RubyGems - brakeman - Versions diffs - 1.5.3 → 1.6.0.pre1 - Mend

brakeman 1.5.3 → 1.6.0.pre1

Files changed (54) hide show

data/bin/brakeman +20 -6
data/lib/brakeman.rb +21 -1
data/lib/brakeman/checks.rb +2 -7
data/lib/brakeman/checks/base_check.rb +31 -26
data/lib/brakeman/checks/check_basic_auth.rb +1 -7
data/lib/brakeman/checks/check_cross_site_scripting.rb +38 -33
data/lib/brakeman/checks/check_evaluation.rb +2 -1
data/lib/brakeman/checks/check_execute.rb +5 -1
data/lib/brakeman/checks/check_file_access.rb +6 -4
data/lib/brakeman/checks/check_link_to.rb +8 -5
data/lib/brakeman/checks/check_link_to_href.rb +6 -5
data/lib/brakeman/checks/check_mail_to.rb +2 -4
data/lib/brakeman/checks/check_mass_assignment.rb +12 -6
data/lib/brakeman/checks/check_redirect.rb +17 -14
data/lib/brakeman/checks/check_render.rb +4 -4
data/lib/brakeman/checks/check_send.rb +4 -2
data/lib/brakeman/checks/check_session_settings.rb +16 -21
data/lib/brakeman/checks/check_skip_before_filter.rb +2 -4
data/lib/brakeman/checks/check_sql.rb +8 -7
data/lib/brakeman/checks/check_validation_regex.rb +2 -4
data/lib/brakeman/checks/check_without_protection.rb +8 -9
data/lib/brakeman/differ.rb +61 -0
data/lib/brakeman/format/style.css +4 -0
data/lib/brakeman/options.rb +8 -0
data/lib/brakeman/processors/alias_processor.rb +5 -7
data/lib/brakeman/processors/controller_alias_processor.rb +10 -3
data/lib/brakeman/processors/erb_template_processor.rb +2 -0
data/lib/brakeman/processors/erubis_template_processor.rb +2 -0
data/lib/brakeman/processors/gem_processor.rb +8 -0
data/lib/brakeman/processors/haml_template_processor.rb +2 -0
data/lib/brakeman/processors/lib/rails2_route_processor.rb +2 -6
data/lib/brakeman/processors/lib/rails3_route_processor.rb +2 -4
data/lib/brakeman/processors/lib/render_helper.rb +3 -1
data/lib/brakeman/processors/library_processor.rb +4 -6
data/lib/brakeman/processors/template_alias_processor.rb +1 -1
data/lib/brakeman/report.rb +257 -198
data/lib/brakeman/rescanner.rb +112 -10
data/lib/brakeman/scanner.rb +3 -4
data/lib/brakeman/templates/controller_overview.html.erb +18 -0
data/lib/brakeman/templates/controller_warnings.html.erb +17 -0
data/lib/brakeman/templates/error_overview.html.erb +14 -0
data/lib/brakeman/templates/header.html.erb +38 -0
data/lib/brakeman/templates/model_warnings.html.erb +17 -0
data/lib/brakeman/templates/overview.html.erb +28 -0
data/lib/brakeman/templates/security_warnings.html.erb +28 -0
data/lib/brakeman/templates/template_overview.html.erb +17 -0
data/lib/brakeman/templates/view_warnings.html.erb +17 -0
data/lib/brakeman/templates/warning_overview.html.erb +13 -0
data/lib/brakeman/tracker.rb +1 -1
data/lib/brakeman/util.rb +24 -4
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +11 -3
data/lib/ruby_parser/bm_sexp.rb +5 -11
metadata +84 -23

data/lib/brakeman/rescanner.rb CHANGED Viewed

@@ -1,4 +1,6 @@
 require 'brakeman/scanner'
+require 'terminal-table'
+require 'brakeman/util'
 #Class for rescanning changed files after an initial scan
 class Brakeman::Rescanner < Brakeman::Scanner
@@ -64,6 +66,10 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def rescan_file path, type = nil
     type ||= file_type path
+    unless File.exist? path
+      return rescan_deleted_file path, type
+    end
     case type
     when :controller
       rescan_controller path
@@ -89,6 +95,10 @@ class Brakeman::Rescanner < Brakeman::Scanner
       process_controllers
       @reindex << :controllers << :templates
     when :gemfile
+      if tracker.config[:gems][:rails_xss] and tracker.config[:escape_html]
+        tracker.config[:escape_html] = false
+      end
       process_gems
     else
       return false #Nothing to do, file hopefully does not need to be rescanned
@@ -111,7 +121,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
           end
         end
-        @processor.process_controller_alias controller[:src]
+        @processor.process_controller_alias controller[:name], controller[:src]
       end
     end
   end
@@ -154,7 +164,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
         controller = tracker.controllers[r[1]]
         unless @paths.include? controller[:file]
-          @processor.process_controller_alias controller[:src], r[2]
+          @processor.process_controller_alias controller[:name], controller[:src], r[2]
         end
       elsif r[0] == :template
         template = tracker.templates[r[1]]
@@ -179,6 +189,98 @@ class Brakeman::Rescanner < Brakeman::Scanner
     @reindex << :models
   end
+  #Handle rescanning when a file is deleted
+  def rescan_deleted_file path, type
+    case type
+    when :controller
+      rescan_deleted_controller path
+    when :template
+      rescan_deleted_template path
+    when :model
+      rescan_model path
+    when :lib
+      rescan_deleted_lib path
+    when :initializer
+      rescan_deleted_initializer path
+    else
+      if remove_deleted_file path
+        return true
+      else
+        Brakeman.notify "Ignoring deleted file: #{path}"
+      end
+    end
+    true
+  end
+  def rescan_deleted_controller path
+    #Remove from controller
+    tracker.controllers.delete_if do |name, controller|
+      if controller[:file] == path
+        template_matcher = /(.+)\.#{name}#/
+        #Remove templates rendered from this controller
+        tracker.templates.keys.each do |template_name|
+          if template_name.to_s.match template_matcher
+            tracker.templates.delete template_name
+          end
+        end
+        true
+      end
+    end
+  end
+  def rescan_deleted_template path
+    return unless path.match KNOWN_TEMPLATE_EXTENSIONS
+    template_name = template_path_to_name(path)
+    #Remove template
+    tracker.reset_template template_name
+    rendered_from_controller = /^#{template_name}\.(.+Controller)#(.+)/
+    rendered_from_view = /^#{template_name}\.Template:(.+)/
+    #Remove any rendered versions, or partials rendered from it
+    tracker.templates.delete_if do |name, template|
+      if template[:file] == path
+        true
+      elsif template[:file].nil?
+        name = name.to_s
+        name.match(rendered_from_controller) or name.match(rendered_from_view)
+      end
+    end
+  end
+  def rescan_deleted_lib path
+    tracker.libs.delete_if do |name, lib|
+      lib[:path] == path
+    end
+  end
+  def rescan_deleted_initializer path
+    tracker.initializers.delete Pathname.new(path).basename.to_s
+  end
+  #Check controllers, templates, models and libs for data from file
+  #and delete it.
+  def remove_deleted_file path
+    deleted = false
+    [:controllers, :templates, :models, :libs].each do |collection|
+      tracker.send(collection).delete_if do |name, data|
+        if data[:file] == path
+          deleted = true
+          true
+        end
+      end
+    end
+    deleted
+  end
   #Guess at what kind of file the path contains
   def file_type path
     case path
@@ -206,6 +308,7 @@ end
 #Class to make reporting of rescan results simpler to deal with
 class Brakeman::RescanReport
+  include Brakeman::Util
   attr_reader :old_results, :new_results
   def initialize old_results, tracker
@@ -271,17 +374,16 @@ New warnings: #{new_warnings.length}
         if warnings.length > 0
           out << "#{warning_type.to_s.titleize} warnings: #{warnings.length}\n"
-          table = Ruport::Data::Table(["Confidence", "Class", "Method", "Warning Type", "Message"])
-          warnings.sort_by { |w| w.confidence}.each do |warning|
-            w = warning.to_row
+          table = Terminal::Table.new(:headings => ["Confidence", "Class", "Method", "Warning Type", "Message"]) do |t|
+            warnings.sort_by { |w| w.confidence}.each do |warning|
+              w = warning.to_row
-            w["Confidence"] = Brakeman::Report::TEXT_CONFIDENCE[w["Confidence"]]
+              w["Confidence"] = Brakeman::Report::TEXT_CONFIDENCE[w["Confidence"]]
-            table << w
+              t << [w["Confidence"], w["Class"], w["Method"], w["Warning Type"], w["Message"]]
+            end
           end
-          out << table.to_s
+          out << truncate_table(table.to_s)
         end
       end

data/lib/brakeman/scanner.rb CHANGED Viewed

@@ -92,8 +92,7 @@ class Brakeman::Scanner
     end
     if File.exists? "#@path/vendor/plugins/rails_xss" or
-      options[:rails3] or options[:escape_html] or
-      (File.exists? "#@path/Gemfile" and File.read("#@path/Gemfile").include? "rails_xss")
+      options[:rails3] or options[:escape_html]
       tracker.config[:escape_html] = true
       Brakeman.notify "[Notice] Escaping HTML by default"
@@ -228,7 +227,7 @@ class Brakeman::Scanner
     Brakeman.notify "Processing data flow in controllers..."
-    tracker.controllers.each do |name, controller|
+    tracker.controllers.sort_by{|name| name.to_s}.each do |name, controller|
       Brakeman.debug "Processing #{name}"
       if @report_progress
         $stderr.print " #{current}/#{total} controllers processed\r"
@@ -281,7 +280,7 @@ class Brakeman::Scanner
     Brakeman.notify "Processing data flow in templates..."
-    tracker.templates.keys.dup.each do |name|
+    tracker.templates.keys.dup.sort_by{|name| name.to_s}.each do |name|
       Brakeman.debug "Processing #{name}"
       if @report_progress
         count += 1

data/lib/brakeman/templates/controller_overview.html.erb ADDED Viewed

@@ -0,0 +1,18 @@
+<h2>Controllers</h2>
+<table>
+  <tr>
+    <th>Name</th>
+    <th>Parent</th>
+    <th>Includes</th>
+    <th>Routes</th>
+  </tr>
+<% controller_rows.each do |row| %>
+  <tr>
+    <td><%= row['Name'] %></td>
+    <td><%= row['Parent'] %></td>
+    <td><%= row['Includes'] %></td>
+    <td><%= row['Routes'] %></td>
+  </tr>
+<% end %>
+</table>

data/lib/brakeman/templates/controller_warnings.html.erb ADDED Viewed

@@ -0,0 +1,17 @@
+<p>Controller Warnings</p>
+<table>
+  <tr>
+    <th>Confidence</th>
+    <th>Controller</th>
+    <th>Warning Type</th>
+    <th>Message</th>
+  </tr>
+<% warnings.each do |warning| %>
+  <tr>
+    <td><%= warning['Confidence']%></td>
+    <td><%= warning['Controller']%></td>
+    <td><%= warning['Warning Type']%></td>
+    <td><%= warning['Message']%></td>
+  </tr>
+<% end %>
+</table>

data/lib/brakeman/templates/error_overview.html.erb ADDED Viewed

@@ -0,0 +1,14 @@
+<div onClick="toggle('errors_table');">  <h2>Exceptions raised during the analysis (click to see them)</h2 ></div> <div id='errors_table' style='display:none'>
+<table>
+  <tr>
+    <th>Error</th>
+    <th>Location</th>
+  </tr>
+<% tracker.errors.each do |warning| %>
+  <tr>
+    <td><%= CGI.escapeHTML warning[:error] %></td>
+    <td><%= warning[:backtrace][0] %></td>
+  </tr>
+<% end %>
+</table>
+</div>

data/lib/brakeman/templates/header.html.erb ADDED Viewed

@@ -0,0 +1,38 @@
+<!DOCTYPE HTML SYSTEM>
+<html>
+<head>
+<title>Brakeman Report</title>
+  <script>
+    function toggle(context) {
+      var elem = document.getElementById(context);
+      if (elem.style.display != "block")
+        elem.style.display = "block";
+      else
+        elem.style.display = "none";
+      elem.parentNode.scrollIntoView();
+    }
+  </script>
+  <style>
+    <%= css %>
+  </style>
+</head>
+<body>
+<h1>Brakeman Report</h1>
+<table>
+  <tr>
+    <th>Application Path</th>
+    <th>Rails Version</th>
+    <th>Report Generation Time</th>
+    <th>Checks Performed</th>
+  </tr>
+  <tr>
+    <td><%= File.expand_path tracker.options[:app_path] %></td>
+    <td><%= rails_version %></td>
+    <td><%= Time.now %></td>
+    <td><%= checks.checks_run.sort.join(", ") %></td>
+  </tr>
+</table>
+<br>

data/lib/brakeman/templates/model_warnings.html.erb ADDED Viewed

@@ -0,0 +1,17 @@
+<p>Model Warnings</p>
+<table>
+  <tr>
+    <th>Confidence</th>
+    <th>Model</th>
+    <th>Warning Type</th>
+    <th>Message</th>
+  </tr>
+<% warnings.each do |warning| %>
+  <tr>
+    <td><%= warning['Confidence']%></td>
+    <td><%= warning['Model']%></td>
+    <td><%= warning['Warning Type']%></td>
+    <td><%= warning['Message']%></td>
+  </tr>
+<% end %>
+</table>

data/lib/brakeman/templates/overview.html.erb ADDED Viewed

@@ -0,0 +1,28 @@
+<h2 id='summary'>Summary</h2>
+<table>
+  <tr>
+    <th>Scanned/Reported</th>
+    <th>Total</th>
+  </tr>
+  <tr>
+    <td>Controllers</td>
+    <td><%= tracker.controllers.length %></td>
+  </tr>
+  <tr>
+    <td>Models</td>
+    <td><%= tracker.models.length - 1 %></td>
+  </tr>
+  <tr>
+    <td>Templates</td>
+    <td><%= number_of_templates(@tracker) %></td>
+  </tr>
+  <tr>
+    <td>Errors</td>
+    <td><%= tracker.errors.length %></td>
+  </tr>
+  <tr>
+    <td>Security Warnings</td>
+    <td><%= warnings %> <span class='high-confidence'>(<%= warnings_summary[:high_confidence] %>)</span></td>
+  </tr>
+</table>
+<br>

data/lib/brakeman/templates/security_warnings.html.erb ADDED Viewed

@@ -0,0 +1,28 @@
+<h2>Security Warnings</h2>
+<table>
+<% if warning_messages.any? %>
+  <tr>
+    <th>Confidence</th>
+    <th>Class</th>
+    <th>Method</th>
+    <th>Warning Type</th>
+    <th>Message</th>
+  </tr>
+  <% warning_messages.each do |warning| %>
+  <tr>
+    <td><%= warning['Confidence']%></td>
+    <td><%= warning['Class']%></td>
+    <td><%= warning['Method']%></td>
+    <td><%= warning['Warning Type']%></td>
+    <td><%= warning['Message']%></td>
+  </tr>
+  <% end %>
+<% else %>
+  <tr>
+    <th>General Warnings</th>
+  </tr>
+  <tr>
+    <td>[NONE]</td>
+  </tr>
+<% end %>
+</table>

data/lib/brakeman/templates/template_overview.html.erb ADDED Viewed

@@ -0,0 +1,17 @@
+<h2>Templates</h2>
+<% template_rows.each do |template| %>
+<p><%= template[0] %></p>
+<table>
+  <tr>
+    <th>Output</th>
+  </tr>
+  <% template[1].each do |call| %>
+  <tr>
+    <td><%= call %></td>
+  </tr>
+  <% end %>
+</table>
+<% end %>

data/lib/brakeman/templates/view_warnings.html.erb ADDED Viewed

@@ -0,0 +1,17 @@
+<p>View Warnings</p>
+<table>
+  <tr>
+    <th>Confidence</th>
+    <th>Template</th>
+    <th>Warning Type</th>
+    <th>Message</th>
+  </tr>
+<% warnings.each do |warning| %>
+  <tr>
+    <td><%= warning['Confidence']%></td>
+    <td><%= warning['Template']%></td>
+    <td><%= warning['Warning Type']%></td>
+    <td><%= warning['Message']%></td>
+  </tr>
+<% end %>
+</table>

data/lib/brakeman/templates/warning_overview.html.erb ADDED Viewed

@@ -0,0 +1,13 @@
+<table>
+  <tr>
+    <th>Warning Type</th>
+    <th>Total</th>
+  </tr>
+  <% types.sort.each do |warning_type| %>
+  <tr>
+    <td><%= warning_type %></td>
+    <td><%= warnings_summary[warning_type] %></td>
+  </tr>
+  <% end %>
+</table>
+<br>

data/lib/brakeman/tracker.rb CHANGED Viewed

@@ -85,7 +85,7 @@ class Brakeman::Tracker
   #Prioritizes templates which have been rendered.
   def each_template
     if @processed.nil?
-      @processed, @rest = templates.keys.partition { |k| k.to_s.include? "." }
+      @processed, @rest = templates.keys.sort_by{|template| template.to_s}.partition { |k| k.to_s.include? "." }
     end
     @processed.each do |k|

data/lib/brakeman/util.rb CHANGED Viewed

@@ -88,10 +88,8 @@ module Brakeman::Util
       key = Sexp.new(:lit, key)
     end
-    hash_iterate hash do |k, v|
-      if k == key
-        return v
-      end
+    if index = hash.find_index(key) and index > 0
+      return hash[index + 1]
     end
     nil
@@ -326,4 +324,26 @@ module Brakeman::Util
     context
   end
+  def truncate_table str
+    @terminal_width ||= ::HighLine::SystemExtensions::terminal_size[0]
+    lines = str.lines
+    lines.map do |line|
+      if line.chomp.length > @terminal_width
+        line[0..(@terminal_width - 3)] + ">>"
+      else
+        line
+      end
+    end.join
+  end
+  # rely on Terminal::Table to build the structure, extract the data out in CSV format
+  def table_to_csv table
+    output = CSV.generate_line(table.headings.cells.map{|cell| cell.to_s.strip})
+    table.rows.each do |row|
+      output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})
+    end
+    output
+  end
 end