spektr 0.1.0

data/lib/spektr/checks/base.rb

@@ -0,0 +1,151 @@
+module Spektr
+  class Checks::Base
+    attr_accessor :name
+
+    def initialize(app, target)
+      @app = app
+      @target = target
+      @targets = []
+    end
+
+    def run
+      ::Spektr.logger.debug "Running #{self.class.name} on #{@target.path}"
+      target_affected? && should_run?
+    end
+
+    def target_affected?
+      @targets.include?(@target.class.name)
+    end
+
+    def should_run?
+      if version_affected && @app.rails_version
+        version_affected > @app.rails_version
+      else
+        true
+      end
+    end
+
+    def warn!(target, check, location, message, confidence = :high)
+      full_path = target.is_a?(String) ? target : target.path
+      path = full_path.gsub(@app.root, "")
+      return if dupe?(path, location, message)
+
+      @app.warnings << Warning.new(path, full_path, check, location, message, confidence)
+    end
+
+    def dupe?(path, location, message)
+      @app.warnings.find do |w|
+        w.path == path &&
+          (w.location.nil? || w.location&.line == location&.line) &&
+          w.message == message
+      end
+    end
+
+    def version_affected; end
+
+    def user_input?(type, name, ast = nil, object = nil)
+      case type
+      when :ivar, :lvar
+        # TODO: handle helpers here too
+        return false unless @target.instance_of?(Spektr::Targets::View)
+
+        actions = []
+        @app.controllers.each do |controller|
+          actions = actions.concat controller.actions.select { |action|
+            action.template == @target.view_path
+          }
+        end
+        actions.each do |action|
+          action.body.each do |exp|
+            return exp.user_input? if exp.is_a?(Exp::Ivasign) && exp.name == name
+          end
+        end
+        false
+      when :send
+        if ast.children.first&.type == :send
+          child = ast.children.first
+          return user_input?(child.type, child.children.last, child)
+        end
+        return true if %i[params cookies request].include? name
+      when :xstr, :begin
+        ast.children.each do |child|
+          next unless child.is_a?(Parser::AST::Node)
+          return true if user_input?(child.type, child.children.last, child)
+        end
+      when :dstr
+        object&.children&.each do |child|
+          if child.is_a?(Parser::AST::Node)
+            name = nil
+            ast = child
+          else
+            name = child.name
+            ast = child.ast
+          end
+          return true if user_input?(child.type, name, ast)
+        end
+      when :lvasgn
+        ast.children.each do |child|
+          next unless child.is_a?(Parser::AST::Node)
+          return true if user_input?(child.type, child.children.last, child)
+        end
+      when :block, :pair, :hash, :if
+        ast.children.each do |child|
+          next unless child.is_a?(Parser::AST::Node)
+          return true if user_input?(child.type, child.children.last, child)
+        end
+      when :sym, :str, :const, :int, :cbase, :true, :self, :args, :nil, :yield
+        # do nothing
+      else
+        raise "Unknown argument type #{type} #{name} #{ast.inspect}"
+      end
+    end
+
+    # TODO: this doesn't work properly
+    def model_attribute?(item)
+      model_names = @app.models.collect(&:name)
+      case item.type
+      when :ivar, :lvar
+        # TODO: handle helpers here too
+        if ["Spektr::Targets::Controller", "Spektr::Targets::View"].include?(@target.class.name)
+          actions = []
+          @app.controllers.each do |controller|
+            actions = actions.concat controller.actions.select { |action|
+              action.template == @target.view_path if @target.respond_to? :view_path
+            }
+          end
+          actions.each do |action|
+            action.body.each do |exp|
+              return exp.user_input? if exp.is_a?(Exp::Ivasign) && exp.name == item.name
+            end
+          end
+        end
+      when :send
+        ast = item.is_a?(Parser::AST::Node) ? item : item.ast
+        _send = Exp::Send.new(ast)
+        return true if _send.receiver && model_names.include?(_send.receiver.name)
+      when :const
+        return true if model_names.include? item.name
+      when :block, :pair, :hash, :if
+        item.children.each do |child|
+          next unless child.is_a?(Parser::AST::Node)
+          return true if model_attribute?(child)
+        end
+      when :dstr
+        # TODO: implement this
+      when :sym, :str, :nil, :yield
+        # do nothing
+      else
+        raise "Unknown argument type #{item.type}"
+      end
+    end
+
+    def app_version_between?(a, b)
+      version_between?(a, b, @app.rails_version)
+    end
+
+    def version_between?(a, b, version)
+      version = Gem::Version.new(version) unless version.is_a? Gem::Version
+      version >= Gem::Version.new(a) && version <= Gem::Version.new(b)
+    end
+  end
+end

data/lib/spektr/checks/basic_auth.rb

@@ -0,0 +1,27 @@
+module Spektr
+  class Checks
+    class BasicAuth < Base
+
+      def initialize(app, target)
+        super
+        @name = "Basic Authentication"
+        @type = "Password Plaintext Storage"
+        @targets = ["Spektr::Targets::Controller"]
+      end
+
+      def run
+        return unless super
+        check_filter
+      end
+
+      def check_filter
+        calls = @target.find_calls(:http_basic_authenticate_with)
+        calls.each do |call|
+          if call.options[:password] && call.options[:password].value_type == :str
+            warn! @target, self, call.location, "Basic authentication password stored in source code"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/basic_auth_timing.rb

@@ -0,0 +1,24 @@
+module Spektr
+  class Checks
+    class BasicAuthTiming < Base
+
+      def initialize(app, target)
+        super
+        @name = "Timing attack in basic auth (CVE-2015-7576)"
+        @type = "Timing attack"
+        @targets = ["Spektr::Targets::Controller"]
+      end
+
+      def run
+        return unless super
+        if @target.find_calls(:http_basic_authenticate_with).any?
+          warn! @target, self, @target.find_calls(:http_basic_authenticate_with).first.location, "Basic authentication in Rails #{@app.rails_version} is vulnerable to timing attacks."
+        end
+      end
+
+      def version_affected
+        Gem::Version.new("4.2.5")
+      end
+    end
+  end
+end

data/lib/spektr/checks/command_injection.rb

@@ -0,0 +1,48 @@
+module Spektr
+  class Checks
+    class CommandInjection < Base
+      def initialize(app, target)
+        super
+        @name = "Command Injection"
+        @type = "Command Injection"
+        @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::Model", "Spektr::Targets::Routes", "Spektr::Targets::View"]
+      end
+
+      def run
+        return unless super
+        # backticks
+        @target.find_xstr.each do |call|
+          argument = call.arguments.first
+          next unless argument
+          if user_input?(argument.type, argument.name, argument.ast, argument)
+            warn! @target, self, call.location, "Command injection in #{call.name}"
+          end
+        end
+
+        targets = ["IO", "Open3", "Kernel", "POSIX::Spawn", "Process", false]
+        methods = [:capture2, :capture2e, :capture3, :exec, :pipeline, :pipeline_r,
+        :pipeline_rw, :pipeline_start, :pipeline_w, :popen, :popen2, :popen2e,
+        :popen3, :spawn, :syscall, :system, :open]
+        targets.each do |target|
+          methods.each do |method|
+            check_calls(@target.find_calls(method, target))
+          end
+        end
+      end
+
+      def check_calls(calls)
+        # TODO: might need to exclude tempfile and ActiveStorage::Filename
+        calls.each do |call|
+          file_name = call.arguments.first
+          next unless file_name
+          if user_input?(file_name.type, file_name.name, file_name.ast, file_name)
+            warn! @target, self, call.location, "Command injection in #{call.name}"
+          # TODO: interpolation, but might be safe, we should make this better
+          elsif file_name.type == :dstr
+            warn! @target, self, call.location, "Command injection in #{call.name}", :low
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/content_tag_xss.rb

@@ -0,0 +1,54 @@
+module Spektr
+  class Checks
+    class ContentTagXss < Base
+      # Checks for unescaped values in `content_tag`
+      #
+      #    content_tag :tag, body
+      #                       ^-- Unescaped in Rails 2.x
+      #
+      #    content_tag, :tag, body, attribute => value
+      #                                ^-- Unescaped in all versions
+      # TODO:
+      #    content_tag, :tag, body, attribute => value
+      #                                            ^
+      #                                            |
+      #            Escaped by default, can be explicitly escaped
+      #            or not by passing in (true|false) as fourth argument
+      def initialize(app, target)
+        super
+        @name = "XSS in content_tag"
+        @type = "Cross-Site Scripting"
+        @targets = ["Spektr::Targets::Base", "Spektr::Targets::View"]
+      end
+
+      def run
+        return unless super
+        calls = @target.find_calls(:content_tag)
+        # https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ
+        cve_2016_6316_check(calls)
+
+        calls.each do |call|
+          call.arguments.each do |argument|
+            if user_input?(argument.type, argument.name, argument.ast) && @app.rails_version < Gem::Version.new("3.0")
+              warn! @target, self, call.location, "Unescaped parameter in content_tag"
+            end
+          end
+
+          if call.options.any?
+            call.options.each_value do |option|
+              if user_input?(option.key.type, option.key.children.last)
+                warn! @target, self, call.location, "Unescaped attribute name in content_tag"
+              end
+            end
+          end
+        end
+      end
+
+      def cve_2016_6316_check(calls)
+        if calls.any? && app_version_between?("3.0.0", "3.2.22.3") || app_version_between?("4.0.0", "4.2.7.0") || app_version_between?("5.0.0", "5.0.0.0")
+          warn! @target, self, calls.first.location, "Rails #{@app.rails_version} does not escape double quotes in attribute values"
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/cookie_serialization.rb

@@ -0,0 +1,21 @@
+module Spektr
+  class Checks
+    class CookieSerialization < Base
+
+      def initialize(app, target)
+        super
+        @name = "Unsafe deserialisation"
+        @type = "Insecure Deserialization"
+        @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller"]
+      end
+
+      def run
+        return unless super
+        calls = @target.find_calls(:cookies_serializer=)
+        if calls.any?{ |call| call.receiver.expanded == "Rails.application.config.action_dispatch" && call.arguments.first.name == :marshal }
+          warn! @target, self, calls.first.location, "Marshal cookie serialization strategy can lead to remote code execution"
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/create_with.rb

@@ -0,0 +1,27 @@
+module Spektr
+  class Checks
+    class CreateWith < Base
+      def initialize(app, target)
+        super
+        @name = "Strong parameter bypass (CVE-2014-3514)"
+        @type = "Input validation"
+        @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::Routes", "Spektr::Targets::View"]
+      end
+
+      def run
+        return unless super
+        if app_version_between?("4.0.0", "4.0.8") || app_version_between?("4.1.0", "4.1.5")
+          calls = @target.find_calls(:create_with)
+          calls.each do |call|
+            call.arguments.each do |argument|
+              if user_input?(argument.type, argument.name, argument.ast)
+                next if argument.ast.children[1] == :permit
+                warn! @target, self, call.location, "create_with is vulnerable to strong params bypass"
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/csrf.rb

@@ -0,0 +1,25 @@
+module Spektr
+  class Checks
+    class Csrf < Base
+      def initialize(app, target)
+        super
+        @name = "CSRF token forgery vulnerability (CVE-2020-8166)"
+        @type = "Cross-Site Request Forgery"
+        @targets = ["Spektr::Targets::Base"]
+      end
+
+      def run
+        # disable this
+        return false
+        return unless super
+        cve_2020_8186_check
+      end
+
+      def cve_2020_8186_check
+        if app_version_between?('0.0.0', '5.2.4.2') || app_version_between?('6.0.0', '6.0.3')
+          warn! @target, self, nil, "Rails #{@app.rails_version} has a vulnerability that may allow CSRF token forgery"
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/csrf_setting.rb

@@ -0,0 +1,39 @@
+module Spektr
+  class Checks
+    class CsrfSetting < Base
+      def initialize(app, target)
+        super
+        @name = 'Cross-Site Request Forgery'
+        @type = 'Cross-Site Request Forgery'
+        @targets = ['Spektr::Targets::Controller']
+      end
+
+      def run
+        return unless super
+        return if @target.concern?
+
+        enabled = false
+        target = @target
+        while target
+          parent_controller = target.find_parent(@app.controllers)
+          enabled = parent_controller && parent_controller.find_calls(:protect_from_forgery).any?
+          break if enabled || parent_controller.nil?
+
+          target = parent_controller
+        end
+        return if enabled && @target.find_calls(:skip_forgery_protection).none?
+
+        if @target.find_calls(:protect_from_forgery).none? || (enabled && @target.find_calls(:skip_forgery_protection).any?)
+          skip = @target.find_calls(:skip_forgery_protection).last
+          return if enabled && skip && skip.options.keys.intersection(%i[only except]).any?
+
+          warn! @target, self, nil, 'protect_from_forgery should be enabled'
+        end
+        if @target.find_calls(:skip_forgery_protection).any?
+          return @target.find_calls(:skip_forgery_protection).last.options.keys.intersection(%i[only except]).any?
+          warn! @target, self, nil, 'protect_from_forgery should be enabled'
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/default_routes.rb

@@ -0,0 +1,43 @@
+module Spektr
+  class Checks
+    class DefaultRoutes < Base
+      def initialize(app, target)
+        super
+        @name = "Dangerous default routes"
+        @targets = ["Spektr::Targets::Routes"]
+      end
+
+      def run
+        return unless super
+        @type = "Remote Code Execution"
+        check_for_cve_2014_0130
+        @type = "Default routes"
+        check_for_default_routes
+      end
+
+      def check_for_default_routes
+        if app_version_between?(3, 4)
+          calls = %w{ match get post put delete }.inject([]) do |memo, method|
+            memo.concat @target.find_calls(method.to_sym)
+            memo
+          end
+          calls.each do |call|
+            if call.arguments.first.name == ":controller(/:action(/:id(.:format)))" or (call.arguments.first.name.include?(":controller") &&  (call.arguments.first.name.include?(":action") or call.arguments.first.name.include?("*action")) )
+              warn! @target, self, call.location, "All public methods in controllers are available as actions"
+            end
+
+            if call.arguments.first.name.include?(":action") or call.arguments.first.name.include?("*action")
+              warn! @target, self, call.location, "All public methods in controllers are available as actions"
+            end
+          end
+        end
+      end
+
+      def check_for_cve_2014_0130
+        if app_version_between?("2.0.0", "2.3.18") || app_version_between?("3.0.0", "3.2.17") || app_version_between?("4.0.0", "4.0.4") || app_version_between?("4.1.0", "4.1.0")
+          warn! @target, self, nil, "#{@app.rails_version} with globbing routes is vulnerable to directory traversal and remote code execution."
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/deserialize.rb

@@ -0,0 +1,62 @@
+module Spektr
+  class Checks
+    class Deserialize < Base
+
+      def initialize(app, target)
+        super
+        @name = "Unsafe object deserialization"
+        @type = "Insecure Deserialization"
+        @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::Routes", "Spektr::Targets::View"]
+      end
+
+      def run
+        return unless super
+        check_csv
+        check_yaml
+        check_marshal
+        check_oj
+      end
+
+      def check_csv
+        check_method(:load, "CSV")
+      end
+
+      # TODO: handle safe yaml
+      def check_yaml
+        [:load_documents, :load_stream, :parse_documents, :parse_stream].each do |method|
+          check_method(method, "YAML")
+        end
+      end
+
+      def check_marshal
+        [:load, :restore].each do |method|
+          check_method(method, "Marshal")
+        end
+      end
+
+      def check_oj
+        check_method(:object_load, "Oj")
+        safe_default = false
+        safe_default = true if @target.find_calls(:mimic_JSON, "Oj").any?
+        call = @target.find_calls(:default_options=, "Oj").last
+        safe_default = true if call && call.options[:mode]&.value != :object
+        unless safe_default
+          check_method(:load, "Oj")
+        end
+      end
+
+      def check_method(method, receiver)
+        calls = @target.find_calls(method, receiver)
+        calls.each do |call|
+          argument = call.arguments.first
+          if argument.ast.type == :send && argument.ast.children.last.children.first.is_a?(Parser::AST::Node)
+            argument = Exp::Argument.new(argument.ast.children.last.children.first)
+          end
+          if user_input?(argument.type, argument.name, argument.ast)
+            warn! @target, self, call.location, "#{receiver}.#{method} is called with user supplied value"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/detailed_exceptions.rb

@@ -0,0 +1,29 @@
+module Spektr
+  class Checks
+    class DetailedExceptions < Base
+
+      def name
+
+      end
+
+      def initialize(app, target)
+        super
+        @name = "Information Disclosure"
+        @type = "Information Disclosure"
+        @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller"]
+      end
+
+      def run
+        return unless super
+        call = @target.find_calls(:consider_all_requests_local=).last
+        if call && call.arguments.first.type == :true
+          warn! @target, self, call.location, "Detailed exceptions are enabled in production"
+        end
+        # TODO: make this better, by verifying that the method body is not empty, etc
+        if method = @target.find_method(:show_detailed_exceptions?)
+          warn! @target, self, method.location, "Detailed exceptions may be enabled in #{@target.name}"
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/digest_dos.rb

@@ -0,0 +1,28 @@
+module Spektr
+  class Checks
+    class DigestDos < Base
+      def initialize(app, target)
+        super
+        @name = "DoS in digest authentication(CVE-2012-3424)"
+        @type = "Denial of Service"
+        @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller"]
+      end
+
+      def run
+        return unless super
+        return unless should_run?
+        calls = @target.find_calls(:authenticate_or_request_with_http_digest)
+        calls.concat(@target.find_calls(:authenticate_with_http_digest))
+        if calls.any?
+          warn! @target, self, calls.first.location, "Vulnerability in digest authentication CVE-2012-3424"
+        else
+          warn! "root", self, nil, "Vulnerability in digest authentication CVE-2012-3424"
+        end
+      end
+
+      def should_run?
+        app_version_between?("3.0.0", "3.0.15") || app_version_between?("3.1.0", "3.1.6") || app_version_between?("3.2.0", "3.2.5")
+      end
+    end
+  end
+end

data/lib/spektr/checks/dynamic_finders.rb

@@ -0,0 +1,26 @@
+module Spektr
+  class Checks
+    class DynamicFinders < Base
+
+      def initialize(app, target)
+        super
+        @name = "SQL Injection by unsafe usage of find_by_*"
+        @type = "SQL Injection"
+        @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::View"]
+      end
+
+      def run
+        return unless super
+        if app_version_between?("2.0.0", "4.1.99") && @app.has_gem?("mysql")
+          @target.find_calls(/^find_by_/).each do |call|
+            call.arguments.each do |argument|
+              if user_input?(argument.type, argument.name, argument.ast)
+                warn! @target, self, call.location, "MySQL integer conversion may cause 0 to match any string"
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/evaluation.rb

@@ -0,0 +1,25 @@
+module Spektr
+  class Checks
+    class Evaluation < Base
+      def initialize(app, target)
+        super
+        @name = "Arbitrary code execution"
+        @type = "Remote Code Execution"
+        @targets = ["Spektr::Targets::Base", "Spektr::Targets::Model", "Spektr::Targets::Controller", "Spektr::Targets::Routes", "Spektr::Targets::View"]
+      end
+
+      def run
+        return unless super
+        [:eval, :instance_eval, :class_eval, :module_eval].each do |name|
+          @target.find_calls(name).each do |call|
+            call.arguments.each do |argument|
+              if user_input?(argument.type, argument.name, argument.ast)
+                warn! @target, self, call.location, "User input in eval"
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/file_access.rb

@@ -0,0 +1,38 @@
+module Spektr
+  class Checks
+    class FileAccess < Base
+
+      def name
+        "File access"
+      end
+
+      def initialize(app, target)
+        super
+        @name = "File access"
+        @type = "Information Disclosure"
+        @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::Routes", "Spektr::Targets::View"]
+      end
+
+      def run
+        return unless super
+        targets = ["Dir", "File", "IO", "Kernel", "Net::FTP", "Net::HTTP", "PStore", "Pathname", "Shell"]
+        methods = [:[], :chdir, :chroot, :delete, :entries, :foreach, :glob, :install, :lchmod, :lchown, :link, :load, :load_file, :makedirs, :move, :new, :open, :read, :readlines, :rename, :rmdir, :safe_unlink, :symlink, :syscopy, :sysopen, :truncate, :unlink]
+        targets.each do |target|
+          methods.each do |method|
+            check_calls_for_user_input(@target.find_calls(method, target))
+          end
+        end
+      end
+
+      def check_calls_for_user_input(calls)
+        calls.each do |call|
+          call.arguments.each do |argument|
+            if user_input?(argument.type, argument.name, argument.ast)
+              warn! @target, self, call.location, "#{argument.name} is used for a filename, which enables an attacker to access arbitrary files."
+            end
+          end
+        end
+      end
+    end
+  end
+end