spektr 0.4.1 → 0.5.0

data/lib/spektr/warning.rb

@@ -10,12 +10,12 @@ module Spektr
       @location = location
       @message = message
       @confidence = confidence
-      @line = IO.readlines(full_path)[@location.line - 1].strip if full_path && @location && File.exist?(full_path)
+      @line = IO.readlines(full_path)[@location.start_line - 1].strip if full_path && @location && File.exist?(full_path)
     end
 
     def full_message
       if @location
-        "#{message} at line #{@location.line} of #{@path}"
+        "#{message} at line #{@location.start_line} of #{@path}"
       else
         "#{message}"
       end

data/lib/spektr.rb

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
 require 'bundler'
-require 'parser'
-require 'parser/current'
+require 'prism'
 require 'erb'
+require 'herb'
 require 'haml'
 require 'logger'
 require 'tty/spinner'
@@ -23,12 +23,12 @@ module Spektr
     @output_format = output_format
     start_spinner('Initializing')
     @log_level = if debug
-      Logger::DEBUG
-    elsif terminal?
-      Logger::ERROR
-    else
-      Logger::WARN
-    end
+                   Logger::DEBUG
+                 elsif terminal?
+                   Logger::ERROR
+                 else
+                   Logger::WARN
+                 end
     checks = Checks.load(checks)
     root = './' if root.nil?
     @app = App.new(checks: checks, root: root, ignore: ignore)

data/spektr.gemspec

@@ -15,7 +15,7 @@ Gem::Specification.new do |spec|
   # spec.metadata["allowed_push_host"] = "TODO: Set to 'http://mygemserver.com'"
 
   spec.metadata['homepage_uri'] = spec.homepage
-  spec.metadata["source_code_uri"] = "https://github.com/gregmolnar/spektr"
+  spec.metadata['source_code_uri'] = 'https://github.com/gregmolnar/spektr'
   # spec.metadata["changelog_uri"] = "TODO: Put your gem's CHANGELOG.md URL here."
 
   # Specify which files should be added to the gem when it is released.
@@ -28,9 +28,10 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
 
   spec.add_dependency 'erubi'
+  spec.add_dependency 'herb'
   spec.add_dependency 'haml'
-  spec.add_dependency 'parser', '>= 2.6.0'
   spec.add_dependency 'pastel'
+  spec.add_dependency 'prism'
   spec.add_dependency 'ruby_parser', '>= 3.0'
   spec.add_dependency 'slim'
   spec.add_dependency 'tty-color'

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: spektr
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 0.5.0
 platform: ruby
 authors:
 - Greg Molnar
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-03-04 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: erubi
@@ -25,7 +24,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: haml
+  name: herb
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -39,19 +38,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: parser
+  name: haml
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.6.0
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.6.0
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: pastel
   requirement: !ruby/object:Gem::Requirement
@@ -66,6 +65,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: prism
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: ruby_parser
   requirement: !ruby/object:Gem::Requirement
@@ -303,16 +316,8 @@ files:
 - lib/spektr/cli.rb
 - lib/spektr/core_ext/string.rb
 - lib/spektr/erubi.rb
-- lib/spektr/exp/assignment.rb
-- lib/spektr/exp/base.rb
-- lib/spektr/exp/const.rb
-- lib/spektr/exp/definition.rb
-- lib/spektr/exp/ivasign.rb
-- lib/spektr/exp/lvasign.rb
-- lib/spektr/exp/send.rb
-- lib/spektr/exp/xstr.rb
-- lib/spektr/processors/base.rb
-- lib/spektr/processors/class_processor.rb
+- lib/spektr/extractors/calls.rb
+- lib/spektr/extractors/methods.rb
 - lib/spektr/targets/base.rb
 - lib/spektr/targets/config.rb
 - lib/spektr/targets/controller.rb
@@ -329,7 +334,6 @@ licenses:
 metadata:
   homepage_uri: https://spektrhq.com
   source_code_uri: https://github.com/gregmolnar/spektr
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -344,8 +348,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.6
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Rails static code analyzer for security issues
 test_files: []

data/lib/spektr/exp/assignment.rb

@@ -1,20 +0,0 @@
-module Spektr
-  module Exp
-    module Assignment
-      def user_input?
-        if ast.children[1].type == :send
-          _send = Send.new(ast.children[1])
-          name = if _send.receiver && _send.receiver.type == :send
-            _send.receiver.name
-          else
-            nil
-          end
-          if [:params, :cookies, :request].include? name
-            return true
-          end
-        end
-        false
-      end
-    end
-  end
-end

data/lib/spektr/exp/base.rb

@@ -1,32 +0,0 @@
-module Spektr
-  module Exp
-    class Base
-      attr_accessor :ast, :name, :type, :options, :arguments, :body, :location
-
-      def initialize(ast)
-        @ast = ast
-        @type = ast.type
-        @location = ast.location
-        @name = ast.children.first
-        @options = {}
-        @arguments = []
-        @body = []
-      end
-
-      def send?
-        is_a? Send
-      end
-
-      include AST::Processor::Mixin
-
-      def process(ast)
-        return unless ast.respond_to?(:to_ast)
-        super
-      end
-
-      def handler_missing(node)
-        # puts "handler missing for #{node.type}"
-      end
-    end
-  end
-end

data/lib/spektr/exp/const.rb

@@ -1,7 +0,0 @@
-module Spektr
-  module Exp
-    class Const < Base
-      include Spektr::Exp::Assignment
-    end
-  end
-end

data/lib/spektr/exp/definition.rb

@@ -1,32 +0,0 @@
-module Spektr
-  module Exp
-    class Definition < Base
-      attr_accessor :private, :protected
-
-      def initialize(ast)
-        super
-        process @ast.children
-      end
-
-      def process(ast)
-        ast&.each do |node|
-          next unless Parser::AST::Node === node
-          case node.type
-          when :args
-            node.children.each do |argument|
-              @arguments << argument.children.first
-            end
-          when :begin
-            process(node.children)
-          when :lvasgn
-            @body << Lvasign.new(node)
-          when :ivasgn
-            @body << Ivasign.new(node)
-          when :send
-            @body << Send.new(node)
-          end
-        end
-      end
-    end
-  end
-end

data/lib/spektr/exp/ivasign.rb

@@ -1,7 +0,0 @@
-module Spektr
-  module Exp
-    class Ivasign < Base
-      include Spektr::Exp::Assignment
-    end
-  end
-end

data/lib/spektr/exp/lvasign.rb

@@ -1,7 +0,0 @@
-module Spektr
-  module Exp
-    class Lvasign < Base
-      include Spektr::Exp::Assignment
-    end
-  end
-end

data/lib/spektr/exp/send.rb

@@ -1,135 +0,0 @@
-module Spektr
-  module Exp
-    class Send < Base
-      attr_accessor :receiver
-
-      def initialize(ast)
-        super
-        @receiver = Receiver.new(ast.children[0]) if ast.children[0]
-        @name = if ast.children.first.is_a?(Parser::AST::Node)
-                  ast.children.first.children.last
-                else
-                  ast.children[1]
-                end
-        children = ast.children[2..]
-        children.each do |child|
-          next unless child.is_a?(Parser::AST::Node)
-
-          case child.type
-          when :hash
-            if children.size == 1 || children.last == child
-              child.children.each do |pair|
-                @options[pair.children[0].children[0]] = Option.new(pair)
-              end
-            else
-              @arguments << Argument.new(child)
-            end
-          else
-            @arguments << Argument.new(child)
-          end
-        end
-      end
-    end
-
-    class Argument < Base
-      attr_accessor :name, :type, :ast, :children
-
-      def initialize(ast)
-        @name = nil
-        process_ast(ast)
-        ast = ast.children.first if ast.type == :begin
-        @ast = ast
-        argument = if %i[xstr hash].include? ast.type
-                     ast
-                   elsif ast.type != :dstr && ast.children.first.is_a?(Parser::AST::Node) && ast.children.first.children.first.is_a?(Parser::AST::Node)
-                     ast.children.first.children.first
-                   elsif ast.type != :dstr && ast.children.first.is_a?(Parser::AST::Node)
-                     ast.children.first
-                   else
-                     ast
-                   end
-        @type = argument.type
-        @children = argument.children
-      end
-
-      def process_ast(ast)
-        process(ast)
-      end
-
-      def on_begin(node)
-        process_all(node)
-      end
-
-      def on_send(node)
-        if node.children.first.nil?
-          @name ||= node.children[1]
-        elsif node.is_a?(Parser::AST::Node)
-          process_all(node)
-        end
-      end
-
-      def on_const(node)
-        @name ||= node.children[1] if node.children.first.nil?
-      end
-
-      def on_str(node)
-        @name ||= node.children.first
-      end
-
-      alias on_sym on_str
-      alias on_ivar on_str
-    end
-
-    class Option
-      attr_accessor :name, :key, :value, :type, :value_name, :value_type
-
-      def initialize(ast)
-        @key = ast.children.first
-        @name = ast.children.first.children.last
-        @type = ast.type
-
-        @value = ast.children.last
-        @value_name = ast.children.last.children.last
-        @value_type = ast.children.last.type
-      end
-    end
-
-    class Receiver
-      attr_accessor :name, :type, :ast, :expanded, :children
-
-      def initialize(ast)
-        @children = []
-        set_attributes(ast)
-      end
-
-      def set_attributes(ast)
-        if [:begin].include?(ast.type) && ast.children[0].is_a?(Parser::AST::Node)
-          return set_attributes(ast.children[0])
-        end
-
-        @ast = ast
-        if ast.type == :dstr
-          @type = :dstr
-          @name = ast.children[0].children.first
-          ast.children[1..].each do |ch|
-            @children << Receiver.new(ch)
-          end
-        else
-          @expanded = expand!(ast)
-          @ast = ast.type == :send && ast.children[0].is_a?(Parser::AST::Node) ? ast.children[0] : ast
-          @type = @ast.type
-          @name = @ast.children.last
-        end
-      end
-
-      def expand!(ast, tree = [])
-        if ast.is_a?(Parser::AST::Node) && ast.children.any?
-          tree << ast.children.last
-          expand!(ast.children.first, tree)
-        else
-          tree.reverse.join('.')
-        end
-      end
-    end
-  end
-end

data/lib/spektr/exp/xstr.rb

@@ -1,12 +0,0 @@
-module Spektr
-  module Exp
-    class Xstr < Base
-      def initialize(ast)
-        super
-        ast.children[1..].each do |child|
-          @arguments << Argument.new(child)
-        end
-      end
-    end
-  end
-end

data/lib/spektr/processors/base.rb

@@ -1,87 +0,0 @@
-require 'ast'
-module Spektr::Processors
-  class Base
-    include AST::Processor::Mixin
-    attr_accessor :name, :name_parts, :parent_parts, :parent_modules, :parent_name, :parent_name_with_modules
-
-    def initialize
-      @modules = []
-      @name_parts = []
-      @parent_parts = []
-      @parent_modules = []
-    end
-
-    def name
-      @name_parts.join('::')
-    end
-
-    def parent_name
-      parent_parts.join('::')
-    end
-
-    def parent_parts
-      result = @parent_parts.dup
-      result.pop if part_matches_self?(result.last.to_s)
-      result
-    end
-
-    def part_matches_self?(part)
-      (part == name || part_with_module(part) == name)
-    end
-
-    def part_with_module(part)
-      (@parent_modules | [part]).join('::')
-    end
-
-    def parent_name_with_modules
-      parts = @parent_modules | parent_parts
-      parts.join('::')
-    end
-
-    def on_begin(node)
-      process_all(node)
-    end
-
-    def on_module(node)
-      parts = extract_name_part(node)
-      @modules.concat(parts)
-      @name_parts.concat(parts)
-      @parent_modules << node.children.first.children.last
-      process_all(node)
-    end
-
-    def extract_parent_parts(node)
-      return unless node.is_a?(Parser::AST::Node) && %i[ module class const send].include?(node.type)
-      @parent_parts.prepend(node.children.last) if node.type == :const
-      if node.children.any?
-        node.children.each do |child|
-          extract_parent_parts(child)
-        end
-      end
-    end
-
-    def on_class(node)
-      extract_parent_parts(node)
-      @name_parts.concat(extract_name_part(node))
-      process_all(node)
-    end
-
-    def extract_name_part(node)
-      parts = []
-      node.children.first.children.each do |child|
-        if child.is_a?(Parser::AST::Node)
-          parts << child.children.last
-        elsif child.is_a? Symbol
-          parts << child.to_s
-        end
-      end
-      parts
-    end
-
-    def on_const(node); end
-
-    def handler_missing(node)
-      # puts "handler missing for #{node.type}"
-    end
-  end
-end

data/lib/spektr/processors/class_processor.rb

@@ -1,24 +0,0 @@
-module Spektr
-  module Processors
-    class ClassProcessor < Base
-      include AST::Processor::Mixin
-
-      attr_accessor :data
-
-      def on_begin(node)
-      end
-
-      def on_def(node)
-        puts "on def: #{node.inspect}"
-      end
-
-      def on_require(node)
-        puts "on require: #{node.inspect}"
-      end
-
-      def on_class(node)
-        puts "on class2: #{node.inspect}"
-      end
-    end
-  end
-end