brakeman 3.3.2 → 3.3.3

data/lib/brakeman/processors/lib/render_helper.rb

@@ -8,7 +8,7 @@ module Brakeman::RenderHelper
     process_default exp
     @rendered = true
     case exp.render_type
-    when :action, :template
+    when :action, :template, :inline
       process_action exp[2][1], exp[3], exp.line
     when :default
       begin

data/lib/brakeman/processors/library_processor.rb

@@ -1,9 +1,11 @@
 require 'brakeman/processors/base_processor'
 require 'brakeman/processors/alias_processor'
+require 'brakeman/processors/lib/module_helper'
 require 'brakeman/tracker/library'
 
 #Process generic library and stores it in Tracker.libs
 class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
+  include Brakeman::ModuleHelper
 
   def initialize tracker
     super
@@ -19,66 +21,11 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   end
 
   def process_class exp
-    name = class_name(exp.class_name)
-    parent = class_name exp.parent_name
-
-    if @current_class
-      outer_class = @current_class
-      name = (outer_class.name.to_s + "::" + name.to_s).to_sym
-    end
-
-    if @current_module
-      name = (@current_module.name.to_s + "::" + name.to_s).to_sym
-    end
-
-    if @tracker.libs[name]
-      @current_class = @tracker.libs[name]
-      @current_class.add_file @file_name, exp
-    else
-      @current_class = Brakeman::Library.new name, parent, @file_name, exp, @tracker 
-      @tracker.libs[name] = @current_class
-    end
-
-    exp.body = process_all! exp.body
-
-    if outer_class
-      @current_class = outer_class
-    else
-      @current_class = nil
-    end
-
-    exp
+    handle_class exp, @tracker.libs, Brakeman::Library
   end
 
   def process_module exp
-    name = class_name(exp.module_name)
-
-    if @current_module
-      outer_module = @current_module
-      name = (outer_module.name.to_s + "::" + name.to_s).to_sym
-    end
-
-    if @current_class
-      name = (@current_class.name.to_s + "::" + name.to_s).to_sym
-    end
-
-    if @tracker.libs[name]
-      @current_module = @tracker.libs[name]
-      @current_module.add_file @file_name, exp
-    else
-      @current_module = Brakeman::Library.new name, nil, @file_name, exp, @tracker
-      @tracker.libs[name] = @current_module
-    end
-
-    exp.body = process_all! exp.body
-
-    if outer_module
-      @current_module = outer_module
-    else
-      @current_module = nil
-    end
-
-    exp
+    handle_module exp, Brakeman::Library
   end
 
   def process_defn exp

data/lib/brakeman/processors/model_processor.rb

@@ -1,8 +1,10 @@
 require 'brakeman/processors/base_processor'
+require 'brakeman/processors/lib/module_helper'
 require 'brakeman/tracker/model'
 
 #Processes models. Puts results in tracker.models
 class Brakeman::ModelProcessor < Brakeman::BaseProcessor
+  include Brakeman::ModuleHelper
 
   def initialize tracker
     super
@@ -31,63 +33,11 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
       return exp
     end
 
-    if @current_class
-      outer_class = @current_class
-      name = (outer_class.name.to_s + "::" + name.to_s).to_sym
-    end
-
-    if @current_module
-      name = (@current_module.name.to_s + "::" + name.to_s).to_sym
-    end
-
-    if @tracker.models[name]
-      @current_class = @tracker.models[name]
-      @current_class.add_file @file_name, exp
-    else
-      @current_class = Brakeman::Model.new name, parent, @file_name, exp, @tracker 
-      @tracker.models[name] = @current_class
-    end
-
-    exp.body = process_all! exp.body
-
-    if outer_class
-      @current_class = outer_class
-    else
-      @current_class = nil
-    end
-
-    exp
+    handle_class exp, @tracker.models, Brakeman::Model
   end
 
   def process_module exp
-    name = class_name(exp.class_name)
-
-    if @current_module
-      outer_module = @current_module
-      name = (outer_module.name.to_s + "::" + name.to_s).to_sym
-    end
-
-    if @current_class
-      name = (@current_class.name.to_s + "::" + name.to_s).to_sym
-    end
-
-    if @tracker.libs[name]
-      @current_module = @tracker.libs[name]
-      @current_module.add_file @file_name, exp
-    else
-      @current_module = Brakeman::Model.new name, nil, @file_name, exp, @tracker
-      @tracker.libs[name] = @current_module
-    end
-
-    exp.body = process_all! exp.body
-
-    if outer_module
-      @current_module = outer_module
-    else
-      @current_module = nil
-    end
-
-    exp
+    handle_module exp, Brakeman::Model
   end
 
   #Handle calls outside of methods,
@@ -138,54 +88,4 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
       call
     end
   end
-
-  #Add method definition to tracker
-  def process_defn exp
-    return exp unless @current_class
-    name = exp.method_name
-
-    @current_method = name
-    res = Sexp.new :defn, name, exp.formal_args, *process_all!(exp.body)
-    res.line(exp.line)
-    @current_method = nil
-
-    if @current_class
-      @current_class.add_method @visibility, name, res, @file_name
-    elsif @current_module
-      @current_module.add_method @visibility, name, res, @file_name
-    end
-
-    res
-  end
-
-  #Add method definition to tracker
-  def process_defs exp
-    return exp unless @current_class
-    name = exp.method_name
-
-    if node_type? exp[1], :self
-      if @current_class
-        target = @current_class.name
-      elsif @current_module
-        target = @current_module.name
-      else
-        target = nil
-      end
-    else
-      target = class_name exp[1]
-    end
-
-    @current_method = name
-    res = Sexp.new :defs, target, name, exp.formal_args, *process_all!(exp.body)
-    res.line(exp.line)
-    @current_method = nil
-
-    if @current_class
-      @current_class.add_method @visibility, name, res, @file_name
-    elsif @current_module
-      @current_module.add_method @visibility, name, res, @file_name
-    end
-    res
-  end
-
 end

data/lib/brakeman/processors/slim_template_processor.rb

@@ -16,20 +16,20 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
       arg = normalize_output(exp.first_arg)
 
       if is_escaped? arg
-        make_escaped_output arg
+        add_escaped_output arg
       elsif string? arg
         ignore
       elsif render? arg
-        make_output make_render_in_view arg
+        add_output make_render_in_view arg
       elsif string_interp? arg
         process_inside_interp arg
       elsif node_type? arg, :ignore
         ignore
       else
-        make_output arg
+        add_output arg
       end
     elsif is_escaped? exp
-      make_escaped_output exp.first_arg
+      add_escaped_output exp.first_arg
     elsif target == nil and method == :render
       exp.arglist = process exp.arglist
       make_render_in_view exp
@@ -39,20 +39,6 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
     end
   end
 
-  def make_output exp
-    s = Sexp.new :output, exp
-    s.line(exp.line)
-    @current_template.add_output s
-    s
-  end
-
-  def make_escaped_output exp
-    s = Sexp.new :escaped_output, exp.first_arg
-    s.line(exp.line)
-    @current_template.add_output s
-    s
-  end
-
   #Slim likes to interpolate output into strings then pass them to safe_concat.
   #Better to pull those values out directly.
   def process_inside_interp exp
@@ -76,13 +62,13 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
       elsif exp == SAFE_BUFFER
         ignore
       elsif render? exp
-        make_output make_render_in_view exp
+        add_output make_render_in_view exp
       elsif node_type? :output, :escaped_output
         exp
       elsif is_escaped? exp
-        make_escaped_output exp
+        add_escaped_output exp
       else
-        make_output exp
+        add_output exp
       end
     end
   end

data/lib/brakeman/processors/template_processor.rb

@@ -71,4 +71,15 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
       arg
     end
   end
+
+  def add_escaped_output output
+    add_output output, :escaped_output
+  end
+
+  def add_output output, type = :output
+    s = Sexp.new(type, output)
+    s.line(output.line)
+    @current_template.add_output s
+    s
+  end
 end

data/lib/brakeman/scanner.rb

@@ -23,7 +23,7 @@ class Brakeman::Scanner
     @app_tree = Brakeman::AppTree.from_options(options)
 
     if (!@app_tree.root || !@app_tree.exists?("app")) && !options[:force_scan]
-      raise Brakeman::NoApplication, "Please supply the path to a Rails application."
+      raise Brakeman::NoApplication, "Please supply the path to a Rails application (looking in #{@app_tree.root})."
     end
 
     @processor = processor || Brakeman::Processor.new(@app_tree, options)

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.3.2"
+  Version = "3.3.3"
 end

data/lib/ruby_parser/bm_sexp.rb

@@ -3,7 +3,7 @@
 #of a Sexp.
 class Sexp
   attr_accessor :original_line, :or_depth
-  ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cvasgn, :cdecl, :or, :and, :colon2]
+  ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cvasgn, :cdecl, :or, :and, :colon2, :op_asgn_or]
 
   def method_missing name, *args
     #Brakeman does not use this functionality,
@@ -51,7 +51,7 @@ class Sexp
 
   def value
     raise WrongSexpError, "Sexp#value called on multi-item Sexp", caller[1..-1] if size > 2
-    last
+    self[1]
   end
 
   def value= exp
@@ -436,7 +436,11 @@ class Sexp
     expect :attrasgn, :safe_attrasgn, *ASSIGNMENT_BOOL
 
     if self.node_type == :attrasgn or self.node_type == :safe_attrasgn
-      self[3]
+      if self[2] == :[]=
+        self[4]
+      else
+        self[3]
+      end
     else
       self[2]
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 3.3.2
+  version: 3.3.3
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2016-06-10 00:00:00.000000000 Z
+date: 2016-07-21 00:00:00.000000000 Z
 dependencies: []
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.
@@ -1298,6 +1298,7 @@ files:
 - lib/brakeman/processors/lib/find_all_calls.rb
 - lib/brakeman/processors/lib/find_call.rb
 - lib/brakeman/processors/lib/find_return_value.rb
+- lib/brakeman/processors/lib/module_helper.rb
 - lib/brakeman/processors/lib/processor_helper.rb
 - lib/brakeman/processors/lib/rails2_config_processor.rb
 - lib/brakeman/processors/lib/rails2_route_processor.rb
@@ -1375,7 +1376,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.4.8
 signing_key: 
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.