brakeman 3.0.5 → 3.1.0

data/lib/brakeman/processors/erb_template_processor.rb

@@ -34,7 +34,7 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
         else
           s = Sexp.new :output, arg
           s.line(exp.line)
-          @current_template[:outputs] << s
+          @current_template.add_output s
           s
         end
       elsif method == :force_encoding
@@ -46,11 +46,9 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
       exp.arglist = process(exp.arglist)
       make_render_in_view exp
     else
-      #TODO: Is it really necessary to create a new Sexp here?
-      call = make_call target, method, process_all!(exp.args)
-      call.original_line = exp.original_line
-      call.line(exp.line)
-      call
+      exp.target = target
+      exp.arglist = process(exp.arglist)
+      exp
     end
   end
 

data/lib/brakeman/processors/erubis_template_processor.rb

@@ -9,12 +9,14 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
     if sexp? target
       target = process target
     end
+
+    exp.target = target
+    exp.arglist = process exp.arglist
     method = exp.method
 
     #_buf is the default output variable for Erubis
     if node_type?(target, :lvar, :ivar) and (target.value == :_buf or target.value == :@output_buffer)
       if method == :<< or method == :safe_concat
-        exp.arglist = process exp.arglist
 
         arg = exp.first_arg
 
@@ -28,12 +30,12 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
         elsif node_type? target, :ivar and target.value == :@output_buffer
           s = Sexp.new :escaped_output, arg
           s.line(exp.line)
-          @current_template[:outputs] << s
+          @current_template.add_output s
           s
         else
           s = Sexp.new :output, arg
           s.line(exp.line)
-          @current_template[:outputs] << s
+          @current_template.add_output s
           s
         end
       elsif method == :to_s
@@ -42,14 +44,9 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
         abort "Unrecognized action on buffer: #{method}"
       end
     elsif target == nil and method == :render
-      exp.arglist = process exp.arglist
       make_render_in_view exp
     else
-      #TODO: Is it really necessary to create a new Sexp here?
-      call = make_call target, method, process_all!(exp.args)
-      call.original_line = exp.original_line
-      call.line(exp.line)
-      call
+      exp
     end
   end
 
@@ -83,12 +80,12 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
         elsif exp.method == :safe_append=
           s = Sexp.new :output, arg
           s.line(exp.line)
-          @current_template[:outputs] << s
+          @current_template.add_output s
           s
         else
           s = Sexp.new :escaped_output, arg
           s.line(exp.line)
-          @current_template[:outputs] << s
+          @current_template.add_output s
           s
         end
       else

data/lib/brakeman/processors/gem_processor.rb

@@ -6,37 +6,18 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
   def initialize *args
     super
     @gem_name_version = /^\s*([-_+.A-Za-z0-9]+) \((\w(\.\w+)*)\)/
-    @tracker.config[:gems] ||= {}
   end
 
-  def process_gems src, gem_lock = nil
-    process src
+  def process_gems gem_files
+    @gem_files = gem_files
+    @gemfile = gem_files[:gemfile][:file]
+    process gem_files[:gemfile][:src]
 
-    if gem_lock
-      process_gem_lock gem_lock
-      @tracker.config[:rails_version] = @tracker.config[:gems][:rails][:version] if @tracker.config[:gems][:rails]
-    elsif @tracker.config[:gems] && @tracker.config[:gems][:rails] && @tracker.config[:gems][:rails][:version] =~ /(\d+.\d+.\d+)/
-      @tracker.config[:rails_version] = $1
-    else
-      @tracker.config[:rails_version] = nil
+    if gem_files[:gemlock]
+      process_gem_lock
     end
 
-    if @tracker.options[:rails3].nil? and @tracker.options[:rails4].nil? and @tracker.config[:rails_version]
-      if @tracker.config[:rails_version].start_with? "3"
-        @tracker.options[:rails3] = true
-        Brakeman.notify "[Notice] Detected Rails 3 application"
-      elsif @tracker.config[:rails_version].start_with? "4"
-        @tracker.options[:rails3] = true
-        @tracker.options[:rails4] = true
-        Brakeman.notify "[Notice] Detected Rails 4 application"
-      end
-    end
-
-    if @tracker.config[:gems][:rails_xss]
-      @tracker.config[:escape_html] = true
-
-      Brakeman.notify "[Notice] Escaping HTML by default"
-    end
+    @tracker.config.set_rails_version
   end
 
   def process_call exp
@@ -46,20 +27,23 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
 
       gem_version = exp.second_arg
 
-      if string? gem_version
-        @tracker.config[:gems][gem_name.value.to_sym] = { :version => gem_version.value.to_s, :file => 'Gemfile', :line => exp.line }
-      else
-        @tracker.config[:gems][gem_name.value.to_sym] = { :version => nil, :file => 'Gemfile' , :line => exp.line }
-      end
+      version = if string? gem_version
+                  gem_version.value
+                else
+                  nil
+                end
+
+      @tracker.config.add_gem gem_name.value, version, @gemfile, exp.line
     end
 
     exp
   end
 
-  def process_gem_lock gem_lock
+  def process_gem_lock
     line_num = 1
-    gem_lock.each_line do |line|
-      set_gem_version_and_file line, 'Gemfile.lock', line_num
+    file = @gem_files[:gemlock][:file]
+    @gem_files[:gemlock][:src].each_line do |line|
+      set_gem_version_and_file line, file, line_num
       line_num += 1
     end
   end
@@ -67,7 +51,7 @@ class Brakeman::GemProcessor < Brakeman::BasicProcessor
   # Supports .rc2 but not ~>, >=, or <=
   def set_gem_version_and_file line, file, line_num
     if line =~ @gem_name_version
-      @tracker.config[:gems][$1.to_sym] = { :version => $2, :file => file, :line => line_num }
+      @tracker.config.add_gem $1, $2, file, line_num
     end
   end
 end

data/lib/brakeman/processors/haml_template_processor.rb

@@ -67,7 +67,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
         ignore
       else
         s = Sexp.new(:output, out)
-        @current_template[:outputs] << s
+        @current_template.add_output s
         s.line(exp.line)
         s
       end
@@ -76,11 +76,9 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       exp.arglist = process exp.arglist
       make_render_in_view exp
     else
-      #TODO: Do we really need a new Sexp here?
-      call = make_call target, method, process_all!(exp.args)
-      call.original_line = exp.original_line
-      call.line(exp.line)
-      call
+      exp.target = target
+      exp.arglist = process exp.arglist
+      exp
     end
   end
 
@@ -120,10 +118,10 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   #HAML likes to put interpolated values into _hamlout.push_text
   #but we want to handle those individually
   def build_output_from_push_text exp
-    if node_type? exp, :string_interp, :dstr
+    if string_interp? exp
       exp.map! do |e|
         if sexp? e
-          if node_type? e, :string_eval, :evstr
+          if node_type? e, :evstr
             e = e.value
           end
 
@@ -142,15 +140,15 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     case exp.node_type
     when :format
       exp.node_type = :output
-      @current_template[:outputs] << exp
+      @current_template.add_output exp
       exp
     when :format_escaped
       exp.node_type = :escaped_output
-      @current_template[:outputs] << exp
+      @current_template.add_output exp
       exp
     when :str, :ignore, :output, :escaped_output
       exp
-    when :block, :rlist, :string_interp, :dstr
+    when :block, :rlist, :dstr
       exp.map! { |e| get_pushed_value e }
     else
       if call? exp and exp.target == HAML_HELPERS and exp.method == :html_escape
@@ -160,7 +158,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       end
 
       s.line(exp.line)
-      @current_template[:outputs] << s
+      @current_template.add_output s
       s
     end
   end

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -23,12 +23,12 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   end
 
   #Process body of method
-  def process_methdef exp
+  def process_defn exp
     process_all exp.body
   end
 
   #Process body of method
-  def process_selfdef exp
+  def process_defs exp
     process_all exp.body
   end
 
@@ -42,7 +42,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     exp
   end
 
-  def process_call_with_block exp
+  def process_iter exp
     call = exp.block_call
 
     if call.node_type == :call
@@ -63,8 +63,6 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     exp
   end
 
-  alias process_iter process_call_with_block
-
   #Calls to render() are converted to s(:render, ...) but we would
   #like them in the call cache still for speed
   def process_render exp

data/lib/brakeman/processors/lib/find_call.rb

@@ -68,11 +68,11 @@ class Brakeman::FindCall < Brakeman::BasicProcessor
   end
 
   #Process body of method
-  def process_methdef exp
+  def process_defn exp
     process_all exp.body
   end
 
-  alias :process_selfdef :process_methdef
+  alias :process_defs :process_defn
 
   #Process body of block
   def process_rlist exp

data/lib/brakeman/processors/lib/find_return_value.rb

@@ -38,7 +38,7 @@ class Brakeman::FindReturnValue
 
     find_explicit_return_values exp
 
-    if node_type? exp, :methdef, :selfdef, :defn, :defs
+    if node_type? exp, :defn, :defs
       body = exp.body
 
       unless body.empty?

data/lib/brakeman/processors/lib/rails2_config_processor.rb

@@ -2,7 +2,7 @@ require 'brakeman/processors/lib/basic_processor'
 
 #Processes configuration. Results are put in tracker.config.
 #
-#Configuration of Rails via Rails::Initializer are stored in tracker.config[:rails].
+#Configuration of Rails via Rails::Initializer are stored in tracker.config.rails.
 #For example:
 #
 #  Rails::Initializer.run |config|
@@ -13,7 +13,7 @@ require 'brakeman/processors/lib/basic_processor'
 #
 #  tracker.config[:rails][:action_controller][:session_store]
 #
-#Values for tracker.config[:rails] will still be Sexps.
+#Values for tracker.config.rails will still be Sexps.
 class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
   #Replace block variable in
   #
@@ -24,7 +24,6 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
 
   def initialize *args
     super
-    @tracker.config[:rails] ||= {}
   end
 
   #Use this method to process configuration file
@@ -40,7 +39,7 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
 
     if exp.method == :gem and exp.first_arg.value == "erubis"
       Brakeman.notify "[Notice] Using Erubis for ERB templates"
-      @tracker.config[:erubis] = true
+      @tracker.config.erubis = true
     end
 
     exp
@@ -53,13 +52,13 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
       attribute = exp.method.to_s[0..-2].to_sym
       if exp.args.length > 1
         #Multiple arguments?...not sure if this will ever happen
-        @tracker.config[:rails][attribute] = exp.args
+        @tracker.config.rails[attribute] = exp.args
       else
-        @tracker.config[:rails][attribute] = exp.first_arg
+        @tracker.config.rails[attribute] = exp.first_arg
       end
     elsif include_rails_config? exp
       options = get_rails_config exp
-      level = @tracker.config[:rails]
+      level = @tracker.config.rails
       options[0..-2].each do |o|
         level[o] ||= {}
         level = level[o]
@@ -75,7 +74,7 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BasicProcessor
   def process_cdecl exp
     #Set Rails version required
     if exp.lhs == :RAILS_GEM_VERSION
-      @tracker.config[:rails_version] = exp.rhs.value
+      @tracker.config.rails_version = exp.rhs.value
     end
 
     exp

data/lib/brakeman/processors/lib/rails3_config_processor.rb

@@ -3,7 +3,7 @@ require 'brakeman/processors/lib/basic_processor'
 
 #Processes configuration. Results are put in tracker.config.
 #
-#Configuration of Rails via Rails::Initializer are stored in tracker.config[:rails].
+#Configuration of Rails via Rails::Initializer are stored in tracker.config.rails.
 #For example:
 #
 #  MyApp::Application.configure do
@@ -12,15 +12,14 @@ require 'brakeman/processors/lib/basic_processor'
 #
 #will be stored in
 #
-#  tracker.config[:rails][:active_record][:whitelist_attributes]
+#  tracker.config.rails[:active_record][:whitelist_attributes]
 #
-#Values for tracker.config[:rails] will still be Sexps.
+#Values for tracker.config.rails will still be Sexps.
 class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
   RAILS_CONFIG = Sexp.new(:call, nil, :config)
 
   def initialize *args
     super
-    @tracker.config[:rails] ||= {}
     @inside_config = false
   end
 
@@ -66,13 +65,13 @@ class Brakeman::Rails3ConfigProcessor < Brakeman::BasicProcessor
       attribute = exp.method.to_s[0..-2].to_sym
       if exp.args.length > 1
         #Multiple arguments?...not sure if this will ever happen
-        @tracker.config[:rails][attribute] = exp.args
+        @tracker.config.rails[attribute] = exp.args
       else
-        @tracker.config[:rails][attribute] = exp.first_arg
+        @tracker.config.rails[attribute] = exp.first_arg
       end
     elsif include_rails_config? exp
       options = get_rails_config exp
-      level = @tracker.config[:rails]
+      level = @tracker.config.rails
       options[0..-2].each do |o|
         level[o] ||= {}
 

data/lib/brakeman/processors/lib/render_helper.rb

@@ -9,15 +9,15 @@ module Brakeman::RenderHelper
     @rendered = true
     case exp.render_type
     when :action, :template
-      process_action exp[2][1], exp[3]
+      process_action exp[2][1], exp[3], exp.line
     when :default
       begin
-        process_template template_name, exp[3]
+        process_template template_name, exp[3], nil, exp.line
       rescue ArgumentError
         Brakeman.debug "Problem processing render: #{exp}"
       end
     when :partial, :layout
-      process_partial exp[2], exp[3]
+      process_partial exp[2], exp[3], exp.line
     when :nothing
     end
     exp
@@ -31,30 +31,31 @@ module Brakeman::RenderHelper
 
     return unless name
 
-    process_template name, nil
+    process_template name, nil, nil, nil
   end
 
   #Determines file name for partial and then processes it
-  def process_partial name, args
+  def process_partial name, args, line
     if name == "" or !(string? name or symbol? name)
       return
     end
 
     names = name.value.to_s.split("/")
     names[-1] = "_" + names[-1]
-    process_template template_name(names.join("/")), args
+    process_template template_name(names.join("/")), args, nil, line
   end
 
   #Processes a given action
-  def process_action name, args
+  def process_action name, args, line
     if name.is_a? String or name.is_a? Symbol
-      process_template template_name(name), args
+      process_template template_name(name), args, nil, line
     end
   end
 
   #Processes a template, adding any instance variables
   #to its environment.
-  def process_template name, args, called_from = nil
+  def process_template name, args, called_from = nil, *_
+
     Brakeman.debug "Rendering #{name} (#{called_from})"
     #Get scanned source for this template
     name = name.to_s.gsub(/^\//, "")
@@ -81,10 +82,10 @@ module Brakeman::RenderHelper
 
       #Process layout
       if string? options[:layout]
-        process_template "layouts/#{options[:layout][1]}", nil
+        process_template "layouts/#{options[:layout][1]}", nil, nil, nil
       elsif node_type? options[:layout], :false
         #nothing
-      elsif not template[:name].to_s.match(/[^\/_][^\/]+$/)
+      elsif not template.name.to_s.match(/[^\/_][^\/]+$/)
         #Don't do this for partials
         
         process_layout
@@ -100,7 +101,7 @@ module Brakeman::RenderHelper
 
         #The collection name is the name of the partial without the leading
         #underscore.
-        variable = template[:name].to_s.match(/[^\/_][^\/]+$/)[0].to_sym
+        variable = template.name.to_s.match(/[^\/_][^\/]+$/)[0].to_sym
 
         #Unless the :as => :variable_name option is used
         if options[:as]
@@ -127,7 +128,7 @@ module Brakeman::RenderHelper
       #Run source through AliasProcessor with instance variables from the
       #current environment.
       #TODO: Add in :locals => { ... } to environment
-      src = Brakeman::TemplateAliasProcessor.new(@tracker, template, called_from).process_safely(template[:src], template_env)
+      src = Brakeman::TemplateAliasProcessor.new(@tracker, template, called_from).process_safely(template.src, template_env)
 
       digest = Digest::SHA1.new.update(name + src.to_s).to_s.to_sym
 
@@ -142,7 +143,7 @@ module Brakeman::RenderHelper
       #This information will be stored in tracker.templates, but with a name
       #specifying this particular route. The original source should remain
       #pristine (so it can be processed within other environments).
-      @tracker.processor.process_template name, src, template[:type], called_from
+      @tracker.processor.process_template name, src, template.type, called_from
     end
   end