Class: Brakeman::TemplateAliasProcessor
- Inherits:
-
AliasProcessor
- Object
- SexpProcessor
- AliasProcessor
- Brakeman::TemplateAliasProcessor
- Includes:
- RenderHelper
- Defined in:
- lib/brakeman/processors/template_alias_processor.rb
Overview
Processes aliasing in templates. Handles calls to render.
Constant Summary
- FORM_METHODS =
Set[:form_for, :remote_form_for, :form_remote_for]
- HAML_CAPTURE =
[:capture, :capture_haml]
- UNKNOWN_MODEL_CALL =
Sexp.new(:call, Sexp.new(:const, Brakeman::Tracker::UNKNOWN_MODEL), :new)
- FORM_BUILDER_CALL =
Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new)
- COLLECTION_METHODS =
[:all, :find, :select, :where]
Constants inherited from AliasProcessor
AliasProcessor::ARRAY_CONST, AliasProcessor::HASH_CONST, AliasProcessor::RAILS_DEV, AliasProcessor::RAILS_TEST, AliasProcessor::STRING_NEW, AliasProcessor::TEMP_FILE_CLASS
Constants included from CallConversionHelper
CallConversionHelper::STRING_LENGTH_LIMIT
Constants included from Util
Util::ALL_COOKIES, Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::DIR_CONST, Util::LITERALS, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_COOKIES, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::REQUEST_REQUEST_PARAMETERS, Util::SAFE_LITERAL, Util::SESSION, Util::SESSION_SEXP, Util::SIMPLE_LITERALS
Constants inherited from SexpProcessor
Instance Attribute Summary
Attributes inherited from AliasProcessor
Attributes inherited from SexpProcessor
Instance Method Summary
-
#find_push_target(exp) ⇒ Object
Ignore `<<` calls on template variables which are used by the templating library (HAML, ERB, etc.).
-
#get_model_target(exp) ⇒ Object
Checks if `exp` is a call to Model.all or Model.find*.
- #haml_capture?(exp) ⇒ Boolean
-
#initialize(tracker, template, called_from = nil) ⇒ TemplateAliasProcessor
constructor
A new instance of TemplateAliasProcessor.
-
#process_iter(exp) ⇒ Object
Looks for form methods and iterating over collections of Models.
- #process_lasgn(exp) ⇒ Object
-
#process_template(name, args, _, line = nil) ⇒ Object
Process template.
-
#template_name(name) ⇒ Object
Determine template name.
Methods included from RenderHelper
#get_class_target, #get_options, #process_action, #process_layout, #process_partial, #process_render
Methods inherited from AliasProcessor
#array_detect_all_literals?, #array_include_all_literals?, #assign_args, #collapse_send_call, #duplicate?, #early_return?, #find_method, #get_call_value, #get_rhs, #hash_include_all_literals?, #hash_or_array_include_all_literals?, #join_item, #merge_if_branch, #meth_env, #new_string?, #only_ivars, #only_request_vars, #process_array_join, #process_attrasgn, #process_block, #process_bracket_call, #process_call, #process_case, #process_cdecl, #process_cvdecl, #process_default, #process_defn, #process_defs, #process_gasgn, #process_hash, #process_hash_merge, #process_hash_merge!, #process_helper_method, #process_iasgn, #process_if, #process_if_branch, #process_masgn, #process_op_asgn1, #process_op_asgn2, #process_or_simple_operation, #process_or_target, #process_safely, #process_scope, #process_svalue, #raise?, #replace, #same_value?, #self_assign?, #self_assign_target?, #self_assign_var?, #set_value, #simple_when?, #splat_array?, #temp_file_new, #temp_file_open?, #too_deep?, #top_target, #value_from_case, #value_from_if
Methods included from CallConversionHelper
#hash_values_at, #join_arrays, #join_strings, #math_op, #process_array_access, #process_hash_access
Methods included from Util
#all_literals?, #array?, #block?, #call?, #camelize, #class_name, #constant?, #contains_class?, #cookies?, #dir_glob?, #false?, #hash?, #hash_access, #hash_insert, #hash_iterate, #hash_values, #integer?, #kwsplat?, #literal?, #make_call, #node_type?, #number?, #params?, #pluralize, #rails_version, #recurse_check?, #regexp?, #remove_kwsplat, #request_env?, #request_value?, #result?, #safe_literal, #safe_literal?, #safe_literal_target?, #set_env_defaults, #sexp?, #simple_literal?, #string?, #string_interp?, #symbol?, #template_path_to_name, #true?, #underscore
Methods included from ProcessorHelper
#current_file, #process_all, #process_all!, #process_call_args, #process_call_defn?, #process_class, #process_module
Methods inherited from SexpProcessor
#in_context, #process, processors, #scope
Constructor Details
#initialize(tracker, template, called_from = nil) ⇒ TemplateAliasProcessor
Returns a new instance of TemplateAliasProcessor.
# File 'lib/brakeman/processors/template_alias_processor.rb', line 14 def initialize tracker, template, called_from = nil super tracker @template = template @current_file = template.file @called_from = called_from end |
Instance Method Details
#find_push_target(exp) ⇒ Object
Ignore `<<` calls on template variables which are used by the templating library (HAML, ERB, etc.)
# File 'lib/brakeman/processors/template_alias_processor.rb', line 135 def find_push_target exp if sexp? exp if exp.node_type == :lvar and (exp.value == :_buf or exp.value == :_erbout) return nil elsif exp.node_type == :ivar and exp.value == :@output_buffer return nil elsif exp.node_type == :call and call? exp.target and exp.target.method == :_hamlout and exp.method == :buffer return nil end end super end |
#get_model_target(exp) ⇒ Object
Checks if `exp` is a call to Model.all or Model.find*
# File 'lib/brakeman/processors/template_alias_processor.rb', line 117 def get_model_target exp if call? exp target = exp.target if COLLECTION_METHODS.include? exp.method or exp.method.to_s[0,4] == "find" models = Set.new @tracker.models.keys name = class_name target return target if models.include?(name) end return get_model_target(target) end false end |
#haml_capture?(exp) ⇒ Boolean
# File 'lib/brakeman/processors/template_alias_processor.rb', line 62 def haml_capture? exp node_type? exp, :iter and call? exp.block_call and HAML_CAPTURE.include? exp.block_call.method end |
#process_iter(exp) ⇒ Object
Looks for form methods and iterating over collections of Models
# File 'lib/brakeman/processors/template_alias_processor.rb', line 80 def process_iter exp process_default exp call = exp.block_call if call? call target = call.target method = call.method arg = exp.block_args.first_param block = exp.block #Check for e.g. Model.find.each do ... end if method == :each and arg and block and model = get_model_target(target) if arg.is_a? Symbol if model == target.target env[Sexp.new(:lvar, arg)] = Sexp.new(:call, model, :new) else env[Sexp.new(:lvar, arg)] = UNKNOWN_MODEL_CALL end process block if sexp? block end elsif FORM_METHODS.include? method if arg.is_a? Symbol env[Sexp.new(:lvar, arg)] = FORM_BUILDER_CALL process block if sexp? block end end end exp end |
#process_lasgn(exp) ⇒ Object
# File 'lib/brakeman/processors/template_alias_processor.rb', line 40 def process_lasgn exp if exp.lhs == :haml_temp or haml_capture? exp.rhs exp.rhs = process exp.rhs # Avoid propagating contents of block if node_type? exp.rhs, :iter new_exp = exp.dup new_exp.rhs = exp.rhs.block_call super new_exp exp # Still save the original, though else super exp end else super exp end end |
#process_template(name, args, _, line = nil) ⇒ Object
Process template
# File 'lib/brakeman/processors/template_alias_processor.rb', line 22 def process_template name, args, _, line = nil # Strip forward slash from beginning of template path. # This also happens in RenderHelper#process_template but # we need it here too to accurately avoid circular renders below. name = name.to_s.gsub(/^\//, "") if @called_from if @called_from.include_template? name Brakeman.debug "Skipping circular render from #{@template.name} to #{name}" return end super name, args, @called_from.dup.add_template_render(@template.name, line, @current_file), line else super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @current_file), line end end |
#template_name(name) ⇒ Object
Determine template name
# File 'lib/brakeman/processors/template_alias_processor.rb', line 69 def template_name name if !name.to_s.include?('/') && @template.name.to_s.include?('/') name = "#{@template.name.to_s.match(/^(.*\/).*$/)[1]}#{name}" end name end |