Class: Brakeman::FindCall

Inherits:
BasicProcessor
Defined in:
lib/brakeman/processors/lib/find_call.rb

Overview

Finds method calls matching the given target(s).

#-- This should be deprecated --#
#--  Do not use for new code  --#

Targets/methods can be:

  • nil: matches anything, including a call with no target at all

  • Empty array: matches only the absence of a target, i.e. a call with no explicit receiver (see the system-call example below); it never matches a named target

  • Symbol: matches single target/method exactly

  • Array of symbols: matches against any of the symbols

  • Regular expression: matches the expression

  • Array of regular expressions: matches any of the expressions

If a target is also the name of a class, methods called on instances of that class will also be matched, but only in a very limited way: essentially any method called directly on Klass.new. This is more useful when used in conjunction with AliasProcessor, which resolves instances back to the class that created them.

Examples:

# To find any uses of this class:
FindCall.new :FindCall, nil

# Find system calls without a target:
FindCall.new [], [:system, :exec, :syscall]

# Find all calls to length(), no matter the target:
FindCall.new nil, :length

# Find all calls to sub, sub!, gsub, or gsub!:
FindCall.new nil, /^g?sub!?$/

(The examples show only the targets and methods arguments; the actual constructor also requires the tracker as its third argument, see #initialize below.)

Constant Summary

Constants included from Util

Util::ALL_COOKIES, Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_COOKIES, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION, Util::SESSION_SEXP

Constants inherited from SexpProcessor

SexpProcessor::VERSION

Instance Attribute Summary

Attributes inherited from SexpProcessor

#context, #env, #expected

Instance Method Summary

Methods inherited from BasicProcessor

#process_default, #process_if

Methods included from Util

#array?, #block?, #call?, #camelize, #class_name, #constant?, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #github_url, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #make_call, #node_type?, #number?, #params?, #pluralize, #rails_version, #regexp?, #relative_path, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #string_interp?, #symbol?, #table_to_csv, #template_path_to_name, #true?, #truncate_table, #underscore

Methods included from ProcessorHelper

#current_file_name, #process_all, #process_all!, #process_call_args, #process_call_defn?, #process_class, #process_module

Methods inherited from SexpProcessor

#in_context, #process, processors, #scope

Constructor Details

#initialize(targets, methods, tracker, in_depth = false) ⇒ FindCall

Returns a new instance of FindCall.

# File 'lib/brakeman/processors/lib/find_call.rb', line 36

def initialize targets, methods, tracker, in_depth = false
  super tracker
  @calls = []
  @find_targets = targets
  @find_methods = methods
  @current_class = nil
  @current_method = nil
  @in_depth = in_depth
end

Instance Method Details

#matches ⇒ Object

Returns a list of results.

A result looks like:

s(:result, module_name, :ClassName, :method_name, s(:call, …))

or, when the source was processed as a template,

s(:result, :template_name, s(:call, …))

Note that the first element after :result is @current_module, which neither #initialize nor #process_source assigns, so it is nil unless a subclass sets it. The class and method names are whatever was passed to #process_source, so they too are nil when that method was called with only the expression.

# File 'lib/brakeman/processors/lib/find_call.rb', line 55

def matches
  @calls
end

#process_attrasgn(exp) ⇒ Object

Process an attribute assignment (e.g. obj.attr = value, an :attrasgn node) as if it were a call, so targets and methods can be matched on it

# File 'lib/brakeman/processors/lib/find_call.rb', line 113

def process_attrasgn exp
  process_call exp
end

#process_call(exp) ⇒ Object

Look for matching calls and add them to results

# File 'lib/brakeman/processors/lib/find_call.rb', line 83

def process_call exp
  target = get_target exp.target
  method = exp.method

  process_call_args exp

  if match(@find_targets, target) and match(@find_methods, method)

    if @current_template
      @calls << Sexp.new(:result, @current_template, exp).line(exp.line)
    else
      @calls << Sexp.new(:result, @current_module, @current_class, @current_method, exp).line(exp.line)
    end

  end
  
  #Normally FindCall won't match a method invocation that is the target of
  #another call, such as:
  #
  #  User.find(:first, :conditions => "user = '#{params['user']}'").name
  #
  #A search for User.find will not match this unless @in_depth is true.
  if @in_depth and call? exp.target
    process exp.target
  end

  exp
end
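The following is an added example written for this page, not Brakeman's own code. It re-implements, stand-alone, the two behaviours described above: the target/method pattern rules from the Overview (nil, empty array, Symbol, Array, Regexp) and the in_depth rule from process_call, under which the receiver of a chained call such as User.find(...).name is only searched when in_depth is true. Plain nested Arrays stand in for Sexp so it runs without the brakeman or sexp_processor gems; the node layout s(:call, target, method, *args), the helper names find_call_match, call_target and find_calls, and the sample expressions are all assumptions made for the example, and the Klass.new receiver handling is a deliberate simplification of what Brakeman does.

```ruby
# Added example (not Brakeman's code): simplified FindCall matching and traversal.

# Constructed stand-in for Brakeman's s(...) Sexp builder: just a nested Array.
def s(*parts)
  parts
end

# The documented pattern rules: nil matches anything (including no target),
# [] matches only a missing target, a Symbol matches exactly, a Regexp matches
# the name's string form, and an Array matches if any element matches.
def find_call_match(pattern, value)
  case pattern
  when nil    then true
  when Symbol then pattern == value
  when Regexp then value.is_a?(Symbol) && pattern.match?(value.to_s)
  when Array  then pattern.empty? ? value.nil? : pattern.any? { |p| find_call_match(p, value) }
  else false
  end
end

# Reduce a call's receiver to the name compared against the target pattern:
# no receiver -> nil, a constant -> its name, and (the limited Klass.new case
# from the Overview) Klass.new(...) -> :Klass. Anything else is returned as the
# raw node, so only a nil pattern can match it.
def call_target(node)
  return nil if node.nil?
  return node[1] if node[0] == :const
  if node[0] == :call && node[2] == :new && node[1].is_a?(Array) && node[1][0] == :const
    return node[1][1]
  end
  node
end

# Walk an expression and collect s(:result, klass, method, call) entries.
# Mirrors the in_depth rule: a call's receiver is only searched when in_depth
# is true, so a shallow search for User.find misses User.find(...).name.
def find_calls(exp, targets:, methods:, in_depth: false, klass: nil, method: nil)
  results = []
  walk = lambda do |node|
    return unless node.is_a?(Array)
    if node[0] == :call
      _, target, name, *args = node
      if find_call_match(targets, call_target(target)) && find_call_match(methods, name)
        results << s(:result, klass, method, node)
      end
      args.each { |arg| walk.call(arg) }            # arguments are always searched
      walk.call(target) if in_depth && target.is_a?(Array) && target[0] == :call
    else
      node.each { |child| walk.call(child) }        # descend into any other node
    end
  end
  walk.call(exp)
  results
end

# Constructed sample body, roughly equivalent to:
#   User.find(:first, cond).name
#   system("ls")
#   input.gsub!("a", "b")
#   Mailer.new.deliver
USER_FIND = s(:call, s(:const, :User), :find, s(:lit, :first), s(:lvar, :cond))
CHAINED   = s(:call, USER_FIND, :name)
SYSTEM    = s(:call, nil, :system, s(:str, "ls"))
GSUB      = s(:call, s(:lvar, :input), :gsub!, s(:str, "a"), s(:str, "b"))
NEW_CALL  = s(:call, s(:call, s(:const, :Mailer), :new), :deliver)
SAMPLE    = s(:block, CHAINED, SYSTEM, GSUB, NEW_CALL)

if __FILE__ == $0
  # Shallow search misses User.find because it is the receiver of .name.
  p find_calls(SAMPLE, targets: :User, methods: :find).size                 # 0
  p find_calls(SAMPLE, targets: :User, methods: :find, in_depth: true).size # 1
  # [] as the target pattern: only receiver-less calls such as system("ls").
  p find_calls(SAMPLE, targets: [], methods: [:system, :exec, :syscall],
               klass: :UsersController, method: :show)
  p find_calls(SAMPLE, targets: nil, methods: /^g?sub!?$/).size            # 1
  p find_calls(SAMPLE, targets: :Mailer, methods: :deliver).size           # 1
end
```

The first two calls are the point of the in_depth flag: a search for User.find over code that chains .name onto it returns nothing until in_depth is set, which is exactly the blind spot the comment in process_call warns about. The [] target pattern is what the "system calls without a target" example in the Overview relies on; a named pattern such as :User never matches a receiver-less call.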

#process_defn(exp) ⇒ Object Also known as: process_defs

Process body of method

# File 'lib/brakeman/processors/lib/find_call.rb', line 71

def process_defn exp
  process_all exp.body
end

#process_rlist(exp) ⇒ Object

Process body of block

# File 'lib/brakeman/processors/lib/find_call.rb', line 78

def process_rlist exp
  process_all exp
end

#process_source(exp, klass = nil, method = nil, template = nil) ⇒ Object

Process the given source. Provide either the class and method being searched, or the template name; these names are recorded in each result so that matches can be reported against the code they came from.

Use FindCall#matches to retrieve results.

# File 'lib/brakeman/processors/lib/find_call.rb', line 63

def process_source exp, klass = nil, method = nil, template = nil
  @current_class = klass
  @current_method = method
  @current_template = template
  process exp
end