diff --git a/lib/brakeman.rb b/lib/brakeman.rb index 2a8723c811e1ff3d07b9e0294b642d868437b6db..84a49aa995ed6d1596e07c7fe0bb864eb075cb70 100644 --- a/lib/brakeman.rb +++ b/lib/brakeman.rb @@ -8,6 +8,9 @@ module Brakeman #option is set Warnings_Found_Exit_Code = 3 + @debug = false + @quiet = false + #Run Brakeman scan. Returns Tracker object. # #Options: @@ -42,10 +45,10 @@ module Brakeman def self.run options options = set_options options - if options[:quiet] - options[:report_progress] = false - $VERBOSE = nil - end + @quiet = !!options[:quiet] + @debug = !!options[:debug] + + options[:report_progress] = !@quiet scan options end @@ -68,7 +71,7 @@ module Brakeman if File.exist? app_path + "/script/rails" options[:rails3] = true - warn "[Notice] Detected Rails 3 application" + notify "[Notice] Detected Rails 3 application" end options @@ -86,7 +89,7 @@ module Brakeman "#{File.expand_path(File.dirname(__FILE__))}/../lib/config.yaml"].each do |f| if File.exist? f and not File.directory? f - warn "[Notice] Using configuration in #{f}" unless options[:quiet] + notify "[Notice] Using configuration in #{f}" options = YAML.load_file f options.each do |k,v| if v.is_a? Array @@ -173,7 +176,7 @@ module Brakeman require 'fileutils' if not File.exists? "lib/tasks" - warn "Creating lib/tasks" + notify "Creating lib/tasks" FileUtils.mkdir_p "lib/tasks" end @@ -182,10 +185,10 @@ module Brakeman FileUtils.cp "#{path}/brakeman/brakeman.rake", "lib/tasks/brakeman.rake" if File.exists? "lib/tasks/brakeman.rake" - warn "Task created in lib/tasks/brakeman.rake" - warn "Usage: rake brakeman:run[output_file]" + notify "Task created in lib/tasks/brakeman.rake" + notify "Usage: rake brakeman:run[output_file]" else - warn "Could not create task" + notify "Could not create task" end end 
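Review bot: The new module-level `@debug` and `@quiet` flags in the `@@ -8` hunk carry no comment saying who assigns them and who reads them, which matters because every processor and check in this commit now consults them instead of `tracker.options[:debug]`. Suggest `#Output flags: assigned in Brakeman.run and Brakeman.rescan from options[:quiet]/options[:debug], read by Brakeman.notify and Brakeman.debug` above the two assignments. Since they are process-wide, two scans with different options in the same process share them; the comment should say so.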
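Review bot: `options[:report_progress] = !@quiet` in the `@@ -42` hunk unconditionally overwrites any `:report_progress` value the caller passed, whereas the removed code only forced it to false under `:quiet`; a caller that asked for no progress output without `:quiet` now gets progress printed. Keep the override one-directional, e.g. `options[:report_progress] = false if @quiet`. The hunk also drops `$VERBOSE = nil`, so any `warn` call the commit did not convert to `Brakeman.notify`, and warnings emitted by libraries, will now appear under `:quiet`; if that silencing was intentional it should be restored next to the new flag assignment.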
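Review bot: The converted `notify "[Notice] Using configuration in #{f}"` in the `@@ -86` hunk loses its `unless options[:quiet]` guard and now relies on `@quiet`, but `@quiet` is only assigned in `run` after `set_options` returns; if this config-loading code runs during `set_options` (as its position between `run` and the rake-task helpers suggests), the notice is emitted before the flag is set and `:quiet` no longer suppresses it. The same ordering applies to `notify "[Notice] Detected Rails 3 application"` in the `@@ -68` hunk. Either keep the explicit guard, `notify "[Notice] Using configuration in #{f}" unless options[:quiet]`, or assign `@quiet` from the raw options before calling `set_options`. The enclosing method starts outside the hunk.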
@@ -219,7 +222,7 @@ module Brakeman #Run a scan. Generally called from Brakeman.run instead of directly. def self.scan options #Load scanner - warn "Loading scanner..." + notify "Loading scanner..." begin require 'brakeman/scanner' @@ -230,27 +233,27 @@ module Brakeman #Start scanning scanner = Scanner.new options - warn "[Notice] Using Ruby #{RUBY_VERSION}. Please make sure this matches the one used to run your Rails application." + notify "[Notice] Using Ruby #{RUBY_VERSION}. Please make sure this matches the one used to run your Rails application." - warn "Processing application in #{options[:app_path]}" + notify "Processing application in #{options[:app_path]}" tracker = scanner.process if options[:parallel_checks] - warn "Running checks in parallel..." + notify "Running checks in parallel..." else - warn "Runnning checks..." + notify "Runnning checks..." end tracker.run_checks if options[:output_file] - warn "Generating report..." + notify "Generating report..." File.open options[:output_file], "w" do |f| f.puts tracker.report.send(options[:output_format]) end - warn "Report saved in '#{options[:output_file]}'" + notify "Report saved in '#{options[:output_file]}'" elsif options[:print_report] - warn "Generating report..." + notify "Generating report..." puts tracker.report.send(options[:output_format]) end 
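Review bot: The new `notify "Runnning checks..."` line in the `@@ -230` hunk carries over a typo in a user-facing message; since the line is being rewritten anyway, correct it to `notify "Running checks..."`. The parallel branch already spells it `"Running checks in parallel..."`, so the two messages should agree.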
@@ -273,11 +276,27 @@ module Brakeman #The returned Tracker object from Brakeman.run is used as a starting point #for the rescan. # + #Options may be given as a hash with the same values as Brakeman.run. + #Note that these options will be merged into the Tracker. + # #This method returns a RescanReport object with information about the scan. #However, the Tracker object will also be modified as the scan is run. - def self.rescan tracker, files + def self.rescan tracker, files, options = {} require 'brakeman/rescanner' + tracker.options.merge! options + + @quiet = !!tracker.options[:quiet] + @debug = !!tracker.options[:debug] + Rescanner.new(tracker.options, tracker.processor, files).recheck end + + def self.notify message + $stderr.puts message unless @quiet + end + + def self.debug message + $stderr.puts message if @debug + end end diff --git a/lib/brakeman/call_index.rb b/lib/brakeman/call_index.rb index bdf338f95d2e742c5868fe7ba6ea360af31c5ee1..b162ad9434bae164047ba0cb28979fab853d97d6 100644 --- a/lib/brakeman/call_index.rb +++ b/lib/brakeman/call_index.rb @@ -55,7 +55,7 @@ class Brakeman::CallIndex elsif method calls = calls_by_method method else - warn "Invalid arguments to CallCache#find_calls: #{options.inspect}" + notify "Invalid arguments to CallCache#find_calls: #{options.inspect}" end return [] if calls.nil? diff --git a/lib/brakeman/checks.rb b/lib/brakeman/checks.rb index 9df220e0f790ccb1a3f46c5d6d8d7a0824eb4aff..7dcacb5db567da553674fe5bfcc758fc7b6d455d 100644 --- a/lib/brakeman/checks.rb +++ b/lib/brakeman/checks.rb @@ -89,7 +89,7 @@ class Brakeman::Checks unless tracker.options[:skip_checks].include? check_name or (tracker.options[:run_checks] and not tracker.options[:run_checks].include? check_name) - warn " - #{check_name}" + Brakeman.notify " - #{check_name}" check = c.new(tracker) check.run_check 
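Review bot: `Brakeman.notify` and `Brakeman.debug` are new public entry points with no documentation, and their behavior depends on process-wide state that only `run` and `rescan` set. Suggest `#Print message to stderr unless :quiet was set in the options passed to Brakeman.run or Brakeman.rescan` above `notify` and `#Print message to stderr only when :debug was set in the options passed to Brakeman.run or Brakeman.rescan` above `debug`. Note that the processor hunks (controller_alias_processor.rb, controller_processor.rb, render_helper.rb, model_processor.rb, output_processor.rb, rescanner.rb, scanner.rb) replace per-tracker `@tracker.options[:debug]` checks with these flags, so a Scanner driven without going through `run` or `rescan` silently loses its debug output; that is worth stating in the comment or in the rescan docstring.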
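Review bot: In the call_index.rb hunk, `notify "Invalid arguments to CallCache#find_calls: ..."` is called without a receiver inside `Brakeman::CallIndex`, while every other converted site in this commit uses `Brakeman.notify`; unless CallIndex defines or includes a `notify` of its own, this branch will raise NoMethodError instead of reporting the bad arguments. Change it to `Brakeman.notify "Invalid arguments to CallCache#find_calls: #{options.inspect}"`. The enclosing method continues outside the hunk.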
@@ -120,7 +120,7 @@ class Brakeman::Checks unless tracker.options[:skip_checks].include? check_name or (tracker.options[:run_checks] and not tracker.options[:run_checks].include? check_name) - warn " - #{check_name}" + Brakeman.notify " - #{check_name}" threads << Thread.new do begin @@ -128,7 +128,7 @@ class Brakeman::Checks check.run_check check.warnings rescue Exception => e - warn "[#{check_name}] #{e}" + Brakeman.notify "[#{check_name}] #{e}" [] end end @@ -141,7 +141,7 @@ class Brakeman::Checks threads.each { |t| t.join } - warn "Checks finished, collecting results..." + Brakeman.notify "Checks finished, collecting results..." #Collect results threads.each do |thread| diff --git a/lib/brakeman/checks/check_cross_site_scripting.rb b/lib/brakeman/checks/check_cross_site_scripting.rb index 3f7d72a366fcd44696783c1f03be9e67a772950e..42f51de20256cd9de02f9312be02a53e066ee317 100644 --- a/lib/brakeman/checks/check_cross_site_scripting.rb +++ b/lib/brakeman/checks/check_cross_site_scripting.rb @@ -59,10 +59,10 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck tracker.each_template do |name, template| @current_template = template template[:outputs].each do |out| - debug_info "Checking #{name} for direct XSS" + Brakeman.debug "Checking #{name} for direct XSS" unless check_for_immediate_xss out - debug_info "Checking #{name} for indirect XSS" + Brakeman.debug "Checking #{name} for indirect XSS" @matched = false @mark = false diff --git a/lib/brakeman/checks/check_default_routes.rb b/lib/brakeman/checks/check_default_routes.rb index 7d9ddf9cc50de135b8ccdf64ceab3e408ea6e8f1..f96c61c53c8fcae81fbc95b20771cf6df54ef31b 100644 --- a/lib/brakeman/checks/check_default_routes.rb +++ b/lib/brakeman/checks/check_default_routes.rb 
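Review bot: The `Brakeman.notify "[#{check_name}] #{e}"` in the rescue branch of the `@@ -128` hunk is now the only trace of a check that crashed, and under `:quiet` it prints nothing, so the thread returns `[]` and the report silently omits every finding that check would have produced. A failed security check should be recorded where the report can show it; the scanner already does this with `tracker.error`, so add `tracker.error e.exception("#{check_name}: #{e.message}"), e.backtrace` next to the notify (the `rescue Exception` itself is pre-existing and not changed here). The surrounding `Thread.new` block starts in the `@@ -120` hunk and the method continues past this one.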
@@ -15,7 +15,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck :confidence => CONFIDENCE[:high], :file => "#{tracker.options[:app_path]}/config/routes.rb" else #Report each controller separately - debug_info "Checking each controller for default routes" + Brakeman.debug "Checking each controller for default routes" tracker.routes.each do |name, actions| if actions.is_a? Array and actions[0] == :allow_all_actions diff --git a/lib/brakeman/checks/check_evaluation.rb b/lib/brakeman/checks/check_evaluation.rb index 445261d45d421d2499ba229fa9279cc810528f82..3158d52e6034e29351df5562e8f53300b4aad7fb 100644 --- a/lib/brakeman/checks/check_evaluation.rb +++ b/lib/brakeman/checks/check_evaluation.rb @@ -7,10 +7,10 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck #Process calls def run_check - debug_info "Finding eval-like calls" + Brakeman.debug "Finding eval-like calls" calls = tracker.find_call :method => [:eval, :instance_eval, :class_eval, :module_eval] - debug_info "Processing eval-like calls" + Brakeman.debug "Processing eval-like calls" calls.each do |call| process_result call end diff --git a/lib/brakeman/checks/check_execute.rb b/lib/brakeman/checks/check_execute.rb index 44b990e6fa859970e82297db1bd046cab52d4dd8..736452185e4f214ff4b7b53347d59e0fe40ba051 100644 --- a/lib/brakeman/checks/check_execute.rb +++ b/lib/brakeman/checks/check_execute.rb @@ -13,13 +13,13 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck #Check models, controllers, and views for command injection. def run_check - debug_info "Finding system calls using ``" + Brakeman.debug "Finding system calls using ``" check_for_backticks tracker - debug_info "Finding other system calls" + Brakeman.debug "Finding other system calls" calls = tracker.find_call :targets => [:IO, :Open3, :Kernel, nil], :methods => [:exec, :popen, :popen3, :syscall, :system] - debug_info "Processing system calls" + Brakeman.debug "Processing system calls" calls.each do |result| process_result result end 
diff --git a/lib/brakeman/checks/check_file_access.rb b/lib/brakeman/checks/check_file_access.rb index e2af71e723b96e735ef2e12893967ff385877b93..48f868267968404a1f3e00f053c30a1893cec5de 100644 --- a/lib/brakeman/checks/check_file_access.rb +++ b/lib/brakeman/checks/check_file_access.rb @@ -6,16 +6,16 @@ class Brakeman::CheckFileAccess < Brakeman::BaseCheck Brakeman::Checks.add self def run_check - debug_info "Finding possible file access" + Brakeman.debug "Finding possible file access" methods = tracker.find_call :targets => [:Dir, :File, :IO, :Kernel, :"Net::FTP", :"Net::HTTP", :PStore, :Pathname, :Shell, :YAML], :methods => [:[], :chdir, :chroot, :delete, :entries, :foreach, :glob, :install, :lchmod, :lchown, :link, :load, :load_file, :makedirs, :move, :new, :open, :read, :read_lines, :rename, :rmdir, :safe_unlink, :symlink, :syscopy, :sysopen, :truncate, :unlink] - debug_info "Finding calls to load()" + Brakeman.debug "Finding calls to load()" methods.concat tracker.find_call :target => false, :method => :load - debug_info "Finding calls using FileUtils" + Brakeman.debug "Finding calls using FileUtils" methods.concat tracker.find_call :target => :FileUtils - debug_info "Processing found calls" + Brakeman.debug "Processing found calls" methods.each do |call| process_result call end diff --git a/lib/brakeman/checks/check_mail_to.rb b/lib/brakeman/checks/check_mail_to.rb index 1f55b2d9e0abf26d858e6ad87118cde07ba04836..5a297d5cc7d5d100f26af1d17b4e72731a9989d8 100644 --- a/lib/brakeman/checks/check_mail_to.rb +++ b/lib/brakeman/checks/check_mail_to.rb @@ -28,7 +28,7 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck #Check for javascript encoding of mail_to address # mail_to email, name, :encode => :javascript def mail_to_javascript? - debug_info "Checking calls to mail_to for javascript encoding" + Brakeman.debug "Checking calls to mail_to for javascript encoding" tracker.find_call(:target => false, :method => :mail_to).each do |result| call = result[:call] 
diff --git a/lib/brakeman/checks/check_mass_assignment.rb b/lib/brakeman/checks/check_mass_assignment.rb index 3a8e22dfde511cddef28f677a921bbb30873d9d7..ca2c61078f8475de1f497e68c087f71c715f492a 100644 --- a/lib/brakeman/checks/check_mass_assignment.rb +++ b/lib/brakeman/checks/check_mass_assignment.rb @@ -21,7 +21,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck @results = Set.new - debug_info "Finding possible mass assignment calls on #{models.length} models" + Brakeman.debug "Finding possible mass assignment calls on #{models.length} models" calls = tracker.find_call :chained => true, :targets => models, :methods => [:new, :attributes=, :update_attribute, @@ -30,7 +30,7 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck :create, :create!] - debug_info "Processing possible mass assignment calls" + Brakeman.debug "Processing possible mass assignment calls" calls.each do |result| process_result result end diff --git a/lib/brakeman/checks/check_quote_table_name.rb b/lib/brakeman/checks/check_quote_table_name.rb index 5770e237dac4f0c817adefac47ce25c637c53141..a817b2169dbe5c0a551c5ddd9fd6d4f72d166c23 100644 --- a/lib/brakeman/checks/check_quote_table_name.rb +++ b/lib/brakeman/checks/check_quote_table_name.rb @@ -29,7 +29,7 @@ class Brakeman::CheckQuoteTableName < Brakeman::BaseCheck end def uses_quote_table_name? - debug_info "Finding calls to quote_table_name()" + Brakeman.debug "Finding calls to quote_table_name()" not tracker.find_call(:target => false, :method => :quote_table_name).empty? end diff --git a/lib/brakeman/checks/check_redirect.rb b/lib/brakeman/checks/check_redirect.rb index ef85598464e39dda9024aa7fea9dbd5b04cc1925..ce795ff4053356aacee7a1752079a72082bf26e2 100644 --- a/lib/brakeman/checks/check_redirect.rb +++ b/lib/brakeman/checks/check_redirect.rb 
@@ -9,7 +9,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck Brakeman::Checks.add self def run_check - debug_info "Finding calls to redirect_to()" + Brakeman.debug "Finding calls to redirect_to()" @tracker.find_call(:target => false, :method => :redirect_to).each do |res| process_result res @@ -42,7 +42,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck #which can be used to enable/disable reporting output of method calls which use #user input as arguments. def include_user_input? call - debug_info "Checking if call includes user input" + Brakeman.debug "Checking if call includes user input" if tracker.options[:ignore_redirect_to_model] and call? call[3][1] and call[3][1][2] == :new and call[3][1][1] diff --git a/lib/brakeman/checks/check_send_file.rb b/lib/brakeman/checks/check_send_file.rb index 589a41e79c222aca74e396845c2679d545f26755..7cf05bf2b5bf669de307613e63bf1b4f028089a1 100644 --- a/lib/brakeman/checks/check_send_file.rb +++ b/lib/brakeman/checks/check_send_file.rb @@ -6,7 +6,7 @@ class Brakeman::CheckSendFile < Brakeman::CheckFileAccess Brakeman::Checks.add self def run_check - debug_info "Finding all calls to send_file()" + Brakeman.debug "Finding all calls to send_file()" methods = tracker.find_call :target => false, :method => :send_file diff --git a/lib/brakeman/checks/check_sql.rb b/lib/brakeman/checks/check_sql.rb index bcbe32ac42ecf2197c7cedc272745a55c7c4b80d..554e559c9f07172a8a71d20ee98d2f6dd9b126f5 100644 --- a/lib/brakeman/checks/check_sql.rb +++ b/lib/brakeman/checks/check_sql.rb @@ -14,7 +14,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck def run_check @rails_version = tracker.config[:rails_version] - debug_info "Finding possible SQL calls on models" + Brakeman.debug "Finding possible SQL calls on models" if tracker.options[:rails3] calls = tracker.find_call :targets => tracker.models.keys, :methods => /^(find.*|first|last|all|where|order|group|having)$/, 
@@ -25,16 +25,16 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck :chained => true end - debug_info "Finding possible SQL calls with no target" + Brakeman.debug "Finding possible SQL calls with no target" calls.concat tracker.find_call(:target => nil, :method => /^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql)$/) - debug_info "Finding possible SQL calls using constantized()" + Brakeman.debug "Finding possible SQL calls using constantized()" calls.concat tracker.find_call(:method => /^(find.*|last|first|all|count|sum|average|minumum|maximum|count_by_sql)$/).select { |result| constantize_call? result } - debug_info "Finding calls to named_scope or scope" + Brakeman.debug "Finding calls to named_scope or scope" calls.concat find_scope_calls - debug_info "Processing possible SQL calls" + Brakeman.debug "Processing possible SQL calls" calls.each do |c| process_result c end diff --git a/lib/brakeman/checks/check_strip_tags.rb b/lib/brakeman/checks/check_strip_tags.rb index 214eba787675b5e9ca8c7ac58b621c2bf03a6527..1fdd59311a6596e4a9f2e5517a2a6da7925c6778 100644 --- a/lib/brakeman/checks/check_strip_tags.rb +++ b/lib/brakeman/checks/check_strip_tags.rb @@ -23,7 +23,7 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck end def uses_strip_tags? - debug_info "Finding calls to strip_tags()" + Brakeman.debug "Finding calls to strip_tags()" not tracker.find_call(:target => false, :method => :strip_tags).empty? end diff --git a/lib/brakeman/checks/check_translate_bug.rb b/lib/brakeman/checks/check_translate_bug.rb index fa0040b4ad561924e77ce1edb7de5a252d37a1ca..8b9d8b1d92f7f014ce654315e8443ac39fb2a58e 100644 --- a/lib/brakeman/checks/check_translate_bug.rb +++ b/lib/brakeman/checks/check_translate_bug.rb 
@@ -34,7 +34,7 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck end def uses_translate? - debug_info "Finding calls to translate() or t()" + Brakeman.debug "Finding calls to translate() or t()" not tracker.find_call(:target => nil, :methods => [:t, :translate]).empty? end diff --git a/lib/brakeman/checks/check_without_protection.rb b/lib/brakeman/checks/check_without_protection.rb index fe2c45f2c3ab226cdea643dbbba5e86e816fa2ac..4d5fa14718b14efcfea5d6b6e5ae110ffd51bb8b 100644 --- a/lib/brakeman/checks/check_without_protection.rb +++ b/lib/brakeman/checks/check_without_protection.rb @@ -23,7 +23,7 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck @results = Set.new - debug_info "Finding all mass assignments" + Brakeman.debug "Finding all mass assignments" calls = tracker.find_call :targets => models, :methods => [:new, :attributes=, :update_attribute, @@ -32,7 +32,7 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck :create, :create!] - debug_info "Processing all mass assignments" + Brakeman.debug "Processing all mass assignments" calls.each do |result| process_result result end diff --git a/lib/brakeman/processors/controller_alias_processor.rb b/lib/brakeman/processors/controller_alias_processor.rb index 403ec4006e39e9a817b02461136dc7211dac7c5a..952de88ab92390f0dfa4c2126aabf8e8b167b091 100644 --- a/lib/brakeman/processors/controller_alias_processor.rb +++ b/lib/brakeman/processors/controller_alias_processor.rb @@ -87,7 +87,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor method = find_method name, @current_class if method.nil? - warn "[Notice] Could not find filter #{name}" if @tracker.options[:debug] + Brakeman.debug "[Notice] Could not find filter #{name}" return end 
@@ -207,7 +207,7 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor when :lit, :str filter[option] = value[1] else - warn "[Notice] Unknown before_filter value: #{option} => #{value}" if @tracker.options[:debug] + Brakeman.debug "[Notice] Unknown before_filter value: #{option} => #{value}" end else filter[:all] = true diff --git a/lib/brakeman/processors/controller_processor.rb b/lib/brakeman/processors/controller_processor.rb index 1a0fb604087c44e3a2a9f4c9eeaaa58f54eea87f..9a3c961aac470e42f79ff40f737b6cc007d3e7c6 100644 --- a/lib/brakeman/processors/controller_processor.rb +++ b/lib/brakeman/processors/controller_processor.rb @@ -22,7 +22,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor #s(:class, NAME, PARENT, s(:scope ...)) def process_class exp if @controller - warn "[Notice] Skipping inner class: #{class_name exp[1]}" if @tracker.options[:debug] + Brakeman.debug "[Notice] Skipping inner class: #{class_name exp[1]}" return ignore end @@ -83,7 +83,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor unless Dir.glob("#{@tracker.options[:app_path]}/app/views/layouts/#{name}.html.{erb,haml}").empty? @controller[:layout] = "layouts/#{name}" else - warn "[Notice] Layout not found: #{name}" if @tracker.options[:debug] + Brakeman.debug "[Notice] Layout not found: #{name}" end elsif sexp? args[-1] and (args[-1][0] == :nil or args[-1][0] == :false) #layout :false or layout nil diff --git a/lib/brakeman/processors/lib/rails2_config_processor.rb b/lib/brakeman/processors/lib/rails2_config_processor.rb index d12a30a6e5e0d2aaf1b94cd75e07336db3ad0459..400adcbc0d7e354539f422199afaebfbc8875c60 100644 --- a/lib/brakeman/processors/lib/rails2_config_processor.rb +++ b/lib/brakeman/processors/lib/rails2_config_processor.rb 
@@ -37,7 +37,7 @@ class Brakeman::Rails2ConfigProcessor < Brakeman::BaseProcessor target = process target if sexp? target if exp[2] == :gem and exp[3][1][1] == "erubis" - warn "[Notice] Using Erubis for ERB templates" + Brakeman.notify "[Notice] Using Erubis for ERB templates" @tracker.config[:erubis] = true end diff --git a/lib/brakeman/processors/lib/render_helper.rb b/lib/brakeman/processors/lib/render_helper.rb index 77e0d753163c590e89e0f3a3051dae42951ad4e9..a2f4854559c3022cd0a73633f15608c5e2a75a4b 100644 --- a/lib/brakeman/processors/lib/render_helper.rb +++ b/lib/brakeman/processors/lib/render_helper.rb @@ -50,7 +50,7 @@ module Brakeman::RenderHelper name = name.to_s.gsub(/^\//, "") template = @tracker.templates[name.to_sym] unless template - warn "[Notice] No such template: #{name}" if @tracker.options[:debug] + Brakeman.debug "[Notice] No such template: #{name}" return end diff --git a/lib/brakeman/processors/model_processor.rb b/lib/brakeman/processors/model_processor.rb index 7766b48a39f972ca6a0594cd968e38001aea385f..58bc740201614f9853803e5b3d592dea26cf2ec6 100644 --- a/lib/brakeman/processors/model_processor.rb +++ b/lib/brakeman/processors/model_processor.rb @@ -19,7 +19,7 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor #s(:class, NAME, PARENT, s(:scope ...)) def process_class exp if @model - warn "[Notice] Skipping inner class: #{class_name exp[1]}" if @tracker.options[:debug] + Brakeman.debug "[Notice] Skipping inner class: #{class_name exp[1]}" ignore else @model = { :name => class_name(exp[1]), diff --git a/lib/brakeman/processors/output_processor.rb b/lib/brakeman/processors/output_processor.rb index 108ab562ceba0bb284eabe1d73858730489bb54b..c96b482917e6d2ede4e707620259ff27a176294a 100644 --- a/lib/brakeman/processors/output_processor.rb +++ b/lib/brakeman/processors/output_processor.rb 
@@ -19,7 +19,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby begin super exp if sexp? exp and not exp.empty? rescue Exception => e - warn "While formatting #{exp}: #{e}\n#{e.backtrace.join("\n")}" if @tracker.options[:debug] + Brakeman.debug "While formatting #{exp}: #{e}\n#{e.backtrace.join("\n")}" end end diff --git a/lib/brakeman/report.rb b/lib/brakeman/report.rb index 92dda2762af92314a3d1899b4427739b00767963..c29e4d8993a7d248095300b76ef4d66ce8332ccc 100644 --- a/lib/brakeman/report.rb +++ b/lib/brakeman/report.rb @@ -83,7 +83,7 @@ class Brakeman::Report tracker.errors.each do |w| - p w if tracker.options[:debug] + Brakeman.debug w.inspect if html w[:error] = CGI.escapeHTML w[:error] diff --git a/lib/brakeman/rescanner.rb b/lib/brakeman/rescanner.rb index a2a81193023bfe927b99f9eb8ff5953375f37d2f..4eec22f9188073123c93592417003edc94ee3508 100644 --- a/lib/brakeman/rescanner.rb +++ b/lib/brakeman/rescanner.rb @@ -45,7 +45,7 @@ class Brakeman::Rescanner < Brakeman::Scanner SCAN_ORDER.each do |type| paths_by_type[type].each do |path| - warn "Rescanning #{path} as #{type}" if tracker.options[:debug] + Brakeman.debug "Rescanning #{path} as #{type}" if rescan_file path, type @changes = true diff --git a/lib/brakeman/scanner.rb b/lib/brakeman/scanner.rb index 16d112468252e2b4fc40ceb9fa32ca279fa0393f..7c45d928be2b6e36bd809328babdb3f03dfd9cda 100644 --- a/lib/brakeman/scanner.rb +++ b/lib/brakeman/scanner.rb 
@@ -51,23 +51,23 @@ class Brakeman::Scanner #Process everything in the Rails application def process - warn "Processing configuration..." + Brakeman.notify "Processing configuration..." process_config - warn "Processing gems..." + Brakeman.notify "Processing gems..." process_gems - warn "Processing initializers..." + Brakeman.notify "Processing initializers..." process_initializers - warn "Processing libs..." + Brakeman.notify "Processing libs..." process_libs - warn "Processing routes... " + Brakeman.notify "Processing routes... " process_routes - warn "Processing templates... " + Brakeman.notify "Processing templates... " process_templates - warn "Processing models... " + Brakeman.notify "Processing models... " process_models - warn "Processing controllers... " + Brakeman.notify "Processing controllers... " process_controllers - warn "Indexing call sites... " + Brakeman.notify "Indexing call sites... " index_call_sites tracker end @@ -89,7 +89,7 @@ class Brakeman::Scanner (File.exists? "#@path/Gemfile" and File.read("#@path/Gemfile").include? "rails_xss") tracker.config[:escape_html] = true - warn "[Notice] Escaping HTML by default" + Brakeman.notify "[Notice] Escaping HTML by default" end end @@ -99,7 +99,7 @@ class Brakeman::Scanner end rescue Exception => e - warn "[Notice] Error while processing config/#{file}" + Brakeman.notify "[Notice] Error while processing config/#{file}" tracker.error e.exception(e.message + "\nwhile processing Gemfile"), e.backtrace end @@ -115,7 +115,7 @@ class Brakeman::Scanner end end rescue Exception => e - warn "[Notice] Error while processing Gemfile." + Brakeman.notify "[Notice] Error while processing Gemfile." tracker.error e.exception(e.message + "\nWhile processing Gemfile"), e.backtrace end @@ -144,7 +144,7 @@ class Brakeman::Scanner #Adds parsed information to tracker.libs. def process_libs if options[:skip_libs] - warn '[Skipping]' + Brakeman.notify '[Skipping]' return end 
@@ -153,7 +153,7 @@ class Brakeman::Scanner current = 0 lib_files.each do |f| - warn "Processing #{f}" if options[:debug] + Brakeman.debug "Processing #{f}" if @report_progress $stderr.print " #{current}/#{total} files processed\r" current += 1 @@ -183,11 +183,11 @@ class Brakeman::Scanner @processor.process_routes parse_ruby(File.read("#@path/config/routes.rb")) rescue Exception => e tracker.error e.exception(e.message + "\nWhile processing routes.rb"), e.backtrace - warn "[Notice] Error while processing routes - assuming all public controller methods are actions." + Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions." options[:assume_all_routes] = true end else - warn "[Notice] No route information found" + Brakeman.notify "[Notice] No route information found" end end @@ -200,7 +200,7 @@ class Brakeman::Scanner current = 0 controller_files.each do |f| - warn "Processing #{f}" if options[:debug] + Brakeman.debug "Processing #{f}" if @report_progress $stderr.print " #{current}/#{total} files processed\r" current += 1 @@ -212,7 +212,7 @@ class Brakeman::Scanner current = 0 total = tracker.controllers.length - warn "Processing data flow in controllers..." + Brakeman.notify "Processing data flow in controllers..." tracker.controllers.each do |name, controller| if @report_progress @@ -258,7 +258,7 @@ class Brakeman::Scanner total = tracker.templates.length count = 0 - warn "Processing data flow in templates..." + Brakeman.notify "Processing data flow in templates..." tracker.templates.keys.dup.each do |name| if @report_progress