brakeman 5.1.2 → 5.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ef8f26e0f7cab3cc6efd385a098689a8d420a79baf7a2a12a8847cc738e9a1c
-  data.tar.gz: 3fa59694d9477237ed04ed9bfe0c51d51e0798f0862692e3707097f8a363a761
+  metadata.gz: b6672aa0a7532078f913b27574846fc26abd9fc624af178b9017f2de885f5505
+  data.tar.gz: a3eeda0729d72d601bc94f4296f4f878e2cd970ef089f38dd0fcaad2e361f36c
 SHA512:
-  metadata.gz: b7de9d2175a4008cde987ff7645cbbae0da20b242d0833e9f9a981bed3a2c44cdf49cb1f248ac860451af6afbfe04c0a8feb9cad392972fb9f018c89529aefda
-  data.tar.gz: 3e8cdc432ccfc6a614fc8facb59ea4a1e90134ae59763cc223fe265b5923995d62a0a52e96f0922b8063ed2caf96b72c20397c58e14b9dbd94a375c0b2ca7ef8
+  metadata.gz: 700ed2e62792a1d2a38222199f2030f29aafee865f79e0b57be17fbbc718f6bbc1dadc1f5e3ceab4b961635f165f1fdcd9303520a4e5a897044e682319aca200
+  data.tar.gz: 2f030bd82e1c7bccd70610151c8baec7a0ed4723226e41f9cd0104d56c51cc443ace66ac9ac43381aaee4f27d5ffad807476060eca2d308d5f878370e0bd7874

data/CHANGES.md

@@ -1,3 +1,16 @@
+# 5.2.1 - 2022-01-30
+
+* Add warning codes for EOL software warnings
+
+# 5.2.0 - 2021-12-15
+
+* Initial Rails 7 support
+* Require Ruby 2.5.0+
+* Fix issue with calls to `foo.root` in routes
+* Ignore `I18n.locale` in SQL queries
+* Do not treat `sanitize_sql_like` as safe
+* Add new checks for unsupported Ruby and Rails versions
+
 # 5.1.2 - 2021-10-28
 
 * Handle cases where enums are not symbols

data/bundle/load.rb

@@ -1,4 +1,5 @@
 path = File.expand_path('../..', __FILE__)
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/temple-0.8.2/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.16.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib"
@@ -8,7 +9,6 @@ $:.unshift "#{path}/bundle/ruby/2.7.0/gems/highline-2.0.3/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby2ruby-2.4.4/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/terminal-table-1.8.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/haml-5.2.2/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/parallel-1.21.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/erubis-2.7.0/lib"

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/History.rdoc

@@ -1,3 +1,15 @@
+=== 3.18.1 / 2021-11-10
+
+* 1 minor enhancement:
+
+  * All parser tests are now explicitly testing line numbers at every level.
+
+* 3 bug fixes:
+
+  * Fixed endless method with noargs. (mitsuru)
+  * Fixed line numbers on some yield forms.
+  * Handle and clearly report if unifdef is missing.
+
 === 3.18.0 / 2021-10-27
 
 Holy crap... 58 commits! 2.7 and 3.0 are feature complete. Strings

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby20_parser.rb

@@ -5131,19 +5131,25 @@ def _reduce_306(val, _values, result)
 end
 
 def _reduce_307(val, _values, result)
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
 
     result
 end
 
 def _reduce_308(val, _values, result)
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
 
     result
 end
 
 def _reduce_309(val, _values, result)
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
 
     result
 end

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby20_parser.y

@@ -1208,15 +1208,21 @@ rule
                     }
                 | kYIELD tLPAREN2 call_args rparen
                     {
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
                     }
                 | kYIELD tLPAREN2 rparen
                     {
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
                     }
                 | kYIELD
                     {
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
                     }
                 | kDEFINED opt_nl tLPAREN2 expr rparen
                     {

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby21_parser.rb

@@ -5162,19 +5162,25 @@ def _reduce_306(val, _values, result)
 end
 
 def _reduce_307(val, _values, result)
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
 
     result
 end
 
 def _reduce_308(val, _values, result)
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
 
     result
 end
 
 def _reduce_309(val, _values, result)
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
 
     result
 end

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby21_parser.y

@@ -1206,15 +1206,21 @@ rule
                     }
                 | kYIELD tLPAREN2 call_args rparen
                     {
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
                     }
                 | kYIELD tLPAREN2 rparen
                     {
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
                     }
                 | kYIELD
                     {
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
                     }
                 | kDEFINED opt_nl tLPAREN2 expr rparen
                     {

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby22_parser.rb

@@ -5196,19 +5196,25 @@ def _reduce_306(val, _values, result)
 end
 
 def _reduce_307(val, _values, result)
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
 
     result
 end
 
 def _reduce_308(val, _values, result)
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
 
     result
 end
 
 def _reduce_309(val, _values, result)
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
 
     result
 end

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby22_parser.y

@@ -1207,15 +1207,21 @@ rule
                     }
                 | kYIELD tLPAREN2 call_args rparen
                     {
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
                     }
                 | kYIELD tLPAREN2 rparen
                     {
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
                     }
                 | kYIELD
                     {
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
                     }
                 | kDEFINED opt_nl tLPAREN2 expr rparen
                     {

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby23_parser.rb

@@ -5203,19 +5203,25 @@ def _reduce_306(val, _values, result)
 end
 
 def _reduce_307(val, _values, result)
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
 
     result
 end
 
 def _reduce_308(val, _values, result)
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
 
     result
 end
 
 def _reduce_309(val, _values, result)
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
 
     result
 end

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby23_parser.y

@@ -1208,15 +1208,21 @@ rule
                     }
                 | kYIELD tLPAREN2 call_args rparen
                     {
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
                     }
                 | kYIELD tLPAREN2 rparen
                     {
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
                     }
                 | kYIELD
                     {
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
                     }
                 | kDEFINED opt_nl tLPAREN2 expr rparen
                     {

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby24_parser.rb

@@ -5234,19 +5234,25 @@ def _reduce_307(val, _values, result)
 end
 
 def _reduce_308(val, _values, result)
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
 
     result
 end
 
 def _reduce_309(val, _values, result)
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
 
     result
 end
 
 def _reduce_310(val, _values, result)
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
 
     result
 end

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby24_parser.y

@@ -1216,15 +1216,21 @@ rule
                     }
                 | kYIELD tLPAREN2 call_args rparen
                     {
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
                     }
                 | kYIELD tLPAREN2 rparen
                     {
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
                     }
                 | kYIELD
                     {
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
                     }
                 | kDEFINED opt_nl tLPAREN2 expr rparen
                     {

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby25_parser.rb

@@ -5234,19 +5234,25 @@ def _reduce_307(val, _values, result)
 end
 
 def _reduce_308(val, _values, result)
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
 
     result
 end
 
 def _reduce_309(val, _values, result)
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
 
     result
 end
 
 def _reduce_310(val, _values, result)
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
 
     result
 end

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby25_parser.y

@@ -1216,15 +1216,21 @@ rule
                     }
                 | kYIELD tLPAREN2 call_args rparen
                     {
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
                     }
                 | kYIELD tLPAREN2 rparen
                     {
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
                     }
                 | kYIELD
                     {
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
                     }
                 | kDEFINED opt_nl tLPAREN2 expr rparen
                     {

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby26_parser.rb

@@ -5253,19 +5253,25 @@ def _reduce_309(val, _values, result)
 end
 
 def _reduce_310(val, _values, result)
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
 
     result
 end
 
 def _reduce_311(val, _values, result)
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
 
     result
 end
 
 def _reduce_312(val, _values, result)
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
 
     result
 end

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby26_parser.y

@@ -1231,15 +1231,21 @@ rule
                     }
                 | kYIELD tLPAREN2 call_args rparen
                     {
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
                     }
                 | kYIELD tLPAREN2 rparen
                     {
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
                     }
                 | kYIELD
                     {
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
                     }
                 | kDEFINED opt_nl tLPAREN2 expr rparen
                     {

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby27_parser.rb

@@ -5794,19 +5794,25 @@ def _reduce_316(val, _values, result)
 end
 
 def _reduce_317(val, _values, result)
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
 
     result
 end
 
 def _reduce_318(val, _values, result)
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
 
     result
 end
 
 def _reduce_319(val, _values, result)
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
 
     result
 end

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby27_parser.y

@@ -1294,15 +1294,21 @@ rule
                     }
                 | kYIELD tLPAREN2 call_args rparen
                     {
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
                     }
                 | kYIELD tLPAREN2 rparen
                     {
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
                     }
                 | kYIELD
                     {
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
                     }
                 | kDEFINED opt_nl tLPAREN2 expr rparen
                     {

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby30_parser.rb

@@ -3424,7 +3424,7 @@ racc_reduce_table = [
   4, 277, :_reduce_658,
   1, 277, :_reduce_659,
   1, 235, :_reduce_none,
-  1, 235, :_reduce_none,
+  1, 235, :_reduce_661,
   3, 394, :_reduce_662,
   5, 394, :_reduce_663,
   3, 394, :_reduce_664,
@@ -6008,19 +6008,25 @@ def _reduce_326(val, _values, result)
 end
 
 def _reduce_327(val, _values, result)
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
 
     result
 end
 
 def _reduce_328(val, _values, result)
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
 
     result
 end
 
 def _reduce_329(val, _values, result)
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
 
     result
 end
@@ -8164,7 +8170,11 @@ end
 
 # reduce 660 omitted
 
-# reduce 661 omitted
+def _reduce_661(val, _values, result)
+                      result = end_args val
+
+    result
+end
 
 def _reduce_662(val, _values, result)
                       result = end_args val

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby30_parser.y

@@ -1392,15 +1392,21 @@ rule
                     }
                 | kYIELD tLPAREN2 call_args rparen
                     {
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
                     }
                 | kYIELD tLPAREN2 rparen
                     {
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
                     }
                 | kYIELD
                     {
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
                     }
                 | kDEFINED opt_nl tLPAREN2 expr rparen
                     {
@@ -3035,6 +3041,9 @@ keyword_variable: kNIL      { result = s(:nil).line lexer.lineno }
 
 f_opt_paren_args: f_paren_args
                 | none
+                    {
+                      result = end_args val
+                    }
 
     f_paren_args: tLPAREN2 f_args rparen
                     {

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby3_parser.yy

@@ -1396,15 +1396,21 @@ rule
                     }
                 | kYIELD tLPAREN2 call_args rparen
                     {
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
                     }
                 | kYIELD tLPAREN2 rparen
                     {
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
                     }
                 | kYIELD
                     {
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
                     }
                 | kDEFINED opt_nl tLPAREN2 expr rparen
                     {
@@ -3039,6 +3045,9 @@ keyword_variable: kNIL      { result = s(:nil).line lexer.lineno }
 
 f_opt_paren_args: f_paren_args
                 | none
+                    {
+                      result = end_args val
+                    }
 
     f_paren_args: tLPAREN2 f_args rparen
                     {

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby_parser.yy

@@ -1362,15 +1362,21 @@ rule
                     }
                 | kYIELD tLPAREN2 call_args rparen
                     {
-                      result = new_yield val[2]
+                      (_, line), _, args, _ = val
+
+                      result = new_yield(args).line line
                     }
                 | kYIELD tLPAREN2 rparen
                     {
-                      result = new_yield
+                      (_, line), _, _ = val
+
+                      result = new_yield.line line
                     }
                 | kYIELD
                     {
-                      result = new_yield
+                      (_, line), = val
+
+                      result = new_yield.line line
                     }
                 | kDEFINED opt_nl tLPAREN2 expr rparen
                     {

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.0 → ruby_parser-3.18.1}/lib/ruby_parser_extras.rb

@@ -30,7 +30,7 @@ class Sexp
 end
 
 module RubyParserStuff
-  VERSION = "3.18.0"
+  VERSION = "3.18.1"
 
   attr_accessor :lexer, :in_def, :in_single, :file
   attr_accessor :in_kwarg

data/lib/brakeman/checks/base_check.rb

@@ -513,4 +513,14 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     string_building? exp.target or
     string_building? exp.first_arg
   end
+
+  I18N_CLASS = s(:const, :I18n)
+
+  def locale_call? exp
+    return unless call? exp
+
+    (exp.target == I18N_CLASS and
+     exp.method == :locale) or
+    locale_call? exp.target
+  end
 end

data/lib/brakeman/checks/check_eol_rails.rb

@@ -0,0 +1,23 @@
+require_relative 'eol_check'
+
+class Brakeman::CheckEOLRails < Brakeman::EOLCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for unsupported versions of Rails"
+
+  def run_check
+    return unless tracker.config.rails_version
+
+    check_eol_version :rails, RAILS_EOL_DATES
+  end
+
+  RAILS_EOL_DATES = {
+    ['2.0.0', '2.3.99'] => Date.new(2013, 6, 25),
+    ['3.0.0', '3.2.99'] => Date.new(2016, 6, 30),
+    ['4.0.0', '4.2.99'] => Date.new(2017, 4, 27),
+    ['5.0.0', '5.0.99'] => Date.new(2018, 5, 9),
+    ['5.1.0', '5.1.99'] => Date.new(2019, 8, 25),
+    ['5.2.0', '5.2.99'] => Date.new(2022, 6, 1),
+    ['6.0.0', '6.0.99'] => Date.new(2023, 6, 1),
+  }
+end

data/lib/brakeman/checks/check_eol_ruby.rb

@@ -0,0 +1,26 @@
+require_relative 'eol_check'
+
+class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for unsupported versions of Ruby"
+
+  def run_check
+    return unless tracker.config.ruby_version
+
+    check_eol_version :ruby, RUBY_EOL_DATES
+  end
+
+  RUBY_EOL_DATES = {
+    ['0.0.0', '1.9.3'] => Date.new(2015, 2, 23),
+    ['2.0.0', '2.0.99'] => Date.new(2016, 2, 24),
+    ['2.1.0', '2.1.99'] => Date.new(2017, 3, 31),
+    ['2.2.0', '2.2.99'] => Date.new(2018, 3, 31),
+    ['2.3.0', '2.3.99'] => Date.new(2019, 3, 31),
+    ['2.4.0', '2.4.99'] => Date.new(2020, 3, 31),
+    ['2.5.0', '2.5.99'] => Date.new(2021, 3, 31),
+    ['2.6.0', '2.6.99'] => Date.new(2022, 3, 31),
+    ['2.7.0', '2.7.99'] => Date.new(2023, 3, 31),
+    ['3.0.0', '2.8.99'] => Date.new(2024, 3, 31),
+  }
+end

data/lib/brakeman/checks/check_sql.rb

@@ -584,7 +584,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   end
 
   IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
-    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array, :sanitize_sql_like,
+    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
@@ -628,7 +628,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       arel? exp or
       exp.method.to_s.end_with? "_id" or
       number_target? exp or
-      date_target? exp
+      date_target? exp or
+      locale_call? exp
   end
 
   QUOTE_METHODS = [:quote, :quote_column_name, :quoted_date, :quote_string, :quote_table_name]

data/lib/brakeman/checks/check_symbol_dos.rb

@@ -9,7 +9,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
 
   def run_check
     return if rails_version and rails_version >= "5.0.0"
-    return if tracker.config.ruby_version >= "2.2"
+    return if tracker.config.ruby_version and tracker.config.ruby_version >= "2.2"
 
     tracker.find_call(:methods => UNSAFE_METHODS, :nested => true).each do |result|
       check_unsafe_symbol_creation(result)

data/lib/brakeman/checks/eol_check.rb

@@ -0,0 +1,47 @@
+require 'date'
+require 'brakeman/checks/base_check'
+
+# Not used directly - base check for EOLRails and EOLRuby
+class Brakeman::EOLCheck < Brakeman::BaseCheck
+  def check_eol_version library, eol_dates
+    version = case library
+              when :rails
+                tracker.config.rails_version
+              when :ruby
+                tracker.config.ruby_version
+              else
+                raise 'Implement using tracker.config.gem_version'
+              end
+
+    eol_dates.each do |(start_version, end_version), eol_date|
+      if version_between? start_version, end_version, version
+        case
+        when Date.today >= eol_date
+          warn_about_unsupported_version library, eol_date, version
+        when (Date.today + 30) >= eol_date
+          warn_about_soon_unsupported_version library, eol_date, version, :medium
+        when (Date.today + 60) >= eol_date
+          warn_about_soon_unsupported_version library, eol_date, version, :low
+        end
+
+        break
+      end
+    end
+  end
+
+  def warn_about_soon_unsupported_version library, eol_date, version, confidence
+    warn warning_type: 'Unmaintained Dependency',
+      warning_code: :"pending_eol_#{library}",
+      message: msg("Support for ", msg_version(version, library.capitalize), " ends on #{eol_date}"),
+      confidence: confidence,
+      gem_info: gemfile_or_environment
+  end
+
+  def warn_about_unsupported_version library, eol_date, version
+    warn warning_type: 'Unmaintained Dependency',
+      warning_code: :"eol_#{library}",
+      message: msg("Support for ", msg_version(version, library.capitalize), " ended on #{eol_date}"),
+      confidence: :high,
+      gem_info: gemfile_or_environment
+  end
+end

data/lib/brakeman/options.rb

@@ -93,6 +93,14 @@ module Brakeman::Options
           options[:rails6] = true
         end
 
+        opts.on "-7", "--rails7", "Force Rails 7 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+          options[:rails5] = true
+          options[:rails6] = true
+          options[:rails7] = true
+        end
+
         opts.separator ""
         opts.separator "Scanning options:"
 

data/lib/brakeman/processors/gem_processor.rb

@@ -6,6 +6,7 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
   def initialize *args
     super
     @gem_name_version = /^\s*([-_+.A-Za-z0-9]+) \((\w(\.\w+)*)\)/
+    @ruby_version = /^\s+ruby (\d\.\d.\d+)/
   end
 
   def process_gems gem_files
@@ -95,6 +96,8 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
   def set_gem_version_and_file line, file, line_num
     if line =~ @gem_name_version
       @tracker.config.add_gem $1, $2, file, line_num
+    elsif line =~ @ruby_version
+      @tracker.config.set_ruby_version $1
     end
   end
 end

data/lib/brakeman/processors/lib/rails3_route_processor.rb

@@ -78,6 +78,8 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
 
   #TODO: Need test for this
   def process_root exp
+    return exp unless hash? exp.first_arg
+
     if value = hash_access(exp.first_arg, :to)
       if string? value
         add_route_from_string value

data/lib/brakeman/scanner.rb

@@ -137,7 +137,9 @@ class Brakeman::Scanner
     end
 
     if @app_tree.exists? ".ruby-version"
-      tracker.config.set_ruby_version @app_tree.file_path(".ruby-version").read
+      if version = @app_tree.file_path(".ruby-version").read[/(\d\.\d.\d+)/]
+        tracker.config.set_ruby_version version
+      end
     end
 
     tracker.config.load_rails_defaults

data/lib/brakeman/tracker/config.rb

@@ -14,7 +14,7 @@ module Brakeman
       @settings = {}
       @escape_html = nil
       @erubis = nil
-      @ruby_version = ""
+      @ruby_version = nil
       @rails_version = nil
     end
 
@@ -106,6 +106,13 @@ module Brakeman
             tracker.options[:rails5] = true
             tracker.options[:rails6] = true
             Brakeman.notify "[Notice] Detected Rails 6 application"
+          elsif @rails_version.start_with? "7"
+            tracker.options[:rails3] = true
+            tracker.options[:rails4] = true
+            tracker.options[:rails5] = true
+            tracker.options[:rails6] = true
+            tracker.options[:rails7] = true
+            Brakeman.notify "[Notice] Detected Rails 7 application"
           end
         end
       end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.1.2"
+  Version = "5.2.1"
 end

data/lib/brakeman/warning_codes.rb

@@ -121,6 +121,10 @@ module Brakeman::WarningCodes
     :erb_template_injection => 117,
     :http_verb_confusion => 118,
     :unsafe_method_reflection => 119,
+    :eol_rails => 120,
+    :eol_ruby => 121,
+    :pending_eol_rails => 122,
+    :pending_eol_ruby => 123,
 
     :custom_check => 9090,
   }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 5.1.2
+  version: 5.2.1
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-10-28 00:00:00.000000000 Z
+date: 2022-01-30 00:00:00.000000000 Z
 dependencies: []
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.
@@ -193,42 +193,42 @@ files:
 - bundle/ruby/2.7.0/gems/ruby2ruby-2.4.4/Manifest.txt
 - bundle/ruby/2.7.0/gems/ruby2ruby-2.4.4/README.rdoc
 - bundle/ruby/2.7.0/gems/ruby2ruby-2.4.4/lib/ruby2ruby.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/History.rdoc
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/Manifest.txt
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/README.rdoc
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/compare/normalize.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/debugging.md
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/gauntlet.md
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/rp_extensions.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/rp_stringscanner.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby20_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby20_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby21_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby21_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby22_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby22_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby23_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby23_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby24_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby24_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby25_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby25_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby26_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby26_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby27_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby27_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby30_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby30_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby3_parser.yy
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby_lexer.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby_lexer.rex
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby_lexer.rex.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby_lexer_strings.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby_parser.yy
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/lib/ruby_parser_extras.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/tools/munge.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.0/tools/ripper.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/History.rdoc
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/Manifest.txt
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/README.rdoc
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/compare/normalize.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/debugging.md
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/gauntlet.md
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/rp_extensions.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/rp_stringscanner.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby20_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby20_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby21_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby21_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby22_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby22_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby23_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby23_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby24_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby24_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby25_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby25_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby26_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby26_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby27_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby27_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby30_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby30_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby3_parser.yy
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby_lexer.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby_lexer.rex
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby_lexer.rex.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby_lexer_strings.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby_parser.yy
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby_parser_extras.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/tools/munge.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/tools/ripper.rb
 - bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/History.rdoc
 - bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/Manifest.txt
 - bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/README.rdoc
@@ -452,6 +452,8 @@ files:
 - lib/brakeman/checks/check_digest_dos.rb
 - lib/brakeman/checks/check_divide_by_zero.rb
 - lib/brakeman/checks/check_dynamic_finders.rb
+- lib/brakeman/checks/check_eol_rails.rb
+- lib/brakeman/checks/check_eol_ruby.rb
 - lib/brakeman/checks/check_escape_function.rb
 - lib/brakeman/checks/check_evaluation.rb
 - lib/brakeman/checks/check_execute.rb
@@ -518,6 +520,7 @@ files:
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks/check_xml_dos.rb
 - lib/brakeman/checks/check_yaml_parsing.rb
+- lib/brakeman/checks/eol_check.rb
 - lib/brakeman/codeclimate/engine_configuration.rb
 - lib/brakeman/commandline.rb
 - lib/brakeman/differ.rb
@@ -633,7 +636,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.4.0
+      version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="