scanny 0.1.0

data/spec/scanny/checks/skip_before_filters_check_spec.rb

@@ -0,0 +1,81 @@
+require "spec_helper"
+
+module Scanny::Checks
+  describe SkipBeforeFiltersCheck do
+    before :each do
+      @runner = Scanny::Runner.new(SkipBeforeFiltersCheck.new)
+      @login_required_issue = issue(:info,
+        "The \"skip_before_filter\" method with :login_required filter is used.",
+        [285, 288, 425])
+      @admin_required_issue = issue(:info,
+        "The \"skip_before_filter\" method with :admin_required filter is used.",
+        [285, 288, 425])
+      @verify_authenticity_token_issue = issue(:info,
+        "The \"skip_before_filter\" method with :verify_authenticity_token filter is used.",
+        [285, 288, 425])
+      @authenticate_issue = issue(:info,
+        "The \"skip_before_filter\" method with :authenticate filter is used.",
+        [285, 288, 425])
+    end
+
+    it "reports \"skip_before_filter\" with :login_required filter correctly" do
+      @runner.should check(
+        'skip_before_filter :login_required'
+      ).with_issue(@login_required_issue)
+      @runner.should check(
+        'self.skip_before_filter :login_required'
+      ).with_issue(@login_required_issue)
+      @runner.should check('foo.skip_before_filter :login_required').without_issues
+      @runner.should check('skip_after_filter :login_required').without_issues
+      @runner.should check(
+        'skip_before_filter :some_filter, :login_required, :another_filter'
+      ).with_issue(@login_required_issue)
+      @runner.should check('skip_before_filter :some_filter').without_issues
+    end
+
+    it "reports \"skip_before_filter\" with :admin_required filter correctly" do
+      @runner.should check(
+        'skip_before_filter :admin_required'
+      ).with_issue(@admin_required_issue)
+      @runner.should check(
+        'self.skip_before_filter :admin_required'
+      ).with_issue(@admin_required_issue)
+      @runner.should check('foo.skip_before_filter :admin_required').without_issues
+      @runner.should check('skip_after_filter :admin_required').without_issues
+      @runner.should check(
+        'skip_before_filter :some_filter, :admin_required, :another_filter'
+      ).with_issue(@admin_required_issue)
+      @runner.should check('skip_before_filter :some_filter').without_issues
+    end
+
+    it "reports \"skip_before_filter\" with :verify_authenticity_token filter correctly" do
+      @runner.should check(
+        'skip_before_filter :verify_authenticity_token'
+      ).with_issue(@verify_authenticity_token_issue)
+      @runner.should check(
+        'self.skip_before_filter :verify_authenticity_token'
+      ).with_issue(@verify_authenticity_token_issue)
+      @runner.should check('foo.skip_before_filter :verify_authenticity_token').without_issues
+      @runner.should check('skip_after_filter :verify_authenticity_token').without_issues
+      @runner.should check(
+        'skip_before_filter :some_filter, :verify_authenticity_token, :another_filter'
+      ).with_issue(@verify_authenticity_token_issue)
+      @runner.should check('skip_before_filter :some_filter').without_issues
+    end
+
+    it "reports \"skip_before_filter\" with :authenticate filter correctly" do
+      @runner.should check(
+        'skip_before_filter :authenticate'
+      ).with_issue(@authenticate_issue)
+      @runner.should check(
+        'self.skip_before_filter :authenticate'
+      ).with_issue(@authenticate_issue)
+      @runner.should check('foo.skip_before_filter :authenticate').without_issues
+      @runner.should check('skip_after_filter :authenticate').without_issues
+      @runner.should check(
+        'skip_before_filter :some_filter, :authenticate, :another_filter'
+      ).with_issue(@authenticate_issue)
+      @runner.should check('skip_before_filter :some_filter').without_issues
+    end
+  end
+end

data/spec/scanny/checks/sql_injection/find_method_check_spec.rb

@@ -0,0 +1,62 @@
+require "spec_helper"
+
+module Scanny::Checks::Sql
+  describe FindMethodCheck do
+    before do
+      @runner = Scanny::Runner.new(FindMethodCheck.new)
+      @message = "Use of external parameters in queries to the database " +
+                 "can lead to SQL injection issue"
+      @issue_low = issue(:low, @message, 89)
+    end
+
+    it "reports \"find\" calls with :conditions key and static value correctly" do
+      @runner.should  check("find(:first, :conditions => { :id => 10 })").
+                      with_issue(@issue_low)
+    end
+
+    it "does not report \"find\" calls without first argument" do
+      @runner.should  check("find(:conditions => { :id => 10 })").
+                      without_issues
+    end
+
+    it "does not report \"find\" with wrong key" do
+      @runner.should  check("find(:first, :hello => :conditions)").
+                      without_issues
+    end
+
+    it "reports \"find\" calls with :conditions key and dynamic value correctly" do
+      @runner.should  check('find(:first, :conditions => "#{method}")').
+                      with_issue(@issue_low)
+    end
+
+    it "reports \"find\" calls with :conditions key and params method as value correctly" do
+      @runner.should  check("find(:first, :conditions => params[:id])").
+                      with_issue(@issue_low)
+    end
+
+    it "reports \"execute\" calls on class correctly" do
+      @runner.should check('User.execute("sql")').with_issue(@issue_low)
+    end
+
+    it "reports \"find_by_sql\" calls on class correctly" do
+      @runner.should check('User.find_by_sql("sql")').with_issue(@issue_low)
+    end
+
+    it "reports \"paginate\" calls on class correctly" do
+      @runner.should check('User.paginate').with_issue(@issue_low)
+    end
+
+    it "reports \"paginage\" calls on object correctly" do
+      @runner.should check("array.paginate").with_issue(@issue_low)
+    end
+
+    it "reports \"paginage\" calls on object with arguments correctly" do
+      @runner.should check("array.paginate(options)").with_issue(@issue_low)
+    end
+
+    it "reports \"find_by_sql\" calls on class with params correctly" do
+      @runner.should  check('User.find_by_sql params[:password]').
+                      with_issue(@issue_low)
+    end
+  end
+end

data/spec/scanny/checks/sql_injection/find_method_with_dynamic_string_check_spec.rb

@@ -0,0 +1,27 @@
+require "spec_helper"
+
+module Scanny::Checks::Sql
+  describe FindMethodWithDynamicStringCheck do
+    before do
+      @runner = Scanny::Runner.new(FindMethodWithDynamicStringCheck.new)
+      @message =  "Use of external parameters in queries to the database " +
+                  "can lead to SQL injection issue"
+      @issue_medium = issue(:medium, @message, 89)
+    end
+
+    it "reports \"find\" calls with :conditions key and dynamic value correctly" do
+      @runner.should  check('find(:first, :conditions => "#{method}")').
+                      with_issue(@issue_medium)
+      @runner.should check('find(:first, :conditions => "normal_string")').without_issues
+    end
+
+    it "does not report \"find\" calls without first argument" do
+      @runner.should check("find(:conditions => :value)").without_issues
+    end
+
+    it "does not report \"find\" calls with incorrect hash value" do
+      @runner.should  check('find(:first, "#{conditions}" => :value)').
+                      without_issues
+    end
+  end
+end

data/spec/scanny/checks/sql_injection/find_method_with_params_check_spec.rb

@@ -0,0 +1,93 @@
+require "spec_helper"
+
+module Scanny::Checks::Sql
+  describe FindMethodWithParamsCheck do
+    before do
+      @runner = Scanny::Runner.new(FindMethodWithParamsCheck.new)
+      @message =  "Use of external parameters in queries to the database " +
+                  "can lead to SQL injection issue"
+      @issue_high = issue(:high, @message, 89)
+    end
+
+    it "reports \"find\" calls with :conditions key and params method as value correctly" do
+      @runner.should  check("find(:first, :conditions => params[:id])").
+                      with_issue(@issue_high)
+      @runner.should_not  check("find(:first, :conditions => no_params[:id])").
+                          with_issue(@issue_high)
+    end
+
+    it "reports \"find\" calls with :limit key and params method as value correctly" do
+      @runner.should  check("find(:first, :limit => params[:id])").
+                      with_issue(@issue_high)
+      @runner.should_not  check("find(:first, :limit => no_params[:id])").
+                          with_issue(@issue_high)
+    end
+
+    it "reports \"find\" calls with :conditions key and session method as value correctly" do
+      @runner.should  check("find(:first, :conditions => session[:password])").
+                      with_issue(@issue_high)
+      @runner.should_not  check("find(:first, :conditions => no_session[:password])").
+                          with_issue(@issue_high)
+    end
+
+    it "reports \"find\" calls with :limit key and session method as value correctly" do
+      @runner.should  check("find(:first, :limit => session[:password])").
+                      with_issue(@issue_high)
+      @runner.should_not  check("find(:first, :limit => no_session[:password])").
+                          with_issue(@issue_high)
+    end
+
+    it "does not report \"find\" calls when no first argument is given" do
+      @runner.should  check("find(:limit => session[:password])").
+                      without_issues
+    end
+
+    it "does not report \"find\" when hash keys are incorrect" do
+      @runner.should  check("find(:first, :key => :limit, params[:hello] => :value)").
+                      without_issues
+    end
+
+    it "reports \"execute\" calls on class with params correctly" do
+      @runner.should check('User.execute params[:password]').with_issue(@issue_high)
+    end
+
+    it "reports \"find_by_sql\" calls on class with params correctly" do
+      @runner.should  check('User.find_by_sql params[:password]').
+                      with_issue(@issue_high)
+    end
+
+    it "reports \"paginate\" calls on class with params correctly" do
+      @runner.should check('User.paginate params[:password]').with_issue(@issue_high)
+    end
+
+    it "reports \"execute\" calls on class with string interpolation correctly" do
+      @runner.should  check('User.execute "#{params[:password]}"').
+                      with_issue(@issue_high)
+    end
+
+    it "reports \"find_by_sql\" calls on class with string interpolation correctly" do
+      @runner.should  check('User.find_by_sql "#{params[:password]}"').
+                      with_issue(@issue_high)
+    end
+
+    it "reports \"paginate\" calls on class with string interpolation correctly" do
+      @runner.should  check('User.paginate "#{params[:password]}"').
+                      with_issue(@issue_high)
+    end
+
+    it "reports \"execute\" calls on object with string interpolation correctly" do
+      @runner.should  check('@object.execute "#{params[:password]}"').
+                      with_issue(@issue_high)
+    end
+
+    it "reports \"find_by_sql\" calls on object with string interpolation correctly" do
+      @runner.should  check('@object.find_by_sql "#{params[:password]}"').
+                      with_issue(@issue_high)
+    end
+
+    it "reports \"paginate\" calls on object with string interpolation correctly" do
+      @runner.should  check('@object.paginate "#{params[:password]}"').
+                      with_issue(@issue_high)
+    end
+  end
+end

data/spec/scanny/checks/sql_injection/sanitize_sql_check_spec.rb

@@ -0,0 +1,16 @@
+require "spec_helper"
+
+module Scanny::Checks::Sql
+  describe SanitizeCheck do
+    before do
+      @runner = Scanny::Runner.new(SanitizeCheck.new)
+      @message =  "Use of external parameters in queries to the database " +
+                  "can lead to SQL injection issue"
+      @issue_info = issue(:info, @message, 89)
+    end
+
+    it "reports \"sanitize_sql\" calls correctly" do
+      @runner.should check("sanitize_sql('mysql_query')").with_issue(@issue_info)
+    end
+  end
+end

data/spec/scanny/checks/sql_injection/string_interpolation_with_params_check_spec.rb

@@ -0,0 +1,18 @@
+require "spec_helper"
+
+module Scanny::Checks::Sql
+  describe StringInterpolationWithParamsCheck do
+    before do
+      @runner = Scanny::Runner.new(StringInterpolationWithParamsCheck.new)
+      @message =  "Use of external parameters in queries to the database " +
+                  "can lead to SQL injection issue"
+      @issue_high = issue(:high, @message, 89)
+    end
+
+    it "reports string interpolation with \"params[:input]\" correctly" do
+      @runner.should check('"SELECT #{params[:input]}"').with_issue(@issue_high)
+    end
+  end
+end
+
+

data/spec/scanny/checks/ssl/verify_check_spec.rb

@@ -0,0 +1,25 @@
+require "spec_helper"
+
+module Scanny::Checks::SSL
+  describe VerifyCheck do
+    before do
+      @runner = Scanny::Runner.new(VerifyCheck.new)
+      @message =  "Disable certificate verification can " +
+                  "lead to connect to an unauthorized server"
+      @issue = issue(:high, @message, [296, 297, 298, 299, 300, 599])
+    end
+
+    it "reports usage of \"OpenSSL::SSL::VERIFY_NONE\" correctly" do
+      @runner.should  check("OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE").
+                      with_issue(@issue)
+    end
+
+    it "reports \"ca_file = nil\" correctly" do
+      @runner.should check("ssl_context.ca_file = nil").with_issue(@issue)
+    end
+
+    it "reports \"ca_file = nil\" correctly" do
+      @runner.should check("ssl_context.ca_path = nil").with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/ssl/verify_peer_check_spec.rb

@@ -0,0 +1,17 @@
+require "spec_helper"
+
+module Scanny::Checks::SSL
+  describe VerifyPeerCheck do
+    before do
+      @runner = Scanny::Runner.new(VerifyPeerCheck.new)
+      @message =  "Change the value of of VERIFY_PEER" +
+                  "can lead to faulty accepted certificate"
+      @issue = issue(:info, @message)
+    end
+
+    it "reports \"OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE\" correctly" do
+      @runner.should  check("OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE").
+                      with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/system_tools/gpg_usage_check_spec.rb

@@ -0,0 +1,43 @@
+require "spec_helper"
+
+module Scanny::Checks::SystemTools
+  describe GpgUsageCheck do
+    before do
+      @runner = Scanny::Runner.new(GpgUsageCheck.new)
+      @message =  "Using gpg tool in the wrong way can lead to security problems"
+      @issue = issue(:info, @message)
+    end
+
+    it "reports \"GPG.method\" correctly" do
+      @runner.should check("GPG.method").with_issue(@issue)
+    end
+
+    it "reports \"Gpg.method\" correctly" do
+      @runner.should check("Gpg.method").with_issue(@issue)
+    end
+
+    it "reports \"GpgKey.method\" correctly" do
+      @runner.should check("GpgKey.method").with_issue(@issue)
+    end
+
+    it "reports \"GPGME.method\" correctly" do
+      @runner.should check("GPGME.method").with_issue(@issue)
+    end
+
+    it "reports \"Gpgr.method\" correctly" do
+      @runner.should check("Gpgr.method").with_issue(@issue)
+    end
+
+    it "reports \"RubyGpg.method\" correctly" do
+      @runner.should check("RubyGpg.method").with_issue(@issue)
+    end
+
+    it "reports \"system('gpg --example-flag')\" correctly" do
+      @runner.should check("system('gpg --example-flag')").with_issue(@issue)
+    end
+
+    it "reports \"`gpg --example-flag`\" correctly" do
+      @runner.should check("`gpg --example-flag`").with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/system_tools/sudo_check_spec.rb

@@ -0,0 +1,24 @@
+require "spec_helper"
+
+module Scanny::Checks::SystemTools
+  describe SudoCheck do
+    before do
+      @runner = Scanny::Runner.new(SudoCheck.new)
+      @message =  "Using sudo can lead to the execution" +
+                  "of programs on root administrator rights"
+      @issue = issue(:info, @message)
+    end
+
+    it "reports \"system('sudo shutdown -h now')\" correctly" do
+      @runner.should check("system('sudo shutdown -h now')").with_issue(@issue)
+    end
+
+    it "reports \"exec('sudo shutdown -h now')\" correctly" do
+      @runner.should check("exec('sudo shutdown -h now')").with_issue(@issue)
+    end
+
+    it "reports \"`sudo shutdown -h now`\" correctly" do
+      @runner.should check("`sudo shutdown -h now`").with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/system_tools/tar_check_spec.rb

@@ -0,0 +1,20 @@
+require "spec_helper"
+
+module Scanny::Checks::SystemTools
+  describe TarCheck do
+    before do
+      @runner = Scanny::Runner.new(TarCheck.new)
+      @message =  "Tar command can execute dangerous operations on files" +
+                  "and can travel through directories"
+      @issue = issue(:medium, @message, 88)
+    end
+
+    it "reports \"system('tar xvf archive.tar.gz')\" correctly" do
+      @runner.should check("system('tar xvf archive.tar.gz')").with_issue(@issue)
+    end
+
+    it "reports \"`tar xvf archive.tar.gz`\" correctly" do
+      @runner.should check("`tar xvf archive.tar.gz`").with_issue(@issue)
+    end
+  end
+end

data/spec/scanny/checks/system_tools/tar_commands_check_spec.rb

@@ -0,0 +1,41 @@
+require "spec_helper"
+
+module Scanny::Checks::SystemTools
+  describe TarCommandsCheck do
+    before do
+      @runner = Scanny::Runner.new(TarCommandsCheck.new)
+      @message = "Tar command has an option that allows to run external programs"
+      @issue = issue(:high, @message, 88)
+    end
+
+    it "reports \"system('tar xvf --to-command=exploit archive.tar')`\" correctly" do
+      @runner.should  check("system('tar xvf --to-command=exploit archive.tar')").
+                          with_issue(@issue)
+    end
+
+    it "reports \"`tar xvf --to-command=exploit archive.tar`\" correctly" do
+      @runner.should  check("`tar xvf --to-command=exploit archive.tar`").
+                      with_issue(@issue)
+    end
+
+    it "reports \"system('tar xvf --rmt-command=exploit archive.tar')`\" correctly" do
+      @runner.should  check("system('tar xvf --rmt-command=exploit archive.tar')").
+                          with_issue(@issue)
+    end
+
+    it "reports \"`tar xvf --rmt-command=exploit archive.tar`\" correctly" do
+      @runner.should  check("`tar xvf --rmt-command=exploit archive.tar`").
+                          with_issue(@issue)
+    end
+
+    it "reports \"system('tar xvf --rsh-command=exploit archive.tar')`\" correctly" do
+      @runner.should  check("system('tar xvf --rsh-command=exploit archive.tar')").
+                          with_issue(@issue)
+    end
+
+    it "reports \"`tar xvf --rsh-command=exploit archive.tar`\" correctly" do
+      @runner.should  check("`tar xvf --rsh-command=exploit archive.tar`").
+                          with_issue(@issue)
+    end
+  end
+end