brakeman 2.5.0 → 2.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +8 -8
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CHANGES +14 -0
- data/README.md +6 -28
- data/lib/brakeman/checks/base_check.rb +5 -4
- data/lib/brakeman/checks/check_basic_auth.rb +1 -2
- data/lib/brakeman/checks/check_default_routes.rb +65 -15
- data/lib/brakeman/checks/check_detailed_exceptions.rb +5 -4
- data/lib/brakeman/checks/check_filter_skipping.rb +1 -1
- data/lib/brakeman/checks/check_forgery_setting.rb +9 -9
- data/lib/brakeman/checks/check_model_attr_accessible.rb +1 -1
- data/lib/brakeman/checks/check_model_attributes.rb +3 -3
- data/lib/brakeman/checks/check_model_serialize.rb +1 -1
- data/lib/brakeman/checks/check_redirect.rb +27 -6
- data/lib/brakeman/checks/check_render.rb +2 -2
- data/lib/brakeman/checks/check_skip_before_filter.rb +2 -2
- data/lib/brakeman/checks/check_sql.rb +2 -1
- data/lib/brakeman/file_parser.rb +49 -0
- data/lib/brakeman/options.rb +1 -1
- data/lib/brakeman/parsers/template_parser.rb +88 -0
- data/lib/brakeman/processors/alias_processor.rb +25 -2
- data/lib/brakeman/processors/controller_alias_processor.rb +3 -3
- data/lib/brakeman/processors/controller_processor.rb +106 -54
- data/lib/brakeman/processors/lib/rails3_route_processor.rb +27 -12
- data/lib/brakeman/processors/lib/route_helper.rb +1 -1
- data/lib/brakeman/processors/library_processor.rb +37 -28
- data/lib/brakeman/processors/model_processor.rb +117 -34
- data/lib/brakeman/report/report_base.rb +1 -1
- data/lib/brakeman/rescanner.rb +84 -35
- data/lib/brakeman/scanner.rb +84 -148
- data/lib/brakeman/tracker.rb +32 -12
- data/lib/brakeman/util.rb +13 -4
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning_codes.rb +2 -1
- metadata +6 -4
- metadata.gz.sig +0 -0
data/lib/brakeman/rescanner.rb
CHANGED
@@ -5,7 +5,8 @@ require 'brakeman/differ'
|
|
5
5
|
|
6
6
|
#Class for rescanning changed files after an initial scan
|
7
7
|
class Brakeman::Rescanner < Brakeman::Scanner
|
8
|
-
|
8
|
+
include Brakeman::Util
|
9
|
+
KNOWN_TEMPLATE_EXTENSIONS = Brakeman::TemplateParser::KNOWN_TEMPLATE_EXTENSIONS
|
9
10
|
SCAN_ORDER = [:config, :gemfile, :initializer, :lib, :routes, :template,
|
10
11
|
:model, :controller]
|
11
12
|
|
@@ -74,10 +75,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
|
|
74
75
|
case type
|
75
76
|
when :controller
|
76
77
|
rescan_controller path
|
77
|
-
@reindex << :controllers << :templates
|
78
78
|
when :template
|
79
79
|
rescan_template path
|
80
|
-
@reindex << :templates
|
81
80
|
when :model
|
82
81
|
rescan_model path
|
83
82
|
when :lib
|
@@ -85,16 +84,9 @@ class Brakeman::Rescanner < Brakeman::Scanner
|
|
85
84
|
when :config
|
86
85
|
process_config
|
87
86
|
when :initializer
|
88
|
-
|
87
|
+
rescan_initializer path
|
89
88
|
when :routes
|
90
|
-
|
91
|
-
# which affects which templates are rendered, so routes, controllers,
|
92
|
-
# and templates rendered from controllers must be rescanned
|
93
|
-
tracker.reset_routes
|
94
|
-
tracker.reset_templates :only_rendered => true
|
95
|
-
process_routes
|
96
|
-
process_controllers
|
97
|
-
@reindex << :controllers << :templates
|
89
|
+
rescan_routes
|
98
90
|
when :gemfile
|
99
91
|
if tracker.config[:gems][:rails_xss] and tracker.config[:escape_html]
|
100
92
|
tracker.config[:escape_html] = false
|
@@ -109,13 +101,16 @@ class Brakeman::Rescanner < Brakeman::Scanner
|
|
109
101
|
end
|
110
102
|
|
111
103
|
def rescan_controller path
|
112
|
-
|
113
|
-
|
104
|
+
controller = tracker.reset_controller path
|
105
|
+
paths = controller.nil? ? [path] : controller[:files]
|
106
|
+
parse_ruby_files(paths).each do |astfile|
|
107
|
+
process_controller astfile
|
108
|
+
end
|
114
109
|
|
115
110
|
#Process data flow and template rendering
|
116
111
|
#from the controller
|
117
112
|
tracker.controllers.each do |name, controller|
|
118
|
-
if controller[:
|
113
|
+
if controller[:files].include?(path)
|
119
114
|
tracker.templates.each do |template_name, template|
|
120
115
|
next unless template[:caller]
|
121
116
|
unless template[:caller].grep(/^#{name}#/).empty?
|
@@ -123,9 +118,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
|
|
123
118
|
end
|
124
119
|
end
|
125
120
|
|
126
|
-
|
121
|
+
controller[:src].each_value do |src|
|
122
|
+
@processor.process_controller_alias controller[:name], src
|
123
|
+
end
|
127
124
|
end
|
128
125
|
end
|
126
|
+
|
127
|
+
@reindex << :templates << :controllers
|
129
128
|
end
|
130
129
|
|
131
130
|
def rescan_template path
|
@@ -134,7 +133,10 @@ class Brakeman::Rescanner < Brakeman::Scanner
|
|
134
133
|
template_name = template_path_to_name(path)
|
135
134
|
|
136
135
|
tracker.reset_template template_name
|
137
|
-
|
136
|
+
fp = Brakeman::FileParser.new(tracker, @app_tree)
|
137
|
+
template_parser = Brakeman::TemplateParser.new(tracker, fp)
|
138
|
+
template_parser.parse_template path, @app_tree.read_path(path)
|
139
|
+
process_template fp.file_list[:templates].first
|
138
140
|
|
139
141
|
@processor.process_template_alias tracker.templates[template_name]
|
140
142
|
|
@@ -164,8 +166,10 @@ class Brakeman::Rescanner < Brakeman::Scanner
|
|
164
166
|
if r[0] == :controller
|
165
167
|
controller = tracker.controllers[r[1]]
|
166
168
|
|
167
|
-
|
168
|
-
@
|
169
|
+
controller[:src].each do |file, src|
|
170
|
+
unless @paths.include? file
|
171
|
+
@processor.process_controller_alias controller[:name], src, r[2]
|
172
|
+
end
|
169
173
|
end
|
170
174
|
elsif r[0] == :template
|
171
175
|
template = tracker.templates[r[1]]
|
@@ -173,17 +177,22 @@ class Brakeman::Rescanner < Brakeman::Scanner
|
|
173
177
|
rescan_template template[:file]
|
174
178
|
end
|
175
179
|
end
|
180
|
+
|
181
|
+
@reindex << :templates
|
176
182
|
end
|
177
183
|
|
178
184
|
def rescan_model path
|
179
185
|
num_models = tracker.models.length
|
180
|
-
tracker.reset_model path
|
181
|
-
|
186
|
+
model = tracker.reset_model path
|
187
|
+
paths = model.nil? ? [path] : model[:files]
|
188
|
+
parse_ruby_files(paths).each do |astfile|
|
189
|
+
process_model astfile.path, astfile.ast
|
190
|
+
end
|
182
191
|
|
183
192
|
#Only need to rescan other things if a model is added or removed
|
184
193
|
if num_models != tracker.models.length
|
185
|
-
|
186
|
-
|
194
|
+
process_template_data_flows
|
195
|
+
process_controller_data_flows
|
187
196
|
@reindex << :templates << :controllers
|
188
197
|
end
|
189
198
|
|
@@ -191,12 +200,16 @@ class Brakeman::Rescanner < Brakeman::Scanner
|
|
191
200
|
end
|
192
201
|
|
193
202
|
def rescan_lib path
|
194
|
-
|
203
|
+
lib = tracker.reset_lib path
|
204
|
+
paths = lib.nil? ? [path] : lib[:files]
|
205
|
+
parse_ruby_files(paths).each do |astfile|
|
206
|
+
process_lib astfile
|
207
|
+
end
|
195
208
|
|
196
209
|
lib = nil
|
197
210
|
|
198
211
|
tracker.libs.each do |name, library|
|
199
|
-
if library[:
|
212
|
+
if library[:files].include?(path)
|
200
213
|
lib = library
|
201
214
|
break
|
202
215
|
end
|
@@ -205,11 +218,28 @@ class Brakeman::Rescanner < Brakeman::Scanner
|
|
205
218
|
rescan_mixin lib if lib
|
206
219
|
end
|
207
220
|
|
221
|
+
def rescan_routes
|
222
|
+
# Routes affect which controller methods are treated as actions
|
223
|
+
# which affects which templates are rendered, so routes, controllers,
|
224
|
+
# and templates rendered from controllers must be rescanned
|
225
|
+
tracker.reset_routes
|
226
|
+
tracker.reset_templates :only_rendered => true
|
227
|
+
process_routes
|
228
|
+
process_controller_data_flows
|
229
|
+
@reindex << :controllers << :templates
|
230
|
+
end
|
231
|
+
|
232
|
+
def rescan_initializer path
|
233
|
+
parse_ruby_files([path]).each do |astfile|
|
234
|
+
process_initializer astfile
|
235
|
+
end
|
236
|
+
end
|
237
|
+
|
208
238
|
#Handle rescanning when a file is deleted
|
209
239
|
def rescan_deleted_file path, type
|
210
240
|
case type
|
211
241
|
when :controller
|
212
|
-
|
242
|
+
rescan_controller path
|
213
243
|
when :template
|
214
244
|
rescan_deleted_template path
|
215
245
|
when :model
|
@@ -229,10 +259,6 @@ class Brakeman::Rescanner < Brakeman::Scanner
|
|
229
259
|
true
|
230
260
|
end
|
231
261
|
|
232
|
-
def rescan_deleted_controller path
|
233
|
-
tracker.reset_controller path
|
234
|
-
end
|
235
|
-
|
236
262
|
def rescan_deleted_template path
|
237
263
|
return unless path.match KNOWN_TEMPLATE_EXTENSIONS
|
238
264
|
|
@@ -260,7 +286,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
|
|
260
286
|
deleted_lib = nil
|
261
287
|
|
262
288
|
tracker.libs.delete_if do |name, lib|
|
263
|
-
if lib[:
|
289
|
+
if lib[:files].include?(path)
|
264
290
|
deleted_lib = lib
|
265
291
|
true
|
266
292
|
end
|
@@ -278,15 +304,22 @@ class Brakeman::Rescanner < Brakeman::Scanner
|
|
278
304
|
def remove_deleted_file path
|
279
305
|
deleted = false
|
280
306
|
|
281
|
-
[:controllers, :
|
307
|
+
[:controllers, :models, :libs].each do |collection|
|
282
308
|
tracker.send(collection).delete_if do |name, data|
|
283
|
-
if data[:
|
309
|
+
if data[:files].include?(path)
|
284
310
|
deleted = true
|
285
311
|
true
|
286
312
|
end
|
287
313
|
end
|
288
314
|
end
|
289
315
|
|
316
|
+
tracker.templates.delete_if do |name, data|
|
317
|
+
if data[:file] == path
|
318
|
+
deleted = true
|
319
|
+
true
|
320
|
+
end
|
321
|
+
end
|
322
|
+
|
290
323
|
deleted
|
291
324
|
end
|
292
325
|
|
@@ -325,15 +358,24 @@ class Brakeman::Rescanner < Brakeman::Scanner
|
|
325
358
|
|
326
359
|
method_matcher = /##{method_names.map {|n| Regexp.escape(n.to_s)}.join('|')}$/
|
327
360
|
|
361
|
+
to_rescan = []
|
362
|
+
|
328
363
|
#Rescan controllers that mixed in library
|
329
364
|
tracker.controllers.each do |name, controller|
|
330
365
|
if controller[:includes].include? lib[:name]
|
331
|
-
|
332
|
-
|
366
|
+
controller[:files].each do |path|
|
367
|
+
unless @paths.include? path
|
368
|
+
to_rescan << path
|
369
|
+
end
|
333
370
|
end
|
334
371
|
end
|
335
372
|
end
|
336
373
|
|
374
|
+
to_rescan.each do |controller|
|
375
|
+
tracker.reset_controller controller
|
376
|
+
rescan_file controller
|
377
|
+
end
|
378
|
+
|
337
379
|
to_rescan = []
|
338
380
|
|
339
381
|
#Check if a method from this mixin was used to render a template.
|
@@ -358,6 +400,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
|
|
358
400
|
rescan_file template[1]
|
359
401
|
end
|
360
402
|
end
|
403
|
+
|
404
|
+
def parse_ruby_files list
|
405
|
+
paths = list.select { |path| @app_tree.path_exists? path }
|
406
|
+
file_parser = Brakeman::FileParser.new(tracker, @app_tree)
|
407
|
+
file_parser.parse_files paths, :rescan
|
408
|
+
file_parser.file_list[:rescan]
|
409
|
+
end
|
361
410
|
end
|
362
411
|
|
363
412
|
#Class to make reporting of rescan results simpler to deal with
|
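Review bot: In the `rescan_mixin` hunk the new `to_rescan.each` loop calls `tracker.reset_controller controller` and then `rescan_file controller`; if `rescan_file` dispatches `:controller` paths to `rescan_controller` (as the `case type` branch earlier in this file suggests), the controller is reset a second time there, and because `rescan_controller` now depends on the return value of `reset_controller` to obtain `controller[:files]`, that second call sees nothing and falls back to `[path]`, so a controller split across several files is reparsed from only the changed one. Dropping the explicit reset — `to_rescan.each { |controller| rescan_file controller }` — leaves the reset to `rescan_controller`, which already performs it. A smaller point in `rescan_template`: `process_template fp.file_list[:templates].first` assumes `parse_template` always appends an entry; if a template fails to compile and the parser only records the error, `.first` is nil and `process_template` raises on `template.name`, so `parsed = fp.file_list[:templates].first; process_template parsed if parsed` would be safer (the `TemplateParser` class is outside this page, so this is inferred). The enclosing `rescan_mixin` definition begins outside the hunk.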
data/lib/brakeman/scanner.rb
CHANGED
@@ -6,6 +6,8 @@ begin
|
|
6
6
|
require 'ruby_parser/bm_sexp_processor.rb'
|
7
7
|
require 'brakeman/processor'
|
8
8
|
require 'brakeman/app_tree'
|
9
|
+
require 'brakeman/file_parser'
|
10
|
+
require 'brakeman/parsers/template_parser'
|
9
11
|
rescue LoadError => e
|
10
12
|
$stderr.puts e.message
|
11
13
|
$stderr.puts "Please install the appropriate dependency."
|
@@ -15,9 +17,7 @@ end
|
|
15
17
|
#Scans the Rails application.
|
16
18
|
class Brakeman::Scanner
|
17
19
|
attr_reader :options
|
18
|
-
|
19
|
-
RUBY_1_9 = !!(RUBY_VERSION >= "1.9.0")
|
20
|
-
KNOWN_TEMPLATE_EXTENSIONS = /.*\.(erb|haml|rhtml|slim)$/
|
20
|
+
RUBY_1_9 = RUBY_VERSION >= "1.9.0"
|
21
21
|
|
22
22
|
#Pass in path to the root of the Rails application
|
23
23
|
def initialize options, processor = nil
|
@@ -36,7 +36,6 @@ class Brakeman::Scanner
|
|
36
36
|
Brakeman.notify "[Notice] Detected Rails 4 application"
|
37
37
|
end
|
38
38
|
|
39
|
-
@ruby_parser = ::RubyParser
|
40
39
|
@processor = processor || Brakeman::Processor.new(@app_tree, options)
|
41
40
|
end
|
42
41
|
|
@@ -51,6 +50,8 @@ class Brakeman::Scanner
|
|
51
50
|
process_gems
|
52
51
|
Brakeman.notify "Processing configuration..."
|
53
52
|
process_config
|
53
|
+
Brakeman.notify "Parsing files..."
|
54
|
+
parse_files
|
54
55
|
Brakeman.notify "Processing initializers..."
|
55
56
|
process_initializers
|
56
57
|
Brakeman.notify "Processing libs..."
|
@@ -59,15 +60,45 @@ class Brakeman::Scanner
|
|
59
60
|
process_routes
|
60
61
|
Brakeman.notify "Processing templates... "
|
61
62
|
process_templates
|
63
|
+
Brakeman.notify "Processing data flow in templates..."
|
64
|
+
process_template_data_flows
|
62
65
|
Brakeman.notify "Processing models... "
|
63
66
|
process_models
|
64
67
|
Brakeman.notify "Processing controllers... "
|
65
68
|
process_controllers
|
69
|
+
Brakeman.notify "Processing data flow in controllers..."
|
70
|
+
process_controller_data_flows
|
66
71
|
Brakeman.notify "Indexing call sites... "
|
67
72
|
index_call_sites
|
68
73
|
tracker
|
69
74
|
end
|
70
75
|
|
76
|
+
def parse_files
|
77
|
+
fp = Brakeman::FileParser.new tracker, @app_tree
|
78
|
+
|
79
|
+
files = {
|
80
|
+
:initializers => @app_tree.initializer_paths,
|
81
|
+
:controllers => @app_tree.controller_paths,
|
82
|
+
:models => @app_tree.model_paths
|
83
|
+
}
|
84
|
+
|
85
|
+
unless options[:skip_libs]
|
86
|
+
files[:libs] = @app_tree.lib_paths
|
87
|
+
end
|
88
|
+
|
89
|
+
files.each do |name, paths|
|
90
|
+
fp.parse_files paths, name
|
91
|
+
end
|
92
|
+
|
93
|
+
template_parser = Brakeman::TemplateParser.new(tracker, fp)
|
94
|
+
|
95
|
+
fp.read_files(@app_tree.template_paths, :templates) do |path, contents|
|
96
|
+
template_parser.parse_template path, contents
|
97
|
+
end
|
98
|
+
|
99
|
+
@file_list = fp.file_list
|
100
|
+
end
|
101
|
+
|
71
102
|
#Process config/environment.rb and config/gems.rb
|
72
103
|
#
|
73
104
|
#Stores parsed information in tracker.config
|
@@ -120,20 +151,15 @@ class Brakeman::Scanner
|
|
120
151
|
#
|
121
152
|
#Adds parsed information to tracker.initializers
|
122
153
|
def process_initializers
|
123
|
-
@
|
124
|
-
|
154
|
+
track_progress @file_list[:initializers] do |init|
|
155
|
+
Brakeman.debug "Processing #{init[:path]}"
|
156
|
+
process_initializer init
|
125
157
|
end
|
126
158
|
end
|
127
159
|
|
128
160
|
#Process an initializer
|
129
|
-
def process_initializer
|
130
|
-
|
131
|
-
@processor.process_initializer(path, parse_ruby(@app_tree.read_path(path)))
|
132
|
-
rescue Racc::ParseError => e
|
133
|
-
tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
|
134
|
-
rescue => e
|
135
|
-
tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
|
136
|
-
end
|
161
|
+
def process_initializer init
|
162
|
+
@processor.process_initializer(init.path, init.ast)
|
137
163
|
end
|
138
164
|
|
139
165
|
#Process all .rb in lib/
|
@@ -145,26 +171,15 @@ class Brakeman::Scanner
|
|
145
171
|
return
|
146
172
|
end
|
147
173
|
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
@app_tree.lib_paths.each do |f|
|
152
|
-
Brakeman.debug "Processing #{f}"
|
153
|
-
report_progress(current, total)
|
154
|
-
current += 1
|
155
|
-
process_lib f
|
174
|
+
track_progress @file_list[:libs] do |lib|
|
175
|
+
Brakeman.debug "Processing #{lib.path}"
|
176
|
+
process_lib lib
|
156
177
|
end
|
157
178
|
end
|
158
179
|
|
159
180
|
#Process a library
|
160
|
-
def process_lib
|
161
|
-
|
162
|
-
@processor.process_lib parse_ruby(@app_tree.read_path(path)), path
|
163
|
-
rescue Racc::ParseError => e
|
164
|
-
tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
|
165
|
-
rescue => e
|
166
|
-
tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
|
167
|
-
end
|
181
|
+
def process_lib lib
|
182
|
+
@processor.process_lib lib.ast, lib.path
|
168
183
|
end
|
169
184
|
|
170
185
|
#Process config/routes.rb
|
@@ -188,37 +203,29 @@ class Brakeman::Scanner
|
|
188
203
|
#
|
189
204
|
#Adds processed controllers to tracker.controllers
|
190
205
|
def process_controllers
|
191
|
-
|
192
|
-
|
193
|
-
|
194
|
-
@app_tree.controller_paths.each do |f|
|
195
|
-
Brakeman.debug "Processing #{f}"
|
196
|
-
report_progress(current, total)
|
197
|
-
current += 1
|
198
|
-
process_controller f
|
206
|
+
track_progress @file_list[:controllers] do |controller|
|
207
|
+
Brakeman.debug "Processing #{controller.path}"
|
208
|
+
process_controller controller
|
199
209
|
end
|
210
|
+
end
|
200
211
|
|
201
|
-
|
202
|
-
|
212
|
+
def process_controller_data_flows
|
213
|
+
controllers = tracker.controllers.sort_by { |name, _| name.to_s }
|
203
214
|
|
204
|
-
|
205
|
-
|
206
|
-
tracker.controllers.sort_by{|name| name.to_s}.each do |name, controller|
|
215
|
+
track_progress controllers, "controllers" do |name, controller|
|
207
216
|
Brakeman.debug "Processing #{name}"
|
208
|
-
|
209
|
-
|
210
|
-
|
217
|
+
controller[:src].each_value do |src|
|
218
|
+
@processor.process_controller_alias name, src
|
219
|
+
end
|
211
220
|
end
|
212
221
|
|
213
222
|
#No longer need these processed filter methods
|
214
223
|
tracker.filter_cache.clear
|
215
224
|
end
|
216
225
|
|
217
|
-
def process_controller
|
226
|
+
def process_controller astfile
|
218
227
|
begin
|
219
|
-
@processor.process_controller(
|
220
|
-
rescue Racc::ParseError => e
|
221
|
-
tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
|
228
|
+
@processor.process_controller(astfile.ast, astfile.path)
|
222
229
|
rescue => e
|
223
230
|
tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
|
224
231
|
end
|
@@ -228,119 +235,48 @@ class Brakeman::Scanner
|
|
228
235
|
#
|
229
236
|
#Adds processed views to tracker.views
|
230
237
|
def process_templates
|
231
|
-
|
232
|
-
|
233
|
-
count = 0
|
234
|
-
total = @app_tree.template_paths.length
|
238
|
+
templates = @file_list[:templates].sort_by { |t| t[:path] }
|
235
239
|
|
236
|
-
|
237
|
-
Brakeman.debug "Processing #{path}"
|
238
|
-
|
239
|
-
count += 1
|
240
|
-
process_template path
|
241
|
-
end
|
242
|
-
|
243
|
-
total = tracker.templates.length
|
244
|
-
count = 0
|
245
|
-
|
246
|
-
Brakeman.notify "Processing data flow in templates..."
|
247
|
-
|
248
|
-
tracker.templates.keys.dup.sort_by{|name| name.to_s}.each do |name|
|
249
|
-
Brakeman.debug "Processing #{name}"
|
250
|
-
report_progress(count, total, "templates")
|
251
|
-
count += 1
|
252
|
-
@processor.process_template_alias tracker.templates[name]
|
240
|
+
track_progress templates, "templates" do |template|
|
241
|
+
Brakeman.debug "Processing #{template[:path]}"
|
242
|
+
process_template template
|
253
243
|
end
|
254
244
|
end
|
255
245
|
|
256
|
-
def process_template
|
257
|
-
type
|
258
|
-
|
259
|
-
name = template_path_to_name path
|
260
|
-
text = @app_tree.read_path path
|
261
|
-
|
262
|
-
begin
|
263
|
-
if type == :erb
|
264
|
-
if tracker.config[:escape_html]
|
265
|
-
type = :erubis
|
266
|
-
if options[:rails3]
|
267
|
-
require 'brakeman/parsers/rails3_erubis'
|
268
|
-
src = Brakeman::Rails3Erubis.new(text).src
|
269
|
-
else
|
270
|
-
require 'brakeman/parsers/rails2_xss_plugin_erubis'
|
271
|
-
src = Brakeman::Rails2XSSPluginErubis.new(text).src
|
272
|
-
end
|
273
|
-
elsif tracker.config[:erubis]
|
274
|
-
require 'brakeman/parsers/rails2_erubis'
|
275
|
-
type = :erubis
|
276
|
-
src = Brakeman::ScannerErubis.new(text).src
|
277
|
-
else
|
278
|
-
require 'erb'
|
279
|
-
src = ERB.new(text, nil, "-").src
|
280
|
-
src.sub!(/^#.*\n/, '') if RUBY_1_9
|
281
|
-
end
|
282
|
-
|
283
|
-
parsed = parse_ruby src
|
284
|
-
elsif type == :haml
|
285
|
-
Brakeman.load_brakeman_dependency 'haml'
|
286
|
-
Brakeman.load_brakeman_dependency 'sass'
|
287
|
-
|
288
|
-
src = Haml::Engine.new(text,
|
289
|
-
:escape_html => !!tracker.config[:escape_html]).precompiled
|
290
|
-
parsed = parse_ruby src
|
291
|
-
elsif type == :slim
|
292
|
-
Brakeman.load_brakeman_dependency 'slim'
|
293
|
-
|
294
|
-
src = Slim::Template.new(:disable_capture => true,
|
295
|
-
:generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
|
296
|
-
|
297
|
-
parsed = parse_ruby src
|
298
|
-
else
|
299
|
-
tracker.error "Unkown template type in #{path}"
|
300
|
-
end
|
246
|
+
def process_template template
|
247
|
+
@processor.process_template(template.name, template.ast, template.type, nil, template.path)
|
248
|
+
end
|
301
249
|
|
302
|
-
|
250
|
+
def process_template_data_flows
|
251
|
+
templates = tracker.templates.sort_by { |name, _| name.to_s }
|
303
252
|
|
304
|
-
|
305
|
-
|
306
|
-
|
307
|
-
tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
|
308
|
-
rescue StandardError, LoadError => e
|
309
|
-
tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
|
253
|
+
track_progress templates, "templates" do |name, template|
|
254
|
+
Brakeman.debug "Processing #{name}"
|
255
|
+
@processor.process_template_alias template
|
310
256
|
end
|
311
257
|
end
|
312
258
|
|
313
|
-
#Convert path/filename to view name
|
314
|
-
#
|
315
|
-
# views/test/something.html.erb -> test/something
|
316
|
-
def template_path_to_name path
|
317
|
-
names = path.split("/")
|
318
|
-
names.last.gsub!(/(\.(html|js)\..*|\.rhtml)$/, '')
|
319
|
-
names[(names.index("views") + 1)..-1].join("/").to_sym
|
320
|
-
end
|
321
|
-
|
322
259
|
#Process all the .rb files in models/
|
323
260
|
#
|
324
261
|
#Adds the processed models to tracker.models
|
325
262
|
def process_models
|
326
|
-
|
327
|
-
|
328
|
-
|
329
|
-
@app_tree.model_paths.each do |f|
|
330
|
-
Brakeman.debug "Processing #{f}"
|
331
|
-
report_progress(current, total)
|
332
|
-
current += 1
|
333
|
-
process_model f
|
263
|
+
track_progress @file_list[:models] do |model|
|
264
|
+
Brakeman.debug "Processing #{model[:path]}"
|
265
|
+
process_model model[:path], model[:ast]
|
334
266
|
end
|
335
267
|
end
|
336
268
|
|
337
|
-
def process_model path
|
338
|
-
|
339
|
-
|
340
|
-
|
341
|
-
|
342
|
-
|
343
|
-
|
269
|
+
def process_model path, ast
|
270
|
+
@processor.process_model(ast, path)
|
271
|
+
end
|
272
|
+
|
273
|
+
def track_progress list, type = "files"
|
274
|
+
total = list.length
|
275
|
+
current = 0
|
276
|
+
list.each do |item|
|
277
|
+
report_progress current, total, type
|
278
|
+
current += 1
|
279
|
+
yield item
|
344
280
|
end
|
345
281
|
end
|
346
282
|
|
@@ -354,7 +290,7 @@ class Brakeman::Scanner
|
|
354
290
|
end
|
355
291
|
|
356
292
|
def parse_ruby input
|
357
|
-
|
293
|
+
RubyParser.new.parse input
|
358
294
|
end
|
359
295
|
end
|
360
296
|
|
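Review bot: In `process_controller` the parameter was renamed to `astfile`, but the unchanged rescue line still interpolates `#{path}`; unless Scanner defines a `path` method elsewhere (none is visible on this page), any exception raised by `@processor.process_controller` now triggers a `NameError` inside the handler, so the original error and the `tracker.error` record are both lost. The line should read `tracker.error e.exception(e.message + "\nWhile processing #{astfile.path}"), e.backtrace`. The same hunk also removes the `Racc::ParseError` rescue, which is reasonable if `FileParser#parse_files` now reports parse failures itself, but that class is not on this page and is worth confirming.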