brakeman 1.9.4 → 1.9.5

data/lib/brakeman/report/initializers/faster_csv.rb

@@ -0,0 +1,7 @@
+# Ruby 1.8 compatible
+if CSV.const_defined? :Reader
+  require 'fastercsv'
+  Object.send(:remove_const, :CSV)
+  CSV = FasterCSV
+end
+

data/lib/brakeman/report/initializers/multi_json.rb

@@ -0,0 +1,29 @@
+#MultiJson interface changed in 1.3.0, but need
+#to support older MultiJson for Rails 3.1.
+mj_engine = nil
+
+if MultiJson.respond_to? :default_adapter
+  mj_engine = MultiJson.default_adapter
+else
+  mj_engine = MultiJson.default_engine
+
+  module MultiJson
+    def self.dump *args
+      encode *args
+    end
+
+    def self.load *args
+      decode *args
+    end
+  end
+end
+
+#This is so OkJson will work with symbol values
+if mj_engine == :ok_json
+  class Symbol
+    def to_json
+      self.to_s.inspect
+    end
+  end
+end
+

data/lib/brakeman/report/renderer.rb

@@ -0,0 +1,22 @@
+class Brakeman::Report
+  class Renderer
+    def initialize(template_file, hash = {})
+      hash[:locals] ||= {}
+      singleton = class << self; self end
+
+      hash[:locals].each do |attribute_name, attribute_value|
+        singleton.send(:define_method, attribute_name) { attribute_value }
+      end
+
+      # There are last, so as to make overwriting these using locals impossible.
+      singleton.send(:define_method, 'template_file') { template_file }
+      singleton.send(:define_method, 'template') {
+        File.read(File.expand_path("templates/#{template_file}.html.erb", File.dirname(__FILE__)))
+      }
+    end
+
+    def render
+      ERB.new(template).result(binding)
+    end
+  end
+end

data/lib/brakeman/{templates → report/templates}/header.html.erb

@@ -11,7 +11,7 @@
         elem.style.display = "block";
       else
         elem.style.display = "none";
-        
+
       elem.parentNode.scrollIntoView();
     }
   </script>
@@ -33,7 +33,7 @@
   <tr>
     <td><%= File.expand_path tracker.options[:app_path] %></td>
     <td><%= rails_version %></td>
-    <td><%= Brakeman::Version %>
+    <td><%= brakeman_version %>
     <td>
       <%= tracker.start_time %><br><br>
       <%= tracker.duration %> seconds

data/lib/brakeman/{templates → report/templates}/overview.html.erb

@@ -1,4 +1,4 @@
-<h2 id='summary'>Summary</h2> 
+<h2 id='summary'>Summary</h2>
 <table>
   <tr>
     <th>Scanned/Reported</th>
@@ -14,7 +14,7 @@
   </tr>
   <tr>
     <td>Templates</td>
-    <td><%= number_of_templates(@tracker) %></td>
+    <td><%= number_of_templates %></td>
   </tr>
   <tr>
     <td>Errors</td>

data/lib/brakeman/scanner.rb

@@ -39,6 +39,9 @@ class Brakeman::Scanner
     if @app_tree.exists?("script/rails")
       options[:rails3] = true
       Brakeman.notify "[Notice] Detected Rails 3 application"
+    elsif not @app_tree.exists?("script")
+      options[:rails3] = true # Probably need to do some refactoring
+      Brakeman.notify "[Notice] Detected Rails 4 application"
     end
 
     @ruby_parser = ::RubyParser

data/lib/brakeman/util.rb

@@ -172,6 +172,12 @@ module Brakeman::Util
                         exp.node_type == :nil)
   end
 
+  #Check if _exp_ represents a block of code
+  def block? exp
+    exp.is_a? Sexp and (exp.node_type == :block or
+                        exp.node_type == :rlist)
+  end
+
   #Check if _exp_ is a params hash
   def params? exp
     if exp.is_a? Sexp

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.9.4"
+  Version = "1.9.5"
 end

data/lib/brakeman/warning_codes.rb

@@ -59,6 +59,7 @@ module Brakeman::WarningCodes
     :CVE_2013_1855 => 56,
     :CVE_2013_1856 => 57,
     :CVE_2013_1857 => 58,
+    :unsafe_symbol_creation => 59
   }
 
   def self.code name

data/lib/ruby_parser/bm_sexp.rb

@@ -3,6 +3,7 @@
 #of a Sexp.
 class Sexp
   attr_reader :paren
+  attr_accessor :original_line
   ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cdecl, :or, :and, :colon2]
 
   def method_missing name, *args
@@ -28,10 +29,10 @@ class Sexp
     end
 
     if line
-      s.original_line(self.original_line || self.line)
+      s.original_line = self.original_line || self.line
       s.line(line)
     else
-      s.original_line(self.original_line)
+      s.original_line = self.original_line
       s.line(self.line)
     end
 
@@ -62,6 +63,7 @@ class Sexp
   end
 
   def node_type= type
+    @my_hash_value = nil
     self[0] = type
   end
 
@@ -69,22 +71,13 @@ class Sexp
   alias :values :sexp_body # TODO: retire
 
   alias :old_push :<<
-  alias :old_line :line
-  alias :old_line_set :line=
-  alias :old_file_set :file=
-  alias :old_comments_set :comments=
   alias :old_compact :compact
   alias :old_fara :find_and_replace_all
   alias :old_find_node :find_node
 
-  def original_line line = nil
-    if line
-      @my_hash_value = nil
-      @original_line = line
-      self
-    else
-      @original_line ||= nil
-    end
+  def << arg
+    @my_hash_value = nil
+    old_push arg
   end
 
   def hash
@@ -95,21 +88,6 @@ class Sexp
     @my_hash_value ||= super
   end
 
-  def line num = nil
-    @my_hash_value = nil if num
-    old_line(num)
-  end
-
-  def line= *args
-    @my_hash_value = nil
-    old_line_set(*args)
-  end
-
-  def file= *args
-    @my_hash_value = nil
-    old_file_set(*args)
-  end
-
   def compact
     @my_hash_value = nil
     old_compact
@@ -125,16 +103,6 @@ class Sexp
     old_find_node(*args)
   end
 
-  def paren= arg
-    @my_hash_value = nil
-    @paren = arg
-  end
-
-  def comments= *args
-    @my_hash_value = nil
-    old_comments_set(*args)
-  end
-
   #Iterates over the Sexps in an Sexp, skipping values that are not
   #an Sexp.
   def each_sexp
@@ -163,6 +131,7 @@ class Sexp
   #Sets the target of a method call:
   def target= exp
     expect :call, :attrasgn
+    @my_hash_value = nil
     self[1] = exp
   end
 
@@ -186,6 +155,7 @@ class Sexp
   #Sets the arglist in a method call.
   def arglist= exp
     expect :call, :attrasgn
+    @my_hash_value = nil
     start_index = 3
 
     if exp.is_a? Sexp and exp.node_type == :arglist
@@ -271,6 +241,7 @@ class Sexp
   end
 
   def each_arg! &block
+    @my_hash_value = nil
     self.each_arg true, &block
   end
 
@@ -283,6 +254,7 @@ class Sexp
   #Sets first argument of a method call.
   def first_arg= exp
     expect :call, :attrasgn
+    @my_hash_value = nil
     self[3] = exp
   end
 
@@ -295,6 +267,7 @@ class Sexp
   #Sets second argument of a method call.
   def second_arg= exp
     expect :call, :attrasgn
+    @my_hash_value = nil
     self[4] = exp
   end
 
@@ -305,6 +278,7 @@ class Sexp
 
   def third_arg= exp
     expect :call, :attrasgn
+    @my_hash_value = nil
     self[5] = exp
   end
 
@@ -462,6 +436,7 @@ class Sexp
   #a separate Sexp, but just a list of Sexps.
   def body= exp
     expect :defn, :defs, :methdef, :selfdef, :class, :module
+    @my_hash_value = nil
 
     case self.node_type
     when :defn, :methdef, :class

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  version: 1.9.4
+  version: 1.9.5
 platform: ruby
 authors: 
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-03-19 00:00:00 Z
+date: 2013-04-05 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: ruby_parser
@@ -26,9 +26,9 @@ dependencies:
   prerelease: false
   requirement: &id002 !ruby/object:Gem::Requirement 
     requirements: 
-    - - ~>
+    - - "="
       - !ruby/object:Gem::Version 
-        version: "2.0"
+        version: 2.0.3
   type: :runtime
   version_requirements: *id002
 - !ruby/object:Gem::Dependency 
@@ -133,6 +133,19 @@ files:
 - lib/brakeman/util.rb
 - lib/brakeman/brakeman.rake
 - lib/brakeman/call_index.rb
+- lib/brakeman/report/renderer.rb
+- lib/brakeman/report/templates/controller_overview.html.erb
+- lib/brakeman/report/templates/model_warnings.html.erb
+- lib/brakeman/report/templates/template_overview.html.erb
+- lib/brakeman/report/templates/view_warnings.html.erb
+- lib/brakeman/report/templates/overview.html.erb
+- lib/brakeman/report/templates/controller_warnings.html.erb
+- lib/brakeman/report/templates/header.html.erb
+- lib/brakeman/report/templates/error_overview.html.erb
+- lib/brakeman/report/templates/security_warnings.html.erb
+- lib/brakeman/report/templates/warning_overview.html.erb
+- lib/brakeman/report/initializers/faster_csv.rb
+- lib/brakeman/report/initializers/multi_json.rb
 - lib/brakeman/tracker.rb
 - lib/brakeman/report.rb
 - lib/brakeman/scanner.rb
@@ -184,16 +197,6 @@ files:
 - lib/brakeman/checks/check_nested_attributes.rb
 - lib/brakeman/checks/check_without_protection.rb
 - lib/brakeman/checks.rb
-- lib/brakeman/templates/controller_overview.html.erb
-- lib/brakeman/templates/model_warnings.html.erb
-- lib/brakeman/templates/template_overview.html.erb
-- lib/brakeman/templates/view_warnings.html.erb
-- lib/brakeman/templates/overview.html.erb
-- lib/brakeman/templates/controller_warnings.html.erb
-- lib/brakeman/templates/header.html.erb
-- lib/brakeman/templates/error_overview.html.erb
-- lib/brakeman/templates/security_warnings.html.erb
-- lib/brakeman/templates/warning_overview.html.erb
 - lib/brakeman/processors/controller_alias_processor.rb
 - lib/brakeman/processors/lib/find_return_value.rb
 - lib/brakeman/processors/lib/route_helper.rb