codesake-dawn 0.75 → 0.77
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/Competitive_matrix.md +2 -0
- data/README.md +6 -6
- data/Roadmap.md +4 -1
- data/TODO.md +6 -1
- data/bin/dawn +24 -24
- data/codesake-dawn.gemspec +2 -1
- data/lib/codesake-dawn.rb +4 -2
- data/lib/codesake/dawn/engine.rb +29 -4
- data/lib/codesake/dawn/gemfile_lock.rb +12 -0
- data/lib/codesake/dawn/kb/cve_2012_4464.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2013_2065.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_4389.rb +28 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb +1 -1
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +1 -1
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +3 -3
- data/lib/codesake/dawn/knowledge_base.rb +11 -5
- data/lib/codesake/dawn/padrino.rb +55 -0
- data/lib/codesake/dawn/sinatra.rb +6 -1
- data/lib/codesake/dawn/version.rb +1 -1
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +10 -0
- data/spec/lib/dawn/codesake_padrino_engine_spec.rb +45 -0
- data/spec/support/hello_world_padrino/.components +9 -0
- data/spec/support/hello_world_padrino/.gitignore +8 -0
- data/spec/support/hello_world_padrino/Gemfile +42 -0
- data/spec/support/hello_world_padrino/Rakefile +6 -0
- data/spec/support/hello_world_padrino/app/app.rb +61 -0
- data/spec/support/hello_world_padrino/config.ru +9 -0
- data/spec/support/hello_world_padrino/config/apps.rb +39 -0
- data/spec/support/hello_world_padrino/config/boot.rb +46 -0
- data/spec/support/hello_world_padrino/config/database.rb +19 -0
- data/spec/support/hello_world_padrino/cucumber.yml +2 -0
- data/spec/support/hello_world_padrino/db/migrate/001_create_users.rb +16 -0
- data/spec/support/hello_world_padrino/dispatcher/app.rb +61 -0
- data/spec/support/hello_world_padrino/features/add.feature +11 -0
- data/spec/support/hello_world_padrino/features/step_definitions/add_steps.rb +15 -0
- data/spec/support/hello_world_padrino/features/support/env.rb +10 -0
- data/spec/support/hello_world_padrino/features/support/url.rb +17 -0
- data/spec/support/hello_world_padrino/models/user.rb +11 -0
- data/spec/support/hello_world_padrino/public/favicon.ico +0 -0
- data/spec/support/hello_world_padrino/public/javascripts/application.js +1 -0
- data/spec/support/hello_world_padrino/public/javascripts/jquery-ujs.js +95 -0
- data/spec/support/hello_world_padrino/public/javascripts/jquery.js +4 -0
- metadata +71 -7
@@ -74,10 +74,12 @@ require "codesake/dawn/kb/cve_2013_1911"
|
|
74
74
|
require "codesake/dawn/kb/cve_2013_1933"
|
75
75
|
require "codesake/dawn/kb/cve_2013_1947"
|
76
76
|
require "codesake/dawn/kb/cve_2013_1948"
|
77
|
+
require "codesake/dawn/kb/cve_2013_2065"
|
77
78
|
require "codesake/dawn/kb/cve_2013_2615"
|
78
79
|
require "codesake/dawn/kb/cve_2013_2616"
|
79
80
|
require "codesake/dawn/kb/cve_2013_2617"
|
80
81
|
require "codesake/dawn/kb/cve_2013_3221"
|
82
|
+
require "codesake/dawn/kb/cve_2013_4389"
|
81
83
|
|
82
84
|
|
83
85
|
module Codesake
|
@@ -85,6 +87,8 @@ module Codesake
|
|
85
87
|
# XXX: Check if it best using a singleton here
|
86
88
|
class KnowledgeBase
|
87
89
|
|
90
|
+
include Codesake::Dawn::Utils
|
91
|
+
|
88
92
|
DEPENDENCY_CHECK = :dependency_check
|
89
93
|
PATTERN_MATCH_CHECK = :pattern_match_check
|
90
94
|
RUBY_VERSION_CHECK = :ruby_version_check
|
@@ -118,23 +122,23 @@ module Codesake
|
|
118
122
|
@security_checks.each do |sc|
|
119
123
|
ret << sc if sc.applies_to?(mvc)
|
120
124
|
end
|
121
|
-
|
125
|
+
ret
|
122
126
|
end
|
123
127
|
|
124
128
|
def all_sinatra_checks
|
125
|
-
self.all_by_mvc(
|
129
|
+
self.all_by_mvc("sinatra")
|
126
130
|
end
|
127
131
|
|
128
132
|
def all_rails_checks
|
129
|
-
self.all_by_mvc(
|
133
|
+
self.all_by_mvc("rails")
|
130
134
|
end
|
131
135
|
|
132
136
|
def all_padrino_checks
|
133
|
-
self.all_by_mvc(
|
137
|
+
self.all_by_mvc("padrino")
|
134
138
|
end
|
135
139
|
|
136
140
|
def all_rack_checks
|
137
|
-
self.all_by_mvc(
|
141
|
+
self.all_by_mvc("rack")
|
138
142
|
end
|
139
143
|
|
140
144
|
def self.load_security_checks
|
@@ -198,10 +202,12 @@ module Codesake
|
|
198
202
|
Codesake::Dawn::Kb::CVE_2013_1933.new,
|
199
203
|
Codesake::Dawn::Kb::CVE_2013_1947.new,
|
200
204
|
Codesake::Dawn::Kb::CVE_2013_1948.new,
|
205
|
+
Codesake::Dawn::Kb::CVE_2013_2065.new,
|
201
206
|
Codesake::Dawn::Kb::CVE_2013_2615.new,
|
202
207
|
Codesake::Dawn::Kb::CVE_2013_2616.new,
|
203
208
|
Codesake::Dawn::Kb::CVE_2013_2617.new,
|
204
209
|
Codesake::Dawn::Kb::CVE_2013_3221.new,
|
210
|
+
Codesake::Dawn::Kb::CVE_2013_4389.new,
|
205
211
|
]
|
206
212
|
end
|
207
213
|
end
|
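Review bot: The four `all_*_checks` wrappers in the third hunk now pass bare string literals ("sinatra", "rails", "padrino", "rack") that must match, byte for byte, whatever each check's `applies_to?` compares against, and the same names presumably recur in the engine classes (`super(dir, "padrino", ...)` elsewhere in this release). Hoisting them into frozen constants next to `DEPENDENCY_CHECK` — e.g. `SINATRA = "sinatra".freeze` — and calling `all_by_mvc(SINATRA)` keeps the framework identifiers in one place, so a typo fails loudly instead of silently yielding an empty check list. The explicit `self.` receiver on `all_by_mvc` is unnecessary if the method is public. The two new `CVE_2013_2065` / `CVE_2013_4389` entries in the last hunk are consistent with the `require` lines added in the first hunk.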
@@ -0,0 +1,55 @@
|
|
1
|
+
require 'ruby_parser'
|
2
|
+
module Codesake
|
3
|
+
module Dawn
|
4
|
+
class Padrino
|
5
|
+
include Codesake::Dawn::Engine
|
6
|
+
|
7
|
+
attr_reader :apps
|
8
|
+
|
9
|
+
def initialize(dir=nil)
|
10
|
+
super(dir, "padrino", {:debug=>true})
|
11
|
+
@apps = detect_apps
|
12
|
+
end
|
13
|
+
|
14
|
+
def detect_apps
|
15
|
+
|
16
|
+
apps_rb = File.join(@target, "config", "apps.rb")
|
17
|
+
return nil unless File.exist?(apps_rb)
|
18
|
+
lines = File.readlines(apps_rb)
|
19
|
+
p = RubyParser.new
|
20
|
+
apps = []
|
21
|
+
|
22
|
+
lines.each do |line|
|
23
|
+
if /^Padrino\.mount/ =~ line
|
24
|
+
|
25
|
+
begin
|
26
|
+
tree = p.parse(line)
|
27
|
+
if ! tree.nil? && tree.sexp_type == :call
|
28
|
+
body_a = tree.sexp_body.to_a
|
29
|
+
mp = body_a[2][1]
|
30
|
+
sinatra_app_rb = body_a[0][4][2][3][1] if is_mount_call?(body_a[0])
|
31
|
+
debug_me("BODY_A=#{body_a[0]}")
|
32
|
+
debug_me("IS_MOUNT_CALL? #{is_mount_call?(body_a[0])}")
|
33
|
+
debug_me("MP = #{mp}")
|
34
|
+
target = File.dirname(sinatra_app_rb )
|
35
|
+
apps << Codesake::Dawn::Sinatra.new(target, mp)
|
36
|
+
end
|
37
|
+
rescue Racc::ParseError => e
|
38
|
+
debug_me(e.message)
|
39
|
+
end
|
40
|
+
end
|
41
|
+
|
42
|
+
|
43
|
+
# if line.start_with?("Padrino.mount")
|
44
|
+
|
45
|
+
end
|
46
|
+
apps
|
47
|
+
end
|
48
|
+
|
49
|
+
def is_mount_call?(a)
|
50
|
+
return (a[0] == :call && a[1] == [:const, :Padrino] && a[2] == :mount)
|
51
|
+
end
|
52
|
+
|
53
|
+
end
|
54
|
+
end
|
55
|
+
end
|
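Review bot: `detect_apps` returns `nil` when `config/apps.rb` is absent but an Array otherwise, and `initialize` stores that straight into `@apps`, so any caller that does `apps.count` or `apps[0]` (as the new spec does) raises on a project without that file; `return [] unless File.exist?(apps_rb)` keeps the contract uniform. The same method computes `target = File.dirname(sinatra_app_rb)` from the `:app_file` string literal, which in the fixture is the root-relative `'app/app.rb'`, so the Sinatra engine is built for a path relative to the current working directory rather than under `@target` — joining with `@target` looks like the intent. The sexp walk `body_a[0][4][2][3][1]` and `body_a[2][1]` assumes every mount line carries an `:app_file => Padrino.root(...)` hash and a `.to(...)` call; a plain `Padrino.mount('blog').to('/blog')` or a `.host(...)` form raises `NoMethodError`/`TypeError` from inside the block, and only `Racc::ParseError` is rescued. `is_mount_call?` also compares `a[1]` with the plain Array `[:const, :Padrino]`, which may not compare equal to a `Sexp` depending on how `Sexp#==` is defined in the installed sexp_processor — worth confirming against a fixture run. A guarded rewrite of the loop body:
```ruby
def detect_apps
  apps_rb = File.join(@target, "config", "apps.rb")
  return [] unless File.exist?(apps_rb)   # keep the return type an Array: callers index and count @apps
  parser = RubyParser.new
  apps = []
  File.readlines(apps_rb).each do |line|
    next unless /\APadrino\.mount/ =~ line
    begin
      tree = parser.parse(line)
    rescue Racc::ParseError => e
      debug_me(e.message)
      next
    end
    next unless tree && tree.sexp_type == :call
    mount_call, chained_method, mount_point_node = tree.sexp_body.to_a
    next unless is_mount_call?(mount_call)
    next unless chained_method == :to   # only .to('/path') mounts carry a mount point we can scan
    # positional sexp layout kept from the original; nil at any step means a mount form we do not handle
    options = mount_call[4]
    app_file_node = options && options[2] && options[2][3]
    app_file = app_file_node && app_file_node[1]
    mp = mount_point_node && mount_point_node[1]
    if app_file.nil? || mp.nil?
      debug_me("unsupported mount line skipped: #{line.strip}")
      next
    end
    # :app_file is given relative to the Padrino root, so anchor it under the scanned project
    apps << Codesake::Dawn::Sinatra.new(File.join(@target, File.dirname(app_file)), mp)
  end
  apps
end
```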
@@ -9,13 +9,18 @@ module Codesake
|
|
9
9
|
attr_reader :sinks
|
10
10
|
attr_reader :appname
|
11
11
|
|
12
|
-
|
12
|
+
# mount_point is the mounting point for this Sinatra application. It's
|
13
|
+
# filled up only in padrino engines
|
14
|
+
attr_reader :mount_point
|
15
|
+
|
16
|
+
def initialize(dir=nil, mp=nil)
|
13
17
|
super(dir, "sinatra")
|
14
18
|
@appname = detect_appname(self.target)
|
15
19
|
error! if self.appname == ""
|
16
20
|
@views = detect_views
|
17
21
|
@sinks = detect_sinks(self.appname) unless self.appname == ""
|
18
22
|
@reflected_xss = detect_reflected_xss unless self.appname == ""
|
23
|
+
@mount_point = (mp.nil?)? "" : mp
|
19
24
|
end
|
20
25
|
|
21
26
|
# TODO: appname should be hopefully autodetect from config.ru
|
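Review bot: The new second parameter `mp` on `initialize` is terse for a public constructor argument, and the assignment on the last added line, `@mount_point = (mp.nil?)? "" : mp`, can be written `@mount_point = mp || ""`. Naming the parameter `mount_point = nil` would make call sites such as `Sinatra.new(target, mp)` self-describing; since the argument is positional, existing callers are unaffected. The comment above `attr_reader :mount_point` should also say that the default is `""` rather than `nil`, so consumers can compare without a nil guard, e.g. `# Defaults to "" when the app is not mounted through a padrino engine`. The enclosing class starts outside the hunk.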
@@ -360,5 +360,15 @@ describe "The Codesake Dawn knowledge base" do
|
|
360
360
|
sc.should_not be_nil
|
361
361
|
sc.class.should == Codesake::Dawn::Kb::CVE_2012_4522
|
362
362
|
end
|
363
|
+
it "must have test for CVE-2013-2065" do
|
364
|
+
sc = kb.find("CVE-2013-2065")
|
365
|
+
sc.should_not be_nil
|
366
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_2065
|
367
|
+
end
|
368
|
+
it "must have test for CVE-2013-4389" do
|
369
|
+
sc = kb.find("CVE-2013-4389")
|
370
|
+
sc.should_not be_nil
|
371
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_4389
|
372
|
+
end
|
363
373
|
|
364
374
|
end
|
@@ -0,0 +1,45 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
|
4
|
+
describe "The Codesake::Dawn engine for padrino applications" do
|
5
|
+
before(:all) do
|
6
|
+
@engine = Codesake::Dawn::Padrino.new('./spec/support/hello_world_padrino')
|
7
|
+
end
|
8
|
+
|
9
|
+
|
10
|
+
it "has a proper name" do
|
11
|
+
@engine.name.should == "padrino"
|
12
|
+
end
|
13
|
+
|
14
|
+
it "has a valid target" do
|
15
|
+
@engine.target.should == "./spec/support/hello_world_padrino"
|
16
|
+
@engine.target_is_dir?.should be_true
|
17
|
+
end
|
18
|
+
|
19
|
+
it "detects the applications declared in config/apps.rb" do
|
20
|
+
@engine.should respond_to(:detect_apps)
|
21
|
+
@engine.apps.should_not be_nil
|
22
|
+
@engine.apps.count.should == 3
|
23
|
+
end
|
24
|
+
|
25
|
+
it "creates a valid pool of Sinatra engines" do
|
26
|
+
@engine.apps[0].mount_point.should == "/"
|
27
|
+
@engine.apps[1].mount_point.should == "/log"
|
28
|
+
@engine.apps[2].mount_point.should == "/dispatcher"
|
29
|
+
end
|
30
|
+
|
31
|
+
|
32
|
+
it "has a good Gemfile.lock" do
|
33
|
+
@engine.has_gemfile_lock?.should be_true
|
34
|
+
end
|
35
|
+
|
36
|
+
it "detects padrino v0.11.2" do
|
37
|
+
@engine.mvc_version.should == "0.11.2"
|
38
|
+
end
|
39
|
+
|
40
|
+
|
41
|
+
# describe "analyzing the main application" do
|
42
|
+
# end
|
43
|
+
|
44
|
+
|
45
|
+
end
|
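Review bot: The example "creates a valid pool of Sinatra engines" asserts only `mount_point` on the three engines, so it says nothing about the path each engine was built on; adding `@engine.apps[0].target.should == File.join(@engine.target, "app")` (and the dispatcher equivalent) would expose whether `detect_apps` anchors `:app_file` under the scanned project or, as `File.dirname` alone gives, the bare `"app"` relative to the working directory. The `it "detects padrino v0.11.2"` example hard-codes the version pinned in the fixture's Gemfile, which is fine for a fixture but deserves a comment such as `# pinned in spec/support/hello_world_padrino/Gemfile` so the coupling is visible. The leftover `# describe "analyzing the main application"` stub at the bottom should either become a pending example or be dropped.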
@@ -0,0 +1,42 @@
|
|
1
|
+
source 'https://rubygems.org'
|
2
|
+
|
3
|
+
# Distribute your app as a gem
|
4
|
+
# gemspec
|
5
|
+
|
6
|
+
# Server requirements
|
7
|
+
# gem 'thin' # or mongrel
|
8
|
+
# gem 'trinidad', :platform => 'jruby'
|
9
|
+
|
10
|
+
# Optional JSON codec (faster performance)
|
11
|
+
# gem 'oj'
|
12
|
+
|
13
|
+
# Project requirements
|
14
|
+
gem 'rake'
|
15
|
+
|
16
|
+
# Component requirements
|
17
|
+
gem 'haml'
|
18
|
+
gem 'dm-sqlite-adapter'
|
19
|
+
gem 'dm-validations'
|
20
|
+
gem 'dm-timestamps'
|
21
|
+
gem 'dm-migrations'
|
22
|
+
gem 'dm-constraints'
|
23
|
+
gem 'dm-aggregates'
|
24
|
+
gem 'dm-types'
|
25
|
+
gem 'dm-core'
|
26
|
+
|
27
|
+
# Test requirements
|
28
|
+
gem 'rspec', :group => 'test'
|
29
|
+
gem 'capybara', :group => 'test'
|
30
|
+
gem 'cucumber', :group => 'test'
|
31
|
+
gem 'rack-test', :require => 'rack/test', :group => 'test'
|
32
|
+
|
33
|
+
# Padrino Stable Gem
|
34
|
+
gem 'padrino', '0.11.2'
|
35
|
+
|
36
|
+
# Or Padrino Edge
|
37
|
+
# gem 'padrino', :github => 'padrino/padrino-framework'
|
38
|
+
|
39
|
+
# Or Individual Gems
|
40
|
+
# %w(core gen helpers cache mailer admin).each do |g|
|
41
|
+
# gem 'padrino-' + g, '0.11.2'
|
42
|
+
# end
|
@@ -0,0 +1,61 @@
|
|
1
|
+
module HelloWorldPadrino
|
2
|
+
class App < Padrino::Application
|
3
|
+
register Padrino::Rendering
|
4
|
+
register Padrino::Mailer
|
5
|
+
register Padrino::Helpers
|
6
|
+
|
7
|
+
enable :sessions
|
8
|
+
|
9
|
+
##
|
10
|
+
# Caching support
|
11
|
+
#
|
12
|
+
# register Padrino::Cache
|
13
|
+
# enable :caching
|
14
|
+
#
|
15
|
+
# You can customize caching store engines:
|
16
|
+
#
|
17
|
+
# set :cache, Padrino::Cache::Store::Memcache.new(::Memcached.new('127.0.0.1:11211', :exception_retry_limit => 1))
|
18
|
+
# set :cache, Padrino::Cache::Store::Memcache.new(::Dalli::Client.new('127.0.0.1:11211', :exception_retry_limit => 1))
|
19
|
+
# set :cache, Padrino::Cache::Store::Redis.new(::Redis.new(:host => '127.0.0.1', :port => 6379, :db => 0))
|
20
|
+
# set :cache, Padrino::Cache::Store::Memory.new(50)
|
21
|
+
# set :cache, Padrino::Cache::Store::File.new(Padrino.root('tmp', app_name.to_s, 'cache')) # default choice
|
22
|
+
#
|
23
|
+
|
24
|
+
##
|
25
|
+
# Application configuration options
|
26
|
+
#
|
27
|
+
# set :raise_errors, true # Raise exceptions (will stop application) (default for test)
|
28
|
+
# set :dump_errors, true # Exception backtraces are written to STDERR (default for production/development)
|
29
|
+
# set :show_exceptions, true # Shows a stack trace in browser (default for development)
|
30
|
+
# set :logging, true # Logging in STDOUT for development and file for production (default only for development)
|
31
|
+
# set :public_folder, 'foo/bar' # Location for static assets (default root/public)
|
32
|
+
# set :reload, false # Reload application files (default in development)
|
33
|
+
# set :default_builder, 'foo' # Set a custom form builder (default 'StandardFormBuilder')
|
34
|
+
# set :locale_path, 'bar' # Set path for I18n translations (default your_apps_root_path/locale)
|
35
|
+
# disable :sessions # Disabled sessions by default (enable if needed)
|
36
|
+
# disable :flash # Disables sinatra-flash (enabled by default if Sinatra::Flash is defined)
|
37
|
+
# layout :my_layout # Layout can be in views/layouts/foo.ext or views/foo.ext (default :application)
|
38
|
+
#
|
39
|
+
|
40
|
+
##
|
41
|
+
# You can configure for a specified environment like:
|
42
|
+
#
|
43
|
+
# configure :development do
|
44
|
+
# set :foo, :bar
|
45
|
+
# disable :asset_stamp # no asset timestamping for dev
|
46
|
+
# end
|
47
|
+
#
|
48
|
+
|
49
|
+
##
|
50
|
+
# You can manage errors like:
|
51
|
+
#
|
52
|
+
# error 404 do
|
53
|
+
# render 'errors/404'
|
54
|
+
# end
|
55
|
+
#
|
56
|
+
# error 505 do
|
57
|
+
# render 'errors/505'
|
58
|
+
# end
|
59
|
+
#
|
60
|
+
end
|
61
|
+
end
|
@@ -0,0 +1,39 @@
|
|
1
|
+
##
|
2
|
+
# This file mounts each app in the Padrino project to a specified sub-uri.
|
3
|
+
# You can mount additional applications using any of these commands below:
|
4
|
+
#
|
5
|
+
# Padrino.mount('blog').to('/blog')
|
6
|
+
# Padrino.mount('blog', :app_class => 'BlogApp').to('/blog')
|
7
|
+
# Padrino.mount('blog', :app_file => 'path/to/blog/app.rb').to('/blog')
|
8
|
+
#
|
9
|
+
# You can also map apps to a specified host:
|
10
|
+
#
|
11
|
+
# Padrino.mount('Admin').host('admin.example.org')
|
12
|
+
# Padrino.mount('WebSite').host(/.*\.?example.org/)
|
13
|
+
# Padrino.mount('Foo').to('/foo').host('bar.example.org')
|
14
|
+
#
|
15
|
+
# Note 1: Mounted apps (by default) should be placed into the project root at '/app_name'.
|
16
|
+
# Note 2: If you use the host matching remember to respect the order of the rules.
|
17
|
+
#
|
18
|
+
# By default, this file mounts the primary app which was generated with this project.
|
19
|
+
# However, the mounted app can be modified as needed:
|
20
|
+
#
|
21
|
+
# Padrino.mount('AppName', :app_file => 'path/to/file', :app_class => 'BlogApp').to('/')
|
22
|
+
#
|
23
|
+
|
24
|
+
##
|
25
|
+
# Setup global project settings for your apps. These settings are inherited by every subapp. You can
|
26
|
+
# override these settings in the subapps as needed.
|
27
|
+
#
|
28
|
+
Padrino.configure_apps do
|
29
|
+
# enable :sessions
|
30
|
+
set :session_secret, 'dfb3c40b836796c198245c9770ca6048884942b0a7f33671dcee1cb60efefe39'
|
31
|
+
set :protection, true
|
32
|
+
set :protect_from_csrf, true
|
33
|
+
end
|
34
|
+
|
35
|
+
# Mounts the core application for this project
|
36
|
+
Padrino.mount('HelloWorldPadrino::App', :app_file => Padrino.root('app/app.rb')).to('/')
|
37
|
+
|
38
|
+
Padrino.mount('HelloWorldPadrino::Log', :app_file => Padrino.root('log/app.rb')).to('/log')
|
39
|
+
Padrino.mount('HelloWorldPadrino::Dispatcher', :app_file => Padrino.root('dispatcher/app.rb')).to('/dispatcher')
|
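Review bot: The fixture mounts `HelloWorldPadrino::Log` with `:app_file => Padrino.root('log/app.rb')` on the last three lines, but the diffstat for this release adds `app/app.rb` and `dispatcher/app.rb` only — no `log/app.rb` — so the second `Codesake::Dawn::Sinatra` engine that `detect_apps` builds appears to point at a directory that does not exist in the fixture. The padrino spec passes only because it asserts `mount_point` alone; either add the `log/` app or drop that mount line so the fixture stays self-consistent. The literal `set :session_secret, 'dfb3c4…'` is the Padrino generator's per-project value and harmless in a spec fixture, but secret scanners will flag it; a comment such as `# fixture-only secret, never used outside spec` keeps that from becoming a recurring false positive.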
@@ -0,0 +1,46 @@
|
|
1
|
+
# Defines our constants
|
2
|
+
PADRINO_ENV = ENV['PADRINO_ENV'] ||= ENV['RACK_ENV'] ||= 'development' unless defined?(PADRINO_ENV)
|
3
|
+
PADRINO_ROOT = File.expand_path('../..', __FILE__) unless defined?(PADRINO_ROOT)
|
4
|
+
|
5
|
+
# Load our dependencies
|
6
|
+
require 'rubygems' unless defined?(Gem)
|
7
|
+
require 'bundler/setup'
|
8
|
+
Bundler.require(:default, PADRINO_ENV)
|
9
|
+
|
10
|
+
##
|
11
|
+
# ## Enable devel logging
|
12
|
+
#
|
13
|
+
# Padrino::Logger::Config[:development][:log_level] = :devel
|
14
|
+
# Padrino::Logger::Config[:development][:log_static] = true
|
15
|
+
#
|
16
|
+
# ## Configure your I18n
|
17
|
+
#
|
18
|
+
# I18n.default_locale = :en
|
19
|
+
#
|
20
|
+
# ## Configure your HTML5 data helpers
|
21
|
+
#
|
22
|
+
# Padrino::Helpers::TagHelpers::DATA_ATTRIBUTES.push(:dialog)
|
23
|
+
# text_field :foo, :dialog => true
|
24
|
+
# Generates: <input type="text" data-dialog="true" name="foo" />
|
25
|
+
#
|
26
|
+
# ## Add helpers to mailer
|
27
|
+
#
|
28
|
+
# Mail::Message.class_eval do
|
29
|
+
# include Padrino::Helpers::NumberHelpers
|
30
|
+
# include Padrino::Helpers::TranslationHelpers
|
31
|
+
# end
|
32
|
+
|
33
|
+
##
|
34
|
+
# Add your before (RE)load hooks here
|
35
|
+
#
|
36
|
+
Padrino.before_load do
|
37
|
+
end
|
38
|
+
|
39
|
+
##
|
40
|
+
# Add your after (RE)load hooks here
|
41
|
+
#
|
42
|
+
Padrino.after_load do
|
43
|
+
DataMapper.finalize
|
44
|
+
end
|
45
|
+
|
46
|
+
Padrino.load!
|