RubyGems - brakeman-min - Versions diffs - 0.5.2 → 2.1.0 - Mend

brakeman-min 0.5.2 → 2.1.0

Files changed (152) hide show

data/CHANGES +529 -0
data/README.md +74 -28
data/bin/brakeman +60 -266
data/lib/brakeman.rb +422 -0
data/lib/brakeman/app_tree.rb +101 -0
data/lib/brakeman/brakeman.rake +10 -0
data/lib/brakeman/call_index.rb +215 -0
data/lib/brakeman/checks.rb +180 -0
data/lib/brakeman/checks/base_check.rb +538 -0
data/lib/brakeman/checks/check_basic_auth.rb +89 -0
data/lib/brakeman/checks/check_content_tag.rb +162 -0
data/lib/brakeman/checks/check_cross_site_scripting.rb +334 -0
data/lib/{checks → brakeman/checks}/check_default_routes.rb +13 -6
data/lib/brakeman/checks/check_deserialize.rb +57 -0
data/lib/brakeman/checks/check_digest_dos.rb +38 -0
data/lib/brakeman/checks/check_escape_function.rb +21 -0
data/lib/brakeman/checks/check_evaluation.rb +33 -0
data/lib/brakeman/checks/check_execute.rb +98 -0
data/lib/brakeman/checks/check_file_access.rb +62 -0
data/lib/brakeman/checks/check_filter_skipping.rb +31 -0
data/lib/brakeman/checks/check_forgery_setting.rb +54 -0
data/lib/brakeman/checks/check_jruby_xml.rb +38 -0
data/lib/brakeman/checks/check_json_parsing.rb +102 -0
data/lib/brakeman/checks/check_link_to.rb +132 -0
data/lib/brakeman/checks/check_link_to_href.rb +92 -0
data/lib/{checks → brakeman/checks}/check_mail_to.rb +14 -13
data/lib/brakeman/checks/check_mass_assignment.rb +143 -0
data/lib/brakeman/checks/check_model_attr_accessible.rb +48 -0
data/lib/brakeman/checks/check_model_attributes.rb +118 -0
data/lib/brakeman/checks/check_model_serialize.rb +66 -0
data/lib/{checks → brakeman/checks}/check_nested_attributes.rb +10 -6
data/lib/brakeman/checks/check_quote_table_name.rb +40 -0
data/lib/brakeman/checks/check_redirect.rb +177 -0
data/lib/brakeman/checks/check_render.rb +62 -0
data/lib/brakeman/checks/check_response_splitting.rb +21 -0
data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +31 -0
data/lib/brakeman/checks/check_sanitize_methods.rb +54 -0
data/lib/brakeman/checks/check_select_tag.rb +60 -0
data/lib/brakeman/checks/check_select_vulnerability.rb +58 -0
data/lib/brakeman/checks/check_send.rb +35 -0
data/lib/brakeman/checks/check_send_file.rb +19 -0
data/lib/brakeman/checks/check_session_settings.rb +145 -0
data/lib/brakeman/checks/check_single_quotes.rb +101 -0
data/lib/brakeman/checks/check_skip_before_filter.rb +62 -0
data/lib/brakeman/checks/check_sql.rb +577 -0
data/lib/brakeman/checks/check_strip_tags.rb +64 -0
data/lib/brakeman/checks/check_symbol_dos.rb +67 -0
data/lib/brakeman/checks/check_translate_bug.rb +45 -0
data/lib/brakeman/checks/check_unsafe_reflection.rb +51 -0
data/lib/brakeman/checks/check_validation_regex.rb +88 -0
data/lib/brakeman/checks/check_without_protection.rb +64 -0
data/lib/brakeman/checks/check_yaml_parsing.rb +121 -0
data/lib/brakeman/differ.rb +66 -0
data/lib/{format → brakeman/format}/style.css +28 -0
data/lib/brakeman/options.rb +256 -0
data/lib/brakeman/parsers/rails2_erubis.rb +6 -0
data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb +48 -0
data/lib/{scanner_erubis.rb → brakeman/parsers/rails3_erubis.rb} +8 -21
data/lib/brakeman/processor.rb +102 -0
data/lib/brakeman/processors/alias_processor.rb +780 -0
data/lib/{processors → brakeman/processors}/base_processor.rb +90 -74
data/lib/brakeman/processors/config_processor.rb +14 -0
data/lib/brakeman/processors/controller_alias_processor.rb +334 -0
data/lib/brakeman/processors/controller_processor.rb +265 -0
data/lib/{processors → brakeman/processors}/erb_template_processor.rb +21 -19
data/lib/brakeman/processors/erubis_template_processor.rb +96 -0
data/lib/brakeman/processors/gem_processor.rb +59 -0
data/lib/{processors → brakeman/processors}/haml_template_processor.rb +26 -21
data/lib/brakeman/processors/lib/find_all_calls.rb +185 -0
data/lib/{processors → brakeman/processors}/lib/find_call.rb +23 -28
data/lib/brakeman/processors/lib/find_return_value.rb +134 -0
data/lib/brakeman/processors/lib/processor_helper.rb +82 -0
data/lib/{processors/config_processor.rb → brakeman/processors/lib/rails2_config_processor.rb} +32 -35
data/lib/{processors → brakeman/processors}/lib/rails2_route_processor.rb +60 -52
data/lib/brakeman/processors/lib/rails3_config_processor.rb +129 -0
data/lib/brakeman/processors/lib/rails3_route_processor.rb +282 -0
data/lib/{processors → brakeman/processors}/lib/render_helper.rb +54 -20
data/lib/brakeman/processors/lib/route_helper.rb +62 -0
data/lib/{processors → brakeman/processors}/library_processor.rb +24 -17
data/lib/{processors → brakeman/processors}/model_processor.rb +46 -22
data/lib/{processors → brakeman/processors}/output_processor.rb +34 -40
data/lib/brakeman/processors/route_processor.rb +17 -0
data/lib/brakeman/processors/slim_template_processor.rb +113 -0
data/lib/brakeman/processors/template_alias_processor.rb +120 -0
data/lib/{processors → brakeman/processors}/template_processor.rb +10 -7
data/lib/brakeman/report.rb +68 -0
data/lib/brakeman/report/ignore/config.rb +130 -0
data/lib/brakeman/report/ignore/interactive.rb +311 -0
data/lib/brakeman/report/initializers/faster_csv.rb +7 -0
data/lib/brakeman/report/initializers/multi_json.rb +29 -0
data/lib/brakeman/report/renderer.rb +24 -0
data/lib/brakeman/report/report_base.rb +279 -0
data/lib/brakeman/report/report_csv.rb +56 -0
data/lib/brakeman/report/report_hash.rb +22 -0
data/lib/brakeman/report/report_html.rb +203 -0
data/lib/brakeman/report/report_json.rb +46 -0
data/lib/brakeman/report/report_table.rb +109 -0
data/lib/brakeman/report/report_tabs.rb +17 -0
data/lib/brakeman/report/templates/controller_overview.html.erb +18 -0
data/lib/brakeman/report/templates/controller_warnings.html.erb +17 -0
data/lib/brakeman/report/templates/error_overview.html.erb +25 -0
data/lib/brakeman/report/templates/header.html.erb +44 -0
data/lib/brakeman/report/templates/ignored_warnings.html.erb +21 -0
data/lib/brakeman/report/templates/model_warnings.html.erb +17 -0
data/lib/brakeman/report/templates/overview.html.erb +34 -0
data/lib/brakeman/report/templates/security_warnings.html.erb +19 -0
data/lib/brakeman/report/templates/template_overview.html.erb +17 -0
data/lib/brakeman/report/templates/view_warnings.html.erb +30 -0
data/lib/brakeman/report/templates/warning_overview.html.erb +13 -0
data/lib/brakeman/rescanner.rb +446 -0
data/lib/brakeman/scanner.rb +362 -0
data/lib/brakeman/tracker.rb +296 -0
data/lib/brakeman/util.rb +413 -0
data/lib/brakeman/version.rb +3 -0
data/lib/brakeman/warning.rb +217 -0
data/lib/brakeman/warning_codes.rb +68 -0
data/lib/ruby_parser/bm_sexp.rb +562 -0
data/lib/ruby_parser/bm_sexp_processor.rb +230 -0
metadata +152 -66
data/lib/checks.rb +0 -71
data/lib/checks/base_check.rb +0 -357
data/lib/checks/check_cross_site_scripting.rb +0 -336
data/lib/checks/check_evaluation.rb +0 -27
data/lib/checks/check_execute.rb +0 -110
data/lib/checks/check_file_access.rb +0 -46
data/lib/checks/check_forgery_setting.rb +0 -42
data/lib/checks/check_mass_assignment.rb +0 -74
data/lib/checks/check_model_attributes.rb +0 -36
data/lib/checks/check_redirect.rb +0 -98
data/lib/checks/check_render.rb +0 -65
data/lib/checks/check_send_file.rb +0 -15
data/lib/checks/check_session_settings.rb +0 -79
data/lib/checks/check_sql.rb +0 -146
data/lib/checks/check_validation_regex.rb +0 -60
data/lib/processor.rb +0 -86
data/lib/processors/alias_processor.rb +0 -384
data/lib/processors/controller_alias_processor.rb +0 -237
data/lib/processors/controller_processor.rb +0 -202
data/lib/processors/erubis_template_processor.rb +0 -85
data/lib/processors/lib/find_model_call.rb +0 -39
data/lib/processors/lib/processor_helper.rb +0 -36
data/lib/processors/lib/rails3_route_processor.rb +0 -184
data/lib/processors/lib/route_helper.rb +0 -34
data/lib/processors/params_processor.rb +0 -77
data/lib/processors/route_processor.rb +0 -11
data/lib/processors/template_alias_processor.rb +0 -86
data/lib/report.rb +0 -680
data/lib/scanner.rb +0 -227
data/lib/tracker.rb +0 -144
data/lib/util.rb +0 -141
data/lib/version.rb +0 -1
data/lib/warning.rb +0 -99

data/lib/brakeman/processors/lib/route_helper.rb ADDED

@@ -0,0 +1,62 @@
+module Brakeman::RouteHelper
+  #Manage Controller prefixes
+  #@prefix is an Array, but this method returns a string
+  #suitable for prefixing onto a controller name.
+  def prefix
+    if @prefix.length > 0
+      @prefix.join("::") << "::"
+    else
+      ''
+    end
+  end
+  #Sets the controller name to a proper class name.
+  #For example
+  # self.current_controller = :session
+  # @controller == :SessionController #true
+  #
+  #Also prepends the prefix if there is one set.
+  def current_controller= name
+    @current_controller = (prefix + camelize(name) + "Controller").to_sym
+    @tracker.routes[@current_controller] ||= Set.new
+  end
+  #Add route to controller. If a controller is specified,
+  #the current controller will be set to that controller.
+  #If no controller is specified, uses current controller value.
+  def add_route route, controller = nil
+    if node_type? route, :str, :lit
+      route = route.value
+    end
+    route = route.to_sym
+    if controller
+      self.current_controller = controller
+    end
+    routes = @tracker.routes[@current_controller]
+    if routes and routes != :allow_all_actions
+      routes << route
+    end
+  end
+  #Add default routes
+  def add_resources_routes
+    existing_routes = @tracker.routes[@current_controller]
+    unless existing_routes.is_a? Array and existing_routes.first == :allow_all_actions
+      existing_routes.merge [:index, :new, :create, :show, :edit, :update, :destroy]
+    end
+  end
+  #Add default routes minus :index
+  def add_resource_routes
+    existing_routes = @tracker.routes[@current_controller]
+    unless existing_routes.is_a? Array and existing_routes.first == :allow_all_actions
+      existing_routes.merge [:new, :create, :show, :edit, :update, :destroy]
+    end
+  end
+end

data/lib/{processors → brakeman/processors}/library_processor.rb RENAMED

@@ -1,13 +1,13 @@
-require 'processors/base_processor'
-require 'processors/alias_processor'
+require 'brakeman/processors/base_processor'
+require 'brakeman/processors/alias_processor'
 #Process generic library and stores it in Tracker.libs
-class LibraryProcessor < BaseProcessor
+class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
   def initialize tracker
     super
     @file_name = nil
-    @alias_processor = AliasProcessor.new
+    @alias_processor = Brakeman::AliasProcessor.new tracker
   end
   def process_library src, file_name = nil
@@ -16,7 +16,7 @@ class LibraryProcessor < BaseProcessor
   end
   def process_class exp
-    name = class_name(exp[1])
+    name = class_name(exp.class_name)
     if @current_class
       outer_class = @current_class
@@ -30,8 +30,15 @@ class LibraryProcessor < BaseProcessor
     if @tracker.libs[name]
       @current_class = @tracker.libs[name]
     else
+      begin
+        parent = class_name exp.parent_name
+      rescue StandardError => e
+        Brakeman.debug e
+        parent = nil
+      end
       @current_class = { :name => name,
-                    :parent => class_name(exp[2]),
+                    :parent => parent,
                     :includes => [],
                     :public => {},
                     :private => {},
@@ -42,7 +49,7 @@ class LibraryProcessor < BaseProcessor
       @tracker.libs[name] = @current_class
     end
-    exp[3] = process exp[3]
+    exp.body = process_all! exp.body
     if outer_class
       @current_class = outer_class
@@ -54,7 +61,7 @@ class LibraryProcessor < BaseProcessor
   end
   def process_module exp
-    name = class_name(exp[1])
+    name = class_name(exp.module_name)
     if @current_module
       outer_class = @current_module
@@ -79,7 +86,7 @@ class LibraryProcessor < BaseProcessor
       @tracker.libs[name] = @current_module
     end
-    exp[2] = process exp[2]
+    exp.body = process_all! exp.body
     if outer_class
       @current_module = outer_class
@@ -91,26 +98,26 @@ class LibraryProcessor < BaseProcessor
   end
   def process_defn exp
-    exp[0] = :methdef
-    exp[3] = @alias_processor.process_safely process(exp[3]), SexpProcessor::Environment.new
+    exp = @alias_processor.process exp
+    exp.node_type = :methdef
     if @current_class
-      @current_class[:public][exp[1]] = exp[3]
+      @current_class[:public][exp.method_name] = exp
     elsif @current_module
-      @current_module[:public][exp[1]] = exp[3]
+      @current_module[:public][exp.method_name] = exp
     end
     exp
   end
   def process_defs exp
-    exp[0] = :selfdef
-    exp[4] = @alias_processor.process_safely process(exp[4]), SexpProcessor::Environment.new
+    exp = @alias_processor.process exp
+    exp.node_type = :selfdef
     if @current_class
-      @current_class[:public][exp[2]] = exp[4]
+      @current_class[:public][exp.method_name] = exp
     elsif @current_module
-      @current_module[:public][exp[3]] = exp[4]
+      @current_module[:public][exp.method_name] = exp
     end
     exp

data/lib/{processors → brakeman/processors}/model_processor.rb RENAMED

@@ -1,7 +1,10 @@
-require 'processors/base_processor'
+require 'brakeman/processors/base_processor'
 #Processes models. Puts results in tracker.models
-class ModelProcessor < BaseProcessor
+class Brakeman::ModelProcessor < Brakeman::BaseProcessor
+  ASSOCIATIONS = Set[:belongs_to, :has_one, :has_many, :has_and_belongs_to_many]
   def initialize tracker
     super
     @model = nil
@@ -16,24 +19,34 @@ class ModelProcessor < BaseProcessor
     process src
   end
-  #s(:class, NAME, PARENT, s(:scope ...))
+  #s(:class, NAME, PARENT, BODY)
   def process_class exp
+    name = class_name exp.class_name
     if @model
-      warn "[Notice] Skipping inner class: #{class_name exp[1]}" if OPTIONS[:debug]
+      Brakeman.debug "[Notice] Skipping inner class: #{name}"
       ignore
     else
-      @model = { :name => class_name(exp[1]),
-        :parent => class_name(exp[2]),
+      begin
+        parent = class_name exp.parent_name
+      rescue StandardError => e
+        Brakeman.debug e
+        parent = nil
+      end
+      @model = { :name => name,
+        :parent => parent,
         :includes => [],
         :public => {},
         :private => {},
         :protected => {},
         :options => {},
+        :associations => {},
         :file => @file_name }
       @tracker.models[@model[:name]] = @model
-      res = process exp[3]
+      exp.body = process_all! exp.body
       @model = nil
-      res
+      exp
     end
   end
@@ -41,45 +54,56 @@ class ModelProcessor < BaseProcessor
   #such as include, attr_accessible, private, etc.
   def process_call exp
     return exp unless @model
-    target = exp[1]
+    target = exp.target
     if sexp? target
       target = process target
     end
-    method = exp[2]
-    args = exp[3]
+    method = exp.method
+    first_arg = exp.first_arg
     #Methods called inside class definition
     #like attr_* and other settings
     if @current_method.nil? and target.nil?
-      if args.length == 1 #actually, empty
+      if first_arg.nil?
         case method
         when :private, :protected, :public
           @visibility = method
+        when :attr_accessible
+          @model[:attr_accessible] ||= []
         else
           #??
         end
       else
         case method
         when :include
-          @model[:includes] << class_name(args[1]) if @model
+          @model[:includes] << class_name(first_arg) if @model
         when :attr_accessible
           @model[:attr_accessible] ||= []
-          args = args[1..-1].map do |e|
-            e[1]
+          args = []
+          exp.each_arg do |e|
+            if node_type? e, :lit
+              args << e.value
+            end
           end
           @model[:attr_accessible].concat args
         else
           if @model
-            @model[:options][method] ||= []
-            @model[:options][method] << process(args)
+            if ASSOCIATIONS.include? method
+              @model[:associations][method] ||= []
+              @model[:associations][method].concat exp.args
+            else
+              @model[:options][method] ||= []
+              @model[:options][method] << exp.arglist.line(exp.line)
+            end
           end
         end
       end
       ignore
     else
-      call = Sexp.new :call, target, method, process(args)
+      call = make_call target, method, process_all!(exp.args)
       call.line(exp.line)
       call
     end
@@ -88,10 +112,10 @@ class ModelProcessor < BaseProcessor
   #Add method definition to tracker
   def process_defn exp
     return exp unless @model
-    name = exp[1]
+    name = exp.method_name
     @current_method = name
-    res = Sexp.new :methdef, name, process(exp[2]), process(exp[3][1])
+    res = Sexp.new :methdef, name, exp.formal_args, *process_all!(exp.body)
     res.line(exp.line)
     @current_method = nil
     if @model
@@ -104,7 +128,7 @@ class ModelProcessor < BaseProcessor
   #Add method definition to tracker
   def process_defs exp
     return exp unless @model
-    name = exp[2]
+    name = exp.method_name
     if exp[1].node_type == :self
       target = @model[:name]
@@ -113,7 +137,7 @@ class ModelProcessor < BaseProcessor
     end
     @current_method = name
-    res = Sexp.new :selfdef, target, name, process(exp[3]), process(exp[4][1])
+    res = Sexp.new :selfdef, target, name, exp.formal_args, *process_all!(exp.body)
     res.line(exp.line)
     @current_method = nil
     if @model

data/lib/{processors → brakeman/processors}/output_processor.rb RENAMED

@@ -1,17 +1,16 @@
-require 'rubygems'
 require 'ruby2ruby'
-require 'util'
+require 'brakeman/util'
 #Produces formatted output strings from Sexps.
 #Recommended usage is
 #
 #  OutputProcessor.new.format(Sexp.new(:str, "hello"))
-class OutputProcessor < Ruby2Ruby
-  include Util
+class Brakeman::OutputProcessor < Ruby2Ruby
+  include Brakeman::Util
   #Copies +exp+ and then formats it.
   def format exp
-    process exp.deep_clone
+    process(exp.deep_clone) || "[Format Error]"
   end
   alias process_safely format
@@ -20,37 +19,7 @@ class OutputProcessor < Ruby2Ruby
     begin
       super exp if sexp? exp and not exp.empty?
     rescue Exception => e
-      warn "While formatting #{exp}: #{e}\n#{e.backtrace.join("\n")}" if OPTIONS[:debug]
-    end
-  end
-  def process_call exp
-    if exp[0].is_a? Symbol
-      target = exp[0]
-      method = exp[1]
-      args = process exp[2]
-      out = nil
-      if method == :[]
-        if target
-          out = "#{target}[#{args}]"
-        else
-          raise Exception.new("Not sure what to do with access and no target: #{exp}")
-        end
-      else
-        if target
-          out = "#{target}.#{method}(#{args})"
-        else
-          out = "#{method}(#{args})"
-        end
-      end
-      exp.clear
-      out
-    else
-      super exp
+      Brakeman.debug "While formatting #{exp}: #{e}\n#{e.backtrace.join("\n")}"
     end
   end
@@ -129,9 +98,32 @@ class OutputProcessor < Ruby2Ruby
     out
   end
+  def process_defn exp
+    # Copied from Ruby2Ruby except without the whole
+    # "convert methods to attr_*" stuff
+    name = exp.shift
+    args = process exp.shift
+    args = "" if args == "()"
+    exp.shift if exp == s(s(:nil)) # empty it out of a default nil expression
+    body = []
+    until exp.empty? do
+      body << indent(process(exp.shift))
+    end
+    body << indent("# do nothing") if body.empty?
+    body = body.join("\n")
+    return "def #{name}#{args}\n#{body}\nend".gsub(/\n\s*\n+/, "\n")
+  end
+  alias process_methdef process_defn
   def process_call_with_block exp
     call = process exp[0]
-    block = process exp[1] if exp[1]
+    block = process_rlist exp[2..-1]
     out = "#{call} do\n #{block}\n end"
     exp.clear
     out
@@ -153,7 +145,7 @@ class OutputProcessor < Ruby2Ruby
     out
   end
-def process_escaped_output exp
+  def process_escaped_output exp
     out = if exp[0].node_type == :str
             ""
           else
@@ -203,11 +195,13 @@ def process_escaped_output exp
   end
   def process_const exp
-    if exp[0] == Tracker::UNKNOWN_MODEL
+    if exp[0] == Brakeman::Tracker::UNKNOWN_MODEL
       exp.clear
       "(Unresolved Model)"
     else
-      super exp
+      out = exp[0].to_s
+      exp.clear
+      out
     end
   end

data/lib/brakeman/processors/route_processor.rb ADDED

@@ -0,0 +1,17 @@
+require 'brakeman/processors/base_processor'
+require 'brakeman/processors/alias_processor'
+require 'brakeman/processors/lib/route_helper'
+require 'brakeman/util'
+require 'brakeman/processors/lib/rails3_route_processor.rb'
+require 'brakeman/processors/lib/rails2_route_processor.rb'
+require 'set'
+class Brakeman::RoutesProcessor
+  def self.new tracker
+    if tracker.options[:rails3]
+      Brakeman::Rails3RoutesProcessor.new tracker
+    else
+      Brakeman::Rails2RoutesProcessor.new tracker
+    end
+  end
+end