brakeman-min 7.1.2 → 8.0.1

data/lib/brakeman/parsers/template_parser.rb

@@ -21,7 +21,7 @@ module Brakeman
       begin
         src = case type
               when :erb
-                type = :erubis if erubis?
+                type = :erubi if erubi?
                 parse_erb path, text
               when :haml
                 type = :haml6 if haml6?
@@ -46,17 +46,9 @@ module Brakeman
     end
 
     def parse_erb path, text
-      if tracker.config.escape_html?
-        if tracker.options[:rails3]
-          require 'brakeman/parsers/rails3_erubis'
-          Brakeman::Rails3Erubis.new(text, :filename => path).src
-        else
-          require 'brakeman/parsers/rails2_xss_plugin_erubis'
-          Brakeman::Rails2XSSPluginErubis.new(text, :filename => path).src
-        end
-      elsif tracker.config.erubis?
-        require 'brakeman/parsers/rails2_erubis'
-        Brakeman::ScannerErubis.new(text, :filename => path).src
+      if erubi?
+        require 'brakeman/parsers/rails_erubi'
+        Brakeman::Erubi.new(text, :filename => path).src
       else
         require 'erb'
         src = if ERB.instance_method(:initialize).parameters.assoc(:key) # Ruby 2.6+
@@ -69,9 +61,9 @@ module Brakeman
       end
     end
 
-    def erubis?
+    def erubi?
       tracker.config.escape_html? or
-        tracker.config.erubis?
+        tracker.config.erubi?
     end
 
     def parse_haml path, text
@@ -148,7 +140,7 @@ module Brakeman
       fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
       tp = self.new(tracker, fp)
       src = tp.parse_erb '_inline_', text
-      type = tp.erubis? ? :erubis : :erb
+      type = tp.erubi? ? :erubi : :erb
 
       return type, fp.parse_ruby(src, "_inline_")
     end

data/lib/brakeman/processor.rb

@@ -65,8 +65,8 @@ module Brakeman
         result = HamlTemplateProcessor.new(@tracker, name, called_from, file_name).process src
       when :haml6
         result = Haml6TemplateProcessor.new(@tracker, name, called_from, file_name).process src
-      when :erubis
-        result = ErubisTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :erubi
+        result = ErubiTemplateProcessor.new(@tracker, name, called_from, file_name).process src
       when :slim
         result = SlimTemplateProcessor.new(@tracker, name, called_from, file_name).process src
       else

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -146,7 +146,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     filter = tracker.find_method name, @current_class
 
     if filter.nil?
-      Brakeman.debug "[Notice] Could not find filter #{name}"
+      Brakeman.debug "Could not find filter #{name}"
       return
     end
 

data/lib/brakeman/processors/controller_processor.rb

@@ -30,13 +30,13 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     #But if not inside a controller already, then the class may include
     #a real controller, so we can't take this shortcut.
     if @current_class and @current_class.name.to_s.end_with? "Controller"
-      Brakeman.debug "[Notice] Treating inner class as library: #{name}"
+      Brakeman.debug "Treating inner class as library: #{name}"
       Brakeman::LibraryProcessor.new(@tracker).process_library exp, @current_file
       return exp
     end
 
     if not name.to_s.end_with? "Controller"
-      Brakeman.debug "[Notice] Adding noncontroller as library: #{name}"
+      Brakeman.debug "Adding noncontroller as library: #{name}"
       #Set the class to be a module in order to get the right namespacing.
       #Add class to libraries, in case it is needed later (e.g. it's used
       #as a parent class for a controller.)
@@ -124,7 +124,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
             if @app_tree.layout_exists?(name)
               @current_class.layout = "layouts/#{name}"
             else
-              Brakeman.debug "[Notice] Layout not found: #{name}"
+              Brakeman.debug "Layout not found: #{name}"
             end
           elsif node_type? last_arg, :nil, :false
             #layout :false or layout nil

data/lib/brakeman/processors/{erubis_template_processor.rb → erubi_template_procesor.rb}

@@ -1,7 +1,7 @@
 require 'brakeman/processors/template_processor'
 
-#Processes ERB templates using Erubis instead of erb.
-class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
+#Processes ERB templates using Erubi instead of erb.
+class Brakeman::ErubiTemplateProcessor < Brakeman::TemplateProcessor
 
   #s(:call, TARGET, :method, ARGS)
   def process_call exp
@@ -14,7 +14,7 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
     exp.arglist = process exp.arglist
     method = exp.method
 
-    #_buf is the default output variable for Erubis
+    #_buf is the default output variable for Erubi
     if node_type?(target, :lvar, :ivar) and (target.value == :_buf or target.value == :@output_buffer)
       if method == :<< or method == :safe_concat
 

data/lib/brakeman/processors/lib/rails2_config_processor.rb

@@ -33,14 +33,15 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
     process res
   end
 
-  #Check if config is set to use Erubis
+  # Check if config is set to use Erubis
+  # but because it's 2026 we're going to use Erubi
   def process_call exp
     target = exp.target
     target = process target if sexp? target
 
     if exp.method == :gem and exp.first_arg.value == "erubis"
-      Brakeman.notify "[Notice] Using Erubis for ERB templates"
-      @tracker.config.erubis = true
+      Brakeman.debug "[Notice] Using Erubi for ERB templates"
+      @tracker.config.erubi = true
     end
 
     exp

data/lib/brakeman/processors/lib/rails2_route_processor.rb

@@ -131,7 +131,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BasicProcessor
       when :except
         process_option_except value
       else
-        Brakeman.notify "[Notice] Unhandled resource option, please report: #{option}"
+        Brakeman.alert "Unhandled resource option, please report: #{option}"
       end
     end
   end

data/lib/brakeman/processors/lib/render_helper.rb

@@ -98,7 +98,7 @@ module Brakeman::RenderHelper
     name = name.to_s.gsub(/^\//, "")
     template = @tracker.templates[name.to_sym]
     unless template
-      Brakeman.debug "[Notice] No such template: #{name}"
+      Brakeman.debug "No such template: #{name}"
       return
     end
 

data/lib/brakeman/processors/lib/render_path.rb

@@ -36,7 +36,7 @@ module Brakeman
           file: template.file,
         }
       else
-        Brakeman.debug "[Notice] No render path to add template information"
+        Brakeman.debug "No render path to add template information"
       end
     end
 

data/lib/brakeman/processors/model_processor.rb

@@ -27,7 +27,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
 
     #If inside an inner class we treat it as a library.
     if @current_class
-      Brakeman.debug "[Notice] Treating inner class as library: #{name}"
+      Brakeman.debug "Treating inner class as library: #{name}"
       Brakeman::LibraryProcessor.new(@tracker).process_library exp, @current_file
       return exp
     end

data/lib/brakeman/report/ignore/config.rb

@@ -107,7 +107,7 @@ module Brakeman
           raise e, "\nError[#{e.class}] while reading brakeman ignore file: #{file}\n"
         end
       else
-        Brakeman.notify "[Notice] Could not find ignore configuration in #{file}"
+        Brakeman.alert "Could not find ignore configuration in #{file} (no file)"
         @already_ignored = []
       end
 

data/lib/brakeman/scanner.rb

@@ -31,8 +31,6 @@ class Brakeman::Scanner
     end
 
     @processor = processor || Brakeman::Processor.new(@app_tree, options)
-    @show_timing = tracker.options[:debug] || tracker.options[:show_timing]
-    @per_file_timing = tracker.options[:debug] && tracker.options[:show_timing]
   end
 
   #Returns the Tracker generated from the scan
@@ -44,32 +42,12 @@ class Brakeman::Scanner
     tracker.file_cache
   end
 
-  def process_step description
-    Brakeman.notify "#{description}...".ljust(40)
-
-    if @show_timing
-      start_t = Time.now
-      yield
-      duration = Time.now - start_t
-
-      Brakeman.notify "(#{description}) Duration: #{duration} seconds"
-    else
-      yield
-    end
+  def process_step(description, &)
+    Brakeman.process_step(description, &)
   end
 
-  def process_step_file description
-    if @per_file_timing
-      Brakeman.notify "Processing #{description}"
-
-      start_t = Time.now
-      yield
-      duration = Time.now - start_t
-
-      Brakeman.notify "(#{description}) Duration: #{duration} seconds"
-    else
-      yield
-    end
+  def process_step_file(description, &)
+    Brakeman.logger.single_context(description, &)
   end
 
   #Process everything in the Rails application
@@ -111,7 +89,7 @@ class Brakeman::Scanner
       process_initializers
     end
 
-    process_step 'Processing libs' do
+    process_step 'Processing libraries' do
       process_libs
     end
 
@@ -123,7 +101,7 @@ class Brakeman::Scanner
       process_templates
     end
 
-    process_step 'Processing data flow in templates' do
+    process_step 'Processing data flow' do
       process_template_data_flows
     end
 
@@ -135,11 +113,11 @@ class Brakeman::Scanner
       process_controllers
     end
 
-    process_step 'Processing data flow in controllers' do
+    process_step 'Processing data flow' do
       process_controller_data_flows
     end
 
-    process_step 'Indexing call sites' do
+    process_step 'Indexing method calls' do
       index_call_sites
     end
 
@@ -154,6 +132,7 @@ class Brakeman::Scanner
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
 
     fp.read_files(template_paths) do |path, contents|
+      Brakeman.logger.spin
       template_parser.parse_template(path, contents)
     end
 
@@ -167,6 +146,8 @@ class Brakeman::Scanner
     detector = Brakeman::FileTypeDetector.new
 
     astfiles.each do |file|
+      Brakeman.logger.spin
+
       if file.is_a? Brakeman::TemplateParser::TemplateFile
         file_cache.add_file file, :template
       else
@@ -202,7 +183,7 @@ class Brakeman::Scanner
       options[:rails3] or options[:escape_html]
 
       tracker.config.escape_html = true
-      Brakeman.notify "[Notice] Escaping HTML by default"
+      Brakeman.debug 'Escaping HTML by default'
     end
 
     if @app_tree.exists? ".ruby-version"
@@ -222,7 +203,7 @@ class Brakeman::Scanner
     end
 
   rescue => e
-    Brakeman.notify "[Notice] Error while processing #{path}"
+    Brakeman.alert "Error while processing #{path}"
     tracker.error e.exception(e.message + "\nwhile processing #{path}"), e.backtrace
   end
 
@@ -264,7 +245,7 @@ class Brakeman::Scanner
       @processor.process_gems gem_files
     end
   rescue => e
-    Brakeman.notify "[Notice] Error while processing Gemfile."
+    Brakeman.alert 'Error while processing Gemfile'
     tracker.error e.exception(e.message + "\nWhile processing Gemfile"), e.backtrace
   end
 
@@ -273,16 +254,16 @@ class Brakeman::Scanner
     unless tracker.options[:rails3] or tracker.options[:rails4]
       if @app_tree.exists?("script/rails")
         tracker.options[:rails3] = true
-        Brakeman.notify "[Notice] Detected Rails 3 application"
+        Brakeman.debug 'Detected Rails 3 application'
       elsif @app_tree.exists?("app/channels")
         tracker.options[:rails3] = true
         tracker.options[:rails4] = true
         tracker.options[:rails5] = true
-        Brakeman.notify "[Notice] Detected Rails 5 application"
+        Brakeman.debug 'Detected Rails 5 application'
       elsif not @app_tree.exists?("script")
         tracker.options[:rails3] = true
         tracker.options[:rails4] = true
-        Brakeman.notify "[Notice] Detected Rails 4 application"
+        Brakeman.debug 'Detected Rails 4 application'
       end
     end
   end
@@ -303,15 +284,10 @@ class Brakeman::Scanner
     @processor.process_initializer(init.path, init.ast)
   end
 
-  #Process all .rb in lib/
-  #
-  #Adds parsed information to tracker.libs.
+  # Adds parsed information to tracker.libs.
+  # This is a catch-all for any Ruby files that weren't determined
+  # to be a specific type of file (like a controller).
   def process_libs
-    if options[:skip_libs]
-      Brakeman.notify '[Skipping]'
-      return
-    end
-
     libs = file_cache.libs.sort_by { |path, _| path }
 
     track_progress libs do |path, lib|
@@ -335,11 +311,11 @@ class Brakeman::Scanner
       if routes_sexp = parse_ruby_file(file)
         @processor.process_routes routes_sexp
       else
-        Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
+        Brakeman.alert 'Error while processing routes - assuming all public controller methods are actions.'
         options[:assume_all_routes] = true
       end
     else
-      Brakeman.notify "[Notice] No route information found"
+      Brakeman.alert 'No route information found'
     end
   end
 
@@ -427,15 +403,15 @@ class Brakeman::Scanner
     total = list.length
     current = 0
     list.each do |item|
-      report_progress current, total, type
+      report_progress current, total
       current += 1
       yield item
     end
   end
 
-  def report_progress(current, total, type = "files")
+  def report_progress(current, total)
     return unless @options[:report_progress]
-    $stderr.print " #{current}/#{total} #{type} processed\r"
+    Brakeman.logger.update_progress(current, total)
   end
 
   def index_call_sites

data/lib/brakeman/tracker/collection.rb

@@ -55,13 +55,23 @@ module Brakeman
       if src.node_type == :defs
         @class_methods[name] = meth_info
 
-        # TODO fix this weirdness
-        name = :"#{src[1]}.#{name}"
+        name = :"#{method_definition_receiver(src[1])}.#{name}"
       end
 
       @methods[visibility][name] = meth_info
     end
 
+    def method_definition_receiver(receiver)
+      return receiver if receiver.is_a?(Symbol)
+
+      case receiver.sexp_type
+      when :self
+        "self"
+      else
+        receiver[1].to_s
+      end
+    end
+
     def each_method
       @methods.each do |_vis, meths|
         meths.each do |name, info|

data/lib/brakeman/tracker/config.rb

@@ -5,7 +5,7 @@ module Brakeman
     include Util
 
     attr_reader :gems, :rails, :ruby_version, :tracker
-    attr_writer :erubis, :escape_html
+    attr_writer :erubi, :escape_html
 
     def initialize tracker
       @tracker = tracker
@@ -13,7 +13,7 @@ module Brakeman
       @gems = {}
       @settings = {}
       @escape_html = nil
-      @erubis = nil
+      @erubi = nil
       @ruby_version = nil
       @rails_version = nil
     end
@@ -28,8 +28,8 @@ module Brakeman
       false
     end
 
-    def erubis?
-      @erubis
+    def erubi?
+      @erubi
     end
 
     def escape_html?
@@ -88,29 +88,29 @@ module Brakeman
         if tracker.options[:rails3].nil? and tracker.options[:rails4].nil?
           if @rails_version.start_with? "3"
             tracker.options[:rails3] = true
-            Brakeman.notify "[Notice] Detected Rails 3 application"
+            notify_version 3
           elsif @rails_version.start_with? "4"
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
-            Brakeman.notify "[Notice] Detected Rails 4 application"
+            notify_version 4
           elsif @rails_version.start_with? "5"
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
             tracker.options[:rails5] = true
-            Brakeman.notify "[Notice] Detected Rails 5 application"
+            notify_version 5
           elsif @rails_version.start_with? "6"
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
             tracker.options[:rails5] = true
             tracker.options[:rails6] = true
-            Brakeman.notify "[Notice] Detected Rails 6 application"
+            notify_version 6
           elsif @rails_version.start_with? "7"
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
             tracker.options[:rails5] = true
             tracker.options[:rails6] = true
             tracker.options[:rails7] = true
-            Brakeman.notify "[Notice] Detected Rails 7 application"
+            notify_version 7
           elsif @rails_version.start_with? "8"
             tracker.options[:rails3] = true
             tracker.options[:rails4] = true
@@ -118,14 +118,14 @@ module Brakeman
             tracker.options[:rails6] = true
             tracker.options[:rails7] = true
             tracker.options[:rails8] = true
-            Brakeman.notify "[Notice] Detected Rails 8 application"
+            notify_version 8
           end
         end
       end
 
       if get_gem :rails_xss
         @escape_html = true
-        Brakeman.notify "[Notice] Escaping HTML by default"
+        Brakeman.debug "Escaping HTML by default"
       end
     end
 
@@ -182,7 +182,7 @@ module Brakeman
         option = config[o]
 
         if not option.is_a? Hash
-          Brakeman.debug "[Notice] Skipping config setting: #{path.map(&:to_s).join(".")}"
+          Brakeman.debug "Skipping config setting: #{path.map(&:to_s).join(".")}"
           return
         end
 
@@ -202,7 +202,7 @@ module Brakeman
       version = tracker.config.rails[:load_defaults].value.to_s
 
       unless version.match?(/^\d+\.\d+$/)
-        Brakeman.debug "[Notice] Unknown version: #{tracker.config.rails[:load_defaults]}"
+        Brakeman.alert "Unknown version: #{tracker.config.rails[:load_defaults]}"
         return
       end
 
@@ -284,5 +284,9 @@ module Brakeman
         set_rails_config(value: true_value, path: [:active_support, :use_rfc4122_namespaced_uuids])
       end
     end
+
+    private def notify_version version
+      Brakeman.debug "Detected Rails #{version} application"
+    end
   end
 end

data/lib/brakeman/tracker/constants.rb

@@ -29,7 +29,7 @@ module Brakeman
 
     def set_name name, context
       @name = name
-      @name_array = Constants.constant_as_array(name)
+      @name_array = Constants.constant_as_array(name, context)
     end
 
     def match? name
@@ -129,7 +129,22 @@ module Brakeman
       end
     end
 
-    def self.constant_as_array exp
+    def self.constant_as_array exp, context = nil
+      # Only prepend context for simple (unqualified) constants
+      if context && (exp.is_a?(Symbol) || (exp.is_a?(Sexp) && exp.node_type == :const))
+        context_name = context[:module] || context[:class]
+        context_name = context_name.name if context_name.respond_to?(:name)
+        if context_name
+          # Build colon2 chain: A::B becomes s(:colon2, s(:const, :A), :B)
+          parts = context_name.to_s.split("::")
+          base = Sexp.new(:const, parts.first.to_sym)
+          parts[1..].each do |part|
+            base = Sexp.new(:colon2, base, part.to_sym)
+          end
+          exp = Sexp.new(:colon2, base, exp)
+        end
+      end
+
       res = []
       while exp
         if exp.is_a? Sexp

data/lib/brakeman/tracker/controller.rb

@@ -132,7 +132,7 @@ module Brakeman
           when :lit, :str
             filter[option.value] = value[1]
           else
-            Brakeman.debug "[Notice] Unknown before_filter value: #{option} => #{value}"
+            Brakeman.debug "Unknown before_filter value: #{option} => #{value}"
           end
         end
       else

data/lib/brakeman/tracker.rb

@@ -101,15 +101,9 @@ class Brakeman::Tracker
     @app_path ||= File.expand_path @options[:app_path]
   end
 
-  #Iterate over all methods in controllers and models.
+  #Iterate over all methods
   def each_method
-    classes = [self.controllers, self.models]
-
-    if @options[:index_libs]
-      classes << self.libs
-    end
-
-    classes.each do |set|
+    [self.controllers, self.models, self.libs].each do |set|
       set.each do |set_name, collection|
         collection.each_method do |method_name, definition|
           src = definition.src
@@ -137,13 +131,7 @@ class Brakeman::Tracker
 
 
   def each_class
-    classes = [self.controllers, self.models]
-
-    if @options[:index_libs]
-      classes << self.libs
-    end
-
-    classes.each do |set|
+    [self.controllers, self.models, self.libs].each do |set|
       set.each do |set_name, collection|
         collection.src.each do |file, src|
           yield src, set_name, file
@@ -329,6 +317,8 @@ class Brakeman::Tracker
     finder = Brakeman::FindAllCalls.new self
 
     method_sets.each do |set|
+      Brakeman.logger.spin
+
       set.each do |set_name, info|
         info.each_method do |method_name, definition|
           src = definition.src
@@ -339,12 +329,14 @@ class Brakeman::Tracker
 
     if locations.include? :templates
       self.each_template do |_name, template|
+        Brakeman.logger.spin
         finder.process_source template.src, :template => template, :file => template.file
       end
     end
 
     if locations.include? :initializers
       self.initializers.each do |file_name, src|
+        Brakeman.logger.spin
         finder.process_all_source src, :file => file_name
       end
     end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "7.1.2"
+  Version = "8.0.1"
 end