brakeman 1.5.3 → 1.6.0.pre1

data/bin/brakeman

@@ -7,7 +7,13 @@ require 'brakeman/options'
 require 'brakeman/version'
 
 #Parse options
-options, parser = Brakeman::Options.parse! ARGV
+begin
+  options, parser = Brakeman::Options.parse! ARGV
+rescue OptionParser::ParseError => e
+  $stderr.puts e.message.capitalize
+  $stderr.puts "Please see `brakeman --help` for valid options"
+  exit -1
+end
 
 #Exit early for these options
 if options[:list_checks]
@@ -46,10 +52,18 @@ trap("INT") do
   exit!
 end
 
-#Run scan and output a report
-tracker = Brakeman.run options.merge(:print_report => true, :quiet => options[:quiet])
+if options[:previous_results_json]
+  vulns = Brakeman.compare options
+  puts JSON.pretty_generate(vulns)
+else
+  #Run scan and output a report
+  tracker = Brakeman.run options.merge(:print_report => true, :quiet => options[:quiet])
 
-#Return error code if --exit-on-warn is used and warnings were found
-if options[:exit_on_warn] and not tracker.checks.all_warnings.empty?
-  exit Brakeman::Warnings_Found_Exit_Code
+  #Return error code if --exit-on-warn is used and warnings were found
+  if options[:exit_on_warn] and not tracker.checks.all_warnings.empty?
+    exit Brakeman::Warnings_Found_Exit_Code
+  end
 end
+
+
+

data/lib/brakeman.rb

@@ -23,6 +23,7 @@ module Brakeman
   #  * :config_file - configuration file
   #  * :escape_html - escape HTML by default (automatic)
   #  * :exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)
+  #  * :highlight_user_input - highlight user input in reported warnings (default: true)
   #  * :html_style - path to CSS file
   #  * :ignore_model_output - consider models safe (default: false)
   #  * :message_limit - limit length of messages
@@ -51,7 +52,6 @@ module Brakeman
     if @quiet
       options[:report_progress] = false
     end
-
     scan options
   end
 
@@ -114,6 +114,7 @@ module Brakeman
       :min_confidence => 2,
       :combine_locations => true,
       :collapse_mass_assignment => true,
+      :highlight_user_input => true,
       :ignore_redirect_to_model => true,
       :ignore_model_output => false,
       :message_limit => 100,
@@ -310,4 +311,23 @@ module Brakeman
   def self.debug message
     $stderr.puts message if @debug
   end
+
+  # Compare JSON ouptut from a previous scan and return the diff of the two scans
+  def self.compare options
+    require 'json'
+    require 'brakeman/differ'
+    raise ArgumentError.new("Comparison file doesn't exist") unless File.exists? options[:previous_results_json]
+
+    begin
+      previous_results = JSON.parse(File.read(options[:previous_results_json]), :symbolize_names =>true)[:warnings]
+    rescue JSON::ParserError
+      self.notify "Error parsing comparison file: #{options[:previous_results_json]}"
+      exit!
+    end
+
+    tracker = run(options)
+    new_results = JSON.parse(tracker.report.to_json, :symbolize_names =>true)[:warnings]
+
+    Brakeman::Differ.new(new_results, previous_results).diff
+  end
 end

data/lib/brakeman/checks.rb

@@ -1,4 +1,5 @@
 require 'thread'
+require 'brakeman/differ'
 
 #Collects up results from running different checks.
 #
@@ -64,13 +65,7 @@ class Brakeman::Checks
   def diff other_checks
     my_warnings = self.all_warnings
     other_warnings = other_checks.all_warnings
-
-    diff = {}
-
-    diff[:fixed] = other_warnings - my_warnings
-    diff[:new] = my_warnings - other_warnings
-
-    diff
+    Brakeman::Differ.new(my_warnings, other_warnings).diff
   end
 
   #Return an array of all warnings found.

data/lib/brakeman/checks/base_check.rb

@@ -12,6 +12,8 @@ class Brakeman::BaseCheck < SexpProcessor
 
   CONFIDENCE = { :high => 0, :med => 1, :low => 2 }
 
+  Match = Struct.new(:type, :match)
+
   #Initialize Check with Checks.
   def initialize tracker
     super()
@@ -66,13 +68,13 @@ class Brakeman::BaseCheck < SexpProcessor
     process exp[3]
 
     if params? exp[1]
-      @has_user_input = :params
+      @has_user_input = Match.new(:params, exp)
     elsif cookies? exp[1]
-      @has_user_input = :cookies
+      @has_user_input = Match.new(:cookies, exp)
     elsif request_env? exp[1]
-      @has_user_input = :request
+      @has_user_input = Match.new(:request, exp)
     elsif sexp? exp[1] and model_name? exp[1][1]
-      @has_user_input = :model
+      @has_user_input = Match.new(:model, exp)
     end
 
     exp
@@ -92,13 +94,13 @@ class Brakeman::BaseCheck < SexpProcessor
 
   #Note that params are included in current expression
   def process_params exp
-    @has_user_input = :params
+    @has_user_input = Match.new(:params, exp)
     exp
   end
 
   #Note that cookies are included in current expression
   def process_cookies exp
-    @has_user_input = :cookies
+    @has_user_input = Match.new(:cookies, exp)
     exp
   end
 
@@ -206,19 +208,26 @@ class Brakeman::BaseCheck < SexpProcessor
 
   #Does not actually process string interpolation, but notes that it occurred.
   def process_string_interp exp
-    @string_interp = true
+    @string_interp = Match.new(:interp, exp)
     exp
   end
 
   #Checks if an expression contains string interpolation.
+  #
+  #Returns Match with :interp type if found.
   def include_interp? exp
     @string_interp = false
     process exp
     @string_interp
   end
 
-  #Checks if _exp_ includes parameters or cookies, but this only works 
-  #with the base process_default.
+  #Checks if _exp_ includes user input in the form of cookies, parameters,
+  #request environment, or model attributes.
+  #
+  #If found, returns a struct containing a type (:cookies, :params, :request, :model) and
+  #the matching expression (Match#type and Match#match).
+  #
+  #Returns false otherwise.
   def include_user_input? exp
     @has_user_input = false
     process exp
@@ -227,24 +236,24 @@ class Brakeman::BaseCheck < SexpProcessor
 
   #This is used to check for user input being used directly.
   #
-  #Returns false if none is found, otherwise it returns an array
-  #where the first element is the type of user input 
-  #(either :params or :cookies) and the second element is the matching 
-  #expression
+  ##If found, returns a struct containing a type (:cookies, :params, :request) and
+  #the matching expression (Match#type and Match#match).
+  #
+  #Returns false otherwise.
   def has_immediate_user_input? exp
     if exp.nil?
       false
     elsif params? exp
-      return :params, exp
+      return Match.new(:params, exp)
     elsif cookies? exp
-      return :cookies, exp
+      return Match.new(:cookies, exp)
     elsif call? exp
       if params? exp[1]
-        return :params, exp
+        return Match.new(:params, exp)
       elsif cookies? exp[1]
-        return :cookies, exp
+        return Match.new(:cookies, exp)
       elsif request_env? exp[1]
-        return :request, exp
+        return Match.new(:request, exp)
       else
         false
       end
@@ -253,10 +262,8 @@ class Brakeman::BaseCheck < SexpProcessor
       when :string_interp
         exp.each do |e|
           if sexp? e
-            type, match = has_immediate_user_input?(e)
-            if type
-              return type, match
-            end
+            match = has_immediate_user_input?(e)
+            return match if match
           end
         end
         false
@@ -265,10 +272,8 @@ class Brakeman::BaseCheck < SexpProcessor
           if exp[1].node_type == :rlist
             exp[1].each do |e|
               if sexp? e
-                type, match = has_immediate_user_input?(e)
-                if type
-                  return type, match
-                end
+                match = has_immediate_user_input?(e)
+                return match if match
               end
             end
             false

data/lib/brakeman/checks/check_basic_auth.rb

@@ -38,12 +38,6 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
 
     return false if args.nil? or not hash? args
 
-    hash_iterate(args) do |k, v|
-      if symbol? k and k[1] == :password
-        return v
-      end
-    end
-
-    nil
+    hash_access(args, :password)
   end
 end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -83,11 +83,10 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       out = exp[1][3][1]
     end
 
-    type, match = has_immediate_user_input? out
-
-    if type
+    if input = has_immediate_user_input?(out)
       add_result exp
-      case type
+
+      case input.type
       when :params
         message = "Unescaped parameter value"
       when :cookies
@@ -101,8 +100,8 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       warn :template => @current_template, 
         :warning_type => "Cross Site Scripting",
         :message => message,
-        :line => match.line,
-        :code => match,
+        :line => input.match.line,
+        :code => input.match,
         :confidence => CONFIDENCE[:high]
 
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
@@ -161,29 +160,35 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       actually_process_call exp
       message = nil
 
-      if @matched == :model and not tracker.options[:ignore_model_output]
-        message = "Unescaped model attribute" 
-      elsif @matched == :params
-        message = "Unescaped parameter value" 
-      elsif @matched == :cookies
-        message = "Unescaped cookie value" 
-      end
-
-      if message and not duplicate? exp
-        add_result exp
-
-        if exp[1].nil? and @known_dangerous.include? exp[2]
-          confidence = CONFIDENCE[:high]
-        else
-          confidence = CONFIDENCE[:low]
+      if @matched
+        case @matched.type
+        when :model
+          unless tracker.options[:ignore_model_output]
+            message = "Unescaped model attribute"
+          end
+        when :params
+          message = "Unescaped parameter value"
+        when :cookies
+          message = "Unescaped cookie value"
         end
 
-        warn :template => @current_template,
-          :warning_type => "Cross Site Scripting", 
-          :message => message,
-          :line => exp.line,
-          :code => exp,
-          :confidence => confidence
+        if message and not duplicate? exp
+          add_result exp
+
+          if exp[1].nil? and @known_dangerous.include? exp[2]
+            confidence = CONFIDENCE[:high]
+          else
+            confidence = CONFIDENCE[:low]
+          end
+
+          warn :template => @current_template,
+            :warning_type => "Cross Site Scripting", 
+            :message => message,
+            :line => exp.line,
+            :code => exp,
+            :user_input => @matched.match,
+            :confidence => confidence
+        end
       end
 
       @mark = @matched = false
@@ -204,7 +209,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
     #Ignore safe items
     if (target.nil? and (@ignore_methods.include? method or method.to_s =~ IGNORE_LIKE)) or
-      (@matched == :model and IGNORE_MODEL_METHODS.include? method) or
+      (@matched and @matched.type == :model and IGNORE_MODEL_METHODS.include? method) or
       (target == HAML_HELPERS and method == :html_escape) or
       ((target == URI or target == CGI) and method == :escape) or
       (target == XML_HELPER and method == :escape_xml) or
@@ -214,11 +219,11 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       #exp[0] = :ignore #should not be necessary
       @matched = false
     elsif sexp? exp[1] and model_name? exp[1][1]
-      @matched = :model
+      @matched = Match.new(:model, exp)
     elsif cookies? exp
-      @matched = :cookies
+      @matched = Match.new(:cookies, exp)
     elsif @inspect_arguments and params? exp
-      @matched = :params
+      @matched = Match.new(:params, exp)
     elsif @inspect_arguments
       process args
     end
@@ -226,13 +231,13 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
   #Note that params have been found
   def process_params exp
-    @matched = :params
+    @matched = Match.new(:params, exp)
     exp
   end
 
   #Note that cookies have been found
   def process_cookies exp
-    @matched = :cookies
+    @matched = Match.new(:cookies, exp)
     exp
   end
 

data/lib/brakeman/checks/check_evaluation.rb

@@ -20,11 +20,12 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
 
   #Warns if eval includes user input
   def process_result result
-    if include_user_input? result[:call][-1]
+    if input = include_user_input?(result[:call][-1])
       warn :result => result,
         :warning_type => "Dangerous Eval",
         :message => "User input in eval",
         :code => result[:call],
+        :user_input => input.match,
         :confidence => CONFIDENCE[:high]
     end
   end

data/lib/brakeman/checks/check_execute.rb

@@ -54,6 +54,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
         :message => "Possible command injection",
         :line => call.line,
         :code => call,
+        :user_input => failure.match,
         :confidence => confidence
     end
   end
@@ -75,16 +76,19 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
 
     exp = result[:call]
 
-    if include_user_input? exp
+    if input = include_user_input?(exp)
       confidence = CONFIDENCE[:high]
+      user_input = input.match
     else
       confidence = CONFIDENCE[:med]
+      user_input = nil
     end
 
     warning = { :warning_type => "Command Injection",
       :message => "Possible command injection",
       :line => exp.line,
       :code => exp,
+      :user_input => user_input,
       :confidence => confidence }
 
     if result[:location][0] == :template

data/lib/brakeman/checks/check_file_access.rb

@@ -28,13 +28,14 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
 
     file_name = call[3][1]
 
-    if check = include_user_input?(file_name)
+    if input = include_user_input?(file_name)
       unless duplicate? result
         add_result result
 
-        if check == :params
+        case input.type
+        when :params
           message = "Parameter"
-        elsif check == :cookies
+        when :cookies
           message = "Cookie"
         else
           message = "User input"
@@ -47,7 +48,8 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck
           :message => message, 
           :confidence => CONFIDENCE[:high],
           :line => call.line,
-          :code => call
+          :code => call,
+          :user_input => input.match
       end
     end
   end

data/lib/brakeman/checks/check_link_to.rb

@@ -60,10 +60,9 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
 
   def check_argument result, exp
     arg = process exp
-    type, match = has_immediate_user_input? arg
 
-    if type
-      case type
+    if input = has_immediate_user_input?(arg)
+      case input.type
       when :params
         message = "Unescaped parameter value in link_to"
       when :cookies
@@ -76,7 +75,9 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
       warn :result => result,
         :warning_type => "Cross Site Scripting", 
         :message => message,
+        :user_input => input.match,
         :confidence => CONFIDENCE[:high]
+
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
       method = match[2]
 
@@ -92,13 +93,14 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
         warn :result => result,
           :warning_type => "Cross Site Scripting", 
           :message => "Unescaped model attribute in link_to",
+          :user_input => match,
           :confidence => confidence
       end
 
     elsif @matched
-      if @matched == :model and not tracker.options[:ignore_model_output]
+      if @matched.type == :model and not tracker.options[:ignore_model_output]
         message = "Unescaped model attribute in link_to"
-      elsif @matched == :params
+      elsif @matched.type == :params
         message = "Unescaped parameter value in link_to"
       end
 
@@ -108,6 +110,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
         warn :result => result, 
           :warning_type => "Cross Site Scripting", 
           :message => message,
+          :user_input => @matched.match,
           :confidence => CONFIDENCE[:med]
       end
     end