brakeman-lib 4.5.0 → 4.7.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGES.md +164 -108
- data/README.md +6 -7
- data/lib/brakeman.rb +7 -0
- data/lib/brakeman/app_tree.rb +34 -22
- data/lib/brakeman/call_index.rb +54 -15
- data/lib/brakeman/checks.rb +7 -7
- data/lib/brakeman/checks/base_check.rb +59 -56
- data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
- data/lib/brakeman/checks/check_cross_site_scripting.rb +9 -4
- data/lib/brakeman/checks/check_default_routes.rb +5 -0
- data/lib/brakeman/checks/check_deserialize.rb +49 -0
- data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
- data/lib/brakeman/checks/check_execute.rb +26 -1
- data/lib/brakeman/checks/check_file_access.rb +7 -1
- data/lib/brakeman/checks/check_force_ssl.rb +27 -0
- data/lib/brakeman/checks/check_header_dos.rb +2 -2
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
- data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
- data/lib/brakeman/checks/check_json_parsing.rb +7 -2
- data/lib/brakeman/checks/check_link_to_href.rb +6 -1
- data/lib/brakeman/checks/check_mail_to.rb +1 -1
- data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
- data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
- data/lib/brakeman/checks/check_model_attributes.rb +12 -50
- data/lib/brakeman/checks/check_model_serialize.rb +1 -1
- data/lib/brakeman/checks/check_nested_attributes_bypass.rb +4 -4
- data/lib/brakeman/checks/check_reverse_tabnabbing.rb +58 -0
- data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
- data/lib/brakeman/checks/check_secrets.rb +1 -1
- data/lib/brakeman/checks/check_session_settings.rb +15 -12
- data/lib/brakeman/checks/check_simple_format.rb +5 -0
- data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
- data/lib/brakeman/checks/check_sql.rb +15 -17
- data/lib/brakeman/checks/check_validation_regex.rb +1 -1
- data/lib/brakeman/checks/check_xml_dos.rb +2 -2
- data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
- data/lib/brakeman/differ.rb +16 -28
- data/lib/brakeman/file_parser.rb +10 -16
- data/lib/brakeman/file_path.rb +85 -0
- data/lib/brakeman/options.rb +7 -0
- data/lib/brakeman/parsers/haml_embedded.rb +1 -1
- data/lib/brakeman/parsers/template_parser.rb +6 -4
- data/lib/brakeman/processor.rb +4 -5
- data/lib/brakeman/processors/alias_processor.rb +27 -7
- data/lib/brakeman/processors/base_processor.rb +10 -7
- data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
- data/lib/brakeman/processors/controller_processor.rb +9 -13
- data/lib/brakeman/processors/gem_processor.rb +10 -2
- data/lib/brakeman/processors/haml_template_processor.rb +92 -123
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +5 -4
- data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
- data/lib/brakeman/processors/lib/find_call.rb +3 -64
- data/lib/brakeman/processors/lib/module_helper.rb +8 -8
- data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
- data/lib/brakeman/processors/lib/rails2_config_processor.rb +4 -4
- data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
- data/lib/brakeman/processors/lib/render_helper.rb +2 -2
- data/lib/brakeman/processors/lib/render_path.rb +18 -1
- data/lib/brakeman/processors/library_processor.rb +5 -5
- data/lib/brakeman/processors/model_processor.rb +4 -5
- data/lib/brakeman/processors/output_processor.rb +5 -0
- data/lib/brakeman/processors/template_alias_processor.rb +32 -5
- data/lib/brakeman/processors/template_processor.rb +14 -10
- data/lib/brakeman/report.rb +3 -3
- data/lib/brakeman/report/ignore/config.rb +2 -3
- data/lib/brakeman/report/ignore/interactive.rb +2 -2
- data/lib/brakeman/report/pager.rb +1 -0
- data/lib/brakeman/report/report_base.rb +51 -6
- data/lib/brakeman/report/report_codeclimate.rb +3 -3
- data/lib/brakeman/report/report_hash.rb +1 -1
- data/lib/brakeman/report/report_html.rb +2 -2
- data/lib/brakeman/report/report_json.rb +1 -24
- data/lib/brakeman/report/report_table.rb +20 -4
- data/lib/brakeman/report/report_tabs.rb +1 -1
- data/lib/brakeman/report/report_text.rb +6 -7
- data/lib/brakeman/rescanner.rb +13 -12
- data/lib/brakeman/scanner.rb +19 -14
- data/lib/brakeman/tracker.rb +30 -6
- data/lib/brakeman/tracker/collection.rb +4 -3
- data/lib/brakeman/tracker/config.rb +44 -73
- data/lib/brakeman/tracker/constants.rb +2 -1
- data/lib/brakeman/util.rb +1 -147
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +27 -13
- data/lib/brakeman/warning_codes.rb +4 -0
- data/lib/ruby_parser/bm_sexp.rb +7 -2
- data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
- metadata +27 -22
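--- a/data/lib/brakeman/file_parser.rb
+++ b/data/lib/brakeman/file_parser.rb
@@ -5,16 +5,16 @@ module Brakeman
 class FileParser
 attr_reader :file_list
 
-def initialize tracker
+def initialize tracker
 @tracker = tracker
 @timeout = @tracker.options[:parser_timeout]
-@app_tree = app_tree
+@app_tree = @tracker.app_tree
 @file_list = {}
 end
 
 def parse_files list, type
 read_files list, type do |path, contents|
-if ast = parse_ruby(contents, path)
+if ast = parse_ruby(contents, path.relative)
 ASTFile.new(path, ast)
 end
 end
@@ -24,24 +24,22 @@ module Brakeman
 @file_list[type] ||= []
 
 list.each do |path|
-
+file = @app_tree.file_path(path)
+
+result = yield file, file.read
 if result
 @file_list[type] << result
 end
 end
 end
 
-def parse_ruby input, path
+def parse_ruby input, path
 begin
 Brakeman.debug "Parsing #{path}"
-
+RubyParser.new.parse input, path, @timeout
 rescue Racc::ParseError => e
-
-
-else
-@tracker.error e, "Could not parse #{path}"
-nil
-end
+@tracker.error e, "Could not parse #{path}"
+nil
 rescue Timeout::Error => e
 @tracker.error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout"), caller
 nil
@@ -50,9 +48,5 @@ module Brakeman
 nil
 end
 end
-
-def read_path path
-@app_tree.read_path path
-end
 end
 end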
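Review bot: `file.read` in the `read_files` loop (second hunk) has no error handling, so a file that is unreadable or disappears between listing and reading raises a `SystemCallError` out of `read_files` instead of being recorded with `@tracker.error` the way parse failures are a few lines below in `parse_ruby`. Reporting it per file lets the rest of the scan continue and leaves a visible record that a file was skipped, which matters for a scanner whose output is only as complete as its inputs. The signature of `read_files` is above the hunk, so the rewrite below starts at the loop.
```ruby
list.each do |path|
  file = @app_tree.file_path(path)

  begin
    contents = file.read
  rescue SystemCallError => e
    @tracker.error e, "Could not read #{file.relative}"
    next
  end

  result = yield file, contents
  # … unchanged: append result to @file_list[type] …
```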
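--- a/data/lib/brakeman/file_path.rb
+++ b/data/lib/brakeman/file_path.rb
@@ -0,0 +1,85 @@
+require 'pathname'
+
+module Brakeman
+# Class to represent file paths within Brakeman.
+# FilePath objects track both the relative and absolute paths
+# to make it easier to manage paths.
+class FilePath
+attr_reader :absolute, :relative
+@cache = {}
+
+# Create a new FilePath using an AppTree object.
+#
+# Note that if the path is already a FilePath, that path will
+# be returned unaltered.
+#
+# Additionally, paths are cached. If the absolute path already has
+# a FilePath in the cache, that existing FilePath will be returned.
+def self.from_app_tree app_tree, path
+return path if path.is_a? Brakeman::FilePath
+
+absolute = app_tree.expand_path(path).freeze
+
+if fp = @cache[absolute]
+return fp
+end
+
+relative = app_tree.relative_path(path).freeze
+
+self.new(absolute, relative).tap { |fp| @cache[absolute] = fp }
+end
+
+# Create a new FilePath with the given absolute and relative paths.
+def initialize absolute_path, relative_path
+@absolute = absolute_path
+@relative = relative_path
+end
+
+# Just the file name, no path
+def basename
+@basename ||= File.basename(self.relative)
+end
+
+# Read file from absolute path.
+def read
+File.read self.absolute
+end
+
+# Check if absolute path exists.
+def exists?
+File.exist? self.absolute
+end
+
+# Compare FilePaths. Raises an ArgumentError unless both objects are FilePaths.
+def <=> rhs
+raise ArgumentError unless rhs.is_a? Brakeman::FilePath
+self.relative <=> rhs.relative
+end
+
+# Compare FilePaths. Raises an ArgumentError unless both objects are FilePaths.
+def == rhs
+return false unless rhs.is_a? Brakeman::FilePath
+
+self.absolute == rhs.absolute
+end
+
+# Returns a string with the absolute path.
+def to_str
+self.absolute
+end
+
+# Returns a string with the absolute path.
+def to_s
+self.to_str
+end
+
+def hash
+@hash ||= [@absolute, @relative].hash
+end
+
+def eql? rhs
+@absolute == rhs.absolute and
+@relative == rhs.relative
+end
+end
+end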
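Review bot: `==` and `eql?` disagree on what makes two FilePaths equal: `==` (line 60) compares only `absolute`, while `eql?` and `hash` (lines 76–83) use both `absolute` and `relative`, so two objects that are `==` can still land in different Hash buckets. `eql?` also has no type guard, so `fp.eql?("x")` raises NoMethodError on `rhs.absolute` where `==` returns false; add `return false unless rhs.is_a? Brakeman::FilePath` as its first line and join the two comparisons with `&&` rather than `and`. The comment above `==` is copied from `<=>` and is wrong, since `==` returns false instead of raising; replace it with `# Compare FilePaths by absolute path. Returns false unless rhs is also a FilePath.`. The class-level `@cache` (line 9) is keyed on the absolute path alone and is never cleared, so it grows for the life of the process and, if one process scans trees with different roots, the first `relative` computed for a given absolute path wins — worth a comment on that line if this is intended.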
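--- a/data/lib/brakeman/options.rb
+++ b/data/lib/brakeman/options.rb
@@ -82,6 +82,13 @@ module Brakeman::Options
 options[:rails5] = true
 end
 
+opts.on "-6", "--rails6", "Force Rails 6 mode" do
+options[:rails3] = true
+options[:rails4] = true
+options[:rails5] = true
+options[:rails6] = true
+end
+
 opts.separator ""
 opts.separator "Scanning options:"
 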
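Review bot: The new `--rails6` block sets all four version flags but nothing says why a Rails 6 app also turns on `:rails3`, `:rails4` and `:rails5`, and the `--rails5` block above it (only its last line is visible) appears to follow the same cumulative pattern. A one-line comment above the `opts.on` call would spare the next maintainer from guessing: `# Version flags are cumulative: forcing Rails 6 also sets the 3/4/5 flags`. Whether checks are gated on the oldest applicable flag is inferred from these lines, not shown, so keep the comment to what the block does.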
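--- a/data/lib/brakeman/parsers/template_parser.rb
+++ b/data/lib/brakeman/parsers/template_parser.rb
@@ -13,7 +13,7 @@ module Brakeman
 end
 
 def parse_template path, text
-type = path.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
+type = path.relative.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
 type = :erb if type == :rhtml
 name = template_path_to_name path
 Brakeman.debug "Parsing #{path}"
@@ -63,7 +63,7 @@ module Brakeman
 else
 ERB.new(text, nil, '-').src
 end
-src.sub!(/^#.*\n/, '')
+src.sub!(/^#.*\n/, '')
 src
 end
 end
@@ -79,7 +79,9 @@ module Brakeman
 
 Haml::Engine.new(text,
 :filename => path,
-:escape_html => tracker.config.escape_html
+:escape_html => tracker.config.escape_html?,
+:escape_filter_interpolations => tracker.config.escape_filter_interpolations?
+).precompiled.gsub(/([^\\])\\n/, '\1')
 rescue Haml::Error => e
 tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
 nil
@@ -95,7 +97,7 @@ module Brakeman
 end
 
 def self.parse_inline_erb tracker, text
-fp = Brakeman::FileParser.new(tracker
+fp = Brakeman::FileParser.new(tracker)
 tp = self.new(tracker, fp)
 src = tp.parse_erb '_inline_', text
 type = tp.erubis? ? :erubis : :erb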
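Review bot: `parse_template` now requires `path` to be a FilePath (`path.relative` on line 16 of the first hunk), but neither the method nor a comment says so, and a plain String argument now fails with NoMethodError on `relative`; add `# +path+ is a Brakeman::FilePath; the template type is derived from its relative path` above `def parse_template`. The `match(...)[1]` on the same line still raises NoMethodError rather than recording a tracker error when the extension is not in KNOWN_TEMPLATE_EXTENSIONS — presumably callers filter by extension first, but `return unless (m = path.relative.match(KNOWN_TEMPLATE_EXTENSIONS))` would make that explicit. In the third hunk `:filename => path` hands the FilePath to Haml::Engine, which works only because FilePath defines `to_str` elsewhere in this diff; a short comment there would keep a future change to FilePath from silently breaking HAML error locations. The body of `parse_template` continues past the first hunk.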
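--- a/data/lib/brakeman/processor.rb
+++ b/data/lib/brakeman/processor.rb
@@ -13,8 +13,7 @@ module Brakeman
 include Util
 
 def initialize(app_tree, options)
-@
-@tracker = Tracker.new(@app_tree, self, options)
+@tracker = Tracker.new(app_tree, self, options)
 end
 
 def tracked_events
@@ -39,7 +38,7 @@ module Brakeman
 #Process controller source. +file_name+ is used for reporting
 def process_controller src, file_name
 if contains_class? src
-ControllerProcessor.new(@
+ControllerProcessor.new(@tracker).process_controller src, file_name
 else
 LibraryProcessor.new(@tracker).process_library src, file_name
 end
@@ -48,7 +47,7 @@ module Brakeman
 #Process variable aliasing in controller source and save it in the
 #tracker.
 def process_controller_alias name, src, only_method = nil, file = nil
-ControllerAliasProcessor.new(@
+ControllerAliasProcessor.new(@tracker, only_method).process_controller name, src, file
 end
 
 #Process a model source
@@ -91,7 +90,7 @@ module Brakeman
 def process_initializer file_name, src
 res = BaseProcessor.new(@tracker).process_file src, file_name
 res = AliasProcessor.new(@tracker).process_safely res, nil, file_name
-@tracker.initializers[
+@tracker.initializers[file_name] = res
 end
 
 #Process source for a library file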
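Review bot: `process_controller_alias` (third hunk) keeps `file = nil` as its default but now passes it straight to `ControllerAliasProcessor#process_controller`, which in the controller_alias_processor.rb section of this diff calls `@app_tree.file_path(current_file)` on it; whether `file_path(nil)` is tolerated is not visible here, so either document that `file` is required or drop the default. The two-line comment above the method should also name the parameter: `#+file+ is the controller's source file; it is forwarded to the alias processor as its current file`. The same applies to `process_controller` in the second hunk, whose comment documents `file_name` but not that it is now the file handed to `ControllerProcessor`.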
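--- a/data/lib/brakeman/processors/alias_processor.rb
+++ b/data/lib/brakeman/processors/alias_processor.rb
@@ -20,19 +20,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 #The recommended usage is:
 #
 # AliasProcessor.new.process_safely src
-def initialize tracker = nil,
+def initialize tracker = nil, current_file = nil
 super()
 @env = SexpProcessor::Environment.new
 @inside_if = false
 @ignore_ifs = nil
 @exp_context = []
-@current_module = nil
 @tracker = tracker #set in subclass as necessary
 @helper_method_cache = {}
 @helper_method_info = Hash.new({})
 @or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
 @meth_env = nil
-@
+@current_file = current_file
 set_env_defaults
 end
 
@@ -44,8 +43,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 #
 #This method returns a new Sexp with variables replaced with their values,
 #where possible.
-def process_safely src, set_env = nil,
-@
+def process_safely src, set_env = nil, current_file = @current_file
+@current_file = current_file
 @env = set_env || SexpProcessor::Environment.new
 @result = src.deep_clone
 process @result
@@ -250,6 +249,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 end
 env[target_var] = target
 return first_arg
+elsif new_string? target
+env[target_var] = first_arg
+return first_arg
 elsif array? target
 target << first_arg
 env[target_var] = target
@@ -266,10 +268,19 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 unless target.nil?
 exp = target
 end
+when :dup
+unless target.nil?
+exp = target
+end
 when :join
 if array? target and target.length > 2 and (string? first_arg or first_arg.nil?)
 exp = process_array_join(target, first_arg)
 end
+when :!
+# Convert `!!a` to boolean
+if call? target and target.method == :!
+exp = s(:or, s(:true).line(exp.line), s(:false).line(exp.line)).line(exp.line)
+end
 end
 
 exp
@@ -368,6 +379,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 elsif e.is_a? Symbol
 local = Sexp.new(:lvar, e)
 env.current[local] = local
+elsif e.nil? # trailing comma, argument destructuring
+next # Punt for now
 else
 raise "Unexpected value in block args: #{e.inspect}"
 end
@@ -596,7 +609,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 if node_type? exp, :hash
 if exp.any? { |e| node_type? e, :kwsplat and node_type? e.value, :hash }
 kwsplats, rest = exp.partition { |e| node_type? e, :kwsplat and node_type? e.value, :hash }
-exp = Sexp.new.concat(rest).line(exp)
+exp = Sexp.new.concat(rest).line(exp.line)
 
 kwsplats.each do |e|
 exp = process_hash_merge! exp, e.value
@@ -693,7 +706,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 if @tracker
 @tracker.add_constant exp.lhs,
 exp.rhs,
-:file =>
+:file => @current_file,
 :module => @current_module,
 :class => @current_class,
 :method => @current_method
@@ -1188,6 +1201,13 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 call? exp and exp.method == :raise
 end
 
+STRING_NEW = s(:call, s(:const, :String), :new)
+
+# String.new ?
+def new_string? exp
+exp == STRING_NEW
+end
+
 #Set variable to given value.
 #Creates "branched" versions of values when appropriate.
 #Avoids creating multiple branched versions inside same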
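Review bot: `new_string?` (last hunk) is an exact structural compare against `STRING_NEW`, so only a bare `String.new` is recognised; `String.new("")` or `String.new(capacity: n)` carry extra arguments and fall through to the `array?` branch and whatever follows in the `:<<` handling of the third hunk. A comment on the predicate would stop a reader from assuming broader coverage: `# Exact match only: String.new with arguments is not treated as a fresh string`. Separately, the first hunk drops `@current_module = nil` from `initialize` while the seventh hunk still passes `@current_module` to `add_constant`; Ruby yields nil for an unset ivar so behaviour should be unchanged, but if a subclass relied on the explicit reset between runs that is no longer guaranteed — worth confirming nothing else initialises it. The `:<<` and `:!` handling in the third and fourth hunks sits inside a `case` whose opening is outside the shown lines.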
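--- a/data/lib/brakeman/processors/base_processor.rb
+++ b/data/lib/brakeman/processors/base_processor.rb
@@ -15,11 +15,12 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
 super()
 @last = nil
 @tracker = tracker
-@
+@app_tree = tracker.app_tree if tracker
+@current_template = @current_module = @current_class = @current_method = @current_file = nil
 end
 
-def process_file exp,
-@
+def process_file exp, current_file
+@current_file = current_file
 process exp
 end
 
@@ -113,6 +114,8 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
 exp.unshift :rlist
 end
 
+alias process_rlist process_block
+
 #Processes the inside of an interpolated String.
 def process_evstr exp
 exp = exp.dup
@@ -182,7 +185,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
 if @tracker
 @tracker.add_constant exp.lhs,
 exp.rhs,
-:file =>
+:file => current_file,
 :module => @current_module,
 :class => @current_class,
 :method => @current_method
@@ -234,8 +237,8 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
 elsif first_arg.is_a? Symbol or first_arg.is_a? String
 type = :action
 value = Sexp.new(:lit, first_arg.to_sym)
-
-
+elsif first_arg.nil?
+type = :default
 elsif not hash? first_arg
 type = :action
 value = first_arg
@@ -287,7 +290,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
 template_name = "#@current_method/inline@#{value.line}:#{class_or_module}".to_sym
 type, ast = Brakeman::TemplateParser.parse_inline_erb(@tracker, value.value)
 ast = ast.deep_clone(value.line)
-@tracker.processor.process_template(template_name, ast, type, nil, @
+@tracker.processor.process_template(template_name, ast, type, nil, @current_file)
 @tracker.processor.process_template_alias(@tracker.templates[template_name])
 
 return s(:lit, template_name), options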
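Review bot: The third hunk writes `:file => current_file` (a bare name) while the first and fifth hunks use the instance variable `@current_file`; unless an accessor for `current_file` exists outside the shown lines, the `add_constant` call raises NameError the first time a constant assignment is processed. Using the ivar would match the rest of the file: `:file => @current_file,`. `process_file` in the first hunk also gains a required `current_file` argument with no documentation; a line such as `# +current_file+ is the FilePath being processed; it is recorded on constants found in the file` above it would state the new contract, the constant use being what the third hunk shows. The `add_constant` call in the third hunk belongs to a method whose definition lies outside the hunk.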
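--- a/data/lib/brakeman/processors/controller_alias_processor.rb
+++ b/data/lib/brakeman/processors/controller_alias_processor.rb
@@ -11,22 +11,22 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 #If only_method is specified, only that method will be processed,
 #other methods will be skipped.
 #This is for rescanning just a single action.
-def initialize
+def initialize tracker, only_method = nil
 super tracker
-@app_tree = app_tree
+@app_tree = tracker.app_tree
 @only_method = only_method
 @rendered = false
 @current_class = @current_module = @current_method = nil
 @method_cache = {} #Cache method lookups
 end
 
-def process_controller name, src,
+def process_controller name, src, current_file
 if not node_type? src, :class
 Brakeman.debug "#{name} is not a class, it's a #{src.node_type}"
 return
 else
 @current_class = name
-@
+@current_file = @app_tree.file_path(current_file)
 
 process_default src
 
@@ -37,6 +37,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 #Process modules mixed into the controller, in case they contain actions.
 def process_mixins
 controller = @tracker.controllers[@current_class]
+original_file = @current_file
 
 controller.includes.each do |i|
 mixin = @tracker.libs[i]
@@ -49,7 +50,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 methods.each do |name|
 #Need to process the method like it was in a controller in order
 #to get the renders set
-processor = Brakeman::ControllerProcessor.new(@
+processor = Brakeman::ControllerProcessor.new(@tracker, mixin.file)
 method = mixin.get_method(name)[:src].deep_clone
 
 if node_type? method, :defn
@@ -59,11 +60,13 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 method = processor.process method
 end
 
-@
+@current_file = mixin.file
 #Then process it like any other method in the controller
 process method
 end
 end
+ensure
+@current_file = original_file
 end
 
 #Skip it, must be an inner class
@@ -187,7 +190,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 end
 end
 
-render_path = Brakeman::RenderPath.new.add_controller_render(@current_class, @current_method, line,
+render_path = Brakeman::RenderPath.new.add_controller_render(@current_class, @current_method, line, @current_file)
 super name, args, render_path, line
 end
 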
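Review bot: In `process_mixins` the capture `original_file = @current_file` (second hunk) runs after `controller = @tracker.controllers[@current_class]`, so if that lookup raises, the method-level `ensure` added in the fourth hunk restores `@current_file` to nil (the never-assigned local) rather than to the value it had on entry, and any warning emitted afterwards would carry no file. Make the capture the first statement of the method: `original_file = @current_file` directly under `def process_mixins`, then the `controller = ...` line. The lines between the second and fourth hunks (44–49) are not shown, so the body may contain other early exits the `ensure` now covers.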