brakeman 5.0.0.pre1 → 5.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 83005dc6f5d262579ddf2d249af33cc9ec446e5d187809b1ff2ebe2f99f71ad3
-  data.tar.gz: 899b9f1c9594ce43c9b638e53f948750bb04a3443c0db56254027de09c59203a
+  metadata.gz: 1d660b98db2252a6aa69d39bb56c6950aa7d9713f10831807d6ab837df54657d
+  data.tar.gz: 6999959ba9f8380f36c1d999e04b0d79e48ea9536fd9820485c4960bce769d60
 SHA512:
-  metadata.gz: 1dea78840076e27bf0577b6f81bdc7b28a5a19eea2ce4d1672c318ddaa158f68b49310f5a9df4a6a4ab68d8d15f18fbd8089b1cd9392f5404c82db9111a78c1c
-  data.tar.gz: b7a122f95a49b36470308cf13675536ed7d86af98bbc37a433ada47d5cca68a7dba376fc470308862b2457c4223e8af85b9fafcbe60b16cfa61774b3ff1f9c9e
+  metadata.gz: b6738f567478a47fd36de992706968c1c42a237dd97d4527434a60fa9ddea5b7a7acb54d8b72e6bc282fd1805126953a358e399a19dab4c0c5e7fd92b4a857ed
+  data.tar.gz: 43f16437835dabb65a7b73981779460e7648e1fa2ba772320132e7500af55c8861effda46f3b181310bdd753dbf1c59af12b3ecdfed5844505e2cf5cbff866fa

data/CHANGES.md

@@ -1,3 +1,26 @@
+# 5.0.0 - 2021-01-26
+
+* Ignore `uuid` as a safe attribute
+* Collapse `__send__` calls
+* Ignore `Tempfile#path` in shell commands
+* Ignore development environment
+* Revamp CSV report to a CSV list of warnings
+* Set Rails configuration defaults based on `load_defaults` version
+* Add check for (more) unsafe method reflection
+* Suggest using `--force` if no Rails application is detected
+* Add Sonarqube report format (Adam England)
+* Add check for potential HTTP verb confusion
+* Add `--[no-]skip-vendor` option
+* Scan (almost) all Ruby files in project
+
+# 4.10.1 - 2020-12-24
+
+* Declare REXML as a dependency (Ruby 3.0 compatibility)
+* Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
+* Prevent render loops when template names are absolute paths
+* Ensure RubyParser is passed file path as a String
+* Support new Haml 5.2.0 escaping method
+
 # 5.0.0.pre1 - 2020-11-17
 
 * Add check for (more) unsafe method reflection

data/bundle/load.rb

@@ -1,14 +1,15 @@
 path = File.expand_path('../..', __FILE__)
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/erubis-2.7.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/temple-0.8.2/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/safe_yaml-1.0.5/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/unicode-display_width-1.7.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/slim-4.1.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.15.1/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/terminal-table-1.8.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.15.2/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/highline-2.0.3/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby2ruby-2.4.4/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/haml-5.2.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/terminal-table-1.8.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/erubis-2.7.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/haml-5.2.1/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-3.15.1/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/safe_yaml-1.0.5/lib"

data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/CHANGELOG.md

@@ -1,9 +1,16 @@
 # Haml Changelog
 
+## 5.2.1
+
+Released on November 30, 2020
+([diff](https://github.com/haml/haml/compare/v5.2.0...v5.2.1)).
+
+* Add in improved "multiline" support for attributes [#1043](https://github.com/haml/haml/issues/1043)
+
 ## 5.2
 
 Released on September 28, 2020
-([diff](https://github.com/haml/haml/compare/v5.1.2...v5.2)).
+([diff](https://github.com/haml/haml/compare/v5.1.2...v5.2.0)).
 
 * Fix crash in the attribute optimizer when `#inspect` is overridden in TrueClass / FalseClass [#972](https://github.com/haml/haml/issues/972)
 * Do not HTML-escape templates that are declared to be plaintext [#1014](https://github.com/haml/haml/issues/1014) (Thanks [@cesarizu](https://github.com/cesarizu))

data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/REFERENCE.md

@@ -228,15 +228,19 @@ is compiled to:
     <html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'></html>
 
 Attribute hashes can also be stretched out over multiple lines to accommodate
-many attributes. However, newlines may only be placed immediately after commas.
-For example:
+many attributes.
 
-    %script{:type => "text/javascript",
-            :src  => "javascripts/script_#{2 + 7}"}
+    %script{
+      "type": text/javascript",
+      "src": javascripts/script_#{2 + 7}",
+      "data": {
+        "controller": "reporter",
+      },
+    }
 
 is compiled to:
 
-    <script src='javascripts/script_9' type='text/javascript'></script>
+    <script src='javascripts/script_9' type='text/javascript' data-controller='reporter'></script>
 
 #### `:class` and `:id` Attributes {#class-and-id-attributes}
 

data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/haml.gemspec

@@ -32,7 +32,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rbench'
   spec.add_development_dependency 'minitest', '>= 4.0'
   spec.add_development_dependency 'nokogiri'
-  spec.add_development_dependency 'simplecov', '0.17.1' # Locked to this version due to https://github.com/codeclimate/test-reporter/issues/418
+  spec.add_development_dependency 'simplecov'
 
   spec.description = <<-END
 Haml (HTML Abstraction Markup Language) is a layer on top of HTML or XML that's

data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/parser.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'ripper'
 require 'strscan'
 
 module Haml
@@ -90,6 +91,9 @@ module Haml
     ID_KEY    = 'id'.freeze
     CLASS_KEY = 'class'.freeze
 
+    # Used for scanning old attributes, substituting the first '{'
+    METHOD_CALL_PREFIX = 'a('
+
     def initialize(options)
       @options = Options.wrap(options)
       # Record the indent levels of "if" statements to validate the subsequent
@@ -651,13 +655,18 @@ module Haml
     # @return [String] rest
     # @return [Integer] last_line
     def parse_old_attributes(text)
-      text = text.dup
       last_line = @line.index + 1
 
       begin
-        attributes_hash, rest = balance(text, ?{, ?})
+        # Old attributes often look like a valid Hash literal, but it sometimes allow code like
+        # `{ hash, foo: bar }`, which is compiled to `_hamlout.attributes({}, nil, hash, foo: bar)`.
+        #
+        # To scan such code correctly, this scans `a( hash, foo: bar }` instead, stops when there is
+        # 1 more :on_embexpr_end (the last '}') than :on_embexpr_beg, and resurrects '{' afterwards.
+        balanced, rest = balance_tokens(text.sub(?{, METHOD_CALL_PREFIX), :on_embexpr_beg, :on_embexpr_end, count: 1)
+        attributes_hash = balanced.sub(METHOD_CALL_PREFIX, ?{)
       rescue SyntaxError => e
-        if text.strip[-1] == ?, && e.message == Error.message(:unbalanced_brackets)
+        if e.message == Error.message(:unbalanced_brackets) && !@template.empty?
           text << "\n#{@next_line.text}"
           last_line += 1
           next_line
@@ -811,6 +820,25 @@ module Haml
       Haml::Util.balance(*args) or raise(SyntaxError.new(Error.message(:unbalanced_brackets)))
     end
 
+    # Unlike #balance, this balances Ripper tokens to balance something like `{ a: "}" }` correctly.
+    def balance_tokens(buf, start, finish, count: 0)
+      text = ''.dup
+      Ripper.lex(buf).each do |_, token, str|
+        text << str
+        case token
+        when start
+          count += 1
+        when finish
+          count -= 1
+        end
+
+        if count == 0
+          return text, buf.sub(text, '')
+        end
+      end
+      raise SyntaxError.new(Error.message(:unbalanced_brackets))
+    end
+
     def block_opened?
       @next_line.tabs > @line.tabs
     end

data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/util.rb

@@ -213,7 +213,7 @@ MSG
             scan.scan(/\w+/)
           end
           content = eval("\"#{interpolated}\"")
-          content.prepend(char) if char == '@' || char == '$'
+          content = "#{char}#{content}" if char == '@' || char == '$'
           content = "Haml::Helpers.html_escape((#{content}))" if escape_html
 
           res << "\#{#{content}}"

data/bundle/ruby/2.7.0/gems/{haml-5.2.0 → haml-5.2.1}/lib/haml/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Haml
-  VERSION = "5.2.0"
+  VERSION = "5.2.1"
 end

data/bundle/ruby/2.7.0/gems/rexml-3.2.4/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in rexml.gemspec
+gemspec

data/bundle/ruby/2.7.0/gems/rexml-3.2.4/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (C) 1993-2013 Yukihiro Matsumoto. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.

data/bundle/ruby/2.7.0/gems/rexml-3.2.4/NEWS.md

@@ -0,0 +1,141 @@
+# News
+
+## 3.2.4 - 2020-01-31 {#version-3-2-4}
+
+### Improvements
+
+  * Don't use `taint` with Ruby 2.7 or later.
+    [GitHub#21][Patch by Jeremy Evans]
+
+### Fixes
+
+  * Fixed a `elsif` typo.
+    [GitHub#22][Patch by Nobuyoshi Nakada]
+
+### Thanks
+
+  * Jeremy Evans
+
+  * Nobuyoshi Nakada
+
+## 3.2.3 - 2019-10-12 {#version-3-2-3}
+
+### Fixes
+
+  * Fixed a bug that `REXML::XMLDecl#close` doesn't copy `@writethis`.
+    [GitHub#20][Patch by hirura]
+
+### Thanks
+
+  * hirura
+
+## 3.2.2 - 2019-06-03 {#version-3-2-2}
+
+### Fixes
+
+  * xpath: Fixed a bug for equality and relational expressions.
+    [GitHub#17][Reported by Mirko Budszuhn]
+
+  * xpath: Fixed `boolean()` implementation.
+
+  * xpath: Fixed `local_name()` with nonexistent node.
+
+  * xpath: Fixed `number()` implementation with node set.
+    [GitHub#18][Reported by Mirko Budszuhn]
+
+### Thanks
+
+  * Mirko Budszuhn
+
+## 3.2.1 - 2019-05-04 {#version-3-2-1}
+
+### Improvements
+
+  * Improved error message.
+    [GitHub#12][Patch by FUJI Goro]
+
+  * Improved error message.
+    [GitHub#16][Patch by ujihisa]
+
+  * Improved documentation markup.
+    [GitHub#14][Patch by Alyssa Ross]
+
+### Fixes
+
+  * Fixed a bug that `nil` variable value raises an unexpected exception.
+    [GitHub#13][Patch by Alyssa Ross]
+
+### Thanks
+
+  * FUJI Goro
+
+  * Alyssa Ross
+
+  * ujihisa
+
+## 3.2.0 - 2019-01-01 {#version-3-2-0}
+
+### Fixes
+
+  * Fixed a bug that no namespace attribute isn't matched with prefix.
+
+    [ruby-list:50731][Reported by Yasuhiro KIMURA]
+
+  * Fixed a bug that the default namespace is applied to attribute names.
+
+    NOTE: It's a backward incompatible change. If your program has any
+    problem with this change, please report it. We may revert this fix.
+
+    * `REXML::Attribute#prefix` returns `""` for no namespace attribute.
+
+    * `REXML::Attribute#namespace` returns `""` for no namespace attribute.
+
+### Thanks
+
+  * Yasuhiro KIMURA
+
+## 3.1.9 - 2018-12-20 {#version-3-1-9}
+
+### Improvements
+
+  * Improved backward compatibility.
+
+    Restored `REXML::Parsers::BaseParser::UNQME_STR` because it's used
+    by kramdown.
+
+## 3.1.8 - 2018-12-20 {#version-3-1-8}
+
+### Improvements
+
+  * Added support for customizing quote character in prologue.
+    [GitHub#8][Bug #9367][Reported by Takashi Oguma]
+
+    * You can use `"` as quote character by specifying `:quote` to
+      `REXML::Document#context[:prologue_quote]`.
+
+    * You can use `'` as quote character by specifying `:apostrophe`
+      to `REXML::Document#context[:prologue_quote]`.
+
+  * Added processing instruction target check. The target must not nil.
+    [GitHub#7][Reported by Ariel Zelivansky]
+
+  * Added name check for element and attribute.
+    [GitHub#7][Reported by Ariel Zelivansky]
+
+  * Stopped to use `Exception`.
+    [GitHub#9][Patch by Jean Boussier]
+
+### Fixes
+
+  * Fixed a bug that `REXML::Text#clone` escapes value twice.
+    [ruby-dev:50626][Bug #15058][Reported by Ryosuke Nanba]
+
+### Thanks
+
+  * Takashi Oguma
+
+  * Ariel Zelivansky
+
+  * Jean Boussier
+
+  * Ryosuke Nanba

data/bundle/ruby/2.7.0/gems/rexml-3.2.4/README.md

@@ -0,0 +1,60 @@
+# REXML
+
+REXML was inspired by the Electric XML library for Java, which features an easy-to-use API, small size, and speed. Hopefully, REXML, designed with the same philosophy, has these same features. I've tried to keep the API as intuitive as possible, and have followed the Ruby methodology for method naming and code flow, rather than mirroring the Java API.
+
+REXML supports both tree and stream document parsing. Stream parsing is faster (about 1.5 times as fast). However, with stream parsing, you don't get access to features such as XPath.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'rexml'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install rexml
+
+## Usage
+
+We'll start with parsing an XML document
+
+```ruby
+require "rexml/document"
+file = File.new( "mydoc.xml" )
+doc = REXML::Document.new file
+```
+
+Line 3 creates a new document and parses the supplied file. You can also do the following
+
+```ruby
+require "rexml/document"
+include REXML  # so that we don't have to prefix everything with REXML::...
+string = <<EOF
+  <mydoc>
+    <someelement attribute="nanoo">Text, text, text</someelement>
+  </mydoc>
+EOF
+doc = Document.new string
+```
+
+So parsing a string is just as easy as parsing a file.
+
+## Development
+
+After checking out the repo, run `rake test` to run the tests.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/ruby/rexml.
+
+## License
+
+The gem is available as open source under the terms of the [BSD-2-Clause](LICENSE.txt).