RubyGems - codesake - Versions diffs - 0.0.1 → 0.15.1 - Mend

codesake 0.0.1 → 0.15.1

Files changed (30) hide show

data/.gitignore +2 -0
data/History.md +40 -0
data/README.md +25 -3
data/Rakefile +22 -2
data/bin/codesake +36 -0
data/codesake.gemspec +3 -0
data/features/codesake_complains_if_missing_target.feature +8 -0
data/features/codesake_process_jsp_file.feature +88 -0
data/features/codesake_process_text_file.feature +23 -0
data/features/step_definition/codesake_steps.rb +164 -0
data/features/support/env.rb +1 -0
data/lib/codesake.rb +8 -3
data/lib/codesake/cli.rb +90 -0
data/lib/codesake/engine/core.rb +10 -0
data/lib/codesake/engine/generic.rb +12 -0
data/lib/codesake/engine/jsp.rb +165 -0
data/lib/codesake/engine/text.rb +36 -0
data/lib/codesake/kernel.rb +39 -0
data/lib/codesake/utils/files.rb +25 -0
data/lib/codesake/utils/secrets.rb +45 -0
data/lib/codesake/version.rb +2 -1
data/spec/cli_spec.rb +65 -0
data/spec/engine_core_spec.rb +45 -0
data/spec/file_utils_spec.rb +59 -0
data/spec/jsp_engine_spec.rb +114 -0
data/spec/kernel_spec.rb +63 -0
data/spec/secrets_utils_spec.rb +79 -0
data/spec/spec_helper.rb +3 -0
data/spec/text_engine_spec.rb +72 -0
metadata +92 -3

@@ -1,3 +1,4 @@
 module Codesake
-  VERSION = "0.0.1"
+  VERSION   = "0.15.1"
+  CODENAME  = "BluePint"
 end

data/spec/cli_spec.rb ADDED

@@ -0,0 +1,65 @@
+require 'spec_helper'
+describe "codesake command line interface" do
+  before(:all) do
+    @cli = Codesake::Cli.new
+  end
+  it "has a parse method" do
+    @cli.should respond_to(:parse)
+  end
+  it "returns an empty has if no command line is given" do
+    @cli.parse(nil).should    == {:vulnerabilities=>:all}
+    @cli.parse("").should     == {:vulnerabilities=>:all}
+  end
+  it "understands --version flag" do
+    @cli.parse("--version").should == {:version=>true, :vulnerabilities=>:all}
+  end
+  it "understands --output flag" do
+    @cli.parse("-o file").should  ==  {:output=>:file, :vulnerabilities=>:all}
+    @cli.parse("-o json").should  ==  {:output=>:json, :vulnerabilities=>:all}
+    @cli.parse("-o db").should    ==  {:output=>:db, :vulnerabilities=>:all}
+  end
+  it "understands --verbose flag" do
+    @cli.parse("--verbose").should  == {:verbose=>true, :vulnerabilities=>:all}
+    @cli.parse("-V").should         == {:verbose=>true, :vulnerabilities=>:all}
+  end
+  it "saves targets" do
+    @cli.parse("file1")
+    @cli.targets.should        == [{:target=>"file1", :valid=>false}]
+    @cli.parse("file1 file2")
+    @cli.targets.should  == [{:target=>"file1", :valid=>false}, {:target=>"file2", :valid=>false}]
+    @cli.parse("Gemfile")
+    @cli.targets.should      == [{:target=>"Gemfile", :valid=>true}]
+  end
+  it "the target should be either a file or a directory" do
+    @cli.is_good_target?("Gemfile").should  be_true
+    @cli.is_good_target?("file1").should    be_false
+  end
+  it "must produce a non nil option Hash" do
+    @cli.parse("").should_not           be_nil
+    @cli.parse("-nonsense").should_not  be_nil
+    @cli.parse("-v -h").should_not      be_nil
+    @cli.parse("-j drift").should_not   be_nil
+  end
+  it "understand --keys flag" do
+    ret = {:keywords => ["a","b","c"], :vulnerabilities=>:all}
+    @cli.parse("-k a,b,c").should == ret
+  end
+  it "understand --all-vulnerabilities" do
+    ret = {:vulnerabilities=>:all}
+    @cli.parse("-A").should == ret
+  end
+  it "understand --confirmed-vulnerabilities" do
+    ret = {:vulnerabilities=>:confirmed}
+    @cli.parse("-C").should == ret
+  end
+end

data/spec/engine_core_spec.rb ADDED

@@ -0,0 +1,45 @@
+require 'spec_helper'
+dummy_text = <<EOT
+This is a text
+This is a text
+This is a text
+This is a text
+secret
+This is a text
+This is a text
+This is a text
+EOT
+class Test
+  include Codesake::Utils::Files
+  include Codesake::Engine::Core
+end
+shared_examples_for Codesake::Engine::Core do
+  before(:all) do
+    @mock = Test.new
+    File.open("test_secrets.txt", "w") do |f|
+        f.puts(dummy_text)
+      end
+    @mock.filename="test_secrets.txt"
+    @mock.read_file
+  end
+  after(:all) do
+    File.delete("test_secrets.txt")
+  end
+  it "provide an analyse method" do
+    @mock.should    respond_to(:analyse)
+  end
+  context "has an analyse method returning an empty array if the input is" do
+    it "null" do
+      @mock.analyse.class.should  == Array
+      @mock.analyse.should  be_empty
+    end
+  end
+end

data/spec/file_utils_spec.rb ADDED

@@ -0,0 +1,59 @@
+require 'spec_helper'
+dummy_text = <<EOT
+This is a text
+This is a text
+This is a text
+This is a text
+EOT
+class Test
+  include Codesake::Utils::Files
+end
+shared_examples_for Codesake::Utils::Files do
+    before(:all) do
+      @mock = Test.new
+      File.open("test_utils.txt", "w") do |f|
+        f.puts(dummy_text)
+      end
+    end
+    after(:all) do
+      File.delete("test_utils.txt")
+    end
+    ## Reading the file
+    it "has a read_file method" do
+      @mock.should respond_to(:read_file)
+    end
+    it "complains if we request to read a non existing file" do
+      @mock.filename = "test"
+      @mock.read_file.should be_false
+      @mock.file_content.should be_empty
+    end
+    it "read an existing file" do
+      @mock.filename = "test_utils.txt"
+      @mock.read_file.should be_true
+      @mock.file_content.should_not be_empty
+    end
+    it "has a loc method" do
+      @mock.should respond_to(:loc)
+    end
+    it "has a lines method" do
+      @mock.should respond_to(:lines)
+    end
+    it "has a lines_of_comment method" do
+      @mock.should respond_to(:lines_of_comment)
+    end
+  end

data/spec/jsp_engine_spec.rb ADDED

@@ -0,0 +1,114 @@
+require 'spec_helper'
+jsp_content =<<EOS
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+    pageEncoding="ISO-8859-1"%>
+<%@page import="com.codesake.test"%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<link rel="stylesheet" type="text/CSS" href="<%=request.getContextPath()%>/css/style.css" />
+<title>Hello World</title>
+<script type="text/javascript">
+	function confirmSubmit(name) {
+		return alert("test here'"+ cacheName +"'");
+	}
+	</script>
+</head>
+<body>
+<div id="header">
+<h1>Hello World</h1>
+<a href="<%=request.getContextPath()%>/jsp/link1.jsp">Link 1</a>
+<a href="<%=request.getContextPath()%>/jsp/link2.jsp">Link 2</a>
+<a href="<%=request.getContextPath()%>/jsp/link3.jsp">Link 3</a>
+<a href="<%=request.getContextPath()%>/jsp/link4.jsp">Link 4</a>
+<a href="<%=request.getContextPath()%>/servlet">servlet</a>
+</div>
+<%
+ String message = (String) request.getAttribute("message");
+ if(message != null)
+ {
+%>
+<h4 id="message"><%=message%></h4>
+<% }
+else
+{
+ %>
+ <h4 id="message"></h4>
+<% } %>
+<div id="content">
+<form action="<%=request.getContextPath()%>/postHandler" method="post">
+<label for="message">message:</label>
+<input type="text" name="message" id="message" size="40" value="<%=request.getLocalName()%>"  />
+<input type="submit" value="submit" onclick="javascript: return confirmSubmit('Clienti');" />
+</form>
+</div>
+<%
+    Cookie c = new Cookie("name", "a_value")
+    Cookie cc = new Cookie("second", 12)
+%>
+</body>
+EOS
+describe Codesake::Engine::Jsp do
+  before(:all) do
+    File.open("test.jsp", "w") do |f|
+      f.write(jsp_content)
+    end
+    @jsp = Codesake::Engine::Jsp.new("test.jsp", {})
+    @jsp.analyse
+  end
+  after(:all) do
+    File.delete("test.jsp") if File.exists?("test.jsp")
+  end
+  it_behaves_like Codesake::Utils::Files
+  # it_behaves_like Codesake::Utils::Secrets
+  it_behaves_like Codesake::Engine::Core
+  it "takes a filename as input" do
+    @jsp.filename.should_not be_nil
+    @jsp.filename.should_not be_empty
+  end
+  it "analyses a jsp for imported packages" do
+    expected_result = [{:package=>"com.codesake.test", :line=>3}]
+    @jsp.imports.should == expected_result
+  end
+  it "analyses a jsp file for attack entrypoints" do
+    expected_result = [{:line=>32, :param=>"message", :var=>"message"}]
+    @jsp.attack_entrypoints.should == expected_result
+  end
+  it "analyses a jsp file for reflected variables" do
+    expected_result = [{:line=>8, :var=>"request.getContextPath()", :false_positive=>true},
+      {:line=>24, :var=>"request.getContextPath()", :false_positive=>true},
+      {:line=>25, :var=>"request.getContextPath()", :false_positive=>true},
+      {:line=>26, :var=>"request.getContextPath()", :false_positive=>true},
+      {:line=>27, :var=>"request.getContextPath()", :false_positive=>true},
+      {:line=>28, :var=>"request.getContextPath()", :false_positive=>true},
+      {:line=>36, :var=>"message", :false_positive=>false},
+      {:line=>44, :var=>"request.getContextPath()", :false_positive=>true},
+      {:line=>46, :var=>"request.getLocalName()", :false_positive=>true}
+    ]
+    @jsp.reflected_xss.should == expected_result
+  end
+ it "analyses a jsp file for cookies" do
+   expected_result = [{:line=>51, :name=>"name", :value=>"a_value", :var=>"c"}, {:line=>52, :name=>"second", :value=>"12", :var=>"cc"}]
+   @jsp.cookies.should == expected_result
+ end
+end

data/spec/kernel_spec.rb ADDED

@@ -0,0 +1,63 @@
+require 'spec_helper'
+describe Codesake::Kernel do
+  before(:all) do
+    @kernel = Codesake::Kernel.instance
+  end
+  it "has a choose_engine method" do
+    @kernel.should  respond_to(:choose_engine)
+  end
+  it "has a detect method" do
+    @kernel.should  respond_to(:detect)
+  end
+  it "detects a text file from its extension" do
+    @kernel.detect("Gemfile").should == Codesake::Kernel::TEXT
+    @kernel.detect("foo.txt").should == Codesake::Kernel::TEXT
+  end
+  it "detects a jsp file from its extension" do
+    @kernel.detect("test.jsp").should == Codesake::Kernel::JSP
+  end
+  #
+  # TODO: I plan to add specialized engines for those languages before
+  # reaching 1.0 - 20121211
+  #
+  it "detects a java file from its extension"
+  it "detects a c file from its extension"
+  it "detects a shell script from its extension"
+  it "detects an html file from its extension"
+  it "detects an haml file from its extension"
+  it "detects a markdown file from its extension"
+  it "detects a ruby file from its extension"
+  it "detects a php file from its extension"
+  it "detects a js file from its extension"
+  it "detects a perl file from its extension"
+  # Engine choosing tests
+  it "chooses Codesake::Engine::Text for a text file" do
+    @kernel.choose_engine("a_text_file", {}).class.should   == Codesake::Engine::Text
+  end
+  it "chooses Codesake::Engine::Jsp for a jsp file" do
+    @kernel.choose_engine("test.jsp", {}).class.should  == Codesake::Engine::Jsp
+  end
+  it "chooses Codesake::Engine::Java for a java file"
+  it "chooses Codesake::Engine::Text for a c file"
+  it "chooses Codesake::Engine::Text for a shell script"
+  it "chooses Codesake::Engine::Text for a html file"
+  it "chooses Codesake::Engine::Text for a haml file"
+  it "chooses Codesake::Engine::Text for a markdown file"
+  it "chooses Codesake::Engine::Text for a ruby file"
+  it "chooses Codesake::Engine::Text for a php file"
+  it "chooses Codesake::Engine::Text for a js file"
+  it "chooses Codesake::Engine::Text for a perl file"
+end

data/spec/secrets_utils_spec.rb ADDED

@@ -0,0 +1,79 @@
+require 'spec_helper'
+dummy_text = <<EOT
+This is a text
+This is a text
+This is a text
+This is a text
+secret
+This is a text
+This is a text
+This is a text
+EOT
+class Test
+  include Codesake::Utils::Files
+  include Codesake::Utils::Secrets
+end
+shared_examples_for Codesake::Utils::Secrets do
+  before(:all) do
+    @mock = Test.new
+    File.open("test_secrets.txt", "w") do |f|
+        f.puts(dummy_text)
+      end
+    @mock.filename="test_secrets.txt"
+    @mock.read_file
+  end
+  after(:all) do
+    File.delete("test_secrets.txt")
+  end
+  context "has a list of reserved words containing" do
+    it "password" do
+      @mock.reserved?("password").should be_true
+    end
+    it "username" do
+      @mock.reserved?("username").should be_true
+    end
+    it "login" do
+      @mock.reserved?("login").should be_true
+    end
+    it "fixme" do
+      @mock.reserved?("fixme").should be_true
+    end
+    it "xxx" do
+      @mock.reserved?("xxx").should be_true
+    end
+    it "fix" do
+      @mock.reserved?("fix").should be_true
+    end
+  end
+  it "let user add a reserver word" do
+    @mock.reserved?("foo").should be_false
+    @mock.add("foo")
+    @mock.reserved?("foo").should be_true
+  end
+  context "has a find method" do
+    it "that is public" do
+      @mock.should  respond_to(:find_reserved_keywords)
+    end
+    it "returns an empty array if 'secret' is not a reserved word in the example source" do
+      @mock.secrets=["noodle", "compain", "foo"]
+      @mock.find_reserved_keywords.should be_empty
+    end
+    it "returns true if 'secret' is a reserved word in the example source" do
+      @mock.secrets=["secret"]
+      @mock.find_reserved_keywords.should == [{:line=>5, :matcher=>"secret"}]
+    end
+  end
+end

data/spec/spec_helper.rb CHANGED

@@ -1 +1,4 @@
+require 'simplecov'
+SimpleCov.start
 require 'codesake'

data/spec/text_engine_spec.rb ADDED

@@ -0,0 +1,72 @@
+require 'spec_helper'
+lorem_ipsum = <<EOS
+Lorem ipsum dolor sit amet, secret consectetuer adipiscing elit, sed diam nonummy nibh
+euismod tincidunt ut laoreet dolore magna aliquam erat volutpat. Ut wisi enim
+ad minim veniam, quis nostrud secret exerci tation ullamcorper suscipit lobortis nisl
+ut aliquip ex ea commodo consequat. Duis splople autem vel eum iriure dolor in
+hendrerit in vulputate velit esse secret molestie consequat, vel illum dolore eu
+feugiat nulla facilisis at vero eros et accumsan et iusto odio dignissim qui
+blandit praesent luptatum zzril password delenit augue duis dolore te feugait nulla
+facilisi.
+Pellentesque at dolor non lectus sagittis semper. Donec quis mi. Duis eget
+pede. Phasellus arcu tellus, ultricies id, consequat id, lobortis nec, diam.
+Suspendisse sed nunc. Pellentesque id magna. Morbi interdum quam at est.
+Maecenas eleifend mi in urna. Praesent et lectus ac nibh luctus viverra. In vel
+dolor sed nibh sollicitudin tincidunt. Ut consequat nisi sit amet nibh. Nunc mi
+tortor, tristique sit amet, rhoncus porta, malesuada elementum, nisi. Integer
+vitae enim quis risus aliquet gravida. Curabitur vel lorem vel erat dapibus
+lobortis. Donec dignissim tellus at arcu. Quisque molestie pulvinar sem.
+Nulla magna neque, ullamcorper tempus, luctus eget, malesuada ut, velit. Morbi
+felis. Praesent in purus at ipsum cursus posuere. Morbi bibendum facilisis
+eros. Phasellus aliquam sapien in erat. Praesent venenatis diam dignissim dui.
+Praesent risus erat, iaculis ac, dapibus sed, imperdiet ac, erat. Nullam sed
+ipsum. Phasellus non dolor. Donec ut elit.
+EOS
+describe Codesake::Engine::Text do
+  before(:all) do
+    File.open("lorem.txt", "w") do |f|
+      f.write(lorem_ipsum)
+    end
+    @text = Codesake::Engine::Text.new("lorem.txt")
+  end
+  after(:all) do
+    File.delete("lorem.txt") if File.exists?("lorem.txt")
+  end
+  it_behaves_like Codesake::Utils::Files
+  it_behaves_like Codesake::Utils::Secrets
+  it_behaves_like Codesake::Engine::Core
+  it "takes a filename as input" do
+    @text.filename.should_not be_nil
+    @text.filename.should_not be_empty
+  end
+  context "has a is_txt? method" do
+    it "and this method is public" do
+      Codesake::Engine::Text.should respond_to(:is_txt?)
+    end
+    it "returns false if file extension is not .txt" do
+      Codesake::Engine::Text.is_txt?("text.jsp").should   be_false
+    end
+    it "returns true if file extension is .txt" do
+      Codesake::Engine::Text.is_txt?("text.txt").should   be_true
+    end
+  end
+  it "analyse the file for reserved words" do
+    # secret @1, 3, 5
+    # password @7
+    expected_result = [{:line=>1, :matcher=>"secret"}, {:line=>3, :matcher=>"secret"}, {:line=>5, :matcher=>"secret"}, {:line=>7, :matcher=>"password"}]
+    @text.analyse.should_not  be_nil
+    @text.reserved_keywords.size.should == 4
+    @text.reserved_keywords.should == expected_result
+  end
+end