spektr 0.4.1 → 0.5.0

data/lib/spektr/checks/file_access.rb

@@ -19,15 +19,15 @@ module Spektr
         methods = [:[], :chdir, :chroot, :delete, :entries, :foreach, :glob, :install, :lchmod, :lchown, :link, :load, :load_file, :makedirs, :move, :new, :open, :read, :readlines, :rename, :rmdir, :safe_unlink, :symlink, :syscopy, :sysopen, :truncate, :unlink]
         targets.each do |target|
           methods.each do |method|
-            check_calls_for_user_input(@target.find_calls(method, target))
+            check_calls_for_user_input(@target.find_calls(method, target.to_sym))
           end
         end
       end
 
       def check_calls_for_user_input(calls)
         calls.each do |call|
-          call.arguments.each do |argument|
-            if user_input?(argument.type, argument.name, argument.ast)
+          call.arguments.arguments.each do |argument|
+            if user_input?(argument)
               warn! @target, self, call.location, "#{argument.name} is used for a filename, which enables an attacker to access arbitrary files."
             end
           end

data/lib/spektr/checks/file_disclosure.rb

@@ -12,7 +12,7 @@ module Spektr
       def run
         return unless super
         config = @app.production_config.find_calls(:serve_static_assets=).first
-        if config && config.arguments.first.type == :true
+        if config && config.arguments.arguments.first.type == :true_node
           warn! "root", self, nil, "File existence disclosure vulnerability"
         end
       end

data/lib/spektr/checks/filter_skipping.rb

@@ -9,13 +9,15 @@ module Spektr
       end
 
       def run
+        # TODO: write a test for this
         return unless super
         calls = %w{ match get post put delete }.inject([]) do |memo, method|
           memo.concat @target.find_calls(method.to_sym)
           memo
         end
         calls.each do |call|
-          if !call.arguments.empty? && (call.arguments.first.name.include?(":action") or call.arguments.first.name.include?("*action"))
+          arguments = call.arguments.arguments
+          if arguments && (arguments.first.name.include?(":action") or arguments.first.name.include?("*action"))
             warn! @target, self, call.location, "CVE-2011-2929 Rails versions before 3.0.10 have a vulnerability which allows filters to be bypassed"
           end
         end

data/lib/spektr/checks/json_encoding.rb

@@ -9,6 +9,7 @@ module Spektr
       end
 
       def run
+        # TODO: write a test for this
         return unless super
         if app_version_between?("4.1.0", "4.1.10") || app_version_between?("4.2.0", "4.2.1")
           if calls = @target.find_calls(:to_json).any? || calls = @target.find_calls(:encode).any?

data/lib/spektr/checks/json_entity_escape.rb

@@ -14,12 +14,16 @@ module Spektr
         if @app.production_config
           config = @app.production_config.find_calls(:escape_html_entities_in_json=).first
         end
-        if config and config.receiver.expanded == "config.active_support" && config.arguments.first.type == :false
+        if config and full_receiver(config) == "config.active_support" && config.arguments.arguments.first.type == :false_node
           warn! @app.production_config.path, self, nil, "HTML entities in JSON are not escaped by default"
         end
-        ['ActiveSupport', 'ActiveSupport.JSON.Encoding'].each do |receiver|
-          calls = @target.find_calls(:escape_html_entities_in_json=, receiver)
-          if calls.any?
+
+        if @target.find_calls(:escape_html_entities_in_json=, 'ActiveSupport'.to_sym).any?
+          warn! @target, self, calls.first.location, "HTML entities in JSON are not escaped by default"
+        end
+        calls = @target.find_calls(:escape_html_entities_in_json=, 'JSON::Encoding'.to_sym)
+        calls.each do |call|
+          if full_receiver(call) == 'ActiveSupport.JSON.Encoding'
             warn! @target, self, calls.first.location, "HTML entities in JSON are not escaped by default"
           end
         end
@@ -27,4 +31,3 @@ module Spektr
     end
   end
 end
-

data/lib/spektr/checks/json_parsing.rb

@@ -24,7 +24,7 @@ module Spektr
 
       def uses_json_gem?
         @target.find_calls(:backend=).each do |call|
-          if call.receiver.expanded == "ActiveSupport.JSON" && call.arguments.first&.name == :JSONGem
+          if full_receiver(call) == "ActiveSupport.JSON" && call.arguments.arguments.first&.name == :JSONGem
             warn! @target, self, call.location, "Remote Code Execution CVE_2013_0333"
           end
         end

data/lib/spektr/checks/link_to_href.rb

@@ -14,18 +14,20 @@ module Spektr
         block_locations = []
         @target.find_calls_with_block(:link_to).each do |call|
           block_locations << call.location
-          next unless call.arguments.first
-          ::Spektr.logger.debug "#{@target.path}  #{call.location.line} #{call.arguments.first.inspect}"
-          if user_input? call.arguments.first.type, call.arguments.first.name, call.arguments.first.ast, call.arguments.first
+          next unless call.arguments.arguments.first
+          ::Spektr.logger.debug "#{@target.path}  #{call.location.start_line} #{call.arguments.arguments.first.inspect}"
+          if user_input? call.arguments.arguments.first
             warn! @target, self, call.location, "Cross-Site Scripting: Unsafe user supplied value in link_to"
           end
         end
 
         @target.find_calls(:link_to).each do |call|
           next if block_locations.include? call.location
-          ::Spektr.logger.debug "#{@target.path}  #{call.location.line} #{call.arguments[1].inspect}"
-          next unless call.arguments[1] || call.arguments[1]&.name =~ /_url$|_path$/
-          if user_input? call.arguments[1].type, call.arguments[1].name, call.arguments[1].ast, call.arguments[1]
+          next unless call.arguments
+          ::Spektr.logger.debug "#{@target.path}  #{call.location.start_line} #{call.arguments.arguments[1].inspect}"
+          next unless call.arguments.arguments[1]
+          next if call.arguments.arguments[1].name =~ /_url$|_path$/
+          if user_input? call.arguments.arguments[1]
             warn! @target, self, call.location, "Cross-Site Scripting: Unsafe user supplied value in link_to"
           end
         end

data/lib/spektr/checks/mass_assignment.rb

@@ -16,23 +16,23 @@ module Spektr
         calls = []
         model_names.each do |receiver|
           [:new, :build, :create].each do |method|
-            calls.concat @target.find_calls(method, receiver)
+            calls.concat @target.find_calls(method, receiver.to_sym)
           end
         end
         calls.each do |call|
-          argument = call.arguments.first
+          argument = call.arguments&.arguments&.first
           next if argument.nil?
-          ::Spektr.logger.debug "Mass assignment check at #{call.location.line}"
-          if user_input?(argument.type, argument.name, call.ast)
+          ::Spektr.logger.debug "Mass assignment check at #{call.location.start_line}"
+          if user_input?(argument)
             # we check for permit! separately
-            next if argument.ast.children[1] == :permit!
+            next if argument.name == :permit!
             # check for permit with arguments
-            next if argument.ast.children[1] == :permit && argument.ast.children[2]
+            next if argument.name == :permit && argument.arguments
             warn! @target, self, call.location, "Mass assignment"
           end
         end
         @target.find_calls(:permit!).each do |call|
-          if call.arguments.none?
+          unless call.arguments
             warn! @target, self, call.location, "permit! allows any keys, use it with caution!", :medium
           end
         end

data/lib/spektr/checks/send.rb

@@ -12,8 +12,8 @@ module Spektr
         return unless super
         [:send, :try, :__send__, :public_send].each do |method|
           @target.find_calls(method).each do |call|
-            argument = call.arguments.first
-            if user_input?(argument.type, argument.name, argument.ast)
+            argument = call.arguments.arguments.first
+            if user_input?(argument)
               warn! @target, self, call.location, "User supplied value in send"
             end
           end

data/lib/spektr/checks/sqli.rb

@@ -15,27 +15,23 @@ module Spektr
           :average, :count, :maximum, :minimum, :sum, :exists?,
           :find_by, :find_by!, :find_or_create_by, :find_or_create_by!,
           :find_or_initialize_by, :from, :group, :having, :join, :lock,
-          :where, :not, :select, :rewhere, :reselect, :update_all
+          :where, :not, :select, :rewhere, :reselect, :update_all, :find_by_sql
 
         ].each do |m|
           @target.find_calls(m).each do |call|
-            check_argument(call.arguments.first, m, call)
+            check_argument(call.arguments&.arguments&.first, m, call)
           end
         end
         [:calculate].each do |m|
           @target.find_calls(m).each do |call|
-            check_argument(call.arguments[1], m, call)
+            check_argument(call.arguments.arguments[1], m, call)
           end
         end
 
         [:delete_by, :destroy_by].each do |m|
           @target.find_calls(m).each do |call|
-            if call.arguments.first
-              check_argument(call.arguments.first, m, call)
-            end
-            call.options.values.each do |option|
-              check_argument(@target.ast_to_exp(option.key), m, call)
-              check_argument(@target.ast_to_exp(option.value), m, call)
+            if call.arguments.arguments.first
+              check_argument(call.arguments.arguments.first, m, call)
             end
           end
         end
@@ -43,7 +39,7 @@ module Spektr
 
       def check_argument(argument, method, call)
         return if argument.nil?
-        if user_input?(argument.type, argument.name, argument.ast, argument)
+        if user_input?(argument)
           warn! @target, self, call.location, "Possible SQL Injection at #{method}"
         end
       end

data/lib/spektr/checks/xss.rb

@@ -15,28 +15,31 @@ module Spektr
         calls = @target.find_calls(:safe_expr_append=)
         calls.concat(@target.find_calls(:raw))
         calls.each do |call|
-          call.arguments.each do |argument|
-            if user_input?(argument.type, argument.name, argument.ast)
+          ::Spektr.logger.debug "Checking arguments in #{@target.path} at line #{call.location.start_line}"
+          call.arguments.arguments.each do |argument|
+            if user_input?(argument)
               warn! @target, self, call.location, "Cross-Site Scripting: Unescaped user input"
             end
             if model_attribute?(argument)
-              warn! @target, self, call.location, "Cross-Site Scripting: Unescaped model attribute #{argument.name}"
+              warn! @target, self, call.location, "Cross-Site Scripting: Unescaped model attribute"
             end
           end
         end
         calls.each do |call|
-          call.arguments.each do |argument|
-            if user_input?(argument.type, argument.name, argument.ast)
+          ::Spektr.logger.debug "Checking arguments in #{@target.path} at line #{call.location.start_line}"
+          call.arguments.arguments.each do |argument|
+            if user_input?(argument)
               warn! @target, self, call.location, "Cross-Site Scripting: Unescaped user input"
             end
             if model_attribute?(argument)
-              warn! @target, self, call.location, "Cross-Site Scripting: Unescaped model attribute #{argument.name}"
+              warn! @target, self, call.location, "Cross-Site Scripting: Unescaped model attribute"
             end
           end
         end
         calls = @target.find_calls(:html_safe)
         calls.each do |call|
-          if user_input?(call.receiver.type, call.receiver.name, call.receiver.ast, call.receiver)
+          ::Spektr.logger.debug "Checking arguments in #{@target.path} at line #{call.location.start_line}"
+          if user_input?(call.receiver)
             warn! @target, self, call.location, "Cross-Site Scripting: Unescaped user input"
           end
           if model_attribute?(call.receiver)

data/lib/spektr/extractors/calls.rb

@@ -0,0 +1,22 @@
+module Spektr
+  module Extractors
+    class Calls < Prism::Visitor
+      attr_accessor :result
+
+      def initialize(name:)
+        @name = name
+        @result = []
+      end
+
+      def call(ast)
+        ast.value.accept(self)
+        self
+      end
+
+      def visit_call_node(node)
+        @result << node if node.name == @name
+        super
+      end
+    end
+  end
+end

data/lib/spektr/extractors/methods.rb

@@ -0,0 +1,28 @@
+module Spektr
+  module Extractors
+    class Methods < Prism::Visitor
+      attr_accessor :result
+
+      def initialize(visibility: :all)
+        @visibility = visibility
+        @current_visibility = :public
+        @result = []
+      end
+
+      def call(ast)
+        ast.value.accept(self)
+        self
+      end
+
+      def visit_call_node(node)
+        @current_visibility = node.name if %i[private protected public].include?(node.name)
+        super
+      end
+
+      def visit_def_node(node)
+        @result << node if @visibility == :all || @current_visibility == @visibility
+        super
+      end
+    end
+  end
+end

data/lib/spektr/targets/base.rb

@@ -1,118 +1,117 @@
 module Spektr
   module Targets
-    class Base
-      attr_accessor :path, :name, :options, :ast, :parent, :processor
+    class Base < Prism::Visitor
+      attr_accessor :path, :name, :options, :ast, :parent, :parent_modules, :methods, :calls, :interpolated_xstrings, :lvars
 
       def initialize(path, content)
         Spektr.logger.debug "loading #{path}"
-        @ast = Spektr::App.parser.parse(content)
+        @ast = Prism.parse(content)
         @path = path
         return unless @ast
+        @parent = ""
+        @parent_modules = []
+        @methods = []
+        @lvars = []
+        @ivars = []
+        @calls = []
+        @interpolated_xstrings = []
+        @ast.value.accept(self)
+        @name = @path.split('/').last if @name&.blank?
+        @name = @name.prepend("#{@parent_modules.map(&:name).join('::')}::") if @name && @parent_modules.any?
+      end
 
-        @processor = Spektr::Processors::Base.new
-        @processor.process(@ast)
-        @name = @processor.name
-        @name = @path.split('/').last if @name.blank?
+      def method_definitions
+        @method_definitions ||= find_methods(node: @ast)
+      end
 
-        @current_method_type = :public
-        @parent = @processor.parent_name
+      def public_methods
+        @public_methods ||= find_methods(node: @ast, visibility: :public)
       end
 
       def find_calls(name, receiver = nil)
-        calls = find(:send, name, @ast).map { |ast| Exp::Send.new(ast) }
-        if receiver
-          calls.select! { |call| call.receiver&.expanded == receiver }
-        elsif receiver == false
-          calls.select! { |call| call.receiver.nil? }
+        if name.is_a? Regexp
+          operator = :=~
+        else
+          operator = :==
+        end
+        @calls.select do |node|
+          if receiver.nil?
+            node.name.send(operator, name)
+          elsif receiver == false
+            node.name.send(operator, name) && node.receiver.nil?
+          else
+            node_receiver = node.receiver.name if node.receiver.respond_to?(:name)
+            if node.receiver.respond_to?(:parent)
+              node_receiver = node_receiver.to_s.prepend("#{node.receiver.parent.name}::").to_sym
+            end
+            node.name.send(operator, name) && node.receiver && receiver == node_receiver
+          end
         end
-        calls
       end
 
       def find_calls_with_block(name, _receiver = nil)
-        blocks = find(:block, nil, @ast)
-        blocks.each_with_object([]) do |block, memo|
-          if block.children.first.children[1] == name
-            result = find(:send, name, block).map { |ast| Exp::Send.new(ast) }
-            memo << result.first
-          end
+        find_calls(name).select do |call|
+          call.block
         end
       end
 
       def find_method(name)
-        find(:def, name, @ast).last
+        @methods.find{|method| method.name == name }
       end
 
-      def find_xstr
-        find(:xstr, nil, @ast).map { |ast| Exp::Xstr.new(ast) }
+      def find_methods(node:, visibility: :all)
+        Spektr::Extractors::Methods.new(visibility:).call(node).result
       end
 
-      def find(type, name, ast, result = [])
-        return result unless ast.is_a? Parser::AST::Node
 
-        name_index = case type
-                     when :def
-                       0
-                     else
-                       1
-                     end
-        if node_matches?(ast.type, ast.children[name_index], type, name)
-          result << ast
-        elsif ast.children.any?
-          ast.children.each do |child|
-            result = find(type, name, child, result)
-          end
-        end
-        result
+      def visit_call_node(node)
+        @calls << node
+        super
       end
 
-      def node_matches?(node_type, node_name, type, name)
-        if node_type == type
-          if name.is_a? Regexp
-            return node_name =~ name
-          elsif name.nil?
-            return true
-          else
-            return node_name == name
+      def visit_class_node(node)
+        @name = node.name.to_s
+        case node.superclass
+        when Prism::CallNode
+          @parent = node.superclass.receiver.name.to_s
+        when Prism::ConstantPathNode, Prism::ConstantReadNode
+          @parent = node.superclass.name.to_s
+          @parent.prepend("#{node.superclass.parent.name}::") if node.superclass.respond_to?(:parent)
+          if node.superclass.respond_to?(:parent) && node.superclass.parent.respond_to?(:parent)
+            @parent.prepend("#{node.superclass.parent.parent.name}::")
           end
         end
-        false
+        if node.is_a?(Prism::ClassNode) && node.constant_path && node.constant_path.respond_to?(:parent)
+          @parent = node.constant_path.parent.name.to_s
+        end
+        @parent = @parent.prepend("#{@parent_modules.map(&:name).join('::')}::") if @parent_modules.any?
+        super
       end
 
-      def find_methods(ast:, result: [], type: :all)
-        return result unless ast.is_a?(Parser::AST::Node)
+      def visit_module_node(node)
+        @parent_modules << node.constant_path.parent.name if node.constant_path && node.constant_path.respond_to?(:parent)
+        @parent_modules << node
+        super
+      end
 
-        if ast.type == :send && %i[private public protected].include?(ast.children.last)
-          @current_method_type = ast.children.last
-        end
-        if ast.type == :def && [:all, @current_method_type].include?(type)
-          result << ast
-        elsif ast.children.any?
-          ast.children.map do |child|
-            result = find_methods(ast: child, result: result, type: type)
-          end
-        end
-        result
+      def visit_def_node(node)
+        @methods << node
+        super
       end
 
-      def ast_to_exp(ast)
-        case ast.type
-        when :send
-          Exp::Send.new(ast)
-        when :def
-          Exp::Definition.new(ast)
-        when :ivasgn, :ivar
-          Exp::Ivasgin.new(ast)
-        when :lvasign, :lvar
-          Exp::Lvasign.new(ast)
-        when :const
-          Exp::Const.new(ast)
-        when :xstr
-          Exp::Xstr.new(ast)
-        when :sym, :int, :str
-          Exp::Base.new(ast)
-        else
-          raise "Unknown type #{ast.type} #{ast.inspect}"
-        end
+      def visit_interpolated_x_string_node(node)
+        @interpolated_xstrings << node
+        super
+      end
+
+      def visit_local_variable_write_node(node)
+        @lvars << node
+        super
+      end
+
+      def visit_instance_variable_write_node(node)
+        @ivars << node
+        super
       end
     end
   end

data/lib/spektr/targets/controller.rb

@@ -1,27 +1,28 @@
 module Spektr
   module Targets
     class Controller < Base
-      attr_accessor :actions
 
       def initialize(path, content)
         super
-        find_actions
       end
 
       def concern?
         !name.match('Controller')
       end
 
-      def find_actions
-        @actions = find_methods(ast: @ast, type: :public).map do |ast|
-          Action.new(ast, self)
+      def actions
+        @actions ||= public_methods.map do |node|
+          Action.new(node, self)
         end
       end
 
+      def find_action(action)
+        @actions.find{|a| a.name == action }
+      end
+
       def find_parent(controllers)
-        parent_name = @processor.parent_name
-        result = find_in_set(parent_name, controllers)
-        result ||= find_in_set(processor.parent_name_with_modules, controllers)
+        result = find_in_set(@parent, controllers)
+        # result ||= find_in_set(processor.parent_name_with_modules, controllers)
         return nil if result&.name == name
 
         result
@@ -40,33 +41,43 @@ module Spektr
         result
       end
 
-      class Action < Spektr::Exp::Definition
-        attr_accessor :controller, :template
+      class Action
+        attr_accessor :node, :name, :controller, :template
 
-        def initialize(ast, controller)
-          super(ast)
+        def initialize(node, controller)
+          @node = node
+          @name = node.name
           @template = nil
+          @controller = controller
           split = []
-          if controller.parent
+          if controller.parent && controller.parent != 'ApplicationController'
             split = controller.parent.split('::').map { |e| e.delete_suffix('Controller') }.map(&:downcase)
             if split.size > 1
               split.pop
               @template = "#{split.join('/')}/#{@template}"
             end
           end
-          split = split.concat(controller.name.delete_suffix('Controller').split('::').map(&:downcase)).uniq
+
+          split = split.concat(controller.name.split('::').map do |n|
+            n.delete_suffix('Controller')
+          end.map(&:downcase)).uniq
           split.delete('application')
           @template = File.join(*split, name.to_s)
-          @body.each do |exp|
-            if exp.send? && (exp.name == :render && exp.arguments.any?)
-              if exp.arguments.first.type == :sym
-                @template = File.join(controller.name.delete_suffix('Controller').underscore,
-                                      exp.arguments.first.name.to_s)
-              elsif exp.arguments.first.type == :str
-                @template = exp.arguments.first.name
-              end
-            end
-          end
+          # TODO: set template from render
+          # @body.each do |exp|
+          #   if exp.send? && exp.name == :render && exp.arguments.any?
+          #     if exp.arguments.first.type == :sym
+          #       @template = File.join(controller.name.delete_suffix('Controller').underscore,
+          #                             exp.arguments.first.name.to_s)
+          #     elsif exp.arguments.first.type == :str
+          #       @template = exp.arguments.first.name
+          #     end
+          #   end
+          # end
+        end
+
+        def body
+          @node.body.respond_to?(:body) ? @node.body.body : @node.body
         end
       end
     end

data/lib/spektr/targets/routes.rb

@@ -13,7 +13,7 @@ module Spektr
         end
       end
 
-      class Action < Spektr::Exp::Definition
+      class Action
         attr_accessor :controller, :template
         def initialize(ast, controller)
           super(ast)

data/lib/spektr/targets/view.rb

@@ -1,30 +1,29 @@
 module Spektr
   module Targets
     class View < Base
-      TEMPLATE_EXTENSIONS = /.*\.(erb|rhtml|haml|slim)$/
+      TEMPLATE_EXTENSIONS = /.*\.(erb|rhtml|haml|slim|herb)$/
       attr_accessor :view_path
 
       def initialize(path, content)
+        super
+        @calls = []
         Spektr.logger.debug "loading #{path}"
         @view_path = nil
         @path = path
         if match_data = path.match(%r{views/(.+?)\.})
           @view_path = match_data[1]
         end
-        begin
-          @ast = Spektr::App.parser.parse(source(content))
-        rescue Parser::SyntaxError => e
-          @ast = Spektr::App.parser.parse('')
-          ::Spektr.logger.error "Parser::SyntaxError when parsing #{@view_path}: #{e.message}"
-        end
-        @name = @view_path # @ast.children.first.children.last.to_s
+        @ast = Prism.parse(source(content))
+        @ast.value.accept(self)
+        @name = @view_path
       end
 
       def source(content)
         type = @path.match(TEMPLATE_EXTENSIONS)[1].to_sym
         case type
-        when :erb, :rhtml
+        when :erb, :rhtml, :herb
           Erubi.new(content, trim_mode: '-').src
+          # Herb.extract_ruby(content)
         when :haml
           Haml::Engine.new(content).precompiled
         when :slim

data/lib/spektr/version.rb

@@ -1,3 +1,3 @@
 module Spektr
-  VERSION = '0.4.1'
+  VERSION = '0.5.0'
 end