brakeman 1.6.2 → 1.7.0

data/lib/brakeman/checks/check_without_protection.rb

@@ -14,17 +14,10 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
       return
     end
 
-    models = []
-    tracker.models.each do |name, m|
-      if ancestor? m, :"ActiveRecord::Base"
-        models << name
-      end
-    end
-
-    return if models.empty?
+    return if active_record_models.empty?
 
     Brakeman.debug "Finding all mass assignments"
-    calls = tracker.find_call :targets => models, :methods => [:new,
+    calls = tracker.find_call :targets => active_record_models.keys, :methods => [:new,
       :attributes=, 
       :update_attributes, 
       :update_attributes!,

data/lib/brakeman/format/style.css

@@ -5,6 +5,10 @@ body {
   color: #161616;
 }
 
+a {
+  color: #161616;
+}
+
 p {
   font-weight: bold;
   font-size: 11pt;

data/lib/brakeman/processors/alias_processor.rb

@@ -1,12 +1,11 @@
-require 'rubygems'
-require 'sexp_processor'
 require 'brakeman/util'
+require 'ruby_parser/bm_sexp_processor'
 require 'brakeman/processors/lib/processor_helper'
 
 #Returns an s-expression with aliases replaced with their value.
 #This does not preserve semantics (due to side effects, etc.), but it makes
 #processing easier when searching for various things.
-class Brakeman::AliasProcessor < SexpProcessor
+class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   include Brakeman::ProcessorHelper
   include Brakeman::Util
 
@@ -19,11 +18,6 @@ class Brakeman::AliasProcessor < SexpProcessor
   # AliasProcessor.new.process_safely src
   def initialize tracker = nil
     super()
-    self.strict = false
-    self.auto_shift_type = false
-    self.require_empty = false
-    self.default_method = :process_default
-    self.warn_on_default = false
     @env = SexpProcessor::Environment.new
     @inside_if = false
     @ignore_ifs = false
@@ -368,7 +362,11 @@ class Brakeman::AliasProcessor < SexpProcessor
     match = Sexp.new(:call, target, :[], Sexp.new(:arglist, index))
 
     unless env[match]
-      env[match] = value
+      if request_value? target
+        env[match] = Sexp.new(:or, match, value)
+      else
+        env[match] = value
+      end
     end
 
     exp
@@ -452,7 +450,9 @@ class Brakeman::AliasProcessor < SexpProcessor
   def process_array_access target, args
     if args.length == 1 and integer? args[0]
       index = args[0][1]
-      target[index + 1]
+
+      #Have to do this because first element is :array and we have to skip it
+      target[1..-1][index + 1]
     else
       nil
     end

data/lib/brakeman/processors/base_processor.rb

@@ -1,10 +1,8 @@
-require 'rubygems'
-require 'sexp_processor'
 require 'brakeman/processors/lib/processor_helper'
 require 'brakeman/util'
 
 #Base processor for most processors.
-class Brakeman::BaseProcessor < SexpProcessor
+class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   include Brakeman::ProcessorHelper
   include Brakeman::Util
 
@@ -13,11 +11,6 @@ class Brakeman::BaseProcessor < SexpProcessor
   #Return a new Processor.
   def initialize tracker
     super()
-    self.strict = false
-    self.auto_shift_type = false
-    self.require_empty = false
-    self.default_method = :process_default
-    self.warn_on_default = false
     @last = nil
     @tracker = tracker
     @ignore = Sexp.new :ignore
@@ -50,7 +43,7 @@ class Brakeman::BaseProcessor < SexpProcessor
   #Default processing.
   def process_default exp
     exp = exp.dup
-    type = exp.shift
+
     exp.each_with_index do |e, i|
       if sexp? e and not e.empty?
         exp[i] = process e
@@ -58,8 +51,8 @@ class Brakeman::BaseProcessor < SexpProcessor
         e
       end
     end
-  ensure
-    exp.unshift type
+
+    exp
   end
 
   #Process an if statement.

data/lib/brakeman/processors/controller_processor.rb

@@ -30,8 +30,16 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     if @current_module
       name = (@current_module.to_s + "::" + name.to_s).to_sym
     end
+
+    begin
+      parent = class_name exp[2]
+    rescue StandardError => e
+      Brakeman.debug e
+      parent = nil
+    end
+
     @controller = { :name => name,
-                    :parent => class_name(exp[2]),
+                    :parent => parent,
                     :includes => [],
                     :public => {},
                     :private => {},

data/lib/brakeman/processors/lib/rails3_route_processor.rb

@@ -14,6 +14,7 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
     @prefix = [] #Controller name prefix (a module name, usually)
     @current_controller = nil
     @with_options = nil #For use inside map.with_options
+    @controller_block = false
   end
 
   def process_routes exp
@@ -49,6 +50,8 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
       process_resources_block exp
     when :scope
       process_scope_block exp
+    when :controller
+      process_controller_block exp
     else
       super
     end
@@ -71,11 +74,8 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
     args = exp[3][1..-1]
 
     if value = hash_access(args[0], :to)
-      if string? value[1]
-        controller, action = extract_action v[1]
-
-        self.current_controller = controller
-        @tracker.routes[@current_controller] << action.to_sym
+      if string? value
+        add_route_from_string value
       end
     end
 
@@ -97,19 +97,36 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
         return exp
       elsif matcher.include? ':action'
         action_variable = true
+      elsif args[1].nil? and in_controller_block? and not matcher.include? ":"
+        add_route matcher
       end
     end
 
     if hash? args[-1]
       hash_iterate args[-1] do |k, v|
-        if string? k and string? v
-          controller, action = extract_action v[1]
+        if string? k
+          if string? v
+            add_route_from_string v[1]
+          elsif in_controller_block? and symbol? v
+            add_route v
+          end
+        elsif symbol? k
+         case k[1]
+         when :action
+          if string? v
+            add_route_from_string v
+          else
+            add_route v
+          end
 
-          self.current_controller = controller
-          @tracker.routes[@current_controller] << action.to_sym if action
-        elsif symbol? k and k[1] == :action
-          @tracker.routes[@current_controller] << v[1].to_sym
           action_variable = false
+         when :to
+           if string? v
+             add_route_from_string v[1]
+           elsif in_controller_block? and symbol? v
+             add_route v
+           end
+         end
         end
       end
     end
@@ -118,44 +135,59 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
       @tracker.routes[@current_controller] = :allow_all_actions
     end
 
+    @current_controller = nil unless in_controller_block?
     exp
   end
 
+  def add_route_from_string value
+    value = value[1] if string? value
+
+    controller, action = extract_action value
+
+    if action
+      add_route action, controller
+    elsif in_controller_block?
+      add_route value
+    end
+  end
+
   def process_verb exp
     args = exp[3][1..-1]
 
     if symbol? args[0] and not hash? args[1]
-      @tracker.routes[@current_controller] << args[0][1]
+      add_route args[0]
     elsif hash? args[1]
       hash_iterate args[1] do |k, v|
-        if symbol? k and k[1] == :to and string? v
-          controller, action = extract_action v[1]
-
-          self.current_controller = controller
-          @tracker.routes[@current_controller] << action.to_sym
+        if symbol? k and k[1] == :to
+          if string? v
+            add_route_from_string v[1]
+          elsif in_controller_block? and symbol? v
+            add_route v
+          end
         end
       end
     elsif string? args[0]
       route = args[0][1].split "/"
       if route.length != 2
-        @tracker.routes[@current_controller] << route[0].to_sym
+        add_route route[0]
       else
-        self.current_controller = route[0]
-        @tracker.routes[@current_controller] << route[1].to_sym
-        @current_controller = nil
+        add_route route[1], route[0]
       end
+    elsif in_controller_block? and symbol? args[0]
+      add_route args[0]
     else hash? args[0]
       hash_iterate args[0] do |k, v|
-        if string? v
-          controller, action = extract_action v[1]
-
-          self.current_controller = controller
-          @tracker.routes[@current_controller] << action.to_sym
-          break
+        if string? k
+          if string? v
+            add_route_from_string v
+          elsif in_controller_block?
+            add_route v
+          end
         end
       end
     end
 
+    @current_controller = nil unless in_controller_block?
     exp
   end
 
@@ -171,6 +203,7 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
       end
     end
 
+    @current_controller = nil unless in_controller_block?
     exp
   end
 
@@ -186,18 +219,27 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
       end
     end
 
+    @current_controller = nil unless in_controller_block?
     exp
   end
 
   def process_resources_block exp
-    process_resources exp[1]
-    process exp[3]
+    in_controller_block do
+      process_resources exp[1]
+      process exp[3]
+    end
+
+    @current_controller = nil
     exp
   end
 
   def process_resource_block exp
-    process_resource exp[1]
-    process exp[3]
+    in_controller_block do
+      process_resource exp[1]
+      process exp[3]
+    end
+
+    @current_controller = nil
     exp
   end
 
@@ -207,7 +249,30 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
     exp
   end
 
+  def process_controller_block exp
+    args = exp[1][3]
+    self.current_controller = args[1][1]
+
+    in_controller_block do
+      process exp[-1] if exp[-1]
+    end
+
+    @current_controller = nil
+    exp
+  end
+
   def extract_action str
     str.split "#"
   end
+
+  def in_controller_block?
+    @controller_block
+  end
+
+  def in_controller_block
+    prev_block = @controller_block
+    @controller_block = true
+    yield
+    @controller_block = prev_block
+  end
 end

data/lib/brakeman/processors/lib/render_helper.rb

@@ -15,7 +15,6 @@ module Brakeman::RenderHelper
         process_template template_name, exp[3]
       rescue ArgumentError => e
         Brakeman.debug "Problem processing render: #{exp}"
-        raise e
       end
     when :partial, :layout
       process_partial exp[2], exp[3]
@@ -48,7 +47,9 @@ module Brakeman::RenderHelper
 
   #Processes a given action
   def process_action name, args
-    process_template template_name(name), args
+    if name.is_a? String or name.is_a? Symbol
+      process_template template_name(name), args
+    end
   end
 
   #Processes a template, adding any instance variables

data/lib/brakeman/processors/lib/route_helper.rb

@@ -21,6 +21,27 @@ module Brakeman::RouteHelper
     @tracker.routes[@current_controller] ||= Set.new
   end
 
+  #Add route to controller. If a controller is specified,
+  #the current controller will be set to that controller.
+  #If no controller is specified, uses current controller value.
+  def add_route route, controller = nil
+    if node_type? route, :str, :lit
+      route = route[1]
+    end
+
+    route = route.to_sym
+
+    if controller
+      self.current_controller = controller
+    end
+
+    routes = @tracker.routes[@current_controller]
+    
+    if routes and routes != :allow_all_actions
+      routes << route
+    end
+  end
+
   #Add default routes
   def add_resources_routes
     existing_routes = @tracker.routes[@current_controller]

data/lib/brakeman/processors/library_processor.rb

@@ -30,8 +30,15 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     if @tracker.libs[name]
       @current_class = @tracker.libs[name]
     else
+      begin
+        parent = class_name exp[2]
+      rescue StandardError => e
+        Brakeman.debug e
+        parent = nil
+      end
+
       @current_class = { :name => name,
-                    :parent => class_name(exp[2]),
+                    :parent => parent,
                     :includes => [],
                     :public => {},
                     :private => {},
@@ -91,6 +98,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   end
 
   def process_defn exp
+    exp = @alias_processor.process exp
     exp[0] = :methdef
 
     if @current_class
@@ -103,6 +111,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   end
 
   def process_defs exp
+    exp = @alias_processor.process exp
     exp[0] = :selfdef
 
     if @current_class

data/lib/brakeman/processors/model_processor.rb

@@ -22,8 +22,15 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
       Brakeman.debug "[Notice] Skipping inner class: #{class_name exp[1]}"
       ignore
     else
+      begin
+        parent = class_name exp[2]
+      rescue StandardError => e
+        Brakeman.debug e
+        parent = nil
+      end
+
       @model = { :name => class_name(exp[1]),
-        :parent => class_name(exp[2]),
+        :parent => parent,
         :includes => [],
         :public => {},
         :private => {},