brakeman 2.0.0 → 2.1.0

data/lib/brakeman/report/report_csv.rb

@@ -0,0 +1,56 @@
+Brakeman.load_dependency 'csv'
+require "brakeman/report/initializers/faster_csv"
+require "brakeman/report/report_table"
+
+class Brakeman::Report::CSV < Brakeman::Report::Table
+  def generate_report
+    output = csv_header
+    output << "\nSUMMARY\n"
+
+    output << table_to_csv(generate_overview) << "\n"
+
+    output << table_to_csv(generate_warning_overview) << "\n"
+
+    #Return output early if only summarizing
+    if tracker.options[:summary_only]
+      return output
+    end
+
+    if tracker.options[:report_routes] or tracker.options[:debug]
+      output << "CONTROLLERS\n"
+      output << table_to_csv(generate_controllers) << "\n"
+    end
+
+    if tracker.options[:debug]
+      output << "TEMPLATES\n\n"
+      output << table_to_csv(generate_templates) << "\n"
+    end
+
+    res = generate_errors
+    output << "ERRORS\n" << table_to_csv(res) << "\n" if res
+
+    res = generate_warnings
+    output << "SECURITY WARNINGS\n" << table_to_csv(res) << "\n" if res
+
+    output << "Controller Warnings\n"
+    res = generate_controller_warnings
+    output << table_to_csv(res) << "\n" if res
+
+    output << "Model Warnings\n"
+    res = generate_model_warnings
+    output << table_to_csv(res) << "\n" if res
+
+    res = generate_template_warnings
+    output << "Template Warnings\n"
+    output << table_to_csv(res) << "\n" if res
+
+    output
+  end
+
+  #Generate header for CSV output
+  def csv_header
+    header = CSV.generate_line(["Application Path", "Report Generation Time", "Checks Performed", "Rails Version"])
+    header << CSV.generate_line([File.expand_path(tracker.options[:app_path]), Time.now.to_s, checks.checks_run.sort.join(", "), rails_version])
+    "BRAKEMAN REPORT\n\n" + header
+  end
+end

data/lib/brakeman/report/report_hash.rb

@@ -0,0 +1,22 @@
+# Generates a hash table for use in Brakeman tests
+class Brakeman::Report::Hash < Brakeman::Report::Base
+  def generate_report
+    report = { :errors => tracker.errors,
+               :controllers => tracker.controllers,
+               :models => tracker.models,
+               :templates => tracker.templates
+              }
+
+    [:generic_warnings, :controller_warnings, :model_warnings, :template_warnings].each do |meth|
+      report[meth] = self.send(meth)
+      report[meth].each do |w|
+        w.message = w.format_message
+        w.context = context_for(@app_tree, w).join("\n")
+      end
+    end
+
+    report[:config] = tracker.config
+
+    report
+  end
+end

data/lib/brakeman/report/report_html.rb

@@ -0,0 +1,203 @@
+require 'cgi'
+
+class Brakeman::Report::HTML < Brakeman::Report::Base
+  HTML_CONFIDENCE = [ "<span class='high-confidence'>High</span>",
+    "<span class='med-confidence'>Medium</span>",
+    "<span class='weak-confidence'>Weak</span>" ]
+
+  def initialize *args
+    super
+
+    @element_id = 0 #Used for HTML ids
+  end
+
+  def generate_report
+    out = html_header <<
+    generate_overview <<
+    generate_warning_overview.to_s
+
+    # Return early if only summarizing
+    return out if tracker.options[:summary_only]
+
+    out << generate_controllers.to_s if tracker.options[:report_routes] or tracker.options[:debug]
+    out << generate_templates.to_s if tracker.options[:debug]
+    out << generate_errors.to_s
+    out << generate_warnings.to_s
+    out << generate_controller_warnings.to_s
+    out << generate_model_warnings.to_s
+    out << generate_template_warnings.to_s
+    out << generate_ignored_warnings.to_s
+    out << "</body></html>"
+  end
+
+  def generate_overview
+      locals = {
+        :tracker => tracker,
+        :warnings => all_warnings.length,
+        :warnings_summary => warnings_summary,
+        :number_of_templates => number_of_templates(@tracker),
+        :ignored_warnings => ignored_warnings.length
+        }
+
+      Brakeman::Report::Renderer.new('overview', :locals => locals).render
+  end
+
+  #Generate listings of templates and their output
+  def generate_templates
+    out_processor = Brakeman::OutputProcessor.new
+    template_rows = {}
+    tracker.templates.each do |name, template|
+      unless template[:outputs].empty?
+        template[:outputs].each do |out|
+          out = CGI.escapeHTML(out_processor.format(out))
+          template_rows[name] ||= []
+          template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
+        end
+      end
+    end
+
+    template_rows = template_rows.sort_by{|name, value| name.to_s}
+
+      Brakeman::Report::Renderer.new('template_overview', :locals => {:template_rows => template_rows}).render
+  end
+
+  def render_array template, headings, value_array, locals
+    return if value_array.empty?
+
+    Brakeman::Report::Renderer.new(template, :locals => locals).render
+  end
+
+  def convert_warning warning, original
+    warning["Confidence"] = HTML_CONFIDENCE[warning["Confidence"]]
+    warning["Message"] = with_context original, warning["Message"]
+    warning["Warning Type"] = with_link original, warning["Warning Type"]
+    warning
+  end
+
+  def with_link warning, message
+    "<a rel=\"no-referrer\" href=\"#{warning.link}\">#{message}</a>"
+  end
+
+  def convert_template_warning warning, original
+    warning["Confidence"] = HTML_CONFIDENCE[warning["Confidence"]]
+    warning["Message"] = with_context original, warning["Message"]
+    warning["Warning Type"] = with_link original, warning["Warning Type"]
+    warning["Called From"] = original.called_from
+    warning["Template Name"] = original.template[:name]
+    warning
+  end
+
+  def convert_ignored_warning warning, original
+    warning = convert_warning(warning, original)
+    warning['File'] = original.relative_path
+    warning['Note'] = CGI.escapeHTML(@ignore_filter.note_for(original) || "")
+    warning
+  end
+
+  #Return header for HTML output. Uses CSS from tracker.options[:html_style]
+  def html_header
+    if File.exist? tracker.options[:html_style]
+      css = File.read tracker.options[:html_style]
+    else
+      raise "Cannot find CSS stylesheet for HTML: #{tracker.options[:html_style]}"
+    end
+
+    locals = {
+      :css => css,
+      :tracker => tracker,
+      :checks => checks,
+      :rails_version => rails_version,
+      :brakeman_version => Brakeman::Version
+      }
+
+    Brakeman::Report::Renderer.new('header', :locals => locals).render
+  end
+
+  #Generate HTML for warnings, including context show/hidden via Javascript
+  def with_context warning, message
+    context = context_for(@app_tree, warning)
+    full_message = nil
+
+    if tracker.options[:message_limit] and tracker.options[:message_limit] > 0 and message.length > tracker.options[:message_limit]
+      full_message = html_message(warning, message)
+      message = message[0..tracker.options[:message_limit]] << "..."
+    end
+
+    message = html_message(warning, message)
+    return message if context.empty? and not full_message
+
+    @element_id += 1
+    code_id = "context#@element_id"
+    message_id = "message#@element_id"
+    full_message_id = "full_message#@element_id"
+    alt = false
+    output = "<div class='warning_message' onClick=\"toggle('#{code_id}');toggle('#{message_id}');toggle('#{full_message_id}')\" >" <<
+    if full_message
+      "<span id='#{message_id}' style='display:block' >#{message}</span>" <<
+      "<span id='#{full_message_id}' style='display:none'>#{full_message}</span>"
+    else
+      message
+    end <<
+    "<table id='#{code_id}' class='context' style='display:none'>" <<
+    "<caption>#{warning_file(warning) || ''}</caption>"
+
+    unless context.empty?
+      if warning.line - 1 == 1 or warning.line + 1 == 1
+        error = " near_error"
+      elsif 1 == warning.line
+        error = " error"
+      else
+        error = ""
+      end
+
+      output << <<-HTML
+        <tr class='context first#{error}'>
+          <td class='context_line'>
+            <pre class='context'>#{context.first[0]}</pre>
+          </td>
+          <td class='context'>
+            <pre class='context'>#{CGI.escapeHTML context.first[1].chomp}</pre>
+          </td>
+        </tr>
+      HTML
+
+      if context.length > 1
+        output << context[1..-1].map do |code|
+          alt = !alt
+          if code[0] == warning.line - 1 or code[0] == warning.line + 1
+            error = " near_error"
+          elsif code[0] == warning.line
+            error = " error"
+          else
+            error = ""
+          end
+
+          <<-HTML
+          <tr class='context#{alt ? ' alt' : ''}#{error}'>
+            <td class='context_line'>
+              <pre class='context'>#{code[0]}</pre>
+            </td>
+            <td class='context'>
+              <pre class='context'>#{CGI.escapeHTML code[1].chomp}</pre>
+            </td>
+          </tr>
+          HTML
+        end.join
+      end
+    end
+
+    output << "</table></div>"
+  end
+
+  #Escape warning message and highlight user input in HTML output
+  def html_message warning, message
+    message = CGI.escapeHTML(message)
+
+    if @highlight_user_input and warning.user_input
+      user_input = CGI.escapeHTML(warning.format_user_input)
+      message.gsub!(user_input, "<span class=\"user_input\">#{user_input}</span>")
+    end
+
+    message
+  end
+end

data/lib/brakeman/report/report_json.rb

@@ -0,0 +1,46 @@
+Brakeman.load_dependency 'multi_json'
+require 'brakeman/report/initializers/multi_json'
+
+class Brakeman::Report::JSON < Brakeman::Report::Base
+  def generate_report
+    errors = tracker.errors.map{|e| { :error => e[:error], :location => e[:backtrace][0] }}
+    app_path = tracker.options[:app_path]
+
+    warnings = convert_to_hashes all_warnings
+
+    ignored = convert_to_hashes ignored_warnings
+
+    scan_info = {
+      :app_path => File.expand_path(tracker.options[:app_path]),
+      :rails_version => rails_version,
+      :security_warnings => all_warnings.length,
+      :start_time => tracker.start_time.to_s,
+      :end_time => tracker.end_time.to_s,
+      :duration => tracker.duration,
+      :checks_performed => checks.checks_run.sort,
+      :number_of_controllers => tracker.controllers.length,
+      # ignore the "fake" model
+      :number_of_models => tracker.models.length - 1,
+      :number_of_templates => number_of_templates(@tracker),
+      :ruby_version => RUBY_VERSION,
+      :brakeman_version => Brakeman::Version
+    }
+
+    report_info = {
+      :scan_info => scan_info,
+      :warnings => warnings,
+      :ignored_warnings => ignored,
+      :errors => errors
+    }
+
+    MultiJson.dump(report_info, :pretty => true)
+  end
+
+  def convert_to_hashes warnings
+    warnings.map do |w|
+      hash = w.to_hash
+      hash[:file] = warning_file w
+      hash
+    end.sort_by { |w| w[:file] }
+  end
+end

data/lib/brakeman/report/report_table.rb

@@ -0,0 +1,109 @@
+Brakeman.load_dependency 'terminal-table'
+
+class Brakeman::Report::Table < Brakeman::Report::Base
+  def generate_report
+    out = text_header <<
+    "\n\n+SUMMARY+\n\n" <<
+    truncate_table(generate_overview.to_s) << "\n\n" <<
+    truncate_table(generate_warning_overview.to_s) << "\n"
+
+    #Return output early if only summarizing
+    return out if tracker.options[:summary_only]
+
+    if tracker.options[:report_routes] or tracker.options[:debug]
+      out << "\n+CONTROLLERS+\n" <<
+      truncate_table(generate_controllers.to_s) << "\n"
+    end
+
+    if tracker.options[:debug]
+      out << "\n+TEMPLATES+\n\n" <<
+      truncate_table(generate_templates.to_s) << "\n"
+    end
+
+    res = generate_errors
+    out << "+Errors+\n" << truncate_table(res.to_s) if res
+
+    res = generate_warnings
+    out << "\n\n+SECURITY WARNINGS+\n\n" << truncate_table(res.to_s) if res
+
+    res = generate_controller_warnings
+    out << "\n\n\nController Warnings:\n\n" << truncate_table(res.to_s) if res
+
+    res = generate_model_warnings
+    out << "\n\n\nModel Warnings:\n\n" << truncate_table(res.to_s) if res
+
+    res = generate_template_warnings
+    out << "\n\nView Warnings:\n\n" << truncate_table(res.to_s) if res
+
+    out << "\n"
+    out
+  end
+
+  def generate_overview
+    num_warnings = all_warnings.length
+
+    Terminal::Table.new(:headings => ['Scanned/Reported', 'Total']) do |t|
+      t.add_row ['Controllers', tracker.controllers.length]
+      t.add_row ['Models', tracker.models.length - 1]
+      t.add_row ['Templates', number_of_templates(@tracker)]
+      t.add_row ['Errors', tracker.errors.length]
+      t.add_row ['Security Warnings', "#{num_warnings} (#{warnings_summary[:high_confidence]})"]
+      t.add_row ['Ignored Warnings', ignored_warnings.length] unless ignored_warnings.empty?
+    end
+  end
+
+  #Generate listings of templates and their output
+  def generate_templates
+    out_processor = Brakeman::OutputProcessor.new
+    template_rows = {}
+    tracker.templates.each do |name, template|
+      unless template[:outputs].empty?
+        template[:outputs].each do |out|
+          out = out_processor.format out
+          template_rows[name] ||= []
+          template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
+        end
+      end
+    end
+
+    template_rows = template_rows.sort_by{|name, value| name.to_s}
+
+    output = ''
+    template_rows.each do |template|
+      output << template.first.to_s << "\n\n"
+      table = Terminal::Table.new(:headings => ['Output']) do |t|
+        # template[1] is an array of calls
+        template[1].each do |v|
+          t.add_row [v]
+        end
+      end
+
+      output << table.to_s << "\n\n"
+    end
+
+    output
+  end
+
+  def render_array template, headings, value_array, locals
+    return if value_array.empty?
+
+    Terminal::Table.new(:headings => headings) do |t|
+      value_array.each { |value_row| t.add_row value_row }
+    end
+  end
+
+  #Generate header for text output
+  def text_header
+    <<-HEADER
+
++BRAKEMAN REPORT+
+
+Application path: #{File.expand_path tracker.options[:app_path]}
+Rails version: #{rails_version}
+Brakeman version: #{Brakeman::Version}
+Started at #{tracker.start_time}
+Duration: #{tracker.duration} seconds
+Checks run: #{checks.checks_run.sort.join(", ")}
+HEADER
+  end
+end

data/lib/brakeman/report/report_tabs.rb

@@ -0,0 +1,17 @@
+#Generated tab-separated output suitable for the Jenkins Brakeman Plugin:
+#https://github.com/presidentbeef/brakeman-jenkins-plugin
+class Brakeman::Report::Tabs < Brakeman::Report::Base
+  def generate_report
+    [[:warnings, "General"], [:controller_warnings, "Controller"],
+      [:model_warnings, "Model"], [:template_warnings, "Template"]].map do |meth, category|
+
+      checks.send(meth).map do |w|
+        line = w.line || 0
+        w.warning_type.gsub!(/[^\w\s]/, ' ')
+        "#{warning_file(w, :absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
+      end.join "\n"
+
+    end.join "\n"
+
+  end
+end