brakeman-lib 3.3.1

data/lib/brakeman/scanner.rb

@@ -0,0 +1,317 @@
+begin
+  Brakeman.load_brakeman_dependency 'ruby_parser'
+  require 'ruby_parser/bm_sexp.rb'
+  require 'ruby_parser/bm_sexp_processor.rb'
+  require 'brakeman/processor'
+  require 'brakeman/app_tree'
+  require 'brakeman/file_parser'
+  require 'brakeman/parsers/template_parser'
+rescue LoadError => e
+  $stderr.puts e.message
+  $stderr.puts "Please install the appropriate dependency."
+  exit(-1)
+end
+
+#Scans the Rails application.
+class Brakeman::Scanner
+  attr_reader :options
+  RUBY_1_9 = RUBY_VERSION >= "1.9.0"
+
+  #Pass in path to the root of the Rails application
+  def initialize options, processor = nil
+    @options = options
+    @app_tree = Brakeman::AppTree.from_options(options)
+
+    if (!@app_tree.root || !@app_tree.exists?("app")) && !options[:force_scan]
+      raise Brakeman::NoApplication, "Please supply the path to a Rails application."
+    end
+
+    @processor = processor || Brakeman::Processor.new(@app_tree, options)
+  end
+
+  #Returns the Tracker generated from the scan
+  def tracker
+    @processor.tracked_events
+  end
+
+  #Process everything in the Rails application
+  def process
+    Brakeman.notify "Processing gems..."
+    process_gems
+    guess_rails_version
+    Brakeman.notify "Processing configuration..."
+    process_config
+    Brakeman.notify "Parsing files..."
+    parse_files
+    Brakeman.notify "Processing initializers..."
+    process_initializers
+    Brakeman.notify "Processing libs..."
+    process_libs
+    Brakeman.notify "Processing routes...          "
+    process_routes
+    Brakeman.notify "Processing templates...       "
+    process_templates
+    Brakeman.notify "Processing data flow in templates..."
+    process_template_data_flows
+    Brakeman.notify "Processing models...          "
+    process_models
+    Brakeman.notify "Processing controllers...     "
+    process_controllers
+    Brakeman.notify "Processing data flow in controllers..."
+    process_controller_data_flows
+    Brakeman.notify "Indexing call sites...        "
+    index_call_sites
+    tracker
+  end
+
+  def parse_files
+    fp = Brakeman::FileParser.new tracker, @app_tree
+
+    files = {
+      :initializers => @app_tree.initializer_paths,
+      :controllers => @app_tree.controller_paths,
+      :models => @app_tree.model_paths
+    }
+
+    unless options[:skip_libs]
+      files[:libs] = @app_tree.lib_paths
+    end
+
+    files.each do |name, paths|
+      fp.parse_files paths, name
+    end
+
+    template_parser = Brakeman::TemplateParser.new(tracker, fp)
+
+    fp.read_files(@app_tree.template_paths, :templates) do |path, contents|
+      template_parser.parse_template path, contents
+    end
+
+    @file_list = fp.file_list
+  end
+
+  #Process config/environment.rb and config/gems.rb
+  #
+  #Stores parsed information in tracker.config
+  def process_config
+    if options[:rails3] or options[:rails4] or options[:rails5]
+      process_config_file "application.rb"
+      process_config_file "environments/production.rb"
+    else
+      process_config_file "environment.rb"
+      process_config_file "gems.rb"
+    end
+
+    if @app_tree.exists?("vendor/plugins/rails_xss") or
+      options[:rails3] or options[:escape_html]
+
+      tracker.config.escape_html = true
+      Brakeman.notify "[Notice] Escaping HTML by default"
+    end
+  end
+
+  def process_config_file file
+    path = "config/#{file}"
+
+    if @app_tree.exists?(path)
+      @processor.process_config(parse_ruby(@app_tree.read(path)), path)
+    end
+
+  rescue => e
+    Brakeman.notify "[Notice] Error while processing #{path}"
+    tracker.error e.exception(e.message + "\nwhile processing #{path}"), e.backtrace
+  end
+
+  private :process_config_file
+
+  #Process Gemfile
+  def process_gems
+    gem_files = {}
+    if @app_tree.exists? "Gemfile"
+      gem_files[:gemfile] = { :src => parse_ruby(@app_tree.read("Gemfile")), :file => "Gemfile" }
+    elsif @app_tree.exists? "gems.rb"
+      gem_files[:gemfile] = { :src => parse_ruby(@app_tree.read("gems.rb")), :file => "gems.rb" }
+    end
+
+    if @app_tree.exists? "Gemfile.lock"
+      gem_files[:gemlock] = { :src => @app_tree.read("Gemfile.lock"), :file => "Gemfile.lock" }
+    elsif @app_tree.exists? "gems.locked"
+      gem_files[:gemlock] = { :src => @app_tree.read("gems.locked"), :file => "gems.locked" }
+    end
+
+    if gem_files[:gemfile] or gem_files[:gemlock]
+      @processor.process_gems gem_files
+    end
+  rescue => e
+    Brakeman.notify "[Notice] Error while processing Gemfile."
+    tracker.error e.exception(e.message + "\nWhile processing Gemfile"), e.backtrace
+  end
+
+  #Set :rails3/:rails4 option if version was not determined from Gemfile
+  def guess_rails_version
+    unless tracker.options[:rails3] or tracker.options[:rails4]
+      if @app_tree.exists?("script/rails")
+        tracker.options[:rails3] = true
+        Brakeman.notify "[Notice] Detected Rails 3 application"
+      elsif @app_tree.exists?("app/channels")
+        tracker.options[:rails3] = true
+        tracker.options[:rails4] = true
+        tracker.options[:rails5] = true
+        Brakeman.notify "[Notice] Detected Rails 5 application"
+      elsif not @app_tree.exists?("script")
+        tracker.options[:rails3] = true
+        tracker.options[:rails4] = true
+        Brakeman.notify "[Notice] Detected Rails 4 application"
+      end
+    end
+  end
+
+  #Process all the .rb files in config/initializers/
+  #
+  #Adds parsed information to tracker.initializers
+  def process_initializers
+    track_progress @file_list[:initializers] do |init|
+      Brakeman.debug "Processing #{init[:path]}"
+      process_initializer init
+    end
+  end
+
+  #Process an initializer
+  def process_initializer init
+    @processor.process_initializer(init.path, init.ast)
+  end
+
+  #Process all .rb in lib/
+  #
+  #Adds parsed information to tracker.libs.
+  def process_libs
+    if options[:skip_libs]
+      Brakeman.notify '[Skipping]'
+      return
+    end
+
+    track_progress @file_list[:libs] do |lib|
+      Brakeman.debug "Processing #{lib.path}"
+      process_lib lib
+    end
+  end
+
+  #Process a library
+  def process_lib lib
+    @processor.process_lib lib.ast, lib.path
+  end
+
+  #Process config/routes.rb
+  #
+  #Adds parsed information to tracker.routes
+  def process_routes
+    if @app_tree.exists?("config/routes.rb")
+      begin
+        @processor.process_routes parse_ruby(@app_tree.read("config/routes.rb"))
+      rescue => e
+        tracker.error e.exception(e.message + "\nWhile processing routes.rb"), e.backtrace
+        Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
+        options[:assume_all_routes] = true
+      end
+    else
+      Brakeman.notify "[Notice] No route information found"
+    end
+  end
+
+  #Process all .rb files in controllers/
+  #
+  #Adds processed controllers to tracker.controllers
+  def process_controllers
+    track_progress @file_list[:controllers] do |controller|
+      Brakeman.debug "Processing #{controller.path}"
+      process_controller controller
+    end
+  end
+
+  def process_controller_data_flows
+    controllers = tracker.controllers.sort_by { |name, _| name.to_s }
+
+    track_progress controllers, "controllers" do |name, controller|
+      Brakeman.debug "Processing #{name}"
+      controller.src.each do |file, src|
+        @processor.process_controller_alias name, src, nil, file
+      end
+    end
+
+    #No longer need these processed filter methods
+    tracker.filter_cache.clear
+  end
+
+  def process_controller astfile
+    begin
+      @processor.process_controller(astfile.ast, astfile.path)
+    rescue => e
+      tracker.error e.exception(e.message + "\nWhile processing #{astfile.path}"), e.backtrace
+    end
+  end
+
+  #Process all views and partials in views/
+  #
+  #Adds processed views to tracker.views
+  def process_templates
+    templates = @file_list[:templates].sort_by { |t| t[:path] }
+
+    track_progress templates, "templates" do |template|
+      Brakeman.debug "Processing #{template[:path]}"
+      process_template template
+    end
+  end
+
+  def process_template template
+    @processor.process_template(template.name, template.ast, template.type, nil, template.path)
+  end
+
+  def process_template_data_flows
+    templates = tracker.templates.sort_by { |name, _| name.to_s }
+
+    track_progress templates, "templates" do |name, template|
+      Brakeman.debug "Processing #{name}"
+      @processor.process_template_alias template
+    end
+  end
+
+  #Process all the .rb files in models/
+  #
+  #Adds the processed models to tracker.models
+  def process_models
+    track_progress @file_list[:models] do |model|
+      Brakeman.debug "Processing #{model[:path]}"
+      process_model model[:path], model[:ast]
+    end
+  end
+
+  def process_model path, ast
+    @processor.process_model(ast, path)
+  end
+
+  def track_progress list, type = "files"
+    total = list.length
+    current = 0
+    list.each do |item|
+      report_progress current, total, type
+      current += 1
+      yield item
+    end
+  end
+
+  def report_progress(current, total, type = "files")
+    return unless @options[:report_progress]
+    $stderr.print " #{current}/#{total} #{type} processed\r"
+  end
+
+  def index_call_sites
+    tracker.index_call_sites
+  end
+
+  def parse_ruby input
+    RubyParser.new.parse input
+  end
+end
+
+# This is to allow operation without loading the Haml library
+module Haml; class Error < StandardError; end; end

data/lib/brakeman/tracker.rb

@@ -0,0 +1,347 @@
+require 'set'
+require 'brakeman/call_index'
+require 'brakeman/checks'
+require 'brakeman/report'
+require 'brakeman/processors/lib/find_call'
+require 'brakeman/processors/lib/find_all_calls'
+require 'brakeman/tracker/config'
+require 'brakeman/tracker/constants'
+
+#The Tracker keeps track of all the processed information.
+class Brakeman::Tracker
+  attr_accessor :controllers, :constants, :templates, :models, :errors,
+    :checks, :initializers, :config, :routes, :processor, :libs,
+    :template_cache, :options, :filter_cache, :start_time, :end_time,
+    :duration, :ignored_filter
+
+  #Place holder when there should be a model, but it is not
+  #clear what model it will be.
+  UNKNOWN_MODEL = :BrakemanUnresolvedModel
+
+  #Creates a new Tracker.
+  #
+  #The Processor argument is only used by other Processors
+  #that might need to access it.
+  def initialize(app_tree, processor = nil, options = {})
+    @app_tree = app_tree
+    @processor = processor
+    @options = options
+
+    @config = Brakeman::Config.new(self)
+    @templates = {}
+    @controllers = {}
+    #Initialize models with the unknown model so
+    #we can match models later without knowing precisely what
+    #class they are.
+    @models = {}
+    @models[UNKNOWN_MODEL] = Brakeman::Model.new(UNKNOWN_MODEL, nil, nil, nil, self)
+    @routes = {}
+    @initializers = {}
+    @errors = []
+    @libs = {}
+    @constants = Brakeman::Constants.new
+    @checks = nil
+    @processed = nil
+    @template_cache = Set.new
+    @filter_cache = {}
+    @call_index = nil
+    @start_time = Time.now
+    @end_time = nil
+    @duration = nil
+  end
+
+  #Add an error to the list. If no backtrace is given,
+  #the one from the exception will be used.
+  def error exception, backtrace = nil
+    backtrace ||= exception.backtrace
+    unless backtrace.is_a? Array
+      backtrace = [ backtrace ]
+    end
+
+    Brakeman.debug exception
+    Brakeman.debug backtrace
+
+    @errors << { :error => exception.to_s.gsub("\n", " "), :backtrace => backtrace }
+  end
+
+  #Run a set of checks on the current information. Results will be stored
+  #in Tracker#checks.
+  def run_checks
+    @checks = Brakeman::Checks.run_checks(@app_tree, self)
+
+    @end_time = Time.now
+    @duration = @end_time - @start_time
+    @checks
+  end
+
+  def app_path
+    @app_path ||= File.expand_path @options[:app_path]
+  end
+
+  #Iterate over all methods in controllers and models.
+  def each_method
+    classes = [self.controllers, self.models]
+
+    if @options[:index_libs]
+      classes << self.libs
+    end
+
+    classes.each do |set|
+      set.each do |set_name, collection|
+        collection.each_method do |method_name, definition|
+          src = definition[:src]
+          yield src, set_name, method_name, definition[:file]
+        end
+      end
+    end
+  end
+
+  #Iterates over each template, yielding the name and the template.
+  #Prioritizes templates which have been rendered.
+  def each_template
+    if @processed.nil?
+      @processed, @rest = templates.keys.sort_by{|template| template.to_s}.partition { |k| k.to_s.include? "." }
+    end
+
+    @processed.each do |k|
+      yield k, templates[k]
+    end
+
+    @rest.each do |k|
+      yield k, templates[k]
+    end
+  end
+
+
+  def each_class
+    classes = [self.controllers, self.models]
+
+    if @options[:index_libs]
+      classes << self.libs
+    end
+
+    classes.each do |set|
+      set.each do |set_name, collection|
+        collection.src.each do |file, src|
+          yield src, set_name, file
+        end
+      end
+    end
+  end
+
+  #Find a method call.
+  #
+  #Options:
+  #  * :target => target name(s)
+  #  * :method => method name(s)
+  #  * :chained => search in method chains
+  #
+  #If :target => false or :target => nil, searches for methods without a target.
+  #Targets and methods can be specified as a symbol, an array of symbols,
+  #or a regular expression.
+  #
+  #If :chained => true, matches target at head of method chain and method at end.
+  #
+  #For example:
+  #
+  #    find_call :target => User, :method => :all, :chained => true
+  #
+  #could match
+  #
+  #    User.human.active.all(...)
+  #
+  def find_call options
+    index_call_sites unless @call_index
+    @call_index.find_calls options
+  end
+
+  #Searches the initializers for a method call
+  def check_initializers target, method
+    finder = Brakeman::FindCall.new target, method, self
+
+    initializers.sort.each do |name, initializer|
+      finder.process_source initializer
+    end
+
+    finder.matches
+  end
+
+  #Returns a Report with this Tracker's information
+  def report
+    Brakeman::Report.new(@app_tree, self)
+  end
+
+  def warnings
+    self.checks.all_warnings
+  end
+
+  def filtered_warnings
+    if self.ignored_filter
+      self.warnings.reject do |w|
+        self.ignored_filter.ignored? w
+      end
+    else
+      self.warnings
+    end
+  end
+
+  def add_constant name, value, context = nil
+    @constants.add name, value, context
+  end
+
+  def constant_lookup name
+    @constants.get_literal name
+  end
+
+  def index_call_sites
+    finder = Brakeman::FindAllCalls.new self
+
+    self.each_method do |definition, set_name, method_name, file|
+      finder.process_source definition, :class => set_name, :method => method_name, :file => file
+    end
+
+    self.each_class do |definition, set_name, file|
+      finder.process_source definition, :class => set_name, :file => file
+    end
+
+    self.each_template do |name, template|
+      finder.process_source template.src, :template => template, :file => template.file
+    end
+
+    @call_index = Brakeman::CallIndex.new finder.calls
+  end
+
+  #Reindex call sites
+  #
+  #Takes a set of symbols which can include :templates, :models,
+  #or :controllers
+  #
+  #This will limit reindexing to the given sets
+  def reindex_call_sites locations
+    #If reindexing templates, models, and controllers, just redo
+    #everything
+    if locations.length == 3
+      return index_call_sites
+    end
+
+    if locations.include? :templates
+      @call_index.remove_template_indexes
+    end
+
+    classes_to_reindex = Set.new
+    method_sets = []
+
+    if locations.include? :models
+      classes_to_reindex.merge self.models.keys
+      method_sets << self.models
+    end
+
+    if locations.include? :controllers
+      classes_to_reindex.merge self.controllers.keys
+      method_sets << self.controllers
+    end
+
+    @call_index.remove_indexes_by_class classes_to_reindex
+
+    finder = Brakeman::FindAllCalls.new self
+
+    method_sets.each do |set|
+      set.each do |set_name, info|
+        info.each_method do |method_name, definition|
+          src = definition[:src]
+          finder.process_source src, :class => set_name, :method => method_name, :file => definition[:file]
+        end
+      end
+    end
+
+    if locations.include? :templates
+      self.each_template do |name, template|
+        finder.process_source template.src, :template => template, :file => template.file
+      end
+    end
+
+    @call_index.index_calls finder.calls
+  end
+
+  #Clear information related to templates.
+  #If :only_rendered => true, will delete templates rendered from
+  #controllers (but not those rendered from other templates)
+  def reset_templates options = { :only_rendered => false }
+    if options[:only_rendered]
+      @templates.delete_if do |name, template|
+        template.rendered_from_controller?
+      end
+    else
+      @templates = {}
+    end
+    @processed = nil
+    @rest = nil
+    @template_cache.clear
+  end
+
+  #Clear information related to template
+  def reset_template name
+    name = name.to_sym
+    @templates.delete name
+    @processed = nil
+    @rest = nil
+    @template_cache.clear
+  end
+
+  #Clear information related to model
+  def reset_model path
+    model_name = nil
+
+    @models.each do |name, model|
+      if model.files.include?(path)
+        model_name = name
+        break
+      end
+    end
+
+    @models.delete model_name
+  end
+
+  #Clear information related to model
+  def reset_lib path
+    lib_name = nil
+
+    @libs.each do |name, lib|
+      if lib.files.include?(path)
+        lib_name = name
+        break
+      end
+    end
+
+    @libs.delete lib_name
+  end
+
+  def reset_controller path
+    controller_name = nil
+
+    #Remove from controller
+    @controllers.each do |name, controller|
+      if controller.files.include?(path)
+        controller_name = name
+
+        #Remove templates rendered from this controller
+        @templates.each do |template_name, template|
+          if template.render_path and template.render_path.include_controller? name
+            reset_template template_name
+            @call_index.remove_template_indexes template_name
+          end
+        end
+
+        #Remove calls indexed from this controller
+        @call_index.remove_indexes_by_class [name]
+        break
+      end
+    end
+    @controllers.delete controller_name
+  end
+
+  #Clear information about routes
+  def reset_routes
+    @routes = {}
+  end
+end