RubyGems - railroader - Versions diffs - 4.3.4 - Mend

railroader 4.3.4

Files changed (165) hide show

checksums.yaml +7 -0
data/CHANGES.md +1091 -0
data/FEATURES +16 -0
data/README.md +174 -0
data/bin/railroader +8 -0
data/lib/railroader/app_tree.rb +191 -0
data/lib/railroader/call_index.rb +219 -0
data/lib/railroader/checks/base_check.rb +505 -0
data/lib/railroader/checks/check_basic_auth.rb +88 -0
data/lib/railroader/checks/check_basic_auth_timing_attack.rb +33 -0
data/lib/railroader/checks/check_content_tag.rb +200 -0
data/lib/railroader/checks/check_create_with.rb +74 -0
data/lib/railroader/checks/check_cross_site_scripting.rb +381 -0
data/lib/railroader/checks/check_default_routes.rb +86 -0
data/lib/railroader/checks/check_deserialize.rb +56 -0
data/lib/railroader/checks/check_detailed_exceptions.rb +55 -0
data/lib/railroader/checks/check_digest_dos.rb +38 -0
data/lib/railroader/checks/check_divide_by_zero.rb +42 -0
data/lib/railroader/checks/check_dynamic_finders.rb +48 -0
data/lib/railroader/checks/check_escape_function.rb +21 -0
data/lib/railroader/checks/check_evaluation.rb +35 -0
data/lib/railroader/checks/check_execute.rb +189 -0
data/lib/railroader/checks/check_file_access.rb +71 -0
data/lib/railroader/checks/check_file_disclosure.rb +35 -0
data/lib/railroader/checks/check_filter_skipping.rb +31 -0
data/lib/railroader/checks/check_forgery_setting.rb +81 -0
data/lib/railroader/checks/check_header_dos.rb +31 -0
data/lib/railroader/checks/check_i18n_xss.rb +48 -0
data/lib/railroader/checks/check_jruby_xml.rb +36 -0
data/lib/railroader/checks/check_json_encoding.rb +47 -0
data/lib/railroader/checks/check_json_parsing.rb +107 -0
data/lib/railroader/checks/check_link_to.rb +132 -0
data/lib/railroader/checks/check_link_to_href.rb +146 -0
data/lib/railroader/checks/check_mail_to.rb +49 -0
data/lib/railroader/checks/check_mass_assignment.rb +196 -0
data/lib/railroader/checks/check_mime_type_dos.rb +39 -0
data/lib/railroader/checks/check_model_attr_accessible.rb +55 -0
data/lib/railroader/checks/check_model_attributes.rb +119 -0
data/lib/railroader/checks/check_model_serialize.rb +67 -0
data/lib/railroader/checks/check_nested_attributes.rb +38 -0
data/lib/railroader/checks/check_nested_attributes_bypass.rb +58 -0
data/lib/railroader/checks/check_number_to_currency.rb +74 -0
data/lib/railroader/checks/check_permit_attributes.rb +43 -0
data/lib/railroader/checks/check_quote_table_name.rb +40 -0
data/lib/railroader/checks/check_redirect.rb +256 -0
data/lib/railroader/checks/check_regex_dos.rb +68 -0
data/lib/railroader/checks/check_render.rb +97 -0
data/lib/railroader/checks/check_render_dos.rb +37 -0
data/lib/railroader/checks/check_render_inline.rb +53 -0
data/lib/railroader/checks/check_response_splitting.rb +21 -0
data/lib/railroader/checks/check_route_dos.rb +42 -0
data/lib/railroader/checks/check_safe_buffer_manipulation.rb +31 -0
data/lib/railroader/checks/check_sanitize_methods.rb +112 -0
data/lib/railroader/checks/check_secrets.rb +40 -0
data/lib/railroader/checks/check_select_tag.rb +59 -0
data/lib/railroader/checks/check_select_vulnerability.rb +60 -0
data/lib/railroader/checks/check_send.rb +47 -0
data/lib/railroader/checks/check_send_file.rb +19 -0
data/lib/railroader/checks/check_session_manipulation.rb +35 -0
data/lib/railroader/checks/check_session_settings.rb +176 -0
data/lib/railroader/checks/check_simple_format.rb +58 -0
data/lib/railroader/checks/check_single_quotes.rb +101 -0
data/lib/railroader/checks/check_skip_before_filter.rb +60 -0
data/lib/railroader/checks/check_sql.rb +700 -0
data/lib/railroader/checks/check_sql_cves.rb +106 -0
data/lib/railroader/checks/check_ssl_verify.rb +48 -0
data/lib/railroader/checks/check_strip_tags.rb +89 -0
data/lib/railroader/checks/check_symbol_dos.rb +71 -0
data/lib/railroader/checks/check_symbol_dos_cve.rb +30 -0
data/lib/railroader/checks/check_translate_bug.rb +45 -0
data/lib/railroader/checks/check_unsafe_reflection.rb +50 -0
data/lib/railroader/checks/check_unscoped_find.rb +57 -0
data/lib/railroader/checks/check_validation_regex.rb +116 -0
data/lib/railroader/checks/check_weak_hash.rb +148 -0
data/lib/railroader/checks/check_without_protection.rb +80 -0
data/lib/railroader/checks/check_xml_dos.rb +45 -0
data/lib/railroader/checks/check_yaml_parsing.rb +121 -0
data/lib/railroader/checks.rb +209 -0
data/lib/railroader/codeclimate/engine_configuration.rb +97 -0
data/lib/railroader/commandline.rb +179 -0
data/lib/railroader/differ.rb +66 -0
data/lib/railroader/file_parser.rb +54 -0
data/lib/railroader/format/style.css +133 -0
data/lib/railroader/options.rb +339 -0
data/lib/railroader/parsers/rails2_erubis.rb +6 -0
data/lib/railroader/parsers/rails2_xss_plugin_erubis.rb +48 -0
data/lib/railroader/parsers/rails3_erubis.rb +81 -0
data/lib/railroader/parsers/template_parser.rb +108 -0
data/lib/railroader/processor.rb +102 -0
data/lib/railroader/processors/alias_processor.rb +1229 -0
data/lib/railroader/processors/base_processor.rb +295 -0
data/lib/railroader/processors/config_processor.rb +14 -0
data/lib/railroader/processors/controller_alias_processor.rb +278 -0
data/lib/railroader/processors/controller_processor.rb +249 -0
data/lib/railroader/processors/erb_template_processor.rb +77 -0
data/lib/railroader/processors/erubis_template_processor.rb +92 -0
data/lib/railroader/processors/gem_processor.rb +64 -0
data/lib/railroader/processors/haml_template_processor.rb +191 -0
data/lib/railroader/processors/lib/basic_processor.rb +37 -0
data/lib/railroader/processors/lib/call_conversion_helper.rb +90 -0
data/lib/railroader/processors/lib/find_all_calls.rb +224 -0
data/lib/railroader/processors/lib/find_call.rb +183 -0
data/lib/railroader/processors/lib/find_return_value.rb +166 -0
data/lib/railroader/processors/lib/module_helper.rb +111 -0
data/lib/railroader/processors/lib/processor_helper.rb +88 -0
data/lib/railroader/processors/lib/rails2_config_processor.rb +145 -0
data/lib/railroader/processors/lib/rails2_route_processor.rb +313 -0
data/lib/railroader/processors/lib/rails3_config_processor.rb +132 -0
data/lib/railroader/processors/lib/rails3_route_processor.rb +308 -0
data/lib/railroader/processors/lib/render_helper.rb +181 -0
data/lib/railroader/processors/lib/render_path.rb +107 -0
data/lib/railroader/processors/lib/route_helper.rb +68 -0
data/lib/railroader/processors/lib/safe_call_helper.rb +16 -0
data/lib/railroader/processors/library_processor.rb +74 -0
data/lib/railroader/processors/model_processor.rb +91 -0
data/lib/railroader/processors/output_processor.rb +144 -0
data/lib/railroader/processors/route_processor.rb +17 -0
data/lib/railroader/processors/slim_template_processor.rb +111 -0
data/lib/railroader/processors/template_alias_processor.rb +118 -0
data/lib/railroader/processors/template_processor.rb +85 -0
data/lib/railroader/report/config/remediation.yml +71 -0
data/lib/railroader/report/ignore/config.rb +153 -0
data/lib/railroader/report/ignore/interactive.rb +362 -0
data/lib/railroader/report/pager.rb +112 -0
data/lib/railroader/report/renderer.rb +24 -0
data/lib/railroader/report/report_base.rb +292 -0
data/lib/railroader/report/report_codeclimate.rb +79 -0
data/lib/railroader/report/report_csv.rb +55 -0
data/lib/railroader/report/report_hash.rb +23 -0
data/lib/railroader/report/report_html.rb +216 -0
data/lib/railroader/report/report_json.rb +45 -0
data/lib/railroader/report/report_markdown.rb +107 -0
data/lib/railroader/report/report_table.rb +117 -0
data/lib/railroader/report/report_tabs.rb +17 -0
data/lib/railroader/report/report_text.rb +198 -0
data/lib/railroader/report/templates/controller_overview.html.erb +22 -0
data/lib/railroader/report/templates/controller_warnings.html.erb +21 -0
data/lib/railroader/report/templates/error_overview.html.erb +29 -0
data/lib/railroader/report/templates/header.html.erb +58 -0
data/lib/railroader/report/templates/ignored_warnings.html.erb +25 -0
data/lib/railroader/report/templates/model_warnings.html.erb +21 -0
data/lib/railroader/report/templates/overview.html.erb +38 -0
data/lib/railroader/report/templates/security_warnings.html.erb +23 -0
data/lib/railroader/report/templates/template_overview.html.erb +21 -0
data/lib/railroader/report/templates/view_warnings.html.erb +34 -0
data/lib/railroader/report/templates/warning_overview.html.erb +17 -0
data/lib/railroader/report.rb +88 -0
data/lib/railroader/rescanner.rb +483 -0
data/lib/railroader/scanner.rb +321 -0
data/lib/railroader/tracker/collection.rb +93 -0
data/lib/railroader/tracker/config.rb +154 -0
data/lib/railroader/tracker/constants.rb +171 -0
data/lib/railroader/tracker/controller.rb +161 -0
data/lib/railroader/tracker/library.rb +17 -0
data/lib/railroader/tracker/model.rb +90 -0
data/lib/railroader/tracker/template.rb +33 -0
data/lib/railroader/tracker.rb +362 -0
data/lib/railroader/util.rb +503 -0
data/lib/railroader/version.rb +3 -0
data/lib/railroader/warning.rb +294 -0
data/lib/railroader/warning_codes.rb +117 -0
data/lib/railroader.rb +544 -0
data/lib/ruby_parser/bm_sexp.rb +626 -0
data/lib/ruby_parser/bm_sexp_processor.rb +116 -0
metadata +386 -0

data/lib/railroader/options.rb ADDED Viewed

@@ -0,0 +1,339 @@
+require 'optparse'
+require 'set'
+#Parses command line arguments for Railroader
+module Railroader::Options
+  class << self
+    #Parse argument array
+    def parse args
+      get_options args
+    end
+    #Parse arguments and remove them from the array as they are matched
+    def parse! args
+      get_options args, true
+    end
+    #Return hash of options and the parser
+    def get_options args, destructive = false
+      options = {}
+      parser = create_option_parser options
+      if destructive
+        parser.parse! args
+      else
+        parser.parse args
+      end
+      if options[:previous_results_json] and options[:output_files]
+        options[:comparison_output_file] = options[:output_files].shift
+      end
+      return options, parser
+    end
+    def create_option_parser options
+      OptionParser.new do |opts|
+        opts.banner = "Usage: railroader [options] rails/root/path"
+        opts.on "-n", "--no-threads", "Run checks sequentially" do
+          options[:parallel_checks] = false
+        end
+        opts.on "--[no-]progress", "Show progress reports" do |progress|
+          options[:report_progress] = progress
+        end
+        opts.on "-p", "--path PATH", "Specify path to Rails application" do |path|
+          options[:app_path] = path
+        end
+        opts.on "-q", "--[no-]quiet", "Suppress informational messages" do |quiet|
+          options[:quiet] = quiet
+        end
+        opts.on( "-z", "--[no-]exit-on-warn", "Exit code is non-zero if warnings found (Default)") do |exit_on_warn|
+          options[:exit_on_warn] = exit_on_warn
+        end
+        opts.on "--[no-]exit-on-error", "Exit code is non-zero if errors raised (Default)" do |exit_on_error|
+          options[:exit_on_error] = exit_on_error
+        end
+        opts.on "--ensure-latest", "Fail when Railroader is outdated" do
+          options[:ensure_latest] = true
+        end
+        opts.on "-3", "--rails3", "Force Rails 3 mode" do
+          options[:rails3] = true
+        end
+        opts.on "-4", "--rails4", "Force Rails 4 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+        end
+        opts.on "-5", "--rails5", "Force Rails 5 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+          options[:rails5] = true
+        end
+        opts.separator ""
+        opts.separator "Scanning options:"
+        opts.on "-A", "--run-all-checks", "Run all default and optional checks" do
+          options[:run_all_checks] = true
+        end
+        opts.on "-a", "--[no-]assume-routes", "Assume all controller methods are actions (Default)" do |assume|
+          options[:assume_all_routes] = assume
+        end
+        opts.on "-e", "--escape-html", "Escape HTML by default" do
+          options[:escape_html] = true
+        end
+        opts.on "--faster", "Faster, but less accurate scan" do
+          options[:ignore_ifs] = true
+          options[:skip_libs] = true
+          options[:disable_constant_tracking] = true
+        end
+        opts.on "--ignore-model-output", "Consider model attributes XSS-safe" do
+          options[:ignore_model_output] = true
+        end
+        opts.on "--ignore-protected", "Consider models with attr_protected safe" do
+          options[:ignore_attr_protected] = true
+        end
+        opts.on "--[no-]index-libs", "Add libraries to call index (Default)" do |index|
+          options[:index_libs] = index
+        end
+        opts.on "--interprocedural", "Process method calls to known methods" do
+          options[:interprocedural] = true
+        end
+        opts.on "--no-branching", "Disable flow sensitivity on conditionals" do
+          options[:ignore_ifs] = true
+        end
+        opts.on "--branch-limit LIMIT", Integer, "Limit depth of values in branches (-1 for no limit)" do |limit|
+          options[:branch_limit] = limit
+        end
+        opts.on "--parser-timeout SECONDS", Integer, "Set parse timeout (Default: 10)" do |timeout|
+          options[:parser_timeout] = timeout
+        end
+        opts.on "-r", "--report-direct", "Only report direct use of untrusted data" do |option|
+          options[:check_arguments] = !option
+        end
+        opts.on "-s", "--safe-methods meth1,meth2,etc", Array, "Set methods as safe for unescaped output in views" do |methods|
+          options[:safe_methods] ||= Set.new
+          options[:safe_methods].merge methods.map {|e| e.to_sym }
+        end
+        opts.on "--url-safe-methods method1,method2,etc", Array, "Do not warn of XSS if the link_to href parameter is wrapped in a safe method" do |methods|
+          options[:url_safe_methods] ||= Set.new
+          options[:url_safe_methods].merge methods.map {|e| e.to_sym }
+        end
+        opts.on "--skip-files file1,path2,etc", Array, "Skip processing of these files/directories. Directories are application relative and must end in \"#{File::SEPARATOR}\"" do |files|
+          options[:skip_files] ||= Set.new
+          options[:skip_files].merge files
+        end
+        opts.on "--only-files file1,path2,etc", Array, "Process only these files/directories. Directories are application relative and must end in \"#{File::SEPARATOR}\"" do |files|
+          options[:only_files] ||= Set.new
+          options[:only_files].merge files
+        end
+        opts.on "--skip-libs", "Skip processing lib directory" do
+          options[:skip_libs] = true
+        end
+        opts.on "--add-libs-path path1,path2,etc", Array, "An application relative lib directory (ex. app/mailers) to process" do |paths|
+          options[:additional_libs_path] ||= Set.new
+          options[:additional_libs_path].merge paths
+        end
+        opts.on "--add-engines-path path1,path2,etc", Array, "Include these engines in the scan" do |paths|
+          options[:engine_paths] ||= Set.new
+          options[:engine_paths].merge paths
+        end
+        opts.on "-t", "--test Check1,Check2,etc", Array, "Only run the specified checks" do |checks|
+          checks.each_with_index do |s, index|
+            if s[0,5] != "Check"
+              checks[index] = "Check" << s
+            end
+          end
+          options[:run_checks] ||= Set.new
+          options[:run_checks].merge checks
+        end
+        opts.on "-x", "--except Check1,Check2,etc", Array, "Skip the specified checks" do |skip|
+          skip.each do |s|
+            if s[0,5] != "Check"
+              s = "Check" << s
+            end
+            options[:skip_checks] ||= Set.new
+            options[:skip_checks] << s
+          end
+        end
+        opts.on "--add-checks-path path1,path2,etc", Array, "A directory containing additional out-of-tree checks to run" do |paths|
+          options[:additional_checks_path] ||= Set.new
+          options[:additional_checks_path].merge paths.map {|p| File.expand_path p}
+        end
+        opts.separator ""
+        opts.separator "Output options:"
+        opts.on "-d", "--debug", "Lots of output" do
+          options[:debug] = true
+        end
+        opts.on "-f",
+          "--format TYPE",
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table],
+          "Specify output formats. Default is text" do |type|
+          type = "s" if type == :text
+          options[:output_format] = ("to_" << type.to_s).to_sym
+        end
+        opts.on "--css-file CSSFile", "Specify CSS to use for HTML output" do |file|
+          options[:html_style] = File.expand_path file
+        end
+        opts.on "-i IGNOREFILE", "--ignore-config IGNOREFILE", "Use configuration to ignore warnings" do |file|
+          options[:ignore_file] = file
+        end
+        opts.on "-I", "--interactive-ignore", "Interactively ignore warnings" do
+          options[:interactive_ignore] = true
+        end
+        opts.on "-l", "--[no-]combine-locations", "Combine warning locations (Default)" do |combine|
+          options[:combine_locations] = combine
+        end
+        opts.on "--[no-]highlights", "Highlight user input in report" do |highlight|
+          options[:highlight_user_input] = highlight
+        end
+        opts.on "--[no-]color", "Use ANSI colors in report (Default)" do |color|
+          if color
+            options[:output_color] = :force
+          else
+            options[:output_color] = color
+          end
+        end
+        opts.on "-m", "--routes", "Report controller information" do
+          options[:report_routes] = true
+        end
+        opts.on "--message-limit LENGTH", "Limit message length in HTML report" do |limit|
+          options[:message_limit] = limit.to_i
+        end
+        opts.on "--[no-]pager", "Use pager for output to terminal (Default)" do |pager|
+          options[:pager] = pager
+        end
+        opts.on "--table-width WIDTH", "Limit table width in text report" do |width|
+          options[:table_width] = width.to_i
+        end
+        opts.on "-o", "--output FILE", "Specify files for output. Defaults to stdout. Multiple '-o's allowed" do |file|
+          options[:output_files] ||= []
+          options[:output_files].push(file)
+        end
+        opts.on "--[no-]separate-models", "Warn on each model without attr_accessible (Default)" do |separate|
+          options[:collapse_mass_assignment] = !separate
+        end
+        opts.on "--[no-]summary", "Only output summary of warnings" do |summary_only|
+          if summary_only
+            options[:summary_only] = :summary_only
+          else
+            options[:summary_only] = :no_summary
+          end
+        end
+        opts.on "--absolute-paths", "Output absolute file paths in reports" do
+          options[:absolute_paths] = true
+        end
+        opts.on "--github-repo USER/REPO[/PATH][@REF]", "Output links to GitHub in markdown and HTML reports using specified repo" do |repo|
+          options[:github_repo] = repo
+        end
+        opts.on "-w",
+          "--confidence-level LEVEL",
+          ["1", "2", "3"],
+          "Set minimal confidence level (1 - 3)" do |level|
+          options[:min_confidence] =  3 - level.to_i
+        end
+        opts.on "--compare FILE", "Compare the results of a previous Railroader scan (only JSON is supported)" do |file|
+          options[:previous_results_json] = File.expand_path(file)
+        end
+        opts.separator ""
+        opts.separator "Configuration files:"
+        opts.on "-c", "--config-file FILE", "Use specified configuration file" do |file|
+          options[:config_file] = File.expand_path(file)
+        end
+        opts.on "-C", "--create-config [FILE]", "Output configuration file based on options" do |file|
+          if file
+            options[:create_config] = file
+          else
+            options[:create_config] = true
+          end
+        end
+        opts.on "--allow-check-paths-in-config", "Allow loading checks from configuration file (Unsafe)" do
+          options[:allow_check_paths_in_config] = true
+        end
+        opts.separator ""
+        opts.on "-k", "--checks", "List all available vulnerability checks" do
+          options[:list_checks] = true
+        end
+        opts.on "--optional-checks", "List optional checks" do
+          options[:list_optional_checks] = true
+        end
+        opts.on "-v", "--version", "Show Railroader version" do
+          options[:show_version] = true
+        end
+        opts.on "--force-scan", "Scan application even if rails is not detected" do
+          options[:force_scan] = true
+        end
+        opts.on_tail "-h", "--help", "Display this message" do
+          options[:show_help] = true
+        end
+      end
+    end
+  end
+end

data/lib/railroader/parsers/rails2_erubis.rb ADDED Viewed

@@ -0,0 +1,6 @@
+Railroader.load_railroader_dependency 'erubis'
+#Erubis processor which ignores any output which is plain text.
+class Railroader::ScannerErubis < Erubis::Eruby
+  include Erubis::NoTextEnhancer
+end

data/lib/railroader/parsers/rails2_xss_plugin_erubis.rb ADDED Viewed

@@ -0,0 +1,48 @@
+Railroader.load_railroader_dependency 'erubis'
+#This is from the rails_xss plugin for Rails 2
+class Railroader::Rails2XSSPluginErubis < ::Erubis::Eruby
+  def add_preamble(src)
+    #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
+  end
+  #This is different from rails_xss - fixes some line number issues
+  def add_text(src, text)
+    if text == "\n"
+      src << "\n"
+    elsif text.include? "\n"
+      lines = text.split("\n")
+      if text.match(/\n\z/)
+        lines.each do |line|
+          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
+        end
+      else
+        lines[0..-2].each do |line|
+          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
+        end
+        src << "@output_buffer.safe_concat('" << escape_text(lines.last) << "');"
+      end
+    else
+      src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
+    end
+  end
+  BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
+  def add_expr_literal(src, code)
+    if code =~ BLOCK_EXPR
+      src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
+    else
+      src << '@output_buffer << ((' << code << ').to_s);'
+    end
+  end
+  def add_expr_escaped(src, code)
+    src << '@output_buffer << ' << escaped_expr(code) << ';'
+  end
+  def add_postamble(src)
+    #src << '@output_buffer.to_s'
+  end
+end

data/lib/railroader/parsers/rails3_erubis.rb ADDED Viewed

@@ -0,0 +1,81 @@
+Railroader.load_railroader_dependency 'erubis'
+# This is from Rails 5 version of the Erubis handler
+# https://github.com/rails/rails/blob/ec608107801b1e505db03ba76bae4a326a5804ca/actionview/lib/action_view/template/handlers/erb.rb#L7-L73
+class Railroader::Rails3Erubis < ::Erubis::Eruby
+  def add_preamble(src)
+    @newline_pending = 0
+    src << "@output_buffer = output_buffer || ActionView::OutputBuffer.new;"
+  end
+  def add_text(src, text)
+    return if text.empty?
+    if text == "\n"
+      @newline_pending += 1
+    else
+      src << "@output_buffer.safe_append='"
+      src << "\n" * @newline_pending if @newline_pending > 0
+      src << escape_text(text)
+      src << "'.freeze;"
+      @newline_pending = 0
+    end
+  end
+  # Erubis toggles <%= and <%== behavior when escaping is enabled.
+  # We override to always treat <%== as escaped.
+  def add_expr(src, code, indicator)
+    case indicator
+    when '=='
+      add_expr_escaped(src, code)
+    else
+      super
+    end
+  end
+  BLOCK_EXPR = /\s*((\s+|\))do|\{)(\s*\|[^|]*\|)?\s*\Z/
+  def add_expr_literal(src, code)
+    flush_newline_if_pending(src)
+    if code =~ BLOCK_EXPR
+      src << '@output_buffer.append= ' << code
+    else
+      src << '@output_buffer.append=(' << code << ');'
+    end
+  end
+  def add_expr_escaped(src, code)
+    flush_newline_if_pending(src)
+    if code =~ BLOCK_EXPR
+      src << "@output_buffer.safe_expr_append= " << code
+    else
+      src << "@output_buffer.safe_expr_append=(" << code << ");"
+    end
+  end
+  def add_stmt(src, code)
+    flush_newline_if_pending(src)
+    super
+  end
+  def add_postamble(src)
+    flush_newline_if_pending(src)
+    src << '@output_buffer.to_s'
+  end
+  def flush_newline_if_pending(src)
+    if @newline_pending > 0
+      src << "@output_buffer.safe_append='#{"\n" * @newline_pending}'.freeze;"
+      @newline_pending = 0
+    end
+  end
+  # This is borrowed from graphql's erb plugin:
+  # https://github.com/github/graphql-client/blob/51e76bd8d8b2ac0021d8fef7468b9a294e4bd6e8/lib/graphql/client/erubis.rb#L33-L38
+  def convert_input(src, input)
+    input = input.gsub(/<%graphql/, "<%#")
+    super(src, input)
+  end
+end

data/lib/railroader/parsers/template_parser.rb ADDED Viewed

@@ -0,0 +1,108 @@
+module Railroader
+  class TemplateParser
+    include Railroader::Util
+    attr_reader :tracker
+    KNOWN_TEMPLATE_EXTENSIONS = /.*\.(erb|haml|rhtml|slim)$/
+    TemplateFile = Struct.new(:path, :ast, :name, :type)
+    def initialize tracker, file_parser
+      @tracker = tracker
+      @file_parser = file_parser
+      @file_parser.file_list[:templates] ||= []
+    end
+    def parse_template path, text
+      type = path.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
+      type = :erb if type == :rhtml
+      name = template_path_to_name path
+      Railroader.debug "Parsing #{path}"
+      begin
+        src = case type
+              when :erb
+                type = :erubis if erubis?
+                parse_erb path, text
+              when :haml
+                parse_haml path, text
+              when :slim
+                parse_slim path, text
+              else
+                tracker.error "Unknown template type in #{path}"
+                nil
+              end
+        if src and ast = @file_parser.parse_ruby(src, path)
+          @file_parser.file_list[:templates] << TemplateFile.new(path, ast, name, type)
+        end
+      rescue Racc::ParseError => e
+        tracker.error e, "Could not parse #{path}"
+      rescue StandardError, LoadError => e
+        tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
+      end
+      nil
+    end
+    def parse_erb path, text
+      if tracker.config.escape_html?
+        if tracker.options[:rails3]
+          require 'railroader/parsers/rails3_erubis'
+          Railroader::Rails3Erubis.new(text, :filename => path).src
+        else
+          require 'railroader/parsers/rails2_xss_plugin_erubis'
+          Railroader::Rails2XSSPluginErubis.new(text, :filename => path).src
+        end
+      elsif tracker.config.erubis?
+        require 'railroader/parsers/rails2_erubis'
+        Railroader::ScannerErubis.new(text, :filename => path).src
+      else
+        require 'erb'
+        src = if ERB.instance_method(:initialize).parameters.assoc(:key) # Ruby 2.6+
+          ERB.new(text, trim_mode: path).src
+        else
+          ERB.new(text, nil, path).src
+        end
+        src.sub!(/^#.*\n/, '') if Railroader::Scanner::RUBY_1_9
+        src
+      end
+    end
+    def erubis?
+      tracker.config.escape_html? or
+        tracker.config.erubis?
+    end
+    def parse_haml path, text
+      Railroader.load_railroader_dependency 'haml'
+      Railroader.load_railroader_dependency 'sass'
+      Haml::Engine.new(text,
+                       :filename => path,
+                       :escape_html => tracker.config.escape_html?).precompiled.gsub(/([^\\])\\n/, '\1')
+    rescue Haml::Error => e
+      tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
+      nil
+    rescue Sass::SyntaxError => e
+      tracker.error e, "While processing #{path}"
+      nil
+    end
+    def parse_slim path, text
+      Railroader.load_railroader_dependency 'slim'
+      Slim::Template.new(path,
+                         :disable_capture => true,
+                         :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
+    end
+    def self.parse_inline_erb tracker, text
+      fp = Railroader::FileParser.new(tracker, nil)
+      tp = self.new(tracker, fp)
+      src = tp.parse_erb '_inline_', text
+      type = tp.erubis? ? :erubis : :erb
+      return type, fp.parse_ruby(src, "_inline_")
+    end
+  end
+end

data/lib/railroader/processor.rb ADDED Viewed

@@ -0,0 +1,102 @@
+#Load all files in processors/
+Dir.glob("#{File.expand_path(File.dirname(__FILE__))}/processors/*.rb").each { |f| require f.match(/railroader\/processors.*/)[0] }
+require 'railroader/tracker'
+require 'set'
+require 'pathname'
+module Railroader
+  #Makes calls to the appropriate processor.
+  #
+  #The ControllerProcessor, TemplateProcessor, and ModelProcessor will
+  #update the Tracker with information about what is parsed.
+  class Processor
+    include Util
+    def initialize(app_tree, options)
+      @app_tree = app_tree
+      @tracker = Tracker.new(@app_tree, self, options)
+    end
+    def tracked_events
+      @tracker
+    end
+    #Process configuration file source
+    def process_config src, file_name
+      ConfigProcessor.new(@tracker).process_config src, file_name
+    end
+    #Process Gemfile
+    def process_gems gem_files
+      GemProcessor.new(@tracker).process_gems gem_files
+    end
+    #Process route file source
+    def process_routes src
+      RoutesProcessor.new(@tracker).process_routes src
+    end
+    #Process controller source. +file_name+ is used for reporting
+    def process_controller src, file_name
+      if contains_class? src
+        ControllerProcessor.new(@app_tree, @tracker).process_controller src, file_name
+      else
+        LibraryProcessor.new(@tracker).process_library src, file_name
+      end
+    end
+    #Process variable aliasing in controller source and save it in the
+    #tracker.
+    def process_controller_alias name, src, only_method = nil, file = nil
+      ControllerAliasProcessor.new(@app_tree, @tracker, only_method).process_controller name, src, file
+    end
+    #Process a model source
+    def process_model src, file_name
+      result = ModelProcessor.new(@tracker).process_model src, file_name
+      AliasProcessor.new(@tracker).process result if result
+    end
+    #Process either an ERB or HAML template
+    def process_template name, src, type, called_from = nil, file_name = nil
+      case type
+      when :erb
+        result = ErbTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :haml
+        result = HamlTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :erubis
+        result = ErubisTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :slim
+        result = SlimTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      else
+        abort "Unknown template type: #{type} (#{name})"
+      end
+      #Each template which is rendered is stored separately
+      #with a new name.
+      if called_from
+        name = ("#{name}.#{called_from}").to_sym
+      end
+      @tracker.templates[name].src = result
+      @tracker.templates[name].type = type
+    end
+    #Process any calls to render() within a template
+    def process_template_alias template
+      TemplateAliasProcessor.new(@tracker, template).process_safely template.src
+    end
+    #Process source for initializing files
+    def process_initializer file_name, src
+      res = BaseProcessor.new(@tracker).process_file src, file_name
+      res = AliasProcessor.new(@tracker).process_safely res, nil, file_name
+      @tracker.initializers[Pathname.new(file_name).basename.to_s] = res
+    end
+    #Process source for a library file
+    def process_lib src, file_name
+      LibraryProcessor.new(@tracker).process_library src, file_name
+    end
+  end
+end