codesake-dawn 0.85 → 1.0.0.rc1
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/.travis.yml +1 -1
- data/Changelog.md +67 -1
- data/README.md +137 -29
- data/Rakefile +29 -2
- data/Roadmap.md +10 -93
- data/features/{dawn_complains_about_an_incorrect_command_line.feature → dawn_complains_about_an_incorrect_command_line.feature.disabled} +0 -0
- data/features/{dawn_scan_a_secure_sinatra_app.feature → dawn_scan_a_secure_sinatra_app.feature.disabled} +0 -0
- data/features/{dawn_scan_a_vulnerable_sinatra_app.feature → dawn_scan_a_vulnerable_sinatra_app.feature.disabled} +0 -0
- data/lib/codesake/dawn/kb/basic_check.rb +7 -1
- data/lib/codesake/dawn/kb/cve_2004_0755.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2004_0983.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2005_1992.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2005_2337.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2006_1931.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2006_2582.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2006_3694.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2006_4112.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2006_5467.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2006_6303.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2006_6852.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2006_6979.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2007_0469.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2007_5162.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2007_5379.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2007_5380.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2007_5770.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2007_6077.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2007_6612.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2008_1145.rb +40 -0
- data/lib/codesake/dawn/kb/cve_2008_1891.rb +40 -0
- data/lib/codesake/dawn/kb/cve_2008_2376.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2008_2662.rb +35 -0
- data/lib/codesake/dawn/kb/cve_2008_2663.rb +34 -0
- data/lib/codesake/dawn/kb/cve_2008_2664.rb +35 -0
- data/lib/codesake/dawn/kb/cve_2008_2725.rb +33 -0
- data/lib/codesake/dawn/kb/cve_2008_3655.rb +39 -0
- data/lib/codesake/dawn/kb/cve_2008_3657.rb +39 -0
- data/lib/codesake/dawn/kb/cve_2008_3790.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2008_3905.rb +38 -0
- data/lib/codesake/dawn/kb/cve_2008_4094.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2008_4310.rb +103 -0
- data/lib/codesake/dawn/kb/cve_2008_5189.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2008_7248.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2009_4078.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2009_4124.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2009_4214.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2010_2489.rb +62 -0
- data/lib/codesake/dawn/kb/cve_2010_3933.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_0188.rb +69 -0
- data/lib/codesake/dawn/kb/cve_2011_0739.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_1004.rb +36 -0
- data/lib/codesake/dawn/kb/cve_2011_1005.rb +33 -0
- data/lib/codesake/dawn/kb/cve_2011_2686.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_2705.rb +34 -0
- data/lib/codesake/dawn/kb/cve_2011_2930.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_3009.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_3187.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_4319.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_2090.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_4457.rb +1 -1
- data/lib/codesake/dawn/kb/dependency_check.rb +2 -2
- data/lib/codesake/dawn/kb/nokogiri_dos_20131217.rb +1 -0
- data/lib/codesake/dawn/kb/operating_system_check.rb +4 -3
- data/lib/codesake/dawn/kb/ruby_version_check.rb +9 -3
- data/lib/codesake/dawn/knowledge_base.rb +113 -0
- data/lib/codesake/dawn/padrino.rb +1 -1
- data/lib/codesake/dawn/version.rb +14 -2
- data/lib/tasks/dawn.rake +4 -0
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +256 -0
- data/spec/lib/dawn/{codesake_padrino_engine_spec.rb → codesake_padrino_engine_disabled.rb} +0 -0
- data/spec/lib/dawn/{codesake_rails_engine_spec.rb → codesake_rails_engine_disabled.rb} +0 -0
- data/spec/lib/dawn/{codesake_sinatra_engine_spec.rb → codesake_sinatra_engine_disabled.rb} +5 -5
- data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +40 -0
- data/spec/lib/kb/{codesake_cve_2013_6416.rb → codesake_cve_2013_6416_spec.rb} +5 -5
- data/spec/lib/kb/codesake_ruby_version_check_spec.rb +1 -0
- data/spec/lib/kb/cve_2004_0983_spec.rb +8 -0
- data/spec/lib/kb/cve_2005_1992_spec.rb +8 -0
- data/spec/lib/kb/cve_2005_2337_spec.rb +8 -0
- data/spec/lib/kb/cve_2006_1931_spec.rb +8 -0
- data/spec/lib/kb/cve_2006_2582_spec.rb +8 -0
- data/spec/lib/kb/cve_2006_3694_spec.rb +8 -0
- data/spec/lib/kb/cve_2006_4112_spec.rb +8 -0
- data/spec/lib/kb/cve_2006_5467_spec.rb +8 -0
- data/spec/lib/kb/cve_2006_6303_spec.rb +8 -0
- data/spec/lib/kb/cve_2006_6852_spec.rb +8 -0
- data/spec/lib/kb/cve_2006_6979_spec.rb +8 -0
- data/spec/lib/kb/cve_2007_0469_spec.rb +8 -0
- data/spec/lib/kb/cve_2007_5162_spec.rb +8 -0
- data/spec/lib/kb/cve_2007_5379_spec.rb +8 -0
- data/spec/lib/kb/cve_2007_5380_spec.rb +8 -0
- data/spec/lib/kb/cve_2007_5770_spec.rb +8 -0
- data/spec/lib/kb/cve_2007_6077_spec.rb +8 -0
- data/spec/lib/kb/cve_2007_6612_spec.rb +8 -0
- data/spec/lib/kb/cve_2008_1145_spec.rb +8 -0
- data/spec/lib/kb/cve_2008_1891_spec.rb +8 -0
- data/spec/lib/kb/cve_2008_2376_spec.rb +8 -0
- data/spec/lib/kb/cve_2008_2662_spec.rb +8 -0
- data/spec/lib/kb/cve_2008_2663_spec.rb +8 -0
- data/spec/lib/kb/cve_2008_2664_spec.rb +8 -0
- data/spec/lib/kb/cve_2008_2725_spec.rb +8 -0
- data/spec/lib/kb/cve_2008_3655_spec.rb +8 -0
- data/spec/lib/kb/cve_2008_3657_spec.rb +8 -0
- data/spec/lib/kb/cve_2008_3790_spec.rb +8 -0
- data/spec/lib/kb/cve_2008_3905_spec.rb +8 -0
- data/spec/lib/kb/cve_2008_4094_spec.rb +8 -0
- data/spec/lib/kb/cve_2008_4310_spec.rb +8 -0
- data/spec/lib/kb/cve_2008_5189_spec.rb +8 -0
- data/spec/lib/kb/cve_2008_7248_spec.rb +8 -0
- data/spec/lib/kb/cve_2009_4078_spec.rb +8 -0
- data/spec/lib/kb/cve_2009_4124_spec.rb +8 -0
- data/spec/lib/kb/cve_2009_4214_spec.rb +8 -0
- data/spec/lib/kb/cve_2010_2489_spec.rb +8 -0
- data/spec/lib/kb/cve_2010_3933_spec.rb +8 -0
- data/spec/lib/kb/cve_2011_0188_spec.rb +8 -0
- data/spec/lib/kb/cve_2011_0739_spec.rb +8 -0
- data/spec/lib/kb/cve_2011_1004_spec.rb +8 -0
- data/spec/lib/kb/cve_2011_1005_spec.rb +8 -0
- data/spec/lib/kb/cve_2011_2686_spec.rb +8 -0
- data/spec/lib/kb/cve_2011_2705_spec.rb +8 -0
- data/spec/lib/kb/cve_2011_2930_spec.rb +8 -0
- data/spec/lib/kb/cve_2011_3009_spec.rb +8 -0
- data/spec/lib/kb/cve_2011_3187_spec.rb +8 -0
- data/spec/lib/kb/cve_2011_4319_spec.rb +8 -0
- data/spec/lib/kb/cve_2013_2090_spec.rb +8 -0
- data/spec/lib/kb/{owasp_ror_cheatsheet_spec.rb → owasp_ror_cheatsheet_disabled.rb} +0 -0
- metadata +172 -395
- data/Competitive_matrix.md +0 -177
- data/TODO.md +0 -64
- data/spec/support/hello_world_3.0.19/Gemfile +0 -31
- data/spec/support/hello_world_3.0.19/README +0 -256
- data/spec/support/hello_world_3.0.19/Rakefile +0 -7
- data/spec/support/hello_world_3.0.19/app/controllers/application_controller.rb +0 -3
- data/spec/support/hello_world_3.0.19/app/helpers/application_helper.rb +0 -2
- data/spec/support/hello_world_3.0.19/app/views/layouts/application.html.erb +0 -14
- data/spec/support/hello_world_3.0.19/config.ru +0 -4
- data/spec/support/hello_world_3.0.19/config/application.rb +0 -42
- data/spec/support/hello_world_3.0.19/config/boot.rb +0 -6
- data/spec/support/hello_world_3.0.19/config/database.yml +0 -22
- data/spec/support/hello_world_3.0.19/config/environment.rb +0 -5
- data/spec/support/hello_world_3.0.19/config/environments/development.rb +0 -26
- data/spec/support/hello_world_3.0.19/config/environments/production.rb +0 -49
- data/spec/support/hello_world_3.0.19/config/environments/test.rb +0 -35
- data/spec/support/hello_world_3.0.19/config/initializers/backtrace_silencers.rb +0 -7
- data/spec/support/hello_world_3.0.19/config/initializers/inflections.rb +0 -10
- data/spec/support/hello_world_3.0.19/config/initializers/mime_types.rb +0 -5
- data/spec/support/hello_world_3.0.19/config/initializers/secret_token.rb +0 -7
- data/spec/support/hello_world_3.0.19/config/initializers/session_store.rb +0 -8
- data/spec/support/hello_world_3.0.19/config/locales/en.yml +0 -5
- data/spec/support/hello_world_3.0.19/config/routes.rb +0 -58
- data/spec/support/hello_world_3.0.19/db/seeds.rb +0 -7
- data/spec/support/hello_world_3.0.19/lib/tasks/.gitkeep +0 -0
- data/spec/support/hello_world_3.0.19/public/404.html +0 -26
- data/spec/support/hello_world_3.0.19/public/422.html +0 -26
- data/spec/support/hello_world_3.0.19/public/500.html +0 -26
- data/spec/support/hello_world_3.0.19/public/favicon.ico +0 -0
- data/spec/support/hello_world_3.0.19/public/images/rails.png +0 -0
- data/spec/support/hello_world_3.0.19/public/index.html +0 -239
- data/spec/support/hello_world_3.0.19/public/javascripts/application.js +0 -2
- data/spec/support/hello_world_3.0.19/public/javascripts/controls.js +0 -965
- data/spec/support/hello_world_3.0.19/public/javascripts/dragdrop.js +0 -974
- data/spec/support/hello_world_3.0.19/public/javascripts/effects.js +0 -1123
- data/spec/support/hello_world_3.0.19/public/javascripts/prototype.js +0 -6001
- data/spec/support/hello_world_3.0.19/public/javascripts/rails.js +0 -202
- data/spec/support/hello_world_3.0.19/public/robots.txt +0 -5
- data/spec/support/hello_world_3.0.19/public/stylesheets/.gitkeep +0 -0
- data/spec/support/hello_world_3.0.19/script/rails +0 -6
- data/spec/support/hello_world_3.0.19/test/performance/browsing_test.rb +0 -9
- data/spec/support/hello_world_3.0.19/test/test_helper.rb +0 -13
- data/spec/support/hello_world_3.0.19/vendor/plugins/.gitkeep +0 -0
- data/spec/support/hello_world_3.1.0/Gemfile +0 -33
- data/spec/support/hello_world_3.1.0/README +0 -261
- data/spec/support/hello_world_3.1.0/Rakefile +0 -7
- data/spec/support/hello_world_3.1.0/app/assets/images/rails.png +0 -0
- data/spec/support/hello_world_3.1.0/app/assets/javascripts/application.js +0 -9
- data/spec/support/hello_world_3.1.0/app/assets/stylesheets/application.css +0 -7
- data/spec/support/hello_world_3.1.0/app/controllers/application_controller.rb +0 -3
- data/spec/support/hello_world_3.1.0/app/helpers/application_helper.rb +0 -2
- data/spec/support/hello_world_3.1.0/app/mailers/.gitkeep +0 -0
- data/spec/support/hello_world_3.1.0/app/models/.gitkeep +0 -0
- data/spec/support/hello_world_3.1.0/app/views/layouts/application.html.erb +0 -14
- data/spec/support/hello_world_3.1.0/config.ru +0 -4
- data/spec/support/hello_world_3.1.0/config/application.rb +0 -48
- data/spec/support/hello_world_3.1.0/config/boot.rb +0 -6
- data/spec/support/hello_world_3.1.0/config/database.yml +0 -25
- data/spec/support/hello_world_3.1.0/config/environment.rb +0 -5
- data/spec/support/hello_world_3.1.0/config/environments/development.rb +0 -30
- data/spec/support/hello_world_3.1.0/config/environments/production.rb +0 -60
- data/spec/support/hello_world_3.1.0/config/environments/test.rb +0 -42
- data/spec/support/hello_world_3.1.0/config/initializers/backtrace_silencers.rb +0 -7
- data/spec/support/hello_world_3.1.0/config/initializers/inflections.rb +0 -10
- data/spec/support/hello_world_3.1.0/config/initializers/mime_types.rb +0 -5
- data/spec/support/hello_world_3.1.0/config/initializers/secret_token.rb +0 -7
- data/spec/support/hello_world_3.1.0/config/initializers/session_store.rb +0 -8
- data/spec/support/hello_world_3.1.0/config/initializers/wrap_parameters.rb +0 -14
- data/spec/support/hello_world_3.1.0/config/locales/en.yml +0 -5
- data/spec/support/hello_world_3.1.0/config/routes.rb +0 -58
- data/spec/support/hello_world_3.1.0/db/seeds.rb +0 -7
- data/spec/support/hello_world_3.1.0/lib/assets/.gitkeep +0 -0
- data/spec/support/hello_world_3.1.0/lib/tasks/.gitkeep +0 -0
- data/spec/support/hello_world_3.1.0/log/.gitkeep +0 -0
- data/spec/support/hello_world_3.1.0/public/404.html +0 -26
- data/spec/support/hello_world_3.1.0/public/422.html +0 -26
- data/spec/support/hello_world_3.1.0/public/500.html +0 -26
- data/spec/support/hello_world_3.1.0/public/favicon.ico +0 -0
- data/spec/support/hello_world_3.1.0/public/index.html +0 -241
- data/spec/support/hello_world_3.1.0/public/robots.txt +0 -5
- data/spec/support/hello_world_3.1.0/script/rails +0 -6
- data/spec/support/hello_world_3.1.0/test/fixtures/.gitkeep +0 -0
- data/spec/support/hello_world_3.1.0/test/functional/.gitkeep +0 -0
- data/spec/support/hello_world_3.1.0/test/integration/.gitkeep +0 -0
- data/spec/support/hello_world_3.1.0/test/performance/browsing_test.rb +0 -12
- data/spec/support/hello_world_3.1.0/test/test_helper.rb +0 -13
- data/spec/support/hello_world_3.1.0/test/unit/.gitkeep +0 -0
- data/spec/support/hello_world_3.1.0/vendor/assets/stylesheets/.gitkeep +0 -0
- data/spec/support/hello_world_3.1.0/vendor/plugins/.gitkeep +0 -0
- data/spec/support/hello_world_3.2.13/Gemfile +0 -38
- data/spec/support/hello_world_3.2.13/README.rdoc +0 -261
- data/spec/support/hello_world_3.2.13/Rakefile +0 -7
- data/spec/support/hello_world_3.2.13/app/assets/images/rails.png +0 -0
- data/spec/support/hello_world_3.2.13/app/assets/javascripts/application.js +0 -15
- data/spec/support/hello_world_3.2.13/app/assets/stylesheets/application.css +0 -13
- data/spec/support/hello_world_3.2.13/app/controllers/application_controller.rb +0 -3
- data/spec/support/hello_world_3.2.13/app/helpers/application_helper.rb +0 -10
- data/spec/support/hello_world_3.2.13/app/mailers/.gitkeep +0 -0
- data/spec/support/hello_world_3.2.13/app/models/.gitkeep +0 -0
- data/spec/support/hello_world_3.2.13/app/models/test.rb +0 -3
- data/spec/support/hello_world_3.2.13/app/views/layouts/application.html.erb +0 -14
- data/spec/support/hello_world_3.2.13/config.ru +0 -4
- data/spec/support/hello_world_3.2.13/config/application.rb +0 -62
- data/spec/support/hello_world_3.2.13/config/boot.rb +0 -6
- data/spec/support/hello_world_3.2.13/config/database.yml +0 -25
- data/spec/support/hello_world_3.2.13/config/environment.rb +0 -5
- data/spec/support/hello_world_3.2.13/config/environments/development.rb +0 -37
- data/spec/support/hello_world_3.2.13/config/environments/production.rb +0 -67
- data/spec/support/hello_world_3.2.13/config/environments/test.rb +0 -37
- data/spec/support/hello_world_3.2.13/config/initializers/backtrace_silencers.rb +0 -7
- data/spec/support/hello_world_3.2.13/config/initializers/inflections.rb +0 -15
- data/spec/support/hello_world_3.2.13/config/initializers/mime_types.rb +0 -5
- data/spec/support/hello_world_3.2.13/config/initializers/secret_token.rb +0 -7
- data/spec/support/hello_world_3.2.13/config/initializers/session_store.rb +0 -8
- data/spec/support/hello_world_3.2.13/config/initializers/wrap_parameters.rb +0 -14
- data/spec/support/hello_world_3.2.13/config/locales/en.yml +0 -5
- data/spec/support/hello_world_3.2.13/config/routes.rb +0 -58
- data/spec/support/hello_world_3.2.13/db/seeds.rb +0 -7
- data/spec/support/hello_world_3.2.13/lib/assets/.gitkeep +0 -0
- data/spec/support/hello_world_3.2.13/lib/tasks/.gitkeep +0 -0
- data/spec/support/hello_world_3.2.13/log/.gitkeep +0 -0
- data/spec/support/hello_world_3.2.13/public/404.html +0 -26
- data/spec/support/hello_world_3.2.13/public/422.html +0 -26
- data/spec/support/hello_world_3.2.13/public/500.html +0 -25
- data/spec/support/hello_world_3.2.13/public/favicon.ico +0 -0
- data/spec/support/hello_world_3.2.13/public/index.html +0 -241
- data/spec/support/hello_world_3.2.13/public/robots.txt +0 -5
- data/spec/support/hello_world_3.2.13/script/rails +0 -6
- data/spec/support/hello_world_3.2.13/test/fixtures/.gitkeep +0 -0
- data/spec/support/hello_world_3.2.13/test/functional/.gitkeep +0 -0
- data/spec/support/hello_world_3.2.13/test/integration/.gitkeep +0 -0
- data/spec/support/hello_world_3.2.13/test/performance/browsing_test.rb +0 -12
- data/spec/support/hello_world_3.2.13/test/test_helper.rb +0 -13
- data/spec/support/hello_world_3.2.13/test/unit/.gitkeep +0 -0
- data/spec/support/hello_world_3.2.13/vendor/assets/javascripts/.gitkeep +0 -0
- data/spec/support/hello_world_3.2.13/vendor/assets/stylesheets/.gitkeep +0 -0
- data/spec/support/hello_world_3.2.13/vendor/plugins/.gitkeep +0 -0
- data/spec/support/hello_world_padrino/.components +0 -9
- data/spec/support/hello_world_padrino/.gitignore +0 -8
- data/spec/support/hello_world_padrino/Gemfile +0 -42
- data/spec/support/hello_world_padrino/Rakefile +0 -6
- data/spec/support/hello_world_padrino/app/app.rb +0 -61
- data/spec/support/hello_world_padrino/config.ru +0 -9
- data/spec/support/hello_world_padrino/config/apps.rb +0 -39
- data/spec/support/hello_world_padrino/config/boot.rb +0 -46
- data/spec/support/hello_world_padrino/config/database.rb +0 -19
- data/spec/support/hello_world_padrino/cucumber.yml +0 -2
- data/spec/support/hello_world_padrino/db/migrate/001_create_users.rb +0 -16
- data/spec/support/hello_world_padrino/dispatcher/app.rb +0 -61
- data/spec/support/hello_world_padrino/features/add.feature +0 -11
- data/spec/support/hello_world_padrino/features/step_definitions/add_steps.rb +0 -15
- data/spec/support/hello_world_padrino/features/support/env.rb +0 -10
- data/spec/support/hello_world_padrino/features/support/url.rb +0 -17
- data/spec/support/hello_world_padrino/models/user.rb +0 -11
- data/spec/support/hello_world_padrino/public/favicon.ico +0 -0
- data/spec/support/hello_world_padrino/public/javascripts/application.js +0 -1
- data/spec/support/hello_world_padrino/public/javascripts/jquery-ujs.js +0 -95
- data/spec/support/hello_world_padrino/public/javascripts/jquery.js +0 -4
- data/spec/support/lorem.txt +0 -23
- data/spec/support/sinatra-safe/.gems +0 -4
- data/spec/support/sinatra-safe/Gemfile +0 -18
- data/spec/support/sinatra-safe/MIT-LICENSE +0 -20
- data/spec/support/sinatra-safe/README.rdoc +0 -35
- data/spec/support/sinatra-safe/Rakefile +0 -32
- data/spec/support/sinatra-safe/application.rb +0 -23
- data/spec/support/sinatra-safe/config.ru +0 -11
- data/spec/support/sinatra-safe/environment.rb +0 -25
- data/spec/support/sinatra-safe/lib/profile.rb +0 -11
- data/spec/support/sinatra-safe/public/main.css +0 -52
- data/spec/support/sinatra-safe/script/console +0 -16
- data/spec/support/sinatra-safe/views/layout.haml +0 -14
- data/spec/support/sinatra-safe/views/root.haml +0 -4
- data/spec/support/sinatra-vulnerable/.gems +0 -4
- data/spec/support/sinatra-vulnerable/Gemfile +0 -17
- data/spec/support/sinatra-vulnerable/MIT-LICENSE +0 -20
- data/spec/support/sinatra-vulnerable/README.rdoc +0 -35
- data/spec/support/sinatra-vulnerable/Rakefile +0 -32
- data/spec/support/sinatra-vulnerable/application.rb +0 -34
- data/spec/support/sinatra-vulnerable/config.ru +0 -11
- data/spec/support/sinatra-vulnerable/disabled.png +0 -0
- data/spec/support/sinatra-vulnerable/environment.rb +0 -25
- data/spec/support/sinatra-vulnerable/lib/profile.rb +0 -11
- data/spec/support/sinatra-vulnerable/public/main.css +0 -52
- data/spec/support/sinatra-vulnerable/script/console +0 -16
- data/spec/support/sinatra-vulnerable/views/layout.haml +0 -14
- data/spec/support/sinatra-vulnerable/views/root.haml +0 -4
- data/spec/support/sinatra-vulnerable/views/xss.haml +0 -3
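--- a/data/lib/codesake/dawn/kb/cve_2008_3657.rb
+++ b/data/lib/codesake/dawn/kb/cve_2008_3657.rb
@@ -0,0 +1,39 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2014-01-09
+class CVE_2008_3657
+include RubyVersionCheck
+
+def initialize
+message = "The dl module in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not check \"taintness\" of inputs, which allows context-dependent attackers to bypass safe levels and execute dangerous functions by accessing a library using DL.dlopen."
+
+super({
+:name=>"CVE-2008-3657",
+:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+:release_date => Date.new(2008, 8, 13),
+:cwe=>"20",
+:owasp=>"A9",
+:applies=>["rails", "sinatra", "padrino"],
+:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+:message=>message,
+:mitigation=>"Upgrade your ruby interpreter",
+:aux_links=>["http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/"]
+})
+
+self.safe_rubies = [
+{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p0"},
+{:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p287"},
+{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p999"},
+{:engine=>"ruby", :version=>"1.8.4", :patchlevel=>"p999"},
+{:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p999"},
+{:engine=>"ruby", :version=>"1.8.2", :patchlevel=>"p999"},
+{:engine=>"ruby", :version=>"1.8.1", :patchlevel=>"p999"},
+{:engine=>"ruby", :version=>"1.8.0", :patchlevel=>"p999"},
+{:engine=>"ruby", :version=>"1.6.999", :patchlevel=>"p0"}]
+
+end
+end
+end
+end
+end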
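Review bot: `safe_rubies` has no entry for the 1.8.7 branch, although the message names 1.8.7 through 1.8.7-p71 as affected, so whether a 1.8.7-p71 interpreter is flagged depends on how RubyVersionCheck treats a version with no matching entry (that module is not shown here). Adding `{:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p72"},` would make the list agree with the message. The `1.9.0`/`p0` entry is also worth a second look, since the message puts 1.9 builds through r18423 in scope and a `p0` floor presumably passes every 1.9.0 build. The same gap appears in the CVE_2008_3905 file further down, whose message says 1.8.7 before 1.8.7-p72 and whose list is identical.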
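--- a/data/lib/codesake/dawn/kb/cve_2008_3790.rb
+++ b/data/lib/codesake/dawn/kb/cve_2008_3790.rb
@@ -0,0 +1,32 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2014-01-09
+class CVE_2008_3790
+include RubyVersionCheck
+
+def initialize
+message = "The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an \"XML entity explosion.\""
+super({
+:name=>"CVE-2008-3790",
+:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
+:release_date => Date.new(2008, 8, 27),
+:cwe=>"20",
+:owasp=>"A9",
+:applies=>["rails", "sinatra", "padrino"],
+:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+:message=>message,
+:mitigation=>"Upgrade your ruby interpreter",
+:aux_links=>["http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/"]
+})
+
+self.safe_rubies = [
+{:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p73"},
+{:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p73"},
+{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p1"}
+]
+end
+end
+end
+end
+end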
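Review bot: The `safe_rubies` list repeats `{:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p73"}` on two consecutive lines and has no 1.8.6 entry, while the message lists 1.8.6 through 1.8.6-p287 as affected. The duplicate looks like a copy-paste slip for the 1.8.6 line; replacing it with `{:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"<first fixed 1.8.6 patchlevel>"},` (value to be taken from the advisory) would cover that branch. As written, a 1.8.6 interpreter is probably not matched by this check, which would be a false negative for a denial-of-service issue.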
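--- a/data/lib/codesake/dawn/kb/cve_2008_3905.rb
+++ b/data/lib/codesake/dawn/kb/cve_2008_3905.rb
@@ -0,0 +1,38 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2014-01-09
+class CVE_2008_3905
+include RubyVersionCheck
+
+def initialize
+message = "resolv.rb in Ruby 1.8.5 and earlier, 1.8.6 before 1.8.6-p287, 1.8.7 before 1.8.7-p72, and 1.9 r18423 and earlier uses sequential transaction IDs and constant source ports for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447."
+super({
+:name=>"CVE-2008-3905",
+:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:P",
+:release_date => Date.new(2008, 9, 4),
+:cwe=>"287",
+:owasp=>"A9",
+:applies=>["rails", "sinatra", "padrino"],
+:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+:message=>message,
+:mitigation=>"Upgrade your ruby interpreter",
+:aux_links=>["http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/"]
+})
+
+self.safe_rubies = [
+{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p0"},
+{:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p287"},
+{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p999"},
+{:engine=>"ruby", :version=>"1.8.4", :patchlevel=>"p999"},
+{:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p999"},
+{:engine=>"ruby", :version=>"1.8.2", :patchlevel=>"p999"},
+{:engine=>"ruby", :version=>"1.8.1", :patchlevel=>"p999"},
+{:engine=>"ruby", :version=>"1.8.0", :patchlevel=>"p999"},
+{:engine=>"ruby", :version=>"1.6.999", :patchlevel=>"p0"}]
+
+end
+end
+end
+end
+end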
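--- a/data/lib/codesake/dawn/kb/cve_2008_4094.rb
+++ b/data/lib/codesake/dawn/kb/cve_2008_4094.rb
@@ -0,0 +1,29 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2014-01-09
+class CVE_2008_4094
+include DependencyCheck
+
+def initialize
+message = "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer."
+super({
+:name=>"CVE-2008-4094",
+:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+:release_date => Date.new(2008, 9, 30),
+:cwe=>"89",
+:owasp=>"A1",
+:applies=>["rails"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade rails version at least to 2.1.1 or higher. As a general rule, using the latest stable rails version is recommended.",
+:aux_links=>["http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure"]
+})
+
+
+self.safe_dependencies = [{:name=>"rails", :version=>['2.1.1', '2.0.999', '1.9.999', '1.2.999', '1.1.999', '0.999.999']}]
+end
+end
+end
+end
+end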
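Review bot: The `:aux_links` entry points at a 2006 weblog post about Rails 1.1.6, which predates this CVE's `release_date` of 2008-09-30 and does not look related to the `:limit`/`:offset` SQL injection described in the message. A reader following the link from a scan report gets no guidance on this issue; it should be replaced with the advisory for the 2.1.1 fix, e.g. `:aux_links=>["<URL of the Rails 2.1.1 security announcement>"]`. A short comment above `safe_dependencies` explaining that the `x.y.999` entries are sentinels marking whole older branches as affected would also help the next maintainer, assuming that is what they mean.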
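--- a/data/lib/codesake/dawn/kb/cve_2008_4310.rb
+++ b/data/lib/codesake/dawn/kb/cve_2008_4310.rb
@@ -0,0 +1,103 @@
+module Codesake
+module Dawn
+module Kb
+class CVE_2008_4310_a
+include RubyVersionCheck
+def initialize
+message = "CVE_2008_4310_a: ruby 1.8.1 and 1.8.5 have problems"
+super({
+:name=>"CVE-2008_4310_a",
+:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+})
+self.safe_rubies = [
+{:engine=>"ruby", :version=>"1.8.1", :patchlevel=>"p999"},
+{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p999"}
+]
+end
+end
+
+class CVE_2008_4310_b
+include OperatingSystemCheck
+
+def initialize
+
+message = "CVE_2008_4310_b: Only on RedHat EL 4 and 5"
+
+super({
+:name=>"CVE-2008_4310_b",
+:kind=>Codesake::Dawn::KnowledgeBase::OS_CHECK,
+})
+
+self.safe_os=[
+#RHEL 5.10
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-371']},
+#RHEL 5.9
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-348']},
+#RHEL 5.8
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-308']},
+#RHEL 5.7
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-274']},
+#RHEL 5.6
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-238']},
+#RHEL 5.5
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-194']},
+#RHEL 5.4
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-164']},
+#RHEL 5.3
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-128']},
+#RHEL 5.2
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-92']},
+#RHEL 5.1
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-53']},
+#RHEL 5.0
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-8']},
+#RHEL 4.9
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-100']},
+#RHEL 4.8
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-89']},
+#RHEL 4.7
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-78']},
+#RHEL 4.6
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-67']},
+#RHEL 4.5
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-55']},
+#RHEL 4.4
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-42']},
+#RHEL 4.3
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-34']},
+#RHEL 4.2
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-22']},
+#RHEL 4.1
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-11']},
+#RHEL 4.0
+{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-5']}
+]
+end
+end
+
+class CVE_2008_4310
+include ComboCheck
+
+def initialize
+message = "httputils.rb in WEBrick in Ruby 1.8.1 and 1.8.5, as used in Red Hat Enterprise Linux 4 and 5, allows remote attackers to cause a denial of service (CPU consumption) via a crafted HTTP request. NOTE: this issue exists because of an incomplete fix for CVE-2008-3656."
+
+super({
+:name=>"CVE-2008-4310",
+:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:C",
+:release_date => Date.new(2008, 12, 9),
+:cwe=>"399",
+:owasp=>"A9",
+:applies=>["sinatra", "padrino", "rails"],
+:kind=>Codesake::Dawn::KnowledgeBase::COMBO_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade your ruby interpreter",
+:aux_links=>["http://secunia.com/advisories/33013"],
+:checks=>[CVE_2008_4310_a.new, CVE_2008_4310_b.new]
+})
+
+end
+end
+end
+end
+end
+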
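Review bot: In `CVE_2008_4310_a` and `CVE_2008_4310_b` the local `message` is assigned but never handed to `super`, so both sub-checks are built without a `:message`; adding `:message=>message,` to each hash would fix that. Their `:name` values (`"CVE-2008_4310_a"`, `"CVE-2008_4310_b"`) also mix a hyphen and underscores, unlike every other entry. Separately, `safe_os` identifies RHEL releases by kernel build string, which says nothing about whether the ruby package on the host carries the WEBrick fix; if OperatingSystemCheck compares these strings the way they read, a patched host may still be reported and a comment stating that limitation would be useful.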
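--- a/data/lib/codesake/dawn/kb/cve_2008_5189.rb
+++ b/data/lib/codesake/dawn/kb/cve_2008_5189.rb
@@ -0,0 +1,29 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2014-01-09
+class CVE_2008_5189
+include DependencyCheck
+
+def initialize
+message = "CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function."
+super({
+:name=>"CVE-2008-5189",
+:cvss=>"AV:N/AC:L/Au:N/C:N/I:P/A:N",
+:release_date => Date.new(2008, 11, 21),
+:cwe=>"352",
+:owasp=>"A8",
+:applies=>["rails"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade rails version at least to 2.0.5 or higher. As a general rule, using the latest stable rails version is recommended.",
+:aux_links=>["http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk"]
+})
+
+self.safe_dependencies = [{:name=>"rails", :version=>['2.0.5', '1.9.999', '1.2.999', '1.1.999', '0.999.999']}]
+
+end
+end
+end
+end
+end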
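Review bot: `:cwe=>"352"` and `:owasp=>"A8"` classify this entry as cross-site request forgery, but the message describes CRLF injection leading to HTTP response splitting through `redirect_to`. CWE-113 (HTTP response splitting) matches the description, so `:cwe=>"113",` is the value I would expect here, with the OWASP category adjusted to match. If the number was copied as-is from the upstream vulnerability record, a one-line comment saying so would stop someone changing it back and forth.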
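--- a/data/lib/codesake/dawn/kb/cve_2008_7248.rb
+++ b/data/lib/codesake/dawn/kb/cve_2008_7248.rb
@@ -0,0 +1,29 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2014-01-09
+class CVE_2008_7248
+include DependencyCheck
+
+def initialize
+message = "Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain."
+super({
+:name=>"CVE-2008-7248",
+:cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
+:release_date => Date.new(2009, 12, 16),
+:cwe=>"20",
+:owasp=>"A9",
+:applies=>["rails"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade rails version at least to 2.1.3 or 2.2.2 or higher. As a general rule, using the latest stable rails version is recommended.",
+:aux_links=>["http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en"]
+})
+
+self.safe_dependencies = [{:name=>"rails", :version=>['2.1.3', '2.2.2']}]
+
+end
+end
+end
+end
+end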
@@ -0,0 +1,31 @@
|
|
1
|
+
module Codesake
|
2
|
+
module Dawn
|
3
|
+
module Kb
|
4
|
+
# Automatically created with rake on 2014-01-09
|
5
|
+
class CVE_2009_4078
|
6
|
+
include DependencyCheck
|
7
|
+
|
8
|
+
def initialize
|
9
|
+
message = "Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
|
10
|
+
super({
|
11
|
+
:name=>"CVE-2009-4078",
|
12
|
+
:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
13
|
+
:release_date => Date.new(2009, 11, 25),
|
14
|
+
:cwe=>"79",
|
15
|
+
:owasp=>"A3",
|
16
|
+
:applies=>["rails", "sinatra", "padrino"],
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
18
|
+
:message=>message,
|
19
|
+
:mitigation=>"Please upgrade redmine version at least to 0.8.6 or higher. As a general rule, using the latest stable rails version is recommended.",
|
20
|
+
:aux_links=>["http://www.redmine.org/wiki/redmine/Changelog#v086-2009-11-04"]
|
21
|
+
})
|
22
|
+
|
23
|
+
self.safe_dependencies = [
|
24
|
+
{:name=>"redmine", :version=>['0.8.5', '0.7.999', '0.6.999', '0.5.999', '0.4.999', '0.3.999', '0.2.999', '0.1.999']}
|
25
|
+
]
|
26
|
+
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
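Review bot: `safe_dependencies` in `CVE_2009_4078#initialize` starts with `'0.8.5'`, but the message says Redmine 0.8.5 and earlier are affected and the mitigation names 0.8.6 as the target. If the first entry is the first fixed release, as it appears to be in the Rails checks of this commit (`'2.3.5'` for "before 2.3.5"), a 0.8.5 install would pass as safe. The entry should be `'0.8.6'`. The mitigation string also ends with "using the latest stable rails version", which looks copied from a Rails check and should say redmine.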
|
@@ -0,0 +1,32 @@
|
|
1
|
+
module Codesake
|
2
|
+
module Dawn
|
3
|
+
module Kb
|
4
|
+
# Automatically created with rake on 2014-01-09
|
5
|
+
class CVE_2009_4124
|
6
|
+
include RubyVersionCheck
|
7
|
+
|
8
|
+
def initialize
|
9
|
+
message = "Heap-based buffer overflow in the rb_str_justify function in string.c in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to execute arbitrary code via unspecified vectors involving (1) String#ljust, (2) String#center, or (3) String#rjust. NOTE: some of these details are obtained from third party information."
|
10
|
+
super({
|
11
|
+
:name=>"CVE-2009-4124",
|
12
|
+
:cvss=>"AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
13
|
+
:release_date => Date.new(2009, 12, 11),
|
14
|
+
:cwe=>"119",
|
15
|
+
:owasp=>"A9",
|
16
|
+
:applies=>["rails", "sinatra", "padrino"],
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
18
|
+
:message=>message,
|
19
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
20
|
+
:aux_links=>["http://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/"]
|
21
|
+
})
|
22
|
+
|
23
|
+
self.safe_rubies = [
|
24
|
+
{:engine=>"ruby", :version=>"1.9.1", :patchlevel=>"p376"},
|
25
|
+
]
|
26
|
+
|
27
|
+
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
32
|
+
end
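Review bot: `:mitigation=>"Upgrade your ruby interpreter"` in `CVE_2009_4124#initialize` gives the report reader no target release, although both the message and `safe_rubies` name 1.9.1-p376. I would write it as `:mitigation=>"Please upgrade your ruby interpreter to 1.9.1-p376 or later"`, which also matches the wording of the dependency checks in this commit that state the fixed version. The trailing comma after the single `safe_rubies` entry and the double blank line before `end` are harmless but worth tidying in the rake template that generates these files.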
|
@@ -0,0 +1,29 @@
|
|
1
|
+
module Codesake
|
2
|
+
module Dawn
|
3
|
+
module Kb
|
4
|
+
# Automatically created with rake on 2014-01-09
|
5
|
+
class CVE_2009_4214
|
6
|
+
include DependencyCheck
|
7
|
+
|
8
|
+
def initialize
|
9
|
+
message = "Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb."
|
10
|
+
super({
|
11
|
+
:name=>"CVE-2009-4214",
|
12
|
+
:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
13
|
+
:release_date => Date.new(2009, 12, 7),
|
14
|
+
:cwe=>"79",
|
15
|
+
:owasp=>"A3",
|
16
|
+
:applies=>["rails"],
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
18
|
+
:message=>message,
|
19
|
+
:mitigation=>"Please upgrade rails version at least to 2.3.5 or higher. As a general rule, using the latest stable rails version is recommended.",
|
20
|
+
:aux_links=>["http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1"]
|
21
|
+
})
|
22
|
+
|
23
|
+
self.safe_dependencies = [{:name=>"rails", :version=>['2.3.5', '2.2.999', '2.1.999', '1.999.999', '0.999.999']}]
|
24
|
+
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
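Review bot: The `safe_dependencies` list in `CVE_2009_4214#initialize` has entries for 2.3, 2.2, 2.1, 1.x and 0.x but none for the 2.0 branch, even though the message covers every Rails release before 2.3.5. Whether that leaves 2.0.x unreported depends on how `DependencyCheck` matches branches, which is not visible here. If matching is per minor branch, add `'2.0.999'` to the list. Otherwise, add a comment saying why it is not needed. Separately, the message reads "Ruby on Rails before before 2.3.5, allows", and the doubled word will show up in every report, so it should be `Ruby on Rails before 2.3.5 allows`.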
|
@@ -0,0 +1,62 @@
|
|
1
|
+
module Codesake
|
2
|
+
module Dawn
|
3
|
+
module Kb
|
4
|
+
# Automatically created with rake on 2014-01-09
|
5
|
+
class CVE_2010_2489_a
|
6
|
+
include RubyVersionCheck
|
7
|
+
|
8
|
+
def initialize
|
9
|
+
message = "CVE_2010_2489_a: ruby 1.9.2-p429 has problems"
|
10
|
+
super({
|
11
|
+
:name=>"CVE_2010_2489_a",
|
12
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
13
|
+
})
|
14
|
+
self.safe_rubies = [
|
15
|
+
{:engine=>"ruby", :version=>"1.9.2", :patchlevel=>"p430"},
|
16
|
+
{:engine=>"ruby", :version=>"1.9.1", :patchlevel=>"p999"},
|
17
|
+
{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p999"}
|
18
|
+
]
|
19
|
+
end
|
20
|
+
end
|
21
|
+
|
22
|
+
class CVE_2010_2489_b
|
23
|
+
include OperatingSystemCheck
|
24
|
+
def initialize
|
25
|
+
message = "CVE_2010_2489_a: Only on Windows"
|
26
|
+
super({
|
27
|
+
:name=>"CVE_2010_2489_ab",
|
28
|
+
:kind=>Codesake::Dawn::KnowledgeBase::OS_CHECK,
|
29
|
+
})
|
30
|
+
|
31
|
+
self.safe_os = [
|
32
|
+
{:family=>"windows", :vendor=>"microsoft", :version=>['none']}
|
33
|
+
]
|
34
|
+
|
35
|
+
end
|
36
|
+
|
37
|
+
end
|
38
|
+
|
39
|
+
class CVE_2010_2489
|
40
|
+
include ComboCheck
|
41
|
+
|
42
|
+
def initialize
|
43
|
+
message = "Buffer overflow in Ruby 1.9.x before 1.9.1-p429 on Windows might allow local users to gain privileges via a crafted ARGF.inplace_mode value that is not properly handled when constructing the filenames of the backup files"
|
44
|
+
super({
|
45
|
+
:name=>"CVE-2010-2489",
|
46
|
+
:cvss=>"AV:L/AC:L/Au:N/C:C/I:C/A:C",
|
47
|
+
:release_date => Date.new(2010, 7, 10),
|
48
|
+
:cwe=>"119",
|
49
|
+
:owasp=>"A9",
|
50
|
+
:applies=>["sinatra", "padrino", "rails"],
|
51
|
+
:kind=>Codesake::Dawn::KnowledgeBase::COMBO_CHECK,
|
52
|
+
:message=>message,
|
53
|
+
:mitigation=>"Please upgrade your ruby interpreter",
|
54
|
+
:aux_links=>["http://www.ruby-lang.org/en/news/2010/07/02/ruby-1-9-1-p429-is-released/"],
|
55
|
+
:checks=>[CVE_2010_2489_a.new, CVE_2010_2489_b.new]
|
56
|
+
})
|
57
|
+
|
58
|
+
end
|
59
|
+
end
|
60
|
+
end
|
61
|
+
end
|
62
|
+
end
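Review bot: The `safe_rubies` entries in `CVE_2010_2489_a` do not match the advisory text used by the combined check. The `CVE_2010_2489` message and its link name 1.9.1-p429 as the fixed release, while the helper lists 1.9.1 with `p999` and 1.9.2 with `p430`, and its own message talks about "1.9.2-p429". If the patchlevel is read as the first safe one, as in `CVE_2009_4124`, a patched 1.9.1-p429 interpreter on Windows would presumably still be reported. The 1.9.1 entry should then be `{:engine=>"ruby", :version=>"1.9.1", :patchlevel=>"p429"}`, with the 1.9.2 entry checked against the upstream announcement. `CVE_2010_2489_b` also carries copy-paste leftovers: its message starts with `CVE_2010_2489_a:` and its name is `"CVE_2010_2489_ab"`. Both should read `CVE_2010_2489_b` so a finding can be traced to the right sub-check.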
|