brakeman 5.0.4 → 5.2.1

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.16.0 → ruby_parser-3.18.1}/tools/munge.rb

@@ -76,12 +76,31 @@ def munge s
 
              # other
 
+             'kTERMINATOR',     "tSTRING_END",
+             '"kTERMINATOR"',   "tSTRING_END",
+             'kTRCURLY',        "tSTRING_DEND",
+
+             '"symbol literal"',       "tSYMBEG",
+             '"string literal"',       "tSTRING_BEG",
+             '"backtick literal"',     "tXSTRING_BEG",
+             '"regexp literal"',       "tREGEXP_BEG",
+             '"word list"',            "tWORDS_BEG",
+             '"verbatim word list"',   "tQWORDS_BEG",
+             '"symbol list"',          "tSYMBOLS_BEG",
+             '"verbatim symbol list"', "tQSYMBOLS_BEG",
+             '"terminator"',           "tSTRING_END",
+             '"\'}\'"',                  "tSTRING_DEND",
+
+             '"string literal"',"tSTRING_BEG",
+             '"literal content"', "tSTRING_CONTENT",
+             /\$/,              "", # try to remove these lumps?
+
              'tLBRACK2',        "tLBRACK", # HACK
 
              "' '",             "tSPACE", # needs to be later to avoid bad hits
 
              "/* empty */",     "none",
-             /^\s*$/,           "none",
+             /^\s*$/,           "",
 
              "keyword_BEGIN",   "klBEGIN",
              "keyword_END",     "klEND",
@@ -89,6 +108,7 @@ def munge s
              /\bk_([a-z_]+)/,   proc { "k#{$1.upcase}" },
              /modifier_(\w+)/,  proc { "k#{$1.upcase}_MOD" },
              "kVARIABLE",       "keyword_variable", # ugh
+             "tCONST",          "kCONST",
 
              # 2.6 collapses klBEGIN to kBEGIN
              "klBEGIN",   "kBEGIN",
@@ -112,9 +132,11 @@ def munge s
              '"do (for condition)"', "kDO_COND",
              '"do (for lambda)"',    "kDO_LAMBDA",
              '"do (for block)"',     "kDO_BLOCK",
+             '"local variable or method"', "tIDENTIFIER",
 
              /\"(\w+) \(modifier\)\"/, proc { |x| "k#{$1.upcase}_MOD" },
              /\"(\w+)\"/,              proc { |x| "k#{$1.upcase}" },
+             /\"`(\w+)'\"/,            proc { |x| "k#{$1.upcase}" },
 
              /@(\d+)(\s+|$)/,       "",
              /\$?@(\d+) */,         "", # TODO: remove?
@@ -130,7 +152,11 @@ def munge s
     end
   end
 
-  s.strip.squeeze " "
+  if s.empty? then
+    nil
+  else
+    s.strip.squeeze " "
+  end
 end
 
 ARGF.each_line do |line|
@@ -144,19 +170,19 @@ ARGF.each_line do |line|
   when /^Reading a token: Next token is token (.*?) \(\)/ then
     token = munge $1
     next if last_token == token
-    puts "next token is %p (%p)" % [token, last_token]
+    puts "next token is %p" % [token]
     last_token = token
   when /^Reading a token: / then
     next # skip
   when /^read\s+:(\w+)/ then # read    :tNL(tNL) nil
     token = munge $1
     next if last_token == token
-    puts "next token is %p (%p)" % [token, last_token]
+    puts "next token is %p" % [token]
     last_token = token
   when /^Next token is token ("[^"]+"|\S+)/ then
     token = munge $1
     next if last_token == token
-    puts "next token is %p (%p)" % [token, last_token]
+    puts "next token is %p" % [token]
     last_token = token
   when /^read\s+false/ then # read    false($end) "$end"
     puts "next token is EOF"
@@ -164,6 +190,8 @@ ARGF.each_line do |line|
     # do nothing
   when /^.:scan=>\["([^"]+)"/ then
     puts "scan = %p" % [$1]
+  when /^.:getch=>\["([^"]+)/ then
+    puts "SCAN = %p" % [$1]
   when /^Reducing stack by rule (\d+) \(line (\d+)\):/ then
     reduce_line = $2.to_i
   when /^   \$\d+ = (?:token|nterm) (.+) \(.*\)/ then
@@ -172,7 +200,7 @@ ARGF.each_line do |line|
   when /^-> \$\$ = (?:token|nterm) (.+) \(.*\)/ then
     stack << "none" if stack.empty?
     item = munge $1
-    x = stack.map { |s| s.strip }.join " "
+    x = stack.compact.map { |s| munge s.strip }.compact.join " "
     if x != item then # prevent kdef -> kdef
       if $v && reduce_line then
         puts "reduce #{x} --> #{item} at #{reduce_line}".squeeze " "

data/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/tools/ripper.rb

@@ -0,0 +1,44 @@
+#!/usr/bin/env ruby -ws
+
+$b ||= false # bug mode -- ripper is buggy, use Ripper.sexp
+$d ||= false # debug -- turn on yydebug
+$p ||= false # Use pp
+
+require "ripper/sexp"
+require "pp" if $p
+
+if ARGV.empty? then
+  warn "reading from stdin"
+  ARGV << "-"
+end
+
+class MySexpBuilder < Ripper::SexpBuilderPP
+  def on_parse_error msg
+    Kernel.warn msg
+  end
+end
+
+ARGV.each do |path|
+  src = path == "-" ? $stdin.read : File.read(path)
+
+  sexp = if $b then
+           Ripper.sexp src
+         else
+           rip = MySexpBuilder.new src
+           rip.yydebug = $d
+           rip.parse
+
+           if rip.error? then
+             warn "skipping"
+             next
+           end
+         end
+
+  puts "accept"
+
+  if $p then
+    pp sexp
+  else
+    p sexp
+  end
+end

data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/History.rdoc

@@ -1,3 +1,18 @@
+=== 4.16.0 / 2021-10-27
+
+* 4 minor enhancements:
+
+  * Added Sexp#value (pushed up from ruby_parser).
+  * Aliased Sexp#concat to #_concat and use that so it can be overridden.
+  * Cache the #hash result.
+  * StrictSexp mode (4) now covers concat.
+
+* 3 bug fixes:
+
+  * Fix some doco on each_sexp to clarify that it is not recursive.
+  * Fixed a bug calling enum_for when using each_of_type w/ no block.
+  * Minor fixes to pt_testcase.rb for custom timeouts and better error handling.
+
 === 4.15.3 / 2021-05-15
 
 * 1 minor enhancement:

data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/pt_testcase.rb

@@ -150,7 +150,8 @@ class ParseTreeTestCase < Minitest::Test
 
         before_process_hook klass, node, data, input_name, output_name
         refute_nil data[input_name], "testcase does not exist?"
-        @result = processor.process input
+        timeout = (ENV["RP_TIMEOUT"] || 10).to_i
+        @result = processor.process input, "(string)", timeout
         assert_equal(expected, @result,
                      "failed on input: #{data[input_name].inspect}")
         after_process_hook klass, node, data, input_name, output_name
@@ -158,7 +159,11 @@ class ParseTreeTestCase < Minitest::Test
         extra_input.each do |extra|
           processor.process(extra)
         end
-        extra = processor.extra_methods rescue []
+        extra = if processor.respond_to?(:extra_methods) then
+                  processor.extra_methods
+                else
+                  []
+                end
         assert_equal extra_expected, extra
       end
     end

data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/sexp.rb

@@ -31,13 +31,15 @@ class Sexp < Array # ZenTest FULL
     super(args)
   end
 
+  alias _concat concat
+
   ##
   # Creates a new Sexp from Array +a+.
 
   def self.from_array a
     ary = Array === a ? a : [a]
 
-    self.new.concat(ary.map { |x|
+    self.new._concat(ary.map { |x|
                case x
                when Sexp
                  x
@@ -54,7 +56,7 @@ class Sexp < Array # ZenTest FULL
   # same +file+, +line+, and +comment+ as self.
 
   def new(*body)
-    r = self.class.new.concat(body) # ensures a sexp from map
+    r = self.class.new._concat(body) # ensures a sexp from map
     r.file     = self.file     if self.file
     r.line     = self.line     if self.line
     r.comments = self.comments if self.comments
@@ -62,7 +64,7 @@ class Sexp < Array # ZenTest FULL
   end
 
   def map &blk # :nodoc:
-    self.new.concat(super(&blk)) # ensures a sexp from map
+    self.new._concat(super(&blk)) # ensures a sexp from map
   end
 
   def == obj # :nodoc:
@@ -74,7 +76,7 @@ class Sexp < Array # ZenTest FULL
   end
 
   def hash
-    [self.class, *self].hash
+    @hash ||= [self.class, *self].hash
   end
 
   ##
@@ -93,7 +95,7 @@ class Sexp < Array # ZenTest FULL
   end
 
   ##
-  # Recursively enumerates the sexp yielding to +block+ for every element.
+  # Recursively enumerates the sexp yielding to +block+ for every sub-Sexp.
   #
   # Returning :skip will stop traversing that subtree:
   #
@@ -122,7 +124,7 @@ class Sexp < Array # ZenTest FULL
   # Enumeratates the sexp yielding to +b+ when the node_type == +t+.
 
   def each_of_type t, &b
-    return enum_for(:each_of_type) unless block_given?
+    return enum_for(:each_of_type, t) unless block_given?
 
     each_sexp do | sexp |
       sexp.each_of_type(t, &b)
@@ -131,7 +133,7 @@ class Sexp < Array # ZenTest FULL
   end
 
   ##
-  # Recursively enumerates all sub-sexps skipping non-Sexp elements.
+  # Enumerates all sub-sexps skipping non-Sexp elements.
 
   def each_sexp
     return enum_for(:each_sexp) unless block_given?
@@ -289,11 +291,11 @@ class Sexp < Array # ZenTest FULL
   # the values without the node type.
 
   def sexp_body from = 1
-    self.new.concat(self[from..-1] || [])
+    self.new._concat(self[from..-1] || [])
   end
 
   ##
-  # Returns the Sexp body, ie the values without the node type.
+  # Sets the Sexp body to new content.
 
   def sexp_body= v
     self[1..-1] = v
@@ -362,6 +364,14 @@ class Sexp < Array # ZenTest FULL
   end
 
   alias to_s inspect # :nodoc:
+
+  ##
+  # Return the value (last item) of a single element sexp (eg `s(:lit, 42)`).
+
+  def value
+    raise "multi item sexp" if size > 2
+    last
+  end
 end
 
 ##

data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/sexp_processor.rb

@@ -34,7 +34,7 @@ require "sexp"
 class SexpProcessor
 
   # duh
-  VERSION = "4.15.3"
+  VERSION = "4.16.0"
 
   ##
   # Automatically shifts off the Sexp type before handing the

data/bundle/ruby/2.7.0/gems/{sexp_processor-4.15.3 → sexp_processor-4.16.0}/lib/strict_sexp.rb

@@ -36,6 +36,7 @@
 # 4 = sexp <<         => no
 
 class Sexp
+  # alias :_concat     :concat in sexp.rb so we have access to the original
   alias :safe_idx   :[]
   alias :safe_asgn  :[]=
   alias :sexp_type= :sexp_type=
@@ -43,9 +44,10 @@ class Sexp
   alias :shift :shift
 
   def self.nuke_method name, level
+    return unless __strict >= level
     define_method name do |*args|
       raise "no mutation allowed on sexps: %s.%s %s" % [self, name, args]
-    end if __strict >= level
+    end
   end
 
   def self.__strict
@@ -87,7 +89,7 @@ class Sexp
 
   nuke_method :collect!, 4
   nuke_method :compact!, 4
-  # nuke_method :concat,   4 # HACK: using self.class.new.concat(...) for speed 
+  nuke_method :concat,   4 # HACK: using self.class.new.concat(...) for speed
   nuke_method :flatten!, 4
   nuke_method :map!,     4
   nuke_method :pop,      4
@@ -111,7 +113,7 @@ class Sexp
   end
 
   def sexp_body from = 1
-    self.new.concat(safe_idx(from..-1) || [])
+    self.new._concat(safe_idx(from..-1) || [])
   end
 
   def sexp_type= v
@@ -123,4 +125,24 @@ class Sexp
   end
 end unless Sexp.new.respond_to? :safe_asgn if ENV["STRICT_SEXP"]
 
+if ENV["SP_DEBUG"] && !ENV["STRICT_SEXP"] then
+  class Sexp
+    mutators = %i[
+                  []= clear collect! compact! concat delete delete_at
+                  delete_if drop drop_while fill flatten! replace insert
+                  keep_if map! pop push reject! reverse! rotate! select!
+                  shift shuffle! slice! sort! sort_by! transpose uniq!
+                  unshift
+                 ]
+
+    mutators.each do |method|
+      define_method method do |*|
+        warn "Sexp modified by %p at %s" % [__method__, caller.first] if
+          $VERBOSE or (defined?(@hash) and @hash)
+        super
+      end
+    end
+  end
+end
+
 # :startdoc:

data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/CHANGELOG.md

@@ -1,5 +1,9 @@
 # CHANGELOG
 
+## 1.8.0
+ 
+- Unicode 14.0 (last release of 1.x)
+ 
 ## 1.7.0
 
 - Unicode 13

data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/README.md

@@ -2,7 +2,7 @@
 
 Determines the monospace display width of a string in Ruby. Implementation based on [EastAsianWidth.txt](https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt) and other data, 100% in Ruby. Other than [wcwidth()](https://github.com/janlelis/wcswidth-ruby), which fulfills a similar purpose, it does not rely on the OS vendor to provide an up-to-date method for measuring string width.
 
-Unicode version: **13.0.0** (March 2020)
+Unicode version: **14.0.0** (September 2021)
 
 Supported Rubies: **2.7**, **2.6**, **2.5**, **2.4**
 

data/bundle/ruby/2.7.0/gems/{unicode-display_width-1.7.0 → unicode-display_width-1.8.0}/lib/unicode/display_width/constants.rb

@@ -1,7 +1,7 @@
 module Unicode
   module DisplayWidth
-    VERSION = '1.7.0'
-    UNICODE_VERSION = "13.0.0".freeze
+    VERSION = '1.8.0'
+    UNICODE_VERSION = "14.0.0"
     DATA_DIRECTORY = File.expand_path(File.dirname(__FILE__) + '/../../../data/').freeze
     INDEX_FILENAME = (DATA_DIRECTORY + '/display_width.marshal.gz').freeze
   end

data/lib/brakeman/app_tree.rb

@@ -28,7 +28,7 @@ module Brakeman
     # Accepts an array of filenames and paths with the following format and
     # returns a Regexp to match them:
     #   * "path1/file1.rb" - Matches a specific filename in the project directory.
-    #   * "path1/" - Matches any path that conatains "path1" in the project directory.
+    #   * "path1/" - Matches any path that contains "path1" in the project directory.
     #   * "/path1/ - Matches any path that is rooted at "path1" in the project directory.
     #
     def self.regex_for_paths(paths)

data/lib/brakeman/checks/base_check.rb

@@ -513,4 +513,14 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     string_building? exp.target or
     string_building? exp.first_arg
   end
+
+  I18N_CLASS = s(:const, :I18n)
+
+  def locale_call? exp
+    return unless call? exp
+
+    (exp.target == I18N_CLASS and
+     exp.method == :locale) or
+    locale_call? exp.target
+  end
 end

data/lib/brakeman/checks/check_detailed_exceptions.rb

@@ -26,7 +26,7 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
   def check_detailed_exceptions
     tracker.controllers.each do |_name, controller|
       controller.methods_public.each do |method_name, definition|
-        src = definition[:src]
+        src = definition.src
         body = src.body.last
         next unless body
 

data/lib/brakeman/checks/check_eol_rails.rb

@@ -0,0 +1,23 @@
+require_relative 'eol_check'
+
+class Brakeman::CheckEOLRails < Brakeman::EOLCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for unsupported versions of Rails"
+
+  def run_check
+    return unless tracker.config.rails_version
+
+    check_eol_version :rails, RAILS_EOL_DATES
+  end
+
+  RAILS_EOL_DATES = {
+    ['2.0.0', '2.3.99'] => Date.new(2013, 6, 25),
+    ['3.0.0', '3.2.99'] => Date.new(2016, 6, 30),
+    ['4.0.0', '4.2.99'] => Date.new(2017, 4, 27),
+    ['5.0.0', '5.0.99'] => Date.new(2018, 5, 9),
+    ['5.1.0', '5.1.99'] => Date.new(2019, 8, 25),
+    ['5.2.0', '5.2.99'] => Date.new(2022, 6, 1),
+    ['6.0.0', '6.0.99'] => Date.new(2023, 6, 1),
+  }
+end

data/lib/brakeman/checks/check_eol_ruby.rb

@@ -0,0 +1,26 @@
+require_relative 'eol_check'
+
+class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for unsupported versions of Ruby"
+
+  def run_check
+    return unless tracker.config.ruby_version
+
+    check_eol_version :ruby, RUBY_EOL_DATES
+  end
+
+  RUBY_EOL_DATES = {
+    ['0.0.0', '1.9.3'] => Date.new(2015, 2, 23),
+    ['2.0.0', '2.0.99'] => Date.new(2016, 2, 24),
+    ['2.1.0', '2.1.99'] => Date.new(2017, 3, 31),
+    ['2.2.0', '2.2.99'] => Date.new(2018, 3, 31),
+    ['2.3.0', '2.3.99'] => Date.new(2019, 3, 31),
+    ['2.4.0', '2.4.99'] => Date.new(2020, 3, 31),
+    ['2.5.0', '2.5.99'] => Date.new(2021, 3, 31),
+    ['2.6.0', '2.6.99'] => Date.new(2022, 3, 31),
+    ['2.7.0', '2.7.99'] => Date.new(2023, 3, 31),
+    ['3.0.0', '2.8.99'] => Date.new(2024, 3, 31),
+  }
+end

data/lib/brakeman/checks/check_evaluation.rb

@@ -10,7 +10,7 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
   #Process calls
   def run_check
     Brakeman.debug "Finding eval-like calls"
-    calls = tracker.find_call :method => [:eval, :instance_eval, :class_eval, :module_eval]
+    calls = tracker.find_call methods: [:eval, :instance_eval, :class_eval, :module_eval], nested: true
 
     Brakeman.debug "Processing eval-like calls"
     calls.each do |call|

data/lib/brakeman/checks/check_execute.rb

@@ -87,6 +87,16 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
                   dangerous_interp?(first_arg) ||
                   dangerous_string_building?(first_arg)
       end
+    when :capture2, :capture2e, :capture3
+      # Open3 capture methods can take a :stdin_data argument which is used as the
+      # the input to the called command so it is not succeptable to command injection.
+      # As such if the last argument is a hash (and therefore execution options) it
+      # should be ignored
+
+      args.pop if hash?(args.last) && args.length > 2
+      failure = include_user_input?(args) ||
+                dangerous_interp?(args) ||
+                dangerous_string_building?(args)
     else
       failure = include_user_input?(args) ||
                 dangerous_interp?(args) ||

data/lib/brakeman/checks/check_json_parsing.rb

@@ -74,7 +74,7 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
     warning_type = "Denial of Service"
     confidence = :medium
     gem_name = "#{name} gem"
-    message = msg(msg_version(version, gem_name), " has a symbol creation vulnerablity. Upgrade to ")
+    message = msg(msg_version(version, gem_name), " has a symbol creation vulnerability. Upgrade to ")
 
     if version >= "1.7.0"
       confidence = :high

data/lib/brakeman/checks/check_render.rb

@@ -33,6 +33,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
     view = result[:call][2]
 
     if sexp? view and original? result
+      return if renderable?(view)
 
       if input = has_immediate_user_input?(view)
         if string_interp? view
@@ -94,4 +95,17 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
       end
     end
   end
-end 
+
+  def renderable? exp
+    return false unless call?(exp) and constant?(exp.target)
+
+    target_class_name = class_name(exp.target)
+    known_renderable_class?(target_class_name) or tracker.find_method(:render_in, target_class_name)
+  end
+
+  def known_renderable_class? class_name
+    klass = tracker.find_class(class_name)
+    return false if klass.nil?
+    klass.ancestor? :"ViewComponent::Base"
+  end
+end