Merge branch 'load_dependencies_on_demand'

Load dependencies on demand, add brakeman-min gemspec

Merge branch 'load_dependencies_on_demand'
Load dependencies on demand, add brakeman-min gemspec
7b37f84a · Justin Collins · 47fa69ab · 80a9f136 · 7b37f84a · 7b37f84a
13 changed file
--- a/Gemfile
+++ b/Gemfile
 source "http://rubygems.org"

-gemspec
+gemspec :name => "brakeman"

 gem "rake"
 gem "coveralls", :require => false
--- a/brakeman-min.gemspec
+++ b/brakeman-min.gemspec
+require './lib/brakeman/version'
+
+Gem::Specification.new do |s|
+  s.name = %q{brakeman-min}
+  s.version = Brakeman::Version
+  s.authors = ["Justin Collins"]
+  s.summary = "Security vulnerability scanner for Ruby on Rails."
+  s.description = "Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis. This version of the gem only requires the minimum number of dependencies. Use the 'brakeman' gem for a full install."
+  s.homepage = "http://brakemanscanner.org"
+  s.files = ["bin/brakeman", "CHANGES", "WARNING_TYPES", "FEATURES", "README.md"] + Dir["lib/**/*"]
+  s.executables = ["brakeman"]
+  s.license = "MIT"
+  s.add_dependency "ruby_parser", "~>3.1.1"
+  s.add_dependency "ruby2ruby", "~>2.0.5"
+  s.add_dependency "multi_json", "~>1.2"
+end
--- a/lib/brakeman.rb
+++ b/lib/brakeman.rb
@@ -10,6 +10,7 @@ module Brakeman

  @debug = false
  @quiet = false
+  @loaded_dependencies = []

  #Run Brakeman scan. Returns Tracker object.
  #
@@ -144,7 +145,12 @@ module Brakeman
    elsif options[:output_files]
      get_formats_from_output_files options[:output_files]
    else
-      return [:to_s]
+      begin
+        require 'terminal-table'
+        return [:to_s]
+      rescue LoadError
+        return [:to_json]
+      end
    end
  end
  
@@ -366,6 +372,19 @@ module Brakeman
    Brakeman::Differ.new(new_results, previous_results).diff
  end

+  def self.load_dependency name
+    return if @loaded_dependencies.include? name
+
+    begin
+      require name
+    rescue LoadError => e
+      $stderr.puts e.message
+      $stderr.puts "Please install the appropriate dependency."
+      exit! -1
+    end
+  end
+
+  class DependencyError < RuntimeError; end
  class RakeInstallError < RuntimeError; end
  class NoBrakemanError < RuntimeError; end
  class NoApplication < RuntimeError; end

--- a/lib/brakeman/parsers/rails2_erubis.rb
+++ b/lib/brakeman/parsers/rails2_erubis.rb
+Brakeman.load_dependency 'erubis'
+
 #Erubis processor which ignores any output which is plain text.
 class Brakeman::ScannerErubis < Erubis::Eruby
  include Erubis::NoTextEnhancer

--- a/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
+++ b/lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
+Brakeman.load_dependency 'erubis'
+
 #This is from the rails_xss plugin for Rails 2
 class Brakeman::Rails2XSSPluginErubis < ::Erubis::Eruby
  def add_preamble(src)

--- a/lib/brakeman/parsers/rails3_erubis.rb
+++ b/lib/brakeman/parsers/rails3_erubis.rb
+Brakeman.load_dependency 'erubis'
+
 #This is from Rails 3 version of the Erubis handler
 class Brakeman::Rails3Erubis < ::Erubis::Eruby


--- a/lib/brakeman/report/renderer.rb
+++ b/lib/brakeman/report/renderer.rb
+require 'erb'
+
 class Brakeman::Report
  class Renderer
    def initialize(template_file, hash = {})

--- a/lib/brakeman/report/report_base.rb
+++ b/lib/brakeman/report/report_base.rb
 require 'set'
-require 'highline'
 require 'brakeman/util'
 require 'brakeman/version'
 require 'brakeman/report/renderer'

--- a/lib/brakeman/report/report_csv.rb
+++ b/lib/brakeman/report/report_csv.rb
-require "csv"
+Brakeman.load_dependency 'csv'
 require "brakeman/report/initializers/faster_csv"
 require "brakeman/report/report_table"


--- a/lib/brakeman/report/report_json.rb
+++ b/lib/brakeman/report/report_json.rb
-require 'multi_json'
+Brakeman.load_dependency 'multi_json'
 require 'brakeman/report/initializers/multi_json'

 class Brakeman::Report::JSON < Brakeman::Report::Base

--- a/lib/brakeman/report/report_table.rb
+++ b/lib/brakeman/report/report_table.rb
-require 'terminal-table'
+Brakeman.load_dependency 'terminal-table'

 class Brakeman::Report::Table < Brakeman::Report::Base
  def generate_report

--- a/lib/brakeman/scanner.rb
+++ b/lib/brakeman/scanner.rb
 require 'rubygems'
+
 begin
  require 'ruby_parser'
  require 'ruby_parser/bm_sexp.rb'
  require 'ruby_parser/bm_sexp_processor.rb'
-
-  require 'haml'
-  require 'sass'
-  require 'erb'
-  require 'erubis'
-  require 'slim'
  require 'brakeman/processor'
  require 'brakeman/app_tree'
-  require 'brakeman/parsers/rails2_erubis'
-  require 'brakeman/parsers/rails2_xss_plugin_erubis'
-  require 'brakeman/parsers/rails3_erubis'
 rescue LoadError => e
  $stderr.puts e.message
  $stderr.puts "Please install the appropriate dependency."
@@ -272,24 +264,33 @@ class Brakeman::Scanner
        if tracker.config[:escape_html]
          type = :erubis
          if options[:rails3]
+            require 'brakeman/parsers/rails3_erubis'
            src = Brakeman::Rails3Erubis.new(text).src
          else
+            require 'brakeman/parsers/rails2_xss_plugin_erubis'
            src = Brakeman::Rails2XSSPluginErubis.new(text).src
          end
        elsif tracker.config[:erubis]
+          require 'brakeman/parsers/rails2_erubis'
          type = :erubis
          src = Brakeman::ScannerErubis.new(text).src
        else
+          require 'erb'
          src = ERB.new(text, nil, "-").src
          src.sub!(/^#.*\n/, '') if RUBY_1_9
        end

        parsed = parse_ruby src
      elsif type == :haml
+        Brakeman.load_dependency 'haml'
+        Brakeman.load_dependency 'sass'
+
        src = Haml::Engine.new(text,
                               :escape_html => !!tracker.config[:escape_html]).precompiled
        parsed = parse_ruby src
      elsif type == :slim
+        Brakeman.load_dependency 'slim'
+
        src = Slim::Template.new(:disable_capture => true,
                                 :generator => Temple::Generators::RailsOutputBuffer) { text }.precompiled_template

@@ -356,3 +357,6 @@ class Brakeman::Scanner
    @ruby_parser.new.parse input
  end
 end
+
+# This is to allow operation without loading the Haml library
+module Haml; class Error < StandardError; end; end
--- a/lib/brakeman/util.rb
+++ b/lib/brakeman/util.rb
@@ -385,6 +385,7 @@ module Brakeman::Util

  def truncate_table str
    @terminal_width ||= if $stdin && $stdin.tty?
+                          Brakeman.load_dependency 'highline'
                          ::HighLine.new.terminal_size[0]
                        else
                          80
@@ -402,6 +403,7 @@ module Brakeman::Util

  # rely on Terminal::Table to build the structure, extract the data out in CSV format
  def table_to_csv table
+    Brakeman.load_dependency 'terminal-table'
    output = CSV.generate_line(table.headings.cells.map{|cell| cell.to_s.strip})
    table.rows.each do |row|
      output << CSV.generate_line(row.cells.map{|cell| cell.to_s.strip})