brakeman 4.9.0 → 5.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2c34a5dde886bb8433eaf2b407a3be4a53cf7cde9c6c439a1438b25caf359096
-  data.tar.gz: 46689fbf4debd45a041ac0eaff08b06bee7f03c90707332a0ee145ba18884328
+  metadata.gz: 1d660b98db2252a6aa69d39bb56c6950aa7d9713f10831807d6ab837df54657d
+  data.tar.gz: 6999959ba9f8380f36c1d999e04b0d79e48ea9536fd9820485c4960bce769d60
 SHA512:
-  metadata.gz: 5efc78c8ae5aa23e9557fd60e97799119d0a124ba70c5f7fb8dea801e4273071cad44aebc8bd8b019cb01790f17dcdc737998d52835332ac705898582084eb3e
-  data.tar.gz: 1c503845173d3f1b199f60451f7a7ce3f0844689097cfbd650cca058934cbbfd6cc8de0f292de5f562359dcc845acaa070d0b6aad626faf5bed28405c82b8622
+  metadata.gz: b6738f567478a47fd36de992706968c1c42a237dd97d4527434a60fa9ddea5b7a7acb54d8b72e6bc282fd1805126953a358e399a19dab4c0c5e7fd92b4a857ed
+  data.tar.gz: 43f16437835dabb65a7b73981779460e7648e1fa2ba772320132e7500af55c8861effda46f3b181310bdd753dbf1c59af12b3ecdfed5844505e2cf5cbff866fa

data/CHANGES.md

@@ -1,3 +1,47 @@
+# 5.0.0 - 2021-01-26
+
+* Ignore `uuid` as a safe attribute
+* Collapse `__send__` calls
+* Ignore `Tempfile#path` in shell commands
+* Ignore development environment
+* Revamp CSV report to a CSV list of warnings
+* Set Rails configuration defaults based on `load_defaults` version
+* Add check for (more) unsafe method reflection
+* Suggest using `--force` if no Rails application is detected
+* Add Sonarqube report format (Adam England)
+* Add check for potential HTTP verb confusion
+* Add `--[no-]skip-vendor` option
+* Scan (almost) all Ruby files in project
+
+# 4.10.1 - 2020-12-24
+
+* Declare REXML as a dependency (Ruby 3.0 compatibility)
+* Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
+* Prevent render loops when template names are absolute paths
+* Ensure RubyParser is passed file path as a String
+* Support new Haml 5.2.0 escaping method
+
+# 5.0.0.pre1 - 2020-11-17
+
+* Add check for (more) unsafe method reflection
+* Suggest using `--force` if no Rails application is detected
+* Add Sonarqube report format (Adam England)
+* Add check for potential HTTP verb confusion
+* Add `--[no-]skip-vendor` option
+* Scan (almost) all Ruby files in project
+* Add support for Haml 5.2.0
+
+# 4.10.0 - 2020-09-28
+
+* Add SARIF report format (Steve Winton)
+
+# 4.9.1 - 2020-09-04
+
+* Check `chomp`ed strings for SQL injection
+* Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
+* Always set line number for joined arrays
+* Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used
+
 # 4.9.0 - 2020-08-04
 
 * Add check for CVE-2020-8166 (Jamie Finnigan)

data/README.md

@@ -76,7 +76,7 @@ To specify an output file for the results:
 
     brakeman -o output_file
 
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, and `codeclimate`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, and `sonar`.
 
 Multiple output files can be specified:
 

data/bundle/load.rb

@@ -3,12 +3,13 @@ $:.unshift "#{path}/bundle/ruby/2.7.0/gems/temple-0.8.2/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/unicode-display_width-1.7.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/slim-4.1.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.15.2/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/highline-2.0.3/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-3.14.2/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby2ruby-2.4.4/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/terminal-table-1.8.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/haml-5.1.2/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/erubis-2.7.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.15.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/haml-5.2.1/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/safe_yaml-1.0.5/lib"

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/CHANGELOG.md

@@ -1,5 +1,21 @@
 # Haml Changelog
 
+## 5.2.1
+
+Released on November 30, 2020
+([diff](https://github.com/haml/haml/compare/v5.2.0...v5.2.1)).
+
+* Add in improved "multiline" support for attributes [#1043](https://github.com/haml/haml/issues/1043)
+
+## 5.2
+
+Released on September 28, 2020
+([diff](https://github.com/haml/haml/compare/v5.1.2...v5.2.0)).
+
+* Fix crash in the attribute optimizer when `#inspect` is overridden in TrueClass / FalseClass [#972](https://github.com/haml/haml/issues/972)
+* Do not HTML-escape templates that are declared to be plaintext [#1014](https://github.com/haml/haml/issues/1014) (Thanks [@cesarizu](https://github.com/cesarizu))
+* Class names are no longer ordered alphabetically, and now follow a new specification as laid out in REFERENCE [#306](https://github.com/haml/haml/issues/306)
+
 ## 5.1.2
 
 Released on August 6, 2019

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/Gemfile

@@ -3,6 +3,7 @@ gemspec
 
 gem "m"
 gem "pry"
+gem "simplecov"
 
 group :docs do
   gem "yard"
@@ -13,7 +14,3 @@ end
 platform :mri do
   gem "ruby-prof"
 end
-
-platform :mri_21 do
-  gem "simplecov"
-end

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/README.md

@@ -1,9 +1,8 @@
 # Haml
 
 [![Gem Version](https://badge.fury.io/rb/haml.svg)](http://rubygems.org/gems/haml)
-[![Build Status](https://travis-ci.org/haml/haml.svg?branch=master)](http://travis-ci.org/haml/haml)
+[![Build Status](https://travis-ci.org/haml/haml.svg?branch=main)](http://travis-ci.org/haml/haml)
 [![Code Climate](https://codeclimate.com/github/haml/haml/badges/gpa.svg)](https://codeclimate.com/github/haml/haml)
-[![Coverage Status](http://img.shields.io/coveralls/haml/haml.svg)](https://coveralls.io/r/haml/haml)
 [![Inline docs](http://inch-ci.org/github/haml/haml.png)](http://inch-ci.org/github/haml/haml)
 
 Haml is a templating engine for HTML. It's designed to make it both easier and
@@ -32,7 +31,7 @@ to compile it to HTML. For more information on these commands, check out
 haml --help
 ~~~
 
-To use Haml programatically, check out the [YARD documentation](http://haml.info/docs/yardoc/).
+To use Haml programmatically, check out the [YARD documentation](http://haml.info/docs/yardoc/).
 
 ## Using Haml with Rails
 

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/REFERENCE.md

@@ -228,15 +228,19 @@ is compiled to:
     <html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'></html>
 
 Attribute hashes can also be stretched out over multiple lines to accommodate
-many attributes. However, newlines may only be placed immediately after commas.
-For example:
+many attributes.
 
-    %script{:type => "text/javascript",
-            :src  => "javascripts/script_#{2 + 7}"}
+    %script{
+      "type": text/javascript",
+      "src": javascripts/script_#{2 + 7}",
+      "data": {
+        "controller": "reporter",
+      },
+    }
 
 is compiled to:
 
-    <script src='javascripts/script_9' type='text/javascript'></script>
+    <script src='javascripts/script_9' type='text/javascript' data-controller='reporter'></script>
 
 #### `:class` and `:id` Attributes {#class-and-id-attributes}
 
@@ -517,6 +521,24 @@ and is compiled to:
       </div>
     </div>
 
+#### Class Name Merging and Ordering
+
+Class names are ordered in the following way:
+
+1) Tag identifiers in order (aka, ".alert.me" => "alert me")
+2) Classes appearing in HTML-style attributes
+3) Classes appearing in Hash-style attributes
+
+For instance, this is a complicated and unintuitive test case illustrating the ordering
+
+    .foo.moo{:class => ['bar', 'alpha']}(class='baz')
+
+The resulting HTML would be as follows:
+
+    <div class='foo moo baz bar alpha'></div>
+
+*Versions of Haml prior to 5.0 would alphabetically sort class names.*
+
 ### Empty (void) Tags: `/`
 
 The forward slash character, when placed at the end of a tag definition, causes
@@ -853,7 +875,7 @@ is compiled to:
 
 ## Ruby Evaluation
 
-### Inserting Ruby: `=`
+### Inserting Ruby: `=` {#inserting_ruby}
 
 The equals character is followed by Ruby code. This code is evaluated and the
 output is inserted into the document. For example:
@@ -1323,7 +1345,7 @@ that just need a lot of template information.
 So data structures and  functions that require lots of arguments
 can be wrapped over multiple lines,
 as long as each line but the last ends in a comma
-(see [Inserting Ruby](#inserting_ruby_)).
+(see [Inserting Ruby](#inserting_ruby)).
 
 ## Whitespace Preservation
 

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/haml.gemspec

@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
   spec.license     = "MIT"
   spec.metadata    = {
     "bug_tracker_uri"   => "https://github.com/haml/haml/issues",
-    "changelog_uri"     => "https://github.com/haml/haml/blob/master/CHANGELOG.md",
+    "changelog_uri"     => "https://github.com/haml/haml/blob/main/CHANGELOG.md",
     "documentation_uri" => "http://haml.info/docs.html",
     "homepage_uri"      => "http://haml.info",
     "mailing_list_uri"  => "https://groups.google.com/forum/?fromgroups#!forum/haml",
@@ -32,6 +32,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rbench'
   spec.add_development_dependency 'minitest', '>= 4.0'
   spec.add_development_dependency 'nokogiri'
+  spec.add_development_dependency 'simplecov'
 
   spec.description = <<-END
 Haml (HTML Abstraction Markup Language) is a layer on top of HTML or XML that's

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/attribute_builder.rb

@@ -36,9 +36,9 @@ module Haml
 
           value =
             if escape_attrs == :once
-              Haml::Helpers.escape_once(value.to_s)
+              Haml::Helpers.escape_once_without_haml_xss(value.to_s)
             elsif escape_attrs
-              Haml::Helpers.html_escape(value.to_s)
+              Haml::Helpers.html_escape_without_haml_xss(value.to_s)
             else
               value.to_s
             end
@@ -126,7 +126,7 @@ module Haml
         elsif key == 'class'
           merged_class = filter_and_join(from, ' ')
           if to && merged_class
-            merged_class = (merged_class.split(' ') | to.split(' ')).sort.join(' ')
+            merged_class = (to.split(' ') | merged_class.split(' ')).join(' ')
           elsif to || merged_class
             merged_class ||= to
           end

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/attribute_compiler.rb

@@ -7,27 +7,7 @@ module Haml
     # @param type [Symbol] :static or :dynamic
     # @param key [String]
     # @param value [String] Actual string value for :static type, value's Ruby literal for :dynamic type.
-    AttributeValue = Struct.new(:type, :key, :value) do
-      # @return [String] A Ruby literal of value.
-      def to_literal
-        case type
-        when :static
-          Haml::Util.inspect_obj(value)
-        when :dynamic
-          value
-        end
-      end
-    end
-
-    # Returns a script to render attributes on runtime.
-    #
-    # @param attributes [Hash]
-    # @param object_ref [String,:nil]
-    # @param dynamic_attributes [DynamicAttributes]
-    # @return [String] Attributes rendering code
-    def self.runtime_build(attributes, object_ref, dynamic_attributes)
-      "_hamlout.attributes(#{Haml::Util.inspect_obj(attributes)}, #{object_ref},#{dynamic_attributes.to_literal})"
-    end
+    AttributeValue = Struct.new(:type, :key, :value)
 
     # @param options [Haml::Options]
     def initialize(options)
@@ -41,16 +21,16 @@ module Haml
     #
     # @param attributes [Hash]
     # @param object_ref [String,:nil]
-    # @param dynamic_attributes [DynamicAttributes]
+    # @param dynamic_attributes [Haml::Parser::DynamicAttributes]
     # @return [Array] Temple expression
     def compile(attributes, object_ref, dynamic_attributes)
       if object_ref != :nil || !AttributeParser.available?
-        return [:dynamic, AttributeCompiler.runtime_build(attributes, object_ref, dynamic_attributes)]
+        return [:dynamic, compile_runtime_build(attributes, object_ref, dynamic_attributes)]
       end
 
       parsed_hashes = [dynamic_attributes.new, dynamic_attributes.old].compact.map do |attribute_hash|
         unless (hash = AttributeParser.parse(attribute_hash))
-          return [:dynamic, AttributeCompiler.runtime_build(attributes, object_ref, dynamic_attributes)]
+          return [:dynamic, compile_runtime_build(attributes, object_ref, dynamic_attributes)]
         end
         hash
       end
@@ -64,6 +44,16 @@ module Haml
 
     private
 
+    # Returns a script to render attributes on runtime.
+    #
+    # @param attributes [Hash]
+    # @param object_ref [String,:nil]
+    # @param dynamic_attributes [Haml::Parser::DynamicAttributes]
+    # @return [String] Attributes rendering code
+    def compile_runtime_build(attributes, object_ref, dynamic_attributes)
+      "_hamlout.attributes(#{to_literal(attributes)}, #{object_ref}, #{dynamic_attributes.to_literal})"
+    end
+
     # Build array of grouped values whose sort order may go back and forth, which is also sorted with key name.
     # This method needs to group values with the same start because it can be changed in `Haml::AttributeBuidler#build_data_keys`.
     # @param values [Array<Haml::AttributeCompiler::AttributeValue>]
@@ -130,7 +120,7 @@ module Haml
 
       arguments = [@is_html, @attr_wrapper, @escape_attrs, @hyphenate_data_attrs]
       code = "::Haml::AttributeBuilder.build_attributes"\
-        "(#{arguments.map { |a| Haml::Util.inspect_obj(a) }.join(', ')}, { #{hash_content} })"
+        "(#{arguments.map(&method(:to_literal)).join(', ')}, { #{hash_content} })"
       [:static, eval(code).to_s]
     end
 
@@ -139,16 +129,16 @@ module Haml
     # @return [String]
     def merged_value(key, values)
       if values.size == 1
-        values.first.to_literal
+        attr_literal(values.first)
       else
-        "::Haml::AttributeBuilder.merge_values(#{frozen_string(key)}, #{values.map(&:to_literal).join(', ')})"
+        "::Haml::AttributeBuilder.merge_values(#{frozen_string(key)}, #{values.map(&method(:attr_literal)).join(', ')})"
       end
     end
 
     # @param str [String]
     # @return [String]
     def frozen_string(str)
-      "#{Haml::Util.inspect_obj(str)}.freeze"
+      "#{to_literal(str)}.freeze"
     end
 
     # Compiles attribute values for one key to Temple expression that generates ` key='value'`.
@@ -157,7 +147,7 @@ module Haml
     # @param values [Array<AttributeValue>]
     # @return [Array] Temple expression
     def compile_attribute(key, values)
-      if values.all? { |v| Temple::StaticAnalyzer.static?(v.to_literal) }
+      if values.all? { |v| Temple::StaticAnalyzer.static?(attr_literal(v)) }
         return static_build(values)
       end
 
@@ -181,7 +171,7 @@ module Haml
         ['false, nil', [:multi]],
         [:else, [:multi,
                  [:static, " #{id_or_class}=#{@attr_wrapper}"],
-                 [:escape, @escape_attrs, [:dynamic, var]],
+                 [:escape, Escapable::EscapeSafeBuffer.new(@escape_attrs), [:dynamic, var]],
                  [:static, @attr_wrapper]],
         ]
        ],
@@ -201,7 +191,7 @@ module Haml
         ['false, nil', [:multi]],
         [:else, [:multi,
                  [:static, " #{key}=#{@attr_wrapper}"],
-                 [:escape, @escape_attrs, [:dynamic, var]],
+                 [:escape, Escapable::EscapeSafeBuffer.new(@escape_attrs), [:dynamic, var]],
                  [:static, @attr_wrapper]],
         ]
        ],
@@ -220,5 +210,26 @@ module Haml
       @unique_name ||= 0
       "_haml_attribute_compiler#{@unique_name += 1}"
     end
+
+    # @param [Haml::AttributeCompiler::AttributeValue] attr
+    def attr_literal(attr)
+      case attr.type
+      when :static
+        to_literal(attr.value)
+      when :dynamic
+        attr.value
+      end
+    end
+
+    # For haml/haml#972
+    # @param [Object] value
+    def to_literal(value)
+      case value
+      when true, false
+        value.to_s
+      else
+        Haml::Util.inspect_obj(value)
+      end
+    end
   end
 end

data/bundle/ruby/2.7.0/gems/haml-5.2.1/lib/haml/escapable.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module Haml
+  # Like Temple::Filters::Escapable, but with support for escaping by
+  # Haml::Herlpers.html_escape and Haml::Herlpers.escape_once.
+  class Escapable < Temple::Filter
+    # Special value of `flag` to ignore html_safe?
+    EscapeSafeBuffer = Struct.new(:value)
+
+    def initialize(*)
+      super
+      @escape = false
+      @escape_safe_buffer = false
+    end
+
+    def on_escape(flag, exp)
+      old_escape, old_escape_safe_buffer = @escape, @escape_safe_buffer
+      @escape_safe_buffer = flag.is_a?(EscapeSafeBuffer)
+      @escape = @escape_safe_buffer ? flag.value : flag
+      compile(exp)
+    ensure
+      @escape, @escape_safe_buffer = old_escape, old_escape_safe_buffer
+    end
+
+    # The same as Haml::AttributeBuilder.build_attributes
+    def on_static(value)
+      [:static,
+       if @escape == :once
+         escape_once(value)
+       elsif @escape
+         escape(value)
+       else
+         value
+       end
+      ]
+    end
+
+    # The same as Haml::AttributeBuilder.build_attributes
+    def on_dynamic(value)
+      [:dynamic,
+       if @escape == :once
+         escape_once_code(value)
+       elsif @escape
+         escape_code(value)
+       else
+         "(#{value}).to_s"
+       end
+      ]
+    end
+
+    private
+
+    def escape_once(value)
+      if @escape_safe_buffer
+        ::Haml::Helpers.escape_once_without_haml_xss(value)
+      else
+        ::Haml::Helpers.escape_once(value)
+      end
+    end
+
+    def escape(value)
+      if @escape_safe_buffer
+        ::Haml::Helpers.html_escape_without_haml_xss(value)
+      else
+        ::Haml::Helpers.html_escape(value)
+      end
+    end
+
+    def escape_once_code(value)
+      "::Haml::Helpers.escape_once#{('_without_haml_xss' if @escape_safe_buffer)}((#{value}))"
+    end
+
+    def escape_code(value)
+      "::Haml::Helpers.html_escape#{('_without_haml_xss' if @escape_safe_buffer)}((#{value}))"
+    end
+  end
+end