brakeman 4.1.1 → 4.2.0

data/lib/brakeman/checks/check_unscoped_find.rb

@@ -10,7 +10,11 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
     Brakeman.debug("Finding instances of #find on models with associations")
 
     associated_model_names = active_record_models.keys.select do |name|
-      active_record_models[name].associations[:belongs_to]
+      if belongs_to = active_record_models[name].associations[:belongs_to]
+        not optional_belongs_to? belongs_to
+      else
+        false
+      end
     end
 
     calls = tracker.find_call :method => [:find, :find_by_id, :find_by_id!],
@@ -38,4 +42,16 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
       :confidence   => :weak,
       :user_input   => input
   end
+
+  def optional_belongs_to? exp
+    return false unless exp.is_a? Array
+
+    exp.each do |e|
+      if hash? e and true? hash_access(e, :optional)
+        return true
+      end
+    end
+
+    false
+  end
 end

data/lib/brakeman/processors/alias_processor.rb

@@ -431,9 +431,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     match = Sexp.new(:gvar, exp.lhs)
     exp.rhs = process(exp.rhs)
     value = get_rhs(exp)
-    value.line = exp.line
 
-    set_value match, value
+    if value
+      value.line = exp.line
+
+      set_value match, value
+    end
 
     exp
   end

data/lib/brakeman/processors/base_processor.rb

@@ -37,11 +37,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     exp = exp.dup
 
     exp.each_with_index do |e, i|
-      if sexp? e and not e.empty?
-        exp[i] = process e
-      else
-        e
-      end
+      exp[i] = process e if sexp? e and not e.empty?
     end
 
     exp

data/lib/brakeman/processors/erb_template_processor.rb

@@ -14,7 +14,7 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
     
     #_erbout is the default output variable for erb
     if node_type? target, :lvar and target.value == :_erbout
-      if method == :concat
+      if method == :concat or method == :<<
         @inside_concat = true
         exp.arglist = process(exp.arglist)
         @inside_concat = false

data/lib/brakeman/processors/library_processor.rb

@@ -13,6 +13,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     @alias_processor = Brakeman::AliasProcessor.new tracker
     @current_module = nil
     @current_class = nil
+    @intializer_env = nil
   end
 
   def process_library src, file_name = nil
@@ -29,7 +30,14 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   end
 
   def process_defn exp
-    exp = @alias_processor.process exp
+    if exp.method_name == :initialize
+      @alias_processor.process_safely exp.body_list
+      @initializer_env = @alias_processor.only_ivars
+    elsif node_type? exp, :defn
+      exp = @alias_processor.process_safely exp, @initializer_env
+    else
+      exp = @alias_processor.process exp
+    end
 
     if @current_class
       exp.body = process_all! exp.body

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.1.1"
+  Version = "4.2.0"
 end

data/lib/ruby_parser/bm_sexp.rb

@@ -506,6 +506,10 @@ class Sexp
 
     self.slice!(index..-1) #Remove old body
 
+    if exp.first == :rlist
+      exp = exp[1..-1]
+    end
+
     #Insert new body
     exp.each do |e|
       self[index] = e

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 4.1.1
+  version: 4.2.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2017-12-19 00:00:00.000000000 Z
+date: 2018-02-22 00:00:00.000000000 Z
 dependencies: []
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.
@@ -491,45 +491,47 @@ files:
 - bundle/ruby/2.3.0/gems/highline-1.7.10/test/tc_string_extension.rb
 - bundle/ruby/2.3.0/gems/highline-1.7.10/test/tc_string_highline.rb
 - bundle/ruby/2.3.0/gems/highline-1.7.10/test/tc_style.rb
-- bundle/ruby/2.3.0/gems/ruby2ruby-2.4.0/History.rdoc
-- bundle/ruby/2.3.0/gems/ruby2ruby-2.4.0/Manifest.txt
-- bundle/ruby/2.3.0/gems/ruby2ruby-2.4.0/README.rdoc
-- bundle/ruby/2.3.0/gems/ruby2ruby-2.4.0/Rakefile
-- bundle/ruby/2.3.0/gems/ruby2ruby-2.4.0/bin/r2r_show
-- bundle/ruby/2.3.0/gems/ruby2ruby-2.4.0/lib/ruby2ruby.rb
-- bundle/ruby/2.3.0/gems/ruby2ruby-2.4.0/test/test_ruby2ruby.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/History.rdoc
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/Manifest.txt
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/README.rdoc
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/Rakefile
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/bin/ruby_parse
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/bin/ruby_parse_extract_error
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/compare/normalize.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/rp_extensions.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/rp_stringscanner.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby18_parser.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby18_parser.y
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby19_parser.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby19_parser.y
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby20_parser.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby20_parser.y
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby21_parser.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby21_parser.y
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby22_parser.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby22_parser.y
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby23_parser.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby23_parser.y
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby24_parser.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby24_parser.y
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby_lexer.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby_lexer.rex
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby_lexer.rex.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby_parser.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby_parser.yy
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib/ruby_parser_extras.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/test/test_ruby_lexer.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/test/test_ruby_parser.rb
-- bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/test/test_ruby_parser_extras.rb
+- bundle/ruby/2.3.0/gems/ruby2ruby-2.4.1/History.rdoc
+- bundle/ruby/2.3.0/gems/ruby2ruby-2.4.1/Manifest.txt
+- bundle/ruby/2.3.0/gems/ruby2ruby-2.4.1/README.rdoc
+- bundle/ruby/2.3.0/gems/ruby2ruby-2.4.1/Rakefile
+- bundle/ruby/2.3.0/gems/ruby2ruby-2.4.1/bin/r2r_show
+- bundle/ruby/2.3.0/gems/ruby2ruby-2.4.1/lib/ruby2ruby.rb
+- bundle/ruby/2.3.0/gems/ruby2ruby-2.4.1/test/test_ruby2ruby.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/History.rdoc
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/Manifest.txt
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/README.rdoc
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/Rakefile
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/bin/ruby_parse
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/bin/ruby_parse_extract_error
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/compare/normalize.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/rp_extensions.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/rp_stringscanner.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby18_parser.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby18_parser.y
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby19_parser.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby19_parser.y
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby20_parser.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby20_parser.y
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby21_parser.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby21_parser.y
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby22_parser.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby22_parser.y
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby23_parser.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby23_parser.y
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby24_parser.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby24_parser.y
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby25_parser.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby25_parser.y
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby_lexer.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby_lexer.rex
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby_lexer.rex.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby_parser.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby_parser.yy
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/lib/ruby_parser_extras.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/test/test_ruby_lexer.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/test/test_ruby_parser.rb
+- bundle/ruby/2.3.0/gems/ruby_parser-3.11.0/test/test_ruby_parser_extras.rb
 - bundle/ruby/2.3.0/gems/safe_yaml-1.0.4/CHANGES.md
 - bundle/ruby/2.3.0/gems/safe_yaml-1.0.4/Gemfile
 - bundle/ruby/2.3.0/gems/safe_yaml-1.0.4/LICENSE.txt
@@ -888,20 +890,20 @@ files:
 - bundle/ruby/2.3.0/gems/sass-3.4.25/vendor/listen/spec/support/fixtures_helper.rb
 - bundle/ruby/2.3.0/gems/sass-3.4.25/vendor/listen/spec/support/listeners_helper.rb
 - bundle/ruby/2.3.0/gems/sass-3.4.25/vendor/listen/spec/support/platform_helper.rb
-- bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/History.txt
-- bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/Manifest.txt
-- bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/README.txt
-- bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/Rakefile
-- bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/lib/composite_sexp_processor.rb
-- bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/lib/pt_testcase.rb
-- bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/lib/sexp.rb
-- bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/lib/sexp_processor.rb
-- bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/lib/strict_sexp.rb
-- bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/lib/unique.rb
-- bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/test/test_composite_sexp_processor.rb
-- bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/test/test_environment.rb
-- bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/test/test_sexp.rb
-- bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/test/test_sexp_processor.rb
+- bundle/ruby/2.3.0/gems/sexp_processor-4.10.1/History.rdoc
+- bundle/ruby/2.3.0/gems/sexp_processor-4.10.1/Manifest.txt
+- bundle/ruby/2.3.0/gems/sexp_processor-4.10.1/README.rdoc
+- bundle/ruby/2.3.0/gems/sexp_processor-4.10.1/Rakefile
+- bundle/ruby/2.3.0/gems/sexp_processor-4.10.1/lib/composite_sexp_processor.rb
+- bundle/ruby/2.3.0/gems/sexp_processor-4.10.1/lib/pt_testcase.rb
+- bundle/ruby/2.3.0/gems/sexp_processor-4.10.1/lib/sexp.rb
+- bundle/ruby/2.3.0/gems/sexp_processor-4.10.1/lib/sexp_processor.rb
+- bundle/ruby/2.3.0/gems/sexp_processor-4.10.1/lib/strict_sexp.rb
+- bundle/ruby/2.3.0/gems/sexp_processor-4.10.1/lib/unique.rb
+- bundle/ruby/2.3.0/gems/sexp_processor-4.10.1/test/test_composite_sexp_processor.rb
+- bundle/ruby/2.3.0/gems/sexp_processor-4.10.1/test/test_environment.rb
+- bundle/ruby/2.3.0/gems/sexp_processor-4.10.1/test/test_sexp.rb
+- bundle/ruby/2.3.0/gems/sexp_processor-4.10.1/test/test_sexp_processor.rb
 - bundle/ruby/2.3.0/gems/slim-3.0.7/CHANGES
 - bundle/ruby/2.3.0/gems/slim-3.0.7/Gemfile
 - bundle/ruby/2.3.0/gems/slim-3.0.7/LICENSE
@@ -1408,7 +1410,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.