brakeman-min 0.5.2 → 2.1.0

data/lib/checks.rb

@@ -1,71 +0,0 @@
-#Collects up results from running different checks.
-#
-#Checks can be added with +Check.add(check_class)+
-#
-#All .rb files in checks/ will be loaded.
-class Checks
-  @checks = []
-
-  attr_reader :warnings, :controller_warnings, :model_warnings, :template_warnings, :checks_run
-
-  #Add a check. This will call +_klass_.new+ when running tests
-  def self.add klass
-    @checks << klass
-  end
-
-  def self.checks
-    @checks
-  end
-
-  #No need to use this directly.
-  def initialize
-    @warnings = []
-    @template_warnings = []
-    @model_warnings = []
-    @controller_warnings = []
-    @checks_run = []
-  end
-
-  #Add Warning to list of warnings to report.
-  #Warnings are split into four different arrays
-  #for template, controller, model, and generic warnings.
-  def add_warning warning
-    case warning.warning_set
-    when :template
-      @template_warnings << warning
-    when :warning
-      @warnings << warning
-    when :controller
-      @controller_warnings << warning
-    when :model
-      @model_warnings << warning
-    else
-      raise "Unknown warning: #{warning.warning_set}"
-    end
-  end
-
-  #Run all the checks on the given Tracker.
-  #Returns a new instance of Checks with the results.
-  def self.run_checks tracker
-    checks = self.new
-    @checks.each do |c|
-      #Run or don't run check based on options
-      unless OPTIONS[:skip_checks].include? c.to_s or 
-        (OPTIONS[:run_checks] and not OPTIONS[:run_checks].include? c.to_s)
-
-        warn " - #{c}"
-        c.new(checks, tracker).run_check
-
-        #Maintain list of which checks were run
-        #mainly for reporting purposes
-        checks.checks_run << c.to_s[5..-1]
-      end
-    end
-    checks
-  end
-end
-
-#Load all files in checks/ directory
-Dir.glob("#{File.expand_path(File.dirname(__FILE__))}/checks/*.rb").sort.each do |f| 
-  require f.match(/(checks\/.*)\.rb$/)[0]
-end

data/lib/checks/base_check.rb

@@ -1,357 +0,0 @@
-require 'rubygems'
-require 'sexp_processor'
-require 'processors/output_processor'
-require 'warning'
-require 'util'
-
-#Basis of vulnerability checks.
-class BaseCheck < SexpProcessor
-  include ProcessorHelper
-  include Util
-  attr_reader :checks, :tracker
-
-  CONFIDENCE = { :high => 0, :med => 1, :low => 2 }
-
-  #Initialize Check with Checks.
-  def initialize checks, tracker
-    super()
-    @results = [] #only to check for duplicates
-    @checks = checks
-    @tracker = tracker
-    @string_interp = false
-    @current_template = @current_module = @current_class = @current_method = nil
-    self.strict = false
-    self.auto_shift_type = false
-    self.require_empty = false
-    self.default_method = :process_default
-    self.warn_on_default = false
-  end
-
-  #Add result to result list, which is used to check for duplicates
-  def add_result result, location = nil
-    location ||= (@current_template && @current_template[:name]) || @current_class || @current_module || @current_set || result[1]
-    location = location[:name] if location.is_a? Hash
-    location = location.to_sym
-
-    @results << [result.line, location, result]
-  end
-
-  #Default Sexp processing. Iterates over each value in the Sexp
-  #and processes them if they are also Sexps.
-  def process_default exp
-    type = exp.shift
-    exp.each_with_index do |e, i|
-      if sexp? e
-        process e
-      else
-        e
-      end
-    end
-
-    exp.unshift type
-  end
-
-  #Process calls and check if they include user input
-  def process_call exp
-    process exp[1] if sexp? exp[1]
-    process exp[3]
-
-    if ALL_PARAMETERS.include? exp[1] or ALL_PARAMETERS.include? exp or params? exp[1]
-      @has_user_input = :params
-    elsif exp[1] == COOKIES or exp == COOKIES or cookies? exp[1]
-      @has_user_input = :cookies
-    elsif sexp? exp[1] and model_name? exp[1][1]
-      @has_user_input = :model
-    end
-
-    exp
-  end
-
-  #Note that params are included in current expression
-  def process_params exp
-    @has_user_input = :params
-    exp
-  end
-
-  #Note that cookies are included in current expression
-  def process_cookies exp
-    @has_user_input = :cookies
-    exp
-  end
-
-  private
-
-  #Report a warning 
-  def warn options
-    @checks.add_warning Warning.new(options.merge({ :check => self.class.to_s }))
-  end 
-
-  #Run _exp_ through OutputProcessor to get a nice String.
-  def format_output exp
-    OutputProcessor.new.format(exp).gsub(/\r|\n/, "")
-  end
-
-  #Checks if the model inherits from parent,
-  def parent? tracker, model, parent
-    if model == nil
-      false
-    elsif model[:parent] == parent
-      true
-    elsif model[:parent]
-      parent? tracker, tracker.models[model[:parent]], parent
-    else
-      false
-    end
-  end
-
-  #Checks if mass assignment is disabled globally in an initializer.
-  def mass_assign_disabled? tracker
-    matches = tracker.check_initializers(:"ActiveRecord::Base", :send)
-    if matches.empty?
-      false
-    else
-      matches.each do |result|
-        if result[3][3] == Sexp.new(:arg_list, Sexp.new(:lit, :attr_accessible), Sexp.new(:nil))
-          return true
-        end
-      end
-    end
-  end
-
-  #This is to avoid reporting duplicates. Checks if the result has been
-  #reported already from the same line number.
-  def duplicate? result, location = nil
-    line = result.line
-    location ||= (@current_template && @current_template[:name]) || @current_class || @current_module || @current_set || result[1]
-
-    location = location[:name] if location.is_a? Hash
-    location = location.to_sym
-    @results.each do |r|
-      if r[0] == line and r[1] == location
-        if OPTIONS[:combine_locations]
-          return true
-        elsif r[2] == result
-          return true
-        end
-      end
-    end
-
-    false
-  end
-
-  #Ignores ignores
-  def process_ignore exp
-    exp
-  end
-
-  #Does not actually process string interpolation, but notes that it occurred.
-  def process_string_interp exp
-    @string_interp = true
-    exp
-  end
-
-  #Checks if an expression contains string interpolation.
-  def include_interp? exp
-    @string_interp = false
-    process exp
-    @string_interp
-  end
-
-  #Checks if _exp_ includes parameters or cookies, but this only works 
-  #with the base process_default.
-  def include_user_input? exp
-    @has_user_input = false
-    process exp
-    @has_user_input
-  end
-
-  #This is used to check for user input being used directly.
-  #
-  #Returns false if none is found, otherwise it returns an array
-  #where the first element is the type of user input 
-  #(either :params or :cookies) and the second element is the matching 
-  #expression
-  def has_immediate_user_input? exp
-    if params? exp
-      return :params, exp
-    elsif cookies? exp
-      return :cookies, exp
-    elsif call? exp
-      if sexp? exp[1]
-        if ALL_PARAMETERS.include? exp[1] or params? exp[1]
-          return :params, exp
-        elsif exp[1] == COOKIES
-          return :cookies, exp
-        else
-          false
-        end
-      else
-        false
-      end
-    elsif sexp? exp
-      case exp.node_type
-      when :string_interp
-        exp.each do |e|
-          if sexp? e
-            type, match = has_immediate_user_input?(e)
-            if type
-              return type, match
-            end
-          end
-        end
-        false
-      when :string_eval
-        if sexp? exp[1]
-          if exp[1].node_type == :rlist
-            exp[1].each do |e|
-              if sexp? e
-                type, match = has_immediate_user_input?(e)
-                if type
-                  return type, match
-                end
-              end
-            end
-            false
-          else
-            has_immediate_user_input? exp[1]
-          end
-        end
-      when :format
-        has_immediate_user_input? exp[1]
-      when :if
-        (sexp? exp[2] and has_immediate_user_input? exp[2]) or 
-        (sexp? exp[3] and has_immediate_user_input? exp[3])
-      else
-        false
-      end
-    end
-  end
-
-  #Checks for a model attribute at the top level of the
-  #expression.
-  def has_immediate_model? exp, out = nil
-    out = exp if out.nil?
-
-    if sexp? exp and exp.node_type == :output
-      exp = exp[1]
-    end
-
-    if call? exp
-      target = exp[1]
-      method = exp[2]
-
-      if call? target and not method.to_s[-1,1] == "?"
-        has_immediate_model? target, out
-      elsif model_name? target 
-        exp
-      else
-        false
-      end
-    elsif sexp? exp
-      case exp.node_type
-      when :string_interp
-        exp.each do |e|
-          if sexp? e and match = has_immediate_model?(e, out)
-            return match
-          end
-        end
-        false
-      when :string_eval
-        if sexp? exp[1]
-          if exp[1].node_type == :rlist
-            exp[1].each do |e|
-              if sexp? e and match = has_immediate_model?(e, out)
-                return match
-              end
-            end
-            false
-          else
-            has_immediate_model? exp[1], out
-          end
-        end
-      when :format
-        has_immediate_model? exp[1], out
-      when :if
-        ((sexp? exp[2] and has_immediate_model? exp[2], out) or 
-         (sexp? exp[3] and has_immediate_model? exp[3], out))
-      else
-        false
-      end
-    end
-  end
-
-  #Checks if +exp+ is a model name.
-  #
-  #Prior to using this method, either @tracker must be set to 
-  #the current tracker, or else @models should contain an array of the model
-  #names, which is available via tracker.models.keys
-  def model_name? exp
-    @models ||= @tracker.models.keys
-
-    if exp.is_a? Symbol
-      @models.include? exp
-    elsif sexp? exp
-      klass = nil
-      begin
-        klass = class_name exp
-      rescue StandardError
-      end
-
-      klass and @models.include? klass
-    else
-      false
-    end
-  end
-
-  #Finds entire method call chain where +target+ is a target in the chain
-  def find_chain exp, target
-    return unless sexp? exp 
-
-    case exp.node_type
-    when :output, :format
-      find_chain exp[1], target
-    when :call
-      if exp == target or include_target? exp, target
-        return exp 
-      end
-    else
-      exp.each do |e|
-        if sexp? e
-          res = find_chain e, target
-          return res if res
-        end
-      end
-      nil
-    end
-  end
-
-  #Returns true if +target+ is in +exp+
-  def include_target? exp, target
-    return false unless call? exp
-
-    exp.each do |e|
-      return true if e == target or include_target? e, target
-    end
-
-    false
-  end
-
-  #Returns true if low_version <= RAILS_VERSION <= high_version
-  #
-  #If the Rails version is unknown, returns false.
-  def version_between? low_version, high_version
-    return false unless tracker.config[:rails_version]
-
-    version = tracker.config[:rails_version].split(".").map! { |n| n.to_i }
-    low_version = low_version.split(".").map! { |n| n.to_i }
-    high_version = high_version.split(".").map! { |n| n.to_i }
-
-    version.each_with_index do |n, i|
-      if n < low_version[i] or n > high_version[i]
-        return false
-      end
-    end
-
-    return true
-  end
-end

data/lib/checks/check_cross_site_scripting.rb

@@ -1,336 +0,0 @@
-require 'checks/base_check'
-require 'processors/lib/find_call'
-require 'processors/lib/processor_helper'
-require 'util'
-require 'set'
-
-#This check looks for unescaped output in templates which contains
-#parameters or model attributes.
-#
-#For example:
-#
-# <%= User.find(:id).name %>
-# <%= params[:id] %>
-class CheckCrossSiteScripting < BaseCheck
-  Checks.add self
-
-  #Ignore these methods and their arguments.
-  #It is assumed they will take care of escaping their output.
-  IGNORE_METHODS = Set.new([:h, :escapeHTML, :link_to, :text_field_tag, :hidden_field_tag,
-                           :image_tag, :select, :submit_tag, :hidden_field, :url_encode,
-                           :radio_button, :will_paginate, :button_to, :url_for, :mail_to,
-                           :fields_for, :label, :text_area, :text_field, :hidden_field, :check_box,
-                           :field_field]) 
-
-  IGNORE_MODEL_METHODS = Set.new([:average, :count, :maximum, :minimum, :sum])
-
-  MODEL_METHODS = Set.new([:all, :find, :first, :last, :new])
-
-  IGNORE_LIKE = /^link_to_|(_path|_tag|_url)$/
-
-  HAML_HELPERS = Sexp.new(:colon2, Sexp.new(:const, :Haml), :Helpers)
-
-  XML_HELPER = Sexp.new(:colon2, Sexp.new(:const, :Erubis), :XmlHelper)
-
-  URI = Sexp.new(:const, :URI)
-
-  CGI = Sexp.new(:const, :CGI)
-
-  FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist)) 
-
-  #Run check
-  def run_check 
-    IGNORE_METHODS.merge OPTIONS[:safe_methods]
-    @models = tracker.models.keys
-    @inspect_arguments = OPTIONS[:check_arguments]
-
-    CheckLinkTo.new(checks, tracker).run_check
-
-    tracker.each_template do |name, template|
-      @current_template = template
-
-      template[:outputs].each do |out|
-        type, match = (out[0] == :output and has_immediate_user_input?(out[1]))
-        if type and not duplicate? out
-            add_result out
-            case type
-            when :params
-              message = "Unescaped parameter value"
-            when :cookies
-              message = "Unescaped cookie value"
-            else
-              message = "Unescaped user input value"
-            end
-
-            warn :template => @current_template, 
-              :warning_type => "Cross Site Scripting",
-              :message => message,
-              :line => match.line,
-              :code => match,
-              :confidence => CONFIDENCE[:high]
-
-        elsif not OPTIONS[:ignore_model_output] and match = has_immediate_model?(out[1])
-          method = match[2]
-
-          unless duplicate? out or IGNORE_MODEL_METHODS.include? method
-            add_result out
-
-            if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
-              confidence = CONFIDENCE[:high]
-            else
-              confidence = CONFIDENCE[:med]
-            end
-
-            code = find_chain out, match
-            warn :template => @current_template,
-              :warning_type => "Cross Site Scripting", 
-              :message => "Unescaped model attribute",
-              :line => code.line,
-              :code => code,
-              :confidence => confidence
-          end
-
-        else
-          @matched = false
-          @mark = false
-          process out
-        end
-      end
-    end
-  end
-
-  #Process an output Sexp
-  def process_output exp
-    process exp[1].dup
-  end
-
-  #Look for calls to raw()
-  #Otherwise, ignore
-  def process_escaped_output exp
-    if exp[1].node_type == :call and exp[1][2] == :raw
-      process_output exp
-    else
-      exp
-    end
-  end
-
-  #Check a call for user input
-  #
-  #
-  #Since we want to report an entire call and not just part of one, use @mark
-  #to mark when a call is started. Any dangerous values inside will then
-  #report the entire call chain.
-  def process_call exp
-    if @mark
-      actually_process_call exp
-    else
-      @mark = true
-      actually_process_call exp
-      message = nil
-
-      if @matched == :model and not OPTIONS[:ignore_model_output]
-        message = "Unescaped model attribute" 
-      elsif @matched == :params
-        message = "Unescaped parameter value" 
-      end
-
-      if message and not duplicate? exp
-        add_result exp
-
-        warn :template => @current_template, 
-          :warning_type => "Cross Site Scripting", 
-          :message => message,
-          :line => exp.line,
-          :code => exp,
-          :confidence => CONFIDENCE[:low]
-      end
-
-      @mark = @matched = false
-    end
-
-    exp
-  end
-
-  def actually_process_call exp
-    return if @matched
-    target = exp[1]
-    if sexp? target
-      target = process target
-    end
-
-    method = exp[2]
-    args = exp[3]
-
-    #Ignore safe items
-    if (target.nil? and (IGNORE_METHODS.include? method or method.to_s =~ IGNORE_LIKE)) or
-      (@matched == :model and IGNORE_MODEL_METHODS.include? method) or
-      (target == HAML_HELPERS and method == :html_escape) or
-      ((target == URI or target == CGI) and method == :escape) or
-      (target == XML_HELPER and method == :escape_xml) or
-      (target == FORM_BUILDER and IGNORE_METHODS.include? method) or
-      (method.to_s[-1,1] == "?")
-
-      exp[0] = :ignore
-      @matched = false
-    elsif sexp? exp[1] and model_name? exp[1][1]
-
-      @matched = :model
-    elsif @inspect_arguments and (ALL_PARAMETERS.include?(exp) or params? exp)
-      @matched = :params
-    elsif @inspect_arguments
-      process args
-    end
-  end
-
-  #Note that params have been found
-  def process_params exp
-    @matched = :params
-    exp
-  end
-
-  #Note that cookies have been found
-  def process_cookies exp
-    @matched = :cookies
-    exp
-  end
-
-  #Ignore calls to render
-  def process_render exp
-    exp
-  end
-
-  #Process as default
-  def process_string_interp exp
-    process_default exp
-  end
-
-  #Process as default
-  def process_format exp
-    process_default exp
-  end
-
-  #Ignore output HTML escaped via HAML
-  def process_format_escaped exp
-    exp
-  end
-
-  #Ignore condition in if Sexp
-  def process_if exp
-    exp[2..-1].each do |e|
-      process e if sexp? e
-    end
-    exp
-  end
-end
-
-#This _only_ checks calls to link_to
-class CheckLinkTo < CheckCrossSiteScripting
-  IGNORE_METHODS = IGNORE_METHODS - [:link_to]
-
-  def run_check
-    #Ideally, I think this should also check to see if people are setting
-    #:escape => false
-    methods = tracker.find_call [], :link_to 
-
-    @models = tracker.models.keys
-    @inspect_arguments = OPTIONS[:check_arguments]
-
-    methods.each do |call|
-      process_result call
-    end
-  end
-
-  def process_result result
-    #Have to make a copy of this, otherwise it will be changed to
-    #an ignored method call by the code above.
-    call = result[-1] = result[-1].dup
-
-    @matched = false
-
-    return if call[3][1].nil?
-
-    #Only check first argument for +link_to+, as the second
-    #will *usually* be a record or escaped.
-    first_arg = process call[3][1]
-
-    type, match = has_immediate_user_input? first_arg
-
-    if type
-      case type
-      when :params
-        message = "Unescaped parameter value in link_to"
-      when :cookies
-        message = "Unescaped cookie value in link_to"
-      else
-        message = "Unescaped user input value in link_to"
-      end
-
-      unless duplicate? result
-        add_result result
-
-        warn :result => result,
-          :warning_type => "Cross Site Scripting", 
-          :message => message,
-          :confidence => CONFIDENCE[:high]
-      end
-
-    elsif not OPTIONS[:ignore_model_output] and match = has_immediate_model?(first_arg)
-      method = match[2]
-
-      unless duplicate? result or IGNORE_MODEL_METHODS.include? method
-        add_result result
-
-        if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
-          confidence = CONFIDENCE[:high]
-        else
-          confidence = CONFIDENCE[:med]
-        end
-
-        warn :result => result,
-          :warning_type => "Cross Site Scripting", 
-          :message => "Unescaped model attribute in link_to",
-          :confidence => confidence
-      end
-
-    elsif @matched
-      if @matched == :model and not OPTIONS[:ignore_model_output]
-        message = "Unescaped model attribute in link_to"
-      elsif @matched == :params
-        message = "Unescaped parameter value in link_to"
-      end
-
-      if message and not duplicate? result
-        add_result result
-
-        warn :result => result, 
-          :warning_type => "Cross Site Scripting", 
-          :message => message,
-          :confidence => CONFIDENCE[:med]
-      end
-    end
-  end
-
-  def process_call exp
-    @mark = true
-    actually_process_call exp
-    exp
-  end
-
-
-  def actually_process_call exp
-    return if @matched
-
-    target = exp[1]
-    if sexp? target
-      target = process target.dup
-    end
-
-    #Bare records create links to the model resource,
-    #not a string that could have injection
-    if model_name? target and context == [:call, :arglist]
-      return exp
-    end
-
-    super
-  end
-end