RubyGems - codesake-dawn - Versions diffs - 0.50 → 0.60 - Mend

codesake-dawn 0.50 → 0.60

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (80) hide show

data/.ruby-gemset +1 -0
data/.ruby-version +1 -0
data/Competitive_matrix.md +148 -0
data/README.md +105 -14
data/Rakefile +24 -17
data/Roadmap.md +166 -9
data/TODO.md +59 -0
data/bin/dawn +60 -7
data/codesake_dawn.gemspec +4 -1
data/features/dawn_complains_about_an_incorrect_command_line.feature +21 -0
data/features/dawn_scan_a_secure_sinatra_app.feature +31 -0
data/features/step_definition/dawn_steps.rb +13 -0
data/features/support/env.rb +1 -0
data/lib/codesake/dawn/engine.rb +30 -1
data/lib/codesake/dawn/kb/basic_check.rb +37 -1
data/lib/codesake/dawn/kb/cve_2011_2931.rb +1 -1
data/lib/codesake/dawn/kb/cve_2012_2660.rb +1 -1
data/lib/codesake/dawn/kb/cve_2012_2661.rb +1 -1
data/lib/codesake/dawn/kb/cve_2012_2694.rb +2 -1
data/lib/codesake/dawn/kb/cve_2012_2695.rb +1 -1
data/lib/codesake/dawn/kb/cve_2012_3465.rb +1 -1
data/lib/codesake/dawn/kb/cve_2012_6496.rb +1 -1
data/lib/codesake/dawn/kb/cve_2012_6497.rb +1 -1
data/lib/codesake/dawn/kb/cve_2013_0155.rb +2 -1
data/lib/codesake/dawn/kb/cve_2013_0156.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0175.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0233.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0269.rb +1 -1
data/lib/codesake/dawn/kb/cve_2013_0276.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0277.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0284.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0285.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0333.rb +1 -1
data/lib/codesake/dawn/kb/cve_2013_1655.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_1656.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1800.rb +1 -1
data/lib/codesake/dawn/kb/cve_2013_1801.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1802.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1821.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1854.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1855.rb +11 -4
data/lib/codesake/dawn/kb/cve_2013_1856.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1857.rb +11 -4
data/lib/codesake/dawn/kb/cve_2013_1875.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1898.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1911.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1933.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1947.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1948.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2615.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2616.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2617.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_3221.rb +29 -0
data/lib/codesake/dawn/kb/dependency_check.rb +21 -4
data/lib/codesake/dawn/kb/pattern_match_check.rb +1 -0
data/lib/codesake/dawn/kb/ruby_version_check.rb +50 -0
data/lib/codesake/dawn/knowledge_base.rb +59 -8
data/lib/codesake/dawn/version.rb +1 -1
data/spec/lib/dawn/codesake_knowledgebase_spec.rb +130 -0
data/spec/lib/dawn/codesake_rails_engine_spec.rb +12 -0
data/spec/lib/dawn/codesake_sinatra_engine_spec.rb +4 -0
data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +35 -0
data/spec/lib/kb/codesake_ruby_version_check_spec.rb +39 -0
data/spec/spec_helper.rb +1 -1
metadata +100 -38
data/.rvmrc +0 -48
data/spec/lib/kb/codesake_cve_2013_1800_spec.rb +0 -66
data/spec/lib/kb/codesake_cve_2013_1855_spec.rb +0 -16
data/spec/lib/kb/cve_2011_2931_spec.rb +0 -7
data/spec/lib/kb/cve_2012_2660_spec.rb +0 -9
data/spec/lib/kb/cve_2012_2661_spec.rb +0 -7
data/spec/lib/kb/cve_2012_2694_spec.rb +0 -7
data/spec/lib/kb/cve_2012_2695_spec.rb +0 -7
data/spec/lib/kb/cve_2012_3465_spec.rb +0 -7
data/spec/lib/kb/cve_2012_6496_spec.rb +0 -7
data/spec/lib/kb/cve_2012_6497_spec.rb +0 -7
data/spec/lib/kb/cve_2013_0155_spec.rb +0 -7
data/spec/lib/kb/cve_2013_0269_spec.rb +0 -7
data/spec/lib/kb/cve_2013_0333_spec.rb +0 -7
data/spec/lib/kb/cve_2013_1857_spec.rb +0 -13

data/lib/codesake/dawn/kb/cve_2012_3465.rb CHANGED

@@ -19,7 +19,7 @@ module Codesake
             :mitigation=>"Please upgrade rails version at least to 2.3.13, 3.0.10, 3.1.0. As a general rule, using the latest stable rails version is recommended.",
             :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"]
           })
-          self.fixed_dependency = {:name=>"rails", :version=>['2.3.14', '3.0.17', '3.1.8', '3.2.8']}
+          self.safe_dependencies = [{:name=>"rails", :version=>['2.3.14', '3.0.17', '3.1.8', '3.2.8']}]
 				end
 			end

data/lib/codesake/dawn/kb/cve_2012_6496.rb CHANGED

@@ -21,7 +21,7 @@ module Codesake
             :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"]
           })
-          self.fixed_dependency = {:name=>"rails", :version=>['3.0.18', '3.2.10', '3.1.9']}
+          self.safe_dependencies = [{:name=>"rails", :version=>['3.0.18', '3.2.10', '3.1.9']}]
 				end
 			end

data/lib/codesake/dawn/kb/cve_2012_6497.rb CHANGED

@@ -21,7 +21,7 @@ module Codesake
             :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"]
           })
-          self.fixed_dependency = {:name=>"authlogic", :version=>['3.2.10']}
+          self.safe_dependencies = [{:name=>"authlogic", :version=>['3.2.10']}]
 				end
 			end

data/lib/codesake/dawn/kb/cve_2013_0155.rb CHANGED

@@ -21,7 +21,8 @@ module Codesake
             :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"]
           })
-          self.fixed_dependency = {:name=>"rails", :version=>['3.0.19', '3.1.10', '3.2.11']}
+          self.safe_dependencies = [{:name=>"rails", :version=>['3.0.19', '3.1.10', '3.2.11']}]
 				end
 			end

data/lib/codesake/dawn/kb/cve_2013_0156.rb ADDED

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-17
+			class CVE_2013_0156
+				include DependencyCheck
+				def initialize
+          message = "active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion."
+         super({
+            :name=>'CVE-2013-0156',
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 1, 13),
+            :cwe=>"20",
+            :owasp=>"A9",
+            :applies=>["rails"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.15, 3.0.19, 3.1.10 and 3.2.11. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links => ["https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain"]
+          })
+          self.safe_dependencies = [{:name=>"rails", :version=>['2.3.15', '3.0.19', '3.2.11', '3.1.10']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_0175.rb ADDED

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-21
+			class CVE_2013_0175
+				include DependencyCheck
+				def initialize
+          message = "multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156."
+           super({
+            :name=>'CVE-2013-0175',
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 4, 25),
+            :cwe=>"20",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade multi_xml gem or grape gem",
+            :aux_links => ["https://groups.google.com/forum/?fromgroups=#%21topic/ruby-grape/fthDkMgIOa0"]
+          })
+          self.safe_dependencies = [{:name=>"multi_xml", :version=>['0.5.3']}, {:name=>"grape", :version=>['0.2.6']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_0233.rb ADDED

@@ -0,0 +1,28 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-21
+			class CVE_2013_0233
+				include DependencyCheck
+				def initialize
+          message = "Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts."
+          super({
+            :name=>"CVE-2013-0233",
+            :cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 4, 25),
+            :cwe=>"399",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade Devise gem to version 2.2.3, 2.1.3, 2.0.5, 1.5.4 or latest version available",
+            :aux_links=>["http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/"]
+          })
+          self.safe_dependencies = [{:name=>"devise", :version=>['1.5.4', '2.0.5', '2.1.3', '2.2.3']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_0269.rb CHANGED

@@ -21,7 +21,7 @@ module Codesake
             :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/4_YvCpLzL58/discussion"]
           })
-          self.fixed_dependency = {:name=>"json", :version=>['1.5.5', '1.6.8', '1.7.7']}
+          self.safe_dependencies = [{:name=>"json", :version=>['1.5.5', '1.6.8', '1.7.7']}]
 				end
 			end
 		end

data/lib/codesake/dawn/kb/cve_2013_0276.rb ADDED

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-16
+			class CVE_2013_0276
+				include DependencyCheck
+				def initialize
+          message = "ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request."
+          super({
+            :name=>'CVE-2013-0276',
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2013, 2, 13),
+            :cwe=>"264",
+            :owasp=>"A9",
+            :applies=>["rails"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.17, 3.1.11 and 3.2.12. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links => ["https://groups.google.com/group/rubyonrails-security/msg/bb44b98a73ef1a06?dmode=source&output=gplain"]
+          })
+          self.safe_dependencies = [{:name=>"rails", :version=>['2.3.17', '3.2.12', '3.1.11']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_0277.rb ADDED

@@ -0,0 +1,27 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-17
+			class CVE_2013_0277
+				include DependencyCheck
+				def initialize
+          message = "ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML."
+          super({
+            :name=>'CVE-2013-0277',
+            :cvss=>"AV:N/AC:L/Au:N/C:C/I:C/A:C",
+            :release_date => Date.new(2013, 2, 13),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.17 and 3.1.0. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links => ["https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source&output=gplain"]
+          })
+          self.safe_dependencies = [{:name=>"rails", :version=>['2.3.17', '3.0.9999999', '3.1.0']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_0284.rb ADDED

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-21
+			class CVE_2013_0284
+				include DependencyCheck
+				def initialize
+          message = "Ruby agent 3.2.0 through 3.5.2 serializes sensitive data when communicating with servers operated by New Relic, which allows remote attackers to obtain sensitive information (database credentials and SQL statements) by sniffing the network and deserializing the data."
+          super({
+            :name=>"CVE-2013-0284",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
+            :release_date => Date.new(2013, 4, 9),
+            :cwe=>"200",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade ruby_agent gem to version 3.5.2 or latest version available",
+            :aux_links=>["https://newrelic.com/docs/ruby/ruby-agent-security-notification"]
+          })
+          self.safe_dependencies = [{:name=>"ruby_agent", :version=>['3.5.2']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_0285.rb ADDED

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-21
+			class CVE_2013_0285
+				include DependencyCheck
+				def initialize
+          message= "The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156."
+           super({
+            :name=>"CVE-2013-0285",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 4, 9),
+            :cwe=>"20",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade nori gem to version 2.0.2, 1.1.4, 1.0.3 or latest version available",
+            :aux_links=>["https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"]
+          })
+          self.safe_dependencies = [{:name=>"nori", :version=>['1.0.3', '1.1.4', '2.0.2']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_0333.rb CHANGED

@@ -24,7 +24,7 @@ module Codesake
             :aux_links=>["https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo"]
           })
-          self.fixed_dependency = {:name=>"rails", :version=>['2.3.16', '3.0.20']}
+          self.safe_dependencies = [{:name=>"rails", :version=>['2.3.16', '3.0.20']}]
           self.aux_mitigation_gem = {:name=>"yajl", :versione=>['any']}
 				end
 			end

data/lib/codesake/dawn/kb/cve_2013_1655.rb ADDED

@@ -0,0 +1,31 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-20
+			class CVE_2013_1655
+				include DependencyCheck
+				def initialize
+          message = "Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to \"serialized attributes.\""
+          super({
+            :name=>"CVE-2013-1655",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 3, 20),
+            :cwe=>"20",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade puppet gem to a newer version",
+            :aux_links=>["https://puppetlabs.com/security/cve/cve-2013-1655/"],
+            :ruby_vulnerable_versions =>['1.9.3', '2.0.0']
+          })
+          self.safe_dependencies = [{:name=>"puppet", :version=>['2.7.21', '3.1.1']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1656.rb ADDED

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-20
+			class CVE_2013_1656
+				include DependencyCheck
+				def initialize
+          message = "Spree Commerce 1.0.x through 1.3.2 allow remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function."
+          super({
+            :name=>'CVE-2013-1656',
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2013, 3, 8),
+            :cwe=>"20",
+            :owasp=>"A9",
+            :applies=>["rails"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade Spree commerce rubygem",
+            :aux_links => ["http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"]
+          })
+          self.safe_dependencies = [{:name=>"spree", :version=>['1.3.3']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1800.rb CHANGED

@@ -19,7 +19,7 @@ module Codesake
                 :message=>message,
                 :mitigation=>"Please use crack gem version 0.3.2 or above. Correct your gemfile"
           })
-          self.fixed_dependency = {:name=>'crack', :version=>['0.3.2']}
+          self.safe_dependencies = [{:name=>'crack', :version=>['0.3.2']}]
         end
       end

data/lib/codesake/dawn/kb/cve_2013_1801.rb ADDED

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-21
+			class CVE_2013_1801
+				include DependencyCheck
+				def initialize
+          message = "The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156."
+           super({
+            :name=>"CVE-2013-1801",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 4, 9),
+            :cwe=>"264",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade httparty gem to version 0.9.0 or latest version available",
+            :aux_links=>["https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"]
+          })
+          self.safe_dependencies = [{:name=>"httparty", :version=>['0.9.0']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1802.rb ADDED

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-21
+			class CVE_2013_1802
+				include DependencyCheck
+				def initialize
+          message= "The extlib gem 0.9.15 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156."
+           super({
+            :name=>"CVE-2013-1802",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 4, 9),
+            :cwe=>"264",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade extlib gem to version 0.9.16 or latest version available",
+            :aux_links=>["https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"]
+          })
+          self.safe_dependencies = [{:name=>"extlib", :version=>['0.9.16']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1821.rb ADDED

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-22
+			class CVE_2013_1821
+				include RubyVersionCheck
+				def initialize
+          message="lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 and 2.0.0-p0 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack."
+          super({
+            :name=>"CVE-2013-1821",
+            :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
+            :release_date => Date.new(2013, 4, 9),
+            :cwe=>"20",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade ruby interpreter to 1.9.3-p392 or 2.0.0-p195 or latest version available",
+            :aux_links=>["http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/"]
+          })
+          self.safe_rubies = [{:version=>"1.9.3", :patchlevel=>"p392"}, {:version=>"2.0.0", :patchlevel=>"p195"}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1854.rb ADDED

@@ -0,0 +1,28 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-16
+			class CVE_2013_1854
+				include DependencyCheck
+				def initialize
+          message = "The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method."
+          super({
+            :name=>'CVE-2013-1854',
+            :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
+            :release_date => Date.new(2013, 3, 19),
+            :cwe=>"20",
+            :owasp=>"A9",
+            :applies=>["rails"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.18, 3.1.12 and 3.2.13. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links => ["https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source&output=gplain"]
+          })
+          self.safe_dependencies = [{:name=>"rails", :version=>['2.3.18', '3.2.13', '3.1.12']}]
+				end
+			end
+		end
+	end
+end