scanny 0.1.0

data/lib/scanny/ruby_version_check.rb

@@ -0,0 +1,15 @@
+unless defined?(RUBY_ENGINE) && RUBY_ENGINE == "rbx" && RUBY_VERSION >= '1.9'
+  desc = defined?(RUBY_DESCRIPTION) ? RUBY_DESCRIPTION : "ruby #{RUBY_VERSION} (#{RUBY_RELEASE_DATE})"
+  abort <<-end_message
+
+      Scanny requires Rubinius in 1.9 mode.
+
+      You're running
+        #{desc}
+
+      Please change your Ruby implementation to continue.
+
+  end_message
+
+  raise abort
+end

data/lib/scanny/runner.rb

@@ -0,0 +1,90 @@
+require "yaml"
+require "machete"
+require "ostruct"
+
+module Scanny
+  class Runner
+    attr_reader :checks, :checks_data, :file, :parser
+
+    def initialize(*checks)
+      options = checks.last.is_a?(Hash) ? checks.pop : {}
+
+      if checks.empty?
+        @checks = check_classes
+      else
+        @checks = checks
+      end
+
+      @checks_data = []
+      @parser = options[:parser] || Rubinius::Melbourne19
+    end
+
+    def check(file, input)
+      ast               = parser.new("(eval)", 1).parse_string(input)
+      ignored_lines     = extract_ignored_lines(input)
+      checks_performed  = 0
+      nodes_inspected   = 0
+      issues            = []
+
+      @checks.each do |check|
+        nodes_to_inspect = Machete.find(ast, check.compiled_pattern)
+        checks_performed += 1 unless nodes_to_inspect.empty?
+        nodes_inspected  += nodes_to_inspect.size
+
+        nodes_to_inspect.each do |node|
+          issues += check.visit(file, node)
+        end
+        issues.reject! { |i| ignored_lines.include?(i.line) }
+      end
+
+      {
+        :issues             => issues,
+        :checks_performed   => checks_performed,
+        :nodes_inspected    => nodes_inspected,
+        :file               => file
+      }
+    end
+
+    def check_file(file)
+      @file = file
+      @checks_data << check(file, File.read(file))
+    end
+
+    def check_files(*files)
+      files.each { |f| check_file(f) }
+    end
+    alias :run :check_files
+
+    private
+
+    def check_classes
+      # Get list of all subclasses of Scanny::Checks::Check.
+      classes = []
+      ObjectSpace.each_object(Class) do |klass|
+        classes << klass if klass < Scanny::Checks::Check
+      end
+
+      # Filter out classes that are a superclass of some other class in the list.
+      # This way only "leaf" classes remain.
+      classes.reject! do |klass|
+        classes.any? { |c| c < klass }
+      end
+
+      classes.map(&:new)
+    end
+
+    def extract_ignored_lines(input)
+      ignored_lines = []
+      input.split("\n").each_with_index do |line, i|
+        if line =~ /SCANNY_IGNORE(_NEXT(?:_(\d+))?)?/
+          if $2
+            ignored_lines += ((i + 2)..(i + 1 + $2.to_i)).to_a
+          else
+            ignored_lines << i + ($1 ? 2 : 1)
+          end
+        end
+      end
+      ignored_lines
+    end
+  end
+end

data/scanny.gemspec

@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name        = "scanny"
+  s.version     = '0.1.0'
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ['Thomas Biege', 'Flavio Castelli', 'David Majda', 'Piotr Niełacny']
+  s.email       = ['thomas@suse.de', 'fcastelli@novell.com', 'dmajda@suse.cz', 'piotr.nielacny@gmail.com']
+  s.homepage    = "https://github.com/openSUSE/scanny"
+  s.summary     = "Ruby security scanner"
+  s.description = "Find all security issues affecting your code."
+
+  s.required_rubygems_version = ">= 1.3.6"
+  s.rubyforge_project         = "scanny"
+
+  s.add_dependency "machete", "0.5.0"
+  s.add_dependency "docopt", "0.0.4"
+
+  s.files        = `git ls-files`.split("\n")
+  s.executables  = `git ls-files`.split("\n").map{|f| f =~ /^bin\/(.*)/ ? $1 : nil}.compact
+  s.require_path = 'lib'
+end

data/spec/scanny/check_spec.rb

@@ -0,0 +1,22 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe Check do
+    it "reports issues" do
+      check = TestCheck.new
+      issues = check.visit("unsecure.rb", Rubinius::AST::FixnumLiteral.new(1, 42))
+
+      issues.should == [
+        Scanny::Issue.new("unsecure.rb", 1, :high, "Hey, I found unsecure code!", 42),
+        Scanny::Issue.new("unsecure.rb", 1, :high, "Hey, I found more unsecure code!", 43),
+        Scanny::Issue.new("unsecure.rb", 1, :low,  "OK, this is unsecure too, but not that much")
+      ]
+    end
+
+    it "returns compiled pattern" do
+      check = TestCheck.new
+      compiled_pattern = check.compiled_pattern
+      compiled_pattern.should be_kind_of(Machete::Matchers::NodeMatcher)
+    end
+  end
+end

data/spec/scanny/checks/access_control_check_spec.rb

@@ -0,0 +1,43 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe AccessControlCheck do
+    before :each do
+      @runner = Scanny::Runner.new(AccessControlCheck.new)
+      @issue = issue(:medium,
+        "Using \"params[:id]\" requires proper authorization check.", 285)
+    end
+
+    it "reports \"new\" calls with \"params[:id]\" in the attributes hash correctly" do
+      @runner.should check('User.new(:id => params[:id])').with_issue(@issue)
+      @runner.should check(
+        'User.new(:foo => 42, :id => params[:id], :bar => 43)'
+      ).with_issue(@issue)
+      @runner.should check('User.new(:id => not_params[:id])').without_issues
+      @runner.should check('User.new(:id => params[:not_id])').without_issues
+    end
+
+    it "reports \"create\" calls with \"params[:id]\" in the attributes hash correctly" do
+      @runner.should check('User.create(:id => params[:id])').with_issue(@issue)
+      @runner.should check(
+        'User.create(:foo => 42, :id => params[:id], :bar => 43)'
+      ).with_issue(@issue)
+      @runner.should check('User.create(:id => not_params[:id])').without_issues
+      @runner.should check('User.create(:id => params[:not_id])').without_issues
+    end
+
+    it "reports \"delete\" calls with \"params[:id]\" in the arguments" do
+      @runner.should check('User.delete(params[:id])').with_issue(@issue)
+      @runner.should check('User.delete(42, params[:id], 43)').with_issue(@issue)
+      @runner.should check('User.new(not_params[:id])').without_issues
+      @runner.should check('User.new(params[:not_id])').without_issues
+    end
+
+    it "reports \"destroy\" calls with \"params[:id]\" in the arguments" do
+      @runner.should check('User.destroy(params[:id])').with_issue(@issue)
+      @runner.should check('User.destroy(42, params[:id], 43)').with_issue(@issue)
+      @runner.should check('User.new(not_params[:id])').without_issues
+      @runner.should check('User.new(params[:not_id])').without_issues
+    end
+  end
+end

data/spec/scanny/checks/backticks_check_spec.rb

@@ -0,0 +1,22 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe BackticksCheck do
+    before :each do
+      @runner = Scanny::Runner.new(BackticksCheck.new)
+      @issue = issue(:high,
+        "Backticks and %x{...} pass the executed command through shell expansion.",
+        [88, 78])
+    end
+
+    it "reports backticks correctly" do
+      @runner.should check('`ls -l`').with_issue(@issue)
+      @runner.should check('`ls #{options}`').with_issue(@issue)
+    end
+
+    it "reports %x{...} correctly" do
+      @runner.should check('%x{ls -l}').with_issue(@issue)
+      @runner.should check('%x{ls #{options}}').with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/before_filters_check_spec.rb

@@ -0,0 +1,45 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe BeforeFiltersCheck do
+    before :each do
+      @runner = Scanny::Runner.new(BeforeFiltersCheck.new)
+      @login_required_issue = issue(:info,
+        "The \"before_filter\" method with :login_required filter is used.",
+        nil)
+      @admin_required_issue = issue(:info,
+        "The \"before_filter\" method with :admin_required filter is used.",
+        nil)
+    end
+
+    it "reports \"before_filter\" with :login_required filter correctly" do
+      @runner.should check(
+        'before_filter :login_required'
+      ).with_issue(@login_required_issue)
+      @runner.should check(
+        'self.before_filter :login_required'
+      ).with_issue(@login_required_issue)
+      @runner.should check('foo.before_filter :login_required').without_issues
+      @runner.should check('after_filter :login_required').without_issues
+      @runner.should check(
+        'before_filter :some_filter, :login_required, :another_filter'
+      ).with_issue(@login_required_issue)
+      @runner.should check('before_filter :some_filter').without_issues
+    end
+
+    it "reports \"before_filter\" with :admin_required filter correctly" do
+      @runner.should check(
+        'before_filter :admin_required'
+      ).with_issue(@admin_required_issue)
+      @runner.should check(
+        'self.before_filter :admin_required'
+      ).with_issue(@admin_required_issue)
+      @runner.should check('foo.before_filter :admin_required').without_issues
+      @runner.should check('after_filter :admin_required').without_issues
+      @runner.should check(
+        'before_filter :some_filter, :admin_required, :another_filter'
+      ).with_issue(@admin_required_issue)
+      @runner.should check('before_filter :some_filter').without_issues
+    end
+  end
+end

data/spec/scanny/checks/csrf_check_spec.rb

@@ -0,0 +1,16 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe CSRFCheck do
+    before :each do
+      @runner = Scanny::Runner.new(CSRFCheck.new)
+      @issue = issue(:info, "The \"protect_from_forgery\" method is used.", 352)
+    end
+
+    it "reports \"protect_from_forgery\" correctly" do
+      @runner.should check('protect_from_forgery').with_issue(@issue)
+      @runner.should check('self.protect_from_forgery').with_issue(@issue)
+      @runner.should check('foo.protect_from_forgery').without_issues
+    end
+  end
+end

data/spec/scanny/checks/denial_of_service_check_spec.rb

@@ -0,0 +1,28 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe DenialOfServiceCheck do
+    before do
+      @runner = Scanny::Runner.new(DenialOfServiceCheck.new)
+      @message =  "Using \"LIKE\" in queries may lead to " +
+                  "the unavailability of the application"
+      @issue = issue(:medium, @message, 400)
+    end
+
+    it "reports \"User.find(:first, :conditions => \"name LIKE '%bob%'\" )\" correctly" do
+      @runner.should  check("User.find(:first, :conditions => \"name LIKE '%bob%'\" )").
+                      with_issue(@issue)
+      @runner.should  check("User.find(:conditions => \"name LIKE '%bob%'\")").
+                      without_issues
+    end
+
+    it "reports \"User.find(:first, :limit => \"name LIKE '%bob%'\" )\" correctly" do
+      @runner.should  check("User.find(:first, :limit => \"name LIKE '%bob%'\" )").
+                      with_issue(@issue)
+      @runner.should  check("User.find(:limit => \"name LIKE '%bob%'\")").
+                      without_issues
+    end
+
+
+  end
+end

data/spec/scanny/checks/file_open_check_spec.rb

@@ -0,0 +1,22 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe FileOpenCheck do
+    before do
+      @runner = Scanny::Runner.new(FileOpenCheck.new)
+      @message =  "Operations on files in code can lead to" +
+                  "unauthorized access to data"
+      @issue = issue(:info, @message)
+    end
+
+    it "reports \"File.open('/home/app/tmp/file')\" correctly" do
+      @runner.should  check("File.open('/home/app/tmp/file')").
+                      with_issue(@issue)
+    end
+
+    it "reports \"FileUtils.chmod(0755, '/usr/bin/ruby')\" correctly" do
+      @runner.should  check("FileUtils.chmod(0755, '/usr/bin/ruby')").
+                      with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/frameworks_check_spec.rb

@@ -0,0 +1,16 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe FrameworksCheck do
+    before do
+      @runner = Scanny::Runner.new(FrameworksCheck.new)
+      @message = "Using the methods from frameworks can lead to security problems"
+      @issue = issue(:info, @message)
+    end
+
+    it "reports \"env['HTTP_X_USERNAME']\" correctly" do
+      @runner.should check("env['HTTP_X_USERNAME']").with_issue(@issue)
+    end
+
+  end
+end

data/spec/scanny/checks/http_basic_auth_check_spec.rb

@@ -0,0 +1,20 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe HTTPBasicAuthCheck do
+    before do
+      @runner = Scanny::Runner.new(HTTPBasicAuthCheck.new)
+      @message = "Basic HTTP authentication can lead to security problems"
+      @issue = issue(:info, @message, [301, 718])
+    end
+
+    it "reports \"Net::HTTPHeader#basic_auth'\" correctly" do
+      @runner.should check("basic_auth('user', 'password')").with_issue(@issue)
+      @runner.should check("basic_auth").without_issues
+    end
+
+    it "reports \"HttpAuthentication\" correctly" do
+      @runner.should check("HttpAuthentication").with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/http_header/header_injection_check_spec.rb

@@ -0,0 +1,21 @@
+require "spec_helper"
+
+module Scanny::Checks::HttpHeader
+  describe HeaderInjectionCheck do
+    before do
+      @runner = Scanny::Runner.new(HeaderInjectionCheck.new)
+      @message =  "Directly use of the HTTP_* headers in code. " +
+                  "Possible injection vulnerabilities"
+      @issue = issue(:medium, @message, [20, 113])
+    end
+
+    it "reports \"env['HTTP_HEADER']\" correctly" do
+      @runner.should check("env['HTTP_HEADER']").with_issue(@issue)
+    end
+
+    it "reports \"headers['HTTP_HEADER']\" correctly" do
+      @runner.should check("headers['HTTP_HEADER']").with_issue(@issue)
+      @runner.should check("headers['NORMAL_HEADER']").without_issues
+    end
+  end
+end

data/spec/scanny/checks/http_redirect_check_spec.rb

@@ -0,0 +1,15 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe HTTPRedirectCheck do
+    before do
+      @runner = Scanny::Runner.new(HTTPRedirectCheck.new)
+      @message = "HTTP redirects can be emitted by the Application"
+      @issue = issue(:medium, @message, 441)
+    end
+
+    it "reports \"require 'open-uri'\" correctly" do
+      @runner.should check("require 'open-uri'").with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/http_request_check_spec.rb

@@ -0,0 +1,37 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe HTTPRequestCheck do
+    before do
+      @runner = Scanny::Runner.new(HTTPRequestCheck.new)
+      @message =  "Connecting to the server without encryption " +
+          "can facilitate sniffing traffic"
+      @issue = issue(:low, @message, 441)
+    end
+
+    it "reports \"Net::HTTP.new('http://example.com/')\" correctly" do
+      @runner.should  check("Net::HTTP.new('http://example.com/')").
+                      with_issue(@issue)
+    end
+
+    it "reports \"Net::HTTP::Get.new('http://example.com/')\" correctly" do
+      @runner.should  check("Net::HTTP::Get.new('http://example.com/')").
+                      with_issue(@issue)
+    end
+
+    it "reports \"Net::HTTP::Post.new('http://example.com/')\" correctly" do
+      @runner.should  check("Net::HTTP::Post.new('http://example.com/')").
+                      with_issue(@issue)
+    end
+
+    it "reports \"Net::HTTP::Method.new('http://example.com/')\" correctly" do
+      @runner.should  check("Net::HTTP::Method.new('http://example.com/')").
+                      with_issue(@issue)
+    end
+
+    it "reports \"Net::HTTP::Proxy('proxy.example.com', 8080)\" correctly" do
+      @runner.should  check("Net::HTTP::Proxy('proxy.example.com', 8080)").
+                      with_issue(@issue)
+    end
+  end
+end