brakeman 3.0.5 → 3.1.0

data/lib/brakeman/processors/base_processor.rb

@@ -49,7 +49,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     exp
   end
 
-  #Processes calls with blocks. Changes Sexp node type to :call_with_block
+  #Processes calls with blocks.
   #
   #s(:iter, CALL, {:lasgn|:masgn}, BLOCK)
   def process_iter exp
@@ -63,20 +63,18 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
       block = nil
     end
 
-    call = Sexp.new(:call_with_block, call, exp.block_args, block).compact
+    call = Sexp.new(:iter, call, exp.block_args, block).compact
     call.line(exp.line)
     call
   end
 
-  #String with interpolation. Changes Sexp node type to :string_interp
+  #String with interpolation.
   def process_dstr exp
     exp = exp.dup
     exp.shift
     exp.map! do |e|
       if e.is_a? String
         e
-      elsif e.value.is_a? String
-        e.value
       else
         res = process e
         if res.empty?
@@ -87,7 +85,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
       end
     end.compact!
 
-    exp.unshift :string_interp
+    exp.unshift :dstr
   end
 
   #Processes a block. Changes Sexp node type to :rlist
@@ -103,10 +101,8 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   end
 
   #Processes the inside of an interpolated String.
-  #Changes Sexp node type to :string_eval
   def process_evstr exp
     exp = exp.dup
-    exp[0] = :string_eval
     exp[1] = process exp[1]
     exp
   end

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -20,12 +20,13 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     @method_cache = {} #Cache method lookups
   end
 
-  def process_controller name, src
+  def process_controller name, src, file
     if not node_type? src, :class
       Brakeman.debug "#{name} is not a class, it's a #{src.node_type}"
       return
     else
       @current_class = name
+      @file = file
 
       process_default src
 
@@ -37,27 +38,28 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   def process_mixins
     controller = @tracker.controllers[@current_class]
 
-    controller[:includes].each do |i|
+    controller.includes.each do |i|
       mixin = @tracker.libs[i]
 
       next unless mixin
 
       #Process methods in alphabetical order for consistency
-      methods = mixin[:public].keys.map { |n| n.to_s }.sort.map { |n| n.to_sym }
+      methods = mixin.methods_public.keys.map { |n| n.to_s }.sort.map { |n| n.to_sym }
 
       methods.each do |name|
         #Need to process the method like it was in a controller in order
         #to get the renders set
         processor = Brakeman::ControllerProcessor.new(@app_tree, @tracker)
-        method = mixin[:public][name][:src].deep_clone
+        method = mixin.get_method(name)[:src].deep_clone
 
-        if node_type? method, :methdef
+        if node_type? method, :defn
           method = processor.process_defn method
         else
-          #Should be a methdef, but this will catch other cases
+          #Should be a defn, but this will catch other cases
           method = processor.process method
         end
 
+        @file = mixin.file
         #Then process it like any other method in the controller
         process method
       end
@@ -71,7 +73,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 
   #Processes a method definition, which may include
   #processing any rendered templates.
-  def process_methdef exp
+  def process_defn exp
     meth_name = exp.method_name
 
     Brakeman.debug "Processing #{@current_class}##{meth_name}"
@@ -122,7 +124,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   end
 
   #Check for +respond_to+
-  def process_call_with_block exp
+  def process_iter exp
     super
 
     if call? exp.block_call and exp.block_call.method == :respond_to
@@ -166,13 +168,22 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #Processes the default template for the current action
   def process_default_render exp
     process_layout
-    process_template template_name, nil
+    process_template template_name, nil, nil, nil
   end
 
   #Process template and add the current class and method name as called_from info
-  def process_template name, args
-    render_path = Brakeman::RenderPath.new.add_controller_render(@current_class, @current_method)
-    super name, args, render_path
+  def process_template name, args, _, line
+    # If line is null, assume implicit render and set the end of the action
+    # method as the line number
+    if line.nil? and controller = @tracker.controllers[@current_class]
+      if meth = controller.get_method(@current_method)
+        line = meth[:src] && meth[:src].last && meth[:src].last.line
+        line += 1
+      end
+    end
+
+    render_path = Brakeman::RenderPath.new.add_controller_render(@current_class, @current_method, line, relative_path(@file))
+    super name, args, render_path, line
   end
 
   #Turns a method name into a template name
@@ -192,12 +203,12 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   def layout_name
     controller = @tracker.controllers[@current_class]
 
-    return controller[:layout] if controller[:layout]
-    return false if controller[:layout] == false
+    return controller.layout if controller.layout
+    return false if controller.layout == false
 
     app_controller = @tracker.controllers[:ApplicationController]
 
-    return app_controller[:layout] if app_controller and app_controller[:layout]
+    return app_controller.layout if app_controller and app_controller.layout
 
     nil
   end
@@ -215,120 +226,12 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #Get list of filters, including those that are inherited
   def before_filter_list method, klass
     controller = @tracker.controllers[klass]
-    filters = []
-
-    while controller
-      filters = get_before_filters(method, controller) + filters
-
-      controller = @tracker.controllers[controller[:parent]] ||
-                   @tracker.libs[controller[:parent]]
-    end
-
-    remove_skipped_filters filters, method, klass
-  end
-
-  def remove_skipped_filters filters, method, klass
-    controller = @tracker.controllers[klass]
-
-    while controller
-      filters = filters - get_skipped_filters(method, controller)
-
-      controller = @tracker.controllers[controller[:parent]] ||
-                   @tracker.libs[controller[:parent]]
-    end
 
-    filters
-  end
-
-  def get_skipped_filters method, controller
-    return [] unless controller[:options] and controller[:options][:skip_filters]
-
-    filters = []
-
-    if controller[:skip_filter_cache].nil?
-      controller[:skip_filter_cache] = controller[:options][:skip_filters].map do |filter|
-        before_filter_to_hash(filter.args)
-      end
-    end
-
-    controller[:skip_filter_cache].each do |f|
-      if f[:all] or
-        (f[:only] == method) or
-        (f[:only].is_a? Array and f[:only].include? method) or
-        (f[:except].is_a? Symbol and f[:except] != method) or
-        (f[:except].is_a? Array and not f[:except].include? method)
-
-        filters.concat f[:methods]
-      end
-    end
-
-    filters
-  end
-
-  #Returns an array of filter names
-  def get_before_filters method, controller
-    return [] unless controller[:options] and controller[:options][:before_filters]
-
-    filters = []
-
-    if controller[:before_filter_cache].nil?
-      filter_cache = []
-
-      controller[:options][:before_filters].each do |filter|
-        filter_cache << before_filter_to_hash(filter.args)
-      end
-
-      controller[:before_filter_cache] = filter_cache
-    end
-
-    controller[:before_filter_cache].each do |f|
-      if f[:all] or
-        (f[:only] == method) or
-        (f[:only].is_a? Array and f[:only].include? method) or
-        (f[:except].is_a? Symbol and f[:except] != method) or
-        (f[:except].is_a? Array and not f[:except].include? method)
-
-        filters.concat f[:methods]
-      end
-    end
-
-    filters
-  end
-
-  #Returns a before filter as a hash table
-  def before_filter_to_hash args
-    filter = {}
-
-    #Process args for the uncommon but possible situation
-    #in which some variables are used in the filter.
-    args.each do |a|
-      if sexp? a
-        a = process_default a
-      end
-    end
-
-    filter[:methods] = [args[0][1]]
-
-    args[1..-1].each do |a|
-      filter[:methods] << a[1] if a.node_type == :lit
-    end
-
-    if args[-1].node_type == :hash
-      option = args[-1][1][1]
-      value = args[-1][2]
-      case value.node_type
-      when :array
-        filter[option] = value[1..-1].map {|v| v[1] }
-      when :lit, :str
-        filter[option] = value[1]
-      else
-        Brakeman.debug "[Notice] Unknown before_filter value: #{option} => #{value}"
-      end
+    if controller
+      controller.before_filter_list self, method
     else
-      filter[:all] = true
+      []
     end
-
-    filter
   end
 
   #Finds a method in the given class or a parent class
@@ -348,12 +251,10 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     controller ||= @tracker.libs[klass]
 
     if klass and controller
-      method = controller[:public][method_name]
-      method ||= controller[:private][method_name]
-      method ||= controller[:protected][method_name]
+      method = controller.get_method method_name
 
       if method.nil?
-        controller[:includes].each do |included|
+        controller.includes.each do |included|
           method = find_method method_name, included
           if method
             @method_cache[method_name] = method
@@ -361,9 +262,9 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
           end
        end
 
-        @method_cache[method_name] = find_method method_name, controller[:parent]
+        @method_cache[method_name] = find_method method_name, controller.parent
       else
-        @method_cache[method_name] = { :controller => controller[:name], :method => method[:src] }
+        @method_cache[method_name] = { :controller => controller.name, :method => method[:src] }
       end
     else
       nil

data/lib/brakeman/processors/controller_processor.rb

@@ -1,4 +1,5 @@
 require 'brakeman/processors/base_processor'
+require 'brakeman/tracker/controller'
 
 #Processes controller. Results are put in tracker.controllers
 class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
@@ -28,7 +29,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     #If inside a real controller, treat any other classes as libraries.
     #But if not inside a controller already, then the class may include
     #a real controller, so we can't take this shortcut.
-    if @current_class and @current_class[:name].to_s.end_with? "Controller"
+    if @current_class and @current_class.name.to_s.end_with? "Controller"
       Brakeman.debug "[Notice] Treating inner class as library: #{name}"
       Brakeman::LibraryProcessor.new(@tracker).process_library exp, @file_name
       return exp
@@ -48,30 +49,18 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
     if @current_class
       outer_class = @current_class
-      name = (outer_class[:name].to_s + "::" + name.to_s).to_sym
+      name = (outer_class.name.to_s + "::" + name.to_s).to_sym
     end
 
     if @current_module
-      name = (@current_module[:name].to_s + "::" + name.to_s).to_sym
+      name = (@current_module.name.to_s + "::" + name.to_s).to_sym
     end
 
     if @tracker.controllers[name]
       @current_class = @tracker.controllers[name]
-      @current_class[:files] << @file_name unless @current_class[:files].include? @file_name
-      @current_class[:src][@file_name] = exp
+      @current_class.add_file @file_name, exp
     else
-      @current_class = {
-        :name => name,
-        :parent => parent,
-        :includes => [],
-        :public => {},
-        :private => {},
-        :protected => {},
-        :options => {:before_filters => [], :skip_filters => []},
-        :src => { @file_name => exp },
-        :files => [ @file_name ]
-      }
-
+      @current_class = Brakeman::Controller.new name, parent, @file_name, exp, @tracker
       @tracker.controllers[name] = @current_class
     end
 
@@ -92,30 +81,18 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
     if @current_module
       outer_module = @current_module
-      name = (outer_module[:name].to_s + "::" + name.to_s).to_sym
+      name = (outer_module.name.to_s + "::" + name.to_s).to_sym
     end
 
     if @current_class
-      name = (@current_class[:name].to_s + "::" + name.to_s).to_sym
+      name = (@current_class.name.to_s + "::" + name.to_s).to_sym
     end
 
     if @tracker.libs[name]
       @current_module = @tracker.libs[name]
-      @current_module[:files] << @file_name unless @current_module[:files].include? @file_name
-      @current_module[:src][@file_name] = exp
+      @current_module.add_file @file_name, exp
     else
-      @current_module = {
-        :name => name,
-        :parent => parent,
-        :includes => [],
-        :public => {},
-        :private => {},
-        :protected => {},
-        :options => {:before_filters => []},
-        :src => { @file_name => exp },
-        :files => [ @file_name ]
-      }
-
+      @current_module = Brakeman::Controller.new name, parent, @file_name, exp, @tracker
       @tracker.libs[name] = @current_module
     end
 
@@ -149,45 +126,44 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
         when :private, :protected, :public
           @visibility = method
         when :protect_from_forgery
-          @current_class[:options][:protect_from_forgery] = true
+          @current_class.options[:protect_from_forgery] = true
         else
           #??
         end
       else
         case method
         when :include
-          @current_class[:includes] << class_name(first_arg) if @current_class
+          @current_class.add_include class_name(first_arg) if @current_class
         when :before_filter, :append_before_filter, :before_action, :append_before_action
           if node_type? exp.first_arg, :iter
             add_lambda_filter exp
           else
-            @current_class[:options][:before_filters] << exp
+            @current_class.add_before_filter exp
           end
         when :prepend_before_filter, :prepend_before_action
           if node_type? exp.first_arg, :iter
             add_lambda_filter exp
           else
-            @current_class[:options][:before_filters].unshift exp
+            @current_class.prepend_before_filter exp
           end
         when :skip_before_filter, :skip_filter, :skip_before_action, :skip_action_callback
-          @current_class[:options][:skip_filters] << exp
+          @current_class.skip_filter exp
         when :layout
           if string? last_arg
             #layout "some_layout"
 
             name = last_arg.value.to_s
             if @app_tree.layout_exists?(name)
-              @current_class[:layout] = "layouts/#{name}"
+              @current_class.layout = "layouts/#{name}"
             else
               Brakeman.debug "[Notice] Layout not found: #{name}"
             end
           elsif node_type? last_arg, :nil, :false
             #layout :false or layout nil
-            @current_class[:layout] = false
+            @current_class.layout = false
           end
         else
-          @current_class[:options][method] ||= []
-          @current_class[:options][method] << exp
+          @current_class.add_option method, exp
         end
       end
 
@@ -213,14 +189,14 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
   def process_defn exp
     name = exp.method_name
     @current_method = name
-    res = Sexp.new :methdef, name, exp.formal_args, *process_all!(exp.body)
+    res = Sexp.new :defn, name, exp.formal_args, *process_all!(exp.body)
     res.line(exp.line)
     @current_method = nil
 
     if @current_class
-      @current_class[@visibility][name] = { :src => res, :file => @file_name }
+      @current_class.add_method @visibility, name, res, @file_name
     elsif @current_module
-      @current_module[@visibility][name] = { :src => res, :file => @file_name }
+      @current_module.add_method @visibility, name, res, @file_name
     end
 
     res
@@ -232,7 +208,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
     if exp[1].node_type == :self
       if @current_class
-        target = @current_class[:name]
+        target = @current_class.name
       elsif @current_module
         target = @current_module
       else
@@ -243,14 +219,14 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     end
 
     @current_method = name
-    res = Sexp.new :selfdef, target, name, exp.formal_args, *process_all!(exp.body)
+    res = Sexp.new :defs, target, name, exp.formal_args, *process_all!(exp.body)
     res.line(exp.line)
     @current_method = nil
 
     if @current_class
-      @current_class[@visibility][name] = { :src => res, :file => @file_name }
+      @current_class.add_method @visibility, name, res, @file_name
     elsif @current_module
-      @current_module[@visibility][name] = { :src => res, :file => @file_name }
+      @current_module.add_method @visibility, name, res, @file_name
     end
 
     res
@@ -268,13 +244,13 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
 
   #Sets default layout for renders inside Controller
   def set_layout_name
-    return if @current_class[:layout]
+    return if @current_class.layout
 
-    name = underscore(@current_class[:name].to_s.split("::")[-1].gsub("Controller", ''))
+    name = underscore(@current_class.name.to_s.split("::")[-1].gsub("Controller", ''))
 
     #There is a layout for this Controller
     if @app_tree.layout_exists?(name)
-      @current_class[:layout] = "layouts/#{name}"
+      @current_class.layout = "layouts/#{name}"
     end
   end
 
@@ -308,7 +284,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     #Build Sexp for filter method
     body = Sexp.new(:lasgn,
                     block_variable,
-                    Sexp.new(:call, Sexp.new(:const, @current_class[:name]), :new))
+                    Sexp.new(:call, Sexp.new(:const, @current_class.name), :new))
 
     filter_method = Sexp.new(:defn, filter_name, Sexp.new(:args), body).concat(block_inner).line(exp.line)