brakeman-min 0.5.2 → 2.1.0

data/lib/brakeman/processors/lib/find_return_value.rb

@@ -0,0 +1,134 @@
+require 'brakeman/processors/alias_processor'
+
+#Attempts to determine the return value of a method.
+#
+#Preferred usage:
+#
+#  Brakeman::FindReturnValue.return_value exp
+class Brakeman::FindReturnValue
+  include Brakeman::Util
+
+  #Returns a guess at the return value of a given method or other block of code.
+  #
+  #If multiple return values are possible, returns all values in an :or Sexp.
+  def self.return_value exp, env = nil
+    self.new.get_return_value exp, env
+  end
+
+  def initialize
+    @uses_ivars = false
+    @return_values = []
+  end
+
+  def uses_ivars?
+    @uses_ivars
+  end
+
+  #Find return value of Sexp. Takes an optional starting environment.
+  def get_return_value exp, env = nil
+    process_method exp, env
+    value = make_return_value
+    value.original_line = exp.line
+    value
+  end
+
+  #Process method (or, actually, any Sexp) for return value.
+  def process_method exp, env = nil
+    exp = Brakeman::AliasProcessor.new.process_safely exp, env
+
+    find_explicit_return_values exp
+
+    if node_type? exp, :methdef, :selfdef, :defn, :defs
+      body = exp.body
+
+      unless body.empty?
+        @return_values << last_value(body)
+      else
+        Brakeman.debug "FindReturnValue: Empty method? #{exp.inspect}"
+      end
+    elsif exp
+      @return_values << last_value(exp)
+    else
+       Brakeman.debug "FindReturnValue: Given something strange? #{exp.inspect}"
+    end
+
+    exp
+  end
+
+  #Searches expression for return statements.
+  def find_explicit_return_values exp
+    todo = [exp]
+
+    until todo.empty?
+      current = todo.shift
+
+      @uses_ivars = true if node_type? current, :ivar
+
+      if node_type? current, :return
+        @return_values << current.value unless current.value.nil?
+      elsif sexp? current
+        todo = current[1..-1].concat todo
+      end
+    end
+  end
+
+  #Determines the "last value" of an expression.
+  def last_value exp
+    case exp.node_type
+    when :rlist, :block, :scope, Sexp
+      last_value exp.last
+    when :if
+      then_clause = exp.then_clause
+      else_clause = exp.else_clause
+
+      if then_clause.nil?
+        last_value else_clause
+      elsif else_clause.nil?
+        last_value then_clause
+      else
+        true_branch = last_value then_clause
+        false_branch = last_value else_clause
+
+        if true_branch and false_branch
+          value = make_or(true_branch, false_branch)
+          value.original_line = value.rhs.line
+          value
+        else #Unlikely?
+          true_branch or false_branch
+        end
+      end
+    when :lasgn, :iasgn
+      exp.rhs
+    when :return
+      exp.value
+    else
+      exp.original_line = exp.line unless exp.original_line
+      exp
+    end
+  end
+
+  def make_or lhs, rhs
+    #Better checks in future
+    if lhs == rhs
+      lhs
+    else
+      Sexp.new(:or, lhs, rhs)
+    end
+  end
+
+  #Turns the array of return values into an :or Sexp
+  def make_return_value
+    @return_values.compact!
+    @return_values.uniq!
+
+    if @return_values.empty?
+      Sexp.new(:nil)
+    elsif @return_values.length == 1
+      @return_values.first
+    else
+      @return_values.reduce do |value, sexp|
+        make_or value, sexp
+      end
+    end
+  end
+end

data/lib/brakeman/processors/lib/processor_helper.rb

@@ -0,0 +1,82 @@
+#Contains a couple shared methods for Processors.
+module Brakeman::ProcessorHelper
+  def process_all exp
+    exp.each_sexp do |e|
+      process e
+    end
+    exp
+  end
+
+  def process_all! exp
+    exp.map! do |e|
+      if sexp? e
+        process e
+      else
+        e
+      end
+    end
+
+    exp
+  end
+
+  #Process the arguments of a method call. Does not store results.
+  #
+  #This method is used because Sexp#args and Sexp#arglist create new objects.
+  def process_call_args exp
+    exp.each_arg do |a|
+      process a if sexp? a
+    end
+
+    exp
+  end
+  #Sets the current module.
+  def process_module exp
+    module_name = class_name(exp.class_name).to_s
+    prev_module = @current_module
+
+    if prev_module
+      @current_module = "#{prev_module}::#{module_name}"
+    else
+      @current_module = module_name
+    end
+
+    if block_given?
+      yield
+    else
+      process_all exp.body
+    end
+
+    @current_module = prev_module
+
+    exp
+  end
+
+  #Returns a class name as a Symbol.
+  def class_name exp
+    case exp
+    when Sexp
+      case exp.node_type
+      when :const
+        exp.value
+      when :lvar
+        exp.value.to_sym
+      when :colon2
+        "#{class_name(exp.lhs)}::#{exp.rhs}".to_sym
+      when :colon3
+        "::#{exp.value}".to_sym
+      when :call
+        process exp
+      when :self
+        @current_class || @current_module || nil
+      else
+        raise "Error: Cannot get class name from #{exp}"
+      end
+    when Symbol
+      exp
+    when nil
+      nil
+    else
+      raise "Error: Cannot get class name from #{exp}"
+    end
+  end
+end

data/lib/{processors/config_processor.rb → brakeman/processors/lib/rails2_config_processor.rb}

@@ -1,13 +1,3 @@
-require 'processors/base_processor'
-require 'processors/alias_processor'
-  
-#Replace block variable in
-#
-#  Rails::Initializer.run |config|
-#
-#with this value so we can keep track of it.
-RAILS_CONFIG = Sexp.new(:const, :"!BRAKEMAN_RAILS_CONFIG")
-
 #Processes configuration. Results are put in tracker.config.
 #
 #Configuration of Rails via Rails::Initializer are stored in tracker.config[:rails].
@@ -22,7 +12,14 @@ RAILS_CONFIG = Sexp.new(:const, :"!BRAKEMAN_RAILS_CONFIG")
 #  tracker.config[:rails][:action_controller][:session_store]
 #
 #Values for tracker.config[:rails] will still be Sexps.
-class ConfigProcessor < BaseProcessor
+class Brakeman::Rails2ConfigProcessor < Brakeman::BaseProcessor
+  #Replace block variable in
+  #
+  #  Rails::Initializer.run |config|
+  #
+  #with this value so we can keep track of it.
+  RAILS_CONFIG = Sexp.new(:const, :"!BRAKEMAN_RAILS_CONFIG")
+
   def initialize *args
     super
     @tracker.config[:rails] ||= {}
@@ -30,17 +27,17 @@ class ConfigProcessor < BaseProcessor
 
   #Use this method to process configuration file
   def process_config src
-    res = ConfigAliasProcessor.new.process_safely(src)
+    res = Brakeman::ConfigAliasProcessor.new.process_safely(src)
     process res
   end
 
   #Check if config is set to use Erubis
   def process_call exp
-    target = exp[1]
+    target = exp.target
     target = process target if sexp? target
 
-    if exp[2] == :gem and exp[3][1][1] == "erubis"
-      warn "[Notice] Using Erubis for ERB templates"
+    if exp.method == :gem and exp.first_arg.value == "erubis"
+      Brakeman.notify "[Notice] Using Erubis for ERB templates"
       @tracker.config[:erubis] = true
     end
 
@@ -49,14 +46,14 @@ class ConfigProcessor < BaseProcessor
 
   #Look for configuration settings
   def process_attrasgn exp
-    if exp[1] == RAILS_CONFIG
+    if exp.target == RAILS_CONFIG
       #Get rid of '=' at end
-      attribute = exp[2].to_s[0..-2].to_sym
-      if exp[3].length > 2
+      attribute = exp.method.to_s[0..-2].to_sym
+      if exp.args.length > 1
         #Multiple arguments?...not sure if this will ever happen
-        @tracker.config[:rails][exp[2]] = exp[3][1..-1]
+        @tracker.config[:rails][attribute] = exp.args
       else
-        @tracker.config[:rails][exp[2]] = exp[3][1]
+        @tracker.config[:rails][attribute] = exp.first_arg
       end
     elsif include_rails_config? exp
       options = get_rails_config exp
@@ -66,7 +63,7 @@ class ConfigProcessor < BaseProcessor
         level = level[o]
       end
 
-      level[options.last] = exp[3][1]
+      level[options.last] = exp.first_arg
     end
 
     exp
@@ -75,8 +72,8 @@ class ConfigProcessor < BaseProcessor
   #Check for Rails version
   def process_cdecl exp
     #Set Rails version required
-    if exp[1] == :RAILS_GEM_VERSION
-      @tracker.config[:rails_version] = exp[2][1]
+    if exp.lhs == :RAILS_GEM_VERSION
+      @tracker.config[:rails_version] = exp.rhs.value
     end
 
     exp
@@ -84,9 +81,9 @@ class ConfigProcessor < BaseProcessor
 
   #Check if an expression includes a call to set Rails config
   def include_rails_config? exp
-    target = exp[1]
+    target = exp.target
     if call? target
-      if target[1] == RAILS_CONFIG
+      if target.target == RAILS_CONFIG
         true
       else
         include_rails_config? target
@@ -106,14 +103,14 @@ class ConfigProcessor < BaseProcessor
   #
   #  [:action_controller, :session_store]
   def get_rails_config exp
-    if sexp? exp and exp.node_type == :attrasgn
-      attribute = exp[2].to_s[0..-2].to_sym
-      get_rails_config(exp[1]) << attribute
+    if node_type? exp, :attrasgn
+      attribute = exp.method.to_s[0..-2].to_sym
+      get_rails_config(exp.target) << attribute
     elsif call? exp
-      if exp[1] == RAILS_CONFIG
-        [exp[2]]
+      if exp.target == RAILS_CONFIG
+        [exp.method]
       else
-        get_rails_config(exp[1]) << exp[2]
+        get_rails_config(exp.target) << exp.method
       end
     else
       raise "WHAT"
@@ -122,7 +119,7 @@ class ConfigProcessor < BaseProcessor
 end
 
 #This is necessary to replace block variable so we can track config settings
-class ConfigAliasProcessor < AliasProcessor
+class Brakeman::ConfigAliasProcessor < Brakeman::AliasProcessor
 
   RAILS_INIT = Sexp.new(:colon2, Sexp.new(:const, :Rails), :Initializer)
 
@@ -134,11 +131,11 @@ class ConfigAliasProcessor < AliasProcessor
   #
   #and replace config with RAILS_CONFIG
   def process_iter exp
-    target = exp[1][1]
-    method = exp[1][2]
+    target = exp.block_call.target
+    method = exp.block_call.method
 
     if sexp? target and target == RAILS_INIT and method == :run
-      exp[2][2] = RAILS_CONFIG
+      env[Sexp.new(:lvar, exp.block_args.value)] = Brakeman::Rails2ConfigProcessor::RAILS_CONFIG
     end
 
     process_default exp

data/lib/{processors → brakeman/processors}/lib/rails2_route_processor.rb

@@ -1,10 +1,11 @@
-require 'processors/base_processor'
+require 'brakeman/processors/base_processor'
+
 #Processes the Sexp from routes.rb. Stores results in tracker.routes.
 #
 #Note that it is only interested in determining what methods on which
 #controllers are used as routes, not the generated URLs for routes.
-class RoutesProcessor < BaseProcessor
-  include RouteHelper
+class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
+  include Brakeman::RouteHelper
 
   attr_reader :map, :nested, :current_controller
 
@@ -22,16 +23,15 @@ class RoutesProcessor < BaseProcessor
   #This method first calls RouteAliasProcessor#process_safely on the +exp+,
   #so it does not modify the +exp+.
   def process_routes exp
-    process RouteAliasProcessor.new.process_safely(exp)
+    process Brakeman::RouteAliasProcessor.new.process_safely(exp)
   end
 
   #Looking for mapping of routes
   def process_call exp
-    target = exp[1]
+    target = exp.target
 
-    if target == map or target == nested
+    if target == map or (not target.nil? and target == nested)
       process_map exp
-
     else
       process_default exp
     end
@@ -42,9 +42,9 @@ class RoutesProcessor < BaseProcessor
   #Process a map.something call
   #based on the method used
   def process_map exp
-    args = exp[3][1..-1]
+    args = exp.args
 
-    case exp[2]
+    case exp.method
     when :resource
       process_resource args
     when :resources
@@ -61,14 +61,16 @@ class RoutesProcessor < BaseProcessor
   #Look for map calls that take a block.
   #Otherwise, just do the default processing.
   def process_iter exp
-    if exp[1][1] == map or exp[1][1] == nested
-      method = exp[1][2]
+    target = exp.block_call.target
+
+    if target == map or target == nested
+      method = exp.block_call.method
       case method
       when :namespace
         process_namespace exp
       when :resources, :resource
-        process_resources exp[1][3][1..-1]
-        process_default exp[3]
+        process_resources exp.block_call.args
+        process_default exp.block if exp.block
       when :with_options
         process_with_options exp
       end
@@ -88,10 +90,10 @@ class RoutesProcessor < BaseProcessor
       process_resource_options exp[-1]
     else
       exp.each do |argument|
-        if sexp? argument and argument.node_type == :lit
-          self.current_controller = exp[0][1]
+        if node_type? argument, :lit
+          self.current_controller = exp.first.value
           add_resources_routes
-          process_resource_options exp[-1]
+          process_resource_options exp.last
         end
       end
     end
@@ -110,7 +112,8 @@ class RoutesProcessor < BaseProcessor
     hash_iterate(exp) do |option, value|
       case option[1]
       when :controller, :requirements, :singular, :path_prefix, :as,
-        :path_names, :shallow, :name_prefix
+        :path_names, :shallow, :name_prefix, :member_path, :nested_member_path,
+        :belongs_to, :conditions, :active_scaffold
         #should be able to skip
       when :collection, :member, :new
         process_collection value
@@ -127,7 +130,7 @@ class RoutesProcessor < BaseProcessor
       when :except
         process_option_except value
       else
-        raise "Unhandled resource option: #{option}"
+        Brakeman.notify "[Notice] Unhandled resource option, please report: #{option}"
       end
     end
   end
@@ -141,7 +144,7 @@ class RoutesProcessor < BaseProcessor
 
     if exp.node_type == :array
       exp[1..-1].each do |e|
-        routes << e[1]
+        routes << e.value
       end
     end
   end
@@ -152,7 +155,7 @@ class RoutesProcessor < BaseProcessor
     routes = @tracker.routes[@current_controller]
 
     exp[1..-1].each do |e|
-      routes.delete e[1]
+      routes.delete e.value
     end
   end
 
@@ -161,13 +164,13 @@ class RoutesProcessor < BaseProcessor
     controller = check_for_controller_name exp
     if controller
       self.current_controller = controller
-      process_resource_options exp[-1]
+      process_resource_options exp.last
     else
       exp.each do |argument|
-        if sexp? argument and argument.node_type == :lit
-          self.current_controller = pluralize(exp[0][1].to_s)
+        if node_type? argument, :lit
+          self.current_controller = pluralize(exp.first.value.to_s)
           add_resource_routes
-          process_resource_options exp[-1]
+          process_resource_options exp.last
         end
       end
     end
@@ -176,26 +179,33 @@ class RoutesProcessor < BaseProcessor
   #Process
   # map.connect '/something', :controller => 'blah', :action => 'whatever'
   def process_connect exp
+    return if exp.empty?
+
     controller = check_for_controller_name exp
     self.current_controller = controller if controller
     
     #Check for default route
-    if string? exp[0]
-      if exp[0][1] == ":controller/:action/:id"
-        @tracker.routes[:allow_all_actions] = exp[0]
-      elsif exp[0][1].include? ":action"
-        @tracker.routes[@current_controller] = :allow_all_actions
+    if string? exp.first
+      if exp.first.value == ":controller/:action/:id"
+        @tracker.routes[:allow_all_actions] = exp.first
+      elsif exp.first.value.include? ":action"
+        @tracker.routes[@current_controller] = [:allow_all_actions, exp.line]
         return
       end
     end
 
     #This -seems- redundant, but people might connect actions
     #to a controller which already allows them all
-    return if @tracker.routes[@current_controller] == :allow_all_actions
+    return if @tracker.routes[@current_controller].is_a? Array and @tracker.routes[@current_controller][0] == :allow_all_actions
+
+    exp.last.each_with_index do |e,i|
+      if symbol? e and e.value == :action
+        action = exp.last[i + 1]
+        
+        if node_type? action, :lit
+          @tracker.routes[@current_controller] << action.value.to_sym
+        end
 
-    exp[-1].each_with_index do |e,i|
-      if symbol? e and e[1] == :action
-        @tracker.routes[@current_controller] << exp[-1][i + 1][1].to_sym
         return
       end
     end
@@ -205,13 +215,13 @@ class RoutesProcessor < BaseProcessor
   #   something.resources :blah
   # end
   def process_with_options exp
-    @with_options = exp[1][3][-1]
-    @nested = Sexp.new(:lvar, exp[2][1])
+    @with_options = exp.block_call.last_arg
+    @nested = Sexp.new(:lvar, exp.block_args.value)
 
-    self.current_controller = check_for_controller_name exp[1][3]
+    self.current_controller = check_for_controller_name exp.block_call.args
     
     #process block
-    process exp[3] 
+    process exp.block
 
     @with_options = nil
     @nested = nil
@@ -221,13 +231,15 @@ class RoutesProcessor < BaseProcessor
   #   something.resources :blah
   # end
   def process_namespace exp
-    call = exp[1]
-    formal_args = exp[2]
-    block = exp[3]
+    call = exp.block_call
+    formal_args = exp.block_args
+    block = exp.block
 
-    @prefix << camelize(call[3][1][1])
+    @prefix << camelize(call.first_arg.value)
 
-    @nested = Sexp.new(:lvar, formal_args[1])
+    if formal_args
+      @nested = Sexp.new(:lvar, formal_args.value)
+    end
 
     process block
 
@@ -246,7 +258,7 @@ class RoutesProcessor < BaseProcessor
     routes = @tracker.routes[@current_controller]
 
     hash_iterate(exp) do |action, type|
-      routes << action[1]
+      routes << action.value
     end
   end
 
@@ -258,12 +270,8 @@ class RoutesProcessor < BaseProcessor
   #Otherwise, returns nil.
   def check_for_controller_name args
     args.each do |a|
-      if hash? a
-        hash_iterate(a) do |k, v|
-          if k[1] == :controller
-            return v[1]
-          end 
-        end
+      if hash? a and value = hash_access(a, :controller)
+        return value.value if string? value or symbol? value
       end
     end
 
@@ -273,7 +281,7 @@ end
 
 #This is for a really specific case where a hash is used as arguments
 #to one of the map methods.
-class RouteAliasProcessor < AliasProcessor
+class Brakeman::RouteAliasProcessor < Brakeman::AliasProcessor
   
   #This replaces
   # { :some => :hash }.keys
@@ -282,8 +290,8 @@ class RouteAliasProcessor < AliasProcessor
   def process_call exp
     process_default exp
     
-    if hash? exp[1] and exp[2] == :keys
-        keys = get_keys exp[1] 
+    if hash? exp.target and exp.method == :keys
+      keys = get_keys exp.target
       exp.clear
       keys.each_with_index do |e,i|
         exp[i] = e