codesake-dawn 0.50 → 0.60
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/Competitive_matrix.md +148 -0
- data/README.md +105 -14
- data/Rakefile +24 -17
- data/Roadmap.md +166 -9
- data/TODO.md +59 -0
- data/bin/dawn +60 -7
- data/codesake_dawn.gemspec +4 -1
- data/features/dawn_complains_about_an_incorrect_command_line.feature +21 -0
- data/features/dawn_scan_a_secure_sinatra_app.feature +31 -0
- data/features/step_definition/dawn_steps.rb +13 -0
- data/features/support/env.rb +1 -0
- data/lib/codesake/dawn/engine.rb +30 -1
- data/lib/codesake/dawn/kb/basic_check.rb +37 -1
- data/lib/codesake/dawn/kb/cve_2011_2931.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2012_2660.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2012_2661.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2012_2694.rb +2 -1
- data/lib/codesake/dawn/kb/cve_2012_2695.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2012_3465.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2012_6496.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2012_6497.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2013_0155.rb +2 -1
- data/lib/codesake/dawn/kb/cve_2013_0156.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0175.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0233.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_0269.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2013_0276.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_0277.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_0284.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0285.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0333.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2013_1655.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_1656.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1800.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2013_1801.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1802.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1821.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1854.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1855.rb +11 -4
- data/lib/codesake/dawn/kb/cve_2013_1856.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1857.rb +11 -4
- data/lib/codesake/dawn/kb/cve_2013_1875.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1898.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1911.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1933.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1947.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1948.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2615.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2616.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2617.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_3221.rb +29 -0
- data/lib/codesake/dawn/kb/dependency_check.rb +21 -4
- data/lib/codesake/dawn/kb/pattern_match_check.rb +1 -0
- data/lib/codesake/dawn/kb/ruby_version_check.rb +50 -0
- data/lib/codesake/dawn/knowledge_base.rb +59 -8
- data/lib/codesake/dawn/version.rb +1 -1
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +130 -0
- data/spec/lib/dawn/codesake_rails_engine_spec.rb +12 -0
- data/spec/lib/dawn/codesake_sinatra_engine_spec.rb +4 -0
- data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +35 -0
- data/spec/lib/kb/codesake_ruby_version_check_spec.rb +39 -0
- data/spec/spec_helper.rb +1 -1
- metadata +100 -38
- data/.rvmrc +0 -48
- data/spec/lib/kb/codesake_cve_2013_1800_spec.rb +0 -66
- data/spec/lib/kb/codesake_cve_2013_1855_spec.rb +0 -16
- data/spec/lib/kb/cve_2011_2931_spec.rb +0 -7
- data/spec/lib/kb/cve_2012_2660_spec.rb +0 -9
- data/spec/lib/kb/cve_2012_2661_spec.rb +0 -7
- data/spec/lib/kb/cve_2012_2694_spec.rb +0 -7
- data/spec/lib/kb/cve_2012_2695_spec.rb +0 -7
- data/spec/lib/kb/cve_2012_3465_spec.rb +0 -7
- data/spec/lib/kb/cve_2012_6496_spec.rb +0 -7
- data/spec/lib/kb/cve_2012_6497_spec.rb +0 -7
- data/spec/lib/kb/cve_2013_0155_spec.rb +0 -7
- data/spec/lib/kb/cve_2013_0269_spec.rb +0 -7
- data/spec/lib/kb/cve_2013_0333_spec.rb +0 -7
- data/spec/lib/kb/cve_2013_1857_spec.rb +0 -13
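--- a/data/lib/codesake/dawn/kb/cve_2013_1855.rb
+++ b/data/lib/codesake/dawn/kb/cve_2013_1855.rb
@@ -2,17 +2,24 @@ module Codesake
 module Dawn
 module Kb
 class CVE_2013_1855
-
+include DependencyCheck
 
 def initialize
+message = "The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \\n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences."
+
 super({
-:fixes_version => ['2.3.18', '3.2.13', '3.1.12'],
-:attack_pattern => ["sanitize_css"],
 :name=>'CVE-2013-1855',
+:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+:release_date => Date.new(2013, 3, 19),
+:cwe=>"79",
+:owasp=>"A3",
 :applies=>["rails"],
-:kind => Codesake::Dawn::KnowledgeBase::
+:kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message => message,
+:mitigation=>"Please upgrade rails version at least to 2.3.18, 3.0.8, 3.1.12 and 3.2.13. As a general rule, using the latest stable rails version is recommended.",
 :aux_links => ["https://groups.google.com/d/msg/rubyonrails-security/4_QHo4BqnN8/_RrdfKk12I4J"]
 })
+self.safe_dependencies = [{:name=>"rails", :version=>['2.3.18', '3.0.8', '3.2.13', '3.1.12']}]
 end
 end
 end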
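Review bot: The new `self.safe_dependencies` line names 3.0.8 as a safe rails release, but the message added in the same hunk says 3.0.x is affected and names fixes only for 2.3.18, 3.1.12 and 3.2.13, and the mitigation string repeats the same 3.0.8. If `is_vulnerable_version?` (defined outside this hunk) treats 3.0.8 as the fix point for the 3.0 line, a 3.0.9+ application is reported clean while still vulnerable. I would drop 3.0.8 from both strings, `self.safe_dependencies = [{:name=>"rails", :version=>['2.3.18', '3.1.12', '3.2.13']}]`, and state in the mitigation that 3.0.x has no fixed release and must move to 3.1.12/3.2.13. The file's first line (`module Codesake`) is outside the hunk.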
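--- a/data/lib/codesake/dawn/kb/cve_2013_1856.rb
+++ b/data/lib/codesake/dawn/kb/cve_2013_1856.rb
@@ -0,0 +1,28 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2013-05-16
+class CVE_2013_1856
+include DependencyCheck
+
+def initialize
+message= "The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference."
+super({
+:name=>'CVE-2013-1856',
+:cvss=>"AV:N/AC:M/Au:N/C:P/I:N/A:P",
+:release_date => Date.new(2013, 3, 19),
+:cwe=>"20",
+:owasp=>"A9",
+:applies=>["rails"],
+:kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message => message,
+:mitigation=>"Please upgrade rails version at least to 3.1.12 and 3.2.13. As a general rule, using the latest stable rails version is recommended.",
+:aux_links => ["https://groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source&output=gplain"]
+})
+self.safe_dependencies = [{:name=>"rails", :version=>['3.2.13', '3.1.12']}]
+
+end
+end
+end
+end
+end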
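Review bot: The message says this issue is reached only "when JRuby is used" (the XmlMini_JDOM backend), yet the check is a plain gem-version comparison with nothing that distinguishes the interpreter, so unless the engine filters on platform elsewhere it will flag every MRI application on rails < 3.1.12/3.2.13 as affected by an XXE it cannot hit. Until a platform gate exists I would at least make the limitation explicit above the `super({` call, e.g. `# NOTE: CVE-2013-1856 is JRuby-only (JDOM backend); this check cannot tell interpreters apart and also fires on MRI`, and say the same in the mitigation string so a report reader can triage it.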
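--- a/data/lib/codesake/dawn/kb/cve_2013_1857.rb
+++ b/data/lib/codesake/dawn/kb/cve_2013_1857.rb
@@ -3,17 +3,24 @@ module Codesake
 module Kb
 # Automatically created with rake on 2013-05-02
 class CVE_2013_1857
-include
+include DependencyCheck
 
 def initialize
+message = "The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence."
+
 super({
-:fixes_version => ['2.3.18', '3.2.13', '3.1.12'],
-:attack_pattern => ["sanitize"],
 :name=>'CVE-2013-1857',
+:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+:release_date => Date.new(2013, 3, 19),
+:cwe=>"79",
+:owasp=>"A3",
 :applies=>["rails"],
-:kind => Codesake::Dawn::KnowledgeBase::
+:kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message => message,
+:mitigation=>"Please upgrade rails version at least to 2.3.18, 3.0.8, 3.1.10 and 3.2.11. As a general rule, using the latest stable rails version is recommended.",
 :aux_links => [ "https://groups.google.com/d/msg/rubyonrails-security/zAAU7vGTPvI/1vZDWXqBuXgJ" ]
 })
+self.safe_dependencies = [{:name=>"rails", :version=>['2.3.18', '3.0.8', '3.2.13', '3.1.12']}]
 
 end
 end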
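Review bot: The mitigation string tells the user to upgrade to "3.1.10 and 3.2.11", but the message in the same hunk says the fix is in 3.1.12 and 3.2.13 and the new `self.safe_dependencies` line uses 3.1.12/3.2.13; someone who follows the printed advice lands on a release this very check still reports as vulnerable. It also lists 3.0.8 as safe although the message says 3.0.x is affected with no fix named. Suggested: `:mitigation=>"Please upgrade rails version at least to 2.3.18, 3.1.12 or 3.2.13 (3.0.x has no fixed release). As a general rule, using the latest stable rails version is recommended.",` and `self.safe_dependencies = [{:name=>"rails", :version=>['2.3.18', '3.1.12', '3.2.13']}]`. The file's first two lines are outside the hunk.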
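--- a/data/lib/codesake/dawn/kb/cve_2013_1875.rb
+++ b/data/lib/codesake/dawn/kb/cve_2013_1875.rb
@@ -0,0 +1,29 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2013-05-17
+class CVE_2013_1875
+include DependencyCheck
+
+def initialize
+message="command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename."
+super({
+:name=>"CVE-2013-1875",
+:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+:release_date => Date.new(2013, 3, 20),
+:cwe=>"94",
+:owasp=>"A9",
+:applies=>["rails", "sinatra", "padrino"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade command_wrap gem to a newer version",
+:aux_links=>["http://seclists.org/fulldisclosure/2013/Mar/175"]
+})
+
+self.safe_dependencies = [{:name=>"fastreader", :version=>['1.0.9']}]
+
+end
+end
+end
+end
+end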
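Review bot: The `self.safe_dependencies` line names the gem `fastreader`, while the message, the CVE id and the mitigation are all about `command_wrap`; this looks copied from CVE_2013_2615. As written the check can never match a command_wrap dependency (the advisory is silently never reported) and instead fires a second, mislabelled finding for any fastreader < 1.0.9. It should read `self.safe_dependencies = [{:name=>"command_wrap", :version=>[...]}]` with the fixed release taken from the linked advisory; if no fixed release exists, the unreachable-version approach used by CVE_2013_2617 and a mitigation saying so would be the honest encoding. A spec that instantiates this check against a Gemfile.lock containing command_wrap would catch the mismatch.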
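--- a/data/lib/codesake/dawn/kb/cve_2013_1898.rb
+++ b/data/lib/codesake/dawn/kb/cve_2013_1898.rb
@@ -0,0 +1,29 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2013-05-27
+class CVE_2013_1898
+include DependencyCheck
+
+def initialize
+message = "lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL."
+super({
+:name=>"CVE-2013-1898",
+:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+:release_date => Date.new(2013, 4, 9),
+:cwe=>"94",
+:owasp=>"A9",
+:applies=>["rails", "padrino", "sinatra"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade Thumbshooter version to the latest version available.",
+:aux_links=>["http://seclists.org/fulldisclosure/2013/Mar/218"]
+})
+
+self.safe_dependencies = [{:name=>"thumbshooter", :version=>['0.1.6']}]
+
+end
+end
+end
+end
+end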
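Review bot: The `:cwe=>"94"` entry classifies a shell-metacharacter command injection as code injection, while CVE_2013_1933 and CVE_2013_1947 in the same release tag the identical bug class as OS command injection (`:cwe=>"78"`); since the cwe field ends up in reports, the knowledge base should use one value for this pattern. I would change the line to `:cwe=>"78",`. The safe version 0.1.6 is not stated by the message, which only names 0.1.5 as vulnerable, so it is worth confirming from the linked advisory that 0.1.6 is the release that carries the fix.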
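--- a/data/lib/codesake/dawn/kb/cve_2013_1911.rb
+++ b/data/lib/codesake/dawn/kb/cve_2013_1911.rb
@@ -0,0 +1,30 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2013-05-27
+class CVE_2013_1911
+include DependencyCheck
+
+def initialize
+message = "lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name."
+super({
+:name=>"CVE-2013-1911",
+:cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
+:release_date => Date.new(2013, 4, 3),
+:cwe=>"20",
+:owasp=>"A9",
+:applies=>["rails", "padrino", "sinatra"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade ldoce version to the latest version available.",
+:aux_links=>["http://archives.neohapsis.com/archives/bugtraq/2013-04/0010.html"]
+})
+
+self.safe_dependencies = [{:name=>"ldoce", :version=>['0.0.3']}]
+
+
+end
+end
+end
+end
+end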
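Review bot: `:cwe=>"20"` (improper input validation) is the weakest possible classification for what the message describes as arbitrary command execution via shell metacharacters; the sibling checks CVE_2013_1933 and CVE_2013_1947 added in this release use `:cwe=>"78"` for the same bug class, and reports keyed on CWE will otherwise split one pattern across three ids. Suggested: `:cwe=>"78",`. As with the other auto-generated checks here, the 0.0.3 fix point is one patch above the version the message calls vulnerable rather than a release named by the advisory, so it should be confirmed against the link in aux_links.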
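--- a/data/lib/codesake/dawn/kb/cve_2013_1933.rb
+++ b/data/lib/codesake/dawn/kb/cve_2013_1933.rb
@@ -0,0 +1,29 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2013-05-27
+class CVE_2013_1933
+include DependencyCheck
+
+def initialize
+message = "The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename."
+super({
+:name=>"CVE-2013-1933",
+:cvss=>"AV:N/AC:M/Au:N/C:C/I:C/A:C",
+:release_date => Date.new(2013, 4, 25),
+:cwe=>"78",
+:owasp=>"A9",
+:applies=>["rails", "padrino", "sinatra"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade karteek-docsplit version to the latest version available.",
+:aux_links=>["http://www.openwall.com/lists/oss-security/2013/04/08/15"]
+})
+
+self.safe_dependencies = [{:name=>"karteek-docsplit", :version=>['0.5.5']}]
+
+end
+end
+end
+end
+end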
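--- a/data/lib/codesake/dawn/kb/cve_2013_1947.rb
+++ b/data/lib/codesake/dawn/kb/cve_2013_1947.rb
@@ -0,0 +1,29 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2013-05-27
+class CVE_2013_1947
+include DependencyCheck
+
+def initialize
+message = "kelredd-pruview gem 0.3.8 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename argument to (1) document.rb, (2) video.rb, or (3) video_image.rb."
+super({
+:name=>"CVE-2013-1947",
+:cvss=>"AV:N/AC:M/Au:N/C:C/I:C/A:C",
+:release_date => Date.new(2013, 4, 25),
+:cwe=>"78",
+:owasp=>"A9",
+:applies=>["rails", "padrino", "sinatra"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade kelredd-pruview version to the latest version available.",
+:aux_links=>["http://www.openwall.com/lists/oss-security/2013/04/10/3"]
+})
+
+self.safe_dependencies = [{:name=>"kelredd-pruview", :version=>['0.3.9']}]
+
+end
+end
+end
+end
+end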
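--- a/data/lib/codesake/dawn/kb/cve_2013_1948.rb
+++ b/data/lib/codesake/dawn/kb/cve_2013_1948.rb
@@ -0,0 +1,29 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2013-05-27
+class CVE_2013_1948
+include DependencyCheck
+
+def initialize
+message = "converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename."
+super({
+:name=>"CVE-2013-1948",
+:cvss=>"AV:N/AC:L/Au:N/C:C/I:C/A:C",
+:release_date => Date.new(2013, 4, 25),
+:cwe=>"",
+:owasp=>"A9",
+:applies=>["rails", "padrino", "sinatra"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade md2pdf gem version to the latest version available.",
+:aux_links=>["http://www.securityfocus.com/bid/59061"]
+})
+
+self.safe_dependencies = [{:name=>"md2pdf", :version=>['0.0.2']}]
+
+end
+end
+end
+end
+end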
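Review bot: The `:cwe=>""` entry is empty, so this finding will be reported without a weakness id even though the message describes the same shell-metacharacter command injection that CVE_2013_1933 and CVE_2013_1947 (same hunk series, same date) tag as `:cwe=>"78"`. Suggested: `:cwe=>"78",`. If the generator that produces these files can leave the field blank, a knowledge-base spec asserting that every check carries a non-empty cwe would stop this from recurring.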
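--- a/data/lib/codesake/dawn/kb/cve_2013_2615.rb
+++ b/data/lib/codesake/dawn/kb/cve_2013_2615.rb
@@ -0,0 +1,29 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2013-05-17
+class CVE_2013_2615
+include DependencyCheck
+
+def initialize
+message = "lib/entry_controller.rb in the fastreader Gem 1.0.8 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL."
+super({
+:name=>"CVE-2013-2615",
+:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+:release_date => Date.new(2013, 3, 20),
+:cwe=>"94",
+:owasp=>"A9",
+:applies=>["rails", "sinatra", "padrino"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade fastreader gem to a newer version",
+:aux_links=>["http://seclists.org/fulldisclosure/2013/Mar/122"]
+})
+
+self.safe_dependencies = [{:name=>"fastreader", :version=>['1.0.9']}]
+
+end
+end
+end
+end
+end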
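--- a/data/lib/codesake/dawn/kb/cve_2013_2616.rb
+++ b/data/lib/codesake/dawn/kb/cve_2013_2616.rb
@@ -0,0 +1,29 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2013-05-27
+class CVE_2013_2616
+include DependencyCheck
+
+def initialize
+message = "lib/mini_magick.rb in the MiniMagick Gem 1.3.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL."
+super({
+:name=>"CVE-2013-2616",
+:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+:release_date => Date.new(2013, 3, 20),
+:cwe=>"94",
+:owasp=>"A9",
+:applies=>["rails", "padrino", "sinatra"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade mini_magick gem version to the latest version available.",
+:aux_links=>["http://seclists.org/fulldisclosure/2013/Mar/123"]
+})
+
+self.safe_dependencies = [{:name=>"mini_magick", :version=>['1.3.2']}]
+
+end
+end
+end
+end
+end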
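Review bot: The fix point 1.3.2 on the `self.safe_dependencies` line is not supported by the message, which only names 1.3.1 as vulnerable; across this series every safe version is simply the vulnerable version plus one patch level (0.1.5→0.1.6, 0.0.2→0.0.3, 0.5.4→0.5.5, 0.3.8→0.3.9, 0.0.1→0.0.2, 1.0.8→1.0.9, 1.3.1→1.3.2), which suggests these were guessed rather than taken from the advisories. A guessed fix point marks every later release clean even if the fix landed later, so each should be confirmed against the link in aux_links, and where no fixed release exists the unreachable-version approach used by CVE_2013_2617 is the accurate encoding. Adding a short comment above the line, e.g. `# fix point per <advisory>; 1.3.1 is the version the advisory names as vulnerable`, would record where the number came from.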
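--- a/data/lib/codesake/dawn/kb/cve_2013_2617.rb
+++ b/data/lib/codesake/dawn/kb/cve_2013_2617.rb
@@ -0,0 +1,30 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2013-05-27
+class CVE_2013_2617
+include DependencyCheck
+
+def initialize
+message = "lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL."
+super({
+:name=>"CVE-2013-2617",
+:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+:release_date => Date.new(2013, 3, 20),
+:cwe=>"94",
+:owasp=>"A9",
+:applies=>["rails", "padrino", "sinatra"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please consider not using curl rubygem. The project seems to be abandoned and the vulnerability has not been fixed",
+:aux_links=>["http://seclists.org/fulldisclosure/2013/Mar/124"]
+})
+
+self.safe_dependencies = [{:name=>"curl", :version=>['99.99.99']}]
+
+
+end
+end
+end
+end
+end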
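Review bot: The `'99.99.99'` on the `self.safe_dependencies` line is an undocumented magic value; the mitigation string explains that no fix exists, but the code itself gives no hint that the version is a sentinel chosen so that every installed curl release compares as vulnerable, and a future reader or generator run may "correct" it. Add a comment above the line, e.g. `# No fixed release exists (project abandoned): an unreachable version makes every installed curl version match as vulnerable`. Longer term a DependencyCheck flag meaning "no safe version" would express this without relying on the comparison semantics of `is_vulnerable_version?`, which is defined outside this file.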
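--- a/data/lib/codesake/dawn/kb/cve_2013_3221.rb
+++ b/data/lib/codesake/dawn/kb/cve_2013_3221.rb
@@ -0,0 +1,29 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2013-05-27
+class CVE_2013_3221
+include DependencyCheck
+
+def initialize
+message = "The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the \"typed XML\" feature and a MySQL database."
+super({
+:name=>"CVE-2013-3221",
+:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:N",
+:release_date => Date.new(2013, 4, 22),
+:cwe=>"20",
+:owasp=>"A9",
+:applies=>["rails"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade rails version at least to 2.3.16, 3.2.9, 3.1.9 or 3.0.21. As a general rule, using the latest stable rails version is recommended.",
+:aux_links=>["https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce?dmode=source&output=gplain"]
+})
+
+self.safe_dependencies = [{:name=>"railse", :version=>['2.3.16', '3.2.9', '3.1.9', '3.0.21']}]
+
+end
+end
+end
+end
+end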
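Review bot: The gem name on the `self.safe_dependencies` line is `"railse"`, so `dep[:name] == safe_dep[:name]` in DependencyCheck never holds and this check is silently dead for every rails application. It should be `self.safe_dependencies = [{:name=>"rails", :version=>['2.3.16', '3.2.9', '3.1.9', '3.0.21']}]`. The message says 2.3.x through 3.2.x are affected without naming a fix, so the four versions in the mitigation and the safe list should also be verified against the linked advisory; a knowledge-base spec that runs each rails check against a vulnerable Gemfile.lock would have flagged the typo.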
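--- a/data/lib/codesake/dawn/kb/dependency_check.rb
+++ b/data/lib/codesake/dawn/kb/dependency_check.rb
@@ -5,7 +5,14 @@ module Codesake
 include BasicCheck
 
 attr_accessor :dependencies
-
+
+# This attribute replaces fixed_dependency in 20130521.
+# There are cve checks like
+# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0175 that
+# addresses two different gems firing up the vulnerability. You can
+# read this like, "if you use gem A version A1 or if you use gem B
+# version B1 you can occur in this issue".
+attr_accessor :safe_dependencies
 attr_accessor :aux_mitigation_gem
 
 
@@ -18,10 +25,20 @@ module Codesake
 # don't care about gem version when it mitigates a vulnerability... this can be risky, maybe I would reconsider in the future.
 @mitigated = true if dep[:name] == @aux_mitigation_gem[:name] unless @aux_mitigation_gem.nil?
 
-
-
-
+@safe_dependencies.each do |safe_dep|
+if @ruby_vulnerable_versions.empty?
+if dep[:name] == safe_dep[:name] and is_vulnerable_version?(dep[:version], safe_dep[:version])
+ret = true
+message = "Vulnerable #{dep[:name]} gem version found: #{dep[:version]}"
+end
+else
+if dep[:name] == safe_dep[:name] and is_vulnerable_version?(dep[:version], safe_dep[:version]) and is_ruby_vulnerable_version?
+ret = true
+message = "Vulnerable #{dep[:name]} gem version found: #{dep[:version]}"
+end
+end
 end
+
 end
 
 if ret and @mitigated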
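Review bot: The second hunk calls `@safe_dependencies.each` and `@ruby_vulnerable_versions.empty?` without a nil guard, yet the first hunk only declares `attr_accessor :safe_dependencies` with no default, so any check that includes DependencyCheck and forgets the `self.safe_dependencies = ...` assignment raises NoMethodError on nil instead of reporting nothing, and the same applies to `@ruby_vulnerable_versions` unless BasicCheck initialises it (not visible here). The two branches also duplicate the name/version test and the message verbatim, differing only in whether `is_ruby_vulnerable_version?` is consulted, and use `and` where `&&` is meant. I would collapse them into one guarded path; the enclosing method and the `@dependencies` loop that binds `dep` start outside the hunk.
```ruby
# … unchanged: aux_mitigation_gem handling …
Array(@safe_dependencies).each do |safe_dep|
  next unless dep[:name] == safe_dep[:name]
  next unless is_vulnerable_version?(dep[:version], safe_dep[:version])
  # An empty ruby list means the gem is vulnerable on any interpreter version
  next unless Array(@ruby_vulnerable_versions).empty? || is_ruby_vulnerable_version?
  ret = true
  message = "Vulnerable #{dep[:name]} gem version found: #{dep[:version]}"
end
```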
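--- a/data/lib/codesake/dawn/kb/ruby_version_check.rb
+++ b/data/lib/codesake/dawn/kb/ruby_version_check.rb
@@ -0,0 +1,50 @@
+module Codesake
+module Dawn
+module Kb
+module RubyVersionCheck
+include BasicCheck
+
+# Array of hashes in the {:version=>"1.9.3", :patchlevel=>"p342"} form
+attr_accessor :safe_rubies
+# Hash in the {:version=>"1.9.3", :patchlevel=>"p342"} form
+attr_accessor :detected_ruby
+
+def vuln?
+vv_a = []
+vv_p = []
+vp = false
+
+@safe_rubies.each do |ss|
+vv_a << ss[:version]
+vv_p << ss[:patchlevel].split("p")[1].to_i
+end
+vv = self.is_vulnerable_version?(detected_ruby[:version], vv_a)
+
+# Since we have also the patch level a fixes version can be the same
+# as the vulnerable... we must consider this
+ve = self.is_same_version?(detected_ruby[:version], vv_a) unless vv
+vp = is_vulnerable_patchlevel?(detected_ruby[:patchlevel], vv_p) if ve
+
+return true if vv
+return (ve and vp)
+end
+
+def is_same_version?(target, fixes = [])
+fixes.each do |f|
+return true if f == target
+end
+false
+end
+
+def is_vulnerable_patchlevel?(target, fixes = [])
+t = target.split("p")[1].to_i
+fixes.each do |f|
+return true if f > t
+end
+false
+end
+end
+end
+end
+end
+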
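Review bot: In `vuln?` the patch levels of every entry in `@safe_rubies` are pooled into `vv_p` and `is_vulnerable_patchlevel?` returns true if any of them exceeds the detected one, so with a list such as 1.9.3-p392 and 2.0.0-p0 a detected 2.0.0-p0 is the same version as one entry and then flagged because 392 > 0, a false positive that worsens as more safe rubies are listed. Only the entries whose `:version` equals the detected version should contribute patch levels; this also makes `is_same_version?` and the `vp = false` initialisation unnecessary. Note that `split("p")[1].to_i` yields 0 for a patchlevel string without a leading "p", which would silently make every fix look newer; `patchlevel.to_s.delete("p").to_i` accepts both spellings. The semantics of `is_vulnerable_version?` come from BasicCheck, which is outside this file.
```ruby
def vuln?
  safe_versions = @safe_rubies.map { |ss| ss[:version] }
  return true if is_vulnerable_version?(detected_ruby[:version], safe_versions)

  # Patch levels are only comparable inside one release line; a 1.9.3 fix
  # must not be compared against a 2.0.0 install.
  same_line_fixes = @safe_rubies.select { |ss| ss[:version] == detected_ruby[:version] }
                                .map { |ss| ss[:patchlevel].to_s.delete("p").to_i }
  return false if same_line_fixes.empty?

  is_vulnerable_patchlevel?(detected_ruby[:patchlevel], same_line_fixes)
end
# … unchanged: is_vulnerable_patchlevel? …
```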