Forum: Italian Ruby user group [ANN] Codesake::Dawn v1.0.0 released

Paolo Perego (Guest)
on 2014-01-21 09:52
(Received via mailing list)
Hi everyone, after 9 months of work I have just released version
1.0.0 of Codesake::Dawn, a scanner for security issues in Ruby code.

The first major release has 142 security checks[1] and includes all the
security bulletins published by NIST to date
(http://nvd.nist.gov/home.cfm). There are 2 bulletins from 2014 for
which the CVE does not contain enough information to write a check;
they are already on the roadmap for 1.1.0.

I'd ask you to install Codesake::Dawn and try it out, perhaps
alongside the tool you currently use to check your security issues,
and to tell me what you think.

The announcement on the web:
http://dawn.codesake.com/blog/announce-codesake-da...

[1] http://dawn.codesake.com/knowledge-base/

Enjoy it!
Paolo
--
$ cd /pub
$ more beer

The Application Security blog you really want to read:
http://armoredcode.com
Luca Guidi (Guest)
on 2014-01-21 11:24
(Received via mailing list)
Hi Paolo,
Congratulations on the result.
Would it be possible to add support for Rack applications?

Luca


Paolo Perego (Guest)
on 2014-01-21 11:32
(Received via mailing list)
Hi Luca, sorry for the oversight. I'm adding it to the Roadmap:
https://github.com/codesake/codesake-dawn/commit/a...

In a first phase I'll introduce the 5 CVEs related to Rack that I have
left behind; in a second phase I'll create an ad hoc engine to handle
applications written using only Rack.

Paolo

Rocco Galluzzo (byterussian)
on 2014-01-21 18:01
(Received via mailing list)
Hi,

I tried the gem on a Rails app and this error pops up; since it isn't
formatted to be readable I assume it's some bug
(http://imgur.com/Y5fG5kA):

17:51:53 [$] dawn: Solution: Please refere to the Ruby on Rails cheatsheet available from owasp.org to mitigate this vulnerability

17:51:53 [!] dawn: Evidence:

17:51:53 [!] dawn: [{:filename=>"./config/deploy.rb", :matches=>[{:match=>"# ask :branch, proc { `git rev-parse --abbrev-ref HEAD`.chomp }\n", :line=>3}]},
{:filename=>"./config/environments/production.rb", :matches=>[{:match=>"  # Add `rack-cache` to your Gemfile before enabling this.\n", :line=>17}]},
{:filename=>"./config/initializers/devise.rb", :matches=>[{:match=>"  # given strategies, for example, `config.params_authenticatable = [:database]` will\n", :line=>52}, {:match=>"  # given strategies, for example, `config.http_authenticatable = [:token]` will\n", :line=>58}, {:match=>"  # passing :skip => :sessions to `devise_for` in your config/routes.rb\n", :line=>81}, {:match=>"  # Require the `devise-encryptable` gem when using anything other than bcrypt\n", :line=>195}, {:match=>"  # When using Devise inside an engine, let's call it `MyEngine`, and this engine\n", :line=>245}, {:match=>"  # The router that invoked `devise_for`, in the example above, would be:\n", :line=>251}]},
{:filename=>"./config/initializers/secret_token.rb", :matches=>[{:match=>"# You can use `rake secret` to generate a secure secret key.\n", :line=>7}]},
{:filename=>"./config/initializers/simple_form.rb", :matches=>[{:match=>"  # given input by passing: `f.input EXTENSION_NAME => false`.\n", :line=>11}, {:match=>"    # renaming `b.use` to `b.optional`.\n", :line=>13}, {:match=>"    # They are disabled unless you pass `f.input EXTENSION_NAME => :lookup`\n", :line=>24}, {:match=>"    # extensions by default, you can change `b.optional` to `b.use`.\n", :line=>27}]}]

17:51:53 [!] dawn: []


Paolo Perego (Guest)
on 2014-01-21 18:05
(Received via mailing list)
Hi Rocco, actually it's not a bug. Codesake::Dawn is telling you that
your code fails a check described in the OWASP Ruby Cheatsheet.
As per issue #21
(https://github.com/codesake/codesake-dawn/issues/21), in the next
releases I'll split the cheatsheet checks up so as to have more
precise error messages.

Bye,
Paolo

Rocco Galluzzo (byterussian)
on 2014-01-21 18:16
(Received via mailing list)
Got it.

Another thing: is the check on commented-out code intentional?

For example, the first error posted in the previous message:

[{:filename=>"./config/deploy.rb", :matches=>[{:match=>"# ask :branch, proc { `git rev-parse --abbrev-ref HEAD`.chomp }\n", :line=>3}]},

I went into the capistrano file and the line was commented out:

# ask :branch, proc { `git rev-parse --abbrev-ref HEAD`.chomp }
Paolo Perego (Guest)
on 2014-01-21 18:27
(Received via mailing list)
In this case, no.
It's due to the fact that the cheatsheet checks are done with pattern
matching, so this does seem to genuinely deserve an enhancement.

Could you open an issue for me on GitHub please?
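To make the false positive concrete, here is an added example, not Codesake::Dawn's own code: a hypothetical pattern-matching check of the kind Paolo describes, run first over raw lines (which flags Rocco's commented-out Capistrano line) and then with comments stripped before matching. Every match in the evidence Rocco pasted contains a backtick pair, so a backtick command-execution pattern is assumed here; the sample deploy.rb, the pattern and the function names are all constructed for the example.

```ruby
# Added example, not Codesake::Dawn's own code: a hypothetical
# pattern-matching check of the kind Paolo describes, first run naively
# (flagging commented-out code, as in Rocco's report) and then with
# comments stripped before matching.

# Constructed sample deploy.rb: Rocco's commented-out Capistrano line,
# followed by a live backtick call that a check should still flag.
SAMPLE_DEPLOY_RB = <<~'RUBY'
  # config valid only for current version of Capistrano
  lock '3.1.0'
  # ask :branch, proc { `git rev-parse --abbrev-ref HEAD`.chomp }
  set :branch, `git rev-parse --abbrev-ref HEAD`.chomp
  set :repo_url, 'git@example.com:me/my_repo.git'
RUBY

# Assumed pattern: a backtick command-execution literal.
BACKTICK_PATTERN = /`[^`]+`/

# Naive check: apply the regex to every raw line, comments included.
# Returns [{line:, match:}] in the same shape as the evidence in the thread.
def naive_check(source, pattern = BACKTICK_PATTERN)
  source.each_line.with_index(1)
        .select { |line, _n| line =~ pattern }
        .map { |line, n| { line: n, match: line.chomp } }
end

# Drop a trailing '#' comment from one line. A '#' inside a string or
# backtick literal is not a comment, so quotes are tracked while scanning.
# This is a deliberately small lexer for the example, not a Ruby parser
# (it ignores regex literals, heredocs and ?# character literals).
def strip_comment(line)
  quote = nil
  line.each_char.with_index do |ch, i|
    if quote
      quote = nil if ch == quote
    elsif ch == '"' || ch == "'" || ch == '`'
      quote = ch
    elsif ch == '#'
      return line[0...i]
    end
  end
  line
end

# Comment-aware check: strip comments, then match only live code.
def comment_aware_check(source, pattern = BACKTICK_PATTERN)
  source.each_line.with_index(1)
        .map { |line, n| [strip_comment(line), n] }
        .select { |code, _n| code =~ pattern }
        .map { |code, n| { line: n, match: code.strip } }
end

if __FILE__ == $PROGRAM_NAME
  puts "naive check flags lines:         #{naive_check(SAMPLE_DEPLOY_RB).map { |h| h[:line] }.inspect}"
  puts "comment-aware check flags lines: #{comment_aware_check(SAMPLE_DEPLOY_RB).map { |h| h[:line] }.inspect}"
end
```

Run stand-alone, the naive check reports lines 3 and 4 of the sample while the comment-aware check reports only line 4, the live call. Stripping comments with a quote-aware scan rather than a bare `/#.*/` regex matters, because a `#` inside a string or backtick literal would otherwise truncate real code and hide a finding.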
Fabrizio Regini (freegenie)
on 2014-01-21 21:26
(Received via mailing list)
I have the same problem with the comment. Also, I had to hook onto the
repo on GitHub to make it work with a Rails 3.2.


Paolo Perego (Guest)
on 2014-01-22 10:49
(Received via mailing list)
The problem related to commented-out code (issue 22) has been solved
with this morning's latest commit
(https://github.com/codesake/codesake-dawn/tree/iss...).
It's in a separate branch, since issue 21 has to be closed first.
Then it will be brought first into development and then into master
to ship a 1.0.1.

I'll also update the docs; in the meantime, for anyone who wants to
contribute, the branching model used is this one:
http://nvie.com/posts/a-successful-git-branching-model/
So if you want to work on a fix or a feature, don't branch from master
but from development, and work on an ad hoc branch for the fix or the
feature you are developing.

@Fabrizio: in what sense? dawn is agnostic about the framework version...
thanks
Paolo

gabriele renzi (Guest)
on 2014-01-22 10:57
(Received via mailing list)
fwiw,

$ gem install codesake-dawn

ERROR:  While executing gem ... (Gem::ImpossibleDependenciesError)
    mechanize-2.7.3 requires mime-types (~> 2.0) but it conflicted:
  Activated mime-types-2.0 instead of (~> 1.15) via:
    grit-2.5.0, codesake-dawn-1.0.0
$ ruby -v
ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-darwin10.8.0]
$ gem -v
2.1.11

With a more recent rubygems, on the other hand, everything works.



--
twitter: @riffraff
blog (en, it): www.riffraff.info riffraff.blogsome.com
work: circleme.com
Alessandro Lepore (Guest)
on 2014-01-22 11:04
(Received via mailing list)
2014/1/22 gabriele renzi <rff.rff@gmail.com>

> ERROR:  While executing gem ... (Gem::ImpossibleDependenciesError)
> With a more recent rubygems, on the other hand, everything works.


I also had problems with rubygems < 2.2, but with lots of gems, not
only with dawn.
Gem::DependencyError everywhere.
Paolo Perego (Guest)
on 2014-01-22 11:09
(Received via mailing list)
Yep, with the same Ruby version but gem 2.2.1 it works
(https://travis-ci.org/codesake/codesake-dawn/jobs/17394659).

With your gem version and a ruby 2.0.0 it works:

~/src/hacking/codesake-dawn(development) (ruby-2.0.0-p353@codesake) gem install codesake-dawn
Successfully installed codesake-dawn-1.0.0
Parsing documentation for codesake-dawn-1.0.0
1 gem installed
~/src/hacking/codesake-dawn(development) (ruby-2.0.0-p353@codesake) gem -v
2.1.11
~/src/hacking/codesake-dawn(development) (ruby-2.0.0-p353@codesake) ruby -v
ruby 2.0.0p353 (2013-11-22 revision 43784) [x86_64-darwin13.0.0]
~/src/hacking/codesake-dawn(development)

Honestly, I wouldn't know how to get out of this tangle...
Suggestions?

Rocco Galluzzo (byterussian)
on 2014-01-22 11:10
(Received via mailing list)
As a feature, it would be useful to have a rake task that updates the
gem's database.

(This evening I'll have a look at the code)





gabriele renzi (Guest)
on 2014-01-22 11:15
(Received via mailing list)
no, but you can add an installation note :)


Paolo Perego (Guest)
on 2014-01-22 11:53
(Received via mailing list)
Hi Rocco, by design choice the code isn't implemented using a
database but Java classes.
What is on the roadmap instead is a task to check on the NVD site
whether there are other issues concerning ruby.

Paolo

Paolo Perego (Guest)
on 2014-01-22 12:02
(Received via mailing list)
Could you open an issue? That way I can track the improvement to be made :)

Thanks
