brakeman 1.9.5 → 2.0.0.pre2

checksums.yaml

@@ -1,7 +1,7 @@
 --- 
 SHA512: 
-  metadata.gz: 5fec83c0cb268acf3954ea08df30a173ad10b3121d4d30d18c1670de66cf17d01fde3d0649c28f5c5570938d9d4a13368af819f4d580800441c1cdf4b4873cd2
-  data.tar.gz: ff597aced590649b3a90cf2f895407f9e347a8a81b1f34337e2eff32310958c34bbe711985b70ce58f6f91eb658bc8d6db533819b881fb4d3ec9fa3842cb751e
+  data.tar.gz: 0fa96dca9b41558e7db8c55a2ec2a2e4dc95fc79afba243d0e656fe0c120fbe5b8c71c6c2216a4d27036efc5a57db9cd9661d2a2952e6b92f4c98777a4e26173
+  metadata.gz: 6ed79f61f202f946c7c417f2945ae57ebba267a4e4f46e45eb07fd0eddebe947046d907ff18775bb942073ec3ea00a2a8a9ccaf9b1b31e66d2afa8d62a95166b
 SHA1: 
-  metadata.gz: b4735612d0032bfd8a72f0feb285ee4e704a3a1a
-  data.tar.gz: 1898b18fbf38409a98ba3b5517f3896b057872c9
+  data.tar.gz: ca68abc07bbc2bafc9af02bcabab84d4756447b7
+  metadata.gz: fad7234ee850e69edbe9bacf2783605edbcf7b64

data/CHANGES

@@ -1,3 +1,30 @@
+# 2.0.0
+  
+ * Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
+ * Add Marshal/CSV deserialization check
+ * Combine deserialization checks into single check
+ * Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings
+ * Avoid duplicate results for Symbol DoS check
+ * Medium confidence for mass assignment to attr_protected models
+ * Remove "timestamp" key from JSON reports
+ * Remove deprecated config file locations
+ * Only treat classes with names containing `Controller` like controllers
+ * Better handling of classes nested inside controllers
+ * Better handling of controller classes nested in classes/modules
+ * Handle `->` lambdas with no arguments
+ * Handle explicit block argument destructuring
+ * Skip Rails config options that are real objects
+ * Detect Rails 3 JSON escape config option
+ * Much better tracking of warning file names
+ * Fix errors when using `--separate-models` (Noah Davis)
+ * Fix fingerprint generation to actually use the file path
+ * Fix text report console output in JRuby
+ * Fix false positives on `Model#id`
+ * Fix false positives on `params.to_json`
+ * Fix model path guesses to use "models/" instead of "controllers/"
+ * Clean up SQL CVE warning messages
+ * Use exceptions instead of abort in brakeman lib
+
 # 1.9.5
 
  * Add check for unsafe symbol creation

data/README.md

@@ -1,13 +1,16 @@
 ![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)
 
-[![Travis CI Status](https://secure.travis-ci.org/presidentbeef/brakeman.png)](https://travis-ci.org/presidentbeef/brakeman) [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/presidentbeef/brakeman)
+[![Travis CI
+Status](https://secure.travis-ci.org/presidentbeef/brakeman.png)](https://travis-ci.org/presidentbeef/brakeman)
+[![Code
+Climate](https://codeclimate.com/github/presidentbeef/brakeman.png)](https://codeclimate.com/github/presidentbeef/brakeman)
 
 # Brakeman
 
 Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
 
 It targets Rails versions 2.x and 3.x.
- 
+
 There is also a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenkins/Hudson.
 
 For even more continuous testing, try the [Guard plugin](https://github.com/oreoshake/guard-brakeman).

data/bin/brakeman

@@ -52,22 +52,27 @@ trap("INT") do
   exit!
 end
 
-if options[:previous_results_json]
-  vulns = Brakeman.compare options.merge(:quiet => options[:quiet])
-  puts MultiJson.dump(vulns, :pretty => true)
-
-  if options[:exit_on_warn] and (vulns[:new].count + vulns[:fixed].count > 0)
-    exit Brakeman::Warnings_Found_Exit_Code
-  end
-else
-  #Run scan and output a report
-  tracker = Brakeman.run options.merge(:print_report => true, :quiet => options[:quiet])
-
-  #Return error code if --exit-on-warn is used and warnings were found
-  if options[:exit_on_warn] and not tracker.checks.all_warnings.empty?
-    exit Brakeman::Warnings_Found_Exit_Code
-  end
+if options[:quiet].nil?
+  options[:quiet] = :command_line
 end
 
+begin
+  if options[:previous_results_json]
+    vulns = Brakeman.compare options.merge(:quiet => options[:quiet])
+    puts MultiJson.dump(vulns, :pretty => true)
 
+    if options[:exit_on_warn] and (vulns[:new].count + vulns[:fixed].count > 0)
+      exit Brakeman::Warnings_Found_Exit_Code
+    end
+  else
+    #Run scan and output a report
+    tracker = Brakeman.run options.merge(:print_report => true, :quiet => options[:quiet])
 
+    #Return error code if --exit-on-warn is used and warnings were found
+    if options[:exit_on_warn] and not tracker.checks.all_warnings.empty?
+      exit Brakeman::Warnings_Found_Exit_Code
+    end
+  end
+rescue Brakeman::Scanner::NoApplication => e
+  $stderr.puts e.message
+end

data/lib/brakeman.rb

@@ -40,7 +40,7 @@ module Brakeman
   #  * :safe_methods - array of methods to consider safe
   #  * :skip_libs - do not process lib/ directory (default: false)
   #  * :skip_checks - checks not to run (run all if not specified)
-  #  * :relative_path - show relative path of each file(default: false)
+  #  * :absolute_paths - show absolute path of each file (default: false)
   #  * :summary_only - only output summary section of report
   #                    (does not apply to tabs format)
   #
@@ -63,56 +63,51 @@ module Brakeman
       options = { :app_path => options }
     end
 
-    options[:app_path] = File.expand_path(options[:app_path])
-
-    file_options = load_options(options[:config_file])
+    if options[:quiet] == :command_line
+      command_line = true
+      options.delete :quiet
+    end
 
-    options = file_options.merge options
+    options = default_options.merge(load_options(options[:config_file], options[:quiet])).merge(options)
 
-    options[:quiet] = true if options[:quiet].nil? && file_options[:quiet]
+    if options[:quiet].nil? and not command_line
+      options[:quiet] = true
+    end
 
-    options = get_defaults.merge! options
+    options[:app_path] = File.expand_path(options[:app_path])
     options[:output_formats] = get_output_formats options
 
     options
   end
 
-  DEPRECATED_CONFIG_FILES = [
-    File.expand_path("./config.yaml"),
-    File.expand_path("~/.brakeman/config.yaml"),
-    File.expand_path("/etc/brakeman/config.yaml"),
-    "#{File.expand_path(File.dirname(__FILE__))}/../lib/config.yaml"
-  ]
-
   CONFIG_FILES = [
     File.expand_path("./config/brakeman.yml"),
     File.expand_path("~/.brakeman/config.yml"),
-    File.expand_path("/etc/brakeman/config.yml"),
+    File.expand_path("/etc/brakeman/config.yml")
   ]
 
   #Load options from YAML file
-  def self.load_options custom_location
+  def self.load_options custom_location, quiet
     #Load configuration file
     if config = config_file(custom_location)
       options = YAML.load_file config
       options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
-      notify "[Notice] Using configuration in #{config}" unless options[:quiet]
+      
+      # notify if options[:quiet] and quiet is nil||false
+      notify "[Notice] Using configuration in #{config}" unless (options[:quiet] || quiet)
       options
     else
       {}
     end
   end
 
-  def self.config_file(custom_location=nil)
-    DEPRECATED_CONFIG_FILES.each do |f|
-      notify "#{f} is deprecated, please use one of #{CONFIG_FILES.join(", ")}" if File.file?(f)
-    end
-    supported_locations = [File.expand_path(custom_location || "")] + DEPRECATED_CONFIG_FILES + CONFIG_FILES
-    supported_locations.detect{|f| File.file?(f) }
+  def self.config_file custom_location = nil
+    supported_locations = [File.expand_path(custom_location || "")] + CONFIG_FILES
+    supported_locations.detect {|f| File.file?(f) }
   end
 
   #Default set of options
-  def self.get_defaults
+  def self.default_options
     { :assume_all_routes => true,
       :skip_checks => Set.new,
       :check_arguments => true,
@@ -126,7 +121,6 @@ module Brakeman
       :message_limit => 100,
       :parallel_checks => true,
       :relative_path => false,
-      :quiet => true,
       :report_progress => true,
       :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css"
     }
@@ -140,61 +134,80 @@ module Brakeman
       raise ArgumentError, "Cannot specify output format if multiple output files specified"
     end
     if options[:output_format]
-      [
-        case options[:output_format]
-        when :html, :to_html
-          :to_html
-        when :csv, :to_csv
-          :to_csv
-        when :pdf, :to_pdf
-          :to_pdf
-        when :tabs, :to_tabs
-          :to_tabs
-        when :json, :to_json
-          :to_json
-        else
-          :to_s
-        end
-      ]
+      get_formats_from_output_format options[:output_format]
+    elsif options[:output_files]
+      get_formats_from_output_files options[:output_files]
+    else
+      return [:to_s]
+    end
+  end
+  
+  def self.get_formats_from_output_format output_format
+    case output_format
+    when :html, :to_html
+      [:to_html]
+    when :csv, :to_csv
+      [:to_csv]
+    when :pdf, :to_pdf
+      [:to_pdf]
+    when :tabs, :to_tabs
+      [:to_tabs]
+    when :json, :to_json
+      [:to_json]
     else
-      return [:to_s] unless options[:output_files]
-      options[:output_files].map do |output_file|
-        case output_file
-        when /\.html$/i
-          :to_html
-        when /\.csv$/i
-          :to_csv
-        when /\.pdf$/i
-          :to_pdf
-        when /\.tabs$/i
-          :to_tabs
-        when /\.json$/i
-          :to_json
-        else
-          :to_s
-        end
+      [:to_s]
+    end
+  end
+  private_class_method :get_formats_from_output_format
+  
+  def self.get_formats_from_output_files output_files
+    output_files.map do |output_file|
+      case output_file
+      when /\.html$/i
+        :to_html
+      when /\.csv$/i
+        :to_csv
+      when /\.pdf$/i
+        :to_pdf
+      when /\.tabs$/i
+        :to_tabs
+      when /\.json$/i
+        :to_json
+      else
+        :to_s
       end
     end
   end
+  private_class_method :get_formats_from_output_files
 
   #Output list of checks (for `-k` option)
   def self.list_checks
     require 'brakeman/scanner'
+    format_length = 30
+    
     $stderr.puts "Available Checks:"
-    $stderr.puts "-" * 30
-    $stderr.puts Checks.checks.map { |c|
-      c.to_s.match(/^Brakeman::(.*)$/)[1].ljust(27) << c.description
-    }.sort.join "\n"
+    $stderr.puts "-" * format_length
+    Checks.checks.each do |check|
+      $stderr.printf("%-#{format_length}s%s\n", check.name, check.description)
+    end
   end
 
   #Installs Rake task for running Brakeman,
   #which basically means copying `lib/brakeman/brakeman.rake` to
   #`lib/tasks/brakeman.rake` in the current Rails application.
-  def self.install_rake_task
-    if not File.exists? "Rakefile"
-      abort "No Rakefile detected"
-    elsif File.exists? "lib/tasks/brakeman.rake"
-      abort "Task already exists"
+  def self.install_rake_task install_path = nil
+    if install_path
+      rake_path = File.join(install_path, "Rakefile")
+      task_path = File.join(install_path, "lib", "tasks", "brakeman.rake")
+    else
+      rake_path = "Rakefile"
+      task_path = File.join("lib", "tasks", "brakeman.rake")
+    end
+
+    if not File.exists? rake_path
+      raise RakeInstallError, "No Rakefile detected"
+    elsif File.exists? task_path
+      raise RakeInstallError, "Task already exists"
     end
 
     require 'fileutils'
@@ -206,13 +219,13 @@ module Brakeman
 
     path = File.expand_path(File.dirname(__FILE__))
 
-    FileUtils.cp "#{path}/brakeman/brakeman.rake", "lib/tasks/brakeman.rake"
+    FileUtils.cp "#{path}/brakeman/brakeman.rake", task_path
 
-    if File.exists? "lib/tasks/brakeman.rake"
-      notify "Task created in lib/tasks/brakeman.rake"
+    if File.exists? task_path
+      notify "Task created in #{task_path}"
       notify "Usage: rake brakeman:run[output_file]"
     else
-      notify "Could not create task"
+      raise RakeInstallError, "Could not create task"
     end
   end
 
@@ -251,7 +264,7 @@ module Brakeman
     begin
       require 'brakeman/scanner'
     rescue LoadError
-      abort "Cannot find lib/ directory."
+      raise NoBrakemanError, "Cannot find lib/ directory."
     end
 
     #Start scanning
@@ -270,22 +283,32 @@ module Brakeman
     if options[:output_files]
       notify "Generating report..."
 
-      options[:output_files].each_with_index do |output_file, idx|
-        File.open output_file, "w" do |f|
-          f.write tracker.report.send(options[:output_formats][idx])
-        end
-        notify "Report saved in '#{output_file}'"
-      end
+      write_report_to_files tracker, options[:output_files]
     elsif options[:print_report]
       notify "Generating report..."
 
-      options[:output_formats].each do |output_format|
-        puts tracker.report.send(output_format)
-      end
+      write_report_to_formats tracker, options[:output_formats]
     end
 
     tracker
   end
+  
+  def self.write_report_to_files tracker, output_files
+    output_files.each_with_index do |output_file, idx|
+      File.open output_file, "w" do |f|
+        f.write tracker.report.format(output_file)
+      end
+      notify "Report saved in '#{output_file}'"
+    end
+  end
+  private_class_method :write_report_to_files
+  
+  def self.write_report_to_formats tracker, output_formats
+    output_formats.each do |output_format|
+      puts tracker.report.format(output_format)
+    end
+  end
+  private_class_method :write_report_to_formats
 
   #Rescan a subset of files in a Rails application.
   #
@@ -336,4 +359,7 @@ module Brakeman
 
     Brakeman::Differ.new(new_results, previous_results).diff
   end
+
+  class RakeInstallError < RuntimeError; end
+  class NoBrakemanError < RuntimeError; end
 end

data/lib/brakeman/app_tree.rb

@@ -8,17 +8,20 @@ module Brakeman
       root = options[:app_path]
 
       # Convert files into Regexp for matching
+      init_options = {}
       if options[:skip_files]
-        list = "(?:" << options[:skip_files].map { |f| Regexp.escape f }.join("|") << ")$"
-        new(root, Regexp.new(list))
-      else
-        new(root)
+        init_options[:skip_files] = Regexp.new("(?:" << options[:skip_files].map { |f| Regexp.escape f }.join("|") << ")$")
       end
+      if options[:only_files]
+        init_options[:only_files] = Regexp.new("(?:" << options[:only_files].map { |f| Regexp.escape f }.join("|") << ")")
+      end
+      new(root, init_options)
     end
 
-    def initialize(root, skip_files = nil)
+    def initialize(root, init_options = {})
       @root = root
-      @skip_files = skip_files
+      @skip_files = init_options[:skip_files]
+      @only_files = init_options[:only_files]
     end
 
     def expand_path(path)
@@ -76,14 +79,22 @@ module Brakeman
     def find_paths(directory, extensions = "*.rb")
       pattern = @root + "/#{directory}/**/#{extensions}"
 
-      Dir.glob(pattern).sort.tap do |paths|
-        reject_skipped_files(paths)
-      end
+      select_files(Dir.glob(pattern).sort)
+    end
+
+    def select_files(paths)
+      paths = select_only_files(paths)
+      reject_skipped_files(paths)
+    end
+
+    def select_only_files(paths)
+      return paths unless @only_files
+      paths.select { |f| @only_files.match f }
     end
 
     def reject_skipped_files(paths)
-      return unless @skip_files
-      paths.reject! { |f| @skip_files.match f }
+      return paths unless @skip_files
+      paths.reject { |f| @skip_files.match f }
     end
 
   end