Merge pull request #1900 from presidentbeef/more_safe_literal_indexing

Fix array/hash unknown index handling
presidentbeef · Dec 30, 2024 · 440d35d · 440d35d
2 parents cbd1881 + 470fcdc
commit 440d35d
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/lib/brakeman/processors/alias_processor.rb b/lib/brakeman/processors/alias_processor.rb
@@ -97,6 +97,7 @@ def replace exp, int = 0
   end
 
   def process_bracket_call exp
+    # TODO: What is even happening in this method?
     r = replace(exp)
 
     if r != exp
@@ -127,7 +128,7 @@ def process_bracket_call exp
         return r
       end
     else
-      t = nil
+      t = exp.target # put it back?
     end
 
     if hash? t
@@ -242,6 +243,7 @@ def process_call exp
         exp = math_op(method, target, first_arg, exp)
       end
     when :[]
+      # TODO: This might never be used because of process_bracket_call above
       if array? target
         exp = process_array_access(target, exp.args, exp)
       elsif hash? target

diff --git a/test/tests/alias_processor.rb b/test/tests/alias_processor.rb
@@ -138,6 +138,13 @@ def test_array_fetch_unknown_literal
     RUBY
   end
 
+  def test_array_index_unknown_literal
+    assert_alias ':BRAKEMAN_SAFE_LITERAL', <<-RUBY
+    x = [1, 2, 3][y]
+    x
+    RUBY
+  end
+
   def test_array_append
     assert_alias '[1, 2, 3]', <<-RUBY
       x = [1]