Respect template_exists? in controllers

fixes #1124

lib/brakeman/processors/controller_alias_processor.rb

@@ -114,6 +114,8 @@ def process_call exp
 
     if method == :head
       @rendered = true
+    elsif exp.target.nil? and method == :template_exists?
+      env[exp.first_arg] = Sexp.new(:lit, :"brakeman:existing_template")
     elsif @tracker.options[:interprocedural] and
       @current_method and (exp.target.nil? or exp.target.node_type == :self)
 

test/apps/rails5/app/controllers/widget_controller.rb

@@ -102,6 +102,11 @@ def redirect_to_path
       redirect_to expired_or_invalid_session_path
     end
   end
+
+  def render_safely
+    slug = params[:slug].to_s
+    render slug if template_exists?(slug, 'pages')
+  end
 end
 
 IDENTIFIER_NAMESPACE = 'apis'

test/tests/rails5.rb

@@ -390,6 +390,19 @@ def test_dynamic_render_path_with_boolean
       :user_input => s(:call, s(:call, s(:params), :[], s(:lit, :x)), :thing?)
   end
 
+  def test_dynamic_render_path_template_exists
+    assert_no_warning :type => :warning,
+      :warning_code => 15,
+      :fingerprint => "5c250fd85fe088bf628d517af37038fa516acc4b6103ee6d8a15e857079ad434",
+      :warning_type => "Dynamic Render Path",
+      :line => 108,
+      :message => /^Render\ path\ contains\ parameter\ value/,
+      :confidence => 0,
+      :relative_path => "app/controllers/widget_controller.rb",
+      :code => s(:render, :action, s(:call, s(:call, s(:params), :[], s(:lit, :slug)), :to_s), s(:hash)),
+      :user_input => s(:call, s(:call, s(:params), :[], s(:lit, :slug)), :to_s)
+  end
+
   def test_render_inline_cookies
     assert_warning :type => :warning,
       :warning_code => 84,