brakeman-lib 4.4.0 → 4.7.0

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -40,6 +40,10 @@ module Brakeman
       else
         original_exp
       end
+    rescue Encoding::CompatibilityError => e
+      # If the two strings are different encodings, we can't join them.
+      Brakeman.debug e.inspect
+      original_exp
     end
 
     def math_op op, lhs, rhs, original_exp = nil

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -5,9 +5,9 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
 
   def initialize tracker
     super
-    @current_class = nil
-    @current_method = nil
+
     @in_target = false
+    @processing_class = false
     @calls = []
     @cache = {}
   end
@@ -23,10 +23,33 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     process exp
   end
 
+  #For whatever reason, originally the indexing of calls
+  #was performed on individual method bodies (see process_defn).
+  #This method explicitly indexes all calls everywhere given any
+  #source.
+  def process_all_source exp, opts
+    @processing_class = true
+    process_source exp, opts
+  ensure
+    @processing_class = false
+  end
+
   #Process body of method
   def process_defn exp
-    return exp unless @current_method
-    process_all exp.body
+    return exp unless @current_method or @processing_class
+
+    # 'Normal' processing assumes the method name was given
+    # as an option to `process_source` but for `process_all_source`
+    # we don't want to do that.
+    if @current_method.nil?
+      @current_method = exp.method_name
+      process_all exp.body
+      @current_method = nil
+    else
+      process_all exp.body
+    end
+
+    exp
   end
 
   alias process_defs process_defn

data/lib/brakeman/processors/lib/find_call.rb

@@ -33,14 +33,13 @@ require 'brakeman/processors/lib/basic_processor'
 # FindCall.new nil, /^g?sub!?$/
 class Brakeman::FindCall < Brakeman::BasicProcessor
 
-  def initialize targets, methods, tracker, in_depth = false
+  def initialize targets, methods, tracker
     super tracker
     @calls = []
     @find_targets = targets
     @find_methods = methods
     @current_class = nil
     @current_method = nil
-    @in_depth = in_depth
   end
 
   #Returns a list of results.
@@ -48,10 +47,6 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
   #A result looks like:
   #
   # s(:result, :ClassName, :method_name, s(:call, ...))
-  #
-  #or
-  #
-  # s(:result, :template_name, s(:call, ...))
   def matches
     @calls
   end
@@ -60,10 +55,7 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
   #or the template. These names are used when reporting results.
   #
   #Use FindCall#matches to retrieve results.
-  def process_source exp, klass = nil, method = nil, template = nil
-    @current_class = klass
-    @current_method = method
-    @current_template = template
+  def process_source exp
     process exp
   end
 
@@ -74,11 +66,6 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
 
   alias :process_defs :process_defn
 
-  #Process body of block
-  def process_rlist exp
-    process_all exp
-  end
-
   #Look for matching calls and add them to results
   def process_call exp
     target = get_target exp.target
@@ -87,25 +74,9 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
     process_call_args exp
 
     if match(@find_targets, target) and match(@find_methods, method)
-
-      if @current_template
-        @calls << Sexp.new(:result, @current_template, exp).line(exp.line)
-      else
-        @calls << Sexp.new(:result, @current_module, @current_class, @current_method, exp).line(exp.line)
-      end
-
+      @calls << Sexp.new(:result, @current_module, @current_class, @current_method, exp).line(exp.line)
     end
     
-    #Normally FindCall won't match a method invocation that is the target of
-    #another call, such as:
-    #
-    #  User.find(:first, :conditions => "user = '#{params['user']}').name
-    #
-    #A search for User.find will not match this unless @in_depth is true.
-    if @in_depth and call? exp.target
-      process exp.target
-    end
-
     exp
   end
 
@@ -123,8 +94,6 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
       case exp.node_type
       when :ivar, :lvar, :const, :lit
         exp.value
-      when :true, :false
-        exp.node_type
       when :colon2
         class_name exp
       else
@@ -141,43 +110,13 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
     when Symbol
       if search_terms == item
         true
-      elsif sexp? item
-        is_instance_of? item, search_terms
       else
         false
       end
-    when Sexp
-      search_terms == item
     when Enumerable
       if search_terms.empty?
         item == nil
-      else
-        search_terms.each do|term|
-          if match(term, item)
-            return true
-          end
-        end
-        false
       end
-    when Regexp
-      search_terms.match item.to_s
-    when nil
-      true
-    else
-      raise "Cannot match #{search_terms} and #{item}"
-    end
-  end
-
-  #Checks if +item+ is an instance of +klass+ by looking for Klass.new
-  def is_instance_of? item, klass
-    if call? item
-      if sexp? item.target
-        item.method == :new and item.target.node_type == :const and item.target.value == klass
-      else
-        item.method == :new and item.target == klass
-      end
-    else
-      false
     end
   end
 end

data/lib/brakeman/processors/lib/module_helper.rb

@@ -13,9 +13,9 @@ module Brakeman::ModuleHelper
 
     if @tracker.libs[name]
       @current_module = @tracker.libs[name]
-      @current_module.add_file @file_name, exp
+      @current_module.add_file @current_file, exp
     else
-      @current_module = tracker_class.new name, parent, @file_name, exp, @tracker
+      @current_module = tracker_class.new name, parent, @current_file, exp, @tracker
       @tracker.libs[name] = @current_module
     end
 
@@ -45,9 +45,9 @@ module Brakeman::ModuleHelper
 
     if collection[name]
       @current_class = collection[name]
-      @current_class.add_file @file_name, exp
+      @current_class.add_file @current_file, exp
     else
-      @current_class = tracker_class.new name, parent, @file_name, exp, @tracker 
+      @current_class = tracker_class.new name, parent, @current_file, exp, @tracker
       collection[name] = @current_class
     end
 
@@ -85,9 +85,9 @@ module Brakeman::ModuleHelper
     @current_method = nil
 
     if @current_class
-      @current_class.add_method @visibility, name, res, @file_name
+      @current_class.add_method @visibility, name, res, @current_file
     elsif @current_module
-      @current_module.add_method @visibility, name, res, @file_name
+      @current_module.add_method @visibility, name, res, @current_file
     end
     res
   end
@@ -101,9 +101,9 @@ module Brakeman::ModuleHelper
     @current_method = nil
 
     if @current_class
-      @current_class.add_method @visibility, name, res, @file_name
+      @current_class.add_method @visibility, name, res, @current_file
     elsif @current_module
-      @current_module.add_method @visibility, name, res, @file_name
+      @current_module.add_method @visibility, name, res, @current_file
     end
 
     res

data/lib/brakeman/processors/lib/processor_helper.rb

@@ -73,10 +73,10 @@ module Brakeman::ProcessorHelper
     end
   end
 
-  def current_file_name
+  def current_file
     case
-    when @file_name
-      @file_name
+    when @current_file
+      @current_file
     when @current_class.is_a?(Brakeman::Collection)
       @current_class.file
     when @current_module.is_a?(Brakeman::Collection)

data/lib/brakeman/processors/lib/rails2_config_processor.rb

@@ -27,9 +27,9 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
   end
 
   #Use this method to process configuration file
-  def process_config src, file_name
-    @file_name = file_name
-    res = Brakeman::ConfigAliasProcessor.new.process_safely(src, nil, file_name)
+  def process_config src, current_file
+    @current_file = current_file
+    res = Brakeman::ConfigAliasProcessor.new.process_safely(src, nil, current_file)
     process res
   end
 
@@ -75,7 +75,7 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
   def process_cdecl exp
     #Set Rails version required
     if exp.lhs == :RAILS_GEM_VERSION
-      @tracker.config.rails_version = exp.rhs.value
+      @tracker.config.set_rails_version exp.rhs.value
     end
 
     exp

data/lib/brakeman/processors/lib/rails2_route_processor.rb

@@ -16,7 +16,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
     @prefix = [] #Controller name prefix (a module name, usually)
     @current_controller = nil
     @with_options = nil #For use inside map.with_options
-    @file_name = "config/routes.rb"
+    @current_file = "config/routes.rb"
   end
 
   #Call this with parsed route file information.
@@ -24,7 +24,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
   #This method first calls RouteAliasProcessor#process_safely on the +exp+,
   #so it does not modify the +exp+.
   def process_routes exp
-    process Brakeman::RouteAliasProcessor.new.process_safely(exp, nil, @file_name)
+    process Brakeman::RouteAliasProcessor.new.process_safely(exp, nil, @current_file)
   end
 
   #Looking for mapping of routes

data/lib/brakeman/processors/lib/rails3_config_processor.rb

@@ -24,9 +24,9 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
   end
 
   #Use this method to process configuration file
-  def process_config src, file_name
-    @file_name = file_name
-    res = Brakeman::AliasProcessor.new(@tracker).process_safely(src, nil, @file_name)
+  def process_config src, current_file
+    @current_file = current_file
+    res = Brakeman::AliasProcessor.new(@tracker).process_safely(src, nil, @current_file)
     process res
   end
 

data/lib/brakeman/processors/lib/rails3_route_processor.rb

@@ -17,11 +17,11 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BasicProcessor
     @current_controller = nil
     @with_options = nil #For use inside map.with_options
     @controller_block = false
-    @file_name = "config/routes.rb"
+    @current_file = "config/routes.rb"
   end
 
   def process_routes exp
-    process Brakeman::AliasProcessor.new.process_safely(exp, nil, @file_name)
+    process Brakeman::AliasProcessor.new.process_safely(exp, nil, @current_file)
   end
 
   def process_call exp

data/lib/brakeman/processors/lib/render_helper.rb

@@ -36,7 +36,7 @@ module Brakeman::RenderHelper
 
   #Determines file name for partial and then processes it
   def process_partial name, args, line
-    if name == "" or !(string? name or symbol? name)
+    if !(string? name or symbol? name) or name.value == ""
       return
     end
 
@@ -148,7 +148,7 @@ module Brakeman::RenderHelper
       #This information will be stored in tracker.templates, but with a name
       #specifying this particular route. The original source should remain
       #pristine (so it can be processed within other environments).
-      @tracker.processor.process_template name, src, template.type, called_from
+      @tracker.processor.process_template name, src, template.type, called_from, template.file
     end
   end
 

data/lib/brakeman/processors/lib/render_path.rb

@@ -83,7 +83,7 @@ module Brakeman
     end
 
     def map &block
-      @path.map &block
+      @path.map(&block)
     end
 
     def to_a
@@ -114,6 +114,23 @@ module Brakeman
       JSON.generate(@path)
     end
 
+    def with_relative_paths
+      @path.map do |loc|
+        r = loc.dup
+
+        if r[:file]
+          r[:file] = r[:file].relative
+        end
+
+        if r[:rendered] and r[:rendered][:file]
+          r[:rendered] = r[:rendered].dup
+          r[:rendered][:file] = r[:rendered][:file].relative
+        end
+
+        r
+      end
+    end
+
     def initialize_copy original
       @path = original.path.dup
       self

data/lib/brakeman/processors/library_processor.rb

@@ -9,15 +9,15 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
 
   def initialize tracker
     super
-    @file_name = nil
+    @current_file = nil
     @alias_processor = Brakeman::AliasProcessor.new tracker
     @current_module = nil
     @current_class = nil
     @initializer_env = nil
   end
 
-  def process_library src, file_name = nil
-    @file_name = file_name
+  def process_library src, current_file = @current_file
+    @current_file = current_file
     process src
   end
 
@@ -41,10 +41,10 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
 
     if @current_class
       exp.body = process_all! exp.body
-      @current_class.add_method :public, exp.method_name, exp, @file_name
+      @current_class.add_method :public, exp.method_name, exp, @current_file
     elsif @current_module
       exp.body = process_all! exp.body
-      @current_module.add_method :public, exp.method_name, exp, @file_name
+      @current_module.add_method :public, exp.method_name, exp, @current_file
     end
 
     exp

data/lib/brakeman/processors/model_processor.rb

@@ -12,24 +12,23 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     @current_method = nil
     @current_module = nil
     @visibility = :public
-    @file_name = nil
+    @current_file = nil
   end
 
   #Process model source
-  def process_model src, file_name = nil
-    @file_name = file_name
+  def process_model src, current_file = @current_file
+    @current_file = current_file
     process src
   end
 
   #s(:class, NAME, PARENT, BODY)
   def process_class exp
     name = class_name(exp.class_name)
-    parent = class_name(exp.parent_name)
 
     #If inside an inner class we treat it as a library.
     if @current_class
       Brakeman.debug "[Notice] Treating inner class as library: #{name}"
-      Brakeman::LibraryProcessor.new(@tracker).process_library exp, @file_name
+      Brakeman::LibraryProcessor.new(@tracker).process_library exp, @current_file
       return exp
     end
 

data/lib/brakeman/processors/output_processor.rb

@@ -8,6 +8,11 @@ require 'brakeman/util'
 class Brakeman::OutputProcessor < Ruby2Ruby
   include Brakeman::Util
 
+  def initialize *args
+    super
+    @user_input = nil
+  end
+
   #Copies +exp+ and then formats it.
   def format exp, user_input = nil, &block
     @user_input = user_input