Support loading slim/smart

in a very specific case. Fixes #1570
presidentbeef · Apr 14, 2021 · cf3d9ac · cf3d9ac
1 parent aef6253
commit cf3d9ac
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 0 deletions.
diff --git a/lib/brakeman/parsers/template_parser.rb b/lib/brakeman/parsers/template_parser.rb
@@ -9,6 +9,7 @@ class TemplateParser
     def initialize tracker, file_parser
       @tracker = tracker
       @file_parser = file_parser
+      @slim_smart = nil # Load slim/smart ?
     end
 
     def parse_template path, text
@@ -88,13 +89,36 @@ def parse_haml path, text
 
     def parse_slim path, text
       Brakeman.load_brakeman_dependency 'slim'
+
+      if @slim_smart.nil? and load_slim_smart?
+        @slim_smart = true
+        Brakeman.load_brakeman_dependency 'slim/smart'
+      else
+        @slim_smart = false
+      end
+
       require_relative 'slim_embedded'
 
       Slim::Template.new(path,
                          :disable_capture => true,
                          :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
     end
 
+    def load_slim_smart?
+      return !@slim_smart unless @slim_smart.nil?
+
+      # Terrible hack to find
+      #   gem "slim", "~> 3.0.1", require: ["slim", "slim/smart"]
+      if tracker.app_tree.exists? 'Gemfile'
+        gemfile_contents = tracker.app_tree.file_path('Gemfile').read
+        if gemfile_contents.include? 'slim/smart'
+          return true
+        end
+      end
+
+      false
+    end
+
     def self.parse_inline_erb tracker, text
       fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
       tp = self.new(tracker, fp)

diff --git a/test/apps/rails5.2/Gemfile b/test/apps/rails5.2/Gemfile
@@ -60,3 +60,5 @@ end
 
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
+
+gem "slim", "~> 3.0.1", require: ["slim", "slim/smart"]
diff --git a/test/apps/rails5.2/app/views/users/smart.html.slim b/test/apps/rails5.2/app/views/users/smart.html.slim
@@ -0,0 +1,11 @@
+p
+  Your credit card
+  strong will not
+  > be charged now.
+
+This is a text
+  which spans
+  several lines.
+
+footer
+  Copyright &copy; #{params[:x]} not xss?