Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'issue_46_add_cve_2014_2538' into development
Conflicts: Changelog.md codesake-dawn.gemspec lib/codesake/dawn/knowledge_base.rb lib/codesake/dawn/version.rb spec/lib/dawn/codesake_knowledgebase_spec.rb
- Loading branch information
Showing
8 changed files
with
98 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
module Codesake | ||
module Dawn | ||
module Kb | ||
# Automatically created with rake on 2014-03-23 | ||
class CVE_2014_2538 | ||
include DependencyCheck | ||
|
||
def initialize | ||
message = "rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server." | ||
super({ | ||
:name=>"CVE-2014-2538", | ||
:cvss=>"", | ||
:release_date => Date.new(2013, 7, 9), | ||
:cwe=>"79", | ||
:owasp=>"A3", | ||
:applies=>["rails"], | ||
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK, | ||
:message=>message, | ||
:mitigation=>"A new version for rack-ssl version it has been released. Pleas upgrade at least to version 1.4.1 or higher.", | ||
:aux_links=>["http://seclists.org/oss-sec/2014/q1/594"] | ||
}) | ||
|
||
self.safe_dependencies = [{:name=>"rack-ssl", :version=>['1.4.1']}] | ||
end | ||
end | ||
end | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
require 'spec_helper' | ||
describe "The CVE-2014-2538 vulnerability" do | ||
before(:all) do | ||
@check = Codesake::Dawn::Kb::CVE_2014_2538.new | ||
# @check.debug = true | ||
end | ||
it "is reported when rack-ssl vulnerable version it has been found (1.4.0)" do | ||
@check.dependencies = [{:name=>'rack-ssl', :version=>'1.4.0'}] | ||
@check.vuln?.should be_true | ||
end | ||
it "is reported when rack-ssl not vulnerable version it has been found (1.5.0)" do | ||
@check.dependencies = [{:name=>'rack-ssl', :version=>'1.5.0'}] | ||
@check.vuln?.should be_false | ||
end | ||
it "must be filled with CVSS information" | ||
end |