Class: Brakeman::HamlTemplateProcessor

Inherits:

TemplateProcessor

• Object
• SexpProcessor
• BaseProcessor
• TemplateProcessor
• Brakeman::HamlTemplateProcessor

Defined in:

lib/brakeman/processors/haml_template_processor.rb

Overview

Processes HAML templates.

Constant Summary

HAML_FORMAT_METHOD =

/format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/

HAML_HELPERS =

s(:colon2, s(:const, :Haml), :Helpers)

JAVASCRIPT_FILTER =

s(:colon2, s(:colon2, s(:const, :Haml), :Filters), :Javascript)

Constants inherited from BaseProcessor

BaseProcessor::IGNORE

Constants included from Util

Util::ALL_PARAMETERS, Util::COOKIES, Util::COOKIES_SEXP, Util::PARAMETERS, Util::PARAMS_SEXP, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION, Util::SESSION_SEXP

Constants inherited from SexpProcessor

SexpProcessor::VERSION

Instance Attribute Summary

Attributes inherited from SexpProcessor

#context, #env, #expected

Instance Method Summary

• #build_output_from_push_text(exp, default = :output) ⇒ Object

  HAML likes to put interpolated values into _hamlout.push_text but we want to handle those individually.

• #get_pushed_value(exp, default = :output) ⇒ Object

  Gets outputs from values interpolated into _hamlout.push_text.

• #is_buffer_target?(exp) ⇒ Boolean

  Checks if the buffer is the target in a method call Sexp.

• #process_block(exp) ⇒ Object

  If inside an output stream, only return the final expression.

• #process_call(exp) ⇒ Object

  Processes call, looking for template output.

Methods inherited from TemplateProcessor

#initialize, #process, #process_escaped_output, #process_lasgn, #process_output

Methods inherited from BaseProcessor

#find_render_type, #ignore, #initialize, #make_render, #make_render_in_view, #process_arglist, #process_attrasgn, #process_default, #process_dstr, #process_evstr, #process_hash, #process_if, #process_ignore, #process_iter, #process_lasgn, #process_scope

Methods included from Util

#array?, #block?, #call?, #camelize, #class_name, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #github_url, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #make_call, #node_type?, #number?, #params?, #pluralize, #rails_version, #regexp?, #relative_path, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #string_interp?, #symbol?, #table_to_csv, #template_path_to_name, #true?, #truncate_table, #underscore

Methods included from ProcessorHelper

#process_all, #process_all!, #process_call_args, #process_call_defn?, #process_class, #process_module

Methods inherited from SexpProcessor

#in_context, #initialize, #process, processors, #scope

Constructor Details

This class inherits a constructor from Brakeman::TemplateProcessor

Instance Method Details

#build_output_from_push_text(exp, default = :output) ⇒ Object

HAML likes to put interpolated values into _hamlout.push_text but we want to handle those individually

# File 'lib/brakeman/processors/haml_template_processor.rb', line 140

def build_output_from_push_text exp, default = :output
  if string_interp? exp
    exp.map! do |e|
      if sexp? e
        if node_type? e, :evstr and e[1]
          e = e.value
        end

        get_pushed_value e, default
      else
        e
      end
    end
  end
end

#get_pushed_value(exp, default = :output) ⇒ Object

Gets outputs from values interpolated into _hamlout.push_text

# File 'lib/brakeman/processors/haml_template_processor.rb', line 157

def get_pushed_value exp, default = :output
  return exp unless sexp? exp

  case exp.node_type
  when :format
    exp.node_type = :output
    @current_template.add_output exp
    exp
  when :format_escaped
    exp.node_type = :escaped_output
    @current_template.add_output exp
    exp
  when :str, :ignore, :output, :escaped_output
    exp
  when :block, :rlist, :dstr
    exp.map! { |e| get_pushed_value e }
  else
    if call? exp and exp.target == HAML_HELPERS and exp.method == :html_escape
      s = Sexp.new(:escaped_output, exp.first_arg)
    elsif @javascript and call? exp and (exp.method == :j or exp.method == :escape_javascript)
      s = Sexp.new(:escaped_output, exp.first_arg)
    else
      s = Sexp.new(default, exp)
    end

    s.line(exp.line)
    @current_template.add_output s
    s
  end
end

#is_buffer_target?(exp) ⇒ Boolean

Checks if the buffer is the target in a method call Sexp. TODO: Test this

Returns:

• (Boolean)

# File 'lib/brakeman/processors/haml_template_processor.rb', line 131

def is_buffer_target? exp
  exp.node_type == :call and
  node_type? exp.target, :lvar and
  exp.target.value == :_hamlout and
  exp.method == :buffer
end

#process_block(exp) ⇒ Object

If inside an output stream, only return the final expression

# File 'lib/brakeman/processors/haml_template_processor.rb', line 106

def process_block exp
  exp = exp.dup
  exp.shift
  if @inside_concat
    @inside_concat = false
    exp[0..-2].each do |e|
      process e
    end
    @inside_concat = true
    process exp[-1]
  else
    exp.map! do |e|
      res = process e
      if res.empty?
        nil
      else
        res
      end
    end
    Sexp.new(:rlist).concat(exp).compact
  end
end

#process_call(exp) ⇒ Object

Processes call, looking for template output

# File 'lib/brakeman/processors/haml_template_processor.rb', line 10

def process_call exp
  target = exp.target
  if sexp? target
    target = process target
  end

  method = exp.method

  if (call? target and target.method == :_hamlout)
    res = case method
          when :adjust_tabs, :rstrip!, :attributes #Check attributes, maybe?
            ignore
          when :options, :buffer
            exp
          when :open_tag
            process_call_args exp
          else
            arg = exp.first_arg

            if arg
              @inside_concat = true
              out = exp.first_arg = process(arg)
              @inside_concat = false
            else
              raise "Empty _hamlout.#{method}()?"
            end

            if string? out
              ignore
            else
              r = case method.to_s
                  when "push_text"
                    build_output_from_push_text(out)
                  when HAML_FORMAT_METHOD
                    if $4 == "true"
                      if string_interp? out
                        build_output_from_push_text(out, :escaped_output)
                      else
                        Sexp.new :format_escaped, out
                      end
                    else
                      if string_interp? out
                        build_output_from_push_text(out)
                      else
                        Sexp.new :format, out
                      end
                    end

                  else
                    raise "Unrecognized action on _hamlout: #{method}"
                  end

              @javascript = false
              r
            end
          end

    res.line(exp.line)
    res

    #_hamlout.buffer <<
    #This seems to be used rarely, but directly appends args to output buffer.
    #Has something to do with values of blocks?
  elsif sexp? target and method == :<< and is_buffer_target? target
    @inside_concat = true
    out = exp.first_arg = process(exp.first_arg)
    @inside_concat = false

    if out.node_type == :str #ignore plain strings
      ignore
    else
      s = Sexp.new(:output, out)
      @current_template.add_output s
      s.line(exp.line)
      s
    end
  elsif target == nil and method == :render
    #Process call to render()
    exp.arglist = process exp.arglist
    make_render_in_view exp
  elsif target == nil and method == :find_and_preserve
    process exp.first_arg
  elsif method == :render_with_options
    if target == JAVASCRIPT_FILTER
      @javascript = true
    end

    process exp.first_arg
  else
    exp.target = target
    exp.arglist = process exp.arglist
    exp
  end
end