codesake-dawn 0.50

data/.gitignore

@@ -0,0 +1,18 @@
+*.sw?
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rvmrc

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# This is an RVM Project .rvmrc file, used to automatically load the ruby
+# development environment upon cd'ing into the directory
+
+# First we specify our desired <ruby>[@<gemset>], the @gemset name is optional,
+# Only full ruby name is supported here, for short names use:
+#     echo "rvm use 1.9.3" > .rvmrc
+environment_id="ruby-1.9.3-p194@codesake"
+
+# Uncomment the following lines if you want to verify rvm version per project
+# rvmrc_rvm_version="1.16.10 (stable)" # 1.10.1 seams as a safe start
+# eval "$(echo ${rvm_version}.${rvmrc_rvm_version} | awk -F. '{print "[[ "$1*65536+$2*256+$3" -ge "$4*65536+$5*256+$6" ]]"}' )" || {
+#   echo "This .rvmrc file requires at least RVM ${rvmrc_rvm_version}, aborting loading."
+#   return 1
+# }
+
+# First we attempt to load the desired environment directly from the environment
+# file. This is very fast and efficient compared to running through the entire
+# CLI and selector. If you want feedback on which environment was used then
+# insert the word 'use' after --create as this triggers verbose mode.
+if [[ -d "${rvm_path:-$HOME/.rvm}/environments"
+  && -s "${rvm_path:-$HOME/.rvm}/environments/$environment_id" ]]
+then
+  \. "${rvm_path:-$HOME/.rvm}/environments/$environment_id"
+  [[ -s "${rvm_path:-$HOME/.rvm}/hooks/after_use" ]] &&
+    \. "${rvm_path:-$HOME/.rvm}/hooks/after_use" || true
+else
+  # If the environment file has not yet been created, use the RVM CLI to select.
+  rvm --create  "$environment_id" || {
+    echo "Failed to create RVM environment '${environment_id}'."
+    return 1
+  }
+fi
+
+# If you use bundler, this might be useful to you:
+# if [[ -s Gemfile ]] && {
+#   ! builtin command -v bundle >/dev/null ||
+#   builtin command -v bundle | GREP_OPTIONS= \grep $rvm_path/bin/bundle >/dev/null
+# }
+# then
+#   printf "%b" "The rubygem 'bundler' is not installed. Installing it now.\n"
+#   gem install bundler
+# fi
+# if [[ -s Gemfile ]] && builtin command -v bundle >/dev/null
+# then
+#   bundle install | GREP_OPTIONS= \grep -vE '^Using|Your bundle is complete'
+# fi

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in codesake_dawn.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Paolo Perego
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,54 @@
+# Codesake::Dawn - code review engine for ruby powered code
+
+This is an ongoing roadmap for the dawn source code review tool.
+
+Dawn is a static analysis security scanner for ruby written web applications.
+It supports [Sinatra](http://www.sinatrarb.com),
+[Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
+frameworks. 
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'codesake_dawn'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install codesake_dawn
+
+## Usage
+
+You can start your code review with dawn very easily. Simply tell the tool
+where the project root directory is and which is the framework you used to
+write the web application. 
+
+_Sorry for non autodetect this; at this point we prefere working hard over core
+features like adding new vulnerabilities and having valuable output._
+
+dawn command line is in this form with options and the target.
+``` 
+$ dawn [options] target
+```
+
+
+
+You can also dump all security checks in the knowledge base by using the -k
+flag:
+
+```
+$ dawn -k|--list-knowledge-base 
+```
+
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,64 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+require 'fileutils'
+require "codesake/dawn/knowledge_base"
+
+RSpec::Core::RakeTask.new
+
+task :default => :spec
+task :test => :spec
+
+desc "Create a new CVE test"
+task :new_cve, :name do |t,args| 
+  name      = args.name
+  SRC_DIR   = "./lib/codesake/dawn/kb/"
+  SPEC_DIR  = "./spec/lib/kb/"
+
+  raise "### It seems that #{name} is already in Dawn knowledge base" unless Codesake::Dawn::KnowledgeBase.find(nil, name).nil?
+  raise "### Invalid CVE title: #{name}" if name.nil? or name.empty? or /CVE-\d{4}-\d{4}/.match(name).nil?
+  raise "### No target directory: #{SRC_DIR}" unless Dir.exists?(SRC_DIR)
+  raise "### No rspec directory: #{SPEC_DIR}" unless Dir.exists?(SPEC_DIR)
+
+  puts "Adding #{name} to knowledge base..."
+
+  rb_filename = SRC_DIR+name.downcase.gsub("-", "_")+".rb"
+  spec_filename = SPEC_DIR+name.downcase.gsub("-", "_")+"_spec.rb"
+  class_name = name.gsub("-", "_")
+
+  open(rb_filename, "w") do |file|
+    file.puts "module Codesake"
+    file.puts "\tmodule Dawn"
+    file.puts "\t\tmodule Kb"
+    file.puts "\t\t\t# Automatically created with rake on #{Time.now.strftime('%Y-%m-%d')}"
+    file.puts "\t\t\tclass #{class_name}"
+    file.puts "\t\t\t\t#"
+    file.puts "\t\t\t\t# Include the testing skeleton for this CVE"
+    file.puts "\t\t\t\t# include PatternMatchCheck"
+    file.puts "\t\t\t\t# include DependencyCheck"
+    file.puts "\t\t\t\t#"
+    file.puts ""
+    file.puts ""
+    file.puts "\t\t\t\tdef initialize"
+    file.puts "\t\t\t\tend"
+    file.puts "\t\t\tend"
+    file.puts "\t\tend"
+    file.puts "\tend"
+    file.puts "end"
+  end
+  puts "#{rb_filename} created"
+
+  open(spec_filename, "w") do |file|
+    file.puts "require \"spec_helper\""
+    file.puts "# Automatically created with rake on #{Time.now.strftime('%Y-%m-%d')}"
+    file.puts ""
+    file.puts "describe \"Security check for #{name}\" do"
+    file.puts "\tlet(:check) {Codesake::Dawn::Kb::#{class_name}.new}"
+    file.puts "\tit \"should be added to rspec\""
+    file.puts "end"
+  end
+  puts "#{spec_filename} created"
+
+  puts "*** PLEASE ADD #{name} to spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
+  puts "*** PLEASE ADD #{name} to lib/codesake/dawn/knowledge_base.rb in order to reflect changes"
+end

data/Roadmap.md

@@ -0,0 +1,44 @@
+# Codesake Dawn - roadmap
+
+This is an ongoing roadmap for the dawn source code review tool.
+
+Dawn is a static analysis security scanner for ruby written web applications.
+It supports [Sinatra](http://www.sinatrarb.com),
+[Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
+frameworks. 
+
+This is an ongoing roadmap for the project.
+
+_latest update: Fri May 10 09:43:11 CEST 2013_
+
+## Version 0.50 (First public release)
+
+* adding test for CVE\_2013\_0269
+* adding test for CVE\_2013\_0155
+* adding test for CVE\_2011\_2931
+* adding test for CVE\_2012\_3465
+
+## Version 0.60
+
+* make output less verbose. Only vulnerabilities and severity will be shown 
+* adding a '--verbose' option to see also the whole knowledge base info about each findings
+* grepping views for XSS attempts (sinatra)
+
+## Version 0.70 
+
+* add ruby\_parser dependency
+* support sinatra application controllers parsing for XSS
+* grepping views for XSS attempts (rails)
+
+## Version 0.80
+
+* support sinatra application controllers parsing for SQLi
+* support rails application controllers parsing for XSS
+* grepping views for XSS attempts (padrino)
+
+## Version 1.00
+
+* dedicated web site under dawn.codesake.com
+* support rails application controllers parsing for SQLi
+* support padrino application controllers parsing for XSS
+* support padrino application controllers parsing for SQLi

data/bin/dawn

@@ -0,0 +1,106 @@
+#!/usr/bin/env ruby
+
+require 'getoptlong'
+
+require 'codesake_commons'
+require 'codesake-dawn'
+
+APPNAME = File.basename($0)
+LIST_KNOWN_FRAMEWORK  = %w(rails sinatra) #padrino)
+
+logger  = Codesake::Commons::Logging.instance
+opts    = GetoptLong.new(
+  [ '--rails',                  '-r',   GetoptLong::NO_ARGUMENT],
+  [ '--sinatra',                '-s',   GetoptLong::NO_ARGUMENT],
+  [ '--padrino',                '-p',   GetoptLong::NO_ARGUMENT],
+  [ '--list-known-framework',   '-f', GetoptLong::NO_ARGUMENT ],
+  [ '--list-knowledgebase',     '-k', GetoptLong::NO_ARGUMENT ],
+  [ '--version',                '-v', GetoptLong::NO_ARGUMENT],
+  [ '--help',                   '-h', GetoptLong::NO_ARGUMENT]
+)
+engine  = nil
+
+trap("INT")   { logger.die('[INTERRUPTED]') }
+
+
+opts.each do |opt, val|
+  case opt
+  when '--version'
+    puts "#{Codesake::Dawn::VERSION}"
+    Kernel.exit(0)
+  when '--rails'
+    engine = Codesake::Dawn::Rails.new
+  when '--sinatra'
+    engine = Codesake::Dawn::Sinatra.new
+  when '--padrino'
+    puts "sorry padrino is not yet supported"
+    Kernel.exit(1)
+  when '--list-knowledgebase'
+    kb = Codesake::Dawn::KnowledgeBase.new
+    puts "Security checks currently supported:\n\n"
+
+    kb.all.each do |check|
+      puts "Name: #{check.name}\tCVSS: #{check.cvss_score}\tReleased: #{check.release_date}"
+      puts "Description\n#{check.message}"
+      puts "Remediation\n#{check.remediation}\n\n"
+    end
+    Kernel.exit(0)
+
+  when '--list-known-framework'
+    puts "Ruby MVC framework supported by #{APPNAME}:"
+    LIST_KNOWN_FRAMEWORK.each do |mvc|
+      puts "* #{mvc}"
+    end
+    Kernel.exit(0)
+  end
+end
+
+target=ARGV.shift
+
+logger.helo "#{APPNAME} v#{Codesake::Dawn::VERSION} (C) 2013 - paolo@armoredcode.com is starting up"
+logger.die "please specify the target language" if engine.nil?
+
+engine.set_target(target) unless engine.nil?
+engine.load_knowledge_base
+
+logger.die "nothing to do on #{target}" unless engine.can_apply?
+logger.log "scanning #{target}"
+logger.log "#{engine.name} v#{engine.get_mvc_version} detected"
+logger.log "applying all security checks" 
+if engine.apply_all 
+  logger.ok "all security checks applied"
+else
+  logger.err "no security checks in the knowledge base"
+end
+
+if engine.vulnerabilities.count != 0
+
+logger.log "#{engine.vulnerabilities.count} vulnerabilities found"
+engine.vulnerabilities.each do |vuln|
+  logger.err "#{vuln[:name]} failed"
+  logger.log "Description: #{vuln[:message]}"
+  logger.log "Solution: #{vuln[:remediation]}"
+  logger.err "Evidence:"
+  vuln[:evidences].each do |evidence|
+    logger.err evidence
+  end
+end
+else
+  logger.ok "no vulnerabilities found."
+end
+
+if engine.mitigated_issues.count != 0
+  logger.log "#{engine.mitigated_issues.count} mitigated vulnerabilities found"
+  engine.mitigated_issues.each do |vuln|
+    logger.ok "#{vuln[:name]} mitigated"
+    vuln[:evidences].each do |evidence|
+      logger.err evidence
+    end
+  end
+end
+
+
+
+logger.helo "#{APPNAME} is shutting down"
+Kernel.exit(0)
+

data/codesake_dawn.gemspec

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'codesake/dawn/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "codesake-dawn"
+  gem.version       = Codesake::Dawn::VERSION
+  gem.authors       = ["Paolo Perego"]
+  gem.email         = ["thesp0nge@gmail.com"]
+  gem.description   = %q{dawn is a security static source code analyzer for web applications written in ruby. It supports major MVC frameworks like sinatra, padrino and ruby on rails. dawn output is a list of security vulnerabilities affecting your code with a suggestion on how to mitigate all of them.}
+  gem.summary       = %q{dawn is a security static source code analyzer for sinatra, padrino and ruby on rails web applicartions.}
+  gem.homepage      = "http://codesake.com"
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_dependency 'codesake_commons', '> 0.50.0'
+  gem.add_dependency 'cvss'
+
+  gem.add_development_dependency 'rake'
+  gem.add_development_dependency 'rspec'
+end

data/lib/codesake-dawn.rb

@@ -0,0 +1,7 @@
+require "codesake/dawn/version"
+require "codesake/dawn/knowledge_base"
+require "codesake/dawn/rails"
+require "codesake/dawn/sinatra"
+require "codesake_commons"
+
+require "date"

data/lib/codesake/dawn/engine.rb

@@ -0,0 +1,144 @@
+require 'bundler'
+
+module Codesake
+  module Dawn
+    module Engine
+      attr_reader :target
+      attr_reader :name
+      attr_reader :gemfile_lock
+      attr_reader :mvc_version
+      attr_reader :connected_gems
+      attr_reader :checks
+      attr_reader :vulnerabilities
+      attr_reader :mitigated_issues
+
+      def initialize(dir=nil, name="")
+        @name = name
+        @mvc_version = ""
+        @gemfile_lock = ""
+        @connected_gems = []
+        @checks = []
+        @vulnerabilities = []
+        @mitigated_issues = []
+        @applied = []
+        set_target(dir) unless dir.nil?
+        load_knowledge_base
+      end
+
+      def set_target(dir)
+        @target = dir
+        @gemfile_lock = File.join(@target, "Gemfile.lock")
+        @mvc_version = set_mvc_version
+      end
+
+      def target_is_dir?
+        File.directory?(@target)
+      end
+
+      def load_knowledge_base
+        @checks = Codesake::Dawn::KnowledgeBase.new.all_by_mvc(self.name)
+        @checks
+      end
+
+      def set_mvc_version
+        ver = ""
+        return ver unless target_is_dir?
+        return ver unless has_gemfile_lock?
+
+        my_dir = Dir.pwd
+        Dir.chdir(@target) 
+        lockfile = Bundler::LockfileParser.new(Bundler.read_file("Gemfile.lock"))
+        lockfile.specs.each do |s|
+          ver= s.version.to_s if s.name == @name
+          @connected_gems << {:name=>s.name, :version=>s.version.to_s}
+        end
+        Dir.chdir(my_dir)
+        return ver
+      end
+
+      def has_gemfile_lock?
+        File.exist?(@gemfile_lock)
+      end
+
+      def is_good_mvc?
+        (@mvc_version != "")
+      end
+
+      def can_apply?
+        target_is_dir? and is_good_mvc?
+      end
+
+      def get_mvc_version
+        "#{@name} #{@mvc_version}" if is_good_mvc? 
+      end
+
+      ## Security stuff applies here
+      #
+      # Public it applies a single security check given by its name
+      #
+      # name - the security check to be applied
+      #
+      # Examples
+      #   
+      #   engine.apply("CVE-2013-1800") 
+      #   # => boolean
+      #
+      # Returns a true value if the security check was successfully applied or false
+      # otherwise
+      def apply(name)
+        load_knowledge_base if @checks.nil?
+
+        @checks.each do |check|
+          if check.name == name
+            @applied << { :name=>name }
+            check.dependencies = self.connected_gems if check.kind == Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK
+            check.root_dir = self.target if check.kind  == Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK
+            @vulnerabilities  << {:name=> check.name, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences} if check.vuln?
+            @mitigated_issues << {:name=> check.name, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences} if check.mitigated?
+            return true
+          end
+        end
+
+        false
+      end
+
+      def apply_all
+        load_knowledge_base if @checks.nil?
+        return false if @checks.empty?
+
+        @checks.each do |check|
+          @applied << { :name => name }
+          check.dependencies = self.connected_gems if check.kind == Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK
+          check.root_dir = self.target if check.kind  == Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK
+          @vulnerabilities  << {:name=> check.name, :message=>check.message, :remediation=>check.remediation , :evidences=>check.evidences} if check.vuln?
+          @mitigated_issues << {:name=> check.name, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences} if check.mitigated?
+        end
+
+        true
+
+      end
+      
+      def is_applied?(name)
+        @applied.each do |a|
+          return true if a[:name] == name
+        end
+        return false
+      end
+
+      def vulnerabilities
+        apply_all if @applied.empty?
+        @vulnerabilities
+      end
+
+      def is_vulnerable_to?(name)
+        apply(name) unless is_applied?(name)
+        
+        @vulnerabilities.each do |v|
+          return true if v[:name] == name
+        end
+
+        false
+      end
+    end
+  end
+end