codesake 0.0.1 → 0.15.1

data/.gitignore

@@ -1,3 +1,5 @@
+coverage/
+tmp/
 *.swp
 *.gem
 *.rbc

data/History.md

@@ -0,0 +1,40 @@
+
+0.15.1 / 2012-12-20 
+==================
+
+  * v0.15.1 for fixing typo
+  * Add History
+
+0.15.0 / 2012-12-20 
+==================
+
+  * Improved -h output
+  * Jsp engine is now able to detect cookies in Jsp files...
+  * Adding -A, -C flag and the reflected xss scanning support
+  * Jsp files are scanned for secrets, import packages and attack entrypoints
+  * Added coverage e tmp
+  * Added cucumber for Jsp Engine
+  * First Codesake::Engine::Jsp scanning for imported packages
+  * Text processing output is green
+  * Working on analyse
+  * Added a Codesake::Engine::Core for all engine facilities
+  * Typo in test text
+  * Scenario from text file processing
+  * Improving scenario for text processing output
+  * Codesake::Engine::Text.is_txt? is now a class method
+  * Added a Codesake::Engine::Generic scanning engine Added some routine in Codesake::Kernel to detect a text file and choose the correct engine Add integration test for text file processing
+  * Adding Codesake::Kernel
+  * First cucumber scenario green. codesake now it's tested for missing target
+  * Adding cucumber and aruba
+  * Add a loop in the binary script...
+  * Changed Codesake::Cli for target building... now in a separate Hash
+  * v0.10
+  * All CLI checks are green now
+  * CLI parser improvements
+  * Changed scan to parse method name
+  * Fixed typo in test
+  * Now there is a Codesake::Utils::Secrets
+  * Working on secrests
+  * Text generic engine includes Secrets module
+  * refactoring and TDD utils, secrets and text generic engine
+  * Working defining TDD tests

data/README.md

@@ -1,6 +1,11 @@
-# Codesake
+# codesake
 
-TODO: Write a gem description
+codesake is a security source code scanning engine. It's used as core engine in
+[codesake.com](http://codesake.cokm) application security portal with a closed
+knowledge base inside the web application itself.
+
+codesake gem can be used in a security source code review to scan sources with
+regular expressions in order to detect insecure software patterns.
 
 ## Installation
 
@@ -18,7 +23,24 @@ Or install it yourself as:
 
 ## Usage
 
-TODO: Write usage instructions here
+To run codesake over a single file or a directory you simply specify the target
+name as parameter on command line.
+
+If you want to review a ruby source file named file1.rb, your command line will
+be:
+
+  $ codesake file1.rb
+
+
+## Known limitations
+
+Known limitation for version 0.1x are:
+
+* Only JSP, Plain text files are analysed
+* If target is a directory or a glob file expression codesake will understand
+  it but it doesn't expand the file list
+* codesake will use only stdout, stderr for output purposes
+
 
 ## Contributing
 

data/Rakefile

@@ -1,7 +1,27 @@
 require "bundler/gem_tasks"
 require "rspec/core/rake_task"
 
-RSpec::Core::RakeTask.new
+require 'cucumber'
+require 'cucumber/rake/task'
 
-task :default => :spec
+Cucumber::Rake::Task.new(:features) do |t|
+  t.cucumber_opts = "features --format pretty -x"
+  t.fork = false
+end
+
+RSpec::Core::RakeTask.new do |t| 
+  t.rspec_opts = ["--color"]
+end
+
+task :default => [ :spec, :features ]
 task :test => :spec
+
+
+# namespace :spec do
+#   desc "Run specs with RCov" 
+#   RSpec::Core::RakeTask.new('simplecov') do |t|
+#     t.pattern = 'spec/**/*_spec.rb'
+#     t.simplecov = true
+#     t.simplecov_opts = ['--exclude', '\\/Library\\/Ruby']
+#   end 
+# end

data/bin/codesake

@@ -0,0 +1,36 @@
+#!/usr/bin/env ruby
+# encoding: UTF-8 
+
+require 'codesake'
+require 'rainbow'
+
+trap("INT") { puts '['+'INTERRUPTED'.color(:red)+']'; exit -1 }
+
+
+cli = Codesake::Cli.new
+kernel = Codesake::Kernel.instance
+
+options=cli.parse(ARGV)
+puts "codesake v#{Codesake::VERSION} - (C) 2012 - paolo@armoredcode.com".color(:white) unless options[:version]
+abort("codesake v#{Codesake::VERSION}") if options[:version]
+abort("codesake: #{cli.error_message}".color(:red)) if cli.has_errors?
+abort("codesake: missing targets".color(:red)) if cli.targets.nil?
+
+cli.targets.each do |target|
+  puts "processing #{target[:target]}" if target[:valid]
+  $stderr.puts "can't find #{target[:target]}".color(:red) if ! target[:valid]
+
+  engine = kernel.choose_engine(target[:target], options)
+  if ! options[:keywords].nil?
+    options[:keywords].each do |key|
+      engine.add(key)
+    end
+  end
+
+
+  results = engine.analyse
+  results.each do |res|
+    $stdout.puts "#{res}"
+  end
+end
+

data/codesake.gemspec

@@ -22,5 +22,8 @@ Gem::Specification.new do |gem|
   gem.add_dependency('rainbow')
 
   gem.add_development_dependency('rake')
+  gem.add_development_dependency('tomdoc')
   gem.add_development_dependency('rspec')
+  gem.add_development_dependency('aruba')
+  gem.add_development_dependency('simplecov')
 end

data/features/codesake_complains_if_missing_target.feature

@@ -0,0 +1,8 @@
+Feature: codesake complains if targets are missing
+  When executed codesake needs one or more target to analyse
+
+  Scenario: codesake complains if targets are missing
+    #Given an empty command line
+    When I run `bundle exec codesake`
+    Then the stderr should contain "missing targets"
+

data/features/codesake_process_jsp_file.feature

@@ -0,0 +1,88 @@
+@WORK_IN_PROGRESS
+Feature: codesake process a jsp page
+  When a Jsp file is given as input, codesake analyses it with the
+  Codesake::Engine::Jsp engine for security issues.
+
+  When a Jsp file is analyzed the following information will be gathered:
+  * imported packages
+  * variable read from requests
+  * cookies created
+  * reserved keywords
+
+  Scenario:  the file doesn't exists and codesake gives an error message
+    Given the file "/tmp/test.jsp" doesn't exist
+    When I successfully run `bundle exec codesake /tmp/test.jsp`
+    Then the stderr should contain "can't find /tmp/test.jsp"
+
+  Scenario: the file exists and codesake says it's going to process it
+    Given the jsp file "/tmp/existing.jsp" does exist
+    When I successfully run `bundle exec codesake /tmp/existing.jsp`
+    Then the stdout should contain "processing /tmp/existing.jsp"
+
+  Scenario: codesake processing the file finds the "request" keyword we threat as reserved
+    Given the jsp file "/tmp/existing.jsp" does exist
+    And we add "request" as reserved word
+    When I successfully run `bundle exec codesake /tmp/existing.jsp --add-keys request` 
+    Then the stdout should contain "reserved keyword found: "request" (/tmp/existing.jsp@8)"
+    And the stdout should contain "reserved keyword found: "request" (/tmp/existing.jsp@24)"
+    And the stdout should contain "reserved keyword found: "request" (/tmp/existing.jsp@25)"
+    And the stdout should contain "reserved keyword found: "request" (/tmp/existing.jsp@26)"
+    And the stdout should contain "reserved keyword found: "request" (/tmp/existing.jsp@27)"
+    And the stdout should contain "reserved keyword found: "request" (/tmp/existing.jsp@28)"
+    And the stdout should contain "reserved keyword found: "request" (/tmp/existing.jsp@32)"
+    And the stdout should contain "reserved keyword found: "request" (/tmp/existing.jsp@44)"
+    And the stdout should contain "reserved keyword found: "request" (/tmp/existing.jsp@46)"
+
+  Scenario: codesake processing the file finds the imported packages
+    Given the jsp file "/tmp/existing.jsp" does exist
+    When I successfully run `bundle exec codesake /tmp/existing.jsp`
+    Then the stdout should contain "imported package found: \"com.codesake.test\""
+
+  Scenario: codesake processing the file finds attack entrypoints
+    Given the jsp file "/tmp/existing.jsp" does exist
+    When I successfully run `bundle exec codesake /tmp/existing.jsp`
+    Then the stdout should contain "attack entrypoint found: parameter \"message\" stored in \"message\" (/tmp/existing.jsp@32)"
+
+  Scenario: codesake processing the file finds potential reflected xss and it shows also suspiscious results
+    Given the jsp file "/tmp/existing.jsp" does exist
+    When I successfully run `bundle exec codesake /tmp/existing.jsp --all-vulnerabilities` 
+    Then the stdout should contain "suspicious reflected xss found: "request.getContextPath()" (/tmp/existing.jsp@8)"
+    And the stdout should contain "suspicious reflected xss found: "request.getContextPath()" (/tmp/existing.jsp@24)"
+    And the stdout should contain "suspicious reflected xss found: "request.getContextPath()" (/tmp/existing.jsp@25)"
+    And the stdout should contain "suspicious reflected xss found: "request.getContextPath()" (/tmp/existing.jsp@26)"
+    And the stdout should contain "suspicious reflected xss found: "request.getContextPath()" (/tmp/existing.jsp@27)"
+    And the stdout should contain "suspicious reflected xss found: "request.getContextPath()" (/tmp/existing.jsp@28)"
+    And the stdout should contain "reflected xss found: "message" (/tmp/existing.jsp@36)"
+    And the stdout should contain "suspicious reflected xss found: "request.getContextPath()" (/tmp/existing.jsp@44)"
+    And the stdout should contain "suspicious reflected xss found: "request.getLocalName()" (/tmp/existing.jsp@46)"
+
+  Scenario: codesake processing the file finds potential reflected xss and it shows also suspiscious results (as default behaviour)
+    Given the jsp file "/tmp/existing.jsp" does exist
+    When I successfully run `bundle exec codesake /tmp/existing.jsp` 
+    Then the stdout should contain "suspicious reflected xss found: "request.getContextPath()" (/tmp/existing.jsp@8)"
+    And the stdout should contain "suspicious reflected xss found: "request.getContextPath()" (/tmp/existing.jsp@24)"
+    And the stdout should contain "suspicious reflected xss found: "request.getContextPath()" (/tmp/existing.jsp@25)"
+    And the stdout should contain "suspicious reflected xss found: "request.getContextPath()" (/tmp/existing.jsp@26)"
+    And the stdout should contain "suspicious reflected xss found: "request.getContextPath()" (/tmp/existing.jsp@27)"
+    And the stdout should contain "suspicious reflected xss found: "request.getContextPath()" (/tmp/existing.jsp@28)"
+    And the stdout should contain "reflected xss found: "message" (/tmp/existing.jsp@36)"
+    And the stdout should contain "suspicious reflected xss found: "request.getContextPath()" (/tmp/existing.jsp@44)"
+    And the stdout should contain "suspicious reflected xss found: "request.getLocalName()" (/tmp/existing.jsp@46)"
+
+
+
+  Scenario: codesake processing the file finds potential reflected xss and it shows only confirmed results
+    Given the jsp file "/tmp/existing.jsp" does exist
+    When I successfully run `bundle exec codesake /tmp/existing.jsp --confirmed-vulnerabilities` 
+    Then the stdout should contain "reflected xss found: "message" (/tmp/existing.jsp@36)"
+
+  Scenario: codesake processing the file finds cookies that are created by the page
+    Given the jsp file "/tmp/existing.jsp" with cookies does exist
+    When I successfully run `bundle exec codesake /tmp/existing.jsp` 
+    Then the stdout should contain "cookie \"name\" found with value: \"a_value\" (/tmp/existing.jsp@51)"
+    And the stdout should contain "cookie \"second\" found with value: \"12\" (/tmp/existing.jsp@52)"
+
+
+
+
+ 

data/features/codesake_process_text_file.feature

@@ -0,0 +1,23 @@
+Feature: codesake process a plain text file
+  When a text file is given as input, codesake analyses it with the
+  Codesake::Engine::Text engine looking for reserved words.
+
+  The idea is that some sort of secrets are stored in documentation or text
+  files in the sources.
+
+  Scenario: the file doesn't exists and codesake gives an error message
+    Given the file "/tmp/test.txt" doesn't exist
+    When I successfully run `bundle exec codesake /tmp/test.txt`
+    Then the stderr should contain "can't find /tmp/test.txt"
+
+  Scenario: the file exists and codesake says it's going to process it
+    Given the text file "/tmp/existing.txt" does exist
+    When I successfully run `bundle exec codesake /tmp/existing.txt`
+    Then the stdout should contain "processing /tmp/existing.txt"
+
+  Scenario: the file exists and codesake says it contains a secrets word
+    Given the text file "/tmp/secrets.txt" does exist
+    When I successfully run `bundle exec codesake /tmp/secrets.txt`
+    Then the stdout should contain "reserved keyword found: "password" (/tmp/secrets.txt@5)"
+    And the stdout should contain "reserved keyword found: "secret" (/tmp/secrets.txt@17)"
+    And the stdout should contain "reserved keyword found: "password" (/tmp/secrets.txt@21)"

data/features/step_definition/codesake_steps.rb

@@ -0,0 +1,164 @@
+Given /^the file "([^"]*)" doesn't exist$/ do |file|
+  FileUtils.rm(file) if File.exists?(file)
+end
+
+Given /^the jsp file "(.*?)" does exist$/ do |file|
+jsp_content =<<EOS
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+    pageEncoding="ISO-8859-1"%>
+<%@page import="com.codesake.test"%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<link rel="stylesheet" type="text/CSS" href="<%=request.getContextPath()%>/css/style.css" />
+<title>Hello World</title>
+
+<script type="text/javascript">
+	function confirmSubmit(name) {
+		return alert("test here'"+ cacheName +"'");
+	}
+	
+	</script>
+	
+</head>
+<body>
+
+<div id="header">
+<h1>Hello World</h1>
+
+<a href="<%=request.getContextPath()%>/jsp/link1.jsp">Link 1</a>
+<a href="<%=request.getContextPath()%>/jsp/link2.jsp">Link 2</a>
+<a href="<%=request.getContextPath()%>/jsp/link3.jsp">Link 3</a>
+<a href="<%=request.getContextPath()%>/jsp/link4.jsp">Link 4</a>
+<a href="<%=request.getContextPath()%>/servlet">servlet</a>
+</div>
+
+<%
+ String message = (String) request.getAttribute("message");
+ if(message != null)
+ {
+%>
+<h4 id="message"><%=message%></h4>
+<% }
+else
+{
+ %>
+ <h4 id="message"></h4>
+<% } %>
+<div id="content">
+<form action="<%=request.getContextPath()%>/postHandler" method="post">
+<label for="message">message:</label>
+<input type="text" name="message" id="message" size="40" value="<%=request.getLocalName()%>"  />
+<input type="submit" value="submit" onclick="javascript: return confirmSubmit('Clienti');" />
+</form>
+</div>
+</body>
+EOS
+
+FileUtils.rm(file) if File.exists?(file)
+File.open(file, "w") do |f|
+  f.write(jsp_content)
+end
+
+end
+
+Given /^we add "(.*?)" as reserved word$/ do |key|
+  @keywords = key
+end
+
+Given /^the text file "([^"]*)" does exist$/ do |file|
+  FileUtils.rm(file) if File.exists?(file)
+lorem_ipsum = <<EOS
+Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh
+euismod tincidunt ut laoreet dolore magna aliquam erat volutpat. Ut wisi enim
+ad minim veniam, quis nostrud exerci tation ullamcorper suscipit lobortis nisl
+ut aliquip ex ea commodo consequat. Duis splople autem vel eum iriure dolor in
+hendrerit in vulputate velit esse password molestie consequat, vel illum dolore eu
+feugiat nulla facilisis at vero eros et accumsan et iusto odio dignissim qui
+blandit praesent luptatum zzril delenit augue duis dolore te feugait nulla
+facilisi.
+
+Pellentesque at dolor non lectus sagittis semper. Donec quis mi. Duis eget
+pede. Phasellus arcu tellus, ultricies id, consequat id, lobortis nec, diam.
+Suspendisse sed nunc. Pellentesque id magna. Morbi interdum quam at est.
+Maecenas eleifend mi in urna. Praesent et lectus ac nibh luctus viverra. In vel
+dolor sed nibh sollicitudin tincidunt. Ut consequat nisi sit amet nibh. Nunc mi
+tortor, tristique sit amet, rhoncus porta, malesuada elementum, nisi. Integer
+vitae enim quis risus aliquet gravida. Curabitur vel lorem vel erat dapibus
+lobortis. Donec secret dignissim tellus at arcu. Quisque molestie pulvinar sem.
+
+Nulla magna neque, ullamcorper tempus, luctus eget, malesuada ut, velit. Morbi
+felis. Praesent in purus at ipsum cursus posuere. Morbi bibendum facilisis
+eros. Phasellus aliquam password sapien in erat. Praesent venenatis diam dignissim dui.
+Praesent risus erat, iaculis ac, dapibus sed, imperdiet ac, erat. Nullam sed
+ipsum. Phasellus non dolor. Donec ut elit.
+EOS
+
+  File.open(file, "w") do |f|
+    f.write(lorem_ipsum)
+  end
+end
+
+Given /^the jsp file "(.*?)" with cookies does exist$/ do |file|
+
+jsp_content =<<EOS
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+    pageEncoding="ISO-8859-1"%>
+<%@page import="com.codesake.test"%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<link rel="stylesheet" type="text/CSS" href="<%=request.getContextPath()%>/css/style.css" />
+<title>Hello World</title>
+
+<script type="text/javascript">
+	function confirmSubmit(name) {
+		return alert("test here'"+ cacheName +"'");
+	}
+	
+	</script>
+	
+</head>
+<body>
+
+<div id="header">
+<h1>Hello World</h1>
+
+<a href="<%=request.getContextPath()%>/jsp/link1.jsp">Link 1</a>
+<a href="<%=request.getContextPath()%>/jsp/link2.jsp">Link 2</a>
+<a href="<%=request.getContextPath()%>/jsp/link3.jsp">Link 3</a>
+<a href="<%=request.getContextPath()%>/jsp/link4.jsp">Link 4</a>
+<a href="<%=request.getContextPath()%>/servlet">servlet</a>
+</div>
+
+<%
+ String message = (String) request.getAttribute("message");
+ if(message != null)
+ {
+%>
+<h4 id="message"><%=message%></h4>
+<% }
+else
+{
+ %>
+ <h4 id="message"></h4>
+<% } %>
+<div id="content">
+<form action="<%=request.getContextPath()%>/postHandler" method="post">
+<label for="message">message:</label>
+<input type="text" name="message" id="message" size="40" value="<%=request.getLocalName()%>"  />
+<input type="submit" value="submit" onclick="javascript: return confirmSubmit('Clienti');" />
+</form>
+</div>
+<%
+    Cookie c = new Cookie("name", "a_value")
+    Cookie cc = new Cookie("second", 12)
+%>
+</body>
+EOS
+  File.open(file, "w") do |f|
+    f.write(jsp_content)
+  end
+end