codesake-dawn 0.75 → 0.77

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb

@@ -19,10 +19,10 @@ module Codesake
               :attack_pattern => ["Application.config.session_store :active_record_store"],
               :negative_search=>true
             })
-            @debug = true
+            # @debug = true
           end 
         end
-  end
-  end
+      end
+    end
   end
 end

data/lib/codesake/dawn/knowledge_base.rb

@@ -74,10 +74,12 @@ require "codesake/dawn/kb/cve_2013_1911"
 require "codesake/dawn/kb/cve_2013_1933"
 require "codesake/dawn/kb/cve_2013_1947"
 require "codesake/dawn/kb/cve_2013_1948"
+require "codesake/dawn/kb/cve_2013_2065"
 require "codesake/dawn/kb/cve_2013_2615"
 require "codesake/dawn/kb/cve_2013_2616"
 require "codesake/dawn/kb/cve_2013_2617"
 require "codesake/dawn/kb/cve_2013_3221"
+require "codesake/dawn/kb/cve_2013_4389"
 
 
 module Codesake
@@ -85,6 +87,8 @@ module Codesake
     # XXX: Check if it best using a singleton here
     class KnowledgeBase
 
+      include Codesake::Dawn::Utils
+
       DEPENDENCY_CHECK    = :dependency_check
       PATTERN_MATCH_CHECK = :pattern_match_check
       RUBY_VERSION_CHECK  = :ruby_version_check
@@ -118,23 +122,23 @@ module Codesake
         @security_checks.each do |sc|
           ret << sc if sc.applies_to?(mvc)
         end
-
+        ret
       end
 
       def all_sinatra_checks
-        self.all_by_mvc(:sinatra)
+        self.all_by_mvc("sinatra")
       end
 
       def all_rails_checks
-        self.all_by_mvc(:rails)
+        self.all_by_mvc("rails")
       end
 
       def all_padrino_checks
-        self.all_by_mvc(:padrino)
+        self.all_by_mvc("padrino")
       end
 
       def all_rack_checks
-        self.all_by_mvc(:rack)
+        self.all_by_mvc("rack")
       end
 
       def self.load_security_checks
@@ -198,10 +202,12 @@ module Codesake
           Codesake::Dawn::Kb::CVE_2013_1933.new, 
           Codesake::Dawn::Kb::CVE_2013_1947.new, 
           Codesake::Dawn::Kb::CVE_2013_1948.new, 
+          Codesake::Dawn::Kb::CVE_2013_2065.new, 
           Codesake::Dawn::Kb::CVE_2013_2615.new, 
           Codesake::Dawn::Kb::CVE_2013_2616.new, 
           Codesake::Dawn::Kb::CVE_2013_2617.new, 
           Codesake::Dawn::Kb::CVE_2013_3221.new, 
+          Codesake::Dawn::Kb::CVE_2013_4389.new, 
         ]
       end
     end

data/lib/codesake/dawn/padrino.rb

@@ -0,0 +1,55 @@
+require 'ruby_parser'
+module Codesake
+  module Dawn
+    class Padrino
+      include Codesake::Dawn::Engine
+
+      attr_reader :apps
+
+      def initialize(dir=nil)
+        super(dir, "padrino", {:debug=>true}) 
+        @apps = detect_apps
+      end
+
+      def detect_apps
+
+        apps_rb = File.join(@target, "config", "apps.rb")
+        return nil unless File.exist?(apps_rb)
+        lines = File.readlines(apps_rb)
+        p = RubyParser.new
+        apps = []
+
+        lines.each do |line|
+          if /^Padrino\.mount/ =~ line
+
+            begin
+              tree = p.parse(line)
+              if ! tree.nil? && tree.sexp_type == :call
+                body_a = tree.sexp_body.to_a
+                mp = body_a[2][1]
+                sinatra_app_rb = body_a[0][4][2][3][1] if is_mount_call?(body_a[0])
+                debug_me("BODY_A=#{body_a[0]}")
+                debug_me("IS_MOUNT_CALL? #{is_mount_call?(body_a[0])}")
+                debug_me("MP = #{mp}")
+                target = File.dirname(sinatra_app_rb )
+                apps << Codesake::Dawn::Sinatra.new(target, mp)
+              end
+            rescue Racc::ParseError => e
+              debug_me(e.message)
+            end
+          end
+
+          
+          # if line.start_with?("Padrino.mount")
+
+        end
+        apps
+      end
+
+      def is_mount_call?(a)
+        return (a[0] == :call && a[1] == [:const, :Padrino] && a[2] == :mount)
+      end
+
+    end
+  end
+end

data/lib/codesake/dawn/sinatra.rb

@@ -9,13 +9,18 @@ module Codesake
       attr_reader :sinks
       attr_reader :appname
 
-      def initialize(dir=nil)
+      # mount_point is the mounting point for this Sinatra application. It's
+      # filled up only in padrino engines
+      attr_reader :mount_point
+
+      def initialize(dir=nil, mp=nil)
         super(dir, "sinatra")
         @appname = detect_appname(self.target)
         error! if self.appname == ""
         @views = detect_views
         @sinks = detect_sinks(self.appname) unless self.appname == ""
         @reflected_xss = detect_reflected_xss unless self.appname == ""
+        @mount_point = (mp.nil?)? "" : mp
       end
 
       # TODO: appname should be hopefully autodetect from config.ru

data/lib/codesake/dawn/version.rb

@@ -1,5 +1,5 @@
 module Codesake
   module Dawn
-    VERSION = "0.75"
+    VERSION = "0.77"
   end
 end

data/spec/lib/dawn/codesake_knowledgebase_spec.rb

@@ -360,5 +360,15 @@ describe "The Codesake Dawn knowledge base" do
     sc.should_not   be_nil
     sc.class.should == Codesake::Dawn::Kb::CVE_2012_4522
   end
+  it "must have test for CVE-2013-2065" do
+    sc = kb.find("CVE-2013-2065")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_2065
+  end
+  it "must have test for CVE-2013-4389" do
+    sc = kb.find("CVE-2013-4389")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_4389
+  end
 
 end

data/spec/lib/dawn/codesake_padrino_engine_spec.rb

@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+
+describe "The Codesake::Dawn engine for padrino applications" do 
+  before(:all) do 
+    @engine = Codesake::Dawn::Padrino.new('./spec/support/hello_world_padrino')
+  end
+    
+
+  it "has a proper name" do
+    @engine.name.should   ==    "padrino"
+  end
+
+  it "has a valid target" do
+    @engine.target.should ==   "./spec/support/hello_world_padrino"
+    @engine.target_is_dir?.should  be_true
+  end
+
+  it "detects the applications declared in config/apps.rb" do
+    @engine.should  respond_to(:detect_apps)
+    @engine.apps.should_not     be_nil
+    @engine.apps.count.should   == 3
+  end
+
+  it "creates a valid pool of Sinatra engines" do
+    @engine.apps[0].mount_point.should == "/"
+    @engine.apps[1].mount_point.should == "/log"
+    @engine.apps[2].mount_point.should == "/dispatcher"
+  end
+
+
+  it "has a good Gemfile.lock" do
+    @engine.has_gemfile_lock?.should   be_true
+  end
+
+  it "detects padrino v0.11.2" do
+    @engine.mvc_version.should   == "0.11.2"
+  end
+
+  
+  # describe "analyzing the main application" do
+  # end
+  
+  
+end

data/spec/support/hello_world_padrino/.components

@@ -0,0 +1,9 @@
+---
+:orm: datamapper
+:test: cucumber
+:mock: none
+:script: jquery
+:renderer: haml
+:stylesheet: none
+:namespace: HelloWorldPadrino
+:migration_format: number

data/spec/support/hello_world_padrino/.gitignore

@@ -0,0 +1,8 @@
+.DS_Store
+log/**/*
+tmp/**/*
+bin/*
+vendor/gems/*
+!vendor/gems/cache/
+.sass-cache/*
+db/*.db

data/spec/support/hello_world_padrino/Gemfile

@@ -0,0 +1,42 @@
+source 'https://rubygems.org'
+
+# Distribute your app as a gem
+# gemspec
+
+# Server requirements
+# gem 'thin' # or mongrel
+# gem 'trinidad', :platform => 'jruby'
+
+# Optional JSON codec (faster performance)
+# gem 'oj'
+
+# Project requirements
+gem 'rake'
+
+# Component requirements
+gem 'haml'
+gem 'dm-sqlite-adapter'
+gem 'dm-validations'
+gem 'dm-timestamps'
+gem 'dm-migrations'
+gem 'dm-constraints'
+gem 'dm-aggregates'
+gem 'dm-types'
+gem 'dm-core'
+
+# Test requirements
+gem 'rspec', :group => 'test'
+gem 'capybara', :group => 'test'
+gem 'cucumber', :group => 'test'
+gem 'rack-test', :require => 'rack/test', :group => 'test'
+
+# Padrino Stable Gem
+gem 'padrino', '0.11.2'
+
+# Or Padrino Edge
+# gem 'padrino', :github => 'padrino/padrino-framework'
+
+# Or Individual Gems
+# %w(core gen helpers cache mailer admin).each do |g|
+#   gem 'padrino-' + g, '0.11.2'
+# end

data/spec/support/hello_world_padrino/Rakefile

@@ -0,0 +1,6 @@
+require 'bundler/setup'
+require 'padrino-core/cli/rake'
+
+PadrinoTasks.use(:database)
+PadrinoTasks.use(:datamapper)
+PadrinoTasks.init

data/spec/support/hello_world_padrino/app/app.rb

@@ -0,0 +1,61 @@
+module HelloWorldPadrino
+  class App < Padrino::Application
+    register Padrino::Rendering
+    register Padrino::Mailer
+    register Padrino::Helpers
+
+    enable :sessions
+
+    ##
+    # Caching support
+    #
+    # register Padrino::Cache
+    # enable :caching
+    #
+    # You can customize caching store engines:
+    #
+    # set :cache, Padrino::Cache::Store::Memcache.new(::Memcached.new('127.0.0.1:11211', :exception_retry_limit => 1))
+    # set :cache, Padrino::Cache::Store::Memcache.new(::Dalli::Client.new('127.0.0.1:11211', :exception_retry_limit => 1))
+    # set :cache, Padrino::Cache::Store::Redis.new(::Redis.new(:host => '127.0.0.1', :port => 6379, :db => 0))
+    # set :cache, Padrino::Cache::Store::Memory.new(50)
+    # set :cache, Padrino::Cache::Store::File.new(Padrino.root('tmp', app_name.to_s, 'cache')) # default choice
+    #
+
+    ##
+    # Application configuration options
+    #
+    # set :raise_errors, true       # Raise exceptions (will stop application) (default for test)
+    # set :dump_errors, true        # Exception backtraces are written to STDERR (default for production/development)
+    # set :show_exceptions, true    # Shows a stack trace in browser (default for development)
+    # set :logging, true            # Logging in STDOUT for development and file for production (default only for development)
+    # set :public_folder, 'foo/bar' # Location for static assets (default root/public)
+    # set :reload, false            # Reload application files (default in development)
+    # set :default_builder, 'foo'   # Set a custom form builder (default 'StandardFormBuilder')
+    # set :locale_path, 'bar'       # Set path for I18n translations (default your_apps_root_path/locale)
+    # disable :sessions             # Disabled sessions by default (enable if needed)
+    # disable :flash                # Disables sinatra-flash (enabled by default if Sinatra::Flash is defined)
+    # layout  :my_layout            # Layout can be in views/layouts/foo.ext or views/foo.ext (default :application)
+    #
+
+    ##
+    # You can configure for a specified environment like:
+    #
+    #   configure :development do
+    #     set :foo, :bar
+    #     disable :asset_stamp # no asset timestamping for dev
+    #   end
+    #
+
+    ##
+    # You can manage errors like:
+    #
+    #   error 404 do
+    #     render 'errors/404'
+    #   end
+    #
+    #   error 505 do
+    #     render 'errors/505'
+    #   end
+    #
+  end
+end

data/spec/support/hello_world_padrino/config.ru

@@ -0,0 +1,9 @@
+#!/usr/bin/env rackup
+# encoding: utf-8
+
+# This file can be used to start Padrino,
+# just execute it from the command line.
+
+require File.expand_path("../config/boot.rb", __FILE__)
+
+run Padrino.application

data/spec/support/hello_world_padrino/config/apps.rb

@@ -0,0 +1,39 @@
+##
+# This file mounts each app in the Padrino project to a specified sub-uri.
+# You can mount additional applications using any of these commands below:
+#
+#   Padrino.mount('blog').to('/blog')
+#   Padrino.mount('blog', :app_class => 'BlogApp').to('/blog')
+#   Padrino.mount('blog', :app_file =>  'path/to/blog/app.rb').to('/blog')
+#
+# You can also map apps to a specified host:
+#
+#   Padrino.mount('Admin').host('admin.example.org')
+#   Padrino.mount('WebSite').host(/.*\.?example.org/)
+#   Padrino.mount('Foo').to('/foo').host('bar.example.org')
+#
+# Note 1: Mounted apps (by default) should be placed into the project root at '/app_name'.
+# Note 2: If you use the host matching remember to respect the order of the rules.
+#
+# By default, this file mounts the primary app which was generated with this project.
+# However, the mounted app can be modified as needed:
+#
+#   Padrino.mount('AppName', :app_file => 'path/to/file', :app_class => 'BlogApp').to('/')
+#
+
+##
+# Setup global project settings for your apps. These settings are inherited by every subapp. You can
+# override these settings in the subapps as needed.
+#
+Padrino.configure_apps do
+  # enable :sessions
+  set :session_secret, 'dfb3c40b836796c198245c9770ca6048884942b0a7f33671dcee1cb60efefe39'
+  set :protection, true
+  set :protect_from_csrf, true
+end
+
+# Mounts the core application for this project
+Padrino.mount('HelloWorldPadrino::App', :app_file => Padrino.root('app/app.rb')).to('/')
+
+Padrino.mount('HelloWorldPadrino::Log', :app_file => Padrino.root('log/app.rb')).to('/log')
+Padrino.mount('HelloWorldPadrino::Dispatcher', :app_file => Padrino.root('dispatcher/app.rb')).to('/dispatcher')

data/spec/support/hello_world_padrino/config/boot.rb

@@ -0,0 +1,46 @@
+# Defines our constants
+PADRINO_ENV  = ENV['PADRINO_ENV'] ||= ENV['RACK_ENV'] ||= 'development'  unless defined?(PADRINO_ENV)
+PADRINO_ROOT = File.expand_path('../..', __FILE__) unless defined?(PADRINO_ROOT)
+
+# Load our dependencies
+require 'rubygems' unless defined?(Gem)
+require 'bundler/setup'
+Bundler.require(:default, PADRINO_ENV)
+
+##
+# ## Enable devel logging
+#
+# Padrino::Logger::Config[:development][:log_level]  = :devel
+# Padrino::Logger::Config[:development][:log_static] = true
+#
+# ## Configure your I18n
+#
+# I18n.default_locale = :en
+#
+# ## Configure your HTML5 data helpers
+#
+# Padrino::Helpers::TagHelpers::DATA_ATTRIBUTES.push(:dialog)
+# text_field :foo, :dialog => true
+# Generates: <input type="text" data-dialog="true" name="foo" />
+#
+# ## Add helpers to mailer
+#
+# Mail::Message.class_eval do
+#   include Padrino::Helpers::NumberHelpers
+#   include Padrino::Helpers::TranslationHelpers
+# end
+
+##
+# Add your before (RE)load hooks here
+#
+Padrino.before_load do
+end
+
+##
+# Add your after (RE)load hooks here
+#
+Padrino.after_load do
+  DataMapper.finalize
+end
+
+Padrino.load!