brakeman-min 5.0.2 → 5.0.4
- checksums.yaml +4 -4
- data/CHANGES.md +6 -0
- data/lib/brakeman.rb +0 -4
- data/lib/brakeman/checks/check_detailed_exceptions.rb +1 -1
- data/lib/brakeman/checks/check_evaluation.rb +1 -1
- data/lib/brakeman/checks/check_sql.rb +2 -15
- data/lib/brakeman/checks/check_verb_confusion.rb +1 -1
- data/lib/brakeman/file_parser.rb +14 -36
- data/lib/brakeman/options.rb +1 -1
- data/lib/brakeman/processors/alias_processor.rb +7 -52
- data/lib/brakeman/processors/controller_alias_processor.rb +43 -6
- data/lib/brakeman/processors/lib/call_conversion_helper.rb +0 -10
- data/lib/brakeman/processors/library_processor.rb +0 -9
- data/lib/brakeman/report.rb +1 -4
- data/lib/brakeman/report/ignore/interactive.rb +1 -1
- data/lib/brakeman/scanner.rb +0 -3
- data/lib/brakeman/tracker.rb +4 -33
- data/lib/brakeman/tracker/collection.rb +5 -27
- data/lib/brakeman/util.rb +0 -8
- data/lib/brakeman/version.rb +1 -1
- metadata +2 -18
- data/lib/brakeman/report/report_github.rb +0 -31
- data/lib/brakeman/tracker/method_info.rb +0 -29
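--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4427b42453d4b3fe3f8e11dfc21bfdbd28b71fa4ccb4defac5996e83e24cb241
+data.tar.gz: 4900a0b9e21a6d07461745ee3e62e0604a744808fd73e905b9c8f02ac69fb74f
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6402aac15ef3608d22d571febb4757f2d88d0eeb21f1be50905e7d0e1ab473cf312a122c318ec5c78ae15e1c1ba024e7dc14c3fd51d7d740e16ad8fa0442c5f1
+data.tar.gz: c72b497d8a9efaf76d24e483ed8f255e3915f6999766a370bcd1c92095dc5e0e890ef0302feea5e38c95d2cb4fd200a865439b75d9460acd4a136f455296d19c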
data/CHANGES.md
CHANGED
data/lib/brakeman.rb
CHANGED
@@ -250,8 +250,6 @@ module Brakeman
|
|
250
250
|
[:to_sarif]
|
251
251
|
when :sonar, :to_sonar
|
252
252
|
[:to_sonar]
|
253
|
-
when :github, :to_github
|
254
|
-
[:to_github]
|
255
253
|
else
|
256
254
|
[:to_text]
|
257
255
|
end
|
@@ -285,8 +283,6 @@ module Brakeman
|
|
285
283
|
:to_sarif
|
286
284
|
when /\.sonar$/i
|
287
285
|
:to_sonar
|
288
|
-
when /\.github$/i
|
289
|
-
:to_github
|
290
286
|
else
|
291
287
|
:to_text
|
292
288
|
end
|
@@ -26,7 +26,7 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
|
|
26
26
|
def check_detailed_exceptions
|
27
27
|
tracker.controllers.each do |_name, controller|
|
28
28
|
controller.methods_public.each do |method_name, definition|
|
29
|
-
src = definition
|
29
|
+
src = definition[:src]
|
30
30
|
body = src.body.last
|
31
31
|
next unless body
|
32
32
|
|
@@ -10,7 +10,7 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
|
|
10
10
|
#Process calls
|
11
11
|
def run_check
|
12
12
|
Brakeman.debug "Finding eval-like calls"
|
13
|
-
calls = tracker.find_call
|
13
|
+
calls = tracker.find_call :method => [:eval, :instance_eval, :class_eval, :module_eval]
|
14
14
|
|
15
15
|
Brakeman.debug "Processing eval-like calls"
|
16
16
|
calls.each do |call|
|
@@ -572,7 +572,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
572
572
|
end
|
573
573
|
|
574
574
|
IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
|
575
|
-
:quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
|
575
|
+
:quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
|
576
576
|
:sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
|
577
577
|
:sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
|
578
578
|
:to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
|
@@ -592,8 +592,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
592
592
|
IGNORE_METHODS_IN_SQL.include? exp.method or
|
593
593
|
quote_call? exp or
|
594
594
|
arel? exp or
|
595
|
-
exp.method.to_s.end_with? "_id"
|
596
|
-
number_target? exp
|
595
|
+
exp.method.to_s.end_with? "_id"
|
597
596
|
end
|
598
597
|
when :if
|
599
598
|
safe_value? exp.then_clause and safe_value? exp.else_clause
|
@@ -696,16 +695,4 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
|
|
696
695
|
active_record_models.include? klass
|
697
696
|
end
|
698
697
|
end
|
699
|
-
|
700
|
-
def number_target? exp
|
701
|
-
return unless call? exp
|
702
|
-
|
703
|
-
if number? exp.target
|
704
|
-
true
|
705
|
-
elsif call? exp.target
|
706
|
-
number_target? exp.target
|
707
|
-
else
|
708
|
-
false
|
709
|
-
end
|
710
|
-
end
|
711
698
|
end
|
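Review bot: With `number_target?` removed, the `when :call` branch at new lines 592–595 now ends on `exp.method.to_s.end_with? "_id"`, a purely name-based heuristic that treats any call whose method name ends in `_id` as SQL-safe regardless of its receiver or arguments, and nothing near it records why that is considered acceptable. A comment above new line 595 such as `# Readers named *_id are assumed to be integer foreign keys, never raw user input` would preserve the assumption for the next person tightening this check. The enclosing method, which appears to be `safe_value?` from the recursive calls at new line 598, starts before the second hunk; the first hunk (new line 575) is a whitespace-only change.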
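--- a/data/lib/brakeman/file_parser.rb
+++ b/data/lib/brakeman/file_parser.rb
@@ -1,5 +1,3 @@
-require 'parallel'
-
 module Brakeman
 ASTFile = Struct.new(:path, :ast)
 
@@ -15,46 +13,21 @@ module Brakeman
 end
 
 def parse_files list
-
-
-
-# then partition them into ASTFiles and Exceptions
-# and add the Exceptions to @errors
-#
-# Basically just a funky way to deal with two possible
-# return types that are returned from isolated processes.
-#
-# Note this method no longer uses read_files
-@file_list, new_errors = Parallel.map(list) do |file_name|
-file_path = @app_tree.file_path(file_name)
-contents = file_path.read
-
-begin
-if ast = parse_ruby(contents, file_path.relative)
-ASTFile.new(file_name, ast)
-end
-rescue Exception => e
-e
+read_files list do |path, contents|
+if ast = parse_ruby(contents, path.relative)
+ASTFile.new(path, ast)
 end
-end.compact.partition do |result|
-result.is_a? ASTFile
 end
-
-errors.concat new_errors
 end
 
 def read_files list
 list.each do |path|
 file = @app_tree.file_path(path)
 
-
-result = yield file, file.read
+result = yield file, file.read
 
-
-
-end
-rescue Exception => e
-@errors << e
+if result
+@file_list << result
 end
 end
 end
@@ -69,12 +42,17 @@ module Brakeman
 Brakeman.debug "Parsing #{path}"
 RubyParser.new.parse input, path, @timeout
 rescue Racc::ParseError => e
-
+error e.exception(e.message + "\nCould not parse #{path}")
 rescue Timeout::Error => e
-
+error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout")
 rescue => e
-
+error e.exception(e.message + "\nWhile processing #{path}")
 end
 end
+
+def error exception
+@errors << exception
+nil
+end
 end
 end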
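Review bot: In `read_files` (new line 27) `file.read` runs outside any rescue, so a file that cannot be opened or decoded raises straight out of `parse_files` instead of being recorded through the new `error` helper the way parse failures are; the removed version caught it, so this looks like a dropped case rather than a deliberate choice, and is worth confirming against whatever calls `parse_files`. The timeout branch of `parse_ruby` (new line 47) also differs from its two siblings: it records a bare `Exception.new(...)` instead of `e.exception(...)`, so the stored error is not a `StandardError` (a plain `rescue` downstream would not catch it if it is ever re-raised) and carries no backtrace; `error e.exception("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout")` keeps all three branches alike. `parse_ruby`'s definition begins before the third hunk. A guarded read in `read_files`, mirroring the `e.exception(e.message + ...)` pattern already used, could look like this.
```ruby
def read_files list
  list.each do |path|
    file = @app_tree.file_path(path)

    begin
      contents = file.read
    rescue SystemCallError, IOError, EncodingError => e
      error e.exception(e.message + "\nCould not read #{path}")
      next
    end

    result = yield file, contents
    # … unchanged: append result to @file_list …
  end
end
```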
data/lib/brakeman/options.rb
CHANGED
@@ -233,7 +233,7 @@ module Brakeman::Options
|
|
233
233
|
|
234
234
|
opts.on "-f",
|
235
235
|
"--format TYPE",
|
236
|
-
[:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif, :sonar
|
236
|
+
[:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif, :sonar],
|
237
237
|
"Specify output formats. Default is text" do |type|
|
238
238
|
|
239
239
|
type = "s" if type == :text
|
@@ -220,28 +220,13 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
220
220
|
exp = math_op(:+, target, first_arg, exp)
|
221
221
|
end
|
222
222
|
when :-, :*, :/
|
223
|
-
|
224
|
-
if string? first_arg
|
225
|
-
exp = process_array_join(target, first_arg)
|
226
|
-
end
|
227
|
-
else
|
228
|
-
exp = math_op(method, target, first_arg, exp)
|
229
|
-
end
|
223
|
+
exp = math_op(method, target, first_arg, exp)
|
230
224
|
when :[]
|
231
225
|
if array? target
|
232
226
|
exp = process_array_access(target, exp.args, exp)
|
233
227
|
elsif hash? target
|
234
228
|
exp = process_hash_access(target, first_arg, exp)
|
235
229
|
end
|
236
|
-
when :fetch
|
237
|
-
if array? target
|
238
|
-
# Not dealing with default value
|
239
|
-
# so just pass in first argument, but process_array_access expects
|
240
|
-
# an array of arguments.
|
241
|
-
exp = process_array_access(target, [first_arg], exp)
|
242
|
-
elsif hash? target
|
243
|
-
exp = process_hash_access(target, first_arg, exp)
|
244
|
-
end
|
245
230
|
when :merge!, :update
|
246
231
|
if hash? target and hash? first_arg
|
247
232
|
target = process_hash_merge! target, first_arg
|
@@ -281,12 +266,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
281
266
|
target = find_push_target(target_var)
|
282
267
|
env[target] = exp unless target.nil? # Happens in TemplateAliasProcessor
|
283
268
|
end
|
284
|
-
when :push
|
285
|
-
if array? target
|
286
|
-
target << first_arg
|
287
|
-
env[target_var] = target
|
288
|
-
return target
|
289
|
-
end
|
290
269
|
when :first
|
291
270
|
if array? target and first_arg.nil? and sexp? target[1]
|
292
271
|
exp = target[1]
|
@@ -300,7 +279,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
300
279
|
exp = target
|
301
280
|
end
|
302
281
|
when :join
|
303
|
-
if array? target and (string? first_arg or first_arg.nil?)
|
282
|
+
if array? target and target.length > 2 and (string? first_arg or first_arg.nil?)
|
304
283
|
exp = process_array_join(target, first_arg)
|
305
284
|
end
|
306
285
|
when :!
|
@@ -308,15 +287,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
308
287
|
if call? target and target.method == :!
|
309
288
|
exp = s(:or, s(:true).line(exp.line), s(:false).line(exp.line)).line(exp.line)
|
310
289
|
end
|
311
|
-
when :values
|
312
|
-
# Hash literal
|
313
|
-
if node_type? target, :hash
|
314
|
-
exp = hash_values(target)
|
315
|
-
end
|
316
|
-
when :values_at
|
317
|
-
if hash? target
|
318
|
-
exp = hash_values_at target, exp.args
|
319
|
-
end
|
320
290
|
end
|
321
291
|
|
322
292
|
exp
|
@@ -324,11 +294,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
324
294
|
|
325
295
|
# Painful conversion of Array#join into string interpolation
|
326
296
|
def process_array_join array, join_str
|
327
|
-
# Empty array
|
328
|
-
if array.length == 1
|
329
|
-
return s(:str, '').line(array.line)
|
330
|
-
end
|
331
|
-
|
332
297
|
result = s().line(array.line)
|
333
298
|
|
334
299
|
join_value = if string? join_str
|
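Review bot: `process_array_join` (new line 296) has lost its empty-array guard while still doing `array[1..-2]` and `array.last`, so it now depends on every caller handing it an `:array` sexp with elements in it; the only call visible here, the `:join` branch at new line 282, enforces `target.length > 2`, but that precondition is recorded nowhere near the method. A comment above the `def`, `# Expects an :array sexp with at least two elements; the :join caller checks target.length > 2`, would make the contract explicit. The `> 2` guard also excludes single-element arrays (`length == 2`), which the part of the body visible here would seem to handle, so it is worth confirming that is intended rather than an off-by-one. The method's body continues into the next two hunks.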
@@ -337,10 +302,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
337
302
|
nil
|
338
303
|
end
|
339
304
|
|
340
|
-
|
341
|
-
|
342
|
-
result << join_item(e, join_value)
|
343
|
-
end
|
305
|
+
array[1..-2].each do |e|
|
306
|
+
result << join_item(e, join_value)
|
344
307
|
end
|
345
308
|
|
346
309
|
result << join_item(array.last, nil)
|
@@ -369,7 +332,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
369
332
|
result.unshift combined_first
|
370
333
|
|
371
334
|
# Have to fix up strings that follow interpolation
|
372
|
-
|
335
|
+
result.reduce(s(:dstr).line(array.line)) do |memo, e|
|
373
336
|
if string? e and node_type? memo.last, :evstr
|
374
337
|
e.value = "#{join_value}#{e.value}"
|
375
338
|
elsif join_value and node_type? memo.last, :evstr and node_type? e, :evstr
|
@@ -378,14 +341,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
378
341
|
|
379
342
|
memo << e
|
380
343
|
end
|
381
|
-
|
382
|
-
# Convert (:dstr, "hello world")
|
383
|
-
# to (:str, "hello world")
|
384
|
-
if string.length == 2 and string.last.is_a? String
|
385
|
-
string[0] = :str
|
386
|
-
end
|
387
|
-
|
388
|
-
string
|
389
344
|
end
|
390
345
|
|
391
346
|
def join_item item, join_value
|
@@ -1058,8 +1013,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
|
|
1058
1013
|
method_name = call.method
|
1059
1014
|
|
1060
1015
|
#Look for helper methods and see if we can get a return value
|
1061
|
-
if found_method =
|
1062
|
-
helper = found_method
|
1016
|
+
if found_method = find_method(method_name, @current_class)
|
1017
|
+
helper = found_method[:method]
|
1063
1018
|
|
1064
1019
|
if sexp? helper
|
1065
1020
|
value = process_helper_method helper, call.args
|
@@ -51,7 +51,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
51
51
|
#Need to process the method like it was in a controller in order
|
52
52
|
#to get the renders set
|
53
53
|
processor = Brakeman::ControllerProcessor.new(@tracker, mixin.file)
|
54
|
-
method = mixin.get_method(name)
|
54
|
+
method = mixin.get_method(name)[:src].deep_clone
|
55
55
|
|
56
56
|
if node_type? method, :defn
|
57
57
|
method = processor.process_defn method
|
@@ -143,16 +143,16 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
143
143
|
#Basically, adds any instance variable assignments to the environment.
|
144
144
|
#TODO: method arguments?
|
145
145
|
def process_before_filter name
|
146
|
-
filter =
|
146
|
+
filter = find_method name, @current_class
|
147
147
|
|
148
148
|
if filter.nil?
|
149
149
|
Brakeman.debug "[Notice] Could not find filter #{name}"
|
150
150
|
return
|
151
151
|
end
|
152
152
|
|
153
|
-
method = filter
|
153
|
+
method = filter[:method]
|
154
154
|
|
155
|
-
if ivars = @tracker.filter_cache[[filter
|
155
|
+
if ivars = @tracker.filter_cache[[filter[:controller], name]]
|
156
156
|
ivars.each do |variable, value|
|
157
157
|
env[variable] = value
|
158
158
|
end
|
@@ -162,7 +162,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
162
162
|
|
163
163
|
ivars = processor.only_ivars(:include_request_vars).all
|
164
164
|
|
165
|
-
@tracker.filter_cache[[filter
|
165
|
+
@tracker.filter_cache[[filter[:controller], name]] = ivars
|
166
166
|
|
167
167
|
ivars.each do |variable, value|
|
168
168
|
env[variable] = value
|
@@ -182,7 +182,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
182
182
|
# method as the line number
|
183
183
|
if line.nil? and controller = @tracker.controllers[@current_class]
|
184
184
|
if meth = controller.get_method(@current_method)
|
185
|
-
if line = meth
|
185
|
+
if line = meth[:src] && meth[:src].last && meth[:src].last.line
|
186
186
|
line += 1
|
187
187
|
else
|
188
188
|
line = 1
|
@@ -241,4 +241,41 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
|
|
241
241
|
[]
|
242
242
|
end
|
243
243
|
end
|
244
|
+
|
245
|
+
#Finds a method in the given class or a parent class
|
246
|
+
#
|
247
|
+
#Returns nil if the method could not be found.
|
248
|
+
#
|
249
|
+
#If found, returns hash table with controller name and method sexp.
|
250
|
+
def find_method method_name, klass
|
251
|
+
return nil if sexp? method_name
|
252
|
+
method_name = method_name.to_sym
|
253
|
+
|
254
|
+
if method = @method_cache[method_name]
|
255
|
+
return method
|
256
|
+
end
|
257
|
+
|
258
|
+
controller = @tracker.controllers[klass]
|
259
|
+
controller ||= @tracker.libs[klass]
|
260
|
+
|
261
|
+
if klass and controller
|
262
|
+
method = controller.get_method method_name
|
263
|
+
|
264
|
+
if method.nil?
|
265
|
+
controller.includes.each do |included|
|
266
|
+
method = find_method method_name, included
|
267
|
+
if method
|
268
|
+
@method_cache[method_name] = method
|
269
|
+
return method
|
270
|
+
end
|
271
|
+
end
|
272
|
+
|
273
|
+
@method_cache[method_name] = find_method method_name, controller.parent
|
274
|
+
else
|
275
|
+
@method_cache[method_name] = { :controller => controller.name, :method => method[:src] }
|
276
|
+
end
|
277
|
+
else
|
278
|
+
nil
|
279
|
+
end
|
280
|
+
end
|
244
281
|
end
|
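Review bot: `@method_cache` in the new `find_method` (new lines 254–275) is keyed on `method_name` alone, yet the method is invoked with different `klass` values — `@current_class` from `process_before_filter` (new line 146) and from the helper lookup at alias_processor.rb new line 1016, and `included`/`controller.parent` from its own recursion — so once a name has been resolved for one class the cached `{ :controller, :method }` pair is handed back for any other class asked about that name, and `process_before_filter` then stores `filter_cache[[filter[:controller], name]]` under whichever controller happened to be cached first. Unless a processor instance only ever asks about a single class, which is not visible here, `cache_key = [klass, method_name]` after the `to_sym` line, with the four `@method_cache[method_name]` reads and writes switched to `@method_cache[cache_key]`, removes the cross-class aliasing. Separately, `return nil if sexp? method_name` followed by `method_name.to_sym` raises on a `nil` name where the removed `Tracker#find_method` returned nil for anything but a Symbol; `return nil unless method_name.respond_to?(:to_sym)` keeps that tolerance.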
@@ -76,8 +76,6 @@ module Brakeman
|
|
76
76
|
|
77
77
|
#Have to do this because first element is :array and we have to skip it
|
78
78
|
array[1..-1][index] or original_exp
|
79
|
-
elsif all_literals? array
|
80
|
-
safe_literal(array.line)
|
81
79
|
else
|
82
80
|
original_exp
|
83
81
|
end
|
@@ -94,13 +92,5 @@ module Brakeman
|
|
94
92
|
original_exp
|
95
93
|
end
|
96
94
|
end
|
97
|
-
|
98
|
-
def hash_values_at hash, keys
|
99
|
-
values = keys.map do |key|
|
100
|
-
process_hash_access hash, key
|
101
|
-
end
|
102
|
-
|
103
|
-
Sexp.new(:array).concat(values).line(hash.line)
|
104
|
-
end
|
105
95
|
end
|
106
96
|
end
|
@@ -54,15 +54,6 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
|
|
54
54
|
|
55
55
|
def process_call exp
|
56
56
|
if process_call_defn? exp
|
57
|
-
exp
|
58
|
-
elsif @current_method.nil? and exp.target.nil? and (@current_class or @current_module)
|
59
|
-
# Methods called inside class / module
|
60
|
-
case exp.method
|
61
|
-
when :include
|
62
|
-
module_name = class_name(exp.first_arg)
|
63
|
-
(@current_class || @current_module).add_include module_name
|
64
|
-
end
|
65
|
-
|
66
57
|
exp
|
67
58
|
else
|
68
59
|
process_default exp
|
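--- a/data/lib/brakeman/report.rb
+++ b/data/lib/brakeman/report.rb
@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
 class Brakeman::Report
 attr_reader :tracker
 
-VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit
+VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit]
 
 def initialize tracker
 @app_tree = tracker.app_tree
@@ -48,9 +48,6 @@ class Brakeman::Report
 when :to_sonar
 require_report 'sonar'
 Brakeman::Report::Sonar
-when :to_github
-require_report 'github'
-Brakeman::Report::Github
 else
 raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
 end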
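Review bot: `VALID_FORMATS` on the new side (new line 9) stops at `:to_junit`, but the dispatcher below still accepts `when :to_sonar` (new line 48) and brakeman.rb's new side still maps `:sarif`/`:sonar` to `:to_sarif`/`:to_sonar`, so the `Invalid format` message raised in the `else` branch (new line 52) would advertise a list missing two formats the method actually handles. If the page is not truncating the line, it should read `VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain, :to_text, :to_junit, :to_sarif, :to_sonar]`. Whether the constant is also used to validate the format before the `case` is not visible in this section.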
data/lib/brakeman/scanner.rb
CHANGED
data/lib/brakeman/tracker.rb
CHANGED
@@ -35,7 +35,6 @@ class Brakeman::Tracker
|
|
35
35
|
#class they are.
|
36
36
|
@models = {}
|
37
37
|
@models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, @app_tree.file_path("NOT_REAL.rb"), nil, self)
|
38
|
-
@method_cache = {}
|
39
38
|
@routes = {}
|
40
39
|
@initializers = {}
|
41
40
|
@errors = []
|
@@ -100,8 +99,8 @@ class Brakeman::Tracker
|
|
100
99
|
classes.each do |set|
|
101
100
|
set.each do |set_name, collection|
|
102
101
|
collection.each_method do |method_name, definition|
|
103
|
-
src = definition
|
104
|
-
yield src, set_name, method_name, definition
|
102
|
+
src = definition[:src]
|
103
|
+
yield src, set_name, method_name, definition[:file]
|
105
104
|
end
|
106
105
|
end
|
107
106
|
end
|
@@ -221,34 +220,6 @@ class Brakeman::Tracker
|
|
221
220
|
nil
|
222
221
|
end
|
223
222
|
|
224
|
-
def find_method method_name, class_name, method_type = :instance
|
225
|
-
return nil unless method_name.is_a? Symbol
|
226
|
-
|
227
|
-
klass = find_class(class_name)
|
228
|
-
return nil unless klass
|
229
|
-
|
230
|
-
cache_key = [klass, method_name, method_type]
|
231
|
-
|
232
|
-
if method = @method_cache[cache_key]
|
233
|
-
return method
|
234
|
-
end
|
235
|
-
|
236
|
-
if method = klass.get_method(method_name, method_type)
|
237
|
-
return method
|
238
|
-
else
|
239
|
-
# Check modules included for method definition
|
240
|
-
# TODO: only for instance methods, otherwise check extends!
|
241
|
-
klass.includes.each do |included_name|
|
242
|
-
if method = find_method(method_name, included_name, method_type)
|
243
|
-
return (@method_cache[cache_key] = method)
|
244
|
-
end
|
245
|
-
end
|
246
|
-
|
247
|
-
# Not in any included modules, check the parent
|
248
|
-
@method_cache[cache_key] = find_method(method_name, klass.parent)
|
249
|
-
end
|
250
|
-
end
|
251
|
-
|
252
223
|
def index_call_sites
|
253
224
|
finder = Brakeman::FindAllCalls.new self
|
254
225
|
|
@@ -314,8 +285,8 @@ class Brakeman::Tracker
|
|
314
285
|
method_sets.each do |set|
|
315
286
|
set.each do |set_name, info|
|
316
287
|
info.each_method do |method_name, definition|
|
317
|
-
src = definition
|
318
|
-
finder.process_source src, :class => set_name, :method => method_name, :file => definition
|
288
|
+
src = definition[:src]
|
289
|
+
finder.process_source src, :class => set_name, :method => method_name, :file => definition[:file]
|
319
290
|
end
|
320
291
|
end
|
321
292
|
end
|
@@ -1,5 +1,4 @@
|
|
1
1
|
require 'brakeman/util'
|
2
|
-
require 'brakeman/tracker/method_info'
|
3
2
|
|
4
3
|
module Brakeman
|
5
4
|
class Collection
|
@@ -14,7 +13,6 @@ module Brakeman
|
|
14
13
|
@src = {}
|
15
14
|
@includes = []
|
16
15
|
@methods = { :public => {}, :private => {}, :protected => {} }
|
17
|
-
@class_methods = {}
|
18
16
|
@options = {}
|
19
17
|
@tracker = tracker
|
20
18
|
|
@@ -48,16 +46,11 @@ module Brakeman
|
|
48
46
|
end
|
49
47
|
|
50
48
|
def add_method visibility, name, src, file_name
|
51
|
-
meth_info = Brakeman::MethodInfo.new(name, src, self, file_name)
|
52
|
-
|
53
49
|
if src.node_type == :defs
|
54
|
-
@class_methods[name] = meth_info
|
55
|
-
|
56
|
-
# TODO fix this weirdness
|
57
50
|
name = :"#{src[1]}.#{name}"
|
58
51
|
end
|
59
52
|
|
60
|
-
@methods[visibility][name] =
|
53
|
+
@methods[visibility][name] = { :src => src, :file => file_name }
|
61
54
|
end
|
62
55
|
|
63
56
|
def each_method
|
@@ -68,31 +61,16 @@ module Brakeman
|
|
68
61
|
end
|
69
62
|
end
|
70
63
|
|
71
|
-
def get_method name
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
when :instance
|
76
|
-
get_instance_method name
|
77
|
-
else
|
78
|
-
raise "Unexpected method type: #{type.inspect}"
|
79
|
-
end
|
80
|
-
end
|
81
|
-
|
82
|
-
def get_instance_method name
|
83
|
-
@methods.each do |_vis, meths|
|
84
|
-
if meths[name]
|
85
|
-
return meths[name]
|
64
|
+
def get_method name
|
65
|
+
each_method do |n, info|
|
66
|
+
if n == name
|
67
|
+
return info
|
86
68
|
end
|
87
69
|
end
|
88
70
|
|
89
71
|
nil
|
90
72
|
end
|
91
73
|
|
92
|
-
def get_class_method name
|
93
|
-
@class_methods[name]
|
94
|
-
end
|
95
|
-
|
96
74
|
def file
|
97
75
|
@files.first
|
98
76
|
end
|
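Review bot: The new `get_method` (new lines 64–72) locates one entry by walking every method through `each_method` and comparing names, whereas `add_method` (new line 53) stores entries in `@methods[visibility][name]`, a hash already keyed by exactly that name; assuming `each_method` yields every entry of `@methods` (its body lies outside this view), `@methods.each_value { |meths| return meths[name] if meths.key?(name) }` followed by `nil` returns the same entry with a direct lookup, which matters because `ControllerAliasProcessor#find_method` calls it for each helper and filter resolution. Also, since new line 50 files `:defs` methods under `:"#{src[1]}.#{name}"`, a lookup by the bare name can never find a class method; a comment on `get_method` stating that it resolves instance methods only would spare the next caller that surprise.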
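--- a/data/lib/brakeman/util.rb
+++ b/data/lib/brakeman/util.rb
@@ -142,14 +142,6 @@ module Brakeman::Util
 nil
 end
 
-def hash_values hash
-values = hash.each_sexp.each_slice(2).map do |_, value|
-value
-end
-
-Sexp.new(:array).concat(values).line(hash.line)
-end
-
 #These are never modified
 PARAMS_SEXP = Sexp.new(:params)
 SESSION_SEXP = Sexp.new(:session)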
data/lib/brakeman/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: brakeman-min
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 5.0.
|
4
|
+
version: 5.0.4
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Justin Collins
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-06-
|
11
|
+
date: 2021-06-08 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: minitest
|
@@ -66,20 +66,6 @@ dependencies:
|
|
66
66
|
- - '='
|
67
67
|
- !ruby/object:Gem::Version
|
68
68
|
version: 0.10.2
|
69
|
-
- !ruby/object:Gem::Dependency
|
70
|
-
name: parallel
|
71
|
-
requirement: !ruby/object:Gem::Requirement
|
72
|
-
requirements:
|
73
|
-
- - "~>"
|
74
|
-
- !ruby/object:Gem::Version
|
75
|
-
version: '1.20'
|
76
|
-
type: :runtime
|
77
|
-
prerelease: false
|
78
|
-
version_requirements: !ruby/object:Gem::Requirement
|
79
|
-
requirements:
|
80
|
-
- - "~>"
|
81
|
-
- !ruby/object:Gem::Version
|
82
|
-
version: '1.20'
|
83
69
|
- !ruby/object:Gem::Dependency
|
84
70
|
name: ruby_parser
|
85
71
|
requirement: !ruby/object:Gem::Requirement
|
@@ -304,7 +290,6 @@ files:
|
|
304
290
|
- lib/brakeman/report/report_base.rb
|
305
291
|
- lib/brakeman/report/report_codeclimate.rb
|
306
292
|
- lib/brakeman/report/report_csv.rb
|
307
|
-
- lib/brakeman/report/report_github.rb
|
308
293
|
- lib/brakeman/report/report_hash.rb
|
309
294
|
- lib/brakeman/report/report_html.rb
|
310
295
|
- lib/brakeman/report/report_json.rb
|
@@ -334,7 +319,6 @@ files:
|
|
334
319
|
- lib/brakeman/tracker/constants.rb
|
335
320
|
- lib/brakeman/tracker/controller.rb
|
336
321
|
- lib/brakeman/tracker/library.rb
|
337
|
-
- lib/brakeman/tracker/method_info.rb
|
338
322
|
- lib/brakeman/tracker/model.rb
|
339
323
|
- lib/brakeman/tracker/template.rb
|
340
324
|
- lib/brakeman/util.rb
|
@@ -1,31 +0,0 @@
|
|
1
|
-
# Github Actions Formatter
|
2
|
-
# Formats warnings as workflow commands to create annotations in GitHub UI
|
3
|
-
class Brakeman::Report::Github < Brakeman::Report::Base
|
4
|
-
def generate_report
|
5
|
-
# @see https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#setting-a-warning-message
|
6
|
-
errors.concat(warnings).join("\n")
|
7
|
-
end
|
8
|
-
|
9
|
-
def warnings
|
10
|
-
all_warnings
|
11
|
-
.map { |warning| "::warning file=#{warning_file(warning)},line=#{warning.line}::#{warning.message}" }
|
12
|
-
end
|
13
|
-
|
14
|
-
def errors
|
15
|
-
tracker.errors.map do |error|
|
16
|
-
if error[:exception].is_a?(Racc::ParseError)
|
17
|
-
# app/services/balance.rb:4 :: parse error on value "..." (tDOT3)
|
18
|
-
file, line = error[:exception].message.split(':').map(&:strip)[0,2]
|
19
|
-
"::error file=#{file},line=#{line}::#{clean_message(error[:error])}"
|
20
|
-
else
|
21
|
-
"::error ::#{clean_message(error[:error])}"
|
22
|
-
end
|
23
|
-
end
|
24
|
-
end
|
25
|
-
|
26
|
-
private
|
27
|
-
|
28
|
-
def clean_message(msg)
|
29
|
-
msg.gsub('::','').squeeze(' ')
|
30
|
-
end
|
31
|
-
end
|
@@ -1,29 +0,0 @@
|
|
1
|
-
require 'brakeman/util'
|
2
|
-
|
3
|
-
module Brakeman
|
4
|
-
class MethodInfo
|
5
|
-
include Brakeman::Util
|
6
|
-
|
7
|
-
attr_reader :name, :src, :owner, :file, :type
|
8
|
-
|
9
|
-
def initialize name, src, owner, file
|
10
|
-
@name = name
|
11
|
-
@src = src
|
12
|
-
@owner = owner
|
13
|
-
@file = file
|
14
|
-
@type = case src.node_type
|
15
|
-
when :defn
|
16
|
-
:instance
|
17
|
-
when :defs
|
18
|
-
:class
|
19
|
-
else
|
20
|
-
raise "Expected sexp type: #{src.node_type}"
|
21
|
-
end
|
22
|
-
end
|
23
|
-
|
24
|
-
# To support legacy code that expected a Hash
|
25
|
-
def [] attr
|
26
|
-
self.send(attr)
|
27
|
-
end
|
28
|
-
end
|
29
|
-
end
|