Merge branch 'add_cve_2014_0130' into development

Conflicts:
	Changelog.md
	lib/codesake/dawn/version.rb

Changelog.md

@@ -7,7 +7,11 @@ frameworks.
 
 _latest update: Fri Apr 18 07:55:10 CEST 2014_
 
-## Version 1.1.1 - codename: Lightning McQueen (2014-04-22)
+## Version 1.1.3 - codename: Lightning McQueen (2014-05-06)
+
+* Adding a check for CVE-2014-0130: directory traversal for ruby on rails
+
+## Version 1.1.2 - codename: Lightning McQueen (2014-04-22)
 
 * Adding a check for OSVDB-105971: remote code execution for sfpagent ruby gem
 

checksum/codesake-dawn-1.1.2.gem.sha512

@@ -0,0 +1 @@
+393bc34a0e41fd18b8f49e1637c73fe84ef948efffdca9ebda9c476613cbc90941b8dc53eca09b55575b8c2276096d22178092df59cfefc569a1c9b4db9afb10

lib/codesake/dawn/kb/cve_2014_0130.rb

@@ -0,0 +1,28 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-05-06
+			class CVE_2014_0130
+				include DependencyCheck
+
+				def initialize
+          message = "The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name.  This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server."
+          super({
+            :name=>"CVE-2014-0130",
+            :cvss=>"",
+            :release_date => Date.new(2014, 5, 6),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version up to version 3.2.18, 4.0.5 or 4.1.1.",
+            :aux_links=>["https://groups.google.com/forum/#!msg/rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ"]
+          })
+          self.safe_dependencies = [{:name=>"rails", :version=>['3.2.18', '4.0.5', '4.1.1']}]
+
+				end
+			end
+		end
+	end
+end

lib/codesake/dawn/knowledge_base.rb

@@ -211,6 +211,7 @@
 require "codesake/dawn/kb/cve_2014_0080"
 require "codesake/dawn/kb/cve_2014_0081"
 require "codesake/dawn/kb/cve_2014_0082"
+require "codesake/dawn/kb/cve_2014_0130"
 require "codesake/dawn/kb/cve_2014_1233"
 require "codesake/dawn/kb/cve_2014_1234"
 require "codesake/dawn/kb/cve_2014_2322"
@@ -454,6 +455,7 @@ def load_security_checks
           Codesake::Dawn::Kb::CVE_2014_0080.new,
           Codesake::Dawn::Kb::CVE_2014_0081.new,
           Codesake::Dawn::Kb::CVE_2014_0082.new,
+          Codesake::Dawn::Kb::CVE_2014_0130.new,
           Codesake::Dawn::Kb::CVE_2014_1233.new,
           Codesake::Dawn::Kb::CVE_2014_1234.new,
           Codesake::Dawn::Kb::CVE_2014_2322.new,

spec/lib/dawn/codesake_knowledgebase_spec.rb

@@ -893,4 +893,9 @@
     sc.class.should == Codesake::Dawn::Kb::OSVDB_105971
   end
 
+  it "must have test for CVE-2014-0130" do
+      sc = kb.find("CVE-2014-0130")
+        sc.should_not   be_nil
+          sc.class.should == Codesake::Dawn::Kb::CVE_2014_0130
+  end
 end

spec/lib/kb/cve_2014_0130_spec.rb

@@ -0,0 +1,20 @@
+require 'spec_helper'
+describe "The CVE-2014-0130 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::CVE_2014_0130.new
+		# @check.debug = true
+	end
+  it "is reported when rails 4.1.0 is detected" do
+    @check.dependencies = [{:name=>"rails", :version=>'4.1.0'}]
+    @check.vuln?.should   be_true
+  end
+  it "is reported when rails 4.0.4 is detected" do
+    @check.dependencies = [{:name=>"rails", :version=>'4.0.4'}]
+    @check.vuln?.should   be_true
+  end
+  it "is reported when rails 3.2.17 is detected" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.2.17'}]
+    @check.vuln?.should   be_true
+  end
+  it "must be filled with CVSS information"
+end