brakeman-min 7.0.0 → 7.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0b159c25a22da361d14ae94e15d853ab400ebe40ff34e0f1c470c5610cf61d5e
-  data.tar.gz: 6a98f78676960d8e6a3dcf5050ede72aa2cef27f1231fc398b7588d349e2cfb7
+  metadata.gz: baa16f18d1ceaf0c04654b5b84547e3bb0cd23368409b980742df987f88df059
+  data.tar.gz: 90b31d54feaad0b87250d7e7599c8bcbe4d290a4bca3132e4e60ea2b83af6e25
 SHA512:
-  metadata.gz: 1401beac1441fa1c04f7bea0d439b366098ce8dcffedb8b633904752b4db081bd5d3fab8d29ba2fa6935c1ca7c3f3a7540ff154a9e79f1f66630cf964981953d
-  data.tar.gz: 31e5590f94a8ce1744709c6442990c0e00b831ddf91e985d30d116cdb2d180a2c96acfb30bfd66a6aeb72feb0b1cb895793e76f558fafb2f340303208e8b6306
+  metadata.gz: ac5c7a446bd842ccf61292ac59505b95f9fc5840ef5749f08f39ce9c4a905d8bf24045377b1ccb035d0f3b5810984c9564d962d1ba27da89f0129044e522f81d
+  data.tar.gz: 54e8dd54503821cb93b9c11aa6e69aaec2da4ba81308d507df9721fe50e2f21cb2124a8d2f46b9e907696f642c137dc05d8d51bcc4d8fb8e794b51b30b186b6d

data/CHANGES.md

@@ -1,3 +1,12 @@
+# 7.0.1 - 2025-04-03
+
+* Avoid warning on evaluation of plain strings
+* Enable use of custom/alternative Gemfiles
+* Fix error on directory with `rb` extension (viralpraxis)
+* Support `terminal-table` 4.0 (Chedli Bourguiba)
+* Better support Prism 1.4.0
+* Only output timing for each file when using `--debug`
+
 # 7.0.0 - 2024-12-30
 
 * Always warn about deserializing from Marshal

data/README.md

@@ -63,7 +63,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 # Compatibility
 
-Brakeman should work with any version of Rails from 2.3.x to 7.x.
+Brakeman should work with any version of Rails from 2.3.x to 8.x.
 
 Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.0.0 to run.
 

data/lib/brakeman/app_tree.rb

@@ -190,7 +190,12 @@ module Brakeman
       paths = select_only_files(paths)
       paths = reject_skipped_files(paths)
       paths = convert_to_file_paths(paths)
-      reject_global_excludes(paths)
+      paths = reject_global_excludes(paths)
+      reject_directories(paths)
+    end
+
+    def reject_directories(paths)
+      paths.reject { |path| File.directory?(path) }
     end
 
     def select_only_files(paths)

data/lib/brakeman/checks/check_evaluation.rb

@@ -22,27 +22,29 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
   def process_result result
     return unless original? result
 
-    if input = include_user_input?(result[:call].arglist)
-      confidence = :high
-      message = msg(msg_input(input), " evaluated as code")
-    elsif string_evaluation? result[:call].first_arg
-      confidence = :low
-      message = "Dynamic string evaluated as code"
-    elsif safe_literal? result[:call].first_arg
-      # don't warn
-    elsif result[:call].method == :eval
-      confidence = :low
-      message = "Dynamic code evaluation"
-    end
+    first_arg = result[:call].first_arg
+
+    unless safe_value? first_arg
+      if input = include_user_input?(first_arg)
+        confidence = :high
+        message = msg(msg_input(input), " evaluated as code")
+      elsif string_evaluation? first_arg
+        confidence = :low
+        message = "Dynamic string evaluated as code"
+      elsif result[:call].method == :eval
+        confidence = :low
+        message = "Dynamic code evaluation"
+      end
 
-    if confidence
-      warn :result => result,
-        :warning_type => "Dangerous Eval",
-        :warning_code => :code_eval,
-        :message => message,
-        :user_input => input,
-        :confidence => confidence,
-        :cwe_id => [913, 95]
+      if confidence
+        warn :result => result,
+          :warning_type => "Dangerous Eval",
+          :warning_code => :code_eval,
+          :message => message,
+          :user_input => input,
+          :confidence => confidence,
+          :cwe_id => [913, 95]
+      end
     end
   end
 
@@ -50,4 +52,21 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
     string_interp? exp or
       (call? exp and string? exp.target)
   end
+
+  def safe_value? exp
+    return true unless sexp? exp
+
+    case exp.sexp_type
+    when :dstr
+      exp.all? { |e| safe_value? e}
+    when :evstr
+      safe_value? exp.value
+    when :str, :lit
+      true
+    when :call
+      always_safe_method? exp.method
+    else
+      false
+    end
+  end
 end

data/lib/brakeman/checks/check_weak_rsa_key.rb

@@ -87,7 +87,7 @@ class Brakeman::CheckWeakRSAKey < Brakeman::BaseCheck
 
     if string? padding_arg
       padding_arg = padding_arg.deep_clone(padding_arg.line)
-      padding_arg.value.downcase!
+      padding_arg.value = padding_arg.value.downcase
     end
 
     case padding_arg

data/lib/brakeman/options.rb

@@ -226,6 +226,10 @@ module Brakeman::Options
           options[:follow_symlinks] = follow_symlinks
         end
 
+        opts.on '--gemfile GEMFILE', 'Specify Gemfile to scan' do |gemfile|
+          options[:gemfile] = gemfile
+        end
+
         opts.on "-E", "--enable Check1,Check2,etc", Array, "Enable the specified checks" do |checks|
           checks.map! do |check|
             if check.start_with? "Check"

data/lib/brakeman/processors/alias_processor.rb

@@ -270,7 +270,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       end
     when :<<
       if string? target and string? first_arg
-        target.value << first_arg.value
+        target.value += first_arg.value
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
@@ -278,8 +278,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
-          target.last.value << first_arg.value
+          target.last.value += first_arg.value
         elsif target.last.is_a? String
+          # TODO Use target.last += ?
           target.last << first_arg.value
         else
           target << first_arg

data/lib/brakeman/scanner.rb

@@ -32,6 +32,7 @@ class Brakeman::Scanner
 
     @processor = processor || Brakeman::Processor.new(@app_tree, options)
     @show_timing = tracker.options[:debug] || tracker.options[:show_timing]
+    @per_file_timing = tracker.options[:debug] && tracker.options[:show_timing]
   end
 
   #Returns the Tracker generated from the scan
@@ -58,7 +59,7 @@ class Brakeman::Scanner
   end
 
   def process_step_file description
-    if @show_timing
+    if @per_file_timing
       Brakeman.notify "Processing #{description}"
 
       start_t = Time.now
@@ -230,21 +231,29 @@ class Brakeman::Scanner
   #Process Gemfile
   def process_gems
     gem_files = {}
+    gem_file_names = ['Gemfile', 'gems.rb']
+    lock_file_names = ['Gemfile.lock', 'gems.locked']
 
-    if @app_tree.exists? "Gemfile"
-      file = @app_tree.file_path("Gemfile")
-      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
-    elsif @app_tree.exists? "gems.rb"
-      file = @app_tree.file_path("gems.rb")
-      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
+    if tracker.options[:gemfile]
+      name = tracker.options[:gemfile]
+      gem_file_names.unshift name
+      lock_file_names.unshift "#{name}.lock"
     end
 
-    if @app_tree.exists? "Gemfile.lock"
-      file = @app_tree.file_path("Gemfile.lock")
-      gem_files[:gemlock] = { :src => file.read, :file => file }
-    elsif @app_tree.exists? "gems.locked"
-      file = @app_tree.file_path("gems.locked")
-      gem_files[:gemlock] = { :src => file.read, :file => file }
+    gem_file_names.each do |name|
+      if @app_tree.exists? name
+        file = @app_tree.file_path(name)
+        gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
+        break
+      end
+    end
+
+    lock_file_names.each do |name|
+      if @app_tree.exists? name
+        file = @app_tree.file_path(name)
+        gem_files[:gemlock] = { :src => file.read, :file => file }
+        break
+      end
     end
 
     if @app_tree.gemspec

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "7.0.0"
+  Version = "7.0.1"
 end

data/lib/brakeman.rb

@@ -127,6 +127,13 @@ module Brakeman
     options[:output_formats] = get_output_formats options
     options[:github_url] = get_github_url options
 
+
+    # Use ENV value only if option was not already explicitly set
+    # (i.e. prefer commandline option over environment variable).
+    if options[:gemfile].nil? and ENV['BUNDLE_GEMFILE']
+      options[:gemfile] = ENV['BUNDLE_GEMFILE']
+    end
+
     options
   end
 

metadata

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 7.0.0
+  version: 7.0.1
 platform: ruby
 authors:
 - Justin Collins
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-31 00:00:00.000000000 Z
+date: 2025-04-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -334,6 +335,7 @@ metadata:
   mailing_list_uri: https://gitter.im/presidentbeef/brakeman
   source_code_uri: https://github.com/presidentbeef/brakeman
   wiki_uri: https://github.com/presidentbeef/brakeman/wiki
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -348,7 +350,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.3.27
+signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []