paraxial 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 1bd3d81eda937e486869f0796af505440ba3268ef365a59170ac0545dcf06a10
+  data.tar.gz: '099afef44bbc41beb2fdad948610864fa4592837428701c77d0f965d047e7d68'
+SHA512:
+  metadata.gz: 59db9199f831f0d4b65d8aa56bfca1ed976da91c03799b237c5b2d4fe62d5df1fd76c9de6dbf4969c90c6a0c50d6cfedfe57762f89a36f63997f1df7f811178c
+  data.tar.gz: 5efcc6c94e05db287a6679e06188f86b354ec4c098c8f2f4276e10a73385895cbbf3b2c6bc2a7364e11c26d3ae4e953ff18109193d533eec6e41e0356895c9b8

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2024-07-19
+
+- Initial release

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2024 dt
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,13 @@
+# Paraxial
+
+The Paraxial.io ruby agent. 
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+task default: %i[]

data/exe/paraxial

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require 'paraxial/cli'
+Paraxial::CLI.start

data/lib/paraxial/cli.rb

@@ -0,0 +1,34 @@
+require 'thor'
+require 'paraxial'
+require 'net/http'
+require 'uri'
+require 'json'
+require 'time'
+
+module Paraxial
+  class CLI < Thor
+    desc "scan", "Run scan"
+    def scan
+      puts "[Paraxial] Scan NOW"
+      cops = "Paraxial,Security/Eval,Security/IoMethods,Security/JSONLoad,Security/MarshalLoad,Security/Open,Security/YAMLLoad"
+      rubocop = `rubocop --only #{cops} --format json`
+      lockfile = File.read("./Gemfile.lock")
+      api_key = ENV['PARAXIAL_API_KEY']
+      uri = URI.parse(ENV['PARAXIAL_URL'] + "/api/ruby_scan")
+      headers = { 'Content-Type': 'application/json' }
+
+      body = { rubocop: rubocop, lockfile: lockfile, api_key: api_key, timestamp: Paraxial.get_timestamp() }
+      response = Net::HTTP.post(uri, body.to_json, headers)
+      puts response.body
+
+      if ENV['PARAXIAL_API_KEY'] == nil
+        puts "[Paraxial] Environment variable PARAXIAL_API_KEY not found, set with: "
+        puts "[Paraxial] export PARAXIAL_API_KEY=your_site_api_key_here"
+        puts "[Paraxial] Exiting"
+        exit()
+      else
+        puts "[Paraxial] Scan result here"
+      end
+    end
+  end
+end

data/lib/paraxial/engine.rb

@@ -0,0 +1,12 @@
+module Paraxial
+  if defined?(Rails::Engine)
+    class Engine < ::Rails::Engine
+      initializer 'paraxial.load_initializers' do
+        # Load the initializers from the `initializers` directory
+        Dir.glob(File.expand_path('initializers/*.rb', __dir__)).each do |file|
+          require_dependency file
+        end
+      end
+    end
+  end
+end

data/lib/paraxial/initializers/startup.rb

@@ -0,0 +1,25 @@
+require 'bundler'
+require 'paraxial'
+Bundler.setup
+
+Rails.application.config.to_prepare do
+  # Your code here
+  puts "[Paraxial] Runtime start"
+
+  deps_and_licenses = []
+  Bundler.load.specs.each do |spec|
+    # Print the gem name and license
+    h = { name: spec.name, version: spec.version.to_s, description: Paraxial.trim_dep(spec.description), license: spec.license || 'None' }
+    deps_and_licenses << h
+  end
+  deps_and_licenses << { name: "ruby", version: RUBY_VERSION, description: "The Ruby Programming Language", license: "Ruby"}
+  api_key = ENV['PARAXIAL_API_KEY']
+  uri = URI.parse(ENV['PARAXIAL_URL'] + "/api/ruby_app_lic")
+  headers = { 'Content-Type': 'application/json' }
+
+  body = { app_lic: deps_and_licenses, api_key: api_key, timestamp: Paraxial.get_timestamp() }
+  Thread.new do
+    response = Net::HTTP.post(uri, body.to_json, headers)
+  end
+
+end

data/lib/paraxial/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Paraxial
+  VERSION = "0.1.0"
+end

data/lib/paraxial.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'thor'
+require 'paraxial/engine'
+require 'rubocop'
+require_relative 'rubocop/cop/paraxial/csrf'
+require_relative 'rubocop/cop/paraxial/system'
+require_relative 'rubocop/cop/paraxial/send'
+require_relative 'rubocop/cop/paraxial/constantize'
+require_relative 'rubocop/cop/paraxial/html_safe'
+require_relative 'rubocop/cop/paraxial/sql'
+require_relative "paraxial/version"
+require_relative 'paraxial/cli'
+
+
+module Paraxial
+  class Error < StandardError; end
+  # Your code goes here...
+
+  def self.get_timestamp
+    utc_time = Time.now.utc
+    utc_time.strftime("%Y-%m-%d %H:%M:%S.%6N") + "Z"
+  end
+
+  def self.trim_dep(input)
+    if input == nil
+      nil
+    else
+      cleaned_string = input.gsub(/\n/, '')
+
+      # Find the position of the first period
+      period_index = cleaned_string.index('.')
+
+      # If there's a period, truncate the string up to that point
+      if period_index
+        cleaned_string = cleaned_string[0..period_index]
+      end
+
+      cleaned_string
+    end
+  end
+end

data/lib/rubocop/cop/paraxial/constantize.rb

@@ -0,0 +1,23 @@
+module RuboCop
+  module Cop
+    module Paraxial
+      class Constantize < Base
+        MSG = '`constantize` methods cause remote code execution if called on user input.'
+
+        def on_send(node)
+          method_name = node.method_name
+          return unless send_methods.include?(method_name)
+
+          add_offense(node, message: format(MSG, method: method_name))
+        end
+
+        private
+
+        def send_methods
+          [:constantize, :safe_constantize, :const_get, :qualified_const_get]
+        end
+
+      end
+    end
+  end
+end

data/lib/rubocop/cop/paraxial/csrf.rb

@@ -0,0 +1,23 @@
+module RuboCop
+  module Cop
+    module Paraxial
+      class CSRF < Base
+        MSG = 'CSRF, no protect_from_forgery in ApplicationController.'
+
+        def_node_search :protect_from_forgery_call, <<~PATTERN
+          (send nil? :protect_from_forgery ...)
+        PATTERN
+
+        def on_class(node)
+          class_name = node.loc.name.source
+
+          return unless class_name == 'ApplicationController'
+
+          protect_from_forgery = protect_from_forgery_call(node).first
+
+          add_offense(node) unless protect_from_forgery
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/paraxial/html_safe.rb

@@ -0,0 +1,22 @@
+module RuboCop
+  module Cop
+    module Paraxial
+      class HTMLSafe < Base
+        MSG = '`html_safe` leads to XSS when called on user input'
+
+        def on_send(node)
+          method_name = node.method_name
+          return unless send_methods.include?(method_name)
+
+          add_offense(node, message: format(MSG, method: method_name))
+        end
+
+        private
+
+        def send_methods
+          [:html_safe]
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/paraxial/send.rb

@@ -0,0 +1,23 @@
+module RuboCop
+  module Cop
+    module Paraxial
+      class Send < Base
+        MSG = '`send` causes remote code execution if called on user input.'
+
+        def on_send(node)
+          method_name = node.method_name
+          return unless send_methods.include?(method_name)
+
+          add_offense(node, message: format(MSG, method: method_name))
+        end
+
+        private
+
+        def send_methods
+          [:send, :try, :__send__, :public_send]
+        end
+
+      end
+    end
+  end
+end

data/lib/rubocop/cop/paraxial/sql.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Paraxial
+      # This cop checks that Active Record queries use literal keys in all of
+      # their conditions. Using dynamic keys in queries can make code
+      # susceptible to SQL injection attacks.
+      #
+      # @example
+      #   # bad
+      #   Model.where("order_count > #{params[:orders]}")
+      #   Model.having("order_count > #{params[:orders]}")
+      #   Model.exists?("order_count > #{params[:orders]}")
+      #
+      #   # good
+      #   Model.where('order_count > ?', params[:orders])
+      #   Model.having('order_count > ?', params[:orders])
+      #   Model.exists?('order_count > ?', params[:orders])
+      #
+      # @example EnforcedStyle: params (default)
+      #   # bad
+      #   Model.find_by(params['id'])
+      #
+      #   # good
+      #   Model.find_by(id: params['id'])
+      #   Model.find_by(Group.arel_table[:id].in([1, 2, 3]))
+      #
+      # @example EnforcedStyle: all
+      #
+      #   # bad
+      #   Model.find_by(params['id'])
+      #   # Value from Strong Parameters could still cause a SQLi.
+      #   Model.find_by(model_params['id'])
+      #   # Unfortunately there are false positives too.
+      #   Model.find_by(Group.arel_table[:id].in([1, 2, 3]))
+      #
+      #   # good
+      #   Model.find_by(id: params['id'])
+      #   Model.find_by(id: model_params['id'])
+      class SQL < Base
+        include ConfigurableEnforcedStyle
+
+        MSG = 'SQL injection via dynamic query key.'
+
+        RESTRICT_ON_SEND = %i[
+          all
+          average
+          calculate
+          count
+          count_by_sql
+          create_with
+          delete_all
+          delete_by
+          destroy_all
+          destroy_by
+          exists?
+          find_by
+          find_by!
+          find_by_sql
+          find_or_create_by
+          find_or_create_by!
+          find_or_initialize_by
+          find_or_initialize_by!
+          first
+          from
+          group
+          having
+          joins
+          last
+          lock
+          maximum
+          minimum
+          named_scope
+          not
+          order
+          pluck
+          reorder
+          reselect
+          rewhere
+          scope
+          select
+          sql
+          sum
+          update_all
+          where
+        ].freeze
+
+        def_node_matcher :non_literal_condition?, <<~'PATTERN'
+          (
+            send _ _                             # Match `where` and `Model.find_by`
+            ({dstr <begin ...> | send #matching_send?} ...)  # Match where(params[:id]) and where("#{method}")
+          )
+        PATTERN
+
+        def_node_matcher :params?, '(send nil? :params)'
+
+        def matching_send?(node)
+          style == :all ? true : params?(node)
+        end
+
+        def on_send(node)
+          return unless non_literal_condition?(node)
+
+          add_offense(node)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/paraxial/system.rb

@@ -0,0 +1,31 @@
+module RuboCop
+  module Cop
+    module Paraxial
+      class System < Base
+        MSG = '`system` causes remote code execution if called on user input.'
+
+        # Restrict the cop to only the `puts` method
+        RESTRICT_ON_SEND = %i[system].freeze
+
+        # @!method puts_call?(node)
+        def_node_matcher :system_call?, <<~PATTERN
+          (send nil? :system ...)
+        PATTERN
+
+        def on_send(node)
+          return unless in_app_directory?(node)
+          system_call?(node) do
+            add_offense(node.loc.selector, message: MSG)
+          end
+        end
+
+        private
+
+        def in_app_directory?(node)
+          processed_source.file_path.start_with?(File.join(Dir.pwd, 'app'))
+        end
+
+      end
+    end
+  end
+end

data/sig/paraxial.rbs

@@ -0,0 +1,4 @@
+module Paraxial
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata

@@ -0,0 +1,93 @@
+--- !ruby/object:Gem::Specification
+name: paraxial
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Michael Lubas
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2024-07-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description:
+email:
+- michael@paraxial.io
+executables:
+- paraxial
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- exe/paraxial
+- lib/paraxial.rb
+- lib/paraxial/cli.rb
+- lib/paraxial/engine.rb
+- lib/paraxial/initializers/startup.rb
+- lib/paraxial/version.rb
+- lib/rubocop/cop/paraxial/constantize.rb
+- lib/rubocop/cop/paraxial/csrf.rb
+- lib/rubocop/cop/paraxial/html_safe.rb
+- lib/rubocop/cop/paraxial/send.rb
+- lib/rubocop/cop/paraxial/sql.rb
+- lib/rubocop/cop/paraxial/system.rb
+- sig/paraxial.rbs
+homepage: https://paraxial.io/
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org/
+  homepage_uri: https://paraxial.io/
+  source_code_uri: https://paraxial.io/
+  changelog_uri: https://paraxial.io/
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.6.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.7
+signing_key:
+specification_version: 4
+summary: Paraxial.io Ruby Agent
+test_files: []