brakeman 3.3.2 → 3.3.3

data/lib/brakeman/processors/controller_processor.rb

@@ -1,8 +1,11 @@
 require 'brakeman/processors/base_processor'
+require 'brakeman/processors/lib/module_helper'
 require 'brakeman/tracker/controller'
 
 #Processes controller. Results are put in tracker.controllers
 class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
+  include Brakeman::ModuleHelper
+
   FORMAT_HTML = Sexp.new(:call, Sexp.new(:lvar, :format), :html)
 
   def initialize app_tree, tracker
@@ -47,64 +50,15 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
       return exp
     end
 
-    if @current_class
-      outer_class = @current_class
-      name = (outer_class.name.to_s + "::" + name.to_s).to_sym
-    end
-
-    if @current_module
-      name = (@current_module.name.to_s + "::" + name.to_s).to_sym
-    end
-
-    if @tracker.controllers[name]
-      @current_class = @tracker.controllers[name]
-      @current_class.add_file @file_name, exp
-    else
-      @current_class = Brakeman::Controller.new name, parent, @file_name, exp, @tracker
-      @tracker.controllers[name] = @current_class
-    end
-
-    exp.body = process_all! exp.body
-    set_layout_name
-
-    if outer_class
-      @current_class = outer_class
-    else
-      @current_class = nil
+    handle_class(exp, @tracker.controllers, Brakeman::Controller) do
+      set_layout_name
     end
 
     exp
   end
 
   def process_module exp, parent = nil
-    name = class_name(exp.module_name)
-
-    if @current_module
-      outer_module = @current_module
-      name = (outer_module.name.to_s + "::" + name.to_s).to_sym
-    end
-
-    if @current_class
-      name = (@current_class.name.to_s + "::" + name.to_s).to_sym
-    end
-
-    if @tracker.libs[name]
-      @current_module = @tracker.libs[name]
-      @current_module.add_file @file_name, exp
-    else
-      @current_module = Brakeman::Controller.new name, parent, @file_name, exp, @tracker
-      @tracker.libs[name] = @current_module
-    end
-
-    exp.body = process_all! exp.body
-
-    if outer_module
-      @current_module = outer_module
-    else
-      @current_module = nil
-    end
-
-    exp
+    handle_module exp, Brakeman::Controller, parent
   end
 
   #Look for specific calls inside the controller
@@ -187,53 +141,6 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     end
   end
 
-  #Process method definition and store in Tracker
-  def process_defn exp
-    name = exp.method_name
-    @current_method = name
-    res = Sexp.new :defn, name, exp.formal_args, *process_all!(exp.body)
-    res.line(exp.line)
-    @current_method = nil
-
-    if @current_class
-      @current_class.add_method @visibility, name, res, @file_name
-    elsif @current_module
-      @current_module.add_method @visibility, name, res, @file_name
-    end
-
-    res
-  end
-
-  #Process self.method definition and store in Tracker
-  def process_defs exp
-    name = exp.method_name
-
-    if node_type? exp[1], :self
-      if @current_class
-        target = @current_class.name
-      elsif @current_module
-        target = @current_module.name
-      else
-        target = nil
-      end
-    else
-      target = class_name exp[1]
-    end
-
-    @current_method = name
-    res = Sexp.new :defs, target, name, exp.formal_args, *process_all!(exp.body)
-    res.line(exp.line)
-    @current_method = nil
-
-    if @current_class
-      @current_class.add_method @visibility, name, res, @file_name
-    elsif @current_module
-      @current_module.add_method @visibility, name, res, @file_name
-    end
-
-    res
-  end
-
   #Look for before_filters and add fake ones if necessary
   def process_iter exp
     if @current_method.nil? and call? exp.block_call

data/lib/brakeman/processors/erb_template_processor.rb

@@ -28,10 +28,7 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
         if arg.node_type == :str #ignore plain strings
           ignore
         else
-          s = Sexp.new :output, arg
-          s.line(exp.line)
-          @current_template.add_output s
-          s
+          add_output arg
         end
       elsif method == :force_encoding
         ignore

data/lib/brakeman/processors/erubis_template_processor.rb

@@ -23,15 +23,9 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
         if arg.node_type == :str #ignore plain strings
           ignore
         elsif node_type? target, :ivar and target.value == :@output_buffer
-          s = Sexp.new :escaped_output, arg
-          s.line(exp.line)
-          @current_template.add_output s
-          s
+          add_escaped_output arg
         else
-          s = Sexp.new :output, arg
-          s.line(exp.line)
-          @current_template.add_output s
-          s
+          add_output arg
         end
       elsif method == :to_s
         ignore
@@ -75,15 +69,9 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
         if arg.node_type == :str
           ignore
         elsif safe_append_method?(exp.method)
-          s = Sexp.new :output, arg
-          s.line(exp.line)
-          @current_template.add_output s
-          s
+          add_output arg
         else
-          s = Sexp.new :escaped_output, arg
-          s.line(exp.line)
-          @current_template.add_output s
-          s
+          add_escaped_output arg
         end
       else
         super

data/lib/brakeman/processors/haml_template_processor.rb

@@ -81,10 +81,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       if out.node_type == :str #ignore plain strings
         ignore
       else
-        s = Sexp.new(:output, out)
-        @current_template.add_output s
-        s.line(exp.line)
-        s
+        add_output out
       end
     elsif target == nil and method == :render
       #Process call to render()
@@ -175,16 +172,12 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
       exp.map! { |e| get_pushed_value e }
     else
       if call? exp and exp.target == HAML_HELPERS and exp.method == :html_escape
-        s = Sexp.new(:escaped_output, exp.first_arg)
+        add_escaped_output exp.first_arg
       elsif @javascript and call? exp and (exp.method == :j or exp.method == :escape_javascript)
-        s = Sexp.new(:escaped_output, exp.first_arg)
+        add_escaped_output exp.first_arg
       else
-        s = Sexp.new(default, exp)
+        add_output exp, default
       end
-
-      s.line(exp.line)
-      @current_template.add_output s
-      s
     end
   end
 end

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -28,11 +28,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     process_all exp.body
   end
 
-  #Process body of method
-  def process_defs exp
-    return exp unless @current_method
-    process_all exp.body
-  end
+  alias process_defs process_defn
 
   #Process body of block
   def process_rlist exp
@@ -70,11 +66,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   def process_render exp
     process exp.last if sexp? exp.last
 
-    @calls << { :target => nil,
-                :method => :render,
-                :call => exp,
-                :nested => false,
-                :location => make_location }
+    add_simple_call :render, exp
 
     exp
   end
@@ -84,11 +76,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   def process_dxstr exp
     process exp.last if sexp? exp.last
 
-    @calls << { :target => nil,
-                :method => :`,
-                :call => exp,
-                :nested => false,
-                :location => make_location }
+    add_simple_call :`, exp
 
     exp
   end
@@ -97,11 +85,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   def process_dsym exp
     exp.each { |arg| process arg if sexp? arg }
 
-    @calls << { :target => nil,
-                :method => :literal_to_sym,
-                :call => exp,
-                :nested => false,
-                :location => make_location }
+    add_simple_call :literal_to_sym, exp
 
     exp
   end
@@ -110,11 +94,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   def process_dregx exp
     exp.each { |arg| process arg if sexp? arg }
 
-    @calls << { :target => nil,
-                :method => :brakeman_regex_interp,
-                :call => exp,
-                :nested => false,
-                :location => make_location }
+    add_simple_call :brakeman_regex_interp, exp
 
     exp
   end
@@ -126,6 +106,14 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
 
   private
 
+  def add_simple_call method_name, exp
+    @calls << { :target => nil,
+                :method => method_name,
+                :call => exp,
+                :nested => false,
+                :location => make_location }
+  end
+
   #Gets the target of a call as a Symbol
   #if possible
   def get_target exp, include_calls = false

data/lib/brakeman/processors/lib/find_return_value.rb

@@ -65,7 +65,7 @@ class Brakeman::FindReturnValue
       @uses_ivars = true if node_type? current, :ivar
 
       if node_type? current, :return
-        @return_values << current.value unless current.value.nil?
+        @return_values << last_value(current.value) if current.value
       elsif sexp? current
         todo = current[1..-1].concat todo
       end
@@ -97,10 +97,40 @@ class Brakeman::FindReturnValue
           true_branch or false_branch
         end
       end
-    when :lasgn, :iasgn
-      exp.rhs
+    when :lasgn, :iasgn, :op_asgn_or, :attrasgn
+      last_value exp.rhs
+    when :rescue
+      values = []
+
+      exp.each_sexp do |e|
+        if node_type? e, :resbody
+          if e.last
+            values << last_value(e.last)
+          end
+        elsif sexp? e
+          values << last_value(e)
+        end
+      end
+
+      values.reject! do |v|
+        v.nil? or node_type? v, :nil
+      end
+
+      if values.length > 1
+        values.inject do |m, v|
+          make_or(m, v)
+        end
+      else
+        values.first
+      end
     when :return
-      exp.value
+      if exp.value
+        last_value exp.value
+      else
+        nil
+      end
+    when :nil
+      nil
     else
       exp.original_line = exp.line unless exp.original_line
       exp

data/lib/brakeman/processors/lib/module_helper.rb

@@ -0,0 +1,111 @@
+module Brakeman::ModuleHelper
+  def handle_module exp, tracker_class, parent = nil
+    name = class_name(exp.module_name)
+
+    if @current_module
+      outer_module = @current_module
+      name = (outer_module.name.to_s + "::" + name.to_s).to_sym
+    end
+
+    if @current_class
+      name = (@current_class.name.to_s + "::" + name.to_s).to_sym
+    end
+
+    if @tracker.libs[name]
+      @current_module = @tracker.libs[name]
+      @current_module.add_file @file_name, exp
+    else
+      @current_module = tracker_class.new name, parent, @file_name, exp, @tracker
+      @tracker.libs[name] = @current_module
+    end
+
+    exp.body = process_all! exp.body
+
+    if outer_module
+      @current_module = outer_module
+    else
+      @current_module = nil
+    end
+
+    exp
+  end
+
+  def handle_class exp, collection, tracker_class
+    name = class_name(exp.class_name)
+    parent = class_name exp.parent_name
+
+    if @current_class
+      outer_class = @current_class
+      name = (outer_class.name.to_s + "::" + name.to_s).to_sym
+    end
+
+    if @current_module
+      name = (@current_module.name.to_s + "::" + name.to_s).to_sym
+    end
+
+    if collection[name]
+      @current_class = collection[name]
+      @current_class.add_file @file_name, exp
+    else
+      @current_class = tracker_class.new name, parent, @file_name, exp, @tracker 
+      collection[name] = @current_class
+    end
+
+    exp.body = process_all! exp.body
+
+    yield if block_given?
+
+    if outer_class
+      @current_class = outer_class
+    else
+      @current_class = nil
+    end
+
+    exp
+  end
+
+  def process_defs exp
+    name = exp.method_name
+
+    if node_type? exp[1], :self
+      if @current_class
+        target = @current_class.name
+      elsif @current_module
+        target = @current_module.name
+      else
+        target = nil
+      end
+    else
+      target = class_name exp[1]
+    end
+
+    @current_method = name
+    res = Sexp.new :defs, target, name, exp.formal_args, *process_all!(exp.body)
+    res.line(exp.line)
+    @current_method = nil
+
+    if @current_class
+      @current_class.add_method @visibility, name, res, @file_name
+    elsif @current_module
+      @current_module.add_method @visibility, name, res, @file_name
+    end
+    res
+  end
+
+  def process_defn exp
+    name = exp.method_name
+
+    @current_method = name
+    res = Sexp.new :defn, name, exp.formal_args, *process_all!(exp.body)
+    res.line(exp.line)
+    @current_method = nil
+
+    if @current_class
+      @current_class.add_method @visibility, name, res, @file_name
+    elsif @current_module
+      @current_module.add_method @visibility, name, res, @file_name
+    end
+
+    res
+  end
+end