Justin Collins presidentbeef

presidentbeef / String#html_safe
Last active December 14, 2015 00:48
String#html_safe does not make a string HTML safe: it only marks the string as already safe, so ERB::Util.html_escape leaves it untouched.
Loading development environment (Rails 3.2.11)
1.9.3p374 :001 > s = "<script>alert('hello')</script>"
=> "<script>alert('hello')</script>"
1.9.3p374 :002 > ERB::Util.html_escape s
=> "&lt;script&gt;alert(&#x27;hello&#x27;)&lt;/script&gt;"
1.9.3p374 :003 > safe = s.html_safe
=> "<script>alert('hello')</script>"
1.9.3p374 :004 > ERB::Util.html_escape safe
=> "<script>alert('hello')</script>"
presidentbeef / conversions.rb
Created January 10, 2013 04:42
Simple way to disable XML parsing of symbol/YAML types
#activesupport/lib/active_support/core_ext/hash/conversions.rb
unless defined?(XML_PARSING)
XML_PARSING = {
- "symbol" => Proc.new { |symbol| symbol.to_sym },
+ "symbol" => Proc.new { |symbol| symbol.to_s },
"date" => Proc.new { |date| ::Date.parse(date) },
"datetime" => Proc.new { |time| ::Time.parse(time).utc rescue ::DateTime.parse(time).utc },
"integer" => Proc.new { |integer| integer.to_i },
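Review bot: The description promises disabling both the symbol and YAML types, but this hunk only changes the "symbol" entry of XML_PARSING; if the hash also carries a "yaml" entry (as the title implies), it needs the same treatment (e.g. `"yaml" => Proc.new { |yaml| yaml.to_s }`) or should be removed, otherwise YAML-typed XML input is still deserialized. Note also that `to_s` on the already-String value means `type="symbol"` is still accepted as a type name, just rendered inert; a comment saying so would help future readers.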
@@ -76,7 +76,7 @@ module ActiveSupport #:nodoc:
"decimal" => Proc.new { |number| BigDecimal(number) },
presidentbeef / gist:2720022
Created May 17, 2012 16:33
Show ruby_parser output on command line
#!/usr/bin/env ruby
require 'rubygems'
require 'ruby_parser'
require 'pp'
pp RubyParser.new.parse ARGV[0]
presidentbeef / gist:1690752
Created January 27, 2012 20:28
JRuby + Brakeman Performance
======================================================
Used jruby 1.6.5 (ruby-1.8.7-p330) (2011-10-25 9dcd388) (OpenJDK 64-Bit Server VM 1.6.0_22) [linux-amd64-java]
Started at Thu Jan 26 13:17:21 -0800 2012
Finished at Thu Jan 26 13:25:56 -0800 2012
Scanned 2 path(s)
Total time: 515.036000013351s
-------------------------------------------------------
../nventory/trunk/server/ @ Thu Jan 26 13:17:55 -0800 2012
66 controllers, 59 models, 1568 templates, 0 errors
total_time: 480.528000 (480.528000)
presidentbeef / gist:1563286
Created January 5, 2012 01:56
Rescanning changed files
my_rails_app = "your/path/here"
changed_files = ["changed/files/here"]
require 'brakeman'
#Do initial scan
tracker = Brakeman.run :app_path => my_rails_app
puts "Warnings: #{tracker.checks.all_warnings.length}"
puts "Errors: #{tracker.errors.length}"
presidentbeef / gist:1512567
Created December 23, 2011 00:52
Process routes with Brakeman::RoutesProcessor
$LOAD_PATH.unshift "/home/justin/work/brakeman/lib"
require 'brakeman'
require 'ruby_parser/ruby_parser'
require 'brakeman/tracker'
require 'brakeman/processors/route_processor'
tracker = Brakeman::Tracker.new
tracker.options[:rails3] = true
route_processor = Brakeman::RoutesProcessor.new tracker
presidentbeef / gist:1470939
Created December 13, 2011 06:40
Using Brakeman::AliasProcessor
require 'ruby_parser'
require 'ruby2ruby'
require 'brakeman'
require 'brakeman/processors/alias_processor'
#Local variables for clarity
def process code
  sexp = RubyParser.new.parse code
  processed_sexp = Brakeman::AliasProcessor.new.process_safely sexp
  pretty_code = Ruby2Ruby.new.process processed_sexp
  pretty_code
end
presidentbeef / gist:1314419
Created October 25, 2011 21:46
Brakeman performance
jruby 1.6.5 (ruby-1.8.7-p330) (2011-10-25 9dcd388) (Java HotSpot(TM) Client VM 1.6.0_26) [linux-i386-java]
Single core, no threads, Linux:
jruby 1.6.5: 60.91 user 279.93 system 7:13.53 elapsed 78% CPU
--server: 60.51 user 175.19 system 4:55.54 elapsed 79% CPU
ruby 1.9.2-p290: 61.11 user 17.47 system 1:31.40 elapsed 85% CPU
Single core, with threads, Linux:
presidentbeef / gist:933331
Created April 20, 2011 23:32
Directory traversal checker
require 'cgi'
abort "Please supply hostname" unless ARGV[0]
hostname = ARGV[0]
depth = (ARGV[1] || 12 ).to_i
1.upto(depth) do |n|
$stderr.puts "Depth: #{n}"
presidentbeef / BrakemanScanner.java
Created January 18, 2011 23:44
Java to parse output from Brakeman
/* Parse tab-separated output from Brakeman
* Use:
* brakeman -o example.tabs
* java BrakemanScanner example.tabs
*/
import java.util.regex.Pattern;
import java.util.regex.Matcher;
import java.io.RandomAccessFile;