gitrob 0.0.1

data/lib/gitrob/progressbar.rb

@@ -0,0 +1,52 @@
+# coding: utf-8
+
+module Gitrob
+  class ProgressBar
+    TITLE_MAX_LENGTH = 25
+
+    def initialize(message, options)
+      @options = {
+        :format         => " #{Paint['[*]', :bright, :blue]} %c/%C %B %j% %e",
+        :progress_mark  => Paint['▓', :bright, :blue],
+        :remainder_mark => '░',
+      }.merge(options)
+      Gitrob::status(message)
+      @mutex = Mutex.new
+      @progress_bar = ::ProgressBar::Base.new(@options)
+    end
+
+    def finish!
+      @mutex.synchronize { @progress_bar.finish }
+    end
+
+    def log(message)
+      @mutex.synchronize do
+        @progress_bar.log(" #{Paint['[>]', :bright, :blue]} #{message}")
+      end
+    end
+
+    def log_error(message)
+      @mutex.synchronize do
+        @progress_bar.log(" #{Paint['[!]', :bright, :red]} #{message}")
+      end
+    end
+
+    def method_missing(method, *args, &block)
+      if @progress_bar.respond_to?(method)
+        @mutex.synchronize { @progress_bar.send(method, *args, &block) }
+      else
+        super
+      end
+    end
+
+  private
+
+    def make_title(t)
+      t = t.to_s
+      if t.size > TITLE_MAX_LENGTH
+        t = "#{t[0, (TITLE_MAX_LENGTH-3)]}..."
+      end
+      " #{Paint['[>]', :bright, :blue]} #{Paint[t.rjust(TITLE_MAX_LENGTH), :bright, :blue]}"
+    end
+  end
+end

data/lib/gitrob/util.rb

@@ -0,0 +1,11 @@
+module Gitrob
+  module Util
+    def self.pluralize(count, singular, plural)
+      if count.to_i == 1
+        "#{count} #{singular}"
+      else
+        "#{count} #{plural}"
+      end
+    end
+  end
+end

data/lib/gitrob/version.rb

@@ -0,0 +1,3 @@
+module Gitrob
+  VERSION = "0.0.1"
+end

data/lib/gitrob/webapp.rb

@@ -0,0 +1,76 @@
+module Gitrob
+  class WebApp < Sinatra::Base
+    set :logging, false
+    set :sessions, false
+    set :app_file, __FILE__
+    set :root, File.expand_path("#{File.dirname(__FILE__)}/../../")
+    set :public_folder, Proc.new { File.join(root, "public") }
+    set :views, Proc.new { File.join(root, "views") }
+    set :run, Proc.new { false }
+
+    helpers do
+      HUMAN_PREFIXES = %W(TB GB MB KB B).freeze
+
+      alias_method :h, :escape_html
+
+      def number_to_human_size(number)
+        s = number.to_f
+        i = HUMAN_PREFIXES.length - 1
+        while s > 512 && i > 0
+          i -= 1
+          s /= 1024
+        end
+        ((s > 9 || s.modulo(1) < 0.1 ? '%d' : '%.1f') % s) + ' ' + HUMAN_PREFIXES[i]
+      end
+
+      def format_path(path)
+        dirname  = File.dirname(path)
+        basename = File.basename(path)
+        if dirname == '.'
+          "<strong>#{h basename}</strong>"
+        else
+          "#{h dirname}/<strong>#{h basename}</strong>"
+        end
+      end
+    end
+
+    before do
+      response.headers['Content-Security-Policy'] = "default-src *; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'"
+      response.headers['X-Content-Security-Policy'] = "default-src *; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'"
+      response.headers['X-WebKit-CSP'] = "default-src *; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'"
+    end
+
+    get '/' do
+      @orgs = Gitrob::Organization.all(:order => [:created_at.desc])
+      erb :index
+    end
+
+    get '/orgs/:id' do
+      @org = Gitrob::Organization.get(params['id'])
+      @blobs_with_findings = @org.blobs.all(:findings_count.gt => 0)
+      @repos = @org.repos.all(:order => [:owner_name, :name])
+      erb :organization
+    end
+
+    get '/repos/:id' do
+      @repo = Gitrob::Repo.get(params['id'])
+      erb :repository
+    end
+
+    get '/ajax/users/:username' do
+      if params['type'] == 'org'
+        @user  = Gitrob::Organization.first(:name => params['username'])
+        @repos = @user.repos.all(:user => nil)
+      else
+        @user  = Gitrob::User.first(:username => params['username'])
+        @repos = @user.repos.all
+      end
+      erb :user, :layout => false
+    end
+
+    get '/ajax/blobs/:id' do
+      @blob = Gitrob::Blob.get(params['id'])
+      erb :blob, :layout => false
+    end
+  end
+end

data/models/blob.rb

@@ -0,0 +1,35 @@
+module Gitrob
+  class Blob
+    include DataMapper::Resource
+
+    property :id,             Serial
+    property :path,           String,  :length => 1024, :index => true
+    property :filename,       String,  :length => 255,  :index => true
+    property :extension,      String,  :length => 255,  :index => true
+    property :size,           Integer, :index => true
+    property :findings_count, Integer, :index => true,  :default => 0
+    property :created_at,     DateTime
+
+    has n, :findings, :constraint => :destroy
+    belongs_to :repo
+    belongs_to :organization
+
+    def url
+      "https://github.com/#{URI.escape(owner_name)}/#{URI.escape(repo.name)}/blob/master/#{URI.escape(path)}"
+    end
+
+    def owner_name
+      repo.user.nil? ? repo.organization.login : repo.user.username
+    end
+
+    def content
+      @content ||= fetch_content
+    end
+
+  private
+
+    def fetch_content
+      HTTParty.get("https://raw.githubusercontent.com/#{URI.escape(owner_name)}/#{URI.escape(repo.name)}/master/#{URI.escape(path)}").body
+    end
+  end
+end

data/models/finding.rb

@@ -0,0 +1,14 @@
+module Gitrob
+  class Finding
+    include DataMapper::Resource
+
+    property :id,          Serial
+    property :caption,     String, :length => 255
+    property :description, Text
+
+    belongs_to :blob
+    belongs_to :repo
+    belongs_to :user,         :required => false
+    belongs_to :organization
+  end
+end

data/models/organization.rb

@@ -0,0 +1,32 @@
+module Gitrob
+  class Organization
+    include DataMapper::Resource
+
+    property :id,         Serial
+    property :name,       String, :length => 255, :index => true
+    property :login,      String, :length => 255, :index => true
+    property :website,    String, :length => 255
+    property :location,   String, :length => 255
+    property :email,      String, :length => 255
+    property :avatar_url, String, :length => 255
+    property :url,        String, :length => 255
+    property :created_at, DateTime
+
+    has n, :repos,        :constraint => :destroy
+    has n, :users,        :constraint => :destroy
+    has n, :blobs,        :constraint => :destroy
+    has n, :findings,     :constraint => :destroy
+
+    def username
+      @login
+    end
+
+    def bio
+      nil
+    end
+
+    def name
+      @name.to_s.empty? ? @login : @name
+    end
+  end
+end

data/models/repo.rb

@@ -0,0 +1,22 @@
+module Gitrob
+  class Repo
+    include DataMapper::Resource
+
+    property :id, Serial
+    property :name, String,        :index => true, :length => 255
+    property :owner_name, String,  :index => true
+    property :description, String, :length => 1024
+    property :website, String,     :length => 255
+    property :url, String,         :length => 255
+    property :created_at, DateTime
+
+    has n, :blobs,            :constraint => :destroy
+    has n, :findings,         :constraint => :destroy
+    belongs_to :user,         :required => false
+    belongs_to :organization
+
+    def full_name
+      [owner_name, name].join('/')
+    end
+  end
+end

data/models/user.rb

@@ -0,0 +1,28 @@
+module Gitrob
+  class User
+    include DataMapper::Resource
+
+    property :id,         Serial
+    property :username,   String, :index => true
+    property :name,       String, :index => true, :length => 255
+    property :website,    String, :length => 255
+    property :location,   String, :length => 512
+    property :email,      String, :length => 255
+    property :avatar_url, String, :length => 255
+    property :url,        String, :length => 255
+    property :bio,        String, :length => 1024
+    property :created_at, DateTime
+
+    has n, :repos,            :constraint => :destroy
+    has n, :blobs,            :constraint => :destroy, :through => :repos
+    has n, :findings,         :constraint => :destroy
+    belongs_to :organization, :required => false
+
+    def name
+      if @name.empty?
+        return @username
+      end
+      super
+    end
+  end
+end

data/patterns.json

@@ -0,0 +1,303 @@
+[
+    {
+        "part": "filename",
+        "type": "match",
+        "pattern": "id_rsa",
+        "caption": "Private SSH key",
+        "description": null
+    },
+    {
+        "part": "filename",
+        "type": "match",
+        "pattern": "id_ed25519",
+        "caption": "Private SSH key",
+        "description": null
+    },
+    {
+        "part": "filename",
+        "type": "match",
+        "pattern": "id_ecdsa",
+        "caption": "Private SSH key",
+        "description": null
+    },
+    {
+        "part": "extension",
+        "type": "match",
+        "pattern": "pem",
+        "caption": "Potential cryptographic private key",
+        "description": null
+    },
+    {
+        "part": "extension",
+        "type": "match",
+        "pattern": "key",
+        "caption": "Potential cryptographic private key",
+        "description": null
+    },
+    {
+        "part": "extension",
+        "type": "match",
+        "pattern": "pkcs12",
+        "caption": "Potential cryptographic key bundle",
+        "description": null
+    },
+    {
+        "part": "extension",
+        "type": "match",
+        "pattern": "pfx",
+        "caption": "Potential cryptographic key bundle",
+        "description": null
+    },
+    {
+        "part": "extension",
+        "type": "match",
+        "pattern": "p12",
+        "caption": "Potential cryptographic key bundle",
+        "description": null
+    },
+    {
+        "part": "extension",
+        "type": "match",
+        "pattern": "asc",
+        "caption": "Potential cryptographic key bundle",
+        "description": null
+    },
+    {
+        "part": "filename",
+        "type": "match",
+        "pattern": "otr.private_key",
+        "caption": "Pidgin OTR private key",
+        "description": null
+    },
+    {
+        "part": "filename",
+        "type": "regex",
+        "pattern": "\\A\\.?(bash_|zsh_|z)?history\\z",
+        "caption": "Shell command history file",
+        "description": null
+    },
+    {
+        "part": "filename",
+        "type": "regex",
+        "pattern": "\\A\\.?mysql_history\\z",
+        "caption": "MySQL client command history file",
+        "description": null
+    },
+    {
+        "part": "filename",
+        "type": "regex",
+        "pattern": "\\A\\.?psql_history\\z",
+        "caption": "PostgreSQL client command history file",
+        "description": null
+    },
+    {
+        "part": "filename",
+        "type": "regex",
+        "pattern": "\\A\\.?irb_history\\z",
+        "caption": "Ruby IRB console history file",
+        "description": null
+    },
+    {
+        "part": "path",
+        "type": "regex",
+        "pattern": "\\.?purple\\/accounts\\.xml\\z",
+        "caption": "Pidgin chat client account configuration file",
+        "description": null
+    },
+    {
+        "part": "path",
+        "type": "regex",
+        "pattern": "\\.?xchat2?\\/servlist_?\\.conf\\z",
+        "caption": "Hexchat/XChat IRC client server list configuration file",
+        "description": null
+    },
+    {
+        "part": "path",
+        "type": "regex",
+        "pattern": "\\.?irrsi\\/config\\z",
+        "caption": "Irrsi IRC client configuration file",
+        "description": null
+    },
+    {
+        "part": "path",
+        "type": "regex",
+        "pattern": "\\.?recon-ng\\/keys\\.db\\z",
+        "caption": "Recon-ng web reconnaissance framework API key database",
+        "description": null
+    },
+    {
+        "part": "filename",
+        "type": "regex",
+        "pattern": "\\A\\.?dbeaver-data-sources.xml\\z",
+        "caption": "DBeaver SQL database manager configuration file",
+        "description": null
+    },
+    {
+        "part": "filename",
+        "type": "regex",
+        "pattern": "\\A\\.?muttrc\\z",
+        "caption": "Mutt e-mail client configuration file",
+        "description": null
+    },
+    {
+        "part": "filename",
+        "type": "regex",
+        "pattern": "\\A\\.?s3cfg\\z",
+        "caption": "S3cmd configuration file",
+        "description": null
+    },
+    {
+        "part": "filename",
+        "type": "regex",
+        "pattern": "\\A\\.?trc\\z",
+        "caption": "T command-line Twitter client configuration file",
+        "description": null
+    },
+    {
+        "part": "extension",
+        "type": "match",
+        "pattern": "ovpn",
+        "caption": "OpenVPN client configuration file",
+        "description": null
+    },
+    {
+        "part": "filename",
+        "type": "regex",
+        "pattern": "\\A\\.?gitrobrc\\z",
+        "caption": "Well, this is awkward... Gitrob configuration file",
+        "description": null
+    },
+    {
+        "part": "filename",
+        "type": "regex",
+        "pattern": "\\A\\.?(bash|zsh)rc\\z",
+        "caption": "Shell configuration file",
+        "description": "Shell configuration files might contain information such as server hostnames, passwords and API keys."
+    },
+    {
+        "part": "filename",
+        "type": "regex",
+        "pattern": "\\A\\.?(bash_|zsh_)?profile\\z",
+        "caption": "Shell profile configuration file",
+        "description": "Shell configuration files might contain information such as server hostnames, passwords and API keys."
+    },
+    {
+        "part": "filename",
+        "type": "regex",
+        "pattern": "\\A\\.?(bash_|zsh_)?aliases\\z",
+        "caption": "Shell command alias configuration file",
+        "description": "Shell configuration files might contain information such as server hostnames, passwords and API keys."
+    },
+    {
+        "part": "filename",
+        "type": "match",
+        "pattern": "secret_token.rb",
+        "caption": "Ruby On Rails secret token configuration file",
+        "description": "If the Rails secret token is known, it can allow for remote code execution. (http://www.exploit-db.com/exploits/27527/)"
+    },
+    {
+        "part": "filename",
+        "type": "match",
+        "pattern": "omniauth.rb",
+        "caption": "OmniAuth configuration file",
+        "description": "The OmniAuth configuration file might contain client application secrets."
+    },
+    {
+        "part": "filename",
+        "type": "match",
+        "pattern": "carrierwave.rb",
+        "caption": "Carrierwave configuration file",
+        "description": "Can contain credentials for online storage systems such as Amazon S3 and Google Storage."
+    },
+    {
+        "part": "filename",
+        "type": "match",
+        "pattern": "schema.rb",
+        "caption": "Ruby On Rails database schema file",
+        "description": "Contains information on the database schema of a Ruby On Rails application."
+    },
+    {
+        "part": "filename",
+        "type": "match",
+        "pattern": "database.yml",
+        "caption": "Potential Ruby On Rails database configuration file",
+        "description": "Might contain database credentials."
+    },
+    {
+        "part": "extension",
+        "type": "match",
+        "pattern": "kdb",
+        "caption": "KeePass password manager database file",
+        "description": null
+    },
+    {
+        "part": "extension",
+        "type": "match",
+        "pattern": "agilekeychain",
+        "caption": "1Password password manager database file",
+        "description": null
+    },
+    {
+        "part": "extension",
+        "type": "match",
+        "pattern": "keychain",
+        "caption": "Apple Keychain database file",
+        "description": null
+    },
+    {
+        "part": "extension",
+        "type": "regex",
+        "pattern": "\\Akey(store|ring)\\z",
+        "caption": "GNOME Keyring database file",
+        "description": null
+    },
+    {
+        "part": "extension",
+        "type": "match",
+        "pattern": "log",
+        "caption": "Log file",
+        "description": "Log files might contain information such as references to secret HTTP endpoints, session IDs, user information, passwords and API keys."
+    },
+    {
+        "part": "extension",
+        "type": "match",
+        "pattern": "pcap",
+        "caption": "Network traffic capture file",
+        "description": null
+    },
+    {
+        "part": "extension",
+        "type": "regex",
+        "pattern": "\\Asql(dump)?\\z",
+        "caption": "SQL dump file",
+        "description": null
+    },
+    {
+        "part": "extension",
+        "type": "match",
+        "pattern": "gnucash",
+        "caption": "GnuCash database file",
+        "description": null
+    },
+    {
+        "part": "filename",
+        "type": "regex",
+        "pattern": "backup",
+        "caption": "Contains word: backup",
+        "description": null
+    },
+    {
+        "part": "filename",
+        "type": "regex",
+        "pattern": "dump",
+        "caption": "Contains word: dump",
+        "description": null
+    },
+    {
+        "part": "filename",
+        "type": "regex",
+        "pattern": "password",
+        "caption": "Contains word: password",
+        "description": null
+    }
+]