scanny 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.gitignore +5 -0
- data/Gemfile +11 -0
- data/LICENSE +23 -0
- data/README.md +185 -0
- data/Rakefile +5 -0
- data/bin/scanny +61 -0
- data/lib/scanny.rb +12 -0
- data/lib/scanny/checks/access_control_check.rb +52 -0
- data/lib/scanny/checks/backticks_check.rb +18 -0
- data/lib/scanny/checks/before_filters_check.rb +35 -0
- data/lib/scanny/checks/check.rb +33 -0
- data/lib/scanny/checks/csrf_check.rb +19 -0
- data/lib/scanny/checks/denial_of_service_check.rb +42 -0
- data/lib/scanny/checks/file_open_check.rb +46 -0
- data/lib/scanny/checks/frameworks_check.rb +24 -0
- data/lib/scanny/checks/helpers.rb +28 -0
- data/lib/scanny/checks/http_basic_auth_check.rb +39 -0
- data/lib/scanny/checks/http_header/header_injection_check.rb +38 -0
- data/lib/scanny/checks/http_redirect_check.rb +37 -0
- data/lib/scanny/checks/http_request_check.rb +74 -0
- data/lib/scanny/checks/http_usage_check.rb +31 -0
- data/lib/scanny/checks/information_leak_check.rb +55 -0
- data/lib/scanny/checks/input_filtering_check.rb +39 -0
- data/lib/scanny/checks/insecure_config/set_rails_env_check.rb +24 -0
- data/lib/scanny/checks/insecure_config/set_secret_check.rb +25 -0
- data/lib/scanny/checks/insecure_config/set_session_key_check.rb +23 -0
- data/lib/scanny/checks/insecure_method/eval_method_check.rb +26 -0
- data/lib/scanny/checks/insecure_method/marshal_check.rb +33 -0
- data/lib/scanny/checks/insecure_method/system_method_check.rb +46 -0
- data/lib/scanny/checks/mass_assignment_check.rb +48 -0
- data/lib/scanny/checks/random_numbers_check.rb +54 -0
- data/lib/scanny/checks/redirect_with_params_check.rb +48 -0
- data/lib/scanny/checks/regexp_check.rb +23 -0
- data/lib/scanny/checks/reset_session_check.rb +24 -0
- data/lib/scanny/checks/session/access_to_session_check.rb +49 -0
- data/lib/scanny/checks/session/session_secure_check.rb +47 -0
- data/lib/scanny/checks/shell_expanding_methods_check.rb +54 -0
- data/lib/scanny/checks/skip_before_filters_check.rb +41 -0
- data/lib/scanny/checks/sql_injection/find_method_check.rb +81 -0
- data/lib/scanny/checks/sql_injection/find_method_with_dynamic_string_check.rb +43 -0
- data/lib/scanny/checks/sql_injection/find_method_with_params_check.rb +80 -0
- data/lib/scanny/checks/sql_injection/sanitize_sql_check.rb +25 -0
- data/lib/scanny/checks/sql_injection/sql_check.rb +14 -0
- data/lib/scanny/checks/sql_injection/string_interpolation_with_params_check.rb +39 -0
- data/lib/scanny/checks/ssl/verify_check.rb +53 -0
- data/lib/scanny/checks/ssl/verify_peer_check.rb +37 -0
- data/lib/scanny/checks/system_tools/gpg_usage_check.rb +51 -0
- data/lib/scanny/checks/system_tools/sudo_check.rb +24 -0
- data/lib/scanny/checks/system_tools/tar_check.rb +24 -0
- data/lib/scanny/checks/system_tools/tar_commands_check.rb +27 -0
- data/lib/scanny/checks/system_tools/unzip_check.rb +30 -0
- data/lib/scanny/checks/temp_file_open_check.rb +57 -0
- data/lib/scanny/checks/user_find_check.rb +40 -0
- data/lib/scanny/checks/validates_check.rb +32 -0
- data/lib/scanny/checks/verify_check.rb +44 -0
- data/lib/scanny/checks/xss/xss_flash_check.rb +70 -0
- data/lib/scanny/checks/xss/xss_logger_check.rb +78 -0
- data/lib/scanny/checks/xss/xss_mark_check.rb +48 -0
- data/lib/scanny/checks/xss/xss_send_check.rb +70 -0
- data/lib/scanny/cli.rb +47 -0
- data/lib/scanny/issue.rb +28 -0
- data/lib/scanny/rake_task.rb +56 -0
- data/lib/scanny/reporters.rb +3 -0
- data/lib/scanny/reporters/reporter.rb +22 -0
- data/lib/scanny/reporters/simple_reporter.rb +19 -0
- data/lib/scanny/reporters/xml_reporter.rb +64 -0
- data/lib/scanny/ruby_version_check.rb +15 -0
- data/lib/scanny/runner.rb +90 -0
- data/scanny.gemspec +22 -0
- data/spec/scanny/check_spec.rb +22 -0
- data/spec/scanny/checks/access_control_check_spec.rb +43 -0
- data/spec/scanny/checks/backticks_check_spec.rb +22 -0
- data/spec/scanny/checks/before_filters_check_spec.rb +45 -0
- data/spec/scanny/checks/csrf_check_spec.rb +16 -0
- data/spec/scanny/checks/denial_of_service_check_spec.rb +28 -0
- data/spec/scanny/checks/file_open_check_spec.rb +22 -0
- data/spec/scanny/checks/frameworks_check_spec.rb +16 -0
- data/spec/scanny/checks/http_basic_auth_check_spec.rb +20 -0
- data/spec/scanny/checks/http_header/header_injection_check_spec.rb +21 -0
- data/spec/scanny/checks/http_redirect_check_spec.rb +15 -0
- data/spec/scanny/checks/http_request_check_spec.rb +37 -0
- data/spec/scanny/checks/http_usage_check_spec.rb +20 -0
- data/spec/scanny/checks/information_leak_check_spec.rb +32 -0
- data/spec/scanny/checks/input_filtering_check_spec.rb +19 -0
- data/spec/scanny/checks/insecure_config/set_rails_env_check_spec.rb +17 -0
- data/spec/scanny/checks/insecure_config/set_secret_check_spec.rb +22 -0
- data/spec/scanny/checks/insecure_config/set_session_key_check_spec.rb +21 -0
- data/spec/scanny/checks/insecure_method/eval_method_check_spec.rb +22 -0
- data/spec/scanny/checks/insecure_method/marshal_check_spec.rb +26 -0
- data/spec/scanny/checks/insecure_method/system_method_check_spec.rb +33 -0
- data/spec/scanny/checks/mass_assignment_check_spec.rb +30 -0
- data/spec/scanny/checks/random_numbers_check_spec.rb +41 -0
- data/spec/scanny/checks/redirect_with_params_check_spec.rb +24 -0
- data/spec/scanny/checks/regexp_check_spec.rb +22 -0
- data/spec/scanny/checks/reset_session_check_spec.rb +15 -0
- data/spec/scanny/checks/session/access_to_session_check_spec.rb +29 -0
- data/spec/scanny/checks/session/session_secure_check_spec.rb +22 -0
- data/spec/scanny/checks/shell_expanding_methods_check_spec.rb +67 -0
- data/spec/scanny/checks/skip_before_filters_check_spec.rb +81 -0
- data/spec/scanny/checks/sql_injection/find_method_check_spec.rb +62 -0
- data/spec/scanny/checks/sql_injection/find_method_with_dynamic_string_check_spec.rb +27 -0
- data/spec/scanny/checks/sql_injection/find_method_with_params_check_spec.rb +93 -0
- data/spec/scanny/checks/sql_injection/sanitize_sql_check_spec.rb +16 -0
- data/spec/scanny/checks/sql_injection/string_interpolation_with_params_check_spec.rb +18 -0
- data/spec/scanny/checks/ssl/verify_check_spec.rb +25 -0
- data/spec/scanny/checks/ssl/verify_peer_check_spec.rb +17 -0
- data/spec/scanny/checks/system_tools/gpg_usage_check_spec.rb +43 -0
- data/spec/scanny/checks/system_tools/sudo_check_spec.rb +24 -0
- data/spec/scanny/checks/system_tools/tar_check_spec.rb +20 -0
- data/spec/scanny/checks/system_tools/tar_commands_check_spec.rb +41 -0
- data/spec/scanny/checks/system_tools/unizp_check_spec.rb +29 -0
- data/spec/scanny/checks/temp_file_open_check_spec.rb +22 -0
- data/spec/scanny/checks/user_find_check_spec.rb +22 -0
- data/spec/scanny/checks/validates_check_spec.rb +19 -0
- data/spec/scanny/checks/verify_check_spec.rb +27 -0
- data/spec/scanny/checks/xss/xss_flash_check_spec.rb +22 -0
- data/spec/scanny/checks/xss/xss_logger_check_spec.rb +24 -0
- data/spec/scanny/checks/xss/xss_mark_check_spec.rb +31 -0
- data/spec/scanny/checks/xss/xss_send_check_spec.rb +34 -0
- data/spec/scanny/cli_spec.rb +167 -0
- data/spec/scanny/issue_spec.rb +82 -0
- data/spec/scanny/rake_taks_spec.rb +82 -0
- data/spec/scanny/reporters/reporter_spec.rb +24 -0
- data/spec/scanny/reporters/simple_reporter_spec.rb +48 -0
- data/spec/scanny/reporters/xml_reporter_spec.rb +52 -0
- data/spec/scanny/ruby_version_check_spec.rb +24 -0
- data/spec/scanny/runner_spec.rb +128 -0
- data/spec/spec_helper.rb +10 -0
- data/spec/support/aruba.rb +4 -0
- data/spec/support/check_spec_helpers.rb +5 -0
- data/spec/support/checks/extend_test_check.rb +11 -0
- data/spec/support/checks/test_check.rb +15 -0
- data/spec/support/checks/test_strict_check.rb +17 -0
- data/spec/support/const_spec_helpers.rb +36 -0
- data/spec/support/matchers/check_matcher.rb +43 -0
- data/spec/support/matchers/xpath_matcher.rb +30 -0
- data/spec/support/mock_task.rb +43 -0
- metadata +242 -0
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
module Scanny
|
|
2
|
+
module Checks
|
|
3
|
+
module SSL
|
|
4
|
+
class VerifyPeerCheck < Check
|
|
5
|
+
def pattern
|
|
6
|
+
pattern_ssl_verify_peer
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def check(node)
|
|
10
|
+
issue :info, warning_message
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
private
|
|
14
|
+
|
|
15
|
+
def warning_message
|
|
16
|
+
"Change the value of of VERIFY_PEER" +
|
|
17
|
+
"can lead to faulty accepted certificate"
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
# OpenSSL::SSL::VERIFY_PEER
|
|
21
|
+
def pattern_ssl_verify_peer
|
|
22
|
+
<<-EOT
|
|
23
|
+
ConstantAssignment<
|
|
24
|
+
constant = ScopedConstant<
|
|
25
|
+
name = :VERIFY_PEER,
|
|
26
|
+
parent = ScopedConstant<
|
|
27
|
+
name = :SSL,
|
|
28
|
+
parent = ConstantAccess<name = :OpenSSL>
|
|
29
|
+
>
|
|
30
|
+
>
|
|
31
|
+
>
|
|
32
|
+
EOT
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
end
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
module Scanny
|
|
2
|
+
module Checks
|
|
3
|
+
module SystemTools
|
|
4
|
+
class GpgUsageCheck < Check
|
|
5
|
+
include Scanny::Checks::Helpers
|
|
6
|
+
|
|
7
|
+
def pattern
|
|
8
|
+
[
|
|
9
|
+
pattern_gpg_class,
|
|
10
|
+
pattern_gpg_method,
|
|
11
|
+
build_pattern_exec_command('gpg')
|
|
12
|
+
].join("|")
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def check(node)
|
|
16
|
+
issue :info, warning_message
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
private
|
|
20
|
+
|
|
21
|
+
def warning_message
|
|
22
|
+
"Using gpg tool in the wrong way can lead to security problems"
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
# GPG.method
|
|
26
|
+
def pattern_gpg_class
|
|
27
|
+
<<-EOT
|
|
28
|
+
Send
|
|
29
|
+
<
|
|
30
|
+
receiver = ConstantAccess<
|
|
31
|
+
name *= /gpg/i
|
|
32
|
+
>
|
|
33
|
+
>
|
|
34
|
+
|
|
|
35
|
+
SendWithArguments
|
|
36
|
+
<
|
|
37
|
+
receiver = ConstantAccess<
|
|
38
|
+
name *= /gpg/i
|
|
39
|
+
>
|
|
40
|
+
>
|
|
41
|
+
EOT
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
# gpg()
|
|
45
|
+
def pattern_gpg_method
|
|
46
|
+
"Send<name *= 'gpg'> | SendWithArguments<name *= 'gpg'>"
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
end
|
|
51
|
+
end
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
module Scanny
|
|
2
|
+
module Checks
|
|
3
|
+
module SystemTools
|
|
4
|
+
class SudoCheck < Check
|
|
5
|
+
include Scanny::Checks::Helpers
|
|
6
|
+
|
|
7
|
+
def pattern
|
|
8
|
+
build_pattern_exec_command('sudo')
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def check(node)
|
|
12
|
+
issue :info, warning_message
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
private
|
|
16
|
+
|
|
17
|
+
def warning_message
|
|
18
|
+
"Using sudo can lead to the execution" +
|
|
19
|
+
"of programs on root administrator rights"
|
|
20
|
+
end
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
end
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
module Scanny
|
|
2
|
+
module Checks
|
|
3
|
+
module SystemTools
|
|
4
|
+
class TarCheck < Check
|
|
5
|
+
include Scanny::Checks::Helpers
|
|
6
|
+
|
|
7
|
+
def pattern
|
|
8
|
+
build_pattern_exec_command(/tar\s+/)
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def check(node)
|
|
12
|
+
issue :medium, warning_message, :cwe => 88
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
private
|
|
16
|
+
|
|
17
|
+
def warning_message
|
|
18
|
+
"Tar command can execute dangerous operations on files" +
|
|
19
|
+
"and can travel through directories"
|
|
20
|
+
end
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
end
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
module Scanny
|
|
2
|
+
module Checks
|
|
3
|
+
module SystemTools
|
|
4
|
+
class TarCommandsCheck < Check
|
|
5
|
+
include Scanny::Checks::Helpers
|
|
6
|
+
|
|
7
|
+
def pattern
|
|
8
|
+
[
|
|
9
|
+
build_pattern_exec_command(/tar.*\-\-to\-command/),
|
|
10
|
+
build_pattern_exec_command(/tar.*\-\-rmt\-command/),
|
|
11
|
+
build_pattern_exec_command(/tar.*\-\-rsh\-command/)
|
|
12
|
+
].join("|")
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def check(node)
|
|
16
|
+
issue :high, warning_message, :cwe => 88
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
private
|
|
20
|
+
|
|
21
|
+
def warning_message
|
|
22
|
+
"Tar command has an option that allows to run external programs"
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
module Scanny
|
|
2
|
+
module Checks
|
|
3
|
+
module SystemTools
|
|
4
|
+
class UnzipCheck < Check
|
|
5
|
+
include Scanny::Checks::Helpers
|
|
6
|
+
|
|
7
|
+
def pattern
|
|
8
|
+
[
|
|
9
|
+
build_pattern_exec_command(/unzip\s+[^(=|&)]/),
|
|
10
|
+
build_pattern_exec_command(/unzip.*-:/)
|
|
11
|
+
].join("|")
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def check(node)
|
|
15
|
+
if Machete.matches?(node, build_pattern_exec_command(/unzip.*-:/))
|
|
16
|
+
issue :high, warning_message, :cwe => [23, 88]
|
|
17
|
+
elsif Machete.matches?(node, build_pattern_exec_command(/unzip\s+[^(=|&)]/))
|
|
18
|
+
issue :medium, warning_message, :cwe => [23, 88]
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
private
|
|
23
|
+
|
|
24
|
+
def warning_message
|
|
25
|
+
"Unzip option allows '../' in archived file path, dir traversal"
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
module Scanny
|
|
2
|
+
module Checks
|
|
3
|
+
class TempFileOpenCheck < Check
|
|
4
|
+
def pattern
|
|
5
|
+
[
|
|
6
|
+
pattern_temp,
|
|
7
|
+
pattern_file_open,
|
|
8
|
+
pattern_mkdir_p
|
|
9
|
+
].join("|")
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def check(node)
|
|
13
|
+
issue :medium, warning_message, :cwe => 377
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
private
|
|
17
|
+
|
|
18
|
+
def warning_message
|
|
19
|
+
"Access to the temporary files can lead to" +
|
|
20
|
+
"unauthorized access to data"
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
# File.open("/app/path/tmp_file")
|
|
24
|
+
def pattern_file_open
|
|
25
|
+
<<-EOT
|
|
26
|
+
SendWithArguments<
|
|
27
|
+
arguments = ActualArguments<
|
|
28
|
+
array = [
|
|
29
|
+
StringLiteral<string *= "tmp">
|
|
30
|
+
]
|
|
31
|
+
>,
|
|
32
|
+
receiver = ConstantAccess<name = :File>,
|
|
33
|
+
name = :open
|
|
34
|
+
>
|
|
35
|
+
EOT
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
# mkdir_p("long/path/tmp/file")
|
|
39
|
+
def pattern_mkdir_p
|
|
40
|
+
<<-EOT
|
|
41
|
+
SendWithArguments<
|
|
42
|
+
arguments = ActualArguments<
|
|
43
|
+
array = [
|
|
44
|
+
StringLiteral<string *= "tmp">
|
|
45
|
+
]
|
|
46
|
+
>,
|
|
47
|
+
name = :mkdir_p
|
|
48
|
+
>
|
|
49
|
+
EOT
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
def pattern_temp
|
|
53
|
+
'StringLiteral<string *= /\/tmp\//>'
|
|
54
|
+
end
|
|
55
|
+
end
|
|
56
|
+
end
|
|
57
|
+
end
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
module Scanny
|
|
2
|
+
module Checks
|
|
3
|
+
class UserFindCheck < Check
|
|
4
|
+
def pattern
|
|
5
|
+
pattern_user_find
|
|
6
|
+
end
|
|
7
|
+
|
|
8
|
+
def check(node)
|
|
9
|
+
issue :medium, warning_message, :cwe => [89, 592]
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
private
|
|
13
|
+
|
|
14
|
+
def warning_message
|
|
15
|
+
"Create a user object using the " +
|
|
16
|
+
"parameters can cause security problems"
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
# User.find(params[:input])
|
|
20
|
+
def pattern_user_find
|
|
21
|
+
<<-EOT
|
|
22
|
+
SendWithArguments<
|
|
23
|
+
arguments = ActualArguments<
|
|
24
|
+
array = [
|
|
25
|
+
any*,
|
|
26
|
+
SendWithArguments<
|
|
27
|
+
name = :[],
|
|
28
|
+
receiver = Send<name = :params>
|
|
29
|
+
>,
|
|
30
|
+
any*
|
|
31
|
+
]
|
|
32
|
+
>,
|
|
33
|
+
name = :find,
|
|
34
|
+
receiver = ConstantAccess<name = :User>
|
|
35
|
+
>
|
|
36
|
+
EOT
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
end
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
module Scanny
|
|
2
|
+
module Checks
|
|
3
|
+
class ValidatesCheck < Check
|
|
4
|
+
def pattern
|
|
5
|
+
pattern_validates
|
|
6
|
+
end
|
|
7
|
+
|
|
8
|
+
def check(node)
|
|
9
|
+
issue :info, warning_message
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def strict?
|
|
13
|
+
true
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
private
|
|
17
|
+
|
|
18
|
+
def warning_message
|
|
19
|
+
"Incorrect validations may allow malicious data transmission"
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
# validates_presence_of :email
|
|
23
|
+
def pattern_validates
|
|
24
|
+
<<-EOT
|
|
25
|
+
SendWithArguments<
|
|
26
|
+
name *= /validates_[\\w]*_of/
|
|
27
|
+
>
|
|
28
|
+
EOT
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
module Scanny
|
|
2
|
+
module Checks
|
|
3
|
+
class VerifyMethodCheck < Check
|
|
4
|
+
def pattern
|
|
5
|
+
pattern_verify
|
|
6
|
+
end
|
|
7
|
+
|
|
8
|
+
def check(node)
|
|
9
|
+
issue :info, warning_message
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def strict?
|
|
13
|
+
true
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
private
|
|
17
|
+
|
|
18
|
+
def warning_message
|
|
19
|
+
"Incorrect to use the verify method can lead to " +
|
|
20
|
+
"accept additional parameters from request"
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
# verify :method => :get
|
|
24
|
+
def pattern_verify
|
|
25
|
+
<<-EOT
|
|
26
|
+
SendWithArguments<
|
|
27
|
+
arguments = ActualArguments<
|
|
28
|
+
array = [
|
|
29
|
+
HashLiteral<
|
|
30
|
+
array = [
|
|
31
|
+
any{even},
|
|
32
|
+
SymbolLiteral<value = :method>,
|
|
33
|
+
any{odd}
|
|
34
|
+
]
|
|
35
|
+
>
|
|
36
|
+
]
|
|
37
|
+
>,
|
|
38
|
+
name = :verify
|
|
39
|
+
>
|
|
40
|
+
EOT
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
end
|
|
@@ -0,0 +1,70 @@
|
|
|
1
|
+
module Scanny
|
|
2
|
+
module Checks
|
|
3
|
+
# Check for flash methods that are called with request params or
|
|
4
|
+
# dynamic a string. This allows us to avoid showing dangerous
|
|
5
|
+
# HTML code to users
|
|
6
|
+
class XssFlashCheck < Check
|
|
7
|
+
def pattern
|
|
8
|
+
[
|
|
9
|
+
pattern_params,
|
|
10
|
+
pattern_dynamic_string
|
|
11
|
+
].join("|")
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def check(node)
|
|
15
|
+
if Machete.matches?(node, pattern_params)
|
|
16
|
+
issue :high, warning_message, :cwe => 79
|
|
17
|
+
elsif Machete.matches?(node, pattern_dynamic_string)
|
|
18
|
+
issue :medium, warning_message, :cwe => 79
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
private
|
|
23
|
+
|
|
24
|
+
def warning_message
|
|
25
|
+
"Assigning request parameters into flash can lead to XSS issues."
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
# flash[:warning] = params[:password]
|
|
29
|
+
def pattern_params
|
|
30
|
+
<<-EOT
|
|
31
|
+
ElementAssignment<
|
|
32
|
+
arguments = ActualArguments<
|
|
33
|
+
array = [
|
|
34
|
+
SymbolLiteral<value = :warning>,
|
|
35
|
+
SendWithArguments<
|
|
36
|
+
name = :[],
|
|
37
|
+
receiver = Send<name = :params>
|
|
38
|
+
>
|
|
39
|
+
]
|
|
40
|
+
>,
|
|
41
|
+
name = :[]=,
|
|
42
|
+
receiver = Send<name = :flash>
|
|
43
|
+
>
|
|
44
|
+
EOT
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
# flash[:warning] = "#{secure_data}"
|
|
48
|
+
def pattern_dynamic_string
|
|
49
|
+
<<-EOT
|
|
50
|
+
ElementAssignment<
|
|
51
|
+
arguments = ActualArguments<
|
|
52
|
+
array = [
|
|
53
|
+
SymbolLiteral<value = :warning>,
|
|
54
|
+
DynamicString<
|
|
55
|
+
array = [
|
|
56
|
+
any*,
|
|
57
|
+
ToString,
|
|
58
|
+
any*
|
|
59
|
+
]
|
|
60
|
+
>
|
|
61
|
+
]
|
|
62
|
+
>,
|
|
63
|
+
name = :[]=,
|
|
64
|
+
receiver = Send<name = :flash>
|
|
65
|
+
>
|
|
66
|
+
EOT
|
|
67
|
+
end
|
|
68
|
+
end
|
|
69
|
+
end
|
|
70
|
+
end
|