社会瑞弟呀 / brakeman (GitCode)
Commit 294d4bed
Authored Dec 06, 2012 by Justin Collins
Remove more uses of Sexp#args
Parent: 63249fa7
Showing 5 changed files with 40 additions and 25 deletions (+40 -25)
lib/brakeman/checks/check_mass_assignment.rb  +27 -13
lib/brakeman/checks/check_send.rb  +2 -2
lib/brakeman/checks/check_sql.rb  +1 -2
lib/brakeman/checks/check_without_protection.rb  +1 -1
lib/brakeman/processors/base_processor.rb  +9 -7
lib/brakeman/checks/check_mass_assignment.rb (view file @ 294d4bed)
@@ -78,13 +78,14 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
#Want to ignore calls to Model.new that have no arguments
def
check_call
call
args
=
process_all!
call
.
args
process_call_args
call
first_arg
=
call
.
first_arg
if
args
.
empty
?
#empty new()
if
first_arg
.
nil
?
#empty new()
false
elsif
hash
?
args
.
first
and
not
include_user_input?
args
.
first
elsif
hash
?
first_arg
and
not
include_user_input?
first_arg
false
elsif
all_literal
s?
args
elsif
all_literal
_args?
call
false
else
true
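Review bot: the return value of `process_call_args call` is discarded and `call.first_arg` is read right after it, so this check now depends on `process_call_args` rewriting the call's arguments in place; the removed `args = process_all! call.args` worked on the returned, processed copies instead. If `process_call_args` does not mutate `call`, `first_arg`, the `hash? first_arg and not include_user_input? first_arg` test and `all_literal_args? call` all see unprocessed arguments and user input can be missed. Either state the in-place contract in a comment on `process_call_args` or assign its result and read the first argument from that.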
@@ -93,17 +94,30 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
LITERALS
=
Set
[
:lit
,
:true
,
:false
,
:nil
,
:
string
]
def
all_literals?
args
args
.
all?
do
|
arg
|
if
sexp?
arg
if
arg
.
node_type
==
:hash
all_literals?
arg
else
LITERALS
.
include?
arg
.
node_type
end
def
all_literal_args?
exp
if
call?
exp
exp
.
each_arg
do
|
arg
|
return
false
unless
literal?
arg
end
true
else
exp
.
all?
do
|
arg
|
literal?
arg
end
end
end
def
literal?
exp
if
sexp?
exp
if
exp
.
node_type
==
:hash
all_literal_args?
exp
else
tru
e
LITERALS
.
include?
exp
.
node_typ
e
end
else
true
end
end
end
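Review bot: `literal?` answers true for anything that is not a Sexp (the trailing `else true`), and the non-call branch of `all_literal_args?` runs `exp.all? do |arg| literal? arg end` over the raw sexp, so for a `:hash` it also visits the leading `:hash` node-type symbol and relies on that fallback to accept it. That works, but the two new helpers carry no documentation at all (the removed `all_literals?` had none either); add a comment on `all_literal_args?` saying it takes either a call (checks each argument) or a hash sexp (checks keys and values), and one on `literal?` saying why a bare non-Sexp value counts as literal.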
lib/brakeman/checks/check_send.rb (view file @ 294d4bed)
@@ -16,10 +16,10 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
end
def
process_result
result
args
=
process_all!
result
[
:call
].
args
process_call_args
result
[
:call
]
target
=
process
result
[
:call
].
target
if
input
=
has_immediate_user_input?
(
args
.
first
)
if
input
=
has_immediate_user_input?
(
result
[
:call
].
first_arg
)
warn
:result
=>
result
,
:warning_type
=>
"Dangerous Send"
,
:message
=>
"User controlled method execution"
,
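Review bot: `result[:call]` is now indexed three times in a row (`process_call_args result[:call]`, `process result[:call].target`, `has_immediate_user_input?(result[:call].first_arg)`); binding it once, as check_without_protection.rb does with `call = res[:call]`, would read better and make it clear that the argument processing and the `first_arg` lookup operate on the same node. As with the mass-assignment check, the discarded return value of `process_call_args` means the `first_arg` test only sees processed input if that method mutates the call in place.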
lib/brakeman/checks/check_sql.rb (view file @ 294d4bed)
@@ -486,9 +486,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
target
=
exp
.
target
method
=
exp
.
method
args
=
exp
.
args
if
string?
target
or
string?
args
.
first
if
string?
target
or
string?
exp
.
first_arg
if
STRING_METHODS
.
include?
method
return
exp
end
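Review bot: the `args = exp.args` local is removed but the hunk's context ends at `return exp end`, so confirm nothing further down in this method still refers to `args` (it would now raise NameError at runtime rather than at load time). Also, `args.first` returned nil for a call with no arguments and `string?` tolerated that; `exp.first_arg` must behave the same way for this branch to remain safe on calls such as bare `.where`.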
lib/brakeman/checks/check_without_protection.rb (view file @ 294d4bed)
@@ -33,7 +33,7 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
#All results should be Model.new(...) or Model.attributes=() calls
def
process_result
res
call
=
res
[
:call
]
last_arg
=
call
.
args
.
last
last_arg
=
call
.
last_arg
if
hash
?
last_arg
and
not
call
.
original_line
and
not
duplicate?
res
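Review bot: `call.args.last` gave nil for an argument-less `Model.new`, and the following `hash? last_arg and not call.original_line ...` relies on that; check that `Sexp#last_arg` also returns nil rather than raising when the call has no arguments, since the comment above says results here are `Model.new(...)` or `Model.attributes=()` calls and the first form can be empty. A short comment that `last_arg` may be nil would make the intent explicit.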
lib/brakeman/processors/base_processor.rb (view file @ 294d4bed)
@@ -181,7 +181,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
#Generates :render node from call to render.
def
make_render
exp
,
in_view
=
false
render_type
,
value
,
rest
=
find_render_type
exp
.
args
,
in_view
render_type
,
value
,
rest
=
find_render_type
exp
,
in_view
rest
=
process
rest
result
=
Sexp
.
new
(
:render
,
render_type
,
value
,
rest
)
result
.
line
(
exp
.
line
)
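Review bot: `find_render_type` is now passed the whole call (`find_render_type exp, in_view`) instead of `exp.args`, which changes its signature; this is the only caller visible in the diff, so any other call site that still hands in an argument list would break silently by treating the arglist as a call. Grep for `find_render_type` before merging, and update the method's comment to say it takes a call node.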
@@ -195,14 +195,14 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
#:template, :text, :update, :xml
#
#And also :layout for inside templates
def
find_render_type
args
,
in_view
=
false
def
find_render_type
call
,
in_view
=
false
rest
=
Sexp
.
new
(
:hash
)
type
=
nil
value
=
nil
first_arg
=
args
.
first
first_arg
=
call
.
first_arg
if
args
.
length
==
1
and
first_arg
==
Sexp
.
new
(
:lit
,
:update
)
return
:update
,
nil
,
Sexp
.
new
(
:arglist
,
*
args
[
0
..-
2
])
#TODO HUH?
if
call
.
second_arg
.
nil?
and
first_arg
==
Sexp
.
new
(
:lit
,
:update
)
return
:update
,
nil
,
Sexp
.
new
(
:arglist
,
*
call
.
args
[
0
..-
2
])
#TODO HUH?
end
#Look for render :action, ... or render "action", ...
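Review bot: `Sexp.new(:arglist, *call.args[0..-2])` still goes through `Sexp#args`, the very accessor this commit is removing, and since this branch is only taken when `call.second_arg.nil?` (a single argument), `call.args[0..-2]` is always empty, so the expression is equivalent to `Sexp.new(:arglist)`. Writing it that way removes the last `args` use in the method and answers the `#TODO HUH?` that was carried over. The `args.length == 1` to `second_arg.nil?` change is equivalent provided `Sexp#second_arg` returns Ruby nil for a missing argument (an explicit `nil` literal is an `s(:nil)` node, not nil).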
@@ -231,10 +231,12 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
types_in_hash
<<
:layout
end
last_arg
=
call
.
last_arg
#Look for "type" of render in options hash
#For example, render :file => "blah"
if
hash
?
args
.
last
hash_iterate
(
args
.
last
)
do
|
key
,
val
|
if
hash
?
last_arg
hash_iterate
(
last_arg
)
do
|
key
,
val
|
if
symbol?
key
and
types_in_hash
.
include?
key
.
value
type
=
key
.
value
value
=
val
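Review bot: `last_arg = call.last_arg` is evaluated unconditionally above the `if hash? last_arg` that is its only use here, and the comment "Look for "type" of render in options hash" does not say that the options hash is assumed to be the final argument (`render :file => "blah"` has it as the only argument; `render "action", :layout => false` as the second). Either move the assignment into the condition or extend the comment to state that assumption, so a later reader knows why `last_arg` rather than `first_arg` is inspected.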