codesake-dawn 1.0.0 → 1.0.1
- checksums.yaml +4 -4
- data/Changelog.md +16 -1
- data/KnowledgeBase.md +2 -2
- data/README.md +3 -1
- data/Roadmap.md +11 -0
- data/bin/dawn +4 -3
- data/doc/dawn_1_0_announcement.md +18 -0
- data/lib/codesake/dawn/kb/basic_check.rb +1 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +4 -2
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/csrf.rb +2 -1
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +4 -1
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +2 -3
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +4 -1
- data/lib/codesake/dawn/kb/pattern_match_check.rb +25 -4
- data/lib/codesake/dawn/knowledge_base.rb +16 -2
- data/lib/codesake/dawn/version.rb +6 -2
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 50302c4bb86ae606ef4f93d1e5d16d7e52a1e708
|
4
|
+
data.tar.gz: 533b978503b39f885bd988ad40bd32a790190b9b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ec34ea8b25dc518ee795743289023c653911830a971586f9db27ee71321d677b28471f376d095c8f7005d0db0b79d64085573c57045816d06afce6e311e4c92d
|
7
|
+
data.tar.gz: c8930c0b3add71f583cbd62b3cfc40c11630eda2187d8939061bf8611e16be155f9cb2d366145d3597bee8deb5f03154f53a4c9e646aac7feeaf64d02f26332d
|
data/Changelog.md
CHANGED
@@ -5,7 +5,22 @@ It supports [Sinatra](http://www.sinatrarb.com),
|
|
5
5
|
[Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
|
6
6
|
frameworks.
|
7
7
|
|
8
|
-
_latest update:
|
8
|
+
_latest update: Fri Jan 24 07:57:58 CET 2014_
|
9
|
+
|
10
|
+
## Version 1.0.1 - codename: Lightning McQueen (2014-xx-xx)
|
11
|
+
|
12
|
+
* Fixing issue #22. PatternMatchingCheck evaluates lines starting with the '#'
|
13
|
+
when applying regular expresion to get the job done. Of course this can be an
|
14
|
+
issue when it finds offending patterns inside comments (and this is why using
|
15
|
+
pattern matching in a security code review is EVIL!). Now there is an
|
16
|
+
attribute, avoid\_comments that tells the class to eventually strip leading
|
17
|
+
whitespaces from string and not to apply regex if the line is starting with
|
18
|
+
'#'.
|
19
|
+
Again, applying pattern matching approach to security leads to a lot of false
|
20
|
+
positives and should be avoided when possible, even with low severity checks
|
21
|
+
like this.
|
22
|
+
* Fixing issue #21. RoR cheatsheet security checks now have a detailed message
|
23
|
+
telling what's wen wrong with the code and why the check fired.
|
9
24
|
|
10
25
|
## Version 1.0.0 - codename: Lightning McQueen (2014-01-21)
|
11
26
|
|
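Review bot: the new `## Version 1.0.1` heading still carries the `(2014-xx-xx)` placeholder date, while version.rb in this same release sets `RELEASE = "20140125"` and the gemspec date is 2014-01-25; fill in the date before tagging. Two typos in the added bullets: "regular expresion" should be "regular expression" and "what's wen wrong" should be "what went wrong".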
data/KnowledgeBase.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
# Codesake::Dawn Knowledge base
|
2
2
|
|
3
|
-
The knowledge base library for Codesake::Dawn version 1.0.0
|
3
|
+
The knowledge base library for Codesake::Dawn version 1.0.0 contains 142 security checks.
|
4
4
|
---
|
5
5
|
* Not revised code: Analyzing comments, it seems your code is waiting from some review from you. Please consider take action before putting it in production.
|
6
6
|
This check will analyze the source code looking for the following patterns: XXX, TO_CHECK, CHECKME, CHECK and FIXME
|
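Review bot: the rewritten line 3 still says "Codesake::Dawn version 1.0.0" although this release bumps VERSION to 1.0.1 in version.rb; the version string here should track the release or be dropped so the file does not go stale on every bump. The hard-coded "142 security checks" figure will drift for the same reason; consider generating this file from the loaded knowledge base instead of editing it by hand.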
@@ -150,4 +150,4 @@ XML documents with carefully crafted entity expansion strings which can cause th
|
|
150
150
|
* [CVE-2013-7086](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7086): The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message.
|
151
151
|
|
152
152
|
|
153
|
-
_Last updated:
|
153
|
+
_Last updated: Tue 21 Jan 15:45:13 CET 2014_
|
data/README.md
CHANGED
@@ -233,12 +233,14 @@ This check will analyze the source code looking for the following patterns: XXX,
|
|
233
233
|
|
234
234
|
Project homepage: [http://dawn.codesake.com](http://dawn.codesake.com)
|
235
235
|
|
236
|
-
Twitter
|
236
|
+
Twitter profile: [@dawnscanner](https://twitter.com/dawnscanner)
|
237
237
|
|
238
238
|
Github repository: [https://github.com/codesake/codesake\-dawn](https://github.com/codesake/codesake-dawn)
|
239
239
|
|
240
240
|
The list of knowledge base content: [http://dawn.codesake.com/knowledge-base](http://dawn.codesake.com/knowledge-base)
|
241
241
|
|
242
|
+
Mailing list: [https://groups.google.com/forum/#!forum/codesake-dawn](https://groups.google.com/forum/#!forum/codesake-dawn)
|
243
|
+
|
242
244
|
## Supporters
|
243
245
|
|
244
246
|
To me as project leader it's very important to have feedbacks.
|
data/Roadmap.md
CHANGED
@@ -21,6 +21,11 @@ _latest update: Fri Jan 17 08:09:29 CET 2014_
|
|
21
21
|
* CVE-2013-2513
|
22
22
|
* CVE-2013-2512
|
23
23
|
* CVE-2013-1607
|
24
|
+
* CVE-2013-0262
|
25
|
+
* CVE-2013-0184
|
26
|
+
* CVE-2013-0183
|
27
|
+
* CVE-2012-6109
|
28
|
+
* CVE-2011-5036
|
24
29
|
* CVE-2007-6183
|
25
30
|
* move is\_vulnerable\_version? and is\_vulnerable\_patchlevel? to an adhoc
|
26
31
|
class handling version comparison
|
@@ -35,6 +40,11 @@ _latest update: Fri Jan 17 08:09:29 CET 2014_
|
|
35
40
|
* Add a --github option to Codesake::Dawn to clone a remote repository, perform
|
36
41
|
a bundle install and do a code review.
|
37
42
|
* Add support for github hooks
|
43
|
+
* Add a ruby deprecation check, accordingly to https://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering
|
44
|
+
* Add a severity attribute to basic check. It must be calculated automatically
|
45
|
+
on the cvss_score or it may be overriden upon check creation.
|
46
|
+
* Better bin/dawn script output formatting using some library like PrettyPrint
|
47
|
+
(this can involve a change in codesake-commons package).
|
38
48
|
|
39
49
|
## Version 1.2.0
|
40
50
|
|
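Review bot: typos in the added roadmap items: "overriden" should be "overridden" and "accordingly to" should be "according to".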
@@ -55,6 +65,7 @@ _latest update: Fri Jan 17 08:09:29 CET 2014_
|
|
55
65
|
|
56
66
|
## Version 1.5.0
|
57
67
|
|
68
|
+
* add support for pure Rack applications
|
58
69
|
* detect stored XSS in Rails applications
|
59
70
|
* detect reflected XSS in Rails applications
|
60
71
|
* detect insecure direct object reference in Rails applications
|
data/bin/dawn
CHANGED
@@ -139,6 +139,7 @@ end
|
|
139
139
|
$logger.die "missing target framework option" if engine.nil?
|
140
140
|
|
141
141
|
engine.load_knowledge_base
|
142
|
+
$logger.warn "this is a development Codesake::Dawn version" if Codesake::Dawn::RELEASE == "(development)"
|
142
143
|
|
143
144
|
$logger.die "nothing to do on #{target}" if ! options[:gemfile_scan] && ! engine.can_apply?
|
144
145
|
|
@@ -155,12 +156,12 @@ end
|
|
155
156
|
if engine.count_vulnerabilities != 0
|
156
157
|
$logger.log "#{engine.count_vulnerabilities} vulnerabilities found"
|
157
158
|
engine.vulnerabilities.each do |vuln|
|
158
|
-
$logger.
|
159
|
+
$logger.err "#{vuln[:name]} check failed"
|
159
160
|
$logger.log "Description: #{vuln[:message]}"
|
160
161
|
$logger.log "Solution: #{vuln[:remediation]}"
|
161
|
-
$logger.
|
162
|
+
$logger.log "Evidence:"
|
162
163
|
vuln[:evidences].each do |evidence|
|
163
|
-
$logger.
|
164
|
+
$logger.log "\t#{evidence}"
|
164
165
|
end
|
165
166
|
end
|
166
167
|
if engine.has_reflected_xss?
|
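Review bot: `$logger.log "\t#{evidence}"` at line 164 interpolates each element of `vuln[:evidences]` directly, but the cheatsheet checks in this release seed `:evidences` with prose Strings while PatternMatchCheck#vuln? pushes `{:filename=>..., :matches=>...}` Hashes into the same array, so this loop will print Hash#inspect output next to sentences; format the Hash case explicitly (filename plus matched line numbers) or keep evidences to one shape.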
@@ -1,3 +1,5 @@
|
|
1
|
+
## Press announcement
|
2
|
+
|
1
3
|
After 9 months of development, it's now time for Codesake::Dawn security source
|
2
4
|
code scanner first major release.
|
3
5
|
|
@@ -38,3 +40,19 @@ $ gem install codesake-dawn
|
|
38
40
|
You can find the announcement on the web here: [http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-0-released/](http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-0-released/)
|
39
41
|
Enjoy it!
|
40
42
|
Paolo - paolo@codesake.com
|
43
|
+
|
44
|
+
## Twitter announcement
|
45
|
+
@dawnscanner version 1.0.0 is out. Read the announcement: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-0-released/ #ruby #rails #sinatra #padrina #security #scanner
|
46
|
+
|
47
|
+
## Linkedin announcement
|
48
|
+
@dawnscanner version 1.0.0 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 142 CVE bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC framework out of the box.
|
49
|
+
|
50
|
+
$ gem install codesake-dawn
|
51
|
+
$ have fun
|
52
|
+
|
53
|
+
## HN Link
|
54
|
+
https://news.ycombinator.com/item?id=7094470
|
55
|
+
## Reddit
|
56
|
+
http://www.reddit.com/r/security/comments/1vr4ur/ann_codesakedawn_v100_released/
|
57
|
+
http://www.reddit.com/r/ruby/comments/1vr4u0/ann_codesakedawn_v100_released/
|
58
|
+
|
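Review bot: in the Twitter announcement the hashtag `#padrina` is a typo for `#padrino`, the framework named everywhere else in this file; the `$ have fun` line under the LinkedIn text looks like a shell command and may confuse readers copying the install line above it.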
@@ -15,10 +15,12 @@ module Codesake
|
|
15
15
|
:glob=>"*.rb",
|
16
16
|
:aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
|
17
17
|
:message=>message,
|
18
|
-
:attack_pattern => ["eval", "System", "\`", "Kernel.exec"]
|
18
|
+
:attack_pattern => ["eval", "System", "\`", "Kernel.exec"],
|
19
|
+
:avoid_comments => true,
|
20
|
+
:mitigation=>"Please validate the code you pass as argument to eval, System, Kernel.exec and friends. If you generate your command line with user controlled values, can lead to an arbitrary code execution."
|
19
21
|
})
|
22
|
+
# @debug = true
|
20
23
|
end
|
21
|
-
|
22
24
|
end
|
23
25
|
end
|
24
26
|
end
|
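Review bot: the added `:mitigation` string at line 20 is missing its subject: "If you generate your command line with user controlled values, can lead to an arbitrary code execution" should read "... values, this can lead to arbitrary code execution". On the re-emitted `:attack_pattern` line, `"System"` is capitalised while Ruby's `Kernel#system` is lowercase and PatternMatchCheck interpolates the pattern into a case-sensitive `/#{pat}/`, so ordinary `system(...)` calls are not matched; `"system"` (and `%x`) would be closer to the intended coverage. Conversely the unanchored `"eval"` also matches `evaluate`, `retrieval` and similar identifiers, which the changelog already acknowledges as a source of false positives.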
@@ -16,7 +16,8 @@ module Codesake
|
|
16
16
|
:aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
|
17
17
|
:message=>message,
|
18
18
|
:attack_pattern => ["protect_from_forgery"],
|
19
|
-
:negative_search=>true
|
19
|
+
:negative_search=>true,
|
20
|
+
:mitigation=>"Make sure you are using Rails protect_from_forgery facilities in application_controller.rMake sure you are using Rails protect_from_forgery facilities in application_controller.rb"
|
20
21
|
})
|
21
22
|
# @debug = true
|
22
23
|
end
|
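Review bot: the added `:mitigation` string at line 20 is a doubled copy-paste: "...application_controller.rMake sure you are using Rails protect_from_forgery facilities in application_controller.rb". Keep a single sentence ending in `application_controller.rb`. Also, with `:negative_search=>true` and no `:avoid_comments=>true` (which the other cheatsheet checks in this release set), a commented-out `# protect_from_forgery` anywhere in a `*.rb` file satisfies the check even though no CSRF protection is active.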
@@ -18,7 +18,10 @@ module Codesake
|
|
18
18
|
:aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
|
19
19
|
:message=>message,
|
20
20
|
:attack_pattern => ["attr_accessor"],
|
21
|
-
:negative_search=>
|
21
|
+
:negative_search=>false,
|
22
|
+
:avoid_comments=>true,
|
23
|
+
:evidences=>["In one or more of your models, you use attr_accessor attribute modifier. This is risky since it exposes you to a massive assignment vulnerability. You have to carefully handle how your model receive data by setting all attribute to attr_reader and using a setter method validating input before saving to database."],
|
24
|
+
:mitigation=>"Avoid attr_accessor attribute modifier in your models. You must use attr_reader as modifier and carefully filter your inputs before passing to the database layer."
|
22
25
|
})
|
23
26
|
# @debug = true
|
24
27
|
end
|
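Review bot: the `:evidences` entry at line 23 puts a prose String into the array that PatternMatchCheck#vuln? later appends `{:filename=>..., :matches=>...}` Hashes to, so consumers such as bin/dawn see a mix of sentences and Hashes; keep prose in `:message`/`:mitigation` and leave `:evidences` to the matcher. Substantively, `attr_accessor` is a plain Ruby accessor and is not what governs mass assignment in Rails (that is `attr_accessible`/`attr_protected` on Rails 3 and strong parameters on Rails 4), so this pattern flags models that are not exposed and says nothing about models that are; the evidence and mitigation text recommending `attr_reader` should be revisited against the OWASP cheatsheet the check links to.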
@@ -24,10 +24,9 @@ module Codesake
|
|
24
24
|
'X-Content-Type-Options' => 'nosniff',
|
25
25
|
'X-XSS-Protection' => '1;'
|
26
26
|
}"],
|
27
|
-
:negative_search=>true
|
27
|
+
:negative_search=>true,
|
28
|
+
:mitigation=>"Use response headers like X-Frame-Options, X-Content-Type-Options, X-XSS-Protection in your project."
|
28
29
|
})
|
29
|
-
|
30
|
-
|
31
30
|
end
|
32
31
|
end
|
33
32
|
end
|
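Review bot: the `:attack_pattern` is a multi-line literal (`'X-Content-Type-Options' => 'nosniff',` ... `}`) searched with `:negative_search=>true`, so any equivalent configuration that differs in key order, whitespace or quoting, or sets the headers through another mechanism, fails the check and is reported as missing headers. Matching each header name separately (one pattern per header) would make the check far less brittle; the added mitigation already lists the three names to look for.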
@@ -17,7 +17,10 @@ module Codesake
|
|
17
17
|
:aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
|
18
18
|
:message=>message,
|
19
19
|
:attack_pattern => ["Application.config.session_store :active_record_store"],
|
20
|
-
:negative_search=>true
|
20
|
+
:negative_search=>true,
|
21
|
+
:avoid_comments=>true,
|
22
|
+
:evidences=>["In your session_store.rb file you are not using ActiveRercord to store session data. This will let rails to use a cookie based session and it can expose your web application to a session replay attack."],
|
23
|
+
:mitigation=>"Use ActiveRecord or the ORM you love most to handle your code session_store. Add \"Application.config.session_store :active_record_store\" to your session_store.rb file."
|
21
24
|
})
|
22
25
|
# @debug = true
|
23
26
|
end
|
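Review bot: the `:evidences` text at line 22 has a typo, "ActiveRercord", and "This will let rails to use" should be "This lets Rails use". The same String-in-`:evidences` mixing issue noted for mass_assignment_in_model.rb applies here. The evidence text refers to session_store.rb while the check globs every `*.rb` file for the case-sensitive literal `Application.config.session_store :active_record_store`; a different but valid spelling such as `Rails.application.config.session_store :active_record_store` does not match and the app is flagged.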
@@ -14,6 +14,11 @@ module Codesake
|
|
14
14
|
# if pattern attack is nor present.
|
15
15
|
attr_reader :negative_search
|
16
16
|
|
17
|
+
# This attribute is false by default. If true, it tells pattern
|
18
|
+
# matching check to ignore strings starting with the ruby single line
|
19
|
+
# comment separator, '#'.
|
20
|
+
attr_reader :avoid_comments
|
21
|
+
|
17
22
|
EXCLUSION_LIST = [
|
18
23
|
"tags",
|
19
24
|
"vendor/bundle",
|
@@ -24,11 +29,15 @@ module Codesake
|
|
24
29
|
|
25
30
|
def initialize(options={})
|
26
31
|
super(options)
|
27
|
-
@attack_pattern = options[:attack_pattern]
|
28
32
|
@negative_search = false
|
33
|
+
@avoid_comments = false
|
34
|
+
@attack_pattern = options[:attack_pattern] unless options[:attack_pattern].nil?
|
29
35
|
@negative_search = options[:negative_search] unless options[:negative_search].nil?
|
36
|
+
@avoid_comments = options[:avoid_comments] unless options[:avoid_comments].nil?
|
37
|
+
@evidences = options[:evidences] unless options[:evidences].nil?
|
30
38
|
@glob = "**"
|
31
39
|
@glob = File.join(@glob, options[:glob]) unless options[:glob].nil?
|
40
|
+
debug_me("EVIDENCES ARE #{@evidences.inspect}")
|
32
41
|
end
|
33
42
|
|
34
43
|
def must_exclude?(filename)
|
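Review bot: `@evidences = options[:evidences] unless options[:evidences].nil?` at line 37 lets a check seed `@evidences` with prose Strings, while `vuln?` pushes `{:filename=>..., :matches=>...}` Hashes into the same array; pick one shape for the collection. `debug_me("EVIDENCES ARE #{@evidences.inspect}")` at line 40 is unconditional noise in the constructor and can go.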
@@ -40,19 +49,26 @@ module Codesake
|
|
40
49
|
end
|
41
50
|
|
42
51
|
def vuln?
|
52
|
+
found = false
|
53
|
+
matches = nil
|
43
54
|
Dir.glob(File.join("#{root_dir}", @glob)).each do |filename|
|
44
55
|
debug_me("#{File.basename(__FILE__)}@#{__LINE__}: analyzing #(unknown): search is #{@negative_search}")
|
45
56
|
matches = []
|
46
57
|
begin
|
47
58
|
matches = run(load_file(filename)) if File.exists?(filename) && File.file?(filename) && ! File.binary?(filename) && ! must_exclude?(filename)
|
59
|
+
found = ! matches.empty?
|
48
60
|
rescue ArgumentError => e
|
49
61
|
puts "Skipping pattern match check for #(unknown): #{e.message}"
|
50
62
|
end
|
51
|
-
@evidences << {:filename=>filename, :matches=>matches} unless
|
63
|
+
@evidences << {:filename=>filename, :matches=>matches} unless found
|
52
64
|
end
|
53
65
|
|
54
|
-
|
55
|
-
|
66
|
+
debug_me("FOUND IS: #{found}")
|
67
|
+
debug_me("EVIDENCES ARE: #{@evidences.inspect}")
|
68
|
+
debug_me("MATCHES: #{matches}")
|
69
|
+
|
70
|
+
ret_value = found unless @negative_search
|
71
|
+
ret_value = ! found if @negative_search
|
56
72
|
|
57
73
|
debug_me("#{File.basename(__FILE__)}@#{__LINE__}: evidences #=> #{@evidences}")
|
58
74
|
debug_me("#{File.basename(__FILE__)}@#{__LINE__}: ret_value #=> #{ret_value}")
|
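Review bot: `found = ! matches.empty?` at line 59 is reassigned on every iteration of the `Dir.glob(...).each` loop, so after the loop `found` reflects only the last file examined and a hit in any earlier file is lost; for `:negative_search` checks (all the cheatsheet checks use it) the check fires whenever the last globbed file happens not to contain the pattern. Accumulate instead, e.g. `found ||= ! matches.empty?`, and decide the result after the loop. Relatedly, `@evidences << {...} unless found` at line 63 records evidence for files with no matches and skips the files that matched; for a positive search it should be `if ! matches.empty?`, and for a negative search a per-file evidence entry is not meaningful since the finding is about absence. The two `ret_value` assignments at lines 70-71 can be one expression: `ret_value = @negative_search ? ! found : found`.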
@@ -86,11 +102,16 @@ module Codesake
|
|
86
102
|
|
87
103
|
regex=/#{pat}/
|
88
104
|
|
105
|
+
debug_me "@avoid_comments is #{@avoid_comments}"
|
106
|
+
|
89
107
|
lines.each_with_index do |line,i|
|
108
|
+
debug_me("LINE IS: #{line}")
|
109
|
+
line = "" if line.strip.start_with?('#') && @avoid_comments
|
90
110
|
hits << {:match=>line, :line=>i} unless (regex =~ line).nil?
|
91
111
|
end
|
92
112
|
end
|
93
113
|
|
114
|
+
debug_me("HITS IS: #{hits}")
|
94
115
|
hits
|
95
116
|
end
|
96
117
|
|
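Review bot: `hits << {:match=>line, :line=>i}` keeps the 0-based index from `each_with_index`, so the reported line number is one lower than what an editor shows; use `i + 1`. The new `line = "" if line.strip.start_with?('#') && @avoid_comments` only suppresses whole-line comments: a trailing comment such as `foo # eval`, a `#` inside a string literal, and `=begin`/`=end` blocks are not handled, which is consistent with the changelog's own warning that this matching is approximate but worth stating in the `avoid_comments` doc comment. `debug_me("LINE IS: #{line}")` at line 108 runs for every line of every file and will be very chatty on a real code base.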
@@ -7,8 +7,17 @@ require "codesake/dawn/kb/operating_system_check"
|
|
7
7
|
require "codesake/dawn/kb/combo_check"
|
8
8
|
|
9
9
|
# Q&A related checks
|
10
|
+
## Not revised code
|
10
11
|
require "codesake/dawn/kb/not_revised_code"
|
11
|
-
require "codesake/dawn/kb/owasp_ror_cheatsheet"
|
12
|
+
# require "codesake/dawn/kb/owasp_ror_cheatsheet"
|
13
|
+
|
14
|
+
## Owasp ROR Cheatsheet
|
15
|
+
|
16
|
+
require 'codesake/dawn/kb/owasp_ror_cheatsheet/command_injection'
|
17
|
+
require 'codesake/dawn/kb/owasp_ror_cheatsheet/csrf'
|
18
|
+
require 'codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database'
|
19
|
+
require 'codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model'
|
20
|
+
require 'codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers'
|
12
21
|
|
13
22
|
# Security checks with no or pending CVE
|
14
23
|
|
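Review bot: the old `require "codesake/dawn/kb/owasp_ror_cheatsheet"` is left behind as a commented-out line 12, with the matching `# Codesake::Dawn::Kb::OwaspRorCheatsheet.new,` further down in load_security_checks; if the combined check is gone, delete both rather than leaving dead code, and if it is coming back, a TODO saying why would help. Minor: quoting is inconsistent, double quotes on the existing requires and single quotes on the five new ones.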
@@ -249,7 +258,12 @@ module Codesake
|
|
249
258
|
def self.load_security_checks
|
250
259
|
[
|
251
260
|
Codesake::Dawn::Kb::NotRevisedCode.new,
|
252
|
-
Codesake::Dawn::Kb::
|
261
|
+
Codesake::Dawn::Kb::OwaspRorCheatSheet::CommandInjection.new,
|
262
|
+
Codesake::Dawn::Kb::OwaspRorCheatSheet::Csrf.new,
|
263
|
+
Codesake::Dawn::Kb::OwaspRorCheatSheet::SessionStoredInDatabase.new,
|
264
|
+
Codesake::Dawn::Kb::OwaspRorCheatSheet::MassAssignmentInModel.new,
|
265
|
+
Codesake::Dawn::Kb::OwaspRorCheatSheet::SecurityRelatedHeaders.new,
|
266
|
+
# Codesake::Dawn::Kb::OwaspRorCheatsheet.new,
|
253
267
|
Codesake::Dawn::Kb::SimpleForm_Xss_20131129.new,
|
254
268
|
Codesake::Dawn::Kb::NokogiriDos20131217.new,
|
255
269
|
Codesake::Dawn::Kb::Nokogiri_EntityExpansion_Dos_20131217.new,
|
@@ -1,5 +1,8 @@
|
|
1
1
|
module Codesake
|
2
2
|
module Dawn
|
3
|
+
# codesake-dawn when in development has RELASE equal to '(development)' and
|
4
|
+
# the version number is set for the next release.
|
5
|
+
#
|
3
6
|
# codesake-dawn v 1.x.y release codename will be Disney Pixar Cars / Cars2
|
4
7
|
# characters. My son Daniele loves those films and since I love him too,
|
5
8
|
# this is a kinda sort of tribute of my son's passion.
|
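Review bot: typo in the new comment at line 3, "RELASE" should be "RELEASE".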
@@ -13,9 +16,10 @@ module Codesake
|
|
13
16
|
# "Guido"
|
14
17
|
# "Luigi"
|
15
18
|
|
16
|
-
VERSION = "1.0.
|
19
|
+
VERSION = "1.0.1"
|
17
20
|
CODENAME = "Lightning McQueen"
|
18
|
-
RELEASE = "
|
21
|
+
# RELEASE = "(development)"
|
22
|
+
RELEASE = "20140125"
|
19
23
|
|
20
24
|
end
|
21
25
|
end
|
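Review bot: switching between `# RELEASE = "(development)"` and `RELEASE = "20140125"` by commenting one line in and out is easy to get wrong, and bin/dawn's development warning relies on the exact string `"(development)"`; consider deriving RELEASE from a single source (a build flag or environment variable) so a release cannot ship with the development marker by accident. The bump to 1.0.1 here is also not reflected in data/KnowledgeBase.md, which still says 1.0.0.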
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: codesake-dawn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.0.
|
4
|
+
version: 1.0.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Paolo Perego
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2014-01-
|
11
|
+
date: 2014-01-25 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: codesake-commons
|