codesake-dawn 0.75 → 0.77

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2e14d7d2bb102da1da3ef6f03f1f688d93459937
-  data.tar.gz: 9b33c3f62e7a99f5cabd9e25ea07d8b6aeeca526
+  metadata.gz: 1704c064bfe4259ad7b2c335ce46c0a059a54487
+  data.tar.gz: 4fe5c2525c083a898595a20ab4f9e9e433506de2
 SHA512:
-  metadata.gz: 27f20f4202f1cddba9cd9432ab45aa58c1204ef7d6b00afe2b09d50f5e83158e29459acfa5ce56a6b445af64ffb96ddd1df546bee0b8c8d77a97782f9c5cabe0
-  data.tar.gz: c33b21202f9e5f17b403e93bb8fedf0be735e2652d3d482d8980ce30de2d7fccf6ed3e2682cd9f017ba42fe2fccd8ca20409523204436daae5e638ea31a25646
+  metadata.gz: 39835cc8d6eeaeed1ae987029f5641e79e4757b2961dfb03700603741bf3784039c434c5f914679a1f3a93995fa937c14bff50cfdb1334dbdf30477d5f8b1c3f
+  data.tar.gz: ab6bbab4930ddede813a8dc143caf1015763517e60a089d42e6cdc1844f7794fdaf3f66074a3068d1a1b0e88492e15b4c76bb8a2474e610486525c5406da3054

data/.gitignore

@@ -1,3 +1,4 @@
+.DS_Store
 *.log
 *.sw?
 *.gem

data/Competitive_matrix.md

@@ -130,9 +130,11 @@ applications will be supported as well.
 | CVE-2013-1933         | YES           | NO                |             |                   |             |
 | CVE-2013-1947         | YES           | NO                |             |                   |             |
 | CVE-2013-1948         | YES           | NO                |             |                   |             |
+| CVE-2013-2065         | YES           | NO                |             |                   |             |
 | CVE-2013-2616         | YES           | NO                |             |                   |             |
 | CVE-2013-2617         | YES           | NO                |             |                   |             |
 | CVE-2013-3221         | YES           | NO                |             |                   |             |
+| CVE-2013-4389         | YES           | NO                |             |                   |             |
 
 [0] This CVE must be confirmed
 

data/README.md

@@ -6,9 +6,9 @@ It supports [Sinatra](http://www.sinatrarb.com),
 frameworks. 
 
 [![Gem Version](https://badge.fury.io/rb/codesake-dawn.png)](http://badge.fury.io/rb/codesake-dawn)
-[![Build Status](https://travis-ci.org/codesake/codesake_dawn.png?branch=master)](https://travis-ci.org/codesake/codesake_dawn)
-[![Dependency Status](https://gemnasium.com/codesake/codesake_dawn.png)](https://gemnasium.com/codesake/codesake_dawn)
-[![Coverage Status](https://coveralls.io/repos/codesake/codesake_dawn/badge.png)](https://coveralls.io/r/codesake/codesake_dawn)
+[![Build Status](https://travis-ci.org/codesake/codesake-dawn.png?branch=master)](https://travis-ci.org/codesake/codesake-dawn)
+[![Dependency Status](https://gemnasium.com/codesake/codesake-dawn.png)](https://gemnasium.com/codesake/codesake-dawn)
+[![Coverage Status](https://coveralls.io/repos/codesake/codesake-dawn/badge.png)](https://coveralls.io/r/codesake/codesake-dawn)
 
 ## Useful links
 
@@ -16,7 +16,7 @@ www:      [http://codesake.com](http://codesake.com)
 
 twitter:  [https://twitter.com/codesake](https://twitter.com/codesake) #dawn hashtag
 
-github:   [https://github.com/codesake/codesake\_dawn](https://github.com/codesake/codesake\_dawn)
+github:   [https://github.com/codesake/codesake\-dawn](https://github.com/codesake/codesake-dawn)
 
 ## Installation
 
@@ -36,8 +36,8 @@ And then upgrade your bundle
 
 You may want to build it from source, so you have to check it out from github first:
 
-    $ git clone https://github.com/codesake/codesake_dawn/codesake_dawn.git
-    $ cd codesake_dawn
+    $ git clone https://github.com/codesake/codesake-dawn/codesake-dawn.git
+    $ cd codesake-dawn
     $ rake install
 
 And the codesake-dawn gem will be built in a pkg directory and then installed

data/Roadmap.md

@@ -77,7 +77,6 @@ _latest update: Fri 17 May 2013 15:29:55 CEST_
 
 ## Version 0.80
 
-* Fix issue #1. You can read more about it in TODO.md
 * detect sinks for XSS in Padrino applications
 * detect reflected XSS in Padrino applications
 * detect stored XSS in Sinatra applications
@@ -88,6 +87,8 @@ _latest update: Fri 17 May 2013 15:29:55 CEST_
 * integration with [codesake.com](http://codesake.com) with a public available
   APIs to be consumed by codesake beta users.
 
+* adding test for CVE-2013-2065
+* adding test for CVE-2013-4389
 * adding test for CVE-2010-1330
 * adding test for CVE-2011-0446 
 * adding test for CVE-2011-0995
@@ -100,6 +101,8 @@ _latest update: Fri 17 May 2013 15:29:55 CEST_
 * adding test for RoRCheatSheet\_4
 * adding test for RoRCheatSheet\_7
 * adding test for RoRCheatSheet\_8
+* Fix issue #1. You can read more about it in TODO.md
+* Added internal API to scan a single Gemfile.lock
 
 
 ## Version 0.90

data/TODO.md

@@ -1,7 +1,12 @@
 # Codesake Dawn Todo 
 
-## #1 Introduce check dependency
+## #2 cloning target
 ### Status: Open
+Add a --github option to dawn to clone a remote repository, perform a bundle
+install and do a code review.
+
+## #1 Introduce check dependency
+### Status: Closed
 CVE-2013-1655 introduces a security issue that depends on a particular gem only
 when running a particular Ruby interpreter version. For such a reason in
 BasicCheck class I introduced a ruby\_version attribute as a String and a

data/bin/dawn

@@ -3,7 +3,7 @@
 require 'getoptlong'
 require 'json'
 
-require 'codesake_commons'
+require 'codesake-commons'
 require 'codesake-dawn'
 
 def dry_run(target, engine)
@@ -41,7 +41,7 @@ end
 def dump_knowledge_base(verbose = false)
   kb = Codesake::Dawn::KnowledgeBase.new
   lines = []
-  lines << "Security checks currently supported:\n\n"
+  lines << "Security checks currently supported:\n"
 
   kb.all.each do |check|
     if verbose
@@ -52,6 +52,7 @@ def dump_knowledge_base(verbose = false)
       lines << "#{check.name}"
     end
   end
+  lines << "-----\nTotal: #{kb.all.count}"
   
   lines.empty? ? 0 : lines.compact.join("\n")
 
@@ -66,6 +67,7 @@ def help
   printf "\n   -r, --rails\t\t\t\t\tforce dawn to consider the target a rails application" 
   printf "\n   -s, --sinatra\t\t\t\tforce dawn to consider the target a sinatra application" 
   printf "\n   -p, --padrino\t\t\t\tforce dawn to consider the target a padrino application" 
+  printf "\n   -G, --gem-lock\t\t\t\tforce dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock"
   printf "\n   -f, --list-known-framework\t\t\tlist ruby MVC frameworks supported by dawn"
   printf "\n   -k, --list-knowledgebase [check_name]\tlist dawn known security checks. If check_name is specified dawn says if check is present or not"
   printf "\n   -o, --output [console, json. csv, html]\tthe output will be in the specified format"
@@ -83,12 +85,14 @@ LIST_KNOWN_FRAMEWORK  = %w(rails sinatra) #padrino)
 VALID_OUTPUT_FORMAT   = %w(console json csv html)
 
 $logger  = Codesake::Commons::Logging.instance
+$logger.helo APPNAME, Codesake::Dawn::VERSION
 opts    = GetoptLong.new(
   [ '--rails',                  '-r',   GetoptLong::NO_ARGUMENT],
   [ '--sinatra',                '-s',   GetoptLong::NO_ARGUMENT],
   [ '--padrino',                '-p',   GetoptLong::NO_ARGUMENT],
-  [ '--list-known-framework',   '-f',   GetoptLong::NO_ARGUMENT ],
-  [ '--list-knowledgebase',     '-k',   GetoptLong::OPTIONAL_ARGUMENT ],
+  [ '--gem-lock',               '-G',   GetoptLong::NO_ARGUMENT],  
+  [ '--list-known-framework',   '-f',   GetoptLong::NO_ARGUMENT],
+  [ '--list-knowledgebase',     '-k',   GetoptLong::OPTIONAL_ARGUMENT],
   [ '--output',                 '-o',   GetoptLong::REQUIRED_ARGUMENT],
   [ '--verbose',                '-V',   GetoptLong::NO_ARGUMENT],
   [ '--count-only',             '-C',   GetoptLong::NO_ARGUMENT],
@@ -96,7 +100,7 @@ opts    = GetoptLong.new(
   [ '--help',                   '-h',   GetoptLong::NO_ARGUMENT]
 )
 engine  = nil
-options = {:verbose=>false, :output=>"console", :count_only=>false, :dump_kb=>false, :mvc=>nil}
+options = {:verbose=>false, :output=>"console", :count_only=>false, :dump_kb=>false, :mvc=>"", :gemfile_scan=>false}
 
 trap("INT")   { $logger.die('[INTERRUPTED]') }
 check = ""
@@ -108,13 +112,14 @@ opts.each do |opt, val|
     puts "#{Codesake::Dawn::VERSION}"
     Kernel.exit(0)
   when '--rails'
-    options[:mvc]=:force_rails
+    options[:mvc]=:rails
   when '--sinatra'
-    options[:mvc]=:force_sinatra
+    options[:mvc]=:sinatra
   when '--padrino'
-    options[:mvc]=:force_padrino
-    puts "sorry padrino is not yet supported"
-    Kernel.exit(1)
+    options[:mvc]=:padrino
+    $logger.die "sorry padrino is not yet supported"
+  when '--gem-lock'
+    options[:gemfile_scan] = true
   when '--verbose'
     options[:verbose]=true
   when '--output'
@@ -152,18 +157,20 @@ target=ARGV.shift
 
 $logger.die("missing target") if target.nil?
 $logger.die("invalid directory (#{target})") unless Codesake::Dawn::Core.is_good_target?(target)
+$logger.die("if scanning Gemfile.lock file you must force target MVC using one from -r, -s or -p flag") if options[:mvc].empty? && options[:gemfile_scan]
 
 
 ## MVC auto detect
 begin
-  engine = Codesake::Dawn::Core.detect_mvc(target)  if options[:mvc].nil?
+  engine = Codesake::Dawn::Core.detect_mvc(target)  if options[:mvc].empty?
 rescue ArgumentError => e
   $logger.die(e.message)
 end
 
-engine = Codesake::Dawn::Rails.new(target)        if options[:mvc] == :force_rails
-engine = Codesake::Dawn::Sinatra.new(target)      if options[:mvc] == :force_sinatra
-# engine = Codesake::Dawn::Padrino.new if options[:mvc] == :force_padrino
+engine = Codesake::Dawn::Rails.new(target)                      if options[:mvc] == :rails
+engine = Codesake::Dawn::Sinatra.new(target)                    if options[:mvc] == :sinatra
+# engine = Codesake::Dawn::Padrino.new(target)                    if options[:mvc] == :padrino
+engine = Codesake::Dawn::GemfileLock.new(target, options[:mvc]) if options[:gemfile_scan]
 
 $logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags") if engine.nil?
 
@@ -180,15 +187,14 @@ if options[:output] == "json"
   Kernel.exit(0)
 end
 
-$logger.helo "#{APPNAME} v#{Codesake::Dawn::VERSION} (C) 2013 - paolo@armoredcode.com is starting up"
 $logger.die "missing target framework option" if engine.nil?
 
-# engine.set_target(target) unless engine.nil?
 engine.load_knowledge_base
 
 $logger.die "nothing to do on #{target}" unless engine.can_apply?
 $logger.log "scanning #{target}"
-$logger.log "#{engine.name} v#{engine.get_mvc_version} detected"
+$logger.log "#{engine.name} v#{engine.get_mvc_version} detected" unless engine.name == "Gemfile.lock"
+$logger.log "#{engine.force} v#{engine.get_mvc_version} detected" if engine.name == "Gemfile.lock"
 $logger.log "applying all security checks" 
 if engine.apply_all 
   $logger.log "all security checks applied"
@@ -228,10 +234,4 @@ if engine.mitigated_issues.count != 0
   end
 end
 
-
-
-
-$logger.helo "#{APPNAME} is shutting down"
-Kernel.exit(0)
-
-
+$logger.bye

data/codesake-dawn.gemspec

@@ -17,13 +17,14 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
-  gem.add_dependency 'codesake_commons', '>= 0.67.0'
+  gem.add_dependency "codesake-commons", "~> 0.89.0"
   gem.add_dependency 'cvss'
   gem.add_dependency 'haml'
   gem.add_dependency 'parser'
   gem.add_dependency 'ptools'
   gem.add_dependency 'ruby_parser'
   gem.add_dependency 'sys-uname'
+  gem.add_dependency 'grit'
 
   gem.add_dependency ('coveralls')
 

data/lib/codesake-dawn.rb

@@ -1,9 +1,11 @@
-require "codesake/dawn/core"
 require "codesake/dawn/utils"
+require "codesake/dawn/core"
 require "codesake/dawn/version"
 require "codesake/dawn/knowledge_base"
 require "codesake/dawn/rails"
 require "codesake/dawn/sinatra"
-require "codesake_commons"
+require "codesake/dawn/padrino"
+require "codesake/dawn/gemfile_lock"
+require "codesake-commons"
 
 require "date"

data/lib/codesake/dawn/engine.rb

@@ -3,8 +3,13 @@ require 'bundler'
 module Codesake
   module Dawn
     module Engine
+      include Codesake::Dawn::Utils
+
       attr_reader :target
       attr_reader :name
+      # This attribute is used when @name == "Gemfile.lock" to force the
+      # loading of specific MVC checks
+      attr_reader :force
       attr_reader :gemfile_lock
       attr_reader :mvc_version
       attr_reader :connected_gems
@@ -32,16 +37,26 @@ module Codesake
       # will see later 
       attr_reader :models
 
-      def initialize(dir=nil, name="")
+      attr_accessor :debug
+
+      def initialize(dir=nil, name="", options={})
         @name = name
         @mvc_version = ""
         @gemfile_lock = ""
+        @force = ""
         @connected_gems = []
         @checks = []
         @vulnerabilities = []
         @mitigated_issues = []
         @applied = []
         @engine_error = false
+        @debug = false
+        @debug = options[:debug] unless options[:debug].nil?
+
+        # Only honoring force option for Gemfile.lock engine. If no force is
+        # provided the default behaviour for Gemfile.lock engine is to load all
+        # security checks.
+        @force = options[:force] if ! options[:force].nil? and @name == "Gemfile.lock"
 
         set_target(dir) unless dir.nil?
 
@@ -105,7 +120,14 @@ module Codesake
       end
 
       def load_knowledge_base
-        @checks = Codesake::Dawn::KnowledgeBase.new.all_by_mvc(self.name)
+        if @name == "Gemfile.lock"
+          @checks = Codesake::Dawn::KnowledgeBase.new.all if @force.empty?
+          @checks = Codesake::Dawn::KnowledgeBase.new.all_by_mvc(@force) unless @force.empty? 
+        else
+          @checks = Codesake::Dawn::KnowledgeBase.new.all_by_mvc(@name) 
+
+        end
+        debug_me("#{@checks.count} checks loaded")
         @checks
       end
 
@@ -118,7 +140,10 @@ module Codesake
         Dir.chdir(@target) 
         lockfile = Bundler::LockfileParser.new(Bundler.read_file("Gemfile.lock"))
         lockfile.specs.each do |s|
-          ver= s.version.to_s if s.name == @name
+          # detecting MVC version using @name in case of sinatra, padrino or rails engine
+          ver= s.version.to_s if s.name == @name && @name != "Gemfile.lock" 
+          # detecting MVC version using @force in case of Gemfile.lock engine
+          ver= s.version.to_s if s.name == @force.to_s && @name == "Gemfile.lock" 
           @connected_gems << {:name=>s.name, :version=>s.version.to_s}
         end
         Dir.chdir(my_dir)
@@ -134,7 +159,7 @@ module Codesake
       end
 
       def can_apply?
-        target_is_dir? and is_good_mvc?
+        target_is_dir? && is_good_mvc?
       end
 
       def get_mvc_version

data/lib/codesake/dawn/gemfile_lock.rb

@@ -0,0 +1,12 @@
+module Codesake
+  module Dawn
+    class GemfileLock
+      include Codesake::Dawn::Engine
+
+      def initialize(dir = "./", mvc = "")
+        super(dir, "Gemfile.lock", {:force=>mvc.to_s})
+      end
+
+    end
+  end
+end

data/lib/codesake/dawn/kb/cve_2012_4464.rb

@@ -17,7 +17,7 @@ module Codesake
             :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
             :message=>message,
             :mitigation=>"Please upgrade ruby interpreter to 1.9.3-p286 or 2.0.0-p195 or latest version available",
-            :aux_links=>["ihttp://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/"]
+            :aux_links=>["http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/"]
           })
 
           self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p286"}, {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p195"}]

data/lib/codesake/dawn/kb/cve_2013_2065.rb

@@ -0,0 +1,31 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-10-22
+			class CVE_2013_2065
+				include RubyVersionCheck
+
+				def initialize
+          message = "Native functions exposed to Ruby with DL or Fiddle do not check the taint values set on the objects passed in. This can result in tainted objects being accepted as input when a SecurityError exception should be raised."
+
+          # TODO: fix links and info
+          super({
+            :name=>"CVE-2013-2065",
+            :cvss=>"",
+            :release_date => Date.new(2013, 5, 14),
+            :cwe=>"264",
+            :owasp=>"A9", 
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade ruby interpreter to 1.9.3-p436 or 2.0.0-p195 or latest version available",
+            :aux_links=>["https://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/"]
+          })
+
+          self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p426"}, {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p195"}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_4389.rb

@@ -0,0 +1,28 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-10-22
+			class CVE_2013_4389
+				include DependencyCheck
+
+				def initialize
+          message = "Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message."
+           super({
+            :name=>'CVE-2013-4389', 
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:N/A:P",  
+            :release_date => Date.new(2013, 10, 17),
+            :cwe=>"134", 
+            :owasp=>"A9",
+            :applies=>["rails"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade rails version at least to 3.0.21, 3.1.10 or 3.2.15. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links => ["https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ"]
+          })
+
+          self.safe_dependencies = [{:name=>"rails", :version=>['3.0.21', '3.1.10', '3.2.15']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb

@@ -30,7 +30,7 @@ module Codesake
             :vuln_if_all_fails => false
           })
 
-          @debug = true
+          # @debug = true
 
         end
       end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb

@@ -20,7 +20,7 @@ module Codesake
               :attack_pattern => ["attr_accessor"],
               :negative_search=>true
             })
-            @debug = true
+            # @debug = true
           end
 
         end