brakeman 1.8.3 → 1.9.0.pre1

data/lib/brakeman/processors/base_processor.rb

@@ -6,38 +6,31 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   include Brakeman::ProcessorHelper
   include Brakeman::Util
 
-  attr_reader :ignore
+  IGNORE = Sexp.new :ignore
 
   #Return a new Processor.
   def initialize tracker
     super()
     @last = nil
     @tracker = tracker
-    @ignore = Sexp.new :ignore
     @current_template = @current_module = @current_class = @current_method = nil
   end
 
+  def ignore
+    IGNORE
+  end
+
   def process_class exp
     current_class = @current_class
     @current_class = class_name exp[1]
-    process exp[3]
+    process_all exp.body
     @current_class = current_class
     exp
   end
 
   #Process a new scope. Removes expressions that are set to nil.
   def process_scope exp
-    exp = exp.dup
-    exp.shift
-    exp.map! do |e|
-      res = process e
-      if res.empty?
-        res = nil
-      else
-        res
-      end
-    end.compact
-    exp.unshift :scope
+    #NOPE?
   end
 
   #Default processing.
@@ -188,7 +181,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
 
   #Generates :render node from call to render.
   def make_render exp, in_view = false 
-    render_type, value, rest = find_render_type exp.args, in_view
+    render_type, value, rest = find_render_type exp, in_view
     rest = process rest
     result = Sexp.new(:render, render_type, value, rest)
     result.line(exp.line)
@@ -202,14 +195,14 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   #:template, :text, :update, :xml
   #
   #And also :layout for inside templates
-  def find_render_type args, in_view = false
+  def find_render_type call, in_view = false
     rest = Sexp.new(:hash)
     type = nil
     value = nil
-    first_arg = args.first
+    first_arg = call.first_arg
 
-    if args.length == 1 and first_arg == Sexp.new(:lit, :update)
-      return :update, nil, Sexp.new(:arglist, *args[0..-2]) #TODO HUH?
+    if call.second_arg.nil? and first_arg == Sexp.new(:lit, :update)
+      return :update, nil, Sexp.new(:arglist, *call.args[0..-2]) #TODO HUH?
     end
 
     #Look for render :action, ... or render "action", ...
@@ -238,10 +231,12 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
       types_in_hash << :layout
     end
 
+    last_arg = call.last_arg
+
     #Look for "type" of render in options hash
     #For example, render :file => "blah"
-    if hash? args.last
-      hash_iterate(args.last) do |key, val|
+    if hash? last_arg
+      hash_iterate(last_arg) do |key, val|
         if symbol? key and types_in_hash.include? key.value
           type = key.value
           value = val

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -1,5 +1,6 @@
 require 'brakeman/processors/alias_processor'
 require 'brakeman/processors/lib/render_helper'
+require 'brakeman/processors/lib/find_return_value'
 
 #Processes aliasing in controllers, but includes following
 #renders in routes and putting variables into templates
@@ -9,8 +10,9 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #If only_method is specified, only that method will be processed,
   #other methods will be skipped.
   #This is for rescanning just a single action.
-  def initialize tracker, only_method = nil
+  def initialize app_tree, tracker, only_method = nil
     super()
+    @app_tree = app_tree
     @only_method = only_method
     @tracker = tracker
     @rendered = false
@@ -46,7 +48,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       methods.each do |name|
         #Need to process the method like it was in a controller in order
         #to get the renders set
-        processor = Brakeman::ControllerProcessor.new(@tracker)
+        processor = Brakeman::ControllerProcessor.new(@app_tree, @tracker)
         method = mixin[:public][name]
 
         if node_type? method, :methdef
@@ -97,7 +99,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
         end
       end
 
-      process exp.body
+      process_all exp.body
 
       if is_route and not @rendered
         process_default_render exp
@@ -111,10 +113,18 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #Look for calls to head()
   def process_call exp
     exp = super
+    return exp unless call? exp
 
-    if call? exp and exp.method == :head
+    method = exp.method
+
+    if method == :head
       @rendered = true
+    elsif @tracker.options[:interprocedural] and
+      @current_method and (exp.target.nil? or exp.target.node_type == :self)
+
+      exp = get_call_value(exp)
     end
+
     exp
   end
 
@@ -132,7 +142,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #Processes a call to a before filter.
   #Basically, adds any instance variable assignments to the environment.
   #TODO: method arguments?
-  def process_before_filter name 
+  def process_before_filter name
     filter = find_method name, @current_class
 
     if filter.nil?
@@ -148,7 +158,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       end
     else
       processor = Brakeman::AliasProcessor.new @tracker
-      processor.process_safely(method.body)
+      processor.process_safely(method.body_list)
 
       ivars = processor.only_ivars(:include_request_vars).all
 
@@ -200,9 +210,12 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 
   #Returns true if the given method name is also a route
   def route? method
-    return true if @tracker.routes[:allow_all_actions] or @tracker.options[:assume_all_routes]
-    routes = @tracker.routes[@current_class]
-    routes and (routes == :allow_all_actions or routes.include? method)
+    if @tracker.routes[:allow_all_actions] or @tracker.options[:assume_all_routes]
+      true
+    else
+      routes = @tracker.routes[@current_class]
+      routes and (routes == :allow_all_actions or routes.include? method)
+    end
   end
 
   #Get list of filters, including those that are inherited
@@ -236,9 +249,9 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     end
 
     controller[:before_filter_cache].each do |f|
-      if f[:all] or 
+      if f[:all] or
         (f[:only] == method) or
-        (f[:only].is_a? Array and f[:only].include? method) or 
+        (f[:only].is_a? Array and f[:only].include? method) or
         (f[:except].is_a? Symbol and f[:except] != method) or
         (f[:except].is_a? Array and not f[:except].include? method)
 

data/lib/brakeman/processors/controller_processor.rb

@@ -2,10 +2,11 @@ require 'brakeman/processors/base_processor'
 
 #Processes controller. Results are put in tracker.controllers
 class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
-  FORMAT_HTML = Sexp.new(:call, Sexp.new(:lvar, :format), :html, Sexp.new(:arglist))
+  FORMAT_HTML = Sexp.new(:call, Sexp.new(:lvar, :format), :html)
 
-  def initialize tracker
-    super 
+  def initialize app_tree, tracker
+    super(tracker)
+    @app_tree = app_tree
     @controller = nil
     @current_method = nil
     @current_module = nil
@@ -49,7 +50,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
                     :src => exp,
                     :file => @file_name }
     @tracker.controllers[@controller[:name]] = @controller
-    exp.body = process exp.body
+    exp.body = process_all! exp.body
     set_layout_name
     @controller = nil
     exp
@@ -63,12 +64,13 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     end
 
     method = exp.method
-    args = exp.args
+    first_arg = exp.first_arg
+    last_arg = exp.last_arg
 
     #Methods called inside class definition
     #like attr_* and other settings
     if @current_method.nil? and target.nil? and @controller
-      if args.empty?
+      if first_arg.nil? #No args
         case method
         when :private, :protected, :public
           @visibility = method
@@ -80,21 +82,21 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
       else
         case method
         when :include
-          @controller[:includes] << class_name(args.first) if @controller
+          @controller[:includes] << class_name(first_arg) if @controller
         when :before_filter
           @controller[:options][:before_filters] ||= []
-          @controller[:options][:before_filters] << args
+          @controller[:options][:before_filters] << exp.args
         when :layout
-          if string? args.last
+          if string? last_arg
             #layout "some_layout"
 
-            name = args.last.value.to_s
-            unless Dir.glob("#{@tracker.options[:app_path]}/app/views/layouts/#{name}.html.{erb,haml}").empty?
+            name = last_arg.value.to_s
+            if @app_tree.layout_exists?(name)
               @controller[:layout] = "layouts/#{name}"
             else
               Brakeman.debug "[Notice] Layout not found: #{name}"
             end
-          elsif node_type? args.last, :nil, :false
+          elsif node_type? last_arg, :nil, :false
             #layout :false or layout nil
             @controller[:layout] = false
           end
@@ -107,7 +109,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
       exp
     elsif target == nil and method == :render
       make_render exp
-    elsif exp == FORMAT_HTML and context[1] != :iter 
+    elsif exp == FORMAT_HTML and context[1] != :iter
       #This is an empty call to
       # format.html
       #Which renders the default template if no arguments
@@ -116,7 +118,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
       call.line(exp.line)
       call
     else
-      call = Sexp.new :call, target, method, process(exp.arglist) #RP 3 TODO
+      call = make_call target, method, process_all!(exp.args)
       call.line(exp.line)
       call
     end
@@ -126,11 +128,10 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
   def process_defn exp
     name = exp.method_name
     @current_method = name
-    res = Sexp.new :methdef, name, process(exp[2]), process(exp.body.block)
+    res = Sexp.new :methdef, name, exp.formal_args, *process_all!(exp.body)
     res.line(exp.line)
     @current_method = nil
     @controller[@visibility][name] = res unless @controller.nil?
-
     res
   end
 
@@ -151,7 +152,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     end
 
     @current_method = name
-    res = Sexp.new :selfdef, target, name, process(exp[3]), process(exp.body.block)
+    res = Sexp.new :selfdef, target, name, exp.formal_args, *process_all!(exp.body)
     res.line(exp.line)
     @current_method = nil
     @controller[@visibility][name] = res unless @controller.nil?
@@ -175,7 +176,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     name = underscore(@controller[:name].to_s.split("::")[-1].gsub("Controller", ''))
 
     #There is a layout for this Controller
-    unless Dir.glob("#{@tracker.options[:app_path]}/app/views/layouts/#{name}.html.{erb,haml}").empty?
+    if @app_tree.layout_exists?(name)
       @controller[:layout] = "layouts/#{name}"
     end
   end
@@ -188,9 +189,9 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     filter_name = ("fake_filter" + rand.to_s[/\d+$/]).to_sym
     args = exp.block_call.arglist
     args.insert(1, Sexp.new(:lit, filter_name))
-    before_filter_call = Sexp.new(:call, nil, :before_filter, args)
+    before_filter_call = make_call(nil, :before_filter, args)
 
-    if exp.block_args
+    if exp.block_args.length > 1
       block_variable = exp.block_args[1]
     else
       block_variable = :temp
@@ -203,12 +204,11 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     end
 
     #Build Sexp for filter method
-    body = Sexp.new(:scope, 
-            Sexp.new(:block,
-              Sexp.new(:lasgn, block_variable, 
-                Sexp.new(:call, Sexp.new(:const, @controller[:name]), :new, Sexp.new(:arglist)))).concat(block_inner))
+    body = Sexp.new(:lasgn,
+                    block_variable, 
+                    Sexp.new(:call, Sexp.new(:const, @controller[:name]), :new))
 
-    filter_method = Sexp.new(:defn, filter_name, Sexp.new(:args), body).line(exp.line)
+    filter_method = Sexp.new(:defn, filter_name, Sexp.new(:args), body).concat(block_inner).line(exp.line)
 
     vis = @visibility
     @visibility = :private

data/lib/brakeman/processors/erb_template_processor.rb

@@ -4,7 +4,7 @@ require 'brakeman/processors/template_processor'
 #(those ending in .html.erb or .rthml).
 class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
   
-  #s(:call, TARGET, :method, s(:arglist))
+  #s(:call, TARGET, :method, ARGS)
   def process_call exp
     target = exp.target
     if sexp? target
@@ -16,14 +16,14 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
     if node_type? target, :lvar and target.value == :_erbout
       if method == :concat
         @inside_concat = true
-        args = exp.arglist = process(exp.arglist)
+        exp.arglist = process(exp.arglist)
         @inside_concat = false
 
-        if args.length > 2
+        if exp.second_arg
           raise Exception.new("Did not expect more than a single argument to _erbout.concat")
         end
 
-        arg = args[1]
+        arg = exp.first_arg
 
         if arg.node_type == :call and arg.method == :to_s #erb always calls to_s on output
           arg = arg.target
@@ -47,8 +47,7 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
       make_render_in_view exp
     else
       #TODO: Is it really necessary to create a new Sexp here?
-      args = exp.arglist = process(exp.arglist)
-      call = Sexp.new :call, target, method, args
+      call = make_call target, method, process_all!(exp.args)
       call.original_line(exp.original_line)
       call.line(exp.line)
       call
@@ -64,7 +63,7 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
         process e
       end
       @inside_concat = true
-      process exp[-1]
+      process exp.last
     else
       exp.map! do |e|
         res = process e

data/lib/brakeman/processors/erubis_template_processor.rb

@@ -3,7 +3,7 @@ require 'brakeman/processors/template_processor'
 #Processes ERB templates using Erubis instead of erb.
 class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
   
-  #s(:call, TARGET, :method, s(:arglist))
+  #s(:call, TARGET, :method, ARGS)
   def process_call exp
     target = exp.target
     if sexp? target
@@ -46,8 +46,7 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
       make_render_in_view exp
     else
       #TODO: Is it really necessary to create a new Sexp here?
-      args = exp.arglist = process(exp.arglist)
-      call = Sexp.new :call, target, method, args
+      call = make_call target, method, process_all!(exp.args)
       call.original_line(exp.original_line)
       call.line(exp.line)
       call

data/lib/brakeman/processors/gem_processor.rb

@@ -27,12 +27,13 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
 
   def process_call exp
     if exp.target == nil and exp.method == :gem
-      args = exp.args
+      gem_name = exp.first_arg
+      gem_version = exp.second_arg
 
-      if string? args.second
-        @tracker.config[:gems][args.first.value.to_sym] = args.second.value
+      if string? gem_version
+        @tracker.config[:gems][gem_name.value.to_sym] = gem_version.value
       else
-        @tracker.config[:gems][args.first.value.to_sym] = ">=0.0.0"
+        @tracker.config[:gems][gem_name.value.to_sym] = ">=0.0.0"
       end
     end
 

data/lib/brakeman/processors/haml_template_processor.rb

@@ -36,14 +36,13 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
             when :options, :buffer
               exp
             when :open_tag
-              process(exp.arglist)
-              exp
+              process_call_args exp
             else
               arg = exp.first_arg
 
               if arg
                 @inside_concat = true
-                out = exp.arglist[1] = process(arg)
+                out = exp.first_arg = process(arg)
                 @inside_concat = false
               else
                 raise Exception.new("Empty _hamlout.#{method}()?")
@@ -78,7 +77,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       #Has something to do with values of blocks?
     elsif sexp? target and method == :<< and is_buffer_target? target
       @inside_concat = true
-      out = exp.arglist[1] = process(exp.arglist[1])
+      out = exp.first_arg = process(exp.first_arg)
       @inside_concat = false
 
       if out.node_type == :str #ignore plain strings
@@ -95,8 +94,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       make_render_in_view exp
     else
       #TODO: Do we really need a new Sexp here?
-      args = process exp.arglist
-      call = Sexp.new :call, target, method, args
+      call = make_call target, method, process_all!(exp.args)
       call.original_line(exp.original_line)
       call.line(exp.line)
       call

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -22,12 +22,12 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
 
   #Process body of method
   def process_methdef exp
-    process exp.body
+    process_all exp.body
   end
 
   #Process body of method
   def process_selfdef exp
-    process exp.body
+    process_all exp.body
   end
 
   #Process body of block
@@ -46,7 +46,7 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
     end
 
     method = exp.method
-    process_all exp.args
+    process_call_args exp
 
     call = { :target => target, :method => method, :call => exp, :nested => @in_target, :chain => get_chain(exp) }