scanny 0.1.0

data/spec/scanny/checks/http_usage_check_spec.rb

@@ -0,0 +1,20 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe HTTPUsageCheck do
+    before do
+      @runner = Scanny::Runner.new(HTTPUsageCheck.new)
+      @message =  "Connecting to the server without encryption " +
+                  "can facilitate sniffing traffic"
+      @issue = issue(:low, @message, 319)
+    end
+
+    it "reports \"http://\" correctly" do
+      @runner.should check("'http://'").with_issue(@issue)
+    end
+
+    it "reports \"@http.connect('http://server.com')\" correctly" do
+      @runner.should check("@http.connect('http://server.com')").with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/information_leak_check_spec.rb

@@ -0,0 +1,32 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe InformationLeakCheck do
+    before do
+      @runner = Scanny::Runner.new(InformationLeakCheck.new)
+      @message = "There is a possibility of data leakage"
+      @issue = issue(:medium, @message, 200)
+    end
+
+    it "reports \"filter_parameter_logging\" correctly" do
+      @runner.should check("filter_parameter_logging").with_issue(@issue)
+    end
+
+    it "reports \"filter_parameter_logging :password\" correctly" do
+      @runner.should  check("filter_parameter_logging :password").
+                      with_issue(@issue)
+    end
+
+    it "reports \"User.find(params[:id])\" correctly" do
+      @runner.should check("User.find(params[:id])").with_issue(@issue)
+    end
+
+    it "reports \"User.find_by_id(params[:id])\" correctly" do
+      @runner.should check("User.find_by_id(params[:id])").with_issue(@issue)
+    end
+
+    it "reports \"User.find_by_object_id(params[:name])\" correctly" do
+      @runner.should check("User.find_by_object_id(params[:id])").with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/input_filtering_check_spec.rb

@@ -0,0 +1,19 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe InputFilteringCheck do
+    before do
+      @runner = Scanny::Runner.new(InputFilteringCheck.new)
+      @message =  "Possible injection vulnerabilities"
+      @issue = issue(:low, @message, 20)
+    end
+
+    it "reports \"logger(params[:password])\" correctly" do
+      @runner.should check("params[:password]").with_issue(@issue)
+    end
+
+    it "reports \"system('\\033]30;command\\007')\" correctly" do
+      @runner.should check('system("\\033]30;command\\007")').with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/insecure_config/set_rails_env_check_spec.rb

@@ -0,0 +1,17 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe SetRailsEnvCheck do
+    before :each do
+      @runner = Scanny::Runner.new(SetRailsEnvCheck.new)
+      @issue = issue(:info,
+        "Setting ENV[\"RAILS_ENV\"] can indicate insecure configuration.", 209)
+    end
+
+    it "reports setting ENV[\"RAILS_ENV\"] correctly" do
+      @runner.should check('ENV["RAILS_ENV"] = "test"').with_issue(@issue)
+      @runner.should check('FOO["RAILS_ENV"] = "test"').without_issues
+      @runner.should check('ENV["FOO"] = "test"').without_issues
+    end
+  end
+end

data/spec/scanny/checks/insecure_config/set_secret_check_spec.rb

@@ -0,0 +1,22 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe SetSecretCheck do
+    before :each do
+      @runner = Scanny::Runner.new(SetSecretCheck.new)
+      @issue = issue(:info,
+        "Setting :secret can indicate using hard-coded cryptographic key.", 321)
+    end
+
+    it "reports setting :secret correctly" do
+      @runner.should check('{ :secret => "secret" }').with_issue(@issue)
+      @runner.should check(
+        '{ :foo => 42, :secret => "secret", :bar => 43 }'
+      ).with_issue(@issue)
+      @runner.should check('{}').without_issues(@issue)
+      @runner.should check(
+        '{ :foo => 42, :bar => 43, :baz => 43 }'
+      ).without_issues(@issue)
+    end
+  end
+end

data/spec/scanny/checks/insecure_config/set_session_key_check_spec.rb

@@ -0,0 +1,21 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe SetSessionKeyCheck do
+    before :each do
+      @runner = Scanny::Runner.new(SetSessionKeyCheck.new)
+      @issue = issue(:info, "Setting :session_key.", nil)
+    end
+
+    it "reports setting :session_key correctly" do
+      @runner.should check('{ :session_key => "secret" }').with_issue(@issue)
+      @runner.should check(
+        '{ :foo => 42, :session_key => "secret", :bar => 43 }'
+      ).with_issue(@issue)
+      @runner.should check('{}').without_issues(@issue)
+      @runner.should check(
+        '{ :foo => 42, :bar => 43, :baz => 43 }'
+      ).without_issues(@issue)
+    end
+  end
+end

data/spec/scanny/checks/insecure_method/eval_method_check_spec.rb

@@ -0,0 +1,22 @@
+module Scanny
+  module Checks
+    module InsecureMethod
+      describe EvalMethodCheck do
+        before do
+          @runner = Scanny::Runner.new(EvalMethodCheck.new)
+          @message = "Execute eval method can lead the ruby interpreter to run dangerous code"
+
+          @issue = issue(:high, @message, 95)
+        end
+
+        it "reports \"eval\" correctly" do
+          @runner.should check("eval").without_issues
+        end
+
+        it "reports \"eval('ruby_code')\" correctly" do
+          @runner.should check("eval('ruby_code')").with_issue(@issue)
+        end
+      end
+    end
+  end
+end

data/spec/scanny/checks/insecure_method/marshal_check_spec.rb

@@ -0,0 +1,26 @@
+require "spec_helper"
+
+module Scanny
+  module Checks
+    module InsecureMethod
+      describe MarshalCheck do
+        before do
+          @runner = Scanny::Runner.new(MarshalCheck.new)
+          @message =  "Execute deserialize method can load to memory dangerous object"
+
+          @issue = issue(:high, @message, 502)
+        end
+
+        it "reports \"object.deserialize\" correctly" do
+          @runner.should check("Marshal.load(object)").with_issue(@issue)
+          @runner.should check("load(object)").without_issues
+        end
+
+        it "reports \"deserialize('string')\" correctly" do
+          @runner.should check("Marshal.restore(object)").with_issue(@issue)
+          @runner.should check("restore(object)").without_issues
+        end
+      end
+    end
+  end
+end

data/spec/scanny/checks/insecure_method/system_method_check_spec.rb

@@ -0,0 +1,33 @@
+require "spec_helper"
+
+module Scanny
+  module Checks
+    module InsecureMethod
+      describe SystemMethodCheck do
+        before do
+          @runner = Scanny::Runner.new(SystemMethodCheck.new)
+          @message = "Execute system commands can lead the system to run dangerous code"
+
+          @issue = issue(:high, @message, [88, 78])
+        end
+
+        it "reports \"popen\" correctly" do
+          @runner.should check("IO.popen(arguments)").with_issue(@issue)
+          @runner.should check("IO.popen3(arguments)").with_issue(@issue)
+        end
+
+        it "reports \"system\" correctly" do
+          @runner.should check("system('rm -rf /')").with_issue(@issue)
+        end
+
+        it "reports \"spawn\" correctly" do
+          @runner.should check("spawn('rm -rf /')").with_issue(@issue)
+        end
+
+        it "reports \"`ls`\" correctly" do
+          @runner.should check("`ls`").with_issue(@issue)
+        end
+      end
+    end
+  end
+end

data/spec/scanny/checks/mass_assignment_check_spec.rb

@@ -0,0 +1,30 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe MassAssignmentCheck do
+    before do
+      @runner = Scanny::Runner.new(MassAssignmentCheck.new)
+      @message =  "Create objects without defense against mass assignment" +
+                  "can cause dangerous errors in the database"
+      @issue = issue(:high, @message, 642)
+    end
+
+    it "reports \"User.new(params[:user])\" correctly" do
+      @runner.should check("User.new(params[:user])").with_issue(@issue)
+    end
+
+    it "reports \"User.new(:email => params[:input])\" correctly" do
+      @runner.should check("User.new(:email => params[:input])").with_issue(@issue)
+      @runner.should check("User.new(params[:input] => :value)").without_issues
+    end
+
+    it "reports \"User.create(params[:user])\" correctly" do
+      @runner.should check("User.create(params[:user])").with_issue(@issue)
+    end
+
+    it "reports \"@user.update_attributes(params[:user])\" correctly" do
+      @runner.should check("@user.update_attributes(params[:user])").with_issue(@issue)
+    end
+
+  end
+end

data/spec/scanny/checks/random_numbers_check_spec.rb

@@ -0,0 +1,41 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe RandomNumbersCheck do
+    before :each do
+      @runner = Scanny::Runner.new(RandomNumbersCheck.new)
+      @message = "This action indicates using low-entropy random number generator"
+      @issue = issue(:medium, @message, 331)
+    end
+
+    it "reports \"Kernel.rand\" correctly" do
+      @runner.should check('rand').with_issue(@issue)
+      @runner.should check('Kernel.rand').with_issue(@issue)
+      @runner.should check('Foo.rand').without_issues
+      @runner.should check('foo.rand').without_issues
+    end
+
+    it "reports \"Kernel.srand\" correctly" do
+      @runner.should check('srand').with_issue(@issue)
+      @runner.should check('Kernel.srand').with_issue(@issue)
+      @runner.should check('Foo.srand').without_issues
+      @runner.should check('foo.srand').without_issues
+    end
+
+    it "reports calls with one argument only" do
+      @runner.should check('rand').with_issue(@issue)
+      @runner.should check('rand(42)').with_issue(@issue)
+      @runner.should check('rand(42, 43, 44)').with_issue(@issue)
+    end
+
+    it "reports \"urandom\" usage" do
+      @runner.should check('File.open("/dev/urandom")').with_issue(@issue)
+      @runner.should check('urandom').without_issues
+    end
+
+    it "reports \"seed\" correctly" do
+      @runner.should check('seed').with_issue(@issue)
+      @runner.should check('seed(Time.now)').with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/redirect_with_params_check_spec.rb

@@ -0,0 +1,24 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe RedirectWithParamsCheck do
+    before do
+      @runner = Scanny::Runner.new(RedirectWithParamsCheck.new)
+      @message =  "Use of external parameters in redirect_to method" +
+                  "can lead to unauthorized redirects"
+      @issue = issue(:medium, @message, [79, 113, 601, 698])
+    end
+
+    it "reports \"redirect_to(params[:to])\" correctly" do
+      @runner.should check("redirect_to(params[:to])").with_issue(@issue)
+      @runner.should check("redirect_to(@user)").without_issues
+    end
+
+    it "reports \"redirect_to\" with hash correctly" do
+      @runner.should
+        check("redirect_to :controller => :my, :action => params[:action]").with_issue(@issue)
+      @runner.should
+        check("redirect_to :controller => :my, :action => :new").without_issues
+    end
+  end
+end

data/spec/scanny/checks/regexp_check_spec.rb

@@ -0,0 +1,22 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe RegexpCheck do
+    before :each do
+      @runner = Scanny::Runner.new(RegexpCheck.new)
+      @issue = issue(:low,
+        "Possible improper regular expression usage.",
+        [185, 625, 791])
+    end
+
+    it "reports regexps with starting with \"^\" or ending with \"$\" correctly" do
+      @runner.should check('/^foo/').with_issue(@issue)
+      @runner.should check('/foo$/').with_issue(@issue)
+      @runner.should check('/foo/').without_issues
+
+      @runner.should check('/^foo#{bar}baz/').with_issue(@issue)
+      @runner.should check('/foo#{bar}baz$/').with_issue(@issue)
+      @runner.should check('/foo#{bar}baz/').without_issues
+    end
+  end
+end

data/spec/scanny/checks/reset_session_check_spec.rb

@@ -0,0 +1,15 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe ResetSessionCheck do
+    before do
+      @runner = Scanny::Runner.new(ResetSessionCheck.new)
+      @message = "Improper resetting the session may lead to security problems"
+      @issue = issue(:info, @message, 384)
+    end
+
+    it "reports \"reset_session\" correctly" do
+      @runner.should check("reset_session").with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/session/access_to_session_check_spec.rb

@@ -0,0 +1,29 @@
+require "spec_helper"
+
+module Scanny::Checks::Session
+  describe AccessToSessionCheck do
+    before do
+      @runner = Scanny::Runner.new(AccessToSessionCheck.new)
+      @message =  "Referring to a session in the wrong way" +
+                  "can lead to errors that reduce security level"
+      @issue = issue(:info, @message)
+    end
+
+    it "reports \"session[:password]\" correctly" do
+      @runner.should check("session[:password]").with_issue(@issue)
+    end
+
+    it "reports \"cookie[:password]\" correctly" do
+      @runner.should check("cookie[:password]").with_issue(@issue)
+    end
+
+    it "reports \"session[:password] = params[:input]\" correctly" do
+      @runner.should check("session[:password] = nil").with_issue(@issue)
+    end
+
+    it "reports \"cookie[:password] = params[:input]\" correctly" do
+      @runner.should check("cookie[:password] = nil").with_issue(@issue)
+    end
+  end
+end
+

data/spec/scanny/checks/session/session_secure_check_spec.rb

@@ -0,0 +1,22 @@
+require "spec_helper"
+
+module Scanny::Checks::Session
+  describe SessionSecureCheck do
+    before do
+      @runner = Scanny::Runner.new(SessionSecureCheck.new)
+      @message = "Bad session security setting can cause problems"
+      @issue = issue(:info, @message, 614)
+    end
+
+    it "reports \"ActionController::Base.session_options[:session_secure] = false\" correctly" do
+      @runner.should  check("ActionController::Base.session_options[:session_secure] = false").
+                      with_issue(@issue)
+    end
+
+    it "reports \"ActionController::Base.session_options[:secure] = false\" correctly" do
+      @runner.should  check("ActionController::Base.session_options[:secure] = false").
+                      with_issue(@issue)
+    end
+  end
+end
+

data/spec/scanny/checks/shell_expanding_methods_check_spec.rb

@@ -0,0 +1,67 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe ShellExpandingMethodsCheck do
+    before :each do
+      @runner = Scanny::Runner.new(ShellExpandingMethodsCheck.new)
+
+      @backtick_issue = issue(:high,
+        "The \"`\" method passes the executed command through shell expansion.",
+        [88, 78])
+      @exec_issue = issue(:high,
+        "The \"exec\" method passes the executed command through shell expansion.",
+        [88, 78])
+      @system_issue = issue(:high,
+        "The \"system\" method passes the executed command through shell expansion.",
+        [88, 78])
+      @popen_issue = issue(:high,
+        "The \"popen\" method passes the executed command through shell expansion.",
+        [88, 78])
+      @popen3_issue = issue(:high,
+      "The \"popen3\" method passes the executed command through shell expansion.",
+        [88, 78])
+      @spawn_issue = issue(:high,
+        "The \"spawn\" method passes the executed command through shell expansion.",
+        [88, 78])
+    end
+
+    it "reports \"Kernel.`\" correctly" do
+      @runner.should check('Kernel.` "ls -l"').with_issue(@backtick_issue)
+      @runner.should check('Foo.` "ls -l"').without_issues
+      @runner.should check('foo.` "ls -l"').without_issues
+    end
+
+    it "reports \"Kernel.exec\" correctly" do
+      @runner.should check('exec "ls -l"').with_issue(@exec_issue)
+      @runner.should check('Kernel.exec "ls -l"').with_issue(@exec_issue)
+      @runner.should check('Foo.exec "ls -l"').without_issues
+      @runner.should check('foo.exec "ls -l"').without_issues
+    end
+
+    it "reports \"Kernel.system\" correctly" do
+      @runner.should check('system "ls -l"').with_issue(@system_issue)
+      @runner.should check('Kernel.system "ls -l"').with_issue(@system_issue)
+      @runner.should check('Foo.system "ls -l"').without_issues
+      @runner.should check('foo.system "ls -l"').without_issues
+    end
+
+    it "reports calls with one argument only" do
+      @runner.should check('exec').without_issues
+      @runner.should check('exec "ls -l"').with_issue(@exec_issue)
+      @runner.should check('exec "ls", "-l"').without_issues
+    end
+
+    it "reports \"popen\" correctly" do
+      @runner.should check("IO.popen(arguments)").with_issue(@popen_issue)
+      @runner.should check("IO.popen3(arguments)").with_issue(@popen3_issue)
+    end
+
+    it "reports \"spawn\" correctly" do
+      @runner.should check("spawn('rm -rf /')").with_issue(@spawn_issue)
+    end
+
+    it "reports \"`ls`\" correctly" do
+      @runner.should check("`ls`").with_issue(@backtick_issue)
+    end
+  end
+end