codesake-dawn 0.72 → 0.75

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb

@@ -0,0 +1,39 @@
+require 'codesake/dawn/kb/owasp_ror_cheatsheet/command_injection'
+require 'codesake/dawn/kb/owasp_ror_cheatsheet/csrf'
+require 'codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database'
+require 'codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model'
+require 'codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers'
+
+module Codesake
+  module Dawn
+    module Kb
+      class OwaspRorCheatsheet
+        include ComboCheck
+
+        def initialize
+          message = "This Cheatsheet intends to provide quick basic Ruby on Rails security tips for developers. It complements, augments or emphasizes points brought up in the rails security guide from rails core.  The Rails framework abstracts developers from quite a bit of tedious work and provides the means to accomplish complex tasks quickly and with ease. New developers, those unfamiliar with the inner-workings of Rails, likely need a basic set of guidelines to secure fundamental aspects of their application. The intended purpose of this doc is to be that guide."
+
+          super({
+            :name=>"Owasp Ror Cheatsheet", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::COMBO_CHECK,
+            :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+            :checks=>[
+              Codesake::Dawn::Kb::OwaspRorCheatSheet::CommandInjection.new,
+              Codesake::Dawn::Kb::OwaspRorCheatSheet::Csrf.new,
+              Codesake::Dawn::Kb::OwaspRorCheatSheet::SessionStoredInDatabase.new,
+              Codesake::Dawn::Kb::OwaspRorCheatSheet::MassAssignmentInModel.new, 
+              Codesake::Dawn::Kb::OwaspRorCheatSheet::SecurityRelatedHeaders.new, 
+
+
+            ],
+            :vuln_if_all_fails => false
+          })
+
+          @debug = true
+
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/command_injection.rb

@@ -0,0 +1,26 @@
+module Codesake
+  module Dawn 
+    module Kb
+      module OwaspRorCheatSheet
+        class CommandInjection
+          include PatternMatchCheck
+
+          def initialize
+            message = "Ruby offers a function called “eval” which will dynamically build new Ruby code based on Strings. It also has a number of ways to call system commands. While the power of these commands is quite useful, extreme care should be taken when using them in a Rails based application. Usually, its just a bad idea. If need be, a whitelist of possible values should be used and any input should be validated as thoroughly as possible. The Ruby Security Reviewer's Guide has a section on injection and there are a number of OWASP references for it, starting at the top: Command Injection."
+
+            super({
+              :name=>"Owasp Ror CheatSheet: Command Injection",
+              :kind=>Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+              :applies=>["rails"],
+              :glob=>"*.rb",
+              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+              :message=>message,
+              :attack_pattern => ["eval", "System", "\`", "Kernel.exec"]
+            })
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/csrf.rb

@@ -0,0 +1,28 @@
+module Codesake
+  module Dawn
+    module Kb
+      module OwaspRorCheatSheet
+        class Csrf
+          include PatternMatchCheck
+
+          def initialize
+            message = "Ruby on Rails has specific, built in support for CSRF tokens. To enable it, or ensure that it is enabled, find the base ApplicationController and look for the protect_from_forgery directive. Note that by default Rails does not provide CSRF protection for any HTTP GET request."
+
+            super({
+              :name=>"Owasp Ror CheatSheet: Cross Site Request Forgery",
+              :kind=>Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+              :applies=>["rails"],
+              :glob=>"application_controller.rb",
+              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+              :message=>message,
+              :attack_pattern => ["protect_from_forgery"],
+              :negative_search=>true
+            })
+            # @debug = true
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb

@@ -0,0 +1,30 @@
+module Codesake
+  module Dawn
+    module Kb
+      module OwaspRorCheatSheet
+
+        class MassAssignmentInModel
+
+           include PatternMatchCheck
+
+          def initialize
+            message = "Although the major issue with Mass Assignment has been fixed by default in base Rails specifically when generating new projects, it still applies to older and upgraded projects so it is important to understand the issue and to ensure that only attributes that are intended to be modifiable are exposed."
+
+            super({
+              :name=>"Owasp Ror CheatSheet: Mass Assignement in model",
+              :kind=>Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+              :applies=>["rails"],
+              :glob=>"**/model/*.rb",
+              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+              :message=>message,
+              :attack_pattern => ["attr_accessor"],
+              :negative_search=>true
+            })
+            @debug = true
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb

@@ -0,0 +1,37 @@
+module Codesake
+  module Dawn
+    module Kb
+      module OwaspRorCheatSheet
+        class SecurityRelatedHeaders
+          include PatternMatchCheck 
+
+          def initialize
+            message = "To set a header value, simply access the response.headers object as a hash inside your controller (often in a before/after_filter). Rails 4 provides the \"default_headers\" functionality that will automatically apply the values supplied. This works for most headers in almost all cases."
+
+            super({
+              :name=>"Owasp Ror CheatSheet: Security Related Headers",
+              :kind=>Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+              :applies=>["rails"],
+              :glob=>"**/controllers/*.rb",
+              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+              :message=>message,
+              :attack_pattern => [
+                "response.headers\\['X-Frame-Options'\\] = 'DENY'", 
+                "response.headers\\['X-Content-Type-Options'\\] = 'nosniff'", 
+                "response.headers\\['X-XSS-Protection'\\] = '1'", 
+                "ActionDispatch::Response.default_headers = {	  	
+                    'X-Frame-Options' => 'DENY', 	
+                    'X-Content-Type-Options' => 'nosniff',	  	
+                    'X-XSS-Protection' => '1;'
+                  }"],
+              :negative_search=>true
+            })
+
+            
+          end
+        end
+      end
+    end
+  end
+end
+

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb

@@ -0,0 +1,28 @@
+module Codesake
+  module Dawn
+    module Kb
+      module OwaspRorCheatSheet
+
+        class SessionStoredInDatabase
+          include PatternMatchCheck
+
+          def initialize
+            message = "By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session."
+
+            super({
+              :name=>"Owasp Ror CheatSheet: Session management",
+              :kind=>Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
+              :applies=>["rails"],
+              :glob=>"session_store.rb",
+              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
+              :message=>message,
+              :attack_pattern => ["Application.config.session_store :active_record_store"],
+              :negative_search=>true
+            })
+            @debug = true
+          end 
+        end
+  end
+  end
+  end
+end

data/lib/codesake/dawn/kb/pattern_match_check.rb

@@ -10,13 +10,22 @@ module Codesake
         attr_reader   :attack_pattern
         attr_accessor :root_dir
 
+        # This attribute is false by default. If true, the vuln? method check
+        # if pattern attack is nor present.
+        attr_reader   :negative_search
+
         def initialize(options={})
           super(options)
-          @attack_pattern = options[:attack_pattern]
+          @attack_pattern   = options[:attack_pattern]
+          @negative_search  = false
+          @negative_search  = options[:negative_search] unless options[:negative_search].nil? 
+          @glob = "**"
+          @glob = File.join(@glob, options[:glob]) unless options[:glob].nil?
         end
 
         def vuln?
-          Dir.glob(File.join("#{root_dir}", "*")).each do |filename|
+          Dir.glob(File.join("#{root_dir}", @glob)).each do |filename|
+            debug_me("#{File.basename(__FILE__)}@#{__LINE__}: analyzing #{filename}: search is #{@negative_search}")
             matches = []
             begin
               matches = run(load_file(filename)) if File.exists?(filename) and File.file?(filename) and ! File.binary?(filename)
@@ -25,7 +34,16 @@ module Codesake
             end
             @evidences << {:filename=>filename, :matches=>matches} unless matches.empty?
           end
-          return ! @evidences.empty?
+         
+          ret_value = ! @evidences.empty? unless @negative_search
+          ret_value = @evidences.empty? if @negative_search
+
+          debug_me("#{File.basename(__FILE__)}@#{__LINE__}: evidences #=> #{@evidences}")
+          debug_me("#{File.basename(__FILE__)}@#{__LINE__}: ret_value #=> #{ret_value}")
+
+          @status = ret_value
+
+          return ret_value
         end
 
         private 

data/lib/codesake/dawn/kb/ruby_version_check.rb

@@ -21,32 +21,56 @@ module Codesake
             vv_a << ss[:version]
             vv_p << ss[:patchlevel].split("p")[1].to_i
           end
+
           vengine = self.is_vulnerable_engine?(detected_ruby[:engine], vv_e)
           vv = self.is_vulnerable_version?(detected_ruby[:version], vv_a)
+          ve = false
+
+          ve = self.is_same_version?(detected_ruby[:version], vv_a) 
+          vp = is_vulnerable_patchlevel?(detected_ruby[:patchlevel], detected_ruby[:version]) 
+
+          # XXX Debug statements to be replaced with logger call
+          debug_me("D:#{self.name}, VENGINE=#{vengine}, VV=#{vv}, VE=#{ve}, VP=#{vp}->#{vv && vengine}, #{(ve && vp && vengine )}")
+          debug_me("S:#{@safe_rubies}")
+          debug_me("DD:#{@detected_ruby}")
+
+
+          if ( vv && vengine)
+            @status = vp if ve
+            @status = true unless ve
+          else
+            @status = (ve && vp && vengine )
+          end
 
-          # Since we have also the patch level a fixes version can be the same
-          # as the vulnerable... we must consider this
-          ve = self.is_same_version?(detected_ruby[:version], vv_a) unless vv
-          vp = is_vulnerable_patchlevel?(detected_ruby[:patchlevel], vv_p) if ve
+          debug_me("STATUS:#{@status}")
+          
+          return @status
 
-          return true if ( vv and vengine )
-          return (ve and vp and vengine )
+          # return true if ( vv && vengine )
+          # return (ve && vp && vengine )
         end
         
         def is_vulnerable_engine?(target, fixes = [])
           fixes.each do |f|
             return true if f == target
           end
+          false
         end
 
         def is_same_version?(target, fixes = [])
           fixes.each do |f|
+            debug_me("F=#{f}, TARGET=#{target}")
             return true if f == target
           end
           false
         end
 
-        def is_vulnerable_patchlevel?(target, fixes = [])
+        def is_vulnerable_patchlevel?(target, version)
+          fixes = []
+          @safe_rubies.each do |ss|
+            fixes << ss[:patchlevel].split("p")[1].to_i if ss[:version] == version
+          end
+
           t = target.split("p")[1].to_i
           fixes.each do |f|
             return true if f > t

data/lib/codesake/dawn/knowledge_base.rb

@@ -3,16 +3,26 @@ require "codesake/dawn/kb/basic_check"
 require "codesake/dawn/kb/pattern_match_check"
 require "codesake/dawn/kb/dependency_check"
 require "codesake/dawn/kb/ruby_version_check"
+require "codesake/dawn/kb/operating_system_check"
+require "codesake/dawn/kb/combo_check"
 
 # Q&A related checks
 require "codesake/dawn/kb/not_revised_code"
+require "codesake/dawn/kb/owasp_ror_cheatsheet"
+
+# CVE - 2010
+require "codesake/dawn/kb/cve_2010_1330"
 
 # CVE - 2011
+require "codesake/dawn/kb/cve_2011_0446"
 require "codesake/dawn/kb/cve_2011_0447"
+require "codesake/dawn/kb/cve_2011_0995"
 require "codesake/dawn/kb/cve_2011_2197"
+require "codesake/dawn/kb/cve_2011_2929"
 require "codesake/dawn/kb/cve_2011_2931"
 require "codesake/dawn/kb/cve_2011_2932"
 require "codesake/dawn/kb/cve_2011_3186"
+require "codesake/dawn/kb/cve_2011_4815"
 
 # CVE - 2012
 require "codesake/dawn/kb/cve_2012_1099"
@@ -22,14 +32,17 @@ require "codesake/dawn/kb/cve_2012_2660"
 require "codesake/dawn/kb/cve_2012_2661"
 require "codesake/dawn/kb/cve_2012_2694"
 require "codesake/dawn/kb/cve_2012_2695"
+require "codesake/dawn/kb/cve_2012_3424"
 require "codesake/dawn/kb/cve_2012_3463"
 require "codesake/dawn/kb/cve_2012_3464"
 require "codesake/dawn/kb/cve_2012_3465"
 require "codesake/dawn/kb/cve_2012_4464"
 require "codesake/dawn/kb/cve_2012_4466"
 require "codesake/dawn/kb/cve_2012_4481"
+require "codesake/dawn/kb/cve_2012_4522"
 require "codesake/dawn/kb/cve_2012_5370"
 require "codesake/dawn/kb/cve_2012_5371"
+require "codesake/dawn/kb/cve_2012_5380"
 require "codesake/dawn/kb/cve_2012_6134"
 require "codesake/dawn/kb/cve_2012_6496"
 require "codesake/dawn/kb/cve_2012_6497"
@@ -75,6 +88,8 @@ module Codesake
       DEPENDENCY_CHECK    = :dependency_check
       PATTERN_MATCH_CHECK = :pattern_match_check
       RUBY_VERSION_CHECK  = :ruby_version_check
+      OS_CHECK            = :os_check
+      COMBO_CHECK         = :combo_check
 
       def initialize
         @security_checks = Codesake::Dawn::KnowledgeBase.load_security_checks
@@ -125,11 +140,17 @@ module Codesake
       def self.load_security_checks
         [  
           Codesake::Dawn::Kb::NotRevisedCode.new,
+          Codesake::Dawn::Kb::OwaspRorCheatsheet.new,
+          Codesake::Dawn::Kb::CVE_2010_1330.new, 
+          Codesake::Dawn::Kb::CVE_2011_0446.new, 
           Codesake::Dawn::Kb::CVE_2011_0447.new, 
+          Codesake::Dawn::Kb::CVE_2011_0995.new, 
           Codesake::Dawn::Kb::CVE_2011_2197.new, 
+          Codesake::Dawn::Kb::CVE_2011_2929.new, 
           Codesake::Dawn::Kb::CVE_2011_2931.new, 
           Codesake::Dawn::Kb::CVE_2011_2932.new, 
           Codesake::Dawn::Kb::CVE_2011_3186.new, 
+          Codesake::Dawn::Kb::CVE_2011_4815.new, 
           Codesake::Dawn::Kb::CVE_2012_1099.new, 
           Codesake::Dawn::Kb::CVE_2012_1241.new, 
           Codesake::Dawn::Kb::CVE_2012_2140.new, 
@@ -137,14 +158,17 @@ module Codesake
           Codesake::Dawn::Kb::CVE_2012_2661.new, 
           Codesake::Dawn::Kb::CVE_2012_2694.new, 
           Codesake::Dawn::Kb::CVE_2012_2695.new, 
+          Codesake::Dawn::Kb::CVE_2012_3424.new, 
           Codesake::Dawn::Kb::CVE_2012_3463.new, 
           Codesake::Dawn::Kb::CVE_2012_3464.new, 
           Codesake::Dawn::Kb::CVE_2012_3465.new, 
           Codesake::Dawn::Kb::CVE_2012_4464.new, 
           Codesake::Dawn::Kb::CVE_2012_4466.new, 
           Codesake::Dawn::Kb::CVE_2012_4481.new, 
+          Codesake::Dawn::Kb::CVE_2012_4522.new, 
           Codesake::Dawn::Kb::CVE_2012_5370.new, 
           Codesake::Dawn::Kb::CVE_2012_5371.new, 
+          Codesake::Dawn::Kb::CVE_2012_5380.new, 
           Codesake::Dawn::Kb::CVE_2012_6134.new, 
           Codesake::Dawn::Kb::CVE_2012_6496.new, 
           Codesake::Dawn::Kb::CVE_2012_6497.new,

data/lib/codesake/dawn/sinatra.rb

@@ -13,6 +13,7 @@ module Codesake
         super(dir, "sinatra")
         @appname = detect_appname(self.target)
         error! if self.appname == ""
+        @views = detect_views
         @sinks = detect_sinks(self.appname) unless self.appname == ""
         @reflected_xss = detect_reflected_xss unless self.appname == ""
       end
@@ -107,8 +108,7 @@ module Codesake
       end
 
       def detect_views
-        build_view_array(File.join(self.target, "views")) if File.exist?(File.join(self.target, "views"))
-        []
+        return build_view_array(File.join(self.target, "views")) if File.exist?(File.join(self.target, "views"))
       end
 
       # e = Haml::Engine.new(File.read(template))

data/lib/codesake/dawn/utils.rb

@@ -0,0 +1,10 @@
+module Codesake
+  module Dawn
+    module Utils
+
+      def debug_me(msg)
+        $logger.log(msg) if @debug
+      end
+    end
+  end
+end

data/lib/codesake/dawn/version.rb

@@ -1,5 +1,5 @@
 module Codesake
   module Dawn
-    VERSION = "0.72"
+    VERSION = "0.75"
   end
 end

data/spec/lib/dawn/codesake_knowledgebase_spec.rb

@@ -313,5 +313,52 @@ describe "The Codesake Dawn knowledge base" do
     sc.class.should == Codesake::Dawn::Kb::CVE_2012_6497
   end
 
+  it "must have test for CVE-2010-1330" do
+    sc = kb.find("CVE-2010-1330")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2010_1330
+  end
+
+  it "must have test for CVE-2011-0446" do
+    sc = kb.find("CVE-2011-0446")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2011_0446
+  end
+
+  it "must have test for CVE-2011-0995" do
+    sc = kb.find("CVE-2011-0995")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2011_0995
+  end
+
+  it "must have test for CVE-2011-2929" do
+    sc = kb.find("CVE-2011-2929")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2011_2929
+  end
+
+  it "must have test for CVE-2011-4815" do
+    sc = kb.find("CVE-2011-4815")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2011_4815
+  end
+
+  it "must have test for CVE-2012-3424" do
+    sc = kb.find("CVE-2012-3424")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2012_3424
+  end
+
+  it "must have test for CVE-2012-5380" do
+    sc = kb.find("CVE-2012-5380")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2012_5380
+  end
+
+  it "must have test for CVE-2012-4522" do
+    sc = kb.find("CVE-2012-4522")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2012_4522
+  end
 
 end