RubyGems - brakeman - Versions diffs - 7.0.0 → 7.0.1 - Mend

brakeman 7.0.0 → 7.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (244) hide show

data/bundle/ruby/3.1.0/gems/unicode-emoji-4.0.4/lib/unicode/emoji/generated_native/regex_well_formed.rb ADDED Viewed

@@ -0,0 +1,8 @@
+# This file was generated by a script, please do not edit it by hand.
+# See `$ rake generate_constants` and data/generate_constants.rb for more info.
+module Unicode
+  module Emoji
+    REGEX_WELL_FORMED = /(?:(?:(?:(?:\p{EBase}\p{EMod}|(?:[\p{Emoji}&&\P{EPres}]️|\p{EPres}(?!︎)️?)|\p{Emoji})‍)+(?:\p{EBase}\p{EMod}|(?:[\p{Emoji}&&\P{EPres}]️|\p{EPres}(?!︎)️?)|\p{Emoji}))|(?:(?:(?!\p{EComp})(?:[\p{Emoji}&&\P{EPres}]️|\p{EPres}(?!︎)️?)|\p{EBase}\p{EMod})[󠀰-󠀹󠁡-󠁺]{1,30}󠁿)|\p{RI}{2}|(?:[\#\*0-9]️⃣|\p{EBase}\p{EMod}|(?!\p{EComp})(?:[\p{Emoji}&&\P{EPres}]️|\p{EPres}(?!︎)️?))|[🏻-🏿🦰-🦳])/
+  end
+end

data/bundle/ruby/3.1.0/gems/unicode-emoji-4.0.4/lib/unicode/emoji/generated_native/regex_well_formed_include_text.rb ADDED Viewed

@@ -0,0 +1,8 @@
+# This file was generated by a script, please do not edit it by hand.
+# See `$ rake generate_constants` and data/generate_constants.rb for more info.
+module Unicode
+  module Emoji
+    REGEX_WELL_FORMED_INCLUDE_TEXT = /(?:(?:(?:(?:\p{EBase}\p{EMod}|(?:[\p{Emoji}&&\P{EPres}]️|\p{EPres}(?!︎)️?)|\p{Emoji})‍)+(?:\p{EBase}\p{EMod}|(?:[\p{Emoji}&&\P{EPres}]️|\p{EPres}(?!︎)️?)|\p{Emoji}))|(?:(?:(?!\p{EComp})(?:[\p{Emoji}&&\P{EPres}]️|\p{EPres}(?!︎)️?)|\p{EBase}\p{EMod})[󠀰-󠀹󠁡-󠁺]{1,30}󠁿)|\p{RI}{2}|(?:[\#\*0-9]️⃣|\p{EBase}\p{EMod}|(?!\p{EComp})(?:[\p{Emoji}&&\P{EPres}]️|\p{EPres}(?!︎)️?))|[🏻-🏿🦰-🦳]|(?:(?!\p{EComp})(?:[\p{Emoji}&&\P{EPres}](?!(?:\p{EMod}|️))︎?|\p{EPres}︎)|[\#\*0-9]⃣))/
+  end
+end

data/bundle/ruby/3.1.0/gems/unicode-emoji-4.0.4/lib/unicode/emoji/index.rb ADDED Viewed

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+require "zlib"
+require_relative "constants"
+module Unicode
+  module Emoji
+    File.open(INDEX_FILENAME, "rb") do |file|
+      serialized_data = Zlib::GzipReader.new(file).read
+      serialized_data.force_encoding Encoding::BINARY
+      INDEX = Marshal.load(serialized_data)
+    end
+  end
+end

data/bundle/ruby/3.1.0/gems/unicode-emoji-4.0.4/lib/unicode/emoji/lazy_constants.rb ADDED Viewed

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+module Unicode
+  module Emoji
+    # The current list of codepoints with the "Emoji" property
+    # Same characters as \p{Emoji}
+    # (Emoji version of this gem might be more recent than Ruby's Emoji version)
+    EMOJI_CHAR                    = INDEX[:PROPERTIES].select{ |ord, props| props.include?(:E) }.keys.freeze
+    # The current list of codepoints with the "Emoji_Presentation" property
+    # Same characters as \p{Emoji Presentation} or \p{EPres}
+    # (Emoji version of this gem might be more recent than Ruby's Emoji version)
+    EMOJI_PRESENTATION            = INDEX[:PROPERTIES].select{ |ord, props| props.include?(:P) }.keys.freeze
+    # The current list of codepoints with the "Emoji" property that lack the "Emoji Presentation" property
+    TEXT_PRESENTATION             = INDEX[:PROPERTIES].select{ |ord, props| props.include?(:E) && !props.include?(:P) }.keys.freeze
+    # The current list of codepoints with the "Emoji_Component" property
+    # Same characters as \p{Emoji Component} or \p{EComp}
+    # (Emoji version of this gem might be more recent than Ruby's Emoji version)
+    EMOJI_COMPONENT               = INDEX[:PROPERTIES].select{ |ord, props| props.include?(:C) }.keys.freeze
+    # The current list of codepoints with the "Emoji_Modifier_Base" property
+    # Same characters as \p{Emoji Modifier Base} or \p{EBase}
+    # (Emoji version of this gem might be more recent than Ruby's Emoji version)
+    EMOJI_MODIFIER_BASES          = INDEX[:PROPERTIES].select{ |ord, props| props.include?(:B) }.keys.freeze
+    # The current list of codepoints with the "Emoji_Modifier" property
+    # Same characters as \p{Emoji Modifier} or \p{EMod}
+    # (Emoji version of this gem might be more recent than Ruby's Emoji version)
+    EMOJI_MODIFIERS               = INDEX[:PROPERTIES].select{ |ord, props| props.include?(:M) }.keys.freeze
+    # The current list of codepoints with the "Extended_Pictographic" property
+    # Same characters as \p{Extended Pictographic} or \p{ExtPict}
+    # (Emoji version of this gem might be more recent than Ruby's Emoji version)
+    EXTENDED_PICTOGRAPHIC         = INDEX[:PROPERTIES].select{ |ord, props| props.include?(:X) }.keys.freeze
+    # The current list of codepoints with the "Extended_Pictographic" property that don't have the "Emoji" property
+    EXTENDED_PICTOGRAPHIC_NO_EMOJI= INDEX[:PROPERTIES].select{ |ord, props| props.include?(:X) && !props.include?(:E) }.keys.freeze
+    # The list of characters that can be used as base for keycap sequences
+    EMOJI_KEYCAPS                 = INDEX[:KEYCAPS].freeze
+    # The list of valid regions
+    VALID_REGION_FLAGS            = INDEX[:FLAGS].freeze
+    # The list of valid subdivisions in regex character class syntax
+    VALID_SUBDIVISIONS            = INDEX[:SD].map{_1.sub(/(.)~(.)/, '[\1-\2]') }
+    # The list RGI tag sequence flags
+    RECOMMENDED_SUBDIVISION_FLAGS = INDEX[:TAGS].freeze
+    # The list of fully-qualified RGI Emoji ZWJ sequences
+    RECOMMENDED_ZWJ_SEQUENCES     = INDEX[:ZWJ].freeze
+  end
+end

data/bundle/ruby/3.1.0/gems/unicode-emoji-4.0.4/lib/unicode/emoji/list.rb ADDED Viewed

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+module Unicode
+  module Emoji
+    # Contains an ordered and group list of all currently recommended Emoji (RGI/FQE)
+    LIST                          = INDEX[:LIST].freeze.each_value(&:freeze)
+    # Sometimes, categories change, we issue a warning in these cases
+    LIST_REMOVED_KEYS             = [
+      "Smileys & People",
+    ].freeze
+  end
+end

data/bundle/ruby/3.1.0/gems/unicode-emoji-4.0.4/lib/unicode/emoji.rb ADDED Viewed

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+require_relative "emoji/constants"
+module Unicode
+  module Emoji
+    autoload :INDEX, File.expand_path('emoji/index', __dir__)
+    %w[
+      EMOJI_CHAR
+      EMOJI_PRESENTATION
+      TEXT_PRESENTATION
+      EMOJI_COMPONENT
+      EMOJI_MODIFIER_BASES
+      EMOJI_MODIFIERS
+      EXTENDED_PICTOGRAPHIC
+      EXTENDED_PICTOGRAPHIC_NO_EMOJI
+      EMOJI_KEYCAPS
+      VALID_REGION_FLAGS
+      VALID_SUBDIVISIONS
+      RECOMMENDED_SUBDIVISION_FLAGS
+      RECOMMENDED_ZWJ_SEQUENCES
+    ].each do |const_name|
+      autoload const_name, File.expand_path('emoji/lazy_constants', __dir__)
+    end
+    %w[
+      LIST
+      LIST_REMOVED_KEYS
+    ].each do |const_name|
+      autoload const_name, File.expand_path('emoji/list', __dir__)
+    end
+    generated_constants_dirpath = File.expand_path(
+      EMOJI_VERSION == RbConfig::CONFIG["UNICODE_EMOJI_VERSION"] ? "emoji/generated_native/" : "emoji/generated/",
+      __dir__
+    )
+    %w[
+      REGEX
+      REGEX_INCLUDE_TEXT
+      REGEX_INCLUDE_MQE
+      REGEX_INCLUDE_MQE_UQE
+      REGEX_VALID
+      REGEX_VALID_INCLUDE_TEXT
+      REGEX_WELL_FORMED
+      REGEX_WELL_FORMED_INCLUDE_TEXT
+      REGEX_POSSIBLE
+      REGEX_BASIC
+      REGEX_TEXT
+      REGEX_TEXT_PRESENTATION
+      REGEX_PROP_EMOJI
+      REGEX_PROP_MODIFIER
+      REGEX_PROP_MODIFIER_BASE
+      REGEX_PROP_COMPONENT
+      REGEX_PROP_PRESENTATION
+      REGEX_PICTO
+      REGEX_PICTO_NO_EMOJI
+      REGEX_EMOJI_KEYCAP
+    ].each do |const_name|
+      autoload const_name, File.join(generated_constants_dirpath, const_name.downcase)
+    end
+    # Return Emoji properties of character as an Array or nil
+    # See PROPERTY_NAMES constant for possible properties
+    #
+    # Source: see https://www.unicode.org/Public/16.0.0/ucd/emoji/emoji-data.txt
+    def self.properties(char)
+      ord = get_codepoint_value(char)
+      props = INDEX[:PROPERTIES][ord]
+      if props
+        props.map{ |prop| PROPERTY_NAMES[prop] }
+      else
+        # nothing
+      end
+    end
+    # Returns ordered list of Emoji, categorized in a three-level deep Hash structure
+    def self.list(key = nil, sub_key = nil)
+      return LIST unless key || sub_key
+      if LIST_REMOVED_KEYS.include?(key)
+        $stderr.puts "Warning(unicode-emoji): The category of #{key} does not exist anymore"
+      end
+      LIST.dig(*[key, sub_key].compact)
+    end
+    def self.get_codepoint_value(char)
+      ord = nil
+      if char.valid_encoding?
+        ord = char.ord
+      elsif char.encoding.name == "UTF-8"
+        begin
+          ord = char.unpack("U*")[0]
+        rescue ArgumentError
+        end
+      end
+      if ord
+        ord
+      else
+        raise(ArgumentError, "Unicode::Emoji must be given a valid string")
+      end
+    end
+    class << self
+      private :get_codepoint_value
+    end
+  end
+end

data/bundle/ruby/3.1.0/gems/unicode-emoji-4.0.4/unicode-emoji.gemspec ADDED Viewed

@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+require File.dirname(__FILE__) + "/lib/unicode/emoji/constants"
+Gem::Specification.new do |gem|
+  gem.name          = "unicode-emoji"
+  gem.version       = Unicode::Emoji::VERSION
+  gem.summary       = "Emoji data and regex"
+  gem.description   = "[Emoji #{Unicode::Emoji::EMOJI_VERSION}] Provides Unicode Emoji data and regexes, incorporating the latest Unicode and Emoji standards. Includes a categorized list of recommended Emoji."
+  gem.authors       = ["Jan Lelis"]
+  gem.email         = ["hi@ruby.consulting"]
+  gem.homepage      = "https://github.com/janlelis/unicode-emoji"
+  gem.license       = "MIT"
+  gem.files         = Dir["{**/}{.*,*}"].select{ |path| File.file?(path) && path !~ /^pkg/ && path !~ /spec\/data\/[^.]/ }
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+  gem.metadata      = { "rubygems_mfa_required" => "true" }
+  gem.required_ruby_version = ">= 2.5", "< 4.0"
+end

data/lib/brakeman/app_tree.rb CHANGED Viewed

@@ -190,7 +190,12 @@ module Brakeman
       paths = select_only_files(paths)
       paths = reject_skipped_files(paths)
       paths = convert_to_file_paths(paths)
-      reject_global_excludes(paths)
+      paths = reject_global_excludes(paths)
+      reject_directories(paths)
+    end
+    def reject_directories(paths)
+      paths.reject { |path| File.directory?(path) }
     end
     def select_only_files(paths)

data/lib/brakeman/checks/check_evaluation.rb CHANGED Viewed

@@ -22,27 +22,29 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
   def process_result result
     return unless original? result
-    if input = include_user_input?(result[:call].arglist)
-      confidence = :high
-      message = msg(msg_input(input), " evaluated as code")
-    elsif string_evaluation? result[:call].first_arg
-      confidence = :low
-      message = "Dynamic string evaluated as code"
-    elsif safe_literal? result[:call].first_arg
-      # don't warn
-    elsif result[:call].method == :eval
-      confidence = :low
-      message = "Dynamic code evaluation"
-    end
+    first_arg = result[:call].first_arg
+    unless safe_value? first_arg
+      if input = include_user_input?(first_arg)
+        confidence = :high
+        message = msg(msg_input(input), " evaluated as code")
+      elsif string_evaluation? first_arg
+        confidence = :low
+        message = "Dynamic string evaluated as code"
+      elsif result[:call].method == :eval
+        confidence = :low
+        message = "Dynamic code evaluation"
+      end
-    if confidence
-      warn :result => result,
-        :warning_type => "Dangerous Eval",
-        :warning_code => :code_eval,
-        :message => message,
-        :user_input => input,
-        :confidence => confidence,
-        :cwe_id => [913, 95]
+      if confidence
+        warn :result => result,
+          :warning_type => "Dangerous Eval",
+          :warning_code => :code_eval,
+          :message => message,
+          :user_input => input,
+          :confidence => confidence,
+          :cwe_id => [913, 95]
+      end
     end
   end
@@ -50,4 +52,21 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
     string_interp? exp or
       (call? exp and string? exp.target)
   end
+  def safe_value? exp
+    return true unless sexp? exp
+    case exp.sexp_type
+    when :dstr
+      exp.all? { |e| safe_value? e}
+    when :evstr
+      safe_value? exp.value
+    when :str, :lit
+      true
+    when :call
+      always_safe_method? exp.method
+    else
+      false
+    end
+  end
 end

data/lib/brakeman/checks/check_weak_rsa_key.rb CHANGED Viewed

@@ -87,7 +87,7 @@ class Brakeman::CheckWeakRSAKey < Brakeman::BaseCheck
     if string? padding_arg
       padding_arg = padding_arg.deep_clone(padding_arg.line)
-      padding_arg.value.downcase!
+      padding_arg.value = padding_arg.value.downcase
     end
     case padding_arg

data/lib/brakeman/options.rb CHANGED Viewed

@@ -226,6 +226,10 @@ module Brakeman::Options
           options[:follow_symlinks] = follow_symlinks
         end
+        opts.on '--gemfile GEMFILE', 'Specify Gemfile to scan' do |gemfile|
+          options[:gemfile] = gemfile
+        end
         opts.on "-E", "--enable Check1,Check2,etc", Array, "Enable the specified checks" do |checks|
           checks.map! do |check|
             if check.start_with? "Check"

data/lib/brakeman/processors/alias_processor.rb CHANGED Viewed

@@ -270,7 +270,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       end
     when :<<
       if string? target and string? first_arg
-        target.value << first_arg.value
+        target.value += first_arg.value
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
@@ -278,8 +278,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
-          target.last.value << first_arg.value
+          target.last.value += first_arg.value
         elsif target.last.is_a? String
+          # TODO Use target.last += ?
           target.last << first_arg.value
         else
           target << first_arg

data/lib/brakeman/scanner.rb CHANGED Viewed

@@ -32,6 +32,7 @@ class Brakeman::Scanner
     @processor = processor || Brakeman::Processor.new(@app_tree, options)
     @show_timing = tracker.options[:debug] || tracker.options[:show_timing]
+    @per_file_timing = tracker.options[:debug] && tracker.options[:show_timing]
   end
   #Returns the Tracker generated from the scan
@@ -58,7 +59,7 @@ class Brakeman::Scanner
   end
   def process_step_file description
-    if @show_timing
+    if @per_file_timing
       Brakeman.notify "Processing #{description}"
       start_t = Time.now
@@ -230,21 +231,29 @@ class Brakeman::Scanner
   #Process Gemfile
   def process_gems
     gem_files = {}
+    gem_file_names = ['Gemfile', 'gems.rb']
+    lock_file_names = ['Gemfile.lock', 'gems.locked']
-    if @app_tree.exists? "Gemfile"
-      file = @app_tree.file_path("Gemfile")
-      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
-    elsif @app_tree.exists? "gems.rb"
-      file = @app_tree.file_path("gems.rb")
-      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
+    if tracker.options[:gemfile]
+      name = tracker.options[:gemfile]
+      gem_file_names.unshift name
+      lock_file_names.unshift "#{name}.lock"
     end
-    if @app_tree.exists? "Gemfile.lock"
-      file = @app_tree.file_path("Gemfile.lock")
-      gem_files[:gemlock] = { :src => file.read, :file => file }
-    elsif @app_tree.exists? "gems.locked"
-      file = @app_tree.file_path("gems.locked")
-      gem_files[:gemlock] = { :src => file.read, :file => file }
+    gem_file_names.each do |name|
+      if @app_tree.exists? name
+        file = @app_tree.file_path(name)
+        gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
+        break
+      end
+    end
+    lock_file_names.each do |name|
+      if @app_tree.exists? name
+        file = @app_tree.file_path(name)
+        gem_files[:gemlock] = { :src => file.read, :file => file }
+        break
+      end
     end
     if @app_tree.gemspec

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "7.0.0"
+  Version = "7.0.1"
 end

data/lib/brakeman.rb CHANGED Viewed

@@ -127,6 +127,13 @@ module Brakeman
     options[:output_formats] = get_output_formats options
     options[:github_url] = get_github_url options
+    # Use ENV value only if option was not already explicitly set
+    # (i.e. prefer commandline option over environment variable).
+    if options[:gemfile].nil? and ENV['BUNDLE_GEMFILE']
+      options[:gemfile] = ENV['BUNDLE_GEMFILE']
+    end
     options
   end