Process Concerns in controllers

Fixes #958
presidentbeef · Nov 28, 2016 · 166026a · 166026a
1 parent 8aed569
commit 166026a
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 1 deletion.
diff --git a/lib/brakeman/processors/controller_processor.rb b/lib/brakeman/processors/controller_processor.rb
@@ -61,6 +61,16 @@ def process_module exp, parent = nil
     handle_module exp, Brakeman::Controller, parent
   end
 
+  def process_concern concern_name
+    return unless @current_class
+
+    if mod = @tracker.find_class(concern_name)
+      if mod.options[:included]
+        process mod.options[:included].deep_clone
+      end
+    end
+  end
+
   #Look for specific calls inside the controller
   def process_call exp
     return exp if process_call_defn? exp
@@ -89,7 +99,11 @@ def process_call exp
       else
         case method
         when :include
-          @current_class.add_include class_name(first_arg) if @current_class
+          if @current_class
+            concern = class_name(first_arg)
+            @current_class.add_include concern
+            process_concern concern
+          end
         when :before_filter, :append_before_filter, :before_action, :append_before_action
           if node_type? exp.first_arg, :iter
             add_lambda_filter exp

diff --git a/lib/brakeman/processors/library_processor.rb b/lib/brakeman/processors/library_processor.rb
@@ -51,4 +51,16 @@ def process_call exp
       process_default exp
     end
   end
+
+  def process_iter exp
+    res = process_default exp
+
+    if node_type? res, :iter and call? exp.block_call # sometimes this changes after processing
+      if exp.block_call.method == :included
+        (@current_module || @current_class).options[:included] = res.block
+      end
+    end
+
+    res
+  end
 end