brakeman 6.0.1 → 6.1.2

data/bundle/ruby/{3.1.0/gems/rexml-3.2.5 → 3.3.0/gems/rexml-3.2.6}/lib/rexml/attribute.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 require_relative "namespace"
 require_relative 'text'
 
@@ -13,9 +13,6 @@ module REXML
 
     # The element to which this attribute belongs
     attr_reader :element
-    # The normalized value of this attribute.  That is, the attribute with
-    # entities intact.
-    attr_writer :normalized
     PATTERN = /\s*(#{NAME_STR})\s*=\s*(["'])(.*?)\2/um
 
     NEEDS_A_SECOND_CHECK = /(<|&((#{Entity::NAME});|(#0*((?:\d+)|(?:x[a-fA-F0-9]+)));)?)/um
@@ -122,10 +119,13 @@ module REXML
     #  b = Attribute.new( "ns:x", "y" )
     #  b.to_string     # -> "ns:x='y'"
     def to_string
+      value = to_s
       if @element and @element.context and @element.context[:attribute_quote] == :quote
-        %Q^#@expanded_name="#{to_s().gsub(/"/, '&quot;')}"^
+        value = value.gsub('"', '&quot;') if value.include?('"')
+        %Q^#@expanded_name="#{value}"^
       else
-        "#@expanded_name='#{to_s().gsub(/'/, '&apos;')}'"
+        value = value.gsub("'", '&apos;') if value.include?("'")
+        "#@expanded_name='#{value}'"
       end
     end
 
@@ -141,7 +141,6 @@ module REXML
       return @normalized if @normalized
 
       @normalized = Text::normalize( @unnormalized, doctype )
-      @unnormalized = nil
       @normalized
     end
 
@@ -150,10 +149,16 @@ module REXML
     def value
       return @unnormalized if @unnormalized
       @unnormalized = Text::unnormalize( @normalized, doctype )
-      @normalized = nil
       @unnormalized
     end
 
+    # The normalized value of this attribute.  That is, the attribute with
+    # entities intact.
+    def normalized=(new_normalized)
+      @normalized = new_normalized
+      @unnormalized = nil
+    end
+
     # Returns a copy of this attribute
     def clone
       Attribute.new self
@@ -190,7 +195,7 @@ module REXML
     end
 
     def inspect
-      rv = ""
+      rv = +""
       write( rv )
       rv
     end

data/bundle/ruby/{3.1.0/gems/rexml-3.2.5 → 3.3.0/gems/rexml-3.2.6}/lib/rexml/document.rb

@@ -69,7 +69,7 @@ module REXML
     #   d.to_s # => "<root><foo>Foo</foo><bar>Bar</bar></root>"
     #
     # When argument +document+ is given, it must be an existing
-    # document object, whose context and attributes (but not chidren)
+    # document object, whose context and attributes (but not children)
     # are cloned into the new document:
     #
     #   d = REXML::Document.new(xml_string)

data/bundle/ruby/{3.1.0/gems/rexml-3.2.5 → 3.3.0/gems/rexml-3.2.6}/lib/rexml/element.rb

@@ -989,7 +989,7 @@ module REXML
     # :call-seq:
     #   has_text? -> true or false
     #
-    # Returns +true if the element has one or more text noded,
+    # Returns +true+ if the element has one or more text noded,
     # +false+ otherwise:
     #
     #   d = REXML::Document.new '<a><b/>text<c/></a>'
@@ -1006,7 +1006,7 @@ module REXML
     #   text(xpath = nil) -> text_string or nil
     #
     # Returns the text string from the first text node child
-    # in a specified element, if it exists, # +nil+ otherwise.
+    # in a specified element, if it exists, +nil+ otherwise.
     #
     # With no argument, returns the text from the first text node in +self+:
     #
@@ -1014,7 +1014,7 @@ module REXML
     #   d.root.text.class # => String
     #   d.root.text       # => "some text "
     #
-    # With argument +xpath+, returns text from the the first text node
+    # With argument +xpath+, returns text from the first text node
     # in the element that matches +xpath+:
     #
     #   d.root.text(1) # => "this is bold!"

data/bundle/ruby/{3.1.0/gems/rexml-3.2.5 → 3.3.0/gems/rexml-3.2.6}/lib/rexml/entity.rb

@@ -132,24 +132,34 @@ module REXML
     # then:
     #  doctype.entity('yada').value   #-> "nanoo bar nanoo"
     def value
-      if @value
-        matches = @value.scan(PEREFERENCE_RE)
-        rv = @value.clone
-        if @parent
-          sum = 0
-          matches.each do |entity_reference|
-            entity_value = @parent.entity( entity_reference[0] )
-            if sum + entity_value.bytesize > Security.entity_expansion_text_limit
-              raise "entity expansion has grown too large"
-            else
-              sum += entity_value.bytesize
-            end
-            rv.gsub!( /%#{entity_reference.join};/um, entity_value )
+      @resolved_value ||= resolve_value
+    end
+
+    def parent=(other)
+      @resolved_value = nil
+      super
+    end
+
+    private
+    def resolve_value
+      return nil if @value.nil?
+      return @value unless @value.match?(PEREFERENCE_RE)
+
+      matches = @value.scan(PEREFERENCE_RE)
+      rv = @value.clone
+      if @parent
+        sum = 0
+        matches.each do |entity_reference|
+          entity_value = @parent.entity( entity_reference[0] )
+          if sum + entity_value.bytesize > Security.entity_expansion_text_limit
+            raise "entity expansion has grown too large"
+          else
+            sum += entity_value.bytesize
           end
+          rv.gsub!( /%#{entity_reference.join};/um, entity_value )
         end
-        return rv
       end
-      nil
+      rv
     end
   end
 

data/bundle/ruby/{3.1.0/gems/rexml-3.2.5 → 3.3.0/gems/rexml-3.2.6}/lib/rexml/formatters/pretty.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 require_relative 'default'
 
 module REXML
@@ -58,7 +58,7 @@ module REXML
           skip = false
           if compact
             if node.children.inject(true) {|s,c| s & c.kind_of?(Text)}
-              string = ""
+              string = +""
               old_level = @level
               @level = 0
               node.children.each { |child| write( child, string ) }

data/bundle/ruby/{3.1.0/gems/rexml-3.2.5 → 3.3.0/gems/rexml-3.2.6}/lib/rexml/namespace.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 
 require_relative 'xmltokens'
 
@@ -10,13 +10,17 @@ module REXML
     # The expanded name of the object, valid if name is set
     attr_accessor :prefix
     include XMLTokens
+    NAME_WITHOUT_NAMESPACE = /\A#{NCNAME_STR}\z/
     NAMESPLIT = /^(?:(#{NCNAME_STR}):)?(#{NCNAME_STR})/u
 
     # Sets the name and the expanded name
     def name=( name )
       @expanded_name = name
-      case name
-      when NAMESPLIT
+      if name.match?(NAME_WITHOUT_NAMESPACE)
+        @prefix = ""
+        @namespace = ""
+        @name = name
+      elsif name =~ NAMESPLIT
         if $1
           @prefix = $1
         else
@@ -24,7 +28,7 @@ module REXML
           @namespace = ""
         end
         @name = $2
-      when ""
+      elsif name == ""
         @prefix = nil
         @namespace = nil
         @name = nil

data/bundle/ruby/{3.1.0/gems/rexml-3.2.5 → 3.3.0/gems/rexml-3.2.6}/lib/rexml/parsers/xpathparser.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: false
+
 require_relative '../namespace'
 require_relative '../xmltokens'
 
@@ -38,108 +39,143 @@ module REXML
         parsed
       end
 
-      def abbreviate( path )
-        path = path.kind_of?(String) ? parse( path ) : path
-        string = ""
-        document = false
-        while path.size > 0
-          op = path.shift
+      def abbreviate(path_or_parsed)
+        if path_or_parsed.kind_of?(String)
+          parsed = parse(path_or_parsed)
+        else
+          parsed = path_or_parsed
+        end
+        components = []
+        component = nil
+        while parsed.size > 0
+          op = parsed.shift
           case op
           when :node
+            component << "node()"
           when :attribute
-            string << "/" if string.size > 0
-            string << "@"
+            component = "@"
+            components << component
           when :child
-            string << "/" if string.size > 0
+            component = ""
+            components << component
           when :descendant_or_self
-            string << "/"
+            next_op = parsed[0]
+            if next_op == :node
+              parsed.shift
+              component = ""
+              components << component
+            else
+              component = "descendant-or-self::"
+              components << component
+            end
           when :self
-            string << "."
+            next_op = parsed[0]
+            if next_op == :node
+              parsed.shift
+              components << "."
+            else
+              component = "self::"
+              components << component
+            end
           when :parent
-            string << ".."
+            next_op = parsed[0]
+            if next_op == :node
+              parsed.shift
+              components << ".."
+            else
+              component = "parent::"
+              components << component
+            end
           when :any
-            string << "*"
+            component << "*"
           when :text
-            string << "text()"
+            component << "text()"
           when :following, :following_sibling,
                 :ancestor, :ancestor_or_self, :descendant,
                 :namespace, :preceding, :preceding_sibling
-            string << "/" unless string.size == 0
-            string << op.to_s.tr("_", "-")
-            string << "::"
+            component = op.to_s.tr("_", "-") << "::"
+            components << component
           when :qname
-            prefix = path.shift
-            name = path.shift
-            string << prefix+":" if prefix.size > 0
-            string << name
+            prefix = parsed.shift
+            name = parsed.shift
+            component << prefix+":" if prefix.size > 0
+            component << name
           when :predicate
-            string << '['
-            string << predicate_to_string( path.shift ) {|x| abbreviate( x ) }
-            string << ']'
+            component << '['
+            component << predicate_to_path(parsed.shift) {|x| abbreviate(x)}
+            component << ']'
           when :document
-            document = true
+            components << ""
           when :function
-            string << path.shift
-            string << "( "
-            string << predicate_to_string( path.shift[0] ) {|x| abbreviate( x )}
-            string << " )"
+            component << parsed.shift
+            component << "( "
+            component << predicate_to_path(parsed.shift[0]) {|x| abbreviate(x)}
+            component << " )"
           when :literal
-            string << %Q{ "#{path.shift}" }
+            component << quote_literal(parsed.shift)
           else
-            string << "/" unless string.size == 0
-            string << "UNKNOWN("
-            string << op.inspect
-            string << ")"
+            component << "UNKNOWN("
+            component << op.inspect
+            component << ")"
           end
         end
-        string = "/"+string if document
-        return string
+        case components
+        when [""]
+          "/"
+        when ["", ""]
+          "//"
+        else
+          components.join("/")
+        end
       end
 
-      def expand( path )
-        path = path.kind_of?(String) ? parse( path ) : path
-        string = ""
+      def expand(path_or_parsed)
+        if path_or_parsed.kind_of?(String)
+          parsed = parse(path_or_parsed)
+        else
+          parsed = path_or_parsed
+        end
+        path = ""
         document = false
-        while path.size > 0
-          op = path.shift
+        while parsed.size > 0
+          op = parsed.shift
           case op
           when :node
-            string << "node()"
+            path << "node()"
           when :attribute, :child, :following, :following_sibling,
                 :ancestor, :ancestor_or_self, :descendant, :descendant_or_self,
                 :namespace, :preceding, :preceding_sibling, :self, :parent
-            string << "/" unless string.size == 0
-            string << op.to_s.tr("_", "-")
-            string << "::"
+            path << "/" unless path.size == 0
+            path << op.to_s.tr("_", "-")
+            path << "::"
           when :any
-            string << "*"
+            path << "*"
           when :qname
-            prefix = path.shift
-            name = path.shift
-            string << prefix+":" if prefix.size > 0
-            string << name
+            prefix = parsed.shift
+            name = parsed.shift
+            path << prefix+":" if prefix.size > 0
+            path << name
           when :predicate
-            string << '['
-            string << predicate_to_string( path.shift ) { |x| expand(x) }
-            string << ']'
+            path << '['
+            path << predicate_to_path( parsed.shift ) { |x| expand(x) }
+            path << ']'
           when :document
             document = true
           else
-            string << "/" unless string.size == 0
-            string << "UNKNOWN("
-            string << op.inspect
-            string << ")"
+            path << "UNKNOWN("
+            path << op.inspect
+            path << ")"
           end
         end
-        string = "/"+string if document
-        return string
+        path = "/"+path if document
+        path
       end
 
-      def predicate_to_string( path, &block )
-        string = ""
-        case path[0]
+      def predicate_to_path(parsed, &block)
+        path = ""
+        case parsed[0]
         when :and, :or, :mult, :plus, :minus, :neq, :eq, :lt, :gt, :lteq, :gteq, :div, :mod, :union
-          op = path.shift
+          op = parsed.shift
           case op
           when :eq
             op = "="
@@ -156,36 +192,50 @@ module REXML
           when :union
             op = "|"
           end
-          left = predicate_to_string( path.shift, &block )
-          right = predicate_to_string( path.shift, &block )
-          string << " "
-          string << left
-          string << " "
-          string << op.to_s
-          string << " "
-          string << right
-          string << " "
+          left = predicate_to_path( parsed.shift, &block )
+          right = predicate_to_path( parsed.shift, &block )
+          path << left
+          path << " "
+          path << op.to_s
+          path << " "
+          path << right
         when :function
-          path.shift
-          name = path.shift
-          string << name
-          string << "( "
-          string << predicate_to_string( path.shift, &block )
-          string << " )"
+          parsed.shift
+          name = parsed.shift
+          path << name
+          path << "("
+          parsed.shift.each_with_index do |argument, i|
+            path << ", " if i > 0
+            path << predicate_to_path(argument, &block)
+          end
+          path << ")"
         when :literal
-          path.shift
-          string << " "
-          string << path.shift.inspect
-          string << " "
+          parsed.shift
+          path << quote_literal(parsed.shift)
         else
-          string << " "
-          string << yield( path )
-          string << " "
+          path << yield( parsed )
         end
-        return string.squeeze(" ")
+        return path.squeeze(" ")
       end
+      # For backward compatibility
+      alias_method :preciate_to_string, :predicate_to_path
 
       private
+      def quote_literal( literal )
+        case literal
+        when String
+          # XPath 1.0 does not support escape characters.
+          # Assumes literal does not contain both single and double quotes.
+          if literal.include?("'")
+            "\"#{literal}\""
+          else
+            "'#{literal}'"
+          end
+        else
+          literal.inspect
+        end
+      end
+
       #LocationPath
       #  | RelativeLocationPath
       #  | '/' RelativeLocationPath?

data/bundle/ruby/{3.1.0/gems/rexml-3.2.5 → 3.3.0/gems/rexml-3.2.6}/lib/rexml/rexml.rb

@@ -26,10 +26,12 @@
 # - REXML::Document.
 # - REXML::Element.
 #
+# There's also an {REXML tutorial}[doc/rexml/tutorial_rdoc.html].
+#
 module REXML
   COPYRIGHT = "Copyright © 2001-2008 Sean Russell <ser@germane-software.com>"
   DATE = "2008/019"
-  VERSION = "3.2.5"
+  VERSION = "3.2.6"
   REVISION = ""
 
   Copyright = COPYRIGHT

data/bundle/ruby/{3.1.0/gems/rexml-3.2.5 → 3.3.0/gems/rexml-3.2.6}/lib/rexml/text.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
 require_relative 'security'
 require_relative 'entity'
 require_relative 'doctype'
@@ -131,7 +131,7 @@ module REXML
     def Text.check string, pattern, doctype
 
       # illegal anywhere
-      if string !~ VALID_XML_CHARS
+      if !string.match?(VALID_XML_CHARS)
         if String.method_defined? :encode
           string.chars.each do |c|
             case c.ord
@@ -371,7 +371,7 @@ module REXML
       copy = input.to_s
       # Doing it like this rather than in a loop improves the speed
       #copy = copy.gsub( EREFERENCE, '&' )
-      copy = copy.gsub( "&", "&" )
+      copy = copy.gsub( "&", "&" ) if copy.include?("&")
       if doctype
         # Replace all ampersands that aren't part of an entity
         doctype.entities.each_value do |entity|
@@ -382,7 +382,9 @@ module REXML
       else
         # Replace all ampersands that aren't part of an entity
         DocType::DEFAULT_ENTITIES.each_value do |entity|
-          copy = copy.gsub(entity.value, "&#{entity.name};" )
+          if copy.include?(entity.value)
+            copy = copy.gsub(entity.value, "&#{entity.name};" )
+          end
         end
       end
       copy

data/bundle/ruby/{3.1.0/gems/sexp_processor-4.17.0 → 3.3.0/gems/sexp_processor-4.17.1}/History.rdoc

@@ -1,3 +1,9 @@
+=== 4.17.1 / 2024-01-15
+
+* 1 minor enhancement:
+
+  * Added 3.3 to pt_testcase.rb
+
 === 4.17.0 / 2023-05-03
 
 * 2 minor enhancements:

data/bundle/ruby/{3.1.0/gems/sexp_processor-4.17.0 → 3.3.0/gems/sexp_processor-4.17.1}/lib/pt_testcase.rb

@@ -34,7 +34,7 @@ class Examples
 end
 
 class ParseTreeTestCase < Minitest::Test
-  all_versions  = %w[18 19 20 21 22 23 24 25 26 27 30 31 32]
+  all_versions  = %w[18 19 20 21 22 23 24 25 26 27 30 31 32 33]
   most_versions = all_versions.drop(1)
 
   TEST_SUFFIX = "_#{most_versions.join "_"}"

data/bundle/ruby/{3.1.0/gems/sexp_processor-4.17.0 → 3.3.0/gems/sexp_processor-4.17.1}/lib/sexp_processor.rb

@@ -34,7 +34,7 @@ require "sexp"
 class SexpProcessor
 
   # duh
-  VERSION = "4.17.0"
+  VERSION = "4.17.1"
 
   ##
   # Automatically shifts off the Sexp type before handing the

data/lib/brakeman/checks/check_eol_ruby.rb

@@ -24,5 +24,6 @@ class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
     ['3.0.0', '3.0.99'] => Date.new(2024, 3, 31),
     ['3.1.0', '3.1.99'] => Date.new(2025, 3, 31),
     ['3.2.0', '3.2.99'] => Date.new(2026, 3, 31),
+    ['3.3.0', '3.3.99'] => Date.new(2027, 3, 31),
   }
 end

data/lib/brakeman/checks/check_ransack.rb

@@ -0,0 +1,53 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckRansack < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Checks for dangerous use of the Ransack library"
+
+  def run_check
+    return unless version_between? "0.0.0", "3.99", tracker.config.gem_version(:ransack)
+    check_ransack_calls
+  end
+
+  def check_ransack_calls
+    tracker.find_call(method: :ransack, nested: true).each do |result|
+      next unless original? result
+
+      call = result[:call]
+      arg = call.first_arg
+
+      # If an allow list is defined anywhere in the
+      # class or super classes, consider it safe
+      class_name = result[:chain].first
+
+      next if ransackable_allow_list?(class_name)
+
+      if input = has_immediate_user_input?(arg)
+        confidence = if tracker.find_class(class_name).nil?
+                       confidence = :low
+                     elsif result[:location][:file].relative.include? 'admin'
+                       confidence = :medium
+                     else
+                       confidence = :high
+                     end
+
+        message = msg('Unrestricted search using ', msg_code('ransack'), ' library called with ', msg_input(input), '. Limit search by defining ', msg_code('ransackable_attributes'), ' and ', msg_code('ransackable_associations'), ' methods in class or upgrade Ransack to version 4.0.0 or newer')
+
+        warn result: result,
+          warning_type: 'Missing Authorization',
+          warning_code: :ransack_search,
+          message: message,
+          user_input: input,
+          confidence: confidence,
+          cwe_id: [862],
+          link: 'https://positive.security/blog/ransack-data-exfiltration'
+      end
+    end
+  end
+
+  def ransackable_allow_list? class_name
+    tracker.find_method(:ransackable_attributes, class_name, :class) and
+      tracker.find_method(:ransackable_associations, class_name, :class)
+  end
+end

data/lib/brakeman/checks/check_render.rb

@@ -108,6 +108,11 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
   def known_renderable_class? class_name
     klass = tracker.find_class(class_name)
     return false if klass.nil?
-    klass.ancestor? :"ViewComponent::Base"
+    knowns = [
+      :"ViewComponent::Base",
+      :"ViewComponentContrib::Base",
+      :"Phlex::HTML"
+    ]
+    knowns.any? { |k| klass.ancestor? k }
   end
 end

data/lib/brakeman/checks/check_session_settings.rb

@@ -116,10 +116,9 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
 
     if secrets_file.exists? and not ignored? "secrets.yml" and not ignored? "config/*.yml"
       yaml = secrets_file.read
-      require 'date' # https://github.com/dtao/safe_yaml/issues/80
-      require 'safe_yaml/load'
+      require 'yaml'
       begin
-        secrets = SafeYAML.load yaml
+        secrets = YAML.safe_load yaml
       rescue Psych::SyntaxError, RuntimeError => e
         Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
         Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"