brakeman 5.2.3 → 5.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2ae08a71e19d6c694a9e567fda5793a56ab174d106f44b178f7e9f69c3057814
-  data.tar.gz: fd24750e512d528b3fd9cecb344f4788a58e1aa8ffd6b28ff7c88bc7f034a3e8
+  metadata.gz: 23126b274e6fc0d754bb60e87016e11f301cb93cccc20680cafa79ea6f3968f4
+  data.tar.gz: 566bf32bdaf947e7acaaaf9129b42b145e374032cce52f52bc6938033728c34d
 SHA512:
-  metadata.gz: e0e2d7fde5907d8158b21803876b0dd77e659ce8cae42c25e23021b46bd2c9d8c5d0dd13edff64f7fd721a8d1bca92af4a9fbbf2505e47c791557a3316c0f3d2
-  data.tar.gz: 38f894b42f893a6ce45db047f2d21c1529b63de0dd19e00a69475a72cbb4c2d9738f0f25edc60460d61607182d5a5c01ccbb77a6ae6eeae69ec4e88f9345a2e1
+  metadata.gz: 2a7c9bb4bfad73e2606cd8ac65876d5efd7d3152c55963810d177959ebf81ebeb376f39274a28181330557487e12f93a469e46647e449319b50a9a4a4030349b
+  data.tar.gz: 99b61b26fab1b6ff01abb2921a7cc1f39d6e226988541ff62087ef9de3b32f48b3a61d2f41b09716e6b991d0bc923fe0476a6dafc4580e6b41797cf9a2378aca

data/CHANGES.md

@@ -1,3 +1,11 @@
+# 5.3.0 - 2022-08-09
+
+* Include explicit engine or lib paths in vendor/ (Joe Rafaniello)
+* Load rexml as a Brakeman dependency
+* Fix "full call" information propagating unnecessarily
+* Add check for CVE-2022-32209
+* Add CWE information to warnings (Stephen Aghaulor)
+
 # 5.2.3 - 2022-05-01
 
 * Fix error with hash shorthand syntax

data/bundle/load.rb

@@ -1,7 +1,6 @@
 path = File.expand_path('../..', __FILE__)
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-3.19.1/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/temple-0.8.2/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/unicode-display_width-1.8.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/slim-4.1.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/highline-2.0.3/lib"
@@ -9,6 +8,7 @@ $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby2ruby-2.4.4/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/terminal-table-1.8.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/haml-5.2.2/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/parallel-1.22.1/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/tilt-2.0.11/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.16.1/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/erubis-2.7.0/lib"

data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/commonmarker.rb

@@ -9,21 +9,31 @@ module Tilt
       :smartypants => :SMART
     }
     PARSE_OPTIONS = [
+      :FOOTNOTES,
+      :LIBERAL_HTML_TAG,
       :SMART,
       :smartypants,
+      :STRIKETHROUGH_DOUBLE_TILDE,
+      :UNSAFE,
+      :VALIDATE_UTF8,
     ].freeze
     RENDER_OPTIONS = [
+      :FOOTNOTES,
+      :FULL_INFO_STRING,
       :GITHUB_PRE_LANG,
       :HARDBREAKS,
       :NOBREAKS,
-      :SAFE,
+      :SAFE, # Removed in v0.18.0 (2018-10-17)
       :SOURCEPOS,
+      :TABLE_PREFER_STYLE_ATTRIBUTES,
+      :UNSAFE,
     ].freeze
     EXTENSIONS = [
       :autolink,
       :strikethrough,
       :table,
       :tagfilter,
+      :tasklist,
     ].freeze
 
     def extensions

data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/csv.rb

@@ -50,7 +50,7 @@ module Tilt
 
     def precompiled_template(locals)
       <<-RUBY
-        #{@outvar} = #{self.class.engine}.generate(#{options}) do |csv|
+        #{@outvar} = #{self.class.engine}.generate(**#{options}) do |csv|
           #{data}
         end
       RUBY

data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/pandoc.rb

@@ -7,30 +7,38 @@ module Tilt
   class PandocTemplate < Template
     self.default_mime_type = 'text/html'
 
-    def tilt_to_pandoc_mapping
-      { :smartypants => :smart,
-        :escape_html => { :f => 'markdown-raw_html' },
-        :commonmark => { :f => 'commonmark' },
-        :markdown_strict => { :f => 'markdown_strict' }
-      }
-    end
-
     # turn options hash into an array
     # Map tilt options to pandoc options
     # Replace hash keys with value true with symbol for key
     # Remove hash keys with value false
     # Leave other hash keys untouched
     def pandoc_options
-      options.reduce([]) do |sum, (k,v)|
-        case v
-        when true
-          sum << (tilt_to_pandoc_mapping[k] || k)
-        when false
-          sum
+      result = []
+      from = "markdown"
+      smart_extension = "-smart"
+      options.each do |k,v|
+        case k
+        when :smartypants
+          smart_extension = "+smart" if v
+        when :escape_html
+          from = "markdown-raw_html" if v
+        when :commonmark
+          from = "commonmark" if v
+        when :markdown_strict
+          from = "markdown_strict" if v
         else
-          sum << { k => v }
+          case v
+          when true
+            result << k
+          when false
+            # do nothing
+          else
+            result << { k => v }
+          end
         end
       end
+      result << { :f => from + smart_extension }
+      result
     end
 
     def prepare

data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/redcarpet.rb

@@ -75,9 +75,12 @@ module Tilt
   end
 
   if defined? ::Redcarpet::Render and defined? ::Redcarpet::Markdown
-    RedcarpetTemplate = Redcarpet2Template
+    superclass = Redcarpet2Template
   else
-    RedcarpetTemplate = Redcarpet1Template
+    superclass = Redcarpet1Template
+  end
+
+  class RedcarpetTemplate < superclass
   end
 end
 

data/bundle/ruby/2.7.0/gems/tilt-2.0.11/lib/tilt/rst-pandoc.rb

@@ -0,0 +1,23 @@
+require 'tilt/template'
+require 'pandoc'
+
+module Tilt
+  # Pandoc reStructuredText implementation. See:
+  # http://pandoc.org/
+  class RstPandocTemplate < PandocTemplate
+    self.default_mime_type = 'text/html'
+
+    def prepare
+      @engine = PandocRuby.new(data, :f => "rst")
+      @output = nil
+    end
+
+    def evaluate(scope, locals, &block)
+      @output ||= @engine.to_html.strip
+    end
+
+    def allows_script?
+      false
+    end
+  end
+end

data/bundle/ruby/2.7.0/gems/tilt-2.0.11/lib/tilt/sass.rb

@@ -0,0 +1,78 @@
+require 'tilt/template'
+
+module Tilt
+  # Sass template implementation. See:
+  # http://haml.hamptoncatlin.com/
+  #
+  # Sass templates do not support object scopes, locals, or yield.
+  class SassTemplate < Template
+    self.default_mime_type = 'text/css'
+
+    begin
+      require 'sass-embedded'
+      require 'uri'
+      Engine = nil
+    rescue LoadError => err
+      begin
+        require 'sassc'
+        Engine = ::SassC::Engine
+      rescue LoadError
+        begin
+          require 'sass'
+          Engine = ::Sass::Engine
+        rescue LoadError
+          raise err
+        end
+      end
+    end
+
+    def prepare
+      @engine = unless Engine.nil?
+                  Engine.new(data, sass_options)
+                end
+    end
+
+    def evaluate(scope, locals, &block)
+      @output ||= if @engine.nil?
+                    ::Sass.compile_string(data, **sass_embedded_options).css
+                  else
+                    @engine.render
+                  end
+    end
+
+    def allows_script?
+      false
+    end
+
+  private
+    def eval_file_url
+      path = File.absolute_path(eval_file)
+      path = '/' + path unless path.start_with?('/')
+      ::URI::File.build([nil, ::URI::DEFAULT_PARSER.escape(path)]).to_s
+    end
+
+    def sass_embedded_options
+      options.merge(:url => eval_file_url, :syntax => :indented)
+    end
+
+    def sass_options
+      options.merge(:filename => eval_file, :line => line, :syntax => :sass)
+    end
+  end
+
+  # Sass's new .scss type template implementation.
+  class ScssTemplate < SassTemplate
+    self.default_mime_type = 'text/css'
+
+  private
+    def sass_embedded_options
+      options.merge(:url => eval_file_url, :syntax => :scss)
+    end
+
+    def sass_options
+      options.merge(:filename => eval_file, :line => line, :syntax => :scss)
+    end
+  end
+
+end
+

data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt/template.rb

@@ -157,6 +157,8 @@ module Tilt
       raise NotImplementedError
     end
 
+    CLASS_METHOD = Kernel.instance_method(:class)
+
     # Execute the compiled template and return the result string. Template
     # evaluation is guaranteed to be performed in the scope object with the
     # locals specified and with support for yielding to the block.
@@ -166,7 +168,16 @@ module Tilt
     def evaluate(scope, locals, &block)
       locals_keys = locals.keys
       locals_keys.sort!{|x, y| x.to_s <=> y.to_s}
-      method = compiled_method(locals_keys, scope.is_a?(Module) ? scope : scope.class)
+      case scope
+      when Object
+        method = compiled_method(locals_keys, Module === scope ? scope : scope.class)
+      else
+        if RUBY_VERSION >= '2'
+          method = compiled_method(locals_keys, CLASS_METHOD.bind(scope).call)
+        else
+          method = compiled_method(locals_keys, Object)
+        end
+      end
       method.bind(scope).call(locals, &block)
     end
 

data/bundle/ruby/2.7.0/gems/{tilt-2.0.10 → tilt-2.0.11}/lib/tilt.rb

@@ -4,7 +4,7 @@ require 'tilt/template'
 # Namespace for Tilt. This module is not intended to be included anywhere.
 module Tilt
   # Current version.
-  VERSION = '2.0.10'
+  VERSION = '2.0.11'
 
   @default_mapping = Mapping.new
 
@@ -161,6 +161,7 @@ module Tilt
   register_lazy 'Slim::Template',            'slim',            'slim'
   register_lazy 'Tilt::HandlebarsTemplate',  'tilt/handlebars', 'handlebars', 'hbs'
   register_lazy 'Tilt::OrgTemplate',         'org-ruby',        'org'
+  register_lazy 'Tilt::EmacsOrgTemplate',    'tilt/emacs_org',  'org'
   register_lazy 'Opal::Processor',           'opal',            'opal', 'rb'
   register_lazy 'Tilt::JbuilderTemplate',    'tilt/jbuilder',   'jbuilder'
 end

data/lib/brakeman/app_tree.rb

@@ -205,7 +205,7 @@ module Brakeman
       paths.reject do |path|
         relative_path = path.relative
 
-        if @skip_vendor and relative_path.include? 'vendor/'
+        if @skip_vendor and relative_path.include? 'vendor/' and !in_engine_paths?(path) and !in_add_libs_paths?(path)
           true
         else
           EXCLUDED_PATHS.any? do |excluded|
@@ -215,6 +215,14 @@ module Brakeman
       end
     end
 
+    def in_engine_paths?(path)
+      @engine_paths.any? { |p| path.absolute.include?(p) }
+    end
+
+    def in_add_libs_paths?(path)
+      @additional_libs_path.any? { |p| path.absolute.include?(p) }
+    end
+
     def match_path files, path
       absolute_path = Pathname.new(path)
       # relative root never has a leading separator. But, we use a leading

data/lib/brakeman/checks/check_basic_auth.rb

@@ -31,7 +31,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
               :message => "Basic authentication password stored in source code",
               :code => call,
               :confidence => :high,
-              :file => controller.file
+              :file => controller.file,
+              :cwe_id => [259]
           break
         end
       end
@@ -50,7 +51,8 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
               :warning_type => "Basic Auth",
               :warning_code => :basic_auth_password,
               :message => "Basic authentication password stored in source code",
-              :confidence => :high
+              :confidence => :high,
+              :cwe_id => [259]
       end
     end
   end

data/lib/brakeman/checks/check_basic_auth_timing_attack.rb

@@ -27,7 +27,8 @@ class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
         :warning_code => :CVE_2015_7576,
         :message => msg("Basic authentication in ", msg_version(rails_version), " is vulnerable to timing attacks. Upgrade to ", msg_version(@upgrade)),
         :confidence => :high,
-        :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
+        :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ",
+        :cwe_id => [1254]
     end
   end
 end

data/lib/brakeman/checks/check_content_tag.rb

@@ -117,7 +117,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
         :message => message,
         :user_input => input,
         :confidence => :high,
-        :link_path => "content_tag"
+        :link_path => "content_tag",
+        :cwe_id => [79]
 
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
       unless IGNORE_MODEL_METHODS.include? match.method
@@ -135,7 +136,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
           :message => msg("Unescaped model attribute in ", msg_code("content_tag")),
           :user_input => match,
           :confidence => confidence,
-          :link_path => "content_tag"
+          :link_path => "content_tag",
+          :cwe_id => [79]
       end
 
     elsif @matched
@@ -151,7 +153,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
         :message => message,
         :user_input => @matched,
         :confidence => :medium,
-        :link_path => "content_tag"
+        :link_path => "content_tag",
+        :cwe_id => [79]
     end
   end
 
@@ -195,7 +198,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
         :message => msg(msg_version(rails_version), " ", msg_code("content_tag"), " does not escape double quotes in attribute values ", msg_cve("CVE-2016-6316"), ". Upgrade to ", msg_version(fix_version)),
         :confidence => confidence,
         :gem_info => gemfile_or_environment,
-        :link_path => "https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ"
+        :link_path => "https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ",
+        :cwe_id => [79]
     end
   end
 

data/lib/brakeman/checks/check_cookie_serialization.rb

@@ -15,7 +15,8 @@ class Brakeman::CheckCookieSerialization < Brakeman::BaseCheck
           :warning_code => :unsafe_cookie_serialization,
           :message => msg("Use of unsafe cookie serialization strategy ", msg_code(setting.value.inspect), " might lead to remote code execution"),
           :confidence => :medium,
-          :link_path => "unsafe_deserialization"
+          :link_path => "unsafe_deserialization",
+          :cwe_id => [565, 502]
       end
     end
   end

data/lib/brakeman/checks/check_create_with.rb

@@ -39,7 +39,8 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
         :result => result,
         :message => @message,
         :confidence => confidence,
-        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ",
+        :cwe_id => [915]
     end
   end
 
@@ -69,6 +70,7 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
         :message => @message,
         :gem_info => gemfile_or_environment,
         :confidence => :medium,
-        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ",
+        :cwe_id => [915]
   end
 end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -82,7 +82,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         :warning_code => :cross_site_scripting,
         :message => message,
         :code => input.match,
-        :confidence => :high
+        :confidence => :high,
+        :cwe_id => [79]
 
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
       method = if call? match
@@ -116,7 +117,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
           :message => message,
           :code => match,
           :confidence => confidence,
-          :link_path => link_path
+          :link_path => link_path,
+          :cwe_id => [79]
       end
 
     else
@@ -200,7 +202,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
             :code => exp,
             :user_input => @matched,
             :confidence => confidence,
-            :link_path => link_path
+            :link_path => link_path,
+            :cwe_id => [79]
         end
       end
 

data/lib/brakeman/checks/check_csrf_token_forgery_cve.rb

@@ -21,7 +21,8 @@ class Brakeman::CheckCSRFTokenForgeryCVE < Brakeman::BaseCheck
         :message => msg(msg_version(rails_version), " has a vulnerability that may allow CSRF token forgery. Upgrade to ", msg_version(fix_version), " or patch"),
         :confidence => :medium,
         :gem_info => gemfile_or_environment,
-        :link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw"
+        :link => "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw",
+        :cwe_id => [352]
     end
   end
 end

data/lib/brakeman/checks/check_default_routes.rb

@@ -27,7 +27,8 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
         :message => msg("All public methods in controllers are available as actions in ", msg_file("routes.rb")),
         :line => tracker.routes[:allow_all_actions].line,
         :confidence => :high,
-        :file => "#{tracker.app_path}/config/routes.rb"
+        :file => "#{tracker.app_path}/config/routes.rb",
+        :cwe_id => [22]
     end
   end
 
@@ -49,7 +50,8 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
           :message => msg("Any public method in ", msg_code(name), " can be used as an action for ", msg_code(verb), " requests."),
           :line => actions[2],
           :confidence => :medium,
-          :file => "#{tracker.app_path}/config/routes.rb"
+          :file => "#{tracker.app_path}/config/routes.rb",
+          :cwe_id => [22]
       end
     end
   end
@@ -82,7 +84,8 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
       :message => msg(msg_version(rails_version), " with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to ", msg_version(upgrade)),
       :confidence => confidence,
       :file => "#{tracker.app_path}/config/routes.rb",
-      :link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"
+      :link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf",
+      :cwe_id => [22]
   end
 
   def allow_all_actions?

data/lib/brakeman/checks/check_deserialize.rb

@@ -87,7 +87,8 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
         :message => message,
         :user_input => input,
         :confidence => confidence,
-        :link_path => "unsafe_deserialization"
+        :link_path => "unsafe_deserialization",
+        :cwe_id => [502]
     end
   end
 

data/lib/brakeman/checks/check_detailed_exceptions.rb

@@ -19,7 +19,8 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
            :warning_code => :local_request_config,
            :message => "Detailed exceptions are enabled in production",
            :confidence => :high,
-           :file => "config/environments/production.rb"
+           :file => "config/environments/production.rb",
+           :cwe_id => [200]
     end
   end
 
@@ -42,7 +43,8 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
                :message => msg("Detailed exceptions may be enabled in ", msg_code("show_detailed_exceptions?")),
                :confidence => confidence,
                :code => src,
-               :file => definition[:file]
+               :file => definition[:file],
+               :cwe_id => [200]
         end
       end
     end

data/lib/brakeman/checks/check_digest_dos.rb

@@ -29,7 +29,8 @@ class Brakeman::CheckDigestDoS < Brakeman::BaseCheck
       :message => message,
       :confidence => confidence,
       :link_path => "https://groups.google.com/d/topic/rubyonrails-security/vxJjrc15qYM/discussion",
-      :gem_info => gemfile_or_environment
+      :gem_info => gemfile_or_environment,
+      :cwe_id => [287]
   end
 
   def with_http_digest?

data/lib/brakeman/checks/check_divide_by_zero.rb

@@ -36,7 +36,8 @@ class Brakeman::CheckDivideByZero < Brakeman::BaseCheck
         :warning_code => :divide_by_zero,
         :message => "Potential division by zero",
         :confidence => confidence,
-        :user_input => denominator
+        :user_input => denominator,
+        :cwe_id => [369]
     end
   end
 end