spektr 0.1.0

data/lib/spektr/checks/file_disclosure.rb

@@ -0,0 +1,25 @@
+module Spektr
+  class Checks
+    class FileDisclosure < Base
+
+      def initialize(app, target)
+        super
+        @name = "File existence disclosure"
+        @type = "Information Disclosure"
+        @targets = ["Spektr::Targets::Base"]
+      end
+
+      def run
+        return unless super
+        config = @app.production_config.find_calls(:serve_static_assets=).first
+        if config && config.arguments.first.type == :true
+          warn! "root", self, nil, "File existence disclosure vulnerability"
+        end
+      end
+
+      def should_run?
+        app_version_between?("2.0.0", "2.3.18") || app_version_between?("3.0.0", "3.2.20") || app_version_between?("4.0.0", "4.0.11") || app_version_between?("4.1.0", "4.1.7")
+      end
+    end
+  end
+end

data/lib/spektr/checks/filter_skipping.rb

@@ -0,0 +1,29 @@
+module Spektr
+  class Checks
+    class FilterSkipping < Base
+      def initialize(app, target)
+        super
+        @name = "Default routes filter skipping"
+        @type = "Default Routes"
+        @targets = ["Spektr::Targets::Routes"]
+      end
+
+      def run
+        return unless super
+        calls = %w{ match get post put delete }.inject([]) do |memo, method|
+          memo.concat @target.find_calls(method.to_sym)
+          memo
+        end
+        calls.each do |call|
+          if !call.arguments.empty? && (call.arguments.first.name.include?(":action") or call.arguments.first.name.include?("*action"))
+            warn! @target, self, call.location, "CVE-2011-2929 Rails versions before 3.0.10 have a vulnerability which allows filters to be bypassed"
+          end
+        end
+      end
+
+      def should_run?
+        app_version_between?("3.0.0", "3.0.9")
+      end
+    end
+  end
+end

data/lib/spektr/checks/header_dos.rb

@@ -0,0 +1,20 @@
+module Spektr
+  class Checks
+    class HeaderDos < Base
+
+      def initialize(app, target)
+        super
+        @name = "HTTP MIME type header DoS (CVE-2013-6414)"
+        @type = "Denial of Service"
+        @targets = ["Spektr::Targets::Base"]
+      end
+
+      def run
+        return unless super
+        if app_version_between?("3.0.0", "3.2.15")
+          warn! "root", self, nil, "CVE_2013_6414"
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/i18n_xss.rb

@@ -0,0 +1,20 @@
+module Spektr
+  class Checks
+    class I18nXss < Base
+
+      def initialize(app, target)
+        super
+        @name = "XSS in i18n (CVE-2013-4491)"
+        @type = "Cross-Site Scripting"
+        @targets = ["Spektr::Targets::Base"]
+      end
+
+      def run
+        return unless super
+        if app_version_between?("3.0.6", "3.2.15") || app_version_between?("4.0.0", "4.0.1")
+          warn! "root", self, nil, "I18n has a Cross-Site Scripting vulnerability (CVE_2013_4491)"
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/json_encoding.rb

@@ -0,0 +1,23 @@
+module Spektr
+  class Checks
+    class JsonEncoding < Base
+      def initialize(app, target)
+        super
+        @name = "XSS by missing JSON encoding"
+        @type = "Cross-Site Scripting"
+        @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::Routes", "Spektr::Targets::View"]
+      end
+
+      def run
+        return unless super
+        if app_version_between?("4.1.0", "4.1.10") || app_version_between?("4.2.0", "4.2.1")
+          if calls = @target.find_calls(:to_json).any? || calls = @target.find_calls(:encode).any?
+            warn! @target, self, calls.first.location, "Cross-Site Scripting CVE_2015_3226"
+          else
+            warn! "root", self, nil, "Cross-Site Scripting CVE_2015_3226"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/json_entity_escape.rb

@@ -0,0 +1,30 @@
+module Spektr
+  class Checks
+    class JsonEntityEscape < Base
+
+      def initialize(app, target)
+        super
+        @name = "HTML escaping is disabled for JSON output"
+        @type = "Cross-Site Scripting"
+        @targets = ["Spektr::Targets::Config", "Spektr::Targets::Base"]
+      end
+
+      def run
+        return unless super
+        if @app.production_config
+          config = @app.production_config.find_calls(:escape_html_entities_in_json=).first
+        end
+        if config and config.receiver.expanded == "config.active_support" && config.arguments.first.type == :false
+          warn! @app.production_config.path, self, nil, "HTML entities in JSON are not escaped by default"
+        end
+        ['ActiveSupport', 'ActiveSupport.JSON.Encoding'].each do |receiver|
+          calls = @target.find_calls(:escape_html_entities_in_json=, receiver)
+          if calls.any?
+            warn! @target, self, calls.first.location, "HTML entities in JSON are not escaped by default"
+          end
+        end
+      end
+    end
+  end
+end
+

data/lib/spektr/checks/json_parsing.rb

@@ -0,0 +1,47 @@
+module Spektr
+  class Checks
+    class JsonParsing < Base
+      def initialize(app, target)
+        super
+        @name = "JSON parsing vulnerability"
+        @type = "Remote Code Execution"
+        @targets = ["Spektr::Targets::Base"]
+      end
+
+      def run
+        return unless super
+        check_cve_2013_0333
+        check_cve_2013_0269
+      end
+
+      def check_cve_2013_0333
+        return unless app_version_between?("0.0.0", "2.3.15") || app_version_between?("3.0.0", "3.0.19")
+        if @app.has_gem?("yajl")
+          warn! "root", self, nil, "Remote Code Execution CVE_2013_0333"
+        end
+        uses_json_gem?
+      end
+
+      def uses_json_gem?
+        @target.find_calls(:backend=).each do |call|
+          if call.receiver.expanded == "ActiveSupport.JSON" && call.arguments.first&.name == :JSONGem
+            warn! @target, self, call.location, "Remote Code Execution CVE_2013_0333"
+          end
+        end
+      end
+
+      def check_cve_2013_0269
+        ["json", "json_pure"].each do |gem_name|
+          if g = @app.gem_specs&.find { |g| g.name == gem_name }
+            if version_between?("1.7.0", "1.7.6", g.version)
+              warn! "Gemfile", self, nil, "Unsafe Object Creation Vulnerability in the #{g.name} gem"
+            end
+            if version_between?("0", "1.5.4", g.version) || version_between?("1.6.0", "1.6.7", g.version)
+              warn! "Gemfile", self, nil, "Unsafe Object Creation Vulnerability in the  #{g.name} gem"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/link_to_href.rb

@@ -0,0 +1,35 @@
+module Spektr
+  class Checks
+    class LinkToHref < Base
+      def initialize(app, target)
+        super
+        @name = "XSS in href param of link_to"
+        @type = "Cross-Site Scripting"
+        @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::View"]
+      end
+
+      # TODO: check for user supplied model attributes too
+      def run
+        return unless super
+        block_locations = []
+        @target.find_calls_with_block(:link_to).each do |call|
+          block_locations << call.location
+          next unless call.arguments.first
+          ::Spektr.logger.debug "#{@target.path}  #{call.location.line} #{call.arguments.first.inspect}"
+          if user_input? call.arguments.first.type, call.arguments.first.name, call.arguments.first.ast, call.arguments.first
+            warn! @target, self, call.location, "Cross-Site Scripting: Unsafe user supplied value in link_to"
+          end
+        end
+
+        @target.find_calls(:link_to).each do |call|
+          next if block_locations.include? call.location
+          ::Spektr.logger.debug "#{@target.path}  #{call.location.line} #{call.arguments[1].inspect}"
+          next unless call.arguments[1] || call.arguments[1]&.name =~ /_url$|_path$/
+          if user_input? call.arguments[1].type, call.arguments[1].name, call.arguments[1].ast, call.arguments[1]
+            warn! @target, self, call.location, "Cross-Site Scripting: Unsafe user supplied value in link_to"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/mass_assignment.rb

@@ -0,0 +1,42 @@
+module Spektr
+  class Checks
+    class MassAssignment < Base
+
+      # TODO: Make this better
+      def initialize(app, target)
+        super
+        @name = "Mass Assignment"
+        @type = "Input Validation"
+        @targets = ["Spektr::Targets::Controller"]
+      end
+
+      def run
+        return unless super
+        model_names = @app.models.collect(&:name)
+        calls = []
+        model_names.each do |receiver|
+          [:new, :build, :create].each do |method|
+            calls.concat @target.find_calls(method, receiver)
+          end
+        end
+        calls.each do |call|
+          argument = call.arguments.first
+          next if argument.nil?
+          ::Spektr.logger.debug "Mass assignment check at #{call.location.line}"
+          if user_input?(argument.type, argument.name, call.ast)
+            # we check for permit! separately
+            next if argument.ast.children[1] == :permit!
+            # check for permit with arguments
+            next if argument.ast.children[1] == :permit && argument.ast.children[2]
+            warn! @target, self, call.location, "Mass assignment"
+          end
+        end
+        @target.find_calls(:permit!).each do |call|
+          if call.arguments.none?
+            warn! @target, self, call.location, "permit! allows any keys, use it with caution!", :medium
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/send.rb

@@ -0,0 +1,24 @@
+module Spektr
+  class Checks
+    class Send < Base
+      def initialize(app, target)
+        super
+        @name = "Dangerous send"
+        @type = "Dangerous send"
+        @targets = ["Spektr::Targets::Base", "Spektr::Targets::Model", "Spektr::Targets::Controller", "Spektr::Targets::Routes", "Spektr::Targets::View"]
+      end
+
+      def run
+        return unless super
+        [:send, :try, :__send__, :public_send].each do |method|
+          @target.find_calls(method).each do |call|
+            argument = call.arguments.first
+            if user_input?(argument.type, argument.name, argument.ast)
+              warn! @target, self, call.location, "User supplied value in send"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/sqli.rb

@@ -0,0 +1,52 @@
+module Spektr
+  class Checks
+    class Sqli < Base
+      def initialize(app, target)
+        super
+        @name = "SQL Injection"
+        @name = "SQL Injection"
+        @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::Model"]
+      end
+
+      def run
+        return unless super
+
+        [
+          :average, :count, :maximum, :minimum, :sum, :exists?,
+          :find_by, :find_by!, :find_or_create_by, :find_or_create_by!,
+          :find_or_initialize_by, :from, :group, :having, :join, :lock,
+          :where, :not, :select, :rewhere, :reselect, :update_all
+
+        ].each do |m|
+          @target.find_calls(m).each do |call|
+            check_argument(call.arguments.first, m, call)
+          end
+        end
+        [:calculate].each do |m|
+          @target.find_calls(m).each do |call|
+            check_argument(call.arguments[1], m, call)
+          end
+        end
+
+        [:delete_by, :destroy_by].each do |m|
+          @target.find_calls(m).each do |call|
+            if call.arguments.first
+              check_argument(call.arguments.first, m, call)
+            end
+            call.options.values.each do |option|
+              check_argument(@target.ast_to_exp(option.key), m, call)
+              check_argument(@target.ast_to_exp(option.value), m, call)
+            end
+          end
+        end
+      end
+
+      def check_argument(argument, method, call)
+        return if argument.nil?
+        if user_input?(argument.type, argument.name, argument.ast, argument)
+          warn! @target, self, call.location, "Possible SQL Injection at #{method}"
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks/xss.rb

@@ -0,0 +1,49 @@
+module Spektr
+  class Checks
+    class Xss < Base
+      def initialize(app, target)
+        super
+        @name = "XSS"
+        @type = "Cross-Site Scripting"
+        @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::View"]
+      end
+
+      # TODO: tests for haml, xml, js
+      # TODO: add check for raw calls
+      def run
+        return unless super
+        calls = @target.find_calls(:safe_expr_append=)
+        calls.concat(@target.find_calls(:raw))
+        calls.each do |call|
+          call.arguments.each do |argument|
+            if user_input?(argument.type, argument.name, argument.ast)
+              warn! @target, self, call.location, "Cross-Site Scripting: Unescaped user input"
+            end
+            if model_attribute?(argument)
+              warn! @target, self, call.location, "Cross-Site Scripting: Unescaped model attribute #{argument.name}"
+            end
+          end
+        end
+        calls.each do |call|
+          call.arguments.each do |argument|
+            if user_input?(argument.type, argument.name, argument.ast)
+              warn! @target, self, call.location, "Cross-Site Scripting: Unescaped user input"
+            end
+            if model_attribute?(argument)
+              warn! @target, self, call.location, "Cross-Site Scripting: Unescaped model attribute #{argument.name}"
+            end
+          end
+        end
+        calls = @target.find_calls(:html_safe)
+        calls.each do |call|
+          if user_input?(call.receiver.type, call.receiver.name, call.receiver.ast, call.receiver)
+            warn! @target, self, call.location, "Cross-Site Scripting: Unescaped user input"
+          end
+          if model_attribute?(call.receiver)
+            warn! @target, self, call.location, "Cross-Site Scripting: Unescaped model attribute #{call.receiver.name}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spektr/checks.rb

@@ -0,0 +1,9 @@
+module Spektr
+  class Checks
+    def self.load(only = false)
+      Checks.constants.select do |c|
+        Checks.const_get(c).is_a?(Class) && (!only || only && only.to_s == c.to_s)
+      end.map { |c| Checks.const_get(c) }
+    end
+  end
+end

data/lib/spektr/cli.rb

@@ -0,0 +1,53 @@
+require 'tty/option'
+require 'json'
+module Spektr
+  class Cli
+    include TTY::Option
+    usage do
+      program 'Spektr'
+      command 'scan'
+      desc 'Find vulnerabilities in ruby code'
+    end
+
+    argument :root do
+      optional
+      desc 'Path to application root'
+    end
+
+    flag :output_format do
+      long '--output_format string'
+      desc 'output format terminal or json'
+      default 'terminal'
+    end
+
+    flag :check do
+      long '--check string'
+      desc 'run this single check'
+    end
+
+    flag :debug do
+      long '--debug'
+      short '-d'
+      desc 'output debug logs to STDOUT'
+    end
+
+    flag :help do
+      short '-h'
+      long '--help'
+      desc 'Print usage'
+    end
+
+    def scan
+      if params[:help]
+        print help
+        exit
+      else
+        report = Spektr.run(params[:root], params[:output_format], params[:debug], params[:check])
+        case params[:output_format]
+        when 'json'
+          puts JSON.pretty_generate report
+        end
+      end
+    end
+  end
+end

data/lib/spektr/erubi.rb

@@ -0,0 +1,78 @@
+require "erubi"
+# This is a copy of module ActionView::Template::Handlers::ERB::Erubi
+module Spektr
+  class Erubi < ::Erubi::Engine
+    def initialize(input, properties = {})
+      @newline_pending = 0
+
+      # Dup properties so that we don't modify argument
+      properties = Hash[properties]
+      properties[:preamble]   = ""
+      properties[:postamble]  = "@output_buffer.to_s"
+      properties[:bufvar]     = "@output_buffer"
+      properties[:escapefunc] = ""
+
+      super
+    end
+
+    def evaluate(action_view_erb_handler_context)
+      src = @src
+      view = Class.new(ActionView::Base) {
+        include action_view_erb_handler_context._routes.url_helpers
+        class_eval("define_method(:_template) { |local_assigns, output_buffer| #{src} }", defined?(@filename) ? @filename : "(erubi)", 0)
+      }.empty
+      view._run(:_template, nil, {}, ActionView::OutputBuffer.new)
+    end
+
+  private
+    def add_text(text)
+      return if text.empty?
+
+      if text == "\n"
+        @newline_pending += 1
+      else
+        src << "@output_buffer.safe_append='"
+        src << "\n" * @newline_pending if @newline_pending > 0
+        src << text.gsub(/['\\]/, '\\\\\&')
+        src << "'.freeze;"
+
+        @newline_pending = 0
+      end
+    end
+
+    BLOCK_EXPR = /\s*((\s+|\))do|\{)(\s*\|[^|]*\|)?\s*\Z/
+
+    def add_expression(indicator, code)
+      flush_newline_if_pending(src)
+
+      if (indicator == "==") || @escape
+        src << "@output_buffer.safe_expr_append="
+      else
+        src << "@output_buffer.append="
+      end
+
+      if BLOCK_EXPR.match?(code)
+        src << " " << code
+      else
+        src << "(" << code << ");"
+      end
+    end
+
+    def add_code(code)
+      flush_newline_if_pending(src)
+      super
+    end
+
+    def add_postamble(_)
+      flush_newline_if_pending(src)
+      super
+    end
+
+    def flush_newline_if_pending(src)
+      if @newline_pending > 0
+        src << "@output_buffer.safe_append='#{"\n" * @newline_pending}'.freeze;"
+        @newline_pending = 0
+      end
+    end
+  end
+end

data/lib/spektr/exp/assignment.rb

@@ -0,0 +1,20 @@
+module Spektr
+  module Exp
+    module Assignment
+      def user_input?
+        if ast.children[1].type == :send
+          _send = Send.new(ast.children[1])
+          name = if _send.receiver && _send.receiver.type == :send
+            _send.receiver.name
+          else
+            nil
+          end
+          if [:params, :cookies, :request].include? name
+            return true
+          end
+        end
+        false
+      end
+    end
+  end
+end

data/lib/spektr/exp/base.rb

@@ -0,0 +1,32 @@
+module Spektr
+  module Exp
+    class Base
+      attr_accessor :ast, :name, :type, :options, :arguments, :body, :location
+
+      def initialize(ast)
+        @ast = ast
+        @type = ast.type
+        @location = ast.location
+        @name = ast.children.first
+        @options = {}
+        @arguments = []
+        @body = []
+      end
+
+      def send?
+        is_a? Send
+      end
+
+      include AST::Processor::Mixin
+
+      def process(ast)
+        return unless ast.respond_to?(:to_ast)
+        super
+      end
+
+      def handler_missing(node)
+        # puts "handler missing for #{node.type}"
+      end
+    end
+  end
+end

data/lib/spektr/exp/const.rb

@@ -0,0 +1,7 @@
+module Spektr
+  module Exp
+    class Const < Base
+      include Spektr::Exp::Assignment
+    end
+  end
+end

data/lib/spektr/exp/definition.rb

@@ -0,0 +1,32 @@
+module Spektr
+  module Exp
+    class Definition < Base
+      attr_accessor :private, :protected
+
+      def initialize(ast)
+        super
+        process @ast.children
+      end
+
+      def process(ast)
+        ast&.each do |node|
+          next unless Parser::AST::Node === node
+          case node.type
+          when :args
+            node.children.each do |argument|
+              @arguments << argument.children.first
+            end
+          when :begin
+            process(node.children)
+          when :lvasgn
+            @body << Lvasign.new(node)
+          when :ivasgn
+            @body << Ivasign.new(node)
+          when :send
+            @body << Send.new(node)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/spektr/exp/ivasign.rb

@@ -0,0 +1,7 @@
+module Spektr
+  module Exp
+    class Ivasign < Base
+      include Spektr::Exp::Assignment
+    end
+  end
+end

data/lib/spektr/exp/lvasign.rb

@@ -0,0 +1,7 @@
+module Spektr
+  module Exp
+    class Lvasign < Base
+      include Spektr::Exp::Assignment
+    end
+  end
+end