brakeman 5.2.2 → 5.3.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (153) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +17 -0
  3. data/bundle/load.rb +2 -2
  4. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/History.rdoc +6 -0
  5. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/Manifest.txt +0 -0
  6. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/README.rdoc +0 -0
  7. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/composite_sexp_processor.rb +0 -0
  8. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/pt_testcase.rb +7 -3
  9. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/sexp.rb +0 -0
  10. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/sexp_matcher.rb +0 -0
  11. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/sexp_processor.rb +1 -1
  12. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/strict_sexp.rb +0 -0
  13. data/bundle/ruby/2.7.0/gems/{sexp_processor-4.16.0 → sexp_processor-4.16.1}/lib/unique.rb +0 -0
  14. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/COPYING +0 -0
  15. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/asciidoc.rb +0 -0
  16. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/babel.rb +0 -0
  17. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/bluecloth.rb +0 -0
  18. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/builder.rb +0 -0
  19. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/coffee.rb +0 -0
  20. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/commonmarker.rb +11 -1
  21. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/creole.rb +0 -0
  22. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/csv.rb +1 -1
  23. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/dummy.rb +0 -0
  24. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/erb.rb +0 -0
  25. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/erubi.rb +0 -0
  26. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/erubis.rb +0 -0
  27. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/etanni.rb +0 -0
  28. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/haml.rb +0 -0
  29. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/kramdown.rb +0 -0
  30. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/less.rb +0 -0
  31. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/liquid.rb +0 -0
  32. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/livescript.rb +0 -0
  33. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/mapping.rb +0 -0
  34. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/markaby.rb +0 -0
  35. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/maruku.rb +0 -0
  36. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/nokogiri.rb +0 -0
  37. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/pandoc.rb +23 -15
  38. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/plain.rb +0 -0
  39. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/prawn.rb +0 -0
  40. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/radius.rb +0 -0
  41. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/rdiscount.rb +0 -0
  42. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/rdoc.rb +0 -0
  43. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/redcarpet.rb +5 -2
  44. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/redcloth.rb +0 -0
  45. data/bundle/ruby/2.7.0/gems/tilt-2.0.11/lib/tilt/rst-pandoc.rb +23 -0
  46. data/bundle/ruby/2.7.0/gems/tilt-2.0.11/lib/tilt/sass.rb +78 -0
  47. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/sigil.rb +0 -0
  48. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/string.rb +0 -0
  49. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/template.rb +12 -1
  50. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/typescript.rb +0 -0
  51. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/wikicloth.rb +0 -0
  52. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/yajl.rb +0 -0
  53. data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt.rb +2 -1
  54. data/lib/brakeman/app_tree.rb +9 -1
  55. data/lib/brakeman/checks/check_basic_auth.rb +4 -2
  56. data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +2 -1
  57. data/lib/brakeman/checks/check_content_tag.rb +8 -4
  58. data/lib/brakeman/checks/check_cookie_serialization.rb +2 -1
  59. data/lib/brakeman/checks/check_create_with.rb +4 -2
  60. data/lib/brakeman/checks/check_cross_site_scripting.rb +6 -3
  61. data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb +2 -1
  62. data/lib/brakeman/checks/check_default_routes.rb +6 -3
  63. data/lib/brakeman/checks/check_deserialize.rb +2 -1
  64. data/lib/brakeman/checks/check_detailed_exceptions.rb +4 -2
  65. data/lib/brakeman/checks/check_digest_dos.rb +2 -1
  66. data/lib/brakeman/checks/check_divide_by_zero.rb +2 -1
  67. data/lib/brakeman/checks/check_dynamic_finders.rb +2 -1
  68. data/lib/brakeman/checks/check_escape_function.rb +2 -1
  69. data/lib/brakeman/checks/check_evaluation.rb +2 -1
  70. data/lib/brakeman/checks/check_execute.rb +6 -3
  71. data/lib/brakeman/checks/check_file_access.rb +2 -1
  72. data/lib/brakeman/checks/check_file_disclosure.rb +2 -1
  73. data/lib/brakeman/checks/check_filter_skipping.rb +2 -1
  74. data/lib/brakeman/checks/check_force_ssl.rb +2 -1
  75. data/lib/brakeman/checks/check_forgery_setting.rb +4 -2
  76. data/lib/brakeman/checks/check_header_dos.rb +2 -1
  77. data/lib/brakeman/checks/check_i18n_xss.rb +2 -1
  78. data/lib/brakeman/checks/check_jruby_xml.rb +2 -1
  79. data/lib/brakeman/checks/check_json_encoding.rb +2 -1
  80. data/lib/brakeman/checks/check_json_entity_escape.rb +4 -2
  81. data/lib/brakeman/checks/check_json_parsing.rb +4 -2
  82. data/lib/brakeman/checks/check_link_to.rb +2 -1
  83. data/lib/brakeman/checks/check_link_to_href.rb +4 -2
  84. data/lib/brakeman/checks/check_mail_to.rb +2 -1
  85. data/lib/brakeman/checks/check_mass_assignment.rb +6 -3
  86. data/lib/brakeman/checks/check_mime_type_dos.rb +2 -1
  87. data/lib/brakeman/checks/check_model_attr_accessible.rb +2 -1
  88. data/lib/brakeman/checks/check_model_attributes.rb +4 -2
  89. data/lib/brakeman/checks/check_model_serialize.rb +2 -1
  90. data/lib/brakeman/checks/check_nested_attributes.rb +2 -1
  91. data/lib/brakeman/checks/check_nested_attributes_bypass.rb +2 -1
  92. data/lib/brakeman/checks/check_number_to_currency.rb +4 -2
  93. data/lib/brakeman/checks/check_page_caching_cve.rb +2 -1
  94. data/lib/brakeman/checks/check_permit_attributes.rb +2 -1
  95. data/lib/brakeman/checks/check_quote_table_name.rb +2 -1
  96. data/lib/brakeman/checks/check_redirect.rb +2 -1
  97. data/lib/brakeman/checks/check_regex_dos.rb +2 -1
  98. data/lib/brakeman/checks/check_render.rb +4 -2
  99. data/lib/brakeman/checks/check_render_dos.rb +2 -1
  100. data/lib/brakeman/checks/check_render_inline.rb +4 -2
  101. data/lib/brakeman/checks/check_response_splitting.rb +2 -1
  102. data/lib/brakeman/checks/check_reverse_tabnabbing.rb +2 -1
  103. data/lib/brakeman/checks/check_route_dos.rb +2 -1
  104. data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +2 -1
  105. data/lib/brakeman/checks/check_sanitize_config_cve.rb +120 -0
  106. data/lib/brakeman/checks/check_sanitize_methods.rb +6 -3
  107. data/lib/brakeman/checks/check_secrets.rb +2 -1
  108. data/lib/brakeman/checks/check_select_tag.rb +2 -1
  109. data/lib/brakeman/checks/check_select_vulnerability.rb +2 -1
  110. data/lib/brakeman/checks/check_send.rb +2 -1
  111. data/lib/brakeman/checks/check_session_manipulation.rb +2 -1
  112. data/lib/brakeman/checks/check_session_settings.rb +6 -3
  113. data/lib/brakeman/checks/check_simple_format.rb +4 -2
  114. data/lib/brakeman/checks/check_single_quotes.rb +2 -1
  115. data/lib/brakeman/checks/check_skip_before_filter.rb +4 -2
  116. data/lib/brakeman/checks/check_sprockets_path_traversal.rb +2 -1
  117. data/lib/brakeman/checks/check_sql.rb +4 -2
  118. data/lib/brakeman/checks/check_sql_cves.rb +4 -2
  119. data/lib/brakeman/checks/check_ssl_verify.rb +2 -1
  120. data/lib/brakeman/checks/check_strip_tags.rb +6 -3
  121. data/lib/brakeman/checks/check_symbol_dos.rb +2 -1
  122. data/lib/brakeman/checks/check_symbol_dos_cve.rb +2 -1
  123. data/lib/brakeman/checks/check_template_injection.rb +2 -1
  124. data/lib/brakeman/checks/check_translate_bug.rb +2 -1
  125. data/lib/brakeman/checks/check_unsafe_reflection.rb +2 -1
  126. data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +2 -1
  127. data/lib/brakeman/checks/check_unscoped_find.rb +2 -1
  128. data/lib/brakeman/checks/check_validation_regex.rb +2 -1
  129. data/lib/brakeman/checks/check_verb_confusion.rb +2 -1
  130. data/lib/brakeman/checks/check_weak_hash.rb +6 -3
  131. data/lib/brakeman/checks/check_without_protection.rb +2 -1
  132. data/lib/brakeman/checks/check_xml_dos.rb +2 -1
  133. data/lib/brakeman/checks/check_yaml_parsing.rb +4 -2
  134. data/lib/brakeman/checks/eol_check.rb +4 -2
  135. data/lib/brakeman/options.rb +1 -1
  136. data/lib/brakeman/processors/alias_processor.rb +24 -1
  137. data/lib/brakeman/processors/lib/find_all_calls.rb +1 -0
  138. data/lib/brakeman/report/ignore/interactive.rb +2 -2
  139. data/lib/brakeman/report/report_csv.rb +2 -0
  140. data/lib/brakeman/report/report_junit.rb +2 -2
  141. data/lib/brakeman/report/report_table.rb +5 -5
  142. data/lib/brakeman/report/report_text.rb +2 -0
  143. data/lib/brakeman/report/templates/controller_warnings.html.erb +2 -0
  144. data/lib/brakeman/report/templates/ignored_warnings.html.erb +2 -0
  145. data/lib/brakeman/report/templates/model_warnings.html.erb +2 -0
  146. data/lib/brakeman/report/templates/security_warnings.html.erb +2 -0
  147. data/lib/brakeman/report/templates/view_warnings.html.erb +2 -0
  148. data/lib/brakeman/version.rb +1 -1
  149. data/lib/brakeman/warning.rb +5 -2
  150. data/lib/brakeman/warning_codes.rb +1 -0
  151. metadata +53 -52
  152. data/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib/tilt/rst-pandoc.rb +0 -18
  153. data/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib/tilt/sass.rb +0 -52
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7673373d923b1d6b2e4c2158a94681d01de5e5c8eb29561795c9fbe8bd879f6b
4
- data.tar.gz: 44e5c623eb5fd6fe62ec7d0956a32cee82082a2c5983012ff7c172b10c6dc79a
3
+ metadata.gz: 828d560cb256d564c8e79fc7222e7c7edea911639a6c4b45699901371d0c750b
4
+ data.tar.gz: c9e8791df7f77b1e6a8d3bfe9cf0f5b753325171021fdafac3531f96edd3b7e1
5
5
  SHA512:
6
- metadata.gz: 2e3132eaffeb28f50ab40afda87c7a1f2b209044c71614bd6d68f55632479a148e08ac4dc995f370b75de352c896711ed09698056fa763b3449d2776e2ba2fb3
7
- data.tar.gz: 31e069689731927b3f096fd39cb0f1f4bf9c7269e7af4487eed12b34e3a7711de77b353423975b3625f5883c4a3b4c5f9785ddf44ca4d4367007b9d44ee51205
6
+ metadata.gz: 8d29d985cdba9407830c4881372dc4c8ba4cd635c1c48c6cfb16c6fc6b0ef7993816460af301cdf5ca51b096bfdf30699286d6d9fffaae79fff042160b481a87
7
+ data.tar.gz: 5d1824dba9dfd9661eccc7ed2a2bb9d2fd1c8d80e131bf0f97ab31cebc738f920682fe7204a8b84ee49c884c8730c2425ef20bd15f2b53c3ada1a2332d75779e
data/CHANGES.md CHANGED
@@ -1,3 +1,20 @@
1
+ # 5.3.1 - 2022-08-09
2
+
3
+ * Fix version range for CVE-2022-32209
4
+
5
+ # 5.3.0 - 2022-08-09
6
+
7
+ * Include explicit engine or lib paths in vendor/ (Joe Rafaniello)
8
+ * Load rexml as a Brakeman dependency
9
+ * Fix "full call" information propagating unnecessarily
10
+ * Add check for CVE-2022-32209
11
+ * Add CWE information to warnings (Stephen Aghaulor)
12
+
13
+ # 5.2.3 - 2022-05-01
14
+
15
+ * Fix error with hash shorthand syntax
16
+ * Match order of interactive options with help message (Rory O'Kane)
17
+
1
18
  # 5.2.2 - 2022-04-06
2
19
 
3
20
  * Update `ruby_parser` for Ruby 3.1 support (Merek Skubela)
data/bundle/load.rb CHANGED
@@ -1,8 +1,6 @@
1
1
  path = File.expand_path('../..', __FILE__)
2
2
  $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib"
3
3
  $:.unshift "#{path}/bundle/ruby/2.7.0/gems/temple-0.8.2/lib"
4
- $:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.16.0/lib"
5
- $:.unshift "#{path}/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib"
6
4
  $:.unshift "#{path}/bundle/ruby/2.7.0/gems/unicode-display_width-1.8.0/lib"
7
5
  $:.unshift "#{path}/bundle/ruby/2.7.0/gems/slim-4.1.0/lib"
8
6
  $:.unshift "#{path}/bundle/ruby/2.7.0/gems/highline-2.0.3/lib"
@@ -10,6 +8,8 @@ $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby2ruby-2.4.4/lib"
10
8
  $:.unshift "#{path}/bundle/ruby/2.7.0/gems/terminal-table-1.8.0/lib"
11
9
  $:.unshift "#{path}/bundle/ruby/2.7.0/gems/haml-5.2.2/lib"
12
10
  $:.unshift "#{path}/bundle/ruby/2.7.0/gems/parallel-1.22.1/lib"
11
+ $:.unshift "#{path}/bundle/ruby/2.7.0/gems/tilt-2.0.11/lib"
12
+ $:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.16.1/lib"
13
13
  $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/lib"
14
14
  $:.unshift "#{path}/bundle/ruby/2.7.0/gems/erubis-2.7.0/lib"
15
15
  $:.unshift "#{path}/bundle/ruby/2.7.0/gems/rexml-3.2.5/lib"
@@ -1,3 +1,9 @@
1
+ === 4.16.1 / 2022-04-09
2
+
3
+ * 1 minor enhancement:
4
+
5
+ * Reworked ParseTreeTestCase's notion of versions to make it easier to extend.
6
+
1
7
  === 4.16.0 / 2021-10-27
2
8
 
3
9
  * 4 minor enhancements:
@@ -34,6 +34,12 @@ class Examples
34
34
  end
35
35
 
36
36
  class ParseTreeTestCase < Minitest::Test
37
+ all_versions = %w[18 19 20 21 22 23 24 25 26 27 30 31]
38
+ most_versions = all_versions.drop(1)
39
+
40
+ TEST_SUFFIX = "_#{most_versions.join "_"}"
41
+ VER_RE = /(#{Regexp.union(*all_versions)})/
42
+
37
43
  attr_accessor :processor # to be defined by subclass
38
44
 
39
45
  def setup
@@ -77,7 +83,7 @@ class ParseTreeTestCase < Minitest::Test
77
83
  end
78
84
 
79
85
  def self.add_19tests name, hash
80
- add_tests "#{name}__19_20_21_22_23_24_25_26_27_30", hash # HACK?
86
+ add_tests "#{name}_#{TEST_SUFFIX}", hash # HACK?
81
87
  end
82
88
 
83
89
  def self.add_19edgecases ruby, sexp, cases
@@ -102,8 +108,6 @@ class ParseTreeTestCase < Minitest::Test
102
108
  testcases[verbose][klass] = testcases[nonverbose][klass]
103
109
  end
104
110
 
105
- VER_RE = "(1[89]|2[01234567]|3[0])"
106
-
107
111
  def self.generate_test klass, node, data, input_name, output_name
108
112
  klass.send :define_method, "test_#{node}" do
109
113
  flunk "Processor is nil" if processor.nil?
@@ -34,7 +34,7 @@ require "sexp"
34
34
  class SexpProcessor
35
35
 
36
36
  # duh
37
- VERSION = "4.16.0"
37
+ VERSION = "4.16.1"
38
38
 
39
39
  ##
40
40
  # Automatically shifts off the Sexp type before handing the
@@ -9,21 +9,31 @@ module Tilt
9
9
  :smartypants => :SMART
10
10
  }
11
11
  PARSE_OPTIONS = [
12
+ :FOOTNOTES,
13
+ :LIBERAL_HTML_TAG,
12
14
  :SMART,
13
15
  :smartypants,
16
+ :STRIKETHROUGH_DOUBLE_TILDE,
17
+ :UNSAFE,
18
+ :VALIDATE_UTF8,
14
19
  ].freeze
15
20
  RENDER_OPTIONS = [
21
+ :FOOTNOTES,
22
+ :FULL_INFO_STRING,
16
23
  :GITHUB_PRE_LANG,
17
24
  :HARDBREAKS,
18
25
  :NOBREAKS,
19
- :SAFE,
26
+ :SAFE, # Removed in v0.18.0 (2018-10-17)
20
27
  :SOURCEPOS,
28
+ :TABLE_PREFER_STYLE_ATTRIBUTES,
29
+ :UNSAFE,
21
30
  ].freeze
22
31
  EXTENSIONS = [
23
32
  :autolink,
24
33
  :strikethrough,
25
34
  :table,
26
35
  :tagfilter,
36
+ :tasklist,
27
37
  ].freeze
28
38
 
29
39
  def extensions
@@ -50,7 +50,7 @@ module Tilt
50
50
 
51
51
  def precompiled_template(locals)
52
52
  <<-RUBY
53
- #{@outvar} = #{self.class.engine}.generate(#{options}) do |csv|
53
+ #{@outvar} = #{self.class.engine}.generate(**#{options}) do |csv|
54
54
  #{data}
55
55
  end
56
56
  RUBY
@@ -7,30 +7,38 @@ module Tilt
7
7
  class PandocTemplate < Template
8
8
  self.default_mime_type = 'text/html'
9
9
 
10
- def tilt_to_pandoc_mapping
11
- { :smartypants => :smart,
12
- :escape_html => { :f => 'markdown-raw_html' },
13
- :commonmark => { :f => 'commonmark' },
14
- :markdown_strict => { :f => 'markdown_strict' }
15
- }
16
- end
17
-
18
10
  # turn options hash into an array
19
11
  # Map tilt options to pandoc options
20
12
  # Replace hash keys with value true with symbol for key
21
13
  # Remove hash keys with value false
22
14
  # Leave other hash keys untouched
23
15
  def pandoc_options
24
- options.reduce([]) do |sum, (k,v)|
25
- case v
26
- when true
27
- sum << (tilt_to_pandoc_mapping[k] || k)
28
- when false
29
- sum
16
+ result = []
17
+ from = "markdown"
18
+ smart_extension = "-smart"
19
+ options.each do |k,v|
20
+ case k
21
+ when :smartypants
22
+ smart_extension = "+smart" if v
23
+ when :escape_html
24
+ from = "markdown-raw_html" if v
25
+ when :commonmark
26
+ from = "commonmark" if v
27
+ when :markdown_strict
28
+ from = "markdown_strict" if v
30
29
  else
31
- sum << { k => v }
30
+ case v
31
+ when true
32
+ result << k
33
+ when false
34
+ # do nothing
35
+ else
36
+ result << { k => v }
37
+ end
32
38
  end
33
39
  end
40
+ result << { :f => from + smart_extension }
41
+ result
34
42
  end
35
43
 
36
44
  def prepare
@@ -75,9 +75,12 @@ module Tilt
75
75
  end
76
76
 
77
77
  if defined? ::Redcarpet::Render and defined? ::Redcarpet::Markdown
78
- RedcarpetTemplate = Redcarpet2Template
78
+ superclass = Redcarpet2Template
79
79
  else
80
- RedcarpetTemplate = Redcarpet1Template
80
+ superclass = Redcarpet1Template
81
+ end
82
+
83
+ class RedcarpetTemplate < superclass
81
84
  end
82
85
  end
83
86
 
@@ -0,0 +1,23 @@
1
+ require 'tilt/template'
2
+ require 'pandoc'
3
+
4
+ module Tilt
5
+ # Pandoc reStructuredText implementation. See:
6
+ # http://pandoc.org/
7
+ class RstPandocTemplate < PandocTemplate
8
+ self.default_mime_type = 'text/html'
9
+
10
+ def prepare
11
+ @engine = PandocRuby.new(data, :f => "rst")
12
+ @output = nil
13
+ end
14
+
15
+ def evaluate(scope, locals, &block)
16
+ @output ||= @engine.to_html.strip
17
+ end
18
+
19
+ def allows_script?
20
+ false
21
+ end
22
+ end
23
+ end
@@ -0,0 +1,78 @@
1
+ require 'tilt/template'
2
+
3
+ module Tilt
4
+ # Sass template implementation. See:
5
+ # http://haml.hamptoncatlin.com/
6
+ #
7
+ # Sass templates do not support object scopes, locals, or yield.
8
+ class SassTemplate < Template
9
+ self.default_mime_type = 'text/css'
10
+
11
+ begin
12
+ require 'sass-embedded'
13
+ require 'uri'
14
+ Engine = nil
15
+ rescue LoadError => err
16
+ begin
17
+ require 'sassc'
18
+ Engine = ::SassC::Engine
19
+ rescue LoadError
20
+ begin
21
+ require 'sass'
22
+ Engine = ::Sass::Engine
23
+ rescue LoadError
24
+ raise err
25
+ end
26
+ end
27
+ end
28
+
29
+ def prepare
30
+ @engine = unless Engine.nil?
31
+ Engine.new(data, sass_options)
32
+ end
33
+ end
34
+
35
+ def evaluate(scope, locals, &block)
36
+ @output ||= if @engine.nil?
37
+ ::Sass.compile_string(data, **sass_embedded_options).css
38
+ else
39
+ @engine.render
40
+ end
41
+ end
42
+
43
+ def allows_script?
44
+ false
45
+ end
46
+
47
+ private
48
+ def eval_file_url
49
+ path = File.absolute_path(eval_file)
50
+ path = '/' + path unless path.start_with?('/')
51
+ ::URI::File.build([nil, ::URI::DEFAULT_PARSER.escape(path)]).to_s
52
+ end
53
+
54
+ def sass_embedded_options
55
+ options.merge(:url => eval_file_url, :syntax => :indented)
56
+ end
57
+
58
+ def sass_options
59
+ options.merge(:filename => eval_file, :line => line, :syntax => :sass)
60
+ end
61
+ end
62
+
63
+ # Sass's new .scss type template implementation.
64
+ class ScssTemplate < SassTemplate
65
+ self.default_mime_type = 'text/css'
66
+
67
+ private
68
+ def sass_embedded_options
69
+ options.merge(:url => eval_file_url, :syntax => :scss)
70
+ end
71
+
72
+ def sass_options
73
+ options.merge(:filename => eval_file, :line => line, :syntax => :scss)
74
+ end
75
+ end
76
+
77
+ end
78
+
@@ -157,6 +157,8 @@ module Tilt
157
157
  raise NotImplementedError
158
158
  end
159
159
 
160
+ CLASS_METHOD = Kernel.instance_method(:class)
161
+
160
162
  # Execute the compiled template and return the result string. Template
161
163
  # evaluation is guaranteed to be performed in the scope object with the
162
164
  # locals specified and with support for yielding to the block.
@@ -166,7 +168,16 @@ module Tilt
166
168
  def evaluate(scope, locals, &block)
167
169
  locals_keys = locals.keys
168
170
  locals_keys.sort!{|x, y| x.to_s <=> y.to_s}
169
- method = compiled_method(locals_keys, scope.is_a?(Module) ? scope : scope.class)
171
+ case scope
172
+ when Object
173
+ method = compiled_method(locals_keys, Module === scope ? scope : scope.class)
174
+ else
175
+ if RUBY_VERSION >= '2'
176
+ method = compiled_method(locals_keys, CLASS_METHOD.bind(scope).call)
177
+ else
178
+ method = compiled_method(locals_keys, Object)
179
+ end
180
+ end
170
181
  method.bind(scope).call(locals, &block)
171
182
  end
172
183
 
@@ -4,7 +4,7 @@ require 'tilt/template'
4
4
  # Namespace for Tilt. This module is not intended to be included anywhere.
5
5
  module Tilt
6
6
  # Current version.
7
- VERSION = '2.0.10'
7
+ VERSION = '2.0.11'
8
8
 
9
9
  @default_mapping = Mapping.new
10
10
 
@@ -161,6 +161,7 @@ module Tilt
161
161
  register_lazy 'Slim::Template', 'slim', 'slim'
162
162
  register_lazy 'Tilt::HandlebarsTemplate', 'tilt/handlebars', 'handlebars', 'hbs'
163
163
  register_lazy 'Tilt::OrgTemplate', 'org-ruby', 'org'
164
+ register_lazy 'Tilt::EmacsOrgTemplate', 'tilt/emacs_org', 'org'
164
165
  register_lazy 'Opal::Processor', 'opal', 'opal', 'rb'
165
166
  register_lazy 'Tilt::JbuilderTemplate', 'tilt/jbuilder', 'jbuilder'
166
167
  end
@@ -205,7 +205,7 @@ module Brakeman
205
205
  paths.reject do |path|
206
206
  relative_path = path.relative
207
207
 
208
- if @skip_vendor and relative_path.include? 'vendor/'
208
+ if @skip_vendor and relative_path.include? 'vendor/' and !in_engine_paths?(path) and !in_add_libs_paths?(path)
209
209
  true
210
210
  else
211
211
  EXCLUDED_PATHS.any? do |excluded|
@@ -215,6 +215,14 @@ module Brakeman
215
215
  end
216
216
  end
217
217
 
218
+ def in_engine_paths?(path)
219
+ @engine_paths.any? { |p| path.absolute.include?(p) }
220
+ end
221
+
222
+ def in_add_libs_paths?(path)
223
+ @additional_libs_path.any? { |p| path.absolute.include?(p) }
224
+ end
225
+
218
226
  def match_path files, path
219
227
  absolute_path = Pathname.new(path)
220
228
  # relative root never has a leading separator. But, we use a leading
@@ -31,7 +31,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
31
31
  :message => "Basic authentication password stored in source code",
32
32
  :code => call,
33
33
  :confidence => :high,
34
- :file => controller.file
34
+ :file => controller.file,
35
+ :cwe_id => [259]
35
36
  break
36
37
  end
37
38
  end
@@ -50,7 +51,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
50
51
  :warning_type => "Basic Auth",
51
52
  :warning_code => :basic_auth_password,
52
53
  :message => "Basic authentication password stored in source code",
53
- :confidence => :high
54
+ :confidence => :high,
55
+ :cwe_id => [259]
54
56
  end
55
57
  end
56
58
  end
@@ -27,7 +27,8 @@ class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
27
27
  :warning_code => :CVE_2015_7576,
28
28
  :message => msg("Basic authentication in ", msg_version(rails_version), " is vulnerable to timing attacks. Upgrade to ", msg_version(@upgrade)),
29
29
  :confidence => :high,
30
- :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
30
+ :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ",
31
+ :cwe_id => [1254]
31
32
  end
32
33
  end
33
34
  end
@@ -117,7 +117,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
117
117
  :message => message,
118
118
  :user_input => input,
119
119
  :confidence => :high,
120
- :link_path => "content_tag"
120
+ :link_path => "content_tag",
121
+ :cwe_id => [79]
121
122
 
122
123
  elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
123
124
  unless IGNORE_MODEL_METHODS.include? match.method
@@ -135,7 +136,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
135
136
  :message => msg("Unescaped model attribute in ", msg_code("content_tag")),
136
137
  :user_input => match,
137
138
  :confidence => confidence,
138
- :link_path => "content_tag"
139
+ :link_path => "content_tag",
140
+ :cwe_id => [79]
139
141
  end
140
142
 
141
143
  elsif @matched
@@ -151,7 +153,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
151
153
  :message => message,
152
154
  :user_input => @matched,
153
155
  :confidence => :medium,
154
- :link_path => "content_tag"
156
+ :link_path => "content_tag",
157
+ :cwe_id => [79]
155
158
  end
156
159
  end
157
160
 
@@ -195,7 +198,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
195
198
  :message => msg(msg_version(rails_version), " ", msg_code("content_tag"), " does not escape double quotes in attribute values ", msg_cve("CVE-2016-6316"), ". Upgrade to ", msg_version(fix_version)),
196
199
  :confidence => confidence,
197
200
  :gem_info => gemfile_or_environment,
198
- :link_path => "https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ"
201
+ :link_path => "https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ",
202
+ :cwe_id => [79]
199
203
  end
200
204
  end
201
205
 
@@ -15,7 +15,8 @@ class Brakeman::CheckCookieSerialization < Brakeman::BaseCheck
15
15
  :warning_code => :unsafe_cookie_serialization,
16
16
  :message => msg("Use of unsafe cookie serialization strategy ", msg_code(setting.value.inspect), " might lead to remote code execution"),
17
17
  :confidence => :medium,
18
- :link_path => "unsafe_deserialization"
18
+ :link_path => "unsafe_deserialization",
19
+ :cwe_id => [565, 502]
19
20
  end
20
21
  end
21
22
  end
@@ -39,7 +39,8 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
39
39
  :result => result,
40
40
  :message => @message,
41
41
  :confidence => confidence,
42
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
42
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ",
43
+ :cwe_id => [915]
43
44
  end
44
45
  end
45
46
 
@@ -69,6 +70,7 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
69
70
  :message => @message,
70
71
  :gem_info => gemfile_or_environment,
71
72
  :confidence => :medium,
72
- :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
73
+ :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ",
74
+ :cwe_id => [915]
73
75
  end
74
76
  end
@@ -82,7 +82,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
82
82
  :warning_code => :cross_site_scripting,
83
83
  :message => message,
84
84
  :code => input.match,
85
- :confidence => :high
85
+ :confidence => :high,
86
+ :cwe_id => [79]
86
87
 
87
88
  elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
88
89
  method = if call? match
@@ -116,7 +117,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
116
117
  :message => message,
117
118
  :code => match,
118
119
  :confidence => confidence,
119
- :link_path => link_path
120
+ :link_path => link_path,
121
+ :cwe_id => [79]
120
122
  end
121
123
 
122
124
  else
@@ -200,7 +202,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
200
202
  :code => exp,
201
203
  :user_input => @matched,
202
204
  :confidence => confidence,
203
- :link_path => link_path
205
+ :link_path => link_path,
206
+ :cwe_id => [79]
204
207
  end
205
208
  end
206
209
 
@@ -21,7 +21,8 @@ class Brakeman::CheckCSRFTokenForgeryCVE < Brakeman::BaseCheck
21
21
  :message => msg(msg_version(rails_version), " has a vulnerability that may allow CSRF token forgery. Upgrade to ", msg_version(fix_version), " or patch"),
22
22
  :confidence => :medium,
23
23
  :gem_info => gemfile_or_environment,
24
- :link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"
24
+ :link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw",
25
+ :cwe_id => [352]
25
26
  end
26
27
  end
27
28
  end