brakeman 0.0.3 → 0.1.0

data/bin/brakeman

@@ -3,27 +3,14 @@ require "optparse"
 require 'set'
 require 'yaml'
 
-Version = "0.0.2"
+
+Version = "0.1.0"
 
 trap("INT") do
   $stderr.puts "\nInterrupted - exiting."
   exit!
 end
 
-#Load scanner
-begin
-  require 'scanner'
-rescue LoadError
-  #Try to find lib directory locally
-  $: << "#{File.expand_path(File.dirname(__FILE__))}/../lib"
-
-  begin
-    require 'scanner'
-  rescue LoadError
-    abort "Cannot find lib/ directory."
-  end
-end
-
 #Parse command line options
 options = {}
 
@@ -86,7 +73,7 @@ OptionParser.new do |opts|
 
   opts.on "-f", 
     "--format TYPE", 
-    [:pdf, :text, :html, :csv], 
+    [:pdf, :text, :html, :csv, :tabs], 
     "Specify output format. Default is text" do |type|
     
     type = "s" if type == :text
@@ -187,6 +174,8 @@ if OPTIONS[:output_format]
     OPTIONS[:output_format] = :to_csv
   when :pdf, :to_pdf
     OPTIONS[:output_format] = :to_pdf
+  when :tabs, :to_tabs
+    OPTIONS[:output_format] = :to_tabs
   else
     OPTIONS[:output_format] = :to_s
   end
@@ -198,6 +187,8 @@ else
     OPTIONS[:output_format] = :to_csv
   when /\.pdf$/i
     OPTIONS[:output_format] = :to_pdf
+  when /\.tabs$/i
+    OPTIONS[:output_format] = :to_tabs
   else
     OPTIONS[:output_format] = :to_s
   end
@@ -247,6 +238,20 @@ abort("Please supply the path to a Rails application.") unless app_path and File
 
 warn "[Notice] Using Ruby #{RUBY_VERSION}. Please make sure this matches the one used to run your Rails application."
 
+#Load scanner
+begin
+  require 'scanner'
+rescue LoadError
+  #Try to find lib directory locally
+  $:.unshift "#{File.expand_path(File.dirname(__FILE__))}/../lib"
+
+  begin
+    require 'scanner'
+  rescue LoadError
+    abort "Cannot find lib/ directory."
+  end
+end
+
 #Start scanning
 scanner = Scanner.new app_path
 

data/lib/checks/check_cross_site_scripting.rb

@@ -26,7 +26,7 @@ class CheckCrossSiteScripting < BaseCheck
 
   MODEL_METHODS = Set.new([:all, :find, :first, :last, :new])
 
-  IGNORE_LIKE = /^link_to_|_path|_tag|_url$/
+  IGNORE_LIKE = /^link_to_|(_path|_tag|_url)$/
 
   HAML_HELPERS = Sexp.new(:colon2, Sexp.new(:const, :Haml), :Helpers)
 
@@ -42,34 +42,31 @@ class CheckCrossSiteScripting < BaseCheck
     @models = tracker.models.keys
     @inspect_arguments = OPTIONS[:check_arguments]
 
+    CheckLinkTo.new(checks, tracker).run_check
+
     tracker.each_template do |name, template|
       @current_template = template
 
       template[:outputs].each do |out|
         type, match = has_immediate_user_input?(out[1])
-        if type
-          unless duplicate? out
+        if type and not duplicate? out
             add_result out
             case type
             when :params
-
-              warn :template => @current_template, 
-                :warning_type => "Cross Site Scripting", 
-                :message => "Unescaped parameter value",
-                :line => match.line,
-                :code => match,
-                :confidence => CONFIDENCE[:high]
-
+              message = "Unescaped parameter value"
             when :cookies
-
-              warn :template => @current_template, 
-                :warning_type => "Cross Site Scripting", 
-                :message => "Unescaped cookie value",
-                :line => match.line,
-                :code => match,
-                :confidence => CONFIDENCE[:high]
+              message = "Unescaped cookie value"
+            else
+              message = "Unescaped user input value"
             end
-          end
+
+            warn :template => @current_template, 
+              :warning_type => "Cross Site Scripting",
+              :message => message,
+              :line => match.line,
+              :code => match,
+              :confidence => CONFIDENCE[:high]
+
         elsif not OPTIONS[:ignore_model_output] and match = has_immediate_model?(out[1])
           method = match[2]
 
@@ -168,8 +165,8 @@ class CheckCrossSiteScripting < BaseCheck
     elsif @inspect_arguments and (ALL_PARAMETERS.include?(exp) or params? exp)
 
       @matched = :params
-    else
-      process args if @inspect_arguments
+    elsif @inspect_arguments
+      process args
     end
   end
 
@@ -212,5 +209,116 @@ class CheckCrossSiteScripting < BaseCheck
     end
     exp
   end
+end
+
+#This _only_ checks calls to link_to
+class CheckLinkTo < CheckCrossSiteScripting
+  IGNORE_METHODS = IGNORE_METHODS - [:link_to]
+
+  def run_check
+    #Ideally, I think this should also check to see if people are setting
+    #:escape => false
+    methods = tracker.find_call [], :link_to 
+
+    @models = tracker.models.keys
+    @inspect_arguments = OPTIONS[:check_arguments]
+
+    methods.each do |call|
+      process_result call
+    end
+  end
+
+  def process_result result
+    #Have to make a copy of this, otherwise it will be changed to
+    #an ignored method call by the code above.
+    call = result[-1] = result[-1].dup
+
+    @matched = false
+
+    return if call[3][1].nil?
+
+    #Only check first argument for +link_to+, as the second
+    #will *usually* be a record or escaped.
+    first_arg = process call[3][1]
+
+    type, match = has_immediate_user_input? first_arg
+
+    if type
+      case type
+      when :params
+        message = "Unescaped parameter value in link_to"
+      when :cookies
+        message = "Unescaped cookie value in link_to"
+      else
+        message = "Unescaped user input value in link_to"
+      end
+
+      unless duplicate? result
+        add_result result
+
+        warn :result => result,
+          :warning_type => "Cross Site Scripting", 
+          :message => message,
+          :confidence => CONFIDENCE[:high]
+      end
+
+    elsif not OPTIONS[:ignore_model_output] and match = has_immediate_model?(first_arg)
+      method = match[2]
+
+      unless duplicate? result or IGNORE_MODEL_METHODS.include? method
+        add_result result
+
+        if MODEL_METHODS.include? method or method.to_s =~ /^find_by/
+          confidence = CONFIDENCE[:high]
+        else
+          confidence = CONFIDENCE[:med]
+        end
+
+        warn :result => result,
+          :warning_type => "Cross Site Scripting", 
+          :message => "Unescaped model attribute in link_to",
+          :confidence => confidence
+      end
+
+    elsif @matched
+      if @matched == :model and not OPTIONS[:ignore_model_output]
+        message = "Unescaped model attribute in link_to"
+      elsif @matched == :params
+        message = "Unescaped parameter value in link_to"
+      end
+
+      if message and not duplicate? result
+        add_result result
+
+        warn :result => result, 
+          :warning_type => "Cross Site Scripting", 
+          :message => message,
+          :confidence => CONFIDENCE[:med]
+      end
+    end
+  end
+
+  def process_call exp
+    @mark = true
+    actually_process_call exp
+    exp
+  end
+
+
+  def actually_process_call exp
+    return if @matched
+
+    target = exp[1]
+    if sexp? target
+      target = process target.dup
+    end
+
+    #Bare records create links to the model resource,
+    #not a string that could have injection
+    if model_name? target and context == [:call, :arglist]
+      return exp
+    end
 
+    super
+  end
 end

data/lib/processors/controller_alias_processor.rb

@@ -93,6 +93,7 @@ class ControllerAliasProcessor < AliasProcessor
 
   #Processes the default template for the current action
   def process_default_render exp
+    process_layout
     process_template template_name, nil
   end
 
@@ -114,6 +115,20 @@ class ControllerAliasProcessor < AliasProcessor
     end
   end
 
+  #Determines default layout name
+  def layout_name
+    controller = @tracker.controllers[@current_class]
+
+    return controller[:layout] if controller[:layout]
+    return false if controller[:layout] == false
+
+    app_controller = @tracker.controllers[:ApplicationController]
+
+    return app_controller[:layout] if app_controller and app_controller[:layout]
+
+    nil
+  end
+
   #Returns true if the given method name is also a route
   def route? method
     return true if @tracker.routes[:allow_all_actions]

data/lib/processors/controller_processor.rb

@@ -42,6 +42,7 @@ class ControllerProcessor < BaseProcessor
                     :file => @file_name }
     @tracker.controllers[@controller[:name]] = @controller
     exp[3] = process exp[3]
+    set_layout_name
     @controller = nil
     exp
   end
@@ -75,6 +76,20 @@ class ControllerProcessor < BaseProcessor
         when :before_filter
           @controller[:options][:before_filters] ||= []
           @controller[:options][:before_filters] << args[1..-1]
+        when :layout
+          if string? args[-1]
+            #layout "some_layout"
+
+            name = args[-1][1].to_s
+            unless Dir.glob("#{OPTIONS[:app_path]}/app/views/layouts/#{name}.html.{erb,haml}").empty?
+              @controller[:layout] = "layouts/#{name}"
+            else
+              warn "[Notice] Layout not found: #{name}" if OPTIONS[:debug]
+            end
+          elsif sexp? args[-1] and (args[-1][0] == :nil or args[-1][0] == :false)
+            #layout :false or layout nil
+            @controller[:layout] = false
+          end
         end
       end
       ignore
@@ -135,6 +150,18 @@ class ControllerProcessor < BaseProcessor
     end
   end
 
+  #Sets default layout for renders inside Controller
+  def set_layout_name
+    return if @controller[:layout]
+
+    name = underscore(@controller[:name].to_s.split("::")[-1].gsub("Controller", ''))
+
+    #There is a layout for this Controller
+    unless Dir.glob("#{OPTIONS[:app_path]}/app/views/layouts/#{name}.html.{erb,haml}").empty?
+      @controller[:layout] = "layouts/#{name}"
+    end
+  end
+
   #This is to handle before_filter do |controller| ... end
   #
   #We build a new method and process that the same way as usual

data/lib/processors/haml_template_processor.rb

@@ -3,6 +3,22 @@ require 'processors/template_processor'
 #Processes HAML templates.
 class HamlTemplateProcessor < TemplateProcessor
   HAML_FORMAT_METHOD = /format_script_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)_(true|false)/
+  
+  def initialize *args
+    super
+
+    @tracker.libs.each do |name, lib|
+      if name.to_s =~ /^Haml::Filters/
+        begin
+          require lib[:file]
+        rescue Exception => e
+          if OPTIONS[:debug]
+            raise e
+          end
+        end
+      end
+    end
+  end
 
   #Processes call, looking for template output
   def process_call exp

data/lib/processors/lib/render_helper.rb

@@ -19,6 +19,14 @@ module RenderHelper
     exp
   end
 
+  #Processes layout
+  def process_layout name = nil
+    layout = name || layout_name
+    return unless layout
+
+    process_template layout, nil
+  end
+
   #Determines file name for partial and then processes it
   def process_partial name, args
     if name == "" or !(string? name or symbol? name)
@@ -61,6 +69,17 @@ module RenderHelper
 
       options = get_options args
 
+      #Process layout
+      if string? options[:layout]
+        process_template "layouts/#{options[:layout][1]}", nil
+      elsif sexp? options[:layout] and options[:layout][0] == :false
+        #nothing
+      elsif not template[:name].to_s.match(/[^\/_][^\/]+$/)
+        #Don't do this for partials
+        
+        process_layout
+      end
+
       if hash? options[:locals]
         hash_iterate options[:locals] do |key, value|
           template_env[Sexp.new(:call, nil, key[1], Sexp.new(:arglist))] = value

data/lib/processors/library_processor.rb

@@ -73,7 +73,8 @@ class LibraryProcessor < BaseProcessor
                     :public => {},
                     :private => {},
                     :protected => {},
-                    :src => exp }
+                    :src => exp,
+                    :file => @file_name }
     
       @tracker.libs[name] = @current_module
     end

data/lib/report.rb

@@ -625,4 +625,15 @@ class Report
 
     output << "</table></div>"
   end
+
+  def to_tabs
+    [[:warnings, "General"], [:controller_warnings, "Controller"],
+      [:model_warnings, "Model"], [:template_warnings, "Template"]].map do |meth, category|
+
+      checks.send(meth).map do |w|
+        "#{file_for w}\t#{w.line}\t#{w.warning_type}\t#{category}\t#{w.message}\t#{TEXT_CONFIDENCE[w.confidence]}"
+      end.join "\n"
+
+    end.join "\n"
+  end
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  hash: 25
-  prerelease: false
+  hash: 27
+  prerelease: 
   segments: 
   - 0
+  - 1
   - 0
-  - 3
-  version: 0.0.3
+  version: 0.1.0
 platform: ruby
 authors: 
 - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-10-15 00:00:00 -07:00
+date: 2011-01-18 00:00:00 -08:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -111,47 +111,47 @@ files:
 - WARNING_TYPES
 - FEATURES
 - README.md
-- lib/warning.rb
-- lib/processors/params_processor.rb
-- lib/processors/controller_alias_processor.rb
 - lib/processors/base_processor.rb
-- lib/processors/controller_processor.rb
-- lib/processors/library_processor.rb
-- lib/processors/erb_template_processor.rb
+- lib/processors/alias_processor.rb
 - lib/processors/haml_template_processor.rb
-- lib/processors/template_alias_processor.rb
-- lib/processors/route_processor.rb
-- lib/processors/model_processor.rb
-- lib/processors/lib/find_call.rb
+- lib/processors/output_processor.rb
+- lib/processors/params_processor.rb
+- lib/processors/erubis_template_processor.rb
+- lib/processors/controller_alias_processor.rb
 - lib/processors/lib/processor_helper.rb
-- lib/processors/lib/find_model_call.rb
 - lib/processors/lib/render_helper.rb
-- lib/processors/alias_processor.rb
-- lib/processors/output_processor.rb
+- lib/processors/lib/find_model_call.rb
+- lib/processors/lib/find_call.rb
+- lib/processors/route_processor.rb
+- lib/processors/model_processor.rb
+- lib/processors/erb_template_processor.rb
+- lib/processors/template_alias_processor.rb
 - lib/processors/config_processor.rb
-- lib/processors/erubis_template_processor.rb
 - lib/processors/template_processor.rb
+- lib/processors/controller_processor.rb
+- lib/processors/library_processor.rb
+- lib/report.rb
+- lib/util.rb
 - lib/checks/check_send_file.rb
-- lib/checks/check_session_settings.rb
-- lib/checks/check_sql.rb
+- lib/checks/check_default_routes.rb
+- lib/checks/check_render.rb
+- lib/checks/check_execute.rb
 - lib/checks/check_mass_assignment.rb
+- lib/checks/check_sql.rb
+- lib/checks/check_validation_regex.rb
 - lib/checks/check_cross_site_scripting.rb
+- lib/checks/check_redirect.rb
+- lib/checks/check_session_settings.rb
+- lib/checks/check_forgery_setting.rb
+- lib/checks/base_check.rb
 - lib/checks/check_model_attributes.rb
-- lib/checks/check_default_routes.rb
 - lib/checks/check_evaluation.rb
-- lib/checks/check_validation_regex.rb
-- lib/checks/check_execute.rb
-- lib/checks/base_check.rb
 - lib/checks/check_file_access.rb
-- lib/checks/check_redirect.rb
-- lib/checks/check_forgery_setting.rb
-- lib/checks/check_render.rb
-- lib/tracker.rb
-- lib/util.rb
-- lib/report.rb
+- lib/processor.rb
 - lib/scanner.rb
+- lib/tracker.rb
 - lib/checks.rb
-- lib/processor.rb
+- lib/warning.rb
 - lib/format/style.css
 has_rdoc: true
 homepage: http://github.com/presidentbeef/brakeman
@@ -183,7 +183,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.7
+rubygems_version: 1.4.1
 signing_key: 
 specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.