openSUSE / scanny

Scanny — Ruby on Rails security scanner
MIT License

Port patterns from 10_info_special_tools.rule #15

Status: Closed (dmajda closed this 12 years ago)

dmajda commented 13 years ago

We need to port patterns from the rules/10_info_special_tools.rule file from the old scanner:

Desc: Special tools

# impact        CWE identifier          regex
info            CWE-000                 (GPG|Gpg|gpg|GpgKey)
medium          CWE-000                 sudo
# man unzip: -: option allows ../ in archived file path, dir traversal
medium          CWE-23,CWE-88           [^\w]unzip\s+[^(=|&)]
high            CWE-23,CWE-88           unzip.*\-\:
# man tar
medium          CWE-88                  [^\w]tar\s+
high            CWE-88                  tar.*\-\-to\-command
high            CWE-88                  tar.*\-\-rmt\-command
# http://www.unix.com/302279785-post3.html tar --rsh-command=`which ssh` -zcvf remote_host:filename.tar.gz -- directory_to_tar
high            CWE-88                  tar.*\-\-rsh\-command
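As an added illustration, not Scanny's own code and not the old scanner's engine, the Ruby below parses rule lines in the `impact  CWE  regex` layout quoted above and runs them over a few constructed Rails-style source lines; `RULE_TEXT`, `SAMPLE`, `parse_rules` and `scan` are names assumed for this example only.

```ruby
# Rule lines copied from the quoted rule file; the heredoc is single-quoted
# so the regex backslashes stay literal.
RULE_TEXT = <<~'RULES'
  Desc: Special tools

  # impact        CWE identifier          regex
  info            CWE-000                 (GPG|Gpg|gpg|GpgKey)
  medium          CWE-000                 sudo
  # man unzip: -: option allows ../ in archived file path, dir traversal
  medium          CWE-23,CWE-88           [^\w]unzip\s+[^(=|&)]
  high            CWE-23,CWE-88           unzip.*\-\:
  # man tar
  medium          CWE-88                  [^\w]tar\s+
  high            CWE-88                  tar.*\-\-to\-command
  high            CWE-88                  tar.*\-\-rmt\-command
  high            CWE-88                  tar.*\-\-rsh\-command
RULES

Rule = Struct.new(:impact, :cwes, :regex)

# Parse the rule file: skip the "Desc:" header, "#" comments and blank
# lines; every other line is whitespace-separated impact, CWE list, regex.
def parse_rules(text)
  text.each_line.filter_map do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#', 'Desc:')
    impact, cwes, regex = line.split(/\s+/, 3)
    Rule.new(impact, cwes.split(','), Regexp.new(regex))
  end
end

# Scan source text line by line; each hit is [line_no, impact, cwes, pattern].
def scan(source, rules)
  source.each_line.with_index(1).flat_map do |line, no|
    rules.select { |r| r.regex.match?(line) }
         .map { |r| [no, r.impact, r.cwes, r.regex.source] }
  end
end

# Constructed Rails-like snippets (assumption for the example, not real app code).
# Line 3 shows that "tarball" does not trip the [^\w]tar\s+ pattern.
SAMPLE = <<~'RUBY'
  system("tar --to-command=#{params[:cmd]} -xf upload.tar")
  `unzip -: #{params[:file]}`
  Rails.logger.info("tarball stored")
  system("sudo service nginx reload")
RUBY
```

Running `scan(SAMPLE, parse_rules(RULE_TEXT))` reports two hits on line 1 (medium tar, high --to-command), two on line 2 (medium unzip, high -:), none on line 3 and the sudo hit on line 4.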
dmajda commented 12 years ago

medium          CWE-000                 sudo
# man unzip: -: option allows ../ in archived file path, dir traversal
medium          CWE-23,CWE-88           [^\w]unzip\s+[^(=|&)]
high            CWE-23,CWE-88           unzip.*\-\:
# man tar
medium          CWE-88                  [^\w]tar\s+
high            CWE-88                  tar.*\-\-to\-command
high            CWE-88                  tar.*\-\-rmt\-command
# http://www.unix.com/302279785-post3.html tar --rsh-command=`which ssh` -zcvf remote_host:filename.tar.gz -- directory_to_tar
high            CWE-88                  tar.*\-\-rsh\-command

Ported in SystemTools::SudoCheck, SystemTools::UnzipCheck, SystemTools::TarCheck and SystemTools::TarCommandsCheck.

@LTe One thing I noted is that build_pattern_exec_command does not check for spawn — it should probably be extended.

info            CWE-000                 (GPG|Gpg|gpg|GpgKey)

Ported in SystemTools::GpgUsageCheck.

@LTe We discussed this already in #75. Assuming that the intention was to detect all uses of GPG, what about generalizing this check a bit? My idea:

  1. Check for the "gpg" command (using build_pattern_exec_command).
  2. Check for all methods containing "gpg" (currently it checks only for methods named exactly gpg).
  3. Check for all classes containing "GPG" in any case (currently it checks only for classes named exactly GPG, Gpg and GpgKey).

Checks 2. and 3. would cover the libraries you mentioned in #75.

dmajda commented 12 years ago

All issues resolved, closing.