brakeman-lib 3.3.1

data/lib/brakeman/app_tree.rb

@@ -0,0 +1,161 @@
+require 'pathname'
+
+module Brakeman
+  class AppTree
+    VIEW_EXTENSIONS = %w[html.erb html.haml rhtml js.erb html.slim].join(",")
+
+    attr_reader :root
+
+    def self.from_options(options)
+      root = File.expand_path options[:app_path]
+
+      # Convert files into Regexp for matching
+      init_options = {}
+      if options[:skip_files]
+        init_options[:skip_files] = regex_for_paths(options[:skip_files])
+      end
+
+      if options[:only_files]
+        init_options[:only_files] = regex_for_paths(options[:only_files])
+      end
+      init_options[:additional_libs_path] = options[:additional_libs_path]
+      new(root, init_options)
+    end
+
+    # Accepts an array of filenames and paths with the following format and
+    # returns a Regexp to match them:
+    #   * "path1/file1.rb" - Matches a specific filename in the project directory.
+    #   * "path1/" - Matches any path that conatains "path1" in the project directory.
+    #   * "/path1/ - Matches any path that is rooted at "path1" in the project directory.
+    #
+    def self.regex_for_paths(paths)
+      path_regexes = paths.map do |f|
+        # If path ends in a file separator then we assume it is a path rather
+        # than a filename.
+        if f.end_with?(File::SEPARATOR)
+          # If path starts with a file separator then we assume that they
+          # want the project relative path to start with this path prefix.
+          if f.start_with?(File::SEPARATOR)
+            "\\A#{Regexp.escape f}"
+          # If it ends in a file separator, but does not begin with a file
+          # separator then we assume the path can match any path component in
+          # the project.
+          else
+            Regexp.escape f
+          end
+        else
+          "#{Regexp.escape f}\\z"
+        end
+      end
+      Regexp.new("(?:" << path_regexes.join("|") << ")")
+    end
+    private_class_method(:regex_for_paths)
+
+    def initialize(root, init_options = {})
+      @root = root
+      @skip_files = init_options[:skip_files]
+      @only_files = init_options[:only_files]
+      @additional_libs_path = init_options[:additional_libs_path] || []
+    end
+
+    def expand_path(path)
+      File.expand_path(path, @root)
+    end
+
+    def read(path)
+      File.read(File.join(@root, path))
+    end
+
+    # This variation requires full paths instead of paths based
+    # off the project root. I'd prefer to get all the code outside
+    # of AppTree using project-root based paths (e.g. app/models/user.rb)
+    # instead of full paths, but I suspect it's an incompatible change.
+    def read_path(path)
+      File.read(path)
+    end
+
+    def exists?(path)
+      File.exist?(File.join(@root, path))
+    end
+
+    # This is a pair for #read_path. Again, would like to kill these
+    def path_exists?(path)
+      File.exist?(path)
+    end
+
+    def initializer_paths
+      @initializer_paths ||= find_paths("config/initializers")
+    end
+
+    def controller_paths
+      @controller_paths ||= find_paths("app/**/controllers")
+    end
+
+    def model_paths
+      @model_paths ||= find_paths("app/**/models")
+    end
+
+    def template_paths
+      @template_paths ||= find_paths("app/**/views", "*.{#{VIEW_EXTENSIONS}}")
+    end
+
+    def layout_exists?(name)
+      pattern = "#{@root}/{engines/*/,}app/views/layouts/#{name}.html.{erb,haml,slim}"
+      !Dir.glob(pattern).empty?
+    end
+
+    def lib_paths
+      @lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" or path.include? "lib/tasks/" } +
+                     find_additional_lib_paths
+    end
+
+  private
+
+    def find_additional_lib_paths
+      @additional_libs_path.collect{ |path| find_paths path }.flatten
+    end
+
+    def find_paths(directory, extensions = "*.rb")
+      pattern = @root + "/{engines/*/,}#{directory}/**/#{extensions}"
+
+      select_files(Dir.glob(pattern).sort)
+    end
+
+    def select_files(paths)
+      paths = select_only_files(paths)
+      reject_skipped_files(paths)
+    end
+
+    def select_only_files(paths)
+      return paths unless @only_files
+      project_root  = Pathname.new(@root)
+      paths.select do |path|
+        absolute_path = Pathname.new(path)
+        # relative root never has a leading separator. But, we use a leading
+        # separator in a @skip_files entry to imply that a directory is
+        # "absolute" with respect to the project directory.
+        project_relative_path = File.join(
+          File::SEPARATOR,
+          absolute_path.relative_path_from(project_root).to_s
+        )
+        @only_files.match(project_relative_path)
+      end
+    end
+
+    def reject_skipped_files(paths)
+      return paths unless @skip_files
+      project_root  = Pathname.new(@root)
+      paths.reject do |path|
+        absolute_path = Pathname.new(path)
+        # relative root never has a leading separator. But, we use a leading
+        # separator in a @skip_files entry to imply that a directory is
+        # "absolute" with respect to the project directory.
+        project_relative_path = File.join(
+          File::SEPARATOR,
+          absolute_path.relative_path_from(project_root).to_s
+        )
+        @skip_files.match(project_relative_path)
+      end
+    end
+  end
+end

data/lib/brakeman/brakeman.rake

@@ -0,0 +1,17 @@
+namespace :brakeman do
+
+  desc "Run Brakeman"
+  task :run, :output_files do |t, args|
+    require 'brakeman'
+
+    files = args[:output_files].split(' ') if args[:output_files]
+    Brakeman.run :app_path => ".", :output_files => files, :print_report => true
+  end
+
+  desc "Check your code with Brakeman"
+  task :check do
+    require 'brakeman'
+    result = Brakeman.run app_path: '.', print_report: true
+    exit Brakeman::Warnings_Found_Exit_Code unless result.filtered_warnings.empty?
+  end
+end

data/lib/brakeman/call_index.rb

@@ -0,0 +1,219 @@
+require 'set'
+
+#Stores call sites to look up later.
+class Brakeman::CallIndex
+
+  #Initialize index with calls from FindAllCalls
+  def initialize calls
+    @calls_by_method = Hash.new { |h, k| h[k] = [] }
+    @calls_by_target = Hash.new { |h, k| h[k] = [] }
+
+    index_calls calls
+  end
+
+  #Find calls matching specified option hash.
+  #
+  #Options:
+  #
+  #  * :target - symbol, array of symbols, or regular expression to match target(s)
+  #  * :method - symbol, array of symbols, or regular expression to match method(s)
+  #  * :chained - boolean, whether or not to match against a whole method chain (false by default)
+  #  * :nested - boolean, whether or not to match against a method call that is a target itself (false by default)
+  def find_calls options
+    target = options[:target] || options[:targets]
+    method = options[:method] || options[:methods]
+    nested = options[:nested]
+
+    if options[:chained]
+      return find_chain options
+    #Find by narrowest category
+    elsif target and method and target.is_a? Array and method.is_a? Array
+      if target.length > method.length
+        calls = filter_by_target calls_by_methods(method), target
+      else
+        calls = calls_by_targets(target)
+        calls = filter_by_method calls, method
+      end
+
+    #Find by target, then by methods, if provided
+    elsif target
+      calls = calls_by_target target
+
+      if calls and method
+        calls = filter_by_method calls, method
+      end
+
+    #Find calls with no explicit target
+    #with either :target => nil or :target => false
+    elsif (options.key? :target or options.key? :targets) and not target and method
+      calls = calls_by_method method
+      calls = filter_by_target calls, nil
+
+    #Find calls by method
+    elsif method
+      calls = calls_by_method method
+    else
+      raise "Invalid arguments to CallCache#find_calls: #{options.inspect}"
+    end
+
+    return [] if calls.nil?
+
+    #Remove calls that are actually targets of other calls
+    #Unless those are explicitly desired
+    calls = filter_nested calls unless nested
+
+    calls
+  end
+
+  def remove_template_indexes template_name = nil
+    [@calls_by_method, @calls_by_target].each do |calls_by|
+      calls_by.each do |name, calls|
+        calls.delete_if do |call|
+          from_template call, template_name
+        end
+      end
+    end
+  end
+
+  def remove_indexes_by_class classes
+    [@calls_by_method, @calls_by_target].each do |calls_by|
+      calls_by.each do |name, calls|
+        calls.delete_if do |call|
+          call[:location][:type] == :class and classes.include? call[:location][:class]
+        end
+      end
+    end
+  end
+
+  def index_calls calls
+    calls.each do |call|
+      @calls_by_method[call[:method]] << call
+
+      target = call[:target]
+
+      if not target.is_a? Sexp
+        @calls_by_target[target] << call
+      elsif target.node_type == :params or target.node_type == :session
+        @calls_by_target[target.node_type] << call
+      end
+    end
+  end
+
+  private
+
+  def find_chain options
+    target = options[:target] || options[:targets]
+    method = options[:method] || options[:methods]
+
+    calls = calls_by_method method
+
+    return [] if calls.nil?
+
+    calls = filter_by_chain calls, target
+  end
+
+  def calls_by_target target
+    if target.is_a? Array
+      calls_by_targets target
+    else
+      @calls_by_target[target]
+    end
+  end
+
+  def calls_by_targets targets
+    calls = []
+
+    targets.each do |target|
+      calls.concat @calls_by_target[target] if @calls_by_target.key? target
+    end
+
+    calls
+  end
+
+  def calls_by_method method
+    if method.is_a? Array
+      calls_by_methods method
+    elsif method.is_a? Regexp
+      calls_by_methods_regex method
+    else
+      @calls_by_method[method.to_sym]
+    end
+  end
+
+  def calls_by_methods methods
+    methods = methods.map { |m| m.to_sym }
+    calls = []
+
+    methods.each do |method|
+      calls.concat @calls_by_method[method] if @calls_by_method.key? method
+    end
+
+    calls
+  end
+
+  def calls_by_methods_regex methods_regex
+    calls = []
+    @calls_by_method.each do |key, value|
+      calls.concat value if key.to_s.match methods_regex
+    end
+    calls
+  end
+
+  def calls_with_no_target
+    @calls_by_target[nil]
+  end
+
+  def filter calls, key, value
+    if value.is_a? Array
+      values = Set.new value
+
+      calls.select do |call|
+        values.include? call[key]
+      end
+    elsif value.is_a? Regexp
+      calls.select do |call|
+        call[key].to_s.match value
+      end
+    else
+      calls.select do |call|
+        call[key] == value
+      end
+    end
+  end
+
+  def filter_by_method calls, method
+    filter calls, :method, method
+  end
+
+  def filter_by_target calls, target
+    filter calls, :target, target
+  end
+
+  def filter_nested calls
+    filter calls, :nested, false
+  end
+
+  def filter_by_chain calls, target
+    if target.is_a? Array
+      targets = Set.new target
+
+      calls.select do |call|
+        targets.include? call[:chain].first
+      end
+    elsif target.is_a? Regexp
+      calls.select do |call|
+        call[:chain].first.to_s.match target
+      end
+    else
+      calls.select do |call|
+        call[:chain].first == target
+      end
+    end
+  end
+
+  def from_template call, template_name
+    return false unless call[:location][:type] == :template
+    return true if template_name.nil?
+    call[:location][:template] == template_name
+  end
+end

data/lib/brakeman/checks.rb

@@ -0,0 +1,191 @@
+require 'thread'
+require 'brakeman/differ'
+
+#Collects up results from running different checks.
+#
+#Checks can be added with +Check.add(check_class)+
+#
+#All .rb files in checks/ will be loaded.
+class Brakeman::Checks
+  @checks = []
+  @optional_checks = []
+
+  attr_reader :warnings, :controller_warnings, :model_warnings, :template_warnings, :checks_run
+
+  #Add a check. This will call +_klass_.new+ when running tests
+  def self.add klass
+    @checks << klass unless @checks.include? klass
+  end
+
+  #Add an optional check
+  def self.add_optional klass
+    @optional_checks << klass unless @checks.include? klass
+  end
+
+  def self.checks
+    @checks + @optional_checks
+  end
+
+  def self.optional_checks
+    @optional_checks
+  end
+
+  def self.initialize_checks check_directory = ""
+    #Load all files in check_directory
+    Dir.glob(File.join(check_directory, "*.rb")).sort.each do |f|
+      require f
+    end
+  end
+
+  #No need to use this directly.
+  def initialize options = { }
+    if options[:min_confidence]
+      @min_confidence = options[:min_confidence]
+    else
+      @min_confidence = Brakeman.get_defaults[:min_confidence]
+    end
+
+    @warnings = []
+    @template_warnings = []
+    @model_warnings = []
+    @controller_warnings = []
+    @checks_run = []
+  end
+
+  #Add Warning to list of warnings to report.
+  #Warnings are split into four different arrays
+  #for template, controller, model, and generic warnings.
+  #
+  #Will not add warnings which are below the minimum confidence level.
+  def add_warning warning
+    unless warning.confidence > @min_confidence
+      case warning.warning_set
+      when :template
+        @template_warnings << warning
+      when :warning
+        @warnings << warning
+      when :controller
+        @controller_warnings << warning
+      when :model
+        @model_warnings << warning
+      else
+        raise "Unknown warning: #{warning.warning_set}"
+      end
+    end
+  end
+
+  #Return a hash of arrays of new and fixed warnings
+  #
+  #    diff = checks.diff old_checks
+  #    diff[:fixed]  # [...]
+  #    diff[:new]    # [...]
+  def diff other_checks
+    my_warnings = self.all_warnings
+    other_warnings = other_checks.all_warnings
+    Brakeman::Differ.new(my_warnings, other_warnings).diff
+  end
+
+  #Return an array of all warnings found.
+  def all_warnings
+    @warnings + @template_warnings + @controller_warnings + @model_warnings
+  end
+
+  #Run all the checks on the given Tracker.
+  #Returns a new instance of Checks with the results.
+  def self.run_checks(app_tree, tracker)
+    checks = self.checks_to_run(tracker)
+    check_runner = self.new :min_confidence => tracker.options[:min_confidence]
+    self.actually_run_checks(checks, check_runner, app_tree, tracker)
+  end
+
+  def self.actually_run_checks(checks, check_runner, app_tree, tracker)
+    threads = [] # Results for parallel
+    results = [] # Results for sequential
+    parallel = tracker.options[:parallel_checks]
+    error_mutex = Mutex.new
+
+    checks.each do |c|
+      check_name = get_check_name c
+      Brakeman.notify " - #{check_name}"
+
+      if parallel
+        threads << Thread.new do
+          self.run_a_check(c, error_mutex, app_tree, tracker)
+        end
+      else
+        results << self.run_a_check(c, error_mutex, app_tree, tracker)
+      end
+
+      #Maintain list of which checks were run
+      #mainly for reporting purposes
+      check_runner.checks_run << check_name[5..-1]
+    end
+
+    threads.each { |t| t.join }
+
+    Brakeman.notify "Checks finished, collecting results..."
+
+    if parallel
+      threads.each do |thread|
+        thread.value.each do |warning|
+          check_runner.add_warning warning
+        end
+      end
+    else
+      results.each do |warnings|
+        warnings.each do |warning|
+          check_runner.add_warning warning
+        end
+      end
+    end
+
+    check_runner
+  end
+
+  private
+
+  def self.get_check_name check_class
+    check_class.to_s.split("::").last
+  end
+
+  def self.checks_to_run tracker
+    to_run = if tracker.options[:run_all_checks] or tracker.options[:run_checks]
+               @checks + @optional_checks
+             else
+               @checks
+             end
+
+    self.filter_checks to_run, tracker
+  end
+
+  def self.filter_checks checks, tracker
+    skipped = tracker.options[:skip_checks]
+    explicit = tracker.options[:run_checks]
+
+    checks.reject do |c|
+      check_name = self.get_check_name(c)
+
+      skipped.include? check_name or
+        (explicit and not explicit.include? check_name)
+    end
+  end
+
+  def self.run_a_check klass, mutex, app_tree, tracker
+    check = klass.new(app_tree, tracker)
+
+    begin
+      check.run_check
+    rescue => e
+      mutex.synchronize do
+        tracker.error e
+      end
+    end
+
+    check.warnings
+  end
+end
+
+#Load all files in checks/ directory
+Dir.glob("#{File.expand_path(File.dirname(__FILE__))}/checks/*.rb").sort.each do |f|
+  require f.match(/(brakeman\/checks\/.*)\.rb$/)[0]
+end