brakeman 7.1.2 → 8.0.0

data/bundle/ruby/3.2.0/gems/tilt-2.7.0/lib/tilt/rdoc.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+# = RDoc (<tt>rdoc</tt>)
+#
+# {RDoc}[http://rdoc.rubyforge.org] is the simple text markup system that comes with Ruby's standard
+# library.
+#
+# === Example
+#
+#     = Hello RDoc Templates
+#
+#     Hello World. This is a paragraph.
+#
+# === Usage
+#
+# __NOTE:__ It's suggested that your program <tt>require 'rdoc'</tt>,
+# <tt>require 'rdoc/markup'</tt>, and <tt>require 'rdoc/markup/to_html'</tt> at load time
+# when using this template engine in a threaded environment.
+#
+# === See also
+#
+# * {RDoc}[http://rdoc.rubyforge.org]
+# * {RDoc Github}[https://github.com/ruby/rdoc]
+
+require_relative 'template'
+require 'rdoc'
+require 'rdoc/markup'
+require 'rdoc/markup/to_html'
+require 'rdoc/options'
+
+Tilt::RDocTemplate = Tilt::StaticTemplate.subclass do
+  RDoc::Markup::ToHtml.new(RDoc::Options.new, nil).convert(@data).to_s
+end

data/bundle/ruby/3.2.0/gems/tilt-2.7.0/lib/tilt/redcarpet.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+# = Markdown (<tt>markdown</tt>, <tt>md</tt>, <tt>mkd</tt>)
+#
+# {Markdown}[http://daringfireball.net/projects/markdown/syntax] is a
+# lightweight markup language, created by John Gruber and Aaron Swartz.
+# For any markup that is not covered by Markdown’s syntax, HTML is used.
+# Marking up plain text with Markdown markup is easy and Markdown
+# formatted texts are readable.
+#
+# === Example
+#
+#     Hello Markdown Templates
+#     ========================
+#
+#     Hello World. This is a paragraph.
+#
+# === Usage
+#
+# To wrap a Markdown formatted document with a layout:
+#
+#     layout = Tilt['erb'].new do
+#       "<!doctype html><title></title><%= yield %>"
+#     end
+#     data = Tilt['md'].new { "# hello tilt" }
+#     layout.render { data.render }
+#     # => "<!doctype html><title></title><h1>hello tilt</h1>\n"
+#
+# === Options
+#
+# ==== <tt>:smartypants => true|false</tt>
+#
+# Set <tt>true</tt> to enable [Smarty Pants][smartypants] style punctuation replacement.
+#
+# ==== <tt>:escape_html => true|false</tt>
+#
+# Set <tt>true</tt> disallow raw HTML in Markdown contents. HTML is converted to
+# literal text by escaping <tt><</tt> characters.
+#
+# === See also
+#
+# * {Markdown Syntax Documentation}[http://daringfireball.net/projects/markdown/syntax]
+
+require_relative 'template'
+require 'redcarpet'
+
+aliases = {:escape_html => :filter_html, :smartypants => :smart}.freeze
+
+Tilt::RedcarpetTemplate = Tilt::StaticTemplate.subclass do
+  aliases.each do |opt, aka|
+    if options.key?(aka) || !@options.key?(opt)
+      @options[opt] = @options.delete(aka)
+    end
+  end
+
+  # only raise an exception if someone is trying to enable :escape_html
+  @options.delete(:escape_html) unless @options[:escape_html]
+
+  renderer = @options.delete(:renderer) || ::Redcarpet::Render::HTML.new(@options)
+  if options.delete(:smartypants) && !(renderer.is_a?(Class) && renderer <= ::Redcarpet::Render::SmartyPants)
+    renderer = if renderer == ::Redcarpet::Render::XHTML
+      ::Redcarpet::Render::SmartyHTML.new(:xhtml => true)
+    elsif renderer == ::Redcarpet::Render::HTML
+      ::Redcarpet::Render::SmartyHTML
+    elsif renderer.is_a? Class
+      Class.new(renderer) { include ::Redcarpet::Render::SmartyPants }
+    else
+      renderer.extend ::Redcarpet::Render::SmartyPants
+    end
+  end
+
+  Redcarpet::Markdown.new(renderer, @options).render(@data)
+end

data/bundle/ruby/3.2.0/gems/tilt-2.7.0/lib/tilt/redcloth.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+# = Textile (<tt>textile</tt>)
+#
+# Textile is a lightweight markup language originally developed by Dean Allen and
+# billed as a "humane Web text generator". Textile converts its marked-up text
+# input to valid, well-formed XHTML and also inserts character entity references
+# for apostrophes, opening and closing single and double quotation marks,
+# ellipses and em dashes.
+#
+# Textile formatted texts are converted to HTML with the {RedCloth}[http://redcloth.org]
+# engine, which is a Ruby extension written in C.
+#
+# === Example
+#
+#     h1. Hello Textile Templates
+#
+#     Hello World. This is a paragraph.
+#
+# === Usage
+#
+# __NOTE:__ It's suggested that your program <tt>require 'redcloth'</tt> at load time
+# when using this template engine in a threaded environment.
+#
+# === See Also
+#
+# * {RedCloth}[http://redcloth.org]
+# * https://github.com/jgarber/redcloth
+
+require_relative 'template'
+require 'redcloth'
+
+Tilt::RedClothTemplate = Tilt::StaticTemplate.subclass do
+  engine = RedCloth.new(@data)
+  @options.each  do |k, v|
+    m = :"#{k}="
+    engine.send(m, v) if engine.respond_to? m
+  end
+  engine.to_html
+end

data/bundle/ruby/3.2.0/gems/tilt-2.7.0/lib/tilt/rst-pandoc.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+# = reStructuredText (<tt>rst</tt>)
+#
+# reStructuredText is a lightweight markup language originally developed by David Goodger,
+# based on StructuredText and Setext. reStructuredText is primarily used for technical
+# documentation in the Python programming language community, e.g. by the
+# {Sphinx}[http://www.sphinx-doc.org/en/stable/rest.html] Python documentation generator.
+#
+# reStructuredText formatted texts are converted to HTML with {Pandoc}[http://pandoc.org/], which
+# is an application written in Haskell, with a Ruby wrapper provided by the
+# {pandoc-ruby}[https://github.com/alphabetum/pandoc-ruby] gem.
+#
+# === Example
+#
+#     Hello Rst Templates
+#     ===================
+#
+#     Hello World. This is a paragraph.
+#
+# === See Also
+#
+# * {Pandoc}[http://pandoc.org/]
+# * {pandoc-ruby}[https://github.com/alphabetum/pandoc-ruby]
+
+require_relative 'template'
+require_relative 'pandoc'
+
+rst = {:f => "rst"}.freeze
+
+Tilt::RstPandocTemplate = Tilt::StaticTemplate.subclass do
+  PandocRuby.new(@data, rst).to_html.strip
+end

data/bundle/ruby/3.2.0/gems/{tilt-2.6.1 → tilt-2.7.0}/lib/tilt/sass.rb

@@ -1,10 +1,23 @@
 # frozen_string_literal: true
+
+# = Sass / Scss
+#
+# Sass/Scss template implementation for generating CSS.
+#
+# Sass templates do not support object scopes, locals, or yield.
+#
+# === See also
+#
+# * https://sass-lang.com/
+#
+# === Related modules
+#
+# * Tilt::SassTemplate
+# * Tilt::ScssTemplate
+
 require_relative 'template'
 
 module Tilt
-  # Sass template implementation for generating CSS. See: https://sass-lang.com/
-  #
-  # Sass templates do not support object scopes, locals, or yield.
   class SassTemplate < StaticTemplate
     self.default_mime_type = 'text/css'
 

data/bundle/ruby/3.2.0/gems/tilt-2.7.0/lib/tilt/slim.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+# = Slim (<tt>slim</tt>)
+#
+# === Embedded locals
+#
+# In slim templates, the comment format looks like this:
+#
+#   //# locals: ()
+#
+# === See also
+#
+# * https://slim-template.github.io
+
+require_relative 'template'
+require 'slim'
+
+Tilt::SlimTemplate = Slim::Template

data/bundle/ruby/3.2.0/gems/{tilt-2.6.1 → tilt-2.7.0}/lib/tilt/string.rb

@@ -1,9 +1,17 @@
 # frozen_string_literal: true
+
+# = String
+#
+# The template source is evaluated as a Ruby string. The #{} interpolation
+# syntax can be used to generated dynamic output.
+#
+# === Related module
+#
+# * Tilt::StringTemplate
+
 require_relative 'template'
 
 module Tilt
-  # The template source is evaluated as a Ruby string. The #{} interpolation
-  # syntax can be used to generated dynamic output.
   class StringTemplate < Template
     def prepare
       hash = "TILT#{@data.hash.abs}"

data/bundle/ruby/3.2.0/gems/{tilt-2.6.1 → tilt-2.7.0}/lib/tilt/template.rb

@@ -41,12 +41,12 @@ module Tilt
         @metadata ||= {}
       end
 
-      # Use `.metadata[:mime_type]` instead.
+      # Use <tt>.metadata[:mime_type]</tt> instead.
       def default_mime_type
         metadata[:mime_type]
       end
 
-      # Use `.metadata[:mime_type] = val` instead.
+      # Use <tt>.metadata[:mime_type] = val</tt> instead.
       def default_mime_type=(value)
         metadata[:mime_type] = value
       end
@@ -376,10 +376,10 @@ module Tilt
 
       s = "locals = locals[:locals]"
       if assignments.delete(s)
-        # If there is a locals key itself named `locals`, delete it from the ordered keys so we can
+        # If there is a locals key itself named <tt>locals</tt>, delete it from the ordered keys so we can
         # assign it last. This is important because the assignment of all other locals depends on the
-        # `locals` local variable still matching the `locals` method argument given to the method
-        # created in `#compile_template_method`.
+        # <tt>locals</tt> local variable still matching the <tt>locals</tt> method argument given to the method
+        # created in <tt>#compile_template_method</tt>.
         assignments << s
       end
 

data/bundle/ruby/3.2.0/gems/{tilt-2.6.1 → tilt-2.7.0}/lib/tilt/typescript.rb

@@ -1,4 +1,9 @@
 # frozen_string_literal: true
+
+# = Typescript
+#
+# TypeScript implementation.
+
 require_relative 'template'
 require 'typescript-node'
 

data/bundle/ruby/3.2.0/gems/tilt-2.7.0/lib/tilt/yajl.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+# = Yajl
+#
+# Yajl Template implementation
+#
+# Yajl is a fast JSON parsing and encoding library for Ruby
+#
+# The template source is evaluated as a Ruby string,
+# and the result is converted #to_json.
+#
+# === Example
+#
+#    # This is a template example.
+#    # The template can contain any Ruby statement.
+#    tpl <<-EOS
+#      @counter = 0
+#
+#      # The json variable represents the buffer
+#      # and holds the data to be serialized into json.
+#      # It defaults to an empty hash, but you can override it at any time.
+#      json = {
+#        :"user#{@counter += 1}" => { :name => "Joshua Peek", :id => @counter },
+#        :"user#{@counter += 1}" => { :name => "Ryan Tomayko", :id => @counter },
+#        :"user#{@counter += 1}" => { :name => "Simone Carletti", :id => @counter },
+#      }
+#
+#      # Since the json variable is a Hash,
+#      # you can use conditional statements or any other Ruby statement
+#      # to populate it.
+#      json[:"user#{@counter += 1}"] = { :name => "Unknown" } if 1 == 2
+#
+#      # The last line doesn't affect the returned value.
+#      nil
+#    EOS
+#
+#    template = Tilt::YajlTemplate.new { tpl }
+#    template.render(self)
+#
+# === See also
+#
+# * https://github.com/brianmario/yajl-ruby
+#
+# === Related module
+#
+# * Tilt::YajlTemplate
+
+require_relative 'template'
+require 'yajl'
+
+module Tilt
+  class YajlTemplate < Template
+    self.default_mime_type = 'application/json'
+
+    def evaluate(scope, locals, &block)
+      decorate(super)
+    end
+
+    def precompiled_preamble(locals)
+      return super if locals.include? :json
+      "json = {}\n#{super}"
+    end
+
+    def precompiled_postamble(locals)
+      "Yajl::Encoder.new.encode(json)"
+    end
+
+    def precompiled_template(locals)
+      @data.to_str
+    end
+
+    # Decorates the +json+ input according to given +options+.
+    #
+    # json    - The json String to decorate.
+    # options - The option Hash to customize the behavior.
+    #
+    # Returns the decorated String.
+    def decorate(json)
+      callback, variable = @options[:callback], @options[:variable]
+      if callback && variable
+        "var #{variable} = #{json}; #{callback}(#{variable});"
+      elsif variable
+        "var #{variable} = #{json};"
+      elsif callback
+        "#{callback}(#{json});"
+      else
+        json
+      end
+    end
+  end
+end

data/bundle/ruby/3.2.0/gems/{tilt-2.6.1 → tilt-2.7.0}/lib/tilt.rb

@@ -5,7 +5,7 @@ require_relative 'tilt/template'
 # Namespace for Tilt. This module is not intended to be included anywhere.
 module Tilt
   # Current version.
-  VERSION = '2.6.1'
+  VERSION = '2.7.0'
 
   EMPTY_ARRAY = [].freeze
   private_constant :EMPTY_ARRAY
@@ -163,7 +163,6 @@ module Tilt
   register_lazy :CSVTemplate,          'tilt/csv',       'rcsv'
   register_lazy :CoffeeScriptTemplate, 'tilt/coffee',    'coffee'
   register_lazy :CoffeeScriptLiterateTemplate, 'tilt/coffee', 'litcoffee'
-  register_lazy :CreoleTemplate,       'tilt/creole',    'wiki', 'creole'
   register_lazy :EtanniTemplate,       'tilt/etanni',    'etn', 'etanni'
   register_lazy :HamlTemplate,         'tilt/haml',      'haml'
   register_lazy :LiquidTemplate,       'tilt/liquid',    'liquid'

data/lib/brakeman/app_tree.rb

@@ -120,7 +120,7 @@ module Brakeman
 
     def template_paths
       @template_paths ||= find_paths(".", "*.{#{VIEW_EXTENSIONS}}") +
-        find_paths("**", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
+        find_paths(".", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
     end
 
     def layout_exists?(name)
@@ -213,13 +213,17 @@ module Brakeman
     end
 
     def reject_directories(paths)
-      paths.reject { |path| File.directory?(path) }
+      paths.reject do |path|
+        Brakeman.logger.spin
+        File.directory?(path)
+      end
     end
 
     def select_only_files(paths)
       return paths unless @only_files
 
       paths.select do |path|
+        Brakeman.logger.spin
         match_path @only_files, path
       end
     end
@@ -228,6 +232,7 @@ module Brakeman
       return paths unless @skip_files
 
       paths.reject do |path|
+        Brakeman.logger.spin
         match_path @skip_files, path
       end
     end

data/lib/brakeman/checks/check_model_attributes.rb

@@ -12,7 +12,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
 
     #Roll warnings into one warning for all models
     if tracker.options[:collapse_mass_assignment]
-      Brakeman.notify "[Notice] The `collapse_mass_assignment` option has been removed."
+      Brakeman.alert "The `collapse_mass_assignment` option has been removed."
     end
 
     check_models do |name, model|

data/lib/brakeman/checks/check_render.rb

@@ -17,8 +17,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
 
     case result[:call].render_type
     when :partial, :template, :action, :file
-      check_for_rce(result) or
-        check_for_dynamic_path(result)
+      check_for_dynamic_path(result)
     when :inline
     when :js
     when :json
@@ -41,8 +40,6 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
         else
           confidence = :high
         end
-      elsif input = include_user_input?(view)
-        confidence = :weak
       else
         return
       end
@@ -62,29 +59,6 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
     end
   end
 
-  def check_for_rce result
-    return unless version_between? "0.0.0", "3.2.22" or
-                  version_between? "4.0.0", "4.1.14" or
-                  version_between? "4.2.0", "4.2.5"
-
-
-    view = result[:call][2]
-    if sexp? view and not duplicate? result
-      if params? view
-        add_result result
-        return if safe_param? view
-
-        warn :result => result,
-          :warning_type => "Remote Code Execution",
-          :warning_code => :dynamic_render_path_rce,
-          :message => msg("Passing query parameters to ", msg_code("render"), " is vulnerable in ", msg_version(rails_version), " ", msg_cve("CVE-2016-0752")),
-          :user_input => view,
-          :confidence => :high,
-          :cwe_id => [22]
-      end
-    end
-  end
-
   def safe_param? exp
     if params? exp and call? exp
       method_name = exp.method

data/lib/brakeman/checks/check_render_rce.rb

@@ -0,0 +1,43 @@
+require 'brakeman/checks/check_render'
+
+class Brakeman::CheckRenderRCE < Brakeman::CheckRender
+  Brakeman::Checks.add self
+
+  @description = "Finds calls to render that might be vulnerable to CVE-2016-0752"
+
+  def run_check
+    tracker.find_call(:target => nil, :method => :render).each do |result|
+      process_render_result result
+    end
+  end
+
+  def process_render_result result
+    return unless node_type? result[:call], :render
+
+    case result[:call].render_type
+    when :partial, :template, :action, :file
+      check_for_rce(result)
+    end
+  end
+
+  def check_for_rce result
+    return unless version_between? "0.0.0", "3.2.22" or
+                  version_between? "4.0.0", "4.1.14" or
+                  version_between? "4.2.0", "4.2.5"
+
+    view = result[:call][2]
+    if sexp? view and not duplicate? result
+      if params? view and not safe_param? view
+        add_result result
+
+        warn :result => result,
+          :warning_type => "Remote Code Execution",
+          :warning_code => :dynamic_render_path_rce,
+          :message => msg("Passing query parameters to ", msg_code("render"), " is vulnerable in ", msg_version(rails_version), " ", msg_cve("CVE-2016-0752")),
+          :user_input => view,
+          :confidence => :high,
+          :cwe_id => [22]
+      end
+    end
+  end
+end

data/lib/brakeman/checks/check_session_settings.rb

@@ -120,7 +120,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
       begin
         secrets = YAML.safe_load yaml, aliases: true
       rescue Psych::SyntaxError, RuntimeError => e
-        Brakeman.notify "[Notice] #{self.class}: Unable to parse `#{secrets_file}`"
+        Brakeman.alert "#{self.class}: Unable to parse `#{secrets_file}`"
         Brakeman.debug "Failed to parse #{secrets_file}: #{e.inspect}"
         return
       end

data/lib/brakeman/checks.rb

@@ -121,37 +121,43 @@ class Brakeman::Checks
     parallel = tracker.options[:parallel_checks]
     error_mutex = Mutex.new
 
-    checks.each do |c|
-      check_name = get_check_name c
-      Brakeman.notify " - #{check_name}"
+    message = if parallel
+      "Running #{checks.length} checks in parallel"
+    else
+      "Running #{checks.length} checks"
+    end
 
-      if parallel
-        threads << Thread.new do
-          self.run_a_check(c, error_mutex, tracker)
+    Brakeman.process_step(message) do
+      checks.each do |c|
+        check_name = get_check_name c
+        Brakeman.debug " - #{check_name}"
+
+        if parallel
+          threads << Thread.new do
+            self.run_a_check(c, error_mutex, tracker)
+          end
+        else
+          results << self.run_a_check(c, error_mutex, tracker)
         end
-      else
-        results << self.run_a_check(c, error_mutex, tracker)
-      end
-
-      #Maintain list of which checks were run
-      #mainly for reporting purposes
-      check_runner.checks_run << check_name[5..-1]
-    end
 
-    threads.each { |t| t.join }
+        #Maintain list of which checks were run
+        #mainly for reporting purposes
+        check_runner.checks_run << check_name[5..-1]
+      end
 
-    Brakeman.notify "Checks finished, collecting results..."
+      threads.each { |t| t.join }
 
-    if parallel
-      threads.each do |thread|
-        thread.value.each do |warning|
-          check_runner.add_warning warning
+      if parallel
+        threads.each do |thread|
+          thread.value.each do |warning|
+            check_runner.add_warning warning
+          end
         end
-      end
-    else
-      results.each do |warnings|
-        warnings.each do |warning|
-          check_runner.add_warning warning
+      else
+        results.each do |warnings|
+          warnings.each do |warning|
+            check_runner.add_warning warning
+          end
         end
       end
     end

data/lib/brakeman/commandline.rb

@@ -54,11 +54,13 @@ module Brakeman
             f.puts JSON.pretty_generate(vulns)
           end
 
-          Brakeman.notify "Comparison saved in '#{options[:comparison_output_file]}'"
+          Brakeman.announce "Comparison saved in '#{options[:comparison_output_file]}'"
         else
           puts JSON.pretty_generate(vulns)
         end
 
+        Brakeman.cleanup(false)
+
         if options[:exit_on_warn] && vulns[:new].count > 0
           quit Brakeman::Warnings_Found_Exit_Code
         end
@@ -117,6 +119,7 @@ module Brakeman
       # Override this method for different behavior.
       def quit exit_code = 0, message = nil
         warn message if message
+        Brakeman.cleanup
         exit exit_code
       end
 
@@ -186,6 +189,8 @@ module Brakeman
             warn caller
           end
 
+          Brakeman.cleanup
+
           exit!
         end
       end

data/lib/brakeman/file_parser.rb

@@ -13,9 +13,9 @@ module Brakeman
       if @use_prism
         begin
           require 'prism'
-          Brakeman.debug '[Notice] Using Prism parser'
+          Brakeman.debug 'Using Prism parser'
         rescue LoadError => e
-          Brakeman.debug "[Notice] Asked to use Prism, but failed to load: #{e}"
+          Brakeman.debug "Asked to use Prism, but failed to load: #{e}"
           @use_prism = false
         end
       end
@@ -46,6 +46,7 @@ module Brakeman
       #
       # Note this method no longer uses read_files
       @file_list, new_errors = Parallel.map(list, parallel_options) do |file_name|
+        Brakeman.logger.spin
         file_path = @app_tree.file_path(file_name)
         contents = file_path.read