codesake-dawn 0.60 → 0.70

data/lib/codesake/dawn/kb/cve_2012_3463.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-30
+			class CVE_2012_3463
+				include DependencyCheck
+
+				def initialize
+          message="Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper."
+          super({
+            :name=>"CVE-2012-3463",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2012, 8, 10),
+            :cwe=>"79",
+            :owasp=>"A3", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 3.0.17, 3.1.8 or 3.2.8. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source&output=gplain"]
+          })
+
+          self.safe_dependencies = [{:name=>"rails", :version=>['3.0.17', '3.1.8', '3.2.8']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_3464.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-30
+			class CVE_2012_3464
+				include DependencyCheck
+
+				def initialize
+          message = "Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character."
+          super({
+            :name=>"CVE-2012-3464",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2012, 8, 10),
+            :cwe=>"79",
+            :owasp=>"A3", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 3.0.17, 3.1.8 or 3.2.8. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["https://groups.google.com/group/rubyonrails-security/msg/8f1bbe1cef8c6caf?dmode=source&output=gplain"]
+          })
+
+          self.safe_dependencies = [{:name=>"rails", :version=>['3.0.17', '3.1.8', '3.2.8']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_4464.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-30
+			class CVE_2012_4464
+				include RubyVersionCheck
+
+				def initialize
+          message = "Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regression."
+          super({
+            :name=>"CVE-2012-4464",
+            :cvss=>"AV:N/AC:L/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2013, 4, 25),
+            :cwe=>"264",
+            :owasp=>"A9", 
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade ruby interpreter to 1.9.3-p286 or 2.0.0-p195 or latest version available",
+            :aux_links=>["ihttp://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/"]
+          })
+
+          self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p286"}, {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p195"}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_4466.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-30
+			class CVE_2012_4466
+				include RubyVersionCheck
+
+				def initialize
+          message="Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005."
+          super({
+            :name=>"CVE-2012-4466",
+            :cvss=>"AV:N/AC:L/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2013, 4, 25),
+            :cwe=>"264",
+            :owasp=>"A9", 
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade ruby interpreter to 1.8.7-p371, 1.9.3-p286 or 2.0.0-p195 or latest version available",
+            :aux_links=>["http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/"]
+          })
+
+          self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p371"}, {:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p286"}, {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p195"}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_4481.rb

@@ -0,0 +1,28 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-31
+			class CVE_2012_4481
+				include RubyVersionCheck
+
+				def initialize
+          message="The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005."
+          super({
+            :name=>"CVE-2012-4481",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2013, 5, 2),
+            :cwe=>"264",
+            :owasp=>"A9", 
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade ruby interpreter to 1.9.3 or 2.0.0 or latest version available",
+            :aux_links=>["https://bugzilla.redhat.com/show_bug.cgi?id=863484"]
+          })
+
+          self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p9999"}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_5370.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-30
+			class CVE_2012_5370
+				include RubyVersionCheck
+
+				def initialize
+          message="JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838."
+           super({
+            :name=>"CVE-2012-5370",
+            :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
+            :release_date => Date.new(2012, 11, 28),
+            :cwe=>"310",
+            :owasp=>"A9", 
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"At the moment we're writing this (May 2013) there is no mitigation against this vulnerability. You must consider changing your hashing algorithm",
+            :aux_links=>["https://bugzilla.redhat.com/show_bug.cgi?id=880671"]
+          })
+
+          self.safe_rubies = [{:engine=>"jruby", :version=>"999.999.999", :patchlevel=>"p999"}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_5371.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-30
+			class CVE_2012_5371
+				include RubyVersionCheck
+
+				def initialize
+          message="Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815."
+         super({
+            :name=>"CVE-2012-5371",
+            :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
+            :release_date => Date.new(2012, 11, 28),
+            :cwe=>"310",
+            :owasp=>"A9", 
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade ruby interpreter to 1.9.3-p327 or 2.0.0-p195 or latest version available",
+            :aux_links=>["http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/"]
+          })
+
+          self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p327"}, {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p195"}]
+ 
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2012_6134.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-31
+			class CVE_2012_6134
+				include DependencyCheck
+
+				def initialize
+          message="Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 gem 1.1.1 and earlier for Ruby allows remote attackers to hijack the authentication of users for requests that modify session state."
+          super({
+            :name=>"CVE-2012-6134",
+            :cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 4, 9),
+            :cwe=>"352",
+            :owasp=>"A8", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade omniauth-oauth2 version to the latest one",
+            :aux_links=>["https://github.com/intridea/omniauth-oauth2/pull/25"]
+          })
+
+          self.safe_dependencies = [{:name=>"omniauth-oauth2", :version=>['1.1.2']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_0333.rb

@@ -3,9 +3,6 @@ module Codesake
 		module Kb
 			# Automatically created with rake on 2013-04-30
 			class CVE_2013_0333
-				#
-				# Include the testing skeleton for this CVE
-				# include PatternMatchCheck
 				include DependencyCheck
 
 

data/lib/codesake/dawn/kb/cve_2013_1821.rb

@@ -20,7 +20,7 @@ module Codesake
             :aux_links=>["http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/"]
           })
 
-          self.safe_rubies = [{:version=>"1.9.3", :patchlevel=>"p392"}, {:version=>"2.0.0", :patchlevel=>"p195"}]
+          self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p392"}, {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p195"}]
 
 
 				end

data/lib/codesake/dawn/kb/pattern_match_check.rb

@@ -1,4 +1,5 @@
-# encoding: utf-8
+require 'ptools'
+
 module Codesake
   module Dawn
     module Kb
@@ -16,7 +17,8 @@ module Codesake
 
         def vuln?
           Dir.glob(File.join("#{root_dir}", "*")).each do |filename|
-            matches = run(load_file(filename))
+            matches = []
+            matches = run(load_file(filename)) if File.exists?(filename) and File.file?(filename) and ! File.binary?(filename)
             @evidences << {:filename=>filename, :matches=>matches} unless matches.empty?
           end
           return ! @evidences.empty?
@@ -29,7 +31,6 @@ module Codesake
         end
 
         def load_file(filename)
-          return [] unless File.exists?(filename) and File.file?(filename)
 
           f = File.open(filename)
           lines = f.readlines

data/lib/codesake/dawn/kb/ruby_version_check.rb

@@ -4,20 +4,24 @@ module Codesake
       module RubyVersionCheck
         include BasicCheck
         
-        # Array of hashes in the {:version=>"1.9.3", :patchlevel=>"p342"} form
+        # Array of hashes in the {:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p342"} form
         attr_accessor   :safe_rubies
-        # Hash in the {:version=>"1.9.3", :patchlevel=>"p342"} form
+        # Hash in the {:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p342"} form
         attr_accessor   :detected_ruby
 
         def vuln?
           vv_a = []
           vv_p = []
+          vv_e = []
           vp = false
 
+
           @safe_rubies.each do |ss|
+            vv_e << ss[:engine]
             vv_a << ss[:version]
             vv_p << ss[:patchlevel].split("p")[1].to_i
           end
+          vengine = self.is_vulnerable_engine?(detected_ruby[:engine], vv_e)
           vv = self.is_vulnerable_version?(detected_ruby[:version], vv_a)
 
           # Since we have also the patch level a fixes version can be the same
@@ -25,10 +29,16 @@ module Codesake
           ve = self.is_same_version?(detected_ruby[:version], vv_a) unless vv
           vp = is_vulnerable_patchlevel?(detected_ruby[:patchlevel], vv_p) if ve
 
-          return true if vv
-          return (ve and vp)
+          return true if ( vv and vengine )
+          return (ve and vp and vengine )
         end
         
+        def is_vulnerable_engine?(target, fixes = [])
+          fixes.each do |f|
+            return true if f == target
+          end
+        end
+
         def is_same_version?(target, fixes = [])
           fixes.each do |f|
             return true if f == target

data/lib/codesake/dawn/knowledge_base.rb

@@ -8,14 +8,29 @@ require "codesake/dawn/kb/ruby_version_check"
 require "codesake/dawn/kb/not_revised_code"
 
 # CVE - 2011
+require "codesake/dawn/kb/cve_2011_0447"
+require "codesake/dawn/kb/cve_2011_2197"
 require "codesake/dawn/kb/cve_2011_2931"
+require "codesake/dawn/kb/cve_2011_2932"
+require "codesake/dawn/kb/cve_2011_3186"
 
 # CVE - 2012
+require "codesake/dawn/kb/cve_2012_1099"
+require "codesake/dawn/kb/cve_2012_1241"
+require "codesake/dawn/kb/cve_2012_2140"
 require "codesake/dawn/kb/cve_2012_2660"
 require "codesake/dawn/kb/cve_2012_2661"
 require "codesake/dawn/kb/cve_2012_2694"
 require "codesake/dawn/kb/cve_2012_2695"
+require "codesake/dawn/kb/cve_2012_3463"
+require "codesake/dawn/kb/cve_2012_3464"
 require "codesake/dawn/kb/cve_2012_3465"
+require "codesake/dawn/kb/cve_2012_4464"
+require "codesake/dawn/kb/cve_2012_4466"
+require "codesake/dawn/kb/cve_2012_4481"
+require "codesake/dawn/kb/cve_2012_5370"
+require "codesake/dawn/kb/cve_2012_5371"
+require "codesake/dawn/kb/cve_2012_6134"
 require "codesake/dawn/kb/cve_2012_6496"
 require "codesake/dawn/kb/cve_2012_6497"
 
@@ -110,12 +125,27 @@ module Codesake
       def self.load_security_checks
         [  
           Codesake::Dawn::Kb::NotRevisedCode.new,
+          Codesake::Dawn::Kb::CVE_2011_0447.new, 
+          Codesake::Dawn::Kb::CVE_2011_2197.new, 
           Codesake::Dawn::Kb::CVE_2011_2931.new, 
+          Codesake::Dawn::Kb::CVE_2011_2932.new, 
+          Codesake::Dawn::Kb::CVE_2011_3186.new, 
+          Codesake::Dawn::Kb::CVE_2012_1099.new, 
+          Codesake::Dawn::Kb::CVE_2012_1241.new, 
+          Codesake::Dawn::Kb::CVE_2012_2140.new, 
           Codesake::Dawn::Kb::CVE_2012_2660.new, 
           Codesake::Dawn::Kb::CVE_2012_2661.new, 
           Codesake::Dawn::Kb::CVE_2012_2694.new, 
           Codesake::Dawn::Kb::CVE_2012_2695.new, 
+          Codesake::Dawn::Kb::CVE_2012_3463.new, 
+          Codesake::Dawn::Kb::CVE_2012_3464.new, 
           Codesake::Dawn::Kb::CVE_2012_3465.new, 
+          Codesake::Dawn::Kb::CVE_2012_4464.new, 
+          Codesake::Dawn::Kb::CVE_2012_4466.new, 
+          Codesake::Dawn::Kb::CVE_2012_4481.new, 
+          Codesake::Dawn::Kb::CVE_2012_5370.new, 
+          Codesake::Dawn::Kb::CVE_2012_5371.new, 
+          Codesake::Dawn::Kb::CVE_2012_6134.new, 
           Codesake::Dawn::Kb::CVE_2012_6496.new, 
           Codesake::Dawn::Kb::CVE_2012_6497.new,
           Codesake::Dawn::Kb::CVE_2013_0155.new,

data/lib/codesake/dawn/sinatra.rb

@@ -1,14 +1,119 @@
 require "codesake/dawn/engine"
+require 'ruby_parser'
 
 module Codesake
   module Dawn
     class Sinatra
       include Codesake::Dawn::Engine
 
+      attr_reader :sinks
+      attr_reader :appname
+
       def initialize(dir=nil)
         super(dir, "sinatra")
+        @appname = detect_appname(self.target)
+        error! if self.appname == ""
+        @sinks = detect_sinks(self.appname) unless self.appname == ""
+        @reflected_xss = detect_reflected_xss unless self.appname == ""
+      end
+
+      # TODO: appname should be hopefully autodetect from config.ru
+      def detect_appname(target)
+        return "app.rb" if File.exist?(File.join(self.target, "app.rb"))
+        return "application.rb" if File.exist?(File.join(self.target, "application.rb"))
+        file_array = Dir.glob(File.join("#{target}", "*.rb"))
+        return file_array[0] if ! file_array.nil? and file_array.count == 1
+        return "" # gracefully failure
+      end
+
+      def detect_reflected_xss
+        ret = []
+        @views.each do |v|
+          view_content = File.read(v[:filename])
+          @sinks.each do |sink|
+            ret << sink if view_content.match(sink[:sink_name])
+          end
+        end
+        ret
+      end
+
+      def detect_sinks(appname=nil)
+        ret = []
+        appname = "app.rb" if appname.nil? and self.appname == ""
+        app_rb = File.readlines(File.join(self.target, appname)) if File.exist?(File.join(self.target, appname))
+        return [] if app_rb.nil?
+
+        parser = RubyParser.new
+
+        app_rb.each_with_index do |line, i|
+          line = line.chomp
+
+          unless line.match(/params/).nil?
+
+            begin
+              t = parser.parse(line)
+
+              # a[1] = params["foo"]
+              #
+              if (! t.nil? and t.sexp_type == :attrasgn)
+                body = t.sexp_body.to_a
+
+                if is_assignement_from_params?(body, :attrasgn)
+
+                  if body[0][0] == :call
+                    sink_name=body[0][2].to_s unless body[1].to_s == "[]=" 
+                    sink_name="#{body[2].to_a[1].to_s}" if body[1].to_s == "[]=" # the sink is assigned to an Array
+
+                    sink_source = "#{body[3].to_a[1][2].to_s}[#{body[3].to_a[3][1].to_s}]"
+
+                    ret << {:sink_name=>sink_name, :sink_kind=>:params, :sink_line=>i+1, :sink_source=>sink_source}
+                  end
+                  if body[0][0] == :ivar
+                    sink_name=body[0][1].to_s
+                    sink_pos=body[2][1].to_i
+                    sink_source=body[3][3][1]
+
+                    ret << {:sink_name=>sink_name, :sink_kind=>:params, :sink_line=>i+1, :sink_source=>sink_source}
+                  end
+
+                end
+              end
+
+              # a = params["foo"]
+              if (! t.nil? and t.sexp_type == :iasgn)
+                body = t.sexp_body.to_a
+                if is_assignement_from_params?(body, :iasgn)
+                  sink_name = body[0].to_s
+                  sink_source = "#{body[1][3][1].to_s}"
+                  ret << {:sink_name=>sink_name, :sink_kind=>:params, :sink_line=>i+1, :sink_source=>sink_source }
+                end
+              end
+            rescue Racc::ParseError => e
+              # TODO: we must pass logger instance to engines if we want some error message
+              # For now... silently discard parse errors
+              return []
+            end
+          end
+
+        end
+
+        ret
       end
 
+
+      def is_assignement_from_params?(body, kind)
+        return ( ! body[3].nil? and body[3].to_a[1][2].to_s == "params") if kind == :attrasgn
+        return ( ! body[1].nil? and ! body[1][1].nil? and body[1][1][2].to_s == "params") if kind == :iasgn
+      end
+
+      def detect_views
+        build_view_array(File.join(self.target, "views")) if File.exist?(File.join(self.target, "views"))
+      end
+
+      # e = Haml::Engine.new(File.read(template))
+      # e.precompiled  and grep for format_script
+
+
     end
   end
 end