePath
39
+ path = path.relative
40
+ end
41
+
37
42
  begin
38
43
  Brakeman.debug "Parsing #{path}"
39
44
  RubyParser.new.parse input, path, @timeout
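Review bot: The new guard converts only a `Brakeman::FilePath`, and the comment added above the method states what `path` may be but not why the conversion is needed; the changelog entry in this release ("Ensure RubyParser is passed file path as a String") is the reason, so the comment should carry it, e.g. `# RubyParser expects the file name as a String, so a Brakeman::FilePath is reduced to its relative path`. Any other non-String object would presumably still be passed through to `RubyParser#parse` unchanged — worth confirming that callers never hand in a Pathname. The three-line guard reads better as the modifier form `path = path.relative if path.is_a? Brakeman::FilePath`. The body of parse_ruby continues past the end of the hunk.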
@@ -236,7 +236,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
236
236
  env[target_var] = target
237
237
  return target
238
238
  elsif string? target and string_interp? first_arg
239
- exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg[2..-1])
239
+ exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
240
240
  env[target_var] = exp
241
241
  elsif string? first_arg and string_interp? target
242
242
  if string? target.last
@@ -941,7 +941,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
941
941
  args = exp.args
942
942
  exp.pop # remove last arg
943
943
  if args.length > 1
944
- exp.arglist = args[1..-1]
944
+ exp.arglist = args.sexp_body
945
945
  end
946
946
  end
947
947
 
@@ -202,7 +202,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
202
202
  end
203
203
 
204
204
  if node_type? exp.block, :block
205
- block_inner = exp.block[1..-1]
205
+ block_inner = exp.block.sexp_body
206
206
  else
207
207
  block_inner = [exp.block]
208
208
  end
@@ -76,6 +76,13 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
76
76
  end
77
77
  end
78
78
 
79
+ ESCAPE_METHODS = [
80
+ :html_escape,
81
+ :html_escape_without_haml_xss,
82
+ :escape_once,
83
+ :escape_once_without_haml_xss
84
+ ]
85
+
79
86
  def get_pushed_value exp, default = :output
80
87
  return exp unless sexp? exp
81
88
 
@@ -105,7 +112,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
105
112
  when :call
106
113
  if exp.method == :to_s or exp.method == :strip
107
114
  get_pushed_value(exp.target, default)
108
- elsif haml_helpers? exp.target and exp.method == :html_escape
115
+ elsif haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
109
116
  get_pushed_value(exp.first_arg, :escaped_output)
110
117
  elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
111
118
  get_pushed_value(exp.first_arg, :escaped_output)
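Review bot: `ESCAPE_METHODS`, introduced in the hunk just above this one, is a mutable constant; since membership in this list is what lets the `haml_helpers?` branch here classify a helper's result as `:escaped_output`, it should be frozen so nothing can append to it at runtime, `].freeze`. The constant also lacks a comment saying what it enumerates; something like `# Haml helper methods whose return value is treated as already HTML-escaped (the *_without_haml_xss names are the Haml 5.2.0 variants named in the changelog)` would tell a maintainer why the list exists and what adding an entry means for the XSS check. Whether `escape_once` should count as full escaping for this purpose is a judgement call the commit does not record; a short note on that would be useful.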
@@ -88,7 +88,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
88
88
 
89
89
  def process_iter exp
90
90
  call = process exp[1]
91
- block = process_rlist exp[3..-1]
91
+ block = process_rlist exp.sexp_body(3)
92
92
  out = "#{call} do\n #{block}\n end"
93
93
 
94
94
  out
@@ -20,6 +20,11 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
20
20
 
21
21
  #Process template
22
22
  def process_template name, args, _, line = nil
23
+ # Strip forward slash from beginning of template path.
24
+ # This also happens in RenderHelper#process_template but
25
+ # we need it here too to accurately avoid circular renders below.
26
+ name = name.to_s.gsub(/^\//, "")
27
+
23
28
  if @called_from
24
29
  if @called_from.include_template? name
25
30
  Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
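Review bot: The added normalisation uses `/^\//`, and in Ruby `^` matches at the start of every line rather than only at the start of the string, so a template name containing a newline would also lose a slash following that newline. Anchoring with `\A` gives the intended single-leading-slash strip, `name = name.to_s.sub(%r{\A/}, "")`, and `sub` makes it explicit that only one slash is removed (the original `gsub` cannot match `^` again mid-string either, so the result is the same for ordinary names). The comment says the same stripping happens in RenderHelper#process_template; if that is so, a shared helper would keep the two from drifting, which matters because the circular-render check below compares the normalised names. process_template's body continues beyond the hunk.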
@@ -125,7 +125,7 @@ module Brakeman
125
125
  value = args[-1][2]
126
126
  case value.node_type
127
127
  when :array
128
- filter[option] = value[1..-1].map {|v| v[1] }
128
+ filter[option] = value.sexp_body.map {|v| v[1] }
129
129
  when :lit, :str
130
130
  filter[option] = value[1]
131
131
  else
@@ -321,7 +321,7 @@ module Brakeman::Util
321
321
  if node_type? current, :class
322
322
  return true
323
323
  elsif sexp? current
324
- todo = current[1..-1].concat todo
324
+ todo = current.sexp_body.concat todo
325
325
  end
326
326
  end
327
327
 
@@ -334,7 +334,7 @@ module Brakeman::Util
334
334
  if args.empty? or args.first.empty?
335
335
  #nothing to do
336
336
  elsif node_type? args.first, :arglist
337
- call.concat args.first[1..-1]
337
+ call.concat args.first.sexp_body
338
338
  elsif args.first.node_type.is_a? Sexp #just a list of args
339
339
  call.concat args.first
340
340
  else
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "4.10.0"
2
+ Version = "4.10.1"
3
3
  end
@@ -175,7 +175,7 @@ class Sexp
175
175
  start_index = 3
176
176
 
177
177
  if exp.is_a? Sexp and exp.node_type == :arglist
178
- exp = exp[1..-1]
178
+ exp = exp.sexp_body
179
179
  end
180
180
 
181
181
  exp.each_with_index do |e, i|
@@ -198,10 +198,10 @@ class Sexp
198
198
 
199
199
  case self.node_type
200
200
  when :call, :attrasgn, :safe_call, :safe_attrasgn
201
- self[3..-1].unshift :arglist
201
+ self.sexp_body(3).unshift :arglist
202
202
  when :super, :zsuper
203
203
  if self[1]
204
- self[1..-1].unshift :arglist
204
+ self.sexp_body.unshift :arglist
205
205
  else
206
206
  Sexp.new(:arglist)
207
207
  end
@@ -218,13 +218,13 @@ class Sexp
218
218
  case self.node_type
219
219
  when :call, :attrasgn, :safe_call, :safe_attrasgn
220
220
  if self[3]
221
- self[3..-1]
221
+ self.sexp_body(3)
222
222
  else
223
223
  Sexp.new
224
224
  end
225
225
  when :super, :zsuper
226
226
  if self[1]
227
- self[1..-1]
227
+ self.sexp_body
228
228
  else
229
229
  Sexp.new
230
230
  end
@@ -512,7 +512,7 @@ class Sexp
512
512
  self.slice!(index..-1) #Remove old body
513
513
 
514
514
  if exp.first == :rlist
515
- exp = exp[1..-1]
515
+ exp = exp.sexp_body
516
516
  end
517
517
 
518
518
  #Insert new body
@@ -529,11 +529,11 @@ class Sexp
529
529
 
530
530
  case self.node_type
531
531
  when :defn, :class
532
- self[3..-1]
532
+ self.sexp_body(3)
533
533
  when :defs
534
- self[4..-1]
534
+ self.sexp_body(4)
535
535
  when :module
536
- self[2..-1]
536
+ self.sexp_body(2)
537
537
  end
538
538
  end
539
539
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman-min
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.10.0
4
+ version: 4.10.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-09-28 00:00:00.000000000 Z
11
+ date: 2020-12-25 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest
@@ -349,7 +349,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
349
349
  - !ruby/object:Gem::Version
350
350
  version: '0'
351
351
  requirements: []
352
- rubygems_version: 3.1.2
352
+ rubygems_version: 3.2.2
353
353
  signing_key:
354
354
  specification_version: 4
355
355
  summary: Security vulnerability scanner for Ruby on Rails.