codesake-dawn 0.50 → 0.60

data/.ruby-gemset

@@ -0,0 +1 @@
+codesake

data/.ruby-version

@@ -0,0 +1 @@
+ruby-1.9.3-p429

data/Competitive_matrix.md

@@ -0,0 +1,148 @@
+# Competitive matrix between dawn and other security static code scanners
+
+This is the point where I try to answer the very good question: _dawn? it is a
+great tool but which are the differences between it and ( put your favorite
+tool here )?_
+
+Of course, as you may wonder, I'm the dawn author so I can be less impartial
+than a third party review that it is strongly encouraged and that it will put
+linked to this page (even in case you will make criticisms to my tool)
+
+## The competitors
+
+As [@presidentbeef](https://twitter.com/presidentbeef) pointed me out, there
+are a couple of security source code static analyzers (lets'call them SAST from
+this point) supporting ruby.
+
+* [brakeman scanner](http://brakemanscanner.org/) 
+* [Excellent](https://github.com/simplabs/excellent)
+* [ror-sec-scanner](http://gitorious.org/code-scanner/ror-sec-scanner/)
+* [Scanny](https://github.com/openSUSE/scanny)
+* [dawn](https://github.com/codesake/codesake\_dawn)
+
+### Brakeman
+
+[Brakeman](http://brakemanscanner.org) is a good tool, it is mature and it is
+widespread among the community. It's approaching the second major release of
+its history.
+
+It is born to support [Ruby on Rails](http://rubyonrails.org) written web
+applications.
+
+### Dawn
+
+Dawn is born to support the application security startup I'm building,
+[codesake.com](http://codesake.com). Since community gives me a lot in all
+these years, the statica analyzer will be opensource and **I won't change this
+decision, ever**.
+
+Dawn supports web applications written using 
+[Ruby on Rails](http://rubyonrails.org), [Sinatra](http://sinatrarb.com) and
+[Padrino](http://padrinorb.com)
+
+Since a lot of javascript code is used in the web applications nowadays, I'll
+introduce a preliminary support for javascript before launching version 1.0.
+Javascript support it will be focused on checking for reflected and DOM based
+Cross site scripting attacks.
+
+In a future (on version 1.5 accordingly to the Roadmap), node.js written web
+applications will be supported as well.
+
+## The comparison
+
+### Basic features
+
+|Feature                | Dawn          | Brakeman          | Excellent   | ror-sec-scanner   | Scanny      |
+|-----------------------|---------------|-------------------|-------------|-------------------|-------------|
+| Version               | 0.51          | 1.9.5             |             |                   |             |
+| Production ready?     | NO            | YES               |             |                   |             |
+| Sinatra support       | YES           | NO                |             |                   |             |
+| Padrino support       | NO *planned*  | NO                |             |                   |             |
+| Rails support         | YES           | YES               |             |                   |             |
+| Node.js support       | NO *planned*  | NO                |             |                   |             |
+| Plain text output     | YES           | YES               |             |                   |             |
+| Json output           | YES           | YES               |             |                   |             |
+| HTML output           | NO            | YES               |             |                   |             |
+
+### CVE security checks
+
+| CVE Check             | Dawn          | Brakeman          | Excellent   | ror-sec-scanner   | Scanny      |
+|-----------------------|---------------|-------------------|-------------|-------------------|-------------|
+| CVE-2011-2931         | YES           | YES               |             |                   |             |
+| CVE-2012-2660         | YES           | YES               |             |                   |             |
+| CVE-2012-2661         | YES           | YES               |             |                   |             |
+| CVE-2012-2694         | YES           | YES               |             |                   |             |
+| CVE-2012-2695         | YES           | YES               |             |                   |             |
+| CVE-2012-3465         | YES           | YES               |             |                   |             |
+| CVE-2012-3464         | NO            | YES               |             |                   |             |
+| CVE-2012-3463         | NO            | YES               |             |                   |             |
+| CVE-2012-6496         | YES           | NO                |             |                   |             |
+| CVE-2012-5664         | NO            | YES               |             |                   |             |
+| CVE-2012-6497         | YES           | NO                |             |                   |             |
+| CVE-2013-1855         | YES           | YES               |             |                   |             |
+| CVE-2013-1800         | YES           | NO                |             |                   |             |
+| CVE-2013-0333         | YES           | YES               |             |                   |             |
+| CVE-2013-0269         | YES           | YES               |             |                   |             |
+| CVE-2013-1857         | YES           | YES               |             |                   |             |
+| CVE-2013-0155         | YES           | YES               |             |                   |             |
+| CVE-2013-0333         | YES           | YES               |             |                   |             |
+| CVE-2011-0447         | NO            | YES               |             |                   |             |
+| CVE-2011-0446         | NO            | YES               |             |                   |             |
+| CVE-2013-1854         | YES           | YES               |             |                   |             |
+| CVE-2013-1856         | YES           | YES               |             |                   |             |
+| CVE-2013-0276         | YES           | YES               |             |                   |             |
+| CVE-2013-0277         | YES           | YES               |             |                   |             |
+| CVE-2013-0156         | YES           | YES               |             |                   |             |
+| CVE-2013-2090 [0]     | NO            | NO                |             |                   |             |
+| CVE-2013-2615         | YES           | NO                |             |                   |             |
+| CVE-2013-1875         | YES           | NO                |             |                   |             |
+| CVE-2013-1655         | YES           | NO                |             |                   |             |
+| CVE-2013-1656         | YES           | NO                |             |                   |             |
+| CVE-2013-0175         | YES           | NO                |             |                   |             |
+| CVE-2013-0233         | YES           | NO                |             |                   |             |
+| CVE-2013-0284         | YES           | NO                |             |                   |             |
+| CVE-2013-0285         | YES           | NO                |             |                   |             |
+| CVE-2013-1801         | YES           | NO                |             |                   |             |
+| CVE-2013-1802         | YES           | NO                |             |                   |             |
+| CVE-2013-1821         | YES           | NO                |             |                   |             |
+| CVE-2013-1898         | YES           | NO                |             |                   |             |
+| CVE-2013-1911         | YES           | NO                |             |                   |             |
+| CVE-2013-1933         | YES           | NO                |             |                   |             |
+| CVE-2013-1947         | YES           | NO                |             |                   |             |
+| CVE-2013-1948         | YES           | NO                |             |                   |             |
+| CVE-2013-2616         | YES           | NO                |             |                   |             |
+| CVE-2013-2617         | YES           | NO                |             |                   |             |
+| CVE-2013-3221         | YES           | NO                |             |                   |             |
+
+[0] This CVE must be confirmed
+
+### Quality checks
+
+| Quality check         | Dawn          | Brakeman          | Excellent   | ror-sec-scanner   | Scanny      |
+|-----------------------|---------------|-------------------|-------------|-------------------|-------------|
+| Not revised code      | YES           | NO                |             |                   |             |
+
+
+### Application specific security checks
+
+| Security check              | Dawn          | Brakeman   | Excellent   | ror-sec-scanner   | Scanny      |
+|-----------------------------|---------------|------------|-------------|-------------------|-------------|
+| Reflected XSS               | NO            | YES        |             |                   |             |
+| Stored XSS                  | NO            | YES        |             |                   |             |
+| DOM Based XSS               | NO            | NO         |             |                   |             |
+| SQL injection               | NO            | YES        |             |                   |             |
+| Broken authentication       | NO            | NO         |             |                   |             |
+| Insecure object reference   | NO            | NO         |             |                   |             |
+| CSRF                        | NO            | YES [1]    |             |                   |             |
+
+[1] Brakeman warns if an application does not use protect_from_forgery, but it
+doesn't warn about vulnerable forms (e.g. those not using view helpers) -
+[@presidentbeef](https://github.com/codesake/codesake_dawn/issues/2)
+
+## Third party reviews
+
+If you blogged, twitted or in any case if you compare dawn with other SAST
+available out there supporting ruby, please tell me and I'll add your review
+here.
+
+

data/README.md

@@ -1,25 +1,44 @@
 # Codesake::Dawn - code review engine for ruby powered code
 
-This is an ongoing roadmap for the dawn source code review tool.
-
 Dawn is a static analysis security scanner for ruby written web applications.
 It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks. 
 
+## Useful links
+
+www:      [http://codesake.com](http://codesake.com) 
+
+twitter:  [https://twitter.com/codesake](https://twitter.com/codesake) #dawn hashtag
+
+github:   [https://github.com/codesake/codesake\_dawn](https://github.com/codesake/codesake\_dawn)
+
 ## Installation
 
-Add this line to your application's Gemfile:
+You can install dawn, directly using [Rubygems](https://rubygems.org) by typing:
 
-    gem 'codesake_dawn'
+    gem 'codesake-dawn'
 
-And then execute:
+If you want to add dawn to your project Gemfile, you must add the following:
+    
+    group :development do
+      gem 'codesake-dawn', :require=>false
+    end
 
-    $ bundle
+And then upgrade your bundle 
 
-Or install it yourself as:
+    $ bundle install
 
-    $ gem install codesake_dawn
+You may want to build it from source, so you have to check it out from github first:
+
+    $ git clone https://github.com/codesake/codesake_dawn/codesake_dawn.git
+    $ cd codesake_dawn
+    $ rake install
+
+And the codesake-dawn gem will be built in a pkg directory and then installed
+on your system. Please note that you have to manage dependencies on your own
+this way. It makes sense only if you want to hack the code or something like
+that.
 
 ## Usage
 
@@ -35,6 +54,55 @@ dawn command line is in this form with options and the target.
 $ dawn [options] target
 ```
 
+The options you can specify tell down the MVC used in your application and some
+triggers you may want to be active during the scan.
+
+### Scanning a Sinatra web application
+
+dawn will scan application stored in hello_world directory which is a Sinatra application
+
+```
+$ dawn -s hello_world 
+```
+
+### Scanning a Ruby on Rails web application
+
+dawn will scan application stored in hello_world directory which is a Ruby on Rails application
+
+```
+$ dawn -r hello_world 
+```
+
+### Scanning a Padrino web application
+
+dawn will scan application stored in hello_world directory which is a Padrino application
+
+```
+$ dawn -p hello_world 
+```
+
+### As output you get
+
+As output, dawn will put all security checks that are failed during the scan.
+In example, this is the output of a scan performed over a very simple Sinatra
+application:
+
+```
+$ bundle exec bin/dawn -s target
+
+[*] dawn v0.51 (C) 2013 - paolo@armoredcode.com is starting up at 08:09:11
+08:09:11: scanning target
+08:09:11: sinatra vsinatra 1.4.2 detected
+08:09:11: applying all security checks
+08:09:11 [*] all security checks applied
+08:09:11: 1 vulnerabilities found
+08:09:11 [!] CVE-2013-1800 failed
+08:09:11: Description: The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
+08:09:11: Solution: Please use crack gem version 0.3.2 or above. Correct your gemfile
+08:09:11 [!] Evidence:
+08:09:11 [!] Vulnerable crack gem version found: 0.3.1
+[*] dawn is shutting down at 08:09:11
+```
 
 
 You can also dump all security checks in the knowledge base by using the -k
@@ -44,11 +112,34 @@ flag:
 $ dawn -k|--list-knowledge-base 
 ```
 
+## Thanks to
+
+[saten](https://github.com/saten): first issue posted about a typo in the README
+
+[presidentbeef](https://githbu.com/presidentbeef): for his outstanding work that inspired me creating dawn and for double check comparison matrix. Issue #2 is your :)
+
+## LICENSE
+
+Copyright (c) 2013 Paolo Perego
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
 
-## Contributing
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-1. Fork it
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request

data/Rakefile

@@ -1,12 +1,24 @@
 require "bundler/gem_tasks"
 require "rspec/core/rake_task"
+# require "highline/import"
+
+require 'cucumber'
+require 'cucumber/rake/task'
 
 require 'fileutils'
 require "codesake/dawn/knowledge_base"
 
-RSpec::Core::RakeTask.new
+Cucumber::Rake::Task.new(:features) do |t|
+  t.cucumber_opts = "features --format pretty -x"
+  t.fork = false
+end
+
+RSpec::Core::RakeTask.new do |t| 
+  t.rspec_opts = ["--color"]
+end
+
 
-task :default => :spec
+task :default => [ :spec, :features ]
 task :test => :spec
 
 desc "Create a new CVE test"
@@ -32,12 +44,10 @@ task :new_cve, :name do |t,args|
     file.puts "\t\tmodule Kb"
     file.puts "\t\t\t# Automatically created with rake on #{Time.now.strftime('%Y-%m-%d')}"
     file.puts "\t\t\tclass #{class_name}"
-    file.puts "\t\t\t\t#"
     file.puts "\t\t\t\t# Include the testing skeleton for this CVE"
     file.puts "\t\t\t\t# include PatternMatchCheck"
     file.puts "\t\t\t\t# include DependencyCheck"
-    file.puts "\t\t\t\t#"
-    file.puts ""
+    file.puts "\t\t\t\t# include RubyVersionCheck"
     file.puts ""
     file.puts "\t\t\t\tdef initialize"
     file.puts "\t\t\t\tend"
@@ -48,17 +58,14 @@ task :new_cve, :name do |t,args|
   end
   puts "#{rb_filename} created"
 
-  open(spec_filename, "w") do |file|
-    file.puts "require \"spec_helper\""
-    file.puts "# Automatically created with rake on #{Time.now.strftime('%Y-%m-%d')}"
-    file.puts ""
-    file.puts "describe \"Security check for #{name}\" do"
-    file.puts "\tlet(:check) {Codesake::Dawn::Kb::#{class_name}.new}"
-    file.puts "\tit \"should be added to rspec\""
-    file.puts "end"
-  end
-  puts "#{spec_filename} created"
+  puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
+  puts "*** PLEASE ADD THIS CODE IN lib/codesake/dawn/knowledge_base.rb in order to reflect changes"
+  puts "require \"codesake/dawn/kb/#{class_name.downcase}\""
+  puts "it \"must have test for #{name}\" do"
+  puts "  sc = kb.find(\"#{name}\")"
+  puts "  sc.should_not   be_nil"
+  puts "  sc.class.should == Codesake::Dawn::Kb::#{class_name}"
+  puts "end"
+
 
-  puts "*** PLEASE ADD #{name} to spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
-  puts "*** PLEASE ADD #{name} to lib/codesake/dawn/knowledge_base.rb in order to reflect changes"
 end

data/Roadmap.md

@@ -1,44 +1,201 @@
 # Codesake Dawn - roadmap
 
-This is an ongoing roadmap for the dawn source code review tool.
-
 Dawn is a static analysis security scanner for ruby written web applications.
 It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks. 
 
-This is an ongoing roadmap for the project.
+This is an ongoing roadmap for the dawn source code review tool.
 
-_latest update: Fri May 10 09:43:11 CEST 2013_
+_latest update: Fri 17 May 2013 15:29:55 CEST_
 
-## Version 0.50 (First public release)
+## Version 0.50 (2013-05-13) - First public release
 
 * adding test for CVE\_2013\_0269
 * adding test for CVE\_2013\_0155
 * adding test for CVE\_2011\_2931
 * adding test for CVE\_2012\_3465
 
-## Version 0.60
+## Version 0.60 (2013-05-28)
 
+* adding cucumber dependency
+* adding test for CVE-2013-1854
+* adding test for CVE-2013-1856
+* adding test for CVE-2013-0276
+* adding test for CVE-2013-0277
+* adding test for CVE-2013-0156
+* adding test for CVE-2013-2615
+* adding test for CVE-2013-1875
+* adding test for CVE-2013-1655
+* adding test for CVE-2013-1656
+* adding test for CVE-2013-0175
+* adding test for CVE-2013-0233
+* adding test for CVE-2013-0284
+* adding test for CVE-2013-0285
+* adding test for CVE-2013-1801
+* adding test for CVE-2013-1802
+* adding test for CVE-2013-1821
+* adding test for CVE-2013-1898
+* adding test for CVE-2013-1911
+* adding test for CVE-2013-1933
+* adding test for CVE-2013-1947
+* adding test for CVE-2013-1948
+* adding test for CVE-2013-2616
+* adding test for CVE-2013-2617
+* adding test for CVE-2013-3221
 * make output less verbose. Only vulnerabilities and severity will be shown 
 * adding a '--verbose' option to see also the whole knowledge base info about each findings
-* grepping views for XSS attempts (sinatra)
+* adding a '--output' option
+* adding a '--count-only' option
+* support JSON output
 
 ## Version 0.70 
 
+* adding test for CVE-2011-0447
+* adding test for CVE-2011-3186
+* adding test for CVE-2012-1099
+* adding test for CVE-2012-1241
+* adding test for CVE-2012-2140
+* adding test for CVE-2012-5370
+* adding test for CVE-2012-5371
+* adding test for CVE-2011-2197
+* adding test for CVE-2011-2932
+* adding test for CVE-2012-3463
+* adding test for CVE-2012-3464
+* adding test for CVE-2012-4464
+* adding test for CVE-2012-4466
+* adding test for CVE-2012-4481
+* adding test for CVE-2012-5664
+* adding test for CVE-2012-6134
 * add ruby\_parser dependency
+* parsing HAML for XSS
+* write '--help'
 * support sinatra application controllers parsing for XSS
-* grepping views for XSS attempts (rails)
+* Fix issue #1. You can read more about it in TODO.md
 
 ## Version 0.80
 
+* adding test for CVE-2013-2090 _if CVE will be approved_
+* adding test for CVE-2010-1330
+* adding test for CVE-2011-0447 
+* adding test for CVE-2011-0446 
+* adding test for CVE-2011-0995
+* adding test for CVE-2011-2197
+* adding test for CVE-2011-2929
+* adding test for CVE-2011-2932
+* adding test for CVE-2011-3186
+* adding test for CVE-2011-4815
+* adding test for CVE-2012-5370
+* adding test for CVE-2012-3424
+* adding test for CVE-2012-1241
+* adding test for CVE-2012-2140
+* adding test for CVE-2012-1099
+* adding test for CVE-2012-5380
+* adding test for CVE-2012-2694
+* adding test for CVE-2012-4522
+* adding test for CVE-2012-3464
+* adding test for CVE-2012-3463
 * support sinatra application controllers parsing for SQLi
 * support rails application controllers parsing for XSS
-* grepping views for XSS attempts (padrino)
+* parsing ERB for XSS
+
+## Version 0.90
+
+* adding test for CVE-2011-3186
+* adding test for CVE-2011-2197
+* adding test for CVE-2011-2932
+* adding test for CVE-2011-0447
+* adding test for CVE-2011-0995
+* adding test for CVE-2011-0446
+* adding test for CVE-2011-2929
+* adding test for CVE-2011-1005
+* adding test for CVE-2010-3933
+* adding test for CVE-2011-4319
+* adding test for CVE-2011-3009
+* adding test for CVE-2011-1004
+* adding test for CVE-2010-3119
+* adding test for CVE-2011-2930
+* adding test for CVE-2011-2854
+* adding test for CVE-2011-3187
+* adding test for CVE-2011-2686
+* adding test for CVE-2011-2705
+* adding test for CVE-2011-0188
+* adding test for CVE-2011-0446
+* adding test for CVE-2010-3933
+* adding test for CVE-2011-0739
+* adding test for CVE-2010-3928
+* adding test for CVE-2008-7248
+* adding test for CVE-2009-4124
+* adding test for CVE-2010-0541
+* adding test for CVE-2010-2489
+* adding test for CVE-2009-3857
+* adding test for CVE-2009-4078
+* adding test for CVE-2009-4214
+* adding test for CVE-2008-4310
+* adding test for CVE-2009-0161
+* adding test for CVE-2008-5189
+* adding test for CVE-2008-3657
+* adding test for CVE-2008-2376
+* adding test for CVE-2008-3655
+* adding test for CVE-2008-1145
+* adding test for CVE-2008-1891
+* adding test for CVE-2008-2725
+* preliminary javascript support
+* adding test for CVE-2011-4969  XSS in jquery < 1.6.2 
 
 ## Version 1.00
 
+* adding test for CVE-2008-4310
+* adding test for CVE-2008-3657
+* adding test for CVE-2008-1891
+* adding test for CVE-2007-5162
+* adding test for CVE-2006-5467
+* adding test for CVE-2004-0983
+* adding test for CVE-2008-4094
+* adding test for CVE-2008-1447
+* adding test for CVE-2007-6612
+* adding test for CVE-2007-2666
+* adding test for CVE-2006-4112
+* adding test for CVE-2008-3905
+* adding test for CVE-2008-2662
+* adding test for CVE-2007-6183
+* adding test for CVE-2007-2383
+* adding test for CVE-2006-3694
+* adding test for CVE-2008-3790
+* adding test for CVE-2008-2663
+* adding test for CVE-2007-6077
+* adding test for CVE-2006-6979
+* adding test for CVE-2007-6183
+* adding test for CVE-2007-2383
+* adding test for CVE-2006-3694
+* adding test for CVE-2007-2666
+* adding test for CVE-2006-4112
+* adding test for CVE-2007-5770
+* adding test for CVE-2007-0469
+* adding test for CVE-2006-1931
+* adding test for CVE-2007-5380
+* adding test for CVE-2006-6303
+* adding test for CVE-2005-1992
+* adding test for CVE-2007-6077
+* adding test for CVE-2006-6979
+* adding test for CVE-2006-2582
+* adding test for CVE-2007-5162
+* adding test for CVE-2006-5467
+* adding test for CVE-2004-0983
+* adding test for CVE-2007-5379
+* adding test for CVE-2006-6852
+* adding test for CVE-2005-2337
+* adding test for CVE-2005-1992
+* adding test for CVE-2004-0755
+* adding test for CVE-2004-0983
 * dedicated web site under dawn.codesake.com
 * support rails application controllers parsing for SQLi
 * support padrino application controllers parsing for XSS
 * support padrino application controllers parsing for SQLi
+* integration with [codesake.com](http://codesake.com) with a public available
+  APIs to be consumed by codesake users.
+* automatic mitigation patch generation 
+
+## Version 1.50
+
+* support for node.js