tainted_love 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d0d4b253cbb40cf8c1c658682f4c9a9a8695a4a1b1d1b61d62124abc181e9d12
-  data.tar.gz: ead923b6e9b2e8fb89121cca2dc6af2c6d1211973ca2718ecd190ded5d72e815
+  metadata.gz: 6d5eb5ea6986c6fffe63248c5145f9fb26d7bf7b9d6ad410aa0a4964470caf0b
+  data.tar.gz: 3d0b52d13d15d2c2b05e9ef923b2a058259379ba4d863f81764b577276c01eb3
 SHA512:
-  metadata.gz: 34b5745138153509199f446220de3e3a398d5c342af104c2a0e6e8ef9ee35bbda9efbdccb60c8c05ec0fbeadc723213a23e8d68f77773004c8ef07ff1122c80d
-  data.tar.gz: 3d821a663b21ca2e3c9071a8df1b76f2958def79565bd4025c3523ad7d8aab0386298913688b729d6767faf7a475834207aa117dc5a66336f16a68f595f22e16
+  metadata.gz: 74bd34b8c35b692160f2fb63ffaba86d50f7e4dd88e23dedfc7838e65bb116068f79ca026d02534c5b82b8a1dcfa6f8af52b5446416942d4fe5b90bb550d824e
+  data.tar.gz: 9a28610d1f6c337ea91dd11b45a1f6d089279fbdcdd49feb7fc2c8aa5d78a21cde439dae16fdc9b78f74844834c37acb167780bc79f757e878045a3b37f8b7c1

data/.gitignore

@@ -9,4 +9,5 @@
 
 # rspec failure tracking
 .rspec_status
-notes.org
+notes.org
+/docs

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    tainted_love (0.1.3)
+    tainted_love (0.1.4)
 
 GEM
   remote: https://rubygems.org/

data/README.md

@@ -1,7 +1,15 @@
+![License](https://img.shields.io/github/license/shopify/tainted_love.svg)
+![Version](https://img.shields.io/gem/v/tainted_love.svg)
+
+
 # TaintedLove
 
 TaintedLove is a dynamic security analysis tool for Ruby. It leverages Ruby's object tainting and monkey patching features to identify vulnerable code paths at runtime.
 
+- [Getting Started](https://github.com/Shopify/tainted_love/wiki/Getting-Started)
+- [Wiki](https://github.com/Shopify/tainted_love/wiki)
+- [API documentation](https://www.rubydoc.info/gems/tainted_love/)
+
 ## Installation
 
 Add this line to your application's Gemfile:

data/example/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    tainted_love (0.1.3)
+    tainted_love (0.1.4)
 
 GEM
   remote: https://rubygems.org/

data/example/test/test_helper.rb

@@ -10,7 +10,9 @@ module TaintedLoveHelpers
     mock = Minitest::Mock.new
 
     n.times do
-      mock.expect(:call, nil, [Object, Object])
+      mock.expect(:call, nil) do
+        true
+      end
     end
 
     TaintedLove.stub(:report, mock, &block)

data/lib/tainted_love/replacer/replace_action_view.rb

@@ -28,7 +28,7 @@ module TaintedLove
           def render(*args, &block)
             super(*args) do |*sub_args, &sub_block|
               block.call(*sub_args, &sub_block).untaint
-            end
+            end.untaint
           end
         end
 

data/lib/tainted_love/reporter/file_reporter.rb

@@ -8,10 +8,9 @@ module TaintedLove
     class FileReporter < Base
       attr_reader :file_path
 
-      def initialize
-        super
-
-        @file_path = '/tmp/tainted_love.json'
+      def initialize(file_path = '/tmp/tainted_love.json')
+        super()
+        @file_path = file_path
       end
 
       def add_warning(warning)
@@ -21,7 +20,12 @@ module TaintedLove
       end
 
       def update_file
-        File.write(@file_path, @warnings.to_json)
+        report = {
+          'warnings': @warnings,
+          'application_path': Dir.pwd,
+        }
+
+        File.write(@file_path, report.to_json)
       end
     end
   end

data/lib/tainted_love/reporter/stdout_reporter.rb

@@ -4,26 +4,46 @@ module TaintedLove
   module Reporter
     # Reporter that outputs warnings in the console
     class StdoutReporter < Base
+      attr_reader :stack_trace_size, :app_path
+
+      def initialize
+        super
+
+        @stack_trace_size = 5
+        @app_path = Dir.pwd
+      end
+
       def add_warning(warning)
-        puts ''
-        puts format_warning(warning)
-        puts ''
+        puts
+        format_warning(warning)
+        puts
       end
 
       def format_warning(warning)
-        out = []
-        out << "[!] Tainted input found by #{warning.replacer}"
-        out << warning.stack_trace.trace_hash
+        puts '[!] TaintedLove'
+        puts "#{warning.stack_trace.trace_hash[0...8]} #{warning.message} [#{warning.tags.join(', ')}]"
 
-        out << if warning.tainted_input.size < 100
+        tainted_input = if warning.tainted_input.size < 100
           warning.tainted_input.inspect
         else
           warning.tainted_input.inspect[0..100] + '...'
         end
 
-        out << warning.stack_trace.lines.take(5)
+        puts 'Tainted input: ' + tainted_input
+
+        warning.stack_trace.lines.take(@stack_trace_size).each do |line|
+          puts format_line(line)
+
+          next unless line[:file].starts_with?(@app_path)
+
+          File.read(line[:file]).lines.each_with_index.drop(line[:line_number] - 2).take(3).each do |(code, n)|
+            puts "| #{n}\t#{code}"
+          end
+        end
+      end
 
-        out.join("\n")
+      def format_line(line)
+        line[:file].sub(Dir.pwd, '.') + ':' + line[:line_number].to_s + ' in ' + line[:method]
       end
     end
   end

data/lib/tainted_love/validator/railties_yaml_load.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module TaintedLove
+  module Validator
+    class RailtiesYamlLoad < Base
+      def remove?(warning)
+        line = warning.stack_trace_line
+
+        Object.const_defined?('Rails') &&
+          warning.replacer == :ReplaceYAML &&
+          line[:file]['rails/application.rb'] &&
+          line[:method] == 'config_for'
+      end
+    end
+  end
+end

data/lib/tainted_love/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module TaintedLove
-  VERSION = '0.1.3'
+  VERSION = '0.1.4'
 end

data/tools/web/.gitignore

@@ -0,0 +1 @@
+Gemfile.lock

data/tools/web/Gemfile

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+gem 'sinatra'

data/tools/web/application.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'sinatra'
+require 'json'
+
+REPORT_PATH = ARGV[0]
+
+unless REPORT_PATH
+  puts "usage: ruby application.rb path/to/report.json"
+  exit(1)
+end
+
+unless File.exist?(REPORT_PATH)
+  puts "Cannot open report file: #{REPORT_PATH}"
+  exit(1)
+end
+
+helpers do
+  def prepare_inputs(warning)
+    warning['inputs'].sort_by { |_, reported_at| -reported_at }
+  end
+
+  def h(text)
+    Rack::Utils.escape_html(text)
+  end
+
+  def render_source(file, line)
+    File.read(file).lines.each.with_index.drop(line - 2).take(3).to_a
+  end
+end
+
+get '/' do
+  @report = JSON.parse(File.read(REPORT_PATH))
+  @warnings = @report['warnings'].sort_by do |_, code_path|
+    -code_path['inputs'].map { |_, reported_at| reported_at }.max
+  end.to_h
+
+  erb :index
+end

data/tools/web/public/application.css

@@ -0,0 +1,79 @@
+body {
+    font-family: sans-serif;
+    margin: 0;
+    background-color: #efefef;
+}
+
+.clear {
+    clear: both;
+}
+
+nav {
+    background-color: #0081d3;
+    color: white;
+    padding: 1em;
+}
+
+h1, ul {
+    margin: 0;
+    font-size: 1em;
+}
+
+nav h1 {
+    float: left;
+}
+
+nav ul {
+    float: right;
+}
+
+nav li {
+    display: inline;
+    margin-left: 1em;
+}
+
+nav a {
+    color: white;
+}
+
+#wrapper {
+    padding: 1em;
+}
+
+.warning {
+    background-color: white;
+    padding: 1em;
+    margin-bottom: 1em;
+}
+
+h2 {
+    margin: 0;
+    font-size: 1em;
+}
+
+.stack_trace .line {
+    font-family: monospace;
+}
+
+.tag {
+    font-size: 0.8em;
+    background-color: #9EBABA;
+    padding: 0.1em 0.3em;
+}
+
+details summary {
+    font-size: 0.8em;
+}
+
+.code {
+    padding-left: 1em;
+}
+
+.code pre {
+    margin: 0;
+}
+
+.code pre:before {
+    content: attr(data-line);
+    margin-right: 1em;
+}

data/tools/web/views/index.erb

@@ -0,0 +1,57 @@
+<div id="warnings">
+  <% @warnings.each do |trace_hash, warning| %>
+    <div class="warning">
+      <h2>
+        <%= trace_hash[0...8] %>
+        -
+        <%= warning['message'] %>
+      </h2>
+
+      <div class="details">
+        <p class="stack_trace">
+          <% warning['stack_trace'].take(5).each do |line| %>
+            <%= erb :line, locals: { line: line }  %>
+          <% end %>
+
+          <details>
+            <summary>Show more</summary>
+
+            <% warning['stack_trace'].drop(5).each do |line| %>
+              <%= erb :line, locals: { line: line }  %>
+            <% end %>
+          </details>
+        </p>
+        <hr/>
+        <p class="inputs">
+          <% inputs = prepare_inputs(warning) %>
+
+          <% inputs.take(5).each do |(input, reported_at)|  %>
+            <div class="input">
+              <code><%=h input.inspect %></code>
+              <small>reported at <%= Time.at(reported_at) %></small>
+            </div>
+          <% end %>
+
+          <% if inputs.size > 5 %>
+            <details>
+              <summary>Show more</summary>
+
+              <% inputs.drop(5).each do |(input, reported_at)|  %>
+                <div class="input">
+                  <code><%=h input.inspect %></code>
+                  <small>reported at <%= Time.at(reported_at) %></small>
+                </div>
+              <% end %>
+            </details>
+          <% end %>
+        </p>
+
+        <div>
+          <% warning['tags'].each do |tag| %>
+            <span class="tag">#<%= tag %></span>
+          <% end %>
+        </div>
+      </div>
+    </div>
+  <% end %>
+</div>

data/tools/web/views/layout.erb

@@ -0,0 +1,25 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8"/>
+    <title>TaintedLove</title>
+    <link href="application.css" rel="stylesheet"/>
+  </head>
+  <body>
+    <nav>
+      <h1>TaintedLove</h1>
+      <ul>
+        <li><%= @warnings.size %> warnings</li>
+        <li><a href="?">Refresh</a></li>
+      </ul>
+
+      <div class="clear"></div>
+    </nav>
+
+    <div id="wrapper">
+      <%= yield %>
+    </div>
+
+    <script src="application.js"></script>
+  </body>
+</html>

data/tools/web/views/line.erb

@@ -0,0 +1,11 @@
+<div class="line">
+  <a href="file://<%= line['file'] %>">
+    <%= line['file'].sub(@report['application_path'], '.') %></a><span>:<%= line['line_number'] %></span> in <%= line['method'] %>
+  <% if line['file'].start_with?(@report['application_path']) %>
+    <div class="code">
+    <% render_source(line['file'], line['line_number']).each do |(code, line_number)| %>
+      <pre data-line="<%= line_number %>"><%= code %></pre>
+    <% end %>
+    </div>
+  <% end %>
+</div>

data/tools/web/views/warning.erb

@@ -0,0 +1,3 @@
+<div class="warning">
+  <%= warning.class %>
+</div>

data/tools/web/views/warnings.erb

@@ -0,0 +1,3 @@
+<% @warnings.each do |warning|%>
+  <%= erb :warning, layout: false, locals: { warning: warning } %>
+<% end %>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tainted_love
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - Benoit Cote-Jodoin
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-04-24 00:00:00.000000000 Z
+date: 2019-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -103,57 +103,6 @@ files:
 - bin/setup
 - bin/test
 - dev.yml
-- docs/TaintedLove.html
-- docs/TaintedLove/Configuration.html
-- docs/TaintedLove/Replacer.html
-- docs/TaintedLove/Replacer/ActionViewHelpersMod.html
-- docs/TaintedLove/Replacer/Base.html
-- docs/TaintedLove/Replacer/HelperMod.html
-- docs/TaintedLove/Replacer/HelpersMod.html
-- docs/TaintedLove/Replacer/MarshalMod.html
-- docs/TaintedLove/Replacer/ObjectMod.html
-- docs/TaintedLove/Replacer/ReplaceActionController.html
-- docs/TaintedLove/Replacer/ReplaceActionView.html
-- docs/TaintedLove/Replacer/ReplaceActiveRecord.html
-- docs/TaintedLove/Replacer/ReplaceDigest.html
-- docs/TaintedLove/Replacer/ReplaceFile.html
-- docs/TaintedLove/Replacer/ReplaceKernel.html
-- docs/TaintedLove/Replacer/ReplaceMarshal.html
-- docs/TaintedLove/Replacer/ReplaceObject.html
-- docs/TaintedLove/Replacer/ReplaceRailsUserInput.html
-- docs/TaintedLove/Replacer/ReplaceSprokets.html
-- docs/TaintedLove/Replacer/SprocketsHelperMod.html
-- docs/TaintedLove/Reporter.html
-- docs/TaintedLove/Reporter/Base.html
-- docs/TaintedLove/Reporter/RackReporter.html
-- docs/TaintedLove/Reporter/SinatraReporter.html
-- docs/TaintedLove/Reporter/SinatraReporter/App.html
-- docs/TaintedLove/Reporter/StdoutReporter.html
-- docs/TaintedLove/SinatraReporter.html
-- docs/TaintedLove/SinatraReporter/App.html
-- docs/TaintedLove/StackTrace.html
-- docs/TaintedLove/Utils.html
-- docs/TaintedLove/Validator.html
-- docs/TaintedLove/Validator/ActionViewObjectSend.html
-- docs/TaintedLove/Validator/Base.html
-- docs/TaintedLove/Validator/ErbEval.html
-- docs/TaintedLove/Validator/RedisStoreSerialization.html
-- docs/TaintedLove/Validator/SproketsMarshal.html
-- docs/TaintedLove/Warning.html
-- docs/_index.html
-- docs/class_list.html
-- docs/css/common.css
-- docs/css/full_list.css
-- docs/css/style.css
-- docs/file.README.html
-- docs/file_list.html
-- docs/frames.html
-- docs/index.html
-- docs/js/app.js
-- docs/js/full_list.js
-- docs/js/jquery.js
-- docs/method_list.html
-- docs/top-level-namespace.html
 - example/.gitignore
 - example/.ruby-version
 - example/Gemfile
@@ -283,11 +232,22 @@ files:
 - lib/tainted_love/validator/action_view_object_send.rb
 - lib/tainted_love/validator/base.rb
 - lib/tainted_love/validator/erb_eval.rb
+- lib/tainted_love/validator/railties_yaml_load.rb
 - lib/tainted_love/validator/redis_store_serialization.rb
 - lib/tainted_love/validator/sprokets_marshal.rb
 - lib/tainted_love/version.rb
 - lib/tainted_love/warning.rb
 - tainted_love.gemspec
+- tools/web/.gitignore
+- tools/web/Gemfile
+- tools/web/application.rb
+- tools/web/public/application.css
+- tools/web/public/application.js
+- tools/web/views/index.erb
+- tools/web/views/layout.erb
+- tools/web/views/line.erb
+- tools/web/views/warning.erb
+- tools/web/views/warnings.erb
 homepage: https://github.com/Shopify/tainted_love
 licenses:
 - MIT