brakeman 3.1.1 → 3.1.2

data/lib/brakeman/report/templates/overview.html.erb

@@ -1,34 +1,38 @@
 <h2 id='summary'>Summary</h2>
 <table>
-  <tr>
-    <th>Scanned/Reported</th>
-    <th>Total</th>
-  </tr>
-  <tr>
-    <td>Controllers</td>
-    <td><%= tracker.controllers.length %></td>
-  </tr>
-  <tr>
-    <td>Models</td>
-    <td><%= tracker.models.length - 1 %></td>
-  </tr>
-  <tr>
-    <td>Templates</td>
-    <td><%= number_of_templates %></td>
-  </tr>
-  <tr>
-    <td>Errors</td>
-    <td><%= tracker.errors.length %></td>
-  </tr>
-  <tr>
-    <td>Security Warnings</td>
-    <td><%= warnings %> <span class='high-confidence'>(<%= warnings_summary[:high_confidence] %>)</span></td>
-  </tr>
+  <thead>
+    <tr>
+      <th>Scanned/Reported</th>
+      <th>Total</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>Controllers</td>
+      <td><%= tracker.controllers.length %></td>
+    </tr>
+    <tr>
+      <td>Models</td>
+      <td><%= tracker.models.length - 1 %></td>
+    </tr>
+    <tr>
+      <td>Templates</td>
+      <td><%= number_of_templates %></td>
+    </tr>
+    <tr>
+      <td>Errors</td>
+      <td><%= tracker.errors.length %></td>
+    </tr>
+    <tr>
+      <td>Security Warnings</td>
+      <td><%= warnings %> <span class='high-confidence'>(<%= warnings_summary[:high_confidence] %>)</span></td>
+    </tr>
   <% if warnings_summary['Ignored Warnings'] %>
-  <tr>
-    <td>Ignored Warnings</td>
-    <td><%= ignored_warnings %></td>
-  </tr>
+    <tr>
+      <td>Ignored Warnings</td>
+      <td><%= ignored_warnings %></td>
+    </tr>
   <% end %>
+  </tbody>
 </table>
 <br>

data/lib/brakeman/report/templates/security_warnings.html.erb

@@ -1,19 +1,23 @@
 <h2>Security Warnings</h2>  
 <table>
-  <tr>
-    <th>Confidence</th>
-    <th>Class</th>
-    <th>Method</th>
-    <th>Warning Type</th>
-    <th>Message</th>
-  </tr>
+  <thead>
+    <tr>
+      <th>Confidence</th>
+      <th>Class</th>
+      <th>Method</th>
+      <th>Warning Type</th>
+      <th>Message</th>
+    </tr>
+  </thead>
+  <tbody>
   <% warnings.each do |warning| %>
-  <tr>
-    <td><%= warning['Confidence']%></td>
-    <td><%= warning['Class']%></td>
-    <td><%= warning['Method']%></td>
-    <td><%= warning['Warning Type']%></td>
-    <td><%= warning['Message']%></td>
-  </tr>
+    <tr>
+      <td><%= warning['Confidence']%></td>
+      <td><%= warning['Class']%></td>
+      <td><%= warning['Method']%></td>
+      <td><%= warning['Warning Type']%></td>
+      <td><%= warning['Message']%></td>
+    </tr>
   <% end %>
+  </tbody>
 </table>

data/lib/brakeman/report/templates/template_overview.html.erb

@@ -4,14 +4,18 @@
 
 <p><%= template[0] %></p>
 <table>
-  <tr>
-    <th>Output</th>
-  </tr>
+  <thead>
+    <tr>
+      <th>Output</th>
+    </tr>
+  </thead>
+  <tbody>
   <% template[1].each do |call| %>
-  <tr>
-    <td><%= call %></td>
-  </tr>
+    <tr>
+      <td><%= call %></td>
+    </tr>
   <% end %>
+  </tbody>
 </table>
 
 <% end %>

data/lib/brakeman/report/templates/view_warnings.html.erb

@@ -1,30 +1,34 @@
 <p>View Warnings</p>
 <table>
-  <tr>
-    <th>Confidence</th>
-    <th>Template</th>
-    <th>Warning Type</th>
-    <th>Message</th>
-  </tr>
-<% warnings.each_with_index do |warning, i| %>
-  <tr>
-    <td><%= warning['Confidence']%></td>
-    <td>
-      <% if warning['Called From'] and warning['Called From'].length > 1 %>
-        <div class="template_name" onClick="toggle('callers<%= i %>')" >
-          <div>
-            <%= warning['Template'] %>
+  <thead>
+    <tr>
+      <th>Confidence</th>
+      <th>Template</th>
+      <th>Warning Type</th>
+      <th>Message</th>
+    </tr>
+  </thead>
+  <tbody>
+  <% warnings.each_with_index do |warning, i| %>
+    <tr>
+      <td><%= warning['Confidence']%></td>
+      <td>
+        <% if warning['Called From'] and warning['Called From'].length > 1 %>
+          <div class="template_name" onClick="toggle('callers<%= i %>')" >
+            <div>
+              <%= warning['Template'] %>
+            </div>
+            <div class="render_path" id="callers<%= i %>" >
+              <%= warning['Called From'].join(' &rarr; ') %> &rarr; <%= warning['Template Name'] %>
+            </div>
           </div>
-          <div class="render_path" id="callers<%= i %>" >
-            <%= warning['Called From'].join(' &rarr; ') %> &rarr; <%= warning['Template Name'] %>
-          </div>
-        </div>
-      <% else %>
-        <%= warning['Template']%>
-      <% end %>
-    </td>
-    <td><%= warning['Warning Type']%></td>
-    <td><%= warning['Message']%></td>
-  </tr>
-<% end %>
+        <% else %>
+          <%= warning['Template']%>
+        <% end %>
+      </td>
+      <td><%= warning['Warning Type']%></td>
+      <td><%= warning['Message']%></td>
+    </tr>
+  <% end %>
+  </tbody>
 </table>

data/lib/brakeman/report/templates/warning_overview.html.erb

@@ -1,13 +1,17 @@
 <table>
-  <tr>
-    <th>Warning Type</th>
-    <th>Total</th>
-  </tr>
+  <thead>
+    <tr>
+      <th>Warning Type</th>
+      <th>Total</th>
+    </tr>
+  </thead>
+  <tbody>
   <% types.sort.each do |warning_type| %>
-  <tr>
-    <td><%= warning_type %></td>
-    <td><%= warnings_summary[warning_type] %></td>
-  </tr>
+    <tr>
+      <td><%= warning_type %></td>
+      <td><%= warnings_summary[warning_type] %></td>
+    </tr>
   <% end %>
+  </tbody>
 </table>
 <br>

data/lib/brakeman/tracker/collection.rb

@@ -70,6 +70,18 @@ module Brakeman
       @files.first
     end
 
+    def top_line
+      if sexp? @src[file]
+        @src[file].line
+      else
+        @src.each_value do |source|
+          if sexp? source
+            return source.line
+          end
+        end
+      end
+    end
+
     def methods_public
       @methods[:public]
     end

data/lib/brakeman/tracker/controller.rb

@@ -124,9 +124,9 @@ module Brakeman
         end
       end
 
-      filter[:methods] = [args[0][1]]
+      filter[:methods] = []
 
-      args[1..-1].each do |a|
+      args.each do |a|
         filter[:methods] << a[1] if a.node_type == :lit
       end
 

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.1.1"
+  Version = "3.1.2"
 end

data/lib/brakeman/warning.rb

@@ -5,21 +5,39 @@ require 'brakeman/warning_codes'
 #The Warning class stores information about warnings
 class Brakeman::Warning
   attr_reader :called_from, :check, :class, :confidence, :controller,
-    :line, :method, :model, :template, :user_input, :warning_code, :warning_set,
-    :warning_type
+    :line, :method, :model, :template, :user_input, :user_input_type,
+    :warning_code, :warning_set, :warning_type
 
   attr_accessor :code, :context, :file, :message, :relative_path
 
   TEXT_CONFIDENCE = [ "High", "Medium", "Weak" ]
 
+  OPTIONS = {:called_from => :@called_from,
+              :check => :@check,
+              :class => :@class,
+              :code => :@code,
+              :confidence => :@confidence,
+              :controller => :@controller,
+              :file => :@file,
+              :gem_info => :@gem_info,
+              :line => :@line,
+              :link_path => :@link_path,
+              :message => :@message,
+              :method => :@method,
+              :model => :@model,
+              :relative_path => :@relative_path,
+              :template => :@template,
+              :user_input => :@user_input,
+              :warning_set => :@warning_set,
+              :warning_type => :@warning_type
+            }
+
   #+options[:result]+ can be a result from Tracker#find_call. Otherwise, it can be +nil+.
   def initialize options = {}
     @view_name = nil
 
-    [:called_from, :check, :class, :code, :confidence, :controller, :file, :gem_info, :line, :link_path,
-      :message, :method, :model, :relative_path, :template, :user_input, :warning_set, :warning_type].each do |option|
-
-      self.instance_variable_set("@#{option}", options[option])
+    OPTIONS.each do |key, var|
+      self.instance_variable_set(var, options[key])
     end
 
     result = options[:result]
@@ -39,6 +57,11 @@ class Brakeman::Warning
       @method = :before_filter
     end
 
+    if @user_input.is_a? Brakeman::BaseCheck::Match
+      @user_input_type = @user_input.type
+      @user_input = @user_input.match
+    end
+
     if not @line
       if @user_input and @user_input.respond_to? :line
         @line = @user_input.line

data/lib/ruby_parser/bm_sexp.rb

@@ -554,6 +554,24 @@ class Sexp
 
     self[2]
   end
+
+  require 'set'
+  def inspect seen = Set.new
+    if seen.include? self.object_id
+      's(...)'
+    else
+      seen << self.object_id
+      sexp_str = self.map do |x|
+        if x.is_a? Sexp
+          x.inspect seen
+        else
+          x.inspect
+        end
+      end.join(', ')
+
+      "s(#{sexp_str})"
+    end
+  end
 end
 
 #Invalidate hash cache if the Sexp changes

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 3.1.1
+  version: 3.1.2
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2015-09-23 00:00:00.000000000 Z
+date: 2015-10-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
@@ -183,6 +183,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: safe_yaml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.
 email: gem@brakeman.org