Merge pull request #527 from presidentbeef/add_rails4_option

Add -4 option to force Rails 4

Merge pull request #527 from presidentbeef/add_rails4_option
Add -4 option to force Rails 4
ac2e6f06 · Justin · cf5b837c · 6e26a0f0 · ac2e6f06 · ac2e6f06
6 changed file
--- a/lib/brakeman/checks/base_check.rb
+++ b/lib/brakeman/checks/base_check.rb
@@ -177,7 +177,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
      tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)

      @mass_assign_disabled = true
-    elsif version_between?("4.0.0", "4.9.9") && (!tracker.config[:gems][:protected_attributes] || (tracker.config[:rails][:active_record] &&
+    elsif tracker.options[:rails4] && (!tracker.config[:gems][:protected_attributes] || (tracker.config[:rails][:active_record] &&
            tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)))

      @mass_assign_disabled = true

--- a/lib/brakeman/checks/check_sql.rb
+++ b/lib/brakeman/checks/check_sql.rb
@@ -19,7 +19,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
    @sql_targets = [:all, :average, :calculate, :count, :count_by_sql, :exists?, :delete_all, :destroy_all,
      :find, :find_by_sql, :first, :last, :maximum, :minimum, :pluck, :sum, :update_all]
    @sql_targets.concat [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where] if tracker.options[:rails3]
-    @sql_targets << :find_by << :find_by! if version_between? "4.0.0", "9.9.9"
+    @sql_targets << :find_by << :find_by! if tracker.options[:rails4]

    @connection_calls = [:delete, :execute, :insert, :select_all, :select_one,
      :select_rows, :select_value, :select_values]

--- a/lib/brakeman/options.rb
+++ b/lib/brakeman/options.rb
@@ -47,6 +47,11 @@ module Brakeman::Options
          options[:rails3] = true
        end

+        opts.on "-4", "--rails4", "Force Rails 4 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+        end
+
        opts.separator ""
        opts.separator "Scanning options:"


--- a/lib/brakeman/processors/gem_processor.rb
+++ b/lib/brakeman/processors/gem_processor.rb
@@ -19,9 +19,15 @@ class Brakeman::GemProcessor < Brakeman::BaseProcessor
      @tracker.config[:rails_version] = $1
    end

-    if @tracker.config[:rails_version] =~ /^(3|4)\./ and not @tracker.options[:rails3]
-      @tracker.options[:rails3] = true
-      Brakeman.notify "[Notice] Detected Rails #$1 application"
+    if @tracker.options[:rails3].nil? and @tracker.options[:rails4].nil? and @tracker.config[:rails_version]
+      if @tracker.config[:rails_version].start_with? "3"
+        @tracker.options[:rails3] = true
+        Brakeman.notify "[Notice] Detected Rails 3 application"
+      elsif @tracker.config[:rails_version].start_with? "4"
+        @tracker.options[:rails3] = true
+        @tracker.options[:rails4] = true
+        Brakeman.notify "[Notice] Detected Rails 4 application"
+      end
    end

    if @tracker.config[:gems][:rails_xss]

--- a/lib/brakeman/report/report_base.rb
+++ b/lib/brakeman/report/report_base.rb
@@ -262,9 +262,16 @@ class Brakeman::Report::Base
  end

  def rails_version
-    return tracker.config[:rails_version] if tracker.config[:rails_version]
-    return "3.x" if tracker.options[:rails3]
-    "Unknown"
+    case
+    when tracker.config[:rails_version]
+      tracker.config[:rails_version]
+    when tracker.options[:rails4]
+      "4.x"
+    when tracker.options[:rails3]
+      "3.x"
+    else
+      "Unknown"
+    end
  end

  #Escape warning message and highlight user input in text output

--- a/lib/brakeman/scanner.rb
+++ b/lib/brakeman/scanner.rb
@@ -28,14 +28,6 @@ class Brakeman::Scanner
      raise Brakeman::NoApplication, "Please supply the path to a Rails application."
    end

-    if @app_tree.exists?("script/rails")
-      options[:rails3] = true
-      Brakeman.notify "[Notice] Detected Rails 3 application"
-    elsif not @app_tree.exists?("script")
-      options[:rails3] = true # Probably need to do some refactoring
-      Brakeman.notify "[Notice] Detected Rails 4 application"
-    end
-
    @processor = processor || Brakeman::Processor.new(@app_tree, options)
  end

@@ -48,6 +40,7 @@ class Brakeman::Scanner
  def process
    Brakeman.notify "Processing gems..."
    process_gems
+    guess_rails_version
    Brakeman.notify "Processing configuration..."
    process_config
    Brakeman.notify "Parsing files..."
@@ -147,6 +140,20 @@ class Brakeman::Scanner
    tracker.error e.exception(e.message + "\nWhile processing Gemfile"), e.backtrace
  end

+  #Set :rails3/:rails4 option if version was not determined from Gemfile
+  def guess_rails_version
+    unless tracker.options[:rails3] or tracker.options[:rails4]
+      if @app_tree.exists?("script/rails")
+        tracker.options[:rails3] = true
+        Brakeman.notify "[Notice] Detected Rails 3 application"
+      elsif not @app_tree.exists?("script")
+        tracker.options[:rails3] = true # Probably need to do some refactoring
+        tracker.options[:rails4] = true
+        Brakeman.notify "[Notice] Detected Rails 4 application"
+      end
+    end
+  end
+
  #Process all the .rb files in config/initializers/
  #
  #Adds parsed information to tracker.initializers