brakeman 6.0.1 → 6.1.1

data/bundle/ruby/{3.1.0/gems/rexml-3.2.5 → 3.0.0/gems/rexml-3.2.6}/lib/rexml/parsers/xpathparser.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: false
+
 require_relative '../namespace'
 require_relative '../xmltokens'
 
@@ -38,108 +39,143 @@ module REXML
         parsed
       end
 
-      def abbreviate( path )
-        path = path.kind_of?(String) ? parse( path ) : path
-        string = ""
-        document = false
-        while path.size > 0
-          op = path.shift
+      def abbreviate(path_or_parsed)
+        if path_or_parsed.kind_of?(String)
+          parsed = parse(path_or_parsed)
+        else
+          parsed = path_or_parsed
+        end
+        components = []
+        component = nil
+        while parsed.size > 0
+          op = parsed.shift
           case op
           when :node
+            component << "node()"
           when :attribute
-            string << "/" if string.size > 0
-            string << "@"
+            component = "@"
+            components << component
           when :child
-            string << "/" if string.size > 0
+            component = ""
+            components << component
           when :descendant_or_self
-            string << "/"
+            next_op = parsed[0]
+            if next_op == :node
+              parsed.shift
+              component = ""
+              components << component
+            else
+              component = "descendant-or-self::"
+              components << component
+            end
           when :self
-            string << "."
+            next_op = parsed[0]
+            if next_op == :node
+              parsed.shift
+              components << "."
+            else
+              component = "self::"
+              components << component
+            end
           when :parent
-            string << ".."
+            next_op = parsed[0]
+            if next_op == :node
+              parsed.shift
+              components << ".."
+            else
+              component = "parent::"
+              components << component
+            end
           when :any
-            string << "*"
+            component << "*"
           when :text
-            string << "text()"
+            component << "text()"
           when :following, :following_sibling,
                 :ancestor, :ancestor_or_self, :descendant,
                 :namespace, :preceding, :preceding_sibling
-            string << "/" unless string.size == 0
-            string << op.to_s.tr("_", "-")
-            string << "::"
+            component = op.to_s.tr("_", "-") << "::"
+            components << component
           when :qname
-            prefix = path.shift
-            name = path.shift
-            string << prefix+":" if prefix.size > 0
-            string << name
+            prefix = parsed.shift
+            name = parsed.shift
+            component << prefix+":" if prefix.size > 0
+            component << name
           when :predicate
-            string << '['
-            string << predicate_to_string( path.shift ) {|x| abbreviate( x ) }
-            string << ']'
+            component << '['
+            component << predicate_to_path(parsed.shift) {|x| abbreviate(x)}
+            component << ']'
           when :document
-            document = true
+            components << ""
           when :function
-            string << path.shift
-            string << "( "
-            string << predicate_to_string( path.shift[0] ) {|x| abbreviate( x )}
-            string << " )"
+            component << parsed.shift
+            component << "( "
+            component << predicate_to_path(parsed.shift[0]) {|x| abbreviate(x)}
+            component << " )"
           when :literal
-            string << %Q{ "#{path.shift}" }
+            component << quote_literal(parsed.shift)
           else
-            string << "/" unless string.size == 0
-            string << "UNKNOWN("
-            string << op.inspect
-            string << ")"
+            component << "UNKNOWN("
+            component << op.inspect
+            component << ")"
           end
         end
-        string = "/"+string if document
-        return string
+        case components
+        when [""]
+          "/"
+        when ["", ""]
+          "//"
+        else
+          components.join("/")
+        end
       end
 
-      def expand( path )
-        path = path.kind_of?(String) ? parse( path ) : path
-        string = ""
+      def expand(path_or_parsed)
+        if path_or_parsed.kind_of?(String)
+          parsed = parse(path_or_parsed)
+        else
+          parsed = path_or_parsed
+        end
+        path = ""
         document = false
-        while path.size > 0
-          op = path.shift
+        while parsed.size > 0
+          op = parsed.shift
           case op
           when :node
-            string << "node()"
+            path << "node()"
           when :attribute, :child, :following, :following_sibling,
                 :ancestor, :ancestor_or_self, :descendant, :descendant_or_self,
                 :namespace, :preceding, :preceding_sibling, :self, :parent
-            string << "/" unless string.size == 0
-            string << op.to_s.tr("_", "-")
-            string << "::"
+            path << "/" unless path.size == 0
+            path << op.to_s.tr("_", "-")
+            path << "::"
           when :any
-            string << "*"
+            path << "*"
           when :qname
-            prefix = path.shift
-            name = path.shift
-            string << prefix+":" if prefix.size > 0
-            string << name
+            prefix = parsed.shift
+            name = parsed.shift
+            path << prefix+":" if prefix.size > 0
+            path << name
           when :predicate
-            string << '['
-            string << predicate_to_string( path.shift ) { |x| expand(x) }
-            string << ']'
+            path << '['
+            path << predicate_to_path( parsed.shift ) { |x| expand(x) }
+            path << ']'
           when :document
             document = true
           else
-            string << "/" unless string.size == 0
-            string << "UNKNOWN("
-            string << op.inspect
-            string << ")"
+            path << "UNKNOWN("
+            path << op.inspect
+            path << ")"
           end
         end
-        string = "/"+string if document
-        return string
+        path = "/"+path if document
+        path
       end
 
-      def predicate_to_string( path, &block )
-        string = ""
-        case path[0]
+      def predicate_to_path(parsed, &block)
+        path = ""
+        case parsed[0]
         when :and, :or, :mult, :plus, :minus, :neq, :eq, :lt, :gt, :lteq, :gteq, :div, :mod, :union
-          op = path.shift
+          op = parsed.shift
           case op
           when :eq
             op = "="
@@ -156,36 +192,50 @@ module REXML
           when :union
             op = "|"
           end
-          left = predicate_to_string( path.shift, &block )
-          right = predicate_to_string( path.shift, &block )
-          string << " "
-          string << left
-          string << " "
-          string << op.to_s
-          string << " "
-          string << right
-          string << " "
+          left = predicate_to_path( parsed.shift, &block )
+          right = predicate_to_path( parsed.shift, &block )
+          path << left
+          path << " "
+          path << op.to_s
+          path << " "
+          path << right
         when :function
-          path.shift
-          name = path.shift
-          string << name
-          string << "( "
-          string << predicate_to_string( path.shift, &block )
-          string << " )"
+          parsed.shift
+          name = parsed.shift
+          path << name
+          path << "("
+          parsed.shift.each_with_index do |argument, i|
+            path << ", " if i > 0
+            path << predicate_to_path(argument, &block)
+          end
+          path << ")"
         when :literal
-          path.shift
-          string << " "
-          string << path.shift.inspect
-          string << " "
+          parsed.shift
+          path << quote_literal(parsed.shift)
         else
-          string << " "
-          string << yield( path )
-          string << " "
+          path << yield( parsed )
         end
-        return string.squeeze(" ")
+        return path.squeeze(" ")
       end
+      # For backward compatibility
+      alias_method :preciate_to_string, :predicate_to_path
 
       private
+      def quote_literal( literal )
+        case literal
+        when String
+          # XPath 1.0 does not support escape characters.
+          # Assumes literal does not contain both single and double quotes.
+          if literal.include?("'")
+            "\"#{literal}\""
+          else
+            "'#{literal}'"
+          end
+        else
+          literal.inspect
+        end
+      end
+
       #LocationPath
       #  | RelativeLocationPath
       #  | '/' RelativeLocationPath?

data/bundle/ruby/{3.1.0/gems/rexml-3.2.5 → 3.0.0/gems/rexml-3.2.6}/lib/rexml/rexml.rb

@@ -26,10 +26,12 @@
 # - REXML::Document.
 # - REXML::Element.
 #
+# There's also an {REXML tutorial}[doc/rexml/tutorial_rdoc.html].
+#
 module REXML
   COPYRIGHT = "Copyright © 2001-2008 Sean Russell <ser@germane-software.com>"
   DATE = "2008/019"
-  VERSION = "3.2.5"
+  VERSION = "3.2.6"
   REVISION = ""
 
   Copyright = COPYRIGHT

data/bundle/ruby/{3.1.0/gems/rexml-3.2.5 → 3.0.0/gems/rexml-3.2.6}/lib/rexml/text.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 require_relative 'security'
 require_relative 'entity'
 require_relative 'doctype'
@@ -131,7 +131,7 @@ module REXML
     def Text.check string, pattern, doctype
 
       # illegal anywhere
-      if string !~ VALID_XML_CHARS
+      if !string.match?(VALID_XML_CHARS)
         if String.method_defined? :encode
           string.chars.each do |c|
             case c.ord
@@ -371,7 +371,7 @@ module REXML
       copy = input.to_s
       # Doing it like this rather than in a loop improves the speed
       #copy = copy.gsub( EREFERENCE, '&' )
-      copy = copy.gsub( "&", "&" )
+      copy = copy.gsub( "&", "&" ) if copy.include?("&")
       if doctype
         # Replace all ampersands that aren't part of an entity
         doctype.entities.each_value do |entity|
@@ -382,7 +382,9 @@ module REXML
       else
         # Replace all ampersands that aren't part of an entity
         DocType::DEFAULT_ENTITIES.each_value do |entity|
-          copy = copy.gsub(entity.value, "&#{entity.name};" )
+          if copy.include?(entity.value)
+            copy = copy.gsub(entity.value, "&#{entity.name};" )
+          end
         end
       end
       copy

data/lib/brakeman/checks/check_ransack.rb

@@ -0,0 +1,53 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckRansack < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for dangerous use of the Ransack library"
+
+  def run_check
+    return unless version_between? "0.0.0", "3.99", tracker.config.gem_version(:ransack)
+    check_ransack_calls
+  end
+
+  def check_ransack_calls
+    tracker.find_call(method: :ransack, nested: true).each do |result|
+      next unless original? result
+
+      call = result[:call]
+      arg = call.first_arg
+
+      # If an allow list is defined anywhere in the
+      # class or super classes, consider it safe
+      class_name = result[:chain].first
+
+      next if ransackable_allow_list?(class_name)
+
+      if input = has_immediate_user_input?(arg)
+        confidence = if tracker.find_class(class_name).nil?
+                       confidence = :low
+                     elsif result[:location][:file].relative.include? 'admin'
+                       confidence = :medium
+                     else
+                       confidence = :high
+                     end
+
+        message = msg('Unrestricted search using ', msg_code('ransack'), ' library called with ', msg_input(input), '. Limit search by defining ', msg_code('ransackable_attributes'), ' and ', msg_code('ransackable_associations'), ' methods in class or upgrade Ransack to version 4.0.0 or newer')
+
+        warn result: result,
+          warning_type: 'Missing Authorization',
+          warning_code: :ransack_search,
+          message: message,
+          user_input: input,
+          confidence: confidence,
+          cwe_id: [862],
+          link: 'https://positive.security/blog/ransack-data-exfiltration'
+      end
+    end
+  end
+
+  def ransackable_allow_list? class_name
+    tracker.find_method(:ransackable_attributes, class_name, :class) and
+      tracker.find_method(:ransackable_associations, class_name, :class)
+  end
+end

data/lib/brakeman/checks/check_sql.rb

@@ -591,7 +591,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
-    :where_values_hash, :foreign_key, :uuid
+    :where_values_hash, :foreign_key, :uuid, :escape, :escape_string
   ]
 
   def ignore_methods_in_sql

data/lib/brakeman/options.rb

@@ -244,6 +244,10 @@ module Brakeman::Options
           options[:debug] = true
         end
 
+        opts.on "--timing", "Measure time for scan steps" do
+          options[:show_timing] = true
+        end
+
         opts.on "-f",
           "--format TYPE",
           [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif, :sonar, :github],

data/lib/brakeman/processors/alias_processor.rb

@@ -529,8 +529,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
   #Process a method definition on self.
   def process_defs exp
-    env.scope do
-      set_env_defaults
+    meth_env do
       exp.body = process_all! exp.body
     end
     exp

data/lib/brakeman/processors/lib/module_helper.rb

@@ -84,6 +84,9 @@ module Brakeman::ModuleHelper
     res.line(exp.line)
     @current_method = nil
 
+    # TODO: if target is not self/nil, then
+    # the method should be added to `target`, not current class
+
     if @current_class
       @current_class.add_method @visibility, name, res, @current_file
     elsif @current_module
@@ -96,7 +99,13 @@ module Brakeman::ModuleHelper
     name = exp.method_name
 
     @current_method = name
-    res = Sexp.new :defn, name, exp.formal_args, *process_all!(exp.body)
+
+    if @inside_sclass
+      res = Sexp.new :defs, s(:self), name, exp.formal_args, *process_all!(exp.body)
+    else
+      res = Sexp.new :defn, name, exp.formal_args, *process_all!(exp.body)
+    end
+
     res.line(exp.line)
     @current_method = nil
 
@@ -108,4 +117,25 @@ module Brakeman::ModuleHelper
 
     res
   end
+
+  # class << self
+  def process_sclass exp
+    @inside_sclass = true
+
+    process_all! exp
+
+    exp
+  ensure
+    @inside_sclass = false
+  end
+
+  def make_defs exp
+    # 'What if' there was some crazy code that had a
+    # defs inside a def inside an sclass? :|
+    return exp if node_type? exp, :defs
+
+    raise "Unexpected node type: #{exp.node_type}" unless node_type? exp, :defn
+
+    Sexp.new(:defs, s(:self), exp.method_name, exp.formal_args, *exp.body).line(exp.line)
+  end
 end

data/lib/brakeman/processors/library_processor.rb

@@ -30,6 +30,12 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   end
 
   def process_defn exp
+    # TODO: Why is this different from ModuleHelper?
+
+    if @inside_sclass
+      exp = make_defs(exp)
+    end
+
     if exp.method_name == :initialize
       @alias_processor.process_safely exp.body_list
       @initializer_env = @alias_processor.only_ivars