brakeman-min 0.5.2 → 2.1.0
- data/CHANGES +529 -0
- data/README.md +74 -28
- data/bin/brakeman +60 -266
- data/lib/brakeman.rb +422 -0
- data/lib/brakeman/app_tree.rb +101 -0
- data/lib/brakeman/brakeman.rake +10 -0
- data/lib/brakeman/call_index.rb +215 -0
- data/lib/brakeman/checks.rb +180 -0
- data/lib/brakeman/checks/base_check.rb +538 -0
- data/lib/brakeman/checks/check_basic_auth.rb +89 -0
- data/lib/brakeman/checks/check_content_tag.rb +162 -0
- data/lib/brakeman/checks/check_cross_site_scripting.rb +334 -0
- data/lib/{checks → brakeman/checks}/check_default_routes.rb +13 -6
- data/lib/brakeman/checks/check_deserialize.rb +57 -0
- data/lib/brakeman/checks/check_digest_dos.rb +38 -0
- data/lib/brakeman/checks/check_escape_function.rb +21 -0
- data/lib/brakeman/checks/check_evaluation.rb +33 -0
- data/lib/brakeman/checks/check_execute.rb +98 -0
- data/lib/brakeman/checks/check_file_access.rb +62 -0
- data/lib/brakeman/checks/check_filter_skipping.rb +31 -0
- data/lib/brakeman/checks/check_forgery_setting.rb +54 -0
- data/lib/brakeman/checks/check_jruby_xml.rb +38 -0
- data/lib/brakeman/checks/check_json_parsing.rb +102 -0
- data/lib/brakeman/checks/check_link_to.rb +132 -0
- data/lib/brakeman/checks/check_link_to_href.rb +92 -0
- data/lib/{checks → brakeman/checks}/check_mail_to.rb +14 -13
- data/lib/brakeman/checks/check_mass_assignment.rb +143 -0
- data/lib/brakeman/checks/check_model_attr_accessible.rb +48 -0
- data/lib/brakeman/checks/check_model_attributes.rb +118 -0
- data/lib/brakeman/checks/check_model_serialize.rb +66 -0
- data/lib/{checks → brakeman/checks}/check_nested_attributes.rb +10 -6
- data/lib/brakeman/checks/check_quote_table_name.rb +40 -0
- data/lib/brakeman/checks/check_redirect.rb +177 -0
- data/lib/brakeman/checks/check_render.rb +62 -0
- data/lib/brakeman/checks/check_response_splitting.rb +21 -0
- data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +31 -0
- data/lib/brakeman/checks/check_sanitize_methods.rb +54 -0
- data/lib/brakeman/checks/check_select_tag.rb +60 -0
- data/lib/brakeman/checks/check_select_vulnerability.rb +58 -0
- data/lib/brakeman/checks/check_send.rb +35 -0
- data/lib/brakeman/checks/check_send_file.rb +19 -0
- data/lib/brakeman/checks/check_session_settings.rb +145 -0
- data/lib/brakeman/checks/check_single_quotes.rb +101 -0
- data/lib/brakeman/checks/check_skip_before_filter.rb +62 -0
- data/lib/brakeman/checks/check_sql.rb +577 -0
- data/lib/brakeman/checks/check_strip_tags.rb +64 -0
- data/lib/brakeman/checks/check_symbol_dos.rb +67 -0
- data/lib/brakeman/checks/check_translate_bug.rb +45 -0
- data/lib/brakeman/checks/check_unsafe_reflection.rb +51 -0
- data/lib/brakeman/checks/check_validation_regex.rb +88 -0
- data/lib/brakeman/checks/check_without_protection.rb +64 -0
- data/lib/brakeman/checks/check_yaml_parsing.rb +121 -0
- data/lib/brakeman/differ.rb +66 -0
- data/lib/{format → brakeman/format}/style.css +28 -0
- data/lib/brakeman/options.rb +256 -0
- data/lib/brakeman/parsers/rails2_erubis.rb +6 -0
- data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb +48 -0
- data/lib/{scanner_erubis.rb → brakeman/parsers/rails3_erubis.rb} +8 -21
- data/lib/brakeman/processor.rb +102 -0
- data/lib/brakeman/processors/alias_processor.rb +780 -0
- data/lib/{processors → brakeman/processors}/base_processor.rb +90 -74
- data/lib/brakeman/processors/config_processor.rb +14 -0
- data/lib/brakeman/processors/controller_alias_processor.rb +334 -0
- data/lib/brakeman/processors/controller_processor.rb +265 -0
- data/lib/{processors → brakeman/processors}/erb_template_processor.rb +21 -19
- data/lib/brakeman/processors/erubis_template_processor.rb +96 -0
- data/lib/brakeman/processors/gem_processor.rb +59 -0
- data/lib/{processors → brakeman/processors}/haml_template_processor.rb +26 -21
- data/lib/brakeman/processors/lib/find_all_calls.rb +185 -0
- data/lib/{processors → brakeman/processors}/lib/find_call.rb +23 -28
- data/lib/brakeman/processors/lib/find_return_value.rb +134 -0
- data/lib/brakeman/processors/lib/processor_helper.rb +82 -0
- data/lib/{processors/config_processor.rb → brakeman/processors/lib/rails2_config_processor.rb} +32 -35
- data/lib/{processors → brakeman/processors}/lib/rails2_route_processor.rb +60 -52
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +129 -0
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +282 -0
- data/lib/{processors → brakeman/processors}/lib/render_helper.rb +54 -20
- data/lib/brakeman/processors/lib/route_helper.rb +62 -0
- data/lib/{processors → brakeman/processors}/library_processor.rb +24 -17
- data/lib/{processors → brakeman/processors}/model_processor.rb +46 -22
- data/lib/{processors → brakeman/processors}/output_processor.rb +34 -40
- data/lib/brakeman/processors/route_processor.rb +17 -0
- data/lib/brakeman/processors/slim_template_processor.rb +113 -0
- data/lib/brakeman/processors/template_alias_processor.rb +120 -0
- data/lib/{processors → brakeman/processors}/template_processor.rb +10 -7
- data/lib/brakeman/report.rb +68 -0
- data/lib/brakeman/report/ignore/config.rb +130 -0
- data/lib/brakeman/report/ignore/interactive.rb +311 -0
- data/lib/brakeman/report/initializers/faster_csv.rb +7 -0
- data/lib/brakeman/report/initializers/multi_json.rb +29 -0
- data/lib/brakeman/report/renderer.rb +24 -0
- data/lib/brakeman/report/report_base.rb +279 -0
- data/lib/brakeman/report/report_csv.rb +56 -0
- data/lib/brakeman/report/report_hash.rb +22 -0
- data/lib/brakeman/report/report_html.rb +203 -0
- data/lib/brakeman/report/report_json.rb +46 -0
- data/lib/brakeman/report/report_table.rb +109 -0
- data/lib/brakeman/report/report_tabs.rb +17 -0
- data/lib/brakeman/report/templates/controller_overview.html.erb +18 -0
- data/lib/brakeman/report/templates/controller_warnings.html.erb +17 -0
- data/lib/brakeman/report/templates/error_overview.html.erb +25 -0
- data/lib/brakeman/report/templates/header.html.erb +44 -0
- data/lib/brakeman/report/templates/ignored_warnings.html.erb +21 -0
- data/lib/brakeman/report/templates/model_warnings.html.erb +17 -0
- data/lib/brakeman/report/templates/overview.html.erb +34 -0
- data/lib/brakeman/report/templates/security_warnings.html.erb +19 -0
- data/lib/brakeman/report/templates/template_overview.html.erb +17 -0
- data/lib/brakeman/report/templates/view_warnings.html.erb +30 -0
- data/lib/brakeman/report/templates/warning_overview.html.erb +13 -0
- data/lib/brakeman/rescanner.rb +446 -0
- data/lib/brakeman/scanner.rb +362 -0
- data/lib/brakeman/tracker.rb +296 -0
- data/lib/brakeman/util.rb +413 -0
- data/lib/brakeman/version.rb +3 -0
- data/lib/brakeman/warning.rb +217 -0
- data/lib/brakeman/warning_codes.rb +68 -0
- data/lib/ruby_parser/bm_sexp.rb +562 -0
- data/lib/ruby_parser/bm_sexp_processor.rb +230 -0
- metadata +152 -66
- data/lib/checks.rb +0 -71
- data/lib/checks/base_check.rb +0 -357
- data/lib/checks/check_cross_site_scripting.rb +0 -336
- data/lib/checks/check_evaluation.rb +0 -27
- data/lib/checks/check_execute.rb +0 -110
- data/lib/checks/check_file_access.rb +0 -46
- data/lib/checks/check_forgery_setting.rb +0 -42
- data/lib/checks/check_mass_assignment.rb +0 -74
- data/lib/checks/check_model_attributes.rb +0 -36
- data/lib/checks/check_redirect.rb +0 -98
- data/lib/checks/check_render.rb +0 -65
- data/lib/checks/check_send_file.rb +0 -15
- data/lib/checks/check_session_settings.rb +0 -79
- data/lib/checks/check_sql.rb +0 -146
- data/lib/checks/check_validation_regex.rb +0 -60
- data/lib/processor.rb +0 -86
- data/lib/processors/alias_processor.rb +0 -384
- data/lib/processors/controller_alias_processor.rb +0 -237
- data/lib/processors/controller_processor.rb +0 -202
- data/lib/processors/erubis_template_processor.rb +0 -85
- data/lib/processors/lib/find_model_call.rb +0 -39
- data/lib/processors/lib/processor_helper.rb +0 -36
- data/lib/processors/lib/rails3_route_processor.rb +0 -184
- data/lib/processors/lib/route_helper.rb +0 -34
- data/lib/processors/params_processor.rb +0 -77
- data/lib/processors/route_processor.rb +0 -11
- data/lib/processors/template_alias_processor.rb +0 -86
- data/lib/report.rb +0 -680
- data/lib/scanner.rb +0 -227
- data/lib/tracker.rb +0 -144
- data/lib/util.rb +0 -141
- data/lib/version.rb +0 -1
- data/lib/warning.rb +0 -99
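--- /dev/null
+++ b/data/lib/brakeman/processors/lib/route_helper.rb
@@ -0,0 +1,62 @@
+module Brakeman::RouteHelper
+#Manage Controller prefixes
+#@prefix is an Array, but this method returns a string
+#suitable for prefixing onto a controller name.
+def prefix
+if @prefix.length > 0
+@prefix.join("::") << "::"
+else
+''
+end
+end
+
+#Sets the controller name to a proper class name.
+#For example
+# self.current_controller = :session
+# @controller == :SessionController #true
+#
+#Also prepends the prefix if there is one set.
+def current_controller= name
+@current_controller = (prefix + camelize(name) + "Controller").to_sym
+@tracker.routes[@current_controller] ||= Set.new
+end
+
+#Add route to controller. If a controller is specified,
+#the current controller will be set to that controller.
+#If no controller is specified, uses current controller value.
+def add_route route, controller = nil
+if node_type? route, :str, :lit
+route = route.value
+end
+
+route = route.to_sym
+
+if controller
+self.current_controller = controller
+end
+
+routes = @tracker.routes[@current_controller]
+
+if routes and routes != :allow_all_actions
+routes << route
+end
+end
+
+#Add default routes
+def add_resources_routes
+existing_routes = @tracker.routes[@current_controller]
+
+unless existing_routes.is_a? Array and existing_routes.first == :allow_all_actions
+existing_routes.merge [:index, :new, :create, :show, :edit, :update, :destroy]
+end
+end
+
+#Add default routes minus :index
+def add_resource_routes
+existing_routes = @tracker.routes[@current_controller]
+
+unless existing_routes.is_a? Array and existing_routes.first == :allow_all_actions
+existing_routes.merge [:new, :create, :show, :edit, :update, :destroy]
+end
+end
+end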
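Review bot: `add_route` and the two resource helpers disagree on how the "all actions allowed" marker is stored: line 40 compares the routes value itself against `:allow_all_actions`, while lines 49 and 58 expect an Array whose first element is that symbol, and `current_controller=` on line 21 only ever creates a `Set`, so at least one of those guards can never fire. If `@tracker.routes[@current_controller]` is the bare symbol, `existing_routes.merge` on lines 50 and 59 raises NoMethodError, and if it is nil because no controller has been set yet, both resource methods crash on `is_a?`-then-`merge`. One shared predicate used at all three sites, e.g. `def all_actions_allowed? routes; routes == :allow_all_actions or (routes.respond_to?(:first) and routes.first == :allow_all_actions); end`, plus `return unless existing_routes` in the resource methods, would keep the bookkeeping consistent. Since this routes table is presumably what other checks consult to decide which actions are reachable, a marker that is silently missed shows up as wrong findings rather than as an error.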
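--- a/data/lib/processors/library_processor.rb
+++ b/data/lib/brakeman/processors/library_processor.rb
@@ -1,13 +1,13 @@
-require 'processors/base_processor'
-require 'processors/alias_processor'
+require 'brakeman/processors/base_processor'
+require 'brakeman/processors/alias_processor'
 
 #Process generic library and stores it in Tracker.libs
-class LibraryProcessor < BaseProcessor
+class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
 
 def initialize tracker
 super
 @file_name = nil
-@alias_processor = AliasProcessor.new
+@alias_processor = Brakeman::AliasProcessor.new tracker
 end
 
 def process_library src, file_name = nil
@@ -16,7 +16,7 @@ class LibraryProcessor < BaseProcessor
 end
 
 def process_class exp
-name = class_name(exp
+name = class_name(exp.class_name)
 
 if @current_class
 outer_class = @current_class
@@ -30,8 +30,15 @@ class LibraryProcessor < BaseProcessor
 if @tracker.libs[name]
 @current_class = @tracker.libs[name]
 else
+begin
+parent = class_name exp.parent_name
+rescue StandardError => e
+Brakeman.debug e
+parent = nil
+end
+
 @current_class = { :name => name,
-:parent =>
+:parent => parent,
 :includes => [],
 :public => {},
 :private => {},
@@ -42,7 +49,7 @@ class LibraryProcessor < BaseProcessor
 @tracker.libs[name] = @current_class
 end
 
-exp
+exp.body = process_all! exp.body
 
 if outer_class
 @current_class = outer_class
@@ -54,7 +61,7 @@ class LibraryProcessor < BaseProcessor
 end
 
 def process_module exp
-name = class_name(exp
+name = class_name(exp.module_name)
 
 if @current_module
 outer_class = @current_module
@@ -79,7 +86,7 @@ class LibraryProcessor < BaseProcessor
 @tracker.libs[name] = @current_module
 end
 
-exp
+exp.body = process_all! exp.body
 
 if outer_class
 @current_module = outer_class
@@ -91,26 +98,26 @@ class LibraryProcessor < BaseProcessor
 end
 
 def process_defn exp
-exp
-exp
+exp = @alias_processor.process exp
+exp.node_type = :methdef
 
 if @current_class
-@current_class[:public][exp
+@current_class[:public][exp.method_name] = exp
 elsif @current_module
-@current_module[:public][exp
+@current_module[:public][exp.method_name] = exp
 end
 
 exp
 end
 
 def process_defs exp
-exp
-exp
+exp = @alias_processor.process exp
+exp.node_type = :selfdef
 
 if @current_class
-@current_class[:public][exp
+@current_class[:public][exp.method_name] = exp
 elsif @current_module
-@current_module[:public][exp
+@current_module[:public][exp.method_name] = exp
 end
 
 exp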
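Review bot: `process_defn` and `process_defs` (new lines 101–111 and 114–124) push every method body through the single `@alias_processor` built once in `initialize` on line 10; if `Brakeman::AliasProcessor` keeps its alias environment between `process` calls (not visible in this hunk), values inferred in one library method would carry into the next and could be attributed to the wrong definition. If it is stateful, instantiate one per definition or reset it before each call, and a one-line comment at line 10 stating which it is would settle the question for readers. The two methods are otherwise identical apart from `:methdef`/`:selfdef`, so a private `record_method exp, type` helper would remove the duplicated `@current_class`/`@current_module` branch. Both also file every definition under `[:public]` regardless of a preceding `private`, though that predates this change.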
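--- a/data/lib/processors/model_processor.rb
+++ b/data/lib/brakeman/processors/model_processor.rb
@@ -1,7 +1,10 @@
-require 'processors/base_processor'
+require 'brakeman/processors/base_processor'
 
 #Processes models. Puts results in tracker.models
-class ModelProcessor < BaseProcessor
+class Brakeman::ModelProcessor < Brakeman::BaseProcessor
+
+ASSOCIATIONS = Set[:belongs_to, :has_one, :has_many, :has_and_belongs_to_many]
+
 def initialize tracker
 super
 @model = nil
@@ -16,24 +19,34 @@ class ModelProcessor < BaseProcessor
 process src
 end
 
-#s(:class, NAME, PARENT,
+#s(:class, NAME, PARENT, BODY)
 def process_class exp
+name = class_name exp.class_name
+
 if @model
-
+Brakeman.debug "[Notice] Skipping inner class: #{name}"
 ignore
 else
-
-
+begin
+parent = class_name exp.parent_name
+rescue StandardError => e
+Brakeman.debug e
+parent = nil
+end
+
+@model = { :name => name,
+:parent => parent,
 :includes => [],
 :public => {},
 :private => {},
 :protected => {},
 :options => {},
+:associations => {},
 :file => @file_name }
 @tracker.models[@model[:name]] = @model
-
+exp.body = process_all! exp.body
 @model = nil
-
+exp
 end
 end
 
@@ -41,45 +54,56 @@ class ModelProcessor < BaseProcessor
 #such as include, attr_accessible, private, etc.
 def process_call exp
 return exp unless @model
-target = exp
+target = exp.target
 if sexp? target
 target = process target
 end
 
-method = exp
-
+method = exp.method
+first_arg = exp.first_arg
 
 #Methods called inside class definition
 #like attr_* and other settings
 if @current_method.nil? and target.nil?
-if
+if first_arg.nil?
 case method
 when :private, :protected, :public
 @visibility = method
+when :attr_accessible
+@model[:attr_accessible] ||= []
 else
 #??
 end
 else
 case method
 when :include
-@model[:includes] << class_name(
+@model[:includes] << class_name(first_arg) if @model
 when :attr_accessible
 @model[:attr_accessible] ||= []
-args =
-
+args = []
+
+exp.each_arg do |e|
+if node_type? e, :lit
+args << e.value
+end
 end
 
 @model[:attr_accessible].concat args
 else
 if @model
-
-
+if ASSOCIATIONS.include? method
+@model[:associations][method] ||= []
+@model[:associations][method].concat exp.args
+else
+@model[:options][method] ||= []
+@model[:options][method] << exp.arglist.line(exp.line)
+end
 end
 end
 end
 ignore
 else
-call =
+call = make_call target, method, process_all!(exp.args)
 call.line(exp.line)
 call
 end
@@ -88,10 +112,10 @@ class ModelProcessor < BaseProcessor
 #Add method definition to tracker
 def process_defn exp
 return exp unless @model
-name = exp
+name = exp.method_name
 
 @current_method = name
-res = Sexp.new :methdef, name,
+res = Sexp.new :methdef, name, exp.formal_args, *process_all!(exp.body)
 res.line(exp.line)
 @current_method = nil
 if @model
@@ -104,7 +128,7 @@ class ModelProcessor < BaseProcessor
 #Add method definition to tracker
 def process_defs exp
 return exp unless @model
-name = exp
+name = exp.method_name
 
 if exp[1].node_type == :self
 target = @model[:name]
@@ -113,7 +137,7 @@ class ModelProcessor < BaseProcessor
 end
 
 @current_method = name
-res = Sexp.new :selfdef, target, name,
+res = Sexp.new :selfdef, target, name, exp.formal_args, *process_all!(exp.body)
 res.line(exp.line)
 @current_method = nil
 if @model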
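Review bot: The `:attr_accessible` branch at new lines 83–91 records only `:lit` arguments, so `attr_accessible "name"` (a `:str` node) and an `:as => :role` options hash are dropped without any debug output, leaving `@model[:attr_accessible]` narrower than what the model actually declares. `node_type?` already takes several types (route_helper's `node_type? route, :str, :lit` in this same diff shows the form), so `if node_type? e, :lit, :str` would keep string attribute names, and a `Brakeman.debug` for anything else skipped would make the omission visible. The bare `attr_accessible` case at lines 72–73 deliberately stores an empty Array instead of leaving the key nil, which reads as "explicit empty whitelist"; a comment such as `# attr_accessible with no args is still an explicit (empty) whitelist, so record it` would stop the next reader from "fixing" it. The `if @model` guards on lines 80 and 93 are redundant after `return exp unless @model` on line 56.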
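--- a/data/lib/processors/output_processor.rb
+++ b/data/lib/brakeman/processors/output_processor.rb
@@ -1,17 +1,16 @@
-require 'rubygems'
 require 'ruby2ruby'
-require 'util'
+require 'brakeman/util'
 
 #Produces formatted output strings from Sexps.
 #Recommended usage is
 #
 # OutputProcessor.new.format(Sexp.new(:str, "hello"))
-class OutputProcessor < Ruby2Ruby
-include Util
+class Brakeman::OutputProcessor < Ruby2Ruby
+include Brakeman::Util
 
 #Copies +exp+ and then formats it.
 def format exp
-process
+process(exp.deep_clone) || "[Format Error]"
 end
 
 alias process_safely format
@@ -20,37 +19,7 @@ class OutputProcessor < Ruby2Ruby
 begin
 super exp if sexp? exp and not exp.empty?
 rescue Exception => e
-
-end
-end
-
-def process_call exp
-if exp[0].is_a? Symbol
-target = exp[0]
-
-method = exp[1]
-
-args = process exp[2]
-
-out = nil
-
-if method == :[]
-if target
-out = "#{target}[#{args}]"
-else
-raise Exception.new("Not sure what to do with access and no target: #{exp}")
-end
-else
-if target
-out = "#{target}.#{method}(#{args})"
-else
-out = "#{method}(#{args})"
-end
-end
-exp.clear
-out
-else
-super exp
+Brakeman.debug "While formatting #{exp}: #{e}\n#{e.backtrace.join("\n")}"
 end
 end
 
@@ -129,9 +98,32 @@ class OutputProcessor < Ruby2Ruby
 out
 end
 
+def process_defn exp
+# Copied from Ruby2Ruby except without the whole
+# "convert methods to attr_*" stuff
+name = exp.shift
+args = process exp.shift
+args = "" if args == "()"
+
+exp.shift if exp == s(s(:nil)) # empty it out of a default nil expression
+
+body = []
+until exp.empty? do
+body << indent(process(exp.shift))
+end
+
+body << indent("# do nothing") if body.empty?
+
+body = body.join("\n")
+
+return "def #{name}#{args}\n#{body}\nend".gsub(/\n\s*\n+/, "\n")
+end
+
+alias process_methdef process_defn
+
 def process_call_with_block exp
 call = process exp[0]
-block =
+block = process_rlist exp[2..-1]
 out = "#{call} do\n #{block}\n end"
 exp.clear
 out
@@ -153,7 +145,7 @@ class OutputProcessor < Ruby2Ruby
 out
 end
 
-def process_escaped_output exp
+def process_escaped_output exp
 out = if exp[0].node_type == :str
 ""
 else
@@ -203,11 +195,13 @@ def process_escaped_output exp
 end
 
 def process_const exp
-if exp[0] == Tracker::UNKNOWN_MODEL
+if exp[0] == Brakeman::Tracker::UNKNOWN_MODEL
 exp.clear
 "(Unresolved Model)"
 else
-
+out = exp[0].to_s
+exp.clear
+out
 end
 end
 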
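Review bot: The new rescue body at line 22 of the second hunk turns the pre-existing `rescue Exception => e` on line 21 into a silent catch-all: `Interrupt`, `SystemExit` and `NoMemoryError` raised while formatting are now written to the debug log and discarded, so a Ctrl-C during report generation is swallowed and `format` just returns `"[Format Error]"`. Narrow it to `rescue StandardError => e`, or name the specific Ruby2Ruby error class if one outside StandardError is the real target; the enclosing method's `def` line is outside the hunk. In `process_defn` (lines 101–120 of the third hunk) the explicit `return` on line 119 and the `do` after `until` on line 111 are unidiomatic but harmless, and the "Copied from Ruby2Ruby" comment would be more useful if it named the Ruby2Ruby version it was copied from so drift can be spotted later.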
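--- /dev/null
+++ b/data/lib/brakeman/processors/route_processor.rb
@@ -0,0 +1,17 @@
+require 'brakeman/processors/base_processor'
+require 'brakeman/processors/alias_processor'
+require 'brakeman/processors/lib/route_helper'
+require 'brakeman/util'
+require 'brakeman/processors/lib/rails3_route_processor.rb'
+require 'brakeman/processors/lib/rails2_route_processor.rb'
+require 'set'
+
+class Brakeman::RoutesProcessor
+def self.new tracker
+if tracker.options[:rails3]
+Brakeman::Rails3RoutesProcessor.new tracker
+else
+Brakeman::Rails2RoutesProcessor.new tracker
+end
+end
+end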
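Review bot: Overriding `self.new` on line 10 to hand back a `Rails3RoutesProcessor` or `Rails2RoutesProcessor` means `Brakeman::RoutesProcessor.new(tracker)` never returns a `RoutesProcessor`, which surprises anyone checking `is_a?` or reading the class name; a comment above the method such as `# Factory: returns the Rails 2 or Rails 3 route processor for this tracker, never an instance of this class` would make the intent explicit. Lines 5 and 6 carry a `.rb` suffix that the other `require` lines omit; dropping it keeps the require style uniform.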