brakeman 6.2.2 → 7.0.1

data/bundle/ruby/3.1.0/gems/unicode-emoji-4.0.4/lib/unicode/emoji.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+require_relative "emoji/constants"
+
+module Unicode
+  module Emoji
+    autoload :INDEX, File.expand_path('emoji/index', __dir__)
+
+    %w[
+      EMOJI_CHAR
+      EMOJI_PRESENTATION
+      TEXT_PRESENTATION
+      EMOJI_COMPONENT
+      EMOJI_MODIFIER_BASES
+      EMOJI_MODIFIERS
+      EXTENDED_PICTOGRAPHIC
+      EXTENDED_PICTOGRAPHIC_NO_EMOJI
+      EMOJI_KEYCAPS
+      VALID_REGION_FLAGS
+      VALID_SUBDIVISIONS
+      RECOMMENDED_SUBDIVISION_FLAGS
+      RECOMMENDED_ZWJ_SEQUENCES
+    ].each do |const_name|
+      autoload const_name, File.expand_path('emoji/lazy_constants', __dir__)
+    end
+
+    %w[
+      LIST
+      LIST_REMOVED_KEYS
+    ].each do |const_name|
+      autoload const_name, File.expand_path('emoji/list', __dir__)
+    end
+
+    generated_constants_dirpath = File.expand_path(
+      EMOJI_VERSION == RbConfig::CONFIG["UNICODE_EMOJI_VERSION"] ? "emoji/generated_native/" : "emoji/generated/",
+      __dir__
+    )
+
+    %w[
+      REGEX
+      REGEX_INCLUDE_TEXT
+      REGEX_INCLUDE_MQE
+      REGEX_INCLUDE_MQE_UQE
+      REGEX_VALID
+      REGEX_VALID_INCLUDE_TEXT
+      REGEX_WELL_FORMED
+      REGEX_WELL_FORMED_INCLUDE_TEXT
+      REGEX_POSSIBLE
+      REGEX_BASIC
+      REGEX_TEXT
+      REGEX_TEXT_PRESENTATION
+      REGEX_PROP_EMOJI
+      REGEX_PROP_MODIFIER
+      REGEX_PROP_MODIFIER_BASE
+      REGEX_PROP_COMPONENT
+      REGEX_PROP_PRESENTATION
+      REGEX_PICTO
+      REGEX_PICTO_NO_EMOJI
+      REGEX_EMOJI_KEYCAP
+    ].each do |const_name|
+      autoload const_name, File.join(generated_constants_dirpath, const_name.downcase)
+    end
+
+    # Return Emoji properties of character as an Array or nil
+    # See PROPERTY_NAMES constant for possible properties
+    # 
+    # Source: see https://www.unicode.org/Public/16.0.0/ucd/emoji/emoji-data.txt
+    def self.properties(char)
+      ord = get_codepoint_value(char)
+      props = INDEX[:PROPERTIES][ord]
+
+      if props
+        props.map{ |prop| PROPERTY_NAMES[prop] }
+      else
+        # nothing
+      end
+    end
+
+    # Returns ordered list of Emoji, categorized in a three-level deep Hash structure
+    def self.list(key = nil, sub_key = nil)
+      return LIST unless key || sub_key
+      if LIST_REMOVED_KEYS.include?(key)
+        $stderr.puts "Warning(unicode-emoji): The category of #{key} does not exist anymore"
+      end
+      LIST.dig(*[key, sub_key].compact)
+    end
+
+    def self.get_codepoint_value(char)
+      ord = nil
+
+      if char.valid_encoding?
+        ord = char.ord
+      elsif char.encoding.name == "UTF-8"
+        begin
+          ord = char.unpack("U*")[0]
+        rescue ArgumentError
+        end
+      end
+
+      if ord
+        ord
+      else
+        raise(ArgumentError, "Unicode::Emoji must be given a valid string")
+      end
+    end
+
+    class << self
+      private :get_codepoint_value
+    end
+  end
+end

data/bundle/ruby/3.1.0/gems/unicode-emoji-4.0.4/unicode-emoji.gemspec

@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+
+require File.dirname(__FILE__) + "/lib/unicode/emoji/constants"
+
+Gem::Specification.new do |gem|
+  gem.name          = "unicode-emoji"
+  gem.version       = Unicode::Emoji::VERSION
+  gem.summary       = "Emoji data and regex"
+  gem.description   = "[Emoji #{Unicode::Emoji::EMOJI_VERSION}] Provides Unicode Emoji data and regexes, incorporating the latest Unicode and Emoji standards. Includes a categorized list of recommended Emoji."
+  gem.authors       = ["Jan Lelis"]
+  gem.email         = ["hi@ruby.consulting"]
+  gem.homepage      = "https://github.com/janlelis/unicode-emoji"
+  gem.license       = "MIT"
+
+  gem.files         = Dir["{**/}{.*,*}"].select{ |path| File.file?(path) && path !~ /^pkg/ && path !~ /spec\/data\/[^.]/ }
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+  gem.metadata      = { "rubygems_mfa_required" => "true" }
+
+  gem.required_ruby_version = ">= 2.5", "< 4.0"
+end

data/lib/brakeman/app_tree.rb

@@ -22,6 +22,8 @@ module Brakeman
       init_options[:additional_libs_path] = options[:additional_libs_path]
       init_options[:engine_paths] = options[:engine_paths]
       init_options[:skip_vendor] = options[:skip_vendor]
+      init_options[:follow_symlinks] = options[:follow_symlinks]
+
       new(root, init_options)
     end
 
@@ -64,6 +66,7 @@ module Brakeman
       @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
       @relative_engine_paths = @engine_paths - @absolute_engine_paths
       @skip_vendor = init_options[:skip_vendor]
+      @follow_symlinks = init_options[:follow_symlinks]
       @gemspec = nil
       @root_search_pattern = nil
     end
@@ -161,28 +164,38 @@ module Brakeman
     end
 
     def glob_files(directory, name, extensions = ".rb")
-      root_directory = "#{root_search_pattern}#{directory}"
-      patterns = ["#{root_directory}/**/#{name}#{extensions}"]
-
-      Dir.glob("#{root_directory}/**/*", File::FNM_DOTMATCH).each do |path|
-        if File.symlink?(path) && File.directory?(path)
-          symlink_target = File.readlink(path)
-          if Pathname.new(symlink_target).relative?
-            symlink_target = File.join(File.dirname(path), symlink_target)
+      if @follow_symlinks
+        root_directory = "#{root_search_pattern}#{directory}"
+        patterns = ["#{root_directory}/**/#{name}#{extensions}"]
+
+        Dir.glob("#{root_directory}/**/*", File::FNM_DOTMATCH).each do |path|
+          if File.symlink?(path) && File.directory?(path)
+            symlink_target = File.readlink(path)
+            if Pathname.new(symlink_target).relative?
+              symlink_target = File.join(File.dirname(path), symlink_target)
+            end
+            patterns << "#{search_pattern(symlink_target)}/**/#{name}#{extensions}"
           end
-          patterns << "#{search_pattern(symlink_target)}/**/#{name}#{extensions}"
         end
-      end
 
-      files = patterns.flat_map { |pattern| Dir.glob(pattern) }
-      files.uniq
+        files = patterns.flat_map { |pattern| Dir.glob(pattern) }
+        files.uniq
+      else
+        pattern = "#{root_search_pattern}#{directory}/**/#{name}#{extensions}"
+        Dir.glob(pattern)
+      end
     end
 
     def select_files(paths)
       paths = select_only_files(paths)
       paths = reject_skipped_files(paths)
       paths = convert_to_file_paths(paths)
-      reject_global_excludes(paths)
+      paths = reject_global_excludes(paths)
+      reject_directories(paths)
+    end
+
+    def reject_directories(paths)
+      paths.reject { |path| File.directory?(path) }
     end
 
     def select_only_files(paths)
@@ -201,15 +214,14 @@ module Brakeman
       end
     end
 
-    EXCLUDED_PATHS = %w[
-      /generators/
+    EXCLUDED_PATHS = regex_for_paths %w[
+      generators/
       lib/tasks/
       lib/templates/
       db/
       spec/
       test/
       tmp/
-      log/
     ]
 
     def reject_global_excludes(paths)
@@ -219,9 +231,7 @@ module Brakeman
         if @skip_vendor and relative_path.include? 'vendor/' and !in_engine_paths?(path) and !in_add_libs_paths?(path)
           true
         else
-          EXCLUDED_PATHS.any? do |excluded|
-            relative_path.include? excluded
-          end
+          match_path EXCLUDED_PATHS, path
         end
       end
     end

data/lib/brakeman/checks/check_deserialize.rb

@@ -76,10 +76,13 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
       confidence = :high
     elsif input = include_user_input?(arg)
       confidence = :medium
+    elsif target == :Marshal
+      confidence = :low
+      message = msg("Use of ", msg_code("#{target}.#{method}"), " may be dangerous")
     end
 
     if confidence
-      message = msg(msg_code("#{target}.#{method}"), " called with ", msg_input(input))
+      message ||= msg(msg_code("#{target}.#{method}"), " called with ", msg_input(input))
 
       warn :result => result,
         :warning_type => "Remote Code Execution",

data/lib/brakeman/checks/check_evaluation.rb

@@ -22,14 +22,51 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
   def process_result result
     return unless original? result
 
-    if input = include_user_input?(result[:call].arglist)
-      warn :result => result,
-        :warning_type => "Dangerous Eval",
-        :warning_code => :code_eval,
-        :message => "User input in eval",
-        :user_input => input,
-        :confidence => :high,
-        :cwe_id => [913, 95]
+    first_arg = result[:call].first_arg
+
+    unless safe_value? first_arg
+      if input = include_user_input?(first_arg)
+        confidence = :high
+        message = msg(msg_input(input), " evaluated as code")
+      elsif string_evaluation? first_arg
+        confidence = :low
+        message = "Dynamic string evaluated as code"
+      elsif result[:call].method == :eval
+        confidence = :low
+        message = "Dynamic code evaluation"
+      end
+
+      if confidence
+        warn :result => result,
+          :warning_type => "Dangerous Eval",
+          :warning_code => :code_eval,
+          :message => message,
+          :user_input => input,
+          :confidence => confidence,
+          :cwe_id => [913, 95]
+      end
+    end
+  end
+
+  def string_evaluation? exp
+    string_interp? exp or
+      (call? exp and string? exp.target)
+  end
+
+  def safe_value? exp
+    return true unless sexp? exp
+
+    case exp.sexp_type
+    when :dstr
+      exp.all? { |e| safe_value? e}
+    when :evstr
+      safe_value? exp.value
+    when :str, :lit
+      true
+    when :call
+      always_safe_method? exp.method
+    else
+      false
     end
   end
 end

data/lib/brakeman/checks/check_model_attr_accessible.rb

@@ -33,6 +33,7 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
               :confidence => confidence,
               :code => Sexp.new(:lit, attribute),
               :cwe_id => [915]
+
             break # Prevent from matching single attr multiple times
           end
         end

data/lib/brakeman/checks/check_weak_rsa_key.rb

@@ -87,7 +87,7 @@ class Brakeman::CheckWeakRSAKey < Brakeman::BaseCheck
 
     if string? padding_arg
       padding_arg = padding_arg.deep_clone(padding_arg.line)
-      padding_arg.value.downcase!
+      padding_arg.value = padding_arg.value.downcase
     end
 
     case padding_arg

data/lib/brakeman/file_parser.rb

@@ -13,8 +13,9 @@ module Brakeman
       if @use_prism
         begin
           require 'prism'
+          Brakeman.debug '[Notice] Using Prism parser'
         rescue LoadError => e
-          Brakeman.debug "Asked to use Prism, but failed to load: #{e}"
+          Brakeman.debug "[Notice] Asked to use Prism, but failed to load: #{e}"
           @use_prism = false
         end
       end

data/lib/brakeman/options.rb

@@ -161,14 +161,13 @@ module Brakeman::Options
 
         opts.on "--[no-]prism", "Use the Prism parser" do |use_prism|
           if use_prism
-            prism_version = '0.30'
+            min_prism_version = '1.0.0'
 
             begin
-              # Specifying minimum version here,
-              # since it can't be in the gem dependency list because it is optional
-              gem 'prism', "~>#{prism_version}"
+              gem 'prism', ">=#{min_prism_version}"
+              require 'prism'
             rescue Gem::MissingSpecVersionError, Gem::MissingSpecError, Gem::LoadError => e
-              $stderr.puts "Please install `prism` version #{prism_version} or newer:"
+              $stderr.puts "Please install `prism` version #{min_prism_version} or newer:"
               raise e
             end
           end
@@ -223,6 +222,14 @@ module Brakeman::Options
           options[:engine_paths].merge paths
         end
 
+        opts.on '--[no-]follow-symlinks', 'Follow symbolic links for directions' do |follow_symlinks|
+          options[:follow_symlinks] = follow_symlinks
+        end
+
+        opts.on '--gemfile GEMFILE', 'Specify Gemfile to scan' do |gemfile|
+          options[:gemfile] = gemfile
+        end
+
         opts.on "-E", "--enable Check1,Check2,etc", Array, "Enable the specified checks" do |checks|
           checks.map! do |check|
             if check.start_with? "Check"

data/lib/brakeman/processors/alias_processor.rb

@@ -97,6 +97,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   end
 
   def process_bracket_call exp
+    # TODO: What is even happening in this method?
     r = replace(exp)
 
     if r != exp
@@ -127,7 +128,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         return r
       end
     else
-      t = nil
+      t = exp.target # put it back?
     end
 
     if hash? t
@@ -242,6 +243,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = math_op(method, target, first_arg, exp)
       end
     when :[]
+      # TODO: This might never be used because of process_bracket_call above
       if array? target
         exp = process_array_access(target, exp.args, exp)
       elsif hash? target
@@ -268,7 +270,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       end
     when :<<
       if string? target and string? first_arg
-        target.value << first_arg.value
+        target.value += first_arg.value
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
@@ -276,8 +278,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
-          target.last.value << first_arg.value
+          target.last.value += first_arg.value
         elsif target.last.is_a? String
+          # TODO Use target.last += ?
           target.last << first_arg.value
         else
           target << first_arg
@@ -666,7 +669,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
 
     unless array? exp[1] and array? exp[2]
-      return process_default(exp)
+      # Already processed RHS, don't do it again
+      # https://github.com/presidentbeef/brakeman/issues/1877
+      return exp
     end
 
     vars = exp[1].dup

data/lib/brakeman/processors/lib/file_type_detector.rb

@@ -13,7 +13,7 @@ module Brakeman
         @file_type = guess_from_path(file.path.relative)
       end
 
-      @file_type || :libs
+      @file_type || :lib
     end
 
     MODEL_CLASSES = [
@@ -26,10 +26,10 @@ module Brakeman
       parent = class_name(exp.parent_name)
 
       if name.match(/Controller$/)
-        @file_type = :controllers
+        @file_type = :controller
         return exp
       elsif MODEL_CLASSES.include? parent
-        @file_type = :models
+        @file_type = :model
         return exp
       end
 
@@ -39,19 +39,21 @@ module Brakeman
     def guess_from_path path
       case
       when path.include?('app/models')
-        :models
+        :model
       when path.include?('app/controllers')
-        :controllers
+        :controller
       when path.include?('config/initializers')
-        :initializers
+        :initializer
       when path.include?('lib/')
-        :libs
+        :lib
       when path.match?(%r{config/environments/(?!production\.rb)$})
         :skip
       when path.match?(%r{environments/production\.rb$})
         :skip
       when path.match?(%r{application\.rb$})
         :skip
+      when path.match?(%r{config/routes\.rb$})
+        :skip
       end
     end
 

data/lib/brakeman/report/ignore/config.rb

@@ -130,7 +130,6 @@ module Brakeman
 
       output = {
         :ignored_warnings => warnings,
-        :updated => Time.now.to_s,
         :brakeman_version => Brakeman::Version
       }
 

data/lib/brakeman/report/report_sarif.rb

@@ -1,8 +1,10 @@
+require 'uri'
+
 class Brakeman::Report::SARIF < Brakeman::Report::Base
   def generate_report
     sarif_log = {
       :version => '2.1.0',
-      :$schema => 'https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json',
+      :$schema => 'https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json',
       :runs => runs,
     }
     JSON.pretty_generate sarif_log
@@ -20,10 +22,122 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
           },
         },
         :results => results,
-      },
+      }.merge(original_uri_base_ids)
     ]
   end
 
+  # Output base URIs
+  # based on what the user specified for the application path
+  # and whether or not --absolute-paths was set.
+  def original_uri_base_ids
+    if tracker.options[:app_path] == '.'
+      # Probably no app_path was specified, as that's the default
+
+      if absolute_paths?
+        # Set %SRCROOT% to absolute path
+        {
+          originalUriBaseIds: {
+            '%SRCROOT%' => {
+              uri: file_uri(tracker.app_tree.root),
+              description: {
+                text: 'Base path for application'
+              }
+            }
+          }
+        }
+      else
+        # Empty %SRCROOT%
+        # This avoids any paths appearing in the report
+        # that are not part of the application directory.
+        # Seems fine!
+        {
+          originalUriBaseIds: {
+            '%SRCROOT%' => {
+              description: {
+                text: 'Base path for application'
+              }
+            },
+          }
+        }
+
+      end
+    elsif tracker.options[:app_path] != tracker.app_tree.root
+      # Path was specified and it was relative
+
+      if absolute_paths?
+        # Include absolute root and relative application path
+        {
+          originalUriBaseIds: {
+            PROJECTROOT: {
+              uri: file_uri(tracker.app_tree.root),
+              description: {
+                text: 'Base path for all project files'
+              }
+            },
+            '%SRCROOT%' => {
+              # Technically should ensure this doesn't have any '..'
+              # but... TODO
+              uri: File.join(tracker.options[:app_path], '/'),
+              uriBaseId: 'PROJECTROOT',
+              description: {
+                text: 'Base path for application'
+              }
+            }
+          }
+        }
+      else
+        # Just include relative application path.
+        # Not clear this is 100% valid, but there is one example in the spec like this
+        {
+          originalUriBaseIds: {
+            PROJECTROOT: {
+              description: {
+                text: 'Base path for all project files'
+              }
+            },
+            '%SRCROOT%' => {
+              # Technically should ensure this doesn't have any '..'
+              # but... TODO
+              uri: File.join(tracker.options[:app_path], '/'),
+              uriBaseId: 'PROJECTROOT',
+              description: {
+                text: 'Base path for application'
+              }
+            }
+          }
+        }
+      end
+    else
+      # app_path was absolute
+
+      if absolute_paths?
+        # Set %SRCROOT% to absolute path
+        {
+          originalUriBaseIds: {
+            '%SRCROOT%' => {
+              uri: file_uri(tracker.app_tree.root),
+              description: {
+                text: 'Base path for application'
+              }
+            }
+          }
+        }
+      else
+        # Empty %SRCROOT%
+        # Seems fine!
+        {
+          originalUriBaseIds: {
+            '%SRCROOT%' => {
+              description: {
+                text: 'Base path for application'
+              }
+            },
+          }
+        }
+      end
+    end
+  end
+
   def rules
     @rules ||= unique_warnings_by_warning_code.map do |warning|
       rule_id = render_id warning
@@ -130,4 +244,10 @@ class Brakeman::Report::SARIF < Brakeman::Report::Base
     })
     @@levels_from_confidence[warning.confidence]
   end
+
+  # File URI as a string with trailing forward-slash
+  # as required by SARIF standard
+  def file_uri(path)
+    URI::File.build(path: File.join(path, '/')).to_s
+  end
 end