codesake-dawn 1.0.5 → 1.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a3cfd7dcde00df1e924802c9a980ca4df702a01e
-  data.tar.gz: d4b4a80895d4ac4067beb45d0f1bab10314c9c6f
+  metadata.gz: 533e7cbdaed92f7f1dfd4e9edf9e0f7a3a7eface
+  data.tar.gz: ab8a1b8696885fd7e4974b4e2b290306450da5e3
 SHA512:
-  metadata.gz: 69fc2f353ffa35c92268c36bf12863df8fd9b248dd0706c505d4d240f9a923b433fe9daa120e5b9bd9898d3bdcfa5dab6944aa6f5390a02c962d2bce9ef99d24
-  data.tar.gz: 1058acec0fe728506c2d2014938061f316617aefab6b2f43a2f491997a5a1a3cd8a3085dd248650c72708060838f4ef527cb1bd942feb907a810635edc6bb8dc
+  metadata.gz: 5c1065fe087482d80c4d8cbaf8d40be918c2fc076097e2fbc45425c5cd9f77e3d60088bac26ee759a9f04e582c00a93b031fc76e27e050106c9406b110bf2ab6
+  data.tar.gz: 742f0d74ab39c0301ecc29a60dbc564bb1e12fb793796970d8229a4bd14b4487ba4eac6272684ab81eaf033fc8d0ffb64e4a460f6e812e06e2481c2e746a9c3f

data/Changelog.md

@@ -5,7 +5,11 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: Tue Mar 18 15:57:42 CET 2014_
+_latest update: Sun Mar 23 22:36:42 CET 2014_
+
+## Version 1.0.6 - codename: Lightning McQueen (2014-03-23)
+
+* Added a check for CVE-2014-2538
 
 ## Version 1.0.5 - codename: Lightning McQueen (2014-03-18)
 

data/KnowledgeBase.md

@@ -1,6 +1,6 @@
 # Codesake::Dawn Knowledge base
 
-The knowledge base library for Codesake::Dawn version 1.0.4 contains 152 security checks.
+The knowledge base library for Codesake::Dawn version 1.0.5 contains 155 security checks.
 ---
 * Not revised code: Analyzing comments, it seems your code is waiting from some review from you. Please consider take action before putting it in production.
 This check will analyze the source code looking for the following patterns: XXX, TO_CHECK, CHECKME, CHECK and FIXME
@@ -9,12 +9,24 @@ This check will analyze the source code looking for the following patterns: XXX,
 * Owasp Ror CheatSheet: Session management: By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session.
 * Owasp Ror CheatSheet: Mass Assignement in model: Although the major issue with Mass Assignment has been fixed by default in base Rails specifically when generating new projects, it still applies to older and upgraded projects so it is important to understand the issue and to ensure that only attributes that are intended to be modifiable are exposed.
 * Owasp Ror CheatSheet: Security Related Headers: To set a header value, simply access the response.headers object as a hash inside your controller (often in a before/after_filter). Rails 4 provides the "default_headers" functionality that will automatically apply the values supplied. This works for most headers in almost all cases.
-* Owasp Ror CheatSheet: Check for safe redirect and forward:           Web applications often require the ability to dynamically redirect users based on client-supplied data. To clarify, dynamic redirection usually entails the client including a URL in a parameter within a request to the application. Once received by the application, the user is redirected to the URL specified in the request. For example:
-            http://www.example.com/redirect?url=http://www.example_commerce_site.com/checkout
-          The above request would redirect the user to http://www.example.com/checkout. The security concern associated with this functionality is leveraging an organization’s trusted brand to phish users and trick them into visiting a malicious site, in our example, “badhacker.com”. Example:
-            http://www.example.com/redirect?url=http://badhacker.com
-          The most basic, but restrictive protection is to use the :only_path option. Setting this to true will essentially strip out any host information.
+* Owasp Ror CheatSheet: Check for safe redirect and forward: Web applications often require the ability to dynamically redirect users based
+on client-supplied data. To clarify, dynamic redirection usually entails the
+client including a URL in a parameter within a request to the application. Once
+received by the application, the user is redirected to the URL specified in the
+request.
 
+For example: http://www.example.com/redirect?url=http://www.example_commerce_site.com/checkout
+
+The above request would redirect the user to http://www.example.com/checkout.
+
+The security concern associated with this functionality is leveraging an
+organization's trusted brand to phish users and trick them into visiting a
+malicious site, in our example, "badhacker.com".
+
+Example: http://www.example.com/redirect?url=http://badhacker.com
+
+The most basic, but restrictive protection is to use the :only_path option.
+Setting this to true will essentially strip out any host information.
 * Owasp Ror CheatSheet: Sensitive Files: Many Ruby on Rails apps are open source and hosted on publicly available source code repositories. Whether that is the case or the code is committed to a corporate source control system, there are certain files that should be either excluded or carefully managed.
 * Simple Form XSS - 20131129: There is a XSS vulnerability on Simple Form's label, hint and error options. When Simple Form creates a label, hint or error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the text of these helpers can be provided by the users, malicious values can be provided and Simple Form will mark it as safe.
 * Nokogiri - Denial of service - 20131217: There is a vulnerability in Nokogiri when using JRuby where the parser can enter an infinite loop and exhaust the process memory. Nokogiri users on JRuby using the native Java extension.  Attackers can send XML documents with carefully crafted documents which can cause the XML processor to enter an infinite loop, causing the server to run out of memory and crash.
@@ -159,10 +171,13 @@ XML documents with carefully crafted entity expansion strings which can cause th
 * [CVE-2013-6421](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6421): The unpack_zip function in archive_unpacker.rb in the sprout gem 0.7.246 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a (1) filename or (2) path.
 * [CVE-2013-6459](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6459): Cross-site scripting (XSS) vulnerability in the will_paginate gem before 3.0.5 for Ruby allows remote attackers to inject arbitrary web script or HTML via vectors involving generated pagination links.
 * [CVE-2013-7086](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7086): The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message.
-* [CVE-2014-1233](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1233): The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtain the App-Key, username, and password values by listing the curl process.
-* [CVE-2014-1234](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1234): The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process.
+* [CVE-2014-0036](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0036): rbovirt Gem for Ruby contains a flaw related to certificate validation. The issue is due to the program failing to validate SSL certificates. This may allow an attacker with access to network traffic (e.g. MiTM, DNS cache poisoning) to spoof the SSL server via an arbitrary certificate that appears valid. Such an attack would allow for the interception of sensitive traffic, and potentially allow for the injection of content into the SSL stream.
 * [CVE-2014-0081](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081): Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
 * [CVE-2014-0082](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082): actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.
+* [CVE-2014-1233](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1233): The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtain the App-Key, username, and password values by listing the curl process.
+* [CVE-2014-1234](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1234): The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process.
+* [CVE-2014-2322](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2322): Arabic Prawn Gem for Ruby contains a flaw in the ib/string_utf_support.rb file. The issue is due to the program failing to sanitize user input. This may allow a remote attacker to inject arbitrary commands.
+* [CVE-2014-2538](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2538): rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
 
 
-_Last updated: Fri 14 Mar 08:36:40 CET 2014_
+_Last updated: Sun 23 Mar 22:44:00 CET 2014_

data/codesake-dawn.gemspec

@@ -8,8 +8,8 @@ Gem::Specification.new do |gem|
   gem.version       = Codesake::Dawn::VERSION
   gem.authors       = ["Paolo Perego"]
   gem.email         = ["thesp0nge@gmail.com"]
-  gem.description   = %q{dawn is a security static source code analyzer for web applications written in ruby. It supports major MVC frameworks like sinatra, padrino and ruby on rails. dawn output is a list of security vulnerabilities affecting your code. It provides more than 140 security checks with their own mitigation suggestion.}
-  gem.summary       = %q{dawn is a security static source code analyzer for sinatra, padrino and ruby on rails web applications.}
+  gem.description   = %q{dawn is a security static source code scanner for web applications written in ruby. It supports major MVC frameworks like sinatra, padrino and ruby on rails. dawn output is a list of security vulnerabilities affecting your code. Latest stable version contains more than 150 secutiy checks with their own mitigation suggestion.}
+  gem.summary       = %q{dawn is a security static source code scanner for sinatra, padrino and ruby on rails web applications.}
   gem.homepage      = "http://dawn.codesake.com"
 
   gem.files         = `git ls-files`.split($/)

data/doc/dawn_1_0_announcement.md

@@ -1,3 +1,4 @@
+
 ## Press announcement
 
 After 9 months of development, it's now time for Codesake::Dawn security source
@@ -43,6 +44,10 @@ Paolo - paolo@codesake.com
 
 ## Twitter announcement
 
+### version 1.0.6
+
+@dawnscanner version 1.0.6 is out. A new security check: CVE-2014-2538 #ruby #security #rails #sinatra #padrino
+
 ### version 1.0.5
 
 @dawnscanner version 1.0.5 is out. 2 new security checks: CVE-2014-2322 and CVE-2014-0036 #ruby #security #rails #sinatra #padrino
@@ -69,9 +74,17 @@ Paolo - paolo@codesake.com
 
 ## Linkedin announcement 
 
+### version 1.0.6
+
+@dawnscanner version 1.0.6 is out. You can read the announcement here: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-6-released/
+Codesake::Dawn v1.0.6 introduces a newly released CVE bullettin: CVE-2014-2538 about a reflected xss in rack-ssl rubygem. Codesake::Dawk supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box.
+
+$ gem install codesake-dawn 
+$ have fun
+
 ### version 1.0.5
 
-@dawnscanner version 1.0.r54 is out. You can read the announcement here: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-5-released/
+@dawnscanner version 1.0.5 is out. You can read the announcement here: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-5-released/
 Codesake::Dawn v1.0.5 introduces 2 newly released CVE bullettins: CVE-2014-006 and CVE-2014-2322 about a MitM Spoofing Weakness in rbovirt gem and command injection in arabic prawn gem. Codesake::Dawk supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box.
 
 $ gem install codesake-dawn 

data/lib/codesake/dawn/kb/cve_2014_2538.rb

@@ -0,0 +1,28 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-03-23
+			class CVE_2014_2538
+				include DependencyCheck
+
+				def initialize
+          message = "rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server."
+           super({
+            :name=>"CVE-2014-2538",
+            :cvss=>"",
+            :release_date => Date.new(2013, 7, 9),
+            :cwe=>"79",
+            :owasp=>"A3",
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"A new version for rack-ssl version it has been released. Pleas upgrade at least to version 1.4.1 or higher.",
+            :aux_links=>["http://seclists.org/oss-sec/2014/q1/594"]
+           })
+
+           self.safe_dependencies = [{:name=>"rack-ssl", :version=>['1.4.1']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/knowledge_base.rb

@@ -202,6 +202,7 @@ require "codesake/dawn/kb/cve_2014_0082"
 require "codesake/dawn/kb/cve_2014_1233"
 require "codesake/dawn/kb/cve_2014_1234"
 require "codesake/dawn/kb/cve_2014_2322"
+require "codesake/dawn/kb/cve_2014_2538"
 
 module Codesake
   module Dawn
@@ -418,6 +419,7 @@ module Codesake
           Codesake::Dawn::Kb::CVE_2014_1233.new,
           Codesake::Dawn::Kb::CVE_2014_1234.new,
           Codesake::Dawn::Kb::CVE_2014_2322.new,
+          Codesake::Dawn::Kb::CVE_2014_2538.new,
 
         ]
       end

data/lib/codesake/dawn/version.rb

@@ -16,10 +16,10 @@ module Codesake
     # "Guido"
     # "Luigi"
 
-    VERSION   = "1.0.5"
+    VERSION   = "1.0.6"
     CODENAME  = "Lightning McQueen"
     # RELEASE   = "(development)"
-    RELEASE   = "20140318"
+    RELEASE   = "20140323"
 
   end
 end

data/spec/lib/dawn/codesake_knowledgebase_spec.rb

@@ -779,4 +779,9 @@ end
         sc.should_not   be_nil
           sc.class.should == Codesake::Dawn::Kb::CVE_2014_0036
   end
+  it "must have test for CVE-2014-2538" do
+      sc = kb.find("CVE-2014-2538")
+        sc.should_not   be_nil
+          sc.class.should == Codesake::Dawn::Kb::CVE_2014_2538
+  end
 end

data/spec/lib/kb/cve_2014_2538_spec.rb

@@ -0,0 +1,16 @@
+require 'spec_helper'
+describe "The CVE-2014-2538 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::CVE_2014_2538.new
+		# @check.debug = true
+	end
+  it "is reported when rack-ssl vulnerable version it has been found (1.4.0)" do
+    @check.dependencies = [{:name=>'rack-ssl', :version=>'1.4.0'}]
+    @check.vuln?.should   be_true
+  end
+  it "is reported when rack-ssl not vulnerable version it has been found (1.5.0)" do
+    @check.dependencies = [{:name=>'rack-ssl', :version=>'1.5.0'}]
+    @check.vuln?.should   be_false
+  end
+  it "must be filled with CVSS information"
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: codesake-dawn
 version: !ruby/object:Gem::Version
-  version: 1.0.5
+  version: 1.0.6
 platform: ruby
 authors:
 - Paolo Perego
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-03-18 00:00:00.000000000 Z
+date: 2014-03-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codesake-commons
@@ -206,10 +206,10 @@ dependencies:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
-description: dawn is a security static source code analyzer for web applications written
+description: dawn is a security static source code scanner for web applications written
   in ruby. It supports major MVC frameworks like sinatra, padrino and ruby on rails.
-  dawn output is a list of security vulnerabilities affecting your code. It provides
-  more than 140 security checks with their own mitigation suggestion.
+  dawn output is a list of security vulnerabilities affecting your code. Latest stable
+  version contains more than 150 secutiy checks with their own mitigation suggestion.
 email:
 - thesp0nge@gmail.com
 executables:
@@ -385,6 +385,7 @@ files:
 - lib/codesake/dawn/kb/cve_2014_1233.rb
 - lib/codesake/dawn/kb/cve_2014_1234.rb
 - lib/codesake/dawn/kb/cve_2014_2322.rb
+- lib/codesake/dawn/kb/cve_2014_2538.rb
 - lib/codesake/dawn/kb/dependency_check.rb
 - lib/codesake/dawn/kb/nokogiri_dos_20131217.rb
 - lib/codesake/dawn/kb/nokogiri_entityexpansion_dos_20131217.rb
@@ -444,6 +445,7 @@ files:
 - spec/lib/kb/cve_2014_1233_spec.rb
 - spec/lib/kb/cve_2014_1234_spec.rb
 - spec/lib/kb/cve_2014_2322_spec.rb
+- spec/lib/kb/cve_2014_2538_spec.rb
 - spec/lib/kb/owasp_ror_cheatsheet_disabled.rb
 - spec/spec_helper.rb
 homepage: http://dawn.codesake.com
@@ -468,7 +470,7 @@ rubyforge_project:
 rubygems_version: 2.1.11
 signing_key: 
 specification_version: 4
-summary: dawn is a security static source code analyzer for sinatra, padrino and ruby
+summary: dawn is a security static source code scanner for sinatra, padrino and ruby
   on rails web applications.
 test_files:
 - features/dawn_complains_about_an_incorrect_command_line.feature.disabled
@@ -509,5 +511,6 @@ test_files:
 - spec/lib/kb/cve_2014_1233_spec.rb
 - spec/lib/kb/cve_2014_1234_spec.rb
 - spec/lib/kb/cve_2014_2322_spec.rb
+- spec/lib/kb/cve_2014_2538_spec.rb
 - spec/lib/kb/owasp_ror_cheatsheet_disabled.rb
 - spec/spec_helper.rb