tainted_love 0.1.3 → 0.1.4

Sign up to get free protection for your applications and to get access to all the features.
Files changed (73) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +2 -1
  3. data/Gemfile.lock +1 -1
  4. data/README.md +8 -0
  5. data/example/Gemfile.lock +1 -1
  6. data/example/test/test_helper.rb +3 -1
  7. data/lib/tainted_love/replacer/replace_action_view.rb +1 -1
  8. data/lib/tainted_love/reporter/file_reporter.rb +9 -5
  9. data/lib/tainted_love/reporter/stdout_reporter.rb +29 -9
  10. data/lib/tainted_love/validator/railties_yaml_load.rb +16 -0
  11. data/lib/tainted_love/version.rb +1 -1
  12. data/tools/web/.gitignore +1 -0
  13. data/tools/web/Gemfile +3 -0
  14. data/tools/web/application.rb +39 -0
  15. data/tools/web/public/application.css +79 -0
  16. data/tools/web/public/application.js +0 -0
  17. data/tools/web/views/index.erb +57 -0
  18. data/tools/web/views/layout.erb +25 -0
  19. data/tools/web/views/line.erb +11 -0
  20. data/tools/web/views/warning.erb +3 -0
  21. data/tools/web/views/warnings.erb +3 -0
  22. metadata +13 -53
  23. data/docs/TaintedLove.html +0 -482
  24. data/docs/TaintedLove/Configuration.html +0 -499
  25. data/docs/TaintedLove/Replacer.html +0 -129
  26. data/docs/TaintedLove/Replacer/ActionViewHelpersMod.html +0 -230
  27. data/docs/TaintedLove/Replacer/Base.html +0 -320
  28. data/docs/TaintedLove/Replacer/HelperMod.html +0 -226
  29. data/docs/TaintedLove/Replacer/HelpersMod.html +0 -230
  30. data/docs/TaintedLove/Replacer/MarshalMod.html +0 -178
  31. data/docs/TaintedLove/Replacer/ObjectMod.html +0 -282
  32. data/docs/TaintedLove/Replacer/ReplaceActionController.html +0 -329
  33. data/docs/TaintedLove/Replacer/ReplaceActionView.html +0 -317
  34. data/docs/TaintedLove/Replacer/ReplaceActiveRecord.html +0 -341
  35. data/docs/TaintedLove/Replacer/ReplaceDigest.html +0 -369
  36. data/docs/TaintedLove/Replacer/ReplaceFile.html +0 -245
  37. data/docs/TaintedLove/Replacer/ReplaceKernel.html +0 -211
  38. data/docs/TaintedLove/Replacer/ReplaceMarshal.html +0 -219
  39. data/docs/TaintedLove/Replacer/ReplaceObject.html +0 -231
  40. data/docs/TaintedLove/Replacer/ReplaceRailsUserInput.html +0 -374
  41. data/docs/TaintedLove/Replacer/ReplaceSprokets.html +0 -297
  42. data/docs/TaintedLove/Replacer/SprocketsHelperMod.html +0 -226
  43. data/docs/TaintedLove/Reporter.html +0 -117
  44. data/docs/TaintedLove/Reporter/Base.html +0 -466
  45. data/docs/TaintedLove/Reporter/RackReporter.html +0 -309
  46. data/docs/TaintedLove/Reporter/SinatraReporter.html +0 -402
  47. data/docs/TaintedLove/Reporter/SinatraReporter/App.html +0 -210
  48. data/docs/TaintedLove/Reporter/StdoutReporter.html +0 -305
  49. data/docs/TaintedLove/SinatraReporter.html +0 -387
  50. data/docs/TaintedLove/SinatraReporter/App.html +0 -210
  51. data/docs/TaintedLove/StackTrace.html +0 -650
  52. data/docs/TaintedLove/Utils.html +0 -550
  53. data/docs/TaintedLove/Validator.html +0 -129
  54. data/docs/TaintedLove/Validator/ActionViewObjectSend.html +0 -233
  55. data/docs/TaintedLove/Validator/Base.html +0 -200
  56. data/docs/TaintedLove/Validator/ErbEval.html +0 -229
  57. data/docs/TaintedLove/Validator/RedisStoreSerialization.html +0 -238
  58. data/docs/TaintedLove/Validator/SproketsMarshal.html +0 -233
  59. data/docs/TaintedLove/Warning.html +0 -665
  60. data/docs/_index.html +0 -371
  61. data/docs/class_list.html +0 -51
  62. data/docs/css/common.css +0 -1
  63. data/docs/css/full_list.css +0 -58
  64. data/docs/css/style.css +0 -496
  65. data/docs/file.README.html +0 -134
  66. data/docs/file_list.html +0 -56
  67. data/docs/frames.html +0 -17
  68. data/docs/index.html +0 -134
  69. data/docs/js/app.js +0 -292
  70. data/docs/js/full_list.js +0 -216
  71. data/docs/js/jquery.js +0 -4
  72. data/docs/method_list.html +0 -523
  73. data/docs/top-level-namespace.html +0 -110
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: d0d4b253cbb40cf8c1c658682f4c9a9a8695a4a1b1d1b61d62124abc181e9d12
4
- data.tar.gz: ead923b6e9b2e8fb89121cca2dc6af2c6d1211973ca2718ecd190ded5d72e815
3
+ metadata.gz: 6d5eb5ea6986c6fffe63248c5145f9fb26d7bf7b9d6ad410aa0a4964470caf0b
4
+ data.tar.gz: 3d0b52d13d15d2c2b05e9ef923b2a058259379ba4d863f81764b577276c01eb3
5
5
  SHA512:
6
- metadata.gz: 34b5745138153509199f446220de3e3a398d5c342af104c2a0e6e8ef9ee35bbda9efbdccb60c8c05ec0fbeadc723213a23e8d68f77773004c8ef07ff1122c80d
7
- data.tar.gz: 3d821a663b21ca2e3c9071a8df1b76f2958def79565bd4025c3523ad7d8aab0386298913688b729d6767faf7a475834207aa117dc5a66336f16a68f595f22e16
6
+ metadata.gz: 74bd34b8c35b692160f2fb63ffaba86d50f7e4dd88e23dedfc7838e65bb116068f79ca026d02534c5b82b8a1dcfa6f8af52b5446416942d4fe5b90bb550d824e
7
+ data.tar.gz: 9a28610d1f6c337ea91dd11b45a1f6d089279fbdcdd49feb7fc2c8aa5d78a21cde439dae16fdc9b78f74844834c37acb167780bc79f757e878045a3b37f8b7c1
data/.gitignore CHANGED
@@ -9,4 +9,5 @@
9
9
 
10
10
  # rspec failure tracking
11
11
  .rspec_status
12
- notes.org
12
+ notes.org
13
+ /docs
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- tainted_love (0.1.3)
4
+ tainted_love (0.1.4)
5
5
 
6
6
  GEM
7
7
  remote: https://rubygems.org/
data/README.md CHANGED
@@ -1,7 +1,15 @@
1
+ ![License](https://img.shields.io/github/license/shopify/tainted_love.svg)
2
+ ![Version](https://img.shields.io/gem/v/tainted_love.svg)
3
+
4
+
1
5
  # TaintedLove
2
6
 
3
7
  TaintedLove is a dynamic security analysis tool for Ruby. It leverages Ruby's object tainting and monkey patching features to identify vulnerable code paths at runtime.
4
8
 
9
+ - [Getting Started](https://github.com/Shopify/tainted_love/wiki/Getting-Started)
10
+ - [Wiki](https://github.com/Shopify/tainted_love/wiki)
11
+ - [API documentation](https://www.rubydoc.info/gems/tainted_love/)
12
+
5
13
  ## Installation
6
14
 
7
15
  Add this line to your application's Gemfile:
data/example/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: ..
3
3
  specs:
4
- tainted_love (0.1.3)
4
+ tainted_love (0.1.4)
5
5
 
6
6
  GEM
7
7
  remote: https://rubygems.org/
@@ -10,7 +10,9 @@ module TaintedLoveHelpers
10
10
  mock = Minitest::Mock.new
11
11
 
12
12
  n.times do
13
- mock.expect(:call, nil, [Object, Object])
13
+ mock.expect(:call, nil) do
14
+ true
15
+ end
14
16
  end
15
17
 
16
18
  TaintedLove.stub(:report, mock, &block)
@@ -28,7 +28,7 @@ module TaintedLove
28
28
  def render(*args, &block)
29
29
  super(*args) do |*sub_args, &sub_block|
30
30
  block.call(*sub_args, &sub_block).untaint
31
- end
31
+ end.untaint
32
32
  end
33
33
  end
34
34
 
@@ -8,10 +8,9 @@ module TaintedLove
8
8
  class FileReporter < Base
9
9
  attr_reader :file_path
10
10
 
11
- def initialize
12
- super
13
-
14
- @file_path = '/tmp/tainted_love.json'
11
+ def initialize(file_path = '/tmp/tainted_love.json')
12
+ super()
13
+ @file_path = file_path
15
14
  end
16
15
 
17
16
  def add_warning(warning)
@@ -21,7 +20,12 @@ module TaintedLove
21
20
  end
22
21
 
23
22
  def update_file
24
- File.write(@file_path, @warnings.to_json)
23
+ report = {
24
+ 'warnings': @warnings,
25
+ 'application_path': Dir.pwd,
26
+ }
27
+
28
+ File.write(@file_path, report.to_json)
25
29
  end
26
30
  end
27
31
  end
@@ -4,26 +4,46 @@ module TaintedLove
4
4
  module Reporter
5
5
  # Reporter that outputs warnings in the console
6
6
  class StdoutReporter < Base
7
+ attr_reader :stack_trace_size, :app_path
8
+
9
+ def initialize
10
+ super
11
+
12
+ @stack_trace_size = 5
13
+ @app_path = Dir.pwd
14
+ end
15
+
7
16
  def add_warning(warning)
8
- puts ''
9
- puts format_warning(warning)
10
- puts ''
17
+ puts
18
+ format_warning(warning)
19
+ puts
11
20
  end
12
21
 
13
22
  def format_warning(warning)
14
- out = []
15
- out << "[!] Tainted input found by #{warning.replacer}"
16
- out << warning.stack_trace.trace_hash
23
+ puts '[!] TaintedLove'
24
+ puts "#{warning.stack_trace.trace_hash[0...8]} #{warning.message} [#{warning.tags.join(', ')}]"
17
25
 
18
- out << if warning.tainted_input.size < 100
26
+ tainted_input = if warning.tainted_input.size < 100
19
27
  warning.tainted_input.inspect
20
28
  else
21
29
  warning.tainted_input.inspect[0..100] + '...'
22
30
  end
23
31
 
24
- out << warning.stack_trace.lines.take(5)
32
+ puts 'Tainted input: ' + tainted_input
33
+
34
+ warning.stack_trace.lines.take(@stack_trace_size).each do |line|
35
+ puts format_line(line)
36
+
37
+ next unless line[:file].starts_with?(@app_path)
38
+
39
+ File.read(line[:file]).lines.each_with_index.drop(line[:line_number] - 2).take(3).each do |(code, n)|
40
+ puts "| #{n}\t#{code}"
41
+ end
42
+ end
43
+ end
25
44
 
26
- out.join("\n")
45
+ def format_line(line)
46
+ line[:file].sub(Dir.pwd, '.') + ':' + line[:line_number].to_s + ' in ' + line[:method]
27
47
  end
28
48
  end
29
49
  end
@@ -0,0 +1,16 @@
1
+ # frozen_string_literal: true
2
+
3
+ module TaintedLove
4
+ module Validator
5
+ class RailtiesYamlLoad < Base
6
+ def remove?(warning)
7
+ line = warning.stack_trace_line
8
+
9
+ Object.const_defined?('Rails') &&
10
+ warning.replacer == :ReplaceYAML &&
11
+ line[:file]['rails/application.rb'] &&
12
+ line[:method] == 'config_for'
13
+ end
14
+ end
15
+ end
16
+ end
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module TaintedLove
4
- VERSION = '0.1.3'
4
+ VERSION = '0.1.4'
5
5
  end
@@ -0,0 +1 @@
1
+ Gemfile.lock
data/tools/web/Gemfile ADDED
@@ -0,0 +1,3 @@
1
+ # frozen_string_literal: true
2
+
3
+ gem 'sinatra'
@@ -0,0 +1,39 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'sinatra'
4
+ require 'json'
5
+
6
+ REPORT_PATH = ARGV[0]
7
+
8
+ unless REPORT_PATH
9
+ puts "usage: ruby application.rb path/to/report.json"
10
+ exit(1)
11
+ end
12
+
13
+ unless File.exist?(REPORT_PATH)
14
+ puts "Cannot open report file: #{REPORT_PATH}"
15
+ exit(1)
16
+ end
17
+
18
+ helpers do
19
+ def prepare_inputs(warning)
20
+ warning['inputs'].sort_by { |_, reported_at| -reported_at }
21
+ end
22
+
23
+ def h(text)
24
+ Rack::Utils.escape_html(text)
25
+ end
26
+
27
+ def render_source(file, line)
28
+ File.read(file).lines.each.with_index.drop(line - 2).take(3).to_a
29
+ end
30
+ end
31
+
32
+ get '/' do
33
+ @report = JSON.parse(File.read(REPORT_PATH))
34
+ @warnings = @report['warnings'].sort_by do |_, code_path|
35
+ -code_path['inputs'].map { |_, reported_at| reported_at }.max
36
+ end.to_h
37
+
38
+ erb :index
39
+ end
@@ -0,0 +1,79 @@
1
+ body {
2
+ font-family: sans-serif;
3
+ margin: 0;
4
+ background-color: #efefef;
5
+ }
6
+
7
+ .clear {
8
+ clear: both;
9
+ }
10
+
11
+ nav {
12
+ background-color: #0081d3;
13
+ color: white;
14
+ padding: 1em;
15
+ }
16
+
17
+ h1, ul {
18
+ margin: 0;
19
+ font-size: 1em;
20
+ }
21
+
22
+ nav h1 {
23
+ float: left;
24
+ }
25
+
26
+ nav ul {
27
+ float: right;
28
+ }
29
+
30
+ nav li {
31
+ display: inline;
32
+ margin-left: 1em;
33
+ }
34
+
35
+ nav a {
36
+ color: white;
37
+ }
38
+
39
+ #wrapper {
40
+ padding: 1em;
41
+ }
42
+
43
+ .warning {
44
+ background-color: white;
45
+ padding: 1em;
46
+ margin-bottom: 1em;
47
+ }
48
+
49
+ h2 {
50
+ margin: 0;
51
+ font-size: 1em;
52
+ }
53
+
54
+ .stack_trace .line {
55
+ font-family: monospace;
56
+ }
57
+
58
+ .tag {
59
+ font-size: 0.8em;
60
+ background-color: #9EBABA;
61
+ padding: 0.1em 0.3em;
62
+ }
63
+
64
+ details summary {
65
+ font-size: 0.8em;
66
+ }
67
+
68
+ .code {
69
+ padding-left: 1em;
70
+ }
71
+
72
+ .code pre {
73
+ margin: 0;
74
+ }
75
+
76
+ .code pre:before {
77
+ content: attr(data-line);
78
+ margin-right: 1em;
79
+ }
File without changes
@@ -0,0 +1,57 @@
1
+ <div id="warnings">
2
+ <% @warnings.each do |trace_hash, warning| %>
3
+ <div class="warning">
4
+ <h2>
5
+ <%= trace_hash[0...8] %>
6
+ -
7
+ <%= warning['message'] %>
8
+ </h2>
9
+
10
+ <div class="details">
11
+ <p class="stack_trace">
12
+ <% warning['stack_trace'].take(5).each do |line| %>
13
+ <%= erb :line, locals: { line: line } %>
14
+ <% end %>
15
+
16
+ <details>
17
+ <summary>Show more</summary>
18
+
19
+ <% warning['stack_trace'].drop(5).each do |line| %>
20
+ <%= erb :line, locals: { line: line } %>
21
+ <% end %>
22
+ </details>
23
+ </p>
24
+ <hr/>
25
+ <p class="inputs">
26
+ <% inputs = prepare_inputs(warning) %>
27
+
28
+ <% inputs.take(5).each do |(input, reported_at)| %>
29
+ <div class="input">
30
+ <code><%=h input.inspect %></code>
31
+ <small>reported at <%= Time.at(reported_at) %></small>
32
+ </div>
33
+ <% end %>
34
+
35
+ <% if inputs.size > 5 %>
36
+ <details>
37
+ <summary>Show more</summary>
38
+
39
+ <% inputs.drop(5).each do |(input, reported_at)| %>
40
+ <div class="input">
41
+ <code><%=h input.inspect %></code>
42
+ <small>reported at <%= Time.at(reported_at) %></small>
43
+ </div>
44
+ <% end %>
45
+ </details>
46
+ <% end %>
47
+ </p>
48
+
49
+ <div>
50
+ <% warning['tags'].each do |tag| %>
51
+ <span class="tag">#<%= tag %></span>
52
+ <% end %>
53
+ </div>
54
+ </div>
55
+ </div>
56
+ <% end %>
57
+ </div>
@@ -0,0 +1,25 @@
1
+ <!doctype html>
2
+ <html lang="en">
3
+ <head>
4
+ <meta charset="UTF-8"/>
5
+ <title>TaintedLove</title>
6
+ <link href="application.css" rel="stylesheet"/>
7
+ </head>
8
+ <body>
9
+ <nav>
10
+ <h1>TaintedLove</h1>
11
+ <ul>
12
+ <li><%= @warnings.size %> warnings</li>
13
+ <li><a href="?">Refresh</a></li>
14
+ </ul>
15
+
16
+ <div class="clear"></div>
17
+ </nav>
18
+
19
+ <div id="wrapper">
20
+ <%= yield %>
21
+ </div>
22
+
23
+ <script src="application.js"></script>
24
+ </body>
25
+ </html>
@@ -0,0 +1,11 @@
1
+ <div class="line">
2
+ <a href="file://<%= line['file'] %>">
3
+ <%= line['file'].sub(@report['application_path'], '.') %></a><span>:<%= line['line_number'] %></span> in <%= line['method'] %>
4
+ <% if line['file'].start_with?(@report['application_path']) %>
5
+ <div class="code">
6
+ <% render_source(line['file'], line['line_number']).each do |(code, line_number)| %>
7
+ <pre data-line="<%= line_number %>"><%= code %></pre>
8
+ <% end %>
9
+ </div>
10
+ <% end %>
11
+ </div>
@@ -0,0 +1,3 @@
1
+ <div class="warning">
2
+ <%= warning.class %>
3
+ </div>
@@ -0,0 +1,3 @@
1
+ <% @warnings.each do |warning|%>
2
+ <%= erb :warning, layout: false, locals: { warning: warning } %>
3
+ <% end %>
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: tainted_love
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.3
4
+ version: 0.1.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Benoit Cote-Jodoin
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2019-04-24 00:00:00.000000000 Z
11
+ date: 2019-04-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -103,57 +103,6 @@ files:
103
103
  - bin/setup
104
104
  - bin/test
105
105
  - dev.yml
106
- - docs/TaintedLove.html
107
- - docs/TaintedLove/Configuration.html
108
- - docs/TaintedLove/Replacer.html
109
- - docs/TaintedLove/Replacer/ActionViewHelpersMod.html
110
- - docs/TaintedLove/Replacer/Base.html
111
- - docs/TaintedLove/Replacer/HelperMod.html
112
- - docs/TaintedLove/Replacer/HelpersMod.html
113
- - docs/TaintedLove/Replacer/MarshalMod.html
114
- - docs/TaintedLove/Replacer/ObjectMod.html
115
- - docs/TaintedLove/Replacer/ReplaceActionController.html
116
- - docs/TaintedLove/Replacer/ReplaceActionView.html
117
- - docs/TaintedLove/Replacer/ReplaceActiveRecord.html
118
- - docs/TaintedLove/Replacer/ReplaceDigest.html
119
- - docs/TaintedLove/Replacer/ReplaceFile.html
120
- - docs/TaintedLove/Replacer/ReplaceKernel.html
121
- - docs/TaintedLove/Replacer/ReplaceMarshal.html
122
- - docs/TaintedLove/Replacer/ReplaceObject.html
123
- - docs/TaintedLove/Replacer/ReplaceRailsUserInput.html
124
- - docs/TaintedLove/Replacer/ReplaceSprokets.html
125
- - docs/TaintedLove/Replacer/SprocketsHelperMod.html
126
- - docs/TaintedLove/Reporter.html
127
- - docs/TaintedLove/Reporter/Base.html
128
- - docs/TaintedLove/Reporter/RackReporter.html
129
- - docs/TaintedLove/Reporter/SinatraReporter.html
130
- - docs/TaintedLove/Reporter/SinatraReporter/App.html
131
- - docs/TaintedLove/Reporter/StdoutReporter.html
132
- - docs/TaintedLove/SinatraReporter.html
133
- - docs/TaintedLove/SinatraReporter/App.html
134
- - docs/TaintedLove/StackTrace.html
135
- - docs/TaintedLove/Utils.html
136
- - docs/TaintedLove/Validator.html
137
- - docs/TaintedLove/Validator/ActionViewObjectSend.html
138
- - docs/TaintedLove/Validator/Base.html
139
- - docs/TaintedLove/Validator/ErbEval.html
140
- - docs/TaintedLove/Validator/RedisStoreSerialization.html
141
- - docs/TaintedLove/Validator/SproketsMarshal.html
142
- - docs/TaintedLove/Warning.html
143
- - docs/_index.html
144
- - docs/class_list.html
145
- - docs/css/common.css
146
- - docs/css/full_list.css
147
- - docs/css/style.css
148
- - docs/file.README.html
149
- - docs/file_list.html
150
- - docs/frames.html
151
- - docs/index.html
152
- - docs/js/app.js
153
- - docs/js/full_list.js
154
- - docs/js/jquery.js
155
- - docs/method_list.html
156
- - docs/top-level-namespace.html
157
106
  - example/.gitignore
158
107
  - example/.ruby-version
159
108
  - example/Gemfile
@@ -283,11 +232,22 @@ files:
283
232
  - lib/tainted_love/validator/action_view_object_send.rb
284
233
  - lib/tainted_love/validator/base.rb
285
234
  - lib/tainted_love/validator/erb_eval.rb
235
+ - lib/tainted_love/validator/railties_yaml_load.rb
286
236
  - lib/tainted_love/validator/redis_store_serialization.rb
287
237
  - lib/tainted_love/validator/sprokets_marshal.rb
288
238
  - lib/tainted_love/version.rb
289
239
  - lib/tainted_love/warning.rb
290
240
  - tainted_love.gemspec
241
+ - tools/web/.gitignore
242
+ - tools/web/Gemfile
243
+ - tools/web/application.rb
244
+ - tools/web/public/application.css
245
+ - tools/web/public/application.js
246
+ - tools/web/views/index.erb
247
+ - tools/web/views/layout.erb
248
+ - tools/web/views/line.erb
249
+ - tools/web/views/warning.erb
250
+ - tools/web/views/warnings.erb
291
251
  homepage: https://github.com/Shopify/tainted_love
292
252
  licenses:
293
253
  - MIT