brakeman 0.9.2 → 1.0.rc1

data/bin/brakeman

@@ -4,14 +4,16 @@ require 'set'
 
 $:.unshift "#{File.expand_path(File.dirname(__FILE__))}/../lib"
 
-require 'version'
 require 'brakeman'
+require 'brakeman/version'
 
 trap("INT") do
   $stderr.puts "\nInterrupted - exiting."
   exit!
 end
 
+Brakeman::Warnings_Found_Exit_Code = 3
+
 #Parse command line options
 options = {}
 
@@ -28,10 +30,13 @@ OptionParser.new do |opts|
 
   opts.on "-q", "--quiet", "Suppress informational messages" do
     options[:quiet] = true
-    $VERBOSE = nil
   end
 
-  opts.on "-3", "--rails3", "[Experimental] Rails 3 support" do
+  opts.on( "-z", "--exit-on-warn", "Exit code is non-zero if warnings found") do |s|
+    options[:exit_on_warn] = s
+  end
+
+  opts.on "-3", "--rails3", "[Experimental] Force Rails 3 mode" do
     options[:rails3] = true
   end
 
@@ -101,7 +106,7 @@ OptionParser.new do |opts|
     options[:output_format] = ("to_" << type.to_s).to_sym
   end
 
-  opts.on "--css-file CSSFile" do |file|
+  opts.on "--css-file CSSFile", "Specify CSS to use for HTML output" do |file|
     options[:html_style] = File.expand_path file
   end
 
@@ -154,10 +159,20 @@ OptionParser.new do |opts|
     options[:list_checks] = true
   end
 
+  opts.on "-v", "--version", "Show Brakeman version" do
+    puts "brakeman #{Brakeman::Version}"
+    exit
+  end
+
   opts.on_tail "-h", "--help", "Display this message" do
     puts opts
     exit
   end
 end.parse!(ARGV)
 
-Brakeman.run options
+clean = Brakeman.run options
+
+if options[:exit_on_warn] && !clean
+  exit Brakeman::Warnings_Found_Exit_Code
+end
+

data/lib/brakeman.rb

@@ -1,8 +1,38 @@
+require 'rubygems'
 require 'yaml'
-
-OPTIONS = {}
+require 'set'
 
 module Brakeman
+
+  #Run Brakeman scan. Returns Tracker object.
+  #
+  #Options:
+  #
+  #  * :app_path - path to root of Rails app (required)
+  #  * :assume_all_routes - assume all methods are routes (default: false)
+  #  * :check_arguments - check arguments of methods (default: true)
+  #  * :collapse_mass_assignment - report unprotected models in single warning (default: true)
+  #  * :combine_locations - combine warning locations (default: true)
+  #  * :config_file - configuration file
+  #  * :create_config - output configuration file
+  #  * :escape_html - escape HTML by default (automatic)
+  #  * :exit_on_warn - return error exit code on warnings (default: false)
+  #  * :html_style - path to CSS file
+  #  * :ignore_model_output - consider models safe (default: false)
+  #  * :list_checks - list all checks (does not run scan)
+  #  * :message_limit - limit length of messages
+  #  * :min_confidence - minimum confidence (0-2, 0 is highest)
+  #  * :output_file - file for output
+  #  * :output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)
+  #  * :parallel_checks - run checks in parallel (default: true)
+  #  * :quiet - suppress most messages (default: false)
+  #  * :rails3 - force Rails 3 mode (automatic)
+  #  * :report_routes - show found routes on controllers (default: false)
+  #  * :run_checks - array of checks to run (run all if not specified)
+  #  * :safe_methods - array of methods to consider safe
+  #  * :skip_libs - do not process lib/ directory (default: false)
+  #  * :skip_checks - checks not to run (run all if not specified)
+  #
   def self.run options
     if options[:list_checks]
       list_checks
@@ -14,6 +44,10 @@ module Brakeman
       exit
     end
 
+    if options[:quiet]
+      $VERBOSE = nil
+    end
+
     scan set_options(options)
   end
 
@@ -82,7 +116,7 @@ module Brakeman
       :ignore_model_output => false,
       :message_limit => 100,
       :parallel_checks => true,
-      :html_style => "#{File.expand_path(File.dirname(__FILE__))}/../lib/format/style.css" 
+      :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css" 
     }
   end
 
@@ -118,7 +152,7 @@ module Brakeman
   end
 
   def self.list_checks
-    require 'scanner'
+    require 'brakeman/scanner'
     $stderr.puts "Available Checks:"
     $stderr.puts "-" * 30
     $stderr.puts Checks.checks.map { |c| c.to_s }.sort.join "\n"
@@ -151,20 +185,17 @@ module Brakeman
   end
 
   def self.scan options
-    OPTIONS.clear
-    OPTIONS.merge! options
-
     #Load scanner
     warn "Loading scanner..."
 
     begin
-      require 'scanner'
+      require 'brakeman/scanner'
     rescue LoadError
       abort "Cannot find lib/ directory."
     end
 
     #Start scanning
-    scanner = Scanner.new options[:app_path]
+    scanner = Scanner.new options
 
     warn "[Notice] Using Ruby #{RUBY_VERSION}. Please make sure this matches the one used to run your Rails application."
 
@@ -175,13 +206,22 @@ module Brakeman
     tracker.run_checks
 
     warn "Generating report..."
-    if OPTIONS[:output_file]
-      File.open OPTIONS[:output_file], "w" do |f|
-        f.puts tracker.report.send(OPTIONS[:output_format])
+    if options[:output_file]
+      File.open options[:output_file], "w" do |f|
+        f.puts tracker.report.send(options[:output_format])
       end
-      warn "Report saved in '#{OPTIONS[:output_file]}'"
+      warn "Report saved in '#{options[:output_file]}'"
     else
-      puts tracker.report.send(OPTIONS[:output_format])
+      puts tracker.report.send(options[:output_format])
     end
+
+    if options[:exit_on_warn]
+      tracker.checks.all_warnings.each do |warning|
+        next if warning.confidence > options[:min_confidence]
+        return false
+      end
+    end
+    return true
+
   end
 end

data/lib/brakeman/call_index.rb

@@ -0,0 +1,204 @@
+require 'set'
+
+#Stores call sites to look up later.
+class Brakeman::CallIndex
+
+  #Initialize index with calls from FindAllCalls
+  def initialize calls
+    @calls_by_method = Hash.new { |h,k| h[k] = [] }
+    @calls_by_target = Hash.new { |h,k| h[k] = [] }
+    @methods = Set.new
+    @targets = Set.new
+
+    index_calls calls
+  end
+
+  #Find calls matching specified option hash.
+  #
+  #Options:
+  #
+  #  * :target - symbol, array of symbols, or regular expression to match target(s)
+  #  * :method - symbol, array of symbols, or regular expression to match method(s)
+  #  * :chained - boolean, whether or not to match against a whole method chain (false by default)
+  #  * :nested - boolean, whether or not to match against a method call that is a target itself (false by default)
+  def find_calls options
+    target = options[:target] || options[:targets]
+    method = options[:method] || options[:methods]
+    nested = options[:nested]
+    
+    if options[:chained]
+      return find_chain options
+    #Find by narrowest category
+    elsif target and method and target.is_a? Array and method.is_a? Array
+      if target.length > method.length
+        calls = filter_by_target calls_by_methods(method), target
+      else
+        calls = calls_by_targets(target)
+        calls = filter_by_method calls, method
+      end
+
+    #Find by target, then by methods, if provided
+    elsif target
+      calls = calls_by_target target
+
+      if calls and method
+        calls = filter_by_method calls, method
+      end
+
+    #Find calls with no explicit target
+    #with either :target => nil or :target => false
+    elsif options.key? :target and not target and method
+      calls = calls_by_method method
+      calls = filter_by_target calls, nil
+
+    #Find calls by method
+    elsif method
+      calls = calls_by_method method
+    else
+      warn "Invalid arguments to CallCache#find_calls: #{options.inspect}"
+    end
+
+    return [] if calls.nil?
+
+    #Remove calls that are actually targets of other calls
+    #Unless those are explicitly desired
+    calls = filter_nested calls unless nested
+
+    calls
+  end
+
+  private
+
+  def index_calls calls
+    calls.each do |call|
+      @methods << call[:method].to_s
+      @targets << call[:target].to_s
+      @calls_by_method[call[:method]] << call
+      @calls_by_target[call[:target]] << call
+    end
+  end
+
+  def find_chain options
+    target = options[:target] || options[:targets]
+    method = options[:method] || options[:methods]
+
+    calls = calls_by_method method
+    
+    return [] if calls.nil?
+
+    calls = filter_by_chain calls, target
+  end
+
+  def calls_by_target target
+    if target.is_a? Array
+      calls_by_targets target
+    elsif target.is_a? Regexp
+      targets = @targets.select do |t|
+        t.match target
+      end
+
+      if targets.empty?
+        []
+      elsif targets.length > 1
+        calls_by_targets targets
+      else
+        calls_by_target[targets.first]
+      end
+    else
+      @calls_by_target[target]
+    end
+  end
+
+  def calls_by_targets targets
+    calls = []
+
+    targets.each do |target|
+      calls.concat @calls_by_target[target] if @calls_by_target.key? target
+    end
+
+    calls
+  end
+
+  def calls_by_method method
+    if method.is_a? Array
+      calls_by_methods method
+    elsif method.is_a? Regexp
+      methods = @methods.select do |m|
+        m.match method
+      end
+
+      if methods.empty?
+        []
+      elsif methods.length > 1
+        calls_by_methods methods
+      else
+        @calls_by_method[methods.first.to_sym]
+      end
+    else
+      @calls_by_method[method.to_sym]
+    end
+  end
+
+  def calls_by_methods methods
+    methods = methods.map { |m| m.to_sym }
+    calls = []
+
+    methods.each do |method|
+      calls.concat @calls_by_method[method] if @calls_by_method.key? method
+    end
+
+    calls
+  end
+
+  def calls_with_no_target
+    @calls_by_target[nil]
+  end
+
+  def filter calls, key, value
+    if value.is_a? Array
+      values = Set.new value
+
+      calls.select do |call|
+        values.include? call[key]
+      end
+    elsif value.is_a? Regexp
+      calls.select do |call|
+        call[key].to_s.match value
+      end
+    else
+      calls.select do |call|
+        call[key] == value
+      end
+    end
+  end
+
+  def filter_by_method calls, method
+    filter calls, :method, method
+  end
+
+  def filter_by_target calls, target
+    filter calls, :target, target
+  end
+
+  def filter_nested calls
+    filter calls, :nested, false
+  end
+
+  def filter_by_chain calls, target
+    if target.is_a? Array
+      targets = Set.new target
+
+      calls.select do |call|
+        targets.include? call[:chain].first
+      end
+    elsif target.is_a? Regexp
+      calls.select do |call|
+        call[:chain].first.to_s.match target
+      end
+    else
+      calls.select do |call|
+        call[:chain].first == target
+      end
+    end
+  end
+end

data/lib/{checks.rb → brakeman/checks.rb}

@@ -5,7 +5,7 @@ require 'thread'
 #Checks can be added with +Check.add(check_class)+
 #
 #All .rb files in checks/ will be loaded.
-class Checks
+class Brakeman::Checks
   @checks = []
 
   attr_reader :warnings, :controller_warnings, :model_warnings, :template_warnings, :checks_run
@@ -46,10 +46,15 @@ class Checks
     end
   end
 
+  #Return an array of all warnings found.
+  def all_warnings
+    @warnings + @template_warnings + @controller_warnings + @model_warnings
+  end
+
   #Run all the checks on the given Tracker.
   #Returns a new instance of Checks with the results.
   def self.run_checks tracker
-    if OPTIONS[:parallel_checks]
+    if tracker.options[:parallel_checks]
       self.run_checks_parallel tracker
     else
       self.run_checks_sequential tracker
@@ -61,11 +66,13 @@ class Checks
     check_runner = self.new
 
     @checks.each do |c|
+      check_name = get_check_name c
+
       #Run or don't run check based on options
-      unless OPTIONS[:skip_checks].include? c.to_s or 
-        (OPTIONS[:run_checks] and not OPTIONS[:run_checks].include? c.to_s)
+      unless tracker.options[:skip_checks].include? check_name or 
+        (tracker.options[:run_checks] and not tracker.options[:run_checks].include? check_name)
 
-        warn " - #{c}"
+        warn " - #{check_name}"
 
         check = c.new(tracker)
         check.run_check
@@ -76,7 +83,7 @@ class Checks
 
         #Maintain list of which checks were run
         #mainly for reporting purposes
-        check_runner.checks_run << c.to_s[5..-1]
+        check_runner.checks_run << check_name[5..-1]
       end
     end
 
@@ -90,11 +97,13 @@ class Checks
     check_runner = self.new
 
     @checks.each do |c|
+      check_name = get_check_name c
+
       #Run or don't run check based on options
-      unless OPTIONS[:skip_checks].include? c.to_s or 
-        (OPTIONS[:run_checks] and not OPTIONS[:run_checks].include? c.to_s)
+      unless tracker.options[:skip_checks].include? check_name or 
+        (tracker.options[:run_checks] and not tracker.options[:run_checks].include? check_name)
 
-        warn " - #{c}"
+        warn " - #{check_name}"
 
         threads << Thread.new do
           begin
@@ -102,14 +111,14 @@ class Checks
             check.run_check
             check.warnings
           rescue Exception => e
-            warn "[#{c.to_s}] #{e}"
+            warn "[#{check_name}] #{e}"
             []
           end
         end
 
         #Maintain list of which checks were run
         #mainly for reporting purposes
-        check_runner.checks_run << c.to_s[5..-1]
+        check_runner.checks_run << check_name[5..-1]
       end
     end
 
@@ -126,9 +135,15 @@ class Checks
 
     check_runner
   end
+
+  private
+
+  def self.get_check_name check_class
+    check_class.to_s.split("::").last
+  end
 end
 
 #Load all files in checks/ directory
 Dir.glob("#{File.expand_path(File.dirname(__FILE__))}/checks/*.rb").sort.each do |f| 
-  require f.match(/(checks\/.*)\.rb$/)[0]
+  require f.match(/(brakeman\/checks\/.*)\.rb$/)[0]
 end