Use helper methods for results from FindCall

commit 1d34049ba37413fb4992895179d75eaeb7103a13 1 parent 50ccef0
@presidentbeef authored
15 lib/brakeman/checks/base_check.rb
@@ -173,8 +173,8 @@ def mass_assign_disabled?
matches = tracker.check_initializers([], :attr_accessible)
matches.each do |result|
- if result[1] == "ActiveRecord" and result[2] == :Base
- arg = result[-1].first_arg
+ if result.module == "ActiveRecord" and result.result_class == :Base
+ arg = result.call.first_arg
if arg.nil? or node_type? arg, :nil
@mass_assign_disabled = true
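Review bot: The rewritten condition `if result.module == "ActiveRecord" and result.result_class == :Base` keeps `and` for boolean logic; `and` binds looser than `==`/`=` and is conventionally reserved for control flow, so it should read `if result.module == "ActiveRecord" && result.result_class == :Base`. This hunk and the three below it also replace plain `result[-1]` indexing with `result.call`, which (per the bm_sexp.rb change in this commit) goes through `expect :result`; if `tracker.check_initializers` can ever yield an entry that is not a `:result` Sexp, that presumably raises where the old index access did not, so it is worth confirming what `check_initializers` returns. The enclosing `mass_assign_disabled?` begins before this hunk.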
@@ -185,8 +185,8 @@ def mass_assign_disabled?
else
#Check for ActiveRecord::Base.send(:attr_accessible, nil)
matches.each do |result|
- if call? result[-1]
- call = result[-1]
+ call = result.call
+ if call? call
if call.first_arg == Sexp.new(:lit, :attr_accessible) and call.second_arg == Sexp.new(:nil)
@mass_assign_disabled = true
break
@@ -196,7 +196,7 @@ def mass_assign_disabled?
end
end
- #There is a chance someon is using Rails 3.x and the `strong_parameters`
+ #There is a chance someone is using Rails 3.x and the `strong_parameters`
#gem and still using hack above, so this is a separate check for
#including ActiveModel::ForbiddenAttributesProtection in
#ActiveRecord::Base in an initializer.
@@ -204,8 +204,9 @@ def mass_assign_disabled?
matches = tracker.check_initializers([], :include)
matches.each do |result|
- if call? result[-1]
- if result[-1].first_arg == Sexp.new(:colon2, Sexp.new(:const, :ActiveModel), :ForbiddenAttributesProtection)
+ call = result.call
+ if call? call
+ if call.first_arg == Sexp.new(:colon2, Sexp.new(:const, :ActiveModel), :ForbiddenAttributesProtection)
@mass_assign_disabled = true
end
end
2  lib/brakeman/checks/check_cross_site_scripting.rb
@@ -60,7 +60,7 @@ def run_check
json_escape_on = false
initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
- initializers.each {|result| json_escape_on = true?(result[-1].first_arg) }
+ initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
if !json_escape_on or version_between? "0.0.0", "2.0.99"
@known_dangerous << :to_json
25 lib/ruby_parser/bm_sexp.rb
@@ -147,13 +147,15 @@ def target= exp
#s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1)))
# ^- method
def method
- expect :call, :attrasgn, :super, :zsuper
+ expect :call, :attrasgn, :super, :zsuper, :result
case self.node_type
when :call, :attrasgn
self[2]
when :super, :zsuper
:super
+ when :result
+ self.last
end
end
@@ -492,6 +494,27 @@ def parent_name
expect :class
self[2]
end
+
+ #Returns the call Sexp in a result returned from FindCall
+ def call
+ expect :result
+
+ self.last
+ end
+
+ #Returns the module the call is inside
+ def module
+ expect :result
+
+ self[1]
+ end
+
+ #Return the class the call is inside
+ def result_class
+ expect :result
+
+ self[2]
+ end
end
#Invalidate hash cache if the Sexp changes
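Review bot: The three new accessors `call`, `module` and `result_class` read fixed positions of a `:result` Sexp, but the layout they depend on is stated nowhere; a comment above `call` such as `# A :result Sexp (presumably built by FindCall) is laid out s(:result, module, class, call) - confirm against FindCall` would let a reader check the `self[1]`, `self[2]` and `self.last` indices. Naming `result_class` to avoid clashing with `Object#class` while leaving its sibling as bare `module` reads unevenly; `result_module` would make the pair symmetric. Defining `Sexp#call` also means every Sexp now answers `respond_to?(:call)`, which may mislead any code that uses that check to detect callables, so a grep for such checks is worthwhile. The `when :result` branch added to `method` in the earlier hunk returns the same `self.last` as `call`, so `method` no longer consistently returns a method name across node types; either drop that branch in favour of `call` or note the exception in `method`'s comment.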