codesake-dawn 0.60 → 0.70

data/{codesake_dawn.gemspec → codesake-dawn.gemspec}

@@ -19,6 +19,11 @@ Gem::Specification.new do |gem|
 
   gem.add_dependency 'codesake_commons', '>= 0.67.0'
   gem.add_dependency 'cvss'
+  gem.add_dependency 'haml'
+  gem.add_dependency 'parser'
+  gem.add_dependency 'ptools'
+
+  gem.add_dependency ('coveralls')
 
   gem.add_development_dependency 'rake'
   gem.add_development_dependency 'rspec'

data/features/dawn_complains_about_an_incorrect_command_line.feature

@@ -3,7 +3,7 @@ Feature: dawn complains on its command line when incomplete
 
   Scenario: dawn complains if you don't specify the target framework
     When I run `bundle exec dawn`
-    Then the stderr should contain "missing target framework option"
+    Then the stderr should contain "missing target"
 
   Scenario: dawn complains if you don't specify the target
     When I run `bundle exec dawn -s`
@@ -12,7 +12,7 @@ Feature: dawn complains on its command line when incomplete
   Scenario: dawn complains if the target doesn't exist
     Given the generic project "/tmp/this_is_foo" doesn't exist
     When I run `bundle exec dawn -s /tmp/this_is_foo`
-    Then the stderr should contain "/tmp/this_is_foo doesn't exist"
+    Then the stderr should contain "invalid directory (/tmp/this_is_foo)"
 
   Scenario: dawn complains if the target uses a different framework than the one specified
     Given the hello world rails project does exist

data/features/dawn_scan_a_secure_sinatra_app.feature

@@ -3,19 +3,19 @@ Feature: dawn reports no security issues
 
   Scenario: dawn detects the sinatra version
     Given a safe sinatra application exists
-    When I run `bundle exec dawn -s /tmp/sinatra-safe`
+    When I run `bundle exec dawn /tmp/sinatra-safe`
     Then the stdout should contain "1.4.2"
 
   Scenario: dawn tells there are no vulnerabilities
     Given a safe sinatra application exists
-    When I run `bundle exec dawn -s /tmp/sinatra-safe`
+    When I run `bundle exec dawn /tmp/sinatra-safe`
     Then the stdout should contain "no vulnerabilities found"
 
     # Test for --output json
   Scenario: dawn can give a brief json output as well
     Given a safe sinatra application exists
     When I run `bundle exec dawn -s /tmp/sinatra-safe --output json`
-    Then the stdout should contain "{:status=>"OK", :target=>"/tmp/sinatra-safe", :mvc=>"sinatra", :mvc_version=>"1.4.2", :vulnerabilities_count=>0, :vulnerabilities=>[], :mitigated_vuln_count=>0, :mitigated_vuln=>[]}"
+    Then the stdout should contain "{\"status\":"OK",\"target\":"/tmp/sinatra-safe",\"mvc\":"sinatra",\"mvc_version\":"1.4.2",\"vulnerabilities_count\":0,\"vulnerabilities\":[],\"mitigated_vuln_count\":0,\"mitigated_vuln\":[],\"reflected_xss\":[]}"
 
 
     # Tests for --count-only option
@@ -27,5 +27,5 @@ Feature: dawn reports no security issues
   Scenario: dawn can give just the number of issues found as output
     Given a safe sinatra application exists
     When I run `bundle exec dawn --count-only -s /tmp/sinatra-safe --output json`
-    Then the stdout should contain "{:status=>"OK", :vulnerabilities_count=>0}"
+    Then the stdout should contain "{\"status\":"OK",\"vulnerabilities_count\":0}"
 

data/features/dawn_scan_a_vulnerable_sinatra_app.feature

@@ -0,0 +1,36 @@
+Feature: dawn reports security issues 
+  When it scans a sinatra application that it is not updated and it has XSS
+
+  Scenario: dawn detects the sinatra version
+    Given a vulnerable sinatra application exists
+    When I run `bundle exec dawn /tmp/sinatra-vulnerable`
+    Then the stdout should contain "1.2.6"
+
+  Scenario: dawn tells there are no vulnerabilities
+    Given a vulnerable sinatra application exists
+    When I run `bundle exec dawn /tmp/sinatra-vulnerable`
+    Then the stdout should contain "4 vulnerabilities found"
+    And the stdout should contain "Not revised code failed"
+    And the stdout should contain "CVE-2013-0269 failed"
+    And the stdout should contain "CVE-2013-1800 failed"
+    And the stdout should contain "1 reflected XSS found"
+    And the stdout should contain "request parameter \"name\""
+
+    # Test for --output json
+  Scenario: dawn can give a brief json output as well
+    Given a vulnerable sinatra application exists
+    When I run `bundle exec dawn -s /tmp/sinatra-vulnerable --output json`
+    Then the stdout should contain "{\"status\":"OK",\"target\":"/tmp/sinatra-vulnerable",\"mvc\":"sinatra",\"mvc_version\":"1.2.6",\"vulnerabilities_count\":4,\"vulnerabilities\":["Not revised code","CVE-2013-0269","CVE-2013-1800"],\"mitigated_vuln_count\":0,\"mitigated_vuln\":[],\"reflected_xss\":["request parameter \"name\""]}"
+
+
+    # Tests for --count-only option
+  Scenario: dawn can give just the number of issues found as output
+    Given a vulnerable sinatra application exists
+    When I run `bundle exec dawn --count-only -s /tmp/sinatra-vulnerable`
+    Then the stdout should contain "4"
+
+  Scenario: dawn can give just the number of issues found as output
+    Given a vulnerable sinatra application exists
+    When I run `bundle exec dawn --count-only -s /tmp/sinatra-vulnerable --output json`
+    Then the stdout should contain "{\"status\":"OK",\"vulnerabilities_count\":4}"
+

data/features/step_definition/dawn_steps.rb

@@ -3,11 +3,17 @@ Given /^the generic project "(.*?)" doesn't exist$/ do |file|
 end
 
 Given /^the hello world rails project does exist$/ do
-  system("cp -a ./spec/support/hello_world_3.2.13 /tmp") unless File.exists?("/tmp/hello_world_3.2.13")
+  system("rm -rf /tmp/hello_world_3.2.13")
+  system("cp -a ./spec/support/hello_world_3.2.13 /tmp") 
 end
 
 Given /^a safe sinatra application exists$/ do
-  system("cp -a ./spec/support/sinatra-safe /tmp") unless File.exists?("/tmp/sinatra-safe")
+  system("rm -rf /tmp/sinatra-safe")
+  system("cp -a ./spec/support/sinatra-safe /tmp") 
+end
 
+Given /^a vulnerable sinatra application exists$/ do
+  system("rm -rf /tmp/sinatra-vulnerable")
+  system("cp -a ./spec/support/sinatra-vulnerable /tmp") 
 end
 

data/lib/codesake-dawn.rb

@@ -1,3 +1,4 @@
+require "codesake/dawn/core"
 require "codesake/dawn/version"
 require "codesake/dawn/knowledge_base"
 require "codesake/dawn/rails"

data/lib/codesake/dawn/core.rb

@@ -0,0 +1,22 @@
+module Codesake
+  module Dawn
+    class Core
+      def self.detect_mvc(target)
+        gemfile_lock =  File.join(target, "Gemfile.lock")
+        raise ArgumentError.new("no Gemfile.lock in #{target}") unless File.exist?(gemfile_lock)
+
+        lockfile = Bundler::LockfileParser.new(Bundler.read_file(gemfile_lock))
+        lockfile.specs.each do |s|
+          return Codesake::Dawn::Rails.new(target)    if s.name == "rails"
+          # return Codesake::Dawn::Padrino.new  if s.name == "padrino"
+        end
+
+        return Codesake::Dawn::Sinatra.new(target) 
+      end
+
+      def self.is_good_target?(target)
+        (File.exist?(target) and File.directory?(target))
+      end
+    end
+  end
+end

data/lib/codesake/dawn/engine.rb

@@ -13,6 +13,25 @@ module Codesake
       attr_reader :mitigated_issues
       attr_reader :ruby_version
 
+      attr_reader :engine_error
+
+      attr_reader :reflected_xss
+
+      # Typical MVC elements here
+
+      # Each view will be something like {:filename=>"target/views/index.haml", :language=>:haml}
+      attr_reader :views
+
+      # Each controller will be a little bit more complex. Of course for
+      # Sinatra, the controller filename will be the sole web application ruby
+      # file.
+      # {:filename=>"target/controllers/this_controller.rb", :actions=>[{:name=>"index", :method=>:get, :map=>"/"]}
+      attr_reader :controllers
+
+      # Models I don't know right now. Let them initialized as Array... we
+      # will see later 
+      attr_reader :models
+
       def initialize(dir=nil, name="")
         @name = name
         @mvc_version = ""
@@ -22,17 +41,54 @@ module Codesake
         @vulnerabilities = []
         @mitigated_issues = []
         @applied = []
+        @engine_error = false
+
         set_target(dir) unless dir.nil?
+
+        @views        = detect_views 
+        @controllers  = detect_controllers
+        @models       = detect_models
+        
         load_knowledge_base
       end
 
+      def detect_views
+        []
+      end
+      def error!
+        @error = true
+      end
+      def error?
+        @error
+      end
+
+      def build_view_array(dir)
+
+        return [] unless File.exist?(dir) and File.directory?(dir) 
+
+        ret = []
+        Dir.glob(File.join("#{dir}", "*")).each do |filename| 
+          ret << {:filename=>filename, :language=>:haml} if File.extname(filename) == ".haml"
+        end
+
+        ret
+      end
+
+      def detect_controllers
+        []
+      end
+
+      def detect_models
+        []
+      end
+
       def get_ruby_version
         # does target use rbenv?
         ver = get_rbenv_ruby_ver
         # does the target use rvm?
         ver = get_rvm_ruby_ver if ver[:version].empty? and ver[:patchlevel].empty?
         # take the running ruby otherwise
-        ver = {:version=>RUBY_VERSION, :patchlevel=>"p#{RUBY_PATCHLEVEL}"} if ver[:version].empty? and ver[:patchlevel].empty? 
+        ver = {:engine=>RUBY_ENGINE, :version=>RUBY_VERSION, :patchlevel=>"p#{RUBY_PATCHLEVEL}"} if ver[:version].empty? and ver[:patchlevel].empty? 
 
         ver
       end
@@ -100,6 +156,7 @@ module Codesake
       # otherwise
       def apply(name)
         load_knowledge_base if @checks.nil?
+        return false if @checks.empty?
 
         @checks.each do |check|
           if check.name == name
@@ -156,6 +213,14 @@ module Codesake
 
         false
       end
+      def has_reflected_xss?
+        (@reflected_xss.count != 0)
+      end
+
+      def count_vulnerabilities
+        @vulnerabilities.count + @reflected_xss.count
+      end
+
       private
       def get_rbenv_ruby_ver
         return {:version=>"", :patchlevel=>""} unless File.exist?(File.join(@target, ".rbenv-version"))

data/lib/codesake/dawn/kb/cve_2011_0447.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-29
+			class CVE_2011_0447
+				include DependencyCheck
+
+				def initialize
+          message = "Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage \"combinations of browser plugins and HTTP redirects,\" a related issue to CVE-2011-0696."
+
+          super({
+            :name=>"CVE-2011-0447",
+            :cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2011, 2, 14),
+            :cwe=>"352",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.11 or 3.0.4. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails"]
+          })
+
+          self.safe_dependencies = [{:name=>"rails", :version=>['2.1.9999', '2.2.9999', '2.3.11', '3.0.4']}]
+ 
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2011_2197.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-30
+			class CVE_2011_2197
+				include DependencyCheck
+
+				def initialize
+          message="The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method."
+          super({
+            :name=>"CVE-2011-2197",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2011, 6, 30),
+            :cwe=>"79",
+            :owasp=>"A3", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.12, 3.0.8, 3.1.0. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications"]
+          })
+
+          self.safe_dependencies = [{:name=>"rails", :version=>['2.3.12', '3.0.8', '3.1.0']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2011_2932.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-30
+			class CVE_2011_2932
+				include DependencyCheck
+
+				def initialize
+          message = "Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a \"UTF-8 escaping vulnerability.\""
+          super({
+            :name=>"CVE-2011-2932",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2011, 8, 29),
+            :cwe=>"79",
+            :owasp=>"A3", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.13, 3.0.10, 3.1.0. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["http://secunia.com/advisories/45917"]
+          })
+
+          self.safe_dependencies = [{:name=>"rails", :version=>['2.3.13', '3.0.10', '3.1.0']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2011_3186.rb

@@ -0,0 +1,31 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-29
+			class CVE_2011_3186
+				include DependencyCheck
+
+				def initialize
+          message="CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header."
+
+          super({
+            :name=>"CVE-2011-3186",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2011, 8, 29),
+            :cwe=>"94",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.13. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["https://github.com/rails/rails/commit/11dafeaa7533be26441a63618be93a03869c83a9"]
+          })
+
+          self.safe_dependencies = [{:name=>"rails", :version=>['2.3.13']}]
+ 
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_1099.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-30
+			class CVE_2012_1099
+				include DependencyCheck
+
+				def initialize
+          message = "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements."
+          super({
+            :name=>"CVE-2012-1099",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2012, 3, 13),
+            :cwe=>"79",
+            :owasp=>"A3", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 3.0.12, 3.1.4 and 3.2.2. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released"]
+          })
+
+          self.safe_dependencies = [{:name=>"rails", :version=>['3.0.12', '3.1.4', '3.2.2']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_1241.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-30
+			class CVE_2012_1241
+				include DependencyCheck
+
+				def initialize
+          message="GRScript18.dll before 1.2.2.0 in ActiveScriptRuby (ASR) before 1.8.7 does not properly restrict interaction with an Internet Explorer ActiveX environment, which allows remote attackers to execute arbitrary Ruby code via a crafted HTML document."
+          super({
+            :name=>"CVE-2012-1241",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2012, 4, 16),
+            :cwe=>"264",
+            :owasp=>"A9", 
+            :applies=>["rails", "padrino", "sinatra"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade ActiveScriptRuby to version 1.8.7. As a general rule, using the latest stable version is recommended.",
+            :aux_links=>["https://github.com/rails/rails/commit/11dafeaa7533be26441a63618be93a03869c83a9"]
+          })
+
+          self.safe_dependencies = [{:name=>"activescriptruby", :version=>['1.8.7']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_2140.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-30
+			class CVE_2012_2140
+				include DependencyCheck
+
+				def initialize
+          message = "The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery."
+          super({
+            :name=>"CVE-2012-2140",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2012, 7, 18),
+            :cwe=>"20",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade Mail gem version to version 2.4.3. As a general rule, using the latest stable version is recommended.",
+            :aux_links=>["http://secunia.com/advisories/48970"]
+          })
+
+          self.safe_dependencies = [{:name=>"mail_gem", :version=>['2.4.3', '2.3.4']}]
+
+				end
+			end
+		end
+	end
+end