scanny 0.1.0

data/lib/scanny/checks/xss/xss_logger_check.rb

@@ -0,0 +1,78 @@
+module Scanny
+  module Checks
+    # Check for logger methods that are called with request params or
+    # a dynamic string. This allows us to avoid executing dangerous code.
+    class XssLoggerCheck < Check
+      def pattern
+        [
+          pattern_logger_with_params,
+          pattern_dynamic_string,
+        ].join("|")
+      end
+
+      def check(node)
+        issue :low, warning_message, :cwe => [20, 79]
+      end
+
+      private
+
+      def warning_message
+        "Assigning request parameters into logger can lead to XSS issues."
+      end
+
+      # logger(params[:password])
+      # logger("User password: #{params[:password]} is...")
+      def pattern_logger_with_params
+        <<-EOT
+          SendWithArguments<
+            arguments = ActualArguments<
+              array = [
+                any*,
+                SendWithArguments<
+                  name = :[],
+                  receiver = Send<name = :params>
+                >
+                |
+                DynamicString<
+                  array = [
+                    any*,
+                    ToString<
+                      value = SendWithArguments<
+                        name = :[],
+                        receiver = Send<name = :params>
+                      >
+                    >,
+                    any*
+                  ]
+                >,
+                any*
+              ]
+
+            >,
+            name = :logger
+          >
+        EOT
+      end
+
+      # logger "#{secure_data}"
+      def pattern_dynamic_string
+        <<-EOT
+          SendWithArguments<
+            arguments = ActualArguments<
+              array = [
+                DynamicString<
+                  array = [
+                    any*,
+                    ToString,
+                    any*
+                  ]
+                >
+              ]
+            >,
+            name = :logger
+          >
+        EOT
+      end
+    end
+  end
+end

data/lib/scanny/checks/xss/xss_mark_check.rb

@@ -0,0 +1,48 @@
+module Scanny
+  module Checks
+    # Check for methods mark_as_xss_protected and mark_methods_as_xss_safe
+    # that are called and can mark dangerous string as safe for html.
+    class XssMarkCheck < Check
+      def pattern
+        [
+          pattern_mark_as_safe,
+          pattern_xss_safe,
+          pattern_mark_methods_as_xss_safe
+        ].join("|")
+      end
+
+      def check(node)
+        issue :info, warning_message
+      end
+
+      private
+
+      def warning_message
+        "Marking string as safe can lead to XSS issues."
+      end
+
+      # xss_safe()
+      def pattern_xss_safe
+        "Send<name = :xss_safe>"
+      end
+
+      # mark_as_xss_protected()
+      def pattern_mark_as_safe
+        <<-EOT
+          Send<name =
+            :mark_as_xss_protected    |
+            :to_s_xss_protected
+          >
+        EOT
+      end
+
+      def pattern_mark_methods_as_xss_safe
+        <<-EOT
+          SendWithArguments<name = :mark_methods_as_xss_safe>
+          |
+          Send<name = :mark_methods_as_xss_safe>
+        EOT
+      end
+    end
+  end
+end

data/lib/scanny/checks/xss/xss_send_check.rb

@@ -0,0 +1,70 @@
+module Scanny
+  module Checks
+    # Checks for send_* methods that are called with :disposition => 'inline'.
+    # This can lead to download of private files from a server or to a XSS issue.
+    class XssSendCheck < Check
+      def pattern
+        [
+          pattern_send,
+          pattern_send_with_param
+        ].join("|")
+      end
+
+      def check(node)
+        if Machete.matches?(node, pattern_send)
+          issue :medium, warning_message, :cwe => [79, 115, 200]
+        elsif Machete.matches?(node, pattern_send_with_param)
+          issue :high, warning_message, :cwe => 201
+        end
+      end
+
+      private
+
+      def warning_message
+        "Send file or data to client in \"inline\" " +
+        "mode or with param can lead to XSS issues."
+      end
+
+      # send_file "file.txt", :disposition => "inline"
+      # send_data "file.txt", :disposition => "inline"
+      def pattern_send
+        <<-EOT
+        SendWithArguments<
+          name = :send_file | :send_data,
+          arguments = ActualArguments<
+            array = [
+              any,
+              HashLiteral<
+                array = [
+                  any{even},
+                  SymbolLiteral<value   = :disposition>,
+                  StringLiteral<string  = "inline">,
+                  any{even}
+                ]
+              >
+            ]
+          >
+        >
+        EOT
+      end
+
+      def pattern_send_with_param
+        <<-EOT
+        SendWithArguments<
+          name = :send_file | :send_data,
+          arguments = ActualArguments<
+            array = [
+              any*,
+              SendWithArguments<
+                name = :[],
+                receiver = Send<name = :params>
+              >,
+              any*
+            ]
+          >
+        >
+        EOT
+      end
+    end
+  end
+end

data/lib/scanny/cli.rb

@@ -0,0 +1,47 @@
+module Scanny
+  module CLI
+    def build_paths
+      paths = ARGV.map do |path|
+        path += "/**/*.rb" if File.directory?(path)
+        path
+      end
+      paths << "./app/**/*.rb" if paths.size == 0
+
+      paths.map { |path| path.gsub('//', '/') }
+    end
+
+    def require_checks(checks)
+      checks = checks.to_s.split(",").map(&:strip)
+
+      checks.each do |directory|
+        Dir[directory + "/**/*.rb"].each do |file|
+          require File.expand_path(file, Dir.pwd)
+        end
+      end
+    end
+
+    def runner_with_custom_checks(runner, disabled_checks, strict = false)
+      disabled_checks = disabled_checks.to_s.split(",").map(&:strip)
+
+      runner.checks.reject! do |check|
+        disabled_checks.any? { |ch| check.class.name == ch } ||
+        (check.strict? && !strict)
+      end
+
+      runner
+    end
+
+    def use_parser(version)
+      return unless version
+      case version
+        when '18'
+          Rubinius::Melbourne
+        when '19'
+          Rubinius::Melbourne19
+        else
+          $stderr.puts "I can not recognize the version of the parser: #{version}"
+          exit 2
+      end
+    end
+  end
+end

data/lib/scanny/issue.rb

@@ -0,0 +1,28 @@
+module Scanny
+  class Issue
+    attr_reader :file, :line, :impact, :message, :cwe
+
+    def initialize(file, line, impact, message, cwe = nil)
+      @file, @line, @impact, @message, @cwe = file, line, impact, message, cwe
+    end
+
+    def ==(other)
+      other.instance_of?(self.class) &&
+        @file == other.file &&
+        @line == other.line &&
+        @impact == other.impact &&
+        @message == other.message &&
+        @cwe == other.cwe
+    end
+
+    def to_s
+      cwe_suffix = if @cwe
+        " (" + Array(@cwe).map { |cwe| "CWE-#{cwe}" }.join(", ") + ")"
+      else
+        ""
+      end
+
+      "[#{@impact}] #{@file}:#{@line}: #{@message}#{cwe_suffix}"
+    end
+  end
+end

data/lib/scanny/rake_task.rb

@@ -0,0 +1,56 @@
+require 'rake'
+require 'rake/tasklib'
+
+module Scanny
+  class RakeTask < ::Rake::TaskLib
+    # name of rake task
+    attr_accessor :name
+    # paths to custom checks
+    attr_accessor :include
+    # list of disabled checks
+    attr_accessor :disable
+    # output format
+    attr_accessor :format
+    # strict mode
+    attr_accessor :strict
+    # custom path to scan
+    attr_accessor :path
+    # raise exception on error
+    attr_accessor :fail_on_error
+    # ruby mode
+    attr_accessor :ruby_mode
+
+    def initialize(name=:scanny)
+      @name           = name
+      @include        = []
+      @disable        = []
+      @format         = nil
+      @strict         = nil
+      @path           = nil
+      @fail_on_error  = nil
+      @ruby_mode      = nil
+
+      yield self if block_given?
+      define
+    end
+
+    def define
+      desc("Run scanny security scanner")
+
+      task name do
+        cmd =   ["scanny"]
+        cmd <<  ["-i"] + [@include]   unless @include.empty?
+        cmd <<  ["-d"] + [@disable]   unless @disable.empty?
+        cmd <<  ["-f #{@format}"]     if @format
+        cmd <<  ["-s"]                if @strict
+        cmd <<  ["-m #{@ruby_mode}"]  if @ruby_mode
+        cmd <<  [@path]               if @path
+        cmd = cmd.flatten.join(" ")
+
+        unless system(cmd)
+          raise("Command #{cmd} failed") if fail_on_error
+        end
+      end
+    end
+  end
+end

data/lib/scanny/reporters.rb

@@ -0,0 +1,3 @@
+require_relative "reporters/reporter"
+require_relative "reporters/simple_reporter"
+require_relative "reporters/xml_reporter"

data/lib/scanny/reporters/reporter.rb

@@ -0,0 +1,22 @@
+module Scanny
+  module Reporters
+    class Reporter
+      attr_accessor :file, :checks_performed, :nodes_inspected, :issues
+
+      def initialize(arguments = {})
+        arguments.each do |key, value|
+          instance_variable_set("@#{key}", value) unless value.nil?
+        end
+        set_default_values!
+      end
+
+      private
+
+      def set_default_values!
+        @check_performed  ||= 0
+        @nodes_inspected  ||= 0
+        @issues           ||= []
+      end
+    end
+  end
+end

data/lib/scanny/reporters/simple_reporter.rb

@@ -0,0 +1,19 @@
+require_relative 'reporter'
+
+module Scanny
+  module Reporters
+    class SimpleReporter < Reporter
+      def report
+        string =  "#{file} [#{checks_performed} checks done | "
+        string += "#{nodes_inspected} nodes inspected | #{issues.size} issues]"
+
+        issues.each do |issue|
+          string += "\n  - #{issue.to_s}"
+        end
+        puts string unless issues.empty?
+
+        string
+      end
+    end
+  end
+end

data/lib/scanny/reporters/xml_reporter.rb

@@ -0,0 +1,64 @@
+require_relative 'reporter'
+require 'rexml/document'
+
+module Scanny
+  module Reporters
+    class XMLReporter < Reporter
+
+      def initialize(*)
+        prepare_reports_directory
+        super
+      end
+
+      def report
+        out = ""
+        doc = REXML::Document.new
+
+        testsuite = REXML::Element.new("testsuite")
+        testsuite.add_attributes('assertions' => nodes_inspected.to_s,
+                                 'errors'     => issues.size.to_s,
+                                 'skipped'    => '0',
+                                 'tests'      => checks_performed.to_s,
+                                 'failures'   => '0',
+                                 'name'       => file)
+        #TODO: track time?
+
+        issues.each do |issue|
+          testcase = REXML::Element.new 'testcase'
+          testcase.add_attributes("name" => "#{issue.file}:#{issue.line}")
+
+          error = REXML::Element.new 'error'
+          error.add_attributes('type'    => issue.impact.to_s,
+                               'message' => issue.message)
+          error.text = issue.to_s
+
+          testcase.add_element error
+          testsuite.add_element testcase
+        end
+        testsuite.add_element REXML::Element.new("system-out")
+        testsuite.add_element REXML::Element.new("system-err")
+
+        doc << testsuite
+        doc.write(out, 2)
+        File.open(output, "w") { |f| f.write(out) }
+
+        out
+      end
+
+      private
+
+      def output
+        file_name = file.gsub('/', '\\')
+        "reports/Test-#{file_name}.xml"
+      end
+
+      def prepare_reports_directory
+        if File.exists?('reports')
+          puts "Removing 'reports' directory"
+          FileUtils.rm_rf 'reports'
+        end
+        FileUtils.mkdir 'reports'
+      end
+    end
+  end
+end