codesake-dawn 1.0.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 11a7412929a49ef9ba3ba1abad00d6ae8fe80341
-  data.tar.gz: 844716c3213283dfbe5786d5cbdc684f5719ed84
+  metadata.gz: 50302c4bb86ae606ef4f93d1e5d16d7e52a1e708
+  data.tar.gz: 533b978503b39f885bd988ad40bd32a790190b9b
 SHA512:
-  metadata.gz: 63a503f4dc8c18d3cdb6430e9000b91a86cbfb69cf0196ec26d48c4f48ab6343ecfdf80ac6d9d392bc1b9ab112d850c563bcb2b8d46ad13adf893d47620d4595
-  data.tar.gz: a789b7c768a07192fa6d5357009b153b3b700588a44b359696e28111adcc45ae25aeadfc3b612d5c4831fd708830651167ddf5644d339bac6204e54b49470b24
+  metadata.gz: ec34ea8b25dc518ee795743289023c653911830a971586f9db27ee71321d677b28471f376d095c8f7005d0db0b79d64085573c57045816d06afce6e311e4c92d
+  data.tar.gz: c8930c0b3add71f583cbd62b3cfc40c11630eda2187d8939061bf8611e16be155f9cb2d366145d3597bee8deb5f03154f53a4c9e646aac7feeaf64d02f26332d

data/Changelog.md

@@ -5,7 +5,22 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks. 
 
-_latest update: Tue Jan 21 08:13:32 CET 2014_
+_latest update: Fri Jan 24 07:57:58 CET 2014_
+
+## Version 1.0.1 - codename: Lightning McQueen (2014-xx-xx)
+
+* Fixing issue #22. PatternMatchingCheck evaluates lines starting with the '#'
+  when applying regular expresion to get the job done. Of course this can be an
+  issue when it finds offending patterns inside comments (and this is why using
+  pattern matching in a security code review is EVIL!). Now there is an
+  attribute, avoid\_comments that tells the class to eventually strip leading
+  whitespaces from string and not to apply regex if the line is starting with
+  '#'.
+  Again, applying pattern matching approach to security leads to a lot of false
+  positives and should be avoided when possible, even with low severity checks
+  like this.
+* Fixing issue #21. RoR cheatsheet security checks now have a detailed message
+  telling what's wen wrong with the code and why the check fired.
 
 ## Version 1.0.0 - codename: Lightning McQueen (2014-01-21)
 

data/KnowledgeBase.md

@@ -1,6 +1,6 @@
 # Codesake::Dawn Knowledge base
 
-The knowledge base library for Codesake::Dawn version 1.0.0.rc2 contains 142 security checks.
+The knowledge base library for Codesake::Dawn version 1.0.0 contains 142 security checks.
 ---
 * Not revised code: Analyzing comments, it seems your code is waiting from some review from you. Please consider take action before putting it in production.
 This check will analyze the source code looking for the following patterns: XXX, TO_CHECK, CHECKME, CHECK and FIXME
@@ -150,4 +150,4 @@ XML documents with carefully crafted entity expansion strings which can cause th
 * [CVE-2013-7086](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7086): The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message.
 
 
-_Last updated: Thu 16 Jan 08:38:28 CET 2014_
+_Last updated: Tue 21 Jan 15:45:13 CET 2014_

data/README.md

@@ -233,12 +233,14 @@ This check will analyze the source code looking for the following patterns: XXX,
 
 Project homepage: [http://dawn.codesake.com](http://dawn.codesake.com) 
 
-Twitter progile:  [@dawnscanner](https://twitter.com/dawnscanner)
+Twitter profile:  [@dawnscanner](https://twitter.com/dawnscanner)
 
 Github repository:   [https://github.com/codesake/codesake\-dawn](https://github.com/codesake/codesake-dawn)
 
 The list of knowledge base content: [http://dawn.codesake.com/knowledge-base](http://dawn.codesake.com/knowledge-base)
 
+Mailing list: [https://groups.google.com/forum/#!forum/codesake-dawn](https://groups.google.com/forum/#!forum/codesake-dawn)
+
 ## Supporters
 
 To me as project leader it's very important to have feedbacks. 

data/Roadmap.md

@@ -21,6 +21,11 @@ _latest update: Fri Jan 17 08:09:29 CET 2014_
 * CVE-2013-2513
 * CVE-2013-2512
 * CVE-2013-1607
+* CVE-2013-0262
+* CVE-2013-0184
+* CVE-2013-0183
+* CVE-2012-6109
+* CVE-2011-5036
 * CVE-2007-6183
 * move is\_vulnerable\_version? and is\_vulnerable\_patchlevel? to an adhoc
   class handling version comparison
@@ -35,6 +40,11 @@ _latest update: Fri Jan 17 08:09:29 CET 2014_
 * Add a --github option to Codesake::Dawn to clone a remote repository, perform
   a bundle install and do a code review.
 * Add support for github hooks
+* Add a ruby deprecation check, accordingly to https://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering
+* Add a severity attribute to basic check. It must be calculated automatically
+  on the cvss_score or it may be overriden upon check creation.
+* Better bin/dawn script output formatting using some library like PrettyPrint
+  (this can involve a change in codesake-commons package).
 
 ## Version 1.2.0
 
@@ -55,6 +65,7 @@ _latest update: Fri Jan 17 08:09:29 CET 2014_
 
 ## Version 1.5.0
 
+* add support for pure Rack applications
 * detect stored XSS in Rails applications
 * detect reflected XSS in Rails applications
 * detect insecure direct object reference in Rails applications

data/bin/dawn

@@ -139,6 +139,7 @@ end
 $logger.die "missing target framework option" if engine.nil?
 
 engine.load_knowledge_base
+$logger.warn "this is a development Codesake::Dawn version" if Codesake::Dawn::RELEASE == "(development)"
 
 $logger.die "nothing to do on #{target}" if ! options[:gemfile_scan] && ! engine.can_apply? 
 
@@ -155,12 +156,12 @@ end
 if engine.count_vulnerabilities != 0
   $logger.log "#{engine.count_vulnerabilities} vulnerabilities found"
   engine.vulnerabilities.each do |vuln|
-    $logger.log "#{vuln[:name]} failed"
+    $logger.err "#{vuln[:name]} check failed"
     $logger.log "Description: #{vuln[:message]}" 
     $logger.log "Solution: #{vuln[:remediation]}"
-    $logger.err "Evidence:"
+    $logger.log "Evidence:"
     vuln[:evidences].each do |evidence|
-      $logger.err evidence
+      $logger.log "\t#{evidence}"
     end
   end
   if engine.has_reflected_xss?

data/doc/dawn_1_0_announcement.md

@@ -1,3 +1,5 @@
+## Press announcement
+
 After 9 months of development, it's now time for Codesake::Dawn security source
 code scanner first major release.
 
@@ -38,3 +40,19 @@ $ gem install codesake-dawn
 You can find the announcement on the web here: [http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-0-released/](http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-0-released/)
 Enjoy it!
 Paolo - paolo@codesake.com
+
+## Twitter announcement
+@dawnscanner version 1.0.0 is out. Read the announcement: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-0-released/ #ruby #rails #sinatra #padrina #security #scanner
+
+## Linkedin announcement 
+@dawnscanner version 1.0.0 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 142 CVE bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC framework out of the box. 
+
+$ gem install codesake-dawn 
+$ have fun
+
+## HN Link
+https://news.ycombinator.com/item?id=7094470
+## Reddit
+http://www.reddit.com/r/security/comments/1vr4ur/ann_codesakedawn_v100_released/
+http://www.reddit.com/r/ruby/comments/1vr4u0/ann_codesakedawn_v100_released/
+

data/lib/codesake/dawn/kb/basic_check.rb

@@ -74,6 +74,7 @@ module Codesake
           @ruby_version   = options[:ruby_version]
 
           @evidences    = []
+          @evidences    = options[:evidences] unless options[:evidences].nil?
           @mitigated    = false
           @status       = false
           @debug        = false

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/command_injection.rb

@@ -15,10 +15,12 @@ module Codesake
               :glob=>"*.rb",
               :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
               :message=>message,
-              :attack_pattern => ["eval", "System", "\`", "Kernel.exec"]
+              :attack_pattern => ["eval", "System", "\`", "Kernel.exec"],
+              :avoid_comments => true,
+              :mitigation=>"Please validate the code you pass as argument to eval, System, Kernel.exec and friends. If you generate your command line with user controlled values, can lead to an arbitrary code execution."
             })
+            # @debug = true
           end
-
         end
       end
     end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/csrf.rb

@@ -16,7 +16,8 @@ module Codesake
               :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
               :message=>message,
               :attack_pattern => ["protect_from_forgery"],
-              :negative_search=>true
+              :negative_search=>true,
+              :mitigation=>"Make sure you are using Rails protect_from_forgery facilities in application_controller.rMake sure you are using Rails protect_from_forgery facilities in application_controller.rb"
             })
             # @debug = true
           end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb

@@ -18,7 +18,10 @@ module Codesake
               :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
               :message=>message,
               :attack_pattern => ["attr_accessor"],
-              :negative_search=>true
+              :negative_search=>false,
+              :avoid_comments=>true,
+              :evidences=>["In one or more of your models, you use attr_accessor attribute modifier. This is risky since it exposes you to a massive assignment vulnerability. You have to carefully handle how your model receive data by setting all attribute to attr_reader and using a setter method validating input before saving to database."],
+              :mitigation=>"Avoid attr_accessor attribute modifier in your models. You must use attr_reader as modifier and carefully filter your inputs before passing to the database layer."
             })
             # @debug = true
           end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb

@@ -24,10 +24,9 @@ module Codesake
                     'X-Content-Type-Options' => 'nosniff',	  	
                     'X-XSS-Protection' => '1;'
                   }"],
-              :negative_search=>true
+              :negative_search=>true,
+              :mitigation=>"Use response headers like X-Frame-Options, X-Content-Type-Options, X-XSS-Protection in your project."
             })
-
-            
           end
         end
       end

data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb

@@ -17,7 +17,10 @@ module Codesake
               :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
               :message=>message,
               :attack_pattern => ["Application.config.session_store :active_record_store"],
-              :negative_search=>true
+              :negative_search=>true,
+              :avoid_comments=>true,
+              :evidences=>["In your session_store.rb file you are not using ActiveRercord to store session data. This will let rails to use a cookie based session and it can expose your web application to a session replay attack."],
+              :mitigation=>"Use ActiveRecord or the ORM you love most to handle your code session_store. Add \"Application.config.session_store :active_record_store\" to your session_store.rb file."
             })
             # @debug = true
           end 

data/lib/codesake/dawn/kb/pattern_match_check.rb

@@ -14,6 +14,11 @@ module Codesake
         # if pattern attack is nor present.
         attr_reader   :negative_search
 
+        # This attribute is false by default. If true, it tells pattern
+        # matching check to ignore strings starting with the ruby single line
+        # comment separator, '#'.
+        attr_reader   :avoid_comments
+
         EXCLUSION_LIST = [
           "tags",
           "vendor/bundle", 
@@ -24,11 +29,15 @@ module Codesake
 
         def initialize(options={})
           super(options)
-          @attack_pattern   = options[:attack_pattern]
           @negative_search  = false
+          @avoid_comments = false
+          @attack_pattern   = options[:attack_pattern] unless options[:attack_pattern].nil?
           @negative_search  = options[:negative_search] unless options[:negative_search].nil? 
+          @avoid_comments  = options[:avoid_comments] unless options[:avoid_comments].nil? 
+          @evidences  = options[:evidences] unless options[:evidences].nil? 
           @glob = "**"
           @glob = File.join(@glob, options[:glob]) unless options[:glob].nil?
+          debug_me("EVIDENCES ARE #{@evidences.inspect}")
         end
 
         def must_exclude?(filename)
@@ -40,19 +49,26 @@ module Codesake
         end
 
         def vuln?
+          found = false
+          matches = nil
           Dir.glob(File.join("#{root_dir}", @glob)).each do |filename|
             debug_me("#{File.basename(__FILE__)}@#{__LINE__}: analyzing #{filename}: search is #{@negative_search}")
             matches = []
             begin
               matches = run(load_file(filename)) if File.exists?(filename) && File.file?(filename) && ! File.binary?(filename) && ! must_exclude?(filename)
+              found = ! matches.empty?
             rescue ArgumentError => e
               puts "Skipping pattern match check for #{filename}: #{e.message}"
             end
-            @evidences << {:filename=>filename, :matches=>matches} unless matches.empty?
+            @evidences << {:filename=>filename, :matches=>matches} unless found
           end
          
-          ret_value = ! @evidences.empty? unless @negative_search
-          ret_value = @evidences.empty? if @negative_search
+          debug_me("FOUND IS: #{found}")
+          debug_me("EVIDENCES ARE: #{@evidences.inspect}")
+          debug_me("MATCHES: #{matches}")
+
+          ret_value = found unless @negative_search
+          ret_value = ! found if @negative_search
 
           debug_me("#{File.basename(__FILE__)}@#{__LINE__}: evidences #=> #{@evidences}")
           debug_me("#{File.basename(__FILE__)}@#{__LINE__}: ret_value #=> #{ret_value}")
@@ -86,11 +102,16 @@ module Codesake
 
             regex=/#{pat}/
 
+            debug_me "@avoid_comments is #{@avoid_comments}"
+
             lines.each_with_index do |line,i|
+              debug_me("LINE IS: #{line}")
+              line = "" if line.strip.start_with?('#') && @avoid_comments
               hits << {:match=>line, :line=>i} unless (regex =~ line).nil?
             end
           end
 
+          debug_me("HITS IS: #{hits}")
           hits
         end
 

data/lib/codesake/dawn/knowledge_base.rb

@@ -7,8 +7,17 @@ require "codesake/dawn/kb/operating_system_check"
 require "codesake/dawn/kb/combo_check"
 
 # Q&A related checks
+## Not revised code
 require "codesake/dawn/kb/not_revised_code"
-require "codesake/dawn/kb/owasp_ror_cheatsheet"
+# require "codesake/dawn/kb/owasp_ror_cheatsheet"
+
+## Owasp ROR Cheatsheet
+
+require 'codesake/dawn/kb/owasp_ror_cheatsheet/command_injection'
+require 'codesake/dawn/kb/owasp_ror_cheatsheet/csrf'
+require 'codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database'
+require 'codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model'
+require 'codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers'
 
 # Security checks with no or pending CVE
 
@@ -249,7 +258,12 @@ module Codesake
       def self.load_security_checks
         [  
           Codesake::Dawn::Kb::NotRevisedCode.new,
-          Codesake::Dawn::Kb::OwaspRorCheatsheet.new,
+          Codesake::Dawn::Kb::OwaspRorCheatSheet::CommandInjection.new,
+          Codesake::Dawn::Kb::OwaspRorCheatSheet::Csrf.new,
+          Codesake::Dawn::Kb::OwaspRorCheatSheet::SessionStoredInDatabase.new,
+          Codesake::Dawn::Kb::OwaspRorCheatSheet::MassAssignmentInModel.new, 
+          Codesake::Dawn::Kb::OwaspRorCheatSheet::SecurityRelatedHeaders.new, 
+          # Codesake::Dawn::Kb::OwaspRorCheatsheet.new,
           Codesake::Dawn::Kb::SimpleForm_Xss_20131129.new,
           Codesake::Dawn::Kb::NokogiriDos20131217.new,
           Codesake::Dawn::Kb::Nokogiri_EntityExpansion_Dos_20131217.new,

data/lib/codesake/dawn/version.rb

@@ -1,5 +1,8 @@
 module Codesake
   module Dawn
+    # codesake-dawn when in development has RELASE equal to '(development)' and
+    # the version number is set for the next release.
+    #
     # codesake-dawn v 1.x.y release codename will be Disney Pixar Cars / Cars2
     # characters. My son Daniele loves those films and since I love him too,
     # this is a kinda sort of tribute of my son's passion.
@@ -13,9 +16,10 @@ module Codesake
     # "Guido"           
     # "Luigi"           
 
-    VERSION   = "1.0.0"
+    VERSION   = "1.0.1"
     CODENAME  = "Lightning McQueen"
-    RELEASE   = "20140121"
+    # RELEASE   = "(development)"
+    RELEASE   = "20140125"
 
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: codesake-dawn
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Paolo Perego
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-01-21 00:00:00.000000000 Z
+date: 2014-01-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codesake-commons