Parent

Class/Module Index [+]

Quicksearch

Brakeman::Scanner

Scans the Rails application.

Attributes

options[R]

Public Class Methods

new(options, processor = nil) click to toggle source

Pass in path to the root of the Rails application

# File lib/brakeman/scanner.rb, line 30
def initialize options, processor = nil
  @options = options
  @app_tree = Brakeman::AppTree.from_options(options)

  if !@app_tree.root || !@app_tree.exists?("app")
    abort("Please supply the path to a Rails application.")
  end

  if @app_tree.exists?("script/rails")
    options[:rails3] = true
    Brakeman.notify "[Notice] Detected Rails 3 application"
  end

  @ruby_parser = ::RubyParser
  @processor = processor || Brakeman::Processor.new(@app_tree, options)
end

Public Instance Methods

index_call_sites() click to toggle source
# File lib/brakeman/scanner.rb, line 342
def index_call_sites
  tracker.index_call_sites
end
parse_ruby(input) click to toggle source
# File lib/brakeman/scanner.rb, line 346
def parse_ruby input
  @ruby_parser.new.parse input
end
process() click to toggle source

Process everything in the Rails application

# File lib/brakeman/scanner.rb, line 53
def process
  Brakeman.notify "Processing configuration..."
  process_config
  Brakeman.notify "Processing gems..."
  process_gems
  Brakeman.notify "Processing initializers..."
  process_initializers
  Brakeman.notify "Processing libs..."
  process_libs
  Brakeman.notify "Processing routes...          "
  process_routes
  Brakeman.notify "Processing templates...       "
  process_templates
  Brakeman.notify "Processing models...          "
  process_models
  Brakeman.notify "Processing controllers...     "
  process_controllers
  Brakeman.notify "Indexing call sites...        "
  index_call_sites
  tracker
end
process_config() click to toggle source

Process config/environment.rb and config/gems.rb

Stores parsed information in tracker.config

# File lib/brakeman/scanner.rb, line 78
def process_config
  if options[:rails3]
    process_config_file "application.rb"
    process_config_file "environments/production.rb"
  else
    process_config_file "environment.rb"
    process_config_file "gems.rb"
  end

  if @app_tree.exists?("vendor/plugins/rails_xss") or
    options[:rails3] or options[:escape_html]

    tracker.config[:escape_html] = true
    Brakeman.notify "[Notice] Escaping HTML by default"
  end
end
process_controller(path) click to toggle source
# File lib/brakeman/scanner.rb, line 221
def process_controller path
  begin
    @processor.process_controller(parse_ruby(@app_tree.read_path(path)), path)
  rescue Racc::ParseError => e
    tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
  rescue Exception => e
    tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
  end
end
process_controllers() click to toggle source

Process all .rb files in controllers/

Adds processed controllers to tracker.controllers

# File lib/brakeman/scanner.rb, line 194
def process_controllers
  total = @app_tree.controller_paths.length
  current = 0

  @app_tree.controller_paths.each do |f|
    Brakeman.debug "Processing #{f}"
    report_progress(current, total)
    current += 1
    process_controller f
  end

  current = 0
  total = tracker.controllers.length

  Brakeman.notify "Processing data flow in controllers..."

  tracker.controllers.sort_by{|name| name.to_s}.each do |name, controller|
    Brakeman.debug "Processing #{name}"
    report_progress(current, total, "controllers")
    current += 1
    @processor.process_controller_alias name, controller[:src]
  end

  #No longer need these processed filter methods
  tracker.filter_cache.clear
end
process_gems() click to toggle source

Process Gemfile

# File lib/brakeman/scanner.rb, line 110
def process_gems
  if @app_tree.exists? "Gemfile"
    if @app_tree.exists? "Gemfile.lock"
      @processor.process_gems(parse_ruby(@app_tree.read("Gemfile")), @app_tree.read("Gemfile.lock"))
    else
      @processor.process_gems(parse_ruby(@app_tree.read("Gemfile")))
    end
  end
rescue Exception => e
  Brakeman.notify "[Notice] Error while processing Gemfile."
  tracker.error e.exception(e.message + "\nWhile processing Gemfile"), e.backtrace
end
process_initializer(path) click to toggle source

Process an initializer

# File lib/brakeman/scanner.rb, line 133
def process_initializer path
  begin
    @processor.process_initializer(path, parse_ruby(@app_tree.read_path(path)))
  rescue Racc::ParseError => e
    tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
  rescue Exception => e
    tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
  end
end
process_initializers() click to toggle source

Process all the .rb files in config/initializers/

Adds parsed information to tracker.initializers

# File lib/brakeman/scanner.rb, line 126
def process_initializers
  @app_tree.initializer_paths.each do |f|
    process_initializer f
  end
end
process_lib(path) click to toggle source

Process a library

# File lib/brakeman/scanner.rb, line 164
def process_lib path
  begin
    @processor.process_lib parse_ruby(@app_tree.read_path(path)), path
  rescue Racc::ParseError => e
    tracker.error e, "could not parse #{path}. There is probably a typo in the file. Test it with 'ruby_parse #{path}'"
  rescue Exception => e
    tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
  end
end
process_libs() click to toggle source

Process all .rb in lib/

Adds parsed information to tracker.libs.

# File lib/brakeman/scanner.rb, line 146
def process_libs
  if options[:skip_libs]
    Brakeman.notify '[Skipping]'
    return
  end

  total = @app_tree.lib_paths.length
  current = 0

  @app_tree.lib_paths.each do |f|
    Brakeman.debug "Processing #{f}"
    report_progress(current, total)
    current += 1
    process_lib f
  end
end
process_model(path) click to toggle source
# File lib/brakeman/scanner.rb, line 327
def process_model path
  begin
    @processor.process_model(parse_ruby(@app_tree.read_path(path)), path)
  rescue Racc::ParseError => e
    tracker.error e, "could not parse #{path}"
  rescue Exception => e
    tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
  end
end
process_models() click to toggle source

Process all the .rb files in models/

Adds the processed models to tracker.models

# File lib/brakeman/scanner.rb, line 315
def process_models
  total = @app_tree.model_paths.length
  current = 0

  @app_tree.model_paths.each do |f|
    Brakeman.debug "Processing #{f}"
    report_progress(current, total)
    current += 1
    process_model f
  end
end
process_routes() click to toggle source

Process config/routes.rb

Adds parsed information to tracker.routes

# File lib/brakeman/scanner.rb, line 177
def process_routes
  if @app_tree.exists?("config/routes.rb")
    begin
      @processor.process_routes parse_ruby(@app_tree.read("config/routes.rb"))
    rescue Exception => e
      tracker.error e.exception(e.message + "\nWhile processing routes.rb"), e.backtrace
      Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
      options[:assume_all_routes] = true
    end
  else
    Brakeman.notify "[Notice] No route information found"
  end
end
process_template(path) click to toggle source
# File lib/brakeman/scanner.rb, line 260
def process_template path
  type = path.match(KNOWN_TEMPLATE_EXTENSIONS)[1].to_sym
  type = :erb if type == :rhtml
  name = template_path_to_name path
  text = @app_tree.read_path path

  begin
    if type == :erb
      if tracker.config[:escape_html]
        type = :erubis
        if options[:rails3]
          src = Brakeman::Rails3Erubis.new(text).src
        else
          src = Brakeman::Rails2XSSPluginErubis.new(text).src
        end
      elsif tracker.config[:erubis]
        type = :erubis
        src = Brakeman::ScannerErubis.new(text).src
      else
        src = ERB.new(text, nil, "-").src
        src.sub!(/^#.*\n/, '') if RUBY_1_9
      end

      parsed = parse_ruby src
    elsif type == :haml
      src = Haml::Engine.new(text,
                             :escape_html => !!tracker.config[:escape_html]).precompiled
      parsed = parse_ruby src
    else
      tracker.error "Unkown template type in #{path}"
    end

    @processor.process_template(name, parsed, type, nil, path)

  rescue Racc::ParseError => e
    tracker.error e, "could not parse #{path}"
  rescue Haml::Error => e
    tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
  rescue Exception => e
    tracker.error e.exception(e.message + "\nWhile processing #{path}"), e.backtrace
  end
end
process_templates() click to toggle source

Process all views and partials in views/

Adds processed views to tracker.views

# File lib/brakeman/scanner.rb, line 234
def process_templates
  $stdout.sync = true

  count = 0
  total = @app_tree.template_paths.length

  @app_tree.template_paths.each do |path|
    Brakeman.debug "Processing #{path}"
    report_progress(count, total)
    count += 1
    process_template path
  end

  total = tracker.templates.length
  count = 0

  Brakeman.notify "Processing data flow in templates..."

  tracker.templates.keys.dup.sort_by{|name| name.to_s}.each do |name|
    Brakeman.debug "Processing #{name}"
    report_progress(count, total, "templates")
    count += 1
    @processor.process_template_alias tracker.templates[name]
  end
end
report_progress(current, total, type = "files") click to toggle source
# File lib/brakeman/scanner.rb, line 337
def report_progress(current, total, type = "files")
  return unless @options[:report_progress]
  $stderr.print " #{current}/#{total} #{type} processed\r"
end
template_path_to_name(path) click to toggle source

Convert path/filename to view name

views/test/something.html.erb -> test/something
# File lib/brakeman/scanner.rb, line 306
def template_path_to_name path
  names = path.split("/")
  names.last.gsub!(/(\.(html|js)\..*|\.rhtml)$/, '')
  names[(names.index("views") + 1)..-1].join("/").to_sym
end
tracker() click to toggle source

Returns the Tracker generated from the scan

# File lib/brakeman/scanner.rb, line 48
def tracker
  @processor.tracked_events
end

[Validate]

Generated with the Darkfish Rdoc Generator 2.