brakeman 4.5.0 → 4.5.1

data/lib/brakeman/report/report_table.rb

@@ -199,10 +199,6 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     end
   end
 
-  def convert_warning warning, original
-    warning
-  end
-
   def convert_ignored_warning warning, original
     convert_warning warning, original
   end
@@ -271,4 +267,24 @@ Duration: #{tracker.duration} seconds
 Checks run: #{checks.checks_run.sort.join(", ")}
 HEADER
   end
+
+  def truncate_table str
+    @terminal_width ||= if @tracker.options[:table_width]
+                          @tracker.options[:table_width]
+                        elsif $stdin && $stdin.tty?
+                          Brakeman.load_brakeman_dependency 'highline'
+                          ::HighLine.default_instance.terminal.terminal_size[0]
+                        else
+                          80
+                        end
+    lines = str.lines
+
+    lines.map do |line|
+      if line.chomp.length > @terminal_width
+        line[0..(@terminal_width - 3)] + ">>\n"
+      else
+        line
+      end
+    end.join
+  end
 end

data/lib/brakeman/report/report_tabs.rb

@@ -10,7 +10,7 @@ class Brakeman::Report::Tabs < Brakeman::Report::Table
       self.send(meth).map do |w|
         line = w.line || 0
         w.warning_type.gsub!(/[^\w\s]/, ' ')
-        "#{warning_file(w, :absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
+        "#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
       end.join "\n"
 
     end.join "\n"

data/lib/brakeman/report/report_text.rb

@@ -201,8 +201,8 @@ class Brakeman::Report::Text < Brakeman::Report::Base
 
   # ONLY used for generate_controllers to avoid duplication
   def render_array name, cols, values, locals
-    controllers = values.map do |name, parent, includes, routes|
-      c = [ label("Controller", name) ]
+    controllers = values.map do |controller_name, parent, includes, routes|
+      c = [ label("Controller", controller_name) ]
       c << label("Parent", parent) unless parent.empty?
       c << label("Includes", includes) unless includes.empty?
       c << label("Routes", routes)

data/lib/brakeman/rescanner.rb

@@ -13,7 +13,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def initialize options, processor, changed_files
     super(options, processor)
 
-    @paths = changed_files.map {|f| @app_tree.expand_path(f) }
+    @paths = changed_files.map {|f| tracker.app_tree.file_path(f) }
     @old_results = tracker.filtered_warnings  #Old warnings from previous scan
     @changes = nil                 #True if files had to be rescanned
     @reindex = Set.new
@@ -67,7 +67,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def rescan_file path, type = nil
     type ||= file_type path
 
-    unless @app_tree.path_exists?(path)
+    unless path.exists?
       return rescan_deleted_file path, type
     end
 
@@ -127,14 +127,14 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_template path
-    return unless path.match KNOWN_TEMPLATE_EXTENSIONS and @app_tree.path_exists?(path)
+    return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS and path.exists?
 
     template_name = template_path_to_name(path)
 
     tracker.reset_template template_name
-    fp = Brakeman::FileParser.new(tracker, @app_tree)
+    fp = Brakeman::FileParser.new(tracker)
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
-    template_parser.parse_template path, @app_tree.read_path(path)
+    template_parser.parse_template path, path.read
     process_template fp.file_list[:templates].first
 
     @processor.process_template_alias tracker.templates[template_name]
@@ -256,16 +256,13 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_deleted_template path
-    return unless path.match KNOWN_TEMPLATE_EXTENSIONS
+    return unless path.relative.match KNOWN_TEMPLATE_EXTENSIONS
 
     template_name = template_path_to_name(path)
 
     #Remove template
     tracker.reset_template template_name
 
-    rendered_from_controller = /^#{template_name}\.(.+Controller)#(.+)/
-    rendered_from_view = /^#{template_name}\.Template:(.+)/
-
     #Remove any rendered versions, or partials rendered from it
     tracker.templates.delete_if do |_name, template|
       template.file == path or template.name.to_sym == template_name.to_sym
@@ -371,7 +368,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
       next unless template.render_path
 
       if template.render_path.include_any_method? method_names
-        name.to_s.match /^([^.]+)/
+        name.to_s.match(/^([^.]+)/)
 
         original = tracker.templates[$1.to_sym]
 
@@ -388,8 +385,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def parse_ruby_files list
-    paths = list.select { |path| @app_tree.path_exists? path }
-    file_parser = Brakeman::FileParser.new(tracker, @app_tree)
+    paths = list.select(&:exists?)
+    file_parser = Brakeman::FileParser.new(tracker)
     file_parser.parse_files paths, :rescan
     file_parser.file_list[:rescan]
   end

data/lib/brakeman/scanner.rb

@@ -16,7 +16,6 @@ end
 #Scans the Rails application.
 class Brakeman::Scanner
   attr_reader :options
-  RUBY_1_9 = RUBY_VERSION >= "1.9.0"
 
   #Pass in path to the root of the Rails application
   def initialize options, processor = nil
@@ -66,7 +65,7 @@ class Brakeman::Scanner
   end
 
   def parse_files
-    fp = Brakeman::FileParser.new tracker, @app_tree
+    fp = Brakeman::FileParser.new tracker
 
     files = {
       :initializers => @app_tree.initializer_paths,
@@ -95,7 +94,7 @@ class Brakeman::Scanner
   #
   #Stores parsed information in tracker.config
   def process_config
-    if options[:rails3] or options[:rails4] or options[:rails5]
+    if options[:rails3] or options[:rails4] or options[:rails5] or options[:rails6]
       process_config_file "application.rb"
       process_config_file "environments/production.rb"
     else
@@ -111,14 +110,14 @@ class Brakeman::Scanner
     end
 
     if @app_tree.exists? ".ruby-version"
-      tracker.config.set_ruby_version @app_tree.read ".ruby-version"
+      tracker.config.set_ruby_version @app_tree.file_path(".ruby-version").read
     end
   end
 
   def process_config_file file
-    path = "config/#{file}"
+    path = @app_tree.file_path("config/#{file}")
 
-    if @app_tree.exists?(path)
+    if path.exists?
       @processor.process_config(parse_ruby_file(path), path)
     end
 
@@ -132,16 +131,21 @@ class Brakeman::Scanner
   #Process Gemfile
   def process_gems
     gem_files = {}
+
     if @app_tree.exists? "Gemfile"
-      gem_files[:gemfile] = { :src => parse_ruby_file("Gemfile"), :file => "Gemfile" }
+      file = @app_tree.file_path("Gemfile")
+      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
     elsif @app_tree.exists? "gems.rb"
-      gem_files[:gemfile] = { :src => parse_ruby_file("gems.rb"), :file => "gems.rb" }
+      file = @app_tree.file_path("gems.rb")
+      gem_files[:gemfile] = { :src => parse_ruby_file(file), :file => file }
     end
 
     if @app_tree.exists? "Gemfile.lock"
-      gem_files[:gemlock] = { :src => @app_tree.read("Gemfile.lock"), :file => "Gemfile.lock" }
+      file = @app_tree.file_path("Gemfile.lock")
+      gem_files[:gemlock] = { :src => file.read, :file => file }
     elsif @app_tree.exists? "gems.locked"
-      gem_files[:gemlock] = { :src => @app_tree.read("gems.locked"), :file => "gems.locked" }
+      file = @app_tree.file_path("gems.locked")
+      gem_files[:gemlock] = { :src => file.read, :file => file }
     end
 
     if @app_tree.gemspec
@@ -215,7 +219,8 @@ class Brakeman::Scanner
   #Adds parsed information to tracker.routes
   def process_routes
     if @app_tree.exists?("config/routes.rb")
-      if routes_sexp = parse_ruby_file("config/routes.rb")
+      file = @app_tree.file_path("config/routes.rb")
+      if routes_sexp = parse_ruby_file(file)
         @processor.process_routes routes_sexp
       else
         Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
@@ -316,9 +321,9 @@ class Brakeman::Scanner
     tracker.index_call_sites
   end
 
-  def parse_ruby_file path
-    fp = Brakeman::FileParser.new(self.tracker, @app_tree)
-    fp.parse_ruby(@app_tree.read(path), path)
+  def parse_ruby_file file
+    fp = Brakeman::FileParser.new(self.tracker)
+    fp.parse_ruby(file.read, file)
   end
 end
 

data/lib/brakeman/tracker.rb

@@ -12,7 +12,7 @@ class Brakeman::Tracker
   attr_accessor :controllers, :constants, :templates, :models, :errors,
     :checks, :initializers, :config, :routes, :processor, :libs,
     :template_cache, :options, :filter_cache, :start_time, :end_time,
-    :duration, :ignored_filter
+    :duration, :ignored_filter, :app_tree
 
   #Place holder when there should be a model, but it is not
   #clear what model it will be.
@@ -34,7 +34,7 @@ class Brakeman::Tracker
     #we can match models later without knowing precisely what
     #class they are.
     @models = {}
-    @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, nil, nil, self)
+    @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, @app_tree.file_path("NOT_REAL.rb"), nil, self)
     @routes = {}
     @initializers = {}
     @errors = []
@@ -71,7 +71,7 @@ class Brakeman::Tracker
   #Run a set of checks on the current information. Results will be stored
   #in Tracker#checks.
   def run_checks
-    @checks = Brakeman::Checks.run_checks(@app_tree, self)
+    @checks = Brakeman::Checks.run_checks(self)
 
     @end_time = Time.now
     @duration = @end_time - @start_time
@@ -172,7 +172,7 @@ class Brakeman::Tracker
 
   #Returns a Report with this Tracker's information
   def report
-    Brakeman::Report.new(@app_tree, self)
+    Brakeman::Report.new(self)
   end
 
   def warnings

data/lib/brakeman/tracker/collection.rb

@@ -9,13 +9,14 @@ module Brakeman
     def initialize name, parent, file_name, src, tracker
       @name = name
       @parent = parent
-      @file_name = file_name
-      @files = [ file_name ]
-      @src = { file_name => src }
+      @files = []
+      @src = {}
       @includes = []
       @methods = { :public => {}, :private => {}, :protected => {} }
       @options = {}
       @tracker = tracker
+
+      add_file file_name, src
     end
 
     def ancestor? parent, seen={}

data/lib/brakeman/tracker/config.rb

@@ -97,6 +97,12 @@ module Brakeman
             tracker.options[:rails4] = true
             tracker.options[:rails5] = true
             Brakeman.notify "[Notice] Detected Rails 5 application"
+          elsif @rails_version.start_with? "6"
+            tracker.options[:rails3] = true
+            tracker.options[:rails4] = true
+            tracker.options[:rails5] = true
+            tracker.options[:rails6] = true
+            Brakeman.notify "[Notice] Detected Rails 6 application"
           end
         end
       end

data/lib/brakeman/util.rb

@@ -346,158 +346,12 @@ module Brakeman::Util
     @tracker.config.rails_version
   end
 
-  #Return file name related to given warning. Uses +warning.file+ if it exists
-  def file_for warning, tracker = nil
-    if tracker.nil?
-      tracker = @tracker || self.tracker
-    end
-
-    if warning.file
-      File.expand_path warning.file, tracker.app_path
-    elsif warning.template and warning.template.file
-      warning.template.file
-    else
-      case warning.warning_set
-      when :controller
-        file_by_name warning.controller, :controller, tracker
-      when :template
-        file_by_name warning.template.name, :template, tracker
-      when :model
-        file_by_name warning.model, :model, tracker
-      when :warning
-        file_by_name warning.class, nil, tracker
-      else
-        nil
-      end
-    end
-  end
-
-  #Attempt to determine path to context file based on the reported name
-  #in the warning.
-  #
-  #For example,
-  #
-  #  file_by_name FileController #=> "/rails/root/app/controllers/file_controller.rb
-  def file_by_name name, type, tracker = nil
-    return nil unless name
-    string_name = name.to_s
-    name = name.to_sym
-
-    unless type
-      if string_name =~ /Controller$/
-        type = :controller
-      elsif camelize(string_name) == string_name # This is not always true
-        type = :model
-      else
-        type = :template
-      end
-    end
-
-    path = tracker.app_path
-
-    case type
-    when :controller
-      if tracker.controllers[name]
-        path = tracker.controllers[name].file
-      else
-        path += "/app/controllers/#{underscore(string_name)}.rb"
-      end
-    when :model
-      if tracker.models[name]
-        path = tracker.models[name].file
-      else
-        path += "/app/models/#{underscore(string_name)}.rb"
-      end
-    when :template
-      if tracker.templates[name] and tracker.templates[name].file
-        path = tracker.templates[name].file
-      elsif string_name.include? " "
-        name = string_name.split[0].to_sym
-        path = file_for tracker, name, :template
-      else
-        path = nil
-      end
-    end
-
-    path
-  end
-
-  #Return array of lines surrounding the warning location from the original
-  #file.
-  def context_for app_tree, warning, tracker = nil
-    file = file_for warning, tracker
-    context = []
-    return context unless warning.line and file and @app_tree.path_exists? file
-
-    current_line = 0
-    start_line = warning.line - 5
-    end_line = warning.line + 5
-
-    start_line = 1 if start_line < 0
-
-    File.open file do |f|
-      f.each_line do |line|
-        current_line += 1
-
-        next if line.strip == ""
-
-        if current_line > end_line
-          break
-        end
-
-        if current_line >= start_line
-          context << [current_line, line]
-        end
-      end
-    end
-
-    context
-  end
-
-  def relative_path file
-    pname = Pathname.new file
-    if file and not file.empty? and pname.absolute?
-      pname.relative_path_from(Pathname.new(@tracker.app_path)).to_s
-    else
-      file
-    end
-  end
-
   #Convert path/filename to view name
   #
   # views/test/something.html.erb -> test/something
   def template_path_to_name path
-    names = path.split("/")
+    names = path.relative.split("/")
     names.last.gsub!(/(\.(html|js)\..*|\.(rhtml|haml|erb|slim))$/, '')
     names[(names.index("views") + 1)..-1].join("/").to_sym
   end
-
-  def github_url file, line=nil
-    if repo_url = @tracker.options[:github_url] and file and not file.empty? and file.start_with? '/'
-      url = "#{repo_url}/#{relative_path(file)}"
-      url << "#L#{line}" if line
-    else
-      nil
-    end
-  end
-
-  def truncate_table str
-    @terminal_width ||= if @tracker.options[:table_width]
-                          @tracker.options[:table_width]
-                        elsif $stdin && $stdin.tty?
-                          Brakeman.load_brakeman_dependency 'highline'
-                          ::HighLine.new.terminal_size[0]
-                        else
-                          80
-                        end
-    lines = str.lines
-
-    lines.map do |line|
-      if line.chomp.length > @terminal_width
-        line[0..(@terminal_width - 3)] + ">>\n"
-      else
-        line
-      end
-    end.join
-  end
 end