brakeman 1.5.2 → 1.5.3

data/README.md

@@ -41,6 +41,10 @@ To specify an output file for the results:
 
 The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json` and `csv`.
 
+Multiple output files can be specified:
+
+    brakeman -o output.html -o output.json
+
 To suppress informational warnings and just output the report:
 
     brakeman -q

data/lib/brakeman.rb

@@ -27,8 +27,8 @@ module Brakeman
   #  * :ignore_model_output - consider models safe (default: false)
   #  * :message_limit - limit length of messages
   #  * :min_confidence - minimum confidence (0-2, 0 is highest)
-  #  * :output_file - file for output
-  #  * :output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)
+  #  * :output_files - files for output
+  #  * :output_formats - formats for output (:to_s, :to_tabs, :to_csv, :to_html)
   #  * :parallel_checks - run checks in parallel (default: true)
   #  * :print_report - if no output file specified, print to stdout (default: false)
   #  * :quiet - suppress most messages (default: true)
@@ -65,7 +65,7 @@ module Brakeman
 
     options = load_options(options[:config_file]).merge! options
     options = get_defaults.merge! options
-    options[:output_format] = get_output_format options
+    options[:output_formats] = get_output_formats options
 
     app_path = options[:app_path]
 
@@ -124,39 +124,47 @@ module Brakeman
     }
   end
 
-  #Determine output format based on options[:output_format]
-  #or options[:output_file]
-  def self.get_output_format options
+  #Determine output formats based on options[:output_formats]
+  #or options[:output_files]
+  def self.get_output_formats options
     #Set output format
+    if options[:output_format] && options[:output_files] && options[:output_files].size > 1
+      raise ArgumentError, "Cannot specify output format if multiple output files specified"
+    end
     if options[:output_format]
-      case options[:output_format]
-      when :html, :to_html
-        :to_html
-      when :csv, :to_csv
-        :to_csv
-      when :pdf, :to_pdf
-        :to_pdf
-      when :tabs, :to_tabs
-        :to_tabs
-      when :json, :to_json
-        :to_json
-      else
-        :to_s
-      end
+      [
+        case options[:output_format]
+        when :html, :to_html
+          :to_html
+        when :csv, :to_csv
+          :to_csv
+        when :pdf, :to_pdf
+          :to_pdf
+        when :tabs, :to_tabs
+          :to_tabs
+        when :json, :to_json
+          :to_json
+        else
+          :to_s
+        end
+      ]
     else
-      case options[:output_file]
-      when /\.html$/i
-        :to_html
-      when /\.csv$/i
-        :to_csv
-      when /\.pdf$/i
-        :to_pdf
-      when /\.tabs$/i
-        :to_tabs
-      when /\.json$/i
-        :to_json
-      else
-        :to_s
+      return [:to_s] unless options[:output_files]
+      options[:output_files].map do |output_file|
+        case output_file
+        when /\.html$/i
+          :to_html
+        when /\.csv$/i
+          :to_csv
+        when /\.pdf$/i
+          :to_pdf
+        when /\.tabs$/i
+          :to_tabs
+        when /\.json$/i
+          :to_json
+        else
+          :to_s
+        end
       end
     end
   end
@@ -253,17 +261,21 @@ module Brakeman
     end
     tracker.run_checks
 
-    if options[:output_file]
+    if options[:output_files]
       notify "Generating report..."
 
-      File.open options[:output_file], "w" do |f|
-        f.puts tracker.report.send(options[:output_format])
+      options[:output_files].each_with_index do |output_file, idx|
+        File.open output_file, "w" do |f|
+          f.write tracker.report.send(options[:output_formats][idx])
+        end
+        notify "Report saved in '#{output_file}'"
       end
-      notify "Report saved in '#{options[:output_file]}'"
     elsif options[:print_report]
       notify "Generating report..."
 
-      puts tracker.report.send(options[:output_format])
+      options[:output_formats].each do |output_format|
+        puts tracker.report.send(output_format)
+      end
     end
 
     tracker

data/lib/brakeman/brakeman.rake

@@ -0,0 +1,9 @@
+namespace :brakeman do
+
+  desc "Run Brakeman"
+  task :run, :output_file do |t, args|
+    require 'brakeman'
+    
+    Brakeman.run :app_path => ".", :output_file => args[:output_file], :print_report => true
+  end
+end

data/lib/brakeman/checks/check_evaluation.rb

@@ -18,9 +18,9 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
     end
   end
 
-  #Warns if result includes user input
+  #Warns if eval includes user input
   def process_result result
-    if include_user_input? result[:call]
+    if include_user_input? result[:call][-1]
       warn :result => result,
         :warning_type => "Dangerous Eval",
         :message => "User input in eval",

data/lib/brakeman/checks/check_send.rb

@@ -0,0 +1,38 @@
+require 'brakeman/checks/base_check'
+
+#Checks if user supplied data is passed to send
+class Brakeman::CheckSend < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+
+  @description = "Check for unsafe use of Object#send"
+
+  def run_check
+    Brakeman.debug("Finding instances of #send")
+    calls = tracker.find_call :method => :send
+
+    calls.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    args = process result[:call][3]
+    target = process result[:call][1]
+
+    if has_immediate_user_input? args[1]
+      warn :result => result,
+        :warning_type => "Dangerous Send",
+        :message => "User controlled method execution",
+        :code => result[:call],
+        :confidence => CONFIDENCE[:high]
+    end
+
+    if has_immediate_user_input?(target)
+      warn :result => result,
+        :warning_type => "Dangerous Send",
+        :message => "User defined target of method invocation",
+        :code => result[:call],
+        :confidence => CONFIDENCE[:med]
+    end
+  end
+end

data/lib/brakeman/options.rb

@@ -130,7 +130,7 @@ module Brakeman::Options
         opts.on "-f", 
           "--format TYPE", 
           [:pdf, :text, :html, :csv, :tabs, :json],
-          "Specify output format. Default is text" do |type|
+          "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text
           options[:output_format] = ("to_" << type.to_s).to_sym
@@ -152,8 +152,9 @@ module Brakeman::Options
           options[:message_limit] = limit.to_i
         end
 
-        opts.on "-o", "--output FILE", "Specify file for output. Defaults to stdout" do |file|
-          options[:output_file] = file
+        opts.on "-o", "--output FILE", "Specify files for output. Defaults to stdout. Multiple '-o's allowed" do |file|
+          options[:output_files] ||= []
+          options[:output_files].push(file)
         end
 
         opts.on "--separate-models", "Warn on each model without attr_accessible" do

data/lib/brakeman/parsers/rails2_erubis.rb

@@ -0,0 +1,4 @@
+#Erubis processor which ignores any output which is plain text.
+class Brakeman::ScannerErubis < Erubis::Eruby
+  include Erubis::NoTextEnhancer
+end

data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb

@@ -0,0 +1,46 @@
+#This is from the rails_xss plugin for Rails 2
+class Brakeman::Rails2XSSPluginErubis < ::Erubis::Eruby
+  def add_preamble(src)
+    #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
+  end
+
+  #This is different from rails_xss - fixes some line number issues
+  def add_text(src, text)
+    if text == "\n"
+      src << "\n"
+    elsif text.include? "\n"
+      lines = text.split("\n")
+      if text.match(/\n\z/)
+        lines.each do |line|
+          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
+        end
+      else
+        lines[0..-2].each do |line|
+          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
+        end
+
+        src << "@output_buffer.safe_concat('" << escape_text(lines.last) << "');"
+      end
+    else
+      src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
+    end
+  end
+
+  BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
+
+  def add_expr_literal(src, code)
+    if code =~ BLOCK_EXPR
+      src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
+    else
+      src << '@output_buffer << ((' << code << ').to_s);'
+    end
+  end
+
+  def add_expr_escaped(src, code)
+    src << '@output_buffer << ' << escaped_expr(code) << ';'
+  end
+
+  def add_postamble(src)
+    #src << '@output_buffer.to_s'
+  end
+end

data/lib/brakeman/parsers/rails3_erubis.rb

@@ -0,0 +1,60 @@
+#This is from Rails 3 version of the Erubis handler
+class Brakeman::Rails3Erubis < ::Erubis::Eruby
+
+  def add_preamble(src)
+    # src << "_buf = ActionView::SafeBuffer.new;\n"
+  end
+
+  #This is different from Rails 3 - fixes some line number issues
+  def add_text(src, text)
+    if text == "\n"
+      src << "\n"
+    elsif text.include? "\n"
+      lines = text.split("\n")
+      if text.match(/\n\z/)
+        lines.each do |line|
+          src << "@output_buffer << ('" << escape_text(line) << "'.html_safe!);\n"
+        end
+      else
+        lines[0..-2].each do |line|
+          src << "@output_buffer << ('" << escape_text(line) << "'.html_safe!);\n"
+        end
+
+        src << "@output_buffer << ('" << escape_text(lines.last) << "'.html_safe!);"
+      end
+    else
+      src << "@output_buffer << ('" << escape_text(text) << "'.html_safe!);"
+    end
+  end
+
+  BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
+
+  def add_expr_literal(src, code)
+    if code =~ BLOCK_EXPR
+      src << '@output_buffer.append= ' << code
+    else
+      src << '@output_buffer.append= (' << code << ');'
+    end
+  end
+
+  def add_stmt(src, code)
+    if code =~ BLOCK_EXPR
+      src << '@output_buffer.append_if_string= ' << code
+    else
+      super
+    end
+  end
+
+  def add_expr_escaped(src, code)
+    if code =~ BLOCK_EXPR
+      src << "@output_buffer.safe_append= " << code
+    else
+      src << "@output_buffer.safe_concat(" << code << ");"
+    end
+  end
+
+  #Add code to output buffer.
+  def add_postamble(src)
+    # src << '_buf.to_s'
+  end
+end

data/lib/brakeman/processor.rb

@@ -40,8 +40,8 @@ module Brakeman
 
     #Process variable aliasing in controller source and save it in the
     #tracker.
-    def process_controller_alias src, only_method = nil
-      ControllerAliasProcessor.new(@tracker, only_method).process src
+    def process_controller_alias name, src, only_method = nil
+      ControllerAliasProcessor.new(@tracker, only_method).process_controller name, src
     end
 
     #Process a model source

data/lib/brakeman/processors/alias_processor.rb

@@ -492,12 +492,25 @@ class Brakeman::AliasProcessor < SexpProcessor
 
   #Returns a new SexpProcessor::Environment containing only instance variables.
   #This is useful, for example, when processing views.
-  def only_ivars
+  def only_ivars include_request_vars = false
     res = SexpProcessor::Environment.new
-    env.all.each do |k, v|
-      #TODO Why would this have nil values?
-      res[k] = v.dup if k.node_type == :ivar and not v.nil?
+
+    if include_request_vars
+      env.all.each do |k, v|
+        #TODO Why would this have nil values?
+        if (k.node_type == :ivar or request_value? k) and not v.nil?
+          res[k] = v.dup
+        end
+      end
+    else
+      env.all.each do |k, v|
+        #TODO Why would this have nil values?
+        if k.node_type == :ivar and not v.nil?
+          res[k] = v.dup
+        end
+      end
     end
+
     res
   end
 

data/lib/brakeman/processors/base_processor.rb

@@ -32,14 +32,6 @@ class Brakeman::BaseProcessor < SexpProcessor
     exp
   end
 
-  def process_module exp
-    current_module = @current_module
-    @current_module = class_name exp[1]
-    process exp[2]
-    @current_module = current_module
-    exp
-  end
-
   #Process a new scope. Removes expressions that are set to nil.
   def process_scope exp
     exp = exp.dup
@@ -210,9 +202,14 @@ class Brakeman::BaseProcessor < SexpProcessor
     exp
   end
 
+  #Convenience method for `make_render exp, true`
+  def make_render_in_view exp
+    make_render exp, true
+  end
+
   #Generates :render node from call to render.
-  def make_render exp
-    render_type, value, rest = find_render_type exp[3]
+  def make_render exp, in_view = false 
+    render_type, value, rest = find_render_type exp[3], in_view
     rest = process rest
     result = Sexp.new(:render, render_type, value, rest)
     result.line(exp.line)
@@ -222,9 +219,11 @@ class Brakeman::BaseProcessor < SexpProcessor
   #Determines the type of a call to render.
   #
   #Possible types are:
-  #:action, :default :file, :inline, :js, :json, :nothing, :partial,
+  #:action, :default, :file, :inline, :js, :json, :nothing, :partial,
   #:template, :text, :update, :xml
-  def find_render_type args
+  #
+  #And also :layout for inside templates
+  def find_render_type args, in_view = false
     rest = Sexp.new(:hash)
     type = nil
     value = nil
@@ -252,10 +251,18 @@ class Brakeman::BaseProcessor < SexpProcessor
       value = args[1]
     end
 
+    types_in_hash = Set[:action, :file, :inline, :js, :json, :nothing, :partial, :text, :update, :xml]
+
+    #render :layout => "blah" means something else when in a template
+    if in_view
+      types_in_hash << :layout
+    end
+
+    #Look for "type" of render in options hash
+    #For example, render :file => "blah"
     if hash? args[-1]
       hash_iterate(args[-1]) do |key, val|
-        case key[1]
-        when :action, :file, :inline, :js, :json, :nothing, :partial, :text, :update, :xml
+        if types_in_hash.include? key[1]
           type = key[1]
           value = val
         else  

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -17,11 +17,23 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     @current_class = @current_module = @current_method = nil
   end
 
+  def process_controller name, src
+    if not node_type? src, :class
+      Brakeman.debug "#{name} is not a class, it's a #{src.node_type}"
+      return
+    else
+      @current_class = name
+      process_default src
+    end
+  end
+
   #Processes a class which is probably a controller.
+  #(This method should be retired - only classes should ever be processed
+  # and @current_module will never be set, leading to inaccurate class names)
   def process_class exp
     @current_class = class_name(exp[1])
     if @current_module
-      @current_class = (@current_module + "::" + @current_class.to_s).to_sym
+      @current_class = ("#@current_module::#@current_class").to_sym
     end
 
     process_default exp
@@ -101,7 +113,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       processor = Brakeman::AliasProcessor.new @tracker
       processor.process_safely(method[3])
 
-      ivars = processor.only_ivars.all
+      ivars = processor.only_ivars(:include_request_vars).all
 
       @tracker.filter_cache[[filter[:controller], name]] = ivars
 

data/lib/brakeman/processors/controller_processor.rb

@@ -130,7 +130,13 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     name = exp[2]
 
     if exp[1].node_type == :self
-      target = @controller[:name]
+      if @controller
+        target = @controller[:name]
+      elsif @current_module
+        target = @current_module
+      else
+        target = nil
+      end
     else
       target = class_name exp[1]
     end

data/lib/brakeman/processors/erb_template_processor.rb

@@ -44,7 +44,7 @@ class Brakeman::ErbTemplateProcessor < Brakeman::TemplateProcessor
       end
     elsif target == nil and method == :render
       exp[3] = process(exp[3])
-      make_render exp
+      make_render_in_view exp
     else
       args = exp[3] = process(exp[3])
       call = Sexp.new :call, target, method, args

data/lib/brakeman/processors/erubis_template_processor.rb

@@ -41,7 +41,7 @@ class Brakeman::ErubisTemplateProcessor < Brakeman::TemplateProcessor
       end
     elsif target == nil and method == :render
       exp[3] = process exp[3]
-      make_render exp
+      make_render_in_view exp
     else
       args = exp[3] = process(exp[3])
       call = Sexp.new :call, target, method, args

data/lib/brakeman/processors/haml_template_processor.rb

@@ -92,7 +92,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     elsif target == nil and method == :render
       #Process call to render()
       exp[3] = process exp[3]
-      make_render exp
+      make_render_in_view exp
     else
       args = process exp[3]
       call = Sexp.new :call, target, method, args

data/lib/brakeman/processors/lib/processor_helper.rb

@@ -3,9 +3,19 @@ module Brakeman::ProcessorHelper
 
   #Sets the current module.
   def process_module exp
-    @current_module = class_name(exp[1]).to_s
-    process exp[2] 
-    @current_module = nil
+    module_name = class_name(exp[1]).to_s
+    prev_module = @current_module
+
+    if prev_module
+      @current_module = "#{prev_module}::#{module_name}"
+    else
+      @current_module = module_name
+    end
+
+    process exp[2]
+
+    @current_module = prev_module
+
     exp
   end
 

data/lib/brakeman/processors/lib/render_helper.rb

@@ -11,8 +11,13 @@ module Brakeman::RenderHelper
     when :action
       process_action exp[2][1], exp[3]
     when :default
-      process_template template_name, exp[3]
-    when :partial
+      begin
+        process_template template_name, exp[3]
+      rescue ArgumentError => e
+        Brakeman.debug "Problem processing render: #{exp}"
+        raise e
+      end
+    when :partial, :layout
       process_partial exp[2], exp[3]
     when :nothing
     end
@@ -58,7 +63,7 @@ module Brakeman::RenderHelper
       return 
     end
 
-    template_env = only_ivars
+    template_env = only_ivars(:include_request_vars)
 
     #Hash the environment and the source of the template to avoid
     #pointlessly processing templates, which can become prohibitively
@@ -117,7 +122,7 @@ module Brakeman::RenderHelper
       #Run source through AliasProcessor with instance variables from the
       #current environment.
       #TODO: Add in :locals => { ... } to environment
-      src = Brakeman::TemplateAliasProcessor.new(@tracker, template).process_safely(template[:src], template_env)
+      src = Brakeman::TemplateAliasProcessor.new(@tracker, template, called_from).process_safely(template[:src], template_env)
 
       #Run alias-processed src through the template processor to pull out
       #information and outputs.

data/lib/brakeman/processors/template_alias_processor.rb

@@ -9,14 +9,19 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
 
   FORM_METHODS = Set[:form_for, :remote_form_for, :form_remote_for]
 
-  def initialize tracker, template
-    super()
-    @tracker = tracker
+  def initialize tracker, template, called_from = nil
+    super tracker
     @template = template
+    @called_from = called_from
   end
 
   #Process template
   def process_template name, args
+    if @called_from and @called_from.match(/Template:#{Regexp.escape name}$/)
+      Brakeman.debug "Skipping circular render from #{@template[:name]} to #{name}"
+      return
+    end
+
     super name, args, "Template:#{@template[:name]}"
   end
 

data/lib/brakeman/rescanner.rb

@@ -117,6 +117,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_template path
+    return unless path.match KNOWN_TEMPLATE_EXTENSIONS
+
     template_name = template_path_to_name(path)
 
     tracker.reset_template template_name

data/lib/brakeman/scanner.rb

@@ -13,26 +13,21 @@ begin
   require 'erb'
   require 'erubis'
   require 'brakeman/processor'
+  require 'brakeman/parsers/rails2_erubis'
+  require 'brakeman/parsers/rails2_xss_plugin_erubis'
+  require 'brakeman/parsers/rails3_erubis'
 rescue LoadError => e
   $stderr.puts e.message
   $stderr.puts "Please install the appropriate dependency."
   exit
 end
 
-#Erubis processor which ignores any output which is plain text.
-class Brakeman::ScannerErubis < Erubis::Eruby
-  include Erubis::NoTextEnhancer
-end
-
-class Brakeman::ErubisEscape < Brakeman::ScannerErubis
-  include Erubis::EscapeEnhancer
-end
-
 #Scans the Rails application.
 class Brakeman::Scanner
   attr_reader :options
 
   RUBY_1_9 = !!(RUBY_VERSION =~ /^1\.9/)
+  KNOWN_TEMPLATE_EXTENSIONS = /.*\.(erb|haml|rhtml)$/
 
   #Pass in path to the root of the Rails application
   def initialize options, processor = nil
@@ -71,15 +66,15 @@ class Brakeman::Scanner
     process_initializers
     Brakeman.notify "Processing libs..."
     process_libs
-    Brakeman.notify "Processing routes...        "
+    Brakeman.notify "Processing routes...          "
     process_routes
-    Brakeman.notify "Processing templates...     "
+    Brakeman.notify "Processing templates...       "
     process_templates
-    Brakeman.notify "Processing models...        "
+    Brakeman.notify "Processing models...          "
     process_models
-    Brakeman.notify "Processing controllers...   "
+    Brakeman.notify "Processing controllers...     "
     process_controllers
-    Brakeman.notify "Indexing call sites...      "
+    Brakeman.notify "Indexing call sites...        "
     index_call_sites
     tracker
   end
@@ -215,7 +210,7 @@ class Brakeman::Scanner
     controller_files = Dir.glob(@app_path + "/controllers/**/*.rb").sort
     controller_files.reject! { |f| @skip_files.match f } if @skip_files
 
-    total = controller_files.length * 2
+    total = controller_files.length
     current = 0
 
     controller_files.each do |f|
@@ -240,7 +235,7 @@ class Brakeman::Scanner
         current += 1
       end
 
-      @processor.process_controller_alias controller[:src]
+      @processor.process_controller_alias name, controller[:src]
     end
 
     #No longer need these processed filter methods
@@ -298,7 +293,7 @@ class Brakeman::Scanner
   end
 
   def process_template path
-    type = path.match(/.*\.(erb|haml|rhtml)$/)[1].to_sym
+    type = path.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
     type = :erb if type == :rhtml
     name = template_path_to_name path
     text = File.read path
@@ -308,9 +303,9 @@ class Brakeman::Scanner
         if tracker.config[:escape_html]
           type = :erubis
           if options[:rails3]
-            src = Brakeman::Rails3XSSErubis.new(text).src
+            src = Brakeman::Rails3Erubis.new(text).src
           else
-            src = Brakeman::Rails2XSSErubis.new(text).src
+            src = Brakeman::Rails2XSSPluginErubis.new(text).src
           end
         elsif tracker.config[:erubis]
           type = :erubis
@@ -353,7 +348,7 @@ class Brakeman::Scanner
   #
   #Adds the processed models to tracker.models
   def process_models
-    model_files = Dir.glob(@app_path + "/models/*.rb").sort
+    model_files = Dir.glob(@app_path + "/models/**/*.rb").sort
     model_files.reject! { |f| @skip_files.match f } if @skip_files
 
     total = model_files.length
@@ -389,111 +384,3 @@ class Brakeman::Scanner
     @ruby_parser.new.parse input
   end
 end
-
-#This is from Rails 3 version of the Erubis handler
-class Brakeman::Rails3XSSErubis < ::Erubis::Eruby
-
-  def add_preamble(src)
-    # src << "_buf = ActionView::SafeBuffer.new;\n"
-  end
-
-  #This is different from Rails 3 - fixes some line number issues
-  def add_text(src, text)
-    if text == "\n"
-      src << "\n"
-    elsif text.include? "\n"
-      lines = text.split("\n")
-      if text.match(/\n\z/)
-        lines.each do |line|
-          src << "@output_buffer << ('" << escape_text(line) << "'.html_safe!);\n"
-        end
-      else
-        lines[0..-2].each do |line|
-          src << "@output_buffer << ('" << escape_text(line) << "'.html_safe!);\n"
-        end
-
-        src << "@output_buffer << ('" << escape_text(lines.last) << "'.html_safe!);"
-      end
-    else
-      src << "@output_buffer << ('" << escape_text(text) << "'.html_safe!);"
-    end
-  end
-
-  BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
-
-  def add_expr_literal(src, code)
-    if code =~ BLOCK_EXPR
-      src << '@output_buffer.append= ' << code
-    else
-      src << '@output_buffer.append= (' << code << ');'
-    end
-  end
-
-  def add_stmt(src, code)
-    if code =~ BLOCK_EXPR
-      src << '@output_buffer.append_if_string= ' << code
-    else
-      super
-    end
-  end
-
-  def add_expr_escaped(src, code)
-    if code =~ BLOCK_EXPR
-      src << "@output_buffer.safe_append= " << code
-    else
-      src << "@output_buffer.safe_concat(" << code << ");"
-    end
-  end
-
-  #Add code to output buffer.
-  def add_postamble(src)
-    # src << '_buf.to_s'
-  end
-end
-
-#This is from the rails_xss plugin for Rails 2
-class Brakeman::Rails2XSSErubis < ::Erubis::Eruby
-  def add_preamble(src)
-    #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
-  end
-
-  #This is different from rails_xss - fixes some line number issues
-  def add_text(src, text)
-    if text == "\n"
-      src << "\n"
-    elsif text.include? "\n"
-      lines = text.split("\n")
-      if text.match(/\n\z/)
-        lines.each do |line|
-          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
-        end
-      else
-        lines[0..-2].each do |line|
-          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
-        end
-
-        src << "@output_buffer.safe_concat('" << escape_text(lines.last) << "');"
-      end
-    else
-      src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
-    end
-  end
-
-  BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
-
-  def add_expr_literal(src, code)
-    if code =~ BLOCK_EXPR
-      src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
-    else
-      src << '@output_buffer << ((' << code << ').to_s);'
-    end
-  end
-
-  def add_expr_escaped(src, code)
-    src << '@output_buffer << ' << escaped_expr(code) << ';'
-  end
-
-  def add_postamble(src)
-    #src << '@output_buffer.to_s'
-  end
-end

data/lib/brakeman/util.rb

@@ -80,6 +80,23 @@ module Brakeman::Util
     hash
   end
 
+  #Get value from hash using key.
+  #
+  #If _key_ is a Symbol, it will be converted to a Sexp(:lit, key).
+  def hash_access hash, key
+    if key.is_a? Symbol
+      key = Sexp.new(:lit, key)
+    end
+
+    hash_iterate hash do |k, v|
+      if k == key
+        return v
+      end
+    end
+
+    nil
+  end
+
   #Adds params, session, and cookies to environment
   #so they can be replaced by their respective Sexps.
   def set_env_defaults
@@ -187,6 +204,13 @@ module Brakeman::Util
     call? exp and (exp == REQUEST_ENV or exp[1] == REQUEST_ENV)
   end
 
+  #Check if exp is params, cookies, or request_env
+  def request_value? exp
+    params? exp or
+    cookies? exp or
+    request_env? exp
+  end
+
   #Check if _exp_ is a Sexp.
   def sexp? exp
     exp.is_a? Sexp

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.5.2"
+  Version = "1.5.3"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  hash: 7
+  hash: 5
   prerelease: 
   segments: 
   - 1
   - 5
-  - 2
-  version: 1.5.2
+  - 3
+  version: 1.5.3
 platform: ruby
 authors: 
 - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-03-22 00:00:00 Z
+date: 2012-04-10 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: activesupport
@@ -133,6 +133,7 @@ files:
 - WARNING_TYPES
 - FEATURES
 - README.md
+- lib/brakeman/brakeman.rake
 - lib/ruby_parser/ruby18_parser.rb
 - lib/ruby_parser/ruby_parser_extras.rb
 - lib/ruby_parser/bm_sexp.rb
@@ -193,12 +194,16 @@ files:
 - lib/brakeman/checks/check_file_access.rb
 - lib/brakeman/checks/check_response_splitting.rb
 - lib/brakeman/checks/check_basic_auth.rb
+- lib/brakeman/checks/check_send.rb
 - lib/brakeman/checks/check_redirect.rb
 - lib/brakeman/checks/check_forgery_setting.rb
 - lib/brakeman/checks/check_render.rb
 - lib/brakeman/tracker.rb
 - lib/brakeman/util.rb
 - lib/brakeman/report.rb
+- lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
+- lib/brakeman/parsers/rails2_erubis.rb
 - lib/brakeman/version.rb
 - lib/brakeman/call_index.rb
 - lib/brakeman/options.rb