Class: Brakeman::SlimTemplateProcessor

Inherits:

TemplateProcessor

• Object
• SexpProcessor
• BaseProcessor
• TemplateProcessor
• Brakeman::SlimTemplateProcessor

Includes:

RenderHelper

Defined in:

lib/brakeman/processors/slim_template_processor.rb

Constant Summary

SAFE_BUFFER =

s(:call, s(:colon2, s(:const, :ActiveSupport), :SafeBuffer), :new)

OUTPUT_BUFFER =

s(:ivar, :@output_buffer)

TEMPLE_UTILS =

s(:colon2, s(:colon3, :Temple), :Utils)

ATTR_MERGE =

s(:call, s(:call, s(:array), :reject, s(:block_pass, s(:lit, :empty?))), :join, s(:str, " "))

EMBEDDED_FILTER =

s(:const, :BrakemanFilter)

Constants inherited from BaseProcessor

BaseProcessor::IGNORE

Constants included from Util

Util::ALL_COOKIES, Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::DIR_CONST, Util::LITERALS, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_COOKIES, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::REQUEST_REQUEST_PARAMETERS, Util::SAFE_LITERAL, Util::SESSION, Util::SESSION_SEXP, Util::SIMPLE_LITERALS

Constants inherited from SexpProcessor

Brakeman::SexpProcessor::VERSION

Instance Attribute Summary

Attributes inherited from SexpProcessor

#context, #env, #expected

Instance Method Summary

• #add_escaped_output(exp) ⇒ Object
• #embedded_filter?(arg) ⇒ Boolean

  Handle our “fake” embedded filters.

• #internal_variable?(exp) ⇒ Boolean
• #is_escaped?(exp) ⇒ Boolean
• #normalize_output(arg) ⇒ Object
• #process_call(exp) ⇒ Object
• #process_inside_interp(exp) ⇒ Object

  Slim likes to interpolate output into strings then pass them to safe_concat.

• #process_interp_output(exp) ⇒ Object
• #process_render(exp) ⇒ Object
• #render?(exp) ⇒ Boolean

Methods included from RenderHelper

#get_class_target, #get_options, #process_action, #process_layout, #process_partial, #process_template, #template_name

Methods inherited from TemplateProcessor

#add_output, #initialize, #process, #process_escaped_output, #process_lasgn, #process_output

Methods inherited from BaseProcessor

#find_render_type, #ignore, #initialize, #make_inline_render, #make_render, #make_render_in_view, #process_arglist, #process_attrasgn, #process_block, #process_cdecl, #process_default, #process_dstr, #process_evstr, #process_file, #process_hash, #process_if, #process_ignore, #process_iter, #process_lasgn, #process_scope

Methods included from Util

#all_literals?, #array?, #block?, #call?, #camelize, #class_name, #constant?, #contains_class?, #cookies?, #dir_glob?, #false?, #hash?, #hash_access, #hash_insert, #hash_iterate, #hash_values, #integer?, #kwsplat?, #literal?, #make_call, #node_type?, #number?, #params?, #pluralize, #rails_version, #recurse_check?, #regexp?, #remove_kwsplat, #request_headers?, #request_value?, #result?, #safe_literal, #safe_literal?, #safe_literal_target?, #set_env_defaults, #sexp?, #simple_literal?, #string?, #string_interp?, #symbol?, #template_path_to_name, #true?, #underscore

Methods included from ProcessorHelper

#current_file, #process_all, #process_all!, #process_call_args, #process_call_defn?, #process_class, #process_module

Methods inherited from SexpProcessor

#in_context, #initialize, #process, processors, #scope

Constructor Details

This class inherits a constructor from Brakeman::TemplateProcessor

Instance Method Details

#add_escaped_output(exp) ⇒ Object

# File 'lib/brakeman/processors/slim_template_processor.rb', line 97

def add_escaped_output exp
  exp = normalize_output(exp)

  return exp if string? exp or internal_variable? exp

  super exp
end

#embedded_filter?(arg) ⇒ Boolean

Handle our “fake” embedded filters

Returns:

• (Boolean)

# File 'lib/brakeman/processors/slim_template_processor.rb', line 59

def embedded_filter? arg
  call? arg and arg.method == :render and arg.target == EMBEDDED_FILTER
end

#internal_variable?(exp) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/brakeman/processors/slim_template_processor.rb', line 111

def internal_variable? exp
  node_type? exp, :lvar and
  exp.value =~ /^_(temple_|slim_)/
end

#is_escaped?(exp) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/brakeman/processors/slim_template_processor.rb', line 105

def is_escaped? exp
  call? exp and
  exp.target == TEMPLE_UTILS and
  (exp.method == :escape_html or exp.method == :escape_html_safe)
end

#normalize_output(arg) ⇒ Object

# File 'lib/brakeman/processors/slim_template_processor.rb', line 48

def normalize_output arg
  arg = super(arg)

  if embedded_filter? arg
    super(arg.first_arg)
  else
    arg
  end
end

#process_call(exp) ⇒ Object

# File 'lib/brakeman/processors/slim_template_processor.rb', line 13

def process_call exp
  target = exp.target
  method = exp.method

  if method == :safe_concat and (target == SAFE_BUFFER or target == OUTPUT_BUFFER)
    arg = normalize_output(exp.first_arg)

    if is_escaped? arg
      add_escaped_output arg.first_arg
    elsif string? arg
      ignore
    elsif render? arg
      add_output make_render_in_view arg
    elsif string_interp? arg
      process_inside_interp arg
    elsif node_type? arg, :ignore
      ignore
    elsif internal_variable? arg
      ignore
    elsif arg == ATTR_MERGE
      ignore
    else
      add_output arg
    end
  elsif is_escaped? exp
    add_escaped_output arg
  elsif target == nil and method == :render
    exp.arglist = process exp.arglist
    make_render_in_view exp
  else
    exp.arglist = process exp.arglist
    exp
  end
end

#process_inside_interp(exp) ⇒ Object

Slim likes to interpolate output into strings then pass them to safe_concat. Better to pull those values out directly.

# File 'lib/brakeman/processors/slim_template_processor.rb', line 65

def process_inside_interp exp
  exp.map! do |e|
    if node_type? e, :evstr
      e.value = process_interp_output e.value
      e
    else
      e
    end
  end

  exp
end

#process_interp_output(exp) ⇒ Object

# File 'lib/brakeman/processors/slim_template_processor.rb', line 78

def process_interp_output exp
  if sexp? exp
    if node_type? exp, :if
      process_interp_output exp.then_clause
      process_interp_output exp.else_clause
    elsif exp == SAFE_BUFFER
      ignore
    elsif render? exp
      add_output make_render_in_view exp
    elsif node_type? :output, :escaped_output
      exp
    elsif is_escaped? exp
      add_escaped_output exp
    else
      add_output exp
    end
  end
end

#process_render(exp) ⇒ Object

# File 'lib/brakeman/processors/slim_template_processor.rb', line 122

def process_render exp
  #Still confused as to why this is not needed in other template processors
  #but is needed here
  exp
end

#render?(exp) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/brakeman/processors/slim_template_processor.rb', line 116

def render? exp
  call? exp and
  exp.target.nil? and
  exp.method == :render
end