brakeman 1.2.0 → 1.2.1

data/README.md

@@ -6,9 +6,15 @@ It targets Rails versions 2.x and 3.x.
  
 There is also a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenkins/Hudson.
 
-# Homepage
+For even more continuous testing, try the [Guard plugin](https://github.com/oreoshake/guard-brakeman).
 
-http://brakemanscanner.org/
+# Homepage/News
+
+Website: http://brakemanscanner.org/
+
+Twitter: http://twitter.com/brakemanscanner
+
+Mailing list: brakeman@librelist.com
 
 # Installation
 

data/lib/brakeman.rb

@@ -8,6 +8,9 @@ module Brakeman
   #option is set
   Warnings_Found_Exit_Code = 3
 
+  @debug = false
+  @quiet = false
+
   #Run Brakeman scan. Returns Tracker object.
   #
   #Options:
@@ -42,14 +45,15 @@ module Brakeman
   def self.run options
     options = set_options options
 
-    if options[:quiet]
-      options[:report_progress] = false
-      $VERBOSE = nil
-    end
+    @quiet = !!options[:quiet]
+    @debug = !!options[:debug]
+
+    options[:report_progress] = !@quiet
 
     scan options
   end
 
+  #Sets up options for run, checks given application path
   def self.set_options options
     if options.is_a? String
       options = { :app_path => options }
@@ -67,12 +71,13 @@ module Brakeman
 
     if File.exist? app_path + "/script/rails"
       options[:rails3] = true
-      warn "[Notice] Detected Rails 3 application" 
+      notify "[Notice] Detected Rails 3 application"
     end
 
     options
   end
 
+  #Load options from YAML file
   def self.load_options config_file
     config_file ||= ""
 
@@ -84,7 +89,7 @@ module Brakeman
       "#{File.expand_path(File.dirname(__FILE__))}/../lib/config.yaml"].each do |f|
 
       if File.exist? f and not File.directory? f
-        warn "[Notice] Using configuration in #{f}" unless options[:quiet]
+        notify "[Notice] Using configuration in #{f}"
         options = YAML.load_file f
         options.each do |k,v|
           if v.is_a? Array
@@ -99,6 +104,7 @@ module Brakeman
     return {}
   end
 
+  #Default set of options
   def self.get_defaults
     { :skip_checks => Set.new, 
       :check_arguments => true, 
@@ -116,6 +122,8 @@ module Brakeman
     }
   end
 
+  #Determine output format based on options[:output_format]
+  #or options[:output_file]
   def self.get_output_format options
     #Set output format
     if options[:output_format]
@@ -147,6 +155,7 @@ module Brakeman
     end
   end
 
+  #Output list of checks (for `-k` option)
   def self.list_checks
     require 'brakeman/scanner'
     $stderr.puts "Available Checks:"
@@ -154,6 +163,9 @@ module Brakeman
     $stderr.puts Checks.checks.map { |c| c.to_s.match(/^Brakeman::(.*)$/)[1] }.sort.join "\n"
   end
 
+  #Installs Rake task for running Brakeman,
+  #which basically means copying `lib/brakeman/brakeman.rake` to
+  #`lib/tasks/brakeman.rake` in the current Rails application.
   def self.install_rake_task
     if not File.exists? "Rakefile"
       abort "No Rakefile detected"
@@ -164,7 +176,7 @@ module Brakeman
     require 'fileutils'
 
     if not File.exists? "lib/tasks"
-      warn "Creating lib/tasks"
+      notify "Creating lib/tasks"
       FileUtils.mkdir_p "lib/tasks"
     end
 
@@ -173,13 +185,14 @@ module Brakeman
     FileUtils.cp "#{path}/brakeman/brakeman.rake", "lib/tasks/brakeman.rake"
 
     if File.exists? "lib/tasks/brakeman.rake"
-      warn "Task created in lib/tasks/brakeman.rake"
-      warn "Usage: rake brakeman:run[output_file]"
+      notify "Task created in lib/tasks/brakeman.rake"
+      notify "Usage: rake brakeman:run[output_file]"
     else
-      warn "Could not create task"
+      notify "Could not create task"
     end
   end
 
+  #Output configuration to YAML
   def self.dump_config options
     if options[:create_config].is_a? String
       file = options[:create_config]
@@ -206,9 +219,10 @@ module Brakeman
     exit
   end
 
+  #Run a scan. Generally called from Brakeman.run instead of directly.
   def self.scan options
     #Load scanner
-    warn "Loading scanner..."
+    notify "Loading scanner..."
 
     begin
       require 'brakeman/scanner'
@@ -219,27 +233,27 @@ module Brakeman
     #Start scanning
     scanner = Scanner.new options
 
-    warn "[Notice] Using Ruby #{RUBY_VERSION}. Please make sure this matches the one used to run your Rails application."
+    notify "[Notice] Using Ruby #{RUBY_VERSION}. Please make sure this matches the one used to run your Rails application."
 
-    warn "Processing application in #{options[:app_path]}"
+    notify "Processing application in #{options[:app_path]}"
     tracker = scanner.process
 
     if options[:parallel_checks]
-      warn "Running checks in parallel..."
+      notify "Running checks in parallel..."
     else
-      warn "Runnning checks..."
+      notify "Runnning checks..."
     end
     tracker.run_checks
 
     if options[:output_file]
-      warn "Generating report..."
+      notify "Generating report..."
 
       File.open options[:output_file], "w" do |f|
         f.puts tracker.report.send(options[:output_format])
       end
-      warn "Report saved in '#{options[:output_file]}'"
+      notify "Report saved in '#{options[:output_file]}'"
     elsif options[:print_report]
-      warn "Generating report..."
+      notify "Generating report..."
 
       puts tracker.report.send(options[:output_format])
     end
@@ -256,9 +270,33 @@ module Brakeman
     tracker
   end
 
-  def self.rescan tracker, files
+  #Rescan a subset of files in a Rails application.
+  #
+  #A full scan must have been run already to use this method.
+  #The returned Tracker object from Brakeman.run is used as a starting point
+  #for the rescan.
+  #
+  #Options may be given as a hash with the same values as Brakeman.run.
+  #Note that these options will be merged into the Tracker.
+  #
+  #This method returns a RescanReport object with information about the scan.
+  #However, the Tracker object will also be modified as the scan is run.
+  def self.rescan tracker, files, options = {}
     require 'brakeman/rescanner'
 
+    tracker.options.merge! options
+
+    @quiet = !!tracker.options[:quiet]
+    @debug = !!tracker.options[:debug]
+
     Rescanner.new(tracker.options, tracker.processor, files).recheck
   end
+
+  def self.notify message
+    $stderr.puts message unless @quiet
+  end
+
+  def self.debug message
+    $stderr.puts message if @debug
+  end
 end

data/lib/brakeman/call_index.rb

@@ -55,7 +55,7 @@ class Brakeman::CallIndex
     elsif method
       calls = calls_by_method method
     else
-      warn "Invalid arguments to CallCache#find_calls: #{options.inspect}"
+      notify "Invalid arguments to CallCache#find_calls: #{options.inspect}"
     end
 
     return [] if calls.nil?

data/lib/brakeman/checks.rb

@@ -89,7 +89,7 @@ class Brakeman::Checks
       unless tracker.options[:skip_checks].include? check_name or 
         (tracker.options[:run_checks] and not tracker.options[:run_checks].include? check_name)
 
-        warn " - #{check_name}"
+        Brakeman.notify " - #{check_name}"
 
         check = c.new(tracker)
         check.run_check
@@ -120,7 +120,7 @@ class Brakeman::Checks
       unless tracker.options[:skip_checks].include? check_name or 
         (tracker.options[:run_checks] and not tracker.options[:run_checks].include? check_name)
 
-        warn " - #{check_name}"
+        Brakeman.notify " - #{check_name}"
 
         threads << Thread.new do
           begin
@@ -128,7 +128,7 @@ class Brakeman::Checks
             check.run_check
             check.warnings
           rescue Exception => e
-            warn "[#{check_name}] #{e}"
+            Brakeman.notify "[#{check_name}] #{e}"
             []
           end
         end
@@ -141,7 +141,7 @@ class Brakeman::Checks
 
     threads.each { |t| t.join }
 
-    warn "Checks finished, collecting results..."
+    Brakeman.notify "Checks finished, collecting results..."
 
     #Collect results
     threads.each do |thread|

data/lib/brakeman/checks/base_check.rb

@@ -20,7 +20,6 @@ class Brakeman::BaseCheck < SexpProcessor
     @tracker = tracker
     @string_interp = false
     @current_set = nil
-    @debug_mode = tracker.options[:debug]
     @current_template = @current_module = @current_class = @current_method = nil
     self.strict = false
     self.auto_shift_type = false
@@ -397,8 +396,4 @@ class Brakeman::BaseCheck < SexpProcessor
       "config/environment.rb"
     end
   end
-
-  def debug_info msg
-    Kernel.warn msg if @debug_mode
-  end
 end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -44,9 +44,11 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     @models = tracker.models.keys
     @inspect_arguments = tracker.options[:check_arguments]
 
-    link_to_check = Brakeman::CheckLinkTo.new(tracker)
-    link_to_check.run_check
-    warnings.concat link_to_check.warnings unless link_to_check.warnings.empty?
+    if version_between?("2.0.0", "2.9.9") and not tracker.config[:escape_html]
+      link_to_check = Brakeman::CheckLinkTo.new(tracker)
+      link_to_check.run_check
+      warnings.concat link_to_check.warnings unless link_to_check.warnings.empty?
+    end
 
     @known_dangerous = Set.new([:truncate, :concat])
 
@@ -59,10 +61,10 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     tracker.each_template do |name, template|
       @current_template = template
       template[:outputs].each do |out|
-        debug_info "Checking #{name} for direct XSS"
+        Brakeman.debug "Checking #{name} for direct XSS"
 
         unless check_for_immediate_xss out
-          debug_info "Checking #{name} for indirect XSS"
+          Brakeman.debug "Checking #{name} for indirect XSS"
 
           @matched = false
           @mark = false
@@ -266,7 +268,14 @@ end
 #This _only_ checks calls to link_to
 class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
   def run_check
-    @ignore_methods = []
+    @ignore_methods = Set.new([:button_to, :check_box, :escapeHTML, :escape_once,
+                           :field_field, :fields_for, :h, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :mail_to, :radio_button, :select,
+                           :submit_tag, :text_area, :text_field,
+                           :text_field_tag, :url_encode, :url_for,
+                           :will_paginate] ).merge tracker.options[:safe_methods]
+
     @known_dangerous = []
     #Ideally, I think this should also check to see if people are setting
     #:escape => false

data/lib/brakeman/checks/check_default_routes.rb

@@ -15,7 +15,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
         :confidence => CONFIDENCE[:high],
         :file => "#{tracker.options[:app_path]}/config/routes.rb"
     else #Report each controller separately
-      debug_info "Checking each controller for default routes"
+      Brakeman.debug "Checking each controller for default routes"
 
       tracker.routes.each do |name, actions|
         if actions.is_a? Array and actions[0] == :allow_all_actions

data/lib/brakeman/checks/check_evaluation.rb

@@ -7,10 +7,10 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
 
   #Process calls
   def run_check
-    debug_info "Finding eval-like calls"
+    Brakeman.debug "Finding eval-like calls"
     calls = tracker.find_call :method => [:eval, :instance_eval, :class_eval, :module_eval]
 
-    debug_info "Processing eval-like calls"
+    Brakeman.debug "Processing eval-like calls"
     calls.each do |call|
       process_result call
     end

data/lib/brakeman/checks/check_execute.rb

@@ -13,13 +13,13 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 
   #Check models, controllers, and views for command injection.
   def run_check
-    debug_info "Finding system calls using ``"
+    Brakeman.debug "Finding system calls using ``"
     check_for_backticks tracker
 
-    debug_info "Finding other system calls"
+    Brakeman.debug "Finding other system calls"
     calls = tracker.find_call :targets => [:IO, :Open3, :Kernel, nil], :methods => [:exec, :popen, :popen3, :syscall, :system]
 
-    debug_info "Processing system calls"
+    Brakeman.debug "Processing system calls"
     calls.each do |result|
       process_result result
     end

data/lib/brakeman/checks/check_file_access.rb

@@ -6,16 +6,16 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
   def run_check
-    debug_info "Finding possible file access"
+    Brakeman.debug "Finding possible file access"
     methods = tracker.find_call :targets => [:Dir, :File, :IO, :Kernel, :"Net::FTP", :"Net::HTTP", :PStore, :Pathname, :Shell, :YAML], :methods => [:[], :chdir, :chroot, :delete, :entries, :foreach, :glob, :install, :lchmod, :lchown, :link, :load, :load_file, :makedirs, :move, :new, :open, :read, :read_lines, :rename, :rmdir, :safe_unlink, :symlink, :syscopy, :sysopen, :truncate, :unlink]
 
-    debug_info "Finding calls to load()"
+    Brakeman.debug "Finding calls to load()"
     methods.concat tracker.find_call :target => false, :method => :load
 
-    debug_info "Finding calls using FileUtils"
+    Brakeman.debug "Finding calls using FileUtils"
     methods.concat tracker.find_call :target => :FileUtils
 
-    debug_info "Processing found calls"
+    Brakeman.debug "Processing found calls"
     methods.each do |call|
       process_result call
     end

data/lib/brakeman/checks/check_mail_to.rb

@@ -28,7 +28,7 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
   #Check for javascript encoding of mail_to address
   #    mail_to email, name, :encode => :javascript
   def mail_to_javascript?
-    debug_info "Checking calls to mail_to for javascript encoding"
+    Brakeman.debug "Checking calls to mail_to for javascript encoding"
 
     tracker.find_call(:target => false, :method => :mail_to).each do |result|
       call = result[:call]

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -21,7 +21,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 
     @results = Set.new
 
-    debug_info "Finding possible mass assignment calls on #{models.length} models"
+    Brakeman.debug "Finding possible mass assignment calls on #{models.length} models"
     calls = tracker.find_call :chained => true, :targets => models, :methods => [:new,
       :attributes=, 
       :update_attribute, 
@@ -30,7 +30,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
       :create,
       :create!]
 
-    debug_info "Processing possible mass assignment calls"
+    Brakeman.debug "Processing possible mass assignment calls"
     calls.each do |result|
       process_result result
     end

data/lib/brakeman/checks/check_quote_table_name.rb

@@ -29,7 +29,7 @@ class Brakeman::CheckQuoteTableName < Brakeman::BaseCheck
   end
 
   def uses_quote_table_name?
-    debug_info "Finding calls to quote_table_name()"
+    Brakeman.debug "Finding calls to quote_table_name()"
 
     not tracker.find_call(:target => false, :method => :quote_table_name).empty?
   end

data/lib/brakeman/checks/check_redirect.rb

@@ -9,7 +9,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
   def run_check
-    debug_info "Finding calls to redirect_to()"
+    Brakeman.debug "Finding calls to redirect_to()"
 
     @tracker.find_call(:target => false, :method => :redirect_to).each do |res|
       process_result res
@@ -42,7 +42,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
   #which can be used to enable/disable reporting output of method calls which use
   #user input as arguments.
   def include_user_input? call
-    debug_info "Checking if call includes user input"
+    Brakeman.debug "Checking if call includes user input"
 
     if tracker.options[:ignore_redirect_to_model] and call? call[3][1] and 
       call[3][1][2] == :new and call[3][1][1]

data/lib/brakeman/checks/check_send_file.rb

@@ -6,7 +6,7 @@ class Brakeman::CheckSendFile < Brakeman::CheckFileAccess
   Brakeman::Checks.add self
 
   def run_check
-    debug_info "Finding all calls to send_file()"
+    Brakeman.debug "Finding all calls to send_file()"
 
     methods = tracker.find_call :target => false, :method => :send_file
 

data/lib/brakeman/checks/check_sql.rb

@@ -14,7 +14,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   def run_check
     @rails_version = tracker.config[:rails_version]
 
-    debug_info "Finding possible SQL calls on models"
+    Brakeman.debug "Finding possible SQL calls on models"
     if tracker.options[:rails3]
       calls = tracker.find_call :targets => tracker.models.keys,
         :methods => /^(find.*|first|last|all|where|order|group|having)$/,
@@ -25,16 +25,16 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         :chained => true
     end
 
-    debug_info "Finding possible SQL calls with no target"
+    Brakeman.debug "Finding possible SQL calls with no target"
     calls.concat tracker.find_call(:target => nil, :method => /^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql)$/)
 
-    debug_info "Finding possible SQL calls using constantized()"
+    Brakeman.debug "Finding possible SQL calls using constantized()"
     calls.concat tracker.find_call(:method => /^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql)$/).select { |result| constantize_call? result }
 
-    debug_info "Finding calls to named_scope or scope"
+    Brakeman.debug "Finding calls to named_scope or scope"
     calls.concat find_scope_calls
 
-    debug_info "Processing possible SQL calls"
+    Brakeman.debug "Processing possible SQL calls"
     calls.each do |c|
       process_result c
     end

data/lib/brakeman/checks/check_strip_tags.rb

@@ -23,7 +23,7 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
   end
 
   def uses_strip_tags?
-    debug_info "Finding calls to strip_tags()"
+    Brakeman.debug "Finding calls to strip_tags()"
 
     not tracker.find_call(:target => false, :method => :strip_tags).empty?
   end

data/lib/brakeman/checks/check_translate_bug.rb

@@ -6,7 +6,7 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
   Brakeman::Checks.add self
 
   def run_check
-    if (version_between?('2.3.0', '2.3.99') and tracker.options[:escape_html]) or 
+    if (version_between?('2.3.0', '2.3.99') and tracker.config[:escape_html]) or
         version_between?('3.0.0', '3.0.10') or
         version_between?('3.1.0', '3.1.1')
 
@@ -34,7 +34,7 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
   end
 
   def uses_translate?
-    debug_info "Finding calls to translate() or t()"
+    Brakeman.debug "Finding calls to translate() or t()"
 
     not tracker.find_call(:target => nil, :methods => [:t, :translate]).empty?
   end

data/lib/brakeman/checks/check_without_protection.rb

@@ -23,7 +23,7 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
 
     @results = Set.new
 
-    debug_info "Finding all mass assignments"
+    Brakeman.debug "Finding all mass assignments"
     calls = tracker.find_call :targets => models, :methods => [:new,
       :attributes=, 
       :update_attribute, 
@@ -32,7 +32,7 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
       :create,
       :create!]
 
-    debug_info "Processing all mass assignments"
+    Brakeman.debug "Processing all mass assignments"
     calls.each do |result|
       process_result result
     end

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -87,7 +87,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     method = find_method name, @current_class    
 
     if method.nil?
-      warn "[Notice] Could not find filter #{name}" if @tracker.options[:debug]
+      Brakeman.debug "[Notice] Could not find filter #{name}"
       return
     end
 
@@ -207,7 +207,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
       when :lit, :str
         filter[option] = value[1]
       else
-        warn "[Notice] Unknown before_filter value: #{option} => #{value}" if @tracker.options[:debug]
+        Brakeman.debug "[Notice] Unknown before_filter value: #{option} => #{value}"
       end
     else
       filter[:all] = true

data/lib/brakeman/processors/controller_processor.rb

@@ -22,7 +22,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
   #s(:class, NAME, PARENT, s(:scope ...))
   def process_class exp
     if @controller
-      warn "[Notice] Skipping inner class: #{class_name exp[1]}" if @tracker.options[:debug]
+      Brakeman.debug "[Notice] Skipping inner class: #{class_name exp[1]}"
       return ignore
     end
 
@@ -83,7 +83,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
             unless Dir.glob("#{@tracker.options[:app_path]}/app/views/layouts/#{name}.html.{erb,haml}").empty?
               @controller[:layout] = "layouts/#{name}"
             else
-              warn "[Notice] Layout not found: #{name}" if @tracker.options[:debug]
+              Brakeman.debug "[Notice] Layout not found: #{name}"
             end
           elsif sexp? args[-1] and (args[-1][0] == :nil or args[-1][0] == :false)
             #layout :false or layout nil

data/lib/brakeman/processors/lib/rails2_config_processor.rb

@@ -37,7 +37,7 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BaseProcessor
     target = process target if sexp? target
 
     if exp[2] == :gem and exp[3][1][1] == "erubis"
-      warn "[Notice] Using Erubis for ERB templates"
+      Brakeman.notify "[Notice] Using Erubis for ERB templates"
       @tracker.config[:erubis] = true
     end
 

data/lib/brakeman/processors/lib/render_helper.rb

@@ -21,10 +21,13 @@ module Brakeman::RenderHelper
 
   #Processes layout
   def process_layout name = nil
-    layout = name || layout_name
-    return unless layout
+    if name.nil? and defined? layout_name
+      name = layout_name
+    end
+
+    return unless name
 
-    process_template layout, nil
+    process_template name, nil
   end
 
   #Determines file name for partial and then processes it
@@ -50,7 +53,7 @@ module Brakeman::RenderHelper
     name = name.to_s.gsub(/^\//, "")
     template = @tracker.templates[name.to_sym]
     unless template
-      warn "[Notice] No such template: #{name}" if @tracker.options[:debug]
+      Brakeman.debug "[Notice] No such template: #{name}"
       return 
     end
 

data/lib/brakeman/processors/model_processor.rb

@@ -19,7 +19,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
   #s(:class, NAME, PARENT, s(:scope ...))
   def process_class exp
     if @model
-      warn "[Notice] Skipping inner class: #{class_name exp[1]}" if @tracker.options[:debug]
+      Brakeman.debug "[Notice] Skipping inner class: #{class_name exp[1]}"
       ignore
     else
       @model = { :name => class_name(exp[1]),
@@ -56,6 +56,8 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
         case method
         when :private, :protected, :public
           @visibility = method
+        when :attr_accessible
+          @model[:attr_accessible] ||= []
         else
           #??
         end

data/lib/brakeman/processors/output_processor.rb

@@ -19,7 +19,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
     begin
       super exp if sexp? exp and not exp.empty?
     rescue Exception => e
-      warn "While formatting #{exp}: #{e}\n#{e.backtrace.join("\n")}" if @tracker.options[:debug]
+      Brakeman.debug "While formatting #{exp}: #{e}\n#{e.backtrace.join("\n")}"
     end
   end
 

data/lib/brakeman/report.rb

@@ -83,7 +83,7 @@ class Brakeman::Report
       
      
       tracker.errors.each do |w|
-        p w if tracker.options[:debug]
+        Brakeman.debug w.inspect
 
         if html
           w[:error] = CGI.escapeHTML w[:error]

data/lib/brakeman/rescanner.rb

@@ -45,7 +45,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
     SCAN_ORDER.each do |type|
       paths_by_type[type].each do |path|
-        warn "Rescanning #{path} as #{type}" if tracker.options[:debug]
+        Brakeman.debug "Rescanning #{path} as #{type}"
 
         if rescan_file path, type
           @changes = true
@@ -244,4 +244,12 @@ class Brakeman::RescanReport
   def diff
     @diff ||= @new_results.diff(@old_results)
   end
+
+  def to_s
+    <<-OUTPUT
+Total warnings: #{all_warnings.length}
+Fixed warnings: #{fixed_warnings.length}
+New warnings: #{new_warnings.length}
+    OUTPUT
+  end
 end

data/lib/brakeman/scanner.rb

@@ -51,23 +51,23 @@ class Brakeman::Scanner
 
   #Process everything in the Rails application
   def process
-    warn "Processing configuration..."
+    Brakeman.notify "Processing configuration..."
     process_config
-    warn "Processing gems..."
+    Brakeman.notify "Processing gems..."
     process_gems
-    warn "Processing initializers..."
+    Brakeman.notify "Processing initializers..."
     process_initializers
-    warn "Processing libs..."
+    Brakeman.notify "Processing libs..."
     process_libs
-    warn "Processing routes...        "
+    Brakeman.notify "Processing routes...        "
     process_routes
-    warn "Processing templates...     "
+    Brakeman.notify "Processing templates...     "
     process_templates
-    warn "Processing models...        "
+    Brakeman.notify "Processing models...        "
     process_models
-    warn "Processing controllers...   "
+    Brakeman.notify "Processing controllers...   "
     process_controllers
-    warn "Indexing call sites...      "
+    Brakeman.notify "Indexing call sites...      "
     index_call_sites
     tracker
   end
@@ -89,7 +89,7 @@ class Brakeman::Scanner
       (File.exists? "#@path/Gemfile" and File.read("#@path/Gemfile").include? "rails_xss")
 
       tracker.config[:escape_html] = true
-      warn "[Notice] Escaping HTML by default"
+      Brakeman.notify "[Notice] Escaping HTML by default"
     end
   end
 
@@ -99,7 +99,7 @@ class Brakeman::Scanner
     end
 
   rescue Exception => e
-    warn "[Notice] Error while processing config/#{file}"
+    Brakeman.notify "[Notice] Error while processing config/#{file}"
     tracker.error e.exception(e.message + "\nwhile processing Gemfile"), e.backtrace
   end
 
@@ -115,7 +115,7 @@ class Brakeman::Scanner
       end
     end
   rescue Exception => e
-    warn "[Notice] Error while processing Gemfile."
+    Brakeman.notify "[Notice] Error while processing Gemfile."
     tracker.error e.exception(e.message + "\nWhile processing Gemfile"), e.backtrace
   end
 
@@ -144,7 +144,7 @@ class Brakeman::Scanner
   #Adds parsed information to tracker.libs.
   def process_libs
     if options[:skip_libs]
-      warn '[Skipping]'
+      Brakeman.notify '[Skipping]'
       return
     end
 
@@ -153,7 +153,7 @@ class Brakeman::Scanner
     current = 0
 
     lib_files.each do |f|
-      warn "Processing #{f}" if options[:debug]
+      Brakeman.debug "Processing #{f}"
       if @report_progress
         $stderr.print " #{current}/#{total} files processed\r"
         current += 1
@@ -183,11 +183,11 @@ class Brakeman::Scanner
         @processor.process_routes parse_ruby(File.read("#@path/config/routes.rb"))
       rescue Exception => e
         tracker.error e.exception(e.message + "\nWhile processing routes.rb"), e.backtrace
-        warn "[Notice] Error while processing routes - assuming all public controller methods are actions."
+        Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
         options[:assume_all_routes] = true
       end
     else
-      warn "[Notice] No route information found"
+      Brakeman.notify "[Notice] No route information found"
     end
   end
 
@@ -200,7 +200,7 @@ class Brakeman::Scanner
     current = 0
 
     controller_files.each do |f|
-      warn "Processing #{f}" if options[:debug]
+      Brakeman.debug "Processing #{f}"
       if @report_progress
         $stderr.print " #{current}/#{total} files processed\r"
         current += 1
@@ -212,7 +212,7 @@ class Brakeman::Scanner
     current = 0
     total = tracker.controllers.length
 
-    warn "Processing data flow in controllers..."
+    Brakeman.notify "Processing data flow in controllers..."
 
     tracker.controllers.each do |name, controller|
       if @report_progress
@@ -258,7 +258,7 @@ class Brakeman::Scanner
     total = tracker.templates.length
     count = 0
 
-    warn "Processing data flow in templates..."
+    Brakeman.notify "Processing data flow in templates..."
 
     tracker.templates.keys.dup.each do |name|
       if @report_progress

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.2.0"
+  Version = "1.2.1"
 end

data/lib/brakeman/warning.rb

@@ -5,6 +5,8 @@ class Brakeman::Warning
 
   attr_accessor :code, :context, :file, :message
 
+  TEXT_CONFIDENCE = [ "High", "Medium", "Weak" ]
+
   #+options[:result]+ can be a result from Tracker#find_call. Otherwise, it can be +nil+.
   def initialize options = {}
     @view_name = nil
@@ -111,4 +113,13 @@ class Brakeman::Warning
 
     @row
   end
+
+  def to_s
+   output =  "(#{TEXT_CONFIDENCE[self.confidence]}) #{self.warning_type} - #{self.message}"
+   output << " near line #{self.line}" if self.line
+   output << " in #{self.file}" if self.file
+   output << ": #{self.format_code}" if self.code
+
+   output
+  end
 end

metadata

@@ -1,127 +1,101 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: brakeman
-version: !ruby/object:Gem::Version 
-  prerelease: false
-  segments: 
-  - 1
-  - 2
-  - 0
-  version: 1.2.0
+version: !ruby/object:Gem::Version
+  version: 1.2.1
+  prerelease: 
 platform: ruby
-authors: 
+authors:
 - Justin Collins
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2012-01-13 00:00:00 -08:00
-default_executable: 
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2012-01-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: activesupport
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
+  requirement: &76221240 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: i18n
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
+  version_requirements: *76221240
+- !ruby/object:Gem::Dependency
+  name: i18n
+  requirement: &76220920 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: ruby2ruby
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
+  version_requirements: *76220920
+- !ruby/object:Gem::Dependency
+  name: ruby2ruby
+  requirement: &76220320 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 1
-        - 2
-        version: "1.2"
+      - !ruby/object:Gem::Version
+        version: '1.2'
   type: :runtime
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency 
-  name: ruport
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
+  version_requirements: *76220320
+- !ruby/object:Gem::Dependency
+  name: ruport
+  requirement: &76219720 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 1
-        - 6
-        version: "1.6"
+      - !ruby/object:Gem::Version
+        version: '1.6'
   type: :runtime
-  version_requirements: *id004
-- !ruby/object:Gem::Dependency 
-  name: erubis
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
+  version_requirements: *76219720
+- !ruby/object:Gem::Dependency
+  name: erubis
+  requirement: &76943790 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 2
-        - 6
-        version: "2.6"
+      - !ruby/object:Gem::Version
+        version: '2.6'
   type: :runtime
-  version_requirements: *id005
-- !ruby/object:Gem::Dependency 
-  name: haml
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement 
+  version_requirements: *76943790
+- !ruby/object:Gem::Dependency
+  name: haml
+  requirement: &76943560 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 3
-        - 0
-        version: "3.0"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :runtime
-  version_requirements: *id006
-- !ruby/object:Gem::Dependency 
-  name: sass
   prerelease: false
-  requirement: &id007 !ruby/object:Gem::Requirement 
+  version_requirements: *76943560
+- !ruby/object:Gem::Dependency
+  name: sass
+  requirement: &76943330 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 3
-        - 0
-        version: "3.0"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :runtime
-  version_requirements: *id007
-description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
+  prerelease: false
+  version_requirements: *76943330
+description: Brakeman detects security vulnerabilities in Ruby on Rails applications
+  via static analysis.
 email: 
-executables: 
+executables:
 - brakeman
 extensions: []
-
 extra_rdoc_files: []
-
-files: 
+files:
 - bin/brakeman
 - WARNING_TYPES
 - FEATURES
@@ -194,37 +168,28 @@ files:
 - lib/brakeman/processor.rb
 - lib/brakeman.rb
 - lib/brakeman/format/style.css
-has_rdoc: true
 homepage: http://brakemanscanner.org
 licenses: []
-
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      segments: 
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: 
-rubygems_version: 1.3.7
+rubygems_version: 1.8.10
 signing_key: 
 specification_version: 3
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []
-