brakeman-min 6.1.1 → 6.1.2

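--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 9bda2b7f2e2e83fd353b042c9c11857eb8d7bae3a3d2f3eb6facc97f58f3df06
- data.tar.gz: ae4fd6a45a603d654ac5a8477810b5a79ee4041ed73e6f3bb59aea75bdf890a5
+ metadata.gz: a70ceb66f3e92c7398df7263029948d7966fea3544def0a9f31493421e326f35
+ data.tar.gz: d5a4e01a25ba1f8d4c3db395813501e928edcd9bb2713985623d39abb801bfe1
  SHA512:
- metadata.gz: 933fa4eebb2014b09c59e9bc946db21717cd9ba0b30eeeb3423fff4b8288f686161a5e33fa9e4c97f538e7aaaddc960e9826af77bc8f87dbe2dcfb846b915f7d
- data.tar.gz: 131ddf8b1c80d4d113f8255dd2d10101d3e11c904f8ac364dfdca00d63ebd38c477abd7a0f606f3de293a55e4aaf27b61affdd8c1de86d0c26d6653d3a1904ec
+ metadata.gz: a399f6eb80e0502a0aab4c859ec2e7a1fbf28b3ce8717f25f0a36c0cce15c827da86c430cae96712e22c424e746ced2dea08733e815dafc5c99dd0af15c357d9
+ data.tar.gz: 967f7ceba1997a165ad0dfab64d26ef0338b7694ef53caf0936186d0a47671a2e3e97691b31c649516c2074aba83a791f14bce1733c537df0404c7806c7749b6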
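--- a/data/CHANGES.md
+++ b/data/CHANGES.md
@@ -1,3 +1,13 @@
+ # 6.1.2 - 2024-02-01
+
+ * Update Highline to 3.0
+ * Add EOL date for Ruby 3.3.0
+ * Avoid copying Sexps that are too large
+ * Avoid detecting `ViewComponentContrib::Base` as dynamic render paths (vividmuimui)
+ * Remove deprecated use of `Kernel#open("|...")`
+ * Remove `safe_yaml` gem dependency
+ * Avoid detecting Phlex components as dynamic render paths (Máximo Mussini)
+
  # 6.1.1 - 2023-12-24
 
  * Handle racc as a default gem in Ruby 3.3.0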
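--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -24,5 +24,6 @@ class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
  ['3.0.0', '3.0.99'] => Date.new(2024, 3, 31),
  ['3.1.0', '3.1.99'] => Date.new(2025, 3, 31),
  ['3.2.0', '3.2.99'] => Date.new(2026, 3, 31),
+ ['3.3.0', '3.3.99'] => Date.new(2027, 3, 31),
  }
  end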
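--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -108,6 +108,11 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
  def known_renderable_class? class_name
  klass = tracker.find_class(class_name)
  return false if klass.nil?
- klass.ancestor? :"ViewComponent::Base"
+ knowns = [
+ :"ViewComponent::Base",
+ :"ViewComponentContrib::Base",
+ :"Phlex::HTML"
+ ]
+ knowns.any? { |k| klass.ancestor? k }
  end
  end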
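Review bot: The `knowns` array in `known_renderable_class?` is allocated on every call even though its contents never change; hoisting it into a frozen class-level constant, `KNOWN_RENDERABLE_CLASSES = [:"ViewComponent::Base", :"ViewComponentContrib::Base", :"Phlex::HTML"].freeze`, with `KNOWN_RENDERABLE_CLASSES.any? { |k| klass.ancestor? k }` in the method, avoids the allocation and makes the allow-list visible at the top of the check. Because a match here means a render target is not reported as a dynamic render path (per the two changelog entries in this release), a one-line comment on the constant such as `# Component base classes; rendering a subclass is not treated as a dynamic render path` would record that false-negative trade-off for whoever adds the next framework.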
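--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -116,10 +116,9 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
 
  if secrets_file.exists? and not ignored? "secrets.yml" and not ignored? "config/*.yml"
  yaml = secrets_file.read
- require 'date' # https://github.com/dtao/safe_yaml/issues/80
- require 'safe_yaml/load'
+ require 'yaml'
  begin
- secrets = SafeYAML.load yaml
+ secrets = YAML.safe_load yaml
  rescue Psych::SyntaxError, RuntimeError => e
  Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
  Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"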
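Review bot: `secrets = YAML.safe_load yaml` keeps Psych's default `aliases: false`, so a secrets.yml that uses YAML anchors (`<<: *default`) raises `Psych::BadAlias` (`Psych::AliasesNotEnabled` on Psych 4+), which the `RuntimeError` rescue below turns into an "Unable to parse" notice and the rest of the check is skipped for that file. If anchored secrets files should be supported, `YAML.safe_load yaml, aliases: true` allows them while still instantiating no classes; if not, a short comment saying that aliased files are deliberately not parsed would stop the next reader from treating the notice as a bug. `Psych::DisallowedClass` is already covered because `Psych::Exception` inherits from `RuntimeError`. The enclosing method begins before and continues after the hunk.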
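--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -32,6 +32,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
  @or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
  @meth_env = nil
  @current_file = current_file
+ @mass_limit = (tracker && tracker.options[:mass_limit]) || 1000 # arbitrary default
  set_env_defaults
  end
 
@@ -82,8 +83,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
  def replace exp, int = 0
  return exp if int > 3
 
- if replacement = env[exp] and not duplicate? replacement
- replace(replacement.deep_clone(exp.line), int + 1)
+ if replacement = env[exp]
+ if not duplicate? replacement and replacement.mass < @mass_limit
+ replace(replacement.deep_clone(exp.line), int + 1)
+ else
+ exp
+ end
  elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
  replace(replacement.deep_clone(exp.line), int + 1)
  else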
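Review bot: The new `replacement.mass < @mass_limit` guard applies only to the `env[exp]` branch; the `elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement` branch still calls `deep_clone` on whatever `constant_lookup` returns with no mass check, so an oversized constant Sexp can still be copied on every substitution, which looks like exactly the case the limit was added to bound. Appending `and replacement.mass < @mass_limit` to that `elsif` condition would make the limit uniform across both lookups. As a style point, `if not duplicate? replacement and replacement.mass < @mass_limit` relies on the low-precedence `not`/`and` keywords; `if !duplicate?(replacement) && replacement.mass < @mass_limit` reads the same without the precedence question. `replace` continues past the end of the hunk, and the `@mass_limit` assignment in the first hunk would benefit from a short comment, e.g. `# replacements whose Sexp#mass reaches this are not inlined by #replace`.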
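--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -52,7 +52,7 @@ module Brakeman
  def page_via_less text
  # Adapted from https://github.com/piotrmurach/tty-pager/
 
- write_io = open("|less #{less_options.join}", 'w')
+ write_io = IO.popen("less #{less_options.join}", 'w')
  pid = write_io.pid
 
  write_io.write(text)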
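Review bot: `IO.popen("less #{less_options.join}", 'w')` still passes one interpolated string, which Ruby hands to `/bin/sh` whenever it contains shell metacharacters; the array form `IO.popen(['less', less_options.join], 'w')` (or `['less', *less_options]` if the options are separate switches) execs `less` directly and finishes the job of dropping `Kernel#open("|...")`. `less_options` is defined outside the hunk, so I cannot see whether its contents are fixed or user-influenced; if they are constant the exposure is only theoretical, but the array form is also robust to an option value containing spaces. `page_via_less` continues past the end of the hunk.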
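--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,3 +1,3 @@
  module Brakeman
- Version = "6.1.1"
+ Version = "6.1.2"
  end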
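--- a/data/lib/brakeman.rb
+++ b/data/lib/brakeman.rb
@@ -128,9 +128,8 @@ module Brakeman
 
  #Load configuration file
  if config = config_file(custom_location, app_path)
- require 'date' # https://github.com/dtao/safe_yaml/issues/80
- self.load_brakeman_dependency 'safe_yaml/load'
- options = SafeYAML.load_file config, :deserialize_symbols => true
+ require 'yaml'
+ options = YAML.safe_load_file config, permitted_classes: [Symbol], symbolize_names: true
 
  if options
  options.each { |k, v| options[k] = Set.new v if v.is_a? Array }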
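Review bot: `YAML.safe_load_file` only exists in Psych >= 3.3 (the version bundled with Ruby 3.0); if the gemspec's `required_ruby_version`, which is not on this page, still admits older Rubies, this path now fails with `NoMethodError`, and the equivalent `YAML.safe_load(File.read(config), permitted_classes: [Symbol], symbolize_names: true)` works on every supported Psych. Note also that `symbolize_names: true` symbolizes every key, whereas the replaced `SafeYAML.load_file ..., :deserialize_symbols => true` only accepted explicit `:sym` scalars and left plain string keys as strings, so a config written with `key:` instead of `:key:` is now honoured — a useful widening, but worth a line in CHANGES.md. Aliases stay disabled and only `Symbol` can be instantiated, which is the right posture for a file that may live inside the scanned application. Whether a `Psych::DisallowedClass` or `Psych::BadAlias` raised here is rescued is outside the hunk.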
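--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: brakeman-min
  version: !ruby/object:Gem::Version
- version: 6.1.1
+ version: 6.1.2
  platform: ruby
  authors:
  - Justin Collins
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2023-12-24 00:00:00.000000000 Z
+ date: 2024-02-02 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: minitest
@@ -122,20 +122,6 @@ dependencies:
  - - "~>"
  - !ruby/object:Gem::Version
  version: 2.4.0
- - !ruby/object:Gem::Dependency
- name: safe_yaml
- requirement: !ruby/object:Gem::Requirement
- requirements:
- - - ">="
- - !ruby/object:Gem::Version
- version: '1.0'
- type: :runtime
- prerelease: false
- version_requirements: !ruby/object:Gem::Requirement
- requirements:
- - - ">="
- - !ruby/object:Gem::Version
- version: '1.0'
  - !ruby/object:Gem::Dependency
  name: racc
  requirement: !ruby/object:Gem::Requirement
@@ -376,7 +362,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.2.3
+ rubygems_version: 3.5.3
  signing_key:
  specification_version: 4
  summary: Security vulnerability scanner for Ruby on Rails.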