brakeman 1.9.5 → 2.0.0.pre2

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -13,10 +13,11 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
 
   #Process the given source. Provide either class and method being searched
   #or the template. These names are used when reporting results.
-  def process_source exp, klass = nil, method = nil, template = nil
-    @current_class = klass
-    @current_method = method
-    @current_template = template
+  def process_source exp, opts
+    @current_class = opts[:class]
+    @current_method = opts[:method]
+    @current_template = opts[:template]
+    @current_file = opts[:file]
     process exp
   end
 
@@ -48,15 +49,12 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
     method = exp.method
     process_call_args exp
 
-    call = { :target => target, :method => method, :call => exp, :nested => @in_target, :chain => get_chain(exp) }
-    
-    if @current_template
-      call[:location] = [:template, @current_template]
-    else
-      call[:location] = [:class, @current_class, @current_method]
-    end
-
-    @calls << call
+    @calls << { :target => target,
+                :method => method,
+                :call => exp,
+                :nested => @in_target,
+                :chain => get_chain(exp),
+                :location => make_location }
 
     exp
   end
@@ -66,15 +64,11 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
   def process_render exp
     process exp.last if sexp? exp.last
 
-    call = { :target => nil, :method => :render, :call => exp, :nested => false }
-
-    if @current_template
-      call[:location] = [:template, @current_template]
-    else
-      call[:location] = [:class, @current_class, @current_method]
-    end
-
-    @calls << call
+    @calls << { :target => nil,
+                :method => :render,
+                :call => exp,
+                :nested => false,
+                :location => make_location }
 
     exp
   end
@@ -84,15 +78,11 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
   def process_dxstr exp
     process exp.last if sexp? exp.last
 
-    call = { :target => nil, :method => :`, :call => exp, :nested => false }
-
-    if @current_template
-      call[:location] = [:template, @current_template]
-    else
-      call[:location] = [:class, @current_class, @current_method]
-    end
-
-    @calls << call
+    @calls << { :target => nil,
+                :method => :`,
+                :call => exp,
+                :nested => false,
+                :location => make_location }
 
     exp
   end
@@ -101,15 +91,11 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
   def process_dsym exp
     exp.each { |arg| process arg if sexp? arg }
 
-    call = { :target => nil, :method => :literal_to_sym, :call => exp, :nested => false }
-
-    if @current_template
-      call[:location] = [:template, @current_template]
-    else
-      call[:location] = [:class, @current_class, @current_method]
-    end
-
-    @calls << call
+    @calls << { :target => nil,
+                :method => :literal_to_sym,
+                :call => exp,
+                :nested => false,
+                :location => make_location }
 
     exp
   end
@@ -155,4 +141,18 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
       [get_target(call)]
     end
   end
+
+  def make_location
+    if @current_template
+      { :type => :template,
+        :template => @current_template,
+        :file => @current_file }
+    else
+      { :type => :class,
+        :class => @current_class,
+        :method => @current_method,
+        :file => @current_file }
+    end
+
+  end
 end

data/lib/brakeman/processors/lib/processor_helper.rb

@@ -40,7 +40,11 @@ module Brakeman::ProcessorHelper
       @current_module = module_name
     end
 
-    process_all exp.body
+    if block_given?
+      yield
+    else
+      process_all exp.body
+    end
 
     @current_module = prev_module
 

data/lib/brakeman/processors/lib/rails3_config_processor.rb

@@ -72,6 +72,14 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BaseProcessor
       level = @tracker.config[:rails]
       options[0..-2].each do |o|
         level[o] ||= {}
+
+        option = level[o]
+
+        if not option.is_a? Hash
+          Brakeman.debug "[Notice] Skipping config setting: #{options.map(&:to_s).join(".")}"
+          return exp
+        end
+
         level = level[o]
       end
 

data/lib/brakeman/processors/output_processor.rb

@@ -14,7 +14,6 @@ class Brakeman::OutputProcessor < Ruby2Ruby
   end
 
   alias process_safely format
-  alias process_methdef process_defn
 
   def process exp
     begin
@@ -99,6 +98,29 @@ class Brakeman::OutputProcessor < Ruby2Ruby
     out
   end
 
+  def process_defn exp
+    # Copied from Ruby2Ruby except without the whole
+    # "convert methods to attr_*" stuff
+    name = exp.shift
+    args = process exp.shift
+    args = "" if args == "()"
+
+    exp.shift if exp == s(s(:nil)) # empty it out of a default nil expression
+
+    body = []
+    until exp.empty? do
+      body << indent(process(exp.shift))
+    end
+
+    body << indent("# do nothing") if body.empty?
+
+    body = body.join("\n")
+
+    return "def #{name}#{args}\n#{body}\nend".gsub(/\n\s*\n+/, "\n")
+  end
+
+  alias process_methdef process_defn
+
   def process_call_with_block exp
     call = process exp[0]
     block = process_rlist exp[2..-1]

data/lib/brakeman/report.rb

@@ -3,7 +3,7 @@ require 'set'
 require 'brakeman/processors/output_processor'
 require 'brakeman/util'
 require 'terminal-table'
-require 'highline/system_extensions'
+require 'highline'
 require "csv"
 require 'multi_json'
 require 'brakeman/version'
@@ -283,6 +283,26 @@ class Brakeman::Report
     end
   end
 
+  # format output from filename or format
+  def format(filename_or_format)
+    case filename_or_format
+    when /\.html/, :to_html
+      to_html
+    when /\.pdf/, :to_pdf
+      to_pdf
+    when /\.csv/, :to_csv
+      to_csv
+    when /\.json/, :to_json
+      to_json
+    when /\.tabs/, :to_tabs
+      to_tabs
+    when :to_test
+      to_test
+    else
+      to_s
+    end
+  end
+  
   #Generate HTML output
   def to_html
     out = html_header <<
@@ -504,7 +524,7 @@ HEADER
       message
     end <<
     "<table id='#{code_id}' class='context' style='display:none'>" <<
-    "<caption>#{warning_file(warning, :relative) || ''}</caption>"
+    "<caption>#{warning_file(warning) || ''}</caption>"
 
     unless context.empty?
       if warning.line - 1 == 1 or warning.line + 1 == 1
@@ -567,7 +587,7 @@ HEADER
       checks.send(meth).map do |w|
         line = w.line || 0
         w.warning_type.gsub!(/[^\w\s]/, ' ')
-        "#{warning_file w}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
+        "#{warning_file(w, :absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
       end.join "\n"
 
     end.join "\n"
@@ -584,11 +604,6 @@ HEADER
       report[meth] = @checks.send(meth)
       report[meth].each do |w|
         w.message = w.format_message
-        if w.code
-          w.code = w.format_code
-        else
-          w.code = ""
-        end
         w.context = context_for(@app_tree, w).join("\n")
       end
     end
@@ -614,10 +629,9 @@ HEADER
       :security_warnings => all_warnings.length,
       :start_time => tracker.start_time.to_s,
       :end_time => tracker.end_time.to_s,
-      :timestamp => tracker.end_time.to_s,
       :duration => tracker.duration,
       :checks_performed => checks.checks_run.sort,
-      :number_of_controllers =>tracker.controllers.length,
+      :number_of_controllers => tracker.controllers.length,
       # ignore the "fake" model
       :number_of_models => tracker.models.length - 1,
       :number_of_templates => number_of_templates(@tracker),
@@ -642,13 +656,13 @@ HEADER
     Set.new(tracker.templates.map {|k,v| v[:name].to_s[/[^.]+/]}).length
   end
 
-  def warning_file warning, relative = false
+  def warning_file warning, absolute = @tracker.options[:absolute_paths]
     return nil if warning.file.nil?
 
-    if @tracker.options[:relative_paths] or relative
-      relative_path warning.file
-    else
+    if absolute
       warning.file
+    else
+      relative_path warning.file
     end
   end
 

data/lib/brakeman/scanner.rb

@@ -33,7 +33,7 @@ class Brakeman::Scanner
     @app_tree = Brakeman::AppTree.from_options(options)
 
     if !@app_tree.root || !@app_tree.exists?("app")
-      abort("Please supply the path to a Rails application.")
+      raise NoApplication, "Please supply the path to a Rails application."
     end
 
     if @app_tree.exists?("script/rails")
@@ -104,8 +104,8 @@ class Brakeman::Scanner
     end
 
   rescue Exception => e
-    Brakeman.notify "[Notice] Error while processing config/#{file}"
-    tracker.error e.exception(e.message + "\nwhile processing Gemfile"), e.backtrace
+    Brakeman.notify "[Notice] Error while processing #{path}"
+    tracker.error e.exception(e.message + "\nwhile processing #{path}"), e.backtrace
   end
 
   private :process_config_file
@@ -355,4 +355,6 @@ class Brakeman::Scanner
   def parse_ruby input
     @ruby_parser.new.parse input
   end
+
+  class NoApplication < RuntimeError; end
 end

data/lib/brakeman/tracker.rb

@@ -25,7 +25,7 @@ class Brakeman::Tracker
     @processor = processor
     @options = options
 
-    @config = {}
+    @config = { :rails => {} }
     @templates = {}
     @controllers = {}
     #Initialize models with the unknown model so
@@ -86,7 +86,7 @@ class Brakeman::Tracker
               method_name = "#{definition[1]}.#{method_name}"
             end
 
-            yield definition, set_name, method_name
+            yield definition, set_name, method_name, info[:file]
 
           end
         end
@@ -155,12 +155,12 @@ class Brakeman::Tracker
   def index_call_sites
     finder = Brakeman::FindAllCalls.new self
 
-    self.each_method do |definition, set_name, method_name|
-      finder.process_source definition, set_name, method_name
+    self.each_method do |definition, set_name, method_name, file|
+      finder.process_source definition, :class => set_name, :method => method_name, :file => file
     end
 
     self.each_template do |name, template|
-      finder.process_source template[:src], nil, nil, template
+      finder.process_source template[:src], :template => template, :file => template[:file]
     end
 
     @call_index = Brakeman::CallIndex.new finder.calls
@@ -208,7 +208,7 @@ class Brakeman::Tracker
               method_name = "#{definition[1]}.#{method_name}"
             end
 
-            finder.process_source definition, set_name, method_name
+            finder.process_source definition, :class => set_name, :method => method_name, :file => info[:file]
 
           end
         end
@@ -217,7 +217,7 @@ class Brakeman::Tracker
 
     if locations.include? :templates
       self.each_template do |name, template|
-        finder.process_source template[:src], nil, nil, template
+        finder.process_source template[:src], :template => template, :file => template[:file]
       end
     end
 

data/lib/brakeman/util.rb

@@ -275,6 +275,8 @@ module Brakeman::Util
 
     if warning.file
       File.expand_path warning.file, tracker.options[:app_path]
+    elsif warning.template.is_a? Hash and warning.template[:file]
+      warning.template[:file]
     else
       case warning.warning_set
       when :controller
@@ -305,7 +307,7 @@ module Brakeman::Util
     unless type
       if string_name =~ /Controller$/
         type = :controller
-      elsif camelize(string_name) == string_name
+      elsif camelize(string_name) == string_name # This is not always true
         type = :model
       else
         type = :template
@@ -325,7 +327,7 @@ module Brakeman::Util
       if tracker.models[name] and tracker.models[name][:file]
         path = tracker.models[name][:file]
       else
-        path += "/app/controllers/#{underscore(string_name)}.rb"
+        path += "/app/models/#{underscore(string_name)}.rb"
       end
     when :template
       if tracker.templates[name] and tracker.templates[name][:file]
@@ -383,7 +385,7 @@ module Brakeman::Util
 
   def truncate_table str
     @terminal_width ||= if $stdin && $stdin.tty?
-                          ::HighLine::SystemExtensions::terminal_size[0]
+                          ::HighLine.new.terminal_size[0]
                         else
                           80
                         end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.9.5"
+  Version = "2.0.0.pre2"
 end

data/lib/brakeman/warning.rb

@@ -5,9 +5,10 @@ require 'brakeman/warning_codes'
 #The Warning class stores information about warnings
 class Brakeman::Warning
   attr_reader :called_from, :check, :class, :confidence, :controller,
-    :line, :method, :model, :template, :user_input, :warning_set, :warning_type
+    :line, :method, :model, :template, :user_input, :warning_code, :warning_set,
+    :warning_type
 
-  attr_accessor :code, :context, :file, :message
+  attr_accessor :code, :context, :file, :message, :relative_path
 
   TEXT_CONFIDENCE = [ "High", "Medium", "Weak" ]
 
@@ -23,13 +24,14 @@ class Brakeman::Warning
 
     result = options[:result]
     if result
-      if result[:location][0] == :template #template result
-        @template ||= result[:location][1]
-        @code ||= result[:call]
+      @code ||= result[:call]
+      @file ||= result[:location][:file]
+
+      if result[:location][:type] == :template #template result
+        @template ||= result[:location][:template]
       else
-        @class ||= result[:location][1]
-        @method ||= result[:location][2]
-        @code ||= result[:call]
+        @class ||= result[:location][:class]
+        @method ||= result[:location][:method]
       end
     end
 
@@ -160,9 +162,10 @@ class Brakeman::Warning
 
   def fingerprint
     loc = self.location
-    location_string = loc && loc.sort_by { |k, v| k.to_s }.to_s
+    location_string = loc && loc.sort_by { |k, v| k.to_s }.inspect
     warning_code_string = sprintf("%03d", @warning_code)
     code_string = @code.inspect
+
     Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{@relative_path}#{self.confidence}").to_s
   end
 

data/lib/ruby_parser/bm_sexp.rb

@@ -371,7 +371,11 @@ class Sexp
   #       s(:call, nil, :p, s(:arglist, s(:lvar, :y))))
   def block_args
     expect :iter, :call_with_block
-    self[2]
+    if self[2] == 0 # ?! See https://github.com/presidentbeef/brakeman/issues/331
+      return Sexp.new(:args)
+    else
+      self[2]
+    end
   end
 
   def first_param