RubyGems - brakeman - Versions diffs - 3.1.5 → 3.2.0.pre1 - Mend

brakeman 3.1.5 → 3.2.0.pre1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

checksums.yaml +4 -4
data/CHANGES +11 -0
data/lib/brakeman.rb +4 -4
data/lib/brakeman/call_index.rb +22 -31
data/lib/brakeman/checks.rb +59 -73
data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +0 -21
data/lib/brakeman/checks/check_cross_site_scripting.rb +2 -2
data/lib/brakeman/checks/check_render.rb +9 -1
data/lib/brakeman/checks/check_sql.rb +3 -3
data/lib/brakeman/processors/alias_processor.rb +1 -1
data/lib/brakeman/processors/base_processor.rb +8 -0
data/lib/brakeman/processors/erb_template_processor.rb +1 -1
data/lib/brakeman/processors/erubis_template_processor.rb +1 -1
data/lib/brakeman/processors/haml_template_processor.rb +2 -1
data/lib/brakeman/processors/lib/basic_processor.rb +16 -0
data/lib/brakeman/processors/lib/find_all_calls.rb +4 -2
data/lib/brakeman/processors/lib/find_call.rb +1 -1
data/lib/brakeman/processors/lib/render_path.rb +2 -1
data/lib/brakeman/report/ignore/config.rb +3 -3
data/lib/brakeman/report/report_csv.rb +1 -2
data/lib/brakeman/report/report_json.rb +1 -4
data/lib/brakeman/tracker.rb +21 -0
data/lib/brakeman/util.rb +4 -3
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +2 -2
data/lib/ruby_parser/bm_sexp.rb +23 -23
metadata +8 -44
data/lib/brakeman/report/initializers/faster_csv.rb +0 -7
data/lib/brakeman/report/initializers/multi_json.rb +0 -29

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 449a20c68813d646031a349e4ef3144c387462f1
-  data.tar.gz: 65f2ed189a51bfc5e9b3d7bbe0d04d7fdfc8ae39
+  metadata.gz: 1e770766f6b12a78d68bb5578ca2f03edc16dbb0
+  data.tar.gz: d16b6325409502c5828ce379e364e43fbc10ec9e
 SHA512:
-  metadata.gz: fe400de4fdfe2d81dc1dfab9e5ff9f0b6f8c53f4c30f868b8e605185e74a907b2932ab3dbe5b793425fd90c5e55fb3f34efdd7d755f04223939ba38d4e5bb3ef
-  data.tar.gz: 1a7e2f419f4c8a2fdfc438406700220b2aba13409a5371db909a571d7a51bde96b1a231fbcd12d19fce49b463288b4d65100d35ba7e4879ed8fd04b729a037a7
+  metadata.gz: 79dbc7972a53fd175306dd50e21943b1825870fa2273b489bb2fef00c7870c5f0c5fc48e90b919d78b57dd2ff46b1a1be7fdee40f55f545d8a0cbecfe0878826
+  data.tar.gz: 647e2c2f42057c5f2d64a4e5166f3541ed1764062d4b6bed7668e6ba31429214486dbb8a495435dc144a98f52ec7357330640cb2730c71157a236b23bd7fdbb4

data/CHANGES CHANGED

@@ -1,3 +1,14 @@
+# 3.2.0.pre1
+* Support calls using `&.` operator
+* Update ruby_parser dependency to 3.8.1
+* Remove `fastercsv` dependency
+* Fix finding calls with `targets: nil`
+* Remove `multi-json` dependecy
+* Handle CoffeeScript in HAML
+* Avoid render warnings about params[:action]/params[:controller]
+* Index calls in class bodies but outside methods
 # 3.1.5
 * Fix CodeClimate construction of --only-files (Will Fleming)

data/lib/brakeman.rb CHANGED

@@ -407,20 +407,20 @@ module Brakeman
   # Compare JSON ouptut from a previous scan and return the diff of the two scans
   def self.compare options
-    require 'multi_json'
+    require 'json'
     require 'brakeman/differ'
     raise ArgumentError.new("Comparison file doesn't exist") unless File.exist? options[:previous_results_json]
     begin
-      previous_results = MultiJson.load(File.read(options[:previous_results_json]), :symbolize_keys => true)[:warnings]
-    rescue MultiJson::DecodeError
+      previous_results = JSON.parse(File.read(options[:previous_results_json]), :symbolize_names => true)[:warnings]
+    rescue JSON::ParserError
       self.notify "Error parsing comparison file: #{options[:previous_results_json]}"
       exit!
     end
     tracker = run(options)
-    new_results = MultiJson.load(tracker.report.to_json, :symbolize_keys => true)[:warnings]
+    new_results = JSON.parse(tracker.report.to_json, :symbolize_names => true)[:warnings]
     Brakeman::Differ.new(new_results, previous_results).diff
   end

data/lib/brakeman/call_index.rb CHANGED

@@ -5,8 +5,8 @@ class Brakeman::CallIndex
   #Initialize index with calls from FindAllCalls
   def initialize calls
-    @calls_by_method = Hash.new
-    @calls_by_target = Hash.new
+    @calls_by_method = Hash.new { |h, k| h[k] = [] }
+    @calls_by_target = Hash.new { |h, k| h[k] = [] }
     index_calls calls
   end
@@ -45,7 +45,7 @@ class Brakeman::CallIndex
     #Find calls with no explicit target
     #with either :target => nil or :target => false
-    elsif options.key? :target and not target and method
+    elsif (options.key? :target or options.key? :targets) and not target and method
       calls = calls_by_method method
       calls = filter_by_target calls, nil
@@ -66,44 +66,35 @@ class Brakeman::CallIndex
   end
   def remove_template_indexes template_name = nil
-    @calls_by_method.each do |name, calls|
-      calls.delete_if do |call|
-        from_template call, template_name
-      end
-    end
-    @calls_by_target.each do |name, calls|
-      calls.delete_if do |call|
-        from_template call, template_name
+    [@calls_by_method, @calls_by_target].each do |calls_by|
+      calls_by.each do |name, calls|
+        calls.delete_if do |call|
+          from_template call, template_name
+        end
       end
     end
   end
   def remove_indexes_by_class classes
-    @calls_by_method.each do |name, calls|
-      calls.delete_if do |call|
-        call[:location][:type] == :class and classes.include? call[:location][:class]
-      end
-    end
-    @calls_by_target.each do |name, calls|
-      calls.delete_if do |call|
-        call[:location][:type] == :class and classes.include? call[:location][:class]
+    [@calls_by_method, @calls_by_target].each do |calls_by|
+      calls_by.each do |name, calls|
+        calls.delete_if do |call|
+          call[:location][:type] == :class and classes.include? call[:location][:class]
+        end
       end
     end
   end
   def index_calls calls
     calls.each do |call|
-      @calls_by_method[call[:method]] ||= []
       @calls_by_method[call[:method]] << call
-      if not call[:target].is_a? Sexp
-        @calls_by_target[call[:target]] ||= []
-        @calls_by_target[call[:target]] << call
-      elsif call[:target].node_type == :params or call[:target].node_type == :session
-        @calls_by_target[call[:target].node_type] ||= []
-        @calls_by_target[call[:target].node_type] << call
+      target = call[:target]
+      if not target.is_a? Sexp
+        @calls_by_target[target] << call
+      elsif target.node_type == :params or target.node_type == :session
+        @calls_by_target[target.node_type] << call
       end
     end
   end
@@ -115,7 +106,7 @@ class Brakeman::CallIndex
     method = options[:method] || options[:methods]
     calls = calls_by_method method
     return [] if calls.nil?
     calls = filter_by_chain calls, target
@@ -145,7 +136,7 @@ class Brakeman::CallIndex
     elsif method.is_a? Regexp
       calls_by_methods_regex method
     else
-      @calls_by_method[method.to_sym] || []
+      @calls_by_method[method.to_sym]
     end
   end
@@ -169,7 +160,7 @@ class Brakeman::CallIndex
   end
   def calls_with_no_target
-    @calls_by_target[nil] || []
+    @calls_by_target[nil]
   end
   def filter calls, key, value

data/lib/brakeman/checks.rb CHANGED

@@ -93,91 +93,49 @@ class Brakeman::Checks
   #Run all the checks on the given Tracker.
   #Returns a new instance of Checks with the results.
   def self.run_checks(app_tree, tracker)
-    if tracker.options[:parallel_checks]
-      self.run_checks_parallel(app_tree, tracker)
-    else
-      self.run_checks_sequential(app_tree, tracker)
-    end
-  end
-  #Run checks sequentially
-  def self.run_checks_sequential(app_tree, tracker)
+    checks = self.checks_to_run(tracker)
     check_runner = self.new :min_confidence => tracker.options[:min_confidence]
-    self.checks_to_run(tracker).each do |c|
-      check_name = get_check_name c
-      #Run or don't run check based on options
-      unless tracker.options[:skip_checks].include? check_name or
-        (tracker.options[:run_checks] and not tracker.options[:run_checks].include? check_name)
-        Brakeman.notify " - #{check_name}"
-        check = c.new(app_tree, tracker)
-        begin
-          check.run_check
-        rescue => e
-          tracker.error e
-        end
-        check.warnings.each do |w|
-          check_runner.add_warning w
-        end
-        #Maintain list of which checks were run
-        #mainly for reporting purposes
-        check_runner.checks_run << check_name[5..-1]
-      end
-    end
-    check_runner
+    self.actually_run_checks(checks, check_runner, app_tree, tracker)
   end
-  #Run checks in parallel threads
-  def self.run_checks_parallel(app_tree, tracker)
-    threads = []
+  def self.actually_run_checks(checks, check_runner, app_tree, tracker)
+    threads = [] # Results for parallel
+    results = [] # Results for sequential
+    parallel = tracker.options[:parallel_checks]
     error_mutex = Mutex.new
-    check_runner = self.new :min_confidence => tracker.options[:min_confidence]
-    self.checks_to_run(tracker).each do |c|
+    checks.each do |c|
       check_name = get_check_name c
+      Brakeman.notify " - #{check_name}"
-      #Run or don't run check based on options
-      unless tracker.options[:skip_checks].include? check_name or
-        (tracker.options[:run_checks] and not tracker.options[:run_checks].include? check_name)
-        Brakeman.notify " - #{check_name}"
+      if parallel
         threads << Thread.new do
-          check = c.new(app_tree, tracker)
-          begin
-            check.run_check
-          rescue => e
-            error_mutex.synchronize do
-              tracker.error e
-            end
-          end
-          check.warnings
+          self.run_a_check(c, error_mutex, app_tree, tracker)
         end
-        #Maintain list of which checks were run
-        #mainly for reporting purposes
-        check_runner.checks_run << check_name[5..-1]
+      else
+        results << self.run_a_check(c, error_mutex, app_tree, tracker)
       end
+      #Maintain list of which checks were run
+      #mainly for reporting purposes
+      check_runner.checks_run << check_name[5..-1]
     end
     threads.each { |t| t.join }
     Brakeman.notify "Checks finished, collecting results..."
-    #Collect results
-    threads.each do |thread|
-      thread.value.each do |warning|
-        check_runner.add_warning warning
+    if parallel
+      threads.each do |thread|
+        thread.value.each do |warning|
+          check_runner.add_warning warning
+        end
+      end
+    else
+      results.each do |warnings|
+        warnings.each do |warning|
+          check_runner.add_warning warning
+        end
       end
     end
@@ -191,11 +149,39 @@ class Brakeman::Checks
   end
   def self.checks_to_run tracker
-    if tracker.options[:run_all_checks] or tracker.options[:run_checks]
-      @checks + @optional_checks
-    else
-      @checks
+    to_run = if tracker.options[:run_all_checks] or tracker.options[:run_checks]
+               @checks + @optional_checks
+             else
+               @checks
+             end
+    self.filter_checks to_run, tracker
+  end
+  def self.filter_checks checks, tracker
+    skipped = tracker.options[:skip_checks]
+    explicit = tracker.options[:run_checks]
+    checks.reject do |c|
+      check_name = self.get_check_name(c)
+      skipped.include? check_name or
+        (explicit and not explicit.include? check_name)
+    end
+  end
+  def self.run_a_check klass, mutex, app_tree, tracker
+    check = klass.new(app_tree, tracker)
+    begin
+      check.run_check
+    rescue => e
+      mutex.synchronize do
+        tracker.error e
+      end
     end
+    check.warnings
   end
 end

data/lib/brakeman/checks/check_basic_auth_timing_attack.rb CHANGED

@@ -17,31 +17,10 @@ class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
                  return
                end
-    check_basic_auth_filter
     check_basic_auth_call
   end
-  def check_basic_auth_filter
-    controllers = tracker.controllers.select do |name, c|
-      c.options[:http_basic_authenticate_with]
-    end
-    Hash[controllers].each do |name, controller|
-      controller.options[:http_basic_authenticate_with].each do |call|
-        warn :controller => name,
-          :warning_type => "Timing Attack",
-          :warning_code => :CVE_2015_7576,
-          :message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade",
-          :code => call,
-          :confidence => CONFIDENCE[:high],
-          :file => controller.file,
-          :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
-      end
-    end
-  end
   def check_basic_auth_call
-    # This is relatively unusual, but found in the wild
     tracker.find_call(target: nil, method: :http_basic_authenticate_with).each do |result|
       warn :result => result,
         :warning_type => "Timing Attack",

data/lib/brakeman/checks/check_cross_site_scripting.rb CHANGED

@@ -99,7 +99,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         link_path = "cross_site_scripting"
         warning_code = :cross_site_scripting
-        if node_type?(out, :call, :attrasgn) && out.method == :to_json
+        if node_type?(out, :call, :safe_call, :attrasgn, :safe_attrasgn) && out.method == :to_json
           message += " in JSON hash"
           link_path += "_to_json"
           warning_code = :xss_to_json
@@ -334,7 +334,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   end
   def html_safe_call? exp
-    exp.value.node_type == :call and exp.value.method == :html_safe
+    call? exp.value and exp.value.method == :html_safe
   end
   def ignore_call? target, method

data/lib/brakeman/checks/check_render.rb CHANGED

@@ -35,7 +35,6 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
     if sexp? view and not duplicate? result
       add_result result
       if input = has_immediate_user_input?(view)
         if string_interp? view
           confidence = CONFIDENCE[:med]
@@ -49,6 +48,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
       end
       return if input.type == :model #skip models
+      return if safe_param? input.match
       message = "Render path contains #{friendly_type_of input}"
@@ -71,6 +71,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
     if sexp? view and not duplicate? result
       if params? view
         add_result result
+        return if safe_param? view
         warn :result => result,
           :warning_type => "Remote Code Execution",
@@ -81,4 +82,11 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
       end
     end
   end
+  def safe_param? exp
+    if params? exp and call? exp and exp.method == :[]
+      arg = exp.first_arg
+      symbol? arg and [:controller, :action].include? arg.value
+    end
+  end
 end

data/lib/brakeman/checks/check_sql.rb CHANGED

@@ -64,9 +64,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         second_arg = args[2]
         next unless sexp? second_arg
-        if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call
+        if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
           process_scope_with_block(name, args)
-        elsif second_arg.node_type == :call
+        elsif call? second_arg
           call = second_arg
           scope_calls << scope_call_hash(call, name, call.method)
         else
@@ -107,7 +107,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       find_calls = Brakeman::FindAllCalls.new(tracker)
       find_calls.process_source(block, :class => model_name, :method => scope_name)
       find_calls.calls.each { |call| process_result(call) if @sql_targets.include?(call[:method]) }
-    elsif block.node_type == :call
+    elsif call? block
       while call? block
         process_result :target => block.target, :method => block.method, :call => block,
          :location => { :type => :class, :class => model_name, :method => scope_name }

data/lib/brakeman/processors/alias_processor.rb CHANGED

@@ -296,7 +296,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   # Handles x = y = z = 1
   def get_rhs exp
-    if node_type? exp, :lasgn, :iasgn, :gasgn, :attrasgn, :cvdecl, :cdecl
+    if node_type? exp, :lasgn, :iasgn, :gasgn, :attrasgn, :safe_attrasgn, :cvdecl, :cdecl
       get_rhs(exp.rhs)
     else
       exp

data/lib/brakeman/processors/base_processor.rb CHANGED

@@ -68,6 +68,14 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     call
   end
+  def process_safe_call exp
+    if self.respond_to? :process_call
+      process_call exp
+    else
+      process_default exp
+    end
+  end
   #String with interpolation.
   def process_dstr exp
     exp = exp.dup

data/lib/brakeman/processors/erb_template_processor.rb CHANGED

@@ -25,7 +25,7 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
         arg = exp.first_arg
-        if arg.node_type == :call and arg.method == :to_s #erb always calls to_s on output
+        if call? arg and arg.method == :to_s #erb always calls to_s on output
           arg = arg.target
         end

data/lib/brakeman/processors/erubis_template_processor.rb CHANGED

@@ -21,7 +21,7 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
         arg = exp.first_arg
         #We want the actual content
-        if arg.node_type == :call and (arg.method == :to_s or arg.method == :html_safe!)
+        if call? arg and (arg.method == :to_s or arg.method == :html_safe!)
           arg = arg.target
         end

data/lib/brakeman/processors/haml_template_processor.rb CHANGED

@@ -5,6 +5,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   HAML_FORMAT_METHOD = /format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
   HAML_HELPERS = s(:colon2, s(:const, :Haml), :Helpers)
   JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
+  COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
   #Processes call, looking for template output
   def process_call exp
@@ -90,7 +91,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     elsif target == nil and method == :find_and_preserve
       process exp.first_arg
     elsif method == :render_with_options
-      if target == JAVASCRIPT_FILTER
+      if target == JAVASCRIPT_FILTER or target == COFFEE_FILTER
         @javascript = true
       end

data/lib/brakeman/processors/lib/basic_processor.rb CHANGED

@@ -14,4 +14,20 @@ class Brakeman::BasicProcessor < Brakeman::SexpProcessor
   def process_default exp
     process_all exp
   end
+  def process_safe_call exp
+    if self.respond_to? :process_call
+      process_call exp
+    else
+      process_default exp
+    end
+  end
+  def process_safe_attrasgn exp
+    if self.respond_to? :process_attrasgn
+      process_attrasgn exp
+    else
+      process_default exp
+    end
+  end
 end

data/lib/brakeman/processors/lib/find_all_calls.rb CHANGED

@@ -24,11 +24,13 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Process body of method
   def process_defn exp
+    return exp unless @current_method
     process_all exp.body
   end
   #Process body of method
   def process_defs exp
+    return exp unless @current_method
     process_all exp.body
   end
@@ -139,7 +141,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
         @current_class || @current_module || nil
       when :params, :session, :cookies
         exp.node_type
-      when :call
+      when :call, :safe_call
         if include_calls
           if exp.target.nil?
             exp.method
@@ -165,7 +167,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Returns method chain as an array
   #For example, User.human.alive.all would return [:User, :human, :alive, :all]
   def get_chain call
-    if node_type? call, :call, :attrasgn
+    if node_type? call, :call, :attrasgn, :safe_call, :safe_attrasgn
       get_chain(call.target) + [call.method]
     elsif call.nil?
       []

data/lib/brakeman/processors/lib/find_call.rb CHANGED

@@ -102,7 +102,7 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
     #  User.find(:first, :conditions => "user = '#{params['user']}').name
     #
     #A search for User.find will not match this unless @in_depth is true.
-    if @in_depth and node_type? exp.target, :call
+    if @in_depth and call? exp.target
       process exp.target
     end

data/lib/brakeman/processors/lib/render_path.rb CHANGED

@@ -95,7 +95,8 @@ module Brakeman
     end
     def to_json *args
-      MultiJson.dump(@path)
+      require 'json'
+      JSON.generate(@path)
     end
     def initialize_copy original

data/lib/brakeman/report/ignore/config.rb CHANGED

@@ -1,5 +1,5 @@
 require 'set'
-require 'multi_json'
+require 'json'
 module Brakeman
   class IgnoreConfig
@@ -75,7 +75,7 @@ module Brakeman
     # Read configuration to file
     def read_from_file file = @file
       if File.exist? file
-        @already_ignored = MultiJson.load(File.read(file), :symbolize_keys => true)[:ignored_warnings]
+        @already_ignored = JSON.parse(File.read(file), :symbolize_names => true)[:ignored_warnings]
       else
         Brakeman.notify "[Notice] Could not find ignore configuration in #{file}"
         @already_ignored = []
@@ -107,7 +107,7 @@ module Brakeman
       }
       File.open file, "w" do |f|
-        f.puts MultiJson.dump(output, :pretty => true)
+        f.puts JSON.pretty_generate(output)
       end
     end

data/lib/brakeman/report/report_csv.rb CHANGED

@@ -1,5 +1,4 @@
-Brakeman.load_brakeman_dependency 'csv'
-require "brakeman/report/initializers/faster_csv"
+require 'csv'
 require "brakeman/report/report_table"
 class Brakeman::Report::CSV < Brakeman::Report::Table

data/lib/brakeman/report/report_json.rb CHANGED

@@ -1,6 +1,3 @@
-Brakeman.load_brakeman_dependency 'multi_json'
-require 'brakeman/report/initializers/multi_json'
 class Brakeman::Report::JSON < Brakeman::Report::Base
   def generate_report
     errors = tracker.errors.map{|e| { :error => e[:error], :location => e[:backtrace][0] }}
@@ -32,7 +29,7 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
       :errors => errors
     }
-    MultiJson.dump(report_info, :pretty => true)
+    JSON.pretty_generate report_info
   end
   def convert_to_hashes warnings

data/lib/brakeman/tracker.rb CHANGED

@@ -115,6 +115,23 @@ class Brakeman::Tracker
     end
   end
+  def each_class
+    classes = [self.controllers, self.models]
+    if @options[:index_libs]
+      classes << self.libs
+    end
+    classes.each do |set|
+      set.each do |set_name, collection|
+        collection.src.each do |file, src|
+          yield src, set_name, file
+        end
+      end
+    end
+  end
   #Find a method call.
   #
   #Options:
@@ -178,6 +195,10 @@ class Brakeman::Tracker
       finder.process_source definition, :class => set_name, :method => method_name, :file => file
     end
+    self.each_class do |definition, set_name, file|
+      finder.process_source definition, :class => set_name, :file => file
+    end
     self.each_template do |name, template|
       finder.process_source template.src, :template => template, :file => template.file
     end

data/lib/brakeman/util.rb CHANGED

@@ -167,7 +167,8 @@ module Brakeman::Util
   #Check if _exp_ represents a method call: s(:call, ...)
   def call? exp
-    exp.is_a? Sexp and exp.node_type == :call
+    exp.is_a? Sexp and
+      (exp.node_type == :call or exp.node_type == :safe_call)
   end
   #Check if _exp_ represents a Regexp: s(:lit, /.../)
@@ -214,7 +215,7 @@ module Brakeman::Util
     if exp.is_a? Sexp
       return true if exp.node_type == :params or ALL_PARAMETERS.include? exp
-      if exp.node_type == :call
+      if call? exp
         if params? exp[1]
           return true
         elsif exp[2] == :[]
@@ -230,7 +231,7 @@ module Brakeman::Util
     if exp.is_a? Sexp
       return true if exp.node_type == :cookies or exp == COOKIES
-      if exp.node_type == :call
+      if call? exp
         if cookies? exp[1]
           return true
         elsif exp[2] == :[]

data/lib/brakeman/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.1.5"
+  Version = "3.2.0.pre1"
 end

data/lib/brakeman/warning.rb CHANGED

@@ -1,4 +1,4 @@
-require 'multi_json'
+require 'json'
 require 'digest/sha2'
 require 'brakeman/warning_codes'
@@ -241,7 +241,7 @@ class Brakeman::Warning
   end
   def to_json
-    MultiJson.dump self.to_hash
+    JSON.generate self.to_hash
   end
   private

data/lib/ruby_parser/bm_sexp.rb CHANGED

@@ -141,13 +141,13 @@ class Sexp
   #s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1)))
   #         ^-----------target-----------^
   def target
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     self[1]
   end
   #Sets the target of a method call:
   def target= exp
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     @my_hash_value = nil
     self[1] = exp
   end
@@ -157,10 +157,10 @@ class Sexp
   #s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1)))
   #                        ^- method
   def method
-    expect :call, :attrasgn, :super, :zsuper, :result
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper, :result
     case self.node_type
-    when :call, :attrasgn
+    when :call, :attrasgn, :safe_call, :safe_attrasgn
       self[2]
     when :super, :zsuper
       :super
@@ -170,14 +170,14 @@ class Sexp
   end
   def method= name
-    expect :call
+    expect :call, :safe_call
     self[2] = name
   end
   #Sets the arglist in a method call.
   def arglist= exp
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     @my_hash_value = nil
     start_index = 3
@@ -201,10 +201,10 @@ class Sexp
   #    s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1), s(:lit, 2)))
   #                                                 ^------------ arglist ------------^
   def arglist
-    expect :call, :attrasgn, :super, :zsuper
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
     case self.node_type
-    when :call, :attrasgn
+    when :call, :attrasgn, :safe_call, :safe_attrasgn
       self[3..-1].unshift :arglist
     when :super, :zsuper
       if self[1]
@@ -220,10 +220,10 @@ class Sexp
   #    s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1), s(:lit, 2)))
   #                                                             ^--------args--------^
   def args
-    expect :call, :attrasgn, :super, :zsuper
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
     case self.node_type
-    when :call, :attrasgn
+    when :call, :attrasgn, :safe_call, :safe_attrasgn
       if self[3]
         self[3..-1]
       else
@@ -239,11 +239,11 @@ class Sexp
   end
   def each_arg replace = false
-    expect :call, :attrasgn, :super, :zsuper
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
     range = nil
     case self.node_type
-    when :call, :attrasgn
+    when :call, :attrasgn, :safe_call, :safe_attrasgn
       if self[3]
         range = (3...self.length)
       end
@@ -270,43 +270,43 @@ class Sexp
   #Returns first argument of a method call.
   def first_arg
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     self[3]
   end
   #Sets first argument of a method call.
   def first_arg= exp
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     @my_hash_value = nil
     self[3] = exp
   end
   #Returns second argument of a method call.
   def second_arg
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     self[4]
   end
   #Sets second argument of a method call.
   def second_arg= exp
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     @my_hash_value = nil
     self[4] = exp
   end
   def third_arg
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     self[5]
   end
   def third_arg= exp
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     @my_hash_value = nil
     self[5] = exp
   end
   def last_arg
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     if self[3]
       self[-1]
@@ -427,9 +427,9 @@ class Sexp
   #    s(:lasgn, :x, s(:lit, 1))
   #                  ^--rhs---^
   def rhs
-    expect :attrasgn, *ASSIGNMENT_BOOL
+    expect :attrasgn, :safe_attrasgn, *ASSIGNMENT_BOOL
-    if self.node_type == :attrasgn
+    if self.node_type == :attrasgn or self.node_type == :safe_attrasgn
       self[3]
     else
       self[2]
@@ -438,10 +438,10 @@ class Sexp
   #Sets the right hand side of assignment or boolean.
   def rhs= exp
-    expect :attrasgn, *ASSIGNMENT_BOOL
+    expect :attrasgn, :safe_attrasgn, *ASSIGNMENT_BOOL
     @my_hash_value = nil
-    if self.node_type == :attrasgn
+    if self.node_type == :attrasgn or self.node_type == :safe_attrasgn
       self[3] = exp
     else
       self[2] = exp

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 3.1.5
+  version: 3.2.0.pre1
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2016-01-28 00:00:00.000000000 Z
+date: 2016-02-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
@@ -31,32 +31,26 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: 3.8.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: 3.8.1
 - !ruby/object:Gem::Dependency
   name: ruby2ruby
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.1.1
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
         version: 2.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.1.1
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
         version: 2.3.0
 - !ruby/object:Gem::Dependency
@@ -73,20 +67,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.4'
-- !ruby/object:Gem::Dependency
-  name: fastercsv
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: highline
   requirement: !ruby/object:Gem::Requirement
@@ -175,20 +155,6 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '4.0'
-- !ruby/object:Gem::Dependency
-  name: multi_json
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.2'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: safe_yaml
   requirement: !ruby/object:Gem::Requirement
@@ -329,8 +295,6 @@ files:
 - lib/brakeman/report/config/remediation.yml
 - lib/brakeman/report/ignore/config.rb
 - lib/brakeman/report/ignore/interactive.rb
-- lib/brakeman/report/initializers/faster_csv.rb
-- lib/brakeman/report/initializers/multi_json.rb
 - lib/brakeman/report/renderer.rb
 - lib/brakeman/report/report_base.rb
 - lib/brakeman/report/report_codeclimate.rb
@@ -382,9 +346,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project:
 rubygems_version: 2.4.8

data/lib/brakeman/report/initializers/faster_csv.rb DELETED

@@ -1,7 +0,0 @@
-# Ruby 1.8 compatible
-if CSV.const_defined? :Reader
-  require 'fastercsv'
-  Object.send(:remove_const, :CSV)
-  CSV = FasterCSV
-end

data/lib/brakeman/report/initializers/multi_json.rb DELETED

@@ -1,29 +0,0 @@
-#MultiJson interface changed in 1.3.0, but need
-#to support older MultiJson for Rails 3.1.
-mj_engine = nil
-if MultiJson.respond_to? :default_adapter
-  mj_engine = MultiJson.default_adapter
-else
-  mj_engine = MultiJson.default_engine
-  module MultiJson
-    def self.dump *args
-      encode *args
-    end
-    def self.load *args
-      decode *args
-    end
-  end
-end
-#This is so OkJson will work with symbol values
-if mj_engine == :ok_json
-  class Symbol
-    def to_json
-      self.to_s.inspect
-    end
-  end
-end