RubyGems - stratagem - Versions diffs - 0.1.7 - Mend

stratagem 0.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (101) hide show

data/Manifest +99 -0
data/Rakefile +17 -0
data/bin/stratagem +10 -0
data/init.rb +2 -0
data/lib/bootstrap.rb +31 -0
data/lib/stratagem/authentication.rb +64 -0
data/lib/stratagem/auto_mock/aquifer.rb +86 -0
data/lib/stratagem/auto_mock/factory.rb +213 -0
data/lib/stratagem/auto_mock/value_generator.rb +174 -0
data/lib/stratagem/auto_mock.rb +6 -0
data/lib/stratagem/blocker.rb +16 -0
data/lib/stratagem/client.rb +32 -0
data/lib/stratagem/command.rb +13 -0
data/lib/stratagem/commands/analyze.rb +22 -0
data/lib/stratagem/commands/base.rb +11 -0
data/lib/stratagem/commands/devel_crawl.rb +27 -0
data/lib/stratagem/commands/devel_mock.rb +10 -0
data/lib/stratagem/commands.rb +7 -0
data/lib/stratagem/crawler/authentication.rb +109 -0
data/lib/stratagem/crawler/form.rb +101 -0
data/lib/stratagem/crawler/html_utils.rb +92 -0
data/lib/stratagem/crawler/session.rb +296 -0
data/lib/stratagem/crawler/site_model.rb +138 -0
data/lib/stratagem/crawler/trace_utils.rb +10 -0
data/lib/stratagem/crawler.rb +9 -0
data/lib/stratagem/extensions/class.rb +9 -0
data/lib/stratagem/extensions/hash.rb +16 -0
data/lib/stratagem/extensions/module.rb +11 -0
data/lib/stratagem/extensions/object.rb +15 -0
data/lib/stratagem/extensions/red_parse.rb +86 -0
data/lib/stratagem/extensions/string.rb +20 -0
data/lib/stratagem/extensions.rb +6 -0
data/lib/stratagem/framework_extensions/controllers/action_controller.rb +10 -0
data/lib/stratagem/framework_extensions/controllers/action_mailer.rb +12 -0
data/lib/stratagem/framework_extensions/controllers.rb +5 -0
data/lib/stratagem/framework_extensions/models/adapters/active_model/detect.rb +7 -0
data/lib/stratagem/framework_extensions/models/adapters/active_model/extensions.rb +35 -0
data/lib/stratagem/framework_extensions/models/adapters/active_model/metadata.rb +103 -0
data/lib/stratagem/framework_extensions/models/adapters/active_model/tracing.rb +50 -0
data/lib/stratagem/framework_extensions/models/adapters/authlogic/detect.rb +11 -0
data/lib/stratagem/framework_extensions/models/adapters/authlogic/extensions.rb +10 -0
data/lib/stratagem/framework_extensions/models/adapters/authlogic/metadata.rb +30 -0
data/lib/stratagem/framework_extensions/models/adapters/authlogic/tracing.rb +4 -0
data/lib/stratagem/framework_extensions/models/adapters/common/authentication_metadata.rb +21 -0
data/lib/stratagem/framework_extensions/models/adapters/restful_authentication/detect.rb +13 -0
data/lib/stratagem/framework_extensions/models/adapters/restful_authentication/extensions.rb +19 -0
data/lib/stratagem/framework_extensions/models/adapters/restful_authentication/metadata.rb +30 -0
data/lib/stratagem/framework_extensions/models/adapters/restful_authentication/tracing.rb +4 -0
data/lib/stratagem/framework_extensions/models/annotations.rb +79 -0
data/lib/stratagem/framework_extensions/models/detect.rb +7 -0
data/lib/stratagem/framework_extensions/models/metadata.rb +85 -0
data/lib/stratagem/framework_extensions/models/mocking.rb +23 -0
data/lib/stratagem/framework_extensions/models/tracing.rb +71 -0
data/lib/stratagem/framework_extensions/models.rb +21 -0
data/lib/stratagem/framework_extensions/rails.rb +8 -0
data/lib/stratagem/framework_extensions.rb +6 -0
data/lib/stratagem/interface/browser.rb +37 -0
data/lib/stratagem/interface/public/images/backgrounds/content.png +0 -0
data/lib/stratagem/interface/public/images/backgrounds/shadow.png +0 -0
data/lib/stratagem/interface/public/javascripts/jquery-1.4.2.min.js +154 -0
data/lib/stratagem/interface/public/javascripts/stratagem.js +27 -0
data/lib/stratagem/interface/public/javascripts/stratagem_debug.js +53 -0
data/lib/stratagem/interface/public/stylesheets/960.css +1 -0
data/lib/stratagem/interface/public/stylesheets/reset.css +10 -0
data/lib/stratagem/interface/public/stylesheets/stratagem.css +20 -0
data/lib/stratagem/interface/public/stylesheets/stratagem_debug.css +20 -0
data/lib/stratagem/interface/views/debug.haml +43 -0
data/lib/stratagem/interface/views/index.haml +35 -0
data/lib/stratagem/labs/auto_mock.rb +7 -0
data/lib/stratagem/labs/crawler.rb +0 -0
data/lib/stratagem/logger.rb +46 -0
data/lib/stratagem/model/application.rb +157 -0
data/lib/stratagem/model/components/base.rb +55 -0
data/lib/stratagem/model/components/controller.rb +118 -0
data/lib/stratagem/model/components/model.rb +170 -0
data/lib/stratagem/model/components/reference.rb +30 -0
data/lib/stratagem/model/components/route.rb +53 -0
data/lib/stratagem/model/components/static_file.rb +18 -0
data/lib/stratagem/model/components/view.rb +186 -0
data/lib/stratagem/model/parse_util.rb +61 -0
data/lib/stratagem/model.rb +12 -0
data/lib/stratagem/model_builder.rb +146 -0
data/lib/stratagem/recipes/deploy.rb +30 -0
data/lib/stratagem/scan/checks/capistrano/secure_deploy.rb +43 -0
data/lib/stratagem/scan/checks/email_address.rb +15 -0
data/lib/stratagem/scan/checks/error_pages.rb +25 -0
data/lib/stratagem/scan/checks/filter_parameter_logging.rb +6 -0
data/lib/stratagem/scan/checks/mongo_mapper/base.rb +19 -0
data/lib/stratagem/scan/checks/mongo_mapper/foreign_keys_exposed.rb +32 -0
data/lib/stratagem/scan/checks/routes.rb +16 -0
data/lib/stratagem/scan/checks/ssl/secure_login_page.rb +19 -0
data/lib/stratagem/scan/checks/ssl/secure_login_submit.rb +18 -0
data/lib/stratagem/scan/result.rb +45 -0
data/lib/stratagem/scan.rb +19 -0
data/lib/stratagem/scanner.rb +32 -0
data/lib/stratagem/site_crawler.rb +47 -0
data/lib/stratagem/snapshot.rb +33 -0
data/lib/stratagem.rb +77 -0
data/lib/tasks/_old_stratagem.rake +99 -0
data/stratagem.gemspec +56 -0
metadata +380 -0

data/lib/stratagem/model/components/view.rb ADDED Viewed

@@ -0,0 +1,186 @@
+module Stratagem::Model::Component
+  class View < Base
+    include Stratagem::Model::ParseUtil
+    RAILS_FORM_FIELDS = ['check_box', 'file_field', 'hidden_field', 'password_field', 'radio_button', 'text_area', 'text_field']
+    attr_reader :extension, :render_path # as seen by the controllers
+    def initialize(render_path)
+      render_path =~ /\.(.*)/
+      @extension = $1
+      @path = render_path
+      @render_path = render_path.gsub(/\..*/, '')
+    end
+    def read
+      File.open(full_path) {|file| file.readlines().join }
+    end
+    def partial?
+      File.basename(render_path) =~ /^_/
+    end
+    def full_path
+      File.join(RAILS_ROOT, 'app', 'views', render_path+'.'+extension)
+    end
+    def directory
+      File.dirname(full_path)
+    end
+    def export
+      begin
+        {
+          :type => :view,
+          :path => @path,
+          :render_path => @render_path,
+          :forms => forms.map {|form| form.export }
+        }
+      rescue
+        logger.fatal($!)
+        nil
+      end
+    end
+    def rendered_by
+    end
+    def forms
+      # extract ruby from the html
+      ruby = ruby_blocks(approximate_html).join("\n")
+      # dump ruby into a parse tree
+      begin
+        parse_tree = RedParse.new(ruby).parse
+        # find the form nodes and send to a specialized function
+        forms = []
+        walk_tree(parse_tree) do |node|
+          if (node.kind_of?(RedParse::CallNode) && (node.name =~ /form_/) && (node.block))
+            forms << walk_form(node)
+          end
+        end
+        forms
+      rescue
+        puts "ERROR: Unable to parse ruby. - #{$!.message}"
+        puts ruby
+        []
+      end
+    end
+    def approximate_html
+      html = read().gsub(RUBY_REGEX) do |match|
+        handle_render(match)
+      end
+      html
+    end
+    def handle_render(ruby)
+      # remove the surrounding ruby indicators
+      result = ruby
+      ruby = ruby.stratagem_strip_erb
+      if (ruby =~ /^render/)
+        # load into parse tree
+        parse_tree = RedParse.new(ruby).parse
+        parse_tree.walk {|parent,i,subi,node|
+          case node
+          when RedParse::CallNode #... do something with method calls
+            params = node.params.first # render always takes a hash
+            render_path = nil
+            passed_vars = {}
+            if (params.kind_of?(RedParse::StringNode))
+              render_path = params.first.to_s
+            else
+              render_path = params.get(:partial).first.split('/')
+              object = params.get(:object).name if params.get(:object)
+              locals = params.get(:locals)
+              render_path.last.gsub!(/^/, '_')
+              render_path = render_path.join('/')
+            end
+            full_path = nil
+            if (render_path =~ /\//)
+              full_path = File.join(RAILS_ROOT, 'app', 'views', render_path+"."+extension)
+            else
+              full_path = File.join(directory, render_path+"."+extension)
+            end
+            begin
+              result = File.read(full_path)
+            rescue
+              puts "ERROR: #{full_path} not found"
+            end
+          end
+        }
+      end
+      result
+    end
+    private
+    def walk_tree(tree)
+      tree.walk {|parent,i,subi,node|
+        yield node
+        case node
+        when RedParse::SequenceNode
+          node.each {|child|
+            walk_tree(child) { yield }
+          }
+        end
+      }
+    end
+    def walk_form(form_node)
+      form = Form.new(nil)
+      form_node.block.each {|node|
+        case node
+        when RedParse::CallNode
+          RAILS_FORM_FIELDS.each {|field_name|
+            if (node.name.include?(field_name) && node.params)
+              param = node.params.first
+              value = param.methods_include?(:val) ? param.val : param.to_s
+              form.add_field(value, node.name)
+              break
+            end
+          }
+        end
+      }
+      form
+    end
+  end
+  class Form
+    attr_reader :fields
+    def initialize(model)
+      @fields = []
+    end
+    def add_field(name, type)
+      @fields << FormField.new(name, type)
+    end
+    def export
+      {:model => @model, :fields => @fields.map {|f| f.export } }
+    end
+  end
+  class FormField
+    attr_reader :name, :field_type
+    def initialize(name, field_type)
+      @name = name
+      @field_type = field_type
+    end
+    def export
+      {:name => @name, :field_type => @field_type }
+    end
+  end
+end

data/lib/stratagem/model/parse_util.rb ADDED Viewed

@@ -0,0 +1,61 @@
+module Stratagem::Model
+  module ParseUtil
+    RUBY_REGEX = /\<\%(.*?\%)\>/m
+    RUBY_OUTPUT_REGEX = /\<\%\=(.*?\%)\>/m
+      def self.find_classes(parse_tree)
+        class_names = qualified_class_name(parse_tree)
+        class_names.map {|name|
+          clazz = Kernel
+          begin
+            name.split('::').each {|part| clazz = clazz.const_get(part) }
+            clazz
+          rescue
+            $!
+          end
+        }
+      end
+      # assumes a single class in the tree
+      # will return the qualified class name (modules + class)
+      def self.qualified_class_name(parse_tree)
+        qualified_names = []
+        path = []
+        parse_tree.walk {|parent,i,subi,node|
+          path.pop while (path.include?(parent) && (path.last != parent))
+          path << parent unless path.last == parent
+          qualified_names << (path.clone << node) if node.kind_of?(RedParse::ClassNode)
+          true
+        }
+        qualified_names.map! {|qualified_name|
+          qualified_name.select {|node| node.kind_of?(RedParse::ModuleNode) || node.kind_of?(RedParse::ClassNode)}.map {|node|
+            begin
+              node.name.ident
+            rescue
+              node.name
+            end
+          }.join('::')
+        }
+        qualified_names
+      end
+      def ruby_output_blocks(view_erb)
+        view_erb.scan(RUBY_OUTPUT_REGEX).flatten.map {|line|
+          line.strip.gsub(/^\=\s*/, '').gsub(/\%$/, '').gsub(/\-$/, '')
+        }
+      end
+      def ruby_blocks(view_erb)
+        view_erb.scan(RUBY_REGEX).flatten.map {|line|
+          line.strip.gsub(/^\=\s*/, '').gsub(/\%$/, '').gsub(/\-$/, '')
+        }
+      end
+      def gsub_ruby_blocks(view_erb)
+        view_erb.gsub(RUBY_REGEX) {|ruby|
+          yield ruby
+        }
+      end
+  end
+end

data/lib/stratagem/model.rb ADDED Viewed

@@ -0,0 +1,12 @@
+module Stratagem::Model
+end
+require 'stratagem/model/application'
+require 'stratagem/model/parse_util'
+require 'stratagem/model/components/base'
+require 'stratagem/model/components/reference'
+require 'stratagem/model/components/model'
+require 'stratagem/model/components/view'
+require 'stratagem/model/components/controller'
+require 'stratagem/model/components/route'
+require 'stratagem/model/components/static_file'

data/lib/stratagem/model_builder.rb ADDED Viewed

@@ -0,0 +1,146 @@
+module Stratagem
+  class ModelBuilder
+    attr_reader :parsed_models, :parsed_controllers, :aquifer
+    def initialize
+      @model = Stratagem::Model::Application.instance
+      @aquifer = Stratagem::AutoMock::Aquifer.init(@model)
+    end
+    def run
+      load_plugins
+      load_public
+      load_template_paths
+      load_routes
+      load_models
+      print_errors
+      @aquifer.fill
+      @model
+    end
+    def log(msg)
+      Stratagem.logger.debug msg
+    end
+    def print_errors
+      @model.routes.invalid.each {|route|
+        puts "route: #{route.route.to_s} is invalid"
+      }
+      @model.controllers.missing.each {|controller, routes|
+        puts "controller: #{controller}, with #{routes.size} routes is missing"
+      }
+    end
+    def load_plugins()
+      loader = Rails::Plugin::Loader.new(Rails::Initializer.new(Rails::Configuration.new))
+      loader.load_plugins
+      @model.plugins << loader.initializer.loaded_plugins
+    end
+    def load_models()
+      # load files into classes
+      log "loading models"
+      root = File.join(RAILS_ROOT, 'app','models')
+      load_files(File.join(root)).map {|model|
+        models = Stratagem::Model::Component::Model.load_all(File.join(root, model))
+        models.each do |c|
+          log "\t#{c.klass.name} loaded from #{model}"
+          references = []
+          @model.controllers.each do |controller|
+            references += controller.modifies(c)
+          end
+          log "\t\t#{references.size} references from controllers"
+          c.model_referenced_by = references
+        end
+        @model.models << models
+      }
+      log ""
+    end
+    def load_public
+      log "loading static files"
+      Dir[File.join(RAILS_ROOT, 'public', '**', '*.html')].each {|static|
+        static.gsub!(RAILS_ROOT, '').gsub!(/^\/public\//, '')
+        @model.static_files << Stratagem::Model::Component::StaticFile.new(static)
+        log "\t#{static}"
+      }
+      log ""
+    end
+    def load_template_paths
+      log "loading templates"
+      root = File.join(RAILS_ROOT, 'app','views')
+      load_files(root).map {|template|
+        @model.views << Stratagem::Model::Component::View.new(template)
+        log "\t#{template}"
+      }
+      log ""
+    end
+    def load_routes
+      log 'loading routes'
+      root = File.join(RAILS_ROOT, 'app','controllers')
+      ActionController::Routing::Routes.routes.each {|route|
+        route_container = Stratagem::Model::Component::Route.new(route)
+        @model.routes << route_container
+        begin
+          filename = File.join(root, "#{route.parameter_shell[:controller]}_controller.rb")
+          controllers = @model.controllers.select {|c| c.path == filename }
+          unless controllers.size > 0
+            controllers = Stratagem::Model::Component::Controller.load_all(filename)
+            puts "loading controllers from #{filename} -> controllers #{controllers.map {|c| c.klass.name }.inspect}"
+            @model.controllers << controllers
+          end
+          controller_name = route.parameter_shell[:controller].gsub('/','::').split('::').map {|part| part.camelcase }.join('::')
+          controller_name << 'Controller'
+          controller_class = controllers.find {|controller| controller.klass.name == controller_name }
+          controller_object = controller_class ? controller_class.klass.new : nil
+          controller_action = route.parameter_shell[:action].to_sym
+          if (controller_object) && (controller_object.methods_include?(controller_action))
+            controllers.each do |controller|
+              controller.add_routable_action(controller_action, route.conditions[:method] || :get)
+            end
+          else
+            # if the controller does not contain the indicated method
+            # then check for a template that may be rendered anyway
+            log "\tinvalid route #{route.to_s}"
+            unless @model.views.find {|v| v.render_path == "#{route.parameter_shell[:controller]}/#{controller_action}" }
+              # route is invalid
+              @model.routes.invalid << Stratagem::Model::Component::Route.new(route)
+              log "\tinvalid route #{route.to_s}"
+            end
+          end
+        rescue Errno::ENOENT
+          @model.routes.invalid << Stratagem::Model::Component::Route.new(route)
+        rescue MissingSourceFile
+          @model.routes.invalid << Stratagem::Model::Component::Route.new(route)
+        end
+      }
+      log ""
+    end
+    def load_files(base_dir,path=[],file_list=[])
+      dir = File.join(base_dir, *path)
+      files = Dir.new(dir).entries
+      files.each do |file|
+        next if file =~ /^\./
+        if (File.directory?(File.join(dir, file)))
+          load_files(base_dir, path + [file], file_list)
+        else
+          file_path = File.join(path, file)
+          file_list << file_path
+        end
+      end
+      file_list
+    end
+  end
+end

data/lib/stratagem/recipes/deploy.rb ADDED Viewed

@@ -0,0 +1,30 @@
+Capistrano::Configuration.instance(:must_exist).load do
+  namespace :stratagem do
+    desc "Analyzes your server environments for correct configuration and gem versions."
+    task :default do
+      servers = find_servers_for_task(current_task)
+      servers.each do |server|
+        puts "listing gems on #{server.host}"
+        run "gem list", :hosts => server do |ch, stream, data|
+          if stream == :err
+            logger.fatal "ERROR listing gems #{data}"
+          else # stream == :out
+            gems = {}
+            data.split("\n").each do |line|
+              line =~ /(.*)\s\((.*)\)/
+              name = $1
+              versions = $2.split(', ')
+              gems[name] = versions
+            end
+          end
+        end
+      end
+      # variables.each do |k,v| p k; end
+      # run "echo 'hi'"
+    end
+  end
+end

data/lib/stratagem/scan/checks/capistrano/secure_deploy.rb ADDED Viewed

@@ -0,0 +1,43 @@
+require 'uri'
+# Stratagem::Scan::Checks::SecureDeploy
+module Stratagem::Scan::Checks::Capistrano
+  class SecureDeploy < Stratagem::Scan::Checks::Base
+    SECURE_PROTOCOLS = ['https']
+    def run
+      begin
+        gem 'capistrano'
+        require 'capistrano/configuration'
+        begin
+          config = Capistrano::Configuration.new
+          config.load "config/deploy"
+          vars = config.variables
+          repository_url = vars[:repository]
+          if (repository_url)
+            uri = URI::parse(repository_url)
+            unless (SECURE_PROTOCOLS.include?(uri.scheme.downcase))
+              result(
+              :concern_type => :best_practice,
+              :unique => 'repository_url',
+              :component => nil,
+              :payload => repository_url)
+            end
+          else
+            puts "Unable to locate Capistrano repository in deploy script"
+          end
+        rescue ArgumentError
+          puts "Capistrano deploy script could not be loaded. - #{$!.message}"
+        rescue LoadError
+          puts "Capistrano deploy script not found. - #{$!.message}"
+          puts $!.class.name
+        end
+      rescue Gem::LoadError
+        puts "ERROR: Unable to load Capistrano"
+      end
+    end
+  end
+end

data/lib/stratagem/scan/checks/email_address.rb ADDED Viewed

@@ -0,0 +1,15 @@
+# Stratagem::Scan::Checks::EmailAddress
+module Stratagem::Scan::Checks
+  class EmailAddress < Base
+    include ViewBase
+    Scanner = Regexp.compile(/\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}\b/)
+    def scan(view)
+      view.scan(Scanner).uniq.each do |email|
+        result(:concern_type => :warning, :unique => email, :payload => email)
+      end
+    end
+  end
+end

data/lib/stratagem/scan/checks/error_pages.rb ADDED Viewed

@@ -0,0 +1,25 @@
+# Stratagem::Scan::Checks::ErrorPages
+module Stratagem::Scan::Checks
+  class ErrorPages < Base
+    include ViewBase
+    Strings = {
+      404 => ['The page you were looking for doesn\'t exist.', 'You may have mistyped the address or the page may have moved.'],
+      500 => ['We\'re sorry, but something went wrong.', 'We\'ve been notified about this issue and we\'ll take a look at it shortly.']
+    }
+    def scan(view)
+      Strings.each {|type, set|
+        matched = true
+        set.each {|s|
+          unless view.include?(s)
+            matched = false
+            break
+          end
+        }
+        result(:concern_type => :best_practice, :unique => type, :payload => type) if (matched)
+      }
+    end
+  end
+end

data/lib/stratagem/scan/checks/filter_parameter_logging.rb ADDED Viewed

@@ -0,0 +1,6 @@
+# note -
+# should render views
+# look at form paths
+# anything that is "password"
+# should be filtered
+# also password, password_confirmation

data/lib/stratagem/scan/checks/mongo_mapper/base.rb ADDED Viewed

@@ -0,0 +1,19 @@
+module Stratagem::Scan::Checks::MongoMapper
+  class Base < Stratagem::Scan::Checks::Base
+    alias_method :parent_result, :result
+    def run
+      if (self.class.method_defined?(:scan))
+        application_model.models.each {|model|
+          log "scanning model #{model.klass.name}"
+          scan(model)
+        }
+      end
+    end
+    def result(hash)
+      hash[:specialization] = :mongo_mapper
+      parent_result(hash)
+    end
+  end
+end

data/lib/stratagem/scan/checks/mongo_mapper/foreign_keys_exposed.rb ADDED Viewed

@@ -0,0 +1,32 @@
+# Stratagem::Scan::Checks::MassAssignment
+module Stratagem::Scan::Checks::MongoMapper
+  class ForeignKeysExposed < Base
+    def description
+      "analyzes application to find models vulnerable to mass assignment"
+    end
+    def scan(model)
+      return unless model.methods_include?(:stratagem)
+      # look up the controllers that reference it
+      instance = model.klass.new
+      assignable_keys = model.model_assignable_attributes & instance.stratagem.foreign_keys
+      if (assignable_keys.size > 0)
+        references = application_model.controllers.map {|controller| controller.modifies(model) }.flatten.compact
+        concern_type = references.size > 0 ? :error : :best_practice
+        solution_payload = assignable_keys
+        result(
+          :concern_type => concern_type,
+          :unique => model.klass.name,
+          :payload => model.klass.name,
+          :component => model,
+          :confirmed => false,
+          :solution_payload => solution_payload
+        )
+      end
+    end
+  end
+end

data/lib/stratagem/scan/checks/routes.rb ADDED Viewed

@@ -0,0 +1,16 @@
+# Stratagem::Scan::Checks::EmailAddress
+module Stratagem::Scan::Checks
+  class Routes < Base
+    def run
+      application_model.routes.invalid.each {|route|
+        payload = {
+          :path => route.route.segments.inject("") { |str,s| str << s.to_s },
+          :method => route.route.conditions[:method],
+          :requirements => route.route.requirements
+        }
+        result :concern_type => :best_practice, :unique => payload.inspect, :payload => payload
+      }
+    end
+  end
+end

data/lib/stratagem/scan/checks/ssl/secure_login_page.rb ADDED Viewed

@@ -0,0 +1,19 @@
+# Stratagem::Scan::Checks::EmailAddress
+module Stratagem::Scan::Checks::Ssl
+  class SecureLoginPage < Stratagem::Scan::Checks::Base
+    def run
+      auth = application_model.crawler.authentication
+      if (auth.success && !auth.login_page.response.request.ssl?)
+        route = application_model.routes.recognize(auth.login_page)
+        payload = {
+          :path => auth.login_page.response.request.path,
+          :method => auth.login_page.response.request.method,
+          :action => route.action
+        }
+        result :concern_type => :error, :unique => :secure_login_page, :component => route.controller, :payload => payload
+      end
+    end
+  end
+end

data/lib/stratagem/scan/checks/ssl/secure_login_submit.rb ADDED Viewed

@@ -0,0 +1,18 @@
+# Stratagem::Scan::Checks::EmailAddress
+module Stratagem::Scan::Checks::Ssl
+  class SecureLoginSubmit < Stratagem::Scan::Checks::Base
+    def run
+      auth = application_model.crawler.authentication
+      if (auth.success && !auth.ssl)
+        route = application_model.routes.recognize(auth.response_page)
+        payload = {
+          :path => auth.response_page.response.request.path,
+          :method => auth.response_page.response.request.method,
+          :action => route.action
+        }
+        result :concern_type => :error, :unique => :secure_login_submit, :component => route.controller, :payload => payload
+      end
+    end
+  end
+end

data/lib/stratagem/scan/result.rb ADDED Viewed

@@ -0,0 +1,45 @@
+# Stratagem::Scan::Result
+module Stratagem::Scan
+  # Each security check emits 1 or more result objects based on its findings
+  # Payload is an arbitrary piece of data that the check produces. It must be able to be encoded to JSON
+  # Unique is a value that identifies the check result within the namespace of the check
+  class Result
+    attr_accessor :unique, :check, :component, :payload, :line_number, :code, :passed, :concern_type, :confirmed, :solution_payload, :specialization
+    # passed = true / false
+    def initialize(args)
+      args.each {|key,value| self.send("#{key}=", value) }
+    end
+    def export
+      h = {
+        :guid => guid,
+        :check_name => check_name,
+        :specialization => specialization,
+        :component => component_name,
+        :payload => payload,
+        :line_number => line_number,
+        :code => code,
+        :concern_type => concern_type,
+        :confirmed => confirmed || false,
+        :solution_payload => solution_payload
+      }
+      h[:path] = component.path.gsub(RAILS_ROOT+'/', '') if component
+      h
+    end
+    def component_name
+      component ? component.name : nil
+    end
+    def check_name
+      check ? check.name : nil
+    end
+    def guid
+      "#{check_name.underscore}:#{(component_name || '').underscore}:#{unique.to_s.underscore}"
+    end
+  end
+end