brakeman 3.6.2 → 3.7.0

data/bundle/ruby/2.3.0/gems/ruby_parser-3.9.0/test/test_ruby_lexer.rb

@@ -1153,6 +1153,47 @@ class TestRubyLexer < Minitest::Test
                 :tNL,             nil,             :expr_beg)
   end
 
+  def test_yylex_heredoc_double_squiggly
+    setup_lexer_class Ruby23Parser
+
+    assert_lex3("a = <<~\"EOF\"\n  blah blah\n  EOF\n\n",
+                nil,
+                :tIDENTIFIER,     "a",           :expr_cmdarg,
+                :tEQL,            "=",           :expr_beg,
+                :tSTRING_BEG,     "\"",          :expr_beg,
+                :tSTRING_CONTENT, "blah blah\n", :expr_beg,
+                :tSTRING_END,     "EOF",         :expr_end,
+                :tNL,             nil,           :expr_beg)
+  end
+
+  # mri handles tabs in a pretty specific way:
+  # https://github.com/ruby/ruby/blob/trunk/parse.y#L5925
+  def test_yylex_heredoc_double_squiggly_with_tab_indentation_remaining
+    setup_lexer_class Ruby23Parser
+
+    assert_lex3("a = <<~\"EOF\"\n  blah blah\n \tblah blah\n  EOF\n\n",
+                nil,
+                :tIDENTIFIER,     "a",                        :expr_cmdarg,
+                :tEQL,            "=",                        :expr_beg,
+                :tSTRING_BEG,     "\"",                       :expr_beg,
+                :tSTRING_CONTENT, "blah blah\n\tblah blah\n", :expr_beg,
+                :tSTRING_END,     "EOF",                      :expr_end,
+                :tNL,             nil,                        :expr_beg)
+  end
+
+  def test_yylex_heredoc_double_squiggly_with_tab_indentation_removed
+    setup_lexer_class Ruby23Parser
+
+    assert_lex3("a = <<~\"EOF\"\n        blah blah\n\t blah blah\n  EOF\n\n",
+                nil,
+                :tIDENTIFIER,     "a",                       :expr_cmdarg,
+                :tEQL,            "=",                       :expr_beg,
+                :tSTRING_BEG,     "\"",                      :expr_beg,
+                :tSTRING_CONTENT, "blah blah\n blah blah\n", :expr_beg,
+                :tSTRING_END,     "EOF",                     :expr_end,
+                :tNL,             nil,                       :expr_beg)
+  end
+
   def test_yylex_heredoc_double_eos
     refute_lex("a = <<\"EOF\"\nblah",
                :tIDENTIFIER, "a",
@@ -1223,6 +1264,19 @@ class TestRubyLexer < Minitest::Test
                 :tNL,             nil,            :expr_beg)
   end
 
+  def test_yylex_heredoc_none_squiggly
+    setup_lexer_class Ruby23Parser
+
+    assert_lex3("a = <<~EOF\n  blah\n  blah\n  EOF\n",
+                nil,
+                :tIDENTIFIER,     "a",            :expr_cmdarg,
+                :tEQL,            "=",            :expr_beg,
+                :tSTRING_BEG,     "\"",           :expr_beg,
+                :tSTRING_CONTENT, "blah\nblah\n", :expr_beg,
+                :tSTRING_END,     "EOF",          :expr_end,
+                :tNL,             nil,            :expr_beg)
+  end
+
   def test_yylex_heredoc_single
     assert_lex3("a = <<'EOF'\n  blah blah\nEOF\n\n",
                 nil,
@@ -1273,6 +1327,19 @@ class TestRubyLexer < Minitest::Test
                 :tNL,             nil,             :expr_beg)
   end
 
+  def test_yylex_heredoc_single_squiggly
+    setup_lexer_class Ruby23Parser
+
+    assert_lex3("a = <<~'EOF'\n  blah blah\n  EOF\n\n",
+                nil,
+                :tIDENTIFIER,     "a",           :expr_cmdarg,
+                :tEQL,            "=",           :expr_beg,
+                :tSTRING_BEG,     "\"",          :expr_beg,
+                :tSTRING_CONTENT, "blah blah\n", :expr_beg,
+                :tSTRING_END,     "EOF",         :expr_end,
+                :tNL,             nil,           :expr_beg)
+  end
+
   def test_yylex_identifier
     assert_lex3("identifier",
                 nil,

data/bundle/ruby/2.3.0/gems/ruby_parser-3.9.0/test/test_ruby_parser.rb

@@ -571,6 +571,14 @@ module TestRubyParserShared
     assert_parse rb, pt
   end
 
+  def test_str_newline_hash_line_number
+    rb = "\"\\n\\n\\n\\n#\"\n1"
+    pt = s(:block, s(:str, "\n\n\n\n#").line(1),
+                   s(:lit, 1).line(2))
+
+    assert_parse rb, pt
+  end
+
   def after_process_hook klass, node, data, input_name, output_name
     assert_equal 1, @result.line, "should have proper line number"
   end
@@ -811,7 +819,6 @@ module TestRubyParserShared
   end
 
   def test_parse_line_rescue
-    skip "not yet"
     rb = "begin\n a\n rescue\n b\n rescue\n c\n end\n"
     pt = s(:rescue,
            s(:call, nil, :a).line(2),
@@ -1709,6 +1716,16 @@ module TestRubyParserShared
     assert_parse rb, pt
   end
 
+  def test_defs_as_arg_with_do_block_inside
+    rb = "p def self.b; x.y do; end; end"
+    pt = s(:call,
+           nil,
+           :p,
+           s(:defs, s(:self), :b, s(:args),
+             s(:iter, s(:call, s(:call, nil, :x), :y), 0)))
+
+    assert_parse rb, pt
+  end
 end
 
 module TestRubyParserShared19Plus
@@ -3239,6 +3256,20 @@ module TestRubyParserShared20Plus
 
     assert_parse rb, pt
   end
+
+  def test_bug_249
+    rb = "mount (Class.new do\ndef initialize\nend\n end).new, :at => 'endpoint'"
+    pt = s(:call, nil, :mount,
+           s(:call,
+             s(:iter,
+               s(:call, s(:const, :Class), :new),
+               0,
+               s(:defn, :initialize, s(:args), s(:nil))),
+             :new),
+           s(:hash, s(:lit, :at), s(:str, "endpoint")))
+
+    assert_parse rb, pt
+  end
 end
 
 module TestRubyParserShared22Plus

data/bundle/ruby/2.3.0/gems/{unicode-display_width-1.2.1 → unicode-display_width-1.3.0}/CHANGELOG.md

@@ -1,5 +1,9 @@
 # CHANGELOG
 
+## 1.3.0
+
+- Unicode 10
+
 ## 1.2.1
 
 - Fix bug that `emoji: true` would fail for emoji without modifier

data/bundle/ruby/2.3.0/gems/{unicode-display_width-1.2.1 → unicode-display_width-1.3.0}/README.md

@@ -2,7 +2,7 @@
 
 Determines the monospace display width of a string in Ruby. Implementation based on [EastAsianWidth.txt](http://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt) and other data, 100% in Ruby. Other than [wcwidth()](https://github.com/janlelis/wcswidth-ruby), which fulfills a similar purpose, it does not rely on the OS vendor to provide an up-to-date method for measuring string width.
 
-Unicode version: **9.0.0**
+Unicode version: **10.0.0**
 
 ## Introduction to Character Widths
 

data/bundle/ruby/2.3.0/gems/{unicode-display_width-1.2.1 → unicode-display_width-1.3.0}/lib/unicode/display_width/constants.rb

@@ -1,7 +1,7 @@
 module Unicode
   module DisplayWidth
-    VERSION = '1.2.1'
-    UNICODE_VERSION = "9.0.0".freeze
+    VERSION = '1.3.0'
+    UNICODE_VERSION = "10.0.0".freeze
     DATA_DIRECTORY = File.expand_path(File.dirname(__FILE__) + '/../../../data/').freeze
     INDEX_FILENAME = (DATA_DIRECTORY + '/display_width.marshal.gz').freeze
   end

data/lib/brakeman.rb

@@ -90,6 +90,13 @@ module Brakeman
       options[:quiet] = true
     end
 
+    if options[:rails4]
+      options[:rails3] = true
+    elsif options[:rails5]
+      options[:rails3] = true
+      options[:rails4] = true
+    end
+
     options[:output_formats] = get_output_formats options
     options[:github_url] = get_github_url options
 

data/lib/brakeman/checks/check_redirect.rb

@@ -105,11 +105,34 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     arg = call.first_arg
 
     if hash? arg
-      if value = hash_access(arg, :only_path)
-        return true if true?(value)
-      end
+      return has_only_path? arg
     elsif call? arg and arg.method == :url_for
       return check_url_for(arg)
+    elsif call? arg and hash? arg.first_arg and use_unsafe_hash_method? arg
+      return has_only_path? arg.first_arg
+    end
+
+    false
+  end
+
+  def use_unsafe_hash_method? arg
+    return call_has_param(arg, :to_unsafe_hash) || call_has_param(arg, :to_unsafe_h)
+  end
+
+  def call_has_param arg, key
+    if call? arg and call? arg.target
+      target = arg.target
+      method = target.method
+
+      node_type? target.target, :params and method == key
+    else
+      false
+    end
+  end
+
+  def has_only_path? arg
+    if value = hash_access(arg, :only_path)
+      return true if true?(value)
     end
 
     false

data/lib/brakeman/processors/alias_processor.rb

@@ -87,6 +87,73 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
   end
 
+  def process_bracket_call exp
+    r = replace(exp)
+
+    if r != exp
+      return r
+    end
+
+    exp.arglist = process_default(exp.arglist)
+
+    r = replace(exp)
+
+    if r != exp
+      return r
+    end
+
+    t = process(exp.target.deep_clone)
+
+    # sometimes t[blah] has a match in the env
+    # but we don't want to actually set the target
+    # in case the target is big...which is what this
+    # whole method is trying to avoid
+    if t != exp.target
+      e = exp.deep_clone
+      e.target = t
+
+      r = replace(e)
+
+      if r != e
+        return r
+      end
+    else
+      t = nil
+    end
+
+    if hash? t
+      if v = hash_access(t, exp.first_arg)
+        v.deep_clone(exp.line)
+      else
+        case t.node_type
+        when :params
+          exp.target = PARAMS_SEXP.deep_clone(exp.target.line)
+        when :session
+          exp.target = SESSION_SEXP.deep_clone(exp.target.line)
+        when :cookies
+          exp.target = COOKIES_SEXP.deep_clone(exp.target.line)
+        end
+
+        exp
+      end
+    elsif array? t
+      if v = process_array_access(t, exp.args)
+        v.deep_clone(exp.line)
+      else
+        exp
+      end
+    elsif t
+      exp.target = t
+      exp
+    else
+      if exp.target # `self` target is reported as `nil` https://github.com/seattlerb/ruby_parser/issues/250
+        exp.target = process_default exp.target
+      end
+
+      exp
+    end
+  end
+
   ARRAY_CONST = s(:const, :Array)
   HASH_CONST = s(:const, :Hash)
   RAILS_TEST = s(:call, s(:call, s(:const, :Rails), :env), :test?)
@@ -99,7 +166,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     if exp.node_type == :safe_call
       exp.node_type = :call
     end
-    exp = process_default exp
+
+    if exp.method == :[]
+      return process_bracket_call exp
+    else
+      exp = process_default exp
+    end
 
     #In case it is replaced with something else
     unless call? exp
@@ -391,7 +463,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   # x[:y] = 1
   def process_attrasgn exp
     tar_variable = exp.target
-    target = exp.target = process(exp.target)
+    target = process(exp.target)
     method = exp.method
     index_arg = exp.first_arg
     value_arg = exp.second_arg
@@ -406,6 +478,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       if hash? target
         env[tar_variable] = hash_insert target.deep_clone, index, value
       end
+
+      unless node_type? target, :hash
+        exp.target = target
+      end
     elsif method.to_s[-1,1] == "="
       exp.first_arg = process(index_arg)
       value = get_rhs(exp)
@@ -413,6 +489,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       match = Sexp.new(:call, target, method.to_s[0..-2].to_sym)
 
       set_value match, value
+      exp.target = target
     else
       raise "Unrecognized assignment: #{exp}"
     end
@@ -522,7 +599,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       exp.rhs = process exp.rhs
     end
 
-    @tracker.add_constant exp.lhs, exp.rhs, :file => current_file_name if @tracker
+    if @tracker
+      @tracker.add_constant exp.lhs,
+        exp.rhs,
+        :file => current_file_name,
+        :module => @current_module,
+        :class => @current_class,
+        :method => @current_method
+    end
 
     if exp.lhs.is_a? Symbol
       match = Sexp.new(:const, exp.lhs)
@@ -598,6 +682,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
             env.current[var] = condition.target[1]
             exp[branch_index] = process_if_branch branch
             env.current[var] = previous_value
+          elsif i == 1 and array_include_all_literals? condition and node_type? branch, :return
+            var = condition.first_arg
+            env.current[var] = condition.target[1]
+            exp[branch_index] = process_if_branch branch
           else
             exp[branch_index] = process_if_branch branch
           end

data/lib/brakeman/processors/base_processor.rb

@@ -183,7 +183,15 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   end
 
   def process_cdecl exp
-    @tracker.add_constant exp.lhs, exp.rhs, :file => current_file_name if @tracker
+    if @tracker
+      @tracker.add_constant exp.lhs,
+        exp.rhs,
+        :file => current_file_name,
+        :module => @current_module,
+        :class => @current_class,
+        :method => @current_method
+    end
+
     exp
   end
 

data/lib/brakeman/report/ignore/interactive.rb

@@ -101,7 +101,7 @@ module Brakeman
     end
 
     def pre_show_help
-      say "-" * 20
+      say "-" * 30
       say "Actions:", :cyan
       show_help
     end
@@ -189,7 +189,11 @@ q - Quit, do not update ignored warnings
     end
 
     def process_warnings
-      @new_warnings.each do |w|
+      @warning_count = @new_warnings.length
+
+      @new_warnings.each_with_index do |w, index|
+        @current_index = index
+
         if skip_ignored? w or @skip_rest
           next
         elsif @ignore_rest
@@ -261,7 +265,8 @@ q - Quit, do not update ignored warnings
     end
 
     def pretty_display warning
-      say "-" * 20
+      progress = "#{@current_index + 1}/#{@warning_count}"
+      say "-------- #{progress} #{"-" * (20 - progress.length)}", :cyan
       show_confidence warning
 
       label "Category"
@@ -302,7 +307,7 @@ q - Quit, do not update ignored warnings
     end
 
     def summarize_changes
-      say "-" * 20
+      say "-" * 30
 
       say "Ignoring #{@ignore_config.ignored_warnings.length} warnings", :yellow
       say "Showing #{@ignore_config.shown_warnings.length} warnings", :green