Module: Brakeman

Defined in:
lib/brakeman.rb,
lib/brakeman/version.rb,
lib/brakeman/processor.rb

Defined Under Namespace

Modules: Options, ProcessorHelper, RenderHelper, RouteHelper, Util Classes: AliasProcessor, BaseCheck, BaseProcessor, CallIndex, CheckBasicAuth, CheckCrossSiteScripting, CheckDefaultRoutes, CheckEscapeFunction, CheckEvaluation, CheckExecute, CheckFileAccess, CheckFilterSkipping, CheckForgerySetting, CheckLinkTo, CheckMailTo, CheckMassAssignment, CheckModelAttributes, CheckNestedAttributes, CheckQuoteTableName, CheckRedirect, CheckRender, CheckResponseSplitting, CheckSQL, CheckSendFile, CheckSessionSettings, CheckStripTags, CheckTranslateBug, CheckValidationRegex, CheckWithoutProtection, Checks, ConfigAliasProcessor, ConfigProcessor, ControllerAliasProcessor, ControllerProcessor, ErbTemplateProcessor, ErubisEscape, ErubisTemplateProcessor, FindAllCalls, FindCall, GemProcessor, HamlTemplateProcessor, LibraryProcessor, ModelProcessor, OutputProcessor, ParamsProcessor, Processor, Rails2ConfigProcessor, Rails2RoutesProcessor, Rails3ConfigProcessor, Rails3RoutesProcessor, RailsXSSErubis, Report, RescanReport, Rescanner, RouteAliasProcessor, RoutesProcessor, Scanner, ScannerErubis, TemplateAliasProcessor, TemplateProcessor, Tracker, Warning

Constant Summary

Warnings_Found_Exit_Code =

This exit code is used when warnings are found and the --exit-on-warn option is set

3
Version = 
"1.1.0"

Class Method Summary (collapse)

Class Method Details

+ (Object) dump_config(options) 



179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
 
# File 'lib/brakeman.rb', line 179

def self.dump_config options
  if options[:create_config].is_a? String
    file = options[:create_config]
  else
    file = nil
  end

  options.delete :create_config

  options.each do |k,v|
    if v.is_a? Set
      options[k] = v.to_a
    end
  end

  if file
    File.open file, "w" do |f|
      YAML.dump options, f
    end
    puts "Output configuration to #{file}"
  else
    puts YAML.dump(options)
  end
  exit
end

+ (Object) get_defaults 



98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
 
# File 'lib/brakeman.rb', line 98

def self.get_defaults
  { :skip_checks => Set.new, 
    :check_arguments => true, 
    :safe_methods => Set.new,
    :min_confidence => 2,
    :combine_locations => true,
    :collapse_mass_assignment => true,
    :ignore_redirect_to_model => true,
    :ignore_model_output => false,
    :message_limit => 100,
    :parallel_checks => true,
    :quiet => true,
    :report_progress => true,
    :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css" 
  }
end

+ (Object) get_output_format(options) 



115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
 
# File 'lib/brakeman.rb', line 115

def self.get_output_format options
  #Set output format
  if options[:output_format]
    case options[:output_format]
    when :html, :to_html
      :to_html
    when :csv, :to_csv
      :to_csv
    when :pdf, :to_pdf
      :to_pdf
    when :tabs, :to_tabs
      :to_tabs
    else
      :to_s
    end
  else
    case options[:output_file]
    when /\.html$/i
      :to_html
    when /\.csv$/i
      :to_csv
    when /\.pdf$/i
      :to_pdf
    when /\.tabs$/i
      :to_tabs
    else
      :to_s
    end
  end
end

+ (Object) install_rake_task 



153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
 
# File 'lib/brakeman.rb', line 153

def self.install_rake_task
  if not File.exists? "Rakefile"
    abort "No Rakefile detected"
  elsif File.exists? "lib/tasks/brakeman.rake"
    abort "Task already exists"
  end

  require 'fileutils'

  if not File.exists? "lib/tasks"
    warn "Creating lib/tasks"
    FileUtils.mkdir_p "lib/tasks"
  end

  path = File.expand_path(File.dirname(__FILE__))

  FileUtils.cp "#{path}/brakeman/brakeman.rake", "lib/tasks/brakeman.rake"

  if File.exists? "lib/tasks/brakeman.rake"
    warn "Task created in lib/tasks/brakeman.rake"
    warn "Usage: rake brakeman:run[output_file]"
  else
    warn "Could not create task"
  end
end

+ (Object) list_checks 



146
147
148
149
150
151
 
# File 'lib/brakeman.rb', line 146

def self.list_checks
  require 'brakeman/scanner'
  $stderr.puts "Available Checks:"
  $stderr.puts "-" * 30
  $stderr.puts Checks.checks.map { |c| c.to_s.match(/^Brakeman::(.*)$/)[1] }.sort.join "\n"
end

+ (Object) load_options(config_file) 



72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
 
# File 'lib/brakeman.rb', line 72

def self.load_options config_file
  config_file ||= ""

  #Load configuration file
  [File.expand_path(config_file),
    File.expand_path("./config.yaml"),
    File.expand_path("~/.brakeman/config.yaml"),
    File.expand_path("/etc/brakeman/config.yaml"),
    "#{File.expand_path(File.dirname(__FILE__))}/../lib/config.yaml"].each do |f|

    if File.exist? f and not File.directory? f
      warn "[Notice] Using configuration in #{f}" unless options[:quiet]
      options = YAML.load_file f
      options.each do |k,v|
        if v.is_a? Array
          options[k] = Set.new v
        end
      end

      return options
    end
    end

  return {}
end

+ (Object) rescan(tracker, files) 



255
256
257
258
259
 
# File 'lib/brakeman.rb', line 255

def self.rescan tracker, files
  require 'brakeman/rescanner'

  Rescanner.new(tracker.options, tracker.processor, files).recheck
end

+ (Object) run(options)

Run Brakeman scan. Returns Tracker object.

Options:

* :app_path - path to root of Rails app (required)
* :assume_all_routes - assume all methods are routes (default: false)
* :check_arguments - check arguments of methods (default: true)
* :collapse_mass_assignment - report unprotected models in single warning (default: true)
* :combine_locations - combine warning locations (default: true)
* :config_file - configuration file
* :escape_html - escape HTML by default (automatic)
* :exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)
* :html_style - path to CSS file
* :ignore_model_output - consider models safe (default: false)
* :message_limit - limit length of messages
* :min_confidence - minimum confidence (0-2, 0 is highest)
* :output_file - file for output
* :output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)
* :parallel_checks - run checks in parallel (default: true)
* :print_report - if no output file specified, print to stdout (default: false)
* :quiet - suppress most messages (default: true)
* :rails3 - force Rails 3 mode (automatic)
* :report_routes - show found routes on controllers (default: false)
* :run_checks - array of checks to run (run all if not specified)
* :safe_methods - array of methods to consider safe
* :skip_libs - do not process lib/ directory (default: false)
* :skip_checks - checks not to run (run all if not specified)

Alternatively, just supply a path as a string.



40
41
42
43
44
45
46
47
48
49
 
# File 'lib/brakeman.rb', line 40

def self.run options
  options = set_options options

  if options[:quiet]
    options[:report_progress] = false
    $VERBOSE = nil
  end

  scan options
end

+ (Object) scan(options) 



205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
 
# File 'lib/brakeman.rb', line 205

def self.scan options
  #Load scanner
  warn "Loading scanner..."

  begin
    require 'brakeman/scanner'
  rescue LoadError
    abort "Cannot find lib/ directory."
  end

  #Start scanning
  scanner = Scanner.new options

  warn "[Notice] Using Ruby #{RUBY_VERSION}. Please make sure this matches the one used to run your Rails application."

  warn "Processing application in #{options[:app_path]}"
  tracker = scanner.process

  if options[:parallel_checks]
    warn "Running checks in parallel..."
  else
    warn "Runnning checks..."
  end
  tracker.run_checks

  if options[:output_file]
    warn "Generating report..."

    File.open options[:output_file], "w" do |f|
      f.puts tracker.report.send(options[:output_format])
    end
    warn "Report saved in '#{options[:output_file]}'"
  elsif options[:print_report]
    warn "Generating report..."

    puts tracker.report.send(options[:output_format])
  end

  if options[:exit_on_warn]
    tracker.checks.all_warnings.each do |warning|
      next if warning.confidence > options[:min_confidence]
      return false
    end
    
    return true
  end

  tracker
end

+ (Object) set_options(options) 



51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
 
# File 'lib/brakeman.rb', line 51

def self.set_options options
  if options.is_a? String
    options = { :app_path => options }
  end

  options = load_options(options[:config_file]).merge! options
  options = get_defaults.merge! options
  options[:output_format] = get_output_format options

  app_path = options[:app_path]

  abort("Please supply the path to a Rails application.") unless app_path and File.exist? app_path + "/app"

  if File.exist? app_path + "/script/rails"
    options[:rails3] = true
    warn "[Notice] Detected Rails 3 application" 
  end

  options
end