stratagem 0.1.7

data/lib/stratagem/scan.rb

@@ -0,0 +1,19 @@
+module Stratagem::Scan
+end
+
+# require 'stratagem/scan/result'
+# require 'stratagem/scan/checks/base'
+# require 'stratagem/scan/checks/email_address'
+# require 'stratagem/scan/checks/error_pages'
+# require 'stratagem/scan/checks/routes'
+# require 'stratagem/scan/checks/filter_parameter_logging'
+# require 'stratagem/scan/checks/erb/xss_global'
+# require 'stratagem/scan/checks/ssl/secure_login_page'
+# require 'stratagem/scan/checks/ssl/secure_login_submit'
+# require 'stratagem/scan/checks/capistrano/secure_deploy'
+# require 'stratagem/scan/checks/active_record/base'
+# require 'stratagem/scan/checks/active_record/attr_accessible'
+# require 'stratagem/scan/checks/active_record/internal_attributes_exposed'
+# require 'stratagem/scan/checks/active_record/foreign_keys_exposed'
+# require 'stratagem/scan/checks/mongo_mapper/base'
+# require 'stratagem/scan/checks/mongo_mapper/foreign_keys_exposed'

data/lib/stratagem/scanner.rb

@@ -0,0 +1,32 @@
+module Stratagem
+  class Scanner
+    attr_reader :results
+    
+    def initialize(model)
+      @model = model
+      @results = []
+    end
+    
+    def run
+      # Object.subclasses_of(Stratagem::Scan::Checks::Base).each {|check|
+      #   log "running security check: #{check}"
+      #   puts "running #{check}"
+      #   check = check.new(@model)
+      #   check.run
+      #   @results += check.results
+      #   log ""
+      # }
+      # self
+    end
+    
+    def export
+      { :results => [] }
+    end
+
+    def log(msg)
+      Stratagem.logger.debug msg
+    end
+    
+  end
+
+end

data/lib/stratagem/site_crawler.rb

@@ -0,0 +1,47 @@
+module Stratagem
+  class SiteCrawler
+    include Stratagem::Crawler::Session
+
+    def initialize(application_model)
+      @application_model = application_model
+    end
+    
+    def run
+      crawler_session(@application_model) do
+        log "crawling site"
+        phase(:unauthenticated)
+        crawl
+        display
+        authenticated = authenticate
+        
+        if (authenticated)
+          phase(:authenticated)
+          crawl
+          display
+        end
+      end
+      
+      self
+    end  
+    
+    def export
+      phases = site_models.map {|phase,model| 
+        h = model.export
+        h[:name] = phase
+        h
+      }
+      {
+        :authentication => {
+          :success => authentication.success, 
+          :login_page_external_id => authentication.login_page.object_id, 
+          :response_page_external_id => authentication.response_page.object_id,
+          :ssl => authentication.ssl
+        },
+        :phases => phases
+      }
+    end
+
+    attr_accessor :success, :login_page, :form, :response_page, :ssl
+
+  end
+end

data/lib/stratagem/snapshot.rb

@@ -0,0 +1,33 @@
+module Stratagem
+  class Snapshot
+    attr_reader :project_name, :timestamp, :model, :scanner
+
+    def self.create(project_name)
+      
+      logger.phase('modeling_application')
+      model = Stratagem::ModelBuilder.new.run
+
+      # Crawl site 
+      logger.phase('traversing_site')
+      model.crawler = Stratagem::SiteCrawler.new(model).run
+
+      logger.phase('vulnerability_scanning')
+      scanner = Stratagem::Scanner.new(model).run
+
+      snapshot = self.new(project_name, Time.now, model, scanner)
+    end
+
+    def self.logger
+      Stratagem.logger
+    end
+
+    protected
+
+    def initialize(project_name, timestamp, model, scanner)
+      @project_name = project_name
+      @timestamp = timestamp
+      @model = model
+      @scanner = scanner
+    end
+  end
+end

data/lib/stratagem.rb

@@ -0,0 +1,77 @@
+class StratagemError < RuntimeError
+  attr_accessor :target
+
+  def initialize(*args)
+    super(*args)
+    (@@all ||= []) << self
+  end
+end
+
+require 'rubygems'
+require 'haml'
+require 'launchy'
+require 'redparse'
+require 'stratagem/blocker'
+require 'stratagem/logger'
+require 'stratagem/extensions'
+require 'stratagem/framework_extensions'
+
+require 'stratagem/model'
+require 'stratagem/auto_mock'
+
+require 'stratagem/authentication'
+require 'stratagem/client'
+require 'stratagem/command'
+require 'stratagem/model_builder'
+require 'stratagem/scanner'
+require 'stratagem/scan'
+require 'stratagem/crawler'
+require 'stratagem/site_crawler'
+require 'stratagem/snapshot'
+
+require 'stratagem/commands'
+
+module Stratagem
+  @@blocker = Blocker.new
+  @@running = false
+  @@session_id = Time.now.to_f.to_s # the interface uses this to determine which instance of the client it's talking to
+
+  def self.session_id
+    @@session_id
+  end
+
+  def self.logger
+    Stratagem::Logger.instance
+  end
+
+  def self.domain
+    ENV['STRATAGEM_HOST'] || 'stratagemapp.com'
+  end
+
+  def self.wait_for_completion
+    @@blocker.wait
+  end
+
+  def self.complete
+    @@blocker.notify
+  end
+
+  def self.analyze
+    unless (@@running)
+      @@running = true
+      Thread.new {
+        begin
+          authentication = Stratagem::Authentication.instance
+          snapshot = Stratagem::Snapshot.create(authentication.project)
+          Stratagem::Client.new(authentication).send(snapshot)
+        rescue
+          puts $!.message
+          puts $!.backtrace
+        ensure
+          complete
+        end
+      }
+    end
+  end
+end
+

data/lib/tasks/_old_stratagem.rake

@@ -0,0 +1,99 @@
+
+# this is a hack for the integration test session. some versions do not correctly
+# close the body from the Rack request, causing an error
+require 'rack/lint'
+module Rack
+  # Rack::Lint validates your application and the requests and
+  # responses according to the Rack spec.
+
+  class Lint
+    alias_method :old_call, :call
+
+    def call(env)
+      status, headers, body = old_call(env)
+      body.close
+      [status,headers,body]
+    end
+  end
+end
+
+namespace :stratagem do
+  task :default => [:analyze]
+
+  task :analyze => :environment do
+    require 'stratagem'
+
+    authentication = Stratagem::Authentication.new
+
+    snapshot = Stratagem::Snapshot.create(authentication.project)
+    Stratagem::Client.new(authentication).send(snapshot)
+
+    puts "--------------"
+    snapshot.model.views.each do |view|
+      next if view.partial?
+      puts "#{view.render_path} - #{view.forms.map {|f| f.export }.inspect}"
+    end
+    
+    Launchy::Browser.run("#{authentication.base_url}/projects/#{authentication.project}")
+  end
+
+  task :exercise => :environment do
+    require 'stratagem'
+
+    class Mocker
+      include Stratagem::AutoMock
+    end
+    
+    include ActionController::Integration::Runner
+    model = Stratagem::ModelBuilder.new.run
+
+    @mocker = Mocker.new
+    
+    model.models.each do |model|
+      model_builder = @mocker.setup_model(model.klass)
+      if (model_builder)
+        begin
+          mocked = model_builder.mock{}
+          puts "VALID? #{mocked.valid?}"
+        rescue
+          puts $!.message
+          puts "^^^^^^^^^^^^^^^^^^^"
+        end
+        
+      else
+        puts "unable to locate builder for #{model.klass.name}"
+      end
+      
+    end
+
+    open_session do |session|
+      model.routes.each {|route_container|
+        route = route_container.route
+        name = ActionController::Routing::Routes.named_routes.routes.index(route).to_s
+        verb = route.conditions[:method].to_s
+        segs = route.segments.inject("") { |str,s| str << s.to_s }
+        segs.chop! if segs.length > 1
+        reqs = route.requirements.empty? ? "" : route.requirements.inspect
+        route = {:name => name, :verb => verb, :segs => segs, :reqs => reqs}
+
+        if ((route[:verb] != '') && (route[:verb] != 'any'))
+          path = route[:segs].gsub('(.:format)', '')
+
+          puts route[:verb]
+          puts path
+
+          self.send(route[:verb], path)
+          session.reset!
+
+        end
+  #      puts route[:name]
+  #      p route.requirements
+      }
+    end
+
+#    routes.each do |r|
+#      puts "#{r[:name].rjust(name_width)} #{r[:verb].ljust(verb_width)} #{r[:segs].ljust(segs_width)} #{r[:reqs]}"
+#    end
+
+  end
+end

data/stratagem.gemspec

@@ -0,0 +1,56 @@
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{stratagem}
+  s.version = "0.1.7"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Charles Grimes"]
+  s.date = %q{2010-08-09}
+  s.default_executable = %q{stratagem}
+  s.description = %q{Intuitive security analysis of your Rails applications}
+  s.email = %q{cj@stratagemapp.com}
+  s.executables = ["stratagem"]
+  s.extra_rdoc_files = ["bin/stratagem", "lib/bootstrap.rb", "lib/stratagem.rb", "lib/stratagem/authentication.rb", "lib/stratagem/auto_mock.rb", "lib/stratagem/auto_mock/aquifer.rb", "lib/stratagem/auto_mock/factory.rb", "lib/stratagem/auto_mock/value_generator.rb", "lib/stratagem/blocker.rb", "lib/stratagem/client.rb", "lib/stratagem/command.rb", "lib/stratagem/commands.rb", "lib/stratagem/commands/analyze.rb", "lib/stratagem/commands/base.rb", "lib/stratagem/commands/devel_crawl.rb", "lib/stratagem/commands/devel_mock.rb", "lib/stratagem/crawler.rb", "lib/stratagem/crawler/authentication.rb", "lib/stratagem/crawler/form.rb", "lib/stratagem/crawler/html_utils.rb", "lib/stratagem/crawler/session.rb", "lib/stratagem/crawler/site_model.rb", "lib/stratagem/crawler/trace_utils.rb", "lib/stratagem/extensions.rb", "lib/stratagem/extensions/class.rb", "lib/stratagem/extensions/hash.rb", "lib/stratagem/extensions/module.rb", "lib/stratagem/extensions/object.rb", "lib/stratagem/extensions/red_parse.rb", "lib/stratagem/extensions/string.rb", "lib/stratagem/framework_extensions.rb", "lib/stratagem/framework_extensions/controllers.rb", "lib/stratagem/framework_extensions/controllers/action_controller.rb", "lib/stratagem/framework_extensions/controllers/action_mailer.rb", "lib/stratagem/framework_extensions/models.rb", "lib/stratagem/framework_extensions/models/adapters/active_model/detect.rb", "lib/stratagem/framework_extensions/models/adapters/active_model/extensions.rb", "lib/stratagem/framework_extensions/models/adapters/active_model/metadata.rb", "lib/stratagem/framework_extensions/models/adapters/active_model/tracing.rb", "lib/stratagem/framework_extensions/models/adapters/authlogic/detect.rb", "lib/stratagem/framework_extensions/models/adapters/authlogic/extensions.rb", "lib/stratagem/framework_extensions/models/adapters/authlogic/metadata.rb", "lib/stratagem/framework_extensions/models/adapters/authlogic/tracing.rb", "lib/stratagem/framework_extensions/models/adapters/common/authentication_metadata.rb", "lib/stratagem/framework_extensions/models/adapters/restful_authentication/detect.rb", "lib/stratagem/framework_extensions/models/adapters/restful_authentication/extensions.rb", "lib/stratagem/framework_extensions/models/adapters/restful_authentication/metadata.rb", "lib/stratagem/framework_extensions/models/adapters/restful_authentication/tracing.rb", "lib/stratagem/framework_extensions/models/annotations.rb", "lib/stratagem/framework_extensions/models/detect.rb", "lib/stratagem/framework_extensions/models/metadata.rb", "lib/stratagem/framework_extensions/models/mocking.rb", "lib/stratagem/framework_extensions/models/tracing.rb", "lib/stratagem/framework_extensions/rails.rb", "lib/stratagem/interface/browser.rb", "lib/stratagem/interface/public/images/backgrounds/content.png", "lib/stratagem/interface/public/images/backgrounds/shadow.png", "lib/stratagem/interface/public/javascripts/jquery-1.4.2.min.js", "lib/stratagem/interface/public/javascripts/stratagem.js", "lib/stratagem/interface/public/javascripts/stratagem_debug.js", "lib/stratagem/interface/public/stylesheets/960.css", "lib/stratagem/interface/public/stylesheets/reset.css", "lib/stratagem/interface/public/stylesheets/stratagem.css", "lib/stratagem/interface/public/stylesheets/stratagem_debug.css", "lib/stratagem/interface/views/debug.haml", "lib/stratagem/interface/views/index.haml", "lib/stratagem/labs/auto_mock.rb", "lib/stratagem/labs/crawler.rb", "lib/stratagem/logger.rb", "lib/stratagem/model.rb", "lib/stratagem/model/application.rb", "lib/stratagem/model/components/base.rb", "lib/stratagem/model/components/controller.rb", "lib/stratagem/model/components/model.rb", "lib/stratagem/model/components/reference.rb", "lib/stratagem/model/components/route.rb", "lib/stratagem/model/components/static_file.rb", "lib/stratagem/model/components/view.rb", "lib/stratagem/model/parse_util.rb", "lib/stratagem/model_builder.rb", "lib/stratagem/recipes/deploy.rb", "lib/stratagem/scan.rb", "lib/stratagem/scan/checks/capistrano/secure_deploy.rb", "lib/stratagem/scan/checks/email_address.rb", "lib/stratagem/scan/checks/error_pages.rb", "lib/stratagem/scan/checks/filter_parameter_logging.rb", "lib/stratagem/scan/checks/mongo_mapper/base.rb", "lib/stratagem/scan/checks/mongo_mapper/foreign_keys_exposed.rb", "lib/stratagem/scan/checks/routes.rb", "lib/stratagem/scan/checks/ssl/secure_login_page.rb", "lib/stratagem/scan/checks/ssl/secure_login_submit.rb", "lib/stratagem/scan/result.rb", "lib/stratagem/scanner.rb", "lib/stratagem/site_crawler.rb", "lib/stratagem/snapshot.rb", "lib/tasks/_old_stratagem.rake"]
+  s.files = ["Manifest", "Rakefile", "bin/stratagem", "init.rb", "lib/bootstrap.rb", "lib/stratagem.rb", "lib/stratagem/authentication.rb", "lib/stratagem/auto_mock.rb", "lib/stratagem/auto_mock/aquifer.rb", "lib/stratagem/auto_mock/factory.rb", "lib/stratagem/auto_mock/value_generator.rb", "lib/stratagem/blocker.rb", "lib/stratagem/client.rb", "lib/stratagem/command.rb", "lib/stratagem/commands.rb", "lib/stratagem/commands/analyze.rb", "lib/stratagem/commands/base.rb", "lib/stratagem/commands/devel_crawl.rb", "lib/stratagem/commands/devel_mock.rb", "lib/stratagem/crawler.rb", "lib/stratagem/crawler/authentication.rb", "lib/stratagem/crawler/form.rb", "lib/stratagem/crawler/html_utils.rb", "lib/stratagem/crawler/session.rb", "lib/stratagem/crawler/site_model.rb", "lib/stratagem/crawler/trace_utils.rb", "lib/stratagem/extensions.rb", "lib/stratagem/extensions/class.rb", "lib/stratagem/extensions/hash.rb", "lib/stratagem/extensions/module.rb", "lib/stratagem/extensions/object.rb", "lib/stratagem/extensions/red_parse.rb", "lib/stratagem/extensions/string.rb", "lib/stratagem/framework_extensions.rb", "lib/stratagem/framework_extensions/controllers.rb", "lib/stratagem/framework_extensions/controllers/action_controller.rb", "lib/stratagem/framework_extensions/controllers/action_mailer.rb", "lib/stratagem/framework_extensions/models.rb", "lib/stratagem/framework_extensions/models/adapters/active_model/detect.rb", "lib/stratagem/framework_extensions/models/adapters/active_model/extensions.rb", "lib/stratagem/framework_extensions/models/adapters/active_model/metadata.rb", "lib/stratagem/framework_extensions/models/adapters/active_model/tracing.rb", "lib/stratagem/framework_extensions/models/adapters/authlogic/detect.rb", "lib/stratagem/framework_extensions/models/adapters/authlogic/extensions.rb", "lib/stratagem/framework_extensions/models/adapters/authlogic/metadata.rb", "lib/stratagem/framework_extensions/models/adapters/authlogic/tracing.rb", "lib/stratagem/framework_extensions/models/adapters/common/authentication_metadata.rb", "lib/stratagem/framework_extensions/models/adapters/restful_authentication/detect.rb", "lib/stratagem/framework_extensions/models/adapters/restful_authentication/extensions.rb", "lib/stratagem/framework_extensions/models/adapters/restful_authentication/metadata.rb", "lib/stratagem/framework_extensions/models/adapters/restful_authentication/tracing.rb", "lib/stratagem/framework_extensions/models/annotations.rb", "lib/stratagem/framework_extensions/models/detect.rb", "lib/stratagem/framework_extensions/models/metadata.rb", "lib/stratagem/framework_extensions/models/mocking.rb", "lib/stratagem/framework_extensions/models/tracing.rb", "lib/stratagem/framework_extensions/rails.rb", "lib/stratagem/interface/browser.rb", "lib/stratagem/interface/public/images/backgrounds/content.png", "lib/stratagem/interface/public/images/backgrounds/shadow.png", "lib/stratagem/interface/public/javascripts/jquery-1.4.2.min.js", "lib/stratagem/interface/public/javascripts/stratagem.js", "lib/stratagem/interface/public/javascripts/stratagem_debug.js", "lib/stratagem/interface/public/stylesheets/960.css", "lib/stratagem/interface/public/stylesheets/reset.css", "lib/stratagem/interface/public/stylesheets/stratagem.css", "lib/stratagem/interface/public/stylesheets/stratagem_debug.css", "lib/stratagem/interface/views/debug.haml", "lib/stratagem/interface/views/index.haml", "lib/stratagem/labs/auto_mock.rb", "lib/stratagem/labs/crawler.rb", "lib/stratagem/logger.rb", "lib/stratagem/model.rb", "lib/stratagem/model/application.rb", "lib/stratagem/model/components/base.rb", "lib/stratagem/model/components/controller.rb", "lib/stratagem/model/components/model.rb", "lib/stratagem/model/components/reference.rb", "lib/stratagem/model/components/route.rb", "lib/stratagem/model/components/static_file.rb", "lib/stratagem/model/components/view.rb", "lib/stratagem/model/parse_util.rb", "lib/stratagem/model_builder.rb", "lib/stratagem/recipes/deploy.rb", "lib/stratagem/scan.rb", "lib/stratagem/scan/checks/capistrano/secure_deploy.rb", "lib/stratagem/scan/checks/email_address.rb", "lib/stratagem/scan/checks/error_pages.rb", "lib/stratagem/scan/checks/filter_parameter_logging.rb", "lib/stratagem/scan/checks/mongo_mapper/base.rb", "lib/stratagem/scan/checks/mongo_mapper/foreign_keys_exposed.rb", "lib/stratagem/scan/checks/routes.rb", "lib/stratagem/scan/checks/ssl/secure_login_page.rb", "lib/stratagem/scan/checks/ssl/secure_login_submit.rb", "lib/stratagem/scan/result.rb", "lib/stratagem/scanner.rb", "lib/stratagem/site_crawler.rb", "lib/stratagem/snapshot.rb", "lib/tasks/_old_stratagem.rake", "stratagem.gemspec"]
+  s.homepage = %q{http://github.com/stratagem/stratagem}
+  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Stratagem"]
+  s.require_paths = ["lib"]
+  s.rubyforge_project = %q{stratagem}
+  s.rubygems_version = %q{1.3.7}
+  s.summary = %q{Intuitive security analysis of your Rails applications}
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<launchy>, [">= 0.3.5"])
+      s.add_runtime_dependency(%q<redparse>, [">= 0.8.4"])
+      s.add_runtime_dependency(%q<haml>, [">= 3.0.0"])
+      s.add_development_dependency(%q<launchy>, [">= 0.3.5"])
+      s.add_development_dependency(%q<redparse>, [">= 0.8.4"])
+      s.add_development_dependency(%q<sinatra>, ["= 1.0"])
+      s.add_development_dependency(%q<haml>, [">= 3.0.0"])
+      s.add_development_dependency(%q<webrat>, [">= 0.4.3"])
+    else
+      s.add_dependency(%q<launchy>, [">= 0.3.5"])
+      s.add_dependency(%q<redparse>, [">= 0.8.4"])
+      s.add_dependency(%q<haml>, [">= 3.0.0"])
+      s.add_dependency(%q<launchy>, [">= 0.3.5"])
+      s.add_dependency(%q<redparse>, [">= 0.8.4"])
+      s.add_dependency(%q<sinatra>, ["= 1.0"])
+      s.add_dependency(%q<haml>, [">= 3.0.0"])
+      s.add_dependency(%q<webrat>, [">= 0.4.3"])
+    end
+  else
+    s.add_dependency(%q<launchy>, [">= 0.3.5"])
+    s.add_dependency(%q<redparse>, [">= 0.8.4"])
+    s.add_dependency(%q<haml>, [">= 3.0.0"])
+    s.add_dependency(%q<launchy>, [">= 0.3.5"])
+    s.add_dependency(%q<redparse>, [">= 0.8.4"])
+    s.add_dependency(%q<sinatra>, ["= 1.0"])
+    s.add_dependency(%q<haml>, [">= 3.0.0"])
+    s.add_dependency(%q<webrat>, [">= 0.4.3"])
+  end
+end