brakeman-lib 3.3.1

data/lib/brakeman/processors/controller_processor.rb

@@ -0,0 +1,326 @@
+require 'brakeman/processors/base_processor'
+require 'brakeman/tracker/controller'
+
+#Processes controller. Results are put in tracker.controllers
+class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
+  FORMAT_HTML = Sexp.new(:call, Sexp.new(:lvar, :format), :html)
+
+  def initialize app_tree, tracker
+    super(tracker)
+    @app_tree = app_tree
+    @current_class = nil
+    @current_method = nil
+    @current_module = nil
+    @visibility = :public
+    @file_name = nil
+  end
+
+  #Use this method to process a Controller
+  def process_controller src, file_name = nil
+    @file_name = file_name
+    process src
+  end
+
+  #s(:class, NAME, PARENT, s(:scope ...))
+  def process_class exp
+    name = class_name(exp.class_name)
+    parent = class_name(exp.parent_name)
+
+    #If inside a real controller, treat any other classes as libraries.
+    #But if not inside a controller already, then the class may include
+    #a real controller, so we can't take this shortcut.
+    if @current_class and @current_class.name.to_s.end_with? "Controller"
+      Brakeman.debug "[Notice] Treating inner class as library: #{name}"
+      Brakeman::LibraryProcessor.new(@tracker).process_library exp, @file_name
+      return exp
+    end
+
+    if not name.to_s.end_with? "Controller"
+      Brakeman.debug "[Notice] Adding noncontroller as library: #{name}"
+      #Set the class to be a module in order to get the right namespacing.
+      #Add class to libraries, in case it is needed later (e.g. it's used
+      #as a parent class for a controller.)
+      #However, still want to process it in this class, so have to set
+      #@current_class to this not-really-a-controller thing.
+      process_module exp, parent
+
+      return exp
+    end
+
+    if @current_class
+      outer_class = @current_class
+      name = (outer_class.name.to_s + "::" + name.to_s).to_sym
+    end
+
+    if @current_module
+      name = (@current_module.name.to_s + "::" + name.to_s).to_sym
+    end
+
+    if @tracker.controllers[name]
+      @current_class = @tracker.controllers[name]
+      @current_class.add_file @file_name, exp
+    else
+      @current_class = Brakeman::Controller.new name, parent, @file_name, exp, @tracker
+      @tracker.controllers[name] = @current_class
+    end
+
+    exp.body = process_all! exp.body
+    set_layout_name
+
+    if outer_class
+      @current_class = outer_class
+    else
+      @current_class = nil
+    end
+
+    exp
+  end
+
+  def process_module exp, parent = nil
+    name = class_name(exp.module_name)
+
+    if @current_module
+      outer_module = @current_module
+      name = (outer_module.name.to_s + "::" + name.to_s).to_sym
+    end
+
+    if @current_class
+      name = (@current_class.name.to_s + "::" + name.to_s).to_sym
+    end
+
+    if @tracker.libs[name]
+      @current_module = @tracker.libs[name]
+      @current_module.add_file @file_name, exp
+    else
+      @current_module = Brakeman::Controller.new name, parent, @file_name, exp, @tracker
+      @tracker.libs[name] = @current_module
+    end
+
+    exp.body = process_all! exp.body
+
+    if outer_module
+      @current_module = outer_module
+    else
+      @current_module = nil
+    end
+
+    exp
+  end
+
+  #Look for specific calls inside the controller
+  def process_call exp
+    return exp if process_call_defn? exp
+
+    target = exp.target
+    if sexp? target
+      target = process target
+    end
+
+    method = exp.method
+    first_arg = exp.first_arg
+    last_arg = exp.last_arg
+
+    #Methods called inside class definition
+    #like attr_* and other settings
+    if @current_method.nil? and target.nil? and @current_class
+      if first_arg.nil? #No args
+        case method
+        when :private, :protected, :public
+          @visibility = method
+        when :protect_from_forgery
+          @current_class.options[:protect_from_forgery] = true
+        else
+          #??
+        end
+      else
+        case method
+        when :include
+          @current_class.add_include class_name(first_arg) if @current_class
+        when :before_filter, :append_before_filter, :before_action, :append_before_action
+          if node_type? exp.first_arg, :iter
+            add_lambda_filter exp
+          else
+            @current_class.add_before_filter exp
+          end
+        when :prepend_before_filter, :prepend_before_action
+          if node_type? exp.first_arg, :iter
+            add_lambda_filter exp
+          else
+            @current_class.prepend_before_filter exp
+          end
+        when :skip_before_filter, :skip_filter, :skip_before_action, :skip_action_callback
+          @current_class.skip_filter exp
+        when :layout
+          if string? last_arg
+            #layout "some_layout"
+
+            name = last_arg.value.to_s
+            if @app_tree.layout_exists?(name)
+              @current_class.layout = "layouts/#{name}"
+            else
+              Brakeman.debug "[Notice] Layout not found: #{name}"
+            end
+          elsif node_type? last_arg, :nil, :false
+            #layout :false or layout nil
+            @current_class.layout = false
+          end
+        else
+          @current_class.add_option method, exp
+        end
+      end
+
+      exp
+    elsif target == nil and method == :render
+      make_render exp
+    elsif exp == FORMAT_HTML and context[1] != :iter
+      #This is an empty call to
+      # format.html
+      #Which renders the default template if no arguments
+      #Need to make more generic, though.
+      call = Sexp.new :render, :default, @current_method
+      call.line(exp.line)
+      call
+    else
+      call = make_call target, method, process_all!(exp.args)
+      call.line(exp.line)
+      call
+    end
+  end
+
+  #Process method definition and store in Tracker
+  def process_defn exp
+    name = exp.method_name
+    @current_method = name
+    res = Sexp.new :defn, name, exp.formal_args, *process_all!(exp.body)
+    res.line(exp.line)
+    @current_method = nil
+
+    if @current_class
+      @current_class.add_method @visibility, name, res, @file_name
+    elsif @current_module
+      @current_module.add_method @visibility, name, res, @file_name
+    end
+
+    res
+  end
+
+  #Process self.method definition and store in Tracker
+  def process_defs exp
+    name = exp.method_name
+
+    if node_type? exp[1], :self
+      if @current_class
+        target = @current_class.name
+      elsif @current_module
+        target = @current_module.name
+      else
+        target = nil
+      end
+    else
+      target = class_name exp[1]
+    end
+
+    @current_method = name
+    res = Sexp.new :defs, target, name, exp.formal_args, *process_all!(exp.body)
+    res.line(exp.line)
+    @current_method = nil
+
+    if @current_class
+      @current_class.add_method @visibility, name, res, @file_name
+    elsif @current_module
+      @current_module.add_method @visibility, name, res, @file_name
+    end
+
+    res
+  end
+
+  #Look for before_filters and add fake ones if necessary
+  def process_iter exp
+    if @current_method.nil? and call? exp.block_call
+      block_call_name = exp.block_call.method
+
+      if block_call_name == :before_filter  or block_call_name == :before_action
+        add_fake_filter exp
+      else
+        super
+      end
+    else
+      super
+    end
+  end
+
+  #Sets default layout for renders inside Controller
+  def set_layout_name
+    return if @current_class.layout
+
+    name = underscore(@current_class.name.to_s.split("::")[-1].gsub("Controller", ''))
+
+    #There is a layout for this Controller
+    if @app_tree.layout_exists?(name)
+      @current_class.layout = "layouts/#{name}"
+    end
+  end
+
+  #This is to handle before_filter do |controller| ... end
+  #
+  #We build a new method and process that the same way as usual
+  #methods and filters.
+  def add_fake_filter exp
+    unless @current_class
+      Brakeman.debug "Skipping before_filter outside controller: #{exp}"
+      return exp
+    end
+
+    filter_name = ("fake_filter" + rand.to_s[/\d+$/]).to_sym
+    args = exp.block_call.arglist
+    args.insert(1, Sexp.new(:lit, filter_name))
+    before_filter_call = make_call(nil, :before_filter, args)
+
+    if exp.block_args.length > 1
+      block_variable = exp.block_args[1]
+    else
+      block_variable = :temp
+    end
+
+    if node_type? exp.block, :block
+      block_inner = exp.block[1..-1]
+    else
+      block_inner = [exp.block]
+    end
+
+    #Build Sexp for filter method
+    body = Sexp.new(:lasgn,
+                    block_variable,
+                    Sexp.new(:call, Sexp.new(:const, @current_class.name), :new))
+
+    filter_method = Sexp.new(:defn, filter_name, Sexp.new(:args), body).concat(block_inner).line(exp.line)
+
+    vis = @visibility
+    @visibility = :private
+    process_defn filter_method
+    @visibility = vis
+    process before_filter_call
+    exp
+  end
+
+  def add_lambda_filter exp
+    # Convert into regular block call
+    e = exp.dup
+    lambda_node = e.delete_at(3)
+    result = Sexp.new(:iter, e).line(e.line)
+
+    # Add block arguments
+    if node_type? lambda_node[2], :args
+      result << lambda_node[2].last
+    else
+      result << s(:args)
+    end
+
+    # Add block contents
+    if sexp? lambda_node[3]
+      result << lambda_node[3]
+    end
+
+    add_fake_filter result
+  end
+end

data/lib/brakeman/processors/erb_template_processor.rb

@@ -0,0 +1,80 @@
+require 'brakeman/processors/template_processor'
+
+#Processes ERB templates
+#(those ending in .html.erb or .rthml).
+class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
+  
+  #s(:call, TARGET, :method, ARGS)
+  def process_call exp
+    target = exp.target
+    if sexp? target
+      target = process target
+    end
+    method = exp.method
+    
+    #_erbout is the default output variable for erb
+    if node_type? target, :lvar and target.value == :_erbout
+      if method == :concat
+        @inside_concat = true
+        exp.arglist = process(exp.arglist)
+        @inside_concat = false
+
+        if exp.second_arg
+          raise "Did not expect more than a single argument to _erbout.concat"
+        end
+
+        arg = normalize_output(exp.first_arg)
+
+        if arg.node_type == :str #ignore plain strings
+          ignore
+        else
+          s = Sexp.new :output, arg
+          s.line(exp.line)
+          @current_template.add_output s
+          s
+        end
+      elsif method == :force_encoding
+        ignore
+      else
+        abort "Unrecognized action on _erbout: #{method}"
+      end
+    elsif target == nil and method == :render
+      exp.arglist = process(exp.arglist)
+      make_render_in_view exp
+    else
+      exp.target = target
+      exp.arglist = process(exp.arglist)
+      exp
+    end
+  end
+
+  #Process block, removing irrelevant expressions
+  def process_block exp
+    exp = exp.dup
+    exp.shift
+    if @inside_concat
+      @inside_concat = false
+      exp[0..-2].each do |e|
+        process e
+      end
+      @inside_concat = true
+      process exp.last
+    else
+      exp.map! do |e|
+        res = process e
+        if res.empty? or res == ignore
+          nil
+        elsif node_type?(res, :lvar) and res.value == :_erbout
+          nil
+
+        else
+          res
+        end
+      end
+      block = Sexp.new(:rlist).concat(exp).compact
+      block.line(exp.line)
+      block
+    end
+  end
+
+end

data/lib/brakeman/processors/erubis_template_processor.rb

@@ -0,0 +1,104 @@
+require 'brakeman/processors/template_processor'
+
+#Processes ERB templates using Erubis instead of erb.
+class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
+
+  #s(:call, TARGET, :method, ARGS)
+  def process_call exp
+    target = exp.target
+    if sexp? target
+      target = process target
+    end
+
+    exp.target = target
+    exp.arglist = process exp.arglist
+    method = exp.method
+
+    #_buf is the default output variable for Erubis
+    if node_type?(target, :lvar, :ivar) and (target.value == :_buf or target.value == :@output_buffer)
+      if method == :<< or method == :safe_concat
+
+        arg = normalize_output(exp.first_arg)
+
+        if arg.node_type == :str #ignore plain strings
+          ignore
+        elsif node_type? target, :ivar and target.value == :@output_buffer
+          s = Sexp.new :escaped_output, arg
+          s.line(exp.line)
+          @current_template.add_output s
+          s
+        else
+          s = Sexp.new :output, arg
+          s.line(exp.line)
+          @current_template.add_output s
+          s
+        end
+      elsif method == :to_s
+        ignore
+      else
+        abort "Unrecognized action on buffer: #{method}"
+      end
+    elsif target == nil and method == :render
+      make_render_in_view exp
+    else
+      exp
+    end
+  end
+
+  #Process blocks, ignoring :ignore exps
+  def process_block exp
+    exp = exp.dup
+    exp.shift
+    exp.map! do |e|
+      res = process e
+      if res.empty? or res == ignore
+        nil
+      else
+        res
+      end
+    end
+    block = Sexp.new(:rlist).concat(exp).compact
+    block.line(exp.line)
+    block
+  end
+
+  #Look for assignments to output buffer that look like this:
+  #  @output_buffer.append = some_output
+  #  @output_buffer.safe_append = some_output
+  #  @output_buffer.safe_expr_append = some_output
+  def process_attrasgn exp
+    if exp.target.node_type == :ivar and exp.target.value == :@output_buffer
+      if append_method?(exp.method)
+        exp.first_arg = process(exp.first_arg)
+        arg = normalize_output(exp.first_arg)
+
+        if arg.node_type == :str
+          ignore
+        elsif safe_append_method?(exp.method)
+          s = Sexp.new :output, arg
+          s.line(exp.line)
+          @current_template.add_output s
+          s
+        else
+          s = Sexp.new :escaped_output, arg
+          s.line(exp.line)
+          @current_template.add_output s
+          s
+        end
+      else
+        super
+      end
+    else
+      super
+    end
+  end
+
+  private
+  def append_method?(method)
+    method == :append= || safe_append_method?(method)
+  end
+
+  def safe_append_method?(method)
+    method == :safe_append= || method == :safe_expr_append=
+  end
+end