Use process_call_args and Sexp#each_arg

eb08c600 · Justin Collins · 4ef580b9 · eb08c600 · eb08c600 · eb08c600
10 changed file
--- a/lib/brakeman/checks/base_check.rb
+++ b/lib/brakeman/checks/base_check.rb
@@ -61,7 +61,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
  #Process calls and check if they include user input
  def process_call exp
    process exp.target if sexp? exp.target
-    process_all exp.args
+    process_call_args exp

    target = exp.target


--- a/lib/brakeman/checks/check_cross_site_scripting.rb
+++ b/lib/brakeman/checks/check_cross_site_scripting.rb
@@ -231,7 +231,6 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
    end

    method = exp.method
-    args = exp.arglist

    #Ignore safe items
    if (target.nil? and (@ignore_methods.include? method or method.to_s =~ IGNORE_LIKE)) or
@@ -252,7 +251,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
    elsif @inspect_arguments and params? exp
      @matched = Match.new(:params, exp)
    elsif @inspect_arguments
-      process args
+      process_call_args exp
    end
  end


--- a/lib/brakeman/checks/check_mail_to.rb
+++ b/lib/brakeman/checks/check_mail_to.rb
@@ -34,7 +34,7 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
    Brakeman.debug "Checking calls to mail_to for javascript encoding"

    tracker.find_call(:target => false, :method => :mail_to).each do |result|
-      result[:call].arglist.each do |arg|
+      result[:call].each_arg do |arg|
        if hash? arg
          if option = hash_access(arg, :encode)
            return result if symbol? option and option.value == :javascript

--- a/lib/brakeman/checks/check_mass_assignment.rb
+++ b/lib/brakeman/checks/check_mass_assignment.rb
@@ -78,13 +78,14 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck

  #Want to ignore calls to Model.new that have no arguments
  def check_call call
-    args = process_all! call.args
+    process_call_args call
+    first_arg = call.first_arg

-    if args.empty? #empty new()
+    if first_arg.nil? #empty new()
      false
-    elsif hash? args.first and not include_user_input? args.first
+    elsif hash? first_arg and not include_user_input? first_arg
      false
-    elsif all_literals? args
+    elsif all_literal_args? call
      false
    else
      true
@@ -93,17 +94,30 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck

  LITERALS = Set[:lit, :true, :false, :nil, :string]

-  def all_literals? args
-    args.all? do |arg|
-      if sexp? arg
-        if arg.node_type == :hash
-          all_literals? arg
-        else
-          LITERALS.include? arg.node_type
-        end
+  def all_literal_args? exp
+    if call? exp
+      exp.each_arg do |arg|
+        return false unless literal? arg
+      end
+
+      true
+    else
+      exp.all? do |arg|
+        literal? arg
+      end
+    end
+
+  end
+
+  def literal? exp
+    if sexp? exp
+      if exp.node_type == :hash
+        all_literal_args? exp
      else
-        true
+        LITERALS.include? exp.node_type
      end
+    else
+      true
    end
  end
 end
--- a/lib/brakeman/checks/check_send.rb
+++ b/lib/brakeman/checks/check_send.rb
@@ -16,7 +16,7 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
  end

  def process_result result
-    args = process_all! result[:call].args
+    process_call_args result[:call]
    target = process result[:call].target

    if input = has_immediate_user_input?(result[:call].first_arg)

--- a/lib/brakeman/processors/haml_template_processor.rb
+++ b/lib/brakeman/processors/haml_template_processor.rb
@@ -36,8 +36,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
            when :options, :buffer
              exp
            when :open_tag
-              process(exp.arglist)
-              exp
+              process_call_args exp
            else
              arg = exp.first_arg


--- a/lib/brakeman/processors/lib/find_all_calls.rb
+++ b/lib/brakeman/processors/lib/find_all_calls.rb
@@ -46,7 +46,7 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
    end

    method = exp.method
-    process_all exp.args
+    process_call_args exp

    call = { :target => target, :method => method, :call => exp, :nested => @in_target, :chain => get_chain(exp) }
    

--- a/lib/brakeman/processors/lib/find_call.rb
+++ b/lib/brakeman/processors/lib/find_call.rb
@@ -84,7 +84,7 @@ class Brakeman::FindCall < Brakeman::BaseProcessor
    target = get_target exp.target
    method = exp.method

-    process_all exp.args
+    process_call_args exp

    if match(@find_targets, target) and match(@find_methods, method)


--- a/lib/brakeman/processors/lib/processor_helper.rb
+++ b/lib/brakeman/processors/lib/processor_helper.rb
@@ -19,6 +19,16 @@ module Brakeman::ProcessorHelper
    exp
  end

+  #Process the arguments of a method call. Does not store results.
+  #
+  #This method is used because Sexp#args and Sexp#arglist create new objects.
+  def process_call_args exp
+    exp.each_arg do |a|
+      process a if sexp? a
+    end
+
+    exp
+  end
  #Sets the current module.
  def process_module exp
    module_name = class_name(exp.class_name).to_s

--- a/lib/brakeman/processors/lib/rails3_route_processor.rb
+++ b/lib/brakeman/processors/lib/rails3_route_processor.rb
@@ -200,7 +200,7 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
      #handle hash
      add_resources_routes
    elsif exp.args.all? { |s| symbol? s }
-      exp.args.each do |s|
+      exp.each_arg do |s|
        self.current_controller = s.value
        add_resources_routes
      end
@@ -212,7 +212,7 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor

  def process_resource exp
    #Does resource even take more than one controller name?
-    exp.args.each do |s|
+    exp.each_arg do |s|
      if symbol? s
        self.current_controller = pluralize(s.value.to_s)
        add_resource_routes