brakeman-lib 6.2.2 → 7.0.0

data/lib/brakeman/rescanner.rb

@@ -6,15 +6,15 @@ require 'brakeman/differ'
 class Brakeman::Rescanner < Brakeman::Scanner
  include Brakeman::Util
   KNOWN_TEMPLATE_EXTENSIONS = Brakeman::TemplateParser::KNOWN_TEMPLATE_EXTENSIONS
-  SCAN_ORDER = [:gemfile, :config, :initializer, :lib, :routes, :template,
-    :model, :controller]
 
   #Create new Rescanner to scan changed files
   def initialize options, processor, changed_files
-    super(options, processor)
+    super(options)
+
+    @old_tracker = processor.tracked_events
 
     @paths = changed_files.map {|f| tracker.app_tree.file_path(f) }
-    @old_results = tracker.filtered_warnings  #Old warnings from previous scan
+    @old_results = @old_tracker.filtered_warnings.dup  #Old warnings from previous scan
     @changes = nil                 #True if files had to be rescanned
     @reindex = Set.new
   end
@@ -24,379 +24,55 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def recheck
     rescan if @changes.nil?
 
-    tracker.run_checks if @changes
-
-    Brakeman::RescanReport.new @old_results, tracker
+    if @changes
+      tracker.run_checks
+      Brakeman.filter_warnings(tracker, options) # Actually sets ignored_filter
+      Brakeman::RescanReport.new @old_results, tracker
+    else
+      # No changes, fake no new results
+      Brakeman::RescanReport.new @old_results, @old_tracker
+    end
   end
 
   #Rescans changed files
   def rescan
-    tracker.template_cache.clear
+    raise "Cannot rescan: set `support_rescanning: true`" unless @old_tracker.options[:support_rescanning]
 
-    paths_by_type = {}
+    tracker.file_cache = @old_tracker.pristine_file_cache
 
-    SCAN_ORDER.each do |type|
-      paths_by_type[type] = []
-    end
+    template_paths = []
+    ruby_paths = []
 
+    # Remove changed files from the cache.
+    # Collect files to re-parse.
     @paths.each do |path|
-      type = file_type(path)
-      paths_by_type[type] << path unless type == :unknown
-    end
-
-    @changes = false
-
-    SCAN_ORDER.each do |type|
-      paths_by_type[type].each do |path|
-        Brakeman.debug "Rescanning #{path} as #{type}"
-
-        if rescan_file path, type
-          @changes = true
-        end
-      end
-    end
-
-    if @changes and not @reindex.empty?
-      tracker.reindex_call_sites @reindex
-    end
-
-    self
-  end
-
-  #Rescans a single file
-  def rescan_file path, type = nil
-    type ||= file_type path
-
-    unless path.exists?
-      return rescan_deleted_file path, type
-    end
-
-    case type
-    when :controller
-      rescan_controller path
-    when :template
-      rescan_template path
-    when :model
-      rescan_model path
-    when :lib
-      rescan_lib path
-    when :config
-      process_config
-    when :initializer
-      rescan_initializer path
-    when :routes
-      rescan_routes
-    when :gemfile
-      if tracker.config.has_gem? :rails_xss and tracker.config.escape_html?
-        tracker.config.escape_html = false
-      end
-
-      process_gems
-    else
-      return false #Nothing to do, file hopefully does not need to be rescanned
-    end
-
-    true
-  end
-
-  def rescan_controller path
-    controller = tracker.reset_controller path
-    paths = controller.nil? ? [path] : controller.files
-    parse_ruby_files(paths).each do |astfile|
-      process_controller astfile
-    end
-
-    #Process data flow and template rendering
-    #from the controller
-    tracker.controllers.each do |name, controller|
-      if controller.files.include?(path)
-        tracker.templates.each do |template_name, template|
-          next unless template.render_path
-          if template.render_path.include_controller? name
-            tracker.reset_template template_name
-          end
-        end
-
-        controller.src.each do |file, src|
-          @processor.process_controller_alias controller.name, src, nil, file
-        end
-      end
-    end
-
-    @reindex << :templates << :controllers
-  end
-
-  def rescan_template path
-    return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS and path.exists?
-
-    template_name = template_path_to_name(path)
-
-    tracker.reset_template template_name
-    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
-    template_parser = Brakeman::TemplateParser.new(tracker, fp)
-    template_parser.parse_template path, path.read
-    tracker.add_errors(fp.errors)
-    process_template fp.file_list.first
-
-    @processor.process_template_alias tracker.templates[template_name]
-
-    rescan = Set.new
+      file_cache.delete path
 
-    #Search for processed template and process it.
-    #Search for rendered versions of template and re-render (if necessary)
-    tracker.templates.each do |_name, template|
-      if template.file == path or template.file.nil?
-        next unless template.render_path and template.name.to_sym == template_name.to_sym
-
-        template.render_path.each do |from|
-          case from[:type]
-          when :template
-            rescan << [:template, from[:name]]
-          when :controller
-            rescan << [:controller, from[:class], from[:method]]
-          end
-        end
-      end
-    end
-
-    rescan.each do |r|
-      if r[0] == :controller
-        controller = tracker.controllers[r[1]]
-
-        controller.src.each do |file, src|
-          unless @paths.include? file
-            @processor.process_controller_alias controller.name, src, r[2], file
-          end
+      if path.exists?
+        if path.relative.match? KNOWN_TEMPLATE_EXTENSIONS
+          template_paths << path
+        elsif path.relative.end_with? '.rb'
+          ruby_paths << path
         end
-      elsif r[0] == :template
-        template = tracker.templates[r[1]]
-
-        rescan_template template.file
       end
     end
 
-    @reindex << :templates
-  end
-
-  def rescan_model path
-    num_models = tracker.models.length
-    model = tracker.reset_model path
-    paths = model.nil? ? [path] : model.files
-    parse_ruby_files(paths).each do |astfile|
-      process_model astfile.path, astfile.ast
-    end
-
-    #Only need to rescan other things if a model is added or removed
-    if num_models != tracker.models.length
-      process_template_data_flows
-      process_controller_data_flows
-      @reindex << :templates << :controllers
-    end
-
-    @reindex << :models
-  end
-
-  def rescan_lib path
-    lib = tracker.reset_lib path
-    paths = lib.nil? ? [path] : lib.files
-    parse_ruby_files(paths).each do |astfile|
-      process_lib astfile
-    end
-
-    lib = nil
-
-    tracker.libs.each do |_name, library|
-      if library.files.include?(path)
-        lib = library
-        break
-      end
-    end
-
-    rescan_mixin lib if lib
-  end
-
-  def rescan_routes
-    # Routes affect which controller methods are treated as actions
-    # which affects which templates are rendered, so routes, controllers,
-    # and templates rendered from controllers must be rescanned
-    tracker.reset_routes
-    tracker.reset_templates :only_rendered => true
-    process_routes
-    process_controller_data_flows
-    @reindex << :controllers << :templates
-  end
-
-  def rescan_initializer path
-    tracker.reset_initializer path
-
-    parse_ruby_files([path]).each do |astfile|
-      process_initializer astfile
-    end
-
-    @reindex << :initializers
-  end
-
-  #Handle rescanning when a file is deleted
-  def rescan_deleted_file path, type
-    case type
-    when :controller
-      rescan_controller path
-    when :template
-      rescan_deleted_template path
-    when :model
-      rescan_model path
-    when :lib
-      rescan_deleted_lib path
-    when :initializer
-      rescan_deleted_initializer path
+    # Try to skip rescanning files that do not impact
+    # Brakeman results
+    if @paths.all? { |path| ignorable? path }
+      @changes = false
     else
-      if remove_deleted_file path
-        return true
-      else
-        Brakeman.notify "Ignoring deleted file: #{path}"
-      end
+      @changes = true
+      process(ruby_paths:, template_paths:)
     end
 
-    true
-  end
-
-  def rescan_deleted_template path
-    return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS
-
-    template_name = template_path_to_name(path)
-
-    #Remove template
-    tracker.reset_template template_name
-
-    #Remove any rendered versions, or partials rendered from it
-    tracker.templates.delete_if do |_name, template|
-      template.file == path or template.name.to_sym == template_name.to_sym
-    end
-  end
-
-  def rescan_deleted_lib path
-    deleted_lib = nil
-
-    tracker.libs.delete_if do |_name, lib|
-      if lib.files.include?(path)
-        deleted_lib = lib
-        true
-      end
-    end
-
-    rescan_mixin deleted_lib if deleted_lib
-  end
-
-  def rescan_deleted_initializer path
-    tracker.initializers.delete Pathname.new(path).basename.to_s
-  end
-
-  #Check controllers, templates, models and libs for data from file
-  #and delete it.
-  def remove_deleted_file path
-    deleted = false
-
-    [:controllers, :models, :libs].each do |collection|
-      tracker.send(collection).delete_if do |_name, data|
-        if data.files.include?(path)
-          deleted = true
-          true
-        end
-      end
-    end
-
-    tracker.templates.delete_if do |_name, data|
-      if data.file == path
-        deleted = true
-        true
-      end
-    end
-
-    deleted
-  end
-
-  #Guess at what kind of file the path contains
-  def file_type path
-    case path
-    when /\/app\/controllers/
-      :controller
-    when /\/app\/views/
-      :template
-    when /\/app\/models/
-      :model
-    when /\/lib/
-      :lib
-    when /\/config\/initializers/
-      :initializer
-    when /config\/routes\.rb/
-      :routes
-    when /\/config\/.+\.(rb|yml)/
-      :config
-    when /\.ruby-version/
-      :config
-    when /Gemfile|gems\./
-      :gemfile
-    else
-      :unknown
-    end
+    self
   end
 
-  def rescan_mixin lib
-    method_names = []
-
-    lib.each_method do |name, _meth|
-      method_names << name
-    end
+  IGNORE_PATTERN = /\.(md|txt|js|ts|tsx|json|scss|css|xml|ru|png|jpg|pdf|gif|svg|webm|ttf|sql)$/
 
-    to_rescan = []
-
-    #Rescan controllers that mixed in library
-    tracker.controllers.each do |_name, controller|
-      if controller.includes.include? lib.name
-        controller.files.each do |path|
-          unless @paths.include? path
-            to_rescan << path
-          end
-        end
-      end
-    end
-
-    to_rescan.each do |controller|
-      tracker.reset_controller controller
-      rescan_file controller
-    end
-
-    to_rescan = []
-
-    #Check if a method from this mixin was used to render a template.
-    #This is not precise, because a different controller might have the
-    #same method...
-    tracker.templates.each do |name, template|
-      next unless template.render_path
-
-      if template.render_path.include_any_method? method_names
-        name.to_s.match(/^([^.]+)/)
-
-        original = tracker.templates[$1.to_sym]
-
-        if original
-          to_rescan << [name, original.file]
-        end
-      end
-    end
-
-    to_rescan.each do |template|
-      tracker.reset_template template[0]
-      rescan_file template[1]
-    end
-  end
-
-  def parse_ruby_files list
-    paths = list.select(&:exists?)
-    file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks])
-    file_parser.parse_files paths
-    tracker.add_errors(file_parser.errors)
-    file_parser.file_list
+  def ignorable? path
+    path.relative.match? IGNORE_PATTERN
   end
 end
 
@@ -452,37 +128,11 @@ class Brakeman::RescanReport
   end
 
   #Output total, fixed, and new warnings
-  def to_s(verbose = false)
-    Brakeman.load_brakeman_dependency 'terminal-table'
-
-    if !verbose
-      <<-OUTPUT
-Total warnings: #{all_warnings.length}
-Fixed warnings: #{fixed_warnings.length}
-New warnings: #{new_warnings.length}
-      OUTPUT
-    else
-      #Eventually move this to different method, or make default to_s
-      out = ""
-
-      {:fixed => fixed_warnings, :new => new_warnings, :existing => existing_warnings}.each do |warning_type, warnings|
-        if warnings.length > 0
-          out << "#{warning_type.to_s.titleize} warnings: #{warnings.length}\n"
-
-          table = Terminal::Table.new(:headings => ["Confidence", "Class", "Method", "Warning Type", "Message"]) do |t|
-            warnings.sort_by { |w| w.confidence}.each do |warning|
-              w = warning.to_row
-
-              w["Confidence"] = Brakeman::Report::TEXT_CONFIDENCE[w["Confidence"]]
-
-              t << [w["Confidence"], w["Class"], w["Method"], w["Warning Type"], w["Message"]]
-            end
-          end
-          out << truncate_table(table.to_s)
-        end
-      end
-
-      out
-    end
+  def to_s
+    <<~OUTPUT
+      Total warnings: #{all_warnings.length}
+      Fixed warnings: #{fixed_warnings.length}
+      New warnings: #{new_warnings.length}
+    OUTPUT
   end
 end

data/lib/brakeman/scanner.rb

@@ -7,6 +7,7 @@ begin
   require 'brakeman/file_parser'
   require 'brakeman/parsers/template_parser'
   require 'brakeman/processors/lib/file_type_detector'
+  require 'brakeman/tracker/file_cache'
 rescue LoadError => e
   $stderr.puts e.message
   $stderr.puts "Please install the appropriate dependency."
@@ -38,6 +39,10 @@ class Brakeman::Scanner
     @processor.tracked_events
   end
 
+  def file_cache
+    tracker.file_cache
+  end
+
   def process_step description
     Brakeman.notify "#{description}...".ljust(40)
 
@@ -67,7 +72,7 @@ class Brakeman::Scanner
   end
 
   #Process everything in the Rails application
-  def process
+  def process(ruby_paths: nil, template_paths: nil)
     process_step 'Processing gems' do
       process_gems
     end
@@ -77,14 +82,30 @@ class Brakeman::Scanner
       process_config
     end
 
+    # -
+    # If ruby_paths or template_paths are set,
+    # only parse those files. The rest will be fetched
+    # from the file cache.
+    #
+    # Otherwise, parse everything normally.
+    #
+    astfiles = nil
+    process_step 'Finding files' do
+      ruby_paths ||= tracker.app_tree.ruby_file_paths
+      template_paths ||= tracker.app_tree.template_paths
+    end
+
     process_step 'Parsing files' do
-      parse_files
+      astfiles = parse_files(ruby_paths: ruby_paths, template_paths: template_paths)
     end
 
     process_step 'Detecting file types' do
-      detect_file_types
+      detect_file_types(astfiles)
     end
 
+    tracker.save_file_cache! if support_rescanning?
+    # -
+
     process_step 'Processing initializers' do
       process_initializers
     end
@@ -124,44 +145,37 @@ class Brakeman::Scanner
     tracker
   end
 
-  def parse_files
+  def parse_files(ruby_paths:, template_paths:)
     fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout], tracker.options[:parallel_checks], tracker.options[:use_prism])
 
-    fp.parse_files tracker.app_tree.ruby_file_paths
+    fp.parse_files ruby_paths
 
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
 
-    fp.read_files(@app_tree.template_paths) do |path, contents|
-      template_parser.parse_template path, contents
+    fp.read_files(template_paths) do |path, contents|
+      template_parser.parse_template(path, contents)
     end
 
     # Collect errors raised during parsing
     tracker.add_errors(fp.errors)
 
-    @parsed_files = fp.file_list
+    fp.file_list
   end
 
-  def detect_file_types
-    @file_list = {
-      controllers: [],
-      initializers: [],
-      libs: [],
-      models: [],
-      templates: [],
-    }
-
+  def detect_file_types(astfiles)
     detector = Brakeman::FileTypeDetector.new
 
-    @parsed_files.each do |file|
+    astfiles.each do |file|
       if file.is_a? Brakeman::TemplateParser::TemplateFile
-        @file_list[:templates] << file
+        file_cache.add_file file, :template
       else
         type = detector.detect_type(file)
+
         unless type == :skip
-          if @file_list[type].nil?
-            raise type.to_s
+          if file_cache.valid_type? type
+            file_cache.add_file(file, type)
           else
-            @file_list[type] << file
+            raise "Unexpected file type: #{type.inspect}"
           end
         end
       end
@@ -268,8 +282,8 @@ class Brakeman::Scanner
   #
   #Adds parsed information to tracker.initializers
   def process_initializers
-    track_progress @file_list[:initializers] do |init|
-      process_step_file init[:path] do
+    track_progress file_cache.initializers do |path, init|
+      process_step_file path do
         process_initializer init
       end
     end
@@ -289,8 +303,10 @@ class Brakeman::Scanner
       return
     end
 
-    track_progress @file_list[:libs] do |lib|
-      process_step_file lib.path do
+    libs = file_cache.libs.sort_by { |path, _| path }
+
+    track_progress libs do |path, lib|
+      process_step_file path do
         process_lib lib
       end
     end
@@ -322,15 +338,17 @@ class Brakeman::Scanner
   #
   #Adds processed controllers to tracker.controllers
   def process_controllers
-    track_progress @file_list[:controllers] do |controller|
-      process_step_file controller.path do
+    controllers = file_cache.controllers.sort_by { |path, _| path }
+
+    track_progress controllers do |path, controller|
+      process_step_file path do
         process_controller controller
       end
     end
   end
 
   def process_controller_data_flows
-    controllers = tracker.controllers.sort_by { |name, _| name.to_s }
+    controllers = tracker.controllers.sort_by { |name, _| name }
 
     track_progress controllers, "controllers" do |name, controller|
       process_step_file name do
@@ -356,10 +374,10 @@ class Brakeman::Scanner
   #
   #Adds processed views to tracker.views
   def process_templates
-    templates = @file_list[:templates].sort_by { |t| t[:path] }
+    templates = file_cache.templates.sort_by { |path, _| path }
 
-    track_progress templates, "templates" do |template|
-      process_step_file template[:path] do
+    track_progress templates, "templates" do |path, template|
+      process_step_file path do
         process_template template
       end
     end
@@ -370,7 +388,7 @@ class Brakeman::Scanner
   end
 
   def process_template_data_flows
-    templates = tracker.templates.sort_by { |name, _| name.to_s }
+    templates = tracker.templates.sort_by { |name, _| name }
 
     track_progress templates, "templates" do |name, template|
       process_step_file name do
@@ -383,15 +401,17 @@ class Brakeman::Scanner
   #
   #Adds the processed models to tracker.models
   def process_models
-    track_progress @file_list[:models] do |model|
-      process_step_file model[:path] do
-        process_model model[:path], model[:ast]
+    models = file_cache.models.sort_by { |path, _| path }
+
+    track_progress models do |path, model|
+      process_step_file path do
+        process_model model
       end
     end
   end
 
-  def process_model path, ast
-    @processor.process_model(ast, path)
+  def process_model astfile
+    @processor.process_model(astfile.ast, astfile.path)
   end
 
   def track_progress list, type = "files"
@@ -420,6 +440,10 @@ class Brakeman::Scanner
     tracker.error(e)
     nil
   end
+
+  def support_rescanning?
+    tracker.options[:support_rescanning]
+  end
 end
 
 # This is to allow operation without loading the Haml library