brakeman 0.8.4 → 0.9.0

data/README.md

@@ -77,12 +77,6 @@ Normally Brakeman will parse `routes.rb` and attempt to infer which controller m
 
 Note that this will be enabled automatically if Brakeman runs into an error while parsing the routes.
 
-To skip processing the `lib` directory (which is currently only used in a couple situations):
-
-    brakeman --skip-libs
-
-This can save processing time and memory.
-
 # Warning information
 
 See WARNING_TYPES for more information on the warnings reported by this tool.

data/lib/checks/base_check.rb

@@ -104,14 +104,21 @@ class BaseCheck < SexpProcessor
   end
 
   #Checks if mass assignment is disabled globally in an initializer.
-  def mass_assign_disabled? tracker
-    matches = tracker.check_initializers(:"ActiveRecord::Base", :send)
-    if matches.empty?
-      false
+  def mass_assign_disabled?
+    if version_between?("3.1.0", "4.0.0") and 
+      tracker.config[:rails][:active_record] and 
+      tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)
+
+      return true
     else
-      matches.each do |result|
-        if result[3][3] == Sexp.new(:arg_list, Sexp.new(:lit, :attr_accessible), Sexp.new(:nil))
-          return true
+      matches = tracker.check_initializers(:"ActiveRecord::Base", :send)
+      if matches.empty?
+        false
+      else
+        matches.each do |result|
+          if result[3][3] == Sexp.new(:arg_list, Sexp.new(:lit, :attr_accessible), Sexp.new(:nil))
+            return true
+          end
         end
       end
     end
@@ -343,13 +350,23 @@ class BaseCheck < SexpProcessor
     low_version = low_version.split(".").map! { |n| n.to_i }
     high_version = high_version.split(".").map! { |n| n.to_i }
 
-    version.each_with_index do |n, i|
-      if n < low_version[i] or n > high_version[i]
+    version.each_with_index do |v, i|
+      if v < low_version[i]
+        return false
+      elsif v > low_version[i]
+        break
+      end
+    end
+
+    version.each_with_index do |v, i|
+      if v > high_version[i]
         return false
+      elsif v < high_version[i]
+        break
       end
     end
 
-    return true
+    true
   end
 
   def gemfile_or_environment

data/lib/checks/check_mass_assignment.rb

@@ -7,7 +7,7 @@ class CheckMassAssignment < BaseCheck
   Checks.add self
 
   def run_check
-    return if mass_assign_disabled? tracker
+    return if mass_assign_disabled?
 
     models = []
     tracker.models.each do |name, m|

data/lib/checks/check_model_attributes.rb

@@ -9,7 +9,7 @@ class CheckModelAttributes < BaseCheck
   Checks.add self
 
   def run_check
-    return if mass_assign_disabled? tracker
+    return if mass_assign_disabled?
 
     names = []
 

data/lib/checks/check_without_protection.rb

@@ -8,7 +8,7 @@ class CheckWithoutProtection < BaseCheck
   Checks.add self
 
   def run_check
-    if mass_assign_disabled? tracker or version_between? "0.0.0", "3.0.99"
+    if version_between? "0.0.0", "3.0.99"
       return
     end
 

data/lib/processors/config_processor.rb

@@ -1,146 +1,5 @@
-require 'processors/base_processor'
-require 'processors/alias_processor'
-  
-#Replace block variable in
-#
-#  Rails::Initializer.run |config|
-#
-#with this value so we can keep track of it.
-RAILS_CONFIG = Sexp.new(:const, :"!BRAKEMAN_RAILS_CONFIG")
-
-#Processes configuration. Results are put in tracker.config.
-#
-#Configuration of Rails via Rails::Initializer are stored in tracker.config[:rails].
-#For example:
-#
-#  Rails::Initializer.run |config|
-#    config.action_controller.session_store = :cookie_store
-#  end
-#
-#will be stored in
-#
-#  tracker.config[:rails][:action_controller][:session_store]
-#
-#Values for tracker.config[:rails] will still be Sexps.
-class ConfigProcessor < BaseProcessor
-  def initialize *args
-    super
-    @tracker.config[:rails] ||= {}
-  end
-
-  #Use this method to process configuration file
-  def process_config src
-    res = ConfigAliasProcessor.new.process_safely(src)
-    process res
-  end
-
-  #Check if config is set to use Erubis
-  def process_call exp
-    target = exp[1]
-    target = process target if sexp? target
-
-    if exp[2] == :gem and exp[3][1][1] == "erubis"
-      warn "[Notice] Using Erubis for ERB templates"
-      @tracker.config[:erubis] = true
-    end
-
-    exp
-  end
-
-  #Look for configuration settings
-  def process_attrasgn exp
-    if exp[1] == RAILS_CONFIG
-      #Get rid of '=' at end
-      attribute = exp[2].to_s[0..-2].to_sym
-      if exp[3].length > 2
-        #Multiple arguments?...not sure if this will ever happen
-        @tracker.config[:rails][exp[2]] = exp[3][1..-1]
-      else
-        @tracker.config[:rails][exp[2]] = exp[3][1]
-      end
-    elsif include_rails_config? exp
-      options = get_rails_config exp
-      level = @tracker.config[:rails]
-      options[0..-2].each do |o|
-        level[o] ||= {}
-        level = level[o]
-      end
-
-      level[options.last] = exp[3][1]
-    end
-
-    exp
-  end
-
-  #Check for Rails version
-  def process_cdecl exp
-    #Set Rails version required
-    if exp[1] == :RAILS_GEM_VERSION
-      @tracker.config[:rails_version] = exp[2][1]
-    end
-
-    exp
-  end
-
-  #Check if an expression includes a call to set Rails config
-  def include_rails_config? exp
-    target = exp[1]
-    if call? target
-      if target[1] == RAILS_CONFIG
-        true
-      else
-        include_rails_config? target
-      end
-    elsif target == RAILS_CONFIG
-      true
-    else
-      false
-    end
-  end
-
-  #Returns an array of symbols for each 'level' in the config
-  #
-  #  config.action_controller.session_store = :cookie
-  #
-  #becomes
-  #
-  #  [:action_controller, :session_store]
-  def get_rails_config exp
-    if sexp? exp and exp.node_type == :attrasgn
-      attribute = exp[2].to_s[0..-2].to_sym
-      get_rails_config(exp[1]) << attribute
-    elsif call? exp
-      if exp[1] == RAILS_CONFIG
-        [exp[2]]
-      else
-        get_rails_config(exp[1]) << exp[2]
-      end
-    else
-      raise "WHAT"
-    end
-  end
-end
-
-#This is necessary to replace block variable so we can track config settings
-class ConfigAliasProcessor < AliasProcessor
-
-  RAILS_INIT = Sexp.new(:colon2, Sexp.new(:const, :Rails), :Initializer)
-
-  #Look for a call to 
-  #
-  #  Rails::Initializer.run do |config|
-  #    ...
-  #  end
-  #
-  #and replace config with RAILS_CONFIG
-  def process_iter exp
-    target = exp[1][1]
-    method = exp[1][2]
-
-    if sexp? target and target == RAILS_INIT and method == :run
-      exp[2][2] = RAILS_CONFIG
-    end
-
-    process_default exp
-  end
+if OPTIONS[:rails3]
+  load 'processors/lib/rails3_config_processor.rb'
+else
+  load 'processors/lib/rails2_config_processor.rb'
 end

data/lib/processors/lib/rails2_config_processor.rb

@@ -0,0 +1,146 @@
+require 'processors/base_processor'
+require 'processors/alias_processor'
+  
+#Replace block variable in
+#
+#  Rails::Initializer.run |config|
+#
+#with this value so we can keep track of it.
+RAILS_CONFIG = Sexp.new(:const, :"!BRAKEMAN_RAILS_CONFIG")
+
+#Processes configuration. Results are put in tracker.config.
+#
+#Configuration of Rails via Rails::Initializer are stored in tracker.config[:rails].
+#For example:
+#
+#  Rails::Initializer.run |config|
+#    config.action_controller.session_store = :cookie_store
+#  end
+#
+#will be stored in
+#
+#  tracker.config[:rails][:action_controller][:session_store]
+#
+#Values for tracker.config[:rails] will still be Sexps.
+class ConfigProcessor < BaseProcessor
+  def initialize *args
+    super
+    @tracker.config[:rails] ||= {}
+  end
+
+  #Use this method to process configuration file
+  def process_config src
+    res = ConfigAliasProcessor.new.process_safely(src)
+    process res
+  end
+
+  #Check if config is set to use Erubis
+  def process_call exp
+    target = exp[1]
+    target = process target if sexp? target
+
+    if exp[2] == :gem and exp[3][1][1] == "erubis"
+      warn "[Notice] Using Erubis for ERB templates"
+      @tracker.config[:erubis] = true
+    end
+
+    exp
+  end
+
+  #Look for configuration settings
+  def process_attrasgn exp
+    if exp[1] == RAILS_CONFIG
+      #Get rid of '=' at end
+      attribute = exp[2].to_s[0..-2].to_sym
+      if exp[3].length > 2
+        #Multiple arguments?...not sure if this will ever happen
+        @tracker.config[:rails][attribute] = exp[3][1..-1]
+      else
+        @tracker.config[:rails][attribute] = exp[3][1]
+      end
+    elsif include_rails_config? exp
+      options = get_rails_config exp
+      level = @tracker.config[:rails]
+      options[0..-2].each do |o|
+        level[o] ||= {}
+        level = level[o]
+      end
+
+      level[options.last] = exp[3][1]
+    end
+
+    exp
+  end
+
+  #Check for Rails version
+  def process_cdecl exp
+    #Set Rails version required
+    if exp[1] == :RAILS_GEM_VERSION
+      @tracker.config[:rails_version] = exp[2][1]
+    end
+
+    exp
+  end
+
+  #Check if an expression includes a call to set Rails config
+  def include_rails_config? exp
+    target = exp[1]
+    if call? target
+      if target[1] == RAILS_CONFIG
+        true
+      else
+        include_rails_config? target
+      end
+    elsif target == RAILS_CONFIG
+      true
+    else
+      false
+    end
+  end
+
+  #Returns an array of symbols for each 'level' in the config
+  #
+  #  config.action_controller.session_store = :cookie
+  #
+  #becomes
+  #
+  #  [:action_controller, :session_store]
+  def get_rails_config exp
+    if sexp? exp and exp.node_type == :attrasgn
+      attribute = exp[2].to_s[0..-2].to_sym
+      get_rails_config(exp[1]) << attribute
+    elsif call? exp
+      if exp[1] == RAILS_CONFIG
+        [exp[2]]
+      else
+        get_rails_config(exp[1]) << exp[2]
+      end
+    else
+      raise "WHAT"
+    end
+  end
+end
+
+#This is necessary to replace block variable so we can track config settings
+class ConfigAliasProcessor < AliasProcessor
+
+  RAILS_INIT = Sexp.new(:colon2, Sexp.new(:const, :Rails), :Initializer)
+
+  #Look for a call to 
+  #
+  #  Rails::Initializer.run do |config|
+  #    ...
+  #  end
+  #
+  #and replace config with RAILS_CONFIG
+  def process_iter exp
+    target = exp[1][1]
+    method = exp[1][2]
+
+    if sexp? target and target == RAILS_INIT and method == :run
+      exp[2][2] = RAILS_CONFIG
+    end
+
+    process_default exp
+  end
+end

data/lib/processors/lib/rails3_config_processor.rb

@@ -0,0 +1,119 @@
+require 'processors/base_processor'
+require 'processors/alias_processor'
+
+RAILS_CONFIG = Sexp.new(:call, nil, :config, Sexp.new(:arglist))
+  
+#Processes configuration. Results are put in tracker.config.
+#
+#Configuration of Rails via Rails::Initializer are stored in tracker.config[:rails].
+#For example:
+#
+#  MyApp::Application.configure do
+#    config.active_record.whitelist_attributes = true
+#  end
+#
+#will be stored in
+#
+#  tracker.config[:rails][:active_record][:whitelist_attributes]
+#
+#Values for tracker.config[:rails] will still be Sexps.
+class ConfigProcessor < BaseProcessor
+  def initialize *args
+    super
+    @tracker.config[:rails] ||= {}
+    @inside_config = false
+  end
+
+  #Use this method to process configuration file
+  def process_config src
+    res = AliasProcessor.new.process_safely(src)
+    process res
+  end
+
+  #Look for MyApp::Application.configure do ... end
+  def process_iter exp
+    if sexp?(exp[1][1]) and exp[1][1][0] == :colon2 and exp[1][1][2] == :Application
+      @inside_config = true
+      process exp[-1] if sexp? exp[-1]
+      @inside_config = false
+    end
+
+    exp
+  end
+
+  #Look for class Application < Rails::Application
+  def process_class exp
+    if exp[1] == :Application
+      @inside_config = true
+      process exp[-1] if sexp? exp[-1]
+      @inside_config = false
+    end
+
+    exp
+  end
+
+  #Look for configuration settings
+  def process_attrasgn exp
+    return unless @inside_config
+
+    if exp[1] == RAILS_CONFIG
+      #Get rid of '=' at end
+      attribute = exp[2].to_s[0..-2].to_sym
+      if exp[3].length > 2
+        #Multiple arguments?...not sure if this will ever happen
+        @tracker.config[:rails][attribute] = exp[3][1..-1]
+      else
+        @tracker.config[:rails][attribute] = exp[3][1]
+      end
+    elsif include_rails_config? exp
+      options = get_rails_config exp
+      level = @tracker.config[:rails]
+      options[0..-2].each do |o|
+        level[o] ||= {}
+        level = level[o]
+      end
+
+      level[options.last] = exp[3][1]
+    end
+
+    exp
+  end
+
+  #Check if an expression includes a call to set Rails config
+  def include_rails_config? exp
+    target = exp[1]
+    if call? target
+      if target[1] == RAILS_CONFIG
+        true
+      else
+        include_rails_config? target
+      end
+    elsif target == RAILS_CONFIG
+      true
+    else
+      false
+    end
+  end
+
+  #Returns an array of symbols for each 'level' in the config
+  #
+  #  config.action_controller.session_store = :cookie
+  #
+  #becomes
+  #
+  #  [:action_controller, :session_store]
+  def get_rails_config exp
+    if sexp? exp and exp.node_type == :attrasgn
+      attribute = exp[2].to_s[0..-2].to_sym
+      get_rails_config(exp[1]) << attribute
+    elsif call? exp
+      if exp[1] == RAILS_CONFIG
+        [exp[2]]
+      else
+        get_rails_config(exp[1]) << exp[2]
+      end
+    else
+      raise "WHAT"
+    end
+  end
+end

data/lib/processors/route_processor.rb

@@ -5,7 +5,7 @@ require 'util'
 require 'set'
 
 if OPTIONS[:rails3]
-  require 'processors/lib/rails3_route_processor'
+  load 'processors/lib/rails3_route_processor.rb'
 else
-  require 'processors/lib/rails2_route_processor'
+  load 'processors/lib/rails2_route_processor.rb'
 end

data/lib/report.rb

@@ -5,6 +5,17 @@ require 'ruport'
 require 'processors/output_processor'
 require 'util'
 
+#Fix for Ruport under 1.9
+#as reported here: https://github.com/ruport/ruport/pull/7
+module Ruport
+  class Formatter::CSV < Formatter
+    def csv_writer
+      @csv_writer ||= options.formatter ||
+        FCSV.instance(output, options.format_options || {})
+    end
+  end
+end
+
 #Generates a report based on the Tracker and the results of
 #Tracker#run_checks. Be sure to +run_checks+ before generating
 #a report.

data/lib/scanner.rb

@@ -69,15 +69,22 @@ class Scanner
   #
   #Stores parsed information in tracker.config
   def process_config
-    @processor.process_config(RubyParser.new.parse(File.read("#@path/config/environment.rb")))
+    if OPTIONS[:rails3]
+      @processor.process_config(RubyParser.new.parse(File.read("#@path/config/application.rb")))
+      @processor.process_config(RubyParser.new.parse(File.read("#@path/config/environments/production.rb")))
+    else
+      @processor.process_config(RubyParser.new.parse(File.read("#@path/config/environment.rb")))
+
+      if File.exists? "#@path/config/gems.rb"
+        @processor.process_config(RubyParser.new.parse(File.read("#@path/config/gems.rb")))
+      end
 
-    if File.exists? "#@path/config/gems.rb"
-      @processor.process_config(RubyParser.new.parse(File.read("#@path/config/gems.rb")))
     end
 
     if File.exists? "#@path/vendor/plugins/rails_xss" or 
       OPTIONS[:rails3] or OPTIONS[:escape_html] or
       (File.exists? "#@path/Gemfile" and File.read("#@path/Gemfile").include? "rails_xss")
+
       tracker.config[:escape_html] = true
       warn "[Notice] Escaping HTML by default"
     end

data/lib/version.rb

@@ -1 +1 @@
-Version = "0.8.4"
+Version = "0.9.0"

metadata

@@ -1,90 +1,120 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: brakeman
-version: !ruby/object:Gem::Version
-  version: 0.8.4
-  prerelease: 
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 9
+  - 0
+  version: 0.9.0
 platform: ruby
-authors:
+authors: 
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-11-04 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+
+date: 2011-11-16 00:00:00 -08:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
   name: activesupport
-  requirement: &70053260 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.2'
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 2
+        - 2
+        version: "2.2"
   type: :runtime
-  prerelease: false
-  version_requirements: *70053260
-- !ruby/object:Gem::Dependency
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
   name: ruby2ruby
-  requirement: &70052900 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 2
+        - 4
         version: 1.2.4
   type: :runtime
-  prerelease: false
-  version_requirements: *70052900
-- !ruby/object:Gem::Dependency
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
   name: ruby_parser
-  requirement: &70051800 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 2
+        - 3
+        - 0
         version: 2.3.0
   type: :runtime
-  prerelease: false
-  version_requirements: *70051800
-- !ruby/object:Gem::Dependency
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
   name: ruport
-  requirement: &70051430 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 6
+        - 3
         version: 1.6.3
   type: :runtime
-  prerelease: false
-  version_requirements: *70051430
-- !ruby/object:Gem::Dependency
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
   name: erubis
-  requirement: &70051060 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 2
+        - 6
+        - 5
         version: 2.6.5
   type: :runtime
-  prerelease: false
-  version_requirements: *70051060
-- !ruby/object:Gem::Dependency
+  version_requirements: *id005
+- !ruby/object:Gem::Dependency 
   name: haml
-  requirement: &70050750 !ruby/object:Gem::Requirement
+  prerelease: false
+  requirement: &id006 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 3
+        - 0
+        - 12
         version: 3.0.12
   type: :runtime
-  prerelease: false
-  version_requirements: *70050750
-description: Brakeman detects security vulnerabilities in Ruby on Rails applications
-  via static analysis.
+  version_requirements: *id006
+description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
 email: 
-executables:
+executables: 
 - brakeman
 extensions: []
+
 extra_rdoc_files: []
-files:
+
+files: 
 - bin/brakeman
 - WARNING_TYPES
 - FEATURES
@@ -105,9 +135,11 @@ files:
 - lib/processors/lib/processor_helper.rb
 - lib/processors/lib/rails3_route_processor.rb
 - lib/processors/lib/route_helper.rb
+- lib/processors/lib/rails2_config_processor.rb
 - lib/processors/lib/rails2_route_processor.rb
 - lib/processors/lib/find_model_call.rb
 - lib/processors/lib/render_helper.rb
+- lib/processors/lib/rails3_config_processor.rb
 - lib/processors/alias_processor.rb
 - lib/processors/output_processor.rb
 - lib/processors/config_processor.rb
@@ -148,28 +180,37 @@ files:
 - lib/checks.rb
 - lib/processor.rb
 - lib/format/style.css
+has_rdoc: true
 homepage: http://brakemanscanner.org
 licenses: []
+
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
 requirements: []
+
 rubyforge_project: 
-rubygems_version: 1.8.6
+rubygems_version: 1.3.7
 signing_key: 
 specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []
+