brakeman 4.1.1 → 4.2.0

data/bundle/ruby/2.3.0/gems/{ruby_parser-3.10.1 → ruby_parser-3.11.0}/lib/ruby_lexer.rb

@@ -548,7 +548,7 @@ class RubyLexer
     self.lineno += matched.lines.to_a.size if scan(/\n+/)
 
     return if in_lex_state?(:expr_beg, :expr_value, :expr_class,
-                            :expr_fname, :expr_dot, :expr_labelarg)
+                            :expr_fname, :expr_dot)
 
     if scan(/([\ \t\r\f\v]*)(\.|&)/) then
       self.space_seen = true unless ss[1].empty?
@@ -1042,7 +1042,13 @@ class RubyLexer
     when scan(/\\[McCx]/) then
       rb_compile_error "Invalid escape character syntax"
     when scan(/\\(.)/m) then
-      self.string_buffer << matched
+      chr = ss[1]
+      prev = self.string_buffer.last
+      if term == chr && prev && prev.end_with?("(?") then
+        self.string_buffer << chr
+      else
+        self.string_buffer << matched
+      end
     else
       rb_compile_error "Invalid escape character syntax"
     end

data/bundle/ruby/2.3.0/gems/{ruby_parser-3.10.1 → ruby_parser-3.11.0}/lib/ruby_parser.rb

@@ -72,10 +72,12 @@ require "ruby21_parser"
 require "ruby22_parser"
 require "ruby23_parser"
 require "ruby24_parser"
+require "ruby25_parser"
 
 class RubyParser # HACK
   VERSIONS.clear # also a HACK caused by racc namespace issues
 
+  class V25 < ::Ruby25Parser; end
   class V24 < ::Ruby24Parser; end
   class V23 < ::Ruby23Parser; end
   class V22 < ::Ruby22Parser; end

data/bundle/ruby/2.3.0/gems/{ruby_parser-3.10.1 → ruby_parser-3.11.0}/lib/ruby_parser.yy

@@ -10,6 +10,8 @@ class Ruby22Parser
 class Ruby23Parser
 #elif V == 24
 class Ruby24Parser
+#elif V == 25
+class Ruby25Parser
 #else
 fail "version not specified or supported on code generation"
 #endif
@@ -2418,9 +2420,9 @@ keyword_variable: kNIL      { result = s(:nil)   }
                     {
                       result = s(:array, val[0], val[2])
                     }
-                | tLABEL arg_value
+                | tLABEL opt_nl arg_value
                     {
-                      result = s(:array, s(:lit, val[0][0].to_sym), val[1])
+                      result = s(:array, s(:lit, val[0][0].to_sym), val.last)
                     }
 #if V >= 22
                 | tSTRING_BEG string_contents tLABEL_END arg_value

data/bundle/ruby/2.3.0/gems/{ruby_parser-3.10.1 → ruby_parser-3.11.0}/lib/ruby_parser_extras.rb

@@ -7,7 +7,7 @@ require "rp_extensions"
 require "rp_stringscanner"
 
 module RubyParserStuff
-  VERSION = "3.10.1"
+  VERSION = "3.11.0"
 
   attr_accessor :lexer, :in_def, :in_single, :file
   attr_reader :env, :comments
@@ -437,12 +437,7 @@ module RubyParserStuff
   def new_aref val
     val[2] ||= s(:arglist)
     val[2].sexp_type = :arglist if val[2].sexp_type == :array # REFACTOR
-    if val[0].node_type == :self then
-      result = new_call nil, :"[]", val[2]
-    else
-      result = new_call val[0], :"[]", val[2]
-    end
-    result
+    new_call val[0], :"[]", val[2]
   end
 
   def new_body val

data/bundle/ruby/2.3.0/gems/{ruby_parser-3.10.1 → ruby_parser-3.11.0}/test/test_ruby_lexer.rb

@@ -2053,6 +2053,14 @@ class TestRubyLexer < Minitest::Test
                 :tREGEXP_END,     "",            :expr_end)
   end
 
+  def test_yylex_regexp_escaped_delim
+    assert_lex3("%r!blah(?\\!blah)!",
+                nil,
+                :tREGEXP_BEG,     "%r\000",       :expr_beg,
+                :tSTRING_CONTENT, "blah(?!blah)", :expr_beg,
+                :tREGEXP_END,     "",             :expr_end)
+  end
+
   def test_yylex_regexp_escape_backslash_terminator_meta1
     assert_lex3("%r{blah\\}blah}",
                 nil,
@@ -2797,6 +2805,20 @@ class TestRubyLexer < Minitest::Test
                :tRCURLY, "}", :expr_endarg,   0, 0)
   end
 
+  def test_yylex_required_kwarg_no_value_22
+    setup_lexer_class RubyParser::V22
+
+    assert_lex3("def foo a:, b:\nend",
+                nil,
+                :kDEF, "def", :expr_fname,
+                :tIDENTIFIER, "foo", :expr_endfn,
+                :tLABEL, "a",   :expr_labelarg,
+                :tCOMMA, ",", :expr_beg,
+                :tLABEL, "b",   :expr_labelarg,
+                :tNL, nil, :expr_beg,
+                :kEND, "end", :expr_end)
+  end
+
   def test_ruby21_rational_literal
     setup_lexer_class RubyParser::V21
 

data/bundle/ruby/2.3.0/gems/{ruby_parser-3.10.1 → ruby_parser-3.11.0}/test/test_ruby_parser.rb

@@ -171,6 +171,13 @@ module TestRubyParserShared
     assert_parse rb, pt
   end
 
+  def test_call_self_brackets
+    rb = "self[1]"
+    pt = s(:call, s(:self), :[], s(:lit, 1))
+
+    assert_parse rb, pt
+  end
+
   def test_dasgn_icky2
     rb = "a do\n  v = nil\n  begin\n    yield\n  rescue Exception => v\n    break\n  end\nend"
     pt = s(:iter,
@@ -3419,6 +3426,17 @@ module TestRubyParserShared23Plus
     assert_parse rb, pt
   end
 
+  def test_required_kwarg_no_value
+    rb = "def x a:, b:\nend"
+    pt = s(:defn, :x,
+           s(:args,
+             s(:kwarg, :a),
+             s(:kwarg, :b)),
+           s(:nil))
+
+    assert_parse rb, pt
+  end
+
   def test_slashy_newlines_within_string
     rb = %(puts "hello\\
  my\\
@@ -3443,6 +3461,10 @@ module TestRubyParserShared24Plus
   # ...version specific tests to go here...
 end
 
+module TestRubyParserShared25Plus
+  # ...version specific tests to go here...
+end
+
 class TestRubyParser < Minitest::Test
   def test_cls_version
     assert_equal 18, RubyParser::V18.version
@@ -3729,6 +3751,23 @@ class TestRubyParserV24 < RubyParserTestCase
   end
 end
 
+class TestRubyParserV25 < RubyParserTestCase
+  include TestRubyParserShared
+  include TestRubyParserShared19Plus
+  include TestRubyParserShared20Plus
+  include TestRubyParserShared21Plus
+  include TestRubyParserShared22Plus
+  include TestRubyParserShared23Plus
+  include TestRubyParserShared24Plus
+  include TestRubyParserShared25Plus
+
+  def setup
+    super
+
+    self.processor = RubyParser::V25.new
+  end
+end
+
 RubyParser::VERSIONS.each do |klass|
   v = klass.version
   describe "block args arity #{v}" do

data/bundle/ruby/2.3.0/gems/{sexp_processor-4.10.0/History.txt → sexp_processor-4.10.1/History.rdoc}

@@ -1,3 +1,9 @@
+=== 4.10.1 / 2018-02-15
+
+* 1 minor enhancement:
+
+  * Tweaked pt_testcase for ruby 2.5 and better ruby2ruby test data.
+
 === 4.10.0 / 2017-07-17
 
 * 2 major enhancements:

data/bundle/ruby/2.3.0/gems/{sexp_processor-4.10.0 → sexp_processor-4.10.1}/Manifest.txt

@@ -1,6 +1,6 @@
-History.txt
+History.rdoc
 Manifest.txt
-README.txt
+README.rdoc
 Rakefile
 lib/composite_sexp_processor.rb
 lib/pt_testcase.rb

data/bundle/ruby/2.3.0/gems/{sexp_processor-4.10.0 → sexp_processor-4.10.1}/Rakefile

@@ -4,6 +4,7 @@ require 'rubygems'
 require 'hoe'
 
 Hoe.plugin :seattlerb
+Hoe.plugin :rdoc
 
 Hoe.add_include_dirs("../../ruby_parser/dev/lib")
 

data/bundle/ruby/2.3.0/gems/{sexp_processor-4.10.0 → sexp_processor-4.10.1}/lib/pt_testcase.rb

@@ -77,7 +77,7 @@ class ParseTreeTestCase < Minitest::Test
   end
 
   def self.add_19tests name, hash
-    add_tests "#{name}__19_20_21_22_23_24", hash # HACK?
+    add_tests "#{name}__19_20_21_22_23_24_25", hash # HACK?
   end
 
   def self.add_19edgecases ruby, sexp, cases
@@ -102,7 +102,7 @@ class ParseTreeTestCase < Minitest::Test
     testcases[verbose][klass] = testcases[nonverbose][klass]
   end
 
-  VER_RE = "(1[89]|2[01234])"
+  VER_RE = "(1[89]|2[012345])"
 
   def self.generate_test klass, node, data, input_name, output_name
     klass.send :define_method, "test_#{node}" do
@@ -441,11 +441,13 @@ class ParseTreeTestCase < Minitest::Test
               "Ruby"         => "!a",
               "ParseTree"    => s(:call,
                                   s(:call, nil, :a),
-                                  :"!"))
+                                  :"!"),
+              "Ruby2Ruby"    => "(not a)")
 
   add_19tests("call_bang_empty",
               "Ruby"         => "! ()",
-              "ParseTree"    => s(:call, s(:nil), :"!"))
+              "ParseTree"    => s(:call, s(:nil), :"!"),
+              "Ruby2Ruby"    => "(not nil)")
 
   add_19tests("call_fonz",
               "Ruby"         => "a.()",
@@ -459,7 +461,8 @@ class ParseTreeTestCase < Minitest::Test
 
   add_19tests("call_not",
               "Ruby"      => "not (42)",
-              "ParseTree" => s(:call, s(:lit, 42), :"!"))
+              "ParseTree" => s(:call, s(:lit, 42), :"!"),
+              "Ruby2Ruby" => "(not 42)")
 
   # add_19tests("call_not_empty",
   #             "Ruby"      => "not ()",
@@ -470,7 +473,8 @@ class ParseTreeTestCase < Minitest::Test
             "ParseTree"    => s(:call,
                                 s(:call, nil, :a),
                                 :"!=",
-                                s(:call, nil, :b)))
+                                s(:call, nil, :b)),
+            "Ruby2Ruby"    => "(a != b)")
 
   add_19tests("call_splat_mid",
               "Ruby"      => "def f(a = nil, *b, c)\n  # do nothing\nend",
@@ -589,15 +593,18 @@ class ParseTreeTestCase < Minitest::Test
 
   add_19tests("str_question_control",
               "Ruby"         => '?\M-\C-a',
-              "ParseTree"    => s(:str, "\x81"))
+              "ParseTree"    => s(:str, "\x81"),
+              "Ruby2Ruby"    => "\"\\x81\"")
 
   add_19tests("str_question_escape",
               "Ruby"         => '?\n',
-              "ParseTree"    => s(:str, "\n"))
+              "ParseTree"    => s(:str, "\n"),
+              "Ruby2Ruby"    => "\"\\n\"")
 
   add_19tests("str_question_literal",
               "Ruby"         => "?a",
-              "ParseTree"    => s(:str, "a"))
+              "ParseTree"    => s(:str, "a"),
+              "Ruby2Ruby"    => '"a"')
 
   add_19tests("unless_post_not",
               "Ruby"         => "a unless not b",

data/bundle/ruby/2.3.0/gems/{sexp_processor-4.10.0 → sexp_processor-4.10.1}/lib/sexp.rb

@@ -582,7 +582,6 @@ class Sexp #:nodoc:
   #
   # * For pattern creation, see factory methods: Sexp::_, Sexp::___, etc.
   # * For matching returning truthy/falsey results, see Sexp#=~.
-  # * See Sexp#=~ for matching returning truthy/falsey results.
   # * For case expressions, see Matcher#===.
   # * For getting all subtree matches, see Sexp#/.
   #
@@ -758,7 +757,7 @@ class Sexp #:nodoc:
       # Converts +s+ into a stream of tokens and adds them to +tokens+.
 
       def lex s
-        tokens.concat s.scan(%r%[()\[\]]|\"[^"]*\"|/[^/]*/|[\w-]+%)
+        tokens.concat s.scan(%r%[()\[\]]|\"[^"]*\"|/[^/]*/|[\w-]+%) # "
       end
 
       ##

data/bundle/ruby/2.3.0/gems/{sexp_processor-4.10.0 → sexp_processor-4.10.1}/lib/sexp_processor.rb

@@ -34,7 +34,7 @@ require "sexp"
 class SexpProcessor
 
   # duh
-  VERSION = "4.10.0"
+  VERSION = "4.10.1"
 
   ##
   # Automatically shifts off the Sexp type before handing the

data/lib/brakeman/app_tree.rb

@@ -110,7 +110,7 @@ module Brakeman
     end
 
     def lib_paths
-      @lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" or path.include? "lib/tasks/" } +
+      @lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" or path.include? "lib/tasks/" or path.include? "lib/templates/" } +
                      find_additional_lib_paths +
                      find_helper_paths
     end

data/lib/brakeman/checks/base_check.rb

@@ -62,12 +62,8 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   #Default Sexp processing. Iterates over each value in the Sexp
   #and processes them if they are also Sexps.
   def process_default exp
-    exp.each_with_index do |e, _i|
-      if sexp? e
-        process e
-      else
-        e
-      end
+    exp.each do |e|
+      process e if sexp? e
     end
 
     exp

data/lib/brakeman/checks/check_execute.rb

@@ -17,6 +17,10 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
                   s(:call, s(:const, :Rails), :root),
                   s(:call, s(:const, :Rails), :env)]
 
+  SHELL_ESCAPES = [:escape, :shellescape, :join]
+
+  SHELLWORDS = s(:const, :Shellwords)
+
   #Check models, controllers, and views for command injection.
   def run_check
     Brakeman.debug "Finding system calls using ``"
@@ -127,15 +131,17 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       :confidence => confidence
   end
 
+  # This method expects a :dstr or :evstr node
   def dangerous? exp
     exp.each_sexp do |e|
-      next if node_type? e, :lit, :str
-      next if SAFE_VALUES.include? e
-
       if call? e and e.method == :to_s
         e = e.target
       end
 
+      next if node_type? e, :lit, :str
+      next if SAFE_VALUES.include? e
+      next if shell_escape? e
+
       if node_type? e, :or, :evstr, :dstr
         if res = dangerous?(e)
           return res
@@ -161,4 +167,16 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 
     false
   end
+
+  def shell_escape? exp
+    return false unless call? exp
+
+    if exp.target == SHELLWORDS and SHELL_ESCAPES.include? exp.method
+      true
+    elsif exp.method == :shelljoin
+      true
+    else
+      false
+    end
+  end
 end

data/lib/brakeman/checks/check_redirect.rb

@@ -79,7 +79,9 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
     end
 
     if res = has_immediate_model?(arg)
-      return Match.new(immediate, res)
+      unless call? arg and arg.method.to_s =~ /_path/
+        return Match.new(immediate, res)
+      end
     elsif call? arg
       if request_value? arg
         return Match.new(immediate, arg)

data/lib/brakeman/checks/check_sql.rb

@@ -19,7 +19,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     @sql_targets = [:average, :calculate, :count, :count_by_sql, :delete_all, :destroy_all,
                     :find_by_sql, :maximum, :minimum, :pluck, :sum, :update_all]
     @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :where] if tracker.options[:rails3]
-    @sql_targets << :find_by << :find_by! if tracker.options[:rails4]
+    @sql_targets << :find_by << :find_by! << :not if tracker.options[:rails4]
 
     if version_between?("2.0.0", "3.9.9") or tracker.config.rails_version.nil?
       @sql_targets << :first << :last << :all
@@ -184,7 +184,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                         else
                           check_find_arguments call.last_arg
                         end
-                      when :where, :having, :find_by, :find_by!
+                      when :where, :having, :find_by, :find_by!, :not
                         check_query_arguments call.arglist
                       when :order, :group, :reorder
                         check_order_arguments call.arglist

data/lib/brakeman/checks/check_symbol_dos.rb

@@ -33,8 +33,10 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
       confidence = :medium
     end
 
+
     if confidence
       return if safe_parameter? input.match
+      return if symbolizing_attributes? input
 
       message = "Symbol conversion from unsafe string (#{friendly_type_of input})"
 
@@ -60,4 +62,10 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
       false
     end
   end
+
+  def symbolizing_attributes? input
+    input.type == :model and
+      call? input.match and
+      input.match.method == :attributes
+  end
 end