Class: Brakeman::Rails3ConfigProcessor

Inherits:
BasicProcessor show all
Defined in:
lib/brakeman/processors/lib/rails3_config_processor.rb

Overview

Processes configuration. Results are put in tracker.config.

Configuration of Rails via Rails::Initializer are stored in tracker.config.rails. For example:

MyApp::Application.configure do
  config.active_record.whitelist_attributes = true
end

will be stored in

tracker.config.rails[:active_record][:whitelist_attributes]

Values for tracker.config.rails will still be Sexps.

Direct Known Subclasses

Rails4ConfigProcessor

Constant Summary collapse

RAILS_CONFIG =
Sexp.new(:call, nil, :config)

Constants included from Util

Util::ALL_COOKIES, Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_COOKIES, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::REQUEST_REQUEST_PARAMETERS, Util::SAFE_LITERAL, Util::SESSION, Util::SESSION_SEXP

Constants inherited from SexpProcessor

SexpProcessor::VERSION

Instance Attribute Summary

Attributes inherited from SexpProcessor

#context, #env, #expected

Instance Method Summary collapse

Methods inherited from BasicProcessor

#process_default, #process_if

Methods included from Util

#array?, #block?, #call?, #camelize, #class_name, #constant?, #contains_class?, #cookies?, #false?, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #kwsplat?, #make_call, #node_type?, #number?, #params?, #pluralize, #rails_version, #regexp?, #remove_kwsplat, #request_env?, #request_value?, #result?, #safe_literal, #safe_literal?, #safe_literal_target?, #set_env_defaults, #sexp?, #string?, #string_interp?, #symbol?, #template_path_to_name, #true?, #underscore

Methods included from ProcessorHelper

#current_file, #process_all, #process_all!, #process_call_args, #process_call_defn?, #process_module

Methods inherited from SexpProcessor

#in_context, #process, processors, #scope

Constructor Details

#initialize(*args) ⇒ Rails3ConfigProcessor

Returns a new instance of Rails3ConfigProcessor.



21
22
23
24
# File 'lib/brakeman/processors/lib/rails3_config_processor.rb', line 21

def initialize *args
  super
  @inside_config = false
end

Instance Method Details

#get_rails_config(exp) ⇒ Object

Returns an array of symbols for each ‘level’ in the config

config.action_controller.session_store = :cookie

becomes

[:action_controller, :session_store]


118
119
120
121
122
123
124
125
126
127
128
129
130
131
# File 'lib/brakeman/processors/lib/rails3_config_processor.rb', line 118

def get_rails_config exp
  if node_type? exp, :attrasgn
    attribute = exp.method.to_s[0..-2].to_sym
    get_rails_config(exp.target) << attribute
  elsif call? exp
    if exp.target == RAILS_CONFIG
      [exp.method]
    else
      get_rails_config(exp.target) << exp.method
    end
  else
    raise "WHAT"
  end
end

#include_rails_config?(exp) ⇒ Boolean

Check if an expression includes a call to set Rails config

Returns:

  • (Boolean)


96
97
98
99
100
101
102
103
104
105
106
107
108
109
# File 'lib/brakeman/processors/lib/rails3_config_processor.rb', line 96

def include_rails_config? exp
  target = exp.target
  if call? target
    if target.target == RAILS_CONFIG
      true
    else
      include_rails_config? target
    end
  elsif target == RAILS_CONFIG
    true
  else
    false
  end
end

#process_attrasgn(exp) ⇒ Object

Look for configuration settings



61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
# File 'lib/brakeman/processors/lib/rails3_config_processor.rb', line 61

def process_attrasgn exp
  return exp unless @inside_config

  if exp.target == RAILS_CONFIG
    #Get rid of '=' at end
    attribute = exp.method.to_s[0..-2].to_sym
    if exp.args.length > 1
      #Multiple arguments?...not sure if this will ever happen
      @tracker.config.rails[attribute] = exp.args
    else
      @tracker.config.rails[attribute] = exp.first_arg
    end
  elsif include_rails_config? exp
    options = get_rails_config exp
    level = @tracker.config.rails
    options[0..-2].each do |o|
      level[o] ||= {}

      option = level[o]

      if not option.is_a? Hash
        Brakeman.debug "[Notice] Skipping config setting: #{options.map(&:to_s).join(".")}"
        return exp
      end

      level = level[o]
    end

    level[options.last] = exp.first_arg
  end

  exp
end

#process_class(exp) ⇒ Object

Look for class Application < Rails::Application



50
51
52
53
54
55
56
57
58
# File 'lib/brakeman/processors/lib/rails3_config_processor.rb', line 50

def process_class exp
  if exp.class_name == :Application
    @inside_config = true
    process_all exp.body if sexp? exp.body
    @inside_config = false
  end

  exp
end

#process_config(src, current_file) ⇒ Object

Use this method to process configuration file



27
28
29
30
31
# File 'lib/brakeman/processors/lib/rails3_config_processor.rb', line 27

def process_config src, current_file
  @current_file = current_file
  res = Brakeman::AliasProcessor.new(@tracker).process_safely(src, nil, @current_file)
  process res
end

#process_iter(exp) ⇒ Object

Look for MyApp::Application.configure do … end



34
35
36
37
38
39
40
41
42
43
44
45
46
47
# File 'lib/brakeman/processors/lib/rails3_config_processor.rb', line 34

def process_iter exp
  call = exp.block_call

  if node_type?(call.target, :colon2) and
    call.target.rhs == :Application and
    call.method == :configure

    @inside_config = true
    process exp.block if sexp? exp.block
    @inside_config = false
  end

  exp
end