RubyGems - brakeman-min - Versions diffs - 0.5.2 → 2.1.0 - Mend

brakeman-min 0.5.2 → 2.1.0

Files changed (152) hide show

data/CHANGES +529 -0
data/README.md +74 -28
data/bin/brakeman +60 -266
data/lib/brakeman.rb +422 -0
data/lib/brakeman/app_tree.rb +101 -0
data/lib/brakeman/brakeman.rake +10 -0
data/lib/brakeman/call_index.rb +215 -0
data/lib/brakeman/checks.rb +180 -0
data/lib/brakeman/checks/base_check.rb +538 -0
data/lib/brakeman/checks/check_basic_auth.rb +89 -0
data/lib/brakeman/checks/check_content_tag.rb +162 -0
data/lib/brakeman/checks/check_cross_site_scripting.rb +334 -0
data/lib/{checks → brakeman/checks}/check_default_routes.rb +13 -6
data/lib/brakeman/checks/check_deserialize.rb +57 -0
data/lib/brakeman/checks/check_digest_dos.rb +38 -0
data/lib/brakeman/checks/check_escape_function.rb +21 -0
data/lib/brakeman/checks/check_evaluation.rb +33 -0
data/lib/brakeman/checks/check_execute.rb +98 -0
data/lib/brakeman/checks/check_file_access.rb +62 -0
data/lib/brakeman/checks/check_filter_skipping.rb +31 -0
data/lib/brakeman/checks/check_forgery_setting.rb +54 -0
data/lib/brakeman/checks/check_jruby_xml.rb +38 -0
data/lib/brakeman/checks/check_json_parsing.rb +102 -0
data/lib/brakeman/checks/check_link_to.rb +132 -0
data/lib/brakeman/checks/check_link_to_href.rb +92 -0
data/lib/{checks → brakeman/checks}/check_mail_to.rb +14 -13
data/lib/brakeman/checks/check_mass_assignment.rb +143 -0
data/lib/brakeman/checks/check_model_attr_accessible.rb +48 -0
data/lib/brakeman/checks/check_model_attributes.rb +118 -0
data/lib/brakeman/checks/check_model_serialize.rb +66 -0
data/lib/{checks → brakeman/checks}/check_nested_attributes.rb +10 -6
data/lib/brakeman/checks/check_quote_table_name.rb +40 -0
data/lib/brakeman/checks/check_redirect.rb +177 -0
data/lib/brakeman/checks/check_render.rb +62 -0
data/lib/brakeman/checks/check_response_splitting.rb +21 -0
data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +31 -0
data/lib/brakeman/checks/check_sanitize_methods.rb +54 -0
data/lib/brakeman/checks/check_select_tag.rb +60 -0
data/lib/brakeman/checks/check_select_vulnerability.rb +58 -0
data/lib/brakeman/checks/check_send.rb +35 -0
data/lib/brakeman/checks/check_send_file.rb +19 -0
data/lib/brakeman/checks/check_session_settings.rb +145 -0
data/lib/brakeman/checks/check_single_quotes.rb +101 -0
data/lib/brakeman/checks/check_skip_before_filter.rb +62 -0
data/lib/brakeman/checks/check_sql.rb +577 -0
data/lib/brakeman/checks/check_strip_tags.rb +64 -0
data/lib/brakeman/checks/check_symbol_dos.rb +67 -0
data/lib/brakeman/checks/check_translate_bug.rb +45 -0
data/lib/brakeman/checks/check_unsafe_reflection.rb +51 -0
data/lib/brakeman/checks/check_validation_regex.rb +88 -0
data/lib/brakeman/checks/check_without_protection.rb +64 -0
data/lib/brakeman/checks/check_yaml_parsing.rb +121 -0
data/lib/brakeman/differ.rb +66 -0
data/lib/{format → brakeman/format}/style.css +28 -0
data/lib/brakeman/options.rb +256 -0
data/lib/brakeman/parsers/rails2_erubis.rb +6 -0
data/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb +48 -0
data/lib/{scanner_erubis.rb → brakeman/parsers/rails3_erubis.rb} +8 -21
data/lib/brakeman/processor.rb +102 -0
data/lib/brakeman/processors/alias_processor.rb +780 -0
data/lib/{processors → brakeman/processors}/base_processor.rb +90 -74
data/lib/brakeman/processors/config_processor.rb +14 -0
data/lib/brakeman/processors/controller_alias_processor.rb +334 -0
data/lib/brakeman/processors/controller_processor.rb +265 -0
data/lib/{processors → brakeman/processors}/erb_template_processor.rb +21 -19
data/lib/brakeman/processors/erubis_template_processor.rb +96 -0
data/lib/brakeman/processors/gem_processor.rb +59 -0
data/lib/{processors → brakeman/processors}/haml_template_processor.rb +26 -21
data/lib/brakeman/processors/lib/find_all_calls.rb +185 -0
data/lib/{processors → brakeman/processors}/lib/find_call.rb +23 -28
data/lib/brakeman/processors/lib/find_return_value.rb +134 -0
data/lib/brakeman/processors/lib/processor_helper.rb +82 -0
data/lib/{processors/config_processor.rb → brakeman/processors/lib/rails2_config_processor.rb} +32 -35
data/lib/{processors → brakeman/processors}/lib/rails2_route_processor.rb +60 -52
data/lib/brakeman/processors/lib/rails3_config_processor.rb +129 -0
data/lib/brakeman/processors/lib/rails3_route_processor.rb +282 -0
data/lib/{processors → brakeman/processors}/lib/render_helper.rb +54 -20
data/lib/brakeman/processors/lib/route_helper.rb +62 -0
data/lib/{processors → brakeman/processors}/library_processor.rb +24 -17
data/lib/{processors → brakeman/processors}/model_processor.rb +46 -22
data/lib/{processors → brakeman/processors}/output_processor.rb +34 -40
data/lib/brakeman/processors/route_processor.rb +17 -0
data/lib/brakeman/processors/slim_template_processor.rb +113 -0
data/lib/brakeman/processors/template_alias_processor.rb +120 -0
data/lib/{processors → brakeman/processors}/template_processor.rb +10 -7
data/lib/brakeman/report.rb +68 -0
data/lib/brakeman/report/ignore/config.rb +130 -0
data/lib/brakeman/report/ignore/interactive.rb +311 -0
data/lib/brakeman/report/initializers/faster_csv.rb +7 -0
data/lib/brakeman/report/initializers/multi_json.rb +29 -0
data/lib/brakeman/report/renderer.rb +24 -0
data/lib/brakeman/report/report_base.rb +279 -0
data/lib/brakeman/report/report_csv.rb +56 -0
data/lib/brakeman/report/report_hash.rb +22 -0
data/lib/brakeman/report/report_html.rb +203 -0
data/lib/brakeman/report/report_json.rb +46 -0
data/lib/brakeman/report/report_table.rb +109 -0
data/lib/brakeman/report/report_tabs.rb +17 -0
data/lib/brakeman/report/templates/controller_overview.html.erb +18 -0
data/lib/brakeman/report/templates/controller_warnings.html.erb +17 -0
data/lib/brakeman/report/templates/error_overview.html.erb +25 -0
data/lib/brakeman/report/templates/header.html.erb +44 -0
data/lib/brakeman/report/templates/ignored_warnings.html.erb +21 -0
data/lib/brakeman/report/templates/model_warnings.html.erb +17 -0
data/lib/brakeman/report/templates/overview.html.erb +34 -0
data/lib/brakeman/report/templates/security_warnings.html.erb +19 -0
data/lib/brakeman/report/templates/template_overview.html.erb +17 -0
data/lib/brakeman/report/templates/view_warnings.html.erb +30 -0
data/lib/brakeman/report/templates/warning_overview.html.erb +13 -0
data/lib/brakeman/rescanner.rb +446 -0
data/lib/brakeman/scanner.rb +362 -0
data/lib/brakeman/tracker.rb +296 -0
data/lib/brakeman/util.rb +413 -0
data/lib/brakeman/version.rb +3 -0
data/lib/brakeman/warning.rb +217 -0
data/lib/brakeman/warning_codes.rb +68 -0
data/lib/ruby_parser/bm_sexp.rb +562 -0
data/lib/ruby_parser/bm_sexp_processor.rb +230 -0
metadata +152 -66
data/lib/checks.rb +0 -71
data/lib/checks/base_check.rb +0 -357
data/lib/checks/check_cross_site_scripting.rb +0 -336
data/lib/checks/check_evaluation.rb +0 -27
data/lib/checks/check_execute.rb +0 -110
data/lib/checks/check_file_access.rb +0 -46
data/lib/checks/check_forgery_setting.rb +0 -42
data/lib/checks/check_mass_assignment.rb +0 -74
data/lib/checks/check_model_attributes.rb +0 -36
data/lib/checks/check_redirect.rb +0 -98
data/lib/checks/check_render.rb +0 -65
data/lib/checks/check_send_file.rb +0 -15
data/lib/checks/check_session_settings.rb +0 -79
data/lib/checks/check_sql.rb +0 -146
data/lib/checks/check_validation_regex.rb +0 -60
data/lib/processor.rb +0 -86
data/lib/processors/alias_processor.rb +0 -384
data/lib/processors/controller_alias_processor.rb +0 -237
data/lib/processors/controller_processor.rb +0 -202
data/lib/processors/erubis_template_processor.rb +0 -85
data/lib/processors/lib/find_model_call.rb +0 -39
data/lib/processors/lib/processor_helper.rb +0 -36
data/lib/processors/lib/rails3_route_processor.rb +0 -184
data/lib/processors/lib/route_helper.rb +0 -34
data/lib/processors/params_processor.rb +0 -77
data/lib/processors/route_processor.rb +0 -11
data/lib/processors/template_alias_processor.rb +0 -86
data/lib/report.rb +0 -680
data/lib/scanner.rb +0 -227
data/lib/tracker.rb +0 -144
data/lib/util.rb +0 -141
data/lib/version.rb +0 -1
data/lib/warning.rb +0 -99

data/lib/processors/lib/find_model_call.rb DELETED

@@ -1,39 +0,0 @@
-require 'processors/lib/find_call'
-#This processor specifically looks for calls like
-# User.active.human.find(:all, :conditions => ...)
-class FindModelCall < FindCall
-  #Passes +targets+ to FindCall
-  def initialize targets
-    super(targets, /^(find.*|first|last|all|count|sum|average|minumum|maximum|count_by_sql)$/, true)
-  end
-  #Matches entire method chain as a target. This differs from
-  #FindCall#get_target, which only matches the first expression in the chain.
-  def get_target exp
-    if sexp? exp
-      case exp.node_type
-      when :ivar, :lvar, :const
-        exp[1]
-      when :true, :false
-        exp[0]
-      when :lit
-        exp[1]
-      when :colon2
-        class_name exp
-      when :call
-        t = get_target(exp[1])
-        if t and match(@find_targets, t)
-          t
-        else
-          process exp
-        end
-      else
-        process exp
-      end
-    else
-      exp
-    end
-  end
-end

data/lib/processors/lib/processor_helper.rb DELETED

@@ -1,36 +0,0 @@
-#Contains a couple shared methods for Processors.
-module ProcessorHelper
-  #Sets the current module.
-  def process_module exp
-    @current_module = class_name(exp[1]).to_s
-    process exp[2]
-    @current_module = nil
-    exp
-  end
-  #Returns a class name as a Symbol.
-  def class_name exp
-    case exp
-    when Sexp
-      case exp.node_type
-      when :const
-        exp[1]
-      when :colon2
-        "#{class_name(exp[1])}::#{exp[2]}".to_sym
-      when :colon3
-        "::#{exp[1]}".to_sym
-      when :call
-        process exp
-      else
-        raise "Error: Cannot get class name from #{exp}"
-      end
-    when Symbol
-      exp
-    when nil
-      nil
-    else
-      raise "Error: Cannot get class name from #{exp}"
-    end
-  end
-end

data/lib/processors/lib/rails3_route_processor.rb DELETED

@@ -1,184 +0,0 @@
-#Processes the Sexp from routes.rb. Stores results in tracker.routes.
-#
-#Note that it is only interested in determining what methods on which
-#controllers are used as routes, not the generated URLs for routes.
-class RoutesProcessor < BaseProcessor
-  include RouteHelper
-  attr_reader :map, :nested, :current_controller
-  def initialize tracker
-    super
-    @map = Sexp.new(:lvar, :map)
-    @nested = nil  #used for identifying nested targets
-    @prefix = [] #Controller name prefix (a module name, usually)
-    @current_controller = nil
-    @with_options = nil #For use inside map.with_options
-  end
-  def process_routes exp
-    process exp.dup
-  end
-  def process_call exp
-    case exp[2]
-    when :resources
-      process_resources exp
-    when :resource
-      process_resource exp
-    when :root
-      process_root exp
-    when :member
-      process_default exp
-    when :get, :put, :post, :delete
-      process_verb exp
-    when :match
-      process_match exp
-    else
-      exp
-    end
-  end
-  def process_iter exp
-    case exp[1][2]
-    when :namespace
-      process_namespace exp
-    when :resource
-      process_resource_block exp
-    when :resources
-      process_resources_block exp
-    when :scope
-      process_scope_block exp
-    else
-      super
-    end
-  end
-  def process_namespace exp
-    name = exp[1][3][1][1]
-    block = exp[3]
-    @prefix << camelize(name)
-    process block
-    @prefix.pop
-    exp
-  end
-  def process_root exp
-    args = exp[3][1..-1]
-    hash_iterate args[0] do |k, v|
-      if symbol? k and k[1] == :to
-        controller, action = extract_action v[1]
-        self.current_controller = controller
-        @tracker.routes[@current_controller] << action.to_sym
-        break
-      end
-    end
-    exp
-  end
-  def process_match exp
-    args = exp[3][1..-1]
-    hash_iterate args[0] do |k, v|
-      if string? k and string? v
-        controller, action = extract_action v[1]
-        self.current_controller = controller
-        @tracker.routes[@current_controller] << action.to_sym if action
-      elsif symbol? k and k[1] == :action
-        @tracker.routes[@current_controller] << v[1].to_sym
-      end
-    end
-    exp
-  end
-  def process_verb exp
-    args = exp[3][1..-1]
-    if symbol? args[0]
-      @tracker.routes[@current_controller] << args[0][1]
-    elsif hash? args[1]
-      hash_iterate args[1] do |k, v|
-        if symbol? k and k[1] == :to and string? v
-          controller, action = extract_action v[1]
-          self.current_controller = controller
-          @tracker.routes[@current_controller] << action.to_sym
-        end
-      end
-    elsif string? args[0]
-      route = args[0][1].split "/"
-      if route.length != 2
-        @tracker.routes[@current_controller] << route[0].to_sym
-      else
-        self.current_controller = route[0]
-        @tracker.routes[@current_controller] << route[1].to_sym
-        @current_controller = nil
-      end
-    else hash? args[0]
-      hash_iterate args[0] do |k, v|
-        if string? v
-          controller, action = extract_action v[1]
-          self.current_controller = controller
-          @tracker.routes[@current_controller] << action.to_sym
-        end
-      end
-    end
-    exp
-  end
-  def process_resources exp
-    if exp[3] and exp[3][2] and exp[3][2][0] == :hash
-      #handle hash
-    elsif exp[3][1..-1].all? { |s| symbol? s }
-      exp[3][1..-1].each do |s|
-        self.current_controller = s[1]
-        add_resources_routes
-      end
-    end
-    exp
-  end
-  def process_resource exp
-    exp[3][1..-1].each do |s|
-      self.current_controller = s[1]
-      add_resource_routes
-    end
-    exp
-  end
-  def process_resources_block exp
-    process_resources exp[1]
-    process exp[3]
-    exp
-  end
-  def process_resource_block exp
-    process_resource exp[1]
-    process exp[3]
-    exp
-  end
-  def process_scope_block exp
-    #How to deal with options?
-    process exp[3]
-    exp
-  end
-  def extract_action str
-    str.split "#"
-  end
-end

data/lib/processors/lib/route_helper.rb DELETED

@@ -1,34 +0,0 @@
-module RouteHelper
-  #Manage Controller prefixes
-  #@prefix is an Array, but this method returns a string
-  #suitable for prefixing onto a controller name.
-  def prefix
-    if @prefix.length > 0
-      @prefix.join("::") << "::"
-    else
-      ''
-    end
-  end
-  #Sets the controller name to a proper class name.
-  #For example
-  # self.current_controller = :session
-  # @controller == :SessionController #true
-  #
-  #Also prepends the prefix if there is one set.
-  def current_controller= name
-    @current_controller = (prefix + camelize(name) + "Controller").to_sym
-    @tracker.routes[@current_controller] ||= Set.new
-  end
-  #Add default routes
-  def add_resources_routes
-    @tracker.routes[@current_controller].merge [:index, :new, :create, :show, :edit, :update, :destroy]
-  end
-  #Add default routes minus :index
-  def add_resource_routes
-    @tracker.routes[@current_controller].merge [:new, :create, :show, :edit, :update, :destroy]
-  end
-end

data/lib/processors/params_processor.rb DELETED

@@ -1,77 +0,0 @@
-require 'rubygems'
-require 'sexp_processor'
-require 'set'
-#Looks for request parameters. Not used currently.
-class ParamsProcessor < SexpProcessor
-  attr_reader :result
-  def initialize
-    super()
-    self.strict = false
-    self.auto_shift_type = false
-    self.require_empty = false
-    self.default_method = :process_default
-    self.warn_on_default = false
-    @result = []
-    @matched = false
-    @mark = false
-    @watch_nodes = Set.new([:call, :iasgn, :lasgn, :gasgn, :cvasgn, :return, :attrasgn])
-    @params = Sexp.new(:call, nil, :params, Sexp.new(:arglist))
-  end
-  def process_default exp
-    if @watch_nodes.include?(exp.node_type) and not @mark
-      @mark = true
-      @matched = false
-      process_these exp[1..-1]
-      if @matched
-        @result << exp
-        @matched = false
-      end
-      @mark = false
-    else
-      process_these exp[1..-1]
-    end
-    exp
-  end
-  def process_these exp
-    exp.each do |e|
-      if sexp? e and not e.empty?
-        process e
-      end
-    end
-  end
-  def process_call exp
-    if @mark
-      actually_process_call exp
-    else
-      @mark = true
-      actually_process_call exp
-      if @matched
-        @result << exp
-      end
-      @mark = @matched = false
-    end
-    exp
-  end
-  def actually_process_call exp
-    process exp[1]
-    process exp[3]
-    if exp[1] == @params or exp == @params
-      @matched = true
-    end
-  end
-  #Don't really care about condition
-  def process_if exp
-    process_these exp[2..-1]
-    exp
-  end
-end

data/lib/processors/route_processor.rb DELETED

@@ -1,11 +0,0 @@
-require 'processors/base_processor'
-require 'processors/alias_processor'
-require 'processors/lib/route_helper'
-require 'util'
-require 'set'
-if OPTIONS[:rails3]
-  require 'processors/lib/rails3_route_processor'
-else
-  require 'processors/lib/rails2_route_processor'
-end

data/lib/processors/template_alias_processor.rb DELETED

@@ -1,86 +0,0 @@
-require 'set'
-require 'processors/alias_processor'
-require 'processors/lib/render_helper'
-#Processes aliasing in templates.
-#Handles calls to +render+.
-class TemplateAliasProcessor < AliasProcessor
-  include RenderHelper
-  FORM_METHODS = Set.new([:form_for, :remote_form_for, :form_remote_for])
-  def initialize tracker, template
-    super()
-    @tracker = tracker
-    @template = template
-  end
-  #Process template
-  def process_template name, args
-    super name, args, "Template:#{@template[:name]}"
-  end
-  #Determine template name
-  def template_name name
-    unless name.to_s.include? "/"
-      name = "#{@template[:name].to_s.match(/^(.*\/).*$/)[1]}#{name}"
-    end
-    name
-  end
-  #Looks for form methods and iterating over collections of Models
-  def process_call_with_block exp
-    process_default exp
-    call = exp[1]
-    target = call[1]
-    method = call[2]
-    args = exp[2]
-    block = exp[3]
-    #Check for e.g. Model.find.each do ... end
-    if method == :each and args and block and model = get_model_target(target)
-      if sexp? args and args.node_type == :lasgn
-        if model == target[1]
-          env[Sexp.new(:lvar, args[1])] = Sexp.new(:call, model, :new, Sexp.new(:arglist))
-        else
-          env[Sexp.new(:lvar, args[1])] = Sexp.new(:call, Sexp.new(:const, Tracker::UNKNOWN_MODEL), :new, Sexp.new(:arglist))
-        end
-        process block if sexp? block
-      end
-    elsif FORM_METHODS.include? method
-      if sexp? args and args.node_type == :lasgn
-        env[Sexp.new(:lvar, args[1])] = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist))
-        process block if sexp? block
-      end
-    end
-    exp
-  end
-  alias process_iter process_call_with_block
-  #Checks if +exp+ is a call to Model.all or Model.find*
-  def get_model_target exp
-    if call? exp
-      target = exp[1]
-      if exp[2] == :all or exp[2].to_s[0,4] == "find"
-        models = Set.new @tracker.models.keys
-        begin
-          name = class_name target
-          return target if models.include?(name)
-        rescue StandardError
-        end
-      end
-      return get_model_target(target)
-    end
-    false
-  end
-end