Module: Dawn::Kb::PatternMatchCheck

Constant Summary collapse

EXCLUSION_LIST =
[
  "tags",
  "vendor/bundle", 
  "features",
  "specs",
  "test"
]

Constants included from BasicCheck

BasicCheck::ALLOWED_FAMILIES

Instance Attribute Summary collapse

Attributes included from BasicCheck

#applies, #aux_links, #check_family, #cve, #cvss, #cwe, #debug, #evidences, #fixes_version, #kind, #message, #mitigated, #name, #osvdb, #owasp, #priority, #release_date, #remediation, #ruby_version, #ruby_vulnerable_versions, #severity, #status, #target_version, #title

Instance Method Summary collapse

Methods included from BasicCheck

#applies_to?, #cve_link, #cvss_score, families, #family, #family=, #lint, #mitigated?, #nvd_link, #osvdb_link, #rubysec_advisories_link

Methods included from Utils

#__debug_me_and_return, #debug_me, #debug_me_and_return_false, #debug_me_and_return_true

Instance Attribute Details

#attack_patternObject (readonly)

Returns the value of attribute attack_pattern


9
10
11
# File 'lib/dawn/kb/pattern_match_check.rb', line 9

def attack_pattern
  @attack_pattern
end

#attack_pattern_is_regexObject (readonly)

This attribute is false by default. If true, it tells pattern matching check that the attack pattern is already a regular expression.


24
25
26
# File 'lib/dawn/kb/pattern_match_check.rb', line 24

def attack_pattern_is_regex
  @attack_pattern_is_regex
end

#avoid_commentsObject (readonly)

This attribute is false by default. If true, it tells pattern matching check to ignore strings starting with the ruby single line comment separator, '#'.


19
20
21
# File 'lib/dawn/kb/pattern_match_check.rb', line 19

def avoid_comments
  @avoid_comments
end

#negative_searchObject (readonly)

This attribute is false by default. If true, the vuln? method check if pattern attack is nor present.


14
15
16
# File 'lib/dawn/kb/pattern_match_check.rb', line 14

def negative_search
  @negative_search
end

#root_dirObject

Returns the value of attribute root_dir


10
11
12
# File 'lib/dawn/kb/pattern_match_check.rb', line 10

def root_dir
  @root_dir
end

Instance Method Details

#initialize(options = {}) ⇒ Object


34
35
36
37
38
39
40
41
42
43
44
45
46
47
# File 'lib/dawn/kb/pattern_match_check.rb', line 34

def initialize(options={})
  super(options)
  @negative_search          = false
  @avoid_comments           = false
  @attack_pattern_is_regex  = false
  @glob                     = "**"
  @attack_pattern           = options[:attack_pattern] unless options[:attack_pattern].nil?
  @negative_search          = options[:negative_search] unless options[:negative_search].nil? 
  @avoid_comments           = options[:avoid_comments] unless options[:avoid_comments].nil? 
  @evidences                = options[:evidences] unless options[:evidences].nil? 
  @attack_pattern_is_regex  = options[:attack_pattern_is_regex] unless options[:attack_pattern_is_regex].nil? 
  @glob                     = File.join(@glob, options[:glob]) unless options[:glob].nil?
  debug_me("EVIDENCES ARE #{@evidences.inspect}")
end

#must_exclude?(filename) ⇒ Boolean

Returns:

  • (Boolean)

49
50
51
52
53
54
55
# File 'lib/dawn/kb/pattern_match_check.rb', line 49

def must_exclude?(filename)
  EXCLUSION_LIST.each do |ex|
    debug_me "skipping #{filename}" if filename.start_with?(ex)
    return true if filename.start_with?(ex)
  end
  return false
end

#vuln?Boolean

Returns:

  • (Boolean)

57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
# File 'lib/dawn/kb/pattern_match_check.rb', line 57

def vuln?
  found = false
  matches = nil
  Dir.glob(File.join("#{root_dir}", @glob)).each do |filename|
    debug_me("#{File.basename(__FILE__)}@#{__LINE__}: analyzing #{filename}: search is #{@negative_search}")
    matches = []
    begin
      matches = run(load_file(filename)) if File.exists?(filename) && File.file?(filename) && ! File.binary?(filename) && ! must_exclude?(filename)
      found = ! matches.empty?
    rescue ArgumentError => e
      puts "Skipping pattern match check for #{filename}: #{e.message}"
    end
    @evidences << {:filename=>filename, :matches=>matches} unless found
  end

  debug_me("FOUND IS: #{found}")
  debug_me("EVIDENCES ARE: #{@evidences.inspect}")
  debug_me("MATCHES: #{matches}")

  ret_value = found unless @negative_search
  ret_value = ! found if @negative_search

  debug_me("#{File.basename(__FILE__)}@#{__LINE__}: evidences #=> #{@evidences}")
  debug_me("#{File.basename(__FILE__)}@#{__LINE__}: ret_value #=> #{ret_value}")

  @status = ret_value

  return ret_value
end