brakeman 7.1.2 → 8.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 49ebce7c5b36fd14e30b08390083b297cafca5d188f7b57a50b872c466958479
-  data.tar.gz: 6c71f882538ebef7c9802018793032fe10213be7537b9f88465e1390babc12bb
+  metadata.gz: a39689acbc7c9a29664a0094c4a3d17933f5ad41220d7035d1e6764e0dea5760
+  data.tar.gz: 58ca20c706a0d9c19f422c8e9a63cc81fe65c3f0f6643210315ea64fe911ddac
 SHA512:
-  metadata.gz: c24948824de7bbbb8242acf97bf21c12306e25540cde8510cb292a041573b05309b7db5973caa78e0acda30868d82361e75f6bf1f0c4d8129065b773d4a98917
-  data.tar.gz: e312665bc3680ce63f8b9c416bbf77966b8aba5d9666533252e9b4e8540353a01b49261d21281455a601e7becd3f5bbf068cf8b81edad862d910d7479a6f24c6
+  metadata.gz: 0d880a68afaa34c5efe25c07e9a236b5b08c68ad815c3f020bcbe666c42d5538938a428f0c09c9a1b843b4a98431bf020029931e090c6ebb53f04a3bb99fb743
+  data.tar.gz: 8a08f92273ea6f270f565bf4fd09cb6d811fbf517314f26ce595207f8473696e1a72e15cbd8aae2b79e29a27df93699063b53ae079b24e256106babefeec1da7

data/CHANGES.md

@@ -1,3 +1,14 @@
+# 8.0.0 - 2026-01-29
+
+* No longer produce weak dynamic render path warnings
+* `--skip-libs` removed
+* `--index-libs` removed
+* Revamp of scan progress output and logging
+* Faster file globbing for templates (Mikael Henriksson)
+* Fix singleton method prefixes (viralpraxis)
+* Fix qualified constant lookup to respect module/class context (Mike Dalessio)
+* Replace Erubis with Erubi
+
 # 7.1.2 - 2025-12-25
 
 * Update `ruby_parser` to remove version restriction (Chedli Bourguiba)

data/README.md

@@ -75,7 +75,7 @@ To specify an output file for the results:
 
     brakeman -o output_file
 
-The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, `github` and `sonar`.
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, `github`, `sarif`, and `sonar`.
 
 Multiple output files can be specified:
 

data/bundle/load.rb

@@ -1,6 +1,6 @@
 path = File.expand_path('../..', __FILE__)
 $:.unshift "#{path}/bundle/ruby/3.2.0/gems/csv-3.3.5/lib"
-$:.unshift "#{path}/bundle/ruby/3.2.0/gems/erubis-2.7.0/lib"
+$:.unshift "#{path}/bundle/ruby/3.2.0/gems/erubi-1.13.1/lib"
 $:.unshift "#{path}/bundle/ruby/3.2.0/gems/haml-6.4.0/lib"
 $:.unshift "#{path}/bundle/ruby/3.2.0/gems/highline-3.1.2/lib"
 $:.unshift "#{path}/bundle/ruby/3.2.0/gems/parallel-1.27.0/lib"
@@ -12,6 +12,6 @@ $:.unshift "#{path}/bundle/ruby/3.2.0/gems/sexp_processor-4.17.5/lib"
 $:.unshift "#{path}/bundle/ruby/3.2.0/gems/slim-5.2.1/lib"
 $:.unshift "#{path}/bundle/ruby/3.2.0/gems/temple-0.10.4/lib"
 $:.unshift "#{path}/bundle/ruby/3.2.0/gems/terminal-table-4.0.0/lib"
-$:.unshift "#{path}/bundle/ruby/3.2.0/gems/tilt-2.6.1/lib"
+$:.unshift "#{path}/bundle/ruby/3.2.0/gems/tilt-2.7.0/lib"
 $:.unshift "#{path}/bundle/ruby/3.2.0/gems/unicode-display_width-3.2.0/lib"
 $:.unshift "#{path}/bundle/ruby/3.2.0/gems/unicode-emoji-4.2.0/lib"

data/bundle/ruby/3.2.0/gems/erubi-1.13.1/CHANGELOG

@@ -0,0 +1,111 @@
+=== 1.13.1 (2024-12-19)
+
+* Avoid spurious frozen string literal warnings for chilled strings when using Ruby 3.4 (jeremyevans)
+
+=== 1.13.0 (2024-06-13)
+
+* Define Erubi.h as a module function (jeremyevans)
+
+* Add erubi/capture_block, supporting capturing block output via standard <%= and <%== tags (jeremyevans)
+
+=== 1.12.0 (2022-12-22)
+
+* Use erb/escape for faster html escaping if available (jeremyevans)
+
+* Default :freeze_template_literals option to false if running with --enable-frozen-string-literal (casperisfine) (#35)
+
+=== 1.11.0 (2022-08-02)
+
+* Support :freeze_template_literals option for configuring whether to add .freeze to template literal strings (casperisfine) (#33)
+
+* Support :chain_appends option for chaining appends to the buffer variable (casperisfine, jeremyevans) (#32)
+
+* Avoid unnecessary defined? usage on Ruby 3+ when using the :ensure option (jeremyevans)
+
+=== 1.10.0 (2020-11-13)
+
+* Improve template parsing, mostly by reducing allocations (jeremyevans)
+
+* Do not ship tests in the gem, reducing gem size about 20% (jeremyevans)
+
+* Support :literal_prefix and :literal_postfix options for how to output literal tags (e.g. <%% code %>) (jaredcwhite) (#26, #27)
+
+=== 1.9.0 (2019-09-25)
+
+* Change default :bufvar from 'String.new' to '::String.new' to work with BasicObject (jeremyevans)
+
+=== 1.8.0 (2018-12-18)
+
+* Support :yield_returns_buffer option in capture_end for always returning the (potentially modified) buffer in <%|= tags (evanleck) (#15)
+
+=== 1.7.1 (2018-03-05)
+
+* Make whitespace handling for <%# %> tags more compatible with Erubis (jeremyevans) (#14)
+
+=== 1.7.0 (2017-10-09)
+
+* Fix escaping in erubi/capture_end, the setting was previously inverted (jeremyevans) (#10)
+
+=== 1.6.1 (2017-06-27)
+
+* Fix usage on newer versions of JRuby 9.1 (jeremyevans)
+
+=== 1.6.0 (2017-02-27)
+
+* Use cgi/escape if available for 6x faster HTML escaping (k0kubun, jeremyevans) (#4)
+
+=== 1.5.0 (2017-01-26)
+
+* Drop tilt/erubi file, as tilt now ships with Erubi support (jeremyevans)
+
+* Drop erubi/capture file, Erubi::CaptureEngine support (jeremyevans)
+
+=== 1.4.0 (2017-01-20)
+
+* Allow postambles to depend on internal state of engine (jeremyevans)
+
+* Allow overriding of behavior for <%= and <%== tags to depend on which indicator was used (jeremyevans)
+
+* Make whitespace handling for <% %> tags more compatible with Erubis for subclasses overriding add_text (jeremyevans)
+
+=== 1.3.0 (2016-12-29)
+
+* Support :capture=>:explicit option in tilt support to use Erubi::CaptureEndEngine (jeremyevans)
+
+* Add erubi/capture_end containing Erubi::CaptureEndEngine, allowing <%|= and <%|== for opening capture tags, and <%| for closing capture tags (jeremyevans)
+
+=== 1.2.1 (2016-11-21)
+
+* Don't automatically freeze template text strings on ruby 1.9 or 2.0 (jeremyevans)
+
+=== 1.2.0 (2016-11-21)
+
+* Engine#src now returns a frozen string (jeremyevans)
+
+* Automatically freeze template text strings on ruby 2.1+, reducing garbage generated (jeremyevans)
+
+* Allow overriding of behavior for <%= and <%== tags (ujifgc) (#1)
+
+=== 1.1.0 (2016-11-14)
+
+* Add :ensure option to supporting restoring bufvar to original value (jeremyevans)
+
+* Don't have tilt support require erb (jeremyevans)
+
+* Support :engine_class option in tilt support to override engine class used (jeremyevans)
+
+* Support :capture option in tilt support to use Erubi::CaptureEngine (jeremyevans)
+
+* Add erubi/capture file containing Erubi::CaptureEngine, allowing <%|= and <%|== for capture (and escaping) blocks in templates (jeremyevans)
+
+* Raise ArgumentError if template source code contains indicators matched by regexp but not handled (jeremyevans)
+
+* Add :bufval option to support arbitrary buffer values (jeremyevans)
+
+* Add :regexp option to specify regexp used for scanning (jeremyevans)
+
+* Add :src option to specify initial template source (jeremyevans)
+
+=== 1.0.0 (2016-11-10)
+
+* Initial Public Release

data/bundle/ruby/3.2.0/gems/{erubis-2.7.0 → erubi-1.13.1}/MIT-LICENSE

@@ -1,4 +1,5 @@
 copyright(c) 2006-2011 kuwata-lab.com all rights reserved.
+copyright(c) 2016-2021 Jeremy Evans
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/bundle/ruby/3.2.0/gems/erubi-1.13.1/README.rdoc

@@ -0,0 +1,151 @@
+= Erubi
+
+Erubi is a ERB template engine for ruby. It is a simplified fork of Erubis, using
+the same basic algorithm, with the following differences:
+
+* Handles postfix conditionals when using escaping (e.g. <tt><%= foo if bar %></tt>)
+* Supports frozen_string_literal: true in templates via :freeze option
+* Works with ruby's <tt>--enable-frozen-string-literal</tt> option
+* Automatically freezes strings for template text when ruby optimizes it (on ruby 2.1+)
+* Escapes <tt>'</tt> (apostrophe) when escaping for better XSS protection 
+* Has 15x-6x faster escaping by using erb/escape or cgi/escape
+* Has 81% smaller memory footprint (calculated using +ObjectSpace.memsize_of_all+)
+* Does no monkey patching (Erubis adds a method to Kernel)
+* Uses an immutable design (all options passed to the constructor, which returns a frozen object)
+* Has simpler internals (1 file, <150 lines of code)
+* Is not dead (Erubis hasn't been updated since 2011)
+
+It is not designed with Erubis API compatibility in mind, though most Erubis
+ERB syntax works, with the following exceptions:
+
+* No support for <tt><%===</tt> for debug output
+
+= Installation
+
+  gem install erubi
+
+= Source Code
+
+Source code is available on GitHub at https://github.com/jeremyevans/erubi
+
+= Usage
+
+Erubi only has built in support for retrieving the generated source for a
+file:
+
+  require 'erubi'
+  eval(Erubi::Engine.new(File.read('filename.erb')).src)
+
+Most users will probably use Erubi via Rails or Tilt.  Erubi is the default
+erb template handler in Tilt 2.0.6+ and Rails 5.1+.
+
+== Capturing
+
+Erubi does not support capturing block output into the template by default.
+It currently ships with two implementations that allow it.
+
+=== Erubi::CaptureBlockEngine
+
+The recommended implementation can be required via +erubi/capture_block+,
+which allows capturing to work with normal <tt><%=</tt> and <tt><%==</tt>
+tags.
+
+  <%= form do %>
+    <input>
+  <% end %>
+
+When using the capture_block support, capture methods should just return
+the text it emit into the template, and call +capture+ on the buffer value.
+Since the buffer variable is a local variable and not an instance variable
+by default, you'll probably want to set the +:bufvar+ variable when using
+the capture_block support to an instance variable, and have any methods
+used call capture on that instance variable.  Example:
+
+  def form(&block)
+    "<form>#{@_buf.capture(&block)}</form>"
+  end
+
+  puts eval(Erubi::CaptureBlockEngine.new(<<-END, bufvar: '@_buf', trim: false).src)
+  before
+  <%= form do %>
+  inside
+  <% end %>
+  after
+  END
+
+  # Output:
+  # before
+  # <form>
+  # inside
+  # </form>
+  # after
+
+To use the capture_block support with tilt:
+
+  require 'tilt'
+  require 'erubi/capture_block'
+  Tilt.new("filename.erb", :engine_class=>Erubi::CaptureBlockEngine).render
+
+Note that the capture_block support, while very compatible with the default
+support, is not 100% compatible.  One area where behavior differs is when
+using multiple statements inside <tt><%=</tt> and <tt><%==</tt> tags:
+
+  <%= 1; 2 %>
+
+The default support will output 2, but the capture_block support will output
+1.
+
+=== Erubi::CaptureEndEngine
+
+An alternative capture implementation can be required via +erubi/capture_end+,
+which supports it via <tt><%|=</tt> and <tt><%|==</tt> tags which are
+closed with a <tt><%|</tt> tag:
+
+  <%|= form do %>
+    <input>
+  <%| end %>
+
+It is only recommended to use +erubi/capture_end+ for backwards
+compatibilty.
+
+When using the capture_end support, capture methods (such as +form+ in the example
+above) should return the (potentially modified) buffer. Similar to the
+capture_block support, using an instance variable is recommended. Example:
+
+  def form
+    @_buf << "<form>"
+    yield
+    @_buf << "</form>"
+    @_buf
+  end
+
+  puts eval(Erubi::CaptureEndEngine.new(<<-END, bufvar: '@_buf').src)
+  before
+  <%|= form do %>
+  inside
+  <%| end %>
+  after
+  END
+
+  # Output:
+  # before
+  # <form>
+  # inside
+  # </form>
+  # after
+
+Alternatively, passing the option <tt>:yield_returns_buffer => true</tt> will return the
+buffer captured by the block instead of the last expression in the block.
+
+= Reporting Bugs
+
+The bug tracker is located at https://github.com/jeremyevans/erubi/issues
+
+= License
+
+MIT
+
+= Authors
+
+Jeremy Evans <code@jeremyevans.net>
+kuwata-lab.com

data/bundle/ruby/3.2.0/gems/erubi-1.13.1/lib/erubi/capture_block.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require 'erubi'
+
+module Erubi
+  # An engine class that supports capturing blocks via the <tt><%=</tt> and <tt><%==</tt> tags:
+  #
+  #   <%= upcase_form do %>
+  #     <%= 'foo' %>
+  #   <% end %>
+  #
+  # Where +upcase_form+ is defined like:
+  #
+  #   def upcase_form(&block)
+  #     "<form>#{@bufvar.capture(&block).upcase}</form>"
+  #   end
+  #
+  # With output being:
+  #
+  #   <form>
+  #     FOO
+  #   </form>
+  #
+  # This requires using a string subclass as the buffer value, provided by the
+  # CaptureBlockEngine::Buffer class.
+  #
+  # This engine does not support the :escapefunc option.  To change the escaping function,
+  # use a subclass of CaptureBlockEngine::Buffer and override the #| method.
+  #
+  # This engine does not support the :chain_appends option, and ignores it if present.
+  class CaptureBlockEngine < Engine
+    class Buffer < ::String
+    
+      # Convert argument to string when concatening
+      def <<(v)
+        concat(v.to_s)
+      end
+
+      # Escape argument using Erubi.h then then concatenate it to the receiver.
+      def |(v)
+        concat(h(v))
+      end
+
+      # Temporarily clear the receiver before yielding to the block, yield the
+      # given args to the block, return any data captured by the receiver, and
+      # restore the original data the receiver contained before returning.
+      def capture(*args)
+        prev = dup
+        replace("") # 1.8 support!
+        yield(*args)
+        dup
+      ensure
+        replace(prev)
+      end
+
+      private
+
+      if RUBY_VERSION >= '2'
+        define_method(:h, ::Erubi.instance_method(:h))
+      # :nocov:
+      else
+        def h(v)
+          ::Erubi.h(v)
+        end
+      end
+      # :nocov:
+    end
+
+    def initialize(input, properties={})
+      properties = Hash[properties]
+      properties[:bufval] ||= '::Erubi::CaptureBlockEngine::Buffer.new'
+      properties[:chain_appends] = false
+      super
+    end
+
+    private
+
+    def add_expression_result(code)
+      add_expression_op(' <<= ', code)
+    end
+
+    def add_expression_result_escaped(code)
+      add_expression_op(' |= ', code)
+    end
+
+    def add_expression_op(op, code)
+      check = /\A\s*\z/.send(MATCH_METHOD, code) ? "''" : ''
+      with_buffer{@src << op  << check << code}
+    end
+  end
+end

data/bundle/ruby/3.2.0/gems/erubi-1.13.1/lib/erubi/capture_end.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'erubi'
+
+module Erubi
+  # An engine class that supports capturing blocks via the <tt><%|=</tt> and <tt><%|==</tt> tags,
+  # explicitly ending the captures using <tt><%|</tt> end <tt>%></tt> blocks.
+  class CaptureEndEngine < Engine
+    # Initializes the engine.  Accepts the same arguments as ::Erubi::Engine, and these
+    # additional options:
+    # :escape_capture :: Whether to make <tt><%|=</tt> escape by default, and <tt><%|==</tt> not escape by default,
+    #                    defaults to the same value as :escape.
+    # :yield_returns_buffer :: Whether to have <tt><%|</tt> tags insert the buffer as an expression, so that
+    #                          <tt><%| end %></tt> tags will have the buffer be the last expression inside
+    #                          the block, and therefore have the buffer be returned by the yield
+    #                          expression.  Normally the buffer will be returned anyway, but there
+    #                          are cases where the last expression will not be the buffer,
+    #                          and therefore a different object will be returned.
+    def initialize(input, properties={})
+      properties = Hash[properties]
+      escape = properties.fetch(:escape){properties.fetch(:escape_html, false)}
+      @escape_capture = properties.fetch(:escape_capture, escape)
+      @yield_returns_buffer = properties.fetch(:yield_returns_buffer, false)
+      @bufval = properties[:bufval] ||= '::String.new'
+      @bufstack = '__erubi_stack'
+      properties[:regexp] ||= /<%(\|?={1,2}|-|\#|%|\|)?(.*?)([-=])?%>([ \t]*\r?\n)?/m
+      super
+    end
+
+    private
+
+    # Handle the <%|= and <%|== tags
+    def handle(indicator, code, tailch, rspace, lspace)
+      case indicator
+      when '|=', '|=='
+        rspace = nil if tailch && !tailch.empty?
+        add_text(lspace) if lspace
+        escape_capture = !((indicator == '|=') ^ @escape_capture)
+        terminate_expression
+        @src << "begin; (#{@bufstack} ||= []) << #{@bufvar}; #{@bufvar} = #{@bufval}; #{@bufstack}.last << #{@escapefunc if escape_capture}((" << code
+        @buffer_on_stack = false
+        add_text(rspace) if rspace
+      when '|'
+        rspace = nil if tailch && !tailch.empty?
+        add_text(lspace) if lspace
+        if @yield_returns_buffer
+          terminate_expression
+          @src << " #{@bufvar}; "
+        end
+        @src << code << ")).to_s; ensure; #{@bufvar} = #{@bufstack}.pop; end;"
+        @buffer_on_stack = false
+        add_text(rspace) if rspace
+      else
+        super
+      end
+    end
+  end
+end