Class: Brakeman::TemplateAliasProcessor
- Inherits:
-
AliasProcessor
- Object
- SexpProcessor
- AliasProcessor
- Brakeman::TemplateAliasProcessor
- Includes:
- RenderHelper
- Defined in:
- lib/brakeman/processors/template_alias_processor.rb
Overview
Processes aliasing in templates. Handles calls to render.
Constant Summary
- FORM_METHODS =
Set[:form_for, :remote_form_for, :form_remote_for]
Constants included from Util
Util::ALL_PARAMETERS, Util::COOKIES, Util::PARAMETERS, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION
Constants inherited from SexpProcessor
Instance Attribute Summary
Attributes inherited from AliasProcessor
Attributes inherited from SexpProcessor
Instance Method Summary
-
#find_push_target(exp) ⇒ Object
Ignore `<<` calls on template variables which are used by the templating library (HAML, ERB, etc.).
-
#get_model_target(exp) ⇒ Object
Checks if `exp` is a call to Model.all or Model.find*.
-
#initialize(tracker, template, called_from = nil) ⇒ TemplateAliasProcessor
constructor
A new instance of TemplateAliasProcessor.
-
#process_call_with_block(exp) ⇒ Object
(also: #process_iter)
Looks for form methods and iterating over collections of Models.
-
#process_template(name, args) ⇒ Object
Process template.
-
#template_name(name) ⇒ Object
Determine template name.
Methods included from RenderHelper
#get_class_target, #get_options, #process_action, #process_layout, #process_partial, #process_render
Methods inherited from AliasProcessor
#duplicate?, #join_arrays, #join_strings, #only_ivars, #process_array_access, #process_attrasgn, #process_block, #process_call, #process_cdecl, #process_cvdecl, #process_default, #process_gasgn, #process_hash_access, #process_hash_merge, #process_hash_merge!, #process_iasgn, #process_if, #process_lasgn, #process_methdef, #process_op_asgn1, #process_op_asgn2, #process_safely, #process_scope, #process_selfdef, #process_svalue, #set_line
Methods included from Util
#array?, #call?, #camelize, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #node_type?, #number?, #params?, #pluralize, #regexp?, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #symbol?, #table_to_csv, #true?, #truncate_table, #underscore
Methods included from ProcessorHelper
#class_name, #process_all, #process_module
Methods inherited from SexpProcessor
#error_handler, #in_context, #process, #process_dummy, #scope
Constructor Details
#initialize(tracker, template, called_from = nil) ⇒ TemplateAliasProcessor
Returns a new instance of TemplateAliasProcessor.
# File 'lib/brakeman/processors/template_alias_processor.rb', line 12
# Builds a processor for one template.
#
# @param tracker the tracker shared by all processors; handed to AliasProcessor
# @param template the template record being processed (its :name is read by
#   #process_template and #template_name)
# @param called_from [Array<String>, nil] render chain that led to this
#   template; nil when the template is the starting point
def initialize(tracker, template, called_from = nil)
  super(tracker)
  @template = template
  @called_from = called_from
end
Instance Method Details
#find_push_target(exp) ⇒ Object
Ignore `<<` calls on template variables which are used by the templating library (HAML, ERB, etc.)
# File 'lib/brakeman/processors/template_alias_processor.rb', line 101
# Ignore `<<` calls on template variables which are used by the templating
# library (HAML, ERB, etc.) as its output buffer: the locals _buf and
# _erbout, the ivar @output_buffer, and the call _hamlout.buffer. Every other
# receiver is delegated to AliasProcessor#find_push_target.
#
# @param exp [Sexp] receiver of the `<<` call
# @return [nil, Object] nil for a template output buffer, otherwise whatever
#   the superclass returns
def find_push_target(exp)
  if sexp? exp
    case exp.node_type
    when :lvar
      return nil if exp.value == :_buf || exp.value == :_erbout
    when :ivar
      return nil if exp.value == :@output_buffer
    when :call
      return nil if call?(exp.target) && exp.target.method == :_hamlout && exp.method == :buffer
    end
  end

  super
end
#get_model_target(exp) ⇒ Object
Checks if `exp` is a call to Model.all or Model.find*
# File 'lib/brakeman/processors/template_alias_processor.rb', line 78
# Checks if +exp+ is a call to Model.all or Model.find* on a model the
# tracker knows about. Nested calls are followed through their receivers,
# so the model may sit anywhere down the receiver chain.
#
# @param exp [Sexp] expression to inspect
# @return [Sexp, false] the receiver whose class name is a tracked model,
#   or false when no such call is found
def get_model_target(exp)
  return false unless call? exp

  receiver = exp.target
  method_name = exp.method

  if method_name == :all || method_name.to_s.start_with?("find")
    known_models = Set.new(@tracker.models.keys)
    begin
      # class_name may raise for receivers that are not constants; treat that
      # as "not a model" and keep looking at the receiver chain.
      return receiver if known_models.include?(class_name(receiver))
    rescue StandardError
      nil
    end
  end

  # Not a model call at this level: inspect the receiver of this call.
  get_model_target(receiver)
end
#process_call_with_block(exp) ⇒ Object Also known as: process_iter
Looks for form methods and iterating over collections of Models
# File 'lib/brakeman/processors/template_alias_processor.rb', line 41
# Looks for form methods and iterating over collections of Models.
#
# For `Model.find*(...).each do |x| ... end` the block variable x is aliased
# in env to `Model.new` (or `UNKNOWN_MODEL.new` when the model was found
# deeper in the receiver chain) before the block body is processed. For the
# methods in FORM_METHODS the block variable is aliased to `FormBuilder.new`.
#
# @param exp [Sexp] an :iter / call-with-block node
# @return [Sexp] +exp+, after AliasProcessor#process_default has run on it
def process_call_with_block(exp)
  process_default exp

  call = exp.block_call
  return exp unless call? call

  target = call.target
  method = call.method
  args = exp.block_args
  block = exp.block

  # Check for e.g. Model.find.each do ... end
  if method == :each && args && block && (model = get_model_target(target))
    if node_type? args, :lasgn
      instance_of = if model == target.target
                      model
                    else
                      Sexp.new(:const, Brakeman::Tracker::UNKNOWN_MODEL)
                    end
      env[Sexp.new(:lvar, args.lhs)] = Sexp.new(:call, instance_of, :new, Sexp.new(:arglist))
      process block if sexp? block
    end
  elsif FORM_METHODS.include?(method) && node_type?(args, :lasgn)
    env[Sexp.new(:lvar, args.lhs)] = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist))
    process block if sexp? block
  end

  exp
end
#process_template(name, args) ⇒ Object
Process template
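# File 'lib/brakeman/processors/template_alias_processor.rb', line 19
# Process template: renders +name+ with +args+ while carrying the chain of
# templates that led here, so a template that (directly or indirectly)
# renders itself is skipped instead of recursing without bound.
#
# @param name template being rendered
# @param args render arguments, passed through unchanged
# @return whatever the superclass returns, or nil when the render is circular
def process_template(name, args)
  chain_entry = "Template:#{@template[:name]}"

  if @called_from
    # name is interpolated into a pattern, so escape it: a template name
    # containing regexp metacharacters would otherwise mis-match or raise
    # RegexpError. \z anchors at the true end of the entry ($ also matches
    # before a trailing newline).
    circular = /Template:#{Regexp.escape(name.to_s)}\z/
    if @called_from.grep(circular).any?
      Brakeman.debug "Skipping circular render from #{@template[:name]} to #{name}"
      return
    end

    super name, args, @called_from + [chain_entry]
  else
    super name, args, [chain_entry]
  end
end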
#template_name(name) ⇒ Object
Determine template name
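# File 'lib/brakeman/processors/template_alias_processor.rb', line 33
# Determine template name: a name without a "/" is resolved relative to the
# directory of the current template (@template[:name]); a name that already
# contains a "/" is returned as given.
#
# @param name [String, Symbol] template name as written in the render call
# @return [String, Symbol] the qualified name, or +name+ itself when it
#   already contains a "/"
def template_name(name)
  return name if name.to_s.include?("/")

  # rpartition yields ["", "", whole] when the current template has no
  # directory, so the name is returned bare instead of raising on a nil
  # match as the previous regexp lookup did.
  dir, sep, _base = @template[:name].to_s.rpartition("/")
  "#{dir}#{sep}#{name}"
end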