Merge branch 'issue_46_add_cve_2014_2538' into development
Conflicts:
	Changelog.md
	codesake-dawn.gemspec
	lib/codesake/dawn/knowledge_base.rb
	lib/codesake/dawn/version.rb
	spec/lib/dawn/codesake_knowledgebase_spec.rb
thesp0nge committed Mar 23, 2014
2 parents 72ab84e + 9f5ad4e commit af98b2d
Showing 8 changed files with 98 additions and 13 deletions.
11 changes: 10 additions & 1 deletion Changelog.md
@@ -5,7 +5,7 @@ It supports [Sinatra](http://www.sinatrarb.com),
[Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
frameworks.

_latest update: Thu Feb 13 08:31:37 CET 2014_
_latest update: Sun Mar 23 23:06:38 CET 2014_

## Version 1.1.0 - codename: Tom Mater (2014-xx-xx)

@@ -51,6 +51,15 @@ _latest update: Thu Feb 13 08:31:37 CET 2014_
link saying which are MVC gem version to be considered officially deprecated
or just old. I enabled only check against ruby

=======

## Version 1.0.6 - codename: Lightning McQueen (2014-03-23)

* Added a check for CVE-2014-2538

## Version 1.0.5 - codename: Lightning McQueen (2014-03-18)

>>>>>>> issue_46_add_cve_2014_2538
* Added a check for CVE-2014-2322
* Added a check for CVE-2014-0036

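Review bot: unresolved merge conflict markers were committed into Changelog.md: the `=======` line and `>>>>>>> issue_46_add_cve_2014_2538` are still present in the 1.0.6/1.0.5 block (and presumably a matching `<<<<<<<` line sits just above the visible context of this hunk). Remove the marker lines so the two version sections read as plain changelog entries. Separately, 1.0.6 reuses the 1.0.5 codename "Lightning McQueen" while the 1.1.0 section above is "Tom Mater"; confirm that is intended.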
33 changes: 24 additions & 9 deletions KnowledgeBase.md
@@ -1,6 +1,6 @@
# Codesake::Dawn Knowledge base

The knowledge base library for Codesake::Dawn version 1.0.4 contains 152 security checks.
The knowledge base library for Codesake::Dawn version 1.0.5 contains 155 security checks.
---
* Not revised code: Analyzing comments, it seems your code is waiting from some review from you. Please consider take action before putting it in production.
This check will analyze the source code looking for the following patterns: XXX, TO_CHECK, CHECKME, CHECK and FIXME
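Review bot: the header line is out of step with the rest of this merge. It now reads `The knowledge base library for Codesake::Dawn version 1.0.5 contains 155 security checks.` while Changelog.md and the announcement text in the same commit introduce version 1.0.6 (and `lib/codesake/dawn/version.rb` is in the conflict list). Bump the header to 1.0.6 and, if this file is generated, derive the version from `Codesake::Dawn::VERSION` (the constant the gemspec already uses) so the two cannot drift.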
@@ -9,12 +9,24 @@ This check will analyze the source code looking for the following patterns: XXX,
* Owasp Ror CheatSheet: Session management: By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session.
* Owasp Ror CheatSheet: Mass Assignement in model: Although the major issue with Mass Assignment has been fixed by default in base Rails specifically when generating new projects, it still applies to older and upgraded projects so it is important to understand the issue and to ensure that only attributes that are intended to be modifiable are exposed.
* Owasp Ror CheatSheet: Security Related Headers: To set a header value, simply access the response.headers object as a hash inside your controller (often in a before/after_filter). Rails 4 provides the "default_headers" functionality that will automatically apply the values supplied. This works for most headers in almost all cases.
* Owasp Ror CheatSheet: Check for safe redirect and forward: Web applications often require the ability to dynamically redirect users based on client-supplied data. To clarify, dynamic redirection usually entails the client including a URL in a parameter within a request to the application. Once received by the application, the user is redirected to the URL specified in the request. For example:
http://www.example.com/redirect?url=http://www.example_commerce_site.com/checkout
The above request would redirect the user to http://www.example.com/checkout. The security concern associated with this functionality is leveraging an organization’s trusted brand to phish users and trick them into visiting a malicious site, in our example, “badhacker.com”. Example:
http://www.example.com/redirect?url=http://badhacker.com
The most basic, but restrictive protection is to use the :only_path option. Setting this to true will essentially strip out any host information.
* Owasp Ror CheatSheet: Check for safe redirect and forward: Web applications often require the ability to dynamically redirect users based
on client-supplied data. To clarify, dynamic redirection usually entails the
client including a URL in a parameter within a request to the application. Once
received by the application, the user is redirected to the URL specified in the
request.

For example: http://www.example.com/redirect?url=http://www.example_commerce_site.com/checkout

The above request would redirect the user to http://www.example.com/checkout.

The security concern associated with this functionality is leveraging an
organization's trusted brand to phish users and trick them into visiting a
malicious site, in our example, "badhacker.com".

Example: http://www.example.com/redirect?url=http://badhacker.com

The most basic, but restrictive protection is to use the :only_path option.
Setting this to true will essentially strip out any host information.
* Owasp Ror CheatSheet: Sensitive Files: Many Ruby on Rails apps are open source and hosted on publicly available source code repositories. Whether that is the case or the code is committed to a corporate source control system, there are certain files that should be either excluded or carefully managed.
* Simple Form XSS - 20131129: There is a XSS vulnerability on Simple Form's label, hint and error options. When Simple Form creates a label, hint or error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the text of these helpers can be provided by the users, malicious values can be provided and Simple Form will mark it as safe.
* Nokogiri - Denial of service - 20131217: There is a vulnerability in Nokogiri when using JRuby where the parser can enter an infinite loop and exhaust the process memory. Nokogiri users on JRuby using the native Java extension. Attackers can send XML documents with carefully crafted documents which can cause the XML processor to enter an infinite loop, causing the server to run out of memory and crash.
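Review bot: the rewrap of the "Check for safe redirect and forward" entry carries over an inconsistency in the example: the request's `url` parameter is `http://www.example_commerce_site.com/checkout`, but the next sentence says the user "would redirect the user to http://www.example.com/checkout". Make the two agree (the redirect target is the value of the parameter) so the open-redirect point lands. Also, every other check in this file is a single bullet line; the added blank lines and hard wraps inside this bullet will render as separate paragraphs outside the list item in most Markdown renderers, so either keep it on one line like its neighbours or indent the continuation paragraphs under the bullet.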
@@ -159,10 +171,13 @@ XML documents with carefully crafted entity expansion strings which can cause th
* [CVE-2013-6421](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6421): The unpack_zip function in archive_unpacker.rb in the sprout gem 0.7.246 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a (1) filename or (2) path.
* [CVE-2013-6459](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6459): Cross-site scripting (XSS) vulnerability in the will_paginate gem before 3.0.5 for Ruby allows remote attackers to inject arbitrary web script or HTML via vectors involving generated pagination links.
* [CVE-2013-7086](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7086): The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message.
* [CVE-2014-1233](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1233): The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtain the App-Key, username, and password values by listing the curl process.
* [CVE-2014-1234](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1234): The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process.
* [CVE-2014-0036](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0036): rbovirt Gem for Ruby contains a flaw related to certificate validation. The issue is due to the program failing to validate SSL certificates. This may allow an attacker with access to network traffic (e.g. MiTM, DNS cache poisoning) to spoof the SSL server via an arbitrary certificate that appears valid. Such an attack would allow for the interception of sensitive traffic, and potentially allow for the injection of content into the SSL stream.
* [CVE-2014-0081](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081): Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
* [CVE-2014-0082](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082): actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.
* [CVE-2014-1233](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1233): The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtain the App-Key, username, and password values by listing the curl process.
* [CVE-2014-1234](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1234): The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process.
* [CVE-2014-2322](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2322): Arabic Prawn Gem for Ruby contains a flaw in the ib/string_utf_support.rb file. The issue is due to the program failing to sanitize user input. This may allow a remote attacker to inject arbitrary commands.
* [CVE-2014-2538](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2538): rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.


_Last updated: Fri 14 Mar 08:36:40 CET 2014_
_Last updated: Sun 23 Mar 22:44:00 CET 2014_
2 changes: 1 addition & 1 deletion codesake-dawn.gemspec
@@ -8,7 +8,7 @@ Gem::Specification.new do |gem|
gem.version = Codesake::Dawn::VERSION
gem.authors = ["Paolo Perego"]
gem.email = ["paolo@codesake.com"]
gem.description = %q{Codesake::Dawn is a security source code scanner for ruby powered code. It is especially designed for web applications, but it works also with general purpose ruby scripts. Codesake::Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra; it provides more than 140 security checks with their own mitigation suggestion.}
gem.description = %q{Codesake::Dawn is a security source code scanner for ruby powered code. It is especially designed for web applications, but it works also with general purpose ruby scripts. Codesake::Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra; it provides more than 150 security checks with their own mitigation suggestion.}
gem.summary = %q{Codesake::Dawn is a security source code scanner for ruby powered code. It is crafted with love to make your sinatra, padrino and ruby on rails web applications secure.}
gem.homepage = "http://dawn.codesake.com"

12 changes: 12 additions & 0 deletions doc/dawn_1_0_announcement.md
@@ -44,6 +44,10 @@ Paolo - paolo@codesake.com

## Twitter announcement

### version 1.0.6

@dawnscanner version 1.0.6 is out. A new security check: CVE-2014-2538 #ruby #security #rails #sinatra #padrino

### version 1.0.5

@dawnscanner version 1.0.5 is out. 2 new security checks: CVE-2014-2322 and CVE-2014-0036 #ruby #security #rails #sinatra #padrino
@@ -70,6 +74,14 @@ Paolo - paolo@codesake.com

## Linkedin announcement

### version 1.0.6

@dawnscanner version 1.0.6 is out. You can read the announcement here: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-6-released/
Codesake::Dawn v1.0.6 introduces a newly released CVE bullettin: CVE-2014-2538 about a reflected xss in rack-ssl rubygem. Codesake::Dawk supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box.

$ gem install codesake-dawn
$ have fun

### version 1.0.5

@dawnscanner version 1.0.5 is out. You can read the announcement here: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-5-released/
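Review bot: two typos in the LinkedIn text for 1.0.6: `bullettin` should be `bulletin` and `Codesake::Dawk` should be `Codesake::Dawn`. The wording "introduces a newly released CVE bullettin" is also misleading for a release that adds a check; "adds a new security check for CVE-2014-2538, a reflected XSS in the rack-ssl rubygem" says what the release actually does.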
28 changes: 28 additions & 0 deletions lib/codesake/dawn/kb/cve_2014_2538.rb
@@ -0,0 +1,28 @@
module Codesake
module Dawn
module Kb
# Automatically created with rake on 2014-03-23
class CVE_2014_2538
include DependencyCheck

def initialize
message = "rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server."
super({
:name=>"CVE-2014-2538",
:cvss=>"",
:release_date => Date.new(2013, 7, 9),
:cwe=>"79",
:owasp=>"A3",
:applies=>["rails"],
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
:message=>message,
:mitigation=>"A new version for rack-ssl version it has been released. Pleas upgrade at least to version 1.4.1 or higher.",
:aux_links=>["http://seclists.org/oss-sec/2014/q1/594"]
})

self.safe_dependencies = [{:name=>"rack-ssl", :version=>['1.4.1']}]
end
end
end
end
end
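Review bot: `:release_date => Date.new(2013, 7, 9)` looks wrong for a 2014 CVE whose only reference is an oss-sec post from 2014 Q1 (`http://seclists.org/oss-sec/2014/q1/594`); check the advisory date, since a 2013 date will mis-sort this check against the other CVE-2014 entries. Three smaller points: `:cvss=>""` is left empty (the spec for this check marks CVSS as pending, so fill both together); the mitigation string has a doubled word and a typo, so `A new version for rack-ssl version it has been released. Pleas upgrade at least to version 1.4.1 or higher.` should read `A new version of rack-ssl has been released. Please upgrade to version 1.4.1 or higher.`; and `:applies=>["rails"]` is narrower than the gem's scope, because rack-ssl is Rack middleware that Sinatra and Padrino applications (both supported by Dawn per the gemspec) can depend on as well, so consider listing all three frameworks.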
4 changes: 2 additions & 2 deletions lib/codesake/dawn/knowledge_base.rb
@@ -218,6 +218,7 @@
require "codesake/dawn/kb/cve_2014_1233"
require "codesake/dawn/kb/cve_2014_1234"
require "codesake/dawn/kb/cve_2014_2322"
require "codesake/dawn/kb/cve_2014_2538"

module Codesake
module Dawn
@@ -441,15 +442,14 @@ def self.load_security_checks
Codesake::Dawn::Kb::CVE_2013_6421.new,
Codesake::Dawn::Kb::CVE_2013_6459.new,
Codesake::Dawn::Kb::CVE_2013_7086.new,
Codesake::Dawn::Kb::CVE_2014_1233.new,
Codesake::Dawn::Kb::CVE_2014_1234.new,
Codesake::Dawn::Kb::CVE_2014_0036.new,
Codesake::Dawn::Kb::CVE_2014_0080.new,
Codesake::Dawn::Kb::CVE_2014_0081.new,
Codesake::Dawn::Kb::CVE_2014_0082.new,
Codesake::Dawn::Kb::CVE_2014_1233.new,
Codesake::Dawn::Kb::CVE_2014_1234.new,
Codesake::Dawn::Kb::CVE_2014_2322.new,
Codesake::Dawn::Kb::CVE_2014_2538.new,

]
end
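Review bot: style only: drop the blank line left between `Codesake::Dawn::Kb::CVE_2014_2538.new,` and the closing `]`. Moving the `CVE_2014_1233`/`CVE_2014_1234` entries to restore CVE order is fine, but it doubles the size of this hunk for a cosmetic change; a separate reorder commit would leave the 2538 addition as a one-line change that is easier to audit.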
5 changes: 5 additions & 0 deletions spec/lib/dawn/codesake_knowledgebase_spec.rb
@@ -872,4 +872,9 @@
sc.should_not be_nil
sc.class.should == Codesake::Dawn::Kb::CVE_2014_0036
end
it "must have test for CVE-2014-2538" do
sc = kb.find("CVE-2014-2538")
sc.should_not be_nil
sc.class.should == Codesake::Dawn::Kb::CVE_2014_2538
end
end
16 changes: 16 additions & 0 deletions spec/lib/kb/cve_2014_2538_spec.rb
@@ -0,0 +1,16 @@
require 'spec_helper'
describe "The CVE-2014-2538 vulnerability" do
before(:all) do
@check = Codesake::Dawn::Kb::CVE_2014_2538.new
# @check.debug = true
end
it "is reported when rack-ssl vulnerable version it has been found (1.4.0)" do
@check.dependencies = [{:name=>'rack-ssl', :version=>'1.4.0'}]
@check.vuln?.should be_true
end
it "is reported when rack-ssl not vulnerable version it has been found (1.5.0)" do
@check.dependencies = [{:name=>'rack-ssl', :version=>'1.5.0'}]
@check.vuln?.should be_false
end
it "must be filled with CVSS information"
end
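Review bot: the safe/vulnerable boundary is not exercised. The check declares `self.safe_dependencies = [{:name=>"rack-ssl", :version=>['1.4.1']}]` and its mitigation names 1.4.1 as the fixed release, yet the spec only covers 1.4.0 (vulnerable) and 1.5.0 (safe). Add a case for the exact fixed version, e.g. `it "is not reported when rack-ssl 1.4.1 is found"` with `@check.dependencies = [{:name=>'rack-ssl', :version=>'1.4.1'}]` and `@check.vuln?.should be_false`, so an off-by-one in the version comparison is caught. The two descriptions also read awkwardly ("vulnerable version it has been found"); "is reported when a vulnerable rack-ssl version (1.4.0) is found" and "is not reported when a fixed rack-ssl version (1.5.0) is found" are clearer. The pending `it "must be filled with CVSS information"` matches the empty `:cvss` in the check; fill both in the same change.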
