brakeman 6.0.1 → 6.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3bfe97a2a21052a6b89113eba0488d389790be712085e953b0661bfdad31f5ea
-  data.tar.gz: 9155ab4eb06b34c7e8294a63bc1878f4e754087f4c7eebc10ff0232f9b62ad14
+  metadata.gz: 52bfaf604bda47973161eb7bb9fd6d1dd2aa7e4d280561b282e68d41e738856d
+  data.tar.gz: 80718f17fda4fb4b405a238f54476e5d400aa8e8af15e4a4527860f3a4fb15dc
 SHA512:
-  metadata.gz: 67f98784f2eff71cde186b940d6c7bae38495529d1f3882eee6f92103b9c44fb06caa62dd5e6ed2cfaab82b01e7a1c41b951b2529fd4b04e54e6c2ca89a65a91
-  data.tar.gz: a35a4a539a877bdf2eb2150ef4556d31f995be90ce23a2b2d9697ffae41bb2ec2d7fefbfcb853c10897849f554d87b6c03e9a24265fd965158815df8f445a79b
+  metadata.gz: 619b6e399bc20989df267e7d3485ba785507aa3a7e459708abf0ba9922ef073ab056946e569228b30d6edba620231de3b337b414ca5102922d479a12c4bf93b8
+  data.tar.gz: ff2f0f6a6df45abe51acbb304c525276a285235054c498d06967331ffc586980f1ec2d98b00ffc5bbaaaf808d0dfb36fdc7ba90ed621c3088a6871f2195b120a

data/CHANGES.md

@@ -1,3 +1,12 @@
+# 6.1.0 - 2023-12-04
+
+* Add `--timing` to add timing duration for scan steps
+* Fix keyword splats in filter arguments
+* Add check for unfiltered search with Ransack
+* Fix class method lookup in parent classes
+* Handle `class << self`
+* Add `PG::Connection.escape_string` as a SQL sanitization method (Joévin Soulenq)
+
 # 6.0.1 - 2023-07-20
 
 * Accept strings for `load_defaults` version

data/bundle/load.rb

@@ -3,7 +3,7 @@ $:.unshift "#{path}/bundle/ruby/3.1.0/gems/erubis-2.7.0/lib"
 $:.unshift "#{path}/bundle/ruby/3.1.0/gems/haml-5.2.2/lib"
 $:.unshift "#{path}/bundle/ruby/3.1.0/gems/highline-2.1.0/lib"
 $:.unshift "#{path}/bundle/ruby/3.1.0/gems/parallel-1.23.0/lib"
-$:.unshift "#{path}/bundle/ruby/3.1.0/gems/rexml-3.2.5/lib"
+$:.unshift "#{path}/bundle/ruby/3.1.0/gems/rexml-3.2.6/lib"
 $:.unshift "#{path}/bundle/ruby/3.1.0/gems/ruby2ruby-2.4.4/lib"
 $:.unshift "#{path}/bundle/ruby/3.1.0/gems/ruby_parser-3.20.3/lib"
 $:.unshift "#{path}/bundle/ruby/3.1.0/gems/safe_yaml-1.0.5/lib"

data/bundle/ruby/3.1.0/gems/{rexml-3.2.5 → rexml-3.2.6}/NEWS.md

@@ -1,15 +1,113 @@
 # News
 
+## 3.2.6 - 2023-07-27 {#version-3-2-6}
+
+### Improvements
+
+  * Required Ruby 2.5 or later explicitly.
+    [GH-69][gh-69]
+    [Patch by Ivo Anjo]
+
+  * Added documentation for maintenance cycle.
+    [GH-71][gh-71]
+    [Patch by Ivo Anjo]
+
+  * Added tutorial.
+    [GH-77][gh-77]
+    [GH-78][gh-78]
+    [Patch by Burdette Lamar]
+
+  * Improved performance and memory usage.
+    [GH-94][gh-94]
+    [Patch by fatkodima]
+
+  * `REXML::Parsers::XPathParser#abbreviate`: Added support for
+    function arguments.
+    [GH-95][gh-95]
+    [Reported by pulver]
+
+  * `REXML::Parsers::XPathParser#abbreviate`: Added support for string
+    literal that contains double-quote.
+    [GH-96][gh-96]
+    [Patch by pulver]
+
+  * `REXML::Parsers::XPathParser#abbreviate`: Added missing `/` to
+    `:descendant_or_self/:self/:parent`.
+    [GH-97][gh-97]
+    [Reported by pulver]
+
+  * `REXML::Parsers::XPathParser#abbreviate`: Added support for more patterns.
+    [GH-97][gh-97]
+    [Reported by pulver]
+
+### Fixes
+
+  * Fixed a typo in NEWS.
+    [GH-72][gh-72]
+    [Patch by Spencer Goodman]
+
+  * Fixed a typo in NEWS.
+    [GH-75][gh-75]
+    [Patch by Andrew Bromwich]
+
+  * Fixed documents.
+    [GH-87][gh-87]
+    [Patch by Alexander Ilyin]
+
+  * Fixed a bug that `Attriute` convert `'` and `'` even when
+    `attribute_quote: :quote` is used.
+    [GH-92][gh-92]
+    [Reported by Edouard Brière]
+
+  * Fixed links in tutorial.
+    [GH-99][gh-99]
+    [Patch by gemmaro]
+
+
+### Thanks
+
+  * Ivo Anjo
+
+  * Spencer Goodman
+
+  * Andrew Bromwich
+
+  * Burdette Lamar
+
+  * Alexander Ilyin
+
+  * Edouard Brière
+
+  * fatkodima
+
+  * pulver
+
+  * gemmaro
+
+[gh-69]:https://github.com/ruby/rexml/issues/69
+[gh-71]:https://github.com/ruby/rexml/issues/71
+[gh-72]:https://github.com/ruby/rexml/issues/72
+[gh-75]:https://github.com/ruby/rexml/issues/75
+[gh-77]:https://github.com/ruby/rexml/issues/77
+[gh-87]:https://github.com/ruby/rexml/issues/87
+[gh-92]:https://github.com/ruby/rexml/issues/92
+[gh-94]:https://github.com/ruby/rexml/issues/94
+[gh-95]:https://github.com/ruby/rexml/issues/95
+[gh-96]:https://github.com/ruby/rexml/issues/96
+[gh-97]:https://github.com/ruby/rexml/issues/97
+[gh-98]:https://github.com/ruby/rexml/issues/98
+[gh-99]:https://github.com/ruby/rexml/issues/99
+
 ## 3.2.5 - 2021-04-05 {#version-3-2-5}
 
 ### Improvements
 
   * Add more validations to XPath parser.
 
-  * `require "rexml/docuemnt"` by default.
+  * `require "rexml/document"` by default.
     [GitHub#36][Patch by Koichi ITO]
 
-  * Don't add `#dcloe` method to core classes globally.
+  * Don't add `#dclone` method to core classes globally.
     [GitHub#37][Patch by Akira Matsuda]
 
   * Add more documentations.

data/bundle/ruby/3.1.0/gems/{rexml-3.2.5 → rexml-3.2.6}/README.md

@@ -6,7 +6,7 @@ REXML supports both tree and stream document parsing. Stream parsing is faster (
 
 ## API
 
-See the {API documentation}[https://ruby.github.io/rexml/]
+See the [API documentation](https://ruby.github.io/rexml/).
 
 ## Usage
 
@@ -33,6 +33,15 @@ doc = Document.new string
 
 So parsing a string is just as easy as parsing a file.
 
+## Support
+
+REXML support follows the same maintenance cycle as Ruby releases, as shown on <https://www.ruby-lang.org/en/downloads/branches/>.
+
+If you are running on an end-of-life Ruby, do not expect modern REXML releases to be compatible with it; in fact, it's recommended that you DO NOT use this gem, and instead use the REXML version that came bundled with your end-of-life Ruby version.
+
+The `required_ruby_version` on the gemspec is kept updated on a [best-effort basis](https://github.com/ruby/rexml/pull/70) by the community.
+Up to version 3.2.5, this information was not set. That version [is known broken with at least Ruby < 2.3](https://github.com/ruby/rexml/issues/69).
+
 ## Development
 
 After checking out the repo, run `rake test` to run the tests.

data/bundle/ruby/3.1.0/gems/{rexml-3.2.5 → rexml-3.2.6}/lib/rexml/attribute.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 require_relative "namespace"
 require_relative 'text'
 
@@ -13,9 +13,6 @@ module REXML
 
     # The element to which this attribute belongs
     attr_reader :element
-    # The normalized value of this attribute.  That is, the attribute with
-    # entities intact.
-    attr_writer :normalized
     PATTERN = /\s*(#{NAME_STR})\s*=\s*(["'])(.*?)\2/um
 
     NEEDS_A_SECOND_CHECK = /(<|&((#{Entity::NAME});|(#0*((?:\d+)|(?:x[a-fA-F0-9]+)));)?)/um
@@ -122,10 +119,13 @@ module REXML
     #  b = Attribute.new( "ns:x", "y" )
     #  b.to_string     # -> "ns:x='y'"
     def to_string
+      value = to_s
       if @element and @element.context and @element.context[:attribute_quote] == :quote
-        %Q^#@expanded_name="#{to_s().gsub(/"/, '&quot;')}"^
+        value = value.gsub('"', '&quot;') if value.include?('"')
+        %Q^#@expanded_name="#{value}"^
       else
-        "#@expanded_name='#{to_s().gsub(/'/, '&apos;')}'"
+        value = value.gsub("'", '&apos;') if value.include?("'")
+        "#@expanded_name='#{value}'"
       end
     end
 
@@ -141,7 +141,6 @@ module REXML
       return @normalized if @normalized
 
       @normalized = Text::normalize( @unnormalized, doctype )
-      @unnormalized = nil
       @normalized
     end
 
@@ -150,10 +149,16 @@ module REXML
     def value
       return @unnormalized if @unnormalized
       @unnormalized = Text::unnormalize( @normalized, doctype )
-      @normalized = nil
       @unnormalized
     end
 
+    # The normalized value of this attribute.  That is, the attribute with
+    # entities intact.
+    def normalized=(new_normalized)
+      @normalized = new_normalized
+      @unnormalized = nil
+    end
+
     # Returns a copy of this attribute
     def clone
       Attribute.new self
@@ -190,7 +195,7 @@ module REXML
     end
 
     def inspect
-      rv = ""
+      rv = +""
       write( rv )
       rv
     end

data/bundle/ruby/3.1.0/gems/{rexml-3.2.5 → rexml-3.2.6}/lib/rexml/document.rb

@@ -69,7 +69,7 @@ module REXML
     #   d.to_s # => "<root><foo>Foo</foo><bar>Bar</bar></root>"
     #
     # When argument +document+ is given, it must be an existing
-    # document object, whose context and attributes (but not chidren)
+    # document object, whose context and attributes (but not children)
     # are cloned into the new document:
     #
     #   d = REXML::Document.new(xml_string)

data/bundle/ruby/3.1.0/gems/{rexml-3.2.5 → rexml-3.2.6}/lib/rexml/element.rb

@@ -989,7 +989,7 @@ module REXML
     # :call-seq:
     #   has_text? -> true or false
     #
-    # Returns +true if the element has one or more text noded,
+    # Returns +true+ if the element has one or more text noded,
     # +false+ otherwise:
     #
     #   d = REXML::Document.new '<a><b/>text<c/></a>'
@@ -1006,7 +1006,7 @@ module REXML
     #   text(xpath = nil) -> text_string or nil
     #
     # Returns the text string from the first text node child
-    # in a specified element, if it exists, # +nil+ otherwise.
+    # in a specified element, if it exists, +nil+ otherwise.
     #
     # With no argument, returns the text from the first text node in +self+:
     #
@@ -1014,7 +1014,7 @@ module REXML
     #   d.root.text.class # => String
     #   d.root.text       # => "some text "
     #
-    # With argument +xpath+, returns text from the the first text node
+    # With argument +xpath+, returns text from the first text node
     # in the element that matches +xpath+:
     #
     #   d.root.text(1) # => "this is bold!"

data/bundle/ruby/3.1.0/gems/{rexml-3.2.5 → rexml-3.2.6}/lib/rexml/entity.rb

@@ -132,24 +132,34 @@ module REXML
     # then:
     #  doctype.entity('yada').value   #-> "nanoo bar nanoo"
     def value
-      if @value
-        matches = @value.scan(PEREFERENCE_RE)
-        rv = @value.clone
-        if @parent
-          sum = 0
-          matches.each do |entity_reference|
-            entity_value = @parent.entity( entity_reference[0] )
-            if sum + entity_value.bytesize > Security.entity_expansion_text_limit
-              raise "entity expansion has grown too large"
-            else
-              sum += entity_value.bytesize
-            end
-            rv.gsub!( /%#{entity_reference.join};/um, entity_value )
+      @resolved_value ||= resolve_value
+    end
+
+    def parent=(other)
+      @resolved_value = nil
+      super
+    end
+
+    private
+    def resolve_value
+      return nil if @value.nil?
+      return @value unless @value.match?(PEREFERENCE_RE)
+
+      matches = @value.scan(PEREFERENCE_RE)
+      rv = @value.clone
+      if @parent
+        sum = 0
+        matches.each do |entity_reference|
+          entity_value = @parent.entity( entity_reference[0] )
+          if sum + entity_value.bytesize > Security.entity_expansion_text_limit
+            raise "entity expansion has grown too large"
+          else
+            sum += entity_value.bytesize
           end
+          rv.gsub!( /%#{entity_reference.join};/um, entity_value )
         end
-        return rv
       end
-      nil
+      rv
     end
   end
 

data/bundle/ruby/3.1.0/gems/{rexml-3.2.5 → rexml-3.2.6}/lib/rexml/formatters/pretty.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 require_relative 'default'
 
 module REXML
@@ -58,7 +58,7 @@ module REXML
           skip = false
           if compact
             if node.children.inject(true) {|s,c| s & c.kind_of?(Text)}
-              string = ""
+              string = +""
               old_level = @level
               @level = 0
               node.children.each { |child| write( child, string ) }

data/bundle/ruby/3.1.0/gems/{rexml-3.2.5 → rexml-3.2.6}/lib/rexml/namespace.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 
 require_relative 'xmltokens'
 
@@ -10,13 +10,17 @@ module REXML
     # The expanded name of the object, valid if name is set
     attr_accessor :prefix
     include XMLTokens
+    NAME_WITHOUT_NAMESPACE = /\A#{NCNAME_STR}\z/
     NAMESPLIT = /^(?:(#{NCNAME_STR}):)?(#{NCNAME_STR})/u
 
     # Sets the name and the expanded name
     def name=( name )
       @expanded_name = name
-      case name
-      when NAMESPLIT
+      if name.match?(NAME_WITHOUT_NAMESPACE)
+        @prefix = ""
+        @namespace = ""
+        @name = name
+      elsif name =~ NAMESPLIT
         if $1
           @prefix = $1
         else
@@ -24,7 +28,7 @@ module REXML
           @namespace = ""
         end
         @name = $2
-      when ""
+      elsif name == ""
         @prefix = nil
         @namespace = nil
         @name = nil

data/bundle/ruby/3.1.0/gems/{rexml-3.2.5 → rexml-3.2.6}/lib/rexml/parsers/xpathparser.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: false
+
 require_relative '../namespace'
 require_relative '../xmltokens'
 
@@ -38,108 +39,143 @@ module REXML
         parsed
       end
 
-      def abbreviate( path )
-        path = path.kind_of?(String) ? parse( path ) : path
-        string = ""
-        document = false
-        while path.size > 0
-          op = path.shift
+      def abbreviate(path_or_parsed)
+        if path_or_parsed.kind_of?(String)
+          parsed = parse(path_or_parsed)
+        else
+          parsed = path_or_parsed
+        end
+        components = []
+        component = nil
+        while parsed.size > 0
+          op = parsed.shift
           case op
           when :node
+            component << "node()"
           when :attribute
-            string << "/" if string.size > 0
-            string << "@"
+            component = "@"
+            components << component
           when :child
-            string << "/" if string.size > 0
+            component = ""
+            components << component
           when :descendant_or_self
-            string << "/"
+            next_op = parsed[0]
+            if next_op == :node
+              parsed.shift
+              component = ""
+              components << component
+            else
+              component = "descendant-or-self::"
+              components << component
+            end
           when :self
-            string << "."
+            next_op = parsed[0]
+            if next_op == :node
+              parsed.shift
+              components << "."
+            else
+              component = "self::"
+              components << component
+            end
           when :parent
-            string << ".."
+            next_op = parsed[0]
+            if next_op == :node
+              parsed.shift
+              components << ".."
+            else
+              component = "parent::"
+              components << component
+            end
           when :any
-            string << "*"
+            component << "*"
           when :text
-            string << "text()"
+            component << "text()"
           when :following, :following_sibling,
                 :ancestor, :ancestor_or_self, :descendant,
                 :namespace, :preceding, :preceding_sibling
-            string << "/" unless string.size == 0
-            string << op.to_s.tr("_", "-")
-            string << "::"
+            component = op.to_s.tr("_", "-") << "::"
+            components << component
           when :qname
-            prefix = path.shift
-            name = path.shift
-            string << prefix+":" if prefix.size > 0
-            string << name
+            prefix = parsed.shift
+            name = parsed.shift
+            component << prefix+":" if prefix.size > 0
+            component << name
           when :predicate
-            string << '['
-            string << predicate_to_string( path.shift ) {|x| abbreviate( x ) }
-            string << ']'
+            component << '['
+            component << predicate_to_path(parsed.shift) {|x| abbreviate(x)}
+            component << ']'
           when :document
-            document = true
+            components << ""
           when :function
-            string << path.shift
-            string << "( "
-            string << predicate_to_string( path.shift[0] ) {|x| abbreviate( x )}
-            string << " )"
+            component << parsed.shift
+            component << "( "
+            component << predicate_to_path(parsed.shift[0]) {|x| abbreviate(x)}
+            component << " )"
           when :literal
-            string << %Q{ "#{path.shift}" }
+            component << quote_literal(parsed.shift)
           else
-            string << "/" unless string.size == 0
-            string << "UNKNOWN("
-            string << op.inspect
-            string << ")"
+            component << "UNKNOWN("
+            component << op.inspect
+            component << ")"
           end
         end
-        string = "/"+string if document
-        return string
+        case components
+        when [""]
+          "/"
+        when ["", ""]
+          "//"
+        else
+          components.join("/")
+        end
       end
 
-      def expand( path )
-        path = path.kind_of?(String) ? parse( path ) : path
-        string = ""
+      def expand(path_or_parsed)
+        if path_or_parsed.kind_of?(String)
+          parsed = parse(path_or_parsed)
+        else
+          parsed = path_or_parsed
+        end
+        path = ""
         document = false
-        while path.size > 0
-          op = path.shift
+        while parsed.size > 0
+          op = parsed.shift
           case op
           when :node
-            string << "node()"
+            path << "node()"
           when :attribute, :child, :following, :following_sibling,
                 :ancestor, :ancestor_or_self, :descendant, :descendant_or_self,
                 :namespace, :preceding, :preceding_sibling, :self, :parent
-            string << "/" unless string.size == 0
-            string << op.to_s.tr("_", "-")
-            string << "::"
+            path << "/" unless path.size == 0
+            path << op.to_s.tr("_", "-")
+            path << "::"
           when :any
-            string << "*"
+            path << "*"
           when :qname
-            prefix = path.shift
-            name = path.shift
-            string << prefix+":" if prefix.size > 0
-            string << name
+            prefix = parsed.shift
+            name = parsed.shift
+            path << prefix+":" if prefix.size > 0
+            path << name
           when :predicate
-            string << '['
-            string << predicate_to_string( path.shift ) { |x| expand(x) }
-            string << ']'
+            path << '['
+            path << predicate_to_path( parsed.shift ) { |x| expand(x) }
+            path << ']'
           when :document
             document = true
           else
-            string << "/" unless string.size == 0
-            string << "UNKNOWN("
-            string << op.inspect
-            string << ")"
+            path << "UNKNOWN("
+            path << op.inspect
+            path << ")"
           end
         end
-        string = "/"+string if document
-        return string
+        path = "/"+path if document
+        path
       end
 
-      def predicate_to_string( path, &block )
-        string = ""
-        case path[0]
+      def predicate_to_path(parsed, &block)
+        path = ""
+        case parsed[0]
         when :and, :or, :mult, :plus, :minus, :neq, :eq, :lt, :gt, :lteq, :gteq, :div, :mod, :union
-          op = path.shift
+          op = parsed.shift
           case op
           when :eq
             op = "="
@@ -156,36 +192,50 @@ module REXML
           when :union
             op = "|"
           end
-          left = predicate_to_string( path.shift, &block )
-          right = predicate_to_string( path.shift, &block )
-          string << " "
-          string << left
-          string << " "
-          string << op.to_s
-          string << " "
-          string << right
-          string << " "
+          left = predicate_to_path( parsed.shift, &block )
+          right = predicate_to_path( parsed.shift, &block )
+          path << left
+          path << " "
+          path << op.to_s
+          path << " "
+          path << right
         when :function
-          path.shift
-          name = path.shift
-          string << name
-          string << "( "
-          string << predicate_to_string( path.shift, &block )
-          string << " )"
+          parsed.shift
+          name = parsed.shift
+          path << name
+          path << "("
+          parsed.shift.each_with_index do |argument, i|
+            path << ", " if i > 0
+            path << predicate_to_path(argument, &block)
+          end
+          path << ")"
         when :literal
-          path.shift
-          string << " "
-          string << path.shift.inspect
-          string << " "
+          parsed.shift
+          path << quote_literal(parsed.shift)
         else
-          string << " "
-          string << yield( path )
-          string << " "
+          path << yield( parsed )
         end
-        return string.squeeze(" ")
+        return path.squeeze(" ")
       end
+      # For backward compatibility
+      alias_method :preciate_to_string, :predicate_to_path
 
       private
+      def quote_literal( literal )
+        case literal
+        when String
+          # XPath 1.0 does not support escape characters.
+          # Assumes literal does not contain both single and double quotes.
+          if literal.include?("'")
+            "\"#{literal}\""
+          else
+            "'#{literal}'"
+          end
+        else
+          literal.inspect
+        end
+      end
+
       #LocationPath
       #  | RelativeLocationPath
       #  | '/' RelativeLocationPath?