brakeman 1.7.1 → 1.8.0

data/lib/brakeman/processors/lib/rails3_config_processor.rb

@@ -29,9 +29,9 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BaseProcessor
 
   #Look for MyApp::Application.configure do ... end
   def process_iter exp
-    if node_type?(exp[1][1], :colon2) and exp[1][1][2] == :Application
+    if node_type?(exp.block_call.target, :colon2) and exp.block_call.method == :Application
       @inside_config = true
-      process exp[-1] if sexp? exp[-1]
+      process exp.body if sexp? exp.body
       @inside_config = false
     end
 
@@ -40,9 +40,9 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BaseProcessor
 
   #Look for class Application < Rails::Application
   def process_class exp
-    if exp[1] == :Application
+    if exp.class_name == :Application
       @inside_config = true
-      process exp[-1] if sexp? exp[-1]
+      process exp.body if sexp? exp.body
       @inside_config = false
     end
 
@@ -53,14 +53,14 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BaseProcessor
   def process_attrasgn exp
     return exp unless @inside_config
 
-    if exp[1] == Brakeman::RAILS_CONFIG
+    if exp.target == Brakeman::RAILS_CONFIG
       #Get rid of '=' at end
-      attribute = exp[2].to_s[0..-2].to_sym
-      if exp[3].length > 2
+      attribute = exp.method.to_s[0..-2].to_sym
+      if exp.args.length > 1
         #Multiple arguments?...not sure if this will ever happen
-        @tracker.config[:rails][attribute] = exp[3][1..-1]
+        @tracker.config[:rails][attribute] = exp.args
       else
-        @tracker.config[:rails][attribute] = exp[3][1]
+        @tracker.config[:rails][attribute] = exp.first_arg
       end
     elsif include_rails_config? exp
       options = get_rails_config exp
@@ -70,7 +70,7 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BaseProcessor
         level = level[o]
       end
 
-      level[options.last] = exp[3][1]
+      level[options.last] = exp.first_arg
     end
 
     exp
@@ -78,9 +78,9 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BaseProcessor
 
   #Check if an expression includes a call to set Rails config
   def include_rails_config? exp
-    target = exp[1]
+    target = exp.target
     if call? target
-      if target[1] == Brakeman::RAILS_CONFIG
+      if target.target == Brakeman::RAILS_CONFIG
         true
       else
         include_rails_config? target
@@ -101,13 +101,13 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BaseProcessor
   #  [:action_controller, :session_store]
   def get_rails_config exp
     if node_type? exp, :attrasgn
-      attribute = exp[2].to_s[0..-2].to_sym
-      get_rails_config(exp[1]) << attribute
+      attribute = exp.method.to_s[0..-2].to_sym
+      get_rails_config(exp.target) << attribute
     elsif call? exp
-      if exp[1] == Brakeman::RAILS_CONFIG
-        [exp[2]]
+      if exp.target == Brakeman::RAILS_CONFIG
+        [exp.method]
       else
-        get_rails_config(exp[1]) << exp[2]
+        get_rails_config(exp.target) << exp.method
       end
     else
       raise "WHAT"

data/lib/brakeman/processors/lib/rails3_route_processor.rb

@@ -22,7 +22,7 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
   end
 
   def process_call exp
-    case exp[2]
+    case exp.method
     when :resources
       process_resources exp
     when :resource
@@ -41,7 +41,7 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
   end
 
   def process_iter exp
-    case exp[1][2]
+    case exp.block_call.method
     when :namespace
       process_namespace exp
     when :resource
@@ -58,8 +58,8 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
   end
 
   def process_namespace exp
-    name = exp[1][3][1][1]
-    block = exp[3]
+    name = exp.block_call.first_arg.value
+    block = exp.block
 
     @prefix << camelize(name)
 
@@ -70,10 +70,11 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
     exp
   end
 
+  #TODO: Need test for this
   def process_root exp
-    args = exp[3][1..-1]
+    args = exp.args
 
-    if value = hash_access(args[0], :to)
+    if value = hash_access(args.first, :to)
       if string? value
         add_route_from_string value
       end
@@ -83,17 +84,17 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
   end
 
   def process_match exp
-    args = exp[3][1..-1]
+    args = exp.args
 
     #Check if there is an unrestricted action parameter
     action_variable = false
 
-    if string? args[0]
-      matcher = args[0][1]
+    if string? args.first
+      matcher = args.first.value
 
       if matcher == ':controller(/:action(/:id(.:format)))' or
         matcher.include? ':controller' and matcher.include? ':action' #Default routes
-        @tracker.routes[:allow_all_actions] = args[0]
+        @tracker.routes[:allow_all_actions] = args.first
         return exp
       elsif matcher.include? ':action'
         action_variable = true
@@ -102,16 +103,16 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
       end
     end
 
-    if hash? args[-1]
-      hash_iterate args[-1] do |k, v|
+    if hash? args.last
+      hash_iterate args.last do |k, v|
         if string? k
           if string? v
-            add_route_from_string v[1]
+            add_route_from_string v
           elsif in_controller_block? and symbol? v
             add_route v
           end
         elsif symbol? k
-         case k[1]
+         case k.value
          when :action
           if string? v
             add_route_from_string v
@@ -152,31 +153,32 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
   end
 
   def process_verb exp
-    args = exp[3][1..-1]
-
-    if symbol? args[0] and not hash? args[1]
-      add_route args[0]
-    elsif hash? args[1]
-      hash_iterate args[1] do |k, v|
-        if symbol? k and k[1] == :to
+    args = exp.args
+    first_arg = args.first
+
+    if symbol? first_arg and not hash? args.second
+      add_route first_arg
+    elsif hash? args.second
+      hash_iterate args.second do |k, v|
+        if symbol? k and k.value == :to
           if string? v
-            add_route_from_string v[1]
+            add_route_from_string v
           elsif in_controller_block? and symbol? v
             add_route v
           end
         end
       end
-    elsif string? args[0]
-      route = args[0][1].split "/"
+    elsif string? first_arg
+      route = first_arg.value.split "/"
       if route.length != 2
         add_route route[0]
       else
         add_route route[1], route[0]
       end
-    elsif in_controller_block? and symbol? args[0]
-      add_route args[0]
-    else hash? args[0]
-      hash_iterate args[0] do |k, v|
+    elsif in_controller_block? and symbol? first_arg
+      add_route first_arg
+    else hash? first_arg
+      hash_iterate first_arg do |k, v|
         if string? k
           if string? v
             add_route_from_string v
@@ -192,13 +194,13 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
   end
 
   def process_resources exp
-    if exp[3] and exp[3][2] and exp[3][2][0] == :hash
-      self.current_controller = exp[3][1][1]
+    if exp.args and exp.args.second and exp.args.second.node_type == :hash
+      self.current_controller = exp.first_arg.value
       #handle hash
       add_resources_routes
-    elsif exp[3][1..-1].all? { |s| symbol? s }
-      exp[3][1..-1].each do |s|
-        self.current_controller = s[1]
+    elsif exp.args.all? { |s| symbol? s }
+      exp.args.each do |s|
+        self.current_controller = s.value
         add_resources_routes
       end
     end
@@ -209,9 +211,9 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
 
   def process_resource exp
     #Does resource even take more than one controller name?
-    exp[3][1..-1].each do |s|
+    exp.args.each do |s|
       if symbol? s
-        self.current_controller = pluralize(s[1].to_s)
+        self.current_controller = pluralize(s.value.to_s)
         add_resource_routes
       else
         #handle something else, like options
@@ -225,8 +227,8 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
 
   def process_resources_block exp
     in_controller_block do
-      process_resources exp[1]
-      process exp[3]
+      process_resources exp.block_call
+      process exp.block
     end
 
     @current_controller = nil
@@ -235,8 +237,8 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
 
   def process_resource_block exp
     in_controller_block do
-      process_resource exp[1]
-      process exp[3]
+      process_resource exp.block_call
+      process exp.block
     end
 
     @current_controller = nil
@@ -245,7 +247,7 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
 
   def process_scope_block exp
     #How to deal with options?
-    process exp[3]
+    process exp.block
     exp
   end
 

data/lib/brakeman/processors/lib/render_helper.rb

@@ -3,11 +3,11 @@ require 'digest/sha1'
 #Processes a call to render() in a controller or template
 module Brakeman::RenderHelper
 
-  #Process s(:render, TYPE, OPTIONS)
+  #Process s(:render, TYPE, OPTION?, OPTIONS)
   def process_render exp
     process_default exp
     @rendered = true
-    case exp[1]
+    case exp.render_type
     when :action, :template
       process_action exp[2][1], exp[3]
     when :default
@@ -40,7 +40,7 @@ module Brakeman::RenderHelper
       return
     end
 
-    names = name[1].to_s.split("/")
+    names = name.value.to_s.split("/")
     names[-1] = "_" + names[-1]
     process_template template_name(names.join("/")), args
   end
@@ -92,7 +92,7 @@ module Brakeman::RenderHelper
 
       if hash? options[:locals]
         hash_iterate options[:locals] do |key, value|
-          template_env[Sexp.new(:call, nil, key[1], Sexp.new(:arglist))] = value
+          template_env[Sexp.new(:call, nil, key.value, Sexp.new(:arglist))] = value
         end
       end
 
@@ -105,7 +105,7 @@ module Brakeman::RenderHelper
         #Unless the :as => :variable_name option is used
         if options[:as]
           if string? options[:as] or symbol? options[:as]
-            variable = options[:as][1].to_sym
+            variable = options[:as].value.to_sym
           end
         end
 
@@ -148,7 +148,7 @@ module Brakeman::RenderHelper
 
     hash_iterate args do |key, value|
       if symbol? key
-        options[key[1]] = value
+        options[key.value] = value
       end
     end
 

data/lib/brakeman/processors/lib/route_helper.rb

@@ -26,7 +26,7 @@ module Brakeman::RouteHelper
   #If no controller is specified, uses current controller value.
   def add_route route, controller = nil
     if node_type? route, :str, :lit
-      route = route[1]
+      route = route.value
     end
 
     route = route.to_sym

data/lib/brakeman/processors/library_processor.rb

@@ -16,7 +16,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   end
 
   def process_class exp
-    name = class_name(exp[1])
+    name = class_name(exp.class_name)
     
     if @current_class
       outer_class = @current_class
@@ -31,7 +31,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
       @current_class = @tracker.libs[name]
     else
       begin
-        parent = class_name exp[2]
+        parent = class_name exp.parent_name
       rescue StandardError => e
         Brakeman.debug e
         parent = nil
@@ -49,7 +49,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
       @tracker.libs[name] = @current_class
     end
 
-    exp[3] = process exp[3]
+    exp.body = process exp.body
 
     if outer_class
       @current_class = outer_class
@@ -61,7 +61,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   end
 
   def process_module exp
-    name = class_name(exp[1])
+    name = class_name(exp.module_name)
 
     if @current_module
       outer_class = @current_module
@@ -86,7 +86,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
       @tracker.libs[name] = @current_module
     end
 
-    exp[2] = process exp[2]
+    exp.body = process exp.body
 
     if outer_class
       @current_module = outer_class
@@ -99,12 +99,12 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
 
   def process_defn exp
     exp = @alias_processor.process exp
-    exp[0] = :methdef
+    exp.node_type = :methdef
 
     if @current_class
-      @current_class[:public][exp[1]] = exp
+      @current_class[:public][exp.method_name] = exp
     elsif @current_module
-      @current_module[:public][exp[1]] = exp
+      @current_module[:public][exp.method_name] = exp
     end
 
     exp
@@ -112,12 +112,12 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
 
   def process_defs exp
     exp = @alias_processor.process exp
-    exp[0] = :selfdef
+    exp.node_type = :selfdef
 
     if @current_class
-      @current_class[:public][exp[2]] = exp
+      @current_class[:public][exp.method_name] = exp
     elsif @current_module
-      @current_module[:public][exp[3]] = exp
+      @current_module[:public][exp.method_name] = exp
     end
 
     exp

data/lib/brakeman/processors/model_processor.rb

@@ -18,18 +18,20 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
 
   #s(:class, NAME, PARENT, s(:scope ...))
   def process_class exp
+    name = class_name exp.class_name
+
     if @model
-      Brakeman.debug "[Notice] Skipping inner class: #{class_name exp[1]}"
+      Brakeman.debug "[Notice] Skipping inner class: #{name}"
       ignore
     else
       begin
-        parent = class_name exp[2]
+        parent = class_name exp.parent_name
       rescue StandardError => e
         Brakeman.debug e
         parent = nil
       end
 
-      @model = { :name => class_name(exp[1]),
+      @model = { :name => name,
         :parent => parent,
         :includes => [],
         :public => {},
@@ -38,7 +40,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
         :options => {},
         :file => @file_name }
       @tracker.models[@model[:name]] = @model
-      res = process exp[3]
+      res = process exp.body
       @model = nil
       res
     end
@@ -48,18 +50,18 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
   #such as include, attr_accessible, private, etc.
   def process_call exp
     return exp unless @model
-    target = exp[1]
+    target = exp.target
     if sexp? target
       target = process target
     end
 
-    method = exp[2]
-    args = exp[3]
+    method = exp.method
+    args = exp.args
 
     #Methods called inside class definition
     #like attr_* and other settings
     if @current_method.nil? and target.nil?
-      if args.length == 1 #actually, empty
+      if args.empty?
         case method
         when :private, :protected, :public
           @visibility = method
@@ -71,10 +73,10 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
       else
         case method
         when :include
-          @model[:includes] << class_name(args[1]) if @model
+          @model[:includes] << class_name(args.first) if @model
         when :attr_accessible
           @model[:attr_accessible] ||= []
-          args = args[1..-1].map do |e|
+          args = args.map do |e|
             e[1]
           end
 
@@ -82,13 +84,13 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
         else
           if @model
             @model[:options][method] ||= []
-            @model[:options][method] << args
+            @model[:options][method] << exp.arglist
           end
         end
       end
       ignore
     else
-      call = Sexp.new :call, target, method, process(args)
+      call = Sexp.new :call, target, method, process(exp.arglist)
       call.line(exp.line)
       call
     end
@@ -97,10 +99,10 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
   #Add method definition to tracker
   def process_defn exp
     return exp unless @model
-    name = exp[1]
+    name = exp.method_name
 
     @current_method = name
-    res = Sexp.new :methdef, name, process(exp[2]), process(exp[3][1])
+    res = Sexp.new :methdef, name, exp[2], process(exp.body.value)
     res.line(exp.line)
     @current_method = nil
     if @model
@@ -113,7 +115,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
   #Add method definition to tracker
   def process_defs exp
     return exp unless @model
-    name = exp[2]
+    name = exp.method_name
 
     if exp[1].node_type == :self
       target = @model[:name]
@@ -122,7 +124,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     end
 
     @current_method = name
-    res = Sexp.new :selfdef, target, name, process(exp[3]), process(exp[4][1])
+    res = Sexp.new :selfdef, target, name, exp[3], process(exp.body.value)
     res.line(exp.line)
     @current_method = nil
     if @model