brakeman 5.0.0.pre1 → 5.0.0

data/bundle/ruby/2.7.0/gems/rexml-3.2.4/rexml.gemspec

@@ -0,0 +1,84 @@
+begin
+  require_relative "lib/rexml/rexml"
+rescue LoadError
+  # for Ruby core repository
+  require_relative "rexml"
+end
+
+Gem::Specification.new do |spec|
+  spec.name          = "rexml"
+  spec.version       = REXML::VERSION
+  spec.authors       = ["Kouhei Sutou"]
+  spec.email         = ["kou@cozmixng.org"]
+
+  spec.summary       = %q{An XML toolkit for Ruby}
+  spec.description   = %q{An XML toolkit for Ruby}
+  spec.homepage      = "https://github.com/ruby/rexml"
+  spec.license       = "BSD-2-Clause"
+
+  spec.files         = [
+    ".gitignore",
+    ".travis.yml",
+    "Gemfile",
+    "LICENSE.txt",
+    "NEWS.md",
+    "README.md",
+    "Rakefile",
+    "lib/rexml/attlistdecl.rb",
+    "lib/rexml/attribute.rb",
+    "lib/rexml/cdata.rb",
+    "lib/rexml/child.rb",
+    "lib/rexml/comment.rb",
+    "lib/rexml/doctype.rb",
+    "lib/rexml/document.rb",
+    "lib/rexml/dtd/attlistdecl.rb",
+    "lib/rexml/dtd/dtd.rb",
+    "lib/rexml/dtd/elementdecl.rb",
+    "lib/rexml/dtd/entitydecl.rb",
+    "lib/rexml/dtd/notationdecl.rb",
+    "lib/rexml/element.rb",
+    "lib/rexml/encoding.rb",
+    "lib/rexml/entity.rb",
+    "lib/rexml/formatters/default.rb",
+    "lib/rexml/formatters/pretty.rb",
+    "lib/rexml/formatters/transitive.rb",
+    "lib/rexml/functions.rb",
+    "lib/rexml/instruction.rb",
+    "lib/rexml/light/node.rb",
+    "lib/rexml/namespace.rb",
+    "lib/rexml/node.rb",
+    "lib/rexml/output.rb",
+    "lib/rexml/parent.rb",
+    "lib/rexml/parseexception.rb",
+    "lib/rexml/parsers/baseparser.rb",
+    "lib/rexml/parsers/lightparser.rb",
+    "lib/rexml/parsers/pullparser.rb",
+    "lib/rexml/parsers/sax2parser.rb",
+    "lib/rexml/parsers/streamparser.rb",
+    "lib/rexml/parsers/treeparser.rb",
+    "lib/rexml/parsers/ultralightparser.rb",
+    "lib/rexml/parsers/xpathparser.rb",
+    "lib/rexml/quickpath.rb",
+    "lib/rexml/rexml.rb",
+    "lib/rexml/sax2listener.rb",
+    "lib/rexml/security.rb",
+    "lib/rexml/source.rb",
+    "lib/rexml/streamlistener.rb",
+    "lib/rexml/text.rb",
+    "lib/rexml/undefinednamespaceexception.rb",
+    "lib/rexml/validation/relaxng.rb",
+    "lib/rexml/validation/validation.rb",
+    "lib/rexml/validation/validationexception.rb",
+    "lib/rexml/xmldecl.rb",
+    "lib/rexml/xmltokens.rb",
+    "lib/rexml/xpath.rb",
+    "lib/rexml/xpath_parser.rb",
+    "rexml.gemspec",
+  ]
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "rake"
+end

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/History.rdoc

@@ -1,3 +1,9 @@
+=== 3.15.1 / 2021-01-10
+
+* 1 bug fix:
+
+  * Bumped ruby version to include < 4 (trunk).
+
 === 3.15.0 / 2020-08-31
 
 * 1 major enhancement:

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.15.0 → ruby_parser-3.15.1}/lib/ruby_parser_extras.rb

@@ -29,7 +29,7 @@ class Sexp
 end
 
 module RubyParserStuff
-  VERSION = "3.15.0"
+  VERSION = "3.15.1"
 
   attr_accessor :lexer, :in_def, :in_single, :file
   attr_accessor :in_kwarg

data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.2}/History.rdoc

@@ -1,3 +1,9 @@
+=== 4.15.2 / 2021-01-10
+
+* 1 bug fix:
+
+  * Bumped ruby version to include < 4 (trunk).
+
 === 4.15.1 / 2020-08-31
 
 * 1 bug fix:

data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.1 → sexp_processor-4.15.2}/lib/sexp_processor.rb

@@ -34,7 +34,7 @@ require "sexp"
 class SexpProcessor
 
   # duh
-  VERSION = "4.15.1"
+  VERSION = "4.15.2"
 
   ##
   # Automatically shifts off the Sexp type before handing the

data/lib/brakeman/checks/base_check.rb

@@ -40,7 +40,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     @mass_assign_disabled = nil
     @has_user_input = nil
     @in_array = false
-    @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id]
+    @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id, :uuid]
     @comparison_ops  = Set[:==, :!=, :>, :<, :>=, :<=]
   end
 
@@ -151,6 +151,12 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     method[-1] == "?"
   end
 
+  TEMP_FILE_PATH = s(:call, s(:call, s(:const, :Tempfile), :new), :path).freeze
+
+  def temp_file_path? exp
+    exp == TEMP_FILE_PATH
+  end
+
   #Report a warning
   def warn options
     extra_opts = { :check => self.class.to_s }

data/lib/brakeman/checks/check_execute.rb

@@ -204,11 +204,12 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       next if node_type? e, :lit, :str
       next if SAFE_VALUES.include? e
       next if shell_escape? e
+      next if temp_file_path? e
 
       if node_type? e, :if
         # If we're in a conditional, evaluate the `then` and `else` clauses to
         # see if they're dangerous.
-        if res = dangerous?(e.values[1..-1])
+        if res = dangerous?(e.sexp_body.sexp_body)
           return res
         end
       elsif node_type? e, :or, :evstr, :dstr

data/lib/brakeman/checks/check_regex_dos.rb

@@ -29,7 +29,7 @@ class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
     return unless original? result
 
     call = result[:call]
-    components = call[1..-1]
+    components = call.sexp_body
 
     components.any? do |component|
       next unless sexp? component

data/lib/brakeman/checks/check_sql.rb

@@ -576,7 +576,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
-    :where_values_hash, :foreign_key
+    :where_values_hash, :foreign_key, :uuid
   ]
 
   def safe_value? exp

data/lib/brakeman/file_parser.rb

@@ -32,7 +32,12 @@ module Brakeman
       end
     end
 
+    # _path_ can be a string or a Brakeman::FilePath
     def parse_ruby input, path
+      if path.is_a? Brakeman::FilePath
+        path = path.relative
+      end
+
       begin
         Brakeman.debug "Parsing #{path}"
         RubyParser.new.parse input, path, @timeout

data/lib/brakeman/processors/alias_processor.rb

@@ -161,6 +161,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   ARRAY_CONST = s(:const, :Array)
   HASH_CONST = s(:const, :Hash)
   RAILS_TEST = s(:call, s(:call, s(:const, :Rails), :env), :test?)
+  RAILS_DEV = s(:call, s(:call, s(:const, :Rails), :env), :development?)
 
   #Process a method call.
   def process_call exp
@@ -186,7 +187,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     method = exp.method
     first_arg = exp.first_arg
 
-    if method == :send or method == :try
+    if method == :send or method == :__send__ or method == :try
       collapse_send_call exp, first_arg
     end
 
@@ -197,7 +198,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       return Sexp.new(:array, *exp.args)
     elsif target == HASH_CONST and method == :new and first_arg.nil? and !node_type?(@exp_context.last, :iter)
       return Sexp.new(:hash)
-    elsif exp == RAILS_TEST
+    elsif exp == RAILS_TEST or exp == RAILS_DEV
       return Sexp.new(:false)
     end
 
@@ -236,7 +237,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
-        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg[2..-1])
+        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
@@ -346,6 +347,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
   end
 
+  TEMP_FILE_CLASS = s(:const, :Tempfile)
+
+  def temp_file_open? exp
+    call? exp and
+      exp.target == TEMP_FILE_CLASS and
+      exp.method == :open
+  end
+
+  def temp_file_new line
+    s(:call, TEMP_FILE_CLASS, :new).line(line)
+  end
+
   def process_iter exp
     @exp_context.push exp
     exp[1] = process exp.block_call
@@ -363,6 +376,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         # Iterating over an array of all literal values
         local = Sexp.new(:lvar, block_args.last)
         env.current[local] = safe_literal(exp.line)
+      elsif temp_file_open? call
+        local = Sexp.new(:lvar, block_args.last)
+        env.current[local] = temp_file_new(exp.line)
       else
         block_args.each do |e|
           #Force block arg(s) to be local
@@ -941,7 +957,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     args = exp.args
     exp.pop # remove last arg
     if args.length > 1
-      exp.arglist = args[1..-1]
+      exp.arglist = args.sexp_body
     end
   end
 

data/lib/brakeman/processors/controller_processor.rb

@@ -202,7 +202,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     end
 
     if node_type? exp.block, :block
-      block_inner = exp.block[1..-1]
+      block_inner = exp.block.sexp_body
     else
       block_inner = [exp.block]
     end

data/lib/brakeman/processors/lib/rails3_config_processor.rb

@@ -57,6 +57,20 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
     exp
   end
 
+  #Look for configuration settings that
+  #are just a call like
+  #
+  #  config.load_defaults 5.2
+  def process_call exp
+    return exp unless @inside_config
+
+    if exp.target == RAILS_CONFIG and exp.first_arg
+      @tracker.config.rails[exp.method] = exp.first_arg
+    end
+
+    exp
+  end
+
   #Look for configuration settings
   def process_attrasgn exp
     return exp unless @inside_config
@@ -71,22 +85,8 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
         @tracker.config.rails[attribute] = exp.first_arg
       end
     elsif include_rails_config? exp
-      options = get_rails_config exp
-      level = @tracker.config.rails
-      options[0..-2].each do |o|
-        level[o] ||= {}
-
-        option = level[o]
-
-        if not option.is_a? Hash
-          Brakeman.debug "[Notice] Skipping config setting: #{options.map(&:to_s).join(".")}"
-          return exp
-        end
-
-        level = level[o]
-      end
-
-      level[options.last] = exp.first_arg
+      options_path = get_rails_config exp
+      @tracker.config.set_rails_config(exp.first_arg, *options_path)
     end
 
     exp

data/lib/brakeman/processors/output_processor.rb

@@ -88,7 +88,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
 
   def process_iter exp
     call = process exp[1]
-    block = process_rlist exp[3..-1]
+    block = process_rlist exp.sexp_body(3)
     out = "#{call} do\n #{block}\n end"
 
     out

data/lib/brakeman/processors/template_alias_processor.rb

@@ -20,6 +20,11 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
 
   #Process template
   def process_template name, args, _, line = nil
+    # Strip forward slash from beginning of template path.
+    # This also happens in RenderHelper#process_template but
+    # we need it here too to accurately avoid circular renders below.
+    name = name.to_s.gsub(/^\//, "")
+
     if @called_from
       if @called_from.include_template? name
         Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"

data/lib/brakeman/report/report_base.rb

@@ -11,8 +11,6 @@ class Brakeman::Report::Base
 
   attr_reader :tracker, :checks
 
-  TEXT_CONFIDENCE = Brakeman::Warning::TEXT_CONFIDENCE
-
   def initialize tracker
     @app_tree = tracker.app_tree
     @tracker = tracker

data/lib/brakeman/report/report_csv.rb

@@ -1,72 +1,49 @@
 require 'csv'
-require "brakeman/report/report_table"
 
-class Brakeman::Report::CSV < Brakeman::Report::Table
+class Brakeman::Report::CSV < Brakeman::Report::Base
   def generate_report
-    output = csv_header
-    output << "\nSUMMARY\n"
-
-    output << table_to_csv(generate_overview) << "\n"
-
-    output << table_to_csv(generate_warning_overview) << "\n"
-
-    #Return output early if only summarizing
-    if tracker.options[:summary_only]
-      return output
-    end
-
-    if tracker.options[:report_routes] or tracker.options[:debug]
-      output << "CONTROLLERS\n"
-      output << table_to_csv(generate_controllers) << "\n"
-    end
-
-    if tracker.options[:debug]
-      output << "TEMPLATES\n\n"
-      output << table_to_csv(generate_templates) << "\n"
+    headers = [
+      "Confidence",
+      "Warning Type",
+      "File",
+      "Line",
+      "Message",
+      "Code",
+      "User Input",
+      "Check Name",
+      "Warning Code",
+      "Fingerprint",
+      "Link"
+    ]
+
+    rows = tracker.filtered_warnings.sort_by do |w|
+      [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
+    end.map do |warning|
+      generate_row(headers, warning)
     end
 
-    res = generate_errors
-    output << "ERRORS\n" << table_to_csv(res) << "\n" if res
-
-    res = generate_warnings
-    output << "SECURITY WARNINGS\n" << table_to_csv(res) << "\n" if res
+    table = CSV::Table.new(rows)
 
-    output << "Controller Warnings\n"
-    res = generate_controller_warnings
-    output << table_to_csv(res) << "\n" if res
-
-    output << "Model Warnings\n"
-    res = generate_model_warnings
-    output << table_to_csv(res) << "\n" if res
-
-    res = generate_template_warnings
-    output << "Template Warnings\n"
-    output << table_to_csv(res) << "\n" if res
-
-    output
+    table.to_csv
   end
 
-  #Generate header for CSV output
-  def csv_header
-    header = CSV.generate_line(["Application Path", "Report Generation Time", "Checks Performed", "Rails Version"])
-    header << CSV.generate_line([File.expand_path(tracker.app_path), Time.now.to_s, checks.checks_run.sort.join(", "), rails_version])
-    "BRAKEMAN REPORT\n\n" + header
+  def generate_row headers, warning
+    CSV::Row.new headers, warning_row(warning)
   end
 
-  # rely on Terminal::Table to build the structure, extract the data out in CSV format
-  def table_to_csv table
-    return "" unless table
-
-    Brakeman.load_brakeman_dependency 'terminal-table'
-    headings = table.headings
-    if headings.is_a? Array
-      headings = headings.first
-    end
-
-    output = CSV.generate_line(headings.cells.map{|cell| cell.to_s.strip})
-    table.rows.each do |row|
-      output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})
-    end
-    output
+  def warning_row warning
+    [
+      warning.confidence_name,
+      warning.warning_type,
+      warning_file(warning),
+      warning.line,
+      warning.message,
+      warning.code && warning.format_code(false),
+      warning.user_input && warning.format_user_input(false),
+      warning.check_name,
+      warning.warning_code,
+      warning.fingerprint,
+      warning.link,
+    ]
   end
 end