scanny 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.gitignore +5 -0
- data/Gemfile +11 -0
- data/LICENSE +23 -0
- data/README.md +185 -0
- data/Rakefile +5 -0
- data/bin/scanny +61 -0
- data/lib/scanny.rb +12 -0
- data/lib/scanny/checks/access_control_check.rb +52 -0
- data/lib/scanny/checks/backticks_check.rb +18 -0
- data/lib/scanny/checks/before_filters_check.rb +35 -0
- data/lib/scanny/checks/check.rb +33 -0
- data/lib/scanny/checks/csrf_check.rb +19 -0
- data/lib/scanny/checks/denial_of_service_check.rb +42 -0
- data/lib/scanny/checks/file_open_check.rb +46 -0
- data/lib/scanny/checks/frameworks_check.rb +24 -0
- data/lib/scanny/checks/helpers.rb +28 -0
- data/lib/scanny/checks/http_basic_auth_check.rb +39 -0
- data/lib/scanny/checks/http_header/header_injection_check.rb +38 -0
- data/lib/scanny/checks/http_redirect_check.rb +37 -0
- data/lib/scanny/checks/http_request_check.rb +74 -0
- data/lib/scanny/checks/http_usage_check.rb +31 -0
- data/lib/scanny/checks/information_leak_check.rb +55 -0
- data/lib/scanny/checks/input_filtering_check.rb +39 -0
- data/lib/scanny/checks/insecure_config/set_rails_env_check.rb +24 -0
- data/lib/scanny/checks/insecure_config/set_secret_check.rb +25 -0
- data/lib/scanny/checks/insecure_config/set_session_key_check.rb +23 -0
- data/lib/scanny/checks/insecure_method/eval_method_check.rb +26 -0
- data/lib/scanny/checks/insecure_method/marshal_check.rb +33 -0
- data/lib/scanny/checks/insecure_method/system_method_check.rb +46 -0
- data/lib/scanny/checks/mass_assignment_check.rb +48 -0
- data/lib/scanny/checks/random_numbers_check.rb +54 -0
- data/lib/scanny/checks/redirect_with_params_check.rb +48 -0
- data/lib/scanny/checks/regexp_check.rb +23 -0
- data/lib/scanny/checks/reset_session_check.rb +24 -0
- data/lib/scanny/checks/session/access_to_session_check.rb +49 -0
- data/lib/scanny/checks/session/session_secure_check.rb +47 -0
- data/lib/scanny/checks/shell_expanding_methods_check.rb +54 -0
- data/lib/scanny/checks/skip_before_filters_check.rb +41 -0
- data/lib/scanny/checks/sql_injection/find_method_check.rb +81 -0
- data/lib/scanny/checks/sql_injection/find_method_with_dynamic_string_check.rb +43 -0
- data/lib/scanny/checks/sql_injection/find_method_with_params_check.rb +80 -0
- data/lib/scanny/checks/sql_injection/sanitize_sql_check.rb +25 -0
- data/lib/scanny/checks/sql_injection/sql_check.rb +14 -0
- data/lib/scanny/checks/sql_injection/string_interpolation_with_params_check.rb +39 -0
- data/lib/scanny/checks/ssl/verify_check.rb +53 -0
- data/lib/scanny/checks/ssl/verify_peer_check.rb +37 -0
- data/lib/scanny/checks/system_tools/gpg_usage_check.rb +51 -0
- data/lib/scanny/checks/system_tools/sudo_check.rb +24 -0
- data/lib/scanny/checks/system_tools/tar_check.rb +24 -0
- data/lib/scanny/checks/system_tools/tar_commands_check.rb +27 -0
- data/lib/scanny/checks/system_tools/unzip_check.rb +30 -0
- data/lib/scanny/checks/temp_file_open_check.rb +57 -0
- data/lib/scanny/checks/user_find_check.rb +40 -0
- data/lib/scanny/checks/validates_check.rb +32 -0
- data/lib/scanny/checks/verify_check.rb +44 -0
- data/lib/scanny/checks/xss/xss_flash_check.rb +70 -0
- data/lib/scanny/checks/xss/xss_logger_check.rb +78 -0
- data/lib/scanny/checks/xss/xss_mark_check.rb +48 -0
- data/lib/scanny/checks/xss/xss_send_check.rb +70 -0
- data/lib/scanny/cli.rb +47 -0
- data/lib/scanny/issue.rb +28 -0
- data/lib/scanny/rake_task.rb +56 -0
- data/lib/scanny/reporters.rb +3 -0
- data/lib/scanny/reporters/reporter.rb +22 -0
- data/lib/scanny/reporters/simple_reporter.rb +19 -0
- data/lib/scanny/reporters/xml_reporter.rb +64 -0
- data/lib/scanny/ruby_version_check.rb +15 -0
- data/lib/scanny/runner.rb +90 -0
- data/scanny.gemspec +22 -0
- data/spec/scanny/check_spec.rb +22 -0
- data/spec/scanny/checks/access_control_check_spec.rb +43 -0
- data/spec/scanny/checks/backticks_check_spec.rb +22 -0
- data/spec/scanny/checks/before_filters_check_spec.rb +45 -0
- data/spec/scanny/checks/csrf_check_spec.rb +16 -0
- data/spec/scanny/checks/denial_of_service_check_spec.rb +28 -0
- data/spec/scanny/checks/file_open_check_spec.rb +22 -0
- data/spec/scanny/checks/frameworks_check_spec.rb +16 -0
- data/spec/scanny/checks/http_basic_auth_check_spec.rb +20 -0
- data/spec/scanny/checks/http_header/header_injection_check_spec.rb +21 -0
- data/spec/scanny/checks/http_redirect_check_spec.rb +15 -0
- data/spec/scanny/checks/http_request_check_spec.rb +37 -0
- data/spec/scanny/checks/http_usage_check_spec.rb +20 -0
- data/spec/scanny/checks/information_leak_check_spec.rb +32 -0
- data/spec/scanny/checks/input_filtering_check_spec.rb +19 -0
- data/spec/scanny/checks/insecure_config/set_rails_env_check_spec.rb +17 -0
- data/spec/scanny/checks/insecure_config/set_secret_check_spec.rb +22 -0
- data/spec/scanny/checks/insecure_config/set_session_key_check_spec.rb +21 -0
- data/spec/scanny/checks/insecure_method/eval_method_check_spec.rb +22 -0
- data/spec/scanny/checks/insecure_method/marshal_check_spec.rb +26 -0
- data/spec/scanny/checks/insecure_method/system_method_check_spec.rb +33 -0
- data/spec/scanny/checks/mass_assignment_check_spec.rb +30 -0
- data/spec/scanny/checks/random_numbers_check_spec.rb +41 -0
- data/spec/scanny/checks/redirect_with_params_check_spec.rb +24 -0
- data/spec/scanny/checks/regexp_check_spec.rb +22 -0
- data/spec/scanny/checks/reset_session_check_spec.rb +15 -0
- data/spec/scanny/checks/session/access_to_session_check_spec.rb +29 -0
- data/spec/scanny/checks/session/session_secure_check_spec.rb +22 -0
- data/spec/scanny/checks/shell_expanding_methods_check_spec.rb +67 -0
- data/spec/scanny/checks/skip_before_filters_check_spec.rb +81 -0
- data/spec/scanny/checks/sql_injection/find_method_check_spec.rb +62 -0
- data/spec/scanny/checks/sql_injection/find_method_with_dynamic_string_check_spec.rb +27 -0
- data/spec/scanny/checks/sql_injection/find_method_with_params_check_spec.rb +93 -0
- data/spec/scanny/checks/sql_injection/sanitize_sql_check_spec.rb +16 -0
- data/spec/scanny/checks/sql_injection/string_interpolation_with_params_check_spec.rb +18 -0
- data/spec/scanny/checks/ssl/verify_check_spec.rb +25 -0
- data/spec/scanny/checks/ssl/verify_peer_check_spec.rb +17 -0
- data/spec/scanny/checks/system_tools/gpg_usage_check_spec.rb +43 -0
- data/spec/scanny/checks/system_tools/sudo_check_spec.rb +24 -0
- data/spec/scanny/checks/system_tools/tar_check_spec.rb +20 -0
- data/spec/scanny/checks/system_tools/tar_commands_check_spec.rb +41 -0
- data/spec/scanny/checks/system_tools/unizp_check_spec.rb +29 -0
- data/spec/scanny/checks/temp_file_open_check_spec.rb +22 -0
- data/spec/scanny/checks/user_find_check_spec.rb +22 -0
- data/spec/scanny/checks/validates_check_spec.rb +19 -0
- data/spec/scanny/checks/verify_check_spec.rb +27 -0
- data/spec/scanny/checks/xss/xss_flash_check_spec.rb +22 -0
- data/spec/scanny/checks/xss/xss_logger_check_spec.rb +24 -0
- data/spec/scanny/checks/xss/xss_mark_check_spec.rb +31 -0
- data/spec/scanny/checks/xss/xss_send_check_spec.rb +34 -0
- data/spec/scanny/cli_spec.rb +167 -0
- data/spec/scanny/issue_spec.rb +82 -0
- data/spec/scanny/rake_taks_spec.rb +82 -0
- data/spec/scanny/reporters/reporter_spec.rb +24 -0
- data/spec/scanny/reporters/simple_reporter_spec.rb +48 -0
- data/spec/scanny/reporters/xml_reporter_spec.rb +52 -0
- data/spec/scanny/ruby_version_check_spec.rb +24 -0
- data/spec/scanny/runner_spec.rb +128 -0
- data/spec/spec_helper.rb +10 -0
- data/spec/support/aruba.rb +4 -0
- data/spec/support/check_spec_helpers.rb +5 -0
- data/spec/support/checks/extend_test_check.rb +11 -0
- data/spec/support/checks/test_check.rb +15 -0
- data/spec/support/checks/test_strict_check.rb +17 -0
- data/spec/support/const_spec_helpers.rb +36 -0
- data/spec/support/matchers/check_matcher.rb +43 -0
- data/spec/support/matchers/xpath_matcher.rb +30 -0
- data/spec/support/mock_task.rb +43 -0
- metadata +242 -0
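--- a/data/lib/scanny/checks/session/session_secure_check.rb
+++ b/data/lib/scanny/checks/session/session_secure_check.rb
@@ -0,0 +1,47 @@
+module Scanny
+module Checks
+module Session
+class SessionSecureCheck < Check
+def pattern
+pattern_session_settings
+end
+
+def check(node)
+issue :info, warning_message, :cwe => 614
+end
+
+def strict?
+true
+end
+
+private
+
+def warning_message
+"Bad session security setting can cause problems"
+end
+
+# ActionController::Base.session_options[:session_secure]
+def pattern_session_settings
+<<-EOT
+ElementAssignment<
+arguments = ActualArguments<
+array = [
+SymbolLiteral<value = :session_secure | :secure>,
+any
+]
+>,
+name = :[]=,
+receiver = Send<
+name = :session_options,
+receiver = ScopedConstant<
+name = :Base,
+parent = ConstantAccess<name = :ActionController>
+>
+>
+>
+EOT
+end
+end
+end
+end
+end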
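Review bot: The `any` in the value slot of `pattern_session_settings` makes `check` fire for `ActionController::Base.session_options[:secure] = true` exactly as it does for `= false`, and `check(node)` never inspects the assigned value, so a correctly hardened configuration receives the same :info issue as a broken one. Either narrow the second array element to the false/nil literal node (the SSL VerifyCheck in this release matches `NilLiteral` the same way) or read `node.arguments.array.last` in `check` and return without an issue when it is a true literal. The message `"Bad session security setting can cause problems"` should then describe what was actually found, e.g. `"Session cookie \"secure\" flag is disabled; the session id can be sent over plain HTTP"`. `strict?` returning `true` is not explained anywhere in the hunk; a one-line comment on what the runner does with it would help, since the runner is not part of this diff.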
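--- a/data/lib/scanny/checks/shell_expanding_methods_check.rb
+++ b/data/lib/scanny/checks/shell_expanding_methods_check.rb
@@ -0,0 +1,54 @@
+module Scanny
+module Checks
+# Checks for methods executing external commands that pass the command
+# through shell expansion. This can cause unwanted code execution if the
+# command includes unescaped input.
+class ShellExpandingMethodsCheck < Check
+def pattern
+[
+pattern_shell_expanding,
+pattern_popen,
+pattern_execute_string
+].join("|")
+end
+
+def check(node)
+# The command goes through shell expansion only if it is passed as one
+# argument.
+issue :high, warning_message(node), :cwe => [88, 78]
+end
+
+def warning_message(node = nil)
+name = node.respond_to?(:name) ? node.name : "`"
+"The \"#{name}\" method passes the executed command through shell expansion."
+end
+
+# system("rm -rf /")
+def pattern_shell_expanding
+<<-EOT
+SendWithArguments<
+receiver = Self | ConstantAccess<name = :Kernel>,
+name = :` | :exec | :system | :spawn,
+arguments = ActualArguments<array = [any]>
+>
+EOT
+end
+
+# IO.popen
+# IO.popen3
+def pattern_popen
+<<-EOT
+SendWithArguments<
+name ^= :popen,
+arguments = ActualArguments<array = [any]>
+>
+EOT
+end
+
+# `system_command`
+def pattern_execute_string
+"ExecuteString"
+end
+end
+end
+end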
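Review bot: The comment about shell expansion requiring a single argument is placed in `check`, but the condition it explains is `arguments = ActualArguments<array = [any]>` in `pattern_shell_expanding` and `pattern_popen`; move it next to those patterns so a reader of `check` is not looking for a test that is not there. It is also only a necessary condition: Ruby hands a single command string to `/bin/sh` only when it contains shell metacharacters, so the :high severity is a worst-case estimate and the comment should say so. `warning_message(node = nil)` falls back to "`" for any node without a `name`, which is what makes `ExecuteString` matches report as the backtick method; a comment such as `# ExecuteString nodes carry no method name; report them as the backtick method` would make that explicit. The `# IO.popen` / `# IO.popen3` comments undersell `pattern_popen`, which has no receiver constraint and whose `name ^= :popen` also matches `popen3` on any receiver, including user-defined methods.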
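--- a/data/lib/scanny/checks/skip_before_filters_check.rb
+++ b/data/lib/scanny/checks/skip_before_filters_check.rb
@@ -0,0 +1,41 @@
+module Scanny
+module Checks
+# Checks for use of the "before_filter" method with certain filters.
+class SkipBeforeFiltersCheck < Check
+FILTERS = [
+:login_required,
+:admin_required,
+:verify_authenticity_token,
+:authenticate
+]
+
+# skip_before_filer :login_required
+def pattern
+<<-EOT
+SendWithArguments<
+receiver = Self,
+name = :skip_before_filter,
+arguments = ActualArguments<
+array = [
+any*,
+SymbolLiteral<value = #{FILTERS.map(&:inspect).join(' | ')}>,
+any*
+]
+>
+>
+EOT
+end
+
+def check(node)
+filter_node = node.arguments.array.find do |argument|
+argument.is_a?(Rubinius::AST::SymbolLiteral) &&
+FILTERS.include?(argument.value)
+end
+
+issue :info,
+"The \"skip_before_filter\" method with :#{filter_node.value} filter is used.",
+:cwe => [285, 288, 425]
+end
+end
+end
+end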
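Review bot: `check` reports only the first protected filter in the call, because `find` stops at the first `SymbolLiteral` whose value is in `FILTERS`; `skip_before_filter :login_required, :verify_authenticity_token` yields one issue naming `:login_required` and the CSRF filter is silently dropped. Use `select` and either emit one issue per filter or join the names into the message, e.g. `names = node.arguments.array.select { |a| a.is_a?(Rubinius::AST::SymbolLiteral) && FILTERS.include?(a.value) }.map(&:value)`. The class comment says `before_filter` while the pattern matches `:skip_before_filter`, and the example comment reads `skip_before_filer`; both should say `skip_before_filter`. `FILTERS` is a mutable constant and should end with `.freeze`.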
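--- a/data/lib/scanny/checks/sql_injection/find_method_check.rb
+++ b/data/lib/scanny/checks/sql_injection/find_method_check.rb
@@ -0,0 +1,81 @@
+require_relative "sql_check"
+
+module Scanny
+module Checks
+module Sql
+# Check for methods executing external params on
+# database engine
+class FindMethodCheck < SqlCheck
+def pattern
+[
+pattern_find_by_sql_and_execute_on_models,
+pattern_find_by_with_params,
+pattern_find_by_with_conditions
+].join("|")
+end
+
+def check(node)
+issue :low, warning_message, :cwe => 89
+end
+
+private
+
+# User.find_by_sql
+# @collection.paginate(options)
+def pattern_find_by_sql_and_execute_on_models
+<<-EOT
+Send<name = :paginate>
+|
+SendWithArguments<
+name = :execute | :find_by_sql | :paginate
+>
+EOT
+end
+
+# find_by_id(params[:search])
+def pattern_find_by_with_params
+<<-EOT
+SendWithArguments<
+arguments = ActualArguments<
+array = [
+any*,
+SendWithArguments<
+name = :[],
+receiver = Send<
+name = :params
+>
+>,
+any*
+]
+>,
+name ^= :find_by
+>
+EOT
+end
+
+# find(:first, :conditions => "string")
+def pattern_find_by_with_conditions
+<<-EOT
+SendWithArguments<
+arguments = ActualArguments<
+array = [
+any+,
+HashLiteral<
+array = [
+any{even},
+SymbolLiteral<
+value = :conditions
+>,
+any{odd}
+]
+>
+]
+>,
+name = :find
+>
+EOT
+end
+end
+end
+end
+end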
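Review bot: `pattern_find_by_sql_and_execute_on_models` matches every `execute`/`find_by_sql`/`paginate` call regardless of receiver or arguments, so it is a strict superset of the first pattern in `FindMethodWithParamsCheck` from this same release; a call like `User.find_by_sql(params[:q])` will produce this :low issue and that :high one for the same node unless the runner de-duplicates by location (the runner is not in this diff). Consider documenting in the class comment that this check is the catch-all tier below `FindMethodWithDynamicStringCheck` and `FindMethodWithParamsCheck`, or excluding the argument shapes those checks already cover. The `|` standing alone inside the first heredoc is the pattern alternation operator and is easy to read as a stray character; a Ruby comment above the heredoc, `# Two alternatives: bare "paginate" (Send) or the three methods called with arguments`, would make the intent obvious. `warning_message` is inherited from `SqlCheck`, which is outside this hunk.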
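--- a/data/lib/scanny/checks/sql_injection/find_method_with_dynamic_string_check.rb
+++ b/data/lib/scanny/checks/sql_injection/find_method_with_dynamic_string_check.rb
@@ -0,0 +1,43 @@
+require_relative "sql_check"
+
+module Scanny
+module Checks
+module Sql
+# Check for methods executing external params on
+# database engine with dynamic string
+class FindMethodWithDynamicStringCheck < SqlCheck
+def pattern
+pattern_find_by_with_conditions_dynamic_string
+end
+
+def check(node)
+issue :medium, warning_message, :cwe => 89
+end
+
+private
+
+# find(:first, :conditions => "#{string}")
+def pattern_find_by_with_conditions_dynamic_string
+<<-EOT
+SendWithArguments<
+arguments = ActualArguments<
+array = [
+any+,
+HashLiteral<
+array = [
+any{even},
+SymbolLiteral<value = :conditions>,
+DynamicString,
+any{even}
+]
+>
+]
+>,
+name = :find
+>
+EOT
+end
+end
+end
+end
+end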
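Review bot: `name = :find` is the only method this pattern considers, and `any+` requires at least one positional argument before the options hash, so the same interpolated `:conditions` string passed to the Rails 2 finders that take the hash directly (`all`, `first`, `count`) never reaches `check`. Either state that scope in the class comment or widen the pattern, e.g. `name = :find | :all | :first | :count` together with `any*` in place of `any+`, if the later checks in this release are not meant to cover those. The class comment, `# Check for methods executing external params on database engine with dynamic string`, does not describe what is matched; `# Flags find(..., :conditions => "...") where the conditions string is built by interpolation` would. `warning_message` is inherited from `SqlCheck`, which is outside this hunk.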
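--- a/data/lib/scanny/checks/sql_injection/find_method_with_params_check.rb
+++ b/data/lib/scanny/checks/sql_injection/find_method_with_params_check.rb
@@ -0,0 +1,80 @@
+require_relative "sql_check"
+
+module Scanny
+module Checks
+module Sql
+# Check for methods executing external parameters on
+# database engine with params attribute
+class FindMethodWithParamsCheck < SqlCheck
+def pattern
+[
+pattern_find_by_sql_and_execute_on_models_with_params,
+pattern_find_with_conditions_and_params_or_limit
+].join("|")
+end
+
+def check(node)
+issue :high, warning_message, :cwe => 89
+end
+
+private
+
+# User.execute(params[:input])
+def pattern_find_by_sql_and_execute_on_models_with_params
+<<-EOT
+SendWithArguments<
+arguments = ActualArguments<
+array = [
+any*,
+SendWithArguments<
+name = :[],
+receiver = Send<name = :params>
+>
+|
+DynamicString<
+array = [
+any*,
+ToString<
+value = SendWithArguments<
+name = :[],
+receiver = Send<name = :params>
+>
+>,
+any*
+]
+>,
+any*
+]
+>,
+name = :execute | :find_by_sql | :paginate
+>
+EOT
+end
+
+# find(:first, :conditions => params[:password])
+def pattern_find_with_conditions_and_params_or_limit
+<<-EOT
+SendWithArguments<
+arguments = ActualArguments<
+array = [
+any+,
+HashLiteral<
+array = [
+any{even},
+SymbolLiteral<value = :limit | :conditions>,
+SendWithArguments<
+name = :[],
+receiver = Send<name = :params | :session>
+>,
+any{even}
+]
+>
+]
+>,
+name = :find>
+EOT
+end
+end
+end
+end
+end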
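Review bot: The two patterns disagree on what counts as tainted input: the first accepts only `receiver = Send<name = :params>` while the second accepts `:params | :session`, so `User.find_by_sql(session[:q])` is not reported but `find(:first, :conditions => session[:q])` is. Either drop `:session` or add it to both; if the asymmetry is deliberate, a comment on `pattern_find_by_sql_and_execute_on_models_with_params` should say why. The closing `>` is folded onto `name = :find>` in the second heredoc whereas every other pattern in these files puts it on its own line; split it for consistency. Both patterns see `params[...]` only as a direct argument or interpolated through `ToString`; `params[:x].to_s` or a local assigned from `params` earlier in the method is not matched, which the class comment could state as a known limitation.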
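--- a/data/lib/scanny/checks/sql_injection/sanitize_sql_check.rb
+++ b/data/lib/scanny/checks/sql_injection/sanitize_sql_check.rb
@@ -0,0 +1,25 @@
+require_relative "sql_check"
+
+module Scanny
+module Checks
+module Sql
+# Check for use of the "sanitize_sql" method
+class SanitizeCheck < SqlCheck
+def pattern
+pattern_sanitize_sql
+end
+
+def check(node)
+issue :info, warning_message, :cwe => 89
+end
+
+private
+
+# sanitize_sql()
+def pattern_sanitize_sql
+"SendWithArguments<name = :sanitize_sql>"
+end
+end
+end
+end
+end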
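Review bot: `check` reports `sanitize_sql` with the inherited `warning_message` and CWE-89, the same as the injection checks, yet `sanitize_sql` is the defensive call; if `SqlCheck#warning_message` (outside this hunk) carries the generic injection wording, the :info issue will read as though the sanitizing line were itself the vulnerability. Give this class its own private `warning_message`, e.g. `"sanitize_sql is used; confirm the sanitized string is not re-interpolated before it reaches the database"`. The example comment `# sanitize_sql()` shows a call without arguments, but `SendWithArguments` matches only calls that have some; either change the example to `# sanitize_sql(fragment)` or add the bare form with `| Send<name = :sanitize_sql>`, as `FindMethodCheck` in this release does for `paginate`.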
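--- a/data/lib/scanny/checks/sql_injection/string_interpolation_with_params_check.rb
+++ b/data/lib/scanny/checks/sql_injection/string_interpolation_with_params_check.rb
@@ -0,0 +1,39 @@
+require_relative "sql_check"
+
+module Scanny
+module Checks
+module Sql
+# Checks for use of dynamic strings in when creating an SQL query
+class StringInterpolationWithParamsCheck < SqlCheck
+def pattern
+pattern_params_in_select
+end
+
+def check(node)
+issue :high, warning_message, :cwe => 89
+end
+
+private
+
+# "SELECT params[:input] FROM users"
+def pattern_params_in_select
+<<-EOT
+DynamicString<
+array = [
+any*,
+ToString<
+value = SendWithArguments<
+name = :[],
+receiver = Send<name = :params>
+>
+>,
+any*
+],
+string ^= "SELECT"
+>
+EOT
+end
+end
+end
+end
+end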
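Review bot: `string ^= "SELECT"` restricts this :high check to interpolated strings whose literal prefix begins with upper-case `SELECT`, so `"select ..."`, `"UPDATE ..."`, `"DELETE FROM ..."`, `"INSERT ..."`, and a query whose literal part starts with whitespace or a heredoc newline all escape it even though they interpolate `params[...]` in the same way. If the prefix test is meant as a cheap "looks like SQL" filter, say so in a comment above the heredoc and widen it to the other statement verbs; whether the pattern language accepts alternation on a string attribute is not shown in this release (only symbols and node types use `|`), so that needs confirming. The example comment `# "SELECT params[:input] FROM users"` lacks the interpolation the pattern requires via `ToString`; it should read `# "SELECT #{params[:input]} FROM users"`. The class comment has a typo, `in when creating`; `# Checks for params interpolated into a string that starts an SQL query` also says what is matched.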
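--- a/data/lib/scanny/checks/ssl/verify_check.rb
+++ b/data/lib/scanny/checks/ssl/verify_check.rb
@@ -0,0 +1,53 @@
+module Scanny
+module Checks
+module SSL
+class VerifyCheck < Check
+def pattern
+[
+pattern_ssl_verify_none,
+pattern_ca_file
+].join("|")
+end
+
+def check(node)
+issue :high, warning_message, :cwe => [296, 297, 298, 299, 300, 599]
+end
+
+private
+
+def warning_message
+"Disable certificate verification can " +
+"lead to connect to an unauthorized server"
+end
+
+# OpenSSL::SSL::VERIFY_NONE
+def pattern_ssl_verify_none
+<<-EOT
+ScopedConstant<
+name = :VERIFY_NONE,
+parent = ScopedConstant<
+name = :SSL,
+parent = ConstantAccess<name = :OpenSSL>
+>
+>
+EOT
+end
+
+
+# ssl_context.ca_file = nil
+def pattern_ca_file
+<<-EOT
+AttributeAssignment<
+arguments = ActualArguments<
+array = [
+NilLiteral
+]
+>,
+name = :ca_path= | :ca_file=
+>
+EOT
+end
+end
+end
+end
+end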
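Review bot: The text in `warning_message` is ungrammatical for a :high finding that ends up in reports: `"Disable certificate verification can " + "lead to connect to an unauthorized server"` should read `"Disabling certificate verification can lead to connecting to an unauthorized server"`, which also fits on one line without the `+`. `pattern_ssl_verify_none` fires on any occurrence of the constant, including a comparison such as `verify_mode == OpenSSL::SSL::VERIFY_NONE`, while assigning the integer `0` (the value of `VERIFY_NONE`) to `verify_mode=` is not caught; both limits deserve a comment above the pattern, and an `AttributeAssignment<name = :verify_mode=>` alternative built like `pattern_ca_file` would close the second gap. `pattern_ca_file` is commented as `ssl_context.ca_file = nil` but also matches `ca_path= nil`; the comment should list both, e.g. `# ssl_context.ca_file = nil / ssl_context.ca_path = nil`.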