brakeman-lib 3.7.2 → 4.0.0

data/lib/brakeman/processors/lib/render_helper.rb

@@ -62,7 +62,7 @@ module Brakeman::RenderHelper
     template = @tracker.templates[name.to_sym]
     unless template
       Brakeman.debug "[Notice] No such template: #{name}"
-      return 
+      return
     end
 
     template_env = only_ivars(:include_request_vars)
@@ -87,7 +87,7 @@ module Brakeman::RenderHelper
         #nothing
       elsif not template.name.to_s.match(/[^\/_][^\/]+$/)
         #Don't do this for partials
-        
+
         process_layout
       end
 
@@ -117,7 +117,7 @@ module Brakeman::RenderHelper
 
       #Set original_line for values so it is clear
       #that values came from another file
-      template_env.all.each do |var, value|
+      template_env.all.each do |_var, value|
         unless value.original_line
           #TODO: This has been broken for a while now and no one noticed
           #so maybe we can skip it

data/lib/brakeman/report.rb

@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
 class Brakeman::Report
   attr_reader :tracker
 
-  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain]
+  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text]
 
   def initialize app_tree, tracker
     @app_tree = app_tree
@@ -34,10 +34,10 @@ class Brakeman::Report
       Brakeman::Report::Hash
     when :to_markdown
       return self.to_markdown
-    when :to_plain
+    when :to_plain, :to_text, :to_s
       return self.to_plain
-    when :to_s
-      return self.to_s
+    when :to_table
+      return self.to_table
     when :to_pdf
       raise "PDF output is not yet supported."
     else
@@ -64,7 +64,7 @@ class Brakeman::Report
     generate Brakeman::Report::JSON
   end
 
-  def to_s
+  def to_table
     require_report 'table'
     generate Brakeman::Report::Table
   end
@@ -74,11 +74,14 @@ class Brakeman::Report
     generate Brakeman::Report::Markdown
   end
 
-  def to_plain
+  def to_text
     require_report 'text'
     generate Brakeman::Report::Text
   end
 
+  alias to_plain to_text
+  alias to_s to_text
+
   def generate reporter
     reporter.new(@app_tree, @tracker).generate_report
   end

data/lib/brakeman/report/report_base.rb

@@ -3,6 +3,7 @@ require 'brakeman/util'
 require 'brakeman/version'
 require 'brakeman/report/renderer'
 require 'brakeman/processors/output_processor'
+require 'brakeman/warning'
 
 # Base class for report formats
 class Brakeman::Report::Base
@@ -10,7 +11,7 @@ class Brakeman::Report::Base
 
   attr_reader :tracker, :checks
 
-  TEXT_CONFIDENCE = [ "High", "Medium", "Weak" ]
+  TEXT_CONFIDENCE = Brakeman::Warning::TEXT_CONFIDENCE
 
   def initialize app_tree, tracker
     @app_tree = app_tree

data/lib/brakeman/report/report_text.rb

@@ -186,12 +186,10 @@ class Brakeman::Report::Text < Brakeman::Report::Base
   # ONLY used for generate_controllers to avoid duplication
   def render_array name, cols, values, locals
     controllers = values.map do |name, parent, includes, routes|
-      [
-        label("Controller", name),
-        label("Parent", parent),
-        label("Includes", includes),
-        label("Routes", routes)
-      ]
+      c = [ label("Controller", name) ]
+      c << label("Parent", parent) unless parent.empty?
+      c << label("Includes", includes) unless includes.empty?
+      c << label("Routes", routes)
     end
 
     double_space "Controller Overview", controllers

data/lib/brakeman/rescanner.rb

@@ -143,7 +143,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
     #Search for processed template and process it.
     #Search for rendered versions of template and re-render (if necessary)
-    tracker.templates.each do |name, template|
+    tracker.templates.each do |_name, template|
       if template.file == path or template.file.nil?
         next unless template.render_path and template.name.to_sym == template_name.to_sym
 
@@ -204,7 +204,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
     lib = nil
 
-    tracker.libs.each do |name, library|
+    tracker.libs.each do |_name, library|
       if library.files.include?(path)
         lib = library
         break
@@ -267,7 +267,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
     rendered_from_view = /^#{template_name}\.Template:(.+)/
 
     #Remove any rendered versions, or partials rendered from it
-    tracker.templates.delete_if do |name, template|
+    tracker.templates.delete_if do |_name, template|
       template.file == path or template.name.to_sym == template_name.to_sym
     end
   end
@@ -275,7 +275,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def rescan_deleted_lib path
     deleted_lib = nil
 
-    tracker.libs.delete_if do |name, lib|
+    tracker.libs.delete_if do |_name, lib|
       if lib.files.include?(path)
         deleted_lib = lib
         true
@@ -295,7 +295,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
     deleted = false
 
     [:controllers, :models, :libs].each do |collection|
-      tracker.send(collection).delete_if do |name, data|
+      tracker.send(collection).delete_if do |_name, data|
         if data.files.include?(path)
           deleted = true
           true
@@ -303,7 +303,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
       end
     end
 
-    tracker.templates.delete_if do |name, data|
+    tracker.templates.delete_if do |_name, data|
       if data.file == path
         deleted = true
         true
@@ -340,14 +340,14 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def rescan_mixin lib
     method_names = []
 
-    lib.each_method do |name, meth|
+    lib.each_method do |name, _meth|
       method_names << name
     end
 
     to_rescan = []
 
     #Rescan controllers that mixed in library
-    tracker.controllers.each do |name, controller|
+    tracker.controllers.each do |_name, controller|
       if controller.includes.include? lib.name
         controller.files.each do |path|
           unless @paths.include? path

data/lib/brakeman/tracker.rb

@@ -219,7 +219,7 @@ class Brakeman::Tracker
       finder.process_source definition, :class => set_name, :file => file
     end
 
-    self.each_template do |name, template|
+    self.each_template do |_name, template|
       finder.process_source template.src, :template => template, :file => template.file
     end
 
@@ -270,7 +270,7 @@ class Brakeman::Tracker
     end
 
     if locations.include? :templates
-      self.each_template do |name, template|
+      self.each_template do |_name, template|
         finder.process_source template.src, :template => template, :file => template.file
       end
     end
@@ -283,7 +283,7 @@ class Brakeman::Tracker
   #controllers (but not those rendered from other templates)
   def reset_templates options = { :only_rendered => false }
     if options[:only_rendered]
-      @templates.delete_if do |name, template|
+      @templates.delete_if do |_name, template|
         template.rendered_from_controller?
       end
     else

data/lib/brakeman/tracker/collection.rb

@@ -53,7 +53,7 @@ module Brakeman
     end
 
     def each_method
-      @methods.each do |vis, meths|
+      @methods.each do |_vis, meths|
         meths.each do |name, info|
           yield name, info
         end

data/lib/brakeman/util.rb

@@ -18,10 +18,14 @@ module Brakeman::Util
 
   COOKIES = Sexp.new(:call, nil, :cookies)
 
+  REQUEST_COOKIES = s(:call, s(:call, nil, :request), :cookies)
+
   SESSION = Sexp.new(:call, nil, :session)
 
   ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
 
+  ALL_COOKIES = Set[COOKIES, REQUEST_COOKIES]
+
   #Convert a string from "something_like_this" to "SomethingLikeThis"
   #
   #Taken from ActiveSupport.
@@ -229,7 +233,7 @@ module Brakeman::Util
 
   def cookies? exp
     if exp.is_a? Sexp
-      return true if exp.node_type == :cookies or exp == COOKIES
+      return true if exp.node_type == :cookies or ALL_COOKIES.include? exp
 
       if call? exp
         if cookies? exp[1]

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.7.2"
+  Version = "4.0.0"
 end

data/lib/brakeman/warning.rb

@@ -10,27 +10,39 @@ class Brakeman::Warning
 
   attr_accessor :code, :context, :file, :message, :relative_path
 
-  TEXT_CONFIDENCE = [ "High", "Medium", "Weak" ]
-
-  OPTIONS = {:called_from => :@called_from,
-              :check => :@check,
-              :class => :@class,
-              :code => :@code,
-              :confidence => :@confidence,
-              :controller => :@controller,
-              :file => :@file,
-              :gem_info => :@gem_info,
-              :line => :@line,
-              :link_path => :@link_path,
-              :message => :@message,
-              :method => :@method,
-              :model => :@model,
-              :relative_path => :@relative_path,
-              :template => :@template,
-              :user_input => :@user_input,
-              :warning_set => :@warning_set,
-              :warning_type => :@warning_type
-            }
+  TEXT_CONFIDENCE = {
+    0 => "High",
+    1 => "Medium",
+    2 => "Weak",
+  }
+
+  CONFIDENCE = {
+    :high => 0,
+    :med => 1,
+    :medium => 1,
+    :low => 2,
+    :weak => 2,
+  }
+
+  OPTIONS = {
+    :called_from => :@called_from,
+    :check => :@check,
+    :class => :@class,
+    :code => :@code,
+    :controller => :@controller,
+    :file => :@file,
+    :gem_info => :@gem_info,
+    :line => :@line,
+    :link_path => :@link_path,
+    :message => :@message,
+    :method => :@method,
+    :model => :@model,
+    :relative_path => :@relative_path,
+    :template => :@template,
+    :user_input => :@user_input,
+    :warning_set => :@warning_set,
+    :warning_type => :@warning_type,
+  }
 
   #+options[:result]+ can be a result from Tracker#find_call. Otherwise, it can be +nil+.
   def initialize options = {}
@@ -40,6 +52,8 @@ class Brakeman::Warning
       self.instance_variable_set(var, options[key])
     end
 
+    self.confidence = options[:confidence]
+
     result = options[:result]
     if result
       @code ||= result[:call]
@@ -113,6 +127,20 @@ class Brakeman::Warning
     self.hash == other_warning.hash
   end
 
+  def confidence= conf
+    @confidence = case conf
+                  when Integer
+                    conf
+                  when Symbol
+                    CONFIDENCE[conf]
+                  else
+                    raise "Could not set confidence to `#{conf}`"
+                  end
+
+    raise "Could not set confidence to `#{conf}`" unless @confidence
+    raise "Invalid confidence: `#{@confidence}`" unless TEXT_CONFIDENCE[@confidence]
+  end
+
   #Returns name of a view, including where it was rendered from
   def view_name(include_renderer = true)
     if called_from and include_renderer

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 3.7.2
+  version: 4.0.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2017-08-16 00:00:00.000000000 Z
+date: 2017-09-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest