brakeman-min 0.5.2 → 2.1.0

data/lib/brakeman/differ.rb

@@ -0,0 +1,66 @@
+# extracting the diff logic to it's own class for consistency. Currently handles
+# an array of Brakeman::Warnings or plain hash representations.  
+class Brakeman::Differ
+  DEFAULT_HASH = {:new => [], :fixed => []}
+  OLD_WARNING_KEYS = [:warning_type, :location, :code, :message, :file, :link, :confidence, :user_input]
+  attr_reader :old_warnings, :new_warnings
+
+  def initialize new_warnings, old_warnings
+    @new_warnings = new_warnings
+    @old_warnings = old_warnings
+  end
+
+  def diff
+    # get the type of elements
+    return DEFAULT_HASH if @new_warnings.empty?
+
+    warnings = {}
+    warnings[:new] = @new_warnings - @old_warnings
+    warnings[:fixed] = @old_warnings - @new_warnings
+
+    second_pass(warnings)
+  end
+
+  # second pass to cleanup any vulns which have changed in line number only.
+  # Given a list of new warnings, delete pairs of new/fixed vulns that differ
+  # only by line number.
+  # Horrible O(n^2) performance.  Keep n small :-/
+  def second_pass(warnings)
+    # keep track of the number of elements deleted because the index numbers
+    # won't update as the list is modified
+    elements_deleted_offset = 0
+
+    # dup this list since we will be deleting from it and the iterator gets confused.
+    # use _with_index for fast deletion as opposed to .reject!{|obj| obj == *_warning}
+    warnings[:new].dup.each_with_index do |new_warning, new_warning_id|
+      warnings[:fixed].each_with_index do |fixed_warning, fixed_warning_id|
+        if eql_except_line_number new_warning, fixed_warning
+          warnings[:new].delete_at(new_warning_id - elements_deleted_offset)
+          elements_deleted_offset += 1
+          warnings[:fixed].delete_at(fixed_warning_id)
+          break
+        end
+      end
+    end
+
+    warnings
+  end
+
+  def eql_except_line_number new_warning, fixed_warning
+    # can't do this ahead of time, as callers may be expecting a Brakeman::Warning
+    if new_warning.is_a? Brakeman::Warning 
+      new_warning = new_warning.to_hash
+      fixed_warning = fixed_warning.to_hash
+    end
+
+    if new_warning[:fingerprint] and fixed_warning[:fingerprint]
+      new_warning[:fingerprint] == fixed_warning[:fingerprint]
+    else
+     OLD_WARNING_KEYS.each do |attr|
+        return false if new_warning[attr] != fixed_warning[attr]
+      end
+
+      true
+    end
+  end
+end

data/lib/{format → brakeman/format}/style.css

@@ -5,6 +5,10 @@ body {
   color: #161616;
 }
 
+a {
+  color: #161616;
+}
+
 p {
   font-weight: bold;
   font-size: 11pt;
@@ -60,6 +64,11 @@ p {
    background-color: white;
  }
 
+ table caption {
+   background-color: #FFE;
+   padding: 2px;
+ }
+
  table.context {
    margin-top: 5px;
    margin-bottom: 5px;
@@ -103,3 +112,22 @@ p {
  pre.context {
    margin-bottom: 1px;
  }
+
+ .user_input {
+   background-color: #fcecab;
+ }
+
+ div.render_path {
+   display: none;
+   background-color: #ffe;
+   padding: 5px;
+   margin: 2px 0px 2px 0px;
+ }
+
+ div.template_name {
+   cursor: pointer;
+ }
+
+ div.template_name:hover {
+   background-color: white;
+ }

data/lib/brakeman/options.rb

@@ -0,0 +1,256 @@
+require 'optparse'
+require 'set'
+
+#Parses command line arguments for Brakeman
+module Brakeman::Options
+
+  class << self
+
+    #Parse argument array
+    def parse args
+      get_options args
+    end
+
+    #Parse arguments and remove them from the array as they are matched
+    def parse! args
+      get_options args, true
+    end
+
+    #Return hash of options and the parser
+    def get_options args, destructive = false
+      options = {}
+
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: brakeman [options] rails/root/path"
+
+        opts.on "-n", "--no-threads", "Run checks sequentially" do
+          options[:parallel_checks] = false
+        end
+
+        opts.on "--[no-]progress", "Show progress reports" do |progress|
+          options[:report_progress] = progress
+        end
+
+        opts.on "-p", "--path PATH", "Specify path to Rails application" do |path|
+          options[:app_path] = File.expand_path path
+        end
+
+        opts.on "-q", "--[no-]quiet", "Suppress informational messages" do |quiet|
+          options[:quiet] = quiet
+        end
+
+        opts.on( "-z", "--exit-on-warn", "Exit code is non-zero if warnings found") do
+          options[:exit_on_warn] = true
+        end
+
+        opts.on "-3", "--rails3", "Force Rails 3 mode" do
+          options[:rails3] = true
+        end
+
+        opts.separator ""
+        opts.separator "Scanning options:"
+
+        opts.on "-a", "--[no-]assume-routes", "Assume all controller methods are actions (default)" do |assume|
+          options[:assume_all_routes] = assume
+        end
+
+        opts.on "-e", "--escape-html", "Escape HTML by default" do
+          options[:escape_html] = true
+        end
+
+        opts.on "--faster", "Faster, but less accurate scan" do
+          options[:ignore_ifs] = true
+          options[:skip_libs] = true
+        end
+
+        opts.on "--ignore-model-output", "Consider model attributes XSS-safe" do
+          options[:ignore_model_output] = true
+        end
+
+        opts.on "--ignore-protected", "Consider models with attr_protected safe" do
+          options[:ignore_attr_protected] = true
+        end
+
+        opts.on "--interprocedural", "Process method calls to known methods" do
+          options[:interprocedural] = true
+        end
+
+        opts.on "--no-branching", "Disable flow sensitivity on conditionals" do
+          options[:ignore_ifs] = true
+        end
+
+        opts.on "--branch-limit LIMIT", Integer, "Limit depth of values in branches (-1 for no limit)" do |limit|
+          options[:branch_limit] = limit
+        end
+
+        opts.on "-r", "--report-direct", "Only report direct use of untrusted data" do |option|
+          options[:check_arguments] = !option
+        end
+
+        opts.on "-s", "--safe-methods meth1,meth2,etc", Array, "Consider the specified methods safe" do |methods|
+          options[:safe_methods] ||= Set.new
+          options[:safe_methods].merge methods.map {|e| e.to_sym }
+        end
+
+        opts.on "--url-safe-methods method1,method2,etc", Array, "Do not warn of XSS if the link_to href parameter is wrapped in a safe method" do |methods|
+          options[:url_safe_methods] ||= Set.new
+          options[:url_safe_methods].merge methods.map {|e| e.to_sym }
+        end
+
+        opts.on "--skip-files file1,file2,etc", Array, "Skip processing of these files" do |files|
+          options[:skip_files] ||= Set.new
+          options[:skip_files].merge files
+        end
+
+        opts.on "--only-files file1,file2,etc", Array, "Process only these files" do |files|
+          options[:only_files] ||= Set.new
+          options[:only_files].merge files
+        end
+
+        opts.on "--skip-libs", "Skip processing lib directory" do
+          options[:skip_libs] = true
+        end
+
+        opts.on "-t", "--test Check1,Check2,etc", Array, "Only run the specified checks" do |checks|
+          checks.each_with_index do |s, index|
+            if s[0,5] != "Check"
+              checks[index] = "Check" << s
+            end
+          end
+
+          options[:run_checks] ||= Set.new
+          options[:run_checks].merge checks
+        end
+
+        opts.on "-x", "--except Check1,Check2,etc", Array, "Skip the specified checks" do |skip|
+          skip.each do |s|
+            if s[0,5] != "Check"
+              s = "Check" << s
+            end
+
+            options[:skip_checks] ||= Set.new
+            options[:skip_checks] << s
+          end
+        end
+
+        opts.separator ""
+        opts.separator "Output options:"
+
+        opts.on "-d", "--debug", "Lots of output" do
+          options[:debug] = true
+        end
+
+        opts.on "-f",
+          "--format TYPE",
+          [:pdf, :text, :html, :csv, :tabs, :json],
+          "Specify output formats. Default is text" do |type|
+
+          type = "s" if type == :text
+          options[:output_format] = ("to_" << type.to_s).to_sym
+          end
+
+        opts.on "--css-file CSSFile", "Specify CSS to use for HTML output" do |file|
+          options[:html_style] = File.expand_path file
+        end
+
+        opts.on "-i IGNOREFILE", "--ignore-config IGNOREFILE", "Use configuration to ignore warnings" do |file|
+          options[:ignore_file] = file
+        end
+
+        opts.on "-I", "--interactive-ignore", "Interactively ignore warnings" do
+          options[:interactive_ignore] = true 
+        end
+
+        opts.on "-l", "--[no-]combine-locations", "Combine warning locations (Default)" do |combine|
+          options[:combine_locations] = combine
+        end
+
+        opts.on "--[no-]highlights", "Highlight user input in report" do |highlight|
+          options[:highlight_user_input] = highlight
+        end
+
+        opts.on "-m", "--routes", "Report controller information" do
+          options[:report_routes] = true
+        end
+
+        opts.on "--message-limit LENGTH", "Limit message length in HTML report" do |limit|
+          options[:message_limit] = limit.to_i
+        end
+
+        opts.on "-o", "--output FILE", "Specify files for output. Defaults to stdout. Multiple '-o's allowed" do |file|
+          options[:output_files] ||= []
+          options[:output_files].push(file)
+        end
+
+        opts.on "--separate-models", "Warn on each model without attr_accessible" do
+          options[:collapse_mass_assignment] = false
+        end
+
+        opts.on "--summary", "Only output summary of warnings" do
+          options[:summary_only] = true
+        end
+
+        opts.on "--absolute-paths", "Output absolute file paths in reports" do
+          options[:absolute_paths] = true
+        end
+
+        opts.on "-w",
+          "--confidence-level LEVEL",
+          ["1", "2", "3"],
+          "Set minimal confidence level (1 - 3)" do |level|
+
+          options[:min_confidence] =  3 - level.to_i
+        end
+
+        opts.on "--compare FILE", "Compare the results of a previous brakeman scan (only JSON is supported)" do |file|
+          options[:previous_results_json] = File.expand_path(file)
+        end
+
+        opts.separator ""
+        opts.separator "Configuration files:"
+
+        opts.on "-c", "--config-file FILE", "Use specified configuration file" do |file|
+          options[:config_file] = File.expand_path(file)
+        end
+
+        opts.on "-C", "--create-config [FILE]", "Output configuration file based on options" do |file|
+          if file
+            options[:create_config] = file
+          else
+            options[:create_config] = true
+          end
+        end
+
+        opts.separator ""
+
+        opts.on "-k", "--checks", "List all available vulnerability checks" do
+          options[:list_checks] = true
+        end
+
+        opts.on "--rake", "Create rake task to run Brakeman" do
+          options[:install_rake_task] = true
+        end
+
+        opts.on "-v", "--version", "Show Brakeman version" do
+          options[:show_version] = true
+        end
+
+        opts.on_tail "-h", "--help", "Display this message" do
+          options[:show_help] = true
+        end
+      end
+
+      if destructive
+        parser.parse! args
+      else
+        parser.parse args
+      end
+
+      if options[:previous_results_json] and options[:output_files]
+        options[:comparison_output_file] = options[:output_files].shift
+      end
+
+      return options, parser
+    end
+  end
+end

data/lib/brakeman/parsers/rails2_erubis.rb

@@ -0,0 +1,6 @@
+Brakeman.load_dependency 'erubis'
+
+#Erubis processor which ignores any output which is plain text.
+class Brakeman::ScannerErubis < Erubis::Eruby
+  include Erubis::NoTextEnhancer
+end

data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb

@@ -0,0 +1,48 @@
+Brakeman.load_dependency 'erubis'
+
+#This is from the rails_xss plugin for Rails 2
+class Brakeman::Rails2XSSPluginErubis < ::Erubis::Eruby
+  def add_preamble(src)
+    #src << "@output_buffer = ActiveSupport::SafeBuffer.new;"
+  end
+
+  #This is different from rails_xss - fixes some line number issues
+  def add_text(src, text)
+    if text == "\n"
+      src << "\n"
+    elsif text.include? "\n"
+      lines = text.split("\n")
+      if text.match(/\n\z/)
+        lines.each do |line|
+          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
+        end
+      else
+        lines[0..-2].each do |line|
+          src << "@output_buffer.safe_concat('" << escape_text(line) << "');\n"
+        end
+
+        src << "@output_buffer.safe_concat('" << escape_text(lines.last) << "');"
+      end
+    else
+      src << "@output_buffer.safe_concat('" << escape_text(text) << "');"
+    end
+  end
+
+  BLOCK_EXPR = /\s+(do|\{)(\s*\|[^|]*\|)?\s*\Z/
+
+  def add_expr_literal(src, code)
+    if code =~ BLOCK_EXPR
+      src << "@output_buffer.safe_concat((" << $1 << ").to_s);"
+    else
+      src << '@output_buffer << ((' << code << ').to_s);'
+    end
+  end
+
+  def add_expr_escaped(src, code)
+    src << '@output_buffer << ' << escaped_expr(code) << ';'
+  end
+
+  def add_postamble(src)
+    #src << '@output_buffer.to_s'
+  end
+end

data/lib/{scanner_erubis.rb → brakeman/parsers/rails3_erubis.rb}

@@ -1,22 +1,19 @@
-begin
-  require 'erubis'
-rescue LoadError => e
-  $stderr.puts e.message
-  $stderr.puts "Please install Erubis."
-  exit!
-end
+Brakeman.load_dependency 'erubis'
 
 #This is from Rails 3 version of the Erubis handler
-class RailsXSSErubis < ::Erubis::Eruby
+class Brakeman::Rails3Erubis < ::Erubis::Eruby
 
   def add_preamble(src)
     # src << "_buf = ActionView::SafeBuffer.new;\n"
   end
 
+  #This is different from Rails 3 - fixes some line number issues
   def add_text(src, text)
-    if text.include? "\n"
+    if text == "\n"
+      src << "\n"
+    elsif text.include? "\n"
       lines = text.split("\n")
-      if text.match /\n\z/
+      if text.match(/\n\z/)
         lines.each do |line|
           src << "@output_buffer << ('" << escape_text(line) << "'.html_safe!);\n"
         end
@@ -24,7 +21,7 @@ class RailsXSSErubis < ::Erubis::Eruby
         lines[0..-2].each do |line|
           src << "@output_buffer << ('" << escape_text(line) << "'.html_safe!);\n"
         end
-      
+
         src << "@output_buffer << ('" << escape_text(lines.last) << "'.html_safe!);"
       end
     else
@@ -63,13 +60,3 @@ class RailsXSSErubis < ::Erubis::Eruby
     # src << '_buf.to_s'
   end
 end
-
-#Erubis processor which ignores any output which is plain text.
-class ScannerErubis < Erubis::Eruby
-  include Erubis::NoTextEnhancer
-end
-
-class ErubisEscape < ScannerErubis
-  include Erubis::EscapeEnhancer
-end
-