scanny 0.1.0
- data/.gitignore +5 -0
- data/Gemfile +11 -0
- data/LICENSE +23 -0
- data/README.md +185 -0
- data/Rakefile +5 -0
- data/bin/scanny +61 -0
- data/lib/scanny.rb +12 -0
- data/lib/scanny/checks/access_control_check.rb +52 -0
- data/lib/scanny/checks/backticks_check.rb +18 -0
- data/lib/scanny/checks/before_filters_check.rb +35 -0
- data/lib/scanny/checks/check.rb +33 -0
- data/lib/scanny/checks/csrf_check.rb +19 -0
- data/lib/scanny/checks/denial_of_service_check.rb +42 -0
- data/lib/scanny/checks/file_open_check.rb +46 -0
- data/lib/scanny/checks/frameworks_check.rb +24 -0
- data/lib/scanny/checks/helpers.rb +28 -0
- data/lib/scanny/checks/http_basic_auth_check.rb +39 -0
- data/lib/scanny/checks/http_header/header_injection_check.rb +38 -0
- data/lib/scanny/checks/http_redirect_check.rb +37 -0
- data/lib/scanny/checks/http_request_check.rb +74 -0
- data/lib/scanny/checks/http_usage_check.rb +31 -0
- data/lib/scanny/checks/information_leak_check.rb +55 -0
- data/lib/scanny/checks/input_filtering_check.rb +39 -0
- data/lib/scanny/checks/insecure_config/set_rails_env_check.rb +24 -0
- data/lib/scanny/checks/insecure_config/set_secret_check.rb +25 -0
- data/lib/scanny/checks/insecure_config/set_session_key_check.rb +23 -0
- data/lib/scanny/checks/insecure_method/eval_method_check.rb +26 -0
- data/lib/scanny/checks/insecure_method/marshal_check.rb +33 -0
- data/lib/scanny/checks/insecure_method/system_method_check.rb +46 -0
- data/lib/scanny/checks/mass_assignment_check.rb +48 -0
- data/lib/scanny/checks/random_numbers_check.rb +54 -0
- data/lib/scanny/checks/redirect_with_params_check.rb +48 -0
- data/lib/scanny/checks/regexp_check.rb +23 -0
- data/lib/scanny/checks/reset_session_check.rb +24 -0
- data/lib/scanny/checks/session/access_to_session_check.rb +49 -0
- data/lib/scanny/checks/session/session_secure_check.rb +47 -0
- data/lib/scanny/checks/shell_expanding_methods_check.rb +54 -0
- data/lib/scanny/checks/skip_before_filters_check.rb +41 -0
- data/lib/scanny/checks/sql_injection/find_method_check.rb +81 -0
- data/lib/scanny/checks/sql_injection/find_method_with_dynamic_string_check.rb +43 -0
- data/lib/scanny/checks/sql_injection/find_method_with_params_check.rb +80 -0
- data/lib/scanny/checks/sql_injection/sanitize_sql_check.rb +25 -0
- data/lib/scanny/checks/sql_injection/sql_check.rb +14 -0
- data/lib/scanny/checks/sql_injection/string_interpolation_with_params_check.rb +39 -0
- data/lib/scanny/checks/ssl/verify_check.rb +53 -0
- data/lib/scanny/checks/ssl/verify_peer_check.rb +37 -0
- data/lib/scanny/checks/system_tools/gpg_usage_check.rb +51 -0
- data/lib/scanny/checks/system_tools/sudo_check.rb +24 -0
- data/lib/scanny/checks/system_tools/tar_check.rb +24 -0
- data/lib/scanny/checks/system_tools/tar_commands_check.rb +27 -0
- data/lib/scanny/checks/system_tools/unzip_check.rb +30 -0
- data/lib/scanny/checks/temp_file_open_check.rb +57 -0
- data/lib/scanny/checks/user_find_check.rb +40 -0
- data/lib/scanny/checks/validates_check.rb +32 -0
- data/lib/scanny/checks/verify_check.rb +44 -0
- data/lib/scanny/checks/xss/xss_flash_check.rb +70 -0
- data/lib/scanny/checks/xss/xss_logger_check.rb +78 -0
- data/lib/scanny/checks/xss/xss_mark_check.rb +48 -0
- data/lib/scanny/checks/xss/xss_send_check.rb +70 -0
- data/lib/scanny/cli.rb +47 -0
- data/lib/scanny/issue.rb +28 -0
- data/lib/scanny/rake_task.rb +56 -0
- data/lib/scanny/reporters.rb +3 -0
- data/lib/scanny/reporters/reporter.rb +22 -0
- data/lib/scanny/reporters/simple_reporter.rb +19 -0
- data/lib/scanny/reporters/xml_reporter.rb +64 -0
- data/lib/scanny/ruby_version_check.rb +15 -0
- data/lib/scanny/runner.rb +90 -0
- data/scanny.gemspec +22 -0
- data/spec/scanny/check_spec.rb +22 -0
- data/spec/scanny/checks/access_control_check_spec.rb +43 -0
- data/spec/scanny/checks/backticks_check_spec.rb +22 -0
- data/spec/scanny/checks/before_filters_check_spec.rb +45 -0
- data/spec/scanny/checks/csrf_check_spec.rb +16 -0
- data/spec/scanny/checks/denial_of_service_check_spec.rb +28 -0
- data/spec/scanny/checks/file_open_check_spec.rb +22 -0
- data/spec/scanny/checks/frameworks_check_spec.rb +16 -0
- data/spec/scanny/checks/http_basic_auth_check_spec.rb +20 -0
- data/spec/scanny/checks/http_header/header_injection_check_spec.rb +21 -0
- data/spec/scanny/checks/http_redirect_check_spec.rb +15 -0
- data/spec/scanny/checks/http_request_check_spec.rb +37 -0
- data/spec/scanny/checks/http_usage_check_spec.rb +20 -0
- data/spec/scanny/checks/information_leak_check_spec.rb +32 -0
- data/spec/scanny/checks/input_filtering_check_spec.rb +19 -0
- data/spec/scanny/checks/insecure_config/set_rails_env_check_spec.rb +17 -0
- data/spec/scanny/checks/insecure_config/set_secret_check_spec.rb +22 -0
- data/spec/scanny/checks/insecure_config/set_session_key_check_spec.rb +21 -0
- data/spec/scanny/checks/insecure_method/eval_method_check_spec.rb +22 -0
- data/spec/scanny/checks/insecure_method/marshal_check_spec.rb +26 -0
- data/spec/scanny/checks/insecure_method/system_method_check_spec.rb +33 -0
- data/spec/scanny/checks/mass_assignment_check_spec.rb +30 -0
- data/spec/scanny/checks/random_numbers_check_spec.rb +41 -0
- data/spec/scanny/checks/redirect_with_params_check_spec.rb +24 -0
- data/spec/scanny/checks/regexp_check_spec.rb +22 -0
- data/spec/scanny/checks/reset_session_check_spec.rb +15 -0
- data/spec/scanny/checks/session/access_to_session_check_spec.rb +29 -0
- data/spec/scanny/checks/session/session_secure_check_spec.rb +22 -0
- data/spec/scanny/checks/shell_expanding_methods_check_spec.rb +67 -0
- data/spec/scanny/checks/skip_before_filters_check_spec.rb +81 -0
- data/spec/scanny/checks/sql_injection/find_method_check_spec.rb +62 -0
- data/spec/scanny/checks/sql_injection/find_method_with_dynamic_string_check_spec.rb +27 -0
- data/spec/scanny/checks/sql_injection/find_method_with_params_check_spec.rb +93 -0
- data/spec/scanny/checks/sql_injection/sanitize_sql_check_spec.rb +16 -0
- data/spec/scanny/checks/sql_injection/string_interpolation_with_params_check_spec.rb +18 -0
- data/spec/scanny/checks/ssl/verify_check_spec.rb +25 -0
- data/spec/scanny/checks/ssl/verify_peer_check_spec.rb +17 -0
- data/spec/scanny/checks/system_tools/gpg_usage_check_spec.rb +43 -0
- data/spec/scanny/checks/system_tools/sudo_check_spec.rb +24 -0
- data/spec/scanny/checks/system_tools/tar_check_spec.rb +20 -0
- data/spec/scanny/checks/system_tools/tar_commands_check_spec.rb +41 -0
- data/spec/scanny/checks/system_tools/unizp_check_spec.rb +29 -0
- data/spec/scanny/checks/temp_file_open_check_spec.rb +22 -0
- data/spec/scanny/checks/user_find_check_spec.rb +22 -0
- data/spec/scanny/checks/validates_check_spec.rb +19 -0
- data/spec/scanny/checks/verify_check_spec.rb +27 -0
- data/spec/scanny/checks/xss/xss_flash_check_spec.rb +22 -0
- data/spec/scanny/checks/xss/xss_logger_check_spec.rb +24 -0
- data/spec/scanny/checks/xss/xss_mark_check_spec.rb +31 -0
- data/spec/scanny/checks/xss/xss_send_check_spec.rb +34 -0
- data/spec/scanny/cli_spec.rb +167 -0
- data/spec/scanny/issue_spec.rb +82 -0
- data/spec/scanny/rake_taks_spec.rb +82 -0
- data/spec/scanny/reporters/reporter_spec.rb +24 -0
- data/spec/scanny/reporters/simple_reporter_spec.rb +48 -0
- data/spec/scanny/reporters/xml_reporter_spec.rb +52 -0
- data/spec/scanny/ruby_version_check_spec.rb +24 -0
- data/spec/scanny/runner_spec.rb +128 -0
- data/spec/spec_helper.rb +10 -0
- data/spec/support/aruba.rb +4 -0
- data/spec/support/check_spec_helpers.rb +5 -0
- data/spec/support/checks/extend_test_check.rb +11 -0
- data/spec/support/checks/test_check.rb +15 -0
- data/spec/support/checks/test_strict_check.rb +17 -0
- data/spec/support/const_spec_helpers.rb +36 -0
- data/spec/support/matchers/check_matcher.rb +43 -0
- data/spec/support/matchers/xpath_matcher.rb +30 -0
- data/spec/support/mock_task.rb +43 -0
- metadata +242 -0
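--- a/data/spec/scanny/checks/system_tools/unizp_check_spec.rb
+++ b/data/spec/scanny/checks/system_tools/unizp_check_spec.rb
@@ -0,0 +1,29 @@
+require "spec_helper"
+
+module Scanny::Checks::SystemTools
+describe UnzipCheck do
+before do
+@runner = Scanny::Runner.new(UnzipCheck.new)
+@message = "Unzip option allows '../' in archived file path, dir traversal"
+@issue_medium = issue(:medium, @message, [23, 88])
+@issue_high = issue(:high, @message, [23, 88])
+end
+
+it "reports \"system('unzip -tq *.zip')\" correctly" do
+@runner.should check("system('unzip -tq *.zip')").with_issue(@issue_medium)
+end
+
+it "reports \"`unzip -tq *.zip'`\" correctly" do
+@runner.should check("`unzip -tq *.zip'`").with_issue(@issue_medium)
+end
+
+it "reports \"system('unzip -: archive.zip ../../')\" correctly" do
+@runner.should check("system('unzip -: archive.zip ../../')").
+with_issue(@issue_high)
+end
+
+it "reports \"`unzip -: archive.zip ../../`\" correctly" do
+@runner.should check("`unzip -: archive.zip ../../`").with_issue(@issue_high)
+end
+end
+end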
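Review bot: The second example (lines 16–17) models the backtick command as `` `unzip -tq *.zip'` `` with a stray apostrophe before the closing backtick, so the label and the scanned input describe an unbalanced shell command rather than the plain `unzip -tq *.zip` the first example covers. The check presumably only inspects the literal's text, so the medium path is still exercised, but the example is misleading; drop the apostrophe in both the description and the `check(...)` argument: `@runner.should check("`unzip -tq *.zip`").with_issue(@issue_medium)`. The diffstat also records this file as `unizp_check_spec.rb`, a transposition of "unzip"; RSpec's glob will still load it, but the name should match the check it covers.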
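--- a/data/spec/scanny/checks/temp_file_open_check_spec.rb
+++ b/data/spec/scanny/checks/temp_file_open_check_spec.rb
@@ -0,0 +1,22 @@
+require "spec_helper"
+
+module Scanny::Checks
+describe TempFileOpenCheck do
+before do
+@runner = Scanny::Runner.new(TempFileOpenCheck.new)
+@message = "Access to the temporary files can lead to" +
+"unauthorized access to data"
+@issue = issue(:medium, @message, 377)
+end
+
+it "reports \"File.open('/home/app/tmp/file')\" correctly" do
+@runner.should check("File.open('/home/app/tmp/file')").
+with_issues([@issue, @issue])
+end
+
+it "reports \"mkdir_p('/rails/tmp/my/dir')\" correctly" do
+@runner.should check("mkdir_p('/rails/tmp/my/dir')").
+with_issues([@issue, @issue])
+end
+end
+end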
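Review bot: The message built on lines 7–8 concatenates `"...can lead to"` and `"unauthorized access to data"` with no separating space, so `@message` reads "lead tounauthorized access"; the spec only passes if the check's own message (not in this diff) carries the same typo, which pins the defect instead of catching it. Fix the spec as `@message = "Access to the temporary files can lead to " +` and correct the check's string alongside it. Both examples also expect the identical issue twice for a single call (`with_issues([@issue, @issue])`); if the check deliberately reports once for the temp path and once for the call, a one-line comment saying so would stop a reader from treating the duplicate as an accident.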
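--- a/data/spec/scanny/checks/user_find_check_spec.rb
+++ b/data/spec/scanny/checks/user_find_check_spec.rb
@@ -0,0 +1,22 @@
+require "spec_helper"
+
+module Scanny::Checks
+describe UserFindCheck do
+before do
+@runner = Scanny::Runner.new(UserFindCheck.new)
+@message = "Create a user object using the " +
+"parameters can cause security problems"
+@issue = issue(:medium, @message, [89, 592])
+end
+
+it "reports \"User.find(params[:input])\" correctly" do
+@runner.should check("User.find(params[:input])").
+with_issue(@issue)
+end
+
+it "reports \"User.find(:first)\" correctly" do
+@runner.should check("User.find(:first)").
+without_issues
+end
+end
+end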
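--- a/data/spec/scanny/checks/validates_check_spec.rb
+++ b/data/spec/scanny/checks/validates_check_spec.rb
@@ -0,0 +1,19 @@
+require "spec_helper"
+
+module Scanny::Checks
+describe ValidatesCheck do
+before do
+@runner = Scanny::Runner.new(ValidatesCheck.new)
+@message = "Incorrect validations may allow malicious data transmission"
+@issue = issue(:info, @message)
+end
+
+it "reports \"validates_presence_of :email\" correctly" do
+@runner.should check("validates_presence_of :email").with_issue(@issue)
+end
+
+it "reports \"validates_uniqueness_of :username\" correctly" do
+@runner.should check("validates_uniqueness_of :username").with_issue(@issue)
+end
+end
+end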
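--- a/data/spec/scanny/checks/verify_check_spec.rb
+++ b/data/spec/scanny/checks/verify_check_spec.rb
@@ -0,0 +1,27 @@
+require "spec_helper"
+
+module Scanny::Checks
+describe VerifyMethodCheck do
+before do
+@runner = Scanny::Runner.new(VerifyMethodCheck.new)
+@message = "Incorrect to use the verify method can lead to " +
+"accept additional parameters from request"
+@issue = issue(:info, @message)
+end
+
+it "reports \"verify :method => :post, :only => [:create]\" correctly" do
+@runner.should check("verify :method => :post, :only => [:create]").
+with_issue(@issue)
+end
+
+it "reports \"verify :params => 'user', :only => :update_password\" correctly" do
+@runner.should check("verify :params => 'user', :only => :update_password").
+without_issues
+end
+
+it "does not report \"verify :argument, :method => :post\"" do
+@runner.should check("verify :argument, :method => :post").
+without_issues
+end
+end
+end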
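Review bot: The example on line 17 is labelled "reports ... correctly" but its expectation is `without_issues`, while the third example (line 22) uses the "does not report" wording for the same kind of negative case; a failure report would then read as if a detection were expected. Rename it for consistency: `it "does not report \"verify :params => 'user', :only => :update_password\"" do`. Note that the spec's `describe` names `VerifyMethodCheck` whereas the diffstat lists the implementation as `verify_check.rb`; that is fine if the class is defined there, but worth confirming since the file is not in this diff.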
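--- a/data/spec/scanny/checks/xss/xss_flash_check_spec.rb
+++ b/data/spec/scanny/checks/xss/xss_flash_check_spec.rb
@@ -0,0 +1,22 @@
+require "spec_helper"
+
+module Scanny::Checks
+describe XssFlashCheck do
+before :each do
+@runner = Scanny::Runner.new(XssFlashCheck.new)
+@warning_message = "Assigning request parameters into flash can lead to XSS issues."
+@issue_high = Scanny::Issue.new("scanned_file.rb", 1, :high, @warning_message, 79)
+@issue_medium = Scanny::Issue.new("scanned_file.rb", 1, :medium, @warning_message, 79)
+end
+
+it "reports \"flash[:warning] = params[:password]\" correctly" do
+@runner.should check("flash[:warning] = params[:password]").with_issue(@issue_high)
+end
+
+it "reports \"flash[:warning] = \"\#{interpolation}\" correctly" do
+@runner.should check('flash[:warning] = "#{value}"').with_issue(@issue_medium)
+@runner.should check('flash[:warning] = "#{value} and #{value2}"').with_issue(@issue_medium)
+@runner.should check("flash[:warning] = \"Static warning\"").without_issues
+end
+end
+end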
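Review bot: Lines 8–9 build expected issues with `Scanny::Issue.new("scanned_file.rb", 1, ...)`, hard-coding the file name and line the runner assigns, while the other check specs in this commit use the `issue(impact, message, cwe)` helper for the same purpose; the same pattern appears in the XssLoggerCheck, XssMarkCheck and XssSendCheck specs. If the helper produces the same file and line (it is defined in spec/support, not in this diff, so this is inferred), switching to `@issue_high = issue(:high, @warning_message, 79)` and `@issue_medium = issue(:medium, @warning_message, 79)` keeps one place that knows the runner's naming. The second example also packs a high, a medium and a negative case into one `it`, so a failure on line 18 or 19 is reported under the same description; splitting the static-string case into its own `it "does not report ..."` would make the report precise.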
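--- a/data/spec/scanny/checks/xss/xss_logger_check_spec.rb
+++ b/data/spec/scanny/checks/xss/xss_logger_check_spec.rb
@@ -0,0 +1,24 @@
+require "spec_helper"
+
+module Scanny::Checks
+describe XssLoggerCheck do
+before :each do
+@runner = Scanny::Runner.new(XssLoggerCheck.new)
+@warning_message = "Assigning request parameters into logger can lead to XSS issues."
+@issue = Scanny::Issue.new("scanned_file.rb", 1, :low, @warning_message, [20, 79])
+end
+
+it "reports \"logger(\"User \#{params[:password]} log\") correctly" do
+@runner.should check('logger("User #{params[:password]} log")').with_issues(@issue)
+end
+
+it "reports \"logger(params[:password])\" correctly" do
+@runner.should check("logger(params[:password])").with_issue(@issue)
+end
+
+it "reports \"logger(\"\#{interpolation}\")\" correctly" do
+@runner.should check('logger("#{i1} and #{i1}")').with_issue(@issue)
+@runner.should check('logger("#{interpolation}")').with_issue(@issue)
+end
+end
+end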
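Review bot: Line 12 calls `with_issues(@issue)` with a bare Issue, whereas every sibling example here uses `with_issue(@issue)` and the other specs in this commit only ever pass an Array to `with_issues`; whether the matcher (spec/support/matchers/check_matcher.rb, not in this diff) wraps a single object or compares the runner's Array against a non-Array and fails is not visible from here. Use the single-issue form for consistency: `@runner.should check('logger("User #{params[:password]} log")').with_issue(@issue)`. The description on line 11 is also missing the closing `\"` after `log\")`, so the example name reads as an unterminated quote in the RSpec output.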
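--- a/data/spec/scanny/checks/xss/xss_mark_check_spec.rb
+++ b/data/spec/scanny/checks/xss/xss_mark_check_spec.rb
@@ -0,0 +1,31 @@
+require "spec_helper"
+
+module Scanny::Checks
+describe XssMarkCheck do
+before :each do
+@runner = Scanny::Runner.new(XssMarkCheck.new)
+@warning_message = "Marking string as safe can lead to XSS issues."
+@issue = Scanny::Issue.new("scanned_file.rb", 1, :info, @warning_message)
+end
+
+it "reports \"'string'.xss_safe\" correctly" do
+@runner.should check("'string'.xss_safe").with_issue(@issue)
+end
+
+it "reports \"'string'.mark_as_xss_protected\" correctly" do
+@runner.should check("'string'.mark_as_xss_protected").with_issue(@issue)
+end
+
+it "reports \"'string'.mark_methods_as_xss_safe\" correctly" do
+@runner.should check("'string'.mark_methods_as_xss_safe").with_issue(@issue)
+end
+
+it "reports \"mark_methods_as_xss_safe('string')\" correctly" do
+@runner.should check("mark_methods_as_xss_safe('string')").with_issue(@issue)
+end
+
+it "reports \"'string'.to_s_xss_protected\" correctly" do
+@runner.should check("'string'.to_s_xss_protected").with_issue(@issue)
+end
+end
+end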
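--- a/data/spec/scanny/checks/xss/xss_send_check_spec.rb
+++ b/data/spec/scanny/checks/xss/xss_send_check_spec.rb
@@ -0,0 +1,34 @@
+require "spec_helper"
+
+module Scanny::Checks
+describe XssSendCheck do
+before :each do
+@runner = Scanny::Runner.new(XssSendCheck.new)
+@warning_message = "Send file or data to client in \"inline\" " +
+"mode or with param can lead to XSS issues."
+@issue = Scanny::Issue.new("scanned_file.rb", 1, :medium, @warning_message, [79, 115, 200])
+@issue_201 = Scanny::Issue.new("scanned_file.rb", 1, :high, @warning_message, 201)
+end
+
+it "reports \"send_file :disposition => 'inline'\" correctly" do
+@runner.should check("send_file 'file', :disposition => 'inline'").with_issue(@issue)
+@runner.should check("send_file 'file', :disposition => 'attachment'").without_issues
+end
+
+it "reports \"send_data :disposition => 'inline'\" correctly" do
+@runner.should check("send_data 'file', :disposition => 'inline'").with_issue(@issue)
+@runner.should check("send_data 'file', :disposition => 'attachment'").without_issues
+end
+
+it "reports \"send_data file :type => 'image/jpeg', :disposition => 'inline'\" correctly" do
+@runner.should
+check("send_data 'file', :type => 'image/jpeg', :disposition => 'inline'").
+with_issue(@issue)
+end
+
+it "reports \"send_(data|file) file, params[:file]\" correctly" do
+@runner.should check("send_data file, params[:file]").with_issue(@issue_201)
+@runner.should check("send_file file, params[:file]").with_issue(@issue_201)
+end
+end
+end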
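Review bot: The example on lines 23–27 never asserts anything: `@runner.should` on line 24 is a complete statement (a bare `should` with no matcher), and the `check(...).with_issue(@issue)` on lines 25–26 builds a matcher that is discarded, so the example passes whether or not the check reports the `:type => 'image/jpeg'` case. Keep the matcher on the same line as `should`, continuing with the trailing dot as the other specs do: `@runner.should check("send_data 'file', :type => 'image/jpeg', :disposition => 'inline'").` followed by `with_issue(@issue)`. It is worth running the spec after the change, since this is the one inline example whose detection has not actually been exercised yet.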
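--- a/data/spec/scanny/cli_spec.rb
+++ b/data/spec/scanny/cli_spec.rb
@@ -0,0 +1,167 @@
+require "spec_helper"
+
+describe "Command line interface" do
+before(:all) do
+@help_message_prefix = "Scanny RoR secutiry scanner"
+@aruba_timeout_seconds = 10
+end
+
+after { FileUtils.rm_rf(File.expand_path("../../../tmp", __FILE__)) }
+
+describe "when given --help argument" do
+before { run 'scanny --help' }
+it { assert_partial_output @help_message_prefix, all_stdout }
+it { assert_exit_status 0 }
+end
+
+context "scan files" do
+before do
+write_file('app/test.rb', 'reset_session')
+write_file('app/test/sub_test.rb', 'reset_session')
+end
+
+describe "when given no argument" do
+before { run 'scanny' }
+
+it "scans all files in current app directory" do
+assert_matching_output "./app/test.rb", all_stdout
+end
+
+it "scans all files in subdirectories" do
+assert_matching_output "./app/test/sub_test.rb", all_stdout
+end
+
+it { assert_exit_status 1 }
+end
+
+describe "when given path argument" do
+before { run 'scanny ./app/test/' }
+
+it "scans all files in ./test directory" do
+assert_matching_output "./test/sub_test.rb", all_stdout
+end
+
+it "not scans files in current directory" do
+assert_no_partial_output "./test.rb", all_stdout
+end
+end
+end
+
+context "require checks" do
+before do
+write_file('./checks/check.rb', 'puts "check loaded"')
+write_file('./checks2/check.rb', 'puts "check2 loaded"')
+write_file('./app/project.rb', 'puts("hello world")')
+end
+
+describe "when given --include argument with one directory" do
+before { run 'scanny --include ./checks' }
+
+it { assert_partial_output "check loaded", all_stdout }
+it { assert_no_partial_output "check2 loaded", all_stdout }
+it { assert_exit_status 0 }
+end
+
+describe "when given --include argument with many directories" do
+before { run 'scanny --include ./checks,./checks2' }
+
+it { assert_partial_output "check loaded", all_stdout }
+it { assert_partial_output "check2 loaded", all_stdout }
+it { assert_exit_status 0 }
+end
+end
+
+context "disable checks" do
+before do
+@check_output = "[medium] ./security.rb:1: Use of external " +
+"parameters in redirect_to methodcan lead to " +
+"unauthorized redirects " +
+"(CWE-79, CWE-113, CWE-601, CWE-698)"
+write_file("./security.rb", "redirect_to params[:input]")
+end
+
+describe "when all checks are enabled" do
+before { run 'scanny ./security.rb' }
+
+it { assert_partial_output @check_output, all_stdout }
+it { assert_exit_status 1 }
+end
+
+describe "when given --disable argument" do
+before { run 'scanny --disable Scanny::Checks::RedirectWithParamsCheck ./security.rb' }
+
+it { assert_no_partial_output @check_output, all_stdout }
+it { assert_exit_status 1 }
+end
+end
+
+context "reports" do
+before { write_file('test.rb', 'reset_session') }
+
+describe "when given -f xml argument" do
+before { run 'scanny -f xml ./test.rb' }
+it { check_directory_presence(['reports'], true) }
+it { check_file_presence(['reports/Test-.\\test.rb.xml'], true) }
+it { assert_exit_status 1 }
+end
+
+describe "when given -f strange_format argument" do
+before { run 'scanny -f strange_format ./test.rb' }
+it { assert_matching_output "Format strange_format is not supported", all_stderr }
+it { assert_exit_status 1 }
+end
+end
+
+context "strict" do
+before { write_file("check.rb", "42") }
+
+describe "when given --strict argument" do
+before { run 'scanny --strict --include ../../spec/support/checks ./check.rb' }
+it { assert_partial_output "strict checked", all_stdout }
+it { assert_exit_status 1 }
+end
+
+describe "when given no argument" do
+before { run 'scanny --include ../../spec/support/checks ./check.rb' }
+it { assert_no_partial_output "strict checked", all_stdout }
+it { assert_exit_status 1 }
+end
+end
+
+context "parser mode" do
+before { write_file("check.rb", "case s;when :m: P; end") }
+
+describe "when given --mode 18 argument" do
+before { run 'scanny --mode 18 ./check.rb' }
+it { assert_no_partial_output "Can't parse ./check.rb as Ruby file", all_stderr }
+end
+
+describe "when given --mode 19 argument" do
+before { run 'scanny --mode 19 ./check.rb' }
+it { assert_partial_output "Can't parse ./check.rb as Ruby file", all_stderr }
+end
+
+describe "when given --mode invalid argument" do
+before do
+@message = "I can not recognize the version of the parser: invalid"
+run 'scanny --mode invalid ./check'
+end
+
+it { assert_partial_output @message, all_stderr }
+it { assert_exit_status 2 }
+end
+end
+
+context "parse error" do
+before do
+write_file("check.rb", "+1+")
+@message = "Parser currently is working in 19 mode.\n" +
+"It is possible that your project works with another version of ruby\n"
+"You can change parser mode with '-m' flag\n"
+run 'scanny ./check.rb'
+end
+
+it { assert_partial_output @message , all_stderr }
+it { assert_exit_status 2 }
+end
+end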
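Review bot: In the "parse error" context, line 159 ends without a trailing `+`, so the string on line 160 (`"You can change parser mode with '-m' flag\n"`) is a standalone expression that is evaluated and dropped, and `@message` only contains the first two lines of the parser-error text; the `assert_partial_output` on line 164 therefore never verifies that the `-m` hint is printed. Change line 159 to `"It is possible that your project works with another version of ruby\n" +`. Two other expected strings look like typos that the spec would pin rather than catch: `"Scanny RoR secutiry scanner"` on line 5 and `"redirect_to methodcan lead to "` on line 77; they match whatever the binary prints, so if the source strings carry the same mistakes (not visible in this diff), fix both sides together. The `--mode invalid` case on line 147 runs against `./check` rather than `./check.rb`; that is harmless if mode validation happens before any file is read, but a comment saying so would prevent a later "fix" from changing what the example covers.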
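--- a/data/spec/scanny/issue_spec.rb
+++ b/data/spec/scanny/issue_spec.rb
@@ -0,0 +1,82 @@
+require "spec_helper"
+
+module Scanny
+describe Issue do
+describe "initialize" do
+describe "when not passed \"cwe\"" do
+it "sets attributes correctly" do
+issue = Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!")
+
+issue.file.should == "unsecure.rb"
+issue.line.should == 42
+issue.impact.should == :high
+issue.message.should == "Hey, I found unsecure code!"
+end
+end
+
+describe "when passed \"cwe\"" do
+it "sets \"cwe\" correctly" do
+issue = Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", 43)
+
+issue.cwe.should == 43
+end
+end
+end
+
+describe "==" do
+before :each do
+@issue = Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", 43)
+end
+
+it "returns true when passed the same object" do
+@issue.should == @issue
+end
+
+it "returns true when passed an Issue initialized with the same parameters" do
+@issue.should == Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", 43)
+end
+
+it "returns false when passed some random object" do
+@issue.should_not == Object.new
+end
+
+it "returns false when passed a subclass of Issue initialized with the same parameters" do
+class SubclassedIssue < Issue
+end
+
+@issue.should_not == SubclassedIssue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", 43)
+end
+
+it "returns false when passed a ChoiceMatcher initialized with different parameters" do
+@issue.should_not == Issue.new("secure.rb", 42, :high, "Hey, I found unsecure code!", 43)
+@issue.should_not == Issue.new("unsecure.rb", 43, :high, "Hey, I found unsecure code!", 43)
+@issue.should_not == Issue.new("unsecure.rb", 42, :low, "Hey, I found unsecure code!", 43)
+@issue.should_not == Issue.new("unsecure.rb", 42, :high, "Hey, I didn't find unsecure code!", 43)
+@issue.should_not == Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", 44)
+end
+end
+
+describe "to_s" do
+describe "called on issue without CWE" do
+it "returns correctly formatted string" do
+issue = Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!")
+issue.to_s.should == "[high] unsecure.rb:42: Hey, I found unsecure code!"
+end
+end
+
+describe "called on issue with one CWE" do
+it "returns correctly formatted string" do
+issue = Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", 43)
+issue.to_s.should == "[high] unsecure.rb:42: Hey, I found unsecure code! (CWE-43)"
+end
+end
+
+describe "called on issue with multiple CWEs" do
+it "returns correctly formatted string" do
+issue = Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", [43, 44, 45])
+issue.to_s.should == "[high] unsecure.rb:42: Hey, I found unsecure code! (CWE-43, CWE-44, CWE-45)"
+end
+end
+end
+end
+end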
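Review bot: The `class SubclassedIssue < Issue` on lines 44–45 is a class definition inside an `it` block, which defines the constant `Scanny::SubclassedIssue` at load time of the example and leaves it visible to every other example and spec file in the run; an anonymous class keeps the fixture local: `subclassed_issue = Class.new(Issue)` and then `@issue.should_not == subclassed_issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", 43)`. The description on line 50 says "when passed a ChoiceMatcher initialized with different parameters" but the example compares against `Issue` instances, which reads like a copy-paste from another spec; rename it to `it "returns false when passed an Issue initialized with different parameters" do`. The "initialize" examples cover `file`, `line`, `impact`, `message` and `cwe` but not the default `cwe` value when it is omitted (line 8); if `Issue` sets one, an `issue.cwe.should == …` assertion there would pin it.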