RubyGems - codesake-dawn - Versions diffs - 1.1.2 → 1.1.3 - Mend

codesake-dawn 1.1.2 → 1.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml +4 -4
checksums.yaml.gz.sig +0 -0
data.tar.gz.sig +0 -0
data/Changelog.md +4 -0
data/checksum/codesake-dawn-1.1.2.gem.sha512 +1 -0
data/lib/codesake/dawn/kb/cve_2014_0130.rb +28 -0
data/lib/codesake/dawn/knowledge_base.rb +2 -0
data/lib/codesake/dawn/version.rb +2 -2
data/spec/lib/dawn/codesake_knowledgebase_spec.rb +5 -0
data/spec/lib/kb/cve_2014_0130_spec.rb +20 -0
metadata +6 -2
metadata.gz.sig +1 -1

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9c98dc1ac9b498221f9259088c579414dc2c1702
-  data.tar.gz: adebc95880499394348fb5216bc625f4facb82e4
+  metadata.gz: 3cb817c04da264b3660491ef777d7587d0ef3fac
+  data.tar.gz: 45d432e7628eca11e300c2d15b65b1db181e39ee
 SHA512:
-  metadata.gz: 10f26e434ae808c9ec4407ca24be27cf42c45651b36938348ab972e77ce65e84315b208da040d0e72e7e40bf955101a909cd724293b4b8489ebaafe5ca6ea3e3
-  data.tar.gz: 08534937ffc51cf3e01a02fdad729caaeb5c7d69a12e29699fa3628ff0aaf08d3008cc0ed0934ecfcccf116c526309f7679a322d90be350fd21b7d6b547750a9
+  metadata.gz: 33261298a42ed1929845a29379f278b01bc445a892cb35c695568341aafe717a5b51b16333f99781fe67acde8dfd9ec35a0a2d7298de6f4f5ea2056bb3089f92
+  data.tar.gz: 086af2f4ac028b0443dc38fbf1f5cadf48f8bfae4015f572d0438d2ae0d3006e3edba384221ffa453e27be022d687fa4f9706e6e28960bcc10955856d20ebbe5

checksums.yaml.gz.sig CHANGED

Binary file

data.tar.gz.sig CHANGED

Binary file

data/Changelog.md CHANGED

@@ -7,6 +7,10 @@ frameworks.
 _latest update: Fri Apr 18 07:55:10 CEST 2014_
+## Version 1.1.3 - codename: Lightning McQueen (2014-05-06)
+* Adding a check for CVE-2014-0130: directory traversal for ruby on rails
 ## Version 1.1.2 - codename: Lightning McQueen (2014-04-22)
 * Adding a check for OSVDB-105971: remote code execution for sfpagent ruby gem

data/checksum/codesake-dawn-1.1.2.gem.sha512 ADDED

	@@ -0,0 +1 @@
1	+ 393bc34a0e41fd18b8f49e1637c73fe84ef948efffdca9ebda9c476613cbc90941b8dc53eca09b55575b8c2276096d22178092df59cfefc569a1c9b4db9afb10

data/lib/codesake/dawn/kb/cve_2014_0130.rb ADDED

@@ -0,0 +1,28 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-05-06
+			class CVE_2014_0130
+				include DependencyCheck
+				def initialize
+          message = "The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name.  This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server."
+          super({
+            :name=>"CVE-2014-0130",
+            :cvss=>"",
+            :release_date => Date.new(2014, 5, 6),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version up to version 3.2.18, 4.0.5 or 4.1.1.",
+            :aux_links=>["https://groups.google.com/forum/#!msg/rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ"]
+          })
+          self.safe_dependencies = [{:name=>"rails", :version=>['3.2.18', '4.0.5', '4.1.1']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/knowledge_base.rb CHANGED

@@ -211,6 +211,7 @@ require "codesake/dawn/kb/cve_2014_0036"
 require "codesake/dawn/kb/cve_2014_0080"
 require "codesake/dawn/kb/cve_2014_0081"
 require "codesake/dawn/kb/cve_2014_0082"
+require "codesake/dawn/kb/cve_2014_0130"
 require "codesake/dawn/kb/cve_2014_1233"
 require "codesake/dawn/kb/cve_2014_1234"
 require "codesake/dawn/kb/cve_2014_2322"
@@ -454,6 +455,7 @@ module Codesake
           Codesake::Dawn::Kb::CVE_2014_0080.new,
           Codesake::Dawn::Kb::CVE_2014_0081.new,
           Codesake::Dawn::Kb::CVE_2014_0082.new,
+          Codesake::Dawn::Kb::CVE_2014_0130.new,
           Codesake::Dawn::Kb::CVE_2014_1233.new,
           Codesake::Dawn::Kb::CVE_2014_1234.new,
           Codesake::Dawn::Kb::CVE_2014_2322.new,

data/lib/codesake/dawn/version.rb CHANGED

@@ -19,10 +19,10 @@ module Codesake
     # |   "Luigi"       |  7.0.0  |
     # | "Doc Hudson"    |  8.0.0  |
-    VERSION   = "1.1.2"
+    VERSION   = "1.1.3"
     CODENAME  = "Lightning McQueen"
     # RELEASE   = "(development)"
-    RELEASE   = "20140422"
+    RELEASE   = "20140506"
   end
 end

data/spec/lib/dawn/codesake_knowledgebase_spec.rb CHANGED

@@ -893,4 +893,9 @@ end
     sc.class.should == Codesake::Dawn::Kb::OSVDB_105971
   end
+  it "must have test for CVE-2014-0130" do
+      sc = kb.find("CVE-2014-0130")
+        sc.should_not   be_nil
+          sc.class.should == Codesake::Dawn::Kb::CVE_2014_0130
+  end
 end

data/spec/lib/kb/cve_2014_0130_spec.rb ADDED

@@ -0,0 +1,20 @@
+require 'spec_helper'
+describe "The CVE-2014-0130 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::CVE_2014_0130.new
+		# @check.debug = true
+	end
+  it "is reported when rails 4.1.0 is detected" do
+    @check.dependencies = [{:name=>"rails", :version=>'4.1.0'}]
+    @check.vuln?.should   be_true
+  end
+  it "is reported when rails 4.0.4 is detected" do
+    @check.dependencies = [{:name=>"rails", :version=>'4.0.4'}]
+    @check.vuln?.should   be_true
+  end
+  it "is reported when rails 3.2.17 is detected" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.2.17'}]
+    @check.vuln?.should   be_true
+  end
+  it "must be filled with CVSS information"
+end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: codesake-dawn
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 1.1.3
 platform: ruby
 authors:
 - Paolo Perego
@@ -30,7 +30,7 @@ cert_chain:
   Fh7BfxFDBZdj1mI2V+I+IYYMPKIouvwX3r7NTZgZ4TYuKVpOk9VSCxzhrPhnl4kb
   1LyVQIFlhF6nL0casp0ixer8N60=
   -----END CERTIFICATE-----
-date: 2014-04-22 00:00:00.000000000 Z
+date: 2014-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codesake-commons
@@ -285,6 +285,7 @@ files:
 - checksum/codesake-dawn-1.1.0.gem.sha512
 - checksum/codesake-dawn-1.1.0.rc1.gem.sha512
 - checksum/codesake-dawn-1.1.1.gem.sha512
+- checksum/codesake-dawn-1.1.2.gem.sha512
 - codesake-dawn.gemspec
 - doc/codesake-dawn.yaml.sample
 - doc/dawn_1_0_announcement.md
@@ -457,6 +458,7 @@ files:
 - lib/codesake/dawn/kb/cve_2014_0080.rb
 - lib/codesake/dawn/kb/cve_2014_0081.rb
 - lib/codesake/dawn/kb/cve_2014_0082.rb
+- lib/codesake/dawn/kb/cve_2014_0130.rb
 - lib/codesake/dawn/kb/cve_2014_1233.rb
 - lib/codesake/dawn/kb/cve_2014_1234.rb
 - lib/codesake/dawn/kb/cve_2014_2322.rb
@@ -537,6 +539,7 @@ files:
 - spec/lib/kb/cve_2014_0080_spec.rb
 - spec/lib/kb/cve_2014_0081_spec.rb
 - spec/lib/kb/cve_2014_0082_spec.rb
+- spec/lib/kb/cve_2014_0130_spec.rb
 - spec/lib/kb/cve_2014_1233_spec.rb
 - spec/lib/kb/cve_2014_1234_spec.rb
 - spec/lib/kb/cve_2014_2322_spec.rb
@@ -627,6 +630,7 @@ test_files:
 - spec/lib/kb/cve_2014_0080_spec.rb
 - spec/lib/kb/cve_2014_0081_spec.rb
 - spec/lib/kb/cve_2014_0082_spec.rb
+- spec/lib/kb/cve_2014_0130_spec.rb
 - spec/lib/kb/cve_2014_1233_spec.rb
 - spec/lib/kb/cve_2014_1234_spec.rb
 - spec/lib/kb/cve_2014_2322_spec.rb

metadata.gz.sig CHANGED

	@@ -1 +1 @@
1	- �~~_��jJ~~�~~2t�~~ ~~�/8~~"~~8" ��ͬ��c��k�~~m��~~l�~~ �~~O��3jdΏ�f~~�~~��c~~�M�~~9�bC0s~~��~~G�r�~~9~~��R�^��M~~�~~dQ�J��S`Z�(��Wtl��W�Gw��9':%2�~��D�Sg��^yr'��ߔEԑ7t��~~I~~�ܜ_�@��#��C�s��c�Ξ��K;Ћlf`亘7�Y<U`�Y~~�~~XS��zW��ퟟ��Կ�}�@�f�$�\�~~
1	+ S�IC��/[�--�vB[��#�-��Î��B$W��1��c4N��q��Eeg�^Q�:��`��.䝕@AuT�EE�ϔxo��Ӿ)- "+�yM�mؘN!�\|NH��j-h�6�(��vɃ�*�!'Ojz�jF�X;f��T��u��#��9�1��4�� $?Ǡտ¯��_tܝ��I"a,��y�·o�P%�v_r�G�:?m:��h��`��62ݨ�4�϶�