brakeman-min 0.5.2 → 2.1.0

data/lib/ruby_parser/bm_sexp_processor.rb

@@ -0,0 +1,230 @@
+##
+# SexpProcessor provides a uniform interface to process Sexps.
+#
+# In order to create your own SexpProcessor subclass you'll need
+# to call super in the initialize method, then set any of the
+# Sexp flags you want to be different from the defaults.
+#
+# SexpProcessor uses a Sexp's type to determine which process method
+# to call in the subclass.  For Sexp <code>s(:lit, 1)</code>
+# SexpProcessor will call #process_lit, if it is defined.
+#
+
+class Brakeman::SexpProcessor
+
+  VERSION = 'CUSTOM'
+
+  ##
+  # Return a stack of contexts. Most recent node is first.
+
+  attr_reader :context
+
+  ##
+  # Expected result class
+
+  attr_accessor :expected
+
+  ##
+  # A scoped environment to make you happy.
+
+  attr_reader :env
+
+  ##
+  # Creates a new SexpProcessor.  Use super to invoke this
+  # initializer from SexpProcessor subclasses, then use the
+  # attributes above to customize the functionality of the
+  # SexpProcessor
+
+  def initialize
+    @expected            = Sexp
+
+    # we do this on an instance basis so we can subclass it for
+    # different processors.
+    @processors = {}
+    @context    = []
+
+    public_methods.each do |name|
+      if name.to_s.start_with? "process_" then
+        @processors[name[8..-1].to_sym] = name.to_sym
+      end
+    end
+  end
+
+  ##
+  # Default Sexp processor.  Invokes process_<type> methods matching
+  # the Sexp type given.  Performs additional checks as specified by
+  # the initializer.
+
+  def process(exp)
+    return nil if exp.nil?
+
+    result = nil
+
+    type = exp.first
+    raise "Type should be a Symbol, not: #{exp.first.inspect} in #{exp.inspect}" unless Symbol === type
+
+    in_context type do
+      # now do a pass with the real processor (or generic)
+      meth = @processors[type]
+      if meth then
+        if $DEBUG
+          result = error_handler(type) do
+            self.send(meth, exp)
+          end
+        else
+          result = self.send(meth, exp)
+        end
+
+      else
+        result = self.process_default(exp)
+      end
+    end
+    
+    raise SexpTypeError, "Result must be a #{@expected}, was #{result.class}:#{result.inspect}" unless @expected === result
+    
+    result
+  end
+
+  def error_handler(type, exp=nil) # :nodoc:
+    begin
+      return yield
+    rescue StandardError => err
+      warn "#{err.class} Exception thrown while processing #{type} for sexp #{exp.inspect} #{caller.inspect}" if $DEBUG
+      raise
+    end
+  end
+
+  ##
+  # A fairly generic processor for a dummy node. Dummy nodes are used
+  # when your processor is doing a complicated rewrite that replaces
+  # the current sexp with multiple sexps.
+  #
+  # Bogus Example:
+  #
+  #   def process_something(exp)
+  #     return s(:dummy, process(exp), s(:extra, 42))
+  #   end
+
+  def process_dummy(exp)
+    result = @expected.new(:dummy) rescue @expected.new
+
+    until exp.empty? do
+      result << self.process(exp.shift)
+    end
+
+    result
+  end
+
+  ##
+  # Add a scope level to the current env. Eg:
+  #
+  #   def process_defn exp
+  #     name = exp.shift
+  #     args = process(exp.shift)
+  #     scope do
+  #       body = process(exp.shift)
+  #       # ...
+  #     end
+  #   end
+  #
+  #   env[:x] = 42
+  #   scope do
+  #     env[:x]       # => 42
+  #     env[:y] = 24
+  #   end
+  #   env[:y]         # => nil
+
+  def scope &block
+    env.scope(&block)
+  end
+
+  def in_context type
+    self.context.unshift type
+
+    yield
+
+    self.context.shift
+  end
+
+  ##
+  # I really hate this here, but I hate subdirs in my lib dir more...
+  # I guess it is kinda like shaving... I'll split this out when it
+  # itches too much...
+
+  class Environment
+    def initialize
+      @env = []
+      @env.unshift({})
+    end
+
+    def all
+      @env.reverse.inject { |env, scope| env.merge scope }
+    end
+
+    def depth
+      @env.length
+    end
+
+    # TODO: depth_of
+
+    def [] name
+      hash = @env.find { |closure| closure.has_key? name }
+      hash[name] if hash
+    end
+
+    def []= name, val
+      hash = @env.find { |closure| closure.has_key? name } || @env.first
+      hash[name] = val
+    end
+
+    def scope
+      @env.unshift({})
+      begin
+        yield
+      ensure
+        @env.shift
+        raise "You went too far unextending env" if @env.empty?
+      end
+    end
+  end
+end
+
+class Object
+
+  ##
+  # deep_clone is the usual Marshalling hack to make a deep copy.
+  # It is rather slow, so use it sparingly. Helps with debugging
+  # SexpProcessors since you usually shift off sexps.
+
+  def deep_clone
+    Marshal.load(Marshal.dump(self))
+  end
+end
+
+##
+# SexpProcessor base exception class.
+
+class SexpProcessorError < StandardError; end
+
+##
+# Raised by SexpProcessor if it sees a node type listed in its
+# unsupported list.
+
+class UnsupportedNodeError < SexpProcessorError; end
+
+##
+# Raised by SexpProcessor if it is in strict mode and sees a node for
+# which there is no processor available.
+
+class UnknownNodeError < SexpProcessorError; end
+
+##
+# Raised by SexpProcessor if a processor did not process every node in
+# a sexp and @require_empty is true.
+
+class NotEmptyError < SexpProcessorError; end
+
+##
+# Raised if assert_type encounters an unexpected sexp type.
+
+class SexpTypeError < SexpProcessorError; end

metadata

@@ -1,12 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman-min
 version: !ruby/object:Gem::Version 
-  prerelease: false
+  hash: 11
+  prerelease: 
   segments: 
-  - 0
-  - 5
   - 2
-  version: 0.5.2
+  - 1
+  - 0
+  version: 2.1.0
 platform: ruby
 authors: 
 - Justin Collins
@@ -14,21 +15,22 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-06-29 00:00:00 -07:00
-default_executable: 
+date: 2013-07-17 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
-  name: activesupport
+  name: ruby_parser
   prerelease: false
   requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 11
         segments: 
+        - 3
         - 2
         - 2
-        version: "2.2"
+        version: 3.2.2
   type: :runtime
   version_requirements: *id001
 - !ruby/object:Gem::Dependency 
@@ -39,14 +41,30 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 5
         segments: 
-        - 1
         - 2
-        - 4
-        version: 1.2.4
+        - 0
+        - 5
+        version: 2.0.5
   type: :runtime
   version_requirements: *id002
-description: "  Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.\n  This gem only supports tab output to minimize dependencies. It does not include erubis or haml in its dependencies.\n  To use either of these, please install the required gems manually.\n"
+- !ruby/object:Gem::Dependency 
+  name: multi_json
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 11
+        segments: 
+        - 1
+        - 2
+        version: "1.2"
+  type: :runtime
+  version_requirements: *id003
+description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis. This version of the gem only requires the minimum number of dependencies. Use the 'brakeman' gem for a full install.
 email: 
 executables: 
 - brakeman
@@ -56,62 +74,128 @@ extra_rdoc_files: []
 
 files: 
 - bin/brakeman
+- CHANGES
 - WARNING_TYPES
 - FEATURES
 - README.md
-- lib/warning.rb
-- lib/processors/params_processor.rb
-- lib/processors/controller_alias_processor.rb
-- lib/processors/base_processor.rb
-- lib/processors/controller_processor.rb
-- lib/processors/library_processor.rb
-- lib/processors/erb_template_processor.rb
-- lib/processors/haml_template_processor.rb
-- lib/processors/template_alias_processor.rb
-- lib/processors/route_processor.rb
-- lib/processors/model_processor.rb
-- lib/processors/lib/find_call.rb
-- lib/processors/lib/processor_helper.rb
-- lib/processors/lib/rails3_route_processor.rb
-- lib/processors/lib/route_helper.rb
-- lib/processors/lib/rails2_route_processor.rb
-- lib/processors/lib/find_model_call.rb
-- lib/processors/lib/render_helper.rb
-- lib/processors/alias_processor.rb
-- lib/processors/output_processor.rb
-- lib/processors/config_processor.rb
-- lib/processors/erubis_template_processor.rb
-- lib/processors/template_processor.rb
-- lib/checks/check_send_file.rb
-- lib/checks/check_session_settings.rb
-- lib/checks/check_nested_attributes.rb
-- lib/checks/check_sql.rb
-- lib/checks/check_mass_assignment.rb
-- lib/checks/check_cross_site_scripting.rb
-- lib/checks/check_model_attributes.rb
-- lib/checks/check_default_routes.rb
-- lib/checks/check_evaluation.rb
-- lib/checks/check_validation_regex.rb
-- lib/checks/check_execute.rb
-- lib/checks/check_mail_to.rb
-- lib/checks/base_check.rb
-- lib/checks/check_file_access.rb
-- lib/checks/check_redirect.rb
-- lib/checks/check_forgery_setting.rb
-- lib/checks/check_render.rb
-- lib/tracker.rb
-- lib/util.rb
-- lib/report.rb
-- lib/version.rb
-- lib/scanner.rb
-- lib/checks.rb
-- lib/scanner_erubis.rb
-- lib/processor.rb
-- lib/format/style.css
-has_rdoc: true
-homepage: http://github.com/presidentbeef/brakeman
-licenses: []
-
+- lib/brakeman/app_tree.rb
+- lib/brakeman/brakeman.rake
+- lib/brakeman/call_index.rb
+- lib/brakeman/checks/base_check.rb
+- lib/brakeman/checks/check_basic_auth.rb
+- lib/brakeman/checks/check_content_tag.rb
+- lib/brakeman/checks/check_cross_site_scripting.rb
+- lib/brakeman/checks/check_default_routes.rb
+- lib/brakeman/checks/check_deserialize.rb
+- lib/brakeman/checks/check_digest_dos.rb
+- lib/brakeman/checks/check_escape_function.rb
+- lib/brakeman/checks/check_evaluation.rb
+- lib/brakeman/checks/check_execute.rb
+- lib/brakeman/checks/check_file_access.rb
+- lib/brakeman/checks/check_filter_skipping.rb
+- lib/brakeman/checks/check_forgery_setting.rb
+- lib/brakeman/checks/check_jruby_xml.rb
+- lib/brakeman/checks/check_json_parsing.rb
+- lib/brakeman/checks/check_link_to.rb
+- lib/brakeman/checks/check_link_to_href.rb
+- lib/brakeman/checks/check_mail_to.rb
+- lib/brakeman/checks/check_mass_assignment.rb
+- lib/brakeman/checks/check_model_attr_accessible.rb
+- lib/brakeman/checks/check_model_attributes.rb
+- lib/brakeman/checks/check_model_serialize.rb
+- lib/brakeman/checks/check_nested_attributes.rb
+- lib/brakeman/checks/check_quote_table_name.rb
+- lib/brakeman/checks/check_redirect.rb
+- lib/brakeman/checks/check_render.rb
+- lib/brakeman/checks/check_response_splitting.rb
+- lib/brakeman/checks/check_safe_buffer_manipulation.rb
+- lib/brakeman/checks/check_sanitize_methods.rb
+- lib/brakeman/checks/check_select_tag.rb
+- lib/brakeman/checks/check_select_vulnerability.rb
+- lib/brakeman/checks/check_send.rb
+- lib/brakeman/checks/check_send_file.rb
+- lib/brakeman/checks/check_session_settings.rb
+- lib/brakeman/checks/check_single_quotes.rb
+- lib/brakeman/checks/check_skip_before_filter.rb
+- lib/brakeman/checks/check_sql.rb
+- lib/brakeman/checks/check_strip_tags.rb
+- lib/brakeman/checks/check_symbol_dos.rb
+- lib/brakeman/checks/check_translate_bug.rb
+- lib/brakeman/checks/check_unsafe_reflection.rb
+- lib/brakeman/checks/check_validation_regex.rb
+- lib/brakeman/checks/check_without_protection.rb
+- lib/brakeman/checks/check_yaml_parsing.rb
+- lib/brakeman/checks.rb
+- lib/brakeman/differ.rb
+- lib/brakeman/format/style.css
+- lib/brakeman/options.rb
+- lib/brakeman/parsers/rails2_erubis.rb
+- lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
+- lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/processor.rb
+- lib/brakeman/processors/alias_processor.rb
+- lib/brakeman/processors/base_processor.rb
+- lib/brakeman/processors/config_processor.rb
+- lib/brakeman/processors/controller_alias_processor.rb
+- lib/brakeman/processors/controller_processor.rb
+- lib/brakeman/processors/erb_template_processor.rb
+- lib/brakeman/processors/erubis_template_processor.rb
+- lib/brakeman/processors/gem_processor.rb
+- lib/brakeman/processors/haml_template_processor.rb
+- lib/brakeman/processors/lib/find_all_calls.rb
+- lib/brakeman/processors/lib/find_call.rb
+- lib/brakeman/processors/lib/find_return_value.rb
+- lib/brakeman/processors/lib/processor_helper.rb
+- lib/brakeman/processors/lib/rails2_config_processor.rb
+- lib/brakeman/processors/lib/rails2_route_processor.rb
+- lib/brakeman/processors/lib/rails3_config_processor.rb
+- lib/brakeman/processors/lib/rails3_route_processor.rb
+- lib/brakeman/processors/lib/render_helper.rb
+- lib/brakeman/processors/lib/route_helper.rb
+- lib/brakeman/processors/library_processor.rb
+- lib/brakeman/processors/model_processor.rb
+- lib/brakeman/processors/output_processor.rb
+- lib/brakeman/processors/route_processor.rb
+- lib/brakeman/processors/slim_template_processor.rb
+- lib/brakeman/processors/template_alias_processor.rb
+- lib/brakeman/processors/template_processor.rb
+- lib/brakeman/report/ignore/config.rb
+- lib/brakeman/report/ignore/interactive.rb
+- lib/brakeman/report/initializers/faster_csv.rb
+- lib/brakeman/report/initializers/multi_json.rb
+- lib/brakeman/report/renderer.rb
+- lib/brakeman/report/report_base.rb
+- lib/brakeman/report/report_csv.rb
+- lib/brakeman/report/report_hash.rb
+- lib/brakeman/report/report_html.rb
+- lib/brakeman/report/report_json.rb
+- lib/brakeman/report/report_table.rb
+- lib/brakeman/report/report_tabs.rb
+- lib/brakeman/report/templates/controller_overview.html.erb
+- lib/brakeman/report/templates/controller_warnings.html.erb
+- lib/brakeman/report/templates/error_overview.html.erb
+- lib/brakeman/report/templates/header.html.erb
+- lib/brakeman/report/templates/ignored_warnings.html.erb
+- lib/brakeman/report/templates/model_warnings.html.erb
+- lib/brakeman/report/templates/overview.html.erb
+- lib/brakeman/report/templates/security_warnings.html.erb
+- lib/brakeman/report/templates/template_overview.html.erb
+- lib/brakeman/report/templates/view_warnings.html.erb
+- lib/brakeman/report/templates/warning_overview.html.erb
+- lib/brakeman/report.rb
+- lib/brakeman/rescanner.rb
+- lib/brakeman/scanner.rb
+- lib/brakeman/tracker.rb
+- lib/brakeman/util.rb
+- lib/brakeman/version.rb
+- lib/brakeman/warning.rb
+- lib/brakeman/warning_codes.rb
+- lib/brakeman.rb
+- lib/ruby_parser/bm_sexp.rb
+- lib/ruby_parser/bm_sexp_processor.rb
+homepage: http://brakemanscanner.org
+licenses: 
+- MIT
 post_install_message: 
 rdoc_options: []
 
@@ -122,6 +206,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
       segments: 
       - 0
       version: "0"
@@ -130,13 +215,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
       segments: 
       - 0
       version: "0"
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.7
+rubygems_version: 1.8.25
 signing_key: 
 specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.