codesake-dawn 0.50

data/lib/codesake/dawn/kb/basic_check.rb

@@ -0,0 +1,93 @@
+require 'cvss'
+
+module Codesake
+  module Dawn
+    module Kb
+      module BasicCheck
+
+        attr_reader :name
+        attr_reader :cvss
+        attr_reader :cwe
+        attr_reader :owasp
+        attr_reader :release_date
+        attr_reader :applies
+        attr_reader :kind
+        attr_reader :message
+        attr_reader :remediation
+        attr_reader :aux_links
+        attr_reader :mitigated
+
+        # The framework target version
+        attr_reader   :target_version
+        # The versions of the framework that fixes the vulnerability
+        attr_reader   :fixes_version
+
+        # Vulnerability evidences
+        attr_reader   :evidences
+
+        def initialize(options={})
+          @name         = options[:name]
+          @cvss         = options[:cvss]
+          @cwe          = options[:cwe]
+          @owasp        = options[:owasp]
+          @release_date = options[:release_date]
+          @applies      = []
+          @applies      = options[:applies] unless options[:applies].nil?
+          @kind         = options[:kind]
+          @message      = options[:message]
+          @remediation  = options[:mitigation]
+          @aux_links    = options[:aux_links]
+
+          @target_version = options[:target_version]
+          @fixes_version  = options[:fixes_version]
+
+          @evidences    = []
+          @mitigated    = false
+    
+        end
+
+
+        def applies_to?(name)
+          ! @applies.find_index(name).nil?
+        end
+        def cve_link
+          "http://cve.mitre.org/cgi-bin/cvename.cgi?name=#{@name}"
+        end
+        def nvd_link
+          "http://web.nvd.nist.gov/view/vuln/detail?vulnId=#{@name}"
+        end
+
+        # @target_version = '2.3.11'
+        # @fixes_version = ['2.3.18', '3.2.13', '3.1.12' ] 
+        def is_vulnerable_version?(target = nil, fixes = nil)
+          target  = @target_version if target.nil?
+          fixes   = @fixes_version  if fixes.nil?
+          return false if target.nil? or fixes.empty?
+
+          ret = false
+
+          target_v_array = target.split(".").map! { |n| n.to_i }
+          fixes.each do |fv|
+            fixes_v_array = fv.split(".").map! { |n| n.to_i }
+            if target_v_array[0] == fixes_v_array[0]
+              ret = true if target_v_array[1] < fixes_v_array[1] # same major but previous minor
+              ret = true if target_v_array[1] == fixes_v_array[1] and target_v_array[2] < fixes_v_array[2] 
+            end
+          end
+
+          ret
+        end
+
+        def cvss_score
+          return Cvss::Engine.new.score(self.cvss) unless self.cvss.nil?
+          "    "
+        end
+
+        def mitigated?
+          self.mitigated
+        end
+
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/cve_2011_2931.rb

@@ -0,0 +1,32 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-13
+			class CVE_2011_2931
+				include DependencyCheck
+
+				def initialize
+          message = "Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name." 
+          super({
+            :name=>"CVE-2011-2931",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2011, 8, 29),
+            :cwe=>"79",
+            :owasp=>"A3", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.13, 3.0.10, 3.1.0. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/Vr_7WSOrEZU/discussion"]
+          })
+
+          self.fixed_dependency = {:name=>"rails", :version=>['2.3.13', '3.0.10', '3.1.0']}
+
+
+          
+          
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_2660.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-02
+			class CVE_2012_2660
+				include DependencyCheck
+
+				def initialize
+          message = "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain \"[nil]\" values, a related issue to CVE-2012-2694."
+
+          super({
+            :name=>"CVE-2012-2660",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:N",
+            :release_date => Date.new(2012, 6, 22),
+            :cwe=>"",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.15, 3.2.5, 3.1.5 or 3.0.13. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/8SA-M3as7A8/discussion"]
+          })
+
+          self.fixed_dependency = {:name=>"rails", :version=>['2.3.15', '3.0.13', '3.2.5', '3.1.5']}
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_2661.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-06
+			class CVE_2012_2661
+				include DependencyCheck
+
+				def initialize
+          message = "The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695."
+
+          super({
+            :name=>"CVE-2012-2661",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
+            :release_date => Date.new(2012, 6, 22),
+            :cwe=>"",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 3.2.5, 3.1.5 or 3.0.13. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/dUaiOOGWL1k/discussion"]
+          })
+
+          self.fixed_dependency = {:name=>"rails", :version=>['3.0.13', '3.2.5', '3.1.5']}
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_2694.rb

@@ -0,0 +1,31 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-03
+			class CVE_2012_2694
+				include DependencyCheck
+
+				def initialize
+          message = "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain \"['xyz', nil]\" values, a related issue to CVE-2012-2660."
+
+          super({
+            :name=>"CVE-2012-2694",
+            :cvss=>"AV:N/AC:M/Au:N/C:P/I:N/A:N",
+            :release_date => Date.new(2012, 6, 22),
+            :cwe=>"",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.15, 3.2.6, 3.1.6 or 3.0.14. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/l4L0TEVAz1k/discussion"]
+          })
+
+          self.fixed_dependency = {:name=>"rails", :version=>['2.3.15', '3.0.14', '3.2.6', '3.1.6']}
+
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_2695.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-06
+			class CVE_2012_2695
+				include DependencyCheck
+
+				def initialize
+          message = "The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661."
+
+          super({
+            :name=>"CVE-2012-2695",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2012, 6, 22),
+            :cwe=>"",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 3.2.6, 3.1.6 or 3.0.14. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/l4L0TEVAz1k/discussion"]
+          })
+
+          self.fixed_dependency = {:name=>"rails", :version=>['3.0.14', '3.2.6', '3.1.6']}
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_3465.rb

@@ -0,0 +1,28 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-13
+			class CVE_2012_3465
+				include DependencyCheck
+
+				def initialize
+          message = "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup."
+          super({
+            :name=>"CVE-2012-3465",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2012, 8, 10),
+            :cwe=>"79",
+            :owasp=>"A3", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.13, 3.0.10, 3.1.0. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"]
+          })
+          self.fixed_dependency = {:name=>"rails", :version=>['2.3.14', '3.0.17', '3.1.8', '3.2.8']}
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_6496.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-06
+			class CVE_2012_6496
+				include DependencyCheck
+
+				def initialize
+          message = "SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls."
+
+          super({
+            :name=>"CVE-2012-6496",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 1, 4),
+            :cwe=>"200",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 3.2.10, 3.1.9 or 3.0.18. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"]
+          })
+
+          self.fixed_dependency = {:name=>"rails", :version=>['3.0.18', '3.2.10', '3.1.9']}
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_6497.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-06
+			class CVE_2012_6497
+				include DependencyCheck
+
+				def initialize
+          message = "The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product."
+
+          super({
+            :name=>"CVE-2012-6497",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
+            :release_date => Date.new(2013, 1, 4),
+            :cwe=>"200",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version to the latest stable rails version.",
+            :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"]
+          })
+
+          self.fixed_dependency = {:name=>"authlogic", :version=>['3.2.10']}
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_0155.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-10
+			class CVE_2013_0155
+				include DependencyCheck
+
+				def initialize
+          message = "Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain \"[nil]\" values, a related issue to CVE-2012-2660 and CVE-2012-2694."
+
+          super({
+            :name=>"CVE-2013-0155",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:N",
+            :release_date => Date.new(2013, 1, 13),
+            :cwe=>"",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 3.0.19, 3.1.10 and 3.2.11. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"]
+          })
+
+          self.fixed_dependency = {:name=>"rails", :version=>['3.0.19', '3.1.10', '3.2.11']}
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_0269.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-10
+			class CVE_2013_0269
+				include DependencyCheck
+
+				def initialize
+          message = "The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\""
+
+          super({
+            :name=>"CVE-2013-0269",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 2, 13),
+            :cwe=>"",
+            :owasp=>"A9", 
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade JSON gem to version 1.5.5, 1.6.8 or 1.7.7 or latest version available",
+            :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/4_YvCpLzL58/discussion"]
+          })
+
+          self.fixed_dependency = {:name=>"json", :version=>['1.5.5', '1.6.8', '1.7.7']}
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_0333.rb

@@ -0,0 +1,33 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-04-30
+			class CVE_2013_0333
+				#
+				# Include the testing skeleton for this CVE
+				# include PatternMatchCheck
+				include DependencyCheck
+
+
+				def initialize
+          message = "lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156." 
+          super({
+            :name=>"CVE-2013-0333",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 1, 30),
+            :cwe=>"",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.16 or 3.0.20. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo"]
+          })
+
+          self.fixed_dependency = {:name=>"rails", :version=>['2.3.16', '3.0.20']}
+          self.aux_mitigation_gem = {:name=>"yajl", :versione=>['any']}
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1800.rb

@@ -0,0 +1,28 @@
+module Codesake
+  module Dawn
+    module Kb
+      class CVE_2013_1800  
+        include DependencyCheck
+        
+
+        def initialize
+
+          message = "The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156."
+
+          super({:name=>"CVE-2013-1800", 
+                :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P", 
+                :release_date => Date.new(2013, 4, 9),
+                :cwe=>"264",
+                :owasp=>"A9", 
+                :applies=>["sinatra", "padrino", "rails"],
+                :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+                :message=>message,
+                :mitigation=>"Please use crack gem version 0.3.2 or above. Correct your gemfile"
+          })
+          self.fixed_dependency = {:name=>'crack', :version=>['0.3.2']}
+        end
+
+      end
+    end
+  end
+end