From cf3d9accc095cf9f0927738a775aa127ac5d1601 Mon Sep 17 00:00:00 2001
From: Justin Collins
Date: Mon, 12 Apr 2021 22:24:22 -0700
Subject: [PATCH] Support loading slim/smart in a very specific case.

Fixes #1570
---
 lib/brakeman/parsers/template_parser.rb | 24 +++++++++++++++++++
 test/apps/rails5.2/Gemfile | 2 ++
 .../rails5.2/app/views/users/smart.html.slim | 11 +++++++++
 3 files changed, 37 insertions(+)
 create mode 100644 test/apps/rails5.2/app/views/users/smart.html.slim

diff --git a/lib/brakeman/parsers/template_parser.rb b/lib/brakeman/parsers/template_parser.rb
index a2644223b1..166941a545 100644
--- a/lib/brakeman/parsers/template_parser.rb
+++ b/lib/brakeman/parsers/template_parser.rb
@@ -9,6 +9,7 @@ class TemplateParser
 def initialize tracker, file_parser
 @tracker = tracker
 @file_parser = file_parser
+ @slim_smart = nil # Load slim/smart ?
 end
 
 def parse_template path, text
@@ -88,6 +89,14 @@ def parse_haml path, text
 
 def parse_slim path, text
 Brakeman.load_brakeman_dependency 'slim'
+
+ if @slim_smart.nil? and load_slim_smart?
+ @slim_smart = true
+ Brakeman.load_brakeman_dependency 'slim/smart'
+ else
+ @slim_smart = false
+ end
+
 require_relative 'slim_embedded'
 
 Slim::Template.new(path,
@@ -95,6 +104,21 @@ def parse_slim path, text
 :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
 end
 
+ def load_slim_smart?
+ return !@slim_smart unless @slim_smart.nil?
+
+ # Terrible hack to find
+ # gem "slim", "~> 3.0.1", require: ["slim", "slim/smart"]
+ if tracker.app_tree.exists? 'Gemfile'
+ gemfile_contents = tracker.app_tree.file_path('Gemfile').read
+ if gemfile_contents.include? 'slim/smart'
+ return true
+ end
+ end
+
+ false
+ end
+
 def self.parse_inline_erb tracker, text
 fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
 tp = self.new(tracker, fp)
diff --git a/test/apps/rails5.2/Gemfile b/test/apps/rails5.2/Gemfile
index 4f6e5ca2c3..bf16589819 100644
--- a/test/apps/rails5.2/Gemfile
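Review bot: The comment on the added `@slim_smart = nil` line does not say what the three values mean, yet `parse_slim` and `load_slim_smart?` both treat nil as "not decided yet" and true/false as the cached decision. Suggest `@slim_smart = nil # nil: not yet checked; true/false: whether slim/smart was loaded (see load_slim_smart?)`. The whole of `initialize` is inside the hunk.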
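Review bot: Once `@slim_smart` has been set, every later call to `parse_slim` falls into the `else` branch and overwrites it with `false`, so a `true` decision survives only for the first template parsed; the added `if`/`else` conflates "undecided" with "decided no". The `and` in the condition also binds lower than `&&` (harmless here, but the style RuboCop flags). Replacing the added `if … end` with `@slim_smart = load_slim_smart? if @slim_smart.nil?` followed by `Brakeman.load_brakeman_dependency 'slim/smart' if @slim_smart` keeps the cached value stable and mirrors how `'slim'` is loaded on every call on the line above. Presumably loading an already-loaded dependency is a no-op, so the parser choice after the first template is unaffected, but anything else reading `@slim_smart` sees the wrong answer. `parse_slim` continues past the end of the hunk.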
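Review bot: The guard `return !@slim_smart unless @slim_smart.nil?` in the new `load_slim_smart?` returns the inverse of the cached decision (false when slim/smart was loaded), and it is also unreachable from `parse_slim`, which only calls this method while `@slim_smart` is nil; it should read `return @slim_smart unless @slim_smart.nil?`. The Gemfile probe is a plain substring match, so a commented-out `# … "slim/smart"` line also switches on the smart parser and thereby changes how bare text lines in every Slim template of the app are parsed, and potentially what Brakeman reports for them; restricting the check to non-comment lines, e.g. `gemfile_contents.lines.any? { |l| !l.lstrip.start_with?('#') && l.include?('slim/smart') }`, narrows that. `tracker` is called as a method here while `initialize` assigns `@tracker`; that is fine if the class has a `tracker` reader, which is outside this hunk.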
+++ b/test/apps/rails5.2/Gemfile
@@ -60,3 +60,5 @@ end
 
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
+
+gem "slim", "~> 3.0.1", require: ["slim", "slim/smart"]
diff --git a/test/apps/rails5.2/app/views/users/smart.html.slim b/test/apps/rails5.2/app/views/users/smart.html.slim
new file mode 100644
index 0000000000..168ef7575b
--- /dev/null
+++ b/test/apps/rails5.2/app/views/users/smart.html.slim
@@ -0,0 +1,11 @@
+p
+ Your credit card
+ strong will not
+ > be charged now.
+
+This is a text
+ which spans
+ several lines.
+
+footer
+ Copyright © #{params[:x]} not xss?
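Review bot: The fixture ends with `#{params[:x]} not xss?`, and the patch leaves that question open: no assertion is added anywhere in this diff stating whether Brakeman should report the interpolation in `smart.html.slim` as cross-site scripting. Suggest pairing the fixture with an expectation in the rails5.2 test suite (either a warning for this template or an explicit absence check) so the slim/smart parsing path is pinned and a regression in how smart text is escaped is caught. The file is new, so the hunk covers it entirely.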