codesake-dawn 1.1.2 → 1.1.3

Sign up to get free protection for your applications and to get access to all the features.
Files changed (12) hide show
  1. checksums.yaml +4 -4
  2. checksums.yaml.gz.sig +0 -0
  3. data.tar.gz.sig +0 -0
  4. data/Changelog.md +4 -0
  5. data/checksum/codesake-dawn-1.1.2.gem.sha512 +1 -0
  6. data/lib/codesake/dawn/kb/cve_2014_0130.rb +28 -0
  7. data/lib/codesake/dawn/knowledge_base.rb +2 -0
  8. data/lib/codesake/dawn/version.rb +2 -2
  9. data/spec/lib/dawn/codesake_knowledgebase_spec.rb +5 -0
  10. data/spec/lib/kb/cve_2014_0130_spec.rb +20 -0
  11. metadata +6 -2
  12. metadata.gz.sig +1 -1
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 9c98dc1ac9b498221f9259088c579414dc2c1702
4
- data.tar.gz: adebc95880499394348fb5216bc625f4facb82e4
3
+ metadata.gz: 3cb817c04da264b3660491ef777d7587d0ef3fac
4
+ data.tar.gz: 45d432e7628eca11e300c2d15b65b1db181e39ee
5
5
  SHA512:
6
- metadata.gz: 10f26e434ae808c9ec4407ca24be27cf42c45651b36938348ab972e77ce65e84315b208da040d0e72e7e40bf955101a909cd724293b4b8489ebaafe5ca6ea3e3
7
- data.tar.gz: 08534937ffc51cf3e01a02fdad729caaeb5c7d69a12e29699fa3628ff0aaf08d3008cc0ed0934ecfcccf116c526309f7679a322d90be350fd21b7d6b547750a9
6
+ metadata.gz: 33261298a42ed1929845a29379f278b01bc445a892cb35c695568341aafe717a5b51b16333f99781fe67acde8dfd9ec35a0a2d7298de6f4f5ea2056bb3089f92
7
+ data.tar.gz: 086af2f4ac028b0443dc38fbf1f5cadf48f8bfae4015f572d0438d2ae0d3006e3edba384221ffa453e27be022d687fa4f9706e6e28960bcc10955856d20ebbe5
checksums.yaml.gz.sig CHANGED
Binary file
data.tar.gz.sig CHANGED
Binary file
data/Changelog.md CHANGED
@@ -7,6 +7,10 @@ frameworks.
7
7
 
8
8
  _latest update: Fri Apr 18 07:55:10 CEST 2014_
9
9
 
10
+ ## Version 1.1.3 - codename: Lightning McQueen (2014-05-06)
11
+
12
+ * Adding a check for CVE-2014-0130: directory traversal for ruby on rails
13
+
10
14
  ## Version 1.1.2 - codename: Lightning McQueen (2014-04-22)
11
15
 
12
16
  * Adding a check for OSVDB-105971: remote code execution for sfpagent ruby gem
data/checksum/codesake-dawn-1.1.2.gem.sha512 ADDED
@@ -0,0 +1 @@
1
+ 393bc34a0e41fd18b8f49e1637c73fe84ef948efffdca9ebda9c476613cbc90941b8dc53eca09b55575b8c2276096d22178092df59cfefc569a1c9b4db9afb10
data/lib/codesake/dawn/kb/cve_2014_0130.rb ADDED
@@ -0,0 +1,28 @@
1
+ module Codesake
2
+ module Dawn
3
+ module Kb
4
+ # Automatically created with rake on 2014-05-06
5
+ class CVE_2014_0130
6
+ include DependencyCheck
7
+
8
+ def initialize
9
+ message = "The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server."
10
+ super({
11
+ :name=>"CVE-2014-0130",
12
+ :cvss=>"",
13
+ :release_date => Date.new(2014, 5, 6),
14
+ :cwe=>"",
15
+ :owasp=>"A9",
16
+ :applies=>["rails"],
17
+ :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
+ :message=>message,
19
+ :mitigation=>"Please upgrade rails version up to version 3.2.18, 4.0.5 or 4.1.1.",
20
+ :aux_links=>["https://groups.google.com/forum/#!msg/rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ"]
21
+ })
22
+ self.safe_dependencies = [{:name=>"rails", :version=>['3.2.18', '4.0.5', '4.1.1']}]
23
+
24
+ end
25
+ end
26
+ end
27
+ end
28
+ end
data/lib/codesake/dawn/knowledge_base.rb CHANGED
@@ -211,6 +211,7 @@ require "codesake/dawn/kb/cve_2014_0036"
211
211
  require "codesake/dawn/kb/cve_2014_0080"
212
212
  require "codesake/dawn/kb/cve_2014_0081"
213
213
  require "codesake/dawn/kb/cve_2014_0082"
214
+ require "codesake/dawn/kb/cve_2014_0130"
214
215
  require "codesake/dawn/kb/cve_2014_1233"
215
216
  require "codesake/dawn/kb/cve_2014_1234"
216
217
  require "codesake/dawn/kb/cve_2014_2322"
@@ -454,6 +455,7 @@ module Codesake
454
455
  Codesake::Dawn::Kb::CVE_2014_0080.new,
455
456
  Codesake::Dawn::Kb::CVE_2014_0081.new,
456
457
  Codesake::Dawn::Kb::CVE_2014_0082.new,
458
+ Codesake::Dawn::Kb::CVE_2014_0130.new,
457
459
  Codesake::Dawn::Kb::CVE_2014_1233.new,
458
460
  Codesake::Dawn::Kb::CVE_2014_1234.new,
459
461
  Codesake::Dawn::Kb::CVE_2014_2322.new,
data/lib/codesake/dawn/version.rb CHANGED
@@ -19,10 +19,10 @@ module Codesake
19
19
  # | "Luigi" | 7.0.0 |
20
20
  # | "Doc Hudson" | 8.0.0 |
21
21
 
22
- VERSION = "1.1.2"
22
+ VERSION = "1.1.3"
23
23
  CODENAME = "Lightning McQueen"
24
24
  # RELEASE = "(development)"
25
- RELEASE = "20140422"
25
+ RELEASE = "20140506"
26
26
 
27
27
  end
28
28
  end
data/spec/lib/dawn/codesake_knowledgebase_spec.rb CHANGED
@@ -893,4 +893,9 @@ end
893
893
  sc.class.should == Codesake::Dawn::Kb::OSVDB_105971
894
894
  end
895
895
 
896
+ it "must have test for CVE-2014-0130" do
897
+ sc = kb.find("CVE-2014-0130")
898
+ sc.should_not be_nil
899
+ sc.class.should == Codesake::Dawn::Kb::CVE_2014_0130
900
+ end
896
901
  end
data/spec/lib/kb/cve_2014_0130_spec.rb ADDED
@@ -0,0 +1,20 @@
1
+ require 'spec_helper'
2
+ describe "The CVE-2014-0130 vulnerability" do
3
+ before(:all) do
4
+ @check = Codesake::Dawn::Kb::CVE_2014_0130.new
5
+ # @check.debug = true
6
+ end
7
+ it "is reported when rails 4.1.0 is detected" do
8
+ @check.dependencies = [{:name=>"rails", :version=>'4.1.0'}]
9
+ @check.vuln?.should be_true
10
+ end
11
+ it "is reported when rails 4.0.4 is detected" do
12
+ @check.dependencies = [{:name=>"rails", :version=>'4.0.4'}]
13
+ @check.vuln?.should be_true
14
+ end
15
+ it "is reported when rails 3.2.17 is detected" do
16
+ @check.dependencies = [{:name=>"rails", :version=>'3.2.17'}]
17
+ @check.vuln?.should be_true
18
+ end
19
+ it "must be filled with CVSS information"
20
+ end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: codesake-dawn
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.2
4
+ version: 1.1.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Paolo Perego
@@ -30,7 +30,7 @@ cert_chain:
30
30
  Fh7BfxFDBZdj1mI2V+I+IYYMPKIouvwX3r7NTZgZ4TYuKVpOk9VSCxzhrPhnl4kb
31
31
  1LyVQIFlhF6nL0casp0ixer8N60=
32
32
  -----END CERTIFICATE-----
33
- date: 2014-04-22 00:00:00.000000000 Z
33
+ date: 2014-05-06 00:00:00.000000000 Z
34
34
  dependencies:
35
35
  - !ruby/object:Gem::Dependency
36
36
  name: codesake-commons
@@ -285,6 +285,7 @@ files:
285
285
  - checksum/codesake-dawn-1.1.0.gem.sha512
286
286
  - checksum/codesake-dawn-1.1.0.rc1.gem.sha512
287
287
  - checksum/codesake-dawn-1.1.1.gem.sha512
288
+ - checksum/codesake-dawn-1.1.2.gem.sha512
288
289
  - codesake-dawn.gemspec
289
290
  - doc/codesake-dawn.yaml.sample
290
291
  - doc/dawn_1_0_announcement.md
@@ -457,6 +458,7 @@ files:
457
458
  - lib/codesake/dawn/kb/cve_2014_0080.rb
458
459
  - lib/codesake/dawn/kb/cve_2014_0081.rb
459
460
  - lib/codesake/dawn/kb/cve_2014_0082.rb
461
+ - lib/codesake/dawn/kb/cve_2014_0130.rb
460
462
  - lib/codesake/dawn/kb/cve_2014_1233.rb
461
463
  - lib/codesake/dawn/kb/cve_2014_1234.rb
462
464
  - lib/codesake/dawn/kb/cve_2014_2322.rb
@@ -537,6 +539,7 @@ files:
537
539
  - spec/lib/kb/cve_2014_0080_spec.rb
538
540
  - spec/lib/kb/cve_2014_0081_spec.rb
539
541
  - spec/lib/kb/cve_2014_0082_spec.rb
542
+ - spec/lib/kb/cve_2014_0130_spec.rb
540
543
  - spec/lib/kb/cve_2014_1233_spec.rb
541
544
  - spec/lib/kb/cve_2014_1234_spec.rb
542
545
  - spec/lib/kb/cve_2014_2322_spec.rb
@@ -627,6 +630,7 @@ test_files:
627
630
  - spec/lib/kb/cve_2014_0080_spec.rb
628
631
  - spec/lib/kb/cve_2014_0081_spec.rb
629
632
  - spec/lib/kb/cve_2014_0082_spec.rb
633
+ - spec/lib/kb/cve_2014_0130_spec.rb
630
634
  - spec/lib/kb/cve_2014_1233_spec.rb
631
635
  - spec/lib/kb/cve_2014_1234_spec.rb
632
636
  - spec/lib/kb/cve_2014_2322_spec.rb
metadata.gz.sig CHANGED
@@ -1 +1 @@
1
- _���jJ2*t � �*/8"8" ���ͬ���c����k�m��l� O��3jdΏ�f ����cM9�bC0s��G�r�9���R�^��MdQ�J���S`Z�(���Wtl��W�Gw���9':%2�~���D�Sg��^yr'��ߔEԑ7t��I�ܜ_�@��#�������C�s���c�Ξ���K;Ћlf`亘7�Y<U`�YXS���zW��ퟟ��Կ�}�@�f�$�\�
1
+ SIC��/[�--�vB[���#�-��Î���B$W����1��c4N���q��Eeg�^Q�:��`�� ��.䝕@AuTEE�ϔxo���Ӿ)- "+�yM�mؘN!�|NH��j-h6(�����vɃ�*�!'OjzjFX;f�����T��u���#������9�1��4���� $?Ǡտ¯��_tܝ��I"a,��y�·o�P%�v_rG�:?m:��h��`��62ݨ�4�϶�