Module: Brakeman
- Defined in:
- lib/brakeman.rb,
lib/brakeman/version.rb,
lib/brakeman/app_tree.rb,
lib/brakeman/processor.rb,
lib/brakeman/file_parser.rb,
lib/brakeman/report/ignore/config.rb,
lib/brakeman/parsers/template_parser.rb,
lib/brakeman/report/ignore/interactive.rb
Defined Under Namespace
Modules: Options, ProcessorHelper, RenderHelper, RouteHelper, Util, WarningCodes Classes: ASTFile, AliasProcessor, AppTree, BaseCheck, BaseProcessor, BasicProcessor, CallIndex, CheckBasicAuth, CheckContentTag, CheckCreateWith, CheckCrossSiteScripting, CheckDefaultRoutes, CheckDeserialize, CheckDetailedExceptions, CheckDigestDoS, CheckEscapeFunction, CheckEvaluation, CheckExecute, CheckFileAccess, CheckFileDisclosure, CheckFilterSkipping, CheckForgerySetting, CheckHeaderDoS, CheckI18nXSS, CheckJRubyXML, CheckJSONParsing, CheckLinkTo, CheckLinkToHref, CheckMailTo, CheckMassAssignment, CheckModelAttrAccessible, CheckModelAttributes, CheckModelSerialize, CheckNestedAttributes, CheckNumberToCurrency, CheckQuoteTableName, CheckRedirect, CheckRegexDoS, CheckRender, CheckRenderDoS, CheckRenderInline, CheckResponseSplitting, CheckSQL, CheckSQLCVEs, CheckSSLVerify, CheckSafeBufferManipulation, CheckSanitizeMethods, CheckSelectTag, CheckSelectVulnerability, CheckSend, CheckSendFile, CheckSessionSettings, CheckSimpleFormat, CheckSingleQuotes, CheckSkipBeforeFilter, CheckStripTags, CheckSymbolDoS, CheckSymbolDoSCVE, CheckTranslateBug, CheckUnsafeReflection, CheckUnscopedFind, CheckValidationRegex, CheckWithoutProtection, CheckYAMLParsing, Checks, ConfigAliasProcessor, ConfigProcessor, ControllerAliasProcessor, ControllerProcessor, DependencyError, Differ, ErbTemplateProcessor, ErubisTemplateProcessor, FileParser, FindAllCalls, FindCall, FindReturnValue, GemProcessor, HamlTemplateProcessor, IgnoreConfig, InteractiveIgnorer, LibraryProcessor, ModelProcessor, NoApplication, NoBrakemanError, OutputProcessor, Processor, Rails2ConfigProcessor, Rails2RoutesProcessor, Rails2XSSPluginErubis, Rails3ConfigProcessor, Rails3Erubis, Rails3RoutesProcessor, RakeInstallError, Report, RescanReport, Rescanner, RouteAliasProcessor, RoutesProcessor, Scanner, ScannerErubis, SexpProcessor, SlimTemplateProcessor, TemplateAliasProcessor, TemplateParser, TemplateProcessor, Tracker, Warning
Constant Summary collapse
- Warnings_Found_Exit_Code =
This exit code is used when warnings are found and the –exit-on-warn option is set
3
- CONFIG_FILES =
[ File.("./config/brakeman.yml"), File.("~/.brakeman/config.yml"), File.("/etc/brakeman/config.yml") ]
- Version =
"3.0.0"
Class Method Summary collapse
- .add_external_checks(options) ⇒ Object
-
.compare(options) ⇒ Object
Compare JSON ouptut from a previous scan and return the diff of the two scans.
- .config_file(custom_location = nil) ⇒ Object
- .debug(message) ⇒ Object
-
.default_options ⇒ Object
Default set of options.
-
.dump_config(options) ⇒ Object
Output configuration to YAML.
- .filter_warnings(tracker, options) ⇒ Object
- .get_output_formats(options) ⇒ Object
-
.install_rake_task(install_path = nil) ⇒ Object
Installs Rake task for running Brakeman, which basically means copying ‘lib/brakeman/brakeman.rake` to `lib/tasks/brakeman.rake` in the current Rails application.
-
.list_checks(options) ⇒ Object
Output list of checks (for ‘-k` option).
- .load_brakeman_dependency(name) ⇒ Object
-
.load_options(custom_location, quiet) ⇒ Object
Load options from YAML file.
- .notify(message) ⇒ Object
-
.rescan(tracker, files, options = {}) ⇒ Object
Rescan a subset of files in a Rails application.
-
.run(options) ⇒ Object
Run Brakeman scan.
-
.scan(options) ⇒ Object
Run a scan.
-
.set_options(options) ⇒ Object
Sets up options for run, checks given application path.
Class Method Details
.add_external_checks(options) ⇒ Object
456 457 458 459 460 |
# File 'lib/brakeman.rb', line 456 def self.add_external_checks [:additional_checks_path].each do |path| Brakeman::Checks.initialize_checks path end if [:additional_checks_path] end |
.compare(options) ⇒ Object
Compare JSON ouptut from a previous scan and return the diff of the two scans
395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 |
# File 'lib/brakeman.rb', line 395 def self.compare require 'multi_json' require 'brakeman/differ' raise ArgumentError.new("Comparison file doesn't exist") unless File.exists? [:previous_results_json] add_external_checks begin previous_results = MultiJson.load(File.read([:previous_results_json]), :symbolize_keys => true)[:warnings] rescue MultiJson::DecodeError self.notify "Error parsing comparison file: #{[:previous_results_json]}" exit! end tracker = run() new_results = MultiJson.load(tracker.report.to_json, :symbolize_keys => true)[:warnings] Brakeman::Differ.new(new_results, previous_results).diff end |
.config_file(custom_location = nil) ⇒ Object
113 114 115 116 |
# File 'lib/brakeman.rb', line 113 def self.config_file custom_location = nil supported_locations = [File.(custom_location || "")] + CONFIG_FILES supported_locations.detect {|f| File.file?(f) } end |
.debug(message) ⇒ Object
390 391 392 |
# File 'lib/brakeman.rb', line 390 def self.debug $stderr.puts if @debug end |
.default_options ⇒ Object
Default set of options
119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 |
# File 'lib/brakeman.rb', line 119 def self. { :assume_all_routes => true, :skip_checks => Set.new, :check_arguments => true, :safe_methods => Set.new, :min_confidence => 2, :combine_locations => true, :collapse_mass_assignment => false, :highlight_user_input => true, :ignore_redirect_to_model => true, :ignore_model_output => false, :index_libs => true, :message_limit => 100, :parallel_checks => true, :relative_path => false, :report_progress => true, :html_style => "#{File.(File.dirname(__FILE__))}/brakeman/format/style.css" } end |
.dump_config(options) ⇒ Object
Output configuration to YAML
278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 |
# File 'lib/brakeman.rb', line 278 def self.dump_config if [:create_config].is_a? String file = [:create_config] else file = nil end .delete :create_config .each do |k,v| if v.is_a? Set [k] = v.to_a end end if file File.open file, "w" do |f| YAML.dump , f end puts "Output configuration to #{file}" else puts YAML.dump() end exit end |
.filter_warnings(tracker, options) ⇒ Object
428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 |
# File 'lib/brakeman.rb', line 428 def self.filter_warnings tracker, require 'brakeman/report/ignore/config' app_tree = Brakeman::AppTree.() if [:ignore_file] file = [:ignore_file] elsif app_tree.exists? "config/brakeman.ignore" file = app_tree.("config/brakeman.ignore") elsif not [:interactive_ignore] return end notify "Filtering warnings..." if [:interactive_ignore] require 'brakeman/report/ignore/interactive' config = InteractiveIgnorer.new(file, tracker.warnings).start else notify "[Notice] Using '#{file}' to filter warnings" config = IgnoreConfig.new(file, tracker.warnings) config.read_from_file config.filter_ignored end tracker.ignored_filter = config end |
.get_output_formats(options) ⇒ Object
141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 |
# File 'lib/brakeman.rb', line 141 def self.get_output_formats #Set output format if [:output_format] && [:output_files] && [:output_files].size > 1 raise ArgumentError, "Cannot specify output format if multiple output files specified" end if [:output_format] get_formats_from_output_format [:output_format] elsif [:output_files] get_formats_from_output_files [:output_files] else begin require 'terminal-table' return [:to_s] rescue LoadError return [:to_json] end end end |
.install_rake_task(install_path = nil) ⇒ Object
Installs Rake task for running Brakeman, which basically means copying ‘lib/brakeman/brakeman.rake` to `lib/tasks/brakeman.rake` in the current Rails application.
243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 |
# File 'lib/brakeman.rb', line 243 def self.install_rake_task install_path = nil if install_path rake_path = File.join(install_path, "Rakefile") task_path = File.join(install_path, "lib", "tasks", "brakeman.rake") else rake_path = "Rakefile" task_path = File.join("lib", "tasks", "brakeman.rake") end if not File.exists? rake_path raise RakeInstallError, "No Rakefile detected" elsif File.exists? task_path raise RakeInstallError, "Task already exists" end require 'fileutils' if not File.exists? "lib/tasks" notify "Creating lib/tasks" FileUtils.mkdir_p "lib/tasks" end path = File.(File.dirname(__FILE__)) FileUtils.cp "#{path}/brakeman/brakeman.rake", task_path if File.exists? task_path notify "Task created in #{task_path}" notify "Usage: rake brakeman:run[output_file]" else raise RakeInstallError, "Could not create task" end end |
.list_checks(options) ⇒ Object
Output list of checks (for ‘-k` option)
219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 |
# File 'lib/brakeman.rb', line 219 def self.list_checks require 'brakeman/scanner' add_external_checks if [:list_optional_checks] $stderr.puts "Optional Checks:" checks = Checks.optional_checks else $stderr.puts "Available Checks:" checks = Checks.checks end format_length = 30 $stderr.puts "-" * format_length checks.each do |check| $stderr.printf("%-#{format_length}s%s\n", check.name, check.description) end end |
.load_brakeman_dependency(name) ⇒ Object
416 417 418 419 420 421 422 423 424 425 426 |
# File 'lib/brakeman.rb', line 416 def self.load_brakeman_dependency name return if @loaded_dependencies.include? name begin require name rescue LoadError => e $stderr.puts e. $stderr.puts "Please install the appropriate dependency." exit! -1 end end |
.load_options(custom_location, quiet) ⇒ Object
Load options from YAML file
93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 |
# File 'lib/brakeman.rb', line 93 def self. custom_location, quiet #Load configuration file if config = config_file(custom_location) = YAML.load_file config if .each { |k, v| [k] = Set.new v if v.is_a? Array } # notify if options[:quiet] and quiet is nil||false notify "[Notice] Using configuration in #{config}" unless ([:quiet] || quiet) else notify "[Notice] Empty configuration file: #{config}" unless quiet {} end else {} end end |
.notify(message) ⇒ Object
386 387 388 |
# File 'lib/brakeman.rb', line 386 def self.notify $stderr.puts unless @quiet end |
.rescan(tracker, files, options = {}) ⇒ Object
Rescan a subset of files in a Rails application.
A full scan must have been run already to use this method. The returned Tracker object from Brakeman.run is used as a starting point for the rescan.
Options may be given as a hash with the same values as Brakeman.run. Note that these options will be merged into the Tracker.
This method returns a RescanReport object with information about the scan. However, the Tracker object will also be modified as the scan is run.
375 376 377 378 379 380 381 382 383 384 |
# File 'lib/brakeman.rb', line 375 def self.rescan tracker, files, = {} require 'brakeman/rescanner' tracker..merge! @quiet = !!tracker.[:quiet] @debug = !!tracker.[:debug] Rescanner.new(tracker., tracker.processor, files).recheck end |
.run(options) ⇒ Object
Run Brakeman scan. Returns Tracker object.
Options:
* :app_path - path to root of Rails app (required)
* :assume_all_routes - assume all methods are routes (default: true)
* :check_arguments - check arguments of methods (default: true)
* :collapse_mass_assignment - report unprotected models in single warning (default: false)
* :combine_locations - combine warning locations (default: true)
* :config_file - configuration file
* :escape_html - escape HTML by default (automatic)
* :exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)
* :github_repo - github repo to use for file links (user/repo[/path][@ref])
* :highlight_user_input - highlight user input in reported warnings (default: true)
* :html_style - path to CSS file
* :ignore_model_output - consider models safe (default: false)
* :index_libs - add libraries to call index (default: true)
* :interprocedural - limited interprocedural processing of method calls (default: false)
* :message_limit - limit length of messages
* :min_confidence - minimum confidence (0-2, 0 is highest)
* :output_files - files for output
* :output_formats - formats for output (:to_s, :to_tabs, :to_csv, :to_html)
* :parallel_checks - run checks in parallel (default: true)
* :print_report - if no output file specified, print to stdout (default: false)
* :quiet - suppress most messages (default: true)
* :rails3 - force Rails 3 mode (automatic)
* :report_routes - show found routes on controllers (default: false)
* :run_checks - array of checks to run (run all if not specified)
* :safe_methods - array of methods to consider safe
* :skip_libs - do not process lib/ directory (default: false)
* :skip_checks - checks not to run (run all if not specified)
* :absolute_paths - show absolute path of each file (default: false)
* :summary_only - only output summary section of report
(does not apply to tabs format)
Alternatively, just supply a path as a string.
51 52 53 54 55 56 57 58 59 60 61 |
# File 'lib/brakeman.rb', line 51 def self.run = @quiet = !![:quiet] @debug = !![:debug] if @quiet [:report_progress] = false end scan end |
.scan(options) ⇒ Object
Run a scan. Generally called from Brakeman.run instead of directly.
305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 |
# File 'lib/brakeman.rb', line 305 def self.scan #Load scanner notify "Loading scanner..." begin require 'brakeman/scanner' rescue LoadError raise NoBrakemanError, "Cannot find lib/ directory." end add_external_checks #Start scanning scanner = Scanner.new tracker = scanner.tracker notify "Processing application in #{tracker.app_path}" scanner.process if [:parallel_checks] notify "Running checks in parallel..." else notify "Runnning checks..." end tracker.run_checks self.filter_warnings tracker, if [:output_files] notify "Generating report..." write_report_to_files tracker, [:output_files] elsif [:print_report] notify "Generating report..." write_report_to_formats tracker, [:output_formats] end tracker end |
.set_options(options) ⇒ Object
Sets up options for run, checks given application path
64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 |
# File 'lib/brakeman.rb', line 64 def self. if .is_a? String = { :app_path => } end if [:quiet] == :command_line command_line = true .delete :quiet end = .merge(([:config_file], [:quiet])).merge() if [:quiet].nil? and not command_line [:quiet] = true end [:output_formats] = get_output_formats [:github_url] = get_github_url end |