brakeman 0.0.2

data/lib/checks/check_render.rb

@@ -0,0 +1,65 @@
+require 'checks/base_check'
+
+#Check calls to +render()+ for dangerous values
+class CheckRender < BaseCheck
+  Checks.add self
+
+  def run_check
+    tracker.each_method do |src, class_name, method_name|
+      @current_class = class_name
+      @current_method = method_name
+      process src
+    end
+
+    tracker.each_template do |name, template|
+      @current_template = template
+      process template[:src]
+    end
+  end
+
+  def process_render exp
+    case exp[1]
+    when :partial, :template, :action, :file
+      check_for_dynamic_path exp
+    when :inline
+    when :js
+    when :json
+    when :text
+    when :update
+    when :xml
+    end
+    exp
+  end
+
+  #Check if path to action or file is determined dynamically
+  def check_for_dynamic_path exp
+    view = exp[2]
+
+    if sexp? view and view.node_type != :str and view.node_type != :lit and not duplicate? exp
+
+      add_result exp
+
+      if include_user_input? view
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:low]
+      end
+
+      warning = { :warning_type => "Dynamic Render Path",
+        :message => "Render path is dynamic",
+        :line => exp.line,
+        :code => exp,
+        :confidence => confidence }
+
+
+      if @current_template
+        warning[:template] = @current_template
+      else
+        warning[:class] = @current_class
+        warning[:method] = @current_method
+      end
+
+      warn warning
+    end
+  end
+end 

data/lib/checks/check_send_file.rb

@@ -0,0 +1,15 @@
+require 'checks/check_file_access'
+require 'processors/lib/processor_helper'
+
+#Checks for user input in send_file()
+class CheckSendFile < CheckFileAccess
+  Checks.add self
+
+  def run_check
+    methods = tracker.find_call nil, :send_file
+
+    methods.each do |call|
+      process_result call
+    end
+  end
+end

data/lib/checks/check_session_settings.rb

@@ -0,0 +1,36 @@
+require 'checks/base_check'
+
+class CheckSessionSettings < BaseCheck
+  Checks.add self
+
+  def run_check
+    settings = tracker.config[:rails] and
+                tracker.config[:rails][:action_controller] and
+                tracker.config[:rails][:action_controller][:session]
+
+    if settings and hash? settings
+      hash_iterate settings do |key, value|
+        if symbol? key
+
+          if key[1] == :session_http_only and 
+            sexp? value and
+            value.node_type == :false
+
+            warn :warning_type => "Session Setting",
+              :message => "Session cookies should be set to HTTP only",
+              :confidence => CONFIDENCE[:high]
+
+          elsif key[1] == :secret and 
+            string? value and
+            value[1].length < 30
+
+            warn :warning_type => "Session Setting",
+              :message => "Session secret should be at least 30 characters long",
+              :confidence => CONFIDENCE[:high]
+
+          end
+        end
+      end
+    end
+  end
+end

data/lib/checks/check_sql.rb

@@ -0,0 +1,124 @@
+require 'checks/base_check'
+require 'processors/lib/find_call'
+
+#This check tests for find calls which do not use Rails' auto SQL escaping
+#
+#For example:
+# Project.find(:all, :conditions => "name = '" + params[:name] + "'")
+#
+# Project.find(:all, :conditions => "name = '#{params[:name]}'")
+#
+# User.find_by_sql("SELECT * FROM projects WHERE name = '#{params[:name]}'")
+class CheckSQL < BaseCheck
+  Checks.add self
+
+  def run_check
+    @rails_version = tracker.config[:rails_version]
+    calls = tracker.find_model_find tracker.models.keys
+    calls.concat tracker.find_call([], /^(find.*|last|first|all|count|sum|average|minumum|maximum)$/)
+    calls.each do |c|
+      process c
+    end
+  end
+
+  #Process result from FindCall.
+  def process_result exp
+    call = exp[-1]
+
+    args = process call[3]
+
+    if call[2] == :find_by_sql
+      failed = check_arguments args[1]
+    elsif call[2].to_s =~ /^find/
+      failed = (args.length > 2 and check_arguments args[-1])
+    else
+      failed = (args.length > 1 and check_arguments args[-1])
+    end
+
+    if failed and not duplicate? call, exp[1]
+      add_result call, exp[1]
+
+      if include_user_input? args[-1]
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:med]
+      end
+
+      warn :result => exp,
+        :warning_type => "SQL Injection",
+        :message => "Possible SQL injection",
+        :confidence => confidence
+    end
+
+    if check_for_limit_or_offset_vulnerability args[-1]
+      if include_user_input? args[-1]
+        confidence = CONFIDENCE[:high]
+      else
+        confidence = CONFIDENCE[:low]
+      end
+
+      warn :result => exp, 
+        :warning_type => "SQL Injection", 
+        :message => "Upgrade to Rails >= 2.1.2 to escape :limit and :offset. Possible SQL injection",
+        :confidence => confidence
+    end
+    exp
+  end
+
+  private
+
+  #Check arguments for any string interpolation
+  def check_arguments arg
+    if sexp? arg
+      case arg.node_type
+      when :hash
+        hash_iterate(arg) do |key, value|
+          if check_arguments value
+            return true
+          end
+        end
+      when :array
+        return check_arguments(arg[1])
+      when :string_interp
+        return true
+      when :call
+        return check_call(arg)
+      end
+    end
+
+    false
+  end
+
+  #Check call for user input and string building
+  def check_call exp
+    target = exp[1]
+    method = exp[2]
+    args = exp[3]
+    if sexp? target and 
+      (method == :+ or method == :<< or method == :concat) and 
+      (string? target or include_user_input? exp)
+
+      true
+    elsif call? target
+      check_call target
+    else
+      false
+    end
+  end
+
+  #Prior to Rails 2.1.1, the :offset and :limit parameters were not
+  #escaping input properly.
+  #
+  #http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/
+  def check_for_limit_or_offset_vulnerability options
+    return false if @rails_version.nil? or @rails_version >= "2.1.1" or not hash? options
+
+    hash_iterate(options) do |key, value|
+      if symbol? key
+        return (key[1] == :limit or key[1] == :offset)
+      end
+    end
+
+    false
+  end
+end

data/lib/checks/check_validation_regex.rb

@@ -0,0 +1,60 @@
+require 'checks/base_check'
+
+#Reports any calls to +validates_format_of+ which do not use +\A+ and +\z+
+#as anchors in the given regular expression.
+#
+#For example:
+#
+# #Allows anything after new line
+# validates_format_of :user_name, :with => /^\w+$/
+class CheckValidationRegex < BaseCheck
+  Checks.add self
+
+  WITH = Sexp.new(:lit, :with)
+
+  def run_check
+    tracker.models.each do |name, model|
+      @current_model = name
+      format_validations = model[:options][:validates_format_of]
+      if format_validations
+        format_validations.each do |v|
+          process_validator v
+        end
+      end
+    end
+  end
+
+  #Check validates_format_of
+  def process_validator validator
+    hash_iterate(validator[-1]) do |key, value|
+      if key == WITH
+        check_regex value, validator
+      end
+    end
+  end
+
+  #Issue warning if the regular expression does not use
+  #+\A+ and +\z+
+  def check_regex value, validator
+    return unless regexp? value
+
+    regex = value[1].inspect
+    if regex =~ /[^\A].*[^\z]\/(m|i|x|n|e|u|s|o)*\z/
+      warn :model => @current_model,
+        :warning_type => "Format Validation", 
+        :message => "Insufficient validation for '#{get_name validator}' using #{value[1].inspect}. Use \\A and \\z as anchors",
+        :line => value.line,
+        :confidence => CONFIDENCE[:high] 
+    end
+  end
+
+  #Get the name of the attribute being validated.
+  def get_name validator
+    name = validator[1]
+    if sexp? name
+      name[1]
+    else
+      name
+    end
+  end
+end

data/lib/format/style.css

@@ -0,0 +1,105 @@
+/* CSS style used for HTML reports */
+
+body {
+  font-family: sans-serif;
+  color: #161616;
+}
+
+p {
+  font-weight: bold;
+  font-size: 11pt;
+  color: #2D0200;
+ }
+
+ th {
+   background-color: #980905;
+   border-bottom: 5px solid #530200;
+   color: white;
+   font-size: 11pt;
+   padding: 1px 8px 1px 8px;
+ }
+
+ td {
+   border-bottom: 2px solid white;
+   font-family: monospace;
+   padding: 5px 8px 1px 8px;
+ }
+
+ table {
+   background-color: #FCF4D4;
+   border-collapse: collapse;
+ }
+
+ h1 {
+   color: #2D0200;
+   font-size: 14pt;
+ }
+
+ h2 {
+   color: #2D0200;
+   font-size: 12pt;
+ }
+
+ span.high-confidence {
+   font-weight:bold;
+   color: red;
+ }
+
+ span.med-confidence {
+ }
+
+ span.weak-confidence {
+   color:gray;
+ }
+
+ div.warning_message {
+   cursor: pointer;
+ }
+
+ div.warning_message:hover {
+   background-color: white;
+ }
+
+ table.context {
+   margin-top: 5px;
+   margin-bottom: 5px;
+   border-left: 1px solid #90e960;
+   color: #212121;
+ }
+
+ tr.context {
+   background-color: white;
+ }
+
+ tr.first {
+   border-top: 1px solid #7ecc54;
+   padding-top: 2px;
+ }
+
+ tr.error {
+  background-color: #f4c1c1 !important
+ }
+
+ tr.near_error {
+  background-color: #f4d4d4 !important
+ }
+
+ tr.alt {
+   background-color: #e8f4d4;
+ }
+
+ td.context {
+   padding: 2px 10px 0px 6px;
+   border-bottom: none;
+ }
+
+ td.context_line {
+   padding: 2px 8px 0px 7px;
+   border-right: 1px solid #b3bda4;
+   border-bottom: none;
+   color: #6e7465;
+ }
+
+ pre.context {
+   margin-bottom: 1px;
+ }

data/lib/processor.rb

@@ -0,0 +1,83 @@
+#Load all files in processors/
+Dir.glob("#{File.expand_path(File.dirname(__FILE__))}/processors/*.rb").each { |f| require f.match(/processors.*/)[0] }
+require 'tracker'
+require 'set'
+
+#Makes calls to the appropriate processor.
+#
+#The ControllerProcessor, TemplateProcessor, and ModelProcessor will
+#update the Tracker with information about what is parsed.
+class Processor
+  def initialize
+    @tracker = Tracker.new self
+  end
+
+  def tracked_events
+    @tracker
+  end
+
+  #Process configuration file source
+  def process_config src
+    ConfigProcessor.new(@tracker).process_config src
+  end
+
+  #Process route file source
+  def process_routes src
+    RoutesProcessor.new(@tracker).process_routes src
+  end
+
+  #Process controller source. +file_name+ is used for reporting
+  def process_controller src, file_name
+    ControllerProcessor.new(@tracker).process_controller src, file_name
+  end
+
+  #Process variable aliasing in controller source and save it in the
+  #tracker.
+  def process_controller_alias src
+    ControllerAliasProcessor.new(@tracker).process src
+  end
+
+  #Process a model source
+  def process_model src, file_name
+    result = ModelProcessor.new(@tracker).process_model src, file_name
+    AliasProcessor.new.process result
+  end
+
+  #Process either an ERB or HAML template
+  def process_template name, src, type, called_from = nil, file_name = nil
+    case type
+    when :erb
+      result = ErbTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+    when :haml
+      result = HamlTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+    else
+      abort "Unknown template type: #{type} (#{name})"
+    end
+
+    #Each template which is rendered is stored separately
+    #with a new name.
+    if called_from
+      name = (name.to_s + "." + called_from.to_s).to_sym
+    end
+
+    @tracker.templates[name][:src] = result
+    @tracker.templates[name][:type] = type
+  end
+
+  #Process any calls to render() within a template
+  def process_template_alias template
+    TemplateAliasProcessor.new(@tracker, template).process_safely template[:src]
+  end
+
+  #Process source for initializing files
+  def process_initializer name, src
+    res = BaseProcessor.new(@tracker).process src
+    res = AliasProcessor.new.process res
+    @tracker.initializers[name] = res
+  end
+
+  #Process source for a library file
+  def process_lib src, file_name
+    LibraryProcessor.new(@tracker).process_library src, file_name
+  end
+end