brakeman 1.7.1 → 1.8.0

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -66,7 +66,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #(This method should be retired - only classes should ever be processed
   # and @current_module will never be set, leading to inaccurate class names)
   def process_class exp
-    @current_class = class_name(exp[1])
+    @current_class = class_name(exp.class_name)
     if @current_module
       @current_class = ("#@current_module::#@current_class").to_sym
     end
@@ -77,13 +77,15 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #Processes a method definition, which may include
   #processing any rendered templates.
   def process_methdef exp
+    meth_name = exp.method_name
+
     #Skip if instructed to only process a specific method
     #(but don't skip if this method was called from elsewhere)
-    return exp if @current_method.nil? and @only_method and @only_method != exp[1]
+    return exp if @current_method.nil? and @only_method and @only_method != meth_name
 
-    is_route = route? exp[1]
+    is_route = route? meth_name
     other_method = @current_method
-    @current_method = exp[1]
+    @current_method = meth_name
     @rendered = false if is_route
 
     env.scope do
@@ -95,7 +97,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
         end
       end
 
-      process exp[3]
+      process exp.body
 
       if is_route and not @rendered
         process_default_render exp
@@ -110,7 +112,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   def process_call exp
     exp = super
 
-    if exp[2] == :head
+    if call? exp and exp.method == :head
       @rendered = true
     end
     exp
@@ -120,7 +122,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   def process_call_with_block exp
     process_default exp
 
-    if exp[1][2] == :respond_to
+    if call? exp.block_call and exp.block_call.method == :respond_to
       @rendered = true
     end
 
@@ -146,7 +148,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       end
     else
       processor = Brakeman::AliasProcessor.new @tracker
-      processor.process_safely(method[3])
+      processor.process_safely(method.body)
 
       ivars = processor.only_ivars(:include_request_vars).all
 
@@ -166,7 +168,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 
   #Process template and add the current class and method name as called_from info
   def process_template name, args
-    super name, args, "#@current_class##@current_method"
+    super name, args, ["#@current_class##@current_method"]
   end
 
   #Turns a method name into a template name

data/lib/brakeman/processors/controller_processor.rb

@@ -21,18 +21,19 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
   #s(:class, NAME, PARENT, s(:scope ...))
   def process_class exp
+    name = class_name(exp.class_name)
+
     if @controller
-      Brakeman.debug "[Notice] Skipping inner class: #{class_name exp[1]}"
+      Brakeman.debug "[Notice] Skipping inner class: #{name}"
       return ignore
     end
 
-    name = class_name(exp[1])
     if @current_module
       name = (@current_module.to_s + "::" + name.to_s).to_sym
     end
 
     begin
-      parent = class_name exp[2]
+      parent = class_name exp.parent_name
     rescue StandardError => e
       Brakeman.debug e
       parent = nil
@@ -48,7 +49,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
                     :src => exp,
                     :file => @file_name }
     @tracker.controllers[@controller[:name]] = @controller
-    exp[3] = process exp[3]
+    exp.body = process exp.body
     set_layout_name
     @controller = nil
     exp
@@ -56,18 +57,18 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
   #Look for specific calls inside the controller
   def process_call exp
-    target = exp[1]
+    target = exp.target
     if sexp? target
       target = process target
     end
 
-    method = exp[2]
-    args = exp[3]
+    method = exp.method
+    args = exp.args
 
     #Methods called inside class definition
     #like attr_* and other settings
     if @current_method.nil? and target.nil? and @controller
-      if args.length == 1 #actually, empty
+      if args.empty?
         case method
         when :private, :protected, :public
           @visibility = method
@@ -79,21 +80,21 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
       else
         case method
         when :include
-          @controller[:includes] << class_name(args[1]) if @controller
+          @controller[:includes] << class_name(args.first) if @controller
         when :before_filter
           @controller[:options][:before_filters] ||= []
-          @controller[:options][:before_filters] << args[1..-1]
+          @controller[:options][:before_filters] << args
         when :layout
-          if string? args[-1]
+          if string? args.last
             #layout "some_layout"
 
-            name = args[-1][1].to_s
+            name = args.last.value.to_s
             unless Dir.glob("#{@tracker.options[:app_path]}/app/views/layouts/#{name}.html.{erb,haml}").empty?
               @controller[:layout] = "layouts/#{name}"
             else
               Brakeman.debug "[Notice] Layout not found: #{name}"
             end
-          elsif node_type? args[-1], :nil, :false
+          elsif node_type? args.last, :nil, :false
             #layout :false or layout nil
             @controller[:layout] = false
           end
@@ -115,7 +116,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
       call.line(exp.line)
       call
     else
-      call = Sexp.new :call, target, method, process(args)
+      call = Sexp.new :call, target, method, process(exp.arglist) #RP 3 TODO
       call.line(exp.line)
       call
     end
@@ -123,9 +124,9 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
   #Process method definition and store in Tracker
   def process_defn exp
-    name = exp[1]
+    name = exp.method_name
     @current_method = name
-    res = Sexp.new :methdef, name, process(exp[2]), process(exp[3][1])
+    res = Sexp.new :methdef, name, process(exp[2]), process(exp.body.block)
     res.line(exp.line)
     @current_method = nil
     @controller[@visibility][name] = res unless @controller.nil?
@@ -135,7 +136,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
   #Process self.method definition and store in Tracker
   def process_defs exp
-    name = exp[2]
+    name = exp.method_name
 
     if exp[1].node_type == :self
       if @controller
@@ -150,7 +151,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     end
 
     @current_method = name
-    res = Sexp.new :selfdef, target, name, process(exp[3]), process(exp[4][1])
+    res = Sexp.new :selfdef, target, name, process(exp[3]), process(exp.body.block)
     res.line(exp.line)
     @current_method = nil
     @controller[@visibility][name] = res unless @controller.nil?
@@ -160,7 +161,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
   #Look for before_filters and add fake ones if necessary
   def process_iter exp
-    if exp[1][2] == :before_filter
+    if exp.block_call.method == :before_filter
       add_fake_filter exp
     else
       super
@@ -185,20 +186,20 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
   #methods and filters.
   def add_fake_filter exp
     filter_name = ("fake_filter" + rand.to_s[/\d+$/]).to_sym
-    args = exp[1][3]
+    args = exp.block_call.arglist
     args.insert(1, Sexp.new(:lit, filter_name))
     before_filter_call = Sexp.new(:call, nil, :before_filter, args)
 
-    if exp[2]
-      block_variable = exp[2][1]
+    if exp.block_args
+      block_variable = exp.block_args[1]
     else
       block_variable = :temp
     end
 
-    if node_type? exp[3], :block
-      block_inner = exp[3][1..-1]
+    if node_type? exp.block, :block
+      block_inner = exp.block[1..-1]
     else
-      block_inner = [exp[3]]
+      block_inner = [exp.block]
     end
 
     #Build Sexp for filter method

data/lib/brakeman/processors/erb_template_processor.rb

@@ -6,33 +6,33 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
   
   #s(:call, TARGET, :method, s(:arglist))
   def process_call exp
-    target = exp[1]
+    target = exp.target
     if sexp? target
       target = process target
     end
-    method = exp[2]
+    method = exp.method
     
     #_erbout is the default output variable for erb
-    if target and target[1] == :_erbout
+    if node_type? target, :lvar and target.value == :_erbout
       if method == :concat
         @inside_concat = true
-        args = exp[3] = process(exp[3])
+        args = exp.arglist = process(exp.arglist)
         @inside_concat = false
 
         if args.length > 2
           raise Exception.new("Did not expect more than a single argument to _erbout.concat")
         end
 
-        args = args[1]
+        arg = args[1]
 
-        if args.node_type == :call and args[2] == :to_s #erb always calls to_s on output
-          args = args[1]
+        if arg.node_type == :call and arg.method == :to_s #erb always calls to_s on output
+          arg = arg.target
         end
 
-        if args.node_type == :str #ignore plain strings
+        if arg.node_type == :str #ignore plain strings
           ignore
         else
-          s = Sexp.new :output, args
+          s = Sexp.new :output, arg
           s.line(exp.line)
           @current_template[:outputs] << s
           s
@@ -43,11 +43,11 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
         abort "Unrecognized action on _erbout: #{method}"
       end
     elsif target == nil and method == :render
-      exp[3] = process(exp[3])
+      exp.arglist = process(exp.arglist)
       make_render_in_view exp
     else
       #TODO: Is it really necessary to create a new Sexp here?
-      args = exp[3] = process(exp[3])
+      args = exp.arglist = process(exp.arglist)
       call = Sexp.new :call, target, method, args
       call.original_line(exp.original_line)
       call.line(exp.line)
@@ -70,7 +70,7 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
         res = process e
         if res.empty? or res == ignore
           nil
-        elsif node_type?(res, :lvar) and res[1] == :_erbout
+        elsif node_type?(res, :lvar) and res.value == :_erbout
           nil
 
         else

data/lib/brakeman/processors/erubis_template_processor.rb

@@ -5,31 +5,33 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
   
   #s(:call, TARGET, :method, s(:arglist))
   def process_call exp
-    target = exp[1]
+    target = exp.target
     if sexp? target
       target = process target
     end
-    method = exp[2]
+    method = exp.method
 
     #_buf is the default output variable for Erubis
-    if target and (target[1] == :_buf or target[1] == :@output_buffer)
+    if node_type?(target, :lvar, :ivar) and (target.value == :_buf or target.value == :@output_buffer)
       if method == :<< or method == :safe_concat
-        args = exp[3][1] = process(exp[3][1])
+        exp.arglist = process exp.arglist
+
+        arg = exp.first_arg
 
         #We want the actual content
-        if args.node_type == :call and (args[2] == :to_s or args[2] == :html_safe!)
-          args = args[1]
+        if arg.node_type == :call and (arg.method == :to_s or arg.method == :html_safe!)
+          arg = arg.target
         end
 
-        if args.node_type == :str #ignore plain strings
+        if arg.node_type == :str #ignore plain strings
           ignore
-        elsif target[1] == :@output_buffer
-          s = Sexp.new :escaped_output, args
+        elsif node_type? target, :ivar and target.value == :@output_buffer
+          s = Sexp.new :escaped_output, arg
           s.line(exp.line)
           @current_template[:outputs] << s
           s
         else
-          s = Sexp.new :output, args
+          s = Sexp.new :output, arg
           s.line(exp.line)
           @current_template[:outputs] << s
           s
@@ -40,11 +42,11 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
         abort "Unrecognized action on buffer: #{method}"
       end
     elsif target == nil and method == :render
-      exp[3] = process exp[3]
+      exp.arglist = process exp.arglist
       make_render_in_view exp
     else
       #TODO: Is it really necessary to create a new Sexp here?
-      args = exp[3] = process(exp[3])
+      args = exp.arglist = process(exp.arglist)
       call = Sexp.new :call, target, method, args
       call.original_line(exp.original_line)
       call.line(exp.line)
@@ -72,14 +74,14 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
   #  @output_buffer.append = some_output
   #  @output_buffer.safe_append = some_output
   def process_attrasgn exp
-    if exp[1].node_type == :ivar and exp[1][1] == :@output_buffer
-      if exp[2] == :append= or exp[2] == :safe_append=
-        args = exp[3][1] = process(exp[3][1])
+    if exp.target.node_type == :ivar and exp.target.value == :@output_buffer
+      if exp.method == :append= or exp.method == :safe_append=
+        arg = exp.first_arg = process(exp.first_arg)
 
-        if args.node_type == :str
+        if arg.node_type == :str
           ignore
         else
-          s = Sexp.new :escaped_output, args
+          s = Sexp.new :escaped_output, arg
           s.line(exp.line)
           @current_template[:outputs] << s
           s

data/lib/brakeman/processors/gem_processor.rb

@@ -26,13 +26,13 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
   end
 
   def process_call exp
-    if exp[1] == nil and exp[2] == :gem
-      args = exp[3][1..-1]
+    if exp.target == nil and exp.method == :gem
+      args = exp.args
 
-      if sexp? args[1]
-        @tracker.config[:gems][args[0][1].to_sym] = args[1][1]
+      if string? args.second
+        @tracker.config[:gems][args.first.value.to_sym] = args.second.value
       else
-        @tracker.config[:gems][args[0][1].to_sym] = ">=0.0.0"
+        @tracker.config[:gems][args.first.value.to_sym] = ">=0.0.0"
       end
     end
 

data/lib/brakeman/processors/haml_template_processor.rb

@@ -22,29 +22,29 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 
   #Processes call, looking for template output
   def process_call exp
-    target = exp[1]
+    target = exp.target
     if sexp? target
       target = process target
     end
 
-    method = exp[2]
+    method = exp.method
 
-    if (sexp? target and target[2] == :_hamlout) or target == :_hamlout
+    if (call? target and target.method == :_hamlout) or target == :_hamlout
       res = case method
             when :adjust_tabs, :rstrip!, :attributes #Check attributes, maybe?
               ignore
             when :options
-              Sexp.new :call, :_hamlout, :options, exp[3]
+              Sexp.new :call, :_hamlout, :options, exp.arglist
             when :buffer
-              Sexp.new :call, :_hamlout, :buffer, exp[3]
+              Sexp.new :call, :_hamlout, :buffer, exp.arglist
             when :open_tag
-              Sexp.new(:tag, process(exp[3]))
+              Sexp.new(:tag, process(exp.arglist))
             else
-              arg = exp[3][1]
+              arg = exp.first_arg
 
               if arg
                 @inside_concat = true
-                out = exp[3][1] = process(arg)
+                out = exp.arglist[1] = process(arg)
                 @inside_concat = false
               else
                 raise Exception.new("Empty _hamlout.#{method}()?")
@@ -78,7 +78,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       #This seems to be used rarely, but directly appends args to output buffer
     elsif sexp? target and method == :<< and is_buffer_target? target
       @inside_concat = true
-      out = exp[3][1] = process(exp[3][1])
+      out = exp.arglist[1] = process(exp.arglist[1])
       @inside_concat = false
 
       if out.node_type == :str #ignore plain strings
@@ -91,11 +91,11 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       end
     elsif target == nil and method == :render
       #Process call to render()
-      exp[3] = process exp[3]
+      exp.arglist = process exp.arglist
       make_render_in_view exp
     else
       #TODO: Do we really need a new Sexp here?
-      args = process exp[3]
+      args = process exp.arglist
       call = Sexp.new :call, target, method, args
       call.original_line(exp.original_line)
       call.line(exp.line)
@@ -127,7 +127,11 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   end
 
   #Checks if the buffer is the target in a method call Sexp.
+  #TODO: Test this
   def is_buffer_target? exp
-    exp.node_type == :call and exp[1] == :_hamlout and exp[2] == :buffer
+    exp.node_type == :call and
+    node_type? exp.target, :lvar and
+    exp.target.value == :_hamlout and
+    exp.method == :buffer
   end
 end