brakeman 3.1.3 → 3.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0a5242c2a00eaa622ccfd793730c516642f1835c
-  data.tar.gz: 9e684857baaddfc23a7c8b517797e9361fd9d0a1
+  metadata.gz: e2f73f15176bd0a6f4d9dfcc629f2c058b30d837
+  data.tar.gz: b3eb152ea1d579034ccae53d8c0ae2a5765533af
 SHA512:
-  metadata.gz: 75051e388396af7a75b9f9773ba4f16971f1033441fc74dcc2968a0b5421e8cd4117d6f0e18b23d61c891aba78dcd02a24bb255786e559bd12f1b661be984089
-  data.tar.gz: 403638a85e9dff267149e9204cf4789a439112cbebb35df79191f8a036d981f916dc7dfb1a22488f677cda45ffee21f29e18123136db834be2febd0d82962fb7
+  metadata.gz: 9b576a52670e2fe3b3ae035d6f4da88c94635da2c20bab6214fdec4301ae19b30d056a8541742e6ef4abaac801214c65a6438ca94588c44d8cf5b3546602125b
+  data.tar.gz: 1d807d4acc2b35e8aaa6d938a669d953347be9aace422fdd5ce2c9fb4e6b840665b916d34cc52dee2c37d25caab0b6642e1de26b6c37cead2619f14e4cc665a0

data/CHANGES

@@ -1,3 +1,11 @@
+# 3.1.4
+
+* Emit brakeman's native fingerprints for Code Climate engine (Noah Davis)
+* Ignore secrets.yml if in .gitignore
+* Clean up Ruby warnings (Andy Waite)
+* Increase test coverage for option parsing (Zander Mackie)
+* Work around safe_yaml error
+
 # 3.1.3
 
 * Check for session secret in secrets.yml

data/bin/brakeman

@@ -12,7 +12,7 @@ begin
 rescue OptionParser::ParseError => e
   $stderr.puts e.message.capitalize
   $stderr.puts "Please see `brakeman --help` for valid options"
-  exit -1
+  exit(-1)
 end
 
 #Exit early for these options

data/lib/brakeman.rb

@@ -1,5 +1,4 @@
 require 'rubygems'
-require 'safe_yaml/load'
 require 'set'
 
 module Brakeman
@@ -93,6 +92,8 @@ module Brakeman
 
     #Load configuration file
     if config = config_file(custom_location, app_path)
+      require 'date' # https://github.com/dtao/safe_yaml/issues/80
+      require 'safe_yaml/load'
       options = SafeYAML.load_file config, :deserialize_symbols => true
 
       if options
@@ -262,15 +263,15 @@ module Brakeman
       task_path = File.join("lib", "tasks", "brakeman.rake")
     end
 
-    if not File.exists? rake_path
+    if not File.exist? rake_path
       raise RakeInstallError, "No Rakefile detected"
-    elsif File.exists? task_path
+    elsif File.exist? task_path
       raise RakeInstallError, "Task already exists"
     end
 
     require 'fileutils'
 
-    if not File.exists? "lib/tasks"
+    if not File.exist? "lib/tasks"
       notify "Creating lib/tasks"
       FileUtils.mkdir_p "lib/tasks"
     end
@@ -279,7 +280,7 @@ module Brakeman
 
     FileUtils.cp "#{path}/brakeman/brakeman.rake", task_path
 
-    if File.exists? task_path
+    if File.exist? task_path
       notify "Task created in #{task_path}"
       notify "Usage: rake brakeman:run[output_file]"
     else
@@ -289,6 +290,7 @@ module Brakeman
 
   #Output configuration to YAML
   def self.dump_config options
+    require 'yaml'
     if options[:create_config].is_a? String
       file = options[:create_config]
     else
@@ -407,7 +409,7 @@ module Brakeman
   def self.compare options
     require 'multi_json'
     require 'brakeman/differ'
-    raise ArgumentError.new("Comparison file doesn't exist") unless File.exists? options[:previous_results_json]
+    raise ArgumentError.new("Comparison file doesn't exist") unless File.exist? options[:previous_results_json]
 
     begin
       previous_results = MultiJson.load(File.read(options[:previous_results_json]), :symbolize_keys => true)[:warnings]
@@ -431,7 +433,7 @@ module Brakeman
     rescue LoadError => e
       $stderr.puts e.message
       $stderr.puts "Please install the appropriate dependency: #{name}."
-      exit! -1
+      exit!(-1)
     end
   end
 

data/lib/brakeman/app_tree.rb

@@ -43,12 +43,12 @@ module Brakeman
     end
 
     def exists?(path)
-      File.exists?(File.join(@root, path))
+      File.exist?(File.join(@root, path))
     end
 
     # This is a pair for #read_path. Again, would like to kill these
     def path_exists?(path)
-      File.exists?(path)
+      File.exist?(path)
     end
 
     def initializer_paths

data/lib/brakeman/checks/base_check.rb

@@ -348,7 +348,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       if @safe_input_attributes.include? method
         false
       elsif call? target and not method.to_s[-1,1] == "?"
-        if res = has_immediate_model?(target, out)
+        if has_immediate_model?(target, out)
           exp
         else
           false

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -105,12 +105,6 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
           warning_code = :xss_to_json
         end
 
-        code = if match == out
-                 nil
-               else
-                 match
-               end
-
         warn :template => @current_template,
           :warning_type => "Cross Site Scripting",
           :warning_code => warning_code,
@@ -314,7 +308,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
     initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
 
-    if tracker.config.escape_html_entities_in_json? 
+    if tracker.config.escape_html_entities_in_json?
         json_escape_on = true
     elsif version_between? "4.0.0", "5.0.0"
       json_escape_on = true

data/lib/brakeman/checks/check_detailed_exceptions.rb

@@ -25,12 +25,12 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
 
   def check_detailed_exceptions
     tracker.controllers.each do |name, controller|
-      controller.methods_public.each do |name, definition|
+      controller.methods_public.each do |method_name, definition|
         src = definition[:src]
         body = src.body.last
         next unless body
 
-        if name == :show_detailed_exceptions? and not safe? body
+        if method_name == :show_detailed_exceptions? and not safe? body
           if true? body
             confidence = CONFIDENCE[:high]
           else

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -9,6 +9,11 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
   @description = "Finds instances of mass assignment"
 
+  def initialize(*)
+    super
+    @mass_assign_calls = nil
+  end
+
   def run_check
     check_mass_assignment
     check_permit!

data/lib/brakeman/checks/check_number_to_currency.rb

@@ -5,6 +5,11 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
 
   @description = "Checks for number helpers XSS vulnerabilities in certain versions"
 
+  def initialize(*)
+    super
+    @found_any = false
+  end
+
   def run_check
     if version_between? "2.0.0", "2.3.18" or
       version_between? "3.0.0", "3.2.16" or
@@ -35,7 +40,7 @@ class Brakeman::CheckNumberToCurrency < Brakeman::BaseCheck
   end
 
   def check_number_helper_usage
-    number_methods = [:number_to_currency, :number_to_percentage, :number_to_human] 
+    number_methods = [:number_to_currency, :number_to_percentage, :number_to_human]
     tracker.find_call(:target => false, :methods => number_methods).each do |result|
       arg = result[:call].second_arg
       next unless arg

data/lib/brakeman/checks/check_send.rb

@@ -22,7 +22,7 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
 
     send_call = get_send result[:call]
     process_call_args send_call
-    target = process send_call.target
+    process send_call.target
 
     if input = has_immediate_user_input?(send_call.first_arg)
       warn :result => result,

data/lib/brakeman/checks/check_session_settings.rb

@@ -111,8 +111,9 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   def check_secrets_yaml
     secrets_file = "config/secrets.yml"
 
-    if @app_tree.exists? secrets_file
+    if @app_tree.exists? secrets_file and not ignored? "secrets.yml" and not ignored? "config/*.yml"
       yaml = @app_tree.read secrets_file
+      require 'date' # https://github.com/dtao/safe_yaml/issues/80
       require 'safe_yaml/load'
       secrets = SafeYAML.load yaml
 

data/lib/brakeman/processors/alias_processor.rb

@@ -27,6 +27,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     @helper_method_cache = {}
     @helper_method_info = Hash.new({})
     @or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
+    @meth_env = nil
     set_env_defaults
   end
 
@@ -63,7 +64,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
 
     result = replace(exp)
-  
+
     @exp_context.pop
 
     result

data/lib/brakeman/processors/lib/render_path.rb

@@ -60,11 +60,11 @@ module Brakeman
     end
 
     def each &block
-      @path.each &block
+      @path.each(&block)
     end
 
     def join *args
-      self.to_a.join *args
+      self.to_a.join(*args)
     end
 
     def length

data/lib/brakeman/report/ignore/config.rb

@@ -119,7 +119,7 @@ module Brakeman
       @already_ignored.each do |w|
         fingerprint = w[:fingerprint]
 
-        unless @ignored_warnings.find { |w| w.fingerprint == fingerprint }
+        unless @ignored_warnings.find { |ignored_warning| ignored_warning.fingerprint == fingerprint }
           warnings << w
         end
       end

data/lib/brakeman/report/report_base.rb

@@ -142,17 +142,17 @@ class Brakeman::Report::Base
       w = warning.to_row type
 
       case type
-        when :warning
-          convert_warning w, warning
-        when :template
-          convert_template_warning w, warning
-        when :model
-          convert_model_warning w, warning
-        when :controller
-          convert_controller_warning w, warning
-        when :ignored
-          convert_ignored_warning w, warning
-        end
+      when :warning
+        convert_warning w, warning
+      when :template
+        convert_template_warning w, warning
+      when :model
+        convert_model_warning w, warning
+      when :controller
+        convert_controller_warning w, warning
+      when :ignored
+        convert_ignored_warning w, warning
+      end
     end
   end
 

data/lib/brakeman/report/report_codeclimate.rb

@@ -19,6 +19,7 @@ class Brakeman::Report::CodeClimate < Brakeman::Report::Base
       type: "Issue",
       check_name: warning_code_name,
       description: warning.message,
+      fingerprint: warning.fingerprint,
       categories: ["Security"],
       severity: severity_level_for(warning.confidence),
       remediation_points: remediation_points_for(warning_code_name),

data/lib/brakeman/rescanner.rb

@@ -329,7 +329,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
       :initializer
     when /config\/routes\.rb/
       :routes
-    when /\/config\/.+\.rb/
+    when /\/config\/.+\.(rb|yml)/
       :config
     when /Gemfile|gems\./
       :gemfile

data/lib/brakeman/scanner.rb

@@ -11,7 +11,7 @@ begin
 rescue LoadError => e
   $stderr.puts e.message
   $stderr.puts "Please install the appropriate dependency."
-  exit -1
+  exit(-1)
 end
 
 #Scans the Rails application.

data/lib/brakeman/tracker/config.rb

@@ -13,6 +13,8 @@ module Brakeman
       @rails = {}
       @gems = {}
       @settings = {}
+      @escape_html = nil
+      @erubis = nil
     end
 
     def allow_forgery_protection?

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.1.3"
+  Version = "3.1.4"
 end

data/lib/ruby_parser/bm_sexp.rb

@@ -2,7 +2,6 @@
 #and some changes for caching hash value and tracking 'original' line number
 #of a Sexp.
 class Sexp
-  attr_reader :paren
   attr_accessor :original_line, :or_depth
   ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cvasgn, :cdecl, :or, :and, :colon2]
 
@@ -412,13 +411,13 @@ class Sexp
   #    s(:lasgn, :x, s(:lit, 1))
   #               ^--lhs
   def lhs
-    expect *ASSIGNMENT_BOOL
+    expect(*ASSIGNMENT_BOOL)
     self[1]
   end
 
   #Sets the left hand side of assignment or boolean.
   def lhs= exp
-    expect *ASSIGNMENT_BOOL
+    expect(*ASSIGNMENT_BOOL)
     @my_hash_value = nil
     self[1] = exp
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 3.1.3
+  version: 3.1.4
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2015-12-03 00:00:00.000000000 Z
+date: 2015-12-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit