RubyGems - brakeman - Versions diffs - 3.1.5 → 3.2.0.pre1 - Mend

brakeman 3.1.5 → 3.2.0.pre1

Files changed (29) hide show

checksums.yaml +4 -4
data/CHANGES +11 -0
data/lib/brakeman.rb +4 -4
data/lib/brakeman/call_index.rb +22 -31
data/lib/brakeman/checks.rb +59 -73
data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +0 -21
data/lib/brakeman/checks/check_cross_site_scripting.rb +2 -2
data/lib/brakeman/checks/check_render.rb +9 -1
data/lib/brakeman/checks/check_sql.rb +3 -3
data/lib/brakeman/processors/alias_processor.rb +1 -1
data/lib/brakeman/processors/base_processor.rb +8 -0
data/lib/brakeman/processors/erb_template_processor.rb +1 -1
data/lib/brakeman/processors/erubis_template_processor.rb +1 -1
data/lib/brakeman/processors/haml_template_processor.rb +2 -1
data/lib/brakeman/processors/lib/basic_processor.rb +16 -0
data/lib/brakeman/processors/lib/find_all_calls.rb +4 -2
data/lib/brakeman/processors/lib/find_call.rb +1 -1
data/lib/brakeman/processors/lib/render_path.rb +2 -1
data/lib/brakeman/report/ignore/config.rb +3 -3
data/lib/brakeman/report/report_csv.rb +1 -2
data/lib/brakeman/report/report_json.rb +1 -4
data/lib/brakeman/tracker.rb +21 -0
data/lib/brakeman/util.rb +4 -3
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +2 -2
data/lib/ruby_parser/bm_sexp.rb +23 -23
metadata +8 -44
data/lib/brakeman/report/initializers/faster_csv.rb +0 -7
data/lib/brakeman/report/initializers/multi_json.rb +0 -29

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 449a20c68813d646031a349e4ef3144c387462f1
-  data.tar.gz: 65f2ed189a51bfc5e9b3d7bbe0d04d7fdfc8ae39
+  metadata.gz: 1e770766f6b12a78d68bb5578ca2f03edc16dbb0
+  data.tar.gz: d16b6325409502c5828ce379e364e43fbc10ec9e
 SHA512:
-  metadata.gz: fe400de4fdfe2d81dc1dfab9e5ff9f0b6f8c53f4c30f868b8e605185e74a907b2932ab3dbe5b793425fd90c5e55fb3f34efdd7d755f04223939ba38d4e5bb3ef
-  data.tar.gz: 1a7e2f419f4c8a2fdfc438406700220b2aba13409a5371db909a571d7a51bde96b1a231fbcd12d19fce49b463288b4d65100d35ba7e4879ed8fd04b729a037a7
+  metadata.gz: 79dbc7972a53fd175306dd50e21943b1825870fa2273b489bb2fef00c7870c5f0c5fc48e90b919d78b57dd2ff46b1a1be7fdee40f55f545d8a0cbecfe0878826
+  data.tar.gz: 647e2c2f42057c5f2d64a4e5166f3541ed1764062d4b6bed7668e6ba31429214486dbb8a495435dc144a98f52ec7357330640cb2730c71157a236b23bd7fdbb4

data/CHANGES CHANGED

@@ -1,3 +1,14 @@
+# 3.2.0.pre1
+* Support calls using `&.` operator
+* Update ruby_parser dependency to 3.8.1
+* Remove `fastercsv` dependency
+* Fix finding calls with `targets: nil`
+* Remove `multi-json` dependecy
+* Handle CoffeeScript in HAML
+* Avoid render warnings about params[:action]/params[:controller]
+* Index calls in class bodies but outside methods
 # 3.1.5
 * Fix CodeClimate construction of --only-files (Will Fleming)

data/lib/brakeman.rb CHANGED

@@ -407,20 +407,20 @@ module Brakeman
   # Compare JSON ouptut from a previous scan and return the diff of the two scans
   def self.compare options
-    require 'multi_json'
+    require 'json'
     require 'brakeman/differ'
     raise ArgumentError.new("Comparison file doesn't exist") unless File.exist? options[:previous_results_json]
     begin
-      previous_results = MultiJson.load(File.read(options[:previous_results_json]), :symbolize_keys => true)[:warnings]
-    rescue MultiJson::DecodeError
+      previous_results = JSON.parse(File.read(options[:previous_results_json]), :symbolize_names => true)[:warnings]
+    rescue JSON::ParserError
       self.notify "Error parsing comparison file: #{options[:previous_results_json]}"
       exit!
     end
     tracker = run(options)
-    new_results = MultiJson.load(tracker.report.to_json, :symbolize_keys => true)[:warnings]
+    new_results = JSON.parse(tracker.report.to_json, :symbolize_names => true)[:warnings]
     Brakeman::Differ.new(new_results, previous_results).diff
   end

data/lib/brakeman/call_index.rb CHANGED

@@ -5,8 +5,8 @@ class Brakeman::CallIndex
   #Initialize index with calls from FindAllCalls
   def initialize calls
-    @calls_by_method = Hash.new
-    @calls_by_target = Hash.new
+    @calls_by_method = Hash.new { |h, k| h[k] = [] }
+    @calls_by_target = Hash.new { |h, k| h[k] = [] }
     index_calls calls
   end
@@ -45,7 +45,7 @@ class Brakeman::CallIndex
     #Find calls with no explicit target
     #with either :target => nil or :target => false
-    elsif options.key? :target and not target and method
+    elsif (options.key? :target or options.key? :targets) and not target and method
       calls = calls_by_method method
       calls = filter_by_target calls, nil
@@ -66,44 +66,35 @@ class Brakeman::CallIndex
   end
   def remove_template_indexes template_name = nil
-    @calls_by_method.each do |name, calls|
-      calls.delete_if do |call|
-        from_template call, template_name
-      end
-    end
-    @calls_by_target.each do |name, calls|
-      calls.delete_if do |call|
-        from_template call, template_name
+    [@calls_by_method, @calls_by_target].each do |calls_by|
+      calls_by.each do |name, calls|
+        calls.delete_if do |call|
+          from_template call, template_name
+        end
       end
     end
   end
   def remove_indexes_by_class classes
-    @calls_by_method.each do |name, calls|
-      calls.delete_if do |call|
-        call[:location][:type] == :class and classes.include? call[:location][:class]
-      end
-    end
-    @calls_by_target.each do |name, calls|
-      calls.delete_if do |call|
-        call[:location][:type] == :class and classes.include? call[:location][:class]
+    [@calls_by_method, @calls_by_target].each do |calls_by|
+      calls_by.each do |name, calls|
+        calls.delete_if do |call|
+          call[:location][:type] == :class and classes.include? call[:location][:class]
+        end
       end
     end
   end
   def index_calls calls
     calls.each do |call|
-      @calls_by_method[call[:method]] ||= []
       @calls_by_method[call[:method]] << call
-      if not call[:target].is_a? Sexp
-        @calls_by_target[call[:target]] ||= []
-        @calls_by_target[call[:target]] << call
-      elsif call[:target].node_type == :params or call[:target].node_type == :session
-        @calls_by_target[call[:target].node_type] ||= []
-        @calls_by_target[call[:target].node_type] << call
+      target = call[:target]
+      if not target.is_a? Sexp
+        @calls_by_target[target] << call
+      elsif target.node_type == :params or target.node_type == :session
+        @calls_by_target[target.node_type] << call
       end
     end
   end
@@ -115,7 +106,7 @@ class Brakeman::CallIndex
     method = options[:method] || options[:methods]
     calls = calls_by_method method
     return [] if calls.nil?
     calls = filter_by_chain calls, target
@@ -145,7 +136,7 @@ class Brakeman::CallIndex
     elsif method.is_a? Regexp
       calls_by_methods_regex method
     else
-      @calls_by_method[method.to_sym] || []
+      @calls_by_method[method.to_sym]
     end
   end
@@ -169,7 +160,7 @@ class Brakeman::CallIndex
   end
   def calls_with_no_target
-    @calls_by_target[nil] || []
+    @calls_by_target[nil]
   end
   def filter calls, key, value

data/lib/brakeman/checks.rb CHANGED

@@ -93,91 +93,49 @@ class Brakeman::Checks
   #Run all the checks on the given Tracker.
   #Returns a new instance of Checks with the results.
   def self.run_checks(app_tree, tracker)
-    if tracker.options[:parallel_checks]
-      self.run_checks_parallel(app_tree, tracker)
-    else
-      self.run_checks_sequential(app_tree, tracker)
-    end
-  end
-  #Run checks sequentially
-  def self.run_checks_sequential(app_tree, tracker)
+    checks = self.checks_to_run(tracker)
     check_runner = self.new :min_confidence => tracker.options[:min_confidence]
-    self.checks_to_run(tracker).each do |c|
-      check_name = get_check_name c
-      #Run or don't run check based on options
-      unless tracker.options[:skip_checks].include? check_name or
-        (tracker.options[:run_checks] and not tracker.options[:run_checks].include? check_name)
-        Brakeman.notify " - #{check_name}"
-        check = c.new(app_tree, tracker)
-        begin
-          check.run_check
-        rescue => e
-          tracker.error e
-        end
-        check.warnings.each do |w|
-          check_runner.add_warning w
-        end
-        #Maintain list of which checks were run
-        #mainly for reporting purposes
-        check_runner.checks_run << check_name[5..-1]
-      end
-    end
-    check_runner
+    self.actually_run_checks(checks, check_runner, app_tree, tracker)
   end
-  #Run checks in parallel threads
-  def self.run_checks_parallel(app_tree, tracker)
-    threads = []
+  def self.actually_run_checks(checks, check_runner, app_tree, tracker)
+    threads = [] # Results for parallel
+    results = [] # Results for sequential
+    parallel = tracker.options[:parallel_checks]
     error_mutex = Mutex.new
-    check_runner = self.new :min_confidence => tracker.options[:min_confidence]
-    self.checks_to_run(tracker).each do |c|
+    checks.each do |c|
       check_name = get_check_name c
+      Brakeman.notify " - #{check_name}"
-      #Run or don't run check based on options
-      unless tracker.options[:skip_checks].include? check_name or
-        (tracker.options[:run_checks] and not tracker.options[:run_checks].include? check_name)
-        Brakeman.notify " - #{check_name}"
+      if parallel
         threads << Thread.new do
-          check = c.new(app_tree, tracker)
-          begin
-            check.run_check
-          rescue => e
-            error_mutex.synchronize do
-              tracker.error e
-            end
-          end
-          check.warnings
+          self.run_a_check(c, error_mutex, app_tree, tracker)
         end
-        #Maintain list of which checks were run
-        #mainly for reporting purposes
-        check_runner.checks_run << check_name[5..-1]
+      else
+        results << self.run_a_check(c, error_mutex, app_tree, tracker)
       end
+      #Maintain list of which checks were run
+      #mainly for reporting purposes
+      check_runner.checks_run << check_name[5..-1]
     end
     threads.each { |t| t.join }
     Brakeman.notify "Checks finished, collecting results..."
-    #Collect results
-    threads.each do |thread|
-      thread.value.each do |warning|
-        check_runner.add_warning warning
+    if parallel
+      threads.each do |thread|
+        thread.value.each do |warning|
+          check_runner.add_warning warning
+        end
+      end
+    else
+      results.each do |warnings|
+        warnings.each do |warning|
+          check_runner.add_warning warning
+        end
       end
     end
@@ -191,11 +149,39 @@ class Brakeman::Checks
   end
   def self.checks_to_run tracker
-    if tracker.options[:run_all_checks] or tracker.options[:run_checks]
-      @checks + @optional_checks
-    else
-      @checks
+    to_run = if tracker.options[:run_all_checks] or tracker.options[:run_checks]
+               @checks + @optional_checks
+             else
+               @checks
+             end
+    self.filter_checks to_run, tracker
+  end
+  def self.filter_checks checks, tracker
+    skipped = tracker.options[:skip_checks]
+    explicit = tracker.options[:run_checks]
+    checks.reject do |c|
+      check_name = self.get_check_name(c)
+      skipped.include? check_name or
+        (explicit and not explicit.include? check_name)
+    end
+  end
+  def self.run_a_check klass, mutex, app_tree, tracker
+    check = klass.new(app_tree, tracker)
+    begin
+      check.run_check
+    rescue => e
+      mutex.synchronize do
+        tracker.error e
+      end
     end
+    check.warnings
   end
 end

data/lib/brakeman/checks/check_basic_auth_timing_attack.rb CHANGED

@@ -17,31 +17,10 @@ class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
                  return
                end
-    check_basic_auth_filter
     check_basic_auth_call
   end
-  def check_basic_auth_filter
-    controllers = tracker.controllers.select do |name, c|
-      c.options[:http_basic_authenticate_with]
-    end
-    Hash[controllers].each do |name, controller|
-      controller.options[:http_basic_authenticate_with].each do |call|
-        warn :controller => name,
-          :warning_type => "Timing Attack",
-          :warning_code => :CVE_2015_7576,
-          :message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade",
-          :code => call,
-          :confidence => CONFIDENCE[:high],
-          :file => controller.file,
-          :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
-      end
-    end
-  end
   def check_basic_auth_call
-    # This is relatively unusual, but found in the wild
     tracker.find_call(target: nil, method: :http_basic_authenticate_with).each do |result|
       warn :result => result,
         :warning_type => "Timing Attack",

data/lib/brakeman/checks/check_cross_site_scripting.rb CHANGED

@@ -99,7 +99,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         link_path = "cross_site_scripting"
         warning_code = :cross_site_scripting
-        if node_type?(out, :call, :attrasgn) && out.method == :to_json
+        if node_type?(out, :call, :safe_call, :attrasgn, :safe_attrasgn) && out.method == :to_json
           message += " in JSON hash"
           link_path += "_to_json"
           warning_code = :xss_to_json
@@ -334,7 +334,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   end
   def html_safe_call? exp
-    exp.value.node_type == :call and exp.value.method == :html_safe
+    call? exp.value and exp.value.method == :html_safe
   end
   def ignore_call? target, method

data/lib/brakeman/checks/check_render.rb CHANGED

@@ -35,7 +35,6 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
     if sexp? view and not duplicate? result
       add_result result
       if input = has_immediate_user_input?(view)
         if string_interp? view
           confidence = CONFIDENCE[:med]
@@ -49,6 +48,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
       end
       return if input.type == :model #skip models
+      return if safe_param? input.match
       message = "Render path contains #{friendly_type_of input}"
@@ -71,6 +71,7 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
     if sexp? view and not duplicate? result
       if params? view
         add_result result
+        return if safe_param? view
         warn :result => result,
           :warning_type => "Remote Code Execution",
@@ -81,4 +82,11 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
       end
     end
   end
+  def safe_param? exp
+    if params? exp and call? exp and exp.method == :[]
+      arg = exp.first_arg
+      symbol? arg and [:controller, :action].include? arg.value
+    end
+  end
 end

data/lib/brakeman/checks/check_sql.rb CHANGED

@@ -64,9 +64,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         second_arg = args[2]
         next unless sexp? second_arg
-        if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call
+        if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call, :safe_call
           process_scope_with_block(name, args)
-        elsif second_arg.node_type == :call
+        elsif call? second_arg
           call = second_arg
           scope_calls << scope_call_hash(call, name, call.method)
         else
@@ -107,7 +107,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       find_calls = Brakeman::FindAllCalls.new(tracker)
       find_calls.process_source(block, :class => model_name, :method => scope_name)
       find_calls.calls.each { |call| process_result(call) if @sql_targets.include?(call[:method]) }
-    elsif block.node_type == :call
+    elsif call? block
       while call? block
         process_result :target => block.target, :method => block.method, :call => block,
          :location => { :type => :class, :class => model_name, :method => scope_name }

data/lib/brakeman/processors/alias_processor.rb CHANGED

@@ -296,7 +296,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   # Handles x = y = z = 1
   def get_rhs exp
-    if node_type? exp, :lasgn, :iasgn, :gasgn, :attrasgn, :cvdecl, :cdecl
+    if node_type? exp, :lasgn, :iasgn, :gasgn, :attrasgn, :safe_attrasgn, :cvdecl, :cdecl
       get_rhs(exp.rhs)
     else
       exp

data/lib/brakeman/processors/base_processor.rb CHANGED

@@ -68,6 +68,14 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     call
   end
+  def process_safe_call exp
+    if self.respond_to? :process_call
+      process_call exp
+    else
+      process_default exp
+    end
+  end
   #String with interpolation.
   def process_dstr exp
     exp = exp.dup

data/lib/brakeman/processors/erb_template_processor.rb CHANGED

@@ -25,7 +25,7 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
         arg = exp.first_arg
-        if arg.node_type == :call and arg.method == :to_s #erb always calls to_s on output
+        if call? arg and arg.method == :to_s #erb always calls to_s on output
           arg = arg.target
         end

data/lib/brakeman/processors/erubis_template_processor.rb CHANGED

@@ -21,7 +21,7 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
         arg = exp.first_arg
         #We want the actual content
-        if arg.node_type == :call and (arg.method == :to_s or arg.method == :html_safe!)
+        if call? arg and (arg.method == :to_s or arg.method == :html_safe!)
           arg = arg.target
         end

data/lib/brakeman/processors/haml_template_processor.rb CHANGED

@@ -5,6 +5,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   HAML_FORMAT_METHOD = /format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
   HAML_HELPERS = s(:colon2, s(:const, :Haml), :Helpers)
   JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
+  COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
   #Processes call, looking for template output
   def process_call exp
@@ -90,7 +91,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     elsif target == nil and method == :find_and_preserve
       process exp.first_arg
     elsif method == :render_with_options
-      if target == JAVASCRIPT_FILTER
+      if target == JAVASCRIPT_FILTER or target == COFFEE_FILTER
         @javascript = true
       end

data/lib/brakeman/processors/lib/basic_processor.rb CHANGED

@@ -14,4 +14,20 @@ class Brakeman::BasicProcessor < Brakeman::SexpProcessor
   def process_default exp
     process_all exp
   end
+  def process_safe_call exp
+    if self.respond_to? :process_call
+      process_call exp
+    else
+      process_default exp
+    end
+  end
+  def process_safe_attrasgn exp
+    if self.respond_to? :process_attrasgn
+      process_attrasgn exp
+    else
+      process_default exp
+    end
+  end
 end

data/lib/brakeman/processors/lib/find_all_calls.rb CHANGED

@@ -24,11 +24,13 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Process body of method
   def process_defn exp
+    return exp unless @current_method
     process_all exp.body
   end
   #Process body of method
   def process_defs exp
+    return exp unless @current_method
     process_all exp.body
   end
@@ -139,7 +141,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
         @current_class || @current_module || nil
       when :params, :session, :cookies
         exp.node_type
-      when :call
+      when :call, :safe_call
         if include_calls
           if exp.target.nil?
             exp.method
@@ -165,7 +167,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Returns method chain as an array
   #For example, User.human.alive.all would return [:User, :human, :alive, :all]
   def get_chain call
-    if node_type? call, :call, :attrasgn
+    if node_type? call, :call, :attrasgn, :safe_call, :safe_attrasgn
       get_chain(call.target) + [call.method]
     elsif call.nil?
       []

data/lib/brakeman/processors/lib/find_call.rb CHANGED

@@ -102,7 +102,7 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
     #  User.find(:first, :conditions => "user = '#{params['user']}').name
     #
     #A search for User.find will not match this unless @in_depth is true.
-    if @in_depth and node_type? exp.target, :call
+    if @in_depth and call? exp.target
       process exp.target
     end

data/lib/brakeman/processors/lib/render_path.rb CHANGED

@@ -95,7 +95,8 @@ module Brakeman
     end
     def to_json *args
-      MultiJson.dump(@path)
+      require 'json'
+      JSON.generate(@path)
     end
     def initialize_copy original

data/lib/brakeman/report/ignore/config.rb CHANGED

@@ -1,5 +1,5 @@
 require 'set'
-require 'multi_json'
+require 'json'
 module Brakeman
   class IgnoreConfig
@@ -75,7 +75,7 @@ module Brakeman
     # Read configuration to file
     def read_from_file file = @file
       if File.exist? file
-        @already_ignored = MultiJson.load(File.read(file), :symbolize_keys => true)[:ignored_warnings]
+        @already_ignored = JSON.parse(File.read(file), :symbolize_names => true)[:ignored_warnings]
       else
         Brakeman.notify "[Notice] Could not find ignore configuration in #{file}"
         @already_ignored = []
@@ -107,7 +107,7 @@ module Brakeman
       }
       File.open file, "w" do |f|
-        f.puts MultiJson.dump(output, :pretty => true)
+        f.puts JSON.pretty_generate(output)
       end
     end

data/lib/brakeman/report/report_csv.rb CHANGED

@@ -1,5 +1,4 @@
-Brakeman.load_brakeman_dependency 'csv'
-require "brakeman/report/initializers/faster_csv"
+require 'csv'
 require "brakeman/report/report_table"
 class Brakeman::Report::CSV < Brakeman::Report::Table

data/lib/brakeman/report/report_json.rb CHANGED

@@ -1,6 +1,3 @@
-Brakeman.load_brakeman_dependency 'multi_json'
-require 'brakeman/report/initializers/multi_json'
 class Brakeman::Report::JSON < Brakeman::Report::Base
   def generate_report
     errors = tracker.errors.map{|e| { :error => e[:error], :location => e[:backtrace][0] }}
@@ -32,7 +29,7 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
       :errors => errors
     }
-    MultiJson.dump(report_info, :pretty => true)
+    JSON.pretty_generate report_info
   end
   def convert_to_hashes warnings

data/lib/brakeman/tracker.rb CHANGED

@@ -115,6 +115,23 @@ class Brakeman::Tracker
     end
   end
+  def each_class
+    classes = [self.controllers, self.models]
+    if @options[:index_libs]
+      classes << self.libs
+    end
+    classes.each do |set|
+      set.each do |set_name, collection|
+        collection.src.each do |file, src|
+          yield src, set_name, file
+        end
+      end
+    end
+  end
   #Find a method call.
   #
   #Options:
@@ -178,6 +195,10 @@ class Brakeman::Tracker
       finder.process_source definition, :class => set_name, :method => method_name, :file => file
     end
+    self.each_class do |definition, set_name, file|
+      finder.process_source definition, :class => set_name, :file => file
+    end
     self.each_template do |name, template|
       finder.process_source template.src, :template => template, :file => template.file
     end

data/lib/brakeman/util.rb CHANGED

@@ -167,7 +167,8 @@ module Brakeman::Util
   #Check if _exp_ represents a method call: s(:call, ...)
   def call? exp
-    exp.is_a? Sexp and exp.node_type == :call
+    exp.is_a? Sexp and
+      (exp.node_type == :call or exp.node_type == :safe_call)
   end
   #Check if _exp_ represents a Regexp: s(:lit, /.../)
@@ -214,7 +215,7 @@ module Brakeman::Util
     if exp.is_a? Sexp
       return true if exp.node_type == :params or ALL_PARAMETERS.include? exp
-      if exp.node_type == :call
+      if call? exp
         if params? exp[1]
           return true
         elsif exp[2] == :[]
@@ -230,7 +231,7 @@ module Brakeman::Util
     if exp.is_a? Sexp
       return true if exp.node_type == :cookies or exp == COOKIES
-      if exp.node_type == :call
+      if call? exp
         if cookies? exp[1]
           return true
         elsif exp[2] == :[]

data/lib/brakeman/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.1.5"
+  Version = "3.2.0.pre1"
 end

data/lib/brakeman/warning.rb CHANGED

@@ -1,4 +1,4 @@
-require 'multi_json'
+require 'json'
 require 'digest/sha2'
 require 'brakeman/warning_codes'
@@ -241,7 +241,7 @@ class Brakeman::Warning
   end
   def to_json
-    MultiJson.dump self.to_hash
+    JSON.generate self.to_hash
   end
   private

data/lib/ruby_parser/bm_sexp.rb CHANGED

@@ -141,13 +141,13 @@ class Sexp
   #s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1)))
   #         ^-----------target-----------^
   def target
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     self[1]
   end
   #Sets the target of a method call:
   def target= exp
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     @my_hash_value = nil
     self[1] = exp
   end
@@ -157,10 +157,10 @@ class Sexp
   #s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1)))
   #                        ^- method
   def method
-    expect :call, :attrasgn, :super, :zsuper, :result
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper, :result
     case self.node_type
-    when :call, :attrasgn
+    when :call, :attrasgn, :safe_call, :safe_attrasgn
       self[2]
     when :super, :zsuper
       :super
@@ -170,14 +170,14 @@ class Sexp
   end
   def method= name
-    expect :call
+    expect :call, :safe_call
     self[2] = name
   end
   #Sets the arglist in a method call.
   def arglist= exp
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     @my_hash_value = nil
     start_index = 3
@@ -201,10 +201,10 @@ class Sexp
   #    s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1), s(:lit, 2)))
   #                                                 ^------------ arglist ------------^
   def arglist
-    expect :call, :attrasgn, :super, :zsuper
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
     case self.node_type
-    when :call, :attrasgn
+    when :call, :attrasgn, :safe_call, :safe_attrasgn
       self[3..-1].unshift :arglist
     when :super, :zsuper
       if self[1]
@@ -220,10 +220,10 @@ class Sexp
   #    s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1), s(:lit, 2)))
   #                                                             ^--------args--------^
   def args
-    expect :call, :attrasgn, :super, :zsuper
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
     case self.node_type
-    when :call, :attrasgn
+    when :call, :attrasgn, :safe_call, :safe_attrasgn
       if self[3]
         self[3..-1]
       else
@@ -239,11 +239,11 @@ class Sexp
   end
   def each_arg replace = false
-    expect :call, :attrasgn, :super, :zsuper
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn, :super, :zsuper
     range = nil
     case self.node_type
-    when :call, :attrasgn
+    when :call, :attrasgn, :safe_call, :safe_attrasgn
       if self[3]
         range = (3...self.length)
       end
@@ -270,43 +270,43 @@ class Sexp
   #Returns first argument of a method call.
   def first_arg
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     self[3]
   end
   #Sets first argument of a method call.
   def first_arg= exp
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     @my_hash_value = nil
     self[3] = exp
   end
   #Returns second argument of a method call.
   def second_arg
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     self[4]
   end
   #Sets second argument of a method call.
   def second_arg= exp
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     @my_hash_value = nil
     self[4] = exp
   end
   def third_arg
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     self[5]
   end
   def third_arg= exp
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     @my_hash_value = nil
     self[5] = exp
   end
   def last_arg
-    expect :call, :attrasgn
+    expect :call, :attrasgn, :safe_call, :safe_attrasgn
     if self[3]
       self[-1]
@@ -427,9 +427,9 @@ class Sexp
   #    s(:lasgn, :x, s(:lit, 1))
   #                  ^--rhs---^
   def rhs
-    expect :attrasgn, *ASSIGNMENT_BOOL
+    expect :attrasgn, :safe_attrasgn, *ASSIGNMENT_BOOL
-    if self.node_type == :attrasgn
+    if self.node_type == :attrasgn or self.node_type == :safe_attrasgn
       self[3]
     else
       self[2]
@@ -438,10 +438,10 @@ class Sexp
   #Sets the right hand side of assignment or boolean.
   def rhs= exp
-    expect :attrasgn, *ASSIGNMENT_BOOL
+    expect :attrasgn, :safe_attrasgn, *ASSIGNMENT_BOOL
     @my_hash_value = nil
-    if self.node_type == :attrasgn
+    if self.node_type == :attrasgn or self.node_type == :safe_attrasgn
       self[3] = exp
     else
       self[2] = exp

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 3.1.5
+  version: 3.2.0.pre1
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2016-01-28 00:00:00.000000000 Z
+date: 2016-02-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
@@ -31,32 +31,26 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: 3.8.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: 3.8.1
 - !ruby/object:Gem::Dependency
   name: ruby2ruby
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.1.1
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
         version: 2.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.1.1
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
         version: 2.3.0
 - !ruby/object:Gem::Dependency
@@ -73,20 +67,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.4'
-- !ruby/object:Gem::Dependency
-  name: fastercsv
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: highline
   requirement: !ruby/object:Gem::Requirement
@@ -175,20 +155,6 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '4.0'
-- !ruby/object:Gem::Dependency
-  name: multi_json
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.2'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: safe_yaml
   requirement: !ruby/object:Gem::Requirement
@@ -329,8 +295,6 @@ files:
 - lib/brakeman/report/config/remediation.yml
 - lib/brakeman/report/ignore/config.rb
 - lib/brakeman/report/ignore/interactive.rb
-- lib/brakeman/report/initializers/faster_csv.rb
-- lib/brakeman/report/initializers/multi_json.rb
 - lib/brakeman/report/renderer.rb
 - lib/brakeman/report/report_base.rb
 - lib/brakeman/report/report_codeclimate.rb
@@ -382,9 +346,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project:
 rubygems_version: 2.4.8

data/lib/brakeman/report/initializers/faster_csv.rb DELETED

@@ -1,7 +0,0 @@
-# Ruby 1.8 compatible
-if CSV.const_defined? :Reader
-  require 'fastercsv'
-  Object.send(:remove_const, :CSV)
-  CSV = FasterCSV
-end

data/lib/brakeman/report/initializers/multi_json.rb DELETED

@@ -1,29 +0,0 @@
-#MultiJson interface changed in 1.3.0, but need
-#to support older MultiJson for Rails 3.1.
-mj_engine = nil
-if MultiJson.respond_to? :default_adapter
-  mj_engine = MultiJson.default_adapter
-else
-  mj_engine = MultiJson.default_engine
-  module MultiJson
-    def self.dump *args
-      encode *args
-    end
-    def self.load *args
-      decode *args
-    end
-  end
-end
-#This is so OkJson will work with symbol values
-if mj_engine == :ok_json
-  class Symbol
-    def to_json
-      self.to_s.inspect
-    end
-  end
-end