Class: Brakeman::ErbTemplateProcessor

Inherits:
TemplateProcessor
Defined in:
lib/brakeman/processors/erb_template_processor.rb

Overview

Processes ERB templates (those ending in .html.erb or .rhtml).

Constant Summary

Constants inherited from BaseProcessor

BaseProcessor::IGNORE

Constants included from Util

Util::ALL_COOKIES, Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::DIR_CONST, Util::LITERALS, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_COOKIES, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::REQUEST_REQUEST_PARAMETERS, Util::SAFE_LITERAL, Util::SESSION, Util::SESSION_SEXP

Constants inherited from SexpProcessor

SexpProcessor::VERSION

Instance Attribute Summary

Attributes inherited from SexpProcessor

#context, #env, #expected

Instance Method Summary

Methods inherited from TemplateProcessor

#add_escaped_output, #add_output, #initialize, #normalize_output, #process, #process_escaped_output, #process_lasgn, #process_output

Methods inherited from BaseProcessor

#find_render_type, #ignore, #initialize, #make_inline_render, #make_render, #make_render_in_view, #process_arglist, #process_attrasgn, #process_cdecl, #process_default, #process_dstr, #process_evstr, #process_file, #process_hash, #process_if, #process_ignore, #process_iter, #process_lasgn, #process_scope

Methods included from Util

#array?, #block?, #call?, #camelize, #class_name, #constant?, #contains_class?, #cookies?, #dir_glob?, #false?, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #kwsplat?, #literal?, #make_call, #node_type?, #number?, #params?, #pluralize, #rails_version, #regexp?, #remove_kwsplat, #request_env?, #request_value?, #result?, #safe_literal, #safe_literal?, #safe_literal_target?, #set_env_defaults, #sexp?, #string?, #string_interp?, #symbol?, #template_path_to_name, #true?, #underscore

Methods included from ProcessorHelper

#current_file, #process_all, #process_all!, #process_call_args, #process_call_defn?, #process_class, #process_module

Methods inherited from SexpProcessor

#in_context, #initialize, #process, processors, #scope

Constructor Details

This class inherits a constructor from Brakeman::TemplateProcessor

Instance Method Details

#process_block(exp) ⇒ Object

Process a block, dropping expressions that are irrelevant to output tracking: empty results, ignore nodes, and bare references to the `_erbout` buffer.


# File 'lib/brakeman/processors/erb_template_processor.rb', line 49

#Process a block, keeping only the statements that matter for output tracking.
#
#Inside an `_erbout.concat(...)` argument, every statement but the last is
#processed for its side effects and the last statement's result is returned,
#since that is the value appended to the buffer. Elsewhere, each statement is
#processed and the results are collected into an :rlist, skipping results that
#are empty, are the ignore marker, or are just a bare `_erbout` local variable.
def process_block exp
  body = exp.dup
  body.shift #drop the :block node type, leaving only the statements

  if @inside_concat
    @inside_concat = false
    body[0..-2].each { |stmt| process stmt }
    @inside_concat = true
    process body.last
  else
    kept = []
    body.each do |stmt|
      result = process stmt
      next if result.empty? || result == ignore
      #A bare reference to the ERB output buffer carries no output of its own
      next if node_type?(result, :lvar) && result.value == :_erbout
      kept << result
    end

    rlist = Sexp.new(:rlist).concat(kept)
    rlist.line(body.line)
    rlist
  end
end

#process_call(exp) ⇒ Object

s(:call, TARGET, :method, ARGS)


# File 'lib/brakeman/processors/erb_template_processor.rb', line 8

#s(:call, TARGET, :method, ARGS)
#
#Routes method calls found in an ERB template: appends to the `_erbout`
#buffer become tracked output, receiver-less `render` calls become view
#renders, and any other call is processed as an ordinary call expression.
def process_call exp
  target = exp.target
  target = process target if sexp? target
  method = exp.method

  #_erbout is the local variable ERB compiles template output into
  erbout_call = node_type?(target, :lvar) && target.value == :_erbout

  if erbout_call
    case method
    when :concat, :<<
      #Process the argument with @inside_concat set so a nested block is
      #reduced to the value actually appended to the buffer
      @inside_concat = true
      exp.arglist = process(exp.arglist)
      @inside_concat = false

      raise "Did not expect more than a single argument to _erbout.concat" if exp.second_arg

      appended = normalize_output(exp.first_arg)

      #Plain string literals are not tracked as output
      if appended.node_type == :str
        ignore
      else
        add_output appended
      end
    when :force_encoding
      ignore
    else
      #Kernel#abort writes the message to stderr and exits the whole process,
      #so an unexpected _erbout method stops the scan rather than skipping the template
      abort "Unrecognized action on _erbout: #{method}"
    end
  elsif target.nil? && method == :render
    #A receiver-less render call inside a view
    exp.arglist = process(exp.arglist)
    make_render_in_view exp
  else
    exp.target = target
    exp.arglist = process(exp.arglist)
    exp
  end
end