spektr 0.5.3 → 0.5.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 67409372de77e0e8bf4117c53e8589c393250ce270720735e6f306aabe97dd3f
-  data.tar.gz: db4149f62a076ae7ce005b72a3daf1e9cbbf26d860f092ff8e0259923c4736bb
+  metadata.gz: b3f2e35ede68f8a611ce58a5ad3a4fc251e3d18191b9f1bc7fb314666d789063
+  data.tar.gz: 908740bb4515316fa1c5a69a0b583ea282251a3483fc33a704f83e63521fe249
 SHA512:
-  metadata.gz: 05c35aff0fb9d5453585f302febdcdfe1e5a778925cc59caa958a1a41ad8b4de657bb1f9ff47aa895f0cc382c09accc731cd0095fbf51b5a7c33dad4c1bbc137
-  data.tar.gz: 1a9ccf43fc043a6d66574d195a45ee6351c0fe98937928a17f3452e4ad184dd70565fc878f63f5008475cc3ae07740665fa8e624b327b2734e6855af45de04a1
+  metadata.gz: f92ec1f4949da94bad355d9062b825fbb96480bdf6fe9fb424a421afbaa132cae4b9d0313d0f7af902e25b6ac6141ddc871ecd01cc8f4e4118bd0e7082f362d3
+  data.tar.gz: b6e240e0449e4fb858ae591aaeec936a18502741e105b56b30f00c05c6286a7ce690cfb3ae7d66ce07c5f53c64eb8f6bff55420b0f016d2764d30cba5bb090eb

data/CHANGELOG.md

@@ -2,6 +2,14 @@
 
 ## Unreleased
 
+## 0.5.5
+
+* fix false positives
+
+## 0.5.4
+
+* more parser fixes
+
 ## 0.5.3
 
 * parser fixes

data/lib/spektr/checks/base.rb

@@ -54,11 +54,11 @@ module Spektr
             return true if user_input?(argument)
           end
         end
-      when :embedded_statements_node, :if_node, :else_node
+      when :embedded_statements_node, :if_node, :else_node, :case_node, :embedded_variable_node
         node.statements.body.each do |item|
           return true if user_input? item
         end
-      when :interpolated_string_node, :interpolated_x_string_node, :interpolated_symbol_node
+      when :interpolated_string_node, :interpolated_x_string_node, :interpolated_symbol_node, :interpolated_regular_expression_node
         node.parts.each do |part|
           return true if user_input?(part)
         end
@@ -93,32 +93,79 @@ module Spektr
         end
         return if variable && variable.location.start_line == node.location.start_line
         return user_input?(variable)
-      when :local_variable_or_write_node
+      when :instance_variable_or_write_node, :local_variable_or_write_node
         return user_input?(node.value)
+      when :instance_variable_write_node, :local_variable_write_node
+        return user_input? node.value
       when :and_node, :or_node
         return user_input?(node.left)
         return user_input?(node.right)
-      when :instance_variable_write_node, :local_variable_write_node
-        return user_input? node.value
       when :splat_node
         return user_input? node.expression
       when :parentheses_node
         node.body.body.each do |item|
           return user_input? item
         end
-      when :string_node, :symbol_node, :constant_read_node, :integer_node, :true_node, :constant_path_node, :nil_node, :true_node, :false_node, :self_node, :global_variable_read_node
+      when :string_node, :symbol_node, :constant_read_node, :integer_node, :constant_path_node, :nil_node, :true_node, :false_node, :self_node, :global_variable_read_node
         # do nothing
       else
-        raise "Unknown argument type #{node.type.inspect} #{node.inspect}"
+        ::Spektr.logger.debug "Unknown argument type #{node.type.inspect} #{node.inspect}"
       end
       false
     end
 
     # TODO: this doesn't work properly
     def model_attribute?(node)
+      return false if node.nil?
       model_names = @app.models.collect(&:name)
       case node.type
-      when :local_variable_read_node, :instance_variable_read_node
+      when :call_node
+        return model_attribute?(node.receiver) if node.receiver
+        if node.arguments
+          node.arguments.arguments.each do |argument|
+            return true if model_attribute?(argument)
+          end
+        end
+      when :embedded_statements_node, :if_node, :else_node, :case_node, :embedded_variable_node
+        node.statements.body.each do |item|
+          return true if model_attribute? item
+        end
+      when :interpolated_string_node, :interpolated_x_string_node, :interpolated_symbol_node, :interpolated_regular_expression_node
+        node.parts.each do |part|
+          return true if model_attribute?(part)
+        end
+      when :keyword_hash_node, :hash_node
+        node.elements.each do |element|
+          return true if model_attribute?(element.key)
+          return true if model_attribute?(element.value)
+        end
+      when :array_node
+        node.elements.each do |element|
+          return true if model_attribute?(element)
+        end
+      # TODO: make this better. ivars can be overridden in the view as well and
+      # can be set in non controller targets too
+      when :_instance_variable_read_node
+        return false unless @target.respond_to?(:view_path)
+        actions = []
+        @app.controllers.each do |controller|
+          actions = actions.concat controller.actions.select { |action|
+            action.template == @target.view_path
+          }
+        end
+        actions.each do |action|
+          next unless action.body
+          action.body.each do |exp|
+            return true if exp.name == node.name && model_attribute?(exp)
+          end
+        end
+      when :local_variable_read_node
+        variable = @target.lvars.find do |n|
+          n.name == node.name
+        end
+        return if variable && variable.location.start_line == node.location.start_line
+        return model_attribute?(variable)
+      when :instance_variable_read_node
         # TODO: handle helpers here too
         if ["Spektr::Targets::Controller", "Spektr::Targets::View"].include?(@target.class.name)
           actions = []
@@ -134,53 +181,25 @@ module Spektr
             end
           end
         end
-      when :local_variable_or_write_node
+      when :instance_variable_or_write, :local_variable_or_write_node
         return model_attribute?(node.value)
+      when :instance_variable_write_node, :local_variable_write_node
+        return model_attribute? node.value
       when :and_node, :or_node
         return model_attribute?(node.left)
         return model_attribute?(node.right)
-      when :call_node
-        return model_attribute?(node.receiver) if node.receiver
-        if node.arguments
-          node.arguments.arguments.each do |argument|
-            return true if model_attribute?(argument)
-          end
-        end
-      when :keyword_hash_node, :hash_node
-        node.elements.each do |element|
-          return true if model_attribute?(element.key)
-          return true if model_attribute?(element.value)
-        end
-      when :array_node
-        node.elements.each do |element|
-          return true if model_attribute?(element)
-        end
+      when :splat_node
+        return model_attribute? node.expression
       when :parentheses_node
         node.body.body.each do |item|
           return model_attribute? item
         end
-      when :interpolated_string_node, :interpolated_x_string_node, :interpolated_symbol_node
-        node.parts.each do |part|
-          return true if model_attribute?(part)
-        end
-      when :embedded_statements_node, :if_node, :else_node
-        node.statements.body.each do |item|
-          return true if model_attribute? item
-        end
-      when :instance_variable_write_node, :local_variable_write_node
-        return model_attribute? node.value
       when :constant_read_node
         return true if model_names.include? node.name.to_s
-      when :interpolated_string_node
-        node.parts.each do |item|
-          return model_attribute? item
-        end
-      when :splat_node
-        return model_attribute? node.expression
       when :string_node, :symbol_node, :integer_node, :constant_path_node, :nil_node, :true_node, :false_node, :self_node, :global_variable_read_node
         # do nothing
       else
-        raise "Unknown argument type #{node.type}"
+        Spektr.logger.debug "Unknown argument type #{node.type}"
       end
     end
 

data/lib/spektr/checks/mass_assignment.rb

@@ -23,13 +23,20 @@ module Spektr
           argument = call.arguments&.arguments&.first
           next if argument.nil?
           ::Spektr.logger.debug "Mass assignment check at #{call.location.start_line}"
-          if user_input?(argument)
-            # we check for permit! separately
-            next if argument.respond_to?(:name) && argument.name == :permit!
-            # check for permit with arguments
-            next if argument.respond_to?(:name) && argument.name == :permit && argument.arguments
-            warn! @target, self, call.location, "Mass assignment"
+          next unless user_input?(argument)
+          if argument.type == :local_variable_read_node
+            variable = @target.lvars.find do |n|
+              n.name == argument.name
+            end
+            param = variable.value
+          else
+            param = argument
           end
+          # we check for permit! separately
+          next if param.respond_to?(:name) && param.name == :permit!
+          # check for permit with arguments
+          next if param.respond_to?(:name) && param.name == :permit && param.arguments
+          warn! @target, self, call.location, "Mass assignment"
         end
         @target.find_calls(:permit!).each do |call|
           unless call.arguments

data/lib/spektr/checks/sqli.rb

@@ -19,7 +19,9 @@ module Spektr
 
         ].each do |m|
           @target.find_calls(m).each do |call|
-            check_argument(call.arguments&.arguments&.first, m, call)
+            arguments = call.arguments&.arguments&.first
+            next if arguments && arguments.type == :keyword_hash_node
+            check_argument(arguments, m, call)
           end
         end
         [:calculate].each do |m|

data/lib/spektr/version.rb

@@ -1,3 +1,3 @@
 module Spektr
-  VERSION = '0.5.3'
+  VERSION = '0.5.5'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spektr
 version: !ruby/object:Gem::Version
-  version: 0.5.3
+  version: 0.5.5
 platform: ruby
 authors:
 - Greg Molnar