Namespace

Class/Module Index [+]

Quicksearch

Brakeman

Constants

CONFIG_FILES
DEPRECATED_CONFIG_FILES
Version
Warnings_Found_Exit_Code

This exit code is used when warnings are found and the --exit-on-warn option is set

Public Class Methods

compare(options) click to toggle source

Compare JSON ouptut from a previous scan and return the diff of the two scans

# File lib/brakeman.rb, line 316
def self.compare options
  require 'multi_json'
  require 'brakeman/differ'
  raise ArgumentError.new("Comparison file doesn't exist") unless File.exists? options[:previous_results_json]

  begin
    previous_results = MultiJson.load(File.read(options[:previous_results_json]), :symbolize_keys => true)[:warnings]
  rescue MultiJson::DecodeError
    self.notify "Error parsing comparison file: #{options[:previous_results_json]}"
    exit!
  end

  tracker = run(options)

  new_results = MultiJson.load(tracker.report.to_json, :symbolize_keys => true)[:warnings]

  Brakeman::Differ.new(new_results, previous_results).diff
end
config_file(custom_location=nil) click to toggle source
# File lib/brakeman.rb, line 101
def self.config_file(custom_location=nil)
  DEPRECATED_CONFIG_FILES.each do |f|
    notify "#{f} is deprecated, please use one of #{CONFIG_FILES.join(", ")}" if File.file?(f)
  end
  supported_locations = [File.expand_path(custom_location || "")] + DEPRECATED_CONFIG_FILES + CONFIG_FILES
  supported_locations.detect{|f| File.file?(f) }
end
debug(message) click to toggle source
# File lib/brakeman.rb, line 311
def self.debug message
  $stderr.puts message if @debug
end
dump_config(options) click to toggle source

Output configuration to YAML

# File lib/brakeman.rb, line 215
def self.dump_config options
  if options[:create_config].is_a? String
    file = options[:create_config]
  else
    file = nil
  end

  options.delete :create_config

  options.each do |k,v|
    if v.is_a? Set
      options[k] = v.to_a
    end
  end

  if file
    File.open file, "w" do |f|
      YAML.dump options, f
    end
    puts "Output configuration to #{file}"
  else
    puts YAML.dump(options)
  end
  exit
end
get_defaults() click to toggle source

Default set of options

# File lib/brakeman.rb, line 110
def self.get_defaults
  { :assume_all_routes => true,
    :skip_checks => Set.new,
    :check_arguments => true,
    :safe_methods => Set.new,
    :min_confidence => 2,
    :combine_locations => true,
    :collapse_mass_assignment => true,
    :highlight_user_input => true,
    :ignore_redirect_to_model => true,
    :ignore_model_output => false,
    :message_limit => 100,
    :parallel_checks => true,
    :relative_path => false,
    :quiet => true,
    :report_progress => true,
    :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css"
  }
end
get_output_formats(options) click to toggle source

Determine output formats based on options or options

# File lib/brakeman.rb, line 132
def self.get_output_formats options
  #Set output format
  if options[:output_format] && options[:output_files] && options[:output_files].size > 1
    raise ArgumentError, "Cannot specify output format if multiple output files specified"
  end
  if options[:output_format]
    [
      case options[:output_format]
      when :html, :to_html
        :to_html
      when :csv, :to_csv
        :to_csv
      when :pdf, :to_pdf
        :to_pdf
      when :tabs, :to_tabs
        :to_tabs
      when :json, :to_json
        :to_json
      else
        :to_s
      end
    ]
  else
    return [:to_s] unless options[:output_files]
    options[:output_files].map do |output_file|
      case output_file
      when /\.html$/
        :to_html
      when /\.csv$/
        :to_csv
      when /\.pdf$/
        :to_pdf
      when /\.tabs$/
        :to_tabs
      when /\.json$/
        :to_json
      else
        :to_s
      end
    end
  end
end
install_rake_task() click to toggle source

Installs Rake task for running Brakeman, which basically means copying `lib/brakeman/brakeman.rake` to `lib/tasks/brakeman.rake` in the current Rails application.

# File lib/brakeman.rb, line 188
def self.install_rake_task
  if not File.exists? "Rakefile"
    abort "No Rakefile detected"
  elsif File.exists? "lib/tasks/brakeman.rake"
    abort "Task already exists"
  end

  require 'fileutils'

  if not File.exists? "lib/tasks"
    notify "Creating lib/tasks"
    FileUtils.mkdir_p "lib/tasks"
  end

  path = File.expand_path(File.dirname(__FILE__))

  FileUtils.cp "#{path}/brakeman/brakeman.rake", "lib/tasks/brakeman.rake"

  if File.exists? "lib/tasks/brakeman.rake"
    notify "Task created in lib/tasks/brakeman.rake"
    notify "Usage: rake brakeman:run[output_file]"
  else
    notify "Could not create task"
  end
end
list_checks() click to toggle source

Output list of checks (for `-k` option)

# File lib/brakeman.rb, line 176
def self.list_checks
  require 'brakeman/scanner'
  $stderr.puts "Available Checks:"
  $stderr.puts "-" * 30
  $stderr.puts Checks.checks.map { |c|
    c.to_s.match(/^Brakeman::(.*)$/)[1].ljust(27) << c.description
  }.sort.join "\n"
end
load_options(custom_location) click to toggle source

Load options from YAML file

# File lib/brakeman.rb, line 89
def self.load_options custom_location
  #Load configuration file
  if config = config_file(custom_location)
    notify "[Notice] Using configuration in #{config}"
    options = YAML.load_file config
    options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
    options
  else
    {}
  end
end
notify(message) click to toggle source
# File lib/brakeman.rb, line 307
def self.notify message
  $stderr.puts message unless @quiet
end
rescan(tracker, files, options = {}) click to toggle source

Rescan a subset of files in a Rails application.

A full scan must have been run already to use this method. The returned Tracker object from Brakeman.run is used as a starting point for the rescan.

Options may be given as a hash with the same values as Brakeman.run. Note that these options will be merged into the Tracker.

This method returns a RescanReport object with information about the scan. However, the Tracker object will also be modified as the scan is run.

# File lib/brakeman.rb, line 296
def self.rescan tracker, files, options = {}
  require 'brakeman/rescanner'

  tracker.options.merge! options

  @quiet = !!tracker.options[:quiet]
  @debug = !!tracker.options[:debug]

  Rescanner.new(tracker.options, tracker.processor, files).recheck
end
run(options) click to toggle source

Run Brakeman scan. Returns Tracker object.

Options:

* :app_path - path to root of Rails app (required)
* :assume_all_routes - assume all methods are routes (default: true)
* :check_arguments - check arguments of methods (default: true)
* :collapse_mass_assignment - report unprotected models in single warning (default: true)
* :combine_locations - combine warning locations (default: true)
* :config_file - configuration file
* :escape_html - escape HTML by default (automatic)
* :exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)
* :highlight_user_input - highlight user input in reported warnings (default: true)
* :html_style - path to CSS file
* :ignore_model_output - consider models safe (default: false)
* :interprocedural - limited interprocedural processing of method calls (default: false)
* :message_limit - limit length of messages
* :min_confidence - minimum confidence (0-2, 0 is highest)
* :output_files - files for output
* :output_formats - formats for output (:to_s, :to_tabs, :to_csv, :to_html)
* :parallel_checks - run checks in parallel (default: true)
* :print_report - if no output file specified, print to stdout (default: false)
* :quiet - suppress most messages (default: true)
* :rails3 - force Rails 3 mode (automatic)
* :report_routes - show found routes on controllers (default: false)
* :run_checks - array of checks to run (run all if not specified)
* :safe_methods - array of methods to consider safe
* :skip_libs - do not process lib/ directory (default: false)
* :skip_checks - checks not to run (run all if not specified)
* :relative_path - show relative path of each file(default: false)
* :summary_only - only output summary section of report
                  (does not apply to tabs format)

Alternatively, just supply a path as a string.

# File lib/brakeman.rb, line 48
def self.run options
  options = set_options options

  @quiet = !!options[:quiet]
  @debug = !!options[:debug]

  if @quiet
    options[:report_progress] = false
  end
  scan options
end
scan(options) click to toggle source

Run a scan. Generally called from Brakeman.run instead of directly.

# File lib/brakeman.rb, line 242
def self.scan options
  #Load scanner
  notify "Loading scanner..."

  begin
    require 'brakeman/scanner'
  rescue LoadError
    abort "Cannot find lib/ directory."
  end

  #Start scanning
  scanner = Scanner.new options

  notify "Processing application in #{options[:app_path]}"
  tracker = scanner.process

  if options[:parallel_checks]
    notify "Running checks in parallel..."
  else
    notify "Runnning checks..."
  end
  tracker.run_checks

  if options[:output_files]
    notify "Generating report..."

    options[:output_files].each_with_index do |output_file, idx|
      File.open output_file, "w" do |f|
        f.write tracker.report.send(options[:output_formats][idx])
      end
      notify "Report saved in '#{output_file}'"
    end
  elsif options[:print_report]
    notify "Generating report..."

    options[:output_formats].each do |output_format|
      puts tracker.report.send(output_format)
    end
  end

  tracker
end
set_options(options) click to toggle source

Sets up options for run, checks given application path

# File lib/brakeman.rb, line 61
def self.set_options options
  if options.is_a? String
    options = { :app_path => options }
  end

  options[:app_path] = File.expand_path(options[:app_path])

  options = load_options(options[:config_file]).merge! options
  options = get_defaults.merge! options
  options[:output_formats] = get_output_formats options

  options
end

[Validate]

Generated with the Darkfish Rdoc Generator 2.