Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Brakeman 4.7.0 fails processing routes.rb #1410

Closed
daveknapik opened this issue Oct 17, 2019 · 5 comments · Fixed by #1415

Comments

@daveknapik
Copy link

@daveknapik daveknapik commented Oct 17, 2019

Background

Brakeman version: 4.7.0
Rails version: 5.2.2
Ruby version: 2.6.3

Issue

Since upgrading Brakeman to 4.7.0 it fails both locally and on CircleCI while processing config/routes.rb. My application's routes are working just fine, so I think it could be a Brakeman bug.

Other Error

Stack trace:

Traceback (most recent call last):
	54: from /usr/local/bundle/bin/brakeman:23:in `<main>'
	53: from /usr/local/bundle/bin/brakeman:23:in `load'
	52: from /usr/local/bundle/gems/brakeman-4.7.0/bin/brakeman:10:in `<top (required)>'
	51: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/commandline.rb:20:in `start'
	50: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/commandline.rb:35:in `run'
	49: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/commandline.rb:142:in `run_report'
	48: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/commandline.rb:118:in `regular_report'
	47: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/commandline.rb:133:in `run_brakeman'
	46: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman.rb:80:in `run'
	45: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman.rb:361:in `scan'
	44: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/scanner.rb:51:in `process'
	43: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/scanner.rb:224:in `process_routes'
	42: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/processor.rb:35:in `process_routes'
	41: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/processors/lib/rails3_route_processor.rb:24:in `process_routes'
	40: from /usr/local/bundle/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:72:in `process'
	39: from /usr/local/bundle/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:113:in `in_context'
	38: from /usr/local/bundle/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:78:in `block in process'
	37: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/processors/lib/basic_processor.rb:17:in `process_default'
	36: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/processors/lib/processor_helper.rb:4:in `process_all'
	35: from /usr/local/bundle/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:139:in `each_sexp'
	34: from /usr/local/bundle/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:139:in `each'
	33: from /usr/local/bundle/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:142:in `block in each_sexp'
	32: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/processors/lib/processor_helper.rb:5:in `block in process_all'
	31: from /usr/local/bundle/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:72:in `process'
	30: from /usr/local/bundle/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:113:in `in_context'
	29: from /usr/local/bundle/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:76:in `block in process'
	28: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/processors/lib/rails3_route_processor.rb:59:in `process_iter'
	27: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/processors/lib/basic_processor.rb:17:in `process_default'
	26: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/processors/lib/processor_helper.rb:4:in `process_all'
	25: from /usr/local/bundle/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:139:in `each_sexp'
	24: from /usr/local/bundle/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:139:in `each'
	23: from /usr/local/bundle/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:142:in `block in each_sexp'
	22: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/processors/lib/processor_helper.rb:5:in `block in process_all'
	21: from /usr/local/bundle/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:72:in `process'
	20: from /usr/local/bundle/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:113:in `in_context'
	19: from /usr/local/bundle/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:78:in `block in process'
	18: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/processors/lib/basic_processor.rb:17:in `process_default'
	17: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/processors/lib/processor_helper.rb:4:in `process_all'
	16: from /usr/local/bundle/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:139:in `each_sexp'
	15: from /usr/local/bundle/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:139:in `each'
	14: from /usr/local/bundle/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:142:in `block in each_sexp'
	13: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/processors/lib/processor_helper.rb:5:in `block in process_all'
	12: from /usr/local/bundle/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:72:in `process'
	11: from /usr/local/bundle/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:113:in `in_context'
	10: from /usr/local/bundle/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:78:in `block in process'
	 9: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/processors/lib/basic_processor.rb:17:in `process_default'
	 8: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/processors/lib/processor_helper.rb:4:in `process_all'
	 7: from /usr/local/bundle/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:139:in `each_sexp'
	 6: from /usr/local/bundle/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:139:in `each'
	 5: from /usr/local/bundle/gems/brakeman-4.7.0/bundle/ruby/2.6.0/gems/sexp_processor-4.13.0/lib/sexp.rb:142:in `block in each_sexp'
	 4: from /usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/processors/lib/processor_helper.rb:5:in `block in process_all'
	 3: from /usr/local/bundle/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:72:in `process'
	 2: from /usr/local/bundle/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:113:in `in_context'
	 1: from /usr/local/bundle/gems/brakeman-4.7.0/lib/ruby_parser/bm_sexp_processor.rb:76:in `block in process'
/usr/local/bundle/gems/brakeman-4.7.0/lib/brakeman/processors/lib/rails3_route_processor.rb:47:in `process_iter': Expected call or attrasgn or safe_call or safe_attrasgn or super or zsuper or result but given s(:lambda) (WrongSexpError)
Exited with code 1
@presidentbeef

This comment has been minimized.

Copy link
Owner

@presidentbeef presidentbeef commented Oct 17, 2019

This is because of a change in ruby_parser 3.14.0.

As a temporary fix, you could use brakeman-lib and specify ruby_parser < 3.14.0 in your Gemfile.

Somewhere in your routes you are using a -> lambda. If you can share that bit of code, it would be helpful. Thanks!

@daveknapik

This comment has been minimized.

Copy link
Author

@daveknapik daveknapik commented Oct 17, 2019

Thanks! I inherited this project and haven't had to poke around much in the routes, but there is this portion that is probably the culprit:

# Monkey patch discover_path and discover_url to support passing type value of 'discover' and 'things_to_do'
#
#   ref: https://github.com/rails/rails/blob/v5.2.2/actionpack/lib/action_dispatch/routing/route_set.rb#L321-L334
#
%i(path url).each do |helper_type|
  mod = Rails.application.routes.named_routes.public_send "#{helper_type}_helpers_module"
  method_name = "discover_#{helper_type}"
  original_helper = mod.instance_method method_name

  extract_option = ->(args) {
    case args.last
    when Hash then args.pop
    when ActionController::Parameters then args.pop.to_h
    else {}
    end
  }

  translate = ->(discover_type) {
    case discover_type
    when 'discover' then 'all'
    when 'things_to_do' then 'tours-and-activities'
    else discover_type || 'all'
    end
  }
@michaelglass

This comment has been minimized.

Copy link

@michaelglass michaelglass commented Oct 17, 2019

we use stabby lambdas for constraints. There's an example in the rails guide: https://guides.rubyonrails.org/routing.html#advanced-constraints

Brakeman didn't crash hard but we got a similar error on config/application.rb

this is the line:

config.middleware.use Flipper::Middleware::SetupEnv, -> { FeatureFlag.flipper }
@lucascaton

This comment has been minimized.

Copy link

@lucascaton lucascaton commented Oct 21, 2019

Is it caused by this issue? seattlerb/ruby_parser#300

@presidentbeef

This comment has been minimized.

Copy link
Owner

@presidentbeef presidentbeef commented Oct 21, 2019

@lucascaton No, I don't think so. The issue is that ruby_parser changed how it handles ->{ } from parsing as (:call, nil, :lambda) to parsing as (:lambda). I was aware of the change but apparently missed this case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.