codesake-dawn 0.72 → 0.75

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 2e14d7d2bb102da1da3ef6f03f1f688d93459937
+  data.tar.gz: 9b33c3f62e7a99f5cabd9e25ea07d8b6aeeca526
+SHA512:
+  metadata.gz: 27f20f4202f1cddba9cd9432ab45aa58c1204ef7d6b00afe2b09d50f5e83158e29459acfa5ce56a6b445af64ffb96ddd1df546bee0b8c8d77a97782f9c5cabe0
+  data.tar.gz: c33b21202f9e5f17b403e93bb8fedf0be735e2652d3d482d8980ce30de2d7fccf6ed3e2682cd9f017ba42fe2fccd8ca20409523204436daae5e638ea31a25646

data/.ruby-version

@@ -1 +1 @@
-ruby-1.9.3-p429
+ruby-2.0.0-p247

data/.travis.yml

@@ -0,0 +1,8 @@
+language: ruby
+rvm:
+  - 1.8.7
+  - 1.9.2
+  - 1.9.3
+  - 2.0.0
+  - jruby
+  - rbx

data/Competitive_matrix.md

@@ -68,11 +68,16 @@ applications will be supported as well.
 
 | CVE Check             | Dawn          | Brakeman          | Excellent   | ror-sec-scanner   | Scanny      |
 |-----------------------|---------------|-------------------|-------------|-------------------|-------------|
+| CVE-2010-1330         | YES           | NO                |             |                   |             |
+| CVE-2011-0446         | YES           | NO                |             |                   |             |
 | CVE-2011-0447         | YES           | NO                |             |                   |             |
+| CVE-2011-0995         | YES           | NO                |             |                   |             |
 | CVE-2011-2197         | YES           | NO                |             |                   |             |
+| CVE-2011-2929         | YES           | YES               |             |                   |             |
 | CVE-2011-2931         | YES           | YES               |             |                   |             |
 | CVE-2011-2932         | YES           | NO                |             |                   |             |
 | CVE-2011-3186         | YES           | NO                |             |                   |             |
+| CVE-2011-4815         | YES           | NO                |             |                   |             |
 | CVE-2012-1099         | YES           | NO                |             |                   |             |
 | CVE-2012-1241         | YES           | NO                |             |                   |             |
 | CVE-2012-2140         | YES           | NO                |             |                   |             |
@@ -80,14 +85,17 @@ applications will be supported as well.
 | CVE-2012-2661         | YES           | YES               |             |                   |             |
 | CVE-2012-2694         | YES           | YES               |             |                   |             |
 | CVE-2012-2695         | YES           | YES               |             |                   |             |
+| CVE-2012-3424         | YES           | YES               |             |                   |             |
 | CVE-2012-3463         | YES           | YES               |             |                   |             |
 | CVE-2012-3464         | YES           | YES               |             |                   |             |
 | CVE-2012-3465         | YES           | YES               |             |                   |             |
 | CVE-2012-4464         | YES           | NO                |             |                   |             |
 | CVE-2012-4466         | YES           | NO                |             |                   |             |
 | CVE-2012-4481         | YES           | NO                |             |                   |             |
+| CVE-2012-4522         | YES           | NO                |             |                   |             |
 | CVE-2012-5370         | YES           | NO                |             |                   |             |
 | CVE-2012-5371         | YES           | NO                |             |                   |             |
+| CVE-2012-5380         | YES           | NO                |             |                   |             |
 | CVE-2012-6134         | YES           | NO                |             |                   |             |
 | CVE-2012-6496         | YES           | NO                |             |                   |             |
 | CVE-2012-5664         | NO            | YES               |             |                   |             |
@@ -99,8 +107,6 @@ applications will be supported as well.
 | CVE-2013-1857         | YES           | YES               |             |                   |             |
 | CVE-2013-0155         | YES           | YES               |             |                   |             |
 | CVE-2013-0333         | YES           | YES               |             |                   |             |
-| CVE-2011-0447         | NO            | YES               |             |                   |             |
-| CVE-2011-0446         | NO            | YES               |             |                   |             |
 | CVE-2013-1854         | YES           | YES               |             |                   |             |
 | CVE-2013-1856         | YES           | YES               |             |                   |             |
 | CVE-2013-0276         | YES           | YES               |             |                   |             |

data/Rakefile

@@ -6,6 +6,7 @@ require 'cucumber'
 require 'cucumber/rake/task'
 
 require 'fileutils'
+require "codesake/dawn/utils"
 require "codesake/dawn/knowledge_base"
 
 Cucumber::Rake::Task.new(:features) do |t|

data/Roadmap.md

@@ -77,27 +77,7 @@ _latest update: Fri 17 May 2013 15:29:55 CEST_
 
 ## Version 0.80
 
-* adding test for CVE-2013-2090 _if CVE will be approved_
-* adding test for CVE-2013-2065 _if CVE will be approved_
-* adding test for CVE-2010-1330
-* adding test for CVE-2011-0447 
-* adding test for CVE-2011-0446 
-* adding test for CVE-2011-0995
-* adding test for CVE-2011-2197
-* adding test for CVE-2011-2929
-* adding test for CVE-2011-2932
-* adding test for CVE-2011-3186
-* adding test for CVE-2011-4815
-* adding test for CVE-2012-5370
-* adding test for CVE-2012-3424
-* adding test for CVE-2012-1241
-* adding test for CVE-2012-2140
-* adding test for CVE-2012-1099
-* adding test for CVE-2012-5380
-* adding test for CVE-2012-2694
-* adding test for CVE-2012-4522
-* adding test for CVE-2012-3464
-* adding test for CVE-2012-3463
+* Fix issue #1. You can read more about it in TODO.md
 * detect sinks for XSS in Padrino applications
 * detect reflected XSS in Padrino applications
 * detect stored XSS in Sinatra applications
@@ -105,13 +85,27 @@ _latest update: Fri 17 May 2013 15:29:55 CEST_
 * detect insecure direct object reference in Sinatra applications
 * detect insecure direct object reference in Padrino applications
 * support ERB for in detect\_views (for both Sinatra and Padrino)
-* Fix issue #1. You can read more about it in TODO.md
 * integration with [codesake.com](http://codesake.com) with a public available
   APIs to be consumed by codesake beta users.
 
+* adding test for CVE-2010-1330
+* adding test for CVE-2011-0446 
+* adding test for CVE-2011-0995
+* adding test for CVE-2011-2929
+* adding test for CVE-2011-4815
+* adding test for CVE-2012-3424
+* adding test for CVE-2012-5380
+* adding test for CVE-2012-4522
+* adding test for RoRCheatSheet\_1
+* adding test for RoRCheatSheet\_4
+* adding test for RoRCheatSheet\_7
+* adding test for RoRCheatSheet\_8
+
 
 ## Version 0.90
 
+* adding test for CVE-2013-2090 _if CVE will be approved_
+* adding test for CVE-2013-2065 _if CVE will be approved_
 * adding test for CVE-2011-3186
 * adding test for CVE-2011-2197
 * adding test for CVE-2011-2932
@@ -151,6 +145,18 @@ _latest update: Fri 17 May 2013 15:29:55 CEST_
 * adding test for CVE-2008-1145
 * adding test for CVE-2008-1891
 * adding test for CVE-2008-2725
+* adding test for RoRCheatSheet\_2
+* adding test for RoRCheatSheet\_3
+* adding test for RoRCheatSheet\_5
+* adding test for RoRCheatSheet\_6
+* adding test for RoRCheatSheet\_9
+* adding test for RoRCheatSheet\_10
+* adding test for RoRCheatSheet\_11
+* adding test for RoRCheatSheet\_12
+* adding test for RoRCheatSheet\_13
+* adding test for RoRCheatSheet\_14
+* adding test for RoRCheatSheet\_15
+* adding test for RoRCheatSheet\_16
 * preliminary javascript support
 * adding test for CVE-2011-4969  XSS in jquery < 1.6.2 
 * detect stored XSS in Rails applications

data/bin/dawn

@@ -67,7 +67,7 @@ def help
   printf "\n   -s, --sinatra\t\t\t\tforce dawn to consider the target a sinatra application" 
   printf "\n   -p, --padrino\t\t\t\tforce dawn to consider the target a padrino application" 
   printf "\n   -f, --list-known-framework\t\t\tlist ruby MVC frameworks supported by dawn"
-  printf "\n   -k, --list-knowledgebase\t\t\tlist dawn known security checks"
+  printf "\n   -k, --list-knowledgebase [check_name]\tlist dawn known security checks. If check_name is specified dawn says if check is present or not"
   printf "\n   -o, --output [console, json. csv, html]\tthe output will be in the specified format"
   printf "\n   -V, --verbose\t\t\t\tthe output will be more verbose"
   printf "\n   -C, --count-only\t\t\t\tdawn will only count vulnerabilities (useful for scripts)"
@@ -82,13 +82,13 @@ APPNAME = File.basename($0)
 LIST_KNOWN_FRAMEWORK  = %w(rails sinatra) #padrino)
 VALID_OUTPUT_FORMAT   = %w(console json csv html)
 
-logger  = Codesake::Commons::Logging.instance
+$logger  = Codesake::Commons::Logging.instance
 opts    = GetoptLong.new(
   [ '--rails',                  '-r',   GetoptLong::NO_ARGUMENT],
   [ '--sinatra',                '-s',   GetoptLong::NO_ARGUMENT],
   [ '--padrino',                '-p',   GetoptLong::NO_ARGUMENT],
   [ '--list-known-framework',   '-f',   GetoptLong::NO_ARGUMENT ],
-  [ '--list-knowledgebase',     '-k',   GetoptLong::NO_ARGUMENT ],
+  [ '--list-knowledgebase',     '-k',   GetoptLong::OPTIONAL_ARGUMENT ],
   [ '--output',                 '-o',   GetoptLong::REQUIRED_ARGUMENT],
   [ '--verbose',                '-V',   GetoptLong::NO_ARGUMENT],
   [ '--count-only',             '-C',   GetoptLong::NO_ARGUMENT],
@@ -98,7 +98,8 @@ opts    = GetoptLong.new(
 engine  = nil
 options = {:verbose=>false, :output=>"console", :count_only=>false, :dump_kb=>false, :mvc=>nil}
 
-trap("INT")   { logger.die('[INTERRUPTED]') }
+trap("INT")   { $logger.die('[INTERRUPTED]') }
+check = ""
 
 
 opts.each do |opt, val|
@@ -123,6 +124,7 @@ opts.each do |opt, val|
 
   when '--list-knowledgebase'
     options[:dump_kb]=true
+    check = val unless val.nil?
    
   when '--list-known-framework'
     puts "Ruby MVC framework supported by #{APPNAME}:"
@@ -135,24 +137,35 @@ opts.each do |opt, val|
   end
 end
 
+if options[:dump_kb]
+  puts dump_knowledge_base(options[:verbose]) if check.empty?
+  if ! check.empty?
+    found = Codesake::Dawn::KnowledgeBase.find(nil, check)
+    puts "#{check} found in knowledgebase." if found
+    puts "#{check} not found in knowledgebase" if ! found
+  end
+
+  Kernel.exit(0)
+end
+
 target=ARGV.shift
 
-logger.die("missing target") if target.nil?
-logger.die("invalid directory (#{target})") unless Codesake::Dawn::Core.is_good_target?(target)
+$logger.die("missing target") if target.nil?
+$logger.die("invalid directory (#{target})") unless Codesake::Dawn::Core.is_good_target?(target)
 
 
 ## MVC auto detect
 begin
   engine = Codesake::Dawn::Core.detect_mvc(target)  if options[:mvc].nil?
 rescue ArgumentError => e
-  logger.die(e.message)
+  $logger.die(e.message)
 end
 
 engine = Codesake::Dawn::Rails.new(target)        if options[:mvc] == :force_rails
 engine = Codesake::Dawn::Sinatra.new(target)      if options[:mvc] == :force_sinatra
 # engine = Codesake::Dawn::Padrino.new if options[:mvc] == :force_padrino
 
-logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags") if engine.nil?
+$logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags") if engine.nil?
 
 if options[:count_only] 
   ret = dry_run(target, engine)
@@ -167,55 +180,50 @@ if options[:output] == "json"
   Kernel.exit(0)
 end
 
-if options[:dump_kb]
-  puts dump_knowledge_base(options[:verbose])
-  Kernel.exit(0)
-end
-
-logger.helo "#{APPNAME} v#{Codesake::Dawn::VERSION} (C) 2013 - paolo@armoredcode.com is starting up"
-logger.die "missing target framework option" if engine.nil?
+$logger.helo "#{APPNAME} v#{Codesake::Dawn::VERSION} (C) 2013 - paolo@armoredcode.com is starting up"
+$logger.die "missing target framework option" if engine.nil?
 
 # engine.set_target(target) unless engine.nil?
 engine.load_knowledge_base
 
-logger.die "nothing to do on #{target}" unless engine.can_apply?
-logger.log "scanning #{target}"
-logger.log "#{engine.name} v#{engine.get_mvc_version} detected"
-logger.log "applying all security checks" 
+$logger.die "nothing to do on #{target}" unless engine.can_apply?
+$logger.log "scanning #{target}"
+$logger.log "#{engine.name} v#{engine.get_mvc_version} detected"
+$logger.log "applying all security checks" 
 if engine.apply_all 
-  logger.log "all security checks applied"
+  $logger.log "all security checks applied"
 else
-  logger.err "no security checks in the knowledge base"
+  $logger.err "no security checks in the knowledge base"
 end
 
 if engine.count_vulnerabilities != 0
-  logger.log "#{engine.count_vulnerabilities} vulnerabilities found"
+  $logger.log "#{engine.count_vulnerabilities} vulnerabilities found"
   engine.vulnerabilities.each do |vuln|
-    logger.log "#{vuln[:name]} failed"
-    logger.log "Description: #{vuln[:message]}" if options[:verbose]
-    logger.log "Solution: #{vuln[:remediation]}"
-    logger.err "Evidence:"
+    $logger.log "#{vuln[:name]} failed"
+    $logger.log "Description: #{vuln[:message]}" if options[:verbose]
+    $logger.log "Solution: #{vuln[:remediation]}"
+    $logger.err "Evidence:"
     vuln[:evidences].each do |evidence|
-      logger.err evidence
+      $logger.err evidence
     end
   end
   if engine.has_reflected_xss?
-    logger.log "#{engine.reflected_xss.count} reflected XSS found"
+    $logger.log "#{engine.reflected_xss.count} reflected XSS found"
     engine.reflected_xss.each do |vuln|
-      logger.log "request parameter \"#{vuln[:sink_source]}\""
+      $logger.log "request parameter \"#{vuln[:sink_source]}\""
     end
   end
 
 else
-  logger.ok "no vulnerabilities found."
+  $logger.ok "no vulnerabilities found."
 end
 
 if engine.mitigated_issues.count != 0
-  logger.log "#{engine.mitigated_issues.count} mitigated vulnerabilities found"
+  $logger.log "#{engine.mitigated_issues.count} mitigated vulnerabilities found"
   engine.mitigated_issues.each do |vuln|
-    logger.ok "#{vuln[:name]} mitigated"
+    $logger.ok "#{vuln[:name]} mitigated"
     vuln[:evidences].each do |evidence|
-      logger.err evidence
+      $logger.err evidence
     end
   end
 end
@@ -223,7 +231,7 @@ end
 
 
 
-logger.helo "#{APPNAME} is shutting down"
+$logger.helo "#{APPNAME} is shutting down"
 Kernel.exit(0)
 
 

data/codesake-dawn.gemspec

@@ -23,6 +23,7 @@ Gem::Specification.new do |gem|
   gem.add_dependency 'parser'
   gem.add_dependency 'ptools'
   gem.add_dependency 'ruby_parser'
+  gem.add_dependency 'sys-uname'
 
   gem.add_dependency ('coveralls')
 

data/lib/codesake-dawn.rb

@@ -1,4 +1,5 @@
 require "codesake/dawn/core"
+require "codesake/dawn/utils"
 require "codesake/dawn/version"
 require "codesake/dawn/knowledge_base"
 require "codesake/dawn/rails"

data/lib/codesake/dawn/engine.rb

@@ -161,12 +161,19 @@ module Codesake
         @checks.each do |check|
           if check.name == name
             @applied << { :name=>name }
-            check.ruby_version = self.ruby_version[:version]
-            check.detected_ruby  = self.ruby_version if check.kind == Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK
+            check.ruby_version = @ruby_version[:version]
+            check.detected_ruby  = @ruby_version if check.kind == Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK
             check.dependencies = self.connected_gems if check.kind == Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK
             check.root_dir = self.target if check.kind  == Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK
-            @vulnerabilities  << {:name=> check.name, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences} if check.vuln?
-            @mitigated_issues << {:name=> check.name, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences} if check.mitigated?
+            check.options = {:detected_ruby => self.ruby_version, :dependencies => self.connected_gems, :root_dir => self.target } if check.kind == Codesake::Dawn::KnowledgeBase::COMBO_CHECK
+
+            check_vuln = check.vuln?
+
+            @vulnerabilities  << {:name=> check.name, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>nil} if check_vuln && check.kind !=  Codesake::Dawn::KnowledgeBase::COMBO_CHECK
+
+            @vulnerabilities  << {:name=> check.name, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>check.vulnerable_checks} if check_vuln && check.kind ==  Codesake::Dawn::KnowledgeBase::COMBO_CHECK
+
+            @mitigated_issues << {:name=> check.name, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>nil} if check.mitigated?
             return true
           end
         end
@@ -180,12 +187,18 @@ module Codesake
 
         @checks.each do |check|
           @applied << { :name => name }
-          check.ruby_version = self.ruby_version[:version]
-          check.detected_ruby  = self.ruby_version if check.kind == Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK
+
+          check.ruby_version = @ruby_version[:version]
+          check.detected_ruby  = @ruby_version if check.kind == Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK
           check.dependencies = self.connected_gems if check.kind == Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK
           check.root_dir = self.target if check.kind  == Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK
-          @vulnerabilities  << {:name=> check.name, :message=>check.message, :remediation=>check.remediation , :evidences=>check.evidences} if check.vuln?
-          @mitigated_issues << {:name=> check.name, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences} if check.mitigated?
+          check.options = {:detected_ruby => self.ruby_version, :dependencies => self.connected_gems, :root_dir => self.target } if check.kind == Codesake::Dawn::KnowledgeBase::COMBO_CHECK
+          check_vuln = check.vuln?
+
+          @vulnerabilities  << {:name=> check.name, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>nil} if check_vuln && check.kind !=  Codesake::Dawn::KnowledgeBase::COMBO_CHECK
+
+          @vulnerabilities  << {:name=> check.name, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>check.vulnerable_checks} if check_vuln && check.kind ==  Codesake::Dawn::KnowledgeBase::COMBO_CHECK
+          @mitigated_issues << {:name=> check.name, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>nil} if check.mitigated?
         end
 
         true
@@ -204,17 +217,22 @@ module Codesake
         @vulnerabilities
       end
 
-      def is_vulnerable_to?(name)
+      def find_vulnerability_by_name(name)
         apply(name) unless is_applied?(name)
-        
         @vulnerabilities.each do |v|
-          return true if v[:name] == name
+          return v if v[:name] == name
         end
 
-        false
+        nil
       end
+
+      def is_vulnerable_to?(name)
+        return (find_vulnerability_by_name(name) != nil)
+      end
+
+
       def has_reflected_xss?
-        (@reflected_xss.count != 0)
+        (@reflected_xss.count != 0) unless @reflected_xss.nil?
       end
 
       def count_vulnerabilities

data/lib/codesake/dawn/kb/basic_check.rb

@@ -5,6 +5,8 @@ module Codesake
     module Kb
       module BasicCheck
 
+        include Codesake::Dawn::Utils
+
         attr_reader :name
         attr_reader :cvss
         attr_reader :cwe
@@ -36,6 +38,12 @@ module Codesake
         # Vulnerability evidences
         attr_reader   :evidences
 
+        # Check status. Returns the latest vuln? call result
+        attr_reader   :status
+
+        # Put the check in debug mode
+        attr_accessor :debug
+
         def initialize(options={})
           @applies                  = []
           @ruby_version             = ""
@@ -57,10 +65,11 @@ module Codesake
 
           @evidences    = []
           @mitigated    = false
+          @status       = false
+          @debug        = false
     
         end
 
-
         def applies_to?(name)
           ! @applies.find_index(name).nil?
         end

data/lib/codesake/dawn/kb/combo_check.rb

@@ -0,0 +1,63 @@
+module Codesake
+  module Dawn
+    module Kb
+      module ComboCheck
+        include BasicCheck
+
+        attr_reader   :checks
+        attr_accessor :options
+        attr_reader   :vulnerable_checks
+
+
+        def initialize(options={})
+          super(options)
+          @vuln_if_all_fails = true
+          @vuln_if_all_fails = options[:vuln_if_all_fails] unless options[:vuln_if_all_fails].nil?
+          @checks = options[:checks]
+          @vulnerable_checks = []
+          @options = options
+        end
+
+        def vuln?
+          ret = true
+          at_least_one = false
+          @checks.each do |check|
+            check_vuln = false
+            check.detected_ruby   = @options[:detected_ruby]    if check.kind == Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK
+            check.dependencies    = @options[:dependencies]     if check.kind == Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK
+            check.root_dir        = @options[:root_dir]         if check.kind == Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK
+
+            check_vuln = check.vuln? if check.respond_to?(:vuln?)
+
+            ret = ret && check_vuln
+            at_least_one = true if check_vuln
+            @evidences << check.evidences if check_vuln 
+            @vulnerable_checks << check if check_vuln
+            raise "A check class doesn't respond to vuln? in combo (#{check.class})" unless check.respond_to?(:vuln?)
+          end
+
+          dump_status
+          debug_me("AVIAF = #{@vuln_if_all_fails}, RET = #{ret}, AL1= #{at_least_one}") 
+          return ret if @vuln_if_all_fails
+          return at_least_one unless @vuln_if_all_fails
+        end
+
+        def dump_status
+          @checks.each do |check|
+            debug_me("#{File.basename(__FILE__)}@#{__LINE__}:#{check.name}: #{check.status}")
+          end
+
+          true
+        end
+
+        def self.find_vulnerable_checks_by_class(list=[], klass=Object)
+          list.each do |l|
+            return l if l.instance_of?(klass)
+          end
+          nil
+        end
+
+      end
+    end
+  end
+end