brakeman-lib 3.3.1

data/lib/brakeman/processors/lib/rails2_route_processor.rb

@@ -0,0 +1,313 @@
+require 'brakeman/processors/lib/basic_processor'
+
+#Processes the Sexp from routes.rb. Stores results in tracker.routes.
+#
+#Note that it is only interested in determining what methods on which
+#controllers are used as routes, not the generated URLs for routes.
+class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
+  include Brakeman::RouteHelper
+
+  attr_reader :map, :nested, :current_controller
+
+  def initialize tracker
+    super
+    @map = Sexp.new(:lvar, :map)
+    @nested = nil  #used for identifying nested targets
+    @prefix = [] #Controller name prefix (a module name, usually)
+    @current_controller = nil
+    @with_options = nil #For use inside map.with_options
+    @file_name = "config/routes.rb"
+  end
+
+  #Call this with parsed route file information.
+  #
+  #This method first calls RouteAliasProcessor#process_safely on the +exp+,
+  #so it does not modify the +exp+.
+  def process_routes exp
+    process Brakeman::RouteAliasProcessor.new.process_safely(exp, nil, @file_name)
+  end
+
+  #Looking for mapping of routes
+  def process_call exp
+    target = exp.target
+
+    if target == map or (not target.nil? and target == nested)
+      process_map exp
+    else
+      process_default exp
+    end
+
+    exp
+  end
+
+  #Process a map.something call
+  #based on the method used
+  def process_map exp
+    args = exp.args
+
+    case exp.method
+    when :resource
+      process_resource args
+    when :resources
+      process_resources args
+    when :connect, :root
+      process_connect args
+    else
+      process_named_route args
+    end
+
+    exp
+  end
+
+  #Look for map calls that take a block.
+  #Otherwise, just do the default processing.
+  def process_iter exp
+    target = exp.block_call.target
+
+    if target == map or target == nested
+      method = exp.block_call.method
+      case method
+      when :namespace
+        process_namespace exp
+      when :resources, :resource
+        process_resources exp.block_call.args
+        process_default exp.block if exp.block
+      when :with_options
+        process_with_options exp
+      end
+      exp
+    else
+      process_default exp
+    end
+  end
+
+  #Process
+  # map.resources :x, :controller => :y, :member => ...
+  #etc.
+  def process_resources exp
+    controller = check_for_controller_name exp
+    if controller
+      self.current_controller = controller
+      process_resource_options exp[-1]
+    else
+      exp.each do |argument|
+        if node_type? argument, :lit
+          self.current_controller = exp.first.value
+          add_resources_routes
+          process_resource_options exp.last
+        end
+      end
+    end
+  end
+
+  #Process all the options that might be in the hash passed to
+  #map.resource, et al.
+  def process_resource_options exp
+    if exp.nil? and @with_options
+      exp = @with_options
+    elsif @with_options
+      exp = exp.concat @with_options[1..-1]
+    end
+    return unless exp.node_type == :hash
+
+    hash_iterate(exp) do |option, value|
+      case option[1]
+      when :controller, :requirements, :singular, :path_prefix, :as,
+        :path_names, :shallow, :name_prefix, :member_path, :nested_member_path,
+        :belongs_to, :conditions, :active_scaffold
+        #should be able to skip
+      when :collection, :member, :new
+        process_collection value
+      when :has_one
+        save_controller = current_controller
+        process_resource value[1..-1] #Verify this is proper behavior
+        self.current_controller = save_controller
+      when :has_many
+        save_controller = current_controller
+        process_resources value[1..-1]
+        self.current_controller = save_controller
+      when :only
+        process_option_only value
+      when :except
+        process_option_except value
+      else
+        Brakeman.notify "[Notice] Unhandled resource option, please report: #{option}"
+      end
+    end
+  end
+
+  #Process route option :only => ...
+  def process_option_only exp
+    routes = @tracker.routes[@current_controller]
+    [:index, :new, :create, :show, :edit, :update, :destroy].each do |r|
+      routes.delete r
+    end
+
+    if exp.node_type == :array
+      exp[1..-1].each do |e|
+        routes << e.value
+      end
+    end
+  end
+
+  #Process route option :except => ...
+  def process_option_except exp
+    return unless exp.node_type == :array
+    routes = @tracker.routes[@current_controller]
+
+    exp[1..-1].each do |e|
+      routes.delete e.value
+    end
+  end
+
+  #  map.resource :x, ..
+  def process_resource exp
+    controller = check_for_controller_name exp
+    if controller
+      self.current_controller = controller
+      process_resource_options exp.last
+    else
+      exp.each do |argument|
+        if node_type? argument, :lit
+          self.current_controller = pluralize(exp.first.value.to_s)
+          add_resource_routes
+          process_resource_options exp.last
+        end
+      end
+    end
+  end
+
+  #Process
+  # map.connect '/something', :controller => 'blah', :action => 'whatever'
+  def process_connect exp
+    return if exp.empty?
+
+    controller = check_for_controller_name exp
+    self.current_controller = controller if controller
+    
+    #Check for default route
+    if string? exp.first
+      if exp.first.value == ":controller/:action/:id"
+        @tracker.routes[:allow_all_actions] = exp.first
+      elsif exp.first.value.include? ":action"
+        @tracker.routes[@current_controller] = [:allow_all_actions, exp.line]
+        return
+      end
+    end
+
+    #This -seems- redundant, but people might connect actions
+    #to a controller which already allows them all
+    return if @tracker.routes[@current_controller].is_a? Array and @tracker.routes[@current_controller][0] == :allow_all_actions
+
+    exp.last.each_with_index do |e,i|
+      if symbol? e and e.value == :action
+        action = exp.last[i + 1]
+        
+        if node_type? action, :lit
+          @tracker.routes[@current_controller] << action.value.to_sym
+        end
+
+        return
+      end
+    end
+  end
+
+  # map.with_options :controller => 'something' do |something|
+  #   something.resources :blah
+  # end
+  def process_with_options exp
+    @with_options = exp.block_call.last_arg
+    @nested = Sexp.new(:lvar, exp.block_args.value)
+
+    self.current_controller = check_for_controller_name exp.block_call.args
+    
+    #process block
+    process exp.block
+
+    @with_options = nil
+    @nested = nil
+  end
+
+  # map.namespace :something do |something|
+  #   something.resources :blah
+  # end
+  def process_namespace exp
+    call = exp.block_call
+    formal_args = exp.block_args
+    block = exp.block
+
+    @prefix << camelize(call.first_arg.value)
+
+    if formal_args
+      @nested = Sexp.new(:lvar, formal_args.value)
+    end
+
+    process block
+
+    @prefix.pop
+  end
+
+  # map.something_abnormal '/blah', :controller => 'something', :action => 'wohoo'
+  def process_named_route exp
+    process_connect exp
+  end
+
+  #Process collection option
+  # :collection => { :some_action => :http_actions }
+  def process_collection exp
+    return unless exp.node_type == :hash
+    routes = @tracker.routes[@current_controller]
+
+    hash_iterate(exp) do |action, type|
+      routes << action.value
+    end
+  end
+
+  private
+
+  #Checks an argument list for a hash that has a key :controller.
+  #If it does, returns the value.
+  #
+  #Otherwise, returns nil.
+  def check_for_controller_name args
+    args.each do |a|
+      if hash? a and value = hash_access(a, :controller)
+        return value.value if string? value or symbol? value
+      end
+    end
+
+    nil
+  end
+end
+
+#This is for a really specific case where a hash is used as arguments
+#to one of the map methods.
+class Brakeman::RouteAliasProcessor < Brakeman::AliasProcessor
+  
+  #This replaces
+  # { :some => :hash }.keys
+  #with 
+  # [:some]
+  def process_call exp
+    process_default exp
+    
+    if hash? exp.target and exp.method == :keys
+      keys = get_keys exp.target
+      exp.clear
+      keys.each_with_index do |e,i|
+        exp[i] = e
+      end
+    end
+    exp
+  end
+
+  #Returns an array Sexp containing the keys from the hash
+  def get_keys hash
+    keys = Sexp.new(:array)
+    hash_iterate(hash) do |key, value|
+      keys << key
+    end
+
+    keys
+  end
+end

data/lib/brakeman/processors/lib/rails3_config_processor.rb

@@ -0,0 +1,132 @@
+
+require 'brakeman/processors/lib/basic_processor'
+
+#Processes configuration. Results are put in tracker.config.
+#
+#Configuration of Rails via Rails::Initializer are stored in tracker.config.rails.
+#For example:
+#
+#  MyApp::Application.configure do
+#    config.active_record.whitelist_attributes = true
+#  end
+#
+#will be stored in
+#
+#  tracker.config.rails[:active_record][:whitelist_attributes]
+#
+#Values for tracker.config.rails will still be Sexps.
+class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
+  RAILS_CONFIG = Sexp.new(:call, nil, :config)
+
+  def initialize *args
+    super
+    @inside_config = false
+  end
+
+  #Use this method to process configuration file
+  def process_config src, file_name
+    @file_name = file_name
+    res = Brakeman::AliasProcessor.new(@tracker).process_safely(src, nil, @file_name)
+    process res
+  end
+
+  #Look for MyApp::Application.configure do ... end
+  def process_iter exp
+    call = exp.block_call
+
+    if node_type?(call.target, :colon2) and
+      call.target.rhs == :Application and
+      call.method == :configure
+
+      @inside_config = true
+      process exp.block if sexp? exp.block
+      @inside_config = false
+    end
+
+    exp
+  end
+
+  #Look for class Application < Rails::Application
+  def process_class exp
+    if exp.class_name == :Application
+      @inside_config = true
+      process_all exp.body if sexp? exp.body
+      @inside_config = false
+    end
+
+    exp
+  end
+
+  #Look for configuration settings
+  def process_attrasgn exp
+    return exp unless @inside_config
+
+    if exp.target == RAILS_CONFIG
+      #Get rid of '=' at end
+      attribute = exp.method.to_s[0..-2].to_sym
+      if exp.args.length > 1
+        #Multiple arguments?...not sure if this will ever happen
+        @tracker.config.rails[attribute] = exp.args
+      else
+        @tracker.config.rails[attribute] = exp.first_arg
+      end
+    elsif include_rails_config? exp
+      options = get_rails_config exp
+      level = @tracker.config.rails
+      options[0..-2].each do |o|
+        level[o] ||= {}
+
+        option = level[o]
+
+        if not option.is_a? Hash
+          Brakeman.debug "[Notice] Skipping config setting: #{options.map(&:to_s).join(".")}"
+          return exp
+        end
+
+        level = level[o]
+      end
+
+      level[options.last] = exp.first_arg
+    end
+
+    exp
+  end
+
+  #Check if an expression includes a call to set Rails config
+  def include_rails_config? exp
+    target = exp.target
+    if call? target
+      if target.target == RAILS_CONFIG
+        true
+      else
+        include_rails_config? target
+      end
+    elsif target == RAILS_CONFIG
+      true
+    else
+      false
+    end
+  end
+
+  #Returns an array of symbols for each 'level' in the config
+  #
+  #  config.action_controller.session_store = :cookie
+  #
+  #becomes
+  #
+  #  [:action_controller, :session_store]
+  def get_rails_config exp
+    if node_type? exp, :attrasgn
+      attribute = exp.method.to_s[0..-2].to_sym
+      get_rails_config(exp.target) << attribute
+    elsif call? exp
+      if exp.target == RAILS_CONFIG
+        [exp.method]
+      else
+        get_rails_config(exp.target) << exp.method
+      end
+    else
+      raise "WHAT"
+    end
+  end
+end

data/lib/brakeman/processors/lib/rails3_route_processor.rb

@@ -0,0 +1,308 @@
+require 'brakeman/processors/lib/basic_processor'
+
+#Processes the Sexp from routes.rb. Stores results in tracker.routes.
+#
+#Note that it is only interested in determining what methods on which
+#controllers are used as routes, not the generated URLs for routes.
+class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
+  include Brakeman::RouteHelper
+
+  attr_reader :map, :nested, :current_controller
+
+  def initialize tracker
+    super
+    @map = Sexp.new(:lvar, :map)
+    @nested = nil  #used for identifying nested targets
+    @prefix = [] #Controller name prefix (a module name, usually)
+    @current_controller = nil
+    @with_options = nil #For use inside map.with_options
+    @controller_block = false
+    @file_name = "config/routes.rb"
+  end
+
+  def process_routes exp
+    process Brakeman::AliasProcessor.new.process_safely(exp, nil, @file_name)
+  end
+
+  def process_call exp
+    case exp.method
+    when :resources
+      process_resources exp
+    when :resource
+      process_resource exp
+    when :root
+      process_root exp
+    when :member
+      process_default exp
+    when :get, :put, :post, :delete
+      process_verb exp
+    when :match
+      process_match exp
+    else
+      exp
+    end
+  end
+
+  def process_iter exp
+    case exp.block_call.method
+    when :namespace
+      process_namespace exp
+    when :resource
+      process_resource_block exp
+    when :resources
+      process_resources_block exp
+    when :scope
+      process_scope_block exp
+    when :controller
+      process_controller_block exp
+    else
+      process_default exp
+    end
+  end
+
+  def process_namespace exp
+    arg = exp.block_call.first_arg
+    return exp unless symbol? arg or string? arg 
+
+    name = arg.value
+    block = exp.block
+
+    @prefix << camelize(name)
+
+    process block
+
+    @prefix.pop
+
+    exp
+  end
+
+  #TODO: Need test for this
+  def process_root exp
+    if value = hash_access(exp.first_arg, :to)
+      if string? value
+        add_route_from_string value
+      end
+    end
+
+    exp
+  end
+
+  def process_match exp
+    first_arg = exp.first_arg
+    second_arg = exp.second_arg
+    last_arg = exp.last_arg
+
+    if string? first_arg
+
+      matcher = first_arg.value
+      if matcher == ':controller(/:action(/:id(.:format)))' or
+        matcher.include? ':controller' and action_route?(matcher)  #Default routes
+        @tracker.routes[:allow_all_actions] = first_arg
+        return exp
+      elsif action_route?(first_arg)
+          if hash? second_arg and controller_name = hash_access(second_arg, :controller)
+            loose_action(controller_name, "matched") #TODO: Parse verbs
+          end
+      elsif second_arg.nil? and in_controller_block? and not matcher.include? ":"
+        add_route matcher
+      end
+    end
+
+    if hash? last_arg
+      hash_iterate last_arg do |k, v|
+        if string? k
+          if string? v
+            add_route_from_string v
+          elsif in_controller_block? and symbol? v
+            add_route v
+          end
+        elsif symbol? k
+         case k.value
+         when :action
+          if string? v
+            add_route_from_string v
+          else
+            add_route v
+          end
+
+         when :to
+           if string? v
+             add_route_from_string v[1]
+           elsif in_controller_block? and symbol? v
+             add_route v
+           end
+         end
+        end
+      end
+    end
+
+    @current_controller = nil unless in_controller_block?
+    exp
+  end
+
+  def add_route_from_string value
+    value = value[1] if string? value
+
+    controller, action = extract_action value
+
+    if action
+      add_route action, controller
+    elsif in_controller_block?
+      add_route value
+    end
+  end
+
+  def process_verb exp
+    first_arg = exp.first_arg
+    second_arg = exp.second_arg
+
+    if symbol? first_arg and not hash? second_arg
+      add_route first_arg
+    elsif hash? second_arg
+      hash_iterate second_arg do |k, v|
+        if symbol? k and k.value == :to
+          if string? v
+            add_route_from_string v
+          elsif in_controller_block? and symbol? v
+            add_route v
+          end
+        elsif action_route?(first_arg)
+          if hash? second_arg and controller_name = hash_access(second_arg, :controller)
+            loose_action(controller_name, exp.method)
+          end
+        end
+      end
+    elsif string? first_arg
+      if first_arg.value.include? ':controller' and action_route?(first_arg) #Default routes
+        @tracker.routes[:allow_all_actions] = first_arg
+      end
+
+      route = first_arg.value.split "/"
+      if route.length != 2
+        add_route route[0]
+      else
+        add_route route[1], route[0]
+      end
+    elsif in_controller_block? and symbol? first_arg
+      add_route first_arg
+    else hash? first_arg
+      hash_iterate first_arg do |k, v|
+        if string? k
+          if string? v
+            add_route_from_string v
+          elsif in_controller_block?
+            add_route v
+          end
+        end
+      end
+    end
+
+    @current_controller = nil unless in_controller_block?
+    exp
+  end
+
+  def process_resources exp
+    first_arg = exp.first_arg
+    second_arg = exp.second_arg
+
+    return exp unless symbol? first_arg or string? first_arg
+
+    if second_arg and second_arg.node_type == :hash
+      self.current_controller = first_arg.value
+      #handle hash
+      add_resources_routes
+    elsif exp.args.all? { |s| symbol? s }
+      exp.each_arg do |s|
+        self.current_controller = s.value
+        add_resources_routes
+      end
+    end
+
+    @current_controller = nil unless in_controller_block?
+    exp
+  end
+
+  def process_resource exp
+    #Does resource even take more than one controller name?
+    exp.each_arg do |s|
+      if symbol? s
+        self.current_controller = pluralize(s.value.to_s)
+        add_resource_routes
+      else
+        #handle something else, like options
+        #or something?
+      end
+    end
+
+    @current_controller = nil unless in_controller_block?
+    exp
+  end
+
+  def process_resources_block exp
+    in_controller_block do
+      process_resources exp.block_call
+      process exp.block
+    end
+
+    @current_controller = nil
+    exp
+  end
+
+  def process_resource_block exp
+    in_controller_block do
+      process_resource exp.block_call
+      process exp.block
+    end
+
+    @current_controller = nil
+    exp
+  end
+
+  def process_scope_block exp
+    #How to deal with options?
+    process exp.block
+    exp
+  end
+
+  def process_controller_block exp
+    if string? exp or symbol? exp
+      self.current_controller = exp.block_call.first_arg.value
+
+      in_controller_block do
+        process exp[-1] if exp[-1]
+      end
+
+      @current_controller = nil
+    end
+
+    exp
+  end
+
+  def extract_action str
+    str.split "#"
+  end
+
+  def in_controller_block?
+    @controller_block
+  end
+
+  def in_controller_block
+    prev_block = @controller_block
+    @controller_block = true
+    yield
+    @controller_block = prev_block
+  end
+
+  def action_route? arg
+    if string? arg
+      arg = arg.value
+    end
+
+    arg.is_a? String and (arg.include? ":action" or arg.include? "*action")
+  end
+
+  def loose_action controller_name, verb = "any"
+    self.current_controller = controller_name.value
+    @tracker.routes[@current_controller] = [:allow_all_actions, {:allow_verb => verb}]
+  end
+end