brakeman 8.0.2 → 8.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 408455132c50dab2b913428c4532b12e5ef60cd3343935a1b505c8b539b2d5e6
-  data.tar.gz: 86e837f136df2a3916b4288c0f32191b0ac2379b0b90a73286fa0cf2d0aca714
+  metadata.gz: 90b39cd822319fe03d9a0b331239d2ed8fbcfe2db659761d3f0273b3a48e4116
+  data.tar.gz: aff94e8cefaa7e8d54aa8a5d7f9a3c0a9bb532ac758e8c3bd7acd2c30df5c6ee
 SHA512:
-  metadata.gz: c56c3b0598eade85878e6004b49cc6eb5ecc7be6bd011a7d11c1b462192c161d6afc38e2d50b2c088aba0a4ab55c89b4f01d740e6dbf4d84e2276c9cab541415
-  data.tar.gz: b08b76a3d45559215cf5a9d288f9561d25dccd233803346d0a783c36decb9ebba4b8e2c665775cee21fc31b6a60126fb79ea9c98ffdc4d24c9eb2502abfab401
+  metadata.gz: c2f00398efaf4e652a4ae1034facdaa28169a852ebef8464e5723fcd328dba1fb08d8e7b1c75d639f5d7127046eb1aa296d0f1a38d1e563180b59596aa3d5437
+  data.tar.gz: f8131d641b70c662017e6918f669825cc62c766325ac124dee4210dd2fd4a42bb892ef901d4f12dd7245043fb84539694f6de7badf996c19c0f7aa63e27a83c6

data/CHANGES.md

@@ -1,3 +1,24 @@
+# 8.0.5 - 2026-06-12
+
+* Add `quote_schema_name` to safe quote method list (Zsolt Kozaroczy)
+* Fix SQL injection false positive for `compact_blank`/`compact` on permitted params (Arpit Jain)
+* Fix inline render false positive for local named `text` (Arpit Jain)
+* Fix HAML crash on `.raw` calls (Federico Franco)
+* Fix Ruby version parsing - especially for non-CRuby versions (Chris Southerland Jr) 
+* Fix `TemplateAliasProcessor#template_name` arity (viralpraxis)
+* Reduce false positives when using shell escaping
+
+# 8.0.4 - 2026-02-26
+
+* Load 'date' library for `--ensure-latest`
+
+# 8.0.3 - 2026-02-26
+
+* Fix `polymorphic_name` SQLi false positive (Fredrico Franco)
+* Fix logger behavior when loading config files
+* Handle application names with module prefixes
+* Add release age option for `--ensure-latest`
+
 # 8.0.2 - 2026-02-03
 
 * Reline console control should use stderr

data/bundle/load.rb

@@ -3,7 +3,7 @@ $:.unshift "#{path}/bundle/ruby/3.2.0/gems/csv-3.3.5/lib"
 $:.unshift "#{path}/bundle/ruby/3.2.0/gems/erubi-1.13.1/lib"
 $:.unshift "#{path}/bundle/ruby/3.2.0/gems/haml-6.4.0/lib"
 $:.unshift "#{path}/bundle/ruby/3.2.0/gems/highline-3.1.2/lib"
-$:.unshift "#{path}/bundle/ruby/3.2.0/gems/parallel-1.27.0/lib"
+$:.unshift "#{path}/bundle/ruby/3.2.0/gems/parallel-1.28.0/lib"
 $:.unshift "#{path}/bundle/ruby/3.2.0/gems/reline-0.6.3/lib"
 $:.unshift "#{path}/bundle/ruby/3.2.0/gems/rexml-3.4.4/lib"
 $:.unshift "#{path}/bundle/ruby/3.2.0/gems/ruby2ruby-2.5.2/lib"

data/bundle/ruby/3.2.0/gems/parallel-1.28.0/lib/parallel/version.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+module Parallel
+  VERSION = Version = '1.28.0' # rubocop:disable Naming/ConstantName
+end

data/bundle/ruby/3.2.0/gems/{parallel-1.27.0 → parallel-1.28.0}/lib/parallel.rb

@@ -15,6 +15,17 @@ module Parallel
       super()
       @value = value
     end
+
+    # marshal_dump that is used for ruby exceptions
+    # avoid dumping the cause since nobody needs that and it can include undumpable exceptions
+    def _dump(_depth)
+      Marshal.dump(@value)
+    end
+
+    # marshal_load that is used for ruby exceptions
+    def self._load(data)
+      new(Marshal.load(data))
+    end
   end
 
   class Kill < Break

data/lib/brakeman/checks/check_execute.rb

@@ -122,9 +122,14 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       # should be ignored
 
       args.pop if hash?(args.last) && args.length > 2
-      failure = include_user_input?(args) ||
-                dangerous_interp?(args) ||
-                dangerous_string_building?(args)
+
+      args.each_sexp do |arg|
+        failure = include_user_input?(arg) ||
+          dangerous_interp?(arg) ||
+          dangerous_string_building?(arg)
+
+        break if failure
+      end
     else
       failure = include_user_input?(args) ||
                 dangerous_interp?(args) ||
@@ -176,6 +181,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
   def include_user_input? exp
     if node_type? exp, :arglist, :dstr, :evstr, :dxstr
       exp.each_sexp do |e|
+        next if shell_escape? e
+
         if res = include_user_input?(e)
           return res
         end
@@ -196,7 +203,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       # Check for input at start of string
       exp[1] == "" and
         node_type? exp[2], :evstr and
-        has_immediate_user_input? exp[2]
+        dangerous? exp[2]
     else
       has_immediate_user_input? exp
     end
@@ -266,6 +273,8 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
   end
 
   def dangerous_interp? exp
+    return if shell_escape? exp
+
     match = include_interp? exp
     return unless match
     interp = match.match

data/lib/brakeman/checks/check_sql.rb

@@ -311,7 +311,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
 
     if request_value? arg
-      unless call? arg and params? arg.target and [:permit, :slice, :to_h, :to_hash, :symbolize_keys].include? arg.method
+      unless call? arg and params? arg.target and [:permit, :slice, :to_h, :to_hash, :symbolize_keys, :compact, :compact_blank].include? arg.method
         # Model.where(params[:where])
         arg
       end
@@ -600,7 +600,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
-    :where_values_hash, :foreign_key, :uuid, :escape, :escape_string
+    :where_values_hash, :foreign_key, :uuid, :escape, :escape_string,
+    :polymorphic_name
   ]
 
   def ignore_methods_in_sql
@@ -644,7 +645,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       locale_call? exp
   end
 
-  QUOTE_METHODS = [:quote, :quote_column_name, :quoted_date, :quote_string, :quote_table_name]
+  QUOTE_METHODS = [:quote, :quote_column_name, :quoted_date, :quote_string, :quote_table_name, :quote_schema_name]
 
   def quote_call? exp
     if call? exp.target

data/lib/brakeman/commandline.rb

@@ -31,7 +31,7 @@ module Brakeman
         set_interrupt_handler options
         early_exit_options options
         set_options options, default_app_path
-        check_latest if options[:ensure_latest]
+        check_latest(options[:ensure_latest]) if options[:ensure_latest]
         run_report options
 
         quit
@@ -39,9 +39,14 @@ module Brakeman
 
       # Check for the latest version.
       #
-      # If the latest version is newer, quit with a message.
-      def check_latest
-        if error = Brakeman.ensure_latest
+      # If the latest version is newer than the current version
+      # and age, exit.
+      def check_latest(days_old = 0)
+        if days_old == true
+          days_old = 0
+        end
+
+        if error = Brakeman.ensure_latest(days_old:)
           quit Brakeman::Not_Latest_Version_Exit_Code, error
         end
       end

data/lib/brakeman/options.rb

@@ -63,8 +63,12 @@ module Brakeman::Options
           options[:exit_on_error] = exit_on_error
         end
 
-        opts.on "--ensure-latest", "Fail when Brakeman is outdated" do
-          options[:ensure_latest] = true
+        opts.on "--ensure-latest [DAYS]", Integer, "Fail when Brakeman is outdated. Optionally set minimum age in days." do |days|
+          if days and not (1..15).include? days
+            raise OptionParser::InvalidArgument
+          end
+
+          options[:ensure_latest] = days || true
         end
 
         opts.on "--ensure-ignore-notes", "Fail when an ignored warnings does not include a note" do

data/lib/brakeman/processors/base_processor.rb

@@ -258,12 +258,19 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     #Look for "type" of render in options hash
     #For example, render :file => "blah"
     if hash? last_arg
-      hash_iterate(last_arg) do |key, val|
-        if symbol? key and types_in_hash.include? key.value
-          type = key.value
-          value = val
-        else  
-          rest << key << val
+      if type
+        #The render type was already determined by a positional argument, so a
+        #key in the options hash that happens to match a render type name (e.g.
+        #`text:`) is a local passed to the partial/action, not a type directive.
+        rest = last_arg
+      else
+        hash_iterate(last_arg) do |key, val|
+          if symbol? key and types_in_hash.include? key.value
+            type = key.value
+            value = val
+          else
+            rest << key << val
+          end
         end
       end
     end

data/lib/brakeman/processors/gem_processor.rb

@@ -6,7 +6,7 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
   def initialize *args
     super
     @gem_name_version = /^\s*([-_+.A-Za-z0-9]+) \((\w(\.\w+)*)\)/
-    @ruby_version = /^\s+ruby (\d\.\d.\d+)/
+    @ruby_version = /^\s+ruby (\d+\.\d+\.\d+)/
   end
 
   def process_gems gem_files

data/lib/brakeman/processors/haml_template_processor.rb

@@ -186,6 +186,8 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 
   def raw? exp
     call? exp and
-      exp.method == :raw
+      exp.target.nil? and
+      exp.method == :raw and
+      exp.first_arg
   end
 end

data/lib/brakeman/processors/lib/rails3_config_processor.rb

@@ -17,6 +17,7 @@ require 'brakeman/processors/lib/basic_processor'
 #Values for tracker.config.rails will still be Sexps.
 class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
   RAILS_CONFIG = Sexp.new(:call, nil, :config)
+  RAILS_APPLICATION = Sexp.new(:colon2, s(:const, :Rails), :Application)
 
   def initialize *args
     super
@@ -48,7 +49,7 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
 
   #Look for class Application < Rails::Application
   def process_class exp
-    if exp.class_name == :Application
+    if application_class? exp
       @inside_config = true
       process_all exp.body if sexp? exp.body
       @inside_config = false
@@ -57,6 +58,14 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
     exp
   end
 
+  def application_class? exp
+    return unless node_type? exp, :class
+
+    exp.class_name == :Application or
+    (node_type? exp.class_name, :colon2 and exp.class_name.rhs == :Application) or
+    (exp.parent_name == RAILS_APPLICATION)
+  end
+
   #Look for configuration settings that
   #are just a call like
   #

data/lib/brakeman/processors/lib/render_helper.rb

@@ -19,7 +19,9 @@ module Brakeman::RenderHelper
       end
     when :default
       begin
-        process_template template_name, exp[3], nil, exp.line
+        # exp[2] is either the action name (from controller) or :default when no explicit arg
+        name_arg = (exp[2].nil? || exp[2] == :default) ? nil : exp[2]
+        process_template template_name(name_arg), exp[3], nil, exp.line
       rescue ArgumentError
         Brakeman.debug "Problem processing render: #{exp}"
       end

data/lib/brakeman/scanner.rb

@@ -187,8 +187,14 @@ class Brakeman::Scanner
     end
 
     if @app_tree.exists? ".ruby-version"
-      if version = @app_tree.file_path(".ruby-version").read[/(\d\.\d.\d+)/]
-        tracker.config.set_ruby_version version, @app_tree.file_path(".ruby-version"), 1
+      contents = @app_tree.file_path(".ruby-version").read
+      # Skip alternative Ruby implementations — the EOL dates Brakeman knows
+      # about are MRI's, so a `.ruby-version` of "jruby-10.0.2.0" should not
+      # be parsed as MRI 0.0.2 / 10.0.2.
+      unless contents =~ /\A\s*(jruby|truffleruby|rbx|rubinius|mruby)\b/i
+        if version = contents[/(\d+\.\d+\.\d+)/]
+          tracker.config.set_ruby_version version, @app_tree.file_path(".ruby-version"), 1
+        end
       end
     end
 

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "8.0.2"
+  Version = "8.0.5"
 end

data/lib/brakeman.rb

@@ -167,7 +167,6 @@ module Brakeman
   #Load options from YAML file
   def self.load_options line_options
     custom_location = line_options[:config_file]
-    quiet = line_options[:quiet]
     app_path = line_options[:app_path]
 
     #Load configuration file
@@ -175,29 +174,28 @@ module Brakeman
       require 'yaml'
       options = YAML.safe_load_file config, permitted_classes: [Symbol], symbolize_names: true
 
-      # Brakeman.logger is probably not set yet
-      logger = Brakeman::Logger.get_logger(options || line_options)
-
       if options
         options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
 
         # After parsing the yaml config file for options, convert any string keys into symbols.
         options.keys.select {|k| k.is_a? String}.map {|k| k.to_sym }.each {|k| options[k] = options[k.to_s]; options.delete(k.to_s) }
 
+        # Brakeman.logger is probably not set yet
+        logger = Brakeman::Logger.get_logger(options.merge(line_options))
+
         unless line_options[:allow_check_paths_in_config]
           if options.include? :additional_checks_path
             options.delete :additional_checks_path
 
-            logger.alert 'Ignoring additional check paths in config file. Use --allow-check-paths-in-config to allow' unless (options[:quiet] || quiet)
+            logger.alert 'Ignoring additional check paths in config file. Use --allow-check-paths-in-config to allow'
           end
         end
 
-        # notify if options[:quiet] and quiet is nil||false
-        # potentially remove these checks now that logger is used
-        logger.alert "Using configuration in #{config}" unless (options[:quiet] || quiet)
+        logger.alert "Using configuration in #{config}"
         options
       else
-        logger.alert "Empty configuration file: #{config}" unless quiet
+        logger = Brakeman::Logger.get_logger(line_options)
+        logger.alert "Empty configuration file: #{config}"
         {}
       end
     else
@@ -416,11 +414,27 @@ module Brakeman
     end
   end
 
-  def self.ensure_latest
+  # Returns quit message unless the latest version
+  # of Brakeman matches the current version.
+  #
+  # Optionally checks that the latest version is at least
+  # the specified number of days old.
+  def self.ensure_latest(days_old: 0)
+    require 'date'
+
     current = Brakeman::Version
-    latest = Gem.latest_version_for('brakeman').to_s
-    if current != latest
-      "Brakeman #{current} is not the latest version #{latest}"
+    latest = Gem.latest_spec_for('brakeman')
+    release_date = latest.date.to_date
+    latest_version = latest.version.to_s
+
+    if (Date.today - latest.date.to_date) >= days_old
+      if current != latest_version
+        return "Brakeman #{current} is not the latest version #{latest_version}"
+      else
+        false
+      end
+    else
+      false
     end
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 8.0.2
+  version: 8.0.5
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-02-03 00:00:00.000000000 Z
+date: 2026-06-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: racc
@@ -150,9 +150,9 @@ files:
 - bundle/ruby/3.2.0/gems/highline-3.1.2/lib/highline/terminal/unix_stty.rb
 - bundle/ruby/3.2.0/gems/highline-3.1.2/lib/highline/version.rb
 - bundle/ruby/3.2.0/gems/highline-3.1.2/lib/highline/wrapper.rb
-- bundle/ruby/3.2.0/gems/parallel-1.27.0/MIT-LICENSE.txt
-- bundle/ruby/3.2.0/gems/parallel-1.27.0/lib/parallel.rb
-- bundle/ruby/3.2.0/gems/parallel-1.27.0/lib/parallel/version.rb
+- bundle/ruby/3.2.0/gems/parallel-1.28.0/MIT-LICENSE.txt
+- bundle/ruby/3.2.0/gems/parallel-1.28.0/lib/parallel.rb
+- bundle/ruby/3.2.0/gems/parallel-1.28.0/lib/parallel/version.rb
 - bundle/ruby/3.2.0/gems/reline-0.6.3/BSDL
 - bundle/ruby/3.2.0/gems/reline-0.6.3/COPYING
 - bundle/ruby/3.2.0/gems/reline-0.6.3/README.md
@@ -700,7 +700,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.1
+rubygems_version: 3.4.19
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.

data/bundle/ruby/3.2.0/gems/parallel-1.27.0/lib/parallel/version.rb

@@ -1,4 +0,0 @@
-# frozen_string_literal: true
-module Parallel
-  VERSION = Version = '1.27.0' # rubocop:disable Naming/ConstantName
-end