brakeman-min 0.5.2 → 2.1.0

data/lib/brakeman/scanner.rb

@@ -0,0 +1,362 @@
+require 'rubygems'
+
+begin
+  require 'ruby_parser'
+  require 'ruby_parser/bm_sexp.rb'
+  require 'ruby_parser/bm_sexp_processor.rb'
+  require 'brakeman/processor'
+  require 'brakeman/app_tree'
+rescue LoadError => e
+  $stderr.puts e.message
+  $stderr.puts "Please install the appropriate dependency."
+  exit -1
+end
+
+#Scans the Rails application.
+class Brakeman::Scanner
+  attr_reader :options
+
+  RUBY_1_9 = !!(RUBY_VERSION >= "1.9.0")
+  KNOWN_TEMPLATE_EXTENSIONS = /.*\.(erb|haml|rhtml|slim)$/
+
+  #Pass in path to the root of the Rails application
+  def initialize options, processor = nil
+    @options = options
+    @app_tree = Brakeman::AppTree.from_options(options)
+
+    if !@app_tree.root || !@app_tree.exists?("app")
+      raise Brakeman::NoApplication, "Please supply the path to a Rails application."
+    end
+
+    if @app_tree.exists?("script/rails")
+      options[:rails3] = true
+      Brakeman.notify "[Notice] Detected Rails 3 application"
+    elsif not @app_tree.exists?("script")
+      options[:rails3] = true # Probably need to do some refactoring
+      Brakeman.notify "[Notice] Detected Rails 4 application"
+    end
+
+    @ruby_parser = ::RubyParser
+    @processor = processor || Brakeman::Processor.new(@app_tree, options)
+  end
+
+  #Returns the Tracker generated from the scan
+  def tracker
+    @processor.tracked_events
+  end
+
+  #Process everything in the Rails application
+  def process
+    Brakeman.notify "Processing configuration..."
+    process_config
+    Brakeman.notify "Processing gems..."
+    process_gems
+    Brakeman.notify "Processing initializers..."
+    process_initializers
+    Brakeman.notify "Processing libs..."
+    process_libs
+    Brakeman.notify "Processing routes...          "
+    process_routes
+    Brakeman.notify "Processing templates...       "
+    process_templates
+    Brakeman.notify "Processing models...          "
+    process_models
+    Brakeman.notify "Processing controllers...     "
+    process_controllers
+    Brakeman.notify "Indexing call sites...        "
+    index_call_sites
+    tracker
+  end
+
+  #Process config/environment.rb and config/gems.rb
+  #
+  #Stores parsed information in tracker.config
+  def process_config
+    if options[:rails3]
+      process_config_file "application.rb"
+      process_config_file "environments/production.rb"
+    else
+      process_config_file "environment.rb"
+      process_config_file "gems.rb"
+    end
+
+    if @app_tree.exists?("vendor/plugins/rails_xss") or
+      options[:rails3] or options[:escape_html]
+
+      tracker.config[:escape_html] = true
+      Brakeman.notify "[Notice] Escaping HTML by default"
+    end
+  end
+
+  def process_config_file file
+    path = "config/#{file}"
+
+    if @app_tree.exists?(path)
+      @processor.process_config(parse_ruby(@app_tree.read(path)))
+    end
+
+  rescue Exception => e
+    Brakeman.notify "[Notice] Error while processing #{path}"
+    tracker.error e.exception(e.message + "\nwhile processing #{path}"), e.backtrace
+  end
+
+  private :process_config_file
+
+  #Process Gemfile
+  def process_gems
+    if @app_tree.exists? "Gemfile"
+      if @app_tree.exists? "Gemfile.lock"
+        @processor.process_gems(parse_ruby(@app_tree.read("Gemfile")), @app_tree.read("Gemfile.lock"))
+      else
+        @processor.process_gems(parse_ruby(@app_tree.read("Gemfile")))
+      end
+    end
+  rescue Exception => e
+    Brakeman.notify "[Notice] Error while processing Gemfile."
+    tracker.error e.exception(e.message + "\nWhile processing Gemfile"), e.backtrace
+  end
+
+  #Process all the .rb files in config/initializers/
+  #
+  #Adds parsed information to tracker.initializers
+  def process_initializers
+    @app_tree.initializer_paths.each do |f|
+      process_initializer f
+    end
+  end
+
+  #Process an initializer
+  def process_initializer path
+    begin
+      @processor.process_initializer(path, parse_ruby(@app_tree.read_path(path)))
+    rescue Racc::ParseError => e
+      tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
+    rescue Exception => e
+      tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
+    end
+  end
+
+  #Process all .rb in lib/
+  #
+  #Adds parsed information to tracker.libs.
+  def process_libs
+    if options[:skip_libs]
+      Brakeman.notify '[Skipping]'
+      return
+    end
+
+    total = @app_tree.lib_paths.length
+    current = 0
+
+    @app_tree.lib_paths.each do |f|
+      Brakeman.debug "Processing #{f}"
+      report_progress(current, total)
+      current += 1
+      process_lib f
+    end
+  end
+
+  #Process a library
+  def process_lib path
+    begin
+      @processor.process_lib parse_ruby(@app_tree.read_path(path)), path
+    rescue Racc::ParseError => e
+      tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
+    rescue Exception => e
+      tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
+    end
+  end
+
+  #Process config/routes.rb
+  #
+  #Adds parsed information to tracker.routes
+  def process_routes
+    if @app_tree.exists?("config/routes.rb")
+      begin
+        @processor.process_routes parse_ruby(@app_tree.read("config/routes.rb"))
+      rescue Exception => e
+        tracker.error e.exception(e.message + "\nWhile processing routes.rb"), e.backtrace
+        Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
+        options[:assume_all_routes] = true
+      end
+    else
+      Brakeman.notify "[Notice] No route information found"
+    end
+  end
+
+  #Process all .rb files in controllers/
+  #
+  #Adds processed controllers to tracker.controllers
+  def process_controllers
+    total = @app_tree.controller_paths.length
+    current = 0
+
+    @app_tree.controller_paths.each do |f|
+      Brakeman.debug "Processing #{f}"
+      report_progress(current, total)
+      current += 1
+      process_controller f
+    end
+
+    current = 0
+    total = tracker.controllers.length
+
+    Brakeman.notify "Processing data flow in controllers..."
+
+    tracker.controllers.sort_by{|name| name.to_s}.each do |name, controller|
+      Brakeman.debug "Processing #{name}"
+      report_progress(current, total, "controllers")
+      current += 1
+      @processor.process_controller_alias name, controller[:src]
+    end
+
+    #No longer need these processed filter methods
+    tracker.filter_cache.clear
+  end
+
+  def process_controller path
+    begin
+      @processor.process_controller(parse_ruby(@app_tree.read_path(path)), path)
+    rescue Racc::ParseError => e
+      tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
+    rescue Exception => e
+      tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
+    end
+  end
+
+  #Process all views and partials in views/
+  #
+  #Adds processed views to tracker.views
+  def process_templates
+    $stdout.sync = true
+
+    count = 0
+    total = @app_tree.template_paths.length
+
+    @app_tree.template_paths.each do |path|
+      Brakeman.debug "Processing #{path}"
+      report_progress(count, total)
+      count += 1
+      process_template path
+    end
+
+    total = tracker.templates.length
+    count = 0
+
+    Brakeman.notify "Processing data flow in templates..."
+
+    tracker.templates.keys.dup.sort_by{|name| name.to_s}.each do |name|
+      Brakeman.debug "Processing #{name}"
+      report_progress(count, total, "templates")
+      count += 1
+      @processor.process_template_alias tracker.templates[name]
+    end
+  end
+
+  def process_template path
+    type = path.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
+    type = :erb if type == :rhtml
+    name = template_path_to_name path
+    text = @app_tree.read_path path
+
+    begin
+      if type == :erb
+        if tracker.config[:escape_html]
+          type = :erubis
+          if options[:rails3]
+            require 'brakeman/parsers/rails3_erubis'
+            src = Brakeman::Rails3Erubis.new(text).src
+          else
+            require 'brakeman/parsers/rails2_xss_plugin_erubis'
+            src = Brakeman::Rails2XSSPluginErubis.new(text).src
+          end
+        elsif tracker.config[:erubis]
+          require 'brakeman/parsers/rails2_erubis'
+          type = :erubis
+          src = Brakeman::ScannerErubis.new(text).src
+        else
+          require 'erb'
+          src = ERB.new(text, nil, "-").src
+          src.sub!(/^#.*\n/, '') if RUBY_1_9
+        end
+
+        parsed = parse_ruby src
+      elsif type == :haml
+        Brakeman.load_dependency 'haml'
+        Brakeman.load_dependency 'sass'
+
+        src = Haml::Engine.new(text,
+                               :escape_html => !!tracker.config[:escape_html]).precompiled
+        parsed = parse_ruby src
+      elsif type == :slim
+        Brakeman.load_dependency 'slim'
+
+        src = Slim::Template.new(:disable_capture => true,
+                                 :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
+
+        parsed = parse_ruby src
+      else
+        tracker.error "Unkown template type in #{path}"
+      end
+
+      @processor.process_template(name, parsed, type, nil, path)
+
+    rescue Racc::ParseError => e
+      tracker.error e, "could not parse #{path}"
+    rescue Haml::Error => e
+      tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
+    rescue Exception => e
+      tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
+    end
+  end
+
+  #Convert path/filename to view name
+  #
+  # views/test/something.html.erb -> test/something
+  def template_path_to_name path
+    names = path.split("/")
+    names.last.gsub!(/(\.(html|js)\..*|\.rhtml)$/, '')
+    names[(names.index("views") + 1)..-1].join("/").to_sym
+  end
+
+  #Process all the .rb files in models/
+  #
+  #Adds the processed models to tracker.models
+  def process_models
+    total = @app_tree.model_paths.length
+    current = 0
+
+    @app_tree.model_paths.each do |f|
+      Brakeman.debug "Processing #{f}"
+      report_progress(current, total)
+      current += 1
+      process_model f
+    end
+  end
+
+  def process_model path
+    begin
+      @processor.process_model(parse_ruby(@app_tree.read_path(path)), path)
+    rescue Racc::ParseError => e
+      tracker.error e, "could not parse #{path}"
+    rescue Exception => e
+      tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
+    end
+  end
+
+  def report_progress(current, total, type = "files")
+    return unless @options[:report_progress]
+    $stderr.print " #{current}/#{total} #{type} processed\r"
+  end
+
+  def index_call_sites
+    tracker.index_call_sites
+  end
+
+  def parse_ruby input
+    @ruby_parser.new.parse input
+  end
+end
+
+# This is to allow operation without loading the Haml library
+module Haml; class Error < StandardError; end; end

data/lib/brakeman/tracker.rb

@@ -0,0 +1,296 @@
+require 'set'
+require 'brakeman/call_index'
+require 'brakeman/checks'
+require 'brakeman/report'
+require 'brakeman/processors/lib/find_call'
+require 'brakeman/processors/lib/find_all_calls'
+
+#The Tracker keeps track of all the processed information.
+class Brakeman::Tracker
+  attr_accessor :controllers, :templates, :models, :errors,
+    :checks, :initializers, :config, :routes, :processor, :libs,
+    :template_cache, :options, :filter_cache, :start_time, :end_time,
+    :duration, :ignored_filter
+
+  #Place holder when there should be a model, but it is not
+  #clear what model it will be.
+  UNKNOWN_MODEL = :BrakemanUnresolvedModel
+
+  #Creates a new Tracker.
+  #
+  #The Processor argument is only used by other Processors
+  #that might need to access it.
+  def initialize(app_tree, processor = nil, options = {})
+    @app_tree = app_tree
+    @processor = processor
+    @options = options
+
+    @config = { :rails => {} }
+    @templates = {}
+    @controllers = {}
+    #Initialize models with the unknown model so
+    #we can match models later without knowing precisely what
+    #class they are.
+    @models = { UNKNOWN_MODEL => { :name => UNKNOWN_MODEL,
+        :parent => nil,
+        :includes => [],
+        :public => {},
+        :private => {},
+        :protected => {},
+        :options => {} } }
+    @routes = {}
+    @initializers = {}
+    @errors = []
+    @libs = {}
+    @checks = nil
+    @processed = nil
+    @template_cache = Set.new
+    @filter_cache = {}
+    @call_index = nil
+    @start_time = Time.now
+    @end_time = nil
+    @duration = nil
+  end
+
+  #Add an error to the list. If no backtrace is given,
+  #the one from the exception will be used.
+  def error exception, backtrace = nil
+    backtrace ||= exception.backtrace
+    unless backtrace.is_a? Array
+      backtrace = [ backtrace ]
+    end
+
+    Brakeman.debug exception
+    Brakeman.debug backtrace
+
+    @errors << { :error => exception.to_s.gsub("\n", " "), :backtrace => backtrace }
+  end
+
+  #Run a set of checks on the current information. Results will be stored
+  #in Tracker#checks.
+  def run_checks
+    @checks = Brakeman::Checks.run_checks(@app_tree, self)
+
+    @end_time = Time.now
+    @duration = @end_time - @start_time
+    @checks
+  end
+
+  #Iterate over all methods in controllers and models.
+  def each_method
+    [self.controllers, self.models].each do |set|
+      set.each do |set_name, info|
+        [:private, :public, :protected].each do |visibility|
+          info[visibility].each do |method_name, definition|
+            if definition.node_type == :selfdef
+              method_name = "#{definition[1]}.#{method_name}"
+            end
+
+            yield definition, set_name, method_name, info[:file]
+
+          end
+        end
+      end
+    end
+  end
+
+  #Iterates over each template, yielding the name and the template.
+  #Prioritizes templates which have been rendered.
+  def each_template
+    if @processed.nil?
+      @processed, @rest = templates.keys.sort_by{|template| template.to_s}.partition { |k| k.to_s.include? "." }
+    end
+
+    @processed.each do |k|
+      yield k, templates[k]
+    end
+
+    @rest.each do |k|
+      yield k, templates[k]
+    end
+  end
+
+  #Find a method call.
+  #
+  #Options:
+  #  * :target => target name(s)
+  #  * :method => method name(s)
+  #  * :chained => search in method chains
+  #
+  #If :target => false or :target => nil, searches for methods without a target.
+  #Targets and methods can be specified as a symbol, an array of symbols,
+  #or a regular expression.
+  #
+  #If :chained => true, matches target at head of method chain and method at end.
+  #
+  #For example:
+  #
+  #    find_call :target => User, :method => :all, :chained => true
+  #
+  #could match
+  #
+  #    User.human.active.all(...)
+  #
+  def find_call options
+    index_call_sites unless @call_index
+    @call_index.find_calls options
+  end
+
+  #Searches the initializers for a method call
+  def check_initializers target, method
+    finder = Brakeman::FindCall.new target, method, self
+
+    initializers.sort.each do |name, initializer|
+      finder.process_source initializer
+    end
+
+    finder.matches
+  end
+
+  #Returns a Report with this Tracker's information
+  def report
+    Brakeman::Report.new(@app_tree, self)
+  end
+
+  def warnings
+    self.checks.all_warnings
+  end
+
+  def index_call_sites
+    finder = Brakeman::FindAllCalls.new self
+
+    self.each_method do |definition, set_name, method_name, file|
+      finder.process_source definition, :class => set_name, :method => method_name, :file => file
+    end
+
+    self.each_template do |name, template|
+      finder.process_source template[:src], :template => template, :file => template[:file]
+    end
+
+    @call_index = Brakeman::CallIndex.new finder.calls
+  end
+
+  #Reindex call sites
+  #
+  #Takes a set of symbols which can include :templates, :models,
+  #or :controllers
+  #
+  #This will limit reindexing to the given sets
+  def reindex_call_sites locations
+    #If reindexing templates, models, and controllers, just redo
+    #everything
+    if locations.length == 3
+      return index_call_sites
+    end
+
+    if locations.include? :templates
+      @call_index.remove_template_indexes
+    end
+
+    classes_to_reindex = Set.new
+    method_sets = []
+
+    if locations.include? :models
+      classes_to_reindex.merge self.models.keys
+      method_sets << self.models
+    end
+
+    if locations.include? :controllers
+      classes_to_reindex.merge self.controllers.keys
+      method_sets << self.controllers
+    end
+
+    @call_index.remove_indexes_by_class classes_to_reindex
+
+    finder = Brakeman::FindAllCalls.new self
+
+    method_sets.each do |set|
+      set.each do |set_name, info|
+        [:private, :public, :protected].each do |visibility|
+          info[visibility].each do |method_name, definition|
+            if definition.node_type == :selfdef
+              method_name = "#{definition[1]}.#{method_name}"
+            end
+
+            finder.process_source definition, :class => set_name, :method => method_name, :file => info[:file]
+
+          end
+        end
+      end
+    end
+
+    if locations.include? :templates
+      self.each_template do |name, template|
+        finder.process_source template[:src], :template => template, :file => template[:file]
+      end
+    end
+
+    @call_index.index_calls finder.calls
+  end
+
+  #Clear information related to templates.
+  #If :only_rendered => true, will delete templates rendered from
+  #controllers (but not those rendered from other templates)
+  def reset_templates options = { :only_rendered => false }
+    if options[:only_rendered]
+      @templates.delete_if do |name, template|
+        name.to_s.include? "Controller#"
+      end
+    else
+      @templates = {}
+    end
+    @processed = nil
+    @rest = nil
+    @template_cache.clear
+  end
+
+  #Clear information related to template
+  def reset_template name
+    name = name.to_sym
+    @templates.delete name
+    @processed = nil
+    @rest = nil
+    @template_cache.clear
+  end
+
+  #Clear information related to model
+  def reset_model path
+    model_name = nil
+
+    @models.each do |name, model|
+      if model[:file] == path
+        model_name = name
+        break
+      end
+    end
+
+    @models.delete model_name
+  end
+
+  def reset_controller path
+    #Remove from controller
+    @controllers.delete_if do |name, controller|
+      if controller[:file] == path
+        template_matcher = /^#{name}#/
+
+        #Remove templates rendered from this controller
+        @templates.each do |template_name, template|
+          if template[:caller] and not template[:caller].grep(template_matcher).empty?
+            reset_template template_name
+            @call_index.remove_template_indexes template_name
+          end
+        end
+
+        #Remove calls indexed from this controller
+        @call_index.remove_indexes_by_class [name]
+
+        true
+      end
+    end
+  end
+
+  #Clear information about routes
+  def reset_routes
+    @routes = {}
+  end
+end