brakeman 1.7.1 → 1.8.0

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -22,25 +22,21 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
 
   #Process body of method
   def process_methdef exp
-    process exp[3]
+    process exp.body
   end
 
   #Process body of method
   def process_selfdef exp
-    process exp[4]
+    process exp.body
   end
 
   #Process body of block
   def process_rlist exp
-    exp[1..-1].each do |e|
-      process e
-    end
-
-    exp
+    process_all exp
   end
 
   def process_call exp
-    target = get_target exp[1]
+    target = get_target exp.target
     
     if call? target
       already_in_target = @in_target
@@ -49,8 +45,8 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
       @in_target = already_in_target
     end
 
-    method = exp[2]
-    process exp[3]
+    method = exp.method
+    process_all exp.args
 
     call = { :target => target, :method => method, :call => exp, :nested => @in_target, :chain => get_chain(exp) }
     
@@ -68,7 +64,7 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
   #Calls to render() are converted to s(:render, ...) but we would
   #like them in the call cache still for speed
   def process_render exp
-    process exp[-1] if sexp? exp[-1]
+    process exp.last if sexp? exp.last
 
     call = { :target => nil, :method => :render, :call => exp, :nested => false }
 
@@ -86,7 +82,7 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
   #Technically, `` is call to Kernel#`
   #But we just need them in the call cache for speed
   def process_dxstr exp
-    process exp[-1] if sexp? exp[-1]
+    process exp.last if sexp? exp.last
 
     call = { :target => nil, :method => :`, :call => exp, :nested => false }
 
@@ -113,12 +109,10 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
   def get_target exp
     if sexp? exp
       case exp.node_type
-      when :ivar, :lvar, :const
-        exp[1]
+      when :ivar, :lvar, :const, :lit
+        exp.value
       when :true, :false
         exp[0]
-      when :lit
-        exp[1]
       when :colon2
         begin
           class_name exp
@@ -139,7 +133,7 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
   #For example, User.human.alive.all would return [:User, :human, :alive, :all]
   def get_chain call
     if node_type? call, :call, :attrasgn
-      get_chain(call[1]) + [call[2]]
+      get_chain(call.target) + [call.method]
     else
       [get_target(call)]
     end

data/lib/brakeman/processors/lib/find_call.rb

@@ -1,6 +1,8 @@
 require 'brakeman/processors/base_processor'
 
 #Finds method calls matching the given target(s).
+#   #-- This should be deprecated --#
+#   #--  Do not use for new code  --#
 #
 #Targets/methods can be:
 #
@@ -67,29 +69,22 @@ class Brakeman::FindCall < Brakeman::BaseProcessor
 
   #Process body of method
   def process_methdef exp
-    process exp[3]
+    process exp.body
   end
 
-  #Process body of method
-  def process_selfdef exp
-    process exp[4]
-  end
+  alias :process_selfdef :process_methdef
 
   #Process body of block
   def process_rlist exp
-    exp[1..-1].each do |e|
-      process e
-    end
-
-    exp
+    process_all exp
   end
 
   #Look for matching calls and add them to results
   def process_call exp
-    target = get_target exp[1] 
-    method = exp[2]
+    target = get_target exp.target
+    method = exp.method
 
-    process exp[3]
+    process_all exp.args
 
     if match(@find_targets, target) and match(@find_methods, method)
 
@@ -107,8 +102,8 @@ class Brakeman::FindCall < Brakeman::BaseProcessor
     #  User.find(:first, :conditions => "user = '#{params['user']}').name
     #
     #A search for User.find will not match this unless @in_depth is true.
-    if @in_depth and node_type? exp[1], :call
-      process exp[1]
+    if @in_depth and node_type? exp.target, :call
+      process exp.target
     end
 
     exp
@@ -126,12 +121,10 @@ class Brakeman::FindCall < Brakeman::BaseProcessor
   def get_target exp
     if sexp? exp
       case exp.node_type
-      when :ivar, :lvar, :const
-        exp[1]
+      when :ivar, :lvar, :const, :lit
+        exp.value
       when :true, :false
-        exp[0]
-      when :lit
-        exp[1]
+        exp.node_type
       when :colon2
         class_name exp
       else
@@ -176,10 +169,10 @@ class Brakeman::FindCall < Brakeman::BaseProcessor
   #Checks if +item+ is an instance of +klass+ by looking for Klass.new
   def is_instance_of? item, klass
     if call? item
-      if sexp? item[1]
-        item[2] == :new and item[1].node_type == :const and item[1][1] == klass
+      if sexp? item.target
+        item.method == :new and item.target.node_type == :const and item.target.value == klass
       else
-        item[2] == :new and item[1] == klass
+        item.method == :new and item.target == klass
       end
     else
       false

data/lib/brakeman/processors/lib/processor_helper.rb

@@ -1,9 +1,15 @@
 #Contains a couple shared methods for Processors.
 module Brakeman::ProcessorHelper
+  def process_all exp
+    exp.each_sexp do |e|
+      process e
+    end
+    exp
+  end
 
   #Sets the current module.
   def process_module exp
-    module_name = class_name(exp[1]).to_s
+    module_name = class_name(exp.class_name).to_s
     prev_module = @current_module
 
     if prev_module
@@ -12,7 +18,7 @@ module Brakeman::ProcessorHelper
       @current_module = module_name
     end
 
-    process exp[2]
+    process exp.body
 
     @current_module = prev_module
 
@@ -25,13 +31,13 @@ module Brakeman::ProcessorHelper
     when Sexp
       case exp.node_type
       when :const
-        exp[1]
+        exp.value
       when :lvar
-        exp[1].to_sym
+        exp.value.to_sym
       when :colon2
         "#{class_name(exp[1])}::#{exp[2]}".to_sym
       when :colon3
-        "::#{exp[1]}".to_sym
+        "::#{exp.value}".to_sym
       when :call
         process exp
       when :self

data/lib/brakeman/processors/lib/rails2_config_processor.rb

@@ -33,10 +33,10 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BaseProcessor
 
   #Check if config is set to use Erubis
   def process_call exp
-    target = exp[1]
+    target = exp.target
     target = process target if sexp? target
 
-    if exp[2] == :gem and exp[3][1][1] == "erubis"
+    if exp.method == :gem and exp.first_arg.value == "erubis"
       Brakeman.notify "[Notice] Using Erubis for ERB templates"
       @tracker.config[:erubis] = true
     end
@@ -46,14 +46,14 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BaseProcessor
 
   #Look for configuration settings
   def process_attrasgn exp
-    if exp[1] == Brakeman::RAILS_CONFIG
+    if exp.target == Brakeman::RAILS_CONFIG
       #Get rid of '=' at end
-      attribute = exp[2].to_s[0..-2].to_sym
-      if exp[3].length > 2
+      attribute = exp.method.to_s[0..-2].to_sym
+      if exp.args.length > 1
         #Multiple arguments?...not sure if this will ever happen
-        @tracker.config[:rails][attribute] = exp[3][1..-1]
+        @tracker.config[:rails][attribute] = exp.args
       else
-        @tracker.config[:rails][attribute] = exp[3][1]
+        @tracker.config[:rails][attribute] = exp.first_arg
       end
     elsif include_rails_config? exp
       options = get_rails_config exp
@@ -63,7 +63,7 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BaseProcessor
         level = level[o]
       end
 
-      level[options.last] = exp[3][1]
+      level[options.last] = exp.first_arg
     end
 
     exp
@@ -72,8 +72,8 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BaseProcessor
   #Check for Rails version
   def process_cdecl exp
     #Set Rails version required
-    if exp[1] == :RAILS_GEM_VERSION
-      @tracker.config[:rails_version] = exp[2][1]
+    if exp.lhs == :RAILS_GEM_VERSION
+      @tracker.config[:rails_version] = exp.rhs.value
     end
 
     exp
@@ -81,9 +81,9 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BaseProcessor
 
   #Check if an expression includes a call to set Rails config
   def include_rails_config? exp
-    target = exp[1]
+    target = exp.target
     if call? target
-      if target[1] == Brakeman::RAILS_CONFIG
+      if target.target == Brakeman::RAILS_CONFIG
         true
       else
         include_rails_config? target
@@ -104,13 +104,13 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BaseProcessor
   #  [:action_controller, :session_store]
   def get_rails_config exp
     if node_type? exp, :attrasgn
-      attribute = exp[2].to_s[0..-2].to_sym
-      get_rails_config(exp[1]) << attribute
+      attribute = exp.method.to_s[0..-2].to_sym
+      get_rails_config(exp.target) << attribute
     elsif call? exp
-      if exp[1] == Brakeman::RAILS_CONFIG
-        [exp[2]]
+      if exp.target == Brakeman::RAILS_CONFIG
+        [exp.method]
       else
-        get_rails_config(exp[1]) << exp[2]
+        get_rails_config(exp.target) << exp.method
       end
     else
       raise "WHAT"
@@ -131,11 +131,12 @@ class Brakeman::ConfigAliasProcessor < Brakeman::AliasProcessor
   #
   #and replace config with Brakeman::RAILS_CONFIG
   def process_iter exp
-    target = exp[1][1]
-    method = exp[1][2]
+    target = exp.block_call.target
+    method = exp.block_call.method
+
 
     if sexp? target and target == RAILS_INIT and method == :run
-      exp[2][2] = Brakeman::RAILS_CONFIG
+      exp.block_args.rhs = Brakeman::RAILS_CONFIG
     end
 
     process_default exp

data/lib/brakeman/processors/lib/rails2_route_processor.rb

@@ -28,7 +28,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
 
   #Looking for mapping of routes
   def process_call exp
-    target = exp[1]
+    target = exp.target
 
     if target == map or (not target.nil? and target == nested)
       process_map exp
@@ -42,9 +42,9 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
   #Process a map.something call
   #based on the method used
   def process_map exp
-    args = exp[3][1..-1]
+    args = exp.args
 
-    case exp[2]
+    case exp.method
     when :resource
       process_resource args
     when :resources
@@ -61,14 +61,16 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
   #Look for map calls that take a block.
   #Otherwise, just do the default processing.
   def process_iter exp
-    if exp[1][1] == map or exp[1][1] == nested
-      method = exp[1][2]
+    target = exp.block_call.target
+
+    if target == map or target == nested
+      method = exp.block_call.method
       case method
       when :namespace
         process_namespace exp
       when :resources, :resource
-        process_resources exp[1][3][1..-1]
-        process_default exp[3] if exp[3]
+        process_resources exp.block_call.args
+        process_default exp.block if exp.block
       when :with_options
         process_with_options exp
       end
@@ -89,9 +91,9 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
     else
       exp.each do |argument|
         if node_type? argument, :lit
-          self.current_controller = exp[0][1]
+          self.current_controller = exp.first.value
           add_resources_routes
-          process_resource_options exp[-1]
+          process_resource_options exp.last
         end
       end
     end
@@ -141,7 +143,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
 
     if exp.node_type == :array
       exp[1..-1].each do |e|
-        routes << e[1]
+        routes << e.value
       end
     end
   end
@@ -152,7 +154,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
     routes = @tracker.routes[@current_controller]
 
     exp[1..-1].each do |e|
-      routes.delete e[1]
+      routes.delete e.value
     end
   end
 
@@ -161,13 +163,13 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
     controller = check_for_controller_name exp
     if controller
       self.current_controller = controller
-      process_resource_options exp[-1]
+      process_resource_options exp.last
     else
       exp.each do |argument|
         if node_type? argument, :lit
-          self.current_controller = pluralize(exp[0][1].to_s)
+          self.current_controller = pluralize(exp.first.value.to_s)
           add_resource_routes
-          process_resource_options exp[-1]
+          process_resource_options exp.last
         end
       end
     end
@@ -180,10 +182,10 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
     self.current_controller = controller if controller
     
     #Check for default route
-    if string? exp[0]
-      if exp[0][1] == ":controller/:action/:id"
-        @tracker.routes[:allow_all_actions] = exp[0]
-      elsif exp[0][1].include? ":action"
+    if string? exp.first
+      if exp.first.value == ":controller/:action/:id"
+        @tracker.routes[:allow_all_actions] = exp.first
+      elsif exp.first.value.include? ":action"
         @tracker.routes[@current_controller] = [:allow_all_actions, exp.line]
         return
       end
@@ -193,9 +195,9 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
     #to a controller which already allows them all
     return if @tracker.routes[@current_controller].is_a? Array and @tracker.routes[@current_controller][0] == :allow_all_actions
 
-    exp[-1].each_with_index do |e,i|
-      if symbol? e and e[1] == :action
-        @tracker.routes[@current_controller] << exp[-1][i + 1][1].to_sym
+    exp.last.each_with_index do |e,i|
+      if symbol? e and e.value == :action
+        @tracker.routes[@current_controller] << exp.last[i + 1].value.to_sym
         return
       end
     end
@@ -205,13 +207,13 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
   #   something.resources :blah
   # end
   def process_with_options exp
-    @with_options = exp[1][3][-1]
-    @nested = Sexp.new(:lvar, exp[2][1])
+    @with_options = exp.block_call.args.last
+    @nested = Sexp.new(:lvar, exp.block_args.lhs)
 
-    self.current_controller = check_for_controller_name exp[1][3]
+    self.current_controller = check_for_controller_name exp.block_call.args
     
     #process block
-    process exp[3] 
+    process exp.block
 
     @with_options = nil
     @nested = nil
@@ -221,13 +223,15 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
   #   something.resources :blah
   # end
   def process_namespace exp
-    call = exp[1]
-    formal_args = exp[2]
-    block = exp[3]
+    call = exp.block_call
+    formal_args = exp.block_args
+    block = exp.block
 
-    @prefix << camelize(call[3][1][1])
+    @prefix << camelize(call.first_arg.value)
 
-    @nested = Sexp.new(:lvar, formal_args[1])
+    if formal_args
+      @nested = Sexp.new(:lvar, formal_args.lhs)
+    end
 
     process block
 
@@ -246,7 +250,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
     routes = @tracker.routes[@current_controller]
 
     hash_iterate(exp) do |action, type|
-      routes << action[1]
+      routes << action.value
     end
   end
 
@@ -259,7 +263,7 @@ class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
   def check_for_controller_name args
     args.each do |a|
       if hash? a and value = hash_access(a, :controller)
-        return value[1]
+        return value.value if string? value or symbol? value
       end
     end
 
@@ -278,8 +282,8 @@ class Brakeman::RouteAliasProcessor < Brakeman::AliasProcessor
   def process_call exp
     process_default exp
     
-    if hash? exp[1] and exp[2] == :keys
-        keys = get_keys exp[1] 
+    if hash? exp.target and exp.method == :keys
+      keys = get_keys exp.target
       exp.clear
       keys.each_with_index do |e,i|
         exp[i] = e