codesake-dawn 0.79.99 → 0.80.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Competitive_matrix.md +7 -0
- data/README.md +54 -17
- data/Rakefile +50 -0
- data/Roadmap.md +22 -9
- data/bin/dawn +14 -2
- data/lib/codesake/dawn/kb/cve_2013_4164.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2013_4457.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_4491.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_4492.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_4562.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_6414.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_6415.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_6416.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_6417.rb +31 -0
- data/lib/codesake/dawn/kb/ruby_version_check.rb +2 -1
- data/lib/codesake/dawn/kb/simpleform_xss_20131129.rb +30 -0
- data/lib/codesake/dawn/knowledge_base.rb +28 -0
- data/lib/codesake/dawn/version.rb +2 -2
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +55 -0
- data/spec/lib/kb/codesake_cve_2013_6416.rb +31 -0
- metadata +14 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: fd0be76a00038c8c874cafa1b5b89df3b9005989
|
4
|
+
data.tar.gz: 1caa7812bac2921b96a84e37f864e1871c786d26
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: aebfc77a671f9ab1ec9db67dad4d3d0f6e82b3289a089a9446b325552503826fa528fed5ad222ab5c514e4c447906dcd6e7a4055b569c119d9f2d73cddbd6660
|
7
|
+
data.tar.gz: f4d7745163ce6ba4bc0d06bc7c02803bcd247d439287045871bfbfb85558850ec35ddbb775343b3f6a995f6602e6b55e4f28ed7dae56353410d7bbb5e37c646b
|
data/Competitive_matrix.md
CHANGED
@@ -135,6 +135,13 @@ applications will be supported as well.
|
|
135
135
|
| CVE-2013-2617 | YES | NO | | | |
|
136
136
|
| CVE-2013-3221 | YES | NO | | | |
|
137
137
|
| CVE-2013-4389 | YES | NO | | | |
|
138
|
+
| CVE-2013-4491 | YES | NO | | | |
|
139
|
+
| CVE-2013-4492 | YES | NO | | | |
|
140
|
+
| CVE-2013-4562 | YES | NO | | | |
|
141
|
+
| CVE-2013-6414 | YES | NO | | | |
|
142
|
+
| CVE-2013-6415 | YES | NO | | | |
|
143
|
+
| CVE-2013-6416 | YES | NO | | | |
|
144
|
+
| CVE-2013-6417 | YES | NO | | | |
|
138
145
|
|
139
146
|
[0] This CVE must be confirmed
|
140
147
|
|
data/README.md
CHANGED
@@ -1,9 +1,9 @@
|
|
1
|
-
# Codesake::Dawn - code review
|
1
|
+
# Codesake::Dawn - The security code review tool for ruby powered code
|
2
2
|
|
3
|
-
|
4
|
-
|
5
|
-
[
|
6
|
-
frameworks.
|
3
|
+
codesake-dawn is a source code review tool crafted to detect security issues in
|
4
|
+
ruby written code. The main usage is to apply codesake-dawn to web
|
5
|
+
applications, it supports [Sinatra](http://www.sinatrarb.com),
|
6
|
+
[Padrino](http://www.padrinorb.com) and of course [Ruby on Rails](http://rubyonrails.org) frameworks.
|
7
7
|
|
8
8
|
[![Gem Version](https://badge.fury.io/rb/codesake-dawn.png)](http://badge.fury.io/rb/codesake-dawn)
|
9
9
|
[![Build Status](https://travis-ci.org/codesake/codesake-dawn.png?branch=master)](https://travis-ci.org/codesake/codesake-dawn)
|
@@ -22,7 +22,7 @@ github: [https://github.com/codesake/codesake\-dawn](https://github.com/codesa
|
|
22
22
|
|
23
23
|
You can install dawn, directly using [Rubygems](https://rubygems.org) by typing:
|
24
24
|
|
25
|
-
gem
|
25
|
+
gem install codesake-dawn
|
26
26
|
|
27
27
|
If you want to add dawn to your project Gemfile, you must add the following:
|
28
28
|
|
@@ -68,17 +68,36 @@ application:
|
|
68
68
|
|
69
69
|
```
|
70
70
|
$ dawn target
|
71
|
-
|
72
|
-
08:
|
73
|
-
08:
|
74
|
-
08:
|
75
|
-
08:
|
76
|
-
08:
|
77
|
-
08:
|
78
|
-
08:
|
79
|
-
|
80
|
-
08:
|
81
|
-
08:
|
71
|
+
8:28:18 [*] dawn v0.80.0 is starting up
|
72
|
+
08:28:18 [$] dawn: scanning spec/support/sinatra-vulnerable
|
73
|
+
08:28:18 [$] dawn: sinatra v1.2.6 detected
|
74
|
+
08:28:18 [$] dawn: applying all security checks
|
75
|
+
08:28:18 [$] dawn: 37 security checks applied - 0 security checks skipped
|
76
|
+
08:28:18 [$] dawn: 5 vulnerabilities found
|
77
|
+
08:28:18 [$] dawn: Not revised code failed
|
78
|
+
08:28:18 [$] dawn: Description: Analyzing comments, it seems your code is waiting from some review from you. Please consider take action before putting it in production.
|
79
|
+
This check will analyze the source code looking for the following patterns: XXX, TO_CHECK, CHECKME, CHECK and FIXME
|
80
|
+
08:28:18 [$] dawn: Solution: Please review the file fixing the issue.
|
81
|
+
08:28:18 [!] dawn: Evidence:
|
82
|
+
08:28:18 [!] dawn: {:filename=>"spec/support/sinatra-vulnerable/application.rb", :matches=>[{:match=>"# FIXME: I must raise an error here\n", :line=>30}]}
|
83
|
+
08:28:18 [$] dawn: CVE-2013-0269 failed
|
84
|
+
08:28:18 [$] dawn: Description: The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
|
85
|
+
08:28:18 [$] dawn: Solution: Please upgrade JSON gem to version 1.5.5, 1.6.8 or 1.7.7 or latest version available
|
86
|
+
08:28:18 [!] dawn: Evidence:
|
87
|
+
08:28:18 [!] dawn: Vulnerable json gem version found: 1.4.6
|
88
|
+
08:28:18 [$] dawn: CVE-2013-1800 failed
|
89
|
+
08:28:18 [$] dawn: Description: The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
|
90
|
+
08:28:18 [$] dawn: Solution: Please use crack gem version 0.3.2 or above. Correct your gemfile
|
91
|
+
08:28:18 [!] dawn: Evidence:
|
92
|
+
08:28:18 [!] dawn: Vulnerable crack gem version found: 0.3.1
|
93
|
+
08:28:18 [$] dawn: CVE-2013-4164 failed
|
94
|
+
08:28:18 [$] dawn: Description: Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) are vulnerable.
|
95
|
+
08:28:18 [$] dawn: Solution: All users are recommended to upgrade to Ruby 1.9.3 patchlevel 484, ruby 2.0.0 patchlevel 353 or ruby 2.1.0 preview2.
|
96
|
+
08:28:18 [!] dawn: Evidence:
|
97
|
+
08:28:18 [!] dawn: ruby v2.0.0-p247 detected
|
98
|
+
08:28:18 [$] dawn: 1 reflected XSS found
|
99
|
+
08:28:18 [$] dawn: request parameter "name"
|
100
|
+
08:28:18 [*] dawn is leaving
|
82
101
|
```
|
83
102
|
|
84
103
|
|
@@ -89,6 +108,24 @@ flag:
|
|
89
108
|
$ dawn -k|--list-knowledge-base
|
90
109
|
```
|
91
110
|
|
111
|
+
In the 0.80 gem version, there are 75 security checks designed for application written in ruby.
|
112
|
+
|
113
|
+
## Supporters
|
114
|
+
|
115
|
+
To me as project leader it's very important to have feedbacks. I really want to
|
116
|
+
ear your voice.
|
117
|
+
|
118
|
+
If you're a proud codesake-dawn user, if you find it useful, if you integrated
|
119
|
+
it in your release process and if you want to openly support the project you
|
120
|
+
can put your reference here.
|
121
|
+
|
122
|
+
|
123
|
+
You can support the project by forking the repo, adding a success story, a
|
124
|
+
statement saying how do you feel the tool or your company logo as well and then
|
125
|
+
submitting a pull request.
|
126
|
+
|
127
|
+
Thank you for your support.
|
128
|
+
|
92
129
|
## Thanks to
|
93
130
|
|
94
131
|
[saten](https://github.com/saten): first issue posted about a typo in the README
|
data/Rakefile
CHANGED
@@ -70,3 +70,53 @@ task :new_cve, :name do |t,args|
|
|
70
70
|
|
71
71
|
|
72
72
|
end
|
73
|
+
|
74
|
+
|
75
|
+
|
76
|
+
desc "Create a new Generic security check"
|
77
|
+
task :new_check, :name do |t,args|
|
78
|
+
name = args.name
|
79
|
+
SRC_DIR = "./lib/codesake/dawn/kb/"
|
80
|
+
SPEC_DIR = "./spec/lib/kb/"
|
81
|
+
|
82
|
+
raise "### It seems that #{name} is already in Dawn knowledge base" unless Codesake::Dawn::KnowledgeBase.find(nil, name).nil?
|
83
|
+
raise "### No target directory: #{SRC_DIR}" unless Dir.exists?(SRC_DIR)
|
84
|
+
raise "### No rspec directory: #{SPEC_DIR}" unless Dir.exists?(SPEC_DIR)
|
85
|
+
|
86
|
+
puts "Adding #{name} to knowledge base..."
|
87
|
+
|
88
|
+
rb_filename = SRC_DIR+name.downcase.gsub("-", "_")+".rb"
|
89
|
+
spec_filename = SPEC_DIR+name.downcase.gsub("-", "_")+"_spec.rb"
|
90
|
+
class_name = name.gsub("-", "_")
|
91
|
+
|
92
|
+
open(rb_filename, "w") do |file|
|
93
|
+
file.puts "module Codesake"
|
94
|
+
file.puts "\tmodule Dawn"
|
95
|
+
file.puts "\t\tmodule Kb"
|
96
|
+
file.puts "\t\t\t# Automatically created with rake on #{Time.now.strftime('%Y-%m-%d')}"
|
97
|
+
file.puts "\t\t\tclass #{class_name}"
|
98
|
+
file.puts "\t\t\t\t# Include the testing skeleton for this Security Check"
|
99
|
+
file.puts "\t\t\t\t# include PatternMatchCheck"
|
100
|
+
file.puts "\t\t\t\t# include DependencyCheck"
|
101
|
+
file.puts "\t\t\t\t# include RubyVersionCheck"
|
102
|
+
file.puts ""
|
103
|
+
file.puts "\t\t\t\tdef initialize"
|
104
|
+
file.puts "\t\t\t\tend"
|
105
|
+
file.puts "\t\t\tend"
|
106
|
+
file.puts "\t\tend"
|
107
|
+
file.puts "\tend"
|
108
|
+
file.puts "end"
|
109
|
+
end
|
110
|
+
puts "#{rb_filename} created"
|
111
|
+
|
112
|
+
puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
|
113
|
+
puts "*** PLEASE ADD THIS CODE IN lib/codesake/dawn/knowledge_base.rb in order to reflect changes"
|
114
|
+
puts "require \"codesake/dawn/kb/#{class_name.downcase}\""
|
115
|
+
puts "it \"must have test for #{name}\" do"
|
116
|
+
puts " sc = kb.find(\"#{name}\")"
|
117
|
+
puts " sc.should_not be_nil"
|
118
|
+
puts " sc.class.should == Codesake::Dawn::Kb::#{class_name}"
|
119
|
+
puts "end"
|
120
|
+
|
121
|
+
|
122
|
+
end
|
data/Roadmap.md
CHANGED
@@ -99,15 +99,18 @@ able to scan something. It deserves a special release.
|
|
99
99
|
|
100
100
|
## Version 0.80
|
101
101
|
|
102
|
-
*
|
103
|
-
*
|
104
|
-
*
|
105
|
-
*
|
106
|
-
*
|
107
|
-
*
|
108
|
-
*
|
109
|
-
*
|
110
|
-
|
102
|
+
* adding test for CVE-2013-4164
|
103
|
+
* adding test for CVE-2013-4457
|
104
|
+
* adding test for CVE-2013-4562
|
105
|
+
* added a '-z' flag to exit the process with the number of issues found as exit code
|
106
|
+
* added a Cross Site Scripting in Simple Form gem
|
107
|
+
* adding test for CVE-2013-4492
|
108
|
+
* adding test for CVE-2013-4491
|
109
|
+
* adding test for CVE-2013-6414
|
110
|
+
* adding test for CVE-2013-6415
|
111
|
+
* adding test for CVE-2013-6416
|
112
|
+
* adding test for CVE-2013-6417
|
113
|
+
|
111
114
|
|
112
115
|
## Version 0.90
|
113
116
|
|
@@ -172,6 +175,16 @@ able to scan something. It deserves a special release.
|
|
172
175
|
* detect SQLi in Sinatra applications
|
173
176
|
* detect SQLi in Padrino applications
|
174
177
|
|
178
|
+
* detect sinks for XSS in Padrino applications
|
179
|
+
* detect reflected XSS in Padrino applications
|
180
|
+
* detect stored XSS in Sinatra applications
|
181
|
+
* detect stored XSS in Padrino applications
|
182
|
+
* detect insecure direct object reference in Sinatra applications
|
183
|
+
* detect insecure direct object reference in Padrino applications
|
184
|
+
* support ERB for in detect\_views (for both Sinatra and Padrino)
|
185
|
+
* integration with [codesake.com](http://codesake.com) with a public available
|
186
|
+
APIs to be consumed by codesake beta users.
|
187
|
+
|
175
188
|
## Version 1.00
|
176
189
|
|
177
190
|
* adding test for CVE-2008-4310
|
data/bin/dawn
CHANGED
@@ -74,6 +74,7 @@ def help
|
|
74
74
|
printf "\n -o, --output [console, json. csv, html]\tthe output will be in the specified format"
|
75
75
|
printf "\n -V, --verbose\t\t\t\tthe output will be more verbose"
|
76
76
|
printf "\n -C, --count-only\t\t\t\tdawn will only count vulnerabilities (useful for scripts)"
|
77
|
+
printf "\n -z, --exit-on-warn\t\t\t\tdawn will return number of found vulnerabilities as exit code"
|
77
78
|
printf "\n -v, --version\t\t\t\tshow version information"
|
78
79
|
printf "\n -h, --help\t\t\t\t\tshow this help\n"
|
79
80
|
|
@@ -98,11 +99,12 @@ opts = GetoptLong.new(
|
|
98
99
|
[ '--verbose', '-V', GetoptLong::NO_ARGUMENT],
|
99
100
|
[ '--debug', '-D', GetoptLong::NO_ARGUMENT],
|
100
101
|
[ '--count-only', '-C', GetoptLong::NO_ARGUMENT],
|
102
|
+
[ '--exit-on-warn', '-z', GetoptLong::NO_ARGUMENT],
|
101
103
|
[ '--version', '-v', GetoptLong::NO_ARGUMENT],
|
102
104
|
[ '--help', '-h', GetoptLong::NO_ARGUMENT]
|
103
105
|
)
|
104
106
|
engine = nil
|
105
|
-
options = {:verbose=>false, :output=>"console", :count_only=>false, :dump_kb=>false, :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :debug=>false}
|
107
|
+
options = {:verbose=>false, :output=>"console", :count_only=>false, :dump_kb=>false, :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :debug=>false, :exit_on_warn => false}
|
106
108
|
|
107
109
|
trap("INT") { $logger.die('[INTERRUPTED]') }
|
108
110
|
check = ""
|
@@ -135,6 +137,8 @@ opts.each do |opt, val|
|
|
135
137
|
options[:count_only] = true
|
136
138
|
when '--debug'
|
137
139
|
options[:debug] = true
|
140
|
+
when '--exit-on-warn'
|
141
|
+
options[:exit_on_warn] = true
|
138
142
|
|
139
143
|
when '--list-knowledgebase'
|
140
144
|
options[:dump_kb]=true
|
@@ -187,6 +191,14 @@ engine = Codesake::Dawn::GemfileLock.new(target, options[:gemfile_name], options
|
|
187
191
|
|
188
192
|
$logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags") if engine.nil?
|
189
193
|
|
194
|
+
if options[:exit_on_warn]
|
195
|
+
Kernel.at_exit do
|
196
|
+
if engine.count_vulnerabilities != 0
|
197
|
+
Kernel.exit(engine.count_vulnerabilities)
|
198
|
+
end
|
199
|
+
end
|
200
|
+
end
|
201
|
+
|
190
202
|
if options[:count_only]
|
191
203
|
ret = dry_run(target, engine)
|
192
204
|
|
@@ -220,7 +232,7 @@ if engine.count_vulnerabilities != 0
|
|
220
232
|
$logger.log "#{engine.count_vulnerabilities} vulnerabilities found"
|
221
233
|
engine.vulnerabilities.each do |vuln|
|
222
234
|
$logger.log "#{vuln[:name]} failed"
|
223
|
-
$logger.log "Description: #{vuln[:message]}"
|
235
|
+
$logger.log "Description: #{vuln[:message]}"
|
224
236
|
$logger.log "Solution: #{vuln[:remediation]}"
|
225
237
|
$logger.err "Evidence:"
|
226
238
|
vuln[:evidences].each do |evidence|
|
@@ -0,0 +1,32 @@
|
|
1
|
+
module Codesake
|
2
|
+
module Dawn
|
3
|
+
module Kb
|
4
|
+
# Automatically created with rake on 2013-11-26
|
5
|
+
class CVE_2013_4164
|
6
|
+
include RubyVersionCheck
|
7
|
+
|
8
|
+
def initialize
|
9
|
+
message = "Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) are vulnerable."
|
10
|
+
|
11
|
+
super({
|
12
|
+
:name=>"CVE-2013-4164",
|
13
|
+
:cvss=>"not assigned",
|
14
|
+
:release_date => Date.new(2013, 11, 23),
|
15
|
+
:cwe=>"",
|
16
|
+
:owasp=>"A9",
|
17
|
+
:applies=>["rails", "sinatra", "padrino"],
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
19
|
+
:message=>message,
|
20
|
+
:mitigation=>"All users are recommended to upgrade to Ruby 1.9.3 patchlevel 484, ruby 2.0.0 patchlevel 353 or ruby 2.1.0 preview2.",
|
21
|
+
:aux_links=>["https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/"]
|
22
|
+
})
|
23
|
+
|
24
|
+
self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p484"}, {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p353"},
|
25
|
+
{:engine=>"ruby", :version=>"2.1.0", :patchlevel=>"preview2"}]
|
26
|
+
|
27
|
+
end
|
28
|
+
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
32
|
+
end
|
@@ -0,0 +1,30 @@
|
|
1
|
+
module Codesake
|
2
|
+
module Dawn
|
3
|
+
module Kb
|
4
|
+
# Automatically created with rake on 2013-11-26
|
5
|
+
class CVE_2013_4457
|
6
|
+
include DependencyCheck
|
7
|
+
|
8
|
+
def initialize
|
9
|
+
message="The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent attackers to execute arbitrary commands via a crafted has object, related to recursive variable interpolation."
|
10
|
+
super({
|
11
|
+
:name=>"CVE-2013-4457",
|
12
|
+
:cvss=>"not assigned",
|
13
|
+
:release_date => Date.new(2013, 10, 22),
|
14
|
+
:cwe=>"",
|
15
|
+
:owasp=>"A9",
|
16
|
+
:applies=>["rails", "sinatra", "padrino"],
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
18
|
+
:message=>message,
|
19
|
+
:mitigation=>"You must upgrade to cocain gem version 0.5.3 or later",
|
20
|
+
:aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/3XTGFbAJoTg"]
|
21
|
+
})
|
22
|
+
|
23
|
+
self.safe_dependencies = [{:name=>"cocaine", :version=>['0.5.3', '0.4.9999']}]
|
24
|
+
|
25
|
+
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
@@ -0,0 +1,30 @@
|
|
1
|
+
module Codesake
|
2
|
+
module Dawn
|
3
|
+
module Kb
|
4
|
+
# Automatically created with rake on 2013-12-11
|
5
|
+
class CVE_2013_4491
|
6
|
+
include DependencyCheck
|
7
|
+
|
8
|
+
def initialize
|
9
|
+
message = "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem."
|
10
|
+
|
11
|
+
super({
|
12
|
+
:name=>"CVE-2013-4491",
|
13
|
+
:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
14
|
+
:release_date => Date.new(2013, 12, 7),
|
15
|
+
:cwe=>"79",
|
16
|
+
:owasp=>"A9",
|
17
|
+
:applies=>["rails"],
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
19
|
+
:message=>message,
|
20
|
+
:mitigation=>"Please upgrade rails to version 3.2.16 or 4.0.2. As a general rule, using the latest stable version is recommended.",
|
21
|
+
:aux_links=>["https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"]
|
22
|
+
})
|
23
|
+
|
24
|
+
self.safe_dependencies = [{:name=>"rails", :version=>['3.2.16', '4.0.2', '3.1.9999', '3.0.9999']}]
|
25
|
+
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
@@ -0,0 +1,31 @@
|
|
1
|
+
module Codesake
|
2
|
+
module Dawn
|
3
|
+
module Kb
|
4
|
+
# Automatically created with rake on 2013-12-11
|
5
|
+
class CVE_2013_4492
|
6
|
+
include DependencyCheck
|
7
|
+
|
8
|
+
def initialize
|
9
|
+
message = "Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationData.new call."
|
10
|
+
|
11
|
+
super({
|
12
|
+
:name=>"CVE-2013-4492",
|
13
|
+
:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
14
|
+
:release_date => Date.new(2013, 12, 7),
|
15
|
+
:cwe=>"79",
|
16
|
+
:owasp=>"A9",
|
17
|
+
:applies=>["rails", "sinatra", "padrino"],
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
19
|
+
:message=>message,
|
20
|
+
:mitigation=>"Please upgrade ruby-i18n to version 0.6.6. As a general rule, using the latest stable version is recommended.",
|
21
|
+
:aux_links=>["https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"]
|
22
|
+
})
|
23
|
+
|
24
|
+
self.safe_dependencies = [{:name=>"ruby-i18n", :version=>['0.6.6']}]
|
25
|
+
|
26
|
+
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
@@ -0,0 +1,29 @@
|
|
1
|
+
module Codesake
|
2
|
+
module Dawn
|
3
|
+
module Kb
|
4
|
+
# Automatically created with rake on 2013-11-26
|
5
|
+
class CVE_2013_4562
|
6
|
+
include DependencyCheck
|
7
|
+
|
8
|
+
def initialize
|
9
|
+
message = "Because of the way that omniauth-facebook supports setting a per-request state parameter by storing it in the session, it is possible to circumvent the automatic CSRF protection. Therefore the CSRF added in 1.4.1 should be considered broken. If you are currently providing a custom state, you will need to store and retrieve this yourself (for example, by using the session store) to use 1.5.0."
|
10
|
+
super({
|
11
|
+
:name=>"CVE-2013-4562",
|
12
|
+
:cvss=>"not assigned",
|
13
|
+
:release_date => Date.new(2013, 11, 14),
|
14
|
+
:cwe=>"",
|
15
|
+
:owasp=>"A9",
|
16
|
+
:applies=>["rails", "sinatra", "padrino"],
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
18
|
+
:message=>message,
|
19
|
+
:mitigation=>"You must upgrade at least to 1.5.0 or later",
|
20
|
+
:aux_links=>["https://groups.google.com/forum/#!msg/ruby-security-ann/-tJHNlTiPh4/9SJxdEWLIawJ"]
|
21
|
+
})
|
22
|
+
|
23
|
+
self.safe_dependencies = [{:name=>"omniauth-facebook", :version=>['1.5.0']}]
|
24
|
+
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
@@ -0,0 +1,31 @@
|
|
1
|
+
module Codesake
|
2
|
+
module Dawn
|
3
|
+
module Kb
|
4
|
+
# Automatically created with rake on 2013-12-12
|
5
|
+
class CVE_2013_6414
|
6
|
+
include DependencyCheck
|
7
|
+
|
8
|
+
def initialize
|
9
|
+
message = "actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching."
|
10
|
+
|
11
|
+
|
12
|
+
super({
|
13
|
+
:name=>"CVE-2013-6414",
|
14
|
+
:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
15
|
+
:release_date => Date.new(2013, 12, 7),
|
16
|
+
:cwe=>"20",
|
17
|
+
:owasp=>"A9",
|
18
|
+
:applies=>["rails"],
|
19
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
20
|
+
:message=>message,
|
21
|
+
:mitigation=>"Please upgrade rails to version 3.2.16 or 4.0.2. As a general rule, using the latest stable version is recommended.",
|
22
|
+
:aux_links=>["https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ"]
|
23
|
+
})
|
24
|
+
|
25
|
+
self.safe_dependencies = [{:name=>"rails", :version=>['3.2.16', '4.0.2', '3.1.9999', '3.0.9999']}]
|
26
|
+
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
@@ -0,0 +1,30 @@
|
|
1
|
+
module Codesake
|
2
|
+
module Dawn
|
3
|
+
module Kb
|
4
|
+
# Automatically created with rake on 2013-12-12
|
5
|
+
class CVE_2013_6415
|
6
|
+
include DependencyCheck
|
7
|
+
|
8
|
+
def initialize
|
9
|
+
message="Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter."
|
10
|
+
super({
|
11
|
+
:name=>"CVE-2013-6415",
|
12
|
+
:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
13
|
+
:release_date => Date.new(2013, 12, 7),
|
14
|
+
:cwe=>"79",
|
15
|
+
:owasp=>"A9",
|
16
|
+
:applies=>["rails"],
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
18
|
+
:message=>message,
|
19
|
+
:mitigation=>"Please upgrade rails to version 3.2.16 or 4.0.2. As a general rule, using the latest stable version is recommended.",
|
20
|
+
:aux_links=>["https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"]
|
21
|
+
})
|
22
|
+
|
23
|
+
self.safe_dependencies = [{:name=>"rails", :version=>['3.2.16', '4.0.2', '3.1.9999', '3.0.9999']}]
|
24
|
+
|
25
|
+
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
@@ -0,0 +1,30 @@
|
|
1
|
+
module Codesake
|
2
|
+
module Dawn
|
3
|
+
module Kb
|
4
|
+
# Automatically created with rake on 2013-12-12
|
5
|
+
class CVE_2013_6416
|
6
|
+
include DependencyCheck
|
7
|
+
|
8
|
+
def initialize
|
9
|
+
message = "Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute."
|
10
|
+
|
11
|
+
super({
|
12
|
+
:name=>"CVE-2013-6416",
|
13
|
+
:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N) ",
|
14
|
+
:release_date => Date.new(2013, 12, 7),
|
15
|
+
:cwe=>"79",
|
16
|
+
:owasp=>"A9",
|
17
|
+
:applies=>["rails"],
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
19
|
+
:message=>message,
|
20
|
+
:mitigation=>"Please upgrade rails to version 4.0.2. As a general rule, using the latest stable version is recommended. Versions 3.x are not affected",
|
21
|
+
:aux_links=>["https://groups.google.com/forum/message/raw?msg=ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ"]
|
22
|
+
})
|
23
|
+
|
24
|
+
self.safe_dependencies = [{:name=>"rails", :version=>['4.0.2']}]
|
25
|
+
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
@@ -0,0 +1,31 @@
|
|
1
|
+
module Codesake
|
2
|
+
module Dawn
|
3
|
+
module Kb
|
4
|
+
# Automatically created with rake on 2013-12-12
|
5
|
+
class CVE_2013_6417
|
6
|
+
include DependencyCheck
|
7
|
+
|
8
|
+
def initialize
|
9
|
+
message ="actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155."
|
10
|
+
|
11
|
+
super({
|
12
|
+
:name=>"CVE-2013-6417",
|
13
|
+
:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:N",
|
14
|
+
:release_date => Date.new(2013, 12, 7),
|
15
|
+
:cwe=>"264",
|
16
|
+
:owasp=>"A9",
|
17
|
+
:applies=>["rails"],
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
19
|
+
:message=>message,
|
20
|
+
:mitigation=>"Please upgrade rails to version 3.2.16 or 4.0.2. As a general rule, using the latest stable version is recommended.",
|
21
|
+
:aux_links=>["https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"]
|
22
|
+
})
|
23
|
+
|
24
|
+
self.safe_dependencies = [{:name=>"rails", :version=>['3.2.16', '4.0.2', '3.1.9999', '3.0.9999']}]
|
25
|
+
|
26
|
+
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
@@ -29,12 +29,12 @@ module Codesake
|
|
29
29
|
ve = self.is_same_version?(detected_ruby[:version], vv_a)
|
30
30
|
vp = is_vulnerable_patchlevel?(detected_ruby[:patchlevel], detected_ruby[:version])
|
31
31
|
|
32
|
-
# XXX Debug statements to be replaced with logger call
|
33
32
|
debug_me("D:#{self.name}, VENGINE=#{vengine}, VV=#{vv}, VE=#{ve}, VP=#{vp}->#{vv && vengine}, #{(ve && vp && vengine )}")
|
34
33
|
debug_me("S:#{@safe_rubies}")
|
35
34
|
debug_me("DD:#{@detected_ruby}")
|
36
35
|
|
37
36
|
|
37
|
+
|
38
38
|
if ( vv && vengine)
|
39
39
|
@status = vp if ve
|
40
40
|
@status = true unless ve
|
@@ -43,6 +43,7 @@ module Codesake
|
|
43
43
|
end
|
44
44
|
|
45
45
|
debug_me("STATUS:#{@status}")
|
46
|
+
self.evidences << "#{@detected_ruby[:engine]} v#{@detected_ruby[:version]}-#{@detected_ruby[:patchlevel]} detected" if @status
|
46
47
|
|
47
48
|
return @status
|
48
49
|
|
@@ -0,0 +1,30 @@
|
|
1
|
+
module Codesake
|
2
|
+
module Dawn
|
3
|
+
module Kb
|
4
|
+
# Automatically created with rake on 2013-12-11
|
5
|
+
class SimpleForm_Xss_20131129
|
6
|
+
include DependencyCheck
|
7
|
+
|
8
|
+
def initialize
|
9
|
+
message = "There is a XSS vulnerability on Simple Form's label, hint and error options. When Simple Form creates a label, hint or error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the text of these helpers can be provided by the users, malicious values can be provided and Simple Form will mark it as safe."
|
10
|
+
|
11
|
+
super({
|
12
|
+
:name=>"Simple Form XSS - 20131129",
|
13
|
+
:cvss=>"none",
|
14
|
+
:release_date => Date.new(2013, 11, 29),
|
15
|
+
:cwe=>"",
|
16
|
+
:owasp=>"A9",
|
17
|
+
:applies=>["rails", "padrino", "sinatra"],
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
19
|
+
:message=>message,
|
20
|
+
:mitigation=>"Please upgrade Simple Form the 3.0.1 and 2.1.1 releases are available at the normal locations.",
|
21
|
+
:aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/flHbLMb07tE"]
|
22
|
+
})
|
23
|
+
|
24
|
+
self.safe_dependencies = [{:name=>"simple_form", :version=>['3.0.1', '2.1.1']}]
|
25
|
+
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
@@ -10,6 +10,14 @@ require "codesake/dawn/kb/combo_check"
|
|
10
10
|
require "codesake/dawn/kb/not_revised_code"
|
11
11
|
require "codesake/dawn/kb/owasp_ror_cheatsheet"
|
12
12
|
|
13
|
+
# Security checks with no or pending CVE
|
14
|
+
|
15
|
+
# A XSS issue on Simple Form gem reported by Rafael Mendonça França on
|
16
|
+
# November, 29 2013
|
17
|
+
#
|
18
|
+
# https://groups.google.com/forum/#!topic/ruby-security-ann/flHbLMb07tE
|
19
|
+
require "codesake/dawn/kb/simpleform_xss_20131129"
|
20
|
+
|
13
21
|
# CVE - 2010
|
14
22
|
require "codesake/dawn/kb/cve_2010_1330"
|
15
23
|
|
@@ -79,7 +87,16 @@ require "codesake/dawn/kb/cve_2013_2615"
|
|
79
87
|
require "codesake/dawn/kb/cve_2013_2616"
|
80
88
|
require "codesake/dawn/kb/cve_2013_2617"
|
81
89
|
require "codesake/dawn/kb/cve_2013_3221"
|
90
|
+
require "codesake/dawn/kb/cve_2013_4164"
|
82
91
|
require "codesake/dawn/kb/cve_2013_4389"
|
92
|
+
require "codesake/dawn/kb/cve_2013_4457"
|
93
|
+
require "codesake/dawn/kb/cve_2013_4491"
|
94
|
+
require "codesake/dawn/kb/cve_2013_4492"
|
95
|
+
require "codesake/dawn/kb/cve_2013_4562"
|
96
|
+
require "codesake/dawn/kb/cve_2013_6414"
|
97
|
+
require "codesake/dawn/kb/cve_2013_6415"
|
98
|
+
require "codesake/dawn/kb/cve_2013_6416"
|
99
|
+
require "codesake/dawn/kb/cve_2013_6417"
|
83
100
|
|
84
101
|
|
85
102
|
module Codesake
|
@@ -145,6 +162,7 @@ module Codesake
|
|
145
162
|
[
|
146
163
|
Codesake::Dawn::Kb::NotRevisedCode.new,
|
147
164
|
Codesake::Dawn::Kb::OwaspRorCheatsheet.new,
|
165
|
+
Codesake::Dawn::Kb::SimpleForm_Xss_20131129.new,
|
148
166
|
Codesake::Dawn::Kb::CVE_2010_1330.new,
|
149
167
|
Codesake::Dawn::Kb::CVE_2011_0446.new,
|
150
168
|
Codesake::Dawn::Kb::CVE_2011_0447.new,
|
@@ -207,7 +225,17 @@ module Codesake
|
|
207
225
|
Codesake::Dawn::Kb::CVE_2013_2616.new,
|
208
226
|
Codesake::Dawn::Kb::CVE_2013_2617.new,
|
209
227
|
Codesake::Dawn::Kb::CVE_2013_3221.new,
|
228
|
+
Codesake::Dawn::Kb::CVE_2013_4164.new,
|
210
229
|
Codesake::Dawn::Kb::CVE_2013_4389.new,
|
230
|
+
Codesake::Dawn::Kb::CVE_2013_4457.new,
|
231
|
+
Codesake::Dawn::Kb::CVE_2013_4491.new,
|
232
|
+
Codesake::Dawn::Kb::CVE_2013_4492.new,
|
233
|
+
Codesake::Dawn::Kb::CVE_2013_4562.new,
|
234
|
+
Codesake::Dawn::Kb::CVE_2013_6414.new,
|
235
|
+
Codesake::Dawn::Kb::CVE_2013_6415.new,
|
236
|
+
Codesake::Dawn::Kb::CVE_2013_6416.new,
|
237
|
+
Codesake::Dawn::Kb::CVE_2013_6417.new,
|
238
|
+
|
211
239
|
]
|
212
240
|
end
|
213
241
|
end
|
@@ -371,4 +371,59 @@ describe "The Codesake Dawn knowledge base" do
|
|
371
371
|
sc.class.should == Codesake::Dawn::Kb::CVE_2013_4389
|
372
372
|
end
|
373
373
|
|
374
|
+
it "must have test for CVE-2013-4164" do
|
375
|
+
sc = kb.find("CVE-2013-4164")
|
376
|
+
sc.should_not be_nil
|
377
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_4164
|
378
|
+
end
|
379
|
+
|
380
|
+
it "must have test for CVE-2013-4562" do
|
381
|
+
sc = kb.find("CVE-2013-4562")
|
382
|
+
sc.should_not be_nil
|
383
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_4562
|
384
|
+
end
|
385
|
+
it "must have test for CVE-2013-4457" do
|
386
|
+
sc = kb.find("CVE-2013-4457")
|
387
|
+
sc.should_not be_nil
|
388
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_4457
|
389
|
+
end
|
390
|
+
|
391
|
+
it "must have test for 20131129-SimpleForm-Xss" do
|
392
|
+
sc = kb.find("Simple Form XSS - 20131129")
|
393
|
+
sc.should_not be_nil
|
394
|
+
sc.class.should == Codesake::Dawn::Kb::SimpleForm_Xss_20131129
|
395
|
+
end
|
396
|
+
|
397
|
+
it "must have test for CVE-2013-4491" do
|
398
|
+
sc = kb.find("CVE-2013-4491")
|
399
|
+
sc.should_not be_nil
|
400
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_4491
|
401
|
+
end
|
402
|
+
|
403
|
+
it "must have test for CVE-2013-4492" do
|
404
|
+
sc = kb.find("CVE-2013-4492")
|
405
|
+
sc.should_not be_nil
|
406
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_4492
|
407
|
+
end
|
408
|
+
it "must have test for CVE-2013-6414" do
|
409
|
+
sc = kb.find("CVE-2013-6414")
|
410
|
+
sc.should_not be_nil
|
411
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_6414
|
412
|
+
end
|
413
|
+
it "must have test for CVE-2013-6415" do
|
414
|
+
sc = kb.find("CVE-2013-6415")
|
415
|
+
sc.should_not be_nil
|
416
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_6415
|
417
|
+
end
|
418
|
+
it "must have test for CVE-2013-6416" do
|
419
|
+
sc = kb.find("CVE-2013-6416")
|
420
|
+
sc.should_not be_nil
|
421
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_6416
|
422
|
+
end
|
423
|
+
|
424
|
+
it "must have test for CVE-2013-6417" do
|
425
|
+
sc = kb.find("CVE-2013-6417")
|
426
|
+
sc.should_not be_nil
|
427
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_6417
|
428
|
+
end
|
374
429
|
end
|
@@ -0,0 +1,31 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe "The CVE-2013-6416 vulnerability" do
|
4
|
+
before(:all) do
|
5
|
+
@check = Codesake::Dawn::Kb::CVE_2013_6416.new
|
6
|
+
# @check.debug = true
|
7
|
+
end
|
8
|
+
it "is detected if vulnerable version of rails rubygem is detected" do
|
9
|
+
@check.options[:dependencies]=[{:name=>"rails", :version=>'4.0.1'}]
|
10
|
+
@check.vuln?.should be_true
|
11
|
+
end
|
12
|
+
it "is ignored if rails version is 3.2.x" do
|
13
|
+
@check.options[:dependencies]=[{:name=>"rails", :version=>'3.2.16'}]
|
14
|
+
@check.vuln?.should be_false
|
15
|
+
end
|
16
|
+
|
17
|
+
it "is ignored if rails version is 3.1.x" do
|
18
|
+
@check.options[:dependencies]=[{:name=>"rails", :version=>'3.1.16'}]
|
19
|
+
@check.vuln?.should be_false
|
20
|
+
end
|
21
|
+
it "is ignored if rails version is 3.0.x" do
|
22
|
+
@check.options[:dependencies]=[{:name=>"rails", :version=>'3.0.16'}]
|
23
|
+
@check.vuln?.should be_false
|
24
|
+
end
|
25
|
+
it "is ignored if rails version is 2.3.x" do
|
26
|
+
@check.options[:dependencies]=[{:name=>"rails", :version=>'2.3.16'}]
|
27
|
+
@check.vuln?.should be_false
|
28
|
+
end
|
29
|
+
|
30
|
+
|
31
|
+
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: codesake-dawn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.80.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Paolo Perego
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2013-
|
11
|
+
date: 2013-12-12 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: codesake-commons
|
@@ -303,7 +303,16 @@ files:
|
|
303
303
|
- lib/codesake/dawn/kb/cve_2013_2616.rb
|
304
304
|
- lib/codesake/dawn/kb/cve_2013_2617.rb
|
305
305
|
- lib/codesake/dawn/kb/cve_2013_3221.rb
|
306
|
+
- lib/codesake/dawn/kb/cve_2013_4164.rb
|
306
307
|
- lib/codesake/dawn/kb/cve_2013_4389.rb
|
308
|
+
- lib/codesake/dawn/kb/cve_2013_4457.rb
|
309
|
+
- lib/codesake/dawn/kb/cve_2013_4491.rb
|
310
|
+
- lib/codesake/dawn/kb/cve_2013_4492.rb
|
311
|
+
- lib/codesake/dawn/kb/cve_2013_4562.rb
|
312
|
+
- lib/codesake/dawn/kb/cve_2013_6414.rb
|
313
|
+
- lib/codesake/dawn/kb/cve_2013_6415.rb
|
314
|
+
- lib/codesake/dawn/kb/cve_2013_6416.rb
|
315
|
+
- lib/codesake/dawn/kb/cve_2013_6417.rb
|
307
316
|
- lib/codesake/dawn/kb/dependency_check.rb
|
308
317
|
- lib/codesake/dawn/kb/not_revised_code.rb
|
309
318
|
- lib/codesake/dawn/kb/operating_system_check.rb
|
@@ -315,6 +324,7 @@ files:
|
|
315
324
|
- lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb
|
316
325
|
- lib/codesake/dawn/kb/pattern_match_check.rb
|
317
326
|
- lib/codesake/dawn/kb/ruby_version_check.rb
|
327
|
+
- lib/codesake/dawn/kb/simpleform_xss_20131129.rb
|
318
328
|
- lib/codesake/dawn/knowledge_base.rb
|
319
329
|
- lib/codesake/dawn/padrino.rb
|
320
330
|
- lib/codesake/dawn/rails.rb
|
@@ -327,6 +337,7 @@ files:
|
|
327
337
|
- spec/lib/dawn/codesake_sinatra_engine_spec.rb
|
328
338
|
- spec/lib/kb/codesake_cve_2013_0175_spec.rb
|
329
339
|
- spec/lib/kb/codesake_cve_2013_1655_spec.rb
|
340
|
+
- spec/lib/kb/codesake_cve_2013_6416.rb
|
330
341
|
- spec/lib/kb/codesake_ruby_version_check_spec.rb
|
331
342
|
- spec/lib/kb/owasp_ror_cheatsheet_spec.rb
|
332
343
|
- spec/spec_helper.rb
|
@@ -552,6 +563,7 @@ test_files:
|
|
552
563
|
- spec/lib/dawn/codesake_sinatra_engine_spec.rb
|
553
564
|
- spec/lib/kb/codesake_cve_2013_0175_spec.rb
|
554
565
|
- spec/lib/kb/codesake_cve_2013_1655_spec.rb
|
566
|
+
- spec/lib/kb/codesake_cve_2013_6416.rb
|
555
567
|
- spec/lib/kb/codesake_ruby_version_check_spec.rb
|
556
568
|
- spec/lib/kb/owasp_ror_cheatsheet_spec.rb
|
557
569
|
- spec/spec_helper.rb
|