codesake-dawn 0.75 → 0.77
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/Competitive_matrix.md +2 -0
- data/README.md +6 -6
- data/Roadmap.md +4 -1
- data/TODO.md +6 -1
- data/bin/dawn +24 -24
- data/codesake-dawn.gemspec +2 -1
- data/lib/codesake-dawn.rb +4 -2
- data/lib/codesake/dawn/engine.rb +29 -4
- data/lib/codesake/dawn/gemfile_lock.rb +12 -0
- data/lib/codesake/dawn/kb/cve_2012_4464.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2013_2065.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_4389.rb +28 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb +1 -1
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +1 -1
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +3 -3
- data/lib/codesake/dawn/knowledge_base.rb +11 -5
- data/lib/codesake/dawn/padrino.rb +55 -0
- data/lib/codesake/dawn/sinatra.rb +6 -1
- data/lib/codesake/dawn/version.rb +1 -1
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +10 -0
- data/spec/lib/dawn/codesake_padrino_engine_spec.rb +45 -0
- data/spec/support/hello_world_padrino/.components +9 -0
- data/spec/support/hello_world_padrino/.gitignore +8 -0
- data/spec/support/hello_world_padrino/Gemfile +42 -0
- data/spec/support/hello_world_padrino/Rakefile +6 -0
- data/spec/support/hello_world_padrino/app/app.rb +61 -0
- data/spec/support/hello_world_padrino/config.ru +9 -0
- data/spec/support/hello_world_padrino/config/apps.rb +39 -0
- data/spec/support/hello_world_padrino/config/boot.rb +46 -0
- data/spec/support/hello_world_padrino/config/database.rb +19 -0
- data/spec/support/hello_world_padrino/cucumber.yml +2 -0
- data/spec/support/hello_world_padrino/db/migrate/001_create_users.rb +16 -0
- data/spec/support/hello_world_padrino/dispatcher/app.rb +61 -0
- data/spec/support/hello_world_padrino/features/add.feature +11 -0
- data/spec/support/hello_world_padrino/features/step_definitions/add_steps.rb +15 -0
- data/spec/support/hello_world_padrino/features/support/env.rb +10 -0
- data/spec/support/hello_world_padrino/features/support/url.rb +17 -0
- data/spec/support/hello_world_padrino/models/user.rb +11 -0
- data/spec/support/hello_world_padrino/public/favicon.ico +0 -0
- data/spec/support/hello_world_padrino/public/javascripts/application.js +1 -0
- data/spec/support/hello_world_padrino/public/javascripts/jquery-ujs.js +95 -0
- data/spec/support/hello_world_padrino/public/javascripts/jquery.js +4 -0
- metadata +71 -7
    
        checksums.yaml
    CHANGED
    
    | @@ -1,7 +1,7 @@ | |
| 1 1 | 
             
            ---
         | 
| 2 2 | 
             
            SHA1:
         | 
| 3 | 
            -
              metadata.gz:  | 
| 4 | 
            -
              data.tar.gz:  | 
| 3 | 
            +
              metadata.gz: 1704c064bfe4259ad7b2c335ce46c0a059a54487
         | 
| 4 | 
            +
              data.tar.gz: 4fe5c2525c083a898595a20ab4f9e9e433506de2
         | 
| 5 5 | 
             
            SHA512:
         | 
| 6 | 
            -
              metadata.gz:  | 
| 7 | 
            -
              data.tar.gz:  | 
| 6 | 
            +
              metadata.gz: 39835cc8d6eeaeed1ae987029f5641e79e4757b2961dfb03700603741bf3784039c434c5f914679a1f3a93995fa937c14bff50cfdb1334dbdf30477d5f8b1c3f
         | 
| 7 | 
            +
              data.tar.gz: ab6bbab4930ddede813a8dc143caf1015763517e60a089d42e6cdc1844f7794fdaf3f66074a3068d1a1b0e88492e15b4c76bb8a2474e610486525c5406da3054
         | 
    
        data/.gitignore
    CHANGED
    
    
    
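--- a/data/Competitive_matrix.md
+++ b/data/Competitive_matrix.md
@@ -130,9 +130,11 @@ applications will be supported as well.
 | CVE-2013-1933         | YES           | NO                |             |                   |             |
 | CVE-2013-1947         | YES           | NO                |             |                   |             |
 | CVE-2013-1948         | YES           | NO                |             |                   |             |
+| CVE-2013-2065         | YES           | NO                |             |                   |             |
 | CVE-2013-2616         | YES           | NO                |             |                   |             |
 | CVE-2013-2617         | YES           | NO                |             |                   |             |
 | CVE-2013-3221         | YES           | NO                |             |                   |             |
+| CVE-2013-4389         | YES           | NO                |             |                   |             |
 
 [0] This CVE must be confirmed
 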
    
        data/README.md
    CHANGED
    
    | @@ -6,9 +6,9 @@ It supports [Sinatra](http://www.sinatrarb.com), | |
| 6 6 | 
             
            frameworks. 
         | 
| 7 7 |  | 
| 8 8 | 
             
            [](http://badge.fury.io/rb/codesake-dawn)
         | 
| 9 | 
            -
            [](https://travis-ci.org/codesake/codesake-dawn)
         | 
| 10 | 
            +
            [](https://gemnasium.com/codesake/codesake-dawn)
         | 
| 11 | 
            +
            [](https://coveralls.io/r/codesake/codesake-dawn)
         | 
| 12 12 |  | 
| 13 13 | 
             
            ## Useful links
         | 
| 14 14 |  | 
| @@ -16,7 +16,7 @@ www:      [http://codesake.com](http://codesake.com) | |
| 16 16 |  | 
| 17 17 | 
             
            twitter:  [https://twitter.com/codesake](https://twitter.com/codesake) #dawn hashtag
         | 
| 18 18 |  | 
| 19 | 
            -
            github:   [https://github.com/codesake/codesake | 
| 19 | 
            +
            github:   [https://github.com/codesake/codesake\-dawn](https://github.com/codesake/codesake-dawn)
         | 
| 20 20 |  | 
| 21 21 | 
             
            ## Installation
         | 
| 22 22 |  | 
| @@ -36,8 +36,8 @@ And then upgrade your bundle | |
| 36 36 |  | 
| 37 37 | 
             
            You may want to build it from source, so you have to check it out from github first:
         | 
| 38 38 |  | 
| 39 | 
            -
                $ git clone https://github.com/codesake/ | 
| 40 | 
            -
                $ cd  | 
| 39 | 
            +
                $ git clone https://github.com/codesake/codesake-dawn/codesake-dawn.git
         | 
| 40 | 
            +
                $ cd codesake-dawn
         | 
| 41 41 | 
             
                $ rake install
         | 
| 42 42 |  | 
| 43 43 | 
             
            And the codesake-dawn gem will be built in a pkg directory and then installed
         | 
    
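--- a/data/Roadmap.md
+++ b/data/Roadmap.md
@@ -77,7 +77,6 @@ _latest update: Fri 17 May 2013 15:29:55 CEST_
 
 ## Version 0.80
 
-* Fix issue #1. You can read more about it in TODO.md
 * detect sinks for XSS in Padrino applications
 * detect reflected XSS in Padrino applications
 * detect stored XSS in Sinatra applications
@@ -88,6 +87,8 @@ _latest update: Fri 17 May 2013 15:29:55 CEST_
 * integration with [codesake.com](http://codesake.com) with a public available
   APIs to be consumed by codesake beta users.
 
+* adding test for CVE-2013-2065
+* adding test for CVE-2013-4389
 * adding test for CVE-2010-1330
 * adding test for CVE-2011-0446 
 * adding test for CVE-2011-0995
@@ -100,6 +101,8 @@ _latest update: Fri 17 May 2013 15:29:55 CEST_
 * adding test for RoRCheatSheet\_4
 * adding test for RoRCheatSheet\_7
 * adding test for RoRCheatSheet\_8
+* Fix issue #1. You can read more about it in TODO.md
+* Added internal API to scan a single Gemfile.lock
 
 
 ## Version 0.90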
    
        data/TODO.md
    CHANGED
    
    | @@ -1,7 +1,12 @@ | |
| 1 1 | 
             
            # Codesake Dawn Todo 
         | 
| 2 2 |  | 
| 3 | 
            -
            ## # | 
| 3 | 
            +
            ## #2 cloning target
         | 
| 4 4 | 
             
            ### Status: Open
         | 
| 5 | 
            +
            Add a --github option to dawn to clone a remote repository, perform a bundle
         | 
| 6 | 
            +
            install and do a code review.
         | 
| 7 | 
            +
             | 
| 8 | 
            +
            ## #1 Introduce check dependency
         | 
| 9 | 
            +
            ### Status: Closed
         | 
| 5 10 | 
             
            CVE-2013-1655 introduces a security issue that depends on a particular gem only
         | 
| 6 11 | 
             
            when running a particular Ruby interpreter version. For such a reason in
         | 
| 7 12 | 
             
            BasicCheck class I introduced a ruby\_version attribute as a String and a
         | 
    
        data/bin/dawn
    CHANGED
    
    | @@ -3,7 +3,7 @@ | |
| 3 3 | 
             
            require 'getoptlong'
         | 
| 4 4 | 
             
            require 'json'
         | 
| 5 5 |  | 
| 6 | 
            -
            require ' | 
| 6 | 
            +
            require 'codesake-commons'
         | 
| 7 7 | 
             
            require 'codesake-dawn'
         | 
| 8 8 |  | 
| 9 9 | 
             
            def dry_run(target, engine)
         | 
| @@ -41,7 +41,7 @@ end | |
| 41 41 | 
             
            def dump_knowledge_base(verbose = false)
         | 
| 42 42 | 
             
              kb = Codesake::Dawn::KnowledgeBase.new
         | 
| 43 43 | 
             
              lines = []
         | 
| 44 | 
            -
              lines << "Security checks currently supported:\n | 
| 44 | 
            +
              lines << "Security checks currently supported:\n"
         | 
| 45 45 |  | 
| 46 46 | 
             
              kb.all.each do |check|
         | 
| 47 47 | 
             
                if verbose
         | 
| @@ -52,6 +52,7 @@ def dump_knowledge_base(verbose = false) | |
| 52 52 | 
             
                  lines << "#{check.name}"
         | 
| 53 53 | 
             
                end
         | 
| 54 54 | 
             
              end
         | 
| 55 | 
            +
              lines << "-----\nTotal: #{kb.all.count}"
         | 
| 55 56 |  | 
| 56 57 | 
             
              lines.empty? ? 0 : lines.compact.join("\n")
         | 
| 57 58 |  | 
| @@ -66,6 +67,7 @@ def help | |
| 66 67 | 
             
              printf "\n   -r, --rails\t\t\t\t\tforce dawn to consider the target a rails application" 
         | 
| 67 68 | 
             
              printf "\n   -s, --sinatra\t\t\t\tforce dawn to consider the target a sinatra application" 
         | 
| 68 69 | 
             
              printf "\n   -p, --padrino\t\t\t\tforce dawn to consider the target a padrino application" 
         | 
| 70 | 
            +
              printf "\n   -G, --gem-lock\t\t\t\tforce dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock"
         | 
| 69 71 | 
             
              printf "\n   -f, --list-known-framework\t\t\tlist ruby MVC frameworks supported by dawn"
         | 
| 70 72 | 
             
              printf "\n   -k, --list-knowledgebase [check_name]\tlist dawn known security checks. If check_name is specified dawn says if check is present or not"
         | 
| 71 73 | 
             
              printf "\n   -o, --output [console, json. csv, html]\tthe output will be in the specified format"
         | 
| @@ -83,12 +85,14 @@ LIST_KNOWN_FRAMEWORK  = %w(rails sinatra) #padrino) | |
| 83 85 | 
             
            VALID_OUTPUT_FORMAT   = %w(console json csv html)
         | 
| 84 86 |  | 
| 85 87 | 
             
            $logger  = Codesake::Commons::Logging.instance
         | 
| 88 | 
            +
            $logger.helo APPNAME, Codesake::Dawn::VERSION
         | 
| 86 89 | 
             
            opts    = GetoptLong.new(
         | 
| 87 90 | 
             
              [ '--rails',                  '-r',   GetoptLong::NO_ARGUMENT],
         | 
| 88 91 | 
             
              [ '--sinatra',                '-s',   GetoptLong::NO_ARGUMENT],
         | 
| 89 92 | 
             
              [ '--padrino',                '-p',   GetoptLong::NO_ARGUMENT],
         | 
| 90 | 
            -
              [ '-- | 
| 91 | 
            -
              [ '--list- | 
| 93 | 
            +
              [ '--gem-lock',               '-G',   GetoptLong::NO_ARGUMENT],  
         | 
| 94 | 
            +
              [ '--list-known-framework',   '-f',   GetoptLong::NO_ARGUMENT],
         | 
| 95 | 
            +
              [ '--list-knowledgebase',     '-k',   GetoptLong::OPTIONAL_ARGUMENT],
         | 
| 92 96 | 
             
              [ '--output',                 '-o',   GetoptLong::REQUIRED_ARGUMENT],
         | 
| 93 97 | 
             
              [ '--verbose',                '-V',   GetoptLong::NO_ARGUMENT],
         | 
| 94 98 | 
             
              [ '--count-only',             '-C',   GetoptLong::NO_ARGUMENT],
         | 
| @@ -96,7 +100,7 @@ opts    = GetoptLong.new( | |
| 96 100 | 
             
              [ '--help',                   '-h',   GetoptLong::NO_ARGUMENT]
         | 
| 97 101 | 
             
            )
         | 
| 98 102 | 
             
            engine  = nil
         | 
| 99 | 
            -
            options = {:verbose=>false, :output=>"console", :count_only=>false, :dump_kb=>false, :mvc=> | 
| 103 | 
            +
            options = {:verbose=>false, :output=>"console", :count_only=>false, :dump_kb=>false, :mvc=>"", :gemfile_scan=>false}
         | 
| 100 104 |  | 
| 101 105 | 
             
            trap("INT")   { $logger.die('[INTERRUPTED]') }
         | 
| 102 106 | 
             
            check = ""
         | 
| @@ -108,13 +112,14 @@ opts.each do |opt, val| | |
| 108 112 | 
             
                puts "#{Codesake::Dawn::VERSION}"
         | 
| 109 113 | 
             
                Kernel.exit(0)
         | 
| 110 114 | 
             
              when '--rails'
         | 
| 111 | 
            -
                options[:mvc]=: | 
| 115 | 
            +
                options[:mvc]=:rails
         | 
| 112 116 | 
             
              when '--sinatra'
         | 
| 113 | 
            -
                options[:mvc]=: | 
| 117 | 
            +
                options[:mvc]=:sinatra
         | 
| 114 118 | 
             
              when '--padrino'
         | 
| 115 | 
            -
                options[:mvc]=: | 
| 116 | 
            -
                 | 
| 117 | 
            -
             | 
| 119 | 
            +
                options[:mvc]=:padrino
         | 
| 120 | 
            +
                $logger.die "sorry padrino is not yet supported"
         | 
| 121 | 
            +
              when '--gem-lock'
         | 
| 122 | 
            +
                options[:gemfile_scan] = true
         | 
| 118 123 | 
             
              when '--verbose'
         | 
| 119 124 | 
             
                options[:verbose]=true
         | 
| 120 125 | 
             
              when '--output'
         | 
| @@ -152,18 +157,20 @@ target=ARGV.shift | |
| 152 157 |  | 
| 153 158 | 
             
            $logger.die("missing target") if target.nil?
         | 
| 154 159 | 
             
            $logger.die("invalid directory (#{target})") unless Codesake::Dawn::Core.is_good_target?(target)
         | 
| 160 | 
            +
            $logger.die("if scanning Gemfile.lock file you must force target MVC using one from -r, -s or -p flag") if options[:mvc].empty? && options[:gemfile_scan]
         | 
| 155 161 |  | 
| 156 162 |  | 
| 157 163 | 
             
            ## MVC auto detect
         | 
| 158 164 | 
             
            begin
         | 
| 159 | 
            -
              engine = Codesake::Dawn::Core.detect_mvc(target)  if options[:mvc]. | 
| 165 | 
            +
              engine = Codesake::Dawn::Core.detect_mvc(target)  if options[:mvc].empty?
         | 
| 160 166 | 
             
            rescue ArgumentError => e
         | 
| 161 167 | 
             
              $logger.die(e.message)
         | 
| 162 168 | 
             
            end
         | 
| 163 169 |  | 
| 164 | 
            -
            engine = Codesake::Dawn::Rails.new(target) | 
| 165 | 
            -
            engine = Codesake::Dawn::Sinatra.new(target) | 
| 166 | 
            -
            # engine = Codesake::Dawn::Padrino.new | 
| 170 | 
            +
            engine = Codesake::Dawn::Rails.new(target)                      if options[:mvc] == :rails
         | 
| 171 | 
            +
            engine = Codesake::Dawn::Sinatra.new(target)                    if options[:mvc] == :sinatra
         | 
| 172 | 
            +
            # engine = Codesake::Dawn::Padrino.new(target)                    if options[:mvc] == :padrino
         | 
| 173 | 
            +
            engine = Codesake::Dawn::GemfileLock.new(target, options[:mvc]) if options[:gemfile_scan]
         | 
| 167 174 |  | 
| 168 175 | 
             
            $logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags") if engine.nil?
         | 
| 169 176 |  | 
| @@ -180,15 +187,14 @@ if options[:output] == "json" | |
| 180 187 | 
             
              Kernel.exit(0)
         | 
| 181 188 | 
             
            end
         | 
| 182 189 |  | 
| 183 | 
            -
            $logger.helo "#{APPNAME} v#{Codesake::Dawn::VERSION} (C) 2013 - paolo@armoredcode.com is starting up"
         | 
| 184 190 | 
             
            $logger.die "missing target framework option" if engine.nil?
         | 
| 185 191 |  | 
| 186 | 
            -
            # engine.set_target(target) unless engine.nil?
         | 
| 187 192 | 
             
            engine.load_knowledge_base
         | 
| 188 193 |  | 
| 189 194 | 
             
            $logger.die "nothing to do on #{target}" unless engine.can_apply?
         | 
| 190 195 | 
             
            $logger.log "scanning #{target}"
         | 
| 191 | 
            -
            $logger.log "#{engine.name} v#{engine.get_mvc_version} detected"
         | 
| 196 | 
            +
            $logger.log "#{engine.name} v#{engine.get_mvc_version} detected" unless engine.name == "Gemfile.lock"
         | 
| 197 | 
            +
            $logger.log "#{engine.force} v#{engine.get_mvc_version} detected" if engine.name == "Gemfile.lock"
         | 
| 192 198 | 
             
            $logger.log "applying all security checks" 
         | 
| 193 199 | 
             
            if engine.apply_all 
         | 
| 194 200 | 
             
              $logger.log "all security checks applied"
         | 
| @@ -228,10 +234,4 @@ if engine.mitigated_issues.count != 0 | |
| 228 234 | 
             
              end
         | 
| 229 235 | 
             
            end
         | 
| 230 236 |  | 
| 231 | 
            -
             | 
| 232 | 
            -
             | 
| 233 | 
            -
             | 
| 234 | 
            -
            $logger.helo "#{APPNAME} is shutting down"
         | 
| 235 | 
            -
            Kernel.exit(0)
         | 
| 236 | 
            -
             | 
| 237 | 
            -
             | 
| 237 | 
            +
            $logger.bye
         | 
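Review bot: The guard added before MVC auto-detect tells the user to force the framework with -r, -s or -p for a Gemfile.lock scan, but the `--padrino` branch above now calls `$logger.die "sorry padrino is not yet supported"` unconditionally, so `-G -p` can never reach the GemfileLock engine even though the knowledge base carries padrino checks (`:applies=>[... "padrino"]` in the new CVE_2013_2065). Because options are consumed in command-line order, the die cannot be conditioned on `options[:gemfile_scan]` inside the `case`; move it next to the new guard instead, e.g. `$logger.die "sorry padrino is not yet supported" if options[:mvc] == :padrino && !options[:gemfile_scan]`. Separately, the help text promises that `-G` scans "only for vulnerabilities affecting dependencies", while engine.rb's load_knowledge_base loads every check for the forced MVC, ruby-version checks included; either narrow the check set or reword the help line so users know what a Gemfile.lock scan actually covers.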
    
        data/codesake-dawn.gemspec
    CHANGED
    
    | @@ -17,13 +17,14 @@ Gem::Specification.new do |gem| | |
| 17 17 | 
             
              gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
         | 
| 18 18 | 
             
              gem.require_paths = ["lib"]
         | 
| 19 19 |  | 
| 20 | 
            -
              gem.add_dependency  | 
| 20 | 
            +
              gem.add_dependency "codesake-commons", "~> 0.89.0"
         | 
| 21 21 | 
             
              gem.add_dependency 'cvss'
         | 
| 22 22 | 
             
              gem.add_dependency 'haml'
         | 
| 23 23 | 
             
              gem.add_dependency 'parser'
         | 
| 24 24 | 
             
              gem.add_dependency 'ptools'
         | 
| 25 25 | 
             
              gem.add_dependency 'ruby_parser'
         | 
| 26 26 | 
             
              gem.add_dependency 'sys-uname'
         | 
| 27 | 
            +
              gem.add_dependency 'grit'
         | 
| 27 28 |  | 
| 28 29 | 
             
              gem.add_dependency ('coveralls')
         | 
| 29 30 |  | 
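Review bot: `gem.add_dependency 'grit'` carries no version constraint, unlike the `"~> 0.89.0"` bound put on codesake-commons in the same hunk, so a fresh install resolves to whatever grit version the registry serves at that moment; for a security scanner that is an avoidable supply-chain variable, so constrain it the same way, `gem.add_dependency 'grit', '~> <tested version>'`. Nothing else in this diff requires grit (the require list in lib/codesake-dawn.rb does not load it), so if it is only there for the `--github` cloning item described in TODO.md, it may be better added together with that code. The `coveralls` runtime dependency on the context line below is pre-existing, but while touching this block it belongs in `add_development_dependency`, since a coverage reporter has no business being installed on every user's machine.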
    
        data/lib/codesake-dawn.rb
    CHANGED
    
    | @@ -1,9 +1,11 @@ | |
| 1 | 
            -
            require "codesake/dawn/core"
         | 
| 2 1 | 
             
            require "codesake/dawn/utils"
         | 
| 2 | 
            +
            require "codesake/dawn/core"
         | 
| 3 3 | 
             
            require "codesake/dawn/version"
         | 
| 4 4 | 
             
            require "codesake/dawn/knowledge_base"
         | 
| 5 5 | 
             
            require "codesake/dawn/rails"
         | 
| 6 6 | 
             
            require "codesake/dawn/sinatra"
         | 
| 7 | 
            -
            require " | 
| 7 | 
            +
            require "codesake/dawn/padrino"
         | 
| 8 | 
            +
            require "codesake/dawn/gemfile_lock"
         | 
| 9 | 
            +
            require "codesake-commons"
         | 
| 8 10 |  | 
| 9 11 | 
             
            require "date"
         | 
    
        data/lib/codesake/dawn/engine.rb
    CHANGED
    
    | @@ -3,8 +3,13 @@ require 'bundler' | |
| 3 3 | 
             
            module Codesake
         | 
| 4 4 | 
             
              module Dawn
         | 
| 5 5 | 
             
                module Engine
         | 
| 6 | 
            +
                  include Codesake::Dawn::Utils
         | 
| 7 | 
            +
             | 
| 6 8 | 
             
                  attr_reader :target
         | 
| 7 9 | 
             
                  attr_reader :name
         | 
| 10 | 
            +
                  # This attribute is used when @name == "Gemfile.lock" to force the
         | 
| 11 | 
            +
                  # loading of specific MVC checks
         | 
| 12 | 
            +
                  attr_reader :force
         | 
| 8 13 | 
             
                  attr_reader :gemfile_lock
         | 
| 9 14 | 
             
                  attr_reader :mvc_version
         | 
| 10 15 | 
             
                  attr_reader :connected_gems
         | 
| @@ -32,16 +37,26 @@ module Codesake | |
| 32 37 | 
             
                  # will see later 
         | 
| 33 38 | 
             
                  attr_reader :models
         | 
| 34 39 |  | 
| 35 | 
            -
                   | 
| 40 | 
            +
                  attr_accessor :debug
         | 
| 41 | 
            +
             | 
| 42 | 
            +
                  def initialize(dir=nil, name="", options={})
         | 
| 36 43 | 
             
                    @name = name
         | 
| 37 44 | 
             
                    @mvc_version = ""
         | 
| 38 45 | 
             
                    @gemfile_lock = ""
         | 
| 46 | 
            +
                    @force = ""
         | 
| 39 47 | 
             
                    @connected_gems = []
         | 
| 40 48 | 
             
                    @checks = []
         | 
| 41 49 | 
             
                    @vulnerabilities = []
         | 
| 42 50 | 
             
                    @mitigated_issues = []
         | 
| 43 51 | 
             
                    @applied = []
         | 
| 44 52 | 
             
                    @engine_error = false
         | 
| 53 | 
            +
                    @debug = false
         | 
| 54 | 
            +
                    @debug = options[:debug] unless options[:debug].nil?
         | 
| 55 | 
            +
             | 
| 56 | 
            +
                    # Only honoring force option for Gemfile.lock engine. If no force is
         | 
| 57 | 
            +
                    # provided the default behaviour for Gemfile.lock engine is to load all
         | 
| 58 | 
            +
                    # security checks.
         | 
| 59 | 
            +
                    @force = options[:force] if ! options[:force].nil? and @name == "Gemfile.lock"
         | 
| 45 60 |  | 
| 46 61 | 
             
                    set_target(dir) unless dir.nil?
         | 
| 47 62 |  | 
| @@ -105,7 +120,14 @@ module Codesake | |
| 105 120 | 
             
                  end
         | 
| 106 121 |  | 
| 107 122 | 
             
                  def load_knowledge_base
         | 
| 108 | 
            -
                    @ | 
| 123 | 
            +
                    if @name == "Gemfile.lock"
         | 
| 124 | 
            +
                      @checks = Codesake::Dawn::KnowledgeBase.new.all if @force.empty?
         | 
| 125 | 
            +
                      @checks = Codesake::Dawn::KnowledgeBase.new.all_by_mvc(@force) unless @force.empty? 
         | 
| 126 | 
            +
                    else
         | 
| 127 | 
            +
                      @checks = Codesake::Dawn::KnowledgeBase.new.all_by_mvc(@name) 
         | 
| 128 | 
            +
             | 
| 129 | 
            +
                    end
         | 
| 130 | 
            +
                    debug_me("#{@checks.count} checks loaded")
         | 
| 109 131 | 
             
                    @checks
         | 
| 110 132 | 
             
                  end
         | 
| 111 133 |  | 
| @@ -118,7 +140,10 @@ module Codesake | |
| 118 140 | 
             
                    Dir.chdir(@target) 
         | 
| 119 141 | 
             
                    lockfile = Bundler::LockfileParser.new(Bundler.read_file("Gemfile.lock"))
         | 
| 120 142 | 
             
                    lockfile.specs.each do |s|
         | 
| 121 | 
            -
                       | 
| 143 | 
            +
                      # detecting MVC version using @name in case of sinatra, padrino or rails engine
         | 
| 144 | 
            +
                      ver= s.version.to_s if s.name == @name && @name != "Gemfile.lock" 
         | 
| 145 | 
            +
                      # detecting MVC version using @force in case of Gemfile.lock engine
         | 
| 146 | 
            +
                      ver= s.version.to_s if s.name == @force.to_s && @name == "Gemfile.lock" 
         | 
| 122 147 | 
             
                      @connected_gems << {:name=>s.name, :version=>s.version.to_s}
         | 
| 123 148 | 
             
                    end
         | 
| 124 149 | 
             
                    Dir.chdir(my_dir)
         | 
| @@ -134,7 +159,7 @@ module Codesake | |
| 134 159 | 
             
                  end
         | 
| 135 160 |  | 
| 136 161 | 
             
                  def can_apply?
         | 
| 137 | 
            -
                    target_is_dir?  | 
| 162 | 
            +
                    target_is_dir? && is_good_mvc?
         | 
| 138 163 | 
             
                  end
         | 
| 139 164 |  | 
| 140 165 | 
             
                  def get_mvc_version
         | 
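Review bot: In load_knowledge_base the forced framework is passed to `all_by_mvc(@force)` as-is, while get_mvc_version in the same file converts it with `@force.to_s` before comparing gem names, so the two uses disagree on the value's type. bin/dawn hands `options[:mvc]`, a Symbol such as `:rails`, to `GemfileLock.new`; if that value reaches `options[:force]` and all_by_mvc matches against the string `:applies` lists visible in the new check files (`["rails"]`), the forced scan loads zero checks and reports a clean Gemfile.lock without any error, which is the worst failure mode for a vulnerability scanner. Normalize once at construction, `@force = options[:force].to_s if !options[:force].nil? && @name == "Gemfile.lock"` (this also replaces the low-precedence `and`), and consider logging a warning when `@checks` is empty after loading. initialize continues past the end of the hunk.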
| @@ -17,7 +17,7 @@ module Codesake | |
| 17 17 | 
             
                        :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
         | 
| 18 18 | 
             
                        :message=>message,
         | 
| 19 19 | 
             
                        :mitigation=>"Please upgrade ruby interpreter to 1.9.3-p286 or 2.0.0-p195 or latest version available",
         | 
| 20 | 
            -
                        :aux_links=>[" | 
| 20 | 
            +
                        :aux_links=>["http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/"]
         | 
| 21 21 | 
             
                      })
         | 
| 22 22 |  | 
| 23 23 | 
             
                      self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p286"}, {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p195"}]
         | 
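--- a/data/lib/codesake/dawn/kb/cve_2013_2065.rb
+++ b/data/lib/codesake/dawn/kb/cve_2013_2065.rb
@@ -0,0 +1,31 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-10-22
+			class CVE_2013_2065
+				include RubyVersionCheck
+
+				def initialize
+          message = "Native functions exposed to Ruby with DL or Fiddle do not check the taint values set on the objects passed in. This can result in tainted objects being accepted as input when a SecurityError exception should be raised."
+
+          # TODO: fix links and info
+          super({
+            :name=>"CVE-2013-2065",
+            :cvss=>"",
+            :release_date => Date.new(2013, 5, 14),
+            :cwe=>"264",
+            :owasp=>"A9", 
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade ruby interpreter to 1.9.3-p436 or 2.0.0-p195 or latest version available",
+            :aux_links=>["https://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/"]
+          })
+
+          self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p426"}, {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p195"}]
+
+				end
+			end
+		end
+	end
+end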
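--- a/data/lib/codesake/dawn/kb/cve_2013_4389.rb
+++ b/data/lib/codesake/dawn/kb/cve_2013_4389.rb
@@ -0,0 +1,28 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-10-22
+			class CVE_2013_4389
+				include DependencyCheck
+
+				def initialize
+          message = "Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message."
+           super({
+            :name=>'CVE-2013-4389', 
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:N/A:P",  
+            :release_date => Date.new(2013, 10, 17),
+            :cwe=>"134", 
+            :owasp=>"A9",
+            :applies=>["rails"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade rails version at least to 3.0.21, 3.1.10 or 3.2.15. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links => ["https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ"]
+          })
+
+          self.safe_dependencies = [{:name=>"rails", :version=>['3.0.21', '3.1.10', '3.2.15']}]
+				end
+			end
+		end
+	end
+end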
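Review bot: `self.safe_dependencies` treats rails 3.0.21 and 3.1.10 as fixed, but the `message` a few lines up states the flaw affects "Ruby on Rails 3.x before 3.2.15", and as far as I recall the Rails advisory linked in `:aux_links` published only 3.2.15 as a fixed release, with 3.0 and 3.1 out of support. Unless DependencyCheck interprets these entries as per-series minimums and those 3.0/3.1 releases actually contain the fix — not something I can confirm from this diff — an application pinned to 3.0.21 or 3.1.10 is reported clean while still vulnerable. If the advisory carries no 3.0/3.1 fix release, reduce the list to `self.safe_dependencies = [{:name=>"rails", :version=>['3.2.15']}]` and align the `:mitigation` text with it, so the text shown to the user and the version logic cannot drift apart.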