brakeman 0.7.2 → 0.8.0

data/README.md

@@ -6,6 +6,10 @@ It targets Rails versions > 2.0 with experimental support for Rails 3.x
 
 There is also a [plugin available](https://github.com/presidentbeef/brakeman-jenkins-plugin) for Jenkins/Hudson.
 
+# Homepage
+
+http://brakemanscanner.org/
+
 # Installation
 
 Using RubyGems:

data/bin/brakeman

@@ -1,25 +1,17 @@
 #!/usr/bin/env ruby
-require "optparse"
+require 'optparse'
 require 'set'
-require 'yaml'
 
 $:.unshift "#{File.expand_path(File.dirname(__FILE__))}/../lib"
 
 require 'version'
+require 'brakeman'
 
 trap("INT") do
   $stderr.puts "\nInterrupted - exiting."
   exit!
 end
 
-def list_checks
-  require 'scanner'
-  $stderr.puts "Available Checks:"
-  $stderr.puts "-" * 30
-  $stderr.puts Checks.checks.map { |c| c.to_s }.sort.join "\n"
-  exit
-end
-
 #Parse command line options
 options = {}
 
@@ -148,147 +140,4 @@ OptionParser.new do |opts|
   end
 end.parse!(ARGV)
 
-#Load configuation file
-[File.expand_path(options[:config_file].to_s),
-  File.expand_path("./config.yaml"),
-  File.expand_path("~/.brakeman/config.yaml"),
-  File.expand_path("/etc/brakeman/config.yaml"),
-  "#{File.expand_path(File.dirname(__FILE__))}/../lib/config.yaml"].each do |f|
-
-  if File.exist? f and not File.directory? f
-    warn "[Notice] Using configuration in #{f}" unless options[:quiet]
-    OPTIONS = YAML.load_file f
-    OPTIONS.merge! options
-    OPTIONS.each do |k,v|
-      if v.is_a? Array
-        OPTIONS[k] = Set.new v
-      end
-    end
-    break
-  end
-end
-  
-OPTIONS = options unless defined? OPTIONS
-
-#List available checks and exits
-list_checks if OPTIONS[:list_checks]
-
-#Set defaults just in case
-{ :skip_checks => Set.new, 
-  :check_arguments => true, 
-  :safe_methods => Set.new,
-  :min_confidence => 2,
-  :combine_locations => true,
-  :collapse_mass_assignment => true,
-  :ignore_redirect_to_model => true,
-  :ignore_model_output => false,
-  :message_limit => 100,
-  :html_style => "#{File.expand_path(File.dirname(__FILE__))}/../lib/format/style.css" 
-}.each do |k,v|
-  OPTIONS[k] = v if OPTIONS[k].nil?
-end
-
-
-#Set output format
-if OPTIONS[:output_format]
-  case OPTIONS[:output_format]
-  when :html, :to_html
-    OPTIONS[:output_format] = :to_html
-  when :csv, :to_csv
-    OPTIONS[:output_format] = :to_csv
-  when :pdf, :to_pdf
-    OPTIONS[:output_format] = :to_pdf
-  when :tabs, :to_tabs
-    OPTIONS[:output_format] = :to_tabs
-  else
-    OPTIONS[:output_format] = :to_s
-  end
-else
-  case OPTIONS[:output_file]
-  when /\.html$/i
-    OPTIONS[:output_format] = :to_html
-  when /\.csv$/i
-    OPTIONS[:output_format] = :to_csv
-  when /\.pdf$/i
-    OPTIONS[:output_format] = :to_pdf
-  when /\.tabs$/i
-    OPTIONS[:output_format] = :to_tabs
-  else
-    OPTIONS[:output_format] = :to_s
-  end
-end
-
-#Output configuration if requested
-if OPTIONS[:create_config]
-
-  if OPTIONS[:create_config].is_a? String
-    file = OPTIONS[:create_config]
-  else
-    file = nil
-  end
-
-  OPTIONS.delete :create_config
-
-  OPTIONS.each do |k,v|
-    if v.is_a? Set
-      OPTIONS[k] = v.to_a
-    end
-  end
-
-  if file
-    File.open file, "w" do |f|
-      YAML.dump OPTIONS, f
-    end
-    puts "Output configuration to #{file}"
-  else
-    puts YAML.dump(OPTIONS)
-  end
-  exit
-end
-
-
-#Check application path
-unless OPTIONS[:app_path]
-  if ARGV[-1].nil?
-    OPTIONS[:app_path] = File.expand_path "."
-  else
-    OPTIONS[:app_path] = File.expand_path ARGV[-1]
-  end
-end
-
-app_path = OPTIONS[:app_path]
-
-abort("Please supply the path to a Rails application.") unless app_path and File.exist? app_path + "/app"
-
-warn "[Notice] Using Ruby #{RUBY_VERSION}. Please make sure this matches the one used to run your Rails application."
-
-if File.exist? app_path + "/script/rails"
-  OPTIONS[:rails3] = true
-  warn "[Notice] Detected Rails 3 application. Enabling experimental Rails 3 support." 
-end
-
-#Load scanner
-begin
-  require 'scanner'
-rescue LoadError
-  abort "Cannot find lib/ directory."
-end
-
-#Start scanning
-scanner = Scanner.new app_path
-
-warn "Processing application in #{app_path}"
-tracker = scanner.process
-
-warn "Running checks..."
-tracker.run_checks
-
-warn "Generating report..."
-if OPTIONS[:output_file]
-  File.open OPTIONS[:output_file], "w" do |f|
-    f.puts tracker.report.send(OPTIONS[:output_format])
-  end
-  warn "Report saved in '#{OPTIONS[:output_file]}'"
-else
-  puts tracker.report.send(OPTIONS[:output_format])
-end
+Brakeman.run options

data/lib/brakeman.rb

@@ -0,0 +1,186 @@
+require 'yaml'
+
+OPTIONS = {}
+
+module Brakeman
+  def self.run options
+    if options[:list_checks]
+      list_checks
+      exit
+    end
+
+    if options[:create_config]
+      dump_config options
+      exit
+    end
+
+    scan set_options(options)
+  end
+
+  private
+
+  def self.set_options options
+    options = load_options(options[:config_file]).merge! options
+    options = get_defaults.merge! options
+    options[:output_format] = get_output_format options
+
+    #Check application path
+    unless options[:app_path]
+      if ARGV[-1].nil?
+        options[:app_path] = File.expand_path "."
+      else
+        options[:app_path] = File.expand_path ARGV[-1]
+      end
+    end
+
+    app_path = options[:app_path]
+
+    abort("Please supply the path to a Rails application.") unless app_path and File.exist? app_path + "/app"
+
+    if File.exist? app_path + "/script/rails"
+      options[:rails3] = true
+      warn "[Notice] Detected Rails 3 application. Enabling experimental Rails 3 support." 
+    end
+
+    options
+  end
+
+  def self.load_options config_file
+    config_file ||= ""
+
+    #Load configuation file
+    [File.expand_path(config_file),
+      File.expand_path("./config.yaml"),
+      File.expand_path("~/.brakeman/config.yaml"),
+      File.expand_path("/etc/brakeman/config.yaml"),
+      "#{File.expand_path(File.dirname(__FILE__))}/../lib/config.yaml"].each do |f|
+
+      if File.exist? f and not File.directory? f
+        warn "[Notice] Using configuration in #{f}" unless options[:quiet]
+        options = YAML.load_file f
+        options.each do |k,v|
+          if v.is_a? Array
+            options[k] = Set.new v
+          end
+        end
+
+        return options
+      end
+      end
+
+    return {}
+  end
+
+  def self.get_defaults
+    { :skip_checks => Set.new, 
+      :check_arguments => true, 
+      :safe_methods => Set.new,
+      :min_confidence => 2,
+      :combine_locations => true,
+      :collapse_mass_assignment => true,
+      :ignore_redirect_to_model => true,
+      :ignore_model_output => false,
+      :message_limit => 100,
+      :html_style => "#{File.expand_path(File.dirname(__FILE__))}/../lib/format/style.css" 
+    }
+  end
+
+  def self.get_output_format options
+    #Set output format
+    if options[:output_format]
+      case options[:output_format]
+      when :html, :to_html
+        :to_html
+      when :csv, :to_csv
+        :to_csv
+      when :pdf, :to_pdf
+        :to_pdf
+      when :tabs, :to_tabs
+        :to_tabs
+      else
+        :to_s
+      end
+    else
+      case options[:output_file]
+      when /\.html$/i
+        :to_html
+      when /\.csv$/i
+        :to_csv
+      when /\.pdf$/i
+        :to_pdf
+      when /\.tabs$/i
+        :to_tabs
+      else
+        :to_s
+      end
+    end
+  end
+
+  def self.list_checks
+    require 'scanner'
+    $stderr.puts "Available Checks:"
+    $stderr.puts "-" * 30
+    $stderr.puts Checks.checks.map { |c| c.to_s }.sort.join "\n"
+  end
+
+  def self.dump_config options
+    if options[:create_config].is_a? String
+      file = options[:create_config]
+    else
+      file = nil
+    end
+
+    options.delete :create_config
+
+    options.each do |k,v|
+      if v.is_a? Set
+        options[k] = v.to_a
+      end
+    end
+
+    if file
+      File.open file, "w" do |f|
+        YAML.dump options, f
+      end
+      puts "Output configuration to #{file}"
+    else
+      puts YAML.dump(options)
+    end
+    exit
+  end
+
+  def self.scan options
+    OPTIONS.clear
+    OPTIONS.merge! options
+
+    #Load scanner
+    warn "Loading scanner..."
+
+    begin
+      require 'scanner'
+    rescue LoadError
+      abort "Cannot find lib/ directory."
+    end
+
+    #Start scanning
+    scanner = Scanner.new options[:app_path]
+
+    warn "[Notice] Using Ruby #{RUBY_VERSION}. Please make sure this matches the one used to run your Rails application."
+
+    warn "Processing application in #{options[:app_path]}"
+    tracker = scanner.process
+
+    warn "Running checks..."
+    tracker.run_checks
+
+    warn "Generating report..."
+    if OPTIONS[:output_file]
+      File.open OPTIONS[:output_file], "w" do |f|
+        f.puts tracker.report.send(OPTIONS[:output_format])
+      end
+      warn "Report saved in '#{OPTIONS[:output_file]}'"
+    else
+      puts tracker.report.send(OPTIONS[:output_format])
+    end
+  end
+end

data/lib/checks/check_basic_auth.rb

@@ -0,0 +1,47 @@
+require 'checks/base_check'
+
+#Checks if password is stored in controller
+#when using http_basic_authenticate_with
+#
+#Only for Rails >= 3.1
+class CheckBasicAuth < BaseCheck
+  Checks.add self
+
+  def run_check
+    return if version_between? "0.0.0", "3.0.99"
+
+    controllers = tracker.controllers.select do |name, c|
+      c[:options][:http_basic_authenticate_with]
+    end
+
+    Hash[controllers].each do |name, controller|
+      controller[:options][:http_basic_authenticate_with].each do |call|
+
+        if pass = get_password(call) and string? pass
+          warn :controller => name,
+              :warning_type => "Basic Auth", 
+              :message => "Basic authentication password stored in source code",
+              :line => call.line,
+              :code => call, 
+              :confidence => 0
+
+          break
+        end
+      end
+    end
+  end
+
+  def get_password call
+    args = call[3][1]
+
+    return false if args.nil? or not hash? args
+
+    hash_iterate(args) do |k, v|
+      if symbol? k and k[1] == :password
+        return v
+      end
+    end
+
+    nil
+  end
+end

data/lib/checks/check_cross_site_scripting.rb

@@ -28,7 +28,7 @@ class CheckCrossSiteScripting < BaseCheck
   IGNORE_MODEL_METHODS = Set.new([:average, :count, :maximum, :minimum, :sum])
 
   #Methods known to not escape their input
-  KNOWN_DANGEROUS = Set.new([:auto_link, :truncate, :concat])
+  KNOWN_DANGEROUS = Set.new([:truncate, :concat])
 
   MODEL_METHODS = Set.new([:all, :find, :first, :last, :new])
 
@@ -52,6 +52,12 @@ class CheckCrossSiteScripting < BaseCheck
 
     CheckLinkTo.new(checks, tracker).run_check
 
+    if version_between? "2.0.0", "3.0.5"
+      KNOWN_DANGEROUS << :auto_link
+    elsif version_between? "3.0.6", "3.0.99"
+      IGNORE_METHODS << :auto_link
+    end
+
     tracker.each_template do |name, template|
       @current_template = template
 

data/lib/checks/check_mass_assignment.rb

@@ -42,7 +42,7 @@ class CheckMassAssignment < BaseCheck
     if check and not @results.include? call
       @results << call
 
-      if include_user_input? call[3]
+      if include_user_input? call[3] and not hash? call[3][1]
         confidence = CONFIDENCE[:high]
       else
         confidence = CONFIDENCE[:med]
@@ -55,6 +55,7 @@ class CheckMassAssignment < BaseCheck
         :code => call, 
         :confidence => confidence
     end
+
     res
   end
 
@@ -63,8 +64,7 @@ class CheckMassAssignment < BaseCheck
     args = process call[3]
     if args.length <= 1 #empty new()
       false
-    elsif hash? args[1]
-      #Still should probably check contents of hash
+    elsif hash? args[1] and not include_user_input? args[1]
       false
     else
       true