Module: Brakeman
- Defined in:
- lib/brakeman.rb,
lib/brakeman/version.rb,
lib/brakeman/app_tree.rb,
lib/brakeman/processor.rb,
lib/brakeman/report/ignore/config.rb,
lib/brakeman/report/ignore/interactive.rb
Defined Under Namespace
Modules: Options, ProcessorHelper, RenderHelper, RouteHelper, Util, WarningCodes Classes: AliasProcessor, AppTree, BaseCheck, BaseProcessor, CallIndex, CheckBasicAuth, CheckContentTag, CheckCrossSiteScripting, CheckDefaultRoutes, CheckDeserialize, CheckDetailedExceptions, CheckDigestDoS, CheckEscapeFunction, CheckEvaluation, CheckExecute, CheckFileAccess, CheckFilterSkipping, CheckForgerySetting, CheckHeaderDoS, CheckI18nXSS, CheckJRubyXML, CheckJSONParsing, CheckLinkTo, CheckLinkToHref, CheckMailTo, CheckMassAssignment, CheckModelAttrAccessible, CheckModelAttributes, CheckModelSerialize, CheckNestedAttributes, CheckNumberToCurrency, CheckQuoteTableName, CheckRedirect, CheckRender, CheckResponseSplitting, CheckSQL, CheckSSLVerify, CheckSafeBufferManipulation, CheckSanitizeMethods, CheckSelectTag, CheckSelectVulnerability, CheckSend, CheckSendFile, CheckSessionSettings, CheckSimpleFormat, CheckSingleQuotes, CheckSkipBeforeFilter, CheckStripTags, CheckSymbolDoS, CheckTranslateBug, CheckUnsafeReflection, CheckValidationRegex, CheckWithoutProtection, CheckYAMLParsing, Checks, ConfigAliasProcessor, ConfigProcessor, ControllerAliasProcessor, ControllerProcessor, DependencyError, Differ, ErbTemplateProcessor, ErubisTemplateProcessor, FindAllCalls, FindCall, FindReturnValue, GemProcessor, HamlTemplateProcessor, IgnoreConfig, InteractiveIgnorer, LibraryProcessor, ModelProcessor, NoApplication, NoBrakemanError, OutputProcessor, Processor, Rails2ConfigProcessor, Rails2RoutesProcessor, Rails2XSSPluginErubis, Rails3ConfigProcessor, Rails3Erubis, Rails3RoutesProcessor, RakeInstallError, Report, RescanReport, Rescanner, RouteAliasProcessor, RoutesProcessor, Scanner, ScannerErubis, SexpProcessor, SlimTemplateProcessor, TemplateAliasProcessor, TemplateProcessor, Tracker, Warning
Constant Summary collapse
- Warnings_Found_Exit_Code =
This exit code is used when warnings are found and the –exit-on-warn option is set
3
- CONFIG_FILES =
[ File.("./config/brakeman.yml"), File.("~/.brakeman/config.yml"), File.("/etc/brakeman/config.yml") ]
- Version =
"2.4.0"
Class Method Summary collapse
-
.compare(options) ⇒ Object
Compare JSON ouptut from a previous scan and return the diff of the two scans.
- .config_file(custom_location = nil) ⇒ Object
- .debug(message) ⇒ Object
-
.default_options ⇒ Object
Default set of options.
-
.dump_config(options) ⇒ Object
Output configuration to YAML.
- .filter_warnings(tracker, options) ⇒ Object
- .get_output_formats(options) ⇒ Object
-
.install_rake_task(install_path = nil) ⇒ Object
Installs Rake task for running Brakeman, which basically means copying ‘lib/brakeman/brakeman.rake` to `lib/tasks/brakeman.rake` in the current Rails application.
-
.list_checks ⇒ Object
Output list of checks (for ‘-k` option).
- .load_brakeman_dependency(name) ⇒ Object
-
.load_options(custom_location, quiet) ⇒ Object
Load options from YAML file.
- .notify(message) ⇒ Object
-
.rescan(tracker, files, options = {}) ⇒ Object
Rescan a subset of files in a Rails application.
-
.run(options) ⇒ Object
Run Brakeman scan.
-
.scan(options) ⇒ Object
Run a scan.
-
.set_options(options) ⇒ Object
Sets up options for run, checks given application path.
Class Method Details
.compare(options) ⇒ Object
Compare JSON ouptut from a previous scan and return the diff of the two scans
359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 |
# File 'lib/brakeman.rb', line 359 def self.compare require 'multi_json' require 'brakeman/differ' raise ArgumentError.new("Comparison file doesn't exist") unless File.exists? [:previous_results_json] begin previous_results = MultiJson.load(File.read([:previous_results_json]), :symbolize_keys => true)[:warnings] rescue MultiJson::DecodeError self.notify "Error parsing comparison file: #{[:previous_results_json]}" exit! end tracker = run() new_results = MultiJson.load(tracker.report.to_json, :symbolize_keys => true)[:warnings] Brakeman::Differ.new(new_results, previous_results).diff end |
.config_file(custom_location = nil) ⇒ Object
111 112 113 114 |
# File 'lib/brakeman.rb', line 111 def self.config_file custom_location = nil supported_locations = [File.(custom_location || "")] + CONFIG_FILES supported_locations.detect {|f| File.file?(f) } end |
.debug(message) ⇒ Object
354 355 356 |
# File 'lib/brakeman.rb', line 354 def self.debug $stderr.puts if @debug end |
.default_options ⇒ Object
Default set of options
117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 |
# File 'lib/brakeman.rb', line 117 def self. { :assume_all_routes => true, :skip_checks => Set.new, :check_arguments => true, :safe_methods => Set.new, :min_confidence => 2, :combine_locations => true, :collapse_mass_assignment => true, :highlight_user_input => true, :ignore_redirect_to_model => true, :ignore_model_output => false, :message_limit => 100, :parallel_checks => true, :relative_path => false, :report_progress => true, :html_style => "#{File.(File.dirname(__FILE__))}/brakeman/format/style.css" } end |
.dump_config(options) ⇒ Object
Output configuration to YAML
245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 |
# File 'lib/brakeman.rb', line 245 def self.dump_config if [:create_config].is_a? String file = [:create_config] else file = nil end .delete :create_config .each do |k,v| if v.is_a? Set [k] = v.to_a end end if file File.open file, "w" do |f| YAML.dump , f end puts "Output configuration to #{file}" else puts YAML.dump() end exit end |
.filter_warnings(tracker, options) ⇒ Object
390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 |
# File 'lib/brakeman.rb', line 390 def self.filter_warnings tracker, require 'brakeman/report/ignore/config' app_tree = Brakeman::AppTree.() if [:ignore_file] file = [:ignore_file] elsif app_tree.exists? "config/brakeman.ignore" file = app_tree.("config/brakeman.ignore") elsif not [:interactive_ignore] return end notify "Filtering warnings..." if [:interactive_ignore] require 'brakeman/report/ignore/interactive' config = InteractiveIgnorer.new(file, tracker.warnings).start else notify "[Notice] Using '#{file}' to filter warnings" config = IgnoreConfig.new(file, tracker.warnings) config.read_from_file config.filter_ignored end tracker.ignored_filter = config end |
.get_output_formats(options) ⇒ Object
138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 |
# File 'lib/brakeman.rb', line 138 def self.get_output_formats #Set output format if [:output_format] && [:output_files] && [:output_files].size > 1 raise ArgumentError, "Cannot specify output format if multiple output files specified" end if [:output_format] get_formats_from_output_format [:output_format] elsif [:output_files] get_formats_from_output_files [:output_files] else begin require 'terminal-table' return [:to_s] rescue LoadError return [:to_json] end end end |
.install_rake_task(install_path = nil) ⇒ Object
Installs Rake task for running Brakeman, which basically means copying ‘lib/brakeman/brakeman.rake` to `lib/tasks/brakeman.rake` in the current Rails application.
210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 |
# File 'lib/brakeman.rb', line 210 def self.install_rake_task install_path = nil if install_path rake_path = File.join(install_path, "Rakefile") task_path = File.join(install_path, "lib", "tasks", "brakeman.rake") else rake_path = "Rakefile" task_path = File.join("lib", "tasks", "brakeman.rake") end if not File.exists? rake_path raise RakeInstallError, "No Rakefile detected" elsif File.exists? task_path raise RakeInstallError, "Task already exists" end require 'fileutils' if not File.exists? "lib/tasks" notify "Creating lib/tasks" FileUtils.mkdir_p "lib/tasks" end path = File.(File.dirname(__FILE__)) FileUtils.cp "#{path}/brakeman/brakeman.rake", task_path if File.exists? task_path notify "Task created in #{task_path}" notify "Usage: rake brakeman:run[output_file]" else raise RakeInstallError, "Could not create task" end end |
.list_checks ⇒ Object
Output list of checks (for ‘-k` option)
196 197 198 199 200 201 202 203 204 205 |
# File 'lib/brakeman.rb', line 196 def self.list_checks require 'brakeman/scanner' format_length = 30 $stderr.puts "Available Checks:" $stderr.puts "-" * format_length Checks.checks.each do |check| $stderr.printf("%-#{format_length}s%s\n", check.name, check.description) end end |
.load_brakeman_dependency(name) ⇒ Object
378 379 380 381 382 383 384 385 386 387 388 |
# File 'lib/brakeman.rb', line 378 def self.load_brakeman_dependency name return if @loaded_dependencies.include? name begin require name rescue LoadError => e $stderr.puts e. $stderr.puts "Please install the appropriate dependency." exit! -1 end end |
.load_options(custom_location, quiet) ⇒ Object
Load options from YAML file
91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 |
# File 'lib/brakeman.rb', line 91 def self. custom_location, quiet #Load configuration file if config = config_file(custom_location) = YAML.load_file config if .each { |k, v| [k] = Set.new v if v.is_a? Array } # notify if options[:quiet] and quiet is nil||false notify "[Notice] Using configuration in #{config}" unless ([:quiet] || quiet) else notify "[Notice] Empty configuration file: #{config}" unless quiet {} end else {} end end |
.notify(message) ⇒ Object
350 351 352 |
# File 'lib/brakeman.rb', line 350 def self.notify $stderr.puts unless @quiet end |
.rescan(tracker, files, options = {}) ⇒ Object
Rescan a subset of files in a Rails application.
A full scan must have been run already to use this method. The returned Tracker object from Brakeman.run is used as a starting point for the rescan.
Options may be given as a hash with the same values as Brakeman.run. Note that these options will be merged into the Tracker.
This method returns a RescanReport object with information about the scan. However, the Tracker object will also be modified as the scan is run.
339 340 341 342 343 344 345 346 347 348 |
# File 'lib/brakeman.rb', line 339 def self.rescan tracker, files, = {} require 'brakeman/rescanner' tracker..merge! @quiet = !!tracker.[:quiet] @debug = !!tracker.[:debug] Rescanner.new(tracker., tracker.processor, files).recheck end |
.run(options) ⇒ Object
Run Brakeman scan. Returns Tracker object.
Options:
* :app_path - path to root of Rails app (required)
* :assume_all_routes - assume all methods are routes (default: true)
* :check_arguments - check arguments of methods (default: true)
* :collapse_mass_assignment - report unprotected models in single warning (default: true)
* :combine_locations - combine warning locations (default: true)
* :config_file - configuration file
* :escape_html - escape HTML by default (automatic)
* :exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)
* :highlight_user_input - highlight user input in reported warnings (default: true)
* :html_style - path to CSS file
* :ignore_model_output - consider models safe (default: false)
* :interprocedural - limited interprocedural processing of method calls (default: false)
* :message_limit - limit length of messages
* :min_confidence - minimum confidence (0-2, 0 is highest)
* :output_files - files for output
* :output_formats - formats for output (:to_s, :to_tabs, :to_csv, :to_html)
* :parallel_checks - run checks in parallel (default: true)
* :print_report - if no output file specified, print to stdout (default: false)
* :quiet - suppress most messages (default: true)
* :rails3 - force Rails 3 mode (automatic)
* :report_routes - show found routes on controllers (default: false)
* :run_checks - array of checks to run (run all if not specified)
* :safe_methods - array of methods to consider safe
* :skip_libs - do not process lib/ directory (default: false)
* :skip_checks - checks not to run (run all if not specified)
* :absolute_paths - show absolute path of each file (default: false)
* :summary_only - only output summary section of report
(does not apply to tabs format)
Alternatively, just supply a path as a string.
49 50 51 52 53 54 55 56 57 58 59 |
# File 'lib/brakeman.rb', line 49 def self.run = @quiet = !![:quiet] @debug = !![:debug] if @quiet [:report_progress] = false end scan end |
.scan(options) ⇒ Object
Run a scan. Generally called from Brakeman.run instead of directly.
272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 |
# File 'lib/brakeman.rb', line 272 def self.scan #Load scanner notify "Loading scanner..." begin require 'brakeman/scanner' rescue LoadError raise NoBrakemanError, "Cannot find lib/ directory." end #Start scanning scanner = Scanner.new notify "Processing application in #{[:app_path]}" tracker = scanner.process if [:parallel_checks] notify "Running checks in parallel..." else notify "Runnning checks..." end tracker.run_checks self.filter_warnings tracker, if [:output_files] notify "Generating report..." write_report_to_files tracker, [:output_files] elsif [:print_report] notify "Generating report..." write_report_to_formats tracker, [:output_formats] end tracker end |
.set_options(options) ⇒ Object
Sets up options for run, checks given application path
62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 |
# File 'lib/brakeman.rb', line 62 def self. if .is_a? String = { :app_path => } end if [:quiet] == :command_line command_line = true .delete :quiet end = .merge(([:config_file], [:quiet])).merge() if [:quiet].nil? and not command_line [:quiet] = true end [:app_path] = File.([:app_path]) [:output_formats] = get_output_formats end |