brakeman 1.7.1 → 1.8.0

data/lib/brakeman/checks/check_validation_regex.rb

@@ -28,7 +28,7 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
 
   #Check validates_format_of
   def process_validator validator
-    if value = hash_access(validator[-1], WITH)
+    if value = hash_access(validator.last, WITH)
       check_regex value, validator
     end
   end
@@ -38,12 +38,12 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
   def check_regex value, validator
     return unless regexp? value
 
-    regex = value[1].inspect
+    regex = value.value.inspect
     if regex =~ /^\/(.{2}).*(.{2})\/(m|i|x|n|e|u|s|o)*\z/
       if $1 != "\\A" or ($2 != "\\Z" and $2 != "\\z")
         warn :model => @current_model,
           :warning_type => "Format Validation", 
-          :message => "Insufficient validation for '#{get_name validator}' using #{value[1].inspect}. Use \\A and \\z as anchors",
+          :message => "Insufficient validation for '#{get_name validator}' using #{value.value.inspect}. Use \\A and \\z as anchors",
           :line => value.line,
           :confidence => CONFIDENCE[:high] 
       end

data/lib/brakeman/checks/check_without_protection.rb

@@ -33,7 +33,7 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
   #All results should be Model.new(...) or Model.attributes=() calls
   def process_result res
     call = res[:call]
-    last_arg = call[3][-1]
+    last_arg = call.args.last
 
     if hash? last_arg and not call.original_line and not duplicate? res
 
@@ -41,7 +41,7 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
         if true? value
           add_result res
 
-          if input = include_user_input?(call[3])
+          if input = include_user_input?(call.arglist)
             confidence = CONFIDENCE[:high]
             user_input = input.match
           else

data/lib/brakeman/format/style.css

@@ -116,3 +116,18 @@ p {
  .user_input {
    background-color: #fcecab;
  }
+
+ div.render_path {
+   display: none;
+   background-color: #ffe;
+   padding: 5px;
+   margin: 2px 0px 2px 0px;
+ }
+
+ div.template_name {
+   cursor: pointer;
+ }
+
+ div.template_name:hover {
+   background-color: white;
+ }

data/lib/brakeman/options.rb

@@ -169,6 +169,10 @@ module Brakeman::Options
           options[:summary_only] = true
         end
 
+        opts.on "--relative-paths", "Output relative file paths in reports" do
+          options[:relative_paths] = true
+        end
+
         opts.on "-w", 
           "--confidence-level LEVEL", 
           ["1", "2", "3"], 

data/lib/brakeman/processor.rb

@@ -72,7 +72,7 @@ module Brakeman
       #Each template which is rendered is stored separately
       #with a new name.
       if called_from
-        name = (name.to_s + "." + called_from.to_s).to_sym
+        name = ("#{name}.#{called_from}").to_sym
       end
 
       @tracker.templates[name][:src] = result

data/lib/brakeman/processors/alias_processor.rb

@@ -97,7 +97,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
 
   #Process a method call.
   def process_call exp
-    target_var = exp[1]
+    target_var = exp.target
     exp = process_default exp
 
     #In case it is replaced with something else
@@ -105,74 +105,75 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       return exp
     end
 
-    target = exp[1]
-    method = exp[2]
+    target = exp.target
+    method = exp.method
     args = exp[3]
+    first_arg = exp.first_arg
 
     #See if it is possible to simplify some basic cases
     #of addition/concatenation.
     case method
     when :+
-      if array? target and array? args[1]
-        joined = join_arrays target, args[1] 
+      if array? target and array? first_arg
+        joined = join_arrays target, first_arg 
         joined.line(exp.line)
         exp = joined
-      elsif string? args[1]
+      elsif string? first_arg
         if string? target # "blah" + "blah"
-          joined = join_strings target, args[1]
+          joined = join_strings target, first_arg
           joined.line(exp.line)
           exp = joined
-        elsif call? target and target[2] == :+ and string? target[3][1]
-          joined = join_strings target[3][1], args[1]
+        elsif call? target and target.method == :+ and string? target.first_arg
+          joined = join_strings target.first_arg, first_arg
           joined.line(exp.line)
-          target[3][1] = joined
+          target.first_arg = joined
           exp = target
         end
-      elsif number? args[1]
+      elsif number? first_arg
         if number? target
-          exp = Sexp.new(:lit, target[1] + args[1][1])
-        elsif target[2] == :+ and number? target[3][1]
-          target[3][1] = Sexp.new(:lit, target[3][1][1] + args[1][1])
+          exp = Sexp.new(:lit, target.value + first_arg.value)
+        elsif call? target and target.method == :+ and number? target.first_arg
+          target.first_arg = Sexp.new(:lit, target.first_arg.value + first_arg.value)
           exp = target
         end
       end
     when :-
-      if number? target and number? args[1]
-        exp = Sexp.new(:lit, target[1] - args[1][1])
+      if number? target and number? first_arg
+        exp = Sexp.new(:lit, target.value - first_arg.value)
       end
     when :*
-      if number? target and number? args[1]
-        exp = Sexp.new(:lit, target[1] * args[1][1])
+      if number? target and number? first_arg
+        exp = Sexp.new(:lit, target.value * first_arg.value)
       end
     when :/
-      if number? target and number? args[1]
-        exp = Sexp.new(:lit, target[1] / args[1][1])
+      if number? target and number? first_arg
+        exp = Sexp.new(:lit, target.value / first_arg.value)
       end
     when :[]
       if array? target
-        temp_exp = process_array_access target, args[1..-1]
+        temp_exp = process_array_access target, exp.args
         exp = temp_exp if temp_exp
       elsif hash? target
-        temp_exp = process_hash_access target, args[1..-1]
+        temp_exp = process_hash_access target, exp.args
         exp = temp_exp if temp_exp
       end
     when :merge!, :update
-      if hash? target and hash? args[1]
-         target = process_hash_merge! target, args[1]
+      if hash? target and hash? first_arg
+         target = process_hash_merge! target, first_arg
          env[target_var] = target
          return target
       end
     when :merge
-      if hash? target and hash? args[1]
-        return process_hash_merge(target, args[1])
+      if hash? target and hash? first_arg
+        return process_hash_merge(target, first_arg)
       end
     when :<<
-      if string? target and string? args[1]
-        target[1] << args[1][1]
+      if string? target and string? first_arg
+        target.value << first_arg.value
         env[target_var] = target
         return target
       elsif array? target
-        target << args[1]
+        target << first_arg
         env[target_var] = target
         return target
       else
@@ -187,7 +188,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #Process a new scope.
   def process_scope exp
     env.scope do
-      process exp[1]
+      process exp.block
     end
     exp
   end
@@ -203,7 +204,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def process_methdef exp
     env.scope do
       set_env_defaults
-      process exp[3]
+      process exp.body
     end
     exp
   end
@@ -212,7 +213,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def process_selfdef exp
     env.scope do
       set_env_defaults
-      process exp[4]
+      process exp.body
     end
     exp
   end
@@ -223,18 +224,18 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #Local assignment
   # x = 1
   def process_lasgn exp
-    exp[2] = process exp[2] if sexp? exp[2]
-    return exp if exp[2].nil?
+    exp.rhs = process exp.rhs if sexp? exp.rhs
+    return exp if exp.rhs.nil?
 
-    local = Sexp.new(:lvar, exp[1]).line(exp.line || -2)
+    local = Sexp.new(:lvar, exp.lhs).line(exp.line || -2)
 
     if @inside_if and val = env[local]
       #avoid setting to value it already is (e.g. "1 or 1")
-      if val != exp[2] and val[1] != exp[2] and val[2] != exp[2]
-        env[local] = Sexp.new(:or, val, exp[2]).line(exp.line || -2)
+      if val != exp.rhs and val[1] != exp.rhs and val[2] != exp.rhs
+        env[local] = Sexp.new(:or, val, exp.rhs).line(exp.line || -2)
       end
     else
-      env[local] = exp[2]
+      env[local] = exp.rhs
     end
 
     exp
@@ -243,15 +244,15 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #Instance variable assignment
   # @x = 1
   def process_iasgn exp
-    exp[2] = process exp[2]
-    ivar = Sexp.new(:ivar, exp[1]).line(exp.line)
+    exp.rhs = process exp.rhs
+    ivar = Sexp.new(:ivar, exp.lhs).line(exp.line)
 
     if @inside_if and val = env[ivar]
-      if val != exp[2]
-        env[ivar] = Sexp.new(:or, val, exp[2]).line(exp.line)
+      if val != exp.rhs
+        env[ivar] = Sexp.new(:or, val, exp.rhs).line(exp.line)
       end
     else
-      env[ivar] = exp[2]
+      env[ivar] = exp.rhs
     end
 
     exp
@@ -260,8 +261,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #Global assignment
   # $x = 1
   def process_gasgn exp
-    match = Sexp.new(:gvar, exp[1])
-    value = exp[2] = process(exp[2])
+    match = Sexp.new(:gvar, exp.lhs)
+    value = exp.rhs = process(exp.rhs)
 
     if @inside_if and val = env[match]
       if val != value
@@ -277,8 +278,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #Class variable assignment
   # @@x = 1
   def process_cvdecl exp
-    match = Sexp.new(:cvar, exp[1])
-    value = exp[2] = process(exp[2])
+    match = Sexp.new(:cvar, exp.lhs)
+    value = exp.rhs = process(exp.rhs)
     
     if @inside_if and val = env[match]
       if val != value
@@ -296,13 +297,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #or
   # x[:y] = 1
   def process_attrasgn exp
-    tar_variable = exp[1]
-    target = exp[1] = process(exp[1])
-    method = exp[2]
+    tar_variable = exp.target
+    target = exp.target = process(exp.target)
+    method = exp.method
+    args = exp.args
 
     if method == :[]=
-      index = exp[3][1] = process(exp[3][1])
-      value = exp[3][2] = process(exp[3][2])
+      index = exp.first_arg = process(args.first)
+      value = exp.second_arg = process(args.second)
       match = Sexp.new(:call, target, :[], Sexp.new(:arglist, index))
       env[match] = value
 
@@ -310,7 +312,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[tar_variable] = hash_insert target.deep_clone, index, value
       end
     elsif method.to_s[-1,1] == "="
-      value = exp[3][1] = process(exp[3][1])
+      value = exp.first_arg = process(args.first)
       #This is what we'll replace with the value
       match = Sexp.new(:call, target, method.to_s[0..-2].to_sym, Sexp.new(:arglist))
 
@@ -397,17 +399,17 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   #Constant assignments like
   # BIG_CONSTANT = 234810983
   def process_cdecl exp
-    if sexp? exp[2]
-      exp[2] = process exp[2]
+    if sexp? exp.rhs
+      exp.rhs = process exp.rhs
     end
 
-    if exp[1].is_a? Symbol
-      match = Sexp.new(:const, exp[1])
+    if exp.lhs.is_a? Symbol
+      match = Sexp.new(:const, exp.lhs)
     else
-      match = exp[1]
+      match = exp.lhs
     end
 
-    env[match] = exp[2]
+    env[match] = exp.rhs
 
     exp
   end
@@ -416,10 +418,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def process_if exp
     @ignore_ifs ||= @tracker && @tracker.options[:ignore_ifs]
 
-    condition = process exp[1]
+    condition = process exp.condition
 
     if true? condition
-      exps = [exp[2]]
+      exps = [exp.then_clause]
     elsif false? condition
       exps = exp[3..-1]
     else

data/lib/brakeman/processors/base_processor.rb

@@ -58,9 +58,9 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   #Process an if statement.
   def process_if exp
     exp = exp.dup
-    exp[1] = process exp[1]
-    exp[2] = process exp[2] if exp[2]
-    exp[3] = process exp[3] if exp[3]
+    exp[1] = process exp.condition
+    exp[2] = process exp.then_clause if exp.then_clause
+    exp[3] = process exp.else_clause if exp.else_clause
     exp
   end
 
@@ -69,16 +69,16 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   #s(:iter, CALL, {:lasgn|:masgn}, BLOCK)
   def process_iter exp
     exp = exp.dup
-    call = process exp[1]
+    call = process exp.block_call
     #deal with assignments somehow
-    if exp[3]
-      block = process exp[3]
+    if exp.block
+      block = process exp.block
       block = nil if block.empty?
     else
       block = nil
     end
 
-    call = Sexp.new(:call_with_block, call, exp[2], block).compact
+    call = Sexp.new(:call_with_block, call, exp.block_args, block).compact
     call.line(exp.line)
     call
   end
@@ -90,8 +90,8 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     exp.map! do |e|
       if e.is_a? String
         e
-      elsif e[1].is_a? String
-        e[1]
+      elsif e.value.is_a? String
+        e.value
       else
         res = process e
         if res.empty?
@@ -126,22 +126,6 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     exp
   end
 
-  #Processes an or keyword
-  def process_or exp
-    exp = exp.dup
-    exp[1] = process exp[1]
-    exp[2] = process exp[2]
-    exp
-  end
-
-  #Processes an and keyword
-  def process_and exp
-    exp = exp.dup
-    exp[1] = process exp[1]
-    exp[2] = process exp[2]
-    exp
-  end
-
   #Processes a hash
   def process_hash exp
     exp = exp.dup
@@ -171,22 +155,24 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   #Processes a local assignment
   def process_lasgn exp
     exp = exp.dup
-    exp[2] = process exp[2]
+    exp.rhs = process exp.rhs
     exp
   end
 
+  alias :process_iasgn :process_lasgn
+
   #Processes an instance variable assignment
   def process_iasgn exp
     exp = exp.dup
-    exp[2] = process exp[2]
+    exp.rhs = process exp.rhs
     exp
   end
 
   #Processes an attribute assignment, which can be either x.y = 1 or x[:y] = 1
   def process_attrasgn exp
     exp = exp.dup
-    exp[1] = process exp[1]
-    exp[3] = process exp[3]
+    exp.target = process exp.target
+    exp.arglist = process exp.arglist
     exp
   end
 
@@ -202,7 +188,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
 
   #Generates :render node from call to render.
   def make_render exp, in_view = false 
-    render_type, value, rest = find_render_type exp[3], in_view
+    render_type, value, rest = find_render_type exp.args, in_view
     rest = process rest
     result = Sexp.new(:render, render_type, value, rest)
     result.line(exp.line)
@@ -220,28 +206,29 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     rest = Sexp.new(:hash)
     type = nil
     value = nil
+    first_arg = args.first
 
-    if args.length == 2 and args[-1] == Sexp.new(:lit, :update)
-      return :update, nil, args[0..-2]
+    if args.length == 1 and first_arg == Sexp.new(:lit, :update)
+      return :update, nil, Sexp.new(:arglist, *args[0..-2]) #TODO HUH?
     end
 
     #Look for render :action, ... or render "action", ...
-    if string? args[1] or symbol? args[1]
+    if string? first_arg or symbol? first_arg
       if @current_template and @tracker.options[:rails3]
         type = :partial
-        value = args[1]
+        value = first_arg
       else
         type = :action
-        value = args[1]
+        value = first_arg
       end
-    elsif args[1].is_a? Symbol or args[1].is_a? String
+    elsif first_arg.is_a? Symbol or first_arg.is_a? String
       type = :action
-      value = Sexp.new(:lit, args[1].to_sym)
-		elsif args[1].nil?
+      value = Sexp.new(:lit, first_arg.to_sym)
+		elsif first_arg.nil?
 			type = :default
-    elsif not hash? args[1]
+    elsif not hash? first_arg
       type = :action
-      value = args[1]
+      value = first_arg
     end
 
     types_in_hash = Set[:action, :file, :inline, :js, :json, :nothing, :partial, :template, :text, :update, :xml]
@@ -253,10 +240,10 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
 
     #Look for "type" of render in options hash
     #For example, render :file => "blah"
-    if hash? args[-1]
-      hash_iterate(args[-1]) do |key, val|
-        if types_in_hash.include? key[1]
-          type = key[1]
+    if hash? args.last
+      hash_iterate(args.last) do |key, val|
+        if symbol? key and types_in_hash.include? key.value
+          type = key.value
           value = val
         else  
           rest << key << val
@@ -266,7 +253,6 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
 
     type ||= :default
     value ||= :default
-    args[-1] = rest
     return type, value, rest
   end
 end