brakeman 5.0.0 → 5.0.1

data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby27_parser.y

@@ -22,6 +22,7 @@ token kCLASS kMODULE kDEF kUNDEF kBEGIN kRESCUE kENSURE kEND kIF kUNLESS
       tRATIONAL tIMAGINARY
       tLABEL_END
        tLONELY
+       tBDOT2 tBDOT3
 
 preclow
   nonassoc tLOWEST
@@ -33,7 +34,7 @@ preclow
   right    tEQL tOP_ASGN
   left     kRESCUE_MOD
   right    tEH tCOLON
-  nonassoc tDOT2 tDOT3
+  nonassoc tDOT2 tDOT3 tBDOT2 tBDOT3
   left     tOROP
   left     tANDOP
   nonassoc tCMP tEQ tEQQ tNEQ tMATCH tNMATCH
@@ -56,6 +57,9 @@ rule
                     top_compstmt
                     {
                       result = new_compstmt val
+
+                      lexer.cond.pop # local_pop
+                      lexer.cmdarg.pop
                     }
 
     top_compstmt: top_stmts opt_terms
@@ -818,6 +822,22 @@ rule
 
                       result = s(:dot3, v1, v2).line v1.line
                     }
+
+                | tBDOT2 arg
+                    {
+                      _, v2, = val
+                      v1 = nil
+
+                      result = s(:dot2, v1, v2).line v2.line
+                    }
+                | tBDOT3 arg
+                    {
+                      _, v2 = val
+                      v1 = nil
+
+                      result = s(:dot3, v1, v2).line v2.line
+                    }
+
                 | arg tPLUS arg
                     {
                       result = new_call val[0], :+, argl(val[2])
@@ -989,6 +1009,16 @@ rule
                       _, args, _ = val
                       result = args
                     }
+                | tLPAREN2 args_forward rparen
+                    {
+                      if (!self.lexer.is_local_id(:"*") ||
+                            !self.lexer.is_local_id(:"**") ||
+                            !self.lexer.is_local_id(:"&")) then
+
+                        yyerror("Invalid argument forwarding")
+                      end
+                      result = call_args [s(:forward_args).line(lexer.lineno)]
+                    }
 
   opt_paren_args: none
                 | paren_args
@@ -2269,6 +2299,19 @@ keyword_variable: kNIL      { result = s(:nil).line lexer.lineno }
                       self.lexer.lex_state = EXPR_BEG
                       self.lexer.command_start = true
                     }
+                | tLPAREN2 args_forward rparen
+                    {
+                      args_rest = :"*"
+                      kwargs_rest = :"**"
+                      block_fwd = :"&"
+                      self.env[args_rest] = :lvar
+                      self.env[kwargs_rest] = :lvar
+                      self.env[block_fwd] = :lvar
+
+                      result = s(:args, s(:forward_args)).line lexer.lineno
+                      self.lexer.lex_state = EXPR_BEG
+                      self.lexer.command_start = true
+                    }
                 |   {
                       result = self.in_kwarg
                       self.in_kwarg = true
@@ -2368,6 +2411,8 @@ keyword_variable: kNIL      { result = s(:nil).line lexer.lineno }
                       result = args val
                     }
 
+       args_forward: tBDOT3
+
        f_bad_arg: tCONSTANT
                     {
                       yyerror "formal argument cannot be a constant"
@@ -2496,6 +2541,7 @@ keyword_variable: kNIL      { result = s(:nil).line lexer.lineno }
                 | kwrest_mark
                     {
                       result = :"**"
+                      self.env[result] = :lvar
                     }
 
            f_opt: f_arg_asgn tEQL arg_value

data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby_lexer.rb

@@ -25,6 +25,11 @@ class RubyLexer
 
   HAS_ENC = "".respond_to? :encoding
 
+  BTOKENS = {
+    ".."  => :tBDOT2,
+    "..." => :tBDOT3,
+  }
+
   TOKENS = {
     "!"   => :tBANG,
     "!="  => :tNEQ,
@@ -131,6 +136,10 @@ class RubyLexer
     ss.eos?
   end
 
+  def expr_beg?
+    lex_state =~ EXPR_BEG
+  end
+
   def expr_dot?
     lex_state =~ EXPR_DOT
   end
@@ -580,6 +589,12 @@ class RubyLexer
     end
   end
 
+  def process_dots text
+    tokens = ruby27plus? && expr_beg? ? BTOKENS : TOKENS
+
+    result EXPR_BEG, tokens[text], text
+  end
+
   def process_float text
     rb_compile_error "Invalid numeric format" if text =~ /__/
 
@@ -1136,6 +1151,10 @@ class RubyLexer
     parser.class.version <= 24
   end
 
+  def ruby27plus?
+    parser.class.version >= 27
+  end
+
   def scan re
     ss.scan re
   end

data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby_lexer.rex

@@ -48,7 +48,7 @@ rule
 |               /\![=~]?/               { result :arg_state, TOKENS[text], text }
 
 : /\./
-|               /\.\.\.?/               { result EXPR_BEG, TOKENS[text], text }
+|               /\.\.\.?/               process_dots
 |               /\.\d/                  { rb_compile_error "no .<digit> floating literal anymore put 0 before dot" }
 |               /\./                    { self.lex_state = EXPR_BEG; result EXPR_DOT, :tDOT, "." }
 

data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby_lexer.rex.rb

@@ -138,7 +138,7 @@ class RubyLexer
           when ss.match?(/\./) then
             case
             when text = ss.scan(/\.\.\.?/) then
-              action { result EXPR_BEG, TOKENS[text], text }
+              process_dots text
             when ss.skip(/\.\d/) then
               action { rb_compile_error "no .<digit> floating literal anymore put 0 before dot" }
             when ss.skip(/\./) then

data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby_parser.yy

@@ -46,6 +46,9 @@ token kCLASS kMODULE kDEF kUNDEF kBEGIN kRESCUE kENSURE kEND kIF kUNLESS
 #if V >= 23
        tLONELY
 #endif
+#if V >= 26
+       tBDOT2 tBDOT3
+#endif
 
 preclow
   nonassoc tLOWEST
@@ -57,7 +60,7 @@ preclow
   right    tEQL tOP_ASGN
   left     kRESCUE_MOD
   right    tEH tCOLON
-  nonassoc tDOT2 tDOT3
+  nonassoc tDOT2 tDOT3 tBDOT2 tBDOT3
   left     tOROP
   left     tANDOP
   nonassoc tCMP tEQ tEQQ tNEQ tMATCH tNMATCH
@@ -80,6 +83,9 @@ rule
                     top_compstmt
                     {
                       result = new_compstmt val
+
+                      lexer.cond.pop # local_pop
+                      lexer.cmdarg.pop
                     }
 
     top_compstmt: top_stmts opt_terms
@@ -856,6 +862,24 @@ rule
                       result = s(:dot3, v1, v2).line v1.line
                     }
 #endif
+
+#if V >= 27
+                | tBDOT2 arg
+                    {
+                      _, v2, = val
+                      v1 = nil
+
+                      result = s(:dot2, v1, v2).line v2.line
+                    }
+                | tBDOT3 arg
+                    {
+                      _, v2 = val
+                      v1 = nil
+
+                      result = s(:dot3, v1, v2).line v2.line
+                    }
+#endif
+
                 | arg tPLUS arg
                     {
                       result = new_call val[0], :+, argl(val[2])
@@ -1040,6 +1064,18 @@ rule
                       _, args, _ = val
                       result = args
                     }
+#if V >= 27
+                | tLPAREN2 args_forward rparen
+                    {
+                      if (!self.lexer.is_local_id(:"*") ||
+                            !self.lexer.is_local_id(:"**") ||
+                            !self.lexer.is_local_id(:"&")) then
+
+                        yyerror("Invalid argument forwarding")
+                      end
+                      result = call_args [s(:forward_args).line(lexer.lineno)]
+                    }
+#endif
 
   opt_paren_args: none
                 | paren_args
@@ -2340,6 +2376,21 @@ keyword_variable: kNIL      { result = s(:nil).line lexer.lineno }
                       self.lexer.lex_state = EXPR_BEG
                       self.lexer.command_start = true
                     }
+#if V >= 27
+                | tLPAREN2 args_forward rparen
+                    {
+                      args_rest = :"*"
+                      kwargs_rest = :"**"
+                      block_fwd = :"&"
+                      self.env[args_rest] = :lvar
+                      self.env[kwargs_rest] = :lvar
+                      self.env[block_fwd] = :lvar
+
+                      result = s(:args, s(:forward_args)).line lexer.lineno
+                      self.lexer.lex_state = EXPR_BEG
+                      self.lexer.command_start = true
+                    }
+#endif
                 |   {
                       result = self.in_kwarg
                       self.in_kwarg = true
@@ -2439,6 +2490,8 @@ keyword_variable: kNIL      { result = s(:nil).line lexer.lineno }
                       result = args val
                     }
 
+       args_forward: tBDOT3
+
        f_bad_arg: tCONSTANT
                     {
                       yyerror "formal argument cannot be a constant"
@@ -2587,6 +2640,7 @@ keyword_variable: kNIL      { result = s(:nil).line lexer.lineno }
                 | kwrest_mark
                     {
                       result = :"**"
+                      self.env[result] = :lvar
                     }
 
 #if V == 20

data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/tools/munge.rb

@@ -197,8 +197,8 @@ ARGF.each_line do |line|
     puts line.gsub("true", "1").gsub("false", "0")
   when /^lex_state: :?([\w|]+) -> :?([\w|]+)(?: (?:at|from) (.*))?/ then
     a, b, c = $1.upcase, $2.upcase, $3
-    a.gsub! /EXPR_/, ""
-    b.gsub! /EXPR_/, ""
+    a.gsub!(/EXPR_/, "")
+    b.gsub!(/EXPR_/, "")
     if c && $v then
       puts "lex_state: #{a} -> #{b} at #{c}"
     else

data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/tools/ripper.rb

@@ -1,4 +1,4 @@
-#!/usr/bin/env ruby -ws
+#!/Users/ryan/.rubies/ruby-2.7.1/bin/ruby -ws
 
 $d ||= false
 $p ||= false

data/lib/brakeman.rb

@@ -157,10 +157,17 @@ module Brakeman
     end
   end
 
-  CONFIG_FILES = [
-    File.expand_path("~/.brakeman/config.yml"),
-    File.expand_path("/etc/brakeman/config.yml")
-  ]
+  CONFIG_FILES = begin
+                   [
+                     File.expand_path("~/.brakeman/config.yml"),
+                     File.expand_path("/etc/brakeman/config.yml")
+                   ]
+                 rescue ArgumentError
+                   # In case $HOME or $USER aren't defined for use of `~`
+                   [
+                     File.expand_path("/etc/brakeman/config.yml")
+                   ]
+                 end
 
   def self.config_file custom_location, app_path
     app_config = File.expand_path(File.join(app_path, "config", "brakeman.yml"))

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -69,17 +69,15 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
     if check and original? res
 
       model = tracker.models[res[:chain].first]
-
       attr_protected = (model and model.attr_protected)
+      first_arg = call.first_arg
 
       if attr_protected and tracker.options[:ignore_attr_protected]
         return
+      elsif call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
+        return
       elsif input = include_user_input?(call.arglist)
-        first_arg = call.first_arg
-
-        if call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
-          return
-        elsif not node_type? first_arg, :hash
+        if not node_type? first_arg, :hash
           if attr_protected
             confidence = :medium
           else

data/lib/brakeman/parsers/template_parser.rb

@@ -9,6 +9,7 @@ module Brakeman
     def initialize tracker, file_parser
       @tracker = tracker
       @file_parser = file_parser
+      @slim_smart = nil # Load slim/smart ?
     end
 
     def parse_template path, text
@@ -88,6 +89,14 @@ module Brakeman
 
     def parse_slim path, text
       Brakeman.load_brakeman_dependency 'slim'
+
+      if @slim_smart.nil? and load_slim_smart?
+        @slim_smart = true
+        Brakeman.load_brakeman_dependency 'slim/smart'
+      else
+        @slim_smart = false
+      end
+
       require_relative 'slim_embedded'
 
       Slim::Template.new(path,
@@ -95,6 +104,21 @@ module Brakeman
                          :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
     end
 
+    def load_slim_smart?
+      return !@slim_smart unless @slim_smart.nil?
+
+      # Terrible hack to find
+      #   gem "slim", "~> 3.0.1", require: ["slim", "slim/smart"]
+      if tracker.app_tree.exists? 'Gemfile'
+        gemfile_contents = tracker.app_tree.file_path('Gemfile').read
+        if gemfile_contents.include? 'slim/smart'
+          return true
+        end
+      end
+
+      false
+    end
+
     def self.parse_inline_erb tracker, text
       fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
       tp = self.new(tracker, fp)

data/lib/brakeman/processors/alias_processor.rb

@@ -183,6 +183,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       return exp
     end
 
+    # If x(*[1,2,3]) change to x(1,2,3)
+    # if that's the only argument
+    if splat_array? exp.first_arg and exp.second_arg.nil?
+      exp.arglist = exp.first_arg[1].sexp_body
+    end
+
     target = exp.target
     method = exp.method
     first_arg = exp.first_arg
@@ -195,11 +201,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       res = process_or_simple_operation(exp)
       return res if res
     elsif target == ARRAY_CONST and method == :new
-      return Sexp.new(:array, *exp.args)
+      return Sexp.new(:array, *exp.args).line(exp.line)
     elsif target == HASH_CONST and method == :new and first_arg.nil? and !node_type?(@exp_context.last, :iter)
-      return Sexp.new(:hash)
+      return Sexp.new(:hash).line(exp.line)
     elsif exp == RAILS_TEST or exp == RAILS_DEV
-      return Sexp.new(:false)
+      return Sexp.new(:false).line(exp.line)
     end
 
     #See if it is possible to simplify some basic cases
@@ -237,7 +243,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
-        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
+        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2)).line(exp.line)
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
@@ -288,7 +294,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
   # Painful conversion of Array#join into string interpolation
   def process_array_join array, join_str
-    result = s()
+    result = s().line(array.line)
 
     join_value = if string? join_str
                    join_str.value
@@ -326,11 +332,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     result.unshift combined_first
 
     # Have to fix up strings that follow interpolation
-    result.reduce(s(:dstr)) do |memo, e|
+    result.reduce(s(:dstr).line(array.line)) do |memo, e|
       if string? e and node_type? memo.last, :evstr
         e.value = "#{join_value}#{e.value}"
       elsif join_value and node_type? memo.last, :evstr and node_type? e, :evstr
-        memo << s(:str, join_value)
+        memo << s(:str, join_value).line(e.line)
       end
 
       memo << e
@@ -341,9 +347,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     if item.is_a? String
       "#{item}#{join_value}"
     elsif string? item or symbol? item or number? item
-      s(:str, "#{item.value}#{join_value}")
+      s(:str, "#{item.value}#{join_value}").line(item.line)
     else
-      s(:evstr, item)
+      s(:evstr, item).line(item.line)
     end
   end
 
@@ -359,6 +365,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     s(:call, TEMP_FILE_CLASS, :new).line(line)
   end
 
+  def splat_array? exp
+    node_type? exp, :splat and
+      node_type? exp[1], :array
+  end
+
   def process_iter exp
     @exp_context.push exp
     exp[1] = process exp.block_call
@@ -679,7 +690,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         end
       end
     else
-      new_value = process s(:call, s(:call, target_var, :[], index), exp[3], value)
+      new_value = process s(:call, s(:call, target_var, :[], index), exp[3], value).line(exp.line)
 
       env[match] = new_value
     end