RubyGems - railroader - Versions diffs - 4.3.4 - Mend

railroader 4.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (165) hide show

checksums.yaml +7 -0
data/CHANGES.md +1091 -0
data/FEATURES +16 -0
data/README.md +174 -0
data/bin/railroader +8 -0
data/lib/railroader/app_tree.rb +191 -0
data/lib/railroader/call_index.rb +219 -0
data/lib/railroader/checks/base_check.rb +505 -0
data/lib/railroader/checks/check_basic_auth.rb +88 -0
data/lib/railroader/checks/check_basic_auth_timing_attack.rb +33 -0
data/lib/railroader/checks/check_content_tag.rb +200 -0
data/lib/railroader/checks/check_create_with.rb +74 -0
data/lib/railroader/checks/check_cross_site_scripting.rb +381 -0
data/lib/railroader/checks/check_default_routes.rb +86 -0
data/lib/railroader/checks/check_deserialize.rb +56 -0
data/lib/railroader/checks/check_detailed_exceptions.rb +55 -0
data/lib/railroader/checks/check_digest_dos.rb +38 -0
data/lib/railroader/checks/check_divide_by_zero.rb +42 -0
data/lib/railroader/checks/check_dynamic_finders.rb +48 -0
data/lib/railroader/checks/check_escape_function.rb +21 -0
data/lib/railroader/checks/check_evaluation.rb +35 -0
data/lib/railroader/checks/check_execute.rb +189 -0
data/lib/railroader/checks/check_file_access.rb +71 -0
data/lib/railroader/checks/check_file_disclosure.rb +35 -0
data/lib/railroader/checks/check_filter_skipping.rb +31 -0
data/lib/railroader/checks/check_forgery_setting.rb +81 -0
data/lib/railroader/checks/check_header_dos.rb +31 -0
data/lib/railroader/checks/check_i18n_xss.rb +48 -0
data/lib/railroader/checks/check_jruby_xml.rb +36 -0
data/lib/railroader/checks/check_json_encoding.rb +47 -0
data/lib/railroader/checks/check_json_parsing.rb +107 -0
data/lib/railroader/checks/check_link_to.rb +132 -0
data/lib/railroader/checks/check_link_to_href.rb +146 -0
data/lib/railroader/checks/check_mail_to.rb +49 -0
data/lib/railroader/checks/check_mass_assignment.rb +196 -0
data/lib/railroader/checks/check_mime_type_dos.rb +39 -0
data/lib/railroader/checks/check_model_attr_accessible.rb +55 -0
data/lib/railroader/checks/check_model_attributes.rb +119 -0
data/lib/railroader/checks/check_model_serialize.rb +67 -0
data/lib/railroader/checks/check_nested_attributes.rb +38 -0
data/lib/railroader/checks/check_nested_attributes_bypass.rb +58 -0
data/lib/railroader/checks/check_number_to_currency.rb +74 -0
data/lib/railroader/checks/check_permit_attributes.rb +43 -0
data/lib/railroader/checks/check_quote_table_name.rb +40 -0
data/lib/railroader/checks/check_redirect.rb +256 -0
data/lib/railroader/checks/check_regex_dos.rb +68 -0
data/lib/railroader/checks/check_render.rb +97 -0
data/lib/railroader/checks/check_render_dos.rb +37 -0
data/lib/railroader/checks/check_render_inline.rb +53 -0
data/lib/railroader/checks/check_response_splitting.rb +21 -0
data/lib/railroader/checks/check_route_dos.rb +42 -0
data/lib/railroader/checks/check_safe_buffer_manipulation.rb +31 -0
data/lib/railroader/checks/check_sanitize_methods.rb +112 -0
data/lib/railroader/checks/check_secrets.rb +40 -0
data/lib/railroader/checks/check_select_tag.rb +59 -0
data/lib/railroader/checks/check_select_vulnerability.rb +60 -0
data/lib/railroader/checks/check_send.rb +47 -0
data/lib/railroader/checks/check_send_file.rb +19 -0
data/lib/railroader/checks/check_session_manipulation.rb +35 -0
data/lib/railroader/checks/check_session_settings.rb +176 -0
data/lib/railroader/checks/check_simple_format.rb +58 -0
data/lib/railroader/checks/check_single_quotes.rb +101 -0
data/lib/railroader/checks/check_skip_before_filter.rb +60 -0
data/lib/railroader/checks/check_sql.rb +700 -0
data/lib/railroader/checks/check_sql_cves.rb +106 -0
data/lib/railroader/checks/check_ssl_verify.rb +48 -0
data/lib/railroader/checks/check_strip_tags.rb +89 -0
data/lib/railroader/checks/check_symbol_dos.rb +71 -0
data/lib/railroader/checks/check_symbol_dos_cve.rb +30 -0
data/lib/railroader/checks/check_translate_bug.rb +45 -0
data/lib/railroader/checks/check_unsafe_reflection.rb +50 -0
data/lib/railroader/checks/check_unscoped_find.rb +57 -0
data/lib/railroader/checks/check_validation_regex.rb +116 -0
data/lib/railroader/checks/check_weak_hash.rb +148 -0
data/lib/railroader/checks/check_without_protection.rb +80 -0
data/lib/railroader/checks/check_xml_dos.rb +45 -0
data/lib/railroader/checks/check_yaml_parsing.rb +121 -0
data/lib/railroader/checks.rb +209 -0
data/lib/railroader/codeclimate/engine_configuration.rb +97 -0
data/lib/railroader/commandline.rb +179 -0
data/lib/railroader/differ.rb +66 -0
data/lib/railroader/file_parser.rb +54 -0
data/lib/railroader/format/style.css +133 -0
data/lib/railroader/options.rb +339 -0
data/lib/railroader/parsers/rails2_erubis.rb +6 -0
data/lib/railroader/parsers/rails2_xss_plugin_erubis.rb +48 -0
data/lib/railroader/parsers/rails3_erubis.rb +81 -0
data/lib/railroader/parsers/template_parser.rb +108 -0
data/lib/railroader/processor.rb +102 -0
data/lib/railroader/processors/alias_processor.rb +1229 -0
data/lib/railroader/processors/base_processor.rb +295 -0
data/lib/railroader/processors/config_processor.rb +14 -0
data/lib/railroader/processors/controller_alias_processor.rb +278 -0
data/lib/railroader/processors/controller_processor.rb +249 -0
data/lib/railroader/processors/erb_template_processor.rb +77 -0
data/lib/railroader/processors/erubis_template_processor.rb +92 -0
data/lib/railroader/processors/gem_processor.rb +64 -0
data/lib/railroader/processors/haml_template_processor.rb +191 -0
data/lib/railroader/processors/lib/basic_processor.rb +37 -0
data/lib/railroader/processors/lib/call_conversion_helper.rb +90 -0
data/lib/railroader/processors/lib/find_all_calls.rb +224 -0
data/lib/railroader/processors/lib/find_call.rb +183 -0
data/lib/railroader/processors/lib/find_return_value.rb +166 -0
data/lib/railroader/processors/lib/module_helper.rb +111 -0
data/lib/railroader/processors/lib/processor_helper.rb +88 -0
data/lib/railroader/processors/lib/rails2_config_processor.rb +145 -0
data/lib/railroader/processors/lib/rails2_route_processor.rb +313 -0
data/lib/railroader/processors/lib/rails3_config_processor.rb +132 -0
data/lib/railroader/processors/lib/rails3_route_processor.rb +308 -0
data/lib/railroader/processors/lib/render_helper.rb +181 -0
data/lib/railroader/processors/lib/render_path.rb +107 -0
data/lib/railroader/processors/lib/route_helper.rb +68 -0
data/lib/railroader/processors/lib/safe_call_helper.rb +16 -0
data/lib/railroader/processors/library_processor.rb +74 -0
data/lib/railroader/processors/model_processor.rb +91 -0
data/lib/railroader/processors/output_processor.rb +144 -0
data/lib/railroader/processors/route_processor.rb +17 -0
data/lib/railroader/processors/slim_template_processor.rb +111 -0
data/lib/railroader/processors/template_alias_processor.rb +118 -0
data/lib/railroader/processors/template_processor.rb +85 -0
data/lib/railroader/report/config/remediation.yml +71 -0
data/lib/railroader/report/ignore/config.rb +153 -0
data/lib/railroader/report/ignore/interactive.rb +362 -0
data/lib/railroader/report/pager.rb +112 -0
data/lib/railroader/report/renderer.rb +24 -0
data/lib/railroader/report/report_base.rb +292 -0
data/lib/railroader/report/report_codeclimate.rb +79 -0
data/lib/railroader/report/report_csv.rb +55 -0
data/lib/railroader/report/report_hash.rb +23 -0
data/lib/railroader/report/report_html.rb +216 -0
data/lib/railroader/report/report_json.rb +45 -0
data/lib/railroader/report/report_markdown.rb +107 -0
data/lib/railroader/report/report_table.rb +117 -0
data/lib/railroader/report/report_tabs.rb +17 -0
data/lib/railroader/report/report_text.rb +198 -0
data/lib/railroader/report/templates/controller_overview.html.erb +22 -0
data/lib/railroader/report/templates/controller_warnings.html.erb +21 -0
data/lib/railroader/report/templates/error_overview.html.erb +29 -0
data/lib/railroader/report/templates/header.html.erb +58 -0
data/lib/railroader/report/templates/ignored_warnings.html.erb +25 -0
data/lib/railroader/report/templates/model_warnings.html.erb +21 -0
data/lib/railroader/report/templates/overview.html.erb +38 -0
data/lib/railroader/report/templates/security_warnings.html.erb +23 -0
data/lib/railroader/report/templates/template_overview.html.erb +21 -0
data/lib/railroader/report/templates/view_warnings.html.erb +34 -0
data/lib/railroader/report/templates/warning_overview.html.erb +17 -0
data/lib/railroader/report.rb +88 -0
data/lib/railroader/rescanner.rb +483 -0
data/lib/railroader/scanner.rb +321 -0
data/lib/railroader/tracker/collection.rb +93 -0
data/lib/railroader/tracker/config.rb +154 -0
data/lib/railroader/tracker/constants.rb +171 -0
data/lib/railroader/tracker/controller.rb +161 -0
data/lib/railroader/tracker/library.rb +17 -0
data/lib/railroader/tracker/model.rb +90 -0
data/lib/railroader/tracker/template.rb +33 -0
data/lib/railroader/tracker.rb +362 -0
data/lib/railroader/util.rb +503 -0
data/lib/railroader/version.rb +3 -0
data/lib/railroader/warning.rb +294 -0
data/lib/railroader/warning_codes.rb +117 -0
data/lib/railroader.rb +544 -0
data/lib/ruby_parser/bm_sexp.rb +626 -0
data/lib/ruby_parser/bm_sexp_processor.rb +116 -0
metadata +386 -0

data/lib/railroader/checks/check_weak_hash.rb ADDED Viewed

@@ -0,0 +1,148 @@
+require 'railroader/checks/base_check'
+class Railroader::CheckWeakHash < Railroader::BaseCheck
+  Railroader::Checks.add_optional self
+  @description = "Checks for use of weak hashes like MD5"
+  DIGEST_CALLS = [:base64digest, :digest, :hexdigest, :new]
+  def run_check
+    tracker.find_call(:targets => [:'Digest::MD5', :'Digest::SHA1', :'OpenSSL::Digest::MD5', :'OpenSSL::Digest::SHA1'], :nested => true).each do |result|
+      process_hash_result result
+    end
+    tracker.find_call(:target => :'Digest::HMAC', :methods => [:new, :hexdigest], :nested => true).each do |result|
+      process_hmac_result result
+    end
+    tracker.find_call(:targets => [:'OpenSSL::Digest::Digest', :'OpenSSL::Digest'], :method => :new).each do |result|
+      process_openssl_result result
+    end
+  end
+  def process_hash_result result
+    return unless original? result
+    input = nil
+    call = result[:call]
+    if DIGEST_CALLS.include? call.method
+      if input = user_input_as_arg?(call)
+        confidence = :high
+      elsif input = hashing_password?(call)
+        confidence = :high
+      else
+        confidence = :medium
+      end
+    else
+      confidence = :medium
+    end
+    alg = case call.target.last
+          when :MD5
+           " (MD5)"
+           when :SHA1
+            " (SHA1)"
+          else
+            ""
+          end
+    warn :result => result,
+      :warning_type => "Weak Hash",
+      :warning_code => :weak_hash_digest,
+      :message => "Weak hashing algorithm#{alg} used",
+      :confidence => confidence,
+      :user_input => input
+  end
+  def process_hmac_result result
+    return unless original? result
+    call = result[:call]
+    alg = case call.third_arg.last
+           when :MD5
+             'MD5'
+           when :SHA1
+             'SHA1'
+           else
+             return
+           end
+    warn :result => result,
+      :warning_type => "Weak Hash",
+      :warning_code => :weak_hash_hmac,
+      :message => "Weak hashing algorithm (#{alg}) used in HMAC",
+      :confidence => :medium
+  end
+  def process_openssl_result result
+    return unless original? result
+    arg = result[:call].first_arg
+    if string? arg
+      alg = arg.value.upcase
+      if alg == 'MD5' or alg == 'SHA1'
+        warn :result => result,
+          :warning_type => "Weak Hash",
+          :warning_code => :weak_hash_digest,
+          :message => "Weak hashing algorithm (#{alg}) used",
+          :confidence => :medium
+      end
+    end
+  end
+  def user_input_as_arg? call
+    call.each_arg do |arg|
+      if input = include_user_input?(arg)
+        return input
+      end
+    end
+    nil
+  end
+  def hashing_password? call
+    call.each_arg do |arg|
+      @has_password = false
+      process arg
+      if @has_password
+        return @has_password
+      end
+    end
+    nil
+  end
+  def process_call exp
+    if exp.method == :password
+      @has_password = exp
+    else
+      process_default exp
+    end
+    exp
+  end
+  def process_ivar exp
+    if exp.value == :@password
+      @has_password = exp
+    end
+    exp
+  end
+  def process_lvar exp
+    if exp.value == :password
+      @has_password = exp
+    end
+    exp
+  end
+end

data/lib/railroader/checks/check_without_protection.rb ADDED Viewed

@@ -0,0 +1,80 @@
+require 'railroader/checks/base_check'
+#Check for bypassing mass assignment protection
+#with without_protection => true
+#
+#Only for Rails 3.1
+class Railroader::CheckWithoutProtection < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Check for mass assignment using without_protection"
+  def run_check
+    if version_between? "0.0.0", "3.0.99"
+      return
+    end
+    return if active_record_models.empty?
+    Railroader.debug "Finding all mass assignments"
+    calls = tracker.find_call :targets => active_record_models.keys, :methods => [:new,
+      :attributes=,
+      :update_attributes,
+      :update_attributes!,
+      :create,
+      :create!]
+    Railroader.debug "Processing all mass assignments"
+    calls.each do |result|
+      process_result result
+    end
+  end
+  #All results should be Model.new(...) or Model.attributes=() calls
+  def process_result res
+    call = res[:call]
+    last_arg = call.last_arg
+    if hash? last_arg and not call.original_line and not duplicate? res
+      if value = hash_access(last_arg, :without_protection)
+        if true? value
+          add_result res
+          if input = include_user_input?(call.arglist)
+            confidence = :high
+          elsif all_literals? call
+            return
+          else
+            confidence = :medium
+          end
+          warn :result => res,
+            :warning_type => "Mass Assignment",
+            :warning_code => :mass_assign_without_protection,
+            :message => "Unprotected mass assignment",
+            :code => call,
+            :user_input => input,
+            :confidence => confidence
+        end
+      end
+    end
+  end
+  def all_literals? call
+    call.each_arg do |arg|
+      if hash? arg
+        hash_iterate arg do |k, v|
+          unless node_type? k, :str, :lit, :false, :true and node_type? v, :str, :lit, :false, :true
+            return false
+          end
+        end
+      else
+        return false
+      end
+    end
+    true
+  end
+end

data/lib/railroader/checks/check_xml_dos.rb ADDED Viewed

@@ -0,0 +1,45 @@
+require 'railroader/checks/base_check'
+class Railroader::CheckXMLDoS < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Checks for XML denial of service (CVE-2015-3227)"
+  def run_check
+    version = rails_version
+    fix_version = case
+                  when version_between?("2.0.0", "3.2.21")
+                    "3.2.22"
+                  when version_between?("4.1.0", "4.1.10")
+                    "4.1.11"
+                  when version_between?("4.2.0", "4.2.1")
+                    "4.2.2"
+                  when version_between?("4.0.0", "4.0.99")
+                    "4.2.2"
+                  else
+                    return
+                  end
+    return if has_workaround?
+    message = "Rails #{version} is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version #{fix_version}"
+    warn :warning_type => "Denial of Service",
+      :warning_code => :CVE_2015_3227,
+      :message => message,
+      :confidence => :medium,
+      :gem_info => gemfile_or_environment,
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"
+  end
+  def has_workaround?
+    tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).any? do |match|
+      arg = match.call.first_arg
+      if string? arg
+        value = arg.value
+        value == 'Nokogiri' or value == 'LibXML'
+      end
+    end
+  end
+end

data/lib/railroader/checks/check_yaml_parsing.rb ADDED Viewed

@@ -0,0 +1,121 @@
+require 'railroader/checks/base_check'
+class Railroader::CheckYAMLParsing < Railroader::BaseCheck
+  Railroader::Checks.add self
+  @description = "Checks for YAML parsing vulnerabilities (CVE-2013-0156)"
+  def run_check
+    return unless version_between? "0.0.0", "2.3.14" or
+                  version_between? "3.0.0", "3.0.18" or
+                  version_between? "3.1.0", "3.1.9" or
+                  version_between? "3.2.0", "3.2.10"
+    unless disabled_xml_parser? or disabled_xml_dangerous_types?
+      new_version = if version_between? "0.0.0", "2.3.14"
+                      "2.3.15"
+                    elsif version_between? "3.0.0", "3.0.18"
+                      "3.0.19"
+                    elsif version_between? "3.1.0", "3.1.9"
+                      "3.1.10"
+                    elsif version_between? "3.2.0", "3.2.10"
+                      "3.2.11"
+                    end
+      message = "Rails #{rails_version} has a remote code execution vulnerability: upgrade to #{new_version} or disable XML parsing"
+      warn :warning_type => "Remote Code Execution",
+        :warning_code => :CVE_2013_0156,
+        :message => message,
+        :confidence => :high,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
+    end
+    #Warn if app accepts YAML
+    if version_between?("0.0.0", "2.3.14") and enabled_yaml_parser?
+      message = "Parsing YAML request parameters enables remote code execution: disable YAML parser"
+      warn :warning_type => "Remote Code Execution",
+        :warning_code => :CVE_2013_0156,
+        :message => message,
+        :confidence => :high,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
+    end
+  end
+  def disabled_xml_parser?
+    if version_between? "0.0.0", "2.3.14"
+      #Look for ActionController::Base.param_parsers.delete(Mime::XML)
+      params_parser = s(:call,
+                        s(:colon2, s(:const, :ActionController), :Base),
+                        :param_parsers)
+      matches = tracker.check_initializers(params_parser, :delete)
+    else
+      #Look for ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
+      matches = tracker.check_initializers(:"ActionDispatch::ParamsParser::DEFAULT_PARSERS", :delete)
+    end
+    unless matches.empty?
+      mime_xml = s(:colon2, s(:const, :Mime), :XML)
+      matches.each do |result|
+        if result.call.first_arg == mime_xml
+          return true
+        end
+      end
+    end
+    false
+  end
+  #Look for ActionController::Base.param_parsers[Mime::YAML] = :yaml
+  #in Rails 2.x apps
+  def enabled_yaml_parser?
+    param_parsers = s(:call,
+                      s(:colon2, s(:const, :ActionController), :Base),
+                      :param_parsers)
+    matches = tracker.check_initializers(param_parsers, :[]=)
+    mime_yaml = s(:colon2, s(:const, :Mime), :YAML)
+    matches.each do |result|
+      if result.call.first_arg == mime_yaml and
+        symbol? result.call.second_arg and
+        result.call.second_arg.value == :yaml
+        return true
+      end
+    end
+    false
+  end
+  def disabled_xml_dangerous_types?
+    if version_between? "0.0.0", "2.3.14"
+      matches = tracker.check_initializers(:"ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING", :delete)
+    else
+      matches = tracker.check_initializers(:"ActiveSupport::XmlMini::PARSING", :delete)
+    end
+    symbols_off = false
+    yaml_off = false
+    matches.each do |result|
+      arg = result.call.first_arg
+      if string? arg
+        if arg.value == "yaml"
+          yaml_off = true
+        elsif arg.value == "symbol"
+          symbols_off = true
+        end
+      end
+    end
+    symbols_off and yaml_off
+  end
+end

data/lib/railroader/checks.rb ADDED Viewed

@@ -0,0 +1,209 @@
+require 'thread'
+require 'railroader/differ'
+#Collects up results from running different checks.
+#
+#Checks can be added with +Check.add(check_class)+
+#
+#All .rb files in checks/ will be loaded.
+class Railroader::Checks
+  @checks = []
+  @optional_checks = []
+  attr_reader :warnings, :controller_warnings, :model_warnings, :template_warnings, :checks_run
+  #Add a check. This will call +_klass_.new+ when running tests
+  def self.add klass
+    @checks << klass unless @checks.include? klass
+  end
+  #Add an optional check
+  def self.add_optional klass
+    @optional_checks << klass unless @checks.include? klass
+  end
+  def self.checks
+    @checks + @optional_checks
+  end
+  def self.optional_checks
+    @optional_checks
+  end
+  def self.initialize_checks check_directory = ""
+    #Load all files in check_directory
+    Dir.glob(File.join(check_directory, "*.rb")).sort.each do |f|
+      require f
+    end
+  end
+  def self.missing_checks included_checks, excluded_checks
+    included_checks = included_checks.map(&:to_s).to_set
+    excluded_checks = excluded_checks.map(&:to_s).to_set
+    if included_checks == Set['CheckNone']
+      return []
+    else
+      loaded = self.checks.map { |name| name.to_s.gsub('Railroader::', '') }.to_set
+      missing = (included_checks - loaded) + (excluded_checks - loaded)
+      unless missing.empty?
+        return missing
+      end
+    end
+    []
+  end
+  #No need to use this directly.
+  def initialize options = { }
+    if options[:min_confidence]
+      @min_confidence = options[:min_confidence]
+    else
+      @min_confidence = Railroader.get_defaults[:min_confidence]
+    end
+    @warnings = []
+    @template_warnings = []
+    @model_warnings = []
+    @controller_warnings = []
+    @checks_run = []
+  end
+  #Add Warning to list of warnings to report.
+  #Warnings are split into four different arrays
+  #for template, controller, model, and generic warnings.
+  #
+  #Will not add warnings which are below the minimum confidence level.
+  def add_warning warning
+    unless warning.confidence > @min_confidence
+      case warning.warning_set
+      when :template
+        @template_warnings << warning
+      when :warning
+        @warnings << warning
+      when :controller
+        @controller_warnings << warning
+      when :model
+        @model_warnings << warning
+      else
+        raise "Unknown warning: #{warning.warning_set}"
+      end
+    end
+  end
+  #Return a hash of arrays of new and fixed warnings
+  #
+  #    diff = checks.diff old_checks
+  #    diff[:fixed]  # [...]
+  #    diff[:new]    # [...]
+  def diff other_checks
+    my_warnings = self.all_warnings
+    other_warnings = other_checks.all_warnings
+    Railroader::Differ.new(my_warnings, other_warnings).diff
+  end
+  #Return an array of all warnings found.
+  def all_warnings
+    @warnings + @template_warnings + @controller_warnings + @model_warnings
+  end
+  #Run all the checks on the given Tracker.
+  #Returns a new instance of Checks with the results.
+  def self.run_checks(app_tree, tracker)
+    checks = self.checks_to_run(tracker)
+    check_runner = self.new :min_confidence => tracker.options[:min_confidence]
+    self.actually_run_checks(checks, check_runner, app_tree, tracker)
+  end
+  def self.actually_run_checks(checks, check_runner, app_tree, tracker)
+    threads = [] # Results for parallel
+    results = [] # Results for sequential
+    parallel = tracker.options[:parallel_checks]
+    error_mutex = Mutex.new
+    checks.each do |c|
+      check_name = get_check_name c
+      Railroader.notify " - #{check_name}"
+      if parallel
+        threads << Thread.new do
+          self.run_a_check(c, error_mutex, app_tree, tracker)
+        end
+      else
+        results << self.run_a_check(c, error_mutex, app_tree, tracker)
+      end
+      #Maintain list of which checks were run
+      #mainly for reporting purposes
+      check_runner.checks_run << check_name[5..-1]
+    end
+    threads.each { |t| t.join }
+    Railroader.notify "Checks finished, collecting results..."
+    if parallel
+      threads.each do |thread|
+        thread.value.each do |warning|
+          check_runner.add_warning warning
+        end
+      end
+    else
+      results.each do |warnings|
+        warnings.each do |warning|
+          check_runner.add_warning warning
+        end
+      end
+    end
+    check_runner
+  end
+  private
+  def self.get_check_name check_class
+    check_class.to_s.split("::").last
+  end
+  def self.checks_to_run tracker
+    to_run = if tracker.options[:run_all_checks] or tracker.options[:run_checks]
+               @checks + @optional_checks
+             else
+               @checks
+             end
+    self.filter_checks to_run, tracker
+  end
+  def self.filter_checks checks, tracker
+    skipped = tracker.options[:skip_checks]
+    explicit = tracker.options[:run_checks]
+    checks.reject do |c|
+      check_name = self.get_check_name(c)
+      skipped.include? check_name or
+        (explicit and not explicit.include? check_name)
+    end
+  end
+  def self.run_a_check klass, mutex, app_tree, tracker
+    check = klass.new(app_tree, tracker)
+    begin
+      check.run_check
+    rescue => e
+      mutex.synchronize do
+        tracker.error e
+      end
+    end
+    check.warnings
+  end
+end
+#Load all files in checks/ directory
+Dir.glob("#{File.expand_path(File.dirname(__FILE__))}/checks/*.rb").sort.each do |f|
+  require f.match(/(railroader\/checks\/.*)\.rb$/)[0]
+end

data/lib/railroader/codeclimate/engine_configuration.rb ADDED Viewed

@@ -0,0 +1,97 @@
+require 'pathname'
+module Railroader
+  module Codeclimate
+    class EngineConfiguration
+      def initialize(engine_config = {})
+        @engine_config = engine_config
+      end
+      def options
+        default_options.merge(configured_options)
+      end
+      private
+      attr_reader :engine_config
+      def default_options
+        @default_options = {
+          :output_format => :codeclimate,
+          :quiet => true,
+          :pager => false,
+          :app_path => Dir.pwd
+        }
+        if system("test -w /dev/stdout")
+          @default_options[:output_files] = ["/dev/stdout"]
+        end
+        @default_options
+      end
+      def configured_options
+        @configured_options = {}
+        # ATM this gets parsed as a string instead of bool: "config":{ "debug":"true" }
+        if railroader_configuration["debug"] && railroader_configuration["debug"].to_s.downcase == "true"
+          @configured_options[:debug] = true
+          @configured_options[:report_progress] = false
+        end
+        if active_include_paths
+          @configured_options[:only_files] = active_include_paths
+        end
+        if railroader_configuration["app_path"]
+          @configured_options[:path_prefix] = railroader_configuration["app_path"]
+          path = Pathname.new(Dir.pwd) + railroader_configuration["app_path"]
+          @configured_options[:app_path] = path.to_s
+        end
+        @configured_options
+      end
+      def railroader_configuration
+        if engine_config["config"]
+          engine_config["config"]
+        else
+          {}
+        end
+      end
+      def active_include_paths
+        @active_include_paths ||=
+          if railroader_configuration["app_path"]
+            stripped_include_paths(railroader_configuration["app_path"])
+          else
+            engine_config["include_paths"] && engine_config["include_paths"].compact
+          end
+      end
+      def stripped_include_paths(prefix)
+        subprefixes = path_subprefixes(prefix)
+        engine_config["include_paths"] && engine_config["include_paths"].map do |path|
+          next unless path
+          stripped_include_path(prefix, subprefixes, path)
+        end.compact
+      end
+      def path_subprefixes(path)
+        Pathname.new(path).each_filename.inject([]) do |memo, piece|
+         memo <<
+           if memo.any?
+             File.join(memo.last, piece)
+           else
+             File.join(piece)
+           end
+        end
+      end
+      def stripped_include_path(prefix, subprefixes, path)
+        if path.start_with?(prefix)
+          path.sub(%r{^#{prefix}/?}, "/")
+        elsif subprefixes.any? { |subprefix| path =~ %r{^#{subprefix}/?$} }
+          "/"
+        end
+      end
+    end
+  end
+end