brakeman-min 0.5.2 → 2.1.0

data/lib/brakeman/util.rb

@@ -0,0 +1,413 @@
+require 'set'
+require 'pathname'
+
+#This is a mixin containing utility methods.
+module Brakeman::Util
+
+  QUERY_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :query_parameters)
+
+  PATH_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :path_parameters)
+
+  REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :request_parameters)
+
+  REQUEST_PARAMS = Sexp.new(:call, Sexp.new(:call, nil, :request), :parameters)
+
+  REQUEST_ENV = Sexp.new(:call, Sexp.new(:call, nil, :request), :env)
+
+  PARAMETERS = Sexp.new(:call, nil, :params)
+
+  COOKIES = Sexp.new(:call, nil, :cookies)
+
+  SESSION = Sexp.new(:call, nil, :session)
+
+  ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
+
+  #Convert a string from "something_like_this" to "SomethingLikeThis"
+  #
+  #Taken from ActiveSupport.
+  def camelize lower_case_and_underscored_word
+    lower_case_and_underscored_word.to_s.gsub(/\/(.?)/) { "::#{$1.upcase}" }.gsub(/(?:^|_)(.)/) { $1.upcase }
+  end
+
+  #Convert a string from "Something::LikeThis" to "something/like_this"
+  #
+  #Taken from ActiveSupport.
+  def underscore camel_cased_word
+    camel_cased_word.to_s.gsub(/::/, '/').
+      gsub(/([A-Z]+)([A-Z][a-z])/,'\1_\2').
+      gsub(/([a-z\d])([A-Z])/,'\1_\2').
+      tr("-", "_").
+      downcase
+  end
+
+  # stupid simple, used to delegate to ActiveSupport
+  def pluralize word
+    word + "s"
+  end
+
+
+  #Takes an Sexp like
+  # (:hash, (:lit, :key), (:str, "value"))
+  #and yields the key and value pairs to the given block.
+  #
+  #For example:
+  #
+  # h = Sexp.new(:hash, (:lit, :name), (:str, "bob"), (:lit, :name), (:str, "jane"))
+  # names = []
+  # hash_iterate(h) do |key, value|
+  #   if symbol? key and key[1] == :name
+  #     names << value[1]
+  #   end
+  # end
+  # names #["bob"]
+  def hash_iterate hash
+    1.step(hash.length - 1, 2) do |i|
+      yield hash[i], hash[i + 1]
+    end
+  end
+
+  #Insert value into Hash Sexp
+  def hash_insert hash, key, value
+    index = 1
+    hash_iterate hash.dup do |k,v|
+      if k == key
+        hash[index + 1] = value
+        return hash
+      end
+      index += 2
+    end
+
+    hash << key << value
+
+    hash
+  end
+
+  #Get value from hash using key.
+  #
+  #If _key_ is a Symbol, it will be converted to a Sexp(:lit, key).
+  def hash_access hash, key
+    if key.is_a? Symbol
+      key = Sexp.new(:lit, key)
+    end
+
+    if index = hash.find_index(key) and index > 0
+      return hash[index + 1]
+    end
+
+    nil
+  end
+
+  #These are never modified
+  PARAMS_SEXP = Sexp.new(:params)
+  SESSION_SEXP = Sexp.new(:session)
+  COOKIES_SEXP = Sexp.new(:cookies)
+
+  #Adds params, session, and cookies to environment
+  #so they can be replaced by their respective Sexps.
+  def set_env_defaults
+    @env[PARAMETERS] = PARAMS_SEXP
+    @env[SESSION] = SESSION_SEXP
+    @env[COOKIES] = COOKIES_SEXP
+  end
+
+  #Check if _exp_ represents a hash: s(:hash, {...})
+  #This also includes pseudo hashes params, session, and cookies.
+  def hash? exp
+    exp.is_a? Sexp and (exp.node_type == :hash or
+                        exp.node_type == :params or
+                        exp.node_type == :session or
+                        exp.node_type == :cookies)
+  end
+
+  #Check if _exp_ represents an array: s(:array, [...])
+  def array? exp
+    exp.is_a? Sexp and exp.node_type == :array
+  end
+
+  #Check if _exp_ represents a String: s(:str, "...")
+  def string? exp
+    exp.is_a? Sexp and exp.node_type == :str
+  end
+
+  #Check if _exp_ represents a Symbol: s(:lit, :...)
+  def symbol? exp
+    exp.is_a? Sexp and exp.node_type == :lit and exp[1].is_a? Symbol
+  end
+
+  #Check if _exp_ represents a method call: s(:call, ...)
+  def call? exp
+    exp.is_a? Sexp and exp.node_type == :call
+  end
+
+  #Check if _exp_ represents a Regexp: s(:lit, /.../)
+  def regexp? exp
+    exp.is_a? Sexp and exp.node_type == :lit and exp[1].is_a? Regexp
+  end
+
+  #Check if _exp_ represents an Integer: s(:lit, ...)
+  def integer? exp
+    exp.is_a? Sexp and exp.node_type == :lit and exp[1].is_a? Integer
+  end
+
+  #Check if _exp_ represents a number: s(:lit, ...)
+  def number? exp
+    exp.is_a? Sexp and exp.node_type == :lit and exp[1].is_a? Numeric
+  end
+
+  #Check if _exp_ represents a result: s(:result, ...)
+  def result? exp
+    exp.is_a? Sexp and exp.node_type == :result
+  end
+
+  #Check if _exp_ represents a :true, :lit, or :string node
+  def true? exp
+    exp.is_a? Sexp and (exp.node_type == :true or
+                        exp.node_type == :lit or
+                        exp.node_type == :string)
+  end
+
+  #Check if _exp_ represents a :false or :nil node
+  def false? exp
+    exp.is_a? Sexp and (exp.node_type == :false or
+                        exp.node_type == :nil)
+  end
+
+  #Check if _exp_ represents a block of code
+  def block? exp
+    exp.is_a? Sexp and (exp.node_type == :block or
+                        exp.node_type == :rlist)
+  end
+
+  #Check if _exp_ is a params hash
+  def params? exp
+    if exp.is_a? Sexp
+      return true if exp.node_type == :params or ALL_PARAMETERS.include? exp
+
+      if exp.node_type == :call
+        if params? exp[1]
+          return true
+        elsif exp[2] == :[]
+          return params? exp[1]
+        end
+      end
+    end
+
+    false
+  end
+
+  def cookies? exp
+    if exp.is_a? Sexp
+      return true if exp.node_type == :cookies or exp == COOKIES
+
+      if exp.node_type == :call
+        if cookies? exp[1]
+          return true
+        elsif exp[2] == :[]
+          return cookies? exp[1]
+        end
+      end
+    end
+
+    false
+  end
+
+  def request_env? exp
+    call? exp and (exp == REQUEST_ENV or exp[1] == REQUEST_ENV)
+  end
+
+  #Check if exp is params, cookies, or request_env
+  def request_value? exp
+    params? exp or
+    cookies? exp or
+    request_env? exp
+  end
+
+  #Check if _exp_ is a Sexp.
+  def sexp? exp
+    exp.is_a? Sexp
+  end
+
+  #Check if _exp_ is a Sexp and the node type matches one of the given types.
+  def node_type? exp, *types
+    exp.is_a? Sexp and types.include? exp.node_type
+  end
+
+  #Returns true if the given _exp_ contains a :class node.
+  #
+  #Useful for checking if a module is just a module or if it is a namespace.
+  def contains_class? exp
+    todo = [exp]
+
+    until todo.empty?
+      current = todo.shift
+
+      if node_type? current, :class
+        return true
+      elsif sexp? current
+        todo = current[1..-1].concat todo
+      end
+    end
+
+    false
+  end
+
+  def make_call target, method, *args
+    call = Sexp.new(:call, target, method)
+
+    if args.empty? or args.first.empty?
+      #nothing to do
+    elsif node_type? args.first, :arglist
+      call.concat args.first[1..-1]
+    elsif args.first.node_type.is_a? Sexp #just a list of args
+      call.concat args.first
+    else
+      call.concat args
+    end
+
+    call
+  end
+
+  #Return file name related to given warning. Uses +warning.file+ if it exists
+  def file_for warning, tracker = nil
+    if tracker.nil?
+      tracker = @tracker || self.tracker
+    end
+
+    if warning.file
+      File.expand_path warning.file, tracker.options[:app_path]
+    elsif warning.template.is_a? Hash and warning.template[:file]
+      warning.template[:file]
+    else
+      case warning.warning_set
+      when :controller
+        file_by_name warning.controller, :controller, tracker
+      when :template
+        file_by_name warning.template[:name], :template, tracker
+      when :model
+        file_by_name warning.model, :model, tracker
+      when :warning
+        file_by_name warning.class, nil, tracker
+      else
+        nil
+      end
+    end
+  end
+
+  #Attempt to determine path to context file based on the reported name
+  #in the warning.
+  #
+  #For example,
+  #
+  #  file_by_name FileController #=> "/rails/root/app/controllers/file_controller.rb
+  def file_by_name name, type, tracker = nil
+    return nil unless name
+    string_name = name.to_s
+    name = name.to_sym
+
+    unless type
+      if string_name =~ /Controller$/
+        type = :controller
+      elsif camelize(string_name) == string_name # This is not always true
+        type = :model
+      else
+        type = :template
+      end
+    end
+
+    path = tracker.options[:app_path]
+
+    case type
+    when :controller
+      if tracker.controllers[name] and tracker.controllers[name][:file]
+        path = tracker.controllers[name][:file]
+      else
+        path += "/app/controllers/#{underscore(string_name)}.rb"
+      end
+    when :model
+      if tracker.models[name] and tracker.models[name][:file]
+        path = tracker.models[name][:file]
+      else
+        path += "/app/models/#{underscore(string_name)}.rb"
+      end
+    when :template
+      if tracker.templates[name] and tracker.templates[name][:file]
+        path = tracker.templates[name][:file]
+      elsif string_name.include? " "
+        name = string_name.split[0].to_sym
+        path = file_for tracker, name, :template
+      else
+        path = nil
+      end
+    end
+
+    path
+  end
+
+  #Return array of lines surrounding the warning location from the original
+  #file.
+  def context_for app_tree, warning, tracker = nil
+    file = file_for warning, tracker
+    context = []
+    return context unless warning.line and file and @app_tree.path_exists? file
+
+    current_line = 0
+    start_line = warning.line - 5
+    end_line = warning.line + 5
+
+    start_line = 1 if start_line < 0
+
+    File.open file do |f|
+      f.each_line do |line|
+        current_line += 1
+
+        next if line.strip == ""
+
+        if current_line > end_line
+          break
+        end
+
+        if current_line >= start_line
+          context << [current_line, line]
+        end
+      end
+    end
+
+    context
+  end
+
+  def relative_path file
+    if file and not file.empty? and file.start_with? '/'
+      Pathname.new(file).relative_path_from(Pathname.new(@tracker.options[:app_path])).to_s
+    else
+      file
+    end
+  end
+
+  def truncate_table str
+    @terminal_width ||= if $stdin && $stdin.tty?
+                          Brakeman.load_dependency 'highline'
+                          ::HighLine.new.terminal_size[0]
+                        else
+                          80
+                        end
+    lines = str.lines
+
+    lines.map do |line|
+      if line.chomp.length > @terminal_width
+        line[0..(@terminal_width - 3)] + ">>\n"
+      else
+        line
+      end
+    end.join
+  end
+
+  # rely on Terminal::Table to build the structure, extract the data out in CSV format
+  def table_to_csv table
+    Brakeman.load_dependency 'terminal-table'
+    output = CSV.generate_line(table.headings.cells.map{|cell| cell.to_s.strip})
+    table.rows.each do |row|
+      output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})
+    end
+    output
+  end
+end

data/lib/brakeman/version.rb

@@ -0,0 +1,3 @@
+module Brakeman
+  Version = "2.1.0"
+end

data/lib/brakeman/warning.rb

@@ -0,0 +1,217 @@
+require 'multi_json'
+require 'digest/sha2'
+require 'brakeman/warning_codes'
+
+#The Warning class stores information about warnings
+class Brakeman::Warning
+  attr_reader :called_from, :check, :class, :confidence, :controller,
+    :line, :method, :model, :template, :user_input, :warning_code, :warning_set,
+    :warning_type
+
+  attr_accessor :code, :context, :file, :message, :relative_path
+
+  TEXT_CONFIDENCE = [ "High", "Medium", "Weak" ]
+
+  #+options[:result]+ can be a result from Tracker#find_call. Otherwise, it can be +nil+.
+  def initialize options = {}
+    @view_name = nil
+
+    [:called_from, :check, :class, :code, :confidence, :controller, :file, :line, :link_path,
+      :message, :method, :model, :relative_path, :template, :user_input, :warning_set, :warning_type].each do |option|
+
+      self.instance_variable_set("@#{option}", options[option])
+    end
+
+    result = options[:result]
+    if result
+      @code ||= result[:call]
+      @file ||= result[:location][:file]
+
+      if result[:location][:type] == :template #template result
+        @template ||= result[:location][:template]
+      else
+        @class ||= result[:location][:class]
+        @method ||= result[:location][:method]
+      end
+    end
+
+    if not @line
+      if @user_input and @user_input.respond_to? :line
+        @line = @user_input.line
+      elsif @code and @code.respond_to? :line
+        @line = @code.line
+      end
+    end
+
+    unless @warning_set
+      if self.model
+        @warning_set = :model
+      elsif self.template
+        @warning_set = :template
+        @called_from = self.template[:caller]
+      elsif self.controller
+        @warning_set = :controller
+      else
+        @warning_set = :warning
+      end
+    end
+
+    if options[:warning_code]
+      @warning_code = Brakeman::WarningCodes.code options[:warning_code]
+    end
+
+    Brakeman.debug("Warning created without warning code: #{options[:warning_code]}") unless @warning_code
+
+    @format_message = nil
+    @row = nil
+  end
+
+  def hash
+    self.to_s.hash
+  end
+
+  def eql? other_warning
+    self.hash == other_warning.hash
+  end
+
+  #Returns name of a view, including where it was rendered from
+  def view_name
+    return @view_name if @view_name
+    if called_from
+      @view_name = "#{template[:name]} (#{called_from.last})"
+    else
+      @view_name = template[:name]
+    end
+  end
+
+  #Return String of the code output from the OutputProcessor and
+  #stripped of newlines and tabs.
+  def format_code strip = true
+    format_ruby self.code, strip
+  end
+
+  #Return String of the user input formatted and
+  #stripped of newlines and tabs.
+  def format_user_input strip = true
+    format_ruby self.user_input, strip
+  end
+
+  #Return formatted warning message
+  def format_message
+    return @format_message if @format_message
+
+    @format_message = self.message.dup
+
+    if self.line
+      @format_message << " near line #{self.line}"
+    end
+
+    if self.code
+      @format_message << ": #{format_code}"
+    end
+
+    @format_message
+  end
+
+  def link
+    return @link if @link
+
+    if @link_path
+      if @link_path.start_with? "http"
+        @link = @link_path
+      else
+        @link = "http://brakemanscanner.org/docs/warning_types/#{@link_path}"
+      end
+    else
+      warning_path = self.warning_type.to_s.downcase.gsub(/\s+/, '_') + "/"
+      @link = "http://brakemanscanner.org/docs/warning_types/#{warning_path}"
+    end
+
+    @link
+  end
+
+  #Generates a hash suitable for inserting into a table
+  def to_row type = :warning
+    @row = { "Confidence" => self.confidence,
+      "Warning Type" => self.warning_type.to_s,
+      "Message" => self.format_message }
+
+    case type
+    when :template
+      @row["Template"] = self.view_name.to_s
+    when :model
+      @row["Model"] = self.model.to_s
+    when :controller
+      @row["Controller"] = self.controller.to_s
+    when :warning
+      @row["Class"] = self.class.to_s
+      @row["Method"] = self.method.to_s
+    end
+
+    @row
+  end
+
+  def to_s
+   output =  "(#{TEXT_CONFIDENCE[self.confidence]}) #{self.warning_type} - #{self.message}"
+   output << " near line #{self.line}" if self.line
+   output << " in #{self.file}" if self.file
+   output << ": #{self.format_code}" if self.code
+
+   output
+  end
+
+  def fingerprint
+    loc = self.location
+    location_string = loc && loc.sort_by { |k, v| k.to_s }.inspect
+    warning_code_string = sprintf("%03d", @warning_code)
+    code_string = @code.inspect
+
+    Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{@relative_path}#{self.confidence}").to_s
+  end
+
+  def location
+    case @warning_set
+    when :template
+      location = { :type => :template, :template => self.view_name }
+    when :model
+      location = { :type => :model, :model => self.model }
+    when :controller
+      location = { :type => :controller, :controller => self.controller }
+    when :warning
+      if self.class
+        location = { :type => :method, :class => self.class, :method => self.method }
+      else
+        location = nil
+      end
+    end
+  end
+
+  def to_hash
+    { :warning_type => self.warning_type,
+      :warning_code => @warning_code,
+      :fingerprint => self.fingerprint,
+      :message => self.message,
+      :file => self.file,
+      :line => self.line,
+      :link => self.link,
+      :code => (@code && self.format_code(false)),
+      :render_path => self.called_from,
+      :location => self.location,
+      :user_input => (@user_input && self.format_user_input(false)),
+      :confidence => TEXT_CONFIDENCE[self.confidence]
+    }
+  end
+
+  def to_json
+    MultiJson.dump self.to_hash
+  end
+
+  private
+
+  def format_ruby code, strip
+    formatted = Brakeman::OutputProcessor.new.format(code)
+    formatted.gsub!(/(\t|\r|\n)+/, " ") if strip
+    formatted
+  end
+end
+