brakeman 1.6.2 → 1.7.0

data/lib/brakeman/processors/template_processor.rb

@@ -20,7 +20,6 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
     tracker.templates[template_name] = @current_template
 
     @inside_concat = false
-    self.warn_on_default = false
   end
 
   #Process the template Sexp.

data/lib/brakeman/report.rb

@@ -96,6 +96,7 @@ class Brakeman::Report
       if html
         w["Confidence"] = HTML_CONFIDENCE[w["Confidence"]]
         w["Message"] = with_context warning, w["Message"]
+        w["Warning Type"] = with_link warning, w["Warning Type"]
       else
         w["Confidence"] = TEXT_CONFIDENCE[w["Confidence"]]
         w["Message"] = text_message warning, w["Message"]
@@ -134,6 +135,7 @@ class Brakeman::Report
         if html
           w["Confidence"] = HTML_CONFIDENCE[w["Confidence"]]
           w["Message"] = with_context warning, w["Message"]
+          w["Warning Type"] = with_link warning, w["Warning Type"]
         else
           w["Confidence"] = TEXT_CONFIDENCE[w["Confidence"]]
           w["Message"] = text_message warning, w["Message"]
@@ -170,6 +172,7 @@ class Brakeman::Report
         if html
           w["Confidence"] = HTML_CONFIDENCE[w["Confidence"]]
           w["Message"] = with_context warning, w["Message"]
+          w["Warning Type"] = with_link warning, w["Warning Type"]
         else
           w["Confidence"] = TEXT_CONFIDENCE[w["Confidence"]]
           w["Message"] = text_message warning, w["Message"]
@@ -206,6 +209,7 @@ class Brakeman::Report
         if html
           w["Confidence"] = HTML_CONFIDENCE[w["Confidence"]]
           w["Message"] = with_context warning, w["Message"]
+          w["Warning Type"] = with_link warning, w["Warning Type"]
         else
           w["Confidence"] = TEXT_CONFIDENCE[w["Confidence"]]
           w["Message"] = text_message warning, w["Message"]
@@ -595,6 +599,10 @@ class Brakeman::Report
     output << "</table></div>"
   end
 
+  def with_link warning, message
+    "<a href=\"#{warning.link}\">#{message}</a>"
+  end
+
   #Generated tab-separated output suitable for the Jenkins Brakeman Plugin:
   #https://github.com/presidentbeef/brakeman-jenkins-plugin
   def to_tabs
@@ -630,6 +638,8 @@ class Brakeman::Report
         w.file = file_for w
       end
     end
+
+    report[:config] = tracker.config
       
     report
   end

data/lib/brakeman/scanner.rb

@@ -8,6 +8,8 @@ begin
     require 'ruby_parser/bm_sexp.rb'
   end
 
+  require 'ruby_parser/bm_sexp_processor.rb'
+
   require 'haml'
   require 'sass'
   require 'erb'

data/lib/brakeman/util.rb

@@ -1,4 +1,3 @@
-require 'sexp_processor'
 require 'set'
 require 'active_support/inflector'
 
@@ -352,7 +351,7 @@ module Brakeman::Util
 
     lines.map do |line|
       if line.chomp.length > @terminal_width
-        line[0..(@terminal_width - 3)] + ">>"
+        line[0..(@terminal_width - 3)] + ">>\n"
       else
         line
       end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.6.2"
+  Version = "1.7.0"
 end

data/lib/brakeman/warning.rb

@@ -11,7 +11,7 @@ class Brakeman::Warning
   def initialize options = {}
     @view_name = nil
 
-    [:called_from, :check, :class, :code, :confidence, :controller, :file, :line,
+    [:called_from, :check, :class, :code, :confidence, :controller, :file, :line, :link_path,
       :message, :method, :model, :template, :user_input, :warning_set, :warning_type].each do |option|
 
       self.instance_variable_set("@#{option}", options[option])
@@ -101,6 +101,23 @@ class Brakeman::Warning
     @format_message
   end
 
+  def link
+    return @link if @link
+
+    if @link_path
+      if @link_path.start_with? "http"
+        @link = @link_path
+      else
+        @link = "http://brakemanscanner.org/docs/warning_types/#{@link_path}"
+      end
+    else
+      warning_path = self.warning_type.to_s.downcase.gsub(/\s+/, '_') + "/"
+      @link = "http://brakemanscanner.org/docs/warning_types/#{warning_path}"
+    end
+
+    @link
+  end
+
   #Generates a hash suitable for inserting into a table
   def to_row type = :warning
     @row = { "Confidence" => self.confidence,
@@ -151,6 +168,7 @@ class Brakeman::Warning
       :message => self.message,
       :file => self.file,
       :line => self.line,
+      :link => self.link,
       :code => (@code && self.format_code),
       :location => location,
       :user_input => (@user_input && self.format_user_input),

data/lib/ruby_parser/bm_sexp_processor.rb

@@ -0,0 +1,231 @@
+##
+# SexpProcessor provides a uniform interface to process Sexps.
+#
+# In order to create your own SexpProcessor subclass you'll need
+# to call super in the initialize method, then set any of the
+# Sexp flags you want to be different from the defaults.
+#
+# SexpProcessor uses a Sexp's type to determine which process method
+# to call in the subclass.  For Sexp <code>s(:lit, 1)</code>
+# SexpProcessor will call #process_lit, if it is defined.
+#
+
+class Brakeman::SexpProcessor
+
+  VERSION = 'CUSTOM'
+
+  ##
+  # Return a stack of contexts. Most recent node is first.
+
+  attr_reader :context
+
+  ##
+  # Expected result class
+
+  attr_accessor :expected
+
+  ##
+  # A scoped environment to make you happy.
+
+  attr_reader :env
+
+  ##
+  # Creates a new SexpProcessor.  Use super to invoke this
+  # initializer from SexpProcessor subclasses, then use the
+  # attributes above to customize the functionality of the
+  # SexpProcessor
+
+  def initialize
+    @expected            = Sexp
+
+    # we do this on an instance basis so we can subclass it for
+    # different processors.
+    @processors = {}
+    @context    = []
+
+    public_methods.each do |name|
+      if name.to_s.start_with? "process_" then
+        @processors[name[8..-1].to_sym] = name.to_sym
+      end
+    end
+  end
+
+  ##
+  # Default Sexp processor.  Invokes process_<type> methods matching
+  # the Sexp type given.  Performs additional checks as specified by
+  # the initializer.
+
+  def process(exp)
+    return nil if exp.nil?
+
+    result = nil
+
+    type = exp.first
+    raise "type should be a Symbol, not: #{exp.first.inspect}" unless
+      Symbol === type
+
+    in_context type do
+      # now do a pass with the real processor (or generic)
+      meth = @processors[type]
+      if meth then
+        if $DEBUG
+          result = error_handler(type) do
+            self.send(meth, exp)
+          end
+        else
+          result = self.send(meth, exp)
+        end
+
+      else
+        result = self.process_default(exp)
+      end
+    end
+    
+    raise SexpTypeError, "Result must be a #{@expected}, was #{result.class}:#{result.inspect}" unless @expected === result
+    
+    result
+  end
+
+  def error_handler(type, exp=nil) # :nodoc:
+    begin
+      return yield
+    rescue StandardError => err
+      warn "#{err.class} Exception thrown while processing #{type} for sexp #{exp.inspect} #{caller.inspect}" if $DEBUG
+      raise
+    end
+  end
+
+  ##
+  # A fairly generic processor for a dummy node. Dummy nodes are used
+  # when your processor is doing a complicated rewrite that replaces
+  # the current sexp with multiple sexps.
+  #
+  # Bogus Example:
+  #
+  #   def process_something(exp)
+  #     return s(:dummy, process(exp), s(:extra, 42))
+  #   end
+
+  def process_dummy(exp)
+    result = @expected.new(:dummy) rescue @expected.new
+
+    until exp.empty? do
+      result << self.process(exp.shift)
+    end
+
+    result
+  end
+
+  ##
+  # Add a scope level to the current env. Eg:
+  #
+  #   def process_defn exp
+  #     name = exp.shift
+  #     args = process(exp.shift)
+  #     scope do
+  #       body = process(exp.shift)
+  #       # ...
+  #     end
+  #   end
+  #
+  #   env[:x] = 42
+  #   scope do
+  #     env[:x]       # => 42
+  #     env[:y] = 24
+  #   end
+  #   env[:y]         # => nil
+
+  def scope &block
+    env.scope(&block)
+  end
+
+  def in_context type
+    self.context.unshift type
+
+    yield
+
+    self.context.shift
+  end
+
+  ##
+  # I really hate this here, but I hate subdirs in my lib dir more...
+  # I guess it is kinda like shaving... I'll split this out when it
+  # itches too much...
+
+  class Environment
+    def initialize
+      @env = []
+      @env.unshift({})
+    end
+
+    def all
+      @env.reverse.inject { |env, scope| env.merge scope }
+    end
+
+    def depth
+      @env.length
+    end
+
+    # TODO: depth_of
+
+    def [] name
+      hash = @env.find { |closure| closure.has_key? name }
+      hash[name] if hash
+    end
+
+    def []= name, val
+      hash = @env.find { |closure| closure.has_key? name } || @env.first
+      hash[name] = val
+    end
+
+    def scope
+      @env.unshift({})
+      begin
+        yield
+      ensure
+        @env.shift
+        raise "You went too far unextending env" if @env.empty?
+      end
+    end
+  end
+end
+
+class Object
+
+  ##
+  # deep_clone is the usual Marshalling hack to make a deep copy.
+  # It is rather slow, so use it sparingly. Helps with debugging
+  # SexpProcessors since you usually shift off sexps.
+
+  def deep_clone
+    Marshal.load(Marshal.dump(self))
+  end
+end
+
+##
+# SexpProcessor base exception class.
+
+class SexpProcessorError < StandardError; end
+
+##
+# Raised by SexpProcessor if it sees a node type listed in its
+# unsupported list.
+
+class UnsupportedNodeError < SexpProcessorError; end
+
+##
+# Raised by SexpProcessor if it is in strict mode and sees a node for
+# which there is no processor available.
+
+class UnknownNodeError < SexpProcessorError; end
+
+##
+# Raised by SexpProcessor if a processor did not process every node in
+# a sexp and @require_empty is true.
+
+class NotEmptyError < SexpProcessorError; end
+
+##
+# Raised if assert_type encounters an unexpected sexp type.
+
+class SexpTypeError < SexpProcessorError; end

metadata

@@ -5,9 +5,9 @@ version: !ruby/object:Gem::Version
   prerelease: 
   segments: 
   - 1
-  - 6
-  - 2
-  version: 1.6.2
+  - 7
+  - 0
+  version: 1.7.0
 platform: ruby
 authors: 
 - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-06-13 00:00:00 Z
+date: 2012-07-31 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: activesupport
@@ -193,94 +193,96 @@ files:
 - WARNING_TYPES
 - FEATURES
 - README.md
-- lib/ruby_parser/ruby18_parser.rb
-- lib/ruby_parser/ruby_parser_extras.rb
-- lib/ruby_parser/bm_sexp.rb
-- lib/ruby_parser/ruby_lexer.rb
-- lib/ruby_parser/ruby_parser.rb
-- lib/ruby_parser/ruby19_parser.rb
-- lib/brakeman/warning.rb
+- lib/brakeman/version.rb
 - lib/brakeman/differ.rb
-- lib/brakeman/processors/gem_processor.rb
-- lib/brakeman/processors/controller_alias_processor.rb
-- lib/brakeman/processors/base_processor.rb
-- lib/brakeman/processors/controller_processor.rb
-- lib/brakeman/processors/library_processor.rb
-- lib/brakeman/processors/erb_template_processor.rb
-- lib/brakeman/processors/haml_template_processor.rb
-- lib/brakeman/processors/template_alias_processor.rb
-- lib/brakeman/processors/route_processor.rb
-- lib/brakeman/processors/model_processor.rb
-- lib/brakeman/processors/lib/find_all_calls.rb
-- lib/brakeman/processors/lib/find_call.rb
-- lib/brakeman/processors/lib/processor_helper.rb
-- lib/brakeman/processors/lib/rails3_route_processor.rb
-- lib/brakeman/processors/lib/route_helper.rb
-- lib/brakeman/processors/lib/rails2_config_processor.rb
-- lib/brakeman/processors/lib/rails2_route_processor.rb
-- lib/brakeman/processors/lib/render_helper.rb
-- lib/brakeman/processors/lib/rails3_config_processor.rb
-- lib/brakeman/processors/alias_processor.rb
-- lib/brakeman/processors/output_processor.rb
-- lib/brakeman/processors/config_processor.rb
-- lib/brakeman/processors/erubis_template_processor.rb
-- lib/brakeman/processors/template_processor.rb
+- lib/brakeman/util.rb
+- lib/brakeman/brakeman.rake
+- lib/brakeman/call_index.rb
+- lib/brakeman/tracker.rb
+- lib/brakeman/report.rb
+- lib/brakeman/scanner.rb
+- lib/brakeman/processor.rb
 - lib/brakeman/format/style.css
-- lib/brakeman/rescanner.rb
-- lib/brakeman/checks/check_send_file.rb
-- lib/brakeman/checks/check_translate_bug.rb
-- lib/brakeman/checks/check_session_settings.rb
-- lib/brakeman/checks/check_nested_attributes.rb
-- lib/brakeman/checks/check_strip_tags.rb
-- lib/brakeman/checks/check_safe_buffer_manipulation.rb
-- lib/brakeman/checks/check_sql.rb
-- lib/brakeman/checks/check_without_protection.rb
-- lib/brakeman/checks/check_mass_assignment.rb
+- lib/brakeman/checks/check_select_vulnerability.rb
 - lib/brakeman/checks/check_escape_function.rb
-- lib/brakeman/checks/check_cross_site_scripting.rb
+- lib/brakeman/checks/check_basic_auth.rb
+- lib/brakeman/checks/check_safe_buffer_manipulation.rb
+- lib/brakeman/checks/check_forgery_setting.rb
+- lib/brakeman/checks/check_session_settings.rb
 - lib/brakeman/checks/check_model_attributes.rb
-- lib/brakeman/checks/check_default_routes.rb
-- lib/brakeman/checks/check_select_vulnerability.rb
-- lib/brakeman/checks/check_evaluation.rb
-- lib/brakeman/checks/check_quote_table_name.rb
-- lib/brakeman/checks/check_validation_regex.rb
-- lib/brakeman/checks/check_link_to.rb
-- lib/brakeman/checks/check_execute.rb
-- lib/brakeman/checks/check_filter_skipping.rb
+- lib/brakeman/checks/check_redirect.rb
+- lib/brakeman/checks/check_skip_before_filter.rb
+- lib/brakeman/checks/check_response_splitting.rb
 - lib/brakeman/checks/check_mail_to.rb
+- lib/brakeman/checks/check_sql.rb
+- lib/brakeman/checks/check_mass_assignment.rb
 - lib/brakeman/checks/check_link_to_href.rb
-- lib/brakeman/checks/check_skip_before_filter.rb
-- lib/brakeman/checks/base_check.rb
+- lib/brakeman/checks/check_filter_skipping.rb
 - lib/brakeman/checks/check_file_access.rb
-- lib/brakeman/checks/check_response_splitting.rb
-- lib/brakeman/checks/check_basic_auth.rb
-- lib/brakeman/checks/check_send.rb
-- lib/brakeman/checks/check_redirect.rb
-- lib/brakeman/checks/check_forgery_setting.rb
+- lib/brakeman/checks/base_check.rb
+- lib/brakeman/checks/check_validation_regex.rb
+- lib/brakeman/checks/check_evaluation.rb
+- lib/brakeman/checks/check_digest_dos.rb
 - lib/brakeman/checks/check_render.rb
-- lib/brakeman/tracker.rb
-- lib/brakeman/util.rb
-- lib/brakeman/report.rb
-- lib/brakeman/templates/header.html.erb
-- lib/brakeman/templates/warning_overview.html.erb
+- lib/brakeman/checks/check_send_file.rb
+- lib/brakeman/checks/check_execute.rb
+- lib/brakeman/checks/check_translate_bug.rb
+- lib/brakeman/checks/check_default_routes.rb
+- lib/brakeman/checks/check_link_to.rb
+- lib/brakeman/checks/check_quote_table_name.rb
+- lib/brakeman/checks/check_send.rb
+- lib/brakeman/checks/check_cross_site_scripting.rb
+- lib/brakeman/checks/check_strip_tags.rb
+- lib/brakeman/checks/check_nested_attributes.rb
+- lib/brakeman/checks/check_without_protection.rb
+- lib/brakeman/checks.rb
+- lib/brakeman/templates/controller_overview.html.erb
+- lib/brakeman/templates/model_warnings.html.erb
+- lib/brakeman/templates/template_overview.html.erb
+- lib/brakeman/templates/view_warnings.html.erb
 - lib/brakeman/templates/overview.html.erb
 - lib/brakeman/templates/controller_warnings.html.erb
+- lib/brakeman/templates/header.html.erb
 - lib/brakeman/templates/error_overview.html.erb
-- lib/brakeman/templates/controller_overview.html.erb
 - lib/brakeman/templates/security_warnings.html.erb
-- lib/brakeman/templates/model_warnings.html.erb
-- lib/brakeman/templates/view_warnings.html.erb
-- lib/brakeman/templates/template_overview.html.erb
+- lib/brakeman/templates/warning_overview.html.erb
+- lib/brakeman/processors/controller_alias_processor.rb
+- lib/brakeman/processors/lib/route_helper.rb
+- lib/brakeman/processors/lib/rails2_route_processor.rb
+- lib/brakeman/processors/lib/render_helper.rb
+- lib/brakeman/processors/lib/rails2_config_processor.rb
+- lib/brakeman/processors/lib/rails3_route_processor.rb
+- lib/brakeman/processors/lib/processor_helper.rb
+- lib/brakeman/processors/lib/rails3_config_processor.rb
+- lib/brakeman/processors/lib/find_all_calls.rb
+- lib/brakeman/processors/lib/find_call.rb
+- lib/brakeman/processors/template_alias_processor.rb
+- lib/brakeman/processors/model_processor.rb
+- lib/brakeman/processors/output_processor.rb
+- lib/brakeman/processors/library_processor.rb
+- lib/brakeman/processors/erb_template_processor.rb
+- lib/brakeman/processors/template_processor.rb
+- lib/brakeman/processors/alias_processor.rb
+- lib/brakeman/processors/config_processor.rb
+- lib/brakeman/processors/gem_processor.rb
+- lib/brakeman/processors/erubis_template_processor.rb
+- lib/brakeman/processors/route_processor.rb
+- lib/brakeman/processors/controller_processor.rb
+- lib/brakeman/processors/haml_template_processor.rb
+- lib/brakeman/processors/base_processor.rb
+- lib/brakeman/warning.rb
+- lib/brakeman/options.rb
+- lib/brakeman/rescanner.rb
+- lib/brakeman/parsers/rails2_erubis.rb
 - lib/brakeman/parsers/rails3_erubis.rb
 - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
-- lib/brakeman/parsers/rails2_erubis.rb
-- lib/brakeman/version.rb
-- lib/brakeman/call_index.rb
-- lib/brakeman/brakeman.rake
-- lib/brakeman/options.rb
-- lib/brakeman/scanner.rb
-- lib/brakeman/checks.rb
-- lib/brakeman/processor.rb
+- lib/ruby_parser/ruby_lexer.rb
+- lib/ruby_parser/bm_sexp.rb
+- lib/ruby_parser/ruby_parser_extras.rb
+- lib/ruby_parser/ruby_parser.rb
+- lib/ruby_parser/ruby19_parser.rb
+- lib/ruby_parser/ruby18_parser.rb
+- lib/ruby_parser/bm_sexp_processor.rb
 - lib/brakeman.rb
 homepage: http://brakemanscanner.org
 licenses: []
@@ -311,7 +313,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.8.23
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.