brakefast 0.0.1

data/brakefast.gemspec

@@ -0,0 +1,30 @@
+lib = File.expand_path('../lib/', __FILE__)
+$:.unshift lib unless $:.include?(lib)
+
+require 'brakefast/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "brakefast"
+  spec.version       = Brakefast::VERSION
+  spec.platform      = Gem::Platform::RUBY
+  spec.authors       = ["Sho Hashimoto"]
+  spec.email         = ["sho.hsmt@gmail.com"]
+  spec.homepage      = "https://github.com/sho-h/brakefast"
+
+  spec.summary       = "runtime brakeman notifier like bullet"
+  spec.description   = "runtime brakeman notifier like bullet"
+  spec.license     = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency "uniform_notifier", "~> 1.9.0"
+  spec.add_runtime_dependency "brakeman"
+
+  spec.add_development_dependency "bundler", "~> 1.9"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec"
+end
+

data/lib/brakefast/brakeman.rb

@@ -0,0 +1,18 @@
+require 'brakeman'
+require 'brakefast/detector'
+
+module Brakefast
+  class Brakeman
+    def self.run(path)
+      tracker = ::Brakeman.run(Rails.root.to_s)
+      report = tracker.report.format(:to_hash)
+      Brakefast::Detector::Base.types.each do |type|
+        next if !Brakefast.public_send("#{type}_enable?")
+        report[type].each do |vulnerability|
+          detector = Brakefast::Detector::Base.create_instance(type, vulnerability)
+          detector.set_detector_module
+        end
+      end
+    end
+  end
+end

data/lib/brakefast/dependency.rb

@@ -0,0 +1,7 @@
+module Brakefast
+  module Dependency
+    def rails?
+      @rails ||= defined? ::Rails
+    end
+  end
+end

data/lib/brakefast/detector/base.rb

@@ -0,0 +1,58 @@
+require 'forwardable'
+
+module Brakefast
+  module Detector
+    class Base
+      extend Forwardable
+
+      attr_reader :vulnerability
+      def_delegator :@vulnerability, :method, :target_method_name
+      def_delegator :@vulnerability, :message, :message
+      def_delegator :@vulnerability, :file, :file
+      def_delegator :@vulnerability, :line, :line
+
+      @@type2klass = {
+      }
+
+      class << self
+        def create_instance(type, *args)
+          @@type2klass[type].new(*args)
+        end
+
+        def register_detector(type)
+          @@type2klass[type] = self
+        end
+
+        def types
+          @@type2klass.keys
+        end
+      end
+
+      def initialize(vulnerability)
+        @vulnerability = vulnerability
+      end
+
+      def set_detector_module
+        raise "override me"
+      end
+
+      def target_module_name
+        raise "override me"
+      end
+
+      private
+
+      def create_module_name(s)
+        s.to_s.gsub("::", "__") + "BrakefastHook"
+      end
+
+      def create_hook(module_name, hookee_mod)
+        name = create_module_name(module_name)
+        Brakefast.const_set(name, hookee_mod)
+        ::Object.const_get(module_name).class_eval %Q{
+          prepend Brakefast::#{name}
+        }
+      end
+    end
+  end
+end

data/lib/brakefast/detector/controller_warnings.rb

@@ -0,0 +1,32 @@
+module Brakefast
+  module Detector
+    class ControllerWarnings < Base
+      register_detector :controller_warnings
+
+      def set_detector_module
+        if target_module_name && target_method_name
+          mod = Module.new
+          mod.module_eval %Q{
+            def #{target_method_name}
+              s = "vulnerability found in #{file}:#{line} - #{message}"
+              Thread.current[:brakefast_notifications] << s
+=begin
+              # for debug
+              File.open("/tmp/1.log", "a") do |f|
+                f.write("vulnerability found in #{e.file}:#{e.line} - #{msg}")
+              end
+=end
+              super
+            end
+          }
+
+          create_hook(target_module_name, mod)
+        end
+      end
+
+      def target_module_name
+        vulnerability.controller
+      end
+    end
+  end
+end

data/lib/brakefast/detector/generic_warnings.rb

@@ -0,0 +1,27 @@
+module Brakefast
+  module Detector
+    class GenericWarnings < Base
+      register_detector :generic_warnings
+
+      def set_detector_module
+        if target_module_name && target_method_name
+          mod = Module.new
+          mod.module_eval %Q{
+            def #{target_method_name}
+              n = Brakefast::Notification::GenericWarnings.new(self, '#{message}',
+                                                               '#{file}','#{line}')
+              Brakefast.notification_collector.add(n)
+              super
+            end
+          }
+
+          create_hook(target_module_name, mod)
+        end
+      end
+
+      def target_module_name
+        vulnerability.class
+      end
+    end
+  end
+end

data/lib/brakefast/detector/model_warnings.rb

@@ -0,0 +1,26 @@
+module Brakefast
+  module Detector
+    class ModelWarnings < Base
+      register_detector :model_warnings
+
+      def set_detector_module
+        if target_module_name && target_method_name
+          mod = Module.new
+          mod.module_eval %Q{
+            def #{target_method_name}
+              s = "vulnerability found in #{file}:#{line} - #{message}"
+              Thread.current[:brakefast_notifications] << s
+              super
+            end
+          }
+
+          create_hook(target_module_name, mod)
+        end
+      end
+
+      def target_module_name
+        vulnerability.model
+      end
+    end
+  end
+end

data/lib/brakefast/detector.rb

@@ -0,0 +1,8 @@
+module Brakefast
+  module Detector
+    autoload :Base, 'brakefast/detector/base'
+    autoload :ControllerWarnings, 'brakefast/detector/controller_warnings'
+    autoload :ModelWarnings, 'brakefast/detector/model_warnings'
+    autoload :GenericWarnings, 'brakefast/detector/generic_warnings'
+  end
+end

data/lib/brakefast/notification/base.rb

@@ -0,0 +1,61 @@
+module Brakefast
+  module Notification
+    class Base
+      attr_accessor :notifier, :url
+      attr_reader :klass, :message, :path, :line
+
+      def initialize(klass, message, path = nil, line = nil)
+        @klass = klass
+        @message = message
+        @path = path
+        @line = line
+      end
+
+      def title
+        raise NoMethodError.new("no method title defined")
+      end
+
+      def body
+        raise NoMethodError.new("no method body defined")
+      end
+
+      def call_stack_messages
+        ""
+      end
+
+      def whoami
+        @user ||= ENV['USER'].presence || (`whoami`.chomp rescue "")
+        if @user.present?
+          "user: #{@user}"
+        else
+          ""
+        end
+      end
+
+      def body_with_caller
+        "#{body}\n#{call_stack_messages}\n"
+      end
+
+      def notify_inline
+        self.notifier.inline_notify(notification_data)
+      end
+
+      def notify_out_of_channel
+        self.notifier.out_of_channel_notify(notification_data)
+      end
+
+      def short_notice
+        [whoami.presence, url, title, body].compact.join("  ")
+      end
+
+      def notification_data
+        {
+          :user => whoami,
+          :url => url,
+          :title => title,
+          :body => body_with_caller,
+        }
+      end
+    end
+  end
+end

data/lib/brakefast/notification/controller_warnings.rb

@@ -0,0 +1,14 @@
+module Brakefast
+  module Notification
+    class ControllerWarnings < Base
+      # TODO: move to base?
+      def title
+        "vulnerability found: ControllerWarnings"
+      end
+
+      def body
+        "#{message} - #{path}:#{line}"
+      end
+    end
+  end
+end

data/lib/brakefast/notification/generic_warnings.rb

@@ -0,0 +1,14 @@
+module Brakefast
+  module Notification
+    class GenericWarnings < Base
+      # TODO: move to base?
+      def title
+        "vulnerability found: GenericWarnings"
+      end
+
+      def body
+        "#{message} - #{path}:#{line}"
+      end
+    end
+  end
+end

data/lib/brakefast/notification/model_warnings.rb

@@ -0,0 +1,14 @@
+module Brakefast
+  module Notification
+    class ModelWarnings < Base
+      # TODO: move to base?
+      def title
+        "vulnerability found: ModelWarnings"
+      end
+
+      def body
+        "#{message} - #{path}:#{line}"
+      end
+    end
+  end
+end

data/lib/brakefast/notification.rb

@@ -0,0 +1,10 @@
+module Brakefast
+  module Notification
+    autoload :Base, 'brakefast/notification/base'
+    autoload :GenericWarnings, 'brakefast/notification/generic_warnings'
+    autoload :ControllerWarnings, 'brakefast/notification/controller_warnings'
+    autoload :ModelWarnings, 'brakefast/notification/model_warnings'
+
+    class UnoptimizedQueryError < StandardError; end
+  end
+end

data/lib/brakefast/notification_collector.rb

@@ -0,0 +1,24 @@
+require 'set'
+
+module Brakefast
+  class NotificationCollector
+    attr_reader :collection
+
+    def initialize
+      reset
+    end
+
+    def reset
+      @collection = Set.new
+    end
+
+    def add(value)
+      @collection << value
+    end
+
+    def notifications_present?
+      !@collection.empty?
+    end
+  end
+end
+

data/lib/brakefast/rack.rb

@@ -0,0 +1,95 @@
+require 'brakefast/brakeman'
+
+module Brakefast
+  class Rack
+    include Dependency
+
+    def initialize(app)
+      @app = app
+      @brakeman_run = false
+    end
+
+    def call(env)
+      return @app.call(env) unless Brakefast.enable?
+      if !@brakeman_run
+        Brakefast::Brakeman.run(Rails.root.to_s)
+        @brakeman_run = true
+      end
+      Brakefast.start_request
+      status, headers, response = @app.call(env)
+
+      response_body = nil
+      if Brakefast.notification?
+        if !file?(headers) && !sse?(headers) && !empty?(response) &&
+            status == 200 && !response_body(response).frozen? && html_request?(headers, response)
+          response_body = response_body(response)
+          append_to_html_body(response_body, footer_note) if Brakefast.add_footer
+          append_to_html_body(response_body, Brakefast.gather_inline_notifications)
+          headers['Content-Length'] = response_body.bytesize.to_s
+        end
+        Brakefast.perform_out_of_channel_notifications(env)
+      end
+      [status, headers, response_body ? [response_body] : response]
+    ensure
+      Brakefast.end_request
+    end
+
+    # fix issue if response's body is a Proc
+    def empty?(response)
+      # response may be ["Not Found"], ["Move Permanently"], etc.
+      if rails?
+        (response.is_a?(Array) && response.size <= 1) ||
+          !response.respond_to?(:body) ||
+          !response_body(response).respond_to?(:empty?) ||
+          response_body(response).empty?
+      else
+        body = response_body(response)
+        body.nil? || body.empty?
+      end
+    end
+
+    def append_to_html_body(response_body, content)
+      if response_body.include?('</body>')
+        position = response_body.rindex('</body>')
+        response_body.insert(position, content)
+      else
+        response_body << content
+      end
+    end
+
+    def footer_note
+      "<div #{footer_div_attributes}>" + Brakefast.footer_info.uniq.join("<br>") + "</div>"
+    end
+
+    def file?(headers)
+      headers["Content-Transfer-Encoding"] == "binary"
+    end
+
+    def sse?(headers)
+      headers["Content-Type"] == "text/event-stream"
+    end
+
+    def html_request?(headers, response)
+      headers['Content-Type'] && headers['Content-Type'].include?('text/html') && response_body(response).include?("<html")
+    end
+
+    def response_body(response)
+      if rails?
+        Array === response.body ? response.body.first : response.body
+      else
+        response.first
+      end
+    end
+
+    private
+    def footer_div_attributes
+<<EOF
+data-is-brakefast-footer ondblclick="this.parentNode.removeChild(this);" style="position: fixed; bottom: 0pt; left: 0pt; cursor: pointer; border-style: solid; border-color: rgb(153, 153, 153);
+ -moz-border-top-colors: none; -moz-border-right-colors: none; -moz-border-bottom-colors: none;
+ -moz-border-left-colors: none; -moz-border-image: none; border-width: 2pt 2pt 0px 0px;
+ padding: 5px; border-radius: 0pt 10pt 0pt 0px; background: none repeat scroll 0% 0% rgba(200, 200, 200, 0.8);
+ color: rgb(119, 119, 119); font-size: 18px; font-family: 'Arial', sans-serif; z-index:9999;"
+EOF
+    end
+  end
+end

data/lib/brakefast/version.rb

@@ -0,0 +1,4 @@
+# encoding: utf-8
+module Brakefast
+  VERSION = "0.0.1"
+end

data/lib/brakefast.rb

@@ -0,0 +1,178 @@
+require "active_support/core_ext/module/delegation"
+require 'set'
+require 'uniform_notifier'
+require 'brakefast/dependency'
+
+module Brakefast
+  extend Dependency
+
+  autoload :Rack, 'brakefast/rack'
+  autoload :Notification, 'brakefast/notification'
+  autoload :Detector, 'brakefast/detector'
+  autoload :NotificationCollector, 'brakefast/notification_collector'
+
+  BRAKEFAST_DEBUG = 'BRAKEFAST_DEBUG'.freeze
+  TRUE = 'true'.freeze
+
+  if defined? Rails::Railtie
+    class BrakefastRailtie < Rails::Railtie
+      initializer "brakefast.configure_rails_initialization" do |app|
+        app.middleware.use Brakefast::Rack
+      end
+    end
+  end
+
+  class << self
+    attr_writer :enable, :errors_enable, :generic_warnings_enable, :controller_warnings_enable, :model_warnings_enable, :stacktrace_includes
+    attr_reader :notification_collector, :whitelist
+    attr_accessor :add_footer
+
+    available_notifiers = UniformNotifier::AVAILABLE_NOTIFIERS.map { |notifier| "#{notifier}=" }
+    available_notifiers << { :to => UniformNotifier }
+    delegate *available_notifiers
+
+    def raise=(should_raise)
+      UniformNotifier.raise=(should_raise ? Notification::UnoptimizedQueryError : false)
+    end
+
+    DETECTORS = [ Brakefast::Detector::ControllerWarnings,
+                  Brakefast::Detector::ModelWarnings,
+                  Brakefast::Detector::GenericWarnings ]
+
+    def enable=(enable)
+      @enable = @errors_enable = @generic_warnings_enable = @controller_warnings_enable = @model_warnings_enable = enable
+      reset_whitelist if enable?
+    end
+
+    def enable?
+      !!@enable
+    end
+
+    def errors_enable?
+      self.enable? && !!@errors_enable
+    end
+
+    def generic_warnings_enable?
+      self.enable? && !!@generic_warnings_enable
+    end
+
+    def controller_warnings_enable?
+      self.enable? && !!@controller_warnings_enable
+    end
+
+    def model_warnings_enable?
+      self.enable? && !!@model_warnings_enable
+    end
+
+    def stacktrace_includes
+      @stacktrace_includes || []
+    end
+
+    def add_whitelist(options)
+      @whitelist[options[:type]][options[:class_name].classify] ||= []
+      @whitelist[options[:type]][options[:class_name].classify] << options[:association].to_sym
+    end
+
+    def get_whitelist_associations(type, class_name)
+      Array(@whitelist[type][class_name])
+    end
+
+    def reset_whitelist
+      @whitelist = {:n_plus_one_query => {}, :unused_eager_loading => {}, :counter_cache => {}}
+    end
+
+    def brakefast_logger=(active)
+      if active
+        require 'fileutils'
+        root_path = "#{rails? ? Rails.root.to_s : Dir.pwd}"
+        FileUtils.mkdir_p(root_path + '/log')
+        brakefast_log_file = File.open("#{root_path}/log/brakefast.log", 'a+')
+        brakefast_log_file.sync = true
+        UniformNotifier.customized_logger = brakefast_log_file
+      end
+    end
+
+    def debug(title, message)
+      puts "[Brakefast][#{title}] #{message}" if ENV[BRAKEFAST_DEBUG] == TRUE
+    end
+
+    def start_request
+      Thread.current[:brakefast_start] = true
+      Thread.current[:brakefast_notification_collector] = Brakefast::NotificationCollector.new
+    end
+
+    def end_request
+      Thread.current[:brakefast_start] = nil
+      Thread.current[:brakefast_notification_collector] = nil
+    end
+
+    def start?
+      enable? && Thread.current[:brakefast_start]
+    end
+
+    def notification_collector
+      Thread.current[:brakefast_notification_collector]
+    end
+
+    def notification?
+      return unless start?
+      notification_collector.notifications_present?
+    end
+
+    def gather_inline_notifications
+      responses = []
+      for_each_active_notifier_with_notification do |notification|
+        responses << notification.notify_inline
+      end
+      responses.join( "\n" )
+    end
+
+    def perform_out_of_channel_notifications(env = {})
+      for_each_active_notifier_with_notification do |notification|
+        notification.url = env['REQUEST_URI']
+        notification.notify_out_of_channel
+      end
+    end
+
+    def footer_info
+      info = []
+      notification_collector.collection.each do |notification|
+        info << notification.short_notice
+      end
+      info
+    end
+
+    def warnings
+      notification_collector.collection.inject({}) do |warnings, notification|
+        warning_type = notification.class.to_s.split(':').last.tableize
+        warnings[warning_type] ||= []
+        warnings[warning_type] << notification
+        warnings
+      end
+    end
+
+    def profile
+      if Brakefast.enable?
+        begin
+          Brakefast.start_request
+
+          yield
+
+          Brakefast.perform_out_of_channel_notifications if Brakefast.notification?
+        ensure
+          Brakefast.end_request
+        end
+      end
+    end
+
+    private
+      def for_each_active_notifier_with_notification
+        UniformNotifier.active_notifiers.each do |notifier|
+          notification_collector.collection.each do |notification|
+            notification.notifier = notifier
+            yield notification
+          end
+        end
+      end
+  end
+end