brakeman 5.2.1 → 5.2.2

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby_parser.rb

@@ -80,10 +80,12 @@ require "ruby25_parser"
 require "ruby26_parser"
 require "ruby27_parser"
 require "ruby30_parser"
+require "ruby31_parser"
 
 class RubyParser # HACK
   VERSIONS.clear # also a HACK caused by racc namespace issues
 
+  class V31 < ::Ruby31Parser; end
   class V30 < ::Ruby30Parser; end
   class V27 < ::Ruby27Parser; end
   class V26 < ::Ruby26Parser; end

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby_parser.yy

@@ -767,8 +767,7 @@ rule
 
            cpath: tCOLON3 cname
                     {
-                      _, (name, line) = val
-                      result = s(:colon3, name.to_sym).line line
+                      result = wrap :colon3, val[1]
                     }
                 | cname
                     {
@@ -793,9 +792,7 @@ rule
 
            fitem: fname
                     {
-                      (id, line), = val
-
-                      result = s(:lit, id.to_sym).line line
+                      result = wrap :lit, val[0]
                     }
                 | symbol
 
@@ -864,9 +861,9 @@ rule
                     }
                 | tCOLON3 tCONSTANT tOP_ASGN arg_rhs
                     {
-                      _, (lhs, line), op, rhs = val
+                      _, lhs, op, rhs = val
 
-                      lhs = s(:colon3, lhs.to_sym).line line
+                      lhs = wrap :colon3, lhs
                       result = new_const_op_asgn [lhs, op, rhs]
                     }
                 | backref tOP_ASGN arg_rhs
@@ -1336,9 +1333,7 @@ rule
                     }
                 | tCOLON3 tCONSTANT
                     {
-                      _, (id, line) = val
-
-                      result = s(:colon3, id.to_sym).line line
+                      result = wrap :colon3, val[1]
                     }
                 | tLBRACK { result = lexer.lineno } aref_args tRBRACK
                     {
@@ -1846,8 +1841,7 @@ opt_block_args_tail: tCOMMA block_args_tail
 
             bvar: tIDENTIFIER
                     {
-                      (id, line), = val
-                      result = s(:shadow, id.to_sym).line line
+                      result = wrap :shadow, val[0]
                     }
                 | f_bad_arg
 
@@ -2458,9 +2452,7 @@ opt_block_args_tail: tCOMMA block_args_tail
 
       p_kw_label: tLABEL
                     {
-                      (id, line), = val
-
-                      result = s(:lit, id.to_sym).line line
+                      result = wrap :lit, val[0]
                     }
 
         p_kwrest: kwrest_mark tIDENTIFIER
@@ -2552,26 +2544,20 @@ opt_block_args_tail: tCOMMA block_args_tail
 
       p_variable: tIDENTIFIER
                     {
-                      (id, line), = val
-
                       # TODO: error_duplicate_pattern_variable(p, $1, &@1);
                       # TODO: assignable(p, $1, 0, &@$);
-                      result = s(:lvar, id.to_sym).line line
+                      result = wrap :lvar, val[0]
                     }
 
        p_var_ref: tCARET tIDENTIFIER
                     {
-                      _, (id, line) = val
-
                       # TODO: check id against env for lvar or dvar
-
-                      result = s(:lvar, id.to_sym).line line
+                      result = wrap :lvar, val[1]
                     }
 
          p_const: tCOLON3 cname
                     {
-                      _, (id, line) = val
-                      result = s(:colon3, id.to_sym).line line
+                      result = wrap :colon3, val[1]
                     }
                 | p_const tCOLON2 cname
                     {
@@ -2583,8 +2569,7 @@ opt_block_args_tail: tCOMMA block_args_tail
                 | tCONSTANT
                     {
                       # TODO $$ = gettable(p, $1, &@$);
-                      (id, line), = val
-                      result = s(:const, id.to_sym).line line
+                      result = wrap :const, val[0]
                     }
 ######################################################################
 #endif
@@ -2871,18 +2856,15 @@ regexp_contents: none
 
      string_dvar: tGVAR
                     {
-                      (id, line), = val
-                      result = s(:gvar, id.to_sym).line line
+                      result = wrap :gvar, val[0]
                     }
                 | tIVAR
                     {
-                      (id, line), = val
-                      result = s(:ivar, id.to_sym).line line
+                      result = wrap :ivar, val[0]
                     }
                 | tCVAR
                     {
-                      (id, line), = val
-                      result = s(:cvar, id.to_sym).line line
+                      result = wrap :cvar, val[0]
                     }
                 | backref
 
@@ -2891,17 +2873,13 @@ regexp_contents: none
 
             ssym: tSYMBEG sym
                     {
-                      _, (id, line) = val
-
                       lexer.lex_state = EXPR_END
-                      result = s(:lit, id.to_sym).line line
+                      result = wrap :lit, val[1]
                     }
                 | tSYMBOL
                     {
-                      (id, line), = val
-
                       lexer.lex_state = EXPR_END
-                      result = s(:lit, id.to_sym).line line
+                      result = wrap :lit, val[0]
                     }
 
              sym: fname | tIVAR | tGVAR | tCVAR
@@ -3422,10 +3400,10 @@ keyword_variable: kNIL      { result = s(:nil).line lexer.lineno }
                     }
                 | tLABEL arg_value
                     {
-                      (label, line), arg = val
+                      label, arg = val
 
-                      lit = s(:lit, label.to_sym).line line
-                      result = s(:array, lit, arg).line line
+                      lit = wrap :lit, label
+                      result = s(:array, lit, arg).line lit.line
                     }
 #if V >= 22
                 | tSTRING_BEG string_contents tLABEL_END arg_value

data/bundle/ruby/2.7.0/gems/{ruby_parser-3.18.1 → ruby_parser-3.19.1}/lib/ruby_parser_extras.rb

@@ -30,7 +30,7 @@ class Sexp
 end
 
 module RubyParserStuff
-  VERSION = "3.18.1"
+  VERSION = "3.19.1"
 
   attr_accessor :lexer, :in_def, :in_single, :file
   attr_accessor :in_kwarg
@@ -218,11 +218,15 @@ module RubyParserStuff
     self.args args
   end
 
+  def attrset_id? id
+    id =~ /^\[\]=$|^\w+=$/
+  end
+
   def endless_method_name defn_or_defs
     name = defn_or_defs[1]
     name = defn_or_defs[2] unless Symbol === name
 
-    if name.end_with? "=" then
+    if attrset_id? name then
       yyerror "setter method cannot be defined in an endless method definition"
     end
 
@@ -978,6 +982,49 @@ module RubyParserStuff
     [result, in_def]
   end
 
+  def new_endless_defn val
+    (name, line, in_def), args, _, body, _, resbody = val
+
+    result =
+      if resbody then
+        s(:defn, name, args,
+          new_rescue(body,
+                     new_resbody(s(:array).line(line),
+                                 resbody))).line line
+      else
+        s(:defn, name, args, body).line line
+      end
+
+    local_pop in_def
+    endless_method_name result
+
+    result.comments = self.comments.pop
+
+    result
+  end
+
+  def new_endless_defs val
+    (recv, (name, line, in_def)), args, _, body, _, resbody = val
+
+    result =
+      if resbody then
+        s(:defs, recv, name, args,
+          new_rescue(body,
+                     new_resbody(s(:array).line(line),
+                                 resbody))).line line
+      else
+        s(:defs, recv, name, args, body).line(line)
+      end
+
+    self.in_single -= 1
+    local_pop in_def
+    endless_method_name result
+
+    result.comments = self.comments.pop
+
+    result
+  end
+
   def new_defs val
     _, recv, (name, line), in_def, args, body, _ = val
 
@@ -1613,6 +1660,12 @@ module RubyParserStuff
 
   alias remove_whitespace_width whitespace_width
 
+  def wrap type, node
+    value, line = node
+    value = value.to_sym if value.respond_to? :to_sym
+    s(type, value).line line
+  end
+
   class Keyword
     include RubyLexer::State::Values
 

data/lib/brakeman/checks/check_sql.rb

@@ -405,7 +405,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     nil
   end
 
-  TO_STRING_METHODS = [:chomp, :to_s, :squish, :strip, :strip_heredoc]
+  TO_STRING_METHODS = [:chomp, :chop, :lstrip, :rstrip, :scrub, :squish, :strip,
+                       :strip_heredoc, :to_s, :tr]
 
   #Returns value if interpolated value is not something safe
   def unsafe_string_interp? exp
@@ -744,6 +745,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       date_target? exp.target
     else
      false
-    end 
+    end
   end
 end

data/lib/brakeman/checks/check_unsafe_reflection.rb

@@ -20,7 +20,7 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
   def check_unsafe_reflection result
     return unless original? result
 
-    call = result[:call] 
+    call = result[:call]
     method = call.method
 
     case method
@@ -37,7 +37,12 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
     end
 
     if confidence
-      message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
+      case method
+      when :constantize, :safe_constantize
+        message = msg("Unsafe reflection method ", msg_code(method), " called on ", msg_input(input))
+      else
+        message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
+      end
 
       warn :result => result,
         :warning_type => "Remote Code Execution",

data/lib/brakeman/processors/alias_processor.rb

@@ -404,7 +404,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   end
 
   def join_item item, join_value
-    if item.is_a? String
+    if item.nil? || item.is_a?(String)
       "#{item}#{join_value}"
     elsif string? item or symbol? item or number? item
       s(:str, "#{item.value}#{join_value}").line(item.line)
@@ -864,6 +864,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     elsif false? condition
       no_branch = true
       exps = [nil, exp.else_clause]
+    elsif equality_check? condition and condition.target == condition.first_arg
+      no_branch = true
+      exps = [exp.then_clause, nil]
     else
       no_branch = false
       exps = [exp.then_clause, exp.else_clause]
@@ -897,6 +900,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
             env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
             env.current[var] = previous_value
+          elsif i == 0 and equality_check? condition
+            # For conditions like a == b,
+            # set a to b inside the true branch
+            var = condition.target
+            previous_value = env.current[var]
+            env.current[var] = condition.first_arg
+            exp[branch_index] = process_if_branch branch
+            env.current[var] = previous_value
           elsif i == 1 and hash_or_array_include_all_literals? condition and early_return? branch
             var = condition.first_arg
             env.current[var] = safe_literal(var.line)
@@ -931,6 +942,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
   end
 
+  def equality_check? exp
+    call? exp and
+      exp.method == :==
+  end
+
   def simple_when? exp
     node_type? exp[1], :array and
       not node_type? exp[1][1], :splat, :array and

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.2.1"
+  Version = "5.2.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 5.2.1
+  version: 5.2.2
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-01-30 00:00:00.000000000 Z
+date: 2022-04-06 00:00:00.000000000 Z
 dependencies: []
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.
@@ -132,10 +132,10 @@ files:
 - bundle/ruby/2.7.0/gems/highline-2.0.3/lib/highline/terminal/unix_stty.rb
 - bundle/ruby/2.7.0/gems/highline-2.0.3/lib/highline/version.rb
 - bundle/ruby/2.7.0/gems/highline-2.0.3/lib/highline/wrapper.rb
-- bundle/ruby/2.7.0/gems/parallel-1.21.0/MIT-LICENSE.txt
-- bundle/ruby/2.7.0/gems/parallel-1.21.0/lib/parallel.rb
-- bundle/ruby/2.7.0/gems/parallel-1.21.0/lib/parallel/processor_count.rb
-- bundle/ruby/2.7.0/gems/parallel-1.21.0/lib/parallel/version.rb
+- bundle/ruby/2.7.0/gems/parallel-1.22.1/MIT-LICENSE.txt
+- bundle/ruby/2.7.0/gems/parallel-1.22.1/lib/parallel.rb
+- bundle/ruby/2.7.0/gems/parallel-1.22.1/lib/parallel/processor_count.rb
+- bundle/ruby/2.7.0/gems/parallel-1.22.1/lib/parallel/version.rb
 - bundle/ruby/2.7.0/gems/rexml-3.2.5/LICENSE.txt
 - bundle/ruby/2.7.0/gems/rexml-3.2.5/NEWS.md
 - bundle/ruby/2.7.0/gems/rexml-3.2.5/README.md
@@ -193,42 +193,44 @@ files:
 - bundle/ruby/2.7.0/gems/ruby2ruby-2.4.4/Manifest.txt
 - bundle/ruby/2.7.0/gems/ruby2ruby-2.4.4/README.rdoc
 - bundle/ruby/2.7.0/gems/ruby2ruby-2.4.4/lib/ruby2ruby.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/History.rdoc
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/Manifest.txt
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/README.rdoc
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/compare/normalize.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/debugging.md
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/gauntlet.md
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/rp_extensions.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/rp_stringscanner.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby20_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby20_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby21_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby21_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby22_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby22_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby23_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby23_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby24_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby24_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby25_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby25_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby26_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby26_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby27_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby27_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby30_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby30_parser.y
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby3_parser.yy
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby_lexer.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby_lexer.rex
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby_lexer.rex.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby_lexer_strings.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby_parser.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby_parser.yy
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/lib/ruby_parser_extras.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/tools/munge.rb
-- bundle/ruby/2.7.0/gems/ruby_parser-3.18.1/tools/ripper.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/History.rdoc
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/Manifest.txt
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/README.rdoc
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/compare/normalize.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/debugging.md
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/gauntlet.md
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/rp_extensions.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/rp_stringscanner.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby20_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby20_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby21_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby21_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby22_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby22_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby23_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby23_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby24_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby24_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby25_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby25_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby26_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby26_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby27_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby27_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby30_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby30_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby31_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby31_parser.y
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby3_parser.yy
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby_lexer.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby_lexer.rex
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby_lexer.rex.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby_lexer_strings.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby_parser.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby_parser.yy
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib/ruby_parser_extras.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/tools/munge.rb
+- bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/tools/ripper.rb
 - bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/History.rdoc
 - bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/Manifest.txt
 - bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/README.rdoc

data/bundle/ruby/2.7.0/gems/parallel-1.21.0/lib/parallel/version.rb

@@ -1,4 +0,0 @@
-# frozen_string_literal: true
-module Parallel
-  VERSION = Version = '1.21.0' # rubocop:disable Naming/ConstantName
-end