brakeman 3.3.0 → 3.3.1

data/bundle/ruby/2.3.0/gems/tilt-2.0.5/test/tilt_pandoctemplate_test.rb

@@ -0,0 +1,67 @@
+# encoding: utf-8
+
+require 'test_helper'
+require 'tilt'
+
+begin
+  require 'tilt/pandoc'
+
+  class PandocTemplateTest < Minitest::Test
+    test "preparing and evaluating templates on #render" do
+      template = Tilt::PandocTemplate.new { |t| "# Hello World!" }
+      assert_equal "<h1 id=\"hello-world\">Hello World!</h1>", template.render
+    end
+
+    test "can be rendered more than once" do
+      template = Tilt::PandocTemplate.new { |t| "# Hello World!" }
+      3.times { assert_equal "<h1 id=\"hello-world\">Hello World!</h1>", template.render }
+    end
+
+    test "smartypants when :smartypants is set" do
+      template = Tilt::PandocTemplate.new(:smartypants => true) { |t| "OKAY -- 'Smarty Pants'" }
+      assert_equal "<p>OKAY – ‘Smarty Pants’</p>", template.render
+    end
+
+    test "stripping HTML when :escape_html is set" do
+      template = Tilt::PandocTemplate.new(:escape_html => true) { |t| "HELLO <blink>WORLD</blink>" }
+      assert_equal "<p>HELLO &lt;blink&gt;WORLD&lt;/blink&gt;</p>", template.render
+    end
+
+    # Pandoc has tons of additional markdown features (see http://pandoc.org/README.html#pandocs-markdown).
+    # The test for footnotes should be seen as a general representation for all of them.
+    # use markdown_strict => true to disable additional markdown features
+    describe "passing in Pandoc options" do
+      test "generates footnotes" do
+        template = Tilt::PandocTemplate.new { |t| "Here is an inline note.^[Inlines notes are cool!]" }
+        assert_equal "<p>Here is an inline note.<a href=\"#fn1\" class=\"footnoteRef\" id=\"fnref1\"><sup>1</sup></a></p>\n<div class=\"footnotes\">\n<hr />\n<ol>\n<li id=\"fn1\"><p>Inlines notes are cool!<a href=\"#fnref1\">↩</a></p></li>\n</ol>\n</div>", template.render
+      end
+
+      test "doesn't generate footnotes with markdown_strict option" do
+        template = Tilt::PandocTemplate.new(:markdown_strict => true) { |t| "Here is an inline note.^[Inlines notes are cool!]" }
+        assert_equal "<p>Here is an inline note.^[Inlines notes are cool!]</p>", template.render
+      end
+
+      test "doesn't generate footnotes with commonmark option" do
+        template = Tilt::PandocTemplate.new(:commonmark => true) { |t| "Here is an inline note.^[Inlines notes are cool!]" }
+        assert_equal "<p>Here is an inline note.^[Inlines notes are cool!]</p>", template.render
+      end
+
+      test "accepts arguments with values (e.g. :id_prefix => 'xyz')" do
+        # Table of contents isn't on by default
+        template = Tilt::PandocTemplate.new { |t| "# This is a heading" }
+        assert_equal "<h1 id=\"this-is-a-heading\">This is a heading</h1>", template.render
+
+        # But it can be activated
+        template = Tilt::PandocTemplate.new(:id_prefix => 'test-') { |t| "# This is a heading" }
+        assert_equal "<h1 id=\"test-this-is-a-heading\">This is a heading</h1>", template.render
+      end
+
+      test "requires arguments without value (e.g. --standalone) to be passed as hash keys (:standalone => true)" do
+        template = Tilt::PandocTemplate.new(:standalone => true) { |t| "# This is a heading" }
+        assert_match /^<!DOCTYPE html.*<h1 id="this-is-a-heading">This is a heading<\/h1>.*<\/html>$/m, template.render
+      end
+    end
+  end
+rescue LoadError => boom
+  warn "Tilt::PandocTemplate (disabled)"
+end

data/bundle/ruby/2.3.0/gems/tilt-2.0.5/test/tilt_rstpandoctemplate_test.rb

@@ -0,0 +1,32 @@
+require 'test_helper'
+require 'tilt'
+
+begin
+  require 'tilt/rst-pandoc'
+
+  class RstPandocTemplateTest < Minitest::Test
+    test "is registered for '.rst' files" do
+      assert_equal Tilt::RstPandocTemplate, Tilt['test.rst']
+    end
+
+    test "compiles and evaluates the template on #render" do
+      template = Tilt::RstPandocTemplate.new { |t| "Hello World!\n============" }
+      assert_equal "<h1 id=\"hello-world\">Hello World!</h1>", template.render
+    end
+
+    test "can be rendered more than once" do
+      template = Tilt::RstPandocTemplate.new { |t| "Hello World!\n============" }
+      3.times do
+        assert_equal "<h1 id=\"hello-world\">Hello World!</h1>", template.render
+      end
+    end
+
+    test "doens't use markdown options" do
+      template = Tilt::RstPandocTemplate.new(:escape_html => true) { |t| "HELLO <blink>WORLD</blink>" }
+      err = assert_raises(RuntimeError) { template.render }
+      assert_match /pandoc: unrecognized option `--escape-html/, err.message
+    end
+  end
+rescue LoadError => boom
+  warn "Tilt::RstPandocTemplate (disabled) [#{boom}]"
+end

data/bundle/ruby/2.3.0/gems/tilt-2.0.5/test/tilt_typescript_test.rb

@@ -0,0 +1,34 @@
+require 'test_helper'
+require 'tilt'
+
+begin
+  require 'tilt/typescript'
+
+  class TypeScriptTemplateTest < Minitest::Test
+    def setup
+      @ts = "var x:number = 5"
+      @js = /var x = 5;\s*/
+    end
+
+    test "is registered for '.ts' files" do
+      assert_equal Tilt::TypeScriptTemplate, Tilt['test.ts']
+    end
+
+    test "compiles and evaluates the template on #render" do
+      template = Tilt::TypeScriptTemplate.new { @ts }
+      assert_match @js, template.render
+    end
+
+    test "supports source map" do
+      template = Tilt::TypeScriptTemplate.new(inlineSourceMap: true)  { @ts }
+      assert_match /sourceMappingURL/, template.render
+    end
+
+    test "can be rendered more than once" do
+      template = Tilt::TypeScriptTemplate.new { @ts }
+      3.times { assert_match @js, template.render }
+    end
+  end
+rescue LoadError => boom
+  warn "Tilt::TypeScriptTemplate (disabled)"
+end

data/bundle/ruby/2.3.0/gems/{tilt-2.0.2 → tilt-2.0.5}/tilt.gemspec

@@ -3,8 +3,8 @@ Gem::Specification.new do |s|
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
 
   s.name = 'tilt'
-  s.version = '2.0.2'
-  s.date = '2016-01-05'
+  s.version = '2.0.5'
+  s.date = '2016-06-02'
 
   s.description = "Generic interface to multiple Ruby template engines"
   s.summary     = s.description
@@ -30,8 +30,10 @@ Gem::Specification.new do |s|
     lib/tilt/bluecloth.rb
     lib/tilt/builder.rb
     lib/tilt/coffee.rb
+    lib/tilt/commonmarker.rb
     lib/tilt/creole.rb
     lib/tilt/csv.rb
+    lib/tilt/dummy.rb
     lib/tilt/erb.rb
     lib/tilt/erubis.rb
     lib/tilt/etanni.rb
@@ -43,6 +45,7 @@ Gem::Specification.new do |s|
     lib/tilt/markaby.rb
     lib/tilt/maruku.rb
     lib/tilt/nokogiri.rb
+    lib/tilt/pandoc.rb
     lib/tilt/plain.rb
     lib/tilt/prawn.rb
     lib/tilt/radius.rb
@@ -50,9 +53,11 @@ Gem::Specification.new do |s|
     lib/tilt/rdoc.rb
     lib/tilt/redcarpet.rb
     lib/tilt/redcloth.rb
+    lib/tilt/rst-pandoc.rb
     lib/tilt/sass.rb
     lib/tilt/string.rb
     lib/tilt/template.rb
+    lib/tilt/typescript.rb
     lib/tilt/wikicloth.rb
     lib/tilt/yajl.rb
     man/index.txt
@@ -63,6 +68,7 @@ Gem::Specification.new do |s|
     test/markaby/render_twice.mab
     test/markaby/scope.mab
     test/markaby/yielding.mab
+    test/mytemplate.rb
     test/test_helper.rb
     test/tilt_asciidoctor_test.rb
     test/tilt_babeltemplate.rb
@@ -70,6 +76,7 @@ Gem::Specification.new do |s|
     test/tilt_buildertemplate_test.rb
     test/tilt_cache_test.rb
     test/tilt_coffeescripttemplate_test.rb
+    test/tilt_commonmarkertemplate_test.rb
     test/tilt_compilesite_test.rb
     test/tilt_creoletemplate_test.rb
     test/tilt_csv_test.rb
@@ -87,6 +94,7 @@ Gem::Specification.new do |s|
     test/tilt_marukutemplate_test.rb
     test/tilt_metadata_test.rb
     test/tilt_nokogiritemplate_test.rb
+    test/tilt_pandoctemplate_test.rb
     test/tilt_prawntemplate.prawn
     test/tilt_prawntemplate_test.rb
     test/tilt_radiustemplate_test.rb
@@ -94,10 +102,12 @@ Gem::Specification.new do |s|
     test/tilt_rdoctemplate_test.rb
     test/tilt_redcarpettemplate_test.rb
     test/tilt_redclothtemplate_test.rb
+    test/tilt_rstpandoctemplate_test.rb
     test/tilt_sasstemplate_test.rb
     test/tilt_stringtemplate_test.rb
     test/tilt_template_test.rb
     test/tilt_test.rb
+    test/tilt_typescript_test.rb
     test/tilt_wikiclothtemplate_test.rb
     test/tilt_yajltemplate_test.rb
     tilt.gemspec

data/lib/brakeman.rb

@@ -1,11 +1,5 @@
 require 'set'
 
-path_load = "#{File.expand_path(File.dirname(__FILE__))}/../bundle/load.rb"
-
-if File.exist? path_load
-  require path_load
-end
-
 module Brakeman
 
   #This exit code is used when warnings are found and the --exit-on-warn
@@ -18,6 +12,7 @@ module Brakeman
   @debug = false
   @quiet = false
   @loaded_dependencies = []
+  @vendored_paths = false
 
   #Run Brakeman scan. Returns Tracker object.
   #
@@ -101,7 +96,7 @@ module Brakeman
     #Load configuration file
     if config = config_file(custom_location, app_path)
       require 'date' # https://github.com/dtao/safe_yaml/issues/80
-      require 'safe_yaml/load'
+      self.load_brakeman_dependency 'safe_yaml/load'
       options = SafeYAML.load_file config, :deserialize_symbols => true
 
       if options
@@ -167,7 +162,7 @@ module Brakeman
       get_formats_from_output_files options[:output_files]
     else
       begin
-        require 'terminal-table'
+        self.load_brakeman_dependency 'terminal-table', :allow_fail
         return [:to_s]
       rescue LoadError
         return [:to_json]
@@ -433,15 +428,29 @@ module Brakeman
     Brakeman::Differ.new(new_results, previous_results).diff
   end
 
-  def self.load_brakeman_dependency name
+  def self.load_brakeman_dependency name, allow_fail = false
     return if @loaded_dependencies.include? name
 
+    unless @vendored_paths
+      path_load = "#{File.expand_path(File.dirname(__FILE__))}/../bundle/load.rb"
+
+      if File.exist? path_load
+        require path_load
+      end
+
+      @vendored_paths = true
+    end
+
     begin
       require name
     rescue LoadError => e
-      $stderr.puts e.message
-      $stderr.puts "Please install the appropriate dependency: #{name}."
-      exit!(-1)
+      if allow_fail
+        raise e
+      else
+        $stderr.puts e.message
+        $stderr.puts "Please install the appropriate dependency: #{name}."
+        exit!(-1)
+      end
     end
   end
 

data/lib/brakeman/checks/check_sql.rb

@@ -545,9 +545,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     string_building? exp.first_arg
   end
 
-  IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name, :to_i, :to_f,
-    :sanitize_sql, :sanitize_sql_array, :sanitize_sql_for_assignment,
-    :sanitize_sql_for_conditions, :sanitize_sql_hash,
+  IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
+    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
+    :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix]
 

data/lib/brakeman/checks/check_validation_regex.rb

@@ -59,17 +59,37 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
     end
   end
 
+  # Match secure regexp without extended option
+  SECURE_REGEXP_PATTERN = %r{
+    \A
+    \\A
+    .*
+    \\[zZ]
+    \z
+  }x
+
+  # Match secure of regexp with extended option
+  EXTENDED_SECURE_REGEXP_PATTERN = %r{
+    \A
+    \s*
+    \\A
+    .*
+    \\[zZ]
+    \s*
+    \z
+  }mx
+
   #Issue warning if the regular expression does not use
   #+\A+ and +\z+
   def check_regex value, validator
     return unless regexp? value
 
-    regex = value.value.inspect
-    unless regex =~ /\A\/\\A.*\\(z|Z)\/(m|i|x|n|e|u|s|o)*\z/
+    regex = value.value
+    unless secure_regex?(regex)
       warn :model => @current_model,
       :warning_type => "Format Validation",
       :warning_code => :validation_regex,
-      :message => "Insufficient validation for '#{get_name validator}' using #{regex}. Use \\A and \\z as anchors",
+      :message => "Insufficient validation for '#{get_name validator}' using #{regex.inspect}. Use \\A and \\z as anchors",
       :line => value.line,
       :confidence => CONFIDENCE[:high]
     end
@@ -85,4 +105,12 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
       name
     end
   end
+
+  private
+
+  def secure_regex?(regex)
+    extended_regex = Regexp::EXTENDED == regex.options & Regexp::EXTENDED
+    regex_pattern = extended_regex ? EXTENDED_SECURE_REGEXP_PATTERN : SECURE_REGEXP_PATTERN
+    regex_pattern =~ regex.source
+  end
 end

data/lib/brakeman/options.rb

@@ -276,6 +276,10 @@ module Brakeman::Options
           options[:show_version] = true
         end
 
+        opts.on "--force-scan", "Scan application even if rails is not detected" do
+          options[:force_scan] = true
+        end
+
         opts.on_tail "-h", "--help", "Display this message" do
           options[:show_help] = true
         end

data/lib/brakeman/parsers/rails3_erubis.rb

@@ -1,54 +1,74 @@
 Brakeman.load_brakeman_dependency 'erubis'
 
-#This is from Rails 3 version of the Erubis handler
+# This is from Rails 5 version of the Erubis handler
+# https://github.com/rails/rails/blob/ec608107801b1e505db03ba76bae4a326a5804ca/actionview/lib/action_view/template/handlers/erb.rb#L7-L73
 class Brakeman::Rails3Erubis < ::Erubis::Eruby
 
   def add_preamble(src)
-    # src << "_buf = ActionView::SafeBuffer.new;\n"
+    @newline_pending = 0
+    src << "@output_buffer = output_buffer || ActionView::OutputBuffer.new;"
   end
 
-  #This is different from Rails 3 - fixes some line number issues
   def add_text(src, text)
+    return if text.empty?
+
     if text == "\n"
-      src << "\n"
-    elsif text.include? "\n"
-      lines = text.split("\n")
-      if text.match(/\n\z/)
-        lines.each do |line|
-          src << "@output_buffer << ('" << escape_text(line) << "'.html_safe!);\n"
-        end
-      else
-        lines[0..-2].each do |line|
-          src << "@output_buffer << ('" << escape_text(line) << "'.html_safe!);\n"
-        end
-
-        src << "@output_buffer << ('" << escape_text(lines.last) << "'.html_safe!);"
-      end
+      @newline_pending += 1
+    else
+      src << "@output_buffer.safe_append='"
+      src << "\n" * @newline_pending if @newline_pending > 0
+      src << escape_text(text)
+      src << "'.freeze;"
+
+      @newline_pending = 0
+    end
+  end
+
+  # Erubis toggles <%= and <%== behavior when escaping is enabled.
+  # We override to always treat <%== as escaped.
+  def add_expr(src, code, indicator)
+    case indicator
+    when '=='
+      add_expr_escaped(src, code)
     else
-      src << "@output_buffer << ('" << escape_text(text) << "'.html_safe!);"
+      super
     end
   end
 
   BLOCK_EXPR = /\s*((\s+|\))do|\{)(\s*\|[^|]*\|)?\s*\Z/
 
   def add_expr_literal(src, code)
+    flush_newline_if_pending(src)
     if code =~ BLOCK_EXPR
       src << '@output_buffer.append= ' << code
     else
-      src << '@output_buffer.append= (' << code << ');'
+      src << '@output_buffer.append=(' << code << ');'
     end
   end
 
   def add_expr_escaped(src, code)
+    flush_newline_if_pending(src)
     if code =~ BLOCK_EXPR
-      src << "@output_buffer.safe_append= " << code
+      src << "@output_buffer.safe_expr_append= " << code
     else
-      src << "@output_buffer.safe_append= (" << code << ");"
+      src << "@output_buffer.safe_expr_append=(" << code << ");"
     end
   end
 
-  #Add code to output buffer.
+  def add_stmt(src, code)
+    flush_newline_if_pending(src)
+    super
+  end
+
   def add_postamble(src)
-    # src << '_buf.to_s'
+    flush_newline_if_pending(src)
+    src << '@output_buffer.to_s'
+  end
+
+  def flush_newline_if_pending(src)
+    if @newline_pending > 0
+      src << "@output_buffer.safe_append='#{"\n" * @newline_pending}'.freeze;"
+      @newline_pending = 0
+    end
   end
 end