brakeman 1.0.rc1 → 1.0.0

data/README.md

@@ -2,9 +2,9 @@
 
 Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
 
-It targets Rails versions > 2.0 with experimental support for Rails 3.x
-
-There is also a [plugin available](https://github.com/presidentbeef/brakeman-jenkins-plugin) for Jenkins/Hudson.
+It targets Rails versions 2.x and 3.x.
+ 
+There is also a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenkins/Hudson.
 
 # Homepage
 
@@ -77,6 +77,10 @@ Normally Brakeman will parse `routes.rb` and attempt to infer which controller m
 
 Note that this will be enabled automatically if Brakeman runs into an error while parsing the routes.
 
+By default, Brakeman will return 0 as an exit code unless something when very wrong. To return an error code when warnings were found:
+
+    brakeman -z
+
 # Warning information
 
 See WARNING_TYPES for more information on the warnings reported by this tool.

data/bin/brakeman

@@ -170,7 +170,7 @@ OptionParser.new do |opts|
   end
 end.parse!(ARGV)
 
-clean = Brakeman.run options
+clean = Brakeman.run options.merge(:print_report => true, :quiet => options[:quiet])
 
 if options[:exit_on_warn] && !clean
   exit Brakeman::Warnings_Found_Exit_Code

data/lib/brakeman.rb

@@ -16,7 +16,7 @@ module Brakeman
   #  * :config_file - configuration file
   #  * :create_config - output configuration file
   #  * :escape_html - escape HTML by default (automatic)
-  #  * :exit_on_warn - return error exit code on warnings (default: false)
+  #  * :exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)
   #  * :html_style - path to CSS file
   #  * :ignore_model_output - consider models safe (default: false)
   #  * :list_checks - list all checks (does not run scan)
@@ -25,7 +25,8 @@ module Brakeman
   #  * :output_file - file for output
   #  * :output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)
   #  * :parallel_checks - run checks in parallel (default: true)
-  #  * :quiet - suppress most messages (default: false)
+  #  * :print_report - if no output file specified, print to stdout (default: false)
+  #  * :quiet - suppress most messages (default: true)
   #  * :rails3 - force Rails 3 mode (automatic)
   #  * :report_routes - show found routes on controllers (default: false)
   #  * :run_checks - array of checks to run (run all if not specified)
@@ -44,11 +45,13 @@ module Brakeman
       exit
     end
 
+    options = set_options options
+
     if options[:quiet]
       $VERBOSE = nil
     end
 
-    scan set_options(options)
+    scan options
   end
 
   private
@@ -116,6 +119,7 @@ module Brakeman
       :ignore_model_output => false,
       :message_limit => 100,
       :parallel_checks => true,
+      :quiet => true,
       :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css" 
     }
   end
@@ -205,13 +209,16 @@ module Brakeman
     warn "Running checks..."
     tracker.run_checks
 
-    warn "Generating report..."
     if options[:output_file]
+      warn "Generating report..."
+
       File.open options[:output_file], "w" do |f|
         f.puts tracker.report.send(options[:output_format])
       end
       warn "Report saved in '#{options[:output_file]}'"
-    else
+    elsif options[:print_report]
+      warn "Generating report..."
+
       puts tracker.report.send(options[:output_format])
     end
 
@@ -220,8 +227,10 @@ module Brakeman
         next if warning.confidence > options[:min_confidence]
         return false
       end
+      
+      return true
     end
-    return true
 
+    tracker
   end
 end

data/lib/brakeman/checks/check_sql.rb

@@ -98,6 +98,10 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         return true
       when :call
         return check_call(arg)
+      else
+        return arg.any? do |a|
+          check_arguments(a)
+        end
       end
     end
 

data/lib/brakeman/format/style.css

@@ -0,0 +1,105 @@
+/* CSS style used for HTML reports */
+
+body {
+  font-family: sans-serif;
+  color: #161616;
+}
+
+p {
+  font-weight: bold;
+  font-size: 11pt;
+  color: #2D0200;
+ }
+
+ th {
+   background-color: #980905;
+   border-bottom: 5px solid #530200;
+   color: white;
+   font-size: 11pt;
+   padding: 1px 8px 1px 8px;
+ }
+
+ td {
+   border-bottom: 2px solid white;
+   font-family: monospace;
+   padding: 5px 8px 1px 8px;
+ }
+
+ table {
+   background-color: #FCF4D4;
+   border-collapse: collapse;
+ }
+
+ h1 {
+   color: #2D0200;
+   font-size: 14pt;
+ }
+
+ h2 {
+   color: #2D0200;
+   font-size: 12pt;
+ }
+
+ span.high-confidence {
+   font-weight:bold;
+   color: red;
+ }
+
+ span.med-confidence {
+ }
+
+ span.weak-confidence {
+   color:gray;
+ }
+
+ div.warning_message {
+   cursor: pointer;
+ }
+
+ div.warning_message:hover {
+   background-color: white;
+ }
+
+ table.context {
+   margin-top: 5px;
+   margin-bottom: 5px;
+   border-left: 1px solid #90e960;
+   color: #212121;
+ }
+
+ tr.context {
+   background-color: white;
+ }
+
+ tr.first {
+   border-top: 1px solid #7ecc54;
+   padding-top: 2px;
+ }
+
+ tr.error {
+  background-color: #f4c1c1 !important
+ }
+
+ tr.near_error {
+  background-color: #f4d4d4 !important
+ }
+
+ tr.alt {
+   background-color: #e8f4d4;
+ }
+
+ td.context {
+   padding: 2px 10px 0px 6px;
+   border-bottom: none;
+ }
+
+ td.context_line {
+   padding: 2px 8px 0px 7px;
+   border-right: 1px solid #b3bda4;
+   border-bottom: none;
+   color: #6e7465;
+ }
+
+ pre.context {
+   margin-bottom: 1px;
+ }

data/lib/brakeman/processors/alias_processor.rb

@@ -182,7 +182,13 @@ class Brakeman::AliasProcessor < SexpProcessor
   def process_lasgn exp
     exp[2] = process exp[2] if sexp? exp[2]
     local = Sexp.new(:lvar, exp[1]).line(exp.line || -2)
-    env[local] = exp[2]
+
+    if @inside_if and env[local]
+      env[local] = Sexp.new(:or, env[local], exp[2]).line(exp.line || -2)
+    else
+      env[local] = exp[2]
+    end
+
     exp
   end
 
@@ -191,7 +197,13 @@ class Brakeman::AliasProcessor < SexpProcessor
   def process_iasgn exp
     exp[2] = process exp[2]
     ivar = Sexp.new(:ivar, exp[1]).line(exp.line)
-    env[ivar] = exp[2]
+
+    if @inside_if and env[ivar]
+      env[ivar] = Sexp.new(:or, env[ivar], exp[2]).line(exp.line)
+    else
+      env[ivar] = exp[2]
+    end
+
     exp
   end
 
@@ -200,7 +212,13 @@ class Brakeman::AliasProcessor < SexpProcessor
   def process_gasgn exp
     match = Sexp.new(:gvar, exp[1])
     value = exp[2] = process(exp[2])
-    env[match] = value
+
+    if @inside_if and env[match]
+      env[match] = Sexp.new(:or, env[match], value)
+    else
+      env[match] = value
+    end
+
     exp
   end
 
@@ -209,7 +227,13 @@ class Brakeman::AliasProcessor < SexpProcessor
   def process_cvdecl exp
     match = Sexp.new(:cvar, exp[1])
     value = exp[2] = process(exp[2])
-    env[match] = value
+    
+    if @inside_if and env[match]
+      env[match] = Sexp.new(:or, env[match], value)
+    else
+      env[match] = value
+    end
+
     exp
   end
 
@@ -234,7 +258,12 @@ class Brakeman::AliasProcessor < SexpProcessor
       value = exp[3][1] = process(exp[3][1])
       #This is what we'll replace with the value
       match = Sexp.new(:call, target, method.to_s[0..-2].to_sym, Sexp.new(:arglist))
-      env[match] = value
+
+      if @inside_if and env[match]
+        env[match] = Sexp.new(:or, env[match], value)
+      else
+        env[match] = value
+      end
     else
       raise "Unrecognized assignment: #{exp}"
     end
@@ -318,6 +347,30 @@ class Brakeman::AliasProcessor < SexpProcessor
     exp
   end
 
+  #Sets @inside_if = true
+  def process_if exp
+    was_inside = @inside_if
+    @inside_if = true
+
+    condition = process exp[1]
+
+    if true? condition
+      exps = [exp[2]]
+    elsif false? condition
+      exps = exp[3..-1]
+    else
+      exps = exp[2..-1]
+    end
+    
+    exps.each do |e|
+      process e if sexp? e
+    end
+
+    @inside_if = was_inside
+
+    exp
+  end
+
   #Process single integer access to an array. 
   #
   #Returns the value inside the array, if possible.

data/lib/brakeman/processors/controller_processor.rb

@@ -1,4 +1,3 @@
-require 'ruby_parser'
 require 'brakeman/processors/base_processor'
 
 #Processes controller. Results are put in tracker.controllers

data/lib/brakeman/scanner.rb

@@ -1,18 +1,13 @@
 require 'rubygems'
 begin
-  require 'ruby_parser'
+  #Load our own version of ruby_parser :'(
+  require 'ruby_parser/ruby_parser.rb'
+
   require 'haml'
   require 'sass'
   require 'erb'
   require 'erubis'
   require 'brakeman/processor'
-
-  #Load our own version of ruby_parser :(
-  original_verbosity = $VERBOSE
-  $VERBOSE = nil
-  require 'ruby_parser/ruby_parser.rb'
-  $VERBOSE = original_verbosity
-
 rescue LoadError => e
   $stderr.puts e.message
   $stderr.puts "Please install the appropriate dependency."
@@ -40,6 +35,12 @@ class Brakeman::Scanner
     @path = options[:app_path]
     @app_path = File.join(@path, "app")
     @processor = Brakeman::Processor.new options
+
+    if RUBY_1_9
+      @ruby_parser = ::Ruby19Parser
+    else
+      @ruby_parser = ::Ruby18Parser
+    end
   end
 
   #Returns the Tracker generated from the scan
@@ -75,13 +76,13 @@ class Brakeman::Scanner
   #Stores parsed information in tracker.config
   def process_config
     if options[:rails3]
-      @processor.process_config(RubyParser.new.parse(File.read("#@path/config/application.rb")))
-      @processor.process_config(RubyParser.new.parse(File.read("#@path/config/environments/production.rb")))
+      @processor.process_config(parse_ruby(File.read("#@path/config/application.rb")))
+      @processor.process_config(parse_ruby(File.read("#@path/config/environments/production.rb")))
     else
-      @processor.process_config(RubyParser.new.parse(File.read("#@path/config/environment.rb")))
+      @processor.process_config(parse_ruby(File.read("#@path/config/environment.rb")))
 
       if File.exists? "#@path/config/gems.rb"
-        @processor.process_config(RubyParser.new.parse(File.read("#@path/config/gems.rb")))
+        @processor.process_config(parse_ruby(File.read("#@path/config/gems.rb")))
       end
 
     end
@@ -99,9 +100,9 @@ class Brakeman::Scanner
   def process_gems
     if File.exists? "#@path/Gemfile"
       if File.exists? "#@path/Gemfile.lock"
-        @processor.process_gems(RubyParser.new.parse(File.read("#@path/Gemfile")), File.read("#@path/Gemfile.lock"))
+        @processor.process_gems(parse_ruby(File.read("#@path/Gemfile")), File.read("#@path/Gemfile.lock"))
       else
-        @processor.process_gems(RubyParser.new.parse(File.read("#@path/Gemfile")))
+        @processor.process_gems(parse_ruby(File.read("#@path/Gemfile")))
       end
     end
   end
@@ -112,7 +113,7 @@ class Brakeman::Scanner
   def process_initializers
     Dir.glob(@path + "/config/initializers/**/*.rb").sort.each do |f|
       begin
-        @processor.process_initializer(f, RubyParser.new.parse(File.read(f)))
+        @processor.process_initializer(f, parse_ruby(File.read(f)))
       rescue Racc::ParseError => e
         tracker.error e, "could not parse #{f}. There is probably a typo in the file. Test it with 'ruby_parse #{f}'"
       rescue Exception => e
@@ -132,7 +133,7 @@ class Brakeman::Scanner
 
     Dir.glob(@path + "/lib/**/*.rb").sort.each do |f|
       begin
-        @processor.process_lib RubyParser.new.parse(File.read(f)), f
+        @processor.process_lib parse_ruby(File.read(f)), f
       rescue Racc::ParseError => e
         tracker.error e, "could not parse #{f}. There is probably a typo in the file. Test it with 'ruby_parse #{f}'"
       rescue Exception => e
@@ -147,7 +148,7 @@ class Brakeman::Scanner
   def process_routes
     if File.exists? "#@path/config/routes.rb"
       begin
-        @processor.process_routes RubyParser.new.parse(File.read("#@path/config/routes.rb"))
+        @processor.process_routes parse_ruby(File.read("#@path/config/routes.rb"))
       rescue Exception => e
         tracker.error e.exception(e.message + "\nWhile processing routes.rb"), e.backtrace
         warn "[Notice] Error while processing routes - assuming all public controller methods are actions."
@@ -164,7 +165,7 @@ class Brakeman::Scanner
   def process_controllers
     Dir.glob(@app_path + "/controllers/**/*.rb").sort.each do |f|
       begin
-        @processor.process_controller(RubyParser.new.parse(File.read(f)), f)
+        @processor.process_controller(parse_ruby(File.read(f)), f)
       rescue Racc::ParseError => e
         tracker.error e, "could not parse #{f}. There is probably a typo in the file. Test it with 'ruby_parse #{f}'"
       rescue Exception => e
@@ -210,11 +211,11 @@ class Brakeman::Scanner
             src.sub!(/^#.*\n/, '') if RUBY_1_9
           end
 
-          parsed = RubyParser.new.parse src
+          parsed = parse_ruby src
         elsif type == :haml
           src = Haml::Engine.new(text,
                                  :escape_html => !!tracker.config[:escape_html]).precompiled
-          parsed = RubyParser.new.parse src
+          parsed = parse_ruby src
         else
           tracker.error "Unkown template type in #{f}"
         end
@@ -251,7 +252,7 @@ class Brakeman::Scanner
   def process_models
     Dir.glob(@app_path + "/models/*.rb").sort.each do |f|
       begin
-        @processor.process_model(RubyParser.new.parse(File.read(f)), f)
+        @processor.process_model(parse_ruby(File.read(f)), f)
       rescue Racc::ParseError => e
         tracker.error e, "could not parse #{f}"
       rescue Exception => e
@@ -263,6 +264,14 @@ class Brakeman::Scanner
   def index_call_sites
     tracker.index_call_sites
   end
+
+  def parse_ruby input
+    if RUBY_1_9
+      Ruby19Parser.new.parse input
+    else
+      Ruby18Parser.new.parse input
+    end
+  end
 end
 
 #This is from Rails 3 version of the Erubis handler