railroader 4.3.4

data/FEATURES

@@ -0,0 +1,16 @@
+Can detect:
+-Possibly unescaped model attributes or parameters in views (Cross-Site Scripting)
+-Bad string interpolation in calls to Model.find, Model.last, Model.first, etc., as well as chained calls (SQL Injection)
+-String interpolation in find_by_sql (SQL Injection)
+-String interpolation or params in calls to system, exec, and syscall and `` (Command Injection)
+-Unrestricted mass assignments
+-Global restriction of mass assignment
+-Missing call to protect_from_forgery in ApplicationController (CSRF protection)
+-Default routes, per-controller and globally
+-Redirects based on params (probably too broad currently)
+-Validation regexes not using \A and \z
+-Calls to render with dynamic paths
+
+General capabilities:
+-Search for method calls based on target class and/or method name
+-Determine 'output' of templates using ERB, Erubis, or HAML. Can handle automatic escaping

data/README.md

@@ -0,0 +1,174 @@
+[![Railroader Logo](http://railroader.org/images/logo_medium.png)](http://railroader.org/)
+
+[![Build Status](https://travis-ci.org/david-a-wheeler/railroader.svg?branch=master)](https://travis-ci.org/david-a-wheeler/railroader)
+[![Maintainability](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/maintainability)](https://codeclimate.com/github/david-a-wheeler/railroader/maintainability)
+[![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/david-a-wheeler/railroader/test_coverage)
+[![Gitter](https://badges.gitter.im/david-a-wheeler/railroader.svg)](https://gitter.im/david-a-wheeler/railroader)
+
+# Railroader
+
+Railroader is an open source static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
+
+Railroader is a fork of the Brakeman analysis tool version 4.3.1 (the last version of Brakeman that was open source software).  A key distinguishing feature is that Railroader is open source software (OSS), while Brakeman is not open source software any more.  Railroader is licensed under the [MIT-LICENSE](MIT-LICENSE). As a result, Railroader can be freely used for any purpose, including any commercial purposes.  In addition, contributors to Railroader (unlike Brakeman) retain their copyrights.
+
+If you are interested in Brakeman, please see the [Brakeman site instead](https://brakemanscanner.org/) instead!
+
+We are currently in a transition process, because we have just started creating Railroader as a fork of Brakeman.  Some names in the process of changing - help is wanted to complete it. We need to change the name, because we assume that Synopsys owns the trademarks and in any case we want to make sure there is *no* confusion by anyone that Railroader is Brakeman (they are now different projects).
+
+# Installation
+
+Using RubyGems:
+
+    gem install railroader
+
+Using Bundler:
+
+    group :development do
+      gem 'railroader', :require => false
+    end
+
+# Usage
+
+From a Rails application's root directory:
+
+    railroader
+
+Outside of Rails root:
+
+    railroader /path/to/rails/application
+
+# Compatibility
+
+Railroader should work with any version of Rails from 2.3.x to 5.x.
+
+Railroader can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 1.9.3 to run.
+
+# Basic Options
+
+For a full list of options, use `railroader --help` or see the [OPTIONS.md](OPTIONS.md) file.
+
+To specify an output file for the results:
+
+    railroader -o output_file
+
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `markdown`, `csv`, and `codeclimate`.
+
+Multiple output files can be specified:
+
+    railroader -o output.html -o output.json
+
+To suppress informational warnings and just output the report:
+
+    railroader -q
+
+Note all Railroader output except reports are sent to stderr, making it simple to redirect stdout to a file and just get the report.
+
+To see all kinds of debugging information:
+
+    railroader -d
+
+Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (`DefaultRoutes`):
+
+    railroader -x DefaultRoutes
+
+Multiple checks should be separated by a comma:
+
+    railroader -x DefaultRoutes,Redirect
+
+To do the opposite and only run a certain set of tests:
+
+    railroader -t SQL,ValidationRegex
+
+If Railroader is running a bit slow, try
+
+    railroader --faster
+
+This will disable some features, but will probably be much faster (currently it is the same as `--skip-libs --no-branching`). *WARNING*: This may cause Railroader to miss some vulnerabilities.
+
+By default, Railroader will return a non-zero exit code if any security warnings are found or scanning errors are encountered. To disable this:
+
+    railroader --no-exit-on-warn --no-exit-on-error
+
+To skip certain files or directories that Railroader may have trouble parsing, use:
+
+    railroader --skip-files file1,/path1/,path2/
+
+To compare results of a scan with a previous scan, use the JSON output option and then:
+
+    railroader --compare old_report.json
+
+This will output JSON with two lists: one of fixed warnings and one of new warnings.
+
+Railroader will ignore warnings if configured to do so. By default, it looks for a configuration file in `config/railroader.ignore`.
+To create and manage this file, use:
+
+    railroader -I
+
+# Warning information
+
+See [warning\_types](docs/warning_types) for more information on the warnings reported by this tool.
+
+# Warning context
+
+The HTML output format provides an excerpt from the original application source where a warning was triggered. Due to the processing done while looking for vulnerabilities, the source may not resemble the reported warning and reported line numbers may be slightly off. However, the context still provides a quick look into the code which raised the warning.
+
+# Confidence levels
+
+Railroader assigns a confidence level to each warning. This provides a rough estimate of how certain the tool is that a given warning is actually a problem. Naturally, these ratings should not be taken as absolute truth.
+
+There are three levels of confidence:
+
+ + High - Either this is a simple warning (boolean value) or user input is very likely being used in unsafe ways.
+ + Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.
+ + Weak - Typically means user input was indirectly used in a potentially unsafe manner.
+
+To only get warnings above a given confidence level:
+
+    railroader -w3
+
+The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and 3 being high (only highest confidence warnings).
+
+# Configuration files
+
+Railroader options can stored and read from YAML files. To simplify the process of writing a configuration file, the `-C` option will output the currently set options.
+
+Options passed in on the commandline have priority over configuration files.
+
+The default config locations are `./config/railroader.yml`, `~/.railroader/config.yml`, and `/etc/railroader/config.yml`
+
+The `-c` option can be used to specify a configuration file to use.
+
+# Continuous Integration
+
+There is a [plugin available](http://railroaderscanner.org/docs/jenkins/) for Jenkins/Hudson.
+
+For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-railroader).
+
+# Building
+
+    git clone git://github.com/david-a-wheeler/railroader.git
+    cd railroader
+    gem build railroader.gemspec
+    gem install railroader*.gem
+
+<!-- # Who is Using Railroader?
+
+* [Code Climate](https://codeclimate.com/)
+* [GitHub](https://github.com/)
+* [Groupon](http://www.groupon.com/)
+* [New Relic](http://newrelic.com)
+* [Twitter](https://twitter.com/)
+
+[..and more!](http://railroaderscanner.org/railroader_users)
+
+-->
+
+# Homepage/News
+
+Website: http://railroader.org/
+
+Twitter: https://twitter.com/railroader
+
+# License
+
+See [MIT-LICENSE](MIT-LICENSE).

data/bin/railroader

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+#Adjust path in case called directly and not through gem
+$:.unshift "#{File.expand_path(File.dirname(__FILE__))}/../lib"
+
+require 'railroader'
+require 'railroader/commandline'
+
+Railroader::Commandline.start

data/lib/railroader/app_tree.rb

@@ -0,0 +1,191 @@
+require 'pathname'
+
+module Railroader
+  class AppTree
+    VIEW_EXTENSIONS = %w[html.erb html.haml rhtml js.erb html.slim].join(",")
+
+    attr_reader :root
+
+    def self.from_options(options)
+      root = File.expand_path options[:app_path]
+
+      # Convert files into Regexp for matching
+      init_options = {}
+      if options[:skip_files]
+        init_options[:skip_files] = regex_for_paths(options[:skip_files])
+      end
+
+      if options[:only_files]
+        init_options[:only_files] = regex_for_paths(options[:only_files])
+      end
+      init_options[:additional_libs_path] = options[:additional_libs_path]
+      init_options[:engine_paths] = options[:engine_paths]
+      new(root, init_options)
+    end
+
+    # Accepts an array of filenames and paths with the following format and
+    # returns a Regexp to match them:
+    #   * "path1/file1.rb" - Matches a specific filename in the project directory.
+    #   * "path1/" - Matches any path that conatains "path1" in the project directory.
+    #   * "/path1/ - Matches any path that is rooted at "path1" in the project directory.
+    #
+    def self.regex_for_paths(paths)
+      path_regexes = paths.map do |f|
+        # If path ends in a file separator then we assume it is a path rather
+        # than a filename.
+        if f.end_with?(File::SEPARATOR)
+          # If path starts with a file separator then we assume that they
+          # want the project relative path to start with this path prefix.
+          if f.start_with?(File::SEPARATOR)
+            "\\A#{Regexp.escape f}"
+          # If it ends in a file separator, but does not begin with a file
+          # separator then we assume the path can match any path component in
+          # the project.
+          else
+            Regexp.escape f
+          end
+        else
+          "#{Regexp.escape f}\\z"
+        end
+      end
+      Regexp.new("(?:" << path_regexes.join("|") << ")")
+    end
+    private_class_method(:regex_for_paths)
+
+    def initialize(root, init_options = {})
+      @root = root
+      @project_root_path = Pathname.new(@root)
+      @skip_files = init_options[:skip_files]
+      @only_files = init_options[:only_files]
+      @additional_libs_path = init_options[:additional_libs_path] || []
+      @engine_paths = init_options[:engine_paths] || []
+      @absolute_engine_paths = @engine_paths.select { |path| path.start_with?(File::SEPARATOR) }
+      @relative_engine_paths = @engine_paths - @absolute_engine_paths
+    end
+
+    def expand_path(path)
+      File.expand_path(path, @root)
+    end
+
+    def read(path)
+      File.read(File.join(@root, path))
+    end
+
+    # This variation requires full paths instead of paths based
+    # off the project root. I'd prefer to get all the code outside
+    # of AppTree using project-root based paths (e.g. app/models/user.rb)
+    # instead of full paths, but I suspect it's an incompatible change.
+    def read_path(path)
+      File.read(path)
+    end
+
+    def exists?(path)
+      File.exist?(File.join(@root, path))
+    end
+
+    # This is a pair for #read_path. Again, would like to kill these
+    def path_exists?(path)
+      File.exist?(path)
+    end
+
+    def initializer_paths
+      @initializer_paths ||= prioritize_concerns(find_paths("config/initializers"))
+    end
+
+    def controller_paths
+      @controller_paths ||= prioritize_concerns(find_paths("app/**/controllers"))
+    end
+
+    def model_paths
+      @model_paths ||= prioritize_concerns(find_paths("app/**/models"))
+    end
+
+    def template_paths
+      @template_paths ||= find_paths("app/**/views", "*.{#{VIEW_EXTENSIONS}}") +
+                          find_paths("app/**/views", "*.{erb,haml,slim}").reject { |path| File.basename(path).count(".") > 1 }
+    end
+
+    def layout_exists?(name)
+      !Dir.glob("#{root_search_pattern}app/views/layouts/#{name}.html.{erb,haml,slim}").empty?
+    end
+
+    def lib_paths
+      @lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" or path.include? "lib/tasks/" or path.include? "lib/templates/" } +
+                     find_additional_lib_paths +
+                     find_helper_paths +
+                     find_job_paths
+    end
+
+  private
+
+    def find_helper_paths
+      find_paths "app/helpers"
+    end
+
+    def find_job_paths
+      find_paths "app/jobs"
+    end
+
+    def find_additional_lib_paths
+      @additional_libs_path.collect{ |path| find_paths path }.flatten
+    end
+
+    def find_paths(directory, extensions = ".rb")
+      select_files(glob_files(directory, "*", extensions).sort)
+    end
+
+    def glob_files(directory, name, extensions = ".rb")
+      pattern = "#{root_search_pattern}#{directory}/**/#{name}#{extensions}"
+
+      Dir.glob(pattern)
+    end
+
+    def select_files(paths)
+      paths = select_only_files(paths)
+      reject_skipped_files(paths)
+    end
+
+    def select_only_files(paths)
+      return paths unless @only_files
+
+      paths.select do |path|
+        match_path @only_files, path
+      end
+    end
+
+    def reject_skipped_files(paths)
+      return paths unless @skip_files
+
+      paths.reject do |path|
+        match_path @skip_files, path
+      end
+    end
+
+    def match_path files, path
+      absolute_path = Pathname.new(path)
+      # relative root never has a leading separator. But, we use a leading
+      # separator in a @skip_files entry to imply that a directory is
+      # "absolute" with respect to the project directory.
+      project_relative_path = File.join(
+        File::SEPARATOR,
+        absolute_path.relative_path_from(@project_root_path).to_s
+      )
+
+      files.match(project_relative_path)
+    end
+
+    def root_search_pattern
+      return @root_search_pattern if @root_search_pattern
+      abs = @absolute_engine_paths.to_a.map { |path| path.gsub /#{File::SEPARATOR}+$/, '' }
+      rel = @relative_engine_paths.to_a.map { |path| path.gsub /#{File::SEPARATOR}+$/, '' }
+
+      roots = ([@root] + abs).join(",")
+      rel_engines = (rel + [""]).join("/,")
+      @root_search_patrern = "{#{roots}}/{#{rel_engines}}"
+    end
+
+    def prioritize_concerns paths
+      paths.partition { |path| path.include? "concerns" }.flatten
+    end
+  end
+end

data/lib/railroader/call_index.rb

@@ -0,0 +1,219 @@
+require 'set'
+
+#Stores call sites to look up later.
+class Railroader::CallIndex
+
+  #Initialize index with calls from FindAllCalls
+  def initialize calls
+    @calls_by_method = Hash.new { |h, k| h[k] = [] }
+    @calls_by_target = Hash.new { |h, k| h[k] = [] }
+
+    index_calls calls
+  end
+
+  #Find calls matching specified option hash.
+  #
+  #Options:
+  #
+  #  * :target - symbol, array of symbols, or regular expression to match target(s)
+  #  * :method - symbol, array of symbols, or regular expression to match method(s)
+  #  * :chained - boolean, whether or not to match against a whole method chain (false by default)
+  #  * :nested - boolean, whether or not to match against a method call that is a target itself (false by default)
+  def find_calls options
+    target = options[:target] || options[:targets]
+    method = options[:method] || options[:methods]
+    nested = options[:nested]
+
+    if options[:chained]
+      return find_chain options
+    #Find by narrowest category
+    elsif target and method and target.is_a? Array and method.is_a? Array
+      if target.length > method.length
+        calls = filter_by_target calls_by_methods(method), target
+      else
+        calls = calls_by_targets(target)
+        calls = filter_by_method calls, method
+      end
+
+    #Find by target, then by methods, if provided
+    elsif target
+      calls = calls_by_target target
+
+      if calls and method
+        calls = filter_by_method calls, method
+      end
+
+    #Find calls with no explicit target
+    #with either :target => nil or :target => false
+    elsif (options.key? :target or options.key? :targets) and not target and method
+      calls = calls_by_method method
+      calls = filter_by_target calls, nil
+
+    #Find calls by method
+    elsif method
+      calls = calls_by_method method
+    else
+      raise "Invalid arguments to CallCache#find_calls: #{options.inspect}"
+    end
+
+    return [] if calls.nil?
+
+    #Remove calls that are actually targets of other calls
+    #Unless those are explicitly desired
+    calls = filter_nested calls unless nested
+
+    calls
+  end
+
+  def remove_template_indexes template_name = nil
+    [@calls_by_method, @calls_by_target].each do |calls_by|
+      calls_by.each do |_name, calls|
+        calls.delete_if do |call|
+          from_template call, template_name
+        end
+      end
+    end
+  end
+
+  def remove_indexes_by_class classes
+    [@calls_by_method, @calls_by_target].each do |calls_by|
+      calls_by.each do |_name, calls|
+        calls.delete_if do |call|
+          call[:location][:type] == :class and classes.include? call[:location][:class]
+        end
+      end
+    end
+  end
+
+  def index_calls calls
+    calls.each do |call|
+      @calls_by_method[call[:method]] << call
+
+      target = call[:target]
+
+      if not target.is_a? Sexp
+        @calls_by_target[target] << call
+      elsif target.node_type == :params or target.node_type == :session
+        @calls_by_target[target.node_type] << call
+      end
+    end
+  end
+
+  private
+
+  def find_chain options
+    target = options[:target] || options[:targets]
+    method = options[:method] || options[:methods]
+
+    calls = calls_by_method method
+
+    return [] if calls.nil?
+
+    calls = filter_by_chain calls, target
+  end
+
+  def calls_by_target target
+    if target.is_a? Array
+      calls_by_targets target
+    else
+      @calls_by_target[target]
+    end
+  end
+
+  def calls_by_targets targets
+    calls = []
+
+    targets.each do |target|
+      calls.concat @calls_by_target[target] if @calls_by_target.key? target
+    end
+
+    calls
+  end
+
+  def calls_by_method method
+    if method.is_a? Array
+      calls_by_methods method
+    elsif method.is_a? Regexp
+      calls_by_methods_regex method
+    else
+      @calls_by_method[method.to_sym]
+    end
+  end
+
+  def calls_by_methods methods
+    methods = methods.map { |m| m.to_sym }
+    calls = []
+
+    methods.each do |method|
+      calls.concat @calls_by_method[method] if @calls_by_method.key? method
+    end
+
+    calls
+  end
+
+  def calls_by_methods_regex methods_regex
+    calls = []
+    @calls_by_method.each do |key, value|
+      calls.concat value if key.to_s.match methods_regex
+    end
+    calls
+  end
+
+  def calls_with_no_target
+    @calls_by_target[nil]
+  end
+
+  def filter calls, key, value
+    if value.is_a? Array
+      values = Set.new value
+
+      calls.select do |call|
+        values.include? call[key]
+      end
+    elsif value.is_a? Regexp
+      calls.select do |call|
+        call[key].to_s.match value
+      end
+    else
+      calls.select do |call|
+        call[key] == value
+      end
+    end
+  end
+
+  def filter_by_method calls, method
+    filter calls, :method, method
+  end
+
+  def filter_by_target calls, target
+    filter calls, :target, target
+  end
+
+  def filter_nested calls
+    filter calls, :nested, false
+  end
+
+  def filter_by_chain calls, target
+    if target.is_a? Array
+      targets = Set.new target
+
+      calls.select do |call|
+        targets.include? call[:chain].first
+      end
+    elsif target.is_a? Regexp
+      calls.select do |call|
+        call[:chain].first.to_s.match target
+      end
+    else
+      calls.select do |call|
+        call[:chain].first == target
+      end
+    end
+  end
+
+  def from_template call, template_name
+    return false unless call[:location][:type] == :template
+    return true if template_name.nil?
+    call[:location][:template] == template_name
+  end
+end