brakeman 1.8.3 → 1.9.0.pre1

data/lib/brakeman/processors/lib/render_helper.rb

@@ -92,7 +92,7 @@ module Brakeman::RenderHelper
 
       if hash? options[:locals]
         hash_iterate options[:locals] do |key, value|
-          template_env[Sexp.new(:call, nil, key.value, Sexp.new(:arglist))] = value
+          template_env[Sexp.new(:call, nil, key.value)] = value
         end
       end
 
@@ -111,7 +111,7 @@ module Brakeman::RenderHelper
 
         collection = get_class_target(options[:collection]) || Brakeman::Tracker::UNKNOWN_MODEL
 
-        template_env[Sexp.new(:call, nil, variable, Sexp.new(:arglist))] = Sexp.new(:call, Sexp.new(:const, collection), :new, Sexp.new(:arglist))
+        template_env[Sexp.new(:call, nil, variable)] = Sexp.new(:call, Sexp.new(:const, collection), :new)
       end
 
       #Set original_line for values so it is clear

data/lib/brakeman/processors/library_processor.rb

@@ -49,7 +49,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
       @tracker.libs[name] = @current_class
     end
 
-    exp.body = process exp.body
+    exp.body = process_all! exp.body
 
     if outer_class
       @current_class = outer_class
@@ -86,7 +86,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
       @tracker.libs[name] = @current_module
     end
 
-    exp.body = process exp.body
+    exp.body = process_all! exp.body
 
     if outer_class
       @current_module = outer_class

data/lib/brakeman/processors/model_processor.rb

@@ -19,7 +19,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     process src
   end
 
-  #s(:class, NAME, PARENT, s(:scope ...))
+  #s(:class, NAME, PARENT, BODY)
   def process_class exp
     name = class_name exp.class_name
 
@@ -44,9 +44,9 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
         :associations => {},
         :file => @file_name }
       @tracker.models[@model[:name]] = @model
-      res = process exp.body
+      exp.body = process_all! exp.body
       @model = nil
-      res
+      exp
     end
   end
 
@@ -60,12 +60,12 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     end
 
     method = exp.method
-    args = exp.args
+    first_arg = exp.first_arg
 
     #Methods called inside class definition
     #like attr_* and other settings
     if @current_method.nil? and target.nil?
-      if args.empty?
+      if first_arg.nil?
         case method
         when :private, :protected, :public
           @visibility = method
@@ -77,11 +77,15 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
       else
         case method
         when :include
-          @model[:includes] << class_name(args.first) if @model
+          @model[:includes] << class_name(first_arg) if @model
         when :attr_accessible
           @model[:attr_accessible] ||= []
-          args = args.map do |e|
-            e[1]
+          args = []
+
+          exp.each_arg do |e|
+            if node_type? e, :lit
+              args << e.value
+            end
           end
 
           @model[:attr_accessible].concat args
@@ -92,14 +96,14 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
               @model[:associations][method].concat exp.args
             else
               @model[:options][method] ||= []
-              @model[:options][method] << exp.arglist
+              @model[:options][method] << exp.arglist.line(exp.line)
             end
           end
         end
       end
       ignore
     else
-      call = Sexp.new :call, target, method, process(exp.arglist)
+      call = make_call target, method, process_all!(exp.args)
       call.line(exp.line)
       call
     end
@@ -111,7 +115,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     name = exp.method_name
 
     @current_method = name
-    res = Sexp.new :methdef, name, exp[2], process(exp.body.value)
+    res = Sexp.new :methdef, name, exp.formal_args, *process_all!(exp.body)
     res.line(exp.line)
     @current_method = nil
     if @model
@@ -133,7 +137,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
     end
 
     @current_method = name
-    res = Sexp.new :selfdef, target, name, exp[3], process(exp.body.value)
+    res = Sexp.new :selfdef, target, name, exp.formal_args, *process_all!(exp.body)
     res.line(exp.line)
     @current_method = nil
     if @model

data/lib/brakeman/processors/output_processor.rb

@@ -14,6 +14,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
   end
 
   alias process_safely format
+  alias process_methdef process_defn
 
   def process exp
     begin
@@ -100,7 +101,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
 
   def process_call_with_block exp
     call = process exp[0]
-    block = process exp[1] if exp[1]
+    block = process_rlist exp[2..-1]
     out = "#{call} do\n #{block}\n end"
     exp.clear
     out

data/lib/brakeman/processors/template_alias_processor.rb

@@ -1,6 +1,7 @@
 require 'set'
 require 'brakeman/processors/alias_processor'
 require 'brakeman/processors/lib/render_helper'
+require 'brakeman/tracker'
 
 #Processes aliasing in templates.
 #Handles calls to +render+.
@@ -37,32 +38,35 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
     name
   end
 
+  UNKNOWN_MODEL_CALL = Sexp.new(:call, Sexp.new(:const, Brakeman::Tracker::UNKNOWN_MODEL), :new)
+  FORM_BUILDER_CALL = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new)
+
   #Looks for form methods and iterating over collections of Models
   def process_call_with_block exp
     process_default exp
-    
+
     call = exp.block_call
 
     if call? call
       target = call.target
       method = call.method
-      args = exp.block_args
+      arg = exp.block_args.first_param
       block = exp.block
 
       #Check for e.g. Model.find.each do ... end
-      if method == :each and args and block and model = get_model_target(target)
-        if node_type? args, :lasgn
+      if method == :each and arg and block and model = get_model_target(target)
+        if arg.is_a? Symbol
           if model == target.target
-            env[Sexp.new(:lvar, args.lhs)] = Sexp.new(:call, model, :new, Sexp.new(:arglist))
+            env[Sexp.new(:lvar, arg)] = Sexp.new(:call, model, :new)
           else
-            env[Sexp.new(:lvar, args.lhs)] = Sexp.new(:call, Sexp.new(:const, Brakeman::Tracker::UNKNOWN_MODEL), :new, Sexp.new(:arglist))
+            env[Sexp.new(:lvar, arg)] = UNKNOWN_MODEL_CALL
           end
 
           process block if sexp? block
         end
       elsif FORM_METHODS.include? method
-        if node_type? args, :lasgn
-          env[Sexp.new(:lvar, args.lhs)] = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist)) 
+        if arg.is_a? Symbol
+          env[Sexp.new(:lvar, arg)] = FORM_BUILDER_CALL
 
           process block if sexp? block
         end

data/lib/brakeman/report.rb

@@ -40,7 +40,8 @@ class Brakeman::Report
                      "<span class='med-confidence'>Medium</span>",
                      "<span class='weak-confidence'>Weak</span>" ]
 
-  def initialize tracker
+  def initialize(app_tree, tracker)
+    @app_tree = app_tree
     @tracker = tracker
     @checks = tracker.checks
     @element_id = 0 #Used for HTML ids
@@ -158,7 +159,7 @@ class Brakeman::Report
       end
 
       return nil if warnings.empty?
-      
+
       stabilizer = 0
       warnings = warnings.sort_by{|row| stabilizer += 1; [row["Confidence"], row["Warning Type"], row["Template"], stabilizer]}
       if html
@@ -232,7 +233,7 @@ class Brakeman::Report
       end
 
       return nil if warnings.empty?
-      
+
       stabilizer = 0
       warnings = warnings.sort_by{|row| stabilizer +=1; [row["Confidence"], row["Warning Type"], row["Controller"], stabilizer]}
 
@@ -318,7 +319,7 @@ class Brakeman::Report
     else
       output = ''
       template_rows.each do |template|
-        output << template.first.to_s << "\n\n" 
+        output << template.first.to_s << "\n\n"
         table = Terminal::Table.new(:headings => ['Output']) do |t|
           # template[1] is an array of calls
           template[1].each do |v|
@@ -392,7 +393,7 @@ class Brakeman::Report
     res = generate_controller_warnings
     out << "\n\n\nController Warnings:\n\n" << truncate_table(res.to_s) if res
 
-    res = generate_model_warnings 
+    res = generate_model_warnings
     out << "\n\n\nModel Warnings:\n\n" << truncate_table(res.to_s) if res
 
     res = generate_template_warnings
@@ -404,8 +405,8 @@ class Brakeman::Report
 
   #Generate CSV output
   def to_csv
-    output = csv_header 
-    output << "\nSUMMARY\n" 
+    output = csv_header
+    output << "\nSUMMARY\n"
 
     output << table_to_csv(generate_overview) << "\n"
 
@@ -437,7 +438,7 @@ class Brakeman::Report
     output << table_to_csv(res) << "\n" if res
 
     output << "Model Warnings\n"
-    res = generate_model_warnings 
+    res = generate_model_warnings
     output << table_to_csv(res) << "\n" if res
 
     res = generate_template_warnings
@@ -475,7 +476,17 @@ class Brakeman::Report
 
   #Generate header for text output
   def text_header
-    "\n+BRAKEMAN REPORT+\n\nApplication path: #{File.expand_path tracker.options[:app_path]}\nRails version: #{rails_version}\nGenerated at #{Time.now}\nChecks run: #{checks.checks_run.sort.join(", ")}\n"
+    <<-HEADER
+
++BRAKEMAN REPORT+
+
+Application path: #{File.expand_path tracker.options[:app_path]}
+Rails version: #{rails_version}
+Brakeman version: #{Brakeman::Version}
+Started at #{tracker.start_time}
+Duration: #{tracker.duration} seconds
+Checks run: #{checks.checks_run.sort.join(", ")}
+HEADER
   end
 
   #Generate header for CSV output
@@ -532,11 +543,11 @@ class Brakeman::Report
 
   #Generate HTML for warnings, including context show/hidden via Javascript
   def with_context warning, message
-    context = context_for warning
+    context = context_for(@app_tree, warning)
     full_message = nil
 
     if tracker.options[:message_limit] and
-      tracker.options[:message_limit] > 0 and 
+      tracker.options[:message_limit] > 0 and
       message.length > tracker.options[:message_limit]
 
       full_message = html_message(warning, message)
@@ -647,12 +658,12 @@ class Brakeman::Report
         else
           w.code = ""
         end
-        w.context = context_for(w).join("\n")
+        w.context = context_for(@app_tree, w).join("\n")
       end
     end
 
     report[:config] = tracker.config
-      
+
     report
   end
 
@@ -670,7 +681,10 @@ class Brakeman::Report
       :app_path => File.expand_path(tracker.options[:app_path]),
       :rails_version => rails_version,
       :security_warnings => all_warnings.length,
-      :timestamp => Time.now.to_s,
+      :start_time => tracker.start_time.to_s,
+      :end_time => tracker.end_time.to_s,
+      :timestamp => tracker.end_time.to_s,
+      :duration => tracker.duration,
       :checks_performed => checks.checks_run.sort,
       :number_of_controllers =>tracker.controllers.length,
       # ignore the "fake" model

data/lib/brakeman/rescanner.rb

@@ -12,7 +12,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def initialize options, processor, changed_files
     super(options, processor)
 
-    @paths = changed_files.map {|f| File.expand_path f, tracker.options[:app_path] }
+    @paths = changed_files.map {|f| @app_tree.expand_path(f) }
     @old_results = tracker.checks  #Old warnings from previous scan
     @changes = nil                 #True if files had to be rescanned
     @reindex = Set.new
@@ -66,7 +66,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def rescan_file path, type = nil
     type ||= file_type path
 
-    unless File.exist? path
+    unless @app_tree.path_exists?(path)
       return rescan_deleted_file path, type
     end
 
@@ -128,7 +128,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_template path
-    return unless path.match KNOWN_TEMPLATE_EXTENSIONS and File.exist? path
+    return unless path.match KNOWN_TEMPLATE_EXTENSIONS and @app_tree.path_exists?(path)
 
     template_name = template_path_to_name(path)
 
@@ -177,7 +177,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   def rescan_model path
     num_models = tracker.models.length
     tracker.reset_model path
-    process_model path if File.exists? path
+    process_model path if @app_tree.path_exists?(path)
 
     #Only need to rescan other things if a model is added or removed
     if num_models != tracker.models.length
@@ -190,7 +190,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_lib path
-    process_lib path if File.exists? path
+    process_lib path if @app_tree.path_exists?(path)
 
     lib = nil
 

data/lib/brakeman/scanner.rb

@@ -1,13 +1,7 @@
 require 'rubygems'
 begin
-  if RUBY_VERSION =~ /^1\.9/
-    #Load our own version of ruby_parser :'(
-    require 'ruby_parser/ruby_parser.rb'
-  else
-    require 'ruby_parser'
-    require 'ruby_parser/bm_sexp.rb'
-  end
-
+  require 'ruby_parser'
+  require 'ruby_parser/bm_sexp.rb'
   require 'ruby_parser/bm_sexp_processor.rb'
 
   require 'haml'
@@ -15,6 +9,7 @@ begin
   require 'erb'
   require 'erubis'
   require 'brakeman/processor'
+  require 'brakeman/app_tree'
   require 'brakeman/parsers/rails2_erubis'
   require 'brakeman/parsers/rails2_xss_plugin_erubis'
   require 'brakeman/parsers/rails3_erubis'
@@ -34,23 +29,19 @@ class Brakeman::Scanner
   #Pass in path to the root of the Rails application
   def initialize options, processor = nil
     @options = options
-    @report_progress = options[:report_progress]
-    @path = options[:app_path]
-    @app_path = File.join(@path, "app")
-    @processor = processor || Brakeman::Processor.new(options)
-    @skip_files = nil
-
-    #Convert files into Regexp for matching
-    if options[:skip_files]
-      list = "(?:" << options[:skip_files].map { |f| Regexp.escape f }.join("|") << ")$"
-      @skip_files = Regexp.new(list)
+    @app_tree = Brakeman::AppTree.from_options(options)
+
+    if !@app_tree.root || !@app_tree.exists?("app")
+      abort("Please supply the path to a Rails application.")
     end
 
-    if RUBY_1_9
-      @ruby_parser = ::Ruby19Parser
-    else
-      @ruby_parser = ::RubyParser
+    if @app_tree.exists?("script/rails")
+      options[:rails3] = true
+      Brakeman.notify "[Notice] Detected Rails 3 application"
     end
+
+    @ruby_parser = ::RubyParser
+    @processor = processor || Brakeman::Processor.new(@app_tree, options)
   end
 
   #Returns the Tracker generated from the scan
@@ -93,7 +84,7 @@ class Brakeman::Scanner
       process_config_file "gems.rb"
     end
 
-    if File.exists? "#@path/vendor/plugins/rails_xss" or
+    if @app_tree.exists?("vendor/plugins/rails_xss") or
       options[:rails3] or options[:escape_html]
 
       tracker.config[:escape_html] = true
@@ -102,8 +93,10 @@ class Brakeman::Scanner
   end
 
   def process_config_file file
-    if File.exists? "#@path/config/#{file}"
-      @processor.process_config(parse_ruby(File.read("#@path/config/#{file}")))
+    path = "config/#{file}"
+
+    if @app_tree.exists?(path)
+      @processor.process_config(parse_ruby(@app_tree.read(path)))
     end
 
   rescue Exception => e
@@ -115,11 +108,11 @@ class Brakeman::Scanner
 
   #Process Gemfile
   def process_gems
-    if File.exists? "#@path/Gemfile"
-      if File.exists? "#@path/Gemfile.lock"
-        @processor.process_gems(parse_ruby(File.read("#@path/Gemfile")), File.read("#@path/Gemfile.lock"))
+    if @app_tree.exists? "Gemfile"
+      if @app_tree.exists? "Gemfile.lock"
+        @processor.process_gems(parse_ruby(@app_tree.read("Gemfile")), @app_tree.read("Gemfile.lock"))
       else
-        @processor.process_gems(parse_ruby(File.read("#@path/Gemfile")))
+        @processor.process_gems(parse_ruby(@app_tree.read("Gemfile")))
       end
     end
   rescue Exception => e
@@ -131,10 +124,7 @@ class Brakeman::Scanner
   #
   #Adds parsed information to tracker.initializers
   def process_initializers
-    initializer_files = Dir.glob(@path + "/config/initializers/**/*.rb").sort
-    initializer_files.reject! { |f| @skip_files.match f } if @skip_files
-
-    initializer_files.each do |f|
+    @app_tree.initializer_paths.each do |f|
       process_initializer f
     end
   end
@@ -142,7 +132,7 @@ class Brakeman::Scanner
   #Process an initializer
   def process_initializer path
     begin
-      @processor.process_initializer(path, parse_ruby(File.read(path)))
+      @processor.process_initializer(path, parse_ruby(@app_tree.read_path(path)))
     rescue Racc::ParseError => e
       tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
     rescue Exception => e
@@ -159,19 +149,13 @@ class Brakeman::Scanner
       return
     end
 
-    lib_files = Dir.glob(@path + "/lib/**/*.rb").sort
-    lib_files.reject! { |f| @skip_files.match f } if @skip_files
-
-    total = lib_files.length
+    total = @app_tree.lib_paths.length
     current = 0
 
-    lib_files.each do |f|
+    @app_tree.lib_paths.each do |f|
       Brakeman.debug "Processing #{f}"
-      if @report_progress
-        $stderr.print " #{current}/#{total} files processed\r"
-        current += 1
-      end
-
+      report_progress(current, total)
+      current += 1
       process_lib f
     end
   end
@@ -179,7 +163,7 @@ class Brakeman::Scanner
   #Process a library
   def process_lib path
     begin
-      @processor.process_lib parse_ruby(File.read(path)), path
+      @processor.process_lib parse_ruby(@app_tree.read_path(path)), path
     rescue Racc::ParseError => e
       tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
     rescue Exception => e
@@ -191,9 +175,9 @@ class Brakeman::Scanner
   #
   #Adds parsed information to tracker.routes
   def process_routes
-    if File.exists? "#@path/config/routes.rb"
+    if @app_tree.exists?("config/routes.rb")
       begin
-        @processor.process_routes parse_ruby(File.read("#@path/config/routes.rb"))
+        @processor.process_routes parse_ruby(@app_tree.read("config/routes.rb"))
       rescue Exception => e
         tracker.error e.exception(e.message + "\nWhile processing routes.rb"), e.backtrace
         Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
@@ -208,19 +192,13 @@ class Brakeman::Scanner
   #
   #Adds processed controllers to tracker.controllers
   def process_controllers
-    controller_files = Dir.glob(@app_path + "/controllers/**/*.rb").sort
-    controller_files.reject! { |f| @skip_files.match f } if @skip_files
-
-    total = controller_files.length
+    total = @app_tree.controller_paths.length
     current = 0
 
-    controller_files.each do |f|
+    @app_tree.controller_paths.each do |f|
       Brakeman.debug "Processing #{f}"
-      if @report_progress
-        $stderr.print " #{current}/#{total} files processed\r"
-        current += 1
-      end
-
+      report_progress(current, total)
+      current += 1
       process_controller f
     end
 
@@ -231,11 +209,8 @@ class Brakeman::Scanner
 
     tracker.controllers.sort_by{|name| name.to_s}.each do |name, controller|
       Brakeman.debug "Processing #{name}"
-      if @report_progress
-        $stderr.print " #{current}/#{total} controllers processed\r"
-        current += 1
-      end
-
+      report_progress(current, total, "controllers")
+      current += 1
       @processor.process_controller_alias name, controller[:src]
     end
 
@@ -245,7 +220,7 @@ class Brakeman::Scanner
 
   def process_controller path
     begin
-      @processor.process_controller(parse_ruby(File.read(path)), path)
+      @processor.process_controller(parse_ruby(@app_tree.read_path(path)), path)
     rescue Racc::ParseError => e
       tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
     rescue Exception => e
@@ -257,23 +232,15 @@ class Brakeman::Scanner
   #
   #Adds processed views to tracker.views
   def process_templates
-
-    views_path = @app_path + "/views/**/*.{html.erb,html.haml,rhtml,js.erb}"
     $stdout.sync = true
-    count = 0
 
-    template_files = Dir.glob(views_path).sort
-    template_files.reject! { |f| @skip_files.match f } if @skip_files
-
-    total = template_files.length
+    count = 0
+    total = @app_tree.template_paths.length
 
-    template_files.each do |path|
+    @app_tree.template_paths.each do |path|
       Brakeman.debug "Processing #{path}"
-      if @report_progress
-        $stderr.print " #{count}/#{total} files processed\r"
-        count += 1
-      end
-
+      report_progress(count, total)
+      count += 1
       process_template path
     end
 
@@ -284,11 +251,8 @@ class Brakeman::Scanner
 
     tracker.templates.keys.dup.sort_by{|name| name.to_s}.each do |name|
       Brakeman.debug "Processing #{name}"
-      if @report_progress
-        count += 1
-        $stderr.print " #{count}/#{total} templates processed\r"
-      end
-
+      report_progress(count, total, "templates")
+      count += 1
       @processor.process_template_alias tracker.templates[name]
     end
   end
@@ -297,7 +261,7 @@ class Brakeman::Scanner
     type = path.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
     type = :erb if type == :rhtml
     name = template_path_to_name path
-    text = File.read path
+    text = @app_tree.read_path path
 
     begin
       if type == :erb
@@ -349,27 +313,20 @@ class Brakeman::Scanner
   #
   #Adds the processed models to tracker.models
   def process_models
-    model_files = Dir.glob(@app_path + "/models/**/*.rb").sort
-    model_files.reject! { |f| @skip_files.match f } if @skip_files
-
-    total = model_files.length
+    total = @app_tree.model_paths.length
     current = 0
 
-    model_files.each do |f|
+    @app_tree.model_paths.each do |f|
       Brakeman.debug "Processing #{f}"
-      if @report_progress
-        $stderr.print " #{current}/#{total} files processed\r"
-        current += 1
-      end
-
+      report_progress(current, total)
+      current += 1
       process_model f
-
     end
   end
 
   def process_model path
     begin
-      @processor.process_model(parse_ruby(File.read(path)), path)
+      @processor.process_model(parse_ruby(@app_tree.read_path(path)), path)
     rescue Racc::ParseError => e
       tracker.error e, "could not parse #{path}"
     rescue Exception => e
@@ -377,6 +334,11 @@ class Brakeman::Scanner
     end
   end
 
+  def report_progress(current, total, type = "files")
+    return unless @options[:report_progress]
+    $stderr.print " #{current}/#{total} #{type} processed\r"
+  end
+
   def index_call_sites
     tracker.index_call_sites
   end