scnr-introspector 0.1 → 0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5682baf4ae51753f560e40d01c437b110fb798e9dda4e780799832e397177597
-  data.tar.gz: 6ccac3fd0802d210ae62105c97a27b407337df4a5460e556836201744f6f54c4
+  metadata.gz: '06581df63125568c3bcd2c6f996bc81e20426d750397806e47ccf7d31a6a6ff2'
+  data.tar.gz: 814cd55b04084b83615ffcd3433b336ee5ffd3e5b65539b0bcdd7d75d9e16c8b
 SHA512:
-  metadata.gz: b3256314a27a42c47c2e37b770d953827d487db5cb91f5fb01895a865bebfe7eff0078b435143575d56dbcc11d43accefcabc57ff35891d38d0631c96fc5f86b
-  data.tar.gz: cb0d31f2ad427fc23f04b13092dabf0d801badee3f4cedd41f06a1376535ad254055fca29f6c81ac2cf65ad1b3a696838497777108404c3fdd0d31154c1f2b3d
+  metadata.gz: bc324b142de05b4152a54d1e501e018fbc84ec3264edadc4b4640ad02253667755b28f2ed2c68929c11f305ba57c5584f9efda5784c74859d8154ca700ad0ef2
+  data.tar.gz: 8c6d81443c7b86f417a86fb671719863fc2c9e463644b5b9811d902e26e7e680d72bef7cfe9793d89814d5cae8700b6cca6edd1a44ed88d49815c0a9e01a6490

data/lib/scnr/introspector/data_flow/sink.rb

@@ -1,3 +1,5 @@
+require_relative '../utilities/my_method_source/code_helpers'
+
 module SCNR
 class Introspector
 class DataFlow
@@ -7,6 +9,10 @@ class Sink
     attr_accessor :object
 
     attr_accessor :method_name
+    attr_accessor :method_source
+    attr_accessor :method_source_location
+
+    attr_accessor :source
 
     attr_accessor :arguments
 
@@ -23,6 +29,27 @@ class Sink
 
             send( "#{k}=", v )
         end
+
+        if !@method_source && @method_source_location
+            filepath = @method_source_location.first
+            lineno   = @method_source_location.last
+
+            if File.exists? filepath
+                File.open filepath do |f|
+                    begin
+                        @method_source = MyMethodSource::CodeHelpers.expression_at( File.open( f ), lineno )
+                    rescue SyntaxError
+                    end
+                end
+            end
+        end
+
+        if !@source && @backtrace
+            source_location = @backtrace.first.split( ':' ).first
+            if File.exists? source_location
+                @source = IO.read( source_location )
+            end
+        end
     end
 
     def marshal_dump

data/lib/scnr/introspector/execution_flow/point.rb

@@ -1,3 +1,5 @@
+require 'thread'
+
 module SCNR
 class Introspector
 class ExecutionFlow
@@ -26,6 +28,8 @@ class Point
     #   Event name.
     attr_accessor :event
 
+    attr_accessor :source
+
     # @param    [Hash]  options
     def initialize( options = {} )
         options.each do |k, v|
@@ -76,10 +80,26 @@ class Point
                 line_number: tp.lineno,
                 class_name:  defined_class,
                 method_name: tp.method_id,
-                event:       tp.event
+                event:       tp.event,
+                source:      source_line( tp.path, tp.lineno )
             })
         end
+
+        def source_line_mutex( &block )
+            (@mutex ||= Mutex.new).synchronize( &block )
+        end
+
+        def source_line( path, line )
+            return if !path || !line
+
+            source_line_mutex do
+                @@lines ||= {}
+                @@lines[path] ||= IO.readlines( path )
+                @@lines[path][line-1]
+            end
+        end
     end
+    source_line_mutex {}
 
 end
 

data/lib/scnr/introspector/execution_flow.rb

@@ -6,6 +6,8 @@ class Introspector
 
 class ExecutionFlow
 
+    ALLOWED_EVENTS = Set.new([:line, :call, :c_call])
+
     # @return   [Scope]
     attr_accessor :scope
 
@@ -49,6 +51,7 @@ class ExecutionFlow
     #   `self`
     def trace( &block )
         TracePoint.new do |tp|
+            next if !ALLOWED_EVENTS.include? tp.event
             next if @scope.out?( tp.path )
 
             @points << create_point_from_trace_point( tp )

data/lib/scnr/introspector/utilities/my_method_source/code_helpers.rb

@@ -0,0 +1,156 @@
+module MyMethodSource
+
+  module CodeHelpers
+    # Retrieve the first expression starting on the given line of the given file.
+    #
+    # This is useful to get module or method source code.
+    #
+    # @param [Array<String>, File, String] file  The file to parse, either as a File or as
+    # @param [Integer]  line_number  The line number at which to look.
+    #                             NOTE: The first line in a file is
+    #                           line 1!
+    # @param [Hash] options The optional configuration parameters.
+    # @option options [Boolean] :strict  If set to true, then only completely
+    #   valid expressions are returned. Otherwise heuristics are used to extract
+    #   expressions that may have been valid inside an eval.
+    # @option options [Integer] :consume  A number of lines to automatically
+    #   consume (add to the expression buffer) without checking for validity.
+    # @return [String]  The first complete expression
+    # @raise [SyntaxError]  If the first complete expression can't be identified
+    def expression_at(file, line_number, options={})
+      options = {
+        :strict  => false,
+        :consume => 0
+      }.merge!(options)
+
+      lines = file.is_a?(Array) ? file : file.each_line.to_a
+
+      relevant_lines = lines[(line_number - 1)..-1] || []
+
+      extract_first_expression(relevant_lines, options[:consume])
+    rescue SyntaxError => e
+      raise if options[:strict]
+
+      begin
+        extract_first_expression(relevant_lines) do |code|
+          code.gsub(/\#\{.*?\}/, "temp")
+        end
+      rescue SyntaxError
+        raise e
+      end
+    end
+
+    # Retrieve the comment describing the expression on the given line of the given file.
+    #
+    # This is useful to get module or method documentation.
+    #
+    # @param [Array<String>, File, String] file  The file to parse, either as a File or as
+    #                                            a String or an Array of lines.
+    # @param [Integer]  line_number  The line number at which to look.
+    #                             NOTE: The first line in a file is line 1!
+    # @return [String]  The comment
+    def comment_describing(file, line_number)
+      lines = file.is_a?(Array) ? file : file.each_line.to_a
+
+      extract_last_comment(lines[0..(line_number - 2)])
+    end
+
+    # Determine if a string of code is a complete Ruby expression.
+    # @param [String] code The code to validate.
+    # @return [Boolean] Whether or not the code is a complete Ruby expression.
+    # @raise [SyntaxError] Any SyntaxError that does not represent incompleteness.
+    # @example
+    #   complete_expression?("class Hello") #=> false
+    #   complete_expression?("class Hello; end") #=> true
+    #   complete_expression?("class 123") #=> SyntaxError: unexpected tINTEGER
+    def complete_expression?(str)
+      old_verbose = $VERBOSE
+      $VERBOSE = nil
+
+      catch(:valid) do
+        eval("BEGIN{throw :valid}\n#{str}")
+      end
+
+      # Assert that a line which ends with a , or \ is incomplete.
+      str !~ /[,\\]\s*\z/
+    rescue IncompleteExpression
+      false
+    ensure
+      $VERBOSE = old_verbose
+    end
+
+    private
+
+    # Get the first expression from the input.
+    #
+    # @param [Array<String>]  lines
+    # @param [Integer] consume A number of lines to automatically
+    #   consume (add to the expression buffer) without checking for validity.
+    # @yield a clean-up function to run before checking for complete_expression
+    # @return [String]  a valid ruby expression
+    # @raise [SyntaxError]
+    def extract_first_expression(lines, consume=0, &block)
+      code = consume.zero? ? +"" : lines.slice!(0..(consume - 1)).join
+
+      lines.each do |v|
+        code << v
+        return code if complete_expression?(block ? block.call(code) : code)
+      end
+      raise SyntaxError, "unexpected $end"
+    end
+
+    # Get the last comment from the input.
+    #
+    # @param [Array<String>]  lines
+    # @return [String]
+    def extract_last_comment(lines)
+      buffer = +""
+
+      lines.each do |line|
+        # Add any line that is a valid ruby comment,
+        # but clear as soon as we hit a non comment line.
+        if (line =~ /^\s*#/) || (line =~ /^\s*$/)
+          buffer << line.lstrip
+        else
+          buffer.clear
+        end
+      end
+
+      buffer
+    end
+
+    # An exception matcher that matches only subsets of SyntaxErrors that can be
+    # fixed by adding more input to the buffer.
+    module IncompleteExpression
+      GENERIC_REGEXPS = [
+        /unexpected (\$end|end-of-file|end-of-input|END_OF_FILE)/, # mri, jruby, ruby-2.0, ironruby
+        /embedded document meets end of file/, # =begin
+        /unterminated (quoted string|string|regexp|list) meets end of file/, # "quoted string" is ironruby
+        /can't find string ".*" anywhere before EOF/, # rbx and jruby
+        /missing 'end' for/, /expecting kWHEN/ # rbx
+      ]
+
+      RBX_ONLY_REGEXPS = [
+        /expecting '[})\]]'(?:$|:)/, /expecting keyword_end/
+      ]
+
+      def self.===(ex)
+        return false unless SyntaxError === ex
+        case ex.message
+        when *GENERIC_REGEXPS
+          true
+        when *RBX_ONLY_REGEXPS
+          rbx?
+        else
+          false
+        end
+      end
+
+      def self.rbx?
+        RbConfig::CONFIG['ruby_install_name'] == 'rbx'
+      end
+    end
+
+    extend self
+  end
+end

data/lib/scnr/introspector/version

@@ -1 +1 @@
-0.1
+0.2

data/lib/scnr/introspector.rb

@@ -1,4 +1,5 @@
 require 'rbconfig'
+require 'securerandom'
 require 'rack/utils'
 require 'pp'
 
@@ -23,47 +24,29 @@ class Introspector
     module Overloads
     end
 
-    OVERLOAD.each do |m, object|
-        if object.is_a? Array
-            name      = object.pop
-            namespace = Object
-
-            n = false
-            object.each do |o|
-                begin
-                    namespace = namespace.const_get( o )
-                rescue
-                    n = true
-                    break
-                end
-            end
-            next if n
-
-            object = namespace.const_get( name ) rescue next
-        else
-            object = Object.const_get( object ) rescue next
-        end
-
-        overload( object, m )
-    end
-
     @mutex  = Mutex.new
     class <<self
         def overload( object, m )
+            method_source_location = object.allocate.method(m).source_location
+            rnd = SecureRandom.hex(10)
+
             ov = <<EORUBY
         module Overloads
-        module #{object.to_s.split( '::' ).join}Overload
+        module #{object.to_s.split( '::' ).join}#{rnd}Overload
             def #{m}( *args )
-                SCNR::Introspector.find_and_log_taint( #{object}, :#{m}, args )   
+                SCNR::Introspector.find_and_log_taint( #{object}, :#{m}, #{method_source_location.inspect}, args )
                 super *args
             end
         end
         end
 
-        #{object}.prepend Overloads::#{object.to_s.split( '::' ).join}Overload
+        #{object}.prepend Overloads::#{object.to_s.split( '::' ).join}#{rnd}Overload
 EORUBY
             eval ov
-            eval ov
+        rescue => e
+            # puts ov
+            # pp e
+            # pp e.backtrace
         end
 
         def taint_seed=( t )
@@ -95,7 +78,7 @@ EORUBY
             end
         end
 
-        def find_and_log_taint( object, method, args )
+        def find_and_log_taint( object, method, method_source_location, args )
             taint = @taint
             return if !taint
 
@@ -108,7 +91,8 @@ EORUBY
               arguments:    args,
               tainted_argument_index: tainted[0],
               tainted_value:          tainted[1].to_s,
-              backtrace:    filter_caller( Kernel.caller )
+              backtrace:    filter_caller( Kernel.caller[1..-1] ),
+              method_source_location: method_source_location
             )
             log_sinks( taint, sink )
         end
@@ -149,19 +133,65 @@ EORUBY
         end
     end
 
+    OVERLOAD.each do |m, object|
+        if object.is_a? Array
+            name      = object.pop
+            namespace = Object
+
+            n = false
+            object.each do |o|
+                begin
+                    namespace = namespace.const_get( o )
+                rescue
+                    n = true
+                    break
+                end
+            end
+            next if n
+
+            object = namespace.const_get( name ) rescue next
+        else
+            object = Object.const_get( object ) rescue next
+        end
+
+        overload( object, m )
+    end
+
     def initialize( app, options = {} )
         @app     = app
         @options = options
 
         overload_application
+        overload_rails if rails?
 
         @mutex = Mutex.new
     end
 
     def overload_application
-        @app.methods.each do |m|
-            next if @app.method( m ).parameters.empty?
-            self.class.overload( @app.class, m )
+        overload_class @app.class
+    end
+
+    def overload_rails
+        Rails.application.eager_load!
+
+        klasses = [
+          ActionController::Base,
+          ActiveRecord::Base
+        ]
+        descendants = klasses.map do |k|
+            ObjectSpace.each_object( Class ).select { |klass| klass < k }
+        end.flatten.reject { |k| k.to_s.start_with? '#' }
+
+        descendants.each do |klass|
+            overload_class klass
+        end
+    end
+
+    def overload_class( klass )
+        k = klass.allocate
+        k.methods.each do |m|
+            next if k.method( m ).parameters.empty?
+            self.class.overload( klass, m )
         end
     end
 
@@ -221,11 +251,14 @@ EORUBY
         code    = response.shift
         headers = response.shift
         body    = response.shift
+        body    = body.respond_to?( :body ) ? body.body : body
 
+        body = [body].flatten
         body << "<!-- #{seed}\n#{JSON.dump( data )}\n#{seed} -->"
-        headers['Content-Length'] = body.map(&:bytesize).inject(&:+)
 
-        [code, headers, body ]
+        headers['Content-Length'] = body.map(&:bytesize).inject(:+)
+
+        [code, headers, [body].flatten ]
     end
 
     def platforms
@@ -282,9 +315,7 @@ EORUBY
     end
 
     def rails?
-        if defined? Rails
-            return @app.is_a? Rails::Application
-        end
+        !!defined?( Rails )
     end
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: scnr-introspector
 version: !ruby/object:Gem::Version
-  version: '0.1'
+  version: '0.2'
 platform: ruby
 authors:
 - Tasos Laskos
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-21 00:00:00.000000000 Z
+date: 2024-12-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -100,6 +100,7 @@ files:
 - lib/scnr/introspector/execution_flow/point.rb
 - lib/scnr/introspector/execution_flow/scope.rb
 - lib/scnr/introspector/scope.rb
+- lib/scnr/introspector/utilities/my_method_source/code_helpers.rb
 - lib/scnr/introspector/version
 - lib/scnr/introspector/version.rb
 homepage: http://ecsypno.com