Only convert Hash#values_at if all keys are known

Fixes #1635

Author: presidentbeef

lib/brakeman/processors/alias_processor.rb

@@ -324,7 +324,13 @@ def process_call exp
       end
     when :values_at
       if node_type? target, :hash
-        exp = hash_values_at target, exp.args
+        res = hash_values_at target, exp.args
+
+        # Only convert to array of values if _all_ keys
+        # are present in the hash.
+        unless res.any?(&:nil?)
+          exp = res
+        end
       end
     end
 

lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -89,6 +89,8 @@ def process_hash_access hash, index, original_exp = nil
       end
     end
 
+    # You must check the return value for `nil`s -
+    # which indicate a key could not be found.
     def hash_values_at hash, keys
       values = keys.map do |key|
         process_hash_access hash, key

test/tests/alias_processor.rb

@@ -273,6 +273,13 @@ def test_hash_values_at
   end
 
   def test_hash_values_at_missing
+    assert_alias '{ a: 1, b: 2, c: x }.values_at(:a, :b, :z)', <<-RUBY
+      h = { a: 1, b: 2, c: x }
+      h.values_at(:a, :b, :z)
+    RUBY
+  end
+
+  def test_hash_values_at_missing_safe
     assert_alias '[1, 2, :BRAKEMAN_SAFE_LITERAL]', <<-RUBY
       h = { a: 1, b: 2, c: 3 }
       h.values_at(:a, :b, :z)