├── test
├── apps
│ └── rails6.1
│ │ ├── log
│ │ └── .keep
│ │ ├── tmp
│ │ ├── .keep
│ │ └── pids
│ │ │ └── .keep
│ │ ├── storage
│ │ └── .keep
│ │ ├── vendor
│ │ └── .keep
│ │ ├── lib
│ │ ├── assets
│ │ │ └── .keep
│ │ └── tasks
│ │ │ └── .keep
│ │ ├── public
│ │ ├── favicon.ico
│ │ ├── apple-touch-icon.png
│ │ ├── apple-touch-icon-precomposed.png
│ │ ├── robots.txt
│ │ ├── 500.html
│ │ ├── 422.html
│ │ └── 404.html
│ │ ├── .ruby-version
│ │ ├── app
│ │ ├── assets
│ │ │ ├── images
│ │ │ │ └── .keep
│ │ │ ├── config
│ │ │ │ └── manifest.js
│ │ │ └── stylesheets
│ │ │ │ └── application.css
│ │ ├── models
│ │ │ ├── concerns
│ │ │ │ └── .keep
│ │ │ ├── post.rb
│ │ │ └── application_record.rb
│ │ ├── controllers
│ │ │ ├── concerns
│ │ │ │ └── .keep
│ │ │ ├── application_controller.rb
│ │ │ └── welcome_controller.rb
│ │ ├── views
│ │ │ ├── layouts
│ │ │ │ ├── mailer.text.erb
│ │ │ │ ├── mailer.html.erb
│ │ │ │ └── application.html.erb
│ │ │ └── welcome
│ │ │ │ └── index.html.erb
│ │ ├── helpers
│ │ │ ├── welcome_helper.rb
│ │ │ └── application_helper.rb
│ │ ├── channels
│ │ │ └── application_cable
│ │ │ │ ├── channel.rb
│ │ │ │ └── connection.rb
│ │ ├── mailers
│ │ │ └── application_mailer.rb
│ │ ├── javascript
│ │ │ ├── channels
│ │ │ │ ├── index.js
│ │ │ │ └── consumer.js
│ │ │ └── packs
│ │ │ │ └── application.js
│ │ └── jobs
│ │ │ └── application_job.rb
│ │ ├── config
│ │ ├── spring.rb
│ │ ├── environment.rb
│ │ ├── routes.rb
│ │ ├── initializers
│ │ │ ├── mime_types.rb
│ │ │ ├── application_controller_renderer.rb
│ │ │ ├── cookies_serializer.rb
│ │ │ ├── filter_parameter_logging.rb
│ │ │ ├── permissions_policy.rb
│ │ │ ├── wrap_parameters.rb
│ │ │ ├── backtrace_silencers.rb
│ │ │ ├── assets.rb
│ │ │ ├── inflections.rb
│ │ │ └── content_security_policy.rb
│ │ ├── boot.rb
│ │ ├── cable.yml
│ │ ├── credentials.yml.enc
│ │ ├── database.yml
│ │ ├── application.rb
│ │ ├── locales
│ │ │ └── en.yml
│ │ ├── storage.yml
│ │ ├── puma.rb
│ │ └── environments
│ │ │ ├── test.rb
│ │ │ ├── development.rb
│ │ │ └── production.rb
│ │ ├── bin
│ │ ├── rake
│ │ ├── rails
│ │ ├── spring
│ │ ├── yarn
│ │ └── setup
│ │ ├── config.ru
│ │ ├── Rakefile
│ │ ├── package.json
│ │ ├── .gitattributes
│ │ ├── db
│ │ └── seeds.rb
│ │ ├── README.md
│ │ ├── .gitignore
│ │ ├── Gemfile
│ │ └── Gemfile.lock
├── test_helper.rb
├── spektr_test.rb
└── spektr
│ ├── targets
│ ├── routes_test.rb
│ ├── view_test.rb
│ ├── base_test.rb
│ └── controller_test.rb
│ ├── app_test.rb
│ └── checks
│ ├── xss_test.rb
│ ├── send_test.rb
│ ├── cookie_serialization_test.rb
│ ├── basic_auth_test.rb
│ ├── file_access_test.rb
│ ├── file_disclosure_test.rb
│ ├── digest_dos_test.rb
│ ├── evaluations_test.rb
│ ├── content_tag_xss_test.rb
│ ├── basic_auth_timing_test.rb
│ ├── dynamic_finders_test.rb
│ ├── detailed_exceptions_test.rb
│ ├── json_entity_escape_test.rb
│ ├── json_parsing_test.rb
│ ├── default_routes_test.rb
│ ├── create_with_test.rb
│ ├── mass_assignment_test.rb
│ ├── link_to_href_test.rb
│ ├── sqli_test.rb
│ ├── command_injection_test.rb
│ ├── deserialize_test.rb
│ └── csrf_setting_test.rb
├── lib
├── spektr
│ ├── version.rb
│ ├── targets
│ │ ├── model.rb
│ │ ├── config.rb
│ │ ├── view.rb
│ │ ├── routes.rb
│ │ ├── controller.rb
│ │ └── base.rb
│ ├── checks.rb
│ ├── extractors
│ │ ├── calls.rb
│ │ └── methods.rb
│ ├── checks
│ │ ├── header_dos.rb
│ │ ├── i18n_xss.rb
│ │ ├── csrf.rb
│ │ ├── basic_auth_timing.rb
│ │ ├── cookie_serialization.rb
│ │ ├── send.rb
│ │ ├── csrf_setting.rb
│ │ ├── evaluation.rb
│ │ ├── basic_auth.rb
│ │ ├── file_disclosure.rb
│ │ ├── dynamic_finders.rb
│ │ ├── json_encoding.rb
│ │ ├── create_with.rb
│ │ ├── detailed_exceptions.rb
│ │ ├── digest_dos.rb
│ │ ├── filter_skipping.rb
│ │ ├── json_entity_escape.rb
│ │ ├── file_access.rb
│ │ ├── mass_assignment.rb
│ │ ├── sqli.rb
│ │ ├── link_to_href.rb
│ │ ├── json_parsing.rb
│ │ ├── default_routes.rb
│ │ ├── deserialize.rb
│ │ ├── command_injection.rb
│ │ ├── xss.rb
│ │ ├── content_tag_xss.rb
│ │ └── base.rb
│ ├── core_ext
│ │ └── string.rb
│ ├── warning.rb
│ ├── cli.rb
│ ├── erubi.rb
│ └── app.rb
└── spektr.rb
├── railsgoat-example.png
├── Gemfile
├── .travis.yml
├── .gitignore
├── CODE_OF_CONDUCT.md
├── bin
├── setup
├── spektr
└── console
├── Rakefile
├── CHANGELOG.md
├── .github
└── workflows
│ └── ci.yaml
├── LICENSE.txt
├── spektr.gemspec
├── Guardfile
└── README.md
/test/apps/rails6.1/log/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/tmp/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/storage/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/tmp/pids/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/vendor/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/lib/assets/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/lib/tasks/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/public/favicon.ico:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/.ruby-version:
--------------------------------------------------------------------------------
1 | 2.7.2
2 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/assets/images/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/models/concerns/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/public/apple-touch-icon.png:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/controllers/concerns/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/public/apple-touch-icon-precomposed.png:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/lib/spektr/version.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | VERSION = '0.5.0'
3 | end
4 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/views/layouts/mailer.text.erb:
--------------------------------------------------------------------------------
1 | <%= yield %>
2 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/models/post.rb:
--------------------------------------------------------------------------------
1 | class Post < ApplicationRecord
2 | end
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/helpers/welcome_helper.rb:
--------------------------------------------------------------------------------
1 | module WelcomeHelper
2 | end
3 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/helpers/application_helper.rb:
--------------------------------------------------------------------------------
1 | module ApplicationHelper
2 | end
3 |
--------------------------------------------------------------------------------
/railsgoat-example.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gregmolnar/spektr/HEAD/railsgoat-example.png
--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------
1 | source "https://rubygems.org"
2 |
3 | # Specify your gem's dependencies in spektr.gemspec
4 | gemspec
5 |
--------------------------------------------------------------------------------
/lib/spektr/targets/model.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | module Targets
3 | class Model < Base
4 | end
5 | end
6 | end
7 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/assets/config/manifest.js:
--------------------------------------------------------------------------------
1 | //= link_tree ../images
2 | //= link_directory ../stylesheets .css
3 |
--------------------------------------------------------------------------------
/lib/spektr/targets/config.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | module Targets
3 | class Config < Base
4 | end
5 | end
6 | end
7 |
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
1 | ---
2 | language: ruby
3 | cache: bundler
4 | rvm:
5 | - 2.7.2
6 | before_install: gem install bundler -v 2.1.4
7 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/models/application_record.rb:
--------------------------------------------------------------------------------
1 | class ApplicationRecord < ActiveRecord::Base
2 | self.abstract_class = true
3 | end
4 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/public/robots.txt:
--------------------------------------------------------------------------------
1 | # See https://www.robotstxt.org/robotstxt.html for documentation on how to use the robots.txt file
2 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/channels/application_cable/channel.rb:
--------------------------------------------------------------------------------
1 | module ApplicationCable
2 | class Channel < ActionCable::Channel::Base
3 | end
4 | end
5 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/spring.rb:
--------------------------------------------------------------------------------
1 | Spring.watch(
2 | ".ruby-version",
3 | ".rbenv-vars",
4 | "tmp/restart.txt",
5 | "tmp/caching-dev.txt"
6 | )
7 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | /.bundle/
2 | /.yardoc
3 | /_yardoc/
4 | /coverage/
5 | /doc/
6 | /pkg/
7 | /spec/reports/
8 | /tmp/
9 | .byebug_history
10 | Gemfile.lock
11 |
--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | # Contributor Covenant Code of Conduct
2 |
3 | Same as Ruby: [https://www.ruby-lang.org/en/conduct/](https://www.ruby-lang.org/en/conduct/)
4 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/channels/application_cable/connection.rb:
--------------------------------------------------------------------------------
1 | module ApplicationCable
2 | class Connection < ActionCable::Connection::Base
3 | end
4 | end
5 |
--------------------------------------------------------------------------------
/bin/setup:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | set -euo pipefail
3 | IFS=$'\n\t'
4 | set -vx
5 |
6 | bundle install
7 |
8 | # Do any other automated setup that you need to do here
9 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/mailers/application_mailer.rb:
--------------------------------------------------------------------------------
1 | class ApplicationMailer < ActionMailer::Base
2 | default from: 'from@example.com'
3 | layout 'mailer'
4 | end
5 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/bin/rake:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | load File.expand_path("spring", __dir__)
3 | require_relative "../config/boot"
4 | require "rake"
5 | Rake.application.run
6 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/environment.rb:
--------------------------------------------------------------------------------
1 | # Load the Rails application.
2 | require_relative "application"
3 |
4 | # Initialize the Rails application.
5 | Rails.application.initialize!
6 |
--------------------------------------------------------------------------------
/bin/spektr:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | $:.unshift "#{File.expand_path(File.dirname(__FILE__))}/../lib"
3 | $VERBOSE = nil
4 | require 'spektr'
5 | require 'spektr/cli'
6 |
7 | Spektr::Cli.new.parse.scan
8 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/controllers/application_controller.rb:
--------------------------------------------------------------------------------
1 | class ApplicationController < ActionController::Base
2 | http_basic_authenticate_with name: "dhh", password: "secret", except: :index
3 | end
4 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config.ru:
--------------------------------------------------------------------------------
1 | # This file is used by Rack-based servers to start the application.
2 |
3 | require_relative "config/environment"
4 |
5 | run Rails.application
6 | Rails.application.load_server
7 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/routes.rb:
--------------------------------------------------------------------------------
1 | Rails.application.routes.draw do
2 | get 'welcome/index'
3 | # For details on the DSL available within this file, see https://guides.rubyonrails.org/routing.html
4 | end
5 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/initializers/mime_types.rb:
--------------------------------------------------------------------------------
1 | # Be sure to restart your server when you modify this file.
2 |
3 | # Add new mime types for use in respond_to blocks:
4 | # Mime::Type.register "text/richtext", :rtf
5 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/bin/rails:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | load File.expand_path("spring", __dir__)
3 | APP_PATH = File.expand_path('../config/application', __dir__)
4 | require_relative "../config/boot"
5 | require "rails/commands"
6 |
--------------------------------------------------------------------------------
/test/test_helper.rb:
--------------------------------------------------------------------------------
1 | $LOAD_PATH.unshift File.expand_path("../lib", __dir__)
2 | require "spektr"
3 |
4 | require "byebug"
5 | require "minitest/pride"
6 | require "minitest/autorun"
7 |
8 | RAILS_6_1_ROOT = File.join(__dir__, "apps", "rails6.1")
9 |
--------------------------------------------------------------------------------
/Rakefile:
--------------------------------------------------------------------------------
1 | require "bundler/gem_tasks"
2 | require "rake/testtask"
3 |
4 | Rake::TestTask.new(:test) do |t|
5 | t.libs << "test"
6 | t.libs << "lib"
7 | t.test_files = FileList["test/**/*_test.rb"]
8 | end
9 |
10 | task :default => :test
11 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/boot.rb:
--------------------------------------------------------------------------------
1 | ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
2 |
3 | require "bundler/setup" # Set up gems listed in the Gemfile.
4 | require "bootsnap/setup" # Speed up boot time by caching expensive operations.
5 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/Rakefile:
--------------------------------------------------------------------------------
1 | # Add your own tasks in files placed in lib/tasks ending in .rake,
2 | # for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
3 |
4 | require_relative "config/application"
5 |
6 | Rails.application.load_tasks
7 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/cable.yml:
--------------------------------------------------------------------------------
1 | development:
2 | adapter: async
3 |
4 | test:
5 | adapter: test
6 |
7 | production:
8 | adapter: redis
9 | url: <%= ENV.fetch("REDIS_URL") { "redis://localhost:6379/1" } %>
10 | channel_prefix: rails6_1_production
11 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/javascript/channels/index.js:
--------------------------------------------------------------------------------
1 | // Load all the channels within this directory and all subdirectories.
2 | // Channel files must be named *_channel.js.
3 |
4 | const channels = require.context('.', true, /_channel\.js$/)
5 | channels.keys().forEach(channels)
6 |
--------------------------------------------------------------------------------
/test/spektr_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class SpektrTest < Minitest::Test
4 | def test_that_it_has_a_version_number
5 | refute_nil ::Spektr::VERSION
6 | end
7 |
8 | # def test_it_does_something_useful
9 | # assert false
10 | # end
11 | end
12 |
--------------------------------------------------------------------------------
/lib/spektr/checks.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | def self.load(only = false)
4 | Checks.constants.select do |c|
5 | Checks.const_get(c).is_a?(Class) && (!only || only && only.to_s == c.to_s)
6 | end.map { |c| Checks.const_get(c) }
7 | end
8 | end
9 | end
10 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/package.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "rails6-1",
3 | "private": true,
4 | "dependencies": {
5 | "@rails/ujs": "^6.0.0",
6 | "turbolinks": "^5.2.0",
7 | "@rails/activestorage": "^6.0.0",
8 | "@rails/actioncable": "^6.0.0"
9 | },
10 | "version": "0.1.0"
11 | }
12 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/controllers/welcome_controller.rb:
--------------------------------------------------------------------------------
1 | class WelcomeController < ApplicationController
2 | def index
3 | @welcome_message = params[:welcome_message]
4 | @attr = params[:attr]
5 | @safe_attr = "class"
6 | @post = Post.last
7 | @posts = Post.all
8 | end
9 | end
10 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/initializers/application_controller_renderer.rb:
--------------------------------------------------------------------------------
1 | # Be sure to restart your server when you modify this file.
2 |
3 | # ActiveSupport::Reloader.to_prepare do
4 | # ApplicationController.renderer.defaults.merge!(
5 | # http_host: 'example.org',
6 | # https: false
7 | # )
8 | # end
9 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/initializers/cookies_serializer.rb:
--------------------------------------------------------------------------------
1 | # Be sure to restart your server when you modify this file.
2 |
3 | # Specify a serializer for the signed and encrypted cookie jars.
4 | # Valid options are :json, :marshal, and :hybrid.
5 | Rails.application.config.action_dispatch.cookies_serializer = :json
6 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/jobs/application_job.rb:
--------------------------------------------------------------------------------
1 | class ApplicationJob < ActiveJob::Base
2 | # Automatically retry jobs that encountered a deadlock
3 | # retry_on ActiveRecord::Deadlocked
4 |
5 | # Most jobs are safe to ignore if the underlying records are no longer available
6 | # discard_on ActiveJob::DeserializationError
7 | end
8 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/javascript/channels/consumer.js:
--------------------------------------------------------------------------------
1 | // Action Cable provides the framework to deal with WebSockets in Rails.
2 | // You can generate new channels where WebSocket features live using the `bin/rails generate channel` command.
3 |
4 | import { createConsumer } from "@rails/actioncable"
5 |
6 | export default createConsumer()
7 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/views/layouts/mailer.html.erb:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
8 |
9 |
10 |
11 | <%= yield %>
12 |
13 |
14 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/initializers/filter_parameter_logging.rb:
--------------------------------------------------------------------------------
1 | # Be sure to restart your server when you modify this file.
2 |
3 | # Configure sensitive parameters which will be filtered from the log file.
4 | Rails.application.config.filter_parameters += [
5 | :passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
6 | ]
7 |
--------------------------------------------------------------------------------
/test/spektr/targets/routes_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class RoutesTest < Minitest::Test
4 | def setup
5 | code = <<-CODE
6 | Rails3::Application.routes.draw do
7 | resources :products
8 | end
9 | CODE
10 |
11 | @routes = Spektr::Targets::Routes.new("routes.rb", code)
12 | end
13 |
14 | end
15 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/.gitattributes:
--------------------------------------------------------------------------------
1 | # See https://git-scm.com/docs/gitattributes for more about git attribute files.
2 |
3 | # Mark the database schema as having been generated.
4 | db/schema.rb linguist-generated
5 |
6 | # Mark the yarn lockfile as having been generated.
7 | yarn.lock linguist-generated
8 |
9 | # Mark any vendored files as having been vendored.
10 | vendor/* linguist-vendored
11 |
--------------------------------------------------------------------------------
/bin/console:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 |
3 | require "bundler/setup"
4 | require "spektr"
5 |
6 | # You can add fixtures and/or initialization code here to make experimenting
7 | # with your gem easier. You can also use a different console, if you like.
8 |
9 | # (If you use this, don't forget to add pry to your Gemfile!)
10 | # require "pry"
11 | # Pry.start
12 |
13 | require "irb"
14 | IRB.start(__FILE__)
15 |
--------------------------------------------------------------------------------
/test/spektr/app_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class AppTest < Minitest::Test
4 | def test_it_loads_files
5 | app = Spektr::App.new(checks: Spektr::Checks.load, root: "./test/apps/rails6.1")
6 | app.load
7 | assert_equal 2, app.controllers.size
8 | assert_equal 2, app.models.size
9 | assert_equal 3, app.views.size
10 | assert_equal 0, app.lib_files.size
11 | end
12 | end
13 |
--------------------------------------------------------------------------------
/test/spektr/checks/xss_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class XssTest < Minitest::Test
4 | def setup
5 | @app = Spektr::App.new(root: RAILS_6_1_ROOT, checks: [Spektr::Checks::Xss])
6 | end
7 |
8 | def test_it_fails_with_unescaped_user_input
9 | @app.load
10 | @app.rails_version = Gem::Version.new "2.3.1"
11 | @app.scan!
12 | assert_equal 9, @app.warnings.size
13 | end
14 | end
15 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/db/seeds.rb:
--------------------------------------------------------------------------------
1 | # This file should contain all the record creation needed to seed the database with its default values.
2 | # The data can then be loaded with the bin/rails db:seed command (or created alongside the database with db:setup).
3 | #
4 | # Examples:
5 | #
6 | # movies = Movie.create([{ name: 'Star Wars' }, { name: 'Lord of the Rings' }])
7 | # Character.create(name: 'Luke', movie: movies.first)
8 |
--------------------------------------------------------------------------------
/test/spektr/targets/view_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class ViewTest < Minitest::Test
4 | def setup
5 | code = <<-CODE
6 | <%= content_tag :div, 'foo' %>
7 | CODE
8 |
9 | @view = Spektr::Targets::View.new("index.html.erb", code)
10 | end
11 |
12 | def test_it_finds_call
13 | calls = @view.find_calls :content_tag
14 | refute_empty calls
15 | assert_equal 1, calls.size
16 | end
17 | end
18 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/initializers/permissions_policy.rb:
--------------------------------------------------------------------------------
1 | # Define an application-wide HTTP permissions policy. For further
2 | # information see https://developers.google.com/web/updates/2018/06/feature-policy
3 | #
4 | # Rails.application.config.permissions_policy do |f|
5 | # f.camera :none
6 | # f.gyroscope :none
7 | # f.microphone :none
8 | # f.usb :none
9 | # f.fullscreen :self
10 | # f.payment :self, "https://secure.example.com"
11 | # end
12 |
--------------------------------------------------------------------------------
/lib/spektr/extractors/calls.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | module Extractors
3 | class Calls < Prism::Visitor
4 | attr_accessor :result
5 |
6 | def initialize(name:)
7 | @name = name
8 | @result = []
9 | end
10 |
11 | def call(ast)
12 | ast.value.accept(self)
13 | self
14 | end
15 |
16 | def visit_call_node(node)
17 | @result << node if node.name == @name
18 | super
19 | end
20 | end
21 | end
22 | end
23 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/credentials.yml.enc:
--------------------------------------------------------------------------------
1 | E9pcEgi2EkiWodN5MioGDgDSvZJ2ELSu7+2SkeI8jEnj3CEOp3C5GhlY1VcM6KHH+G1pnnMI+MJfe94GQWwdbYcLMzlfpOIDQVIxRG4xJYuT0zQu3NliIlSasjANk3xJfHt6iw1cmBtpL8ac1g4EDwa+PSXiyVR5HJOWhf9JNgsTqRc9drx+JcwtWapdMMCyI+jtOyajV2xxaIX/wweLiP45/KnCAb5rNmS4zfwsCdv7PlAj9aVNd2Deeb+2zGFzldXL07i/T1povJe66mFjlcJ/fIfhVP+lWzMNwoJUAMS6vlGYcgxXdymkrrog75vHDOqXUP1XmUpy5hzSmb8c45+r6q/kFNBcnSW8OOtTZwHSk24tTLvPGp+8mYbYHPILRhQi3vCA7OTNFRK7TtItYUFYbuLS0su8QkEt--hpWMSbcLTkQ7mTaD--uTnawB2TbLIgwnnOGU7kUQ==
--------------------------------------------------------------------------------
/test/apps/rails6.1/README.md:
--------------------------------------------------------------------------------
1 | # README
2 |
3 | This README would normally document whatever steps are necessary to get the
4 | application up and running.
5 |
6 | Things you may want to cover:
7 |
8 | * Ruby version
9 |
10 | * System dependencies
11 |
12 | * Configuration
13 |
14 | * Database creation
15 |
16 | * Database initialization
17 |
18 | * How to run the test suite
19 |
20 | * Services (job queues, cache servers, search engines, etc.)
21 |
22 | * Deployment instructions
23 |
24 | * ...
25 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/views/layouts/application.html.erb:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Rails61
5 |
6 | <%= csrf_meta_tags %>
7 | <%= csp_meta_tag %>
8 |
9 | <%= stylesheet_link_tag 'application', media: 'all', 'data-turbolinks-track': 'reload' %>
10 | <%= javascript_pack_tag 'application', 'data-turbolinks-track': 'reload' %>
11 |
12 |
13 |
14 | <%= yield %>
15 |
16 |
17 |
--------------------------------------------------------------------------------
/test/spektr/checks/send_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class SendTest < Minitest::Test
4 | def setup
5 | @app = Spektr::App.new(checks: [Spektr::Checks::Send])
6 | end
7 |
8 | def test_it_fails_with_user_controller_value
9 | code = <<-CODE
10 | @content.send(params[:field])
11 | CODE
12 | controller = Spektr::Targets::Controller.new("blog_controller.rb", code)
13 | check = Spektr::Checks::Send.new(@app, controller)
14 | check.run
15 | assert_equal 1, @app.warnings.size
16 | end
17 | end
18 |
--------------------------------------------------------------------------------
/lib/spektr/checks/header_dos.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class HeaderDos < Base
4 |
5 | def initialize(app, target)
6 | super
7 | @name = "HTTP MIME type header DoS (CVE-2013-6414)"
8 | @type = "Denial of Service"
9 | @targets = ["Spektr::Targets::Base"]
10 | end
11 |
12 | def run
13 | return unless super
14 | if app_version_between?("3.0.0", "3.2.15")
15 | warn! "root", self, nil, "CVE_2013_6414"
16 | end
17 | end
18 | end
19 | end
20 | end
21 |
--------------------------------------------------------------------------------
/lib/spektr/core_ext/string.rb:
--------------------------------------------------------------------------------
1 | class String
2 | def blank?
3 | nil? || self == ""
4 | end
5 |
6 | def underscore
7 | camel_cased_word = self
8 | return camel_cased_word.to_s unless /[A-Z-]|::/.match?(camel_cased_word)
9 | word = camel_cased_word.to_s.gsub("::", "/")
10 | word.gsub!(/(?:(?<=([A-Za-z\d]))|\b)((?=a))(?=\b|[^a-z])/) { "#{$1 && '_' }#{$2.downcase}" }
11 | word.gsub!(/([A-Z]+)(?=[A-Z][a-z])|([a-z\d])(?=[A-Z])/) { ($1 || $2) << "_" }
12 | word.tr!("-", "_")
13 | word.downcase!
14 | word
15 | end
16 | end
17 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/bin/spring:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | if !defined?(Spring) && [nil, "development", "test"].include?(ENV["RAILS_ENV"])
3 | gem "bundler"
4 | require "bundler"
5 |
6 | # Load Spring without loading other gems in the Gemfile, for speed.
7 | Bundler.locked_gems&.specs&.find { |spec| spec.name == "spring" }&.tap do |spring|
8 | Gem.use_paths Gem.dir, Bundler.bundle_path.to_s, *Gem.path
9 | gem "spring", spring.version
10 | require "spring/binstub"
11 | rescue Gem::LoadError
12 | # Ignore when Spring is not installed.
13 | end
14 | end
15 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/javascript/packs/application.js:
--------------------------------------------------------------------------------
1 | // This file is automatically compiled by Webpack, along with any other files
2 | // present in this directory. You're encouraged to place your actual application logic in
3 | // a relevant structure within app/javascript and only use these pack files to reference
4 | // that code so it'll be compiled.
5 |
6 | import Rails from "@rails/ujs"
7 | import Turbolinks from "turbolinks"
8 | import * as ActiveStorage from "@rails/activestorage"
9 | import "channels"
10 |
11 | Rails.start()
12 | Turbolinks.start()
13 | ActiveStorage.start()
14 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/initializers/wrap_parameters.rb:
--------------------------------------------------------------------------------
1 | # Be sure to restart your server when you modify this file.
2 |
3 | # This file contains settings for ActionController::ParamsWrapper which
4 | # is enabled by default.
5 |
6 | # Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
7 | ActiveSupport.on_load(:action_controller) do
8 | wrap_parameters format: [:json]
9 | end
10 |
11 | # To enable root element in JSON for ActiveRecord objects.
12 | # ActiveSupport.on_load(:active_record) do
13 | # self.include_root_in_json = true
14 | # end
15 |
--------------------------------------------------------------------------------
/test/spektr/checks/cookie_serialization_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class CookieSerializationTest < Minitest::Test
4 | def test_it_fails_with_marshal
5 | code = <<-CODE
6 | Rails.application.config.action_dispatch.cookies_serializer = :marshal
7 | CODE
8 | app = Spektr::App.new(checks: [Spektr::Checks::CookieSerialization])
9 | initializer = Spektr::Targets::Base.new("cookies_serialization.rb", code)
10 | check = Spektr::Checks::CookieSerialization.new(app, initializer)
11 | check.run
12 | assert_equal 1, app.warnings.size
13 | end
14 | end
15 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/initializers/backtrace_silencers.rb:
--------------------------------------------------------------------------------
1 | # Be sure to restart your server when you modify this file.
2 |
3 | # You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
4 | # Rails.backtrace_cleaner.add_silencer { |line| /my_noisy_library/.match?(line) }
5 |
6 | # You can also remove all the silencers if you're trying to debug a problem that might stem from framework code
7 | # by setting BACKTRACE=1 before calling your invocation, like "BACKTRACE=1 ./bin/rails runner 'MyClass.perform'".
8 | Rails.backtrace_cleaner.remove_silencers! if ENV["BACKTRACE"]
9 |
--------------------------------------------------------------------------------
/lib/spektr/checks/i18n_xss.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class I18nXss < Base
4 |
5 | def initialize(app, target)
6 | super
7 | @name = "XSS in i18n (CVE-2013-4491)"
8 | @type = "Cross-Site Scripting"
9 | @targets = ["Spektr::Targets::Base"]
10 | end
11 |
12 | def run
13 | return unless super
14 | if app_version_between?("3.0.6", "3.2.15") || app_version_between?("4.0.0", "4.0.1")
15 | warn! "root", self, nil, "I18n has a Cross-Site Scripting vulnerability (CVE_2013_4491)"
16 | end
17 | end
18 | end
19 | end
20 | end
21 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/bin/yarn:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | APP_ROOT = File.expand_path('..', __dir__)
3 | Dir.chdir(APP_ROOT) do
4 | yarn = ENV["PATH"].split(File::PATH_SEPARATOR).
5 | select { |dir| File.expand_path(dir) != __dir__ }.
6 | product(["yarn", "yarn.cmd", "yarn.ps1"]).
7 | map { |dir, file| File.expand_path(file, dir) }.
8 | find { |file| File.executable?(file) }
9 |
10 | if yarn
11 | exec yarn, *ARGV
12 | else
13 | $stderr.puts "Yarn executable was not detected in the system."
14 | $stderr.puts "Download Yarn at https://yarnpkg.com/en/docs/install"
15 | exit 1
16 | end
17 | end
18 |
--------------------------------------------------------------------------------
/test/spektr/checks/basic_auth_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class BasicAuthTest < Minitest::Test
4 |
5 | def setup
6 | end
7 |
8 | def test_it_fails_with_plaintext_password
9 | code = <<-CODE
10 | class ApplicationController
11 | http_basic_authenticate_with name: "dhh", password: "secret", except: :index
12 | end
13 | CODE
14 | app = Spektr::App.new(checks: [Spektr::Checks::BasicAuth])
15 | controller = Spektr::Targets::Controller.new("application_controller.rb", code)
16 | check = Spektr::Checks::BasicAuth.new(app, controller)
17 | check.run
18 | assert_equal 1, app.warnings.size
19 | end
20 | end
21 |
--------------------------------------------------------------------------------
/test/spektr/checks/file_access_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class FileAccessTest < Minitest::Test
4 | def setup
5 | @code = <<-CODE
6 | class ApplicationController
7 | def index
8 | File.open(params[:directory])
9 | end
10 | end
11 | CODE
12 | @app = Spektr::App.new(checks: [Spektr::Checks::FileAccess])
13 | @controller = Spektr::Targets::Controller.new("application_controller.rb", @code)
14 | @check = Spektr::Checks::FileAccess.new(@app, @controller)
15 | end
16 |
17 | def test_it_fails_with_user_supplied_value
18 | @check.run
19 | assert_equal 1, @app.warnings.size
20 | end
21 | end
22 |
--------------------------------------------------------------------------------
/test/spektr/checks/file_disclosure_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class FileDisclosureTest < Minitest::Test
4 |
5 | def test_it_fails_with_insecure_config
6 | code = <<-CODE
7 | Rails.application.configure do
8 | config.serve_static_assets = true
9 | end
10 | CODE
11 | app = Spektr::App.new(checks: [Spektr::Checks::FileDisclosure])
12 | app.rails_version = Gem::Version.new("4.0.0")
13 | config = Spektr::Targets::Base.new("production.rb", code)
14 | app.production_config = config
15 | check = Spektr::Checks::FileDisclosure.new(app, config)
16 | check.run
17 | assert_equal 1, app.warnings.size
18 | end
19 |
20 | end
21 |
--------------------------------------------------------------------------------
/test/spektr/checks/digest_dos_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class DigestDosTest < Minitest::Test
4 | def setup
5 | @code = <<-CODE
6 | class ApplicationController
7 | authenticate_or_request_with_http_digest
8 | end
9 | CODE
10 | @app = Spektr::App.new(checks: [Spektr::Checks::DigestDos])
11 | @app.rails_version = Gem::Version.new "3.0.1"
12 | @controller = Spektr::Targets::Controller.new("application_controller.rb", @code)
13 | @check = Spektr::Checks::DigestDos.new(@app, @controller)
14 | end
15 |
16 | def test_it_fails_with_affected_version
17 | @check.run
18 | assert_equal 1, @app.warnings.size
19 | end
20 | end
21 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/initializers/assets.rb:
--------------------------------------------------------------------------------
1 | # Be sure to restart your server when you modify this file.
2 |
3 | # Version of your assets, change this if you want to expire all your assets.
4 | Rails.application.config.assets.version = '1.0'
5 |
6 | # Add additional assets to the asset load path.
7 | # Rails.application.config.assets.paths << Emoji.images_path
8 | # Add Yarn node_modules folder to the asset load path.
9 | Rails.application.config.assets.paths << Rails.root.join('node_modules')
10 |
11 | # Precompile additional assets.
12 | # application.js, application.css, and all non-JS/CSS in the app/assets
13 | # folder are already added.
14 | # Rails.application.config.assets.precompile += %w( admin.js admin.css )
15 |
--------------------------------------------------------------------------------
/test/spektr/checks/evaluations_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class EvaluationTest < Minitest::Test
4 | def setup
5 | @code = <<-CODE
6 | class ApplicationController
7 | def index
8 | eval("whoami")
9 | eval(`ls \#{params[:directory]}`)
10 | instance_eval params[:code]
11 | end
12 | end
13 | CODE
14 | @app = Spektr::App.new(checks: [Spektr::Checks::Evaluation])
15 | @controller = Spektr::Targets::Controller.new("application_controller.rb", @code)
16 | @check = Spektr::Checks::Evaluation.new(@app, @controller)
17 | end
18 |
19 | def test_it_fails_with_user_supplied_value
20 | @check.run
21 | assert_equal 2, @app.warnings.size
22 | end
23 | end
24 |
--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
1 | # Change Log
2 |
3 | ## Unreleased
4 |
5 | ## 0.5.0
6 |
7 | * change parser to Prism
8 |
9 | ## 0.4.1
10 |
11 | * fix core extension eager loading
12 |
13 | ## 0.4.0
14 |
15 | * make XSS check work without a Rails version
16 | * change parent class extraction to support Structs
17 | * fix parsing errors
18 |
19 | ## 0.3.4
20 |
21 | * Relax dependencies, to help with using spektr as a gem
22 | * Fix executable
23 |
24 | ## 0.3.3
25 |
26 | * Remove hard dependency of haml 5
27 |
28 | ## 0.3.2
29 |
30 | * Rescue from lib file parsing errors
31 |
32 | * Drop Active Support from dependencies
33 |
34 | * Improve Gemspec
35 |
36 | ## 0.3.0
37 |
38 | * Add support to ignore findings
39 |
40 | ## 0.2.0
41 |
42 | * add Slim support
43 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/initializers/inflections.rb:
--------------------------------------------------------------------------------
1 | # Be sure to restart your server when you modify this file.
2 |
3 | # Add new inflection rules using the following format. Inflections
4 | # are locale specific, and you may define rules for as many different
5 | # locales as you wish. All of these examples are active by default:
6 | # ActiveSupport::Inflector.inflections(:en) do |inflect|
7 | # inflect.plural /^(ox)$/i, '\1en'
8 | # inflect.singular /^(ox)en/i, '\1'
9 | # inflect.irregular 'person', 'people'
10 | # inflect.uncountable %w( fish sheep )
11 | # end
12 |
13 | # These inflection rules are supported but not enabled by default:
14 | # ActiveSupport::Inflector.inflections(:en) do |inflect|
15 | # inflect.acronym 'RESTful'
16 | # end
17 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/database.yml:
--------------------------------------------------------------------------------
1 | # SQLite. Versions 3.8.0 and up are supported.
2 | # gem install sqlite3
3 | #
4 | # Ensure the SQLite 3 gem is defined in your Gemfile
5 | # gem 'sqlite3'
6 | #
7 | default: &default
8 | adapter: sqlite3
9 | pool: <%= ENV.fetch("RAILS_MAX_THREADS") { 5 } %>
10 | timeout: 5000
11 |
12 | development:
13 | <<: *default
14 | database: db/development.sqlite3
15 |
16 | # Warning: The database defined as "test" will be erased and
17 | # re-generated from your development database when you run "rake".
18 | # Do not set this db to the same as development or production.
19 | test:
20 | <<: *default
21 | database: db/test.sqlite3
22 |
23 | production:
24 | <<: *default
25 | database: db/production.sqlite3
26 |
--------------------------------------------------------------------------------
/lib/spektr/extractors/methods.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | module Extractors
3 | class Methods < Prism::Visitor
4 | attr_accessor :result
5 |
6 | def initialize(visibility: :all)
7 | @visibility = visibility
8 | @current_visibility = :public
9 | @result = []
10 | end
11 |
12 | def call(ast)
13 | ast.value.accept(self)
14 | self
15 | end
16 |
17 | def visit_call_node(node)
18 | @current_visibility = node.name if %i[private protected public].include?(node.name)
19 | super
20 | end
21 |
22 | def visit_def_node(node)
23 | @result << node if @visibility == :all || @current_visibility == @visibility
24 | super
25 | end
26 | end
27 | end
28 | end
29 |
--------------------------------------------------------------------------------
/test/spektr/checks/content_tag_xss_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class ContentTagXssTest < Minitest::Test
4 |
5 | def setup
6 | @app = Spektr::App.new(root: RAILS_6_1_ROOT, checks: [Spektr::Checks::ContentTagXss])
7 | end
8 |
9 | def test_it_fails_with_rails_2
10 | @app.load
11 | @app.rails_version = Gem::Version.new "2.3.1"
12 | @app.scan!
13 | assert_equal 4, @app.warnings.size
14 | end
15 |
16 | def test_it_fails_for_cve_2016_6316
17 | @app.load
18 | @app.rails_version = Gem::Version.new "3.0.0"
19 | @app.scan!
20 | assert_equal 2, @app.warnings.size
21 | end
22 |
23 | def test_it_fails_for_unsafe_hash_attribute
24 | @app.load
25 | @app.scan!
26 | assert_equal 1, @app.warnings.size
27 | end
28 | end
29 |
--------------------------------------------------------------------------------
/lib/spektr/checks/csrf.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class Csrf < Base
4 | def initialize(app, target)
5 | super
6 | @name = "CSRF token forgery vulnerability (CVE-2020-8166)"
7 | @type = "Cross-Site Request Forgery"
8 | @targets = ["Spektr::Targets::Base"]
9 | end
10 |
11 | def run
12 | # disable this
13 | return false
14 | return unless super
15 | cve_2020_8186_check
16 | end
17 |
18 | def cve_2020_8186_check
19 | if app_version_between?('0.0.0', '5.2.4.2') || app_version_between?('6.0.0', '6.0.3')
20 | warn! @target, self, nil, "Rails #{@app.rails_version} has a vulnerability that may allow CSRF token forgery"
21 | end
22 | end
23 | end
24 | end
25 | end
26 |
--------------------------------------------------------------------------------
/lib/spektr/checks/basic_auth_timing.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class BasicAuthTiming < Base
4 |
5 | def initialize(app, target)
6 | super
7 | @name = "Timing attack in basic auth (CVE-2015-7576)"
8 | @type = "Timing attack"
9 | @targets = ["Spektr::Targets::Controller"]
10 | end
11 |
12 | def run
13 | return unless super
14 | if @target.find_calls(:http_basic_authenticate_with).any?
15 | warn! @target, self, @target.find_calls(:http_basic_authenticate_with).first.location, "Basic authentication in Rails #{@app.rails_version} is vulnerable to timing attacks."
16 | end
17 | end
18 |
19 | def version_affected
20 | Gem::Version.new("4.2.5")
21 | end
22 | end
23 | end
24 | end
25 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/assets/stylesheets/application.css:
--------------------------------------------------------------------------------
1 | /*
2 | * This is a manifest file that'll be compiled into application.css, which will include all the files
3 | * listed below.
4 | *
5 | * Any CSS and SCSS file within this directory, lib/assets/stylesheets, or any plugin's
6 | * vendor/assets/stylesheets directory can be referenced here using a relative path.
7 | *
8 | * You're free to add application-wide styles to this file and they'll appear at the bottom of the
9 | * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
10 | * files in this directory. Styles in this file should be added after the last require_* statement.
11 | * It is generally better to create a new file per style scope.
12 | *
13 | *= require_tree .
14 | *= require_self
15 | */
16 |
--------------------------------------------------------------------------------
/lib/spektr/checks/cookie_serialization.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class CookieSerialization < Base
4 |
5 | def initialize(app, target)
6 | super
7 | @name = "Unsafe deserialisation"
8 | @type = "Insecure Deserialization"
9 | @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller"]
10 | end
11 |
12 | def run
13 | return unless super
14 | calls = @target.find_calls(:cookies_serializer=)
15 | if calls.any?{ |call| full_receiver(call) == "Rails.application.config.action_dispatch" && call.arguments.arguments.first.unescaped == "marshal" }
16 | warn! @target, self, calls.first.location, "Marshal cookie serialization strategy can lead to remote code execution"
17 | end
18 | end
19 | end
20 | end
21 | end
22 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/application.rb:
--------------------------------------------------------------------------------
1 | require_relative "boot"
2 |
3 | require "rails/all"
4 |
5 | # Require the gems listed in Gemfile, including any gems
6 | # you've limited to :test, :development, or :production.
7 | Bundler.require(*Rails.groups)
8 |
9 | module Rails61
10 | class Application < Rails::Application
11 | # Initialize configuration defaults for originally generated Rails version.
12 | config.load_defaults 6.1
13 |
14 | # Configuration for the application, engines, and railties goes here.
15 | #
16 | # These settings can be overridden in specific environments using the files
17 | # in config/environments, which are processed later.
18 | #
19 | # config.time_zone = "Central Time (US & Canada)"
20 | # config.eager_load_paths << Rails.root.join("extras")
21 | end
22 | end
23 |
--------------------------------------------------------------------------------
/lib/spektr/checks/send.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class Send < Base
4 | def initialize(app, target)
5 | super
6 | @name = "Dangerous send"
7 | @type = "Dangerous send"
8 | @targets = ["Spektr::Targets::Base", "Spektr::Targets::Model", "Spektr::Targets::Controller", "Spektr::Targets::Routes", "Spektr::Targets::View"]
9 | end
10 |
11 | def run
12 | return unless super
13 | [:send, :try, :__send__, :public_send].each do |method|
14 | @target.find_calls(method).each do |call|
15 | argument = call.arguments.arguments.first
16 | if user_input?(argument)
17 | warn! @target, self, call.location, "User supplied value in send"
18 | end
19 | end
20 | end
21 | end
22 | end
23 | end
24 | end
25 |
--------------------------------------------------------------------------------
/lib/spektr/warning.rb:
--------------------------------------------------------------------------------
1 | require 'digest'
2 |
3 | module Spektr
4 | class Warning
5 | attr_accessor :path, :full_path, :check, :location, :message, :confidence, :line
6 |
7 | def initialize(path, full_path, check, location, message, confidence = :high)
8 | @path = path
9 | @check = check
10 | @location = location
11 | @message = message
12 | @confidence = confidence
13 | @line = IO.readlines(full_path)[@location.start_line - 1].strip if full_path && @location && File.exist?(full_path)
14 | end
15 |
16 | def full_message
17 | if @location
18 | "#{message} at line #{@location.start_line} of #{@path}"
19 | else
20 | "#{message}"
21 | end
22 | end
23 |
24 | def fingerprint
25 | Digest::MD5.hexdigest("#{path}:#{line}:#{check.name}")
26 | end
27 | end
28 | end
29 |
--------------------------------------------------------------------------------
/.github/workflows/ci.yaml:
--------------------------------------------------------------------------------
1 | # This workflow uses actions that are not certified by GitHub.
2 | # They are provided by a third-party and are governed by
3 | # separate terms of service, privacy policy, and support
4 | # documentation.
5 |
6 | name: CI
7 |
8 | on:
9 | push:
10 | branches: [ master ]
11 | pull_request:
12 | branches: [ master ]
13 |
14 | jobs:
15 | test:
16 |
17 | runs-on: ubuntu-latest
18 | strategy:
19 | fail-fast: false
20 | matrix:
21 | ruby: [3.2, 3.3, 3.4]
22 | steps:
23 | - uses: actions/checkout@v2
24 | - name: Set up Ruby
25 | uses: ruby/setup-ruby@v1
26 | with:
27 | bundler-cache: true
28 | ruby-version: ${{ matrix.ruby }}
29 | - name: Install dependencies
30 | run: bundle install
31 | - name: Run tests
32 | run: bundle exec rake
33 |
--------------------------------------------------------------------------------
/lib/spektr/checks/csrf_setting.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class CsrfSetting < Base
4 | def initialize(app, target)
5 | super
6 | @name = 'Cross-Site Request Forgery'
7 | @type = 'Cross-Site Request Forgery'
8 | @targets = ['Spektr::Targets::Controller']
9 | end
10 |
11 | def run
12 | return unless super
13 | return if @target.concern?
14 |
15 | target = @target
16 | return if @target.find_calls(:skip_forgery_protection).none?
17 |
18 | skip = @target.find_calls(:skip_forgery_protection).last
19 | return if skip && skip.arguments && skip.arguments.arguments.first.elements.map(&:key).map(&:unescaped).intersection(%w[only except]).any?
20 |
21 | warn! @target, self, nil, 'protect_from_forgery should be enabled'
22 | end
23 | end
24 | end
25 | end
26 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/app/views/welcome/index.html.erb:
--------------------------------------------------------------------------------
1 | Welcome#index
2 | Find me in app/views/welcome/index.html.erb
3 | <%= content_tag :div, @welcome_message %>
4 | <%= content_tag :div, @welcome_message, @safe_attr => "foobar" %>
5 | <%= "/users/#{current_user.id}/messages.json".inspect.html_safe %>
6 | <%== @safe_attr %>
7 | <%= @post.title %>
8 | <%= @safe_attr.html_safe %>
9 | <%= raw Sensor::NAMES.map{|n| {val: n, text: t(n, scope: "sensors.categories")} } %>
10 |
11 | <%= content_tag :div, @welcome_message, @attr => "foobar" %>
12 | <%== params[:foobar] %>
13 | <%== @attr %>
14 | <%== params[:foobar].html_safe %>
15 | <%= params[:foobar].html_safe %>
16 | <%= @attr.html_safe %>
17 | <%= @post.title.html_safe %>
18 | <%== @post.title %>
19 | <%= raw cookies[:font] %>
20 | <% @posts.each do |post| %>
21 | <%= post.title.html_safe %>
22 | <% end %>
23 |
--------------------------------------------------------------------------------
/test/spektr/checks/basic_auth_timing_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class BasicAuthTimingTest < Minitest::Test
4 |
5 | def setup
6 | @code = <<-CODE
7 | class ApplicationController
8 | http_basic_authenticate_with name: "dhh", password: "secret", except: :index
9 | end
10 | CODE
11 | @app = Spektr::App.new(checks: [Spektr::Checks::BasicAuthTiming])
12 | @controller = Spektr::Targets::Controller.new("application_controller.rb", @code)
13 | @check = Spektr::Checks::BasicAuthTiming.new(@app, @controller)
14 | end
15 |
16 | def test_it_fails_with_no_rails_version
17 | @check.run
18 | assert_equal 1, @app.warnings.size
19 | end
20 |
21 | def test_it_does_not_fail_with_non_affected_version
22 | @app.rails_version = Gem::Version.new "6.0.1"
23 | @check.run
24 | assert_equal 0, @app.warnings.size
25 | end
26 | end
27 |
--------------------------------------------------------------------------------
/lib/spektr/checks/evaluation.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class Evaluation < Base
4 | def initialize(app, target)
5 | super
6 | @name = "Arbitrary code execution"
7 | @type = "Remote Code Execution"
8 | @targets = ["Spektr::Targets::Base", "Spektr::Targets::Model", "Spektr::Targets::Controller", "Spektr::Targets::Routes", "Spektr::Targets::View"]
9 | end
10 |
11 | def run
12 | return unless super
13 | [:eval, :instance_eval, :class_eval, :module_eval].each do |name|
14 | @target.find_calls(name).each do |call|
15 | call.arguments.arguments.each do |argument|
16 | if user_input?(argument)
17 | warn! @target, self, call.location, "User input in eval"
18 | end
19 | end
20 | end
21 | end
22 | end
23 | end
24 | end
25 | end
26 |
--------------------------------------------------------------------------------
/lib/spektr/checks/basic_auth.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class BasicAuth < Base
4 |
5 | def initialize(app, target)
6 | super
7 | @name = "Basic Authentication"
8 | @type = "Password Plaintext Storage"
9 | @targets = ["Spektr::Targets::Controller"]
10 | end
11 |
12 | def run
13 | return unless super
14 | check_filter
15 | end
16 |
17 | def check_filter
18 | calls = @target.find_calls(:http_basic_authenticate_with)
19 | calls.each do |call|
20 | password = call.arguments.arguments.first.elements.find{|e| e.key.unescaped == "password" }
21 | if password && password.value.type == :string_node
22 | warn! @target, self, call.location, "Basic authentication password stored in source code"
23 | end
24 | end
25 | end
26 | end
27 | end
28 | end
29 |
--------------------------------------------------------------------------------
/lib/spektr/checks/file_disclosure.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class FileDisclosure < Base
4 |
5 | def initialize(app, target)
6 | super
7 | @name = "File existence disclosure"
8 | @type = "Information Disclosure"
9 | @targets = ["Spektr::Targets::Base"]
10 | end
11 |
12 | def run
13 | return unless super
14 | config = @app.production_config.find_calls(:serve_static_assets=).first
15 | if config && config.arguments.arguments.first.type == :true_node
16 | warn! "root", self, nil, "File existence disclosure vulnerability"
17 | end
18 | end
19 |
20 | def should_run?
21 | app_version_between?("2.0.0", "2.3.18") || app_version_between?("3.0.0", "3.2.20") || app_version_between?("4.0.0", "4.0.11") || app_version_between?("4.1.0", "4.1.7")
22 | end
23 | end
24 | end
25 | end
26 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/.gitignore:
--------------------------------------------------------------------------------
1 | # See https://help.github.com/articles/ignoring-files for more about ignoring files.
2 | #
3 | # If you find yourself ignoring temporary files generated by your text editor
4 | # or operating system, you probably want to add a global ignore instead:
5 | # git config --global core.excludesfile '~/.gitignore_global'
6 |
7 | # Ignore bundler config.
8 | /.bundle
9 |
10 | # Ignore the default SQLite database.
11 | /db/*.sqlite3
12 | /db/*.sqlite3-*
13 |
14 | # Ignore all logfiles and tempfiles.
15 | /log/*
16 | /tmp/*
17 | !/log/.keep
18 | !/tmp/.keep
19 |
20 | # Ignore pidfiles, but keep the directory.
21 | /tmp/pids/*
22 | !/tmp/pids/
23 | !/tmp/pids/.keep
24 |
25 | # Ignore uploaded files in development.
26 | /storage/*
27 | !/storage/.keep
28 |
29 | /public/assets
30 | .byebug_history
31 |
32 | # Ignore master key for decrypting credentials and more.
33 | /config/master.key
34 |
--------------------------------------------------------------------------------
/lib/spektr/checks/dynamic_finders.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class DynamicFinders < Base
4 |
5 | def initialize(app, target)
6 | super
7 | @name = "SQL Injection by unsafe usage of find_by_*"
8 | @type = "SQL Injection"
9 | @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::View"]
10 | end
11 |
12 | def run
13 | return unless super
14 | if app_version_between?("2.0.0", "4.1.99") && @app.has_gem?("mysql")
15 | @target.find_calls(/^find_by_/).each do |call|
16 | call.arguments.arguments.each do |argument|
17 | if user_input?(argument)
18 | warn! @target, self, call.location, "MySQL integer conversion may cause 0 to match any string"
19 | end
20 | end
21 | end
22 | end
23 | end
24 | end
25 | end
26 | end
27 |
--------------------------------------------------------------------------------
/lib/spektr/checks/json_encoding.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class JsonEncoding < Base
4 | def initialize(app, target)
5 | super
6 | @name = "XSS by missing JSON encoding"
7 | @type = "Cross-Site Scripting"
8 | @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::Routes", "Spektr::Targets::View"]
9 | end
10 |
11 | def run
12 | # TODO: write a test for this
13 | return unless super
14 | if app_version_between?("4.1.0", "4.1.10") || app_version_between?("4.2.0", "4.2.1")
15 | if calls = @target.find_calls(:to_json).any? || calls = @target.find_calls(:encode).any?
16 | warn! @target, self, calls.first.location, "Cross-Site Scripting CVE_2015_3226"
17 | else
18 | warn! "root", self, nil, "Cross-Site Scripting CVE_2015_3226"
19 | end
20 | end
21 | end
22 | end
23 | end
24 | end
25 |
--------------------------------------------------------------------------------
/lib/spektr/checks/create_with.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class CreateWith < Base
4 | def initialize(app, target)
5 | super
6 | @name = "Strong parameter bypass (CVE-2014-3514)"
7 | @type = "Input validation"
8 | @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::Routes", "Spektr::Targets::View"]
9 | end
10 |
11 | def run
12 | return unless super
13 | if app_version_between?("4.0.0", "4.0.8") || app_version_between?("4.1.0", "4.1.5")
14 | calls = @target.find_calls(:create_with)
15 | calls.each do |call|
16 | call.arguments.arguments.each do |argument|
17 | if user_input?(argument)
18 | next if argument.name == :permit
19 | warn! @target, self, call.location, "create_with is vulnerable to strong params bypass"
20 | end
21 | end
22 | end
23 | end
24 | end
25 | end
26 | end
27 | end
28 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/locales/en.yml:
--------------------------------------------------------------------------------
1 | # Files in the config/locales directory are used for internationalization
2 | # and are automatically loaded by Rails. If you want to use locales other
3 | # than English, add the necessary files in this directory.
4 | #
5 | # To use the locales, use `I18n.t`:
6 | #
7 | # I18n.t 'hello'
8 | #
9 | # In views, this is aliased to just `t`:
10 | #
11 | # <%= t('hello') %>
12 | #
13 | # To use a different locale, set it with `I18n.locale`:
14 | #
15 | # I18n.locale = :es
16 | #
17 | # This would use the information in config/locales/es.yml.
18 | #
19 | # The following keys must be escaped otherwise they will not be retrieved by
20 | # the default I18n backend:
21 | #
22 | # true, false, on, off, yes, no
23 | #
24 | # Instead, surround them with single quotes.
25 | #
26 | # en:
27 | # 'true': 'foo'
28 | #
29 | # To learn more, please read the Rails Internationalization guide
30 | # available at https://guides.rubyonrails.org/i18n.html.
31 |
32 | en:
33 | hello: "Hello world"
34 |
--------------------------------------------------------------------------------
/test/spektr/checks/dynamic_finders_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class DynamicFindersTest < Minitest::Test
4 | def setup
5 | @code = <<-CODE
6 | class ApplicationController
7 | def index
8 | Post.find_by_title(params[:q])
9 | Post.find_by_title("test")
10 | end
11 | end
12 | CODE
13 | @app = Spektr::App.new(checks: [Spektr::Checks::DynamicFinders])
14 | @app.gem_specs = [Bundler::LazySpecification.new("mysql", 1, "linux")]
15 | @app.rails_version = Gem::Version.new "5.0.1"
16 | @controller = Spektr::Targets::Controller.new("application_controller.rb", @code)
17 | @check = Spektr::Checks::DynamicFinders.new(@app, @controller)
18 | end
19 |
20 | def test_it_does_not_fail_with_rails_5
21 | @check.run
22 | assert_equal 0, @app.warnings.size
23 | end
24 |
25 | def test_it_fails_with_rails_4
26 | @app.rails_version = Gem::Version.new "4.0.1"
27 | @check.run
28 | assert_equal 1, @app.warnings.size
29 | end
30 | end
31 |
--------------------------------------------------------------------------------
/lib/spektr/checks/detailed_exceptions.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class DetailedExceptions < Base
4 |
5 | def name
6 |
7 | end
8 |
9 | def initialize(app, target)
10 | super
11 | @name = "Information Disclosure"
12 | @type = "Information Disclosure"
13 | @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller"]
14 | end
15 |
16 | def run
17 | return unless super
18 | call = @target.find_calls(:consider_all_requests_local=).last
19 | if call && call.arguments.arguments.first.type == :true_node
20 | warn! @target, self, call.location, "Detailed exceptions are enabled in production"
21 | end
22 | # TODO: make this better, by verifying that the method body is not empty, etc
23 | if call = @target.find_method(:show_detailed_exceptions?)
24 | warn! @target, self, call.location, "Detailed exceptions may be enabled in #{@target.name}"
25 | end
26 | end
27 | end
28 | end
29 | end
30 |
--------------------------------------------------------------------------------
/lib/spektr/checks/digest_dos.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class DigestDos < Base
4 | def initialize(app, target)
5 | super
6 | @name = "DoS in digest authentication(CVE-2012-3424)"
7 | @type = "Denial of Service"
8 | @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller"]
9 | end
10 |
11 | def run
12 | return unless super
13 | return unless should_run?
14 | calls = @target.find_calls(:authenticate_or_request_with_http_digest)
15 | calls.concat(@target.find_calls(:authenticate_with_http_digest))
16 | if calls.any?
17 | warn! @target, self, calls.first.location, "Vulnerability in digest authentication CVE-2012-3424"
18 | else
19 | warn! "root", self, nil, "Vulnerability in digest authentication CVE-2012-3424"
20 | end
21 | end
22 |
23 | def should_run?
24 | app_version_between?("3.0.0", "3.0.15") || app_version_between?("3.1.0", "3.1.6") || app_version_between?("3.2.0", "3.2.5")
25 | end
26 | end
27 | end
28 | end
29 |
--------------------------------------------------------------------------------
/test/spektr/checks/detailed_exceptions_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class DetailedExceptionsTest < Minitest::Test
4 |
5 | def test_it_fails_with_insecure_config
6 | code = <<-CODE
7 | Rails.application.configure do
8 | config.consider_all_requests_local = true
9 | end
10 | CODE
11 | app = Spektr::App.new(checks: [Spektr::Checks::DetailedExceptions])
12 | config = Spektr::Targets::Base.new("production.rb", code)
13 | check = Spektr::Checks::DetailedExceptions.new(app, config)
14 | check.run
15 | assert_equal 1, app.warnings.size
16 | end
17 |
18 | def test_it_fails_with_insecure_controller
19 | code = <<-CODE
20 | class ApplicationController
21 | def show_detailed_exceptions?
22 | admin?
23 | end
24 | end
25 | CODE
26 | app = Spektr::App.new(checks: [Spektr::Checks::DetailedExceptions])
27 | config = Spektr::Targets::Controller.new("production.rb", code)
28 | check = Spektr::Checks::DetailedExceptions.new(app, config)
29 | check.run
30 | assert_equal 1, app.warnings.size
31 | end
32 | end
33 |
--------------------------------------------------------------------------------
/lib/spektr/checks/filter_skipping.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class FilterSkipping < Base
4 | def initialize(app, target)
5 | super
6 | @name = "Default routes filter skipping"
7 | @type = "Default Routes"
8 | @targets = ["Spektr::Targets::Routes"]
9 | end
10 |
11 | def run
12 | # TODO: write a test for this
13 | return unless super
14 | calls = %w{ match get post put delete }.inject([]) do |memo, method|
15 | memo.concat @target.find_calls(method.to_sym)
16 | memo
17 | end
18 | calls.each do |call|
19 | arguments = call.arguments.arguments
20 | if arguments && (arguments.first.name.include?(":action") or arguments.first.name.include?("*action"))
21 | warn! @target, self, call.location, "CVE-2011-2929 Rails versions before 3.0.10 have a vulnerability which allows filters to be bypassed"
22 | end
23 | end
24 | end
25 |
26 | def should_run?
27 | app_version_between?("3.0.0", "3.0.9")
28 | end
29 | end
30 | end
31 | end
32 |
--------------------------------------------------------------------------------
/test/spektr/checks/json_entity_escape_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class JsonEntityEscapeTest < Minitest::Test
4 |
5 | def test_it_fails_with_insecure_config
6 | code = <<-CODE
7 | Rails.application.configure do
8 | config.active_support.escape_html_entities_in_json = false
9 | end
10 | CODE
11 | app = Spektr::App.new(checks: [Spektr::Checks::JsonEntityEscape])
12 | config = Spektr::Targets::Base.new("production.rb", code)
13 | app.production_config = config
14 | check = Spektr::Checks::JsonEntityEscape.new(app, config)
15 | check.run
16 | assert_equal 1, app.warnings.size
17 | end
18 |
19 | def test_it_fails_when_disabled_in_initializer
20 | code = <<-CODE
21 | # frozen_string_literal: true
22 | ActiveSupport::JSON::Encoding::escape_html_entities_in_json = false
23 | CODE
24 | app = Spektr::App.new(checks: [Spektr::Checks::JsonEntityEscape])
25 | config = Spektr::Targets::Base.new("html_entities.rb", code)
26 | check = Spektr::Checks::JsonEntityEscape.new(app, config)
27 | check.run
28 | assert_equal 1, app.warnings.size
29 | end
30 | end
31 |
--------------------------------------------------------------------------------
/lib/spektr/targets/view.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | module Targets
3 | class View < Base
4 | TEMPLATE_EXTENSIONS = /.*\.(erb|rhtml|haml|slim|herb)$/
5 | attr_accessor :view_path
6 |
7 | def initialize(path, content)
8 | super
9 | @calls = []
10 | Spektr.logger.debug "loading #{path}"
11 | @view_path = nil
12 | @path = path
13 | if match_data = path.match(%r{views/(.+?)\.})
14 | @view_path = match_data[1]
15 | end
16 | @ast = Prism.parse(source(content))
17 | @ast.value.accept(self)
18 | @name = @view_path
19 | end
20 |
21 | def source(content)
22 | type = @path.match(TEMPLATE_EXTENSIONS)[1].to_sym
23 | case type
24 | when :erb, :rhtml, :herb
25 | Erubi.new(content, trim_mode: '-').src
26 | # Herb.extract_ruby(content)
27 | when :haml
28 | Haml::Engine.new(content).precompiled
29 | when :slim
30 | erb = Slim::ERBConverter.new.call(content)
31 | Erubi.new(erb, trim_mode: '-').src
32 | end
33 | end
34 | end
35 | end
36 | end
37 |
--------------------------------------------------------------------------------
/lib/spektr/targets/routes.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | module Targets
3 | class Routes < Base
4 | attr_accessor :routes
5 |
6 | def initialize(path, content)
7 | super
8 | end
9 |
10 | def find_actions
11 | @actions = find_methods(ast: @ast, type: :public ).map do |ast|
12 | Action.new(ast, self)
13 | end
14 | end
15 |
16 | class Action
17 | attr_accessor :controller, :template
18 | def initialize(ast, controller)
19 | super(ast)
20 | @template = File.join(controller.name.delete_suffix("Controller").underscore, name.to_s)
21 | @body.each do |exp|
22 | if exp.send?
23 | if exp.name == :render
24 | if exp.arguments.first.type == :sym
25 | @template = File.join(controller.name.delete_suffix("Controller").underscore, exp.arguments.first.name.to_s)
26 | elsif
27 | if exp.arguments.first.type == :str
28 | @template = exp.arguments.first.name
29 | end
30 | end
31 | end
32 | end
33 | end
34 | end
35 | end
36 | end
37 | end
38 | end
39 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/bin/setup:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env ruby
2 | require "fileutils"
3 |
4 | # path to your application root.
5 | APP_ROOT = File.expand_path('..', __dir__)
6 |
7 | def system!(*args)
8 | system(*args) || abort("\n== Command #{args} failed ==")
9 | end
10 |
11 | FileUtils.chdir APP_ROOT do
12 | # This script is a way to set up or update your development environment automatically.
13 | # This script is idempotent, so that you can run it at any time and get an expectable outcome.
14 | # Add necessary setup steps to this file.
15 |
16 | puts '== Installing dependencies =='
17 | system! 'gem install bundler --conservative'
18 | system('bundle check') || system!('bundle install')
19 |
20 | # Install JavaScript dependencies
21 | system! 'bin/yarn'
22 |
23 | # puts "\n== Copying sample files =="
24 | # unless File.exist?('config/database.yml')
25 | # FileUtils.cp 'config/database.yml.sample', 'config/database.yml'
26 | # end
27 |
28 | puts "\n== Preparing database =="
29 | system! 'bin/rails db:prepare'
30 |
31 | puts "\n== Removing old logs and tempfiles =="
32 | system! 'bin/rails log:clear tmp:clear'
33 |
34 | puts "\n== Restarting application server =="
35 | system! 'bin/rails restart'
36 | end
37 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/storage.yml:
--------------------------------------------------------------------------------
1 | test:
2 | service: Disk
3 | root: <%= Rails.root.join("tmp/storage") %>
4 |
5 | local:
6 | service: Disk
7 | root: <%= Rails.root.join("storage") %>
8 |
9 | # Use rails credentials:edit to set the AWS secrets (as aws:access_key_id|secret_access_key)
10 | # amazon:
11 | # service: S3
12 | # access_key_id: <%= Rails.application.credentials.dig(:aws, :access_key_id) %>
13 | # secret_access_key: <%= Rails.application.credentials.dig(:aws, :secret_access_key) %>
14 | # region: us-east-1
15 | # bucket: your_own_bucket
16 |
17 | # Remember not to checkin your GCS keyfile to a repository
18 | # google:
19 | # service: GCS
20 | # project: your_project
21 | # credentials: <%= Rails.root.join("path/to/gcs.keyfile") %>
22 | # bucket: your_own_bucket
23 |
24 | # Use rails credentials:edit to set the Azure Storage secret (as azure_storage:storage_access_key)
25 | # microsoft:
26 | # service: AzureStorage
27 | # storage_account_name: your_account_name
28 | # storage_access_key: <%= Rails.application.credentials.dig(:azure_storage, :storage_access_key) %>
29 | # container: your_container_name
30 |
31 | # mirror:
32 | # service: Mirror
33 | # primary: local
34 | # mirrors: [ amazon, google, microsoft ]
35 |
--------------------------------------------------------------------------------
/test/spektr/checks/json_parsing_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class JsonParsingTest < Minitest::Test
4 |
5 | def test_fails_with_json_gem_backend
6 | code = <<-CODE
7 | ActiveSupport::JSON.backend = JSONGem
8 | CODE
9 | app = Spektr::App.new(checks: [Spektr::Checks::JsonParsing])
10 | config = Spektr::Targets::Base.new("production.rb", code)
11 | check = Spektr::Checks::JsonParsing.new(app, config)
12 | check.run
13 | assert_equal 1, app.warnings.size
14 |
15 | end
16 |
17 | def test_it_fails_with_yajl_gem
18 | code = ""
19 | app = Spektr::App.new(checks: [Spektr::Checks::JsonParsing])
20 | app.gem_specs = [Bundler::LazySpecification.new("yajl", 1, "linux")]
21 | config = Spektr::Targets::Base.new("production.rb", code)
22 | check = Spektr::Checks::JsonParsing.new(app, config)
23 | check.run
24 | assert_equal 1, app.warnings.size
25 | end
26 |
27 | def test_it_fails_with_json_and_json_pure
28 | app = Spektr::App.new(checks: [Spektr::Checks::JsonParsing])
29 | app.gem_specs = [Bundler::LazySpecification.new("json", "1.7.2", "linux")]
30 | config = Spektr::Targets::Base.new("production.rb", "")
31 | check = Spektr::Checks::JsonParsing.new(app, config)
32 | check.run
33 | assert_equal 1, app.warnings.size
34 | end
35 | end
36 |
--------------------------------------------------------------------------------
/test/spektr/checks/default_routes_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class DefaultRoutesTest < Minitest::Test
4 |
5 | def setup
6 | @app = Spektr::App.new(root: RAILS_6_1_ROOT, checks: [Spektr::Checks::DefaultRoutes])
7 | end
8 |
9 | def test_match_all_actions_with_rails_3
10 | @app.rails_version = Gem::Version.new "3.0.1"
11 | code = <<-CODE
12 | Rails3::Application.routes.draw do
13 | match ':controller(/:action(/:id(.:format)))'
14 | match ':controller/:action'
15 | match 'posts/:action', controller: 'posts'
16 | match 'posts/*action', controller: 'posts'
17 | end
18 | CODE
19 | routes = Spektr::Targets::Routes.new("routes.rb", code)
20 | check = Spektr::Checks::DefaultRoutes.new(@app, routes)
21 | check.run
22 | assert_equal 5, @app.warnings.size
23 | end
24 |
25 | def test_verb_all_actions_with_rails_3
26 | @app.rails_version = Gem::Version.new "3.0.1"
27 | code = <<-CODE
28 | Rails3::Application.routes.draw do
29 | get ":controller/:action"
30 | get "/posts/:action"
31 | post "/posts/:action"
32 | end
33 | CODE
34 | routes = Spektr::Targets::Routes.new("routes.rb", code)
35 | check = Spektr::Checks::DefaultRoutes.new(@app, routes)
36 | check.run
37 | assert_equal 4, @app.warnings.size
38 | end
39 | end
40 |
--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
1 | Spektr Public Use Licence
2 |
3 | Copyright (c) 2022 Spektr Security LLC
4 |
5 | Commercial Use of the Software for commercial purposes requires a commercial licence but any non-commercial use is
6 | allowed free of charge.
7 |
8 | Commercial use includes offering the software as part of a Software as a Service, or part of a distributed software
9 | where it is used as part of that software.
10 |
11 | Non-commercial use includes anything else, for instance when lincecee scans his own codebase for vulnerabilities,
12 | or as part of a security audit engagement the licencee scans the target's source code for vulnerabilities.
13 |
14 | Licencee is also permitted to embed the scanner into his own closed source application as long as they don't break
15 | the non-commercial use requirements of the software.
16 |
17 |
18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
24 | THE SOFTWARE.
25 |
26 | Software: Spektr Scanner
27 | Licensor: Spektr Security LLC
28 |
--------------------------------------------------------------------------------
/lib/spektr/checks/json_entity_escape.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class JsonEntityEscape < Base
4 |
5 | def initialize(app, target)
6 | super
7 | @name = "HTML escaping is disabled for JSON output"
8 | @type = "Cross-Site Scripting"
9 | @targets = ["Spektr::Targets::Config", "Spektr::Targets::Base"]
10 | end
11 |
12 | def run
13 | return unless super
14 | if @app.production_config
15 | config = @app.production_config.find_calls(:escape_html_entities_in_json=).first
16 | end
17 | if config and full_receiver(config) == "config.active_support" && config.arguments.arguments.first.type == :false_node
18 | warn! @app.production_config.path, self, nil, "HTML entities in JSON are not escaped by default"
19 | end
20 |
21 | if @target.find_calls(:escape_html_entities_in_json=, 'ActiveSupport'.to_sym).any?
22 | warn! @target, self, calls.first.location, "HTML entities in JSON are not escaped by default"
23 | end
24 | calls = @target.find_calls(:escape_html_entities_in_json=, 'JSON::Encoding'.to_sym)
25 | calls.each do |call|
26 | if full_receiver(call) == 'ActiveSupport.JSON.Encoding'
27 | warn! @target, self, calls.first.location, "HTML entities in JSON are not escaped by default"
28 | end
29 | end
30 | end
31 | end
32 | end
33 | end
34 |
--------------------------------------------------------------------------------
/lib/spektr/checks/file_access.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class FileAccess < Base
4 |
5 | def name
6 | "File access"
7 | end
8 |
9 | def initialize(app, target)
10 | super
11 | @name = "File access"
12 | @type = "Information Disclosure"
13 | @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::Routes", "Spektr::Targets::View"]
14 | end
15 |
16 | def run
17 | return unless super
18 | targets = ["Dir", "File", "IO", "Kernel", "Net::FTP", "Net::HTTP", "PStore", "Pathname", "Shell"]
19 | methods = [:[], :chdir, :chroot, :delete, :entries, :foreach, :glob, :install, :lchmod, :lchown, :link, :load, :load_file, :makedirs, :move, :new, :open, :read, :readlines, :rename, :rmdir, :safe_unlink, :symlink, :syscopy, :sysopen, :truncate, :unlink]
20 | targets.each do |target|
21 | methods.each do |method|
22 | check_calls_for_user_input(@target.find_calls(method, target.to_sym))
23 | end
24 | end
25 | end
26 |
27 | def check_calls_for_user_input(calls)
28 | calls.each do |call|
29 | call.arguments.arguments.each do |argument|
30 | if user_input?(argument)
31 | warn! @target, self, call.location, "#{argument.name} is used for a filename, which enables an attacker to access arbitrary files."
32 | end
33 | end
34 | end
35 | end
36 | end
37 | end
38 | end
39 |
--------------------------------------------------------------------------------
/lib/spektr/cli.rb:
--------------------------------------------------------------------------------
1 | require 'tty/option'
2 | require 'json'
3 | module Spektr
4 | class Cli
5 | include TTY::Option
6 | usage do
7 | program 'Spektr'
8 | command 'scan'
9 | desc 'Find vulnerabilities in ruby code'
10 | end
11 |
12 | argument :root do
13 | optional
14 | desc 'Path to application root'
15 | end
16 |
17 | flag :output_format do
18 | long '--output_format string'
19 | desc 'output format terminal or json'
20 | default 'terminal'
21 | end
22 |
23 | flag :check do
24 | long '--check string'
25 | desc 'run this single check'
26 | end
27 |
28 | flag :ignore do
29 | long '--ignore string'
30 | desc 'comma separated list of fingerprints to ignore'
31 | end
32 |
33 | flag :debug do
34 | long '--debug'
35 | short '-d'
36 | desc 'output debug logs to STDOUT'
37 | end
38 |
39 | flag :help do
40 | short '-h'
41 | long '--help'
42 | desc 'Print usage'
43 | end
44 |
45 | def scan
46 | if params[:help]
47 | print help
48 | exit
49 | else
50 | ignore = params[:ignore] ? params[:ignore].split(',') : []
51 | report = Spektr.run(params[:root], params[:output_format], params[:debug], params[:check], ignore)
52 | case params[:output_format]
53 | when 'json'
54 | puts JSON.pretty_generate report
55 | exit 1 if report[:advisories].any?
56 | end
57 | end
58 | end
59 | end
60 | end
61 |
--------------------------------------------------------------------------------
/lib/spektr/checks/mass_assignment.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class MassAssignment < Base
4 |
5 | # TODO: Make this better
6 | def initialize(app, target)
7 | super
8 | @name = "Mass Assignment"
9 | @type = "Input Validation"
10 | @targets = ["Spektr::Targets::Controller"]
11 | end
12 |
13 | def run
14 | return unless super
15 | model_names = @app.models.collect(&:name)
16 | calls = []
17 | model_names.each do |receiver|
18 | [:new, :build, :create].each do |method|
19 | calls.concat @target.find_calls(method, receiver.to_sym)
20 | end
21 | end
22 | calls.each do |call|
23 | argument = call.arguments&.arguments&.first
24 | next if argument.nil?
25 | ::Spektr.logger.debug "Mass assignment check at #{call.location.start_line}"
26 | if user_input?(argument)
27 | # we check for permit! separately
28 | next if argument.name == :permit!
29 | # check for permit with arguments
30 | next if argument.name == :permit && argument.arguments
31 | warn! @target, self, call.location, "Mass assignment"
32 | end
33 | end
34 | @target.find_calls(:permit!).each do |call|
35 | unless call.arguments
36 | warn! @target, self, call.location, "permit! allows any keys, use it with caution!", :medium
37 | end
38 | end
39 | end
40 | end
41 | end
42 | end
43 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/config/initializers/content_security_policy.rb:
--------------------------------------------------------------------------------
1 | # Be sure to restart your server when you modify this file.
2 |
3 | # Define an application-wide content security policy
4 | # For further information see the following documentation
5 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
6 |
7 | # Rails.application.config.content_security_policy do |policy|
8 | # policy.default_src :self, :https
9 | # policy.font_src :self, :https, :data
10 | # policy.img_src :self, :https, :data
11 | # policy.object_src :none
12 | # policy.script_src :self, :https
13 | # policy.style_src :self, :https
14 | # # If you are using webpack-dev-server then specify webpack-dev-server host
15 | # policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
16 |
17 | # # Specify URI for violation reports
18 | # # policy.report_uri "/csp-violation-report-endpoint"
19 | # end
20 |
21 | # If you are using UJS then enable automatic nonce generation
22 | # Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
23 |
24 | # Set the nonce only to specific directives
25 | # Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
26 |
27 | # Report CSP violations to a specified URI
28 | # For further information see the following documentation:
29 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
30 | # Rails.application.config.content_security_policy_report_only = true
31 |
--------------------------------------------------------------------------------
/test/spektr/checks/create_with_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class CreateWithTest < Minitest::Test
4 | def test_it_fails_with_affected_versions
5 | code = <<-CODE
6 | user.blog_posts.create_with(params[:blog_post]).create
7 | CODE
8 | app = Spektr::App.new(checks: [Spektr::Checks::CreateWith])
9 | app.rails_version = Gem::Version.new "4.0.0"
10 | initializer = Spektr::Targets::Base.new("posts_controller.rb", code)
11 | check = Spektr::Checks::CreateWith.new(app, initializer)
12 | check.run
13 | assert_equal 1, app.warnings.size
14 | end
15 |
16 | def test_it_does_not_fail_with_non_user_input
17 | code = <<-CODE
18 | user.blog_posts.create_with({title: "test"}).create
19 | CODE
20 | app = Spektr::App.new(checks: [Spektr::Checks::CreateWith])
21 | app.rails_version = Gem::Version.new "4.0.0"
22 | initializer = Spektr::Targets::Base.new("posts_controller.rb", code)
23 | check = Spektr::Checks::CreateWith.new(app, initializer)
24 | check.run
25 | assert_equal 0, app.warnings.size
26 | end
27 |
28 | def test_it_does_not_fail_with_permitted_params
29 | code = <<-CODE
30 | user.blog_posts.create_with(params[:blog_post].permit(:title)).create
31 | CODE
32 | app = Spektr::App.new(checks: [Spektr::Checks::CreateWith])
33 | app.rails_version = Gem::Version.new "4.0.0"
34 | initializer = Spektr::Targets::Base.new("posts_controller.rb", code)
35 | check = Spektr::Checks::CreateWith.new(app, initializer)
36 | check.run
37 | assert_equal 0, app.warnings.size
38 | end
39 | end
40 |
--------------------------------------------------------------------------------
/lib/spektr/checks/sqli.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class Sqli < Base
4 | def initialize(app, target)
5 | super
6 | @name = "SQL Injection"
7 | @name = "SQL Injection"
8 | @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::Model"]
9 | end
10 |
11 | def run
12 | return unless super
13 |
14 | [
15 | :average, :count, :maximum, :minimum, :sum, :exists?,
16 | :find_by, :find_by!, :find_or_create_by, :find_or_create_by!,
17 | :find_or_initialize_by, :from, :group, :having, :join, :lock,
18 | :where, :not, :select, :rewhere, :reselect, :update_all, :find_by_sql
19 |
20 | ].each do |m|
21 | @target.find_calls(m).each do |call|
22 | check_argument(call.arguments&.arguments&.first, m, call)
23 | end
24 | end
25 | [:calculate].each do |m|
26 | @target.find_calls(m).each do |call|
27 | check_argument(call.arguments.arguments[1], m, call)
28 | end
29 | end
30 |
31 | [:delete_by, :destroy_by].each do |m|
32 | @target.find_calls(m).each do |call|
33 | if call.arguments.arguments.first
34 | check_argument(call.arguments.arguments.first, m, call)
35 | end
36 | end
37 | end
38 | end
39 |
40 | def check_argument(argument, method, call)
41 | return if argument.nil?
42 | if user_input?(argument)
43 | warn! @target, self, call.location, "Possible SQL Injection at #{method}"
44 | end
45 | end
46 | end
47 | end
48 | end
49 |
--------------------------------------------------------------------------------
/lib/spektr/checks/link_to_href.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class LinkToHref < Base
4 | def initialize(app, target)
5 | super
6 | @name = "XSS in href param of link_to"
7 | @type = "Cross-Site Scripting"
8 | @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::View"]
9 | end
10 |
11 | # TODO: check for user supplied model attributes too
12 | def run
13 | return unless super
14 | block_locations = []
15 | @target.find_calls_with_block(:link_to).each do |call|
16 | block_locations << call.location
17 | next unless call.arguments.arguments.first
18 | ::Spektr.logger.debug "#{@target.path} #{call.location.start_line} #{call.arguments.arguments.first.inspect}"
19 | if user_input? call.arguments.arguments.first
20 | warn! @target, self, call.location, "Cross-Site Scripting: Unsafe user supplied value in link_to"
21 | end
22 | end
23 |
24 | @target.find_calls(:link_to).each do |call|
25 | next if block_locations.include? call.location
26 | next unless call.arguments
27 | ::Spektr.logger.debug "#{@target.path} #{call.location.start_line} #{call.arguments.arguments[1].inspect}"
28 | next unless call.arguments.arguments[1]
29 | next if call.arguments.arguments[1].name =~ /_url$|_path$/
30 | if user_input? call.arguments.arguments[1]
31 | warn! @target, self, call.location, "Cross-Site Scripting: Unsafe user supplied value in link_to"
32 | end
33 | end
34 | end
35 | end
36 | end
37 | end
38 |
--------------------------------------------------------------------------------
/test/spektr/checks/mass_assignment_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class MassAssignmentTest < Minitest::Test
4 | def setup
5 | model = <<-CODE
6 | class Post
7 | end
8 | CODE
9 | @app = Spektr::App.new(checks: [Spektr::Checks::MassAssignment])
10 | model = Spektr::Targets::Model.new("post.rb", model)
11 | @app.models << model
12 | end
13 |
14 | def test_it_fails_with_params_assignment
15 | code = <<-CODE
16 | class BlogController
17 | def create
18 | post = Post.new(params[:post])
19 | end
20 | end
21 | CODE
22 | controller = Spektr::Targets::Controller.new("blog_controller.rb", code)
23 | check = Spektr::Checks::MassAssignment.new(@app, controller)
24 | check.run
25 | assert_equal 1, @app.warnings.size
26 | end
27 |
28 | def test_it_doesnt_fail_with_permit
29 | code = <<-CODE
30 | class BlogController
31 | def create
32 | post = Post.new(params[:post].permit(:title, :body))
33 | end
34 | end
35 | CODE
36 | controller = Spektr::Targets::Controller.new("blog_controller.rb", code)
37 | check = Spektr::Checks::MassAssignment.new(@app, controller)
38 | check.run
39 | assert_equal 0, @app.warnings.size
40 | end
41 |
42 | def test_it_fails_with_permit_bang
43 | code = <<-CODE
44 | class BlogController
45 | def create
46 | post = Post.new(params[:post].permit!)
47 | end
48 | end
49 | CODE
50 | controller = Spektr::Targets::Controller.new("blog_controller.rb", code)
51 | check = Spektr::Checks::MassAssignment.new(@app, controller)
52 | check.run
53 | assert_equal 1, @app.warnings.size
54 | end
55 | end
56 |
--------------------------------------------------------------------------------
/lib/spektr/checks/json_parsing.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class JsonParsing < Base
4 | def initialize(app, target)
5 | super
6 | @name = "JSON parsing vulnerability"
7 | @type = "Remote Code Execution"
8 | @targets = ["Spektr::Targets::Base"]
9 | end
10 |
11 | def run
12 | return unless super
13 | check_cve_2013_0333
14 | check_cve_2013_0269
15 | end
16 |
17 | def check_cve_2013_0333
18 | return unless app_version_between?("0.0.0", "2.3.15") || app_version_between?("3.0.0", "3.0.19")
19 | if @app.has_gem?("yajl")
20 | warn! "root", self, nil, "Remote Code Execution CVE_2013_0333"
21 | end
22 | uses_json_gem?
23 | end
24 |
25 | def uses_json_gem?
26 | @target.find_calls(:backend=).each do |call|
27 | if full_receiver(call) == "ActiveSupport.JSON" && call.arguments.arguments.first&.name == :JSONGem
28 | warn! @target, self, call.location, "Remote Code Execution CVE_2013_0333"
29 | end
30 | end
31 | end
32 |
33 | def check_cve_2013_0269
34 | ["json", "json_pure"].each do |gem_name|
35 | if g = @app.gem_specs&.find { |g| g.name == gem_name }
36 | if version_between?("1.7.0", "1.7.6", g.version)
37 | warn! "Gemfile", self, nil, "Unsafe Object Creation Vulnerability in the #{g.name} gem"
38 | end
39 | if version_between?("0", "1.5.4", g.version) || version_between?("1.6.0", "1.6.7", g.version)
40 | warn! "Gemfile", self, nil, "Unsafe Object Creation Vulnerability in the #{g.name} gem"
41 | end
42 | end
43 | end
44 | end
45 | end
46 | end
47 | end
48 |
--------------------------------------------------------------------------------
/lib/spektr/checks/default_routes.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class DefaultRoutes < Base
4 | def initialize(app, target)
5 | super
6 | @name = "Dangerous default routes"
7 | @targets = ["Spektr::Targets::Routes"]
8 | end
9 |
10 | def run
11 | return unless super
12 | @type = "Remote Code Execution"
13 | check_for_cve_2014_0130
14 | @type = "Default routes"
15 | check_for_default_routes
16 | end
17 |
18 | def check_for_default_routes
19 | if app_version_between?(3, 4)
20 | calls = %w{ match get post put delete }.inject([]) do |memo, method|
21 | memo.concat @target.find_calls(method.to_sym)
22 | memo
23 | end
24 | calls.each do |call|
25 | argument_value = call.arguments.arguments.first.unescaped
26 | if argument_value == ":controller(/:action(/:id(.:format)))" or (argument_value.include?(":controller") && (argument_value.include?(":action") or argument_value.include?("*action")) )
27 | warn! @target, self, call.location, "All public methods in controllers are available as actions"
28 | end
29 |
30 | if argument_value.include?(":action") or argument_value.include?("*action")
31 | warn! @target, self, call.location, "All public methods in controllers are available as actions"
32 | end
33 | end
34 | end
35 | end
36 |
37 | def check_for_cve_2014_0130
38 | if app_version_between?("2.0.0", "2.3.18") || app_version_between?("3.0.0", "3.2.17") || app_version_between?("4.0.0", "4.0.4") || app_version_between?("4.1.0", "4.1.0")
39 | warn! @target, self, nil, "#{@app.rails_version} with globbing routes is vulnerable to directory traversal and remote code execution."
40 | end
41 | end
42 | end
43 | end
44 | end
45 |
--------------------------------------------------------------------------------
/lib/spektr/checks/deserialize.rb:
--------------------------------------------------------------------------------
1 | module Spektr
2 | class Checks
3 | class Deserialize < Base
4 |
5 | def initialize(app, target)
6 | super
7 | @name = "Unsafe object deserialization"
8 | @type = "Insecure Deserialization"
9 | @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::Routes", "Spektr::Targets::View"]
10 | end
11 |
12 | def run
13 | return unless super
14 | check_csv
15 | check_yaml
16 | check_marshal
17 | check_oj
18 | end
19 |
20 | def check_csv
21 | check_method(:load, :CSV)
22 | end
23 |
24 | # TODO: handle safe yaml
25 | def check_yaml
26 | [:load_documents, :load_stream, :parse_documents, :parse_stream].each do |method|
27 | check_method(method, :YAML)
28 | end
29 | end
30 |
31 | def check_marshal
32 | [:load, :restore].each do |method|
33 | check_method(method, :Marshal)
34 | end
35 | end
36 |
37 | def check_oj
38 | check_method(:object_load, :Oj)
39 | safe_default = false
40 | safe_default = true if @target.find_calls(:mimic_JSON, :Oj).any?
41 | call = @target.find_calls(:default_options=, :Oj).last
42 | safe_default = true if call && call.arguments.arguments.first.elements.find{|e| e.key.unescaped == "mode" }.value.unescaped != "object"
43 | unless safe_default
44 | check_method(:load, :Oj)
45 | end
46 | end
47 |
48 | def check_method(method, receiver)
49 | calls = @target.find_calls(method, receiver)
50 | calls.each do |call|
51 | if user_input?(call.arguments.arguments.first)
52 | warn! @target, self, call.location, "#{receiver}.#{method} is called with user supplied value"
53 | end
54 | end
55 | end
56 | end
57 | end
58 | end
59 |
--------------------------------------------------------------------------------
/test/spektr/checks/link_to_href_test.rb:
--------------------------------------------------------------------------------
1 | require "test_helper"
2 |
3 | class LinkToHrefTest < Minitest::Test
4 | def test_it_fails_with_a_user_supplied_value_with_block
5 | code = <<-CODE
6 | <%=
7 | link_to params[:blog] do
8 | "hello"
9 | end
10 | %>
11 | CODE
12 | app = Spektr::App.new(checks: [Spektr::Checks::LinkToHref])
13 | view = Spektr::Targets::View.new("index.html.erb", code)
14 | check = Spektr::Checks::LinkToHref.new(app, view)
15 | check.run
16 | assert_equal 1, app.warnings.size
17 | end
18 |
19 | def test_it_fails_with_a_user_supplied_value
20 | code = <<-CODE
21 | <%= link_to "Hello", params[:blog] %>
22 | <%= link_to "Hello".html_safe, params[:blog] %>
23 | link_to "\#{inline_svg_tag('email.svg', aria_hidden: true, class: 'crayons-icon', title: 'email')}Sign up with Email".html_safe,
24 | request.params.merge(state: "email_signup").except("i"),
25 | class: "crayons-btn crayons-btn--l crayons-btn--brand-email crayons-btn--icon-left whitespace-nowrap",
26 | data: { no_instant: "" }
27 | CODE
28 | app = Spektr::App.new(checks: [Spektr::Checks::LinkToHref])
29 | view = Spektr::Targets::View.new("index.html.erb", code)
30 | check = Spektr::Checks::LinkToHref.new(app, view)
31 | check.run
32 | assert_equal 2, app.warnings.size
33 | end
34 |
35 | def test_it_does_not_fail_with_url_helpers
36 | code = <<-CODE
37 | <%= link_to school.activities.count, school_activities_path(params[:id]) %>
38 | <%= link_to school.activities.count, school_activities_path(params[:id]) %>
39 | CODE
40 | app = Spektr::App.new(checks: [Spektr::Checks::LinkToHref])
41 | view = Spektr::Targets::View.new("index.html.erb", code)
42 | check = Spektr::Checks::LinkToHref.new(app, view)
43 | check.run
44 | assert_equal 0, app.warnings.size
45 | end
46 | end
47 |
--------------------------------------------------------------------------------
/test/apps/rails6.1/public/500.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | We're sorry, but something went wrong (500)
5 |
6 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
We're sorry, but something went wrong.
62 |
63 |
If you are the application owner check the logs for more information.
64 |
60 |
61 |
The change you wanted was rejected.
62 |
Maybe you tried to change something you didn't have access to.
63 |
64 |
If you are the application owner check the logs for more information.
65 |
60 |
61 |
The page you were looking for doesn't exist.
62 |
You may have mistyped the address or the page may have moved.
63 |
64 |
If you are the application owner check the logs for more information.
65 |