brakeman 1.1.0 → 1.2.0

data/bin/brakeman

@@ -1,10 +1,9 @@
 #!/usr/bin/env ruby
-require 'optparse'
-require 'set'
-
+#Adjust path in case called directly and not through gem
 $:.unshift "#{File.expand_path(File.dirname(__FILE__))}/../lib"
 
 require 'brakeman'
+require 'brakeman/options'
 require 'brakeman/version'
 
 trap("INT") do
@@ -12,180 +11,40 @@ trap("INT") do
   exit!
 end
 
-Brakeman::Warnings_Found_Exit_Code = 3
-
-#Parse command line options
-options = {}
-
-OptionParser.new do |opts|
-  opts.banner = "Usage: brakeman [options] rails/root/path"
- 
-  opts.on "-n", "--no-threads", "Run checks sequentially" do
-    options[:parallel_checks] = false
-  end
-
-  opts.on "--no-progress", "Do not show progress reports" do
-    options[:report_progress] = false
-  end
-
-  opts.on "-p", "--path PATH", "Specify path to Rails application" do |path|
-    options[:app_path] = File.expand_path path
-  end
-
-  opts.on "-q", "--quiet", "Suppress informational messages" do
-    options[:quiet] = true
-  end
-
-  opts.on( "-z", "--exit-on-warn", "Exit code is non-zero if warnings found") do |s|
-    options[:exit_on_warn] = s
-  end
-
-  opts.on "-3", "--rails3", "Force Rails 3 mode" do
-    options[:rails3] = true
-  end
-
-  opts.separator ""
-  opts.separator "Scanning options:"
-
-  opts.on "-a", "--assume-routes", "Assume all controller methods are actions" do
-    options[:assume_all_routes] = true
-  end
-
-  opts.on "--ignore-model-output", "Consider model attributes XSS-safe" do
-    options[:ignore_model_output] = true
-  end
-
-  opts.on "-e", "--escape-html", "Escape HTML by default" do
-    options[:escape_html] = true
-  end
-
-  opts.on "--faster", "Faster, but less accurate scan" do
-    options[:ignore_ifs] = true
-    options[:skip_libs] = true
-  end
-
-  opts.on "--no-branching", "Disable flow sensitivity on conditionals" do
-    options[:ignore_ifs] = true
-  end
-
-  opts.on "-r", "--report-direct", "Only report direct use of untrusted data" do |option|
-    options[:check_arguments] = !option
-  end
-
-  opts.on "-s", "--safe-methods meth1,meth2,etc", Array, "Consider the specified methods safe" do |methods|
-    options[:safe_methods] ||= Set.new
-    options[:safe_methods].merge methods.map {|e| e.to_sym }
-  end
-
-  opts.on "--skip-libs", "Skip processing lib directory" do
-    options[:skip_libs] = true
-  end
-
-  opts.on "-t", "--test Check1,Check2,etc", Array, "Only run the specified checks" do |checks|
-    checks.each_with_index do |s, index|
-      if s[0,5] != "Check"
-        checks[index] = "Check" << s
-      end
-    end
-
-    options[:run_checks] ||= Set.new
-    options[:run_checks].merge checks
-  end
-
-  opts.on "-x", "--except Check1,Check2,etc", Array, "Skip the specified checks" do |skip|
-    skip.each do |s|
-      if s[0,5] != "Check"
-        s = "Check" << s
-      end
-
-      options[:skip_checks] ||= Set.new
-      options[:skip_checks] << s
-    end
-  end
-
-  opts.separator ""
-  opts.separator "Output options:"
-
-  opts.on "-d", "--debug", "Lots of output" do
-    options[:debug] = true 
-  end
-
-  opts.on "-f", 
-    "--format TYPE", 
-    [:pdf, :text, :html, :csv, :tabs], 
-    "Specify output format. Default is text" do |type|
-    
-    type = "s" if type == :text
-    options[:output_format] = ("to_" << type.to_s).to_sym
-  end
-
-  opts.on "--css-file CSSFile", "Specify CSS to use for HTML output" do |file|
-    options[:html_style] = File.expand_path file
-  end
-
-  opts.on "-l", "--[no]-combine-locations", "Combine warning locations (Default)" do |combine|
-    options[:combine_locations] = combine
-  end
-
-  opts.on "-m", "--routes", "Report controller information" do
-    options[:report_routes] = true
-  end
-
-  opts.on "--message-limit LENGTH", "Limit message length in HTML report" do |limit|
-    options[:message_limit] = limit.to_i
-  end
-
-  opts.on "-o", "--output FILE", "Specify file for output. Defaults to stdout" do |file|
-    options[:output_file] = file
-  end
-
-  opts.on "--separate-models", "Warn on each model without attr_accessible" do
-    options[:collapse_mass_assignment] = false
-  end
-
-  opts.on "-w", 
-    "--confidence-level LEVEL", 
-    ["1", "2", "3"], 
-    "Set minimal confidence level (1 - 3)" do |level|
-
-    options[:min_confidence] =  3 - level.to_i
-  end
-
-  opts.separator ""
-  opts.separator "Configuration files:"
-
-  opts.on "-c", "--config-file FILE", "Use specified configuration file" do |file|
-    options[:config_file] = File.expand_path(file)
-  end
-
-  opts.on "-C", "--create-config [FILE]", "Output configuration file based on options" do |file|
-    if file
-      options[:create_config] = file
-    else
-      options[:create_config] = true
-    end
-  end
-
-  opts.separator ""
-
-  opts.on "-k", "--checks", "List all available vulnerability checks" do
-    options[:list_checks] = true
-  end
-
-  opts.on "-v", "--version", "Show Brakeman version" do
-    puts "brakeman #{Brakeman::Version}"
-    exit
-  end
+#Parse options
+options, parser = Brakeman::Options.parse! ARGV
+
+#Exit early for these options
+if options[:list_checks]
+  Brakeman.list_checks
+  exit
+elsif options[:create_config]
+  Brakeman.dump_config options
+  exit
+elsif options[:show_help]
+  puts parser
+  exit
+elsif options[:show_version]
+  puts "brakeman #{Brakeman::Version}"
+  exit
+elsif options[:install_rake_task]
+  Brakeman.install_rake_task
+  exit
+end
 
-  opts.on_tail "-h", "--help", "Display this message" do
-    puts opts
-    exit
+#Set application path according to the commandline arguments
+unless options[:app_path]
+  if ARGV[-1].nil?
+    options[:app_path] = File.expand_path "."
+  else
+    options[:app_path] = File.expand_path ARGV[-1]
   end
-end.parse!(ARGV)
+end
 
+#Run scan and output a report
 clean = Brakeman.run options.merge(:print_report => true, :quiet => options[:quiet])
 
-if options[:exit_on_warn] && !clean
+#Return error code if --exit-on-warn is used and warnings were found
+if options[:exit_on_warn] and not clean
   exit Brakeman::Warnings_Found_Exit_Code
 end
-

data/lib/brakeman.rb

@@ -4,6 +4,10 @@ require 'set'
 
 module Brakeman
 
+  #This exit code is used when warnings are found and the --exit-on-warn
+  #option is set
+  Warnings_Found_Exit_Code = 3
+
   #Run Brakeman scan. Returns Tracker object.
   #
   #Options:
@@ -14,12 +18,10 @@ module Brakeman
   #  * :collapse_mass_assignment - report unprotected models in single warning (default: true)
   #  * :combine_locations - combine warning locations (default: true)
   #  * :config_file - configuration file
-  #  * :create_config - output configuration file
   #  * :escape_html - escape HTML by default (automatic)
   #  * :exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)
   #  * :html_style - path to CSS file
   #  * :ignore_model_output - consider models safe (default: false)
-  #  * :list_checks - list all checks (does not run scan)
   #  * :message_limit - limit length of messages
   #  * :min_confidence - minimum confidence (0-2, 0 is highest)
   #  * :output_file - file for output
@@ -33,18 +35,11 @@ module Brakeman
   #  * :safe_methods - array of methods to consider safe
   #  * :skip_libs - do not process lib/ directory (default: false)
   #  * :skip_checks - checks not to run (run all if not specified)
+  #  * :summary_only - only output summary section of report 
+  #                    (does not apply to tabs format)
   #
+  #Alternatively, just supply a path as a string.
   def self.run options
-    if options[:list_checks]
-      list_checks
-      exit
-    end
-
-    if options[:create_config]
-      dump_config options
-      exit
-    end
-
     options = set_options options
 
     if options[:quiet]
@@ -55,22 +50,17 @@ module Brakeman
     scan options
   end
 
-  private
-
   def self.set_options options
+    if options.is_a? String
+      options = { :app_path => options }
+    end
+
+    options[:app_path] = File.expand_path(options[:app_path])
+
     options = load_options(options[:config_file]).merge! options
     options = get_defaults.merge! options
     options[:output_format] = get_output_format options
 
-    #Check application path
-    unless options[:app_path]
-      if ARGV[-1].nil?
-        options[:app_path] = File.expand_path "."
-      else
-        options[:app_path] = File.expand_path ARGV[-1]
-      end
-    end
-
     app_path = options[:app_path]
 
     abort("Please supply the path to a Rails application.") unless app_path and File.exist? app_path + "/app"
@@ -86,7 +76,7 @@ module Brakeman
   def self.load_options config_file
     config_file ||= ""
 
-    #Load configuation file
+    #Load configuration file
     [File.expand_path(config_file),
       File.expand_path("./config.yaml"),
       File.expand_path("~/.brakeman/config.yaml"),
@@ -161,7 +151,33 @@ module Brakeman
     require 'brakeman/scanner'
     $stderr.puts "Available Checks:"
     $stderr.puts "-" * 30
-    $stderr.puts Checks.checks.map { |c| c.to_s }.sort.join "\n"
+    $stderr.puts Checks.checks.map { |c| c.to_s.match(/^Brakeman::(.*)$/)[1] }.sort.join "\n"
+  end
+
+  def self.install_rake_task
+    if not File.exists? "Rakefile"
+      abort "No Rakefile detected"
+    elsif File.exists? "lib/tasks/brakeman.rake"
+      abort "Task already exists"
+    end
+
+    require 'fileutils'
+
+    if not File.exists? "lib/tasks"
+      warn "Creating lib/tasks"
+      FileUtils.mkdir_p "lib/tasks"
+    end
+
+    path = File.expand_path(File.dirname(__FILE__))
+
+    FileUtils.cp "#{path}/brakeman/brakeman.rake", "lib/tasks/brakeman.rake"
+
+    if File.exists? "lib/tasks/brakeman.rake"
+      warn "Task created in lib/tasks/brakeman.rake"
+      warn "Usage: rake brakeman:run[output_file]"
+    else
+      warn "Could not create task"
+    end
   end
 
   def self.dump_config options
@@ -239,4 +255,10 @@ module Brakeman
 
     tracker
   end
+
+  def self.rescan tracker, files
+    require 'brakeman/rescanner'
+
+    Rescanner.new(tracker.options, tracker.processor, files).recheck
+  end
 end

data/lib/brakeman/call_index.rb

@@ -67,7 +67,41 @@ class Brakeman::CallIndex
     calls
   end
 
-  private
+  def remove_template_indexes
+    @calls_by_method.each do |name, calls|
+      calls.delete_if do |call|
+        call[:location][0] == :template
+      end
+
+      @methods.delete name.to_s if calls.empty?
+    end
+
+    @calls_by_target.each do |name, calls|
+      calls.delete_if do |call|
+        call[:location][0] == :template
+      end
+
+      @targets.delete name.to_s if calls.empty?
+    end
+  end
+
+  def remove_indexes_by_class classes
+    @calls_by_method.each do |name, calls|
+      calls.delete_if do |call|
+        call[:location][0] == :class and classes.include? call[:location][1]
+      end
+
+      @methods.delete name.to_s if calls.empty?
+    end
+
+    @calls_by_target.each do |name, calls|
+      calls.delete_if do |call|
+        call[:location][0] == :class and classes.include? call[:location][1]
+      end
+
+      @targets.delete name.to_s if calls.empty?
+    end
+  end
 
   def index_calls calls
     calls.each do |call|
@@ -78,6 +112,8 @@ class Brakeman::CallIndex
     end
   end
 
+  private
+
   def find_chain options
     target = options[:target] || options[:targets]
     method = options[:method] || options[:methods]

data/lib/brakeman/checks.rb

@@ -46,6 +46,23 @@ class Brakeman::Checks
     end
   end
 
+  #Return a hash of arrays of new and fixed warnings
+  #
+  #    diff = checks.diff old_checks
+  #    diff[:fixed]  # [...]
+  #    diff[:new]    # [...]
+  def diff other_checks
+    my_warnings = self.all_warnings
+    other_warnings = other_checks.all_warnings
+
+    diff = {}
+
+    diff[:fixed] = other_warnings - my_warnings
+    diff[:new] = my_warnings - other_warnings
+
+    diff
+  end
+
   #Return an array of all warnings found.
   def all_warnings
     @warnings + @template_warnings + @controller_warnings + @model_warnings

data/lib/brakeman/checks/base_check.rb

@@ -1,5 +1,6 @@
 require 'sexp_processor'
 require 'brakeman/processors/output_processor'
+require 'brakeman/processors/lib/processor_helper'
 require 'brakeman/warning'
 require 'brakeman/util'
 
@@ -91,7 +92,10 @@ class Brakeman::BaseCheck < SexpProcessor
 
   #Report a warning 
   def warn options
-    @warnings << Brakeman::Warning.new(options.merge({ :check => self.class.to_s }))
+    warning = Brakeman::Warning.new(options.merge({ :check => self.class.to_s }))
+    warning.file = file_for warning
+
+    @warnings << warning 
   end 
 
   #Run _exp_ through OutputProcessor to get a nice String.

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -14,22 +14,9 @@ require 'set'
 class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
-  #Ignore these methods and their arguments.
-  #It is assumed they will take care of escaping their output.
-  IGNORE_METHODS = Set.new([:button_to, :check_box, :escapeHTML, :escape_once,
-                           :field_field, :fields_for, :h, :hidden_field,
-                           :hidden_field, :hidden_field_tag, :image_tag, :label,
-                           :link_to, :mail_to, :radio_button, :select,
-                           :submit_tag, :text_area, :text_field, 
-                           :text_field_tag, :url_encode, :url_for,
-                           :will_paginate] )
-
   #Model methods which are known to be harmless
   IGNORE_MODEL_METHODS = Set.new([:average, :count, :maximum, :minimum, :sum])
 
-  #Methods known to not escape their input
-  KNOWN_DANGEROUS = Set.new([:truncate, :concat])
-
   MODEL_METHODS = Set.new([:all, :find, :first, :last, :new])
 
   IGNORE_LIKE = /^link_to_|(_path|_tag|_url)$/
@@ -46,7 +33,14 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
   #Run check
   def run_check 
-    IGNORE_METHODS.merge tracker.options[:safe_methods]
+    @ignore_methods = Set.new([:button_to, :check_box, :escapeHTML, :escape_once,
+                           :field_field, :fields_for, :h, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :link_to, :mail_to, :radio_button, :select,
+                           :submit_tag, :text_area, :text_field,
+                           :text_field_tag, :url_encode, :url_for,
+                           :will_paginate] ).merge tracker.options[:safe_methods]
+
     @models = tracker.models.keys
     @inspect_arguments = tracker.options[:check_arguments]
 
@@ -54,10 +48,12 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     link_to_check.run_check
     warnings.concat link_to_check.warnings unless link_to_check.warnings.empty?
 
+    @known_dangerous = Set.new([:truncate, :concat])
+
     if version_between? "2.0.0", "3.0.5"
-      KNOWN_DANGEROUS << :auto_link
+      @known_dangerous << :auto_link
     elsif version_between? "3.0.6", "3.0.99"
-      IGNORE_METHODS << :auto_link
+      @ignore_methods << :auto_link
     end
 
     tracker.each_template do |name, template|
@@ -170,7 +166,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       if message and not duplicate? exp
         add_result exp
 
-        if exp[1].nil? and KNOWN_DANGEROUS.include? exp[2]
+        if exp[1].nil? and @known_dangerous.include? exp[2]
           confidence = CONFIDENCE[:high]
         else
           confidence = CONFIDENCE[:low]
@@ -201,15 +197,15 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     args = exp[3]
 
     #Ignore safe items
-    if (target.nil? and (IGNORE_METHODS.include? method or method.to_s =~ IGNORE_LIKE)) or
+    if (target.nil? and (@ignore_methods.include? method or method.to_s =~ IGNORE_LIKE)) or
       (@matched == :model and IGNORE_MODEL_METHODS.include? method) or
       (target == HAML_HELPERS and method == :html_escape) or
       ((target == URI or target == CGI) and method == :escape) or
       (target == XML_HELPER and method == :escape_xml) or
-      (target == FORM_BUILDER and IGNORE_METHODS.include? method) or
+      (target == FORM_BUILDER and @ignore_methods.include? method) or
       (method.to_s[-1,1] == "?")
 
-      exp[0] = :ignore
+      #exp[0] = :ignore #should not be necessary
       @matched = false
     elsif sexp? exp[1] and model_name? exp[1][1]
       @matched = :model
@@ -269,9 +265,9 @@ end
 
 #This _only_ checks calls to link_to
 class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
-  IGNORE_METHODS = IGNORE_METHODS - [:link_to]
-
   def run_check
+    @ignore_methods = []
+    @known_dangerous = []
     #Ideally, I think this should also check to see if people are setting
     #:escape => false
     methods = tracker.find_call :target => false, :method => :link_to