Merge pull request #315 from presidentbeef/deal_with_controller_inside_class

Only treat controllers like controllers

lib/brakeman/processors/controller_processor.rb

@@ -24,6 +24,12 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
   def process_class exp
     name = class_name(exp.class_name)
 
+    if not name.to_s.match(/Controller$/)
+      #Skip classes that are not controllers, but treat as a module because
+      #a class that is not a controller might contain a controller
+      return process_module exp
+    end
+
     if @controller
       Brakeman.debug "[Notice] Skipping inner class: #{name}"
       return ignore

test/apps/rails3/app/controllers/nested_controller.rb

+class Whatever
+  module Wherever
+    class NestedController < ApplicationController
+      def so_nested
+        @bad_thing = params[:x]
+      end
+    end
+  end
+end

test/apps/rails3/app/views/whatever/wherever/nested/so_nested.html.erb

+<%= raw @bad_thing %>

test/tests/test_rails3.rb

@@ -14,7 +14,7 @@ class Rails3Tests < Test::Unit::TestCase
     @expected ||= {
       :controller => 1,
       :model => 8,
-      :template => 36,
+      :template => 37,
       :warning => 53
     }
 
@@ -824,6 +824,16 @@ class Rails3Tests < Test::Unit::TestCase
       :file => /test_params\.html\.erb/
   end
 
+  def test_cross_site_scripting_in_nested_controller
+    assert_warning :type => :template,
+      :warning_code => 2,
+      :warning_type => "Cross Site Scripting",
+      :line => 1,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 0,
+      :file => /so_nested\.html\.erb/
+  end
+
   def test_cross_site_scripting_select_tag_CVE_2012_3463
     assert_warning :type => :template,
       :warning_type => "Cross Site Scripting",