brakeman 2.0.0 → 2.1.0

data/lib/brakeman/report/templates/ignored_warnings.html.erb

@@ -0,0 +1,21 @@
+<div onClick="toggle('ignored_table');">  <h2><%= warnings.length %> Ignored Warnings (click to see them)</h2 ></div>
+<div>
+  <table style="display:none" id="ignored_table">
+    <tr>
+      <th>Confidence</th>
+      <th>File</th>
+      <th>Warning Type</th>
+      <th>Message</th>
+      <th>Note</th>
+    </tr>
+    <% warnings.each do |warning| %>
+      <tr>
+        <td><%= warning['Confidence']%></td>
+        <td><%= warning['File']%></td>
+        <td><%= warning['Warning Type']%></td>
+        <td><%= warning['Message']%></td>
+        <td><%= warning['Note']%></td>
+      </tr>
+    <% end %>
+  </table>
+</div>

data/lib/brakeman/report/templates/overview.html.erb

@@ -24,5 +24,11 @@
     <td>Security Warnings</td>
     <td><%= warnings %> <span class='high-confidence'>(<%= warnings_summary[:high_confidence] %>)</span></td>
   </tr>
+  <% if warnings_summary['Ignored Warnings'] %>
+  <tr>
+    <td>Ignored Warnings</td>
+    <td><%= ignored_warnings %></td>
+  </tr>
+  <% end %>
 </table>
 <br>

data/lib/brakeman/report/templates/security_warnings.html.erb

@@ -7,7 +7,7 @@
     <th>Warning Type</th>
     <th>Message</th>
   </tr>
-  <% warning_messages.each do |warning| %>
+  <% warnings.each do |warning| %>
   <tr>
     <td><%= warning['Confidence']%></td>
     <td><%= warning['Class']%></td>

data/lib/brakeman/scanner.rb

@@ -1,19 +1,11 @@
 require 'rubygems'
+
 begin
   require 'ruby_parser'
   require 'ruby_parser/bm_sexp.rb'
   require 'ruby_parser/bm_sexp_processor.rb'
-
-  require 'haml'
-  require 'sass'
-  require 'erb'
-  require 'erubis'
-  require 'slim'
   require 'brakeman/processor'
   require 'brakeman/app_tree'
-  require 'brakeman/parsers/rails2_erubis'
-  require 'brakeman/parsers/rails2_xss_plugin_erubis'
-  require 'brakeman/parsers/rails3_erubis'
 rescue LoadError => e
   $stderr.puts e.message
   $stderr.puts "Please install the appropriate dependency."
@@ -33,7 +25,7 @@ class Brakeman::Scanner
     @app_tree = Brakeman::AppTree.from_options(options)
 
     if !@app_tree.root || !@app_tree.exists?("app")
-      raise NoApplication, "Please supply the path to a Rails application."
+      raise Brakeman::NoApplication, "Please supply the path to a Rails application."
     end
 
     if @app_tree.exists?("script/rails")
@@ -272,24 +264,33 @@ class Brakeman::Scanner
         if tracker.config[:escape_html]
           type = :erubis
           if options[:rails3]
+            require 'brakeman/parsers/rails3_erubis'
             src = Brakeman::Rails3Erubis.new(text).src
           else
+            require 'brakeman/parsers/rails2_xss_plugin_erubis'
             src = Brakeman::Rails2XSSPluginErubis.new(text).src
           end
         elsif tracker.config[:erubis]
+          require 'brakeman/parsers/rails2_erubis'
           type = :erubis
           src = Brakeman::ScannerErubis.new(text).src
         else
+          require 'erb'
           src = ERB.new(text, nil, "-").src
           src.sub!(/^#.*\n/, '') if RUBY_1_9
         end
 
         parsed = parse_ruby src
       elsif type == :haml
+        Brakeman.load_dependency 'haml'
+        Brakeman.load_dependency 'sass'
+
         src = Haml::Engine.new(text,
                                :escape_html => !!tracker.config[:escape_html]).precompiled
         parsed = parse_ruby src
       elsif type == :slim
+        Brakeman.load_dependency 'slim'
+
         src = Slim::Template.new(:disable_capture => true,
                                  :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template
 
@@ -355,6 +356,7 @@ class Brakeman::Scanner
   def parse_ruby input
     @ruby_parser.new.parse input
   end
-
-  class NoApplication < RuntimeError; end
 end
+
+# This is to allow operation without loading the Haml library
+module Haml; class Error < StandardError; end; end

data/lib/brakeman/tracker.rb

@@ -10,7 +10,7 @@ class Brakeman::Tracker
   attr_accessor :controllers, :templates, :models, :errors,
     :checks, :initializers, :config, :routes, :processor, :libs,
     :template_cache, :options, :filter_cache, :start_time, :end_time,
-    :duration
+    :duration, :ignored_filter
 
   #Place holder when there should be a model, but it is not
   #clear what model it will be.
@@ -152,6 +152,10 @@ class Brakeman::Tracker
     Brakeman::Report.new(@app_tree, self)
   end
 
+  def warnings
+    self.checks.all_warnings
+  end
+
   def index_call_sites
     finder = Brakeman::FindAllCalls.new self
 

data/lib/brakeman/util.rb

@@ -385,6 +385,7 @@ module Brakeman::Util
 
   def truncate_table str
     @terminal_width ||= if $stdin && $stdin.tty?
+                          Brakeman.load_dependency 'highline'
                           ::HighLine.new.terminal_size[0]
                         else
                           80
@@ -402,6 +403,7 @@ module Brakeman::Util
 
   # rely on Terminal::Table to build the structure, extract the data out in CSV format
   def table_to_csv table
+    Brakeman.load_dependency 'terminal-table'
     output = CSV.generate_line(table.headings.cells.map{|cell| cell.to_s.strip})
     table.rows.each do |row|
       output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "2.0.0"
+  Version = "2.1.0"
 end

data/lib/ruby_parser/bm_sexp.rb

@@ -3,7 +3,7 @@
 #of a Sexp.
 class Sexp
   attr_reader :paren
-  attr_accessor :original_line
+  attr_accessor :original_line, :or_depth
   ASSIGNMENT_BOOL = [:gasgn, :iasgn, :lasgn, :cvdecl, :cdecl, :or, :and, :colon2]
 
   def method_missing name, *args
@@ -67,6 +67,17 @@ class Sexp
     self[0] = type
   end
 
+  #Join self and exp into an :or Sexp.
+  #Sets or_depth.
+  #Used for combining "branched" values in AliasProcessor.
+  def combine exp, line = nil
+    combined = Sexp.new(:or, self, exp).line(line || -2)
+
+    combined.or_depth = [self.or_depth, exp.or_depth].compact.reduce(0, :+) + 1
+
+    combined
+  end
+
   alias :node_type :sexp_type
   alias :values :sexp_body # TODO: retire
 

metadata

@@ -1,7 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  version: 2.0.0
+  hash: 11
+  prerelease: 
+  segments: 
+  - 2
+  - 1
+  - 0
+  version: 2.1.0
 platform: ruby
 authors: 
 - Justin Collins
@@ -9,25 +15,37 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-05-20 00:00:00 Z
+date: 2013-07-17 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: ruby_parser
   prerelease: false
   requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        version: 3.1.1
+        hash: 11
+        segments: 
+        - 3
+        - 2
+        - 2
+        version: 3.2.2
   type: :runtime
   version_requirements: *id001
 - !ruby/object:Gem::Dependency 
   name: ruby2ruby
   prerelease: false
   requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 5
+        segments: 
+        - 2
+        - 0
+        - 5
         version: 2.0.5
   type: :runtime
   version_requirements: *id002
@@ -35,9 +53,14 @@ dependencies:
   name: terminal-table
   prerelease: false
   requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 1
+        - 4
         version: "1.4"
   type: :runtime
   version_requirements: *id003
@@ -45,9 +68,14 @@ dependencies:
   name: fastercsv
   prerelease: false
   requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 5
+        segments: 
+        - 1
+        - 5
         version: "1.5"
   type: :runtime
   version_requirements: *id004
@@ -55,9 +83,15 @@ dependencies:
   name: highline
   prerelease: false
   requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 41
+        segments: 
+        - 1
+        - 6
+        - 19
         version: 1.6.19
   type: :runtime
   version_requirements: *id005
@@ -65,9 +99,14 @@ dependencies:
   name: erubis
   prerelease: false
   requirement: &id006 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 15
+        segments: 
+        - 2
+        - 6
         version: "2.6"
   type: :runtime
   version_requirements: *id006
@@ -75,12 +114,21 @@ dependencies:
   name: haml
   prerelease: false
   requirement: &id007 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 3
+        - 0
         version: "3.0"
     - - <
       - !ruby/object:Gem::Version 
+        hash: 31
+        segments: 
+        - 5
+        - 0
         version: "5.0"
   type: :runtime
   version_requirements: *id007
@@ -88,9 +136,14 @@ dependencies:
   name: sass
   prerelease: false
   requirement: &id008 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 3
+        - 0
         version: "3.0"
   type: :runtime
   version_requirements: *id008
@@ -98,19 +151,37 @@ dependencies:
   name: slim
   prerelease: false
   requirement: &id009 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version 
+        hash: 23
+        segments: 
+        - 1
+        - 3
+        - 6
         version: 1.3.6
+    - - <
+      - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 3
+        - 0
+        version: "3.0"
   type: :runtime
   version_requirements: *id009
 - !ruby/object:Gem::Dependency 
   name: multi_json
   prerelease: false
   requirement: &id010 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 11
+        segments: 
+        - 1
+        - 2
         version: "1.2"
   type: :runtime
   version_requirements: *id010
@@ -128,135 +199,153 @@ files:
 - WARNING_TYPES
 - FEATURES
 - README.md
-- lib/brakeman/version.rb
-- lib/brakeman/differ.rb
-- lib/brakeman/util.rb
+- lib/brakeman/app_tree.rb
 - lib/brakeman/brakeman.rake
 - lib/brakeman/call_index.rb
-- lib/brakeman/report/renderer.rb
-- lib/brakeman/report/templates/controller_overview.html.erb
-- lib/brakeman/report/templates/model_warnings.html.erb
-- lib/brakeman/report/templates/template_overview.html.erb
-- lib/brakeman/report/templates/view_warnings.html.erb
-- lib/brakeman/report/templates/overview.html.erb
-- lib/brakeman/report/templates/controller_warnings.html.erb
-- lib/brakeman/report/templates/header.html.erb
-- lib/brakeman/report/templates/error_overview.html.erb
-- lib/brakeman/report/templates/security_warnings.html.erb
-- lib/brakeman/report/templates/warning_overview.html.erb
-- lib/brakeman/report/initializers/faster_csv.rb
-- lib/brakeman/report/initializers/multi_json.rb
-- lib/brakeman/tracker.rb
-- lib/brakeman/report.rb
-- lib/brakeman/scanner.rb
-- lib/brakeman/processor.rb
-- lib/brakeman/format/style.css
-- lib/brakeman/warning_codes.rb
-- lib/brakeman/app_tree.rb
-- lib/brakeman/checks/check_select_vulnerability.rb
-- lib/brakeman/checks/check_escape_function.rb
-- lib/brakeman/checks/check_single_quotes.rb
-- lib/brakeman/checks/check_model_serialize.rb
+- lib/brakeman/checks/base_check.rb
 - lib/brakeman/checks/check_basic_auth.rb
-- lib/brakeman/checks/check_safe_buffer_manipulation.rb
-- lib/brakeman/checks/check_forgery_setting.rb
-- lib/brakeman/checks/check_session_settings.rb
-- lib/brakeman/checks/check_model_attributes.rb
-- lib/brakeman/checks/check_redirect.rb
-- lib/brakeman/checks/check_yaml_parsing.rb
-- lib/brakeman/checks/check_skip_before_filter.rb
-- lib/brakeman/checks/check_response_splitting.rb
-- lib/brakeman/checks/check_mail_to.rb
 - lib/brakeman/checks/check_content_tag.rb
-- lib/brakeman/checks/check_unsafe_reflection.rb
-- lib/brakeman/checks/check_sql.rb
-- lib/brakeman/checks/check_select_tag.rb
-- lib/brakeman/checks/check_mass_assignment.rb
-- lib/brakeman/checks/check_link_to_href.rb
-- lib/brakeman/checks/check_filter_skipping.rb
-- lib/brakeman/checks/check_symbol_dos.rb
-- lib/brakeman/checks/check_sanitize_methods.rb
-- lib/brakeman/checks/check_file_access.rb
+- lib/brakeman/checks/check_cross_site_scripting.rb
+- lib/brakeman/checks/check_default_routes.rb
 - lib/brakeman/checks/check_deserialize.rb
-- lib/brakeman/checks/base_check.rb
-- lib/brakeman/checks/check_validation_regex.rb
-- lib/brakeman/checks/check_evaluation.rb
 - lib/brakeman/checks/check_digest_dos.rb
-- lib/brakeman/checks/check_render.rb
-- lib/brakeman/checks/check_send_file.rb
-- lib/brakeman/checks/check_json_parsing.rb
+- lib/brakeman/checks/check_escape_function.rb
+- lib/brakeman/checks/check_evaluation.rb
 - lib/brakeman/checks/check_execute.rb
-- lib/brakeman/checks/check_translate_bug.rb
+- lib/brakeman/checks/check_file_access.rb
+- lib/brakeman/checks/check_filter_skipping.rb
+- lib/brakeman/checks/check_forgery_setting.rb
 - lib/brakeman/checks/check_jruby_xml.rb
-- lib/brakeman/checks/check_default_routes.rb
+- lib/brakeman/checks/check_json_parsing.rb
 - lib/brakeman/checks/check_link_to.rb
+- lib/brakeman/checks/check_link_to_href.rb
+- lib/brakeman/checks/check_mail_to.rb
+- lib/brakeman/checks/check_mass_assignment.rb
+- lib/brakeman/checks/check_model_attr_accessible.rb
+- lib/brakeman/checks/check_model_attributes.rb
+- lib/brakeman/checks/check_model_serialize.rb
+- lib/brakeman/checks/check_nested_attributes.rb
 - lib/brakeman/checks/check_quote_table_name.rb
+- lib/brakeman/checks/check_redirect.rb
+- lib/brakeman/checks/check_render.rb
+- lib/brakeman/checks/check_response_splitting.rb
+- lib/brakeman/checks/check_safe_buffer_manipulation.rb
+- lib/brakeman/checks/check_sanitize_methods.rb
+- lib/brakeman/checks/check_select_tag.rb
+- lib/brakeman/checks/check_select_vulnerability.rb
 - lib/brakeman/checks/check_send.rb
-- lib/brakeman/checks/check_cross_site_scripting.rb
+- lib/brakeman/checks/check_send_file.rb
+- lib/brakeman/checks/check_session_settings.rb
+- lib/brakeman/checks/check_single_quotes.rb
+- lib/brakeman/checks/check_skip_before_filter.rb
+- lib/brakeman/checks/check_sql.rb
 - lib/brakeman/checks/check_strip_tags.rb
-- lib/brakeman/checks/check_nested_attributes.rb
+- lib/brakeman/checks/check_symbol_dos.rb
+- lib/brakeman/checks/check_translate_bug.rb
+- lib/brakeman/checks/check_unsafe_reflection.rb
+- lib/brakeman/checks/check_validation_regex.rb
 - lib/brakeman/checks/check_without_protection.rb
+- lib/brakeman/checks/check_yaml_parsing.rb
 - lib/brakeman/checks.rb
+- lib/brakeman/differ.rb
+- lib/brakeman/format/style.css
+- lib/brakeman/options.rb
+- lib/brakeman/parsers/rails2_erubis.rb
+- lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
+- lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/processor.rb
+- lib/brakeman/processors/alias_processor.rb
+- lib/brakeman/processors/base_processor.rb
+- lib/brakeman/processors/config_processor.rb
 - lib/brakeman/processors/controller_alias_processor.rb
+- lib/brakeman/processors/controller_processor.rb
+- lib/brakeman/processors/erb_template_processor.rb
+- lib/brakeman/processors/erubis_template_processor.rb
+- lib/brakeman/processors/gem_processor.rb
+- lib/brakeman/processors/haml_template_processor.rb
+- lib/brakeman/processors/lib/find_all_calls.rb
+- lib/brakeman/processors/lib/find_call.rb
 - lib/brakeman/processors/lib/find_return_value.rb
-- lib/brakeman/processors/lib/route_helper.rb
-- lib/brakeman/processors/lib/rails2_route_processor.rb
-- lib/brakeman/processors/lib/render_helper.rb
-- lib/brakeman/processors/lib/rails2_config_processor.rb
-- lib/brakeman/processors/lib/rails3_route_processor.rb
 - lib/brakeman/processors/lib/processor_helper.rb
+- lib/brakeman/processors/lib/rails2_config_processor.rb
+- lib/brakeman/processors/lib/rails2_route_processor.rb
 - lib/brakeman/processors/lib/rails3_config_processor.rb
-- lib/brakeman/processors/lib/find_all_calls.rb
-- lib/brakeman/processors/lib/find_call.rb
-- lib/brakeman/processors/template_alias_processor.rb
+- lib/brakeman/processors/lib/rails3_route_processor.rb
+- lib/brakeman/processors/lib/render_helper.rb
+- lib/brakeman/processors/lib/route_helper.rb
+- lib/brakeman/processors/library_processor.rb
 - lib/brakeman/processors/model_processor.rb
 - lib/brakeman/processors/output_processor.rb
-- lib/brakeman/processors/library_processor.rb
-- lib/brakeman/processors/erb_template_processor.rb
-- lib/brakeman/processors/template_processor.rb
-- lib/brakeman/processors/alias_processor.rb
-- lib/brakeman/processors/config_processor.rb
-- lib/brakeman/processors/gem_processor.rb
-- lib/brakeman/processors/erubis_template_processor.rb
 - lib/brakeman/processors/route_processor.rb
-- lib/brakeman/processors/controller_processor.rb
 - lib/brakeman/processors/slim_template_processor.rb
-- lib/brakeman/processors/haml_template_processor.rb
-- lib/brakeman/processors/base_processor.rb
-- lib/brakeman/warning.rb
-- lib/brakeman/options.rb
+- lib/brakeman/processors/template_alias_processor.rb
+- lib/brakeman/processors/template_processor.rb
+- lib/brakeman/report/ignore/config.rb
+- lib/brakeman/report/ignore/interactive.rb
+- lib/brakeman/report/initializers/faster_csv.rb
+- lib/brakeman/report/initializers/multi_json.rb
+- lib/brakeman/report/renderer.rb
+- lib/brakeman/report/report_base.rb
+- lib/brakeman/report/report_csv.rb
+- lib/brakeman/report/report_hash.rb
+- lib/brakeman/report/report_html.rb
+- lib/brakeman/report/report_json.rb
+- lib/brakeman/report/report_table.rb
+- lib/brakeman/report/report_tabs.rb
+- lib/brakeman/report/templates/controller_overview.html.erb
+- lib/brakeman/report/templates/controller_warnings.html.erb
+- lib/brakeman/report/templates/error_overview.html.erb
+- lib/brakeman/report/templates/header.html.erb
+- lib/brakeman/report/templates/ignored_warnings.html.erb
+- lib/brakeman/report/templates/model_warnings.html.erb
+- lib/brakeman/report/templates/overview.html.erb
+- lib/brakeman/report/templates/security_warnings.html.erb
+- lib/brakeman/report/templates/template_overview.html.erb
+- lib/brakeman/report/templates/view_warnings.html.erb
+- lib/brakeman/report/templates/warning_overview.html.erb
+- lib/brakeman/report.rb
 - lib/brakeman/rescanner.rb
-- lib/brakeman/parsers/rails2_erubis.rb
-- lib/brakeman/parsers/rails3_erubis.rb
-- lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
+- lib/brakeman/scanner.rb
+- lib/brakeman/tracker.rb
+- lib/brakeman/util.rb
+- lib/brakeman/version.rb
+- lib/brakeman/warning.rb
+- lib/brakeman/warning_codes.rb
+- lib/brakeman.rb
 - lib/ruby_parser/bm_sexp.rb
 - lib/ruby_parser/bm_sexp_processor.rb
-- lib/brakeman.rb
 homepage: http://brakemanscanner.org
 licenses: 
 - MIT
-metadata: {}
-
 post_install_message: 
 rdoc_options: []
 
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
-  - &id011 
-    - ">="
+  - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
-  - *id011
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 2.0.0
+rubygems_version: 1.8.25
 signing_key: 
-specification_version: 4
+specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []