brakeman-lib 4.5.0 → 4.7.1

Files changed (91)
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +164 -108
  3. data/README.md +6 -7
  4. data/lib/brakeman.rb +7 -0
  5. data/lib/brakeman/app_tree.rb +34 -22
  6. data/lib/brakeman/call_index.rb +54 -15
  7. data/lib/brakeman/checks.rb +7 -7
  8. data/lib/brakeman/checks/base_check.rb +59 -56
  9. data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
  10. data/lib/brakeman/checks/check_cross_site_scripting.rb +9 -4
  11. data/lib/brakeman/checks/check_default_routes.rb +5 -0
  12. data/lib/brakeman/checks/check_deserialize.rb +49 -0
  13. data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
  14. data/lib/brakeman/checks/check_execute.rb +26 -1
  15. data/lib/brakeman/checks/check_file_access.rb +7 -1
  16. data/lib/brakeman/checks/check_force_ssl.rb +27 -0
  17. data/lib/brakeman/checks/check_header_dos.rb +2 -2
  18. data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
  19. data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
  20. data/lib/brakeman/checks/check_json_parsing.rb +7 -2
  21. data/lib/brakeman/checks/check_link_to_href.rb +6 -1
  22. data/lib/brakeman/checks/check_mail_to.rb +1 -1
  23. data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
  24. data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
  25. data/lib/brakeman/checks/check_model_attributes.rb +12 -50
  26. data/lib/brakeman/checks/check_model_serialize.rb +1 -1
  27. data/lib/brakeman/checks/check_nested_attributes_bypass.rb +4 -4
  28. data/lib/brakeman/checks/check_reverse_tabnabbing.rb +58 -0
  29. data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
  30. data/lib/brakeman/checks/check_secrets.rb +1 -1
  31. data/lib/brakeman/checks/check_session_settings.rb +15 -12
  32. data/lib/brakeman/checks/check_simple_format.rb +5 -0
  33. data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
  34. data/lib/brakeman/checks/check_sql.rb +15 -17
  35. data/lib/brakeman/checks/check_validation_regex.rb +1 -1
  36. data/lib/brakeman/checks/check_xml_dos.rb +2 -2
  37. data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
  38. data/lib/brakeman/differ.rb +16 -28
  39. data/lib/brakeman/file_parser.rb +10 -16
  40. data/lib/brakeman/file_path.rb +85 -0
  41. data/lib/brakeman/options.rb +7 -0
  42. data/lib/brakeman/parsers/haml_embedded.rb +1 -1
  43. data/lib/brakeman/parsers/template_parser.rb +6 -4
  44. data/lib/brakeman/processor.rb +4 -5
  45. data/lib/brakeman/processors/alias_processor.rb +27 -7
  46. data/lib/brakeman/processors/base_processor.rb +10 -7
  47. data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
  48. data/lib/brakeman/processors/controller_processor.rb +9 -13
  49. data/lib/brakeman/processors/gem_processor.rb +10 -2
  50. data/lib/brakeman/processors/haml_template_processor.rb +92 -123
  51. data/lib/brakeman/processors/lib/call_conversion_helper.rb +5 -4
  52. data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
  53. data/lib/brakeman/processors/lib/find_call.rb +3 -64
  54. data/lib/brakeman/processors/lib/module_helper.rb +8 -8
  55. data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
  56. data/lib/brakeman/processors/lib/rails2_config_processor.rb +4 -4
  57. data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
  58. data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
  59. data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
  60. data/lib/brakeman/processors/lib/render_helper.rb +2 -2
  61. data/lib/brakeman/processors/lib/render_path.rb +18 -1
  62. data/lib/brakeman/processors/library_processor.rb +5 -5
  63. data/lib/brakeman/processors/model_processor.rb +4 -5
  64. data/lib/brakeman/processors/output_processor.rb +5 -0
  65. data/lib/brakeman/processors/template_alias_processor.rb +32 -5
  66. data/lib/brakeman/processors/template_processor.rb +14 -10
  67. data/lib/brakeman/report.rb +3 -3
  68. data/lib/brakeman/report/ignore/config.rb +2 -3
  69. data/lib/brakeman/report/ignore/interactive.rb +2 -2
  70. data/lib/brakeman/report/pager.rb +1 -0
  71. data/lib/brakeman/report/report_base.rb +51 -6
  72. data/lib/brakeman/report/report_codeclimate.rb +3 -3
  73. data/lib/brakeman/report/report_hash.rb +1 -1
  74. data/lib/brakeman/report/report_html.rb +2 -2
  75. data/lib/brakeman/report/report_json.rb +1 -24
  76. data/lib/brakeman/report/report_table.rb +20 -4
  77. data/lib/brakeman/report/report_tabs.rb +1 -1
  78. data/lib/brakeman/report/report_text.rb +6 -7
  79. data/lib/brakeman/rescanner.rb +13 -12
  80. data/lib/brakeman/scanner.rb +19 -14
  81. data/lib/brakeman/tracker.rb +30 -6
  82. data/lib/brakeman/tracker/collection.rb +4 -3
  83. data/lib/brakeman/tracker/config.rb +44 -73
  84. data/lib/brakeman/tracker/constants.rb +2 -1
  85. data/lib/brakeman/util.rb +1 -147
  86. data/lib/brakeman/version.rb +1 -1
  87. data/lib/brakeman/warning.rb +27 -13
  88. data/lib/brakeman/warning_codes.rb +4 -0
  89. data/lib/ruby_parser/bm_sexp.rb +7 -2
  90. data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
  91. metadata +27 -22
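--- a/data/lib/brakeman/file_parser.rb
+++ b/data/lib/brakeman/file_parser.rb
@@ -5,16 +5,16 @@ module Brakeman
  class FileParser
  attr_reader :file_list
 
- def initialize tracker, app_tree
+ def initialize tracker
  @tracker = tracker
  @timeout = @tracker.options[:parser_timeout]
- @app_tree = app_tree
+ @app_tree = @tracker.app_tree
  @file_list = {}
  end
 
  def parse_files list, type
  read_files list, type do |path, contents|
- if ast = parse_ruby(contents, path)
+ if ast = parse_ruby(contents, path.relative)
  ASTFile.new(path, ast)
  end
  end
@@ -24,24 +24,22 @@ module Brakeman
  @file_list[type] ||= []
 
  list.each do |path|
- result = yield path, read_path(path)
+ file = @app_tree.file_path(path)
+
+ result = yield file, file.read
  if result
  @file_list[type] << result
  end
  end
  end
 
- def parse_ruby input, path, parser = RubyParser.new
+ def parse_ruby input, path
  begin
  Brakeman.debug "Parsing #{path}"
- parser.parse input, path, @timeout
+ RubyParser.new.parse input, path, @timeout
  rescue Racc::ParseError => e
- if parser.class == RubyParser
- return parse_ruby(input, path, RubyParser.latest)
- else
- @tracker.error e, "Could not parse #{path}"
- nil
- end
+ @tracker.error e, "Could not parse #{path}"
+ nil
  rescue Timeout::Error => e
  @tracker.error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout"), caller
  nil
@@ -50,9 +48,5 @@ module Brakeman
  nil
  end
  end
-
- def read_path path
- @app_tree.read_path path
- end
  end
  end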
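Review bot: The new `result = yield file, file.read` reads the file outside the rescue in `parse_ruby`, and `FilePath#read` (added in this same release) is a bare `File.read`, so a path the listing found but that is unreadable at read time — deleted between glob and read, a dangling symlink, or permission denied — raises `Errno::ENOENT`/`Errno::EACCES` out of `read_files` and aborts the whole scan instead of being recorded the way a parse failure is. Unless `AppTree#file_path` or the caller already filters such paths (not visible here), I would catch `SystemCallError` around the read and report it through the tracker, e.g. `contents = begin; file.read; rescue SystemCallError => e; @tracker.error e, "Could not read #{file.relative}"; next; end` before the yield. For a scanner routinely pointed at checkouts it does not control, one unreadable file should not cost the rest of the results. `read_files`'s signature sits above the second hunk.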
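--- /dev/null
+++ b/data/lib/brakeman/file_path.rb
@@ -0,0 +1,85 @@
+ require 'pathname'
+
+ module Brakeman
+ # Class to represent file paths within Brakeman.
+ # FilePath objects track both the relative and absolute paths
+ # to make it easier to manage paths.
+ class FilePath
+ attr_reader :absolute, :relative
+ @cache = {}
+
+ # Create a new FilePath using an AppTree object.
+ #
+ # Note that if the path is already a FilePath, that path will
+ # be returned unaltered.
+ #
+ # Additionally, paths are cached. If the absolute path already has
+ # a FilePath in the cache, that existing FilePath will be returned.
+ def self.from_app_tree app_tree, path
+ return path if path.is_a? Brakeman::FilePath
+
+ absolute = app_tree.expand_path(path).freeze
+
+ if fp = @cache[absolute]
+ return fp
+ end
+
+ relative = app_tree.relative_path(path).freeze
+
+ self.new(absolute, relative).tap { |fp| @cache[absolute] = fp }
+ end
+
+ # Create a new FilePath with the given absolute and relative paths.
+ def initialize absolute_path, relative_path
+ @absolute = absolute_path
+ @relative = relative_path
+ end
+
+ # Just the file name, no path
+ def basename
+ @basename ||= File.basename(self.relative)
+ end
+
+ # Read file from absolute path.
+ def read
+ File.read self.absolute
+ end
+
+ # Check if absolute path exists.
+ def exists?
+ File.exist? self.absolute
+ end
+
+ # Compare FilePaths. Raises an ArgumentError unless both objects are FilePaths.
+ def <=> rhs
+ raise ArgumentError unless rhs.is_a? Brakeman::FilePath
+ self.relative <=> rhs.relative
+ end
+
+ # Compare FilePaths. Raises an ArgumentError unless both objects are FilePaths.
+ def == rhs
+ return false unless rhs.is_a? Brakeman::FilePath
+
+ self.absolute == rhs.absolute
+ end
+
+ # Returns a string with the absolute path.
+ def to_str
+ self.absolute
+ end
+
+ # Returns a string with the absolute path.
+ def to_s
+ self.to_str
+ end
+
+ def hash
+ @hash ||= [@absolute, @relative].hash
+ end
+
+ def eql? rhs
+ @absolute == rhs.absolute and
+ @relative == rhs.relative
+ end
+ end
+ end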
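Review bot: `==`, `eql?` and `hash` disagree: `==` compares only `absolute`, while `hash` and `eql?` also fold in `relative`, so two FilePaths for the same absolute path built against different relative roots are `==` yet occupy separate Hash keys and fail `uniq`; `eql?` also lacks the type guard `==` has and raises `NoMethodError` on a non-FilePath rather than returning false. I would align them: `def eql? rhs; rhs.is_a?(Brakeman::FilePath) and @absolute == rhs.absolute and @relative == rhs.relative; end` and either compare `relative` in `==` as well or drop it from `hash`. The comment above `==` is copied from `<=>` and is wrong, since `==` returns false instead of raising; `# Returns false unless rhs is a FilePath with the same absolute path.` fits what the code does. Separately, `@cache` is a class-level Hash keyed by absolute path that is never evicted, so a long-lived process scanning many app trees keeps every FilePath it has ever built; a `# NOTE: never cleared; grows with every distinct path seen` comment or an explicit reset hook would help whoever embeds Brakeman.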
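--- a/data/lib/brakeman/options.rb
+++ b/data/lib/brakeman/options.rb
@@ -82,6 +82,13 @@ module Brakeman::Options
  options[:rails5] = true
  end
 
+ opts.on "-6", "--rails6", "Force Rails 6 mode" do
+ options[:rails3] = true
+ options[:rails4] = true
+ options[:rails5] = true
+ options[:rails6] = true
+ end
+
  opts.separator ""
  opts.separator "Scanning options:"
 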
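--- a/data/lib/brakeman/parsers/haml_embedded.rb
+++ b/data/lib/brakeman/parsers/haml_embedded.rb
@@ -1,6 +1,6 @@
  module Brakeman
  module FakeHamlFilter
- # Copied from Haml - force delayed compilation
+ # Copied from Haml 4 - force delayed compilation
  def compile(compiler, text)
  filter = self
  compiler.instance_eval do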
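--- a/data/lib/brakeman/parsers/template_parser.rb
+++ b/data/lib/brakeman/parsers/template_parser.rb
@@ -13,7 +13,7 @@ module Brakeman
  end
 
  def parse_template path, text
- type = path.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
+ type = path.relative.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
  type = :erb if type == :rhtml
  name = template_path_to_name path
  Brakeman.debug "Parsing #{path}"
@@ -63,7 +63,7 @@ module Brakeman
  else
  ERB.new(text, nil, '-').src
  end
- src.sub!(/^#.*\n/, '') if Brakeman::Scanner::RUBY_1_9
+ src.sub!(/^#.*\n/, '')
  src
  end
  end
@@ -79,7 +79,9 @@ module Brakeman
 
  Haml::Engine.new(text,
  :filename => path,
- :escape_html => tracker.config.escape_html?).precompiled.gsub(/([^\\])\\n/, '\1')
+ :escape_html => tracker.config.escape_html?,
+ :escape_filter_interpolations => tracker.config.escape_filter_interpolations?
+ ).precompiled.gsub(/([^\\])\\n/, '\1')
  rescue Haml::Error => e
  tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
  nil
@@ -95,7 +97,7 @@ module Brakeman
  end
 
  def self.parse_inline_erb tracker, text
- fp = Brakeman::FileParser.new(tracker, nil)
+ fp = Brakeman::FileParser.new(tracker)
  tp = self.new(tracker, fp)
  src = tp.parse_erb '_inline_', text
  type = tp.erubis? ? :erubis : :erb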
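Review bot: The `^` in `src.sub!(/^#.*\n/, '')` anchors to the start of any line, so now that the call is unconditional it removes the first `#`-initial line wherever it occurs in the generated source, not only the leading encoding comment that ERB/Erubis emit; when line one is not that comment, the first casualty can be a line inside a heredoc or multi-line string that the template's Ruby defines, which changes string content rather than a comment. If the intent is only the magic comment on line one (which is what the removed `RUBY_1_9` guard suggests), anchor to the string start: `src.sub!(/\A#.*\n/, '')`. The `parse_erb` method this sits in starts before the hunk, so I am reading the intent from the removed guard rather than from the method's header.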
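--- a/data/lib/brakeman/processor.rb
+++ b/data/lib/brakeman/processor.rb
@@ -13,8 +13,7 @@ module Brakeman
  include Util
 
  def initialize(app_tree, options)
- @app_tree = app_tree
- @tracker = Tracker.new(@app_tree, self, options)
+ @tracker = Tracker.new(app_tree, self, options)
  end
 
  def tracked_events
@@ -39,7 +38,7 @@ module Brakeman
  #Process controller source. +file_name+ is used for reporting
  def process_controller src, file_name
  if contains_class? src
- ControllerProcessor.new(@app_tree, @tracker).process_controller src, file_name
+ ControllerProcessor.new(@tracker).process_controller src, file_name
  else
  LibraryProcessor.new(@tracker).process_library src, file_name
  end
@@ -48,7 +47,7 @@ module Brakeman
  #Process variable aliasing in controller source and save it in the
  #tracker.
  def process_controller_alias name, src, only_method = nil, file = nil
- ControllerAliasProcessor.new(@app_tree, @tracker, only_method).process_controller name, src, file
+ ControllerAliasProcessor.new(@tracker, only_method).process_controller name, src, file
  end
 
  #Process a model source
@@ -91,7 +90,7 @@ module Brakeman
  def process_initializer file_name, src
  res = BaseProcessor.new(@tracker).process_file src, file_name
  res = AliasProcessor.new(@tracker).process_safely res, nil, file_name
- @tracker.initializers[Pathname.new(file_name).basename.to_s] = res
+ @tracker.initializers[file_name] = res
  end
 
  #Process source for a library file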
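--- a/data/lib/brakeman/processors/alias_processor.rb
+++ b/data/lib/brakeman/processors/alias_processor.rb
@@ -20,19 +20,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
  #The recommended usage is:
  #
  # AliasProcessor.new.process_safely src
- def initialize tracker = nil, file_name = nil
+ def initialize tracker = nil, current_file = nil
  super()
  @env = SexpProcessor::Environment.new
  @inside_if = false
  @ignore_ifs = nil
  @exp_context = []
- @current_module = nil
  @tracker = tracker #set in subclass as necessary
  @helper_method_cache = {}
  @helper_method_info = Hash.new({})
  @or_depth_limit = (tracker && tracker.options[:branch_limit]) || 5 #arbitrary default
  @meth_env = nil
- @file_name = file_name
+ @current_file = current_file
  set_env_defaults
  end
 
@@ -44,8 +43,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
  #
  #This method returns a new Sexp with variables replaced with their values,
  #where possible.
- def process_safely src, set_env = nil, file_name = nil
- @file_name = file_name
+ def process_safely src, set_env = nil, current_file = @current_file
+ @current_file = current_file
  @env = set_env || SexpProcessor::Environment.new
  @result = src.deep_clone
  process @result
@@ -250,6 +249,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
  end
  env[target_var] = target
  return first_arg
+ elsif new_string? target
+ env[target_var] = first_arg
+ return first_arg
  elsif array? target
  target << first_arg
  env[target_var] = target
@@ -266,10 +268,19 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
  unless target.nil?
  exp = target
  end
+ when :dup
+ unless target.nil?
+ exp = target
+ end
  when :join
  if array? target and target.length > 2 and (string? first_arg or first_arg.nil?)
  exp = process_array_join(target, first_arg)
  end
+ when :!
+ # Convert `!!a` to boolean
+ if call? target and target.method == :!
+ exp = s(:or, s(:true).line(exp.line), s(:false).line(exp.line)).line(exp.line)
+ end
  end
 
  exp
@@ -368,6 +379,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
  elsif e.is_a? Symbol
  local = Sexp.new(:lvar, e)
  env.current[local] = local
+ elsif e.nil? # trailing comma, argument destructuring
+ next # Punt for now
  else
  raise "Unexpected value in block args: #{e.inspect}"
  end
@@ -596,7 +609,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
  if node_type? exp, :hash
  if exp.any? { |e| node_type? e, :kwsplat and node_type? e.value, :hash }
  kwsplats, rest = exp.partition { |e| node_type? e, :kwsplat and node_type? e.value, :hash }
- exp = Sexp.new.concat(rest).line(exp)
+ exp = Sexp.new.concat(rest).line(exp.line)
 
  kwsplats.each do |e|
  exp = process_hash_merge! exp, e.value
@@ -693,7 +706,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
  if @tracker
  @tracker.add_constant exp.lhs,
  exp.rhs,
- :file => current_file_name,
+ :file => @current_file,
  :module => @current_module,
  :class => @current_class,
  :method => @current_method
@@ -1188,6 +1201,13 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
  call? exp and exp.method == :raise
  end
 
+ STRING_NEW = s(:call, s(:const, :String), :new)
+
+ # String.new ?
+ def new_string? exp
+ exp == STRING_NEW
+ end
+
  #Set variable to given value.
  #Creates "branched" versions of values when appropriate.
  #Avoids creating multiple branched versions inside same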
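Review bot: `STRING_NEW = s(:call, s(:const, :String), :new)` is a mutable Sexp held in a constant and compared structurally by `new_string?`; nothing in the hunk mutates it, but an accidental in-place edit anywhere would silently break every later `String.new` match, and freezing it costs nothing: `STRING_NEW = s(:call, s(:const, :String), :new).freeze`. Related, `new_string?` recognises only the bare `String.new`, so the other idioms for a mutable buffer under `frozen_string_literal` — `String.new("")`, `String.new(capacity: n)`, `+""` — still fall through to the older branches of the `<<` handling and do not get the new `env[target_var] = first_arg` shortcut; that may be deliberate, but the `# String.new ?` comment should say so (`# Only bare String.new; String.new(...) and +"" are left to the generic branches`) so the next reader does not widen it by accident. The methods containing the `<<`, `when :dup`/`when :!` and block-args hunks all start and end outside this view.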
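--- a/data/lib/brakeman/processors/base_processor.rb
+++ b/data/lib/brakeman/processors/base_processor.rb
@@ -15,11 +15,12 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
  super()
  @last = nil
  @tracker = tracker
- @current_template = @current_module = @current_class = @current_method = @file_name = nil
+ @app_tree = tracker.app_tree if tracker
+ @current_template = @current_module = @current_class = @current_method = @current_file = nil
  end
 
- def process_file exp, file_name
- @file_name = file_name
+ def process_file exp, current_file
+ @current_file = current_file
  process exp
  end
 
@@ -113,6 +114,8 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
  exp.unshift :rlist
  end
 
+ alias process_rlist process_block
+
  #Processes the inside of an interpolated String.
  def process_evstr exp
  exp = exp.dup
@@ -182,7 +185,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
  if @tracker
  @tracker.add_constant exp.lhs,
  exp.rhs,
- :file => current_file_name,
+ :file => current_file,
  :module => @current_module,
  :class => @current_class,
  :method => @current_method
@@ -234,8 +237,8 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
  elsif first_arg.is_a? Symbol or first_arg.is_a? String
  type = :action
  value = Sexp.new(:lit, first_arg.to_sym)
- elsif first_arg.nil?
- type = :default
+ elsif first_arg.nil?
+ type = :default
  elsif not hash? first_arg
  type = :action
  value = first_arg
@@ -287,7 +290,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
  template_name = "#@current_method/inline@#{value.line}:#{class_or_module}".to_sym
  type, ast = Brakeman::TemplateParser.parse_inline_erb(@tracker, value.value)
  ast = ast.deep_clone(value.line)
- @tracker.processor.process_template(template_name, ast, type, nil, @file_name)
+ @tracker.processor.process_template(template_name, ast, type, nil, @current_file)
  @tracker.processor.process_template_alias(@tracker.templates[template_name])
 
  return s(:lit, template_name), options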
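Review bot: The changed line `:file => current_file,` in the `add_constant` call uses a bare `current_file`, whereas the parallel hunk in alias_processor.rb switches to the ivar `@current_file`, and in this file `initialize`, `process_file` and the inline-template hunk only ever read or assign `@current_file`. Unless BaseProcessor (or the `Util` mixin, which lost 147 lines in this release) gains a `current_file` reader somewhere not shown here, the bare name is neither a local nor a method and raises `NameError` the first time a constant assignment is processed. I would use the ivar for consistency with the sibling hunk: `:file => @current_file,`. The method enclosing that call starts and ends outside the hunk.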
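--- a/data/lib/brakeman/processors/controller_alias_processor.rb
+++ b/data/lib/brakeman/processors/controller_alias_processor.rb
@@ -11,22 +11,22 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
  #If only_method is specified, only that method will be processed,
  #other methods will be skipped.
  #This is for rescanning just a single action.
- def initialize app_tree, tracker, only_method = nil
+ def initialize tracker, only_method = nil
  super tracker
- @app_tree = app_tree
+ @app_tree = tracker.app_tree
  @only_method = only_method
  @rendered = false
  @current_class = @current_module = @current_method = nil
  @method_cache = {} #Cache method lookups
  end
 
- def process_controller name, src, file_name
+ def process_controller name, src, current_file
  if not node_type? src, :class
  Brakeman.debug "#{name} is not a class, it's a #{src.node_type}"
  return
  else
  @current_class = name
- @file_name = file_name
+ @current_file = @app_tree.file_path(current_file)
 
  process_default src
 
@@ -37,6 +37,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
  #Process modules mixed into the controller, in case they contain actions.
  def process_mixins
  controller = @tracker.controllers[@current_class]
+ original_file = @current_file
 
  controller.includes.each do |i|
  mixin = @tracker.libs[i]
@@ -49,7 +50,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
  methods.each do |name|
  #Need to process the method like it was in a controller in order
  #to get the renders set
- processor = Brakeman::ControllerProcessor.new(@app_tree, @tracker)
+ processor = Brakeman::ControllerProcessor.new(@tracker, mixin.file)
  method = mixin.get_method(name)[:src].deep_clone
 
  if node_type? method, :defn
@@ -59,11 +60,13 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
  method = processor.process method
  end
 
- @file_name = mixin.file
+ @current_file = mixin.file
  #Then process it like any other method in the controller
  process method
  end
  end
+ ensure
+ @current_file = original_file
  end
 
  #Skip it, must be an inner class
@@ -187,7 +190,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
  end
  end
 
- render_path = Brakeman::RenderPath.new.add_controller_render(@current_class, @current_method, line, relative_path(@file_name))
+ render_path = Brakeman::RenderPath.new.add_controller_render(@current_class, @current_method, line, @current_file)
  super name, args, render_path, line
  end
 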
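Review bot: `process_controller` normalises its argument with `@current_file = @app_tree.file_path(current_file)`, but `process_mixins` assigns `@current_file = mixin.file` directly, so if any library entry is still registered with a String path (the processor that fills `@tracker.libs` is not in this view) `@current_file` changes type mid-scan and the `RenderPath` built from it in the last hunk carries a String where the rest of this change expects a `Brakeman::FilePath`. Wrapping it the same way is cheap and, assuming `AppTree#file_path` delegates to `FilePath.from_app_tree` (which returns a FilePath argument unchanged), a no-op in the common case: `@current_file = @app_tree.file_path(mixin.file)`. The `ensure` restoring `original_file` is a welcome fix for the previous leak of the mixin's path into later controller methods. The `process_mixins` and render hunks both cut through methods that continue outside the view.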