brakeman-lib 4.4.0 → 4.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGES.md +63 -0
- data/README.md +6 -7
- data/lib/brakeman.rb +7 -0
- data/lib/brakeman/app_tree.rb +34 -22
- data/lib/brakeman/call_index.rb +54 -15
- data/lib/brakeman/checks.rb +7 -7
- data/lib/brakeman/checks/base_check.rb +75 -56
- data/lib/brakeman/checks/check_content_tag.rb +12 -0
- data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
- data/lib/brakeman/checks/check_cross_site_scripting.rb +15 -10
- data/lib/brakeman/checks/check_default_routes.rb +5 -0
- data/lib/brakeman/checks/check_deserialize.rb +49 -0
- data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
- data/lib/brakeman/checks/check_evaluation.rb +0 -1
- data/lib/brakeman/checks/check_execute.rb +44 -1
- data/lib/brakeman/checks/check_file_access.rb +7 -1
- data/lib/brakeman/checks/check_force_ssl.rb +27 -0
- data/lib/brakeman/checks/check_header_dos.rb +2 -2
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
- data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
- data/lib/brakeman/checks/check_json_parsing.rb +7 -2
- data/lib/brakeman/checks/check_link_to_href.rb +6 -1
- data/lib/brakeman/checks/check_mail_to.rb +1 -1
- data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
- data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
- data/lib/brakeman/checks/check_model_attributes.rb +12 -50
- data/lib/brakeman/checks/check_model_serialize.rb +1 -1
- data/lib/brakeman/checks/check_nested_attributes_bypass.rb +4 -4
- data/lib/brakeman/checks/check_reverse_tabnabbing.rb +54 -0
- data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
- data/lib/brakeman/checks/check_secrets.rb +1 -1
- data/lib/brakeman/checks/check_send.rb +0 -1
- data/lib/brakeman/checks/check_session_manipulation.rb +0 -1
- data/lib/brakeman/checks/check_session_settings.rb +15 -12
- data/lib/brakeman/checks/check_simple_format.rb +5 -0
- data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
- data/lib/brakeman/checks/check_sql.rb +27 -20
- data/lib/brakeman/checks/check_validation_regex.rb +1 -1
- data/lib/brakeman/checks/check_xml_dos.rb +2 -2
- data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
- data/lib/brakeman/differ.rb +16 -28
- data/lib/brakeman/file_parser.rb +6 -8
- data/lib/brakeman/file_path.rb +85 -0
- data/lib/brakeman/options.rb +7 -0
- data/lib/brakeman/parsers/haml_embedded.rb +44 -0
- data/lib/brakeman/parsers/slim_embedded.rb +44 -0
- data/lib/brakeman/parsers/template_parser.rb +8 -8
- data/lib/brakeman/processor.rb +4 -5
- data/lib/brakeman/processors/alias_processor.rb +49 -7
- data/lib/brakeman/processors/base_processor.rb +10 -7
- data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
- data/lib/brakeman/processors/controller_processor.rb +9 -13
- data/lib/brakeman/processors/gem_processor.rb +10 -2
- data/lib/brakeman/processors/haml_template_processor.rb +92 -123
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +4 -0
- data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
- data/lib/brakeman/processors/lib/find_call.rb +3 -64
- data/lib/brakeman/processors/lib/module_helper.rb +8 -8
- data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
- data/lib/brakeman/processors/lib/rails2_config_processor.rb +4 -4
- data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
- data/lib/brakeman/processors/lib/render_helper.rb +2 -2
- data/lib/brakeman/processors/lib/render_path.rb +18 -1
- data/lib/brakeman/processors/library_processor.rb +5 -5
- data/lib/brakeman/processors/model_processor.rb +4 -5
- data/lib/brakeman/processors/output_processor.rb +5 -0
- data/lib/brakeman/processors/slim_template_processor.rb +16 -0
- data/lib/brakeman/processors/template_alias_processor.rb +32 -5
- data/lib/brakeman/processors/template_processor.rb +14 -10
- data/lib/brakeman/report.rb +3 -3
- data/lib/brakeman/report/ignore/config.rb +2 -3
- data/lib/brakeman/report/ignore/interactive.rb +2 -2
- data/lib/brakeman/report/pager.rb +1 -0
- data/lib/brakeman/report/report_base.rb +51 -6
- data/lib/brakeman/report/report_codeclimate.rb +3 -3
- data/lib/brakeman/report/report_hash.rb +1 -1
- data/lib/brakeman/report/report_html.rb +2 -2
- data/lib/brakeman/report/report_json.rb +1 -24
- data/lib/brakeman/report/report_table.rb +20 -4
- data/lib/brakeman/report/report_tabs.rb +1 -1
- data/lib/brakeman/report/report_text.rb +2 -2
- data/lib/brakeman/rescanner.rb +13 -12
- data/lib/brakeman/scanner.rb +24 -18
- data/lib/brakeman/tracker.rb +35 -7
- data/lib/brakeman/tracker/collection.rb +4 -3
- data/lib/brakeman/tracker/config.rb +44 -48
- data/lib/brakeman/tracker/constants.rb +2 -1
- data/lib/brakeman/util.rb +18 -147
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +27 -13
- data/lib/brakeman/warning_codes.rb +4 -0
- data/lib/ruby_parser/bm_sexp.rb +1 -1
- data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
- metadata +58 -43
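--- a/data/lib/brakeman/processors/slim_template_processor.rb
+++ b/data/lib/brakeman/processors/slim_template_processor.rb
@@ -8,6 +8,7 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
 OUTPUT_BUFFER = s(:ivar, :@output_buffer)
 TEMPLE_UTILS = s(:colon2, s(:colon3, :Temple), :Utils)
 ATTR_MERGE = s(:call, s(:call, s(:array), :reject, s(:block_pass, s(:lit, :empty?))), :join, s(:str, " "))
+EMBEDDED_FILTER = s(:const, :BrakemanFilter)
 
 def process_call exp
 target = exp.target
@@ -44,6 +45,21 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
 end
 end
 
+def normalize_output arg
+arg = super(arg)
+
+if embedded_filter? arg
+super(arg.first_arg)
+else
+arg
+end
+end
+
+# Handle our "fake" embedded filters
+def embedded_filter? arg
+call? arg and arg.method == :render and arg.target == EMBEDDED_FILTER
+end
+
 #Slim likes to interpolate output into strings then pass them to safe_concat.
 #Better to pull those values out directly.
 def process_inside_interp exp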
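Review bot: `normalize_output` hands `arg.first_arg` to `super` whenever `embedded_filter?` matches, but `embedded_filter?` only checks the receiver and method name, not that an argument is present, so a `BrakemanFilter.render` call without arguments would pass `nil` to the parent `normalize_output`. If the new embedded parsers (haml_embedded.rb and slim_embedded.rb in this release) always synthesize exactly one argument, record that invariant where the value is consumed: `# BrakemanFilter.render always carries the filtered body as its single argument (see parsers/*_embedded.rb)`; otherwise guard it with `if embedded_filter?(arg) and arg.first_arg`. `EMBEDDED_FILTER` would also benefit from a one-line comment saying it names the placeholder receiver those parsers emit, since the constant is otherwise unexplained.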
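--- a/data/lib/brakeman/processors/template_alias_processor.rb
+++ b/data/lib/brakeman/processors/template_alias_processor.rb
@@ -14,25 +14,52 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
 def initialize tracker, template, called_from = nil
 super tracker
 @template = template
+@current_file = template.file
 @called_from = called_from
 end
 
 #Process template
-def process_template name, args, _, line = nil
-@file_name = file_name || relative_path(@template.file || @tracker.templates[@template.name])
-
+def process_template name, args, _, line = nil
 if @called_from
 if @called_from.include_template? name
 Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
 return
 end
 
-super name, args, @called_from.dup.add_template_render(@template.name, line, @
+super name, args, @called_from.dup.add_template_render(@template.name, line, @current_file), line
+else
+super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @current_file), line
+end
+end
+
+def process_lasgn exp
+if exp.lhs == :haml_temp or haml_capture? exp.rhs
+exp.rhs = process exp.rhs
+
+# Avoid propagating contents of block
+if node_type? exp.rhs, :iter
+new_exp = exp.dup
+new_exp.rhs = exp.rhs.block_call
+
+super new_exp
+
+exp # Still save the original, though
+else
+super exp
+end
 else
-super
+super exp
 end
 end
 
+HAML_CAPTURE = [:capture, :capture_haml]
+
+def haml_capture? exp
+node_type? exp, :iter and
+call? exp.block_call and
+HAML_CAPTURE.include? exp.block_call.method
+end
+
 #Determine template name
 def template_name name
 if !name.to_s.include?('/') && @template.name.to_s.include?('/')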
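Review bot: `@current_file = template.file` in `initialize` drops the fallback the removed `process_template` line carried (`@template.file || @tracker.templates[@template.name]`), so a template whose `file` is `nil` now reaches `add_template_render` with a `nil` file where it previously resolved something through the tracker. If every `Template` carries a file in this release (the new `file_path.rb` suggests that, but it is outside this diff), a short comment on the assignment such as `# Template#file is always set by the scanner; no tracker fallback needed` would make the invariant explicit; if not, keep a fallback as the removed line did. Separately, the `process_lasgn` condition and `haml_capture?` use `or`/`and` for boolean logic around the unparenthesized `haml_capture? exp.rhs`; `||`/`&&` with explicit parentheses avoid the precedence trap. `template_name` continues past the end of the hunk.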
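--- a/data/lib/brakeman/processors/template_processor.rb
+++ b/data/lib/brakeman/processors/template_processor.rb
@@ -5,10 +5,10 @@ require 'brakeman/tracker/template'
 class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
 
 #Initializes template information.
-def initialize tracker, template_name, called_from = nil,
-super(tracker)
-@current_template = Brakeman::Template.new template_name, called_from,
-@
+def initialize tracker, template_name, called_from = nil, current_file = nil
+super(tracker)
+@current_template = Brakeman::Template.new template_name, called_from, current_file, tracker
+@current_file = @current_template.file
 
 if called_from
 template_name = (template_name.to_s + "." + called_from.to_s).to_sym
@@ -61,9 +61,9 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
 branches = [arg.then_clause, arg.else_clause].compact
 
 if branches.empty?
-s(:nil)
+s(:nil).line(arg.line)
 elsif branches.length == 2
-Sexp.new(:or, *branches)
+Sexp.new(:or, *branches).line(arg.line)
 else
 branches.first
 end
@@ -77,9 +77,13 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
 end
 
 def add_output output, type = :output
-
-
-
-
+if node_type? output, :or
+Sexp.new(:or, add_output(output.lhs, type), add_output(output.rhs, type)).line(output.line)
+else
+s = Sexp.new(type, output)
+s.line(output.line)
+@current_template.add_output s
+s
+end
 end
 end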
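Review bot: The `#Initializes template information.` comment above `initialize` does not mention the new `current_file` parameter, and `@current_file` is read back from `@current_template.file` rather than from the argument, which a reader has to notice to understand that `Brakeman::Template` owns the resolution (what it does when `current_file` is `nil` is outside this hunk). Suggest extending the header to `#Initializes template information. current_file is the FilePath of the template source; the Template decides the final value.` In `add_output`, the new `:or` branch records each arm as its own output and never registers the combined node; a one-line comment above `if node_type? output, :or` — `# An if/else output is split so each branch is tracked as a separate output` — would save the next reader the recursion trace.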
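--- a/data/lib/brakeman/report.rb
+++ b/data/lib/brakeman/report.rb
@@ -8,8 +8,8 @@ class Brakeman::Report
 
 VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text]
 
-def initialize
-@app_tree = app_tree
+def initialize tracker
+@app_tree = tracker.app_tree
 @tracker = tracker
 end
 
@@ -83,6 +83,6 @@ class Brakeman::Report
 alias to_s to_text
 
 def generate reporter
-reporter.new(@
+reporter.new(@tracker).generate_report
 end
 end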
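--- a/data/lib/brakeman/report/ignore/config.rb
+++ b/data/lib/brakeman/report/ignore/config.rb
@@ -22,6 +22,7 @@ module Brakeman
 def filter_ignored
 @shown_warnings = []
 @ignored_warnings = []
+@used_fingerprints = Set.new
 
 @new_warnings.each do |w|
 if ignored? w
@@ -112,9 +113,7 @@ module Brakeman
 def save_to_file warnings, file = @file
 warnings = warnings.map do |w|
 if w.is_a? Warning
-
-w_hash[:file] = w.relative_path
-w = w_hash
+w = w.to_hash(absolute_paths: false)
 end
 
 w[:note] = @notes[w[:fingerprint]] || ""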
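Review bot: `@used_fingerprints = Set.new` is the only use of `Set` visible in this hunk and the file's `require` lines are outside it; unless `set` is already required in this file or loaded centrally by Brakeman, the assignment raises `NameError` on Rubies that do not autoload `Set`. Add `require 'set'` at the top of the file if it is missing. `filter_ignored` and `save_to_file` both continue past their hunks, so where `@used_fingerprints` is populated cannot be checked from here.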
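--- a/data/lib/brakeman/report/report_base.rb
+++ b/data/lib/brakeman/report/report_base.rb
@@ -13,8 +13,8 @@ class Brakeman::Report::Base
 
 TEXT_CONFIDENCE = Brakeman::Warning::TEXT_CONFIDENCE
 
-def initialize
-@app_tree = app_tree
+def initialize tracker
+@app_tree = tracker.app_tree
 @tracker = tracker
 @checks = tracker.checks
 @ignore_filter = tracker.ignored_filter
@@ -123,16 +123,52 @@ class Brakeman::Report::Base
 Set.new(tracker.templates.map {|k,v| v.name.to_s[/[^.]+/]}).length
 end
 
-def
+def absolute_paths?
+@tracker.options[:absolute_paths]
+end
+
+def warning_file warning
 return nil if warning.file.nil?
 
-if
-warning.file
+if absolute_paths?
+warning.file.absolute
 else
-
+warning.file.relative
 end
 end
 
+#Return array of lines surrounding the warning location from the original
+#file.
+def context_for warning
+file = warning.file
+context = []
+return context unless warning.line and file and file.exists?
+
+current_line = 0
+start_line = warning.line - 5
+end_line = warning.line + 5
+
+start_line = 1 if start_line < 0
+
+File.open file do |f|
+f.each_line do |line|
+current_line += 1
+
+next if line.strip == ""
+
+if current_line > end_line
+break
+end
+
+if current_line >= start_line
+context << [current_line, line]
+end
+end
+end
+
+context
+end
+
 def rails_version
 case
 when tracker.config.rails_version
@@ -145,4 +181,13 @@ class Brakeman::Report::Base
 "Unknown"
 end
 end
+
+def github_url file, line=nil
+if repo_url = @tracker.options[:github_url] and file
+url = "#{repo_url}/#{file.relative}"
+url << "#L#{line}" if line
+else
+nil
+end
+end
 end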
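Review bot: `context_for` passes the `warning.file` object straight to `File.open file`, which only works if `Brakeman::FilePath` responds to `to_path` or `to_str`; the surrounding code spells out `file.absolute`/`file.relative` everywhere else, so `File.open file.absolute do |f|` would not depend on that implicit conversion (hedged, since `file_path.rb` is outside this diff). The clamp `start_line = 1 if start_line < 0` leaves `start_line == 0` when `warning.line == 5`; it is harmless because `current_line` starts at 1, but `< 1` states the intent. In `github_url`, `file.relative` is interpolated into the link unescaped, so a path containing a space or `#` yields a broken URL; whether the consumer escapes it cannot be seen here, so at least a comment on the `url = ...` line noting that the path is emitted raw would flag it for the HTML report.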
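--- a/data/lib/brakeman/report/report_codeclimate.rb
+++ b/data/lib/brakeman/report/report_codeclimate.rb
@@ -70,10 +70,10 @@ class Brakeman::Report::CodeClimate < Brakeman::Report::Base
 end
 
 def file_path(warning)
-fp = Pathname.new(warning.relative_path)
 if tracker.options[:path_prefix]
-
+(Pathname.new(tracker.options[:path_prefix]) + Pathname.new(warning.file.relative)).to_s
+else
+warning.file
 end
-fp.to_s
 end
 end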
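Review bot: The new `else` branch of `file_path` returns the `warning.file` object while the `if` branch returns a `String`, and the removed `fp.to_s` previously made both outcomes a relative-path string; whatever serialises this value now depends on `FilePath#to_s`, which is outside this diff. Return the relative path explicitly so both branches agree and the old contract is kept: `warning.file.relative`.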
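--- a/data/lib/brakeman/report/report_html.rb
+++ b/data/lib/brakeman/report/report_html.rb
@@ -86,7 +86,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Table
 
 def convert_ignored_warning warning, original
 warning = convert_warning(warning, original)
-warning['File'] = original.
+warning['File'] = original.file.relative
 warning['Note'] = CGI.escapeHTML(@ignore_filter.note_for(original) || "")
 warning
 end
@@ -113,7 +113,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Table
 #Generate HTML for warnings, including context show/hidden via Javascript
 def with_context warning, message
 @element_id += 1
-context = context_for(
+context = context_for(warning)
 message = html_message(warning, message)
 
 code_id = "context#@element_id"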
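--- a/data/lib/brakeman/report/report_json.rb
+++ b/data/lib/brakeman/report/report_json.rb
@@ -37,30 +37,7 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
 
 def convert_to_hashes warnings
 warnings.map do |w|
-
-hash[:render_path] = convert_render_path hash[:render_path]
-hash[:file] = warning_file w
-
-hash
+w.to_hash(absolute_paths: false)
 end.sort_by { |w| "#{w[:fingerprint]}#{w[:line]}" }
 end
-
-def convert_render_path render_path
-return unless render_path and not @tracker.options[:absolute_paths]
-
-render_path.map do |r|
-r = r.dup
-
-if r[:file]
-r[:file] = relative_path(r[:file])
-end
-
-if r[:rendered] and r[:rendered][:file]
-r[:rendered] = r[:rendered].dup
-r[:rendered][:file] = relative_path(r[:rendered][:file])
-end
-
-r
-end
-end
 end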
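Review bot: `convert_to_hashes` now calls `w.to_hash(absolute_paths: false)` unconditionally, whereas the removed code went through `warning_file w` and `convert_render_path`, both of which consulted the `:absolute_paths` option (`Report::Base#absolute_paths?` still exposes it), so the JSON report no longer reflects `--absolute-paths` — assuming `Warning#to_hash` applies that flag to `:file` and `:render_path`, which is outside this hunk. If the option is meant to apply here, pass it through: `w.to_hash(absolute_paths: absolute_paths?)`. If JSON output is intentionally always relative now, a one-line comment on that call saying so would stop the next reader from re-adding the option.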
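--- a/data/lib/brakeman/report/report_table.rb
+++ b/data/lib/brakeman/report/report_table.rb
@@ -199,10 +199,6 @@ class Brakeman::Report::Table < Brakeman::Report::Base
 end
 end
 
-def convert_warning warning, original
-warning
-end
-
 def convert_ignored_warning warning, original
 convert_warning warning, original
 end
@@ -271,4 +267,24 @@ Duration: #{tracker.duration} seconds
 Checks run: #{checks.checks_run.sort.join(", ")}
 HEADER
 end
+
+def truncate_table str
+@terminal_width ||= if @tracker.options[:table_width]
+@tracker.options[:table_width]
+elsif $stdin && $stdin.tty?
+Brakeman.load_brakeman_dependency 'highline'
+::HighLine.default_instance.terminal.terminal_size[0]
+else
+80
+end
+lines = str.lines
+
+lines.map do |line|
+if line.chomp.length > @terminal_width
+line[0..(@terminal_width - 3)] + ">>\n"
+else
+line
+end
+end.join
+end
 end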
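Review bot: `truncate_table` decides whether to query the terminal size with `$stdin && $stdin.tty?`, but the table is written to standard output; when stdout is redirected to a file while stdin is still a terminal the report is truncated to the terminal width, and when stdout is a tty but stdin is piped it silently falls back to 80. `$stdout.tty?` matches what the width is actually for. HighLine's `terminal_size` can also yield `nil` for an unknown terminal, which would leave `@terminal_width` `nil` and make `line.chomp.length > @terminal_width` raise — hedged, since HighLine is outside this diff; `(::HighLine.default_instance.terminal.terminal_size[0] || 80)` keeps the existing fallback. A configured `:table_width` below 3 makes the slice index negative, so `@terminal_width.clamp(3, ...)`-style validation, or a comment stating the minimum, is worth adding.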
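--- a/data/lib/brakeman/report/report_tabs.rb
+++ b/data/lib/brakeman/report/report_tabs.rb
@@ -10,7 +10,7 @@ class Brakeman::Report::Tabs < Brakeman::Report::Table
 self.send(meth).map do |w|
 line = w.line || 0
 w.warning_type.gsub!(/[^\w\s]/, ' ')
-"#{
+"#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
 end.join "\n"
 
 end.join "\n"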
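Review bot: The rebuilt tab-separated line wraps its first interpolation in redundant parentheses, `#{(w.file.absolute)}`; `#{w.file.absolute}` reads the same. The tabs report also always emits the absolute path here regardless of the `:absolute_paths` option that `Report::Base#absolute_paths?` exposes; if that is deliberate for this format, a short comment on the line would record it, otherwise `warning_file(w)` would honour the option. The enclosing method starts before the hunk.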
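--- a/data/lib/brakeman/report/report_text.rb
+++ b/data/lib/brakeman/report/report_text.rb
@@ -201,8 +201,8 @@ class Brakeman::Report::Text < Brakeman::Report::Base
 
 # ONLY used for generate_controllers to avoid duplication
 def render_array name, cols, values, locals
-controllers = values.map do |
-c = [ label("Controller",
+controllers = values.map do |controller_name, parent, includes, routes|
+c = [ label("Controller", controller_name) ]
 c << label("Parent", parent) unless parent.empty?
 c << label("Includes", includes) unless includes.empty?
 c << label("Routes", routes)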
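--- a/data/lib/brakeman/rescanner.rb
+++ b/data/lib/brakeman/rescanner.rb
@@ -13,7 +13,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 def initialize options, processor, changed_files
 super(options, processor)
 
-@paths = changed_files.map {|f|
+@paths = changed_files.map {|f| tracker.app_tree.file_path(f) }
 @old_results = tracker.filtered_warnings #Old warnings from previous scan
 @changes = nil #True if files had to be rescanned
 @reindex = Set.new
@@ -67,7 +67,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 def rescan_file path, type = nil
 type ||= file_type path
 
-unless
+unless path.exists?
 return rescan_deleted_file path, type
 end
 
@@ -127,14 +127,14 @@ class Brakeman::Rescanner < Brakeman::Scanner
 end
 
 def rescan_template path
-return unless path.match KNOWN_TEMPLATE_EXTENSIONS and
+return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS and path.exists?
 
 template_name = template_path_to_name(path)
 
 tracker.reset_template template_name
-fp = Brakeman::FileParser.new(tracker
+fp = Brakeman::FileParser.new(tracker)
 template_parser = Brakeman::TemplateParser.new(tracker, fp)
-template_parser.parse_template path,
+template_parser.parse_template path, path.read
 process_template fp.file_list[:templates].first
 
 @processor.process_template_alias tracker.templates[template_name]
@@ -226,9 +226,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
 end
 
 def rescan_initializer path
+tracker.reset_initializer path
+
 parse_ruby_files([path]).each do |astfile|
 process_initializer astfile
 end
+
+@reindex << :initializers
 end
 
 #Handle rescanning when a file is deleted
@@ -256,16 +260,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
 end
 
 def rescan_deleted_template path
-return unless path.match KNOWN_TEMPLATE_EXTENSIONS
+return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS
 
 template_name = template_path_to_name(path)
 
 #Remove template
 tracker.reset_template template_name
 
-rendered_from_controller = /^#{template_name}\.(.+Controller)#(.+)/
-rendered_from_view = /^#{template_name}\.Template:(.+)/
-
 #Remove any rendered versions, or partials rendered from it
 tracker.templates.delete_if do |_name, template|
 template.file == path or template.name.to_sym == template_name.to_sym
@@ -371,7 +372,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 next unless template.render_path
 
 if template.render_path.include_any_method? method_names
-name.to_s.match
+name.to_s.match(/^([^.]+)/)
 
 original = tracker.templates[$1.to_sym]
 
@@ -388,8 +389,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
 end
 
 def parse_ruby_files list
-paths = list.select
-file_parser = Brakeman::FileParser.new(tracker
+paths = list.select(&:exists?)
+file_parser = Brakeman::FileParser.new(tracker)
 file_parser.parse_files paths, :rescan
 file_parser.file_list[:rescan]
 end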
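Review bot: `rescan_deleted_template` keeps the context line `template.file == path`, but `path` is now the `Brakeman::FilePath` produced by `tracker.app_tree.file_path` in `initialize` rather than a string, so the comparison only works if `FilePath` defines `==`; if it does not, deleted templates are never purged from `tracker.templates` and stale warnings survive the rescan. Comparing `template.file.relative == path.relative` would not depend on that — hedged, because `file_path.rb` is outside this diff. In the `include_any_method?` branch, `name.to_s.match(/^([^.]+)/)` followed by `$1` on the next line is the idiom RuboCop flags; `Regexp.last_match(1)` or a named capture keeps the behaviour and is easier to follow. Several of these methods (`rescan_file`, `rescan_deleted_template`, the `include_any_method?` loop) start or end outside their hunks.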