brakeman-lib 4.5.0 → 4.7.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (91) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGES.md +164 -108
  3. data/README.md +6 -7
  4. data/lib/brakeman.rb +7 -0
  5. data/lib/brakeman/app_tree.rb +34 -22
  6. data/lib/brakeman/call_index.rb +54 -15
  7. data/lib/brakeman/checks.rb +7 -7
  8. data/lib/brakeman/checks/base_check.rb +59 -56
  9. data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
  10. data/lib/brakeman/checks/check_cross_site_scripting.rb +9 -4
  11. data/lib/brakeman/checks/check_default_routes.rb +5 -0
  12. data/lib/brakeman/checks/check_deserialize.rb +49 -0
  13. data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
  14. data/lib/brakeman/checks/check_execute.rb +26 -1
  15. data/lib/brakeman/checks/check_file_access.rb +7 -1
  16. data/lib/brakeman/checks/check_force_ssl.rb +27 -0
  17. data/lib/brakeman/checks/check_header_dos.rb +2 -2
  18. data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
  19. data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
  20. data/lib/brakeman/checks/check_json_parsing.rb +7 -2
  21. data/lib/brakeman/checks/check_link_to_href.rb +6 -1
  22. data/lib/brakeman/checks/check_mail_to.rb +1 -1
  23. data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
  24. data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
  25. data/lib/brakeman/checks/check_model_attributes.rb +12 -50
  26. data/lib/brakeman/checks/check_model_serialize.rb +1 -1
  27. data/lib/brakeman/checks/check_nested_attributes_bypass.rb +4 -4
  28. data/lib/brakeman/checks/check_reverse_tabnabbing.rb +58 -0
  29. data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
  30. data/lib/brakeman/checks/check_secrets.rb +1 -1
  31. data/lib/brakeman/checks/check_session_settings.rb +15 -12
  32. data/lib/brakeman/checks/check_simple_format.rb +5 -0
  33. data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
  34. data/lib/brakeman/checks/check_sql.rb +15 -17
  35. data/lib/brakeman/checks/check_validation_regex.rb +1 -1
  36. data/lib/brakeman/checks/check_xml_dos.rb +2 -2
  37. data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
  38. data/lib/brakeman/differ.rb +16 -28
  39. data/lib/brakeman/file_parser.rb +10 -16
  40. data/lib/brakeman/file_path.rb +85 -0
  41. data/lib/brakeman/options.rb +7 -0
  42. data/lib/brakeman/parsers/haml_embedded.rb +1 -1
  43. data/lib/brakeman/parsers/template_parser.rb +6 -4
  44. data/lib/brakeman/processor.rb +4 -5
  45. data/lib/brakeman/processors/alias_processor.rb +27 -7
  46. data/lib/brakeman/processors/base_processor.rb +10 -7
  47. data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
  48. data/lib/brakeman/processors/controller_processor.rb +9 -13
  49. data/lib/brakeman/processors/gem_processor.rb +10 -2
  50. data/lib/brakeman/processors/haml_template_processor.rb +92 -123
  51. data/lib/brakeman/processors/lib/call_conversion_helper.rb +5 -4
  52. data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
  53. data/lib/brakeman/processors/lib/find_call.rb +3 -64
  54. data/lib/brakeman/processors/lib/module_helper.rb +8 -8
  55. data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
  56. data/lib/brakeman/processors/lib/rails2_config_processor.rb +4 -4
  57. data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
  58. data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
  59. data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
  60. data/lib/brakeman/processors/lib/render_helper.rb +2 -2
  61. data/lib/brakeman/processors/lib/render_path.rb +18 -1
  62. data/lib/brakeman/processors/library_processor.rb +5 -5
  63. data/lib/brakeman/processors/model_processor.rb +4 -5
  64. data/lib/brakeman/processors/output_processor.rb +5 -0
  65. data/lib/brakeman/processors/template_alias_processor.rb +32 -5
  66. data/lib/brakeman/processors/template_processor.rb +14 -10
  67. data/lib/brakeman/report.rb +3 -3
  68. data/lib/brakeman/report/ignore/config.rb +2 -3
  69. data/lib/brakeman/report/ignore/interactive.rb +2 -2
  70. data/lib/brakeman/report/pager.rb +1 -0
  71. data/lib/brakeman/report/report_base.rb +51 -6
  72. data/lib/brakeman/report/report_codeclimate.rb +3 -3
  73. data/lib/brakeman/report/report_hash.rb +1 -1
  74. data/lib/brakeman/report/report_html.rb +2 -2
  75. data/lib/brakeman/report/report_json.rb +1 -24
  76. data/lib/brakeman/report/report_table.rb +20 -4
  77. data/lib/brakeman/report/report_tabs.rb +1 -1
  78. data/lib/brakeman/report/report_text.rb +6 -7
  79. data/lib/brakeman/rescanner.rb +13 -12
  80. data/lib/brakeman/scanner.rb +19 -14
  81. data/lib/brakeman/tracker.rb +30 -6
  82. data/lib/brakeman/tracker/collection.rb +4 -3
  83. data/lib/brakeman/tracker/config.rb +44 -73
  84. data/lib/brakeman/tracker/constants.rb +2 -1
  85. data/lib/brakeman/util.rb +1 -147
  86. data/lib/brakeman/version.rb +1 -1
  87. data/lib/brakeman/warning.rb +27 -13
  88. data/lib/brakeman/warning_codes.rb +4 -0
  89. data/lib/ruby_parser/bm_sexp.rb +7 -2
  90. data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
  91. metadata +27 -22
@@ -70,10 +70,10 @@ class Brakeman::Report::CodeClimate < Brakeman::Report::Base
70
70
  end
71
71
 
72
72
  def file_path(warning)
73
- fp = Pathname.new(warning.relative_path)
74
73
  if tracker.options[:path_prefix]
75
- fp = Pathname.new(tracker.options[:path_prefix]) + fp
74
+ (Pathname.new(tracker.options[:path_prefix]) + Pathname.new(warning.file.relative)).to_s
75
+ else
76
+ warning.file
76
77
  end
77
- fp.to_s
78
78
  end
79
79
  end
@@ -11,7 +11,7 @@ class Brakeman::Report::Hash < Brakeman::Report::Base
11
11
  report[meth] = self.send(meth)
12
12
  report[meth].each do |w|
13
13
  w.message = w.format_message
14
- w.context = context_for(@app_tree, w).join("\n")
14
+ w.context = context_for(w).join("\n")
15
15
  end
16
16
  end
17
17
 
@@ -86,7 +86,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Table
86
86
 
87
87
  def convert_ignored_warning warning, original
88
88
  warning = convert_warning(warning, original)
89
- warning['File'] = original.relative_path
89
+ warning['File'] = original.file.relative
90
90
  warning['Note'] = CGI.escapeHTML(@ignore_filter.note_for(original) || "")
91
91
  warning
92
92
  end
@@ -113,7 +113,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Table
113
113
  #Generate HTML for warnings, including context show/hidden via Javascript
114
114
  def with_context warning, message
115
115
  @element_id += 1
116
- context = context_for(@app_tree, warning)
116
+ context = context_for(warning)
117
117
  message = html_message(warning, message)
118
118
 
119
119
  code_id = "context#@element_id"
@@ -37,30 +37,7 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
37
37
 
38
38
  def convert_to_hashes warnings
39
39
  warnings.map do |w|
40
- hash = w.to_hash
41
- hash[:render_path] = convert_render_path hash[:render_path]
42
- hash[:file] = warning_file w
43
-
44
- hash
40
+ w.to_hash(absolute_paths: false)
45
41
  end.sort_by { |w| "#{w[:fingerprint]}#{w[:line]}" }
46
42
  end
47
-
48
- def convert_render_path render_path
49
- return unless render_path and not @tracker.options[:absolute_paths]
50
-
51
- render_path.map do |r|
52
- r = r.dup
53
-
54
- if r[:file]
55
- r[:file] = relative_path(r[:file])
56
- end
57
-
58
- if r[:rendered] and r[:rendered][:file]
59
- r[:rendered] = r[:rendered].dup
60
- r[:rendered][:file] = relative_path(r[:rendered][:file])
61
- end
62
-
63
- r
64
- end
65
- end
66
43
  end
@@ -199,10 +199,6 @@ class Brakeman::Report::Table < Brakeman::Report::Base
199
199
  end
200
200
  end
201
201
 
202
- def convert_warning warning, original
203
- warning
204
- end
205
-
206
202
  def convert_ignored_warning warning, original
207
203
  convert_warning warning, original
208
204
  end
@@ -271,4 +267,24 @@ Duration: #{tracker.duration} seconds
271
267
  Checks run: #{checks.checks_run.sort.join(", ")}
272
268
  HEADER
273
269
  end
270
+
271
+ def truncate_table str
272
+ @terminal_width ||= if @tracker.options[:table_width]
273
+ @tracker.options[:table_width]
274
+ elsif $stdin && $stdin.tty?
275
+ Brakeman.load_brakeman_dependency 'highline'
276
+ ::HighLine.default_instance.terminal.terminal_size[0]
277
+ else
278
+ 80
279
+ end
280
+ lines = str.lines
281
+
282
+ lines.map do |line|
283
+ if line.chomp.length > @terminal_width
284
+ line[0..(@terminal_width - 3)] + ">>\n"
285
+ else
286
+ line
287
+ end
288
+ end.join
289
+ end
274
290
  end
@@ -10,7 +10,7 @@ class Brakeman::Report::Tabs < Brakeman::Report::Table
10
10
  self.send(meth).map do |w|
11
11
  line = w.line || 0
12
12
  w.warning_type.gsub!(/[^\w\s]/, ' ')
13
- "#{warning_file(w, :absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
13
+ "#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
14
14
  end.join "\n"
15
15
 
16
16
  end.join "\n"
@@ -19,7 +19,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
19
19
  add_chunk generate_controllers if tracker.options[:debug] or tracker.options[:report_routes]
20
20
  add_chunk generate_templates if tracker.options[:debug]
21
21
  add_chunk generate_obsolete
22
- add_chunk generate_errors
22
+ add_chunk generate_errors
23
23
  add_chunk generate_warnings
24
24
  end
25
25
 
@@ -51,7 +51,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
51
51
 
52
52
  def generate_header
53
53
  [
54
- header("Brakeman Report"),
54
+ header("Brakeman Report"),
55
55
  label("Application Path", tracker.app_path),
56
56
  label("Rails Version", rails_version),
57
57
  label("Brakeman Version", Brakeman::Version),
@@ -92,7 +92,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
92
92
  HighLine.color("No warnings found", :bold, :green)
93
93
  else
94
94
  warnings = tracker.filtered_warnings.sort_by do |w|
95
- [w.confidence, w.warning_type, w.fingerprint]
95
+ [w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
96
96
  end.map do |w|
97
97
  output_warning w
98
98
  end
@@ -140,7 +140,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
140
140
  end
141
141
 
142
142
  double_space "Template Output", template_rows.sort_by { |name, value| name.to_s }.map { |template|
143
- [HighLine.new.color(template.first.to_s << "\n", :cyan)] + template[1]
143
+ [HighLine.new.color("#{template.first}\n", :cyan)] + template[1]
144
144
  }.compact
145
145
  end
146
146
 
@@ -201,8 +201,8 @@ class Brakeman::Report::Text < Brakeman::Report::Base
201
201
 
202
202
  # ONLY used for generate_controllers to avoid duplication
203
203
  def render_array name, cols, values, locals
204
- controllers = values.map do |name, parent, includes, routes|
205
- c = [ label("Controller", name) ]
204
+ controllers = values.map do |controller_name, parent, includes, routes|
205
+ c = [ label("Controller", controller_name) ]
206
206
  c << label("Parent", parent) unless parent.empty?
207
207
  c << label("Includes", includes) unless includes.empty?
208
208
  c << label("Routes", routes)
@@ -211,4 +211,3 @@ class Brakeman::Report::Text < Brakeman::Report::Base
211
211
  double_space "Controller Overview", controllers
212
212
  end
213
213
  end
214
-
@@ -13,7 +13,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
13
13
  def initialize options, processor, changed_files
14
14
  super(options, processor)
15
15
 
16
- @paths = changed_files.map {|f| @app_tree.expand_path(f) }
16
+ @paths = changed_files.map {|f| tracker.app_tree.file_path(f) }
17
17
  @old_results = tracker.filtered_warnings #Old warnings from previous scan
18
18
  @changes = nil #True if files had to be rescanned
19
19
  @reindex = Set.new
@@ -67,7 +67,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
67
67
  def rescan_file path, type = nil
68
68
  type ||= file_type path
69
69
 
70
- unless @app_tree.path_exists?(path)
70
+ unless path.exists?
71
71
  return rescan_deleted_file path, type
72
72
  end
73
73
 
@@ -127,14 +127,14 @@ class Brakeman::Rescanner < Brakeman::Scanner
127
127
  end
128
128
 
129
129
  def rescan_template path
130
- return unless path.match KNOWN_TEMPLATE_EXTENSIONS and @app_tree.path_exists?(path)
130
+ return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS and path.exists?
131
131
 
132
132
  template_name = template_path_to_name(path)
133
133
 
134
134
  tracker.reset_template template_name
135
- fp = Brakeman::FileParser.new(tracker, @app_tree)
135
+ fp = Brakeman::FileParser.new(tracker)
136
136
  template_parser = Brakeman::TemplateParser.new(tracker, fp)
137
- template_parser.parse_template path, @app_tree.read_path(path)
137
+ template_parser.parse_template path, path.read
138
138
  process_template fp.file_list[:templates].first
139
139
 
140
140
  @processor.process_template_alias tracker.templates[template_name]
@@ -226,9 +226,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
226
226
  end
227
227
 
228
228
  def rescan_initializer path
229
+ tracker.reset_initializer path
230
+
229
231
  parse_ruby_files([path]).each do |astfile|
230
232
  process_initializer astfile
231
233
  end
234
+
235
+ @reindex << :initializers
232
236
  end
233
237
 
234
238
  #Handle rescanning when a file is deleted
@@ -256,16 +260,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
256
260
  end
257
261
 
258
262
  def rescan_deleted_template path
259
- return unless path.match KNOWN_TEMPLATE_EXTENSIONS
263
+ return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS
260
264
 
261
265
  template_name = template_path_to_name(path)
262
266
 
263
267
  #Remove template
264
268
  tracker.reset_template template_name
265
269
 
266
- rendered_from_controller = /^#{template_name}\.(.+Controller)#(.+)/
267
- rendered_from_view = /^#{template_name}\.Template:(.+)/
268
-
269
270
  #Remove any rendered versions, or partials rendered from it
270
271
  tracker.templates.delete_if do |_name, template|
271
272
  template.file == path or template.name.to_sym == template_name.to_sym
@@ -371,7 +372,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
371
372
  next unless template.render_path
372
373
 
373
374
  if template.render_path.include_any_method? method_names
374
- name.to_s.match /^([^.]+)/
375
+ name.to_s.match(/^([^.]+)/)
375
376
 
376
377
  original = tracker.templates[$1.to_sym]
377
378
 
@@ -388,8 +389,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
388
389
  end
389
390
 
390
391
  def parse_ruby_files list
391
- paths = list.select { |path| @app_tree.path_exists? path }
392
- file_parser = Brakeman::FileParser.new(tracker, @app_tree)
392
+ paths = list.select(&:exists?)
393
+ file_parser = Brakeman::FileParser.new(tracker)
393
394
  file_parser.parse_files paths, :rescan
394
395
  file_parser.file_list[:rescan]
395
396
  end
@@ -16,7 +16,6 @@ end
16
16
  #Scans the Rails application.
17
17
  class Brakeman::Scanner
18
18
  attr_reader :options
19
- RUBY_1_9 = RUBY_VERSION >= "1.9.0"
20
19
 
21
20
  #Pass in path to the root of the Rails application
22
21
  def initialize options, processor = nil
@@ -66,7 +65,7 @@ class Brakeman::Scanner
66
65
  end
67
66
 
68
67
  def parse_files
69
- fp = Brakeman::FileParser.new tracker, @app_tree
68
+ fp = Brakeman::FileParser.new tracker
70
69
 
71
70
  files = {
72
71
  :initializers => @app_tree.initializer_paths,
@@ -95,7 +94,7 @@ class Brakeman::Scanner
95
94
  #
96
95
  #Stores parsed information in tracker.config
97
96
  def process_config
98
- if options[:rails3] or options[:rails4] or options[:rails5]
97
+ if options[:rails3] or options[:rails4] or options[:rails5] or options[:rails6]
99
98
  process_config_file "application.rb"
100
99
  process_config_file "environments/production.rb"
101
100
  else
@@ -111,14 +110,14 @@ class Brakeman::Scanner
111
110
  end
112
111
 
113
112
  if @app_tree.exists? ".ruby-version"
114
- tracker.config.set_ruby_version @app_tree.read ".ruby-version"
113
+ tracker.config.set_ruby_version @app_tree.file_path(".ruby-version").read
115
114
  end
116
115
  end
117
116
 
118
117
  def process_config_file file
119
- path = "config/#{file}"
118
+ path = @app_tree.file_path("config/#{file}")
120
119
 
121
- if @app_tree.exists?(path)
120
+ if path.exists?
122
121
  @processor.process_config(parse_ruby_file(path), path)
123
122
  end
124
123
 
@@ -132,16 +131,21 @@ class Brakeman::Scanner
132
131
  #Process Gemfile
133
132
  def process_gems
134
133
  gem_files = {}
134
+
135
135
  if @app_tree.exists? "Gemfile"
136
- gem_files[:gemfile] = { :src => parse_ruby_file("Gemfile"), :file => "Gemfile" }
136
+ file = @app_tree.file_path("Gemfile")
137
+ gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
137
138
  elsif @app_tree.exists? "gems.rb"
138
- gem_files[:gemfile] = { :src => parse_ruby_file("gems.rb"), :file => "gems.rb" }
139
+ file = @app_tree.file_path("gems.rb")
140
+ gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
139
141
  end
140
142
 
141
143
  if @app_tree.exists? "Gemfile.lock"
142
- gem_files[:gemlock] = { :src => @app_tree.read("Gemfile.lock"), :file => "Gemfile.lock" }
144
+ file = @app_tree.file_path("Gemfile.lock")
145
+ gem_files[:gemlock] = { :src => file.read, :file => file }
143
146
  elsif @app_tree.exists? "gems.locked"
144
- gem_files[:gemlock] = { :src => @app_tree.read("gems.locked"), :file => "gems.locked" }
147
+ file = @app_tree.file_path("gems.locked")
148
+ gem_files[:gemlock] = { :src => file.read, :file => file }
145
149
  end
146
150
 
147
151
  if @app_tree.gemspec
@@ -215,7 +219,8 @@ class Brakeman::Scanner
215
219
  #Adds parsed information to tracker.routes
216
220
  def process_routes
217
221
  if @app_tree.exists?("config/routes.rb")
218
- if routes_sexp = parse_ruby_file("config/routes.rb")
222
+ file = @app_tree.file_path("config/routes.rb")
223
+ if routes_sexp = parse_ruby_file(file)
219
224
  @processor.process_routes routes_sexp
220
225
  else
221
226
  Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
@@ -316,9 +321,9 @@ class Brakeman::Scanner
316
321
  tracker.index_call_sites
317
322
  end
318
323
 
319
- def parse_ruby_file path
320
- fp = Brakeman::FileParser.new(self.tracker, @app_tree)
321
- fp.parse_ruby(@app_tree.read(path), path)
324
+ def parse_ruby_file file
325
+ fp = Brakeman::FileParser.new(self.tracker)
326
+ fp.parse_ruby(file.read, file)
322
327
  end
323
328
  end
324
329
 
@@ -12,7 +12,7 @@ class Brakeman::Tracker
12
12
  attr_accessor :controllers, :constants, :templates, :models, :errors,
13
13
  :checks, :initializers, :config, :routes, :processor, :libs,
14
14
  :template_cache, :options, :filter_cache, :start_time, :end_time,
15
- :duration, :ignored_filter
15
+ :duration, :ignored_filter, :app_tree
16
16
 
17
17
  #Place holder when there should be a model, but it is not
18
18
  #clear what model it will be.
@@ -34,7 +34,7 @@ class Brakeman::Tracker
34
34
  #we can match models later without knowing precisely what
35
35
  #class they are.
36
36
  @models = {}
37
- @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, nil, nil, self)
37
+ @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, @app_tree.file_path("NOT_REAL.rb"), nil, self)
38
38
  @routes = {}
39
39
  @initializers = {}
40
40
  @errors = []
@@ -71,7 +71,7 @@ class Brakeman::Tracker
71
71
  #Run a set of checks on the current information. Results will be stored
72
72
  #in Tracker#checks.
73
73
  def run_checks
74
- @checks = Brakeman::Checks.run_checks(@app_tree, self)
74
+ @checks = Brakeman::Checks.run_checks(self)
75
75
 
76
76
  @end_time = Time.now
77
77
  @duration = @end_time - @start_time
@@ -172,7 +172,7 @@ class Brakeman::Tracker
172
172
 
173
173
  #Returns a Report with this Tracker's information
174
174
  def report
175
- Brakeman::Report.new(@app_tree, self)
175
+ Brakeman::Report.new(self)
176
176
  end
177
177
 
178
178
  def warnings
@@ -227,6 +227,10 @@ class Brakeman::Tracker
227
227
  finder.process_source template.src, :template => template, :file => template.file
228
228
  end
229
229
 
230
+ self.initializers.each do |file_name, src|
231
+ finder.process_all_source src, :file => file_name
232
+ end
233
+
230
234
  @call_index = Brakeman::CallIndex.new finder.calls
231
235
  end
232
236
 
@@ -237,8 +241,8 @@ class Brakeman::Tracker
237
241
  #
238
242
  #This will limit reindexing to the given sets
239
243
  def reindex_call_sites locations
240
- #If reindexing templates, models, and controllers, just redo
241
- #everything
244
+ #If reindexing templates, models, controllers,
245
+ #just redo everything.
242
246
  if locations.length == 3
243
247
  return index_call_sites
244
248
  end
@@ -260,6 +264,12 @@ class Brakeman::Tracker
260
264
  method_sets << self.controllers
261
265
  end
262
266
 
267
+ if locations.include? :initializers
268
+ self.initializers.each do |file_name, src|
269
+ @call_index.remove_indexes_by_file file_name
270
+ end
271
+ end
272
+
263
273
  @call_index.remove_indexes_by_class classes_to_reindex
264
274
 
265
275
  finder = Brakeman::FindAllCalls.new self
@@ -279,6 +289,12 @@ class Brakeman::Tracker
279
289
  end
280
290
  end
281
291
 
292
+ if locations.include? :initializers
293
+ self.initializers.each do |file_name, src|
294
+ finder.process_all_source src, :file => file_name
295
+ end
296
+ end
297
+
282
298
  @call_index.index_calls finder.calls
283
299
  end
284
300
 
@@ -363,4 +379,12 @@ class Brakeman::Tracker
363
379
  def reset_routes
364
380
  @routes = {}
365
381
  end
382
+
383
+ def reset_initializer path
384
+ @initializers.delete_if do |file, src|
385
+ path.relative.include? file
386
+ end
387
+
388
+ @call_index.remove_indexes_by_file path
389
+ end
366
390
  end
@@ -9,13 +9,14 @@ module Brakeman
9
9
  def initialize name, parent, file_name, src, tracker
10
10
  @name = name
11
11
  @parent = parent
12
- @file_name = file_name
13
- @files = [ file_name ]
14
- @src = { file_name => src }
12
+ @files = []
13
+ @src = {}
15
14
  @includes = []
16
15
  @methods = { :public => {}, :private => {}, :protected => {} }
17
16
  @options = {}
18
17
  @tracker = tracker
18
+
19
+ add_file file_name, src
19
20
  end
20
21
 
21
22
  def ancestor? parent, seen={}