Class: Brakeman::TemplateAliasProcessor

Inherits:
AliasProcessor
  • Object
Includes:
RenderHelper
Defined in:
lib/brakeman/processors/template_alias_processor.rb

Overview

Processes aliasing in templates. Handles calls to render.

Constant Summary

FORM_METHODS =
Set.new([:form_for, :remote_form_for, :form_remote_for])

Constants included from Util

Util::ALL_PARAMETERS, Util::COOKIES, Util::PARAMETERS, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_PARAMETERS, Util::SESSION

Instance Attribute Summary

Attributes inherited from AliasProcessor

#result

Instance Method Summary

Methods included from RenderHelper

#get_options, #process_action, #process_layout, #process_partial, #process_render

Methods inherited from AliasProcessor

#join_arrays, #join_strings, #only_ivars, #process_array_access, #process_attrasgn, #process_block, #process_call, #process_cdecl, #process_cvdecl, #process_default, #process_gasgn, #process_hash_access, #process_hash_merge, #process_hash_merge!, #process_iasgn, #process_if, #process_lasgn, #process_methdef, #process_op_asgn1, #process_op_asgn2, #process_safely, #process_scope, #process_selfdef, #set_line

Methods included from Util

#array?, #call?, #camelize, #cookies?, #false?, #hash?, #hash_insert, #hash_iterate, #integer?, #number?, #params?, #pluralize, #regexp?, #result?, #set_env_defaults, #sexp?, #string?, #symbol?, #true?, #underscore

Methods included from ProcessorHelper

#class_name, #process_module

Constructor Details

- (TemplateAliasProcessor) initialize(tracker, template)

A new instance of TemplateAliasProcessor



# File 'lib/brakeman/processors/template_alias_processor.rb', line 12

# Creates a processor bound to one template.
#
# @param tracker [Object] the analysis tracker; stored in @tracker and later
#   consulted (e.g. its model list) when resolving aliases
# @param template [Object] the template being processed; stored in @template
#   and read via @template[:name] by the other methods of this class
def initialize tracker, template
  super()

  # Keep both handles for the duration of this template's processing.
  @template = template
  @tracker = tracker
end

Instance Method Details

- (Object) find_push_target(exp)



# File 'lib/brakeman/processors/template_alias_processor.rb', line 87

# Excludes the template output buffer from push-target resolution.
#
# Compiled templates append rendered output to a local `_buf`/`_erbout` or
# to the `@output_buffer` ivar; those names are the page being rendered, not
# an array the template code builds, so no alias is recorded for them and
# nil is returned. Everything else is delegated to AliasProcessor.
#
# @param exp [Sexp, Object] candidate push target (presumably the receiver
#   of a `<<` call; see AliasProcessor#find_push_target)
# @return [Sexp, nil] nil for the output buffer, otherwise the superclass result
def find_push_target exp
  if sexp? exp
    output_local = exp.node_type == :lvar && [:_buf, :_erbout].include?(exp[1])
    output_ivar = exp.node_type == :ivar && exp[1] == :@output_buffer
    return nil if output_local || output_ivar
  end

  super
end

- (Object) get_model_target(exp)

Checks if exp is a call to Model.all or Model.find*



# File 'lib/brakeman/processors/template_alias_processor.rb', line 66

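# Checks if exp is a call to Model.all or Model.find*, walking down the
# receiver chain so that a chained call such as `Model.find(1).something`
# is recognised through its receiver.
#
# @param exp [Sexp, Object] expression to inspect
# @return [Sexp, false] the receiver of the all/find* call when it names a
#   model known to the tracker, otherwise false
def get_model_target exp
  return false unless call? exp

  target = exp[1]
  method_name = exp[2].to_s

  if exp[2] == :all || method_name.start_with?("find")
    begin
      name = class_name target
      # Look the name up directly instead of building a Set of every model
      # name on each recursion step.
      return target if @tracker.models.key?(name)
    rescue StandardError
      # Best-effort: class_name appears to raise on receivers that are not
      # plain constants; treat those as "not a known model" and keep walking.
    end
  end

  get_model_target(target)
end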

- (Object) process_call_with_block(exp) Also known as: process_iter

Looks for form methods and iteration over collections of Models



# File 'lib/brakeman/processors/template_alias_processor.rb', line 32

# Looks for form methods and iteration over collections of Models.
#
# When the block's first parameter is a plain local assignment, that local is
# aliased in env so the block body can be processed with a known type:
# - `Model.find(...).each { |m| ... }` binds m to `Model.new` when the model
#   call is the immediate receiver, otherwise to `UNKNOWN_MODEL.new`;
# - `form_for`/`remote_form_for`/`form_remote_for { |f| ... }` binds f to
#   `FormBuilder.new`.
# The block is then processed under that alias (presumably so later checks can
# recognise calls on the block variable as model/form-builder calls).
#
# @param exp [Sexp] an :iter node (call, block args, block body)
# @return [Sexp] exp, after process_default has run on it
def process_call_with_block exp
  process_default exp

  call = exp[1]
  target = call[1]
  method = call[2]
  args = exp[2]
  block = exp[3]

  # Only a single plain block parameter (:lasgn) can be aliased.
  if sexp?(args) && args.node_type == :lasgn
    block_var = Sexp.new(:lvar, args[1])
    new_instance = ->(const) { Sexp.new(:call, const, :new, Sexp.new(:arglist)) }

    if method == :each && block && (model = get_model_target(target))
      # Use the real model only when it is the direct receiver of `each`.
      model_const = if model == target[1]
                      model
                    else
                      Sexp.new(:const, Brakeman::Tracker::UNKNOWN_MODEL)
                    end
      env[block_var] = new_instance.call(model_const)
      process block if sexp? block
    elsif FORM_METHODS.include? method
      env[block_var] = new_instance.call(Sexp.new(:const, :FormBuilder))
      process block if sexp? block
    end
  end

  exp
end

- (Object) process_template(name, args)

Process template



# File 'lib/brakeman/processors/template_alias_processor.rb', line 19

# Processes a rendered template via RenderHelper, passing a
# "Template:<current template name>" label as the third argument so the
# rendered template is associated with the one currently being processed.
#
# @param name [String, Symbol] name of the template to render
# @param args [Object] render arguments, forwarded unchanged
# @return [Object] whatever the superclass implementation returns
def process_template name, args
  origin = "Template:#{@template[:name]}"
  super name, args, origin
end

- (Object) template_name(name)

Determine template name



# File 'lib/brakeman/processors/template_alias_processor.rb', line 24

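# Determine template name. A name without a directory component is resolved
# relative to the directory of the template currently being processed
# (presumably mirroring how partial lookup works for `render "partial"`).
#
# @param name [String, Symbol] the name passed to render
# @return [String, Symbol] name unchanged when it already contains "/",
#   otherwise a String prefixed with the current template's directory; when
#   the current template has no directory component either, name is returned
#   unchanged instead of failing on a missing match
def template_name name
  return name if name.to_s.include? "/"

  # dir + sep is everything up to and including the last "/" of the current
  # template's name; sep is "" when there is no "/" at all.
  dir, sep, _base = @template[:name].to_s.rpartition("/")
  return name if sep.empty?

  "#{dir}#{sep}#{name}"
end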