brakeman 2.5.0 → 2.6.0
- checksums.yaml +8 -8
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CHANGES +14 -0
- data/README.md +6 -28
- data/lib/brakeman/checks/base_check.rb +5 -4
- data/lib/brakeman/checks/check_basic_auth.rb +1 -2
- data/lib/brakeman/checks/check_default_routes.rb +65 -15
- data/lib/brakeman/checks/check_detailed_exceptions.rb +5 -4
- data/lib/brakeman/checks/check_filter_skipping.rb +1 -1
- data/lib/brakeman/checks/check_forgery_setting.rb +9 -9
- data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
- data/lib/brakeman/checks/check_model_attributes.rb +3 -3
- data/lib/brakeman/checks/check_model_serialize.rb +1 -1
- data/lib/brakeman/checks/check_redirect.rb +27 -6
- data/lib/brakeman/checks/check_render.rb +2 -2
- data/lib/brakeman/checks/check_skip_before_filter.rb +2 -2
- data/lib/brakeman/checks/check_sql.rb +2 -1
- data/lib/brakeman/file_parser.rb +49 -0
- data/lib/brakeman/options.rb +1 -1
- data/lib/brakeman/parsers/template_parser.rb +88 -0
- data/lib/brakeman/processors/alias_processor.rb +25 -2
- data/lib/brakeman/processors/controller_alias_processor.rb +3 -3
- data/lib/brakeman/processors/controller_processor.rb +106 -54
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +27 -12
- data/lib/brakeman/processors/lib/route_helper.rb +1 -1
- data/lib/brakeman/processors/library_processor.rb +37 -28
- data/lib/brakeman/processors/model_processor.rb +117 -34
- data/lib/brakeman/report/report_base.rb +1 -1
- data/lib/brakeman/rescanner.rb +84 -35
- data/lib/brakeman/scanner.rb +84 -148
- data/lib/brakeman/tracker.rb +32 -12
- data/lib/brakeman/util.rb +13 -4
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +2 -1
- metadata +6 -4
- metadata.gz.sig +0 -0
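--- a/data/lib/brakeman/rescanner.rb
+++ b/data/lib/brakeman/rescanner.rb
@@ -5,7 +5,8 @@ require 'brakeman/differ'
 
 #Class for rescanning changed files after an initial scan
 class Brakeman::Rescanner < Brakeman::Scanner
-
+  include Brakeman::Util
+  KNOWN_TEMPLATE_EXTENSIONS = Brakeman::TemplateParser::KNOWN_TEMPLATE_EXTENSIONS
   SCAN_ORDER = [:config, :gemfile, :initializer, :lib, :routes, :template,
     :model, :controller]
 
@@ -74,10 +75,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
     case type
     when :controller
       rescan_controller path
-      @reindex << :controllers << :templates
     when :template
       rescan_template path
-      @reindex << :templates
     when :model
       rescan_model path
     when :lib
@@ -85,16 +84,9 @@ class Brakeman::Rescanner < Brakeman::Scanner
     when :config
       process_config
     when :initializer
-
+      rescan_initializer path
     when :routes
-
-      # which affects which templates are rendered, so routes, controllers,
-      # and templates rendered from controllers must be rescanned
-      tracker.reset_routes
-      tracker.reset_templates :only_rendered => true
-      process_routes
-      process_controllers
-      @reindex << :controllers << :templates
+      rescan_routes
     when :gemfile
       if tracker.config[:gems][:rails_xss] and tracker.config[:escape_html]
         tracker.config[:escape_html] = false
@@ -109,13 +101,16 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_controller path
-
-
+    controller = tracker.reset_controller path
+    paths = controller.nil? ? [path] : controller[:files]
+    parse_ruby_files(paths).each do |astfile|
+      process_controller astfile
+    end
 
     #Process data flow and template rendering
     #from the controller
     tracker.controllers.each do |name, controller|
-      if controller[:
+      if controller[:files].include?(path)
         tracker.templates.each do |template_name, template|
           next unless template[:caller]
           unless template[:caller].grep(/^#{name}#/).empty?
@@ -123,9 +118,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
           end
         end
 
-
+        controller[:src].each_value do |src|
+          @processor.process_controller_alias controller[:name], src
+        end
       end
     end
+
+    @reindex << :templates << :controllers
   end
 
   def rescan_template path
@@ -134,7 +133,10 @@ class Brakeman::Rescanner < Brakeman::Scanner
     template_name = template_path_to_name(path)
 
     tracker.reset_template template_name
-
+    fp = Brakeman::FileParser.new(tracker, @app_tree)
+    template_parser = Brakeman::TemplateParser.new(tracker, fp)
+    template_parser.parse_template path, @app_tree.read_path(path)
+    process_template fp.file_list[:templates].first
 
     @processor.process_template_alias tracker.templates[template_name]
 
@@ -164,8 +166,10 @@ class Brakeman::Rescanner < Brakeman::Scanner
       if r[0] == :controller
         controller = tracker.controllers[r[1]]
 
-
-        @
+        controller[:src].each do |file, src|
+          unless @paths.include? file
+            @processor.process_controller_alias controller[:name], src, r[2]
+          end
         end
       elsif r[0] == :template
         template = tracker.templates[r[1]]
@@ -173,17 +177,22 @@ class Brakeman::Rescanner < Brakeman::Scanner
         rescan_template template[:file]
       end
     end
+
+    @reindex << :templates
   end
 
   def rescan_model path
     num_models = tracker.models.length
-    tracker.reset_model path
-
+    model = tracker.reset_model path
+    paths = model.nil? ? [path] : model[:files]
+    parse_ruby_files(paths).each do |astfile|
+      process_model astfile.path, astfile.ast
+    end
 
     #Only need to rescan other things if a model is added or removed
     if num_models != tracker.models.length
-
-
+      process_template_data_flows
+      process_controller_data_flows
       @reindex << :templates << :controllers
     end
 
@@ -191,12 +200,16 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_lib path
-
+    lib = tracker.reset_lib path
+    paths = lib.nil? ? [path] : lib[:files]
+    parse_ruby_files(paths).each do |astfile|
+      process_lib astfile
+    end
 
     lib = nil
 
     tracker.libs.each do |name, library|
-      if library[:
+      if library[:files].include?(path)
         lib = library
         break
       end
@@ -205,11 +218,28 @@ class Brakeman::Rescanner < Brakeman::Scanner
     rescan_mixin lib if lib
   end
 
+  def rescan_routes
+    # Routes affect which controller methods are treated as actions
+    # which affects which templates are rendered, so routes, controllers,
+    # and templates rendered from controllers must be rescanned
+    tracker.reset_routes
+    tracker.reset_templates :only_rendered => true
+    process_routes
+    process_controller_data_flows
+    @reindex << :controllers << :templates
+  end
+
+  def rescan_initializer path
+    parse_ruby_files([path]).each do |astfile|
+      process_initializer astfile
+    end
+  end
+
   #Handle rescanning when a file is deleted
   def rescan_deleted_file path, type
     case type
     when :controller
-
+      rescan_controller path
     when :template
       rescan_deleted_template path
     when :model
@@ -229,10 +259,6 @@ class Brakeman::Rescanner < Brakeman::Scanner
     true
   end
 
-  def rescan_deleted_controller path
-    tracker.reset_controller path
-  end
-
   def rescan_deleted_template path
     return unless path.match KNOWN_TEMPLATE_EXTENSIONS
 
@@ -260,7 +286,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
     deleted_lib = nil
 
     tracker.libs.delete_if do |name, lib|
-      if lib[:
+      if lib[:files].include?(path)
         deleted_lib = lib
         true
       end
@@ -278,15 +304,22 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def remove_deleted_file path
     deleted = false
 
-    [:controllers, :
+    [:controllers, :models, :libs].each do |collection|
       tracker.send(collection).delete_if do |name, data|
-        if data[:
+        if data[:files].include?(path)
           deleted = true
           true
         end
       end
     end
 
+    tracker.templates.delete_if do |name, data|
+      if data[:file] == path
+        deleted = true
+        true
+      end
+    end
+
     deleted
   end
 
@@ -325,15 +358,24 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
     method_matcher = /##{method_names.map {|n| Regexp.escape(n.to_s)}.join('|')}$/
 
+    to_rescan = []
+
     #Rescan controllers that mixed in library
     tracker.controllers.each do |name, controller|
       if controller[:includes].include? lib[:name]
-
-
+        controller[:files].each do |path|
+          unless @paths.include? path
+            to_rescan << path
+          end
         end
       end
     end
 
+    to_rescan.each do |controller|
+      tracker.reset_controller controller
+      rescan_file controller
+    end
+
     to_rescan = []
 
     #Check if a method from this mixin was used to render a template.
@@ -358,6 +400,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
       rescan_file template[1]
     end
   end
+
+  def parse_ruby_files list
+    paths = list.select { |path| @app_tree.path_exists? path }
+    file_parser = Brakeman::FileParser.new(tracker, @app_tree)
+    file_parser.parse_files paths, :rescan
+    file_parser.file_list[:rescan]
+  end
 end
 
 #Class to make reporting of rescan results simpler to deal with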
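--- a/data/lib/brakeman/scanner.rb
+++ b/data/lib/brakeman/scanner.rb
@@ -6,6 +6,8 @@ begin
   require 'ruby_parser/bm_sexp_processor.rb'
   require 'brakeman/processor'
   require 'brakeman/app_tree'
+  require 'brakeman/file_parser'
+  require 'brakeman/parsers/template_parser'
 rescue LoadError => e
   $stderr.puts e.message
   $stderr.puts "Please install the appropriate dependency."
@@ -15,9 +17,7 @@ end
 #Scans the Rails application.
 class Brakeman::Scanner
   attr_reader :options
-
-  RUBY_1_9 = !!(RUBY_VERSION >= "1.9.0")
-  KNOWN_TEMPLATE_EXTENSIONS = /.*\.(erb|haml|rhtml|slim)$/
+  RUBY_1_9 = RUBY_VERSION >= "1.9.0"
 
   #Pass in path to the root of the Rails application
   def initialize options, processor = nil
@@ -36,7 +36,6 @@ class Brakeman::Scanner
       Brakeman.notify "[Notice] Detected Rails 4 application"
     end
 
-    @ruby_parser = ::RubyParser
     @processor = processor || Brakeman::Processor.new(@app_tree, options)
   end
 
@@ -51,6 +50,8 @@ class Brakeman::Scanner
     process_gems
     Brakeman.notify "Processing configuration..."
     process_config
+    Brakeman.notify "Parsing files..."
+    parse_files
     Brakeman.notify "Processing initializers..."
     process_initializers
     Brakeman.notify "Processing libs..."
@@ -59,15 +60,45 @@ class Brakeman::Scanner
     process_routes
     Brakeman.notify "Processing templates... "
     process_templates
+    Brakeman.notify "Processing data flow in templates..."
+    process_template_data_flows
     Brakeman.notify "Processing models... "
     process_models
     Brakeman.notify "Processing controllers... "
     process_controllers
+    Brakeman.notify "Processing data flow in controllers..."
+    process_controller_data_flows
     Brakeman.notify "Indexing call sites... "
     index_call_sites
     tracker
   end
 
+  def parse_files
+    fp = Brakeman::FileParser.new tracker, @app_tree
+
+    files = {
+      :initializers => @app_tree.initializer_paths,
+      :controllers => @app_tree.controller_paths,
+      :models => @app_tree.model_paths
+    }
+
+    unless options[:skip_libs]
+      files[:libs] = @app_tree.lib_paths
+    end
+
+    files.each do |name, paths|
+      fp.parse_files paths, name
+    end
+
+    template_parser = Brakeman::TemplateParser.new(tracker, fp)
+
+    fp.read_files(@app_tree.template_paths, :templates) do |path, contents|
+      template_parser.parse_template path, contents
+    end
+
+    @file_list = fp.file_list
+  end
+
   #Process config/environment.rb and config/gems.rb
   #
   #Stores parsed information in tracker.config
@@ -120,20 +151,15 @@ class Brakeman::Scanner
   #
   #Adds parsed information to tracker.initializers
   def process_initializers
-    @
-
+    track_progress @file_list[:initializers] do |init|
+      Brakeman.debug "Processing #{init[:path]}"
+      process_initializer init
     end
   end
 
   #Process an initializer
-  def process_initializer
-
-    @processor.process_initializer(path, parse_ruby(@app_tree.read_path(path)))
-  rescue Racc::ParseError => e
-    tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
-  rescue => e
-    tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
-  end
+  def process_initializer init
+    @processor.process_initializer(init.path, init.ast)
   end
 
   #Process all .rb in lib/
@@ -145,26 +171,15 @@ class Brakeman::Scanner
       return
     end
 
-
-
-
-    @app_tree.lib_paths.each do |f|
-      Brakeman.debug "Processing #{f}"
-      report_progress(current, total)
-      current += 1
-      process_lib f
+    track_progress @file_list[:libs] do |lib|
+      Brakeman.debug "Processing #{lib.path}"
+      process_lib lib
     end
   end
 
   #Process a library
-  def process_lib
-
-    @processor.process_lib parse_ruby(@app_tree.read_path(path)), path
-  rescue Racc::ParseError => e
-    tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
-  rescue => e
-    tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
-  end
+  def process_lib lib
+    @processor.process_lib lib.ast, lib.path
   end
 
   #Process config/routes.rb
@@ -188,37 +203,29 @@ class Brakeman::Scanner
   #
   #Adds processed controllers to tracker.controllers
   def process_controllers
-
-
-
-    @app_tree.controller_paths.each do |f|
-      Brakeman.debug "Processing #{f}"
-      report_progress(current, total)
-      current += 1
-      process_controller f
+    track_progress @file_list[:controllers] do |controller|
+      Brakeman.debug "Processing #{controller.path}"
+      process_controller controller
     end
+  end
 
-
-
+  def process_controller_data_flows
+    controllers = tracker.controllers.sort_by { |name, _| name.to_s }
 
-
-
-    tracker.controllers.sort_by{|name| name.to_s}.each do |name, controller|
+    track_progress controllers, "controllers" do |name, controller|
       Brakeman.debug "Processing #{name}"
-
-
-
+      controller[:src].each_value do |src|
+        @processor.process_controller_alias name, src
+      end
     end
 
     #No longer need these processed filter methods
     tracker.filter_cache.clear
   end
 
-  def process_controller
+  def process_controller astfile
     begin
-      @processor.process_controller(
-    rescue Racc::ParseError => e
-      tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
+      @processor.process_controller(astfile.ast, astfile.path)
     rescue => e
       tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
     end
@@ -228,119 +235,48 @@ class Brakeman::Scanner
   #
   #Adds processed views to tracker.views
   def process_templates
-
-
-    count = 0
-    total = @app_tree.template_paths.length
+    templates = @file_list[:templates].sort_by { |t| t[:path] }
 
-
-      Brakeman.debug "Processing #{path}"
-
-      count += 1
-      process_template path
-    end
-
-    total = tracker.templates.length
-    count = 0
-
-    Brakeman.notify "Processing data flow in templates..."
-
-    tracker.templates.keys.dup.sort_by{|name| name.to_s}.each do |name|
-      Brakeman.debug "Processing #{name}"
-      report_progress(count, total, "templates")
-      count += 1
-      @processor.process_template_alias tracker.templates[name]
+    track_progress templates, "templates" do |template|
+      Brakeman.debug "Processing #{template[:path]}"
+      process_template template
     end
   end
 
-  def process_template
-  type
-
-    name = template_path_to_name path
-    text = @app_tree.read_path path
-
-    begin
-      if type == :erb
-        if tracker.config[:escape_html]
-          type = :erubis
-          if options[:rails3]
-            require 'brakeman/parsers/rails3_erubis'
-            src = Brakeman::Rails3Erubis.new(text).src
-          else
-            require 'brakeman/parsers/rails2_xss_plugin_erubis'
-            src = Brakeman::Rails2XSSPluginErubis.new(text).src
-          end
-        elsif tracker.config[:erubis]
-          require 'brakeman/parsers/rails2_erubis'
-          type = :erubis
-          src = Brakeman::ScannerErubis.new(text).src
-        else
-          require 'erb'
-          src = ERB.new(text, nil, "-").src
-          src.sub!(/^#.*\n/, '') if RUBY_1_9
-        end
-
-        parsed = parse_ruby src
-      elsif type == :haml
-        Brakeman.load_brakeman_dependency 'haml'
-        Brakeman.load_brakeman_dependency 'sass'
-
-        src = Haml::Engine.new(text,
-                               :escape_html => !!tracker.config[:escape_html]).precompiled
-        parsed = parse_ruby src
-      elsif type == :slim
-        Brakeman.load_brakeman_dependency 'slim'
-
-        src = Slim::Template.new(:disable_capture => true,
-                                 :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
-
-        parsed = parse_ruby src
-      else
-        tracker.error "Unkown template type in #{path}"
-      end
+  def process_template template
+    @processor.process_template(template.name, template.ast, template.type, nil, template.path)
+  end
 
-
+  def process_template_data_flows
+    templates = tracker.templates.sort_by { |name, _| name.to_s }
 
-
-
-
-      tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
-    rescue StandardError, LoadError => e
-      tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
+    track_progress templates, "templates" do |name, template|
+      Brakeman.debug "Processing #{name}"
+      @processor.process_template_alias template
     end
   end
 
-  #Convert path/filename to view name
-  #
-  # views/test/something.html.erb -> test/something
-  def template_path_to_name path
-    names = path.split("/")
-    names.last.gsub!(/(\.(html|js)\..*|\.rhtml)$/, '')
-    names[(names.index("views") + 1)..-1].join("/").to_sym
-  end
-
   #Process all the .rb files in models/
   #
   #Adds the processed models to tracker.models
   def process_models
-
-
-
-    @app_tree.model_paths.each do |f|
-      Brakeman.debug "Processing #{f}"
-      report_progress(current, total)
-      current += 1
-      process_model f
+    track_progress @file_list[:models] do |model|
+      Brakeman.debug "Processing #{model[:path]}"
+      process_model model[:path], model[:ast]
     end
   end
 
-  def process_model path
-
-
-
-
-
-
+  def process_model path, ast
+    @processor.process_model(ast, path)
+  end
+
+  def track_progress list, type = "files"
+    total = list.length
+    current = 0
+    list.each do |item|
+      report_progress current, total, type
+      current += 1
+      yield item
     end
   end
 
@@ -354,7 +290,7 @@ class Brakeman::Scanner
   end
 
   def parse_ruby input
-
+    RubyParser.new.parse input
   end
 end
 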
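Review bot: In `process_controller astfile` (hunk `@@ -188,37 +203,29 @@`) the surviving rescue line still interpolates `path`, but the parameter was renamed to `astfile` and no local `path` remains in the method, so any error from `@processor.process_controller` now raises NameError inside the rescue instead of being recorded with tracker.error. The line should read `tracker.error e.exception(e.message + "\nWhile processing #{astfile.path}"), e.backtrace`. Separately, the new code reads parsed-file entries both as structs (`init.path`, `lib.ast`, `astfile.path`) and as hashes (`init[:path]`, `model[:path]`, `template[:path]`); this only works if FileParser returns objects that answer to both forms, which I cannot confirm from this page, so picking one access style across process_initializers, process_templates and process_models would remove the dependency. The `Racc::ParseError` rescue branches are dropped here on the assumption that FileParser reports parse failures itself; worth stating in a comment on parse_files.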