david-a-wheeler / railroader

A static analysis security vulnerability scanner for Ruby on Rails applications (OSS fork of Brakeman)
MIT License

Can't launch scan #34

Open sv-atoslav opened 2 years ago

sv-atoslav commented 2 years ago

Background

Railroader version: 4.3.8
Rails version: 5.1.1
Ruby version: ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux-gnu]
OS version:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04 LTS
Release:    22.04
Codename:   jammy

Link to Rails application code

Issue

// What problem are you seeing? Consult the relevant section below if possible. I can't scan the example vulnerable Rails app.

Relevant code

Parse Error

Consult https://railroaderscanner.org/docs/troubleshooting/parse_errors/ first

$ ping -c 5 railroaderscanner.org
ping: railroaderscanner.org: No address associated with hostname

Full warning from Railroader:

$ railroader -A -o rail_output.json --path /home/sviatoslav/Downloads/VulnerableRubyAppMaster/
Loading scanner...
Processing application in /home/sviatoslav/Downloads/VulnerableRubyAppMaster
Processing gems...
[Notice] Detected Rails 5 application
Processing configuration...
[Notice] Error while processing config/application.rb
[Notice] Escaping HTML by default
Parsing files...
Processing initializers...
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:81:in `process': Result must be a Sexp, was Array:[:arglist, s(:str, "1.0")] (SexpTypeError)
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/base_processor.rb:172:in `process_attrasgn'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:75:in `block in process'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:112:in `in_context'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:71:in `process'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/base_processor.rb:110:in `block in process_block'
    from (eval):3:in `map!'
    from (eval):3:in `map!'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/base_processor.rb:109:in `process_block'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:75:in `block in process'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:112:in `in_context'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:71:in `process'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/base_processor.rb:23:in `process_file'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processor.rb:92:in `process_initializer'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:185:in `process_initializer'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:179:in `block in process_initializers'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:302:in `block in track_progress'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:299:in `each'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:299:in `track_progress'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:177:in `process_initializers'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:47:in `process'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader.rb:354:in `scan'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader.rb:77:in `run'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:133:in `run_railroader'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:118:in `regular_report'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:142:in `run_report'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:35:in `run'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:20:in `start'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/bin/railroader:8:in `<top (required)>'
    from /usr/local/bin/railroader:25:in `load'
    from /usr/local/bin/railroader:25:in `<main>'

Other Error

// Please run Railroader with --debug to see the full stack trace.

Stack trace:

$ railroader --debug --path /home/sviatoslav/Downloads/VulnerableRubyAppMaster/
Loading scanner...
Processing application in /home/sviatoslav/Downloads/VulnerableRubyAppMaster
Processing gems...
[Notice] Detected Rails 5 application
Processing configuration...
undefined method `each_sexp' for [s(:class, :Application, s(:colon2, s(:const, :Rails), :Application), s(:call, s(:call, nil, :config), :load_defaults, s(:lit, 5.1)))]:Array
Did you mean?  each_slice
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/lib/processor_helper.rb:4:in `process_all'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/lib/processor_helper.rb:55:in `process_module'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:75:in `block in process'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:112:in `in_context'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:71:in `process'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/alias_processor.rb:63:in `block in process_default'
(eval):3:in `map!'
(eval):3:in `map!'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/alias_processor.rb:61:in `process_default'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/alias_processor.rb:396:in `block in process_block'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/sexp_processor-4.12.0/lib/sexp_processor.rb:452:in `scope'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/alias_processor.rb:395:in `process_block'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:75:in `block in process'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:112:in `in_context'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:71:in `process'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/alias_processor.rb:51:in `process_safely'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/lib/rails3_config_processor.rb:29:in `process_config'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processor.rb:26:in `process_config'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:121:in `process_config_file'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:98:in `process_config'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:43:in `process'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader.rb:354:in `scan'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader.rb:77:in `run'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:133:in `run_railroader'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:118:in `regular_report'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:142:in `run_report'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:35:in `run'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:20:in `start'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/bin/railroader:8:in `<top (required)>'
/usr/local/bin/railroader:25:in `load'
/usr/local/bin/railroader:25:in `<main>'
[Notice] Error while processing config/application.rb
undefined method `each_sexp' for [s(:class, :Application, s(:colon2, s(:const, :Rails), :Application), s(:call, s(:call, nil, :config), :load_defaults, s(:lit, 5.1)))]:Array
Did you mean?  each_slice
while processing config/application.rb
Did you mean?  each_slice
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/lib/processor_helper.rb:4:in `process_all'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/lib/processor_helper.rb:55:in `process_module'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:75:in `block in process'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:112:in `in_context'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:71:in `process'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/lib/processor_helper.rb:5:in `block in process_all'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/sexp_processor-4.12.0/lib/sexp.rb:134:in `block in each_sexp'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/sexp_processor-4.12.0/lib/sexp.rb:131:in `each'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/sexp_processor-4.12.0/lib/sexp.rb:131:in `each_sexp'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/lib/processor_helper.rb:4:in `process_all'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/lib/basic_processor.rb:17:in `process_default'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:77:in `block in process'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:112:in `in_context'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:71:in `process'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/lib/rails3_config_processor.rb:30:in `process_config'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processor.rb:26:in `process_config'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:121:in `process_config_file'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:98:in `process_config'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:43:in `process'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader.rb:354:in `scan'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader.rb:77:in `run'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:133:in `run_railroader'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:118:in `regular_report'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:142:in `run_report'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:35:in `run'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:20:in `start'
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/bin/railroader:8:in `<top (required)>'
/usr/local/bin/railroader:25:in `load'
/usr/local/bin/railroader:25:in `<main>'
[Notice] Escaping HTML by default
Parsing files...
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/config/initializers/application_controller_renderer.rb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/config/initializers/assets.rb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/config/initializers/backtrace_silencers.rb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/config/initializers/cookies_serializer.rb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/config/initializers/filter_parameter_logging.rb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/config/initializers/inflections.rb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/config/initializers/mime_types.rb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/config/initializers/wrap_parameters.rb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/controllers/application_controller.rb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/controllers/high_scores_controller.rb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/models/application_record.rb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/models/high_score.rb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/helpers/application_helper.rb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/helpers/high_scores_helper.rb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/jobs/application_job.rb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/views/high_scores/_form.html.erb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/views/high_scores/_form.html.erb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/views/high_scores/edit.html.erb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/views/high_scores/edit.html.erb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/views/high_scores/index.html.erb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/views/high_scores/index.html.erb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/views/high_scores/new.html.erb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/views/high_scores/new.html.erb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/views/high_scores/show.html.erb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/views/high_scores/show.html.erb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/views/layouts/application.html.erb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/views/layouts/application.html.erb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/views/layouts/mailer.html.erb
Parsing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/app/views/layouts/mailer.html.erb
Processing initializers...
Processing /home/sviatoslav/Downloads/VulnerableRubyAppMaster/config/initializers/assets.rb
/home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:81:in `process': Result must be a Sexp, was Array:[:arglist, s(:str, "1.0")] (SexpTypeError)
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/base_processor.rb:172:in `process_attrasgn'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:75:in `block in process'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:112:in `in_context'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:71:in `process'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/base_processor.rb:110:in `block in process_block'
    from (eval):3:in `map!'
    from (eval):3:in `map!'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/base_processor.rb:109:in `process_block'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:75:in `block in process'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:112:in `in_context'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/ruby_parser/bm_sexp_processor.rb:71:in `process'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processors/base_processor.rb:23:in `process_file'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/processor.rb:92:in `process_initializer'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:185:in `process_initializer'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:179:in `block in process_initializers'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:302:in `block in track_progress'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:299:in `each'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:299:in `track_progress'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:177:in `process_initializers'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/scanner.rb:47:in `process'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader.rb:354:in `scan'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader.rb:77:in `run'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:133:in `run_railroader'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:118:in `regular_report'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:142:in `run_report'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:35:in `run'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/lib/railroader/commandline.rb:20:in `start'
    from /home/sviatoslav/.local/share/gem/ruby/3.0.0/gems/railroader-4.3.8/bin/railroader:8:in `<top (required)>'
    from /usr/local/bin/railroader:25:in `load'
    from /usr/local/bin/railroader:25:in `<main>'

My Issue is Completely Different

Try to scan this app, if you can...