brakeman 5.0.2 → 5.0.4

data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby30_parser.y

@@ -1009,6 +1009,16 @@ rule
                       _, args, _ = val
                       result = args
                     }
+                | tLPAREN2 args_forward rparen
+                    {
+                      if (!self.lexer.is_local_id(:"*") ||
+                            !self.lexer.is_local_id(:"**") ||
+                            !self.lexer.is_local_id(:"&")) then
+
+                        yyerror("Invalid argument forwarding")
+                      end
+                      result = call_args [s(:forward_args).line(lexer.lineno)]
+                    }
 
   opt_paren_args: none
                 | paren_args
@@ -2289,6 +2299,19 @@ keyword_variable: kNIL      { result = s(:nil).line lexer.lineno }
                       self.lexer.lex_state = EXPR_BEG
                       self.lexer.command_start = true
                     }
+                | tLPAREN2 args_forward rparen
+                    {
+                      args_rest = :"*"
+                      kwargs_rest = :"**"
+                      block_fwd = :"&"
+                      self.env[args_rest] = :lvar
+                      self.env[kwargs_rest] = :lvar
+                      self.env[block_fwd] = :lvar
+
+                      result = s(:args, s(:forward_args)).line lexer.lineno
+                      self.lexer.lex_state = EXPR_BEG
+                      self.lexer.command_start = true
+                    }
                 |   {
                       result = self.in_kwarg
                       self.in_kwarg = true
@@ -2388,6 +2411,8 @@ keyword_variable: kNIL      { result = s(:nil).line lexer.lineno }
                       result = args val
                     }
 
+       args_forward: tBDOT3
+
        f_bad_arg: tCONSTANT
                     {
                       yyerror "formal argument cannot be a constant"
@@ -2516,6 +2541,7 @@ keyword_variable: kNIL      { result = s(:nil).line lexer.lineno }
                 | kwrest_mark
                     {
                       result = :"**"
+                      self.env[result] = :lvar
                     }
 
            f_opt: f_arg_asgn tEQL arg_value

data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/lib/ruby_parser.yy

@@ -1066,6 +1066,18 @@ rule
                       _, args, _ = val
                       result = args
                     }
+#if V >= 27
+                | tLPAREN2 args_forward rparen
+                    {
+                      if (!self.lexer.is_local_id(:"*") ||
+                            !self.lexer.is_local_id(:"**") ||
+                            !self.lexer.is_local_id(:"&")) then
+
+                        yyerror("Invalid argument forwarding")
+                      end
+                      result = call_args [s(:forward_args).line(lexer.lineno)]
+                    }
+#endif
 
   opt_paren_args: none
                 | paren_args
@@ -2366,6 +2378,21 @@ keyword_variable: kNIL      { result = s(:nil).line lexer.lineno }
                       self.lexer.lex_state = EXPR_BEG
                       self.lexer.command_start = true
                     }
+#if V >= 27
+                | tLPAREN2 args_forward rparen
+                    {
+                      args_rest = :"*"
+                      kwargs_rest = :"**"
+                      block_fwd = :"&"
+                      self.env[args_rest] = :lvar
+                      self.env[kwargs_rest] = :lvar
+                      self.env[block_fwd] = :lvar
+
+                      result = s(:args, s(:forward_args)).line lexer.lineno
+                      self.lexer.lex_state = EXPR_BEG
+                      self.lexer.command_start = true
+                    }
+#endif
                 |   {
                       result = self.in_kwarg
                       self.in_kwarg = true
@@ -2465,6 +2492,8 @@ keyword_variable: kNIL      { result = s(:nil).line lexer.lineno }
                       result = args val
                     }
 
+       args_forward: tBDOT3
+
        f_bad_arg: tCONSTANT
                     {
                       yyerror "formal argument cannot be a constant"
@@ -2613,6 +2642,7 @@ keyword_variable: kNIL      { result = s(:nil).line lexer.lineno }
                 | kwrest_mark
                     {
                       result = :"**"
+                      self.env[result] = :lvar
                     }
 
 #if V == 20

data/bundle/ruby/2.7.0/gems/ruby_parser-3.16.0/tools/ripper.rb

@@ -1,4 +1,4 @@
-#!/usr/bin/env ruby -ws
+#!/Users/ryan/.rubies/ruby-2.7.1/bin/ruby -ws
 
 $d ||= false
 $p ||= false

data/lib/brakeman.rb

@@ -250,8 +250,6 @@ module Brakeman
       [:to_sarif]
     when :sonar, :to_sonar
       [:to_sonar]
-    when :github, :to_github
-      [:to_github]
     else
       [:to_text]
     end
@@ -285,8 +283,6 @@ module Brakeman
         :to_sarif
       when /\.sonar$/i
         :to_sonar
-      when /\.github$/i
-        :to_github
       else
         :to_text
       end

data/lib/brakeman/checks/check_detailed_exceptions.rb

@@ -26,7 +26,7 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
   def check_detailed_exceptions
     tracker.controllers.each do |_name, controller|
       controller.methods_public.each do |method_name, definition|
-        src = definition.src
+        src = definition[:src]
         body = src.body.last
         next unless body
 

data/lib/brakeman/checks/check_evaluation.rb

@@ -10,7 +10,7 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
   #Process calls
   def run_check
     Brakeman.debug "Finding eval-like calls"
-    calls = tracker.find_call methods: [:eval, :instance_eval, :class_eval, :module_eval], nested: true
+    calls = tracker.find_call :method => [:eval, :instance_eval, :class_eval, :module_eval]
 
     Brakeman.debug "Processing eval-like calls"
     calls.each do |call|

data/lib/brakeman/checks/check_sql.rb

@@ -572,7 +572,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   end
 
   IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
-    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array, :sanitize_sql_like,
+    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
@@ -592,8 +592,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         IGNORE_METHODS_IN_SQL.include? exp.method or
         quote_call? exp or
         arel? exp or
-        exp.method.to_s.end_with? "_id" or
-        number_target? exp
+        exp.method.to_s.end_with? "_id"
       end
     when :if
       safe_value? exp.then_clause and safe_value? exp.else_clause
@@ -696,16 +695,4 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       active_record_models.include? klass
     end
   end
-
-  def number_target? exp
-    return unless call? exp
-
-    if number? exp.target
-      true
-    elsif call? exp.target
-      number_target? exp.target
-    else
-      false
-    end
-  end
 end

data/lib/brakeman/checks/check_verb_confusion.rb

@@ -32,7 +32,7 @@ class Brakeman::CheckVerbConfusion < Brakeman::BaseCheck
       return
     end
 
-    process method.src
+    process method[:src]
   end
 
   def process_if exp

data/lib/brakeman/file_parser.rb

@@ -1,5 +1,3 @@
-require 'parallel'
-
 module Brakeman
   ASTFile = Struct.new(:path, :ast)
 
@@ -15,46 +13,21 @@ module Brakeman
     end
 
     def parse_files list
-      # Parse the files in parallel.
-      # By default, the parsing will be in separate processes.
-      # So we map the result to ASTFiles and/or Exceptions
-      # then partition them into ASTFiles and Exceptions
-      # and add the Exceptions to @errors
-      #
-      # Basically just a funky way to deal with two possible
-      # return types that are returned from isolated processes.
-      #
-      # Note this method no longer uses read_files
-      @file_list, new_errors = Parallel.map(list) do |file_name|
-        file_path = @app_tree.file_path(file_name)
-        contents = file_path.read
-
-        begin
-          if ast = parse_ruby(contents, file_path.relative)
-            ASTFile.new(file_name, ast)
-          end
-        rescue Exception => e
-          e
+      read_files list do |path, contents|
+        if ast = parse_ruby(contents, path.relative)
+          ASTFile.new(path, ast)
         end
-      end.compact.partition do |result|
-        result.is_a? ASTFile
       end
-
-      errors.concat new_errors
     end
 
     def read_files list
       list.each do |path|
         file = @app_tree.file_path(path)
 
-        begin
-          result = yield file, file.read
+        result = yield file, file.read
 
-          if result
-            @file_list << result
-          end
-        rescue Exception => e
-          @errors << e
+        if result
+          @file_list << result
         end
       end
     end
@@ -69,12 +42,17 @@ module Brakeman
         Brakeman.debug "Parsing #{path}"
         RubyParser.new.parse input, path, @timeout
       rescue Racc::ParseError => e
-        raise e.exception(e.message + "\nCould not parse #{path}")
+        error e.exception(e.message + "\nCould not parse #{path}")
       rescue Timeout::Error => e
-        raise Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout")
+        error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout")
       rescue => e
-        raise e.exception(e.message + "\nWhile processing #{path}")
+        error e.exception(e.message + "\nWhile processing #{path}")
       end
     end
+
+    def error exception
+      @errors << exception
+      nil
+    end
   end
 end

data/lib/brakeman/options.rb

@@ -233,7 +233,7 @@ module Brakeman::Options
 
         opts.on "-f",
           "--format TYPE",
-          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif, :sonar, :github],
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif, :sonar],
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text

data/lib/brakeman/processors/alias_processor.rb

@@ -220,28 +220,13 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = math_op(:+, target, first_arg, exp)
       end
     when :-, :*, :/
-      if method == :* and array? target
-        if string? first_arg
-          exp = process_array_join(target, first_arg)
-        end
-      else
-        exp = math_op(method, target, first_arg, exp)
-      end
+      exp = math_op(method, target, first_arg, exp)
     when :[]
       if array? target
         exp = process_array_access(target, exp.args, exp)
       elsif hash? target
         exp = process_hash_access(target, first_arg, exp)
       end
-    when :fetch
-      if array? target
-        # Not dealing with default value
-        # so just pass in first argument, but process_array_access expects
-        # an array of arguments.
-        exp = process_array_access(target, [first_arg], exp)
-      elsif hash? target
-        exp = process_hash_access(target, first_arg, exp)
-      end
     when :merge!, :update
       if hash? target and hash? first_arg
          target = process_hash_merge! target, first_arg
@@ -281,12 +266,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         target = find_push_target(target_var)
         env[target] = exp unless target.nil? # Happens in TemplateAliasProcessor
       end
-    when :push
-      if array? target
-        target << first_arg
-        env[target_var] = target
-        return target
-      end
     when :first
       if array? target and first_arg.nil? and sexp? target[1]
         exp = target[1]
@@ -300,7 +279,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = target
       end
     when :join
-      if array? target and (string? first_arg or first_arg.nil?)
+      if array? target and target.length > 2 and (string? first_arg or first_arg.nil?)
         exp = process_array_join(target, first_arg)
       end
     when :!
@@ -308,15 +287,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       if call? target and target.method == :!
         exp = s(:or, s(:true).line(exp.line), s(:false).line(exp.line)).line(exp.line)
       end
-    when :values
-      # Hash literal
-      if node_type? target, :hash
-        exp = hash_values(target)
-      end
-    when :values_at
-      if hash? target
-        exp = hash_values_at target, exp.args
-      end
     end
 
     exp
@@ -324,11 +294,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
   # Painful conversion of Array#join into string interpolation
   def process_array_join array, join_str
-    # Empty array
-    if array.length == 1
-      return s(:str, '').line(array.line)
-    end
-
     result = s().line(array.line)
 
     join_value = if string? join_str
@@ -337,10 +302,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
                    nil
                  end
 
-    if array.length > 2
-      array[1..-2].each do |e|
-        result << join_item(e, join_value)
-      end
+    array[1..-2].each do |e|
+      result << join_item(e, join_value)
     end
 
     result << join_item(array.last, nil)
@@ -369,7 +332,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     result.unshift combined_first
 
     # Have to fix up strings that follow interpolation
-    string = result.reduce(s(:dstr).line(array.line)) do |memo, e|
+    result.reduce(s(:dstr).line(array.line)) do |memo, e|
       if string? e and node_type? memo.last, :evstr
         e.value = "#{join_value}#{e.value}"
       elsif join_value and node_type? memo.last, :evstr and node_type? e, :evstr
@@ -378,14 +341,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
       memo << e
     end
-
-    # Convert (:dstr, "hello world")
-    # to (:str, "hello world")
-    if string.length == 2 and string.last.is_a? String
-      string[0] = :str
-    end
-
-    string
   end
 
   def join_item item, join_value
@@ -1058,8 +1013,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     method_name = call.method
 
     #Look for helper methods and see if we can get a return value
-    if found_method = tracker.find_method(method_name, @current_class)
-      helper = found_method.src
+    if found_method = find_method(method_name, @current_class)
+      helper = found_method[:method]
 
       if sexp? helper
         value = process_helper_method helper, call.args

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -51,7 +51,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
         #Need to process the method like it was in a controller in order
         #to get the renders set
         processor = Brakeman::ControllerProcessor.new(@tracker, mixin.file)
-        method = mixin.get_method(name).src.deep_clone
+        method = mixin.get_method(name)[:src].deep_clone
 
         if node_type? method, :defn
           method = processor.process_defn method
@@ -143,16 +143,16 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #Basically, adds any instance variable assignments to the environment.
   #TODO: method arguments?
   def process_before_filter name
-    filter = tracker.find_method name, @current_class
+    filter = find_method name, @current_class
 
     if filter.nil?
       Brakeman.debug "[Notice] Could not find filter #{name}"
       return
     end
 
-    method = filter.src
+    method = filter[:method]
 
-    if ivars = @tracker.filter_cache[[filter.owner, name]]
+    if ivars = @tracker.filter_cache[[filter[:controller], name]]
       ivars.each do |variable, value|
         env[variable] = value
       end
@@ -162,7 +162,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 
       ivars = processor.only_ivars(:include_request_vars).all
 
-      @tracker.filter_cache[[filter.owner, name]] = ivars
+      @tracker.filter_cache[[filter[:controller], name]] = ivars
 
       ivars.each do |variable, value|
         env[variable] = value
@@ -182,7 +182,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     # method as the line number
     if line.nil? and controller = @tracker.controllers[@current_class]
       if meth = controller.get_method(@current_method)
-        if line = meth.src && meth.src.last && meth.src.last.line
+        if line = meth[:src] && meth[:src].last && meth[:src].last.line
           line += 1
         else
           line = 1
@@ -241,4 +241,41 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       []
     end
   end
+
+  #Finds a method in the given class or a parent class
+  #
+  #Returns nil if the method could not be found.
+  #
+  #If found, returns hash table with controller name and method sexp.
+  def find_method method_name, klass
+    return nil if sexp? method_name
+    method_name = method_name.to_sym
+
+    if method = @method_cache[method_name]
+      return method
+    end
+
+    controller = @tracker.controllers[klass]
+    controller ||= @tracker.libs[klass]
+
+    if klass and controller
+      method = controller.get_method method_name
+
+      if method.nil?
+        controller.includes.each do |included|
+          method = find_method method_name, included
+          if method
+            @method_cache[method_name] = method
+            return method
+          end
+       end
+
+        @method_cache[method_name] = find_method method_name, controller.parent
+      else
+        @method_cache[method_name] = { :controller => controller.name, :method => method[:src] }
+      end
+    else
+      nil
+    end
+  end
 end