Merge branch 'master' of github.com:presidentbeef/brakeman

lib/brakeman/app_tree.rb

@@ -8,17 +8,20 @@ module Brakeman
       root = options[:app_path]
 
       # Convert files into Regexp for matching
+      init_options = {}
       if options[:skip_files]
-        list = "(?:" << options[:skip_files].map { |f| Regexp.escape f }.join("|") << ")$"
-        new(root, Regexp.new(list))
-      else
-        new(root)
+        init_options[:skip_files] = Regexp.new("(?:" << options[:skip_files].map { |f| Regexp.escape f }.join("|") << ")$")
       end
+      if options[:only_files]
+        init_options[:only_files] = Regexp.new("(?:" << options[:only_files].map { |f| Regexp.escape f }.join("|") << ")")
+      end
+      new(root, init_options)
     end
 
-    def initialize(root, skip_files = nil)
+    def initialize(root, init_options = {})
       @root = root
-      @skip_files = skip_files
+      @skip_files = init_options[:skip_files]
+      @only_files = init_options[:only_files]
     end
 
     def expand_path(path)
@@ -76,14 +79,22 @@ module Brakeman
     def find_paths(directory, extensions = "*.rb")
       pattern = @root + "/#{directory}/**/#{extensions}"
 
-      Dir.glob(pattern).sort.tap do |paths|
-        reject_skipped_files(paths)
-      end
+      select_files(Dir.glob(pattern).sort)
+    end
+
+    def select_files(paths)
+      paths = select_only_files(paths)
+      reject_skipped_files(paths)
+    end
+
+    def select_only_files(paths)
+      return paths unless @only_files
+      paths.select { |f| @only_files.match f }
     end
 
     def reject_skipped_files(paths)
-      return unless @skip_files
-      paths.reject! { |f| @skip_files.match f }
+      return paths unless @skip_files
+      paths.reject { |f| @skip_files.match f }
     end
 
   end

lib/brakeman/options.rb

@@ -91,13 +91,18 @@ module Brakeman::Options
         opts.on "--url-safe-methods method1,method2,etc", Array, "Do not warn of XSS if the link_to href parameter is wrapped in a safe method" do |methods|
           options[:url_safe_methods] ||= Set.new
           options[:url_safe_methods].merge methods.map {|e| e.to_sym }
-        end        
+        end
 
         opts.on "--skip-files file1,file2,etc", Array, "Skip processing of these files" do |files|
           options[:skip_files] ||= Set.new
           options[:skip_files].merge files
         end
 
+        opts.on "--only-files file1,file2,etc", Array, "Process only these files" do |files|
+          options[:only_files] ||= Set.new
+          options[:only_files].merge files
+        end
+
         opts.on "--skip-libs", "Skip processing lib directory" do
           options[:skip_libs] = true
         end
@@ -128,11 +133,11 @@ module Brakeman::Options
         opts.separator "Output options:"
 
         opts.on "-d", "--debug", "Lots of output" do
-          options[:debug] = true 
+          options[:debug] = true
         end
 
-        opts.on "-f", 
-          "--format TYPE", 
+        opts.on "-f",
+          "--format TYPE",
           [:pdf, :text, :html, :csv, :tabs, :json],
           "Specify output formats. Default is text" do |type|
 
@@ -177,9 +182,9 @@ module Brakeman::Options
           options[:relative_paths] = true
         end
 
-        opts.on "-w", 
-          "--confidence-level LEVEL", 
-          ["1", "2", "3"], 
+        opts.on "-w",
+          "--confidence-level LEVEL",
+          ["1", "2", "3"],
           "Set minimal confidence level (1 - 3)" do |level|
 
           options[:min_confidence] =  3 - level.to_i

test/tests/test_only_files_option.rb

+abort "Please run using test/test.rb" unless defined? BrakemanTester
+
+Rails32OnlyFiles = BrakemanTester.run_scan "rails3.2", "Rails 3.2", { :only_files => ["app/views/users/"], :skip_files => ["app/views/users/sanitized.html.erb"] }
+
+class OnlyFilesOptionTests < Test::Unit::TestCase
+  include BrakemanTester::FindWarning
+  include BrakemanTester::CheckExpected
+
+  def expected
+    @expected ||= {
+      :controller => 0,
+      :model => 0,
+      :template => 1,
+      :warning => 4 }
+
+
+    if RUBY_PLATFORM == 'java'
+      @expected[:warning] += 1
+    end
+
+    @expected
+  end
+
+  def report
+    Rails32OnlyFiles
+  end
+
+  def test_escaped_params_to_json
+    assert_no_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 21,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 0,
+      :file => /show\.html\.erb/
+  end
+
+  def test_cross_site_scripting_slim_partial_param
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 6,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 0,
+      :file => /_slimmer\.html\.slim/
+  end
+
+  # This is the template that is skipped, should be no warning
+  def test_xss_sanitize_css_CVE_2013_1855
+    assert_no_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 2,
+      :message => /^Rails\ 3\.2\.9\.rc2\ has\ a\ vulnerability\ in\ s/,
+      :confidence => 0,
+      :file => /sanitized\.html\.erb/
+  end
+
+end