brakeman 6.2.1 → 6.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGES.md +10 -0
- data/README.md +0 -1
- data/bundle/load.rb +3 -4
- data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/Changelog.md +6 -0
- data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/Gemfile +1 -0
- data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/README.md +3 -0
- data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/version.rb +1 -1
- data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline.rb +9 -1
- data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/config.rb +19 -24
- data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/face.rb +1 -1
- data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/io/ansi.rb +8 -0
- data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/io/windows.rb +24 -14
- data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/line_editor.rb +39 -48
- data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/terminfo.rb +1 -1
- data/bundle/ruby/3.1.0/gems/reline-0.5.10/lib/reline/unicode/east_asian_width.rb +1267 -0
- data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/unicode.rb +14 -39
- data/bundle/ruby/3.1.0/gems/reline-0.5.10/lib/reline/version.rb +3 -0
- data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline.rb +7 -4
- data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/NEWS.md +43 -0
- data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/attribute.rb +3 -2
- data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/document.rb +5 -1
- data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/entity.rb +5 -2
- data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parsers/baseparser.rb +9 -4
- data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parsers/pullparser.rb +8 -0
- data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parsers/sax2parser.rb +10 -0
- data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parsers/streamparser.rb +8 -0
- data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/rexml.rb +1 -1
- data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/text.rb +5 -3
- data/lib/brakeman/checks/check_eol_rails.rb +6 -0
- data/lib/brakeman/checks/check_execute.rb +28 -0
- data/lib/brakeman/version.rb +1 -1
- metadata +115 -133
- data/bundle/ruby/3.1.0/gems/io-console-0.7.2/README.md +0 -46
- data/bundle/ruby/3.1.0/gems/io-console-0.7.2/ext/io/console/Makefile +0 -270
- data/bundle/ruby/3.1.0/gems/io-console-0.7.2/ext/io/console/console.c +0 -1838
- data/bundle/ruby/3.1.0/gems/io-console-0.7.2/ext/io/console/console.o +0 -0
- data/bundle/ruby/3.1.0/gems/io-console-0.7.2/ext/io/console/console.so +0 -0
- data/bundle/ruby/3.1.0/gems/io-console-0.7.2/ext/io/console/extconf.rb +0 -43
- data/bundle/ruby/3.1.0/gems/io-console-0.7.2/ext/io/console/win32_vk.inc +0 -1391
- data/bundle/ruby/3.1.0/gems/io-console-0.7.2/lib/io/console/size.rb +0 -23
- data/bundle/ruby/3.1.0/gems/io-console-0.7.2/lib/io/console.so +0 -0
- data/bundle/ruby/3.1.0/gems/reline-0.5.9/lib/reline/unicode/east_asian_width.rb +0 -1196
- data/bundle/ruby/3.1.0/gems/reline-0.5.9/lib/reline/version.rb +0 -3
- data/bundle/ruby/3.1.0/gems/rexml-3.3.6/LICENSE.txt +0 -22
- data/bundle/ruby/3.1.0/gems/strscan-3.1.0/COPYING +0 -56
- data/bundle/ruby/3.1.0/gems/strscan-3.1.0/LICENSE.txt +0 -22
- data/bundle/ruby/3.1.0/gems/strscan-3.1.0/ext/strscan/Makefile +0 -268
- data/bundle/ruby/3.1.0/gems/strscan-3.1.0/ext/strscan/extconf.rb +0 -10
- data/bundle/ruby/3.1.0/gems/strscan-3.1.0/ext/strscan/strscan.c +0 -1741
- data/bundle/ruby/3.1.0/gems/strscan-3.1.0/ext/strscan/strscan.o +0 -0
- data/bundle/ruby/3.1.0/gems/strscan-3.1.0/ext/strscan/strscan.so +0 -0
- data/bundle/ruby/3.1.0/gems/strscan-3.1.0/lib/strscan.so +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/AUTHORS +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/COPYING +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/LICENSE +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/TODO +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/highline.gemspec +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/builtin_styles.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/color_scheme.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/compatibility.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/custom_errors.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/import.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/io_console_compatible.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/list.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/list_renderer.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/menu/item.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/menu.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/paginator.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/question/answer_converter.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/question.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/question_asker.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/simulate.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/statement.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/string.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/string_extensions.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/style.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/template_renderer.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/terminal/io_console.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/terminal/ncurses.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/terminal/unix_stty.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/terminal.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{highline-3.1.0 → highline-3.1.1}/lib/highline/wrapper.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/BSDL +0 -0
- /data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/COPYING +0 -0
- /data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/README.md +0 -0
- /data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/history.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/io/dumb.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/io.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/key_actor/base.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/key_actor/composite.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/key_actor/emacs.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/key_actor/vi_command.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/key_actor/vi_insert.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/key_actor.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/key_stroke.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/kill_ring.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/license_of_rb-readline +0 -0
- /data/bundle/ruby/3.1.0/gems/{io-console-0.7.2 → rexml-3.3.8}/LICENSE.txt +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/README.md +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/attlistdecl.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/cdata.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/child.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/comment.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/doctype.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/dtd/attlistdecl.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/dtd/dtd.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/dtd/elementdecl.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/dtd/entitydecl.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/dtd/notationdecl.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/element.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/encoding.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/formatters/default.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/formatters/pretty.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/formatters/transitive.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/functions.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/instruction.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/light/node.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/namespace.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/node.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/output.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parent.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parseexception.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parsers/lightparser.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parsers/treeparser.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parsers/ultralightparser.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parsers/xpathparser.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/quickpath.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/sax2listener.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/security.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/source.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/streamlistener.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/undefinednamespaceexception.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/validation/relaxng.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/validation/validation.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/validation/validationexception.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/xmldecl.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/xmltokens.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/xpath.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/xpath_parser.rb +0 -0
- /data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml.rb +0 -0
@@ -56,51 +56,26 @@ class Reline::Unicode
|
|
56
56
|
|
57
57
|
require 'reline/unicode/east_asian_width'
|
58
58
|
|
59
|
-
HalfwidthDakutenHandakuten = /[\u{FF9E}\u{FF9F}]/
|
60
|
-
|
61
|
-
MBCharWidthRE = /
|
62
|
-
(?<width_2_1>
|
63
|
-
[#{ EscapedChars.map {|c| "\\x%02x" % c.ord }.join }] (?# ^ + char, such as ^M, ^H, ^[, ...)
|
64
|
-
)
|
65
|
-
| (?<width_3>^\u{2E3B}) (?# THREE-EM DASH)
|
66
|
-
| (?<width_0>^\p{M})
|
67
|
-
| (?<width_2_2>
|
68
|
-
#{ EastAsianWidth::TYPE_F }
|
69
|
-
| #{ EastAsianWidth::TYPE_W }
|
70
|
-
)
|
71
|
-
| (?<width_1>
|
72
|
-
#{ EastAsianWidth::TYPE_H }
|
73
|
-
| #{ EastAsianWidth::TYPE_NA }
|
74
|
-
| #{ EastAsianWidth::TYPE_N }
|
75
|
-
)(?!#{ HalfwidthDakutenHandakuten })
|
76
|
-
| (?<width_2_3>
|
77
|
-
(?: #{ EastAsianWidth::TYPE_H }
|
78
|
-
| #{ EastAsianWidth::TYPE_NA }
|
79
|
-
| #{ EastAsianWidth::TYPE_N })
|
80
|
-
#{ HalfwidthDakutenHandakuten }
|
81
|
-
)
|
82
|
-
| (?<ambiguous_width>
|
83
|
-
#{EastAsianWidth::TYPE_A}
|
84
|
-
)
|
85
|
-
/x
|
86
|
-
|
87
59
|
def self.get_mbchar_width(mbchar)
|
88
60
|
ord = mbchar.ord
|
89
|
-
if
|
61
|
+
if ord <= 0x1F # in EscapedPairs
|
90
62
|
return 2
|
91
|
-
elsif
|
63
|
+
elsif ord <= 0x7E # printable ASCII chars
|
92
64
|
return 1
|
93
65
|
end
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
66
|
+
utf8_mbchar = mbchar.encode(Encoding::UTF_8)
|
67
|
+
ord = utf8_mbchar.ord
|
68
|
+
chunk_index = EastAsianWidth::CHUNK_LAST.bsearch_index { |o| ord <= o }
|
69
|
+
size = EastAsianWidth::CHUNK_WIDTH[chunk_index]
|
70
|
+
if size == -1
|
71
|
+
Reline.ambiguous_width
|
72
|
+
elsif size == 1 && utf8_mbchar.size >= 2
|
73
|
+
second_char_ord = utf8_mbchar[1].ord
|
74
|
+
# Halfwidth Dakuten Handakuten
|
75
|
+
# Only these two character has Letter Modifier category and can be combined in a single grapheme cluster
|
76
|
+
(second_char_ord == 0xFF9E || second_char_ord == 0xFF9F) ? 2 : 1
|
102
77
|
else
|
103
|
-
|
78
|
+
size
|
104
79
|
end
|
105
80
|
end
|
106
81
|
|
@@ -324,14 +324,17 @@ module Reline
|
|
324
324
|
line_editor.prompt_proc = prompt_proc
|
325
325
|
line_editor.auto_indent_proc = auto_indent_proc
|
326
326
|
line_editor.dig_perfect_match_proc = dig_perfect_match_proc
|
327
|
+
|
328
|
+
# Readline calls pre_input_hook just after printing the first prompt.
|
329
|
+
line_editor.print_nomultiline_prompt
|
327
330
|
pre_input_hook&.call
|
331
|
+
|
328
332
|
unless Reline::IOGate.dumb?
|
329
333
|
@dialog_proc_list.each_pair do |name_sym, d|
|
330
334
|
line_editor.add_dialog_proc(name_sym, d.dialog_proc, d.context)
|
331
335
|
end
|
332
336
|
end
|
333
337
|
|
334
|
-
line_editor.print_nomultiline_prompt(prompt)
|
335
338
|
line_editor.update_dialogs
|
336
339
|
line_editor.rerender
|
337
340
|
|
@@ -343,7 +346,7 @@ module Reline
|
|
343
346
|
inputs.each do |key|
|
344
347
|
if key.char == :bracketed_paste_start
|
345
348
|
text = io_gate.read_bracketed_paste
|
346
|
-
line_editor.
|
349
|
+
line_editor.insert_multiline_text(text)
|
347
350
|
line_editor.scroll_into_view
|
348
351
|
else
|
349
352
|
line_editor.update(key)
|
@@ -457,8 +460,8 @@ module Reline
|
|
457
460
|
def_single_delegator :line_editor, :byte_pointer, :point
|
458
461
|
def_single_delegator :line_editor, :byte_pointer=, :point=
|
459
462
|
|
460
|
-
def self.insert_text(
|
461
|
-
line_editor.
|
463
|
+
def self.insert_text(text)
|
464
|
+
line_editor.insert_multiline_text(text)
|
462
465
|
self
|
463
466
|
end
|
464
467
|
|
@@ -1,5 +1,48 @@
|
|
1
1
|
# News
|
2
2
|
|
3
|
+
## 3.3.8 - 2024-09-29 {#version-3-3-8}
|
4
|
+
|
5
|
+
### Improvements
|
6
|
+
|
7
|
+
* SAX2: Improve parse performance.
|
8
|
+
* GH-207
|
9
|
+
* Patch by NAITOH Jun.
|
10
|
+
|
11
|
+
### Fixes
|
12
|
+
|
13
|
+
* Fixed a bug that unexpected attribute namespace conflict error for
|
14
|
+
the predefined "xml" namespace is reported.
|
15
|
+
* GH-208
|
16
|
+
* Patch by KITAITI Makoto
|
17
|
+
|
18
|
+
### Thanks
|
19
|
+
|
20
|
+
* NAITOH Jun
|
21
|
+
|
22
|
+
* KITAITI Makoto
|
23
|
+
|
24
|
+
## 3.3.7 - 2024-09-04 {#version-3-3-7}
|
25
|
+
|
26
|
+
### Improvements
|
27
|
+
|
28
|
+
* Added local entity expansion limit methods
|
29
|
+
* GH-192
|
30
|
+
* GH-202
|
31
|
+
* Reported by takuya kodama.
|
32
|
+
* Patch by NAITOH Jun.
|
33
|
+
|
34
|
+
* Removed explicit strscan dependency
|
35
|
+
* GH-204
|
36
|
+
* Patch by Bo Anderson.
|
37
|
+
|
38
|
+
### Thanks
|
39
|
+
|
40
|
+
* takuya kodama
|
41
|
+
|
42
|
+
* NAITOH Jun
|
43
|
+
|
44
|
+
* Bo Anderson
|
45
|
+
|
3
46
|
## 3.3.6 - 2024-08-22 {#version-3-3-6}
|
4
47
|
|
5
48
|
### Improvements
|
@@ -148,8 +148,9 @@ module REXML
|
|
148
148
|
# have been expanded to their values
|
149
149
|
def value
|
150
150
|
return @unnormalized if @unnormalized
|
151
|
-
|
152
|
-
@unnormalized
|
151
|
+
|
152
|
+
@unnormalized = Text::unnormalize(@normalized, doctype,
|
153
|
+
entity_expansion_text_limit: @element&.document&.entity_expansion_text_limit)
|
153
154
|
end
|
154
155
|
|
155
156
|
# The normalized value of this attribute. That is, the attribute with
|
@@ -91,6 +91,8 @@ module REXML
|
|
91
91
|
#
|
92
92
|
def initialize( source = nil, context = {} )
|
93
93
|
@entity_expansion_count = 0
|
94
|
+
@entity_expansion_limit = Security.entity_expansion_limit
|
95
|
+
@entity_expansion_text_limit = Security.entity_expansion_text_limit
|
94
96
|
super()
|
95
97
|
@context = context
|
96
98
|
return if source.nil?
|
@@ -431,10 +433,12 @@ module REXML
|
|
431
433
|
end
|
432
434
|
|
433
435
|
attr_reader :entity_expansion_count
|
436
|
+
attr_writer :entity_expansion_limit
|
437
|
+
attr_accessor :entity_expansion_text_limit
|
434
438
|
|
435
439
|
def record_entity_expansion
|
436
440
|
@entity_expansion_count += 1
|
437
|
-
if @entity_expansion_count >
|
441
|
+
if @entity_expansion_count > @entity_expansion_limit
|
438
442
|
raise "number of entity expansions exceeded, processing aborted."
|
439
443
|
end
|
440
444
|
end
|
@@ -71,9 +71,12 @@ module REXML
|
|
71
71
|
# Evaluates to the unnormalized value of this entity; that is, replacing
|
72
72
|
# &ent; entities.
|
73
73
|
def unnormalized
|
74
|
-
document
|
74
|
+
document&.record_entity_expansion
|
75
|
+
|
75
76
|
return nil if @value.nil?
|
76
|
-
|
77
|
+
|
78
|
+
@unnormalized = Text::unnormalize(@value, parent,
|
79
|
+
entity_expansion_text_limit: document&.entity_expansion_text_limit)
|
77
80
|
end
|
78
81
|
|
79
82
|
#once :unnormalized
|
@@ -156,6 +156,7 @@ module REXML
|
|
156
156
|
default_entities.each do |term|
|
157
157
|
DEFAULT_ENTITIES_PATTERNS[term] = /&#{term};/
|
158
158
|
end
|
159
|
+
XML_PREFIXED_NAMESPACE = "http://www.w3.org/XML/1998/namespace"
|
159
160
|
end
|
160
161
|
private_constant :Private
|
161
162
|
|
@@ -164,6 +165,8 @@ module REXML
|
|
164
165
|
@listeners = []
|
165
166
|
@prefixes = Set.new
|
166
167
|
@entity_expansion_count = 0
|
168
|
+
@entity_expansion_limit = Security.entity_expansion_limit
|
169
|
+
@entity_expansion_text_limit = Security.entity_expansion_text_limit
|
167
170
|
end
|
168
171
|
|
169
172
|
def add_listener( listener )
|
@@ -172,6 +175,8 @@ module REXML
|
|
172
175
|
|
173
176
|
attr_reader :source
|
174
177
|
attr_reader :entity_expansion_count
|
178
|
+
attr_writer :entity_expansion_limit
|
179
|
+
attr_writer :entity_expansion_text_limit
|
175
180
|
|
176
181
|
def stream=( source )
|
177
182
|
@source = SourceFactory.create_from( source )
|
@@ -181,7 +186,7 @@ module REXML
|
|
181
186
|
@tags = []
|
182
187
|
@stack = []
|
183
188
|
@entities = []
|
184
|
-
@namespaces = {}
|
189
|
+
@namespaces = {"xml" => Private::XML_PREFIXED_NAMESPACE}
|
185
190
|
@namespaces_restore_stack = []
|
186
191
|
end
|
187
192
|
|
@@ -585,7 +590,7 @@ module REXML
|
|
585
590
|
end
|
586
591
|
re = Private::DEFAULT_ENTITIES_PATTERNS[entity_reference] || /&#{entity_reference};/
|
587
592
|
rv.gsub!( re, entity_value )
|
588
|
-
if rv.bytesize >
|
593
|
+
if rv.bytesize > @entity_expansion_text_limit
|
589
594
|
raise "entity expansion has grown too large"
|
590
595
|
end
|
591
596
|
else
|
@@ -627,7 +632,7 @@ module REXML
|
|
627
632
|
|
628
633
|
def record_entity_expansion(delta=1)
|
629
634
|
@entity_expansion_count += delta
|
630
|
-
if @entity_expansion_count >
|
635
|
+
if @entity_expansion_count > @entity_expansion_limit
|
631
636
|
raise "number of entity expansions exceeded, processing aborted."
|
632
637
|
end
|
633
638
|
end
|
@@ -786,7 +791,7 @@ module REXML
|
|
786
791
|
@source.match(/\s*/um, true)
|
787
792
|
if prefix == "xmlns"
|
788
793
|
if local_part == "xml"
|
789
|
-
if value !=
|
794
|
+
if value != Private::XML_PREFIXED_NAMESPACE
|
790
795
|
msg = "The 'xml' prefix must not be bound to any other namespace "+
|
791
796
|
"(http://www.w3.org/TR/REC-xml-names/#ns-decl)"
|
792
797
|
raise REXML::ParseException.new( msg, @source, self )
|
@@ -51,6 +51,14 @@ module REXML
|
|
51
51
|
@parser.entity_expansion_count
|
52
52
|
end
|
53
53
|
|
54
|
+
def entity_expansion_limit=( limit )
|
55
|
+
@parser.entity_expansion_limit = limit
|
56
|
+
end
|
57
|
+
|
58
|
+
def entity_expansion_text_limit=( limit )
|
59
|
+
@parser.entity_expansion_text_limit = limit
|
60
|
+
end
|
61
|
+
|
54
62
|
def each
|
55
63
|
while has_next?
|
56
64
|
yield self.pull
|
@@ -26,6 +26,14 @@ module REXML
|
|
26
26
|
@parser.entity_expansion_count
|
27
27
|
end
|
28
28
|
|
29
|
+
def entity_expansion_limit=( limit )
|
30
|
+
@parser.entity_expansion_limit = limit
|
31
|
+
end
|
32
|
+
|
33
|
+
def entity_expansion_text_limit=( limit )
|
34
|
+
@parser.entity_expansion_text_limit = limit
|
35
|
+
end
|
36
|
+
|
29
37
|
def add_listener( listener )
|
30
38
|
@parser.add_listener( listener )
|
31
39
|
end
|
@@ -251,6 +259,8 @@ module REXML
|
|
251
259
|
end
|
252
260
|
|
253
261
|
def get_namespace( prefix )
|
262
|
+
return nil if @namespace_stack.empty?
|
263
|
+
|
254
264
|
uris = (@namespace_stack.find_all { |ns| not ns[prefix].nil? }) ||
|
255
265
|
(@namespace_stack.find { |ns| not ns[nil].nil? })
|
256
266
|
uris[-1][prefix] unless uris.nil? or 0 == uris.size
|
@@ -18,6 +18,14 @@ module REXML
|
|
18
18
|
@parser.entity_expansion_count
|
19
19
|
end
|
20
20
|
|
21
|
+
def entity_expansion_limit=( limit )
|
22
|
+
@parser.entity_expansion_limit = limit
|
23
|
+
end
|
24
|
+
|
25
|
+
def entity_expansion_text_limit=( limit )
|
26
|
+
@parser.entity_expansion_text_limit = limit
|
27
|
+
end
|
28
|
+
|
21
29
|
def parse
|
22
30
|
# entity string
|
23
31
|
while true
|
@@ -268,7 +268,8 @@ module REXML
|
|
268
268
|
# u = Text.new( "sean russell", false, nil, true )
|
269
269
|
# u.value #-> "sean russell"
|
270
270
|
def value
|
271
|
-
@unnormalized ||= Text::unnormalize(
|
271
|
+
@unnormalized ||= Text::unnormalize(@string, doctype,
|
272
|
+
entity_expansion_text_limit: document&.entity_expansion_text_limit)
|
272
273
|
end
|
273
274
|
|
274
275
|
# Sets the contents of this text node. This expects the text to be
|
@@ -411,11 +412,12 @@ module REXML
|
|
411
412
|
end
|
412
413
|
|
413
414
|
# Unescapes all possible entities
|
414
|
-
def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil )
|
415
|
+
def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil, entity_expansion_text_limit: nil )
|
416
|
+
entity_expansion_text_limit ||= Security.entity_expansion_text_limit
|
415
417
|
sum = 0
|
416
418
|
string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
|
417
419
|
s = Text.expand($&, doctype, filter)
|
418
|
-
if sum + s.bytesize >
|
420
|
+
if sum + s.bytesize > entity_expansion_text_limit
|
419
421
|
raise "entity expansion has grown too large"
|
420
422
|
else
|
421
423
|
sum += s.bytesize
|
@@ -11,6 +11,8 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
|
|
11
11
|
check_eol_version :rails, RAILS_EOL_DATES
|
12
12
|
end
|
13
13
|
|
14
|
+
# https://rubyonrails.org/maintenance
|
15
|
+
# https://endoflife.date/rails
|
14
16
|
RAILS_EOL_DATES = {
|
15
17
|
['2.0.0', '2.3.99'] => Date.new(2013, 6, 25),
|
16
18
|
['3.0.0', '3.2.99'] => Date.new(2016, 6, 30),
|
@@ -19,5 +21,9 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
|
|
19
21
|
['5.1.0', '5.1.99'] => Date.new(2019, 8, 25),
|
20
22
|
['5.2.0', '5.2.99'] => Date.new(2022, 6, 1),
|
21
23
|
['6.0.0', '6.0.99'] => Date.new(2023, 6, 1),
|
24
|
+
['6.1.0', '6.1.99'] => Date.new(2024, 10, 1),
|
25
|
+
['7.0.0', '7.0.99'] => Date.new(2025, 4, 1),
|
26
|
+
['7.1.0', '7.1.99'] => Date.new(2025, 10, 1),
|
27
|
+
['7.2.0', '7.2.99'] => Date.new(2026, 8, 9),
|
22
28
|
}
|
23
29
|
end
|
@@ -53,6 +53,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
|
|
53
53
|
call = result[:call]
|
54
54
|
args = call.arglist
|
55
55
|
first_arg = call.first_arg
|
56
|
+
failure = nil
|
56
57
|
|
57
58
|
case call.method
|
58
59
|
when :popen
|
@@ -71,6 +72,33 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
|
|
71
72
|
dangerous_interp?(first_arg[3]) ||
|
72
73
|
dangerous_string_building?(first_arg[3])
|
73
74
|
end
|
75
|
+
when :pipeline, :pipline_r, :pipeline_rw, :pipeline_w, :pipeline_start
|
76
|
+
# Since these pipeline commands pipe together several commands,
|
77
|
+
# need to check each argument. If it's an array, check first argument
|
78
|
+
# (the command) and also check for `bash -c`. Otherwise check the argument
|
79
|
+
# as a unit.
|
80
|
+
|
81
|
+
args.each do |arg|
|
82
|
+
next unless sexp? arg
|
83
|
+
|
84
|
+
if array?(arg)
|
85
|
+
# Check first element of array
|
86
|
+
failure = include_user_input?(arg[1]) ||
|
87
|
+
dangerous_interp?(arg[1]) ||
|
88
|
+
dangerous_string_building?(arg[1])
|
89
|
+
|
90
|
+
# Check for ['bash', '-c', user_input]
|
91
|
+
if dash_c_shell_command?(arg[1], arg[2])
|
92
|
+
failure = include_user_input?(arg[3]) ||
|
93
|
+
dangerous_interp?(arg[3]) ||
|
94
|
+
dangerous_string_building?(arg[3])
|
95
|
+
end
|
96
|
+
else
|
97
|
+
failure = include_user_input?(arg)
|
98
|
+
end
|
99
|
+
|
100
|
+
break if failure
|
101
|
+
end
|
74
102
|
when :system, :exec
|
75
103
|
# Normally, if we're in a `system` or `exec` call, we only are worried
|
76
104
|
# about shell injection when there's a single argument, because comma-
|
data/lib/brakeman/version.rb
CHANGED