codesake-dawn 0.79.99 → 0.80.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: de9e08c8270b35f54fa2b233e5998d9e66e5772c
-  data.tar.gz: 7a10a5787cb7b03a335fc4b62d56e630de1738a4
+  metadata.gz: fd0be76a00038c8c874cafa1b5b89df3b9005989
+  data.tar.gz: 1caa7812bac2921b96a84e37f864e1871c786d26
 SHA512:
-  metadata.gz: 88ceeabc3abadd5b795d2c17e3d24492f4cb0e35ce3b965890a43c8dd035ff4b9436c36d2a1280c921553b2741f6cfc2875591db2d25e4d0271d15a740f3d1d2
-  data.tar.gz: d0d515fcda51b7a127923416f555772fb32280df8aa1077ed4e581d8fd567a1401ddc3da123e37da2fd14059730a58e22297c0717bad34aa199f456813992e12
+  metadata.gz: aebfc77a671f9ab1ec9db67dad4d3d0f6e82b3289a089a9446b325552503826fa528fed5ad222ab5c514e4c447906dcd6e7a4055b569c119d9f2d73cddbd6660
+  data.tar.gz: f4d7745163ce6ba4bc0d06bc7c02803bcd247d439287045871bfbfb85558850ec35ddbb775343b3f6a995f6602e6b55e4f28ed7dae56353410d7bbb5e37c646b

data/Competitive_matrix.md

@@ -135,6 +135,13 @@ applications will be supported as well.
 | CVE-2013-2617         | YES           | NO                |             |                   |             |
 | CVE-2013-3221         | YES           | NO                |             |                   |             |
 | CVE-2013-4389         | YES           | NO                |             |                   |             |
+| CVE-2013-4491         | YES           | NO                |             |                   |             |
+| CVE-2013-4492         | YES           | NO                |             |                   |             |
+| CVE-2013-4562         | YES           | NO                |             |                   |             |
+| CVE-2013-6414         | YES           | NO                |             |                   |             |
+| CVE-2013-6415         | YES           | NO                |             |                   |             |
+| CVE-2013-6416         | YES           | NO                |             |                   |             |
+| CVE-2013-6417         | YES           | NO                |             |                   |             |
 
 [0] This CVE must be confirmed
 

data/README.md

@@ -1,9 +1,9 @@
-# Codesake::Dawn - code review engine for ruby powered code
+# Codesake::Dawn - The security code review tool for ruby powered code
 
-Dawn is a static analysis security scanner for ruby written web applications.
-It supports [Sinatra](http://www.sinatrarb.com),
-[Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
-frameworks. 
+codesake-dawn is a source code review tool crafted to detect security issues in
+ruby written code. The main usage is to apply codesake-dawn to web
+applications, it supports [Sinatra](http://www.sinatrarb.com),
+[Padrino](http://www.padrinorb.com) and of course [Ruby on Rails](http://rubyonrails.org) frameworks. 
 
 [![Gem Version](https://badge.fury.io/rb/codesake-dawn.png)](http://badge.fury.io/rb/codesake-dawn)
 [![Build Status](https://travis-ci.org/codesake/codesake-dawn.png?branch=master)](https://travis-ci.org/codesake/codesake-dawn)
@@ -22,7 +22,7 @@ github:   [https://github.com/codesake/codesake\-dawn](https://github.com/codesa
 
 You can install dawn, directly using [Rubygems](https://rubygems.org) by typing:
 
-    gem 'codesake-dawn'
+    gem install codesake-dawn
 
 If you want to add dawn to your project Gemfile, you must add the following:
     
@@ -68,17 +68,36 @@ application:
 
 ```
 $ dawn target
-08:34:53 [*] dawn v0.79.99 is starting up
-08:34:54 [$] dawn: scanning target
-08:34:54 [$] dawn: sinatra v1.4.2 detected
-08:34:54 [$] dawn: applying all security checks
-08:34:54 [$] dawn: 32 security checks applied - 0 security checks skipped
-08:34:54 [$] dawn: 1 vulnerabilities found
-08:34:54 [$] dawn: CVE-2013-1800 failed
-08:34:54 [$] dawn: Solution: Please use crack gem version 0.3.2 or above. Correct your gemfile
-08:34:54 [!] dawn: Evidence:
-08:34:54 [!] dawn: Vulnerable crack gem version found: 0.3.1
-08:34:54 [*] dawn is leaving
+8:28:18 [*] dawn v0.80.0 is starting up
+08:28:18 [$] dawn: scanning spec/support/sinatra-vulnerable
+08:28:18 [$] dawn: sinatra v1.2.6 detected
+08:28:18 [$] dawn: applying all security checks
+08:28:18 [$] dawn: 37 security checks applied - 0 security checks skipped
+08:28:18 [$] dawn: 5 vulnerabilities found
+08:28:18 [$] dawn: Not revised code failed
+08:28:18 [$] dawn: Description: Analyzing comments, it seems your code is waiting from some review from you. Please consider take action before putting it in production.
+This check will analyze the source code looking for the following patterns: XXX, TO_CHECK, CHECKME, CHECK and FIXME
+08:28:18 [$] dawn: Solution: Please review the file fixing the issue.
+08:28:18 [!] dawn: Evidence:
+08:28:18 [!] dawn: {:filename=>"spec/support/sinatra-vulnerable/application.rb", :matches=>[{:match=>"# FIXME: I must raise an error here\n", :line=>30}]}
+08:28:18 [$] dawn: CVE-2013-0269 failed
+08:28:18 [$] dawn: Description: The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
+08:28:18 [$] dawn: Solution: Please upgrade JSON gem to version 1.5.5, 1.6.8 or 1.7.7 or latest version available
+08:28:18 [!] dawn: Evidence:
+08:28:18 [!] dawn: Vulnerable json gem version found: 1.4.6
+08:28:18 [$] dawn: CVE-2013-1800 failed
+08:28:18 [$] dawn: Description: The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
+08:28:18 [$] dawn: Solution: Please use crack gem version 0.3.2 or above. Correct your gemfile
+08:28:18 [!] dawn: Evidence:
+08:28:18 [!] dawn: Vulnerable crack gem version found: 0.3.1
+08:28:18 [$] dawn: CVE-2013-4164 failed
+08:28:18 [$] dawn: Description: Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) are vulnerable.
+08:28:18 [$] dawn: Solution: All users are recommended to upgrade to Ruby 1.9.3 patchlevel 484, ruby 2.0.0 patchlevel 353 or ruby 2.1.0 preview2.
+08:28:18 [!] dawn: Evidence:
+08:28:18 [!] dawn: ruby v2.0.0-p247 detected
+08:28:18 [$] dawn: 1 reflected XSS found
+08:28:18 [$] dawn: request parameter "name"
+08:28:18 [*] dawn is leaving
 ```
 
 
@@ -89,6 +108,24 @@ flag:
 $ dawn -k|--list-knowledge-base 
 ```
 
+In the 0.80 gem version, there are 75 security checks designed for application written in ruby. 
+
+## Supporters
+
+To me as project leader it's very important to have feedbacks. I really want to
+ear your voice. 
+
+If you're a proud codesake-dawn user, if you find it useful, if you integrated
+it in your release process and if you want to openly support the project you
+can put your reference here.
+
+
+You can support the project by forking the repo, adding a success story, a
+statement saying how do you feel the tool or your company logo as well and then
+submitting a pull request.
+
+Thank you for your support.
+
 ## Thanks to
 
 [saten](https://github.com/saten): first issue posted about a typo in the README

data/Rakefile

@@ -70,3 +70,53 @@ task :new_cve, :name do |t,args|
 
 
 end
+
+
+
+desc "Create a new Generic security check"
+task :new_check, :name do |t,args| 
+  name      = args.name
+  SRC_DIR   = "./lib/codesake/dawn/kb/"
+  SPEC_DIR  = "./spec/lib/kb/"
+
+  raise "### It seems that #{name} is already in Dawn knowledge base" unless Codesake::Dawn::KnowledgeBase.find(nil, name).nil?
+  raise "### No target directory: #{SRC_DIR}" unless Dir.exists?(SRC_DIR)
+  raise "### No rspec directory: #{SPEC_DIR}" unless Dir.exists?(SPEC_DIR)
+
+  puts "Adding #{name} to knowledge base..."
+
+  rb_filename = SRC_DIR+name.downcase.gsub("-", "_")+".rb"
+  spec_filename = SPEC_DIR+name.downcase.gsub("-", "_")+"_spec.rb"
+  class_name = name.gsub("-", "_")
+
+  open(rb_filename, "w") do |file|
+    file.puts "module Codesake"
+    file.puts "\tmodule Dawn"
+    file.puts "\t\tmodule Kb"
+    file.puts "\t\t\t# Automatically created with rake on #{Time.now.strftime('%Y-%m-%d')}"
+    file.puts "\t\t\tclass #{class_name}"
+    file.puts "\t\t\t\t# Include the testing skeleton for this Security Check"
+    file.puts "\t\t\t\t# include PatternMatchCheck"
+    file.puts "\t\t\t\t# include DependencyCheck"
+    file.puts "\t\t\t\t# include RubyVersionCheck"
+    file.puts ""
+    file.puts "\t\t\t\tdef initialize"
+    file.puts "\t\t\t\tend"
+    file.puts "\t\t\tend"
+    file.puts "\t\tend"
+    file.puts "\tend"
+    file.puts "end"
+  end
+  puts "#{rb_filename} created"
+
+  puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
+  puts "*** PLEASE ADD THIS CODE IN lib/codesake/dawn/knowledge_base.rb in order to reflect changes"
+  puts "require \"codesake/dawn/kb/#{class_name.downcase}\""
+  puts "it \"must have test for #{name}\" do"
+  puts "  sc = kb.find(\"#{name}\")"
+  puts "  sc.should_not   be_nil"
+  puts "  sc.class.should == Codesake::Dawn::Kb::#{class_name}"
+  puts "end"
+
+
+end

data/Roadmap.md

@@ -99,15 +99,18 @@ able to scan something. It deserves a special release.
 
 ## Version 0.80
 
-* detect sinks for XSS in Padrino applications
-* detect reflected XSS in Padrino applications
-* detect stored XSS in Sinatra applications
-* detect stored XSS in Padrino applications
-* detect insecure direct object reference in Sinatra applications
-* detect insecure direct object reference in Padrino applications
-* support ERB for in detect\_views (for both Sinatra and Padrino)
-* integration with [codesake.com](http://codesake.com) with a public available
-  APIs to be consumed by codesake beta users.
+* adding test for CVE-2013-4164
+* adding test for CVE-2013-4457
+* adding test for CVE-2013-4562
+* added a '-z' flag to exit the process with the number of issues found as exit code
+* added a Cross Site Scripting in Simple Form gem
+* adding test for CVE-2013-4492
+* adding test for CVE-2013-4491
+* adding test for CVE-2013-6414
+* adding test for CVE-2013-6415
+* adding test for CVE-2013-6416
+* adding test for CVE-2013-6417
+
 
 ## Version 0.90
 
@@ -172,6 +175,16 @@ able to scan something. It deserves a special release.
 * detect SQLi in Sinatra applications
 * detect SQLi in Padrino applications
 
+* detect sinks for XSS in Padrino applications
+* detect reflected XSS in Padrino applications
+* detect stored XSS in Sinatra applications
+* detect stored XSS in Padrino applications
+* detect insecure direct object reference in Sinatra applications
+* detect insecure direct object reference in Padrino applications
+* support ERB for in detect\_views (for both Sinatra and Padrino)
+* integration with [codesake.com](http://codesake.com) with a public available
+  APIs to be consumed by codesake beta users.
+
 ## Version 1.00
 
 * adding test for CVE-2008-4310

data/bin/dawn

@@ -74,6 +74,7 @@ def help
   printf "\n   -o, --output [console, json. csv, html]\tthe output will be in the specified format"
   printf "\n   -V, --verbose\t\t\t\tthe output will be more verbose"
   printf "\n   -C, --count-only\t\t\t\tdawn will only count vulnerabilities (useful for scripts)"
+  printf "\n   -z, --exit-on-warn\t\t\t\tdawn will return number of found vulnerabilities as exit code"
   printf "\n   -v, --version\t\t\t\tshow version information"
   printf "\n   -h, --help\t\t\t\t\tshow this help\n"
 
@@ -98,11 +99,12 @@ opts    = GetoptLong.new(
   [ '--verbose',                '-V',   GetoptLong::NO_ARGUMENT],
   [ '--debug',                  '-D',   GetoptLong::NO_ARGUMENT],
   [ '--count-only',             '-C',   GetoptLong::NO_ARGUMENT],
+  [ '--exit-on-warn',           '-z',   GetoptLong::NO_ARGUMENT],
   [ '--version',                '-v',   GetoptLong::NO_ARGUMENT],
   [ '--help',                   '-h',   GetoptLong::NO_ARGUMENT]
 )
 engine  = nil
-options = {:verbose=>false, :output=>"console", :count_only=>false, :dump_kb=>false, :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :debug=>false}
+options = {:verbose=>false, :output=>"console", :count_only=>false, :dump_kb=>false, :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :debug=>false, :exit_on_warn => false}
 
 trap("INT")   { $logger.die('[INTERRUPTED]') }
 check = ""
@@ -135,6 +137,8 @@ opts.each do |opt, val|
     options[:count_only] = true
   when '--debug'
     options[:debug] = true
+  when '--exit-on-warn'
+    options[:exit_on_warn] = true
 
   when '--list-knowledgebase'
     options[:dump_kb]=true
@@ -187,6 +191,14 @@ engine = Codesake::Dawn::GemfileLock.new(target, options[:gemfile_name], options
 
 $logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags") if engine.nil?
 
+if options[:exit_on_warn]
+  Kernel.at_exit do
+    if engine.count_vulnerabilities != 0
+      Kernel.exit(engine.count_vulnerabilities)
+    end
+  end
+end
+
 if options[:count_only] 
   ret = dry_run(target, engine)
 
@@ -220,7 +232,7 @@ if engine.count_vulnerabilities != 0
   $logger.log "#{engine.count_vulnerabilities} vulnerabilities found"
   engine.vulnerabilities.each do |vuln|
     $logger.log "#{vuln[:name]} failed"
-    $logger.log "Description: #{vuln[:message]}" if options[:verbose]
+    $logger.log "Description: #{vuln[:message]}" 
     $logger.log "Solution: #{vuln[:remediation]}"
     $logger.err "Evidence:"
     vuln[:evidences].each do |evidence|

data/lib/codesake/dawn/kb/cve_2013_4164.rb

@@ -0,0 +1,32 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-11-26
+			class CVE_2013_4164
+				include RubyVersionCheck
+
+        def initialize
+          message = "Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) are vulnerable."
+
+          super({
+            :name=>"CVE-2013-4164",
+            :cvss=>"not assigned",
+            :release_date => Date.new(2013, 11, 23),
+            :cwe=>"",
+            :owasp=>"A9", 
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"All users are recommended to upgrade to Ruby 1.9.3 patchlevel 484, ruby 2.0.0 patchlevel 353 or ruby 2.1.0 preview2.",
+            :aux_links=>["https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/"]
+          })
+
+          self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p484"}, {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p353"}, 
+            {:engine=>"ruby", :version=>"2.1.0", :patchlevel=>"preview2"}]
+
+				end
+
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_4457.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-11-26
+			class CVE_2013_4457
+				include DependencyCheck
+
+				def initialize
+          message="The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent attackers to execute arbitrary commands via a crafted has object, related to recursive variable interpolation."
+          super({
+            :name=>"CVE-2013-4457",
+            :cvss=>"not assigned",
+            :release_date => Date.new(2013, 10, 22),
+            :cwe=>"",
+            :owasp=>"A9", 
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"You must upgrade to cocain gem version 0.5.3 or later",
+            :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/3XTGFbAJoTg"]
+          })
+
+          self.safe_dependencies = [{:name=>"cocaine", :version=>['0.5.3', '0.4.9999']}]
+
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_4491.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-12-11
+			class CVE_2013_4491
+				include DependencyCheck
+
+				def initialize
+          message = "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem."
+          
+          super({
+            :name=>"CVE-2013-4491",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2013, 12, 7),
+            :cwe=>"79",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails to version 3.2.16 or 4.0.2. As a general rule, using the latest stable version is recommended.",
+            :aux_links=>["https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"]
+          })
+
+          self.safe_dependencies = [{:name=>"rails", :version=>['3.2.16', '4.0.2', '3.1.9999', '3.0.9999']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_4492.rb

@@ -0,0 +1,31 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-12-11
+			class CVE_2013_4492
+				include DependencyCheck
+
+				def initialize
+          message = "Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationData.new call."
+
+          super({
+            :name=>"CVE-2013-4492",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2013, 12, 7),
+            :cwe=>"79",
+            :owasp=>"A9", 
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade ruby-i18n to version 0.6.6. As a general rule, using the latest stable version is recommended.",
+            :aux_links=>["https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"]
+          })
+
+          self.safe_dependencies = [{:name=>"ruby-i18n", :version=>['0.6.6']}]
+
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_4562.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-11-26
+			class CVE_2013_4562
+				include DependencyCheck
+
+				def initialize
+          message = "Because of the way that omniauth-facebook supports setting a per-request state parameter by storing it in the session, it is possible to circumvent the automatic CSRF protection. Therefore the CSRF added in 1.4.1 should be considered broken. If you are currently providing a custom state, you will need to store and retrieve this yourself (for example, by using the session store) to use 1.5.0."
+          super({
+            :name=>"CVE-2013-4562",
+            :cvss=>"not assigned",
+            :release_date => Date.new(2013, 11, 14),
+            :cwe=>"",
+            :owasp=>"A9", 
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"You must upgrade at least to 1.5.0 or later",
+            :aux_links=>["https://groups.google.com/forum/#!msg/ruby-security-ann/-tJHNlTiPh4/9SJxdEWLIawJ"]
+          })
+
+          self.safe_dependencies = [{:name=>"omniauth-facebook", :version=>['1.5.0']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_6414.rb

@@ -0,0 +1,31 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-12-12
+			class CVE_2013_6414
+				include DependencyCheck
+
+				def initialize
+          message = "actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching."
+
+
+          super({
+            :name=>"CVE-2013-6414",
+            :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
+            :release_date => Date.new(2013, 12, 7),
+            :cwe=>"20",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails to version 3.2.16 or 4.0.2. As a general rule, using the latest stable version is recommended.",
+            :aux_links=>["https://groups.google.com/forum/message/raw?msg=ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ"]
+          })
+
+          self.safe_dependencies = [{:name=>"rails", :version=>['3.2.16', '4.0.2', '3.1.9999', '3.0.9999']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_6415.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-12-12
+			class CVE_2013_6415
+				include DependencyCheck
+
+				def initialize
+          message="Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter."
+          super({
+            :name=>"CVE-2013-6415",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2013, 12, 7),
+            :cwe=>"79",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails to version 3.2.16 or 4.0.2. As a general rule, using the latest stable version is recommended.",
+            :aux_links=>["https://groups.google.com/forum/message/raw?msg=ruby-security-ann/9WiRn2nhfq0/2K2KRB4LwCMJ"]
+          })
+
+          self.safe_dependencies = [{:name=>"rails", :version=>['3.2.16', '4.0.2', '3.1.9999', '3.0.9999']}]
+
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_6416.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-12-12
+			class CVE_2013_6416
+				include DependencyCheck
+
+				def initialize
+          message = "Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute."
+
+          super({
+            :name=>"CVE-2013-6416",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N) ",
+            :release_date => Date.new(2013, 12, 7),
+            :cwe=>"79",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails to version 4.0.2. As a general rule, using the latest stable version is recommended. Versions 3.x are not affected",
+            :aux_links=>["https://groups.google.com/forum/message/raw?msg=ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ"]
+          })
+
+          self.safe_dependencies = [{:name=>"rails", :version=>['4.0.2']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_6417.rb

@@ -0,0 +1,31 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-12-12
+			class CVE_2013_6417
+				include DependencyCheck
+
+				def initialize
+          message ="actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155."
+
+           super({
+            :name=>"CVE-2013-6417",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:N",
+            :release_date => Date.new(2013, 12, 7),
+            :cwe=>"264",
+            :owasp=>"A9", 
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails to version 3.2.16 or 4.0.2. As a general rule, using the latest stable version is recommended.",
+            :aux_links=>["https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"]
+          })
+
+          self.safe_dependencies = [{:name=>"rails", :version=>['3.2.16', '4.0.2', '3.1.9999', '3.0.9999']}]
+
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/ruby_version_check.rb

@@ -29,12 +29,12 @@ module Codesake
           ve = self.is_same_version?(detected_ruby[:version], vv_a) 
           vp = is_vulnerable_patchlevel?(detected_ruby[:patchlevel], detected_ruby[:version]) 
 
-          # XXX Debug statements to be replaced with logger call
           debug_me("D:#{self.name}, VENGINE=#{vengine}, VV=#{vv}, VE=#{ve}, VP=#{vp}->#{vv && vengine}, #{(ve && vp && vengine )}")
           debug_me("S:#{@safe_rubies}")
           debug_me("DD:#{@detected_ruby}")
 
 
+
           if ( vv && vengine)
             @status = vp if ve
             @status = true unless ve
@@ -43,6 +43,7 @@ module Codesake
           end
 
           debug_me("STATUS:#{@status}")
+          self.evidences << "#{@detected_ruby[:engine]} v#{@detected_ruby[:version]}-#{@detected_ruby[:patchlevel]} detected" if @status
           
           return @status
 

data/lib/codesake/dawn/kb/simpleform_xss_20131129.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-12-11
+			class SimpleForm_Xss_20131129
+				include DependencyCheck
+
+				def initialize
+          message = "There is a XSS vulnerability on Simple Form's label, hint and error options. When Simple Form creates a label, hint or error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the text of these helpers can be provided by the users, malicious values can be provided and Simple Form will mark it as safe."
+
+          super({
+            :name=>"Simple Form XSS - 20131129",
+            :cvss=>"none",
+            :release_date => Date.new(2013, 11, 29),
+            :cwe=>"",
+            :owasp=>"A9", 
+            :applies=>["rails", "padrino", "sinatra"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade Simple Form the 3.0.1 and 2.1.1 releases are available at the normal locations.",
+            :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/flHbLMb07tE"]
+          })
+
+          self.safe_dependencies = [{:name=>"simple_form", :version=>['3.0.1', '2.1.1']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/knowledge_base.rb

@@ -10,6 +10,14 @@ require "codesake/dawn/kb/combo_check"
 require "codesake/dawn/kb/not_revised_code"
 require "codesake/dawn/kb/owasp_ror_cheatsheet"
 
+# Security checks with no or pending CVE
+
+# A XSS issue on Simple Form gem reported by Rafael Mendonça França on
+# November, 29 2013
+# 
+# https://groups.google.com/forum/#!topic/ruby-security-ann/flHbLMb07tE
+require "codesake/dawn/kb/simpleform_xss_20131129"
+
 # CVE - 2010
 require "codesake/dawn/kb/cve_2010_1330"
 
@@ -79,7 +87,16 @@ require "codesake/dawn/kb/cve_2013_2615"
 require "codesake/dawn/kb/cve_2013_2616"
 require "codesake/dawn/kb/cve_2013_2617"
 require "codesake/dawn/kb/cve_2013_3221"
+require "codesake/dawn/kb/cve_2013_4164"
 require "codesake/dawn/kb/cve_2013_4389"
+require "codesake/dawn/kb/cve_2013_4457"
+require "codesake/dawn/kb/cve_2013_4491"
+require "codesake/dawn/kb/cve_2013_4492"
+require "codesake/dawn/kb/cve_2013_4562"
+require "codesake/dawn/kb/cve_2013_6414"
+require "codesake/dawn/kb/cve_2013_6415"
+require "codesake/dawn/kb/cve_2013_6416"
+require "codesake/dawn/kb/cve_2013_6417"
 
 
 module Codesake
@@ -145,6 +162,7 @@ module Codesake
         [  
           Codesake::Dawn::Kb::NotRevisedCode.new,
           Codesake::Dawn::Kb::OwaspRorCheatsheet.new,
+          Codesake::Dawn::Kb::SimpleForm_Xss_20131129.new,
           Codesake::Dawn::Kb::CVE_2010_1330.new, 
           Codesake::Dawn::Kb::CVE_2011_0446.new, 
           Codesake::Dawn::Kb::CVE_2011_0447.new, 
@@ -207,7 +225,17 @@ module Codesake
           Codesake::Dawn::Kb::CVE_2013_2616.new, 
           Codesake::Dawn::Kb::CVE_2013_2617.new, 
           Codesake::Dawn::Kb::CVE_2013_3221.new, 
+          Codesake::Dawn::Kb::CVE_2013_4164.new, 
           Codesake::Dawn::Kb::CVE_2013_4389.new, 
+          Codesake::Dawn::Kb::CVE_2013_4457.new,
+          Codesake::Dawn::Kb::CVE_2013_4491.new,
+          Codesake::Dawn::Kb::CVE_2013_4492.new,
+          Codesake::Dawn::Kb::CVE_2013_4562.new, 
+          Codesake::Dawn::Kb::CVE_2013_6414.new, 
+          Codesake::Dawn::Kb::CVE_2013_6415.new, 
+          Codesake::Dawn::Kb::CVE_2013_6416.new, 
+          Codesake::Dawn::Kb::CVE_2013_6417.new, 
+
         ]
       end
     end

data/lib/codesake/dawn/version.rb

@@ -1,6 +1,6 @@
 module Codesake
   module Dawn
-    VERSION   = "0.79.99"
-    CODENAME  = "OdditY"
+    VERSION   = "0.80.0"
+    CODENAME  = "ElevatoR"
   end
 end

data/spec/lib/dawn/codesake_knowledgebase_spec.rb

@@ -371,4 +371,59 @@ describe "The Codesake Dawn knowledge base" do
     sc.class.should == Codesake::Dawn::Kb::CVE_2013_4389
   end
 
+  it "must have test for CVE-2013-4164" do
+    sc = kb.find("CVE-2013-4164")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_4164
+  end
+
+  it "must have test for CVE-2013-4562" do
+    sc = kb.find("CVE-2013-4562")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_4562
+  end
+  it "must have test for CVE-2013-4457" do
+    sc = kb.find("CVE-2013-4457")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_4457
+  end
+
+  it "must have test for 20131129-SimpleForm-Xss" do
+    sc = kb.find("Simple Form XSS - 20131129")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::SimpleForm_Xss_20131129
+  end
+
+  it "must have test for CVE-2013-4491" do
+    sc = kb.find("CVE-2013-4491")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_4491
+  end
+
+  it "must have test for CVE-2013-4492" do
+    sc = kb.find("CVE-2013-4492")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_4492
+  end
+  it "must have test for CVE-2013-6414" do
+    sc = kb.find("CVE-2013-6414")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_6414
+  end
+  it "must have test for CVE-2013-6415" do
+    sc = kb.find("CVE-2013-6415")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_6415
+  end
+  it "must have test for CVE-2013-6416" do
+    sc = kb.find("CVE-2013-6416")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_6416
+  end
+
+  it "must have test for CVE-2013-6417" do
+    sc = kb.find("CVE-2013-6417")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_6417
+  end
 end

data/spec/lib/kb/codesake_cve_2013_6416.rb

@@ -0,0 +1,31 @@
+require 'spec_helper'
+
+describe "The CVE-2013-6416 vulnerability" do
+  before(:all) do 
+    @check = Codesake::Dawn::Kb::CVE_2013_6416.new
+    # @check.debug = true
+  end
+  it "is detected if vulnerable version of rails rubygem is detected" do
+    @check.options[:dependencies]=[{:name=>"rails", :version=>'4.0.1'}]
+    @check.vuln?.should   be_true
+  end
+  it "is ignored if rails version is 3.2.x" do 
+    @check.options[:dependencies]=[{:name=>"rails", :version=>'3.2.16'}]
+    @check.vuln?.should   be_false
+  end
+
+  it "is ignored if rails version is 3.1.x" do 
+    @check.options[:dependencies]=[{:name=>"rails", :version=>'3.1.16'}]
+    @check.vuln?.should   be_false
+  end
+  it "is ignored if rails version is 3.0.x" do 
+    @check.options[:dependencies]=[{:name=>"rails", :version=>'3.0.16'}]
+    @check.vuln?.should   be_false
+  end
+  it "is ignored if rails version is 2.3.x" do 
+    @check.options[:dependencies]=[{:name=>"rails", :version=>'2.3.16'}]
+    @check.vuln?.should   be_false
+  end
+
+
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: codesake-dawn
 version: !ruby/object:Gem::Version
-  version: 0.79.99
+  version: 0.80.0
 platform: ruby
 authors:
 - Paolo Perego
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-11-14 00:00:00.000000000 Z
+date: 2013-12-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codesake-commons
@@ -303,7 +303,16 @@ files:
 - lib/codesake/dawn/kb/cve_2013_2616.rb
 - lib/codesake/dawn/kb/cve_2013_2617.rb
 - lib/codesake/dawn/kb/cve_2013_3221.rb
+- lib/codesake/dawn/kb/cve_2013_4164.rb
 - lib/codesake/dawn/kb/cve_2013_4389.rb
+- lib/codesake/dawn/kb/cve_2013_4457.rb
+- lib/codesake/dawn/kb/cve_2013_4491.rb
+- lib/codesake/dawn/kb/cve_2013_4492.rb
+- lib/codesake/dawn/kb/cve_2013_4562.rb
+- lib/codesake/dawn/kb/cve_2013_6414.rb
+- lib/codesake/dawn/kb/cve_2013_6415.rb
+- lib/codesake/dawn/kb/cve_2013_6416.rb
+- lib/codesake/dawn/kb/cve_2013_6417.rb
 - lib/codesake/dawn/kb/dependency_check.rb
 - lib/codesake/dawn/kb/not_revised_code.rb
 - lib/codesake/dawn/kb/operating_system_check.rb
@@ -315,6 +324,7 @@ files:
 - lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb
 - lib/codesake/dawn/kb/pattern_match_check.rb
 - lib/codesake/dawn/kb/ruby_version_check.rb
+- lib/codesake/dawn/kb/simpleform_xss_20131129.rb
 - lib/codesake/dawn/knowledge_base.rb
 - lib/codesake/dawn/padrino.rb
 - lib/codesake/dawn/rails.rb
@@ -327,6 +337,7 @@ files:
 - spec/lib/dawn/codesake_sinatra_engine_spec.rb
 - spec/lib/kb/codesake_cve_2013_0175_spec.rb
 - spec/lib/kb/codesake_cve_2013_1655_spec.rb
+- spec/lib/kb/codesake_cve_2013_6416.rb
 - spec/lib/kb/codesake_ruby_version_check_spec.rb
 - spec/lib/kb/owasp_ror_cheatsheet_spec.rb
 - spec/spec_helper.rb
@@ -552,6 +563,7 @@ test_files:
 - spec/lib/dawn/codesake_sinatra_engine_spec.rb
 - spec/lib/kb/codesake_cve_2013_0175_spec.rb
 - spec/lib/kb/codesake_cve_2013_1655_spec.rb
+- spec/lib/kb/codesake_cve_2013_6416.rb
 - spec/lib/kb/codesake_ruby_version_check_spec.rb
 - spec/lib/kb/owasp_ror_cheatsheet_spec.rb
 - spec/spec_helper.rb