lib/brakeman/processors/template_alias_processor.rb in brakeman-1.7.1 vs lib/brakeman/processors/template_alias_processor.rb in brakeman-1.8.0

@@ -15,16 +15,20 @@
     @called_from = called_from
   end
 
   #Process template
   def process_template name, args
-    if @called_from and @called_from.match(/Template:#{name}$/)
-      Brakeman.debug "Skipping circular render from #{@template[:name]} to #{name}"
-      return
-    end
+    if @called_from
+      unless @called_from.grep(/Template:#{name}$/).empty?
+        Brakeman.debug "Skipping circular render from #{@template[:name]} to #{name}"
+        return
+      end
 
-    super name, args, "Template:#{@template[:name]}"
+      super name, args, @called_from + ["Template:#{@template[:name]}"]
+    else
+      super name, args, ["Template:#{@template[:name]}"]
+    end
   end
 
   #Determine template name
   def template_name name
     unless name.to_s.include? "/"
@@ -35,32 +39,35 @@
 
   #Looks for form methods and iterating over collections of Models
   def process_call_with_block exp
     process_default exp
     
-    call = exp[1]
-    target = call[1]
-    method = call[2]
-    args = exp[2]
-    block = exp[3]
+    call = exp.block_call
 
-    #Check for e.g. Model.find.each do ... end
-    if method == :each and args and block and model = get_model_target(target)
-      if node_type? args, :lasgn
-        if model == target[1]
-          env[Sexp.new(:lvar, args[1])] = Sexp.new(:call, model, :new, Sexp.new(:arglist))
-        else
-          env[Sexp.new(:lvar, args[1])] = Sexp.new(:call, Sexp.new(:const, Brakeman::Tracker::UNKNOWN_MODEL), :new, Sexp.new(:arglist))
+    if call? call
+      target = call.target
+      method = call.method
+      args = exp.block_args
+      block = exp.block
+
+      #Check for e.g. Model.find.each do ... end
+      if method == :each and args and block and model = get_model_target(target)
+        if node_type? args, :lasgn
+          if model == target.target
+            env[Sexp.new(:lvar, args.lhs)] = Sexp.new(:call, model, :new, Sexp.new(:arglist))
+          else
+            env[Sexp.new(:lvar, args.lhs)] = Sexp.new(:call, Sexp.new(:const, Brakeman::Tracker::UNKNOWN_MODEL), :new, Sexp.new(:arglist))
+          end
+
+          process block if sexp? block
         end
-        
-        process block if sexp? block
-      end
-    elsif FORM_METHODS.include? method
-      if node_type? args, :lasgn
-        env[Sexp.new(:lvar, args[1])] = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist)) 
+      elsif FORM_METHODS.include? method
+        if node_type? args, :lasgn
+          env[Sexp.new(:lvar, args.lhs)] = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist)) 
 
-        process block if sexp? block
+          process block if sexp? block
+        end
       end
     end
 
     exp
   end
@@ -68,13 +75,13 @@
   alias process_iter process_call_with_block
 
   #Checks if +exp+ is a call to Model.all or Model.find*
   def get_model_target exp
     if call? exp
-      target = exp[1]
+      target = exp.target
 
-      if exp[2] == :all or exp[2].to_s[0,4] == "find"
+      if exp.method == :all or exp.method.to_s[0,4] == "find"
         models = Set.new @tracker.models.keys
 
         begin
           name = class_name target
           return target if models.include?(name)
@@ -89,12 +96,12 @@
     false
   end
 
   def find_push_target exp
     if sexp? exp
-      if exp.node_type == :lvar and (exp[1] == :_buf or exp[1] == :_erbout)
+      if exp.node_type == :lvar and (exp.value == :_buf or exp.value == :_erbout)
         return nil
-      elsif exp.node_type == :ivar and exp[1] == :@output_buffer
+      elsif exp.node_type == :ivar and exp.value == :@output_buffer
         return nil
       end
     end
 
     super