codesake-dawn 1.1.2 → 1.1.3
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/Changelog.md +4 -0
- data/checksum/codesake-dawn-1.1.2.gem.sha512 +1 -0
- data/lib/codesake/dawn/kb/cve_2014_0130.rb +28 -0
- data/lib/codesake/dawn/knowledge_base.rb +2 -0
- data/lib/codesake/dawn/version.rb +2 -2
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +5 -0
- data/spec/lib/kb/cve_2014_0130_spec.rb +20 -0
- metadata +6 -2
- metadata.gz.sig +1 -1
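--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3cb817c04da264b3660491ef777d7587d0ef3fac
+data.tar.gz: 45d432e7628eca11e300c2d15b65b1db181e39ee
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 33261298a42ed1929845a29379f278b01bc445a892cb35c695568341aafe717a5b51b16333f99781fe67acde8dfd9ec35a0a2d7298de6f4f5ea2056bb3089f92
+data.tar.gz: 086af2f4ac028b0443dc38fbf1f5cadf48f8bfae4015f572d0438d2ae0d3006e3edba384221ffa453e27be022d687fa4f9706e6e28960bcc10955856d20ebbe5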
checksums.yaml.gz.sig
CHANGED
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
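--- a/data/Changelog.md
+++ b/data/Changelog.md
@@ -7,6 +7,10 @@ frameworks.
 
 _latest update: Fri Apr 18 07:55:10 CEST 2014_
 
+## Version 1.1.3 - codename: Lightning McQueen (2014-05-06)
+
+* Adding a check for CVE-2014-0130: directory traversal for ruby on rails
+
 ## Version 1.1.2 - codename: Lightning McQueen (2014-04-22)
 
 * Adding a check for OSVDB-105971: remote code execution for sfpagent ruby gem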
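--- a/data/checksum/codesake-dawn-1.1.2.gem.sha512
+++ b/data/checksum/codesake-dawn-1.1.2.gem.sha512
@@ -0,0 +1 @@
+393bc34a0e41fd18b8f49e1637c73fe84ef948efffdca9ebda9c476613cbc90941b8dc53eca09b55575b8c2276096d22178092df59cfefc569a1c9b4db9afb10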
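--- a/data/lib/codesake/dawn/kb/cve_2014_0130.rb
+++ b/data/lib/codesake/dawn/kb/cve_2014_0130.rb
@@ -0,0 +1,28 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2014-05-06
+class CVE_2014_0130
+include DependencyCheck
+
+def initialize
+message = "The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server."
+super({
+:name=>"CVE-2014-0130",
+:cvss=>"",
+:release_date => Date.new(2014, 5, 6),
+:cwe=>"",
+:owasp=>"A9",
+:applies=>["rails"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade rails version up to version 3.2.18, 4.0.5 or 4.1.1.",
+:aux_links=>["https://groups.google.com/forum/#!msg/rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ"]
+})
+self.safe_dependencies = [{:name=>"rails", :version=>['3.2.18', '4.0.5', '4.1.1']}]
+
+end
+end
+end
+end
+end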
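Review bot: The `:cvss=>""` and `:cwe=>""` entries in `initialize` are left empty, so a finding from this check carries neither a severity nor a weakness class. The changelog calls the issue a directory traversal, which corresponds to CWE-22, so `:cwe` can be filled in whatever format the other checks use, and `:cvss` should be copied from the published advisory rather than shipped blank. The mitigation text "upgrade rails version up to version 3.2.18, 4.0.5 or 4.1.1" reads like an upper bound; `:mitigation=>"Please upgrade rails to at least 3.2.18, 4.0.5 or 4.1.1, depending on your release series."` states what is presumably meant. The only comment is the generator stamp, so a line such as `# Version-only dependency check: flags rails releases older than the fixed ones listed in safe_dependencies.` would tell whoever triages the output what the result is based on.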
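--- a/data/lib/codesake/dawn/knowledge_base.rb
+++ b/data/lib/codesake/dawn/knowledge_base.rb
@@ -211,6 +211,7 @@ require "codesake/dawn/kb/cve_2014_0036"
 require "codesake/dawn/kb/cve_2014_0080"
 require "codesake/dawn/kb/cve_2014_0081"
 require "codesake/dawn/kb/cve_2014_0082"
+require "codesake/dawn/kb/cve_2014_0130"
 require "codesake/dawn/kb/cve_2014_1233"
 require "codesake/dawn/kb/cve_2014_1234"
 require "codesake/dawn/kb/cve_2014_2322"
@@ -454,6 +455,7 @@ module Codesake
 Codesake::Dawn::Kb::CVE_2014_0080.new,
 Codesake::Dawn::Kb::CVE_2014_0081.new,
 Codesake::Dawn::Kb::CVE_2014_0082.new,
+Codesake::Dawn::Kb::CVE_2014_0130.new,
 Codesake::Dawn::Kb::CVE_2014_1233.new,
 Codesake::Dawn::Kb::CVE_2014_1234.new,
 Codesake::Dawn::Kb::CVE_2014_2322.new,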
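--- a/data/spec/lib/kb/cve_2014_0130_spec.rb
+++ b/data/spec/lib/kb/cve_2014_0130_spec.rb
@@ -0,0 +1,20 @@
+require 'spec_helper'
+describe "The CVE-2014-0130 vulnerability" do
+before(:all) do
+@check = Codesake::Dawn::Kb::CVE_2014_0130.new
+# @check.debug = true
+end
+it "is reported when rails 4.1.0 is detected" do
+@check.dependencies = [{:name=>"rails", :version=>'4.1.0'}]
+@check.vuln?.should be_true
+end
+it "is reported when rails 4.0.4 is detected" do
+@check.dependencies = [{:name=>"rails", :version=>'4.0.4'}]
+@check.vuln?.should be_true
+end
+it "is reported when rails 3.2.17 is detected" do
+@check.dependencies = [{:name=>"rails", :version=>'3.2.17'}]
+@check.vuln?.should be_true
+end
+it "must be filled with CVSS information"
+end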
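Review bot: The three examples cover only vulnerable versions (4.1.0, 4.0.4, 3.2.17), and nothing asserts that the fixed releases named in `safe_dependencies` are left alone. A wrong entry in that list or a regression in the version comparison would then show up only as false positives on patched applications. Add one example per fixed release, for instance `@check.dependencies = [{:name=>"rails", :version=>'4.1.1'}]` followed by `@check.vuln?.should be_false`. The single `@check` built in `before(:all)` is also reassigned by every example, so `before(:each)` would keep state from one example out of the next.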
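--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: codesake-dawn
 version: !ruby/object:Gem::Version
-version: 1.1.
+version: 1.1.3
 platform: ruby
 authors:
 - Paolo Perego
@@ -30,7 +30,7 @@ cert_chain:
 Fh7BfxFDBZdj1mI2V+I+IYYMPKIouvwX3r7NTZgZ4TYuKVpOk9VSCxzhrPhnl4kb
 1LyVQIFlhF6nL0casp0ixer8N60=
 -----END CERTIFICATE-----
-date: 2014-
+date: 2014-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: codesake-commons
@@ -285,6 +285,7 @@ files:
 - checksum/codesake-dawn-1.1.0.gem.sha512
 - checksum/codesake-dawn-1.1.0.rc1.gem.sha512
 - checksum/codesake-dawn-1.1.1.gem.sha512
+- checksum/codesake-dawn-1.1.2.gem.sha512
 - codesake-dawn.gemspec
 - doc/codesake-dawn.yaml.sample
 - doc/dawn_1_0_announcement.md
@@ -457,6 +458,7 @@ files:
 - lib/codesake/dawn/kb/cve_2014_0080.rb
 - lib/codesake/dawn/kb/cve_2014_0081.rb
 - lib/codesake/dawn/kb/cve_2014_0082.rb
+- lib/codesake/dawn/kb/cve_2014_0130.rb
 - lib/codesake/dawn/kb/cve_2014_1233.rb
 - lib/codesake/dawn/kb/cve_2014_1234.rb
 - lib/codesake/dawn/kb/cve_2014_2322.rb
@@ -537,6 +539,7 @@ files:
 - spec/lib/kb/cve_2014_0080_spec.rb
 - spec/lib/kb/cve_2014_0081_spec.rb
 - spec/lib/kb/cve_2014_0082_spec.rb
+- spec/lib/kb/cve_2014_0130_spec.rb
 - spec/lib/kb/cve_2014_1233_spec.rb
 - spec/lib/kb/cve_2014_1234_spec.rb
 - spec/lib/kb/cve_2014_2322_spec.rb
@@ -627,6 +630,7 @@ test_files:
 - spec/lib/kb/cve_2014_0080_spec.rb
 - spec/lib/kb/cve_2014_0081_spec.rb
 - spec/lib/kb/cve_2014_0082_spec.rb
+- spec/lib/kb/cve_2014_0130_spec.rb
 - spec/lib/kb/cve_2014_1233_spec.rb
 - spec/lib/kb/cve_2014_1234_spec.rb
 - spec/lib/kb/cve_2014_2322_spec.rb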
metadata.gz.sig
CHANGED
@@ -1 +1 @@
|
|
1
|
-
�
|
1
|
+
S�IC��/[�--�vB[���#�-��Î���B$W����1��c4N���q��Eeg�^Q�:��`����.䝕@AuT�EE�ϔxo���Ӿ)- "+�yM�mؘN!�|NH��j-h�6�(�����vɃ�*�!'Ojz�jF�X;f�����T��u���#������9�1��4���� $?Ǡտ¯��_tܝ��I"a,��y�·o�P%�v_r�G�:?m:��h��`��62ݨ�4�϶�
|