RubyGems - railroader - Versions diffs - 4.3.4 - Mend

railroader 4.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (165) hide show

checksums.yaml +7 -0
data/CHANGES.md +1091 -0
data/FEATURES +16 -0
data/README.md +174 -0
data/bin/railroader +8 -0
data/lib/railroader/app_tree.rb +191 -0
data/lib/railroader/call_index.rb +219 -0
data/lib/railroader/checks/base_check.rb +505 -0
data/lib/railroader/checks/check_basic_auth.rb +88 -0
data/lib/railroader/checks/check_basic_auth_timing_attack.rb +33 -0
data/lib/railroader/checks/check_content_tag.rb +200 -0
data/lib/railroader/checks/check_create_with.rb +74 -0
data/lib/railroader/checks/check_cross_site_scripting.rb +381 -0
data/lib/railroader/checks/check_default_routes.rb +86 -0
data/lib/railroader/checks/check_deserialize.rb +56 -0
data/lib/railroader/checks/check_detailed_exceptions.rb +55 -0
data/lib/railroader/checks/check_digest_dos.rb +38 -0
data/lib/railroader/checks/check_divide_by_zero.rb +42 -0
data/lib/railroader/checks/check_dynamic_finders.rb +48 -0
data/lib/railroader/checks/check_escape_function.rb +21 -0
data/lib/railroader/checks/check_evaluation.rb +35 -0
data/lib/railroader/checks/check_execute.rb +189 -0
data/lib/railroader/checks/check_file_access.rb +71 -0
data/lib/railroader/checks/check_file_disclosure.rb +35 -0
data/lib/railroader/checks/check_filter_skipping.rb +31 -0
data/lib/railroader/checks/check_forgery_setting.rb +81 -0
data/lib/railroader/checks/check_header_dos.rb +31 -0
data/lib/railroader/checks/check_i18n_xss.rb +48 -0
data/lib/railroader/checks/check_jruby_xml.rb +36 -0
data/lib/railroader/checks/check_json_encoding.rb +47 -0
data/lib/railroader/checks/check_json_parsing.rb +107 -0
data/lib/railroader/checks/check_link_to.rb +132 -0
data/lib/railroader/checks/check_link_to_href.rb +146 -0
data/lib/railroader/checks/check_mail_to.rb +49 -0
data/lib/railroader/checks/check_mass_assignment.rb +196 -0
data/lib/railroader/checks/check_mime_type_dos.rb +39 -0
data/lib/railroader/checks/check_model_attr_accessible.rb +55 -0
data/lib/railroader/checks/check_model_attributes.rb +119 -0
data/lib/railroader/checks/check_model_serialize.rb +67 -0
data/lib/railroader/checks/check_nested_attributes.rb +38 -0
data/lib/railroader/checks/check_nested_attributes_bypass.rb +58 -0
data/lib/railroader/checks/check_number_to_currency.rb +74 -0
data/lib/railroader/checks/check_permit_attributes.rb +43 -0
data/lib/railroader/checks/check_quote_table_name.rb +40 -0
data/lib/railroader/checks/check_redirect.rb +256 -0
data/lib/railroader/checks/check_regex_dos.rb +68 -0
data/lib/railroader/checks/check_render.rb +97 -0
data/lib/railroader/checks/check_render_dos.rb +37 -0
data/lib/railroader/checks/check_render_inline.rb +53 -0
data/lib/railroader/checks/check_response_splitting.rb +21 -0
data/lib/railroader/checks/check_route_dos.rb +42 -0
data/lib/railroader/checks/check_safe_buffer_manipulation.rb +31 -0
data/lib/railroader/checks/check_sanitize_methods.rb +112 -0
data/lib/railroader/checks/check_secrets.rb +40 -0
data/lib/railroader/checks/check_select_tag.rb +59 -0
data/lib/railroader/checks/check_select_vulnerability.rb +60 -0
data/lib/railroader/checks/check_send.rb +47 -0
data/lib/railroader/checks/check_send_file.rb +19 -0
data/lib/railroader/checks/check_session_manipulation.rb +35 -0
data/lib/railroader/checks/check_session_settings.rb +176 -0
data/lib/railroader/checks/check_simple_format.rb +58 -0
data/lib/railroader/checks/check_single_quotes.rb +101 -0
data/lib/railroader/checks/check_skip_before_filter.rb +60 -0
data/lib/railroader/checks/check_sql.rb +700 -0
data/lib/railroader/checks/check_sql_cves.rb +106 -0
data/lib/railroader/checks/check_ssl_verify.rb +48 -0
data/lib/railroader/checks/check_strip_tags.rb +89 -0
data/lib/railroader/checks/check_symbol_dos.rb +71 -0
data/lib/railroader/checks/check_symbol_dos_cve.rb +30 -0
data/lib/railroader/checks/check_translate_bug.rb +45 -0
data/lib/railroader/checks/check_unsafe_reflection.rb +50 -0
data/lib/railroader/checks/check_unscoped_find.rb +57 -0
data/lib/railroader/checks/check_validation_regex.rb +116 -0
data/lib/railroader/checks/check_weak_hash.rb +148 -0
data/lib/railroader/checks/check_without_protection.rb +80 -0
data/lib/railroader/checks/check_xml_dos.rb +45 -0
data/lib/railroader/checks/check_yaml_parsing.rb +121 -0
data/lib/railroader/checks.rb +209 -0
data/lib/railroader/codeclimate/engine_configuration.rb +97 -0
data/lib/railroader/commandline.rb +179 -0
data/lib/railroader/differ.rb +66 -0
data/lib/railroader/file_parser.rb +54 -0
data/lib/railroader/format/style.css +133 -0
data/lib/railroader/options.rb +339 -0
data/lib/railroader/parsers/rails2_erubis.rb +6 -0
data/lib/railroader/parsers/rails2_xss_plugin_erubis.rb +48 -0
data/lib/railroader/parsers/rails3_erubis.rb +81 -0
data/lib/railroader/parsers/template_parser.rb +108 -0
data/lib/railroader/processor.rb +102 -0
data/lib/railroader/processors/alias_processor.rb +1229 -0
data/lib/railroader/processors/base_processor.rb +295 -0
data/lib/railroader/processors/config_processor.rb +14 -0
data/lib/railroader/processors/controller_alias_processor.rb +278 -0
data/lib/railroader/processors/controller_processor.rb +249 -0
data/lib/railroader/processors/erb_template_processor.rb +77 -0
data/lib/railroader/processors/erubis_template_processor.rb +92 -0
data/lib/railroader/processors/gem_processor.rb +64 -0
data/lib/railroader/processors/haml_template_processor.rb +191 -0
data/lib/railroader/processors/lib/basic_processor.rb +37 -0
data/lib/railroader/processors/lib/call_conversion_helper.rb +90 -0
data/lib/railroader/processors/lib/find_all_calls.rb +224 -0
data/lib/railroader/processors/lib/find_call.rb +183 -0
data/lib/railroader/processors/lib/find_return_value.rb +166 -0
data/lib/railroader/processors/lib/module_helper.rb +111 -0
data/lib/railroader/processors/lib/processor_helper.rb +88 -0
data/lib/railroader/processors/lib/rails2_config_processor.rb +145 -0
data/lib/railroader/processors/lib/rails2_route_processor.rb +313 -0
data/lib/railroader/processors/lib/rails3_config_processor.rb +132 -0
data/lib/railroader/processors/lib/rails3_route_processor.rb +308 -0
data/lib/railroader/processors/lib/render_helper.rb +181 -0
data/lib/railroader/processors/lib/render_path.rb +107 -0
data/lib/railroader/processors/lib/route_helper.rb +68 -0
data/lib/railroader/processors/lib/safe_call_helper.rb +16 -0
data/lib/railroader/processors/library_processor.rb +74 -0
data/lib/railroader/processors/model_processor.rb +91 -0
data/lib/railroader/processors/output_processor.rb +144 -0
data/lib/railroader/processors/route_processor.rb +17 -0
data/lib/railroader/processors/slim_template_processor.rb +111 -0
data/lib/railroader/processors/template_alias_processor.rb +118 -0
data/lib/railroader/processors/template_processor.rb +85 -0
data/lib/railroader/report/config/remediation.yml +71 -0
data/lib/railroader/report/ignore/config.rb +153 -0
data/lib/railroader/report/ignore/interactive.rb +362 -0
data/lib/railroader/report/pager.rb +112 -0
data/lib/railroader/report/renderer.rb +24 -0
data/lib/railroader/report/report_base.rb +292 -0
data/lib/railroader/report/report_codeclimate.rb +79 -0
data/lib/railroader/report/report_csv.rb +55 -0
data/lib/railroader/report/report_hash.rb +23 -0
data/lib/railroader/report/report_html.rb +216 -0
data/lib/railroader/report/report_json.rb +45 -0
data/lib/railroader/report/report_markdown.rb +107 -0
data/lib/railroader/report/report_table.rb +117 -0
data/lib/railroader/report/report_tabs.rb +17 -0
data/lib/railroader/report/report_text.rb +198 -0
data/lib/railroader/report/templates/controller_overview.html.erb +22 -0
data/lib/railroader/report/templates/controller_warnings.html.erb +21 -0
data/lib/railroader/report/templates/error_overview.html.erb +29 -0
data/lib/railroader/report/templates/header.html.erb +58 -0
data/lib/railroader/report/templates/ignored_warnings.html.erb +25 -0
data/lib/railroader/report/templates/model_warnings.html.erb +21 -0
data/lib/railroader/report/templates/overview.html.erb +38 -0
data/lib/railroader/report/templates/security_warnings.html.erb +23 -0
data/lib/railroader/report/templates/template_overview.html.erb +21 -0
data/lib/railroader/report/templates/view_warnings.html.erb +34 -0
data/lib/railroader/report/templates/warning_overview.html.erb +17 -0
data/lib/railroader/report.rb +88 -0
data/lib/railroader/rescanner.rb +483 -0
data/lib/railroader/scanner.rb +321 -0
data/lib/railroader/tracker/collection.rb +93 -0
data/lib/railroader/tracker/config.rb +154 -0
data/lib/railroader/tracker/constants.rb +171 -0
data/lib/railroader/tracker/controller.rb +161 -0
data/lib/railroader/tracker/library.rb +17 -0
data/lib/railroader/tracker/model.rb +90 -0
data/lib/railroader/tracker/template.rb +33 -0
data/lib/railroader/tracker.rb +362 -0
data/lib/railroader/util.rb +503 -0
data/lib/railroader/version.rb +3 -0
data/lib/railroader/warning.rb +294 -0
data/lib/railroader/warning_codes.rb +117 -0
data/lib/railroader.rb +544 -0
data/lib/ruby_parser/bm_sexp.rb +626 -0
data/lib/ruby_parser/bm_sexp_processor.rb +116 -0
metadata +386 -0

data/lib/railroader/options.rb ADDED Viewed

@@ -0,0 +1,339 @@
+require 'optparse'
+require 'set'
+#Parses command line arguments for Railroader
+module Railroader::Options
+  class << self
+    #Parse argument array
+    def parse args
+      get_options args
+    end
+    #Parse arguments and remove them from the array as they are matched
+    def parse! args
+      get_options args, true
+    end
+    #Return hash of options and the parser
+    def get_options args, destructive = false
+      options = {}
+      parser = create_option_parser options
+      if destructive
+        parser.parse! args
+      else
+        parser.parse args
+      end
+      if options[:previous_results_json] and options[:output_files]
+        options[:comparison_output_file] = options[:output_files].shift
+      end
+      return options, parser
+    end
+    def create_option_parser options
+      OptionParser.new do |opts|
+        opts.banner = "Usage: railroader [options] rails/root/path"
+        opts.on "-n", "--no-threads", "Run checks sequentially" do
+          options[:parallel_checks] = false
+        end
+        opts.on "--[no-]progress", "Show progress reports" do |progress|
+          options[:report_progress] = progress
+        end
+        opts.on "-p", "--path PATH", "Specify path to Rails application" do |path|
+          options[:app_path] = path
+        end
+        opts.on "-q", "--[no-]quiet", "Suppress informational messages" do |quiet|
+          options[:quiet] = quiet
+        end
+        opts.on( "-z", "--[no-]exit-on-warn", "Exit code is non-zero if warnings found (Default)") do |exit_on_warn|
+          options[:exit_on_warn] = exit_on_warn
+        end
+        opts.on "--[no-]exit-on-error", "Exit code is non-zero if errors raised (Default)" do |exit_on_error|
+          options[:exit_on_error] = exit_on_error
+        end
+        opts.on "--ensure-latest", "Fail when Railroader is outdated" do
+          options[:ensure_latest] = true
+        end
+        opts.on "-3", "--rails3", "Force Rails 3 mode" do
+          options[:rails3] = true
+        end
+        opts.on "-4", "--rails4", "Force Rails 4 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+        end
+        opts.on "-5", "--rails5", "Force Rails 5 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+          options[:rails5] = true
+        end
+        opts.separator ""
+        opts.separator "Scanning options:"
+        opts.on "-A", "--run-all-checks", "Run all default and optional checks" do
+          options[:run_all_checks] = true
+        end
+        opts.on "-a", "--[no-]assume-routes", "Assume all controller methods are actions (Default)" do |assume|
+          options[:assume_all_routes] = assume
+        end
+        opts.on "-e", "--escape-html", "Escape HTML by default" do
+          options[:escape_html] = true
+        end
+        opts.on "--faster", "Faster, but less accurate scan" do
+          options[:ignore_ifs] = true
+          options[:skip_libs] = true
+          options[:disable_constant_tracking] = true
+        end
+        opts.on "--ignore-model-output", "Consider model attributes XSS-safe" do
+          options[:ignore_model_output] = true
+        end
+        opts.on "--ignore-protected", "Consider models with attr_protected safe" do
+          options[:ignore_attr_protected] = true
+        end
+        opts.on "--[no-]index-libs", "Add libraries to call index (Default)" do |index|
+          options[:index_libs] = index
+        end
+        opts.on "--interprocedural", "Process method calls to known methods" do
+          options[:interprocedural] = true
+        end
+        opts.on "--no-branching", "Disable flow sensitivity on conditionals" do
+          options[:ignore_ifs] = true
+        end
+        opts.on "--branch-limit LIMIT", Integer, "Limit depth of values in branches (-1 for no limit)" do |limit|
+          options[:branch_limit] = limit
+        end
+        opts.on "--parser-timeout SECONDS", Integer, "Set parse timeout (Default: 10)" do |timeout|
+          options[:parser_timeout] = timeout
+        end
+        opts.on "-r", "--report-direct", "Only report direct use of untrusted data" do |option|
+          options[:check_arguments] = !option
+        end
+        opts.on "-s", "--safe-methods meth1,meth2,etc", Array, "Set methods as safe for unescaped output in views" do |methods|
+          options[:safe_methods] ||= Set.new
+          options[:safe_methods].merge methods.map {|e| e.to_sym }
+        end
+        opts.on "--url-safe-methods method1,method2,etc", Array, "Do not warn of XSS if the link_to href parameter is wrapped in a safe method" do |methods|
+          options[:url_safe_methods] ||= Set.new
+          options[:url_safe_methods].merge methods.map {|e| e.to_sym }
+        end
+        opts.on "--skip-files file1,path2,etc", Array, "Skip processing of these files/directories. Directories are application relative and must end in \"#{File::SEPARATOR}\"" do |files|
+          options[:skip_files] ||= Set.new
+          options[:skip_files].merge files
+        end
+        opts.on "--only-files file1,path2,etc", Array, "Process only these files/directories. Directories are application relative and must end in \"#{File::SEPARATOR}\"" do |files|
+          options[:only_files] ||= Set.new
+          options[:only_files].merge files
+        end
+        opts.on "--skip-libs", "Skip processing lib directory" do
+          options[:skip_libs] = true
+        end
+        opts.on "--add-libs-path path1,path2,etc", Array, "An application relative lib directory (ex. app/mailers) to process" do |paths|
+          options[:additional_libs_path] ||= Set.new
+          options[:additional_libs_path].merge paths
+        end
+        opts.on "--add-engines-path path1,path2,etc", Array, "Include these engines in the scan" do |paths|
+          options[:engine_paths] ||= Set.new
+          options[:engine_paths].merge paths
+        end
+        opts.on "-t", "--test Check1,Check2,etc", Array, "Only run the specified checks" do |checks|
+          checks.each_with_index do |s, index|
+            if s[0,5] != "Check"
+              checks[index] = "Check" << s
+            end
+          end
+          options[:run_checks] ||= Set.new
+          options[:run_checks].merge checks
+        end
+        opts.on "-x", "--except Check1,Check2,etc", Array, "Skip the specified checks" do |skip|
+          skip.each do |s|
+            if s[0,5] != "Check"
+              s = "Check" << s
+            end
+            options[:skip_checks] ||= Set.new
+            options[:skip_checks] << s
+          end
+        end
+        opts.on "--add-checks-path path1,path2,etc", Array, "A directory containing additional out-of-tree checks to run" do |paths|
+          options[:additional_checks_path] ||= Set.new
+          options[:additional_checks_path].merge paths.map {|p| File.expand_path p}
+        end
+        opts.separator ""
+        opts.separator "Output options:"
+        opts.on "-d", "--debug", "Lots of output" do
+          options[:debug] = true
+        end
+        opts.on "-f",
+          "--format TYPE",
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table],
+          "Specify output formats. Default is text" do |type|
+          type = "s" if type == :text
+          options[:output_format] = ("to_" << type.to_s).to_sym
+        end
+        opts.on "--css-file CSSFile", "Specify CSS to use for HTML output" do |file|
+          options[:html_style] = File.expand_path file
+        end
+        opts.on "-i IGNOREFILE", "--ignore-config IGNOREFILE", "Use configuration to ignore warnings" do |file|
+          options[:ignore_file] = file
+        end
+        opts.on "-I", "--interactive-ignore", "Interactively ignore warnings" do
+          options[:interactive_ignore] = true
+        end
+        opts.on "-l", "--[no-]combine-locations", "Combine warning locations (Default)" do |combine|
+          options[:combine_locations] = combine
+        end
+        opts.on "--[no-]highlights", "Highlight user input in report" do |highlight|
+          options[:highlight_user_input] = highlight
+        end
+        opts.on "--[no-]color", "Use ANSI colors in report (Default)" do |color|
+          if color
+            options[:output_color] = :force
+          else
+            options[:output_color] = color
+          end
+        end
+        opts.on "-m", "--routes", "Report controller information" do
+          options[:report_routes] = true
+        end
+        opts.on "--message-limit LENGTH", "Limit message length in HTML report" do |limit|
+          options[:message_limit] = limit.to_i
+        end
+        opts.on "--[no-]pager", "Use pager for output to terminal (Default)" do |pager|
+          options[:pager] = pager
+        end
+        opts.on "--table-width WIDTH", "Limit table width in text report" do |width|
+          options[:table_width] = width.to_i
+        end
+        opts.on "-o", "--output FILE", "Specify files for output. Defaults to stdout. Multiple '-o's allowed" do |file|
+          options[:output_files] ||= []
+          options[:output_files].push(file)
+        end
+        opts.on "--[no-]separate-models", "Warn on each model without attr_accessible (Default)" do |separate|
+          options[:collapse_mass_assignment] = !separate
+        end
+        opts.on "--[no-]summary", "Only output summary of warnings" do |summary_only|
+          if summary_only
+            options[:summary_only] = :summary_only
+          else
+            options[:summary_only] = :no_summary
+          end
+        end
+        opts.on "--absolute-paths", "Output absolute file paths in reports" do
+          options[:absolute_paths] = true
+        end
+        opts.on "--github-repo USER/REPO[/PATH][@REF]", "Output links to GitHub in markdown and HTML reports using specified repo" do |repo|
+          options[:github_repo] = repo
+        end
+        opts.on "-w",
+          "--confidence-level LEVEL",
+          ["1", "2", "3"],
+          "Set minimal confidence level (1 - 3)" do |level|
+          options[:min_confidence] =  3 - level.to_i
+        end
+        opts.on "--compare FILE", "Compare the results of a previous Railroader scan (only JSON is supported)" do |file|
+          options[:previous_results_json] = File.expand_path(file)
+        end
+        opts.separator ""
+        opts.separator "Configuration files:"
+        opts.on "-c", "--config-file FILE", "Use specified configuration file" do |file|
+          options[:config_file] = File.expand_path(file)
+        end
+        opts.on "-C", "--create-config [FILE]", "Output configuration file based on options" do |file|
+          if file
+            options[:create_config] = file
+          else
+            options[:create_config] = true
+          end
+        end
+        opts.on "--allow-check-paths-in-config", "Allow loading checks from configuration file (Unsafe)" do
+          options[:allow_check_paths_in_config] = true
+        end
+        opts.separator ""
+        opts.on "-k", "--checks", "List all available vulnerability checks" do
+          options[:list_checks] = true
+        end
+        opts.on "--optional-checks", "List optional checks" do
+          options[:list_optional_checks] = true
+        end
+        opts.on "-v", "--version", "Show Railroader version" do
+          options[:show_version] = true
+        end
+        opts.on "--force-scan", "Scan application even if rails is not detected" do
+          options[:force_scan] = true
+        end
+        opts.on_tail "-h", "--help", "Display this message" do
+          options[:show_help] = true
+        end
+      end
+    end
+  end
+end

data/lib/railroader/parsers/rails2_erubis.rb ADDED Viewed

@@ -0,0 +1,6 @@
+Railroader.load_railroader_dependency 'erubis'
+#Erubis processor which ignores any output which is plain text.
+class Railroader::ScannerErubis < Erubis::Eruby
+  include Erubis::NoTextEnhancer
+end

data/lib/railroader/parsers/rails2_xss_plugin_erubis.rb ADDED Viewed

@@ -0,0 +1,48 @@
+Railroader.load_railroader_dependency 'erubis'
+#This is from the rails_xss plugin for Rails 2
+class Railroader::Rails2XSSPluginErubis < ::Erubis::Eruby
+  def add_preamble(src)
+    #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
+  end
+  #This is different from rails_xss - fixes some line number issues
+  def add_text(src, text)
+    if text == "\n"
+      src << "\n"
+    elsif text.include? "\n"
+      lines = text.split("\n")
+      if text.match(/\n\z/)
+        lines.each do |line|
+          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
+        end
+      else
+        lines[0..-2].each do |line|
+          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
+        end
+        src << "@output_buffer.safe_concat('" << escape_text(lines.last) << "');"
+      end
+    else
+      src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
+    end
+  end
+  BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
+  def add_expr_literal(src, code)
+    if code =~ BLOCK_EXPR
+      src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
+    else
+      src << '@output_buffer << ((' << code << ').to_s);'
+    end
+  end
+  def add_expr_escaped(src, code)
+    src << '@output_buffer << ' << escaped_expr(code) << ';'
+  end
+  def add_postamble(src)
+    #src << '@output_buffer.to_s'
+  end
+end

data/lib/railroader/parsers/rails3_erubis.rb ADDED Viewed

@@ -0,0 +1,81 @@
+Railroader.load_railroader_dependency 'erubis'
+# This is from Rails 5 version of the Erubis handler
+# https://github.com/rails/rails/blob/ec608107801b1e505db03ba76bae4a326a5804ca/actionview/lib/action_view/template/handlers/erb.rb#L7-L73
+class Railroader::Rails3Erubis < ::Erubis::Eruby
+  def add_preamble(src)
+    @newline_pending = 0
+    src << "@output_buffer = output_buffer || ActionView::OutputBuffer.new;"
+  end
+  def add_text(src, text)
+    return if text.empty?
+    if text == "\n"
+      @newline_pending += 1
+    else
+      src << "@output_buffer.safe_append='"
+      src << "\n" * @newline_pending if @newline_pending > 0
+      src << escape_text(text)
+      src << "'.freeze;"
+      @newline_pending = 0
+    end
+  end
+  # Erubis toggles <%= and <%== behavior when escaping is enabled.
+  # We override to always treat <%== as escaped.
+  def add_expr(src, code, indicator)
+    case indicator
+    when '=='
+      add_expr_escaped(src, code)
+    else
+      super
+    end
+  end
+  BLOCK_EXPR = /\s*((\s+|\))do|\{)(\s*\|[^|]*\|)?\s*\Z/
+  def add_expr_literal(src, code)
+    flush_newline_if_pending(src)
+    if code =~ BLOCK_EXPR
+      src << '@output_buffer.append= ' << code
+    else
+      src << '@output_buffer.append=(' << code << ');'
+    end
+  end
+  def add_expr_escaped(src, code)
+    flush_newline_if_pending(src)
+    if code =~ BLOCK_EXPR
+      src << "@output_buffer.safe_expr_append= " << code
+    else
+      src << "@output_buffer.safe_expr_append=(" << code << ");"
+    end
+  end
+  def add_stmt(src, code)
+    flush_newline_if_pending(src)
+    super
+  end
+  def add_postamble(src)
+    flush_newline_if_pending(src)
+    src << '@output_buffer.to_s'
+  end
+  def flush_newline_if_pending(src)
+    if @newline_pending > 0
+      src << "@output_buffer.safe_append='#{"\n" * @newline_pending}'.freeze;"
+      @newline_pending = 0
+    end
+  end
+  # This is borrowed from graphql's erb plugin:
+  # https://github.com/github/graphql-client/blob/51e76bd8d8b2ac0021d8fef7468b9a294e4bd6e8/lib/graphql/client/erubis.rb#L33-L38
+  def convert_input(src, input)
+    input = input.gsub(/<%graphql/, "<%#")
+    super(src, input)
+  end
+end

data/lib/railroader/parsers/template_parser.rb ADDED Viewed

@@ -0,0 +1,108 @@
+module Railroader
+  class TemplateParser
+    include Railroader::Util
+    attr_reader :tracker
+    KNOWN_TEMPLATE_EXTENSIONS = /.*\.(erb|haml|rhtml|slim)$/
+    TemplateFile = Struct.new(:path, :ast, :name, :type)
+    def initialize tracker, file_parser
+      @tracker = tracker
+      @file_parser = file_parser
+      @file_parser.file_list[:templates] ||= []
+    end
+    def parse_template path, text
+      type = path.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
+      type = :erb if type == :rhtml
+      name = template_path_to_name path
+      Railroader.debug "Parsing #{path}"
+      begin
+        src = case type
+              when :erb
+                type = :erubis if erubis?
+                parse_erb path, text
+              when :haml
+                parse_haml path, text
+              when :slim
+                parse_slim path, text
+              else
+                tracker.error "Unknown template type in #{path}"
+                nil
+              end
+        if src and ast = @file_parser.parse_ruby(src, path)
+          @file_parser.file_list[:templates] << TemplateFile.new(path, ast, name, type)
+        end
+      rescue Racc::ParseError => e
+        tracker.error e, "Could not parse #{path}"
+      rescue StandardError, LoadError => e
+        tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
+      end
+      nil
+    end
+    def parse_erb path, text
+      if tracker.config.escape_html?
+        if tracker.options[:rails3]
+          require 'railroader/parsers/rails3_erubis'
+          Railroader::Rails3Erubis.new(text, :filename => path).src
+        else
+          require 'railroader/parsers/rails2_xss_plugin_erubis'
+          Railroader::Rails2XSSPluginErubis.new(text, :filename => path).src
+        end
+      elsif tracker.config.erubis?
+        require 'railroader/parsers/rails2_erubis'
+        Railroader::ScannerErubis.new(text, :filename => path).src
+      else
+        require 'erb'
+        src = if ERB.instance_method(:initialize).parameters.assoc(:key) # Ruby 2.6+
+          ERB.new(text, trim_mode: path).src
+        else
+          ERB.new(text, nil, path).src
+        end
+        src.sub!(/^#.*\n/, '') if Railroader::Scanner::RUBY_1_9
+        src
+      end
+    end
+    def erubis?
+      tracker.config.escape_html? or
+        tracker.config.erubis?
+    end
+    def parse_haml path, text
+      Railroader.load_railroader_dependency 'haml'
+      Railroader.load_railroader_dependency 'sass'
+      Haml::Engine.new(text,
+                       :filename => path,
+                       :escape_html => tracker.config.escape_html?).precompiled.gsub(/([^\\])\\n/, '\1')
+    rescue Haml::Error => e
+      tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
+      nil
+    rescue Sass::SyntaxError => e
+      tracker.error e, "While processing #{path}"
+      nil
+    end
+    def parse_slim path, text
+      Railroader.load_railroader_dependency 'slim'
+      Slim::Template.new(path,
+                         :disable_capture => true,
+                         :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
+    end
+    def self.parse_inline_erb tracker, text
+      fp = Railroader::FileParser.new(tracker, nil)
+      tp = self.new(tracker, fp)
+      src = tp.parse_erb '_inline_', text
+      type = tp.erubis? ? :erubis : :erb
+      return type, fp.parse_ruby(src, "_inline_")
+    end
+  end
+end

data/lib/railroader/processor.rb ADDED Viewed

@@ -0,0 +1,102 @@
+#Load all files in processors/
+Dir.glob("#{File.expand_path(File.dirname(__FILE__))}/processors/*.rb").each { |f| require f.match(/railroader\/processors.*/)[0] }
+require 'railroader/tracker'
+require 'set'
+require 'pathname'
+module Railroader
+  #Makes calls to the appropriate processor.
+  #
+  #The ControllerProcessor, TemplateProcessor, and ModelProcessor will
+  #update the Tracker with information about what is parsed.
+  class Processor
+    include Util
+    def initialize(app_tree, options)
+      @app_tree = app_tree
+      @tracker = Tracker.new(@app_tree, self, options)
+    end
+    def tracked_events
+      @tracker
+    end
+    #Process configuration file source
+    def process_config src, file_name
+      ConfigProcessor.new(@tracker).process_config src, file_name
+    end
+    #Process Gemfile
+    def process_gems gem_files
+      GemProcessor.new(@tracker).process_gems gem_files
+    end
+    #Process route file source
+    def process_routes src
+      RoutesProcessor.new(@tracker).process_routes src
+    end
+    #Process controller source. +file_name+ is used for reporting
+    def process_controller src, file_name
+      if contains_class? src
+        ControllerProcessor.new(@app_tree, @tracker).process_controller src, file_name
+      else
+        LibraryProcessor.new(@tracker).process_library src, file_name
+      end
+    end
+    #Process variable aliasing in controller source and save it in the
+    #tracker.
+    def process_controller_alias name, src, only_method = nil, file = nil
+      ControllerAliasProcessor.new(@app_tree, @tracker, only_method).process_controller name, src, file
+    end
+    #Process a model source
+    def process_model src, file_name
+      result = ModelProcessor.new(@tracker).process_model src, file_name
+      AliasProcessor.new(@tracker).process result if result
+    end
+    #Process either an ERB or HAML template
+    def process_template name, src, type, called_from = nil, file_name = nil
+      case type
+      when :erb
+        result = ErbTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :haml
+        result = HamlTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :erubis
+        result = ErubisTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :slim
+        result = SlimTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      else
+        abort "Unknown template type: #{type} (#{name})"
+      end
+      #Each template which is rendered is stored separately
+      #with a new name.
+      if called_from
+        name = ("#{name}.#{called_from}").to_sym
+      end
+      @tracker.templates[name].src = result
+      @tracker.templates[name].type = type
+    end
+    #Process any calls to render() within a template
+    def process_template_alias template
+      TemplateAliasProcessor.new(@tracker, template).process_safely template.src
+    end
+    #Process source for initializing files
+    def process_initializer file_name, src
+      res = BaseProcessor.new(@tracker).process_file src, file_name
+      res = AliasProcessor.new(@tracker).process_safely res, nil, file_name
+      @tracker.initializers[Pathname.new(file_name).basename.to_s] = res
+    end
+    #Process source for a library file
+    def process_lib src, file_name
+      LibraryProcessor.new(@tracker).process_library src, file_name
+    end
+  end
+end