brakeman-lib 4.5.0 → 4.7.1

data/lib/brakeman/report/report_codeclimate.rb

@@ -70,10 +70,10 @@ class Brakeman::Report::CodeClimate < Brakeman::Report::Base
   end
 
   def file_path(warning)
-    fp = Pathname.new(warning.relative_path)
     if tracker.options[:path_prefix]
-      fp = Pathname.new(tracker.options[:path_prefix]) + fp
+      (Pathname.new(tracker.options[:path_prefix]) + Pathname.new(warning.file.relative)).to_s
+    else
+      warning.file
     end
-    fp.to_s
   end
 end

data/lib/brakeman/report/report_hash.rb

@@ -11,7 +11,7 @@ class Brakeman::Report::Hash < Brakeman::Report::Base
       report[meth] = self.send(meth)
       report[meth].each do |w|
         w.message = w.format_message
-        w.context = context_for(@app_tree, w).join("\n")
+        w.context = context_for(w).join("\n")
       end
     end
 

data/lib/brakeman/report/report_html.rb

@@ -86,7 +86,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Table
 
   def convert_ignored_warning warning, original
     warning = convert_warning(warning, original)
-    warning['File'] = original.relative_path
+    warning['File'] = original.file.relative
     warning['Note'] = CGI.escapeHTML(@ignore_filter.note_for(original) || "")
     warning
   end
@@ -113,7 +113,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Table
   #Generate HTML for warnings, including context show/hidden via Javascript
   def with_context warning, message
     @element_id += 1
-    context = context_for(@app_tree, warning)
+    context = context_for(warning)
     message = html_message(warning, message)
 
     code_id = "context#@element_id"

data/lib/brakeman/report/report_json.rb

@@ -37,30 +37,7 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
 
   def convert_to_hashes warnings
     warnings.map do |w|
-      hash = w.to_hash
-      hash[:render_path] = convert_render_path hash[:render_path]
-      hash[:file] = warning_file w
-
-      hash
+      w.to_hash(absolute_paths: false)
     end.sort_by { |w| "#{w[:fingerprint]}#{w[:line]}" }
   end
-
-  def convert_render_path render_path
-    return unless render_path and not @tracker.options[:absolute_paths]
-
-    render_path.map do |r|
-      r = r.dup
-
-      if r[:file]
-        r[:file] = relative_path(r[:file])
-      end
-
-      if r[:rendered] and r[:rendered][:file]
-        r[:rendered] = r[:rendered].dup
-        r[:rendered][:file] = relative_path(r[:rendered][:file])
-      end
-
-      r
-    end
-  end
 end

data/lib/brakeman/report/report_table.rb

@@ -199,10 +199,6 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     end
   end
 
-  def convert_warning warning, original
-    warning
-  end
-
   def convert_ignored_warning warning, original
     convert_warning warning, original
   end
@@ -271,4 +267,24 @@ Duration: #{tracker.duration} seconds
 Checks run: #{checks.checks_run.sort.join(", ")}
 HEADER
   end
+
+  def truncate_table str
+    @terminal_width ||= if @tracker.options[:table_width]
+                          @tracker.options[:table_width]
+                        elsif $stdin && $stdin.tty?
+                          Brakeman.load_brakeman_dependency 'highline'
+                          ::HighLine.default_instance.terminal.terminal_size[0]
+                        else
+                          80
+                        end
+    lines = str.lines
+
+    lines.map do |line|
+      if line.chomp.length > @terminal_width
+        line[0..(@terminal_width - 3)] + ">>\n"
+      else
+        line
+      end
+    end.join
+  end
 end

data/lib/brakeman/report/report_tabs.rb

@@ -10,7 +10,7 @@ class Brakeman::Report::Tabs < Brakeman::Report::Table
       self.send(meth).map do |w|
         line = w.line || 0
         w.warning_type.gsub!(/[^\w\s]/, ' ')
-        "#{warning_file(w, :absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
+        "#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
       end.join "\n"
 
     end.join "\n"

data/lib/brakeman/report/report_text.rb

@@ -19,7 +19,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
     add_chunk generate_controllers if tracker.options[:debug] or tracker.options[:report_routes]
     add_chunk generate_templates if tracker.options[:debug]
     add_chunk generate_obsolete
-    add_chunk generate_errors 
+    add_chunk generate_errors
     add_chunk generate_warnings
   end
 
@@ -51,7 +51,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
 
   def generate_header
     [
-      header("Brakeman Report"), 
+      header("Brakeman Report"),
       label("Application Path", tracker.app_path),
       label("Rails Version", rails_version),
       label("Brakeman Version", Brakeman::Version),
@@ -92,7 +92,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
       HighLine.color("No warnings found", :bold, :green)
     else
       warnings = tracker.filtered_warnings.sort_by do |w|
-        [w.confidence, w.warning_type, w.fingerprint]
+        [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
       end.map do |w|
         output_warning w
       end
@@ -140,7 +140,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
     end
 
     double_space "Template Output", template_rows.sort_by { |name, value| name.to_s }.map { |template|
-      [HighLine.new.color(template.first.to_s << "\n", :cyan)] + template[1]
+      [HighLine.new.color("#{template.first}\n", :cyan)] + template[1]
     }.compact
   end
 
@@ -201,8 +201,8 @@ class Brakeman::Report::Text < Brakeman::Report::Base
 
   # ONLY used for generate_controllers to avoid duplication
   def render_array name, cols, values, locals
-    controllers = values.map do |name, parent, includes, routes|
-      c = [ label("Controller", name) ]
+    controllers = values.map do |controller_name, parent, includes, routes|
+      c = [ label("Controller", controller_name) ]
       c << label("Parent", parent) unless parent.empty?
       c << label("Includes", includes) unless includes.empty?
       c << label("Routes", routes)
@@ -211,4 +211,3 @@ class Brakeman::Report::Text < Brakeman::Report::Base
     double_space "Controller Overview", controllers
   end
 end
-

data/lib/brakeman/rescanner.rb

@@ -13,7 +13,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def initialize options, processor, changed_files
     super(options, processor)
 
-    @paths = changed_files.map {|f| @app_tree.expand_path(f) }
+    @paths = changed_files.map {|f| tracker.app_tree.file_path(f) }
     @old_results = tracker.filtered_warnings  #Old warnings from previous scan
     @changes = nil                 #True if files had to be rescanned
     @reindex = Set.new
@@ -67,7 +67,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def rescan_file path, type = nil
     type ||= file_type path
 
-    unless @app_tree.path_exists?(path)
+    unless path.exists?
       return rescan_deleted_file path, type
     end
 
@@ -127,14 +127,14 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_template path
-    return unless path.match KNOWN_TEMPLATE_EXTENSIONS and @app_tree.path_exists?(path)
+    return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS and path.exists?
 
     template_name = template_path_to_name(path)
 
     tracker.reset_template template_name
-    fp = Brakeman::FileParser.new(tracker, @app_tree)
+    fp = Brakeman::FileParser.new(tracker)
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
-    template_parser.parse_template path, @app_tree.read_path(path)
+    template_parser.parse_template path, path.read
     process_template fp.file_list[:templates].first
 
     @processor.process_template_alias tracker.templates[template_name]
@@ -226,9 +226,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_initializer path
+    tracker.reset_initializer path
+
     parse_ruby_files([path]).each do |astfile|
       process_initializer astfile
     end
+
+    @reindex << :initializers
   end
 
   #Handle rescanning when a file is deleted
@@ -256,16 +260,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_deleted_template path
-    return unless path.match KNOWN_TEMPLATE_EXTENSIONS
+    return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS
 
     template_name = template_path_to_name(path)
 
     #Remove template
     tracker.reset_template template_name
 
-    rendered_from_controller = /^#{template_name}\.(.+Controller)#(.+)/
-    rendered_from_view = /^#{template_name}\.Template:(.+)/
-
     #Remove any rendered versions, or partials rendered from it
     tracker.templates.delete_if do |_name, template|
       template.file == path or template.name.to_sym == template_name.to_sym
@@ -371,7 +372,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
       next unless template.render_path
 
       if template.render_path.include_any_method? method_names
-        name.to_s.match /^([^.]+)/
+        name.to_s.match(/^([^.]+)/)
 
         original = tracker.templates[$1.to_sym]
 
@@ -388,8 +389,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def parse_ruby_files list
-    paths = list.select { |path| @app_tree.path_exists? path }
-    file_parser = Brakeman::FileParser.new(tracker, @app_tree)
+    paths = list.select(&:exists?)
+    file_parser = Brakeman::FileParser.new(tracker)
     file_parser.parse_files paths, :rescan
     file_parser.file_list[:rescan]
   end

data/lib/brakeman/scanner.rb

@@ -16,7 +16,6 @@ end
 #Scans the Rails application.
 class Brakeman::Scanner
   attr_reader :options
-  RUBY_1_9 = RUBY_VERSION >= "1.9.0"
 
   #Pass in path to the root of the Rails application
   def initialize options, processor = nil
@@ -66,7 +65,7 @@ class Brakeman::Scanner
   end
 
   def parse_files
-    fp = Brakeman::FileParser.new tracker, @app_tree
+    fp = Brakeman::FileParser.new tracker
 
     files = {
       :initializers => @app_tree.initializer_paths,
@@ -95,7 +94,7 @@ class Brakeman::Scanner
   #
   #Stores parsed information in tracker.config
   def process_config
-    if options[:rails3] or options[:rails4] or options[:rails5]
+    if options[:rails3] or options[:rails4] or options[:rails5] or options[:rails6]
       process_config_file "application.rb"
       process_config_file "environments/production.rb"
     else
@@ -111,14 +110,14 @@ class Brakeman::Scanner
     end
 
     if @app_tree.exists? ".ruby-version"
-      tracker.config.set_ruby_version @app_tree.read ".ruby-version"
+      tracker.config.set_ruby_version @app_tree.file_path(".ruby-version").read
     end
   end
 
   def process_config_file file
-    path = "config/#{file}"
+    path = @app_tree.file_path("config/#{file}")
 
-    if @app_tree.exists?(path)
+    if path.exists?
       @processor.process_config(parse_ruby_file(path), path)
     end
 
@@ -132,16 +131,21 @@ class Brakeman::Scanner
   #Process Gemfile
   def process_gems
     gem_files = {}
+
     if @app_tree.exists? "Gemfile"
-      gem_files[:gemfile] = { :src => parse_ruby_file("Gemfile"), :file => "Gemfile" }
+      file = @app_tree.file_path("Gemfile")
+      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
     elsif @app_tree.exists? "gems.rb"
-      gem_files[:gemfile] = { :src => parse_ruby_file("gems.rb"), :file => "gems.rb" }
+      file = @app_tree.file_path("gems.rb")
+      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
     end
 
     if @app_tree.exists? "Gemfile.lock"
-      gem_files[:gemlock] = { :src => @app_tree.read("Gemfile.lock"), :file => "Gemfile.lock" }
+      file = @app_tree.file_path("Gemfile.lock")
+      gem_files[:gemlock] = { :src => file.read, :file => file }
     elsif @app_tree.exists? "gems.locked"
-      gem_files[:gemlock] = { :src => @app_tree.read("gems.locked"), :file => "gems.locked" }
+      file = @app_tree.file_path("gems.locked")
+      gem_files[:gemlock] = { :src => file.read, :file => file }
     end
 
     if @app_tree.gemspec
@@ -215,7 +219,8 @@ class Brakeman::Scanner
   #Adds parsed information to tracker.routes
   def process_routes
     if @app_tree.exists?("config/routes.rb")
-      if routes_sexp = parse_ruby_file("config/routes.rb")
+      file = @app_tree.file_path("config/routes.rb")
+      if routes_sexp = parse_ruby_file(file)
         @processor.process_routes routes_sexp
       else
         Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
@@ -316,9 +321,9 @@ class Brakeman::Scanner
     tracker.index_call_sites
   end
 
-  def parse_ruby_file path
-    fp = Brakeman::FileParser.new(self.tracker, @app_tree)
-    fp.parse_ruby(@app_tree.read(path), path)
+  def parse_ruby_file file
+    fp = Brakeman::FileParser.new(self.tracker)
+    fp.parse_ruby(file.read, file)
   end
 end
 

data/lib/brakeman/tracker.rb

@@ -12,7 +12,7 @@ class Brakeman::Tracker
   attr_accessor :controllers, :constants, :templates, :models, :errors,
     :checks, :initializers, :config, :routes, :processor, :libs,
     :template_cache, :options, :filter_cache, :start_time, :end_time,
-    :duration, :ignored_filter
+    :duration, :ignored_filter, :app_tree
 
   #Place holder when there should be a model, but it is not
   #clear what model it will be.
@@ -34,7 +34,7 @@ class Brakeman::Tracker
     #we can match models later without knowing precisely what
     #class they are.
     @models = {}
-    @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, nil, nil, self)
+    @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, @app_tree.file_path("NOT_REAL.rb"), nil, self)
     @routes = {}
     @initializers = {}
     @errors = []
@@ -71,7 +71,7 @@ class Brakeman::Tracker
   #Run a set of checks on the current information. Results will be stored
   #in Tracker#checks.
   def run_checks
-    @checks = Brakeman::Checks.run_checks(@app_tree, self)
+    @checks = Brakeman::Checks.run_checks(self)
 
     @end_time = Time.now
     @duration = @end_time - @start_time
@@ -172,7 +172,7 @@ class Brakeman::Tracker
 
   #Returns a Report with this Tracker's information
   def report
-    Brakeman::Report.new(@app_tree, self)
+    Brakeman::Report.new(self)
   end
 
   def warnings
@@ -227,6 +227,10 @@ class Brakeman::Tracker
       finder.process_source template.src, :template => template, :file => template.file
     end
 
+    self.initializers.each do |file_name, src|
+      finder.process_all_source src, :file => file_name
+    end
+
     @call_index = Brakeman::CallIndex.new finder.calls
   end
 
@@ -237,8 +241,8 @@ class Brakeman::Tracker
   #
   #This will limit reindexing to the given sets
   def reindex_call_sites locations
-    #If reindexing templates, models, and controllers, just redo
-    #everything
+    #If reindexing templates, models, controllers,
+    #just redo everything.
     if locations.length == 3
       return index_call_sites
     end
@@ -260,6 +264,12 @@ class Brakeman::Tracker
       method_sets << self.controllers
     end
 
+    if locations.include? :initializers
+      self.initializers.each do |file_name, src|
+        @call_index.remove_indexes_by_file file_name
+      end
+    end
+
     @call_index.remove_indexes_by_class classes_to_reindex
 
     finder = Brakeman::FindAllCalls.new self
@@ -279,6 +289,12 @@ class Brakeman::Tracker
       end
     end
 
+    if locations.include? :initializers
+      self.initializers.each do |file_name, src|
+        finder.process_all_source src, :file => file_name
+      end
+    end
+
     @call_index.index_calls finder.calls
   end
 
@@ -363,4 +379,12 @@ class Brakeman::Tracker
   def reset_routes
     @routes = {}
   end
+
+  def reset_initializer path
+    @initializers.delete_if do |file, src|
+      path.relative.include? file
+    end
+
+    @call_index.remove_indexes_by_file path
+  end
 end

data/lib/brakeman/tracker/collection.rb

@@ -9,13 +9,14 @@ module Brakeman
     def initialize name, parent, file_name, src, tracker
       @name = name
       @parent = parent
-      @file_name = file_name
-      @files = [ file_name ]
-      @src = { file_name => src }
+      @files = []
+      @src = {}
       @includes = []
       @methods = { :public => {}, :private => {}, :protected => {} }
       @options = {}
       @tracker = tracker
+
+      add_file file_name, src
     end
 
     def ancestor? parent, seen={}