brakeman 1.8.3 → 1.9.0.pre1

data/lib/brakeman/templates/header.html.erb

@@ -26,13 +26,18 @@
   <tr>
     <th>Application Path</th>
     <th>Rails Version</th>
-    <th>Report Generation Time</th>
+    <th>Brakeman Version</th>
+    <th>Report Time</th>
     <th>Checks Performed</th>
   </tr>
   <tr>
     <td><%= File.expand_path tracker.options[:app_path] %></td>
     <td><%= rails_version %></td>
-    <td><%= Time.now %></td>
+    <td><%= Brakeman::Version %>
+    <td>
+      <%= tracker.start_time %><br><br>
+      <%= tracker.duration %> seconds
+    </td>
     <td><%= checks.checks_run.sort.join(", ") %></td>
   </tr>
 </table>

data/lib/brakeman/tracker.rb

@@ -9,7 +9,8 @@ require 'brakeman/processors/lib/find_all_calls'
 class Brakeman::Tracker
   attr_accessor :controllers, :templates, :models, :errors,
     :checks, :initializers, :config, :routes, :processor, :libs,
-    :template_cache, :options, :filter_cache
+    :template_cache, :options, :filter_cache, :start_time, :end_time,
+    :duration
 
   #Place holder when there should be a model, but it is not
   #clear what model it will be.
@@ -19,9 +20,11 @@ class Brakeman::Tracker
   #
   #The Processor argument is only used by other Processors
   #that might need to access it.
-  def initialize processor = nil, options = {}
+  def initialize(app_tree, processor = nil, options = {})
+    @app_tree = app_tree
     @processor = processor
     @options = options
+
     @config = {}
     @templates = {}
     @controllers = {}
@@ -44,6 +47,9 @@ class Brakeman::Tracker
     @template_cache = Set.new
     @filter_cache = {}
     @call_index = nil
+    @start_time = Time.now
+    @end_time = nil
+    @duration = nil
   end
 
   #Add an error to the list. If no backtrace is given,
@@ -63,7 +69,11 @@ class Brakeman::Tracker
   #Run a set of checks on the current information. Results will be stored
   #in Tracker#checks.
   def run_checks
-    @checks = Brakeman::Checks.run_checks(self)
+    @checks = Brakeman::Checks.run_checks(@app_tree, self)
+
+    @end_time = Time.now
+    @duration = @end_time - @start_time
+    @checks
   end
 
   #Iterate over all methods in controllers and models.
@@ -139,7 +149,7 @@ class Brakeman::Tracker
 
   #Returns a Report with this Tracker's information
   def report
-    Brakeman::Report.new(self)
+    Brakeman::Report.new(@app_tree, self)
   end
 
   def index_call_sites

data/lib/brakeman/util.rb

@@ -4,21 +4,21 @@ require 'active_support/inflector'
 #This is a mixin containing utility methods.
 module Brakeman::Util
 
-  QUERY_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request, Sexp.new(:arglist)), :query_parameters, Sexp.new(:arglist))
+  QUERY_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :query_parameters)
 
-  PATH_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request, Sexp.new(:arglist)), :path_parameters, Sexp.new(:arglist))
+  PATH_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :path_parameters)
 
-  REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request, Sexp.new(:arglist)), :request_parameters, Sexp.new(:arglist))
+  REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request), :request_parameters)
 
-  REQUEST_PARAMS = Sexp.new(:call, Sexp.new(:call, nil, :request, Sexp.new(:arglist)), :parameters, Sexp.new(:arglist))
+  REQUEST_PARAMS = Sexp.new(:call, Sexp.new(:call, nil, :request), :parameters)
 
-  REQUEST_ENV = Sexp.new(:call, Sexp.new(:call, nil, :request, Sexp.new(:arglist)), :env, Sexp.new(:arglist))
+  REQUEST_ENV = Sexp.new(:call, Sexp.new(:call, nil, :request), :env)
 
-  PARAMETERS = Sexp.new(:call, nil, :params, Sexp.new(:arglist))
+  PARAMETERS = Sexp.new(:call, nil, :params)
 
-  COOKIES = Sexp.new(:call, nil, :cookies, Sexp.new(:arglist))
+  COOKIES = Sexp.new(:call, nil, :cookies)
 
-  SESSION = Sexp.new(:call, nil, :session, Sexp.new(:arglist))
+  SESSION = Sexp.new(:call, nil, :session)
 
   ALL_PARAMETERS = Set[PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS, REQUEST_PARAMS]
 
@@ -75,7 +75,7 @@ module Brakeman::Util
       end
       index += 2
     end
-      
+
     hash << key << value
 
     hash
@@ -96,19 +96,24 @@ module Brakeman::Util
     nil
   end
 
+  #These are never modified
+  PARAMS_SEXP = Sexp.new(:params)
+  SESSION_SEXP = Sexp.new(:session)
+  COOKIES_SEXP = Sexp.new(:cookies)
+
   #Adds params, session, and cookies to environment
   #so they can be replaced by their respective Sexps.
   def set_env_defaults
-    @env[PARAMETERS] = Sexp.new(:params)
-    @env[SESSION] = Sexp.new(:session)
-    @env[COOKIES] = Sexp.new(:cookies)
+    @env[PARAMETERS] = PARAMS_SEXP
+    @env[SESSION] = SESSION_SEXP
+    @env[COOKIES] = COOKIES_SEXP
   end
 
   #Check if _exp_ represents a hash: s(:hash, {...})
   #This also includes pseudo hashes params, session, and cookies.
   def hash? exp
-    exp.is_a? Sexp and (exp.node_type == :hash or 
-                        exp.node_type == :params or 
+    exp.is_a? Sexp and (exp.node_type == :hash or
+                        exp.node_type == :params or
                         exp.node_type == :session or
                         exp.node_type == :cookies)
   end
@@ -239,6 +244,22 @@ module Brakeman::Util
     false
   end
 
+  def make_call target, method, *args
+    call = Sexp.new(:call, target, method)
+
+    if args.empty? or args.first.empty?
+      #nothing to do
+    elsif node_type? args.first, :arglist
+      call.concat args.first[1..-1]
+    elsif args.first.node_type.is_a? Sexp #just a list of args
+      call.concat args.first
+    else
+      call.concat args
+    end
+
+    call
+  end
+
   #Return file name related to given warning. Uses +warning.file+ if it exists
   def file_for warning, tracker = nil
     if tracker.nil?
@@ -315,10 +336,10 @@ module Brakeman::Util
 
   #Return array of lines surrounding the warning location from the original
   #file.
-  def context_for warning, tracker = nil
+  def context_for app_tree, warning, tracker = nil
     file = file_for warning, tracker
     context = []
-    return context unless warning.line and file and File.exist? file
+    return context unless warning.line and file and @app_tree.path_exists? file
 
     current_line = 0
     start_line = warning.line - 5
@@ -369,5 +390,5 @@ module Brakeman::Util
       output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})
     end
     output
-  end  
+  end
 end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.8.3"
+  Version = "1.9.0.pre1"
 end

data/lib/brakeman/warning.rb

@@ -76,14 +76,14 @@ class Brakeman::Warning
 
   #Return String of the code output from the OutputProcessor and
   #stripped of newlines and tabs.
-  def format_code
-    Brakeman::OutputProcessor.new.format(self.code).gsub(/(\t|\r|\n)+/, " ")
+  def format_code strip = true
+    format_ruby self.code, strip
   end
 
   #Return String of the user input formatted and
   #stripped of newlines and tabs.
-  def format_user_input
-    Brakeman::OutputProcessor.new.format(self.user_input).gsub(/(\t|\r|\n)+/, " ")
+  def format_user_input strip = true
+    format_ruby self.user_input, strip
   end
 
   #Return formatted warning message
@@ -171,9 +171,9 @@ class Brakeman::Warning
       :file => self.file,
       :line => self.line,
       :link => self.link,
-      :code => (@code && self.format_code),
+      :code => (@code && self.format_code(false)),
       :location => location,
-      :user_input => (@user_input && self.format_user_input),
+      :user_input => (@user_input && self.format_user_input(false)),
       :confidence => TEXT_CONFIDENCE[self.confidence]
     }
   end
@@ -181,4 +181,12 @@ class Brakeman::Warning
   def to_json
     MultiJson.dump self.to_hash
   end
+
+  private
+
+  def format_ruby code, strip
+    formatted = Brakeman::OutputProcessor.new.format(code)
+    formatted.gsub!(/(\t|\r|\n)+/, " ") if strip
+    formatted
+  end
 end

data/lib/ruby_parser/bm_sexp.rb

@@ -3,7 +3,7 @@
 #of a Sexp.
 class Sexp
   attr_reader :paren
-  ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cdecl, :or, :and]
+  ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cdecl, :or, :and, :colon2]
 
   def method_missing name, *args
     #Brakeman does not use this functionality,
@@ -23,6 +23,12 @@ class Sexp
     last
   end
 
+  def value= exp
+    raise WrongSexpError, "Sexp#value= called on multi-item Sexp", caller[1..-1] if size > 2
+    @my_hash_value = nil
+    self[1] = exp
+  end
+
   def second
     self[1]
   end
@@ -35,26 +41,6 @@ class Sexp
     self[0] = type
   end
 
-  #Don't use this, please.
-  #:nodoc:
-  def resbody delete = false
-    #RubyParser and Ruby2Ruby rely on method_missing for this, but since we
-    #don't want to use method_missing, here's a real method.
-    find_node :resbody, delete
-  end
-
-  #Don't use this, please.
-  #:nodoc:
-  def lasgn delete = false
-    find_node :lasgn, delete
-  end
-
-  #Don't use this, please.
-  #:nodoc:
-  def iasgn delete = false
-    find_node :iasgn, delete
-  end
-
   alias :node_type :sexp_type
   alias :values :sexp_body # TODO: retire
 
@@ -161,21 +147,34 @@ class Sexp
   #s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1)))
   #                        ^- method
   def method
-    expect :call, :attrasgn, :super, :zsuper
+    expect :call, :attrasgn, :super, :zsuper, :result
 
     case self.node_type
     when :call, :attrasgn
       self[2]
     when :super, :zsuper
       :super
+    when :result
+      self.last
     end
   end
 
   #Sets the arglist in a method call.
   def arglist= exp
     expect :call, :attrasgn
-    self[3] = exp
-    #RP 3 TODO
+    start_index = 3
+
+    if exp.is_a? Sexp and exp.node_type == :arglist
+      exp = exp[1..-1]
+    end
+
+    exp.each_with_index do |e, i|
+      self[start_index + i] = e
+    end
+  end
+
+  def set_args *exp
+    self.arglist = exp
   end
 
   #Returns arglist for method call. This differs from Sexp#args, as Sexp#args
@@ -189,17 +188,14 @@ class Sexp
 
     case self.node_type
     when :call, :attrasgn
-      self[3]
+      self[3..-1].unshift :arglist
     when :super, :zsuper
       if self[1]
-        Sexp.new(:arglist).concat self[1..-1]
+        self[1..-1].unshift :arglist
       else
         Sexp.new(:arglist)
       end
     end
-
-    #For new ruby_parser
-    #Sexp.new(:arglist, *self[3..-1])
   end
 
   #Returns arguments of a method call. This will be an 'untyped' Sexp.
@@ -208,59 +204,93 @@ class Sexp
   #                                                             ^--------args--------^
   def args
     expect :call, :attrasgn, :super, :zsuper
-    #For new ruby_parser
-    #if self[3]
-    #  self[3..-1]
-    #else
-    #  []
-    #end
 
     case self.node_type
     when :call, :attrasgn
-      #For old ruby_parser
       if self[3]
-        self[3][1..-1]
+        self[3..-1]
       else
-        []
+        Sexp.new
       end
     when :super, :zsuper
       if self[1]
         self[1..-1]
       else
-        []
+        Sexp.new
+      end
+    end
+  end
+
+  def each_arg replace = false
+    expect :call, :attrasgn, :super, :zsuper
+    range = nil
+
+    case self.node_type
+    when :call, :attrasgn
+      if self[3]
+        range = (3...self.length)
+      end
+    when :super, :zsuper
+      if self[1]
+        range = (1...self.length)
+      end
+    end
+
+    if range
+      range.each do |i|
+        res = yield self[i]
+        self[i] = res if replace
       end
     end
+
+    self
+  end
+
+  def each_arg! &block
+    self.each_arg true, &block
   end
 
   #Returns first argument of a method call.
   def first_arg
     expect :call, :attrasgn
-    if self[3]
-      self[3][1]
-    end
+    self[3]
   end
 
   #Sets first argument of a method call.
   def first_arg= exp
     expect :call, :attrasgn
-    if self[3]
-      self[3][1] = exp
-    end
+    self[3] = exp
   end
 
   #Returns second argument of a method call.
   def second_arg
     expect :call, :attrasgn
-    if self[3]
-      self[3][2]
-    end
+    self[4]
   end
 
   #Sets second argument of a method call.
   def second_arg= exp
     expect :call, :attrasgn
+    self[4] = exp
+  end
+
+  def third_arg
+    expect :call, :attrasgn
+    self[5]
+  end
+
+  def third_arg= exp
+    expect :call, :attrasgn
+    self[5] = exp
+  end
+
+  def last_arg
+    expect :call, :attrasgn
+
     if self[3]
-      self[3][2] = exp
+      self[-1]
+    else
+      nil
     end
   end
 
@@ -317,7 +347,11 @@ class Sexp
   #      s(:lasgn, :y),
   #       s(:block, s(:lvar, :y), s(:call, nil, :z, s(:arglist))))
   #       ^-------------------- block --------------------------^
-  def block
+  def block delete = nil
+    unless delete.nil? #this is from RubyParser
+      return find_node :block, delete
+    end
+
     expect :iter, :call_with_block, :scope, :resbody
 
     case self.node_type
@@ -342,6 +376,11 @@ class Sexp
     self[2]
   end
 
+  def first_param
+    expect :args
+    self[1]
+  end
+
   #Returns the left hand side of assignment or boolean:
   #
   #    s(:lasgn, :x, s(:lit, 1))
@@ -384,34 +423,61 @@ class Sexp
     end
   end
 
-  #Sets body
+  def formal_args
+    expect :defn, :defs, :methdef, :selfdef
+
+    case self.node_type
+    when :defn, :methdef
+      self[2]
+    when :defs, :selfdef
+      self[3]
+    end
+  end
+
+  #Sets body, which is now a complicated process because the body is no longer
+  #a separate Sexp, but just a list of Sexps.
   def body= exp
     expect :defn, :defs, :methdef, :selfdef, :class, :module
 
     case self.node_type
     when :defn, :methdef, :class
-      self[3] = exp
+      index = 3
     when :defs, :selfdef
-      self[4] = exp
+      index = 4
     when :module
-      self[2] = exp
+      index = 2
+    end
+
+    self.slice!(index..-1) #Remove old body
+
+    #Insert new body
+    exp.each do |e|
+      self[index] = e
+      index += 1
     end
   end
 
   #Returns body of a method definition, class, or module.
+  #This will be an untyped Sexp containing a list of Sexps from the body.
   def body
     expect :defn, :defs, :methdef, :selfdef, :class, :module
 
     case self.node_type
     when :defn, :methdef, :class
-      self[3]
+      self[3..-1]
     when :defs, :selfdef
-      self[4]
+      self[4..-1]
     when :module
-      self[2]
+      self[2..-1]
     end
   end
 
+  #Like Sexp#body, except the returned Sexp is of type :rlist
+  #instead of untyped.
+  def body_list
+    self.body.unshift :rlist
+  end
+
   def render_type
     expect :render
     self[1]
@@ -428,6 +494,27 @@ class Sexp
     expect :class
     self[2]
   end
+
+  #Returns the call Sexp in a result returned from FindCall
+  def call
+    expect :result
+
+    self.last
+  end
+
+  #Returns the module the call is inside
+  def module
+    expect :result
+
+    self[1]
+  end
+
+  #Return the class the call is inside
+  def result_class
+    expect :result
+
+    self[2]
+  end
 end
 
 #Invalidate hash cache if the Sexp changes
@@ -445,4 +532,17 @@ end
     RUBY
 end
 
+#Methods used by RubyParser which would normally go through method_missing but
+#we don't want that to happen because it hides Brakeman errors
+[:resbody, :lasgn, :iasgn, :splat].each do |method|
+  Sexp.class_eval <<-RUBY
+    def #{method} delete = false
+      if delete
+        @my_hash_value = false
+      end
+      find_node :#{method}, delete
+    end
+  RUBY
+end
+
 class WrongSexpError < RuntimeError; end