brakeman 5.0.0 → 5.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGES.md +9 -0
- data/README.md +10 -1
- data/bundle/load.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/LICENSE.txt +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/NEWS.md +37 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/README.md +2 -14
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml.rb +3 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/attlistdecl.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/attribute.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/cdata.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/child.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/comment.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/doctype.rb +55 -31
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/document.rb +194 -34
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/dtd/attlistdecl.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/dtd/dtd.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/dtd/elementdecl.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/dtd/entitydecl.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/dtd/notationdecl.rb +0 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/element.rb +2599 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/encoding.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/entity.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/formatters/default.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/formatters/pretty.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/formatters/transitive.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/functions.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/instruction.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/light/node.rb +0 -8
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/namespace.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/node.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/output.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/parent.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/parseexception.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/parsers/baseparser.rb +139 -39
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/parsers/lightparser.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/parsers/pullparser.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/parsers/sax2parser.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/parsers/streamparser.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/parsers/treeparser.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/parsers/ultralightparser.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/parsers/xpathparser.rb +25 -11
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/quickpath.rb +0 -0
- data/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib/rexml/rexml.rb +37 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/sax2listener.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/security.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/source.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/streamlistener.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/text.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/undefinednamespaceexception.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/validation/relaxng.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/validation/validation.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/validation/validationexception.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/xmldecl.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/xmltokens.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/xpath.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{rexml-3.2.4 → rexml-3.2.5}/lib/rexml/xpath_parser.rb +36 -30
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/debugging.md +133 -0
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby20_parser.rb +2550 -2537
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby20_parser.y +9 -1
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby21_parser.rb +2717 -2709
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby21_parser.y +9 -1
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby22_parser.rb +2662 -2637
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby22_parser.y +9 -1
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby23_parser.rb +2585 -2561
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby23_parser.y +9 -1
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby24_parser.rb +2622 -2607
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby24_parser.y +9 -1
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby25_parser.rb +2612 -2598
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby25_parser.y +9 -1
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby26_parser.rb +2610 -2594
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby26_parser.y +10 -1
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby27_parser.rb +3446 -3312
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby27_parser.y +47 -1
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby_lexer.rb +19 -0
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby_lexer.rex +1 -1
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby_lexer.rex.rb +1 -1
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib/ruby_parser.yy +55 -1
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/tools/munge.rb +2 -2
- data/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/tools/ripper.rb +1 -1
- data/lib/brakeman.rb +11 -4
- data/lib/brakeman/checks/check_mass_assignment.rb +4 -6
- data/lib/brakeman/parsers/template_parser.rb +24 -0
- data/lib/brakeman/processors/alias_processor.rb +21 -10
- data/lib/brakeman/processors/base_processor.rb +4 -4
- data/lib/brakeman/processors/lib/rails4_config_processor.rb +2 -1
- data/lib/brakeman/version.rb +1 -1
- metadata +55 -56
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/Gemfile +0 -6
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/element.rb +0 -1269
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/rexml.rb +0 -32
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/rexml.gemspec +0 -84
@@ -22,6 +22,7 @@ token kCLASS kMODULE kDEF kUNDEF kBEGIN kRESCUE kENSURE kEND kIF kUNLESS
|
|
22
22
|
tRATIONAL tIMAGINARY
|
23
23
|
tLABEL_END
|
24
24
|
tLONELY
|
25
|
+
tBDOT2 tBDOT3
|
25
26
|
|
26
27
|
preclow
|
27
28
|
nonassoc tLOWEST
|
@@ -33,7 +34,7 @@ preclow
|
|
33
34
|
right tEQL tOP_ASGN
|
34
35
|
left kRESCUE_MOD
|
35
36
|
right tEH tCOLON
|
36
|
-
nonassoc tDOT2 tDOT3
|
37
|
+
nonassoc tDOT2 tDOT3 tBDOT2 tBDOT3
|
37
38
|
left tOROP
|
38
39
|
left tANDOP
|
39
40
|
nonassoc tCMP tEQ tEQQ tNEQ tMATCH tNMATCH
|
@@ -56,6 +57,9 @@ rule
|
|
56
57
|
top_compstmt
|
57
58
|
{
|
58
59
|
result = new_compstmt val
|
60
|
+
|
61
|
+
lexer.cond.pop # local_pop
|
62
|
+
lexer.cmdarg.pop
|
59
63
|
}
|
60
64
|
|
61
65
|
top_compstmt: top_stmts opt_terms
|
@@ -818,6 +822,22 @@ rule
|
|
818
822
|
|
819
823
|
result = s(:dot3, v1, v2).line v1.line
|
820
824
|
}
|
825
|
+
|
826
|
+
| tBDOT2 arg
|
827
|
+
{
|
828
|
+
_, v2, = val
|
829
|
+
v1 = nil
|
830
|
+
|
831
|
+
result = s(:dot2, v1, v2).line v2.line
|
832
|
+
}
|
833
|
+
| tBDOT3 arg
|
834
|
+
{
|
835
|
+
_, v2 = val
|
836
|
+
v1 = nil
|
837
|
+
|
838
|
+
result = s(:dot3, v1, v2).line v2.line
|
839
|
+
}
|
840
|
+
|
821
841
|
| arg tPLUS arg
|
822
842
|
{
|
823
843
|
result = new_call val[0], :+, argl(val[2])
|
@@ -989,6 +1009,16 @@ rule
|
|
989
1009
|
_, args, _ = val
|
990
1010
|
result = args
|
991
1011
|
}
|
1012
|
+
| tLPAREN2 args_forward rparen
|
1013
|
+
{
|
1014
|
+
if (!self.lexer.is_local_id(:"*") ||
|
1015
|
+
!self.lexer.is_local_id(:"**") ||
|
1016
|
+
!self.lexer.is_local_id(:"&")) then
|
1017
|
+
|
1018
|
+
yyerror("Invalid argument forwarding")
|
1019
|
+
end
|
1020
|
+
result = call_args [s(:forward_args).line(lexer.lineno)]
|
1021
|
+
}
|
992
1022
|
|
993
1023
|
opt_paren_args: none
|
994
1024
|
| paren_args
|
@@ -2269,6 +2299,19 @@ keyword_variable: kNIL { result = s(:nil).line lexer.lineno }
|
|
2269
2299
|
self.lexer.lex_state = EXPR_BEG
|
2270
2300
|
self.lexer.command_start = true
|
2271
2301
|
}
|
2302
|
+
| tLPAREN2 args_forward rparen
|
2303
|
+
{
|
2304
|
+
args_rest = :"*"
|
2305
|
+
kwargs_rest = :"**"
|
2306
|
+
block_fwd = :"&"
|
2307
|
+
self.env[args_rest] = :lvar
|
2308
|
+
self.env[kwargs_rest] = :lvar
|
2309
|
+
self.env[block_fwd] = :lvar
|
2310
|
+
|
2311
|
+
result = s(:args, s(:forward_args)).line lexer.lineno
|
2312
|
+
self.lexer.lex_state = EXPR_BEG
|
2313
|
+
self.lexer.command_start = true
|
2314
|
+
}
|
2272
2315
|
| {
|
2273
2316
|
result = self.in_kwarg
|
2274
2317
|
self.in_kwarg = true
|
@@ -2368,6 +2411,8 @@ keyword_variable: kNIL { result = s(:nil).line lexer.lineno }
|
|
2368
2411
|
result = args val
|
2369
2412
|
}
|
2370
2413
|
|
2414
|
+
args_forward: tBDOT3
|
2415
|
+
|
2371
2416
|
f_bad_arg: tCONSTANT
|
2372
2417
|
{
|
2373
2418
|
yyerror "formal argument cannot be a constant"
|
@@ -2496,6 +2541,7 @@ keyword_variable: kNIL { result = s(:nil).line lexer.lineno }
|
|
2496
2541
|
| kwrest_mark
|
2497
2542
|
{
|
2498
2543
|
result = :"**"
|
2544
|
+
self.env[result] = :lvar
|
2499
2545
|
}
|
2500
2546
|
|
2501
2547
|
f_opt: f_arg_asgn tEQL arg_value
|
@@ -25,6 +25,11 @@ class RubyLexer
|
|
25
25
|
|
26
26
|
HAS_ENC = "".respond_to? :encoding
|
27
27
|
|
28
|
+
BTOKENS = {
|
29
|
+
".." => :tBDOT2,
|
30
|
+
"..." => :tBDOT3,
|
31
|
+
}
|
32
|
+
|
28
33
|
TOKENS = {
|
29
34
|
"!" => :tBANG,
|
30
35
|
"!=" => :tNEQ,
|
@@ -131,6 +136,10 @@ class RubyLexer
|
|
131
136
|
ss.eos?
|
132
137
|
end
|
133
138
|
|
139
|
+
def expr_beg?
|
140
|
+
lex_state =~ EXPR_BEG
|
141
|
+
end
|
142
|
+
|
134
143
|
def expr_dot?
|
135
144
|
lex_state =~ EXPR_DOT
|
136
145
|
end
|
@@ -580,6 +589,12 @@ class RubyLexer
|
|
580
589
|
end
|
581
590
|
end
|
582
591
|
|
592
|
+
def process_dots text
|
593
|
+
tokens = ruby27plus? && expr_beg? ? BTOKENS : TOKENS
|
594
|
+
|
595
|
+
result EXPR_BEG, tokens[text], text
|
596
|
+
end
|
597
|
+
|
583
598
|
def process_float text
|
584
599
|
rb_compile_error "Invalid numeric format" if text =~ /__/
|
585
600
|
|
@@ -1136,6 +1151,10 @@ class RubyLexer
|
|
1136
1151
|
parser.class.version <= 24
|
1137
1152
|
end
|
1138
1153
|
|
1154
|
+
def ruby27plus?
|
1155
|
+
parser.class.version >= 27
|
1156
|
+
end
|
1157
|
+
|
1139
1158
|
def scan re
|
1140
1159
|
ss.scan re
|
1141
1160
|
end
|
@@ -48,7 +48,7 @@ rule
|
|
48
48
|
| /\![=~]?/ { result :arg_state, TOKENS[text], text }
|
49
49
|
|
50
50
|
: /\./
|
51
|
-
| /\.\.\.?/
|
51
|
+
| /\.\.\.?/ process_dots
|
52
52
|
| /\.\d/ { rb_compile_error "no .<digit> floating literal anymore put 0 before dot" }
|
53
53
|
| /\./ { self.lex_state = EXPR_BEG; result EXPR_DOT, :tDOT, "." }
|
54
54
|
|
@@ -138,7 +138,7 @@ class RubyLexer
|
|
138
138
|
when ss.match?(/\./) then
|
139
139
|
case
|
140
140
|
when text = ss.scan(/\.\.\.?/) then
|
141
|
-
|
141
|
+
process_dots text
|
142
142
|
when ss.skip(/\.\d/) then
|
143
143
|
action { rb_compile_error "no .<digit> floating literal anymore put 0 before dot" }
|
144
144
|
when ss.skip(/\./) then
|
@@ -46,6 +46,9 @@ token kCLASS kMODULE kDEF kUNDEF kBEGIN kRESCUE kENSURE kEND kIF kUNLESS
|
|
46
46
|
#if V >= 23
|
47
47
|
tLONELY
|
48
48
|
#endif
|
49
|
+
#if V >= 26
|
50
|
+
tBDOT2 tBDOT3
|
51
|
+
#endif
|
49
52
|
|
50
53
|
preclow
|
51
54
|
nonassoc tLOWEST
|
@@ -57,7 +60,7 @@ preclow
|
|
57
60
|
right tEQL tOP_ASGN
|
58
61
|
left kRESCUE_MOD
|
59
62
|
right tEH tCOLON
|
60
|
-
nonassoc tDOT2 tDOT3
|
63
|
+
nonassoc tDOT2 tDOT3 tBDOT2 tBDOT3
|
61
64
|
left tOROP
|
62
65
|
left tANDOP
|
63
66
|
nonassoc tCMP tEQ tEQQ tNEQ tMATCH tNMATCH
|
@@ -80,6 +83,9 @@ rule
|
|
80
83
|
top_compstmt
|
81
84
|
{
|
82
85
|
result = new_compstmt val
|
86
|
+
|
87
|
+
lexer.cond.pop # local_pop
|
88
|
+
lexer.cmdarg.pop
|
83
89
|
}
|
84
90
|
|
85
91
|
top_compstmt: top_stmts opt_terms
|
@@ -856,6 +862,24 @@ rule
|
|
856
862
|
result = s(:dot3, v1, v2).line v1.line
|
857
863
|
}
|
858
864
|
#endif
|
865
|
+
|
866
|
+
#if V >= 27
|
867
|
+
| tBDOT2 arg
|
868
|
+
{
|
869
|
+
_, v2, = val
|
870
|
+
v1 = nil
|
871
|
+
|
872
|
+
result = s(:dot2, v1, v2).line v2.line
|
873
|
+
}
|
874
|
+
| tBDOT3 arg
|
875
|
+
{
|
876
|
+
_, v2 = val
|
877
|
+
v1 = nil
|
878
|
+
|
879
|
+
result = s(:dot3, v1, v2).line v2.line
|
880
|
+
}
|
881
|
+
#endif
|
882
|
+
|
859
883
|
| arg tPLUS arg
|
860
884
|
{
|
861
885
|
result = new_call val[0], :+, argl(val[2])
|
@@ -1040,6 +1064,18 @@ rule
|
|
1040
1064
|
_, args, _ = val
|
1041
1065
|
result = args
|
1042
1066
|
}
|
1067
|
+
#if V >= 27
|
1068
|
+
| tLPAREN2 args_forward rparen
|
1069
|
+
{
|
1070
|
+
if (!self.lexer.is_local_id(:"*") ||
|
1071
|
+
!self.lexer.is_local_id(:"**") ||
|
1072
|
+
!self.lexer.is_local_id(:"&")) then
|
1073
|
+
|
1074
|
+
yyerror("Invalid argument forwarding")
|
1075
|
+
end
|
1076
|
+
result = call_args [s(:forward_args).line(lexer.lineno)]
|
1077
|
+
}
|
1078
|
+
#endif
|
1043
1079
|
|
1044
1080
|
opt_paren_args: none
|
1045
1081
|
| paren_args
|
@@ -2340,6 +2376,21 @@ keyword_variable: kNIL { result = s(:nil).line lexer.lineno }
|
|
2340
2376
|
self.lexer.lex_state = EXPR_BEG
|
2341
2377
|
self.lexer.command_start = true
|
2342
2378
|
}
|
2379
|
+
#if V >= 27
|
2380
|
+
| tLPAREN2 args_forward rparen
|
2381
|
+
{
|
2382
|
+
args_rest = :"*"
|
2383
|
+
kwargs_rest = :"**"
|
2384
|
+
block_fwd = :"&"
|
2385
|
+
self.env[args_rest] = :lvar
|
2386
|
+
self.env[kwargs_rest] = :lvar
|
2387
|
+
self.env[block_fwd] = :lvar
|
2388
|
+
|
2389
|
+
result = s(:args, s(:forward_args)).line lexer.lineno
|
2390
|
+
self.lexer.lex_state = EXPR_BEG
|
2391
|
+
self.lexer.command_start = true
|
2392
|
+
}
|
2393
|
+
#endif
|
2343
2394
|
| {
|
2344
2395
|
result = self.in_kwarg
|
2345
2396
|
self.in_kwarg = true
|
@@ -2439,6 +2490,8 @@ keyword_variable: kNIL { result = s(:nil).line lexer.lineno }
|
|
2439
2490
|
result = args val
|
2440
2491
|
}
|
2441
2492
|
|
2493
|
+
args_forward: tBDOT3
|
2494
|
+
|
2442
2495
|
f_bad_arg: tCONSTANT
|
2443
2496
|
{
|
2444
2497
|
yyerror "formal argument cannot be a constant"
|
@@ -2587,6 +2640,7 @@ keyword_variable: kNIL { result = s(:nil).line lexer.lineno }
|
|
2587
2640
|
| kwrest_mark
|
2588
2641
|
{
|
2589
2642
|
result = :"**"
|
2643
|
+
self.env[result] = :lvar
|
2590
2644
|
}
|
2591
2645
|
|
2592
2646
|
#if V == 20
|
@@ -197,8 +197,8 @@ ARGF.each_line do |line|
|
|
197
197
|
puts line.gsub("true", "1").gsub("false", "0")
|
198
198
|
when /^lex_state: :?([\w|]+) -> :?([\w|]+)(?: (?:at|from) (.*))?/ then
|
199
199
|
a, b, c = $1.upcase, $2.upcase, $3
|
200
|
-
a.gsub!
|
201
|
-
b.gsub!
|
200
|
+
a.gsub!(/EXPR_/, "")
|
201
|
+
b.gsub!(/EXPR_/, "")
|
202
202
|
if c && $v then
|
203
203
|
puts "lex_state: #{a} -> #{b} at #{c}"
|
204
204
|
else
|
data/lib/brakeman.rb
CHANGED
@@ -157,10 +157,17 @@ module Brakeman
|
|
157
157
|
end
|
158
158
|
end
|
159
159
|
|
160
|
-
CONFIG_FILES =
|
161
|
-
|
162
|
-
|
163
|
-
|
160
|
+
CONFIG_FILES = begin
|
161
|
+
[
|
162
|
+
File.expand_path("~/.brakeman/config.yml"),
|
163
|
+
File.expand_path("/etc/brakeman/config.yml")
|
164
|
+
]
|
165
|
+
rescue ArgumentError
|
166
|
+
# In case $HOME or $USER aren't defined for use of `~`
|
167
|
+
[
|
168
|
+
File.expand_path("/etc/brakeman/config.yml")
|
169
|
+
]
|
170
|
+
end
|
164
171
|
|
165
172
|
def self.config_file custom_location, app_path
|
166
173
|
app_config = File.expand_path(File.join(app_path, "config", "brakeman.yml"))
|
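Review bot: The `rescue ArgumentError` around the new `CONFIG_FILES` literal only fires for the `~` expansion (that is the exception `File.expand_path` raises when neither HOME nor a login name can be resolved), and in that case the per-user location is dropped with no indication to the user. Environments such as minimal containers or CI runners are exactly where this happens, so the comment should say so; I would extend the rescue comment to `# In case $HOME or $USER aren't defined for use of `~`; the per-user config location is then skipped without notice`. The `/etc/brakeman/config.yml` path is also spelled out in both branches, and since `File.expand_path` on an already-absolute path only normalises it, the duplication could be avoided by building the `/etc` entry once and prepending the home entry when it expands.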
@@ -69,17 +69,15 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
|
|
69
69
|
if check and original? res
|
70
70
|
|
71
71
|
model = tracker.models[res[:chain].first]
|
72
|
-
|
73
72
|
attr_protected = (model and model.attr_protected)
|
73
|
+
first_arg = call.first_arg
|
74
74
|
|
75
75
|
if attr_protected and tracker.options[:ignore_attr_protected]
|
76
76
|
return
|
77
|
+
elsif call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
|
78
|
+
return
|
77
79
|
elsif input = include_user_input?(call.arglist)
|
78
|
-
|
79
|
-
|
80
|
-
if call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
|
81
|
-
return
|
82
|
-
elsif not node_type? first_arg, :hash
|
80
|
+
if not node_type? first_arg, :hash
|
83
81
|
if attr_protected
|
84
82
|
confidence = :medium
|
85
83
|
else
|
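Review bot: The new `elsif call? first_arg and (first_arg.method == :slice or first_arg.method == :only)` branch now returns before `include_user_input?(call.arglist)` runs, and it never inspects what is being sliced, so any `.slice`/`.only` call is treated as sufficient filtering even when the key list itself comes from user input; for a mass-assignment check that is a false-negative (missed finding) risk rather than a false positive. Keeping the early return but requiring the selected keys to be free of user input narrows it without changing the common literal-key case: `elsif call? first_arg and (first_arg.method == :slice or first_arg.method == :only) and not include_user_input?(first_arg.arglist)`. The enclosing method starts and ends outside this hunk, so I cannot see what the outer chain does when no branch matches; if the old code had a fall-through branch for the no-user-input case, the hoisted return also bypasses it now.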
@@ -9,6 +9,7 @@ module Brakeman
|
|
9
9
|
def initialize tracker, file_parser
|
10
10
|
@tracker = tracker
|
11
11
|
@file_parser = file_parser
|
12
|
+
@slim_smart = nil # Load slim/smart ?
|
12
13
|
end
|
13
14
|
|
14
15
|
def parse_template path, text
|
@@ -88,6 +89,14 @@ module Brakeman
|
|
88
89
|
|
89
90
|
def parse_slim path, text
|
90
91
|
Brakeman.load_brakeman_dependency 'slim'
|
92
|
+
|
93
|
+
if @slim_smart.nil? and load_slim_smart?
|
94
|
+
@slim_smart = true
|
95
|
+
Brakeman.load_brakeman_dependency 'slim/smart'
|
96
|
+
else
|
97
|
+
@slim_smart = false
|
98
|
+
end
|
99
|
+
|
91
100
|
require_relative 'slim_embedded'
|
92
101
|
|
93
102
|
Slim::Template.new(path,
|
@@ -95,6 +104,21 @@ module Brakeman
|
|
95
104
|
:generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
|
96
105
|
end
|
97
106
|
|
107
|
+
def load_slim_smart?
|
108
|
+
return !@slim_smart unless @slim_smart.nil?
|
109
|
+
|
110
|
+
# Terrible hack to find
|
111
|
+
# gem "slim", "~> 3.0.1", require: ["slim", "slim/smart"]
|
112
|
+
if tracker.app_tree.exists? 'Gemfile'
|
113
|
+
gemfile_contents = tracker.app_tree.file_path('Gemfile').read
|
114
|
+
if gemfile_contents.include? 'slim/smart'
|
115
|
+
return true
|
116
|
+
end
|
117
|
+
end
|
118
|
+
|
119
|
+
false
|
120
|
+
end
|
121
|
+
|
98
122
|
def self.parse_inline_erb tracker, text
|
99
123
|
fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
|
100
124
|
tp = self.new(tracker, fp)
|
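Review bot: The memo in `parse_slim` is reset on the second call: once `@slim_smart` is `true`, `@slim_smart.nil? and load_slim_smart?` is false, so the `else` branch sets `@slim_smart = false` and the cached decision no longer reflects whether `slim/smart` was loaded. It only works today because `Brakeman.load_brakeman_dependency 'slim/smart'` already ran on the first call, but anything later that reads `@slim_smart` will see the wrong value. The guard `return !@slim_smart unless @slim_smart.nil?` in `load_slim_smart?` is also inverted and, because the caller only invokes it when `@slim_smart` is nil, unreachable; with the rewrite below it can be dropped. The Gemfile heuristic (`gemfile_contents.include? 'slim/smart'`) is a substring match on the scanned app's Gemfile and is fine as a best-effort signal, but the comment above it could say that a commented-out or unrelated mention also triggers loading.

```ruby
def parse_slim path, text
  Brakeman.load_brakeman_dependency 'slim'

  # Decide once per parser whether slim/smart is in use; memoised in @slim_smart
  if @slim_smart.nil?
    @slim_smart = load_slim_smart?
    Brakeman.load_brakeman_dependency 'slim/smart' if @slim_smart
  end

  # … unchanged: require_relative 'slim_embedded' and Slim::Template.new …
```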
@@ -183,6 +183,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
183
183
|
return exp
|
184
184
|
end
|
185
185
|
|
186
|
+
# If x(*[1,2,3]) change to x(1,2,3)
|
187
|
+
# if that's the only argument
|
188
|
+
if splat_array? exp.first_arg and exp.second_arg.nil?
|
189
|
+
exp.arglist = exp.first_arg[1].sexp_body
|
190
|
+
end
|
191
|
+
|
186
192
|
target = exp.target
|
187
193
|
method = exp.method
|
188
194
|
first_arg = exp.first_arg
|
@@ -195,11 +201,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
195
201
|
res = process_or_simple_operation(exp)
|
196
202
|
return res if res
|
197
203
|
elsif target == ARRAY_CONST and method == :new
|
198
|
-
return Sexp.new(:array, *exp.args)
|
204
|
+
return Sexp.new(:array, *exp.args).line(exp.line)
|
199
205
|
elsif target == HASH_CONST and method == :new and first_arg.nil? and !node_type?(@exp_context.last, :iter)
|
200
|
-
return Sexp.new(:hash)
|
206
|
+
return Sexp.new(:hash).line(exp.line)
|
201
207
|
elsif exp == RAILS_TEST or exp == RAILS_DEV
|
202
|
-
return Sexp.new(:false)
|
208
|
+
return Sexp.new(:false).line(exp.line)
|
203
209
|
end
|
204
210
|
|
205
211
|
#See if it is possible to simplify some basic cases
|
@@ -237,7 +243,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
237
243
|
env[target_var] = target
|
238
244
|
return target
|
239
245
|
elsif string? target and string_interp? first_arg
|
240
|
-
exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
|
246
|
+
exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2)).line(exp.line)
|
241
247
|
env[target_var] = exp
|
242
248
|
elsif string? first_arg and string_interp? target
|
243
249
|
if string? target.last
|
@@ -288,7 +294,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
288
294
|
|
289
295
|
# Painful conversion of Array#join into string interpolation
|
290
296
|
def process_array_join array, join_str
|
291
|
-
result = s()
|
297
|
+
result = s().line(array.line)
|
292
298
|
|
293
299
|
join_value = if string? join_str
|
294
300
|
join_str.value
|
@@ -326,11 +332,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
326
332
|
result.unshift combined_first
|
327
333
|
|
328
334
|
# Have to fix up strings that follow interpolation
|
329
|
-
result.reduce(s(:dstr)) do |memo, e|
|
335
|
+
result.reduce(s(:dstr).line(array.line)) do |memo, e|
|
330
336
|
if string? e and node_type? memo.last, :evstr
|
331
337
|
e.value = "#{join_value}#{e.value}"
|
332
338
|
elsif join_value and node_type? memo.last, :evstr and node_type? e, :evstr
|
333
|
-
memo << s(:str, join_value)
|
339
|
+
memo << s(:str, join_value).line(e.line)
|
334
340
|
end
|
335
341
|
|
336
342
|
memo << e
|
@@ -341,9 +347,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
341
347
|
if item.is_a? String
|
342
348
|
"#{item}#{join_value}"
|
343
349
|
elsif string? item or symbol? item or number? item
|
344
|
-
s(:str, "#{item.value}#{join_value}")
|
350
|
+
s(:str, "#{item.value}#{join_value}").line(item.line)
|
345
351
|
else
|
346
|
-
s(:evstr, item)
|
352
|
+
s(:evstr, item).line(item.line)
|
347
353
|
end
|
348
354
|
end
|
349
355
|
|
@@ -359,6 +365,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
359
365
|
s(:call, TEMP_FILE_CLASS, :new).line(line)
|
360
366
|
end
|
361
367
|
|
368
|
+
def splat_array? exp
|
369
|
+
node_type? exp, :splat and
|
370
|
+
node_type? exp[1], :array
|
371
|
+
end
|
372
|
+
|
362
373
|
def process_iter exp
|
363
374
|
@exp_context.push exp
|
364
375
|
exp[1] = process exp.block_call
|
@@ -679,7 +690,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
679
690
|
end
|
680
691
|
end
|
681
692
|
else
|
682
|
-
new_value = process s(:call, s(:call, target_var, :[], index), exp[3], value)
|
693
|
+
new_value = process s(:call, s(:call, target_var, :[], index), exp[3], value).line(exp.line)
|
683
694
|
|
684
695
|
env[match] = new_value
|
685
696
|
end
|
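Review bot: In the last hunk (`new_value = process s(:call, s(:call, target_var, :[], index), exp[3], value).line(exp.line)`) only the outer synthesized call receives a line; the inner `s(:call, target_var, :[], index)` node is still created without one, which is the same gap this commit is fixing elsewhere, so it should read `s(:call, target_var, :[], index).line(exp.line)`. The enclosing method for that hunk starts outside the hunk. In the first hunk, `exp.arglist = exp.first_arg[1].sexp_body` rewrites `x(*[1,2,3])` into `x(1,2,3)` before `target`/`method` are read; whether `sexp_body` carries the array's line information is not visible here, so if it does not, the expanded arguments would lose their line the same way — worth confirming. A one-line doc comment on the new `splat_array?` predicate, e.g. `# True for s(:splat, s(:array, ...)), i.e. a splatted array literal`, would also help since the method is otherwise undocumented.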