scanny 0.1.0

data/.gitignore

@@ -0,0 +1,5 @@
+.rbenv-version
+Gemfile.lock
+*.rbc
+.rbx
+reports

data/Gemfile

@@ -0,0 +1,11 @@
+source :gemcutter
+
+# Specify your gem's dependencies in scanny.gemspec
+gemspec
+
+# Explicitly requiring test/unit here so that testing works on Ruby 1.9
+group :test do
+  gem 'rspec'
+  gem 'rake'
+  gem 'aruba'
+end

data/LICENSE

@@ -0,0 +1,23 @@
+Copyright (c) 2011 SUSE
+Copyright (c) 2008 Marty Andrews
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,185 @@
+Scanny
+======
+
+Scanny is a Ruby on Rails security scanner. It parses Ruby files, looks for various suspicious patterns in them (by traversing the AST) and produces a report. Scanny aims to be simple (it does one thing well) and extensible (it is easy to define new patterns).
+
+**This is currently work in progress and it's probably not useful yet.**
+
+Installation
+------------
+
+You need to install the current development version of [Rubinius](http://rubini.us/) first. You can then install Scanny:
+
+    $ gem install scanny
+
+Usage
+-----
+
+To scan one or more Ruby file, use the `scanny` command and pass the files to scan as arguments. Scanny will check the files and print a nice report:
+
+    $ cat bad.rb
+    `ls #{ARGV[1]}`
+    $ scanny bad.rb
+    bad.rb [2 checks done | 2 nodes inspected | 1 issues]
+      - [high] bad.rb:1: Backticks and %x{...} pass the executed command through shell expansion. (CWE-88, CWE-78)
+
+    Found 1 issues.
+
+Rake task
+---------
+
+To create scanny rake task you need to edit Rakefile.
+
+```ruby
+require "scanny/rake_task"
+
+Scanny::RakeTask.new do |t|
+  t.name    = "scanny"              # name of rake-task
+  t.include = "./custom/checks"     # directory with custom checks
+  t.disable = "HTTPRedirectCheck"   # checks to disable
+  t.format  = :stdout               # output format
+  t.strict  = true                  # scanny strict mode
+  t.path    = "./custom/app"        # path to scan
+  t.fail_on_error = true            # raise exception on error
+  t.ruby_mode = "18"                # ruby parser mode (default 19)
+end
+```
+
+CI (Continuous Integration)
+---------------------------
+
+### Common for all CLI
+
+* Add to ```Gemfile``` scanny gem
+
+```ruby
+gem 'scanny'
+```
+
+* Create [Rake task](https://github.com/openSUSE/scanny#rake-task).
+
+```ruby
+Scanny::RakeTask.new do |t|
+  t.format  = :stdout       # you will see output on travis website
+  t.fail_on_error = false   # security errors should not break build
+end
+```
+
+### Travis
+
+* Update your ```.travis.yml``` file. You need add ```before_script``` section.
+
+```yaml
+before_script:
+- test -s "$HOME/.rvm/scripts/rvm" && source "$HOME/.rvm/scripts/rvm"
+- rvm rbx-19mode
+- bundle install
+- bundle exec rake scanny
+- rvm $TRAVIS_RUBY_VERSION
+```
+
+### Jenkins
+
+* Add build step
+
+```
+bash -l -c '
+rvm rbx-head &&
+rvm gemset create scanny &&
+rvm gemset use scanny &&
+bundle install &&
+bundle exec rake scanny'
+```
+
+* Install [Log Parser Plugin](https://wiki.jenkins-ci.org/display/JENKINS/Log+Parser+Plugin) for Jenkins
+* Create rules file
+
+```ruby
+# /var/lib/jenkins/rules
+
+info /- \[info\]/
+warning /- \[low\]/
+error /- \[(medium|high)\]/
+```
+
+* Go to ```Manage Jenkins > Configure System > Console Output Parsing```.
+Add path to rules with in **Parsing Rules File** field
+
+* Go to and check ```[Project] > Configure > Console output (build log) parsing```
+* Select proper **Select Parsing Rules**
+* Warnings you can find in ```[Build] > Parsed Console Output```
+
+
+Writing New Checks
+------------------
+Internally, Scanny consists of multiple *checks*, each responsible for finding and reporting one suspicious pattern in the code. You can easily extend Scanny by writing new checks.
+
+The checks are loaded automatically from files in the `lib/scanny/checks` directory. Let's look how a simple check may look like:
+
+    module Scanny
+      module Checks
+        # Finds all invocations of "boo" and "moo" methods.
+        class BooMooCheck < Check
+          def pattern
+            'Send<name = :boo | :moo> | SendWithArguments<name = :boo | :moo>'
+          end
+
+          def check(node)
+            issue :high, "The \"#{node.name}\" method indicates wandering cows in the code.",
+                  :cwe => 999
+          end
+        end
+      end
+    end
+
+Checks are subclasses of the `Scanny::Checks::Check` class and they implement two methods: `pattern` and `check`.
+
+### The `pattern` method
+
+The `pattern` method returns a [Machete](https://github.com/openSUSE/machete) pattern describing Rubinius AST nodes this check is interested in. See [Machete documentation](https://github.com/openSUSE/machete/blob/master/README.md) to learn about the pattern syntax.
+
+**Tip:** When creating a check pattern it's often useful to inspect how Rubinius transforms some Ruby constructs into AST nodes. You can do this using the `to_ast` method:
+
+    '42'.to_ast # => #<Rubinius::AST::FixnumLiteral:0x36fc @value=42 @line=1>
+
+### The `check` method
+
+The `check` method will be called on all AST nodes in the scanned files matched by the pattern returned by the `pattern` method. It will be passed the suspicious node. It can perform additional checks on it and report an issue if the node really is problematic.
+
+Issues are reported using the `issue` method. As its arguments it accepts issue impact level (`:info`, `:low`, `:medium` or `:high`) and a message for the user, optionally followed by an options hash. The only currently implemented option is `:cwe`, which allows associating the issue with a [CWE number](http://www.cvedetails.com/cwe-definitions.php) (or multiple numbers if you pass an array).
+
+### Tests
+
+Each check should be tested. The tests are written in RSpec and they are stored in  the `spec/scanny/checks` directory. This is how a test for our sample check may look like:
+
+    require "spec_helper"
+
+    module Scanny::Checks
+      describe BooMooCheck do
+        it "reports \"boo\" correctly" do
+          @runner.should check('boo').with_issue(
+            issue(:high, "The \"boo\" method indicates wandering cows in the code.", 999)
+          )
+        end
+
+        it "reports \"moo\" correctly" do
+          @runner.should check('moo').with_issue(
+            issue(:high, "The \"moo\" method indicates wandering cows in the code.", 999)
+          )
+        end
+      end
+    end
+
+Aim to create as simple test cases as possible. Also test different kinds of issues separately. See the existing tests to learn how more complex checks are tested.
+
+Compatibility
+-------------
+
+Scanny requires Rubinius 1.9 mode to run.
+
+Acknowledgement
+---------------
+
+The tool was written as a replacement of Thomas Biege's [Ruby on Rails scanner](http://gitorious.org/code-scanner/ror-sec-scanner/) which was used internally at [SUSE](http://www.suse.com/). This tool needed replacement because it look for suspicious patterns using just regular expressions, which is very rough and has expressivity problems with more complex patterns.
+
+The original AST parsing and checking code was copied and adapted from [Roodi](http://roodi.rubyforge.org/), a tool for detecting Ruby code design issues.

data/Rakefile

@@ -0,0 +1,5 @@
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new
+
+task :default => :spec

data/bin/scanny

@@ -0,0 +1,61 @@
+#!/usr/bin/env ruby
+
+require "docopt"
+require_relative "../lib/scanny"
+include Scanny::CLI
+
+doc = "Scanny RoR secutiry scanner
+
+Usage:
+  scanny [options] <files_or_dirs>...
+
+Options:
+  -h, --help                        Show this screen.
+  -i <check>, --include <check>     Include check to scanning process (file or directory).
+  -d <check>, --disable <check>     Disable check class from scanning process.
+  -f <format>, --format <format>    Output format (stdout, html, xml) [default: stdout].
+  -s, --strict                      Enable strict mode (for security guys) [default: false].
+  -m <mode>, --mode <mode>          Ruby parser mode (18 or 19) [default: 19]"
+
+
+options = Docopt(doc)
+
+require_checks(options[:include])
+
+runner = Scanny::Runner.new(:parser => use_parser(options[:mode]))
+
+runner_with_custom_checks(runner, options[:disable], options[:strict])
+issues  = 0
+
+files = build_paths.map { |arg| Dir[arg].to_a }.flatten
+
+begin
+  runner.run(*files)
+rescue SyntaxError => e
+  $stderr.puts "Can't parse #{runner.file} as Ruby file.",
+               "Parser currently is working in #{options[:mode]} mode.",
+               "It is possible that your project works with another version of ruby",
+               "You can change parser mode with '-m' flag"
+  exit 2
+end
+
+runner.checks_data.each do |check_data|
+  case options[:format]
+    when 'xml'
+      Scanny::Reporters::XMLReporter.new(check_data).report
+    when 'stdout'
+      Scanny::Reporters::SimpleReporter.new(check_data).report
+    else
+      raise "Format #{options[:format]} is not supported"
+  end
+  issues += check_data[:issues].size
+end
+puts
+
+if issues == 0
+  puts "Found no issues."
+  exit 0
+else
+  puts "Found #{issues} issues."
+  exit 1
+end

data/lib/scanny.rb

@@ -0,0 +1,12 @@
+require_relative "scanny/ruby_version_check"
+require_relative "scanny/cli"
+require_relative "scanny/issue"
+require_relative "scanny/reporters"
+require_relative "scanny/runner"
+require_relative "scanny/checks/check"
+require_relative "scanny/checks/helpers"
+require_relative "scanny/rake_task"
+
+Dir[File.dirname(__FILE__) + "/scanny/checks/**/*_check.rb"].each do |file|
+  require file
+end

data/lib/scanny/checks/access_control_check.rb

@@ -0,0 +1,52 @@
+module Scanny
+  module Checks
+    # Checks for use of "params[:id]" in parameters of certain methods that
+    # requires authorizaton checks.
+    class AccessControlCheck < Check
+      # User.new(params[:id])
+      def pattern
+        <<-EOT
+          SendWithArguments<
+            name      = :new | :create,
+            arguments = ActualArguments<
+              array = [
+                HashLiteral<
+                  array = [
+                    any{odd},
+                    SendWithArguments<
+                      receiver  = Send<name = :params>,
+                      name      = :[],
+                      arguments = ActualArguments<array = [SymbolLiteral<value = :id>]>
+                    >,
+                    any{even}
+                  ]
+                >
+              ]
+            >
+          >
+          |
+          SendWithArguments<
+            name      = :delete | :destroy,
+            arguments = ActualArguments<
+              array = [
+                any*,
+                SendWithArguments<
+                  receiver  = Send<name = :params>,
+                  name      = :[],
+                  arguments = ActualArguments<array = [SymbolLiteral<value = :id>]>
+                >,
+                any*
+              ]
+            >
+          >
+        EOT
+      end
+
+      def check(node)
+        issue :medium,
+          "Using \"params[:id]\" requires proper authorization check.",
+          :cwe => 285
+      end
+    end
+  end
+end

data/lib/scanny/checks/backticks_check.rb

@@ -0,0 +1,18 @@
+module Scanny
+  module Checks
+    # Checks for backticks and %x{...} that pass the command through shell
+    # expansion. This can cause unwanted code execution if the command includes
+    # unescaped input.
+    class BackticksCheck < Check
+      # `command`
+      def pattern
+        'ExecuteString | DynamicExecuteString'
+      end
+
+      def check(node)
+        issue :high, "Backticks and %x{...} pass the executed command through shell expansion.",
+              :cwe => [88, 78]
+      end
+    end
+  end
+end

data/lib/scanny/checks/before_filters_check.rb

@@ -0,0 +1,35 @@
+module Scanny
+  module Checks
+    # Checks for use of the "before_filter" method with certain filters.
+    class BeforeFiltersCheck < Check
+      FILTERS = [:login_required, :admin_required]
+
+      # before_filter :login_required
+      def pattern
+        <<-EOT
+          SendWithArguments<
+            receiver  = Self,
+            name      = :before_filter,
+            arguments = ActualArguments<
+              array = [
+                any*,
+                SymbolLiteral<value = #{FILTERS.map(&:inspect).join(' | ')}>,
+                any*
+              ]
+            >
+          >
+        EOT
+      end
+
+      def check(node)
+        filter_node = node.arguments.array.find do |argument|
+          argument.is_a?(Rubinius::AST::SymbolLiteral) &&
+            FILTERS.include?(argument.value)
+        end
+
+        issue :info,
+          "The \"before_filter\" method with :#{filter_node.value} filter is used."
+      end
+    end
+  end
+end

data/lib/scanny/checks/check.rb

@@ -0,0 +1,33 @@
+module Scanny
+  module Checks
+    class Check
+      def visit(file, node)
+        @file = file
+        @line = node.line
+        @issues = []
+
+        check(node)
+
+        @issues
+      end
+
+      # @return [String] pattern used to find relevant nodes. It must respect Machete's syntax.
+      def pattern
+        raise "The Check class requires its childrens to provide an "\
+              "implementation of the 'pattern' method."
+      end
+
+      def issue(impact, message, options = {})
+        @issues << Issue.new(@file, @line, impact, message, options[:cwe])
+      end
+
+      def strict?
+        false
+      end
+
+      def compiled_pattern
+        @compiled_pattern ||= Machete::Parser.new.parse(pattern)
+      end
+    end
+  end
+end