brakeman 1.1.0 → 1.2.0

data/lib/brakeman/scanner.rb

@@ -30,12 +30,12 @@ class Brakeman::Scanner
   RUBY_1_9 = !!(RUBY_VERSION =~ /^1\.9/)
 
   #Pass in path to the root of the Rails application
-  def initialize options
+  def initialize options, processor = nil
     @options = options
     @report_progress = options[:report_progress]
     @path = options[:app_path]
     @app_path = File.join(@path, "app")
-    @processor = Brakeman::Processor.new options
+    @processor = processor || Brakeman::Processor.new(options)
 
     if RUBY_1_9
       @ruby_parser = ::Ruby19Parser
@@ -124,13 +124,18 @@ class Brakeman::Scanner
   #Adds parsed information to tracker.initializers
   def process_initializers
     Dir.glob(@path + "/config/initializers/**/*.rb").sort.each do |f|
-      begin
-        @processor.process_initializer(f, parse_ruby(File.read(f)))
-      rescue Racc::ParseError => e
-        tracker.error e, "could not parse #{f}. There is probably a typo in the file. Test it with 'ruby_parse #{f}'"
-      rescue Exception => e
-        tracker.error e.exception(e.message + "\nWhile processing #{f}"), e.backtrace
-      end
+      process_initializer f
+    end
+  end
+
+  #Process an initializer
+  def process_initializer path
+    begin
+      @processor.process_initializer(path, parse_ruby(File.read(path)))
+    rescue Racc::ParseError => e
+      tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
+    rescue Exception => e
+      tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
     end
   end
 
@@ -154,13 +159,18 @@ class Brakeman::Scanner
         current += 1
       end
 
-      begin
-        @processor.process_lib parse_ruby(File.read(f)), f
-      rescue Racc::ParseError => e
-        tracker.error e, "could not parse #{f}. There is probably a typo in the file. Test it with 'ruby_parse #{f}'"
-      rescue Exception => e
-        tracker.error e.exception(e.message + "\nWhile processing #{f}"), e.backtrace
-      end
+      process_lib f
+    end
+  end
+
+  #Process a library
+  def process_lib path
+    begin
+      @processor.process_lib parse_ruby(File.read(path)), path
+    rescue Racc::ParseError => e
+      tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
+    rescue Exception => e
+      tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
     end
   end
 
@@ -196,13 +206,7 @@ class Brakeman::Scanner
         current += 1
       end
 
-      begin
-        @processor.process_controller(parse_ruby(File.read(f)), f)
-      rescue Racc::ParseError => e
-        tracker.error e, "could not parse #{f}. There is probably a typo in the file. Test it with 'ruby_parse #{f}'"
-      rescue Exception => e
-        tracker.error e.exception(e.message + "\nWhile processing #{f}"), e.backtrace
-      end
+      process_controller f
     end
 
     current = 0
@@ -220,6 +224,16 @@ class Brakeman::Scanner
     end
   end
 
+  def process_controller path
+    begin
+      @processor.process_controller(parse_ruby(File.read(path)), path)
+    rescue Racc::ParseError => e
+      tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
+    rescue Exception => e
+      tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
+    end
+  end
+
   #Process all views and partials in views/
   #
   #Adds processed views to tracker.views
@@ -232,52 +246,13 @@ class Brakeman::Scanner
     template_files = Dir.glob(views_path).sort
     total = template_files.length
 
-    template_files.each do |f|
+    template_files.each do |path|
       if @report_progress
         $stderr.print " #{count}/#{total} files processed\r"
         count += 1
       end
 
-      type = f.match(/.*\.(erb|haml|rhtml)$/)[1].to_sym
-      type = :erb if type == :rhtml
-      name = template_path_to_name f
-      text = File.read f
-
-      begin
-        if type == :erb
-          if tracker.config[:escape_html]
-            type = :erubis
-            if options[:rails3]
-              src = Brakeman::RailsXSSErubis.new(text).src
-            else
-              src = Brakeman::ErubisEscape.new(text).src
-            end
-          elsif tracker.config[:erubis]
-            type = :erubis
-            src = Brakeman::ScannerErubis.new(text).src
-          else
-            src = ERB.new(text, nil, "-").src
-            src.sub!(/^#.*\n/, '') if RUBY_1_9
-          end
-
-          parsed = parse_ruby src
-        elsif type == :haml
-          src = Haml::Engine.new(text,
-                                 :escape_html => !!tracker.config[:escape_html]).precompiled
-          parsed = parse_ruby src
-        else
-          tracker.error "Unkown template type in #{f}"
-        end
-
-        @processor.process_template(name, parsed, type, nil, f)
-
-      rescue Racc::ParseError => e
-        tracker.error e, "could not parse #{f}"
-      rescue Haml::Error => e
-        tracker.error e, ["While compiling HAML in #{f}"] << e.backtrace
-      rescue Exception => e
-        tracker.error e.exception(e.message + "\nWhile processing #{f}"), e.backtrace
-      end
+      process_template path
     end
 
     total = tracker.templates.length
@@ -293,7 +268,49 @@ class Brakeman::Scanner
 
       @processor.process_template_alias tracker.templates[name]
     end
+  end
+
+  def process_template path
+    type = path.match(/.*\.(erb|haml|rhtml)$/)[1].to_sym
+    type = :erb if type == :rhtml
+    name = template_path_to_name path
+    text = File.read path
+
+    begin
+      if type == :erb
+        if tracker.config[:escape_html]
+          type = :erubis
+          if options[:rails3]
+            src = Brakeman::RailsXSSErubis.new(text).src
+          else
+            src = Brakeman::ErubisEscape.new(text).src
+          end
+        elsif tracker.config[:erubis]
+          type = :erubis
+          src = Brakeman::ScannerErubis.new(text).src
+        else
+          src = ERB.new(text, nil, "-").src
+          src.sub!(/^#.*\n/, '') if RUBY_1_9
+        end
+
+        parsed = parse_ruby src
+      elsif type == :haml
+        src = Haml::Engine.new(text,
+                               :escape_html => !!tracker.config[:escape_html]).precompiled
+        parsed = parse_ruby src
+      else
+        tracker.error "Unkown template type in #{path}"
+      end
 
+      @processor.process_template(name, parsed, type, nil, path)
+
+    rescue Racc::ParseError => e
+      tracker.error e, "could not parse #{path}"
+    rescue Haml::Error => e
+      tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
+    rescue Exception => e
+      tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
+    end
   end
 
   #Convert path/filename to view name
@@ -320,13 +337,18 @@ class Brakeman::Scanner
         current += 1
       end
 
-      begin
-        @processor.process_model(parse_ruby(File.read(f)), f)
-      rescue Racc::ParseError => e
-        tracker.error e, "could not parse #{f}"
-      rescue Exception => e
-        tracker.error e.exception(e.message + "\nWhile processing #{f}"), e.backtrace
-      end
+      process_model f
+
+    end
+  end
+
+  def process_model path
+    begin
+      @processor.process_model(parse_ruby(File.read(path)), path)
+    rescue Racc::ParseError => e
+      tracker.error e, "could not parse #{path}"
+    rescue Exception => e
+      tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
     end
   end
 
@@ -335,11 +357,7 @@ class Brakeman::Scanner
   end
 
   def parse_ruby input
-    if RUBY_1_9
-      Ruby19Parser.new.parse input
-    else
-      Ruby18Parser.new.parse input
-    end
+    @ruby_parser.new.parse input
   end
 end
 

data/lib/brakeman/tracker.rb

@@ -67,7 +67,7 @@ class Brakeman::Tracker
     [self.controllers, self.models].each do |set|
       set.each do |set_name, info|
         [:private, :public, :protected].each do |visibility|
-          info[visibility].each do |method_name, definition|    
+          info[visibility].each do |method_name, definition|
             if definition.node_type == :selfdef
               method_name = "#{definition[1]}.#{method_name}"
             end
@@ -118,7 +118,7 @@ class Brakeman::Tracker
   #    User.human.active.all(...)
   #
   def find_call options
-    index_calls unless @call_index
+    index_call_sites unless @call_index
     @call_index.find_calls options
   end
 
@@ -151,4 +151,105 @@ class Brakeman::Tracker
 
     @call_index = Brakeman::CallIndex.new finder.calls
   end
+
+  #Reindex call sites
+  #
+  #Takes a set of symbols which can include :templates, :models,
+  #or :controllers
+  #
+  #This will limit reindexing to the given sets
+  def reindex_call_sites locations
+    #If reindexing templates, models, and controllers, just redo
+    #everything
+    if locations.length == 3
+      return index_call_sites
+    end
+
+    if locations.include? :templates
+      @call_index.remove_template_indexes
+    end
+
+    classes_to_reindex = Set.new
+    method_sets = []
+
+    if locations.include? :models
+      classes_to_reindex.merge self.models.keys
+      method_sets << self.models
+    end
+
+    if locations.include? :controllers
+      classes_to_reindex.merge self.controllers.keys
+      method_sets << self.controllers
+    end
+
+    @call_index.remove_indexes_by_class classes_to_reindex
+
+    finder = Brakeman::FindAllCalls.new self
+
+    method_sets.each do |set|
+      set.each do |set_name, info|
+        [:private, :public, :protected].each do |visibility|
+          info[visibility].each do |method_name, definition|
+            if definition.node_type == :selfdef
+              method_name = "#{definition[1]}.#{method_name}"
+            end
+
+            finder.process_source definition, set_name, method_name
+
+          end
+        end
+      end
+    end
+
+    if locations.include? :templates
+      self.each_template do |name, template|
+        finder.process_source template[:src], nil, nil, template
+      end
+    end
+
+    @call_index.index_calls finder.calls
+  end
+
+  #Clear information related to templates.
+  #If :only_rendered => true, will delete templates rendered from
+  #controllers (but not those rendered from other templates)
+  def reset_templates options = { :only_rendered => false }
+    if options[:only_rendered]
+      @templates.delete_if do |name, template|
+        name.to_s.include? "Controller#"
+      end
+    else
+      @templates = {}
+    end
+    @processed = nil
+    @rest = nil
+    @template_cache.clear
+  end
+
+  #Clear information related to template
+  def reset_template name
+    name = name.to_sym
+    @templates.delete name
+    @processed = nil
+    @rest = nil
+  end
+
+  #Clear information related to model
+  def reset_model path
+    model_name = nil
+
+    @models.each do |name, model|
+      if model[:file] == path
+        model_name = name
+        break
+      end
+    end
+
+    @models.delete model_name
+  end
+
+  #Clear information about routes
+  def reset_routes
+    @routes = {}
+  end
 end

data/lib/brakeman/util.rb

@@ -186,4 +186,110 @@ module Brakeman::Util
   def sexp? exp
     exp.is_a? Sexp
   end
+
+  #Return file name related to given warning. Uses +warning.file+ if it exists
+  def file_for warning, tracker = nil
+    if tracker.nil?
+      tracker = @tracker || self.tracker
+    end
+
+    if warning.file
+      File.expand_path warning.file, tracker.options[:app_path]
+    else
+      case warning.warning_set
+      when :controller
+        file_by_name warning.controller, :controller, tracker
+      when :template
+        file_by_name warning.template[:name], :template, tracker
+      when :model
+        file_by_name warning.model, :model, tracker
+      when :warning
+        file_by_name warning.class, nil, tracker
+      else
+        nil
+      end
+    end
+  end
+
+  #Attempt to determine path to context file based on the reported name
+  #in the warning.
+  #
+  #For example,
+  #
+  #  file_by_name FileController #=> "/rails/root/app/controllers/file_controller.rb
+  def file_by_name name, type, tracker = nil
+    return nil unless name
+    string_name = name.to_s
+    name = name.to_sym
+
+    unless type
+      if string_name =~ /Controller$/
+        type = :controller
+      elsif camelize(string_name) == string_name
+        type = :model
+      else
+        type = :template
+      end
+    end
+
+    path = tracker.options[:app_path]
+
+    case type
+    when :controller
+      if tracker.controllers[name] and tracker.controllers[name][:file]
+        path = tracker.controllers[name][:file]
+      else
+        path += "/app/controllers/#{underscore(string_name)}.rb"
+      end
+    when :model
+      if tracker.models[name] and tracker.models[name][:file]
+        path = tracker.models[name][:file]
+      else
+        path += "/app/controllers/#{underscore(string_name)}.rb"
+      end
+    when :template
+      if tracker.templates[name] and tracker.templates[name][:file]
+        path = tracker.templates[name][:file]
+      elsif string_name.include? " "
+        name = string_name.split[0].to_sym
+        path = file_for tracker, name, :template
+      else
+        path = nil
+      end
+    end
+
+    path
+  end
+
+  #Return array of lines surrounding the warning location from the original
+  #file.
+  def context_for warning, tracker = nil
+    file = file_for warning, tracker
+    context = []
+    return context unless warning.line and file and File.exist? file
+
+    current_line = 0
+    start_line = warning.line - 5
+    end_line = warning.line + 5
+
+    start_line = 1 if start_line < 0
+
+    File.open file do |f|
+      f.each_line do |line|
+        current_line += 1
+
+        next if line.strip == ""
+
+        if current_line > end_line
+          break
+        end
+
+        if current_line >= start_line
+          context << [current_line, line]
+        end
+      end
+    end
+
+    context
+  end
 end