spektr 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 1fc431414443b9c71ebb40106d82714215ba142d1226b3580e324faf786f86ad
+  data.tar.gz: d768f7a18250b9ad59f6331cf65a03fadd38a8501b2f24489a139c62c33d0730
+SHA512:
+  metadata.gz: 463d421a7a50013946fee4768b474fe2f0222522cd472351c2cb7a1a8d61a618c653944507fc7e101c606350a51731a30ec6d42a363da5e6b96d597035700ed9
+  data.tar.gz: 185c2584b1dba4e5a81fbf6c31b9ae029c2292eedd6c8366d1bb89eb146f02329810465306c2e0bc99482782d3fbe81782f36511c57c52a21341e8d26bd647ca

data/.github/workflows/ci.yaml

@@ -0,0 +1,32 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: CI
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: [2.7, 3.0]
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@477b21f02be01bcb8030d50f37cfec92bfa615b6
+        with:
+          bundler-cache: true
+          ruby-version: ${{ matrix.ruby }}
+      - name: Install dependencies
+        run: bundle install
+      - name: Run tests
+        run: bundle exec rake

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+.byebug_history

data/.travis.yml

@@ -0,0 +1,6 @@
+---
+language: ruby
+cache: bundler
+rvm:
+  - 2.7.2
+before_install: gem install bundler -v 2.1.4

data/CHANGELOG.md

@@ -0,0 +1,3 @@
+# Change Log
+
+## Unreleased

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at molnargerg@gmail.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [https://contributor-covenant.org/version/1/4][version]
+
+[homepage]: https://contributor-covenant.org
+[version]: https://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in spektr.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,134 @@
+PATH
+  remote: .
+  specs:
+    spektr (0.1.0)
+      activesupport (~> 6.1.0)
+      erubi
+      haml (~> 5.1)
+      parser (~> 3.0.0)
+      pastel
+      ruby_parser (~> 3.13)
+      tty-color
+      tty-option
+      tty-spinner
+      tty-table
+      unparser (~> 0.6.0)
+      zeitwerk
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (6.1.6)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
+    ast (2.4.2)
+    byebug (11.1.3)
+    coderay (1.1.3)
+    concurrent-ruby (1.1.10)
+    diff-lcs (1.5.0)
+    erubi (1.10.0)
+    ffi (1.15.5)
+    formatador (0.3.0)
+    guard (2.18.0)
+      formatador (>= 0.2.4)
+      listen (>= 2.7, < 4.0)
+      lumberjack (>= 1.0.12, < 2.0)
+      nenv (~> 0.1)
+      notiffany (~> 0.0)
+      pry (>= 0.13.0)
+      shellany (~> 0.0)
+      thor (>= 0.18.1)
+    guard-compat (1.2.1)
+    guard-minitest (2.4.6)
+      guard-compat (~> 1.2)
+      minitest (>= 3.0)
+    haml (5.2.2)
+      temple (>= 0.8.0)
+      tilt
+    i18n (1.10.0)
+      concurrent-ruby (~> 1.0)
+    listen (3.7.1)
+      rb-fsevent (~> 0.10, >= 0.10.3)
+      rb-inotify (~> 0.9, >= 0.9.10)
+    lumberjack (1.2.8)
+    method_source (1.0.0)
+    minitest (5.15.0)
+    nenv (0.3.0)
+    notiffany (0.1.3)
+      nenv (~> 0.1)
+      shellany (~> 0.0)
+    parallel (1.21.0)
+    parser (3.0.3.2)
+      ast (~> 2.4.1)
+    pastel (0.8.0)
+      tty-color (~> 0.5)
+    pry (0.14.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    rainbow (3.0.0)
+    rake (12.3.3)
+    rb-fsevent (0.11.0)
+    rb-inotify (0.10.1)
+      ffi (~> 1.0)
+    regexp_parser (2.2.0)
+    rexml (3.2.5)
+    rubocop (1.24.0)
+      parallel (~> 1.10)
+      parser (>= 3.0.0.0)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml
+      rubocop-ast (>= 1.15.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 3.0)
+    rubocop-ast (1.15.0)
+      parser (>= 3.0.1.1)
+    ruby-progressbar (1.11.0)
+    ruby_parser (3.19.1)
+      sexp_processor (~> 4.16)
+    sexp_processor (4.16.1)
+    shellany (0.0.1)
+    strings (0.2.1)
+      strings-ansi (~> 0.2)
+      unicode-display_width (>= 1.5, < 3.0)
+      unicode_utils (~> 1.4)
+    strings-ansi (0.2.0)
+    temple (0.8.2)
+    thor (1.2.1)
+    tilt (2.0.10)
+    tty-color (0.6.0)
+    tty-cursor (0.7.1)
+    tty-option (0.2.0)
+    tty-screen (0.8.1)
+    tty-spinner (0.9.3)
+      tty-cursor (~> 0.7)
+    tty-table (0.12.0)
+      pastel (~> 0.8)
+      strings (~> 0.2.0)
+      tty-screen (~> 0.8)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
+    unicode-display_width (2.1.0)
+    unicode_utils (1.4.0)
+    unparser (0.6.2)
+      diff-lcs (~> 1.3)
+      parser (>= 3.0.0)
+    zeitwerk (2.6.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  byebug
+  guard
+  guard-minitest
+  minitest (~> 5.0)
+  rake (~> 12.0)
+  rubocop
+  spektr!
+
+BUNDLED WITH
+   2.1.4

data/Guardfile

@@ -0,0 +1,45 @@
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+
+## Uncomment and set this to only include directories you want to watch
+# directories %w(app lib config test spec features) \
+#  .select{|d| Dir.exist?(d) ? d : UI.warning("Directory #{d} does not exist")}
+
+## Note: if you are using the `directories` clause above and you are not
+## watching the project directory ('.'), then you will want to move
+## the Guardfile to a watched dir and symlink it back, e.g.
+#
+#  $ mkdir config
+#  $ mv Guardfile config/
+#  $ ln -s config/Guardfile .
+#
+# and, you'll have to watch "config/Guardfile" instead of "Guardfile"
+
+guard :minitest do
+  # with Minitest::Unit
+  watch(%r{^test/(.*)\/?(.*)_test\.rb$})
+  watch(%r{^lib/(.*/)?([^/]+)\.rb$})     { |m|
+    puts "test/#{m[1]}#{m[2]}_test.rb"
+    "test/#{m[1]}#{m[2]}_test.rb"
+  }
+  watch(%r{^test/test_helper\.rb$})      { 'test' }
+
+  # with Minitest::Spec
+  # watch(%r{^spec/(.*)_spec\.rb$})
+  # watch(%r{^lib/(.+)\.rb$})         { |m| "spec/#{m[1]}_spec.rb" }
+  # watch(%r{^spec/spec_helper\.rb$}) { 'spec' }
+
+  # Rails 4
+  # watch(%r{^app/(.+)\.rb$})                               { |m| "test/#{m[1]}_test.rb" }
+  # watch(%r{^app/controllers/application_controller\.rb$}) { 'test/controllers' }
+  # watch(%r{^app/controllers/(.+)_controller\.rb$})        { |m| "test/integration/#{m[1]}_test.rb" }
+  # watch(%r{^app/views/(.+)_mailer/.+})                    { |m| "test/mailers/#{m[1]}_mailer_test.rb" }
+  # watch(%r{^lib/(.+)\.rb$})                               { |m| "test/lib/#{m[1]}_test.rb" }
+  # watch(%r{^test/.+_test\.rb$})
+  # watch(%r{^test/test_helper\.rb$}) { 'test' }
+
+  # Rails < 4
+  # watch(%r{^app/controllers/(.*)\.rb$}) { |m| "test/functional/#{m[1]}_test.rb" }
+  # watch(%r{^app/helpers/(.*)\.rb$})     { |m| "test/helpers/#{m[1]}_test.rb" }
+  # watch(%r{^app/models/(.*)\.rb$})      { |m| "test/unit/#{m[1]}_test.rb" }
+end

data/LICENSE.txt

@@ -0,0 +1,27 @@
+Spektr Public Use Licence
+
+Copyright (c) 2022 Spektr Security LLC
+
+Commercial Use of the Software for commercial purposes requires a commercial licence but any non-commercial use is
+allowed free of charge.
+
+Commercial use includes offering the software as part of a Software as a Service, or part of a distributed software
+where it is used as part of that software.
+
+Non-commercial use includes anything else, for instance when lincecee scans his own codebase for vulnerabilities,
+or as part of a security audit engagement the licencee scans the target's source code for vulnerabilities.
+
+Licencee is also permitted to embed the scanner into his own closed source application as long as they don't break
+the non-commercial use requirements of the software.
+
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+Software: Spektr Scanner
+Licensor: Spektr Security LLC

data/README.md

@@ -0,0 +1,70 @@
+# Spektr
+
+[![Ruby CI](https://github.com/gregmolnar/spektr/actions/workflows/ci.yaml/badge.svg?branch=master)](https://github.com/gregmolnar/spektr/actions/workflows/ci.yaml)
+
+Spektr is a static-code analyser for Ruby On Rails applications to find security issues.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'spektr'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install spektr
+
+## Usage
+
+If you are using in your app:
+
+```
+spektr
+```
+
+If you want to scan an app in another folder:
+
+```
+spektr path/to/app
+```
+
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/spektr. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/gregmolnar/spektr/blob/master/CODE_OF_CONDUCT.md).
+
+
+## License
+
+The gem is available as open source under the terms described in the [licence](https://github.com/gregmolnar/spektr/blob/master/licence.txt). Non-commercial use is free of charge, to obtain a commercial licence, contact us at info[at]spektrhq.com.
+
+
+## Code of Conduct
+
+Everyone interacting in the Spektr project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/gregmolnar/spektr/blob/master/CODE_OF_CONDUCT.md).
+
+## FAQ
+
+### I use Spektr in my closed-source paid product making millions of dollars, is that non-commercial use?
+
+Yes, this is perfectly fine without obtaining a licence. You can however donate to the development here on Github.
+
+### I want to use Spektr in my automated code analyser SaaS, do I need a commercial licence?
+
+Yes, plese get in touch at info[at]spektrhq.com and we will work something out.
+
+### I am a penetration tester and I'd like to use Spektr to audit on a paid engagement. Do I need a commercial licence?
+
+No. You are free to use it for that purpose, happy bug hunting!

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+end
+
+task :default => :test

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "spektr"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/bin/spektr

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+$:.unshift "#{File.expand_path(File.dirname(__FILE__))}/../lib"
+$VERBOSE = nil
+require 'spektr'
+require 'spektr/cli'
+
+Spektr::Cli.new.parse.scan

data/lib/spektr/app.rb

@@ -0,0 +1,209 @@
+module Spektr
+  class App
+    attr_accessor :root, :checks, :initializers, :controllers, :models, :views, :lib_files, :routes, :warnings, :rails_version,
+                  :production_config, :gem_specs, :ruby_version
+
+    def self.parser
+      @@parser ||= Parser::CurrentRuby
+    end
+
+    def initialize(checks:, root: './')
+      @root = root
+      @checks = checks
+      @controllers = []
+      @models = []
+      @warnings = []
+      @json_output = {
+        app: {},
+        advisories: []
+      }
+      @ruby_version = '2.7.1'
+      version_file = File.join(root, '.ruby-version')
+      @ruby_version = File.read(version_file).lines.first if File.exist?(version_file)
+      case @ruby_version
+      when /^2\.0\./
+        require 'parser/ruby20'
+        @@parser = Parser::Ruby20
+      when /^2\.1\./
+        require 'parser/ruby21'
+        @@parser = Parser::Ruby21
+      when /^2\.2\./
+        require 'parser/ruby22'
+        @@parser = Parser::Ruby22
+      when /^2\.3/
+        require 'parser/ruby23'
+        @@parser = Parser::Ruby23
+      when /^2\.4\./
+        require 'parser/ruby24'
+        @@parser = Parser::Ruby24
+      when /^2\.5\./
+        require 'parser/ruby25'
+        @@parser = Parser::Ruby25
+      when /^2\.6\./
+        require 'parser/ruby26'
+        @@parser = Parser::Ruby26
+      when /^2\.7\./
+        require 'parser/ruby27'
+        @@parser = Parser::Ruby27
+      when /^3\.0\./
+        require 'parser/ruby30'
+        @@parser = Parser::Ruby30
+      when /^3\.1\./
+        require 'parser/ruby31'
+        @@parser = Parser::Ruby31
+      when /^3\.2\./
+        require 'parser/ruby32'
+        @@parser = Parser::Ruby32
+      else
+        @@parser = Parser::CurrentRuby
+      end
+    end
+
+    def load
+      loaded_files = []
+
+      config_path = File.join(@root, 'config', 'environments', 'production.rb')
+      if File.exist?(config_path)
+        @production_config = Targets::Config.new(config_path,
+                                                 File.read(config_path, encoding: 'utf-8'))
+      end
+
+      @initializers = initializer_paths.map do |path|
+        loaded_files << path
+        Targets::Base.new(path, File.read(path))
+      end
+      @controllers = controller_paths.map do |path|
+        loaded_files << path
+        Targets::Controller.new(path, File.read(path, encoding: 'utf-8'))
+      end
+      @models = model_paths.map do |path|
+        loaded_files << path
+        Targets::Model.new(path, File.read(path, encoding: 'utf-8'))
+      end
+      @views = view_paths.map do |path|
+        loaded_files << path
+        Targets::View.new(path, File.read(path, encoding: 'utf-8'))
+      end
+      @routes = [File.join(@root, 'config', 'routes.rb')].map do |path|
+        next unless File.exist? path
+
+        loaded_files << path
+        Targets::Routes.new(path, File.read(path, encoding: 'utf-8'))
+      end.reject(&:nil?)
+      # TODO: load non-app lib too
+      @lib_files = find_files('lib').map do |path|
+        next if loaded_files.include?(path)
+
+        Targets::Base.new(path, File.read(path, encoding: 'utf-8'))
+      end.reject(&:nil?)
+      self
+    end
+
+    def scan!
+      @checks.each do |check|
+        if @controllers
+          @controllers.each do |controller|
+            check.new(self, controller).run
+          end
+        end
+        if @views
+          @views.each do |view|
+            check.new(self, view).run
+          end
+        end
+        if @models
+          @models.each do |view|
+            check.new(self, view).run
+          end
+        end
+        if @routes
+          @routes.each do |view|
+            check.new(self, view).run
+          end
+        end
+        if @initializers
+          @initializers.each do |i|
+            check.new(self, i).run
+          end
+        end
+        if @lib_files
+          @lib_files.each do |i|
+            check.new(self, i).run
+          end
+        end
+
+        check.new(self, @production_config).run if @production_config
+      end
+      self
+    end
+
+    def report(_format = 'terminal')
+      @json_output[:app][:rails_version] = @rails_version
+      @json_output[:app][:initializers] = @initializers.size
+      @json_output[:app][:controllers] = @controllers.size
+      @json_output[:app][:models] = @models.size
+      @json_output[:app][:views] = @views.size
+      @json_output[:app][:routes] = @routes.size
+      @json_output[:app][:lib_files] = @lib_files.size
+
+      @warnings.each do |warning|
+        @json_output[:advisories] << {
+          name: warning.check.name,
+          description: warning.message,
+          path: warning.path,
+          location: warning.location&.line,
+          line: warning.line,
+          check: warning.check.class.name
+        }
+      end
+
+      @json_output[:summary] = []
+      @json_output[:checks] = @checks.collect(&:name)
+
+      @json_output[:advisories].group_by { |a| a[:name] }.each do |n, i|
+        @json_output[:summary] << {
+          n => i.size
+        }
+      end
+      @json_output
+    end
+
+    def initializer_paths
+      @initializer_paths ||= find_files('config/initializers')
+    end
+
+    def controller_paths
+      @controller_paths ||= find_files('app/**/controllers')
+    end
+
+    def model_paths
+      @model_paths ||= find_files('app/**/models')
+    end
+
+    def view_paths
+      @view_paths ||= find_files('app', "{#{%w[html.erb html.haml rhtml js.erb html.slim].join(',')}}")
+    end
+
+    def find_files(path, extensions = 'rb')
+      Dir.glob(File.join(@root, path, '**', "*.#{extensions}"))
+    end
+
+    def gem_specs
+      return unless File.exist? "#{@root}/Gemfile.lock"
+
+      @gem_specs ||= Bundler::LockfileParser.new(Bundler.read_file("#{@root}/Gemfile.lock")).specs
+    end
+
+    def has_gem?(name)
+      return false unless gem_specs
+
+      gem_specs.any? { |spec| spec.name == name }
+    end
+
+    def rails_version
+      return unless gem_specs
+
+      @rails_version ||= Gem::Version.new(gem_specs.find { |spec| spec.name == 'rails' }&.version)
+    end
+  end
+end