RubyGems - dawnscanner - Versions diffs - 1.6.8 → 2.0.0.rc4 - Mend

dawnscanner 1.6.8 → 2.0.0.rc4

Files changed (387) hide show

checksums.yaml +5 -5
data/.gitignore +1 -0
data/.ruby-version +1 -1
data/Changelog.md +27 -1
data/LICENSE.txt +1 -1
data/README.md +59 -57
data/Rakefile +10 -242
data/Roadmap.md +15 -23
data/VERSION +1 -1
data/bin/dawn +17 -273
data/checksum/dawnscanner-1.6.8.gem.sha1 +1 -0
data/checksum/dawnscanner-2.0.0.rc1.gem.sha1 +1 -0
data/checksum/dawnscanner-2.0.0.rc2.gem.sha1 +1 -0
data/checksum/dawnscanner-2.0.0.rc3.gem.sha1 +1 -0
data/dawnscanner.gemspec +10 -9
data/doc/change.sh +13 -0
data/doc/kickstart_kb.tar.gz +0 -0
data/doc/knowledge_base.rb +650 -0
data/docs/.placeholder +0 -0
data/docs/CNAME +1 -0
data/docs/_config.yml +1 -0
data/lib/dawn/cli/dawn_cli.rb +139 -0
data/lib/dawn/core.rb +8 -7
data/lib/dawn/engine.rb +93 -34
data/lib/dawn/gemfile_lock.rb +2 -2
data/lib/dawn/kb/basic_check.rb +1 -2
data/lib/dawn/kb/combo_check.rb +1 -1
data/lib/dawn/kb/dependency_check.rb +1 -1
data/lib/dawn/kb/operating_system_check.rb +1 -1
data/lib/dawn/kb/pattern_match_check.rb +10 -9
data/lib/dawn/kb/ruby_version_check.rb +11 -10
data/lib/dawn/kb/{gem_check.rb → rubygem_check.rb} +1 -1
data/lib/dawn/kb/unsafe_depedency_check.rb +44 -0
data/lib/dawn/kb/version_check.rb +41 -24
data/lib/dawn/knowledge_base.rb +259 -595
data/lib/dawn/reporter.rb +2 -1
data/lib/dawn/utils.rb +5 -2
data/lib/dawn/version.rb +5 -5
data/lib/dawnscanner.rb +7 -6
data/spec/lib/kb/codesake_unsafe_dependency_check_spec.rb +29 -0
data/spec/lib/kb/dependency_check.yml +29 -0
metadata +30 -496
checksums.yaml.gz.sig +0 -0
data.tar.gz.sig +0 -0
data/certs/paolo_at_dawnscanner_dot_org.pem +0 -21
data/lib/dawn/kb/cve_2004_0755.rb +0 -33
data/lib/dawn/kb/cve_2004_0983.rb +0 -31
data/lib/dawn/kb/cve_2005_1992.rb +0 -31
data/lib/dawn/kb/cve_2005_2337.rb +0 -33
data/lib/dawn/kb/cve_2006_1931.rb +0 -30
data/lib/dawn/kb/cve_2006_2582.rb +0 -28
data/lib/dawn/kb/cve_2006_3694.rb +0 -31
data/lib/dawn/kb/cve_2006_4112.rb +0 -27
data/lib/dawn/kb/cve_2006_5467.rb +0 -28
data/lib/dawn/kb/cve_2006_6303.rb +0 -28
data/lib/dawn/kb/cve_2006_6852.rb +0 -27
data/lib/dawn/kb/cve_2006_6979.rb +0 -29
data/lib/dawn/kb/cve_2007_0469.rb +0 -29
data/lib/dawn/kb/cve_2007_5162.rb +0 -28
data/lib/dawn/kb/cve_2007_5379.rb +0 -27
data/lib/dawn/kb/cve_2007_5380.rb +0 -29
data/lib/dawn/kb/cve_2007_5770.rb +0 -30
data/lib/dawn/kb/cve_2007_6077.rb +0 -31
data/lib/dawn/kb/cve_2007_6612.rb +0 -30
data/lib/dawn/kb/cve_2008_1145.rb +0 -38
data/lib/dawn/kb/cve_2008_1891.rb +0 -38
data/lib/dawn/kb/cve_2008_2376.rb +0 -30
data/lib/dawn/kb/cve_2008_2662.rb +0 -33
data/lib/dawn/kb/cve_2008_2663.rb +0 -32
data/lib/dawn/kb/cve_2008_2664.rb +0 -33
data/lib/dawn/kb/cve_2008_2725.rb +0 -31
data/lib/dawn/kb/cve_2008_3655.rb +0 -37
data/lib/dawn/kb/cve_2008_3657.rb +0 -37
data/lib/dawn/kb/cve_2008_3790.rb +0 -30
data/lib/dawn/kb/cve_2008_3905.rb +0 -36
data/lib/dawn/kb/cve_2008_4094.rb +0 -27
data/lib/dawn/kb/cve_2008_4310.rb +0 -100
data/lib/dawn/kb/cve_2008_5189.rb +0 -27
data/lib/dawn/kb/cve_2008_7248.rb +0 -27
data/lib/dawn/kb/cve_2009_4078.rb +0 -29
data/lib/dawn/kb/cve_2009_4124.rb +0 -30
data/lib/dawn/kb/cve_2009_4214.rb +0 -27
data/lib/dawn/kb/cve_2010_1330.rb +0 -28
data/lib/dawn/kb/cve_2010_2489.rb +0 -60
data/lib/dawn/kb/cve_2010_3933.rb +0 -27
data/lib/dawn/kb/cve_2011_0188.rb +0 -67
data/lib/dawn/kb/cve_2011_0446.rb +0 -28
data/lib/dawn/kb/cve_2011_0447.rb +0 -28
data/lib/dawn/kb/cve_2011_0739.rb +0 -28
data/lib/dawn/kb/cve_2011_0995.rb +0 -61
data/lib/dawn/kb/cve_2011_1004.rb +0 -34
data/lib/dawn/kb/cve_2011_1005.rb +0 -31
data/lib/dawn/kb/cve_2011_2197.rb +0 -27
data/lib/dawn/kb/cve_2011_2686.rb +0 -29
data/lib/dawn/kb/cve_2011_2705.rb +0 -32
data/lib/dawn/kb/cve_2011_2929.rb +0 -27
data/lib/dawn/kb/cve_2011_2930.rb +0 -28
data/lib/dawn/kb/cve_2011_2931.rb +0 -30
data/lib/dawn/kb/cve_2011_2932.rb +0 -27
data/lib/dawn/kb/cve_2011_3009.rb +0 -28
data/lib/dawn/kb/cve_2011_3186.rb +0 -29
data/lib/dawn/kb/cve_2011_3187.rb +0 -29
data/lib/dawn/kb/cve_2011_4319.rb +0 -30
data/lib/dawn/kb/cve_2011_4815.rb +0 -28
data/lib/dawn/kb/cve_2011_5036.rb +0 -26
data/lib/dawn/kb/cve_2012_1098.rb +0 -30
data/lib/dawn/kb/cve_2012_1099.rb +0 -27
data/lib/dawn/kb/cve_2012_1241.rb +0 -27
data/lib/dawn/kb/cve_2012_2139.rb +0 -26
data/lib/dawn/kb/cve_2012_2140.rb +0 -27
data/lib/dawn/kb/cve_2012_2660.rb +0 -28
data/lib/dawn/kb/cve_2012_2661.rb +0 -27
data/lib/dawn/kb/cve_2012_2671.rb +0 -28
data/lib/dawn/kb/cve_2012_2694.rb +0 -30
data/lib/dawn/kb/cve_2012_2695.rb +0 -27
data/lib/dawn/kb/cve_2012_3424.rb +0 -29
data/lib/dawn/kb/cve_2012_3463.rb +0 -27
data/lib/dawn/kb/cve_2012_3464.rb +0 -27
data/lib/dawn/kb/cve_2012_3465.rb +0 -26
data/lib/dawn/kb/cve_2012_4464.rb +0 -27
data/lib/dawn/kb/cve_2012_4466.rb +0 -27
data/lib/dawn/kb/cve_2012_4481.rb +0 -26
data/lib/dawn/kb/cve_2012_4522.rb +0 -27
data/lib/dawn/kb/cve_2012_5370.rb +0 -27
data/lib/dawn/kb/cve_2012_5371.rb +0 -27
data/lib/dawn/kb/cve_2012_5380.rb +0 -28
data/lib/dawn/kb/cve_2012_6109.rb +0 -25
data/lib/dawn/kb/cve_2012_6134.rb +0 -27
data/lib/dawn/kb/cve_2012_6496.rb +0 -28
data/lib/dawn/kb/cve_2012_6497.rb +0 -28
data/lib/dawn/kb/cve_2012_6684.rb +0 -28
data/lib/dawn/kb/cve_2013_0155.rb +0 -29
data/lib/dawn/kb/cve_2013_0156.rb +0 -27
data/lib/dawn/kb/cve_2013_0162.rb +0 -28
data/lib/dawn/kb/cve_2013_0175.rb +0 -27
data/lib/dawn/kb/cve_2013_0183.rb +0 -25
data/lib/dawn/kb/cve_2013_0184.rb +0 -25
data/lib/dawn/kb/cve_2013_0233.rb +0 -26
data/lib/dawn/kb/cve_2013_0256.rb +0 -59
data/lib/dawn/kb/cve_2013_0262.rb +0 -26
data/lib/dawn/kb/cve_2013_0263.rb +0 -26
data/lib/dawn/kb/cve_2013_0269.rb +0 -27
data/lib/dawn/kb/cve_2013_0276.rb +0 -28
data/lib/dawn/kb/cve_2013_0277.rb +0 -25
data/lib/dawn/kb/cve_2013_0284.rb +0 -27
data/lib/dawn/kb/cve_2013_0285.rb +0 -27
data/lib/dawn/kb/cve_2013_0333.rb +0 -28
data/lib/dawn/kb/cve_2013_0334.rb +0 -25
data/lib/dawn/kb/cve_2013_1607.rb +0 -25
data/lib/dawn/kb/cve_2013_1655.rb +0 -65
data/lib/dawn/kb/cve_2013_1656.rb +0 -28
data/lib/dawn/kb/cve_2013_1756.rb +0 -26
data/lib/dawn/kb/cve_2013_1800.rb +0 -26
data/lib/dawn/kb/cve_2013_1801.rb +0 -27
data/lib/dawn/kb/cve_2013_1802.rb +0 -27
data/lib/dawn/kb/cve_2013_1812.rb +0 -27
data/lib/dawn/kb/cve_2013_1821.rb +0 -28
data/lib/dawn/kb/cve_2013_1854.rb +0 -26
data/lib/dawn/kb/cve_2013_1855.rb +0 -25
data/lib/dawn/kb/cve_2013_1856.rb +0 -26
data/lib/dawn/kb/cve_2013_1857.rb +0 -27
data/lib/dawn/kb/cve_2013_1875.rb +0 -27
data/lib/dawn/kb/cve_2013_1898.rb +0 -27
data/lib/dawn/kb/cve_2013_1911.rb +0 -28
data/lib/dawn/kb/cve_2013_1933.rb +0 -27
data/lib/dawn/kb/cve_2013_1947.rb +0 -27
data/lib/dawn/kb/cve_2013_1948.rb +0 -27
data/lib/dawn/kb/cve_2013_2065.rb +0 -29
data/lib/dawn/kb/cve_2013_2090.rb +0 -28
data/lib/dawn/kb/cve_2013_2105.rb +0 -26
data/lib/dawn/kb/cve_2013_2119.rb +0 -27
data/lib/dawn/kb/cve_2013_2512.rb +0 -26
data/lib/dawn/kb/cve_2013_2513.rb +0 -25
data/lib/dawn/kb/cve_2013_2516.rb +0 -26
data/lib/dawn/kb/cve_2013_2615.rb +0 -27
data/lib/dawn/kb/cve_2013_2616.rb +0 -27
data/lib/dawn/kb/cve_2013_2617.rb +0 -28
data/lib/dawn/kb/cve_2013_3221.rb +0 -27
data/lib/dawn/kb/cve_2013_4164.rb +0 -30
data/lib/dawn/kb/cve_2013_4203.rb +0 -25
data/lib/dawn/kb/cve_2013_4389.rb +0 -26
data/lib/dawn/kb/cve_2013_4413.rb +0 -27
data/lib/dawn/kb/cve_2013_4457.rb +0 -29
data/lib/dawn/kb/cve_2013_4478.rb +0 -26
data/lib/dawn/kb/cve_2013_4479.rb +0 -26
data/lib/dawn/kb/cve_2013_4489.rb +0 -28
data/lib/dawn/kb/cve_2013_4491.rb +0 -29
data/lib/dawn/kb/cve_2013_4492.rb +0 -29
data/lib/dawn/kb/cve_2013_4562.rb +0 -27
data/lib/dawn/kb/cve_2013_4593.rb +0 -27
data/lib/dawn/kb/cve_2013_5647.rb +0 -29
data/lib/dawn/kb/cve_2013_5671.rb +0 -26
data/lib/dawn/kb/cve_2013_6414.rb +0 -30
data/lib/dawn/kb/cve_2013_6415.rb +0 -29
data/lib/dawn/kb/cve_2013_6416.rb +0 -29
data/lib/dawn/kb/cve_2013_6417.rb +0 -30
data/lib/dawn/kb/cve_2013_6421.rb +0 -28
data/lib/dawn/kb/cve_2013_6459.rb +0 -28
data/lib/dawn/kb/cve_2013_6460.rb +0 -53
data/lib/dawn/kb/cve_2013_6461.rb +0 -57
data/lib/dawn/kb/cve_2013_7086.rb +0 -27
data/lib/dawn/kb/cve_2014_0036.rb +0 -27
data/lib/dawn/kb/cve_2014_0080.rb +0 -29
data/lib/dawn/kb/cve_2014_0081.rb +0 -27
data/lib/dawn/kb/cve_2014_0082.rb +0 -27
data/lib/dawn/kb/cve_2014_0130.rb +0 -27
data/lib/dawn/kb/cve_2014_1233.rb +0 -27
data/lib/dawn/kb/cve_2014_1234.rb +0 -26
data/lib/dawn/kb/cve_2014_2322.rb +0 -28
data/lib/dawn/kb/cve_2014_2525.rb +0 -59
data/lib/dawn/kb/cve_2014_2538.rb +0 -26
data/lib/dawn/kb/cve_2014_3482.rb +0 -28
data/lib/dawn/kb/cve_2014_3483.rb +0 -28
data/lib/dawn/kb/cve_2014_3916.rb +0 -29
data/lib/dawn/kb/cve_2014_4975.rb +0 -28
data/lib/dawn/kb/cve_2014_7818.rb +0 -27
data/lib/dawn/kb/cve_2014_7819.rb +0 -31
data/lib/dawn/kb/cve_2014_7829.rb +0 -30
data/lib/dawn/kb/cve_2014_8090.rb +0 -30
data/lib/dawn/kb/cve_2014_9490.rb +0 -29
data/lib/dawn/kb/cve_2015_1819.rb +0 -34
data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb +0 -28
data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb +0 -28
data/lib/dawn/kb/cve_2015_2963.rb +0 -27
data/lib/dawn/kb/cve_2015_3224.rb +0 -26
data/lib/dawn/kb/cve_2015_3225.rb +0 -28
data/lib/dawn/kb/cve_2015_3226.rb +0 -27
data/lib/dawn/kb/cve_2015_3227.rb +0 -28
data/lib/dawn/kb/cve_2015_3448.rb +0 -29
data/lib/dawn/kb/cve_2015_4020.rb +0 -34
data/lib/dawn/kb/cve_2015_5312.rb +0 -30
data/lib/dawn/kb/cve_2015_7497.rb +0 -32
data/lib/dawn/kb/cve_2015_7498.rb +0 -32
data/lib/dawn/kb/cve_2015_7499.rb +0 -32
data/lib/dawn/kb/cve_2015_7500.rb +0 -32
data/lib/dawn/kb/cve_2015_7519.rb +0 -31
data/lib/dawn/kb/cve_2015_7541.rb +0 -31
data/lib/dawn/kb/cve_2015_7576.rb +0 -35
data/lib/dawn/kb/cve_2015_7577.rb +0 -34
data/lib/dawn/kb/cve_2015_7578.rb +0 -30
data/lib/dawn/kb/cve_2015_7579.rb +0 -30
data/lib/dawn/kb/cve_2015_7581.rb +0 -33
data/lib/dawn/kb/cve_2015_8241.rb +0 -32
data/lib/dawn/kb/cve_2015_8242.rb +0 -32
data/lib/dawn/kb/cve_2015_8317.rb +0 -32
data/lib/dawn/kb/cve_2016_0751.rb +0 -32
data/lib/dawn/kb/cve_2016_0752.rb +0 -35
data/lib/dawn/kb/cve_2016_0753.rb +0 -31
data/lib/dawn/kb/cve_2016_2097.rb +0 -35
data/lib/dawn/kb/cve_2016_2098.rb +0 -35
data/lib/dawn/kb/cve_2016_5697.rb +0 -30
data/lib/dawn/kb/cve_2016_6316.rb +0 -33
data/lib/dawn/kb/cve_2016_6317.rb +0 -32
data/lib/dawn/kb/cve_2016_6582.rb +0 -43
data/lib/dawn/kb/not_revised_code.rb +0 -22
data/lib/dawn/kb/osvdb_105971.rb +0 -29
data/lib/dawn/kb/osvdb_108530.rb +0 -27
data/lib/dawn/kb/osvdb_108563.rb +0 -28
data/lib/dawn/kb/osvdb_108569.rb +0 -28
data/lib/dawn/kb/osvdb_108570.rb +0 -27
data/lib/dawn/kb/osvdb_115654.rb +0 -33
data/lib/dawn/kb/osvdb_116010.rb +0 -30
data/lib/dawn/kb/osvdb_117903.rb +0 -30
data/lib/dawn/kb/osvdb_118579.rb +0 -31
data/lib/dawn/kb/osvdb_118830.rb +0 -32
data/lib/dawn/kb/osvdb_118954.rb +0 -33
data/lib/dawn/kb/osvdb_119878.rb +0 -32
data/lib/dawn/kb/osvdb_119927.rb +0 -33
data/lib/dawn/kb/osvdb_120415.rb +0 -31
data/lib/dawn/kb/osvdb_120857.rb +0 -34
data/lib/dawn/kb/osvdb_121701.rb +0 -30
data/lib/dawn/kb/osvdb_132234.rb +0 -34
data/lib/dawn/kb/owasp_ror_cheatsheet.rb +0 -33
data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +0 -18
data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +0 -57
data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +0 -28
data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +0 -29
data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +0 -33
data/lib/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +0 -35
data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +0 -29
data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +0 -31
data/lib/dawn/kb/simpleform_xss_20131129.rb +0 -28
data/lib/dawn/knowledge_base_experimental.rb +0 -245
data/spec/lib/kb/cve_2011_2705_spec.rb +0 -35
data/spec/lib/kb/cve_2011_2930_spec.rb +0 -31
data/spec/lib/kb/cve_2011_3009_spec.rb +0 -25
data/spec/lib/kb/cve_2011_3187_spec.rb +0 -24
data/spec/lib/kb/cve_2011_4319_spec.rb +0 -44
data/spec/lib/kb/cve_2011_5036_spec.rb +0 -95
data/spec/lib/kb/cve_2012_1098_spec.rb +0 -36
data/spec/lib/kb/cve_2012_2139_spec.rb +0 -20
data/spec/lib/kb/cve_2012_2671_spec.rb +0 -23
data/spec/lib/kb/cve_2012_6109_spec.rb +0 -112
data/spec/lib/kb/cve_2012_6684_spec.rb +0 -16
data/spec/lib/kb/cve_2013_0162_spec.rb +0 -23
data/spec/lib/kb/cve_2013_0183_spec.rb +0 -54
data/spec/lib/kb/cve_2013_0184_spec.rb +0 -115
data/spec/lib/kb/cve_2013_0256_spec.rb +0 -34
data/spec/lib/kb/cve_2013_0262_spec.rb +0 -44
data/spec/lib/kb/cve_2013_0263_spec.rb +0 -11
data/spec/lib/kb/cve_2013_0334_spec.rb +0 -35
data/spec/lib/kb/cve_2013_1607_spec.rb +0 -15
data/spec/lib/kb/cve_2013_1655_spec.rb +0 -31
data/spec/lib/kb/cve_2013_1756_spec.rb +0 -23
data/spec/lib/kb/cve_2013_2090_spec.rb +0 -15
data/spec/lib/kb/cve_2013_2105_spec.rb +0 -11
data/spec/lib/kb/cve_2013_2119_spec.rb +0 -27
data/spec/lib/kb/cve_2013_2512_spec.rb +0 -15
data/spec/lib/kb/cve_2013_2513_spec.rb +0 -15
data/spec/lib/kb/cve_2013_2516_spec.rb +0 -15
data/spec/lib/kb/cve_2013_4203_spec.rb +0 -15
data/spec/lib/kb/cve_2013_4413_spec.rb +0 -16
data/spec/lib/kb/cve_2013_4489_spec.rb +0 -63
data/spec/lib/kb/cve_2013_4491_spec.rb +0 -16
data/spec/lib/kb/cve_2013_4593_spec.rb +0 -16
data/spec/lib/kb/cve_2013_5647_spec.rb +0 -19
data/spec/lib/kb/cve_2013_5671_spec.rb +0 -27
data/spec/lib/kb/cve_2013_6414_spec.rb +0 -26
data/spec/lib/kb/cve_2013_6416_spec.rb +0 -31
data/spec/lib/kb/cve_2013_6459_spec.rb +0 -15
data/spec/lib/kb/cve_2013_7086_spec.rb +0 -22
data/spec/lib/kb/cve_2014_0036_spec.rb +0 -15
data/spec/lib/kb/cve_2014_0080_spec.rb +0 -33
data/spec/lib/kb/cve_2014_0081_spec.rb +0 -50
data/spec/lib/kb/cve_2014_0082_spec.rb +0 -52
data/spec/lib/kb/cve_2014_0130_spec.rb +0 -19
data/spec/lib/kb/cve_2014_1233_spec.rb +0 -15
data/spec/lib/kb/cve_2014_1234_spec.rb +0 -16
data/spec/lib/kb/cve_2014_2322_spec.rb +0 -15
data/spec/lib/kb/cve_2014_2538_spec.rb +0 -15
data/spec/lib/kb/cve_2014_3482_spec.rb +0 -15
data/spec/lib/kb/cve_2014_3483_spec.rb +0 -27
data/spec/lib/kb/cve_2014_7818_spec.rb +0 -42
data/spec/lib/kb/cve_2014_7819_spec.rb +0 -139
data/spec/lib/kb/cve_2014_7829_spec.rb +0 -50
data/spec/lib/kb/cve_2014_9490_spec.rb +0 -17
data/spec/lib/kb/cve_2015_1819_spec.rb +0 -16
data/spec/lib/kb/cve_2015_1840_spec.rb +0 -39
data/spec/lib/kb/cve_2015_2963_spec.rb +0 -17
data/spec/lib/kb/cve_2015_3224_spec.rb +0 -16
data/spec/lib/kb/cve_2015_3225_spec.rb +0 -27
data/spec/lib/kb/cve_2015_3226_spec.rb +0 -35
data/spec/lib/kb/cve_2015_3227_spec.rb +0 -31
data/spec/lib/kb/cve_2015_3448_spec.rb +0 -16
data/spec/lib/kb/cve_2015_4020_spec.rb +0 -24
data/spec/lib/kb/cve_2015_5312_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7497_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7498_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7499_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7500_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7519_spec.rb +0 -23
data/spec/lib/kb/cve_2015_7541_spec.rb +0 -15
data/spec/lib/kb/cve_2015_7576_spec.rb +0 -51
data/spec/lib/kb/cve_2015_7577_spec.rb +0 -63
data/spec/lib/kb/cve_2015_7578_spec.rb +0 -15
data/spec/lib/kb/cve_2015_7579_spec.rb +0 -23
data/spec/lib/kb/cve_2015_7581_spec.rb +0 -51
data/spec/lib/kb/cve_2015_8241_spec.rb +0 -31
data/spec/lib/kb/cve_2015_8242_spec.rb +0 -31
data/spec/lib/kb/cve_2015_8317_spec.rb +0 -31
data/spec/lib/kb/cve_2016_0751_spec.rb +0 -55
data/spec/lib/kb/cve_2016_0752_spec.rb +0 -51
data/spec/lib/kb/cve_2016_0753_spec.rb +0 -51
data/spec/lib/kb/cve_2016_2097_spec.rb +0 -35
data/spec/lib/kb/cve_2016_2098_spec.rb +0 -55
data/spec/lib/kb/cve_2016_5697_spec.rb +0 -15
data/spec/lib/kb/cve_2016_6316_spec.rb +0 -44
data/spec/lib/kb/cve_2016_6317_spec.rb +0 -35
data/spec/lib/kb/cve_2016_6582_spec.rb +0 -29
data/spec/lib/kb/osvdb_105971_spec.rb +0 -15
data/spec/lib/kb/osvdb_108530_spec.rb +0 -22
data/spec/lib/kb/osvdb_108563_spec.rb +0 -18
data/spec/lib/kb/osvdb_108569_spec.rb +0 -17
data/spec/lib/kb/osvdb_108570_spec.rb +0 -17
data/spec/lib/kb/osvdb_115654_spec.rb +0 -15
data/spec/lib/kb/osvdb_116010_spec.rb +0 -15
data/spec/lib/kb/osvdb_117903_spec.rb +0 -23
data/spec/lib/kb/osvdb_118579_spec.rb +0 -8
data/spec/lib/kb/osvdb_118830_spec.rb +0 -16
data/spec/lib/kb/osvdb_118954_spec.rb +0 -20
data/spec/lib/kb/osvdb_119878_spec.rb +0 -92
data/spec/lib/kb/osvdb_119927_spec.rb +0 -16
data/spec/lib/kb/osvdb_120415_spec.rb +0 -16
data/spec/lib/kb/osvdb_120857_spec.rb +0 -32
data/spec/lib/kb/osvdb_121701_spec.rb +0 -15
data/spec/lib/kb/osvdb_132234_spec.rb +0 -15
metadata.gz.sig +0 -0

data/lib/dawn/kb/osvdb_118579.rb DELETED Viewed

@@ -1,31 +0,0 @@
-module Dawn
-		module Kb
-			# Automatically created with rake on 2015-04-04
-			class OSVDB_118579
-				# Include the testing skeleton for this Security Check
-				# include PatternMatchCheck
-				include DependencyCheck
-				# include RubyVersionCheck
-				def initialize
-          message = "xaviershay-dm-rails Gem for Ruby contains a flaw in the execute() function in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb. The issue is due to the function exposing sensitive information via the process table. This may allow a local attack to gain access to MySQL credential information."
-          super({
-            :name=> "OSVDB_118579",
-            :cve=>"2015-2179",
-            :osvdb=>"118579",
-            :cvss=>"",
-            :release_date => Date.new(2015, 2, 17),
-            :cwe=>"",
-            :owasp=>"A9",
-            :applies=>["rails"],
-            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-            :message=>message,
-            :mitigation=>"We are not currently aware of a solution for this vulnerability (4 April 2015)",
-            :aux_links=>[""]
-           })
-           self.safe_dependencies = [{:name=>"xaviershay-dm-rails", :version=>['0.8.0']}]
-				end
-			end
-		end
-end

data/lib/dawn/kb/osvdb_118830.rb DELETED Viewed

@@ -1,32 +0,0 @@
-module Dawn
-		module Kb
-			# Automatically created with rake on 2015-04-05
-			class OSVDB_118830
-				# Include the testing skeleton for this Security Check
-				# include PatternMatchCheck
-				include DependencyCheck
-				# include RubyVersionCheck
-				def initialize
-          message = "Doorkeeper Gem for Ruby contains a flaw in lib/doorkeeper/engine.rb. The issue is due to the program storing sensitive information in production logs. This may allow a local attacker to gain access to sensitive information."
-          super({
-            :name=> "OSVDB_118830",
-            :cve=>"",
-            :osvdb=>"118830",
-            :cvss=>"",
-            :release_date => Date.new(2015, 2, 10),
-            :cwe=>"",
-            :owasp=>"A6",
-            :applies=>["rails", "sinatra", "padrino"],
-            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-            :message=>message,
-            :mitigation=>"Please upgrade doorkeeper gem version at least to 2.1.2. As a general rule, using the latest stable version is recommended.",
-            :aux_links=>[""]
-           })
-           self.safe_dependencies = [{:name=>"doorkeeper", :version=>['2.1.2']}]
-				end
-			end
-		end
-end

data/lib/dawn/kb/osvdb_118954.rb DELETED Viewed

@@ -1,33 +0,0 @@
-module Dawn
-		module Kb
-			# Automatically created with rake on 2015-04-04
-			class OSVDB_118954
-				# Include the testing skeleton for this Security Check
-				# include PatternMatchCheck
-				include DependencyCheck
-				# include RubyVersionCheck
-				def initialize
-          message = "Ruby on Rails contains a flaw that is triggered when handling a to_json call to ActiveModel::Name, which can cause an infinite loop. This may allow a remote attacker to cause a denial of service."
-          super({
-            :name=> "OSVDB_118954",
-            :cve=>"",
-            :osvdb=>"118954",
-            :cvss=>"",
-            :release_date => Date.new(2015, 2, 28),
-            :cwe=>"",
-            :owasp=>"A9",
-            :applies=>["rails"],
-            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-            :message=>message,
-            :mitigation=>"Please upgrade to latest rails ruby gems",
-            :aux_links=>["https://github.com/rails/rails/pull/19055", "https://github.com/rails/rails/issues/19050"]
-           })
-          self.save_minor=true
-          self.save_major=true
-          self.safe_dependencies = [{:name=>"rails", :version=>['4.2.1.rc3']}]
-				end
-			end
-		end
-end

data/lib/dawn/kb/osvdb_119878.rb DELETED Viewed

@@ -1,32 +0,0 @@
-module Dawn
-		module Kb
-			# Automatically created with rake on 2015-04-04
-			class OSVDB_119878
-				# Include the testing skeleton for this Security Check
-				# include PatternMatchCheck
-				include DependencyCheck
-				# include RubyVersionCheck
-				def initialize
-          message="rest-client Gem for Ruby contains a flaw in abstract_response.rb related to the handling of set-cookie headers in redirection responses that allows a remote, user-assisted attacker to conduct a session fixation attack. This flaw exists because the application, when establishing a new session, does not invalidate an existing session identifier and assign a new one. With a specially crafted request fixating the session identifier, a context-dependent attacker can ensure a user authenticates with the known session identifier, allowing the session to be subsequently hijacked."
-          super({
-            :name=> "OSVDB_119878",
-            :cve=>"2015-1820",
-            :osvdb=>"119878",
-            :cvss=>"",
-            :release_date => Date.new(2015, 3, 24),
-            :cwe=>"",
-            :owasp=>"A9",
-            :applies=>["rails", "sinatra", "padrino"],
-            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-            :message=>message,
-            :mitigation=>"Please upgrade rest-client gem version to 1.8.0 or later.",
-            :aux_links=>["https://github.com/rest-client/rest-client/issues/369"]
-           })
-          self.safe_dependencies = [{:name=>"rest-client", :version=>['1.8.0', '2.0.0.rc1', '2.0.0.rc2']}]
-				end
-			end
-		end
-end

data/lib/dawn/kb/osvdb_119927.rb DELETED Viewed

@@ -1,33 +0,0 @@
-module Dawn
-		module Kb
-			# Automatically created with rake on 2015-03-27
-			class OSVDB_119927
-				# Include the testing skeleton for this Security Check
-				# include PatternMatchCheck
-				include DependencyCheck
-				# include RubyVersionCheck
-				def initialize
-          message = "http Gem for Ruby contains a flaw related to certificate validation. The issue is due to a failure to call the OpenSSL::SSL::SSLSocket#post_connection_check method, leading to hostnames not being properly verified. By spoofing the TLS/SSL server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MiTM, DNS cache poisoning) can disclose and optionally manipulate transmitted data."
-           super({
-            :name=> "OSVDB_119927",
-            :cve=>"2015-1828",
-            :osvdb=>"119927",
-            :cvss=>"",
-            :release_date => Date.new(2015, 3, 25),
-            :cwe=>"",
-            :owasp=>"A9",
-            :applies=>["rails", "sinatra", "padrino"],
-            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-            :message=>message,
-            :mitigation=>"Please upgrade http gem version at least to 0.8.0. As a general rule, using the latest stable version is recommended.",
-            :aux_links=>[""]
-           })
-           self.safe_dependencies = [{:name=>"http", :version=>['0.8.0']}]
-				end
-			end
-		end
-end

data/lib/dawn/kb/osvdb_120415.rb DELETED Viewed

@@ -1,31 +0,0 @@
-module Dawn
-		module Kb
-			# Automatically created with rake on 2015-12-01
-			class OSVDB_120415
-				include DependencyCheck
-				def initialize
-          title = "redcarpet Gem for Ruby markdown.c parse_inline() Function XSS"
-          message = "redcarpet gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the parse_inline() function in markdown.c does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server."
-          super({
-            :title=>title,
-            :name=> "OSVDB_120415",
-            :cve=>"",
-            :osvdb=>"120415",
-            :cvss=>"",
-            :release_date => Date.new(2015, 4, 7),
-            :cwe=>"",
-            :owasp=>"A9",
-            :applies=>["rails", "sinatra", "padrino"],
-            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-            :message=>message,
-            :mitigation=>"Please upgrade redcarpet gem to version 3.2.3 or later.",
-            :aux_links=>[""]
-           })
-          self.safe_dependencies = [{:name=>"redcarpet", :version=>['3.2.3']}]
-				end
-			end
-		end
-end

data/lib/dawn/kb/osvdb_120857.rb DELETED Viewed

@@ -1,34 +0,0 @@
-module Dawn
-		module Kb
-			# Automatically created with rake on 2015-12-02
-			class OSVDB_120857
-				# Include the testing skeleton for this Security Check
-				# include PatternMatchCheck
-				include DependencyCheck
-				# include RubyVersionCheck
-				def initialize
-          title = "refile Gem for Ruby remote_image_url Attachment Remote Command Execution"
-          message = "refile Gem for Ruby contains a flaw that is triggered when input is not sanitized when handling the 'remote_image_url' field in a form, where 'image' is the name of the attachment. This may allow a remote attacker to execute arbitrary shell commands."
-          super({
-            :title=>title,
-            :name=> "OSVDB_120857",
-            :cve=>"",
-            :osvdb=>"120857",
-            :cvss=>"",
-            :release_date => Date.new(2015, 4, 15),
-            :cwe=>"",
-            :owasp=>"A9",
-            :applies=>["rails", "sinatra", "padrino"],
-            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-            :message=>message,
-            :mitigation=>"Please upgrade refile gem to version 0.5.4 or later.",
-            :aux_links=>[""]
-           })
-          self.save_minor = true
-          self.safe_dependencies=[{:name=>"refile", :version=>['0.5.4', '0.4.-1', '0.3.-1', '0.2.-1', '0.1.-1']}]
-				end
-			end
-		end
-end

data/lib/dawn/kb/osvdb_121701.rb DELETED Viewed

@@ -1,30 +0,0 @@
-module Dawn
-		module Kb
-			# Automatically created with rake on 2015-12-02
-			class OSVDB_121701
-				include DependencyCheck
-				def initialize
-          title = "open-uri-cached Gem for Ruby Unsafe Temporary File Creation Local Privilege Escalation"
-          message = "open-uri-cached Gem for Ruby contains a flaw that is due to the program creating temporary files in a predictable, unsafe manner when using YAML. This may allow a local attacker to gain elevated privileges."
-          super({
-            :title=>title,
-            :name=> "OSVDB_121701",
-            :cve=>"",
-            :osvdb=>"121701",
-            :cvss=>"",
-            :release_date => Date.new(2015, 5, 5),
-            :cwe=>"",
-            :owasp=>"A9",
-            :applies=>["rails", "sinatra", "padrino"],
-            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-            :message=>message,
-            :mitigation=>"Please upgrade open-uri-cached gem to version 0.0.5 or later.",
-            :aux_links=>[""]
-           })
-          self.safe_dependencies = [{:name=>"open-uri-cached", :version=>['0.0.5']}]
-				end
-			end
-		end
-end

data/lib/dawn/kb/osvdb_132234.rb DELETED Viewed

@@ -1,34 +0,0 @@
-module Dawn
-		module Kb
-			# Automatically created with rake on 2016-10-02
-			class OSVDB_132234
-				# Include the testing skeleton for this Security Check
-				# include PatternMatchCheck
-				include DependencyCheck
-				# include RubyVersionCheck
-				def initialize
-					title   = "rack-attack Gem for Ruby missing normalization before request path processing"
-					message = "When using rack-attack with a rails app, developers expect the request path to be normalized. In particular, trailing slashes are stripped so a request path \"/login/\" becomes \"/login\" by the time you're in ActionController. Since Rack::Attack runs before ActionDispatch, the request path is not yet normalized. This can cause throttles and blacklists to not work as expected. E.g., a throttle: throttle('logins', ...) {|req| req.path == \"/login\" } would not match a request to '/login/', though Rails would route '/login/' to the same '/login' action."
-          super({
-            :title=>title,
-            :name=> "OSVDB_132234",
-            :cve=>"",
-            :osvdb=>"132234",
-            :cvss=>"",
-            :release_date => Date.new(2015, 12, 15),
-            :cwe=>"",
-            :owasp=>"A9",
-            :applies=>["rails"],
-            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-            :message=>message,
-            :mitigation=>"Please upgrade rack-attack gem to version 4.3.1 or later.",
-            :aux_links=>['https://github.com/kickstarter/rack-attack/releases/tag/v4.3.1']
-           })
-          self.safe_dependencies = [{:name=>"rack-attack", :version=>['4.3.1']}]
-				end
-			end
-		end
-end

data/lib/dawn/kb/owasp_ror_cheatsheet.rb DELETED Viewed

@@ -1,33 +0,0 @@
-module Dawn
-  module Kb
-    class OwaspRorCheatsheet
-      include ComboCheck
-      def initialize
-        message = "This Cheatsheet intends to provide quick basic Ruby on Rails security tips for developers. It complements, augments or emphasizes points brought up in the rails security guide from rails core.  The Rails framework abstracts developers from quite a bit of tedious work and provides the means to accomplish complex tasks quickly and with ease. New developers, those unfamiliar with the inner-workings of Rails, likely need a basic set of guidelines to secure fundamental aspects of their application. The intended purpose of this doc is to be that guide."
-        super({
-          :name=>"Owasp Ror Cheatsheet",
-          :applies=>["rails"],
-          :kind=>Dawn::KnowledgeBase::COMBO_CHECK,
-          :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
-          :message=>message,
-          :mitigation=>"Please refere to the Ruby on Rails cheatsheet available from owasp.org to mitigate this vulnerability",
-          :checks=>[
-            Dawn::Kb::OwaspRorCheatSheet::CommandInjection.new,
-            Dawn::Kb::OwaspRorCheatSheet::Csrf.new,
-            Dawn::Kb::OwaspRorCheatSheet::SessionStoredInDatabase.new,
-            Dawn::Kb::OwaspRorCheatSheet::MassAssignmentInModel.new,
-            Dawn::Kb::OwaspRorCheatSheet::SecurityRelatedHeaders.new,
-          ],
-          :vuln_if_all_fails => false
-        })
-        # @debug = true
-      end
-    end
-  end
-end

data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb DELETED Viewed

@@ -1,18 +0,0 @@
-# It will be completely rewritten in dawnscanner v2.0.0
-#
-# require 'anemone'
-# require 'httpclient'
-# h=HTTPClient.new()
-# Anemone.crawl(ARGV[0]) do |anemone|
-  # anemone.on_every_page do |page|
-      # response = h.get(page.url)
-      # puts "Original: #{page.url}: #{response.code}"
-      # response = h.get(page.url.to_s.split(";")[0].concat(".bak"))
-      # puts "BAK: #{page.url.to_s.split(";")[0].concat(".bak")}: #{response.code}"
-      # response = h.get(page.url.to_s.split(";")[0].concat(".old"))
-      # puts "OLD: #{page.url.to_s.split(";")[0].concat(".old")}: #{response.code}"
-      # response = h.get(page.url.to_s.split(";")[0].concat("~"))
-      # puts "~: #{page.url.to_s.split(";")[0].concat("~")}: #{response.code}"
-  # end
-# end

data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb DELETED Viewed

@@ -1,57 +0,0 @@
-module Dawn
-  module Kb
-    module OwaspRorCheatSheet
-      class CheckForSafeRedirectAndForward
-        include PatternMatchCheck
-        def initialize
-          message = <<-EOT
-Web applications often require the ability to dynamically redirect users based
-on client-supplied data. To clarify, dynamic redirection usually entails the
-client including a URL in a parameter within a request to the application. Once
-received by the application, the user is redirected to the URL specified in the
-request.
-For example: http://www.example.com/redirect?url=http://www.example_commerce_site.com/checkout
-The above request would redirect the user to http://www.example.com/checkout.
-The security concern associated with this functionality is leveraging an
-organization's trusted brand to phish users and trick them into visiting a
-malicious site, in our example, "badhacker.com".
-Example: http://www.example.com/redirect?url=http://badhacker.com
-The most basic, but restrictive protection is to use the :only_path option.
-Setting this to true will essentially strip out any host information.
-          EOT
-          super({
-            :name=>"Owasp Ror CheatSheet: Check for safe redirect and forward",
-            :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
-            :applies=>["rails"],
-            :glob=>"*.rb",
-            :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
-            :message=>message,
-            :attack_pattern => ["redirect_to"],
-            :mitigation=>"The most basic, but restrictive protection is to use the :only_path option. Setting this to true will essentially strip out any host information.",
-            :severity=>:info,
-            :check_family=>:owasp_ror_cheatsheet
-          })
-          # @debug = true
-        end
-        def vuln?
-          super
-          ret = []
-          @evidences.each do |ev|
-            ret << ev unless ev[:matches].include? ":only_path => true"
-          end
-          @evidences = ret unless ret.empty?
-          return @evidences.empty?
-        end
-      end
-    end
-  end
-end

data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb DELETED Viewed

@@ -1,28 +0,0 @@
-module Dawn
-  module Kb
-    module OwaspRorCheatSheet
-      class CommandInjection
-        include PatternMatchCheck
-        def initialize
-          message = "Ruby offers a function called \"eval\" which will dynamically build new Ruby code based on Strings. It also has a number of ways to call system commands. While the power of these commands is quite useful, extreme care should be taken when using them in a Rails based application. Usually, its just a bad idea. If need be, a whitelist of possible values should be used and any input should be validated as thoroughly as possible. The Ruby Security Reviewer's Guide has a section on injection and there are a number of OWASP references for it, starting at the top: Command Injection."
-          super({
-            :name=>"Owasp Ror CheatSheet: Command Injection",
-            :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
-            :applies=>["rails"],
-            :glob=>"*.rb",
-            :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
-            :message=>message,
-            :attack_pattern => ["eval", "System", "\`", "Kernel.exec"],
-            :avoid_comments => true,
-            :check_family=>:owasp_ror_cheatsheet,
-            :severity=>:info,
-            :mitigation=>"Please validate the code you pass as argument to eval, System, Kernel.exec and friends. If you generate your command line with user controlled values, can lead to an arbitrary code execution."
-          })
-          # @debug = true
-        end
-      end
-    end
-  end
-end