owasp-glue 0.9.0

data/lib/glue/event.rb

@@ -0,0 +1,14 @@
+# Tracks internal glue events.
+# Can be used for control, but also tracking what happens.
+class Glue::Event
+  attr_reader :parent
+  attr_accessor :path
+  attr_accessor :appname
+
+  def initialize appname, parent = nil
+  	@appname = appname
+   	@parent = parent
+   	@timestamp = Time.now
+  end
+
+end

data/lib/glue/filters.rb

@@ -0,0 +1,41 @@
+class Glue::Filters
+  @filters = []
+
+  #Add a task. This will call +_klass_.new+ when running tests
+  def self.add klass
+    @filters << klass unless @filters.include? klass
+  end
+
+  def self.filters
+    @filters
+  end
+
+  def self.initialize_filters filters_directory = ""
+    Dir.glob(File.join(filters_directory, "*.rb")).sort.each do |f|
+      require f
+    end
+  end
+
+  #No need to use this directly.
+  def initialize options = { }
+  end
+
+  #Run all the tasks on the given Tracker.
+  #Returns a new instance of tasks with the results.
+  def self.filter(tracker)
+    @filters.each do |c|
+      filter = c.new()
+      begin
+        filter.filter tracker
+      rescue => e
+        Glue.error e.message
+        tracker.error e
+      end
+    end
+  end
+end
+
+#Load all files in filters/ directory
+Dir.glob("#{File.expand_path(File.dirname(__FILE__))}/filters/*.rb").sort.each do |f|
+  require f.match(/(glue\/filters\/.*)\.rb$/)[0]
+end

data/lib/glue/filters/base_filter.rb

@@ -0,0 +1,19 @@
+class Glue::BaseFilter
+  attr_accessor :name
+  attr_accessor :description
+
+  def initialize()
+  end
+
+  def name
+    @name
+  end
+
+  def description
+    @description
+  end
+
+  def filter
+  end
+
+end

data/lib/glue/filters/jira_one_time_filter.rb

@@ -0,0 +1,57 @@
+require 'glue/filters/base_filter'
+require 'json'
+require 'curb'
+
+class Glue::JiraOneTimeFilter < Glue::BaseFilter
+
+  # Glue::Filters.add self
+
+  def initialize
+    @name = "Jira One Time Filter"
+    @description = "Checks that each issue that will be reported doesn't already exist in JIRA."
+  end
+
+  def filter tracker
+    @project = tracker.options[:jira_project.to_s]
+    @api = tracker.options[:jira_api_url.to_s]
+    @cookie = tracker.options[:jira_cookie.to_s]
+    @component = tracker.options[:jira_component.to_s]
+    @appname = tracker.options[:appname]
+
+    potential_findings = Array.new(tracker.findings)
+    tracker.findings.clear
+    potential_findings.each do |finding|
+    	if confirm_new finding
+    		tracker.report finding
+    	end
+    end
+  end
+
+  private
+  def confirm_new finding
+  	json = get_jira_query_json finding
+  	http = Curl.post("#{@api}/search", json.to_s) do |http|
+  		http.headers['Content-Type'] = "application/json"
+  		http.headers['Cookie'] = @cookie
+  	end
+  	if http.response_code != 200 # OK ...
+  		Glue.error "Problem with HTTP #{http.response_code} - #{http.body_str}"
+  	end
+
+  	result = JSON.parse(http.body_str)
+  	# Glue.error "Got back #{result} with #{result['total']}"
+
+  	if result['total'] < 1
+  		return true
+  	end
+  	return false
+  end
+
+  def get_jira_query_json finding
+    json =
+      {"jql"=>"project=#{@project} AND component='#{@component}' AND labels='#{@appname}' AND description ~ 'FINGERPRINT: #{finding.fingerprint}'"}.to_json
+    json
+  end
+end
+
+# project = APPS and component = "Automated Findings" and Labels = "service-portal" and description ~ "FINGERPRINT: bundlerauditgemsource"

data/lib/glue/filters/remove_all_filter.rb

@@ -0,0 +1,16 @@
+require 'glue/filters/base_filter'
+
+class Glue::RemoveAllFilter < Glue::BaseFilter
+
+  #Glue::Filters.add self
+
+  def initialize
+    @name = "Remove All Filter"
+    @description = "Remove all the things..."
+  end
+
+  def filter tracker
+    tracker.findings.clear
+  end
+
+end

data/lib/glue/filters/zap_consdensing_filter.rb

@@ -0,0 +1,76 @@
+require 'glue/filters/base_filter'
+
+class Glue::ZAPCondensingFilter < Glue::BaseFilter
+
+  Glue::Filters.add self
+
+  def initialize
+    @name = "ZAP Condensing Filter"
+    @description = "Consolidate N ZAP warnings to one per issue type."
+  end
+
+  def filter tracker
+    Glue.debug "Have #{tracker.findings.count} items pre ZAP filter."
+    tracker.findings.each do |finding|
+      if zap? finding
+        if xframe? finding
+          record tracker,finding
+        elsif xcontenttypeoptions? finding
+          record tracker, finding
+        elsif dirbrowsing? finding
+          record tracker, finding
+        elsif xxssprotection? finding
+          record tracker, finding
+        end
+      end
+    end
+    Glue.debug "Have #{tracker.findings.count} items post ZAP filter."
+  end
+
+  def zap? finding
+    if finding.source =~ /\AZAP/
+      return true
+    end
+    return false
+  end
+
+  def xframe? finding
+    if finding.description == "X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks."
+      return true
+    end
+    return false
+  end
+
+  def xcontenttypeoptions? finding
+    if finding.description == "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."
+      return true
+    end
+    return false
+  end
+
+  def dirbrowsing? finding
+    if finding.description == "It is possible to view the directory listing.  Directory listing may reveal hidden scripts, include files , backup source files etc which be accessed to read sensitive information."
+      return true
+    end
+    return false
+  end
+
+  def xxssprotection? finding
+    if finding.description == "Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server"
+      return true
+    end
+    return false
+  end
+
+  # Is it always true that the findings will be on the same site?
+  # For now, we can assume that.
+  # Note that this may not be an efficient way to to do this, but it seems to work as a first pass.
+  def record tracker, finding
+    tracker.findings.delete_if do |to_delete|
+      to_delete.description == finding.description
+    end
+    finding.detail << "\n\t** Consolidated ** - Potentially identified in > 1 spot."  # Make sure to note that there were
+    tracker.findings.push finding
+  end
+
+end

data/lib/glue/finding.rb

@@ -0,0 +1,52 @@
+require 'json'
+
+class Glue::Finding
+  attr_reader :appname
+  attr_reader :timestamp
+  attr_reader :severity
+  attr_reader :source
+  attr_reader :description
+  attr_reader :detail
+  attr_reader :fingerprint
+
+  def initialize appname, description, detail, source, severity, fingerprint
+  	@appname = appname
+        @timestamp = Time.now
+  	@description = description
+  	@detail = detail
+  	@source = source
+        @stringsrc = source.to_s
+  	@severity = severity
+        @fingerprint = fingerprint
+  end
+
+  def to_string
+  	s = "Finding: #{@appname}"
+        s << "\n\tDescription: #{@description}"
+        s << "\n\tTimestamp: #{@timestamp}"
+        s << "\n\tSource: #{@stringsrc}"
+        s << "\n\tSeverity: #{@severity}"
+  	s << "\n\tFingerprint:  #{@fingerprint}"
+        s << "\n\tDetail:  #{@detail}"
+  	s
+  end
+
+  def to_csv
+    s = "#{@appname},#{@description},#{@timestamp},#{@source.to_s},#{@severity},#{@fingerprint},#{@detail}\n"
+    s
+  end
+
+  def to_json
+    json = {
+     'appname' => @appname,
+     'description' => @description,
+     'fingerprint' => @fingerprint,
+     'detail' => @detail,
+     'source' => @source,
+     'severity' => @severity,
+     'timestamp' => @timestamp
+    }.to_json
+    json
+  end
+
+end

data/lib/glue/mounters.rb

@@ -0,0 +1,55 @@
+# Knows how to test file types and then defer to the helper.
+
+require 'glue/event'
+
+class Glue::Mounters
+  @mounters = []
+
+  attr_reader :target
+  attr_reader :warnings
+
+  def self.add klass
+    @mounters << klass unless @mounters.include? klass
+  end
+
+  def self.mounters
+  	@mounters
+  end
+
+  def initialize
+  	@warnings = []
+  end
+
+  def add_warning warning
+    @warnings << warning
+  end
+
+  def self.mount tracker
+  	target = tracker.options[:target]
+  	Glue.debug "Mounting target: #{target}"
+  	trigger = Glue::Event.new(tracker.options[:appname])
+  	@mounters.each do | c |
+  	  mounter = c.new trigger, tracker.options
+ 	  begin
+	  	Glue.debug "Checking about mounting #{target} with #{mounter}"
+  	    if mounter.supports? target
+	  	  Glue.notify "Mounting #{target} with #{mounter}"
+	  	  path = mounter.mount target
+	  	  Glue.notify "Mounted #{target} with #{mounter}"
+		  return path
+	  	end
+	  rescue => e
+	  	Glue.notify e.message
+	  end
+  	end
+  end
+
+   def self.get_mounter_name mounter_class
+    mounter_class.to_s.split("::").last
+  end
+end
+
+#Load all files in mounters/ directory
+Dir.glob("#{File.expand_path(File.dirname(__FILE__))}/mounters/*.rb").sort.each do |f|
+  require f.match(/(glue\/mounters\/.*)\.rb$/)[0]
+end

data/lib/glue/mounters/base_mounter.rb

@@ -0,0 +1,31 @@
+  
+class Glue::BaseMounter
+  attr_reader :errors
+  attr_reader :trigger
+  attr_accessor :name
+  attr_accessor :description
+
+  def initialize(trigger)
+    @errors = []
+    @trigger = trigger
+  end
+
+  def error error
+    @errors << error
+  end
+
+  def name
+    @name
+  end
+
+  def description
+    @description
+  end
+
+  def mount
+  end
+
+  def supports? target
+  end
+
+end

data/lib/glue/mounters/docker_mounter.rb

@@ -0,0 +1,44 @@
+require 'glue/mounters/base_mounter'
+
+class Glue::DockerMounter < Glue::BaseMounter
+
+  Glue::Mounters.add self
+
+  #Pass in path to the root of the Rails application
+  def initialize trigger, options
+  	super(trigger)
+    @options = options
+  end
+
+  def mount target
+    base = @options[:working_dir]
+    target = target.slice(0, target.length - 7)
+    working_target = base + "/docker/" + target + "/"
+    Glue.notify "Cleaning directory: #{working_target}"
+    if ! working_target.match(/\A.*\/line\/tmp\/.*/)
+      Glue.notify "Bailing in case #{working_target} is malicious."
+    else
+      result = `rm -rf #{working_target}`
+      Glue.debug result
+      result = `mkdir -p #{working_target}`
+      Glue.debug result
+      result = `docker export #{target} > #{working_target}#{target}.tar`
+      Glue.debug result
+      result = `tar -C #{working_target} -xf #{working_target}#{target}.tar`
+      Glue.debug result
+      result = `rm #{working_target}#{target}.tar`
+      Glue.debug result
+    end
+    return working_target
+  end
+
+  def supports? target
+    last = target.slice(-7,target.length)
+    Glue.debug "In Docker mounter, target: #{target} became: #{last} ... wondering if it matched .docker"
+    if last === ".docker"
+      return true
+    else
+      return false
+    end
+  end
+end

data/lib/glue/mounters/filesystem_mounter.rb

@@ -0,0 +1,20 @@
+require 'glue/mounters/base_mounter'
+
+class Glue::FileSystemMounter < Glue::BaseMounter
+  Glue::Mounters.add self
+
+  def initialize trigger, options
+    super(trigger)
+    @options = options
+    @name = "FileSystem"
+    @description = "Mount a file via normal file system commands."
+  end
+
+  def mount target
+    return target
+  end
+
+  def supports? target
+    File.directory? target
+  end
+end

data/lib/glue/mounters/git_mounter.rb

@@ -0,0 +1,52 @@
+require 'glue/mounters/base_mounter'
+require 'fileutils'
+
+class Glue::GitMounter < Glue::BaseMounter
+
+  Glue::Mounters.add self
+
+  def initialize trigger, options
+    super(trigger)
+    @options = options
+    @name = "Git"
+    @description = "Pull a repo."
+  end
+
+  def mount target
+    base = @options[:working_dir]
+
+    Glue.debug "Making base."
+    FileUtils.mkdir_p base
+
+    # Grap the path part of the git url.
+    protocol, path, suffix = target.match(/\A(.*\/\/)(.*)(.git)\z/i).captures
+    working_target = File.expand_path(base + "" + path + "/")
+
+    Glue.notify "Cleaning directory: #{working_target}"
+    if ! Dir.exists? working_target
+      Glue.notify "#{working_target} is not a directory."
+      FileUtils.mkdir_p working_target
+    else
+      Glue.debug "Removing : #{working_target}"
+      FileUtils.rm_rf working_target
+      FileUtils.mkdir_p working_target
+    end
+      # result = `rm -rf #{working_target}`
+      # puts result
+    Glue.debug "Cloning into: #{working_target}"
+    result = `git clone -q #{target} #{working_target}`
+    # puts result
+    #end
+    return working_target
+  end
+
+  def supports? target
+    last = target.slice(-4,target.length)
+    if last === ".git"
+      return true
+    else
+      return false
+    end
+  end
+
+end