lib/brakeman/messages.rb
module Brakeman
  # Helpers for building structured warning messages out of typed fragments.
  # Each fragment class knows how to render itself as plain text (#to_s) and
  # as HTML (#to_html); all fragments except Literal escape their content on
  # HTML output.
  module Messages
    # Build a Message from a list of fragments.
    # Bare Strings are wrapped as Plain fragments here (Message#initialize
    # also wraps Strings and Symbols); any other argument is passed through
    # and is expected to respond to #to_s and #to_html.
    def msg *args
      fragments = args.map { |a| a.is_a?(String) ? Plain.new(a) : a }
      Message.new(*fragments)
    end

    # Wrap a code snippet: backticks in text, an HTML-escaped
    # <span class="code"> in HTML.
    def msg_code code
      Code.new code
    end

    # Wrap a CVE identifier such as "CVE-2013-0156".
    def msg_cve cve
      CVE.new cve
    end

    # Wrap a file name.
    def msg_file str
      FileName.new str
    end

    # Wrap a user-input type (e.g. `:params`); rendered as a friendly phrase
    # such as "parameter value".
    def msg_input input
      Input.new input
    end

    # Wrap text that is emitted verbatim in every output format.
    # SECURITY: Literal#to_html does not escape, so only pass trusted,
    # already-escaped markup here — never application source, file names or
    # other attacker-influenced data (use msg_code / msg_file for those).
    def msg_lit str
      Literal.new str
    end

    # Wrap plain text; HTML-escaped on HTML output.
    def msg_plain str
      Plain.new str
    end

    # Wrap a library version; the library defaults to Rails.
    def msg_version version, lib = "Rails"
      Version.new version, lib
    end
  end
end
# Class representing an ordered list of message fragments (Plain, Code, CVE, ...) rendered as text or HTML
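class Brakeman::Messages::Message
  # Build a message from fragments. Strings and Symbols become Plain
  # fragments (HTML-escaped on output); every other argument is kept as-is
  # and must respond to #to_s and #to_html.
  def initialize *args
    @parts = []
    args.each { |a| self << a }
  end

  # Append a fragment. Strings and Symbols are wrapped as Plain fragments,
  # matching #initialize (previously a Symbol was appended raw and would
  # fail with NoMethodError on #to_html). Returns the fragment array, as
  # Array#<< does.
  def << msg
    case msg
    when String, Symbol
      @parts << Brakeman::Messages::Plain.new(msg.to_s)
    else
      @parts << msg
    end
  end

  # Render the message as plain text.
  def to_s
    capitalize_first(@parts.map(&:to_s).join)
  end

  # Render the message as HTML. Each fragment escapes its own content in
  # #to_html, except Literal, which is emitted verbatim by design.
  def to_html
    require 'cgi' # fragment #to_html implementations rely on CGI.escapeHTML
    capitalize_first(@parts.map(&:to_html).join)
  end

  private

  # Upper-case the first character of +output+ unless the message starts
  # with a fragment whose text must stay verbatim (Code, Literal, Version).
  # Only the first character is touched so the rest of the message keeps
  # its case (String#capitalize on the whole string would downcase it).
  # An empty message is returned unchanged instead of raising
  # NoMethodError on nil.
  def capitalize_first output
    return output if output.empty?

    case @parts.first
    when Brakeman::Messages::Code, Brakeman::Messages::Literal, Brakeman::Messages::Version
      output
    else
      output[0] = output[0].capitalize
      output
    end
  end
end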
class Brakeman::Messages::Code
  # A fragment holding a code snippet, stored as a String.
  def initialize code
    @code = code.to_s
  end

  # Plain text: the snippet wrapped in backticks.
  def to_s
    '`' + @code + '`'
  end

  # HTML: the snippet HTML-escaped (it is usually drawn from the scanned
  # application's source) inside a span with class "code". Relies on
  # 'cgi' having been required (Message#to_html does so).
  def to_html
    escaped = CGI.escapeHTML(@code)
    '<span class="code">' + escaped + '</span>'
  end
end
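class Brakeman::Messages::CVE
  # A fragment holding a CVE identifier (e.g. "CVE-2013-0156"), stored as
  # a String.
  def initialize cve
    @cve = cve.to_s
  end

  # Plain text: the identifier in parentheses.
  def to_s
    "(#{@cve})"
  end

  # HTML: a link to the MITRE CVE entry, opened in a new tab.
  # The identifier is URL-encoded inside the href and HTML-escaped in both
  # the attribute and the link text. Every other fragment class escapes its
  # content and this one previously did not, so a malformed identifier
  # could have injected markup or an attribute into the HTML report. For a
  # well-formed identifier the output is byte-identical to before.
  def to_html
    require 'cgi'
    text = CGI.escapeHTML(@cve)
    query = CGI.escapeHTML(CGI.escape(@cve))
    "(<a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=#{query}\" target=\"_blank\" rel=\"noreferrer\">#{text}</a>)"
  end
end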
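class Brakeman::Messages::FileName
  # A fragment holding a file name, stored as a String.
  # Non-String input (e.g. a Pathname or Symbol) is converted, as Code and
  # Literal already do; previously CGI.escapeHTML would raise TypeError
  # on such input.
  def initialize file
    @file = file.to_s
  end

  # Plain text: the file name wrapped in backticks.
  def to_s
    "`#{@file}`"
  end

  # HTML: the file name HTML-escaped (names on disk are not trusted) inside
  # a span with class "filename". Relies on 'cgi' having been required
  # (Message#to_html does so).
  def to_html
    "<span class=\"filename\">#{CGI.escapeHTML(@file)}</span>"
  end
end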
class Brakeman::Messages::Input
  # Friendly phrase for each recognized input type; anything else falls
  # back to the generic "user input".
  FRIENDLY_TYPES = {
    :params => "parameter value",
    :cookies => "cookie value",
    :request => "request value",
    :model => "model attribute"
  }.freeze

  # A fragment describing where tainted data came from. +input+ is either
  # an input type symbol (e.g. :params) or a Brakeman::BaseCheck::Match,
  # whose #type is used.
  def initialize input
    @input = input
    @value = friendly_type_of(@input)
  end

  # Map an input type (or a Match carrying one) to its friendly phrase.
  def friendly_type_of input_type
    type = input_type.is_a?(Brakeman::BaseCheck::Match) ? input_type.type : input_type
    FRIENDLY_TYPES.fetch(type, "user input")
  end

  def to_s
    @value
  end

  # The phrase comes from a fixed set of constant strings, so no HTML
  # escaping is needed.
  def to_html
    to_s
  end
end
class Brakeman::Messages::Literal
  # A fragment emitted verbatim in every output format.
  #
  # SECURITY: unlike Plain, Code and FileName, #to_html does NOT escape the
  # value, so a Literal must only wrap trusted, already-escaped markup.
  # Never build one from application source, file names or other data an
  # attacker can influence, or the HTML report becomes an XSS vector.
  def initialize value
    @value = value.to_s
  end

  def to_s
    @value
  end

  # Unescaped by design; see the class comment.
  alias_method :to_html, :to_s
end
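class Brakeman::Messages::Plain
  # A fragment of ordinary text, stored as a String.
  # Non-String input is converted (as Code and Literal do) so that
  # #to_html cannot raise TypeError from CGI.escapeHTML on, say, a Symbol
  # passed to msg_plain.
  def initialize string
    @value = string.to_s
  end

  def to_s
    @value
  end

  # HTML-escaped, since plain text may carry attacker-influenced data.
  # Relies on 'cgi' having been required (Message#to_html does so).
  def to_html
    CGI.escapeHTML(@value)
  end
end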
class Brakeman::Messages::Version
  # A fragment naming a library and its version, e.g. "Rails 4.2.0".
  def initialize version, lib
    @version = version
    @library = lib
  end

  # "<library> <version>", separated by a single space.
  def to_s
    format('%s %s', @library, @version)
  end

  # HTML-escaped text form. Relies on 'cgi' having been required
  # (Message#to_html does so).
  def to_html
    CGI.escapeHTML(to_s)
  end
end