brakeman 3.0.5 → 3.1.0
- checksums.yaml +4 -4
- data/CHANGES +19 -0
- data/README.md +3 -13
- data/lib/brakeman.rb +3 -0
- data/lib/brakeman/checks/base_check.rb +19 -47
- data/lib/brakeman/checks/check_basic_auth.rb +3 -3
- data/lib/brakeman/checks/check_cross_site_scripting.rb +26 -12
- data/lib/brakeman/checks/check_default_routes.rb +1 -1
- data/lib/brakeman/checks/check_detailed_exceptions.rb +2 -2
- data/lib/brakeman/checks/check_evaluation.rb +3 -0
- data/lib/brakeman/checks/check_execute.rb +3 -3
- data/lib/brakeman/checks/check_file_disclosure.rb +2 -2
- data/lib/brakeman/checks/check_forgery_setting.rb +9 -12
- data/lib/brakeman/checks/check_header_dos.rb +1 -1
- data/lib/brakeman/checks/check_i18n_xss.rb +2 -2
- data/lib/brakeman/checks/check_jruby_xml.rb +1 -1
- data/lib/brakeman/checks/check_json_encoding.rb +1 -1
- data/lib/brakeman/checks/check_json_parsing.rb +3 -3
- data/lib/brakeman/checks/check_link_to.rb +1 -1
- data/lib/brakeman/checks/check_link_to_href.rb +9 -2
- data/lib/brakeman/checks/check_mass_assignment.rb +5 -2
- data/lib/brakeman/checks/check_model_attr_accessible.rb +4 -4
- data/lib/brakeman/checks/check_model_attributes.rb +7 -7
- data/lib/brakeman/checks/check_model_serialize.rb +6 -6
- data/lib/brakeman/checks/check_nested_attributes.rb +2 -2
- data/lib/brakeman/checks/check_number_to_currency.rb +2 -2
- data/lib/brakeman/checks/check_quote_table_name.rb +1 -1
- data/lib/brakeman/checks/check_redirect.rb +2 -10
- data/lib/brakeman/checks/check_render.rb +1 -1
- data/lib/brakeman/checks/check_render_dos.rb +1 -1
- data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +1 -1
- data/lib/brakeman/checks/check_sanitize_methods.rb +1 -1
- data/lib/brakeman/checks/check_select_tag.rb +1 -1
- data/lib/brakeman/checks/check_select_vulnerability.rb +2 -2
- data/lib/brakeman/checks/check_session_settings.rb +1 -2
- data/lib/brakeman/checks/check_simple_format.rb +2 -2
- data/lib/brakeman/checks/check_single_quotes.rb +3 -3
- data/lib/brakeman/checks/check_skip_before_filter.rb +5 -7
- data/lib/brakeman/checks/check_sql.rb +10 -14
- data/lib/brakeman/checks/check_sql_cves.rb +4 -4
- data/lib/brakeman/checks/check_ssl_verify.rb +27 -9
- data/lib/brakeman/checks/check_strip_tags.rb +5 -5
- data/lib/brakeman/checks/check_symbol_dos_cve.rb +1 -1
- data/lib/brakeman/checks/check_translate_bug.rb +3 -4
- data/lib/brakeman/checks/check_unscoped_find.rb +1 -1
- data/lib/brakeman/checks/check_validation_regex.rb +2 -2
- data/lib/brakeman/checks/check_xml_dos.rb +1 -1
- data/lib/brakeman/checks/check_yaml_parsing.rb +1 -1
- data/lib/brakeman/file_parser.rb +1 -0
- data/lib/brakeman/parsers/template_parser.rb +6 -5
- data/lib/brakeman/processor.rb +7 -7
- data/lib/brakeman/processors/alias_processor.rb +30 -12
- data/lib/brakeman/processors/base_processor.rb +4 -8
- data/lib/brakeman/processors/controller_alias_processor.rb +33 -132
- data/lib/brakeman/processors/controller_processor.rb +29 -53
- data/lib/brakeman/processors/erb_template_processor.rb +4 -6
- data/lib/brakeman/processors/erubis_template_processor.rb +8 -11
- data/lib/brakeman/processors/gem_processor.rb +19 -35
- data/lib/brakeman/processors/haml_template_processor.rb +10 -12
- data/lib/brakeman/processors/lib/find_all_calls.rb +3 -5
- data/lib/brakeman/processors/lib/find_call.rb +2 -2
- data/lib/brakeman/processors/lib/find_return_value.rb +1 -1
- data/lib/brakeman/processors/lib/rails2_config_processor.rb +7 -8
- data/lib/brakeman/processors/lib/rails3_config_processor.rb +6 -7
- data/lib/brakeman/processors/lib/render_helper.rb +15 -14
- data/lib/brakeman/processors/lib/render_path.rb +11 -5
- data/lib/brakeman/processors/library_processor.rb +13 -35
- data/lib/brakeman/processors/model_processor.rb +22 -64
- data/lib/brakeman/processors/output_processor.rb +1 -37
- data/lib/brakeman/processors/slim_template_processor.rb +6 -8
- data/lib/brakeman/processors/template_alias_processor.rb +9 -9
- data/lib/brakeman/processors/template_processor.rb +5 -9
- data/lib/brakeman/report/report_base.rb +7 -7
- data/lib/brakeman/report/report_html.rb +5 -7
- data/lib/brakeman/report/report_markdown.rb +4 -6
- data/lib/brakeman/report/report_table.rb +4 -6
- data/lib/brakeman/rescanner.rb +29 -31
- data/lib/brakeman/scanner.rb +17 -8
- data/lib/brakeman/tracker.rb +24 -34
- data/lib/brakeman/tracker/collection.rb +77 -0
- data/lib/brakeman/tracker/config.rb +93 -0
- data/lib/brakeman/tracker/controller.rb +161 -0
- data/lib/brakeman/tracker/library.rb +17 -0
- data/lib/brakeman/tracker/model.rb +90 -0
- data/lib/brakeman/tracker/template.rb +33 -0
- data/lib/brakeman/util.rb +17 -9
- data/lib/brakeman/version.rb +1 -1
- data/lib/brakeman/warning.rb +8 -9
- data/lib/ruby_parser/bm_sexp.rb +16 -16
- data/lib/ruby_parser/bm_sexp_processor.rb +1 -120
- metadata +42 -31
- checksums.yaml.gz.sig +0 -1
- data.tar.gz.sig +0 -0
- metadata.gz.sig +0 -0
@@ -1,4 +1,5 @@
|
|
1
1
|
require 'brakeman/processors/base_processor'
|
2
|
+
require 'brakeman/tracker/template'
|
2
3
|
|
3
4
|
#Base Processor for templates/views
|
4
5
|
class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
|
@@ -6,13 +7,8 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
|
|
6
7
|
#Initializes template information.
|
7
8
|
def initialize tracker, template_name, called_from = nil, file_name = nil
|
8
9
|
super(tracker)
|
9
|
-
@current_template =
|
10
|
-
|
11
|
-
:partial => template_name.to_s[0,1] == "_",
|
12
|
-
:outputs => [],
|
13
|
-
:src => nil, #set in Processor
|
14
|
-
:type => nil, #set in Processor
|
15
|
-
:file => file_name }
|
10
|
+
@current_template = Brakeman::Template.new template_name, called_from, file_name, tracker
|
11
|
+
|
16
12
|
if called_from
|
17
13
|
template_name = (template_name.to_s + "." + called_from.to_s).to_sym
|
18
14
|
end
|
@@ -27,7 +23,7 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
|
|
27
23
|
begin
|
28
24
|
super
|
29
25
|
rescue => e
|
30
|
-
except = e.exception("Error when processing #{@current_template
|
26
|
+
except = e.exception("Error when processing #{@current_template.name}: #{e.message}")
|
31
27
|
except.set_backtrace(e.backtrace)
|
32
28
|
raise except
|
33
29
|
end
|
@@ -48,7 +44,7 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
|
|
48
44
|
#Adds output to the list of outputs.
|
49
45
|
def process_output exp
|
50
46
|
exp.value = process exp.value
|
51
|
-
@current_template
|
47
|
+
@current_template.add_output exp unless exp.original_line
|
52
48
|
exp
|
53
49
|
end
|
54
50
|
|
@@ -40,7 +40,7 @@ class Brakeman::Report::Base
|
|
40
40
|
c = tracker.controllers[name]
|
41
41
|
|
42
42
|
if tracker.routes.include? :allow_all_actions or (tracker.routes[name] and tracker.routes[name].include? :allow_all_actions)
|
43
|
-
routes = c
|
43
|
+
routes = c.methods_public.keys.map{|e| e.to_s}.sort.join(", ")
|
44
44
|
elsif tracker.routes[name].nil?
|
45
45
|
#No routes defined for this controller.
|
46
46
|
#This can happen when it is only a parent class
|
@@ -48,7 +48,7 @@ class Brakeman::Report::Base
|
|
48
48
|
routes = "[None]"
|
49
49
|
|
50
50
|
else
|
51
|
-
routes = (Set.new(c
|
51
|
+
routes = (Set.new(c.methods_public.keys) & tracker.routes[name.to_sym]).
|
52
52
|
to_a.
|
53
53
|
map {|e| e.to_s}.
|
54
54
|
sort.
|
@@ -60,8 +60,8 @@ class Brakeman::Report::Base
|
|
60
60
|
end
|
61
61
|
|
62
62
|
controller_rows << { "Name" => name.to_s,
|
63
|
-
"Parent" => c
|
64
|
-
"Includes" => c
|
63
|
+
"Parent" => c.parent.to_s,
|
64
|
+
"Includes" => c.includes.join(", "),
|
65
65
|
"Routes" => routes
|
66
66
|
}
|
67
67
|
end
|
@@ -248,7 +248,7 @@ class Brakeman::Report::Base
|
|
248
248
|
end
|
249
249
|
|
250
250
|
def number_of_templates tracker
|
251
|
-
Set.new(tracker.templates.map {|k,v| v
|
251
|
+
Set.new(tracker.templates.map {|k,v| v.name.to_s[/[^.]+/]}).length
|
252
252
|
end
|
253
253
|
|
254
254
|
def warning_file warning, absolute = @tracker.options[:absolute_paths]
|
@@ -263,8 +263,8 @@ class Brakeman::Report::Base
|
|
263
263
|
|
264
264
|
def rails_version
|
265
265
|
case
|
266
|
-
when tracker.config
|
267
|
-
tracker.config
|
266
|
+
when tracker.config.rails_version
|
267
|
+
tracker.config.rails_version
|
268
268
|
when tracker.options[:rails4]
|
269
269
|
"4.x"
|
270
270
|
when tracker.options[:rails3]
|
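Review bot: `routes = c.methods_public.keys.map{|e| e.to_s}.sort.join(", ")` (hunk @@ -40, new line 43) reads more cleanly as `c.methods_public.keys.map(&:to_s).sort.join(", ")`, which also matches the spacing of the chained `map {|e| e.to_s}.` form kept on line 53. In `number_of_templates` (hunk @@ -248) the block parameter `k` is never used; `Set.new(tracker.templates.each_value.map { |v| v.name.to_s[/[^.]+/] }).length` expresses the same count without it. Both are style points only; the enclosing methods of the first two hunks start outside the hunks.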
@@ -47,12 +47,10 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
|
|
47
47
|
out_processor = Brakeman::OutputProcessor.new
|
48
48
|
template_rows = {}
|
49
49
|
tracker.templates.each do |name, template|
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
|
55
|
-
end
|
50
|
+
template.each_output do |out|
|
51
|
+
out = CGI.escapeHTML(out_processor.format(out))
|
52
|
+
template_rows[name] ||= []
|
53
|
+
template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
|
56
54
|
end
|
57
55
|
end
|
58
56
|
|
@@ -83,7 +81,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
|
|
83
81
|
warning["Message"] = with_context original, warning["Message"]
|
84
82
|
warning["Warning Type"] = with_link original, warning["Warning Type"]
|
85
83
|
warning["Called From"] = original.called_from
|
86
|
-
warning["Template Name"] = original.template
|
84
|
+
warning["Template Name"] = original.template.name
|
87
85
|
warning
|
88
86
|
end
|
89
87
|
|
@@ -99,12 +99,10 @@ class Brakeman::Report::Markdown < Brakeman::Report::Base
|
|
99
99
|
out_processor = Brakeman::OutputProcessor.new
|
100
100
|
template_rows = {}
|
101
101
|
tracker.templates.each do |name, template|
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
|
107
|
-
end
|
102
|
+
template.each_output do |out|
|
103
|
+
out = out_processor.format out
|
104
|
+
template_rows[name] ||= []
|
105
|
+
template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
|
108
106
|
end
|
109
107
|
end
|
110
108
|
|
@@ -57,12 +57,10 @@ class Brakeman::Report::Table < Brakeman::Report::Base
|
|
57
57
|
out_processor = Brakeman::OutputProcessor.new
|
58
58
|
template_rows = {}
|
59
59
|
tracker.templates.each do |name, template|
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
|
65
|
-
end
|
60
|
+
template.each_output do |out|
|
61
|
+
out = out_processor.format out
|
62
|
+
template_rows[name] ||= []
|
63
|
+
template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
|
66
64
|
end
|
67
65
|
end
|
68
66
|
|
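--- a/data/lib/brakeman/rescanner.rb
+++ b/data/lib/brakeman/rescanner.rb
@@ -88,8 +88,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
 when :routes
 rescan_routes
 when :gemfile
-if tracker.config
-tracker.config
+if tracker.config.has_gem? :rails_xss and tracker.config.escape_html?
+tracker.config.escape_html = false
 end
 
 process_gems
@@ -102,7 +102,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
 def rescan_controller path
 controller = tracker.reset_controller path
-paths = controller.nil? ? [path] : controller
+paths = controller.nil? ? [path] : controller.files
 parse_ruby_files(paths).each do |astfile|
 process_controller astfile
 end
@@ -110,16 +110,16 @@ class Brakeman::Rescanner < Brakeman::Scanner
 #Process data flow and template rendering
 #from the controller
 tracker.controllers.each do |name, controller|
-if controller
+if controller.files.include?(path)
 tracker.templates.each do |template_name, template|
-next unless template
-if template
+next unless template.render_path
+if template.render_path.include_controller? name
 tracker.reset_template template_name
 end
 end
 
-controller
-@processor.process_controller_alias controller
+controller.src.each do |file, src|
+@processor.process_controller_alias controller.name, src, nil, file
 end
 end
 end
@@ -145,10 +145,10 @@ class Brakeman::Rescanner < Brakeman::Scanner
 #Search for processed template and process it.
 #Search for rendered versions of template and re-render (if necessary)
 tracker.templates.each do |name, template|
-if template
-next unless template
+if template.file == path or template.file.nil?
+next unless template.render_path and template.name.to_sym == template_name.to_sym
 
-template
+template.render_path.each do |from|
 case from[:type]
 when :template
 rescan << [:template, from[:name]]
@@ -163,15 +163,15 @@ class Brakeman::Rescanner < Brakeman::Scanner
 if r[0] == :controller
 controller = tracker.controllers[r[1]]
 
-controller
+controller.src.each do |file, src|
 unless @paths.include? file
-@processor.process_controller_alias controller
+@processor.process_controller_alias controller.name, src, r[2], file
 end
 end
 elsif r[0] == :template
 template = tracker.templates[r[1]]
 
-rescan_template template
+rescan_template template.file
 end
 end
 
@@ -181,7 +181,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 def rescan_model path
 num_models = tracker.models.length
 model = tracker.reset_model path
-paths = model.nil? ? [path] : model
+paths = model.nil? ? [path] : model.files
 parse_ruby_files(paths).each do |astfile|
 process_model astfile.path, astfile.ast
 end
@@ -198,7 +198,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
 def rescan_lib path
 lib = tracker.reset_lib path
-paths = lib.nil? ? [path] : lib
+paths = lib.nil? ? [path] : lib.files
 parse_ruby_files(paths).each do |astfile|
 process_lib astfile
 end
@@ -206,7 +206,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 lib = nil
 
 tracker.libs.each do |name, library|
-if library
+if library.files.include?(path)
 lib = library
 break
 end
@@ -269,7 +269,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
 #Remove any rendered versions, or partials rendered from it
 tracker.templates.delete_if do |name, template|
-template
+template.file == path or template.name.to_sym == template_name.to_sym
 end
 end
 
@@ -277,7 +277,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 deleted_lib = nil
 
 tracker.libs.delete_if do |name, lib|
-if lib
+if lib.files.include?(path)
 deleted_lib = lib
 true
 end
@@ -297,7 +297,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
 [:controllers, :models, :libs].each do |collection|
 tracker.send(collection).delete_if do |name, data|
-if data
+if data.files.include?(path)
 deleted = true
 true
 end
@@ -305,7 +305,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 end
 
 tracker.templates.delete_if do |name, data|
-if data
+if data.file == path
 deleted = true
 true
 end
@@ -331,7 +331,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 :routes
 when /\/config\/.+\.rb/
 :config
-when /Gemfile
+when /Gemfile|gems\./
 :gemfile
 else
 :unknown
@@ -341,18 +341,16 @@ class Brakeman::Rescanner < Brakeman::Scanner
 def rescan_mixin lib
 method_names = []
 
-
-
-method_names << name
-end
+lib.each_method do |name, meth|
+method_names << name
 end
 
 to_rescan = []
 
 #Rescan controllers that mixed in library
 tracker.controllers.each do |name, controller|
-if controller
-controller
+if controller.includes.include? lib.name
+controller.files.each do |path|
 unless @paths.include? path
 to_rescan << path
 end
@@ -371,15 +369,15 @@ class Brakeman::Rescanner < Brakeman::Scanner
 #This is not precise, because a different controller might have the
 #same method...
 tracker.templates.each do |name, template|
-next unless template
+next unless template.render_path
 
-if template
+if template.render_path.include_any_method? method_names
 name.to_s.match /^([^.]+)/
 
 original = tracker.templates[$1.to_sym]
 
 if original
-to_rescan << [name, original
+to_rescan << [name, original.file]
 end
 end
 end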
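--- a/data/lib/brakeman/scanner.rb
+++ b/data/lib/brakeman/scanner.rb
@@ -107,7 +107,7 @@ class Brakeman::Scanner
 if @app_tree.exists?("vendor/plugins/rails_xss") or
 options[:rails3] or options[:escape_html]
 
-tracker.config
+tracker.config.escape_html = true
 Brakeman.notify "[Notice] Escaping HTML by default"
 end
 end
@@ -128,12 +128,21 @@ class Brakeman::Scanner
 
 #Process Gemfile
 def process_gems
+gem_files = {}
 if @app_tree.exists? "Gemfile"
-
-
-
-
-
+gem_files[:gemfile] = { :src => parse_ruby(@app_tree.read("Gemfile")), :file => "Gemfile" }
+elsif @app_tree.exists? "gems.rb"
+gem_files[:gemfile] = { :src => parse_ruby(@app_tree.read("gems.rb")), :file => "gems.rb" }
+end
+
+if @app_tree.exists? "Gemfile.lock"
+gem_files[:gemlock] = { :src => @app_tree.read("Gemfile.lock"), :file => "Gemfile.lock" }
+elsif @app_tree.exists? "gems.locked"
+gem_files[:gemlock] = { :src => @app_tree.read("gems.locked"), :file => "gems.locked" }
+end
+
+if gem_files[:gemfile] or gem_files[:gemlock]
+@processor.process_gems gem_files
 end
 rescue => e
 Brakeman.notify "[Notice] Error while processing Gemfile."
@@ -221,8 +230,8 @@ class Brakeman::Scanner
 
 track_progress controllers, "controllers" do |name, controller|
 Brakeman.debug "Processing #{name}"
-controller
-@processor.process_controller_alias name, src
+controller.src.each do |file, src|
+@processor.process_controller_alias name, src, nil, file
 end
 end
 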
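Review bot: The bare `nil` in `@processor.process_controller_alias name, src, nil, file` (hunk @@ -221, and the same call shape in rescanner.rb) gives a reader no way to tell what that slot means or why it is empty here; the rescanner passes `r[2]` in the same position, so the meaning is inferred rather than visible — a one-line comment naming the argument, or a keyword parameter on `process_controller_alias`, would make the call self-describing. In `process_gems` (hunk @@ -128) the `if`/`elsif` chains silently prefer `Gemfile` and `Gemfile.lock` when both naming forms are present, and nothing guards against pairing `Gemfile` with `gems.locked`; a comment such as `# Gemfile/Gemfile.lock take precedence over gems.rb/gems.locked when both exist` records the intent, and `unless gem_files.empty?` states the final guard more directly than `if gem_files[:gemfile] or gem_files[:gemlock]`. Note that the method-level `rescue => e` on the context lines now also covers the raw lockfile reads, which the notice text "Error while processing Gemfile." does not mention.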
data/lib/brakeman/tracker.rb
CHANGED
@@ -4,6 +4,7 @@ require 'brakeman/checks'
|
|
4
4
|
require 'brakeman/report'
|
5
5
|
require 'brakeman/processors/lib/find_call'
|
6
6
|
require 'brakeman/processors/lib/find_all_calls'
|
7
|
+
require 'brakeman/tracker/config'
|
7
8
|
|
8
9
|
#The Tracker keeps track of all the processed information.
|
9
10
|
class Brakeman::Tracker
|
@@ -25,20 +26,14 @@ class Brakeman::Tracker
|
|
25
26
|
@processor = processor
|
26
27
|
@options = options
|
27
28
|
|
28
|
-
@config =
|
29
|
+
@config = Brakeman::Config.new(self)
|
29
30
|
@templates = {}
|
30
31
|
@controllers = {}
|
31
32
|
#Initialize models with the unknown model so
|
32
33
|
#we can match models later without knowing precisely what
|
33
34
|
#class they are.
|
34
|
-
@models = {
|
35
|
-
|
36
|
-
:includes => [],
|
37
|
-
:public => {},
|
38
|
-
:private => {},
|
39
|
-
:protected => {},
|
40
|
-
:options => {},
|
41
|
-
:files => [] } }
|
35
|
+
@models = {}
|
36
|
+
@models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, nil, nil, self)
|
42
37
|
@routes = {}
|
43
38
|
@initializers = {}
|
44
39
|
@errors = []
|
@@ -90,17 +85,15 @@ class Brakeman::Tracker
|
|
90
85
|
end
|
91
86
|
|
92
87
|
classes.each do |set|
|
93
|
-
set.each do |set_name,
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
end
|
88
|
+
set.each do |set_name, collection|
|
89
|
+
collection.each_method do |method_name, definition|
|
90
|
+
src = definition[:src]
|
91
|
+
if src.node_type == :defs
|
92
|
+
method_name = "#{src[1]}.#{method_name}"
|
93
|
+
end
|
100
94
|
|
101
|
-
|
95
|
+
yield src, set_name, method_name, definition[:file]
|
102
96
|
|
103
|
-
end
|
104
97
|
end
|
105
98
|
end
|
106
99
|
end
|
@@ -186,7 +179,7 @@ class Brakeman::Tracker
|
|
186
179
|
end
|
187
180
|
|
188
181
|
self.each_template do |name, template|
|
189
|
-
finder.process_source template
|
182
|
+
finder.process_source template.src, :template => template, :file => template.file
|
190
183
|
end
|
191
184
|
|
192
185
|
@call_index = Brakeman::CallIndex.new finder.calls
|
@@ -228,23 +221,20 @@ class Brakeman::Tracker
|
|
228
221
|
|
229
222
|
method_sets.each do |set|
|
230
223
|
set.each do |set_name, info|
|
231
|
-
|
232
|
-
|
233
|
-
|
234
|
-
|
235
|
-
method_name = "#{src[1]}.#{method_name}"
|
236
|
-
end
|
237
|
-
|
238
|
-
finder.process_source src, :class => set_name, :method => method_name, :file => definition[:file]
|
239
|
-
|
224
|
+
info.each_method do |method_name, definition|
|
225
|
+
src = definition[:src]
|
226
|
+
if src.node_type == :defs
|
227
|
+
method_name = "#{src[1]}.#{method_name}"
|
240
228
|
end
|
229
|
+
|
230
|
+
finder.process_source src, :class => set_name, :method => method_name, :file => definition[:file]
|
241
231
|
end
|
242
232
|
end
|
243
233
|
end
|
244
234
|
|
245
235
|
if locations.include? :templates
|
246
236
|
self.each_template do |name, template|
|
247
|
-
finder.process_source template
|
237
|
+
finder.process_source template.src, :template => template, :file => template.file
|
248
238
|
end
|
249
239
|
end
|
250
240
|
|
@@ -257,7 +247,7 @@ class Brakeman::Tracker
|
|
257
247
|
def reset_templates options = { :only_rendered => false }
|
258
248
|
if options[:only_rendered]
|
259
249
|
@templates.delete_if do |name, template|
|
260
|
-
template
|
250
|
+
template.rendered_from_controller?
|
261
251
|
end
|
262
252
|
else
|
263
253
|
@templates = {}
|
@@ -281,7 +271,7 @@ class Brakeman::Tracker
|
|
281
271
|
model_name = nil
|
282
272
|
|
283
273
|
@models.each do |name, model|
|
284
|
-
if model
|
274
|
+
if model.files.include?(path)
|
285
275
|
model_name = name
|
286
276
|
break
|
287
277
|
end
|
@@ -295,7 +285,7 @@ class Brakeman::Tracker
|
|
295
285
|
lib_name = nil
|
296
286
|
|
297
287
|
@libs.each do |name, lib|
|
298
|
-
if lib
|
288
|
+
if lib.files.include?(path)
|
299
289
|
lib_name = name
|
300
290
|
break
|
301
291
|
end
|
@@ -309,12 +299,12 @@ class Brakeman::Tracker
|
|
309
299
|
|
310
300
|
#Remove from controller
|
311
301
|
@controllers.each do |name, controller|
|
312
|
-
if controller
|
302
|
+
if controller.files.include?(path)
|
313
303
|
controller_name = name
|
314
304
|
|
315
305
|
#Remove templates rendered from this controller
|
316
306
|
@templates.each do |template_name, template|
|
317
|
-
if template
|
307
|
+
if template.render_path and template.render_path.include_controller? name
|
318
308
|
reset_template template_name
|
319
309
|
@call_index.remove_template_indexes template_name
|
320
310
|
end
|