codesake-dawn 1.0.4 → 1.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 914a2707ab6f6f0ddf7966e68d892631f10442e2
-  data.tar.gz: c699f50ca63a6faaa85ce13cf173cd00f0824e8a
+  metadata.gz: a3cfd7dcde00df1e924802c9a980ca4df702a01e
+  data.tar.gz: d4b4a80895d4ac4067beb45d0f1bab10314c9c6f
 SHA512:
-  metadata.gz: 3384ce19d54e70a4cda683b45840f6c77a78dabffc78507f5b734ed539f0b82d83c2a13578aa256e68aad31af159657080aa73e3f5edcef72193902a8adfc293
-  data.tar.gz: 9afe07268b10933f21dd169dd9bae01b9ceb3f668f475ea5a354cc43e93d096b4b502581f739cf4c834703e7f6458dee8808e70fa307af726d1915a41dc44a9d
+  metadata.gz: 69fc2f353ffa35c92268c36bf12863df8fd9b248dd0706c505d4d240f9a923b433fe9daa120e5b9bd9898d3bdcfa5dab6944aa6f5390a02c962d2bce9ef99d24
+  data.tar.gz: 1058acec0fe728506c2d2014938061f316617aefab6b2f43a2f491997a5a1a3cd8a3085dd248650c72708060838f4ef527cb1bd942feb907a810635edc6bb8dc

data/Changelog.md

@@ -3,9 +3,14 @@
 Codesake::Dawn is a static analysis security scanner for ruby written web applications.
 It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
-frameworks. 
+frameworks.
 
-_latest update: Fri Jan 24 07:57:58 CET 2014_
+_latest update: Tue Mar 18 15:57:42 CET 2014_
+
+## Version 1.0.5 - codename: Lightning McQueen (2014-03-18)
+
+* Added a check for CVE-2014-2322
+* Added a check for CVE-2014-0036
 
 ## Version 1.0.4 - codename: Lightning McQueen (2014-03-14)
 

data/doc/dawn_1_0_announcement.md

@@ -43,6 +43,18 @@ Paolo - paolo@codesake.com
 
 ## Twitter announcement
 
+### version 1.0.5
+
+@dawnscanner version 1.0.5 is out. 2 new security checks: CVE-2014-2322 and CVE-2014-0036 #ruby #security #rails #sinatra #padrino
+
+### version 1.0.4
+
+@dawnscanner version 1.0.4 is out. 10 security checks actually in development were backported to master release. https://twitter.com/rubygems/status/444389931851718656 #ruby #security #rails
+
+### version 1.0.3
+
+@dawnscanner version 1.0.3 is out. It fixes the rake task that it wasn't available. https://github.com/codesake/codesake-dawn/issues/37 #sinatra #padrino #rails
+
 ### version 1.0.2
 
 @dawnscanner version 1.0.2 is out. It fixes an annoying bug whit rainbow gem 2.0.0 #sinatra #padrino #rubyonrails #security #scanner 
@@ -57,6 +69,32 @@ Paolo - paolo@codesake.com
 
 ## Linkedin announcement 
 
+### version 1.0.5
+
+@dawnscanner version 1.0.r54 is out. You can read the announcement here: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-5-released/
+Codesake::Dawn v1.0.5 introduces 2 newly released CVE bullettins: CVE-2014-006 and CVE-2014-2322 about a MitM Spoofing Weakness in rbovirt gem and command injection in arabic prawn gem. Codesake::Dawk supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box.
+
+$ gem install codesake-dawn 
+$ have fun
+
+### version 1.0.4
+
+@dawnscanner version 1.0.4 is out. You can read the announcement here: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-4-released/
+Codesake::Dawn v1.0.4 introduces 10 security checks backported from upcoming version 1.1.x and released in the latest months. Now the knowledge base has 152 security checks. Codesake::Dawk supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box.
+
+$ gem install codesake-dawn 
+$ have fun
+
+### version 1.0.3
+@dawnscanner version 1.0.3 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 142 CVE bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC framework out of the box. 
+
+Now you can add the ```require 'codesake/dawn/tasks'``` line in your Rakefile taking advantages from the rake ```dawn:run``` task
+
+https://twitter.com/rubygems/status/433913686659702784
+
+$ gem install codesake-dawn 
+$ have fun
+
 ### version 1.0.2
 @dawnscanner version 1.0.2 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 142 CVE bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC framework out of the box. 
 

data/lib/codesake/dawn/kb/cve_2014_0036.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-03-14
+			class CVE_2014_0036
+				include DependencyCheck
+
+				def initialize
+          message = "rbovirt Gem for Ruby contains a flaw related to certificate validation. The issue is due to the program failing to validate SSL certificates. This may allow an attacker with access to network traffic (e.g. MiTM, DNS cache poisoning) to spoof the SSL server via an arbitrary certificate that appears valid. Such an attack would allow for the interception of sensitive traffic, and potentially allow for the injection of content into the SSL stream."
+
+           super({
+            :name=>"CVE-2014-0036",
+            :cvss=>"",
+            :release_date => Date.new(2014, 3, 5),
+            :cwe=>"20",
+            :owasp=>"A9",
+            :applies=>["sinatra", "padrino", "rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rbovirt version at least to 0.0.24. As a general rule, using the latest version is recommended.",
+            :aux_links=>["http://www.securityfocus.com/bid/66006"]
+           })
+
+           self.safe_dependencies = [{:name=>"rbovirt", :version=>['0.0.24']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2014_2322.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-03-14
+			class CVE_2014_2322
+				# Include the testing skeleton for this CVE
+				include DependencyCheck
+
+				def initialize
+          message = "Arabic Prawn Gem for Ruby contains a flaw in the ib/string_utf_support.rb file. The issue is due to the program failing to sanitize user input. This may allow a remote attacker to inject arbitrary commands."
+
+           super({
+            :name=>"CVE-2014-2322",
+            :cvss=>"",
+            :release_date => Date.new(2014, 3, 10),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["sinatra", "padrino", "rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"At March, 14 2014 a fixed Arabic-Prawn release is not available. Please sanitize your input before passing it to this gem and upgrade to higher versions as soon as possible",
+            :aux_links=>["http://packetstormsecurity.com/files/125679/Ruby-Gem-Arabic-Prawn-0.0.1-Command-Injection.html"]
+           })
+
+           self.safe_dependencies = [{:name=>"Arabic-Prawn", :version=>['0.0.2']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb

@@ -7,14 +7,26 @@ module Codesake
           include PatternMatchCheck
 
           def initialize
-            message = <<EOT
-          Web applications often require the ability to dynamically redirect users based on client-supplied data. To clarify, dynamic redirection usually entails the client including a URL in a parameter within a request to the application. Once received by the application, the user is redirected to the URL specified in the request. For example:
-            http://www.example.com/redirect?url=http://www.example_commerce_site.com/checkout
-          The above request would redirect the user to http://www.example.com/checkout. The security concern associated with this functionality is leveraging an organization’s trusted brand to phish users and trick them into visiting a malicious site, in our example, “badhacker.com”. Example:
-            http://www.example.com/redirect?url=http://badhacker.com
-          The most basic, but restrictive protection is to use the :only_path option. Setting this to true will essentially strip out any host information.
-
-EOT
+            message = <<-EOT
+Web applications often require the ability to dynamically redirect users based
+on client-supplied data. To clarify, dynamic redirection usually entails the
+client including a URL in a parameter within a request to the application. Once
+received by the application, the user is redirected to the URL specified in the
+request.
+
+For example: http://www.example.com/redirect?url=http://www.example_commerce_site.com/checkout
+
+The above request would redirect the user to http://www.example.com/checkout.
+
+The security concern associated with this functionality is leveraging an
+organization's trusted brand to phish users and trick them into visiting a
+malicious site, in our example, "badhacker.com".
+
+Example: http://www.example.com/redirect?url=http://badhacker.com
+
+The most basic, but restrictive protection is to use the :only_path option.
+Setting this to true will essentially strip out any host information.
+            EOT
 
             super({
               :name=>"Owasp Ror CheatSheet: Check for safe redirect and forward",

data/lib/codesake/dawn/knowledge_base.rb

@@ -196,10 +196,12 @@ require "codesake/dawn/kb/cve_2013_7086"
 
 # CVE - 2014
 
+require "codesake/dawn/kb/cve_2014_0036"
 require "codesake/dawn/kb/cve_2014_0081"
 require "codesake/dawn/kb/cve_2014_0082"
 require "codesake/dawn/kb/cve_2014_1233"
 require "codesake/dawn/kb/cve_2014_1234"
+require "codesake/dawn/kb/cve_2014_2322"
 
 module Codesake
   module Dawn
@@ -410,10 +412,12 @@ module Codesake
           Codesake::Dawn::Kb::CVE_2013_6421.new, 
           Codesake::Dawn::Kb::CVE_2013_6459.new, 
           Codesake::Dawn::Kb::CVE_2013_7086.new, 
-          Codesake::Dawn::Kb::CVE_2014_1233.new,
-          Codesake::Dawn::Kb::CVE_2014_1234.new,
+          Codesake::Dawn::Kb::CVE_2014_0036.new, 
           Codesake::Dawn::Kb::CVE_2014_0081.new, 
           Codesake::Dawn::Kb::CVE_2014_0082.new, 
+          Codesake::Dawn::Kb::CVE_2014_1233.new,
+          Codesake::Dawn::Kb::CVE_2014_1234.new,
+          Codesake::Dawn::Kb::CVE_2014_2322.new,
 
         ]
       end

data/lib/codesake/dawn/version.rb

@@ -16,10 +16,10 @@ module Codesake
     # "Guido"
     # "Luigi"
 
-    VERSION   = "1.0.4"
+    VERSION   = "1.0.5"
     CODENAME  = "Lightning McQueen"
     # RELEASE   = "(development)"
-    RELEASE   = "20140314"
+    RELEASE   = "20140318"
 
   end
 end

data/spec/lib/dawn/codesake_knowledgebase_spec.rb

@@ -768,4 +768,15 @@ end
   sc.should_not   be_nil
   sc.class.should == Codesake::Dawn::Kb::CVE_2013_1756
 end
+  it "must have test for CVE-2014-2322" do
+      sc = kb.find("CVE-2014-2322")
+        sc.should_not   be_nil
+          sc.class.should == Codesake::Dawn::Kb::CVE_2014_2322
+  end
+
+  it "must have test for CVE-2014-0036" do
+      sc = kb.find("CVE-2014-0036")
+        sc.should_not   be_nil
+          sc.class.should == Codesake::Dawn::Kb::CVE_2014_0036
+  end
 end

data/spec/lib/kb/cve_2014_0036_spec.rb

@@ -0,0 +1,16 @@
+require 'spec_helper'
+describe "The CVE-2014-0036 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::CVE_2014_0036.new
+		# @check.debug = true
+	end
+  it "must be filled with CVSS information"
+  it "is reported when a vulnerable rbovirt gem version is detected (0.0.23)" do
+    @check.dependencies = [{:name=>"rbovirt", :version=>'0.0.23'}]
+    @check.vuln?.should   be_true
+  end
+  it "is not reported when a sage rbovirt gem version is detected (0.0.24)" do
+    @check.dependencies = [{:name=>"rbovirt", :version=>'0.0.24'}]
+    @check.vuln?.should   be_false
+  end
+end

data/spec/lib/kb/cve_2014_2322_spec.rb

@@ -0,0 +1,16 @@
+require 'spec_helper'
+describe "The CVE-2014-2322 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::CVE_2014_2322.new
+		# @check.debug = true
+	end
+  it "must be filled with CVSS information"
+  it "is reported when a vulnerable arabic prawn gem version is found (0.0.1)" do
+    @check.dependencies = [{:name=>"Arabic-Prawn", :version=>'0.0.1'}]
+    @check.vuln?.should   be_true
+  end
+  it "is not reported when a sage vulnerable arabic prawn gem version is found (0.0.2)" do
+    @check.dependencies = [{:name=>"Arabic-Prawn", :version=>'0.0.2'}]
+    @check.vuln?.should   be_false
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: codesake-dawn
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 1.0.5
 platform: ruby
 authors:
 - Paolo Perego
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-03-14 00:00:00.000000000 Z
+date: 2014-03-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codesake-commons
@@ -379,10 +379,12 @@ files:
 - lib/codesake/dawn/kb/cve_2013_6421.rb
 - lib/codesake/dawn/kb/cve_2013_6459.rb
 - lib/codesake/dawn/kb/cve_2013_7086.rb
+- lib/codesake/dawn/kb/cve_2014_0036.rb
 - lib/codesake/dawn/kb/cve_2014_0081.rb
 - lib/codesake/dawn/kb/cve_2014_0082.rb
 - lib/codesake/dawn/kb/cve_2014_1233.rb
 - lib/codesake/dawn/kb/cve_2014_1234.rb
+- lib/codesake/dawn/kb/cve_2014_2322.rb
 - lib/codesake/dawn/kb/dependency_check.rb
 - lib/codesake/dawn/kb/nokogiri_dos_20131217.rb
 - lib/codesake/dawn/kb/nokogiri_entityexpansion_dos_20131217.rb
@@ -436,10 +438,12 @@ files:
 - spec/lib/kb/cve_2013_5647_spec.rb
 - spec/lib/kb/cve_2013_6459_spec.rb
 - spec/lib/kb/cve_2013_7086_spec.rb
+- spec/lib/kb/cve_2014_0036_spec.rb
 - spec/lib/kb/cve_2014_0081_spec.rb
 - spec/lib/kb/cve_2014_0082_spec.rb
 - spec/lib/kb/cve_2014_1233_spec.rb
 - spec/lib/kb/cve_2014_1234_spec.rb
+- spec/lib/kb/cve_2014_2322_spec.rb
 - spec/lib/kb/owasp_ror_cheatsheet_disabled.rb
 - spec/spec_helper.rb
 homepage: http://dawn.codesake.com
@@ -499,9 +503,11 @@ test_files:
 - spec/lib/kb/cve_2013_5647_spec.rb
 - spec/lib/kb/cve_2013_6459_spec.rb
 - spec/lib/kb/cve_2013_7086_spec.rb
+- spec/lib/kb/cve_2014_0036_spec.rb
 - spec/lib/kb/cve_2014_0081_spec.rb
 - spec/lib/kb/cve_2014_0082_spec.rb
 - spec/lib/kb/cve_2014_1233_spec.rb
 - spec/lib/kb/cve_2014_1234_spec.rb
+- spec/lib/kb/cve_2014_2322_spec.rb
 - spec/lib/kb/owasp_ror_cheatsheet_disabled.rb
 - spec/spec_helper.rb