brakeman 1.5.3 → 1.6.0.pre1

data/lib/brakeman/rescanner.rb

@@ -1,4 +1,6 @@
 require 'brakeman/scanner'
+require 'terminal-table'
+require 'brakeman/util'
 
 #Class for rescanning changed files after an initial scan
 class Brakeman::Rescanner < Brakeman::Scanner
@@ -64,6 +66,10 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def rescan_file path, type = nil
     type ||= file_type path
 
+    unless File.exist? path
+      return rescan_deleted_file path, type
+    end
+
     case type
     when :controller
       rescan_controller path
@@ -89,6 +95,10 @@ class Brakeman::Rescanner < Brakeman::Scanner
       process_controllers
       @reindex << :controllers << :templates
     when :gemfile
+      if tracker.config[:gems][:rails_xss] and tracker.config[:escape_html]
+        tracker.config[:escape_html] = false
+      end
+
       process_gems
     else
       return false #Nothing to do, file hopefully does not need to be rescanned
@@ -111,7 +121,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
           end
         end
 
-        @processor.process_controller_alias controller[:src]
+        @processor.process_controller_alias controller[:name], controller[:src]
       end
     end
   end
@@ -154,7 +164,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
         controller = tracker.controllers[r[1]]
 
         unless @paths.include? controller[:file]
-          @processor.process_controller_alias controller[:src], r[2]
+          @processor.process_controller_alias controller[:name], controller[:src], r[2]
         end
       elsif r[0] == :template
         template = tracker.templates[r[1]]
@@ -179,6 +189,98 @@ class Brakeman::Rescanner < Brakeman::Scanner
     @reindex << :models
   end
 
+  #Handle rescanning when a file is deleted
+  def rescan_deleted_file path, type
+    case type
+    when :controller
+      rescan_deleted_controller path
+    when :template
+      rescan_deleted_template path
+    when :model
+      rescan_model path
+    when :lib
+      rescan_deleted_lib path
+    when :initializer
+      rescan_deleted_initializer path
+    else
+      if remove_deleted_file path
+        return true
+      else
+        Brakeman.notify "Ignoring deleted file: #{path}"
+      end
+    end
+
+    true
+  end
+
+  def rescan_deleted_controller path
+    #Remove from controller
+    tracker.controllers.delete_if do |name, controller|
+      if controller[:file] == path
+        template_matcher = /(.+)\.#{name}#/
+
+        #Remove templates rendered from this controller
+        tracker.templates.keys.each do |template_name|
+          if template_name.to_s.match template_matcher
+            tracker.templates.delete template_name
+          end
+        end
+
+        true
+      end
+    end
+  end
+
+  def rescan_deleted_template path
+    return unless path.match KNOWN_TEMPLATE_EXTENSIONS
+
+    template_name = template_path_to_name(path)
+
+    #Remove template
+    tracker.reset_template template_name
+
+    rendered_from_controller = /^#{template_name}\.(.+Controller)#(.+)/
+    rendered_from_view = /^#{template_name}\.Template:(.+)/
+
+    #Remove any rendered versions, or partials rendered from it
+    tracker.templates.delete_if do |name, template|
+      if template[:file] == path
+        true
+      elsif template[:file].nil?
+        name = name.to_s
+
+        name.match(rendered_from_controller) or name.match(rendered_from_view)
+      end
+    end
+  end
+
+  def rescan_deleted_lib path
+    tracker.libs.delete_if do |name, lib|
+      lib[:path] == path
+    end
+  end
+
+  def rescan_deleted_initializer path
+    tracker.initializers.delete Pathname.new(path).basename.to_s
+  end
+
+  #Check controllers, templates, models and libs for data from file
+  #and delete it.
+  def remove_deleted_file path
+    deleted = false
+
+    [:controllers, :templates, :models, :libs].each do |collection|
+      tracker.send(collection).delete_if do |name, data|
+        if data[:file] == path
+          deleted = true
+          true
+        end
+      end
+    end
+
+    deleted
+  end
+
   #Guess at what kind of file the path contains
   def file_type path
     case path
@@ -206,6 +308,7 @@ end
 
 #Class to make reporting of rescan results simpler to deal with
 class Brakeman::RescanReport
+  include Brakeman::Util
   attr_reader :old_results, :new_results
 
   def initialize old_results, tracker
@@ -271,17 +374,16 @@ New warnings: #{new_warnings.length}
         if warnings.length > 0
           out << "#{warning_type.to_s.titleize} warnings: #{warnings.length}\n"
 
-          table = Ruport::Data::Table(["Confidence", "Class", "Method", "Warning Type", "Message"])
-
-          warnings.sort_by { |w| w.confidence}.each do |warning|
-            w = warning.to_row
+          table = Terminal::Table.new(:headings => ["Confidence", "Class", "Method", "Warning Type", "Message"]) do |t|
+            warnings.sort_by { |w| w.confidence}.each do |warning|
+              w = warning.to_row
 
-            w["Confidence"] = Brakeman::Report::TEXT_CONFIDENCE[w["Confidence"]]
+              w["Confidence"] = Brakeman::Report::TEXT_CONFIDENCE[w["Confidence"]]
 
-            table << w
+              t << [w["Confidence"], w["Class"], w["Method"], w["Warning Type"], w["Message"]]
+            end            
           end
-
-          out << table.to_s
+          out << truncate_table(table.to_s)
         end
       end
 

data/lib/brakeman/scanner.rb

@@ -92,8 +92,7 @@ class Brakeman::Scanner
     end
 
     if File.exists? "#@path/vendor/plugins/rails_xss" or
-      options[:rails3] or options[:escape_html] or
-      (File.exists? "#@path/Gemfile" and File.read("#@path/Gemfile").include? "rails_xss")
+      options[:rails3] or options[:escape_html]
 
       tracker.config[:escape_html] = true
       Brakeman.notify "[Notice] Escaping HTML by default"
@@ -228,7 +227,7 @@ class Brakeman::Scanner
 
     Brakeman.notify "Processing data flow in controllers..."
 
-    tracker.controllers.each do |name, controller|
+    tracker.controllers.sort_by{|name| name.to_s}.each do |name, controller|
       Brakeman.debug "Processing #{name}"
       if @report_progress
         $stderr.print " #{current}/#{total} controllers processed\r"
@@ -281,7 +280,7 @@ class Brakeman::Scanner
 
     Brakeman.notify "Processing data flow in templates..."
 
-    tracker.templates.keys.dup.each do |name|
+    tracker.templates.keys.dup.sort_by{|name| name.to_s}.each do |name|
       Brakeman.debug "Processing #{name}"
       if @report_progress
         count += 1

data/lib/brakeman/templates/controller_overview.html.erb

@@ -0,0 +1,18 @@
+<h2>Controllers</h2>
+
+<table>
+  <tr>
+    <th>Name</th>
+    <th>Parent</th>
+    <th>Includes</th>
+    <th>Routes</th>
+  </tr>
+<% controller_rows.each do |row| %>
+  <tr>
+    <td><%= row['Name'] %></td>
+    <td><%= row['Parent'] %></td>
+    <td><%= row['Includes'] %></td>
+    <td><%= row['Routes'] %></td>
+  </tr>
+<% end %>
+</table>

data/lib/brakeman/templates/controller_warnings.html.erb

@@ -0,0 +1,17 @@
+<p>Controller Warnings</p>
+<table>
+  <tr>
+    <th>Confidence</th>
+    <th>Controller</th>
+    <th>Warning Type</th>
+    <th>Message</th>
+  </tr>
+<% warnings.each do |warning| %>
+  <tr>
+    <td><%= warning['Confidence']%></td>
+    <td><%= warning['Controller']%></td>
+    <td><%= warning['Warning Type']%></td>
+    <td><%= warning['Message']%></td>
+  </tr>
+<% end %>
+</table>

data/lib/brakeman/templates/error_overview.html.erb

@@ -0,0 +1,14 @@
+<div onClick="toggle('errors_table');">  <h2>Exceptions raised during the analysis (click to see them)</h2 ></div> <div id='errors_table' style='display:none'> 
+<table>
+  <tr>
+    <th>Error</th>
+    <th>Location</th>
+  </tr>
+<% tracker.errors.each do |warning| %>
+  <tr>
+    <td><%= CGI.escapeHTML warning[:error] %></td>
+    <td><%= warning[:backtrace][0] %></td>
+  </tr>
+<% end %>
+</table>
+</div>

data/lib/brakeman/templates/header.html.erb

@@ -0,0 +1,38 @@
+<!DOCTYPE HTML SYSTEM>
+<html>
+<head>
+<title>Brakeman Report</title>
+  <script>
+    function toggle(context) {
+      var elem = document.getElementById(context);
+
+      if (elem.style.display != "block")
+        elem.style.display = "block";
+      else
+        elem.style.display = "none";
+        
+      elem.parentNode.scrollIntoView();
+    }
+  </script>
+  <style>
+    <%= css %>
+  </style>
+</head>
+<body>
+
+<h1>Brakeman Report</h1>
+<table>
+  <tr>
+    <th>Application Path</th>
+    <th>Rails Version</th>
+    <th>Report Generation Time</th>
+    <th>Checks Performed</th>
+  </tr>
+  <tr>
+    <td><%= File.expand_path tracker.options[:app_path] %></td>
+    <td><%= rails_version %></td>
+    <td><%= Time.now %></td>
+    <td><%= checks.checks_run.sort.join(", ") %></td>
+  </tr>
+</table>
+<br>

data/lib/brakeman/templates/model_warnings.html.erb

@@ -0,0 +1,17 @@
+<p>Model Warnings</p>
+<table>
+  <tr>
+    <th>Confidence</th>
+    <th>Model</th>
+    <th>Warning Type</th>
+    <th>Message</th>
+  </tr>
+<% warnings.each do |warning| %>
+  <tr>
+    <td><%= warning['Confidence']%></td>
+    <td><%= warning['Model']%></td>
+    <td><%= warning['Warning Type']%></td>
+    <td><%= warning['Message']%></td>
+  </tr>
+<% end %>
+</table>

data/lib/brakeman/templates/overview.html.erb

@@ -0,0 +1,28 @@
+<h2 id='summary'>Summary</h2> 
+<table>
+  <tr>
+    <th>Scanned/Reported</th>
+    <th>Total</th>
+  </tr>
+  <tr>
+    <td>Controllers</td>
+    <td><%= tracker.controllers.length %></td>
+  </tr>
+  <tr>
+    <td>Models</td>
+    <td><%= tracker.models.length - 1 %></td>
+  </tr>
+  <tr>
+    <td>Templates</td>
+    <td><%= number_of_templates(@tracker) %></td>
+  </tr>
+  <tr>
+    <td>Errors</td>
+    <td><%= tracker.errors.length %></td>
+  </tr>
+  <tr>
+    <td>Security Warnings</td>
+    <td><%= warnings %> <span class='high-confidence'>(<%= warnings_summary[:high_confidence] %>)</span></td>
+  </tr>
+</table>
+<br>

data/lib/brakeman/templates/security_warnings.html.erb

@@ -0,0 +1,28 @@
+<h2>Security Warnings</h2>  
+<table>
+<% if warning_messages.any? %>
+  <tr>
+    <th>Confidence</th>
+    <th>Class</th>
+    <th>Method</th>
+    <th>Warning Type</th>
+    <th>Message</th>
+  </tr>
+  <% warning_messages.each do |warning| %>
+  <tr>
+    <td><%= warning['Confidence']%></td>
+    <td><%= warning['Class']%></td>
+    <td><%= warning['Method']%></td>
+    <td><%= warning['Warning Type']%></td>
+    <td><%= warning['Message']%></td>
+  </tr>
+  <% end %>
+<% else %>
+  <tr>
+    <th>General Warnings</th>
+  </tr>
+  <tr>
+    <td>[NONE]</td>
+  </tr>
+<% end %>
+</table>

data/lib/brakeman/templates/template_overview.html.erb

@@ -0,0 +1,17 @@
+<h2>Templates</h2>
+
+<% template_rows.each do |template| %>
+
+<p><%= template[0] %></p>
+<table>
+  <tr>
+    <th>Output</th>
+  </tr>
+  <% template[1].each do |call| %>
+  <tr>
+    <td><%= call %></td>
+  </tr>
+  <% end %>
+</table>
+
+<% end %>

data/lib/brakeman/templates/view_warnings.html.erb

@@ -0,0 +1,17 @@
+<p>View Warnings</p>
+<table>
+  <tr>
+    <th>Confidence</th>
+    <th>Template</th>
+    <th>Warning Type</th>
+    <th>Message</th>
+  </tr>
+<% warnings.each do |warning| %>
+  <tr>
+    <td><%= warning['Confidence']%></td>
+    <td><%= warning['Template']%></td>
+    <td><%= warning['Warning Type']%></td>
+    <td><%= warning['Message']%></td>
+  </tr>
+<% end %>
+</table>

data/lib/brakeman/templates/warning_overview.html.erb

@@ -0,0 +1,13 @@
+<table>
+  <tr>
+    <th>Warning Type</th>
+    <th>Total</th>
+  </tr>
+  <% types.sort.each do |warning_type| %>
+  <tr>
+    <td><%= warning_type %></td>
+    <td><%= warnings_summary[warning_type] %></td>
+  </tr>
+  <% end %>
+</table>
+<br>

data/lib/brakeman/tracker.rb

@@ -85,7 +85,7 @@ class Brakeman::Tracker
   #Prioritizes templates which have been rendered.
   def each_template
     if @processed.nil?
-      @processed, @rest = templates.keys.partition { |k| k.to_s.include? "." }
+      @processed, @rest = templates.keys.sort_by{|template| template.to_s}.partition { |k| k.to_s.include? "." }
     end
 
     @processed.each do |k|

data/lib/brakeman/util.rb

@@ -88,10 +88,8 @@ module Brakeman::Util
       key = Sexp.new(:lit, key)
     end
 
-    hash_iterate hash do |k, v|
-      if k == key
-        return v
-      end
+    if index = hash.find_index(key) and index > 0
+      return hash[index + 1]
     end
 
     nil
@@ -326,4 +324,26 @@ module Brakeman::Util
 
     context
   end
+
+  def truncate_table str
+    @terminal_width ||= ::HighLine::SystemExtensions::terminal_size[0]
+    lines = str.lines
+
+    lines.map do |line|
+      if line.chomp.length > @terminal_width
+        line[0..(@terminal_width - 3)] + ">>"
+      else
+        line
+      end
+    end.join
+  end
+
+  # rely on Terminal::Table to build the structure, extract the data out in CSV format
+  def table_to_csv table
+    output = CSV.generate_line(table.headings.cells.map{|cell| cell.to_s.strip})
+    table.rows.each do |row|
+      output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})
+    end
+    output
+  end  
 end