brakeman 5.0.2 → 5.0.4

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -76,8 +76,6 @@ module Brakeman
 
         #Have to do this because first element is :array and we have to skip it
         array[1..-1][index] or original_exp
-      elsif all_literals? array
-        safe_literal(array.line)
       else
         original_exp
       end
@@ -94,13 +92,5 @@ module Brakeman
         original_exp
       end
     end
-
-    def hash_values_at hash, keys
-      values = keys.map do |key|
-        process_hash_access hash, key
-      end
-
-      Sexp.new(:array).concat(values).line(hash.line)
-    end
   end
 end

data/lib/brakeman/processors/library_processor.rb

@@ -54,15 +54,6 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
 
   def process_call exp
     if process_call_defn? exp
-      exp
-    elsif @current_method.nil? and exp.target.nil? and (@current_class or @current_module)
-      # Methods called inside class / module
-      case exp.method
-      when :include
-        module_name = class_name(exp.first_arg)
-        (@current_class || @current_module).add_include module_name
-      end
-
       exp
     else
       process_default exp

data/lib/brakeman/report.rb

@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
 class Brakeman::Report
   attr_reader :tracker
 
-  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit, :to_github]
+  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit]
 
   def initialize tracker
     @app_tree = tracker.app_tree
@@ -48,9 +48,6 @@ class Brakeman::Report
     when :to_sonar
       require_report 'sonar'
       Brakeman::Report::Sonar
-    when :to_github
-      require_report 'github'
-      Brakeman::Report::Github
     else
       raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
     end

data/lib/brakeman/report/ignore/interactive.rb

@@ -62,7 +62,7 @@ module Brakeman
           process_warnings
         end
 
-        m.choice "Inspect new warnings" do
+        m.choice "Hide previously ignored warnings" do
           @skip_ignored = true
           pre_show_help
           process_warnings

data/lib/brakeman/scanner.rb

@@ -353,9 +353,6 @@ class Brakeman::Scanner
   def parse_ruby_file file
     fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
     fp.parse_ruby(file.read, file)
-  rescue Exception => e
-    tracker.error(e)
-    nil
   end
 end
 

data/lib/brakeman/tracker.rb

@@ -35,7 +35,6 @@ class Brakeman::Tracker
     #class they are.
     @models = {}
     @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, @app_tree.file_path("NOT_REAL.rb"), nil, self)
-    @method_cache = {}
     @routes = {}
     @initializers = {}
     @errors = []
@@ -100,8 +99,8 @@ class Brakeman::Tracker
     classes.each do |set|
       set.each do |set_name, collection|
         collection.each_method do |method_name, definition|
-          src = definition.src
-          yield src, set_name, method_name, definition.file
+          src = definition[:src]
+          yield src, set_name, method_name, definition[:file]
         end
       end
     end
@@ -221,34 +220,6 @@ class Brakeman::Tracker
     nil
   end
 
-  def find_method method_name, class_name, method_type = :instance
-    return nil unless method_name.is_a? Symbol
-
-    klass = find_class(class_name)
-    return nil unless klass
-
-    cache_key = [klass, method_name, method_type]
-
-    if method = @method_cache[cache_key]
-      return method
-    end
-
-    if method = klass.get_method(method_name, method_type)
-      return method
-    else
-      # Check modules included for method definition
-      # TODO: only for instance methods, otherwise check extends!
-      klass.includes.each do |included_name|
-        if method = find_method(method_name, included_name, method_type)
-          return (@method_cache[cache_key] = method)
-        end
-      end
-
-      # Not in any included modules, check the parent
-      @method_cache[cache_key] = find_method(method_name, klass.parent)
-    end
-  end
-
   def index_call_sites
     finder = Brakeman::FindAllCalls.new self
 
@@ -314,8 +285,8 @@ class Brakeman::Tracker
     method_sets.each do |set|
       set.each do |set_name, info|
         info.each_method do |method_name, definition|
-          src = definition.src
-          finder.process_source src, :class => set_name, :method => method_name, :file => definition.file
+          src = definition[:src]
+          finder.process_source src, :class => set_name, :method => method_name, :file => definition[:file]
         end
       end
     end

data/lib/brakeman/tracker/collection.rb

@@ -1,5 +1,4 @@
 require 'brakeman/util'
-require 'brakeman/tracker/method_info'
 
 module Brakeman
   class Collection
@@ -14,7 +13,6 @@ module Brakeman
       @src = {}
       @includes = []
       @methods = { :public => {}, :private => {}, :protected => {} }
-      @class_methods = {}
       @options = {}
       @tracker = tracker
 
@@ -48,16 +46,11 @@ module Brakeman
     end
 
     def add_method visibility, name, src, file_name
-      meth_info = Brakeman::MethodInfo.new(name, src, self, file_name)
-
       if src.node_type == :defs
-        @class_methods[name] = meth_info
-
-        # TODO fix this weirdness
         name = :"#{src[1]}.#{name}"
       end
 
-      @methods[visibility][name] = meth_info
+      @methods[visibility][name] = { :src => src, :file => file_name }
     end
 
     def each_method
@@ -68,31 +61,16 @@ module Brakeman
       end
     end
 
-    def get_method name, type = :instance
-      case type
-      when :class
-        get_class_method name
-      when :instance
-        get_instance_method name
-      else
-        raise "Unexpected method type: #{type.inspect}"
-      end
-    end
-
-    def get_instance_method name
-      @methods.each do |_vis, meths|
-        if meths[name]
-          return meths[name]
+    def get_method name
+      each_method do |n, info|
+        if n == name
+          return info
         end
       end
 
       nil
     end
 
-    def get_class_method name
-      @class_methods[name]
-    end
-
     def file
       @files.first
     end

data/lib/brakeman/util.rb

@@ -142,14 +142,6 @@ module Brakeman::Util
     nil
   end
 
-  def hash_values hash
-    values = hash.each_sexp.each_slice(2).map do |_, value|
-      value
-    end
-
-    Sexp.new(:array).concat(values).line(hash.line)
-  end
-
   #These are never modified
   PARAMS_SEXP = Sexp.new(:params)
   SESSION_SEXP = Sexp.new(:session)

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.0.2"
+  Version = "5.0.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 5.0.2
+  version: 5.0.4
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-06-07 00:00:00.000000000 Z
+date: 2021-06-08 00:00:00.000000000 Z
 dependencies: []
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.
@@ -132,10 +132,6 @@ files:
 - bundle/ruby/2.7.0/gems/highline-2.0.3/lib/highline/terminal/unix_stty.rb
 - bundle/ruby/2.7.0/gems/highline-2.0.3/lib/highline/version.rb
 - bundle/ruby/2.7.0/gems/highline-2.0.3/lib/highline/wrapper.rb
-- bundle/ruby/2.7.0/gems/parallel-1.20.1/MIT-LICENSE.txt
-- bundle/ruby/2.7.0/gems/parallel-1.20.1/lib/parallel.rb
-- bundle/ruby/2.7.0/gems/parallel-1.20.1/lib/parallel/processor_count.rb
-- bundle/ruby/2.7.0/gems/parallel-1.20.1/lib/parallel/version.rb
 - bundle/ruby/2.7.0/gems/rexml-3.2.5/LICENSE.txt
 - bundle/ruby/2.7.0/gems/rexml-3.2.5/NEWS.md
 - bundle/ruby/2.7.0/gems/rexml-3.2.5/README.md
@@ -572,7 +568,6 @@ files:
 - lib/brakeman/report/report_base.rb
 - lib/brakeman/report/report_codeclimate.rb
 - lib/brakeman/report/report_csv.rb
-- lib/brakeman/report/report_github.rb
 - lib/brakeman/report/report_hash.rb
 - lib/brakeman/report/report_html.rb
 - lib/brakeman/report/report_json.rb
@@ -602,7 +597,6 @@ files:
 - lib/brakeman/tracker/constants.rb
 - lib/brakeman/tracker/controller.rb
 - lib/brakeman/tracker/library.rb
-- lib/brakeman/tracker/method_info.rb
 - lib/brakeman/tracker/model.rb
 - lib/brakeman/tracker/template.rb
 - lib/brakeman/util.rb

data/bundle/ruby/2.7.0/gems/parallel-1.20.1/MIT-LICENSE.txt

@@ -1,20 +0,0 @@
-Copyright (C) 2013 Michael Grosser <michael@grosser.it>
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/bundle/ruby/2.7.0/gems/parallel-1.20.1/lib/parallel.rb

@@ -1,523 +0,0 @@
-require 'rbconfig'
-require 'parallel/version'
-require 'parallel/processor_count'
-
-module Parallel
-  extend ProcessorCount
-
-  Stop = Object.new.freeze
-
-  class DeadWorker < StandardError
-  end
-
-  class Break < StandardError
-    attr_reader :value
-    def initialize(value = nil)
-      @value = value
-    end
-  end
-
-  class Kill < Break
-  end
-
-  class UndumpableException < StandardError
-    attr_reader :backtrace
-    def initialize(original)
-      super "#{original.class}: #{original.message}"
-      @backtrace = original.backtrace
-    end
-  end
-
-  class ExceptionWrapper
-    attr_reader :exception
-    def initialize(exception)
-      # Remove the bindings stack added by the better_errors gem,
-      # because it cannot be marshalled
-      if exception.instance_variable_defined? :@__better_errors_bindings_stack
-        exception.send :remove_instance_variable, :@__better_errors_bindings_stack
-      end
-
-      @exception =
-        begin
-          Marshal.dump(exception) && exception
-        rescue
-          UndumpableException.new(exception)
-        end
-    end
-  end
-
-  class Worker
-    attr_reader :pid, :read, :write
-    attr_accessor :thread
-    def initialize(read, write, pid)
-      @read, @write, @pid = read, write, pid
-    end
-
-    def stop
-      close_pipes
-      wait # if it goes zombie, rather wait here to be able to debug
-    end
-
-    # might be passed to started_processes and simultaneously closed by another thread
-    # when running in isolation mode, so we have to check if it is closed before closing
-    def close_pipes
-      read.close unless read.closed?
-      write.close unless write.closed?
-    end
-
-    def work(data)
-      begin
-        Marshal.dump(data, write)
-      rescue Errno::EPIPE
-        raise DeadWorker
-      end
-
-      result = begin
-        Marshal.load(read)
-      rescue EOFError
-        raise DeadWorker
-      end
-      raise result.exception if ExceptionWrapper === result
-      result
-    end
-
-    private
-
-    def wait
-      Process.wait(pid)
-    rescue Interrupt
-      # process died
-    end
-  end
-
-  class JobFactory
-    def initialize(source, mutex)
-      @lambda = (source.respond_to?(:call) && source) || queue_wrapper(source)
-      @source = source.to_a unless @lambda # turn Range and other Enumerable-s into an Array
-      @mutex = mutex
-      @index = -1
-      @stopped = false
-    end
-
-    def next
-      if producer?
-        # - index and item stay in sync
-        # - do not call lambda after it has returned Stop
-        item, index = @mutex.synchronize do
-          return if @stopped
-          item = @lambda.call
-          @stopped = (item == Stop)
-          return if @stopped
-          [item, @index += 1]
-        end
-      else
-        index = @mutex.synchronize { @index += 1 }
-        return if index >= size
-        item = @source[index]
-      end
-      [item, index]
-    end
-
-    def size
-      if producer?
-        Float::INFINITY
-      else
-        @source.size
-      end
-    end
-
-    # generate item that is sent to workers
-    # just index is faster + less likely to blow up with unserializable errors
-    def pack(item, index)
-      producer? ? [item, index] : index
-    end
-
-    # unpack item that is sent to workers
-    def unpack(data)
-      producer? ? data : [@source[data], data]
-    end
-
-    private
-
-    def producer?
-      @lambda
-    end
-
-    def queue_wrapper(array)
-      array.respond_to?(:num_waiting) && array.respond_to?(:pop) && lambda { array.pop(false) }
-    end
-  end
-
-  class UserInterruptHandler
-    INTERRUPT_SIGNAL = :SIGINT
-
-    class << self
-      # kill all these pids or threads if user presses Ctrl+c
-      def kill_on_ctrl_c(pids, options)
-        @to_be_killed ||= []
-        old_interrupt = nil
-        signal = options.fetch(:interrupt_signal, INTERRUPT_SIGNAL)
-
-        if @to_be_killed.empty?
-          old_interrupt = trap_interrupt(signal) do
-            $stderr.puts 'Parallel execution interrupted, exiting ...'
-            @to_be_killed.flatten.each { |pid| kill(pid) }
-          end
-        end
-
-        @to_be_killed << pids
-
-        yield
-      ensure
-        @to_be_killed.pop # do not kill pids that could be used for new processes
-        restore_interrupt(old_interrupt, signal) if @to_be_killed.empty?
-      end
-
-      def kill(thing)
-        Process.kill(:KILL, thing)
-      rescue Errno::ESRCH
-        # some linux systems already automatically killed the children at this point
-        # so we just ignore them not being there
-      end
-
-      private
-
-      def trap_interrupt(signal)
-        old = Signal.trap signal, 'IGNORE'
-
-        Signal.trap signal do
-          yield
-          if !old || old == "DEFAULT"
-            raise Interrupt
-          else
-            old.call
-          end
-        end
-
-        old
-      end
-
-      def restore_interrupt(old, signal)
-        Signal.trap signal, old
-      end
-    end
-  end
-
-  class << self
-    def in_threads(options={:count => 2})
-      threads = []
-      count, _ = extract_count_from_options(options)
-
-      Thread.handle_interrupt(Exception => :never) do
-        begin
-          Thread.handle_interrupt(Exception => :immediate) do
-            count.times do |i|
-              threads << Thread.new { yield(i) }
-            end
-            threads.map(&:value)
-          end
-        ensure
-          threads.each(&:kill)
-        end
-      end
-    end
-
-    def in_processes(options = {}, &block)
-      count, options = extract_count_from_options(options)
-      count ||= processor_count
-      map(0...count, options.merge(:in_processes => count), &block)
-    end
-
-    def each(array, options={}, &block)
-      map(array, options.merge(:preserve_results => false), &block)
-    end
-
-    def any?(*args, &block)
-      raise "You must provide a block when calling #any?" if block.nil?
-      !each(*args) { |*a| raise Kill if block.call(*a) }
-    end
-
-    def all?(*args, &block)
-      raise "You must provide a block when calling #all?" if block.nil?
-      !!each(*args) { |*a| raise Kill unless block.call(*a) }
-    end
-
-    def each_with_index(array, options={}, &block)
-      each(array, options.merge(:with_index => true), &block)
-    end
-
-    def map(source, options = {}, &block)
-      options = options.dup
-      options[:mutex] = Mutex.new
-
-      if options[:in_processes] && options[:in_threads]
-        raise ArgumentError.new("Please specify only one of `in_processes` or `in_threads`.")
-      elsif RUBY_PLATFORM =~ /java/ and not options[:in_processes]
-        method = :in_threads
-        size = options[method] || processor_count
-      elsif options[:in_threads]
-        method = :in_threads
-        size = options[method]
-      else
-        method = :in_processes
-        if Process.respond_to?(:fork)
-          size = options[method] || processor_count
-        else
-          warn "Process.fork is not supported by this Ruby"
-          size = 0
-        end
-      end
-
-      job_factory = JobFactory.new(source, options[:mutex])
-      size = [job_factory.size, size].min
-
-      options[:return_results] = (options[:preserve_results] != false || !!options[:finish])
-      add_progress_bar!(job_factory, options)
-
-      result =
-        if size == 0
-          work_direct(job_factory, options, &block)
-        elsif method == :in_threads
-          work_in_threads(job_factory, options.merge(:count => size), &block)
-        else
-          work_in_processes(job_factory, options.merge(:count => size), &block)
-        end
-
-      return result.value if result.is_a?(Break)
-      raise result if result.is_a?(Exception)
-      options[:return_results] ? result : source
-    end
-
-    def map_with_index(array, options={}, &block)
-      map(array, options.merge(:with_index => true), &block)
-    end
-
-    def flat_map(*args, &block)
-      map(*args, &block).flatten(1)
-    end
-
-    def worker_number
-      Thread.current[:parallel_worker_number]
-    end
-
-    # TODO: this does not work when doing threads in forks, so should remove and yield the number instead if needed
-    def worker_number=(worker_num)
-      Thread.current[:parallel_worker_number] = worker_num
-    end
-
-    private
-
-    def add_progress_bar!(job_factory, options)
-      if progress_options = options[:progress]
-        raise "Progressbar can only be used with array like items" if job_factory.size == Float::INFINITY
-        require 'ruby-progressbar'
-
-        if progress_options == true
-          progress_options = { title: "Progress" }
-        elsif progress_options.respond_to? :to_str
-          progress_options = { title: progress_options.to_str }
-        end
-
-        progress_options = {
-          total: job_factory.size,
-          format: '%t |%E | %B | %a'
-        }.merge(progress_options)
-
-        progress = ProgressBar.create(progress_options)
-        old_finish = options[:finish]
-        options[:finish] = lambda do |item, i, result|
-          old_finish.call(item, i, result) if old_finish
-          progress.increment
-        end
-      end
-    end
-
-    def work_direct(job_factory, options, &block)
-      self.worker_number = 0
-      results = []
-      exception = nil
-      begin
-        while set = job_factory.next
-          item, index = set
-          results << with_instrumentation(item, index, options) do
-            call_with_index(item, index, options, &block)
-          end
-        end
-      rescue
-        exception = $!
-      end
-      exception || results
-    ensure
-      self.worker_number = nil
-    end
-
-    def work_in_threads(job_factory, options, &block)
-      raise "interrupt_signal is no longer supported for threads" if options[:interrupt_signal]
-      results = []
-      results_mutex = Mutex.new # arrays are not thread-safe on jRuby
-      exception = nil
-
-      in_threads(options) do |worker_num|
-        self.worker_number = worker_num
-        # as long as there are more jobs, work on one of them
-        while !exception && set = job_factory.next
-          begin
-            item, index = set
-            result = with_instrumentation item, index, options do
-              call_with_index(item, index, options, &block)
-            end
-            results_mutex.synchronize { results[index] = result }
-          rescue
-            exception = $!
-          end
-        end
-      end
-
-      exception || results
-    end
-
-    def work_in_processes(job_factory, options, &blk)
-      workers = create_workers(job_factory, options, &blk)
-      results = []
-      results_mutex = Mutex.new # arrays are not thread-safe
-      exception = nil
-
-      UserInterruptHandler.kill_on_ctrl_c(workers.map(&:pid), options) do
-        in_threads(options) do |i|
-          worker = workers[i]
-          worker.thread = Thread.current
-          worked = false
-
-          begin
-            loop do
-              break if exception
-              item, index = job_factory.next
-              break unless index
-
-              if options[:isolation]
-                worker = replace_worker(job_factory, workers, i, options, blk) if worked
-                worked = true
-                worker.thread = Thread.current
-              end
-
-              begin
-                result = with_instrumentation item, index, options do
-                  worker.work(job_factory.pack(item, index))
-                end
-                results_mutex.synchronize { results[index] = result } # arrays are not threads safe on jRuby
-              rescue StandardError => e
-                exception = e
-                if Kill === exception
-                  (workers - [worker]).each do |w|
-                    w.thread.kill if w.thread
-                    UserInterruptHandler.kill(w.pid)
-                  end
-                end
-              end
-            end
-          ensure
-            worker.stop
-          end
-        end
-      end
-      exception || results
-    end
-
-    def replace_worker(job_factory, workers, i, options, blk)
-      options[:mutex].synchronize do
-        # old worker is no longer used ... stop it
-        worker = workers[i]
-        worker.stop
-
-        # create a new replacement worker
-        running = workers - [worker]
-        workers[i] = worker(job_factory, options.merge(started_workers: running, worker_number: i), &blk)
-      end
-    end
-
-    def create_workers(job_factory, options, &block)
-      workers = []
-      Array.new(options[:count]).each_with_index do |_, i|
-        workers << worker(job_factory, options.merge(started_workers: workers, worker_number: i), &block)
-      end
-      workers
-    end
-
-    def worker(job_factory, options, &block)
-      child_read, parent_write = IO.pipe
-      parent_read, child_write = IO.pipe
-
-      pid = Process.fork do
-        self.worker_number = options[:worker_number]
-
-        begin
-          options.delete(:started_workers).each(&:close_pipes)
-
-          parent_write.close
-          parent_read.close
-
-          process_incoming_jobs(child_read, child_write, job_factory, options, &block)
-        ensure
-          child_read.close
-          child_write.close
-        end
-      end
-
-      child_read.close
-      child_write.close
-
-      Worker.new(parent_read, parent_write, pid)
-    end
-
-    def process_incoming_jobs(read, write, job_factory, options, &block)
-      until read.eof?
-        data = Marshal.load(read)
-        item, index = job_factory.unpack(data)
-        result = begin
-          call_with_index(item, index, options, &block)
-        # https://github.com/rspec/rspec-support/blob/673133cdd13b17077b3d88ece8d7380821f8d7dc/lib/rspec/support.rb#L132-L140
-        rescue NoMemoryError, SignalException, Interrupt, SystemExit
-          raise $!
-        rescue Exception
-          ExceptionWrapper.new($!)
-        end
-        begin
-          Marshal.dump(result, write)
-        rescue Errno::EPIPE
-          return # parent thread already dead
-        end
-      end
-    end
-
-    # options is either a Integer or a Hash with :count
-    def extract_count_from_options(options)
-      if options.is_a?(Hash)
-        count = options[:count]
-      else
-        count = options
-        options = {}
-      end
-      [count, options]
-    end
-
-    def call_with_index(item, index, options, &block)
-      args = [item]
-      args << index if options[:with_index]
-      if options[:return_results]
-        block.call(*args)
-      else
-        block.call(*args)
-        nil # avoid GC overhead of passing large results around
-      end
-    end
-
-    def with_instrumentation(item, index, options)
-      on_start = options[:start]
-      on_finish = options[:finish]
-      options[:mutex].synchronize { on_start.call(item, index) } if on_start
-      result = yield
-      options[:mutex].synchronize { on_finish.call(item, index, result) } if on_finish
-      result unless options[:preserve_results] == false
-    end
-  end
-end