brakeman 3.0.5 → 3.1.0

data/lib/brakeman/processors/template_processor.rb

@@ -1,4 +1,5 @@
 require 'brakeman/processors/base_processor'
+require 'brakeman/tracker/template'
 
 #Base Processor for templates/views
 class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
@@ -6,13 +7,8 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   #Initializes template information.
   def initialize tracker, template_name, called_from = nil, file_name = nil
     super(tracker) 
-    @current_template = { :name => template_name,
-                          :caller => called_from,
-                          :partial => template_name.to_s[0,1] == "_",
-                          :outputs => [],
-                          :src => nil, #set in Processor
-                          :type => nil, #set in Processor
-                          :file => file_name } 
+    @current_template = Brakeman::Template.new template_name, called_from, file_name, tracker
+
     if called_from
       template_name = (template_name.to_s + "." + called_from.to_s).to_sym
     end
@@ -27,7 +23,7 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
     begin
       super
     rescue => e
-      except = e.exception("Error when processing #{@current_template[:name]}: #{e.message}")
+      except = e.exception("Error when processing #{@current_template.name}: #{e.message}")
       except.set_backtrace(e.backtrace)
       raise except
     end
@@ -48,7 +44,7 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   #Adds output to the list of outputs.
   def process_output exp
     exp.value = process exp.value
-    @current_template[:outputs] << exp unless exp.original_line
+    @current_template.add_output exp unless exp.original_line
     exp
   end
 

data/lib/brakeman/report/report_base.rb

@@ -40,7 +40,7 @@ class Brakeman::Report::Base
       c = tracker.controllers[name]
 
       if tracker.routes.include? :allow_all_actions or (tracker.routes[name] and tracker.routes[name].include? :allow_all_actions)
-        routes = c[:public].keys.map{|e| e.to_s}.sort.join(", ")
+        routes = c.methods_public.keys.map{|e| e.to_s}.sort.join(", ")
       elsif tracker.routes[name].nil?
         #No routes defined for this controller.
         #This can happen when it is only a parent class
@@ -48,7 +48,7 @@ class Brakeman::Report::Base
         routes = "[None]"
 
       else
-        routes = (Set.new(c[:public].keys) & tracker.routes[name.to_sym]).
+        routes = (Set.new(c.methods_public.keys) & tracker.routes[name.to_sym]).
           to_a.
           map {|e| e.to_s}.
           sort.
@@ -60,8 +60,8 @@ class Brakeman::Report::Base
       end
 
       controller_rows << { "Name" => name.to_s,
-        "Parent" => c[:parent].to_s,
-        "Includes" => c[:includes].join(", "),
+        "Parent" => c.parent.to_s,
+        "Includes" => c.includes.join(", "),
         "Routes" => routes
       }
     end
@@ -248,7 +248,7 @@ class Brakeman::Report::Base
   end
 
   def number_of_templates tracker
-    Set.new(tracker.templates.map {|k,v| v[:name].to_s[/[^.]+/]}).length
+    Set.new(tracker.templates.map {|k,v| v.name.to_s[/[^.]+/]}).length
   end
 
   def warning_file warning, absolute = @tracker.options[:absolute_paths]
@@ -263,8 +263,8 @@ class Brakeman::Report::Base
 
   def rails_version
     case
-    when tracker.config[:rails_version]
-      tracker.config[:rails_version]
+    when tracker.config.rails_version
+      tracker.config.rails_version
     when tracker.options[:rails4]
       "4.x"
     when tracker.options[:rails3]

data/lib/brakeman/report/report_html.rb

@@ -47,12 +47,10 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
     out_processor = Brakeman::OutputProcessor.new
     template_rows = {}
     tracker.templates.each do |name, template|
-      unless template[:outputs].empty?
-        template[:outputs].each do |out|
-          out = CGI.escapeHTML(out_processor.format(out))
-          template_rows[name] ||= []
-          template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
-        end
+      template.each_output do |out|
+        out = CGI.escapeHTML(out_processor.format(out))
+        template_rows[name] ||= []
+        template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
       end
     end
 
@@ -83,7 +81,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
     warning["Message"] = with_context original, warning["Message"]
     warning["Warning Type"] = with_link original, warning["Warning Type"]
     warning["Called From"] = original.called_from
-    warning["Template Name"] = original.template[:name]
+    warning["Template Name"] = original.template.name
     warning
   end
 

data/lib/brakeman/report/report_markdown.rb

@@ -99,12 +99,10 @@ class Brakeman::Report::Markdown < Brakeman::Report::Base
     out_processor = Brakeman::OutputProcessor.new
     template_rows = {}
     tracker.templates.each do |name, template|
-      unless template[:outputs].empty?
-        template[:outputs].each do |out|
-          out = out_processor.format out
-          template_rows[name] ||= []
-          template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
-        end
+      template.each_output do |out|
+        out = out_processor.format out
+        template_rows[name] ||= []
+        template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
       end
     end
 

data/lib/brakeman/report/report_table.rb

@@ -57,12 +57,10 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     out_processor = Brakeman::OutputProcessor.new
     template_rows = {}
     tracker.templates.each do |name, template|
-      unless template[:outputs].empty?
-        template[:outputs].each do |out|
-          out = out_processor.format out
-          template_rows[name] ||= []
-          template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
-        end
+      template.each_output do |out|
+        out = out_processor.format out
+        template_rows[name] ||= []
+        template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
       end
     end
 

data/lib/brakeman/rescanner.rb

@@ -88,8 +88,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
     when :routes
       rescan_routes
     when :gemfile
-      if tracker.config[:gems][:rails_xss] and tracker.config[:escape_html]
-        tracker.config[:escape_html] = false
+      if tracker.config.has_gem? :rails_xss and tracker.config.escape_html?
+        tracker.config.escape_html = false
       end
 
       process_gems
@@ -102,7 +102,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
   def rescan_controller path
     controller = tracker.reset_controller path
-    paths = controller.nil? ? [path] : controller[:files]
+    paths = controller.nil? ? [path] : controller.files
     parse_ruby_files(paths).each do |astfile|
       process_controller astfile
     end
@@ -110,16 +110,16 @@ class Brakeman::Rescanner < Brakeman::Scanner
     #Process data flow and template rendering
     #from the controller
     tracker.controllers.each do |name, controller|
-      if controller[:files].include?(path)
+      if controller.files.include?(path)
         tracker.templates.each do |template_name, template|
-          next unless template[:caller]
-          if template[:caller].include_controller? name
+          next unless template.render_path
+          if template.render_path.include_controller? name
             tracker.reset_template template_name
           end
         end
 
-        controller[:src].each_value do |src|
-          @processor.process_controller_alias controller[:name], src
+        controller.src.each do |file, src|
+          @processor.process_controller_alias controller.name, src, nil, file
         end
       end
     end
@@ -145,10 +145,10 @@ class Brakeman::Rescanner < Brakeman::Scanner
     #Search for processed template and process it.
     #Search for rendered versions of template and re-render (if necessary)
     tracker.templates.each do |name, template|
-      if template[:file] == path or template[:file].nil?
-        next unless template[:caller] and template[:name].to_sym == template_name.to_sym
+      if template.file == path or template.file.nil?
+        next unless template.render_path and template.name.to_sym == template_name.to_sym
 
-        template[:caller].each do |from|
+        template.render_path.each do |from|
           case from[:type]
           when :template
             rescan << [:template, from[:name]]
@@ -163,15 +163,15 @@ class Brakeman::Rescanner < Brakeman::Scanner
       if r[0] == :controller
         controller = tracker.controllers[r[1]]
 
-        controller[:src].each do |file, src|
+        controller.src.each do |file, src|
           unless @paths.include? file
-            @processor.process_controller_alias controller[:name], src, r[2]
+            @processor.process_controller_alias controller.name, src, r[2], file
           end
         end
       elsif r[0] == :template
         template = tracker.templates[r[1]]
 
-        rescan_template template[:file]
+        rescan_template template.file
       end
     end
 
@@ -181,7 +181,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def rescan_model path
     num_models = tracker.models.length
     model = tracker.reset_model path
-    paths = model.nil? ? [path] : model[:files]
+    paths = model.nil? ? [path] : model.files
     parse_ruby_files(paths).each do |astfile|
       process_model astfile.path, astfile.ast
     end
@@ -198,7 +198,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
   def rescan_lib path
     lib = tracker.reset_lib path
-    paths = lib.nil? ? [path] : lib[:files]
+    paths = lib.nil? ? [path] : lib.files
     parse_ruby_files(paths).each do |astfile|
       process_lib astfile
     end
@@ -206,7 +206,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
     lib = nil
 
     tracker.libs.each do |name, library|
-      if library[:files].include?(path)
+      if library.files.include?(path)
         lib = library
         break
       end
@@ -269,7 +269,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
     #Remove any rendered versions, or partials rendered from it
     tracker.templates.delete_if do |name, template|
-      template[:file] == path or template[:name].to_sym == template_name.to_sym
+      template.file == path or template.name.to_sym == template_name.to_sym
     end
   end
 
@@ -277,7 +277,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
     deleted_lib = nil
 
     tracker.libs.delete_if do |name, lib|
-      if lib[:files].include?(path)
+      if lib.files.include?(path)
         deleted_lib = lib
         true
       end
@@ -297,7 +297,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
     [:controllers, :models, :libs].each do |collection|
       tracker.send(collection).delete_if do |name, data|
-        if data[:files].include?(path)
+        if data.files.include?(path)
           deleted = true
           true
         end
@@ -305,7 +305,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
     end
 
     tracker.templates.delete_if do |name, data|
-      if data[:file] == path
+      if data.file == path
         deleted = true
         true
       end
@@ -331,7 +331,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
       :routes
     when /\/config\/.+\.rb/
       :config
-    when /Gemfile/
+    when /Gemfile|gems\./
       :gemfile
     else
       :unknown
@@ -341,18 +341,16 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def rescan_mixin lib
     method_names = []
 
-    [:public, :private, :protected].each do |access|
-      lib[access].each do |name, meth|
-        method_names << name
-      end
+    lib.each_method do |name, meth|
+      method_names << name
     end
 
     to_rescan = []
 
     #Rescan controllers that mixed in library
     tracker.controllers.each do |name, controller|
-      if controller[:includes].include? lib[:name]
-        controller[:files].each do |path|
+      if controller.includes.include? lib.name
+        controller.files.each do |path|
           unless @paths.include? path
             to_rescan << path
           end
@@ -371,15 +369,15 @@ class Brakeman::Rescanner < Brakeman::Scanner
     #This is not precise, because a different controller might have the
     #same method...
     tracker.templates.each do |name, template|
-      next unless template[:caller]
+      next unless template.render_path
 
-      if template[:caller].include_any_method? method_names
+      if template.render_path.include_any_method? method_names
         name.to_s.match /^([^.]+)/
 
         original = tracker.templates[$1.to_sym]
 
         if original
-          to_rescan << [name, original[:file]]
+          to_rescan << [name, original.file]
         end
       end
     end

data/lib/brakeman/scanner.rb

@@ -107,7 +107,7 @@ class Brakeman::Scanner
     if @app_tree.exists?("vendor/plugins/rails_xss") or
       options[:rails3] or options[:escape_html]
 
-      tracker.config[:escape_html] = true
+      tracker.config.escape_html = true
       Brakeman.notify "[Notice] Escaping HTML by default"
     end
   end
@@ -128,12 +128,21 @@ class Brakeman::Scanner
 
   #Process Gemfile
   def process_gems
+    gem_files = {}
     if @app_tree.exists? "Gemfile"
-      if @app_tree.exists? "Gemfile.lock"
-        @processor.process_gems(parse_ruby(@app_tree.read("Gemfile")), @app_tree.read("Gemfile.lock"))
-      else
-        @processor.process_gems(parse_ruby(@app_tree.read("Gemfile")))
-      end
+      gem_files[:gemfile] = { :src => parse_ruby(@app_tree.read("Gemfile")), :file => "Gemfile" }
+    elsif @app_tree.exists? "gems.rb"
+      gem_files[:gemfile] = { :src => parse_ruby(@app_tree.read("gems.rb")), :file => "gems.rb" }
+    end
+
+    if @app_tree.exists? "Gemfile.lock"
+      gem_files[:gemlock] = { :src => @app_tree.read("Gemfile.lock"), :file => "Gemfile.lock" }
+    elsif @app_tree.exists? "gems.locked"
+      gem_files[:gemlock] = { :src => @app_tree.read("gems.locked"), :file => "gems.locked" }
+    end
+
+    if gem_files[:gemfile] or gem_files[:gemlock]
+      @processor.process_gems gem_files
     end
   rescue => e
     Brakeman.notify "[Notice] Error while processing Gemfile."
@@ -221,8 +230,8 @@ class Brakeman::Scanner
 
     track_progress controllers, "controllers" do |name, controller|
       Brakeman.debug "Processing #{name}"
-      controller[:src].each_value do |src|
-        @processor.process_controller_alias name, src
+      controller.src.each do |file, src|
+        @processor.process_controller_alias name, src, nil, file
       end
     end
 

data/lib/brakeman/tracker.rb

@@ -4,6 +4,7 @@ require 'brakeman/checks'
 require 'brakeman/report'
 require 'brakeman/processors/lib/find_call'
 require 'brakeman/processors/lib/find_all_calls'
+require 'brakeman/tracker/config'
 
 #The Tracker keeps track of all the processed information.
 class Brakeman::Tracker
@@ -25,20 +26,14 @@ class Brakeman::Tracker
     @processor = processor
     @options = options
 
-    @config = { :rails => {}, :gems => {} }
+    @config = Brakeman::Config.new(self)
     @templates = {}
     @controllers = {}
     #Initialize models with the unknown model so
     #we can match models later without knowing precisely what
     #class they are.
-    @models = { UNKNOWN_MODEL => { :name => UNKNOWN_MODEL,
-        :parent => nil,
-        :includes => [],
-        :public => {},
-        :private => {},
-        :protected => {},
-        :options => {},
-        :files => [] } }
+    @models = {}
+    @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, nil, nil, self)
     @routes = {}
     @initializers = {}
     @errors = []
@@ -90,17 +85,15 @@ class Brakeman::Tracker
     end
 
     classes.each do |set|
-      set.each do |set_name, info|
-        [:private, :public, :protected].each do |visibility|
-          info[visibility].each do |method_name, definition|
-            src = definition[:src]
-            if src.node_type == :selfdef
-              method_name = "#{src[1]}.#{method_name}"
-            end
+      set.each do |set_name, collection|
+        collection.each_method do |method_name, definition|
+          src = definition[:src]
+          if src.node_type == :defs
+            method_name = "#{src[1]}.#{method_name}"
+          end
 
-            yield src, set_name, method_name, definition[:file]
+          yield src, set_name, method_name, definition[:file]
 
-          end
         end
       end
     end
@@ -186,7 +179,7 @@ class Brakeman::Tracker
     end
 
     self.each_template do |name, template|
-      finder.process_source template[:src], :template => template, :file => template[:file]
+      finder.process_source template.src, :template => template, :file => template.file
     end
 
     @call_index = Brakeman::CallIndex.new finder.calls
@@ -228,23 +221,20 @@ class Brakeman::Tracker
 
     method_sets.each do |set|
       set.each do |set_name, info|
-        [:private, :public, :protected].each do |visibility|
-          info[visibility].each do |method_name, definition|
-            src = definition[:src]
-            if src.node_type == :selfdef
-              method_name = "#{src[1]}.#{method_name}"
-            end
-
-            finder.process_source src, :class => set_name, :method => method_name, :file => definition[:file]
-
+        info.each_method do |method_name, definition|
+          src = definition[:src]
+          if src.node_type == :defs
+            method_name = "#{src[1]}.#{method_name}"
           end
+
+          finder.process_source src, :class => set_name, :method => method_name, :file => definition[:file]
         end
       end
     end
 
     if locations.include? :templates
       self.each_template do |name, template|
-        finder.process_source template[:src], :template => template, :file => template[:file]
+        finder.process_source template.src, :template => template, :file => template.file
       end
     end
 
@@ -257,7 +247,7 @@ class Brakeman::Tracker
   def reset_templates options = { :only_rendered => false }
     if options[:only_rendered]
       @templates.delete_if do |name, template|
-        template[:caller] and template[:caller].rendered_from_controller?
+        template.rendered_from_controller?
       end
     else
       @templates = {}
@@ -281,7 +271,7 @@ class Brakeman::Tracker
     model_name = nil
 
     @models.each do |name, model|
-      if model[:files].include?(path)
+      if model.files.include?(path)
         model_name = name
         break
       end
@@ -295,7 +285,7 @@ class Brakeman::Tracker
     lib_name = nil
 
     @libs.each do |name, lib|
-      if lib[:files].include?(path)
+      if lib.files.include?(path)
         lib_name = name
         break
       end
@@ -309,12 +299,12 @@ class Brakeman::Tracker
 
     #Remove from controller
     @controllers.each do |name, controller|
-      if controller[:files].include?(path)
+      if controller.files.include?(path)
         controller_name = name
 
         #Remove templates rendered from this controller
         @templates.each do |template_name, template|
-          if template[:caller] and template[:caller].include_controller? name
+          if template.render_path and template.render_path.include_controller? name
             reset_template template_name
             @call_index.remove_template_indexes template_name
           end