brakeman 0.0.2

data/lib/scanner.rb

@@ -0,0 +1,232 @@
+require 'rubygems'
+begin
+  require 'ruby_parser'
+  require 'haml'
+  require 'erb'
+  require 'erubis'
+  require 'processor'
+rescue LoadError => e
+  $stderr.puts e.message
+  $stderr.puts "Please install the appropriate dependency."
+  exit
+end
+
+#Erubis processor which ignores any output which is plain text.
+class ScannerErubis < Erubis::Eruby
+  include Erubis::NoTextEnhancer
+end
+
+#Scans the Rails application.
+class Scanner
+
+  #Pass in path to the root of the Rails application
+  def initialize path
+    @path = path
+    @app_path = path + "/app/"
+    @processor = Processor.new
+  end
+
+  #Returns the Tracker generated from the scan
+  def tracker
+    @processor.tracked_events
+  end
+
+  #Process everything in the Rails application
+  def process
+    warn "Processing configuration..."
+    process_config
+    warn "Processing initializers..."
+    process_initializers
+    warn "Processing libs..."
+    process_libs
+    warn "Processing routes..."
+    process_routes
+    warn "Processing templates..."
+    process_templates
+    warn "Processing models..."
+    process_models
+    warn "Processing controllers..."
+    process_controllers
+    tracker
+  end
+
+  #Process config/environment.rb and config/gems.rb
+  #
+  #Stores parsed information in tracker.config
+  def process_config
+    @processor.process_config(RubyParser.new.parse(File.read("#@path/config/environment.rb")))
+
+    if File.exists? "#@path/config/gems.rb"
+      @processor.process_config(RubyParser.new.parse(File.read("#@path/config/gems.rb")))
+    end
+
+    if File.exists? "#@path/vendor/plugins/rails_xss"
+      tracker.config[:escape_html] = true
+      warn "[Notice] Escaping HTML by default"
+    end
+  end
+
+  #Process all the .rb files in config/initializers/
+  #
+  #Adds parsed information to tracker.initializers
+  def process_initializers
+    Dir.glob(@path + "/config/initializers/**/*.rb").sort.each do |f|
+      begin
+        @processor.process_initializer(f, RubyParser.new.parse(File.read(f)))
+      rescue Racc::ParseError => e
+        tracker.error e, "could not parse #{f}"
+      rescue Exception => e
+        tracker.error e.exception(e.message + "\nWhile processing #{f}"), e.backtrace
+      end
+    end
+  end
+
+  #Process all .rb in lib/
+  #
+  #Adds parsed information to tracker.libs.
+  def process_libs
+    Dir.glob(@path + "/lib/**/*.rb").sort.each do |f|
+      begin
+        @processor.process_lib RubyParser.new.parse(File.read(f)), f
+      rescue Racc::ParseError => e
+        tracker.error e, "could not parse #{f}"
+      rescue Exception => e
+        tracker.error e.exception(e.message + "\nWhile processing #{f}"), e.backtrace
+      end
+    end
+  end
+
+  #Process config/routes.rb
+  #
+  #Adds parsed information to tracker.routes
+  def process_routes
+    if File.exists? "#@path/config/routes.rb"
+      @processor.process_routes RubyParser.new.parse(File.read("#@path/config/routes.rb"))
+    end
+  end
+
+  #Process all .rb files in controllers/
+  #
+  #Adds processed controllers to tracker.controllers
+  def process_controllers
+    Dir.glob(@app_path + "/controllers/**/*.rb").sort.each do |f|
+      begin
+        @processor.process_controller(RubyParser.new.parse(File.read(f)), f)
+      rescue Racc::ParseError => e
+        tracker.error e, "could not parse #{f}"
+      rescue Exception => e
+        tracker.error e.exception(e.message + "\nWhile processing #{f}"), e.backtrace
+      end
+    end
+
+    tracker.controllers.each do |name, controller|
+      @processor.process_controller_alias controller[:src]
+    end
+  end
+
+  #Process all views and partials in views/
+  #
+  #Adds processed views to tracker.views
+  def process_templates
+
+    views_path = @app_path + "/views/**/*.{html.erb,html.haml,rhtml,js.erb}"
+    $stdout.sync = true
+    count = 0
+
+    Dir.glob(views_path).sort.each do |f|
+      count += 1
+      type = f.match(/.*\.(erb|haml|rhtml)$/)[1].to_sym
+      type = :erb if type == :rhtml
+      name = template_path_to_name f
+
+      begin
+        if type == :erb
+          if tracker.config[:escape_html]
+            src = RailsXSSErubis.new(File.read(f)).src
+          elsif tracker.config[:erubis]
+            src = ScannerErubis.new(File.read(f)).src
+          else
+            src = ERB.new(File.read(f), nil, "-").src
+          end
+          parsed = RubyParser.new.parse src
+        elsif type == :haml
+          src = Haml::Engine.new(File.read(f),
+                                 :escape_html => !!tracker.config[:escape_html]).precompiled
+          parsed = RubyParser.new.parse src
+        else
+          tracker.error "Unkown template type in #{f}"
+        end
+
+        @processor.process_template(name, parsed, type, nil, f)
+
+      rescue Racc::ParseError => e
+        tracker.error e, "could not parse #{f}"
+      rescue Haml::Error => e
+        tracker.error e, ["While compiling HAML in #{f}"] << e.backtrace
+      rescue Exception => e
+        tracker.error e.exception(e.message + "\nWhile processing #{f}"), e.backtrace
+      end
+    end
+
+    tracker.templates.keys.dup.each do |name|
+      @processor.process_template_alias tracker.templates[name]
+    end
+
+  end
+
+  #Convert path/filename to view name
+  #
+  # views/test/something.html.erb -> test/something
+  def template_path_to_name path
+    names = path.split("/")
+    names.last.gsub!(/(\.(html|js)\..*|\.rhtml)$/, '')
+    names[(names.index("views") + 1)..-1].join("/").to_sym
+  end
+
+  #Process all the .rb files in models/
+  #
+  #Adds the processed models to tracker.models
+  def process_models
+    Dir.glob(@app_path + "/models/*.rb").sort.each do |f|
+      begin
+        @processor.process_model(RubyParser.new.parse(File.read(f)), f)
+      rescue Racc::ParseError => e
+        tracker.error e, "could not parse #{f}"
+      rescue Exception => e
+        tracker.error e.exception(e.message + "\nWhile processing #{f}"), e.backtrace
+      end
+    end
+  end
+end
+
+#This is from the rails_xss plugin,
+#except we don't care about plain text.
+class RailsXSSErubis < ::Erubis::Eruby
+  include Erubis::NoTextEnhancer
+
+  #Initializes output buffer.
+  def add_preamble(src)
+    src << "@output_buffer = ActionView::SafeBuffer.new;\n"
+  end
+
+  #This does nothing.
+  def add_text(src, text)
+    #    src << "@output_buffer << ('" << escape_text(text) << "'.html_safe!);"
+  end
+
+  #Add an expression to the output buffer _without_ escaping.
+  def add_expr_literal(src, code)
+    src << '@output_buffer << ((' << code << ').to_s);'
+  end
+
+  #Add an expression to the output buffer after escaping it.
+  def add_expr_escaped(src, code)
+    src << '@output_buffer << ' << escaped_expr(code) << ';'
+  end
+
+  #Add code to output buffer.
+  def add_postamble(src)
+    src << '@output_buffer.to_s'
+  end
+end
+

data/lib/tracker.rb

@@ -0,0 +1,144 @@
+require 'set'
+require 'checks'
+require 'report'
+require 'processors/lib/find_call'
+require 'processors/lib/find_model_call'
+
+#The Tracker keeps track of all the processed information.
+class Tracker
+  attr_accessor :controllers, :templates, :models, :errors,
+    :checks, :initializers, :config, :routes, :processor, :libs,
+    :template_cache
+
+  #Place holder when there should be a model, but it is not
+  #clear what model it will be.
+  UNKNOWN_MODEL = :BrakemanUnresolvedModel
+
+  #Creates a new Tracker.
+  #
+  #The Processor argument is only used by other Processors
+  #that might need to access it.
+  def initialize processor = nil
+    @processor = processor
+    @config = {}
+    @templates = {}
+    @controllers = {}
+    #Initialize models with the unknown model so
+    #we can match models later without knowing precisely what
+    #class they are.
+    @models = { UNKNOWN_MODEL => { :name => UNKNOWN_MODEL,
+        :parent => nil,
+        :includes => [],
+        :public => {},
+        :private => {},
+        :protected => {},
+        :options => {} } }
+    @routes = {}
+    @initializers = {}
+    @errors = []
+    @libs = {}
+    @checks = nil
+    @template_cache = Set.new
+  end
+
+  #Add an error to the list. If no backtrace is given,
+  #the one from the exception will be used.
+  def error exception, backtrace = nil
+    backtrace ||= exception.backtrace
+    unless backtrace.is_a? Array
+      backtrace = [ backtrace ]
+    end
+
+    @errors << { :error => exception.to_s.gsub("\n", " "), :backtrace => backtrace }
+  end
+
+  #Run a set of checks on the current information. Results will be stored
+  #in Tracker#checks.
+  def run_checks
+    @checks = Checks.run_checks(self)
+  end
+
+  #Iterate over all methods in controllers and models.
+  def each_method
+    [self.controllers, self.models].each do |set|
+      set.each do |set_name, info|
+        [:private, :public, :protected].each do |visibility|
+          info[visibility].each do |method_name, definition|    
+            if definition.node_type == :selfdef
+              method_name = "#{definition[1]}.#{method_name}"
+            end
+
+            yield definition, set_name, method_name
+
+          end
+        end
+      end
+    end
+  end
+
+  #Iterates over each template, yielding the name and the template. 
+  #Prioritizes templates which have been rendered.
+  def each_template
+    if @processed.nil?
+      @processed, @rest = templates.keys.partition { |k| k.to_s.include? "." }
+    end
+
+    @processed.each do |k|
+      yield k, templates[k]
+    end
+
+    @rest.each do |k|
+      yield k, templates[k]
+    end
+  end
+
+  #Find a method call.
+  #
+  #See FindCall for details on arguments.
+  def find_call target, method
+    finder = FindCall.new target, method
+
+    self.each_method do |definition, set_name, method_name|
+      finder.process_source definition, set_name, method_name
+    end
+
+    self.each_template do |name, template|
+      finder.process_source template[:src], nil, nil, template
+    end
+
+    finder.matches
+  end
+
+  #Finds method call on models.
+  #
+  #See FindCall for details on arguments.
+  def find_model_find target
+    finder = FindModelCall.new target
+
+    self.each_method do |definition, set_name, method_name|
+      finder.process_source definition, set_name, method_name
+    end
+
+    self.each_template do |name, template|
+      finder.process_source template[:src], nil, nil, template
+    end
+
+    finder.matches
+  end
+
+  #Similar to Tracker#find_call, but searches the initializers
+  def check_initializers target, method
+    finder = FindCall.new target, method
+
+    initializers.each do |name, initializer|
+      finder.process_source initializer
+    end
+
+    finder.matches
+  end
+
+  #Returns a Report with this Tracker's information
+  def report
+    Report.new(self)
+  end
+end

data/lib/util.rb

@@ -0,0 +1,141 @@
+require 'sexp_processor'
+require 'set'
+require 'active_support/inflector'
+
+#This is a mixin containing utility methods.
+module Util
+
+  QUERY_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request, Sexp.new(:arglist)), :query_parameters, Sexp.new(:arglist))
+
+  PATH_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request, Sexp.new(:arglist)), :path_parameters, Sexp.new(:arglist))
+
+  REQUEST_PARAMETERS = Sexp.new(:call, Sexp.new(:call, nil, :request, Sexp.new(:arglist)), :request_parameters, Sexp.new(:arglist))
+
+  PARAMETERS = Sexp.new(:call, nil, :params, Sexp.new(:arglist))
+
+  COOKIES = Sexp.new(:call, nil, :cookies, Sexp.new(:arglist))
+
+  SESSION = Sexp.new(:call, nil, :session, Sexp.new(:arglist))
+
+  ALL_PARAMETERS = Set.new([PARAMETERS, QUERY_PARAMETERS, PATH_PARAMETERS, REQUEST_PARAMETERS])
+
+  #Convert a string from "something_like_this" to "SomethingLikeThis"
+  #
+  #Taken from ActiveSupport.
+  def camelize lower_case_and_underscored_word
+    lower_case_and_underscored_word.to_s.gsub(/\/(.?)/) { "::#{$1.upcase}" }.gsub(/(?:^|_)(.)/) { $1.upcase }
+  end
+
+  #Convert a string from "Something::LikeThis" to "something/like_this"
+  #
+  #Taken from ActiveSupport.
+  def underscore camel_cased_word
+    camel_cased_word.to_s.gsub(/::/, '/').
+      gsub(/([A-Z]+)([A-Z][a-z])/,'\1_\2').
+      gsub(/([a-z\d])([A-Z])/,'\1_\2').
+      tr("-", "_").
+      downcase
+  end
+
+  #Use ActiveSupport::Inflector to pluralize a word.
+  def pluralize word
+    ActiveSupport::Inflector.pluralize word
+  end
+
+  #Takes an Sexp like
+  # (:hash, (:lit, :key), (:str, "value"))
+  #and yields the key and value pairs to the given block.
+  #
+  #For example:
+  #
+  # h = Sexp.new(:hash, (:lit, :name), (:str, "bob"), (:lit, :name), (:str, "jane"))
+  # names = []
+  # hash_iterate(h) do |key, value|
+  #   if symbol? key and key[1] == :name
+  #     names << value[1]
+  #   end
+  # end
+  # names #["bob"]
+  def hash_iterate hash
+    1.step(hash.length - 1, 2) do |i|
+      yield hash[i], hash[i + 1]
+    end
+  end
+
+  #Insert value into Hash Sexp
+  def hash_insert hash, key, value
+    index = 0
+    hash_iterate hash.dup do |k,v|
+      index += 1
+      if k == key and index % 2 == 1
+        hash[index + 1] = value
+        return hash
+      end
+    end
+      
+    hash << key << value
+
+    hash
+  end
+
+  #Adds params, session, and cookies to environment
+  #so they can be replaced by their respective Sexps.
+  def set_env_defaults
+    @env[PARAMETERS] = Sexp.new(:params)
+    @env[SESSION] = Sexp.new(:session)
+    @env[COOKIES] = Sexp.new(:cookies)
+  end
+
+  #Check if _exp_ represents a hash: s(:hash, {...})
+  #This also includes pseudo hashes params, session, and cookies.
+  def hash? exp
+    exp.is_a? Sexp and (exp.node_type == :hash or 
+                        exp.node_type == :params or 
+                        exp.node_type == :session or
+                        exp.node_type == :cookies)
+  end
+
+  #Check if _exp_ represents an array: s(:array, [...])
+  def array? exp
+    exp.is_a? Sexp and exp.node_type == :array
+  end
+
+  #Check if _exp_ represents a String: s(:str, "...")
+  def string? exp
+    exp.is_a? Sexp and exp.node_type == :str
+  end
+
+  #Check if _exp_ represents a Symbol: s(:lit, :...)
+  def symbol? exp
+    exp.is_a? Sexp and exp.node_type == :lit and exp[1].is_a? Symbol
+  end
+
+  #Check if _exp_ represents a method call: s(:call, ...)
+  def call? exp
+    exp.is_a? Sexp and exp.node_type == :call
+  end
+
+  #Check if _exp_ represents a Regexp: s(:lit, /.../)
+  def regexp? exp
+    exp.is_a? Sexp and exp.node_type == :lit and exp[1].is_a? Regexp
+  end
+
+  #Check if _exp_ represents an Integer: s(:lit, ...)
+  def integer? exp
+    exp.is_a? Sexp and exp.node_type == :lit and exp[1].is_a? Integer
+  end
+
+  #Check if _exp_ is a params hash
+  def params? exp
+    exp.is_a? Sexp and exp.node_type == :params
+  end
+
+  def cookies? exp
+    exp.is_a? Sexp and exp.node_type == :cookies
+  end
+
+  #Check if _exp_ is a Sexp.
+  def sexp? exp
+    exp.is_a? Sexp
+  end
+end