Merge branch 'v1-5-3' into benchmark

.travis.yml

@@ -1,8 +1,15 @@
 language: ruby
 rvm:
+  - 2.3.0
   - 2.2.3
   - 2.1.0
   - 2.0.0
-  - 1.9.3
   - ruby-head
   - rbx
+notifications:
+  webhooks:
+    urls:
+      - https://webhooks.gitter.im/e/968de5e2c7eb03759e38
+    on_success: change  # options: [always|never|change] default: always
+    on_failure: always  # options: [always|never|change] default: always
+    on_start: never     # options: [always|never|change] default: always

Changelog.md

@@ -5,7 +5,75 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: Thu Dec  3 18:29:33 CET 2015_
+_latest update: Thu Jan 28 23:30:47 CET 2016_
+
+## Version 1.5.3 - codename: Tow Mater (2016-xx-xx)
+
+* Issue #186 - Adding a check for CVE-2015-7576: Timing attack vulnerability in
+  basic authentication in Action Controller
+* Issue #185 - Adding a check for CVE-2016-0751: Possible Object Leak and
+  Denial of Service attack in Action Pack
+* BUGFIX in is_vulnerable_minor? in case of version length mismatch, there was
+  an error evaluating if safe_version.length > detected_version.length block
+* BUGFIX in is_vulnerable_aux_patch? when detected version has no auxiliary
+  patch (eg. 3.5.3) and safe version has it (eg. 3.5.3.1) the check was not
+  triggered the right way. Now aux patch is forced to 0 when missing and when
+  one of twos has it.
+* Issue #184 - Adding a check for CVE-2015-7577: Nested attributes rejection
+  proc bypass in Active Record.
+* Issue #183 - Adding a check for CVE-2015-7579: XSS vulnerability in
+  rails-html-sanitizer
+* Issue #182 - Adding a check for CVE-2016-0752: Possible Information Leak
+  Vulnerability in Action View
+* Issue #181 - Adding a check for CVE-2016:0753: Possible Input Validation
+  Circumvention in Active Model
+* Issue #180 - Adding a check for CVE-2015-7578: Possible XSS vulnerability in
+  rails-html-sanitizer
+* Issue #179 - Adding a check for CVE-2015-7581: Object leak vulnerability for
+  wildcard controller routes in Action Pack
+* BUGFIX in is_higher? when a version with an aux patch number was compared
+  with a one without ('1.2.3.4' vs '1.2.3') the incorrect result were
+  triggered.
+* BUGFIX in is_same_version? when a beta version is to be evaluated, during
+  comparison the beta number must be discarded.
+* BUGFIX in is_vulnerable_beta? handling situation when either safe version or
+  detected version doesn't have the beta number
+* BUGFIX in is_vulnerable_rc? handling situation when either safe version or
+  detected version doesn't have the rc number
+* BUGFIX in is_vulnerable_pre? handling situation when either safe version or
+  detected version doesn't have the pre number
+* Issue #173 handles a lot of CVE about nokogiri rubygem due to libxml version embedded on it:
+  - CVE-2015-5312: DoS in xmlStringLenDecodeEntities()
+  - CVE-2015-7497: DoS in xmlDictComputeFastQKey()
+  - CVE-2015-7498: DoS in xmlParseXmlDecl()
+  - CVE-2015-7499: In memory information disclosure due to heap-based buffer
+    overflow in the xmlGROW()
+  - CVE-2015-7500: DoS in xmlParseMisc()
+  - CVE-2015-8241: Information disclosure and DoS in xmlNextChar()
+  - CVE-2015-8242: Information disclosure and DoS in xmlSAX2TextNode()
+  - CVE-2015-8317: Information disclosure in xmlParseXMLDecl()
+* Issue #171 - Adding a check for CVE-2015-7541: colorscore Gem for Ruby
+  lib/colorscore/histogram.rb Arbitrary Command Injection
+* Issue #169 - Adding a check for CVE-2015-7519: Phusion Passenger Server
+  allows to overwrite headers in some cases
+* BUGFIX in bin/dawn when target from command line is '.'. The directory name
+  must be expanded to save results
+* Issue #177 BUGFIX. HTML reporting is broken. The line "support_path =
+  File.join(Dir.pwd, 'support')" in reporter.rb:40 is used to build the path
+  for support files (css, js) to be copied in the output directory. If you call
+  dawn using '.' as target directory name, an exeception is raised. Fixed
+  changing the line this way: "support_path = File.join(File.dirname(__FILE__),
+  '..', '..', 'support')"
+* Issue #177 BUGFIX. HTML filename creation is honored when -F flag is used.
+* Issue #177 IMPROVEMENT. As @mort666 suggested, now bootstrap and jquery are
+  loaded from CDN and specific CSS is now embedded in the HTML report in a
+  minified form.
+
+
+## Version 1.5.2 - codename: Tow Mater (2015-12-16)
+
+* Back on issue #170. Engine.rb still requires code metrics stuff. Commented
+  out.
 
 ## Version 1.5.1 - codename: Tow Mater (2015-12-09)
 

README.md

@@ -20,10 +20,11 @@ box:
 [![Coverage Status](https://coveralls.io/repos/thesp0nge/dawnscanner/badge.png)](https://coveralls.io/r/thesp0nge/dawnscanner)
 [![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/thesp0nge/dawnscanner/trend.png)](https://bitdeli.com/free "Bitdeli Badge")
 [![Inline docs](http://inch-ci.org/github/thesp0nge/dawnscanner.png?branch=master)](http://inch-ci.org/github/thesp0nge/dawnscanner)
+[![Gitter](https://badges.gitter.im/thesp0nge/dawnscanner.svg)](https://gitter.im/thesp0nge/dawnscanner?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
 
 ---
 
-dawnscanner version 1.5.0 has 209 security checks loaded in its knowledge
+dawnscanner version 1.5.2 has 209 security checks loaded in its knowledge
 base. Most of them are CVE bulletins applying to gems or the ruby interpreter
 itself. There are also some check coming from Owasp Ruby on Rails cheatsheet.
 

VERSION

@@ -13,4 +13,4 @@
 # |   "Guido"       |  x.x.0  |
 # |   "Luigi"       |  x.x.0  |
 # | "Doc Hudson"    |  x.x.0  |
-1.5.0 - Tow Mater
+1.5.2 - Tow Mater

bin/dawn

@@ -197,6 +197,8 @@ end
 
 target=ARGV.shift
 
+target = File.expand_path(".") if target == "."
+
 $logger.helo APPNAME, Dawn::VERSION
 r = Dawn::Registry.new
 
@@ -309,11 +311,8 @@ if options[:output] == "count"
   Kernel.exit(0)
 end
 
-<<<<<<< HEAD
 Dawn::Reporter.new({:engine=>engine, :apply_all_code=>ret, :format=>options[:output].to_sym, :filename=>options[:filename]}).report unless engine.benchmarking
 
-=======
-Dawn::Reporter.new({:engine=>engine, :apply_all_code=>ret, :format=>options[:output].to_sym, :filename=>options[:filename]}).report
 if (r.do_save({:target=>File.basename(engine.target),
            :scan_started=>engine.scan_start,
            :scan_duration => engine.scan_time.round(3),
@@ -326,5 +325,4 @@ else
     $logger.error error
   end
 end
->>>>>>> v1-5-0
 $logger.bye

checksum/dawnscanner-1.5.1.gem.sha1

@@ -0,0 +1 @@
+cf4452f73eebf4d51e6c7116be78ab835f05157d

checksum/dawnscanner-1.5.2.gem.sha1

@@ -0,0 +1 @@
+632579913def064e10c4d6c76cb722140bcb5925

lib/dawn/engine.rb

@@ -1,5 +1,5 @@
 # Statistics stuff
-require 'code_metrics/statistics'
+# require 'code_metrics/statistics'
 
 module Dawn
   module Engine
@@ -45,13 +45,10 @@ module Engine
     attr_reader   :applied_checks
     attr_reader   :skipped_checks
 
-<<<<<<< HEAD
     # We introduce benchmarking for apply* methods
     attr_accessor :benchmarking
     attr_reader   :benchmark
-=======
     attr_reader   :output_dir_name
->>>>>>> v1-5-0
 
     def initialize(dir=nil, name="", options={})
       @name = name
@@ -224,7 +221,6 @@ def can_apply?
 
     def get_mvc_version
       "#{@mvc_version}" if is_good_mvc?
-<<<<<<< HEAD
     end
 
     def reset_benchmark
@@ -238,8 +234,6 @@ def reset
       @skipped_checks = 0
       @vulnerabilities = []
       @mitigated_issues = []
-=======
->>>>>>> v1-5-0
     end
 
     ########################################################################
@@ -458,11 +452,11 @@ def _do_apply(check)
       true
     end
 
-    def gather_statistics
-      dirs = CodeMetrics::StatsDirectories.new
-      puts target
-      dirs.add_directories("#{target}/**/*.rb", "#{target}")
-      puts CodeMetrics::Statistics.new(*dirs).to_s
-    end
+    # def gather_statistics
+      # dirs = CodeMetrics::StatsDirectories.new
+      # puts target
+      # dirs.add_directories("#{target}/**/*.rb", "#{target}")
+      # puts CodeMetrics::Statistics.new(*dirs).to_s
+    # end
   end
 end

lib/dawn/kb/cve_2015_5312.rb

@@ -0,0 +1,30 @@
+module Dawn
+		module Kb
+			# Automatically created with rake on 2016-02-01
+			class CVE_2015_5312
+				include DependencyCheck
+
+				def initialize
+          message = "The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660."
+           super({
+            :title=>title,
+            :name=> "CVE-2015-5312",
+            :cve=>"2015-5312",
+            :osvdb=>"",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:N/A:C",
+            :release_date => Date.new(2015, 12, 15),
+            :cwe=>"119",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade nokogiri gem to version 1.6.7.1 or later.",
+            :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"]
+           })
+
+           self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.7.1']}]
+           self.not_affected = {:name=>"nokogiri", :version=>['1.5.x', '1.4.x', '1.3.x', '1.1.x', '1.0.x', '0.x.x']}
+				end
+			end
+		end
+end

lib/dawn/kb/cve_2015_7497.rb

@@ -0,0 +1,32 @@
+module Dawn
+		module Kb
+			# Automatically created with rake on 2016-02-02
+			class CVE_2015_7497
+				# Include the testing skeleton for this CVE
+				include DependencyCheck
+
+				def initialize
+          message ="Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors."
+          super({
+            :title=>title,
+            :name=> "CVE-2015-7497",
+            :cve=>"2015-7497",
+            :osvdb=>"",
+            :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
+            :release_date => Date.new(2015, 12, 15),
+            :cwe=>"119",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade nokogiri gem to version 1.6.7.1 or later.",
+            :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"]
+           })
+
+           self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.7.1']}]
+           self.not_affected = {:name=>"nokogiri", :version=>['1.5.x', '1.4.x', '1.3.x', '1.1.x', '1.0.x', '0.x.x']}
+
+				end
+			end
+		end
+end

lib/dawn/kb/cve_2015_7498.rb

@@ -0,0 +1,32 @@
+module Dawn
+		module Kb
+			# Automatically created with rake on 2016-02-02
+			class CVE_2015_7498
+				# Include the testing skeleton for this CVE
+				include DependencyCheck
+
+				def initialize
+          message = "Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure."
+           super({
+            :title=>title,
+            :name=> "CVE-2015-7498",
+            :cve=>"2015-7498",
+            :osvdb=>"",
+            :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
+            :release_date => Date.new(2015, 12, 15),
+            :cwe=>"119",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade nokogiri gem to version 1.6.7.1 or later.",
+            :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"]
+           })
+
+           self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.7.1']}]
+           self.not_affected = {:name=>"nokogiri", :version=>['1.5.x', '1.4.x', '1.3.x', '1.1.x', '1.0.x', '0.x.x']}
+
+				end
+			end
+		end
+end

lib/dawn/kb/cve_2015_7499.rb

@@ -0,0 +1,32 @@
+module Dawn
+		module Kb
+			# Automatically created with rake on 2016-02-02
+			class CVE_2015_7499
+				# Include the testing skeleton for this CVE
+				include DependencyCheck
+
+				def initialize
+          message="Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors."
+           super({
+            :title=>title,
+            :name=> "CVE-2015-7499",
+            :cve=>"2015-7499",
+            :osvdb=>"",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
+            :release_date => Date.new(2015, 12, 15),
+            :cwe=>"119",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade nokogiri gem to version 1.6.7.1 or later.",
+            :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"]
+           })
+
+           self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.7.1']}]
+           self.not_affected = {:name=>"nokogiri", :version=>['1.5.x', '1.4.x', '1.3.x', '1.1.x', '1.0.x', '0.x.x']}
+
+				end
+			end
+		end
+end

lib/dawn/kb/cve_2015_7500.rb

@@ -0,0 +1,32 @@
+module Dawn
+		module Kb
+			# Automatically created with rake on 2016-02-02
+			class CVE_2015_7500
+				# Include the testing skeleton for this CVE
+				include DependencyCheck
+
+				def initialize
+          message = "The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags."
+           super({
+            :title=>title,
+            :name=> "CVE-2015-7500",
+            :cve=>"2015-7500",
+            :osvdb=>"",
+            :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
+            :release_date => Date.new(2015, 12, 15),
+            :cwe=>"119",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade nokogiri gem to version 1.6.7.1 or later.",
+            :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"]
+           })
+
+           self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.7.1']}]
+           self.not_affected = {:name=>"nokogiri", :version=>['1.5.x', '1.4.x', '1.3.x', '1.1.x', '1.0.x', '0.x.x']}
+
+				end
+			end
+		end
+end

lib/dawn/kb/cve_2015_7519.rb

@@ -0,0 +1,31 @@
+module Dawn
+		module Kb
+			# Automatically created with rake on 2016-02-02
+			class CVE_2015_7519
+				# Include the testing skeleton for this CVE
+				include DependencyCheck
+
+				def initialize
+          message ="agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header."
+          super({
+            :title=>title,
+            :name=> "CVE-2015-7519",
+            :cve=>"2015-7519",
+            :osvdb=>"",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2016, 1, 8),
+            :cwe=>"119",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade passenger gem to version 4.0.60, 5.0.22 or later.",
+            :aux_links=>["https://blog.phusion.nl/2015/12/07/cve-2015-7519/"]
+           })
+
+          self.safe_dependencies = [{:name=>"passenger", :version=>['4.0.60', '5.0.22']}]
+
+				end
+			end
+		end
+end