brakeman 4.7.0 → 4.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 423fdaa947da827893c870cfa05f423bf39eef53fb1e64c09219ae3de15db137
-  data.tar.gz: 9df6cbba5de7da32e9b83755bf41dbe58b3bca3ec30fcb0bff435406a975d00e
+  metadata.gz: cb1a6279fa089c035c1e284d078ba0af21b8a19de58e489dcdc7c3a167d52e43
+  data.tar.gz: 4d163ff4a319363126e9626f8d0d841b1b55abf48fca01f1b5e0581bbda8f69f
 SHA512:
-  metadata.gz: 83a323503d5a222fe30dfe4792728dfe1689a1dcc2a95c2457b044810afa5bc9257482fc8ce406ca1cf7e9f171cd9dd80a51657baf28b784bcfe2cbc521ee8c8
-  data.tar.gz: 138b6fc7cecc0746e5873944035f1ca2286ab7e485445796f48566d6692a6905e4c6f85ae3c10e3efa83fc00de72878958573943b5a62b60b5beb7c363dd3980
+  metadata.gz: 7decb5b6745e654b6e2d7b06503fedad0e9a1c1b89d40ee380e37c23092420e34425357091f47a623508b1cf7e91a114a786f25d5441efe1cd7db80d7d15cc72
+  data.tar.gz: 81651d8ba5958201234b84576a691e5281b3f3af3cbb66500fb847e1873406c8956f8746c062de965b95c76e5c3c9f6810b81ebe73abbfc454cafbd2e93b9c31

data/CHANGES.md

@@ -1,4 +1,14 @@
-# 4.7.0
+# 4.7.1 - 2019-10-29 
+
+* Check string length against limit before joining
+* Fix errors from frozen `Symbol#to_s` in Ruby 2.7
+* Fix flaky rails4 test (Adam Kiczula)
+* Added release dates to each version in CHANGES (TheSpartan1980)
+* Catch reverse tabnabbing with `:_blank` symbol (Jacob Evelyn)
+* Convert `s(:lambda)` to `s(:call)` in `Sexp#block_call`
+* Sort text report by file and line (Jacob Evelyn)
+
+# 4.7.0 - 2019-10-16
 
 * Refactor `Brakeman::Differ#second_pass` (Benoit Côté-Jodoin)
 * Ignore interpolation in `%W[]`
@@ -9,11 +19,11 @@
 * Catch shell injection from `-c` shell commands (Jacob Evelyn)
 * Correctly handle non-symbols in `CheckCookieSerialization` (Phil Turnbull)
 
-# 4.6.1
+# 4.6.1 - 2019-07-24
 
 * Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)
 
-# 4.6.0
+# 4.6.0 - 2019-07-23
 
 * Skip calls to `dup`
 * Add reverse tabnabbing check (Linos Giannopoulos)
@@ -29,7 +39,7 @@
 * Add special warning code for custom checks
 * Add call matching by regular expression
 
-# 4.5.1 
+# 4.5.1 - 2019-05-11
 
 * Add `Brakeman::FilePath` to represent file paths
 * Handle trailing comma in block args
@@ -44,7 +54,7 @@
 * Add initial Rails 6 support
 * Add SQL injection checks for `destroy_by`/`delete_by`
 
-# 4.5.0
+# 4.5.0 - 2019-03-16
 
 * Update `ruby_parser`, use `ruby_parser-legacy`
 * More thoroughly handle `Shellwords` escaping
@@ -61,7 +71,7 @@
 * Better handling of splat/kwsplat arguments
 * Improve "user input" reported for SQL injection
 
-# 4.4.0
+# 4.4.0 - 2019-01-17
 
 * Set default encoding to UTF-8
 * Update to Slim 4.0.1 (Jake Peterson)
@@ -84,7 +94,7 @@
 * Complete overhaul of warning message construction
 * Deadcode and typo fixes found via Coverity
 
-# 4.3.1
+# 4.3.1 - 2018-06-07
 
 * Ignore `Object#freeze`, use the target instead
 * Ignore `foreign_key` calls in SQL
@@ -97,7 +107,7 @@
 * Improve handling of conditionals in shell commands (Jacob Evelyn)
 * Fix error when setting line number in implicit renders
 
-# 4.3.0
+# 4.3.0 - 2018-05-11
 
 * Check exec-type calls even if they are targets
 * Convert `Array#join` to string interpolation
@@ -113,14 +123,14 @@
 * `--color` can be used to force color output
 * Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
 
-# 4.2.1
+# 4.2.1 - 2018-03-24
 
 * Add warning for CVE-2018-3741
 * Add warning for CVE-2018-8048
 * Scan `app/jobs/` directory
 * Handle `template_exists?` in controllers
 
-# 4.2.0
+# 4.2.0 - 2018-02-22
 
 * Avoid warning about symbol DoS on `Model#attributes`
 * Avoid warning about open redirects with model methods ending with `_path`
@@ -133,12 +143,12 @@
 * Exclude template folders in `lib/` (kru0096)
 * Handle ERb use of `String#<<` method for Ruby 2.5 (Pocke)
 
-# 4.1.1
+# 4.1.1 - 2017-12-19
 
 * Remove check for use of `permit` with `*_id` keys
 * Avoid duplicate warnings about permitted attributes
 
-# 4.1.0
+# 4.1.0 - 2017-12-14
 
 * Process models as root sexp instead of each sexp
 * Avoid CSRF warning in Rails 5.2 default config
@@ -161,12 +171,12 @@
 * Refactor Code Climate engine options parsing (Noah Davis)
 * Fix upgrade version for CVE-2016-6316
 
-# 4.0.1
+# 4.0.1 - 2017-09-25
 
 * Disable pager when `CI` environment variable is set
 * Fix output when pager fails
 
-# 4.0.0
+# 4.0.0 - 2017-09-25
 
 * Add simple pager for reports output to terminal
 * Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
@@ -180,11 +190,11 @@
 * --exit-on-error and --exit-on-warn are now the default
 * Fix --exit-on-error and --exit-on-warn in config files
 
-# 3.7.2
+# 3.7.2 - 2017-08-16
 
 * Fix --ensure-latest (David Guyon)
 
-# 3.7.1
+# 3.7.1 - 2017-08-16
 
 * Handle simple guard with return at end of branch
 * Modularize bin/brakeman
@@ -192,7 +202,7 @@
 * Add more collection methods for iteration detection
 * Update ruby2ruby and ruby_parser
 
-# 3.7.0
+# 3.7.0 - 2017-06-30
 
 * Improve support for rails4/rails5 options in config file
 * Track more information about constant assignments
@@ -201,7 +211,7 @@
 * Fix false positive for redirect_to in Rails 4 (Mário Areias)
 * Avoid interpolating hashes/arrays on failed access
 
-# 3.6.2
+# 3.6.2 - 2017-05-19
 
 * Handle safe call operator in checks
 * Better handling of `if` expressions in HAML rendering
@@ -216,11 +226,11 @@
 * Handle empty `if` expressions when finding return values
 * Fix finding return value from empty `if`
 
-# 3.6.1
+# 3.6.1 - 2017-03-24
 
 * Fix error when using `--compare` (Sean Gransee)
 
-# 3.6.0 
+# 3.6.0 - 2017-03-23
 
 * Avoid recursive Concerns
 * Branch inside of `case` expressions
@@ -231,7 +241,7 @@
 * Only report CVE-2015-3227 when exact version is known
 * Check targetless SQL calls outside of known models
 
-# 3.5.0
+# 3.5.0 - 2017-02-01
 
 * Allow `-t None`
 * Fail on invalid checks specified by `-x` or `-t`
@@ -246,7 +256,7 @@
 * Handle `included` block in concerns
 * Process concerns before controllers
 
-# 3.4.1
+# 3.4.1 - 2016-11-02
 
 * Show action help at start of interactive ignore
 * Check CSRF setting in direct subclasses of `ActionController::Base` (Jason Yeo)
@@ -256,7 +266,7 @@
 * Avoid warning about `where_values_hash` in SQLi
 * Fix ignoring link interpolation not at beginning of string
 
-# 3.4.0
+# 3.4.0 - 2016-09-08
 
 * Add new `plain` report format
 * Add option to prune ignore file with `-I`
@@ -265,18 +275,18 @@
 * Support creating reports in non-existent paths
 * Add `--no-exit-warn`
 
-# 3.3.5
+# 3.3.5 - 2016-08-12
 
 * Fix bug in reports when using --debug option
 
-# 3.3.4
+# 3.3.4 - 2016-08-12
 
 * Add generic warning for CVE-2016-6316
 * Warn about dangerous use of `content_tag` with CVE-2016-6316
 * Add warning for CVE-2016-6317
 * Use Minitest
 
-# 3.3.3
+# 3.3.3 - 2016-07-21
 
 * Show path when no Rails app found (Neil Matatall)
 * Index calls in view helpers
@@ -289,11 +299,11 @@
 * Sexp#value returns nil when there is no value
 * Improve return value estimation
 
-# 3.3.2
+# 3.3.2 - 2016-06-10
 
 * Fix serious performance regression with global constant tracking
 
-# 3.3.1 
+# 3.3.1 - 2016-06-03
 
 * Delay loading vendored gems and modifying load path
 * Avoid warning about SQL injection with `quoted_primary_key`
@@ -304,7 +314,7 @@
 * Add `--force-scan` option (Neil Matatall)
 * Improved line number accuracy in ERB templates (Patrick Toomey)
 
-# 3.3.0
+# 3.3.0 - 2016-05-05
 
 * Skip processing obviously false if branches (more broadly)
 * Skip if branches with `Rails.env.test?`
@@ -322,11 +332,11 @@
 * [Code Climate engine] Remove nil entries from include_paths (Gordon Diggs)
 * [Code Climate engine] Report end lines for issues (Gordon Diggs)
 
-# 3.2.1
+# 3.2.1 - 2016-02-25
 
 * Remove `multi_json` dependency from `bin/brakeman`
 
-# 3.2.0
+# 3.2.0 - 2016-02-25
 
 * Skip Symbol DoS check on Rails 5
 * Only update ignore config file on changes
@@ -340,7 +350,7 @@
 * Avoid render warnings about params[:action]/params[:controller]
 * Index calls in class bodies but outside methods
 
-# 3.1.5
+# 3.1.5 - 2016-01-28
 
 * Fix CodeClimate construction of --only-files (Will Fleming)
 * Add check for denial of service via routes (CVE-2015-7581)
@@ -359,7 +369,7 @@
 * Handle module names with self methods
 * Add session manipulation documentation
 
-# 3.1.4
+# 3.1.4 - 2015-12-22
 
 * Emit brakeman's native fingerprints for Code Climate engine (Noah Davis)
 * Ignore secrets.yml if in .gitignore
@@ -367,7 +377,7 @@
 * Increase test coverage for option parsing (Zander Mackie)
 * Work around safe_yaml error
 
-# 3.1.3
+# 3.1.3 - 2015-12-03
 
 * Check for session secret in secrets.yml
 * Respect `exit_on_warn` in config file
@@ -381,7 +391,7 @@
 * Depend on safe_yaml 1.0 or later
 * Test coverage improvements for Brakema module (Bethany Rentz)
 
-# 3.1.2
+# 3.1.2 - 2015-10-28
 
 * Treat `current_user` like a model
 * Set user input value for inline renders
@@ -399,7 +409,7 @@
 * Sortable tables in HTML report (David Lanner)
 * Search for config file relative to application root
 
-# 3.1.1
+# 3.1.1 - 2015-09-23
 
 * Add optional check for use of MD5 and SHA1
 * Avoid warning when linking to decorated models
@@ -413,7 +423,7 @@
 * Support newer terminal-table releases
 * Allow searching call index methods by regex (Alex Ianus)
 
-# 3.1.0
+# 3.1.0 - 2015-08-31
 
 * Add support for gems.rb/gems.locked
 * Update render path information in JSON reports
@@ -432,18 +442,18 @@
 * Expand safe methods to match methods with targets
 * Avoid duplicate eval() warnings
 
-# 3.0.5
+# 3.0.5 - 2015-06-20
 
 * Fix check for CVE-2015-3227
 
-# 3.0.4
+# 3.0.4 - 2015-06-18
 
 * Add check for CVE-2015-3226 (XSS via JSON keys)
 * Add check for CVE-2015-3227 (XML DoS)
 * Treat `<%==` as unescaped output
 * Update `ruby_parser` dependency to 3.7.0
 
-# 3.0.3
+# 3.0.3 - 2015-04-20
 
 * Ignore more Arel methods in SQL
 * Warn about protect_from_forgery without exceptions (Neil Matatall)
@@ -454,7 +464,7 @@
 * Do not ignore targets of `to_s` in SQL
 * Add Rake task to exit with error code on warnings (masarakki)
 
-# 3.0.2
+# 3.0.2 - 2015-03-09
 
 * Alias process methods called in class scope on models
 * Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
@@ -470,7 +480,7 @@
 * Fix CSV output when there are no warnings
 * Handle processing of explicitly shadowed block arguments
 
-# 3.0.1
+# 3.0.1 - 2015-01-23
 
 * Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base
 * Properly format command interpolation (again)
@@ -479,7 +489,7 @@
 * Add `--add-libs-path` for additional libraries (Patrick Toomey)
 * Properly process libraries (Patrick Toomey)
 
-# 3.0.0
+# 3.0.0 - 2015-01-03
 
 * Add check for CVE-2014-7829
 * Add check for cross-site scripting via inline renders
@@ -498,7 +508,7 @@
 * CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
 * Change `--separate-models` to be the default
 
-# 2.6.3
+# 2.6.3 - 2014-10-14
 
 * Whitelist `exists` arel method from SQL injection check
 * Avoid warning about Symbol DoS on safe parameters as method targets
@@ -507,7 +517,7 @@
 * Add framework for optional checks
 * Fix stack overflow for cycles in class ancestors (Jeff Rafter)
 
-# 2.6.2 
+# 2.6.2 - 2014-08-18
 
 * Add check for CVE-2014-3415
 * Avoid warning about symbolizing safe parameters
@@ -521,13 +531,13 @@
 * Fix block statement endings in Erubis
 * Fix undefined variable in controller processing error (Jason Barnabe) 
 
-# 2.6.1
+# 2.6.1 - 2014-07-02
 
 * Add check for CVE-2014-3482 and CVE-2014-3483
 * Add support for keyword arguments in blocks
 * Remove unused warning codes (Bill Fischer)
 
-# 2.6.0
+# 2.6.0 - 2014-06-06
 
 * Fix detection of `:host` setting in redirects with chained calls
 * Add check for CVE-2014-0130
@@ -541,7 +551,7 @@
 * Ignore more model methods in redirects
 * Fix CheckRender with nested render calls
 
-# 2.5.0
+# 2.5.0 - 2014-04-30
 
  * Add support for RailsLTS 2.3.18.7 and 2.3.18.8
  * Add support for Rails 4 `before_actions` and friends
@@ -556,11 +566,11 @@
  * Handle more non-literals in routes
  * Add check for regex denial of service (Ben Toews) 
 
-# 2.4.3
+# 2.4.3 - 2014-03-23
 
  No changes. 2.4.2 gem release was unsigned, 2.4.3 is signed.
 
-# 2.4.2
+# 2.4.2 - 2014-03-21
 
  * Remove `rescue Exception`
  * Fix duplicate warnings about sanitize CVE
@@ -569,13 +579,13 @@
  * Skip identically rendered templates
  * Fix HAML template processing
 
-# 2.4.1
+# 2.4.1 - 2014-02-19
 
  * Add check for CVE-2014-0082
  * Add check for CVE-2014-0081, replaces CVE-2013-6415
  * Add check for CVE-2014-0080
 
-# 2.4.0 
+# 2.4.0 - 2014-02-05
 
  * Detect Rails LTS versions
  * Reduce false positives for SQL injection in string building
@@ -590,12 +600,12 @@
  * No longer raise exceptions if a class name cannot be determined
  * Fingerprint attribute warnings individually (Case Taintor)
 
-# 2.3.1
+# 2.3.1 - 2013-12-13
 
  * Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
  * Fix link for CVE-2013-6415 (number_to_currency)
 
-# 2.3.0
+# 2.3.0 - 2013-12-12
 
  * Add check for Parameters#permit!
  * Add check for CVE-2013-4491 (i18n XSS)
@@ -609,7 +619,7 @@
  * Whitelist `Model#create` for redirects
  * Fix scoping issues with instance variables and blocks
 
-# 2.2.0 
+# 2.2.0 - 2013-10-28
 
  * Reduce command injection false positives
  * Use Rails version from Gemfile if it is available
@@ -618,14 +628,14 @@
  * Support scanning Rails engines (Geoffrey Hichborn)
  * Add check for detailed exceptions in production
 
-# 2.1.2
+# 2.1.2 - 2013-09-18
 
  * Do not attempt to load custom Haml filters
  * Do not warn about `to_json` XSS in Rails 4
  * Add --table-width option to set width of text reports (ssendev)
  * Remove fuzzy matching on dangerous attr_accessible values
 
-# 2.1.1
+# 2.1.1 - 2013-08-21
 
  * New warning code for dangerous attributes in attr_accessible
  * Do not warn on attr_accessible using roles
@@ -636,7 +646,7 @@
  * Fix infinite loop when run as rake task (Matthew Shanley)
  * Respect ignored warnings in tabs format reports
 
-# 2.1.0
+# 2.1.0 - 2013-07-17
 
  * Support non-native line endings in Gemfile.lock (Paul Deardorff)
  * Support for ignoring warnings
@@ -656,7 +666,7 @@
  * Fix output format detection to be more strict again
  * Allow empty Brakeman configuration file
 
-# 2.0.0
+# 2.0.0 - 2013-05-20
   
  * Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
  * Add Marshal/CSV deserialization check
@@ -686,7 +696,7 @@
  * Use exceptions instead of abort in brakeman lib
  * Update to Ruby2Ruby 2.0.5
 
-# 1.9.5
+# 1.9.5 - 2013-04-05
 
  * Add check for unsafe symbol creation
  * Do not warn on mass assignment with `slice`/`only`
@@ -701,7 +711,7 @@
  * More fixes for assignments inside branches
  * Pin to ruby2ruby version 2.0.3
 
-# 1.9.4
+# 1.9.4 - 2013-03-19
  
  * Add check for CVE-2013-1854
  * Add check for CVE-2013-1855
@@ -713,7 +723,7 @@
  * Slightly faster cloning of Sexps
  * Detect another way to add `strong_parameters`
 
-# 1.9.3
+# 1.9.3 - 2013-03-01
  
  * Add render path to JSON report
  * Add warning fingerprints
@@ -728,7 +738,7 @@
  * Expand HAML dependency to include 4.0
  * Scroll errors into view when expanding in HTML report
 
-# 1.9.2
+# 1.9.2 - 2013-02-14
 
  * Add check for CVE-2013-0269
  * Add check for CVE-2013-0276
@@ -739,7 +749,7 @@
  * Check for more dangerous YAML methods
  * Support MultiJSON 1.2 for Rails 3.0 and 3.1
 
-# 1.9.1
+# 1.9.1 - 2013-01-19
 
  * Update to RubyParser 3.1.1 (neersighted)
  * Remove ActiveSupport dependency (Neil Matatall)
@@ -751,7 +761,7 @@
  * Add check for CVE-2013-0156
  * Add check for unsafe `YAML.load`
 
-# 1.9.0
+# 1.9.0 - 2012-12-25
 
  * Update to RubyParser 3
  * Ignore route information by default
@@ -771,7 +781,7 @@
  * Handle empty model files
  * Remove "find by regex" feature from `CallIndex`
 
-# 1.8.3
+# 1.8.3 - 2012-11-13
 
  * Use `multi_json` gem for better harmony
  * Performance improvement for call indexing
@@ -787,7 +797,7 @@
  * Fix error in rescan of mixins with symbols in method name
  * Do not rescan non-Ruby files in config/
 
-# 1.8.2
+# 1.8.2 - 2012-10-17
 
  * Fixed rescanning problems caused by 1.8.0 changes
  * Fix scope calls with single argument
@@ -796,7 +806,7 @@
  * Much improved test coverage
  * Add CHANGES to gemspec
 
-# 1.8.1
+# 1.8.1 - 2012-09-24
 
  * Recover from errors in output formatting
  * Fix false positive in redirect_to (Neil Matatall)
@@ -808,7 +818,7 @@
  * Handle super calls with blocks
  * Respect `-q` flag for "Rails 3 detected" message
 
-# 1.8.0
+# 1.8.0 - 2012-09-05
 
  * Support relative paths in reports (fsword)
  * Allow Brakeman to be run without tty (fsword)
@@ -824,7 +834,7 @@
  * Treat model attributes in `or` expressions as immediate values
  * Switch to method access for Sexp nodes
 
-# 1.7.1
+# 1.7.1 - 2012-08-13
 
  * Add check for CVE-2012-3463
  * Add check for CVE-2012-3464
@@ -832,7 +842,7 @@
  * Add charset to HTML report (hooopo)
  * Report XSS in select() for Rails 2
 
-# 1.7.0
+# 1.7.0 - 2012-07-31
 
  * Add check for CVE-2012-3424
  * Link report types to descriptions on website
@@ -847,7 +857,7 @@
  * Fix processing of negative array indexes
  * Add line breaks to truncated table rows
 
-# 1.6.2
+# 1.6.2 - 2012-06-13
 
  * Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
  * Avoid warning when redirecting to a model instance
@@ -859,7 +869,7 @@
  * Cache before_filter lookups
  * Turn off quiet mode by default for `--compare`
 
-# 1.6.1
+# 1.6.1 - 2012-05-23
 
  * Major rewrite of CheckSQL
  * Fix rescanning of deleted templates
@@ -869,7 +879,7 @@
  * Fix highlighting of HTML escaped values in HTML report
  * Report line number of highlighted value, if available
 
-# 1.6.0
+# 1.6.0 - 2012-04-20
 
  * Remove the Ruport dependency (Neil Matatall)
  * Add more informational JSON output (Neil Matatall)
@@ -881,7 +891,7 @@
  * Fix rescanning of deleted files 
  * Properly check for rails_xss in Gemfile
 
-# 1.5.3
+# 1.5.3 - 2012-04-10
 
  * Add check for user input in Object#send (Neil Matatall)
  * Handle render :layout in views
@@ -895,7 +905,7 @@
  * Improve handling of modules and nesting
  * Test for zero errors in test reports
 
-# 1.5.2
+# 1.5.2 - 2012-03-22
 
  * Fix link_to checks for Rails 2.0 and 2.3
  * Fix rescanning of lib files (Neil Matatall)
@@ -906,7 +916,7 @@
  * Fix handling of views when using rails_xss
  * Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing
 
-# 1.5.1
+# 1.5.1- 2012-03-06
 
  * Fix detection of global mass assignment setting
  * Fix partial rendering in Rails 3
@@ -916,7 +926,7 @@
  * Add tracking of module and class to Brakeman::BaseProcessor
  * Report module when using Brakeman::FindCall
 
-# 1.5.0
+# 1.5.0 - 2012-03-02
 
  * Add version check for SafeBuffer vulnerability
  * Add check for select vulnerability in Rails 3
@@ -927,7 +937,7 @@
  * Standardize methods to check for SQL injection
  * Fix Rails 2 route parsing issue with nested routes
 
-# 1.4.0
+# 1.4.0 - 2012-02-24
 
  * Add check for user input in link_to href parameter
  * Match ERB processing to rails_xss plugin when plugin used
@@ -935,7 +945,7 @@
  * Warnings below minimum confidence are dropped completely
  * Brakeman.run always returns a Tracker
 
-# 1.3.0
+# 1.3.0 - 2012-02-09
 
  * Add file paths to HTML report
  * Add caching of filters
@@ -948,7 +958,7 @@
  * Better variable substitution
  * Table output option for rescan reports
 
-# 1.2.2
+# 1.2.2 - 2012-01-26
 
  * --no-progress works again
  * Make CheckLinkTo a separate check
@@ -956,7 +966,7 @@
  * Handle empty resource(s) blocks
  * Add RescanReport#existing_warnings
 
-## 1.2.1
+## 1.2.1 - 2012-01-20
 
  * Remove link_to warning for Rails 3.x or when using rails_xss
  * Don't warn if first argument to link_to is escaped
@@ -968,7 +978,7 @@
  * Add Brakeman::RescanReport#to_s
  * Add Brakeman::Warning#to_s
 
-## 1.2.0
+## 1.2.0 - 2012-01-14
 
  * Speed improvements for CheckExecute and CheckRender
  * Check named_scope() and scope() for SQL injection
@@ -977,7 +987,7 @@
  * Add --summary option to only output summary
  * Fix a problem with Rails 3 routes
 
-## 1.1.0
+## 1.1.0 - 2011-12-22
 
  * Relax required versions for dependencies
  * Performance improvements for source processing
@@ -987,14 +997,14 @@
  * Compatibility with newer Haml versions
  * Fix some warnings
 
-## 1.0.0
+## 1.0.0 - 2011-12-08
 
  * Better handling of assignments inside ifs
  * Check more expressions for SQL injection
  * Use latest ruby_parser for better 1.9 syntax support
  * Better behavior for Brakeman as a library
 
-## 1.0.0rc1
+## 1.0.0rc1 - 2011-12-06
 
  * Brakeman can now be used as a library
  * Faster call search
@@ -1007,23 +1017,23 @@
  * Ignore mass assignment using all literal arguments
  * Keep expanded context in view with HTML output
 
-## 0.9.2
+## 0.9.2 - 2011-11-22
 
  * Fix Rails 3 configuration parsing
  * Add t() helper to check for translate XSS bug
 
-## 0.9.1
+## 0.9.1 - 2011-11-18
 
  * Add warning for translator helper XSS vulnerability
 
-## 0.9.0
+## 0.9.0 - 2011-11-17
 
  * Process Rails 3 configuration files
  * Fix CSV output
  * Check for config.active_record.whitelist_attributes = true
  * Always produce a warning for without_protection => true
 
-## 0.8.4
+## 0.8.4 - 2011-11-04
 
  * Option for separate attr_accessible warnings
  * Option to set CSS file for HTML output
@@ -1032,23 +1042,23 @@
  * Fix hash_insert()
  * Remove use of Queue from threaded checks
 
-## 0.8.3
+## 0.8.3 - 2011-10-25
  
  * Respect -w flag in .tabs format (tw-ngreen)
  * Escape HTML output of error messages
  * Add --skip-libs option
 
-## 0.8.2
+## 0.8.2 - 2011-10-01
 
  * Run checks in parallel threads by default
  * Fix compatibility with ruby_parser 2.3.1
 
-## 0.8.1
+## 0.8.1 - 2011-09-28
 
  * Add option to assume all controller methods are actions
  * Recover from errors when parsing routes
 
-## 0.8.0
+## 0.8.0 - 2011-09-15
 
  * Add check for mass assignment using without_protection
  * Add check for password in http_basic_authenticate_with
@@ -1059,30 +1069,30 @@
  * Add ruby_parser hack for Ruby 1.9 hash syntax
  * Add a few Rails 3.1 tests
 
-## 0.7.2
+## 0.7.2 - 2011-08-27
 
  * Fix handling of params and cookies with nested access
  * Add CVEs for checks added in 0.7.0
 
-## 0.7.1
+## 0.7.1 - 2011-08-18
 
  * Require BaseProcessor for GemProcessor
 
-## 0.7.0
+## 0.7.0 - 2011-08-17
 
  * Allow local variable as a class name
  * Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
  * Check for default routes in Rails 3 apps
  * Look in Gemfile or Gemfile.lock for Rails version
 
-## 0.6.1
+## 0.6.1 - 2011-07-29
 
  * Fix XSS check for cookies as parameters in output
  * Don't bother calling super in CheckSessionSettings
  * Add escape_once as a safe method
  * Accept '\Z' or '\z' in model validations
 
-## 0.6.0
+## 0.6.0 - 2011-07-20
 
  * Tests are in place and fully functional
  * Hide errors by default in HTML output
@@ -1095,17 +1105,17 @@
  * Fixes to escaped output scanning
  * Update CSRF CVE-2011-0447 message to be less assertive
 
-## 0.5.2
+## 0.5.2 - 2011-06-29
 
  * Output report file name when finished
  * Add initial tests for Rails 2.x
  * Fix ERB line numbers when using Ruby 1.9
 
-## 0.5.1
+## 0.5.1 - 2011-06-17
 
  * Fix issue with 'has_one' => in routes
 
-## 0.5.0
+## 0.5.0 - 2011-06-08
 
   * Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
   * Allow empty blocks in Rails 3 routes
@@ -1113,52 +1123,52 @@
   * Add line numbers to session setting warnings
   * Add --checks option to list checks
 
-## 0.4.1
+## 0.4.1 - 2011-05-23
   
   * Fix reported line numbers when using new Erubis parser
     (Mostly affects Rails 3 apps)
 
-## 0.4.0
+## 0.4.0 - 2011-05-19
 
   * Handle Rails XSS protection properly
   * More detection options for rails_xss
   * Add --escape-html option 
 
-## 0.3.2  
+## 0.3.2 - 2011-05-12  
 
   * Autodetect Rails 3 applications
   * Turn on auto-escaping for Rails 3 apps
   * Check Model.create() for mass assignment
 
-## 0.3.1
+## 0.3.1 - 2011-05-03
 
   * Always output a line number in tabbed output format
   * Restrict characters in category name in tabbed output format to
     word characters and spaces, for Hudson/Jenkins plugin
 
-## 0.3.0
+## 0.3.0 - 2011-03-21
 
   * Check for SQL injection in calls using constantize()
   * Check for SQL injection in calls to count_by_sql()
 
-## 0.2.2
+## 0.2.2 - 2011-02-22
 
   * Fix version_between? when no Rails version is specified
 
-## 0.2.1
+## 0.2.1 - 2011-02-18
 
   * Add code snippet to tab output messages
 
-## 0.2.0
+## 0.2.0 - 2011-02-16
 
   * Add check for mail_to vulnerability - CVE-2011-0446
   * Add check for CSRF weakness - CVE-2011-0447
 
-## 0.1.1
+## 0.1.1 - 2011-01-25
 
   * Be more permissive with ActiveSupport version
 
-## 0.1.0
+## 0.1.0 - 2011-01-18
 
   * Check link_to for XSS (because arguments are not escaped)
   * Process layouts better (although not perfectly yet)

data/lib/brakeman/checks/check_reverse_tabnabbing.rb

@@ -19,7 +19,11 @@ class Brakeman::CheckReverseTabnabbing < Brakeman::BaseCheck
     return unless hash? html_opts
 
     target = hash_access html_opts, :target
-    return unless target && string?(target) && target.value == "_blank"
+    unless target &&
+          (string?(target) && target.value == "_blank" ||
+          symbol?(target) && target.value == :_blank)
+      return
+    end
 
     target_url = result[:block] ? result[:call].first_arg : result[:call].second_arg
 

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -19,16 +19,17 @@ module Brakeman
       end
     end
 
+    STRING_LENGTH_LIMIT = 50
+
     # Join two string literals into one.
     def join_strings lhs, rhs, original_exp = nil
       if string? lhs and string? rhs
-        result = Sexp.new(:str).line(lhs.line)
-        result.value = lhs.value + rhs.value
-
-        if result.value.length > 50
+        if (lhs.value.length + rhs.value.length > STRING_LENGTH_LIMIT)
           # Avoid gigantic strings
           lhs
         else
+          result = Sexp.new(:str).line(lhs.line)
+          result.value = lhs.value + rhs.value
           result
         end
       elsif call? lhs and lhs.method == :+ and string? lhs.first_arg and string? rhs

data/lib/brakeman/report/report_text.rb

@@ -19,7 +19,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
     add_chunk generate_controllers if tracker.options[:debug] or tracker.options[:report_routes]
     add_chunk generate_templates if tracker.options[:debug]
     add_chunk generate_obsolete
-    add_chunk generate_errors 
+    add_chunk generate_errors
     add_chunk generate_warnings
   end
 
@@ -51,7 +51,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
 
   def generate_header
     [
-      header("Brakeman Report"), 
+      header("Brakeman Report"),
       label("Application Path", tracker.app_path),
       label("Rails Version", rails_version),
       label("Brakeman Version", Brakeman::Version),
@@ -92,7 +92,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
       HighLine.color("No warnings found", :bold, :green)
     else
       warnings = tracker.filtered_warnings.sort_by do |w|
-        [w.confidence, w.warning_type, w.fingerprint]
+        [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
       end.map do |w|
         output_warning w
       end
@@ -140,7 +140,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
     end
 
     double_space "Template Output", template_rows.sort_by { |name, value| name.to_s }.map { |template|
-      [HighLine.new.color(template.first.to_s << "\n", :cyan)] + template[1]
+      [HighLine.new.color("#{template.first}\n", :cyan)] + template[1]
     }.compact
   end
 
@@ -211,4 +211,3 @@ class Brakeman::Report::Text < Brakeman::Report::Base
     double_space "Controller Overview", controllers
   end
 end
-

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.7.0"
+  Version = "4.7.1"
 end

data/lib/ruby_parser/bm_sexp.rb

@@ -371,7 +371,12 @@ class Sexp
   #       s(:block, s(:lvar, :y), s(:call, nil, :z, s(:arglist))))
   def block_call
     expect :iter
-    self[1]
+
+    if self[1].node_type == :lambda
+      s(:call, nil, :lambda).line(self.line)
+    else
+      self[1]
+    end
   end
 
   #Returns block of a call with a block.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 4.7.0
+  version: 4.7.1
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-10-16 00:00:00.000000000 Z
+date: 2019-10-29 00:00:00.000000000 Z
 dependencies: []
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.