RubyGems - railroader - Versions diffs - 4.3.4 - Mend

railroader 4.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (165) hide show

checksums.yaml +7 -0
data/CHANGES.md +1091 -0
data/FEATURES +16 -0
data/README.md +174 -0
data/bin/railroader +8 -0
data/lib/railroader/app_tree.rb +191 -0
data/lib/railroader/call_index.rb +219 -0
data/lib/railroader/checks/base_check.rb +505 -0
data/lib/railroader/checks/check_basic_auth.rb +88 -0
data/lib/railroader/checks/check_basic_auth_timing_attack.rb +33 -0
data/lib/railroader/checks/check_content_tag.rb +200 -0
data/lib/railroader/checks/check_create_with.rb +74 -0
data/lib/railroader/checks/check_cross_site_scripting.rb +381 -0
data/lib/railroader/checks/check_default_routes.rb +86 -0
data/lib/railroader/checks/check_deserialize.rb +56 -0
data/lib/railroader/checks/check_detailed_exceptions.rb +55 -0
data/lib/railroader/checks/check_digest_dos.rb +38 -0
data/lib/railroader/checks/check_divide_by_zero.rb +42 -0
data/lib/railroader/checks/check_dynamic_finders.rb +48 -0
data/lib/railroader/checks/check_escape_function.rb +21 -0
data/lib/railroader/checks/check_evaluation.rb +35 -0
data/lib/railroader/checks/check_execute.rb +189 -0
data/lib/railroader/checks/check_file_access.rb +71 -0
data/lib/railroader/checks/check_file_disclosure.rb +35 -0
data/lib/railroader/checks/check_filter_skipping.rb +31 -0
data/lib/railroader/checks/check_forgery_setting.rb +81 -0
data/lib/railroader/checks/check_header_dos.rb +31 -0
data/lib/railroader/checks/check_i18n_xss.rb +48 -0
data/lib/railroader/checks/check_jruby_xml.rb +36 -0
data/lib/railroader/checks/check_json_encoding.rb +47 -0
data/lib/railroader/checks/check_json_parsing.rb +107 -0
data/lib/railroader/checks/check_link_to.rb +132 -0
data/lib/railroader/checks/check_link_to_href.rb +146 -0
data/lib/railroader/checks/check_mail_to.rb +49 -0
data/lib/railroader/checks/check_mass_assignment.rb +196 -0
data/lib/railroader/checks/check_mime_type_dos.rb +39 -0
data/lib/railroader/checks/check_model_attr_accessible.rb +55 -0
data/lib/railroader/checks/check_model_attributes.rb +119 -0
data/lib/railroader/checks/check_model_serialize.rb +67 -0
data/lib/railroader/checks/check_nested_attributes.rb +38 -0
data/lib/railroader/checks/check_nested_attributes_bypass.rb +58 -0
data/lib/railroader/checks/check_number_to_currency.rb +74 -0
data/lib/railroader/checks/check_permit_attributes.rb +43 -0
data/lib/railroader/checks/check_quote_table_name.rb +40 -0
data/lib/railroader/checks/check_redirect.rb +256 -0
data/lib/railroader/checks/check_regex_dos.rb +68 -0
data/lib/railroader/checks/check_render.rb +97 -0
data/lib/railroader/checks/check_render_dos.rb +37 -0
data/lib/railroader/checks/check_render_inline.rb +53 -0
data/lib/railroader/checks/check_response_splitting.rb +21 -0
data/lib/railroader/checks/check_route_dos.rb +42 -0
data/lib/railroader/checks/check_safe_buffer_manipulation.rb +31 -0
data/lib/railroader/checks/check_sanitize_methods.rb +112 -0
data/lib/railroader/checks/check_secrets.rb +40 -0
data/lib/railroader/checks/check_select_tag.rb +59 -0
data/lib/railroader/checks/check_select_vulnerability.rb +60 -0
data/lib/railroader/checks/check_send.rb +47 -0
data/lib/railroader/checks/check_send_file.rb +19 -0
data/lib/railroader/checks/check_session_manipulation.rb +35 -0
data/lib/railroader/checks/check_session_settings.rb +176 -0
data/lib/railroader/checks/check_simple_format.rb +58 -0
data/lib/railroader/checks/check_single_quotes.rb +101 -0
data/lib/railroader/checks/check_skip_before_filter.rb +60 -0
data/lib/railroader/checks/check_sql.rb +700 -0
data/lib/railroader/checks/check_sql_cves.rb +106 -0
data/lib/railroader/checks/check_ssl_verify.rb +48 -0
data/lib/railroader/checks/check_strip_tags.rb +89 -0
data/lib/railroader/checks/check_symbol_dos.rb +71 -0
data/lib/railroader/checks/check_symbol_dos_cve.rb +30 -0
data/lib/railroader/checks/check_translate_bug.rb +45 -0
data/lib/railroader/checks/check_unsafe_reflection.rb +50 -0
data/lib/railroader/checks/check_unscoped_find.rb +57 -0
data/lib/railroader/checks/check_validation_regex.rb +116 -0
data/lib/railroader/checks/check_weak_hash.rb +148 -0
data/lib/railroader/checks/check_without_protection.rb +80 -0
data/lib/railroader/checks/check_xml_dos.rb +45 -0
data/lib/railroader/checks/check_yaml_parsing.rb +121 -0
data/lib/railroader/checks.rb +209 -0
data/lib/railroader/codeclimate/engine_configuration.rb +97 -0
data/lib/railroader/commandline.rb +179 -0
data/lib/railroader/differ.rb +66 -0
data/lib/railroader/file_parser.rb +54 -0
data/lib/railroader/format/style.css +133 -0
data/lib/railroader/options.rb +339 -0
data/lib/railroader/parsers/rails2_erubis.rb +6 -0
data/lib/railroader/parsers/rails2_xss_plugin_erubis.rb +48 -0
data/lib/railroader/parsers/rails3_erubis.rb +81 -0
data/lib/railroader/parsers/template_parser.rb +108 -0
data/lib/railroader/processor.rb +102 -0
data/lib/railroader/processors/alias_processor.rb +1229 -0
data/lib/railroader/processors/base_processor.rb +295 -0
data/lib/railroader/processors/config_processor.rb +14 -0
data/lib/railroader/processors/controller_alias_processor.rb +278 -0
data/lib/railroader/processors/controller_processor.rb +249 -0
data/lib/railroader/processors/erb_template_processor.rb +77 -0
data/lib/railroader/processors/erubis_template_processor.rb +92 -0
data/lib/railroader/processors/gem_processor.rb +64 -0
data/lib/railroader/processors/haml_template_processor.rb +191 -0
data/lib/railroader/processors/lib/basic_processor.rb +37 -0
data/lib/railroader/processors/lib/call_conversion_helper.rb +90 -0
data/lib/railroader/processors/lib/find_all_calls.rb +224 -0
data/lib/railroader/processors/lib/find_call.rb +183 -0
data/lib/railroader/processors/lib/find_return_value.rb +166 -0
data/lib/railroader/processors/lib/module_helper.rb +111 -0
data/lib/railroader/processors/lib/processor_helper.rb +88 -0
data/lib/railroader/processors/lib/rails2_config_processor.rb +145 -0
data/lib/railroader/processors/lib/rails2_route_processor.rb +313 -0
data/lib/railroader/processors/lib/rails3_config_processor.rb +132 -0
data/lib/railroader/processors/lib/rails3_route_processor.rb +308 -0
data/lib/railroader/processors/lib/render_helper.rb +181 -0
data/lib/railroader/processors/lib/render_path.rb +107 -0
data/lib/railroader/processors/lib/route_helper.rb +68 -0
data/lib/railroader/processors/lib/safe_call_helper.rb +16 -0
data/lib/railroader/processors/library_processor.rb +74 -0
data/lib/railroader/processors/model_processor.rb +91 -0
data/lib/railroader/processors/output_processor.rb +144 -0
data/lib/railroader/processors/route_processor.rb +17 -0
data/lib/railroader/processors/slim_template_processor.rb +111 -0
data/lib/railroader/processors/template_alias_processor.rb +118 -0
data/lib/railroader/processors/template_processor.rb +85 -0
data/lib/railroader/report/config/remediation.yml +71 -0
data/lib/railroader/report/ignore/config.rb +153 -0
data/lib/railroader/report/ignore/interactive.rb +362 -0
data/lib/railroader/report/pager.rb +112 -0
data/lib/railroader/report/renderer.rb +24 -0
data/lib/railroader/report/report_base.rb +292 -0
data/lib/railroader/report/report_codeclimate.rb +79 -0
data/lib/railroader/report/report_csv.rb +55 -0
data/lib/railroader/report/report_hash.rb +23 -0
data/lib/railroader/report/report_html.rb +216 -0
data/lib/railroader/report/report_json.rb +45 -0
data/lib/railroader/report/report_markdown.rb +107 -0
data/lib/railroader/report/report_table.rb +117 -0
data/lib/railroader/report/report_tabs.rb +17 -0
data/lib/railroader/report/report_text.rb +198 -0
data/lib/railroader/report/templates/controller_overview.html.erb +22 -0
data/lib/railroader/report/templates/controller_warnings.html.erb +21 -0
data/lib/railroader/report/templates/error_overview.html.erb +29 -0
data/lib/railroader/report/templates/header.html.erb +58 -0
data/lib/railroader/report/templates/ignored_warnings.html.erb +25 -0
data/lib/railroader/report/templates/model_warnings.html.erb +21 -0
data/lib/railroader/report/templates/overview.html.erb +38 -0
data/lib/railroader/report/templates/security_warnings.html.erb +23 -0
data/lib/railroader/report/templates/template_overview.html.erb +21 -0
data/lib/railroader/report/templates/view_warnings.html.erb +34 -0
data/lib/railroader/report/templates/warning_overview.html.erb +17 -0
data/lib/railroader/report.rb +88 -0
data/lib/railroader/rescanner.rb +483 -0
data/lib/railroader/scanner.rb +321 -0
data/lib/railroader/tracker/collection.rb +93 -0
data/lib/railroader/tracker/config.rb +154 -0
data/lib/railroader/tracker/constants.rb +171 -0
data/lib/railroader/tracker/controller.rb +161 -0
data/lib/railroader/tracker/library.rb +17 -0
data/lib/railroader/tracker/model.rb +90 -0
data/lib/railroader/tracker/template.rb +33 -0
data/lib/railroader/tracker.rb +362 -0
data/lib/railroader/util.rb +503 -0
data/lib/railroader/version.rb +3 -0
data/lib/railroader/warning.rb +294 -0
data/lib/railroader/warning_codes.rb +117 -0
data/lib/railroader.rb +544 -0
data/lib/ruby_parser/bm_sexp.rb +626 -0
data/lib/ruby_parser/bm_sexp_processor.rb +116 -0
metadata +386 -0

data/lib/railroader/tracker.rb ADDED Viewed

@@ -0,0 +1,362 @@
+require 'set'
+require 'railroader/call_index'
+require 'railroader/checks'
+require 'railroader/report'
+require 'railroader/processors/lib/find_call'
+require 'railroader/processors/lib/find_all_calls'
+require 'railroader/tracker/config'
+require 'railroader/tracker/constants'
+#The Tracker keeps track of all the processed information.
+class Railroader::Tracker
+  attr_accessor :controllers, :constants, :templates, :models, :errors,
+    :checks, :initializers, :config, :routes, :processor, :libs,
+    :template_cache, :options, :filter_cache, :start_time, :end_time,
+    :duration, :ignored_filter
+  #Place holder when there should be a model, but it is not
+  #clear what model it will be.
+  UNKNOWN_MODEL = :RailroaderUnresolvedModel
+  #Creates a new Tracker.
+  #
+  #The Processor argument is only used by other Processors
+  #that might need to access it.
+  def initialize(app_tree, processor = nil, options = {})
+    @app_tree = app_tree
+    @processor = processor
+    @options = options
+    @config = Railroader::Config.new(self)
+    @templates = {}
+    @controllers = {}
+    #Initialize models with the unknown model so
+    #we can match models later without knowing precisely what
+    #class they are.
+    @models = {}
+    @models[UNKNOWN_MODEL] = Railroader::Model.new(UNKNOWN_MODEL, nil, nil, nil, self)
+    @routes = {}
+    @initializers = {}
+    @errors = []
+    @libs = {}
+    @constants = Railroader::Constants.new
+    @checks = nil
+    @processed = nil
+    @template_cache = Set.new
+    @filter_cache = {}
+    @call_index = nil
+    @start_time = Time.now
+    @end_time = nil
+    @duration = nil
+  end
+  #Add an error to the list. If no backtrace is given,
+  #the one from the exception will be used.
+  def error exception, backtrace = nil
+    backtrace ||= exception.backtrace
+    unless backtrace.is_a? Array
+      backtrace = [ backtrace ]
+    end
+    Railroader.debug exception
+    Railroader.debug backtrace
+    @errors << { :error => exception.to_s.gsub("\n", " "), :backtrace => backtrace }
+  end
+  #Run a set of checks on the current information. Results will be stored
+  #in Tracker#checks.
+  def run_checks
+    @checks = Railroader::Checks.run_checks(@app_tree, self)
+    @end_time = Time.now
+    @duration = @end_time - @start_time
+    @checks
+  end
+  def app_path
+    @app_path ||= File.expand_path @options[:app_path]
+  end
+  #Iterate over all methods in controllers and models.
+  def each_method
+    classes = [self.controllers, self.models]
+    if @options[:index_libs]
+      classes << self.libs
+    end
+    classes.each do |set|
+      set.each do |set_name, collection|
+        collection.each_method do |method_name, definition|
+          src = definition[:src]
+          yield src, set_name, method_name, definition[:file]
+        end
+      end
+    end
+  end
+  #Iterates over each template, yielding the name and the template.
+  #Prioritizes templates which have been rendered.
+  def each_template
+    if @processed.nil?
+      @processed, @rest = templates.keys.sort_by{|template| template.to_s}.partition { |k| k.to_s.include? "." }
+    end
+    @processed.each do |k|
+      yield k, templates[k]
+    end
+    @rest.each do |k|
+      yield k, templates[k]
+    end
+  end
+  def each_class
+    classes = [self.controllers, self.models]
+    if @options[:index_libs]
+      classes << self.libs
+    end
+    classes.each do |set|
+      set.each do |set_name, collection|
+        collection.src.each do |file, src|
+          yield src, set_name, file
+        end
+      end
+    end
+  end
+  #Find a method call.
+  #
+  #Options:
+  #  * :target => target name(s)
+  #  * :method => method name(s)
+  #  * :chained => search in method chains
+  #
+  #If :target => false or :target => nil, searches for methods without a target.
+  #Targets and methods can be specified as a symbol, an array of symbols,
+  #or a regular expression.
+  #
+  #If :chained => true, matches target at head of method chain and method at end.
+  #
+  #For example:
+  #
+  #    find_call :target => User, :method => :all, :chained => true
+  #
+  #could match
+  #
+  #    User.human.active.all(...)
+  #
+  def find_call options
+    index_call_sites unless @call_index
+    @call_index.find_calls options
+  end
+  #Searches the initializers for a method call
+  def check_initializers target, method
+    finder = Railroader::FindCall.new target, method, self
+    initializers.sort.each do |name, initializer|
+      finder.process_source initializer
+    end
+    finder.matches
+  end
+  #Returns a Report with this Tracker's information
+  def report
+    Railroader::Report.new(@app_tree, self)
+  end
+  def warnings
+    self.checks.all_warnings
+  end
+  def filtered_warnings
+    if self.ignored_filter
+      self.warnings.reject do |w|
+        self.ignored_filter.ignored? w
+      end
+    else
+      self.warnings
+    end
+  end
+  def unused_fingerprints
+    return [] unless self.ignored_filter
+    self.ignored_filter.obsolete_fingerprints
+  end
+  def add_constant name, value, context = nil
+    @constants.add name, value, context unless @options[:disable_constant_tracking]
+  end
+  def constant_lookup name
+    @constants.get_literal name unless @options[:disable_constant_tracking]
+  end
+  def find_class name
+    [@controllers, @models, @libs].each do |collection|
+      if c = collection[name]
+        return c
+      end
+    end
+    nil
+  end
+  def index_call_sites
+    finder = Railroader::FindAllCalls.new self
+    self.each_method do |definition, set_name, method_name, file|
+      finder.process_source definition, :class => set_name, :method => method_name, :file => file
+    end
+    self.each_class do |definition, set_name, file|
+      finder.process_source definition, :class => set_name, :file => file
+    end
+    self.each_template do |_name, template|
+      finder.process_source template.src, :template => template, :file => template.file
+    end
+    @call_index = Railroader::CallIndex.new finder.calls
+  end
+  #Reindex call sites
+  #
+  #Takes a set of symbols which can include :templates, :models,
+  #or :controllers
+  #
+  #This will limit reindexing to the given sets
+  def reindex_call_sites locations
+    #If reindexing templates, models, and controllers, just redo
+    #everything
+    if locations.length == 3
+      return index_call_sites
+    end
+    if locations.include? :templates
+      @call_index.remove_template_indexes
+    end
+    classes_to_reindex = Set.new
+    method_sets = []
+    if locations.include? :models
+      classes_to_reindex.merge self.models.keys
+      method_sets << self.models
+    end
+    if locations.include? :controllers
+      classes_to_reindex.merge self.controllers.keys
+      method_sets << self.controllers
+    end
+    @call_index.remove_indexes_by_class classes_to_reindex
+    finder = Railroader::FindAllCalls.new self
+    method_sets.each do |set|
+      set.each do |set_name, info|
+        info.each_method do |method_name, definition|
+          src = definition[:src]
+          finder.process_source src, :class => set_name, :method => method_name, :file => definition[:file]
+        end
+      end
+    end
+    if locations.include? :templates
+      self.each_template do |_name, template|
+        finder.process_source template.src, :template => template, :file => template.file
+      end
+    end
+    @call_index.index_calls finder.calls
+  end
+  #Clear information related to templates.
+  #If :only_rendered => true, will delete templates rendered from
+  #controllers (but not those rendered from other templates)
+  def reset_templates options = { :only_rendered => false }
+    if options[:only_rendered]
+      @templates.delete_if do |_name, template|
+        template.rendered_from_controller?
+      end
+    else
+      @templates = {}
+    end
+    @processed = nil
+    @rest = nil
+    @template_cache.clear
+  end
+  #Clear information related to template
+  def reset_template name
+    name = name.to_sym
+    @templates.delete name
+    @processed = nil
+    @rest = nil
+    @template_cache.clear
+  end
+  #Clear information related to model
+  def reset_model path
+    model_name = nil
+    @models.each do |name, model|
+      if model.files.include?(path)
+        model_name = name
+        break
+      end
+    end
+    @models.delete model_name
+  end
+  #Clear information related to model
+  def reset_lib path
+    lib_name = nil
+    @libs.each do |name, lib|
+      if lib.files.include?(path)
+        lib_name = name
+        break
+      end
+    end
+    @libs.delete lib_name
+  end
+  def reset_controller path
+    controller_name = nil
+    #Remove from controller
+    @controllers.each do |name, controller|
+      if controller.files.include?(path)
+        controller_name = name
+        #Remove templates rendered from this controller
+        @templates.each do |template_name, template|
+          if template.render_path and template.render_path.include_controller? name
+            reset_template template_name
+            @call_index.remove_template_indexes template_name
+          end
+        end
+        #Remove calls indexed from this controller
+        @call_index.remove_indexes_by_class [name]
+        break
+      end
+    end
+    @controllers.delete controller_name
+  end
+  #Clear information about routes
+  def reset_routes
+    @routes = {}
+  end
+end