brakeman 3.5.0 → 3.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9c676c07132a5e5df3d4cf679ecc55ee25d27f8f
-  data.tar.gz: 637b645d451d50af8b7538962dfd807b6c8e71ef
+  metadata.gz: c832b4e3f033e2c7c2c73069ac1a84e3099b4d7f
+  data.tar.gz: 9e476ed98544b16559d8d141ac271a43eff9d217
 SHA512:
-  metadata.gz: cdcdfec84f0d1de46bb4b15ca356107eb64252b00462dc38a123582dacb528ed05a5d1097958ff49700be1b6ab41cfe952a59835840e924b9430c225d14ffa2d
-  data.tar.gz: 40ee357bdc5b71bac031cdc694819be263e79b21855f632aa1f8183e7d9276b1197fe9e6f928a67b3f4ba9535c8f4492dd7ff11af7fd2cf9a47442238b468290
+  metadata.gz: 204fc41adbb75f0f0f67f2a0d888c72e188cd907a2a3a4f11ecafefd690c150163d7271313e2eb6c08d9f68db15655d5412a7633e61270ad6e16b5c3b509008d
+  data.tar.gz: b81536ff00f0b5665069aa8528f6f77ef3b20bc1027fb213b6fb386c2376958b21745bbca49102af865cb6b72d95d754798f0ed330c66cc5def6898e54ed8132

data/CHANGES

@@ -1,3 +1,14 @@
+# 3.6.0 
+
+* Avoid recursive Concerns
+* Branch inside of `case` expressions
+* Print command line option errors without modification
+* Fix issue with nested interpolation inside SQL strings
+* Ignore GraphQL tags inside ERB templates
+* Add `--exit-on-error` (Michael Grosser)
+* Only report CVE-2015-3227 when exact version is known
+* Check targetless SQL calls outside of known models
+
 # 3.5.0
 
 * Allow `-t None`
@@ -102,7 +113,7 @@
 * Update ruby_parser dependency to 3.8.1
 * Remove `fastercsv` dependency
 * Fix finding calls with `targets: nil`
-* Remove `multi_json` dependecy
+* Remove `multi_json` dependency
 * Handle CoffeeScript in HAML
 * Avoid render warnings about params[:action]/params[:controller]
 * Index calls in class bodies but outside methods
@@ -118,7 +129,7 @@
 * Add check for mime-type denial of service (CVE-2016-0751)
 * Add check for basic auth timing attack (CVE-2015-7576)
 * Add initial Rails 5 support
-* Check for implict integer comparison in dynamic finders
+* Check for implicit integer comparison in dynamic finders
 * Support directories better in --only-files and --skip-files (Patrick Toomey)
 * Avoid warning about `permit` in SQL
 * Handle guards using `detect`
@@ -235,7 +246,7 @@
 * Remove formatting newlines in HAML template output
 * Ignore case value in XSS checks
 * Fix CSV output when there are no warnings
-* Handle processing of explictly shadowed block arguments
+* Handle processing of explicitly shadowed block arguments
 
 # 3.0.1
 
@@ -285,7 +296,7 @@
 * Add `-4` option to force Rails 4 mode
 * Check entire call for `send`
 * Check for .gitignore of secrets in subdirectories
-* Fix block statment endings in Erubis
+* Fix block statement endings in Erubis
 * Fix undefined variable in controller processing error (Jason Barnabe) 
 
 # 2.6.1

data/bin/brakeman

@@ -10,7 +10,7 @@ require 'brakeman/version'
 begin
   options, parser = Brakeman::Options.parse! ARGV
 rescue OptionParser::ParseError => e
-  $stderr.puts e.message.capitalize
+  $stderr.puts e.message
   $stderr.puts "Please see `brakeman --help` for valid options"
   exit(-1)
 end
@@ -90,6 +90,11 @@ begin
       exit Brakeman::Warnings_Found_Exit_Code
     end
   end
+
+  #Return error code if --exit-on-error is used and errors were found
+  if tracker.options[:exit_on_error] and tracker.errors.any?
+    exit Brakeman::Errors_Found_Exit_Code
+  end
 rescue Brakeman::NoApplication => e
   warn e.message
   exit Brakeman::No_App_Found_Exit_Code

data/bundle/load.rb

@@ -1,4 +1,5 @@
 path = File.expand_path('../..', __FILE__)
+$:.unshift "#{path}/bundle/ruby/2.3.0/gems/sexp_processor-4.8.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/sass-3.4.23/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/sass-3.4.23/vendor/listen/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/haml-4.0.7/lib"
@@ -6,8 +7,7 @@ $:.unshift "#{path}/bundle/ruby/2.3.0/gems/highline-1.7.8/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/terminal-table-1.7.3/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/temple-0.7.7/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/ruby2ruby-2.3.2/lib"
-$:.unshift "#{path}/bundle/ruby/2.3.0/gems/tilt-2.0.6/lib"
-$:.unshift "#{path}/bundle/ruby/2.3.0/gems/sexp_processor-4.7.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.3.0/gems/tilt-2.0.7/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/slim-3.0.7/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/ruby_parser-3.8.4/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/unicode-display_width-1.1.3/lib"

data/bundle/ruby/2.3.0/gems/ruby_parser-3.8.4/Manifest.txt

@@ -5,7 +5,10 @@ README.rdoc
 Rakefile
 bin/ruby_parse
 bin/ruby_parse_extract_error
+compare/normalize.rb
 lib/.document
+lib/rp_extensions.rb
+lib/rp_stringscanner.rb
 lib/ruby18_parser.rb
 lib/ruby18_parser.y
 lib/ruby19_parser.rb
@@ -18,6 +21,8 @@ lib/ruby22_parser.rb
 lib/ruby22_parser.y
 lib/ruby23_parser.rb
 lib/ruby23_parser.y
+lib/ruby24_parser.rb
+lib/ruby24_parser.y
 lib/ruby_lexer.rb
 lib/ruby_lexer.rex
 lib/ruby_lexer.rex.rb

data/bundle/ruby/2.3.0/gems/ruby_parser-3.8.4/README.rdoc

@@ -57,6 +57,18 @@ You can also use Ruby19Parser, Ruby18Parser, or RubyParser.for_current_ruby:
   RubyParser.for_current_ruby.parse "1+1"
   # => s(:call, s(:lit, 1), :+, s(:lit, 1))
 
+== DEVELOPER NOTES:
+
+To add a new version:
+
+* New parser should be generated from lib/ruby_parser.yy.
+* Extend lib/ruby_parser.yy with new class name.
+* Add new version number to Rakefile for rule creation.
+* Require generated parser in lib/ruby_parser.rb.
+* Add empty TestRubyParserShared##Plus module and TestRubyParserV## to test/test_ruby_parser.rb.
+* Extend Manifest.txt with generated file names.
+* Extend sexp_processor's pt_testcase.rb to match version
+
 == REQUIREMENTS:
 
 * ruby. woot.

data/bundle/ruby/2.3.0/gems/ruby_parser-3.8.4/Rakefile

@@ -14,6 +14,10 @@ Hoe.add_include_dirs "../../sexp_processor/dev/lib"
 Hoe.add_include_dirs "../../minitest/dev/lib"
 Hoe.add_include_dirs "../../oedipus_lex/dev/lib"
 
+V1   = %w[18 19]
+V2   = %w[20 21 22 23 24]
+V1_2 = V1 + V2
+
 Hoe.spec "ruby_parser" do
   developer "Ryan Davis", "ryand-ruby@zenspider.com"
 
@@ -24,45 +28,33 @@ Hoe.spec "ruby_parser" do
   dependency "oedipus_lex", "~> 2.1", :developer
 
   if plugin? :perforce then     # generated files
-    self.perforce_ignore << "lib/ruby18_parser.rb"
-    self.perforce_ignore << "lib/ruby19_parser.rb"
-    self.perforce_ignore << "lib/ruby20_parser.rb"
-    self.perforce_ignore << "lib/ruby20_parser.y"
-    self.perforce_ignore << "lib/ruby21_parser.rb"
-    self.perforce_ignore << "lib/ruby21_parser.y"
-    self.perforce_ignore << "lib/ruby22_parser.rb"
-    self.perforce_ignore << "lib/ruby22_parser.y"
-    self.perforce_ignore << "lib/ruby23_parser.rb"
-    self.perforce_ignore << "lib/ruby23_parser.y"
-    self.perforce_ignore << "lib/ruby_lexer.rex.rb"
-  end
+    V1_2.each do |n|
+      self.perforce_ignore << "lib/ruby#{n}_parser.rb"
+    end
 
-  self.racc_flags << " -t" if plugin?(:racc) && ENV["DEBUG"]
-end
-
-file "lib/ruby20_parser.y" => "lib/ruby_parser.yy" do |t|
-  sh "unifdef -tk -DRUBY20 -URUBY21 -URUBY22 -URUBY23 -UDEAD #{t.source} > #{t.name} || true"
-end
+    V2.each do |n|
+      self.perforce_ignore << "lib/ruby#{n}_parser.y"
+    end
+  end
 
-file "lib/ruby21_parser.y" => "lib/ruby_parser.yy" do |t|
-  sh "unifdef -tk -URUBY20 -DRUBY21 -URUBY22 -URUBY23 -UDEAD #{t.source} > #{t.name} || true"
+  if plugin?(:racc)
+    self.racc_flags << " -t" if ENV["DEBUG"]
+    self.racc_flags << " --superclass RubyParser::Parser"
+    # self.racc_flags << " --runtime ruby_parser" # TODO: broken in racc
+  end
 end
 
-file "lib/ruby22_parser.y" => "lib/ruby_parser.yy" do |t|
-  sh "unifdef -tk -URUBY20 -URUBY21 -DRUBY22 -URUBY23 -UDEAD #{t.source} > #{t.name} || true"
+V2.each do |n|
+  file "lib/ruby#{n}_parser.y" => "lib/ruby_parser.yy" do |t|
+    cmd = 'unifdef -tk -DV=%s -UDEAD %s > %s || true' % [n, t.source, t.name]
+    sh cmd
+  end
 end
 
-file "lib/ruby23_parser.y" => "lib/ruby_parser.yy" do |t|
-  sh "unifdef -tk -URUBY20 -URUBY21 -URUBY22 -DRUBY23 -UDEAD #{t.source} > #{t.name} || true"
+V1_2.each do |n|
+  file "lib/ruby#{n}_parser.rb" => "lib/ruby#{n}_parser.y"
 end
 
-
-file "lib/ruby18_parser.rb" => "lib/ruby18_parser.y"
-file "lib/ruby19_parser.rb" => "lib/ruby19_parser.y"
-file "lib/ruby20_parser.rb" => "lib/ruby20_parser.y"
-file "lib/ruby21_parser.rb" => "lib/ruby21_parser.y"
-file "lib/ruby22_parser.rb" => "lib/ruby22_parser.y"
-file "lib/ruby23_parser.rb" => "lib/ruby23_parser.y"
 file "lib/ruby_lexer.rex.rb" => "lib/ruby_lexer.rex"
 
 task :clean do
@@ -94,32 +86,110 @@ end
 
 task :isolate => :phony
 
-# to create parseXX.output:
-#
-# 1) check out the XX version of ruby
-# 2) Edit uncommon.mk, find the ".y.c" rule and remove the RM lines
-# 3) run `rm -f parse.c; make parse.c`
-# 4) run `bison -r all parse.tmp.y`
-# 5) mv parse.tmp.output parseXX.output
-
-# possibly new instructions:
-#
-# 1) check out the XX version of ruby
-# 2) YFLAGS="-r all" make parse.c
-# 3) mv y.output parseXX.output
-
-%w[18 19 20 21 22 23].each do |v|
-  task "compare#{v}" do
-    sh "./yack.rb lib/ruby#{v}_parser.output > racc#{v}.txt"
-    sh "./yack.rb parse#{v}.output > yacc#{v}.txt"
-    sh "diff -du racc#{v}.txt yacc#{v}.txt || true"
-    puts
-    sh "diff -du racc#{v}.txt yacc#{v}.txt | wc -l"
+def in_compare
+  Dir.chdir "compare" do
+    yield
   end
 end
 
+def dl v
+  dir = v[/^\d+\.\d+/]
+  url = "https://cache.ruby-lang.org/pub/ruby/#{dir}/ruby-#{v}.tar.bz2"
+  path = File.basename url
+  unless File.exist? path then
+    system "curl -O #{url}"
+  end
+end
+
+def ruby_parse version
+  v         = version[/^\d+\.\d+/].delete "."
+  rp_txt    = "rp#{v}.txt"
+  mri_txt   = "mri#{v}.txt"
+  parse_y   = "parse#{v}.y"
+  tarball   = "ruby-#{version}.tar.bz2"
+  ruby_dir  = "ruby-#{version}"
+  diff      = "diff#{v}.diff"
+  rp_out    = "lib/ruby#{v}_parser.output"
+
+  c_diff    = "compare/#{diff}"
+  c_rp_txt  = "compare/#{rp_txt}"
+  c_mri_txt = "compare/#{mri_txt}"
+  c_parse_y = "compare/#{parse_y}"
+  c_tarball = "compare/#{tarball}"
+
+  file tarball do
+    in_compare do
+      dl version
+    end
+  end
+
+  file c_parse_y => c_tarball do
+    in_compare do
+      system "tar yxf #{tarball} #{ruby_dir}/{id.h,parse.y,tool/{id2token.rb,vpath.rb}}"
+      Dir.chdir ruby_dir do
+        if File.exist? "tool/id2token.rb" then
+          sh "ruby tool/id2token.rb --path-separator=.:./ id.h parse.y > ../#{parse_y}"
+        else
+          cp "parse.y", "../#{parse_y}"
+        end
+      end
+      sh "rm -rf #{ruby_dir}"
+    end
+  end
+
+  file c_mri_txt => c_parse_y do
+    in_compare do
+      sh "bison -r all #{parse_y}"
+      sh "./normalize.rb parse#{v}.output > #{mri_txt}"
+      rm ["parse#{v}.output", "parse#{v}.tab.c"]
+    end
+  end
+
+  file rp_out => :parser
+
+  file c_rp_txt => rp_out do
+    in_compare do
+      sh "./normalize.rb ../#{rp_out} > #{rp_txt}"
+    end
+  end
+
+  compare = "compare#{v}"
+
+  desc "Compare all grammars to MRI"
+  task :compare => compare
+
+  task c_diff => [c_mri_txt, c_rp_txt] do
+    in_compare do
+      system "diff -du #{mri_txt} #{rp_txt} > #{diff}"
+    end
+  end
+
+  desc "Compare #{v} grammar to MRI #{version}"
+  task compare => c_diff do
+    in_compare do
+      system "wc -l #{diff}"
+    end
+  end
+
+  task :clean do
+    rm_f Dir[c_parse_y, c_mri_txt, c_rp_txt]
+  end
+
+  task :realclean do
+    rm_f Dir[tarball]
+  end
+end
+
+ruby_parse "1.8.7-p374"
+ruby_parse "1.9.3-p551"
+ruby_parse "2.0.0-p648"
+ruby_parse "2.1.9"
+ruby_parse "2.2.6"
+ruby_parse "2.3.3"
+# TODO ruby_parse "2.4.0"
+
 task :debug => :isolate do
-  ENV["V"] ||= "23"
+  ENV["V"] ||= V1_2.last
   Rake.application[:parser].invoke # this way we can have DEBUG set
   Rake.application[:lexer].invoke # this way we can have DEBUG set
 
@@ -127,22 +197,9 @@ task :debug => :isolate do
   require "ruby_parser"
   require "pp"
 
-  parser = case ENV["V"]
-           when "18" then
-             Ruby18Parser.new
-           when "19" then
-             Ruby19Parser.new
-           when "20" then
-             Ruby20Parser.new
-           when "21" then
-             Ruby21Parser.new
-           when "22" then
-             Ruby22Parser.new
-           when "23" then
-             Ruby23Parser.new
-           else
-             raise "Unsupported version #{ENV["V"]}"
-           end
+  klass = Object.const_get("Ruby#{ENV["V"]}Parser") rescue nil
+  raise "Unsupported version #{ENV["V"]}" unless klass
+  parser = klass.new
 
   time = (ENV["RP_TIMEOUT"] || 10).to_i
 
@@ -173,7 +230,7 @@ task :debug_ruby do
 end
 
 task :extract => :isolate do
-  ENV["V"] ||= "19"
+  ENV["V"] ||= V1_2.last
   Rake.application[:parser].invoke # this way we can have DEBUG set
 
   file = ENV["F"] || ENV["FILE"]

data/bundle/ruby/2.3.0/gems/ruby_parser-3.8.4/compare/normalize.rb

@@ -0,0 +1,146 @@
+#!/usr/bin/ruby -w
+
+good = false
+
+rules = Hash.new { |h,k| h[k] = [] }
+rule = nil
+order = []
+
+def munge s
+  renames = [
+             "'='",             "tEQL",
+             "'!'",             "tBANG",
+             "'%'",             "tPERCENT",
+             "'&'",             "tAMPER2",
+             "'('",             "tLPAREN2",
+             "')'",             "tRPAREN",
+             "'*'",             "tSTAR2",
+             "'+'",             "tPLUS",
+             "','",             "tCOMMA",
+             "'-'",             "tMINUS",
+             "'.'",             "tDOT",
+             "'/'",             "tDIVIDE",
+             "';'",             "tSEMI",
+             "':'",             "tCOLON",
+             "'<'",             "tLT",
+             "'>'",             "tGT",
+             "'?'",             "tEH",
+             "'['",             "tLBRACK",
+             "'\\n'",           "tNL",
+             "']'",             "tRBRACK",
+             "'^'",             "tCARET",
+             "'`'",             "tBACK_REF2",
+             "'{'",             "tLCURLY",
+             "'|'",             "tPIPE",
+             "'}'",             "tRCURLY",
+             "'~'",             "tTILDE",
+             '"["',             "tLBRACK",
+
+             # 2.0 changes?
+             '"<=>"',            "tCMP",
+             '"=="',             "tEQ",
+             '"==="',            "tEQQ",
+             '"!~"',             "tNMATCH",
+             '"=~"',             "tMATCH",
+             '">="',             "tGEQ",
+             '"<="',             "tLEQ",
+             '"!="',             "tNEQ",
+             '"<<"',             "tLSHFT",
+             '">>"',             "tRSHFT",
+             '"*"',              "tSTAR",
+
+             '".."',             "tDOT2",
+
+             '"&"',              "tAMPER",
+             '"&&"',             "tANDOP",
+             '"||"',             "tOROP",
+
+             '"..."',            "tDOT3",
+             '"**"',             "tPOW",
+             '"unary+"',         "tUPLUS",
+             '"unary-"',         "tUMINUS",
+             '"[]"',             "tAREF",
+             '"[]="',            "tASET",
+             '"::"',             "tCOLON2",
+             '"{ arg"',          "tLBRACE_ARG",
+             '"( arg"',          "tLPAREN_ARG",
+             '"("',              "tLPAREN",
+             'rparen',           "tRPAREN",
+             '"{"',              "tLBRACE",
+             '"=>"',             "tASSOC",
+             '"->"',             "tLAMBDA",
+             '":: at EXPR_BEG"', "tCOLON3",
+             '"**arg"',          "tDSTAR",
+             '","',              "tCOMMA",
+
+             # other
+
+             'tLBRACK2',        "tLBRACK", # HACK
+
+             "' '",             "tSPACE", # needs to be later to avoid bad hits
+
+             "/* empty */",     "none",
+             /^\s*$/,           "none",
+             "keyword_BEGIN",   "klBEGIN",
+             "keyword_END",     "klEND",
+             /keyword_(\w+)/,   proc { "k#{$1.upcase}" },
+             /\bk_([a-z_]+)/,   proc { "k#{$1.upcase}" },
+             /modifier_(\w+)/,  proc { "k#{$1.upcase}_MOD" },
+             "kVARIABLE",       "keyword_variable", # ugh
+
+             /@(\d+)\s+/,       "",
+            ]
+
+  renames.each_slice(2) do |(a, b)|
+    if Proc === b then
+      s.gsub!(a, &b)
+    else
+      s.gsub!(a, b)
+    end
+  end
+
+  s.strip
+end
+
+ARGF.each_line do |line|
+  next unless good or line =~ /^-* ?Grammar|\$accept : /
+
+  case line.strip
+  when /^$/ then
+  when /^(\d+) (\$?\w+): (.*)/ then    # yacc
+    rule = $2
+    order << rule unless rules.has_key? rule
+    rules[rule] << munge($3)
+  when /^(\d+) \s+\| (.*)/ then        # yacc
+    rules[rule] << munge($2)
+  when /^(\d+) (@\d+): (.*)/ then      # yacc
+    rule = $2
+    order << rule unless rules.has_key? rule
+    rules[rule] << munge($3)
+  when /^rule (\d+) (@?\w+):(.*)/ then # racc
+    rule = $2
+    order << rule unless rules.has_key? rule
+    rules[rule] << munge($3)
+  when /\$accept/ then                 # byacc?
+    good = true
+  when /Grammar/ then                  # both
+    good = true
+  when /^-+ Symbols/ then              # racc
+    break
+  when /^Terminals/ then               # yacc
+    break
+  when /^\cL/ then                     # byacc
+    break
+  else
+    warn "unparsed: #{$.}: #{line.chomp}"
+  end
+end
+
+require 'yaml'
+
+order.each do |k|
+  next if k =~ /@/
+  puts
+  puts "#{k}:"
+  puts rules[k].map { |r| "    #{r}" }.join "\n"
+end