brakeman-lib 4.4.0 → 4.7.0

data/lib/brakeman/processors/slim_template_processor.rb

@@ -8,6 +8,7 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
   OUTPUT_BUFFER = s(:ivar, :@output_buffer)
   TEMPLE_UTILS = s(:colon2, s(:colon3, :Temple), :Utils)
   ATTR_MERGE = s(:call, s(:call, s(:array), :reject, s(:block_pass, s(:lit, :empty?))), :join, s(:str, " "))
+  EMBEDDED_FILTER = s(:const, :BrakemanFilter)
 
   def process_call exp
     target = exp.target
@@ -44,6 +45,21 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
     end
   end
 
+  def normalize_output arg
+    arg = super(arg)
+
+    if embedded_filter? arg
+      super(arg.first_arg)
+    else
+      arg
+    end
+  end
+
+  # Handle our "fake" embedded filters
+  def embedded_filter? arg
+    call? arg and arg.method == :render and arg.target == EMBEDDED_FILTER
+  end
+
   #Slim likes to interpolate output into strings then pass them to safe_concat.
   #Better to pull those values out directly.
   def process_inside_interp exp

data/lib/brakeman/processors/template_alias_processor.rb

@@ -14,25 +14,52 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
   def initialize tracker, template, called_from = nil
     super tracker
     @template = template
+    @current_file = template.file
     @called_from = called_from
   end
 
   #Process template
-  def process_template name, args, _, line = nil, file_name = nil
-    @file_name = file_name || relative_path(@template.file || @tracker.templates[@template.name])
-
+  def process_template name, args, _, line = nil
     if @called_from
       if @called_from.include_template? name
         Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
         return
       end
 
-      super name, args, @called_from.dup.add_template_render(@template.name, line, @file_name)
+      super name, args, @called_from.dup.add_template_render(@template.name, line, @current_file), line
+    else
+      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @current_file), line
+    end
+  end
+
+  def process_lasgn exp
+    if exp.lhs == :haml_temp or haml_capture? exp.rhs
+      exp.rhs = process exp.rhs
+
+      # Avoid propagating contents of block
+      if node_type? exp.rhs, :iter
+        new_exp = exp.dup
+        new_exp.rhs = exp.rhs.block_call
+
+        super new_exp
+
+        exp # Still save the original, though
+      else
+        super exp
+      end
     else
-      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @file_name)
+      super exp
     end
   end
 
+  HAML_CAPTURE = [:capture, :capture_haml]
+
+  def haml_capture? exp
+    node_type? exp, :iter and
+      call? exp.block_call and
+      HAML_CAPTURE.include? exp.block_call.method
+  end
+
   #Determine template name
   def template_name name
     if !name.to_s.include?('/') && @template.name.to_s.include?('/')

data/lib/brakeman/processors/template_processor.rb

@@ -5,10 +5,10 @@ require 'brakeman/tracker/template'
 class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
 
   #Initializes template information.
-  def initialize tracker, template_name, called_from = nil, file_name = nil
-    super(tracker) 
-    @current_template = Brakeman::Template.new template_name, called_from, file_name, tracker
-    @file_name = file_name
+  def initialize tracker, template_name, called_from = nil, current_file = nil
+    super(tracker)
+    @current_template = Brakeman::Template.new template_name, called_from, current_file, tracker
+    @current_file = @current_template.file
 
     if called_from
       template_name = (template_name.to_s + "." + called_from.to_s).to_sym
@@ -61,9 +61,9 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
       branches = [arg.then_clause, arg.else_clause].compact
 
       if branches.empty?
-        s(:nil)
+        s(:nil).line(arg.line)
       elsif branches.length == 2
-        Sexp.new(:or, *branches)
+        Sexp.new(:or, *branches).line(arg.line)
       else
         branches.first
       end
@@ -77,9 +77,13 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   end
 
   def add_output output, type = :output
-    s = Sexp.new(type, output)
-    s.line(output.line)
-    @current_template.add_output s
-    s
+    if node_type? output, :or
+      Sexp.new(:or, add_output(output.lhs, type), add_output(output.rhs, type)).line(output.line)
+    else
+      s = Sexp.new(type, output)
+      s.line(output.line)
+      @current_template.add_output s
+      s
+    end
   end
 end

data/lib/brakeman/report.rb

@@ -8,8 +8,8 @@ class Brakeman::Report
 
   VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text]
 
-  def initialize app_tree, tracker
-    @app_tree = app_tree
+  def initialize tracker
+    @app_tree = tracker.app_tree
     @tracker = tracker
   end
 
@@ -83,6 +83,6 @@ class Brakeman::Report
   alias to_s to_text
 
   def generate reporter
-    reporter.new(@app_tree, @tracker).generate_report
+    reporter.new(@tracker).generate_report
   end
 end

data/lib/brakeman/report/ignore/config.rb

@@ -22,6 +22,7 @@ module Brakeman
     def filter_ignored
       @shown_warnings = []
       @ignored_warnings = []
+      @used_fingerprints = Set.new
 
       @new_warnings.each do |w|
         if ignored? w
@@ -112,9 +113,7 @@ module Brakeman
     def save_to_file warnings, file = @file
       warnings = warnings.map do |w|
         if w.is_a? Warning
-          w_hash = w.to_hash
-          w_hash[:file] = w.relative_path
-          w = w_hash
+          w = w.to_hash(absolute_paths: false)
         end
 
         w[:note] = @notes[w[:fingerprint]] || ""

data/lib/brakeman/report/ignore/interactive.rb

@@ -280,9 +280,9 @@ q - Quit, do not update ignored warnings
         say warning.format_code
       end
 
-      if warning.relative_path
+      if warning.file
         label "File"
-        say warning.relative_path
+        say warning.file.relative
       end
 
       if warning.line

data/lib/brakeman/report/pager.rb

@@ -4,6 +4,7 @@ module Brakeman
       @tracker = tracker
       @pager = pager
       @output = output
+      @less_available = @less_options = nil
     end
 
     def page_report report, format

data/lib/brakeman/report/report_base.rb

@@ -13,8 +13,8 @@ class Brakeman::Report::Base
 
   TEXT_CONFIDENCE = Brakeman::Warning::TEXT_CONFIDENCE
 
-  def initialize app_tree, tracker
-    @app_tree = app_tree
+  def initialize tracker
+    @app_tree = tracker.app_tree
     @tracker = tracker
     @checks = tracker.checks
     @ignore_filter = tracker.ignored_filter
@@ -123,16 +123,52 @@ class Brakeman::Report::Base
     Set.new(tracker.templates.map {|k,v| v.name.to_s[/[^.]+/]}).length
   end
 
-  def warning_file warning, absolute = @tracker.options[:absolute_paths]
+  def absolute_paths?
+    @tracker.options[:absolute_paths]
+  end
+
+  def warning_file warning
     return nil if warning.file.nil?
 
-    if absolute
-      warning.file
+    if absolute_paths?
+      warning.file.absolute
     else
-      relative_path warning.file
+      warning.file.relative
     end
   end
 
+  #Return array of lines surrounding the warning location from the original
+  #file.
+  def context_for warning
+    file = warning.file
+    context = []
+    return context unless warning.line and file and file.exists?
+
+    current_line = 0
+    start_line = warning.line - 5
+    end_line = warning.line + 5
+
+    start_line = 1 if start_line < 0
+
+    File.open file do |f|
+      f.each_line do |line|
+        current_line += 1
+
+        next if line.strip == ""
+
+        if current_line > end_line
+          break
+        end
+
+        if current_line >= start_line
+          context << [current_line, line]
+        end
+      end
+    end
+
+    context
+  end
+
   def rails_version
     case
     when tracker.config.rails_version
@@ -145,4 +181,13 @@ class Brakeman::Report::Base
       "Unknown"
     end
   end
+
+  def github_url file, line=nil
+    if repo_url = @tracker.options[:github_url] and file
+      url = "#{repo_url}/#{file.relative}"
+      url << "#L#{line}" if line
+    else
+      nil
+    end
+  end
 end

data/lib/brakeman/report/report_codeclimate.rb

@@ -70,10 +70,10 @@ class Brakeman::Report::CodeClimate < Brakeman::Report::Base
   end
 
   def file_path(warning)
-    fp = Pathname.new(warning.relative_path)
     if tracker.options[:path_prefix]
-      fp = Pathname.new(tracker.options[:path_prefix]) + fp
+      (Pathname.new(tracker.options[:path_prefix]) + Pathname.new(warning.file.relative)).to_s
+    else
+      warning.file
     end
-    fp.to_s
   end
 end

data/lib/brakeman/report/report_hash.rb

@@ -11,7 +11,7 @@ class Brakeman::Report::Hash < Brakeman::Report::Base
       report[meth] = self.send(meth)
       report[meth].each do |w|
         w.message = w.format_message
-        w.context = context_for(@app_tree, w).join("\n")
+        w.context = context_for(w).join("\n")
       end
     end
 

data/lib/brakeman/report/report_html.rb

@@ -86,7 +86,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Table
 
   def convert_ignored_warning warning, original
     warning = convert_warning(warning, original)
-    warning['File'] = original.relative_path
+    warning['File'] = original.file.relative
     warning['Note'] = CGI.escapeHTML(@ignore_filter.note_for(original) || "")
     warning
   end
@@ -113,7 +113,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Table
   #Generate HTML for warnings, including context show/hidden via Javascript
   def with_context warning, message
     @element_id += 1
-    context = context_for(@app_tree, warning)
+    context = context_for(warning)
     message = html_message(warning, message)
 
     code_id = "context#@element_id"

data/lib/brakeman/report/report_json.rb

@@ -37,30 +37,7 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
 
   def convert_to_hashes warnings
     warnings.map do |w|
-      hash = w.to_hash
-      hash[:render_path] = convert_render_path hash[:render_path]
-      hash[:file] = warning_file w
-
-      hash
+      w.to_hash(absolute_paths: false)
     end.sort_by { |w| "#{w[:fingerprint]}#{w[:line]}" }
   end
-
-  def convert_render_path render_path
-    return unless render_path and not @tracker.options[:absolute_paths]
-
-    render_path.map do |r|
-      r = r.dup
-
-      if r[:file]
-        r[:file] = relative_path(r[:file])
-      end
-
-      if r[:rendered] and r[:rendered][:file]
-        r[:rendered] = r[:rendered].dup
-        r[:rendered][:file] = relative_path(r[:rendered][:file])
-      end
-
-      r
-    end
-  end
 end

data/lib/brakeman/report/report_table.rb

@@ -199,10 +199,6 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     end
   end
 
-  def convert_warning warning, original
-    warning
-  end
-
   def convert_ignored_warning warning, original
     convert_warning warning, original
   end
@@ -271,4 +267,24 @@ Duration: #{tracker.duration} seconds
 Checks run: #{checks.checks_run.sort.join(", ")}
 HEADER
   end
+
+  def truncate_table str
+    @terminal_width ||= if @tracker.options[:table_width]
+                          @tracker.options[:table_width]
+                        elsif $stdin && $stdin.tty?
+                          Brakeman.load_brakeman_dependency 'highline'
+                          ::HighLine.default_instance.terminal.terminal_size[0]
+                        else
+                          80
+                        end
+    lines = str.lines
+
+    lines.map do |line|
+      if line.chomp.length > @terminal_width
+        line[0..(@terminal_width - 3)] + ">>\n"
+      else
+        line
+      end
+    end.join
+  end
 end

data/lib/brakeman/report/report_tabs.rb

@@ -10,7 +10,7 @@ class Brakeman::Report::Tabs < Brakeman::Report::Table
       self.send(meth).map do |w|
         line = w.line || 0
         w.warning_type.gsub!(/[^\w\s]/, ' ')
-        "#{warning_file(w, :absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
+        "#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
       end.join "\n"
 
     end.join "\n"

data/lib/brakeman/report/report_text.rb

@@ -201,8 +201,8 @@ class Brakeman::Report::Text < Brakeman::Report::Base
 
   # ONLY used for generate_controllers to avoid duplication
   def render_array name, cols, values, locals
-    controllers = values.map do |name, parent, includes, routes|
-      c = [ label("Controller", name) ]
+    controllers = values.map do |controller_name, parent, includes, routes|
+      c = [ label("Controller", controller_name) ]
       c << label("Parent", parent) unless parent.empty?
       c << label("Includes", includes) unless includes.empty?
       c << label("Routes", routes)

data/lib/brakeman/rescanner.rb

@@ -13,7 +13,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def initialize options, processor, changed_files
     super(options, processor)
 
-    @paths = changed_files.map {|f| @app_tree.expand_path(f) }
+    @paths = changed_files.map {|f| tracker.app_tree.file_path(f) }
     @old_results = tracker.filtered_warnings  #Old warnings from previous scan
     @changes = nil                 #True if files had to be rescanned
     @reindex = Set.new
@@ -67,7 +67,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def rescan_file path, type = nil
     type ||= file_type path
 
-    unless @app_tree.path_exists?(path)
+    unless path.exists?
       return rescan_deleted_file path, type
     end
 
@@ -127,14 +127,14 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_template path
-    return unless path.match KNOWN_TEMPLATE_EXTENSIONS and @app_tree.path_exists?(path)
+    return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS and path.exists?
 
     template_name = template_path_to_name(path)
 
     tracker.reset_template template_name
-    fp = Brakeman::FileParser.new(tracker, @app_tree)
+    fp = Brakeman::FileParser.new(tracker)
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
-    template_parser.parse_template path, @app_tree.read_path(path)
+    template_parser.parse_template path, path.read
     process_template fp.file_list[:templates].first
 
     @processor.process_template_alias tracker.templates[template_name]
@@ -226,9 +226,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_initializer path
+    tracker.reset_initializer path
+
     parse_ruby_files([path]).each do |astfile|
       process_initializer astfile
     end
+
+    @reindex << :initializers
   end
 
   #Handle rescanning when a file is deleted
@@ -256,16 +260,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_deleted_template path
-    return unless path.match KNOWN_TEMPLATE_EXTENSIONS
+    return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS
 
     template_name = template_path_to_name(path)
 
     #Remove template
     tracker.reset_template template_name
 
-    rendered_from_controller = /^#{template_name}\.(.+Controller)#(.+)/
-    rendered_from_view = /^#{template_name}\.Template:(.+)/
-
     #Remove any rendered versions, or partials rendered from it
     tracker.templates.delete_if do |_name, template|
       template.file == path or template.name.to_sym == template_name.to_sym
@@ -371,7 +372,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
       next unless template.render_path
 
       if template.render_path.include_any_method? method_names
-        name.to_s.match /^([^.]+)/
+        name.to_s.match(/^([^.]+)/)
 
         original = tracker.templates[$1.to_sym]
 
@@ -388,8 +389,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def parse_ruby_files list
-    paths = list.select { |path| @app_tree.path_exists? path }
-    file_parser = Brakeman::FileParser.new(tracker, @app_tree)
+    paths = list.select(&:exists?)
+    file_parser = Brakeman::FileParser.new(tracker)
     file_parser.parse_files paths, :rescan
     file_parser.file_list[:rescan]
   end