brakeman 2.0.0 → 2.1.0

data/lib/brakeman/report/ignore/config.rb

@@ -0,0 +1,130 @@
+require 'set'
+require 'multi_json'
+
+module Brakeman
+  class IgnoreConfig
+    attr_reader :shown_warnings, :ignored_warnings
+    attr_accessor :file
+
+    def initialize file, new_warnings
+      @file = file
+      @new_warnings = new_warnings
+      @already_ignored = []
+      @ignored_fingerprints = Set.new
+      @notes = {}
+      @shown_warnings = @ignored_warnings = nil
+    end
+
+    # Populate ignored_warnings and shown_warnings based on ignore
+    # configuration
+    def filter_ignored
+      @shown_warnings = []
+      @ignored_warnings = []
+
+      @new_warnings.each do |w|
+        if ignored? w
+          @ignored_warnings << w
+        else
+          @shown_warnings << w
+        end
+      end
+
+      @shown_warnings
+    end
+
+    # Remove warning from ignored list
+    def unignore warning
+      @ignored_fingerprints.delete warning.fingerprint
+      @already_ignored.reject! do |w|
+        w[:fingerprint] == warning.fingerprint
+      end
+    end
+
+    # Determine if warning should be ignored
+    def ignored? warning
+      @ignored_fingerprints.include? warning.fingerprint
+    end
+
+    def ignore warning
+      @ignored_fingerprints << warning.fingerprint
+    end
+
+    # Add note for warning
+    def add_note warning, note
+      @notes[warning.fingerprint] = note
+    end
+
+    # Retrieve note for warning if it exists. Returns nil if no
+    # note is found
+    def note_for warning
+      if warning.is_a? Warning
+        fingerprint = warning.fingerprint
+      else
+        fingerprint = warning[:fingerprint]
+      end
+
+      @already_ignored.each do |w|
+        if fingerprint == w[:fingerprint]
+          return w[:note]
+        end
+      end
+
+      nil
+    end
+
+    # Read configuration to file
+    def read_from_file file = @file
+      if File.exist? file
+        @already_ignored = MultiJson.load(File.read(file), :symbolize_keys => true)[:ignored_warnings]
+      else
+        Brakeman.notify "[Notice] Could not find ignore configuration in #{file}"
+        @already_ignored = []
+      end
+
+      @already_ignored.each do |w|
+        @ignored_fingerprints << w[:fingerprint]
+        @notes[w[:fingerprint]] = w[:note]
+      end
+    end
+
+    # Save configuration to file
+    def save_to_file warnings, file = @file
+      warnings = warnings.map do |w|
+        if w.is_a? Warning
+          w_hash = w.to_hash
+          w_hash[:file] = w.relative_path
+          w = w_hash
+        end
+
+        w[:note] = @notes[w[:fingerprint]] || ""
+        w
+      end
+
+      output = {
+        :ignored_warnings => warnings,
+        :updated => Time.now.to_s,
+        :brakeman_version => Brakeman::Version
+      }
+
+      File.open file, "w" do |f|
+        f.puts MultiJson.dump(output, :pretty => true)
+      end
+    end
+
+    # Save old ignored warnings and newly ignored ones
+    def save_with_old
+      warnings = @ignored_warnings.dup
+
+      # Only add ignored warnings not already ignored
+      @already_ignored.each do |w|
+        fingerprint = w[:fingerprint]
+
+        unless @ignored_warnings.find { |w| w.fingerprint == fingerprint }
+          warnings << w
+        end
+      end
+
+      save_to_file warnings
+    end
+  end
+end

data/lib/brakeman/report/ignore/interactive.rb

@@ -0,0 +1,311 @@
+Brakeman.load_dependency 'highline'
+
+module Brakeman
+  class InteractiveIgnorer
+    def initialize file, warnings
+      @ignore_config = Brakeman::IgnoreConfig.new(file, warnings)
+      @new_warnings = warnings
+      @skip_ignored = false
+      @skip_rest = false
+      @ignore_rest = false
+      @quit = false
+      @restart = false
+    end
+
+    def start
+      file_menu
+      initial_menu
+
+      @ignore_config.filter_ignored
+
+      unless @quit
+        final_menu
+      end
+
+      if @restart
+        @restart = false
+        start
+      end
+
+      @ignore_config
+    end
+
+    private
+
+    def file_menu
+      loop do
+        @ignore_config.file = HighLine.new.ask "Input file: " do |q|
+          if @ignore_config.file and not @ignore_config.file.empty?
+            q.default = @ignore_config.file
+          else
+            q.default = "config/brakeman.ignore"
+          end
+        end
+
+        if File.exist? @ignore_config.file
+          @ignore_config.read_from_file
+          return
+        else
+          if yes_or_no "No such file. Continue with empty config? "
+            return
+          end
+        end
+      end
+    end
+
+    def initial_menu
+      HighLine.new.choose do |m|
+        m.choice "Inspect all warnings" do
+          @skip_ignored = false
+          process_warnings
+        end
+
+        m.choice "Hide previously ignored warnings" do
+          @skip_ignored = true
+          process_warnings
+        end
+
+        m.choice "Skip - use current ignore configuration" do
+          @quit = true
+          @ignore_config.filter_ignored
+        end
+      end
+    end
+
+    def warning_menu
+      HighLine.new.choose do |m|
+        m.prompt = "Action: "
+        m.layout = :one_line
+        m.list_option = ", "
+        m.select_by = :name
+
+        m.choice "i"
+        m.choice "n"
+        m.choice "k"
+        m.choice "u"
+        m.choice "a"
+        m.choice "s"
+        m.choice "q"
+        m.choice "?" do
+          say <<-HELP
+i - Add warning to ignore list
+n - Add warning to ignore list and add note
+s - Skip this warning (will remain ignored or shown)
+u - Remove this warning from ignore list
+a - Ignore this warning and all remaining warnings
+k - Skip this warning and all remaining warnings
+q - Quit, do not update ignored warnings
+? - Display this help
+          HELP
+
+          "?"
+        end
+      end
+    end
+
+    def final_menu
+      summarize_changes
+
+      HighLine.new.choose do |m|
+        m.choice "Save changes" do
+          save
+        end
+
+        m.choice "Start over" do
+          start_over
+        end
+
+        m.choice "Quit, do not save changes" do
+          quit
+        end
+      end
+    end
+
+    def save
+      @ignore_config.file = HighLine.new.ask "Output file: " do |q|
+        if @ignore_config.file and not @ignore_config.file.empty?
+          q.default = @ignore_config.file
+        else
+          q.default = "config/brakeman.ignore"
+        end
+      end
+
+      @ignore_config.save_with_old
+    end
+
+    def start_over
+      reset_config
+      @restart = true
+    end
+
+    def reset_config
+      @ignore_config = Brakeman::IgnoreConfig.new(@ignore_config.file, @new_warnings)
+    end
+
+    def process_warnings
+      @new_warnings.each do |w|
+        if skip_ignored? w or @skip_rest
+          next
+        elsif @ignore_rest
+          ignore w
+        elsif @quit or @restart
+          return
+        else
+          ask_about w
+        end
+      end
+    end
+
+    def ask_about warning
+      pretty_display warning
+      warning_action warning_menu, warning
+    end
+
+    def warning_action action, warning
+      case action
+      when "i"
+        ignore warning
+      when "n"
+        ignore_and_note warning
+      when "s"
+        # do nothing
+      when "u"
+        unignore warning
+      when "a"
+        ignore_rest warning
+      when "k"
+        skip_rest warning
+      when "q"
+        quit
+      when "?"
+        ask_about warning
+      else
+        raise "Unexpected action"
+      end
+    end
+
+    def ignore warning
+      @ignore_config.ignore warning
+    end
+
+    def ignore_and_note warning
+      note = HighLine.new.ask("Note: ")
+      @ignore_config.ignore warning
+      @ignore_config.add_note warning, note
+    end
+
+    def unignore warning
+      @ignore_config.unignore warning
+    end
+
+    def skip_rest warning
+      @skip_rest = true
+    end
+
+    def ignore_rest warning
+      ignore warning
+      @ignore_rest = true
+    end
+
+    def quit
+      reset_config
+      @ignore_config.read_from_file
+      @ignore_config.filter_ignored
+      @quit = true
+    end
+
+    def pretty_display warning
+      say "-" * 20
+      show_confidence warning
+
+      label "Category"
+      say warning.warning_type
+
+      label "Message"
+      say warning.message
+
+      if warning.code
+        label "Code"
+        say warning.format_code
+      end
+
+      if warning.relative_path
+        label "File"
+        say warning.relative_path
+      end
+
+      if warning.line
+        label "Line"
+        say warning.line
+      end
+
+      if already_ignored? warning
+        show_note warning
+        say "Already ignored", :red
+      end
+
+      say ""
+    end
+
+    def already_ignored? warning
+      @ignore_config.ignored? warning
+    end
+
+    def skip_ignored? warning
+      @skip_ignored and already_ignored? warning
+    end
+
+    def summarize_changes
+      say "-" * 20
+
+      say "Ignoring #{@ignore_config.ignored_warnings.length} warnings", :yellow
+      say "Showing #{@ignore_config.shown_warnings.length} warnings", :green
+    end
+
+    def label name
+      say "#{name}: ", :green
+    end
+
+    def show_confidence warning
+      label "Confidence"
+
+      case warning.confidence
+      when 0
+        say "High", :red
+      when 1
+        say "Medium", :yellow
+      when 2
+        say "Weak", :cyan
+      else
+        say "Unknown"
+      end
+    end
+
+    def show_note warning
+      note = @ignore_config.note_for warning
+
+      if note
+        label "Note"
+        say note
+      end
+    end
+
+    def say text, color = nil
+      text = text.to_s
+
+      if color
+        HighLine.new.say HighLine.new.color(text, color)
+      else
+        HighLine.new.say text
+      end
+    end
+
+    def yes_or_no message
+      answer = HighLine.new.ask message do |q|
+        q.in = ["y", "n", "yes", "no"]
+      end
+
+      answer.match /^y/i
+    end
+  end
+end

data/lib/brakeman/report/renderer.rb

@@ -1,3 +1,5 @@
+require 'erb'
+
 class Brakeman::Report
   class Renderer
     def initialize(template_file, hash = {})

data/lib/brakeman/report/report_base.rb

@@ -0,0 +1,279 @@
+require 'set'
+require 'brakeman/util'
+require 'brakeman/version'
+require 'brakeman/report/renderer'
+require 'brakeman/processors/output_processor'
+
+# Base class for report formats
+class Brakeman::Report::Base
+  include Brakeman::Util
+
+  attr_reader :tracker, :checks
+
+  TEXT_CONFIDENCE = [ "High", "Medium", "Weak" ]
+
+  def initialize app_tree, tracker
+    @app_tree = app_tree
+    @tracker = tracker
+    @checks = tracker.checks
+    @ignore_filter = tracker.ignored_filter
+    @highlight_user_input = tracker.options[:highlight_user_input]
+    @warnings_summary = nil
+  end
+
+  #Generate table of how many warnings of each warning type were reported
+  def generate_warning_overview
+    types = warnings_summary.keys
+    types.delete :high_confidence
+    values = types.sort.collect{|warning_type| [warning_type, warnings_summary[warning_type]] }
+    locals = {:types => types, :warnings_summary => warnings_summary}
+
+    render_array('warning_overview', ['Warning Type', 'Total'], values, locals)
+  end
+
+  #Generate table of controllers and routes found for those controllers
+  def generate_controllers
+    controller_rows = []
+
+    tracker.controllers.keys.map{|k| k.to_s}.sort.each do |name|
+      name = name.to_sym
+      c = tracker.controllers[name]
+
+      if tracker.routes[:allow_all_actions] or tracker.routes[name] == :allow_all_actions
+        routes = c[:public].keys.map{|e| e.to_s}.sort.join(", ")
+      elsif tracker.routes[name].nil?
+        #No routes defined for this controller.
+        #This can happen when it is only a parent class
+        #for other controllers, for example.
+        routes = "[None]"
+
+      else
+        routes = (Set.new(c[:public].keys) & tracker.routes[name.to_sym]).
+          to_a.
+          map {|e| e.to_s}.
+          sort.
+          join(", ")
+      end
+
+      if routes == ""
+        routes = "[None]"
+      end
+
+      controller_rows << { "Name" => name.to_s,
+        "Parent" => c[:parent].to_s,
+        "Includes" => c[:includes].join(", "),
+        "Routes" => routes
+      }
+    end
+
+    cols = ['Name', 'Parent', 'Includes', 'Routes']
+
+    locals = {:controller_rows => controller_rows}
+    values = controller_rows.collect{|row| row.values_at(*cols) }
+    render_array('controller_overview', cols, values, locals)
+  end
+
+  #Generate table of errors or return nil if no errors
+  def generate_errors
+    values = tracker.errors.collect{|error| [error[:error], error[:backtrace][0]]}
+    render_array('error_overview', ['Error', 'Location'], values, {:tracker => tracker})
+  end
+
+  def generate_warnings
+    render_warnings generic_warnings,
+                    :warning,
+                    'security_warnings',
+                    ["Confidence", "Class", "Method", "Warning Type", "Message"],
+                    'Class'
+  end
+
+  #Generate table of template warnings or return nil if no warnings
+  def generate_template_warnings
+    render_warnings template_warnings,
+                    :template,
+                    'view_warnings',
+                    ['Confidence', 'Template', 'Warning Type', 'Message'],
+                    'Template'
+
+  end
+
+  #Generate table of model warnings or return nil if no warnings
+  def generate_model_warnings
+    render_warnings model_warnings,
+                    :model,
+                    'model_warnings',
+                    ['Confidence', 'Model', 'Warning Type', 'Message'],
+                    'Model'
+  end
+
+  #Generate table of controller warnings or nil if no warnings
+  def generate_controller_warnings
+    render_warnings controller_warnings,
+                    :controller,
+                    'controller_warnings',
+                    ['Confidence', 'Controller', 'Warning Type', 'Message'],
+                    'Controller'
+  end
+
+  def generate_ignored_warnings
+    render_warnings ignored_warnings,
+                    :ignored,
+                    'ignored_warnings',
+                    ['Confidence', 'Warning Type', 'File', 'Message'],
+                    'Warning Type'
+  end
+
+  def render_warnings warnings, type, template, cols, sort_col
+    unless warnings.empty?
+      rows = sort(convert_to_rows(warnings, type), sort_col)
+
+      values = rows.collect { |row| row.values_at(*cols) }
+
+      locals = { :warnings => rows }
+
+      render_array(template, cols, values, locals)
+    else
+      nil
+    end
+  end
+
+  def convert_to_rows warnings, type = :warning
+    warnings.map do |warning|
+      w = warning.to_row type
+
+      case type
+        when :warning
+          convert_warning w, warning
+        when :template
+          convert_template_warning w, warning
+        when :model
+          convert_model_warning w, warning
+        when :controller
+          convert_controller_warning w, warning
+        when :ignored
+          convert_ignored_warning w, warning
+        end
+    end
+  end
+
+  def convert_warning warning, original
+    warning["Confidence"] = TEXT_CONFIDENCE[warning["Confidence"]]
+    warning["Message"] = text_message original, warning["Message"]
+    warning
+  end
+
+  def convert_template_warning warning, original
+    convert_warning warning, original
+  end
+
+  def convert_model_warning warning, original
+    convert_warning warning, original
+  end
+
+  def convert_controller_warning warning, original
+    convert_warning warning, original
+  end
+
+  def convert_ignored_warning warning, original
+    convert_warning warning, original
+  end
+
+  def sort rows, sort_col
+    stabilizer = 0
+    rows.sort_by do |row|
+      stabilizer += 1
+
+      row.values_at("Confidence", "Warning Type", sort_col) << stabilizer
+    end
+  end
+
+  #Return summary of warnings in hash and store in @warnings_summary
+  def warnings_summary
+    return @warnings_summary if @warnings_summary
+
+    summary = Hash.new(0)
+    high_confidence_warnings = 0
+
+    [all_warnings].each do |warnings|
+      warnings.each do |warning|
+        summary[warning.warning_type.to_s] += 1
+        high_confidence_warnings += 1 if warning.confidence == 0
+      end
+    end
+
+    summary[:high_confidence] = high_confidence_warnings
+    @warnings_summary = summary
+  end
+
+  def all_warnings
+    if @ignore_filter
+      @all_warnings ||= @ignore_filter.shown_warnings
+    else
+      @all_warnings ||= tracker.checks.all_warnings
+    end
+  end
+
+  def filter_warnings warnings
+    if @ignore_filter
+      warnings.reject do |w|
+        @ignore_filter.ignored? w
+      end
+    else
+      warnings
+    end
+  end
+
+  def generic_warnings
+    filter_warnings tracker.checks.warnings
+  end
+
+  def template_warnings
+    filter_warnings tracker.checks.template_warnings
+  end
+
+  def model_warnings
+    filter_warnings tracker.checks.model_warnings
+  end
+
+  def controller_warnings
+    filter_warnings tracker.checks.controller_warnings
+  end
+
+  def ignored_warnings
+    if @ignore_filter
+      @ignore_filter.ignored_warnings
+    else
+      []
+    end
+  end
+
+  def number_of_templates tracker
+    Set.new(tracker.templates.map {|k,v| v[:name].to_s[/[^.]+/]}).length
+  end
+
+  def warning_file warning, absolute = @tracker.options[:absolute_paths]
+    return nil if warning.file.nil?
+
+    if absolute
+      warning.file
+    else
+      relative_path warning.file
+    end
+  end
+
+  def rails_version
+    return tracker.config[:rails_version] if tracker.config[:rails_version]
+    return "3.x" if tracker.options[:rails3]
+    "Unknown"
+  end
+
+  #Escape warning message and highlight user input in text output
+  def text_message warning, message
+    if @highlight_user_input and warning.user_input
+      user_input = warning.format_user_input
+      message.gsub(user_input, "+#{user_input}+")
+    else
+      message
+    end
+  end
+end