brakeman 1.1.0 → 1.2.0

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -65,6 +65,42 @@ class Brakeman::FindAllCalls < Brakeman::BaseProcessor
     exp
   end
 
+  #Calls to render() are converted to s(:render, ...) but we would
+  #like them in the call cache still for speed
+  def process_render exp
+    process exp[-1] if sexp? exp[-1]
+
+    call = { :target => nil, :method => :render, :call => exp, :nested => false }
+
+    if @current_template
+      call[:location] = [:template, @current_template]
+    else
+      call[:location] = [:class, @current_class, @current_method]
+    end
+
+    @calls << call
+
+    exp
+  end
+
+  #Technically, `` is call to Kernel#`
+  #But we just need them in the call cache for speed
+  def process_dxstr exp
+    process exp[-1] if sexp? exp[-1]
+
+    call = { :target => nil, :method => :`, :call => exp, :nested => false }
+
+    if @current_template
+      call[:location] = [:template, @current_template]
+    else
+      call[:location] = [:class, @current_class, @current_method]
+    end
+
+    @calls << call
+
+    exp
+  end
+
   #Process an assignment like a call
   def process_attrasgn exp
     process_call exp

data/lib/brakeman/processors/lib/rails3_route_processor.rb

@@ -153,6 +153,7 @@ class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
 
           self.current_controller = controller
           @tracker.routes[@current_controller] << action.to_sym
+          break
         end
       end
     end

data/lib/brakeman/processors/model_processor.rb

@@ -73,7 +73,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
         else
           if @model
             @model[:options][method] ||= []
-            @model[:options][method] << process(args)
+            @model[:options][method] << args
           end
         end
       end

data/lib/brakeman/report.rb

@@ -36,7 +36,7 @@ class Brakeman::Report
   end
 
   #Generate summary table of what was parsed
-  def generate_overview
+  def generate_overview html = false
     templates = Set.new(@tracker.templates.map {|k,v| v[:name].to_s[/[^.]+/]}).length
     warnings = checks.warnings.length +
                 checks.controller_warnings.length +
@@ -49,7 +49,7 @@ class Brakeman::Report
     unless tracker.options[:output_format] == :to_csv
       summary = warnings_summary
 
-      if tracker.options[:output_format] == :to_html
+      if html
         warnings = "#{warnings} <span class='high-confidence'>(#{summary[:high_confidence]})</span>"
       else
         warnings = "#{warnings} (#{summary[:high_confidence]})"
@@ -77,7 +77,7 @@ class Brakeman::Report
   end
 
   #Generate table of errors or return nil if no errors
-  def generate_errors
+  def generate_errors html = false
     unless tracker.errors.empty?
       table = Ruport::Data::Table(["Error", "Location"])
       
@@ -85,7 +85,7 @@ class Brakeman::Report
       tracker.errors.each do |w|
         p w if tracker.options[:debug]
 
-        if tracker.options[:output_format] == :to_html
+        if html
           w[:error] = CGI.escapeHTML w[:error]
         end
 
@@ -99,13 +99,13 @@ class Brakeman::Report
   end
 
   #Generate table of general security warnings
-  def generate_warnings
+  def generate_warnings html = false
     table = Ruport::Data::Table(["Confidence", "Class", "Method", "Warning Type", "Message"])
     checks.warnings.each do |warning|
       next if warning.confidence > tracker.options[:min_confidence]
       w = warning.to_row
 
-      if tracker.options[:output_format] == :to_html
+      if html
         w["Confidence"] = HTML_CONFIDENCE[w["Confidence"]]
         w["Message"] = with_context warning, w["Message"]
       else
@@ -128,14 +128,14 @@ class Brakeman::Report
   end
 
   #Generate table of template warnings or return nil if no warnings
-  def generate_template_warnings
+  def generate_template_warnings html = false
     unless checks.template_warnings.empty?
       table = Ruport::Data::Table(["Confidence", "Template", "Warning Type", "Message"])
       checks.template_warnings.each do |warning|
         next if warning.confidence > tracker.options[:min_confidence]
         w = warning.to_row :template
 
-        if tracker.options[:output_format] == :to_html
+        if html
           w["Confidence"] = HTML_CONFIDENCE[w["Confidence"]]
           w["Message"] = with_context warning, w["Message"]
         else
@@ -159,14 +159,14 @@ class Brakeman::Report
   end
 
   #Generate table of model warnings or return nil if no warnings
-  def generate_model_warnings
+  def generate_model_warnings html = false
     unless checks.model_warnings.empty?
       table = Ruport::Data::Table(["Confidence", "Model", "Warning Type", "Message"])
       checks.model_warnings.each do |warning|
         next if warning.confidence > tracker.options[:min_confidence]
         w = warning.to_row :model
 
-        if tracker.options[:output_format] == :to_html
+        if html
           w["Confidence"] = HTML_CONFIDENCE[w["Confidence"]]
           w["Message"] = with_context warning, w["Message"]
         else
@@ -190,14 +190,14 @@ class Brakeman::Report
   end
 
   #Generate table of controller warnings or nil if no warnings
-  def generate_controller_warnings
+  def generate_controller_warnings html = false
     unless checks.controller_warnings.empty?
       table = Ruport::Data::Table(["Confidence", "Controller", "Warning Type", "Message"])
       checks.controller_warnings.each do |warning|
         next if warning.confidence > tracker.options[:min_confidence]
         w = warning.to_row :controller
 
-        if tracker.options[:output_format] == :to_html
+        if html
           w["Confidence"] = HTML_CONFIDENCE[w["Confidence"]]
           w["Message"] = with_context warning, w["Message"]
         else
@@ -257,14 +257,14 @@ class Brakeman::Report
   end
 
   #Generate listings of templates and their output
-  def generate_templates
+  def generate_templates html = false
     out_processor = Brakeman::OutputProcessor.new
     table = Ruport::Data::Table(["Name", "Output"])
     tracker.templates.each do |name, template|
       unless template[:outputs].empty?
         template[:outputs].each do |out|
           out = out_processor.format out
-          out = CGI.escapeHTML(out) if tracker.options[:output_format] == :to_html
+          out = CGI.escapeHTML(out) if html
           table << { "Name" => name,
             "Output" => out.gsub("\n", ";").gsub(/\s+/, " ") }
         end
@@ -277,9 +277,14 @@ class Brakeman::Report
   def to_html
     out = html_header <<
     "<h2 id='summary'>Summary</h2>" <<
-    generate_overview.to_html << "<br/>" <<
+    generate_overview(true).to_html << "<br/>" <<
     generate_warning_overview.to_html
 
+    #Return early if only summarizing
+    if tracker.options[:summary_only]
+      return out
+    end
+
     if tracker.options[:report_routes] or tracker.options[:debug]
       out << "<h2>Controllers</h2>" <<
       generate_controllers.to_html
@@ -287,24 +292,24 @@ class Brakeman::Report
 
     if tracker.options[:debug]
       out << "<h2>Templates</h2>" <<
-      generate_templates.to_html
+      generate_templates(true).to_html
     end
 
-    res = generate_errors
+    res = generate_errors(true)
     if res
         out << "<div onClick=\"toggle('errors_table');\">  <h2>Exceptions raised during the analysis (click to see them)</h2 ></div> <div id='errors_table' style='display:none'>" << res.to_html << '</div>'
     end
 
-    res = generate_warnings
+    res = generate_warnings(true)
     out << "<h2>Security Warnings</h2>" << res.to_html if res
 
-    res = generate_controller_warnings
+    res = generate_controller_warnings(true)
     out << res.to_html if res
 
-    res = generate_model_warnings 
+    res = generate_model_warnings(true)
     out << res.to_html if res
 
-    res = generate_template_warnings
+    res = generate_template_warnings(true)
     out << res.to_html if res
 
     out << "</body></html>"
@@ -317,6 +322,11 @@ class Brakeman::Report
     generate_overview.to_s << "\n" <<
     generate_warning_overview.to_s << "\n"
 
+    #Return output early if only summarizing
+    if tracker.options[:summary_only]
+      return out
+    end
+
     if tracker.options[:report_routes] or tracker.options[:debug]
       out << "+CONTROLLERS+\n" <<
       generate_controllers.to_s << "\n"
@@ -352,6 +362,11 @@ class Brakeman::Report
     generate_overview.to_csv << "\n" <<
     generate_warning_overview.to_csv << "\n"
 
+    #Return output early if only summarizing
+    if tracker.options[:summary_only]
+      return out
+    end
+
     if tracker.options[:report_routes] or tracker.options[:debug]
       out << "CONTROLLERS\n" <<
       generate_controllers.to_csv << "\n"
@@ -483,107 +498,6 @@ class Brakeman::Report
     @warnings_summary = summary
   end
 
-  #Return file name related to given warning. Uses +warning.file+ if it exists
-  def file_for warning
-    if warning.file
-      File.expand_path warning.file, tracker.options[:app_path]
-    else
-      case warning.warning_set
-      when :controller
-        file_by_name warning.controller, :controller
-      when :template
-        file_by_name warning.template[:name], :template
-      when :model
-        file_by_name warning.model, :model
-      when :warning
-        file_by_name warning.class
-      else
-        nil
-      end
-    end
-  end
-
-  #Attempt to determine path to context file based on the reported name
-  #in the warning.
-  #
-  #For example,
-  #
-  #  file_by_name FileController #=> "/rails/root/app/controllers/file_controller.rb
-  def file_by_name name, type = nil
-    return nil unless name
-    string_name = name.to_s
-    name = name.to_sym
-
-    unless type
-      if string_name =~ /Controller$/
-        type = :controller
-      elsif camelize(string_name) == string_name
-        type = :model
-      else
-        type = :template
-      end
-    end
-
-    path = tracker.options[:app_path]
-
-    case type
-    when :controller
-      if tracker.controllers[name] and tracker.controllers[name][:file]
-        path = tracker.controllers[name][:file]
-      else
-        path += "/app/controllers/#{underscore(string_name)}.rb"
-      end
-    when :model
-      if tracker.models[name] and tracker.models[name][:file]
-        path = tracker.models[name][:file]
-      else
-        path += "/app/controllers/#{underscore(string_name)}.rb"
-      end
-    when :template
-      if tracker.templates[name] and tracker.templates[name][:file]
-        path = tracker.templates[name][:file]
-      elsif string_name.include? " "
-        name = string_name.split[0].to_sym
-        path = file_for name, :template
-      else
-        path = nil
-      end
-    end
-
-    path
-  end
-
-  #Return array of lines surrounding the warning location from the original
-  #file.
-  def context_for warning
-    file = file_for warning
-    context = []
-    return context unless warning.line and file and File.exist? file
-
-    current_line = 0
-    start_line = warning.line - 5
-    end_line = warning.line + 5
-
-    start_line = 1 if start_line < 0
-
-    File.open file do |f|
-      f.each_line do |line|
-        current_line += 1
-
-        next if line.strip == ""
-
-        if current_line > end_line
-          break
-        end
-
-        if current_line >= start_line
-          context << [current_line, line]
-        end
-      end
-    end
-
-    context
-  end
 
   #Generate HTML for warnings, including context show/hidden via Javascript
   def with_context warning, message

data/lib/brakeman/rescanner.rb

@@ -0,0 +1,247 @@
+require 'brakeman/scanner'
+
+#Class for rescanning changed files after an initial scan
+class Brakeman::Rescanner < Brakeman::Scanner
+
+  SCAN_ORDER = [:config, :gemfile, :initializer, :lib, :routes, :template,
+    :model, :controller]
+
+  #Create new Rescanner to scan changed files
+  def initialize options, processor, changed_files
+    super(options, processor)
+
+    @paths = changed_files.map {|f| File.expand_path f, tracker.options[:app_path] }
+    @old_results = tracker.checks  #Old warnings from previous scan
+    @changes = nil                 #True if files had to be rescanned
+    @reindex = Set.new
+  end
+
+  #Runs checks.
+  #Will rescan files if they have not already been scanned
+  def recheck
+    rescan if @changes.nil?
+
+    tracker.run_checks if @changes
+
+    Brakeman::RescanReport.new @old_results, tracker.checks
+  end
+
+  #Rescans changed files
+  def rescan
+    tracker.template_cache.clear
+
+    paths_by_type = {}
+
+    SCAN_ORDER.each do |type|
+      paths_by_type[type] = []
+    end
+
+    @paths.each do |path|
+      type = file_type(path)
+      paths_by_type[type] << path unless type == :unknown
+    end
+
+    @changes = false
+
+    SCAN_ORDER.each do |type|
+      paths_by_type[type].each do |path|
+        warn "Rescanning #{path} as #{type}" if tracker.options[:debug]
+
+        if rescan_file path, type
+          @changes = true
+        end
+      end
+    end
+
+    if @changes and not @reindex.empty?
+      tracker.reindex_call_sites @reindex
+    end
+
+    self
+  end
+
+  #Rescans a single file
+  def rescan_file path, type = nil
+    type ||= file_type path
+
+    case type
+    when :controller
+      rescan_controller path
+      @reindex << :controllers << :templates
+    when :template
+      rescan_template path
+      @reindex << :templates
+    when :model
+      rescan_model path
+    when :lib
+      process_library path
+    when :config
+      process_config
+    when :initializer
+      process_initializer path
+    when :routes
+      # Routes affect which controller methods are treated as actions
+      # which affects which templates are rendered, so routes, controllers,
+      # and templates rendered from controllers must be rescanned
+      tracker.reset_routes
+      tracker.reset_templates :only_rendered => true
+      process_routes
+      process_controllers
+      @reindex << :controllers << :templates
+    when :gemfile
+      process_gems
+    else
+      return false #Nothing to do, file hopefully does not need to be rescanned
+    end
+
+    true
+  end
+
+  def rescan_controller path
+    #Process source
+    process_controller path
+
+    #Process data flow and template rendering
+    #from the controller
+    tracker.controllers.each do |name, controller|
+      if controller[:file] == path
+        tracker.templates.keys.each do |template_name|
+          if template_name.to_s.match /(.+)\.#{name}#/
+            tracker.templates.delete template_name
+          end
+        end
+
+        @processor.process_controller_alias controller[:src]
+      end
+    end
+  end
+
+  def rescan_template path
+    template_name = template_path_to_name(path)
+
+    tracker.reset_template template_name
+    process_template path
+
+    @processor.process_template_alias tracker.templates[template_name]
+
+    rescan = Set.new
+
+    rendered_from_controller = /^#{template_name}\.(.+Controller)#(.+)/
+    rendered_from_view = /^#{template_name}\.Template:(.+)/
+
+    #Search for processed template and process it.
+    #Search for rendered versions of template and re-render (if necessary)
+    tracker.templates.each do |name, template|
+      if template[:file] == path or template[:file].nil?
+       name = name.to_s
+
+       if name.match(rendered_from_controller)
+         #Rendered from controller, so reprocess controller
+
+         rescan << [:controller, $1.to_sym, $2.to_sym]
+       elsif name.match(rendered_from_view)
+         #Rendered from another template, so reprocess that template
+
+         rescan << [:template, $1.to_sym]
+       end
+      end
+    end
+
+    rescan.each do |r|
+      if r[0] == :controller
+        controller = tracker.controllers[r[1]]
+
+        unless @paths.include? controller[:file]
+          @processor.process_controller_alias controller[:src], r[2]
+        end
+      elsif r[0] == :template
+        template = tracker.templates[r[1]]
+
+        rescan_template template[:file]
+      end
+    end
+  end
+
+  def rescan_model path
+    num_models = tracker.models.length
+    tracker.reset_model path
+    process_model path if File.exists? path
+
+    #Only need to rescan other things if a model is added or removed
+    if num_models != tracker.models.length
+      process_templates
+      process_controllers
+      @reindex << :templates << :controllers
+    end
+
+    @reindex << :models
+  end
+
+  #Guess at what kind of file the path contains
+  def file_type path
+    case path
+    when /\/app\/controllers/
+      :controller
+    when /\/app\/views/
+      :template
+    when /\/app\/models/
+      :model
+    when /\/lib/
+      :lib
+    when /\/config\/initializers/
+      :initializer
+    when /config\/routes\.rb/
+      :routes
+    when /\/config/
+      :config
+    when /Gemfile/
+      :gemfile
+    else
+      :unknown
+    end
+  end
+end
+
+#Class to make reporting of rescan results simpler to deal with
+class Brakeman::RescanReport
+  attr_reader :old_results, :new_results
+
+  def initialize old_results, new_results
+    @old_results = old_results
+    @new_results = new_results
+    @all_warnings = nil
+    @diff = nil
+  end
+
+  #Returns true if any warnings were found (new or old)
+  def any_warnings?
+    not all_warnings.empty?
+  end
+
+  #Returns an array of all warnings found
+  def all_warnings
+    @all_warnings ||= new_results.all_warnings
+  end
+
+  #Returns an array of warnings which were in the old report but are not in the
+  #new report after rescanning
+  def fixed_warnings
+    diff[:fixed]
+  end
+
+  #Returns an array of warnings which were in the new report but were not in
+  #the old report
+  def new_warnings
+    diff[:new]
+  end
+
+  #Returns true if there are any new or fixed warnings
+  def warnings_changed?
+    not (diff[:new].empty? and diff[:fixed].empty?)
+  end
+
+  #Returns a hash of arrays for :new and :fixed warnings
+  def diff
+    @diff ||= @new_results.diff(@old_results)
+  end
+end