pwn 0.4.925 → 0.4.926

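--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 95e29f47258340a1f26b4f8f3f990493a12ff14a285ce4916227df7464290b7b
- data.tar.gz: e3f2a000c0cd47f4546e20526262bb4d42e47915b1c3e24278415f891a3744f3
+ metadata.gz: 49492aee847341ef09e634d752652f813666ab6c751b1e7103630f5e30895c6a
+ data.tar.gz: 65e9cc6e778a4d42dac69f2f23ba2ccee0549be77cec59329dcddb6f57da16fe
  SHA512:
- metadata.gz: 3b20f15f1d8aacf2f4928879499359c91f43e6ea8d3382862ec333319fe32d91ed34571951cef586bfd837a6cf744556d103fdec4ed466b10a1cf5c53c52551d
- data.tar.gz: f10e765c037523abb3478aa7785045e746f2a4d50e644a7d08959bc96a867d1e9d8a2ac407fa0df93149c7dfccedaeea24dd9d56d4560e113915f03036d5e259
+ metadata.gz: 0af9375c6443bc146f3ddfd60a8b67c825ec581bccdf54cc6a4ca8cbb16bf7d47adda650de64e8c9084632a10f45f22fcc06231f3a38d4893a427ba15ef54b86
+ data.tar.gz: 718927c0bbf3d43a49e90996f63bdfd3ddaed3baf92910e473fe27fa654646f8b8d4146dc350e5bcaf9eab1a920b2950924cb101b03a3658e5723e9c8d608a8b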
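--- a/data/Gemfile
+++ b/data/Gemfile
@@ -69,7 +69,7 @@ gem 'rmagick', '5.3.0'
  gem 'rqrcode', '2.2.0'
  gem 'rspec', '3.12.0'
  gem 'rtesseract', '3.1.3'
- gem 'rubocop', '1.56.4'
+ gem 'rubocop', '1.57.0'
  gem 'rubocop-rake', '0.6.0'
  gem 'rubocop-rspec', '2.24.1'
  gem 'ruby-audio', '1.6.1'
@@ -83,7 +83,7 @@ gem 'sinatra', '3.1.0'
  gem 'slack-ruby-client', '2.2.0'
  gem 'socksify', '1.7.1'
  gem 'spreadsheet', '1.3.0'
- gem 'sqlite3', '1.6.6'
+ gem 'sqlite3', '1.6.7'
  gem 'thin', '1.8.2'
  gem 'tty-prompt', '0.23.1'
  gem 'tty-spinner', '0.9.3'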
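--- a/data/README.md
+++ b/data/README.md
@@ -37,7 +37,7 @@ $ rvm use ruby-3.2.2@pwn
  $ rvm list gemsets
  $ gem install --verbose pwn
  $ pwn
- pwn[v0.4.925]:001 >>> PWN.help
+ pwn[v0.4.926]:001 >>> PWN.help
  ```
 
  If you're using a multi-user install of RVM do:
@@ -48,7 +48,7 @@ $ rvm use ruby-3.2.2@pwn
  $ rvm list gemsets
  $ rvmsudo gem install --verbose pwn
  $ pwn
- pwn[v0.4.925]:001 >>> PWN.help
+ pwn[v0.4.926]:001 >>> PWN.help
  ```
 
  [![Installing the pwn Security Automation Framework](https://raw.githubusercontent.com/0dayInc/pwn/master/documentation/pwn_install.png)](https://youtu.be/G7iLUY4FzsI)
@@ -63,7 +63,7 @@ $ rvm use ruby-3.2.2@pwn
  $ gem uninstall --all --executables pwn
  $ gem install --verbose pwn
  $ pwn
- pwn[v0.4.925]:001 >>> PWN.help
+ pwn[v0.4.926]:001 >>> PWN.help
  ```
 
  If you're using a multi-user install of RVM do:
@@ -73,7 +73,7 @@ $ rvm use ruby-3.2.2@pwn
  $ rvmsudo gem uninstall --all --executables pwn
  $ rvmsudo gem install --verbose pwn
  $ pwn
- pwn[v0.4.925]:001 >>> PWN.help
+ pwn[v0.4.926]:001 >>> PWN.help
  ```
 
 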
data/bin/pwn_sast CHANGED
@@ -113,6 +113,7 @@ begin
113
113
  TaskTag
114
114
  ThrowErrors
115
115
  Token
116
+ TypeScriptTypeJuggling
116
117
  Version
117
118
  WindowLocationHash
118
119
  ]
@@ -34,8 +34,11 @@ module PWN
34
34
 
35
35
  test_case_filter = "
36
36
  grep -Fn \
37
- -e '==' #{entry} \ |
38
- grep -v '==='
37
+ -e '==' \
38
+ -e '!=' #{entry} \ |
39
+ grep -v \
40
+ -e '===' \
41
+ -e '!==' \
39
42
  "
40
43
 
41
44
  str = `#{test_case_filter}`.to_s.scrub
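Review bot: `#{entry}` is still interpolated unquoted into the string that the last context line runs through backticks, so a scanned file whose name contains spaces or shell metacharacters is parsed by the shell instead of reaching grep as a single path. Because the scanner walks source trees it does not control, the path should be escaped and separated from the options, e.g. `-e '!=' -- #{Shellwords.escape(entry)} \ |` with `require 'shellwords'` at the top of the file, or both greps should be run through `Open3` with argument arrays. The same pattern is present in the new TypeScriptTypeJuggling module added in the next hunk (its lines 29-30 and 35-44). Separately, `grep -v` discards a whole line as soon as it contains `===` or `!==`, so a line that mixes a loose and a strict comparison is never reported. The enclosing method starts and ends outside this hunk.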
@@ -0,0 +1,147 @@
1
+ # frozen_string_literal: false
2
+
3
+ require 'socket'
4
+
5
+ module PWN
6
+ module SAST
7
+ # SAST Module used to identify loose comparisons
8
+ # (i.e. == instead of ===) within TypeScript source code.
9
+ module TypeScriptTypeJuggling
10
+ @@logger = PWN::Plugins::PWNLogger.create
11
+
12
+ # Supported Method Parameters::
13
+ # PWN::SAST::TypeScriptTypeJuggling.scan(
14
+ # dir_path: 'optional path to dir defaults to .'
15
+ # git_repo_root_uri: 'optional http uri of git repo scanned'
16
+ # )
17
+
18
+ public_class_method def self.scan(opts = {})
19
+ dir_path = opts[:dir_path]
20
+ git_repo_root_uri = opts[:git_repo_root_uri].to_s.scrub
21
+ result_arr = []
22
+ logger_results = ''
23
+
24
+ PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
25
+ if (File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/) && File.extname(entry).include?('.ts') && entry !~ /test/i
26
+ line_no_and_contents_arr = []
27
+ entry_beautified = false
28
+
29
+ if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
30
+ js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
31
+ entry = "#{entry}.JS-BEAUTIFIED"
32
+ entry_beautified = true
33
+ end
34
+
35
+ test_case_filter = "
36
+ grep -Fn \
37
+ -e '==' \
38
+ -e '!=' #{entry} \ |
39
+ grep -v \
40
+ -e '===' \
41
+ -e '!==' \
42
+ "
43
+
44
+ str = `#{test_case_filter}`.to_s.scrub
45
+
46
+ if str.to_s.empty?
47
+ # If str length is >= 64 KB do not include results. (Due to Mongo Document Size Restrictions)
48
+ logger_results = "#{logger_results}~" # Catching bugs is good :)
49
+ else
50
+ str = "1:Result larger than 64KB -> Size: #{str.to_s.length}. Please click the \"Path\" link for more details." if str.to_s.length >= 64_000
51
+
52
+ hash_line = {
53
+ timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
54
+ security_references: security_references,
55
+ filename: { git_repo_root_uri: git_repo_root_uri, entry: entry },
56
+ line_no_and_contents: '',
57
+ raw_content: str,
58
+ test_case_filter: test_case_filter
59
+ }
60
+
61
+ # COMMMENT: Must be a better way to implement this (regex is kinda funky)
62
+ line_contents_split = str.split(/^(\d{1,}):|\n(\d{1,}):/)[1..-1]
63
+ line_no_count = line_contents_split.length # This should always be an even number
64
+ current_count = 0
65
+ while line_no_count > current_count
66
+ line_no = line_contents_split[current_count]
67
+ contents = line_contents_split[current_count + 1]
68
+ if Dir.exist?("#{dir_path}/.git") ||
69
+ Dir.exist?('.git')
70
+
71
+ repo_root = dir_path
72
+ repo_root = '.' if Dir.exist?('.git')
73
+
74
+ author = PWN::Plugins::Git.get_author(
75
+ repo_root: repo_root,
76
+ from_line: line_no,
77
+ to_line: line_no,
78
+ target_file: entry,
79
+ entry_beautified: entry_beautified
80
+ )
81
+ else
82
+ author = 'N/A'
83
+ end
84
+ hash_line[:line_no_and_contents] = line_no_and_contents_arr.push(
85
+ line_no: line_no,
86
+ contents: contents,
87
+ author: author
88
+ )
89
+
90
+ current_count += 2
91
+ end
92
+ result_arr.push(hash_line)
93
+ logger_results = "#{logger_results}x" # Seeing progress is good :)
94
+ end
95
+ end
96
+ end
97
+ logger_banner = "http://#{Socket.gethostname}:8808/doc_root/pwn-#{PWN::VERSION.to_s.scrub}/#{to_s.scrub.gsub('::', '/')}.html"
98
+ if logger_results.empty?
99
+ @@logger.info("#{logger_banner}: No files applicable to this test case.\n")
100
+ else
101
+ @@logger.info("#{logger_banner} => #{logger_results}complete.\n")
102
+ end
103
+ result_arr
104
+ rescue StandardError => e
105
+ raise e
106
+ end
107
+
108
+ # Used primarily to map NIST 800-53 Revision 4 Security Controls
109
+ # https://web.nvd.nist.gov/view/800-53/Rev4/impact?impactName=HIGH
110
+ # to PWN Exploit & Static Code Anti-Pattern Matching Modules to
111
+ # Determine the level of Testing Coverage w/ PWN.
112
+
113
+ public_class_method def self.security_references
114
+ {
115
+ sast_module: self,
116
+ section: 'DEVELOPER SECURITY AND PRIVACY ARCHITECTURE AND DESIGN',
117
+ nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=SA-17',
118
+ cwe_id: '661',
119
+ cwe_uri: 'https://cwe.mitre.org/data/definitions/661.html'
120
+ }
121
+ rescue StandardError => e
122
+ raise e
123
+ end
124
+
125
+ # Author(s):: 0day Inc. <request.pentest@0dayinc.com>
126
+
127
+ public_class_method def self.authors
128
+ "AUTHOR(S):
129
+ 0day Inc. <request.pentest@0dayinc.com>
130
+ "
131
+ end
132
+
133
+ # Display Usage for this Module
134
+
135
+ public_class_method def self.help
136
+ puts "USAGE:
137
+ sast_arr = #{self}.scan(
138
+ :dir_path => 'optional path to dir defaults to .',
139
+ :git_repo_root_uri => 'optional http uri of git repo scanned'
140
+ )
141
+
142
+ #{self}.authors
143
+ "
144
+ end
145
+ end
146
+ end
147
+ end
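Review bot: The file filter on line 25 selects by `File.extname(entry).include?('.ts')`, a substring test that also admits extensions such as `.tsv`, while `entry !~ /test/i` drops every path that merely contains "test" (a directory named `latest`, for example), so real TypeScript sources can go unscanned. An explicit list such as `%w[.ts .tsx].include?(File.extname(entry))` states the intent, and the exclusion could be narrowed to conventional test file names if that is what was meant. Since that same condition requires a `.ts` extension, the `File.extname(entry) == '.js'` branch on lines 29-33 can never run and can be removed. `cwe_id: '661'` on line 118 looks carried over from a PHP module (CWE-661 appears to be the PHP language view); CWE-697 (Incorrect Comparison) seems a closer reference and is worth confirming.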
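--- a/data/lib/pwn/sast.rb
+++ b/data/lib/pwn/sast.rb
@@ -45,6 +45,7 @@ module PWN
  autoload :TaskTag, 'pwn/sast/task_tag'
  autoload :ThrowErrors, 'pwn/sast/throw_errors'
  autoload :Token, 'pwn/sast/token'
+ autoload :TypeScriptTypeJuggling, 'pwn/sast/type_script_type_juggling'
  autoload :Version, 'pwn/sast/version'
  autoload :WindowLocationHash, 'pwn/sast/window_location_hash'
 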
data/lib/pwn/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module PWN
4
- VERSION = '0.4.925'
4
+ VERSION = '0.4.926'
5
5
  end
@@ -0,0 +1,25 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'spec_helper'
4
+
5
+ describe PWN::SAST::TypeScriptTypeJuggling do
6
+ it 'scan method should exist' do
7
+ scan_response = PWN::SAST::TypeScriptTypeJuggling
8
+ expect(scan_response).to respond_to :scan
9
+ end
10
+
11
+ it 'should display information for security_references' do
12
+ security_references_response = PWN::SAST::TypeScriptTypeJuggling
13
+ expect(security_references_response).to respond_to :security_references
14
+ end
15
+
16
+ it 'should display information for authors' do
17
+ authors_response = PWN::SAST::TypeScriptTypeJuggling
18
+ expect(authors_response).to respond_to :authors
19
+ end
20
+
21
+ it 'should display information for existing help method' do
22
+ help_response = PWN::SAST::TypeScriptTypeJuggling
23
+ expect(help_response).to respond_to :help
24
+ end
25
+ end
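Review bot: All four examples only assert `respond_to`, so nothing exercises the file filter or the grep pipeline that `scan` builds. An example that writes one small `.ts` file containing `a == b` and another containing only `a === b` into a `Dir.mktmpdir`, calls `scan(dir_path: tmp)` and checks that only the first file is reported would pin the detection behaviour. Whether `scan` can run in the spec environment without a git checkout or a `grep` binary is not visible from this page.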
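--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: pwn
  version: !ruby/object:Gem::Version
- version: 0.4.925
+ version: 0.4.926
  platform: ruby
  authors:
  - 0day Inc.
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2023-10-10 00:00:00.000000000 Z
+ date: 2023-10-11 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport
@@ -800,14 +800,14 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 1.56.4
+ version: 1.57.0
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 1.56.4
+ version: 1.57.0
  - !ruby/object:Gem::Dependency
  name: rubocop-rake
  requirement: !ruby/object:Gem::Requirement
@@ -996,14 +996,14 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 1.6.6
+ version: 1.6.7
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 1.6.6
+ version: 1.6.7
  - !ruby/object:Gem::Dependency
  name: thin
  requirement: !ruby/object:Gem::Requirement
@@ -1774,6 +1774,7 @@ files:
  - lib/pwn/sast/task_tag.rb
  - lib/pwn/sast/throw_errors.rb
  - lib/pwn/sast/token.rb
+ - lib/pwn/sast/type_script_type_juggling.rb
  - lib/pwn/sast/version.rb
  - lib/pwn/sast/window_location_hash.rb
  - lib/pwn/version.rb
@@ -2086,6 +2087,7 @@ files:
  - spec/lib/pwn/sast/task_tag_spec.rb
  - spec/lib/pwn/sast/throw_errors_spec.rb
  - spec/lib/pwn/sast/token_spec.rb
+ - spec/lib/pwn/sast/type_script_type_juggling_spec.rb
  - spec/lib/pwn/sast/version_spec.rb
  - spec/lib/pwn/sast/window_location_hash_spec.rb
  - spec/lib/pwn/sast_spec.rb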