Class: Brakeman::HamlTemplateProcessor

Inherits:
TemplateProcessor show all
Defined in:
lib/brakeman/processors/haml_template_processor.rb

Overview

Processes HAML templates.

Constant Summary collapse

HAML_FORMAT_METHOD =
/format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
HAML_HELPERS =
s(:colon2, s(:const, :Haml), :Helpers)

Constants inherited from BaseProcessor

BaseProcessor::IGNORE

Constants included from Util

Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION, Util::SESSION_SEXP

Constants inherited from SexpProcessor

SexpProcessor::VERSION

Instance Attribute Summary

Attributes inherited from SexpProcessor

#context, #env, #expected

Instance Method Summary collapse

Methods inherited from TemplateProcessor

#initialize, #process, #process_escaped_output, #process_lasgn, #process_output

Methods inherited from BaseProcessor

#find_render_type, #ignore, #initialize, #make_render, #make_render_in_view, #process_arglist, #process_attrasgn, #process_default, #process_dstr, #process_evstr, #process_hash, #process_if, #process_ignore, #process_iter, #process_lasgn, #process_scope

Methods included from Util

#array?, #block?, #call?, #camelize, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #github_url, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #make_call, #node_type?, #number?, #params?, #pluralize, #regexp?, #relative_path, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #symbol?, #table_to_csv, #template_path_to_name, #true?, #truncate_table, #underscore

Methods included from ProcessorHelper

#class_name, #process_all, #process_all!, #process_call_args, #process_class, #process_module

Methods inherited from SexpProcessor

#error_handler, #in_context, #initialize, #process, #process_dummy, #scope

Constructor Details

This class inherits a constructor from Brakeman::TemplateProcessor

Instance Method Details

#build_output_from_push_text(exp) ⇒ Object

HAML likes to put interpolated values into _hamlout.push_text but we want to handle those individually


122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
# File 'lib/brakeman/processors/haml_template_processor.rb', line 122

def build_output_from_push_text exp
  if node_type? exp, :string_interp, :dstr
    exp.map! do |e|
      if sexp? e
        if node_type? e, :string_eval, :evstr
          e = e.value
        end

        get_pushed_value e
      else
        e
      end
    end
  end
end

#get_pushed_value(exp) ⇒ Object

Gets outputs from values interpolated into _hamlout.push_text


139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
# File 'lib/brakeman/processors/haml_template_processor.rb', line 139

def get_pushed_value exp
  return exp unless sexp? exp
  
  case exp.node_type
  when :format
    exp.node_type = :output
    @current_template[:outputs] << exp
    exp
  when :format_escaped
    exp.node_type = :escaped_output
    @current_template[:outputs] << exp
    exp
  when :str, :ignore, :output, :escaped_output
    exp
  when :block, :rlist, :string_interp, :dstr
    exp.map! { |e| get_pushed_value e }
  else
    if call? exp and exp.target == HAML_HELPERS and exp.method == :html_escape
      s = Sexp.new(:escaped_output, exp.first_arg)
    else
      s = Sexp.new(:output, exp)
    end

    s.line(exp.line)
    @current_template[:outputs] << s
    s
  end
end

#is_buffer_target?(exp) ⇒ Boolean

Checks if the buffer is the target in a method call Sexp. TODO: Test this

Returns:

  • (Boolean)

113
114
115
116
117
118
# File 'lib/brakeman/processors/haml_template_processor.rb', line 113

def is_buffer_target? exp
  exp.node_type == :call and
  node_type? exp.target, :lvar and
  exp.target.value == :_hamlout and
  exp.method == :buffer
end

#process_block(exp) ⇒ Object

If inside an output stream, only return the final expression


88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# File 'lib/brakeman/processors/haml_template_processor.rb', line 88

def process_block exp
  exp = exp.dup
  exp.shift
  if @inside_concat
    @inside_concat = false
    exp[0..-2].each do |e|
      process e
    end
    @inside_concat = true
    process exp[-1]
  else
    exp.map! do |e|
      res = process e
      if res.empty?
        nil
      else
        res
      end
    end
    Sexp.new(:rlist).concat(exp).compact
  end
end

#process_call(exp) ⇒ Object

Processes call, looking for template output


9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
# File 'lib/brakeman/processors/haml_template_processor.rb', line 9

def process_call exp
  target = exp.target
  if sexp? target
    target = process target
  end

  method = exp.method

  if (call? target and target.method == :_hamlout)
    res = case method
          when :adjust_tabs, :rstrip!, :attributes #Check attributes, maybe?
            ignore
          when :options, :buffer
            exp
          when :open_tag
            process_call_args exp
          else
            arg = exp.first_arg

            if arg
              @inside_concat = true
              out = exp.first_arg = process(arg)
              @inside_concat = false
            else
              raise "Empty _hamlout.#{method}()?"
            end

            if string? out
              ignore
            else
              case method.to_s
              when "push_text"
                build_output_from_push_text(out)
              when HAML_FORMAT_METHOD
                if $4 == "true"
                  Sexp.new :format_escaped, out
                else
                  Sexp.new :format, out
                end
              else
                raise "Unrecognized action on _hamlout: #{method}"
              end
            end

          end

    res.line(exp.line)
    res

    #_hamlout.buffer <<
    #This seems to be used rarely, but directly appends args to output buffer.
    #Has something to do with values of blocks?
  elsif sexp? target and method == :<< and is_buffer_target? target
    @inside_concat = true
    out = exp.first_arg = process(exp.first_arg)
    @inside_concat = false

    if out.node_type == :str #ignore plain strings
      ignore
    else
      s = Sexp.new(:output, out)
      @current_template[:outputs] << s
      s.line(exp.line)
      s
    end
  elsif target == nil and method == :render
    #Process call to render()
    exp.arglist = process exp.arglist
    make_render_in_view exp
  else
    #TODO: Do we really need a new Sexp here?
    call = make_call target, method, process_all!(exp.args)
    call.original_line = exp.original_line
    call.line(exp.line)
    call
  end
end