brakeman 4.10.1 → 5.0.0.pre1
- checksums.yaml +4 -4
- data/CHANGES.md +9 -7
- data/README.md +1 -1
- data/bundle/load.rb +8 -9
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/CHANGELOG.md +1 -8
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/FAQ.md +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/Gemfile +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/MIT-LICENSE +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/README.md +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/REFERENCE.md +5 -9
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/TODO +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/haml.gemspec +1 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/attribute_builder.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/attribute_compiler.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/attribute_parser.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/buffer.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/compiler.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/engine.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/error.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/escapable.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/exec.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/filters.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/generator.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/helpers.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/helpers/action_view_extensions.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/helpers/action_view_mods.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/helpers/action_view_xss_mods.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/helpers/safe_erubi_template.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/helpers/safe_erubis_template.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/helpers/xss_mods.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/options.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/parser.rb +3 -31
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/plugin.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/railtie.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/sass_rails_filter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/template.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/template/options.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/temple_engine.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/temple_line_counter.rb +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/util.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/version.rb +1 -1
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/yard/default/fulldoc/html/css/common.sass +0 -0
- data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/yard/default/layout/html/footer.erb +0 -0
- data/lib/brakeman.rb +6 -0
- data/lib/brakeman/app_tree.rb +36 -3
- data/lib/brakeman/checks/check_execute.rb +1 -1
- data/lib/brakeman/checks/check_regex_dos.rb +1 -1
- data/lib/brakeman/checks/check_unsafe_reflection_methods.rb +68 -0
- data/lib/brakeman/checks/check_verb_confusion.rb +75 -0
- data/lib/brakeman/file_parser.rb +19 -23
- data/lib/brakeman/options.rb +5 -1
- data/lib/brakeman/parsers/template_parser.rb +2 -3
- data/lib/brakeman/processors/alias_processor.rb +2 -2
- data/lib/brakeman/processors/controller_processor.rb +1 -1
- data/lib/brakeman/processors/lib/file_type_detector.rb +64 -0
- data/lib/brakeman/processors/output_processor.rb +1 -1
- data/lib/brakeman/processors/template_alias_processor.rb +0 -5
- data/lib/brakeman/report.rb +8 -0
- data/lib/brakeman/report/report_sonar.rb +38 -0
- data/lib/brakeman/rescanner.rb +7 -5
- data/lib/brakeman/scanner.rb +42 -18
- data/lib/brakeman/tracker.rb +6 -0
- data/lib/brakeman/tracker/controller.rb +1 -1
- data/lib/brakeman/util.rb +9 -4
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +2 -0
- data/lib/ruby_parser/bm_sexp.rb +9 -9
- metadata +49 -99
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/Gemfile +0 -6
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/LICENSE.txt +0 -22
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/NEWS.md +0 -141
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/README.md +0 -60
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/attlistdecl.rb +0 -63
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/attribute.rb +0 -205
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/cdata.rb +0 -68
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/child.rb +0 -97
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/comment.rb +0 -80
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/doctype.rb +0 -287
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/document.rb +0 -291
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/dtd/attlistdecl.rb +0 -11
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/dtd/dtd.rb +0 -47
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/dtd/elementdecl.rb +0 -18
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/dtd/entitydecl.rb +0 -57
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/dtd/notationdecl.rb +0 -40
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/element.rb +0 -1269
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/encoding.rb +0 -51
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/entity.rb +0 -171
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/formatters/default.rb +0 -116
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/formatters/pretty.rb +0 -142
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/formatters/transitive.rb +0 -58
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/functions.rb +0 -447
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/instruction.rb +0 -79
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/light/node.rb +0 -196
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/namespace.rb +0 -59
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/node.rb +0 -76
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/output.rb +0 -30
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parent.rb +0 -166
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parseexception.rb +0 -52
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/baseparser.rb +0 -594
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/lightparser.rb +0 -59
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/pullparser.rb +0 -197
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/sax2parser.rb +0 -273
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/streamparser.rb +0 -61
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/treeparser.rb +0 -101
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/ultralightparser.rb +0 -57
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/parsers/xpathparser.rb +0 -675
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/quickpath.rb +0 -266
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/rexml.rb +0 -32
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/sax2listener.rb +0 -98
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/security.rb +0 -28
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/source.rb +0 -298
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/streamlistener.rb +0 -93
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/text.rb +0 -424
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/undefinednamespaceexception.rb +0 -9
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/validation/relaxng.rb +0 -539
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/validation/validation.rb +0 -144
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/validation/validationexception.rb +0 -10
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/xmldecl.rb +0 -130
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/xmltokens.rb +0 -85
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/xpath.rb +0 -81
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib/rexml/xpath_parser.rb +0 -968
- data/bundle/ruby/2.7.0/gems/rexml-3.2.4/rexml.gemspec +0 -84
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 83005dc6f5d262579ddf2d249af33cc9ec446e5d187809b1ff2ebe2f99f71ad3
|
4
|
+
data.tar.gz: 899b9f1c9594ce43c9b638e53f948750bb04a3443c0db56254027de09c59203a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 1dea78840076e27bf0577b6f81bdc7b28a5a19eea2ce4d1672c318ddaa158f68b49310f5a9df4a6a4ab68d8d15f18fbd8089b1cd9392f5404c82db9111a78c1c
|
7
|
+
data.tar.gz: b7a122f95a49b36470308cf13675536ed7d86af98bbc37a433ada47d5cca68a7dba376fc470308862b2457c4223e8af85b9fafcbe60b16cfa61774b3ff1f9c9e
|
data/CHANGES.md
CHANGED
@@ -1,10 +1,12 @@
|
|
1
|
-
#
|
2
|
-
|
3
|
-
*
|
4
|
-
*
|
5
|
-
*
|
6
|
-
*
|
7
|
-
*
|
1
|
+
# 5.0.0.pre1 - 2020-11-17
|
2
|
+
|
3
|
+
* Add check for (more) unsafe method reflection
|
4
|
+
* Suggest using `--force` if no Rails application is detected
|
5
|
+
* Add Sonarqube report format (Adam England)
|
6
|
+
* Add check for potential HTTP verb confusion
|
7
|
+
* Add `--[no-]skip-vendor` option
|
8
|
+
* Scan (almost) all Ruby files in project
|
9
|
+
* Add support for Haml 5.2.0
|
8
10
|
|
9
11
|
# 4.10.0 - 2020-09-28
|
10
12
|
|
data/README.md
CHANGED
@@ -76,7 +76,7 @@ To specify an output file for the results:
|
|
76
76
|
|
77
77
|
brakeman -o output_file
|
78
78
|
|
79
|
-
The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, and `
|
79
|
+
The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, and `sonar`.
|
80
80
|
|
81
81
|
Multiple output files can be specified:
|
82
82
|
|
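--- a/data/bundle/load.rb
+++ b/data/bundle/load.rb
@@ -1,15 +1,14 @@
 path = File.expand_path('../..', __FILE__)
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/erubis-2.7.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/temple-0.8.2/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/safe_yaml-1.0.5/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/unicode-display_width-1.7.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.15.1/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/tilt-2.0.10/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/slim-4.1.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/sexp_processor-4.15.1/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-3.15.0/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/terminal-table-1.8.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/highline-2.0.3/lib"
 $:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby2ruby-2.4.4/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/rexml-3.2.4/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/ruby_parser-legacy-1.0.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/erubis-2.7.0/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/haml-5.2.1/lib"
-$:.unshift "#{path}/bundle/ruby/2.7.0/gems/safe_yaml-1.0.5/lib"
+$:.unshift "#{path}/bundle/ruby/2.7.0/gems/haml-5.2.0/lib"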
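Review bot: Moving to this prerelease downgrades two bundled dependencies: the new load path pins `haml-5.2.0` and has no `rexml-3.2.4` entry, where the removed lines show 4.10.1 shipped haml 5.2.1 and a bundled rexml. Going by the dates on this page — 5.0.0.pre1 is dated 2020-11-17 in CHANGES.md and the haml CHANGELOG hunk dates 5.2.1 to November 30, 2020 — the prerelease predates 4.10.1, so anyone switching to it takes a dependency step backwards rather than an upgrade. If any reporter depends on REXML, it stopped being a default gem from Ruby 3.0 onward, so its absence from this list is worth confirming before the final 5.0.0 and worth a line in CHANGES.md.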
@@ -1,16 +1,9 @@
|
|
1
1
|
# Haml Changelog
|
2
2
|
|
3
|
-
## 5.2.1
|
4
|
-
|
5
|
-
Released on November 30, 2020
|
6
|
-
([diff](https://github.com/haml/haml/compare/v5.2.0...v5.2.1)).
|
7
|
-
|
8
|
-
* Add in improved "multiline" support for attributes [#1043](https://github.com/haml/haml/issues/1043)
|
9
|
-
|
10
3
|
## 5.2
|
11
4
|
|
12
5
|
Released on September 28, 2020
|
13
|
-
([diff](https://github.com/haml/haml/compare/v5.1.2...v5.2
|
6
|
+
([diff](https://github.com/haml/haml/compare/v5.1.2...v5.2)).
|
14
7
|
|
15
8
|
* Fix crash in the attribute optimizer when `#inspect` is overridden in TrueClass / FalseClass [#972](https://github.com/haml/haml/issues/972)
|
16
9
|
* Do not HTML-escape templates that are declared to be plaintext [#1014](https://github.com/haml/haml/issues/1014) (Thanks [@cesarizu](https://github.com/cesarizu))
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
@@ -228,19 +228,15 @@ is compiled to:
|
|
228
228
|
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'></html>
|
229
229
|
|
230
230
|
Attribute hashes can also be stretched out over multiple lines to accommodate
|
231
|
-
many attributes.
|
231
|
+
many attributes. However, newlines may only be placed immediately after commas.
|
232
|
+
For example:
|
232
233
|
|
233
|
-
%script{
|
234
|
-
|
235
|
-
"src": javascripts/script_#{2 + 7}",
|
236
|
-
"data": {
|
237
|
-
"controller": "reporter",
|
238
|
-
},
|
239
|
-
}
|
234
|
+
%script{:type => "text/javascript",
|
235
|
+
:src => "javascripts/script_#{2 + 7}"}
|
240
236
|
|
241
237
|
is compiled to:
|
242
238
|
|
243
|
-
<script src='javascripts/script_9' type='text/javascript'
|
239
|
+
<script src='javascripts/script_9' type='text/javascript'></script>
|
244
240
|
|
245
241
|
#### `:class` and `:id` Attributes {#class-and-id-attributes}
|
246
242
|
|
File without changes
|
@@ -32,7 +32,7 @@ Gem::Specification.new do |spec|
|
|
32
32
|
spec.add_development_dependency 'rbench'
|
33
33
|
spec.add_development_dependency 'minitest', '>= 4.0'
|
34
34
|
spec.add_development_dependency 'nokogiri'
|
35
|
-
spec.add_development_dependency 'simplecov'
|
35
|
+
spec.add_development_dependency 'simplecov', '0.17.1' # Locked to this version due to https://github.com/codeclimate/test-reporter/issues/418
|
36
36
|
|
37
37
|
spec.description = <<-END
|
38
38
|
Haml (HTML Abstraction Markup Language) is a layer on top of HTML or XML that's
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/helpers/action_view_extensions.rb
RENAMED
File without changes
|
File without changes
|
data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/helpers/action_view_xss_mods.rb
RENAMED
File without changes
|
data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/helpers/safe_erubi_template.rb
RENAMED
File without changes
|
data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/lib/haml/helpers/safe_erubis_template.rb
RENAMED
File without changes
|
File without changes
|
File without changes
|
@@ -1,6 +1,5 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
-
require 'ripper'
|
4
3
|
require 'strscan'
|
5
4
|
|
6
5
|
module Haml
|
@@ -91,9 +90,6 @@ module Haml
|
|
91
90
|
ID_KEY = 'id'.freeze
|
92
91
|
CLASS_KEY = 'class'.freeze
|
93
92
|
|
94
|
-
# Used for scanning old attributes, substituting the first '{'
|
95
|
-
METHOD_CALL_PREFIX = 'a('
|
96
|
-
|
97
93
|
def initialize(options)
|
98
94
|
@options = Options.wrap(options)
|
99
95
|
# Record the indent levels of "if" statements to validate the subsequent
|
@@ -655,18 +651,13 @@ module Haml
|
|
655
651
|
# @return [String] rest
|
656
652
|
# @return [Integer] last_line
|
657
653
|
def parse_old_attributes(text)
|
654
|
+
text = text.dup
|
658
655
|
last_line = @line.index + 1
|
659
656
|
|
660
657
|
begin
|
661
|
-
|
662
|
-
# `{ hash, foo: bar }`, which is compiled to `_hamlout.attributes({}, nil, hash, foo: bar)`.
|
663
|
-
#
|
664
|
-
# To scan such code correctly, this scans `a( hash, foo: bar }` instead, stops when there is
|
665
|
-
# 1 more :on_embexpr_end (the last '}') than :on_embexpr_beg, and resurrects '{' afterwards.
|
666
|
-
balanced, rest = balance_tokens(text.sub(?{, METHOD_CALL_PREFIX), :on_embexpr_beg, :on_embexpr_end, count: 1)
|
667
|
-
attributes_hash = balanced.sub(METHOD_CALL_PREFIX, ?{)
|
658
|
+
attributes_hash, rest = balance(text, ?{, ?})
|
668
659
|
rescue SyntaxError => e
|
669
|
-
if e.message == Error.message(:unbalanced_brackets)
|
660
|
+
if text.strip[-1] == ?, && e.message == Error.message(:unbalanced_brackets)
|
670
661
|
text << "\n#{@next_line.text}"
|
671
662
|
last_line += 1
|
672
663
|
next_line
|
@@ -820,25 +811,6 @@ module Haml
|
|
820
811
|
Haml::Util.balance(*args) or raise(SyntaxError.new(Error.message(:unbalanced_brackets)))
|
821
812
|
end
|
822
813
|
|
823
|
-
# Unlike #balance, this balances Ripper tokens to balance something like `{ a: "}" }` correctly.
|
824
|
-
def balance_tokens(buf, start, finish, count: 0)
|
825
|
-
text = ''.dup
|
826
|
-
Ripper.lex(buf).each do |_, token, str|
|
827
|
-
text << str
|
828
|
-
case token
|
829
|
-
when start
|
830
|
-
count += 1
|
831
|
-
when finish
|
832
|
-
count -= 1
|
833
|
-
end
|
834
|
-
|
835
|
-
if count == 0
|
836
|
-
return text, buf.sub(text, '')
|
837
|
-
end
|
838
|
-
end
|
839
|
-
raise SyntaxError.new(Error.message(:unbalanced_brackets))
|
840
|
-
end
|
841
|
-
|
842
814
|
def block_opened?
|
843
815
|
@next_line.tabs > @line.tabs
|
844
816
|
end
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
File without changes
|
@@ -213,7 +213,7 @@ MSG
|
|
213
213
|
scan.scan(/\w+/)
|
214
214
|
end
|
215
215
|
content = eval("\"#{interpolated}\"")
|
216
|
-
content
|
216
|
+
content.prepend(char) if char == '@' || char == '$'
|
217
217
|
content = "Haml::Helpers.html_escape((#{content}))" if escape_html
|
218
218
|
|
219
219
|
res << "\#{#{content}}"
|
data/bundle/ruby/2.7.0/gems/{haml-5.2.1 → haml-5.2.0}/yard/default/fulldoc/html/css/common.sass
RENAMED
File without changes
|
File without changes
|
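--- a/data/lib/brakeman.rb
+++ b/data/lib/brakeman.rb
@@ -66,6 +66,7 @@ module Brakeman
 # * :run_checks - array of checks to run (run all if not specified)
 # * :safe_methods - array of methods to consider safe
 # * :skip_libs - do not process lib/ directory (default: false)
+# * :skip_vendor - do not process vendor/ directory (default: true)
 # * :skip_checks - checks not to run (run all if not specified)
 # * :absolute_paths - show absolute path of each file (default: false)
 # * :summary_only - only output summary section of report for plain/table (:summary_only, :no_summary, true)
@@ -191,6 +192,7 @@ module Brakeman
 :report_progress => true,
 :safe_methods => Set.new,
 :skip_checks => Set.new,
+:skip_vendor => true,
 }
 end
 
@@ -239,6 +241,8 @@ module Brakeman
 [:to_junit]
 when :sarif, :to_sarif
 [:to_sarif]
+when :sonar, :to_sonar
+[:to_sonar]
 else
 [:to_text]
 end
@@ -270,6 +274,8 @@ module Brakeman
 :to_junit
 when /\.sarif$/i
 :to_sarif
+when /\.sonar$/i
+:to_sonar
 else
 :to_text
 end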
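--- a/data/lib/brakeman/app_tree.rb
+++ b/data/lib/brakeman/app_tree.rb
@@ -21,6 +21,7 @@ module Brakeman
 end
 init_options[:additional_libs_path] = options[:additional_libs_path]
 init_options[:engine_paths] = options[:engine_paths]
+init_options[:skip_vendor] = options[:skip_vendor]
 new(root, init_options)
 end
 
@@ -62,6 +63,7 @@ module Brakeman
 @engine_paths = init_options[:engine_paths] || []
 @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
 @relative_engine_paths = @engine_paths - @absolute_engine_paths
+@skip_vendor = init_options[:skip_vendor]
 @gemspec = nil
 @root_search_pattern = nil
 end
@@ -96,6 +98,10 @@ module Brakeman
 end
 end
 
+def ruby_file_paths
+find_paths(".").uniq
+end
+
 def initializer_paths
 @initializer_paths ||= prioritize_concerns(find_paths("config/initializers"))
 end
@@ -109,8 +115,8 @@ module Brakeman
 end
 
 def template_paths
-@template_paths ||= find_paths("
-
+@template_paths ||= find_paths(".", "*.{#{VIEW_EXTENSIONS}}") +
+find_paths("**", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
 end
 
 def layout_exists?(name)
@@ -163,7 +169,8 @@ module Brakeman
 def select_files(paths)
 paths = select_only_files(paths)
 paths = reject_skipped_files(paths)
-convert_to_file_paths(paths)
+paths = convert_to_file_paths(paths)
+reject_global_excludes(paths)
 end
 
 def select_only_files(paths)
@@ -182,6 +189,32 @@ module Brakeman
 end
 end
 
+EXCLUDED_PATHS = %w[
+/generators/
+lib/tasks/
+lib/templates/
+db/
+spec/
+test/
+tmp/
+public/
+log/
+]
+
+def reject_global_excludes(paths)
+paths.reject do |path|
+relative_path = path.relative
+
+if @skip_vendor and relative_path.include? 'vendor/'
+true
+else
+EXCLUDED_PATHS.any? do |excluded|
+relative_path.include? excluded
+end
+end
+end
+end
+
 def match_path files, path
 absolute_path = Pathname.new(path)
 # relative root never has a leading separator. But, we use a leading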
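Review bot: `reject_global_excludes` tests bare prefixes such as `log/`, `db/` and `test/` with `String#include?`, so a file under any directory whose name merely ends that way — `app/models/blog/post.rb` contains `log/` — is silently dropped from the scan together with the directories actually meant to be excluded; for a security scanner that is a false negative with no indication to the user. The `'vendor/'` test behind `@skip_vendor` has the same weakness. Anchoring each entry at a path-segment boundary (start of the relative path or right after a `/`) keeps the intended exclusions for top-level and engine-nested `db/`, `test/` and the rest while leaving `blog/` alone, as in the rewrite below; the constant should also be frozen like other `%w[]` constants. Separately, `@skip_vendor` is whatever `init_options[:skip_vendor]` carries (second hunk), so an AppTree not built through `from_options` ends up with `nil` and scans vendor/, the opposite of the `(default: true)` documented in brakeman.rb — `init_options.fetch(:skip_vendor, true)` would make the default hold there too, if that is intended.

```ruby
EXCLUDED_PATHS = %w[
  /generators/
  lib/tasks/
  lib/templates/
  db/
  spec/
  test/
  tmp/
  public/
  log/
].freeze

# Match each excluded prefix only at a path-segment boundary, so a directory
# such as app/models/blog/ is not dropped by the "log/" entry.
EXCLUDED_PATH_PATTERN = Regexp.union(EXCLUDED_PATHS.map { |excluded|
  %r{(?:\A|/)#{Regexp.escape(excluded.sub(%r{\A/}, ''))}}
})
VENDOR_PATTERN = %r{(?:\A|/)vendor/}

def reject_global_excludes(paths)
  paths.reject do |path|
    relative_path = path.relative

    (@skip_vendor && relative_path.match?(VENDOR_PATTERN)) ||
      relative_path.match?(EXCLUDED_PATH_PATTERN)
  end
end
```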
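--- a/data/lib/brakeman/checks/check_execute.rb
+++ b/data/lib/brakeman/checks/check_execute.rb
@@ -208,7 +208,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 if node_type? e, :if
 # If we're in a conditional, evaluate the `then` and `else` clauses to
 # see if they're dangerous.
-if res = dangerous?(e.
+if res = dangerous?(e.values[1..-1])
 return res
 end
 elsif node_type? e, :or, :evstr, :dstr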
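--- /dev/null
+++ b/data/lib/brakeman/checks/check_unsafe_reflection_methods.rb
@@ -0,0 +1,68 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckUnsafeReflectionMethods < Brakeman::BaseCheck
+Brakeman::Checks.add self
+
+@description = "Checks for unsafe reflection to access methods"
+
+def run_check
+check_method
+check_tap
+check_to_proc
+end
+
+def check_method
+tracker.find_call(method: :method, nested: true).each do |result|
+argument = result[:call].first_arg
+
+if user_input = include_user_input?(argument)
+warn_unsafe_reflection(result, user_input)
+end
+end
+end
+
+def check_tap
+tracker.find_call(method: :tap, nested: true).each do |result|
+argument = result[:call].first_arg
+
+# Argument is passed like a.tap(&argument)
+if node_type? argument, :block_pass
+argument = argument.value
+end
+
+if user_input = include_user_input?(argument)
+warn_unsafe_reflection(result, user_input)
+end
+end
+end
+
+def check_to_proc
+tracker.find_call(method: :to_proc, nested: true).each do |result|
+target = result[:call].target
+
+if user_input = include_user_input?(target)
+warn_unsafe_reflection(result, user_input)
+end
+end
+end
+
+def warn_unsafe_reflection result, input
+return unless original? result
+method = result[:call].method
+
+confidence = if input.type == :params
+:high
+else
+:medium
+end
+
+message = msg("Unsafe reflection method ", msg_code(method), " called with ", msg_input(input))
+
+warn :result => result,
+:warning_type => "Remote Code Execution",
+:warning_code => :unsafe_method_reflection,
+:message => message,
+:user_input => input,
+:confidence => confidence
+end
+end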
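Review bot: None of the three `check_*` methods says which construct it flags or why it matters, so the class-level `@description` is the only explanation a maintainer gets for a check that reports "Remote Code Execution". One comment each would do: for `check_method`, `# Flags method(name) when name derives from user input: it hands back a callable for a caller-chosen method`; for `check_tap`, `# Flags tap(&blk) when the block argument is user-controlled, since Ruby converts it via to_proc and invokes it`; for `check_to_proc`, `# Flags to_proc on a user-controlled receiver`. The three bodies also share one find-then-warn shape, which could become a single private helper taking the `find_call` method name and a block that selects the node to inspect. Note that `check_method` matches every call named `method` regardless of receiver, so a zero-argument call such as `request.method` reaches `include_user_input?(nil)`; presumably that returns falsy, but it is worth confirming against BaseCheck.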