brakeman 4.4.0 → 4.5.0

data/bundle/ruby/2.5.0/gems/{temple-0.8.0 → temple-0.8.1}/CHANGES

@@ -1,3 +1,9 @@
+0.8.1
+
+  * Stop relying on deprecated method in Rails (#121)
+  * Fix issue with --enable-frozen-string-literal
+  * Escape html in markdown
+
 0.8.0
 
   * Add Temple::StaticAnalyzer to analyze Ruby expressions

data/bundle/ruby/2.5.0/gems/{temple-0.8.0 → temple-0.8.1}/EXPRESSIONS.md

@@ -220,7 +220,7 @@ generates:
 ### [:html, :tag, identifier, attributes, optional-sexp]
 
 HTML tag abstraction. Identifier can be a String or a Symbol. If the optional content Sexp is omitted
-the tag is closed (e.g. <br/> <img/>). The tag is also closed if the content Sexp is empty
+the tag is closed (e.g. `<br/>` `<img/>`). The tag is also closed if the content Sexp is empty
 (consists only of :multi and :newline expressions) and the tag is registered as auto-closing.
 
 Example:

data/bundle/ruby/2.5.0/gems/{temple-0.8.0 → temple-0.8.1}/README.md

@@ -1,7 +1,7 @@
 Temple
 ======
 
-[![Build Status](https://secure.travis-ci.org/judofyr/temple.png?branch=master)](http://travis-ci.org/judofyr/temple) [![Dependency Status](https://gemnasium.com/judofyr/temple.png?travis)](https://gemnasium.com/judofyr/temple) [![Code Climate](https://codeclimate.com/github/judofyr/temple.png)](https://codeclimate.com/github/judofyr/temple)
+[![Build Status](https://secure.travis-ci.org/judofyr/temple.svg?branch=master)](http://travis-ci.org/judofyr/temple) [![Dependency Status](https://gemnasium.com/judofyr/temple.svg?travis)](https://gemnasium.com/judofyr/temple) [![Code Climate](https://codeclimate.com/github/judofyr/temple.svg)](https://codeclimate.com/github/judofyr/temple) [![Gem Version](https://badge.fury.io/rb/temple.svg)](https://rubygems.org/gems/temple)
 
 Temple is an abstraction and a framework for compiling templates to pure Ruby.
 It's all about making it easier to experiment, implement and optimize template

data/bundle/ruby/2.5.0/gems/{temple-0.8.0 → temple-0.8.1}/lib/temple/mixins/dispatcher.rb

@@ -90,7 +90,8 @@ module Temple
             raise 'Invalid dispatcher node' unless method
             call_method
           else
-            code = "case(exp[#{level}])\n"
+            code = String.new
+            code << "case(exp[#{level}])\n"
             each do |key, child|
               code << "when #{key.inspect}\n  " <<
                 child.compile(level + 1, call_method).gsub("\n".freeze, "\n  ".freeze) << "\n".freeze

data/bundle/ruby/2.5.0/gems/{temple-0.8.0 → temple-0.8.1}/lib/temple/templates/rails.rb

@@ -3,9 +3,9 @@ module Temple
     class Rails
       extend Mixins::Template
 
-      def call(template)
+      def call(template, source = nil)
         opts = {}.update(self.class.options).update(file: template.identifier)
-        self.class.compile(template.source, opts)
+        self.class.compile((source || template.source), opts)
       end
 
       def supports_streaming?

data/bundle/ruby/2.5.0/gems/temple-0.8.1/lib/temple/version.rb

@@ -0,0 +1,3 @@
+module Temple
+  VERSION = '0.8.1'
+end

data/bundle/ruby/2.5.0/gems/{unicode-display_width-1.4.1 → unicode-display_width-1.5.0}/CHANGELOG.md

@@ -1,5 +1,9 @@
 # CHANGELOG
 
+## 1.5.0
+
+- Unicode 12
+
 ## 1.4.1
 
 - Only bundle required lib/* and data/* files in actual rubygem, patch by @tas50

data/bundle/ruby/2.5.0/gems/{unicode-display_width-1.4.1 → unicode-display_width-1.5.0}/MIT-LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT LICENSE
 
-Copyright (c) 2011, 2015-2018 Jan Lelis
+Copyright (c) 2011, 2015-2019 Jan Lelis
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/bundle/ruby/2.5.0/gems/{unicode-display_width-1.4.1 → unicode-display_width-1.5.0}/README.md

@@ -1,16 +1,16 @@
-## Unicode::DisplayWidth [![[version]](https://badge.fury.io/rb/unicode-display_width.svg)](http://badge.fury.io/rb/unicode-display_width) [<img src="https://travis-ci.org/janlelis/unicode-display_width.png" />](https://travis-ci.org/janlelis/unicode-display_width)
+## Unicode::DisplayWidth [![[version]](https://badge.fury.io/rb/unicode-display_width.svg)](https://badge.fury.io/rb/unicode-display_width) [<img src="https://travis-ci.org/janlelis/unicode-display_width.png" />](https://travis-ci.org/janlelis/unicode-display_width)
 
-Determines the monospace display width of a string in Ruby. Implementation based on [EastAsianWidth.txt](http://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt) and other data, 100% in Ruby. Other than [wcwidth()](https://github.com/janlelis/wcswidth-ruby), which fulfills a similar purpose, it does not rely on the OS vendor to provide an up-to-date method for measuring string width.
+Determines the monospace display width of a string in Ruby. Implementation based on [EastAsianWidth.txt](https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt) and other data, 100% in Ruby. Other than [wcwidth()](https://github.com/janlelis/wcswidth-ruby), which fulfills a similar purpose, it does not rely on the OS vendor to provide an up-to-date method for measuring string width.
 
-Unicode version: **11.0.0**
+Unicode version: **12.0.0**
 
-Supported Rubies: **2.5**, **2.4**, **2.3**
+Supported Rubies: **2.6**, **2.5**, **2.4**
 
-Old Rubies that might still work: **2.2**, **2.1**, **2.0**, **1.9**
+Old Rubies that might still work: **2.3**, **2.2**, **2.1**, **2.0**, **1.9**
 
 ## Introduction to Character Widths
 
-Guesing the correct space a character will consume on terminals is not easy. There is no single standard. Most implementations combine data from [East Asian Width](http://www.unicode.org/reports/tr11/), some [General Categories](https://en.wikipedia.org/wiki/Unicode_character_property#General_Category), and hand-picked adjustments.
+Guessing the correct space a character will consume on terminals is not easy. There is no single standard. Most implementations combine data from [East Asian Width](https://www.unicode.org/reports/tr11/), some [General Categories](https://en.wikipedia.org/wiki/Unicode_character_property#General_Category), and hand-picked adjustments.
 
 ### How this Library Handles Widths
 
@@ -53,7 +53,7 @@ Unicode::DisplayWidth.of("一") # => 2
 
 ### Ambiguous Characters
 
-The second parameter defines the value returned by characterrs defined as ambiguous:
+The second parameter defines the value returned by characters defined as ambiguous:
 
 ```ruby
 Unicode::DisplayWidth.of("·", 1) # => 1
@@ -111,14 +111,14 @@ Replace "一" with the actual string to measure
 
 - Python: https://github.com/jquast/wcwidth
 - JavaScript: https://github.com/mycoboco/wcwidth.js
-- C: http://www.cl.cam.ac.uk/~mgk25/ucs/wcwidth.c
+- C: https://www.cl.cam.ac.uk/~mgk25/ucs/wcwidth.c
 - C for Julia: https://github.com/JuliaLang/utf8proc/issues/2
 
 See [unicode-x](https://github.com/janlelis/unicode-x) for more Unicode related micro libraries.
 
 ## Copyright & Info
 
-- Copyright (c) 2011, 2015-2018 Jan Lelis, http://janlelis.com, released under the MIT
+- Copyright (c) 2011, 2015-2019 Jan Lelis, https://janlelis.com, released under the MIT
 license
 - Early versions based on runpaint's unicode-data interface: Copyright (c) 2009 Run Paint Run Run
-- Unicode data: http://www.unicode.org/copyright.html#Exhibit1
+- Unicode data: https://www.unicode.org/copyright.html#Exhibit1

data/bundle/ruby/2.5.0/gems/{unicode-display_width-1.4.1 → unicode-display_width-1.5.0}/lib/unicode/display_width/constants.rb

@@ -1,7 +1,7 @@
 module Unicode
   module DisplayWidth
-    VERSION = '1.4.1'
-    UNICODE_VERSION = "11.0.0".freeze
+    VERSION = '1.5.0'
+    UNICODE_VERSION = "12.0.0".freeze
     DATA_DIRECTORY = File.expand_path(File.dirname(__FILE__) + '/../../../data/').freeze
     INDEX_FILENAME = (DATA_DIRECTORY + '/display_width.marshal.gz').freeze
   end

data/lib/brakeman/checks/base_check.rb

@@ -348,6 +348,22 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       when :or
         has_immediate_user_input? exp.lhs or
         has_immediate_user_input? exp.rhs
+      when :splat, :kwsplat
+        exp.each_sexp do |e|
+          match = has_immediate_user_input?(e)
+          return match if match
+        end
+
+        false
+      when :hash
+        if kwsplat? exp
+          exp[1].each_sexp do |e|
+            match = has_immediate_user_input?(e)
+            return match if match
+          end
+
+          false
+        end
       else
         false
       end

data/lib/brakeman/checks/check_content_tag.rb

@@ -45,6 +45,16 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
   def process_result result
     return if duplicate? result
 
+    case result[:location][:type]
+    when :template
+      @current_template = result[:location][:template]
+    when :class
+      @current_class = result[:location][:class]
+      @current_method = result[:location][:method]
+    end
+
+    @current_file = result[:location][:file]
+
     call = result[:call] = result[:call].dup
 
     args = call.arglist
@@ -85,6 +95,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
         end
       end
     end
+  ensure
+    @current_template = @current_class = @current_method = @current_file = nil
   end
 
   def check_argument result, exp

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -57,12 +57,12 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
     if exp.node_type == :output
       out = exp.value
-    elsif exp.node_type == :escaped_output
-      if raw_call? exp
-        out = exp.value.first_arg
-      elsif html_safe_call? exp
-        out = exp.value.target
-      end
+    end
+
+    if raw_call? exp
+      out = exp.value.first_arg
+    elsif html_safe_call? exp
+      out = exp.value.target
     end
 
     return if call? out and ignore_call? out.target, out.method

data/lib/brakeman/checks/check_evaluation.rb

@@ -27,7 +27,6 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
         :warning_type => "Dangerous Eval",
         :warning_code => :code_eval,
         :message => "User input in eval",
-        :code => result[:call],
         :user_input => input,
         :confidence => :high
     end

data/lib/brakeman/checks/check_execute.rb

@@ -90,6 +90,24 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     end
   end
 
+  def include_user_input? exp
+    if node_type? exp, :arglist, :dstr, :evstr, :dxstr
+      exp.each_sexp do |e|
+        if res = include_user_input?(e)
+          return res
+        end
+      end
+
+      false
+    else
+      if shell_escape? exp
+        false
+      else
+        super exp
+      end
+    end
+  end
+
   def dangerous_open_arg? exp
     if string_interp? exp
       # Check for input at start of string

data/lib/brakeman/checks/check_send.rb

@@ -28,7 +28,6 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
         :warning_type => "Dangerous Send",
         :warning_code => :dangerous_send,
         :message => "User controlled method execution",
-        :code => result[:call],
         :user_input => input,
         :confidence => :high
     end

data/lib/brakeman/checks/check_session_manipulation.rb

@@ -27,7 +27,6 @@ class Brakeman::CheckSessionManipulation < Brakeman::BaseCheck
         :warning_type => "Session Manipulation",
         :warning_code => :session_key_manipulation,
         :message => msg(msg_input(input), " used as key in session hash"),
-        :code => result[:call],
         :user_input => input,
         :confidence => confidence
     end

data/lib/brakeman/checks/check_sql.rb

@@ -14,7 +14,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   @description = "Check for SQL injection"
 
   def run_check
-    narrow_targets = [:exists?, :select]
+    # Avoid reporting `user_input` on silly values when generating warning.
+    # Note that we retroactively find `user_input` inside the "dangerous" value.
+    @safe_input_attributes.merge IGNORE_METHODS_IN_SQL
 
     @sql_targets = [:average, :calculate, :count, :count_by_sql, :delete_all, :destroy_all,
                     :find_by_sql, :maximum, :minimum, :pluck, :sum, :update_all]
@@ -43,6 +45,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     Brakeman.debug "Finding possible SQL calls on models"
     calls = tracker.find_call(:methods => @sql_targets, :nested => true)
 
+    narrow_targets = [:exists?, :select]
     calls.concat tracker.find_call(:targets => active_record_models.keys, :methods => narrow_targets, :chained => true)
 
     Brakeman.debug "Finding possible SQL calls with no target"
@@ -294,7 +297,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         # Model.where(params[:where])
         arg
       end
-    elsif hash? arg
+    elsif hash? arg and not kwsplat? arg
       #This is generally going to be a hash of column names and values, which
       #would escape the values. But the keys _could_ be user input.
       check_hash_keys arg
@@ -452,7 +455,13 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     when :dstr
       check_string_interp exp
     when :hash
-      check_hash_values exp unless ignore_hash
+      if kwsplat? exp and has_immediate_user_input? exp
+        exp
+      elsif not ignore_hash
+        check_hash_values exp
+      else
+        nil
+      end
     when :if
       unsafe_sql? exp.then_clause or unsafe_sql? exp.else_clause
     when :call

data/lib/brakeman/file_parser.rb

@@ -31,13 +31,17 @@ module Brakeman
       end
     end
 
-    def parse_ruby input, path
+    def parse_ruby input, path, parser = RubyParser.new
       begin
         Brakeman.debug "Parsing #{path}"
-        RubyParser.new.parse input, path, @timeout
+        parser.parse input, path, @timeout
       rescue Racc::ParseError => e
-        @tracker.error e, "Could not parse #{path}"
-        nil
+        if parser.class == RubyParser
+          return parse_ruby(input, path, RubyParser.latest)
+        else
+          @tracker.error e, "Could not parse #{path}"
+          nil
+        end
       rescue Timeout::Error => e
         @tracker.error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout"), caller
         nil

data/lib/brakeman/parsers/haml_embedded.rb

@@ -0,0 +1,44 @@
+module Brakeman
+  module FakeHamlFilter
+    # Copied from Haml - force delayed compilation
+    def compile(compiler, text)
+      filter = self
+      compiler.instance_eval do
+        text = unescape_interpolation(text).gsub(/(\\+)n/) do |s|
+          escapes = $1.size
+          next s if escapes % 2 == 0
+          ("\\" * (escapes - 1)) + "\n"
+        end
+        # We need to add a newline at the beginning to get the
+        # filter lines to line up (since the Haml filter contains
+        # a line that doesn't show up in the source, namely the
+        # filter name). Then we need to escape the trailing
+        # newline so that the whole filter block doesn't take up
+        # too many.
+        text = "\n" + text.sub(/\n"\Z/, "\\n\"")
+        push_script <<RUBY.rstrip, :escape_html => false
+find_and_preserve(#{filter.inspect}.render_with_options(#{text}, _hamlout.options))
+RUBY
+        return
+      end
+    end
+  end
+end
+
+# Fake CoffeeScript filter for Haml
+module Haml::Filters::Coffee
+  include Haml::Filters::Base
+  extend Brakeman::FakeHamlFilter
+end
+
+# Fake Markdown filter for Haml
+module Haml::Filters::Markdown
+  include Haml::Filters::Base
+  extend Brakeman::FakeHamlFilter
+end
+
+# Fake Sass filter for Haml
+module Haml::Filters::Sass
+  include Haml::Filters::Base
+  extend Brakeman::FakeHamlFilter
+end