RubyGems - stratagem - Versions diffs - 0.1.7 - Mend

stratagem 0.1.7

Files changed (101) hide show

data/Manifest +99 -0
data/Rakefile +17 -0
data/bin/stratagem +10 -0
data/init.rb +2 -0
data/lib/bootstrap.rb +31 -0
data/lib/stratagem/authentication.rb +64 -0
data/lib/stratagem/auto_mock/aquifer.rb +86 -0
data/lib/stratagem/auto_mock/factory.rb +213 -0
data/lib/stratagem/auto_mock/value_generator.rb +174 -0
data/lib/stratagem/auto_mock.rb +6 -0
data/lib/stratagem/blocker.rb +16 -0
data/lib/stratagem/client.rb +32 -0
data/lib/stratagem/command.rb +13 -0
data/lib/stratagem/commands/analyze.rb +22 -0
data/lib/stratagem/commands/base.rb +11 -0
data/lib/stratagem/commands/devel_crawl.rb +27 -0
data/lib/stratagem/commands/devel_mock.rb +10 -0
data/lib/stratagem/commands.rb +7 -0
data/lib/stratagem/crawler/authentication.rb +109 -0
data/lib/stratagem/crawler/form.rb +101 -0
data/lib/stratagem/crawler/html_utils.rb +92 -0
data/lib/stratagem/crawler/session.rb +296 -0
data/lib/stratagem/crawler/site_model.rb +138 -0
data/lib/stratagem/crawler/trace_utils.rb +10 -0
data/lib/stratagem/crawler.rb +9 -0
data/lib/stratagem/extensions/class.rb +9 -0
data/lib/stratagem/extensions/hash.rb +16 -0
data/lib/stratagem/extensions/module.rb +11 -0
data/lib/stratagem/extensions/object.rb +15 -0
data/lib/stratagem/extensions/red_parse.rb +86 -0
data/lib/stratagem/extensions/string.rb +20 -0
data/lib/stratagem/extensions.rb +6 -0
data/lib/stratagem/framework_extensions/controllers/action_controller.rb +10 -0
data/lib/stratagem/framework_extensions/controllers/action_mailer.rb +12 -0
data/lib/stratagem/framework_extensions/controllers.rb +5 -0
data/lib/stratagem/framework_extensions/models/adapters/active_model/detect.rb +7 -0
data/lib/stratagem/framework_extensions/models/adapters/active_model/extensions.rb +35 -0
data/lib/stratagem/framework_extensions/models/adapters/active_model/metadata.rb +103 -0
data/lib/stratagem/framework_extensions/models/adapters/active_model/tracing.rb +50 -0
data/lib/stratagem/framework_extensions/models/adapters/authlogic/detect.rb +11 -0
data/lib/stratagem/framework_extensions/models/adapters/authlogic/extensions.rb +10 -0
data/lib/stratagem/framework_extensions/models/adapters/authlogic/metadata.rb +30 -0
data/lib/stratagem/framework_extensions/models/adapters/authlogic/tracing.rb +4 -0
data/lib/stratagem/framework_extensions/models/adapters/common/authentication_metadata.rb +21 -0
data/lib/stratagem/framework_extensions/models/adapters/restful_authentication/detect.rb +13 -0
data/lib/stratagem/framework_extensions/models/adapters/restful_authentication/extensions.rb +19 -0
data/lib/stratagem/framework_extensions/models/adapters/restful_authentication/metadata.rb +30 -0
data/lib/stratagem/framework_extensions/models/adapters/restful_authentication/tracing.rb +4 -0
data/lib/stratagem/framework_extensions/models/annotations.rb +79 -0
data/lib/stratagem/framework_extensions/models/detect.rb +7 -0
data/lib/stratagem/framework_extensions/models/metadata.rb +85 -0
data/lib/stratagem/framework_extensions/models/mocking.rb +23 -0
data/lib/stratagem/framework_extensions/models/tracing.rb +71 -0
data/lib/stratagem/framework_extensions/models.rb +21 -0
data/lib/stratagem/framework_extensions/rails.rb +8 -0
data/lib/stratagem/framework_extensions.rb +6 -0
data/lib/stratagem/interface/browser.rb +37 -0
data/lib/stratagem/interface/public/images/backgrounds/content.png +0 -0
data/lib/stratagem/interface/public/images/backgrounds/shadow.png +0 -0
data/lib/stratagem/interface/public/javascripts/jquery-1.4.2.min.js +154 -0
data/lib/stratagem/interface/public/javascripts/stratagem.js +27 -0
data/lib/stratagem/interface/public/javascripts/stratagem_debug.js +53 -0
data/lib/stratagem/interface/public/stylesheets/960.css +1 -0
data/lib/stratagem/interface/public/stylesheets/reset.css +10 -0
data/lib/stratagem/interface/public/stylesheets/stratagem.css +20 -0
data/lib/stratagem/interface/public/stylesheets/stratagem_debug.css +20 -0
data/lib/stratagem/interface/views/debug.haml +43 -0
data/lib/stratagem/interface/views/index.haml +35 -0
data/lib/stratagem/labs/auto_mock.rb +7 -0
data/lib/stratagem/labs/crawler.rb +0 -0
data/lib/stratagem/logger.rb +46 -0
data/lib/stratagem/model/application.rb +157 -0
data/lib/stratagem/model/components/base.rb +55 -0
data/lib/stratagem/model/components/controller.rb +118 -0
data/lib/stratagem/model/components/model.rb +170 -0
data/lib/stratagem/model/components/reference.rb +30 -0
data/lib/stratagem/model/components/route.rb +53 -0
data/lib/stratagem/model/components/static_file.rb +18 -0
data/lib/stratagem/model/components/view.rb +186 -0
data/lib/stratagem/model/parse_util.rb +61 -0
data/lib/stratagem/model.rb +12 -0
data/lib/stratagem/model_builder.rb +146 -0
data/lib/stratagem/recipes/deploy.rb +30 -0
data/lib/stratagem/scan/checks/capistrano/secure_deploy.rb +43 -0
data/lib/stratagem/scan/checks/email_address.rb +15 -0
data/lib/stratagem/scan/checks/error_pages.rb +25 -0
data/lib/stratagem/scan/checks/filter_parameter_logging.rb +6 -0
data/lib/stratagem/scan/checks/mongo_mapper/base.rb +19 -0
data/lib/stratagem/scan/checks/mongo_mapper/foreign_keys_exposed.rb +32 -0
data/lib/stratagem/scan/checks/routes.rb +16 -0
data/lib/stratagem/scan/checks/ssl/secure_login_page.rb +19 -0
data/lib/stratagem/scan/checks/ssl/secure_login_submit.rb +18 -0
data/lib/stratagem/scan/result.rb +45 -0
data/lib/stratagem/scan.rb +19 -0
data/lib/stratagem/scanner.rb +32 -0
data/lib/stratagem/site_crawler.rb +47 -0
data/lib/stratagem/snapshot.rb +33 -0
data/lib/stratagem.rb +77 -0
data/lib/tasks/_old_stratagem.rake +99 -0
data/stratagem.gemspec +56 -0
metadata +380 -0

data/lib/stratagem/model/components/view.rb ADDED Viewed

@@ -0,0 +1,186 @@
+module Stratagem::Model::Component
+  class View < Base
+    include Stratagem::Model::ParseUtil
+    RAILS_FORM_FIELDS = ['check_box', 'file_field', 'hidden_field', 'password_field', 'radio_button', 'text_area', 'text_field']
+    attr_reader :extension, :render_path # as seen by the controllers
+    def initialize(render_path)
+      render_path =~ /\.(.*)/
+      @extension = $1
+      @path = render_path
+      @render_path = render_path.gsub(/\..*/, '')
+    end
+    def read
+      File.open(full_path) {|file| file.readlines().join }
+    end
+    def partial?
+      File.basename(render_path) =~ /^_/
+    end
+    def full_path
+      File.join(RAILS_ROOT, 'app', 'views', render_path+'.'+extension)
+    end
+    def directory
+      File.dirname(full_path)
+    end
+    def export
+      begin
+        {
+          :type => :view,
+          :path => @path,
+          :render_path => @render_path,
+          :forms => forms.map {|form| form.export }
+        }
+      rescue
+        logger.fatal($!)
+        nil
+      end
+    end
+    def rendered_by
+    end
+    def forms
+      # extract ruby from the html
+      ruby = ruby_blocks(approximate_html).join("\n")
+      # dump ruby into a parse tree
+      begin
+        parse_tree = RedParse.new(ruby).parse
+        # find the form nodes and send to a specialized function
+        forms = []
+        walk_tree(parse_tree) do |node|
+          if (node.kind_of?(RedParse::CallNode) && (node.name =~ /form_/) && (node.block))
+            forms << walk_form(node)
+          end
+        end
+        forms
+      rescue
+        puts "ERROR: Unable to parse ruby. - #{$!.message}"
+        puts ruby
+        []
+      end
+    end
+    def approximate_html
+      html = read().gsub(RUBY_REGEX) do |match|
+        handle_render(match)
+      end
+      html
+    end
+    def handle_render(ruby)
+      # remove the surrounding ruby indicators
+      result = ruby
+      ruby = ruby.stratagem_strip_erb
+      if (ruby =~ /^render/)
+        # load into parse tree
+        parse_tree = RedParse.new(ruby).parse
+        parse_tree.walk {|parent,i,subi,node|
+          case node
+          when RedParse::CallNode #... do something with method calls
+            params = node.params.first # render always takes a hash
+            render_path = nil
+            passed_vars = {}
+            if (params.kind_of?(RedParse::StringNode))
+              render_path = params.first.to_s
+            else
+              render_path = params.get(:partial).first.split('/')
+              object = params.get(:object).name if params.get(:object)
+              locals = params.get(:locals)
+              render_path.last.gsub!(/^/, '_')
+              render_path = render_path.join('/')
+            end
+            full_path = nil
+            if (render_path =~ /\//)
+              full_path = File.join(RAILS_ROOT, 'app', 'views', render_path+"."+extension)
+            else
+              full_path = File.join(directory, render_path+"."+extension)
+            end
+            begin
+              result = File.read(full_path)
+            rescue
+              puts "ERROR: #{full_path} not found"
+            end
+          end
+        }
+      end
+      result
+    end
+    private
+    def walk_tree(tree)
+      tree.walk {|parent,i,subi,node|
+        yield node
+        case node
+        when RedParse::SequenceNode
+          node.each {|child|
+            walk_tree(child) { yield }
+          }
+        end
+      }
+    end
+    def walk_form(form_node)
+      form = Form.new(nil)
+      form_node.block.each {|node|
+        case node
+        when RedParse::CallNode
+          RAILS_FORM_FIELDS.each {|field_name|
+            if (node.name.include?(field_name) && node.params)
+              param = node.params.first
+              value = param.methods_include?(:val) ? param.val : param.to_s
+              form.add_field(value, node.name)
+              break
+            end
+          }
+        end
+      }
+      form
+    end
+  end
+  class Form
+    attr_reader :fields
+    def initialize(model)
+      @fields = []
+    end
+    def add_field(name, type)
+      @fields << FormField.new(name, type)
+    end
+    def export
+      {:model => @model, :fields => @fields.map {|f| f.export } }
+    end
+  end
+  class FormField
+    attr_reader :name, :field_type
+    def initialize(name, field_type)
+      @name = name
+      @field_type = field_type
+    end
+    def export
+      {:name => @name, :field_type => @field_type }
+    end
+  end
+end

data/lib/stratagem/model/parse_util.rb ADDED Viewed

@@ -0,0 +1,61 @@
+module Stratagem::Model
+  module ParseUtil
+    RUBY_REGEX = /\<\%(.*?\%)\>/m
+    RUBY_OUTPUT_REGEX = /\<\%\=(.*?\%)\>/m
+      def self.find_classes(parse_tree)
+        class_names = qualified_class_name(parse_tree)
+        class_names.map {|name|
+          clazz = Kernel
+          begin
+            name.split('::').each {|part| clazz = clazz.const_get(part) }
+            clazz
+          rescue
+            $!
+          end
+        }
+      end
+      # assumes a single class in the tree
+      # will return the qualified class name (modules + class)
+      def self.qualified_class_name(parse_tree)
+        qualified_names = []
+        path = []
+        parse_tree.walk {|parent,i,subi,node|
+          path.pop while (path.include?(parent) && (path.last != parent))
+          path << parent unless path.last == parent
+          qualified_names << (path.clone << node) if node.kind_of?(RedParse::ClassNode)
+          true
+        }
+        qualified_names.map! {|qualified_name|
+          qualified_name.select {|node| node.kind_of?(RedParse::ModuleNode) || node.kind_of?(RedParse::ClassNode)}.map {|node|
+            begin
+              node.name.ident
+            rescue
+              node.name
+            end
+          }.join('::')
+        }
+        qualified_names
+      end
+      def ruby_output_blocks(view_erb)
+        view_erb.scan(RUBY_OUTPUT_REGEX).flatten.map {|line|
+          line.strip.gsub(/^\=\s*/, '').gsub(/\%$/, '').gsub(/\-$/, '')
+        }
+      end
+      def ruby_blocks(view_erb)
+        view_erb.scan(RUBY_REGEX).flatten.map {|line|
+          line.strip.gsub(/^\=\s*/, '').gsub(/\%$/, '').gsub(/\-$/, '')
+        }
+      end
+      def gsub_ruby_blocks(view_erb)
+        view_erb.gsub(RUBY_REGEX) {|ruby|
+          yield ruby
+        }
+      end
+  end
+end

data/lib/stratagem/model.rb ADDED Viewed

@@ -0,0 +1,12 @@
+module Stratagem::Model
+end
+require 'stratagem/model/application'
+require 'stratagem/model/parse_util'
+require 'stratagem/model/components/base'
+require 'stratagem/model/components/reference'
+require 'stratagem/model/components/model'
+require 'stratagem/model/components/view'
+require 'stratagem/model/components/controller'
+require 'stratagem/model/components/route'
+require 'stratagem/model/components/static_file'

data/lib/stratagem/model_builder.rb ADDED Viewed

@@ -0,0 +1,146 @@
+module Stratagem
+  class ModelBuilder
+    attr_reader :parsed_models, :parsed_controllers, :aquifer
+    def initialize
+      @model = Stratagem::Model::Application.instance
+      @aquifer = Stratagem::AutoMock::Aquifer.init(@model)
+    end
+    def run
+      load_plugins
+      load_public
+      load_template_paths
+      load_routes
+      load_models
+      print_errors
+      @aquifer.fill
+      @model
+    end
+    def log(msg)
+      Stratagem.logger.debug msg
+    end
+    def print_errors
+      @model.routes.invalid.each {|route|
+        puts "route: #{route.route.to_s} is invalid"
+      }
+      @model.controllers.missing.each {|controller, routes|
+        puts "controller: #{controller}, with #{routes.size} routes is missing"
+      }
+    end
+    def load_plugins()
+      loader = Rails::Plugin::Loader.new(Rails::Initializer.new(Rails::Configuration.new))
+      loader.load_plugins
+      @model.plugins << loader.initializer.loaded_plugins
+    end
+    def load_models()
+      # load files into classes
+      log "loading models"
+      root = File.join(RAILS_ROOT, 'app','models')
+      load_files(File.join(root)).map {|model|
+        models = Stratagem::Model::Component::Model.load_all(File.join(root, model))
+        models.each do |c|
+          log "\t#{c.klass.name} loaded from #{model}"
+          references = []
+          @model.controllers.each do |controller|
+            references += controller.modifies(c)
+          end
+          log "\t\t#{references.size} references from controllers"
+          c.model_referenced_by = references
+        end
+        @model.models << models
+      }
+      log ""
+    end
+    def load_public
+      log "loading static files"
+      Dir[File.join(RAILS_ROOT, 'public', '**', '*.html')].each {|static|
+        static.gsub!(RAILS_ROOT, '').gsub!(/^\/public\//, '')
+        @model.static_files << Stratagem::Model::Component::StaticFile.new(static)
+        log "\t#{static}"
+      }
+      log ""
+    end
+    def load_template_paths
+      log "loading templates"
+      root = File.join(RAILS_ROOT, 'app','views')
+      load_files(root).map {|template|
+        @model.views << Stratagem::Model::Component::View.new(template)
+        log "\t#{template}"
+      }
+      log ""
+    end
+    def load_routes
+      log 'loading routes'
+      root = File.join(RAILS_ROOT, 'app','controllers')
+      ActionController::Routing::Routes.routes.each {|route|
+        route_container = Stratagem::Model::Component::Route.new(route)
+        @model.routes << route_container
+        begin
+          filename = File.join(root, "#{route.parameter_shell[:controller]}_controller.rb")
+          controllers = @model.controllers.select {|c| c.path == filename }
+          unless controllers.size > 0
+            controllers = Stratagem::Model::Component::Controller.load_all(filename)
+            puts "loading controllers from #{filename} -> controllers #{controllers.map {|c| c.klass.name }.inspect}"
+            @model.controllers << controllers
+          end
+          controller_name = route.parameter_shell[:controller].gsub('/','::').split('::').map {|part| part.camelcase }.join('::')
+          controller_name << 'Controller'
+          controller_class = controllers.find {|controller| controller.klass.name == controller_name }
+          controller_object = controller_class ? controller_class.klass.new : nil
+          controller_action = route.parameter_shell[:action].to_sym
+          if (controller_object) && (controller_object.methods_include?(controller_action))
+            controllers.each do |controller|
+              controller.add_routable_action(controller_action, route.conditions[:method] || :get)
+            end
+          else
+            # if the controller does not contain the indicated method
+            # then check for a template that may be rendered anyway
+            log "\tinvalid route #{route.to_s}"
+            unless @model.views.find {|v| v.render_path == "#{route.parameter_shell[:controller]}/#{controller_action}" }
+              # route is invalid
+              @model.routes.invalid << Stratagem::Model::Component::Route.new(route)
+              log "\tinvalid route #{route.to_s}"
+            end
+          end
+        rescue Errno::ENOENT
+          @model.routes.invalid << Stratagem::Model::Component::Route.new(route)
+        rescue MissingSourceFile
+          @model.routes.invalid << Stratagem::Model::Component::Route.new(route)
+        end
+      }
+      log ""
+    end
+    def load_files(base_dir,path=[],file_list=[])
+      dir = File.join(base_dir, *path)
+      files = Dir.new(dir).entries
+      files.each do |file|
+        next if file =~ /^\./
+        if (File.directory?(File.join(dir, file)))
+          load_files(base_dir, path + [file], file_list)
+        else
+          file_path = File.join(path, file)
+          file_list << file_path
+        end
+      end
+      file_list
+    end
+  end
+end

data/lib/stratagem/recipes/deploy.rb ADDED Viewed

@@ -0,0 +1,30 @@
+Capistrano::Configuration.instance(:must_exist).load do
+  namespace :stratagem do
+    desc "Analyzes your server environments for correct configuration and gem versions."
+    task :default do
+      servers = find_servers_for_task(current_task)
+      servers.each do |server|
+        puts "listing gems on #{server.host}"
+        run "gem list", :hosts => server do |ch, stream, data|
+          if stream == :err
+            logger.fatal "ERROR listing gems #{data}"
+          else # stream == :out
+            gems = {}
+            data.split("\n").each do |line|
+              line =~ /(.*)\s\((.*)\)/
+              name = $1
+              versions = $2.split(', ')
+              gems[name] = versions
+            end
+          end
+        end
+      end
+      # variables.each do |k,v| p k; end
+      # run "echo 'hi'"
+    end
+  end
+end

data/lib/stratagem/scan/checks/capistrano/secure_deploy.rb ADDED Viewed

@@ -0,0 +1,43 @@
+require 'uri'
+# Stratagem::Scan::Checks::SecureDeploy
+module Stratagem::Scan::Checks::Capistrano
+  class SecureDeploy < Stratagem::Scan::Checks::Base
+    SECURE_PROTOCOLS = ['https']
+    def run
+      begin
+        gem 'capistrano'
+        require 'capistrano/configuration'
+        begin
+          config = Capistrano::Configuration.new
+          config.load "config/deploy"
+          vars = config.variables
+          repository_url = vars[:repository]
+          if (repository_url)
+            uri = URI::parse(repository_url)
+            unless (SECURE_PROTOCOLS.include?(uri.scheme.downcase))
+              result(
+              :concern_type => :best_practice,
+              :unique => 'repository_url',
+              :component => nil,
+              :payload => repository_url)
+            end
+          else
+            puts "Unable to locate Capistrano repository in deploy script"
+          end
+        rescue ArgumentError
+          puts "Capistrano deploy script could not be loaded. - #{$!.message}"
+        rescue LoadError
+          puts "Capistrano deploy script not found. - #{$!.message}"
+          puts $!.class.name
+        end
+      rescue Gem::LoadError
+        puts "ERROR: Unable to load Capistrano"
+      end
+    end
+  end
+end

data/lib/stratagem/scan/checks/email_address.rb ADDED Viewed

@@ -0,0 +1,15 @@
+# Stratagem::Scan::Checks::EmailAddress
+module Stratagem::Scan::Checks
+  class EmailAddress < Base
+    include ViewBase
+    Scanner = Regexp.compile(/\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}\b/)
+    def scan(view)
+      view.scan(Scanner).uniq.each do |email|
+        result(:concern_type => :warning, :unique => email, :payload => email)
+      end
+    end
+  end
+end

data/lib/stratagem/scan/checks/error_pages.rb ADDED Viewed

@@ -0,0 +1,25 @@
+# Stratagem::Scan::Checks::ErrorPages
+module Stratagem::Scan::Checks
+  class ErrorPages < Base
+    include ViewBase
+    Strings = {
+      404 => ['The page you were looking for doesn\'t exist.', 'You may have mistyped the address or the page may have moved.'],
+      500 => ['We\'re sorry, but something went wrong.', 'We\'ve been notified about this issue and we\'ll take a look at it shortly.']
+    }
+    def scan(view)
+      Strings.each {|type, set|
+        matched = true
+        set.each {|s|
+          unless view.include?(s)
+            matched = false
+            break
+          end
+        }
+        result(:concern_type => :best_practice, :unique => type, :payload => type) if (matched)
+      }
+    end
+  end
+end

data/lib/stratagem/scan/checks/filter_parameter_logging.rb ADDED Viewed

@@ -0,0 +1,6 @@
+# note -
+# should render views
+# look at form paths
+# anything that is "password"
+# should be filtered
+# also password, password_confirmation

data/lib/stratagem/scan/checks/mongo_mapper/base.rb ADDED Viewed

@@ -0,0 +1,19 @@
+module Stratagem::Scan::Checks::MongoMapper
+  class Base < Stratagem::Scan::Checks::Base
+    alias_method :parent_result, :result
+    def run
+      if (self.class.method_defined?(:scan))
+        application_model.models.each {|model|
+          log "scanning model #{model.klass.name}"
+          scan(model)
+        }
+      end
+    end
+    def result(hash)
+      hash[:specialization] = :mongo_mapper
+      parent_result(hash)
+    end
+  end
+end

data/lib/stratagem/scan/checks/mongo_mapper/foreign_keys_exposed.rb ADDED Viewed

@@ -0,0 +1,32 @@
+# Stratagem::Scan::Checks::MassAssignment
+module Stratagem::Scan::Checks::MongoMapper
+  class ForeignKeysExposed < Base
+    def description
+      "analyzes application to find models vulnerable to mass assignment"
+    end
+    def scan(model)
+      return unless model.methods_include?(:stratagem)
+      # look up the controllers that reference it
+      instance = model.klass.new
+      assignable_keys = model.model_assignable_attributes & instance.stratagem.foreign_keys
+      if (assignable_keys.size > 0)
+        references = application_model.controllers.map {|controller| controller.modifies(model) }.flatten.compact
+        concern_type = references.size > 0 ? :error : :best_practice
+        solution_payload = assignable_keys
+        result(
+          :concern_type => concern_type,
+          :unique => model.klass.name,
+          :payload => model.klass.name,
+          :component => model,
+          :confirmed => false,
+          :solution_payload => solution_payload
+        )
+      end
+    end
+  end
+end

data/lib/stratagem/scan/checks/routes.rb ADDED Viewed

@@ -0,0 +1,16 @@
+# Stratagem::Scan::Checks::EmailAddress
+module Stratagem::Scan::Checks
+  class Routes < Base
+    def run
+      application_model.routes.invalid.each {|route|
+        payload = {
+          :path => route.route.segments.inject("") { |str,s| str << s.to_s },
+          :method => route.route.conditions[:method],
+          :requirements => route.route.requirements
+        }
+        result :concern_type => :best_practice, :unique => payload.inspect, :payload => payload
+      }
+    end
+  end
+end

data/lib/stratagem/scan/checks/ssl/secure_login_page.rb ADDED Viewed

@@ -0,0 +1,19 @@
+# Stratagem::Scan::Checks::EmailAddress
+module Stratagem::Scan::Checks::Ssl
+  class SecureLoginPage < Stratagem::Scan::Checks::Base
+    def run
+      auth = application_model.crawler.authentication
+      if (auth.success && !auth.login_page.response.request.ssl?)
+        route = application_model.routes.recognize(auth.login_page)
+        payload = {
+          :path => auth.login_page.response.request.path,
+          :method => auth.login_page.response.request.method,
+          :action => route.action
+        }
+        result :concern_type => :error, :unique => :secure_login_page, :component => route.controller, :payload => payload
+      end
+    end
+  end
+end

data/lib/stratagem/scan/checks/ssl/secure_login_submit.rb ADDED Viewed

@@ -0,0 +1,18 @@
+# Stratagem::Scan::Checks::EmailAddress
+module Stratagem::Scan::Checks::Ssl
+  class SecureLoginSubmit < Stratagem::Scan::Checks::Base
+    def run
+      auth = application_model.crawler.authentication
+      if (auth.success && !auth.ssl)
+        route = application_model.routes.recognize(auth.response_page)
+        payload = {
+          :path => auth.response_page.response.request.path,
+          :method => auth.response_page.response.request.method,
+          :action => route.action
+        }
+        result :concern_type => :error, :unique => :secure_login_submit, :component => route.controller, :payload => payload
+      end
+    end
+  end
+end

data/lib/stratagem/scan/result.rb ADDED Viewed

@@ -0,0 +1,45 @@
+# Stratagem::Scan::Result
+module Stratagem::Scan
+  # Each security check emits 1 or more result objects based on its findings
+  # Payload is an arbitrary piece of data that the check produces. It must be able to be encoded to JSON
+  # Unique is a value that identifies the check result within the namespace of the check
+  class Result
+    attr_accessor :unique, :check, :component, :payload, :line_number, :code, :passed, :concern_type, :confirmed, :solution_payload, :specialization
+    # passed = true / false
+    def initialize(args)
+      args.each {|key,value| self.send("#{key}=", value) }
+    end
+    def export
+      h = {
+        :guid => guid,
+        :check_name => check_name,
+        :specialization => specialization,
+        :component => component_name,
+        :payload => payload,
+        :line_number => line_number,
+        :code => code,
+        :concern_type => concern_type,
+        :confirmed => confirmed || false,
+        :solution_payload => solution_payload
+      }
+      h[:path] = component.path.gsub(RAILS_ROOT+'/', '') if component
+      h
+    end
+    def component_name
+      component ? component.name : nil
+    end
+    def check_name
+      check ? check.name : nil
+    end
+    def guid
+      "#{check_name.underscore}:#{(component_name || '').underscore}:#{unique.to_s.underscore}"
+    end
+  end
+end