RubyGems - brakeman-lib - Versions diffs - 3.3.1 - Mend

brakeman-lib 3.3.1

Files changed (159) hide show

checksums.yaml +7 -0
data/CHANGES +872 -0
data/FEATURES +16 -0
data/README.md +169 -0
data/WARNING_TYPES +95 -0
data/bin/brakeman +89 -0
data/lib/brakeman.rb +495 -0
data/lib/brakeman/app_tree.rb +161 -0
data/lib/brakeman/brakeman.rake +17 -0
data/lib/brakeman/call_index.rb +219 -0
data/lib/brakeman/checks.rb +191 -0
data/lib/brakeman/checks/base_check.rb +518 -0
data/lib/brakeman/checks/check_basic_auth.rb +88 -0
data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +33 -0
data/lib/brakeman/checks/check_content_tag.rb +160 -0
data/lib/brakeman/checks/check_create_with.rb +75 -0
data/lib/brakeman/checks/check_cross_site_scripting.rb +385 -0
data/lib/brakeman/checks/check_default_routes.rb +86 -0
data/lib/brakeman/checks/check_deserialize.rb +57 -0
data/lib/brakeman/checks/check_detailed_exceptions.rb +55 -0
data/lib/brakeman/checks/check_digest_dos.rb +38 -0
data/lib/brakeman/checks/check_dynamic_finders.rb +49 -0
data/lib/brakeman/checks/check_escape_function.rb +21 -0
data/lib/brakeman/checks/check_evaluation.rb +36 -0
data/lib/brakeman/checks/check_execute.rb +167 -0
data/lib/brakeman/checks/check_file_access.rb +63 -0
data/lib/brakeman/checks/check_file_disclosure.rb +35 -0
data/lib/brakeman/checks/check_filter_skipping.rb +31 -0
data/lib/brakeman/checks/check_forgery_setting.rb +74 -0
data/lib/brakeman/checks/check_header_dos.rb +31 -0
data/lib/brakeman/checks/check_i18n_xss.rb +48 -0
data/lib/brakeman/checks/check_jruby_xml.rb +38 -0
data/lib/brakeman/checks/check_json_encoding.rb +47 -0
data/lib/brakeman/checks/check_json_parsing.rb +107 -0
data/lib/brakeman/checks/check_link_to.rb +132 -0
data/lib/brakeman/checks/check_link_to_href.rb +115 -0
data/lib/brakeman/checks/check_mail_to.rb +49 -0
data/lib/brakeman/checks/check_mass_assignment.rb +198 -0
data/lib/brakeman/checks/check_mime_type_dos.rb +39 -0
data/lib/brakeman/checks/check_model_attr_accessible.rb +55 -0
data/lib/brakeman/checks/check_model_attributes.rb +119 -0
data/lib/brakeman/checks/check_model_serialize.rb +67 -0
data/lib/brakeman/checks/check_nested_attributes.rb +38 -0
data/lib/brakeman/checks/check_nested_attributes_bypass.rb +58 -0
data/lib/brakeman/checks/check_number_to_currency.rb +74 -0
data/lib/brakeman/checks/check_quote_table_name.rb +40 -0
data/lib/brakeman/checks/check_redirect.rb +215 -0
data/lib/brakeman/checks/check_regex_dos.rb +69 -0
data/lib/brakeman/checks/check_render.rb +92 -0
data/lib/brakeman/checks/check_render_dos.rb +37 -0
data/lib/brakeman/checks/check_render_inline.rb +54 -0
data/lib/brakeman/checks/check_response_splitting.rb +21 -0
data/lib/brakeman/checks/check_route_dos.rb +42 -0
data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +31 -0
data/lib/brakeman/checks/check_sanitize_methods.rb +79 -0
data/lib/brakeman/checks/check_secrets.rb +40 -0
data/lib/brakeman/checks/check_select_tag.rb +60 -0
data/lib/brakeman/checks/check_select_vulnerability.rb +60 -0
data/lib/brakeman/checks/check_send.rb +48 -0
data/lib/brakeman/checks/check_send_file.rb +19 -0
data/lib/brakeman/checks/check_session_manipulation.rb +36 -0
data/lib/brakeman/checks/check_session_settings.rb +170 -0
data/lib/brakeman/checks/check_simple_format.rb +59 -0
data/lib/brakeman/checks/check_single_quotes.rb +101 -0
data/lib/brakeman/checks/check_skip_before_filter.rb +60 -0
data/lib/brakeman/checks/check_sql.rb +660 -0
data/lib/brakeman/checks/check_sql_cves.rb +101 -0
data/lib/brakeman/checks/check_ssl_verify.rb +49 -0
data/lib/brakeman/checks/check_strip_tags.rb +89 -0
data/lib/brakeman/checks/check_symbol_dos.rb +64 -0
data/lib/brakeman/checks/check_symbol_dos_cve.rb +30 -0
data/lib/brakeman/checks/check_translate_bug.rb +45 -0
data/lib/brakeman/checks/check_unsafe_reflection.rb +51 -0
data/lib/brakeman/checks/check_unscoped_find.rb +41 -0
data/lib/brakeman/checks/check_validation_regex.rb +116 -0
data/lib/brakeman/checks/check_weak_hash.rb +151 -0
data/lib/brakeman/checks/check_without_protection.rb +80 -0
data/lib/brakeman/checks/check_xml_dos.rb +51 -0
data/lib/brakeman/checks/check_yaml_parsing.rb +121 -0
data/lib/brakeman/differ.rb +66 -0
data/lib/brakeman/file_parser.rb +50 -0
data/lib/brakeman/format/style.css +133 -0
data/lib/brakeman/options.rb +301 -0
data/lib/brakeman/parsers/rails2_erubis.rb +6 -0
data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb +48 -0
data/lib/brakeman/parsers/rails3_erubis.rb +74 -0
data/lib/brakeman/parsers/template_parser.rb +89 -0
data/lib/brakeman/processor.rb +102 -0
data/lib/brakeman/processors/alias_processor.rb +1013 -0
data/lib/brakeman/processors/base_processor.rb +277 -0
data/lib/brakeman/processors/config_processor.rb +14 -0
data/lib/brakeman/processors/controller_alias_processor.rb +273 -0
data/lib/brakeman/processors/controller_processor.rb +326 -0
data/lib/brakeman/processors/erb_template_processor.rb +80 -0
data/lib/brakeman/processors/erubis_template_processor.rb +104 -0
data/lib/brakeman/processors/gem_processor.rb +57 -0
data/lib/brakeman/processors/haml_template_processor.rb +190 -0
data/lib/brakeman/processors/lib/basic_processor.rb +37 -0
data/lib/brakeman/processors/lib/find_all_calls.rb +223 -0
data/lib/brakeman/processors/lib/find_call.rb +183 -0
data/lib/brakeman/processors/lib/find_return_value.rb +134 -0
data/lib/brakeman/processors/lib/processor_helper.rb +75 -0
data/lib/brakeman/processors/lib/rails2_config_processor.rb +145 -0
data/lib/brakeman/processors/lib/rails2_route_processor.rb +313 -0
data/lib/brakeman/processors/lib/rails3_config_processor.rb +132 -0
data/lib/brakeman/processors/lib/rails3_route_processor.rb +308 -0
data/lib/brakeman/processors/lib/render_helper.rb +181 -0
data/lib/brakeman/processors/lib/render_path.rb +107 -0
data/lib/brakeman/processors/lib/route_helper.rb +68 -0
data/lib/brakeman/processors/lib/safe_call_helper.rb +16 -0
data/lib/brakeman/processors/library_processor.rb +119 -0
data/lib/brakeman/processors/model_processor.rb +191 -0
data/lib/brakeman/processors/output_processor.rb +171 -0
data/lib/brakeman/processors/route_processor.rb +17 -0
data/lib/brakeman/processors/slim_template_processor.rb +107 -0
data/lib/brakeman/processors/template_alias_processor.rb +116 -0
data/lib/brakeman/processors/template_processor.rb +74 -0
data/lib/brakeman/report.rb +78 -0
data/lib/brakeman/report/config/remediation.yml +71 -0
data/lib/brakeman/report/ignore/config.rb +135 -0
data/lib/brakeman/report/ignore/interactive.rb +311 -0
data/lib/brakeman/report/renderer.rb +24 -0
data/lib/brakeman/report/report_base.rb +286 -0
data/lib/brakeman/report/report_codeclimate.rb +70 -0
data/lib/brakeman/report/report_csv.rb +55 -0
data/lib/brakeman/report/report_hash.rb +23 -0
data/lib/brakeman/report/report_html.rb +216 -0
data/lib/brakeman/report/report_json.rb +42 -0
data/lib/brakeman/report/report_markdown.rb +156 -0
data/lib/brakeman/report/report_table.rb +107 -0
data/lib/brakeman/report/report_tabs.rb +17 -0
data/lib/brakeman/report/templates/controller_overview.html.erb +22 -0
data/lib/brakeman/report/templates/controller_warnings.html.erb +21 -0
data/lib/brakeman/report/templates/error_overview.html.erb +29 -0
data/lib/brakeman/report/templates/header.html.erb +58 -0
data/lib/brakeman/report/templates/ignored_warnings.html.erb +25 -0
data/lib/brakeman/report/templates/model_warnings.html.erb +21 -0
data/lib/brakeman/report/templates/overview.html.erb +38 -0
data/lib/brakeman/report/templates/security_warnings.html.erb +23 -0
data/lib/brakeman/report/templates/template_overview.html.erb +21 -0
data/lib/brakeman/report/templates/view_warnings.html.erb +34 -0
data/lib/brakeman/report/templates/warning_overview.html.erb +17 -0
data/lib/brakeman/rescanner.rb +483 -0
data/lib/brakeman/scanner.rb +317 -0
data/lib/brakeman/tracker.rb +347 -0
data/lib/brakeman/tracker/collection.rb +93 -0
data/lib/brakeman/tracker/config.rb +101 -0
data/lib/brakeman/tracker/constants.rb +101 -0
data/lib/brakeman/tracker/controller.rb +161 -0
data/lib/brakeman/tracker/library.rb +17 -0
data/lib/brakeman/tracker/model.rb +90 -0
data/lib/brakeman/tracker/template.rb +33 -0
data/lib/brakeman/util.rb +481 -0
data/lib/brakeman/version.rb +3 -0
data/lib/brakeman/warning.rb +255 -0
data/lib/brakeman/warning_codes.rb +111 -0
data/lib/ruby_parser/bm_sexp.rb +610 -0
data/lib/ruby_parser/bm_sexp_processor.rb +116 -0
metadata +362 -0

data/lib/brakeman/parsers/rails2_erubis.rb ADDED

@@ -0,0 +1,6 @@
+Brakeman.load_brakeman_dependency 'erubis'
+#Erubis processor which ignores any output which is plain text.
+class Brakeman::ScannerErubis < Erubis::Eruby
+  include Erubis::NoTextEnhancer
+end

data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb ADDED

@@ -0,0 +1,48 @@
+Brakeman.load_brakeman_dependency 'erubis'
+#This is from the rails_xss plugin for Rails 2
+class Brakeman::Rails2XSSPluginErubis < ::Erubis::Eruby
+  def add_preamble(src)
+    #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
+  end
+  #This is different from rails_xss - fixes some line number issues
+  def add_text(src, text)
+    if text == "\n"
+      src << "\n"
+    elsif text.include? "\n"
+      lines = text.split("\n")
+      if text.match(/\n\z/)
+        lines.each do |line|
+          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
+        end
+      else
+        lines[0..-2].each do |line|
+          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
+        end
+        src << "@output_buffer.safe_concat('" << escape_text(lines.last) << "');"
+      end
+    else
+      src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
+    end
+  end
+  BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
+  def add_expr_literal(src, code)
+    if code =~ BLOCK_EXPR
+      src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
+    else
+      src << '@output_buffer << ((' << code << ').to_s);'
+    end
+  end
+  def add_expr_escaped(src, code)
+    src << '@output_buffer << ' << escaped_expr(code) << ';'
+  end
+  def add_postamble(src)
+    #src << '@output_buffer.to_s'
+  end
+end

data/lib/brakeman/parsers/rails3_erubis.rb ADDED

@@ -0,0 +1,74 @@
+Brakeman.load_brakeman_dependency 'erubis'
+# This is from Rails 5 version of the Erubis handler
+# https://github.com/rails/rails/blob/ec608107801b1e505db03ba76bae4a326a5804ca/actionview/lib/action_view/template/handlers/erb.rb#L7-L73
+class Brakeman::Rails3Erubis < ::Erubis::Eruby
+  def add_preamble(src)
+    @newline_pending = 0
+    src << "@output_buffer = output_buffer || ActionView::OutputBuffer.new;"
+  end
+  def add_text(src, text)
+    return if text.empty?
+    if text == "\n"
+      @newline_pending += 1
+    else
+      src << "@output_buffer.safe_append='"
+      src << "\n" * @newline_pending if @newline_pending > 0
+      src << escape_text(text)
+      src << "'.freeze;"
+      @newline_pending = 0
+    end
+  end
+  # Erubis toggles <%= and <%== behavior when escaping is enabled.
+  # We override to always treat <%== as escaped.
+  def add_expr(src, code, indicator)
+    case indicator
+    when '=='
+      add_expr_escaped(src, code)
+    else
+      super
+    end
+  end
+  BLOCK_EXPR = /\s*((\s+|\))do|\{)(\s*\|[^|]*\|)?\s*\Z/
+  def add_expr_literal(src, code)
+    flush_newline_if_pending(src)
+    if code =~ BLOCK_EXPR
+      src << '@output_buffer.append= ' << code
+    else
+      src << '@output_buffer.append=(' << code << ');'
+    end
+  end
+  def add_expr_escaped(src, code)
+    flush_newline_if_pending(src)
+    if code =~ BLOCK_EXPR
+      src << "@output_buffer.safe_expr_append= " << code
+    else
+      src << "@output_buffer.safe_expr_append=(" << code << ");"
+    end
+  end
+  def add_stmt(src, code)
+    flush_newline_if_pending(src)
+    super
+  end
+  def add_postamble(src)
+    flush_newline_if_pending(src)
+    src << '@output_buffer.to_s'
+  end
+  def flush_newline_if_pending(src)
+    if @newline_pending > 0
+      src << "@output_buffer.safe_append='#{"\n" * @newline_pending}'.freeze;"
+      @newline_pending = 0
+    end
+  end
+end

data/lib/brakeman/parsers/template_parser.rb ADDED

@@ -0,0 +1,89 @@
+module Brakeman
+  class TemplateParser
+    include Brakeman::Util
+    attr_reader :tracker
+    KNOWN_TEMPLATE_EXTENSIONS = /.*\.(erb|haml|rhtml|slim)$/
+    TemplateFile = Struct.new(:path, :ast, :name, :type)
+    def initialize tracker, file_parser
+      @tracker = tracker
+      @file_parser = file_parser
+      @file_parser.file_list[:templates] ||= []
+    end
+    def parse_template path, text
+      type = path.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
+      type = :erb if type == :rhtml
+      name = template_path_to_name path
+      Brakeman.debug "Parsing #{path}"
+      begin
+        src = case type
+              when :erb
+                type = :erubis if erubis?
+                parse_erb text
+              when :haml
+                parse_haml text
+              when :slim
+                parse_slim text
+              else
+                tracker.error "Unknown template type in #{path}"
+                nil
+              end
+        if src and ast = @file_parser.parse_ruby(src, path)
+          @file_parser.file_list[:templates] << TemplateFile.new(path, ast, name, type)
+        end
+      rescue Racc::ParseError => e
+        tracker.error e, "could not parse #{path}"
+      rescue Haml::Error => e
+        tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
+      rescue StandardError, LoadError => e
+        tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
+      end
+      nil
+    end
+    def parse_erb text
+      if tracker.config.escape_html?
+        if tracker.options[:rails3]
+          require 'brakeman/parsers/rails3_erubis'
+          Brakeman::Rails3Erubis.new(text).src
+        else
+          require 'brakeman/parsers/rails2_xss_plugin_erubis'
+          Brakeman::Rails2XSSPluginErubis.new(text).src
+        end
+      elsif tracker.config.erubis?
+        require 'brakeman/parsers/rails2_erubis'
+        Brakeman::ScannerErubis.new(text).src
+      else
+        require 'erb'
+        src = ERB.new(text, nil, "-").src
+        src.sub!(/^#.*\n/, '') if Brakeman::Scanner::RUBY_1_9
+        src
+      end
+    end
+    def erubis?
+      tracker.config.escape_html? or
+        tracker.config.erubis?
+    end
+    def parse_haml text
+      Brakeman.load_brakeman_dependency 'haml'
+      Brakeman.load_brakeman_dependency 'sass'
+      Haml::Engine.new(text,
+                       :escape_html => tracker.config.escape_html?).precompiled.gsub(/([^\\])\\n/, '\1')
+    end
+    def parse_slim text
+      Brakeman.load_brakeman_dependency 'slim'
+      Slim::Template.new(:disable_capture => true,
+                         :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
+    end
+  end
+end

data/lib/brakeman/processor.rb ADDED

@@ -0,0 +1,102 @@
+#Load all files in processors/
+Dir.glob("#{File.expand_path(File.dirname(__FILE__))}/processors/*.rb").each { |f| require f.match(/brakeman\/processors.*/)[0] }
+require 'brakeman/tracker'
+require 'set'
+require 'pathname'
+module Brakeman
+  #Makes calls to the appropriate processor.
+  #
+  #The ControllerProcessor, TemplateProcessor, and ModelProcessor will
+  #update the Tracker with information about what is parsed.
+  class Processor
+    include Util
+    def initialize(app_tree, options)
+      @app_tree = app_tree
+      @tracker = Tracker.new(@app_tree, self, options)
+    end
+    def tracked_events
+      @tracker
+    end
+    #Process configuration file source
+    def process_config src, file_name
+      ConfigProcessor.new(@tracker).process_config src, file_name
+    end
+    #Process Gemfile
+    def process_gems gem_files
+      GemProcessor.new(@tracker).process_gems gem_files
+    end
+    #Process route file source
+    def process_routes src
+      RoutesProcessor.new(@tracker).process_routes src
+    end
+    #Process controller source. +file_name+ is used for reporting
+    def process_controller src, file_name
+      if contains_class? src
+        ControllerProcessor.new(@app_tree, @tracker).process_controller src, file_name
+      else
+        LibraryProcessor.new(@tracker).process_library src, file_name
+      end
+    end
+    #Process variable aliasing in controller source and save it in the
+    #tracker.
+    def process_controller_alias name, src, only_method = nil, file = nil
+      ControllerAliasProcessor.new(@app_tree, @tracker, only_method).process_controller name, src, file
+    end
+    #Process a model source
+    def process_model src, file_name
+      result = ModelProcessor.new(@tracker).process_model src, file_name
+      AliasProcessor.new(@tracker).process_all result if result
+    end
+    #Process either an ERB or HAML template
+    def process_template name, src, type, called_from = nil, file_name = nil
+      case type
+      when :erb
+        result = ErbTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :haml
+        result = HamlTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :erubis
+        result = ErubisTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :slim
+        result = SlimTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      else
+        abort "Unknown template type: #{type} (#{name})"
+      end
+      #Each template which is rendered is stored separately
+      #with a new name.
+      if called_from
+        name = ("#{name}.#{called_from}").to_sym
+      end
+      @tracker.templates[name].src = result
+      @tracker.templates[name].type = type
+    end
+    #Process any calls to render() within a template
+    def process_template_alias template
+      TemplateAliasProcessor.new(@tracker, template).process_safely template.src
+    end
+    #Process source for initializing files
+    def process_initializer file_name, src
+      res = BaseProcessor.new(@tracker).process_file src, file_name
+      res = AliasProcessor.new(@tracker).process_safely res, nil, file_name
+      @tracker.initializers[Pathname.new(file_name).basename.to_s] = res
+    end
+    #Process source for a library file
+    def process_lib src, file_name
+      LibraryProcessor.new(@tracker).process_library src, file_name
+    end
+  end
+end

data/lib/brakeman/processors/alias_processor.rb ADDED

@@ -0,0 +1,1013 @@
+require 'brakeman/util'
+require 'ruby_parser/bm_sexp_processor'
+require 'brakeman/processors/lib/processor_helper'
+require 'brakeman/processors/lib/safe_call_helper'
+#Returns an s-expression with aliases replaced with their value.
+#This does not preserve semantics (due to side effects, etc.), but it makes
+#processing easier when searching for various things.
+class Brakeman::AliasProcessor < Brakeman::SexpProcessor
+  include Brakeman::ProcessorHelper
+  include Brakeman::SafeCallHelper
+  include Brakeman::Util
+  attr_reader :result, :tracker
+  #Returns a new AliasProcessor with an empty environment.
+  #
+  #The recommended usage is:
+  #
+  # AliasProcessor.new.process_safely src
+  def initialize tracker = nil, file_name = nil
+    super()
+    @env = SexpProcessor::Environment.new
+    @inside_if = false
+    @ignore_ifs = nil
+    @exp_context = []
+    @current_module = nil
+    @tracker = tracker #set in subclass as necessary
+    @helper_method_cache = {}
+    @helper_method_info = Hash.new({})
+    @or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
+    @meth_env = nil
+    @file_name = file_name
+    set_env_defaults
+  end
+  #This method processes the given Sexp, but copies it first so
+  #the original argument will not be modified.
+  #
+  #_set_env_ should be an instance of SexpProcessor::Environment. If provided,
+  #it will be used as the starting environment.
+  #
+  #This method returns a new Sexp with variables replaced with their values,
+  #where possible.
+  def process_safely src, set_env = nil, file_name = nil
+    @file_name = file_name
+    @env = set_env || SexpProcessor::Environment.new
+    @result = src.deep_clone
+    process @result
+    @result
+  end
+  #Process a Sexp. If the Sexp has a value associated with it in the
+  #environment, that value will be returned.
+  def process_default exp
+    @exp_context.push exp
+    begin
+      exp.map! do |e|
+        if sexp? e and not e.empty?
+          process e
+        else
+          e
+        end
+      end
+    rescue => err
+      @tracker.error err if @tracker
+    end
+    result = replace(exp)
+    @exp_context.pop
+    result
+  end
+  def replace exp, int = 0
+    return exp if int > 3
+    if replacement = env[exp] and not duplicate? replacement
+      replace(replacement.deep_clone(exp.line), int + 1)
+    elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
+      replace(replacement.deep_clone(exp.line), int + 1)
+    else
+      exp
+    end
+  end
+  ARRAY_CONST = s(:const, :Array)
+  HASH_CONST = s(:const, :Hash)
+  RAILS_TEST = s(:call, s(:call, s(:const, :Rails), :env), :test?)
+  #Process a method call.
+  def process_call exp
+    return exp if process_call_defn? exp
+    target_var = exp.target
+    target_var &&= target_var.deep_clone
+    if exp.node_type == :safe_call
+      exp.node_type = :call
+    end
+    exp = process_default exp
+    #In case it is replaced with something else
+    unless call? exp
+      return exp
+    end
+    target = exp.target
+    method = exp.method
+    first_arg = exp.first_arg
+    if method == :send or method == :try
+      collapse_send_call exp, first_arg
+    end
+    if node_type? target, :or and [:+, :-, :*, :/].include? method
+      res = process_or_simple_operation(exp)
+      return res if res
+    elsif target == ARRAY_CONST and method == :new
+      return Sexp.new(:array, *exp.args)
+    elsif target == HASH_CONST and method == :new and first_arg.nil? and !node_type?(@exp_context.last, :iter)
+      return Sexp.new(:hash)
+    elsif exp == RAILS_TEST
+      return Sexp.new(:false)
+    end
+    #See if it is possible to simplify some basic cases
+    #of addition/concatenation.
+    case method
+    when :+
+      if array? target and array? first_arg
+        joined = join_arrays target, first_arg
+        joined.line(exp.line)
+        exp = joined
+      elsif string? first_arg
+        if string? target # "blah" + "blah"
+          joined = join_strings target, first_arg
+          joined.line(exp.line)
+          exp = joined
+        elsif call? target and target.method == :+ and string? target.first_arg
+          joined = join_strings target.first_arg, first_arg
+          joined.line(exp.line)
+          target.first_arg = joined
+          exp = target
+        end
+      elsif number? first_arg
+        if number? target
+          exp = Sexp.new(:lit, target.value + first_arg.value)
+        elsif call? target and target.method == :+ and number? target.first_arg
+          target.first_arg = Sexp.new(:lit, target.first_arg.value + first_arg.value)
+          exp = target
+        end
+      end
+    when :-
+      if number? target and number? first_arg
+        exp = Sexp.new(:lit, target.value - first_arg.value)
+      end
+    when :*
+      if number? target and number? first_arg
+        exp = Sexp.new(:lit, target.value * first_arg.value)
+      end
+    when :/
+      if number? target and number? first_arg
+        if first_arg.value == 0 and not target.value.is_a? Float
+          if @tracker
+            location = [@current_class, @current_method, "line #{first_arg.line}"].compact.join(' ')
+            require 'brakeman/processors/output_processor'
+            code = Brakeman::OutputProcessor.new.format(exp)
+            @tracker.error Exception.new("Potential divide by zero: #{code} (#{location})")
+          end
+        else
+          exp = Sexp.new(:lit, target.value / first_arg.value)
+        end
+      end
+    when :[]
+      if array? target
+        temp_exp = process_array_access target, exp.args
+        exp = temp_exp if temp_exp
+      elsif hash? target
+        temp_exp = process_hash_access target, first_arg
+        exp = temp_exp if temp_exp
+      end
+    when :merge!, :update
+      if hash? target and hash? first_arg
+         target = process_hash_merge! target, first_arg
+         env[target_var] = target
+         return target
+      end
+    when :merge
+      if hash? target and hash? first_arg
+        return process_hash_merge(target, first_arg)
+      end
+    when :<<
+      if string? target and string? first_arg
+        target.value << first_arg.value
+        env[target_var] = target
+        return target
+      elsif string? target and string_interp? first_arg
+        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg[2..-1])
+        env[target_var] = exp
+      elsif string? first_arg and string_interp? target
+        if string? target.last
+          target.last.value << first_arg.value
+        elsif target.last.is_a? String
+          target.last << first_arg.value
+        else
+          target << first_arg
+        end
+        env[target_var] = target
+        return first_arg
+      elsif array? target
+        target << first_arg
+        env[target_var] = target
+        return target
+      else
+        target = find_push_target(target_var)
+        env[target] = exp unless target.nil? # Happens in TemplateAliasProcessor
+      end
+    when :first
+      if array? target and first_arg.nil? and sexp? target[1]
+        exp = target[1]
+      end
+    end
+    exp
+  end
+  def process_iter exp
+    @exp_context.push exp
+    exp[1] = process exp.block_call
+    if array_detect_all_literals? exp[1]
+      return exp.block_call.target[1]
+    end
+    @exp_context.pop
+    env.scope do
+      exp.block_args.each do |e|
+        #Force block arg(s) to be local
+        if node_type? e, :lasgn
+          env.current[Sexp.new(:lvar, e.lhs)] = Sexp.new(:lvar, e.lhs)
+        elsif node_type? e, :kwarg
+          env.current[Sexp.new(:lvar, e[1])] = e[2]
+        elsif node_type? e, :masgn, :shadow
+          e[1..-1].each do |var|
+            local = Sexp.new(:lvar, var)
+            env.current[local] = local
+          end
+        elsif e.is_a? Symbol
+          local = Sexp.new(:lvar, e)
+          env.current[local] = local
+        else
+          raise "Unexpected value in block args: #{e.inspect}"
+        end
+      end
+      block = exp.block
+      if block? block
+        process_all! block
+      else
+        exp[3] = process block
+      end
+    end
+    exp
+  end
+  #Process a new scope.
+  def process_scope exp
+    env.scope do
+      process exp.block
+    end
+    exp
+  end
+  #Start new scope for block.
+  def process_block exp
+    env.scope do
+      process_default exp
+    end
+  end
+  #Process a method definition.
+  def process_defn exp
+    meth_env do
+      exp.body = process_all! exp.body
+    end
+    exp
+  end
+  def meth_env
+    begin
+      env.scope do
+        set_env_defaults
+        @meth_env = env.current
+        yield
+      end
+    ensure
+      @meth_env = nil
+    end
+  end
+  #Process a method definition on self.
+  def process_defs exp
+    env.scope do
+      set_env_defaults
+      exp.body = process_all! exp.body
+    end
+    exp
+  end
+  # Handles x = y = z = 1
+  def get_rhs exp
+    if node_type? exp, :lasgn, :iasgn, :gasgn, :attrasgn, :safe_attrasgn, :cvdecl, :cdecl
+      get_rhs(exp.rhs)
+    else
+      exp
+    end
+  end
+  #Local assignment
+  # x = 1
+  def process_lasgn exp
+    self_assign = self_assign?(exp.lhs, exp.rhs)
+    exp.rhs = process exp.rhs if sexp? exp.rhs
+    return exp if exp.rhs.nil?
+    local = Sexp.new(:lvar, exp.lhs).line(exp.line || -2)
+    if self_assign
+      # Skip branching
+      env[local] = get_rhs(exp)
+    else
+      set_value local, get_rhs(exp)
+    end
+    exp
+  end
+  #Instance variable assignment
+  # @x = 1
+  def process_iasgn exp
+    self_assign = self_assign?(exp.lhs, exp.rhs)
+    exp.rhs = process exp.rhs
+    ivar = Sexp.new(:ivar, exp.lhs).line(exp.line)
+    if self_assign
+      if env[ivar].nil? and @meth_env
+        @meth_env[ivar] = get_rhs(exp)
+      else
+        env[ivar] = get_rhs(exp)
+      end
+    else
+      set_value ivar, get_rhs(exp)
+    end
+    exp
+  end
+  #Global assignment
+  # $x = 1
+  def process_gasgn exp
+    match = Sexp.new(:gvar, exp.lhs)
+    exp.rhs = process(exp.rhs)
+    value = get_rhs(exp)
+    value.line = exp.line
+    set_value match, value
+    exp
+  end
+  #Class variable assignment
+  # @@x = 1
+  def process_cvdecl exp
+    match = Sexp.new(:cvar, exp.lhs)
+    exp.rhs = process(exp.rhs)
+    value = get_rhs(exp)
+    set_value match, value
+    exp
+  end
+  #'Attribute' assignment
+  # x.y = 1
+  #or
+  # x[:y] = 1
+  def process_attrasgn exp
+    tar_variable = exp.target
+    target = exp.target = process(exp.target)
+    method = exp.method
+    index_arg = exp.first_arg
+    value_arg = exp.second_arg
+    if method == :[]=
+      index = exp.first_arg = process(index_arg)
+      value = exp.second_arg = process(value_arg)
+      match = Sexp.new(:call, target, :[], index)
+      set_value match, value
+      if hash? target
+        env[tar_variable] = hash_insert target.deep_clone, index, value
+      end
+    elsif method.to_s[-1,1] == "="
+      exp.first_arg = process(index_arg)
+      value = get_rhs(exp)
+      #This is what we'll replace with the value
+      match = Sexp.new(:call, target, method.to_s[0..-2].to_sym)
+      set_value match, value
+    else
+      raise "Unrecognized assignment: #{exp}"
+    end
+    exp
+  end
+  # Multiple/parallel assignment:
+  #
+  # x, y = z, w
+  def process_masgn exp
+    unless array? exp[1] and array? exp[2] and exp[1].length == exp[2].length
+      return process_default(exp)
+    end
+    vars = exp[1].dup
+    vals = exp[2].dup
+    vars.shift
+    vals.shift
+    # Call each assignment as if it is normal
+    vars.each_with_index do |var, i|
+      val = vals[i]
+      if val
+        assign = var.dup
+        assign.rhs = val
+        process assign
+      end
+    end
+    exp
+  end
+  #Merge values into hash when processing
+  #
+  # h.merge! :something => "value"
+  def process_hash_merge! hash, args
+    hash = hash.deep_clone
+    hash_iterate args do |key, replacement|
+      hash_insert hash, key, replacement
+      match = Sexp.new(:call, hash, :[], key)
+      env[match] = replacement
+    end
+    hash
+  end
+  #Return a new hash Sexp with the given values merged into it.
+  #
+  #+args+ should be a hash Sexp as well.
+  def process_hash_merge hash, args
+    hash = hash.deep_clone
+    hash_iterate args do |key, replacement|
+      hash_insert hash, key, replacement
+    end
+    hash
+  end
+  #Assignments like this
+  # x[:y] ||= 1
+  def process_op_asgn1 exp
+    return process_default(exp) if exp[3] != :"||"
+    target = exp[1] = process(exp[1])
+    index = exp[2][1] = process(exp[2][1])
+    value = exp[4] = process(exp[4])
+    match = Sexp.new(:call, target, :[], index)
+    unless env[match]
+      if request_value? target
+        env[match] = match.combine(value)
+      else
+        env[match] = value
+      end
+    end
+    exp
+  end
+  #Assignments like this
+  # x.y ||= 1
+  def process_op_asgn2 exp
+    return process_default(exp) if exp[3] != :"||"
+    target = exp[1] = process(exp[1])
+    value = exp[4] = process(exp[4])
+    method = exp[2]
+    match = Sexp.new(:call, target, method.to_s[0..-2].to_sym)
+    unless env[match]
+      env[match] = value
+    end
+    exp
+  end
+  #This is the right hand side value of a multiple assignment,
+  #like `x = y, z`
+  def process_svalue exp
+    exp.value
+  end
+  #Constant assignments like
+  # BIG_CONSTANT = 234810983
+  def process_cdecl exp
+    if sexp? exp.rhs
+      exp.rhs = process exp.rhs
+    end
+    file = case
+           when @file_name
+             @file_name
+           when @current_class.is_a?(Brakeman::Collection)
+             @current_class.file
+           when @current_module.is_a?(Brakeman::Collection)
+             @current_module.file
+           else
+             nil
+           end
+    @tracker.add_constant exp.lhs, exp.rhs, :file => file if @tracker
+    if exp.lhs.is_a? Symbol
+      match = Sexp.new(:const, exp.lhs)
+    else
+      match = exp.lhs
+    end
+    env[match] = get_rhs(exp)
+    exp
+  end
+  # Check if exp is a call to Array#include? on an array literal
+  # that contains all literal values. For example:
+  #
+  #    [1, 2, "a"].include? x
+  #
+  def array_include_all_literals? exp
+    call? exp and
+    exp.method == :include? and
+    node_type? exp.target, :array and
+    exp.target.length > 1 and
+    exp.target.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+  end
+  def array_detect_all_literals? exp
+    call? exp and
+    [:detect, :find].include? exp.method and
+    node_type? exp.target, :array and
+    exp.target.length > 1 and
+    exp.first_arg.nil? and
+    exp.target.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+  end
+  #Sets @inside_if = true
+  def process_if exp
+    if @ignore_ifs.nil?
+      @ignore_ifs = @tracker && @tracker.options[:ignore_ifs]
+    end
+    condition = exp.condition = process exp.condition
+    #Check if a branch is obviously going to be taken
+    if true? condition
+      no_branch = true
+      exps = [exp.then_clause, nil]
+    elsif false? condition
+      no_branch = true
+      exps = [nil, exp.else_clause]
+    else
+      no_branch = false
+      exps = [exp.then_clause, exp.else_clause]
+    end
+    if @ignore_ifs or no_branch
+      exps.each_with_index do |branch, i|
+        exp[2 + i] = process_if_branch branch
+      end
+    else
+      was_inside = @inside_if
+      @inside_if = true
+      branch_scopes = []
+      exps.each_with_index do |branch, i|
+        scope do
+          @branch_env = env.current
+          branch_index = 2 + i # s(:if, condition, then_branch, else_branch)
+          if i == 0 and array_include_all_literals? condition
+            # If the condition is ["a", "b"].include? x
+            # set x to "a" inside the true branch
+            var = condition.first_arg
+            previous_value = env.current[var]
+            env.current[var] = condition.target[1]
+            exp[branch_index] = process_if_branch branch
+            env.current[var] = previous_value
+          else
+            exp[branch_index] = process_if_branch branch
+          end
+          branch_scopes << env.current
+          @branch_env = nil
+        end
+      end
+      @inside_if = was_inside
+      branch_scopes.each do |s|
+        merge_if_branch s
+      end
+    end
+    exp
+  end
+  def process_if_branch exp
+    if sexp? exp
+      if block? exp
+        process_default exp
+      else
+        process exp
+      end
+    end
+  end
+  def merge_if_branch branch_env
+    branch_env.each do |k, v|
+      next if v.nil?
+      current_val = env[k]
+      if current_val
+        unless same_value?(current_val, v)
+          if too_deep? current_val
+            # Give up branching, start over with latest value
+            env[k] = v
+          else
+            env[k] = current_val.combine(v, k.line)
+          end
+        end
+      else
+        env[k] = v
+      end
+    end
+  end
+  def too_deep? exp
+    @or_depth_limit >= 0 and
+    node_type? exp, :or and
+    exp.or_depth and
+    exp.or_depth >= @or_depth_limit
+  end
+  #Process single integer access to an array.
+  #
+  #Returns the value inside the array, if possible.
+  def process_array_access target, args
+    if args.length == 1 and integer? args.first
+      index = args.first.value
+      #Have to do this because first element is :array and we have to skip it
+      target[1..-1][index]
+    else
+      nil
+    end
+  end
+  #Process hash access by returning the value associated
+  #with the given argument.
+  def process_hash_access target, index
+    hash_access(target, index)
+  end
+  #Join two array literals into one.
+  def join_arrays array1, array2
+    result = Sexp.new(:array)
+    result.concat array1[1..-1]
+    result.concat array2[1..-1]
+  end
+  #Join two string literals into one.
+  def join_strings string1, string2
+    result = Sexp.new(:str)
+    result.value = string1.value + string2.value
+    if result.value.length > 50
+      string1
+    else
+      result
+    end
+  end
+  # Change x.send(:y, 1) to x.y(1)
+  def collapse_send_call exp, first_arg
+    # Handle try(&:id)
+    if node_type? first_arg, :block_pass
+      first_arg = first_arg[1]
+    end
+    return unless symbol? first_arg or string? first_arg
+    exp.method = first_arg.value.to_sym
+    args = exp.args
+    exp.pop # remove last arg
+    if args.length > 1
+      exp.arglist = args[1..-1]
+    end
+  end
+  #Returns a new SexpProcessor::Environment containing only instance variables.
+  #This is useful, for example, when processing views.
+  def only_ivars include_request_vars = false, lenv = nil
+    lenv ||= env
+    res = SexpProcessor::Environment.new
+    if include_request_vars
+      lenv.all.each do |k, v|
+        #TODO Why would this have nil values?
+        if (k.node_type == :ivar or request_value? k) and not v.nil?
+          res[k] = v.dup
+        end
+      end
+    else
+      lenv.all.each do |k, v|
+        #TODO Why would this have nil values?
+        if k.node_type == :ivar and not v.nil?
+          res[k] = v.dup
+        end
+      end
+    end
+    res
+  end
+  def only_request_vars
+    res = SexpProcessor::Environment.new
+    env.all.each do |k, v|
+      if request_value? k and not v.nil?
+        res[k] = v.dup
+      end
+    end
+    res
+  end
+  def get_call_value call
+    method_name = call.method
+    #Look for helper methods and see if we can get a return value
+    if found_method = find_method(method_name, @current_class)
+      helper = found_method[:method]
+      if sexp? helper
+        value = process_helper_method helper, call.args
+        value.line(call.line)
+        return value
+      else
+        raise "Unexpected value for method: #{found_method}"
+      end
+    else
+      call
+    end
+  end
+  def process_helper_method method_exp, args
+    method_name = method_exp.method_name
+    Brakeman.debug "Processing method #{method_name}"
+    info = @helper_method_info[method_name]
+    #If method uses instance variables, then include those and request
+    #variables (params, etc) in the method environment. Otherwise,
+    #only include request variables.
+    if info[:uses_ivars]
+      meth_env = only_ivars(:include_request_vars)
+    else
+      meth_env = only_request_vars
+    end
+    #Add arguments to method environment
+    assign_args method_exp, args, meth_env
+    #Find return values if method does not depend on environment/args
+    values = @helper_method_cache[method_name]
+    unless values
+      #Serialize environment for cache key
+      meth_values = meth_env.instance_variable_get(:@env).to_a
+      meth_values.sort!
+      meth_values = meth_values.to_s
+      digest = Digest::SHA1.new.update(meth_values << method_name.to_s).to_s.to_sym
+      values = @helper_method_cache[digest]
+    end
+    if values
+      #Use values from cache
+      values[:ivar_values].each do |var, val|
+        env[var] = val
+      end
+      values[:return_value]
+    else
+      #Find return value for method
+      frv = Brakeman::FindReturnValue.new
+      value = frv.get_return_value(method_exp.body_list, meth_env)
+      ivars = {}
+      only_ivars(false, meth_env).all.each do |var, val|
+        env[var] = val
+        ivars[var] = val
+      end
+      if not frv.uses_ivars? and args.length == 0
+        #Store return value without ivars and args if they are not used
+        @helper_method_cache[method_exp.method_name] = { :return_value => value, :ivar_values => ivars }
+      else
+        @helper_method_cache[digest] = { :return_value => value, :ivar_values => ivars }
+      end
+      #Store information about method, just ivar usage for now
+      @helper_method_info[method_name] = { :uses_ivars => frv.uses_ivars? }
+      value
+    end
+  end
+  def assign_args method_exp, args, meth_env = SexpProcessor::Environment.new
+    formal_args = method_exp.formal_args
+    formal_args.each_with_index do |arg, index|
+      next if index == 0
+      if arg.is_a? Symbol and sexp? args[index - 1]
+        meth_env[Sexp.new(:lvar, arg)] = args[index - 1]
+      end
+    end
+    meth_env
+  end
+  #Finds the inner most call target which is not the target of a call to <<
+  def find_push_target exp
+    if call? exp and exp.method == :<<
+      find_push_target exp.target
+    else
+      exp
+    end
+  end
+  def duplicate? exp
+    @exp_context[0..-2].reverse_each do |e|
+      return true if exp == e
+    end
+    false
+  end
+  def find_method *args
+    nil
+  end
+  #Return true if lhs == rhs or lhs is an or expression and
+  #rhs is one of its values
+  def same_value? lhs, rhs
+    if lhs == rhs
+      true
+    elsif node_type? lhs, :or
+      lhs.rhs == rhs or lhs.lhs == rhs
+    else
+      false
+    end
+  end
+  def self_assign? var, value
+    self_assign_var?(var, value) or self_assign_target?(var, value)
+  end
+  #Return true if for x += blah or @x += blah
+  def self_assign_var? var, value
+    call? value and
+    value.method == :+ and
+    node_type? value.target, :lvar, :ivar and
+    value.target.value == var
+  end
+  #Return true for x = x.blah
+  def self_assign_target? var, value
+    target = top_target(value)
+    if node_type? target, :lvar, :ivar
+      target = target.value
+    end
+    var == target
+  end
+  #Returns last non-nil target in a call chain
+  def top_target exp, last = nil
+    if call? exp
+      top_target exp.target, exp
+    elsif node_type? exp, :iter
+      top_target exp.block_call, last
+    else
+      exp || last
+    end
+  end
+  def value_from_if exp
+    if block? exp.else_clause or block? exp.then_clause
+      #If either clause is more than a single expression, just use entire
+      #if expression for now
+      exp
+    elsif exp.else_clause.nil?
+      exp.then_clause
+    elsif exp.then_clause.nil?
+      exp.else_clause
+    else
+      condition = exp.condition
+      if true? condition
+        exp.then_clause
+      elsif false? condition
+        exp.else_clause
+      else
+        exp.then_clause.combine(exp.else_clause, exp.line)
+      end
+    end
+  end
+  #Set variable to given value.
+  #Creates "branched" versions of values when appropriate.
+  #Avoids creating multiple branched versions inside same
+  #if branch.
+  def set_value var, value
+    if node_type? value, :if
+      value = value_from_if(value)
+    end
+    if @ignore_ifs or not @inside_if
+      if @meth_env and node_type? var, :ivar and env[var].nil?
+        @meth_env[var] = value
+      else
+        env[var] = value
+      end
+    elsif env.current[var]
+      env.current[var] = value
+    elsif @branch_env and @branch_env[var]
+      @branch_env[var] = value
+    elsif @branch_env and @meth_env and node_type? var, :ivar
+      @branch_env[var] = value
+    else
+      env.current[var] = value
+    end
+  end
+  #If possible, distribute operation over both sides of an or.
+  #For example,
+  #
+  #    (1 or 2) * 5
+  #
+  #Becomes
+  #
+  #    (5 or 10)
+  #
+  #Only works for strings and numbers right now.
+  def process_or_simple_operation exp
+    arg = exp.first_arg
+    return nil unless string? arg or number? arg
+    target = exp.target
+    lhs = process_or_target(target.lhs, exp.dup)
+    rhs = process_or_target(target.rhs, exp.dup)
+    if lhs and rhs
+      if same_value? lhs, rhs
+        lhs
+      else
+        exp.target.lhs = lhs
+        exp.target.rhs = rhs
+        exp.target
+      end
+    else
+      nil
+    end
+  end
+  def process_or_target value, copy
+    if string? value or number? value
+      copy.target = value
+      process copy
+    else
+      false
+    end
+  end
+end