scanny 0.1.0

data/spec/scanny/checks/system_tools/unizp_check_spec.rb

@@ -0,0 +1,29 @@
+require "spec_helper"
+
+module Scanny::Checks::SystemTools
+  describe UnzipCheck do
+    before do
+      @runner = Scanny::Runner.new(UnzipCheck.new)
+      @message = "Unzip option allows '../' in archived file path, dir traversal"
+      @issue_medium = issue(:medium, @message, [23, 88])
+      @issue_high = issue(:high, @message, [23, 88])
+    end
+
+    it "reports \"system('unzip -tq *.zip')\" correctly" do
+      @runner.should check("system('unzip -tq *.zip')").with_issue(@issue_medium)
+    end
+
+    it "reports \"`unzip -tq *.zip'`\" correctly" do
+      @runner.should check("`unzip -tq *.zip'`").with_issue(@issue_medium)
+    end
+
+    it "reports \"system('unzip -: archive.zip ../../')\" correctly" do
+      @runner.should  check("system('unzip -: archive.zip ../../')").
+                      with_issue(@issue_high)
+    end
+
+    it "reports \"`unzip -: archive.zip ../../`\" correctly" do
+      @runner.should check("`unzip -: archive.zip ../../`").with_issue(@issue_high)
+    end
+  end
+end

data/spec/scanny/checks/temp_file_open_check_spec.rb

@@ -0,0 +1,22 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe TempFileOpenCheck do
+    before do
+      @runner = Scanny::Runner.new(TempFileOpenCheck.new)
+      @message =  "Access to the temporary files can lead to" +
+                  "unauthorized access to data"
+      @issue = issue(:medium, @message, 377)
+    end
+
+    it "reports \"File.open('/home/app/tmp/file')\" correctly" do
+      @runner.should  check("File.open('/home/app/tmp/file')").
+                      with_issues([@issue, @issue])
+    end
+
+    it "reports \"mkdir_p('/rails/tmp/my/dir')\" correctly" do
+      @runner.should  check("mkdir_p('/rails/tmp/my/dir')").
+                      with_issues([@issue, @issue])
+    end
+  end
+end

data/spec/scanny/checks/user_find_check_spec.rb

@@ -0,0 +1,22 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe UserFindCheck do
+    before do
+      @runner = Scanny::Runner.new(UserFindCheck.new)
+      @message =  "Create a user object using the " +
+                  "parameters can cause security problems"
+      @issue = issue(:medium, @message, [89, 592])
+    end
+
+    it "reports \"User.find(params[:input])\" correctly" do
+      @runner.should  check("User.find(params[:input])").
+                      with_issue(@issue)
+    end
+
+    it "reports \"User.find(:first)\" correctly" do
+      @runner.should  check("User.find(:first)").
+                      without_issues
+    end
+  end
+end

data/spec/scanny/checks/validates_check_spec.rb

@@ -0,0 +1,19 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe ValidatesCheck do
+    before do
+      @runner = Scanny::Runner.new(ValidatesCheck.new)
+      @message = "Incorrect validations may allow malicious data transmission"
+      @issue = issue(:info, @message)
+    end
+
+    it "reports \"validates_presence_of :email\" correctly" do
+      @runner.should check("validates_presence_of :email").with_issue(@issue)
+    end
+
+    it "reports \"validates_uniqueness_of :username\" correctly" do
+      @runner.should check("validates_uniqueness_of :username").with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/verify_check_spec.rb

@@ -0,0 +1,27 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe VerifyMethodCheck do
+    before do
+      @runner = Scanny::Runner.new(VerifyMethodCheck.new)
+      @message =  "Incorrect to use the verify method can lead to " +
+                  "accept additional parameters from request"
+      @issue = issue(:info, @message)
+    end
+
+    it "reports \"verify :method => :post, :only => [:create]\" correctly" do
+      @runner.should  check("verify :method => :post, :only => [:create]").
+                      with_issue(@issue)
+    end
+
+    it "reports \"verify :params => 'user', :only => :update_password\" correctly" do
+      @runner.should  check("verify :params => 'user', :only => :update_password").
+                      without_issues
+    end
+
+    it "does not report \"verify :argument, :method => :post\"" do
+      @runner.should  check("verify :argument, :method => :post").
+                      without_issues
+    end
+  end
+end

data/spec/scanny/checks/xss/xss_flash_check_spec.rb

@@ -0,0 +1,22 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe XssFlashCheck do
+    before :each do
+      @runner = Scanny::Runner.new(XssFlashCheck.new)
+      @warning_message = "Assigning request parameters into flash can lead to XSS issues."
+      @issue_high = Scanny::Issue.new("scanned_file.rb", 1, :high, @warning_message, 79)
+      @issue_medium = Scanny::Issue.new("scanned_file.rb", 1, :medium, @warning_message, 79)
+    end
+
+    it "reports \"flash[:warning] = params[:password]\" correctly" do
+      @runner.should check("flash[:warning] = params[:password]").with_issue(@issue_high)
+    end
+
+    it "reports \"flash[:warning] = \"\#{interpolation}\" correctly" do
+      @runner.should check('flash[:warning] = "#{value}"').with_issue(@issue_medium)
+      @runner.should check('flash[:warning] = "#{value} and #{value2}"').with_issue(@issue_medium)
+      @runner.should check("flash[:warning] = \"Static warning\"").without_issues
+    end
+  end
+end

data/spec/scanny/checks/xss/xss_logger_check_spec.rb

@@ -0,0 +1,24 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe XssLoggerCheck do
+    before :each do
+      @runner = Scanny::Runner.new(XssLoggerCheck.new)
+      @warning_message = "Assigning request parameters into logger can lead to XSS issues."
+      @issue  = Scanny::Issue.new("scanned_file.rb", 1, :low, @warning_message, [20, 79])
+    end
+
+    it "reports \"logger(\"User \#{params[:password]} log\") correctly" do
+      @runner.should check('logger("User #{params[:password]} log")').with_issues(@issue)
+    end
+
+    it "reports \"logger(params[:password])\" correctly" do
+      @runner.should check("logger(params[:password])").with_issue(@issue)
+    end
+
+    it "reports \"logger(\"\#{interpolation}\")\" correctly" do
+      @runner.should check('logger("#{i1} and #{i1}")').with_issue(@issue)
+      @runner.should check('logger("#{interpolation}")').with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/xss/xss_mark_check_spec.rb

@@ -0,0 +1,31 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe XssMarkCheck do
+    before :each do
+      @runner = Scanny::Runner.new(XssMarkCheck.new)
+      @warning_message = "Marking string as safe can lead to XSS issues."
+      @issue  = Scanny::Issue.new("scanned_file.rb", 1, :info, @warning_message)
+    end
+
+    it "reports \"'string'.xss_safe\" correctly" do
+      @runner.should check("'string'.xss_safe").with_issue(@issue)
+    end
+
+    it "reports \"'string'.mark_as_xss_protected\" correctly" do
+      @runner.should check("'string'.mark_as_xss_protected").with_issue(@issue)
+    end
+
+    it "reports \"'string'.mark_methods_as_xss_safe\" correctly" do
+      @runner.should check("'string'.mark_methods_as_xss_safe").with_issue(@issue)
+    end
+
+    it "reports \"mark_methods_as_xss_safe('string')\" correctly" do
+      @runner.should check("mark_methods_as_xss_safe('string')").with_issue(@issue)
+    end
+
+    it "reports \"'string'.to_s_xss_protected\" correctly" do
+      @runner.should check("'string'.to_s_xss_protected").with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/xss/xss_send_check_spec.rb

@@ -0,0 +1,34 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe XssSendCheck do
+    before :each do
+      @runner = Scanny::Runner.new(XssSendCheck.new)
+      @warning_message =  "Send file or data to client in \"inline\" " +
+                          "mode or with param can lead to XSS issues."
+      @issue = Scanny::Issue.new("scanned_file.rb", 1, :medium, @warning_message, [79, 115, 200])
+      @issue_201 = Scanny::Issue.new("scanned_file.rb", 1, :high, @warning_message, 201)
+    end
+
+    it "reports \"send_file :disposition => 'inline'\" correctly" do
+      @runner.should check("send_file 'file', :disposition => 'inline'").with_issue(@issue)
+      @runner.should check("send_file 'file', :disposition => 'attachment'").without_issues
+    end
+
+    it "reports \"send_data :disposition => 'inline'\" correctly" do
+      @runner.should check("send_data 'file', :disposition => 'inline'").with_issue(@issue)
+      @runner.should check("send_data 'file', :disposition => 'attachment'").without_issues
+    end
+
+    it "reports \"send_data file :type => 'image/jpeg', :disposition => 'inline'\" correctly" do
+      @runner.should
+        check("send_data 'file', :type => 'image/jpeg', :disposition => 'inline'").
+        with_issue(@issue)
+    end
+
+    it "reports \"send_(data|file) file, params[:file]\" correctly" do
+      @runner.should check("send_data file, params[:file]").with_issue(@issue_201)
+      @runner.should check("send_file file, params[:file]").with_issue(@issue_201)
+    end
+  end
+end

data/spec/scanny/cli_spec.rb

@@ -0,0 +1,167 @@
+require "spec_helper"
+
+describe "Command line interface" do
+  before(:all) do
+    @help_message_prefix = "Scanny RoR secutiry scanner"
+    @aruba_timeout_seconds = 10
+  end
+
+  after { FileUtils.rm_rf(File.expand_path("../../../tmp", __FILE__)) }
+
+  describe "when given --help argument" do
+    before { run 'scanny --help' }
+    it { assert_partial_output @help_message_prefix, all_stdout }
+    it { assert_exit_status 0 }
+  end
+
+  context "scan files" do
+    before do
+      write_file('app/test.rb', 'reset_session')
+      write_file('app/test/sub_test.rb', 'reset_session')
+    end
+
+    describe "when given no argument" do
+      before { run 'scanny' }
+
+      it "scans all files in current app directory" do
+        assert_matching_output "./app/test.rb", all_stdout
+      end
+
+      it "scans all files in subdirectories" do
+        assert_matching_output "./app/test/sub_test.rb", all_stdout
+      end
+
+      it { assert_exit_status 1 }
+    end
+
+    describe "when given path argument" do
+      before { run 'scanny ./app/test/' }
+
+      it "scans all files in ./test directory" do
+        assert_matching_output "./test/sub_test.rb", all_stdout
+      end
+
+      it "not scans files in current directory" do
+        assert_no_partial_output "./test.rb", all_stdout
+      end
+    end
+  end
+
+  context "require checks" do
+    before do
+      write_file('./checks/check.rb', 'puts "check loaded"')
+      write_file('./checks2/check.rb', 'puts "check2 loaded"')
+      write_file('./app/project.rb', 'puts("hello world")')
+    end
+
+    describe "when given --include argument with one directory" do
+      before { run 'scanny --include ./checks' }
+
+      it { assert_partial_output "check loaded", all_stdout }
+      it { assert_no_partial_output "check2 loaded", all_stdout }
+      it { assert_exit_status 0 }
+    end
+
+    describe "when given --include argument with many directories" do
+      before { run 'scanny --include ./checks,./checks2' }
+
+      it { assert_partial_output "check loaded", all_stdout }
+      it { assert_partial_output "check2 loaded", all_stdout }
+      it { assert_exit_status 0 }
+    end
+  end
+
+  context "disable checks" do
+    before do
+      @check_output = "[medium] ./security.rb:1: Use of external " +
+                      "parameters in redirect_to methodcan lead to " +
+                      "unauthorized redirects " +
+                      "(CWE-79, CWE-113, CWE-601, CWE-698)"
+      write_file("./security.rb", "redirect_to params[:input]")
+    end
+
+    describe "when all checks are enabled" do
+      before { run 'scanny ./security.rb' }
+
+      it { assert_partial_output @check_output, all_stdout }
+      it { assert_exit_status 1 }
+    end
+
+    describe "when given --disable argument" do
+      before { run 'scanny --disable Scanny::Checks::RedirectWithParamsCheck ./security.rb' }
+
+      it { assert_no_partial_output @check_output, all_stdout }
+      it { assert_exit_status 1 }
+    end
+  end
+
+  context "reports" do
+    before { write_file('test.rb', 'reset_session') }
+
+    describe "when given -f xml argument" do
+      before { run 'scanny -f xml ./test.rb' }
+      it { check_directory_presence(['reports'], true) }
+      it { check_file_presence(['reports/Test-.\\test.rb.xml'], true) }
+      it { assert_exit_status 1 }
+    end
+
+    describe "when given -f strange_format argument" do
+      before { run 'scanny -f strange_format ./test.rb' }
+      it { assert_matching_output "Format strange_format is not supported", all_stderr }
+      it { assert_exit_status 1 }
+    end
+  end
+
+  context "strict" do
+    before { write_file("check.rb", "42") }
+
+    describe "when given --strict argument" do
+      before { run 'scanny --strict --include ../../spec/support/checks ./check.rb' }
+      it { assert_partial_output "strict checked", all_stdout }
+      it { assert_exit_status 1 }
+    end
+
+    describe "when given no argument" do
+      before { run 'scanny --include ../../spec/support/checks ./check.rb' }
+      it { assert_no_partial_output "strict checked", all_stdout }
+      it { assert_exit_status 1 }
+    end
+  end
+
+  context "parser mode" do
+    before { write_file("check.rb", "case s;when :m: P; end") }
+
+    describe "when given --mode 18 argument" do
+      before { run 'scanny --mode 18 ./check.rb' }
+      it { assert_no_partial_output "Can't parse ./check.rb as Ruby file", all_stderr }
+    end
+
+    describe "when given --mode 19 argument" do
+      before { run 'scanny --mode 19 ./check.rb' }
+      it { assert_partial_output "Can't parse ./check.rb as Ruby file", all_stderr }
+    end
+
+    describe "when given --mode invalid argument" do
+      before do
+        @message = "I can not recognize the version of the parser: invalid"
+        run 'scanny --mode invalid ./check'
+      end
+
+      it { assert_partial_output @message, all_stderr }
+      it { assert_exit_status 2 }
+    end
+  end
+
+  context "parse error" do
+    before do
+      write_file("check.rb", "+1+")
+      @message =  "Parser currently is working in 19 mode.\n" +
+                  "It is possible that your project works with another version of ruby\n"
+                  "You can change parser mode with '-m' flag\n"
+      run 'scanny ./check.rb'
+    end
+
+    it { assert_partial_output @message , all_stderr }
+    it { assert_exit_status 2 }
+  end
+end

data/spec/scanny/issue_spec.rb

@@ -0,0 +1,82 @@
+require "spec_helper"
+
+module Scanny
+  describe Issue do
+    describe "initialize" do
+      describe "when not passed \"cwe\"" do
+        it "sets attributes correctly" do
+          issue = Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!")
+
+          issue.file.should == "unsecure.rb"
+          issue.line.should == 42
+          issue.impact.should == :high
+          issue.message.should == "Hey, I found unsecure code!"
+        end
+      end
+
+      describe "when passed \"cwe\"" do
+        it "sets \"cwe\" correctly" do
+          issue = Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", 43)
+
+          issue.cwe.should == 43
+        end
+      end
+    end
+
+    describe "==" do
+      before :each do
+        @issue = Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", 43)
+      end
+
+      it "returns true when passed the same object" do
+        @issue.should == @issue
+      end
+
+      it "returns true when passed an Issue initialized with the same parameters" do
+        @issue.should == Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", 43)
+      end
+
+      it "returns false when passed some random object" do
+        @issue.should_not == Object.new
+      end
+
+      it "returns false when passed a subclass of Issue initialized with the same parameters" do
+        class SubclassedIssue < Issue
+        end
+
+        @issue.should_not == SubclassedIssue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", 43)
+      end
+
+      it "returns false when passed a ChoiceMatcher initialized with different parameters" do
+        @issue.should_not == Issue.new("secure.rb", 42, :high, "Hey, I found unsecure code!", 43)
+        @issue.should_not == Issue.new("unsecure.rb", 43, :high, "Hey, I found unsecure code!", 43)
+        @issue.should_not == Issue.new("unsecure.rb", 42, :low, "Hey, I found unsecure code!", 43)
+        @issue.should_not == Issue.new("unsecure.rb", 42, :high, "Hey, I didn't find unsecure code!", 43)
+        @issue.should_not == Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", 44)
+      end
+    end
+
+    describe "to_s" do
+      describe "called on issue without CWE" do
+        it "returns correctly formatted string" do
+          issue = Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!")
+          issue.to_s.should == "[high] unsecure.rb:42: Hey, I found unsecure code!"
+        end
+      end
+
+      describe "called on issue with one CWE" do
+        it "returns correctly formatted string" do
+          issue = Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", 43)
+          issue.to_s.should == "[high] unsecure.rb:42: Hey, I found unsecure code! (CWE-43)"
+        end
+      end
+
+      describe "called on issue with multiple CWEs" do
+        it "returns correctly formatted string" do
+          issue = Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", [43, 44, 45])
+          issue.to_s.should == "[high] unsecure.rb:42: Hey, I found unsecure code! (CWE-43, CWE-44, CWE-45)"
+        end
+      end
+    end
+  end
+end