brakeman-lib 4.5.0 → 4.7.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (91) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +164 -108
  3. data/README.md +6 -7
  4. data/lib/brakeman.rb +7 -0
  5. data/lib/brakeman/app_tree.rb +34 -22
  6. data/lib/brakeman/call_index.rb +54 -15
  7. data/lib/brakeman/checks.rb +7 -7
  8. data/lib/brakeman/checks/base_check.rb +59 -56
  9. data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
  10. data/lib/brakeman/checks/check_cross_site_scripting.rb +9 -4
  11. data/lib/brakeman/checks/check_default_routes.rb +5 -0
  12. data/lib/brakeman/checks/check_deserialize.rb +49 -0
  13. data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
  14. data/lib/brakeman/checks/check_execute.rb +26 -1
  15. data/lib/brakeman/checks/check_file_access.rb +7 -1
  16. data/lib/brakeman/checks/check_force_ssl.rb +27 -0
  17. data/lib/brakeman/checks/check_header_dos.rb +2 -2
  18. data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
  19. data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
  20. data/lib/brakeman/checks/check_json_parsing.rb +7 -2
  21. data/lib/brakeman/checks/check_link_to_href.rb +6 -1
  22. data/lib/brakeman/checks/check_mail_to.rb +1 -1
  23. data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
  24. data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
  25. data/lib/brakeman/checks/check_model_attributes.rb +12 -50
  26. data/lib/brakeman/checks/check_model_serialize.rb +1 -1
  27. data/lib/brakeman/checks/check_nested_attributes_bypass.rb +4 -4
  28. data/lib/brakeman/checks/check_reverse_tabnabbing.rb +58 -0
  29. data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
  30. data/lib/brakeman/checks/check_secrets.rb +1 -1
  31. data/lib/brakeman/checks/check_session_settings.rb +15 -12
  32. data/lib/brakeman/checks/check_simple_format.rb +5 -0
  33. data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
  34. data/lib/brakeman/checks/check_sql.rb +15 -17
  35. data/lib/brakeman/checks/check_validation_regex.rb +1 -1
  36. data/lib/brakeman/checks/check_xml_dos.rb +2 -2
  37. data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
  38. data/lib/brakeman/differ.rb +16 -28
  39. data/lib/brakeman/file_parser.rb +10 -16
  40. data/lib/brakeman/file_path.rb +85 -0
  41. data/lib/brakeman/options.rb +7 -0
  42. data/lib/brakeman/parsers/haml_embedded.rb +1 -1
  43. data/lib/brakeman/parsers/template_parser.rb +6 -4
  44. data/lib/brakeman/processor.rb +4 -5
  45. data/lib/brakeman/processors/alias_processor.rb +27 -7
  46. data/lib/brakeman/processors/base_processor.rb +10 -7
  47. data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
  48. data/lib/brakeman/processors/controller_processor.rb +9 -13
  49. data/lib/brakeman/processors/gem_processor.rb +10 -2
  50. data/lib/brakeman/processors/haml_template_processor.rb +92 -123
  51. data/lib/brakeman/processors/lib/call_conversion_helper.rb +5 -4
  52. data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
  53. data/lib/brakeman/processors/lib/find_call.rb +3 -64
  54. data/lib/brakeman/processors/lib/module_helper.rb +8 -8
  55. data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
  56. data/lib/brakeman/processors/lib/rails2_config_processor.rb +4 -4
  57. data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
  58. data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
  59. data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
  60. data/lib/brakeman/processors/lib/render_helper.rb +2 -2
  61. data/lib/brakeman/processors/lib/render_path.rb +18 -1
  62. data/lib/brakeman/processors/library_processor.rb +5 -5
  63. data/lib/brakeman/processors/model_processor.rb +4 -5
  64. data/lib/brakeman/processors/output_processor.rb +5 -0
  65. data/lib/brakeman/processors/template_alias_processor.rb +32 -5
  66. data/lib/brakeman/processors/template_processor.rb +14 -10
  67. data/lib/brakeman/report.rb +3 -3
  68. data/lib/brakeman/report/ignore/config.rb +2 -3
  69. data/lib/brakeman/report/ignore/interactive.rb +2 -2
  70. data/lib/brakeman/report/pager.rb +1 -0
  71. data/lib/brakeman/report/report_base.rb +51 -6
  72. data/lib/brakeman/report/report_codeclimate.rb +3 -3
  73. data/lib/brakeman/report/report_hash.rb +1 -1
  74. data/lib/brakeman/report/report_html.rb +2 -2
  75. data/lib/brakeman/report/report_json.rb +1 -24
  76. data/lib/brakeman/report/report_table.rb +20 -4
  77. data/lib/brakeman/report/report_tabs.rb +1 -1
  78. data/lib/brakeman/report/report_text.rb +6 -7
  79. data/lib/brakeman/rescanner.rb +13 -12
  80. data/lib/brakeman/scanner.rb +19 -14
  81. data/lib/brakeman/tracker.rb +30 -6
  82. data/lib/brakeman/tracker/collection.rb +4 -3
  83. data/lib/brakeman/tracker/config.rb +44 -73
  84. data/lib/brakeman/tracker/constants.rb +2 -1
  85. data/lib/brakeman/util.rb +1 -147
  86. data/lib/brakeman/version.rb +1 -1
  87. data/lib/brakeman/warning.rb +27 -13
  88. data/lib/brakeman/warning_codes.rb +4 -0
  89. data/lib/ruby_parser/bm_sexp.rb +7 -2
  90. data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
  91. metadata +27 -22
@@ -8,20 +8,16 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
8
8
 
9
9
  FORMAT_HTML = Sexp.new(:call, Sexp.new(:lvar, :format), :html)
10
10
 
11
- def initialize app_tree, tracker
11
+ def initialize tracker, current_file = nil
12
12
  super(tracker)
13
- @app_tree = app_tree
14
- @current_class = nil
15
- @current_method = nil
16
- @current_module = nil
17
13
  @visibility = :public
18
- @file_name = nil
14
+ @current_file = current_file
19
15
  @concerns = Set.new
20
16
  end
21
17
 
22
18
  #Use this method to process a Controller
23
- def process_controller src, file_name = nil
24
- @file_name = file_name
19
+ def process_controller src, current_file = @current_file
20
+ @current_file = current_file
25
21
  process src
26
22
  end
27
23
 
@@ -35,7 +31,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
35
31
  #a real controller, so we can't take this shortcut.
36
32
  if @current_class and @current_class.name.to_s.end_with? "Controller"
37
33
  Brakeman.debug "[Notice] Treating inner class as library: #{name}"
38
- Brakeman::LibraryProcessor.new(@tracker).process_library exp, @file_name
34
+ Brakeman::LibraryProcessor.new(@tracker).process_library exp, @current_file
39
35
  return exp
40
36
  end
41
37
 
@@ -196,8 +192,8 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
196
192
 
197
193
  filter_name = ("fake_filter" + rand.to_s[/\d+$/]).to_sym
198
194
  args = exp.block_call.arglist
199
- args.insert(1, Sexp.new(:lit, filter_name))
200
- before_filter_call = make_call(nil, :before_filter, args)
195
+ args.insert(1, Sexp.new(:lit, filter_name).line(exp.line))
196
+ before_filter_call = make_call(nil, :before_filter, args).line(exp.line)
201
197
 
202
198
  if exp.block_args.length > 1
203
199
  block_variable = exp.block_args[1]
@@ -214,9 +210,9 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
214
210
  #Build Sexp for filter method
215
211
  body = Sexp.new(:lasgn,
216
212
  block_variable,
217
- Sexp.new(:call, Sexp.new(:const, @current_class.name), :new))
213
+ Sexp.new(:call, Sexp.new(:const, @current_class.name).line(exp.line), :new).line(exp.line)).line(exp.line)
218
214
 
219
- filter_method = Sexp.new(:defn, filter_name, Sexp.new(:args), body).concat(block_inner).line(exp.line)
215
+ filter_method = Sexp.new(:defn, filter_name, Sexp.new(:args).line(exp.line), body).concat(block_inner).line(exp.line)
220
216
 
221
217
  vis = @visibility
222
218
  @visibility = :private
@@ -29,6 +29,14 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
29
29
  @tracker.config.set_rails_version
30
30
  end
31
31
 
32
+ # Known issue: Brakeman does not yet support `gem` calls with multiple
33
+ # "version requirements". Consider the following example from the ruby docs:
34
+ #
35
+ # gem 'rake', '>= 1.1.a', '< 2'
36
+ #
37
+ # We are assuming that `second_arg` (eg. '>= 1.1.a') is the only requirement.
38
+ # Perhaps we should instantiate an array of `::Gem::Requirement`s or even a
39
+ # `::Gem::Dependency` and pass that to `Tracker::Config#add_gem`?
32
40
  def process_call exp
33
41
  if exp.target == nil
34
42
  if exp.method == :gem
@@ -51,8 +59,8 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
51
59
  end
52
60
  end
53
61
  elsif @inside_gemspec and exp.method == :add_dependency
54
- if string? exp.first_arg and string? exp.last_arg
55
- @tracker.config.add_gem exp.first_arg.value, exp.last_arg.value, @gemspec, exp.line
62
+ if string? exp.first_arg and string? exp.second_arg
63
+ @tracker.config.add_gem exp.first_arg.value, exp.second_arg.value, @gemspec, exp.line
56
64
  end
57
65
  end
58
66
 
@@ -2,137 +2,60 @@ require 'brakeman/processors/template_processor'
2
2
 
3
3
  #Processes HAML templates.
4
4
  class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
5
- HAML_FORMAT_METHOD = /format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
5
+ HAMLOUT = s(:call, nil, :_hamlout)
6
+ HAML_BUFFER = s(:call, HAMLOUT, :buffer)
6
7
  HAML_HELPERS = s(:colon2, s(:const, :Haml), :Helpers)
8
+ HAML_HELPERS2 = s(:colon2, s(:colon3, :Haml), :Helpers)
7
9
  JAVASCRIPT_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)
8
10
  COFFEE_FILTER = s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Coffee)
9
11
 
12
+ def initialize *args
13
+ super
14
+ @javascript = false
15
+ end
16
+
10
17
  #Processes call, looking for template output
11
18
  def process_call exp
12
- target = exp.target
13
- if sexp? target
14
- target = process target
19
+ exp = process_default exp
20
+
21
+ if buffer_append? exp
22
+ output = normalize_output(exp.first_arg)
23
+ res = get_pushed_value(output)
15
24
  end
16
25
 
17
- method = exp.method
18
-
19
- if (call? target and target.method == :_hamlout)
20
- res = case method
21
- when :adjust_tabs, :rstrip!, :attributes #Check attributes, maybe?
22
- ignore
23
- when :options, :buffer
24
- exp
25
- when :open_tag
26
- process_call_args exp
27
- else
28
- arg = exp.first_arg
29
-
30
- if arg
31
- @inside_concat = true
32
- exp.first_arg = process(arg)
33
- out = normalize_output(exp.first_arg)
34
- @inside_concat = false
35
- else
36
- raise "Empty _hamlout.#{method}()?"
37
- end
38
-
39
- if string? out
40
- ignore
41
- else
42
- r = case method.to_s
43
- when "push_text"
44
- build_output_from_push_text(out)
45
- when HAML_FORMAT_METHOD
46
- if $4 == "true"
47
- if string_interp? out
48
- build_output_from_push_text(out, :escaped_output)
49
- else
50
- Sexp.new :format_escaped, out
51
- end
52
- else
53
- if string_interp? out
54
- build_output_from_push_text(out)
55
- else
56
- Sexp.new :format, out
57
- end
58
- end
59
-
60
- else
61
- raise "Unrecognized action on _hamlout: #{method}"
62
- end
63
-
64
- @javascript = false
65
- r
66
- end
67
- end
68
-
69
- res.line(exp.line)
70
- res
71
-
72
- #_hamlout.buffer <<
73
- #This seems to be used rarely, but directly appends args to output buffer.
74
- #Has something to do with values of blocks?
75
- elsif sexp? target and method == :<< and is_buffer_target? target
76
- @inside_concat = true
77
- exp.first_arg = process(exp.first_arg)
78
- out = normalize_output(exp.first_arg)
79
- @inside_concat = false
80
-
81
- if out.node_type == :str #ignore plain strings
82
- ignore
83
- else
84
- add_output out
85
- end
86
- elsif target == nil and method == :render
87
- #Process call to render()
88
- exp.arglist = process exp.arglist
89
- make_render_in_view exp
90
- elsif target == nil and method == :find_and_preserve and exp.first_arg
91
- process exp.first_arg
92
- elsif method == :render_with_options
93
- if target == JAVASCRIPT_FILTER or target == COFFEE_FILTER
94
- @javascript = true
95
- end
26
+ res or exp
27
+ end
96
28
 
97
- process exp.first_arg
98
- else
99
- exp.target = target
100
- exp.arglist = process exp.arglist
101
- exp
102
- end
29
+ # _haml_out.buffer << ...
30
+ def buffer_append? exp
31
+ call? exp and
32
+ exp.target == HAML_BUFFER and
33
+ exp.method == :<<
34
+ end
35
+
36
+ PRESERVE_METHODS = [:find_and_preserve, :preserve]
37
+
38
+ def find_and_preserve? exp
39
+ call? exp and
40
+ PRESERVE_METHODS.include?(exp.method) and
41
+ exp.first_arg
103
42
  end
104
43
 
105
44
  #If inside an output stream, only return the final expression
106
45
  def process_block exp
107
46
  exp = exp.dup
108
47
  exp.shift
109
- if @inside_concat
110
- @inside_concat = false
111
- exp[0..-2].each do |e|
112
- process e
113
- end
114
- @inside_concat = true
115
- process exp[-1]
116
- else
117
- exp.map! do |e|
118
- res = process e
119
- if res.empty?
120
- nil
121
- else
122
- res
123
- end
48
+
49
+ exp.map! do |e|
50
+ res = process e
51
+ if res.empty?
52
+ nil
53
+ else
54
+ res
124
55
  end
125
- Sexp.new(:rlist).concat(exp).compact
126
56
  end
127
- end
128
57
 
129
- #Checks if the buffer is the target in a method call Sexp.
130
- #TODO: Test this
131
- def is_buffer_target? exp
132
- exp.node_type == :call and
133
- node_type? exp.target, :lvar and
134
- exp.target.value == :_hamlout and
135
- exp.method == :buffer
58
+ Sexp.new(:rlist).concat(exp).compact
136
59
  end
137
60
 
138
61
  #HAML likes to put interpolated values into _hamlout.push_text
@@ -153,7 +76,6 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
153
76
  end
154
77
  end
155
78
 
156
- #Gets outputs from values interpolated into _hamlout.push_text
157
79
  def get_pushed_value exp, default = :output
158
80
  return exp unless sexp? exp
159
81
 
@@ -168,24 +90,71 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
168
90
  exp
169
91
  when :str, :ignore, :output, :escaped_output
170
92
  exp
171
- when :block, :rlist, :dstr
172
- exp.map! { |e| get_pushed_value e }
93
+ when :block, :rlist
94
+ exp.map! { |e| get_pushed_value(e, default) }
95
+ when :dstr
96
+ build_output_from_push_text(exp, default)
173
97
  when :if
174
- clauses = [get_pushed_value(exp.then_clause), get_pushed_value(exp.else_clause)].compact
98
+ clauses = [get_pushed_value(exp.then_clause, default), get_pushed_value(exp.else_clause, default)].compact
175
99
 
176
100
  if clauses.length > 1
177
- s(:or, *clauses)
101
+ s(:or, *clauses).line(exp.line)
178
102
  else
179
103
  clauses.first
180
104
  end
181
- else
182
- if call? exp and exp.target == HAML_HELPERS and exp.method == :html_escape
183
- add_escaped_output exp.first_arg
184
- elsif @javascript and call? exp and (exp.method == :j or exp.method == :escape_javascript)
185
- add_escaped_output exp.first_arg
105
+ when :call
106
+ if exp.method == :to_s or exp.method == :strip
107
+ get_pushed_value(exp.target, default)
108
+ elsif haml_helpers? exp.target and exp.method == :html_escape
109
+ get_pushed_value(exp.first_arg, :escaped_output)
110
+ elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
111
+ get_pushed_value(exp.first_arg, :escaped_output)
112
+ elsif find_and_preserve? exp or fix_textareas? exp
113
+ get_pushed_value(exp.first_arg, default)
114
+ elsif raw? exp
115
+ get_pushed_value(exp.first_arg, :output)
116
+ elsif hamlout_attributes? exp
117
+ ignore # ignore _hamlout.attributes calls
118
+ elsif exp.target.nil? and exp.method == :render
119
+ #Process call to render()
120
+ exp.arglist = process exp.arglist
121
+ make_render_in_view exp
122
+ elsif exp.method == :render_with_options
123
+ if exp.target == JAVASCRIPT_FILTER or exp.target == COFFEE_FILTER
124
+ @javascript = true
125
+ end
126
+
127
+ get_pushed_value(exp.first_arg, default)
128
+ @javascript = false
186
129
  else
187
130
  add_output exp, default
188
131
  end
132
+ else
133
+ add_output exp, default
189
134
  end
190
135
  end
136
+
137
+ def haml_helpers? exp
138
+ # Sometimes its Haml::Helpers and
139
+ # sometimes its ::Haml::Helpers
140
+ exp == HAML_HELPERS or
141
+ exp == HAML_HELPERS2
142
+ end
143
+
144
+ def hamlout_attributes? exp
145
+ call? exp and
146
+ exp.target == HAMLOUT and
147
+ exp.method == :attributes
148
+ end
149
+
150
+ def fix_textareas? exp
151
+ call? exp and
152
+ exp.target == HAMLOUT and
153
+ exp.method == :fix_textareas!
154
+ end
155
+
156
+ def raw? exp
157
+ call? exp and
158
+ exp.method == :raw
159
+ end
191
160
  end
@@ -19,16 +19,17 @@ module Brakeman
19
19
  end
20
20
  end
21
21
 
22
+ STRING_LENGTH_LIMIT = 50
23
+
22
24
  # Join two string literals into one.
23
25
  def join_strings lhs, rhs, original_exp = nil
24
26
  if string? lhs and string? rhs
25
- result = Sexp.new(:str).line(lhs.line)
26
- result.value = lhs.value + rhs.value
27
-
28
- if result.value.length > 50
27
+ if (lhs.value.length + rhs.value.length > STRING_LENGTH_LIMIT)
29
28
  # Avoid gigantic strings
30
29
  lhs
31
30
  else
31
+ result = Sexp.new(:str).line(lhs.line)
32
+ result.value = lhs.value + rhs.value
32
33
  result
33
34
  end
34
35
  elsif call? lhs and lhs.method == :+ and string? lhs.first_arg and string? rhs
@@ -5,9 +5,9 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
5
5
 
6
6
  def initialize tracker
7
7
  super
8
- @current_class = nil
9
- @current_method = nil
8
+
10
9
  @in_target = false
10
+ @processing_class = false
11
11
  @calls = []
12
12
  @cache = {}
13
13
  end
@@ -23,10 +23,33 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
23
23
  process exp
24
24
  end
25
25
 
26
+ #For whatever reason, originally the indexing of calls
27
+ #was performed on individual method bodies (see process_defn).
28
+ #This method explicitly indexes all calls everywhere given any
29
+ #source.
30
+ def process_all_source exp, opts
31
+ @processing_class = true
32
+ process_source exp, opts
33
+ ensure
34
+ @processing_class = false
35
+ end
36
+
26
37
  #Process body of method
27
38
  def process_defn exp
28
- return exp unless @current_method
29
- process_all exp.body
39
+ return exp unless @current_method or @processing_class
40
+
41
+ # 'Normal' processing assumes the method name was given
42
+ # as an option to `process_source` but for `process_all_source`
43
+ # we don't want to do that.
44
+ if @current_method.nil?
45
+ @current_method = exp.method_name
46
+ process_all exp.body
47
+ @current_method = nil
48
+ else
49
+ process_all exp.body
50
+ end
51
+
52
+ exp
30
53
  end
31
54
 
32
55
  alias process_defs process_defn
@@ -33,14 +33,13 @@ require 'brakeman/processors/lib/basic_processor'
33
33
  # FindCall.new nil, /^g?sub!?$/
34
34
  class Brakeman::FindCall < Brakeman::BasicProcessor
35
35
 
36
- def initialize targets, methods, tracker, in_depth = false
36
+ def initialize targets, methods, tracker
37
37
  super tracker
38
38
  @calls = []
39
39
  @find_targets = targets
40
40
  @find_methods = methods
41
41
  @current_class = nil
42
42
  @current_method = nil
43
- @in_depth = in_depth
44
43
  end
45
44
 
46
45
  #Returns a list of results.
@@ -48,10 +47,6 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
48
47
  #A result looks like:
49
48
  #
50
49
  # s(:result, :ClassName, :method_name, s(:call, ...))
51
- #
52
- #or
53
- #
54
- # s(:result, :template_name, s(:call, ...))
55
50
  def matches
56
51
  @calls
57
52
  end
@@ -60,10 +55,7 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
60
55
  #or the template. These names are used when reporting results.
61
56
  #
62
57
  #Use FindCall#matches to retrieve results.
63
- def process_source exp, klass = nil, method = nil, template = nil
64
- @current_class = klass
65
- @current_method = method
66
- @current_template = template
58
+ def process_source exp
67
59
  process exp
68
60
  end
69
61
 
@@ -74,11 +66,6 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
74
66
 
75
67
  alias :process_defs :process_defn
76
68
 
77
- #Process body of block
78
- def process_rlist exp
79
- process_all exp
80
- end
81
-
82
69
  #Look for matching calls and add them to results
83
70
  def process_call exp
84
71
  target = get_target exp.target
@@ -87,25 +74,9 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
87
74
  process_call_args exp
88
75
 
89
76
  if match(@find_targets, target) and match(@find_methods, method)
90
-
91
- if @current_template
92
- @calls << Sexp.new(:result, @current_template, exp).line(exp.line)
93
- else
94
- @calls << Sexp.new(:result, @current_module, @current_class, @current_method, exp).line(exp.line)
95
- end
96
-
77
+ @calls << Sexp.new(:result, @current_module, @current_class, @current_method, exp).line(exp.line)
97
78
  end
98
79
 
99
- #Normally FindCall won't match a method invocation that is the target of
100
- #another call, such as:
101
- #
102
- # User.find(:first, :conditions => "user = '#{params['user']}').name
103
- #
104
- #A search for User.find will not match this unless @in_depth is true.
105
- if @in_depth and call? exp.target
106
- process exp.target
107
- end
108
-
109
80
  exp
110
81
  end
111
82
 
@@ -123,8 +94,6 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
123
94
  case exp.node_type
124
95
  when :ivar, :lvar, :const, :lit
125
96
  exp.value
126
- when :true, :false
127
- exp.node_type
128
97
  when :colon2
129
98
  class_name exp
130
99
  else
@@ -141,43 +110,13 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
141
110
  when Symbol
142
111
  if search_terms == item
143
112
  true
144
- elsif sexp? item
145
- is_instance_of? item, search_terms
146
113
  else
147
114
  false
148
115
  end
149
- when Sexp
150
- search_terms == item
151
116
  when Enumerable
152
117
  if search_terms.empty?
153
118
  item == nil
154
- else
155
- search_terms.each do|term|
156
- if match(term, item)
157
- return true
158
- end
159
- end
160
- false
161
119
  end
162
- when Regexp
163
- search_terms.match item.to_s
164
- when nil
165
- true
166
- else
167
- raise "Cannot match #{search_terms} and #{item}"
168
- end
169
- end
170
-
171
- #Checks if +item+ is an instance of +klass+ by looking for Klass.new
172
- def is_instance_of? item, klass
173
- if call? item
174
- if sexp? item.target
175
- item.method == :new and item.target.node_type == :const and item.target.value == klass
176
- else
177
- item.method == :new and item.target == klass
178
- end
179
- else
180
- false
181
120
  end
182
121
  end
183
122
  end