codesake-dawn 0.50

data/lib/codesake/dawn/kb/cve_2013_1855.rb

@@ -0,0 +1,20 @@
+module Codesake
+  module Dawn
+    module Kb
+      class CVE_2013_1855 
+        include PatternMatchCheck
+
+        def initialize
+          super({
+            :fixes_version => ['2.3.18', '3.2.13', '3.1.12'], 
+            :attack_pattern => ["sanitize_css"], 
+            :name=>'CVE-2013-1855', 
+            :applies=>["rails"],
+            :kind => Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+            :aux_links => ["https://groups.google.com/d/msg/rubyonrails-security/4_QHo4BqnN8/_RrdfKk12I4J"]
+          })
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/cve_2013_1857.rb

@@ -0,0 +1,22 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-02
+			class CVE_2013_1857
+				include PatternMatchCheck
+
+        def initialize
+          super({
+            :fixes_version => ['2.3.18', '3.2.13', '3.1.12'], 
+            :attack_pattern => ["sanitize"], 
+            :name=>'CVE-2013-1857', 
+            :applies=>["rails"],
+            :kind => Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+            :aux_links => [ "https://groups.google.com/d/msg/rubyonrails-security/zAAU7vGTPvI/1vZDWXqBuXgJ" ]
+          })
+
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/dependency_check.rb

@@ -0,0 +1,39 @@
+module Codesake
+  module Dawn
+    module Kb
+      module DependencyCheck
+        include BasicCheck
+
+        attr_accessor :dependencies
+        attr_accessor :fixed_dependency
+        attr_accessor :aux_mitigation_gem
+
+
+        def vuln?
+          ret         = false
+          @mitigated  = false
+          message     = ""
+
+          @dependencies.each do |dep|
+            # don't care about gem version when it mitigates a vulnerability... this can be risky, maybe I would reconsider in the future.
+            @mitigated = true if dep[:name] == @aux_mitigation_gem[:name] unless @aux_mitigation_gem.nil?
+
+            if dep[:name] == @fixed_dependency[:name] and is_vulnerable_version?(dep[:version], @fixed_dependency[:version]) 
+              ret = true
+              message = "Vulnerable #{dep[:name]} gem version found: #{dep[:version]}"
+            end
+          end
+
+          if ret and @mitigated 
+            ret = false
+            message += "Vulnerability has been mitigated by gem #{@aux_mitigation_gem[:name]}. Don't remove it from your Gemfile"
+          end
+
+          self.evidences << message unless message.empty?
+
+          ret
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/not_revised_code.rb

@@ -0,0 +1,24 @@
+module Codesake
+  module Dawn
+    module Kb
+      class NotRevisedCode
+        include PatternMatchCheck
+
+
+        def initialize
+          super({:name=>"Not revised code",
+                :cvss=>"",
+                :release_date=>nil,
+                :cwe=>"",
+                :owasp=>"",
+                :applies=>["sinatra", "rails", "padrino"],
+                :kind=>Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+                :message=>"Analyzing comments, it seems your code is waiting from some review from you. Please consider take action before putting it in production.\nThis check will analyze the source code looking for the following patterns: XXX, TO_CHECK, CHECKME, CHECK and FIXME",
+                :mitigation=>"Please review the file fixing the issue.",
+                :attack_pattern => ["XXX", "TO_CHECK", "CHECKME", "CHECK", "FIXME"]
+          })
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/pattern_match_check.rb

@@ -0,0 +1,60 @@
+module Codesake
+  module Dawn
+    module Kb
+      module PatternMatchCheck
+        include BasicCheck
+
+
+        attr_reader   :attack_pattern
+        attr_accessor :root_dir
+
+        def initialize(options={})
+          super(options)
+          @attack_pattern = options[:attack_pattern]
+        end
+
+        def vuln?
+          Dir.glob(File.join("#{root_dir}", "*")).each do |filename|
+            matches = run(load_file(filename))
+            @evidences << {:filename=>filename, :matches=>matches} unless matches.empty?
+          end
+          return ! @evidences.empty?
+        end
+
+        private 
+        def string_to_array(par)
+          return par if par.class == Array
+          %w(par)  
+        end
+
+        def load_file(filename)
+          return [] unless File.exists?(filename) and File.file?(filename)
+
+          f = File.open(filename)
+          lines = f.readlines
+          f.close 
+
+          lines
+        end
+
+        def run(lines)
+          hits = []
+
+          patterns = string_to_array(@attack_pattern)
+          
+          patterns.each do |pat|
+
+            regex=/#{pat}/
+
+            lines.each_with_index do |line,i|
+              hits << {:match=>line, :line=>i} unless (regex =~ line).nil?
+            end
+          end
+
+          hits
+        end
+
+      end
+    end
+  end
+end

data/lib/codesake/dawn/knowledge_base.rb

@@ -0,0 +1,105 @@
+# Core KB 
+require "codesake/dawn/kb/basic_check"
+require "codesake/dawn/kb/pattern_match_check"
+require "codesake/dawn/kb/dependency_check"
+
+# Q&A related checks
+require "codesake/dawn/kb/not_revised_code"
+
+# CVE - 2011
+require "codesake/dawn/kb/cve_2011_2931"
+
+# CVE - 2012
+require "codesake/dawn/kb/cve_2012_2660"
+require "codesake/dawn/kb/cve_2012_2661"
+require "codesake/dawn/kb/cve_2012_2694"
+require "codesake/dawn/kb/cve_2012_2695"
+require "codesake/dawn/kb/cve_2012_3465"
+require "codesake/dawn/kb/cve_2012_6496"
+require "codesake/dawn/kb/cve_2012_6497"
+
+# CVE - 2013
+require "codesake/dawn/kb/cve_2013_1855"
+require "codesake/dawn/kb/cve_2013_1857"
+require "codesake/dawn/kb/cve_2013_1800"
+require "codesake/dawn/kb/cve_2013_0333"
+require "codesake/dawn/kb/cve_2013_0269"
+require "codesake/dawn/kb/cve_2013_0155"
+
+module Codesake
+  module Dawn
+    # XXX: Check if it best using a singleton here
+    class KnowledgeBase
+
+      DEPENDENCY_CHECK    = :dependency_check
+      PATTERN_MATCH_CHECK = :pattern_match_check
+
+      def initialize
+        @security_checks = Codesake::Dawn::KnowledgeBase.load_security_checks
+      end
+
+      def self.find(checks=nil, name)
+        return nil if name.nil? or name.empty?
+        checks = Codesake::Dawn::KnowledgeBase.load_security_checks if checks.nil?
+
+        checks.each do |sc|
+          return sc if sc.name == name
+        end
+        nil
+      end
+
+      def find(name)
+        Codesake::Dawn::KnowledgeBase.find(@security_checks, name)
+      end
+
+      def all
+        @security_checks
+      end
+
+      def all_by_mvc(mvc)
+        ret = []
+        @security_checks.each do |sc|
+          ret << sc if sc.applies_to?(mvc)
+        end
+
+      end
+
+      def all_sinatra_checks
+        self.all_by_mvc(:sinatra)
+      end
+
+      def all_rails_checks
+        self.all_by_mvc(:rails)
+      end
+
+      def all_padrino_checks
+        self.all_by_mvc(:padrino)
+      end
+
+      def all_rack_checks
+        self.all_by_mvc(:rack)
+      end
+
+      def self.load_security_checks
+        [  
+          Codesake::Dawn::Kb::NotRevisedCode.new,
+          Codesake::Dawn::Kb::CVE_2011_2931.new, 
+          Codesake::Dawn::Kb::CVE_2012_2660.new, 
+          Codesake::Dawn::Kb::CVE_2012_2661.new, 
+          Codesake::Dawn::Kb::CVE_2012_2694.new, 
+          Codesake::Dawn::Kb::CVE_2012_2695.new, 
+          Codesake::Dawn::Kb::CVE_2012_3465.new, 
+          Codesake::Dawn::Kb::CVE_2012_6496.new, 
+          Codesake::Dawn::Kb::CVE_2012_6497.new,
+          Codesake::Dawn::Kb::CVE_2013_1855.new, 
+          Codesake::Dawn::Kb::CVE_2013_1800.new,
+          Codesake::Dawn::Kb::CVE_2013_0333.new,
+          Codesake::Dawn::Kb::CVE_2013_0269.new,
+          Codesake::Dawn::Kb::CVE_2013_1857.new, 
+          Codesake::Dawn::Kb::CVE_2013_0155.new,
+        ]
+      end
+    end
+
+  end
+end

data/lib/codesake/dawn/rails.rb

@@ -0,0 +1,17 @@
+require "codesake/dawn/engine"
+
+module Codesake
+  module Dawn
+    class Rails
+      include Codesake::Dawn::Engine
+
+
+      def initialize(dir=nil)
+        super(dir, "rails")
+      end
+      
+     
+
+    end
+  end
+end

data/lib/codesake/dawn/sinatra.rb

@@ -0,0 +1,14 @@
+require "codesake/dawn/engine"
+
+module Codesake
+  module Dawn
+    class Sinatra
+      include Codesake::Dawn::Engine
+
+      def initialize(dir=nil)
+        super(dir, "sinatra")
+      end
+
+    end
+  end
+end

data/lib/codesake/dawn/version.rb

@@ -0,0 +1,5 @@
+module Codesake
+  module Dawn
+    VERSION = "0.50"
+  end
+end

data/spec/lib/dawn/codesake_knowledgebase_spec.rb

@@ -0,0 +1,100 @@
+require 'spec_helper'
+
+describe "The Codesake Dawn knowledge base" do
+  let (:kb) {Codesake::Dawn::KnowledgeBase.new}
+  it "must not be empty" do
+    kb.all.size.should_not  == 0
+
+  end
+  it "must have a find method" do
+    kb.should   respond_to(:find)
+  end
+
+  it "must have an all_by_mvc method" do
+    kb.should   respond_to(:all_by_mvc)
+  end
+
+    
+  it "will return a nil object if it doesn't find a particular security check"  do
+    kb.find("A non existant security check name").should    be_nil
+  end
+
+  it "must have at least a test for sinatra" do
+    kb.all_by_mvc("sinatra").size.should   > 0
+  end
+
+  # KB Content
+  it "must have test for CVE_2013_1855" do
+    sc = kb.find("CVE-2013-1855")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_1855
+  end 
+
+
+  it "must have test for CVE_2013_0333" do 
+    sc = kb.find("CVE-2013-0333")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_0333
+  end
+
+  it "must have test for CVE_2013_1857" do
+    sc = kb.find("CVE-2013-1857")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_1857
+  end
+
+  it "must have test for CVE_2012_2660" do
+    sc = kb.find("CVE-2012-2660")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2012_2660
+  end
+  it "must have test for CVE_2012_2661" do
+    sc = kb.find("CVE-2012-2661")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2012_2661
+  end
+  it "must have test for CVE_2012_2694" do
+    sc = kb.find("CVE-2012-2694")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2012_2694
+  end
+  it "must have test for CVE_2012_2695" do
+    sc = kb.find("CVE-2012-2695")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2012_2695
+  end
+  it "must have test for CVE_2012_6496" do
+    sc = kb.find("CVE-2012-6496")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2012_6496
+  end
+  it "must have test for CVE_2012_6497" do
+    sc = kb.find("CVE-2012-6496")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2012_6496
+  end
+
+  it "must have test for CVE_2013_0269" do
+    sc = kb.find("CVE-2013-0269")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_0269
+  end
+
+  it "must have test for CVE_2013_0155" do
+    sc = kb.find("CVE-2013-0155")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_0155
+  end
+  it "must have test for CVE_2011_2931" do
+    sc = kb.find("CVE-2011-2931")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2011_2931
+  end
+  it "must have test for CVE_2012_3465" do
+    sc = kb.find("CVE-2012-3465")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2012_3465
+  end
+
+
+end

data/spec/lib/dawn/codesake_sinatra_engine_spec.rb

@@ -0,0 +1,80 @@
+require 'spec_helper'
+
+describe "The Codesake::Dawn engine for sinatra applications" do
+  before(:all) {@engine= Codesake::Dawn::Sinatra.new('./spec/support/sinatra-safe')}
+
+  it "has a proper name" do
+    @engine.name.should   ==    "sinatra"
+  end
+
+  it "has a valid target" do
+    @engine.target.should ==   "./spec/support/sinatra-safe"
+    @engine.target_is_dir?.should  be_true
+  end
+
+  it "has a good Gemfile.lock" do
+    @engine.has_gemfile_lock?.should   be_true
+  end
+
+  it "detects a sinatra 1.4.2" do
+    @engine.mvc_version.should   == "1.4.2"
+  end
+
+  it "has some check in the knowledge base" do
+    @engine.checks.should_not be_nil 
+    @engine.checks.should_not be_empty
+  end
+  it "has check for CVE-2013-1800" do
+    Codesake::Dawn::KnowledgeBase.find(@engine.checks, "CVE-2013-1800").should_not  be_nil
+  end
+
+  it "applies all checks" do
+    @engine.apply_all.should  be_true
+  end
+  it "applies check for CVE-2013-1800" do
+    @engine.apply("CVE-2013-1800").should   be_true
+  end
+  
+  it "applies check for \"Not revised code\"" do
+    @engine.apply("Not revised code").should  be_true
+  end 
+
+  describe "applied to sinatra-safe application" do
+    it "reports it's not vulnerable to CVE-2013-1800" do
+      @engine.is_vulnerable_to?("CVE-2013-1800").should be_false
+    end
+
+    it "reports it's not vulnerable to \"Not revised code\"" do
+      @engine.is_vulnerable_to?("Not revised code").should  be_false
+    end
+
+    it "reports it has no vulnerabilities" do
+      @engine.vulnerabilities.should  be_empty
+    end
+  end  
+
+  describe "applied do the sinatra-vulnerable application do" do
+    before (:all) {@engine= Codesake::Dawn::Sinatra.new('./spec/support/sinatra-vulnerable')}
+    it "has a valid target" do
+      @engine.target.should ==   "./spec/support/sinatra-vulnerable"
+      @engine.target_is_dir?.should  be_true
+    end
+
+    it "reports it's vulnerable to CVE-2013-1800" do
+      @engine.is_vulnerable_to?("CVE-2013-1800").should be_true
+    end
+
+    it "reports it's vulnerable to \"Not revised code\"" do
+      @engine.is_vulnerable_to?("Not revised code").should  be_true
+    end
+
+    it "reports it has vulnerabilities" do
+      @engine.vulnerabilities.should_not  be_empty
+    end
+
+    it "applies automagically all the tests if no test has been applied" do
+      e2 =  Codesake::Dawn::Sinatra.new('./spec/support/sinatra-vulnerable')
+      e2.vulnerabilities.should_not be_empty
+    end
+  end
+end