omamori 0.1.1 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 047332a1b52e201377fafce4a1556aaff4653c6f8982914d35486b0ae6413f48
-  data.tar.gz: 2ae4023aec70fcd7242c035787787cf5ab0803bcb242ec93d347a8eb98daff70
+  metadata.gz: 2c6e52c517c84f78c559299c80b6d0c3817ea6b1cc7cdb9e0bc041bb2c6ccad1
+  data.tar.gz: c654919d2b1db48f3bb286e55ccd8909a82b9c69d4c3fd88d67fadfe03a621e7
 SHA512:
-  metadata.gz: 125dad0b11d11a647b943e4761049e34176f7b628ebb28487f4e30221aed3b967cedaf7f23f3ef547f3f5096c1a9bb38898213fa5e8cd97c641e5ecd26131df7
-  data.tar.gz: a972855f407359eaafee5e524e2b20d7ae303afc3dd2d8b972d2e385c45ed91ee5d84aa78007edd37c746d9e285c9958ebc205bb5008f575839632be31de07fa
+  metadata.gz: ded5134ca28c5835ba121b637c7105a5cbe6930777275562fbc49b45fcfc021ddb7d57f5c26c1bbb5958a56f52d1f7e9df6175de1274de19fee2683081db3bfa
+  data.tar.gz: c495125630ff1467816c47c21888d4e984c08a5e074cc8f904a10045860c11e17212432ef146bd5a37324601589dca67c4ffe1546b2196518d9b3faa216e79cf

data/Gemfile

@@ -4,6 +4,3 @@ source "https://rubygems.org"
 
 # Specify your gem's dependencies in omamori.gemspec
 gemspec
-gem "brakeman", "~> 7.0"
-
-gem "bundler-audit", "~> 0.9.2"

data/Gemfile.lock

@@ -1,19 +1,15 @@
 PATH
   remote: .
   specs:
-    omamori (0.1.0)
+    omamori (0.1.2)
       colorize (~> 0.8)
       dotenv (~> 2.0)
+      ruby-gemini-api (~> 0.1.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
     ast (2.4.3)
-    brakeman (7.0.2)
-      racc
-    bundler-audit (0.9.2)
-      bundler (>= 1.2.0, < 3)
-      thor (~> 1.0)
     colorize (0.8.1)
     diff-lcs (1.6.1)
     dotenv (2.8.1)
@@ -68,12 +64,11 @@ GEM
     rubocop-ast (1.44.1)
       parser (>= 3.3.7.2)
       prism (~> 1.4)
-    ruby-gemini-api (0.1.0)
+    ruby-gemini-api (0.1.1)
       faraday (~> 2.0)
       faraday-multipart (~> 1.0)
       json (~> 2.0)
     ruby-progressbar (1.13.0)
-    thor (1.3.2)
     unicode-display_width (3.1.4)
       unicode-emoji (~> 4.0, >= 4.0.4)
     unicode-emoji (4.0.4)
@@ -84,14 +79,11 @@ PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
-  brakeman (~> 7.0)
   bundler (~> 2.0)
-  bundler-audit (~> 0.9.2)
   omamori!
   rake (~> 13.0)
   rspec (~> 3.0)
   rubocop (~> 1.0)
-  ruby-gemini-api (~> 0.1.0)
 
 BUNDLED WITH
    2.5.17

data/lib/omamori/ai_analysis_engine/gemini_client.rb

@@ -18,7 +18,8 @@ module Omamori
           response = @client.generate_content(
             prompt,
             model: model,
-            response_schema: json_schema # Use response_schema for Structured Output
+            response_schema: json_schema, # Use response_schema for Structured Output
+            temperature: 0.0
           )
 
           # Debug: Inspect the response object

data/lib/omamori/ai_analysis_engine/prompt_manager.rb

@@ -5,7 +5,7 @@ module Omamori
     class PromptManager
       # TODO: Load prompt templates from config file
     DEFAULT_PROMPT_TEMPLATE = <<~TEXT
-      You are a security expert specializing in Ruby. Analyze the following code and detect any potential security risks.
+      You are a security expert specializing in Ruby. Analyze the following code and detect any potential security risks. Think step by step.
       Focus particularly on identifying the following types of vulnerabilities: %{risk_list}
       Report any detected risks in the format specified by the following JSON Schema:
       %{json_schema}
@@ -16,43 +16,77 @@ module Omamori
       %{code_content}
     TEXT
 
+# dangerous_eval の説明、脆弱なRubyコード例、検出ステップ（導入文付き）を定義する文字列
+dangerous_eval_prompt = <<~PROMPT
+  Dangerous Code Execution (eval, exec): Dynamic code execution using untrusted input, allowing arbitrary code injection.
 
+  **Vulnerable Ruby Code Examples:**
+  ```ruby
+  # Direct eval of user input (e.g., from HTTP parameters like params[:user_code])
+  result = eval(params[:user_code])
+
+  # User input embedded in evaluated string (String interpolation)
+  log_message = "User action: \#{params[:action]}"
+  # Even if log_message seems harmless, injecting code like "'); malicious_code; # " might be possible
+  eval("log('\#{log_message}')") # Note: Interpolation inside eval string needs care with escaping
+
+  # OS Command injection via system() or backticks (`) using user input
+  # Assumes params[:directory] or params[:filename] comes directly from user input
+  output = `ls \#{params[:directory]}` # User input determines command executed
+  system("process_file.sh \#{params[:filename]}") # User input determines command argument
+
+  # Dynamic method invocation using send() or public_send() with user-controlled method names or arguments
+  # Assumes params[:method_name] or params[:argument] comes from user input
+  target_object = SomeClass.new
+  target_object.send(params[:method_name], params[:argument]) # User can potentially call dangerous methods
+
+  # Using instance_eval or class_eval with user-provided code strings
+  user_script = params[:custom_script]
+  some_object.instance_eval(user_script) # Executes arbitrary Ruby code in the object's context
+  To detect code vulnerable to Dangerous Code Execution like the examples provided above, perform the following detection steps:
+
+  Search for methods enabling dynamic code execution in Ruby code (e.g., eval, instance_eval, class_eval, send, public_send, system, exec, backticks `).
+  Check if arguments passed to these methods originate from or are directly influenced by external untrusted input (e.g., HTTP request parameters params, data from files, network responses). Look for patterns similar to the vulnerable Ruby examples shown above.
+  Verify if user input is rigorously sanitized or validated specifically to prevent code injection vectors before being used in these methods. Standard escaping for HTML (like XSS prevention) is not sufficient here. Check if execution is restricted only to a predefined, absolutely safe allowlist of commands or methods if dynamic execution cannot be avoided.
+  Assess if safer alternatives exist that can achieve the same functionality without dynamic code execution. Examples include using Hash lookups for dispatching actions, case statements based on input values, leveraging safe templating engines, or using specific library functions designed for the task instead of generic execution methods. 
+  PROMPT
+    
       RISK_PROMPTS = {
-        xss: "Cross-Site Scripting (XSS): A vulnerability where user input is not properly escaped and is embedded into HTML or JavaScript, leading to arbitrary script execution in the victim’s browser. Look for unsanitized input and missing output encoding.",
-        csrf: "Cross-Site Request Forgery (CSRF): An attack that forces an authenticated user to perform unwanted actions via forged requests. Detect missing CSRF tokens or absence of referer/origin validation.",
-        idor: "Insecure Direct Object Reference (IDOR): Occurs when object identifiers (e.g., IDs) are exposed and access control is missing, allowing unauthorized access to other users’ data.",
-        open_redirect: "Open Redirect: Redirecting users to external URLs based on user-supplied input without proper validation. Check for lack of domain or whitelist restrictions.",
-        ssrf: "Server-Side Request Forgery (SSRF): The server makes HTTP requests to an arbitrary destination supplied by the user, potentially exposing internal resources or metadata.",
-        session_fixation: "Session Fixation: The server accepts a pre-supplied session ID, allowing an attacker to hijack the session after authentication. Look for missing session ID regeneration after login.",
-        inappropriate_cookie_attributes: "Insecure Cookie Attributes: Missing HttpOnly, Secure, or SameSite flags, which may lead to session theft or CSRF.",
-        insufficient_encryption: "Insufficient Encryption: Use of weak algorithms (e.g., MD5, SHA1) or lack of encryption for sensitive data. Check for insecure hash functions or plain-text handling.",
-        insecure_deserialization_rce: "Insecure Deserialization leading to RCE: Deserializing untrusted data can lead to arbitrary code execution. Detect unsafe use of deserialization functions without validation.",
-        directory_traversal: "Directory Traversal: Allows attackers to access files outside the intended directory using ../ patterns. Check for path manipulation and missing canonicalization.",
-        dangerous_eval: "Dangerous Code Execution (eval, exec): Dynamic code execution using untrusted input, allowing arbitrary code injection.",
-        inappropriate_file_permissions: "Insecure File Permissions: Files or directories with overly permissive modes (e.g., 777), allowing unauthorized read/write/execute access.",
-        temporary_backup_file_leak: "Temporary or Backup File Exposure: Sensitive files like .bak, .tmp, or ~ versions are publicly accessible due to poor file handling.",
-        overly_detailed_errors: "Excessive Error Information Disclosure: Stack traces or internal error messages exposed to users, leaking implementation details.",
-        csp_not_set: "Missing Content Security Policy (CSP): Absence of CSP headers increases risk of XSS. Look for missing Content-Security-Policy header.",
-        mime_sniffing_vulnerability: "MIME Sniffing Vulnerability: Missing X-Content-Type-Options: nosniff header can allow browsers to misinterpret content types.",
-        clickjacking_vulnerability: "Clickjacking Protection Missing: Absence of X-Frame-Options or frame-ancestors directive allows malicious framing of pages.",
-        auto_index_exposure: "Auto Indexing Enabled: Directory listing is active, exposing files and internal structure to users.",
-        inappropriate_password_policy: "Weak Password Policy: Inadequate rules such as short length, lack of complexity, or missing brute-force protections.",
-        two_factor_auth_missing: "Missing Two-Factor Authentication (2FA): Lack of secondary authentication factor for sensitive operations.",
-        race_condition: "Race Condition: Concurrent access without proper locking can lead to inconsistent states or privilege escalation.",
-        server_error_information_exposure: "Server Error Information Exposure: Internal errors (e.g., 500) reveal stack traces or server information in responses.",
-        dependency_trojan_package: "Dependency Trojan Package Risk: Installation of malicious or typosquatted packages from untrusted sources.",
-        api_overexposure: "Excessive API Exposure: Public APIs exposed without authentication, leading to data leakage or unauthorized access.",
-        security_middleware_disabled: "Security Middleware Disabled: Important protections (e.g., CSRF tokens, input sanitization) are turned off or removed.",
-        security_header_inconsistency: "Security Header Inconsistency: Inconsistent or missing security headers across environments or routes.",
-        excessive_login_attempts: "Excessive Login Attempts Allowed: Lack of rate limiting allows brute-force login attempts.",
-        inappropriate_cache_settings: "Insecure Cache Settings: Sensitive pages are cached publicly (e.g., with Cache-Control: public), risking data leakage.",
-        secret_key_committed: "Secret Key Committed to Repository: Credentials, JWT secrets, or API keys are hardcoded or pushed to version control.",
-        third_party_script_validation_missing: "Missing Validation for Third-Party Scripts: External scripts are loaded without integrity checks (e.g., Subresource Integrity).",
-        over_logging: "Over-Logging: Logging sensitive information such as passwords, tokens, or personal data.",
-        fail_open_design: "Fail-Open Design: On error or exception, access is granted instead of safely denied.",
-        environment_differences: "Uncontrolled Environment Differences: Security settings differ between development and production without strict controls.",
-        audit_log_missing: "Missing Audit Logging: Lack of logging for critical actions or authorization checks prevents accountability.",
-        time_based_side_channel: "Time-Based Side Channel: Execution time differences can leak secrets (e.g., timing attacks in string comparison)."
+        xss: "Cross-Site Scripting (XSS): A vulnerability where user input is not properly escaped and is embedded into HTML or JavaScript, leading to arbitrary script execution in the victim's browser. Detection steps: 1) Identify where user input is output to HTML/JS context. 2) Check if proper encoding/escaping is applied (e.g., html_safe, raw, sanitize, escape_javascript). 3) Look for unsafe methods that bypass default Rails escaping (html_safe, raw, <%==). 4) Examine JavaScript that incorporates user input via template interpolation. 5) Check for improper content-type headers that might enable XSS. 6) Verify if user input is passed to eval(), setTimeout(), document.write() or DOM manipulation functions. 7) Look for attribute injection possibilities where user input sets HTML attributes.",
+        csrf: "Cross-Site Request Forgery (CSRF): An attack that forces an authenticated user to perform unwanted actions via forged requests. Detection steps: 1) Check if CSRF protection is disabled globally or for specific controllers/actions (skip_before_action :verify_authenticity_token). 2) Look for APIs or endpoints that handle state-changing operations (POST, PUT, DELETE methods). 3) Verify if authenticity tokens are properly validated for forms and AJAX requests. 4) Check if the application relies solely on cookies for authentication without additional CSRF protection. 5) Look for custom CSRF protection implementations that might be incomplete. 6) Verify if SameSite cookie attributes are properly set. 7) Check if the application validates the Origin or Referer header for cross-origin requests.",
+        idor: "Insecure Direct Object Reference (IDOR): Occurs when object identifiers (e.g., IDs) are exposed and access control is missing, allowing unauthorized access to other users' data. Detection steps: 1) Identify endpoints that access data using user-supplied identifiers (e.g., params[:id]). 2) Check if proper authorization checks exist before accessing the data (e.g., current_user.orders vs Order.find). 3) Look for functions retrieving data without verifying the current user's ownership or access rights. 4) Check for sequential or predictable IDs that can be enumerated. 5) Verify if sensitive operations verify resource ownership before modifications. 6) Look for authorization checks that can be bypassed through parameter manipulation. 7) Examine APIs that return data based on user-supplied identifiers.",
+        open_redirect: "Open Redirect: Redirecting users to external URLs based on user-supplied input without proper validation. Detection steps: 1) Identify redirect methods or functions (redirect_to, headers['Location'], response.redirect, etc.). 2) Check if the redirect URL or destination can be controlled by user input. 3) Verify if there is proper validation of the redirect URL to prevent external redirects. 4) Look for validation patterns that only check for URL prefixes that could be bypassed. 5) Check if the code restricts redirects to only allowed domains or uses relative paths. 6) Watch for URL manipulation techniques that might bypass validation (using //, additional domains in path, URL encoding).",
+        ssrf: "Server-Side Request Forgery (SSRF): The server makes HTTP requests to an arbitrary destination supplied by the user, potentially exposing internal resources or metadata. Detection steps: 1) Identify code that makes network requests (HTTP, TCP, etc.). 2) Check if the URL or destination can be influenced by user input. 3) Verify if there is proper validation of user-supplied URLs or IPs to prevent access to internal resources. 4) Look for use of libraries like Net::HTTP, open-uri, rest-client, faraday, or HTTP clients where the URL is constructed dynamically. 5) Check if the code restricts requests to only allowed domains or IP ranges.",
+        session_fixation: "Session Fixation: The server accepts a pre-supplied session ID, allowing an attacker to hijack the session after authentication. Detection steps: 1) Check if the application regenerates session IDs upon authentication (reset_session, new session creation). 2) Look for login methods that don't rotate session identifiers. 3) Examine session management code for proper session invalidation after login/logout. 4) Verify if the application accepts externally provided session identifiers. 5) Check if cookie settings include proper security flags (HttpOnly, Secure, SameSite). 6) Examine how session state is maintained across privilege changes (e.g., becoming admin). 7) Look for custom session handling that bypasses Rails' built-in protection mechanisms.",
+        inappropriate_cookie_attributes: "Insecure Cookie Attributes: Missing HttpOnly, Secure, or SameSite flags, which may lead to session theft or CSRF. Detection steps: 1) Examine cookie configuration in session store settings. 2) Check for explicit cookie setting in controllers with cookies[:name] assignments. 3) Verify if sensitive cookies have the HttpOnly flag to prevent JavaScript access. 4) Check if cookies transmitting sensitive data have the Secure flag to prevent transmission over HTTP. 5) Verify if cookies have appropriate SameSite attribute (Strict, Lax, or None with Secure) to prevent CSRF and information leakage. 6) Look for custom session management that might not set proper cookie attributes. 7) Check if cookie expiration times are appropriate for the sensitivity of the data they contain.",
+        insufficient_encryption: "Insufficient Encryption: Use of weak algorithms (e.g., MD5, SHA1) or lack of encryption for sensitive data. Check for insecure hash functions or plain-text handling. Detection steps: 1) Identify code handling sensitive data (passwords, API keys, PII). 2) Check if data at rest (database) or in transit (network) is encrypted. 3) Identify algorithms used for hashing/encryption (e.g., Digest::MD5, Digest::SHA1). 4) Verify if algorithms meet current security standards (e.g., bcrypt, scrypt, SHA-256+ for hashing; AES for encryption). 5) Check secure management of encryption keys.",
+        insecure_deserialization_rce: "Insecure Deserialization leading to RCE: Deserializing untrusted data can lead to arbitrary code execution. Detect unsafe use of deserialization functions without validation. Detection steps: 1) Locate code performing deserialization (e.g., Marshal.load, YAML.load, JSON.parse). 2) Determine if the input data comes from untrusted sources (user input, network). 3) Verify if the data is validated or sanitized before deserialization. 4) Check if safe alternatives are used (e.g., YAML.safe_load, JSON.parse with appropriate options). 5) Analyze custom deserializers for vulnerabilities.",
+        directory_traversal: "Directory Traversal: Allows attackers to access files outside the intended directory using ../ patterns. Check for path manipulation and missing canonicalization. Detection steps: 1) Identify code accessing the file system using paths derived from user input. 2) Check if user input influencing file paths is sanitized (e.g., removing '../'). 3) Verify if path canonicalization functions (e.g., File.expand_path, Pathname#cleanpath) are used correctly. 4) Ensure the final path is validated to be within the intended base directory before access.",
+        dangerous_eval: "Dangerous Code Execution (eval, exec): Dynamic code execution using untrusted input, allowing arbitrary code injection. Detection steps: 1) Search for methods enabling dynamic code execution (eval, instance_eval, class_eval, send, public_send, system, exec, ` ``). 2) Check if arguments passed to these methods originate from or are influenced by user input. 3) Verify if user input is rigorously sanitized or validated before use, or if execution is restricted to safe, predefined commands/methods. 4) Assess if safer alternatives can replace dynamic execution.",
+        inappropriate_file_permissions: "Insecure File Permissions: Files or directories with overly permissive modes (e.g., 777), allowing unauthorized read/write/execute access. Detection steps: 1) Find code that creates files/directories or changes permissions (e.g., FileUtils.chmod, File.chmod, Dir.mkdir with mode). 2) Examine the permission modes being set (e.g., 0777, 0666). 3) Evaluate if permissions follow the principle of least privilege, especially avoiding world-writable (o+w) or world-readable (o+r) for sensitive files. 4) Check permissions of configuration files, log files, and uploaded files.",
+        temporary_backup_file_leak: "Temporary or Backup File Exposure: Sensitive files like .bak, .tmp, or ~ versions are publicly accessible due to poor file handling. Detection steps: 1) Identify logic creating temporary or backup files. 2) Check if common backup extensions (.bak, .tmp, ~, .old) are used. 3) Verify these files are not created within web-accessible directories. 4) Ensure temporary/backup files are securely deleted after use. 5) Check if .gitignore excludes these file patterns.",
+        overly_detailed_errors: "Excessive Error Information Disclosure: Stack traces or internal error messages exposed to users, leaking implementation details. Detection steps: 1) Examine error handling code (rescue blocks, error page rendering). 2) Check error messages displayed to users in the production environment. 3) Verify that stack traces, internal paths, database queries, or configuration details are not included in user-facing errors. 4) Confirm framework settings disable detailed errors in production (e.g., Rails `config.consider_all_requests_local = false`). 5) Ensure generic errors are shown to users, while details are logged server-side.",
+        csp_not_set: "Missing Content Security Policy (CSP): Absence of CSP headers increases risk of XSS. Look for missing Content-Security-Policy header. Detection steps: 1) Identify code setting HTTP response headers (middleware, controllers). 2) Check for the presence of the `Content-Security-Policy` header. 3) If missing or policy is overly permissive (e.g., includes 'unsafe-inline', 'unsafe-eval', '*'), report as risk. 4) Check framework CSP configuration mechanisms (e.g., Rails `config.content_security_policy`).",
+        mime_sniffing_vulnerability: "MIME Sniffing Vulnerability: Missing X-Content-Type-Options: nosniff header can allow browsers to misinterpret content types. Detection steps: 1) Identify code setting HTTP response headers. 2) Check for the presence of the `X-Content-Type-Options` header. 3) If the header is missing or its value is not exactly `nosniff`, report as risk. 4) Check framework defaults or security middleware for automatic inclusion.",
+        clickjacking_vulnerability: "Clickjacking Protection Missing: Absence of X-Frame-Options or frame-ancestors directive allows malicious framing of pages. Detection steps: 1) Identify code setting HTTP response headers. 2) Check for the `X-Frame-Options` header (e.g., `DENY`, `SAMEORIGIN`). 3) Alternatively, check for the `frame-ancestors` directive in the `Content-Security-Policy` header (e.g., `'none'`, `'self'`). 4) If neither is present or configured securely, report as risk. 5) Check framework defaults or security middleware.",
+        auto_index_exposure: "Auto Indexing Enabled: Directory listing is active, exposing files and internal structure to users. Detection steps: 1) Review web server configuration files (Nginx, Apache). 2) Look for directives enabling directory listing (e.g., Apache `Options +Indexes`, Nginx `autoindex on`). 3) Check if directory listing is unintentionally enabled for specific locations. 4) If the application framework serves static files, ensure its directory listing feature is disabled.",
+        inappropriate_password_policy: "Weak Password Policy: Inadequate rules such as short length, lack of complexity, or missing brute-force protections. Detection steps: 1) Locate code related to password setting/changing. 2) Check validation logic for minimum length, complexity requirements (character types). 3) Verify if checks against common weak passwords (dictionaries, patterns) exist. 4) Look for enforcement of password history (reuse prevention) and expiration. 5) Check for related brute-force protection (see `excessive_login_attempts`).",
+        two_factor_auth_missing: "Missing Two-Factor Authentication (2FA): Lack of secondary authentication factor for sensitive operations. Detection steps: 1) Identify login process and code for sensitive operations (e.g., profile change, payment). 2) Check if a second factor (SMS, TOTP, key) is required beyond the password. 3) Look for 2FA setup and management features. 4) Determine if 2FA is mandatory or optional for users.",
+        race_condition: "Race Condition: Concurrent access without proper locking can lead to inconsistent states or privilege escalation. Detection steps: 1) Identify code accessing shared resources (database records, files, cache). 2) Find sections where multiple threads/processes might read/write concurrently. 3) Look for non-atomic check-then-act patterns. 4) Verify use of proper locking mechanisms (database transactions, Mutex, file locks). 5) Focus on critical operations like balance updates, inventory control.",
+        server_error_information_exposure: "Server Error Information Exposure: Internal errors (e.g., 500) reveal stack traces or server information in responses. Detection steps: 1) Examine error handling for server-side errors (e.g., HTTP 500). 2) Check the content of error responses sent to the client in production. 3) Verify that server-specific information (software type/version, OS details) is not included. 4) Check server configuration to suppress revealing headers (e.g., `Server` header; Nginx `server_tokens off;`). 5) Ensure detailed errors are logged only, with generic messages shown to users. (Similar to `overly_detailed_errors` but focusing on server info).",
+        dependency_trojan_package: "Dependency Trojan Package Risk: Installation of malicious or typosquatted packages from untrusted sources. Detection steps: 1) Review dependency files (`Gemfile`, `Gemfile.lock`). 2) Scan the list of Gems for typosquatting or unfamiliar names. 3) Check Gem sources (avoid untrusted Git repos if possible). 4) Investigate reputation and maintenance status of less-known Gems. 5) Ensure `Gemfile.lock` is committed to version control. 6) Check if dependency scanning tools (e.g., `bundler-audit`) are used.",
+        api_overexposure: "Excessive API Exposure: Public APIs exposed without authentication, leading to data leakage or unauthorized access. Detection steps: 1) Identify all API endpoint definitions. 2) Verify that appropriate authentication and authorization checks are applied to each endpoint. 3) Check if rate limiting or access controls are in place, even for public APIs. 4) Ensure sensitive data or internal-only information is not returned by unauthenticated endpoints. 5) Review API documentation for unintended exposure.",
+        security_middleware_disabled: "Security Middleware Disabled: Important protections (e.g., CSRF tokens, input sanitization) are turned off or removed. Detection steps: 1) Review framework initialization and configuration files. 2) Look for intentional disabling or removal of standard security middleware (e.g., CSRF protection, secure session handling). 3) Check for route-specific or controller-specific disabling of security features (e.g., `skip_before_action :verify_authenticity_token`) and evaluate the justification.",
+        security_header_inconsistency: "Security Header Inconsistency: Inconsistent or missing security headers across environments or routes. Detection steps: 1) Locate code setting security headers (CSP, X-Frame-Options, HSTS, etc.). 2) Compare header settings across different environments (dev, staging, prod), ensuring production is not weaker. 3) Verify consistent application of headers across different routes/pages within the application. 4) Check for conflicts if headers are set in multiple places (middleware, reverse proxy).",
+        excessive_login_attempts: "Excessive Login Attempts Allowed: Lack of rate limiting allows brute-force login attempts. Detection steps: 1) Identify the login authentication code. 2) Check for logic that counts and limits login attempts per account and/or IP address within a time window. 3) Verify that countermeasures (account lockout, CAPTCHA, delay) are triggered upon exceeding the limit. 4) Check configuration of rate-limiting libraries (e.g., `rack-attack`). 5) Ensure similar limits exist for password reset functions.",
+        inappropriate_cache_settings: "Insecure Cache Settings: Sensitive pages are cached publicly (e.g., with Cache-Control: public), risking data leakage. Detection steps: 1) Identify code setting `Cache-Control` or `Pragma` headers. 2) Locate code generating pages containing user-specific or sensitive data. 3) Ensure these pages have restrictive cache directives (`private`, `no-store`, `no-cache`). 4) Look for inappropriate use of `public` or long `max-age`. 5) Review framework caching (page, action, fragment) usage for sensitive content. 6) Consider cache settings in reverse proxies/CDNs.",
+        secret_key_committed: "Secret Key Committed to Repository: Credentials, JWT secrets, or API keys are hardcoded or pushed to version control. Detection steps: 1) Scan codebase for hardcoded secrets (passwords, API keys, tokens). 2) Review configuration files (`database.yml`, `secrets.yml`, `.env`) for secrets and ensure they are gitignored if present. 3) Verify secrets are loaded from environment variables or dedicated secret management systems. 4) Scan version control history for accidentally committed secrets (and rotate if found). 5) Consider using secret scanning tools (e.g., `truffleHog`, `gitleaks`).",
+        third_party_script_validation_missing: 'Missing Validation for Third-Party Scripts: External scripts are loaded without integrity checks (e.g., Subresource Integrity). Detection steps: 1) Find HTML templates loading external JS/CSS (`<script src="...">`, `<link href="...">`). 2) Check if these tags include the `integrity` attribute (for SRI). 3) Report as risk if `integrity` attribute is missing or empty. 4) Verify the `crossorigin="anonymous"` attribute is also present when using SRI. 5) Check dynamically loaded scripts for similar integrity validation mechanisms.',
+        over_logging: "Over-Logging: Logging sensitive information such as passwords, tokens, or personal data. Detection steps: 1) Identify all logging statements (`Rails.logger.*`, `puts`, etc.). 2) Examine the data being logged. 3) Check specifically for sensitive data like passwords, tokens, API keys, PII, credit card numbers. 4) Pay attention to logging of entire request parameters or exception objects. 5) Verify framework parameter filtering (e.g., Rails `config.filter_parameters`) is configured correctly to mask sensitive fields.",
+        fail_open_design: "Fail-Open Design: On error or exception, access is granted instead of safely denied. Detection steps: 1) Identify security check code (authentication, authorization, access control). 2) Examine behavior within exception handling blocks (`rescue`). 3) Verify that exceptions during security checks default to denying access (fail-close/fail-safe), not granting it. 4) Look for checks where an error state might be misinterpreted as permissive. 5) Ensure critical operations use transactions and roll back safely on error.",
+        environment_differences: "Uncontrolled Environment Differences: Security settings differ between development and production without strict controls. Detection steps: 1) Compare configuration files across environments (`environments/development.rb` vs `environments/production.rb`). 2) Identify differences in security settings (error reporting, SSL, headers, auth). 3) Evaluate if differences weaken security in production. 4) Check for a process to manage and review environment-specific configurations. 5) Consider potential infrastructure differences (firewalls, server settings).",
+        audit_log_missing: "Missing Audit Logging: Lack of logging for critical actions or authorization checks prevents accountability. Detection steps: 1) Identify code performing critical actions (login, permission change, sensitive data access/modification, config change). 2) Verify these actions generate logs including who (user), when (timestamp), what (action/resource), result (success/fail), and where (IP address). 3) Check if authentication successes/failures and authorization failures are logged. 4) Assess if logs are stored securely and retained appropriately. 5) Ensure log format is consistent and useful for monitoring.",
+        time_based_side_channel: "Time-Based Side Channel: Execution time differences can leak secrets (e.g., timing attacks in string comparison). Detection steps: 1) Locate code comparing secret values (passwords, tokens, API keys). 2) Check if standard comparison operators (`==`) are used for secrets. 3) Verify use of constant-time comparison functions (e.g., `ActiveSupport::SecurityUtils.secure_compare`, `Rack::Utils.secure_compare`). 4) Analyze cryptographic operations for potential timing leaks (may depend on library implementation). 5) Consider if database query times varying based on input could leak information."
       }.freeze
       
 

data/lib/omamori/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Omamori
-  VERSION = "0.1.1"
+  VERSION = "0.1.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omamori
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - rira100000000
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2025-04-29 00:00:00.000000000 Z
+date: 2025-05-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: ruby-gemini-api
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.1
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -94,20 +108,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: ruby-gemini-api
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.1.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.1.0
 description: omamori scans Ruby code and diffs using AI (Google Gemini) to detect
   security vulnerabilities often missed by traditional tools.
 email:
@@ -130,14 +130,6 @@ files:
 - demo/open_redirect_vulnerability.rb
 - demo/static_analysis_vulnerability.rb
 - demo/xss_vulnerability.rb
-- demo_/ai_analysis_vulnerability.rb
-- demo_/csrf_vulnerability.rb
-- demo_/eval_vulnerability.rb
-- demo_/idor_vulnerability.rb
-- demo_/insecure_cookie_vulnerability.rb
-- demo_/open_redirect_vulnerability.rb
-- demo_/static_analysis_vulnerability.rb
-- demo_/xss_vulnerability.rb
 - exe/omamori
 - lib/omamori.rb
 - lib/omamori/ai_analysis_engine/diff_splitter.rb

data/demo_/ai_analysis_vulnerability.rb

@@ -1,28 +0,0 @@
-# This file contains vulnerabilities that AI analysis can help detect.
-
-require 'net/http'
-require 'uri'
-
-API_KEY = "HARDCODED_SECRET_API_KEY_12345" # Hardcoded sensitive information
-
-def fetch_data(user_input)
-  # Insufficient input validation
-  if user_input.length > 100
-    puts "Input too long, truncating."
-    user_input = user_input[0..99]
-  end
-
-  uri = URI("https://api.example.com/data?query=#{user_input}&api_key=#{API_KEY}")
-  response = Net::HTTP.get_response(uri)
-
-  if response.is_a?(Net::HTTPSuccess)
-    puts "Data fetched successfully: #{response.body}"
-  else
-    # Poor error handling - reveals internal details
-    puts "Error fetching data: #{response.code} - #{response.message}"
-  end
-end
-
-# Example usage
-# fetch_data("some data")
-# fetch_data("a" * 200) # Long input

data/demo_/csrf_vulnerability.rb

@@ -1,31 +0,0 @@
-# frozen_string_literal: true
-
-require 'sinatra'
-
-# CSRF (Cross-Site Request Forgery) の脆弱性を含むデモコード
-# フォーム送信時にCSRFトークンによる検証を行っていない例
-
-# ユーザー情報を更新する想定のPOSTエンドポイント
-post '/update_profile' do
-  # 本来はここでCSRFトークンの検証が必要だが、省略されている
-  user_id = params['user_id']
-  new_email = params['email']
-
-  # ユーザー情報の更新処理 (実際には行わない)
-  puts "ユーザー #{user_id} のメールアドレスを #{new_email} に更新しました。"
-
-  "Profile updated for user #{user_id}."
-end
-
-# 実行方法:
-# 1. このファイルを保存
-# 2. ターミナルで `ruby demo/csrf_vulnerability.rb` を実行
-# 3. 攻撃者は、このエンドポイントへのPOSTリクエストをユーザーに意図せず実行させるような細工を施したページを作成し、ユーザーを誘導する。
-#    例えば、以下のようなHTMLを含むページを別のサイトに用意する:
-#    <form action="http://localhost:4567/update_profile" method="post">
-#      <input type="hidden" name="user_id" value="123">
-#      <input type="hidden" name="email" value="attacker@example.com">
-#      <input type="submit" value="Click me!">
-#    </form>
-#    または、JavaScriptを使って自動的にPOSTリクエストを送信させる。
-#    ユーザーがログインした状態でこのページを閲覧すると、意図せずプロファイルが更新される可能性がある。

data/demo_/eval_vulnerability.rb

@@ -1,29 +0,0 @@
-# frozen_string_literal: true
-
-require 'sinatra'
-
-# 危険な eval／動的コード実行の脆弱性を含むデモコード
-# ユーザーからの入力を eval で直接評価している例
-
-get '/calculate' do
-  # ユーザーからの入力 (expression) を取得
-  expression = params['expression']
-
-  # 取得した入力を eval で評価
-  # ここにコードインジェクションの脆弱性がある
-  # 攻撃者は任意のRubyコードを実行させることが可能になる
-  begin
-    result = eval(expression)
-    "Result: #{result}"
-  rescue StandardError => e
-    status 500
-    "Error: #{e.message}"
-  end
-end
-
-# 実行方法:
-# 1. このファイルを保存
-# 2. ターミナルで `ruby demo/eval_vulnerability.rb` を実行
-# 3. ブラウザで `http://localhost:4567/calculate?expression=2%2B2` にアクセスすると "Result: 4" が表示される。
-# 4. 悪意のある入力を与える例: `http://localhost:4567/calculate?expression=system('ls%20-l')`
-#    サーバー側で `ls -l` コマンドが実行されてしまう可能性がある。

data/demo_/idor_vulnerability.rb

@@ -1,39 +0,0 @@
-# frozen_string_literal: true
-
-require 'sinatra'
-
-# IDOR (Insecure Direct Object Reference) の脆弱性を含むデモコード
-# ユーザーからの入力（ID）を直接使用してリソースにアクセスし、認可チェックを行っていない例
-
-# ユーザー情報を表示する想定のエンドポイント
-get '/user_info/:user_id' do
-  user_id = params['user_id']
-
-  # 本来はここで、リクエストを行ったユーザーが、指定された user_id の情報にアクセスする権限があるかチェックが必要だが、省略されている
-  user_data = fetch_user_data(user_id) # ユーザーIDに基づいてデータを取得する関数を想定
-
-  if user_data
-    "User Info for ID #{user_id}: #{user_data}"
-  else
-    status 404
-    "User not found."
-  end
-end
-
-# ダミーのユーザーデータ取得関数
-def fetch_user_data(user_id)
-  # 実際にはデータベースなどからデータを取得する
-  users = {
-    '101' => 'Alice',
-    '102' => 'Bob',
-    '103' => 'Charlie'
-  }
-  users[user_id]
-end
-
-# 実行方法:
-# 1. このファイルを保存
-# 2. ターミナルで `ruby demo/idor_vulnerability.rb` を実行
-# 3. ブラウザで `http://localhost:4567/user_info/101` にアクセスすると Alice の情報が表示される。
-# 4. ログインしていない、または権限のないユーザーが `http://localhost:4567/user_info/102` にアクセスすると、
-#    本来アクセス権限がないはずの Bob の情報が表示されてしまう可能性がある。

data/demo_/insecure_cookie_vulnerability.rb

@@ -1,25 +0,0 @@
-# frozen_string_literal: true
-
-require 'sinatra'
-
-# 不適切なクッキー属性（HttpOnly, Secure, SameSite 未設定）の脆弱性を含むデモコード
-# セキュリティ関連の属性が設定されていないクッキーを発行する例
-
-# ログイン成功時にセッションクッキーを発行する想定のエンドポイント
-get '/login' do
-  user_id = params['user_id'] # ダミーのユーザーID取得
-
-  # セッションIDをクッキーに設定
-  # HttpOnly, Secure, SameSite 属性が設定されていない
-  # これにより、XSS攻撃によるクッキー情報の窃盗や、CSRF攻撃のリスクが高まる
-  response.set_cookie('session_id', value: "user_#{user_id}_#{Time.now.to_i}")
-
-  "Logged in as user #{user_id}. Session cookie set."
-end
-
-# 実行方法:
-# 1. このファイルを保存
-# 2. ターミナルで `ruby demo/insecure_cookie_vulnerability.rb` を実行
-# 3. ブラウザで `http://localhost:4567/login?user_id=test_user` にアクセス
-#    開発者ツールなどでクッキーを確認すると、session_id クッキーに HttpOnly, Secure, SameSite 属性が付与されていないことがわかる。
-#    HTTPSでアクセスした場合でもSecure属性が付かない。

data/demo_/open_redirect_vulnerability.rb

@@ -1,22 +0,0 @@
-# frozen_string_literal: true
-
-require 'sinatra'
-
-# オープンリダイレクトの脆弱性を含むデモコード
-# ユーザーからの入力（URL）を検証せずにリダイレクト先に指定している例
-
-get '/redirect' do
-  # ユーザーからの入力 (url) を取得
-  redirect_url = params['url']
-
-  # 取得した入力をそのままリダイレクト先に指定
-  # ここにオープンリダイレクトの脆弱性がある
-  redirect redirect_url
-end
-
-# 実行方法:
-# 1. このファイルを保存
-# 2. ターミナルで `ruby demo/open_redirect_vulnerability.rb` を実行
-# 3. ブラウザで `http://localhost:4567/redirect?url=https://malicious-site.example.com` にアクセス
-#    悪意のあるサイトにリダイレクトされてしまう。
-#    フィッシング詐欺などに悪用される可能性がある。

data/demo_/static_analysis_vulnerability.rb

@@ -1,18 +0,0 @@
-# This file contains a vulnerability detectable by static analysis tools like Brakeman.
-
-require 'sqlite3'
-
-def find_user(username)
-  db = SQLite3::Database.open 'users.db'
-  # Vulnerable to SQL injection
-  query = "SELECT * FROM users WHERE username = '#{username}'"
-  puts "Executing query: #{query}"
-  db.execute query
-rescue SQLite3::Exception => e
-  puts "Exception occurred: #{e}"
-ensure
-  db.close if db
-end
-
-# Example usage (vulnerable)
-# find_user("' OR '1'='1")

data/demo_/xss_vulnerability.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-require 'sinatra'
-
-# XSS (Cross-Site Scripting) の脆弱性を含むデモコード
-# ユーザーからの入力を適切にエスケープせずにHTMLに出力している例
-
-get '/greet' do
-  # ユーザーからの入力 (name) を取得
-  name = params['name']
-
-  # 取得した入力をそのままHTMLに埋め込んで出力
-  # ここにXSSの脆弱性がある
-  "<h1>Hello, #{name}!</h1>"
-end
-
-# 実行方法:
-# 1. このファイルを保存
-# 2. ターミナルで `ruby demo/xss_vulnerability.rb` を実行
-# 3. ブラウザで `http://localhost:4567/greet?name=<script>alert('XSS')</script>` にアクセス
-#    アラートが表示されれば脆弱性がある