Class: Dawn::Kb::OwaspRorCheatSheet::CommandInjection

Inherits:
Object
  • Object
show all
Includes:
PatternMatchCheck
Defined in:
lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb

Constant Summary

Constants included from PatternMatchCheck

PatternMatchCheck::EXCLUSION_LIST

Constants included from BasicCheck

BasicCheck::ALLOWED_FAMILIES

Instance Attribute Summary

Attributes included from PatternMatchCheck

#attack_pattern, #attack_pattern_is_regex, #avoid_comments, #negative_search, #root_dir

Attributes included from BasicCheck

#applies, #aux_links, #check_family, #cve, #cvss, #cwe, #debug, #evidences, #fixes_version, #kind, #message, #mitigated, #name, #osvdb, #owasp, #priority, #release_date, #remediation, #ruby_version, #ruby_vulnerable_versions, #severity, #status, #target_version, #title

Instance Method Summary collapse

Methods included from PatternMatchCheck

#must_exclude?, #vuln?

Methods included from BasicCheck

#applies_to?, #cve_link, #cvss_score, families, #family, #family=, #lint, #mitigated?, #nvd_link, #osvdb_link, #rubysec_advisories_link

Methods included from Utils

#__debug_me_and_return, #debug_me, #debug_me_and_return_false, #debug_me_and_return_true

Constructor Details

#initializeCommandInjection

Returns a new instance of CommandInjection.


7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# File 'lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb', line 7

def initialize
  message = "Ruby offers a function called \"eval\" which will dynamically build new Ruby code based on Strings. It also has a number of ways to call system commands. While the power of these commands is quite useful, extreme care should be taken when using them in a Rails based application. Usually, its just a bad idea. If need be, a whitelist of possible values should be used and any input should be validated as thoroughly as possible. The Ruby Security Reviewer's Guide has a section on injection and there are a number of OWASP references for it, starting at the top: Command Injection."

  super({
    :name=>"Owasp Ror CheatSheet: Command Injection",
    :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
    :applies=>["rails"],
    :glob=>"*.rb",
    :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
    :message=>message,
    :attack_pattern => ["eval", "System", "\`", "Kernel.exec"],
    :avoid_comments => true,
    :check_family=>:owasp_ror_cheatsheet,
    :severity=>:info,
    :mitigation=>"Please validate the code you pass as argument to eval, System, Kernel.exec and friends. If you generate your command line with user controlled values, can lead to an arbitrary code execution."
  })
  # @debug = true
end