brakeman 1.1.0 → 1.2.0

data/lib/brakeman/checks/check_execute.rb

@@ -60,29 +60,18 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
   #
   # `rm -rf #{params[:file]}`
   def check_for_backticks tracker
-    tracker.each_method do |exp, set_name, method_name|
-      @current_set = set_name
-      @current_method = method_name
-
-      process exp
-    end 
-
-    @current_set = nil
-
-    tracker.each_template do |name, template|
-      @current_template = template
-
-      process template[:src]
+    tracker.find_call(:target => nil, :method => :`).each do |result|
+      process_backticks result
     end
-
-    @current_template = nil
   end
 
   #Processes backticks.
-  def process_dxstr exp
-    return exp if duplicate? exp 
+  def process_backticks result
+    return if duplicate? result
+
+    add_result result
 
-    add_result exp
+    exp = result[:call]
 
     if include_user_input? exp
       confidence = CONFIDENCE[:high]
@@ -96,15 +85,13 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       :code => exp,
       :confidence => confidence }
 
-    if @current_template
-      warning[:template] = @current_template
+    if result[:location][0] == :template
+      warning[:template] = result[:location][1]
     else
-      warning[:class] = @current_set
-      warning[:method] = @current_method
+      warning[:class] = result[:location][1]
+      warning[:method] = result[:location][2]
     end
 
     warn warning
-
-    exp
   end
 end

data/lib/brakeman/checks/check_render.rb

@@ -5,24 +5,15 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
   def run_check
-    debug_info "Checking all method bodies for calls to render()"
-    tracker.each_method do |src, class_name, method_name|
-      @current_class = class_name
-      @current_method = method_name
-      process src
-    end
-
-    debug_info "Checking all templates for calls to render()"
-    tracker.each_template do |name, template|
-      @current_template = template
-      process template[:src]
+    tracker.find_call(:target => nil, :method => :render).each do |result|
+      process_render result
     end
   end
 
-  def process_render exp
-    case exp[1]
+  def process_render result
+    case result[:call][1]
     when :partial, :template, :action, :file
-      check_for_dynamic_path exp
+      check_for_dynamic_path result
     when :inline
     when :js
     when :json
@@ -30,16 +21,15 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
     when :update
     when :xml
     end
-    exp
   end
 
   #Check if path to action or file is determined dynamically
-  def check_for_dynamic_path exp
-    view = exp[2]
+  def check_for_dynamic_path result
+    view = result[:call][2]
 
-    if sexp? view and view.node_type != :str and view.node_type != :lit and not duplicate? exp
+    if sexp? view and view.node_type != :str and view.node_type != :lit and not duplicate? result
 
-      add_result exp
+      add_result result
 
       if include_user_input? view
         confidence = CONFIDENCE[:high]
@@ -49,16 +39,15 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
 
       warning = { :warning_type => "Dynamic Render Path",
         :message => "Render path is dynamic",
-        :line => exp.line,
-        :code => exp,
+        :line => result[:call].line,
+        :code => result[:call],
         :confidence => confidence }
 
-
-      if @current_template
-        warning[:template] = @current_template
+      if result[:location][0] == :template
+        warning[:template] = result[:location][1]
       else
-        warning[:class] = @current_class
-        warning[:method] = @current_method
+        warning[:class] = result[:location][1]
+        warning[:method] = result[:location][2]
       end
 
       warn warning

data/lib/brakeman/checks/check_sql.rb

@@ -31,17 +31,47 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     debug_info "Finding possible SQL calls using constantized()"
     calls.concat tracker.find_call(:method => /^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql)$/).select { |result| constantize_call? result }
 
+    debug_info "Finding calls to named_scope or scope"
+    calls.concat find_scope_calls
+
     debug_info "Processing possible SQL calls"
     calls.each do |c|
       process_result c
     end
   end
 
+  #Find calls to named_scope() or scope() in models
+  def find_scope_calls
+    scope_calls = []
+
+    if version_between? "2.1.0", "3.0.9"
+      tracker.models.each do |name, model|
+        if model[:options][:named_scope]
+          model[:options][:named_scope].each do |args|
+            call = Sexp.new(:call, nil, :named_scope, args).line(args.line)
+            scope_calls << { :call => call, :location => [:class, name ] }
+          end
+        end
+       end
+    elsif version_between? "3.1.0", "3.9.9"
+      tracker.models.each do |name, model|
+        if model[:options][:scope]
+          model[:options][:scope].each do |args|
+            call = Sexp.new(:call, nil, :scope, args).line(args.line)
+            scope_calls << { :call => call, :location => [:class, name ] }
+          end
+        end
+      end
+    end
+
+    scope_calls
+  end
+
   #Process result from Tracker#find_call.
   def process_result result
     call = result[:call]
 
-    args = process call[3]
+    args = call[3]
 
     if call[2] == :find_by_sql or call[2] == :count_by_sql
       failed = check_arguments args[1]
@@ -94,8 +124,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         end
       when :array
         return check_arguments(arg[1])
-      when :string_interp
-        return true
+      when :string_interp, :dstr
+        return true if check_string_interp arg
       when :call
         return check_call(arg)
       else
@@ -108,11 +138,24 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     false
   end
 
+  def check_string_interp arg
+    arg.each do |exp|
+      #For now, don't warn on interpolation of Model.table_name
+      #but check for other 'safe' things in the future
+      if sexp? exp and (exp.node_type == :string_eval or exp.node_type == :evstr)
+        if call? exp[1] and (model_name?(exp[1][1]) or exp[1][1].nil?) and exp[1][2] == :table_name
+          return false
+        end
+      end
+    end
+  end
+
   #Check call for user input and string building
   def check_call exp
     target = exp[1]
     method = exp[2]
     args = exp[3]
+
     if sexp? target and 
       (method == :+ or method == :<< or method == :concat) and 
       (string? target or include_user_input? exp)
@@ -120,6 +163,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       true
     elsif call? target
       check_call target
+    elsif target == nil and tracker.options[:rails3] and method.to_s.match /^first|last|all|where|order|group|having$/
+      check_arguments args
     else
       false
     end

data/lib/brakeman/options.rb

@@ -0,0 +1,204 @@
+require 'optparse'
+require 'set'
+
+#Parses command line arguments for Brakeman
+module Brakeman::Options
+
+  class << self
+
+    #Parse argument array
+    def parse args
+      get_options args
+    end
+
+    #Parse arguments and remove them from the array as they are matched
+    def parse! args
+      get_options args, true
+    end
+
+    #Return hash of options and the parser
+    def get_options args, destructive = false
+      options = {}
+
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: brakeman [options] rails/root/path"
+
+        opts.on "-n", "--no-threads", "Run checks sequentially" do
+          options[:parallel_checks] = false
+        end
+
+        opts.on "--[no-]progress", "Show progress reports" do |progress|
+          options[:report_progress] = progress
+        end
+
+        opts.on "-p", "--path PATH", "Specify path to Rails application" do |path|
+          options[:app_path] = File.expand_path path
+        end
+
+        opts.on "-q", "--[no-]quiet", "Suppress informational messages" do |quiet|
+          options[:quiet] = quiet
+        end
+
+        opts.on( "-z", "--exit-on-warn", "Exit code is non-zero if warnings found") do
+          options[:exit_on_warn] = true
+        end
+
+        opts.on "-3", "--rails3", "Force Rails 3 mode" do
+          options[:rails3] = true
+        end
+
+        opts.separator ""
+        opts.separator "Scanning options:"
+
+        opts.on "-a", "--assume-routes", "Assume all controller methods are actions" do
+          options[:assume_all_routes] = true
+        end
+
+        opts.on "--ignore-model-output", "Consider model attributes XSS-safe" do
+          options[:ignore_model_output] = true
+        end
+
+        opts.on "-e", "--escape-html", "Escape HTML by default" do
+          options[:escape_html] = true
+        end
+
+        opts.on "--faster", "Faster, but less accurate scan" do
+          options[:ignore_ifs] = true
+          options[:skip_libs] = true
+        end
+
+        opts.on "--no-branching", "Disable flow sensitivity on conditionals" do
+          options[:ignore_ifs] = true
+        end
+
+        opts.on "-r", "--report-direct", "Only report direct use of untrusted data" do |option|
+          options[:check_arguments] = !option
+        end
+
+        opts.on "-s", "--safe-methods meth1,meth2,etc", Array, "Consider the specified methods safe" do |methods|
+          options[:safe_methods] ||= Set.new
+          options[:safe_methods].merge methods.map {|e| e.to_sym }
+        end
+
+        opts.on "--skip-libs", "Skip processing lib directory" do
+          options[:skip_libs] = true
+        end
+
+        opts.on "-t", "--test Check1,Check2,etc", Array, "Only run the specified checks" do |checks|
+          checks.each_with_index do |s, index|
+            if s[0,5] != "Check"
+              checks[index] = "Check" << s
+            end
+          end
+
+          options[:run_checks] ||= Set.new
+          options[:run_checks].merge checks
+        end
+
+        opts.on "-x", "--except Check1,Check2,etc", Array, "Skip the specified checks" do |skip|
+          skip.each do |s|
+            if s[0,5] != "Check"
+              s = "Check" << s
+            end
+
+            options[:skip_checks] ||= Set.new
+            options[:skip_checks] << s
+          end
+        end
+
+        opts.separator ""
+        opts.separator "Output options:"
+
+        opts.on "-d", "--debug", "Lots of output" do
+          options[:debug] = true 
+        end
+
+        opts.on "-f", 
+          "--format TYPE", 
+          [:pdf, :text, :html, :csv, :tabs], 
+          "Specify output format. Default is text" do |type|
+
+          type = "s" if type == :text
+          options[:output_format] = ("to_" << type.to_s).to_sym
+          end
+
+        opts.on "--css-file CSSFile", "Specify CSS to use for HTML output" do |file|
+          options[:html_style] = File.expand_path file
+        end
+
+        opts.on "-l", "--[no-]combine-locations", "Combine warning locations (Default)" do |combine|
+          options[:combine_locations] = combine
+        end
+
+        opts.on "-m", "--routes", "Report controller information" do
+          options[:report_routes] = true
+        end
+
+        opts.on "--message-limit LENGTH", "Limit message length in HTML report" do |limit|
+          options[:message_limit] = limit.to_i
+        end
+
+        opts.on "-o", "--output FILE", "Specify file for output. Defaults to stdout" do |file|
+          options[:output_file] = file
+        end
+
+        opts.on "--separate-models", "Warn on each model without attr_accessible" do
+          options[:collapse_mass_assignment] = false
+        end
+
+        opts.on "--summary", "Only output summary of warnings" do
+          options[:summary_only] = true
+        end
+
+        opts.on "-w", 
+          "--confidence-level LEVEL", 
+          ["1", "2", "3"], 
+          "Set minimal confidence level (1 - 3)" do |level|
+
+          options[:min_confidence] =  3 - level.to_i
+        end
+
+        opts.separator ""
+        opts.separator "Configuration files:"
+
+        opts.on "-c", "--config-file FILE", "Use specified configuration file" do |file|
+          options[:config_file] = File.expand_path(file)
+        end
+
+        opts.on "-C", "--create-config [FILE]", "Output configuration file based on options" do |file|
+          if file
+            options[:create_config] = file
+          else
+            options[:create_config] = true
+          end
+        end
+
+        opts.separator ""
+
+        opts.on "-k", "--checks", "List all available vulnerability checks" do
+          options[:list_checks] = true
+        end
+
+        opts.on "--rake", "Create rake task to run Brakeman" do
+          options[:install_rake_task] = true
+        end
+
+        opts.on "-v", "--version", "Show Brakeman version" do
+          options[:show_version] = true
+        end
+
+        opts.on_tail "-h", "--help", "Display this message" do
+          options[:show_help] = true
+        end
+      end
+
+      if destructive
+        parser.parse! args
+      else
+        parser.parse args
+      end
+
+      return options, parser
+    end
+  end
+end

data/lib/brakeman/processor.rb

@@ -40,8 +40,8 @@ module Brakeman
 
     #Process variable aliasing in controller source and save it in the
     #tracker.
-    def process_controller_alias src
-      ControllerAliasProcessor.new(@tracker).process src
+    def process_controller_alias src, only_method = nil
+      ControllerAliasProcessor.new(@tracker, only_method).process src
     end
 
     #Process a model source

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -6,8 +6,12 @@ require 'brakeman/processors/lib/render_helper'
 class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   include Brakeman::RenderHelper
 
-  def initialize tracker
+  #If only_method is specified, only that method will be processed,
+  #other methods will be skipped.
+  #This is for rescanning just a single action.
+  def initialize tracker, only_method = nil
     super()
+    @only_method = only_method
     @tracker = tracker
     @rendered = false
     @current_class = @current_module = @current_method = nil
@@ -26,6 +30,10 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
   #Processes a method definition, which may include
   #processing any rendered templates.
   def process_methdef exp
+    #Skip if instructed to only process a specific method
+    #(but don't skip if this method was called from elsewhere)
+    return exp if @current_method.nil? and @only_method and @only_method != exp[1]
+
     is_route = route? exp[1]
     other_method = @current_method
     @current_method = exp[1]