Class: Brakeman::ErbTemplateProcessor

Inherits:
TemplateProcessor
Defined in:
lib/brakeman/processors/erb_template_processor.rb

Overview

Processes ERB templates (those ending in .html.erb or .rhtml).

Constant Summary

Constants included from Util

Util::ALL_PARAMETERS, Util::COOKIES, Util::PARAMETERS, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION

Constants inherited from SexpProcessor

SexpProcessor::VERSION

Instance Attribute Summary

Attributes inherited from BaseProcessor

#ignore

Attributes inherited from SexpProcessor

#context, #env, #expected

Instance Method Summary

Methods inherited from TemplateProcessor

#initialize, #process, #process_escaped_output, #process_lasgn, #process_output

Methods inherited from BaseProcessor

#find_render_type, #initialize, #make_render, #make_render_in_view, #process_arglist, #process_attrasgn, #process_class, #process_default, #process_dstr, #process_evstr, #process_hash, #process_if, #process_ignore, #process_iter, #process_lasgn, #process_scope

Methods included from Util

#array?, #call?, #camelize, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #node_type?, #number?, #params?, #pluralize, #regexp?, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #symbol?, #table_to_csv, #true?, #truncate_table, #underscore

Methods included from ProcessorHelper

#class_name, #process_all, #process_module

Methods inherited from SexpProcessor

#error_handler, #in_context, #initialize, #process, #process_dummy, #scope

Constructor Details

This class inherits a constructor from Brakeman::TemplateProcessor

Instance Method Details

#process_block(exp) ⇒ Object

Processes a block, removing irrelevant expressions.



# File 'lib/brakeman/processors/erb_template_processor.rb', line 59

# Processes a :block node and drops the expressions that carry nothing of
# interest for later analysis: empty results, results equal to the ignore
# marker, and bare references to ERB's `_erbout` output buffer.
#
# While @inside_concat is set (i.e. this block is the argument of an
# `_erbout.concat` call) the earlier expressions are processed only for
# their side effects and the processed final expression is returned.
#
# @param exp [Sexp] the :block node; its first element is shifted off in place
# @return [Sexp] an :rlist of the surviving expressions, or the processed
#   last expression when @inside_concat was set on entry
def process_block exp
  exp.shift

  unless @inside_concat
    exp.map! do |e|
      res = process e
      skip = res.empty? || res == ignore ||
             (node_type?(res, :lvar) && res.value == :_erbout)
      skip ? nil : res
    end

    rlist = Sexp.new(:rlist).concat(exp).compact
    rlist.line(exp.line)
    return rlist
  end

  # Inside a concat only the last expression is the output; the others are
  # processed with the flag cleared so nested blocks are treated normally.
  @inside_concat = false
  exp[0..-2].each { |e| process e }
  @inside_concat = true
  process exp[-1]
end

#process_call(exp) ⇒ Object

s(:call, TARGET, :method, s(:arglist))



# File 'lib/brakeman/processors/erb_template_processor.rb', line 8

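# Processes a :call node.
#
# Calls on ERB's `_erbout` output buffer are the interesting ones: a
# `concat` becomes an :output node (recorded in @current_template[:outputs])
# unless its argument is a plain string, `force_encoding` is ignored, and
# any other method on `_erbout` aborts. A bare `render` call is handed to
# #make_render_in_view. Every other call is rebuilt with its target and
# arguments processed.
#
# Expected shape: s(:call, TARGET, :method, s(:arglist))
#
# @param exp [Sexp] the :call node; its arglist is replaced in place by the
#   processed arglist
# @return [Sexp] an :output node, the ignore marker, the render result, or
#   a rebuilt :call node
# @raise [RuntimeError] if `_erbout.concat` is called with anything other
#   than exactly one argument
def process_call exp
  target = exp.target
  target = process target if sexp? target
  method = exp.method

  # _erbout is the default output variable for erb
  if node_type?(target, :lvar) && target.value == :_erbout
    case method
    when :concat
      @inside_concat = true
      args = exp.arglist = process(exp.arglist)
      @inside_concat = false

      # args is s(:arglist, arg, ...), so a length of 2 means one argument.
      # Raise a RuntimeError (not a bare Exception) so a StandardError rescue
      # further up can report it instead of the whole scan dying.
      raise "Did not expect more than a single argument to _erbout.concat" if args.length > 2

      arg = args[1]
      raise "Expected an argument to _erbout.concat" unless arg

      # erb always calls to_s on output; look through it to the real value
      arg = arg.target if arg.node_type == :call && arg.method == :to_s

      if arg.node_type == :str
        ignore # plain strings cannot carry attacker-controlled data
      else
        s = Sexp.new :output, arg
        s.line(exp.line)
        @current_template[:outputs] << s
        s
      end
    when :force_encoding
      ignore
    else
      abort "Unrecognized action on _erbout: #{method}"
    end
  elsif target.nil? && method == :render
    exp.arglist = process(exp.arglist)
    make_render_in_view exp
  else
    # TODO: Is it really necessary to create a new Sexp here?
    args = exp.arglist = process(exp.arglist)
    call = Sexp.new :call, target, method, args
    call.original_line(exp.original_line)
    call.line(exp.line)
    call
  end
end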