Update template parsing

GriffinMB · GriffinMB · commit b7ba5b6084b3 · 2018-02-03T15:36:33.000-05:00
diff --git a/lib/sobelow.ex b/lib/sobelow.ex
@@ -20,6 +20,7 @@ defmodule Sobelow do
   alias Sobelow.Config
   alias Sobelow.Vuln
   alias Sobelow.FindingLog
+  alias Sobelow.MetaLog
   alias Mix.Shell.IO, as: MixIO
   # Remove directory structure check for release candidate
   # prior to 1.0
@@ -49,6 +50,7 @@ defmodule Sobelow do
     # off the test pipeline to avoid dumping warning
     # messages into the findings output.
     root_meta_files = get_meta_files(root)
+    template_meta_files = get_meta_templates(root)
 
     # If web_root ends with the app_name, then it is the
     # more recent version of Phoenix. Meaning, all files are
@@ -61,6 +63,9 @@ defmodule Sobelow do
     libroot_meta_files = if !phx_post_1_2?, do: get_meta_files(lib_root), else: []
 
     FindingLog.start_link()
+    MetaLog.start_link()
+
+    MetaLog.add_templates(template_meta_files)
 
     # This is where the core testing-pipeline starts.
     #
@@ -242,6 +247,25 @@ defmodule Sobelow do
     end
   end
 
+  defp get_meta_templates(root) do
+    ignored_files = get_env(:ignored_files)
+
+    Utils.template_files(root)
+    |> Enum.reject(&is_ignored_file(&1, ignored_files))
+    |> Enum.map(&get_template_meta/1)
+    |> Map.new()
+  end
+
+  defp get_template_meta(filename) do
+    meta_funs = Utils.get_meta_template_funs(filename)
+    raw = meta_funs.raw
+
+    {
+      Utils.normalize_path(filename),
+      %{raw: raw}
+    }
+  end
+
   defp get_meta_files(root) do
     ignored_files = get_env(:ignored_files)
 
@@ -269,14 +293,13 @@ defmodule Sobelow do
       |> Enum.map(&get_mod/1)
 
     Enum.each(mods -- skip_mods, fn mod ->
-      apply(mod, :get_vulns, [fun, meta_file, web_root, skip_mods])
+      params = [fun, meta_file, web_root, skip_mods]
+      apply(mod, :get_vulns, params)
     end)
   end
 
   defp get_fun_vulns(fun, meta_file, web_root, mods) do
-    Enum.each(mods, fn mod ->
-      apply(mod, :get_vulns, [fun, meta_file, web_root])
-    end)
+    get_fun_vulns({fun, []}, meta_file, web_root, mods)
   end
 
   defp combine_skips([]), do: []
diff --git a/lib/sobelow/meta_log.ex b/lib/sobelow/meta_log.ex
@@ -0,0 +1,27 @@
+defmodule Sobelow.MetaLog do
+  use GenServer
+
+  def start_link() do
+    GenServer.start_link(__MODULE__, :ok, name: __MODULE__)
+  end
+
+  def add_templates(templates) do
+    GenServer.cast(__MODULE__, {:add, templates})
+  end
+
+  def get_templates() do
+    GenServer.call(__MODULE__, :get_templates)
+  end
+
+  def init(:ok) do
+    {:ok, %{:templates => %{}}}
+  end
+
+  def handle_cast({:add, templates}, log) do
+    {:noreply, Map.put(log, :templates, templates)}
+  end
+
+  def handle_call(:get_templates, _from, log) do
+    {:reply, log.templates, log}
+  end
+end
diff --git a/lib/sobelow/utils.ex b/lib/sobelow/utils.ex
@@ -353,6 +353,23 @@ defmodule Sobelow.Utils do
 
   def get_meta_funs(ast, acc), do: {ast, acc}
 
+  def get_meta_template_funs(filepath) do
+    ast = EEx.compile_string(File.read!(filepath))
+    get_meta_template_fun(ast)
+  end
+
+  def get_meta_template_fun(ast) do
+    init_acc = %{raw: []}
+    {_, acc} = Macro.prewalk(ast, init_acc, &get_meta_template_fun(&1, &2))
+    acc
+  end
+
+  def get_meta_template_fun({:raw, _, _} = ast, acc) do
+    {ast, Map.update!(acc, :raw, &[ast | &1])}
+  end
+
+  def get_meta_template_fun(ast, acc), do: {ast, acc}
+
   def get_fun_vars_and_meta(fun, idx, type, module \\ nil) do
     {params, {fun_name, line_no}} = get_fun_declaration(fun)
 
@@ -784,6 +801,14 @@ defmodule Sobelow.Utils do
     end
   end
 
+  def template_files(filepath, _directory \\ "") do
+    if File.dir?(filepath) do
+      Path.wildcard(filepath <> "/**/*.html.eex")
+    else
+      []
+    end
+  end
+
   # Setup Utils
   def get_app_name(filepath) do
     if File.exists?(filepath) do
@@ -919,10 +944,11 @@ defmodule Sobelow.Utils do
 
   # XSS Utils
 
-  def get_template_vars(filepath) do
-    ast = EEx.compile_string(File.read!(filepath))
-    {_, acc} = Macro.prewalk(ast, [], &extract_template_vars(&1, &2))
-    acc
+  def get_template_vars(raw_funs) do
+    Enum.flat_map(raw_funs, fn ast ->
+      {_, acc} = Macro.prewalk(ast, [], &extract_template_vars(&1, &2))
+      acc
+    end)
   end
 
   defp extract_template_vars({:raw, _, [{_, _, [_, raw]}]} = ast, acc) do
diff --git a/lib/sobelow/xss/raw.ex b/lib/sobelow/xss/raw.ex
@@ -25,6 +25,7 @@ defmodule Sobelow.XSS.Raw do
   def run(fun, meta_file, web_root, controller) do
     {vars, _, {fun_name, [{_, line_no}]}} = parse_render_def(fun)
     filename = meta_file.filename
+    templates = Sobelow.MetaLog.get_templates()
 
     root =
       if String.ends_with?(web_root, "/lib/") do
@@ -45,9 +46,10 @@ defmodule Sobelow.XSS.Raw do
         end
 
       template_path = root <> "templates/" <> controller <> "/" <> template <> ".eex"
+      raw_funs = templates[Utils.normalize_path(template_path)]
 
-      if File.exists?(template_path) do
-        raw_vals = Utils.get_template_vars(template_path)
+      if raw_funs do
+        raw_vals = Utils.get_template_vars(raw_funs.raw)
 
         Enum.each(ref_vars, fn var ->
           if Enum.member?(raw_vals, var) do
