lint_fu 0.5.0

data/lib/lint_fu/rails/model_application.rb

@@ -0,0 +1,16 @@
+module LintFu
+  module Rails
+    class ModelApplication
+      include LintFu::ModelElement
+      include LintFu::SuperModel
+
+      def controllers
+        submodels.select { |m| m.kind_of?(LintFu::ActionPack::ModelController) }
+      end
+
+      def models
+        submodels.select { |m| m.kind_of?(LintFu::ActiveRecord::ModelModel) }
+      end
+    end
+  end
+end

data/lib/lint_fu/rails/model_application_builder.rb

@@ -0,0 +1,32 @@
+module LintFu
+  module Rails
+    class ModelApplicationBuilder < ModelElementBuilder
+      def initialize(fs_root)
+        super()
+        
+        application = ModelApplication.new(fs_root)
+
+        models_dir = File.join(fs_root, 'app', 'models')
+        builder = ActiveRecord::ModelModelBuilder.new
+        #TODO ensure the Rails app is using ActiveRecord
+        Dir.glob(File.join(models_dir, '**', '*.rb')).each do |f|
+          sexp = Parser.parse_ruby(f)
+          builder.process(sexp)
+        end
+        builder.model_elements.each { |elem| application.add_submodel(elem) }
+
+        controllers_dir = File.join(fs_root, 'app', 'controllers')
+        builder = ActionPack::ModelControllerBuilder.new
+        Dir.glob(File.join(controllers_dir, '**', '*.rb')).each do |f|
+          contents = File.read(f)
+          sexp = RubyParser.new.parse(contents)
+          sexp.file = f
+          builder.process(sexp)
+        end
+        builder.model_elements.each { |elem| application.add_submodel(elem) }
+
+        self.model_elements << application        
+      end
+    end
+  end
+end

data/lib/lint_fu/rails/scan_builder.rb

@@ -0,0 +1,43 @@
+module LintFu
+  module Rails
+    class ScanBuilder
+      attr_reader :fs_root
+
+      def initialize(fs_root)
+        @fs_root = fs_root
+      end
+
+      def scan(context)
+        scan    = LintFu::Scan.new(@fs_root)
+
+        models_dir      = File.join(@fs_root, 'app', 'models')
+        controllers_dir = File.join(@fs_root, 'app', 'controllers')
+        views_dir       = File.join(@fs_root, 'app', 'views')
+
+        #Scan controllers
+        Dir.glob(File.join(controllers_dir, '**', '*.rb')).each do |filename|
+          contents = File.read(filename)
+          parser = RubyParser.new
+          sexp = parser.parse(contents, filename)
+          visitor = LintFu::Visitor.new
+          visitor.observers << BuggyEagerLoadChecker.new(scan, context, filename)
+          visitor.observers << SqlInjectionChecker.new(scan, context, filename)
+          visitor.observers << UnsafeFindChecker.new(scan, context, filename)
+          visitor.process(sexp)
+        end
+
+        #Scan models
+        Dir.glob(File.join(models_dir, '**', '*.rb')).each do |filename|
+          contents = File.read(filename)
+          parser = RubyParser.new
+          sexp = parser.parse(contents, filename)
+          visitor = LintFu::Visitor.new
+          visitor.observers << SqlInjectionChecker.new(scan, context, filename, 0.2)
+          visitor.process(sexp)          
+        end
+
+        return scan
+      end
+    end
+  end
+end

data/lib/lint_fu/rails/sql_injection_checker.rb

@@ -0,0 +1,133 @@
+module LintFu
+  module Rails
+    class SqlInjection < Issue
+      def initialize(scan, file, sexp, subject, confidence=1.0)
+        super(scan, file, sexp, confidence)
+        @subject = subject
+      end
+
+      def brief
+        "SQL Injection"
+      end
+
+      def detail
+        return "Could a bad guy insert SQL fragments into <code>#{@subject}</code>?"
+      end
+
+      def reference_info
+        return <<EOF
+h4. What is it?
+
+A SQL injection vulnerability happens when input from an untrusted source is passed to ActiveRecord in a way that causes it to be interpreted as SQL. If users can inject SQL, they own your database, game over.
+
+"Untrusted source" is usually the network but it could be a file on disk, or even a column in the database.
+
+h4. When does it happen?
+
+The most common source of SQL injection is request parameters that are used without properly escaping them.
+
+bc. Account.first(:conditions=>"name like '\#{params[:name]}'")
+User.all(:order=>params[:order_by])
+
+h4. How do I fix it?
+
+Instead of using query parameters directly, make a habit of _always_ using query parameter replacement:
+
+bc. Account.first(:conditions=>[ 'name like ?', params[:name] ])
+
+If you cannot use parameter replacement, escape the string manually using @ActiveRecord::Base#sanitize@.
+
+bc. User.all(:order=>ActiveRecord::Base.sanitize(params[:order_by]))
+EOF
+      end
+    end
+
+    # Visit a Rails controller looking for ActiveRecord queries that contain interpolated
+    # strings. 
+    class SqlInjectionChecker < Checker
+      FINDER_REGEXP = /^(find|first|all)(_or_initialize)?(_by_.*_id)?/
+      SINK_OPTIONS  = Set.new([:conditions, :select, :order, :group, :from, :include, :join])
+      
+      def initialize(scan, context, filename, base_confidence=1.0)
+        super(scan, context, filename)
+        @class_definition_scope = []
+        @base_confidence = base_confidence
+      end
+
+      def observe_class_begin(sexp)
+        @class_definition_scope.push sexp
+      end
+
+      def observe_class_end(sexp)
+        @class_definition_scope.pop
+      end
+
+      def observe_defn_begin(sexp)
+        
+        @in_method = true
+      end
+
+      def observe_defn_end(sexp)
+        @in_method = false
+      end
+
+      def observe_call(sexp)
+        return if @class_definition_scope.empty? || !@in_method
+
+        call    = sexp[2].to_s
+        arglist = sexp[3]
+
+        tp = tainted_params(arglist)
+        if finder?(call) && !tp.empty?
+          scan.issues << SqlInjection.new(scan, self.file, sexp, tp[0].to_ruby_string, @base_confidence)
+        end
+      end
+
+      private
+
+      def finder?(call)
+        # We consider a method call to be a finder if it looks like an AR finder,
+        # if it matches the name of ANY named scope, or it matches the name of
+        # ANY association. This may create a false positive now and again, but
+        # it's better than trying to puzzle out which class/association is being
+        # called (until we have type inference and other cool stuff).
+        ( call =~ FINDER_REGEXP ||
+          self.context.models.detect { |m| m.named_scopes.has_key?(call) } ||
+          self.context.models.detect { |m| m.associations.has_key?(call) })
+      end
+
+      def tainted_params(arglist)
+        tainted_params = []
+
+        #Find potentially-tainted members of the arglist's options hash(es)
+        hash_params = arglist.find_all_recursively { |se| (Sexp === se) && (se[0] == :hash) }
+        hash_params ||= []
+        
+        hash_params.each do |hash|
+          hash = hash.clone
+          hash.shift #get rid of the leading :hash marker
+
+          #Iterate through the hash sexp, searching for keys whose values are known
+          #to be vulnerable to taint.
+          (0...hash.size).each do |n|
+            next if n.odd?
+            tainted_params << hash[n+1] if (hash[n][0] == :lit) && SINK_OPTIONS.include?(hash[n][1])
+          end
+        end
+
+        #Find only those params whose values actually seem to be tainted
+        #A param is tainted if it contains a dstr, unless it's an Array
+        #in which case it's only tainted if its 0th member is a dstr.
+        tainted_params = tainted_params.select do |value|
+          next false unless (Sexp === value)
+          is_array        = (value[0] == :array )
+          first_elem_dstr = (is_array && value[1] && value[1][0] == :dstr)
+          has_dstr        = value.find_recursively { |se| se[0] == :dstr }
+          next (!is_array || first_elem_dstr) && has_dstr
+        end
+
+        return tainted_params
+      end      
+    end
+  end
+end

data/lib/lint_fu/rails/unsafe_find_checker.rb

@@ -0,0 +1,122 @@
+module LintFu
+  module Rails
+    class UnsafeFind < Issue
+      def initialize(scan, file, sexp, subject)
+        super(scan, file, sexp)
+        @subject = subject
+      end
+
+
+      def detail
+        return "Could a bad guy manipulate <code>#{@subject}</code> and get/change stuff he shouldn't?"
+      end
+      
+      def reference_info
+        return <<EOF
+h4. What is it?
+
+An unsafe find is an ActiveRecord query that is performed without checking whether the logged-in user is authorized to view or manipulate the resulting models.
+
+h4. When does it happen?
+
+Some trivial examples:
+
+bc. BankAccount.first(params[:id]).destroy
+Account.all(:conditions=>{:nickname=>params[:nickname]})
+
+In reality, it is often hard to determine whether a find is safe. Authorization can happen in many ways and the "right" way to do it depends on the application requirements.
+
+Here are some things to consider when evaluating whether a find is safe:
+
+* Is authorization checked beforehand or afterward, e.g. by checking ownership of the model?
+* Do the query's conditions scope it in some way to the current user or account?
+* How will the results be used? What information is displayed in the view?
+* Are the results scoped afterward, e.g. by calling @select@ on the result set?
+
+h4. How do I fix it?
+
+Use named scopes to scope your queries instead of calling the class-level finders:
+
+bc. current_user.bank_accounts.first(params[:id])
+
+If a named scope is not convenient, include conditions that scope the query:
+
+bc. BankAccount.find(:conditions=>{:owner_id=>current_user})
+
+If your authorization rules are so complex that neither of those approaches work, always make sure to perform authorization yourself:
+
+bc. #My bank allows customers to access ANY account on their birthday
+@bank_account = BankAccount.first(params[:id])
+raise ActiveRecord::RecordNotFound unless current_user.born_on = Date.today
+EOF
+      end
+    end
+    
+    # Visit a Rails controller looking for ActiveRecord finders being called in a way that
+    # might allow an attacker to perform unauthorized operations on resources, e.g. creating,
+    # updating or deleting someone else's records.
+    class UnsafeFindChecker < Checker
+      FINDER_REGEXP  = /^(find|first|all)(_or_initialize)?(_by_.*_id)?/
+
+      #sexp:: s(:class, <class_name>, <superclass>, s(:scope, <class_definition>))
+      def observe_class_begin(sexp)
+        #TODO get rid of RightScale-specific assumption
+        @in_admin_controller = !!(sexp[1].to_ruby_string =~ /^Admin/)
+      end
+
+      #sexp:: s(:class, <class_name>, <superclass>, s(:scope, <class_definition>))
+      def observe_class_end(sexp)
+        @in_admin_controller = false
+      end
+
+      #sexp:: s(:call, <target>, <method_name>, s(:arglist))
+      def observe_call(sexp)
+        check_suspicious_finder(sexp)
+      end
+
+      protected
+
+      def check_suspicious_finder(sexp)
+        return if @in_admin_controller
+
+        #sexp:: :call, <target>, <method_name>, <argslist...>
+        if (sexp[1] != nil) && (sexp[1][0] == :const || sexp[1][0] == :colon2)
+          name = sexp[1].to_ruby_string
+          type = self.context.models.detect { |m| m.modeled_class_name == name }
+          call   = sexp[2].to_s
+          params = sexp[3]
+          if finder?(type, call) && !params.constant? && !sexp_contains_scope?(params)
+            scan.issues << UnsafeFind.new(scan, self.file, sexp, params.to_ruby_string)
+          end
+        end        
+      end
+
+      def finder?(type, call)
+        type.kind_of?(LintFu::ActiveRecord::ModelModel) &&
+                     ( call =~ FINDER_REGEXP || type.associations.has_key?(call) )
+      end
+
+      def sexp_contains_scope?(sexp)
+        return false if !sexp.kind_of?(Sexp) || sexp.empty?
+        
+        sexp_type = sexp[0]
+
+        #If calling a method -- check to see if we're accessing a current_* method
+        if (sexp_type == :call) && (sexp[1] == nil)
+          #TODO get rid of RightScale-specific assumptions
+          return true if (sexp[2] == :current_user)
+          return true if (sexp[2] == :current_account)
+        end
+
+        #Generic case: check all subexpressions of the sexp
+        sexp.each do |subexp|
+          if subexp.kind_of?(Sexp)
+            return true if sexp_contains_scope?(subexp)            
+          end
+        end
+
+        return false
+      end
+    end
+  end
+end

data/lib/lint_fu/rails.rb

@@ -0,0 +1,6 @@
+require 'lint_fu/rails/model_application'
+require 'lint_fu/rails/model_application_builder'
+require 'lint_fu/rails/buggy_eager_load_checker'
+require 'lint_fu/rails/sql_injection_checker'
+require 'lint_fu/rails/unsafe_find_checker'
+require 'lint_fu/rails/scan_builder'

data/lib/lint_fu/report.rb

@@ -0,0 +1,239 @@
+
+module LintFu
+  class Report
+    attr_reader :scan, :scm
+    
+    def initialize(scan, scm, included_issues)
+      @scan   = scan
+      @scm    = scm
+      @issues = included_issues
+    end
+
+    def generate(output_stream)
+      raise NotImplemented
+    end
+  end
+
+  class HtmlReport < Report
+    STYLESHEET = <<-EOF
+      table { border: 2px solid black }
+      th    { color: white; background: black }
+      td    { border-right: 1px dotted black; border-bottom: 1px dotted black }
+      h1    { font-family: Arial,Helvetica,sans-serif }
+      h2    { font-family: Arial,Helvetica,sans-serif; color: white; background: black }
+      h3    { font-family: Arial,Helvetica,sans-serif }
+      h4    { border-bottom: 1px dotted grey }
+      .detail code { background: yellow }
+    EOF
+
+    def generate(output_stream)
+      #Build map of contributors to issues they created
+
+      @issues_by_author = Hash.new
+
+      @issues.each do |issue|
+        commit, author = scm.blame(issue.relative_file, issue.line)
+        @issues_by_author[author] ||= []
+        @issues_by_author[author] << issue
+      end
+      #Sort contributors in decreasing order of number of issues created
+      @authors_by_issue_count = @issues_by_author.keys.sort { |x,y| @issues_by_author[y].size <=> @issues_by_author[x].size }
+
+      @issues_by_class = Hash.new
+      @issues.each do |issue|
+        klass = issue.class
+        @issues_by_class[klass] ||= []
+        @issues_by_class[klass] << issue
+      end
+
+      #Build map of files to issues they contain
+      @issues_by_file = Hash.new
+      @issues.each do |issue|
+        @issues_by_file[issue.relative_file] ||= []
+        @issues_by_file[issue.relative_file] << issue
+      end
+      #Sort files in decreasing order of number of issues contained
+      @files_by_issue_count = @issues_by_file.keys.sort { |x,y| @issues_by_file[y].size <=> @issues_by_file[x].size }
+      #Sort files in increasing lexical order of path
+      @files_by_name = @issues_by_file.keys.sort { |x,y| x <=> y }
+
+      #Write the report in HTML format
+      x = Builder::XmlMarkup.new(:target => output_stream, :indent => 2)
+      x << %Q{<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n}
+      x.html do |html|
+        html.head do |head|
+          head.title 'Static Analysis Results'
+          include_external_javascripts(head)
+          include_external_stylesheets(head)
+          head.style(STYLESHEET, :type=>'text/css')
+        end
+        html.body do |body|
+          body.h1 'Summary'
+          body.p "#{@issues.size} issues found."
+
+          body.h2 'Issues by Type'
+          body.table do |table|
+            table.thead do |thead|
+              thead.tr do |tr|
+                tr.th 'Type'
+                tr.th '#'
+                tr.th 'Issues'
+              end
+
+              @issues_by_class.each_pair do |klass, issues|
+                table.tr do |tr|
+                  sample_issue = issues.first
+                  tr.td(sample_issue.brief)
+                  tr.td(issues.size.to_s)
+                  tr.td do |td|
+                    issues.each do |issue|
+                      td.a(issue.issue_hash[0..4], :href=>"#issue_#{issue.issue_hash}")
+                      td.text!(' ')
+                    end
+                  end
+                end
+              end
+            end
+          end
+
+          body.h2 'Issues by Contributor'
+          body.table do |table|
+            table.thead do |thead|
+              thead.tr do |tr|
+                tr.th 'Name'
+                tr.th '#'
+                tr.th 'Issues'
+              end
+            end
+            table.tbody do |tbody|
+              @authors_by_issue_count.each do |author|
+                table.tr do |tr|
+                  tr.td(author)
+                  tr.td(@issues_by_author[author].size.to_s)
+                  tr.td do |td|
+                    @issues_by_author[author].each do |issue|
+                      td.a(issue.issue_hash[0..4], :href=>"#issue_#{issue.issue_hash}")
+                      td.text!(' ')
+                    end
+                  end
+                end
+              end
+            end
+          end
+
+          body.h2 'Issues by File'
+          body.table do |table|
+            table.thead do |thead|
+              thead.tr do |tr|
+                tr.th 'File'
+                tr.th '#'
+                tr.th 'Issues'
+              end
+            end
+            table.tbody do |tbody|
+              @files_by_issue_count.each do |file|
+                tbody.tr do |tr|
+                  tr.td(file)
+                  tr.td(@issues_by_file[file].size.to_s)
+                  tr.td do |td|
+                    @issues_by_file[file].each do |issue|
+                      td.a(issue.issue_hash[0..4], :href=>"#issue_#{issue.issue_hash}")
+                      td.text!(' ')
+                    end
+                  end
+                end
+              end
+            end
+          end
+
+          body.h1 'Detailed Results'
+          @files_by_name.each do |file|
+            body.h2 file
+
+            issues = @issues_by_file[file]
+            issues = issues.to_a.sort { |x,y| x.line <=> y.line }
+            issues.each do |issue|
+              body.div(:class=>'issue', :id=>"issue_#{issue.issue_hash}") do |div_issue|
+                div_issue.h4 do |h4|
+                  reference_link(div_issue, issue)
+                  h4.text! ", #{File.basename(issue.file)}:#{issue.line}"
+                end
+                div_issue.div(:class=>'detail') do |div_detail|
+                  div_detail << RedCloth.new(issue.detail).to_html
+                end
+
+                first   = issue.line-3
+                first   = 1 if first < 1
+                last    = issue.line + 3
+                excerpt = scm.excerpt(issue.file, (first..last), :blame=>false)
+                highlighted_code_snippet(div_issue, excerpt, first, issue.line)
+              end
+            end
+          end
+
+          body.h1 'Reference Information'
+          @issues_by_class.values.each do |array|
+            sample_issue = array.first
+            body.h2 sample_issue.brief
+            body.div(:id=>id_for_issue_class(sample_issue.class)) do |div|
+              div << RedCloth.new(sample_issue.reference_info).to_html 
+            end
+          end
+
+          activate_syntax_highlighter(body)
+        end
+      end
+    end
+
+    private
+
+    def reference_link(parent, issue)
+      href = "#TB_inline?width=800&height=600&inlineId=#{id_for_issue_class(issue.class)}"
+      parent.a(issue.brief, :href=>href.to_sym, :title=>issue.brief, :class=>'thickbox')      
+    end
+
+    def highlighted_code_snippet(parent, snippet, first_line, highlight)
+      parent.pre(snippet, :class=>"brush: ruby; first-line: #{first_line}; highlight: [#{highlight}]")
+    end
+
+    def include_external_javascripts(head)
+      #Note that we pass an empty block {} to the script tag in order to make
+      #Builder create a beginning-and-end tag; most browsers won't parse
+      #"empty" script tags even if they point to a src!!!      
+      head.script(:src=>'http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js', :type=>'text/javascript') {}
+      head.script(:src=>'https://s3.amazonaws.com/lint_fu/assets/js/thickbox.min.js', :type=>'text/javascript') {}
+      head.script(:src=>'https://s3.amazonaws.com/lint_fu/assets/js/xregexp.min.js', :type=>'text/javascript') {}
+      head.script(:src=>'https://s3.amazonaws.com/lint_fu/assets/js/shCore.js', :type=>'text/javascript') {}
+      head.script(:src=>'https://s3.amazonaws.com/lint_fu/assets/js/shBrushRuby.js', :type=>'text/javascript') {}
+    end
+
+    def include_external_stylesheets(head)
+      head.link(:rel=>'stylesheet', :type=>'text/css', :href=>'https://s3.amazonaws.com/lint_fu/assets/css/thickbox.css')
+      head.link(:rel=>'stylesheet', :type=>'text/css', :href=>'https://s3.amazonaws.com/lint_fu/assets/css/shCore.css')
+      head.link(:rel=>'stylesheet', :type=>'text/css', :href=>'https://s3.amazonaws.com/lint_fu/assets/css/shThemeDefault.css')
+    end
+
+    def id_for_issue_class(klass)
+      "reference_#{klass.name.split('::')[-1].underscore}"      
+    end
+
+    def activate_syntax_highlighter(body)
+      body.script('SyntaxHighlighter.all()', :type=>'text/javascript')
+    end
+  end
+
+  class TextReport < Report
+    def generate(output_stream)
+      counter = 1
+
+      @issues.each do |issue|
+        #commit, author = scm.blame(issue.relative_file, issue.line)
+        output_stream.puts " #{counter}) Failure:"
+        output_stream.puts "#{issue.brief}, #{issue.relative_file}:#{issue.line}"
+        output_stream.puts
+        output_stream.puts
+        counter += 1
+      end
+    end
+  end
+end

data/lib/lint_fu/scan.rb

@@ -0,0 +1,64 @@
+module LintFu
+  class ScanNotFinalized < Exception; end
+  
+  class Scan
+    COMMENT                  = /^\s*#/
+    VERBOSE_BLESSING_COMMENT = /#\s*(lint|security)\s*[-:]\s*not\s*a?n?\s*([a-z0-9 ]*) ?(as|because|;)\s*(.*)/i
+    BLESSING_COMMENT         = /#\s*(lint|security)\s*[-:]\s*not\s*a?n?\s*([a-z0-9 ]*)/i
+
+    attr_reader :fs_root, :issues
+
+    def initialize(fs_root)
+      @fs_root = fs_root
+      @issues = Set.new
+    end
+
+    def blessed?(issue)
+      comments = preceeding_comments(issue.sexp)
+      return false unless comments
+
+      match = nil
+      comments.each do |line|
+        match = VERBOSE_BLESSING_COMMENT.match(line)
+        match = BLESSING_COMMENT.match(line) unless match
+        break if match
+      end
+
+      return false unless match
+      blessed_issue_class = match[2].downcase.split(/\s+/).join('_').camelize
+
+      # Determine whether the blessed issue class appears anywhere in the class hierarchy of
+      # issue_class.
+      klass = issue.class
+      while klass
+        return true if klass.name.index(blessed_issue_class)
+        klass = klass.superclass
+      end
+
+      return false
+    end
+
+    def preceeding_comments(sexp)
+      @file_contents ||= {}
+      @file_contents[sexp.file] ||= File.readlines(sexp.file)
+      cont = @file_contents[sexp.file]
+
+      comments = ''
+
+      max_line = sexp.line - 1 - 1
+      max_line = 0 if max_line < 0
+      min_line = max_line
+
+      while cont[min_line] =~ COMMENT && min_line >= 0
+        min_line -= 1
+      end
+
+      if cont[max_line] =~ COMMENT
+        min_line +=1 unless min_line == max_line
+        return cont[min_line..max_line]
+      else
+        return nil
+      end
+    end    
+  end
+end