brakeman 3.0.5 → 3.1.0

data/lib/brakeman/tracker/collection.rb

@@ -0,0 +1,77 @@
+require 'brakeman/util'
+
+module Brakeman
+  class Collection
+    include Brakeman::Util
+
+    attr_reader :collection, :files, :includes, :name, :options, :parent, :src, :tracker
+
+    def initialize name, parent, file_name, src, tracker
+      @name = name
+      @parent = parent
+      @file_name = file_name
+      @files = [ file_name ]
+      @src = { file_name => src }
+      @includes = []
+      @methods = { :public => {}, :private => {}, :protected => {} }
+      @options = {}
+      @tracker = tracker
+    end
+
+    def ancestor? parent, seen={}
+      seen[self.name] = true
+
+      if self.parent == parent or seen[self.parent]
+        true
+      elsif parent_model = collection[self.parent]
+        parent_model.ancestor? parent, seen
+      else
+        false
+      end
+    end
+
+    def add_file file_name, src
+      @files << file_name unless @files.include? file_name
+      @src[file_name] = src
+    end
+
+    def add_include class_name
+      @includes << class_name
+    end
+
+    def add_option name, exp
+      @options[name] ||= []
+      @options[name] << exp
+    end
+
+    def add_method visibility, name, src, file_name
+      @methods[visibility][name] = { :src => src, :file => file_name }
+    end
+
+    def each_method
+      @methods.each do |vis, meths|
+        meths.each do |name, info|
+          yield name, info
+        end
+      end
+    end
+
+    def get_method name
+      each_method do |n, info|
+        if n == name
+          return info
+        end
+      end
+
+      nil
+    end
+
+    def file
+      @files.first
+    end
+
+    def methods_public
+      @methods[:public]
+    end
+  end
+end

data/lib/brakeman/tracker/config.rb

@@ -0,0 +1,93 @@
+require 'brakeman/util'
+
+module Brakeman
+  class Config
+    include Util
+
+    attr_reader :rails, :tracker
+    attr_accessor :rails_version
+    attr_writer :erubis, :escape_html
+
+    def initialize tracker
+      @tracker = tracker
+      @rails = {}
+      @gems = {}
+      @settings = {}
+    end
+
+    def allow_forgery_protection?
+      @rails[:action_controller] and
+        @rails[:action_controller][:allow_forgery_protection] == Sexp.new(:false)
+    end
+
+    def erubis?
+      @erubis
+    end
+
+    def escape_html?
+      @escape_html
+    end
+
+    def escape_html_entities_in_json?
+      #TODO add version-specific information here
+      @rails[:active_support] and
+        true? @rails[:active_support][:escape_html_entities_in_json]
+    end
+
+    def whitelist_attributes?
+      @rails[:active_record] and
+        @rails[:active_record][:whitelist_attributes] == Sexp.new(:true)
+    end
+
+    def gem_version name
+      @gems[name] and @gems[name][:version]
+    end
+
+    def add_gem name, version, file, line
+      name = name.to_sym
+      @gems[name] = {
+        :version => version,
+        :file => file,
+        :line => line
+      }
+    end
+
+    def has_gem? name
+      !!@gems[name]
+    end
+
+    def get_gem name
+      @gems[name]
+    end
+
+    def set_rails_version
+      # Ignore ~>, etc. when using values from Gemfile
+      version = gem_version(:rails) || gem_version(:railties)
+      if version and version.match(/(\d+\.\d+\.\d+.*)/)
+        @rails_version = $1
+
+        if tracker.options[:rails3].nil? and tracker.options[:rails4].nil?
+          if @rails_version.start_with? "3"
+            tracker.options[:rails3] = true
+            Brakeman.notify "[Notice] Detected Rails 3 application"
+          elsif @rails_version.start_with? "4"
+            tracker.options[:rails3] = true
+            tracker.options[:rails4] = true
+            Brakeman.notify "[Notice] Detected Rails 4 application"
+          end
+        end
+      end
+
+      if get_gem :rails_xss
+        @escape_html = true
+        Brakeman.notify "[Notice] Escaping HTML by default"
+      end
+    end
+
+    def session_settings
+      @rails[:action_controller] &&
+        @rails[:action_controller][:session]
+    end
+
+  end
+end

data/lib/brakeman/tracker/controller.rb

@@ -0,0 +1,161 @@
+require 'brakeman/tracker/collection'
+
+module Brakeman
+  module ControllerMethods
+    attr_accessor :layout
+
+    def initialize_controller
+      @options[:before_filters] = []
+      @options[:skip_filters] = []
+      @layout = nil
+      @skip_filter_cache = nil
+      @before_filter_cache = nil
+    end
+
+    def protect_from_forgery?
+      @options[:protect_from_forgery]
+    end
+
+    def add_before_filter exp
+      @options[:before_filters] << exp
+    end
+
+    def prepend_before_filter exp
+      @options[:before_filters].unshift exp
+    end
+
+    def before_filters
+      @options[:before_filters]
+    end
+
+    def skip_filter exp
+      @options[:skip_filters] << exp
+    end
+
+    def skip_filters
+      @options[:skip_filters]
+    end
+
+    def before_filter_list processor, method
+      controller = self
+      filters = []
+
+      while controller
+        filters = controller.get_before_filters(processor, method) + filters
+
+        controller = tracker.controllers[controller.parent] ||
+          tracker.libs[controller.parent]
+      end
+
+      remove_skipped_filters processor, filters, method
+    end
+
+    def get_skipped_filters processor, method
+      filters = []
+
+      if @skip_filter_cache.nil?
+        @skip_filter_cache = skip_filters.map do |filter|
+          before_filter_to_hash(processor, filter.args)
+        end
+      end
+
+      @skip_filter_cache.each do |f|
+        if f[:all] or
+          (f[:only] == method) or
+          (f[:only].is_a? Array and f[:only].include? method) or
+          (f[:except].is_a? Symbol and f[:except] != method) or
+          (f[:except].is_a? Array and not f[:except].include? method)
+
+          filters.concat f[:methods]
+        else
+        end
+      end
+
+      filters
+    end
+
+    def remove_skipped_filters processor, filters, method
+      controller = self
+
+      while controller
+        filters = filters - controller.get_skipped_filters(processor, method)
+
+        controller = tracker.controllers[controller.parent] ||
+          tracker.libs[controller.parent]
+      end
+
+      filters
+    end
+
+    def get_before_filters processor, method
+      filters = []
+
+      if @before_filter_cache.nil?
+        @before_filter_cache = []
+
+        before_filters.each do |filter|
+          @before_filter_cache << before_filter_to_hash(processor, filter.args)
+        end
+      end
+
+      @before_filter_cache.each do |f|
+        if f[:all] or
+          (f[:only] == method) or
+          (f[:only].is_a? Array and f[:only].include? method) or
+          (f[:except].is_a? Symbol and f[:except] != method) or
+          (f[:except].is_a? Array and not f[:except].include? method)
+
+          filters.concat f[:methods]
+        end
+      end
+
+
+      filters
+    end
+
+    def before_filter_to_hash processor, args
+      filter = {}
+
+      #Process args for the uncommon but possible situation
+      #in which some variables are used in the filter.
+      args.each do |a|
+        if sexp? a
+          a = processor.process_default a
+        end
+      end
+
+      filter[:methods] = [args[0][1]]
+
+      args[1..-1].each do |a|
+        filter[:methods] << a[1] if a.node_type == :lit
+      end
+
+      if args[-1].node_type == :hash
+        option = args[-1][1][1]
+        value = args[-1][2]
+        case value.node_type
+        when :array
+          filter[option] = value[1..-1].map {|v| v[1] }
+        when :lit, :str
+          filter[option] = value[1]
+        else
+          Brakeman.debug "[Notice] Unknown before_filter value: #{option} => #{value}"
+        end
+      else
+        filter[:all] = true
+      end
+
+      filter
+    end
+  end
+
+  class Controller < Brakeman::Collection
+    include ControllerMethods
+
+    def initialize name, parent, file_name, src, tracker
+      super
+      initialize_controller
+      @collection = tracker.controllers
+    end
+  end
+end

data/lib/brakeman/tracker/library.rb

@@ -0,0 +1,17 @@
+require 'brakeman/tracker/collection'
+require 'brakeman/tracker/controller'
+require 'brakeman/tracker/model'
+
+module Brakeman
+  class Library < Brakeman::Collection
+    include ControllerMethods
+    include ModelMethods
+
+    def initialize name, parent, file_name, src, tracker
+      super
+      initialize_controller
+      initialize_model
+      @collection = tracker.libs
+    end
+  end
+end

data/lib/brakeman/tracker/model.rb

@@ -0,0 +1,90 @@
+require 'brakeman/tracker/collection'
+
+module Brakeman
+  module ModelMethods
+    attr_reader :associations, :attr_accessible, :role_accessible
+
+    def initialize_model
+      @associations = {}
+      @role_accessible = []
+      @attr_accessible = nil
+    end
+
+    def association? method_name
+      @associations.each do |name, args|
+        args.each do |arg|
+          if symbol? arg and arg.value == method_name
+            return true
+          end
+        end
+      end
+
+      false
+    end
+
+    def unprotected_model?
+      @attr_accessible.nil? and !parent_classes_protected? and ancestor?(:"ActiveRecord::Base")
+    end
+
+    # go up the chain of parent classes to see if any have attr_accessible
+    def parent_classes_protected? seen={}
+      seen[self.name] = true
+
+      if @attr_accessible or self.includes.include? :"ActiveModel::ForbiddenAttributesProtection"
+        true
+      elsif parent = tracker.models[self.parent] and !seen[self.parent]
+        parent.parent_classes_protected? seen
+      else
+        false
+      end
+    end
+
+    def set_attr_accessible exp = nil
+      if exp
+        args = []
+
+        exp.each_arg do |e|
+          if node_type? e, :lit
+            args << e.value
+          elsif hash? e
+            @role_accessible.concat args
+          end
+        end
+
+        @attr_accessible ||= []
+        @attr_accessible.concat args
+      else
+        @attr_accessible ||= []
+      end
+    end
+
+    def set_attr_protected exp
+      add_option :attr_protected, exp
+    end
+
+    def attr_protected
+      @options[:attr_protected]
+    end
+  end
+
+  class Model < Brakeman::Collection
+    include ModelMethods
+
+    ASSOCIATIONS = Set[:belongs_to, :has_one, :has_many, :has_and_belongs_to_many]
+
+    def initialize name, parent, file_name, src, tracker
+      super
+      initialize_model
+      @collection = tracker.models
+    end
+
+    def add_option name, exp
+      if ASSOCIATIONS.include? name
+        @associations[name] ||= []
+        @associations[name].concat exp.args
+      else
+        super name, exp.arglist.line(exp.line)
+      end
+    end
+  end
+end

data/lib/brakeman/tracker/template.rb

@@ -0,0 +1,33 @@
+require 'brakeman/tracker/collection'
+
+module Brakeman
+  class Template < Brakeman::Collection
+    attr_accessor :type
+    attr_reader :render_path
+    attr_writer :src
+
+    def initialize name, called_from, file_name, tracker
+      super name, nil, file_name, nil, tracker
+      @render_path = called_from
+      @outputs = []
+    end
+
+    def add_output exp
+      @outputs << exp
+    end
+
+    def each_output
+      @outputs.each do |o|
+        yield o
+      end
+    end
+
+    def rendered_from_controller?
+      if @render_path
+        @render_path.rendered_from_controller?
+      else
+        false
+      end
+    end
+  end
+end