brakeman 1.6.0 → 1.6.1

data/README.md

@@ -1,3 +1,7 @@
+![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)
+
+![Travis CI Status](https://secure.travis-ci.org/presidentbeef/brakeman.png)
+
 # Brakeman
 
 Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.

data/lib/brakeman/checks/base_check.rb

@@ -120,13 +120,28 @@ class Brakeman::BaseCheck < SexpProcessor
   end
 
   #Checks if the model inherits from parent,
-  def parent? model, parent
+  def ancestor? model, parent
     if model == nil
       false
     elsif model[:parent] == parent
       true
     elsif model[:parent]
-      parent? tracker.models[model[:parent]], parent
+      ancestor? tracker.models[model[:parent]], parent
+    else
+      false
+    end
+  end
+
+  def unprotected_model? model
+    model[:attr_accessible].nil? and !parent_classes_protected?(model) and ancestor?(model, :"ActiveRecord::Base")
+  end
+
+  # go up the chain of parent classes to see if any have attr_accessible
+  def parent_classes_protected? model
+    if model[:attr_accessible]
+      true
+    elsif parent = tracker.models[model[:parent]]
+      parent_classes_protected? parent
     else
       false
     end

data/lib/brakeman/checks/check_basic_auth.rb

@@ -23,7 +23,6 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
           warn :controller => name,
               :warning_type => "Basic Auth", 
               :message => "Basic authentication password stored in source code",
-              :line => call.line,
               :code => call, 
               :confidence => 0
 

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -100,7 +100,6 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       warn :template => @current_template, 
         :warning_type => "Cross Site Scripting",
         :message => message,
-        :line => input.match.line,
         :code => input.match,
         :confidence => CONFIDENCE[:high]
 
@@ -120,7 +119,6 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         warn :template => @current_template,
           :warning_type => "Cross Site Scripting", 
           :message => "Unescaped model attribute",
-          :line => code.line,
           :code => code,
           :confidence => confidence
       end
@@ -184,7 +182,6 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
           warn :template => @current_template,
             :warning_type => "Cross Site Scripting", 
             :message => message,
-            :line => exp.line,
             :code => exp,
             :user_input => @matched.match,
             :confidence => confidence

data/lib/brakeman/checks/check_execute.rb

@@ -52,7 +52,6 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       warn :result => result,
         :warning_type => "Command Injection", 
         :message => "Possible command injection",
-        :line => call.line,
         :code => call,
         :user_input => failure.match,
         :confidence => confidence
@@ -86,7 +85,6 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 
     warning = { :warning_type => "Command Injection",
       :message => "Possible command injection",
-      :line => exp.line,
       :code => exp,
       :user_input => user_input,
       :confidence => confidence }

data/lib/brakeman/checks/check_file_access.rb

@@ -47,7 +47,6 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
           :warning_type => "File Access",
           :message => message, 
           :confidence => CONFIDENCE[:high],
-          :line => call.line,
           :code => call,
           :user_input => input.match
       end

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -14,7 +14,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
     models = []
     tracker.models.each do |name, m|
-      if parent?(m, :"ActiveRecord::Base") and m[:attr_accessible].nil?
+      if unprotected_model? m
         models << name
       end
     end
@@ -68,7 +68,6 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
       warn :result => res, 
         :warning_type => "Mass Assignment", 
         :message => "Unprotected mass assignment",
-        :line => call.line,
         :code => call, 
         :user_input => user_input,
         :confidence => confidence

data/lib/brakeman/checks/check_model_attributes.rb

@@ -62,7 +62,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
 
   def check_models
     tracker.models.each do |name, model|
-      if model[:attr_accessible].nil? and parent? model, :"ActiveRecord::Base"
+      if unprotected_model? model
         yield name, model
       end
     end

data/lib/brakeman/checks/check_redirect.rb

@@ -37,7 +37,6 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
       warn :result => result,
         :warning_type => "Redirect",
         :message => "Possible unprotected redirect",
-        :line => call.line,
         :code => call,
         :user_input => res.match,
         :confidence => confidence

data/lib/brakeman/checks/check_skip_before_filter.rb

@@ -27,7 +27,6 @@ class Brakeman::CheckSkipBeforeFilter < Brakeman::BaseCheck
       warn :class => controller[:name],
         :warning_type => "Cross-Site Request Forgery",
         :message => "Use whitelist (:only => [..]) when skipping CSRF check",
-        :line => filter.line,
         :code => filter,
         :confidence => CONFIDENCE[:med]
     end

data/lib/brakeman/checks/check_sql.rb

@@ -16,10 +16,11 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   def run_check
     @rails_version = tracker.config[:rails_version]
 
+    @sql_targets = [:all, :average, :calculate, :count, :count_by_sql, :exists?,
+      :find, :find_by_sql, :first, :last, :maximum, :minimum, :sum]
+
     if tracker.options[:rails3]
-      @sql_targets = /^(find|find_by_sql|last|first|all|count|sum|average|minumum|maximum|count_by_sql|where|order|group|having)$/
-    else
-      @sql_targets = /^(find|find_by_sql|last|first|all|count|sum|average|minumum|maximum|count_by_sql)$/
+      @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where]
     end
 
     Brakeman.debug "Finding possible SQL calls on models"
@@ -90,7 +91,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       find_calls.process_source block, model_name, scope_name
 
       find_calls.calls.each do |call|
-        if call[:method].to_s =~ @sql_targets
+        if @sql_targets.include? call[:method]
           process_result call
         end
       end
@@ -99,35 +100,82 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
   end
 
-  #Process result from Tracker#find_call.
+  #Process possible SQL injection sites:
+  #
+  # Model#find
+  #
+  # Model#(named_)scope
+  #
+  # Model#(find|count)_by_sql
+  #
+  # Model#all
+  #
+  ### Rails 3
+  #
+  # Model#(where|having)
+  # Model#(order|group)
+  #
+  ### Find Options Hash
+  #
+  # Dangerous keys that accept SQL:
+  #
+  # * conditions
+  # * order
+  # * having
+  # * joins
+  # * select
+  # * from
+  # * lock
+  #
   def process_result result
-    #TODO: I don't like this method at all. It's a pain to figure out what
-    #it is actually doing...
+    return if duplicate? result or result[:call].original_line
 
     call = result[:call]
-
+    method = call[2]
     args = call[3]
 
-    if call[2] == :find_by_sql or call[2] == :count_by_sql
-      failed = check_arguments args[1]
-    elsif call[2].to_s =~ /^find/
-      failed = (args.length > 2 and check_arguments args[-1])
-    elsif tracker.options[:rails3] and result[:method] != :scope
-      #This is for things like where("query = ?")
-      failed = check_arguments args[1]
-    else
-      failed = (args.length > 1 and check_arguments args[-1])
-    end
-
-    if failed and not call.original_line and not duplicate? result
+    dangerous_value = case method
+                      when :find
+                        check_find_arguments args[2]
+                      when :exists?
+                        check_find_arguments args[1]
+                      when :named_scope, :scope
+                        check_scope_arguments args
+                      when :find_by_sql, :count_by_sql
+                        check_by_sql_arguments args[1]
+                      when :calculate
+                        check_find_arguments args[3]
+                      when :last, :first, :all
+                        check_find_arguments args[1]
+                      when :average, :count, :maximum, :minimum, :sum
+                        if args.length > 2
+                          unsafe_sql?(args[1]) or check_find_arguments(args[-1])
+                        else
+                          check_find_arguments args[-1]
+                        end
+                      when :where, :having
+                        check_query_arguments args
+                      when :order, :group, :reorder
+                        check_order_arguments args
+                      when :joins
+                        check_joins_arguments args[1]
+                      when :from, :select
+                        unsafe_sql? args[1]
+                      when :lock
+                        check_lock_arguments args[1]
+                      else
+                        Brakeman.debug "Unhandled SQL method: #{method}"
+                      end
+
+    if dangerous_value
       add_result result
 
-      if input = include_user_input?(args[-1])
+      if input = include_user_input?(dangerous_value)
         confidence = CONFIDENCE[:high]
         user_input = input.match
       else
         confidence = CONFIDENCE[:med]
-        user_input = nil
+        user_input = dangerous_value
       end
 
       warn :result => result,
@@ -144,34 +192,137 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         confidence = CONFIDENCE[:low]
       end
 
-      warn :result => result, 
-        :warning_type => "SQL Injection", 
+      warn :result => result,
+        :warning_type => "SQL Injection",
         :message => "Upgrade to Rails >= 2.1.2 to escape :limit and :offset. Possible SQL injection",
         :confidence => confidence
     end
   end
 
-  private
+  #The 'find' methods accept a number of different types of parameters:
+  #
+  # * The first argument might be :all, :first, or :last
+  # * The first argument might be an integer ID or an array of IDs
+  # * The second argument might be a hash of options, some of which are
+  #   dangerous and some of which are not
+  # * The second argument might contain SQL fragments as values
+  # * The second argument might contain properly parameterized SQL fragments in arrays
+  # * The second argument might contain improperly parameterized SQL fragments in arrays
+  #
+  #This method should only be passed the second argument.
+  def check_find_arguments arg
+    if not sexp? arg or node_type? arg, :lit, :string, :str, :true, :false, :nil
+      return nil
+    end
 
-  #Check arguments for any string interpolation
-  def check_arguments arg
-    if sexp? arg
-      case arg.node_type
-      when :hash
-        hash_iterate(arg) do |key, value|
-          if check_arguments value
-            return true
-          end
-        end
-      when :array
-        return check_arguments(arg[1])
-      when :string_interp, :dstr
-        return true if check_string_interp arg
-      when :call
-        return check_call(arg)
+    unsafe_sql? arg
+  end
+
+  def check_scope_arguments args
+    return unless node_type? args, :arglist
+
+    if node_type? args[2], :iter
+      unsafe_sql? args[2][-1]
+    else
+      unsafe_sql? args[2]
+    end
+  end
+
+  def check_query_arguments arg
+    return unless sexp? arg
+
+    if node_type? arg, :arglist
+      if arg.length > 2 and node_type? arg[1], :string_interp, :dstr
+        # Model.where("blah = ?", blah)
+        return string_interp arg[1]
       else
-        return arg.any? do |a|
-          check_arguments(a)
+        arg = arg[1]
+      end
+    end
+
+    if request_value? arg
+      # Model.where(params[:where])
+      arg
+    elsif hash? arg
+      #This is generally going to be a hash of column names and values, which
+      #would escape the values. But the keys _could_ be user input.
+      check_hash_keys arg
+    elsif node_type? arg, :lit, :str
+      nil
+    else
+      #Hashes are safe...but we check above for hash, so...?
+      unsafe_sql? arg, :ignore_hash
+    end
+  end
+
+  #Checks each argument to order/reorder/group for possible SQL.
+  #Anything used with these methods is passed in verbatim.
+  def check_order_arguments args
+    return unless sexp? args
+
+    if node_type? args, :arglist
+      args.each do |arg|
+        if unsafe_arg = unsafe_sql?(arg)
+          return unsafe_arg
+        end
+      end
+
+      nil
+    else
+      unsafe_sql? args
+    end
+  end
+
+  #find_by_sql and count_by_sql can take either a straight SQL string
+  #or an array with values to bind.
+  def check_by_sql_arguments arg
+    return unless sexp? arg
+
+    #This is kind of necessary, because unsafe_sql? will handle an array
+    #correctly, but might be better to be explicit.
+    if array? arg
+      unsafe_sql? arg[1]
+    else
+      unsafe_sql? arg
+    end
+  end
+
+  #joins can take a string, hash of associations, or an array of both(?)
+  #We only care about the possible string values.
+  def check_joins_arguments arg
+    return unless sexp? arg and not node_type? arg, :hash, :string, :str
+
+    if array? arg
+      arg.each do |a|
+        if unsafe = check_joins_arguments(a)
+          return unsafe
+        end
+      end
+
+      nil
+    else
+      unsafe_sql? arg
+    end
+  end
+
+  #Model#lock essentially only cares about strings. But those strings can be
+  #any SQL fragment. This does not apply to all databases. (For those who do not
+  #support it, the lock method does nothing).
+  def check_lock_arguments arg
+    return unless sexp? arg and not node_type? arg, :hash, :array, :string, :str
+
+    unsafe_sql? arg, :ignore_hash
+  end
+
+
+  #Check hash keys for user input.
+  #(Seems unlikely, but if a user can control the column names queried, that
+  #could be bad)
+  def check_hash_keys exp
+    hash_iterate(exp) do |key, value|
+      unless symbol? key
+        if unsafe_key = unsafe_sql?(value)
+          return unsafe_key
         end
       end
     end
@@ -179,35 +330,169 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     false
   end
 
+  #Check an interpolated string for dangerous values.
+  #
+  #This method assumes values interpolated into strings are unsafe by default,
+  #unless safe_value? explicitly returns true.
   def check_string_interp arg
     arg.each do |exp|
-      #For now, don't warn on interpolation of Model.table_name
-      #but check for other 'safe' things in the future
-      if node_type? exp, :string_eval, :evstr
-        if call? exp[1] and (model_name?(exp[1][1]) or exp[1][1].nil?) and exp[1][2] == :table_name
-          return false
+      if node_type?(exp, :string_eval, :evstr) and not safe_value? exp[1]
+        return exp[1]
+      end
+    end
+
+    nil
+  end
+
+  #Checks the given expression for unsafe SQL values. If an unsafe value is
+  #found, returns that value (may be the given _exp_ or a subexpression).
+  #
+  #Otherwise, returns false/nil.
+  def unsafe_sql? exp, ignore_hash = false
+    return unless sexp? exp
+
+    dangerous_value = find_dangerous_value exp, ignore_hash
+
+    if safe_value? dangerous_value
+      false
+    else
+      dangerous_value
+    end
+  end
+
+  #Check _exp_ for dangerous values. Used by unsafe_sql?
+  def find_dangerous_value exp, ignore_hash
+    case exp.node_type
+    when :lit, :str, :const, :colon2, :true, :false, :nil
+      nil
+    when :array
+      #Assume this is an array like
+      #
+      #  ["blah = ? AND thing = ?", ...]
+      #
+      #and check first value
+
+      unsafe_sql? exp[1]
+    when :string_interp, :dstr
+      check_string_interp exp
+    when :hash
+      check_hash_values exp unless ignore_hash
+    when :if
+      unsafe_sql? exp[2] or unsafe_sql? exp[3]
+    when :call
+      unless IGNORE_METHODS_IN_SQL.include? exp[2]
+        if has_immediate_user_input? exp or has_immediate_model? exp
+          exp
+        else
+          check_call exp
         end
       end
+    when :or
+      if unsafe = (unsafe_sql?(exp[1]) || unsafe_sql?(exp[2]))
+        return unsafe
+      else
+        nil
+      end
+    when :block, :rlist
+      unsafe_sql? exp[-1]
+    else
+      if has_immediate_user_input? exp or has_immediate_model? exp
+        exp
+      else
+        nil
+      end
     end
   end
 
-  #Check call for user input and string building
-  def check_call exp
+  #Checks hash values associated with these keys:
+  #
+  # * conditions
+  # * order
+  # * having
+  # * joins
+  # * select
+  # * from
+  # * lock
+  def check_hash_values exp
+    hash_iterate(exp) do |key, value|
+      if symbol? key
+        unsafe = case key[1]
+                 when :conditions, :having, :select
+                   check_query_arguments value
+                 when :order, :group
+                   check_order_arguments value
+                 when :joins
+                   check_joins_arguments value
+                 when :lock
+                   check_lock_arguments value
+                 when :from
+                   unsafe_sql? value
+                 else
+                   nil
+                 end
+
+        return unsafe if unsafe
+      end
+    end
+
+    false
+  end
+
+  STRING_METHODS = Set[:<<, :+, :concat, :prepend]
+
+  def check_for_string_building exp
+    return unless call? exp
+
     target = exp[1]
     method = exp[2]
     args = exp[3]
 
-    if sexp? target and 
-      (method == :+ or method == :<< or method == :concat) and 
-      (string? target or include_user_input? exp)
+    if string? target or string? args[1]
+      if STRING_METHODS.include? method
+        return exp
+      end
+    elsif STRING_METHODS.include? method and call? target
+      unsafe_sql? target
+    end
+  end
 
+  IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :to_i, :to_f,
+    :sanitize_sql, :sanitize_sql_array, :sanitize_sql_for_assignment,
+    :sanitize_sql_for_conditions, :sanitize_sql_hash,
+    :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions]
+
+  def safe_value? exp
+    return true unless sexp? exp
+
+    case exp.node_type
+    when :str, :lit, :const, :colon2, :nil, :true, :false
       true
+    when :call
+      IGNORE_METHODS_IN_SQL.include? exp[2]
+    when :if
+      safe_value? exp[2] and safe_value? exp[3]
+    when :block, :rlist
+      safe_value? exp[-1]
+    when :or
+      safe_value? exp[1] and safe_value? exp[2]
+    else
+      false
+    end
+  end
+
+  #Check call for string building
+  def check_call exp
+    return unless call? exp
+
+    target = exp[1]
+    args = exp[3]
+
+    if unsafe = check_for_string_building(exp)
+      unsafe
     elsif call? target
       check_call target
-    elsif target == nil and tracker.options[:rails3] and method.to_s.match(/^first|last|all|where|order|group|having$/)
-      check_arguments args
     else
-      false
+      nil
     end
   end
 
@@ -218,7 +503,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   def check_for_limit_or_offset_vulnerability options
     return false if @rails_version.nil? or @rails_version >= "2.1.1" or not hash? options
 
-    if hash_access(options, :limit) or hash_access(options[:offset])
+    if hash_access(options, :limit) or hash_access(options, :offset)
       return true
     end
 
@@ -231,7 +516,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   #
   # s(:call,
   #   s(:call,
-  #     s(:call, 
+  #     s(:call,
   #       s(:call, nil, :params, s(:arglist)),
   #       :[],
   #       s(:arglist, s(:lit, :x))),

data/lib/brakeman/checks/check_without_protection.rb

@@ -16,7 +16,7 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
 
     models = []
     tracker.models.each do |name, m|
-      if parent? m, :"ActiveRecord::Base"
+      if ancestor? m, :"ActiveRecord::Base"
         models << name
       end
     end
@@ -59,7 +59,6 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
           warn :result => res, 
             :warning_type => "Mass Assignment", 
             :message => "Unprotected mass assignment",
-            :line => call.line,
             :code => call, 
             :user_input => user_input,
             :confidence => confidence

data/lib/brakeman/processor.rb

@@ -10,6 +10,8 @@ module Brakeman
   #The ControllerProcessor, TemplateProcessor, and ModelProcessor will
   #update the Tracker with information about what is parsed.
   class Processor
+    include Util
+
     def initialize options
       @tracker = Tracker.new self, options
     end
@@ -35,7 +37,11 @@ module Brakeman
 
     #Process controller source. +file_name+ is used for reporting
     def process_controller src, file_name
-      ControllerProcessor.new(@tracker).process_controller src, file_name
+      if contains_class? src
+        ControllerProcessor.new(@tracker).process_controller src, file_name
+      else
+        LibraryProcessor.new(@tracker).process_library src, file_name
+      end
     end
 
     #Process variable aliasing in controller source and save it in the

data/lib/brakeman/processors/base_processor.rb

@@ -251,7 +251,7 @@ class Brakeman::BaseProcessor < SexpProcessor
       value = args[1]
     end
 
-    types_in_hash = Set[:action, :file, :inline, :js, :json, :nothing, :partial, :text, :update, :xml]
+    types_in_hash = Set[:action, :file, :inline, :js, :json, :nothing, :partial, :template, :text, :update, :xml]
 
     #render :layout => "blah" means something else when in a template
     if in_view

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -24,7 +24,41 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       return
     else
       @current_class = name
+
       process_default src
+
+      process_mixins
+    end
+  end
+
+  #Process modules mixed into the controller, in case they contain actions.
+  def process_mixins
+    controller = @tracker.controllers[@current_class]
+
+    controller[:includes].each do |i|
+      mixin = @tracker.libs[i]
+
+      next unless mixin
+
+      #Process methods in alphabetical order for consistency
+      methods = mixin[:public].keys.map { |n| n.to_s }.sort.map { |n| n.to_sym }
+
+      methods.each do |name|
+        #Need to process the method like it was in a controller in order
+        #to get the renders set
+        processor = Brakeman::ControllerProcessor.new(@tracker)
+        method = mixin[:public][name]
+
+        if node_type? method, :methdef
+          method = processor.process_defn method
+        else
+          #Should be a methdef, but this will catch other cases
+          method = processor.process method
+        end
+
+        #Then process it like any other method in the controller
+        process method
+      end
     end
   end
 

data/lib/brakeman/processors/lib/render_helper.rb

@@ -8,7 +8,7 @@ module Brakeman::RenderHelper
     process_default exp
     @rendered = true
     case exp[1]
-    when :action
+    when :action, :template
       process_action exp[2][1], exp[3]
     when :default
       begin

data/lib/brakeman/report.rb

@@ -505,7 +505,7 @@ class Brakeman::Report
     message = CGI.escapeHTML(message)
 
     if @highlight_user_input and warning.user_input
-      user_input = warning.format_user_input
+      user_input = CGI.escapeHTML(warning.format_user_input)
 
       message.gsub!(user_input, "<span class=\"user_input\">#{user_input}</span>")
     end

data/lib/brakeman/rescanner.rb

@@ -127,7 +127,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_template path
-    return unless path.match KNOWN_TEMPLATE_EXTENSIONS
+    return unless path.match KNOWN_TEMPLATE_EXTENSIONS and File.exist? path
 
     template_name = template_path_to_name(path)
 

data/lib/brakeman/util.rb

@@ -219,6 +219,25 @@ module Brakeman::Util
     exp.is_a? Sexp and types.include? exp.node_type
   end
 
+  #Returns true if the given _exp_ contains a :class node.
+  #
+  #Useful for checking if a module is just a module or if it is a namespace.
+  def contains_class? exp
+    todo = [exp]
+
+    until todo.empty?
+      current = todo.shift
+
+      if node_type? current, :class
+        return true
+      elsif sexp? current
+        todo = current[1..-1].concat todo
+      end
+    end
+
+    false
+  end
+
   #Return file name related to given warning. Uses +warning.file+ if it exists
   def file_for warning, tracker = nil
     if tracker.nil?

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.6.0"
+  Version = "1.6.1"
 end

data/lib/brakeman/warning.rb

@@ -29,8 +29,12 @@ class Brakeman::Warning
       end
     end
 
-    if @code and not @line and @code.respond_to? :line
-      @line = @code.line
+    if not @line
+      if @user_input and @user_input.respond_to? :line
+        @line = @user_input.line
+      elsif @code and @code.respond_to? :line
+        @line = @code.line
+      end
     end
 
     unless @warning_set

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  hash: 15
+  hash: 13
   prerelease: 
   segments: 
   - 1
   - 6
-  - 0
-  version: 1.6.0
+  - 1
+  version: 1.6.1
 platform: ruby
 authors: 
 - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-04-20 00:00:00 Z
+date: 2012-05-23 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: activesupport
@@ -166,6 +166,20 @@ dependencies:
         version: "3.0"
   type: :runtime
   version_requirements: *id010
+- !ruby/object:Gem::Dependency 
+  name: json_pure
+  prerelease: false
+  requirement: &id011 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id011
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
 email: 
 executables: 
@@ -298,7 +312,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.8.15
+rubygems_version: 1.8.23
 signing_key: 
 specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.