brakeman 4.6.1 → 4.7.0

data/bundle/ruby/2.6.0/gems/{sexp_processor-4.12.1 → sexp_processor-4.13.0}/lib/sexp_processor.rb

@@ -34,7 +34,7 @@ require "sexp"
 class SexpProcessor
 
   # duh
-  VERSION = "4.12.1"
+  VERSION = "4.13.0"
 
   ##
   # Automatically shifts off the Sexp type before handing the

data/bundle/ruby/2.6.0/gems/{temple-0.8.1 → temple-0.8.2}/CHANGES

@@ -1,3 +1,8 @@
+0.8.2
+
+  * Support TruffleRuby in Temple::Filters::StaticAnalyzer (#127)
+  * Support TruffleRuby in Temple::Filters::StringSplitter (#127)
+
 0.8.1
 
   * Stop relying on deprecated method in Rails (#121)

data/bundle/ruby/2.6.0/gems/{temple-0.8.1 → temple-0.8.2}/README.md

@@ -1,7 +1,7 @@
 Temple
 ======
 
-[![Build Status](https://secure.travis-ci.org/judofyr/temple.svg?branch=master)](http://travis-ci.org/judofyr/temple) [![Dependency Status](https://gemnasium.com/judofyr/temple.svg?travis)](https://gemnasium.com/judofyr/temple) [![Code Climate](https://codeclimate.com/github/judofyr/temple.svg)](https://codeclimate.com/github/judofyr/temple) [![Gem Version](https://badge.fury.io/rb/temple.svg)](https://rubygems.org/gems/temple)
+[![Build Status](https://secure.travis-ci.org/judofyr/temple.svg?branch=master)](http://travis-ci.org/judofyr/temple) [![Code Climate](https://codeclimate.com/github/judofyr/temple.svg)](https://codeclimate.com/github/judofyr/temple) [![Gem Version](https://badge.fury.io/rb/temple.svg)](https://rubygems.org/gems/temple)
 
 Temple is an abstraction and a framework for compiling templates to pure Ruby.
 It's all about making it easier to experiment, implement and optimize template

data/bundle/ruby/2.6.0/gems/{temple-0.8.1 → temple-0.8.2}/lib/temple/filters/string_splitter.rb

@@ -7,7 +7,7 @@ module Temple
   module Filters
     # Compile [:dynamic, "foo#{bar}"] to [:multi, [:static, 'foo'], [:dynamic, 'bar']]
     class StringSplitter < Filter
-      if defined?(Ripper) && RUBY_VERSION >= "2.0.0"
+      if defined?(Ripper) && RUBY_VERSION >= "2.0.0" && Ripper.respond_to?(:lex)
         class << self
           # `code` param must be valid string literal
           def compile(code)

data/bundle/ruby/2.6.0/gems/{temple-0.8.1 → temple-0.8.2}/lib/temple/static_analyzer.rb

@@ -30,7 +30,7 @@ module Temple
 
     class << self
       def available?
-        defined?(Ripper)
+        defined?(Ripper) && Ripper.respond_to?(:lex)
       end
 
       def static?(code)

data/bundle/ruby/2.6.0/gems/temple-0.8.2/lib/temple/version.rb

@@ -0,0 +1,3 @@
+module Temple
+  VERSION = '0.8.2'
+end

data/bundle/ruby/2.6.0/gems/{tilt-2.0.9 → tilt-2.0.10}/lib/tilt.rb

@@ -4,7 +4,7 @@ require 'tilt/template'
 # Namespace for Tilt. This module is not intended to be included anywhere.
 module Tilt
   # Current version.
-  VERSION = '2.0.9'
+  VERSION = '2.0.10'
 
   @default_mapping = Mapping.new
 

data/bundle/ruby/2.6.0/gems/{tilt-2.0.9 → tilt-2.0.10}/lib/tilt/template.rb

@@ -166,7 +166,7 @@ module Tilt
     def evaluate(scope, locals, &block)
       locals_keys = locals.keys
       locals_keys.sort!{|x, y| x.to_s <=> y.to_s}
-      method = compiled_method(locals_keys)
+      method = compiled_method(locals_keys, scope.is_a?(Module) ? scope : scope.class)
       method.bind(scope).call(locals, &block)
     end
 
@@ -231,9 +231,9 @@ module Tilt
     end
 
     # The compiled method for the locals keys provided.
-    def compiled_method(locals_keys)
+    def compiled_method(locals_keys, scope_class=nil)
       LOCK.synchronize do
-        @compiled_method[locals_keys] ||= compile_template_method(locals_keys)
+        @compiled_method[[scope_class, locals_keys]] ||= compile_template_method(locals_keys, scope_class)
       end
     end
 
@@ -247,7 +247,7 @@ module Tilt
       end.join("\n")
     end
 
-    def compile_template_method(local_keys)
+    def compile_template_method(local_keys, scope_class=nil)
       source, offset = precompiled(local_keys)
       local_code = local_extraction(local_keys)
 
@@ -261,17 +261,12 @@ module Tilt
       method_source << <<-RUBY
         TOPOBJECT.class_eval do
           def #{method_name}(locals)
-            Thread.current[:tilt_vars] = [self, locals]
-            class << self
-              this, locals = Thread.current[:tilt_vars]
-              locals = locals
-              this.instance_eval do
-                #{local_code}
+            #{local_code}
       RUBY
       offset += method_source.count("\n")
       method_source << source
-      method_source << "\nend;end;end;end"
-      Object.class_eval(method_source, eval_file, line - offset)
+      method_source << "\nend;end;"
+      (scope_class || Object).class_eval(method_source, eval_file, line - offset)
       unbind_compiled_method(method_name)
     end
 

data/lib/brakeman/checks/base_check.rb

@@ -39,6 +39,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     @active_record_models = nil
     @mass_assign_disabled = nil
     @has_user_input = nil
+    @in_array = false
     @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id]
     @comparison_ops  = Set[:==, :!=, :>, :<, :>=, :<=]
   end
@@ -109,9 +110,16 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     exp
   end
 
+  def process_array exp
+    @in_array = true
+    process_default exp
+  ensure
+    @in_array = false
+  end
+
   #Does not actually process string interpolation, but notes that it occurred.
   def process_dstr exp
-    unless @string_interp # don't overwrite existing value
+    unless array_interp? exp or @string_interp # don't overwrite existing value
       @string_interp = Match.new(:interp, exp)
     end
 
@@ -120,6 +128,20 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
   private
 
+  # Checking for
+  #
+  #   %W[#{a}]
+  #
+  # which will be parsed as
+  #
+  #    s(:array, s(:dstr, "", s(:evstr, s(:call, nil, :a))))
+  def array_interp? exp
+    @in_array and
+      string_interp? exp and
+      exp[1] == "".freeze and
+      exp.length == 3 # only one interpolated value
+  end
+
   def always_safe_method? meth
     @safe_input_attributes.include? meth or
       @comparison_ops.include? meth

data/lib/brakeman/checks/check_cookie_serialization.rb

@@ -9,7 +9,7 @@ class Brakeman::CheckCookieSerialization < Brakeman::BaseCheck
     tracker.find_call(target: :'Rails.application.config.action_dispatch', method: :cookies_serializer=).each do |result|
       setting = result[:call].first_arg
 
-      if symbol? setting and setting.value == :marshal or setting.value == :hybrid
+      if symbol? setting and [:marshal, :hybrid].include? setting.value
         warn :result => result,
           :warning_type => "Remote Code Execution",
           :warning_code => :unsafe_cookie_serialization,

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -287,7 +287,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
   def setup
     @ignore_methods = Set[:==, :!=, :button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
-                           :field_field, :fields_for, :h, :hidden_field,
+                           :field_field, :fields_for, :form_for, :h, :hidden_field,
                            :hidden_field, :hidden_field_tag, :image_tag, :label,
                            :link_to, :mail_to, :radio_button, :select,
                            :submit_tag, :text_area, :text_field,

data/lib/brakeman/checks/check_execute.rb

@@ -21,6 +21,10 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
   SHELL_ESCAPE_MODULE_METHODS = Set[:escape, :join, :shellescape, :shelljoin]
   SHELL_ESCAPE_MIXIN_METHODS = Set[:shellescape, :shelljoin]
 
+  # These are common shells that are known to allow the execution of commands
+  # via a -c flag. See dash_c_shell_command? for more info.
+  KNOWN_SHELL_COMMANDS = Set["sh", "bash", "ksh", "csh", "tcsh", "zsh"]
+
   SHELLWORDS = s(:const, :Shellwords)
 
   #Check models, controllers, and views for command injection.
@@ -42,6 +46,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     end
   end
 
+  private
+
   #Processes results from Tracker#find_call.
   def process_result result
     call = result[:call]
@@ -54,7 +60,17 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
         failure = include_user_input?(args) || dangerous_interp?(args)
       end
     when :system, :exec
-      failure = include_user_input?(first_arg) || dangerous_interp?(first_arg)
+      # Normally, if we're in a `system` or `exec` call, we only are worried
+      # about shell injection when there's a single argument, because comma-
+      # separated arguments are always escaped by Ruby. However, an exception is
+      # when the first two arguments are something like "bash -c" because then
+      # the third argument is effectively the command being run and might be
+      # a malicious executable if it comes (partially or fully) from user input.
+      if dash_c_shell_command?(first_arg, call.second_arg)
+        failure = include_user_input?(args[3]) || dangerous_interp?(args[3])
+      else
+        failure = include_user_input?(first_arg) || dangerous_interp?(first_arg)
+      end
     else
       failure = include_user_input?(args) || dangerous_interp?(args)
     end
@@ -77,6 +93,15 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     end
   end
 
+  # @return [Boolean] true iff the command given by `first_arg`, `second_arg`
+  #   invokes a new shell process via `<shell_command> -c` (like `bash -c`)
+  def dash_c_shell_command?(first_arg, second_arg)
+    string?(first_arg) &&
+    KNOWN_SHELL_COMMANDS.include?(first_arg.value) &&
+    string?(second_arg) &&
+    second_arg.value == "-c"
+  end
+
   def check_open_calls
     tracker.find_call(:targets => [nil, :Kernel], :method => :open).each do |result|
       if match = dangerous_open_arg?(result[:call].first_arg)

data/lib/brakeman/differ.rb

@@ -24,43 +24,31 @@ class Brakeman::Differ
   # second pass to cleanup any vulns which have changed in line number only.
   # Given a list of new warnings, delete pairs of new/fixed vulns that differ
   # only by line number.
-  # Horrible O(n^2) performance.  Keep n small :-/
   def second_pass(warnings)
-    # keep track of the number of elements deleted because the index numbers
-    # won't update as the list is modified
-    elements_deleted_offset = 0
+    new_fingerprints = Set.new(warnings[:new].map(&method(:fingerprint)))
+    fixed_fingerprints = Set.new(warnings[:fixed].map(&method(:fingerprint)))
 
-    # dup this list since we will be deleting from it and the iterator gets confused.
-    # use _with_index for fast deletion as opposed to .reject!{|obj| obj == *_warning}
-    warnings[:new].dup.each_with_index do |new_warning, new_warning_id|
-      warnings[:fixed].each_with_index do |fixed_warning, fixed_warning_id|
-        if eql_except_line_number new_warning, fixed_warning
-          warnings[:new].delete_at(new_warning_id - elements_deleted_offset)
-          elements_deleted_offset += 1
-          warnings[:fixed].delete_at(fixed_warning_id)
-          break
-        end
+    # Remove warnings which fingerprints are both in :new and :fixed
+    shared_fingerprints = new_fingerprints.intersection(fixed_fingerprints)
+
+    unless shared_fingerprints.empty?
+      warnings[:new].delete_if do |warning|
+        shared_fingerprints.include?(fingerprint(warning))
+      end
+
+      warnings[:fixed].delete_if do |warning|
+        shared_fingerprints.include?(fingerprint(warning))
       end
     end
 
     warnings
   end
 
-  def eql_except_line_number new_warning, fixed_warning
-    # can't do this ahead of time, as callers may be expecting a Brakeman::Warning
-    if new_warning.is_a? Brakeman::Warning 
-      new_warning = new_warning.to_hash
-      fixed_warning = fixed_warning.to_hash
-    end
-
-    if new_warning[:fingerprint] and fixed_warning[:fingerprint]
-      new_warning[:fingerprint] == fixed_warning[:fingerprint]
+  def fingerprint(warning)
+    if warning.is_a?(Brakeman::Warning)
+      warning.fingerprint
     else
-     OLD_WARNING_KEYS.each do |attr|
-        return false if new_warning[attr] != fixed_warning[attr]
-      end
-
-      true
+      warning[:fingerprint]
     end
   end
 end