brakeman 1.9.4 → 1.9.5

data/lib/brakeman/processors/controller_processor.rb

@@ -187,6 +187,11 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
   #We build a new method and process that the same way as usual
   #methods and filters.
   def add_fake_filter exp
+    unless @controller
+      Brakeman.debug "Skipping before_filter outside controller: #{exp}"
+      return exp
+    end
+
     filter_name = ("fake_filter" + rand.to_s[/\d+$/]).to_sym
     args = exp.block_call.arglist
     args.insert(1, Sexp.new(:lit, filter_name))

data/lib/brakeman/processors/erb_template_processor.rb

@@ -48,7 +48,7 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
     else
       #TODO: Is it really necessary to create a new Sexp here?
       call = make_call target, method, process_all!(exp.args)
-      call.original_line(exp.original_line)
+      call.original_line = exp.original_line
       call.line(exp.line)
       call
     end
@@ -56,6 +56,7 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
 
   #Process block, removing irrelevant expressions
   def process_block exp
+    exp = exp.dup
     exp.shift
     if @inside_concat
       @inside_concat = false

data/lib/brakeman/processors/erubis_template_processor.rb

@@ -47,7 +47,7 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
     else
       #TODO: Is it really necessary to create a new Sexp here?
       call = make_call target, method, process_all!(exp.args)
-      call.original_line(exp.original_line)
+      call.original_line = exp.original_line
       call.line(exp.line)
       call
     end
@@ -55,6 +55,7 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
 
   #Process blocks, ignoring :ignore exps
   def process_block exp
+    exp = exp.dup
     exp.shift
     exp.map! do |e|
       res = process e

data/lib/brakeman/processors/haml_template_processor.rb

@@ -95,7 +95,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     else
       #TODO: Do we really need a new Sexp here?
       call = make_call target, method, process_all!(exp.args)
-      call.original_line(exp.original_line)
+      call.original_line = exp.original_line
       call.line(exp.line)
       call
     end
@@ -103,6 +103,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 
   #If inside an output stream, only return the final expression
   def process_block exp
+    exp = exp.dup
     exp.shift
     if @inside_concat
       @inside_concat = false

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -97,6 +97,23 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
     exp
   end
 
+  #:"string" is equivalent to "string".to_sym
+  def process_dsym exp
+    exp.each { |arg| process arg if sexp? arg }
+
+    call = { :target => nil, :method => :literal_to_sym, :call => exp, :nested => false }
+
+    if @current_template
+      call[:location] = [:template, @current_template]
+    else
+      call[:location] = [:class, @current_class, @current_method]
+    end
+
+    @calls << call
+
+    exp
+  end
+
   #Process an assignment like a call
   def process_attrasgn exp
     process_call exp

data/lib/brakeman/processors/lib/find_return_value.rb

@@ -28,7 +28,7 @@ class Brakeman::FindReturnValue
   def get_return_value exp, env = nil
     process_method exp, env
     value = make_return_value
-    value.original_line(exp.line)
+    value.original_line = exp.line
     value
   end
 
@@ -91,7 +91,7 @@ class Brakeman::FindReturnValue
 
         if true_branch and false_branch
           value = make_or(true_branch, false_branch)
-          value.original_line(value.rhs.line)
+          value.original_line = value.rhs.line
           value
         else #Unlikely?
           true_branch or false_branch
@@ -102,7 +102,7 @@ class Brakeman::FindReturnValue
     when :return
       exp.value
     else
-      exp.original_line(exp.line) unless exp.original_line
+      exp.original_line = exp.line unless exp.original_line
       exp
     end
   end

data/lib/brakeman/processors/lib/render_helper.rb

@@ -120,7 +120,7 @@ module Brakeman::RenderHelper
         unless value.original_line
           #TODO: This has been broken for a while now and no one noticed
           #so maybe we can skip it
-          value.original_line(value.line)
+          value.original_line = value.line
         end
       end
 

data/lib/brakeman/processors/slim_template_processor.rb

@@ -39,7 +39,7 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
       make_render_in_view exp
     else
       call = make_call target, method, process_all!(exp.args)
-      call.original_line(exp.original_line)
+      call.original_line = exp.original_line
       call.line(exp.line)
       call
     end

data/lib/brakeman/processors/template_processor.rb

@@ -47,7 +47,7 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
 
   #Adds output to the list of outputs.
   def process_output exp
-    process exp.value
+    exp.value = process exp.value
     @current_template[:outputs] << exp
     exp
   end

data/lib/brakeman/report.rb

@@ -7,42 +7,8 @@ require 'highline/system_extensions'
 require "csv"
 require 'multi_json'
 require 'brakeman/version'
-
-if CSV.const_defined? :Reader
-  # Ruby 1.8 compatible
-  require 'fastercsv'
-  Object.send(:remove_const, :CSV)
-  CSV = FasterCSV
-else
-  # CSV is now FasterCSV in ruby 1.9
-end
-
-#MultiJson interface changed in 1.3.0, but need
-#to support older MultiJson for Rails 3.1.
-if MultiJson.respond_to? :default_adapter
-  mj_engine = MultiJson.default_adapter
-else
-  mj_engine = MultiJson.default_engine
-
-  module MultiJson
-    def self.dump *args
-      encode *args
-    end
-
-    def self.load *args
-      decode *args
-    end
-  end
-end
-
-#This is so OkJson will work with symbol values
-if mj_engine == :ok_json
-  class Symbol
-    def to_json
-      self.to_s.inspect
-    end
-  end
-end
+require 'brakeman/report/renderer'
+Dir.glob(File.dirname(__FILE__) + '/report/initializers/*.rb').each {|file| require file }
 
 #Generates a report based on the Tracker and the results of
 #Tracker#run_checks. Be sure to +run_checks+ before generating
@@ -71,7 +37,14 @@ class Brakeman::Report
     warnings = all_warnings.length
 
     if html
-      load_and_render_erb('overview', binding)
+      locals = {
+        :tracker => tracker,
+        :warnings => warnings,
+        :warnings_summary => warnings_summary,
+        :number_of_templates => number_of_templates(@tracker),
+        }
+
+      Brakeman::Report::Renderer.new('overview', :locals => locals).render
     else
       Terminal::Table.new(:headings => ['Scanned/Reported', 'Total']) do |t|
         t.add_row ['Controllers', tracker.controllers.length]
@@ -87,34 +60,26 @@ class Brakeman::Report
   def generate_warning_overview html = false
     types = warnings_summary.keys
     types.delete :high_confidence
+    values = types.sort.collect{|warning_type| [warning_type, warnings_summary[warning_type]] }
+    locals = {:types => types, :warnings_summary => warnings_summary}
 
-    unless types.empty?
-      if html
-        load_and_render_erb('warning_overview', binding)
-      else
-        Terminal::Table.new(:headings => ['Warning Type', 'Total']) do |t|
-          types.sort.each do |warning_type|
-            t.add_row [warning_type, warnings_summary[warning_type]]
-          end
-        end
-      end
-    end
+    render_array('warning_overview', ['Warning Type', 'Total'], values, locals, html)
   end
 
   #Generate table of errors or return nil if no errors
   def generate_errors html = false
-    if tracker.errors.any?
-      if html
-        load_and_render_erb('error_overview', binding)
-      else
-        Terminal::Table.new(:headings => ['Error', 'Location']) do |t|
-          tracker.errors.each do |error|
-            t.add_row [error[:error], error[:backtrace][0]]
-          end
-        end
-      end
+    values = tracker.errors.collect{|error| [error[:error], error[:backtrace][0]]}
+    render_array('error_overview', ['Error', 'Location'], values, {:tracker => tracker}, html)
+  end
+
+  def render_array(template, headings, value_array, locals, html = false)
+    return if value_array.empty?
+    if html
+      Brakeman::Report::Renderer.new(template, :locals => locals).render
     else
-      nil
+      Terminal::Table.new(:headings => headings) do |t|
+        value_array.each { |value_row| t.add_row value_row }
+      end
     end
   end
 
@@ -139,17 +104,9 @@ class Brakeman::Report
     stabilizer = 0
     warning_messages = warning_messages.sort_by{|row| stabilizer += 1; [row['Confidence'], row['Warning Type'], row['Class'], stabilizer]}
 
-    unless warning_messages.empty?
-      if html
-        load_and_render_erb('security_warnings', binding)
-      else
-        Terminal::Table.new(:headings => ["Confidence", "Class", "Method", "Warning Type", "Message"]) do |t|
-          warning_messages.each do |row|
-            t.add_row [row["Confidence"], row["Class"], row["Method"], row["Warning Type"], row["Message"]]
-          end
-        end
-      end
-    end
+    locals = {:warning_messages => warning_messages}
+    values = warning_messages.collect{|row| [row["Confidence"], row["Class"], row["Method"], row["Warning Type"], row["Message"]] }
+    render_array('security_warnings', ["Confidence", "Class", "Method", "Warning Type", "Message"], values, locals, html)
   end
 
   #Generate table of template warnings or return nil if no warnings
@@ -177,15 +134,10 @@ class Brakeman::Report
 
       stabilizer = 0
       warnings = warnings.sort_by{|row| stabilizer += 1; [row["Confidence"], row["Warning Type"], row["Template"], stabilizer]}
-      if html
-        load_and_render_erb('view_warnings', binding)
-      else
-        Terminal::Table.new(:headings => ["Confidence", "Template", "Warning Type", "Message"]) do |t|
-          warnings.each do |warning|
-            t.add_row [warning["Confidence"], warning["Template"], warning["Warning Type"], warning["Message"]]
-          end
-        end
-      end
+
+      locals = {:warnings => warnings}
+      values = warnings.collect{|warning| [warning["Confidence"], warning["Template"], warning["Warning Type"], warning["Message"]] }
+      render_array('view_warnings', ["Confidence", "Template", "Warning Type", "Message"], values, locals, html)
     else
       nil
     end
@@ -214,15 +166,9 @@ class Brakeman::Report
       stabilizer = 0
       warnings = warnings.sort_by{|row| stabilizer +=1; [row["Confidence"],row["Warning Type"], row["Model"], stabilizer]}
 
-      if html
-        load_and_render_erb('model_warnings', binding)
-      else
-        Terminal::Table.new(:headings => ["Confidence", "Model", "Warning Type", "Message"]) do |t|
-          warnings.each do |warning|
-            t.add_row [warning["Confidence"], warning["Model"], warning["Warning Type"], warning["Message"]]
-          end
-        end
-      end
+      locals = {:warnings => warnings}
+      values = warnings.collect{|warning| [warning["Confidence"], warning["Model"], warning["Warning Type"], warning["Message"]] }
+      render_array('model_warnings', ["Confidence", "Model", "Warning Type", "Message"], values, locals, html)
     else
       nil
     end
@@ -252,15 +198,9 @@ class Brakeman::Report
       stabilizer = 0
       warnings = warnings.sort_by{|row| stabilizer +=1; [row["Confidence"], row["Warning Type"], row["Controller"], stabilizer]}
 
-      if html
-        load_and_render_erb('controller_warnings', binding)
-      else
-        Terminal::Table.new(:headings => ["Confidence", "Controller", "Warning Type", "Message"]) do |t|
-          warnings.each do |warning|
-            t.add_row [warning["Confidence"], warning["Controller"], warning["Warning Type"], warning["Message"]]
-          end
-        end
-      end
+      locals = {:warnings => warnings}
+      values = warnings.collect{|warning| [warning["Confidence"], warning["Controller"], warning["Warning Type"], warning["Message"]] }
+      render_array('controller_warnings', ["Confidence", "Controller", "Warning Type", "Message"], values, locals, html)
     else
       nil
     end
@@ -301,15 +241,9 @@ class Brakeman::Report
     end
     controller_rows = controller_rows.sort_by{|row| row['Name']}
 
-    if html
-      load_and_render_erb('controller_overview', binding)
-    else
-      Terminal::Table.new(:headings => ['Name', 'Parent', 'Includes', 'Routes']) do |t|
-        controller_rows.each do |row|
-          t.add_row [row['Name'], row['Parent'], row['Includes'], row['Routes']]
-        end
-      end
-    end
+    locals = {:controller_rows => controller_rows}
+    values = controller_rows.collect{|row| [row['Name'], row['Parent'], row['Includes'], row['Routes']] }
+    render_array('controller_overview', ['Name', 'Parent', 'Includes', 'Routes'], values, locals, html)
   end
 
   #Generate listings of templates and their output
@@ -330,7 +264,7 @@ class Brakeman::Report
     template_rows = template_rows.sort_by{|name, value| name.to_s}
 
     if html
-      load_and_render_erb('template_overview', binding)
+      Brakeman::Report::Renderer.new('template_overview', :locals => {:template_rows => template_rows}).render
     else
       output = ''
       template_rows.each do |template|
@@ -356,24 +290,15 @@ class Brakeman::Report
     generate_warning_overview(true).to_s
 
     # Return early if only summarizing
-    if tracker.options[:summary_only]
-      return out
-    end
-
-    if tracker.options[:report_routes] or tracker.options[:debug]
-      out << generate_controllers(true).to_s
-    end
-
-    if tracker.options[:debug]
-      out << generate_templates(true).to_s
-    end
+    return out if tracker.options[:summary_only]
 
+    out << generate_controllers(true).to_s if tracker.options[:report_routes] or tracker.options[:debug]
+    out << generate_templates(true).to_s if tracker.options[:debug]
     out << generate_errors(true).to_s
     out << generate_warnings(true).to_s
     out << generate_controller_warnings(true).to_s
     out << generate_model_warnings(true).to_s
     out << generate_template_warnings(true).to_s
-
     out << "</body></html>"
   end
 
@@ -385,9 +310,7 @@ class Brakeman::Report
     truncate_table(generate_warning_overview.to_s) << "\n"
 
     #Return output early if only summarizing
-    if tracker.options[:summary_only]
-      return out
-    end
+    return out if tracker.options[:summary_only]
 
     if tracker.options[:report_routes] or tracker.options[:debug]
       out << "\n+CONTROLLERS+\n" <<
@@ -469,13 +392,9 @@ class Brakeman::Report
   end
 
   def rails_version
-    if version = tracker.config[:rails_version]
-      return version
-    elsif tracker.options[:rails3]
-      return "3.x"
-    else
-      return "Unknown"
-    end
+    return tracker.config[:rails_version] if tracker.config[:rails_version]
+    return "3.x" if tracker.options[:rails3]
+    "Unknown"
   end
 
   #Return header for HTML output. Uses CSS from tracker.options[:html_style]
@@ -486,7 +405,15 @@ class Brakeman::Report
       raise "Cannot find CSS stylesheet for HTML: #{tracker.options[:html_style]}"
     end
 
-    load_and_render_erb('header', binding)
+    locals = {
+      :css => css,
+      :tracker => tracker,
+      :checks => checks,
+      :rails_version => rails_version,
+      :brakeman_version => Brakeman::Version
+      }
+
+    Brakeman::Report::Renderer.new('header', :locals => locals).render
   end
 
   #Generate header for text output
@@ -519,13 +446,9 @@ HEADER
     high_confidence_warnings = 0
 
     [all_warnings].each do |warnings|
-
       warnings.each do |warning|
         summary[warning.warning_type.to_s] += 1
-
-        if warning.confidence == 0
-          high_confidence_warnings += 1
-        end
+        high_confidence_warnings += 1 if warning.confidence == 0
       end
     end
 
@@ -549,7 +472,6 @@ HEADER
 
     if @highlight_user_input and warning.user_input
       user_input = CGI.escapeHTML(warning.format_user_input)
-
       message.gsub!(user_input, "<span class=\"user_input\">#{user_input}</span>")
     end
 
@@ -561,19 +483,13 @@ HEADER
     context = context_for(@app_tree, warning)
     full_message = nil
 
-    if tracker.options[:message_limit] and
-      tracker.options[:message_limit] > 0 and
-      message.length > tracker.options[:message_limit]
-
+    if tracker.options[:message_limit] and tracker.options[:message_limit] > 0 and message.length > tracker.options[:message_limit]
       full_message = html_message(warning, message)
       message = message[0..tracker.options[:message_limit]] << "..."
     end
 
     message = html_message(warning, message)
-
-    if context.empty? and not full_message
-      return message
-    end
+    return message if context.empty? and not full_message
 
     @element_id += 1
     code_id = "context#@element_id"
@@ -736,11 +652,4 @@ HEADER
     end
   end
 
-  private
-
-  def load_and_render_erb file, bind
-    content = File.read(File.expand_path("templates/#{file}.html.erb", File.dirname(__FILE__)))
-    template = ERB.new(content)
-    template.result(bind)
-  end
 end