brakeman-lib 4.5.0 → 4.7.1
- checksums.yaml +4 -4
- data/CHANGES.md +164 -108
- data/README.md +6 -7
- data/lib/brakeman.rb +7 -0
- data/lib/brakeman/app_tree.rb +34 -22
- data/lib/brakeman/call_index.rb +54 -15
- data/lib/brakeman/checks.rb +7 -7
- data/lib/brakeman/checks/base_check.rb +59 -56
- data/lib/brakeman/checks/check_cookie_serialization.rb +22 -0
- data/lib/brakeman/checks/check_cross_site_scripting.rb +9 -4
- data/lib/brakeman/checks/check_default_routes.rb +5 -0
- data/lib/brakeman/checks/check_deserialize.rb +49 -0
- data/lib/brakeman/checks/check_dynamic_finders.rb +1 -1
- data/lib/brakeman/checks/check_execute.rb +26 -1
- data/lib/brakeman/checks/check_file_access.rb +7 -1
- data/lib/brakeman/checks/check_force_ssl.rb +27 -0
- data/lib/brakeman/checks/check_header_dos.rb +2 -2
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
- data/lib/brakeman/checks/check_jruby_xml.rb +2 -2
- data/lib/brakeman/checks/check_json_parsing.rb +7 -2
- data/lib/brakeman/checks/check_link_to_href.rb +6 -1
- data/lib/brakeman/checks/check_mail_to.rb +1 -1
- data/lib/brakeman/checks/check_mime_type_dos.rb +2 -2
- data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
- data/lib/brakeman/checks/check_model_attributes.rb +12 -50
- data/lib/brakeman/checks/check_model_serialize.rb +1 -1
- data/lib/brakeman/checks/check_nested_attributes_bypass.rb +4 -4
- data/lib/brakeman/checks/check_reverse_tabnabbing.rb +58 -0
- data/lib/brakeman/checks/check_sanitize_methods.rb +2 -2
- data/lib/brakeman/checks/check_secrets.rb +1 -1
- data/lib/brakeman/checks/check_session_settings.rb +15 -12
- data/lib/brakeman/checks/check_simple_format.rb +5 -0
- data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
- data/lib/brakeman/checks/check_sql.rb +15 -17
- data/lib/brakeman/checks/check_validation_regex.rb +1 -1
- data/lib/brakeman/checks/check_xml_dos.rb +2 -2
- data/lib/brakeman/checks/check_yaml_parsing.rb +10 -18
- data/lib/brakeman/differ.rb +16 -28
- data/lib/brakeman/file_parser.rb +10 -16
- data/lib/brakeman/file_path.rb +85 -0
- data/lib/brakeman/options.rb +7 -0
- data/lib/brakeman/parsers/haml_embedded.rb +1 -1
- data/lib/brakeman/parsers/template_parser.rb +6 -4
- data/lib/brakeman/processor.rb +4 -5
- data/lib/brakeman/processors/alias_processor.rb +27 -7
- data/lib/brakeman/processors/base_processor.rb +10 -7
- data/lib/brakeman/processors/controller_alias_processor.rb +10 -7
- data/lib/brakeman/processors/controller_processor.rb +9 -13
- data/lib/brakeman/processors/gem_processor.rb +10 -2
- data/lib/brakeman/processors/haml_template_processor.rb +92 -123
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +5 -4
- data/lib/brakeman/processors/lib/find_all_calls.rb +27 -4
- data/lib/brakeman/processors/lib/find_call.rb +3 -64
- data/lib/brakeman/processors/lib/module_helper.rb +8 -8
- data/lib/brakeman/processors/lib/processor_helper.rb +3 -3
- data/lib/brakeman/processors/lib/rails2_config_processor.rb +4 -4
- data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -2
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +3 -3
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -2
- data/lib/brakeman/processors/lib/render_helper.rb +2 -2
- data/lib/brakeman/processors/lib/render_path.rb +18 -1
- data/lib/brakeman/processors/library_processor.rb +5 -5
- data/lib/brakeman/processors/model_processor.rb +4 -5
- data/lib/brakeman/processors/output_processor.rb +5 -0
- data/lib/brakeman/processors/template_alias_processor.rb +32 -5
- data/lib/brakeman/processors/template_processor.rb +14 -10
- data/lib/brakeman/report.rb +3 -3
- data/lib/brakeman/report/ignore/config.rb +2 -3
- data/lib/brakeman/report/ignore/interactive.rb +2 -2
- data/lib/brakeman/report/pager.rb +1 -0
- data/lib/brakeman/report/report_base.rb +51 -6
- data/lib/brakeman/report/report_codeclimate.rb +3 -3
- data/lib/brakeman/report/report_hash.rb +1 -1
- data/lib/brakeman/report/report_html.rb +2 -2
- data/lib/brakeman/report/report_json.rb +1 -24
- data/lib/brakeman/report/report_table.rb +20 -4
- data/lib/brakeman/report/report_tabs.rb +1 -1
- data/lib/brakeman/report/report_text.rb +6 -7
- data/lib/brakeman/rescanner.rb +13 -12
- data/lib/brakeman/scanner.rb +19 -14
- data/lib/brakeman/tracker.rb +30 -6
- data/lib/brakeman/tracker/collection.rb +4 -3
- data/lib/brakeman/tracker/config.rb +44 -73
- data/lib/brakeman/tracker/constants.rb +2 -1
- data/lib/brakeman/util.rb +1 -147
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +27 -13
- data/lib/brakeman/warning_codes.rb +4 -0
- data/lib/ruby_parser/bm_sexp.rb +7 -2
- data/lib/ruby_parser/bm_sexp_processor.rb +1 -0
- metadata +27 -22
@@ -70,10 +70,10 @@ class Brakeman::Report::CodeClimate < Brakeman::Report::Base
|
|
70
70
|
end
|
71
71
|
|
72
72
|
def file_path(warning)
|
73
|
-
fp = Pathname.new(warning.relative_path)
|
74
73
|
if tracker.options[:path_prefix]
|
75
|
-
|
74
|
+
(Pathname.new(tracker.options[:path_prefix]) + Pathname.new(warning.file.relative)).to_s
|
75
|
+
else
|
76
|
+
warning.file
|
76
77
|
end
|
77
|
-
fp.to_s
|
78
78
|
end
|
79
79
|
end
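Review bot: `file_path` now returns a String from the `path_prefix` branch but the bare `warning.file` object from the `else` branch, whereas the replaced code always returned `fp.to_s` built from the relative path. Unless that object stringifies to its relative path wherever the Code Climate report serializes it (not visible here), the two branches yield differently typed values for the same field. Returning the relative path in the else branch keeps the previous contract and matches what the prefix branch builds on: `warning.file.relative`.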
|
@@ -86,7 +86,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Table
|
|
86
86
|
|
87
87
|
def convert_ignored_warning warning, original
|
88
88
|
warning = convert_warning(warning, original)
|
89
|
-
warning['File'] = original.
|
89
|
+
warning['File'] = original.file.relative
|
90
90
|
warning['Note'] = CGI.escapeHTML(@ignore_filter.note_for(original) || "")
|
91
91
|
warning
|
92
92
|
end
|
@@ -113,7 +113,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Table
|
|
113
113
|
#Generate HTML for warnings, including context show/hidden via Javascript
|
114
114
|
def with_context warning, message
|
115
115
|
@element_id += 1
|
116
|
-
context = context_for(
|
116
|
+
context = context_for(warning)
|
117
117
|
message = html_message(warning, message)
|
118
118
|
|
119
119
|
code_id = "context#@element_id"
|
@@ -37,30 +37,7 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
|
|
37
37
|
|
38
38
|
def convert_to_hashes warnings
|
39
39
|
warnings.map do |w|
|
40
|
-
|
41
|
-
hash[:render_path] = convert_render_path hash[:render_path]
|
42
|
-
hash[:file] = warning_file w
|
43
|
-
|
44
|
-
hash
|
40
|
+
w.to_hash(absolute_paths: false)
|
45
41
|
end.sort_by { |w| "#{w[:fingerprint]}#{w[:line]}" }
|
46
42
|
end
|
47
|
-
|
48
|
-
def convert_render_path render_path
|
49
|
-
return unless render_path and not @tracker.options[:absolute_paths]
|
50
|
-
|
51
|
-
render_path.map do |r|
|
52
|
-
r = r.dup
|
53
|
-
|
54
|
-
if r[:file]
|
55
|
-
r[:file] = relative_path(r[:file])
|
56
|
-
end
|
57
|
-
|
58
|
-
if r[:rendered] and r[:rendered][:file]
|
59
|
-
r[:rendered] = r[:rendered].dup
|
60
|
-
r[:rendered][:file] = relative_path(r[:rendered][:file])
|
61
|
-
end
|
62
|
-
|
63
|
-
r
|
64
|
-
end
|
65
|
-
end
|
66
43
|
end
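Review bot: `w.to_hash(absolute_paths: false)` hard-codes relative paths, while the deleted `convert_render_path` consulted `@tracker.options[:absolute_paths]` before relativizing render paths. Unless `to_hash` reads the tracker option itself (its implementation is not in this hunk), the `:absolute_paths` option no longer affects the file and render_path fields of the JSON report. Passing the option through preserves the earlier behaviour: `w.to_hash(absolute_paths: @tracker.options[:absolute_paths])`.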
|
@@ -199,10 +199,6 @@ class Brakeman::Report::Table < Brakeman::Report::Base
|
|
199
199
|
end
|
200
200
|
end
|
201
201
|
|
202
|
-
def convert_warning warning, original
|
203
|
-
warning
|
204
|
-
end
|
205
|
-
|
206
202
|
def convert_ignored_warning warning, original
|
207
203
|
convert_warning warning, original
|
208
204
|
end
|
@@ -271,4 +267,24 @@ Duration: #{tracker.duration} seconds
|
|
271
267
|
Checks run: #{checks.checks_run.sort.join(", ")}
|
272
268
|
HEADER
|
273
269
|
end
|
270
|
+
|
271
|
+
def truncate_table str
|
272
|
+
@terminal_width ||= if @tracker.options[:table_width]
|
273
|
+
@tracker.options[:table_width]
|
274
|
+
elsif $stdin && $stdin.tty?
|
275
|
+
Brakeman.load_brakeman_dependency 'highline'
|
276
|
+
::HighLine.default_instance.terminal.terminal_size[0]
|
277
|
+
else
|
278
|
+
80
|
279
|
+
end
|
280
|
+
lines = str.lines
|
281
|
+
|
282
|
+
lines.map do |line|
|
283
|
+
if line.chomp.length > @terminal_width
|
284
|
+
line[0..(@terminal_width - 3)] + ">>\n"
|
285
|
+
else
|
286
|
+
line
|
287
|
+
end
|
288
|
+
end.join
|
289
|
+
end
|
274
290
|
end
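Review bot: `truncate_table` memoizes `@terminal_width` from `terminal_size[0]`, and if that lookup yields nil (no usable terminal) the comparison `line.chomp.length > @terminal_width` raises ArgumentError, while the `||=` re-runs the HighLine lookup on every call. A fallback on that branch keeps the method total: `::HighLine.default_instance.terminal.terminal_size[0] || 80`. A `table_width` below 3 also turns `line[0..(@terminal_width - 3)]` into a negative range that returns the whole line plus `>>`, so clamping the option (`.clamp(3, Float::INFINITY)` or a documented minimum) would make that edge explicit.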
|
@@ -10,7 +10,7 @@ class Brakeman::Report::Tabs < Brakeman::Report::Table
|
|
10
10
|
self.send(meth).map do |w|
|
11
11
|
line = w.line || 0
|
12
12
|
w.warning_type.gsub!(/[^\w\s]/, ' ')
|
13
|
-
"#{
|
13
|
+
"#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
|
14
14
|
end.join "\n"
|
15
15
|
|
16
16
|
end.join "\n"
|
@@ -19,7 +19,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
|
|
19
19
|
add_chunk generate_controllers if tracker.options[:debug] or tracker.options[:report_routes]
|
20
20
|
add_chunk generate_templates if tracker.options[:debug]
|
21
21
|
add_chunk generate_obsolete
|
22
|
-
add_chunk generate_errors
|
22
|
+
add_chunk generate_errors
|
23
23
|
add_chunk generate_warnings
|
24
24
|
end
|
25
25
|
|
@@ -51,7 +51,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
|
|
51
51
|
|
52
52
|
def generate_header
|
53
53
|
[
|
54
|
-
header("Brakeman Report"),
|
54
|
+
header("Brakeman Report"),
|
55
55
|
label("Application Path", tracker.app_path),
|
56
56
|
label("Rails Version", rails_version),
|
57
57
|
label("Brakeman Version", Brakeman::Version),
|
@@ -92,7 +92,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
|
|
92
92
|
HighLine.color("No warnings found", :bold, :green)
|
93
93
|
else
|
94
94
|
warnings = tracker.filtered_warnings.sort_by do |w|
|
95
|
-
[w.confidence, w.warning_type, w.fingerprint]
|
95
|
+
[w.confidence, w.warning_type, w.file, w.line, w.fingerprint]
|
96
96
|
end.map do |w|
|
97
97
|
output_warning w
|
98
98
|
end
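Review bot: the new sort key `[w.confidence, w.warning_type, w.file, w.line, w.fingerprint]` compares `w.file` objects and raw `w.line` values, and `Array#<=>` returns nil when an element pair has no ordering, at which point `sort_by` raises ArgumentError. The Tabs report on this same page defaults the line with `w.line || 0`, so `line` can be nil, and whether the file object defines `<=>` is not visible here. Sorting on plain values avoids both cases: `[w.confidence, w.warning_type, w.file.relative, w.line || 0, w.fingerprint]`. The enclosing method starts and ends outside the hunk.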
|
@@ -140,7 +140,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
|
|
140
140
|
end
|
141
141
|
|
142
142
|
double_space "Template Output", template_rows.sort_by { |name, value| name.to_s }.map { |template|
|
143
|
-
[HighLine.new.color(template.first
|
143
|
+
[HighLine.new.color("#{template.first}\n", :cyan)] + template[1]
|
144
144
|
}.compact
|
145
145
|
end
|
146
146
|
|
@@ -201,8 +201,8 @@ class Brakeman::Report::Text < Brakeman::Report::Base
|
|
201
201
|
|
202
202
|
# ONLY used for generate_controllers to avoid duplication
|
203
203
|
def render_array name, cols, values, locals
|
204
|
-
controllers = values.map do |
|
205
|
-
c = [ label("Controller",
|
204
|
+
controllers = values.map do |controller_name, parent, includes, routes|
|
205
|
+
c = [ label("Controller", controller_name) ]
|
206
206
|
c << label("Parent", parent) unless parent.empty?
|
207
207
|
c << label("Includes", includes) unless includes.empty?
|
208
208
|
c << label("Routes", routes)
|
@@ -211,4 +211,3 @@ class Brakeman::Report::Text < Brakeman::Report::Base
|
|
211
211
|
double_space "Controller Overview", controllers
|
212
212
|
end
|
213
213
|
end
|
214
|
-
|
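--- a/data/lib/brakeman/rescanner.rb
+++ b/data/lib/brakeman/rescanner.rb
@@ -13,7 +13,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 def initialize options, processor, changed_files
 super(options, processor)
 
-@paths = changed_files.map {|f|
+@paths = changed_files.map {|f| tracker.app_tree.file_path(f) }
 @old_results = tracker.filtered_warnings #Old warnings from previous scan
 @changes = nil #True if files had to be rescanned
 @reindex = Set.new
@@ -67,7 +67,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 def rescan_file path, type = nil
 type ||= file_type path
 
-unless
+unless path.exists?
 return rescan_deleted_file path, type
 end
 
@@ -127,14 +127,14 @@ class Brakeman::Rescanner < Brakeman::Scanner
 end
 
 def rescan_template path
-return unless path.match KNOWN_TEMPLATE_EXTENSIONS and
+return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS and path.exists?
 
 template_name = template_path_to_name(path)
 
 tracker.reset_template template_name
-fp = Brakeman::FileParser.new(tracker
+fp = Brakeman::FileParser.new(tracker)
 template_parser = Brakeman::TemplateParser.new(tracker, fp)
-template_parser.parse_template path,
+template_parser.parse_template path, path.read
 process_template fp.file_list[:templates].first
 
 @processor.process_template_alias tracker.templates[template_name]
@@ -226,9 +226,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
 end
 
 def rescan_initializer path
+tracker.reset_initializer path
+
 parse_ruby_files([path]).each do |astfile|
 process_initializer astfile
 end
+
+@reindex << :initializers
 end
 
 #Handle rescanning when a file is deleted
@@ -256,16 +260,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
 end
 
 def rescan_deleted_template path
-return unless path.match KNOWN_TEMPLATE_EXTENSIONS
+return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS
 
 template_name = template_path_to_name(path)
 
 #Remove template
 tracker.reset_template template_name
 
-rendered_from_controller = /^#{template_name}\.(.+Controller)#(.+)/
-rendered_from_view = /^#{template_name}\.Template:(.+)/
-
 #Remove any rendered versions, or partials rendered from it
 tracker.templates.delete_if do |_name, template|
 template.file == path or template.name.to_sym == template_name.to_sym
@@ -371,7 +372,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 next unless template.render_path
 
 if template.render_path.include_any_method? method_names
-name.to_s.match
+name.to_s.match(/^([^.]+)/)
 
 original = tracker.templates[$1.to_sym]
 
@@ -388,8 +389,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
 end
 
 def parse_ruby_files list
-paths = list.select
-file_parser = Brakeman::FileParser.new(tracker
+paths = list.select(&:exists?)
+file_parser = Brakeman::FileParser.new(tracker)
 file_parser.parse_files paths, :rescan
 file_parser.file_list[:rescan]
 end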
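--- a/data/lib/brakeman/scanner.rb
+++ b/data/lib/brakeman/scanner.rb
@@ -16,7 +16,6 @@ end
 #Scans the Rails application.
 class Brakeman::Scanner
 attr_reader :options
-RUBY_1_9 = RUBY_VERSION >= "1.9.0"
 
 #Pass in path to the root of the Rails application
 def initialize options, processor = nil
@@ -66,7 +65,7 @@ class Brakeman::Scanner
 end
 
 def parse_files
-fp = Brakeman::FileParser.new tracker
+fp = Brakeman::FileParser.new tracker
 
 files = {
 :initializers => @app_tree.initializer_paths,
@@ -95,7 +94,7 @@ class Brakeman::Scanner
 #
 #Stores parsed information in tracker.config
 def process_config
-if options[:rails3] or options[:rails4] or options[:rails5]
+if options[:rails3] or options[:rails4] or options[:rails5] or options[:rails6]
 process_config_file "application.rb"
 process_config_file "environments/production.rb"
 else
@@ -111,14 +110,14 @@ class Brakeman::Scanner
 end
 
 if @app_tree.exists? ".ruby-version"
-tracker.config.set_ruby_version @app_tree.
+tracker.config.set_ruby_version @app_tree.file_path(".ruby-version").read
 end
 end
 
 def process_config_file file
-path = "config/#{file}"
+path = @app_tree.file_path("config/#{file}")
 
-if
+if path.exists?
 @processor.process_config(parse_ruby_file(path), path)
 end
 
@@ -132,16 +131,21 @@ class Brakeman::Scanner
 #Process Gemfile
 def process_gems
 gem_files = {}
+
 if @app_tree.exists? "Gemfile"
-
+file = @app_tree.file_path("Gemfile")
+gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
 elsif @app_tree.exists? "gems.rb"
-
+file = @app_tree.file_path("gems.rb")
+gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
 end
 
 if @app_tree.exists? "Gemfile.lock"
-
+file = @app_tree.file_path("Gemfile.lock")
+gem_files[:gemlock] = { :src => file.read, :file => file }
 elsif @app_tree.exists? "gems.locked"
-
+file = @app_tree.file_path("gems.locked")
+gem_files[:gemlock] = { :src => file.read, :file => file }
 end
 
 if @app_tree.gemspec
@@ -215,7 +219,8 @@ class Brakeman::Scanner
 #Adds parsed information to tracker.routes
 def process_routes
 if @app_tree.exists?("config/routes.rb")
-
+file = @app_tree.file_path("config/routes.rb")
+if routes_sexp = parse_ruby_file(file)
 @processor.process_routes routes_sexp
 else
 Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
@@ -316,9 +321,9 @@ class Brakeman::Scanner
 tracker.index_call_sites
 end
 
-def parse_ruby_file
-fp = Brakeman::FileParser.new(self.tracker
-fp.parse_ruby(
+def parse_ruby_file file
+fp = Brakeman::FileParser.new(self.tracker)
+fp.parse_ruby(file.read, file)
 end
 end
 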
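Review bot: `process_gems` now repeats the same two lines for each of the four candidate files (Gemfile/gems.rb and Gemfile.lock/gems.locked), differing only in the file name and in whether the source is parsed or read. Picking the first existing name of each pair keeps a single copy of each assignment and makes adding another alias a one-token change. `process_gems` continues past the hunk; the `@app_tree.gemspec` branch is its last visible line.
```ruby
def process_gems
  gem_files = {}

  if (name = %w[Gemfile gems.rb].find { |candidate| @app_tree.exists? candidate })
    file = @app_tree.file_path(name)
    gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
  end

  if (name = %w[Gemfile.lock gems.locked].find { |candidate| @app_tree.exists? candidate })
    file = @app_tree.file_path(name)
    gem_files[:gemlock] = { :src => file.read, :file => file }
  end

  # … unchanged: gemspec handling and the rest of process_gems …
```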
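--- a/data/lib/brakeman/tracker.rb
+++ b/data/lib/brakeman/tracker.rb
@@ -12,7 +12,7 @@ class Brakeman::Tracker
 attr_accessor :controllers, :constants, :templates, :models, :errors,
 :checks, :initializers, :config, :routes, :processor, :libs,
 :template_cache, :options, :filter_cache, :start_time, :end_time,
-:duration, :ignored_filter
+:duration, :ignored_filter, :app_tree
 
 #Place holder when there should be a model, but it is not
 #clear what model it will be.
@@ -34,7 +34,7 @@ class Brakeman::Tracker
 #we can match models later without knowing precisely what
 #class they are.
 @models = {}
-@models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil,
+@models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, @app_tree.file_path("NOT_REAL.rb"), nil, self)
 @routes = {}
 @initializers = {}
 @errors = []
@@ -71,7 +71,7 @@ class Brakeman::Tracker
 #Run a set of checks on the current information. Results will be stored
 #in Tracker#checks.
 def run_checks
-@checks = Brakeman::Checks.run_checks(
+@checks = Brakeman::Checks.run_checks(self)
 
 @end_time = Time.now
 @duration = @end_time - @start_time
@@ -172,7 +172,7 @@ class Brakeman::Tracker
 
 #Returns a Report with this Tracker's information
 def report
-Brakeman::Report.new(
+Brakeman::Report.new(self)
 end
 
 def warnings
@@ -227,6 +227,10 @@ class Brakeman::Tracker
 finder.process_source template.src, :template => template, :file => template.file
 end
 
+self.initializers.each do |file_name, src|
+finder.process_all_source src, :file => file_name
+end
+
 @call_index = Brakeman::CallIndex.new finder.calls
 end
 
@@ -237,8 +241,8 @@ class Brakeman::Tracker
 #
 #This will limit reindexing to the given sets
 def reindex_call_sites locations
-#If reindexing templates, models,
-#everything
+#If reindexing templates, models, controllers,
+#just redo everything.
 if locations.length == 3
 return index_call_sites
 end
@@ -260,6 +264,12 @@ class Brakeman::Tracker
 method_sets << self.controllers
 end
 
+if locations.include? :initializers
+self.initializers.each do |file_name, src|
+@call_index.remove_indexes_by_file file_name
+end
+end
+
 @call_index.remove_indexes_by_class classes_to_reindex
 
 finder = Brakeman::FindAllCalls.new self
@@ -279,6 +289,12 @@ class Brakeman::Tracker
 end
 end
 
+if locations.include? :initializers
+self.initializers.each do |file_name, src|
+finder.process_all_source src, :file => file_name
+end
+end
+
 @call_index.index_calls finder.calls
 end
 
@@ -363,4 +379,12 @@ class Brakeman::Tracker
 def reset_routes
 @routes = {}
 end
+
+def reset_initializer path
+@initializers.delete_if do |file, src|
+path.relative.include? file
+end
+
+@call_index.remove_indexes_by_file path
+end
 end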
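Review bot: `reset_initializer` drops initializer entries with `path.relative.include? file`, a substring test, so a key that is a suffix of another (a constructed example: `a.rb` inside `data.rb`) would also be removed when the longer file is rescanned, leaving its source out of `@initializers` until a full scan. An exact comparison in whatever form the keys are stored is safer, e.g. `path.relative == file`, once the key format is confirmed (it is not visible in this section). The same method passes the path object to `@call_index.remove_indexes_by_file`, while the new block in `reindex_call_sites` passes the hash key `file_name`; unless CallIndex normalizes both forms, one of the two calls will not find the indexes it is meant to remove and stale call sites survive the rescan.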
@@ -9,13 +9,14 @@ module Brakeman
|
|
9
9
|
def initialize name, parent, file_name, src, tracker
|
10
10
|
@name = name
|
11
11
|
@parent = parent
|
12
|
-
@
|
13
|
-
@
|
14
|
-
@src = { file_name => src }
|
12
|
+
@files = []
|
13
|
+
@src = {}
|
15
14
|
@includes = []
|
16
15
|
@methods = { :public => {}, :private => {}, :protected => {} }
|
17
16
|
@options = {}
|
18
17
|
@tracker = tracker
|
18
|
+
|
19
|
+
add_file file_name, src
|
19
20
|
end
|
20
21
|
|
21
22
|
def ancestor? parent, seen={}
|