RubyGems - railroader - Versions diffs - 4.3.4 - Mend

railroader 4.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (165) hide show

checksums.yaml +7 -0
data/CHANGES.md +1091 -0
data/FEATURES +16 -0
data/README.md +174 -0
data/bin/railroader +8 -0
data/lib/railroader/app_tree.rb +191 -0
data/lib/railroader/call_index.rb +219 -0
data/lib/railroader/checks/base_check.rb +505 -0
data/lib/railroader/checks/check_basic_auth.rb +88 -0
data/lib/railroader/checks/check_basic_auth_timing_attack.rb +33 -0
data/lib/railroader/checks/check_content_tag.rb +200 -0
data/lib/railroader/checks/check_create_with.rb +74 -0
data/lib/railroader/checks/check_cross_site_scripting.rb +381 -0
data/lib/railroader/checks/check_default_routes.rb +86 -0
data/lib/railroader/checks/check_deserialize.rb +56 -0
data/lib/railroader/checks/check_detailed_exceptions.rb +55 -0
data/lib/railroader/checks/check_digest_dos.rb +38 -0
data/lib/railroader/checks/check_divide_by_zero.rb +42 -0
data/lib/railroader/checks/check_dynamic_finders.rb +48 -0
data/lib/railroader/checks/check_escape_function.rb +21 -0
data/lib/railroader/checks/check_evaluation.rb +35 -0
data/lib/railroader/checks/check_execute.rb +189 -0
data/lib/railroader/checks/check_file_access.rb +71 -0
data/lib/railroader/checks/check_file_disclosure.rb +35 -0
data/lib/railroader/checks/check_filter_skipping.rb +31 -0
data/lib/railroader/checks/check_forgery_setting.rb +81 -0
data/lib/railroader/checks/check_header_dos.rb +31 -0
data/lib/railroader/checks/check_i18n_xss.rb +48 -0
data/lib/railroader/checks/check_jruby_xml.rb +36 -0
data/lib/railroader/checks/check_json_encoding.rb +47 -0
data/lib/railroader/checks/check_json_parsing.rb +107 -0
data/lib/railroader/checks/check_link_to.rb +132 -0
data/lib/railroader/checks/check_link_to_href.rb +146 -0
data/lib/railroader/checks/check_mail_to.rb +49 -0
data/lib/railroader/checks/check_mass_assignment.rb +196 -0
data/lib/railroader/checks/check_mime_type_dos.rb +39 -0
data/lib/railroader/checks/check_model_attr_accessible.rb +55 -0
data/lib/railroader/checks/check_model_attributes.rb +119 -0
data/lib/railroader/checks/check_model_serialize.rb +67 -0
data/lib/railroader/checks/check_nested_attributes.rb +38 -0
data/lib/railroader/checks/check_nested_attributes_bypass.rb +58 -0
data/lib/railroader/checks/check_number_to_currency.rb +74 -0
data/lib/railroader/checks/check_permit_attributes.rb +43 -0
data/lib/railroader/checks/check_quote_table_name.rb +40 -0
data/lib/railroader/checks/check_redirect.rb +256 -0
data/lib/railroader/checks/check_regex_dos.rb +68 -0
data/lib/railroader/checks/check_render.rb +97 -0
data/lib/railroader/checks/check_render_dos.rb +37 -0
data/lib/railroader/checks/check_render_inline.rb +53 -0
data/lib/railroader/checks/check_response_splitting.rb +21 -0
data/lib/railroader/checks/check_route_dos.rb +42 -0
data/lib/railroader/checks/check_safe_buffer_manipulation.rb +31 -0
data/lib/railroader/checks/check_sanitize_methods.rb +112 -0
data/lib/railroader/checks/check_secrets.rb +40 -0
data/lib/railroader/checks/check_select_tag.rb +59 -0
data/lib/railroader/checks/check_select_vulnerability.rb +60 -0
data/lib/railroader/checks/check_send.rb +47 -0
data/lib/railroader/checks/check_send_file.rb +19 -0
data/lib/railroader/checks/check_session_manipulation.rb +35 -0
data/lib/railroader/checks/check_session_settings.rb +176 -0
data/lib/railroader/checks/check_simple_format.rb +58 -0
data/lib/railroader/checks/check_single_quotes.rb +101 -0
data/lib/railroader/checks/check_skip_before_filter.rb +60 -0
data/lib/railroader/checks/check_sql.rb +700 -0
data/lib/railroader/checks/check_sql_cves.rb +106 -0
data/lib/railroader/checks/check_ssl_verify.rb +48 -0
data/lib/railroader/checks/check_strip_tags.rb +89 -0
data/lib/railroader/checks/check_symbol_dos.rb +71 -0
data/lib/railroader/checks/check_symbol_dos_cve.rb +30 -0
data/lib/railroader/checks/check_translate_bug.rb +45 -0
data/lib/railroader/checks/check_unsafe_reflection.rb +50 -0
data/lib/railroader/checks/check_unscoped_find.rb +57 -0
data/lib/railroader/checks/check_validation_regex.rb +116 -0
data/lib/railroader/checks/check_weak_hash.rb +148 -0
data/lib/railroader/checks/check_without_protection.rb +80 -0
data/lib/railroader/checks/check_xml_dos.rb +45 -0
data/lib/railroader/checks/check_yaml_parsing.rb +121 -0
data/lib/railroader/checks.rb +209 -0
data/lib/railroader/codeclimate/engine_configuration.rb +97 -0
data/lib/railroader/commandline.rb +179 -0
data/lib/railroader/differ.rb +66 -0
data/lib/railroader/file_parser.rb +54 -0
data/lib/railroader/format/style.css +133 -0
data/lib/railroader/options.rb +339 -0
data/lib/railroader/parsers/rails2_erubis.rb +6 -0
data/lib/railroader/parsers/rails2_xss_plugin_erubis.rb +48 -0
data/lib/railroader/parsers/rails3_erubis.rb +81 -0
data/lib/railroader/parsers/template_parser.rb +108 -0
data/lib/railroader/processor.rb +102 -0
data/lib/railroader/processors/alias_processor.rb +1229 -0
data/lib/railroader/processors/base_processor.rb +295 -0
data/lib/railroader/processors/config_processor.rb +14 -0
data/lib/railroader/processors/controller_alias_processor.rb +278 -0
data/lib/railroader/processors/controller_processor.rb +249 -0
data/lib/railroader/processors/erb_template_processor.rb +77 -0
data/lib/railroader/processors/erubis_template_processor.rb +92 -0
data/lib/railroader/processors/gem_processor.rb +64 -0
data/lib/railroader/processors/haml_template_processor.rb +191 -0
data/lib/railroader/processors/lib/basic_processor.rb +37 -0
data/lib/railroader/processors/lib/call_conversion_helper.rb +90 -0
data/lib/railroader/processors/lib/find_all_calls.rb +224 -0
data/lib/railroader/processors/lib/find_call.rb +183 -0
data/lib/railroader/processors/lib/find_return_value.rb +166 -0
data/lib/railroader/processors/lib/module_helper.rb +111 -0
data/lib/railroader/processors/lib/processor_helper.rb +88 -0
data/lib/railroader/processors/lib/rails2_config_processor.rb +145 -0
data/lib/railroader/processors/lib/rails2_route_processor.rb +313 -0
data/lib/railroader/processors/lib/rails3_config_processor.rb +132 -0
data/lib/railroader/processors/lib/rails3_route_processor.rb +308 -0
data/lib/railroader/processors/lib/render_helper.rb +181 -0
data/lib/railroader/processors/lib/render_path.rb +107 -0
data/lib/railroader/processors/lib/route_helper.rb +68 -0
data/lib/railroader/processors/lib/safe_call_helper.rb +16 -0
data/lib/railroader/processors/library_processor.rb +74 -0
data/lib/railroader/processors/model_processor.rb +91 -0
data/lib/railroader/processors/output_processor.rb +144 -0
data/lib/railroader/processors/route_processor.rb +17 -0
data/lib/railroader/processors/slim_template_processor.rb +111 -0
data/lib/railroader/processors/template_alias_processor.rb +118 -0
data/lib/railroader/processors/template_processor.rb +85 -0
data/lib/railroader/report/config/remediation.yml +71 -0
data/lib/railroader/report/ignore/config.rb +153 -0
data/lib/railroader/report/ignore/interactive.rb +362 -0
data/lib/railroader/report/pager.rb +112 -0
data/lib/railroader/report/renderer.rb +24 -0
data/lib/railroader/report/report_base.rb +292 -0
data/lib/railroader/report/report_codeclimate.rb +79 -0
data/lib/railroader/report/report_csv.rb +55 -0
data/lib/railroader/report/report_hash.rb +23 -0
data/lib/railroader/report/report_html.rb +216 -0
data/lib/railroader/report/report_json.rb +45 -0
data/lib/railroader/report/report_markdown.rb +107 -0
data/lib/railroader/report/report_table.rb +117 -0
data/lib/railroader/report/report_tabs.rb +17 -0
data/lib/railroader/report/report_text.rb +198 -0
data/lib/railroader/report/templates/controller_overview.html.erb +22 -0
data/lib/railroader/report/templates/controller_warnings.html.erb +21 -0
data/lib/railroader/report/templates/error_overview.html.erb +29 -0
data/lib/railroader/report/templates/header.html.erb +58 -0
data/lib/railroader/report/templates/ignored_warnings.html.erb +25 -0
data/lib/railroader/report/templates/model_warnings.html.erb +21 -0
data/lib/railroader/report/templates/overview.html.erb +38 -0
data/lib/railroader/report/templates/security_warnings.html.erb +23 -0
data/lib/railroader/report/templates/template_overview.html.erb +21 -0
data/lib/railroader/report/templates/view_warnings.html.erb +34 -0
data/lib/railroader/report/templates/warning_overview.html.erb +17 -0
data/lib/railroader/report.rb +88 -0
data/lib/railroader/rescanner.rb +483 -0
data/lib/railroader/scanner.rb +321 -0
data/lib/railroader/tracker/collection.rb +93 -0
data/lib/railroader/tracker/config.rb +154 -0
data/lib/railroader/tracker/constants.rb +171 -0
data/lib/railroader/tracker/controller.rb +161 -0
data/lib/railroader/tracker/library.rb +17 -0
data/lib/railroader/tracker/model.rb +90 -0
data/lib/railroader/tracker/template.rb +33 -0
data/lib/railroader/tracker.rb +362 -0
data/lib/railroader/util.rb +503 -0
data/lib/railroader/version.rb +3 -0
data/lib/railroader/warning.rb +294 -0
data/lib/railroader/warning_codes.rb +117 -0
data/lib/railroader.rb +544 -0
data/lib/ruby_parser/bm_sexp.rb +626 -0
data/lib/ruby_parser/bm_sexp_processor.rb +116 -0
metadata +386 -0

data/lib/railroader/rescanner.rb ADDED Viewed

@@ -0,0 +1,483 @@
+require 'railroader/scanner'
+require 'railroader/util'
+require 'railroader/differ'
+#Class for rescanning changed files after an initial scan
+class Railroader::Rescanner < Railroader::Scanner
+ include Railroader::Util
+  KNOWN_TEMPLATE_EXTENSIONS = Railroader::TemplateParser::KNOWN_TEMPLATE_EXTENSIONS
+  SCAN_ORDER = [:config, :gemfile, :initializer, :lib, :routes, :template,
+    :model, :controller]
+  #Create new Rescanner to scan changed files
+  def initialize options, processor, changed_files
+    super(options, processor)
+    @paths = changed_files.map {|f| @app_tree.expand_path(f) }
+    @old_results = tracker.filtered_warnings  #Old warnings from previous scan
+    @changes = nil                 #True if files had to be rescanned
+    @reindex = Set.new
+  end
+  #Runs checks.
+  #Will rescan files if they have not already been scanned
+  def recheck
+    rescan if @changes.nil?
+    tracker.run_checks if @changes
+    Railroader::RescanReport.new @old_results, tracker
+  end
+  #Rescans changed files
+  def rescan
+    tracker.template_cache.clear
+    paths_by_type = {}
+    SCAN_ORDER.each do |type|
+      paths_by_type[type] = []
+    end
+    @paths.each do |path|
+      type = file_type(path)
+      paths_by_type[type] << path unless type == :unknown
+    end
+    @changes = false
+    SCAN_ORDER.each do |type|
+      paths_by_type[type].each do |path|
+        Railroader.debug "Rescanning #{path} as #{type}"
+        if rescan_file path, type
+          @changes = true
+        end
+      end
+    end
+    if @changes and not @reindex.empty?
+      tracker.reindex_call_sites @reindex
+    end
+    self
+  end
+  #Rescans a single file
+  def rescan_file path, type = nil
+    type ||= file_type path
+    unless @app_tree.path_exists?(path)
+      return rescan_deleted_file path, type
+    end
+    case type
+    when :controller
+      rescan_controller path
+    when :template
+      rescan_template path
+    when :model
+      rescan_model path
+    when :lib
+      rescan_lib path
+    when :config
+      process_config
+    when :initializer
+      rescan_initializer path
+    when :routes
+      rescan_routes
+    when :gemfile
+      if tracker.config.has_gem? :rails_xss and tracker.config.escape_html?
+        tracker.config.escape_html = false
+      end
+      process_gems
+    else
+      return false #Nothing to do, file hopefully does not need to be rescanned
+    end
+    true
+  end
+  def rescan_controller path
+    controller = tracker.reset_controller path
+    paths = controller.nil? ? [path] : controller.files
+    parse_ruby_files(paths).each do |astfile|
+      process_controller astfile
+    end
+    #Process data flow and template rendering
+    #from the controller
+    tracker.controllers.each do |name, controller|
+      if controller.files.include?(path)
+        tracker.templates.each do |template_name, template|
+          next unless template.render_path
+          if template.render_path.include_controller? name
+            tracker.reset_template template_name
+          end
+        end
+        controller.src.each do |file, src|
+          @processor.process_controller_alias controller.name, src, nil, file
+        end
+      end
+    end
+    @reindex << :templates << :controllers
+  end
+  def rescan_template path
+    return unless path.match KNOWN_TEMPLATE_EXTENSIONS and @app_tree.path_exists?(path)
+    template_name = template_path_to_name(path)
+    tracker.reset_template template_name
+    fp = Railroader::FileParser.new(tracker, @app_tree)
+    template_parser = Railroader::TemplateParser.new(tracker, fp)
+    template_parser.parse_template path, @app_tree.read_path(path)
+    process_template fp.file_list[:templates].first
+    @processor.process_template_alias tracker.templates[template_name]
+    rescan = Set.new
+    #Search for processed template and process it.
+    #Search for rendered versions of template and re-render (if necessary)
+    tracker.templates.each do |_name, template|
+      if template.file == path or template.file.nil?
+        next unless template.render_path and template.name.to_sym == template_name.to_sym
+        template.render_path.each do |from|
+          case from[:type]
+          when :template
+            rescan << [:template, from[:name]]
+          when :controller
+            rescan << [:controller, from[:class], from[:method]]
+          end
+        end
+      end
+    end
+    rescan.each do |r|
+      if r[0] == :controller
+        controller = tracker.controllers[r[1]]
+        controller.src.each do |file, src|
+          unless @paths.include? file
+            @processor.process_controller_alias controller.name, src, r[2], file
+          end
+        end
+      elsif r[0] == :template
+        template = tracker.templates[r[1]]
+        rescan_template template.file
+      end
+    end
+    @reindex << :templates
+  end
+  def rescan_model path
+    num_models = tracker.models.length
+    model = tracker.reset_model path
+    paths = model.nil? ? [path] : model.files
+    parse_ruby_files(paths).each do |astfile|
+      process_model astfile.path, astfile.ast
+    end
+    #Only need to rescan other things if a model is added or removed
+    if num_models != tracker.models.length
+      process_template_data_flows
+      process_controller_data_flows
+      @reindex << :templates << :controllers
+    end
+    @reindex << :models
+  end
+  def rescan_lib path
+    lib = tracker.reset_lib path
+    paths = lib.nil? ? [path] : lib.files
+    parse_ruby_files(paths).each do |astfile|
+      process_lib astfile
+    end
+    lib = nil
+    tracker.libs.each do |_name, library|
+      if library.files.include?(path)
+        lib = library
+        break
+      end
+    end
+    rescan_mixin lib if lib
+  end
+  def rescan_routes
+    # Routes affect which controller methods are treated as actions
+    # which affects which templates are rendered, so routes, controllers,
+    # and templates rendered from controllers must be rescanned
+    tracker.reset_routes
+    tracker.reset_templates :only_rendered => true
+    process_routes
+    process_controller_data_flows
+    @reindex << :controllers << :templates
+  end
+  def rescan_initializer path
+    parse_ruby_files([path]).each do |astfile|
+      process_initializer astfile
+    end
+  end
+  #Handle rescanning when a file is deleted
+  def rescan_deleted_file path, type
+    case type
+    when :controller
+      rescan_controller path
+    when :template
+      rescan_deleted_template path
+    when :model
+      rescan_model path
+    when :lib
+      rescan_deleted_lib path
+    when :initializer
+      rescan_deleted_initializer path
+    else
+      if remove_deleted_file path
+        return true
+      else
+        Railroader.notify "Ignoring deleted file: #{path}"
+      end
+    end
+    true
+  end
+  def rescan_deleted_template path
+    return unless path.match KNOWN_TEMPLATE_EXTENSIONS
+    template_name = template_path_to_name(path)
+    #Remove template
+    tracker.reset_template template_name
+    rendered_from_controller = /^#{template_name}\.(.+Controller)#(.+)/
+    rendered_from_view = /^#{template_name}\.Template:(.+)/
+    #Remove any rendered versions, or partials rendered from it
+    tracker.templates.delete_if do |_name, template|
+      template.file == path or template.name.to_sym == template_name.to_sym
+    end
+  end
+  def rescan_deleted_lib path
+    deleted_lib = nil
+    tracker.libs.delete_if do |_name, lib|
+      if lib.files.include?(path)
+        deleted_lib = lib
+        true
+      end
+    end
+    rescan_mixin deleted_lib if deleted_lib
+  end
+  def rescan_deleted_initializer path
+    tracker.initializers.delete Pathname.new(path).basename.to_s
+  end
+  #Check controllers, templates, models and libs for data from file
+  #and delete it.
+  def remove_deleted_file path
+    deleted = false
+    [:controllers, :models, :libs].each do |collection|
+      tracker.send(collection).delete_if do |_name, data|
+        if data.files.include?(path)
+          deleted = true
+          true
+        end
+      end
+    end
+    tracker.templates.delete_if do |_name, data|
+      if data.file == path
+        deleted = true
+        true
+      end
+    end
+    deleted
+  end
+  #Guess at what kind of file the path contains
+  def file_type path
+    case path
+    when /\/app\/controllers/
+      :controller
+    when /\/app\/views/
+      :template
+    when /\/app\/models/
+      :model
+    when /\/lib/
+      :lib
+    when /\/config\/initializers/
+      :initializer
+    when /config\/routes\.rb/
+      :routes
+    when /\/config\/.+\.(rb|yml)/
+      :config
+    when /Gemfile|gems\./
+      :gemfile
+    else
+      :unknown
+    end
+  end
+  def rescan_mixin lib
+    method_names = []
+    lib.each_method do |name, _meth|
+      method_names << name
+    end
+    to_rescan = []
+    #Rescan controllers that mixed in library
+    tracker.controllers.each do |_name, controller|
+      if controller.includes.include? lib.name
+        controller.files.each do |path|
+          unless @paths.include? path
+            to_rescan << path
+          end
+        end
+      end
+    end
+    to_rescan.each do |controller|
+      tracker.reset_controller controller
+      rescan_file controller
+    end
+    to_rescan = []
+    #Check if a method from this mixin was used to render a template.
+    #This is not precise, because a different controller might have the
+    #same method...
+    tracker.templates.each do |name, template|
+      next unless template.render_path
+      if template.render_path.include_any_method? method_names
+        name.to_s.match /^([^.]+)/
+        original = tracker.templates[$1.to_sym]
+        if original
+          to_rescan << [name, original.file]
+        end
+      end
+    end
+    to_rescan.each do |template|
+      tracker.reset_template template[0]
+      rescan_file template[1]
+    end
+  end
+  def parse_ruby_files list
+    paths = list.select { |path| @app_tree.path_exists? path }
+    file_parser = Railroader::FileParser.new(tracker, @app_tree)
+    file_parser.parse_files paths, :rescan
+    file_parser.file_list[:rescan]
+  end
+end
+#Class to make reporting of rescan results simpler to deal with
+class Railroader::RescanReport
+  include Railroader::Util
+  attr_reader :old_results, :new_results
+  def initialize old_results, tracker
+    @tracker = tracker
+    @old_results = old_results
+    @all_warnings = nil
+    @diff = nil
+  end
+  #Returns true if any warnings were found (new or old)
+  def any_warnings?
+    not all_warnings.empty?
+  end
+  #Returns an array of all warnings found
+  def all_warnings
+    @all_warnings ||= @tracker.filtered_warnings
+  end
+  #Returns an array of warnings which were in the old report but are not in the
+  #new report after rescanning
+  def fixed_warnings
+    diff[:fixed]
+  end
+  #Returns an array of warnings which were in the new report but were not in
+  #the old report
+  def new_warnings
+    diff[:new]
+  end
+  #Returns true if there are any new or fixed warnings
+  def warnings_changed?
+    not (diff[:new].empty? and diff[:fixed].empty?)
+  end
+  #Returns a hash of arrays for :new and :fixed warnings
+  def diff
+    @diff ||= Railroader::Differ.new(all_warnings, @old_results).diff
+  end
+  #Returns an array of warnings which were in the old report and the new report
+  def existing_warnings
+    @old ||= all_warnings.select do |w|
+      not new_warnings.include? w
+    end
+  end
+  #Output total, fixed, and new warnings
+  def to_s(verbose = false)
+    Railroader.load_railroader_dependency 'terminal-table'
+    if !verbose
+      <<-OUTPUT
+Total warnings: #{all_warnings.length}
+Fixed warnings: #{fixed_warnings.length}
+New warnings: #{new_warnings.length}
+      OUTPUT
+    else
+      #Eventually move this to different method, or make default to_s
+      out = ""
+      {:fixed => fixed_warnings, :new => new_warnings, :existing => existing_warnings}.each do |warning_type, warnings|
+        if warnings.length > 0
+          out << "#{warning_type.to_s.titleize} warnings: #{warnings.length}\n"
+          table = Terminal::Table.new(:headings => ["Confidence", "Class", "Method", "Warning Type", "Message"]) do |t|
+            warnings.sort_by { |w| w.confidence}.each do |warning|
+              w = warning.to_row
+              w["Confidence"] = Railroader::Report::TEXT_CONFIDENCE[w["Confidence"]]
+              t << [w["Confidence"], w["Class"], w["Method"], w["Warning Type"], w["Message"]]
+            end
+          end
+          out << truncate_table(table.to_s)
+        end
+      end
+      out
+    end
+  end
+end