codesake-dawn 0.50 → 0.60

data/lib/codesake/dawn/kb/cve_2013_1855.rb

@@ -2,17 +2,24 @@ module Codesake
   module Dawn
     module Kb
       class CVE_2013_1855 
-        include PatternMatchCheck
+				include DependencyCheck
 
         def initialize
+          message = "The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \\n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences."
+
           super({
-            :fixes_version => ['2.3.18', '3.2.13', '3.1.12'], 
-            :attack_pattern => ["sanitize_css"], 
             :name=>'CVE-2013-1855', 
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",  
+            :release_date => Date.new(2013, 3, 19),
+            :cwe=>"79", 
+            :owasp=>"A3",
             :applies=>["rails"],
-            :kind => Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.18, 3.0.8, 3.1.12 and 3.2.13. As a general rule, using the latest stable rails version is recommended.",
             :aux_links => ["https://groups.google.com/d/msg/rubyonrails-security/4_QHo4BqnN8/_RrdfKk12I4J"]
           })
+          self.safe_dependencies = [{:name=>"rails", :version=>['2.3.18', '3.0.8', '3.2.13', '3.1.12']}]
         end
       end
     end

data/lib/codesake/dawn/kb/cve_2013_1856.rb

@@ -0,0 +1,28 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-16
+			class CVE_2013_1856
+				include DependencyCheck
+
+				def initialize
+          message= "The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference."
+         super({
+            :name=>'CVE-2013-1856', 
+            :cvss=>"AV:N/AC:M/Au:N/C:P/I:N/A:P",  
+            :release_date => Date.new(2013, 3, 19),
+            :cwe=>"20", 
+            :owasp=>"A9",
+            :applies=>["rails"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade rails version at least to 3.1.12 and 3.2.13. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links => ["https://groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source&output=gplain"]
+          })
+          self.safe_dependencies = [{:name=>"rails", :version=>['3.2.13', '3.1.12']}]
+ 
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1857.rb

@@ -3,17 +3,24 @@ module Codesake
 		module Kb
 			# Automatically created with rake on 2013-05-02
 			class CVE_2013_1857
-				include PatternMatchCheck
+				include DependencyCheck
 
         def initialize
+          message = "The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence."
+
           super({
-            :fixes_version => ['2.3.18', '3.2.13', '3.1.12'], 
-            :attack_pattern => ["sanitize"], 
             :name=>'CVE-2013-1857', 
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N", 
+            :release_date => Date.new(2013, 3, 19),
+            :cwe=>"79", 
+            :owasp=>"A3",
             :applies=>["rails"],
-            :kind => Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.18, 3.0.8, 3.1.10 and 3.2.11. As a general rule, using the latest stable rails version is recommended.",
             :aux_links => [ "https://groups.google.com/d/msg/rubyonrails-security/zAAU7vGTPvI/1vZDWXqBuXgJ" ]
           })
+          self.safe_dependencies = [{:name=>"rails", :version=>['2.3.18', '3.0.8', '3.2.13', '3.1.12']}]
 
         end
       end

data/lib/codesake/dawn/kb/cve_2013_1875.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-17
+			class CVE_2013_1875
+				include DependencyCheck
+
+				def initialize
+          message="command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename."
+         super({
+            :name=>"CVE-2013-1875",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 3, 20),
+            :cwe=>"94",
+            :owasp=>"A9", 
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade command_wrap gem to a newer version",
+            :aux_links=>["http://seclists.org/fulldisclosure/2013/Mar/175"]
+          })
+
+          self.safe_dependencies = [{:name=>"fastreader", :version=>['1.0.9']}]
+ 
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1898.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-27
+			class CVE_2013_1898
+				include DependencyCheck
+
+				def initialize
+          message = "lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL."
+          super({
+            :name=>"CVE-2013-1898",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 4, 9),
+            :cwe=>"94",
+            :owasp=>"A9", 
+            :applies=>["rails", "padrino", "sinatra"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade Thumbshooter version to the latest version available.",
+            :aux_links=>["http://seclists.org/fulldisclosure/2013/Mar/218"]
+          })
+
+          self.safe_dependencies = [{:name=>"thumbshooter", :version=>['0.1.6']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1911.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-27
+			class CVE_2013_1911
+				include DependencyCheck
+
+				def initialize
+          message = "lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name."
+          super({
+            :name=>"CVE-2013-1911",
+            :cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 4, 3),
+            :cwe=>"20",
+            :owasp=>"A9", 
+            :applies=>["rails", "padrino", "sinatra"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade ldoce version to the latest version available.",
+            :aux_links=>["http://archives.neohapsis.com/archives/bugtraq/2013-04/0010.html"]
+          })
+
+          self.safe_dependencies = [{:name=>"ldoce", :version=>['0.0.3']}]
+
+          
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1933.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-27
+			class CVE_2013_1933
+				include DependencyCheck
+
+				def initialize
+          message = "The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename."
+          super({
+            :name=>"CVE-2013-1933",
+            :cvss=>"AV:N/AC:M/Au:N/C:C/I:C/A:C",
+            :release_date => Date.new(2013, 4, 25),
+            :cwe=>"78",
+            :owasp=>"A9", 
+            :applies=>["rails", "padrino", "sinatra"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade karteek-docsplit version to the latest version available.",
+            :aux_links=>["http://www.openwall.com/lists/oss-security/2013/04/08/15"]
+          })
+
+          self.safe_dependencies = [{:name=>"karteek-docsplit", :version=>['0.5.5']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1947.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-27
+			class CVE_2013_1947
+				include DependencyCheck
+
+				def initialize
+          message = "kelredd-pruview gem 0.3.8 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename argument to (1) document.rb, (2) video.rb, or (3) video_image.rb."
+          super({
+            :name=>"CVE-2013-1947",
+            :cvss=>"AV:N/AC:M/Au:N/C:C/I:C/A:C",
+            :release_date => Date.new(2013, 4, 25),
+            :cwe=>"78",
+            :owasp=>"A9", 
+            :applies=>["rails", "padrino", "sinatra"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade kelredd-pruview version to the latest version available.",
+            :aux_links=>["http://www.openwall.com/lists/oss-security/2013/04/10/3"]
+          })
+
+          self.safe_dependencies = [{:name=>"kelredd-pruview", :version=>['0.3.9']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1948.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-27
+			class CVE_2013_1948
+				include DependencyCheck
+
+				def initialize
+          message = "converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename."
+          super({
+            :name=>"CVE-2013-1948",
+            :cvss=>"AV:N/AC:L/Au:N/C:C/I:C/A:C",
+            :release_date => Date.new(2013, 4, 25),
+            :cwe=>"",
+            :owasp=>"A9", 
+            :applies=>["rails", "padrino", "sinatra"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade md2pdf gem version to the latest version available.",
+            :aux_links=>["http://www.securityfocus.com/bid/59061"]
+          })
+
+          self.safe_dependencies = [{:name=>"md2pdf", :version=>['0.0.2']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_2615.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-17
+			class CVE_2013_2615
+				include DependencyCheck
+
+				def initialize
+          message = "lib/entry_controller.rb in the fastreader Gem 1.0.8 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL."
+          super({
+            :name=>"CVE-2013-2615",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 3, 20),
+            :cwe=>"94",
+            :owasp=>"A9", 
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade fastreader gem to a newer version",
+            :aux_links=>["http://seclists.org/fulldisclosure/2013/Mar/122"]
+          })
+
+          self.safe_dependencies = [{:name=>"fastreader", :version=>['1.0.9']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_2616.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-27
+			class CVE_2013_2616
+				include DependencyCheck
+
+				def initialize
+          message = "lib/mini_magick.rb in the MiniMagick Gem 1.3.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL."
+          super({
+            :name=>"CVE-2013-2616",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 3, 20),
+            :cwe=>"94",
+            :owasp=>"A9", 
+            :applies=>["rails", "padrino", "sinatra"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade mini_magick gem version to the latest version available.",
+            :aux_links=>["http://seclists.org/fulldisclosure/2013/Mar/123"]
+          })
+
+          self.safe_dependencies = [{:name=>"mini_magick", :version=>['1.3.2']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_2617.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-27
+			class CVE_2013_2617
+				include DependencyCheck
+
+				def initialize
+          message = "lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL."
+          super({
+            :name=>"CVE-2013-2617",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 3, 20),
+            :cwe=>"94",
+            :owasp=>"A9", 
+            :applies=>["rails", "padrino", "sinatra"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please consider not using curl rubygem. The project seems to be abandoned and the vulnerability has not been fixed",
+            :aux_links=>["http://seclists.org/fulldisclosure/2013/Mar/124"]
+          })
+
+          self.safe_dependencies = [{:name=>"curl", :version=>['99.99.99']}]
+
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_3221.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-27
+			class CVE_2013_3221
+				include DependencyCheck
+
+				def initialize
+          message = "The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the \"typed XML\" feature and a MySQL database."
+           super({
+            :name=>"CVE-2013-3221",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:N",
+            :release_date => Date.new(2013, 4, 22),
+            :cwe=>"20",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.16, 3.2.9, 3.1.9 or 3.0.21. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source&output=gplain"]
+          })
+
+          self.safe_dependencies = [{:name=>"railse", :version=>['2.3.16', '3.2.9', '3.1.9', '3.0.21']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/dependency_check.rb

@@ -5,7 +5,14 @@ module Codesake
         include BasicCheck
 
         attr_accessor :dependencies
-        attr_accessor :fixed_dependency
+
+        # This attribute replaces fixed_dependency in 20130521. 
+        # There are cve checks like
+        # http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0175 that
+        # addresses two different gems firing up the vulnerability. You can
+        # read this like, "if you use gem A version A1 or if you use gem B
+        # version B1 you can occur in this issue".
+        attr_accessor :safe_dependencies
         attr_accessor :aux_mitigation_gem
 
 
@@ -18,10 +25,20 @@ module Codesake
             # don't care about gem version when it mitigates a vulnerability... this can be risky, maybe I would reconsider in the future.
             @mitigated = true if dep[:name] == @aux_mitigation_gem[:name] unless @aux_mitigation_gem.nil?
 
-            if dep[:name] == @fixed_dependency[:name] and is_vulnerable_version?(dep[:version], @fixed_dependency[:version]) 
-              ret = true
-              message = "Vulnerable #{dep[:name]} gem version found: #{dep[:version]}"
+            @safe_dependencies.each do |safe_dep|
+              if @ruby_vulnerable_versions.empty?
+                if dep[:name] == safe_dep[:name] and is_vulnerable_version?(dep[:version], safe_dep[:version]) 
+                  ret = true
+                  message = "Vulnerable #{dep[:name]} gem version found: #{dep[:version]}"
+                end
+              else
+                if dep[:name] == safe_dep[:name] and is_vulnerable_version?(dep[:version], safe_dep[:version]) and is_ruby_vulnerable_version?
+                  ret = true
+                  message = "Vulnerable #{dep[:name]} gem version found: #{dep[:version]}"
+                end
+              end
             end
+
           end
 
           if ret and @mitigated 

data/lib/codesake/dawn/kb/pattern_match_check.rb

@@ -1,3 +1,4 @@
+# encoding: utf-8
 module Codesake
   module Dawn
     module Kb

data/lib/codesake/dawn/kb/ruby_version_check.rb

@@ -0,0 +1,50 @@
+module Codesake
+  module Dawn
+    module Kb
+      module RubyVersionCheck
+        include BasicCheck
+        
+        # Array of hashes in the {:version=>"1.9.3", :patchlevel=>"p342"} form
+        attr_accessor   :safe_rubies
+        # Hash in the {:version=>"1.9.3", :patchlevel=>"p342"} form
+        attr_accessor   :detected_ruby
+
+        def vuln?
+          vv_a = []
+          vv_p = []
+          vp = false
+
+          @safe_rubies.each do |ss|
+            vv_a << ss[:version]
+            vv_p << ss[:patchlevel].split("p")[1].to_i
+          end
+          vv = self.is_vulnerable_version?(detected_ruby[:version], vv_a)
+
+          # Since we have also the patch level a fixes version can be the same
+          # as the vulnerable... we must consider this
+          ve = self.is_same_version?(detected_ruby[:version], vv_a) unless vv
+          vp = is_vulnerable_patchlevel?(detected_ruby[:patchlevel], vv_p) if ve
+
+          return true if vv
+          return (ve and vp)
+        end
+        
+        def is_same_version?(target, fixes = [])
+          fixes.each do |f|
+            return true if f == target
+          end
+          false
+        end
+
+        def is_vulnerable_patchlevel?(target, fixes = [])
+          t = target.split("p")[1].to_i
+          fixes.each do |f|
+            return true if f > t
+          end
+          false
+        end
+      end
+    end
+  end
+end
+