brakeman 1.7.1 → 1.8.0

data/lib/brakeman/checks/check_execute.rb

@@ -33,7 +33,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 
     args = process call[3]
 
-    case call[2]
+    case call.method
     when :system, :exec
       failure = include_user_input?(args[1]) || include_interp?(args[1])
     else

data/lib/brakeman/checks/check_file_access.rb

@@ -27,7 +27,7 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
     return if duplicate? result
     add_result result
     call = result[:call]
-    file_name = call[3][1]
+    file_name = call.first_arg
 
     if match = has_immediate_user_input?(file_name)
       confidence = CONFIDENCE[:high]
@@ -38,7 +38,7 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
       match = include_user_input?(file_name)
 
       #Check for string building in file name
-      if call?(file_name) and (file_name[2] == :+ or file_name[2] == :<<)
+      if call?(file_name) and (file_name.method == :+ or file_name.method == :<<)
         confidence = CONFIDENCE[:high]
       else
         confidence = CONFIDENCE[:low]

data/lib/brakeman/checks/check_link_to.rb

@@ -40,21 +40,23 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
     #an ignored method call by the code above.
     call = result[:call] = result[:call].dup
 
+    args = call.args
+
     @matched = false
 
     #Skip if no arguments(?) or first argument is a hash
-    return if call[3][1].nil? or hash? call[3][1]
+    return if args.first.nil? or hash? args.first
 
     if version_between? "2.0.0", "2.2.99"
-      check_argument result, call[3][1]
+      check_argument result, args.first
 
-      if call[3][2] and not  hash? call[3][2]
-        check_argument result, call[3][2]
+      if args.second and not hash? args.second
+        check_argument result, args.second
       end
-    elsif call[3][2]
+    elsif args.second
       #Only check first argument if there is a second argument
       #in Rails 2.3.x
-      check_argument result, call[3][1]
+      check_argument result, args.first
     end
   end
 
@@ -128,7 +130,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
   def actually_process_call exp
     return if @matched
 
-    target = exp[1]
+    target = exp.target
     if sexp? target
       target = process target.dup
     end

data/lib/brakeman/checks/check_link_to_href.rb

@@ -34,7 +34,7 @@ class Brakeman::CheckLinkToHref < Brakeman::CheckLinkTo
     #an ignored method call by the code above.
     call = result[:call] = result[:call].dup
     @matched = false
-    url_arg = process call[3][2]
+    url_arg = process call.args.second
 
     #Ignore situations where the href is an interpolated string
     #with something before the user input

data/lib/brakeman/checks/check_mail_to.rb

@@ -34,7 +34,7 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
 
     tracker.find_call(:target => false, :method => :mail_to).each do |result|
       call = result[:call]
-      args = call[-1]
+      args = call.args
 
       args.each do |arg|
         if hash? arg

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -52,8 +52,8 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
       if attr_protected and tracker.options[:ignore_attr_protected]
         return
-      elsif input = include_user_input?(call[3])
-        if not hash? call[3][1] and not attr_protected
+      elsif input = include_user_input?(call.arglist)
+        if not hash? call.first_arg and not attr_protected
           confidence = CONFIDENCE[:high]
           user_input = input.match
         else
@@ -78,10 +78,11 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
   #Want to ignore calls to Model.new that have no arguments
   def check_call call
-    args = process call[3]
-    if args.length <= 1 #empty new()
+    args = process_all call.args
+
+    if args.empty? #empty new()
       false
-    elsif hash? args[1] and not include_user_input? args[1]
+    elsif hash? args.first and not include_user_input? args.first
       false
     elsif all_literals? args
       false

data/lib/brakeman/checks/check_redirect.rb

@@ -29,7 +29,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
 
     call = result[:call]
 
-    method = call[2]
+    method = call.method
 
     if method == :redirect_to and not only_path?(call) and res = include_user_input?(call)
       add_result result
@@ -56,11 +56,12 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   def include_user_input? call
     Brakeman.debug "Checking if call includes user input"
 
-    args = call[3]
+    args = call.args
+    first_arg = call.first_arg
 
-    if tracker.options[:ignore_redirect_to_model] and call? args[1] and
-      (@model_find_calls.include? args[1][2] or args[1][2].to_s.match(/^find_by_/)) and
-      model_name? args[1][1]
+    if tracker.options[:ignore_redirect_to_model] and call? first_arg and
+      (@model_find_calls.include? first_arg.method or first_arg.method.to_s.match(/^find_by_/)) and
+      model_name? first_arg.target
 
       return false
     end
@@ -94,14 +95,14 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   #Checks +redirect_to+ arguments for +only_path => true+ which essentially
   #nullifies the danger posed by redirecting with user input
   def only_path? call
-    call[3].each do |arg|
-      if hash? arg
-        if value = hash_access(arg, :only_path)
-          return true if true?(value)
-        end
-      elsif call? arg and arg[2] == :url_for
-        return check_url_for(arg)
+    arg = call.first_arg
+
+    if hash? arg
+      if value = hash_access(arg, :only_path)
+        return true if true?(value)
       end
+    elsif call? arg and arg.method == :url_for
+      return check_url_for(arg)
     end
 
     false
@@ -110,11 +111,11 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   #+url_for+ is only_path => true by default. This checks to see if it is
   #set to false for some reason.
   def check_url_for call
-    call[3].each do |arg|
-      if hash? arg
-        if value = hash_access(arg, :only_path)
-          return false if false?(value)
-        end
+    arg = call.first_arg
+
+    if hash? arg
+      if value = hash_access(arg, :only_path)
+        return false if false?(value)
       end
     end
 

data/lib/brakeman/checks/check_render.rb

@@ -13,7 +13,9 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
   end
 
   def process_render result
-    case result[:call][1]
+    return unless node_type? result[:call], :render
+
+    case result[:call].render_type
     when :partial, :template, :action, :file
       check_for_dynamic_path result
     when :inline

data/lib/brakeman/checks/check_select_tag.rb

@@ -38,12 +38,12 @@ class Brakeman::CheckSelectTag < Brakeman::BaseCheck
     add_result result
 
     #Only concerned if user input is supplied for :prompt option
-    last_arg = result[:call][3][-1]
+    last_arg = result[:call].arglist.last
 
     if hash? last_arg
       prompt_option = hash_access last_arg, :prompt
 
-      if call? prompt_option and @ignore_methods.include? prompt_option[2]
+      if call? prompt_option and @ignore_methods.include? prompt_option.method
         return
       elsif sexp? prompt_option and input = include_user_input?(prompt_option)
 

data/lib/brakeman/checks/check_select_vulnerability.rb

@@ -35,13 +35,13 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
   def process_result result
     return if duplicate? result
 
-    args = result[:call][3]
+    third_arg = result[:call].args[2]
 
     #Check for user input in options parameter
-    if sexp? args[3] and include_user_input? args[3]
+    if sexp? third_arg and include_user_input? third_arg
       add_result result
 
-      if node_type? args[3], :string_interp, :dstr
+      if node_type? third_arg, :string_interp, :dstr
         confidence = CONFIDENCE[:med]
       else
         confidence = CONFIDENCE[:low]

data/lib/brakeman/checks/check_send.rb

@@ -16,10 +16,10 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
   end
 
   def process_result result
-    args = process result[:call][3]
-    target = process result[:call][1]
+    args = process_all result[:call].args
+    target = process result[:call].target
 
-    if input = has_immediate_user_input?(args[1])
+    if input = has_immediate_user_input?(args.first)
       warn :result => result,
         :warning_type => "Dangerous Send",
         :message => "User controlled method execution",

data/lib/brakeman/checks/check_session_settings.rb

@@ -31,8 +31,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   #Looks for ActionController::Base.session = { ... }
   #in Rails 2.x apps
   def process_attrasgn exp
-    if not tracker.options[:rails3] and exp[1] == @session_settings and exp[2] == :session=
-      check_for_issues exp[3][1], "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
+    if not tracker.options[:rails3] and exp.target == @session_settings and exp.method == :session=
+      check_for_issues exp.first_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
     end
       
     exp
@@ -41,8 +41,8 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
   #Looks for Rails3::Application.config.session_store :cookie_store, { ... }
   #in Rails 3.x apps
   def process_call exp
-    if tracker.options[:rails3] and exp[1] == @session_settings and exp[2] == :session_store
-        check_for_issues exp[3][2], "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
+    if tracker.options[:rails3] and exp.target == @session_settings and exp.method == :session_store
+        check_for_issues exp.args.second, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
     end
       
     exp
@@ -63,7 +63,7 @@ class Brakeman::CheckSessionSettings < Brakeman::BaseCheck
       end
 
       if value = hash_access(settings, :secret)
-        if string? value and value[1].length < 30
+        if string? value and value.value.length < 30
 
           warn :warning_type => "Session Setting",
             :message => "Session secret should be at least 30 characters long",

data/lib/brakeman/checks/check_single_quotes.rb

@@ -50,9 +50,9 @@ class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
   #
   #    class ERB
   def process_class exp
-    if exp[1] == :ERB
+    if exp.class_name == :ERB
       @inside_erb = true
-      process exp[-1]
+      process exp.body
       @inside_erb = false
     end
 
@@ -63,9 +63,9 @@ class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
   #
   #    module Util
   def process_module exp
-    if @inside_erb and exp[1] == :Util
+    if @inside_erb and exp.module_name == :Util
       @inside_util = true
-      process exp[-1]
+      process exp.body
       @inside_util = false
     end
 
@@ -76,9 +76,9 @@ class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
   #
   #    def html_escape
   def process_defn exp
-    if @inside_util and exp[1] == :html_escape
+    if @inside_util and exp.method_name == :html_escape
       @inside_html_escape = true
-      process exp[-1]
+      process exp.body
       @inside_html_escape = false
     end
 
@@ -89,10 +89,10 @@ class Brakeman::CheckSingleQuotes < Brakeman::BaseCheck
   #
   #    Rack::Utils.escape_html
   def process_call exp
-    if @inside_html_escape and exp[1] == RACK_UTILS and exp[2] == :escape_html
+    if @inside_html_escape and exp.target == RACK_UTILS and exp.method == :escape_html
       @uses_rack_escape = true
     else
-      process exp[1] if exp[1]
+      process exp.target if exp.target
     end
 
     exp

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -35,9 +35,9 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
   def skip_verify_except? filter
     return false unless call? filter
 
-    args = filter[3]
+    args = filter.args
 
-    if symbol? args[1] and args[1][1] == :verify_authenticity_token and hash? args.last
+    if symbol? args.first and args.first.value == :verify_authenticity_token and hash? args.last
       if hash_access(args.last, :except)
         return true
       end

data/lib/brakeman/checks/check_sql.rb

@@ -53,6 +53,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   end
 
   #Find calls to named_scope() or scope() in models
+  #RP 3 TODO
   def find_scope_calls
     scope_calls = []
 
@@ -71,12 +72,11 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
           model[:options][:scope].each do |args|
             second_arg = args[2]
 
-            if second_arg.node_type == :iter and
-              (second_arg[-1].node_type == :block or second_arg[-1].node_type == :call)
+            if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call
               process_scope_with_block name, args
             elsif second_arg.node_type == :call
               call = second_arg
-              scope_calls << { :call => call, :location => [:class, name ], :method => call[2] }
+              scope_calls << { :call => call, :location => [:class, name ], :method => call.method }
             else
               call = Sexp.new(:call, nil, :scope, args).line(args.line)
               scope_calls << { :call => call, :location => [:class, name ], :method => :scope }
@@ -135,7 +135,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         end
       end
     elsif block.node_type == :call
-      process_result :target => block[1], :method => block[2], :call => block, :location => [:class, model_name, scope_name]
+      process_result :target => block.target, :method => block.method, :call => block, :location => [:class, model_name, scope_name]
     end
   end
 
@@ -170,38 +170,38 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     return if duplicate? result or result[:call].original_line
 
     call = result[:call]
-    method = call[2]
-    args = call[3]
+    method = call.method
+    args = call.args
 
     dangerous_value = case method
                       when :find
-                        check_find_arguments args[2]
+                        check_find_arguments args.second
                       when :exists?
-                        check_find_arguments args[1]
+                        check_find_arguments args.first
                       when :named_scope, :scope
-                        check_scope_arguments args
+                        check_scope_arguments call.arglist
                       when :find_by_sql, :count_by_sql
-                        check_by_sql_arguments args[1]
+                        check_by_sql_arguments args.first
                       when :calculate
-                        check_find_arguments args[3]
+                        check_find_arguments args[2]
                       when :last, :first, :all
-                        check_find_arguments args[1]
+                        check_find_arguments args.first
                       when :average, :count, :maximum, :minimum, :sum
                         if args.length > 2
-                          unsafe_sql?(args[1]) or check_find_arguments(args[-1])
+                          unsafe_sql?(args.first) or check_find_arguments(args.last)
                         else
-                          check_find_arguments args[-1]
+                          check_find_arguments args.last
                         end
                       when :where, :having
-                        check_query_arguments args
+                        check_query_arguments call.arglist
                       when :order, :group, :reorder
-                        check_order_arguments args
+                        check_order_arguments call.arglist
                       when :joins
-                        check_joins_arguments args[1]
+                        check_joins_arguments args.first
                       when :from, :select
-                        unsafe_sql? args[1]
+                        unsafe_sql? args.first
                       when :lock
-                        check_lock_arguments args[1]
+                        check_lock_arguments args.first
                       else
                         Brakeman.debug "Unhandled SQL method: #{method}"
                       end
@@ -375,8 +375,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   #unless safe_value? explicitly returns true.
   def check_string_interp arg
     arg.each do |exp|
-      if node_type?(exp, :string_eval, :evstr) and not safe_value? exp[1]
-        return exp[1]
+      if node_type?(exp, :string_eval, :evstr) and not safe_value? exp.value
+        return exp.value
       end
     end
 
@@ -417,9 +417,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     when :hash
       check_hash_values exp unless ignore_hash
     when :if
-      unsafe_sql? exp[2] or unsafe_sql? exp[3]
+      unsafe_sql? exp.then_clause or unsafe_sql? exp.else_clause
     when :call
-      unless IGNORE_METHODS_IN_SQL.include? exp[2]
+      unless IGNORE_METHODS_IN_SQL.include? exp.method
         if has_immediate_user_input? exp or has_immediate_model? exp
           exp
         else
@@ -427,13 +427,13 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         end
       end
     when :or
-      if unsafe = (unsafe_sql?(exp[1]) || unsafe_sql?(exp[2]))
+      if unsafe = (unsafe_sql?(exp.lhs) || unsafe_sql?(exp.rhs))
         return unsafe
       else
         nil
       end
     when :block, :rlist
-      unsafe_sql? exp[-1]
+      unsafe_sql? exp.last
     else
       if has_immediate_user_input? exp or has_immediate_model? exp
         exp
@@ -482,11 +482,11 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   def check_for_string_building exp
     return unless call? exp
 
-    target = exp[1]
-    method = exp[2]
-    args = exp[3]
+    target = exp.target
+    method = exp.method
+    args = exp.args
 
-    if string? target or string? args[1]
+    if string? target or string? args.first
       if STRING_METHODS.include? method
         return exp
       end
@@ -507,13 +507,13 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     when :str, :lit, :const, :colon2, :nil, :true, :false
       true
     when :call
-      IGNORE_METHODS_IN_SQL.include? exp[2]
+      IGNORE_METHODS_IN_SQL.include? exp.method
     when :if
-      safe_value? exp[2] and safe_value? exp[3]
+      safe_value? exp.then_clause and safe_value? exp.else_clause
     when :block, :rlist
-      safe_value? exp[-1]
+      safe_value? exp.last
     when :or
-      safe_value? exp[1] and safe_value? exp[2]
+      safe_value? exp.lhs and safe_value? exp.rhs
     else
       false
     end
@@ -523,13 +523,10 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   def check_call exp
     return unless call? exp
 
-    target = exp[1]
-    args = exp[3]
-
     if unsafe = check_for_string_building(exp)
       unsafe
-    elsif call? target
-      check_call target
+    elsif call? exp.target
+      check_call exp.target
     else
       nil
     end
@@ -565,6 +562,6 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   #   s(:arglist, s(:str, "something")))
   def constantize_call? result
     call = result[:call]
-    call? call[1] and call[1][2] == :constantize
+    call? call.target and call.target.method == :constantize
   end
 end