brakeman-min 0.2.0

Files changed (51) hide show
  1. data/FEATURES +16 -0
  2. data/README.md +118 -0
  3. data/WARNING_TYPES +69 -0
  4. data/bin/brakeman +269 -0
  5. data/lib/checks.rb +67 -0
  6. data/lib/checks/base_check.rb +353 -0
  7. data/lib/checks/check_cross_site_scripting.rb +324 -0
  8. data/lib/checks/check_default_routes.rb +29 -0
  9. data/lib/checks/check_evaluation.rb +27 -0
  10. data/lib/checks/check_execute.rb +110 -0
  11. data/lib/checks/check_file_access.rb +46 -0
  12. data/lib/checks/check_forgery_setting.rb +42 -0
  13. data/lib/checks/check_mail_to.rb +48 -0
  14. data/lib/checks/check_mass_assignment.rb +72 -0
  15. data/lib/checks/check_model_attributes.rb +36 -0
  16. data/lib/checks/check_nested_attributes.rb +34 -0
  17. data/lib/checks/check_redirect.rb +98 -0
  18. data/lib/checks/check_render.rb +65 -0
  19. data/lib/checks/check_send_file.rb +15 -0
  20. data/lib/checks/check_session_settings.rb +36 -0
  21. data/lib/checks/check_sql.rb +124 -0
  22. data/lib/checks/check_validation_regex.rb +60 -0
  23. data/lib/format/style.css +105 -0
  24. data/lib/processor.rb +83 -0
  25. data/lib/processors/alias_processor.rb +384 -0
  26. data/lib/processors/base_processor.rb +237 -0
  27. data/lib/processors/config_processor.rb +146 -0
  28. data/lib/processors/controller_alias_processor.rb +237 -0
  29. data/lib/processors/controller_processor.rb +202 -0
  30. data/lib/processors/erb_template_processor.rb +84 -0
  31. data/lib/processors/erubis_template_processor.rb +62 -0
  32. data/lib/processors/haml_template_processor.rb +131 -0
  33. data/lib/processors/lib/find_call.rb +176 -0
  34. data/lib/processors/lib/find_model_call.rb +39 -0
  35. data/lib/processors/lib/processor_helper.rb +36 -0
  36. data/lib/processors/lib/render_helper.rb +137 -0
  37. data/lib/processors/library_processor.rb +118 -0
  38. data/lib/processors/model_processor.rb +125 -0
  39. data/lib/processors/output_processor.rb +233 -0
  40. data/lib/processors/params_processor.rb +77 -0
  41. data/lib/processors/route_processor.rb +338 -0
  42. data/lib/processors/template_alias_processor.rb +86 -0
  43. data/lib/processors/template_processor.rb +55 -0
  44. data/lib/report.rb +651 -0
  45. data/lib/scanner.rb +215 -0
  46. data/lib/scanner_erubis.rb +43 -0
  47. data/lib/tracker.rb +144 -0
  48. data/lib/util.rb +141 -0
  49. data/lib/version.rb +1 -0
  50. data/lib/warning.rb +97 -0
  51. metadata +141 -0
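--- a/data/lib/version.rb
+++ b/data/lib/version.rb
@@ -0,0 +1 @@
+Version = "0.2.0"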
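--- a/data/lib/warning.rb
+++ b/data/lib/warning.rb
@@ -0,0 +1,97 @@
+#The Warning class stores information about warnings
+class Warning
+attr_reader :called_from, :check, :class, :code, :confidence, :controller, :file, :line,
+:message, :method, :model, :template, :warning_set, :warning_type
+
+#+options[:result]+ can be a result Sexp from FindCall. Otherwise, it can be +nil+.
+def initialize options = {}
+@view_name = nil
+
+[:called_from, :check, :class, :code, :confidence, :controller, :file, :line,
+:message, :method, :model, :template, :warning_set, :warning_type].each do |option|
+
+self.instance_variable_set("@#{option}", options[option])
+end
+
+result = options[:result]
+if result
+if result.length == 3 #template result
+@template ||= result[1]
+@code ||= result[2]
+else
+@class ||= result[1]
+@method ||= result[2]
+@code ||= result[3]
+end
+end
+
+if @code and not @line and @code.respond_to? :line
+@line = @code.line
+end
+
+unless @warning_set
+if self.model
+@warning_set = :model
+elsif self.template
+@warning_set = :template
+@called_from = self.template[:caller]
+elsif self.controller
+@warning_set = :controller
+else
+@warning_set = :warning
+end
+end
+end
+
+#Returns name of a view, including where it was rendered from
+def view_name
+return @view_name if @view_name
+if called_from
+@view_name = "#{template[:name]} (#{called_from})"
+else
+@view_name = template[:name]
+end
+end
+
+#Return String of the code output from the OutputProcessor and
+#stripped of newlines
+def format_code
+OutputProcessor.new.format(self.code).gsub(/(\r|\n)+/, " ")
+end
+
+#Return formatted warning message
+def format_message
+message = self.message
+
+if self.line
+message << " near line #{self.line}"
+end
+
+if self.code
+message << ": #{format_code}"
+end
+
+message
+end
+
+#Generates a hash suitable for inserting into a Ruport table
+def to_row type = :warning
+row = { "Confidence" => self.confidence,
+"Warning Type" => self.warning_type.to_s,
+"Message" => self.format_message }
+
+case type
+when :template
+row["Template"] = self.view_name.to_s
+when :model
+row["Model"] = self.model.to_s
+when :controller
+row["Controller"] = self.controller.to_s
+when :warning
+row["Class"] = self.class.to_s
+row["Method"] = self.method.to_s
+end
+
+row
+end
+end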
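Review bot: `format_message` appends to the very string object returned by `self.message` (`message << " near line #{self.line}"`), so it mutates `@message` in place and every further call — `to_row` invokes it on each row build — returns a message with the line and code suffix duplicated; start from a copy instead, `message = self.message.dup`. The `attr_reader :class, :method` declarations shadow `Object#class` and `Object#method` on every Warning instance, which is what `to_row`'s `self.class.to_s` relies on but will surprise any other code (or a debugger) that asks a warning for its class; exposing them as `klass`/`method_name` readers would avoid that. `format_message` also embeds `format_code` output, i.e. source text from the scanned application, into the message; whether the report writer escapes that text for HTML output is not visible in this diff and is worth confirming.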
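--- a/metadata
+++ b/metadata
@@ -0,0 +1,141 @@
+--- !ruby/object:Gem::Specification
+name: brakeman-min
+version: !ruby/object:Gem::Version
+prerelease: false
+segments:
+- 0
+- 2
+- 0
+version: 0.2.0
+platform: ruby
+authors:
+- Justin Collins
+autorequire:
+bindir: bin
+cert_chain: []
+
+date: 2011-02-18 00:00:00 -08:00
+default_executable:
+dependencies:
+- !ruby/object:Gem::Dependency
+name: activesupport
+prerelease: false
+requirement: &id001 !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+segments:
+- 2
+- 2
+version: "2.2"
+type: :runtime
+version_requirements: *id001
+- !ruby/object:Gem::Dependency
+name: ruby2ruby
+prerelease: false
+requirement: &id002 !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+segments:
+- 1
+- 2
+- 4
+version: 1.2.4
+type: :runtime
+version_requirements: *id002
+description: " Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.\n This gem only supports tab output to minimize dependencies. It does not include erubis or haml in its dependencies.\n To use either of these, please install the required gems manually.\n"
+email:
+executables:
+- brakeman
+extensions: []
+
+extra_rdoc_files: []
+
+files:
+- bin/brakeman
+- WARNING_TYPES
+- FEATURES
+- README.md
+- lib/processors/base_processor.rb
+- lib/processors/alias_processor.rb
+- lib/processors/haml_template_processor.rb
+- lib/processors/output_processor.rb
+- lib/processors/params_processor.rb
+- lib/processors/erubis_template_processor.rb
+- lib/processors/controller_alias_processor.rb
+- lib/processors/lib/processor_helper.rb
+- lib/processors/lib/render_helper.rb
+- lib/processors/lib/find_model_call.rb
+- lib/processors/lib/find_call.rb
+- lib/processors/route_processor.rb
+- lib/processors/model_processor.rb
+- lib/processors/erb_template_processor.rb
+- lib/processors/template_alias_processor.rb
+- lib/processors/config_processor.rb
+- lib/processors/template_processor.rb
+- lib/processors/controller_processor.rb
+- lib/processors/library_processor.rb
+- lib/report.rb
+- lib/util.rb
+- lib/checks/check_send_file.rb
+- lib/checks/check_default_routes.rb
+- lib/checks/check_render.rb
+- lib/checks/check_execute.rb
+- lib/checks/check_mass_assignment.rb
+- lib/checks/check_sql.rb
+- lib/checks/check_mail_to.rb
+- lib/checks/check_validation_regex.rb
+- lib/checks/check_cross_site_scripting.rb
+- lib/checks/check_redirect.rb
+- lib/checks/check_session_settings.rb
+- lib/checks/check_forgery_setting.rb
+- lib/checks/base_check.rb
+- lib/checks/check_model_attributes.rb
+- lib/checks/check_nested_attributes.rb
+- lib/checks/check_evaluation.rb
+- lib/checks/check_file_access.rb
+- lib/processor.rb
+- lib/scanner.rb
+- lib/tracker.rb
+- lib/checks.rb
+- lib/version.rb
+- lib/warning.rb
+- lib/scanner_erubis.rb
+- lib/format/style.css
+has_rdoc: true
+homepage: http://github.com/presidentbeef/brakeman
+licenses: []
+
+post_install_message:
+rdoc_options: []
+
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+segments:
+- 0
+version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+segments:
+- 0
+version: "0"
+requirements: []
+
+rubyforge_project:
+rubygems_version: 1.3.7
+signing_key:
+specification_version: 3
+summary: Security vulnerability scanner for Ruby on Rails.
+test_files: []
+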