brakeman 1.7.1 → 1.8.0

data/lib/brakeman/processors/template_alias_processor.rb

@@ -17,12 +17,16 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
 
   #Process template
   def process_template name, args
-    if @called_from and @called_from.match(/Template:#{name}$/)
-      Brakeman.debug "Skipping circular render from #{@template[:name]} to #{name}"
-      return
-    end
+    if @called_from
+      unless @called_from.grep(/Template:#{name}$/).empty?
+        Brakeman.debug "Skipping circular render from #{@template[:name]} to #{name}"
+        return
+      end
 
-    super name, args, "Template:#{@template[:name]}"
+      super name, args, @called_from + ["Template:#{@template[:name]}"]
+    else
+      super name, args, ["Template:#{@template[:name]}"]
+    end
   end
 
   #Determine template name
@@ -37,28 +41,31 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
   def process_call_with_block exp
     process_default exp
     
-    call = exp[1]
-    target = call[1]
-    method = call[2]
-    args = exp[2]
-    block = exp[3]
-
-    #Check for e.g. Model.find.each do ... end
-    if method == :each and args and block and model = get_model_target(target)
-      if node_type? args, :lasgn
-        if model == target[1]
-          env[Sexp.new(:lvar, args[1])] = Sexp.new(:call, model, :new, Sexp.new(:arglist))
-        else
-          env[Sexp.new(:lvar, args[1])] = Sexp.new(:call, Sexp.new(:const, Brakeman::Tracker::UNKNOWN_MODEL), :new, Sexp.new(:arglist))
+    call = exp.block_call
+
+    if call? call
+      target = call.target
+      method = call.method
+      args = exp.block_args
+      block = exp.block
+
+      #Check for e.g. Model.find.each do ... end
+      if method == :each and args and block and model = get_model_target(target)
+        if node_type? args, :lasgn
+          if model == target.target
+            env[Sexp.new(:lvar, args.lhs)] = Sexp.new(:call, model, :new, Sexp.new(:arglist))
+          else
+            env[Sexp.new(:lvar, args.lhs)] = Sexp.new(:call, Sexp.new(:const, Brakeman::Tracker::UNKNOWN_MODEL), :new, Sexp.new(:arglist))
+          end
+
+          process block if sexp? block
         end
-        
-        process block if sexp? block
-      end
-    elsif FORM_METHODS.include? method
-      if node_type? args, :lasgn
-        env[Sexp.new(:lvar, args[1])] = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist)) 
+      elsif FORM_METHODS.include? method
+        if node_type? args, :lasgn
+          env[Sexp.new(:lvar, args.lhs)] = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist)) 
 
-        process block if sexp? block
+          process block if sexp? block
+        end
       end
     end
 
@@ -70,9 +77,9 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
   #Checks if +exp+ is a call to Model.all or Model.find*
   def get_model_target exp
     if call? exp
-      target = exp[1]
+      target = exp.target
 
-      if exp[2] == :all or exp[2].to_s[0,4] == "find"
+      if exp.method == :all or exp.method.to_s[0,4] == "find"
         models = Set.new @tracker.models.keys
 
         begin
@@ -91,9 +98,9 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
 
   def find_push_target exp
     if sexp? exp
-      if exp.node_type == :lvar and (exp[1] == :_buf or exp[1] == :_erbout)
+      if exp.node_type == :lvar and (exp.value == :_buf or exp.value == :_erbout)
         return nil
-      elsif exp.node_type == :ivar and exp[1] == :@output_buffer
+      elsif exp.node_type == :ivar and exp.value == :@output_buffer
         return nil
       end
     end

data/lib/brakeman/processors/template_processor.rb

@@ -35,19 +35,19 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
 
   #Ignore initial variable assignment
   def process_lasgn exp
-    if exp[1] == :_erbout and exp[2].node_type == :str  #ignore
+    if exp.lhs == :_erbout and exp.rhs.node_type == :str  #ignore
       ignore
-    elsif exp[1] == :_buf and exp[2].node_type == :str
+    elsif exp.lhs == :_buf and exp.rhs.node_type == :str
       ignore
     else
-      exp[2] = process exp[2]
+      exp.rhs = process exp.rhs
       exp
     end
   end
 
   #Adds output to the list of outputs.
   def process_output exp
-    process exp[1]
+    process exp.value
     @current_template[:outputs] << exp
     exp
   end

data/lib/brakeman/report.rb

@@ -1,5 +1,6 @@
 require 'cgi'
 require 'set'
+require 'pathname'
 require 'brakeman/processors/output_processor'
 require 'brakeman/util'
 require 'terminal-table'
@@ -136,6 +137,8 @@ class Brakeman::Report
           w["Confidence"] = HTML_CONFIDENCE[w["Confidence"]]
           w["Message"] = with_context warning, w["Message"]
           w["Warning Type"] = with_link warning, w["Warning Type"]
+          w["Called From"] = warning.called_from
+          w["Template Name"] = warning.template[:name]
         else
           w["Confidence"] = TEXT_CONFIDENCE[w["Confidence"]]
           w["Message"] = text_message warning, w["Message"]
@@ -549,7 +552,7 @@ class Brakeman::Report
       message
     end <<
     "<table id='#{code_id}' class='context' style='display:none'>" <<
-    "<caption>#{(warning.file || '').gsub(tracker.options[:app_path], "")}</caption>"
+    "<caption>#{warning_file(warning, :relative) || ''}</caption>"
 
     unless context.empty?
       if warning.line - 1 == 1 or warning.line + 1 == 1
@@ -612,7 +615,7 @@ class Brakeman::Report
       checks.send(meth).map do |w|
         line = w.line || 0
         w.warning_type.gsub!(/[^\w\s]/, ' ')
-        "#{file_for w}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
+        "#{warning_file w}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
       end.join "\n"
 
     end.join "\n"
@@ -635,7 +638,6 @@ class Brakeman::Report
           w.code = ""
         end
         w.context = context_for(w).join("\n")
-        w.file = file_for w
       end
     end
 
@@ -648,7 +650,14 @@ class Brakeman::Report
     require 'json'
 
     errors = tracker.errors.map{|e| { :error => e[:error], :location => e[:backtrace][0] }}
-    warnings = all_warnings.map { |w| w.to_hash }.sort_by{|w| w[:file]}
+    app_path = tracker.options[:app_path]
+
+    warnings = all_warnings.map do |w|
+      hash = w.to_hash
+      hash[:file] = warning_file w
+      hash
+    end.sort_by { |w| w[:file] }
+
     scan_info = {
       :app_path => File.expand_path(tracker.options[:app_path]),
       :rails_version => rails_version,
@@ -678,6 +687,16 @@ class Brakeman::Report
     Set.new(tracker.templates.map {|k,v| v[:name].to_s[/[^.]+/]}).length
   end
 
+  def warning_file warning, relative = false
+    return nil if warning.file.nil?
+
+    if @tracker.options[:relative_paths] or relative
+      Pathname.new(warning.file).relative_path_from(Pathname.new(tracker.options[:app_path])).to_s
+    else
+      warning.file
+    end
+  end
+
   private
 
   def load_and_render_erb file, bind

data/lib/brakeman/templates/error_overview.html.erb

@@ -7,7 +7,15 @@
 <% tracker.errors.each do |warning| %>
   <tr>
     <td><%= CGI.escapeHTML warning[:error] %></td>
-    <td><%= warning[:backtrace][0] %></td>
+    <td>
+      <% if tracker.options[:debug] %>
+        <% warning[:backtrace].each do |line| %>
+          <%= line %><br/>
+        <% end %>
+      <% else %>
+        <%= warning[:backtrace][0] %>
+      <% end %>
+    </td>
   </tr>
 <% end %>
 </table>

data/lib/brakeman/templates/view_warnings.html.erb

@@ -6,12 +6,25 @@
     <th>Warning Type</th>
     <th>Message</th>
   </tr>
-<% warnings.each do |warning| %>
+<% warnings.each_with_index do |warning, i| %>
   <tr>
     <td><%= warning['Confidence']%></td>
-    <td><%= warning['Template']%></td>
+    <td>
+      <% if warning['Called From'] and warning['Called From'].length > 1 %>
+        <div class="template_name" onClick="toggle('callers<%= i %>')" >
+          <div>
+            <%= warning['Template'] %>
+          </div>
+          <div class="render_path" id="callers<%= i %>" >
+            <%= warning['Called From'].join(' &rarr; ') %> &rarr; <%= warning['Template Name'] %>
+          </div>
+        </div>
+      <% else %>
+        <%= warning['Template']%>
+      <% end %>
+    </td>
     <td><%= warning['Warning Type']%></td>
     <td><%= warning['Message']%></td>
   </tr>
 <% end %>
-</table>
+</table>

data/lib/brakeman/tracker.rb

@@ -54,6 +54,9 @@ class Brakeman::Tracker
       backtrace = [ backtrace ]
     end
 
+    Brakeman.debug exception
+    Brakeman.debug backtrace
+
     @errors << { :error => exception.to_s.gsub("\n", " "), :backtrace => backtrace }
   end
 

data/lib/brakeman/util.rb

@@ -346,7 +346,11 @@ module Brakeman::Util
   end
 
   def truncate_table str
-    @terminal_width ||= ::HighLine::SystemExtensions::terminal_size[0]
+    @terminal_width ||= if $stdin && $stdin.tty?
+                          ::HighLine::SystemExtensions::terminal_size[0]
+                        else
+                          80
+                        end
     lines = str.lines
 
     lines.map do |line|

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.7.1"
+  Version = "1.8.0"
 end

data/lib/brakeman/warning.rb

@@ -66,7 +66,7 @@ class Brakeman::Warning
   def view_name
     return @view_name if @view_name
     if called_from
-      @view_name = "#{template[:name]} (#{called_from})"
+      @view_name = "#{template[:name]} (#{called_from.last})"
     else
       @view_name = template[:name]
     end

data/lib/ruby_parser/bm_sexp.rb

@@ -3,20 +3,44 @@
 #of a Sexp.
 class Sexp
   attr_reader :paren
+  ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cdecl, :or, :and]
+
+  def method_missing name, *args
+    #Brakeman does not use this functionality,
+    #so overriding it to raise a NoMethodError.
+    #
+    #The original functionality calls find_node and optionally
+    #deletes the node if found.
+    raise NoMethodError.new("No method '#{name}' for Sexp", name, args)
+  end
 
   def paren
     @paren ||= false
   end
 
   def value
-    raise "multi item sexp" if size > 2
+    raise WrongSexpError, "Sexp#value called on multi-item Sexp", caller[1..-1] if size > 2
     last
   end
 
+  def second
+    self[1]
+  end
+
   def to_sym
     self.value.to_sym
   end
 
+  def node_type= type
+    self[0] = type
+  end
+
+  def resbody delete = false
+    #RubyParser relies on method_missing for this, but since we don't want to use
+    #method_missing, here's a real method.
+    find_node :resbody, delete
+  end
+
   alias :node_type :sexp_type
   alias :values :sexp_body # TODO: retire
 
@@ -86,6 +110,282 @@ class Sexp
     @my_hash_value = nil
     old_comments_set(*args)
   end
+
+  #Iterates over the Sexps in an Sexp, skipping values that are not
+  #an Sexp.
+  def each_sexp
+    self.each do |e|
+      yield e if Sexp === e
+    end
+  end
+
+  #Raise a WrongSexpError if the nodes type does not match one of the expected
+  #types.
+  def expect *types
+    unless types.include? self.node_type
+      raise WrongSexpError, "Expected #{types.join ' or '} but given #{self.inspect}", caller[1..-1]
+    end
+  end
+
+  #Returns target of a method call:
+  #
+  #s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1)))
+  #         ^-----------target-----------^
+  def target
+    expect :call, :attrasgn
+    self[1]
+  end
+
+  #Sets the target of a method call:
+  def target= exp
+    expect :call, :attrasgn
+    self[1] = exp
+  end
+
+  #Returns method of a method call:
+  #
+  #s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1)))
+  #                        ^- method
+  def method
+    expect :call, :attrasgn
+    self[2]
+  end
+
+  #Sets the arglist in a method call.
+  def arglist= exp
+    expect :call, :attrasgn
+    self[3] = exp
+    #RP 3 TODO
+  end
+
+  #Returns arglist for method call. This differs from Sexp#args, as Sexp#args
+  #does not return a 'real' Sexp (it does not have a node type) but
+  #Sexp#arglist returns a s(:arglist, ...)
+  #
+  #    s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1), s(:lit, 2)))
+  #                                                 ^------------ arglist ------------^
+  def arglist
+    expect :call, :attrasgn
+    self[3]
+
+    #For new ruby_parser
+    #Sexp.new(:arglist, *self[3..-1])
+  end
+
+  #Returns arguments of a method call. This will be an 'untyped' Sexp.
+  #
+  #    s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1), s(:lit, 2)))
+  #                                                             ^--------args--------^
+  def args
+    expect :call, :attrasgn
+    #For new ruby_parser
+    #if self[3]
+    #  self[3..-1]
+    #else
+    #  []
+    #end
+
+    #For old ruby_parser
+    if self[3]
+      self[3][1..-1]
+    else
+      []
+    end
+  end
+
+  #Returns first argument of a method call.
+  def first_arg
+    expect :call, :attrasgn
+    if self[3]
+      self[3][1]
+    end
+  end
+
+  #Sets first argument of a method call.
+  def first_arg= exp
+    expect :call, :attrasgn
+    if self[3]
+      self[3][1] = exp
+    end
+  end
+
+  #Returns second argument of a method call.
+  def second_arg
+    expect :call, :attrasgn
+    if self[3]
+      self[3][2]
+    end
+  end
+
+  #Sets second argument of a method call.
+  def second_arg= exp
+    expect :call, :attrasgn
+    if self[3]
+      self[3][2] = exp
+    end
+  end
+
+  #Returns condition of an if expression:
+  #
+  #    s(:if,
+  #     s(:lvar, :condition), <-- condition
+  #     s(:lvar, :then_val),
+  #     s(:lvar, :else_val)))
+  def condition
+    expect :if
+    self[1]
+  end
+
+  #Returns 'then' clause of an if expression:
+  #
+  #    s(:if,
+  #     s(:lvar, :condition),
+  #     s(:lvar, :then_val), <-- then clause
+  #     s(:lvar, :else_val)))
+  def then_clause
+    expect :if
+    self[2]
+  end
+
+  #Returns 'else' clause of an if expression:
+  #
+  #    s(:if,
+  #     s(:lvar, :condition),
+  #     s(:lvar, :then_val),
+  #     s(:lvar, :else_val)))
+  #     ^---else caluse---^
+  def else_clause
+    expect :if
+    self[3]
+  end
+
+  #Method call associated with a block:
+  #
+  #    s(:iter,
+  #     s(:call, nil, :x, s(:arglist)), <- block_call
+  #      s(:lasgn, :y),
+  #       s(:block, s(:lvar, :y), s(:call, nil, :z, s(:arglist))))
+  def block_call
+    expect :iter, :call_with_block
+    self[1]
+  end
+
+  #Returns block of a call with a block.
+  #Could be a single expression or a block:
+  #
+  #    s(:iter,
+  #     s(:call, nil, :x, s(:arglist)),
+  #      s(:lasgn, :y),
+  #       s(:block, s(:lvar, :y), s(:call, nil, :z, s(:arglist))))
+  #       ^-------------------- block --------------------------^
+  def block
+    expect :iter, :call_with_block, :scope
+
+    case self.node_type
+    when :iter, :call_with_block
+      self[3]
+    when :scope
+      self[1]
+    end
+  end
+
+  #Returns parameters for a block
+  #
+  #    s(:iter,
+  #     s(:call, nil, :x, s(:arglist)),
+  #      s(:lasgn, :y), <- block_args
+  #       s(:call, nil, :p, s(:arglist, s(:lvar, :y))))
+  def block_args
+    expect :iter, :call_with_block
+    self[2]
+  end
+
+  #Returns the left hand side of assignment or boolean:
+  #
+  #    s(:lasgn, :x, s(:lit, 1))
+  #               ^--lhs
+  def lhs
+    expect *ASSIGNMENT_BOOL
+    self[1]
+  end
+
+  #Sets the left hand side of assignment or boolean.
+  def lhs= exp
+    expect *ASSIGNMENT_BOOL
+    self[1] = exp
+  end
+
+  #Returns right side (value) of assignment or boolean:
+  #
+  #    s(:lasgn, :x, s(:lit, 1))
+  #                  ^--rhs---^
+  def rhs
+    expect *ASSIGNMENT_BOOL
+    self[2]
+  end
+
+  #Sets the right hand side of assignment or boolean.
+  def rhs= exp
+    expect *ASSIGNMENT_BOOL
+    self[2] = exp
+  end
+
+  #Returns name of method being defined in a method definition.
+  def method_name
+    expect :defn, :defs, :methdef, :selfdef
+
+    case self.node_type
+    when :defn, :methdef
+      self[1]
+    when :defs, :selfdef
+      self[2]
+    end
+  end
+
+  #Sets body
+  def body= exp
+    expect :defn, :defs, :methdef, :selfdef, :class, :module
+    
+    case self.node_type
+    when :defn, :methdef, :class
+      self[3] = exp
+    when :defs, :selfdef
+      self[4] = exp
+    when :module
+      self[2] = exp
+    end
+  end
+
+  #Returns body of a method definition, class, or module.
+  def body
+    expect :defn, :defs, :methdef, :selfdef, :class, :module
+
+    case self.node_type
+    when :defn, :methdef, :class
+      self[3]
+    when :defs, :selfdef
+      self[4]
+    when :module
+      self[2]
+    end
+  end
+
+  def render_type
+    expect :render
+    self[1]
+  end
+
+  def class_name
+    expect :class, :module
+    self[1]
+  end
+
+  alias module_name class_name
+
+  def parent_name
+    expect :class
+    self[2]
+  end
 end
 
 #Invalidate hash cache if the Sexp changes
@@ -103,4 +403,4 @@ end
     RUBY
 end
 
-
+class WrongSexpError < RuntimeError; end