brakeman 3.0.5 → 3.1.0

data/lib/brakeman/util.rb

@@ -129,6 +129,10 @@ module Brakeman::Util
     exp.is_a? Sexp and exp.node_type == :str
   end
 
+  def string_interp? exp
+    exp.is_a? Sexp and exp.node_type == :dstr
+  end
+
   #Check if _exp_ represents a Symbol: s(:lit, :...)
   def symbol? exp
     exp.is_a? Sexp and exp.node_type == :lit and exp[1].is_a? Symbol
@@ -267,6 +271,10 @@ module Brakeman::Util
     call
   end
 
+  def rails_version
+    @tracker.config.rails_version
+  end
+
   #Return file name related to given warning. Uses +warning.file+ if it exists
   def file_for warning, tracker = nil
     if tracker.nil?
@@ -275,14 +283,14 @@ module Brakeman::Util
 
     if warning.file
       File.expand_path warning.file, tracker.app_path
-    elsif warning.template.is_a? Hash and warning.template[:file]
-      warning.template[:file]
+    elsif warning.template and warning.template.file
+      warning.template.file
     else
       case warning.warning_set
       when :controller
         file_by_name warning.controller, :controller, tracker
       when :template
-        file_by_name warning.template[:name], :template, tracker
+        file_by_name warning.template.name, :template, tracker
       when :model
         file_by_name warning.model, :model, tracker
       when :warning
@@ -318,20 +326,20 @@ module Brakeman::Util
 
     case type
     when :controller
-      if tracker.controllers[name] and tracker.controllers[name][:files]
-        path = tracker.controllers[name][:files].first
+      if tracker.controllers[name]
+        path = tracker.controllers[name].file
       else
         path += "/app/controllers/#{underscore(string_name)}.rb"
       end
     when :model
-      if tracker.models[name] and tracker.models[name][:files]
-        path = tracker.models[name][:files].first
+      if tracker.models[name]
+        path = tracker.models[name].file
       else
         path += "/app/models/#{underscore(string_name)}.rb"
       end
     when :template
-      if tracker.templates[name] and tracker.templates[name][:file]
-        path = tracker.templates[name][:file]
+      if tracker.templates[name] and tracker.templates[name].file
+        path = tracker.templates[name].file
       elsif string_name.include? " "
         name = string_name.split[0].to_sym
         path = file_for tracker, name, :template

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.0.5"
+  Version = "3.1.0"
 end

data/lib/brakeman/warning.rb

@@ -62,7 +62,7 @@ class Brakeman::Warning
         @warning_set = :model
       elsif self.template
         @warning_set = :template
-        @called_from = self.template[:caller]
+        @called_from = self.template.render_path
       elsif self.controller
         @warning_set = :controller
       else
@@ -89,12 +89,11 @@ class Brakeman::Warning
   end
 
   #Returns name of a view, including where it was rendered from
-  def view_name
-    return @view_name if @view_name
-    if called_from
-      @view_name = "#{template[:name]} (#{called_from.last})"
+  def view_name(include_renderer = true)
+    if called_from and include_renderer
+      @view_name = "#{template.name} (#{called_from.last})"
     else
-      @view_name = template[:name]
+      @view_name = template.name
     end
   end
 
@@ -183,10 +182,10 @@ class Brakeman::Warning
     Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{@relative_path}#{self.confidence}").to_s
   end
 
-  def location
+  def location include_renderer = true
     case @warning_set
     when :template
-      location = { :type => :template, :template => self.view_name }
+      location = { :type => :template, :template => self.view_name(include_renderer) }
     when :model
       location = { :type => :model, :model => self.model }
     when :controller
@@ -210,7 +209,7 @@ class Brakeman::Warning
       :link => self.link,
       :code => (@code && self.format_code(false)),
       :render_path => self.called_from,
-      :location => self.location,
+      :location => self.location(false),
       :user_input => (@user_input && self.format_user_input(false)),
       :confidence => TEXT_CONFIDENCE[self.confidence]
     }

data/lib/ruby_parser/bm_sexp.rb

@@ -357,7 +357,7 @@ class Sexp
   #      s(:lasgn, :y),
   #       s(:block, s(:lvar, :y), s(:call, nil, :z, s(:arglist))))
   def block_call
-    expect :iter, :call_with_block
+    expect :iter
     self[1]
   end
 
@@ -374,10 +374,10 @@ class Sexp
       return find_node :block, delete
     end
 
-    expect :iter, :call_with_block, :scope, :resbody
+    expect :iter, :scope, :resbody
 
     case self.node_type
-    when :iter, :call_with_block
+    when :iter
       self[3]
     when :scope
       self[1]
@@ -394,7 +394,7 @@ class Sexp
   #      s(:lasgn, :y), <- block_args
   #       s(:call, nil, :p, s(:arglist, s(:lvar, :y))))
   def block_args
-    expect :iter, :call_with_block
+    expect :iter
     if self[2] == 0 # ?! See https://github.com/presidentbeef/brakeman/issues/331
       return Sexp.new(:args)
     else
@@ -451,23 +451,23 @@ class Sexp
 
   #Returns name of method being defined in a method definition.
   def method_name
-    expect :defn, :defs, :methdef, :selfdef
+    expect :defn, :defs
 
     case self.node_type
-    when :defn, :methdef
+    when :defn
       self[1]
-    when :defs, :selfdef
+    when :defs
       self[2]
     end
   end
 
   def formal_args
-    expect :defn, :defs, :methdef, :selfdef
+    expect :defn, :defs
 
     case self.node_type
-    when :defn, :methdef
+    when :defn
       self[2]
-    when :defs, :selfdef
+    when :defs
       self[3]
     end
   end
@@ -475,13 +475,13 @@ class Sexp
   #Sets body, which is now a complicated process because the body is no longer
   #a separate Sexp, but just a list of Sexps.
   def body= exp
-    expect :defn, :defs, :methdef, :selfdef, :class, :module
+    expect :defn, :defs, :class, :module
     @my_hash_value = nil
 
     case self.node_type
-    when :defn, :methdef, :class
+    when :defn, :class
       index = 3
-    when :defs, :selfdef
+    when :defs
       index = 4
     when :module
       index = 2
@@ -499,12 +499,12 @@ class Sexp
   #Returns body of a method definition, class, or module.
   #This will be an untyped Sexp containing a list of Sexps from the body.
   def body
-    expect :defn, :defs, :methdef, :selfdef, :class, :module
+    expect :defn, :defs, :class, :module
 
     case self.node_type
-    when :defn, :methdef, :class
+    when :defn, :class
       self[3..-1]
-    when :defs, :selfdef
+    when :defs
       self[4..-1]
     when :module
       self[2..-1]

data/lib/ruby_parser/bm_sexp_processor.rb

@@ -72,14 +72,7 @@ class Brakeman::SexpProcessor
       # now do a pass with the real processor (or generic)
       meth = @processors[type]
       if meth then
-        if $DEBUG
-          result = error_handler(type) do
-            self.send(meth, exp)
-          end
-        else
-          result = self.send(meth, exp)
-        end
-
+        result = self.send(meth, exp)
       else
         result = self.process_default(exp)
       end
@@ -90,36 +83,6 @@ class Brakeman::SexpProcessor
     result
   end
 
-  def error_handler(type, exp=nil) # :nodoc:
-    begin
-      return yield
-    rescue => err
-      warn "#{err.class} Exception thrown while processing #{type} for sexp #{exp.inspect} #{caller.inspect}" if $DEBUG
-      raise
-    end
-  end
-
-  ##
-  # A fairly generic processor for a dummy node. Dummy nodes are used
-  # when your processor is doing a complicated rewrite that replaces
-  # the current sexp with multiple sexps.
-  #
-  # Bogus Example:
-  #
-  #   def process_something(exp)
-  #     return s(:dummy, process(exp), s(:extra, 42))
-  #   end
-
-  def process_dummy(exp)
-    result = @expected.new(:dummy) rescue @expected.new
-
-    until exp.empty? do
-      result << self.process(exp.shift)
-    end
-
-    result
-  end
-
   ##
   # Add a scope level to the current env. Eg:
   #
@@ -150,86 +113,4 @@ class Brakeman::SexpProcessor
 
     self.context.shift
   end
-
-  ##
-  # I really hate this here, but I hate subdirs in my lib dir more...
-  # I guess it is kinda like shaving... I'll split this out when it
-  # itches too much...
-
-  class Environment
-    def initialize
-      @env = []
-      @env.unshift({})
-    end
-
-    def all
-      @env.reverse.inject { |env, scope| env.merge scope }
-    end
-
-    def depth
-      @env.length
-    end
-
-    # TODO: depth_of
-
-    def [] name
-      hash = @env.find { |closure| closure.has_key? name }
-      hash[name] if hash
-    end
-
-    def []= name, val
-      hash = @env.find { |closure| closure.has_key? name } || @env.first
-      hash[name] = val
-    end
-
-    def scope
-      @env.unshift({})
-      begin
-        yield
-      ensure
-        @env.shift
-        raise "You went too far unextending env" if @env.empty?
-      end
-    end
-  end
 end
-
-class Object
-
-  ##
-  # deep_clone is the usual Marshalling hack to make a deep copy.
-  # It is rather slow, so use it sparingly. Helps with debugging
-  # SexpProcessors since you usually shift off sexps.
-
-  def deep_clone
-    Marshal.load(Marshal.dump(self))
-  end
-end
-
-##
-# SexpProcessor base exception class.
-
-class SexpProcessorError < StandardError; end
-
-##
-# Raised by SexpProcessor if it sees a node type listed in its
-# unsupported list.
-
-class UnsupportedNodeError < SexpProcessorError; end
-
-##
-# Raised by SexpProcessor if it is in strict mode and sees a node for
-# which there is no processor available.
-
-class UnknownNodeError < SexpProcessorError; end
-
-##
-# Raised by SexpProcessor if a processor did not process every node in
-# a sexp and @require_empty is true.
-
-class NotEmptyError < SexpProcessorError; end
-
-##
-# Raised if assert_type encounters an unexpected sexp type.
-
-class SexpTypeError < SexpProcessorError; end

metadata

@@ -1,36 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 3.0.5
+  version: 3.1.0
 platform: ruby
 authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain:
-- |
-  -----BEGIN CERTIFICATE-----
-  MIIDijCCAnKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQ8wDQYDVQQDDAZqdXN0
-  aW4xHTAbBgoJkiaJk/IsZAEZFg1wcmVzaWRlbnRiZWVmMRMwEQYKCZImiZPyLGQB
-  GRYDY29tMB4XDTE1MDEwMzAxMjI0NFoXDTE2MDEwMzAxMjI0NFowRTEPMA0GA1UE
-  AwwGanVzdGluMR0wGwYKCZImiZPyLGQBGRYNcHJlc2lkZW50YmVlZjETMBEGCgmS
-  JomT8ixkARkWA2NvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMjt
-  xjn8ArkEqQNrRjEeyZAOyr0O8+WZ54AcObsKg2osrcAW6iFd7tjnTFclQHmZgje+
-  cwxeF/YG4PbA72ElmCvjn8vQJkdgHspKds1otSozvTF2VDnyAEg0nDTMgkQGQy4R
-  HX3NHXMJ8UCAJv2IV/FsItzcPzPmhhf6vu/QaNrmAm3/nF52EsMSEJNC9eTPWudC
-  kPgt19T9LRKMk5YbXDM6jWGRubusE03bTwY3RThqYM5ra1DwI/HpWKsKdmNrBbse
-  f065WyR7RNAxindc2wMyq1EaInmO7Vds+rsOFZ4ZnO90z046ywmTLTadqlfuc9Qo
-  CEw/AhYB6f6DLH8ICkMCAwEAAaOBhDCBgTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE
-  sDAdBgNVHQ4EFgQUmIuIvxLr7ziB52LOpVgd694EfaEwIwYDVR0RBBwwGoEYanVz
-  dGluQHByZXNpZGVudGJlZWYuY29tMCMGA1UdEgQcMBqBGGp1c3RpbkBwcmVzaWRl
-  bnRiZWVmLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAbgSKdn/VSDdl5H2ayE+OM662
-  gTJWP1CWfbcRVJW/UDjDucEF42t6V/dZTDmwyYTR8Qv+5FsQoPHsDsD3Jr1E62dl
-  VYDeUkbmiV5f8fANbvnGUknzrHwp2T0/URxiIY8oFcaCGT+iua9zlNU20+XhB9JN
-  fsOSUNBuuE/MYGA37MR1sP7lFHr5e7I1Qk1x3HvjNB/kSv1+Cj26Lde1ehvMqpmi
-  bxoxp9KNxkO+709YwLO1rYfmcGghg8WV6MYz3PSHdlgWF4KrjRFc/00hXHqVk0Sf
-  mREEv2LPwHH2SgpSSab+iawnX4l6lV8XcIrmp/HSMySsPVFBeOmB0c05LpEN8w==
-  -----END CERTIFICATE-----
-date: 2015-06-20 00:00:00.000000000 Z
+- brakeman-public_cert.pem
+date: 2015-08-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
@@ -64,30 +43,36 @@ dependencies:
   name: ruby2ruby
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 2.1.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 2.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 2.1.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 2.3.0
 - !ruby/object:Gem::Dependency
   name: terminal-table
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: 1.4.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: 1.4.5
 - !ruby/object:Gem::Dependency
   name: fastercsv
   requirement: !ruby/object:Gem::Requirement
@@ -108,14 +93,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.6.20
+        version: '1.6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.6.20
+        version: '1.6'
 - !ruby/object:Gem::Dependency
   name: erubis
   requirement: !ruby/object:Gem::Requirement
@@ -164,6 +149,26 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: slim
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.6
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.6
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: multi_json
   requirement: !ruby/object:Gem::Requirement
@@ -321,6 +326,12 @@ files:
 - lib/brakeman/rescanner.rb
 - lib/brakeman/scanner.rb
 - lib/brakeman/tracker.rb
+- lib/brakeman/tracker/collection.rb
+- lib/brakeman/tracker/config.rb
+- lib/brakeman/tracker/controller.rb
+- lib/brakeman/tracker/library.rb
+- lib/brakeman/tracker/model.rb
+- lib/brakeman/tracker/template.rb
 - lib/brakeman/util.rb
 - lib/brakeman/version.rb
 - lib/brakeman/warning.rb
@@ -347,7 +358,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.4.8
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.