stratagem 0.1.7

data/Manifest

@@ -0,0 +1,99 @@
+Manifest
+Rakefile
+bin/stratagem
+init.rb
+lib/bootstrap.rb
+lib/stratagem.rb
+lib/stratagem/authentication.rb
+lib/stratagem/auto_mock.rb
+lib/stratagem/auto_mock/aquifer.rb
+lib/stratagem/auto_mock/factory.rb
+lib/stratagem/auto_mock/value_generator.rb
+lib/stratagem/blocker.rb
+lib/stratagem/client.rb
+lib/stratagem/command.rb
+lib/stratagem/commands.rb
+lib/stratagem/commands/analyze.rb
+lib/stratagem/commands/base.rb
+lib/stratagem/commands/devel_crawl.rb
+lib/stratagem/commands/devel_mock.rb
+lib/stratagem/crawler.rb
+lib/stratagem/crawler/authentication.rb
+lib/stratagem/crawler/form.rb
+lib/stratagem/crawler/html_utils.rb
+lib/stratagem/crawler/session.rb
+lib/stratagem/crawler/site_model.rb
+lib/stratagem/crawler/trace_utils.rb
+lib/stratagem/extensions.rb
+lib/stratagem/extensions/class.rb
+lib/stratagem/extensions/hash.rb
+lib/stratagem/extensions/module.rb
+lib/stratagem/extensions/object.rb
+lib/stratagem/extensions/red_parse.rb
+lib/stratagem/extensions/string.rb
+lib/stratagem/framework_extensions.rb
+lib/stratagem/framework_extensions/controllers.rb
+lib/stratagem/framework_extensions/controllers/action_controller.rb
+lib/stratagem/framework_extensions/controllers/action_mailer.rb
+lib/stratagem/framework_extensions/models.rb
+lib/stratagem/framework_extensions/models/adapters/active_model/detect.rb
+lib/stratagem/framework_extensions/models/adapters/active_model/extensions.rb
+lib/stratagem/framework_extensions/models/adapters/active_model/metadata.rb
+lib/stratagem/framework_extensions/models/adapters/active_model/tracing.rb
+lib/stratagem/framework_extensions/models/adapters/authlogic/detect.rb
+lib/stratagem/framework_extensions/models/adapters/authlogic/extensions.rb
+lib/stratagem/framework_extensions/models/adapters/authlogic/metadata.rb
+lib/stratagem/framework_extensions/models/adapters/authlogic/tracing.rb
+lib/stratagem/framework_extensions/models/adapters/common/authentication_metadata.rb
+lib/stratagem/framework_extensions/models/adapters/restful_authentication/detect.rb
+lib/stratagem/framework_extensions/models/adapters/restful_authentication/extensions.rb
+lib/stratagem/framework_extensions/models/adapters/restful_authentication/metadata.rb
+lib/stratagem/framework_extensions/models/adapters/restful_authentication/tracing.rb
+lib/stratagem/framework_extensions/models/annotations.rb
+lib/stratagem/framework_extensions/models/detect.rb
+lib/stratagem/framework_extensions/models/metadata.rb
+lib/stratagem/framework_extensions/models/mocking.rb
+lib/stratagem/framework_extensions/models/tracing.rb
+lib/stratagem/framework_extensions/rails.rb
+lib/stratagem/interface/browser.rb
+lib/stratagem/interface/public/images/backgrounds/content.png
+lib/stratagem/interface/public/images/backgrounds/shadow.png
+lib/stratagem/interface/public/javascripts/jquery-1.4.2.min.js
+lib/stratagem/interface/public/javascripts/stratagem.js
+lib/stratagem/interface/public/javascripts/stratagem_debug.js
+lib/stratagem/interface/public/stylesheets/960.css
+lib/stratagem/interface/public/stylesheets/reset.css
+lib/stratagem/interface/public/stylesheets/stratagem.css
+lib/stratagem/interface/public/stylesheets/stratagem_debug.css
+lib/stratagem/interface/views/debug.haml
+lib/stratagem/interface/views/index.haml
+lib/stratagem/labs/auto_mock.rb
+lib/stratagem/labs/crawler.rb
+lib/stratagem/logger.rb
+lib/stratagem/model.rb
+lib/stratagem/model/application.rb
+lib/stratagem/model/components/base.rb
+lib/stratagem/model/components/controller.rb
+lib/stratagem/model/components/model.rb
+lib/stratagem/model/components/reference.rb
+lib/stratagem/model/components/route.rb
+lib/stratagem/model/components/static_file.rb
+lib/stratagem/model/components/view.rb
+lib/stratagem/model/parse_util.rb
+lib/stratagem/model_builder.rb
+lib/stratagem/recipes/deploy.rb
+lib/stratagem/scan.rb
+lib/stratagem/scan/checks/capistrano/secure_deploy.rb
+lib/stratagem/scan/checks/email_address.rb
+lib/stratagem/scan/checks/error_pages.rb
+lib/stratagem/scan/checks/filter_parameter_logging.rb
+lib/stratagem/scan/checks/mongo_mapper/base.rb
+lib/stratagem/scan/checks/mongo_mapper/foreign_keys_exposed.rb
+lib/stratagem/scan/checks/routes.rb
+lib/stratagem/scan/checks/ssl/secure_login_page.rb
+lib/stratagem/scan/checks/ssl/secure_login_submit.rb
+lib/stratagem/scan/result.rb
+lib/stratagem/scanner.rb
+lib/stratagem/site_crawler.rb
+lib/stratagem/snapshot.rb
+lib/tasks/_old_stratagem.rake

data/Rakefile

@@ -0,0 +1,17 @@
+require 'rubygems'
+require 'rake'
+require 'echoe'
+
+Echoe.new('stratagem', '0.1.7') do |p|
+  p.description    = "Intuitive security analysis of your Rails applications"
+  p.url            = "http://github.com/stratagem/stratagem"
+  p.author         = "Charles Grimes"
+  p.email          = "cj@stratagemapp.com"
+  p.executable_pattern = ['bin/*']
+  p.ignore_pattern = ["tmp/*", "script/*", "spec/*", "webapp/*"]
+  p.runtime_dependencies = ["launchy >=0.3.5", "redparse >=0.8.4", "haml >=3.0.0"]
+  p.development_dependencies = ["launchy >=0.3.5", "redparse >=0.8.4", "sinatra =1.0", "haml >=3.0.0", "webrat >=0.4.3"]
+  # p.requirements ["Install the stratagem-ui gem for the web browser interface."]
+end
+
+Dir["#{File.dirname(__FILE__)}/tasks/*.rake"].sort.each { |ext| load ext }

data/bin/stratagem

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+RAILS_ENV='test'
+
+require 'rubygems'
+require File.join(Dir.pwd, 'config', 'boot')
+require 'bootstrap'
+require './config/environment'
+
+Stratagem::Command.run(ARGV[0])

data/init.rb

@@ -0,0 +1,2 @@
+require 'launchy'
+require 'stratagem'

data/lib/bootstrap.rb

@@ -0,0 +1,31 @@
+
+# inject environment helpers into Rails class to be used during bootstrapping
+Rails.class_eval do
+  def self.stratagem_production_env
+    @stratagem_initial_env ||= @_env
+    @_env = ActiveSupport::StringInquirer.new('production')
+  end
+
+  def self.stratagem_restore_env
+    @_env = @stratagem_initial_env
+  end
+end
+
+
+# Inject env change into Rails initializer prior to loading controllers
+# but after framework is initialized. This is to force SSL to work as
+# if the app were running in production mode
+Rails::Initializer.class_eval do
+  alias_method :rails_load_application_classes, :load_application_classes
+
+  def load_application_classes
+    puts "LOADING APPLICATION CLASSES"
+    # load stratagem
+    require 'stratagem'
+
+    Rails.stratagem_production_env
+    rails_load_application_classes
+    Rails.stratagem_restore_env
+  end
+
+end

data/lib/stratagem/authentication.rb

@@ -0,0 +1,64 @@
+require 'open-uri'
+require 'singleton'
+
+module Stratagem
+  class Authentication
+    include Singleton
+
+    FILENAME = '.stratagem'
+    
+    attr_reader :token, :project
+
+    def store_credentials(account, token, project)
+      File.open(FILENAME, 'w') do |f|
+        f.puts account
+        f.puts token
+        f.puts project
+      end
+      reload_credentials
+    end
+
+    def url
+      if (credentials.nil?)
+        base_url+"/project_links/new"
+      else
+        base_url+"/project_links/validate/#{credentials[:token]}/#{credentials[:project]}"
+      end
+    end
+
+    def base_url
+      subdomain = credentials ? credentials[:account] : 'www' 
+      "http://#{subdomain}.#{Stratagem.domain}"
+    end
+
+    def project_url
+      "#{base_url}/projects/#{credentials[:project]}?api_key=#{credentials[:token]}"
+    end
+
+    def credentials
+      @credentials ||= load_credentials  
+    end
+
+    private
+      def reload_credentials
+        @credentials = nil
+        credentials
+      end
+
+      def load_credentials
+        if File.exists?(FILENAME)
+          credentials = nil
+          File.open(FILENAME) do |f|
+            credentials = {
+              :account => f.readline.strip,
+              :token => f.readline.strip,
+              :project => f.readline.strip
+            }
+          end
+          return credentials
+        else
+          return nil
+        end
+      end
+  end
+end

data/lib/stratagem/auto_mock/aquifer.rb

@@ -0,0 +1,86 @@
+require 'timeout'
+
+module Stratagem::AutoMock
+  class Aquifer
+    include Singleton
+    include Factory
+
+    attr_accessor :application
+
+    def self.init(application)
+      at_exit { self.instance.destroy }
+      self.instance.application = application
+      self.instance
+    end
+
+    def destroy
+      objects = self.repo.values.inject([]) {|memo,obj| memo += obj.compact }
+      i = 0
+      while (objects.size > 0 && ((i+=1) < objects.size))
+        objects = objects.select do |instance|
+          puts "deleting #{instance.class.name}"
+          begin
+            instance.destroy
+          rescue
+            begin
+              instance.delete
+            rescue
+              puts "Unable to delete object: #{instance.class.name} - #{$!.message}"
+              puts $!.backtrace
+            end
+          end
+          !instance.frozen?
+        end
+      end
+    end
+
+    def instances_of(model_klass)
+      repo[model_klass].clone
+    end
+
+    def random_instance(model_klass)
+      objects = repo[model_klass]
+      puts "found #{objects.size} instances in well"
+      instance = objects[rand objects.size]
+      instance
+    end
+
+    def fill
+      Stratagem.logger.phase "mocking_models"
+      application.models.each do |meta_model|
+        models = mock_model(meta_model.klass) if (meta_model.stratagem?)
+      end
+      puts "aquifer full"
+      application.models.each do |meta_model|
+        puts "#{meta_model.klass.name}"
+        (repo[meta_model.klass] || []).each do |instance|
+          puts "\t#{instance.id}"
+        end
+      end
+    end
+
+    def mock_model(klass, count=2)
+      count.times do |i|
+        instance,valid = mock(klass)
+      end
+    end
+
+    protected
+
+    def instance_call(instance, method, *args)
+      begin
+        timeout(3) do
+          instance.send(method, *args)
+        end
+      rescue Timeout::Error
+        e = StratagemError.new("unable to call method #{method} on model #{instance.class.name}, timed out") # log it
+        puts e.message
+      end
+    end
+
+
+    def repo
+      mocked
+    end
+  end
+end

data/lib/stratagem/auto_mock/factory.rb

@@ -0,0 +1,213 @@
+module Stratagem::AutoMock
+  @@bank = {} # key is model class, value is an array of mocked instances
+
+  # todo - move these to a generic automock file
+  class MockError < StratagemError; end
+  class UnsupportedModelError < MockError; end
+  class UnsupportedColumnTypeError < MockError; end
+  class ColumnValidationError < MockError; end
+  class ParentsExhaustedError < MockError; end
+
+  module Factory
+    include ValueGenerator
+
+    def mock(model,mock_chain=[], belongs_to=nil)
+      return if mock_chain.select {|m| m == model }.size > 1
+      mock_chain << model
+
+      object,valid = model.new, nil
+      begin
+        10.times do |i|
+          log "mocking model #{model.name}"
+          populate_attributes(object, mock_chain)
+          correct_invalid_columns(object, mock_chain)
+          
+          valid = populate_relations(object, mock_chain, belongs_to)
+
+          # allow relationship attributes to be invalid
+          valid = save_object(object) if (valid)
+        
+          if valid
+            add_mocked(object)
+            break
+          end
+        end
+      rescue
+        puts $!.class.name
+        puts $!.message
+        puts $!.backtrace
+        e = MockError.new("Unexpected error mocking model #{model.name}")
+        e.target = $!
+        # raise e
+      end
+
+      return [object,valid] if valid
+    end
+
+    protected
+
+    def add_mocked(instance)
+      (mocked[instance.class] ||= []) << instance
+    end
+
+    def mocked(model=nil)
+      @mocked ||= {}
+      if (model)
+        @mocked[model] ||= []
+      else
+        @mocked
+      end
+    end
+
+    def populate_attributes(object, mock_chain)
+      exclude = [:created_at, :updated_at] + object.stratagem.relation_names + object.stratagem.foreign_keys + object.stratagem.internal_attributes
+      
+      # exclude the confirmation attributes, as they will be set automatically
+      exclude += object.stratagem.validations(nil, :validates_confirmation_of).map {|v| (v.field.to_s+"_confirmation").to_sym }
+      exclude += object.stratagem.exclude_attributes_for_mocking
+      exclude += object.stratagem.internal_attributes
+
+      exclude_regex = [/^photo/, /picture/]
+      names = object.stratagem.attribute_names.select {|n| n !~ /_id$/ } - exclude
+      puts "mocking names: #{names.inspect}"
+      puts "excluded: #{exclude.inspect}"
+      puts "internal: #{object.stratagem.internal_attributes.inspect}"
+      names.each do |attr_name|
+        next if exclude_regex.find {|r| attr_name =~ r }
+        set_attribute_value(object, attr_name, mock_chain)
+      end
+
+      # check for fields that should be forced into specific values
+      object.stratagem.validations.select {|v| [:validates_acceptance_of, :validates_presence_of].include?(v.validation) }.each do |validator|
+        value = validator.args[:with] || validator.args[:accept]
+        set_attribute_value(object, validator.field, mock_chain, value) if (value && value.kind_of?(String))
+      end
+
+      (object.stratagem.invalid_columns(object)).size == 0
+    end
+
+    def populate_relations(object, mock_chain, belongs_to=nil)
+      # belongs_to relations
+      object.stratagem.relation_names(:belongs_to).each do |attr_name|
+        relation = object.stratagem.relation(attr_name)
+        if (belongs_to && belongs_to.class == relation.klass)
+          object.send(attr_name.to_s+"=", belongs_to)
+        else
+          instances = mocked(relation.klass)
+          if (instances.size > 1)
+            object.send(attr_name.to_s+"=", instances[rand instances.size])
+          else
+            set_attribute_value(object, attr_name, mock_chain)
+          end
+        end
+      end
+
+      # has_many relations
+      # object.stratagem.relation_names(:has_many).each do |attr_name|
+      #   relation = object.stratagem.relation(attr_name)
+      #   # select the instances that don't have an existing belongs_to for this relation type
+      #   instances = mocked(relation.klass).select {|i| 
+      #     br = i.stratagem.relations.find {|r| r.klass == i.class }
+      #     if (br && !i.send(br.name).nil?)
+      #       false
+      #     else
+      #       true
+      #     end
+      #   }
+      #   if (instances.size > 2)
+      #     collection = object.send(attr_name.to_s)
+      #     collection << instances[rand instances.size]
+      #   else
+      #     mock(relation.klass, mock_chain, object)
+      #   end
+      # end
+
+      (object.stratagem.invalid_columns(object)).size == 0
+    end
+
+    def correct_invalid_columns(object, mock_chain)
+      exclude = [:created_at, :updated_at] + object.stratagem.relation_names + object.stratagem.foreign_keys
+
+      # randomize over incorrect values and try to correct
+      (object.stratagem.invalid_columns(object) - exclude).each do |error_column|
+        puts "\t\terrors for #{error_column}: #{object.errors[error_column].inspect}"
+
+        i = 0
+        begin
+          value = set_attribute_value(object, error_column, mock_chain)
+          print_value = value || 'nil'
+          #log "\tattempting value #{print_value} for column #{error_column} to correct error - invalid columns: #{object.stratagem.invalid_columns(object)}" 
+          i += 1
+        end while object.stratagem.invalid_columns(object).include?(error_column) && (i < 200)
+
+        if object.stratagem.invalid_columns(object).include?(error_column)
+          raise Stratagem::AutoMock::ColumnValidationError.new("Column #{error_column} cannot be resolved") 
+        end
+      end
+      object
+    end
+
+    def save_object(object)
+      valid = true
+      retries = 0
+      begin
+        object.save!
+      rescue Stratagem::AutoMock::MockError
+        puts "Error mocking #{klass.name}"
+        valid = false
+      rescue
+        puts object.stratagem.mock_attributes.inspect
+        puts "Error mocking #{object.class.name} - #{$!.message}"
+        error_column = object.stratagem.column_from_error($!)
+        puts "\terror column: #{error_column}"
+        if error_column && !object.stratagem.foreign_keys.include?(error_column)
+          if retries < 100
+            puts "\tretrying to correct field #{error_column} that was missing validation"
+            set_attribute_value(object, error_column, [])
+            retries += 1
+            retry 
+          else
+            valid = false
+          end
+        else
+          valid = false
+        end
+        puts $!.backtrace unless valid
+      end
+      valid
+    end
+
+    def set_attribute_value(object, attr_name, mock_chain=[], value=nil)
+      return if attr_name.to_s =~ /_confirmation$/ # ignore confirmation fields
+
+      unless value
+        if (object.stratagem.relation_names.include?(attr_name))
+          puts "\tmocking relation #{attr_name} for #{object.class.name}"
+          relation = object.stratagem.relation(attr_name)
+          value,valid = mock(relation.klass, mock_chain+[object.class])
+          value = nil unless valid
+        else
+          value = generate_value(attr_name, object.stratagem.attribute_type(attr_name))
+          #puts "#{attr_name} -> #{value}"
+        end
+      end
+
+      object.send("#{attr_name}=", value)
+      object.stratagem.write_mock_attribute(attr_name, value)
+
+      confirmation_writer = "#{attr_name}_confirmation="
+      if object.methods_include?(confirmation_writer) || (object.stratagem.validations(attr_name, :validates_confirmation_of).size > 0)
+        puts "setting confirmation field for #{attr_name}"
+        object.send(confirmation_writer, value)
+        object.stratagem.write_mock_attribute("#{attr_name}_confirmation".to_sym, value)
+      end
+
+
+      value
+    end
+
+    def log(msg)
+      Stratagem.logger.debug msg
+    end
+  end
+end