RubyGems - brakeman-lib - Versions diffs - 3.3.1 - Mend

brakeman-lib 3.3.1

Files changed (159) hide show

checksums.yaml +7 -0
data/CHANGES +872 -0
data/FEATURES +16 -0
data/README.md +169 -0
data/WARNING_TYPES +95 -0
data/bin/brakeman +89 -0
data/lib/brakeman.rb +495 -0
data/lib/brakeman/app_tree.rb +161 -0
data/lib/brakeman/brakeman.rake +17 -0
data/lib/brakeman/call_index.rb +219 -0
data/lib/brakeman/checks.rb +191 -0
data/lib/brakeman/checks/base_check.rb +518 -0
data/lib/brakeman/checks/check_basic_auth.rb +88 -0
data/lib/brakeman/checks/check_basic_auth_timing_attack.rb +33 -0
data/lib/brakeman/checks/check_content_tag.rb +160 -0
data/lib/brakeman/checks/check_create_with.rb +75 -0
data/lib/brakeman/checks/check_cross_site_scripting.rb +385 -0
data/lib/brakeman/checks/check_default_routes.rb +86 -0
data/lib/brakeman/checks/check_deserialize.rb +57 -0
data/lib/brakeman/checks/check_detailed_exceptions.rb +55 -0
data/lib/brakeman/checks/check_digest_dos.rb +38 -0
data/lib/brakeman/checks/check_dynamic_finders.rb +49 -0
data/lib/brakeman/checks/check_escape_function.rb +21 -0
data/lib/brakeman/checks/check_evaluation.rb +36 -0
data/lib/brakeman/checks/check_execute.rb +167 -0
data/lib/brakeman/checks/check_file_access.rb +63 -0
data/lib/brakeman/checks/check_file_disclosure.rb +35 -0
data/lib/brakeman/checks/check_filter_skipping.rb +31 -0
data/lib/brakeman/checks/check_forgery_setting.rb +74 -0
data/lib/brakeman/checks/check_header_dos.rb +31 -0
data/lib/brakeman/checks/check_i18n_xss.rb +48 -0
data/lib/brakeman/checks/check_jruby_xml.rb +38 -0
data/lib/brakeman/checks/check_json_encoding.rb +47 -0
data/lib/brakeman/checks/check_json_parsing.rb +107 -0
data/lib/brakeman/checks/check_link_to.rb +132 -0
data/lib/brakeman/checks/check_link_to_href.rb +115 -0
data/lib/brakeman/checks/check_mail_to.rb +49 -0
data/lib/brakeman/checks/check_mass_assignment.rb +198 -0
data/lib/brakeman/checks/check_mime_type_dos.rb +39 -0
data/lib/brakeman/checks/check_model_attr_accessible.rb +55 -0
data/lib/brakeman/checks/check_model_attributes.rb +119 -0
data/lib/brakeman/checks/check_model_serialize.rb +67 -0
data/lib/brakeman/checks/check_nested_attributes.rb +38 -0
data/lib/brakeman/checks/check_nested_attributes_bypass.rb +58 -0
data/lib/brakeman/checks/check_number_to_currency.rb +74 -0
data/lib/brakeman/checks/check_quote_table_name.rb +40 -0
data/lib/brakeman/checks/check_redirect.rb +215 -0
data/lib/brakeman/checks/check_regex_dos.rb +69 -0
data/lib/brakeman/checks/check_render.rb +92 -0
data/lib/brakeman/checks/check_render_dos.rb +37 -0
data/lib/brakeman/checks/check_render_inline.rb +54 -0
data/lib/brakeman/checks/check_response_splitting.rb +21 -0
data/lib/brakeman/checks/check_route_dos.rb +42 -0
data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +31 -0
data/lib/brakeman/checks/check_sanitize_methods.rb +79 -0
data/lib/brakeman/checks/check_secrets.rb +40 -0
data/lib/brakeman/checks/check_select_tag.rb +60 -0
data/lib/brakeman/checks/check_select_vulnerability.rb +60 -0
data/lib/brakeman/checks/check_send.rb +48 -0
data/lib/brakeman/checks/check_send_file.rb +19 -0
data/lib/brakeman/checks/check_session_manipulation.rb +36 -0
data/lib/brakeman/checks/check_session_settings.rb +170 -0
data/lib/brakeman/checks/check_simple_format.rb +59 -0
data/lib/brakeman/checks/check_single_quotes.rb +101 -0
data/lib/brakeman/checks/check_skip_before_filter.rb +60 -0
data/lib/brakeman/checks/check_sql.rb +660 -0
data/lib/brakeman/checks/check_sql_cves.rb +101 -0
data/lib/brakeman/checks/check_ssl_verify.rb +49 -0
data/lib/brakeman/checks/check_strip_tags.rb +89 -0
data/lib/brakeman/checks/check_symbol_dos.rb +64 -0
data/lib/brakeman/checks/check_symbol_dos_cve.rb +30 -0
data/lib/brakeman/checks/check_translate_bug.rb +45 -0
data/lib/brakeman/checks/check_unsafe_reflection.rb +51 -0
data/lib/brakeman/checks/check_unscoped_find.rb +41 -0
data/lib/brakeman/checks/check_validation_regex.rb +116 -0
data/lib/brakeman/checks/check_weak_hash.rb +151 -0
data/lib/brakeman/checks/check_without_protection.rb +80 -0
data/lib/brakeman/checks/check_xml_dos.rb +51 -0
data/lib/brakeman/checks/check_yaml_parsing.rb +121 -0
data/lib/brakeman/differ.rb +66 -0
data/lib/brakeman/file_parser.rb +50 -0
data/lib/brakeman/format/style.css +133 -0
data/lib/brakeman/options.rb +301 -0
data/lib/brakeman/parsers/rails2_erubis.rb +6 -0
data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb +48 -0
data/lib/brakeman/parsers/rails3_erubis.rb +74 -0
data/lib/brakeman/parsers/template_parser.rb +89 -0
data/lib/brakeman/processor.rb +102 -0
data/lib/brakeman/processors/alias_processor.rb +1013 -0
data/lib/brakeman/processors/base_processor.rb +277 -0
data/lib/brakeman/processors/config_processor.rb +14 -0
data/lib/brakeman/processors/controller_alias_processor.rb +273 -0
data/lib/brakeman/processors/controller_processor.rb +326 -0
data/lib/brakeman/processors/erb_template_processor.rb +80 -0
data/lib/brakeman/processors/erubis_template_processor.rb +104 -0
data/lib/brakeman/processors/gem_processor.rb +57 -0
data/lib/brakeman/processors/haml_template_processor.rb +190 -0
data/lib/brakeman/processors/lib/basic_processor.rb +37 -0
data/lib/brakeman/processors/lib/find_all_calls.rb +223 -0
data/lib/brakeman/processors/lib/find_call.rb +183 -0
data/lib/brakeman/processors/lib/find_return_value.rb +134 -0
data/lib/brakeman/processors/lib/processor_helper.rb +75 -0
data/lib/brakeman/processors/lib/rails2_config_processor.rb +145 -0
data/lib/brakeman/processors/lib/rails2_route_processor.rb +313 -0
data/lib/brakeman/processors/lib/rails3_config_processor.rb +132 -0
data/lib/brakeman/processors/lib/rails3_route_processor.rb +308 -0
data/lib/brakeman/processors/lib/render_helper.rb +181 -0
data/lib/brakeman/processors/lib/render_path.rb +107 -0
data/lib/brakeman/processors/lib/route_helper.rb +68 -0
data/lib/brakeman/processors/lib/safe_call_helper.rb +16 -0
data/lib/brakeman/processors/library_processor.rb +119 -0
data/lib/brakeman/processors/model_processor.rb +191 -0
data/lib/brakeman/processors/output_processor.rb +171 -0
data/lib/brakeman/processors/route_processor.rb +17 -0
data/lib/brakeman/processors/slim_template_processor.rb +107 -0
data/lib/brakeman/processors/template_alias_processor.rb +116 -0
data/lib/brakeman/processors/template_processor.rb +74 -0
data/lib/brakeman/report.rb +78 -0
data/lib/brakeman/report/config/remediation.yml +71 -0
data/lib/brakeman/report/ignore/config.rb +135 -0
data/lib/brakeman/report/ignore/interactive.rb +311 -0
data/lib/brakeman/report/renderer.rb +24 -0
data/lib/brakeman/report/report_base.rb +286 -0
data/lib/brakeman/report/report_codeclimate.rb +70 -0
data/lib/brakeman/report/report_csv.rb +55 -0
data/lib/brakeman/report/report_hash.rb +23 -0
data/lib/brakeman/report/report_html.rb +216 -0
data/lib/brakeman/report/report_json.rb +42 -0
data/lib/brakeman/report/report_markdown.rb +156 -0
data/lib/brakeman/report/report_table.rb +107 -0
data/lib/brakeman/report/report_tabs.rb +17 -0
data/lib/brakeman/report/templates/controller_overview.html.erb +22 -0
data/lib/brakeman/report/templates/controller_warnings.html.erb +21 -0
data/lib/brakeman/report/templates/error_overview.html.erb +29 -0
data/lib/brakeman/report/templates/header.html.erb +58 -0
data/lib/brakeman/report/templates/ignored_warnings.html.erb +25 -0
data/lib/brakeman/report/templates/model_warnings.html.erb +21 -0
data/lib/brakeman/report/templates/overview.html.erb +38 -0
data/lib/brakeman/report/templates/security_warnings.html.erb +23 -0
data/lib/brakeman/report/templates/template_overview.html.erb +21 -0
data/lib/brakeman/report/templates/view_warnings.html.erb +34 -0
data/lib/brakeman/report/templates/warning_overview.html.erb +17 -0
data/lib/brakeman/rescanner.rb +483 -0
data/lib/brakeman/scanner.rb +317 -0
data/lib/brakeman/tracker.rb +347 -0
data/lib/brakeman/tracker/collection.rb +93 -0
data/lib/brakeman/tracker/config.rb +101 -0
data/lib/brakeman/tracker/constants.rb +101 -0
data/lib/brakeman/tracker/controller.rb +161 -0
data/lib/brakeman/tracker/library.rb +17 -0
data/lib/brakeman/tracker/model.rb +90 -0
data/lib/brakeman/tracker/template.rb +33 -0
data/lib/brakeman/util.rb +481 -0
data/lib/brakeman/version.rb +3 -0
data/lib/brakeman/warning.rb +255 -0
data/lib/brakeman/warning_codes.rb +111 -0
data/lib/ruby_parser/bm_sexp.rb +610 -0
data/lib/ruby_parser/bm_sexp_processor.rb +116 -0
metadata +362 -0

@@ -0,0 +1,483 @@
+require 'brakeman/scanner'
+require 'brakeman/util'
+require 'brakeman/differ'
+#Class for rescanning changed files after an initial scan
+class Brakeman::Rescanner < Brakeman::Scanner
+ include Brakeman::Util
+  KNOWN_TEMPLATE_EXTENSIONS = Brakeman::TemplateParser::KNOWN_TEMPLATE_EXTENSIONS
+  SCAN_ORDER = [:config, :gemfile, :initializer, :lib, :routes, :template,
+    :model, :controller]
+  #Create new Rescanner to scan changed files
+  def initialize options, processor, changed_files
+    super(options, processor)
+    @paths = changed_files.map {|f| @app_tree.expand_path(f) }
+    @old_results = tracker.filtered_warnings  #Old warnings from previous scan
+    @changes = nil                 #True if files had to be rescanned
+    @reindex = Set.new
+  end
+  #Runs checks.
+  #Will rescan files if they have not already been scanned
+  def recheck
+    rescan if @changes.nil?
+    tracker.run_checks if @changes
+    Brakeman::RescanReport.new @old_results, tracker
+  end
+  #Rescans changed files
+  def rescan
+    tracker.template_cache.clear
+    paths_by_type = {}
+    SCAN_ORDER.each do |type|
+      paths_by_type[type] = []
+    end
+    @paths.each do |path|
+      type = file_type(path)
+      paths_by_type[type] << path unless type == :unknown
+    end
+    @changes = false
+    SCAN_ORDER.each do |type|
+      paths_by_type[type].each do |path|
+        Brakeman.debug "Rescanning #{path} as #{type}"
+        if rescan_file path, type
+          @changes = true
+        end
+      end
+    end
+    if @changes and not @reindex.empty?
+      tracker.reindex_call_sites @reindex
+    end
+    self
+  end
+  #Rescans a single file
+  def rescan_file path, type = nil
+    type ||= file_type path
+    unless @app_tree.path_exists?(path)
+      return rescan_deleted_file path, type
+    end
+    case type
+    when :controller
+      rescan_controller path
+    when :template
+      rescan_template path
+    when :model
+      rescan_model path
+    when :lib
+      rescan_lib path
+    when :config
+      process_config
+    when :initializer
+      rescan_initializer path
+    when :routes
+      rescan_routes
+    when :gemfile
+      if tracker.config.has_gem? :rails_xss and tracker.config.escape_html?
+        tracker.config.escape_html = false
+      end
+      process_gems
+    else
+      return false #Nothing to do, file hopefully does not need to be rescanned
+    end
+    true
+  end
+  def rescan_controller path
+    controller = tracker.reset_controller path
+    paths = controller.nil? ? [path] : controller.files
+    parse_ruby_files(paths).each do |astfile|
+      process_controller astfile
+    end
+    #Process data flow and template rendering
+    #from the controller
+    tracker.controllers.each do |name, controller|
+      if controller.files.include?(path)
+        tracker.templates.each do |template_name, template|
+          next unless template.render_path
+          if template.render_path.include_controller? name
+            tracker.reset_template template_name
+          end
+        end
+        controller.src.each do |file, src|
+          @processor.process_controller_alias controller.name, src, nil, file
+        end
+      end
+    end
+    @reindex << :templates << :controllers
+  end
+  def rescan_template path
+    return unless path.match KNOWN_TEMPLATE_EXTENSIONS and @app_tree.path_exists?(path)
+    template_name = template_path_to_name(path)
+    tracker.reset_template template_name
+    fp = Brakeman::FileParser.new(tracker, @app_tree)
+    template_parser = Brakeman::TemplateParser.new(tracker, fp)
+    template_parser.parse_template path, @app_tree.read_path(path)
+    process_template fp.file_list[:templates].first
+    @processor.process_template_alias tracker.templates[template_name]
+    rescan = Set.new
+    #Search for processed template and process it.
+    #Search for rendered versions of template and re-render (if necessary)
+    tracker.templates.each do |name, template|
+      if template.file == path or template.file.nil?
+        next unless template.render_path and template.name.to_sym == template_name.to_sym
+        template.render_path.each do |from|
+          case from[:type]
+          when :template
+            rescan << [:template, from[:name]]
+          when :controller
+            rescan << [:controller, from[:class], from[:method]]
+          end
+        end
+      end
+    end
+    rescan.each do |r|
+      if r[0] == :controller
+        controller = tracker.controllers[r[1]]
+        controller.src.each do |file, src|
+          unless @paths.include? file
+            @processor.process_controller_alias controller.name, src, r[2], file
+          end
+        end
+      elsif r[0] == :template
+        template = tracker.templates[r[1]]
+        rescan_template template.file
+      end
+    end
+    @reindex << :templates
+  end
+  def rescan_model path
+    num_models = tracker.models.length
+    model = tracker.reset_model path
+    paths = model.nil? ? [path] : model.files
+    parse_ruby_files(paths).each do |astfile|
+      process_model astfile.path, astfile.ast
+    end
+    #Only need to rescan other things if a model is added or removed
+    if num_models != tracker.models.length
+      process_template_data_flows
+      process_controller_data_flows
+      @reindex << :templates << :controllers
+    end
+    @reindex << :models
+  end
+  def rescan_lib path
+    lib = tracker.reset_lib path
+    paths = lib.nil? ? [path] : lib.files
+    parse_ruby_files(paths).each do |astfile|
+      process_lib astfile
+    end
+    lib = nil
+    tracker.libs.each do |name, library|
+      if library.files.include?(path)
+        lib = library
+        break
+      end
+    end
+    rescan_mixin lib if lib
+  end
+  def rescan_routes
+    # Routes affect which controller methods are treated as actions
+    # which affects which templates are rendered, so routes, controllers,
+    # and templates rendered from controllers must be rescanned
+    tracker.reset_routes
+    tracker.reset_templates :only_rendered => true
+    process_routes
+    process_controller_data_flows
+    @reindex << :controllers << :templates
+  end
+  def rescan_initializer path
+    parse_ruby_files([path]).each do |astfile|
+      process_initializer astfile
+    end
+  end
+  #Handle rescanning when a file is deleted
+  def rescan_deleted_file path, type
+    case type
+    when :controller
+      rescan_controller path
+    when :template
+      rescan_deleted_template path
+    when :model
+      rescan_model path
+    when :lib
+      rescan_deleted_lib path
+    when :initializer
+      rescan_deleted_initializer path
+    else
+      if remove_deleted_file path
+        return true
+      else
+        Brakeman.notify "Ignoring deleted file: #{path}"
+      end
+    end
+    true
+  end
+  def rescan_deleted_template path
+    return unless path.match KNOWN_TEMPLATE_EXTENSIONS
+    template_name = template_path_to_name(path)
+    #Remove template
+    tracker.reset_template template_name
+    rendered_from_controller = /^#{template_name}\.(.+Controller)#(.+)/
+    rendered_from_view = /^#{template_name}\.Template:(.+)/
+    #Remove any rendered versions, or partials rendered from it
+    tracker.templates.delete_if do |name, template|
+      template.file == path or template.name.to_sym == template_name.to_sym
+    end
+  end
+  def rescan_deleted_lib path
+    deleted_lib = nil
+    tracker.libs.delete_if do |name, lib|
+      if lib.files.include?(path)
+        deleted_lib = lib
+        true
+      end
+    end
+    rescan_mixin deleted_lib if deleted_lib
+  end
+  def rescan_deleted_initializer path
+    tracker.initializers.delete Pathname.new(path).basename.to_s
+  end
+  #Check controllers, templates, models and libs for data from file
+  #and delete it.
+  def remove_deleted_file path
+    deleted = false
+    [:controllers, :models, :libs].each do |collection|
+      tracker.send(collection).delete_if do |name, data|
+        if data.files.include?(path)
+          deleted = true
+          true
+        end
+      end
+    end
+    tracker.templates.delete_if do |name, data|
+      if data.file == path
+        deleted = true
+        true
+      end
+    end
+    deleted
+  end
+  #Guess at what kind of file the path contains
+  def file_type path
+    case path
+    when /\/app\/controllers/
+      :controller
+    when /\/app\/views/
+      :template
+    when /\/app\/models/
+      :model
+    when /\/lib/
+      :lib
+    when /\/config\/initializers/
+      :initializer
+    when /config\/routes\.rb/
+      :routes
+    when /\/config\/.+\.(rb|yml)/
+      :config
+    when /Gemfile|gems\./
+      :gemfile
+    else
+      :unknown
+    end
+  end
+  def rescan_mixin lib
+    method_names = []
+    lib.each_method do |name, meth|
+      method_names << name
+    end
+    to_rescan = []
+    #Rescan controllers that mixed in library
+    tracker.controllers.each do |name, controller|
+      if controller.includes.include? lib.name
+        controller.files.each do |path|
+          unless @paths.include? path
+            to_rescan << path
+          end
+        end
+      end
+    end
+    to_rescan.each do |controller|
+      tracker.reset_controller controller
+      rescan_file controller
+    end
+    to_rescan = []
+    #Check if a method from this mixin was used to render a template.
+    #This is not precise, because a different controller might have the
+    #same method...
+    tracker.templates.each do |name, template|
+      next unless template.render_path
+      if template.render_path.include_any_method? method_names
+        name.to_s.match /^([^.]+)/
+        original = tracker.templates[$1.to_sym]
+        if original
+          to_rescan << [name, original.file]
+        end
+      end
+    end
+    to_rescan.each do |template|
+      tracker.reset_template template[0]
+      rescan_file template[1]
+    end
+  end
+  def parse_ruby_files list
+    paths = list.select { |path| @app_tree.path_exists? path }
+    file_parser = Brakeman::FileParser.new(tracker, @app_tree)
+    file_parser.parse_files paths, :rescan
+    file_parser.file_list[:rescan]
+  end
+end
+#Class to make reporting of rescan results simpler to deal with
+class Brakeman::RescanReport
+  include Brakeman::Util
+  attr_reader :old_results, :new_results
+  def initialize old_results, tracker
+    @tracker = tracker
+    @old_results = old_results
+    @all_warnings = nil
+    @diff = nil
+  end
+  #Returns true if any warnings were found (new or old)
+  def any_warnings?
+    not all_warnings.empty?
+  end
+  #Returns an array of all warnings found
+  def all_warnings
+    @all_warnings ||= @tracker.filtered_warnings
+  end
+  #Returns an array of warnings which were in the old report but are not in the
+  #new report after rescanning
+  def fixed_warnings
+    diff[:fixed]
+  end
+  #Returns an array of warnings which were in the new report but were not in
+  #the old report
+  def new_warnings
+    diff[:new]
+  end
+  #Returns true if there are any new or fixed warnings
+  def warnings_changed?
+    not (diff[:new].empty? and diff[:fixed].empty?)
+  end
+  #Returns a hash of arrays for :new and :fixed warnings
+  def diff
+    @diff ||= Brakeman::Differ.new(all_warnings, @old_results).diff
+  end
+  #Returns an array of warnings which were in the old report and the new report
+  def existing_warnings
+    @old ||= all_warnings.select do |w|
+      not new_warnings.include? w
+    end
+  end
+  #Output total, fixed, and new warnings
+  def to_s(verbose = false)
+    Brakeman.load_brakeman_dependency 'terminal-table'
+    if !verbose
+      <<-OUTPUT
+Total warnings: #{all_warnings.length}
+Fixed warnings: #{fixed_warnings.length}
+New warnings: #{new_warnings.length}
+      OUTPUT
+    else
+      #Eventually move this to different method, or make default to_s
+      out = ""
+      {:fixed => fixed_warnings, :new => new_warnings, :existing => existing_warnings}.each do |warning_type, warnings|
+        if warnings.length > 0
+          out << "#{warning_type.to_s.titleize} warnings: #{warnings.length}\n"
+          table = Terminal::Table.new(:headings => ["Confidence", "Class", "Method", "Warning Type", "Message"]) do |t|
+            warnings.sort_by { |w| w.confidence}.each do |warning|
+              w = warning.to_row
+              w["Confidence"] = Brakeman::Report::TEXT_CONFIDENCE[w["Confidence"]]
+              t << [w["Confidence"], w["Class"], w["Method"], w["Warning Type"], w["Message"]]
+            end
+          end
+          out << truncate_table(table.to_s)
+        end
+      end
+      out
+    end
+  end
+end