brakeman-lib 3.3.1

data/lib/brakeman/processors/lib/find_call.rb

@@ -0,0 +1,183 @@
+require 'brakeman/processors/lib/basic_processor'
+
+#Finds method calls matching the given target(s).
+#   #-- This should be deprecated --#
+#   #--  Do not use for new code  --#
+#
+#Targets/methods can be:
+#
+# - nil: matches anything, including nothing
+# - Empty array: matches nothing
+# - Symbol: matches single target/method exactly
+# - Array of symbols: matches against any of the symbols
+# - Regular expression: matches the expression
+# - Array of regular expressions: matches any of the expressions
+#
+#If a target is also the name of a class, methods called on instances
+#of that class will also be matched, in a very limited way.
+#(Any methods called on Klass.new, basically. More useful when used
+#in conjunction with AliasProcessor.)
+#
+#Examples:
+#
+# #To find any uses of this class:
+# FindCall.new :FindCall, nil
+#
+# #Find system calls without a target
+# FindCall.new [], [:system, :exec, :syscall]
+#
+# #Find all calls to length(), no matter the target
+# FindCall.new nil, :length
+#
+# #Find all calls to sub, sub!, gsub, or gsub!
+# FindCall.new nil, /^g?sub!?$/
+class Brakeman::FindCall < Brakeman::BasicProcessor
+
+  def initialize targets, methods, tracker, in_depth = false
+    super tracker
+    @calls = []
+    @find_targets = targets
+    @find_methods = methods
+    @current_class = nil
+    @current_method = nil
+    @in_depth = in_depth
+  end
+
+  #Returns a list of results.
+  #
+  #A result looks like:
+  #
+  # s(:result, :ClassName, :method_name, s(:call, ...))
+  #
+  #or
+  #
+  # s(:result, :template_name, s(:call, ...))
+  def matches
+    @calls
+  end
+
+  #Process the given source. Provide either class and method being searched
+  #or the template. These names are used when reporting results.
+  #
+  #Use FindCall#matches to retrieve results.
+  def process_source exp, klass = nil, method = nil, template = nil
+    @current_class = klass
+    @current_method = method
+    @current_template = template
+    process exp
+  end
+
+  #Process body of method
+  def process_defn exp
+    process_all exp.body
+  end
+
+  alias :process_defs :process_defn
+
+  #Process body of block
+  def process_rlist exp
+    process_all exp
+  end
+
+  #Look for matching calls and add them to results
+  def process_call exp
+    target = get_target exp.target
+    method = exp.method
+
+    process_call_args exp
+
+    if match(@find_targets, target) and match(@find_methods, method)
+
+      if @current_template
+        @calls << Sexp.new(:result, @current_template, exp).line(exp.line)
+      else
+        @calls << Sexp.new(:result, @current_module, @current_class, @current_method, exp).line(exp.line)
+      end
+
+    end
+    
+    #Normally FindCall won't match a method invocation that is the target of
+    #another call, such as:
+    #
+    #  User.find(:first, :conditions => "user = '#{params['user']}').name
+    #
+    #A search for User.find will not match this unless @in_depth is true.
+    if @in_depth and call? exp.target
+      process exp.target
+    end
+
+    exp
+  end
+
+  #Process an assignment like a call
+  def process_attrasgn exp
+    process_call exp
+  end
+
+  private
+
+  #Gets the target of a call as a Symbol
+  #if possible
+  def get_target exp
+    if sexp? exp
+      case exp.node_type
+      when :ivar, :lvar, :const, :lit
+        exp.value
+      when :true, :false
+        exp.node_type
+      when :colon2
+        class_name exp
+      else
+        exp
+      end
+    else
+      exp
+    end
+  end
+
+  #Checks if the search terms match the given item
+  def match search_terms, item
+    case search_terms
+    when Symbol
+      if search_terms == item
+        true
+      elsif sexp? item
+        is_instance_of? item, search_terms
+      else
+        false
+      end
+    when Sexp
+      search_terms == item
+    when Enumerable
+      if search_terms.empty?
+        item == nil
+      else
+        search_terms.each do|term|
+          if match(term, item)
+            return true
+          end
+        end
+        false
+      end
+    when Regexp
+      search_terms.match item.to_s
+    when nil
+      true
+    else
+      raise "Cannot match #{search_terms} and #{item}"
+    end
+  end
+
+  #Checks if +item+ is an instance of +klass+ by looking for Klass.new
+  def is_instance_of? item, klass
+    if call? item
+      if sexp? item.target
+        item.method == :new and item.target.node_type == :const and item.target.value == klass
+      else
+        item.method == :new and item.target == klass
+      end
+    else
+      false
+    end
+  end
+end

data/lib/brakeman/processors/lib/find_return_value.rb

@@ -0,0 +1,134 @@
+require 'brakeman/processors/alias_processor'
+
+#Attempts to determine the return value of a method.
+#
+#Preferred usage:
+#
+#  Brakeman::FindReturnValue.return_value exp
+class Brakeman::FindReturnValue
+  include Brakeman::Util
+
+  #Returns a guess at the return value of a given method or other block of code.
+  #
+  #If multiple return values are possible, returns all values in an :or Sexp.
+  def self.return_value exp, env = nil
+    self.new.get_return_value exp, env
+  end
+
+  def initialize
+    @uses_ivars = false
+    @return_values = []
+  end
+
+  def uses_ivars?
+    @uses_ivars
+  end
+
+  #Find return value of Sexp. Takes an optional starting environment.
+  def get_return_value exp, env = nil
+    process_method exp, env
+    value = make_return_value
+    value.original_line = exp.line
+    value
+  end
+
+  #Process method (or, actually, any Sexp) for return value.
+  def process_method exp, env = nil
+    exp = Brakeman::AliasProcessor.new.process_safely exp, env
+
+    find_explicit_return_values exp
+
+    if node_type? exp, :defn, :defs
+      body = exp.body
+
+      unless body.empty?
+        @return_values << last_value(body)
+      else
+        Brakeman.debug "FindReturnValue: Empty method? #{exp.inspect}"
+      end
+    elsif exp
+      @return_values << last_value(exp)
+    else
+       Brakeman.debug "FindReturnValue: Given something strange? #{exp.inspect}"
+    end
+
+    exp
+  end
+
+  #Searches expression for return statements.
+  def find_explicit_return_values exp
+    todo = [exp]
+
+    until todo.empty?
+      current = todo.shift
+
+      @uses_ivars = true if node_type? current, :ivar
+
+      if node_type? current, :return
+        @return_values << current.value unless current.value.nil?
+      elsif sexp? current
+        todo = current[1..-1].concat todo
+      end
+    end
+  end
+
+  #Determines the "last value" of an expression.
+  def last_value exp
+    case exp.node_type
+    when :rlist, :block, :scope, Sexp
+      last_value exp.last
+    when :if
+      then_clause = exp.then_clause
+      else_clause = exp.else_clause
+
+      if then_clause.nil?
+        last_value else_clause
+      elsif else_clause.nil?
+        last_value then_clause
+      else
+        true_branch = last_value then_clause
+        false_branch = last_value else_clause
+
+        if true_branch and false_branch
+          value = make_or(true_branch, false_branch)
+          value.original_line = value.rhs.line
+          value
+        else #Unlikely?
+          true_branch or false_branch
+        end
+      end
+    when :lasgn, :iasgn
+      exp.rhs
+    when :return
+      exp.value
+    else
+      exp.original_line = exp.line unless exp.original_line
+      exp
+    end
+  end
+
+  def make_or lhs, rhs
+    #Better checks in future
+    if lhs == rhs
+      lhs
+    else
+      Sexp.new(:or, lhs, rhs)
+    end
+  end
+
+  #Turns the array of return values into an :or Sexp
+  def make_return_value
+    @return_values.compact!
+    @return_values.uniq!
+
+    if @return_values.empty?
+      Sexp.new(:nil)
+    elsif @return_values.length == 1
+      @return_values.first
+    else
+      @return_values.reduce do |value, sexp|
+        make_or value, sexp
+      end
+    end
+  end
+end

data/lib/brakeman/processors/lib/processor_helper.rb

@@ -0,0 +1,75 @@
+#Contains a couple shared methods for Processors.
+module Brakeman::ProcessorHelper
+  def process_all exp
+    exp.each_sexp do |e|
+      process e
+    end
+    exp
+  end
+
+  def process_all! exp
+    exp.map! do |e|
+      if sexp? e
+        process e
+      else
+        e
+      end
+    end
+
+    exp
+  end
+
+  #Process the arguments of a method call. Does not store results.
+  #
+  #This method is used because Sexp#args and Sexp#arglist create new objects.
+  def process_call_args exp
+    exp.each_arg do |a|
+      process a if sexp? a
+    end
+
+    exp
+  end
+
+  def process_class exp
+    current_class = @current_class
+    @current_class = class_name exp[1]
+    process_all exp.body
+    @current_class = current_class
+    exp
+  end
+
+  #Sets the current module.
+  def process_module exp
+    module_name = class_name(exp.class_name).to_s
+    prev_module = @current_module
+
+    if prev_module
+      @current_module = "#{prev_module}::#{module_name}"
+    else
+      @current_module = module_name
+    end
+
+    if block_given?
+      yield
+    else
+      process_all exp.body
+    end
+
+    @current_module = prev_module
+
+    exp
+  end
+
+  # e.g. private defn
+  def process_call_defn? exp
+    if call? exp and exp.target.nil? and node_type? exp.first_arg, :defn, :defs and [:private, :public, :protected].include? exp.method
+      prev_visibility = @visibility
+      @visibility = exp.method
+      process exp.first_arg
+      @visibility = prev_visibility
+      exp
+    else
+      false
+    end
+  end
+end

data/lib/brakeman/processors/lib/rails2_config_processor.rb

@@ -0,0 +1,145 @@
+require 'brakeman/processors/lib/basic_processor'
+
+#Processes configuration. Results are put in tracker.config.
+#
+#Configuration of Rails via Rails::Initializer are stored in tracker.config.rails.
+#For example:
+#
+#  Rails::Initializer.run |config|
+#    config.action_controller.session_store = :cookie_store
+#  end
+#
+#will be stored in
+#
+#  tracker.config[:rails][:action_controller][:session_store]
+#
+#Values for tracker.config.rails will still be Sexps.
+class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
+  #Replace block variable in
+  #
+  #  Rails::Initializer.run |config|
+  #
+  #with this value so we can keep track of it.
+  RAILS_CONFIG = Sexp.new(:const, :"!BRAKEMAN_RAILS_CONFIG")
+
+  def initialize *args
+    super
+  end
+
+  #Use this method to process configuration file
+  def process_config src, file_name
+    @file_name = file_name
+    res = Brakeman::ConfigAliasProcessor.new.process_safely(src, nil, file_name)
+    process res
+  end
+
+  #Check if config is set to use Erubis
+  def process_call exp
+    target = exp.target
+    target = process target if sexp? target
+
+    if exp.method == :gem and exp.first_arg.value == "erubis"
+      Brakeman.notify "[Notice] Using Erubis for ERB templates"
+      @tracker.config.erubis = true
+    end
+
+    exp
+  end
+
+  #Look for configuration settings
+  def process_attrasgn exp
+    if exp.target == RAILS_CONFIG
+      #Get rid of '=' at end
+      attribute = exp.method.to_s[0..-2].to_sym
+      if exp.args.length > 1
+        #Multiple arguments?...not sure if this will ever happen
+        @tracker.config.rails[attribute] = exp.args
+      else
+        @tracker.config.rails[attribute] = exp.first_arg
+      end
+    elsif include_rails_config? exp
+      options = get_rails_config exp
+      level = @tracker.config.rails
+      options[0..-2].each do |o|
+        level[o] ||= {}
+        level = level[o]
+      end
+
+      level[options.last] = exp.first_arg
+    end
+
+    exp
+  end
+
+  #Check for Rails version
+  def process_cdecl exp
+    #Set Rails version required
+    if exp.lhs == :RAILS_GEM_VERSION
+      @tracker.config.rails_version = exp.rhs.value
+    end
+
+    exp
+  end
+
+  #Check if an expression includes a call to set Rails config
+  def include_rails_config? exp
+    target = exp.target
+    if call? target
+      if target.target == RAILS_CONFIG
+        true
+      else
+        include_rails_config? target
+      end
+    elsif target == RAILS_CONFIG
+      true
+    else
+      false
+    end
+  end
+
+  #Returns an array of symbols for each 'level' in the config
+  #
+  #  config.action_controller.session_store = :cookie
+  #
+  #becomes
+  #
+  #  [:action_controller, :session_store]
+  def get_rails_config exp
+    if node_type? exp, :attrasgn
+      attribute = exp.method.to_s[0..-2].to_sym
+      get_rails_config(exp.target) << attribute
+    elsif call? exp
+      if exp.target == RAILS_CONFIG
+        [exp.method]
+      else
+        get_rails_config(exp.target) << exp.method
+      end
+    else
+      raise "WHAT"
+    end
+  end
+end
+
+#This is necessary to replace block variable so we can track config settings
+class Brakeman::ConfigAliasProcessor < Brakeman::AliasProcessor
+
+  RAILS_INIT = Sexp.new(:colon2, Sexp.new(:const, :Rails), :Initializer)
+
+  #Look for a call to 
+  #
+  #  Rails::Initializer.run do |config|
+  #    ...
+  #  end
+  #
+  #and replace config with RAILS_CONFIG
+  def process_iter exp
+    target = exp.block_call.target
+    method = exp.block_call.method
+
+    if sexp? target and target == RAILS_INIT and method == :run
+      env[Sexp.new(:lvar, exp.block_args.value)] = Brakeman::Rails2ConfigProcessor::RAILS_CONFIG
+    end
+
+    process_default exp
+  end
+end