codesake-dawn 0.85 → 1.0.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 860da13a7734a3fc89044ccb66eb006513df7f4d
-  data.tar.gz: 8266c446632c9e4945c758033a48103668b1fa2a
+  metadata.gz: b63f07bd799c32b7133442be694cfd87935f2bfb
+  data.tar.gz: 0f593c3a92707e690397f13a16868c23db1a99fc
 SHA512:
-  metadata.gz: e0a33db83ee98ebef83a616ee30e93d3c618f678724584559c8dfe20367169b1978509ebb75ed2475e9d19c3dfb9de453655e9afba2a04bc2d2598469d385cc1
-  data.tar.gz: ddd848c1482a567a2b963972dc5caea16409de7888b6ee6f70bf09fdf74398eee6d7dc59bb8e15462997e5dad1b93ec4e4f39b9cc1e57e60979e7662be1e9d8c
+  metadata.gz: f58fe979a27fd4ab321d22dab981f1a849a5c08a38865956add328a363749273e0c6b8674157d1ae5fa0b3af5c2dc407fd46fb2ad755188fdd13337b61811704
+  data.tar.gz: 1b40549d2559097dde2840955efc6fbe7d9e906bd841879a20f47ba5ac01497ccf8e4d498f9e8ede8a9a87fab3d114506dbaa44e383b9de589d50e200da12ca8

data/.ruby-version

@@ -1 +1 @@
-ruby-2.0.0-p247
+2.0.0

data/.travis.yml

@@ -4,5 +4,5 @@ rvm:
   - 1.9.2
   - 1.9.3
   - 2.0.0
+  - 2.1.0
   - jruby
-  - rbx

data/Changelog.md

@@ -5,7 +5,73 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks. 
 
-_latest update: Tue Dec 17 08:12:19 CET 2013_
+_latest update: Wed Jan  8 23:50:05 CET 2014_
+
+## Version 1.0.0 - codename: Lightning McQueen (2014-01-10)
+
+* Fixing issue #19 (https://github.com/codesake/codesake-dawn/issues/19). There
+  was a problem on ```is_a_vulnerable_version?``` routine that flags a security
+  check as vulnerable even if it wasn't. During the dependency check, if the
+  vulnerable gem and the dependency has both major and minor version equal and
+  the patch number tells if the gem is vulnerable or not, this check failed.
+* ruby_version_check.rb: fixed an issue on is_vulnerable_patchlevel? that
+  caused a nil pointer exception when ruby interpreter patchlevel was evaluated
+* ruby_version_check.rb: fixed an issue on is_vulnerable_patchlevel? that loads
+  the safe patchlevels comparing the wrong parameter.
+* Added a rake task to better integrate codesake-dawn in a continous
+  development workflow. Now when you install codesake-dawn you have a 'rake
+  dawn' task executing the tool on the current directory.
+* Added a check for CVE-2004-0755
+* Added a check for CVE-2004-0983
+* Added a check for CVE-2005-1992
+* Added a check for CVE-2005-2337
+* Added a check for CVE-2006-1931
+* Added a check for CVE-2006-2582
+* Added a check for CVE-2006-3694
+* Added a check for CVE-2006-4112
+* Added a check for CVE-2006-5467
+* Added a check for CVE-2006-6303
+* Added a check for CVE-2006-6852
+* Added a check for CVE-2006-6979
+* Added a check for CVE-2007-0469
+* Added a check for CVE-2007-5162
+* Added a check for CVE-2007-5379
+* Added a check for CVE-2007-5380
+* Added a check for CVE-2007-5770
+* Added a check for CVE-2007-6077
+* Added a check for CVE-2007-6612
+* Added a check for CVE-2008-1145
+* Added a check for CVE-2008-1891
+* Added a check for CVE-2008-2376
+* Added a check for CVE-2008-2662
+* Added a check for CVE-2008-2663
+* Added a check for CVE-2008-2664
+* Added a check for CVE-2008-2725
+* Added a check for CVE-2008-3655
+* Added a check for CVE-2008-3657
+* Added a check for CVE-2008-3790
+* Added a check for CVE-2008-3905
+* Added a check for CVE-2008-4094
+* Added a check for CVE-2008-4310
+* Added a check for CVE-2008-5189
+* Added a check for CVE-2008-7248
+* Added a check for CVE-2009-4078
+* Added a check for CVE-2009-4124
+* Added a check for CVE-2009-4214
+* Added a check for CVE-2010-2489
+* Added a check for CVE-2010-3933
+* Added a check for CVE-2011-0188
+* Added a check for CVE-2011-0739
+* Added a check for CVE-2011-1004
+* Added a check for CVE-2011-1005
+* Added a check for CVE-2011-2686
+* Added a check for CVE-2011-2705
+* Added a check for CVE-2011-2930
+* Added a check for CVE-2011-3009
+* Added a check for CVE-2011-3187
+* Added a check for CVE-2011-4319
+* Added a check for CVE-2013-2090
+
 
 ## Version 0.85 - codename: elevator (2013-12-17)
 

data/README.md

@@ -1,22 +1,54 @@
-# Codesake::Dawn - The security code review tool for ruby powered code
+# Codesake::Dawn - The security code scanner for Ruby
 
-codesake-dawn is a source code review tool crafted to detect security issues in
-ruby written code. The main usage is to apply codesake-dawn to web
-applications, it supports [Sinatra](http://www.sinatrarb.com),
-[Padrino](http://www.padrinorb.com) and of course [Ruby on Rails](http://rubyonrails.org) frameworks. 
+Codesake::Dawn is a source code scanner designed to review your code for
+security issues. 
+
+Codesake::Dawn is able to scan your ruby standalone programs but its main usage
+is to deal with web applications. It supports applications written using majors
+MVC (Model View Controller) frameworks, like: 
+
+* [Ruby on Rails](http://rubyonrails.org)
+* [Sinatra](http://www.sinatrarb.com)
+* [Padrino](http://www.padrinorb.com) 
+
+---
 
 [![Gem Version](https://badge.fury.io/rb/codesake-dawn.png)](http://badge.fury.io/rb/codesake-dawn)
 [![Build Status](https://travis-ci.org/codesake/codesake-dawn.png?branch=master)](https://travis-ci.org/codesake/codesake-dawn)
 [![Dependency Status](https://gemnasium.com/codesake/codesake-dawn.png)](https://gemnasium.com/codesake/codesake-dawn)
 [![Coverage Status](https://coveralls.io/repos/codesake/codesake-dawn/badge.png)](https://coveralls.io/r/codesake/codesake-dawn)
 
-## Useful links
+---
+
+Codesake::Dawn version 1.0 has 131 security checks loaded in its knowledge
+base. Most of them are CVE bulletins, that applies to gems, framework or the
+ruby interpreter itself.
 
-www:      [http://codesake.com](http://codesake.com) 
+You candump all security checks in the knowledge base by using the -k
+flag:
+
+```
+$ dawn -k|--list-knowledge-base 
+```
 
-twitter:  [https://twitter.com/codesake](https://twitter.com/codesake) #dawnscanner hashtag
 
-github:   [https://github.com/codesake/codesake\-dawn](https://github.com/codesake/codesake-dawn)
+When you run Codesake::Dawn on your code it parses your project Gemfile.lock
+looking for the gems used and it tries to detect the ruby interpreter version
+you are using or you declared in your ruby version management tool you like
+most (RVM, rbenv, ...).
+
+Then the tool tries to detect the MVC framework your web application uses and
+it applies the security check accordingly. There checks designed to match rails
+application or checks that are appliable to any ruby code.
+
+Codesake::Dawn can also understand the code in your views and to backtrack
+sinks to spot cross site scripting and sql injections introduced by the code
+you actually wrote. In the project roadmap this is the code most of the future
+development effort will be focused on.
+
+Codesake::Dawn security scan result is a list of vulnerabilities with some
+mitigation actions you want to follow in order to build a stronger web
+application.
 
 ## Installation
 
@@ -50,36 +82,113 @@ that.
 You can start your code review with dawn very easily. Simply tell the tool
 where the project root directory. 
 
-Starting from an unofficial 0.68 release, underlying MVC framework is
-autodetected by dawn using target Gemfile.lock file. If autodetect fails for
-some reason, the tool will complain about it and you have to specify if it's a
-rails, sinatra or padrino web application by hand.
+Underlying MVC framework is autodetected by dawn using target Gemfile.lock
+file. If autodetect fails for some reason, the tool will complain about it and
+you have to specify if it's a rails, sinatra or padrino web application by
+hand.
+
+Basic usage is to specify some optional command line option to fit best your
+needs, and to specify the target directory where your code is stored.
 
-dawn command line is in this form with options and the target.
 ``` 
 $ dawn [options] target
 ```
 
-### As output you get
+In case of need, there is a quick command line option reference running ```dawn -h``` at your OS prompt.
+
+```
+$ bundle exec dawn -h
+08:05:21 [*] dawn v1.0.0.rc1 is starting up
+Usage: dawn [options] target_directory
+
+
+Examples:$ dawn a_sinatra_webapp_directory
+$ dawn -C the_rails_blog_engine
+$ dawn -C --output json a_sinatra_webapp_directory
+
+   -r, --rails					force dawn to consider the target a rails application
+   -s, --sinatra				force dawn to consider the target a sinatra application
+   -p, --padrino				force dawn to consider the target a padrino application
+   -G, --gem-lock				force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock
+   -D, --debug					enters dawn debug mode
+   -f, --list-known-framework			list ruby MVC frameworks supported by dawn
+   -k, --list-knowledgebase [check_name]	list dawn known security checks. If check_name is specified dawn says if check is present or not
+   -o, --output [console, json. csv, html]	the output will be in the specified format
+   -V, --verbose				the output will be more verbose
+   -C, --count-only				dawn will only count vulnerabilities (useful for scripts)
+   -z, --exit-on-warn				dawn will return number of found vulnerabilities as exit code
+   -v, --version				show version information
+   -h, --help					show this help
+```
+
+### Codesake::Dawn security scan in action
 
 As output, dawn will put all security checks that are failed during the scan.
-In example, this is the output of a scan performed over a very simple Sinatra
-application:
+
+This the result of Codedake::Dawn running against a 
+[Sinatra 1.4.2 web application](https://github.com/thesp0nge/railsberry2013) wrote for a talk I
+delivered in 2013 at [Railsberry conference](http://www.railsberry.com).
+
+As you may see, Codesake::Dawn first detects MVC running the application by
+looking at Gemfile.lock, than it discards all security checks not appliable to
+Sinatra (49 security checks, in version 1.0, especially designed for Ruby on
+Rails) and it applies them.
+
+``` 
+$ bundle exec dawn ~/src/hacking/railsberry2013
+08:09:47 [*] dawn v1.0.0.rc1 is starting up
+08:09:47 [$] dawn: scanning /Users/thesp0nge/src/hacking/railsberry2013
+08:09:47 [$] dawn: sinatra v1.4.2 detected
+08:09:47 [$] dawn: applying all security checks
+08:09:47 [$] dawn: 82 security checks applied - 0 security checks skipped
+08:09:47 [$] dawn: 1 vulnerabilities found
+08:09:47 [$] dawn: CVE-2013-1800 failed
+08:09:47 [$] dawn: Description: The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
+08:09:47 [$] dawn: Solution: Please use crack gem version 0.3.2 or above. Correct your gemfile
+08:09:47 [!] dawn: Evidence:
+08:09:47 [!] dawn: Vulnerable crack gem version found: 0.3.1
+08:09:47 [*] dawn is leaving
+``` 
+
+---
+
+When you run Codesake::Dawn on a web application with up to date dependencies,
+it's likely to return a friendly _no vulnerabilities found_ message. Keep it up
+working that way!
+
+This is Codesake::Dawn running against a Padrino web application I wrote for [a
+scorecard quiz game about application security](http://scorecard.armoredcode.com). 
+Italian language only. Sorry.
+
+```
+08:17:09 [*] dawn v1.0.0.rc1 is starting up
+08:17:09 [$] dawn: scanning /Users/thesp0nge/src/CORE_PROJECTS/scorecard
+08:17:09 [$] dawn: padrino v0.11.2 detected
+08:17:09 [$] dawn: applying all security checks
+08:17:09 [$] dawn: 82 security checks applied - 0 security checks skipped
+08:17:09 [*] dawn: no vulnerabilities found.
+08:17:09 [*] dawn is leaving
+```
+
+---
+
+Last example shows Codesake::Dawn against a very simple Sinatra application
+designed to be buggy:
 
 ```
 $ dawn target
-8:28:18 [*] dawn v0.80.0 is starting up
-08:28:18 [$] dawn: scanning spec/support/sinatra-vulnerable
+08:28:18 [*] dawn v1.0.0.rc1 is starting up
+08:28:18 [$] dawn: scanning /Users/thesp0nge/tmp/sinatra-vulnerable
 08:28:18 [$] dawn: sinatra v1.2.6 detected
 08:28:18 [$] dawn: applying all security checks
-08:28:18 [$] dawn: 37 security checks applied - 0 security checks skipped
+08:28:18 [$] dawn: 82 security checks applied - 0 security checks skipped
 08:28:18 [$] dawn: 5 vulnerabilities found
 08:28:18 [$] dawn: Not revised code failed
 08:28:18 [$] dawn: Description: Analyzing comments, it seems your code is waiting from some review from you. Please consider take action before putting it in production.
 This check will analyze the source code looking for the following patterns: XXX, TO_CHECK, CHECKME, CHECK and FIXME
 08:28:18 [$] dawn: Solution: Please review the file fixing the issue.
 08:28:18 [!] dawn: Evidence:
-08:28:18 [!] dawn: {:filename=>"spec/support/sinatra-vulnerable/application.rb", :matches=>[{:match=>"# FIXME: I must raise an error here\n", :line=>30}]}
+08:28:18 [!] dawn: {:filename=>"/Users/thesp0nge/tmp/sinatra-vulnerable/application.rb", :matches=>[{:match=>"# FIXME: I must raise an error here\n", :line=>30}]}
 08:28:18 [$] dawn: CVE-2013-0269 failed
 08:28:18 [$] dawn: Description: The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
 08:28:18 [$] dawn: Solution: Please upgrade JSON gem to version 1.5.5, 1.6.8 or 1.7.7 or latest version available
@@ -100,15 +209,15 @@ This check will analyze the source code looking for the following patterns: XXX,
 08:28:18 [*] dawn is leaving
 ```
 
+---
 
-You can also dump all security checks in the knowledge base by using the -k
-flag:
+## Useful links
 
-```
-$ dawn -k|--list-knowledge-base 
-```
+Project homepage: [http://dawn.codesake.com](http://dawn.codesake.com) 
 
-In the 0.80 gem version, there are 75 security checks designed for application written in ruby. 
+Twitter progile:  [@dawnscanner](https://twitter.com/dawnscanner)
+
+Github repository:   [https://github.com/codesake/codesake\-dawn](https://github.com/codesake/codesake-dawn)
 
 ## Supporters
 
@@ -119,7 +228,6 @@ If you're a proud codesake-dawn user, if you find it useful, if you integrated
 it in your release process and if you want to openly support the project you
 can put your reference here.
 
-
 You can support the project by forking the repo, adding a success story, a
 statement saying how do you feel the tool or your company logo as well and then
 submitting a pull request.
@@ -138,7 +246,7 @@ Thank you for your support.
 
 ## LICENSE
 
-Copyright (c) 2013 Paolo Perego
+Copyright (c) 2013, 2014 Paolo Perego
 
 MIT License
 

data/Rakefile

@@ -23,7 +23,7 @@ task :default => [ :spec, :features ]
 task :test => :spec
 
 desc "Create a new CVE test"
-task :new_cve, :name do |t,args| 
+task :cve, :name do |t,args| 
   name      = args.name
   SRC_DIR   = "./lib/codesake/dawn/kb/"
   SPEC_DIR  = "./spec/lib/kb/"
@@ -59,6 +59,19 @@ task :new_cve, :name do |t,args|
   end
   puts "#{rb_filename} created"
 
+  open(spec_filename, "w") do |file|
+    file.puts "require 'spec_helper'"
+
+    file.puts "describe \"The #{name} vulnerability\" do"
+    file.puts "\tbefore(:all) do"
+    file.puts "\t\t@check = Codesake::Dawn::Kb::#{class_name}.new"
+    file.puts "\t\t# @check.debug = true"
+    file.puts "\tend"
+    file.puts "\tit \"needs some test...\""
+    file.puts "end"
+  end
+  puts "#{spec_filename} created"
+
   puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
   puts "*** PLEASE ADD THIS CODE IN lib/codesake/dawn/knowledge_base.rb in order to reflect changes"
   puts "require \"codesake/dawn/kb/#{class_name.downcase}\""
@@ -74,7 +87,7 @@ end
 
 
 desc "Create a new Generic security check"
-task :new_check, :name do |t,args| 
+task :check, :name do |t,args| 
   name      = args.name
   SRC_DIR   = "./lib/codesake/dawn/kb/"
   SPEC_DIR  = "./spec/lib/kb/"
@@ -109,6 +122,20 @@ task :new_check, :name do |t,args|
   end
   puts "#{rb_filename} created"
 
+  open(spec_filename, "w") do |file|
+    file.puts "require 'spec_helper'"
+
+    file.puts "describe \"The #{name} vulnerability\" do"
+    file.puts "\tbefore(:all) do"
+    file.puts "\t\t@check = Codesake::Dawn::Kb::#{class_name}.new"
+    file.puts "\t\t# @check.debug = true"
+    file.puts "\tend"
+    file.puts "\tit \"needs some test...\""
+    file.puts "end"
+  end
+  puts "#{spec_filename} created"
+
+
   puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
   puts "*** PLEASE ADD THIS CODE IN lib/codesake/dawn/knowledge_base.rb in order to reflect changes"
   puts "require \"codesake/dawn/kb/#{class_name.downcase}\""

data/Roadmap.md

@@ -7,51 +7,15 @@ frameworks.
 
 This is an ongoing roadmap for the dawn source code review tool.
 
-_latest update: Fri Dec 13 07:55:54 CET 2013_
+_latest update: Thu Jan  9 08:58:00 CET 2014_
 
-## Version 0.90
+## Version 1.1.0
+
+* add a language check. It will handle a ruby script as input and a ruby\_parser line as unsafe pattern. It will compile the ruby and look for the unsafe pattern
+* add a check against deprecated ruby / gems version. I will handle MVC gems right now.
+
+## Version 1.2.0
 
-* adding test for CVE-2013-2090 _if CVE will be approved_
-* adding test for CVE-2013-2065 _if CVE will be approved_
-* adding test for CVE-2011-3186
-* adding test for CVE-2011-2197
-* adding test for CVE-2011-2932
-* adding test for CVE-2011-0447
-* adding test for CVE-2011-0995
-* adding test for CVE-2011-0446
-* adding test for CVE-2011-2929
-* adding test for CVE-2011-1005
-* adding test for CVE-2010-3933
-* adding test for CVE-2011-4319
-* adding test for CVE-2011-3009
-* adding test for CVE-2011-1004
-* adding test for CVE-2010-3119
-* adding test for CVE-2011-2930
-* adding test for CVE-2011-2854
-* adding test for CVE-2011-3187
-* adding test for CVE-2011-2686
-* adding test for CVE-2011-2705
-* adding test for CVE-2011-0188
-* adding test for CVE-2011-0446
-* adding test for CVE-2010-3933
-* adding test for CVE-2011-0739
-* adding test for CVE-2010-3928
-* adding test for CVE-2008-7248
-* adding test for CVE-2009-4124
-* adding test for CVE-2010-0541
-* adding test for CVE-2010-2489
-* adding test for CVE-2009-3857
-* adding test for CVE-2009-4078
-* adding test for CVE-2009-4214
-* adding test for CVE-2008-4310
-* adding test for CVE-2009-0161
-* adding test for CVE-2008-5189
-* adding test for CVE-2008-3657
-* adding test for CVE-2008-2376
-* adding test for CVE-2008-3655
-* adding test for CVE-2008-1145
-* adding test for CVE-2008-1891
-* adding test for CVE-2008-2725
 * adding test for RoRCheatSheet\_2
 * adding test for RoRCheatSheet\_3
 * adding test for RoRCheatSheet\_5
@@ -71,7 +35,6 @@ _latest update: Fri Dec 13 07:55:54 CET 2013_
 * detect insecure direct object reference in Rails applications
 * detect SQLi in Sinatra applications
 * detect SQLi in Padrino applications
-
 * detect sinks for XSS in Padrino applications
 * detect reflected XSS in Padrino applications
 * detect stored XSS in Sinatra applications
@@ -81,58 +44,12 @@ _latest update: Fri Dec 13 07:55:54 CET 2013_
 * support ERB for in detect\_views (for both Sinatra and Padrino)
 * integration with [codesake.com](http://codesake.com) with a public available
   APIs to be consumed by codesake beta users.
-
-## Version 1.00
-
-* adding test for CVE-2008-4310
-* adding test for CVE-2008-3657
-* adding test for CVE-2008-1891
-* adding test for CVE-2007-5162
-* adding test for CVE-2006-5467
-* adding test for CVE-2004-0983
-* adding test for CVE-2008-4094
-* adding test for CVE-2008-1447
-* adding test for CVE-2007-6612
-* adding test for CVE-2007-2666
-* adding test for CVE-2006-4112
-* adding test for CVE-2008-3905
-* adding test for CVE-2008-2662
-* adding test for CVE-2007-6183
-* adding test for CVE-2007-2383
-* adding test for CVE-2006-3694
-* adding test for CVE-2008-3790
-* adding test for CVE-2008-2663
-* adding test for CVE-2007-6077
-* adding test for CVE-2006-6979
-* adding test for CVE-2007-6183
-* adding test for CVE-2007-2383
-* adding test for CVE-2006-3694
-* adding test for CVE-2007-2666
-* adding test for CVE-2006-4112
-* adding test for CVE-2007-5770
-* adding test for CVE-2007-0469
-* adding test for CVE-2006-1931
-* adding test for CVE-2007-5380
-* adding test for CVE-2006-6303
-* adding test for CVE-2005-1992
-* adding test for CVE-2007-6077
-* adding test for CVE-2006-6979
-* adding test for CVE-2006-2582
-* adding test for CVE-2007-5162
-* adding test for CVE-2006-5467
-* adding test for CVE-2004-0983
-* adding test for CVE-2007-5379
-* adding test for CVE-2006-6852
-* adding test for CVE-2005-2337
-* adding test for CVE-2005-1992
-* adding test for CVE-2004-0755
-* adding test for CVE-2004-0983
 * dedicated web site under dawn.codesake.com
 * detect SQLi in Rails applications
 * integration with [codesake.com](http://codesake.com) with a public available
   APIs to be consumed by codesake users.
 * automatic mitigation patch generation 
 
-## Version 1.50
-
-* support for node.js
+## Version 2.0.0
+* Add a --github option to dawn to clone a remote repository, perform a bundle install and do a code review.
+* node.js support