brakeman 1.0.0 → 1.1.pre

data/bin/brakeman

@@ -24,6 +24,10 @@ OptionParser.new do |opts|
     options[:parallel_checks] = false
   end
 
+  opts.on "--no-progress", "Do not show progress reports" do
+    options[:report_progress] = false
+  end
+
   opts.on "-p", "--path PATH", "Specify path to Rails application" do |path|
     options[:app_path] = File.expand_path path
   end
@@ -55,6 +59,15 @@ OptionParser.new do |opts|
     options[:escape_html] = true
   end
 
+  opts.on "--faster", "Faster, but less accurate scan" do
+    options[:ignore_ifs] = true
+    options[:skip_libs] = true
+  end
+
+  opts.on "--no-branching", "Disable flow sensitivity on conditionals" do
+    options[:ignore_ifs] = true
+  end
+
   opts.on "-r", "--report-direct", "Only report direct use of untrusted data" do |option|
     options[:check_arguments] = !option
   end

data/lib/brakeman.rb

@@ -48,6 +48,7 @@ module Brakeman
     options = set_options options
 
     if options[:quiet]
+      options[:report_progress] = false
       $VERBOSE = nil
     end
 
@@ -120,6 +121,7 @@ module Brakeman
       :message_limit => 100,
       :parallel_checks => true,
       :quiet => true,
+      :report_progress => true,
       :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css" 
     }
   end
@@ -206,7 +208,11 @@ module Brakeman
     warn "Processing application in #{options[:app_path]}"
     tracker = scanner.process
 
-    warn "Running checks..."
+    if options[:parallel_checks]
+      warn "Running checks in parallel..."
+    else
+      warn "Runnning checks..."
+    end
     tracker.run_checks
 
     if options[:output_file]

data/lib/brakeman/processors/alias_processor.rb

@@ -25,6 +25,9 @@ class Brakeman::AliasProcessor < SexpProcessor
     self.default_method = :process_default
     self.warn_on_default = false
     @env = SexpProcessor::Environment.new
+    @inside_if = false
+    @ignore_ifs = false
+    @tracker = nil #set in subclass as necessary
     set_env_defaults
   end
 
@@ -117,6 +120,20 @@ class Brakeman::AliasProcessor < SexpProcessor
         joined = join_strings target, args[1]
         joined.line(exp.line)
         exp = joined
+      elsif number? target and number? args[1]
+        exp = Sexp.new(:lit, target[1] + args[1][1])
+      end
+    when :-
+      if number? target and number? args[1]
+        exp = Sexp.new(:lit, target[1] - args[1][1])
+      end
+    when :*
+      if number? target and number? args[1]
+        exp = Sexp.new(:lit, target[1] * args[1][1])
+      end
+    when :/
+      if number? target and number? args[1]
+        exp = Sexp.new(:lit, target[1] / args[1][1])
       end
     when :[]
       if array? target
@@ -136,6 +153,19 @@ class Brakeman::AliasProcessor < SexpProcessor
       if hash? target and hash? args[1]
         return process_hash_merge(target, args[1])
       end
+    when :<<
+      if string? target and string? args[1]
+        target[1] << args[1][1]
+        env[target_var] = target
+        return target
+      elsif array? target
+        target << args[1]
+        env[target_var] = target
+        return target
+      else
+        target = find_push_target exp
+        env[target] = exp unless target.nil? #Happens in TemplateAliasProcessor
+      end
     end
 
     exp
@@ -183,8 +213,10 @@ class Brakeman::AliasProcessor < SexpProcessor
     exp[2] = process exp[2] if sexp? exp[2]
     local = Sexp.new(:lvar, exp[1]).line(exp.line || -2)
 
-    if @inside_if and env[local]
-      env[local] = Sexp.new(:or, env[local], exp[2]).line(exp.line || -2)
+    if @inside_if and val = env[local]
+      if val != exp[2] #avoid setting to value it already is (e.g. "1 or 1")
+        env[local] = Sexp.new(:or, val, exp[2]).line(exp.line || -2)
+      end
     else
       env[local] = exp[2]
     end
@@ -198,8 +230,10 @@ class Brakeman::AliasProcessor < SexpProcessor
     exp[2] = process exp[2]
     ivar = Sexp.new(:ivar, exp[1]).line(exp.line)
 
-    if @inside_if and env[ivar]
-      env[ivar] = Sexp.new(:or, env[ivar], exp[2]).line(exp.line)
+    if @inside_if and val = env[ivar]
+      if val != exp[2]
+        env[ivar] = Sexp.new(:or, val, exp[2]).line(exp.line)
+      end
     else
       env[ivar] = exp[2]
     end
@@ -213,8 +247,10 @@ class Brakeman::AliasProcessor < SexpProcessor
     match = Sexp.new(:gvar, exp[1])
     value = exp[2] = process(exp[2])
 
-    if @inside_if and env[match]
-      env[match] = Sexp.new(:or, env[match], value)
+    if @inside_if and val = env[match]
+      if val != value
+        env[match] = Sexp.new(:or, env[match], value)
+      end
     else
       env[match] = value
     end
@@ -228,8 +264,10 @@ class Brakeman::AliasProcessor < SexpProcessor
     match = Sexp.new(:cvar, exp[1])
     value = exp[2] = process(exp[2])
     
-    if @inside_if and env[match]
-      env[match] = Sexp.new(:or, env[match], value)
+    if @inside_if and val = env[match]
+      if val != value
+        env[match] = Sexp.new(:or, env[match], value)
+      end
     else
       env[match] = value
     end
@@ -259,8 +297,10 @@ class Brakeman::AliasProcessor < SexpProcessor
       #This is what we'll replace with the value
       match = Sexp.new(:call, target, method.to_s[0..-2].to_sym, Sexp.new(:arglist))
 
-      if @inside_if and env[match]
-        env[match] = Sexp.new(:or, env[match], value)
+      if @inside_if and val = env[match]
+        if val != value
+          env[match] = Sexp.new(:or, env[match], value)
+        end
       else
         env[match] = value
       end
@@ -349,8 +389,7 @@ class Brakeman::AliasProcessor < SexpProcessor
 
   #Sets @inside_if = true
   def process_if exp
-    was_inside = @inside_if
-    @inside_if = true
+    @ignore_ifs ||= @tracker && @tracker.options[:ignore_ifs]
 
     condition = process exp[1]
 
@@ -362,6 +401,9 @@ class Brakeman::AliasProcessor < SexpProcessor
       exps = exp[2..-1]
     end
     
+    was_inside = @inside_if
+    @inside_if = !@ignore_ifs
+
     exps.each do |e|
       process e if sexp? e
     end
@@ -436,4 +478,13 @@ class Brakeman::AliasProcessor < SexpProcessor
 
     exp
   end
+
+  #Finds the inner most call target which is not the target of a call to <<
+  def find_push_target exp
+    if call? exp and exp[2] == :<<
+      find_push_target exp[1]
+    else
+      exp
+    end
+  end
 end

data/lib/brakeman/processors/haml_template_processor.rb

@@ -31,7 +31,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
 
     if (sexp? target and target[2] == :_hamlout) or target == :_hamlout
       res = case method
-            when :adjust_tabs, :rstrip!
+            when :adjust_tabs, :rstrip!, :attributes #Check attributes, maybe?
               ignore
             when :options
               Sexp.new :call, :_hamlout, :options, exp[3]

data/lib/brakeman/processors/lib/render_helper.rb

@@ -59,7 +59,7 @@ module Brakeman::RenderHelper
     #Hash the environment and the source of the template to avoid
     #pointlessly processing templates, which can become prohibitively
     #expensive in terms of time and memory.
-    digest = Digest::SHA1.new.update(template_env.instance_variable_get(:@env).to_a.sort.to_s << template[:src].to_s).to_s.to_sym
+    digest = Digest::SHA1.new.update(template_env.instance_variable_get(:@env).to_a.sort.to_s << name).to_s.to_sym
 
     if @tracker.template_cache.include? digest
       #Already processed this template with identical environment

data/lib/brakeman/processors/library_processor.rb

@@ -92,7 +92,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
 
   def process_defn exp
     exp[0] = :methdef
-    exp[3] = @alias_processor.process_safely process(exp[3]), SexpProcessor::Environment.new
+    exp[3] = @alias_processor.process exp[3]
 
     if @current_class
       @current_class[:public][exp[1]] = exp[3]
@@ -105,7 +105,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
 
   def process_defs exp
     exp[0] = :selfdef
-    exp[4] = @alias_processor.process_safely process(exp[4]), SexpProcessor::Environment.new
+    exp[4] = @alias_processor.process exp[4]
 
     if @current_class
       @current_class[:public][exp[2]] = exp[4]

data/lib/brakeman/processors/template_alias_processor.rb

@@ -83,4 +83,16 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
 
     false
   end
+
+  def find_push_target exp
+    if sexp? exp
+      if exp.node_type == :lvar and (exp[1] == :_buf or exp[1] == :_erbout)
+        return nil
+      elsif exp.node_type == :ivar and exp[1] == :@output_buffer
+        return nil
+      end
+    end
+
+    super
+  end
 end

data/lib/brakeman/scanner.rb

@@ -32,6 +32,7 @@ class Brakeman::Scanner
   #Pass in path to the root of the Rails application
   def initialize options
     @options = options
+    @report_progress = options[:report_progress]
     @path = options[:app_path]
     @app_path = File.join(@path, "app")
     @processor = Brakeman::Processor.new options
@@ -58,15 +59,15 @@ class Brakeman::Scanner
     process_initializers
     warn "Processing libs..."
     process_libs
-    warn "Processing routes..."
+    warn "Processing routes...        "
     process_routes
-    warn "Processing templates..."
+    warn "Processing templates...     "
     process_templates
-    warn "Processing models..."
+    warn "Processing models...        "
     process_models
-    warn "Processing controllers..."
+    warn "Processing controllers...   "
     process_controllers
-    warn "Indexing call sites..."
+    warn "Indexing call sites...      "
     index_call_sites
     tracker
   end
@@ -76,18 +77,14 @@ class Brakeman::Scanner
   #Stores parsed information in tracker.config
   def process_config
     if options[:rails3]
-      @processor.process_config(parse_ruby(File.read("#@path/config/application.rb")))
-      @processor.process_config(parse_ruby(File.read("#@path/config/environments/production.rb")))
+      process_config_file "application.rb"
+      process_config_file "environments/production.rb"
     else
-      @processor.process_config(parse_ruby(File.read("#@path/config/environment.rb")))
-
-      if File.exists? "#@path/config/gems.rb"
-        @processor.process_config(parse_ruby(File.read("#@path/config/gems.rb")))
-      end
-
+      process_config_file "environment.rb"
+      process_config_file "gems.rb"
     end
 
-    if File.exists? "#@path/vendor/plugins/rails_xss" or 
+    if File.exists? "#@path/vendor/plugins/rails_xss" or
       options[:rails3] or options[:escape_html] or
       (File.exists? "#@path/Gemfile" and File.read("#@path/Gemfile").include? "rails_xss")
 
@@ -96,6 +93,18 @@ class Brakeman::Scanner
     end
   end
 
+  def process_config_file file
+    if File.exists? "#@path/config/#{file}"
+      @processor.process_config(parse_ruby(File.read("#@path/config/#{file}")))
+    end
+
+  rescue Exception => e
+    warn "[Notice] Error while processing config/#{file}"
+    tracker.error e.exception(e.message + "\nwhile processing Gemfile"), e.backtrace
+  end
+
+  private :process_config_file
+
   #Process Gemfile
   def process_gems
     if File.exists? "#@path/Gemfile"
@@ -105,6 +114,9 @@ class Brakeman::Scanner
         @processor.process_gems(parse_ruby(File.read("#@path/Gemfile")))
       end
     end
+  rescue Exception => e
+    warn "[Notice] Error while processing Gemfile."
+    tracker.error e.exception(e.message + "\nWhile processing Gemfile"), e.backtrace
   end
 
   #Process all the .rb files in config/initializers/
@@ -131,7 +143,17 @@ class Brakeman::Scanner
       return
     end
 
-    Dir.glob(@path + "/lib/**/*.rb").sort.each do |f|
+    lib_files = Dir.glob(@path + "/lib/**/*.rb").sort
+    total = lib_files.length
+    current = 0
+
+    lib_files.each do |f|
+      warn "Processing #{f}" if options[:debug]
+      if @report_progress
+        $stderr.print " #{current}/#{total} files processed\r"
+        current += 1
+      end
+
       begin
         @processor.process_lib parse_ruby(File.read(f)), f
       rescue Racc::ParseError => e
@@ -163,7 +185,17 @@ class Brakeman::Scanner
   #
   #Adds processed controllers to tracker.controllers
   def process_controllers
-    Dir.glob(@app_path + "/controllers/**/*.rb").sort.each do |f|
+    controller_files = Dir.glob(@app_path + "/controllers/**/*.rb").sort
+    total = controller_files.length * 2
+    current = 0
+
+    controller_files.each do |f|
+      warn "Processing #{f}" if options[:debug]
+      if @report_progress
+        $stderr.print " #{current}/#{total} files processed\r"
+        current += 1
+      end
+
       begin
         @processor.process_controller(parse_ruby(File.read(f)), f)
       rescue Racc::ParseError => e
@@ -173,7 +205,17 @@ class Brakeman::Scanner
       end
     end
 
+    current = 0
+    total = tracker.controllers.length
+
+    warn "Processing data flow in controllers..."
+
     tracker.controllers.each do |name, controller|
+      if @report_progress
+        $stderr.print " #{current}/#{total} controllers processed\r"
+        current += 1
+      end
+
       @processor.process_controller_alias controller[:src]
     end
   end
@@ -187,8 +229,15 @@ class Brakeman::Scanner
     $stdout.sync = true
     count = 0
 
-    Dir.glob(views_path).sort.each do |f|
-      count += 1
+    template_files = Dir.glob(views_path).sort
+    total = template_files.length
+
+    template_files.each do |f|
+      if @report_progress
+        $stderr.print " #{count}/#{total} files processed\r"
+        count += 1
+      end
+
       type = f.match(/.*\.(erb|haml|rhtml)$/)[1].to_sym
       type = :erb if type == :rhtml
       name = template_path_to_name f
@@ -231,7 +280,17 @@ class Brakeman::Scanner
       end
     end
 
+    total = tracker.templates.length
+    count = 0
+
+    warn "Processing data flow in templates..."
+
     tracker.templates.keys.dup.each do |name|
+      if @report_progress
+        count += 1
+        $stderr.print " #{count}/#{total} templates processed\r"
+      end
+
       @processor.process_template_alias tracker.templates[name]
     end
 
@@ -250,7 +309,17 @@ class Brakeman::Scanner
   #
   #Adds the processed models to tracker.models
   def process_models
-    Dir.glob(@app_path + "/models/*.rb").sort.each do |f|
+    model_files = Dir.glob(@app_path + "/models/*.rb").sort
+
+    total = model_files.length
+    current = 0
+
+    model_files.each do |f|
+      if @report_progress
+        $stderr.print " #{current}/#{total} files processed\r"
+        current += 1
+      end
+
       begin
         @processor.process_model(parse_ruby(File.read(f)), f)
       rescue Racc::ParseError => e
@@ -294,7 +363,7 @@ class Brakeman::RailsXSSErubis < ::Erubis::Eruby
         lines[0..-2].each do |line|
           src << "@output_buffer << ('" << escape_text(line) << "'.html_safe!);\n"
         end
-      
+
         src << "@output_buffer << ('" << escape_text(lines.last) << "'.html_safe!);"
       end
     else

data/lib/brakeman/util.rb

@@ -125,6 +125,11 @@ module Brakeman::Util
     exp.is_a? Sexp and exp.node_type == :lit and exp[1].is_a? Integer
   end
 
+  #Check if _exp_ represents a number: s(:lit, ...)
+  def number? exp
+    exp.is_a? Sexp and exp.node_type == :lit and exp[1].is_a? Numeric
+  end
+
   #Check if _exp_ represents a result: s(:result, ...)
   def result? exp
     exp.is_a? Sexp and exp.node_type == :result
@@ -182,13 +187,3 @@ module Brakeman::Util
     exp.is_a? Sexp
   end
 end
-
-class Sexp
-  def original_line line = nil
-    if line
-      @original_line = line
-    else
-      @original_line
-    end
-  end
-end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.0.0"
+  Version = "1.1.pre"
 end

data/lib/ruby_parser/ruby_parser_extras.rb

@@ -1052,7 +1052,7 @@ class Symbol
 end
 
 class Sexp
-  attr_writer :paren
+  attr_reader :paren
 
   def paren
     @paren ||= false
@@ -1069,6 +1069,94 @@ class Sexp
 
   alias :node_type :sexp_type
   alias :values :sexp_body # TODO: retire
+
+  alias :old_init :initialize
+  alias :old_push :<<
+  alias :old_line :line
+  alias :old_line_set :line=
+  alias :old_file_set :file=
+  alias :old_comments_set :comments=
+  alias :old_compact :compact
+  alias :old_fara :find_and_replace_all
+  alias :old_find_node :find_node
+
+  def initialize *args
+    old_init *args
+    @original_line = nil
+    @my_hash_value = nil
+  end
+
+  def original_line line = nil
+    if line
+      @my_hash_value = nil
+      @original_line = line
+    else
+      @original_line
+    end
+  end
+
+  def hash
+    #There still seems to be some instances in which the hash of the
+    #Sexp changes, but I have not found what method call is doing it.
+    #Of course, Sexp is subclasses from Array, so who knows what might
+    #be going on.
+    @my_hash_value ||= super
+  end
+
+  def line *args
+    @my_hash_value = nil
+    old_line *args
+  end
+
+  def line= *args
+    @my_hash_value = nil
+    old_line_set *args
+  end
+
+  def file= *args
+    @my_hash_value = nil
+    old_file_set *args
+  end
+
+  def compact
+    @my_hash_value = nil
+    old_compact
+  end
+
+  def find_and_replace_all *args
+    @my_hash_value = nil
+    old_fara *args
+  end
+
+  def find_node *args
+    @my_hash_value = nil
+    old_find_node *args
+  end
+
+  def paren= arg
+    @my_hash_value = nil
+    @paren = arg
+  end
+
+  def comments= *args
+    @my_hash_value = nil
+    old_comments_set *args
+  end
+end
+
+#Invalidate hash cache if the Sexp changes
+[:[]=, :clear, :collect!, :compact!, :concat, :delete, :delete_at,
+  :delete_if, :drop, :drop_while, :fill, :flatten!, :replace, :insert,
+  :keep_if, :map!, :pop, :push, :reject!, :replace, :reverse!, :rotate!,
+  :select!, :shift, :shuffle!, :slice!, :sort!, :sort_by!, :transpose, 
+  :uniq!, :unshift].each do |method|
+
+  Sexp.class_eval <<-RUBY
+    def #{method} *args
+      @my_hash_value = nil
+      super
+    end
+    RUBY
 end
 
 # END HACK

metadata

@@ -1,12 +1,12 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  prerelease: false
+  prerelease: true
   segments: 
   - 1
-  - 0
-  - 0
-  version: 1.0.0
+  - 1
+  - pre
+  version: 1.1.pre
 platform: ruby
 authors: 
 - Justin Collins
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-12-08 00:00:00 -08:00
+date: 2011-12-21 00:00:00 -08:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -23,18 +23,30 @@ dependencies:
   requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version 
         segments: 
-        - 2
-        - 2
-        version: "2.2"
+        - 0
+        version: "0"
   type: :runtime
   version_requirements: *id001
 - !ruby/object:Gem::Dependency 
-  name: ruby2ruby
+  name: i18n
   prerelease: false
   requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: ruby2ruby
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -42,14 +54,13 @@ dependencies:
         segments: 
         - 1
         - 2
-        - 4
-        version: 1.2.4
+        version: "1.2"
   type: :runtime
-  version_requirements: *id002
+  version_requirements: *id003
 - !ruby/object:Gem::Dependency 
   name: ruport
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
+  requirement: &id004 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -57,14 +68,13 @@ dependencies:
         segments: 
         - 1
         - 6
-        - 3
-        version: 1.6.3
+        version: "1.6"
   type: :runtime
-  version_requirements: *id003
+  version_requirements: *id004
 - !ruby/object:Gem::Dependency 
   name: erubis
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
+  requirement: &id005 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -72,14 +82,13 @@ dependencies:
         segments: 
         - 2
         - 6
-        - 5
-        version: 2.6.5
+        version: "2.6"
   type: :runtime
-  version_requirements: *id004
+  version_requirements: *id005
 - !ruby/object:Gem::Dependency 
   name: haml
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
+  requirement: &id006 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
@@ -87,10 +96,23 @@ dependencies:
         segments: 
         - 3
         - 0
-        - 12
-        version: 3.0.12
+        version: "3.0"
   type: :runtime
-  version_requirements: *id005
+  version_requirements: *id006
+- !ruby/object:Gem::Dependency 
+  name: sass
+  prerelease: false
+  requirement: &id007 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 3
+        - 0
+        version: "3.0"
+  type: :runtime
+  version_requirements: *id007
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
 email: 
 executables: 
@@ -190,11 +212,13 @@ required_ruby_version: !ruby/object:Gem::Requirement
 required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
   requirements: 
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version 
       segments: 
-      - 0
-      version: "0"
+      - 1
+      - 3
+      - 1
+      version: 1.3.1
 requirements: []
 
 rubyforge_project: