brakeman 4.9.1 → 5.0.1

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers.rb

@@ -607,9 +607,12 @@ MESSAGE
     # @param text [String] The string to sanitize
     # @return [String] The sanitized string
     def html_escape(text)
-      ERB::Util.html_escape(text)
+      CGI.escapeHTML(text.to_s)
     end
 
+    # Always escape text regardless of html_safe?
+    alias_method :html_escape_without_haml_xss, :html_escape
+
     HTML_ESCAPE_ONCE_REGEX = /['"><]|&(?!(?:[a-zA-Z]+|#(?:\d+|[xX][0-9a-fA-F]+));)/
 
     # Escapes HTML entities in `text`, but without escaping an ampersand
@@ -622,6 +625,9 @@ MESSAGE
       text.gsub(HTML_ESCAPE_ONCE_REGEX, HTML_ESCAPE)
     end
 
+    # Always escape text once regardless of html_safe?
+    alias_method :escape_once_without_haml_xss, :escape_once
+
     # Returns whether or not the current template is a Haml template.
     #
     # This function, unlike other {Haml::Helpers} functions,

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/helpers/xss_mods.rb

@@ -8,12 +8,15 @@ module Haml
     # to work with Rails' XSS protection methods.
     module XssMods
       def self.included(base)
-        %w[html_escape find_and_preserve preserve list_of surround
-           precede succeed capture_haml haml_concat haml_internal_concat haml_indent
-           escape_once].each do |name|
+        %w[find_and_preserve preserve list_of surround
+           precede succeed capture_haml haml_concat haml_internal_concat haml_indent].each do |name|
           base.send(:alias_method, "#{name}_without_haml_xss", name)
           base.send(:alias_method, name, "#{name}_with_haml_xss")
         end
+        # Those two always have _without_haml_xss
+        %w[html_escape escape_once].each do |name|
+          base.send(:alias_method, name, "#{name}_with_haml_xss")
+        end
       end
 
       # Don't escape text that's already safe,

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/parser.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'ripper'
 require 'strscan'
 
 module Haml
@@ -90,6 +91,9 @@ module Haml
     ID_KEY    = 'id'.freeze
     CLASS_KEY = 'class'.freeze
 
+    # Used for scanning old attributes, substituting the first '{'
+    METHOD_CALL_PREFIX = 'a('
+
     def initialize(options)
       @options = Options.wrap(options)
       # Record the indent levels of "if" statements to validate the subsequent
@@ -307,7 +311,7 @@ module Haml
         return ParseNode.new(:plain, line.index + 1, :text => line.text)
       end
 
-      escape_html = @options.escape_html if escape_html.nil?
+      escape_html = @options.escape_html && @options.mime_type != 'text/plain' if escape_html.nil?
       line.text = unescape_interpolation(line.text, escape_html)
       script(line, false)
     end
@@ -651,13 +655,18 @@ module Haml
     # @return [String] rest
     # @return [Integer] last_line
     def parse_old_attributes(text)
-      text = text.dup
       last_line = @line.index + 1
 
       begin
-        attributes_hash, rest = balance(text, ?{, ?})
+        # Old attributes often look like a valid Hash literal, but it sometimes allow code like
+        # `{ hash, foo: bar }`, which is compiled to `_hamlout.attributes({}, nil, hash, foo: bar)`.
+        #
+        # To scan such code correctly, this scans `a( hash, foo: bar }` instead, stops when there is
+        # 1 more :on_embexpr_end (the last '}') than :on_embexpr_beg, and resurrects '{' afterwards.
+        balanced, rest = balance_tokens(text.sub(?{, METHOD_CALL_PREFIX), :on_embexpr_beg, :on_embexpr_end, count: 1)
+        attributes_hash = balanced.sub(METHOD_CALL_PREFIX, ?{)
       rescue SyntaxError => e
-        if text.strip[-1] == ?, && e.message == Error.message(:unbalanced_brackets)
+        if e.message == Error.message(:unbalanced_brackets) && !@template.empty?
           text << "\n#{@next_line.text}"
           last_line += 1
           next_line
@@ -811,6 +820,25 @@ module Haml
       Haml::Util.balance(*args) or raise(SyntaxError.new(Error.message(:unbalanced_brackets)))
     end
 
+    # Unlike #balance, this balances Ripper tokens to balance something like `{ a: "}" }` correctly.
+    def balance_tokens(buf, start, finish, count: 0)
+      text = ''.dup
+      Ripper.lex(buf).each do |_, token, str|
+        text << str
+        case token
+        when start
+          count += 1
+        when finish
+          count -= 1
+        end
+
+        if count == 0
+          return text, buf.sub(text, '')
+        end
+      end
+      raise SyntaxError.new(Error.message(:unbalanced_brackets))
+    end
+
     def block_opened?
       @next_line.tabs > @line.tabs
     end

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/util.rb

@@ -213,7 +213,7 @@ MSG
             scan.scan(/\w+/)
           end
           content = eval("\"#{interpolated}\"")
-          content.prepend(char) if char == '@' || char == '$'
+          content = "#{char}#{content}" if char == '@' || char == '$'
           content = "Haml::Helpers.html_escape((#{content}))" if escape_html
 
           res << "\#{#{content}}"

data/bundle/ruby/2.7.0/gems/{haml-5.1.2 → haml-5.2.1}/lib/haml/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Haml
-  VERSION = "5.1.2"
+  VERSION = "5.2.1"
 end

data/bundle/ruby/2.7.0/gems/rexml-3.2.5/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (C) 1993-2013 Yukihiro Matsumoto. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.

data/bundle/ruby/2.7.0/gems/rexml-3.2.5/NEWS.md

@@ -0,0 +1,178 @@
+# News
+
+## 3.2.5 - 2021-04-05 {#version-3-2-5}
+
+### Improvements
+
+  * Add more validations to XPath parser.
+
+  * `require "rexml/docuemnt"` by default.
+    [GitHub#36][Patch by Koichi ITO]
+
+  * Don't add `#dcloe` method to core classes globally.
+    [GitHub#37][Patch by Akira Matsuda]
+
+  * Add more documentations.
+    [Patch by Burdette Lamar]
+
+  * Added `REXML::Elements#parent`.
+    [GitHub#52][Patch by Burdette Lamar]
+
+### Fixes
+
+  * Fixed a bug that `REXML::DocType#clone` doesn't copy external ID
+    information.
+
+  * Fixed round-trip vulnerability bugs.
+    See also: https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
+    [HackerOne#1104077][CVE-2021-28965][Reported by Juho Nurminen]
+
+### Thanks
+
+  * Koichi ITO
+
+  * Akira Matsuda
+
+  * Burdette Lamar
+
+  * Juho Nurminen
+
+## 3.2.4 - 2020-01-31 {#version-3-2-4}
+
+### Improvements
+
+  * Don't use `taint` with Ruby 2.7 or later.
+    [GitHub#21][Patch by Jeremy Evans]
+
+### Fixes
+
+  * Fixed a `elsif` typo.
+    [GitHub#22][Patch by Nobuyoshi Nakada]
+
+### Thanks
+
+  * Jeremy Evans
+
+  * Nobuyoshi Nakada
+
+## 3.2.3 - 2019-10-12 {#version-3-2-3}
+
+### Fixes
+
+  * Fixed a bug that `REXML::XMLDecl#close` doesn't copy `@writethis`.
+    [GitHub#20][Patch by hirura]
+
+### Thanks
+
+  * hirura
+
+## 3.2.2 - 2019-06-03 {#version-3-2-2}
+
+### Fixes
+
+  * xpath: Fixed a bug for equality and relational expressions.
+    [GitHub#17][Reported by Mirko Budszuhn]
+
+  * xpath: Fixed `boolean()` implementation.
+
+  * xpath: Fixed `local_name()` with nonexistent node.
+
+  * xpath: Fixed `number()` implementation with node set.
+    [GitHub#18][Reported by Mirko Budszuhn]
+
+### Thanks
+
+  * Mirko Budszuhn
+
+## 3.2.1 - 2019-05-04 {#version-3-2-1}
+
+### Improvements
+
+  * Improved error message.
+    [GitHub#12][Patch by FUJI Goro]
+
+  * Improved error message.
+    [GitHub#16][Patch by ujihisa]
+
+  * Improved documentation markup.
+    [GitHub#14][Patch by Alyssa Ross]
+
+### Fixes
+
+  * Fixed a bug that `nil` variable value raises an unexpected exception.
+    [GitHub#13][Patch by Alyssa Ross]
+
+### Thanks
+
+  * FUJI Goro
+
+  * Alyssa Ross
+
+  * ujihisa
+
+## 3.2.0 - 2019-01-01 {#version-3-2-0}
+
+### Fixes
+
+  * Fixed a bug that no namespace attribute isn't matched with prefix.
+
+    [ruby-list:50731][Reported by Yasuhiro KIMURA]
+
+  * Fixed a bug that the default namespace is applied to attribute names.
+
+    NOTE: It's a backward incompatible change. If your program has any
+    problem with this change, please report it. We may revert this fix.
+
+    * `REXML::Attribute#prefix` returns `""` for no namespace attribute.
+
+    * `REXML::Attribute#namespace` returns `""` for no namespace attribute.
+
+### Thanks
+
+  * Yasuhiro KIMURA
+
+## 3.1.9 - 2018-12-20 {#version-3-1-9}
+
+### Improvements
+
+  * Improved backward compatibility.
+
+    Restored `REXML::Parsers::BaseParser::UNQME_STR` because it's used
+    by kramdown.
+
+## 3.1.8 - 2018-12-20 {#version-3-1-8}
+
+### Improvements
+
+  * Added support for customizing quote character in prologue.
+    [GitHub#8][Bug #9367][Reported by Takashi Oguma]
+
+    * You can use `"` as quote character by specifying `:quote` to
+      `REXML::Document#context[:prologue_quote]`.
+
+    * You can use `'` as quote character by specifying `:apostrophe`
+      to `REXML::Document#context[:prologue_quote]`.
+
+  * Added processing instruction target check. The target must not nil.
+    [GitHub#7][Reported by Ariel Zelivansky]
+
+  * Added name check for element and attribute.
+    [GitHub#7][Reported by Ariel Zelivansky]
+
+  * Stopped to use `Exception`.
+    [GitHub#9][Patch by Jean Boussier]
+
+### Fixes
+
+  * Fixed a bug that `REXML::Text#clone` escapes value twice.
+    [ruby-dev:50626][Bug #15058][Reported by Ryosuke Nanba]
+
+### Thanks
+
+  * Takashi Oguma
+
+  * Ariel Zelivansky
+
+  * Jean Boussier
+
+  * Ryosuke Nanba

data/bundle/ruby/2.7.0/gems/rexml-3.2.5/README.md

@@ -0,0 +1,48 @@
+# REXML
+
+REXML was inspired by the Electric XML library for Java, which features an easy-to-use API, small size, and speed. Hopefully, REXML, designed with the same philosophy, has these same features. I've tried to keep the API as intuitive as possible, and have followed the Ruby methodology for method naming and code flow, rather than mirroring the Java API.
+
+REXML supports both tree and stream document parsing. Stream parsing is faster (about 1.5 times as fast). However, with stream parsing, you don't get access to features such as XPath.
+
+## API
+
+See the {API documentation}[https://ruby.github.io/rexml/]
+
+## Usage
+
+We'll start with parsing an XML document
+
+```ruby
+require "rexml/document"
+file = File.new( "mydoc.xml" )
+doc = REXML::Document.new file
+```
+
+Line 3 creates a new document and parses the supplied file. You can also do the following
+
+```ruby
+require "rexml/document"
+include REXML  # so that we don't have to prefix everything with REXML::...
+string = <<EOF
+  <mydoc>
+    <someelement attribute="nanoo">Text, text, text</someelement>
+  </mydoc>
+EOF
+doc = Document.new string
+```
+
+So parsing a string is just as easy as parsing a file.
+
+## Development
+
+After checking out the repo, run `rake test` to run the tests.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/ruby/rexml.
+
+## License
+
+The gem is available as open source under the terms of the [BSD-2-Clause](LICENSE.txt).

data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require_relative "rexml/document"

data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/attlistdecl.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: false
+#vim:ts=2 sw=2 noexpandtab:
+require_relative 'child'
+require_relative 'source'
+
+module REXML
+  # This class needs:
+  # * Documentation
+  # * Work!  Not all types of attlists are intelligently parsed, so we just
+  # spew back out what we get in.  This works, but it would be better if
+  # we formatted the output ourselves.
+  #
+  # AttlistDecls provide *just* enough support to allow namespace
+  # declarations.  If you need some sort of generalized support, or have an
+  # interesting idea about how to map the hideous, terrible design of DTD
+  # AttlistDecls onto an intuitive Ruby interface, let me know.  I'm desperate
+  # for anything to make DTDs more palateable.
+  class AttlistDecl < Child
+    include Enumerable
+
+    # What is this?  Got me.
+    attr_reader :element_name
+
+    # Create an AttlistDecl, pulling the information from a Source.  Notice
+    # that this isn't very convenient; to create an AttlistDecl, you basically
+    # have to format it yourself, and then have the initializer parse it.
+    # Sorry, but for the foreseeable future, DTD support in REXML is pretty
+    # weak on convenience.  Have I mentioned how much I hate DTDs?
+    def initialize(source)
+      super()
+      if (source.kind_of? Array)
+        @element_name, @pairs, @contents = *source
+      end
+    end
+
+    # Access the attlist attribute/value pairs.
+    #  value = attlist_decl[ attribute_name ]
+    def [](key)
+      @pairs[key]
+    end
+
+    # Whether an attlist declaration includes the given attribute definition
+    #  if attlist_decl.include? "xmlns:foobar"
+    def include?(key)
+      @pairs.keys.include? key
+    end
+
+    # Iterate over the key/value pairs:
+    #  attlist_decl.each { |attribute_name, attribute_value| ... }
+    def each(&block)
+      @pairs.each(&block)
+    end
+
+    # Write out exactly what we got in.
+    def write out, indent=-1
+      out << @contents
+    end
+
+    def node_type
+      :attlistdecl
+    end
+  end
+end