RubyGems - brakeman - Versions diffs - 6.0.1 → 6.1.0 - Mend

brakeman 6.0.1 → 6.1.0

Files changed (68) hide show

data/bundle/ruby/3.1.0/gems/{rexml-3.2.5 → rexml-3.2.6}/lib/rexml/rexml.rb RENAMED Viewed

@@ -26,10 +26,12 @@
 # - REXML::Document.
 # - REXML::Element.
 #
+# There's also an {REXML tutorial}[doc/rexml/tutorial_rdoc.html].
+#
 module REXML
   COPYRIGHT = "Copyright © 2001-2008 Sean Russell <ser@germane-software.com>"
   DATE = "2008/019"
-  VERSION = "3.2.5"
+  VERSION = "3.2.6"
   REVISION = ""
   Copyright = COPYRIGHT

data/bundle/ruby/3.1.0/gems/{rexml-3.2.5 → rexml-3.2.6}/lib/rexml/text.rb RENAMED Viewed

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 require_relative 'security'
 require_relative 'entity'
 require_relative 'doctype'
@@ -131,7 +131,7 @@ module REXML
     def Text.check string, pattern, doctype
       # illegal anywhere
-      if string !~ VALID_XML_CHARS
+      if !string.match?(VALID_XML_CHARS)
         if String.method_defined? :encode
           string.chars.each do |c|
             case c.ord
@@ -371,7 +371,7 @@ module REXML
       copy = input.to_s
       # Doing it like this rather than in a loop improves the speed
       #copy = copy.gsub( EREFERENCE, '&amp;' )
-      copy = copy.gsub( "&", "&amp;" )
+      copy = copy.gsub( "&", "&amp;" ) if copy.include?("&")
       if doctype
         # Replace all ampersands that aren't part of an entity
         doctype.entities.each_value do |entity|
@@ -382,7 +382,9 @@ module REXML
       else
         # Replace all ampersands that aren't part of an entity
         DocType::DEFAULT_ENTITIES.each_value do |entity|
-          copy = copy.gsub(entity.value, "&#{entity.name};" )
+          if copy.include?(entity.value)
+            copy = copy.gsub(entity.value, "&#{entity.name};" )
+          end
         end
       end
       copy

data/lib/brakeman/checks/check_ransack.rb ADDED Viewed

@@ -0,0 +1,53 @@
+require 'brakeman/checks/base_check'
+class Brakeman::CheckRansack < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+  @description = "Checks for dangerous use of the Ransack library"
+  def run_check
+    return unless version_between? "0.0.0", "3.99", tracker.config.gem_version(:ransack)
+    check_ransack_calls
+  end
+  def check_ransack_calls
+    tracker.find_call(method: :ransack, nested: true).each do |result|
+      next unless original? result
+      call = result[:call]
+      arg = call.first_arg
+      # If an allow list is defined anywhere in the
+      # class or super classes, consider it safe
+      class_name = result[:chain].first
+      next if ransackable_allow_list?(class_name)
+      if input = has_immediate_user_input?(arg)
+        confidence = if tracker.find_class(class_name).nil?
+                       confidence = :low
+                     elsif result[:location][:file].relative.include? 'admin'
+                       confidence = :medium
+                     else
+                       confidence = :high
+                     end
+        message = msg('Unrestricted search using ', msg_code('ransack'), ' library called with ', msg_input(input), '. Limit search by defining ', msg_code('ransackable_attributes'), ' and ', msg_code('ransackable_associations'), ' methods in class or upgrade Ransack to version 4.0.0 or newer')
+        warn result: result,
+          warning_type: 'Missing Authorization',
+          warning_code: :ransack_search,
+          message: message,
+          user_input: input,
+          confidence: confidence,
+          cwe_id: [862],
+          link: 'https://positive.security/blog/ransack-data-exfiltration'
+      end
+    end
+  end
+  def ransackable_allow_list? class_name
+    tracker.find_method(:ransackable_attributes, class_name, :class) and
+      tracker.find_method(:ransackable_associations, class_name, :class)
+  end
+end

data/lib/brakeman/checks/check_sql.rb CHANGED Viewed

@@ -591,7 +591,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
-    :where_values_hash, :foreign_key, :uuid
+    :where_values_hash, :foreign_key, :uuid, :escape, :escape_string
   ]
   def ignore_methods_in_sql

data/lib/brakeman/options.rb CHANGED Viewed

@@ -244,6 +244,10 @@ module Brakeman::Options
           options[:debug] = true
         end
+        opts.on "--timing", "Measure time for scan steps" do
+          options[:show_timing] = true
+        end
         opts.on "-f",
           "--format TYPE",
           [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif, :sonar, :github],

data/lib/brakeman/processors/alias_processor.rb CHANGED Viewed

@@ -529,8 +529,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #Process a method definition on self.
   def process_defs exp
-    env.scope do
-      set_env_defaults
+    meth_env do
       exp.body = process_all! exp.body
     end
     exp

data/lib/brakeman/processors/lib/module_helper.rb CHANGED Viewed

@@ -84,6 +84,9 @@ module Brakeman::ModuleHelper
     res.line(exp.line)
     @current_method = nil
+    # TODO: if target is not self/nil, then
+    # the method should be added to `target`, not current class
     if @current_class
       @current_class.add_method @visibility, name, res, @current_file
     elsif @current_module
@@ -96,7 +99,13 @@ module Brakeman::ModuleHelper
     name = exp.method_name
     @current_method = name
-    res = Sexp.new :defn, name, exp.formal_args, *process_all!(exp.body)
+    if @inside_sclass
+      res = Sexp.new :defs, s(:self), name, exp.formal_args, *process_all!(exp.body)
+    else
+      res = Sexp.new :defn, name, exp.formal_args, *process_all!(exp.body)
+    end
     res.line(exp.line)
     @current_method = nil
@@ -108,4 +117,25 @@ module Brakeman::ModuleHelper
     res
   end
+  # class << self
+  def process_sclass exp
+    @inside_sclass = true
+    process_all! exp
+    exp
+  ensure
+    @inside_sclass = false
+  end
+  def make_defs exp
+    # 'What if' there was some crazy code that had a
+    # defs inside a def inside an sclass? :|
+    return exp if node_type? exp, :defs
+    raise "Unexpected node type: #{exp.node_type}" unless node_type? exp, :defn
+    Sexp.new(:defs, s(:self), exp.method_name, exp.formal_args, *exp.body).line(exp.line)
+  end
 end

data/lib/brakeman/processors/library_processor.rb CHANGED Viewed

@@ -30,6 +30,12 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   end
   def process_defn exp
+    # TODO: Why is this different from ModuleHelper?
+    if @inside_sclass
+      exp = make_defs(exp)
+    end
     if exp.method_name == :initialize
       @alias_processor.process_safely exp.body_list
       @initializer_env = @alias_processor.only_ivars

data/lib/brakeman/scanner.rb CHANGED Viewed

@@ -30,6 +30,7 @@ class Brakeman::Scanner
     end
     @processor = processor || Brakeman::Processor.new(@app_tree, options)
+    @show_timing = tracker.options[:debug] || tracker.options[:show_timing]
   end
   #Returns the Tracker generated from the scan
@@ -37,35 +38,89 @@ class Brakeman::Scanner
     @processor.tracked_events
   end
+  def process_step description
+    Brakeman.notify "#{description}...".ljust(40)
+    if @show_timing
+      start_t = Time.now
+      yield
+      duration = Time.now - start_t
+      Brakeman.notify "(#{description}) Duration: #{duration} seconds"
+    else
+      yield
+    end
+  end
+  def process_step_file description
+    if @show_timing
+      Brakeman.notify "Processing #{description}"
+      start_t = Time.now
+      yield
+      duration = Time.now - start_t
+      Brakeman.notify "(#{description}) Duration: #{duration} seconds"
+    else
+      yield
+    end
+  end
   #Process everything in the Rails application
   def process
-    Brakeman.notify "Processing gems...                    "
-    process_gems
-    guess_rails_version
-    Brakeman.notify "Processing configuration...           "
-    process_config
-    Brakeman.notify "Parsing files...                      "
-    parse_files
-    Brakeman.notify "Detecting file types...               "
-    detect_file_types
-    Brakeman.notify "Processing initializers...            "
-    process_initializers
-    Brakeman.notify "Processing libs...                    "
-    process_libs
-    Brakeman.notify "Processing routes...                  "
-    process_routes
-    Brakeman.notify "Processing templates...               "
-    process_templates
-    Brakeman.notify "Processing data flow in templates...  "
-    process_template_data_flows
-    Brakeman.notify "Processing models...                  "
-    process_models
-    Brakeman.notify "Processing controllers...             "
-    process_controllers
-    Brakeman.notify "Processing data flow in controllers..."
-    process_controller_data_flows
-    Brakeman.notify "Indexing call sites...                "
-    index_call_sites
+    process_step 'Processing gems' do
+      process_gems
+    end
+    process_step 'Processing configuration' do
+      guess_rails_version
+      process_config
+    end
+    process_step 'Parsing files' do
+      parse_files
+    end
+    process_step 'Detecting file types' do
+      detect_file_types
+    end
+    process_step 'Processing initializers' do
+      process_initializers
+    end
+    process_step 'Processing libs' do
+      process_libs
+    end
+    process_step 'Processing routes' do
+      process_routes
+    end
+    process_step 'Processing templates' do
+      process_templates
+    end
+    process_step 'Processing data flow in templates' do
+      process_template_data_flows
+    end
+    process_step 'Processing models' do
+      process_models
+    end
+    process_step 'Processing controllers' do
+      process_controllers
+    end
+    process_step 'Processing data flow in controllers' do
+      process_controller_data_flows
+    end
+    process_step 'Indexing call sites' do
+      index_call_sites
+    end
     tracker
   end
@@ -214,8 +269,9 @@ class Brakeman::Scanner
   #Adds parsed information to tracker.initializers
   def process_initializers
     track_progress @file_list[:initializers] do |init|
-      Brakeman.debug "Processing #{init[:path]}"
-      process_initializer init
+      process_step_file init[:path] do
+        process_initializer init
+      end
     end
   end
@@ -234,8 +290,9 @@ class Brakeman::Scanner
     end
     track_progress @file_list[:libs] do |lib|
-      Brakeman.debug "Processing #{lib.path}"
-      process_lib lib
+      process_step_file lib.path do
+        process_lib lib
+      end
     end
   end
@@ -266,8 +323,9 @@ class Brakeman::Scanner
   #Adds processed controllers to tracker.controllers
   def process_controllers
     track_progress @file_list[:controllers] do |controller|
-      Brakeman.debug "Processing #{controller.path}"
-      process_controller controller
+      process_step_file controller.path do
+        process_controller controller
+      end
     end
   end
@@ -275,9 +333,10 @@ class Brakeman::Scanner
     controllers = tracker.controllers.sort_by { |name, _| name.to_s }
     track_progress controllers, "controllers" do |name, controller|
-      Brakeman.debug "Processing #{name}"
-      controller.src.each do |file, src|
-        @processor.process_controller_alias name, src, nil, file
+      process_step_file name do
+        controller.src.each do |file, src|
+          @processor.process_controller_alias name, src, nil, file
+        end
       end
     end
@@ -300,8 +359,9 @@ class Brakeman::Scanner
     templates = @file_list[:templates].sort_by { |t| t[:path] }
     track_progress templates, "templates" do |template|
-      Brakeman.debug "Processing #{template[:path]}"
-      process_template template
+      process_step_file template[:path] do
+        process_template template
+      end
     end
   end
@@ -313,8 +373,9 @@ class Brakeman::Scanner
     templates = tracker.templates.sort_by { |name, _| name.to_s }
     track_progress templates, "templates" do |name, template|
-      Brakeman.debug "Processing #{name}"
-      @processor.process_template_alias template
+      process_step_file name do
+        @processor.process_template_alias template
+      end
     end
   end
@@ -323,8 +384,9 @@ class Brakeman::Scanner
   #Adds the processed models to tracker.models
   def process_models
     track_progress @file_list[:models] do |model|
-      Brakeman.debug "Processing #{model[:path]}"
-      process_model model[:path], model[:ast]
+      process_step_file model[:path] do
+        process_model model[:path], model[:ast]
+      end
     end
   end

data/lib/brakeman/tracker/controller.rb CHANGED Viewed

@@ -120,16 +120,20 @@ module Brakeman
         filter[:methods] << a[1] if a.node_type == :lit
       end
-      if args[-1].node_type == :hash
-        option = args[-1][1][1]
-        value = args[-1][2]
-        case value.node_type
-        when :array
-          filter[option] = value.sexp_body.map {|v| v[1] }
-        when :lit, :str
-          filter[option] = value[1]
-        else
-          Brakeman.debug "[Notice] Unknown before_filter value: #{option} => #{value}"
+      options = args.last
+      if hash? options
+        # Probably only one option,
+        # but this also avoids issues with kwsplats
+        hash_iterate(options) do |option, value|
+          case value.node_type
+          when :array
+            filter[option.value] = value.sexp_body.map {|v| v[1] }
+          when :lit, :str
+            filter[option.value] = value[1]
+          else
+            Brakeman.debug "[Notice] Unknown before_filter value: #{option} => #{value}"
+          end
         end
       else
         filter[:all] = true

data/lib/brakeman/tracker.rb CHANGED Viewed

@@ -245,7 +245,7 @@ class Brakeman::Tracker
       end
       # Not in any included modules, check the parent
-      @method_cache[cache_key] = find_method(method_name, klass.parent)
+      @method_cache[cache_key] = find_method(method_name, klass.parent, method_type)
     end
   end

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "6.0.1"
+  Version = "6.1.0"
 end

data/lib/brakeman/warning_codes.rb CHANGED Viewed

@@ -130,6 +130,7 @@ module Brakeman::WarningCodes
     :insecure_rsa_padding_mode => 126,
     :missing_rsa_padding_mode => 127,
     :small_rsa_key_size => 128,
+    :ransack_search => 129,
     :custom_check => 9090,
   }

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 6.0.1
+  version: 6.1.0
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-07-20 00:00:00.000000000 Z
+date: 2023-12-05 00:00:00.000000000 Z
 dependencies: []
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.
@@ -134,59 +134,59 @@ files:
 - bundle/ruby/3.1.0/gems/parallel-1.23.0/MIT-LICENSE.txt
 - bundle/ruby/3.1.0/gems/parallel-1.23.0/lib/parallel.rb
 - bundle/ruby/3.1.0/gems/parallel-1.23.0/lib/parallel/version.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/LICENSE.txt
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/NEWS.md
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/README.md
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/attlistdecl.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/attribute.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/cdata.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/child.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/comment.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/doctype.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/document.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/dtd/attlistdecl.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/dtd/dtd.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/dtd/elementdecl.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/dtd/entitydecl.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/dtd/notationdecl.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/element.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/encoding.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/entity.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/formatters/default.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/formatters/pretty.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/formatters/transitive.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/functions.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/instruction.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/light/node.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/namespace.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/node.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/output.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/parent.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/parseexception.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/parsers/lightparser.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/parsers/streamparser.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/parsers/treeparser.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/parsers/ultralightparser.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/parsers/xpathparser.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/quickpath.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/rexml.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/sax2listener.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/security.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/source.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/streamlistener.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/text.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/undefinednamespaceexception.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/validation/relaxng.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/validation/validation.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/validation/validationexception.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/xmldecl.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/xmltokens.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/xpath.rb
-- bundle/ruby/3.1.0/gems/rexml-3.2.5/lib/rexml/xpath_parser.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/LICENSE.txt
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/NEWS.md
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/README.md
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/attlistdecl.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/attribute.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/cdata.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/child.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/comment.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/doctype.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/document.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/dtd/attlistdecl.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/dtd/dtd.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/dtd/elementdecl.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/dtd/entitydecl.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/dtd/notationdecl.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/element.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/encoding.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/entity.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/formatters/default.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/formatters/pretty.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/formatters/transitive.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/functions.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/instruction.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/light/node.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/namespace.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/node.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/output.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/parent.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/parseexception.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/parsers/baseparser.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/parsers/lightparser.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/parsers/pullparser.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/parsers/sax2parser.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/parsers/streamparser.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/parsers/treeparser.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/parsers/ultralightparser.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/parsers/xpathparser.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/quickpath.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/rexml.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/sax2listener.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/security.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/source.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/streamlistener.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/text.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/undefinednamespaceexception.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/validation/relaxng.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/validation/validation.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/validation/validationexception.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/xmldecl.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/xmltokens.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/xpath.rb
+- bundle/ruby/3.1.0/gems/rexml-3.2.6/lib/rexml/xpath_parser.rb
 - bundle/ruby/3.1.0/gems/ruby2ruby-2.4.4/History.rdoc
 - bundle/ruby/3.1.0/gems/ruby2ruby-2.4.4/Manifest.txt
 - bundle/ruby/3.1.0/gems/ruby2ruby-2.4.4/README.rdoc
@@ -472,6 +472,7 @@ files:
 - lib/brakeman/checks/check_pathname.rb
 - lib/brakeman/checks/check_permit_attributes.rb
 - lib/brakeman/checks/check_quote_table_name.rb
+- lib/brakeman/checks/check_ransack.rb
 - lib/brakeman/checks/check_redirect.rb
 - lib/brakeman/checks/check_regex_dos.rb
 - lib/brakeman/checks/check_render.rb