Merge pull request presidentbeef#1280 from presidentbeef/track_render…

…ed_template_with_render_path Add rendered template information to render paths
attackgithub · Nov 13, 2018 · dd0b5d2 · dd0b5d2
2 parents 55fcbe8 + 306ed7b
commit dd0b5d2
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 0 deletions.
diff --git a/lib/brakeman/processors/lib/render_helper.rb b/lib/brakeman/processors/lib/render_helper.rb
@@ -65,6 +65,11 @@ def process_template name, args, called_from = nil, *_
       return
     end
 
+    if called_from
+      # Track actual template that was rendered
+      called_from.last_template = template
+    end
+
     template_env = only_ivars(:include_request_vars)
 
     #Hash the environment and the source of the template to avoid

diff --git a/lib/brakeman/processors/lib/render_path.rb b/lib/brakeman/processors/lib/render_path.rb
@@ -29,6 +29,17 @@ def add_template_render template_name, line, file
       self
     end
 
+    def last_template= template
+      if @path.last
+        @path.last[:rendered] = {
+          name: template.name,
+          file: template.file,
+        }
+      else
+        Brakeman.debug "[Notice] No render path to add template information"
+      end
+    end
+
     def include_template? name
       name = name.to_sym
 
@@ -71,6 +82,10 @@ def length
       @path.length
     end
 
+    def map &block
+      @path.map &block
+    end
+
     def to_a
       @path.map do |loc|
         case loc[:type]

diff --git a/lib/brakeman/report/report_json.rb b/lib/brakeman/report/report_json.rb
@@ -38,8 +38,29 @@ def generate_report
   def convert_to_hashes warnings
     warnings.map do |w|
       hash = w.to_hash
+      hash[:render_path] = convert_render_path hash[:render_path]
       hash[:file] = warning_file w
+
       hash
     end.sort_by { |w| "#{w[:fingerprint]}#{w[:line]}" }
   end
+
+  def convert_render_path render_path
+    return unless render_path and not @tracker.options[:absolute_paths]
+
+    render_path.map do |r|
+      r = r.dup
+
+      if r[:file]
+        r[:file] = relative_path(r[:file])
+      end
+
+      if r[:rendered] and r[:rendered][:file]
+        r[:rendered] = r[:rendered].dup
+        r[:rendered][:file] = relative_path(r[:rendered][:file])
+      end
+
+      r
+    end
+  end
 end
diff --git a/test/tests/json_output.rb b/test/tests/json_output.rb
@@ -13,6 +13,29 @@ def test_for_render_path
     end
   end
 
+  def test_for_render_path_keys
+    controller_keys = %w[type class method line file].sort
+    template_keys = %w[type name line file].sort
+    rendered_keys = %w[name file].sort
+
+    @@json["warnings"].each do |warning|
+      if rp = warning["render_path"]
+        case rp["type"]
+        when "controller"
+          assert_equal controller_keys, rp.keys.sort
+        when "template"
+          assert_equal template_keys, rp.keys.sort
+        else
+          raise "Unknown render path type: #{rp["type"]}"
+        end
+
+        if rp["rendered"]
+          assert_equal rendered_keys, rp["rendered"].keys.sort
+        end
+      end
+    end
+  end
+
   def test_for_expected_keys
     assert (@@json.keys - ["warnings", "ignored_warnings", "scan_info", "errors", "obsolete"]).empty?
   end