From 1896498bda8ea7c42468484aa43d15c56cf67835 Mon Sep 17 00:00:00 2001
From: Fish-Nullify
Date: Tue, 19 Mar 2024 12:32:23 +1100
Subject: [PATCH 1/3] fixed ERB parsing issue
---
 lib/brakeman/parsers/template_parser.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/brakeman/parsers/template_parser.rb b/lib/brakeman/parsers/template_parser.rb
index 9fbf3b425..4817fa900 100644
--- a/lib/brakeman/parsers/template_parser.rb
+++ b/lib/brakeman/parsers/template_parser.rb
@@ -59,9 +59,9 @@ def parse_erb path, text
 else
 require 'erb'
 src = if ERB.instance_method(:initialize).parameters.assoc(:key) # Ruby 2.6+
- ERB.new(text, trim_mode: path).src
+ ERB.new(text, trim_mode: "-").src
 else
- ERB.new(text, nil, path).src
+ ERB.new(text, nil, "-").src
 end
 src.sub!(/^#.*\n/, '') if Brakeman::Scanner::RUBY_1_9
 src
From b5898355bfd5c2ac7eae068b87f5e19412a60c24 Mon Sep 17 00:00:00 2001
From: Fish-Nullify
Date: Tue, 19 Mar 2024 14:44:00 +1100
Subject: [PATCH 2/3] fixed parser
---
 gem_common.rb | 1 +
 lib/brakeman/checks/check_execute.rb | 2 +-
 lib/brakeman/checks/check_regex_dos.rb | 2 +-
 lib/brakeman/processors/alias_processor.rb | 4 ++--
 lib/brakeman/processors/controller_processor.rb | 2 +-
 lib/brakeman/processors/output_processor.rb | 2 +-
 lib/brakeman/tracker/controller.rb | 2 +-
 lib/brakeman/util.rb | 4 ++--
 lib/ruby_parser/bm_sexp.rb | 16 ++++++++--------
 9 files changed, 18 insertions(+), 17 deletions(-)
diff --git a/gem_common.rb b/gem_common.rb
index 2c088a08f..aeb7a1d9a 100644
--- a/gem_common.rb
+++ b/gem_common.rb
@@ -18,6 +18,7 @@ def self.extended_dependencies spec
 spec.add_dependency "haml", ">=3.0", "<5.0"
 spec.add_dependency "sass", "~>3.0", "<3.5.0"
 spec.add_dependency "slim", ">=1.3.6", "<3.0.8"
+ spec.add_dependency "rexml", "~>3.0"
 end
 end
 end
diff --git a/lib/brakeman/checks/check_execute.rb b/lib/brakeman/checks/check_execute.rb
index c7b4251d9..7db030333 100644
--- a/lib/brakeman/checks/check_execute.rb
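Review bot: The trim-mode literal `"-"` is now written twice, once per `ERB.new` branch, with nothing recording why this mode replaced the `path` argument the removed lines passed; hoist it to a named constant and document it, e.g. `ERB_TRIM_MODE = '-'` on the class with `# '-' mirrors the trim mode Rails uses for ERB templates, so <%- / -%> compile the same way here as in the app` (assuming that is the intent). The two call sites then become `ERB.new(text, trim_mode: ERB_TRIM_MODE).src` and `ERB.new(text, nil, ERB_TRIM_MODE).src`. Passing a file path as the trim mode is presumably the "ERB parsing issue" named in the subject, but nothing in the commit message says so, and one sentence there would save the next reader the archaeology. parse_erb begins before this hunk and its closing `end` lies after it.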
+++ b/lib/brakeman/checks/check_execute.rb
@@ -146,7 +146,7 @@ def dangerous? exp
 if node_type? e, :if
 # If we're in a conditional, evaluate the `then` and `else` clauses to
 # see if they're dangerous.
- if res = dangerous?(e.values[1..-1])
+ if res = dangerous?(e.sexp_body.sexp_body)
 return res
 end
 elsif node_type? e, :or, :evstr, :dstr
diff --git a/lib/brakeman/checks/check_regex_dos.rb b/lib/brakeman/checks/check_regex_dos.rb
index 046c0d330..29bb1da5d 100644
--- a/lib/brakeman/checks/check_regex_dos.rb
+++ b/lib/brakeman/checks/check_regex_dos.rb
@@ -29,7 +29,7 @@ def process_result result
 return unless original? result
 call = result[:call]
- components = call[1..-1]
+ components = call.sexp_body
 components.any? do |component|
 next unless sexp? component
diff --git a/lib/brakeman/processors/alias_processor.rb b/lib/brakeman/processors/alias_processor.rb
index f7681fbc0..681db2668 100644
--- a/lib/brakeman/processors/alias_processor.rb
+++ b/lib/brakeman/processors/alias_processor.rb
@@ -234,7 +234,7 @@ def process_call exp
 env[target_var] = target
 return target
 elsif string? target and string_interp? first_arg
- exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg[2..-1])
+ exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
 env[target_var] = exp
 elsif string? first_arg and string_interp? target
 if string? target.last
@@ -900,7 +900,7 @@ def collapse_send_call exp, first_arg
 args = exp.args
 exp.pop # remove last arg
 if args.length > 1
- exp.arglist = args[1..-1]
+ exp.arglist = args.sexp_body
 end
 end
diff --git a/lib/brakeman/processors/controller_processor.rb b/lib/brakeman/processors/controller_processor.rb
index b7dd46180..05964b79b 100644
--- a/lib/brakeman/processors/controller_processor.rb
+++ b/lib/brakeman/processors/controller_processor.rb
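Review bot: `e.sexp_body.sexp_body` drops the condition of the `:if` node by building two intermediate Sexps; `e.sexp_body(2)` says "everything after the condition" directly and matches the `sexp_body(2)` form this same commit uses in alias_processor.rb, so `if res = dangerous?(e.sexp_body(2))`. Either way, an `if` whose `then` or `else` branch is absent presumably carries `nil` in that slot, so the recursive call has to tolerate `nil` elements; I cannot confirm it does from here, since dangerous? begins before this hunk and continues after it. If the double slice stays, a comment such as `# s(:if, cond, then, else) -> check only the two branches` makes it self-explanatory.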
@@ -206,7 +206,7 @@ def add_fake_filter exp
 end
 if node_type? exp.block, :block
- block_inner = exp.block[1..-1]
+ block_inner = exp.block.sexp_body
 else
 block_inner = [exp.block]
 end
diff --git a/lib/brakeman/processors/output_processor.rb b/lib/brakeman/processors/output_processor.rb
index 84ac3de96..8499b1b4c 100644
--- a/lib/brakeman/processors/output_processor.rb
+++ b/lib/brakeman/processors/output_processor.rb
@@ -83,7 +83,7 @@ def process_defn exp
 def process_iter exp
 call = process exp[1]
- block = process_rlist exp[3..-1]
+ block = process_rlist exp.sexp_body(3)
 out = "#{call} do\n #{block}\n end"
 out
diff --git a/lib/brakeman/tracker/controller.rb b/lib/brakeman/tracker/controller.rb
index 699b19acd..5fee87900 100644
--- a/lib/brakeman/tracker/controller.rb
+++ b/lib/brakeman/tracker/controller.rb
@@ -125,7 +125,7 @@ def before_filter_to_hash processor, args
 value = args[-1][2]
 case value.node_type
 when :array
- filter[option] = value[1..-1].map {|v| v[1] }
+ filter[option] = value.sexp_body.map {|v| v[1] }
 when :lit, :str
 filter[option] = value[1]
 else
diff --git a/lib/brakeman/util.rb b/lib/brakeman/util.rb
index e2cc41950..cfee6f733 100644
--- a/lib/brakeman/util.rb
+++ b/lib/brakeman/util.rb
@@ -286,7 +286,7 @@ def contains_class? exp
 if node_type? current, :class
 return true
 elsif sexp? current
- todo = current[1..-1].concat todo
+ todo = current.sexp_body.concat todo
 end
 end
@@ -299,7 +299,7 @@ def make_call target, method, *args
 if args.empty? or args.first.empty?
 #nothing to do
 elsif node_type? args.first, :arglist
- call.concat args.first[1..-1]
+ call.concat args.first.sexp_body
 elsif args.first.node_type.is_a? Sexp #just a list of args
 call.concat args.first
 else
diff --git a/lib/ruby_parser/bm_sexp.rb b/lib/ruby_parser/bm_sexp.rb
index 7fab76ae8..efaefb1d2 100644
--- a/lib/ruby_parser/bm_sexp.rb
+++ b/lib/ruby_parser/bm_sexp.rb
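Review bot: After this change `block_inner` is a Sexp on the `:block` branch but a plain Array (`[exp.block]`) on the `else` branch, so whatever consumes it further down in add_fake_filter, outside this hunk, has to cope with both shapes; `block_inner = Sexp.new(exp.block)` in the else branch keeps a single type. The asymmetry predates the commit, so treat it as a tidy-up rather than a regression. A comment on the `if`, e.g. `# strip the :block wrapper so block_inner is always the list of statements`, would make the two shapes explicit.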
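Review bot: process_iter has no documentation and ends in the redundant `out = ...` / `out` pair; the string itself is the return value, so `"#{call} do\n #{block}\n end"` alone, preceded by a comment such as `# s(:iter, call, args, *body) -> "call do ... end"`, reads better. The `*body` part is only my reading of `exp.sexp_body(3)`; whether an :iter node here carries one body expression or several depends on the parser version and is not visible in this hunk. The method's closing `end` lies after the hunk.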
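Review bot: `value.sexp_body.map {|v| v[1] }` takes index 1 of every element of the `:array` node, which is right for `:lit`/`:str` elements (the `when :lit, :str` arm below does the same) but silently yields a call target or `nil` for anything else, such as a method call or constant inside the array. If non-literal elements can reach here, `value.sexp_body.map {|v| v[1] if node_type?(v, :lit, :str) }.compact` keeps the hash honest (assuming Brakeman::Util is mixed into this class); if they cannot, a comment `# array of :lit/:str filter names` records the assumption. before_filter_to_hash starts before this hunk and continues after it.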
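Review bot: `todo = current.sexp_body.concat todo` mutates whatever `sexp_body` returns, so it relies on `sexp_body` handing back a fresh Sexp rather than a view of `current`; that holds for the sexp_processor implementation as far as I know, but nothing here states it, and if Brakeman's own Sexp ever overrode `sexp_body` to share storage this would splice the worklist into the tree being scanned. A comment `# sexp_body returns a copy, so concat leaves the original node untouched` pins the assumption, or `todo = current.sexp_body + todo` avoids it at the cost of one allocation. contains_class? starts before this hunk and its loop continues after it.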
@@ -40,7 +40,7 @@ def deep_clone line = nil
 s.line(line)
 else
 s.original_line = self.original_line
- s.line(self.line)
+ s.line(self.line) if self.line
 end
 s
@@ -175,7 +175,7 @@ def arglist= exp
 start_index = 3
 if exp.is_a? Sexp and exp.node_type == :arglist
- exp = exp[1..-1]
+ exp = exp.sexp_body
 end
 exp.each_with_index do |e, i|
@@ -198,10 +198,10 @@ def arglist
 case self.node_type
 when :call, :attrasgn, :safe_call, :safe_attrasgn
- self[3..-1].unshift :arglist
+ self.sexp_body(3).unshift :arglist
 when :super, :zsuper
 if self[1]
- self[1..-1].unshift :arglist
+ self.sexp_body.unshift :arglist
 else
 Sexp.new(:arglist)
 end
@@ -218,13 +218,13 @@ def args
 case self.node_type
 when :call, :attrasgn, :safe_call, :safe_attrasgn
 if self[3]
- self[3..-1]
+ self.sexp_body(3)
 else
 Sexp.new
 end
 when :super, :zsuper
 if self[1]
- self[1..-1]
+ self.sexp_body
 else
 Sexp.new
 end
@@ -314,7 +314,7 @@ def call_chain
 chain = []
 call = self
- while call.class == Sexp and CALLS.include? call.first
+ while call.class == Sexp and CALLS.include? call.first
 chain << call.method
 call = call.target
 end
@@ -507,7 +507,7 @@ def body= exp
 self.slice!(index..-1) #Remove old body
 if exp.first == :rlist
- exp = exp[1..-1]
+ exp = exp.sexp_body
 end
 #Insert new body
From 817d3088767657be3f9eff7f30ee578e3907b1f1 Mon Sep 17 00:00:00 2001
From: Fish-Nullify
Date: Tue, 19 Mar 2024 15:23:43 +1100
Subject: [PATCH 3/3] added rexml latest
---
 gem_common.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gem_common.rb b/gem_common.rb
index aeb7a1d9a..d24adba57 100644
--- a/gem_common.rb
+++ b/gem_common.rb
@@ -18,7 +18,7 @@ def self.extended_dependencies spec
 spec.add_dependency "haml", ">=3.0", "<5.0"
 spec.add_dependency "sass", "~>3.0", "<3.5.0"
 spec.add_dependency "slim", ">=1.3.6", "<3.0.8"
- spec.add_dependency "rexml", "~>3.0"
+ spec.add_dependency "rexml", "~>3.2.6"
 end
 end
 end
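Review bot: The new guard `s.line(self.line) if self.line` is unexplained; as far as I recall, recent sexp_processor releases raise ArgumentError from `Sexp#line` when handed a non-Integer, so cloning a node that never received a line (nodes Brakeman synthesizes itself, such as the `Sexp.new(:dstr, ...)` built in alias_processor.rb in this same series) would blow up without it. Record that next to the guard, e.g. `# synthesized nodes may have no line; newer sexp_processor rejects line(nil)`, otherwise the next cleanup will "simplify" it away. The clone's line simply stays unset in that case, which matches what older versions did when given nil. deep_clone begins before this hunk.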
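Review bot: Nothing in bm_sexp.rb says why `self[3..-1]` became `self.sexp_body(3)` here and in arglist; the reason, as far as I can tell, is that since Ruby 3.0 `Array#[]` with a Range returns a plain Array for Array subclasses, so slicing a Sexp silently yielded an object without `node_type` and friends, which is presumably the "fixed parser" of the subject. A one-line comment at the top of args, `# use sexp_body, never [n..-1]: on Ruby 3 range-slicing a Sexp returns a bare Array`, would stop the old idiom from creeping back. Separately, if `sexp_body(3)` already yields an empty Sexp when nothing follows index 2, the `if self[3]` / `Sexp.new` arms (and the `if self[1]` pair for super) are redundant and `self.sexp_body(3)` / `self.sexp_body` alone would do; confirm that against the pinned sexp_processor before trimming them. args begins before this hunk and continues after it.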
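Review bot: `"~>3.2.6"` means `>= 3.2.6, < 3.3`, so this constraint will refuse every future rexml 3.3.x, including a release that carries a security fix, until the gemspec is bumped again; if the subject's "latest" is the intent, `spec.add_dependency "rexml", "~>3.2", ">=3.2.6"` expresses it, and the three-segment form is only right if staying on the 3.2 line is deliberate. A comment on the line naming which rexml behaviour or fix the 3.2.6 floor was chosen for would help whoever bumps it next, since nothing in the series says what rexml is needed for. The dependency lives only in extended_dependencies, so any lighter gem variant built from this file does not get it; worth confirming that is intended.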