brakeman-min 3.0.5 → 3.1.0
- checksums.yaml +4 -4
- data/CHANGES +19 -0
- data/README.md +3 -13
- data/lib/brakeman.rb +3 -0
- data/lib/brakeman/checks/base_check.rb +19 -47
- data/lib/brakeman/checks/check_basic_auth.rb +3 -3
- data/lib/brakeman/checks/check_cross_site_scripting.rb +26 -12
- data/lib/brakeman/checks/check_default_routes.rb +1 -1
- data/lib/brakeman/checks/check_detailed_exceptions.rb +2 -2
- data/lib/brakeman/checks/check_evaluation.rb +3 -0
- data/lib/brakeman/checks/check_execute.rb +3 -3
- data/lib/brakeman/checks/check_file_disclosure.rb +2 -2
- data/lib/brakeman/checks/check_forgery_setting.rb +9 -12
- data/lib/brakeman/checks/check_header_dos.rb +1 -1
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
- data/lib/brakeman/checks/check_jruby_xml.rb +1 -1
- data/lib/brakeman/checks/check_json_encoding.rb +1 -1
- data/lib/brakeman/checks/check_json_parsing.rb +3 -3
- data/lib/brakeman/checks/check_link_to.rb +1 -1
- data/lib/brakeman/checks/check_link_to_href.rb +9 -2
- data/lib/brakeman/checks/check_mass_assignment.rb +5 -2
- data/lib/brakeman/checks/check_model_attr_accessible.rb +4 -4
- data/lib/brakeman/checks/check_model_attributes.rb +7 -7
- data/lib/brakeman/checks/check_model_serialize.rb +6 -6
- data/lib/brakeman/checks/check_nested_attributes.rb +2 -2
- data/lib/brakeman/checks/check_number_to_currency.rb +2 -2
- data/lib/brakeman/checks/check_quote_table_name.rb +1 -1
- data/lib/brakeman/checks/check_redirect.rb +2 -10
- data/lib/brakeman/checks/check_render.rb +1 -1
- data/lib/brakeman/checks/check_render_dos.rb +1 -1
- data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +1 -1
- data/lib/brakeman/checks/check_sanitize_methods.rb +1 -1
- data/lib/brakeman/checks/check_select_tag.rb +1 -1
- data/lib/brakeman/checks/check_select_vulnerability.rb +2 -2
- data/lib/brakeman/checks/check_session_settings.rb +1 -2
- data/lib/brakeman/checks/check_simple_format.rb +2 -2
- data/lib/brakeman/checks/check_single_quotes.rb +3 -3
- data/lib/brakeman/checks/check_skip_before_filter.rb +5 -7
- data/lib/brakeman/checks/check_sql.rb +10 -14
- data/lib/brakeman/checks/check_sql_cves.rb +4 -4
- data/lib/brakeman/checks/check_ssl_verify.rb +27 -9
- data/lib/brakeman/checks/check_strip_tags.rb +5 -5
- data/lib/brakeman/checks/check_symbol_dos_cve.rb +1 -1
- data/lib/brakeman/checks/check_translate_bug.rb +3 -4
- data/lib/brakeman/checks/check_unscoped_find.rb +1 -1
- data/lib/brakeman/checks/check_validation_regex.rb +2 -2
- data/lib/brakeman/checks/check_xml_dos.rb +1 -1
- data/lib/brakeman/checks/check_yaml_parsing.rb +1 -1
- data/lib/brakeman/file_parser.rb +1 -0
- data/lib/brakeman/parsers/template_parser.rb +6 -5
- data/lib/brakeman/processor.rb +7 -7
- data/lib/brakeman/processors/alias_processor.rb +30 -12
- data/lib/brakeman/processors/base_processor.rb +4 -8
- data/lib/brakeman/processors/controller_alias_processor.rb +33 -132
- data/lib/brakeman/processors/controller_processor.rb +29 -53
- data/lib/brakeman/processors/erb_template_processor.rb +4 -6
- data/lib/brakeman/processors/erubis_template_processor.rb +8 -11
- data/lib/brakeman/processors/gem_processor.rb +19 -35
- data/lib/brakeman/processors/haml_template_processor.rb +10 -12
- data/lib/brakeman/processors/lib/find_all_calls.rb +3 -5
- data/lib/brakeman/processors/lib/find_call.rb +2 -2
- data/lib/brakeman/processors/lib/find_return_value.rb +1 -1
- data/lib/brakeman/processors/lib/rails2_config_processor.rb +7 -8
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +6 -7
- data/lib/brakeman/processors/lib/render_helper.rb +15 -14
- data/lib/brakeman/processors/lib/render_path.rb +11 -5
- data/lib/brakeman/processors/library_processor.rb +13 -35
- data/lib/brakeman/processors/model_processor.rb +22 -64
- data/lib/brakeman/processors/output_processor.rb +1 -37
- data/lib/brakeman/processors/slim_template_processor.rb +6 -8
- data/lib/brakeman/processors/template_alias_processor.rb +9 -9
- data/lib/brakeman/processors/template_processor.rb +5 -9
- data/lib/brakeman/report/report_base.rb +7 -7
- data/lib/brakeman/report/report_html.rb +5 -7
- data/lib/brakeman/report/report_markdown.rb +4 -6
- data/lib/brakeman/report/report_table.rb +4 -6
- data/lib/brakeman/rescanner.rb +29 -31
- data/lib/brakeman/scanner.rb +17 -8
- data/lib/brakeman/tracker.rb +24 -34
- data/lib/brakeman/tracker/collection.rb +77 -0
- data/lib/brakeman/tracker/config.rb +93 -0
- data/lib/brakeman/tracker/controller.rb +161 -0
- data/lib/brakeman/tracker/library.rb +17 -0
- data/lib/brakeman/tracker/model.rb +90 -0
- data/lib/brakeman/tracker/template.rb +33 -0
- data/lib/brakeman/util.rb +17 -9
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +8 -9
- data/lib/ruby_parser/bm_sexp.rb +16 -16
- data/lib/ruby_parser/bm_sexp_processor.rb +1 -120
- metadata +18 -27
- checksums.yaml.gz.sig +0 -2
- data.tar.gz.sig +0 -0
- metadata.gz.sig +0 -1
@@ -49,7 +49,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
|
|
49
49
|
exp
|
50
50
|
end
|
51
51
|
|
52
|
-
#Processes calls with blocks.
|
52
|
+
#Processes calls with blocks.
|
53
53
|
#
|
54
54
|
#s(:iter, CALL, {:lasgn|:masgn}, BLOCK)
|
55
55
|
def process_iter exp
|
@@ -63,20 +63,18 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
|
|
63
63
|
block = nil
|
64
64
|
end
|
65
65
|
|
66
|
-
call = Sexp.new(:
|
66
|
+
call = Sexp.new(:iter, call, exp.block_args, block).compact
|
67
67
|
call.line(exp.line)
|
68
68
|
call
|
69
69
|
end
|
70
70
|
|
71
|
-
#String with interpolation.
|
71
|
+
#String with interpolation.
|
72
72
|
def process_dstr exp
|
73
73
|
exp = exp.dup
|
74
74
|
exp.shift
|
75
75
|
exp.map! do |e|
|
76
76
|
if e.is_a? String
|
77
77
|
e
|
78
|
-
elsif e.value.is_a? String
|
79
|
-
e.value
|
80
78
|
else
|
81
79
|
res = process e
|
82
80
|
if res.empty?
|
@@ -87,7 +85,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
|
|
87
85
|
end
|
88
86
|
end.compact!
|
89
87
|
|
90
|
-
exp.unshift :
|
88
|
+
exp.unshift :dstr
|
91
89
|
end
|
92
90
|
|
93
91
|
#Processes a block. Changes Sexp node type to :rlist
|
@@ -103,10 +101,8 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
|
|
103
101
|
end
|
104
102
|
|
105
103
|
#Processes the inside of an interpolated String.
|
106
|
-
#Changes Sexp node type to :string_eval
|
107
104
|
def process_evstr exp
|
108
105
|
exp = exp.dup
|
109
|
-
exp[0] = :string_eval
|
110
106
|
exp[1] = process exp[1]
|
111
107
|
exp
|
112
108
|
end
|
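Review bot: The header comment `#s(:iter, CALL, {:lasgn|:masgn}, BLOCK)` kept at new line 54 no longer describes what process_iter returns, because the `.compact` on new line 66 of hunk `@@ -63,20 +63,18 @@` drops the BLOCK slot whenever `block` is nil (new line 63), so callers can receive a three-element `s(:iter, call, args)`; the removed line is truncated in this rendering, so the `.compact` may or may not be new, but the comment is stale either way. A short addition such as `#BLOCK is omitted (compact) when the block body is nil` would keep the documented shape accurate. Hunk `@@ -103,10 +101,8 @@` drops the `:string_eval` rewrite from process_evstr while keeping only `#Processes the inside of an interpolated String.`; presumably consumers now match on `:evstr`, and stating that in the comment would save the next reader a search.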
@@ -20,12 +20,13 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
20
20
|
@method_cache = {} #Cache method lookups
|
21
21
|
end
|
22
22
|
|
23
|
-
def process_controller name, src
|
23
|
+
def process_controller name, src, file
|
24
24
|
if not node_type? src, :class
|
25
25
|
Brakeman.debug "#{name} is not a class, it's a #{src.node_type}"
|
26
26
|
return
|
27
27
|
else
|
28
28
|
@current_class = name
|
29
|
+
@file = file
|
29
30
|
|
30
31
|
process_default src
|
31
32
|
|
@@ -37,27 +38,28 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
37
38
|
def process_mixins
|
38
39
|
controller = @tracker.controllers[@current_class]
|
39
40
|
|
40
|
-
controller
|
41
|
+
controller.includes.each do |i|
|
41
42
|
mixin = @tracker.libs[i]
|
42
43
|
|
43
44
|
next unless mixin
|
44
45
|
|
45
46
|
#Process methods in alphabetical order for consistency
|
46
|
-
methods = mixin
|
47
|
+
methods = mixin.methods_public.keys.map { |n| n.to_s }.sort.map { |n| n.to_sym }
|
47
48
|
|
48
49
|
methods.each do |name|
|
49
50
|
#Need to process the method like it was in a controller in order
|
50
51
|
#to get the renders set
|
51
52
|
processor = Brakeman::ControllerProcessor.new(@app_tree, @tracker)
|
52
|
-
method = mixin
|
53
|
+
method = mixin.get_method(name)[:src].deep_clone
|
53
54
|
|
54
|
-
if node_type? method, :
|
55
|
+
if node_type? method, :defn
|
55
56
|
method = processor.process_defn method
|
56
57
|
else
|
57
|
-
#Should be a
|
58
|
+
#Should be a defn, but this will catch other cases
|
58
59
|
method = processor.process method
|
59
60
|
end
|
60
61
|
|
62
|
+
@file = mixin.file
|
61
63
|
#Then process it like any other method in the controller
|
62
64
|
process method
|
63
65
|
end
|
@@ -71,7 +73,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
71
73
|
|
72
74
|
#Processes a method definition, which may include
|
73
75
|
#processing any rendered templates.
|
74
|
-
def
|
76
|
+
def process_defn exp
|
75
77
|
meth_name = exp.method_name
|
76
78
|
|
77
79
|
Brakeman.debug "Processing #{@current_class}##{meth_name}"
|
@@ -122,7 +124,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
122
124
|
end
|
123
125
|
|
124
126
|
#Check for +respond_to+
|
125
|
-
def
|
127
|
+
def process_iter exp
|
126
128
|
super
|
127
129
|
|
128
130
|
if call? exp.block_call and exp.block_call.method == :respond_to
|
@@ -166,13 +168,22 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
166
168
|
#Processes the default template for the current action
|
167
169
|
def process_default_render exp
|
168
170
|
process_layout
|
169
|
-
process_template template_name, nil
|
171
|
+
process_template template_name, nil, nil, nil
|
170
172
|
end
|
171
173
|
|
172
174
|
#Process template and add the current class and method name as called_from info
|
173
|
-
def process_template name, args
|
174
|
-
|
175
|
-
|
175
|
+
def process_template name, args, _, line
|
176
|
+
# If line is null, assume implicit render and set the end of the action
|
177
|
+
# method as the line number
|
178
|
+
if line.nil? and controller = @tracker.controllers[@current_class]
|
179
|
+
if meth = controller.get_method(@current_method)
|
180
|
+
line = meth[:src] && meth[:src].last && meth[:src].last.line
|
181
|
+
line += 1
|
182
|
+
end
|
183
|
+
end
|
184
|
+
|
185
|
+
render_path = Brakeman::RenderPath.new.add_controller_render(@current_class, @current_method, line, relative_path(@file))
|
186
|
+
super name, args, render_path, line
|
176
187
|
end
|
177
188
|
|
178
189
|
#Turns a method name into a template name
|
@@ -192,12 +203,12 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
192
203
|
def layout_name
|
193
204
|
controller = @tracker.controllers[@current_class]
|
194
205
|
|
195
|
-
return controller
|
196
|
-
return false if controller
|
206
|
+
return controller.layout if controller.layout
|
207
|
+
return false if controller.layout == false
|
197
208
|
|
198
209
|
app_controller = @tracker.controllers[:ApplicationController]
|
199
210
|
|
200
|
-
return app_controller
|
211
|
+
return app_controller.layout if app_controller and app_controller.layout
|
201
212
|
|
202
213
|
nil
|
203
214
|
end
|
@@ -215,120 +226,12 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
215
226
|
#Get list of filters, including those that are inherited
|
216
227
|
def before_filter_list method, klass
|
217
228
|
controller = @tracker.controllers[klass]
|
218
|
-
filters = []
|
219
|
-
|
220
|
-
while controller
|
221
|
-
filters = get_before_filters(method, controller) + filters
|
222
|
-
|
223
|
-
controller = @tracker.controllers[controller[:parent]] ||
|
224
|
-
@tracker.libs[controller[:parent]]
|
225
|
-
end
|
226
|
-
|
227
|
-
remove_skipped_filters filters, method, klass
|
228
|
-
end
|
229
|
-
|
230
|
-
def remove_skipped_filters filters, method, klass
|
231
|
-
controller = @tracker.controllers[klass]
|
232
|
-
|
233
|
-
while controller
|
234
|
-
filters = filters - get_skipped_filters(method, controller)
|
235
|
-
|
236
|
-
controller = @tracker.controllers[controller[:parent]] ||
|
237
|
-
@tracker.libs[controller[:parent]]
|
238
|
-
end
|
239
229
|
|
240
|
-
|
241
|
-
|
242
|
-
|
243
|
-
def get_skipped_filters method, controller
|
244
|
-
return [] unless controller[:options] and controller[:options][:skip_filters]
|
245
|
-
|
246
|
-
filters = []
|
247
|
-
|
248
|
-
if controller[:skip_filter_cache].nil?
|
249
|
-
controller[:skip_filter_cache] = controller[:options][:skip_filters].map do |filter|
|
250
|
-
before_filter_to_hash(filter.args)
|
251
|
-
end
|
252
|
-
end
|
253
|
-
|
254
|
-
controller[:skip_filter_cache].each do |f|
|
255
|
-
if f[:all] or
|
256
|
-
(f[:only] == method) or
|
257
|
-
(f[:only].is_a? Array and f[:only].include? method) or
|
258
|
-
(f[:except].is_a? Symbol and f[:except] != method) or
|
259
|
-
(f[:except].is_a? Array and not f[:except].include? method)
|
260
|
-
|
261
|
-
filters.concat f[:methods]
|
262
|
-
end
|
263
|
-
end
|
264
|
-
|
265
|
-
filters
|
266
|
-
end
|
267
|
-
|
268
|
-
#Returns an array of filter names
|
269
|
-
def get_before_filters method, controller
|
270
|
-
return [] unless controller[:options] and controller[:options][:before_filters]
|
271
|
-
|
272
|
-
filters = []
|
273
|
-
|
274
|
-
if controller[:before_filter_cache].nil?
|
275
|
-
filter_cache = []
|
276
|
-
|
277
|
-
controller[:options][:before_filters].each do |filter|
|
278
|
-
filter_cache << before_filter_to_hash(filter.args)
|
279
|
-
end
|
280
|
-
|
281
|
-
controller[:before_filter_cache] = filter_cache
|
282
|
-
end
|
283
|
-
|
284
|
-
controller[:before_filter_cache].each do |f|
|
285
|
-
if f[:all] or
|
286
|
-
(f[:only] == method) or
|
287
|
-
(f[:only].is_a? Array and f[:only].include? method) or
|
288
|
-
(f[:except].is_a? Symbol and f[:except] != method) or
|
289
|
-
(f[:except].is_a? Array and not f[:except].include? method)
|
290
|
-
|
291
|
-
filters.concat f[:methods]
|
292
|
-
end
|
293
|
-
end
|
294
|
-
|
295
|
-
filters
|
296
|
-
end
|
297
|
-
|
298
|
-
#Returns a before filter as a hash table
|
299
|
-
def before_filter_to_hash args
|
300
|
-
filter = {}
|
301
|
-
|
302
|
-
#Process args for the uncommon but possible situation
|
303
|
-
#in which some variables are used in the filter.
|
304
|
-
args.each do |a|
|
305
|
-
if sexp? a
|
306
|
-
a = process_default a
|
307
|
-
end
|
308
|
-
end
|
309
|
-
|
310
|
-
filter[:methods] = [args[0][1]]
|
311
|
-
|
312
|
-
args[1..-1].each do |a|
|
313
|
-
filter[:methods] << a[1] if a.node_type == :lit
|
314
|
-
end
|
315
|
-
|
316
|
-
if args[-1].node_type == :hash
|
317
|
-
option = args[-1][1][1]
|
318
|
-
value = args[-1][2]
|
319
|
-
case value.node_type
|
320
|
-
when :array
|
321
|
-
filter[option] = value[1..-1].map {|v| v[1] }
|
322
|
-
when :lit, :str
|
323
|
-
filter[option] = value[1]
|
324
|
-
else
|
325
|
-
Brakeman.debug "[Notice] Unknown before_filter value: #{option} => #{value}"
|
326
|
-
end
|
230
|
+
if controller
|
231
|
+
controller.before_filter_list self, method
|
327
232
|
else
|
328
|
-
|
233
|
+
[]
|
329
234
|
end
|
330
|
-
|
331
|
-
filter
|
332
235
|
end
|
333
236
|
|
334
237
|
#Finds a method in the given class or a parent class
|
@@ -348,12 +251,10 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
348
251
|
controller ||= @tracker.libs[klass]
|
349
252
|
|
350
253
|
if klass and controller
|
351
|
-
method = controller
|
352
|
-
method ||= controller[:private][method_name]
|
353
|
-
method ||= controller[:protected][method_name]
|
254
|
+
method = controller.get_method method_name
|
354
255
|
|
355
256
|
if method.nil?
|
356
|
-
controller
|
257
|
+
controller.includes.each do |included|
|
357
258
|
method = find_method method_name, included
|
358
259
|
if method
|
359
260
|
@method_cache[method_name] = method
|
@@ -361,9 +262,9 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
361
262
|
end
|
362
263
|
end
|
363
264
|
|
364
|
-
@method_cache[method_name] = find_method method_name, controller
|
265
|
+
@method_cache[method_name] = find_method method_name, controller.parent
|
365
266
|
else
|
366
|
-
@method_cache[method_name] = { :controller => controller
|
267
|
+
@method_cache[method_name] = { :controller => controller.name, :method => method[:src] }
|
367
268
|
end
|
368
269
|
else
|
369
270
|
nil
|
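Review bot: In process_template (hunk `@@ -166,13 +168,22 @@`), `line += 1` on new line 181 raises NoMethodError when the guarded chain on new line 180 yields nil — `meth[:src] && meth[:src].last && meth[:src].last.line` is written to tolerate a missing src, last statement or line number, but the increment is not; `line += 1 if line` keeps that tolerant intent. A second, hedged concern in process_mixins (hunk `@@ -37,27 +38,28 @@`): `@file = mixin.file` on new line 62 is assigned inside the loop and never restored to the controller file set on new line 29, so if anything runs after process_mixins returns (process_controller's body past new line 32 is outside the hunk), `relative_path(@file)` on new line 185 would attribute those renders to the last mixin's path — saving and restoring `@file` around the loop avoids that. The new `process_template name, args, _, line` signature would also read better with a one-line comment naming what the ignored third argument is in the superclass.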
@@ -1,4 +1,5 @@
|
|
1
1
|
require 'brakeman/processors/base_processor'
|
2
|
+
require 'brakeman/tracker/controller'
|
2
3
|
|
3
4
|
#Processes controller. Results are put in tracker.controllers
|
4
5
|
class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
|
@@ -28,7 +29,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
|
|
28
29
|
#If inside a real controller, treat any other classes as libraries.
|
29
30
|
#But if not inside a controller already, then the class may include
|
30
31
|
#a real controller, so we can't take this shortcut.
|
31
|
-
if @current_class and @current_class
|
32
|
+
if @current_class and @current_class.name.to_s.end_with? "Controller"
|
32
33
|
Brakeman.debug "[Notice] Treating inner class as library: #{name}"
|
33
34
|
Brakeman::LibraryProcessor.new(@tracker).process_library exp, @file_name
|
34
35
|
return exp
|
@@ -48,30 +49,18 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
|
|
48
49
|
|
49
50
|
if @current_class
|
50
51
|
outer_class = @current_class
|
51
|
-
name = (outer_class
|
52
|
+
name = (outer_class.name.to_s + "::" + name.to_s).to_sym
|
52
53
|
end
|
53
54
|
|
54
55
|
if @current_module
|
55
|
-
name = (@current_module
|
56
|
+
name = (@current_module.name.to_s + "::" + name.to_s).to_sym
|
56
57
|
end
|
57
58
|
|
58
59
|
if @tracker.controllers[name]
|
59
60
|
@current_class = @tracker.controllers[name]
|
60
|
-
@current_class
|
61
|
-
@current_class[:src][@file_name] = exp
|
61
|
+
@current_class.add_file @file_name, exp
|
62
62
|
else
|
63
|
-
@current_class =
|
64
|
-
:name => name,
|
65
|
-
:parent => parent,
|
66
|
-
:includes => [],
|
67
|
-
:public => {},
|
68
|
-
:private => {},
|
69
|
-
:protected => {},
|
70
|
-
:options => {:before_filters => [], :skip_filters => []},
|
71
|
-
:src => { @file_name => exp },
|
72
|
-
:files => [ @file_name ]
|
73
|
-
}
|
74
|
-
|
63
|
+
@current_class = Brakeman::Controller.new name, parent, @file_name, exp, @tracker
|
75
64
|
@tracker.controllers[name] = @current_class
|
76
65
|
end
|
77
66
|
|
@@ -92,30 +81,18 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
|
|
92
81
|
|
93
82
|
if @current_module
|
94
83
|
outer_module = @current_module
|
95
|
-
name = (outer_module
|
84
|
+
name = (outer_module.name.to_s + "::" + name.to_s).to_sym
|
96
85
|
end
|
97
86
|
|
98
87
|
if @current_class
|
99
|
-
name = (@current_class
|
88
|
+
name = (@current_class.name.to_s + "::" + name.to_s).to_sym
|
100
89
|
end
|
101
90
|
|
102
91
|
if @tracker.libs[name]
|
103
92
|
@current_module = @tracker.libs[name]
|
104
|
-
@current_module
|
105
|
-
@current_module[:src][@file_name] = exp
|
93
|
+
@current_module.add_file @file_name, exp
|
106
94
|
else
|
107
|
-
@current_module =
|
108
|
-
:name => name,
|
109
|
-
:parent => parent,
|
110
|
-
:includes => [],
|
111
|
-
:public => {},
|
112
|
-
:private => {},
|
113
|
-
:protected => {},
|
114
|
-
:options => {:before_filters => []},
|
115
|
-
:src => { @file_name => exp },
|
116
|
-
:files => [ @file_name ]
|
117
|
-
}
|
118
|
-
|
95
|
+
@current_module = Brakeman::Controller.new name, parent, @file_name, exp, @tracker
|
119
96
|
@tracker.libs[name] = @current_module
|
120
97
|
end
|
121
98
|
|
@@ -149,45 +126,44 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
|
|
149
126
|
when :private, :protected, :public
|
150
127
|
@visibility = method
|
151
128
|
when :protect_from_forgery
|
152
|
-
@current_class
|
129
|
+
@current_class.options[:protect_from_forgery] = true
|
153
130
|
else
|
154
131
|
#??
|
155
132
|
end
|
156
133
|
else
|
157
134
|
case method
|
158
135
|
when :include
|
159
|
-
@current_class
|
136
|
+
@current_class.add_include class_name(first_arg) if @current_class
|
160
137
|
when :before_filter, :append_before_filter, :before_action, :append_before_action
|
161
138
|
if node_type? exp.first_arg, :iter
|
162
139
|
add_lambda_filter exp
|
163
140
|
else
|
164
|
-
@current_class
|
141
|
+
@current_class.add_before_filter exp
|
165
142
|
end
|
166
143
|
when :prepend_before_filter, :prepend_before_action
|
167
144
|
if node_type? exp.first_arg, :iter
|
168
145
|
add_lambda_filter exp
|
169
146
|
else
|
170
|
-
@current_class
|
147
|
+
@current_class.prepend_before_filter exp
|
171
148
|
end
|
172
149
|
when :skip_before_filter, :skip_filter, :skip_before_action, :skip_action_callback
|
173
|
-
@current_class
|
150
|
+
@current_class.skip_filter exp
|
174
151
|
when :layout
|
175
152
|
if string? last_arg
|
176
153
|
#layout "some_layout"
|
177
154
|
|
178
155
|
name = last_arg.value.to_s
|
179
156
|
if @app_tree.layout_exists?(name)
|
180
|
-
@current_class
|
157
|
+
@current_class.layout = "layouts/#{name}"
|
181
158
|
else
|
182
159
|
Brakeman.debug "[Notice] Layout not found: #{name}"
|
183
160
|
end
|
184
161
|
elsif node_type? last_arg, :nil, :false
|
185
162
|
#layout :false or layout nil
|
186
|
-
@current_class
|
163
|
+
@current_class.layout = false
|
187
164
|
end
|
188
165
|
else
|
189
|
-
@current_class
|
190
|
-
@current_class[:options][method] << exp
|
166
|
+
@current_class.add_option method, exp
|
191
167
|
end
|
192
168
|
end
|
193
169
|
|
@@ -213,14 +189,14 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
|
|
213
189
|
def process_defn exp
|
214
190
|
name = exp.method_name
|
215
191
|
@current_method = name
|
216
|
-
res = Sexp.new :
|
192
|
+
res = Sexp.new :defn, name, exp.formal_args, *process_all!(exp.body)
|
217
193
|
res.line(exp.line)
|
218
194
|
@current_method = nil
|
219
195
|
|
220
196
|
if @current_class
|
221
|
-
@current_class
|
197
|
+
@current_class.add_method @visibility, name, res, @file_name
|
222
198
|
elsif @current_module
|
223
|
-
@current_module
|
199
|
+
@current_module.add_method @visibility, name, res, @file_name
|
224
200
|
end
|
225
201
|
|
226
202
|
res
|
@@ -232,7 +208,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
|
|
232
208
|
|
233
209
|
if exp[1].node_type == :self
|
234
210
|
if @current_class
|
235
|
-
target = @current_class
|
211
|
+
target = @current_class.name
|
236
212
|
elsif @current_module
|
237
213
|
target = @current_module
|
238
214
|
else
|
@@ -243,14 +219,14 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
|
|
243
219
|
end
|
244
220
|
|
245
221
|
@current_method = name
|
246
|
-
res = Sexp.new :
|
222
|
+
res = Sexp.new :defs, target, name, exp.formal_args, *process_all!(exp.body)
|
247
223
|
res.line(exp.line)
|
248
224
|
@current_method = nil
|
249
225
|
|
250
226
|
if @current_class
|
251
|
-
@current_class
|
227
|
+
@current_class.add_method @visibility, name, res, @file_name
|
252
228
|
elsif @current_module
|
253
|
-
@current_module
|
229
|
+
@current_module.add_method @visibility, name, res, @file_name
|
254
230
|
end
|
255
231
|
|
256
232
|
res
|
@@ -268,13 +244,13 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
|
|
268
244
|
|
269
245
|
#Sets default layout for renders inside Controller
|
270
246
|
def set_layout_name
|
271
|
-
return if @current_class
|
247
|
+
return if @current_class.layout
|
272
248
|
|
273
|
-
name = underscore(@current_class
|
249
|
+
name = underscore(@current_class.name.to_s.split("::")[-1].gsub("Controller", ''))
|
274
250
|
|
275
251
|
#There is a layout for this Controller
|
276
252
|
if @app_tree.layout_exists?(name)
|
277
|
-
@current_class
|
253
|
+
@current_class.layout = "layouts/#{name}"
|
278
254
|
end
|
279
255
|
end
|
280
256
|
|
@@ -308,7 +284,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
|
|
308
284
|
#Build Sexp for filter method
|
309
285
|
body = Sexp.new(:lasgn,
|
310
286
|
block_variable,
|
311
|
-
Sexp.new(:call, Sexp.new(:const, @current_class
|
287
|
+
Sexp.new(:call, Sexp.new(:const, @current_class.name), :new))
|
312
288
|
|
313
289
|
filter_method = Sexp.new(:defn, filter_name, Sexp.new(:args), body).concat(block_inner).line(exp.line)
|
314
290
|
|
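Review bot: `@tracker.libs[name]` receives a `Brakeman::Controller` on new line 95 of hunk `@@ -92,30 +81,18 @@`, even though the diffstat lists a new `data/lib/brakeman/tracker/library.rb`; if `Brakeman::Library` is the intended type for library entries, the module branch should construct that instead, and otherwise a comment such as `# Libraries reuse Controller so mixin lookups share one interface` would explain the choice (the same question applies to new line 63 in process_class). In the option-handling hunk (`@@ -149,45 +126,44 @@`) only the `:include` branch on new line 136 guards `if @current_class`, whereas `add_before_filter`, `prepend_before_filter`, `skip_filter`, `layout=` and `add_option` on new lines 141–166 call into `@current_class` unguarded; if `@current_class` can be nil on that path (the one guard suggests it can), those calls raise NoMethodError, so either guard them consistently or drop the lone guard with a comment stating why nil is impossible there. The four `(x.name.to_s + "::" + name.to_s).to_sym` expressions (new lines 52, 56, 84, 88) read more idiomatically as `"#{x.name}::#{name}".to_sym`.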