brakeman 4.8.0 → 5.2.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES.md +144 -2
- data/README.md +23 -6
- data/bundle/load.rb +7 -5
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/CHANGELOG.md +24 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/FAQ.md +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/Gemfile +1 -4
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/MIT-LICENSE +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/README.md +21 -16
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/REFERENCE.md +39 -10
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/TODO +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/haml.gemspec +2 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/attribute_builder.rb +58 -3
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/attribute_compiler.rb +45 -32
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/attribute_parser.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/buffer.rb +0 -56
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/compiler.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/engine.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/error.rb +0 -0
- data/bundle/ruby/2.7.0/gems/haml-5.2.2/lib/haml/escapable.rb +77 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/exec.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/filters.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/generator.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/helpers/action_view_extensions.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/helpers/action_view_mods.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/helpers/action_view_xss_mods.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/helpers/safe_erubi_template.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/helpers/safe_erubis_template.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/helpers/xss_mods.rb +6 -3
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/helpers.rb +7 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/options.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/parser.rb +32 -4
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/plugin.rb +18 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/railtie.rb +5 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/sass_rails_filter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/template/options.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/template.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/temple_engine.rb +2 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/temple_line_counter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/util.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml/version.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/lib/haml.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/yard/default/fulldoc/html/css/common.sass +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.2}/yard/default/layout/html/footer.erb +0 -0
- data/bundle/ruby/2.7.0/gems/parallel-1.21.0/MIT-LICENSE.txt +20 -0
- data/bundle/ruby/2.7.0/gems/parallel-1.21.0/lib/parallel/processor_count.rb +45 -0
- data/bundle/ruby/2.7.0/gems/parallel-1.21.0/lib/parallel/version.rb +4 -0
- data/bundle/ruby/2.7.0/gems/parallel-1.21.0/lib/parallel.rb +532 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/LICENSE.txt +22 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/NEWS.md +178 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/README.md +48 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/attlistdecl.rb +63 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/attribute.rb +205 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/cdata.rb +68 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/child.rb +97 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/comment.rb +80 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/doctype.rb +311 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/document.rb +451 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/dtd/attlistdecl.rb +11 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/dtd/dtd.rb +47 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/dtd/elementdecl.rb +18 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/dtd/entitydecl.rb +57 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/dtd/notationdecl.rb +40 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/element.rb +2599 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/encoding.rb +51 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/entity.rb +171 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/formatters/default.rb +116 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/formatters/pretty.rb +142 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/formatters/transitive.rb +58 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/functions.rb +447 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/instruction.rb +79 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/light/node.rb +188 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/namespace.rb +59 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/node.rb +76 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/output.rb +30 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parent.rb +166 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parseexception.rb +52 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +694 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parsers/lightparser.rb +59 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb +197 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb +273 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parsers/streamparser.rb +61 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parsers/treeparser.rb +101 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parsers/ultralightparser.rb +57 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/parsers/xpathparser.rb +689 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/quickpath.rb +266 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/rexml.rb +37 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/sax2listener.rb +98 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/security.rb +28 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/source.rb +298 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/streamlistener.rb +93 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/text.rb +424 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/undefinednamespaceexception.rb +9 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/validation/relaxng.rb +539 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/validation/validation.rb +144 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/validation/validationexception.rb +10 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/xmldecl.rb +130 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/xmltokens.rb +85 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/xpath.rb +81 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/xpath_parser.rb +974 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml.rb +3 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/History.rdoc +148 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/Manifest.txt +7 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/README.rdoc +1 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/compare/normalize.rb +51 -6
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/debugging.md +190 -0
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/gauntlet.md +106 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/lib/rp_extensions.rb +15 -36
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/rp_stringscanner.rb +33 -0
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby20_parser.rb +7128 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/lib/ruby20_parser.y +420 -296
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby21_parser.rb +7182 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/lib/ruby21_parser.y +415 -293
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby22_parser.rb +7228 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/lib/ruby22_parser.y +419 -295
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby23_parser.rb +7237 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/lib/ruby23_parser.y +419 -295
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby24_parser.rb +7268 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/lib/ruby24_parser.y +419 -295
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby25_parser.rb +7268 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2/lib/ruby26_parser.y → ruby_parser-3.18.1/lib/ruby25_parser.y} +418 -308
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby26_parser.rb +7287 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2/lib/ruby_parser.yy → ruby_parser-3.18.1/lib/ruby26_parser.y} +419 -399
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby27_parser.rb +8517 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2/lib/ruby25_parser.y → ruby_parser-3.18.1/lib/ruby27_parser.y} +1030 -294
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby30_parser.rb +8751 -0
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby30_parser.y +3472 -0
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby3_parser.yy +3476 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/lib/ruby_lexer.rb +308 -605
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/lib/ruby_lexer.rex +33 -27
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/lib/ruby_lexer.rex.rb +65 -31
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby_lexer_strings.rb +638 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/lib/ruby_parser.rb +4 -0
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby_parser.yy +3487 -0
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/lib/ruby_parser_extras.rb +341 -127
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/tools/munge.rb +43 -10
- data/bundle/ruby/2.7.0/gems/{ruby_parser-3.14.2 → ruby_parser-3.18.1}/tools/ripper.rb +15 -10
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.14.1 → sexp_processor-4.16.0}/History.rdoc +39 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.14.1 → sexp_processor-4.16.0}/Manifest.txt +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.14.1 → sexp_processor-4.16.0}/README.rdoc +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.14.1 → sexp_processor-4.16.0}/lib/composite_sexp_processor.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.14.1 → sexp_processor-4.16.0}/lib/pt_testcase.rb +9 -4
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.14.1 → sexp_processor-4.16.0}/lib/sexp.rb +19 -9
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.14.1 → sexp_processor-4.16.0}/lib/sexp_matcher.rb +4 -7
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.14.1 → sexp_processor-4.16.0}/lib/sexp_processor.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.14.1 → sexp_processor-4.16.0}/lib/strict_sexp.rb +25 -3
- data/bundle/ruby/2.7.0/gems/{sexp_processor-4.14.1 → sexp_processor-4.16.0}/lib/unique.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/CHANGES +4 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/Gemfile +12 -13
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/LICENSE +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/README.jp.md +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/README.md +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/code_attributes.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/command.rb +13 -13
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/controls.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/do_inserter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/embedded.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/end_inserter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/engine.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/erb_converter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/filter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/grammar.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/include.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/interpolation.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/logic_less/context.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/logic_less/filter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/logic_less.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/parser.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/smart/escaper.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/smart/filter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/smart/parser.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/smart.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/splat/builder.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/splat/filter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/template.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/translator.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim/version.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/lib/slim.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{slim-4.0.1 → slim-4.1.0}/slim.gemspec +0 -0
- data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.6.1 → unicode-display_width-1.8.0}/CHANGELOG.md +8 -0
- data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.6.1 → unicode-display_width-1.8.0}/MIT-LICENSE.txt +0 -0
- data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.6.1 → unicode-display_width-1.8.0}/README.md +1 -1
- data/bundle/ruby/2.7.0/gems/unicode-display_width-1.8.0/data/display_width.marshal.gz +0 -0
- data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.6.1 → unicode-display_width-1.8.0}/lib/unicode/display_width/constants.rb +2 -2
- data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.6.1 → unicode-display_width-1.8.0}/lib/unicode/display_width/index.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.6.1 → unicode-display_width-1.8.0}/lib/unicode/display_width/no_string_ext.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.6.1 → unicode-display_width-1.8.0}/lib/unicode/display_width/string_ext.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.6.1 → unicode-display_width-1.8.0}/lib/unicode/display_width.rb +0 -0
- data/lib/brakeman/app_tree.rb +37 -4
- data/lib/brakeman/checks/base_check.rb +18 -2
- data/lib/brakeman/checks/check_basic_auth.rb +2 -0
- data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb +28 -0
- data/lib/brakeman/checks/check_deserialize.rb +21 -1
- data/lib/brakeman/checks/check_detailed_exceptions.rb +1 -1
- data/lib/brakeman/checks/check_eol_rails.rb +23 -0
- data/lib/brakeman/checks/check_eol_ruby.rb +26 -0
- data/lib/brakeman/checks/check_evaluation.rb +1 -1
- data/lib/brakeman/checks/check_execute.rb +12 -1
- data/lib/brakeman/checks/check_json_entity_escape.rb +38 -0
- data/lib/brakeman/checks/check_json_parsing.rb +1 -1
- data/lib/brakeman/checks/check_mass_assignment.rb +37 -9
- data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
- data/lib/brakeman/checks/check_model_attributes.rb +1 -1
- data/lib/brakeman/checks/check_page_caching_cve.rb +37 -0
- data/lib/brakeman/checks/check_permit_attributes.rb +1 -1
- data/lib/brakeman/checks/check_regex_dos.rb +1 -1
- data/lib/brakeman/checks/check_render.rb +15 -1
- data/lib/brakeman/checks/check_sanitize_methods.rb +2 -1
- data/lib/brakeman/checks/check_skip_before_filter.rb +4 -4
- data/lib/brakeman/checks/check_sql.rb +60 -9
- data/lib/brakeman/checks/check_symbol_dos.rb +1 -1
- data/lib/brakeman/checks/check_template_injection.rb +32 -0
- data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +68 -0
- data/lib/brakeman/checks/check_verb_confusion.rb +75 -0
- data/lib/brakeman/checks/eol_check.rb +47 -0
- data/lib/brakeman/commandline.rb +25 -1
- data/lib/brakeman/file_parser.rb +58 -22
- data/lib/brakeman/options.rb +39 -2
- data/lib/brakeman/parsers/template_parser.rb +26 -3
- data/lib/brakeman/processors/alias_processor.rb +132 -24
- data/lib/brakeman/processors/base_processor.rb +4 -4
- data/lib/brakeman/processors/controller_alias_processor.rb +6 -43
- data/lib/brakeman/processors/controller_processor.rb +1 -1
- data/lib/brakeman/processors/gem_processor.rb +3 -0
- data/lib/brakeman/processors/haml_template_processor.rb +17 -1
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +13 -7
- data/lib/brakeman/processors/lib/file_type_detector.rb +64 -0
- data/lib/brakeman/processors/lib/find_all_calls.rb +28 -13
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +16 -16
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -0
- data/lib/brakeman/processors/lib/rails4_config_processor.rb +2 -1
- data/lib/brakeman/processors/lib/render_helper.rb +3 -1
- data/lib/brakeman/processors/library_processor.rb +9 -0
- data/lib/brakeman/processors/model_processor.rb +32 -0
- data/lib/brakeman/processors/output_processor.rb +1 -1
- data/lib/brakeman/processors/template_alias_processor.rb +5 -0
- data/lib/brakeman/report/ignore/config.rb +5 -1
- data/lib/brakeman/report/ignore/interactive.rb +1 -1
- data/lib/brakeman/report/report_base.rb +0 -2
- data/lib/brakeman/report/report_csv.rb +37 -60
- data/lib/brakeman/report/report_github.rb +31 -0
- data/lib/brakeman/report/report_junit.rb +2 -2
- data/lib/brakeman/report/report_sarif.rb +133 -0
- data/lib/brakeman/report/report_sonar.rb +38 -0
- data/lib/brakeman/report/report_tabs.rb +1 -1
- data/lib/brakeman/report/report_text.rb +38 -17
- data/lib/brakeman/report.rb +19 -1
- data/lib/brakeman/rescanner.rb +7 -5
- data/lib/brakeman/scanner.rb +65 -31
- data/lib/brakeman/tracker/collection.rb +57 -7
- data/lib/brakeman/tracker/config.rb +87 -5
- data/lib/brakeman/tracker/constants.rb +8 -7
- data/lib/brakeman/tracker/controller.rb +1 -1
- data/lib/brakeman/tracker/method_info.rb +70 -0
- data/lib/brakeman/tracker.rb +42 -5
- data/lib/brakeman/util.rb +58 -21
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +10 -2
- data/lib/brakeman/warning_codes.rb +13 -0
- data/lib/brakeman.rb +45 -6
- data/lib/ruby_parser/bm_sexp.rb +33 -9
- metadata +201 -123
- data/bundle/ruby/2.7.0/gems/haml-5.1.2/lib/haml/escapable.rb +0 -50
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.14.2/debugging.md +0 -18
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.14.2/lib/rp_stringscanner.rb +0 -64
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.14.2/lib/ruby20_parser.rb +0 -7042
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.14.2/lib/ruby21_parser.rb +0 -7113
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.14.2/lib/ruby22_parser.rb +0 -7146
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.14.2/lib/ruby23_parser.rb +0 -7163
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.14.2/lib/ruby24_parser.rb +0 -7175
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.14.2/lib/ruby25_parser.rb +0 -7175
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.14.2/lib/ruby26_parser.rb +0 -7195
- data/bundle/ruby/2.7.0/gems/unicode-display_width-1.6.1/data/display_width.marshal.gz +0 -0
data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.6.1 → unicode-display_width-1.8.0}/README.md
RENAMED
@@ -2,7 +2,7 @@
|
|
2
2
|
|
3
3
|
Determines the monospace display width of a string in Ruby. Implementation based on [EastAsianWidth.txt](https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt) and other data, 100% in Ruby. Other than [wcwidth()](https://github.com/janlelis/wcswidth-ruby), which fulfills a similar purpose, it does not rely on the OS vendor to provide an up-to-date method for measuring string width.
|
4
4
|
|
5
|
-
Unicode version: **
|
5
|
+
Unicode version: **14.0.0** (September 2021)
|
6
6
|
|
7
7
|
Supported Rubies: **2.7**, **2.6**, **2.5**, **2.4**
|
8
8
|
|
Binary file
|
@@ -1,7 +1,7 @@
|
|
1
1
|
module Unicode
|
2
2
|
module DisplayWidth
|
3
|
-
VERSION = '1.
|
4
|
-
UNICODE_VERSION = "
|
3
|
+
VERSION = '1.8.0'
|
4
|
+
UNICODE_VERSION = "14.0.0"
|
5
5
|
DATA_DIRECTORY = File.expand_path(File.dirname(__FILE__) + '/../../../data/').freeze
|
6
6
|
INDEX_FILENAME = (DATA_DIRECTORY + '/display_width.marshal.gz').freeze
|
7
7
|
end
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
data/lib/brakeman/app_tree.rb
CHANGED
@@ -21,13 +21,14 @@ module Brakeman
|
|
21
21
|
end
|
22
22
|
init_options[:additional_libs_path] = options[:additional_libs_path]
|
23
23
|
init_options[:engine_paths] = options[:engine_paths]
|
24
|
+
init_options[:skip_vendor] = options[:skip_vendor]
|
24
25
|
new(root, init_options)
|
25
26
|
end
|
26
27
|
|
27
28
|
# Accepts an array of filenames and paths with the following format and
|
28
29
|
# returns a Regexp to match them:
|
29
30
|
# * "path1/file1.rb" - Matches a specific filename in the project directory.
|
30
|
-
# * "path1/" - Matches any path that
|
31
|
+
# * "path1/" - Matches any path that contains "path1" in the project directory.
|
31
32
|
# * "/path1/ - Matches any path that is rooted at "path1" in the project directory.
|
32
33
|
#
|
33
34
|
def self.regex_for_paths(paths)
|
@@ -62,6 +63,7 @@ module Brakeman
|
|
62
63
|
@engine_paths = init_options[:engine_paths] || []
|
63
64
|
@absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
|
64
65
|
@relative_engine_paths = @engine_paths - @absolute_engine_paths
|
66
|
+
@skip_vendor = init_options[:skip_vendor]
|
65
67
|
@gemspec = nil
|
66
68
|
@root_search_pattern = nil
|
67
69
|
end
|
@@ -96,6 +98,10 @@ module Brakeman
|
|
96
98
|
end
|
97
99
|
end
|
98
100
|
|
101
|
+
def ruby_file_paths
|
102
|
+
find_paths(".").uniq
|
103
|
+
end
|
104
|
+
|
99
105
|
def initializer_paths
|
100
106
|
@initializer_paths ||= prioritize_concerns(find_paths("config/initializers"))
|
101
107
|
end
|
@@ -109,8 +115,8 @@ module Brakeman
|
|
109
115
|
end
|
110
116
|
|
111
117
|
def template_paths
|
112
|
-
@template_paths ||= find_paths("
|
113
|
-
|
118
|
+
@template_paths ||= find_paths(".", "*.{#{VIEW_EXTENSIONS}}") +
|
119
|
+
find_paths("**", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
|
114
120
|
end
|
115
121
|
|
116
122
|
def layout_exists?(name)
|
@@ -163,7 +169,8 @@ module Brakeman
|
|
163
169
|
def select_files(paths)
|
164
170
|
paths = select_only_files(paths)
|
165
171
|
paths = reject_skipped_files(paths)
|
166
|
-
convert_to_file_paths(paths)
|
172
|
+
paths = convert_to_file_paths(paths)
|
173
|
+
reject_global_excludes(paths)
|
167
174
|
end
|
168
175
|
|
169
176
|
def select_only_files(paths)
|
@@ -182,6 +189,32 @@ module Brakeman
|
|
182
189
|
end
|
183
190
|
end
|
184
191
|
|
192
|
+
EXCLUDED_PATHS = %w[
|
193
|
+
/generators/
|
194
|
+
lib/tasks/
|
195
|
+
lib/templates/
|
196
|
+
db/
|
197
|
+
spec/
|
198
|
+
test/
|
199
|
+
tmp/
|
200
|
+
public/
|
201
|
+
log/
|
202
|
+
]
|
203
|
+
|
204
|
+
def reject_global_excludes(paths)
|
205
|
+
paths.reject do |path|
|
206
|
+
relative_path = path.relative
|
207
|
+
|
208
|
+
if @skip_vendor and relative_path.include? 'vendor/'
|
209
|
+
true
|
210
|
+
else
|
211
|
+
EXCLUDED_PATHS.any? do |excluded|
|
212
|
+
relative_path.include? excluded
|
213
|
+
end
|
214
|
+
end
|
215
|
+
end
|
216
|
+
end
|
217
|
+
|
185
218
|
def match_path files, path
|
186
219
|
absolute_path = Pathname.new(path)
|
187
220
|
# relative root never has a leading separator. But, we use a leading
|
@@ -40,7 +40,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
40
40
|
@mass_assign_disabled = nil
|
41
41
|
@has_user_input = nil
|
42
42
|
@in_array = false
|
43
|
-
@safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id]
|
43
|
+
@safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id, :uuid]
|
44
44
|
@comparison_ops = Set[:==, :!=, :>, :<, :>=, :<=]
|
45
45
|
end
|
46
46
|
|
@@ -151,6 +151,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
151
151
|
method[-1] == "?"
|
152
152
|
end
|
153
153
|
|
154
|
+
TEMP_FILE_PATH = s(:call, s(:call, s(:const, :Tempfile), :new), :path).freeze
|
155
|
+
|
156
|
+
def temp_file_path? exp
|
157
|
+
exp == TEMP_FILE_PATH
|
158
|
+
end
|
159
|
+
|
154
160
|
#Report a warning
|
155
161
|
def warn options
|
156
162
|
extra_opts = { :check => self.class.to_s }
|
@@ -467,7 +473,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
467
473
|
end
|
468
474
|
|
469
475
|
def gemfile_or_environment gem_name = :rails
|
470
|
-
if gem_name and info = tracker.config.get_gem(gem_name)
|
476
|
+
if gem_name and info = tracker.config.get_gem(gem_name.to_sym)
|
471
477
|
info
|
472
478
|
elsif @app_tree.exists?("Gemfile")
|
473
479
|
@app_tree.file_path "Gemfile"
|
@@ -507,4 +513,14 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
|
|
507
513
|
string_building? exp.target or
|
508
514
|
string_building? exp.first_arg
|
509
515
|
end
|
516
|
+
|
517
|
+
I18N_CLASS = s(:const, :I18n)
|
518
|
+
|
519
|
+
def locale_call? exp
|
520
|
+
return unless call? exp
|
521
|
+
|
522
|
+
(exp.target == I18N_CLASS and
|
523
|
+
exp.method == :locale) or
|
524
|
+
locale_call? exp.target
|
525
|
+
end
|
510
526
|
end
|
@@ -57,6 +57,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
|
|
57
57
|
|
58
58
|
# Check if the block of a result contains a comparison of password to string
|
59
59
|
def include_password_literal? result
|
60
|
+
return false if result[:block_args].nil?
|
61
|
+
|
60
62
|
@password_var = result[:block_args].last
|
61
63
|
@include_password = false
|
62
64
|
process result[:block]
|
@@ -0,0 +1,28 @@
|
|
1
|
+
require 'brakeman/checks/base_check'
|
2
|
+
|
3
|
+
class Brakeman::CheckCSRFTokenForgeryCVE < Brakeman::BaseCheck
|
4
|
+
Brakeman::Checks.add self
|
5
|
+
|
6
|
+
@description = "Checks for versions with CSRF token forgery vulnerability (CVE-2020-8166)"
|
7
|
+
|
8
|
+
def run_check
|
9
|
+
fix_version = case
|
10
|
+
when version_between?('0.0.0', '5.2.4.2')
|
11
|
+
'5.2.4.3'
|
12
|
+
when version_between?('6.0.0', '6.0.3')
|
13
|
+
'6.0.3.1'
|
14
|
+
else
|
15
|
+
nil
|
16
|
+
end
|
17
|
+
|
18
|
+
if fix_version
|
19
|
+
warn :warning_type => "Cross-Site Request Forgery",
|
20
|
+
:warning_code => :CVE_2020_8166,
|
21
|
+
:message => msg(msg_version(rails_version), " has a vulnerability that may allow CSRF token forgery. Upgrade to ", msg_version(fix_version), " or patch"),
|
22
|
+
:confidence => :medium,
|
23
|
+
:gem_info => gemfile_or_environment,
|
24
|
+
:link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
28
|
+
|
@@ -13,7 +13,23 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
|
|
13
13
|
end
|
14
14
|
|
15
15
|
def check_yaml
|
16
|
-
check_methods :YAML, :
|
16
|
+
check_methods :YAML, :load_documents, :load_stream, :parse_documents, :parse_stream
|
17
|
+
|
18
|
+
# Check for safe_yaml gem use with YAML.load(..., safe: true)
|
19
|
+
if uses_safe_yaml?
|
20
|
+
tracker.find_call(target: :YAML, method: :load).each do |result|
|
21
|
+
call = result[:call]
|
22
|
+
options = call.second_arg
|
23
|
+
|
24
|
+
if hash? options and true? hash_access(options, :safe)
|
25
|
+
next
|
26
|
+
else
|
27
|
+
check_deserialize result, :YAML
|
28
|
+
end
|
29
|
+
end
|
30
|
+
else
|
31
|
+
check_methods :YAML, :load
|
32
|
+
end
|
17
33
|
end
|
18
34
|
|
19
35
|
def check_csv
|
@@ -102,4 +118,8 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
|
|
102
118
|
|
103
119
|
false
|
104
120
|
end
|
121
|
+
|
122
|
+
def uses_safe_yaml?
|
123
|
+
tracker.config.has_gem? :safe_yaml
|
124
|
+
end
|
105
125
|
end
|
@@ -26,7 +26,7 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
|
|
26
26
|
def check_detailed_exceptions
|
27
27
|
tracker.controllers.each do |_name, controller|
|
28
28
|
controller.methods_public.each do |method_name, definition|
|
29
|
-
src = definition
|
29
|
+
src = definition.src
|
30
30
|
body = src.body.last
|
31
31
|
next unless body
|
32
32
|
|
@@ -0,0 +1,23 @@
|
|
1
|
+
require_relative 'eol_check'
|
2
|
+
|
3
|
+
class Brakeman::CheckEOLRails < Brakeman::EOLCheck
|
4
|
+
Brakeman::Checks.add self
|
5
|
+
|
6
|
+
@description = "Checks for unsupported versions of Rails"
|
7
|
+
|
8
|
+
def run_check
|
9
|
+
return unless tracker.config.rails_version
|
10
|
+
|
11
|
+
check_eol_version :rails, RAILS_EOL_DATES
|
12
|
+
end
|
13
|
+
|
14
|
+
RAILS_EOL_DATES = {
|
15
|
+
['2.0.0', '2.3.99'] => Date.new(2013, 6, 25),
|
16
|
+
['3.0.0', '3.2.99'] => Date.new(2016, 6, 30),
|
17
|
+
['4.0.0', '4.2.99'] => Date.new(2017, 4, 27),
|
18
|
+
['5.0.0', '5.0.99'] => Date.new(2018, 5, 9),
|
19
|
+
['5.1.0', '5.1.99'] => Date.new(2019, 8, 25),
|
20
|
+
['5.2.0', '5.2.99'] => Date.new(2022, 6, 1),
|
21
|
+
['6.0.0', '6.0.99'] => Date.new(2023, 6, 1),
|
22
|
+
}
|
23
|
+
end
|
@@ -0,0 +1,26 @@
|
|
1
|
+
require_relative 'eol_check'
|
2
|
+
|
3
|
+
class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
|
4
|
+
Brakeman::Checks.add self
|
5
|
+
|
6
|
+
@description = "Checks for unsupported versions of Ruby"
|
7
|
+
|
8
|
+
def run_check
|
9
|
+
return unless tracker.config.ruby_version
|
10
|
+
|
11
|
+
check_eol_version :ruby, RUBY_EOL_DATES
|
12
|
+
end
|
13
|
+
|
14
|
+
RUBY_EOL_DATES = {
|
15
|
+
['0.0.0', '1.9.3'] => Date.new(2015, 2, 23),
|
16
|
+
['2.0.0', '2.0.99'] => Date.new(2016, 2, 24),
|
17
|
+
['2.1.0', '2.1.99'] => Date.new(2017, 3, 31),
|
18
|
+
['2.2.0', '2.2.99'] => Date.new(2018, 3, 31),
|
19
|
+
['2.3.0', '2.3.99'] => Date.new(2019, 3, 31),
|
20
|
+
['2.4.0', '2.4.99'] => Date.new(2020, 3, 31),
|
21
|
+
['2.5.0', '2.5.99'] => Date.new(2021, 3, 31),
|
22
|
+
['2.6.0', '2.6.99'] => Date.new(2022, 3, 31),
|
23
|
+
['2.7.0', '2.7.99'] => Date.new(2023, 3, 31),
|
24
|
+
['3.0.0', '2.8.99'] => Date.new(2024, 3, 31),
|
25
|
+
}
|
26
|
+
end
|
@@ -10,7 +10,7 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
|
|
10
10
|
#Process calls
|
11
11
|
def run_check
|
12
12
|
Brakeman.debug "Finding eval-like calls"
|
13
|
-
calls = tracker.find_call :
|
13
|
+
calls = tracker.find_call methods: [:eval, :instance_eval, :class_eval, :module_eval], nested: true
|
14
14
|
|
15
15
|
Brakeman.debug "Processing eval-like calls"
|
16
16
|
calls.each do |call|
|
@@ -87,6 +87,16 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
|
|
87
87
|
dangerous_interp?(first_arg) ||
|
88
88
|
dangerous_string_building?(first_arg)
|
89
89
|
end
|
90
|
+
when :capture2, :capture2e, :capture3
|
91
|
+
# Open3 capture methods can take a :stdin_data argument which is used as the
|
92
|
+
# the input to the called command so it is not succeptable to command injection.
|
93
|
+
# As such if the last argument is a hash (and therefore execution options) it
|
94
|
+
# should be ignored
|
95
|
+
|
96
|
+
args.pop if hash?(args.last) && args.length > 2
|
97
|
+
failure = include_user_input?(args) ||
|
98
|
+
dangerous_interp?(args) ||
|
99
|
+
dangerous_string_building?(args)
|
90
100
|
else
|
91
101
|
failure = include_user_input?(args) ||
|
92
102
|
dangerous_interp?(args) ||
|
@@ -204,11 +214,12 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
|
|
204
214
|
next if node_type? e, :lit, :str
|
205
215
|
next if SAFE_VALUES.include? e
|
206
216
|
next if shell_escape? e
|
217
|
+
next if temp_file_path? e
|
207
218
|
|
208
219
|
if node_type? e, :if
|
209
220
|
# If we're in a conditional, evaluate the `then` and `else` clauses to
|
210
221
|
# see if they're dangerous.
|
211
|
-
if res = dangerous?(e.
|
222
|
+
if res = dangerous?(e.sexp_body.sexp_body)
|
212
223
|
return res
|
213
224
|
end
|
214
225
|
elsif node_type? e, :or, :evstr, :dstr
|
@@ -0,0 +1,38 @@
|
|
1
|
+
require 'brakeman/checks/base_check'
|
2
|
+
|
3
|
+
class Brakeman::CheckJSONEntityEscape < Brakeman::BaseCheck
|
4
|
+
Brakeman::Checks.add self
|
5
|
+
|
6
|
+
@description = "Check if HTML escaping is disabled for JSON output"
|
7
|
+
|
8
|
+
def run_check
|
9
|
+
check_config_setting
|
10
|
+
check_manual_disable
|
11
|
+
end
|
12
|
+
|
13
|
+
def check_config_setting
|
14
|
+
if false? tracker.config.rails.dig(:active_support, :escape_html_entities_in_json)
|
15
|
+
warn :warning_type => "Cross-Site Scripting",
|
16
|
+
:warning_code => :json_html_escape_config,
|
17
|
+
:message => msg("HTML entities in JSON are not escaped by default"),
|
18
|
+
:confidence => :medium,
|
19
|
+
:file => "config/environments/production.rb",
|
20
|
+
:line => 1
|
21
|
+
end
|
22
|
+
end
|
23
|
+
|
24
|
+
def check_manual_disable
|
25
|
+
tracker.find_call(targets: [:ActiveSupport, :'ActiveSupport::JSON::Encoding'], method: :escape_html_entities_in_json=).each do |result|
|
26
|
+
setting = result[:call].first_arg
|
27
|
+
|
28
|
+
if false? setting
|
29
|
+
warn :result => result,
|
30
|
+
:warning_type => "Cross-Site Scripting",
|
31
|
+
:warning_code => :json_html_escape_module,
|
32
|
+
:message => msg("HTML entities in JSON are not escaped by default"),
|
33
|
+
:confidence => :medium,
|
34
|
+
:file => "config/environments/production.rb"
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
@@ -74,7 +74,7 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
|
|
74
74
|
warning_type = "Denial of Service"
|
75
75
|
confidence = :medium
|
76
76
|
gem_name = "#{name} gem"
|
77
|
-
message = msg(msg_version(version, gem_name), " has a symbol creation
|
77
|
+
message = msg(msg_version(version, gem_name), " has a symbol creation vulnerability. Upgrade to ")
|
78
78
|
|
79
79
|
if version >= "1.7.0"
|
80
80
|
confidence = :high
|
@@ -17,6 +17,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
|
|
17
17
|
def run_check
|
18
18
|
check_mass_assignment
|
19
19
|
check_permit!
|
20
|
+
check_permit_all_parameters
|
20
21
|
end
|
21
22
|
|
22
23
|
def find_mass_assign_calls
|
@@ -68,17 +69,15 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
|
|
68
69
|
if check and original? res
|
69
70
|
|
70
71
|
model = tracker.models[res[:chain].first]
|
71
|
-
|
72
72
|
attr_protected = (model and model.attr_protected)
|
73
|
+
first_arg = call.first_arg
|
73
74
|
|
74
75
|
if attr_protected and tracker.options[:ignore_attr_protected]
|
75
76
|
return
|
77
|
+
elsif call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
|
78
|
+
return
|
76
79
|
elsif input = include_user_input?(call.arglist)
|
77
|
-
|
78
|
-
|
79
|
-
if call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
|
80
|
-
return
|
81
|
-
elsif not node_type? first_arg, :hash
|
80
|
+
if not node_type? first_arg, :hash
|
82
81
|
if attr_protected
|
83
82
|
confidence = :medium
|
84
83
|
else
|
@@ -159,12 +158,27 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
|
|
159
158
|
# Look for and warn about uses of Parameters#permit! for mass assignment
|
160
159
|
def check_permit!
|
161
160
|
tracker.find_call(:method => :permit!, :nested => true).each do |result|
|
162
|
-
if params? result[:call].target
|
163
|
-
|
161
|
+
if params? result[:call].target
|
162
|
+
unless inside_safe_method? result or calls_slice? result
|
163
|
+
warn_on_permit! result
|
164
|
+
end
|
164
165
|
end
|
165
166
|
end
|
166
167
|
end
|
167
168
|
|
169
|
+
# Ignore blah_some_path(params.permit!)
|
170
|
+
def inside_safe_method? result
|
171
|
+
parent_call = result.dig(:parent, :call)
|
172
|
+
|
173
|
+
call? parent_call and
|
174
|
+
parent_call.method.match(/_path$/)
|
175
|
+
end
|
176
|
+
|
177
|
+
def calls_slice? result
|
178
|
+
result[:chain].include? :slice or
|
179
|
+
(result[:full_call] and result[:full_call][:chain].include? :slice)
|
180
|
+
end
|
181
|
+
|
168
182
|
# Look for actual use of params in mass assignment to avoid
|
169
183
|
# warning about uses of Parameters#permit! without any mass assignment
|
170
184
|
# or when mass assignment is restricted by model instead.
|
@@ -190,7 +204,21 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
|
|
190
204
|
warn :result => result,
|
191
205
|
:warning_type => "Mass Assignment",
|
192
206
|
:warning_code => :mass_assign_permit!,
|
193
|
-
:message =>
|
207
|
+
:message => msg('Specify exact keys allowed for mass assignment instead of using ', msg_code('permit!'), ' which allows any keys'),
|
194
208
|
:confidence => confidence
|
195
209
|
end
|
210
|
+
|
211
|
+
def check_permit_all_parameters
|
212
|
+
tracker.find_call(target: :"ActionController::Parameters", method: :permit_all_parameters=).each do |result|
|
213
|
+
call = result[:call]
|
214
|
+
|
215
|
+
if true? call.first_arg
|
216
|
+
warn :result => result,
|
217
|
+
:warning_type => "Mass Assignment",
|
218
|
+
:warning_code => :mass_assign_permit_all,
|
219
|
+
:message => msg('Mass assignment is globally enabled. Disable and specify exact keys using ', msg_code('params.permit'), ' instead'),
|
220
|
+
:confidence => :high
|
221
|
+
end
|
222
|
+
end
|
223
|
+
end
|
196
224
|
end
|
@@ -8,7 +8,7 @@ require 'brakeman/checks/base_check'
|
|
8
8
|
class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
|
9
9
|
Brakeman::Checks.add self
|
10
10
|
|
11
|
-
@description = "Reports models which have dangerous attributes defined
|
11
|
+
@description = "Reports models which have dangerous attributes defined via attr_accessible"
|
12
12
|
|
13
13
|
SUSP_ATTRS = [
|
14
14
|
[:admin, :high], # Very dangerous unless some Rails authorization used
|
@@ -8,7 +8,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
|
|
8
8
|
@description = "Reports models which do not use attr_restricted and warns on models that use attr_protected"
|
9
9
|
|
10
10
|
def run_check
|
11
|
-
return if mass_assign_disabled?
|
11
|
+
return if mass_assign_disabled? or tracker.config.has_gem?(:protected_attributes)
|
12
12
|
|
13
13
|
#Roll warnings into one warning for all models
|
14
14
|
if tracker.options[:collapse_mass_assignment]
|
@@ -0,0 +1,37 @@
|
|
1
|
+
require 'brakeman/checks/base_check'
|
2
|
+
|
3
|
+
class Brakeman::CheckPageCachingCVE < Brakeman::BaseCheck
|
4
|
+
Brakeman::Checks.add self
|
5
|
+
|
6
|
+
@description = "Check for page caching vulnerability (CVE-2020-8159)"
|
7
|
+
|
8
|
+
def run_check
|
9
|
+
gem_name = 'actionpack-page_caching'
|
10
|
+
gem_version = tracker.config.gem_version(gem_name.to_sym)
|
11
|
+
upgrade_version = '1.2.2'
|
12
|
+
cve = 'CVE-2020-8159'
|
13
|
+
|
14
|
+
return unless gem_version and version_between?('0.0.0', '1.2.1', gem_version)
|
15
|
+
|
16
|
+
message = msg("Directory traversal vulnerability in ", msg_version(gem_version, gem_name), " ", msg_cve(cve), ". Upgrade to ", msg_version(upgrade_version, gem_name))
|
17
|
+
|
18
|
+
if uses_caches_page?
|
19
|
+
confidence = :high
|
20
|
+
else
|
21
|
+
confidence = :weak
|
22
|
+
end
|
23
|
+
|
24
|
+
warn :warning_type => 'Directory Traversal',
|
25
|
+
:warning_code => :CVE_2020_8159,
|
26
|
+
:message => message,
|
27
|
+
:confidence => confidence,
|
28
|
+
:link_path => 'https://groups.google.com/d/msg/rubyonrails-security/CFRVkEytdP8/c5gmICECAgAJ',
|
29
|
+
:gem_info => gemfile_or_environment(gem_name)
|
30
|
+
end
|
31
|
+
|
32
|
+
def uses_caches_page?
|
33
|
+
tracker.controllers.any? do |name, controller|
|
34
|
+
controller.options.has_key? :caches_page
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
@@ -3,7 +3,7 @@ require 'brakeman/checks/base_check'
|
|
3
3
|
class Brakeman::CheckPermitAttributes < Brakeman::BaseCheck
|
4
4
|
Brakeman::Checks.add self
|
5
5
|
|
6
|
-
@description = "Warn on potentially dangerous attributes
|
6
|
+
@description = "Warn on potentially dangerous attributes allowed via permit"
|
7
7
|
|
8
8
|
SUSPICIOUS_KEYS = {
|
9
9
|
admin: :high,
|
@@ -33,6 +33,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
|
|
33
33
|
view = result[:call][2]
|
34
34
|
|
35
35
|
if sexp? view and original? result
|
36
|
+
return if renderable?(view)
|
36
37
|
|
37
38
|
if input = has_immediate_user_input?(view)
|
38
39
|
if string_interp? view
|
@@ -94,4 +95,17 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
|
|
94
95
|
end
|
95
96
|
end
|
96
97
|
end
|
97
|
-
|
98
|
+
|
99
|
+
def renderable? exp
|
100
|
+
return false unless call?(exp) and constant?(exp.target)
|
101
|
+
|
102
|
+
target_class_name = class_name(exp.target)
|
103
|
+
known_renderable_class?(target_class_name) or tracker.find_method(:render_in, target_class_name)
|
104
|
+
end
|
105
|
+
|
106
|
+
def known_renderable_class? class_name
|
107
|
+
klass = tracker.find_class(class_name)
|
108
|
+
return false if klass.nil?
|
109
|
+
klass.ancestor? :"ViewComponent::Base"
|
110
|
+
end
|
111
|
+
end
|
@@ -90,7 +90,8 @@ class Brakeman::CheckSanitizeMethods < Brakeman::BaseCheck
|
|
90
90
|
def loofah_vulnerable_cve_2018_8048?
|
91
91
|
loofah_version = tracker.config.gem_version(:loofah)
|
92
92
|
|
93
|
-
|
93
|
+
# 2.2.1 is fix version
|
94
|
+
loofah_version and version_between?("0.0.0", "2.2.0", loofah_version)
|
94
95
|
end
|
95
96
|
|
96
97
|
def warn_sanitizer_cve cve, link, upgrade_version
|
@@ -4,8 +4,8 @@ require 'brakeman/checks/base_check'
|
|
4
4
|
#
|
5
5
|
# skip_before_filter :verify_authenticity_token, :except => [...]
|
6
6
|
#
|
7
|
-
#which is essentially a
|
8
|
-
#ones listed) versus a
|
7
|
+
#which is essentially a skip-by-default approach (no actions are checked EXCEPT the
|
8
|
+
#ones listed) versus a enforce-by-default approach (ONLY the actions listed will skip
|
9
9
|
#the check)
|
10
10
|
class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
|
11
11
|
Brakeman::Checks.add self
|
@@ -26,7 +26,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
|
|
26
26
|
warn :class => controller.name, #ugh this should be a controller warning, too
|
27
27
|
:warning_type => "Cross-Site Request Forgery",
|
28
28
|
:warning_code => :csrf_blacklist,
|
29
|
-
:message => msg("
|
29
|
+
:message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping CSRF check"),
|
30
30
|
:code => filter,
|
31
31
|
:confidence => :medium,
|
32
32
|
:file => controller.file
|
@@ -35,7 +35,7 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
|
|
35
35
|
warn :controller => controller.name,
|
36
36
|
:warning_code => :auth_blacklist,
|
37
37
|
:warning_type => "Authentication",
|
38
|
-
:message => msg("
|
38
|
+
:message => msg("List specific actions (", msg_code(":only => [..]"), ") when skipping authentication"),
|
39
39
|
:code => filter,
|
40
40
|
:confidence => :medium,
|
41
41
|
:link_path => "authentication_whitelist",
|