brakeman-lib 4.5.0 → 4.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGES.md +15 -0
- data/README.md +6 -6
- data/lib/brakeman.rb +7 -0
- data/lib/brakeman/app_tree.rb +34 -22
- data/lib/brakeman/checks.rb +7 -7
- data/lib/brakeman/checks/base_check.rb +9 -9
- data/lib/brakeman/checks/check_cross_site_scripting.rb +5 -0
- data/lib/brakeman/checks/check_default_routes.rb +5 -0
- data/lib/brakeman/checks/check_deserialize.rb +52 -0
- data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
- data/lib/brakeman/checks/check_force_ssl.rb +27 -0
- data/lib/brakeman/checks/check_json_parsing.rb +5 -0
- data/lib/brakeman/checks/check_link_to_href.rb +6 -1
- data/lib/brakeman/checks/check_mail_to.rb +1 -1
- data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
- data/lib/brakeman/checks/check_model_attributes.rb +12 -50
- data/lib/brakeman/checks/check_model_serialize.rb +1 -1
- data/lib/brakeman/checks/check_nested_attributes_bypass.rb +3 -3
- data/lib/brakeman/checks/check_secrets.rb +1 -1
- data/lib/brakeman/checks/check_session_settings.rb +10 -10
- data/lib/brakeman/checks/check_simple_format.rb +5 -0
- data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
- data/lib/brakeman/checks/check_sql.rb +15 -17
- data/lib/brakeman/checks/check_validation_regex.rb +1 -1
- data/lib/brakeman/file_parser.rb +6 -8
- data/lib/brakeman/file_path.rb +71 -0
- data/lib/brakeman/options.rb +7 -0
- data/lib/brakeman/parsers/template_parser.rb +3 -3
- data/lib/brakeman/processor.rb +3 -4
- data/lib/brakeman/processors/alias_processor.rb +12 -6
- data/lib/brakeman/processors/base_processor.rb +8 -7
- data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
- data/lib/brakeman/processors/controller_processor.rb +5 -9
- data/lib/brakeman/processors/haml_template_processor.rb +5 -0
- data/lib/brakeman/processors/lib/module_helper.rb +8 -8
- data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
- data/lib/brakeman/processors/lib/rails2_config_processor.rb +3 -3
- data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
- data/lib/brakeman/processors/lib/render_helper.rb +2 -2
- data/lib/brakeman/processors/lib/render_path.rb +18 -1
- data/lib/brakeman/processors/library_processor.rb +5 -5
- data/lib/brakeman/processors/model_processor.rb +4 -5
- data/lib/brakeman/processors/output_processor.rb +5 -0
- data/lib/brakeman/processors/template_alias_processor.rb +4 -5
- data/lib/brakeman/processors/template_processor.rb +4 -4
- data/lib/brakeman/report.rb +3 -3
- data/lib/brakeman/report/ignore/config.rb +2 -3
- data/lib/brakeman/report/ignore/interactive.rb +2 -2
- data/lib/brakeman/report/pager.rb +1 -0
- data/lib/brakeman/report/report_base.rb +51 -6
- data/lib/brakeman/report/report_codeclimate.rb +3 -3
- data/lib/brakeman/report/report_hash.rb +1 -1
- data/lib/brakeman/report/report_html.rb +2 -2
- data/lib/brakeman/report/report_json.rb +1 -24
- data/lib/brakeman/report/report_table.rb +20 -4
- data/lib/brakeman/report/report_tabs.rb +1 -1
- data/lib/brakeman/report/report_text.rb +2 -2
- data/lib/brakeman/rescanner.rb +9 -12
- data/lib/brakeman/scanner.rb +19 -14
- data/lib/brakeman/tracker.rb +4 -4
- data/lib/brakeman/tracker/collection.rb +4 -3
- data/lib/brakeman/tracker/config.rb +6 -0
- data/lib/brakeman/util.rb +1 -147
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +23 -13
- data/lib/brakeman/warning_codes.rb +1 -0
- data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
- metadata +20 -10
@@ -12,24 +12,23 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
|
|
12
12
|
@current_method = nil
|
13
13
|
@current_module = nil
|
14
14
|
@visibility = :public
|
15
|
-
@
|
15
|
+
@current_file = nil
|
16
16
|
end
|
17
17
|
|
18
18
|
#Process model source
|
19
|
-
def process_model src,
|
20
|
-
@
|
19
|
+
def process_model src, current_file = @current_file
|
20
|
+
@current_file = current_file
|
21
21
|
process src
|
22
22
|
end
|
23
23
|
|
24
24
|
#s(:class, NAME, PARENT, BODY)
|
25
25
|
def process_class exp
|
26
26
|
name = class_name(exp.class_name)
|
27
|
-
parent = class_name(exp.parent_name)
|
28
27
|
|
29
28
|
#If inside an inner class we treat it as a library.
|
30
29
|
if @current_class
|
31
30
|
Brakeman.debug "[Notice] Treating inner class as library: #{name}"
|
32
|
-
Brakeman::LibraryProcessor.new(@tracker).process_library exp, @
|
31
|
+
Brakeman::LibraryProcessor.new(@tracker).process_library exp, @current_file
|
33
32
|
return exp
|
34
33
|
end
|
35
34
|
|
@@ -8,6 +8,11 @@ require 'brakeman/util'
|
|
8
8
|
class Brakeman::OutputProcessor < Ruby2Ruby
|
9
9
|
include Brakeman::Util
|
10
10
|
|
11
|
+
def initialize *args
|
12
|
+
super
|
13
|
+
@user_input = nil
|
14
|
+
end
|
15
|
+
|
11
16
|
#Copies +exp+ and then formats it.
|
12
17
|
def format exp, user_input = nil, &block
|
13
18
|
@user_input = user_input
|
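Review bot: The new `initialize` (new lines 11–14) carries no comment saying why `@user_input` is reset to nil there when `format` on new line 18 assigns it anyway; presumably it is so that methods reading the variable before the first `format` call see nil rather than an uninitialized instance variable, but a reader cannot tell from the code. A one-line comment above the method would settle it: `# Pre-set @user_input so code that reads it before format is called sees nil`. `def initialize *args` with a bare `super` forwards arguments and block correctly; `def initialize(*)` would make the pure pass-through intent explicit. The body of `format` continues outside the hunk.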
@@ -14,22 +14,21 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
|
|
14
14
|
def initialize tracker, template, called_from = nil
|
15
15
|
super tracker
|
16
16
|
@template = template
|
17
|
+
@current_file = template.file
|
17
18
|
@called_from = called_from
|
18
19
|
end
|
19
20
|
|
20
21
|
#Process template
|
21
|
-
def process_template name, args, _, line = nil
|
22
|
-
@file_name = file_name || relative_path(@template.file || @tracker.templates[@template.name])
|
23
|
-
|
22
|
+
def process_template name, args, _, line = nil
|
24
23
|
if @called_from
|
25
24
|
if @called_from.include_template? name
|
26
25
|
Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"
|
27
26
|
return
|
28
27
|
end
|
29
28
|
|
30
|
-
super name, args, @called_from.dup.add_template_render(@template.name, line, @
|
29
|
+
super name, args, @called_from.dup.add_template_render(@template.name, line, @current_file), line
|
31
30
|
else
|
32
|
-
super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @
|
31
|
+
super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @current_file), line
|
33
32
|
end
|
34
33
|
end
|
35
34
|
|
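Review bot: `@current_file = template.file` on new line 17 drops the fallback the removed line 22 had (`@template.file || @tracker.templates[@template.name]`), so if `template.file` can be nil, `add_template_render` on new lines 29 and 31 now records a nil file where the old code substituted the tracker's entry. If that fallback is still needed, keep it on the assignment, e.g. `@current_file = template.file || @tracker.templates[@template.name].file`, though whether that lookup yields something with a usable `file` is not visible in this hunk. If `template.file` is now guaranteed by the template class, a short comment on line 17 saying so would spare the next reader the same question.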
@@ -5,10 +5,10 @@ require 'brakeman/tracker/template'
|
|
5
5
|
class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
|
6
6
|
|
7
7
|
#Initializes template information.
|
8
|
-
def initialize tracker, template_name, called_from = nil,
|
9
|
-
super(tracker)
|
10
|
-
@current_template = Brakeman::Template.new template_name, called_from,
|
11
|
-
@
|
8
|
+
def initialize tracker, template_name, called_from = nil, current_file = nil
|
9
|
+
super(tracker)
|
10
|
+
@current_template = Brakeman::Template.new template_name, called_from, current_file, tracker
|
11
|
+
@current_file = @current_template.file
|
12
12
|
|
13
13
|
if called_from
|
14
14
|
template_name = (template_name.to_s + "." + called_from.to_s).to_sym
|
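Review bot: The `#Initializes template information.` comment on new line 7 does not mention the new fourth parameter, and as an optional positional argument `current_file` is invisible at call sites. Document it, e.g. `#Initializes template information. +current_file+ is the path of the template's source file, if already known; it is handed to Brakeman::Template and then read back into @current_file.` — both of those facts are visible on new lines 10–11. The rest of `initialize` continues past the hunk.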
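--- a/data/lib/brakeman/report.rb
+++ b/data/lib/brakeman/report.rb
@@ -8,8 +8,8 @@ class Brakeman::Report
 
 VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text]
 
-def initialize
-@app_tree = app_tree
+def initialize tracker
+@app_tree = tracker.app_tree
 @tracker = tracker
 end
 
@@ -83,6 +83,6 @@ class Brakeman::Report
 alias to_s to_text
 
 def generate reporter
-reporter.new(@
+reporter.new(@tracker).generate_report
 end
 end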
@@ -22,6 +22,7 @@ module Brakeman
|
|
22
22
|
def filter_ignored
|
23
23
|
@shown_warnings = []
|
24
24
|
@ignored_warnings = []
|
25
|
+
@used_fingerprints = Set.new
|
25
26
|
|
26
27
|
@new_warnings.each do |w|
|
27
28
|
if ignored? w
|
@@ -112,9 +113,7 @@ module Brakeman
|
|
112
113
|
def save_to_file warnings, file = @file
|
113
114
|
warnings = warnings.map do |w|
|
114
115
|
if w.is_a? Warning
|
115
|
-
|
116
|
-
w_hash[:file] = w.relative_path
|
117
|
-
w = w_hash
|
116
|
+
w = w.to_hash(absolute_paths: false)
|
118
117
|
end
|
119
118
|
|
120
119
|
w[:note] = @notes[w[:fingerprint]] || ""
|
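Review bot: `@used_fingerprints = Set.new` on new line 25 needs `require 'set'` on Ruby versions that do not autoload `Set`; whether this file already requires it is outside the hunk, so confirm before relying on it. In `save_to_file`, `w.to_hash(absolute_paths: false)` on new line 116 pins the ignore file to relative paths, which is presumably what the fingerprint lookup on line 119 expects; a comment such as `# ignore entries are keyed by fingerprint and stored with relative paths so the file is portable between checkouts` would record that intent. The remainder of both methods is outside the hunk.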
@@ -13,8 +13,8 @@ class Brakeman::Report::Base
|
|
13
13
|
|
14
14
|
TEXT_CONFIDENCE = Brakeman::Warning::TEXT_CONFIDENCE
|
15
15
|
|
16
|
-
def initialize
|
17
|
-
@app_tree = app_tree
|
16
|
+
def initialize tracker
|
17
|
+
@app_tree = tracker.app_tree
|
18
18
|
@tracker = tracker
|
19
19
|
@checks = tracker.checks
|
20
20
|
@ignore_filter = tracker.ignored_filter
|
@@ -123,16 +123,52 @@ class Brakeman::Report::Base
|
|
123
123
|
Set.new(tracker.templates.map {|k,v| v.name.to_s[/[^.]+/]}).length
|
124
124
|
end
|
125
125
|
|
126
|
-
def
|
126
|
+
def absolute_paths?
|
127
|
+
@tracker.options[:absolute_paths]
|
128
|
+
end
|
129
|
+
|
130
|
+
def warning_file warning
|
127
131
|
return nil if warning.file.nil?
|
128
132
|
|
129
|
-
if
|
130
|
-
warning.file
|
133
|
+
if absolute_paths?
|
134
|
+
warning.file.absolute
|
131
135
|
else
|
132
|
-
|
136
|
+
warning.file.relative
|
133
137
|
end
|
134
138
|
end
|
135
139
|
|
140
|
+
#Return array of lines surrounding the warning location from the original
|
141
|
+
#file.
|
142
|
+
def context_for warning
|
143
|
+
file = warning.file
|
144
|
+
context = []
|
145
|
+
return context unless warning.line and file and file.exists?
|
146
|
+
|
147
|
+
current_line = 0
|
148
|
+
start_line = warning.line - 5
|
149
|
+
end_line = warning.line + 5
|
150
|
+
|
151
|
+
start_line = 1 if start_line < 0
|
152
|
+
|
153
|
+
File.open file do |f|
|
154
|
+
f.each_line do |line|
|
155
|
+
current_line += 1
|
156
|
+
|
157
|
+
next if line.strip == ""
|
158
|
+
|
159
|
+
if current_line > end_line
|
160
|
+
break
|
161
|
+
end
|
162
|
+
|
163
|
+
if current_line >= start_line
|
164
|
+
context << [current_line, line]
|
165
|
+
end
|
166
|
+
end
|
167
|
+
end
|
168
|
+
|
169
|
+
context
|
170
|
+
end
|
171
|
+
|
136
172
|
def rails_version
|
137
173
|
case
|
138
174
|
when tracker.config.rails_version
|
@@ -145,4 +181,13 @@ class Brakeman::Report::Base
|
|
145
181
|
"Unknown"
|
146
182
|
end
|
147
183
|
end
|
184
|
+
|
185
|
+
def github_url file, line=nil
|
186
|
+
if repo_url = @tracker.options[:github_url] and file
|
187
|
+
url = "#{repo_url}/#{file.relative}"
|
188
|
+
url << "#L#{line}" if line
|
189
|
+
else
|
190
|
+
nil
|
191
|
+
end
|
192
|
+
end
|
148
193
|
end
|
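Review bot: `File.open file` on new line 153 of `context_for` passes `warning.file`, which the surrounding code treats as a path object (`file.exists?` on line 145, `.absolute`/`.relative` in `warning_file`) rather than a String; `File.open` accepts such an object only if it implements `to_path` or `to_str`, which this hunk cannot show, so `File.open file.absolute do |f|` would be the unambiguous form. The clamp `start_line = 1 if start_line < 0` on new line 151 leaves `start_line` at 0 when `warning.line` is 5 — harmless because `current_line` starts at 1, but `if start_line < 1` states the intent. In `github_url` (new lines 185–192) `file.relative` is interpolated into the URL verbatim, so a path containing spaces or `#` yields a broken link; escaping each path segment would avoid that. If the file carries `# frozen_string_literal: true` (not visible here), `url << "#L#{line}"` on line 188 raises on Ruby 2.x where interpolated literals are frozen too, and `url += "#L#{line}"` sidesteps it. The `case` in `rails_version` continues past the hunk.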
@@ -70,10 +70,10 @@ class Brakeman::Report::CodeClimate < Brakeman::Report::Base
|
|
70
70
|
end
|
71
71
|
|
72
72
|
def file_path(warning)
|
73
|
-
fp = Pathname.new(warning.relative_path)
|
74
73
|
if tracker.options[:path_prefix]
|
75
|
-
|
74
|
+
(Pathname.new(tracker.options[:path_prefix]) + Pathname.new(warning.file.relative)).to_s
|
75
|
+
else
|
76
|
+
warning.file
|
76
77
|
end
|
77
|
-
fp.to_s
|
78
78
|
end
|
79
79
|
end
|
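Review bot: The two branches of `file_path` no longer return the same type: the `if` branch (new line 74) returns a String via `.to_s`, while the `else` branch (new line 76) returns `warning.file` itself, the path object, where the removed code returned `fp.to_s` in both cases. Whatever consumes the result — presumably the CodeClimate issue hash serialized further down, outside the hunk — will then get whatever that object's `to_s`/`to_json` produce instead of a relative path string. Returning `warning.file.relative` in the `else` branch keeps the old contract and matches the `Pathname.new(warning.file.relative)` used on line 74.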
@@ -86,7 +86,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Table
|
|
86
86
|
|
87
87
|
def convert_ignored_warning warning, original
|
88
88
|
warning = convert_warning(warning, original)
|
89
|
-
warning['File'] = original.
|
89
|
+
warning['File'] = original.file.relative
|
90
90
|
warning['Note'] = CGI.escapeHTML(@ignore_filter.note_for(original) || "")
|
91
91
|
warning
|
92
92
|
end
|
@@ -113,7 +113,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Table
|
|
113
113
|
#Generate HTML for warnings, including context show/hidden via Javascript
|
114
114
|
def with_context warning, message
|
115
115
|
@element_id += 1
|
116
|
-
context = context_for(
|
116
|
+
context = context_for(warning)
|
117
117
|
message = html_message(warning, message)
|
118
118
|
|
119
119
|
code_id = "context#@element_id"
|
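Review bot: `warning['File'] = original.file.relative` on new line 89 stores the path unescaped while the `Note` on the next line goes through `CGI.escapeHTML`; if the HTML template does not escape cell values itself (not visible here), the file cell should be treated the same way: `warning['File'] = CGI.escapeHTML(original.file.relative)`. `convert_warning`, called on line 88, is defined outside the hunk, so it cannot be seen whether it already escapes a `File` value that this line then overwrites.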
@@ -37,30 +37,7 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
|
|
37
37
|
|
38
38
|
def convert_to_hashes warnings
|
39
39
|
warnings.map do |w|
|
40
|
-
|
41
|
-
hash[:render_path] = convert_render_path hash[:render_path]
|
42
|
-
hash[:file] = warning_file w
|
43
|
-
|
44
|
-
hash
|
40
|
+
w.to_hash(absolute_paths: false)
|
45
41
|
end.sort_by { |w| "#{w[:fingerprint]}#{w[:line]}" }
|
46
42
|
end
|
47
|
-
|
48
|
-
def convert_render_path render_path
|
49
|
-
return unless render_path and not @tracker.options[:absolute_paths]
|
50
|
-
|
51
|
-
render_path.map do |r|
|
52
|
-
r = r.dup
|
53
|
-
|
54
|
-
if r[:file]
|
55
|
-
r[:file] = relative_path(r[:file])
|
56
|
-
end
|
57
|
-
|
58
|
-
if r[:rendered] and r[:rendered][:file]
|
59
|
-
r[:rendered] = r[:rendered].dup
|
60
|
-
r[:rendered][:file] = relative_path(r[:rendered][:file])
|
61
|
-
end
|
62
|
-
|
63
|
-
r
|
64
|
-
end
|
65
|
-
end
|
66
43
|
end
|
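Review bot: `convert_to_hashes` now calls `w.to_hash(absolute_paths: false)` unconditionally on new line 40, so the JSON report ignores the `absolute_paths` option that the removed `convert_render_path` (old line 49) and the removed `warning_file w` call honoured. If relative paths are now intended for JSON regardless of the option, a comment on that line should say so; otherwise pass the option through with the `absolute_paths?` helper that `Brakeman::Report::Base` gains in this same release: `w.to_hash(absolute_paths: absolute_paths?)`.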
@@ -199,10 +199,6 @@ class Brakeman::Report::Table < Brakeman::Report::Base
|
|
199
199
|
end
|
200
200
|
end
|
201
201
|
|
202
|
-
def convert_warning warning, original
|
203
|
-
warning
|
204
|
-
end
|
205
|
-
|
206
202
|
def convert_ignored_warning warning, original
|
207
203
|
convert_warning warning, original
|
208
204
|
end
|
@@ -271,4 +267,24 @@ Duration: #{tracker.duration} seconds
|
|
271
267
|
Checks run: #{checks.checks_run.sort.join(", ")}
|
272
268
|
HEADER
|
273
269
|
end
|
270
|
+
|
271
|
+
def truncate_table str
|
272
|
+
@terminal_width ||= if @tracker.options[:table_width]
|
273
|
+
@tracker.options[:table_width]
|
274
|
+
elsif $stdin && $stdin.tty?
|
275
|
+
Brakeman.load_brakeman_dependency 'highline'
|
276
|
+
::HighLine.default_instance.terminal.terminal_size[0]
|
277
|
+
else
|
278
|
+
80
|
279
|
+
end
|
280
|
+
lines = str.lines
|
281
|
+
|
282
|
+
lines.map do |line|
|
283
|
+
if line.chomp.length > @terminal_width
|
284
|
+
line[0..(@terminal_width - 3)] + ">>\n"
|
285
|
+
else
|
286
|
+
line
|
287
|
+
end
|
288
|
+
end.join
|
289
|
+
end
|
274
290
|
end
|
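Review bot: `truncate_table` (new lines 271–289) has no lower bound on `@terminal_width`: a user-supplied `table_width` below 3, or a nil/zero column count from `terminal_size`, makes `line[0..(@terminal_width - 3)]` on line 284 raise or slice a negative range. A guard after the width is resolved, `return str if @terminal_width.to_i < 3`, leaves the table untruncated instead of failing the report. Whether HighLine can return nil there is not visible in this hunk; note also that a nil width defeats the `||=` memoization, so the dependency would be reloaded on every call.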
@@ -10,7 +10,7 @@ class Brakeman::Report::Tabs < Brakeman::Report::Table
|
|
10
10
|
self.send(meth).map do |w|
|
11
11
|
line = w.line || 0
|
12
12
|
w.warning_type.gsub!(/[^\w\s]/, ' ')
|
13
|
-
"#{
|
13
|
+
"#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
|
14
14
|
end.join "\n"
|
15
15
|
|
16
16
|
end.join "\n"
|
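Review bot: The parentheses in `"#{(w.file.absolute)}\t…"` on new line 13 are redundant; `"#{w.file.absolute}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"` reads the same. The tabs output is fixed to the absolute path here while the JSON report in this same release is fixed to relative paths; if the `absolute_paths` option is meant to apply to tabs, `warning_file(w)` from `Brakeman::Report::Base` already implements that switch. The enclosing method starts before the hunk.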
@@ -201,8 +201,8 @@ class Brakeman::Report::Text < Brakeman::Report::Base
|
|
201
201
|
|
202
202
|
# ONLY used for generate_controllers to avoid duplication
|
203
203
|
def render_array name, cols, values, locals
|
204
|
-
controllers = values.map do |
|
205
|
-
c = [ label("Controller",
|
204
|
+
controllers = values.map do |controller_name, parent, includes, routes|
|
205
|
+
c = [ label("Controller", controller_name) ]
|
206
206
|
c << label("Parent", parent) unless parent.empty?
|
207
207
|
c << label("Includes", includes) unless includes.empty?
|
208
208
|
c << label("Routes", routes)
|
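--- a/data/lib/brakeman/rescanner.rb
+++ b/data/lib/brakeman/rescanner.rb
@@ -13,7 +13,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 def initialize options, processor, changed_files
 super(options, processor)
 
-@paths = changed_files.map {|f|
+@paths = changed_files.map {|f| tracker.app_tree.file_path(f) }
 @old_results = tracker.filtered_warnings #Old warnings from previous scan
 @changes = nil #True if files had to be rescanned
 @reindex = Set.new
@@ -67,7 +67,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 def rescan_file path, type = nil
 type ||= file_type path
 
-unless
+unless path.exists?
 return rescan_deleted_file path, type
 end
 
@@ -127,14 +127,14 @@ class Brakeman::Rescanner < Brakeman::Scanner
 end
 
 def rescan_template path
-return unless path.match KNOWN_TEMPLATE_EXTENSIONS and
+return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS and path.exists?
 
 template_name = template_path_to_name(path)
 
 tracker.reset_template template_name
-fp = Brakeman::FileParser.new(tracker
+fp = Brakeman::FileParser.new(tracker)
 template_parser = Brakeman::TemplateParser.new(tracker, fp)
-template_parser.parse_template path,
+template_parser.parse_template path, path.read
 process_template fp.file_list[:templates].first
 
 @processor.process_template_alias tracker.templates[template_name]
@@ -256,16 +256,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
 end
 
 def rescan_deleted_template path
-return unless path.match KNOWN_TEMPLATE_EXTENSIONS
+return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS
 
 template_name = template_path_to_name(path)
 
 #Remove template
 tracker.reset_template template_name
 
-rendered_from_controller = /^#{template_name}\.(.+Controller)#(.+)/
-rendered_from_view = /^#{template_name}\.Template:(.+)/
-
 #Remove any rendered versions, or partials rendered from it
 tracker.templates.delete_if do |_name, template|
 template.file == path or template.name.to_sym == template_name.to_sym
@@ -371,7 +368,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 next unless template.render_path
 
 if template.render_path.include_any_method? method_names
-name.to_s.match
+name.to_s.match(/^([^.]+)/)
 
 original = tracker.templates[$1.to_sym]
 
@@ -388,8 +385,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
 end
 
 def parse_ruby_files list
-paths = list.select
-file_parser = Brakeman::FileParser.new(tracker
+paths = list.select(&:exists?)
+file_parser = Brakeman::FileParser.new(tracker)
 file_parser.parse_files paths, :rescan
 file_parser.file_list[:rescan]
 end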
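Review bot: `template.file == path` on new line 268 of `rescan_deleted_template` now compares two path objects (`path` comes from `tracker.app_tree.file_path(f)` on new line 16), so it only matches if that class defines `==` by path value; if it falls back to `Object#==` identity, no rendered template is ever deleted here and stale warnings survive the rescan. The class lives in the new file_path.rb, which is not in this diff, so either confirm it defines value equality or compare a value explicitly, e.g. `.relative` on both sides. Separately, `name.to_s.match(/^([^.]+)/)` on new line 371 relies on `$1` two lines later; `base = name.to_s[/\A[^.]+/]` and `tracker.templates[base.to_sym]` avoid the implicit global. The enclosing `each` block of that hunk starts before it.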
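--- a/data/lib/brakeman/scanner.rb
+++ b/data/lib/brakeman/scanner.rb
@@ -16,7 +16,6 @@ end
 #Scans the Rails application.
 class Brakeman::Scanner
 attr_reader :options
-RUBY_1_9 = RUBY_VERSION >= "1.9.0"
 
 #Pass in path to the root of the Rails application
 def initialize options, processor = nil
@@ -66,7 +65,7 @@ class Brakeman::Scanner
 end
 
 def parse_files
-fp = Brakeman::FileParser.new tracker
+fp = Brakeman::FileParser.new tracker
 
 files = {
 :initializers => @app_tree.initializer_paths,
@@ -95,7 +94,7 @@ class Brakeman::Scanner
 #
 #Stores parsed information in tracker.config
 def process_config
-if options[:rails3] or options[:rails4] or options[:rails5]
+if options[:rails3] or options[:rails4] or options[:rails5] or options[:rails6]
 process_config_file "application.rb"
 process_config_file "environments/production.rb"
 else
@@ -111,14 +110,14 @@ class Brakeman::Scanner
 end
 
 if @app_tree.exists? ".ruby-version"
-tracker.config.set_ruby_version @app_tree.
+tracker.config.set_ruby_version @app_tree.file_path(".ruby-version").read
 end
 end
 
 def process_config_file file
-path = "config/#{file}"
+path = @app_tree.file_path("config/#{file}")
 
-if
+if path.exists?
 @processor.process_config(parse_ruby_file(path), path)
 end
 
@@ -132,16 +131,21 @@ class Brakeman::Scanner
 #Process Gemfile
 def process_gems
 gem_files = {}
+
 if @app_tree.exists? "Gemfile"
-
+file = @app_tree.file_path("Gemfile")
+gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
 elsif @app_tree.exists? "gems.rb"
-
+file = @app_tree.file_path("gems.rb")
+gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
 end
 
 if @app_tree.exists? "Gemfile.lock"
-
+file = @app_tree.file_path("Gemfile.lock")
+gem_files[:gemlock] = { :src => file.read, :file => file }
 elsif @app_tree.exists? "gems.locked"
-
+file = @app_tree.file_path("gems.locked")
+gem_files[:gemlock] = { :src => file.read, :file => file }
 end
 
 if @app_tree.gemspec
@@ -215,7 +219,8 @@ class Brakeman::Scanner
 #Adds parsed information to tracker.routes
 def process_routes
 if @app_tree.exists?("config/routes.rb")
-
+file = @app_tree.file_path("config/routes.rb")
+if routes_sexp = parse_ruby_file(file)
 @processor.process_routes routes_sexp
 else
 Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
@@ -316,9 +321,9 @@ class Brakeman::Scanner
 tracker.index_call_sites
 end
 
-def parse_ruby_file
-fp = Brakeman::FileParser.new(self.tracker
-fp.parse_ruby(
+def parse_ruby_file file
+fp = Brakeman::FileParser.new(self.tracker)
+fp.parse_ruby(file.read, file)
 end
 end
 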
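Review bot: `process_gems` (new lines 135–149) now repeats the same two statements four times, differing only in the file name and in `parse_ruby_file(file)` versus `file.read`; a small helper that returns the first candidate present in the app tree removes the duplication and keeps the `Gemfile`/`gems.rb` and `Gemfile.lock`/`gems.locked` preference order in one place. The rewrite below produces the same `gem_files` keys and values. `process_gems` continues past the hunk with the gemspec handling, which is unchanged.
```ruby
# Returns the app-tree path object for the first of +names+ that exists, or nil.
def first_existing *names
  name = names.find { |n| @app_tree.exists? n }
  @app_tree.file_path(name) if name
end

#Process Gemfile
def process_gems
  gem_files = {}

  if gemfile = first_existing("Gemfile", "gems.rb")
    gem_files[:gemfile] = { :src => parse_ruby_file(gemfile), :file => gemfile }
  end

  if gemlock = first_existing("Gemfile.lock", "gems.locked")
    gem_files[:gemlock] = { :src => gemlock.read, :file => gemlock }
  end
  # … unchanged: gemspec handling and the rest of process_gems …
```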