brakeman-min 5.0.0.pre1 → 5.0.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ef344d29a0b41b77d931c49ce79ad88e4f17c4e69c51de28a850016029691d35
4
- data.tar.gz: b2c7ddb17560b73213f8923e99c8dc96a37be8cd7697bf417d06f66368bfdf98
3
+ metadata.gz: b3d0b0856b2f8155f922380024dd8055b7a670779da0e2b0fe537296284eedb3
4
+ data.tar.gz: d53d4b2c2d115e9a37d7f13213d36ea0ee6d74d89f8ff9fa859d769c98335d87
5
5
  SHA512:
6
- metadata.gz: 7eb5af1fffd3fe230ddf3ea70d826a3eaf82cfc43090cde0b452f24f3382e2c6b1bfcfc84b997b3f4c0bb8088f635965e5297c78fd17a21e87d9aa11dc115d3e
7
- data.tar.gz: 6edc3a49f3426c0a215afa6a99ddaf5d531a514df23bd51101f13b800b28640a6b0384f8343c26748e1fe1476159e5a229f904e0728784eb4648de85d22d9be8
6
+ metadata.gz: 0e2a7a095d2cf2becccd75bb34e3c60924116f91d42bd82ea9327bbdf2ccbc14f27ec735d871ffb4e04ada389a801c54b282029b4b160a75e1cffa5eac0c7812
7
+ data.tar.gz: 7e8a88f62a20bfbff098321310aa29d901460a91977c0604b4a90b9767447fda738d8604ac72a4ee486d32c250e5fb1f3ad590385d8006a62dd84a2d74948bb0
data/CHANGES.md CHANGED
@@ -1,3 +1,26 @@
1
+ # 5.0.0 - 2021-01-26
2
+
3
+ * Ignore `uuid` as a safe attribute
4
+ * Collapse `__send__` calls
5
+ * Ignore `Tempfile#path` in shell commands
6
+ * Ignore development environment
7
+ * Revamp CSV report to a CSV list of warnings
8
+ * Set Rails configuration defaults based on `load_defaults` version
9
+ * Add check for (more) unsafe method reflection
10
+ * Suggest using `--force` if no Rails application is detected
11
+ * Add Sonarqube report format (Adam England)
12
+ * Add check for potential HTTP verb confusion
13
+ * Add `--[no-]skip-vendor` option
14
+ * Scan (almost) all Ruby files in project
15
+
16
+ # 4.10.1 - 2020-12-24
17
+
18
+ * Declare REXML as a dependency (Ruby 3.0 compatibility)
19
+ * Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
20
+ * Prevent render loops when template names are absolute paths
21
+ * Ensure RubyParser is passed file path as a String
22
+ * Support new Haml 5.2.0 escaping method
23
+
1
24
  # 5.0.0.pre1 - 2020-11-17
2
25
 
3
26
  * Add check for (more) unsafe method reflection
@@ -40,7 +40,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
40
40
  @mass_assign_disabled = nil
41
41
  @has_user_input = nil
42
42
  @in_array = false
43
- @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id]
43
+ @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id, :uuid]
44
44
  @comparison_ops = Set[:==, :!=, :>, :<, :>=, :<=]
45
45
  end
46
46
 
@@ -151,6 +151,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
151
151
  method[-1] == "?"
152
152
  end
153
153
 
154
+ TEMP_FILE_PATH = s(:call, s(:call, s(:const, :Tempfile), :new), :path).freeze
155
+
156
+ def temp_file_path? exp
157
+ exp == TEMP_FILE_PATH
158
+ end
159
+
154
160
  #Report a warning
155
161
  def warn options
156
162
  extra_opts = { :check => self.class.to_s }
@@ -204,11 +204,12 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
204
204
  next if node_type? e, :lit, :str
205
205
  next if SAFE_VALUES.include? e
206
206
  next if shell_escape? e
207
+ next if temp_file_path? e
207
208
 
208
209
  if node_type? e, :if
209
210
  # If we're in a conditional, evaluate the `then` and `else` clauses to
210
211
  # see if they're dangerous.
211
- if res = dangerous?(e.values[1..-1])
212
+ if res = dangerous?(e.sexp_body.sexp_body)
212
213
  return res
213
214
  end
214
215
  elsif node_type? e, :or, :evstr, :dstr
@@ -29,7 +29,7 @@ class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
29
29
  return unless original? result
30
30
 
31
31
  call = result[:call]
32
- components = call[1..-1]
32
+ components = call.sexp_body
33
33
 
34
34
  components.any? do |component|
35
35
  next unless sexp? component
@@ -576,7 +576,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
576
576
  :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
577
577
  :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
578
578
  :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
579
- :where_values_hash, :foreign_key
579
+ :where_values_hash, :foreign_key, :uuid
580
580
  ]
581
581
 
582
582
  def safe_value? exp
@@ -32,7 +32,12 @@ module Brakeman
32
32
  end
33
33
  end
34
34
 
35
+ # _path_ can be a string or a Brakeman::FilePath
35
36
  def parse_ruby input, path
37
+ if path.is_a? Brakeman::FilePath
38
+ path = path.relative
39
+ end
40
+
36
41
  begin
37
42
  Brakeman.debug "Parsing #{path}"
38
43
  RubyParser.new.parse input, path, @timeout
@@ -161,6 +161,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
161
161
  ARRAY_CONST = s(:const, :Array)
162
162
  HASH_CONST = s(:const, :Hash)
163
163
  RAILS_TEST = s(:call, s(:call, s(:const, :Rails), :env), :test?)
164
+ RAILS_DEV = s(:call, s(:call, s(:const, :Rails), :env), :development?)
164
165
 
165
166
  #Process a method call.
166
167
  def process_call exp
@@ -186,7 +187,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
186
187
  method = exp.method
187
188
  first_arg = exp.first_arg
188
189
 
189
- if method == :send or method == :try
190
+ if method == :send or method == :__send__ or method == :try
190
191
  collapse_send_call exp, first_arg
191
192
  end
192
193
 
@@ -197,7 +198,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
197
198
  return Sexp.new(:array, *exp.args)
198
199
  elsif target == HASH_CONST and method == :new and first_arg.nil? and !node_type?(@exp_context.last, :iter)
199
200
  return Sexp.new(:hash)
200
- elsif exp == RAILS_TEST
201
+ elsif exp == RAILS_TEST or exp == RAILS_DEV
201
202
  return Sexp.new(:false)
202
203
  end
203
204
 
@@ -236,7 +237,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
236
237
  env[target_var] = target
237
238
  return target
238
239
  elsif string? target and string_interp? first_arg
239
- exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg[2..-1])
240
+ exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
240
241
  env[target_var] = exp
241
242
  elsif string? first_arg and string_interp? target
242
243
  if string? target.last
@@ -346,6 +347,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
346
347
  end
347
348
  end
348
349
 
350
+ TEMP_FILE_CLASS = s(:const, :Tempfile)
351
+
352
+ def temp_file_open? exp
353
+ call? exp and
354
+ exp.target == TEMP_FILE_CLASS and
355
+ exp.method == :open
356
+ end
357
+
358
+ def temp_file_new line
359
+ s(:call, TEMP_FILE_CLASS, :new).line(line)
360
+ end
361
+
349
362
  def process_iter exp
350
363
  @exp_context.push exp
351
364
  exp[1] = process exp.block_call
@@ -363,6 +376,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
363
376
  # Iterating over an array of all literal values
364
377
  local = Sexp.new(:lvar, block_args.last)
365
378
  env.current[local] = safe_literal(exp.line)
379
+ elsif temp_file_open? call
380
+ local = Sexp.new(:lvar, block_args.last)
381
+ env.current[local] = temp_file_new(exp.line)
366
382
  else
367
383
  block_args.each do |e|
368
384
  #Force block arg(s) to be local
@@ -941,7 +957,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
941
957
  args = exp.args
942
958
  exp.pop # remove last arg
943
959
  if args.length > 1
944
- exp.arglist = args[1..-1]
960
+ exp.arglist = args.sexp_body
945
961
  end
946
962
  end
947
963
 
@@ -202,7 +202,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
202
202
  end
203
203
 
204
204
  if node_type? exp.block, :block
205
- block_inner = exp.block[1..-1]
205
+ block_inner = exp.block.sexp_body
206
206
  else
207
207
  block_inner = [exp.block]
208
208
  end
@@ -57,6 +57,20 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
57
57
  exp
58
58
  end
59
59
 
60
+ #Look for configuration settings that
61
+ #are just a call like
62
+ #
63
+ # config.load_defaults 5.2
64
+ def process_call exp
65
+ return exp unless @inside_config
66
+
67
+ if exp.target == RAILS_CONFIG and exp.first_arg
68
+ @tracker.config.rails[exp.method] = exp.first_arg
69
+ end
70
+
71
+ exp
72
+ end
73
+
60
74
  #Look for configuration settings
61
75
  def process_attrasgn exp
62
76
  return exp unless @inside_config
@@ -71,22 +85,8 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
71
85
  @tracker.config.rails[attribute] = exp.first_arg
72
86
  end
73
87
  elsif include_rails_config? exp
74
- options = get_rails_config exp
75
- level = @tracker.config.rails
76
- options[0..-2].each do |o|
77
- level[o] ||= {}
78
-
79
- option = level[o]
80
-
81
- if not option.is_a? Hash
82
- Brakeman.debug "[Notice] Skipping config setting: #{options.map(&:to_s).join(".")}"
83
- return exp
84
- end
85
-
86
- level = level[o]
87
- end
88
-
89
- level[options.last] = exp.first_arg
88
+ options_path = get_rails_config exp
89
+ @tracker.config.set_rails_config(exp.first_arg, *options_path)
90
90
  end
91
91
 
92
92
  exp
@@ -88,7 +88,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
88
88
 
89
89
  def process_iter exp
90
90
  call = process exp[1]
91
- block = process_rlist exp[3..-1]
91
+ block = process_rlist exp.sexp_body(3)
92
92
  out = "#{call} do\n #{block}\n end"
93
93
 
94
94
  out
@@ -20,6 +20,11 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
20
20
 
21
21
  #Process template
22
22
  def process_template name, args, _, line = nil
23
+ # Strip forward slash from beginning of template path.
24
+ # This also happens in RenderHelper#process_template but
25
+ # we need it here too to accurately avoid circular renders below.
26
+ name = name.to_s.gsub(/^\//, "")
27
+
23
28
  if @called_from
24
29
  if @called_from.include_template? name
25
30
  Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
@@ -11,8 +11,6 @@ class Brakeman::Report::Base
11
11
 
12
12
  attr_reader :tracker, :checks
13
13
 
14
- TEXT_CONFIDENCE = Brakeman::Warning::TEXT_CONFIDENCE
15
-
16
14
  def initialize tracker
17
15
  @app_tree = tracker.app_tree
18
16
  @tracker = tracker
@@ -1,72 +1,49 @@
1
1
  require 'csv'
2
- require "brakeman/report/report_table"
3
2
 
4
- class Brakeman::Report::CSV < Brakeman::Report::Table
3
+ class Brakeman::Report::CSV < Brakeman::Report::Base
5
4
  def generate_report
6
- output = csv_header
7
- output << "\nSUMMARY\n"
8
-
9
- output << table_to_csv(generate_overview) << "\n"
10
-
11
- output << table_to_csv(generate_warning_overview) << "\n"
12
-
13
- #Return output early if only summarizing
14
- if tracker.options[:summary_only]
15
- return output
16
- end
17
-
18
- if tracker.options[:report_routes] or tracker.options[:debug]
19
- output << "CONTROLLERS\n"
20
- output << table_to_csv(generate_controllers) << "\n"
21
- end
22
-
23
- if tracker.options[:debug]
24
- output << "TEMPLATES\n\n"
25
- output << table_to_csv(generate_templates) << "\n"
5
+ headers = [
6
+ "Confidence",
7
+ "Warning Type",
8
+ "File",
9
+ "Line",
10
+ "Message",
11
+ "Code",
12
+ "User Input",
13
+ "Check Name",
14
+ "Warning Code",
15
+ "Fingerprint",
16
+ "Link"
17
+ ]
18
+
19
+ rows = tracker.filtered_warnings.sort_by do |w|
20
+ [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
21
+ end.map do |warning|
22
+ generate_row(headers, warning)
26
23
  end
27
24
 
28
- res = generate_errors
29
- output << "ERRORS\n" << table_to_csv(res) << "\n" if res
30
-
31
- res = generate_warnings
32
- output << "SECURITY WARNINGS\n" << table_to_csv(res) << "\n" if res
25
+ table = CSV::Table.new(rows)
33
26
 
34
- output << "Controller Warnings\n"
35
- res = generate_controller_warnings
36
- output << table_to_csv(res) << "\n" if res
37
-
38
- output << "Model Warnings\n"
39
- res = generate_model_warnings
40
- output << table_to_csv(res) << "\n" if res
41
-
42
- res = generate_template_warnings
43
- output << "Template Warnings\n"
44
- output << table_to_csv(res) << "\n" if res
45
-
46
- output
27
+ table.to_csv
47
28
  end
48
29
 
49
- #Generate header for CSV output
50
- def csv_header
51
- header = CSV.generate_line(["Application Path", "Report Generation Time", "Checks Performed", "Rails Version"])
52
- header << CSV.generate_line([File.expand_path(tracker.app_path), Time.now.to_s, checks.checks_run.sort.join(", "), rails_version])
53
- "BRAKEMAN REPORT\n\n" + header
30
+ def generate_row headers, warning
31
+ CSV::Row.new headers, warning_row(warning)
54
32
  end
55
33
 
56
- # rely on Terminal::Table to build the structure, extract the data out in CSV format
57
- def table_to_csv table
58
- return "" unless table
59
-
60
- Brakeman.load_brakeman_dependency 'terminal-table'
61
- headings = table.headings
62
- if headings.is_a? Array
63
- headings = headings.first
64
- end
65
-
66
- output = CSV.generate_line(headings.cells.map{|cell| cell.to_s.strip})
67
- table.rows.each do |row|
68
- output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})
69
- end
70
- output
34
+ def warning_row warning
35
+ [
36
+ warning.confidence_name,
37
+ warning.warning_type,
38
+ warning_file(warning),
39
+ warning.line,
40
+ warning.message,
41
+ warning.code && warning.format_code(false),
42
+ warning.user_input && warning.format_user_input(false),
43
+ warning.check_name,
44
+ warning.warning_code,
45
+ warning.fingerprint,
46
+ warning.link,
47
+ ]
71
48
  end
72
49
  end
@@ -47,7 +47,7 @@ class Brakeman::Report::JUnit < Brakeman::Report::Base
47
47
  warning.add_attribute 'brakeman:file', warning_file(w)
48
48
  warning.add_attribute 'brakeman:line', w.line
49
49
  warning.add_attribute 'brakeman:fingerprint', w.fingerprint
50
- warning.add_attribute 'brakeman:confidence', TEXT_CONFIDENCE[w.confidence]
50
+ warning.add_attribute 'brakeman:confidence', w.confidence_name
51
51
  warning.add_attribute 'brakeman:code', w.format_code
52
52
  warning.add_text w.to_s
53
53
  }
@@ -88,7 +88,7 @@ class Brakeman::Report::JUnit < Brakeman::Report::Base
88
88
  failure.add_attribute 'brakeman:fingerprint', warning.fingerprint
89
89
  failure.add_attribute 'brakeman:file', warning_file(warning)
90
90
  failure.add_attribute 'brakeman:line', warning.line
91
- failure.add_attribute 'brakeman:confidence', TEXT_CONFIDENCE[warning.confidence]
91
+ failure.add_attribute 'brakeman:confidence', warning.confidence_name
92
92
  failure.add_attribute 'brakeman:code', warning.format_code
93
93
  failure.add_text warning.to_s
94
94
  }
@@ -27,7 +27,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
27
27
  def rules
28
28
  @rules ||= unique_warnings_by_warning_code.map do |warning|
29
29
  rule_id = render_id warning
30
- check_name = warning.check.gsub(/^Brakeman::Check/, '')
30
+ check_name = warning.check_name
31
31
  check_description = render_message check_descriptions[check_name]
32
32
  {
33
33
  :id => rule_id,
@@ -10,7 +10,7 @@ class Brakeman::Report::Tabs < Brakeman::Report::Table
10
10
  self.send(meth).map do |w|
11
11
  line = w.line || 0
12
12
  w.warning_type.gsub!(/[^\w\s]/, ' ')
13
- "#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
13
+ "#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{w.confidence_name}"
14
14
  end.join "\n"
15
15
 
16
16
  end.join "\n"
@@ -160,7 +160,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
160
160
  when :category
161
161
  label('Category', w.warning_type.to_s)
162
162
  when :check
163
- label('Check', w.check.gsub(/^Brakeman::Check/, ''))
163
+ label('Check', w.check_name)
164
164
  when :message
165
165
  label('Message', w.message)
166
166
  when :code
@@ -25,7 +25,7 @@ class Brakeman::Scanner
25
25
 
26
26
  if (!@app_tree.root || !@app_tree.exists?("app")) && !options[:force_scan]
27
27
  message = "Please supply the path to a Rails application (looking in #{@app_tree.root}).\n" <<
28
- " Use `--force` to run a scan anyway - for example if there are many applications in one directory."
28
+ " Use `--force` to run a scan anyway."
29
29
 
30
30
  raise Brakeman::NoApplication, message
31
31
  end
@@ -139,6 +139,8 @@ class Brakeman::Scanner
139
139
  if @app_tree.exists? ".ruby-version"
140
140
  tracker.config.set_ruby_version @app_tree.file_path(".ruby-version").read
141
141
  end
142
+
143
+ tracker.config.load_rails_defaults
142
144
  end
143
145
 
144
146
  def process_config_file file
@@ -149,5 +149,78 @@ module Brakeman
149
149
  def session_settings
150
150
  @rails.dig(:action_controller, :session)
151
151
  end
152
+
153
+
154
+ # Set Rails config option value
155
+ # where path is an array of attributes, e.g.
156
+ #
157
+ # :action_controller, :perform_caching
158
+ #
159
+ # then this will set
160
+ #
161
+ # rails[:action_controller][:perform_caching] = value
162
+ def set_rails_config value, *path
163
+ config = self.rails
164
+
165
+ path[0..-2].each do |o|
166
+ config[o] ||= {}
167
+
168
+ option = config[o]
169
+
170
+ if not option.is_a? Hash
171
+ Brakeman.debug "[Notice] Skipping config setting: #{path.map(&:to_s).join(".")}"
172
+ return
173
+ end
174
+
175
+ config = option
176
+ end
177
+
178
+ config[path.last] = value
179
+ end
180
+
181
+ # Load defaults based on config.load_defaults value
182
+ # as documented here: https://guides.rubyonrails.org/configuring.html#results-of-config-load-defaults
183
+ def load_rails_defaults
184
+ return unless number? tracker.config.rails[:load_defaults]
185
+
186
+ version = tracker.config.rails[:load_defaults].value
187
+ true_value = Sexp.new(:true)
188
+ false_value = Sexp.new(:false)
189
+
190
+ if version >= 5.0
191
+ set_rails_config(true_value, :action_controller, :per_form_csrf_tokens)
192
+ set_rails_config(true_value, :action_controller, :forgery_protection_origin_check)
193
+ set_rails_config(true_value, :active_record, :belongs_to_required_by_default)
194
+ # Note: this may need to be changed, because ssl_options is a Hash
195
+ set_rails_config(true_value, :ssl_options, :hsts, :subdomains)
196
+ end
197
+
198
+ if version >= 5.1
199
+ set_rails_config(false_value, :assets, :unknown_asset_fallback)
200
+ set_rails_config(true_value, :action_view, :form_with_generates_remote_forms)
201
+ end
202
+
203
+ if version >= 5.2
204
+ set_rails_config(true_value, :active_record, :cache_versioning)
205
+ set_rails_config(true_value, :action_dispatch, :use_authenticated_cookie_encryption)
206
+ set_rails_config(true_value, :active_support, :use_authenticated_message_encryption)
207
+ set_rails_config(true_value, :active_support, :use_sha1_digests)
208
+ set_rails_config(true_value, :action_controller, :default_protect_from_forgery)
209
+ set_rails_config(true_value, :action_view, :form_with_generates_ids)
210
+ end
211
+
212
+ if version >= 6.0
213
+ set_rails_config(Sexp.new(:lit, :zeitwerk), :autoloader)
214
+ set_rails_config(false_value, :action_view, :default_enforce_utf8)
215
+ set_rails_config(true_value, :action_dispatch, :use_cookies_with_metadata)
216
+ set_rails_config(false_value, :action_dispatch, :return_only_media_type_on_content_type)
217
+ set_rails_config(Sexp.new(:str, 'ActionMailer::MailDeliveryJob'), :action_mailer, :delivery_job)
218
+ set_rails_config(true_value, :active_job, :return_false_on_aborted_enqueue)
219
+ set_rails_config(Sexp.new(:lit, :active_storage_analysis), :active_storage, :queues, :analysis)
220
+ set_rails_config(Sexp.new(:lit, :active_storage_purge), :active_storage, :queues, :purge)
221
+ set_rails_config(true_value, :active_storage, :replace_on_assign_to_many)
222
+ set_rails_config(true_value, :active_record, :collection_cache_versioning)
223
+ end
224
+ end
152
225
  end
153
226
  end
@@ -125,7 +125,7 @@ module Brakeman
125
125
  value = args[-1][2]
126
126
  case value.node_type
127
127
  when :array
128
- filter[option] = value[1..-1].map {|v| v[1] }
128
+ filter[option] = value.sexp_body.map {|v| v[1] }
129
129
  when :lit, :str
130
130
  filter[option] = value[1]
131
131
  else
@@ -321,7 +321,7 @@ module Brakeman::Util
321
321
  if node_type? current, :class
322
322
  return true
323
323
  elsif sexp? current
324
- todo = current[1..-1].concat todo
324
+ todo = current.sexp_body.concat todo
325
325
  end
326
326
  end
327
327
 
@@ -334,7 +334,7 @@ module Brakeman::Util
334
334
  if args.empty? or args.first.empty?
335
335
  #nothing to do
336
336
  elsif node_type? args.first, :arglist
337
- call.concat args.first[1..-1]
337
+ call.concat args.first.sexp_body
338
338
  elsif args.first.node_type.is_a? Sexp #just a list of args
339
339
  call.concat args.first
340
340
  else
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "5.0.0.pre1"
2
+ Version = "5.0.0"
3
3
  end
@@ -275,6 +275,14 @@ class Brakeman::Warning
275
275
  self.file.relative
276
276
  end
277
277
 
278
+ def check_name
279
+ @check_name ||= self.check.sub(/^Brakeman::Check/, '')
280
+ end
281
+
282
+ def confidence_name
283
+ TEXT_CONFIDENCE[self.confidence]
284
+ end
285
+
278
286
  def to_hash absolute_paths: true
279
287
  if self.called_from and not absolute_paths
280
288
  render_path = self.called_from.with_relative_paths
@@ -285,7 +293,7 @@ class Brakeman::Warning
285
293
  { :warning_type => self.warning_type,
286
294
  :warning_code => @warning_code,
287
295
  :fingerprint => self.fingerprint,
288
- :check_name => self.check.gsub(/^Brakeman::Check/, ''),
296
+ :check_name => self.check_name,
289
297
  :message => self.message.to_s,
290
298
  :file => (absolute_paths ? self.file.absolute : self.file.relative),
291
299
  :line => self.line,
@@ -294,7 +302,7 @@ class Brakeman::Warning
294
302
  :render_path => render_path,
295
303
  :location => self.location(false),
296
304
  :user_input => (@user_input && self.format_user_input(false)),
297
- :confidence => TEXT_CONFIDENCE[self.confidence]
305
+ :confidence => self.confidence_name
298
306
  }
299
307
  end
300
308
 
@@ -175,7 +175,7 @@ class Sexp
175
175
  start_index = 3
176
176
 
177
177
  if exp.is_a? Sexp and exp.node_type == :arglist
178
- exp = exp[1..-1]
178
+ exp = exp.sexp_body
179
179
  end
180
180
 
181
181
  exp.each_with_index do |e, i|
@@ -198,10 +198,10 @@ class Sexp
198
198
 
199
199
  case self.node_type
200
200
  when :call, :attrasgn, :safe_call, :safe_attrasgn
201
- self[3..-1].unshift :arglist
201
+ self.sexp_body(3).unshift :arglist
202
202
  when :super, :zsuper
203
203
  if self[1]
204
- self[1..-1].unshift :arglist
204
+ self.sexp_body.unshift :arglist
205
205
  else
206
206
  Sexp.new(:arglist)
207
207
  end
@@ -218,13 +218,13 @@ class Sexp
218
218
  case self.node_type
219
219
  when :call, :attrasgn, :safe_call, :safe_attrasgn
220
220
  if self[3]
221
- self[3..-1]
221
+ self.sexp_body(3)
222
222
  else
223
223
  Sexp.new
224
224
  end
225
225
  when :super, :zsuper
226
226
  if self[1]
227
- self[1..-1]
227
+ self.sexp_body
228
228
  else
229
229
  Sexp.new
230
230
  end
@@ -512,7 +512,7 @@ class Sexp
512
512
  self.slice!(index..-1) #Remove old body
513
513
 
514
514
  if exp.first == :rlist
515
- exp = exp[1..-1]
515
+ exp = exp.sexp_body
516
516
  end
517
517
 
518
518
  #Insert new body
@@ -529,11 +529,11 @@ class Sexp
529
529
 
530
530
  case self.node_type
531
531
  when :defn, :class
532
- self[3..-1]
532
+ self.sexp_body(3)
533
533
  when :defs
534
- self[4..-1]
534
+ self.sexp_body(4)
535
535
  when :module
536
- self[2..-1]
536
+ self.sexp_body(2)
537
537
  end
538
538
  end
539
539
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman-min
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.0.0.pre1
4
+ version: 5.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-11-18 00:00:00.000000000 Z
11
+ date: 2021-01-27 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: minitest
@@ -349,9 +349,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
349
349
  version: 2.4.0
350
350
  required_rubygems_version: !ruby/object:Gem::Requirement
351
351
  requirements:
352
- - - ">"
352
+ - - ">="
353
353
  - !ruby/object:Gem::Version
354
- version: 1.3.1
354
+ version: '0'
355
355
  requirements: []
356
356
  rubygems_version: 3.1.2
357
357
  signing_key: