brakeman 4.10.0 → 5.0.4

data/bundle/ruby/2.7.0/gems/haml-5.2.1/lib/haml/escapable.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module Haml
+  # Like Temple::Filters::Escapable, but with support for escaping by
+  # Haml::Herlpers.html_escape and Haml::Herlpers.escape_once.
+  class Escapable < Temple::Filter
+    # Special value of `flag` to ignore html_safe?
+    EscapeSafeBuffer = Struct.new(:value)
+
+    def initialize(*)
+      super
+      @escape = false
+      @escape_safe_buffer = false
+    end
+
+    def on_escape(flag, exp)
+      old_escape, old_escape_safe_buffer = @escape, @escape_safe_buffer
+      @escape_safe_buffer = flag.is_a?(EscapeSafeBuffer)
+      @escape = @escape_safe_buffer ? flag.value : flag
+      compile(exp)
+    ensure
+      @escape, @escape_safe_buffer = old_escape, old_escape_safe_buffer
+    end
+
+    # The same as Haml::AttributeBuilder.build_attributes
+    def on_static(value)
+      [:static,
+       if @escape == :once
+         escape_once(value)
+       elsif @escape
+         escape(value)
+       else
+         value
+       end
+      ]
+    end
+
+    # The same as Haml::AttributeBuilder.build_attributes
+    def on_dynamic(value)
+      [:dynamic,
+       if @escape == :once
+         escape_once_code(value)
+       elsif @escape
+         escape_code(value)
+       else
+         "(#{value}).to_s"
+       end
+      ]
+    end
+
+    private
+
+    def escape_once(value)
+      if @escape_safe_buffer
+        ::Haml::Helpers.escape_once_without_haml_xss(value)
+      else
+        ::Haml::Helpers.escape_once(value)
+      end
+    end
+
+    def escape(value)
+      if @escape_safe_buffer
+        ::Haml::Helpers.html_escape_without_haml_xss(value)
+      else
+        ::Haml::Helpers.html_escape(value)
+      end
+    end
+
+    def escape_once_code(value)
+      "::Haml::Helpers.escape_once#{('_without_haml_xss' if @escape_safe_buffer)}((#{value}))"
+    end
+
+    def escape_code(value)
+      "::Haml::Helpers.html_escape#{('_without_haml_xss' if @escape_safe_buffer)}((#{value}))"
+    end
+  end
+end

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers.rb

@@ -607,9 +607,12 @@ MESSAGE
     # @param text [String] The string to sanitize
     # @return [String] The sanitized string
     def html_escape(text)
-      ERB::Util.html_escape(text)
+      CGI.escapeHTML(text.to_s)
     end
 
+    # Always escape text regardless of html_safe?
+    alias_method :html_escape_without_haml_xss, :html_escape
+
     HTML_ESCAPE_ONCE_REGEX = /['"><]|&(?!(?:[a-zA-Z]+|#(?:\d+|[xX][0-9a-fA-F]+));)/
 
     # Escapes HTML entities in `text`, but without escaping an ampersand
@@ -622,6 +625,9 @@ MESSAGE
       text.gsub(HTML_ESCAPE_ONCE_REGEX, HTML_ESCAPE)
     end
 
+    # Always escape text once regardless of html_safe?
+    alias_method :escape_once_without_haml_xss, :escape_once
+
     # Returns whether or not the current template is a Haml template.
     #
     # This function, unlike other {Haml::Helpers} functions,

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/xss_mods.rb

@@ -8,12 +8,15 @@ module Haml
     # to work with Rails' XSS protection methods.
     module XssMods
       def self.included(base)
-        %w[html_escape find_and_preserve preserve list_of surround
-           precede succeed capture_haml haml_concat haml_internal_concat haml_indent
-           escape_once].each do |name|
+        %w[find_and_preserve preserve list_of surround
+           precede succeed capture_haml haml_concat haml_internal_concat haml_indent].each do |name|
           base.send(:alias_method, "#{name}_without_haml_xss", name)
           base.send(:alias_method, name, "#{name}_with_haml_xss")
         end
+        # Those two always have _without_haml_xss
+        %w[html_escape escape_once].each do |name|
+          base.send(:alias_method, name, "#{name}_with_haml_xss")
+        end
       end
 
       # Don't escape text that's already safe,

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/parser.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'ripper'
 require 'strscan'
 
 module Haml
@@ -90,6 +91,9 @@ module Haml
     ID_KEY    = 'id'.freeze
     CLASS_KEY = 'class'.freeze
 
+    # Used for scanning old attributes, substituting the first '{'
+    METHOD_CALL_PREFIX = 'a('
+
     def initialize(options)
       @options = Options.wrap(options)
       # Record the indent levels of "if" statements to validate the subsequent
@@ -307,7 +311,7 @@ module Haml
         return ParseNode.new(:plain, line.index + 1, :text => line.text)
       end
 
-      escape_html = @options.escape_html if escape_html.nil?
+      escape_html = @options.escape_html && @options.mime_type != 'text/plain' if escape_html.nil?
       line.text = unescape_interpolation(line.text, escape_html)
       script(line, false)
     end
@@ -651,13 +655,18 @@ module Haml
     # @return [String] rest
     # @return [Integer] last_line
     def parse_old_attributes(text)
-      text = text.dup
       last_line = @line.index + 1
 
       begin
-        attributes_hash, rest = balance(text, ?{, ?})
+        # Old attributes often look like a valid Hash literal, but it sometimes allow code like
+        # `{ hash, foo: bar }`, which is compiled to `_hamlout.attributes({}, nil, hash, foo: bar)`.
+        #
+        # To scan such code correctly, this scans `a( hash, foo: bar }` instead, stops when there is
+        # 1 more :on_embexpr_end (the last '}') than :on_embexpr_beg, and resurrects '{' afterwards.
+        balanced, rest = balance_tokens(text.sub(?{, METHOD_CALL_PREFIX), :on_embexpr_beg, :on_embexpr_end, count: 1)
+        attributes_hash = balanced.sub(METHOD_CALL_PREFIX, ?{)
       rescue SyntaxError => e
-        if text.strip[-1] == ?, && e.message == Error.message(:unbalanced_brackets)
+        if e.message == Error.message(:unbalanced_brackets) && !@template.empty?
           text << "\n#{@next_line.text}"
           last_line += 1
           next_line
@@ -811,6 +820,25 @@ module Haml
       Haml::Util.balance(*args) or raise(SyntaxError.new(Error.message(:unbalanced_brackets)))
     end
 
+    # Unlike #balance, this balances Ripper tokens to balance something like `{ a: "}" }` correctly.
+    def balance_tokens(buf, start, finish, count: 0)
+      text = ''.dup
+      Ripper.lex(buf).each do |_, token, str|
+        text << str
+        case token
+        when start
+          count += 1
+        when finish
+          count -= 1
+        end
+
+        if count == 0
+          return text, buf.sub(text, '')
+        end
+      end
+      raise SyntaxError.new(Error.message(:unbalanced_brackets))
+    end
+
     def block_opened?
       @next_line.tabs > @line.tabs
     end

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/util.rb

@@ -213,7 +213,7 @@ MSG
             scan.scan(/\w+/)
           end
           content = eval("\"#{interpolated}\"")
-          content.prepend(char) if char == '@' || char == '$'
+          content = "#{char}#{content}" if char == '@' || char == '$'
           content = "Haml::Helpers.html_escape((#{content}))" if escape_html
 
           res << "\#{#{content}}"

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Haml
-  VERSION = "5.1.2"
+  VERSION = "5.2.1"
 end

data/bundle/ruby/2.7.0/gems/rexml-3.2.5/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (C) 1993-2013 Yukihiro Matsumoto. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.

data/bundle/ruby/2.7.0/gems/rexml-3.2.5/NEWS.md

@@ -0,0 +1,178 @@
+# News
+
+## 3.2.5 - 2021-04-05 {#version-3-2-5}
+
+### Improvements
+
+  * Add more validations to XPath parser.
+
+  * `require "rexml/docuemnt"` by default.
+    [GitHub#36][Patch by Koichi ITO]
+
+  * Don't add `#dcloe` method to core classes globally.
+    [GitHub#37][Patch by Akira Matsuda]
+
+  * Add more documentations.
+    [Patch by Burdette Lamar]
+
+  * Added `REXML::Elements#parent`.
+    [GitHub#52][Patch by Burdette Lamar]
+
+### Fixes
+
+  * Fixed a bug that `REXML::DocType#clone` doesn't copy external ID
+    information.
+
+  * Fixed round-trip vulnerability bugs.
+    See also: https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
+    [HackerOne#1104077][CVE-2021-28965][Reported by Juho Nurminen]
+
+### Thanks
+
+  * Koichi ITO
+
+  * Akira Matsuda
+
+  * Burdette Lamar
+
+  * Juho Nurminen
+
+## 3.2.4 - 2020-01-31 {#version-3-2-4}
+
+### Improvements
+
+  * Don't use `taint` with Ruby 2.7 or later.
+    [GitHub#21][Patch by Jeremy Evans]
+
+### Fixes
+
+  * Fixed a `elsif` typo.
+    [GitHub#22][Patch by Nobuyoshi Nakada]
+
+### Thanks
+
+  * Jeremy Evans
+
+  * Nobuyoshi Nakada
+
+## 3.2.3 - 2019-10-12 {#version-3-2-3}
+
+### Fixes
+
+  * Fixed a bug that `REXML::XMLDecl#close` doesn't copy `@writethis`.
+    [GitHub#20][Patch by hirura]
+
+### Thanks
+
+  * hirura
+
+## 3.2.2 - 2019-06-03 {#version-3-2-2}
+
+### Fixes
+
+  * xpath: Fixed a bug for equality and relational expressions.
+    [GitHub#17][Reported by Mirko Budszuhn]
+
+  * xpath: Fixed `boolean()` implementation.
+
+  * xpath: Fixed `local_name()` with nonexistent node.
+
+  * xpath: Fixed `number()` implementation with node set.
+    [GitHub#18][Reported by Mirko Budszuhn]
+
+### Thanks
+
+  * Mirko Budszuhn
+
+## 3.2.1 - 2019-05-04 {#version-3-2-1}
+
+### Improvements
+
+  * Improved error message.
+    [GitHub#12][Patch by FUJI Goro]
+
+  * Improved error message.
+    [GitHub#16][Patch by ujihisa]
+
+  * Improved documentation markup.
+    [GitHub#14][Patch by Alyssa Ross]
+
+### Fixes
+
+  * Fixed a bug that `nil` variable value raises an unexpected exception.
+    [GitHub#13][Patch by Alyssa Ross]
+
+### Thanks
+
+  * FUJI Goro
+
+  * Alyssa Ross
+
+  * ujihisa
+
+## 3.2.0 - 2019-01-01 {#version-3-2-0}
+
+### Fixes
+
+  * Fixed a bug that no namespace attribute isn't matched with prefix.
+
+    [ruby-list:50731][Reported by Yasuhiro KIMURA]
+
+  * Fixed a bug that the default namespace is applied to attribute names.
+
+    NOTE: It's a backward incompatible change. If your program has any
+    problem with this change, please report it. We may revert this fix.
+
+    * `REXML::Attribute#prefix` returns `""` for no namespace attribute.
+
+    * `REXML::Attribute#namespace` returns `""` for no namespace attribute.
+
+### Thanks
+
+  * Yasuhiro KIMURA
+
+## 3.1.9 - 2018-12-20 {#version-3-1-9}
+
+### Improvements
+
+  * Improved backward compatibility.
+
+    Restored `REXML::Parsers::BaseParser::UNQME_STR` because it's used
+    by kramdown.
+
+## 3.1.8 - 2018-12-20 {#version-3-1-8}
+
+### Improvements
+
+  * Added support for customizing quote character in prologue.
+    [GitHub#8][Bug #9367][Reported by Takashi Oguma]
+
+    * You can use `"` as quote character by specifying `:quote` to
+      `REXML::Document#context[:prologue_quote]`.
+
+    * You can use `'` as quote character by specifying `:apostrophe`
+      to `REXML::Document#context[:prologue_quote]`.
+
+  * Added processing instruction target check. The target must not nil.
+    [GitHub#7][Reported by Ariel Zelivansky]
+
+  * Added name check for element and attribute.
+    [GitHub#7][Reported by Ariel Zelivansky]
+
+  * Stopped to use `Exception`.
+    [GitHub#9][Patch by Jean Boussier]
+
+### Fixes
+
+  * Fixed a bug that `REXML::Text#clone` escapes value twice.
+    [ruby-dev:50626][Bug #15058][Reported by Ryosuke Nanba]
+
+### Thanks
+
+  * Takashi Oguma
+
+  * Ariel Zelivansky
+
+  * Jean Boussier
+
+  * Ryosuke Nanba