RubyGems - brakeman - Versions diffs - 6.2.1 → 6.2.2 - Mend

brakeman 6.2.1 → 6.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (141) hide show

data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline/unicode.rb RENAMED Viewed

@@ -56,51 +56,26 @@ class Reline::Unicode
   require 'reline/unicode/east_asian_width'
-  HalfwidthDakutenHandakuten = /[\u{FF9E}\u{FF9F}]/
-  MBCharWidthRE = /
-    (?<width_2_1>
-      [#{ EscapedChars.map {|c| "\\x%02x" % c.ord }.join }] (?# ^ + char, such as ^M, ^H, ^[, ...)
-    )
-  | (?<width_3>^\u{2E3B}) (?# THREE-EM DASH)
-  | (?<width_0>^\p{M})
-  | (?<width_2_2>
-      #{ EastAsianWidth::TYPE_F }
-    | #{ EastAsianWidth::TYPE_W }
-    )
-  | (?<width_1>
-      #{ EastAsianWidth::TYPE_H }
-    | #{ EastAsianWidth::TYPE_NA }
-    | #{ EastAsianWidth::TYPE_N }
-    )(?!#{ HalfwidthDakutenHandakuten })
-  | (?<width_2_3>
-      (?: #{ EastAsianWidth::TYPE_H }
-        | #{ EastAsianWidth::TYPE_NA }
-        | #{ EastAsianWidth::TYPE_N })
-      #{ HalfwidthDakutenHandakuten }
-    )
-  | (?<ambiguous_width>
-      #{EastAsianWidth::TYPE_A}
-    )
-  /x
   def self.get_mbchar_width(mbchar)
     ord = mbchar.ord
-    if (0x00 <= ord and ord <= 0x1F) # in EscapedPairs
+    if ord <= 0x1F # in EscapedPairs
       return 2
-    elsif (0x20 <= ord and ord <= 0x7E) # printable ASCII chars
+    elsif ord <= 0x7E # printable ASCII chars
       return 1
     end
-    m = mbchar.encode(Encoding::UTF_8).match(MBCharWidthRE)
-    case
-    when m.nil? then 1 # TODO should be U+FFFD � REPLACEMENT CHARACTER
-    when m[:width_2_1], m[:width_2_2], m[:width_2_3] then 2
-    when m[:width_3] then 3
-    when m[:width_0] then 0
-    when m[:width_1] then 1
-    when m[:ambiguous_width] then Reline.ambiguous_width
+    utf8_mbchar = mbchar.encode(Encoding::UTF_8)
+    ord = utf8_mbchar.ord
+    chunk_index = EastAsianWidth::CHUNK_LAST.bsearch_index { |o| ord <= o }
+    size = EastAsianWidth::CHUNK_WIDTH[chunk_index]
+    if size == -1
+      Reline.ambiguous_width
+    elsif size == 1 && utf8_mbchar.size >= 2
+      second_char_ord = utf8_mbchar[1].ord
+      # Halfwidth Dakuten Handakuten
+      # Only these two character has Letter Modifier category and can be combined in a single grapheme cluster
+      (second_char_ord == 0xFF9E || second_char_ord == 0xFF9F) ? 2 : 1
     else
-      nil
+      size
     end
   end

data/bundle/ruby/3.1.0/gems/reline-0.5.10/lib/reline/version.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module Reline
+  VERSION = '0.5.10'
+end

data/bundle/ruby/3.1.0/gems/{reline-0.5.9 → reline-0.5.10}/lib/reline.rb RENAMED Viewed

@@ -324,14 +324,17 @@ module Reline
       line_editor.prompt_proc = prompt_proc
       line_editor.auto_indent_proc = auto_indent_proc
       line_editor.dig_perfect_match_proc = dig_perfect_match_proc
+      # Readline calls pre_input_hook just after printing the first prompt.
+      line_editor.print_nomultiline_prompt
       pre_input_hook&.call
       unless Reline::IOGate.dumb?
         @dialog_proc_list.each_pair do |name_sym, d|
           line_editor.add_dialog_proc(name_sym, d.dialog_proc, d.context)
         end
       end
-      line_editor.print_nomultiline_prompt(prompt)
       line_editor.update_dialogs
       line_editor.rerender
@@ -343,7 +346,7 @@ module Reline
             inputs.each do |key|
               if key.char == :bracketed_paste_start
                 text = io_gate.read_bracketed_paste
-                line_editor.insert_pasted_text(text)
+                line_editor.insert_multiline_text(text)
                 line_editor.scroll_into_view
               else
                 line_editor.update(key)
@@ -457,8 +460,8 @@ module Reline
   def_single_delegator :line_editor, :byte_pointer, :point
   def_single_delegator :line_editor, :byte_pointer=, :point=
-  def self.insert_text(*args, &block)
-    line_editor.insert_text(*args, &block)
+  def self.insert_text(text)
+    line_editor.insert_multiline_text(text)
     self
   end

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/NEWS.md RENAMED Viewed

@@ -1,5 +1,48 @@
 # News
+## 3.3.8 - 2024-09-29 {#version-3-3-8}
+### Improvements
+  * SAX2: Improve parse performance.
+    * GH-207
+    * Patch by NAITOH Jun.
+### Fixes
+  * Fixed a bug that unexpected attribute namespace conflict error for
+    the predefined "xml" namespace is reported.
+    * GH-208
+    * Patch by KITAITI Makoto
+### Thanks
+  * NAITOH Jun
+  * KITAITI Makoto
+## 3.3.7 - 2024-09-04 {#version-3-3-7}
+### Improvements
+  * Added local entity expansion limit methods
+    * GH-192
+    * GH-202
+    * Reported by takuya kodama.
+    * Patch by NAITOH Jun.
+  * Removed explicit strscan dependency
+    * GH-204
+    * Patch by Bo Anderson.
+### Thanks
+  * takuya kodama
+  * NAITOH Jun
+  * Bo Anderson
 ## 3.3.6 - 2024-08-22 {#version-3-3-6}
 ### Improvements

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/attribute.rb RENAMED Viewed

@@ -148,8 +148,9 @@ module REXML
     # have been expanded to their values
     def value
       return @unnormalized if @unnormalized
-      @unnormalized = Text::unnormalize( @normalized, doctype )
-      @unnormalized
+      @unnormalized = Text::unnormalize(@normalized, doctype,
+                                        entity_expansion_text_limit: @element&.document&.entity_expansion_text_limit)
     end
     # The normalized value of this attribute.  That is, the attribute with

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/document.rb RENAMED Viewed

@@ -91,6 +91,8 @@ module REXML
     #
     def initialize( source = nil, context = {} )
       @entity_expansion_count = 0
+      @entity_expansion_limit = Security.entity_expansion_limit
+      @entity_expansion_text_limit = Security.entity_expansion_text_limit
       super()
       @context = context
       return if source.nil?
@@ -431,10 +433,12 @@ module REXML
     end
     attr_reader :entity_expansion_count
+    attr_writer :entity_expansion_limit
+    attr_accessor :entity_expansion_text_limit
     def record_entity_expansion
       @entity_expansion_count += 1
-      if @entity_expansion_count > Security.entity_expansion_limit
+      if @entity_expansion_count > @entity_expansion_limit
         raise "number of entity expansions exceeded, processing aborted."
       end
     end

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/entity.rb RENAMED Viewed

@@ -71,9 +71,12 @@ module REXML
     # Evaluates to the unnormalized value of this entity; that is, replacing
     # &ent; entities.
     def unnormalized
-      document.record_entity_expansion unless document.nil?
+      document&.record_entity_expansion
       return nil if @value.nil?
-      @unnormalized = Text::unnormalize(@value, parent)
+      @unnormalized = Text::unnormalize(@value, parent,
+                                        entity_expansion_text_limit: document&.entity_expansion_text_limit)
     end
     #once :unnormalized

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parsers/baseparser.rb RENAMED Viewed

@@ -156,6 +156,7 @@ module REXML
         default_entities.each do |term|
           DEFAULT_ENTITIES_PATTERNS[term] = /&#{term};/
         end
+        XML_PREFIXED_NAMESPACE = "http://www.w3.org/XML/1998/namespace"
       end
       private_constant :Private
@@ -164,6 +165,8 @@ module REXML
         @listeners = []
         @prefixes = Set.new
         @entity_expansion_count = 0
+        @entity_expansion_limit = Security.entity_expansion_limit
+        @entity_expansion_text_limit = Security.entity_expansion_text_limit
       end
       def add_listener( listener )
@@ -172,6 +175,8 @@ module REXML
       attr_reader :source
       attr_reader :entity_expansion_count
+      attr_writer :entity_expansion_limit
+      attr_writer :entity_expansion_text_limit
       def stream=( source )
         @source = SourceFactory.create_from( source )
@@ -181,7 +186,7 @@ module REXML
         @tags = []
         @stack = []
         @entities = []
-        @namespaces = {}
+        @namespaces = {"xml" => Private::XML_PREFIXED_NAMESPACE}
         @namespaces_restore_stack = []
       end
@@ -585,7 +590,7 @@ module REXML
               end
               re = Private::DEFAULT_ENTITIES_PATTERNS[entity_reference] || /&#{entity_reference};/
               rv.gsub!( re, entity_value )
-              if rv.bytesize > Security.entity_expansion_text_limit
+              if rv.bytesize > @entity_expansion_text_limit
                 raise "entity expansion has grown too large"
               end
             else
@@ -627,7 +632,7 @@ module REXML
       def record_entity_expansion(delta=1)
         @entity_expansion_count += delta
-        if @entity_expansion_count > Security.entity_expansion_limit
+        if @entity_expansion_count > @entity_expansion_limit
           raise "number of entity expansions exceeded, processing aborted."
         end
       end
@@ -786,7 +791,7 @@ module REXML
             @source.match(/\s*/um, true)
             if prefix == "xmlns"
               if local_part == "xml"
-                if value != "http://www.w3.org/XML/1998/namespace"
+                if value != Private::XML_PREFIXED_NAMESPACE
                   msg = "The 'xml' prefix must not be bound to any other namespace "+
                     "(http://www.w3.org/TR/REC-xml-names/#ns-decl)"
                   raise REXML::ParseException.new( msg, @source, self )

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parsers/pullparser.rb RENAMED Viewed

@@ -51,6 +51,14 @@ module REXML
         @parser.entity_expansion_count
       end
+      def entity_expansion_limit=( limit )
+        @parser.entity_expansion_limit = limit
+      end
+      def entity_expansion_text_limit=( limit )
+        @parser.entity_expansion_text_limit = limit
+      end
       def each
         while has_next?
           yield self.pull

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parsers/sax2parser.rb RENAMED Viewed

@@ -26,6 +26,14 @@ module REXML
         @parser.entity_expansion_count
       end
+      def entity_expansion_limit=( limit )
+        @parser.entity_expansion_limit = limit
+      end
+      def entity_expansion_text_limit=( limit )
+        @parser.entity_expansion_text_limit = limit
+      end
       def add_listener( listener )
         @parser.add_listener( listener )
       end
@@ -251,6 +259,8 @@ module REXML
       end
       def get_namespace( prefix )
+        return nil if @namespace_stack.empty?
         uris = (@namespace_stack.find_all { |ns| not ns[prefix].nil? }) ||
           (@namespace_stack.find { |ns| not ns[nil].nil? })
         uris[-1][prefix] unless uris.nil? or 0 == uris.size

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/parsers/streamparser.rb RENAMED Viewed

@@ -18,6 +18,14 @@ module REXML
         @parser.entity_expansion_count
       end
+      def entity_expansion_limit=( limit )
+        @parser.entity_expansion_limit = limit
+      end
+      def entity_expansion_text_limit=( limit )
+        @parser.entity_expansion_text_limit = limit
+      end
       def parse
         # entity string
         while true

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/rexml.rb RENAMED Viewed

@@ -31,7 +31,7 @@
 module REXML
   COPYRIGHT = "Copyright © 2001-2008 Sean Russell <ser@germane-software.com>"
   DATE = "2008/019"
-  VERSION = "3.3.6"
+  VERSION = "3.3.8"
   REVISION = ""
   Copyright = COPYRIGHT

data/bundle/ruby/3.1.0/gems/{rexml-3.3.6 → rexml-3.3.8}/lib/rexml/text.rb RENAMED Viewed

@@ -268,7 +268,8 @@ module REXML
     #   u = Text.new( "sean russell", false, nil, true )
     #   u.value   #-> "sean russell"
     def value
-      @unnormalized ||= Text::unnormalize( @string, doctype )
+      @unnormalized ||= Text::unnormalize(@string, doctype,
+                                          entity_expansion_text_limit: document&.entity_expansion_text_limit)
     end
     # Sets the contents of this text node.  This expects the text to be
@@ -411,11 +412,12 @@ module REXML
     end
     # Unescapes all possible entities
-    def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil )
+    def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil, entity_expansion_text_limit: nil )
+      entity_expansion_text_limit ||= Security.entity_expansion_text_limit
       sum = 0
       string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) {
         s = Text.expand($&, doctype, filter)
-        if sum + s.bytesize > Security.entity_expansion_text_limit
+        if sum + s.bytesize > entity_expansion_text_limit
           raise "entity expansion has grown too large"
         else
           sum += s.bytesize

data/lib/brakeman/checks/check_eol_rails.rb CHANGED Viewed

@@ -11,6 +11,8 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
     check_eol_version :rails, RAILS_EOL_DATES
   end
+  # https://rubyonrails.org/maintenance
+  # https://endoflife.date/rails
   RAILS_EOL_DATES = {
     ['2.0.0', '2.3.99'] => Date.new(2013, 6, 25),
     ['3.0.0', '3.2.99'] => Date.new(2016, 6, 30),
@@ -19,5 +21,9 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
     ['5.1.0', '5.1.99'] => Date.new(2019, 8, 25),
     ['5.2.0', '5.2.99'] => Date.new(2022, 6, 1),
     ['6.0.0', '6.0.99'] => Date.new(2023, 6, 1),
+    ['6.1.0', '6.1.99'] => Date.new(2024, 10, 1),
+    ['7.0.0', '7.0.99'] => Date.new(2025, 4, 1),
+    ['7.1.0', '7.1.99'] => Date.new(2025, 10, 1),
+    ['7.2.0', '7.2.99'] => Date.new(2026, 8, 9),
   }
 end

data/lib/brakeman/checks/check_execute.rb CHANGED Viewed

@@ -53,6 +53,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     call = result[:call]
     args = call.arglist
     first_arg = call.first_arg
+    failure = nil
     case call.method
     when :popen
@@ -71,6 +72,33 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
                   dangerous_interp?(first_arg[3]) ||
                   dangerous_string_building?(first_arg[3])
       end
+    when :pipeline, :pipline_r, :pipeline_rw, :pipeline_w, :pipeline_start
+      # Since these pipeline commands pipe together several commands,
+      # need to check each argument. If it's an array, check first argument
+      # (the command) and also check for `bash -c`. Otherwise check the argument
+      # as a unit.
+      args.each do |arg|
+        next unless sexp? arg
+        if array?(arg)
+          # Check first element of array
+          failure = include_user_input?(arg[1]) ||
+            dangerous_interp?(arg[1]) ||
+            dangerous_string_building?(arg[1])
+          # Check for ['bash', '-c', user_input]
+          if dash_c_shell_command?(arg[1], arg[2])
+            failure = include_user_input?(arg[3]) ||
+              dangerous_interp?(arg[3]) ||
+              dangerous_string_building?(arg[3])
+          end
+        else
+          failure = include_user_input?(arg)
+        end
+        break if failure
+      end
     when :system, :exec
       # Normally, if we're in a `system` or `exec` call, we only are worried
       # about shell injection when there's a single argument, because comma-

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "6.2.1"
+  Version = "6.2.2"
 end