codesake-dawn 0.80.0 → 0.85

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fd0be76a00038c8c874cafa1b5b89df3b9005989
-  data.tar.gz: 1caa7812bac2921b96a84e37f864e1871c786d26
+  metadata.gz: 860da13a7734a3fc89044ccb66eb006513df7f4d
+  data.tar.gz: 8266c446632c9e4945c758033a48103668b1fa2a
 SHA512:
-  metadata.gz: aebfc77a671f9ab1ec9db67dad4d3d0f6e82b3289a089a9446b325552503826fa528fed5ad222ab5c514e4c447906dcd6e7a4055b569c119d9f2d73cddbd6660
-  data.tar.gz: f4d7745163ce6ba4bc0d06bc7c02803bcd247d439287045871bfbfb85558850ec35ddbb775343b3f6a995f6602e6b55e4f28ed7dae56353410d7bbb5e37c646b
+  metadata.gz: e0a33db83ee98ebef83a616ee30e93d3c618f678724584559c8dfe20367169b1978509ebb75ed2475e9d19c3dfb9de453655e9afba2a04bc2d2598469d385cc1
+  data.tar.gz: ddd848c1482a567a2b963972dc5caea16409de7888b6ee6f70bf09fdf74398eee6d7dc59bb8e15462997e5dad1b93ec4e4f39b9cc1e57e60979e7662be1e9d8c

data/Changelog.md

@@ -0,0 +1,124 @@
+# Codesake Dawn - changelog
+
+Dawn is a static analysis security scanner for ruby written web applications.
+It supports [Sinatra](http://www.sinatrarb.com),
+[Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
+frameworks. 
+
+_latest update: Tue Dec 17 08:12:19 CET 2013_
+
+## Version 0.85 - codename: elevator (2013-12-17)
+
+* refactoring bin/dawn script: some stuff were moved into Codesake::Core class
+* Added a check against Denial of Service vulnerability for Nokogiri 1.5.x 
+  and 1.6.0 when used with JRuby.
+* Added a check against Denial of Service vulnerability due to entity expansion
+  for Nokogiri 1.5.x and 1.6.0 when used with JRuby.
+* Added a check for CVE-2013-4478 (sup remote code execution)
+* Added a check for CVE-2013-4479 (sup remote code execution)
+* Added a check for CVE-2013-1812 (ruby-openid denial of service)
+* Added a check for CVE-2013-6421 (sprout remote code execution)
+
+
+
+## Version 0.80 - codename: elevator (2013-12-12)
+
+* adding test for CVE-2013-4164
+* adding test for CVE-2013-4457
+* adding test for CVE-2013-4562
+* added a '-z' flag to exit the process with the number of issues found as exit code
+* added a Cross Site Scripting in Simple Form gem
+* adding test for CVE-2013-4492
+* adding test for CVE-2013-4491
+* adding test for CVE-2013-6414
+* adding test for CVE-2013-6415
+* adding test for CVE-2013-6416
+* adding test for CVE-2013-6417
+
+## Version 0.79.99 - codename:oddity (2013-11-14)
+
+This is the first codesake-dawn version making codesake.com web application
+able to scan something. It deserves a special release.
+
+* adding test for CVE-2013-2065
+* adding test for CVE-2013-4389
+* adding test for CVE-2010-1330
+* adding test for CVE-2011-0446 
+* adding test for CVE-2011-0995
+* adding test for CVE-2011-2929
+* adding test for CVE-2011-4815
+* adding test for CVE-2012-3424
+* adding test for CVE-2012-5380
+* adding test for CVE-2012-4522
+* adding test for RoRCheatSheet\_1
+* adding test for RoRCheatSheet\_4
+* adding test for RoRCheatSheet\_7
+* adding test for RoRCheatSheet\_8
+* Fix issue #1. You can read more about it in TODO.md
+* Added API to scan a single Gemfile.lock using -G flag
+
+## Version 0.70 (2013-06-19)
+
+* adding test for CVE-2011-0447
+* adding test for CVE-2011-3186
+* adding test for CVE-2012-1099
+* adding test for CVE-2012-1241
+* adding test for CVE-2012-2140
+* adding test for CVE-2012-5370
+* adding test for CVE-2012-5371
+* adding test for CVE-2011-2197
+* adding test for CVE-2011-2932
+* adding test for CVE-2012-3463
+* adding test for CVE-2012-3464
+* adding test for CVE-2012-4464
+* adding test for CVE-2012-4466
+* adding test for CVE-2012-4481
+* adding test for CVE-2012-6134
+* Fix issue #4. PatternMatching complains when applied to binary files. We must
+  skip them
+* add ruby\_parser dependency
+* add haml dependency
+* add target MVC autodetect
+* write '--help'
+* detect sinks for XSS in Sinatra applications
+* detect reflected XSS in Sinatra applications
+
+## Version 0.60 (2013-05-28)
+
+* adding cucumber dependency
+* adding test for CVE-2013-1854
+* adding test for CVE-2013-1856
+* adding test for CVE-2013-0276
+* adding test for CVE-2013-0277
+* adding test for CVE-2013-0156
+* adding test for CVE-2013-2615
+* adding test for CVE-2013-1875
+* adding test for CVE-2013-1655
+* adding test for CVE-2013-1656
+* adding test for CVE-2013-0175
+* adding test for CVE-2013-0233
+* adding test for CVE-2013-0284
+* adding test for CVE-2013-0285
+* adding test for CVE-2013-1801
+* adding test for CVE-2013-1802
+* adding test for CVE-2013-1821
+* adding test for CVE-2013-1898
+* adding test for CVE-2013-1911
+* adding test for CVE-2013-1933
+* adding test for CVE-2013-1947
+* adding test for CVE-2013-1948
+* adding test for CVE-2013-2616
+* adding test for CVE-2013-2617
+* adding test for CVE-2013-3221
+* make output less verbose. Only vulnerabilities and severity will be shown 
+* adding a '--verbose' option to see also the whole knowledge base info about each findings
+* adding a '--output' option
+* adding a '--count-only' option
+* support JSON output
+
+## Version 0.50 (2013-05-13) - First public release
+
+* adding test for CVE\_2013\_0269
+* adding test for CVE\_2013\_0155
+* adding test for CVE\_2011\_2931
+* adding test for CVE\_2012\_3465

data/Roadmap.md

@@ -7,110 +7,7 @@ frameworks.
 
 This is an ongoing roadmap for the dawn source code review tool.
 
-_latest update: Fri 17 May 2013 15:29:55 CEST_
-
-## Version 0.50 (2013-05-13) - First public release
-
-* adding test for CVE\_2013\_0269
-* adding test for CVE\_2013\_0155
-* adding test for CVE\_2011\_2931
-* adding test for CVE\_2012\_3465
-
-## Version 0.60 (2013-05-28)
-
-* adding cucumber dependency
-* adding test for CVE-2013-1854
-* adding test for CVE-2013-1856
-* adding test for CVE-2013-0276
-* adding test for CVE-2013-0277
-* adding test for CVE-2013-0156
-* adding test for CVE-2013-2615
-* adding test for CVE-2013-1875
-* adding test for CVE-2013-1655
-* adding test for CVE-2013-1656
-* adding test for CVE-2013-0175
-* adding test for CVE-2013-0233
-* adding test for CVE-2013-0284
-* adding test for CVE-2013-0285
-* adding test for CVE-2013-1801
-* adding test for CVE-2013-1802
-* adding test for CVE-2013-1821
-* adding test for CVE-2013-1898
-* adding test for CVE-2013-1911
-* adding test for CVE-2013-1933
-* adding test for CVE-2013-1947
-* adding test for CVE-2013-1948
-* adding test for CVE-2013-2616
-* adding test for CVE-2013-2617
-* adding test for CVE-2013-3221
-* make output less verbose. Only vulnerabilities and severity will be shown 
-* adding a '--verbose' option to see also the whole knowledge base info about each findings
-* adding a '--output' option
-* adding a '--count-only' option
-* support JSON output
-
-## Version 0.70 (2013-06-19)
-
-* adding test for CVE-2011-0447
-* adding test for CVE-2011-3186
-* adding test for CVE-2012-1099
-* adding test for CVE-2012-1241
-* adding test for CVE-2012-2140
-* adding test for CVE-2012-5370
-* adding test for CVE-2012-5371
-* adding test for CVE-2011-2197
-* adding test for CVE-2011-2932
-* adding test for CVE-2012-3463
-* adding test for CVE-2012-3464
-* adding test for CVE-2012-4464
-* adding test for CVE-2012-4466
-* adding test for CVE-2012-4481
-* adding test for CVE-2012-6134
-* Fix issue #4. PatternMatching complains when applied to binary files. We must
-  skip them
-* add ruby\_parser dependency
-* add haml dependency
-* add target MVC autodetect
-* write '--help'
-* detect sinks for XSS in Sinatra applications
-* detect reflected XSS in Sinatra applications
-
-## Version 0.79.99 - codename:oddity (2013-11-14)
-
-This is the first codesake-dawn version making codesake.com web application
-able to scan something. It deserves a special release.
-
-* adding test for CVE-2013-2065
-* adding test for CVE-2013-4389
-* adding test for CVE-2010-1330
-* adding test for CVE-2011-0446 
-* adding test for CVE-2011-0995
-* adding test for CVE-2011-2929
-* adding test for CVE-2011-4815
-* adding test for CVE-2012-3424
-* adding test for CVE-2012-5380
-* adding test for CVE-2012-4522
-* adding test for RoRCheatSheet\_1
-* adding test for RoRCheatSheet\_4
-* adding test for RoRCheatSheet\_7
-* adding test for RoRCheatSheet\_8
-* Fix issue #1. You can read more about it in TODO.md
-* Added API to scan a single Gemfile.lock using -G flag
-
-## Version 0.80
-
-* adding test for CVE-2013-4164
-* adding test for CVE-2013-4457
-* adding test for CVE-2013-4562
-* added a '-z' flag to exit the process with the number of issues found as exit code
-* added a Cross Site Scripting in Simple Form gem
-* adding test for CVE-2013-4492
-* adding test for CVE-2013-4491
-* adding test for CVE-2013-6414
-* adding test for CVE-2013-6415
-* adding test for CVE-2013-6416
-* adding test for CVE-2013-6417
-
+_latest update: Fri Dec 13 07:55:54 CET 2013_
 
 ## Version 0.90
 

data/bin/dawn

@@ -6,84 +6,8 @@ require 'json'
 require 'codesake-commons'
 require 'codesake-dawn'
 
-def dry_run(target, engine)
-  engine.set_target(target) 
-  engine.load_knowledge_base
-  engine.apply_all
-end
-
-def output_json_run(target = "", engine = nil)
-  result = {}
-  return {:status=>"KO", :message=>"BUG at #{__FILE__}@#{__LINE__}: target is empty or engine is nil."}.to_json if target.empty? or engine.nil?
-  return {:status=>"KO", :message=>"#{target} doesn't exist"}.to_json if ! Dir.exist?(target)
-  check_applied = dry_run(target, engine)
-  return {:status=>"KO", :message=>"no security checks applied"}.to_json unless check_applied
-
-  result[:status]="OK"
-  result[:target]=target
-  result[:mvc]=engine.name
-  result[:mvc_version]=engine.get_mvc_version
-  result[:vulnerabilities_count]=engine.count_vulnerabilities
-  result[:vulnerabilities]=[]
-  engine.vulnerabilities.each do |v|
-    result[:vulnerabilities] << v[:name]
-  end
-  result[:mitigated_vuln_count]=engine.mitigated_issues.count
-  result[:mitigated_vuln] = engine.mitigated_issues
-   result[:reflected_xss] = []
-  engine.reflected_xss.each do |r|
-    result[:reflected_xss] << "request parameter \"#{r[:sink_source]}\""
-  end
-
-  result.to_json
-end 
-
-def dump_knowledge_base(verbose = false)
-  kb = Codesake::Dawn::KnowledgeBase.new
-  lines = []
-  lines << "Security checks currently supported:\n"
-
-  kb.all.each do |check|
-    if verbose
-      lines << "Name: #{check.name}\tCVSS: #{check.cvss_score}\tReleased: #{check.release_date}"
-      lines << "Description\n#{check.message}"
-      lines << "Remediation\n#{check.remediation}\n\n"
-    else
-      lines << "#{check.name}"
-    end
-  end
-  lines << "-----\nTotal: #{kb.all.count}"
-  
-  lines.empty? ? 0 : lines.compact.join("\n")
-
-end
-
-def help
-  puts "Usage: dawn [options] target_directory"
-  printf "\n\nExamples:"
-  puts "$ dawn a_sinatra_webapp_directory"
-  puts "$ dawn -C the_rails_blog_engine"
-  puts "$ dawn -C --output json a_sinatra_webapp_directory"
-  printf "\n   -r, --rails\t\t\t\t\tforce dawn to consider the target a rails application" 
-  printf "\n   -s, --sinatra\t\t\t\tforce dawn to consider the target a sinatra application" 
-  printf "\n   -p, --padrino\t\t\t\tforce dawn to consider the target a padrino application" 
-  printf "\n   -G, --gem-lock\t\t\t\tforce dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock"
-  printf "\n   -D, --debug\t\t\t\t\tenters dawn debug mode"
-  printf "\n   -f, --list-known-framework\t\t\tlist ruby MVC frameworks supported by dawn"
-  printf "\n   -k, --list-knowledgebase [check_name]\tlist dawn known security checks. If check_name is specified dawn says if check is present or not"
-  printf "\n   -o, --output [console, json. csv, html]\tthe output will be in the specified format"
-  printf "\n   -V, --verbose\t\t\t\tthe output will be more verbose"
-  printf "\n   -C, --count-only\t\t\t\tdawn will only count vulnerabilities (useful for scripts)"
-  printf "\n   -z, --exit-on-warn\t\t\t\tdawn will return number of found vulnerabilities as exit code"
-  printf "\n   -v, --version\t\t\t\tshow version information"
-  printf "\n   -h, --help\t\t\t\t\tshow this help\n"
-
-  0
-end
-
-
 APPNAME = File.basename($0)
-LIST_KNOWN_FRAMEWORK  = %w(rails sinatra) #padrino)
+LIST_KNOWN_FRAMEWORK  = %w(rails sinatra padrino)
 VALID_OUTPUT_FORMAT   = %w(console json csv html)
 
 $logger  = Codesake::Commons::Logging.instance
@@ -122,7 +46,6 @@ opts.each do |opt, val|
     options[:mvc]=:sinatra
   when '--padrino'
     options[:mvc]=:padrino
-    $logger.die "sorry padrino is not yet supported"
   when '--gem-lock'
     options[:gemfile_scan] = true
     options[:gemfile_name] = val unless val.nil?
@@ -151,12 +74,12 @@ opts.each do |opt, val|
     end
     Kernel.exit(0)
   when '--help'
-    Kernel.exit(help)
+    Kernel.exit(Codesake::Dawn::Core.help)
   end
 end
 
 if options[:dump_kb]
-  puts dump_knowledge_base(options[:verbose]) if check.empty?
+  puts Codesake::Dawn::Core.dump_knowledge_base(options[:verbose]) if check.empty?
   if ! check.empty?
     found = Codesake::Dawn::KnowledgeBase.find(nil, check)
     puts "#{check} found in knowledgebase." if found
@@ -184,9 +107,10 @@ unless options[:gemfile_scan]
   end
 end
 
+
 engine = Codesake::Dawn::Rails.new(target)                      if options[:mvc] == :rails && options[:gemfile_scan].nil?
 engine = Codesake::Dawn::Sinatra.new(target)                    if options[:mvc] == :sinatra && options[:gemfile_scan].nil?
-# engine = Codesake::Dawn::Padrino.new(target)                    if options[:mvc] == :padrino && options[:gemfile_scan].nil? 
+engine = Codesake::Dawn::Padrino.new(target)                    if options[:mvc] == :padrino && options[:gemfile_scan].nil? 
 engine = Codesake::Dawn::GemfileLock.new(target, options[:gemfile_name], options[:debug], guess) if options[:gemfile_scan]
 
 $logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags") if engine.nil?
@@ -200,7 +124,7 @@ if options[:exit_on_warn]
 end
 
 if options[:count_only] 
-  ret = dry_run(target, engine)
+  ret = Codesake::Dawn::Core.dry_run(target, engine)
 
   puts (ret)? engine.vulnerabilities.count : "-1" unless options[:output] == "json"
   puts (ret)? {:status=>"OK", :vulnerabilities_count=>engine.count_vulnerabilities}.to_json : {:status=>"KO", :vulnerabilities_count=>-1}.to_json
@@ -208,7 +132,7 @@ if options[:count_only]
 end
 
 if options[:output] == "json"
-  puts output_json_run(target, engine) 
+  puts Codesake::Dawn::Core.output_json_run(target, engine) 
   Kernel.exit(0)
 end
 
@@ -242,7 +166,8 @@ if engine.count_vulnerabilities != 0
   if engine.has_reflected_xss?
     $logger.log "#{engine.reflected_xss.count} reflected XSS found"
     engine.reflected_xss.each do |vuln|
-      $logger.log "request parameter \"#{vuln[:sink_source]}\""
+      $logger.log "request parameter \"#{vuln[:sink_source]}\" is used without escaping in #{vuln[:sink_view]}. It was read here: #{vuln[:sink_file]}@#{vuln[:sink_line]}"
+      $logger.err "evidence: #{vuln[:sink_evidence]}"
     end
   end
 

data/codesake-dawn.gemspec

@@ -10,7 +10,7 @@ Gem::Specification.new do |gem|
   gem.email         = ["thesp0nge@gmail.com"]
   gem.description   = %q{dawn is a security static source code analyzer for web applications written in ruby. It supports major MVC frameworks like sinatra, padrino and ruby on rails. dawn output is a list of security vulnerabilities affecting your code with a suggestion on how to mitigate all of them.}
   gem.summary       = %q{dawn is a security static source code analyzer for sinatra, padrino and ruby on rails web applicartions.}
-  gem.homepage      = "http://codesake.com"
+  gem.homepage      = "http://dawn.codesake.com"
 
   gem.files         = `git ls-files`.split($/)
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }

data/lib/codesake/dawn/core.rb

@@ -2,6 +2,83 @@ module Codesake
   module Dawn
     class Core
 
+      def self.help
+        puts "Usage: dawn [options] target_directory"
+        printf "\n\nExamples:"
+        puts "$ dawn a_sinatra_webapp_directory"
+        puts "$ dawn -C the_rails_blog_engine"
+        puts "$ dawn -C --output json a_sinatra_webapp_directory"
+        printf "\n   -r, --rails\t\t\t\t\tforce dawn to consider the target a rails application" 
+        printf "\n   -s, --sinatra\t\t\t\tforce dawn to consider the target a sinatra application" 
+        printf "\n   -p, --padrino\t\t\t\tforce dawn to consider the target a padrino application" 
+        printf "\n   -G, --gem-lock\t\t\t\tforce dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock"
+        printf "\n   -D, --debug\t\t\t\t\tenters dawn debug mode"
+        printf "\n   -f, --list-known-framework\t\t\tlist ruby MVC frameworks supported by dawn"
+        printf "\n   -k, --list-knowledgebase [check_name]\tlist dawn known security checks. If check_name is specified dawn says if check is present or not"
+        printf "\n   -o, --output [console, json. csv, html]\tthe output will be in the specified format"
+        printf "\n   -V, --verbose\t\t\t\tthe output will be more verbose"
+        printf "\n   -C, --count-only\t\t\t\tdawn will only count vulnerabilities (useful for scripts)"
+        printf "\n   -z, --exit-on-warn\t\t\t\tdawn will return number of found vulnerabilities as exit code"
+        printf "\n   -v, --version\t\t\t\tshow version information"
+        printf "\n   -h, --help\t\t\t\t\tshow this help\n"
+
+        0
+      end
+
+
+      def self.output_json_run(target = "", engine = nil)
+        result = {}
+        return {:status=>"KO", :message=>"BUG at #{__FILE__}@#{__LINE__}: target is empty or engine is nil."}.to_json if target.empty? or engine.nil?
+        return {:status=>"KO", :message=>"#{target} doesn't exist"}.to_json if ! Dir.exist?(target)
+        check_applied = Codesake::Dawn::Core.dry_run(target, engine)
+        return {:status=>"KO", :message=>"no security checks applied"}.to_json unless check_applied
+
+        result[:status]="OK"
+        result[:target]=target
+        result[:mvc]=engine.name
+        result[:mvc_version]=engine.get_mvc_version
+        result[:vulnerabilities_count]=engine.count_vulnerabilities
+        result[:vulnerabilities]=[]
+        engine.vulnerabilities.each do |v|
+          result[:vulnerabilities] << v[:name]
+        end
+        result[:mitigated_vuln_count]=engine.mitigated_issues.count
+        result[:mitigated_vuln] = engine.mitigated_issues
+        result[:reflected_xss] = []
+        engine.reflected_xss.each do |r|
+          result[:reflected_xss] << "request parameter \"#{r[:sink_source]}\""
+        end
+
+        result.to_json
+      end 
+
+
+      def self.dump_knowledge_base(verbose = false)
+        kb = Codesake::Dawn::KnowledgeBase.new
+        lines = []
+        lines << "Security checks currently supported:\n"
+
+        kb.all.each do |check|
+          if verbose
+            lines << "Name: #{check.name}\tCVSS: #{check.cvss_score}\tReleased: #{check.release_date}"
+            lines << "Description\n#{check.message}"
+            lines << "Remediation\n#{check.remediation}\n\n"
+          else
+            lines << "#{check.name}"
+          end
+        end
+        lines << "-----\nTotal: #{kb.all.count}"
+
+        lines.empty? ? 0 : lines.compact.join("\n")
+
+      end
+
+
+      def self.dry_run(target, engine)
+        engine.set_target(target) 
+        engine.load_knowledge_base
+        engine.apply_all
+      end
       
       # guess_mvc is very close to detect_mvc despite it accepts a
       # filename as input and it tries to guess the mvc framework used from the
@@ -39,7 +116,7 @@ module Codesake
         Dir.chdir(my_dir)
         lockfile.specs.each do |s|
           return Codesake::Dawn::Rails.new(target)    if s.name == "rails"
-          # return Codesake::Dawn::Padrino.new  if s.name == "padrino"
+          return Codesake::Dawn::Padrino.new(target)  if s.name == "padrino"
         end
 
         return Codesake::Dawn::Sinatra.new(target) 

data/lib/codesake/dawn/kb/cve_2013_1656.rb

@@ -15,7 +15,7 @@ module Codesake
             :release_date => Date.new(2013, 3, 8),
             :cwe=>"20", 
             :owasp=>"A9",
-            :applies=>["rails"],
+            :applies=>["rails", "sinatra", "padrino"],
             :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
             :message => message,
             :mitigation=>"Please upgrade Spree commerce rubygem",

data/lib/codesake/dawn/kb/cve_2013_1812.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-12-17
+			class CVE_2013_1812
+				include DependencyCheck
+
+				def initialize
+          message = "The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack."
+
+           super({
+            :name=>'CVE-2013-1812', 
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:N/A:P",  
+            :release_date => Date.new(2013, 12, 12),
+            :cwe=>"399", 
+            :owasp=>"A9",
+            :applies=>["rails", "padrino", "sinatra"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade ruby-openid rubygem",
+            :aux_links => ["http://www.openwall.com/lists/oss-security/2013/03/03/8"]
+          })
+          self.safe_dependencies = [{:name=>"ruby-openid", :version=>['2.2.2']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_4478.rb

@@ -0,0 +1,28 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-12-17
+			class CVE_2013_4478
+				include DependencyCheck
+
+				def initialize
+          message = "Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment."
+          super({
+            :name=>'CVE-2013-4478', 
+            :cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",  
+            :release_date => Date.new(2013, 12, 7),
+            :cwe=>"94", 
+            :owasp=>"A9",
+            :applies=>["rails", "padrino", "sinatra"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade sup rubygem",
+            :aux_links => ["http://www.openwall.com/lists/oss-security/2013/10/30/2"]
+          })
+          self.safe_dependencies = [{:name=>"sup", :version=>['0.13.2.1', '0.14.1.1']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_4479.rb

@@ -0,0 +1,28 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-12-17
+			class CVE_2013_4479
+				include DependencyCheck
+
+				def initialize
+          message = "lib/sup/message_chunks.rb in Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the content_type of an email attachment."
+          super({
+            :name=>'CVE-2013-4479', 
+            :cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",  
+            :release_date => Date.new(2013, 12, 7),
+            :cwe=>"94", 
+            :owasp=>"A9",
+            :applies=>["rails", "padrino", "sinatra"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade sup rubygem",
+            :aux_links => ["http://www.openwall.com/lists/oss-security/2013/10/30/2"]
+          })
+          self.safe_dependencies = [{:name=>"sup", :version=>['0.13.2.1', '0.14.1.1']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_6421.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-12-17
+			class CVE_2013_6421
+				include DependencyCheck
+
+				def initialize
+          message = "The unpack_zip function in archive_unpacker.rb in the sprout gem 0.7.246 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a (1) filename or (2) path."
+
+           super({
+            :name=>'CVE-2013-6421', 
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",  
+            :release_date => Date.new(2013, 12, 12),
+            :cwe=>"94", 
+            :owasp=>"A9",
+            :applies=>["rails", "padrino", "sinatra"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade sprout rubygem",
+            :aux_links => ["http://www.openwall.com/lists/oss-security/2013/12/03/1"]
+          })
+          self.safe_dependencies = [{:name=>"sprout", :version=>['0.7.247']}]
+
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/nokogiri_dos_20131217.rb

@@ -0,0 +1,57 @@
+module Codesake
+	module Dawn
+		module Kb
+
+      class NokogiriDos20131217_a
+        include DependencyCheck
+
+        def initialize
+          message = "Vulnerability arises when Nokogiri version 1.6.0 and 1.5.x (x<11) is used"
+          super({
+            :name=>"NokogiriDos20131217_a",
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+          })
+          self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.1', '1.5.11']}]
+        end
+
+      end
+
+      class NokogiriDos20131217_b
+        include RubyVersionCheck
+        def initialize
+          message = "Vulnerability arises when Nokogiri version 1.6.0 and 1.5.x (x<11) is used with JRuby"
+          super({
+            :name=>"NokogiriDos20131217_b",
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+          })
+          self.safe_rubies = [ {:engine=>"jruby", :version=>"99.99.99", :patchlevel=>"p999"}]
+        end
+      end
+
+			class NokogiriDos20131217
+        include ComboCheck
+
+				def initialize
+          message = "There is a vulnerability in Nokogiri when using JRuby where the parser can enter an infinite loop and exhaust the process memory. Nokogiri users on JRuby using the native Java extension.  Attackers can send XML documents with carefully crafted documents which can cause the XML processor to enter an infinite loop, causing the server to run out of memory and crash."
+
+          super({
+            :name=>"Nokogiri - Denial of service - 20131217",
+            :cvss=>"",
+            :release_date => Date.new(2013, 12, 15),
+            :cwe=>"",
+            :owasp=>"A9", 
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::COMBO_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade nokogiri gem to a newer version",
+            :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA"],
+            :checks=>[NokogiriDos20131217_a.new, NokogiriDos20131217_b.new]
+          })
+
+
+          
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/nokogiri_entityexpansion_dos_20131217.rb

@@ -0,0 +1,59 @@
+module Codesake
+	module Dawn
+		module Kb
+
+      class Nokogiri_EntityExpansion_Dos_20131217_a
+        include DependencyCheck
+
+        def initialize
+          message = "Vulnerability arises when Nokogiri version 1.6.0 and 1.5.x (x<11) is used"
+          super({
+            :name=>"Nokogiri_EntityExpansion_Dos_20131217_a",
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+          })
+          self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.1', '1.5.11']}]
+        end
+
+      end
+
+      class Nokogiri_EntityExpansion_Dos_20131217_b
+        include RubyVersionCheck
+        def initialize
+          message = "Vulnerability arises when Nokogiri version 1.6.0 and 1.5.x (x<11) is used with JRuby"
+          super({
+            :name=>"Nokogiri_EntityExpansion_Dos_20131217_b",
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+          })
+          self.safe_rubies = [ {:engine=>"jruby", :version=>"99.99.99", :patchlevel=>"p999"}]
+        end
+      end
+
+			class Nokogiri_EntityExpansion_Dos_20131217
+        include ComboCheck
+
+				def initialize
+          message = "There is an entity expansion vulnerability in Nokogiri when using JRuby. Nokogiri users on JRuby using the native Java extension.  Attackers can send
+XML documents with carefully crafted entity expansion strings which can cause the server to run out of memory and crash."
+          super({
+            :name=>"Nokogiri - Entity expasion denial of service - 20131217",
+            :cvss=>"",
+            :release_date => Date.new(2013, 12, 15),
+            :cwe=>"",
+            :owasp=>"A9", 
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::COMBO_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade nokogiri gem to a newer version",
+            :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA"],
+            :checks=>[Nokogiri_EntityExpansion_Dos_20131217_a.new, Nokogiri_EntityExpansion_Dos_20131217_b.new]
+          })
+
+
+
+
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/knowledge_base.rb

@@ -18,6 +18,13 @@ require "codesake/dawn/kb/owasp_ror_cheatsheet"
 # https://groups.google.com/forum/#!topic/ruby-security-ann/flHbLMb07tE
 require "codesake/dawn/kb/simpleform_xss_20131129"
 
+# Two different denial of service issues affecting Nokogiri gem when using Jruby interpreter
+# December, 17 2013
+#
+# https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA
+require "codesake/dawn/kb/nokogiri_dos_20131217"
+require "codesake/dawn/kb/nokogiri_entityexpansion_dos_20131217"
+
 # CVE - 2010
 require "codesake/dawn/kb/cve_2010_1330"
 
@@ -71,6 +78,7 @@ require "codesake/dawn/kb/cve_2013_1656"
 require "codesake/dawn/kb/cve_2013_1800"
 require "codesake/dawn/kb/cve_2013_1801"
 require "codesake/dawn/kb/cve_2013_1802"
+require "codesake/dawn/kb/cve_2013_1812"
 require "codesake/dawn/kb/cve_2013_1821"
 require "codesake/dawn/kb/cve_2013_1854"
 require "codesake/dawn/kb/cve_2013_1855"
@@ -90,6 +98,8 @@ require "codesake/dawn/kb/cve_2013_3221"
 require "codesake/dawn/kb/cve_2013_4164"
 require "codesake/dawn/kb/cve_2013_4389"
 require "codesake/dawn/kb/cve_2013_4457"
+require "codesake/dawn/kb/cve_2013_4478"
+require "codesake/dawn/kb/cve_2013_4479"
 require "codesake/dawn/kb/cve_2013_4491"
 require "codesake/dawn/kb/cve_2013_4492"
 require "codesake/dawn/kb/cve_2013_4562"
@@ -97,6 +107,7 @@ require "codesake/dawn/kb/cve_2013_6414"
 require "codesake/dawn/kb/cve_2013_6415"
 require "codesake/dawn/kb/cve_2013_6416"
 require "codesake/dawn/kb/cve_2013_6417"
+require "codesake/dawn/kb/cve_2013_6421"
 
 
 module Codesake
@@ -163,6 +174,8 @@ module Codesake
           Codesake::Dawn::Kb::NotRevisedCode.new,
           Codesake::Dawn::Kb::OwaspRorCheatsheet.new,
           Codesake::Dawn::Kb::SimpleForm_Xss_20131129.new,
+          Codesake::Dawn::Kb::NokogiriDos20131217.new,
+          Codesake::Dawn::Kb::Nokogiri_EntityExpansion_Dos_20131217.new,
           Codesake::Dawn::Kb::CVE_2010_1330.new, 
           Codesake::Dawn::Kb::CVE_2011_0446.new, 
           Codesake::Dawn::Kb::CVE_2011_0447.new, 
@@ -209,6 +222,7 @@ module Codesake
           Codesake::Dawn::Kb::CVE_2013_1800.new,
           Codesake::Dawn::Kb::CVE_2013_1801.new,
           Codesake::Dawn::Kb::CVE_2013_1802.new,
+          Codesake::Dawn::Kb::CVE_2013_1812.new,
           Codesake::Dawn::Kb::CVE_2013_1821.new,
           Codesake::Dawn::Kb::CVE_2013_1854.new, 
           Codesake::Dawn::Kb::CVE_2013_1855.new, 
@@ -228,6 +242,8 @@ module Codesake
           Codesake::Dawn::Kb::CVE_2013_4164.new, 
           Codesake::Dawn::Kb::CVE_2013_4389.new, 
           Codesake::Dawn::Kb::CVE_2013_4457.new,
+          Codesake::Dawn::Kb::CVE_2013_4478.new,
+          Codesake::Dawn::Kb::CVE_2013_4479.new,
           Codesake::Dawn::Kb::CVE_2013_4491.new,
           Codesake::Dawn::Kb::CVE_2013_4492.new,
           Codesake::Dawn::Kb::CVE_2013_4562.new, 
@@ -235,6 +251,7 @@ module Codesake
           Codesake::Dawn::Kb::CVE_2013_6415.new, 
           Codesake::Dawn::Kb::CVE_2013_6416.new, 
           Codesake::Dawn::Kb::CVE_2013_6417.new, 
+          Codesake::Dawn::Kb::CVE_2013_6421.new, 
 
         ]
       end

data/lib/codesake/dawn/padrino.rb

@@ -11,6 +11,13 @@ module Codesake
         @apps = detect_apps
       end
 
+      def get_sinatra_version
+        self.connected_gems.each do |gem|
+          return gem[:version] if gem[:name] == "sinatra"
+        end
+
+        return ""
+      end
       def detect_apps
 
         apps_rb = File.join(@target, "config", "apps.rb")
@@ -26,11 +33,25 @@ module Codesake
               tree = p.parse(line)
               if ! tree.nil? && tree.sexp_type == :call
                 body_a = tree.sexp_body.to_a
-                mp = body_a[2][1]
-                sinatra_app_rb = body_a[0][4][2][3][1] if is_mount_call?(body_a[0])
-                debug_me("BODY_A=#{body_a[0]}")
+                debug_me("BODY_A=#{body_a[0]} - BODY_A_SIZE=#{body_a[0].size}")
                 debug_me("IS_MOUNT_CALL? #{is_mount_call?(body_a[0])}")
+                mp = body_a[2][1]
                 debug_me("MP = #{mp}")
+
+                # Padrino.mount('HelloWorldPadrino::App', :app_file => Padrino.root('app/app.rb')).to('/')
+                sinatra_app_rb = body_a[0][4][2][3][1] if body_a[0].size == 5 && is_mount_call?(body_a[0]) 
+
+                # Padrino.mount("HelloWorldPadrino:App").to('/')
+                if body_a[0].size == 4
+
+                  # Defaulting the application name if mount point is /
+                  sinatra_app_rb = "app/app.rb" if mp == "/"
+
+                  # Take the app name as mountpoint/app.rb
+                  sinatra_app_rb = body_a[0][3][1].downcase+"/app.rb" unless mp == "/"
+
+                end
+
                 target = File.dirname(sinatra_app_rb )
                 apps << Codesake::Dawn::Sinatra.new(target, mp)
               end
@@ -43,6 +64,12 @@ module Codesake
           # if line.start_with?("Padrino.mount")
 
         end
+
+
+        debug_me("sinatra version is: #{self.get_sinatra_version}")
+        apps.each do |a|
+          debug_me("detected sinatra application at #{a.mount_point} ")
+        end
         apps
       end
 

data/lib/codesake/dawn/sinatra.rb

@@ -37,7 +37,10 @@ module Codesake
         @views.each do |v|
           view_content = File.read(v[:filename])
           @sinks.each do |sink|
-            ret << sink if view_content.match(sink[:sink_name])
+            if view_content.match(sink[:sink_name])
+              sink[:sink_view] = v[:filename]
+              ret << sink
+            end
           end
         end
         ret
@@ -72,14 +75,14 @@ module Codesake
 
                     sink_source = "#{body[3].to_a[1][2].to_s}[#{body[3].to_a[3][1].to_s}]"
 
-                    ret << {:sink_name=>sink_name, :sink_kind=>:params, :sink_line=>i+1, :sink_source=>sink_source}
+                    ret << {:sink_name=>sink_name, :sink_kind=>:params, :sink_line=>i+1, :sink_source=>sink_source, :sink_file=>appname, :sink_evidence=>line}
                   end
                   if body[0][0] == :ivar
                     sink_name=body[0][1].to_s
                     sink_pos=body[2][1].to_i
                     sink_source=body[3][3][1]
 
-                    ret << {:sink_name=>sink_name, :sink_kind=>:params, :sink_line=>i+1, :sink_source=>sink_source}
+                    ret << {:sink_name=>sink_name, :sink_kind=>:params, :sink_line=>i+1, :sink_source=>sink_source, :sink_file=>appname, :sink_evidence=>line}
                   end
 
                 end
@@ -91,7 +94,7 @@ module Codesake
                 if is_assignement_from_params?(body, :iasgn)
                   sink_name = body[0].to_s
                   sink_source = "#{body[1][3][1].to_s}"
-                  ret << {:sink_name=>sink_name, :sink_kind=>:params, :sink_line=>i+1, :sink_source=>sink_source }
+                  ret << {:sink_name=>sink_name, :sink_kind=>:params, :sink_line=>i+1, :sink_source=>sink_source, :sink_file=>appname, :sink_evidence=>line}
                 end
               end
             rescue Racc::ParseError => e

data/lib/codesake/dawn/version.rb

@@ -1,6 +1,6 @@
 module Codesake
   module Dawn
-    VERSION   = "0.80.0"
+    VERSION   = "0.85"
     CODENAME  = "ElevatoR"
   end
 end

data/spec/lib/dawn/codesake_knowledgebase_spec.rb

@@ -426,4 +426,35 @@ describe "The Codesake Dawn knowledge base" do
     sc.should_not   be_nil
     sc.class.should == Codesake::Dawn::Kb::CVE_2013_6417
   end
+
+  it "must have test for NokogiriDos20131217_1" do
+    sc = kb.find("Nokogiri - Denial of service - 20131217")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::NokogiriDos20131217
+  end
+  it "must have test for Nokogiri_EntityExpansion_Dos_20131217" do
+    sc = kb.find("Nokogiri - Entity expasion denial of service - 20131217")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::Nokogiri_EntityExpansion_Dos_20131217
+  end
+  it "must have test for CVE-2013-4478" do
+    sc = kb.find("CVE-2013-4478")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_4478
+  end
+  it "must have test for CVE-2013-4479" do
+    sc = kb.find("CVE-2013-4479")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_4479
+  end
+  it "must have test for CVE-2013-1812" do
+    sc = kb.find("CVE-2013-1812")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_1812
+  end
+  it "must have test for CVE-2013-6421" do
+    sc = kb.find("CVE-2013-6421")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_6421
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: codesake-dawn
 version: !ruby/object:Gem::Version
-  version: 0.80.0
+  version: '0.85'
 platform: ruby
 authors:
 - Paolo Perego
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-12-12 00:00:00.000000000 Z
+date: 2013-12-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codesake-commons
@@ -221,6 +221,7 @@ files:
 - .ruby-gemset
 - .ruby-version
 - .travis.yml
+- Changelog.md
 - Competitive_matrix.md
 - Gemfile
 - LICENSE.txt
@@ -287,6 +288,7 @@ files:
 - lib/codesake/dawn/kb/cve_2013_1800.rb
 - lib/codesake/dawn/kb/cve_2013_1801.rb
 - lib/codesake/dawn/kb/cve_2013_1802.rb
+- lib/codesake/dawn/kb/cve_2013_1812.rb
 - lib/codesake/dawn/kb/cve_2013_1821.rb
 - lib/codesake/dawn/kb/cve_2013_1854.rb
 - lib/codesake/dawn/kb/cve_2013_1855.rb
@@ -306,6 +308,8 @@ files:
 - lib/codesake/dawn/kb/cve_2013_4164.rb
 - lib/codesake/dawn/kb/cve_2013_4389.rb
 - lib/codesake/dawn/kb/cve_2013_4457.rb
+- lib/codesake/dawn/kb/cve_2013_4478.rb
+- lib/codesake/dawn/kb/cve_2013_4479.rb
 - lib/codesake/dawn/kb/cve_2013_4491.rb
 - lib/codesake/dawn/kb/cve_2013_4492.rb
 - lib/codesake/dawn/kb/cve_2013_4562.rb
@@ -313,7 +317,10 @@ files:
 - lib/codesake/dawn/kb/cve_2013_6415.rb
 - lib/codesake/dawn/kb/cve_2013_6416.rb
 - lib/codesake/dawn/kb/cve_2013_6417.rb
+- lib/codesake/dawn/kb/cve_2013_6421.rb
 - lib/codesake/dawn/kb/dependency_check.rb
+- lib/codesake/dawn/kb/nokogiri_dos_20131217.rb
+- lib/codesake/dawn/kb/nokogiri_entityexpansion_dos_20131217.rb
 - lib/codesake/dawn/kb/not_revised_code.rb
 - lib/codesake/dawn/kb/operating_system_check.rb
 - lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb
@@ -527,7 +534,7 @@ files:
 - spec/support/sinatra-vulnerable/views/layout.haml
 - spec/support/sinatra-vulnerable/views/root.haml
 - spec/support/sinatra-vulnerable/views/xss.haml
-homepage: http://codesake.com
+homepage: http://dawn.codesake.com
 licenses: []
 metadata: {}
 post_install_message: