brakeman-lib 3.3.1

data/lib/brakeman/tracker/collection.rb

@@ -0,0 +1,93 @@
+require 'brakeman/util'
+
+module Brakeman
+  class Collection
+    include Brakeman::Util
+
+    attr_reader :collection, :files, :includes, :name, :options, :parent, :src, :tracker
+
+    def initialize name, parent, file_name, src, tracker
+      @name = name
+      @parent = parent
+      @file_name = file_name
+      @files = [ file_name ]
+      @src = { file_name => src }
+      @includes = []
+      @methods = { :public => {}, :private => {}, :protected => {} }
+      @options = {}
+      @tracker = tracker
+    end
+
+    def ancestor? parent, seen={}
+      seen[self.name] = true
+
+      if self.parent == parent or seen[self.parent]
+        true
+      elsif parent_model = collection[self.parent]
+        parent_model.ancestor? parent, seen
+      else
+        false
+      end
+    end
+
+    def add_file file_name, src
+      @files << file_name unless @files.include? file_name
+      @src[file_name] = src
+    end
+
+    def add_include class_name
+      @includes << class_name
+    end
+
+    def add_option name, exp
+      @options[name] ||= []
+      @options[name] << exp
+    end
+
+    def add_method visibility, name, src, file_name
+      if src.node_type == :defs
+        name = :"#{src[1]}.#{name}"
+      end
+
+      @methods[visibility][name] = { :src => src, :file => file_name }
+    end
+
+    def each_method
+      @methods.each do |vis, meths|
+        meths.each do |name, info|
+          yield name, info
+        end
+      end
+    end
+
+    def get_method name
+      each_method do |n, info|
+        if n == name
+          return info
+        end
+      end
+
+      nil
+    end
+
+    def file
+      @files.first
+    end
+
+    def top_line
+      if sexp? @src[file]
+        @src[file].line
+      else
+        @src.each_value do |source|
+          if sexp? source
+            return source.line
+          end
+        end
+      end
+    end
+
+    def methods_public
+      @methods[:public]
+    end
+  end
+end

data/lib/brakeman/tracker/config.rb

@@ -0,0 +1,101 @@
+require 'brakeman/util'
+
+module Brakeman
+  class Config
+    include Util
+
+    attr_reader :rails, :tracker
+    attr_accessor :rails_version
+    attr_writer :erubis, :escape_html
+    attr_reader :gems
+
+    def initialize tracker
+      @tracker = tracker
+      @rails = {}
+      @gems = {}
+      @settings = {}
+      @escape_html = nil
+      @erubis = nil
+    end
+
+    def allow_forgery_protection?
+      @rails[:action_controller] and
+        @rails[:action_controller][:allow_forgery_protection] == Sexp.new(:false)
+    end
+
+    def erubis?
+      @erubis
+    end
+
+    def escape_html?
+      @escape_html
+    end
+
+    def escape_html_entities_in_json?
+      #TODO add version-specific information here
+      @rails[:active_support] and
+        true? @rails[:active_support][:escape_html_entities_in_json]
+    end
+
+    def whitelist_attributes?
+      @rails[:active_record] and
+        @rails[:active_record][:whitelist_attributes] == Sexp.new(:true)
+    end
+
+    def gem_version name
+      @gems[name] and @gems[name][:version]
+    end
+
+    def add_gem name, version, file, line
+      name = name.to_sym
+      @gems[name] = {
+        :version => version,
+        :file => file,
+        :line => line
+      }
+    end
+
+    def has_gem? name
+      !!@gems[name]
+    end
+
+    def get_gem name
+      @gems[name]
+    end
+
+    def set_rails_version
+      # Ignore ~>, etc. when using values from Gemfile
+      version = gem_version(:rails) || gem_version(:railties)
+      if version and version.match(/(\d+\.\d+\.\d+.*)/)
+        @rails_version = $1
+
+        if tracker.options[:rails3].nil? and tracker.options[:rails4].nil?
+          if @rails_version.start_with? "3"
+            tracker.options[:rails3] = true
+            Brakeman.notify "[Notice] Detected Rails 3 application"
+          elsif @rails_version.start_with? "4"
+            tracker.options[:rails3] = true
+            tracker.options[:rails4] = true
+            Brakeman.notify "[Notice] Detected Rails 4 application"
+          elsif @rails_version.start_with? "5"
+            tracker.options[:rails3] = true
+            tracker.options[:rails4] = true
+            tracker.options[:rails5] = true
+            Brakeman.notify "[Notice] Detected Rails 5 application"
+          end
+        end
+      end
+
+      if get_gem :rails_xss
+        @escape_html = true
+        Brakeman.notify "[Notice] Escaping HTML by default"
+      end
+    end
+
+    def session_settings
+      @rails[:action_controller] &&
+        @rails[:action_controller][:session]
+    end
+
+  end
+end

data/lib/brakeman/tracker/constants.rb

@@ -0,0 +1,101 @@
+require 'brakeman/processors/output_processor'
+
+module Brakeman
+  class Constant
+    attr_reader :name, :file
+
+    def initialize name, value = nil, context = nil 
+      set_name name, context
+      @values = [ value ]
+      @context = context
+
+      if @context
+        @file = @context[:file]
+      end
+    end
+
+    def line
+      if @values.first.is_a? Sexp
+        @values.first.line
+      end
+    end
+
+    def set_name name, context
+      @name = Constants.constant_as_array(name)
+    end
+
+    def match? name
+      @name.reverse.zip(name.reverse).reduce(true) { |m, a| a[1] ? a[0] == a[1] && m : m }
+    end
+
+    def value
+      @values.reverse.reduce do |m, v|
+        Sexp.new(:or, v, m)
+      end
+    end
+
+    def add_value exp
+      unless @values.include? exp
+        @values << exp
+      end
+    end
+  end
+
+  class Constants
+    include Brakeman::Util
+
+    def initialize
+      @constants = []
+    end
+
+    def [] exp
+      return unless constant? exp
+      match = find_constant exp
+
+      if match
+        match.value
+      else
+        nil
+      end
+    end
+
+    def find_constant exp
+      name = Constants.constant_as_array(exp)
+      @constants.find do |c|
+        c.match? name
+      end
+    end
+
+    def add name, value, context = nil
+      if existing = self.find_constant(name)
+        existing.add_value value
+      else
+        @constants << Constant.new(name, value, context)
+      end
+    end
+
+    def get_literal name
+      if x = self[name] and [:lit, :false, :str, :true, :array, :hash].include? x.node_type
+        x
+      else
+        nil
+      end
+    end
+
+    def each &block
+      @constants.each &block
+    end
+
+    def self.constant_as_array exp
+      get_constant_name(exp).split('::')
+    end
+
+    def self.get_constant_name exp
+      if exp.is_a? Sexp
+        Brakeman::OutputProcessor.new.format(exp)
+      else
+        exp.to_s
+      end
+    end
+  end
+end

data/lib/brakeman/tracker/controller.rb

@@ -0,0 +1,161 @@
+require 'brakeman/tracker/collection'
+
+module Brakeman
+  module ControllerMethods
+    attr_accessor :layout
+
+    def initialize_controller
+      @options[:before_filters] = []
+      @options[:skip_filters] = []
+      @layout = nil
+      @skip_filter_cache = nil
+      @before_filter_cache = nil
+    end
+
+    def protect_from_forgery?
+      @options[:protect_from_forgery]
+    end
+
+    def add_before_filter exp
+      @options[:before_filters] << exp
+    end
+
+    def prepend_before_filter exp
+      @options[:before_filters].unshift exp
+    end
+
+    def before_filters
+      @options[:before_filters]
+    end
+
+    def skip_filter exp
+      @options[:skip_filters] << exp
+    end
+
+    def skip_filters
+      @options[:skip_filters]
+    end
+
+    def before_filter_list processor, method
+      controller = self
+      filters = []
+
+      while controller
+        filters = controller.get_before_filters(processor, method) + filters
+
+        controller = tracker.controllers[controller.parent] ||
+          tracker.libs[controller.parent]
+      end
+
+      remove_skipped_filters processor, filters, method
+    end
+
+    def get_skipped_filters processor, method
+      filters = []
+
+      if @skip_filter_cache.nil?
+        @skip_filter_cache = skip_filters.map do |filter|
+          before_filter_to_hash(processor, filter.args)
+        end
+      end
+
+      @skip_filter_cache.each do |f|
+        if f[:all] or
+          (f[:only] == method) or
+          (f[:only].is_a? Array and f[:only].include? method) or
+          (f[:except].is_a? Symbol and f[:except] != method) or
+          (f[:except].is_a? Array and not f[:except].include? method)
+
+          filters.concat f[:methods]
+        else
+        end
+      end
+
+      filters
+    end
+
+    def remove_skipped_filters processor, filters, method
+      controller = self
+
+      while controller
+        filters = filters - controller.get_skipped_filters(processor, method)
+
+        controller = tracker.controllers[controller.parent] ||
+          tracker.libs[controller.parent]
+      end
+
+      filters
+    end
+
+    def get_before_filters processor, method
+      filters = []
+
+      if @before_filter_cache.nil?
+        @before_filter_cache = []
+
+        before_filters.each do |filter|
+          @before_filter_cache << before_filter_to_hash(processor, filter.args)
+        end
+      end
+
+      @before_filter_cache.each do |f|
+        if f[:all] or
+          (f[:only] == method) or
+          (f[:only].is_a? Array and f[:only].include? method) or
+          (f[:except].is_a? Symbol and f[:except] != method) or
+          (f[:except].is_a? Array and not f[:except].include? method)
+
+          filters.concat f[:methods]
+        end
+      end
+
+
+      filters
+    end
+
+    def before_filter_to_hash processor, args
+      filter = {}
+
+      #Process args for the uncommon but possible situation
+      #in which some variables are used in the filter.
+      args.each do |a|
+        if sexp? a
+          a = processor.process_default a
+        end
+      end
+
+      filter[:methods] = []
+
+      args.each do |a|
+        filter[:methods] << a[1] if a.node_type == :lit
+      end
+
+      if args[-1].node_type == :hash
+        option = args[-1][1][1]
+        value = args[-1][2]
+        case value.node_type
+        when :array
+          filter[option] = value[1..-1].map {|v| v[1] }
+        when :lit, :str
+          filter[option] = value[1]
+        else
+          Brakeman.debug "[Notice] Unknown before_filter value: #{option} => #{value}"
+        end
+      else
+        filter[:all] = true
+      end
+
+      filter
+    end
+  end
+
+  class Controller < Brakeman::Collection
+    include ControllerMethods
+
+    def initialize name, parent, file_name, src, tracker
+      super
+      initialize_controller
+      @collection = tracker.controllers
+    end
+  end
+end