brakeman-lib 3.3.1

data/lib/brakeman/processors/gem_processor.rb

@@ -0,0 +1,57 @@
+require 'brakeman/processors/lib/basic_processor'
+
+#Processes Gemfile and Gemfile.lock
+class Brakeman::GemProcessor < Brakeman::BasicProcessor
+
+  def initialize *args
+    super
+    @gem_name_version = /^\s*([-_+.A-Za-z0-9]+) \((\w(\.\w+)*)\)/
+  end
+
+  def process_gems gem_files
+    @gem_files = gem_files
+    @gemfile = gem_files[:gemfile][:file]
+    process gem_files[:gemfile][:src]
+
+    if gem_files[:gemlock]
+      process_gem_lock
+    end
+
+    @tracker.config.set_rails_version
+  end
+
+  def process_call exp
+    if exp.target == nil and exp.method == :gem
+      gem_name = exp.first_arg
+      return exp unless string? gem_name
+
+      gem_version = exp.second_arg
+
+      version = if string? gem_version
+                  gem_version.value
+                else
+                  nil
+                end
+
+      @tracker.config.add_gem gem_name.value, version, @gemfile, exp.line
+    end
+
+    exp
+  end
+
+  def process_gem_lock
+    line_num = 1
+    file = @gem_files[:gemlock][:file]
+    @gem_files[:gemlock][:src].each_line do |line|
+      set_gem_version_and_file line, file, line_num
+      line_num += 1
+    end
+  end
+
+  # Supports .rc2 but not ~>, >=, or <=
+  def set_gem_version_and_file line, file, line_num
+    if line =~ @gem_name_version
+      @tracker.config.add_gem $1, $2, file, line_num
+    end
+  end
+end

data/lib/brakeman/processors/haml_template_processor.rb

@@ -0,0 +1,190 @@
+require 'brakeman/processors/template_processor'
+
+#Processes HAML templates.
+class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
+  HAML_FORMAT_METHOD = /format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
+  HAML_HELPERS = s(:colon2, s(:const, :Haml), :Helpers)
+  JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
+  COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
+
+  #Processes call, looking for template output
+  def process_call exp
+    target = exp.target
+    if sexp? target
+      target = process target
+    end
+
+    method = exp.method
+
+    if (call? target and target.method == :_hamlout)
+      res = case method
+            when :adjust_tabs, :rstrip!, :attributes #Check attributes, maybe?
+              ignore
+            when :options, :buffer
+              exp
+            when :open_tag
+              process_call_args exp
+            else
+              arg = exp.first_arg
+
+              if arg
+                @inside_concat = true
+                exp.first_arg = process(arg)
+                out = normalize_output(exp.first_arg)
+                @inside_concat = false
+              else
+                raise "Empty _hamlout.#{method}()?"
+              end
+
+              if string? out
+                ignore
+              else
+                r = case method.to_s
+                    when "push_text"
+                      build_output_from_push_text(out)
+                    when HAML_FORMAT_METHOD
+                      if $4 == "true"
+                        if string_interp? out
+                          build_output_from_push_text(out, :escaped_output)
+                        else
+                          Sexp.new :format_escaped, out
+                        end
+                      else
+                        if string_interp? out
+                          build_output_from_push_text(out)
+                        else
+                          Sexp.new :format, out
+                        end
+                      end
+
+                    else
+                      raise "Unrecognized action on _hamlout: #{method}"
+                    end
+
+                @javascript = false
+                r
+              end
+            end
+
+      res.line(exp.line)
+      res
+
+      #_hamlout.buffer <<
+      #This seems to be used rarely, but directly appends args to output buffer.
+      #Has something to do with values of blocks?
+    elsif sexp? target and method == :<< and is_buffer_target? target
+      @inside_concat = true
+      exp.first_arg = process(exp.first_arg)
+      out = normalize_output(exp.first_arg)
+      @inside_concat = false
+
+      if out.node_type == :str #ignore plain strings
+        ignore
+      else
+        s = Sexp.new(:output, out)
+        @current_template.add_output s
+        s.line(exp.line)
+        s
+      end
+    elsif target == nil and method == :render
+      #Process call to render()
+      exp.arglist = process exp.arglist
+      make_render_in_view exp
+    elsif target == nil and method == :find_and_preserve and exp.first_arg
+      process exp.first_arg
+    elsif method == :render_with_options
+      if target == JAVASCRIPT_FILTER or target == COFFEE_FILTER
+        @javascript = true
+      end
+
+      process exp.first_arg
+    else
+      exp.target = target
+      exp.arglist = process exp.arglist
+      exp
+    end
+  end
+
+  #If inside an output stream, only return the final expression
+  def process_block exp
+    exp = exp.dup
+    exp.shift
+    if @inside_concat
+      @inside_concat = false
+      exp[0..-2].each do |e|
+        process e
+      end
+      @inside_concat = true
+      process exp[-1]
+    else
+      exp.map! do |e|
+        res = process e
+        if res.empty?
+          nil
+        else
+          res
+        end
+      end
+      Sexp.new(:rlist).concat(exp).compact
+    end
+  end
+
+  #Checks if the buffer is the target in a method call Sexp.
+  #TODO: Test this
+  def is_buffer_target? exp
+    exp.node_type == :call and
+    node_type? exp.target, :lvar and
+    exp.target.value == :_hamlout and
+    exp.method == :buffer
+  end
+
+  #HAML likes to put interpolated values into _hamlout.push_text
+  #but we want to handle those individually
+  def build_output_from_push_text exp, default = :output
+    if string_interp? exp
+      exp.map! do |e|
+        if sexp? e
+          if node_type? e, :evstr and e[1]
+            e = e.value
+          end
+
+          get_pushed_value e, default
+        else
+          e
+        end
+      end
+    end
+  end
+
+  #Gets outputs from values interpolated into _hamlout.push_text
+  def get_pushed_value exp, default = :output
+    return exp unless sexp? exp
+
+    case exp.node_type
+    when :format
+      exp.node_type = :output
+      @current_template.add_output exp
+      exp
+    when :format_escaped
+      exp.node_type = :escaped_output
+      @current_template.add_output exp
+      exp
+    when :str, :ignore, :output, :escaped_output
+      exp
+    when :block, :rlist, :dstr
+      exp.map! { |e| get_pushed_value e }
+    else
+      if call? exp and exp.target == HAML_HELPERS and exp.method == :html_escape
+        s = Sexp.new(:escaped_output, exp.first_arg)
+      elsif @javascript and call? exp and (exp.method == :j or exp.method == :escape_javascript)
+        s = Sexp.new(:escaped_output, exp.first_arg)
+      else
+        s = Sexp.new(default, exp)
+      end
+
+      s.line(exp.line)
+      @current_template.add_output s
+      s
+    end
+  end
+end

data/lib/brakeman/processors/lib/basic_processor.rb

@@ -0,0 +1,37 @@
+require 'brakeman/processors/lib/processor_helper'
+require 'brakeman/processors/lib/safe_call_helper'
+require 'brakeman/util'
+
+class Brakeman::BasicProcessor < Brakeman::SexpProcessor
+  include Brakeman::ProcessorHelper
+  include Brakeman::SafeCallHelper
+  include Brakeman::Util
+
+  def initialize tracker
+    super()
+    @tracker = tracker
+    @current_template = @current_module = @current_class = @current_method = nil
+  end
+
+  def process_default exp
+    process_all exp
+  end
+
+  def process_if exp
+    condition = exp.condition
+
+    process condition
+
+    if true? condition
+      process exp.then_clause
+    elsif false? condition
+      process exp.else_clause
+    else
+      [exp.then_clause, exp.else_clause].compact.map do |e|
+        process e
+      end
+    end
+
+    exp
+  end
+end

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -0,0 +1,223 @@
+require 'brakeman/processors/lib/basic_processor'
+
+class Brakeman::FindAllCalls < Brakeman::BasicProcessor
+  attr_reader :calls
+
+  def initialize tracker
+    super
+    @current_class = nil
+    @current_method = nil
+    @in_target = false
+    @calls = []
+    @cache = {}
+  end
+
+  #Process the given source. Provide either class and method being searched
+  #or the template. These names are used when reporting results.
+  def process_source exp, opts
+    @current_class = opts[:class]
+    @current_method = opts[:method]
+    @current_template = opts[:template]
+    @current_file = opts[:file]
+    process exp
+  end
+
+  #Process body of method
+  def process_defn exp
+    return exp unless @current_method
+    process_all exp.body
+  end
+
+  #Process body of method
+  def process_defs exp
+    return exp unless @current_method
+    process_all exp.body
+  end
+
+  #Process body of block
+  def process_rlist exp
+    process_all exp
+  end
+
+  def process_call exp
+    @calls << create_call_hash(exp)
+    exp
+  end
+
+  def process_iter exp
+    call = exp.block_call
+
+    if call.node_type == :call
+      call_hash = create_call_hash(call)
+
+      call_hash[:block] = exp.block
+      call_hash[:block_args] = exp.block_args
+
+      @calls << call_hash
+
+      process exp.block
+    else
+      #Probably a :render call with block
+      process call
+      process exp.block
+    end
+
+    exp
+  end
+
+  #Calls to render() are converted to s(:render, ...) but we would
+  #like them in the call cache still for speed
+  def process_render exp
+    process exp.last if sexp? exp.last
+
+    @calls << { :target => nil,
+                :method => :render,
+                :call => exp,
+                :nested => false,
+                :location => make_location }
+
+    exp
+  end
+
+  #Technically, `` is call to Kernel#`
+  #But we just need them in the call cache for speed
+  def process_dxstr exp
+    process exp.last if sexp? exp.last
+
+    @calls << { :target => nil,
+                :method => :`,
+                :call => exp,
+                :nested => false,
+                :location => make_location }
+
+    exp
+  end
+
+  #:"string" is equivalent to "string".to_sym
+  def process_dsym exp
+    exp.each { |arg| process arg if sexp? arg }
+
+    @calls << { :target => nil,
+                :method => :literal_to_sym,
+                :call => exp,
+                :nested => false,
+                :location => make_location }
+
+    exp
+  end
+
+  # Process a dynamic regex like a call
+  def process_dregx exp
+    exp.each { |arg| process arg if sexp? arg }
+
+    @calls << { :target => nil,
+                :method => :brakeman_regex_interp,
+                :call => exp,
+                :nested => false,
+                :location => make_location }
+
+    exp
+  end
+
+  #Process an assignment like a call
+  def process_attrasgn exp
+    process_call exp
+  end
+
+  private
+
+  #Gets the target of a call as a Symbol
+  #if possible
+  def get_target exp, include_calls = false
+    if sexp? exp
+      case exp.node_type
+      when :ivar, :lvar, :const, :lit
+        exp.value
+      when :true, :false
+        exp[0]
+      when :colon2
+        class_name exp
+      when :self
+        @current_class || @current_module || nil
+      when :params, :session, :cookies
+        exp.node_type
+      when :call, :safe_call
+        if include_calls
+          if exp.target.nil?
+            exp.method
+          else
+            t = get_target(exp.target, :include_calls)
+            if t.is_a? Symbol
+              :"#{t}.#{exp.method}"
+            else
+              exp
+            end
+          end
+        else
+          exp
+        end
+      else
+        exp
+      end
+    else
+      exp
+    end
+  end
+
+  #Returns method chain as an array
+  #For example, User.human.alive.all would return [:User, :human, :alive, :all]
+  def get_chain call
+    if node_type? call, :call, :attrasgn, :safe_call, :safe_attrasgn
+      get_chain(call.target) + [call.method]
+    elsif call.nil?
+      []
+    else
+      [get_target(call)]
+    end
+  end
+
+  def make_location
+    if @current_template
+      key = [@current_template, @current_file]
+      cached = @cache[key]
+      return cached if cached
+
+      @cache[key] = { :type => :template,
+        :template => @current_template,
+        :file => @current_file }
+    else
+      key = [@current_class, @current_method, @current_file]
+      cached = @cache[key]
+      return cached if cached
+      @cache[key] = { :type => :class,
+        :class => @current_class,
+        :method => @current_method,
+        :file => @current_file }
+    end
+
+  end
+
+  #Return info hash for a call Sexp
+  def create_call_hash exp
+    target = get_target exp.target
+
+    if call? target
+      already_in_target = @in_target
+      @in_target = true
+      process target
+      @in_target = already_in_target
+
+      target = get_target(target, :include_calls)
+    end
+
+    method = exp.method
+    process_call_args exp
+
+    { :target => target,
+      :method => method,
+      :call => exp,
+      :nested => @in_target,
+      :chain => get_chain(exp),
+      :location => make_location }
+  end
+end