Class: Brakeman::Warning

Inherits:
Object
  • Object
show all
Defined in:
lib/brakeman/warning.rb

Overview

The Warning class stores information about warnings

Constant Summary collapse

TEXT_CONFIDENCE = 
{
  0 => "High",
  1 => "Medium",
  2 => "Weak",
}
CONFIDENCE = 
{
  :high => 0,
  :med => 1,
  :medium => 1,
  :low => 2,
  :weak => 2,
}
OPTIONS = 
{
  :called_from => :@called_from,
  :check => :@check,
  :class => :@class,
  :code => :@code,
  :controller => :@controller,
  :cwe_id => :@cwe_id,
  :file => :@file,
  :gem_info => :@gem_info,
  :line => :@line,
  :link => :@link,
  :link_path => :@link_path,
  :message => :@message,
  :method => :@method,
  :model => :@model,
  :template => :@template,
  :user_input => :@user_input,
  :warning_set => :@warning_set,
  :warning_type => :@warning_type,
}

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(options = {}) ⇒ Warning

options[:result] can be a result from Tracker#find_call. Otherwise, it can be nil.



50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
 
# File 'lib/brakeman/warning.rb', line 50

def initialize options = {}
  @view_name = nil

  OPTIONS.each do |key, var|
    self.instance_variable_set(var, options[key])
  end

  self.confidence = options[:confidence]

  result = options[:result]
  if result
    @code ||= result[:call]
    @file ||= result[:location][:file]

    if result[:location][:type] == :template #template result
      @template ||= result[:location][:template]
    else
      @class ||= result[:location][:class]
      @method ||= result[:location][:method]
    end
  end

  if @method.to_s =~ /^fake_filter\d+/
    @method = :before_filter
  end

  if @user_input.is_a? Brakeman::BaseCheck::Match
    @user_input_type = @user_input.type
    @user_input = @user_input.match
  elsif @user_input == false
    @user_input = nil
  end

  if not @line
    if @user_input and @user_input.respond_to? :line
      @line = @user_input.line
    elsif @code and @code.respond_to? :line
      @line = @code.line
    end
  end

  if @gem_info
    if @gem_info.is_a? Hash
      @line ||= @gem_info[:line]
      @file ||= @gem_info[:file]
    else
      # Fallback behavior returns just a string for the file name
      @file ||= @gem_info
    end
  end

  unless @warning_set
    if self.model
      @warning_set = :model
      @file ||= self.model.file
    elsif self.template
      @warning_set = :template
      @called_from = self.template.render_path
      @file ||= self.template.file
    elsif self.controller
      @warning_set = :controller
    else
      @warning_set = :warning
    end
  end

  if options[:warning_code]
    @warning_code = Brakeman::WarningCodes.code options[:warning_code]
  else
    @warning_code = nil
  end

  Brakeman.debug("Warning created without warning code: #{options[:warning_code]}") unless @warning_code

  if options[:message].is_a? String
    @message = Brakeman::Messages::Message.new(options[:message])
  end

  @format_message = nil
  @row = nil
end

Instance Attribute Details

#called_fromObject (readonly)

Returns the value of attribute called_from.



8
9
10
 
# File 'lib/brakeman/warning.rb', line 8

def called_from
  @called_from
end

#checkObject (readonly)

Returns the value of attribute check.



8
9
10
 
# File 'lib/brakeman/warning.rb', line 8

def check
  @check
end

#classObject (readonly)

Returns the value of attribute class.



8
9
10
 
# File 'lib/brakeman/warning.rb', line 8

def class
  @class
end

#codeObject

Returns the value of attribute code.



12
13
14
 
# File 'lib/brakeman/warning.rb', line 12

def code
  @code
end

#confidenceObject

Returns the value of attribute confidence.



8
9
10
 
# File 'lib/brakeman/warning.rb', line 8

def confidence
  @confidence
end

#contextObject

Returns the value of attribute context.



12
13
14
 
# File 'lib/brakeman/warning.rb', line 12

def context
  @context
end

#controllerObject (readonly)

Returns the value of attribute controller.



8
9
10
 
# File 'lib/brakeman/warning.rb', line 8

def controller
  @controller
end

#cwe_idObject (readonly)

Returns the value of attribute cwe_id.



8
9
10
 
# File 'lib/brakeman/warning.rb', line 8

def cwe_id
  @cwe_id
end

#fileObject

Returns the value of attribute file.



12
13
14
 
# File 'lib/brakeman/warning.rb', line 12

def file
  @file
end

#lineObject (readonly)

Returns the value of attribute line.



8
9
10
 
# File 'lib/brakeman/warning.rb', line 8

def line
  @line
end

#messageObject

Returns the value of attribute message.



12
13
14
 
# File 'lib/brakeman/warning.rb', line 12

def message
  @message
end

#methodObject (readonly)

Returns the value of attribute method.



8
9
10
 
# File 'lib/brakeman/warning.rb', line 8

def method
  @method
end

#modelObject (readonly)

Returns the value of attribute model.



8
9
10
 
# File 'lib/brakeman/warning.rb', line 8

def model
  @model
end

#templateObject (readonly)

Returns the value of attribute template.



8
9
10
 
# File 'lib/brakeman/warning.rb', line 8

def template
  @template
end

#user_inputObject (readonly)

Returns the value of attribute user_input.



8
9
10
 
# File 'lib/brakeman/warning.rb', line 8

def user_input
  @user_input
end

#user_input_typeObject (readonly)

Returns the value of attribute user_input_type.



8
9
10
 
# File 'lib/brakeman/warning.rb', line 8

def user_input_type
  @user_input_type
end

#warning_codeObject (readonly)

Returns the value of attribute warning_code.



8
9
10
 
# File 'lib/brakeman/warning.rb', line 8

def warning_code
  @warning_code
end

#warning_setObject (readonly)

Returns the value of attribute warning_set.



8
9
10
 
# File 'lib/brakeman/warning.rb', line 8

def warning_set
  @warning_set
end

#warning_typeObject (readonly)

Returns the value of attribute warning_type.



8
9
10
 
# File 'lib/brakeman/warning.rb', line 8

def warning_type
  @warning_type
end

Instance Method Details

#check_nameObject 



280
281
282
 
# File 'lib/brakeman/warning.rb', line 280

def check_name
  @check_name ||= self.check.sub(/^Brakeman::Check/, '')
end

#confidence_nameObject 



284
285
286
 
# File 'lib/brakeman/warning.rb', line 284

def confidence_name
  TEXT_CONFIDENCE[self.confidence]
end

#eql?(other_warning) ⇒ Boolean

Returns:

  • (Boolean) 


136
137
138
 
# File 'lib/brakeman/warning.rb', line 136

def eql? other_warning
  self.hash == other_warning.hash
end

#fingerprintObject 



250
251
252
253
254
255
256
257
 
# File 'lib/brakeman/warning.rb', line 250

def fingerprint
  loc = self.location
  location_string = loc && loc.sort_by { |k, v| k.to_s }.inspect
  warning_code_string = sprintf("%03d", @warning_code)
  code_string = @code.inspect

  Digest::SHA2.new(256).update("#{warning_code_string}#{code_string}#{location_string}#{self.file.relative}#{self.confidence}").to_s
end

#format_code(strip = true) ⇒ Object

Return String of the code output from the OutputProcessor and stripped of newlines and tabs.



165
166
167
 
# File 'lib/brakeman/warning.rb', line 165

def format_code strip = true
  format_ruby self.code, strip
end

#format_messageObject

Return formatted warning message



186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
 
# File 'lib/brakeman/warning.rb', line 186

def format_message
  return @format_message if @format_message

  @format_message = self.message.to_s.dup

  if self.line
    @format_message << " near line #{self.line}"
  end

  if self.code
    @format_message << ": #{format_code}"
  end

  @format_message
end

#format_user_input(strip = true) ⇒ Object

Return String of the user input formatted and stripped of newlines and tabs.



171
172
173
 
# File 'lib/brakeman/warning.rb', line 171

def format_user_input strip = true
  format_ruby self.user_input, strip
end

#format_with_user_input(strip = true, &block) ⇒ Object 



175
176
177
178
179
180
181
182
183
 
# File 'lib/brakeman/warning.rb', line 175

def format_with_user_input strip = true, &block
  if self.user_input
    formatted = Brakeman::OutputProcessor.new.format(code, self.user_input, &block)
    formatted.gsub!(/(\t|\r|\n)+/, " ") if strip
    formatted
  else
    format_code
  end
end

#hashObject 



132
133
134
 
# File 'lib/brakeman/warning.rb', line 132

def hash
  self.to_s.hash
end

#linkObject 



202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
 
# File 'lib/brakeman/warning.rb', line 202

def link
  return @link if @link

  if @link_path
    if @link_path.start_with? "http"
      @link = @link_path
    else
      @link = "https://brakemanscanner.org/docs/warning_types/#{@link_path}"
    end
  else
    warning_path = self.warning_type.to_s.downcase.gsub(/\s+/, '_') + "/"
    @link = "https://brakemanscanner.org/docs/warning_types/#{warning_path}"
  end

  @link
end

#location(include_renderer = true) ⇒ Object 



259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
 
# File 'lib/brakeman/warning.rb', line 259

def location include_renderer = true
  case @warning_set
  when :template
    { :type => :template, :template => self.view_name(include_renderer) }
  when :model
    { :type => :model, :model => self.model.name }
  when :controller
    { :type => :controller, :controller => self.controller }
  when :warning
    if self.class
      { :type => :method, :class => self.class, :method => self.method }
    else
      nil
    end
  end
end

#relative_pathObject 



276
277
278
 
# File 'lib/brakeman/warning.rb', line 276

def relative_path
  self.file.relative
end

#to_hash(absolute_paths: true) ⇒ Object 



288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
 
# File 'lib/brakeman/warning.rb', line 288

def to_hash absolute_paths: true
  if self.called_from and not absolute_paths
    render_path = self.called_from.with_relative_paths
  else
    render_path = self.called_from
  end

  { :warning_type => self.warning_type,
    :warning_code => @warning_code,
    :fingerprint => self.fingerprint,
    :check_name => self.check_name,
    :message => self.message.to_s,
    :file => (absolute_paths ? self.file.absolute : self.file.relative),
    :line => self.line,
    :link => self.link,
    :code => (@code && self.format_code(false)),
    :render_path => render_path,
    :location => self.location(false),
    :user_input => (@user_input && self.format_user_input(false)),
    :confidence => self.confidence_name,
    :cwe_id => cwe_id
  }
end

#to_jsonObject 



312
313
314
 
# File 'lib/brakeman/warning.rb', line 312

def to_json
  JSON.generate self.to_hash
end

#to_row(type = :warning) ⇒ Object

Generates a hash suitable for inserting into a table



220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
 
# File 'lib/brakeman/warning.rb', line 220

def to_row type = :warning
  @row = { "Confidence" => TEXT_CONFIDENCE[self.confidence],
    "Warning Type" => self.warning_type.to_s,
    "CWE ID" => self.cwe_id,
    "Message" => self.message }

  case type
  when :template
    @row["Template"] = self.view_name.to_s
  when :model
    @row["Model"] = self.model.name.to_s
  when :controller
    @row["Controller"] = self.controller.to_s
  when :warning
    @row["Class"] = self.class.to_s
    @row["Method"] = self.method.to_s
  end

  @row
end

#to_sObject 



241
242
243
244
245
246
247
248
 
# File 'lib/brakeman/warning.rb', line 241

def to_s
 output =  "(#{TEXT_CONFIDENCE[self.confidence]}) #{self.warning_type} - #{self.message}"
 output << " near line #{self.line}" if self.line
 output << " in #{self.file.relative}" if self.file
 output << ": #{self.format_code}" if self.code

 output
end

#view_name(include_renderer = true) ⇒ Object

Returns name of a view, including where it was rendered from



155
156
157
158
159
160
161
 
# File 'lib/brakeman/warning.rb', line 155

def view_name(include_renderer = true)
  if called_from and include_renderer
    @view_name = "#{template.name} (#{called_from.last})"
  else
    @view_name = template.name
  end
end