brakeman 1.8.3 → 1.9.0.pre1

data/README.md

@@ -1,6 +1,6 @@
 ![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)
 
-![Travis CI Status](https://secure.travis-ci.org/presidentbeef/brakeman.png) [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/presidentbeef/brakeman)
+[![Travis CI Status](https://secure.travis-ci.org/presidentbeef/brakeman.png)](https://travis-ci.org/presidentbeef/brakeman) [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/presidentbeef/brakeman)
 
 # Brakeman
 
@@ -145,32 +145,8 @@ Brakeman options can stored and read from YAML files. To simplify the process of
 
 Options passed in on the commandline have priority over configuration files.
 
-The default config locations are `./config.yaml`, `~/.brakeman/`, and `/etc/brakeman/config.yaml`
+The default config locations are `./config/brakeman.yml`, `~/.brakeman/config.yml`, and `/etc/brakeman/config.yml`
 
 The `-c` option can be used to specify a configuration file to use.
 
-# License
-
-The MIT License
-
-Copyright (c) 2012, Twitter, Inc.
-
-Copyright (c) 2010-2012, YELLOWPAGES.COM, LLC
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
+# License see MIT-LICENSE

data/lib/brakeman.rb

@@ -16,7 +16,7 @@ module Brakeman
   #Options:
   #
   #  * :app_path - path to root of Rails app (required)
-  #  * :assume_all_routes - assume all methods are routes (default: false)
+  #  * :assume_all_routes - assume all methods are routes (default: true)
   #  * :check_arguments - check arguments of methods (default: true)
   #  * :collapse_mass_assignment - report unprotected models in single warning (default: true)
   #  * :combine_locations - combine warning locations (default: true)
@@ -26,6 +26,7 @@ module Brakeman
   #  * :highlight_user_input - highlight user input in reported warnings (default: true)
   #  * :html_style - path to CSS file
   #  * :ignore_model_output - consider models safe (default: false)
+  #  * :interprocedural - limited interprocedural processing of method calls (default: false)
   #  * :message_limit - limit length of messages
   #  * :min_confidence - minimum confidence (0-2, 0 is highest)
   #  * :output_files - files for output
@@ -40,7 +41,7 @@ module Brakeman
   #  * :skip_libs - do not process lib/ directory (default: false)
   #  * :skip_checks - checks not to run (run all if not specified)
   #  * :relative_path - show relative path of each file(default: false)
-  #  * :summary_only - only output summary section of report 
+  #  * :summary_only - only output summary section of report
   #                    (does not apply to tabs format)
   #
   #Alternatively, just supply a path as a string.
@@ -68,49 +69,48 @@ module Brakeman
     options = get_defaults.merge! options
     options[:output_formats] = get_output_formats options
 
-    app_path = options[:app_path]
-
-    abort("Please supply the path to a Rails application.") unless app_path and File.exist? app_path + "/app"
-
-    if File.exist? app_path + "/script/rails"
-      options[:rails3] = true
-      notify "[Notice] Detected Rails 3 application" unless options[:quiet]
-    end
-
     options
   end
 
-  #Load options from YAML file
-  def self.load_options config_file
-    config_file ||= ""
+  DEPRECATED_CONFIG_FILES = [
+    File.expand_path("./config.yaml"),
+    File.expand_path("~/.brakeman/config.yaml"),
+    File.expand_path("/etc/brakeman/config.yaml"),
+    "#{File.expand_path(File.dirname(__FILE__))}/../lib/config.yaml"
+  ]
 
-    #Load configuration file
-    [File.expand_path(config_file),
-      File.expand_path("./config.yaml"),
-      File.expand_path("~/.brakeman/config.yaml"),
-      File.expand_path("/etc/brakeman/config.yaml"),
-      "#{File.expand_path(File.dirname(__FILE__))}/../lib/config.yaml"].each do |f|
-
-      if File.exist? f and not File.directory? f
-        notify "[Notice] Using configuration in #{f}"
-        options = YAML.load_file f
-        options.each do |k,v|
-          if v.is_a? Array
-            options[k] = Set.new v
-          end
-        end
+  CONFIG_FILES = [
+    File.expand_path("./config/brakeman.yml"),
+    File.expand_path("~/.brakeman/config.yml"),
+    File.expand_path("/etc/brakeman/config.yml"),
+  ]
 
-        return options
-      end
-      end
+  #Load options from YAML file
+  def self.load_options custom_location
+    #Load configuration file
+    if config = config_file(custom_location)
+      notify "[Notice] Using configuration in #{config}"
+      options = YAML.load_file config
+      options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
+      options
+    else
+      {}
+    end
+  end
 
-    return {}
+  def self.config_file(custom_location=nil)
+    DEPRECATED_CONFIG_FILES.each do |f|
+      notify "#{f} is deprecated, please use one of #{CONFIG_FILES.join(", ")}" if File.file?(f)
+    end
+    supported_locations = [File.expand_path(custom_location || "")] + DEPRECATED_CONFIG_FILES + CONFIG_FILES
+    supported_locations.detect{|f| File.file?(f) }
   end
 
   #Default set of options
   def self.get_defaults
-    { :skip_checks => Set.new, 
-      :check_arguments => true, 
+    { :assume_all_routes => true,
+      :skip_checks => Set.new,
+      :check_arguments => true,
       :safe_methods => Set.new,
       :min_confidence => 2,
       :combine_locations => true,
@@ -123,7 +123,7 @@ module Brakeman
       :relative_path => false,
       :quiet => true,
       :report_progress => true,
-      :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css" 
+      :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css"
     }
   end
 
@@ -252,8 +252,6 @@ module Brakeman
     #Start scanning
     scanner = Scanner.new options
 
-    notify "[Notice] Using Ruby #{RUBY_VERSION}. Please make sure this matches the one used to run your Rails application."
-
     notify "Processing application in #{options[:app_path]}"
     tracker = scanner.process
 

data/lib/brakeman/app_tree.rb

@@ -0,0 +1,90 @@
+module Brakeman
+  class AppTree
+    VIEW_EXTENSIONS = %w[html.erb html.haml rhtml js.erb].join(",")
+
+    attr_reader :root
+
+    def self.from_options(options)
+      root = options[:app_path]
+
+      # Convert files into Regexp for matching
+      if options[:skip_files]
+        list = "(?:" << options[:skip_files].map { |f| Regexp.escape f }.join("|") << ")$"
+        new(root, Regexp.new(list))
+      else
+        new(root)
+      end
+    end
+
+    def initialize(root, skip_files = nil)
+      @root = root
+      @skip_files = skip_files
+    end
+
+    def expand_path(path)
+      File.expand_path(path, @root)
+    end
+
+    def read(path)
+      File.read(File.join(@root, path))
+    end
+
+    # This variation requires full paths instead of paths based
+    # off the project root. I'd prefer to get all the code outside
+    # of AppTree using project-root based paths (e.g. app/models/user.rb)
+    # instead of full paths, but I suspect it's an incompatible change.
+    def read_path(path)
+      File.read(path)
+    end
+
+    def exists?(path)
+      File.exists?(File.join(@root, path))
+    end
+
+    # This is a pair for #read_path. Again, would like to kill these
+    def path_exists?(path)
+      File.exists?(path)
+    end
+
+    def initializer_paths
+      @initializer_paths ||= find_paths("config/initializers")
+    end
+
+    def controller_paths
+      @controller_paths ||= find_paths("app/controllers")
+    end
+
+    def model_paths
+      @model_paths ||= find_paths("app/models")
+    end
+
+    def template_paths
+      @template_paths ||= find_paths("app/views", "*.{#{VIEW_EXTENSIONS}}")
+    end
+
+    def layout_exists?(name)
+      pattern = "#{@root}/app/views/layouts/#{name}.html.{erb,haml}"
+      !Dir.glob(pattern).empty?
+    end
+
+    def lib_paths
+      @lib_files ||= find_paths("lib")
+    end
+
+  private
+
+    def find_paths(directory, extensions = "*.rb")
+      pattern = @root + "/#{directory}/**/#{extensions}"
+
+      Dir.glob(pattern).sort.tap do |paths|
+        reject_skipped_files(paths)
+      end
+    end
+
+    def reject_skipped_files(paths)
+      return unless @skip_files
+      paths.reject! { |f| @skip_files.match f }
+    end
+
+  end
+end

data/lib/brakeman/call_index.rb

@@ -7,8 +7,6 @@ class Brakeman::CallIndex
   def initialize calls
     @calls_by_method = Hash.new { |h,k| h[k] = [] }
     @calls_by_target = Hash.new { |h,k| h[k] = [] }
-    @methods = Set.new
-    @targets = Set.new
 
     index_calls calls
   end
@@ -25,7 +23,7 @@ class Brakeman::CallIndex
     target = options[:target] || options[:targets]
     method = options[:method] || options[:methods]
     nested = options[:nested]
-    
+
     if options[:chained]
       return find_chain options
     #Find by narrowest category
@@ -72,16 +70,12 @@ class Brakeman::CallIndex
       calls.delete_if do |call|
         from_template call, template_name
       end
-
-      @methods.delete name.to_s if calls.empty?
     end
 
     @calls_by_target.each do |name, calls|
       calls.delete_if do |call|
         from_template call, template_name
       end
-
-      @targets.delete name.to_s if calls.empty?
     end
   end
 
@@ -90,25 +84,22 @@ class Brakeman::CallIndex
       calls.delete_if do |call|
         call[:location][0] == :class and classes.include? call[:location][1]
       end
-
-      @methods.delete name.to_s if calls.empty?
     end
 
     @calls_by_target.each do |name, calls|
       calls.delete_if do |call|
         call[:location][0] == :class and classes.include? call[:location][1]
       end
-
-      @targets.delete name.to_s if calls.empty?
     end
   end
 
   def index_calls calls
     calls.each do |call|
-      @methods << call[:method].to_s
-      @targets << call[:target].to_s if call[:target].is_a? Symbol
       @calls_by_method[call[:method]] << call
-      @calls_by_target[call[:target]] << call
+
+      unless call[:target].is_a? Sexp
+        @calls_by_target[call[:target]] << call
+      end
     end
   end
 
@@ -128,18 +119,6 @@ class Brakeman::CallIndex
   def calls_by_target target
     if target.is_a? Array
       calls_by_targets target
-    elsif target.is_a? Regexp
-      targets = @targets.select do |t|
-        t.match target
-      end
-
-      if targets.empty?
-        []
-      elsif targets.length > 1
-        calls_by_targets targets
-      else
-        @calls_by_target[targets.first]
-      end
     else
       @calls_by_target[target]
     end
@@ -158,18 +137,6 @@ class Brakeman::CallIndex
   def calls_by_method method
     if method.is_a? Array
       calls_by_methods method
-    elsif method.is_a? Regexp
-      methods = @methods.select do |m|
-        m.match method
-      end
-
-      if methods.empty?
-        []
-      elsif methods.length > 1
-        calls_by_methods methods
-      else
-        @calls_by_method[methods.first.to_sym]
-      end
     else
       @calls_by_method[method.to_sym]
     end

data/lib/brakeman/checks.rb

@@ -75,28 +75,28 @@ class Brakeman::Checks
 
   #Run all the checks on the given Tracker.
   #Returns a new instance of Checks with the results.
-  def self.run_checks tracker
+  def self.run_checks(app_tree, tracker)
     if tracker.options[:parallel_checks]
-      self.run_checks_parallel tracker
+      self.run_checks_parallel(app_tree, tracker)
     else
-      self.run_checks_sequential tracker
+      self.run_checks_sequential(app_tree, tracker)
     end
   end
 
   #Run checks sequentially
-  def self.run_checks_sequential tracker
+  def self.run_checks_sequential(app_tree, tracker)
     check_runner = self.new :min_confidence => tracker.options[:min_confidence]
 
     @checks.each do |c|
       check_name = get_check_name c
 
       #Run or don't run check based on options
-      unless tracker.options[:skip_checks].include? check_name or 
+      unless tracker.options[:skip_checks].include? check_name or
         (tracker.options[:run_checks] and not tracker.options[:run_checks].include? check_name)
 
         Brakeman.notify " - #{check_name}"
 
-        check = c.new(tracker)
+        check = c.new(app_tree, tracker)
 
         begin
           check.run_check
@@ -118,23 +118,23 @@ class Brakeman::Checks
   end
 
   #Run checks in parallel threads
-  def self.run_checks_parallel tracker
+  def self.run_checks_parallel(app_tree, tracker)
     threads = []
     error_mutex = Mutex.new
-    
+
     check_runner = self.new :min_confidence => tracker.options[:min_confidence]
 
     @checks.each do |c|
       check_name = get_check_name c
 
       #Run or don't run check based on options
-      unless tracker.options[:skip_checks].include? check_name or 
+      unless tracker.options[:skip_checks].include? check_name or
         (tracker.options[:run_checks] and not tracker.options[:run_checks].include? check_name)
 
         Brakeman.notify " - #{check_name}"
 
         threads << Thread.new do
-          check = c.new(tracker)
+          check = c.new(app_tree, tracker)
 
           begin
             check.run_check
@@ -175,6 +175,6 @@ class Brakeman::Checks
 end
 
 #Load all files in checks/ directory
-Dir.glob("#{File.expand_path(File.dirname(__FILE__))}/checks/*.rb").sort.each do |f| 
+Dir.glob("#{File.expand_path(File.dirname(__FILE__))}/checks/*.rb").sort.each do |f|
   require f.match(/(brakeman\/checks\/.*)\.rb$/)[0]
 end

data/lib/brakeman/checks/base_check.rb

@@ -14,8 +14,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   Match = Struct.new(:type, :match)
 
   #Initialize Check with Checks.
-  def initialize tracker
+  def initialize(app_tree, tracker)
     super()
+    @app_tree = app_tree
     @results = [] #only to check for duplicates
     @warnings = []
     @tracker = tracker
@@ -60,7 +61,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   #Process calls and check if they include user input
   def process_call exp
     process exp.target if sexp? exp.target
-    process_all exp.args
+    process_call_args exp
 
     target = exp.target
 
@@ -71,7 +72,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
         @has_user_input = Match.new(:cookies, exp)
       elsif request_env? target
         @has_user_input = Match.new(:request, exp)
-      elsif sexp? target and model_name? target[1]
+      elsif sexp? target and model_name? target[1] #TODO: Can this be target.target?
         @has_user_input = Match.new(:model, exp)
       end
     end
@@ -103,15 +104,21 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     exp
   end
 
+  #Does not actually process string interpolation, but notes that it occurred.
+  def process_string_interp exp
+    @string_interp = Match.new(:interp, exp)
+    process_default exp
+  end
+
   private
 
-  #Report a warning 
+  #Report a warning
   def warn options
     warning = Brakeman::Warning.new(options.merge({ :check => self.class.to_s }))
     warning.file = file_for warning
 
-    @warnings << warning 
-  end 
+    @warnings << warning
+  end
 
   #Run _exp_ through OutputProcessor to get a nice String.
   def format_output exp
@@ -137,7 +144,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
   # go up the chain of parent classes to see if any have attr_accessible
   def parent_classes_protected? model
-    if model[:attr_accessible]
+    if model[:attr_accessible] or model[:includes].include? :"ActiveModel::ForbiddenAttributesProtection"
       true
     elsif parent = tracker.models[model[:parent]]
       parent_classes_protected? parent
@@ -149,24 +156,31 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   #Checks if mass assignment is disabled globally in an initializer.
   def mass_assign_disabled?
     return @mass_assign_disabled unless @mass_assign_disabled.nil?
-        
+
     @mass_assign_disabled = false
 
-    if version_between?("3.1.0", "4.0.0") and 
+    if version_between?("3.1.0", "3.9.9") and
       tracker.config[:rails] and
-      tracker.config[:rails][:active_record] and 
+      tracker.config[:rails][:active_record] and
       tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)
 
+      @mass_assign_disabled = true
+    elsif version_between?("4.0.0", "4.9.9")
+      #May need to revisit dependng on what Rails 4 actually does/has
       @mass_assign_disabled = true
     else
       matches = tracker.check_initializers(:"ActiveRecord::Base", :send)
 
       if matches.empty?
+        #Check for
+        #  class ActiveRecord::Base
+        #    attr_accessible nil
+        #  end
         matches = tracker.check_initializers([], :attr_accessible)
 
         matches.each do |result|
-          if result[1] == :ActiveRecord and result[2] == :Base
-            arg = result[-1][3][1]
+          if result.module == "ActiveRecord" and result.result_class == :Base
+            arg = result.call.first_arg
 
             if arg.nil? or node_type? arg, :nil
               @mass_assign_disabled = true
@@ -175,10 +189,31 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
           end
         end
       else
+        #Check for ActiveRecord::Base.send(:attr_accessible, nil)
         matches.each do |result|
-          if result[-1][3] == Sexp.new(:arglist, Sexp.new(:lit, :attr_accessible), Sexp.new(:nil))
+          call = result.call
+          if call? call
+            if call.first_arg == Sexp.new(:lit, :attr_accessible) and call.second_arg == Sexp.new(:nil)
+              @mass_assign_disabled = true
+              break
+            end
+          end
+        end
+      end
+    end
+
+    #There is a chance someone is using Rails 3.x and the `strong_parameters`
+    #gem and still using hack above, so this is a separate check for
+    #including ActiveModel::ForbiddenAttributesProtection in
+    #ActiveRecord::Base in an initializer.
+    if not @mass_assign_disabled and version_between?("3.1.0", "3.9.9") and tracker.config[:gems][:strong_parameters]
+      matches = tracker.check_initializers([], :include)
+
+      matches.each do |result|
+        call = result.call
+        if call? call
+          if call.first_arg == Sexp.new(:colon2, Sexp.new(:const, :ActiveModel), :ForbiddenAttributesProtection)
             @mass_assign_disabled = true
-            break
           end
         end
       end
@@ -216,17 +251,6 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     false
   end
 
-  #Ignores ignores
-  def process_ignore exp
-    exp
-  end
-
-  #Does not actually process string interpolation, but notes that it occurred.
-  def process_string_interp exp
-    @string_interp = Match.new(:interp, exp)
-    exp
-  end
-
   #Checks if an expression contains string interpolation.
   #
   #Returns Match with :interp type if found.
@@ -364,7 +388,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
   #Checks if +exp+ is a model name.
   #
-  #Prior to using this method, either @tracker must be set to 
+  #Prior to using this method, either @tracker must be set to
   #the current tracker, or else @models should contain an array of the model
   #names, which is available via tracker.models.keys
   def model_name? exp
@@ -387,14 +411,14 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
 
   #Finds entire method call chain where +target+ is a target in the chain
   def find_chain exp, target
-    return unless sexp? exp 
+    return unless sexp? exp
 
     case exp.node_type
     when :output, :format
       find_chain exp.value, target
     when :call
       if exp == target or include_target? exp, target
-        return exp 
+        return exp
       end
     else
       exp.each do |e|
@@ -448,7 +472,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   end
 
   def gemfile_or_environment
-    if File.exist? File.expand_path "#{tracker.options[:app_path]}/Gemfile"
+    if @app_tree.exists?("Gemfile")
       "Gemfile"
     else
       "config/environment.rb"