RubyGems - brakeman - Versions diffs - 6.2.1 → 6.2.2 - Mend

brakeman 6.2.1 → 6.2.2

Files changed (141) hide show

data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/unicode.rb RENAMED Viewed

@@ -56,51 +56,26 @@ class Reline::Unicode
   require 'reline/unicode/east_asian_width'
-  HalfwidthDakutenHandakuten = /[\u{FF9E}\u{FF9F}]/
-  MBCharWidthRE = /
-    (?<width_2_1>
-      [#{ EscapedChars.map {|c| "\\x%02x" % c.ord }.join }] (?# ^ + char, such as ^M, ^H, ^[, ...)
-    )
-  | (?<width_3>^\u{2E3B}) (?# THREE-EM DASH)
-  | (?<width_0>^\p{M})
-  | (?<width_2_2>
-      #{ EastAsianWidth::TYPE_F }
-    | #{ EastAsianWidth::TYPE_W }
-    )
-  | (?<width_1>
-      #{ EastAsianWidth::TYPE_H }
-    | #{ EastAsianWidth::TYPE_NA }
-    | #{ EastAsianWidth::TYPE_N }
-    )(?!#{ HalfwidthDakutenHandakuten })
-  | (?<width_2_3>
-      (?: #{ EastAsianWidth::TYPE_H }
-        | #{ EastAsianWidth::TYPE_NA }
-        | #{ EastAsianWidth::TYPE_N })
-      #{ HalfwidthDakutenHandakuten }
-    )
-  | (?<ambiguous_width>
-      #{EastAsianWidth::TYPE_A}
-    )
-  /x
   def self.get_mbchar_width(mbchar)
     ord = mbchar.ord
-    if (0x00 <= ord and ord <= 0x1F) # in EscapedPairs
+    if ord <= 0x1F # in EscapedPairs
       return 2
-    elsif (0x20 <= ord and ord <= 0x7E) # printable ASCII chars
+    elsif ord <= 0x7E # printable ASCII chars
       return 1
     end
-    m = mbchar.encode(Encoding::UTF_8).match(MBCharWidthRE)
-    case
-    when m.nil? then 1 # TODO should be U+FFFD � REPLACEMENT CHARACTER
-    when m[:width_2_1], m[:width_2_2], m[:width_2_3] then 2
-    when m[:width_3] then 3
-    when m[:width_0] then 0
-    when m[:width_1] then 1
-    when m[:ambiguous_width] then Reline.ambiguous_width
+    utf8_mbchar = mbchar.encode(Encoding::UTF_8)
+    ord = utf8_mbchar.ord
+    chunk_index = EastAsianWidth::CHUNK_LAST.bsearch_index { |o| ord <= o }
+    size = EastAsianWidth::CHUNK_WIDTH[chunk_index]
+    if size == -1
+      Reline.ambiguous_width
+    elsif size == 1 && utf8_mbchar.size >= 2
+      second_char_ord = utf8_mbchar[1].ord
+      # Halfwidth Dakuten Handakuten
+      # Only these two character has Letter Modifier category and can be combined in a single grapheme cluster
+      (second_char_ord == 0xFF9E || second_char_ord == 0xFF9F) ? 2 : 1
     else
-      nil
+      size
     end
   end

data/bundle/ruby/3.1.0/gems/reline-0.5.10/lib/reline/version.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module Reline
+  VERSION = '0.5.10'
+end

data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline.rb RENAMED Viewed

@@ -324,14 +324,17 @@ module Reline
       line_editor.prompt_proc = prompt_proc
       line_editor.auto_indent_proc = auto_indent_proc
       line_editor.dig_perfect_match_proc = dig_perfect_match_proc
+      # Readline calls pre_input_hook just after printing the first prompt.
+      line_editor.print_nomultiline_prompt
       pre_input_hook&.call
       unless Reline::IOGate.dumb?
         @dialog_proc_list.each_pair do |name_sym, d|
           line_editor.add_dialog_proc(name_sym, d.dialog_proc, d.context)
         end
       end
-      line_editor.print_nomultiline_prompt(prompt)
       line_editor.update_dialogs
       line_editor.rerender
@@ -343,7 +346,7 @@ module Reline
             inputs.each do |key|
               if key.char == :bracketed_paste_start
                 text = io_gate.read_bracketed_paste
-                line_editor.insert_pasted_text(text)
+                line_editor.insert_multiline_text(text)
                 line_editor.scroll_into_view
               else
                 line_editor.update(key)
@@ -457,8 +460,8 @@ module Reline
   def_single_delegator :line_editor, :byte_pointer, :point
   def_single_delegator :line_editor, :byte_pointer=, :point=
-  def self.insert_text(*args, &block)
-    line_editor.insert_text(*args, &block)
+  def self.insert_text(text)
+    line_editor.insert_multiline_text(text)
     self
   end

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/NEWS.md RENAMED Viewed

@@ -1,5 +1,48 @@
 # News
+## 3.3.8 - 2024-09-29 {#version-3-3-8}
+### Improvements
+  * SAX2: Improve parse performance.
+    * GH-207
+    * Patch by NAITOH Jun.
+### Fixes
+  * Fixed a bug that unexpected attribute namespace conflict error for
+    the predefined "xml" namespace is reported.
+    * GH-208
+    * Patch by KITAITI Makoto
+### Thanks
+  * NAITOH Jun
+  * KITAITI Makoto
+## 3.3.7 - 2024-09-04 {#version-3-3-7}
+### Improvements
+  * Added local entity expansion limit methods
+    * GH-192
+    * GH-202
+    * Reported by takuya kodama.
+    * Patch by NAITOH Jun.
+  * Removed explicit strscan dependency
+    * GH-204
+    * Patch by Bo Anderson.
+### Thanks
+  * takuya kodama
+  * NAITOH Jun
+  * Bo Anderson
 ## 3.3.6 - 2024-08-22 {#version-3-3-6}
 ### Improvements

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/attribute.rb RENAMED Viewed

@@ -148,8 +148,9 @@ module REXML
     # have been expanded to their values
     def value
       return @unnormalized if @unnormalized
-      @unnormalized = Text::unnormalize( @normalized, doctype )
-      @unnormalized
+      @unnormalized = Text::unnormalize(@normalized, doctype,
+                                        entity_expansion_text_limit: @element&.document&.entity_expansion_text_limit)
     end
     # The normalized value of this attribute.  That is, the attribute with

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/document.rb RENAMED Viewed

@@ -91,6 +91,8 @@ module REXML
     #
     def initialize( source = nil, context = {} )
       @entity_expansion_count = 0
+      @entity_expansion_limit = Security.entity_expansion_limit
+      @entity_expansion_text_limit = Security.entity_expansion_text_limit
       super()
       @context = context
       return if source.nil?
@@ -431,10 +433,12 @@ module REXML
     end
     attr_reader :entity_expansion_count
+    attr_writer :entity_expansion_limit
+    attr_accessor :entity_expansion_text_limit
     def record_entity_expansion
       @entity_expansion_count += 1
-      if @entity_expansion_count > Security.entity_expansion_limit
+      if @entity_expansion_count > @entity_expansion_limit
         raise "number of entity expansions exceeded, processing aborted."
       end
     end

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/entity.rb RENAMED Viewed

@@ -71,9 +71,12 @@ module REXML
     # Evaluates to the unnormalized value of this entity; that is, replacing
     # &ent; entities.
     def unnormalized
-      document.record_entity_expansion unless document.nil?
+      document&.record_entity_expansion
       return nil if @value.nil?
-      @unnormalized = Text::unnormalize(@value, parent)
+      @unnormalized = Text::unnormalize(@value, parent,
+                                        entity_expansion_text_limit: document&.entity_expansion_text_limit)
     end
     #once :unnormalized

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parsers/baseparser.rb RENAMED Viewed

@@ -156,6 +156,7 @@ module REXML
         default_entities.each do |term|
           DEFAULT_ENTITIES_PATTERNS[term] = /&#{term};/
         end
+        XML_PREFIXED_NAMESPACE = "http://www.w3.org/XML/1998/namespace"
       end
       private_constant :Private
@@ -164,6 +165,8 @@ module REXML
         @listeners = []
         @prefixes = Set.new
         @entity_expansion_count = 0
+        @entity_expansion_limit = Security.entity_expansion_limit
+        @entity_expansion_text_limit = Security.entity_expansion_text_limit
       end
       def add_listener( listener )
@@ -172,6 +175,8 @@ module REXML
       attr_reader :source
       attr_reader :entity_expansion_count
+      attr_writer :entity_expansion_limit
+      attr_writer :entity_expansion_text_limit
       def stream=( source )
         @source = SourceFactory.create_from( source )
@@ -181,7 +186,7 @@ module REXML
         @tags = []
         @stack = []
         @entities = []
-        @namespaces = {}
+        @namespaces = {"xml" => Private::XML_PREFIXED_NAMESPACE}
         @namespaces_restore_stack = []
       end
@@ -585,7 +590,7 @@ module REXML
               end
               re = Private::DEFAULT_ENTITIES_PATTERNS[entity_reference] || /&#{entity_reference};/
               rv.gsub!( re, entity_value )
-              if rv.bytesize > Security.entity_expansion_text_limit
+              if rv.bytesize > @entity_expansion_text_limit
                 raise "entity expansion has grown too large"
               end
             else
@@ -627,7 +632,7 @@ module REXML
       def record_entity_expansion(delta=1)
         @entity_expansion_count += delta
-        if @entity_expansion_count > Security.entity_expansion_limit
+        if @entity_expansion_count > @entity_expansion_limit
           raise "number of entity expansions exceeded, processing aborted."
         end
       end
@@ -786,7 +791,7 @@ module REXML
             @source.match(/\s*/um, true)
             if prefix == "xmlns"
               if local_part == "xml"
-                if value != "http://www.w3.org/XML/1998/namespace"
+                if value != Private::XML_PREFIXED_NAMESPACE
                   msg = "The 'xml' prefix must not be bound to any other namespace "+
                     "(http://www.w3.org/TR/REC-xml-names/#ns-decl)"
                   raise REXML::ParseException.new( msg, @source, self )

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parsers/pullparser.rb RENAMED Viewed

@@ -51,6 +51,14 @@ module REXML
         @parser.entity_expansion_count
       end
+      def entity_expansion_limit=( limit )
+        @parser.entity_expansion_limit = limit
+      end
+      def entity_expansion_text_limit=( limit )
+        @parser.entity_expansion_text_limit = limit
+      end
       def each
         while has_next?
           yield self.pull

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parsers/sax2parser.rb RENAMED Viewed

@@ -26,6 +26,14 @@ module REXML
         @parser.entity_expansion_count
       end
+      def entity_expansion_limit=( limit )
+        @parser.entity_expansion_limit = limit
+      end
+      def entity_expansion_text_limit=( limit )
+        @parser.entity_expansion_text_limit = limit
+      end
       def add_listener( listener )
         @parser.add_listener( listener )
       end
@@ -251,6 +259,8 @@ module REXML
       end
       def get_namespace( prefix )
+        return nil if @namespace_stack.empty?
         uris = (@namespace_stack.find_all { |ns| not ns[prefix].nil? }) ||
           (@namespace_stack.find { |ns| not ns[nil].nil? })
         uris[-1][prefix] unless uris.nil? or 0 == uris.size

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parsers/streamparser.rb RENAMED Viewed

@@ -18,6 +18,14 @@ module REXML
         @parser.entity_expansion_count
       end
+      def entity_expansion_limit=( limit )
+        @parser.entity_expansion_limit = limit
+      end
+      def entity_expansion_text_limit=( limit )
+        @parser.entity_expansion_text_limit = limit
+      end
       def parse
         # entity string
         while true

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/rexml.rb RENAMED Viewed

@@ -31,7 +31,7 @@
 module REXML
   COPYRIGHT = "Copyright © 2001-2008 Sean Russell <ser@germane-software.com>"
   DATE = "2008/019"
-  VERSION = "3.3.6"
+  VERSION = "3.3.8"
   REVISION = ""
   Copyright = COPYRIGHT

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/text.rb RENAMED Viewed

@@ -268,7 +268,8 @@ module REXML
     #   u = Text.new( "sean russell", false, nil, true )
     #   u.value   #-> "sean russell"
     def value
-      @unnormalized ||= Text::unnormalize( @string, doctype )
+      @unnormalized ||= Text::unnormalize(@string, doctype,
+                                          entity_expansion_text_limit: document&.entity_expansion_text_limit)
     end
     # Sets the contents of this text node.  This expects the text to be
@@ -411,11 +412,12 @@ module REXML
     end
     # Unescapes all possible entities
-    def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil )
+    def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil, entity_expansion_text_limit: nil )
+      entity_expansion_text_limit ||= Security.entity_expansion_text_limit
       sum = 0
       string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
         s = Text.expand($&, doctype, filter)
-        if sum + s.bytesize > Security.entity_expansion_text_limit
+        if sum + s.bytesize > entity_expansion_text_limit
           raise "entity expansion has grown too large"
         else
           sum += s.bytesize

data/lib/brakeman/checks/check_eol_rails.rb CHANGED Viewed

@@ -11,6 +11,8 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
     check_eol_version :rails, RAILS_EOL_DATES
   end
+  # https://rubyonrails.org/maintenance
+  # https://endoflife.date/rails
   RAILS_EOL_DATES = {
     ['2.0.0', '2.3.99'] => Date.new(2013, 6, 25),
     ['3.0.0', '3.2.99'] => Date.new(2016, 6, 30),
@@ -19,5 +21,9 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
     ['5.1.0', '5.1.99'] => Date.new(2019, 8, 25),
     ['5.2.0', '5.2.99'] => Date.new(2022, 6, 1),
     ['6.0.0', '6.0.99'] => Date.new(2023, 6, 1),
+    ['6.1.0', '6.1.99'] => Date.new(2024, 10, 1),
+    ['7.0.0', '7.0.99'] => Date.new(2025, 4, 1),
+    ['7.1.0', '7.1.99'] => Date.new(2025, 10, 1),
+    ['7.2.0', '7.2.99'] => Date.new(2026, 8, 9),
   }
 end

data/lib/brakeman/checks/check_execute.rb CHANGED Viewed

@@ -53,6 +53,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     call = result[:call]
     args = call.arglist
     first_arg = call.first_arg
+    failure = nil
     case call.method
     when :popen
@@ -71,6 +72,33 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
                   dangerous_interp?(first_arg[3]) ||
                   dangerous_string_building?(first_arg[3])
       end
+    when :pipeline, :pipline_r, :pipeline_rw, :pipeline_w, :pipeline_start
+      # Since these pipeline commands pipe together several commands,
+      # need to check each argument. If it's an array, check first argument
+      # (the command) and also check for `bash -c`. Otherwise check the argument
+      # as a unit.
+      args.each do |arg|
+        next unless sexp? arg
+        if array?(arg)
+          # Check first element of array
+          failure = include_user_input?(arg[1]) ||
+            dangerous_interp?(arg[1]) ||
+            dangerous_string_building?(arg[1])
+          # Check for ['bash', '-c', user_input]
+          if dash_c_shell_command?(arg[1], arg[2])
+            failure = include_user_input?(arg[3]) ||
+              dangerous_interp?(arg[3]) ||
+              dangerous_string_building?(arg[3])
+          end
+        else
+          failure = include_user_input?(arg)
+        end
+        break if failure
+      end
     when :system, :exec
       # Normally, if we're in a `system` or `exec` call, we only are worried
       # about shell injection when there's a single argument, because comma-

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "6.2.1"
+  Version = "6.2.2"
 end