brakeman-min 5.1.1 → 5.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '09d15384094bc9f9259cab3f746e95fa0414e637d362ae065bcf65b41935cc6b'
-  data.tar.gz: 8ed59e947dee47869e60729715794ff60271f07a2bcdc557ca3e9a669f8e6787
+  metadata.gz: a7c5bc7fade73f62510eca765f098971bb32244376a61bc20f4dd4160294262a
+  data.tar.gz: bb2b7d7d8f2840387e9de4161551f766b6db882b3eb334d3bcdb8142a5b47806
 SHA512:
-  metadata.gz: 9631a0dc8c23655e561ea2ac1cf45d3c2221f16929fd8e0bba0fbbe44f0ff640e3b0403bb8d8c7e17aeedee34e431876f5b56ebd5ed2382fad75c28c1fbcf099
-  data.tar.gz: c4dfb9c1c75da8b58d5aed44704d4e3ea679b0111c1671c5df18e712ac5050bdd1886571d0334b5b3c01a37963cce5dbf1ec192fedd1132c62ab68ac03eb1c14
+  metadata.gz: f342348930fa65986272ad5bef129d7ef318b630571692b3b6709253124ec5f421692a3545e4dd7d97014f8f200b54c5f98d8434e99ee4eaef79b67bef779f17
+  data.tar.gz: a07cc95cd61003db2ce86f1fd02a9de8ecf72bfc9a75f6a5492a450759c37cd600371b139cf160f5f8cd25845209de809b6796924ed2dd6d7d0e18cb5b972d06

data/CHANGES.md

@@ -1,3 +1,11 @@
+# 5.1.2 - 2021-10-28
+
+* Handle cases where enums are not symbols
+* Support newer Haml with ::Haml::AttributeBuilder.build
+* Fix issue where the previous output is still visible (Jason Frey)
+* Fix warning sorting with nil line numbers
+* Update for latest RubyParser (Ryan Davis)
+
 # 5.1.1 - 2021-07-19
 
 * Unrefactor IgnoreConfig's use of `Brakeman::FilePath`
@@ -449,7 +457,7 @@
 * Delay loading vendored gems and modifying load path
 * Avoid warning about SQL injection with `quoted_primary_key`
 * Support more safe `&.` operations
-* Allow multile line regex in `validates_format_of` (Dmitrij Fedorenko)
+* Allow multiple line regex in `validates_format_of` (Dmitrij Fedorenko)
 * Only consider `if` branches in templates
 * Avoid overwriting instance/class methods with same name (Tim Wade)
 * Add `--force-scan` option (Neil Matatall)

data/README.md

@@ -66,7 +66,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 Brakeman should work with any version of Rails from 2.3.x to 6.x.
 
-Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.3.0 to run.
+Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.4.0 to run.
 
 # Basic Options
 

data/lib/brakeman/app_tree.rb

@@ -28,7 +28,7 @@ module Brakeman
     # Accepts an array of filenames and paths with the following format and
     # returns a Regexp to match them:
     #   * "path1/file1.rb" - Matches a specific filename in the project directory.
-    #   * "path1/" - Matches any path that conatains "path1" in the project directory.
+    #   * "path1/" - Matches any path that contains "path1" in the project directory.
     #   * "/path1/ - Matches any path that is rooted at "path1" in the project directory.
     #
     def self.regex_for_paths(paths)

data/lib/brakeman/checks/check_json_parsing.rb

@@ -74,7 +74,7 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
     warning_type = "Denial of Service"
     confidence = :medium
     gem_name = "#{name} gem"
-    message = msg(msg_version(version, gem_name), " has a symbol creation vulnerablity. Upgrade to ")
+    message = msg(msg_version(version, gem_name), " has a symbol creation vulnerability. Upgrade to ")
 
     if version >= "1.7.0"
       confidence = :high

data/lib/brakeman/processors/alias_processor.rb

@@ -324,7 +324,13 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       end
     when :values_at
       if node_type? target, :hash
-        exp = hash_values_at target, exp.args
+        res = hash_values_at target, exp.args
+
+        # Only convert to array of values if _all_ keys
+        # are present in the hash.
+        unless res.any?(&:nil?)
+          exp = res
+        end
       end
     end
 

data/lib/brakeman/processors/haml_template_processor.rb

@@ -8,6 +8,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   HAML_HELPERS2 = s(:colon2, s(:colon3, :Haml), :Helpers)
   JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
   COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
+  ATTRIBUTE_BUILDER = s(:colon2, s(:colon3, :Haml), :AttributeBuilder)
 
   def initialize *args
     super
@@ -133,6 +134,8 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 
         get_pushed_value(exp.first_arg, default)
         @javascript = false
+      elsif haml_attribute_builder? exp
+        ignore # probably safe... seems escaped by default?
       else
         add_output exp, default
       end
@@ -154,6 +157,12 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       exp.method == :attributes
   end
 
+  def haml_attribute_builder? exp
+    call? exp and
+      exp.target == ATTRIBUTE_BUILDER and
+      exp.method == :build
+  end
+
   def fix_textareas? exp
     call? exp and
       exp.target == HAMLOUT and

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -89,6 +89,8 @@ module Brakeman
       end
     end
 
+    # You must check the return value for `nil`s -
+    # which indicate a key could not be found.
     def hash_values_at hash, keys
       values = keys.map do |key|
         process_hash_access hash, key

data/lib/brakeman/processors/model_processor.rb

@@ -93,6 +93,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
   def add_enum_method call
     arg = call.first_arg
     return unless hash? arg
+    return unless symbol? arg[1]
 
     enum_name = arg[1].value # first key
     enums = arg[2] # first value

data/lib/brakeman/report/ignore/config.rb

@@ -126,7 +126,7 @@ module Brakeman
 
         w[:note] = @notes[w[:fingerprint]] || ""
         w
-      end.sort_by { |w| [w[:fingerprint], w[:line]] }
+      end.sort_by { |w| [w[:fingerprint], w[:line] || 0] }
 
       output = {
         :ignored_warnings => warnings,

data/lib/brakeman/report/report_csv.rb

@@ -17,7 +17,7 @@ class Brakeman::Report::CSV < Brakeman::Report::Base
     ]
 
     rows = tracker.filtered_warnings.sort_by do |w|
-      [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
+      [w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
     end.map do |warning|
       generate_row(headers, warning)
     end

data/lib/brakeman/report/report_sarif.rb

@@ -93,7 +93,7 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
     end
   end
 
-  # Returns a hash of all check descriptions, keyed by check namne
+  # Returns a hash of all check descriptions, keyed by check name
   def check_descriptions
     @check_descriptions ||= Brakeman::Checks.checks.map do |check|
       [check.name.gsub(/^Check/, ''), check.description]

data/lib/brakeman/report/report_text.rb

@@ -92,7 +92,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
       HighLine.color("No warnings found", :bold, :green)
     else
       warnings = tracker.filtered_warnings.sort_by do |w|
-        [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
+        [w.confidence, w.warning_type, w.file, w.line || 0, w.fingerprint]
       end.map do |w|
         output_warning w
       end

data/lib/brakeman/scanner.rb

@@ -40,32 +40,32 @@ class Brakeman::Scanner
 
   #Process everything in the Rails application
   def process
-    Brakeman.notify "Processing gems..."
+    Brakeman.notify "Processing gems...                    "
     process_gems
     guess_rails_version
-    Brakeman.notify "Processing configuration..."
+    Brakeman.notify "Processing configuration...           "
     process_config
-    Brakeman.notify "Parsing files..."
+    Brakeman.notify "Parsing files...                      "
     parse_files
-    Brakeman.notify "Detecting file types..."
+    Brakeman.notify "Detecting file types...               "
     detect_file_types
-    Brakeman.notify "Processing initializers..."
+    Brakeman.notify "Processing initializers...            "
     process_initializers
-    Brakeman.notify "Processing libs..."
+    Brakeman.notify "Processing libs...                    "
     process_libs
-    Brakeman.notify "Processing routes...          "
+    Brakeman.notify "Processing routes...                  "
     process_routes
-    Brakeman.notify "Processing templates...       "
+    Brakeman.notify "Processing templates...               "
     process_templates
-    Brakeman.notify "Processing data flow in templates..."
+    Brakeman.notify "Processing data flow in templates...  "
     process_template_data_flows
-    Brakeman.notify "Processing models...          "
+    Brakeman.notify "Processing models...                  "
     process_models
-    Brakeman.notify "Processing controllers...     "
+    Brakeman.notify "Processing controllers...             "
     process_controllers
     Brakeman.notify "Processing data flow in controllers..."
     process_controller_data_flows
-    Brakeman.notify "Indexing call sites...        "
+    Brakeman.notify "Indexing call sites...                "
     index_call_sites
     tracker
   end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.1.1"
+  Version = "5.1.2"
 end

data/lib/brakeman.rb

@@ -394,7 +394,7 @@ module Brakeman
     if options[:parallel_checks]
       notify "Running checks in parallel..."
     else
-      notify "Runnning checks..."
+      notify "Running checks..."
     end
 
     tracker.run_checks
@@ -479,7 +479,7 @@ module Brakeman
     $stderr.puts message if @debug
   end
 
-  # Compare JSON ouptut from a previous scan and return the diff of the two scans
+  # Compare JSON output from a previous scan and return the diff of the two scans
   def self.compare options
     require 'json'
     require 'brakeman/differ'

data/lib/ruby_parser/bm_sexp.rb

@@ -544,7 +544,7 @@ class Sexp
   end
 
   # Number of "statements" in a method.
-  # This is more effecient than `Sexp#body.length`
+  # This is more efficient than `Sexp#body.length`
   # because `Sexp#body` creates a new Sexp.
   def method_length
     expect :defn, :defs
@@ -642,4 +642,14 @@ end
   RUBY
 end
 
+class String
+  ##
+  # This is a hack used by the lexer to sneak in line numbers at the
+  # identifier level. This should be MUCH smaller than making
+  # process_token return [value, lineno] and modifying EVERYTHING that
+  # reduces tIDENTIFIER.
+
+  attr_accessor :lineno
+end
+
 class WrongSexpError < RuntimeError; end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 5.1.1
+  version: 5.1.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-07-20 00:00:00.000000000 Z
+date: 2021-10-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.13'
+        version: '3.18'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.13'
+        version: '3.18'
 - !ruby/object:Gem::Dependency
   name: ruby_parser-legacy
   requirement: !ruby/object:Gem::Requirement