RubyGems - scanny - Versions diffs - 0.1.0 - Mend

scanny 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (138) hide show

data/.gitignore +5 -0
data/Gemfile +11 -0
data/LICENSE +23 -0
data/README.md +185 -0
data/Rakefile +5 -0
data/bin/scanny +61 -0
data/lib/scanny.rb +12 -0
data/lib/scanny/checks/access_control_check.rb +52 -0
data/lib/scanny/checks/backticks_check.rb +18 -0
data/lib/scanny/checks/before_filters_check.rb +35 -0
data/lib/scanny/checks/check.rb +33 -0
data/lib/scanny/checks/csrf_check.rb +19 -0
data/lib/scanny/checks/denial_of_service_check.rb +42 -0
data/lib/scanny/checks/file_open_check.rb +46 -0
data/lib/scanny/checks/frameworks_check.rb +24 -0
data/lib/scanny/checks/helpers.rb +28 -0
data/lib/scanny/checks/http_basic_auth_check.rb +39 -0
data/lib/scanny/checks/http_header/header_injection_check.rb +38 -0
data/lib/scanny/checks/http_redirect_check.rb +37 -0
data/lib/scanny/checks/http_request_check.rb +74 -0
data/lib/scanny/checks/http_usage_check.rb +31 -0
data/lib/scanny/checks/information_leak_check.rb +55 -0
data/lib/scanny/checks/input_filtering_check.rb +39 -0
data/lib/scanny/checks/insecure_config/set_rails_env_check.rb +24 -0
data/lib/scanny/checks/insecure_config/set_secret_check.rb +25 -0
data/lib/scanny/checks/insecure_config/set_session_key_check.rb +23 -0
data/lib/scanny/checks/insecure_method/eval_method_check.rb +26 -0
data/lib/scanny/checks/insecure_method/marshal_check.rb +33 -0
data/lib/scanny/checks/insecure_method/system_method_check.rb +46 -0
data/lib/scanny/checks/mass_assignment_check.rb +48 -0
data/lib/scanny/checks/random_numbers_check.rb +54 -0
data/lib/scanny/checks/redirect_with_params_check.rb +48 -0
data/lib/scanny/checks/regexp_check.rb +23 -0
data/lib/scanny/checks/reset_session_check.rb +24 -0
data/lib/scanny/checks/session/access_to_session_check.rb +49 -0
data/lib/scanny/checks/session/session_secure_check.rb +47 -0
data/lib/scanny/checks/shell_expanding_methods_check.rb +54 -0
data/lib/scanny/checks/skip_before_filters_check.rb +41 -0
data/lib/scanny/checks/sql_injection/find_method_check.rb +81 -0
data/lib/scanny/checks/sql_injection/find_method_with_dynamic_string_check.rb +43 -0
data/lib/scanny/checks/sql_injection/find_method_with_params_check.rb +80 -0
data/lib/scanny/checks/sql_injection/sanitize_sql_check.rb +25 -0
data/lib/scanny/checks/sql_injection/sql_check.rb +14 -0
data/lib/scanny/checks/sql_injection/string_interpolation_with_params_check.rb +39 -0
data/lib/scanny/checks/ssl/verify_check.rb +53 -0
data/lib/scanny/checks/ssl/verify_peer_check.rb +37 -0
data/lib/scanny/checks/system_tools/gpg_usage_check.rb +51 -0
data/lib/scanny/checks/system_tools/sudo_check.rb +24 -0
data/lib/scanny/checks/system_tools/tar_check.rb +24 -0
data/lib/scanny/checks/system_tools/tar_commands_check.rb +27 -0
data/lib/scanny/checks/system_tools/unzip_check.rb +30 -0
data/lib/scanny/checks/temp_file_open_check.rb +57 -0
data/lib/scanny/checks/user_find_check.rb +40 -0
data/lib/scanny/checks/validates_check.rb +32 -0
data/lib/scanny/checks/verify_check.rb +44 -0
data/lib/scanny/checks/xss/xss_flash_check.rb +70 -0
data/lib/scanny/checks/xss/xss_logger_check.rb +78 -0
data/lib/scanny/checks/xss/xss_mark_check.rb +48 -0
data/lib/scanny/checks/xss/xss_send_check.rb +70 -0
data/lib/scanny/cli.rb +47 -0
data/lib/scanny/issue.rb +28 -0
data/lib/scanny/rake_task.rb +56 -0
data/lib/scanny/reporters.rb +3 -0
data/lib/scanny/reporters/reporter.rb +22 -0
data/lib/scanny/reporters/simple_reporter.rb +19 -0
data/lib/scanny/reporters/xml_reporter.rb +64 -0
data/lib/scanny/ruby_version_check.rb +15 -0
data/lib/scanny/runner.rb +90 -0
data/scanny.gemspec +22 -0
data/spec/scanny/check_spec.rb +22 -0
data/spec/scanny/checks/access_control_check_spec.rb +43 -0
data/spec/scanny/checks/backticks_check_spec.rb +22 -0
data/spec/scanny/checks/before_filters_check_spec.rb +45 -0
data/spec/scanny/checks/csrf_check_spec.rb +16 -0
data/spec/scanny/checks/denial_of_service_check_spec.rb +28 -0
data/spec/scanny/checks/file_open_check_spec.rb +22 -0
data/spec/scanny/checks/frameworks_check_spec.rb +16 -0
data/spec/scanny/checks/http_basic_auth_check_spec.rb +20 -0
data/spec/scanny/checks/http_header/header_injection_check_spec.rb +21 -0
data/spec/scanny/checks/http_redirect_check_spec.rb +15 -0
data/spec/scanny/checks/http_request_check_spec.rb +37 -0
data/spec/scanny/checks/http_usage_check_spec.rb +20 -0
data/spec/scanny/checks/information_leak_check_spec.rb +32 -0
data/spec/scanny/checks/input_filtering_check_spec.rb +19 -0
data/spec/scanny/checks/insecure_config/set_rails_env_check_spec.rb +17 -0
data/spec/scanny/checks/insecure_config/set_secret_check_spec.rb +22 -0
data/spec/scanny/checks/insecure_config/set_session_key_check_spec.rb +21 -0
data/spec/scanny/checks/insecure_method/eval_method_check_spec.rb +22 -0
data/spec/scanny/checks/insecure_method/marshal_check_spec.rb +26 -0
data/spec/scanny/checks/insecure_method/system_method_check_spec.rb +33 -0
data/spec/scanny/checks/mass_assignment_check_spec.rb +30 -0
data/spec/scanny/checks/random_numbers_check_spec.rb +41 -0
data/spec/scanny/checks/redirect_with_params_check_spec.rb +24 -0
data/spec/scanny/checks/regexp_check_spec.rb +22 -0
data/spec/scanny/checks/reset_session_check_spec.rb +15 -0
data/spec/scanny/checks/session/access_to_session_check_spec.rb +29 -0
data/spec/scanny/checks/session/session_secure_check_spec.rb +22 -0
data/spec/scanny/checks/shell_expanding_methods_check_spec.rb +67 -0
data/spec/scanny/checks/skip_before_filters_check_spec.rb +81 -0
data/spec/scanny/checks/sql_injection/find_method_check_spec.rb +62 -0
data/spec/scanny/checks/sql_injection/find_method_with_dynamic_string_check_spec.rb +27 -0
data/spec/scanny/checks/sql_injection/find_method_with_params_check_spec.rb +93 -0
data/spec/scanny/checks/sql_injection/sanitize_sql_check_spec.rb +16 -0
data/spec/scanny/checks/sql_injection/string_interpolation_with_params_check_spec.rb +18 -0
data/spec/scanny/checks/ssl/verify_check_spec.rb +25 -0
data/spec/scanny/checks/ssl/verify_peer_check_spec.rb +17 -0
data/spec/scanny/checks/system_tools/gpg_usage_check_spec.rb +43 -0
data/spec/scanny/checks/system_tools/sudo_check_spec.rb +24 -0
data/spec/scanny/checks/system_tools/tar_check_spec.rb +20 -0
data/spec/scanny/checks/system_tools/tar_commands_check_spec.rb +41 -0
data/spec/scanny/checks/system_tools/unizp_check_spec.rb +29 -0
data/spec/scanny/checks/temp_file_open_check_spec.rb +22 -0
data/spec/scanny/checks/user_find_check_spec.rb +22 -0
data/spec/scanny/checks/validates_check_spec.rb +19 -0
data/spec/scanny/checks/verify_check_spec.rb +27 -0
data/spec/scanny/checks/xss/xss_flash_check_spec.rb +22 -0
data/spec/scanny/checks/xss/xss_logger_check_spec.rb +24 -0
data/spec/scanny/checks/xss/xss_mark_check_spec.rb +31 -0
data/spec/scanny/checks/xss/xss_send_check_spec.rb +34 -0
data/spec/scanny/cli_spec.rb +167 -0
data/spec/scanny/issue_spec.rb +82 -0
data/spec/scanny/rake_taks_spec.rb +82 -0
data/spec/scanny/reporters/reporter_spec.rb +24 -0
data/spec/scanny/reporters/simple_reporter_spec.rb +48 -0
data/spec/scanny/reporters/xml_reporter_spec.rb +52 -0
data/spec/scanny/ruby_version_check_spec.rb +24 -0
data/spec/scanny/runner_spec.rb +128 -0
data/spec/spec_helper.rb +10 -0
data/spec/support/aruba.rb +4 -0
data/spec/support/check_spec_helpers.rb +5 -0
data/spec/support/checks/extend_test_check.rb +11 -0
data/spec/support/checks/test_check.rb +15 -0
data/spec/support/checks/test_strict_check.rb +17 -0
data/spec/support/const_spec_helpers.rb +36 -0
data/spec/support/matchers/check_matcher.rb +43 -0
data/spec/support/matchers/xpath_matcher.rb +30 -0
data/spec/support/mock_task.rb +43 -0
metadata +242 -0

data/lib/scanny/checks/input_filtering_check.rb ADDED Viewed

@@ -0,0 +1,39 @@
+module Scanny
+  module Checks
+    class InputFilteringCheck < Check
+      def pattern
+        [
+          pattern_terminal_escape_sequences,
+          pattern_params
+        ].join("|")
+      end
+      def check(node)
+        issue :low, warning_message, :cwe => 20
+      end
+      private
+      def warning_message
+        "Possible injection vulnerabilities"
+      end
+      # params[:input]
+      def pattern_params
+        <<-EOT
+          SendWithArguments<
+            name = :[],
+            receiver = Send<name = :params>
+          >
+        EOT
+      end
+      # system("\033]30;command\007")
+      def pattern_terminal_escape_sequences
+        <<-EOT
+          StringLiteral<string *= /\\033\]30;.*\\007/>
+        EOT
+      end
+    end
+  end
+end

data/lib/scanny/checks/insecure_config/set_rails_env_check.rb ADDED Viewed

@@ -0,0 +1,24 @@
+module Scanny
+  module Checks
+    # Checks for places where ENV["RAILS_ENV"] is set.
+    class SetRailsEnvCheck < Check
+      # ENV["RAILS_ENV"] = "test"
+      def pattern
+        <<-EOT
+          ElementAssignment<
+            receiver  = ConstantAccess<name = :ENV>,
+            arguments = ActualArguments<
+              array = [StringLiteral<string = "RAILS_ENV">, any]
+            >
+          >
+        EOT
+      end
+      def check(node)
+        issue :info,
+          "Setting ENV[\"RAILS_ENV\"] can indicate insecure configuration.",
+          :cwe => 209
+      end
+    end
+  end
+end

data/lib/scanny/checks/insecure_config/set_secret_check.rb ADDED Viewed

@@ -0,0 +1,25 @@
+module Scanny
+  module Checks
+    # Checks for places where :secret hash key is set.
+    class SetSecretCheck < Check
+      # :secret
+      def pattern
+        <<-EOT
+          HashLiteral<
+            array = [any{even}, SymbolLiteral<value = :secret>, any{odd}]
+          >
+        EOT
+      end
+      def check(node)
+        issue :info,
+          "Setting :secret can indicate using hard-coded cryptographic key.",
+          :cwe => 321
+      end
+      def strict?
+        true
+      end
+    end
+  end
+end

data/lib/scanny/checks/insecure_config/set_session_key_check.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module Scanny
+  module Checks
+    # Checks for places where :session_key hash key is set.
+    class SetSessionKeyCheck < Check
+      # :session_key
+      def pattern
+        <<-EOT
+          HashLiteral<
+            array = [any{even}, SymbolLiteral<value = :session_key>, any{odd}]
+          >
+        EOT
+      end
+      def check(node)
+        issue :info, "Setting :session_key."
+      end
+      def strict?
+        true
+      end
+    end
+  end
+end

data/lib/scanny/checks/insecure_method/eval_method_check.rb ADDED Viewed

@@ -0,0 +1,26 @@
+module Scanny
+  module Checks
+    module InsecureMethod
+      class EvalMethodCheck < Check
+        def pattern
+          pattern_eval_call
+        end
+        def check(node)
+          issue :high, warning_message, :cwe => 95
+        end
+        private
+        def warning_message
+          "Execute eval method can lead the ruby interpreter to run dangerous code"
+        end
+        # eval("ruby_code")
+        def pattern_eval_call
+          "SendWithArguments<name = :eval>"
+        end
+      end
+    end
+  end
+end

data/lib/scanny/checks/insecure_method/marshal_check.rb ADDED Viewed

@@ -0,0 +1,33 @@
+module Scanny
+  module Checks
+    module InsecureMethod
+      class MarshalCheck < Check
+        def pattern
+          pattern_load_call
+        end
+        def check(node)
+          issue :high, warning_message, :cwe => 502
+        end
+        private
+        def warning_message
+          "Execute deserialize method can load to memory dangerous object"
+        end
+        # Marshal.load(object)
+        def pattern_load_call
+          <<-EOT
+            SendWithArguments<
+              name = :load | :restore,
+              receiver = ConstantAccess<
+                name = :Marshal
+              >
+            >
+          EOT
+        end
+      end
+    end
+  end
+end

data/lib/scanny/checks/insecure_method/system_method_check.rb ADDED Viewed

@@ -0,0 +1,46 @@
+module Scanny
+  module Checks
+    module InsecureMethod
+      class SystemMethodCheck < Check
+        def pattern
+          [
+            pattern_system_calls,
+            pattern_execute_string,
+            pattern_popen
+          ].join("|")
+        end
+        def check(node)
+          issue :high, warning_message, :cwe => [88, 78]
+        end
+        private
+        def warning_message
+          "Execute system commands can lead the system to run dangerous code"
+        end
+        # system("rm -rf /")
+        def pattern_system_calls
+          <<-EOT
+            SendWithArguments
+              <
+                name =  :system         |
+                        :spawn          |
+                        :exec
+              >
+          EOT
+        end
+        def pattern_popen
+          "SendWithArguments<name ^= :popen>"
+        end
+        # `system_command`
+        def pattern_execute_string
+          "ExecuteString"
+        end
+      end
+    end
+  end
+end

data/lib/scanny/checks/mass_assignment_check.rb ADDED Viewed

@@ -0,0 +1,48 @@
+module Scanny
+  module Checks
+    class MassAssignmentCheck < Check
+      def pattern
+        pattern_create_object_from_params
+      end
+      def check(node)
+        issue :high, warning_message, :cwe => 642
+      end
+      private
+      def warning_message
+        "Create objects without defense against mass assignment" +
+        "can cause dangerous errors in the database"
+      end
+      # User.new(params[:user])
+      def pattern_create_object_from_params
+        <<-EOT
+          SendWithArguments<
+            arguments = ActualArguments<
+              array = [
+                SendWithArguments<
+                  name = :[],
+                  receiver = Send<name = :params>
+                >
+                |
+                HashLiteral<
+                array = [
+                  any{odd},
+                  SendWithArguments<
+                    name = :[],
+                    receiver = Send<name = :params>
+                  >,
+                  any{even}
+                ]
+                >
+              ]
+            >,
+            name = :new | :create | :update_attributes
+          >
+        EOT
+      end
+    end
+  end
+end

data/lib/scanny/checks/random_numbers_check.rb ADDED Viewed

@@ -0,0 +1,54 @@
+module Scanny
+  module Checks
+    # Checks for indication that a low-entropy random number generator is used.
+    class RandomNumbersCheck < Check
+      def pattern
+        [
+          pattern_rand,
+          pattern_seed,
+          pattern_urandom
+        ].join("|")
+      end
+      def check(node)
+        issue :medium, warning_message, :cwe => 331
+      end
+      private
+      def warning_message
+        "This action indicates using low-entropy random number generator"
+      end
+      # Kernel.srand
+      # Kernel.rand
+      def pattern_rand
+        <<-EOT
+          Send<
+            receiver = Self | ConstantAccess<name = :Kernel>,
+            name = :rand | :srand
+          >
+          |
+          SendWithArguments<
+            receiver = Self | ConstantAccess<name = :Kernel>,
+            name = :rand | :srand
+          >
+        EOT
+      end
+      # seed()
+      def pattern_seed
+        <<-EOT
+          Send<name = :seed>
+          |
+          SendWithArguments<name = :seed>
+        EOT
+      end
+      # File.open("/dev/urandom", "r").read(100)
+      def pattern_urandom
+        "StringLiteral<string *= 'urandom'>"
+      end
+    end
+  end
+end

data/lib/scanny/checks/redirect_with_params_check.rb ADDED Viewed

@@ -0,0 +1,48 @@
+module Scanny
+  module Checks
+    class RedirectWithParamsCheck < Check
+      def pattern
+        pattern_redirect
+      end
+      def check(node)
+        issue :medium, warning_message, :cwe => [79, 113, 601, 698]
+      end
+      private
+      def warning_message
+        "Use of external parameters in redirect_to method" +
+        "can lead to unauthorized redirects"
+      end
+      # redirect_to params[:input]
+      def pattern_redirect
+        <<-EOT
+          SendWithArguments<
+            arguments = ActualArguments<
+              array = [
+                HashLiteral<
+                  array = [
+                    any{odd},
+                    SendWithArguments<
+                      name = :[],
+                      receiver = Send<name = :params>
+                    >,
+                    any{even}
+                  ]
+                >
+                |
+                SendWithArguments<
+                  name = :[],
+                  receiver = Send<name = :params>
+                >
+              ]
+            >,
+            name = :redirect_to
+          >
+        EOT
+      end
+    end
+  end
+end

data/lib/scanny/checks/regexp_check.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module Scanny
+  module Checks
+    # Checks for possible improper regular expression usage.
+    class RegexpCheck < Check
+      def pattern
+        <<-EOT
+          RegexLiteral<source ^= "^">
+          |
+          RegexLiteral<source $= "$">
+          |
+          DynamicRegex<string ^= "^">
+          |
+          DynamicRegex<array = [any*, StringLiteral<string $= "$">]>
+        EOT
+      end
+      def check(node)
+        issue :low, "Possible improper regular expression usage.",
+          :cwe => [185, 625, 791]
+      end
+    end
+  end
+end

data/lib/scanny/checks/reset_session_check.rb ADDED Viewed

@@ -0,0 +1,24 @@
+module Scanny
+  module Checks
+    class ResetSessionCheck < Check
+      def pattern
+        pattern_reset_session
+      end
+      def check(node)
+        issue :info, warning_message, :cwe => 384
+      end
+      private
+      def warning_message
+        "Improper resetting the session may lead to security problems"
+      end
+      # reset_session()
+      def pattern_reset_session
+        "Send<name = :reset_session>"
+      end
+    end
+  end
+end

data/lib/scanny/checks/session/access_to_session_check.rb ADDED Viewed

@@ -0,0 +1,49 @@
+module Scanny
+  module Checks
+    module Session
+      class AccessToSessionCheck < Check
+        def pattern
+          [
+              pattern_session_access,
+              pattern_session_assignment
+          ].join("|")
+        end
+        def check(node)
+          issue :info, warning_message
+        end
+        def strict?
+          true
+        end
+        private
+        def warning_message
+          "Referring to a session in the wrong way" +
+          "can lead to errors that reduce security level"
+        end
+        # session[:password]
+        def pattern_session_access
+          <<-EOT
+          SendWithArguments<
+            name = :[],
+            receiver = Send<name = :session | :cookie>
+          >
+          EOT
+        end
+        # session[:admin] = true
+        def pattern_session_assignment
+          <<-EOT
+          ElementAssignment<
+            name = :[]=,
+            receiver = Send<name = :session | :cookie>
+          >
+          EOT
+        end
+      end
+    end
+  end
+end