RubyGems - brakeman-lib - Versions diffs - 3.3.1 - Mend

brakeman-lib 3.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (159) hide show

checksums.yaml +7 -0
data/CHANGES +872 -0
data/FEATURES +16 -0
data/README.md +169 -0
data/WARNING_TYPES +95 -0
data/bin/brakeman +89 -0
data/lib/brakeman.rb +495 -0
data/lib/brakeman/app_tree.rb +161 -0
data/lib/brakeman/brakeman.rake +17 -0
data/lib/brakeman/call_index.rb +219 -0
data/lib/brakeman/checks.rb +191 -0
data/lib/brakeman/checks/base_check.rb +518 -0
data/lib/brakeman/checks/check_basic_auth.rb +88 -0
data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +33 -0
data/lib/brakeman/checks/check_content_tag.rb +160 -0
data/lib/brakeman/checks/check_create_with.rb +75 -0
data/lib/brakeman/checks/check_cross_site_scripting.rb +385 -0
data/lib/brakeman/checks/check_default_routes.rb +86 -0
data/lib/brakeman/checks/check_deserialize.rb +57 -0
data/lib/brakeman/checks/check_detailed_exceptions.rb +55 -0
data/lib/brakeman/checks/check_digest_dos.rb +38 -0
data/lib/brakeman/checks/check_dynamic_finders.rb +49 -0
data/lib/brakeman/checks/check_escape_function.rb +21 -0
data/lib/brakeman/checks/check_evaluation.rb +36 -0
data/lib/brakeman/checks/check_execute.rb +167 -0
data/lib/brakeman/checks/check_file_access.rb +63 -0
data/lib/brakeman/checks/check_file_disclosure.rb +35 -0
data/lib/brakeman/checks/check_filter_skipping.rb +31 -0
data/lib/brakeman/checks/check_forgery_setting.rb +74 -0
data/lib/brakeman/checks/check_header_dos.rb +31 -0
data/lib/brakeman/checks/check_i18n_xss.rb +48 -0
data/lib/brakeman/checks/check_jruby_xml.rb +38 -0
data/lib/brakeman/checks/check_json_encoding.rb +47 -0
data/lib/brakeman/checks/check_json_parsing.rb +107 -0
data/lib/brakeman/checks/check_link_to.rb +132 -0
data/lib/brakeman/checks/check_link_to_href.rb +115 -0
data/lib/brakeman/checks/check_mail_to.rb +49 -0
data/lib/brakeman/checks/check_mass_assignment.rb +198 -0
data/lib/brakeman/checks/check_mime_type_dos.rb +39 -0
data/lib/brakeman/checks/check_model_attr_accessible.rb +55 -0
data/lib/brakeman/checks/check_model_attributes.rb +119 -0
data/lib/brakeman/checks/check_model_serialize.rb +67 -0
data/lib/brakeman/checks/check_nested_attributes.rb +38 -0
data/lib/brakeman/checks/check_nested_attributes_bypass.rb +58 -0
data/lib/brakeman/checks/check_number_to_currency.rb +74 -0
data/lib/brakeman/checks/check_quote_table_name.rb +40 -0
data/lib/brakeman/checks/check_redirect.rb +215 -0
data/lib/brakeman/checks/check_regex_dos.rb +69 -0
data/lib/brakeman/checks/check_render.rb +92 -0
data/lib/brakeman/checks/check_render_dos.rb +37 -0
data/lib/brakeman/checks/check_render_inline.rb +54 -0
data/lib/brakeman/checks/check_response_splitting.rb +21 -0
data/lib/brakeman/checks/check_route_dos.rb +42 -0
data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +31 -0
data/lib/brakeman/checks/check_sanitize_methods.rb +79 -0
data/lib/brakeman/checks/check_secrets.rb +40 -0
data/lib/brakeman/checks/check_select_tag.rb +60 -0
data/lib/brakeman/checks/check_select_vulnerability.rb +60 -0
data/lib/brakeman/checks/check_send.rb +48 -0
data/lib/brakeman/checks/check_send_file.rb +19 -0
data/lib/brakeman/checks/check_session_manipulation.rb +36 -0
data/lib/brakeman/checks/check_session_settings.rb +170 -0
data/lib/brakeman/checks/check_simple_format.rb +59 -0
data/lib/brakeman/checks/check_single_quotes.rb +101 -0
data/lib/brakeman/checks/check_skip_before_filter.rb +60 -0
data/lib/brakeman/checks/check_sql.rb +660 -0
data/lib/brakeman/checks/check_sql_cves.rb +101 -0
data/lib/brakeman/checks/check_ssl_verify.rb +49 -0
data/lib/brakeman/checks/check_strip_tags.rb +89 -0
data/lib/brakeman/checks/check_symbol_dos.rb +64 -0
data/lib/brakeman/checks/check_symbol_dos_cve.rb +30 -0
data/lib/brakeman/checks/check_translate_bug.rb +45 -0
data/lib/brakeman/checks/check_unsafe_reflection.rb +51 -0
data/lib/brakeman/checks/check_unscoped_find.rb +41 -0
data/lib/brakeman/checks/check_validation_regex.rb +116 -0
data/lib/brakeman/checks/check_weak_hash.rb +151 -0
data/lib/brakeman/checks/check_without_protection.rb +80 -0
data/lib/brakeman/checks/check_xml_dos.rb +51 -0
data/lib/brakeman/checks/check_yaml_parsing.rb +121 -0
data/lib/brakeman/differ.rb +66 -0
data/lib/brakeman/file_parser.rb +50 -0
data/lib/brakeman/format/style.css +133 -0
data/lib/brakeman/options.rb +301 -0
data/lib/brakeman/parsers/rails2_erubis.rb +6 -0
data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb +48 -0
data/lib/brakeman/parsers/rails3_erubis.rb +74 -0
data/lib/brakeman/parsers/template_parser.rb +89 -0
data/lib/brakeman/processor.rb +102 -0
data/lib/brakeman/processors/alias_processor.rb +1013 -0
data/lib/brakeman/processors/base_processor.rb +277 -0
data/lib/brakeman/processors/config_processor.rb +14 -0
data/lib/brakeman/processors/controller_alias_processor.rb +273 -0
data/lib/brakeman/processors/controller_processor.rb +326 -0
data/lib/brakeman/processors/erb_template_processor.rb +80 -0
data/lib/brakeman/processors/erubis_template_processor.rb +104 -0
data/lib/brakeman/processors/gem_processor.rb +57 -0
data/lib/brakeman/processors/haml_template_processor.rb +190 -0
data/lib/brakeman/processors/lib/basic_processor.rb +37 -0
data/lib/brakeman/processors/lib/find_all_calls.rb +223 -0
data/lib/brakeman/processors/lib/find_call.rb +183 -0
data/lib/brakeman/processors/lib/find_return_value.rb +134 -0
data/lib/brakeman/processors/lib/processor_helper.rb +75 -0
data/lib/brakeman/processors/lib/rails2_config_processor.rb +145 -0
data/lib/brakeman/processors/lib/rails2_route_processor.rb +313 -0
data/lib/brakeman/processors/lib/rails3_config_processor.rb +132 -0
data/lib/brakeman/processors/lib/rails3_route_processor.rb +308 -0
data/lib/brakeman/processors/lib/render_helper.rb +181 -0
data/lib/brakeman/processors/lib/render_path.rb +107 -0
data/lib/brakeman/processors/lib/route_helper.rb +68 -0
data/lib/brakeman/processors/lib/safe_call_helper.rb +16 -0
data/lib/brakeman/processors/library_processor.rb +119 -0
data/lib/brakeman/processors/model_processor.rb +191 -0
data/lib/brakeman/processors/output_processor.rb +171 -0
data/lib/brakeman/processors/route_processor.rb +17 -0
data/lib/brakeman/processors/slim_template_processor.rb +107 -0
data/lib/brakeman/processors/template_alias_processor.rb +116 -0
data/lib/brakeman/processors/template_processor.rb +74 -0
data/lib/brakeman/report.rb +78 -0
data/lib/brakeman/report/config/remediation.yml +71 -0
data/lib/brakeman/report/ignore/config.rb +135 -0
data/lib/brakeman/report/ignore/interactive.rb +311 -0
data/lib/brakeman/report/renderer.rb +24 -0
data/lib/brakeman/report/report_base.rb +286 -0
data/lib/brakeman/report/report_codeclimate.rb +70 -0
data/lib/brakeman/report/report_csv.rb +55 -0
data/lib/brakeman/report/report_hash.rb +23 -0
data/lib/brakeman/report/report_html.rb +216 -0
data/lib/brakeman/report/report_json.rb +42 -0
data/lib/brakeman/report/report_markdown.rb +156 -0
data/lib/brakeman/report/report_table.rb +107 -0
data/lib/brakeman/report/report_tabs.rb +17 -0
data/lib/brakeman/report/templates/controller_overview.html.erb +22 -0
data/lib/brakeman/report/templates/controller_warnings.html.erb +21 -0
data/lib/brakeman/report/templates/error_overview.html.erb +29 -0
data/lib/brakeman/report/templates/header.html.erb +58 -0
data/lib/brakeman/report/templates/ignored_warnings.html.erb +25 -0
data/lib/brakeman/report/templates/model_warnings.html.erb +21 -0
data/lib/brakeman/report/templates/overview.html.erb +38 -0
data/lib/brakeman/report/templates/security_warnings.html.erb +23 -0
data/lib/brakeman/report/templates/template_overview.html.erb +21 -0
data/lib/brakeman/report/templates/view_warnings.html.erb +34 -0
data/lib/brakeman/report/templates/warning_overview.html.erb +17 -0
data/lib/brakeman/rescanner.rb +483 -0
data/lib/brakeman/scanner.rb +317 -0
data/lib/brakeman/tracker.rb +347 -0
data/lib/brakeman/tracker/collection.rb +93 -0
data/lib/brakeman/tracker/config.rb +101 -0
data/lib/brakeman/tracker/constants.rb +101 -0
data/lib/brakeman/tracker/controller.rb +161 -0
data/lib/brakeman/tracker/library.rb +17 -0
data/lib/brakeman/tracker/model.rb +90 -0
data/lib/brakeman/tracker/template.rb +33 -0
data/lib/brakeman/util.rb +481 -0
data/lib/brakeman/version.rb +3 -0
data/lib/brakeman/warning.rb +255 -0
data/lib/brakeman/warning_codes.rb +111 -0
data/lib/ruby_parser/bm_sexp.rb +610 -0
data/lib/ruby_parser/bm_sexp_processor.rb +116 -0
metadata +362 -0

data/lib/brakeman/parsers/rails2_erubis.rb ADDED

@@ -0,0 +1,6 @@
+Brakeman.load_brakeman_dependency 'erubis'
+#Erubis processor which ignores any output which is plain text.
+class Brakeman::ScannerErubis < Erubis::Eruby
+  include Erubis::NoTextEnhancer
+end

data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb ADDED

@@ -0,0 +1,48 @@
+Brakeman.load_brakeman_dependency 'erubis'
+#This is from the rails_xss plugin for Rails 2
+class Brakeman::Rails2XSSPluginErubis < ::Erubis::Eruby
+  def add_preamble(src)
+    #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
+  end
+  #This is different from rails_xss - fixes some line number issues
+  def add_text(src, text)
+    if text == "\n"
+      src << "\n"
+    elsif text.include? "\n"
+      lines = text.split("\n")
+      if text.match(/\n\z/)
+        lines.each do |line|
+          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
+        end
+      else
+        lines[0..-2].each do |line|
+          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
+        end
+        src << "@output_buffer.safe_concat('" << escape_text(lines.last) << "');"
+      end
+    else
+      src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
+    end
+  end
+  BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
+  def add_expr_literal(src, code)
+    if code =~ BLOCK_EXPR
+      src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
+    else
+      src << '@output_buffer << ((' << code << ').to_s);'
+    end
+  end
+  def add_expr_escaped(src, code)
+    src << '@output_buffer << ' << escaped_expr(code) << ';'
+  end
+  def add_postamble(src)
+    #src << '@output_buffer.to_s'
+  end
+end

data/lib/brakeman/parsers/rails3_erubis.rb ADDED

@@ -0,0 +1,74 @@
+Brakeman.load_brakeman_dependency 'erubis'
+# This is from Rails 5 version of the Erubis handler
+# https://github.com/rails/rails/blob/ec608107801b1e505db03ba76bae4a326a5804ca/actionview/lib/action_view/template/handlers/erb.rb#L7-L73
+class Brakeman::Rails3Erubis < ::Erubis::Eruby
+  def add_preamble(src)
+    @newline_pending = 0
+    src << "@output_buffer = output_buffer || ActionView::OutputBuffer.new;"
+  end
+  def add_text(src, text)
+    return if text.empty?
+    if text == "\n"
+      @newline_pending += 1
+    else
+      src << "@output_buffer.safe_append='"
+      src << "\n" * @newline_pending if @newline_pending > 0
+      src << escape_text(text)
+      src << "'.freeze;"
+      @newline_pending = 0
+    end
+  end
+  # Erubis toggles <%= and <%== behavior when escaping is enabled.
+  # We override to always treat <%== as escaped.
+  def add_expr(src, code, indicator)
+    case indicator
+    when '=='
+      add_expr_escaped(src, code)
+    else
+      super
+    end
+  end
+  BLOCK_EXPR = /\s*((\s+|\))do|\{)(\s*\|[^|]*\|)?\s*\Z/
+  def add_expr_literal(src, code)
+    flush_newline_if_pending(src)
+    if code =~ BLOCK_EXPR
+      src << '@output_buffer.append= ' << code
+    else
+      src << '@output_buffer.append=(' << code << ');'
+    end
+  end
+  def add_expr_escaped(src, code)
+    flush_newline_if_pending(src)
+    if code =~ BLOCK_EXPR
+      src << "@output_buffer.safe_expr_append= " << code
+    else
+      src << "@output_buffer.safe_expr_append=(" << code << ");"
+    end
+  end
+  def add_stmt(src, code)
+    flush_newline_if_pending(src)
+    super
+  end
+  def add_postamble(src)
+    flush_newline_if_pending(src)
+    src << '@output_buffer.to_s'
+  end
+  def flush_newline_if_pending(src)
+    if @newline_pending > 0
+      src << "@output_buffer.safe_append='#{"\n" * @newline_pending}'.freeze;"
+      @newline_pending = 0
+    end
+  end
+end

data/lib/brakeman/parsers/template_parser.rb ADDED

@@ -0,0 +1,89 @@
+module Brakeman
+  class TemplateParser
+    include Brakeman::Util
+    attr_reader :tracker
+    KNOWN_TEMPLATE_EXTENSIONS = /.*\.(erb|haml|rhtml|slim)$/
+    TemplateFile = Struct.new(:path, :ast, :name, :type)
+    def initialize tracker, file_parser
+      @tracker = tracker
+      @file_parser = file_parser
+      @file_parser.file_list[:templates] ||= []
+    end
+    def parse_template path, text
+      type = path.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
+      type = :erb if type == :rhtml
+      name = template_path_to_name path
+      Brakeman.debug "Parsing #{path}"
+      begin
+        src = case type
+              when :erb
+                type = :erubis if erubis?
+                parse_erb text
+              when :haml
+                parse_haml text
+              when :slim
+                parse_slim text
+              else
+                tracker.error "Unknown template type in #{path}"
+                nil
+              end
+        if src and ast = @file_parser.parse_ruby(src, path)
+          @file_parser.file_list[:templates] << TemplateFile.new(path, ast, name, type)
+        end
+      rescue Racc::ParseError => e
+        tracker.error e, "could not parse #{path}"
+      rescue Haml::Error => e
+        tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
+      rescue StandardError, LoadError => e
+        tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
+      end
+      nil
+    end
+    def parse_erb text
+      if tracker.config.escape_html?
+        if tracker.options[:rails3]
+          require 'brakeman/parsers/rails3_erubis'
+          Brakeman::Rails3Erubis.new(text).src
+        else
+          require 'brakeman/parsers/rails2_xss_plugin_erubis'
+          Brakeman::Rails2XSSPluginErubis.new(text).src
+        end
+      elsif tracker.config.erubis?
+        require 'brakeman/parsers/rails2_erubis'
+        Brakeman::ScannerErubis.new(text).src
+      else
+        require 'erb'
+        src = ERB.new(text, nil, "-").src
+        src.sub!(/^#.*\n/, '') if Brakeman::Scanner::RUBY_1_9
+        src
+      end
+    end
+    def erubis?
+      tracker.config.escape_html? or
+        tracker.config.erubis?
+    end
+    def parse_haml text
+      Brakeman.load_brakeman_dependency 'haml'
+      Brakeman.load_brakeman_dependency 'sass'
+      Haml::Engine.new(text,
+                       :escape_html => tracker.config.escape_html?).precompiled.gsub(/([^\\])\\n/, '\1')
+    end
+    def parse_slim text
+      Brakeman.load_brakeman_dependency 'slim'
+      Slim::Template.new(:disable_capture => true,
+                         :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
+    end
+  end
+end

data/lib/brakeman/processor.rb ADDED

@@ -0,0 +1,102 @@
+#Load all files in processors/
+Dir.glob("#{File.expand_path(File.dirname(__FILE__))}/processors/*.rb").each { |f| require f.match(/brakeman\/processors.*/)[0] }
+require 'brakeman/tracker'
+require 'set'
+require 'pathname'
+module Brakeman
+  #Makes calls to the appropriate processor.
+  #
+  #The ControllerProcessor, TemplateProcessor, and ModelProcessor will
+  #update the Tracker with information about what is parsed.
+  class Processor
+    include Util
+    def initialize(app_tree, options)
+      @app_tree = app_tree
+      @tracker = Tracker.new(@app_tree, self, options)
+    end
+    def tracked_events
+      @tracker
+    end
+    #Process configuration file source
+    def process_config src, file_name
+      ConfigProcessor.new(@tracker).process_config src, file_name
+    end
+    #Process Gemfile
+    def process_gems gem_files
+      GemProcessor.new(@tracker).process_gems gem_files
+    end
+    #Process route file source
+    def process_routes src
+      RoutesProcessor.new(@tracker).process_routes src
+    end
+    #Process controller source. +file_name+ is used for reporting
+    def process_controller src, file_name
+      if contains_class? src
+        ControllerProcessor.new(@app_tree, @tracker).process_controller src, file_name
+      else
+        LibraryProcessor.new(@tracker).process_library src, file_name
+      end
+    end
+    #Process variable aliasing in controller source and save it in the
+    #tracker.
+    def process_controller_alias name, src, only_method = nil, file = nil
+      ControllerAliasProcessor.new(@app_tree, @tracker, only_method).process_controller name, src, file
+    end
+    #Process a model source
+    def process_model src, file_name
+      result = ModelProcessor.new(@tracker).process_model src, file_name
+      AliasProcessor.new(@tracker).process_all result if result
+    end
+    #Process either an ERB or HAML template
+    def process_template name, src, type, called_from = nil, file_name = nil
+      case type
+      when :erb
+        result = ErbTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :haml
+        result = HamlTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :erubis
+        result = ErubisTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :slim
+        result = SlimTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      else
+        abort "Unknown template type: #{type} (#{name})"
+      end
+      #Each template which is rendered is stored separately
+      #with a new name.
+      if called_from
+        name = ("#{name}.#{called_from}").to_sym
+      end
+      @tracker.templates[name].src = result
+      @tracker.templates[name].type = type
+    end
+    #Process any calls to render() within a template
+    def process_template_alias template
+      TemplateAliasProcessor.new(@tracker, template).process_safely template.src
+    end
+    #Process source for initializing files
+    def process_initializer file_name, src
+      res = BaseProcessor.new(@tracker).process_file src, file_name
+      res = AliasProcessor.new(@tracker).process_safely res, nil, file_name
+      @tracker.initializers[Pathname.new(file_name).basename.to_s] = res
+    end
+    #Process source for a library file
+    def process_lib src, file_name
+      LibraryProcessor.new(@tracker).process_library src, file_name
+    end
+  end
+end

data/lib/brakeman/processors/alias_processor.rb ADDED

@@ -0,0 +1,1013 @@
+require 'brakeman/util'
+require 'ruby_parser/bm_sexp_processor'
+require 'brakeman/processors/lib/processor_helper'
+require 'brakeman/processors/lib/safe_call_helper'
+#Returns an s-expression with aliases replaced with their value.
+#This does not preserve semantics (due to side effects, etc.), but it makes
+#processing easier when searching for various things.
+class Brakeman::AliasProcessor < Brakeman::SexpProcessor
+  include Brakeman::ProcessorHelper
+  include Brakeman::SafeCallHelper
+  include Brakeman::Util
+  attr_reader :result, :tracker
+  #Returns a new AliasProcessor with an empty environment.
+  #
+  #The recommended usage is:
+  #
+  # AliasProcessor.new.process_safely src
+  def initialize tracker = nil, file_name = nil
+    super()
+    @env = SexpProcessor::Environment.new
+    @inside_if = false
+    @ignore_ifs = nil
+    @exp_context = []
+    @current_module = nil
+    @tracker = tracker #set in subclass as necessary
+    @helper_method_cache = {}
+    @helper_method_info = Hash.new({})
+    @or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
+    @meth_env = nil
+    @file_name = file_name
+    set_env_defaults
+  end
+  #This method processes the given Sexp, but copies it first so
+  #the original argument will not be modified.
+  #
+  #_set_env_ should be an instance of SexpProcessor::Environment. If provided,
+  #it will be used as the starting environment.
+  #
+  #This method returns a new Sexp with variables replaced with their values,
+  #where possible.
+  def process_safely src, set_env = nil, file_name = nil
+    @file_name = file_name
+    @env = set_env || SexpProcessor::Environment.new
+    @result = src.deep_clone
+    process @result
+    @result
+  end
+  #Process a Sexp. If the Sexp has a value associated with it in the
+  #environment, that value will be returned.
+  def process_default exp
+    @exp_context.push exp
+    begin
+      exp.map! do |e|
+        if sexp? e and not e.empty?
+          process e
+        else
+          e
+        end
+      end
+    rescue => err
+      @tracker.error err if @tracker
+    end
+    result = replace(exp)
+    @exp_context.pop
+    result
+  end
+  def replace exp, int = 0
+    return exp if int > 3
+    if replacement = env[exp] and not duplicate? replacement
+      replace(replacement.deep_clone(exp.line), int + 1)
+    elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
+      replace(replacement.deep_clone(exp.line), int + 1)
+    else
+      exp
+    end
+  end
+  ARRAY_CONST = s(:const, :Array)
+  HASH_CONST = s(:const, :Hash)
+  RAILS_TEST = s(:call, s(:call, s(:const, :Rails), :env), :test?)
+  #Process a method call.
+  def process_call exp
+    return exp if process_call_defn? exp
+    target_var = exp.target
+    target_var &&= target_var.deep_clone
+    if exp.node_type == :safe_call
+      exp.node_type = :call
+    end
+    exp = process_default exp
+    #In case it is replaced with something else
+    unless call? exp
+      return exp
+    end
+    target = exp.target
+    method = exp.method
+    first_arg = exp.first_arg
+    if method == :send or method == :try
+      collapse_send_call exp, first_arg
+    end
+    if node_type? target, :or and [:+, :-, :*, :/].include? method
+      res = process_or_simple_operation(exp)
+      return res if res
+    elsif target == ARRAY_CONST and method == :new
+      return Sexp.new(:array, *exp.args)
+    elsif target == HASH_CONST and method == :new and first_arg.nil? and !node_type?(@exp_context.last, :iter)
+      return Sexp.new(:hash)
+    elsif exp == RAILS_TEST
+      return Sexp.new(:false)
+    end
+    #See if it is possible to simplify some basic cases
+    #of addition/concatenation.
+    case method
+    when :+
+      if array? target and array? first_arg
+        joined = join_arrays target, first_arg
+        joined.line(exp.line)
+        exp = joined
+      elsif string? first_arg
+        if string? target # "blah" + "blah"
+          joined = join_strings target, first_arg
+          joined.line(exp.line)
+          exp = joined
+        elsif call? target and target.method == :+ and string? target.first_arg
+          joined = join_strings target.first_arg, first_arg
+          joined.line(exp.line)
+          target.first_arg = joined
+          exp = target
+        end
+      elsif number? first_arg
+        if number? target
+          exp = Sexp.new(:lit, target.value + first_arg.value)
+        elsif call? target and target.method == :+ and number? target.first_arg
+          target.first_arg = Sexp.new(:lit, target.first_arg.value + first_arg.value)
+          exp = target
+        end
+      end
+    when :-
+      if number? target and number? first_arg
+        exp = Sexp.new(:lit, target.value - first_arg.value)
+      end
+    when :*
+      if number? target and number? first_arg
+        exp = Sexp.new(:lit, target.value * first_arg.value)
+      end
+    when :/
+      if number? target and number? first_arg
+        if first_arg.value == 0 and not target.value.is_a? Float
+          if @tracker
+            location = [@current_class, @current_method, "line #{first_arg.line}"].compact.join(' ')
+            require 'brakeman/processors/output_processor'
+            code = Brakeman::OutputProcessor.new.format(exp)
+            @tracker.error Exception.new("Potential divide by zero: #{code} (#{location})")
+          end
+        else
+          exp = Sexp.new(:lit, target.value / first_arg.value)
+        end
+      end
+    when :[]
+      if array? target
+        temp_exp = process_array_access target, exp.args
+        exp = temp_exp if temp_exp
+      elsif hash? target
+        temp_exp = process_hash_access target, first_arg
+        exp = temp_exp if temp_exp
+      end
+    when :merge!, :update
+      if hash? target and hash? first_arg
+         target = process_hash_merge! target, first_arg
+         env[target_var] = target
+         return target
+      end
+    when :merge
+      if hash? target and hash? first_arg
+        return process_hash_merge(target, first_arg)
+      end
+    when :<<
+      if string? target and string? first_arg
+        target.value << first_arg.value
+        env[target_var] = target
+        return target
+      elsif string? target and string_interp? first_arg
+        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg[2..-1])
+        env[target_var] = exp
+      elsif string? first_arg and string_interp? target
+        if string? target.last
+          target.last.value << first_arg.value
+        elsif target.last.is_a? String
+          target.last << first_arg.value
+        else
+          target << first_arg
+        end
+        env[target_var] = target
+        return first_arg
+      elsif array? target
+        target << first_arg
+        env[target_var] = target
+        return target
+      else
+        target = find_push_target(target_var)
+        env[target] = exp unless target.nil? # Happens in TemplateAliasProcessor
+      end
+    when :first
+      if array? target and first_arg.nil? and sexp? target[1]
+        exp = target[1]
+      end
+    end
+    exp
+  end
+  def process_iter exp
+    @exp_context.push exp
+    exp[1] = process exp.block_call
+    if array_detect_all_literals? exp[1]
+      return exp.block_call.target[1]
+    end
+    @exp_context.pop
+    env.scope do
+      exp.block_args.each do |e|
+        #Force block arg(s) to be local
+        if node_type? e, :lasgn
+          env.current[Sexp.new(:lvar, e.lhs)] = Sexp.new(:lvar, e.lhs)
+        elsif node_type? e, :kwarg
+          env.current[Sexp.new(:lvar, e[1])] = e[2]
+        elsif node_type? e, :masgn, :shadow
+          e[1..-1].each do |var|
+            local = Sexp.new(:lvar, var)
+            env.current[local] = local
+          end
+        elsif e.is_a? Symbol
+          local = Sexp.new(:lvar, e)
+          env.current[local] = local
+        else
+          raise "Unexpected value in block args: #{e.inspect}"
+        end
+      end
+      block = exp.block
+      if block? block
+        process_all! block
+      else
+        exp[3] = process block
+      end
+    end
+    exp
+  end
+  #Process a new scope.
+  def process_scope exp
+    env.scope do
+      process exp.block
+    end
+    exp
+  end
+  #Start new scope for block.
+  def process_block exp
+    env.scope do
+      process_default exp
+    end
+  end
+  #Process a method definition.
+  def process_defn exp
+    meth_env do
+      exp.body = process_all! exp.body
+    end
+    exp
+  end
+  def meth_env
+    begin
+      env.scope do
+        set_env_defaults
+        @meth_env = env.current
+        yield
+      end
+    ensure
+      @meth_env = nil
+    end
+  end
+  #Process a method definition on self.
+  def process_defs exp
+    env.scope do
+      set_env_defaults
+      exp.body = process_all! exp.body
+    end
+    exp
+  end
+  # Handles x = y = z = 1
+  def get_rhs exp
+    if node_type? exp, :lasgn, :iasgn, :gasgn, :attrasgn, :safe_attrasgn, :cvdecl, :cdecl
+      get_rhs(exp.rhs)
+    else
+      exp
+    end
+  end
+  #Local assignment
+  # x = 1
+  def process_lasgn exp
+    self_assign = self_assign?(exp.lhs, exp.rhs)
+    exp.rhs = process exp.rhs if sexp? exp.rhs
+    return exp if exp.rhs.nil?
+    local = Sexp.new(:lvar, exp.lhs).line(exp.line || -2)
+    if self_assign
+      # Skip branching
+      env[local] = get_rhs(exp)
+    else
+      set_value local, get_rhs(exp)
+    end
+    exp
+  end
+  #Instance variable assignment
+  # @x = 1
+  def process_iasgn exp
+    self_assign = self_assign?(exp.lhs, exp.rhs)
+    exp.rhs = process exp.rhs
+    ivar = Sexp.new(:ivar, exp.lhs).line(exp.line)
+    if self_assign
+      if env[ivar].nil? and @meth_env
+        @meth_env[ivar] = get_rhs(exp)
+      else
+        env[ivar] = get_rhs(exp)
+      end
+    else
+      set_value ivar, get_rhs(exp)
+    end
+    exp
+  end
+  #Global assignment
+  # $x = 1
+  def process_gasgn exp
+    match = Sexp.new(:gvar, exp.lhs)
+    exp.rhs = process(exp.rhs)
+    value = get_rhs(exp)
+    value.line = exp.line
+    set_value match, value
+    exp
+  end
+  #Class variable assignment
+  # @@x = 1
+  def process_cvdecl exp
+    match = Sexp.new(:cvar, exp.lhs)
+    exp.rhs = process(exp.rhs)
+    value = get_rhs(exp)
+    set_value match, value
+    exp
+  end
+  #'Attribute' assignment
+  # x.y = 1
+  #or
+  # x[:y] = 1
+  def process_attrasgn exp
+    tar_variable = exp.target
+    target = exp.target = process(exp.target)
+    method = exp.method
+    index_arg = exp.first_arg
+    value_arg = exp.second_arg
+    if method == :[]=
+      index = exp.first_arg = process(index_arg)
+      value = exp.second_arg = process(value_arg)
+      match = Sexp.new(:call, target, :[], index)
+      set_value match, value
+      if hash? target
+        env[tar_variable] = hash_insert target.deep_clone, index, value
+      end
+    elsif method.to_s[-1,1] == "="
+      exp.first_arg = process(index_arg)
+      value = get_rhs(exp)
+      #This is what we'll replace with the value
+      match = Sexp.new(:call, target, method.to_s[0..-2].to_sym)
+      set_value match, value
+    else
+      raise "Unrecognized assignment: #{exp}"
+    end
+    exp
+  end
+  # Multiple/parallel assignment:
+  #
+  # x, y = z, w
+  def process_masgn exp
+    unless array? exp[1] and array? exp[2] and exp[1].length == exp[2].length
+      return process_default(exp)
+    end
+    vars = exp[1].dup
+    vals = exp[2].dup
+    vars.shift
+    vals.shift
+    # Call each assignment as if it is normal
+    vars.each_with_index do |var, i|
+      val = vals[i]
+      if val
+        assign = var.dup
+        assign.rhs = val
+        process assign
+      end
+    end
+    exp
+  end
+  #Merge values into hash when processing
+  #
+  # h.merge! :something => "value"
+  def process_hash_merge! hash, args
+    hash = hash.deep_clone
+    hash_iterate args do |key, replacement|
+      hash_insert hash, key, replacement
+      match = Sexp.new(:call, hash, :[], key)
+      env[match] = replacement
+    end
+    hash
+  end
+  #Return a new hash Sexp with the given values merged into it.
+  #
+  #+args+ should be a hash Sexp as well.
+  def process_hash_merge hash, args
+    hash = hash.deep_clone
+    hash_iterate args do |key, replacement|
+      hash_insert hash, key, replacement
+    end
+    hash
+  end
+  #Assignments like this
+  # x[:y] ||= 1
+  def process_op_asgn1 exp
+    return process_default(exp) if exp[3] != :"||"
+    target = exp[1] = process(exp[1])
+    index = exp[2][1] = process(exp[2][1])
+    value = exp[4] = process(exp[4])
+    match = Sexp.new(:call, target, :[], index)
+    unless env[match]
+      if request_value? target
+        env[match] = match.combine(value)
+      else
+        env[match] = value
+      end
+    end
+    exp
+  end
+  #Assignments like this
+  # x.y ||= 1
+  def process_op_asgn2 exp
+    return process_default(exp) if exp[3] != :"||"
+    target = exp[1] = process(exp[1])
+    value = exp[4] = process(exp[4])
+    method = exp[2]
+    match = Sexp.new(:call, target, method.to_s[0..-2].to_sym)
+    unless env[match]
+      env[match] = value
+    end
+    exp
+  end
+  #This is the right hand side value of a multiple assignment,
+  #like `x = y, z`
+  def process_svalue exp
+    exp.value
+  end
+  #Constant assignments like
+  # BIG_CONSTANT = 234810983
+  def process_cdecl exp
+    if sexp? exp.rhs
+      exp.rhs = process exp.rhs
+    end
+    file = case
+           when @file_name
+             @file_name
+           when @current_class.is_a?(Brakeman::Collection)
+             @current_class.file
+           when @current_module.is_a?(Brakeman::Collection)
+             @current_module.file
+           else
+             nil
+           end
+    @tracker.add_constant exp.lhs, exp.rhs, :file => file if @tracker
+    if exp.lhs.is_a? Symbol
+      match = Sexp.new(:const, exp.lhs)
+    else
+      match = exp.lhs
+    end
+    env[match] = get_rhs(exp)
+    exp
+  end
+  # Check if exp is a call to Array#include? on an array literal
+  # that contains all literal values. For example:
+  #
+  #    [1, 2, "a"].include? x
+  #
+  def array_include_all_literals? exp
+    call? exp and
+    exp.method == :include? and
+    node_type? exp.target, :array and
+    exp.target.length > 1 and
+    exp.target.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+  end
+  def array_detect_all_literals? exp
+    call? exp and
+    [:detect, :find].include? exp.method and
+    node_type? exp.target, :array and
+    exp.target.length > 1 and
+    exp.first_arg.nil? and
+    exp.target.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+  end
+  #Sets @inside_if = true
+  def process_if exp
+    if @ignore_ifs.nil?
+      @ignore_ifs = @tracker && @tracker.options[:ignore_ifs]
+    end
+    condition = exp.condition = process exp.condition
+    #Check if a branch is obviously going to be taken
+    if true? condition
+      no_branch = true
+      exps = [exp.then_clause, nil]
+    elsif false? condition
+      no_branch = true
+      exps = [nil, exp.else_clause]
+    else
+      no_branch = false
+      exps = [exp.then_clause, exp.else_clause]
+    end
+    if @ignore_ifs or no_branch
+      exps.each_with_index do |branch, i|
+        exp[2 + i] = process_if_branch branch
+      end
+    else
+      was_inside = @inside_if
+      @inside_if = true
+      branch_scopes = []
+      exps.each_with_index do |branch, i|
+        scope do
+          @branch_env = env.current
+          branch_index = 2 + i # s(:if, condition, then_branch, else_branch)
+          if i == 0 and array_include_all_literals? condition
+            # If the condition is ["a", "b"].include? x
+            # set x to "a" inside the true branch
+            var = condition.first_arg
+            previous_value = env.current[var]
+            env.current[var] = condition.target[1]
+            exp[branch_index] = process_if_branch branch
+            env.current[var] = previous_value
+          else
+            exp[branch_index] = process_if_branch branch
+          end
+          branch_scopes << env.current
+          @branch_env = nil
+        end
+      end
+      @inside_if = was_inside
+      branch_scopes.each do |s|
+        merge_if_branch s
+      end
+    end
+    exp
+  end
+  def process_if_branch exp
+    if sexp? exp
+      if block? exp
+        process_default exp
+      else
+        process exp
+      end
+    end
+  end
+  def merge_if_branch branch_env
+    branch_env.each do |k, v|
+      next if v.nil?
+      current_val = env[k]
+      if current_val
+        unless same_value?(current_val, v)
+          if too_deep? current_val
+            # Give up branching, start over with latest value
+            env[k] = v
+          else
+            env[k] = current_val.combine(v, k.line)
+          end
+        end
+      else
+        env[k] = v
+      end
+    end
+  end
+  def too_deep? exp
+    @or_depth_limit >= 0 and
+    node_type? exp, :or and
+    exp.or_depth and
+    exp.or_depth >= @or_depth_limit
+  end
+  #Process single integer access to an array.
+  #
+  #Returns the value inside the array, if possible.
+  def process_array_access target, args
+    if args.length == 1 and integer? args.first
+      index = args.first.value
+      #Have to do this because first element is :array and we have to skip it
+      target[1..-1][index]
+    else
+      nil
+    end
+  end
+  #Process hash access by returning the value associated
+  #with the given argument.
+  def process_hash_access target, index
+    hash_access(target, index)
+  end
+  #Join two array literals into one.
+  def join_arrays array1, array2
+    result = Sexp.new(:array)
+    result.concat array1[1..-1]
+    result.concat array2[1..-1]
+  end
+  #Join two string literals into one.
+  def join_strings string1, string2
+    result = Sexp.new(:str)
+    result.value = string1.value + string2.value
+    if result.value.length > 50
+      string1
+    else
+      result
+    end
+  end
+  # Change x.send(:y, 1) to x.y(1)
+  def collapse_send_call exp, first_arg
+    # Handle try(&:id)
+    if node_type? first_arg, :block_pass
+      first_arg = first_arg[1]
+    end
+    return unless symbol? first_arg or string? first_arg
+    exp.method = first_arg.value.to_sym
+    args = exp.args
+    exp.pop # remove last arg
+    if args.length > 1
+      exp.arglist = args[1..-1]
+    end
+  end
+  #Returns a new SexpProcessor::Environment containing only instance variables.
+  #This is useful, for example, when processing views.
+  def only_ivars include_request_vars = false, lenv = nil
+    lenv ||= env
+    res = SexpProcessor::Environment.new
+    if include_request_vars
+      lenv.all.each do |k, v|
+        #TODO Why would this have nil values?
+        if (k.node_type == :ivar or request_value? k) and not v.nil?
+          res[k] = v.dup
+        end
+      end
+    else
+      lenv.all.each do |k, v|
+        #TODO Why would this have nil values?
+        if k.node_type == :ivar and not v.nil?
+          res[k] = v.dup
+        end
+      end
+    end
+    res
+  end
+  def only_request_vars
+    res = SexpProcessor::Environment.new
+    env.all.each do |k, v|
+      if request_value? k and not v.nil?
+        res[k] = v.dup
+      end
+    end
+    res
+  end
+  def get_call_value call
+    method_name = call.method
+    #Look for helper methods and see if we can get a return value
+    if found_method = find_method(method_name, @current_class)
+      helper = found_method[:method]
+      if sexp? helper
+        value = process_helper_method helper, call.args
+        value.line(call.line)
+        return value
+      else
+        raise "Unexpected value for method: #{found_method}"
+      end
+    else
+      call
+    end
+  end
+  def process_helper_method method_exp, args
+    method_name = method_exp.method_name
+    Brakeman.debug "Processing method #{method_name}"
+    info = @helper_method_info[method_name]
+    #If method uses instance variables, then include those and request
+    #variables (params, etc) in the method environment. Otherwise,
+    #only include request variables.
+    if info[:uses_ivars]
+      meth_env = only_ivars(:include_request_vars)
+    else
+      meth_env = only_request_vars
+    end
+    #Add arguments to method environment
+    assign_args method_exp, args, meth_env
+    #Find return values if method does not depend on environment/args
+    values = @helper_method_cache[method_name]
+    unless values
+      #Serialize environment for cache key
+      meth_values = meth_env.instance_variable_get(:@env).to_a
+      meth_values.sort!
+      meth_values = meth_values.to_s
+      digest = Digest::SHA1.new.update(meth_values << method_name.to_s).to_s.to_sym
+      values = @helper_method_cache[digest]
+    end
+    if values
+      #Use values from cache
+      values[:ivar_values].each do |var, val|
+        env[var] = val
+      end
+      values[:return_value]
+    else
+      #Find return value for method
+      frv = Brakeman::FindReturnValue.new
+      value = frv.get_return_value(method_exp.body_list, meth_env)
+      ivars = {}
+      only_ivars(false, meth_env).all.each do |var, val|
+        env[var] = val
+        ivars[var] = val
+      end
+      if not frv.uses_ivars? and args.length == 0
+        #Store return value without ivars and args if they are not used
+        @helper_method_cache[method_exp.method_name] = { :return_value => value, :ivar_values => ivars }
+      else
+        @helper_method_cache[digest] = { :return_value => value, :ivar_values => ivars }
+      end
+      #Store information about method, just ivar usage for now
+      @helper_method_info[method_name] = { :uses_ivars => frv.uses_ivars? }
+      value
+    end
+  end
+  def assign_args method_exp, args, meth_env = SexpProcessor::Environment.new
+    formal_args = method_exp.formal_args
+    formal_args.each_with_index do |arg, index|
+      next if index == 0
+      if arg.is_a? Symbol and sexp? args[index - 1]
+        meth_env[Sexp.new(:lvar, arg)] = args[index - 1]
+      end
+    end
+    meth_env
+  end
+  #Finds the inner most call target which is not the target of a call to <<
+  def find_push_target exp
+    if call? exp and exp.method == :<<
+      find_push_target exp.target
+    else
+      exp
+    end
+  end
+  def duplicate? exp
+    @exp_context[0..-2].reverse_each do |e|
+      return true if exp == e
+    end
+    false
+  end
+  def find_method *args
+    nil
+  end
+  #Return true if lhs == rhs or lhs is an or expression and
+  #rhs is one of its values
+  def same_value? lhs, rhs
+    if lhs == rhs
+      true
+    elsif node_type? lhs, :or
+      lhs.rhs == rhs or lhs.lhs == rhs
+    else
+      false
+    end
+  end
+  def self_assign? var, value
+    self_assign_var?(var, value) or self_assign_target?(var, value)
+  end
+  #Return true if for x += blah or @x += blah
+  def self_assign_var? var, value
+    call? value and
+    value.method == :+ and
+    node_type? value.target, :lvar, :ivar and
+    value.target.value == var
+  end
+  #Return true for x = x.blah
+  def self_assign_target? var, value
+    target = top_target(value)
+    if node_type? target, :lvar, :ivar
+      target = target.value
+    end
+    var == target
+  end
+  #Returns last non-nil target in a call chain
+  def top_target exp, last = nil
+    if call? exp
+      top_target exp.target, exp
+    elsif node_type? exp, :iter
+      top_target exp.block_call, last
+    else
+      exp || last
+    end
+  end
+  def value_from_if exp
+    if block? exp.else_clause or block? exp.then_clause
+      #If either clause is more than a single expression, just use entire
+      #if expression for now
+      exp
+    elsif exp.else_clause.nil?
+      exp.then_clause
+    elsif exp.then_clause.nil?
+      exp.else_clause
+    else
+      condition = exp.condition
+      if true? condition
+        exp.then_clause
+      elsif false? condition
+        exp.else_clause
+      else
+        exp.then_clause.combine(exp.else_clause, exp.line)
+      end
+    end
+  end
+  #Set variable to given value.
+  #Creates "branched" versions of values when appropriate.
+  #Avoids creating multiple branched versions inside same
+  #if branch.
+  def set_value var, value
+    if node_type? value, :if
+      value = value_from_if(value)
+    end
+    if @ignore_ifs or not @inside_if
+      if @meth_env and node_type? var, :ivar and env[var].nil?
+        @meth_env[var] = value
+      else
+        env[var] = value
+      end
+    elsif env.current[var]
+      env.current[var] = value
+    elsif @branch_env and @branch_env[var]
+      @branch_env[var] = value
+    elsif @branch_env and @meth_env and node_type? var, :ivar
+      @branch_env[var] = value
+    else
+      env.current[var] = value
+    end
+  end
+  #If possible, distribute operation over both sides of an or.
+  #For example,
+  #
+  #    (1 or 2) * 5
+  #
+  #Becomes
+  #
+  #    (5 or 10)
+  #
+  #Only works for strings and numbers right now.
+  def process_or_simple_operation exp
+    arg = exp.first_arg
+    return nil unless string? arg or number? arg
+    target = exp.target
+    lhs = process_or_target(target.lhs, exp.dup)
+    rhs = process_or_target(target.rhs, exp.dup)
+    if lhs and rhs
+      if same_value? lhs, rhs
+        lhs
+      else
+        exp.target.lhs = lhs
+        exp.target.rhs = rhs
+        exp.target
+      end
+    else
+      nil
+    end
+  end
+  def process_or_target value, copy
+    if string? value or number? value
+      copy.target = value
+      process copy
+    else
+      false
+    end
+  end
+end