Module: Dawn::Kb::RubyVersionCheck

Constant Summary

Constants included from BasicCheck

BasicCheck::ALLOWED_FAMILIES

Instance Attribute Summary collapse

Attributes included from BasicCheck

#applies, #aux_links, #check_family, #cve, #cvss, #cwe, #debug, #evidences, #fixes_version, #kind, #message, #mitigated, #name, #osvdb, #owasp, #priority, #release_date, #remediation, #ruby_version, #ruby_vulnerable_versions, #severity, #status, #target_version, #title

Instance Method Summary collapse

Methods included from BasicCheck

#applies_to?, #cve_link, #cvss_score, families, #family, #family=, #initialize, #lint, #mitigated?, #nvd_link, #osvdb_link, #rubysec_advisories_link

Methods included from Utils

#__debug_me_and_return, #debug_me, #debug_me_and_return_false, #debug_me_and_return_true

Instance Attribute Details

#detected_rubyObject

Hash in the :version=>“1.9.3”, :patchlevel=>“p342” form


8
9
10
# File 'lib/dawn/kb/ruby_version_check.rb', line 8

def detected_ruby
  @detected_ruby
end

#safe_rubiesObject

Array of hashes in the :version=>“1.9.3”, :patchlevel=>“p342” form


6
7
8
# File 'lib/dawn/kb/ruby_version_check.rb', line 6

def safe_rubies
  @safe_rubies
end

Instance Method Details

#is_same_version?(target, fixes = []) ⇒ Boolean

Returns:

  • (Boolean)

59
60
61
62
63
64
65
# File 'lib/dawn/kb/ruby_version_check.rb', line 59

def is_same_version?(target, fixes = [])
  fixes.each do |f|
    debug_me("F=#{f}, TARGET=#{target}")
    return true if f == target
  end
  false
end

#is_vulnerable_engine?(target, fixes = []) ⇒ Boolean

return true if ( vv && vengine ) return (ve && vp && vengine )

Returns:

  • (Boolean)

52
53
54
55
56
57
# File 'lib/dawn/kb/ruby_version_check.rb', line 52

def is_vulnerable_engine?(target, fixes = [])
  fixes.each do |f|
    return true if f == target
  end
  false
end

#is_vulnerable_patchlevel?(version, patchlevel) ⇒ Boolean

Returns:

  • (Boolean)

67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
# File 'lib/dawn/kb/ruby_version_check.rb', line 67

def is_vulnerable_patchlevel?(version, patchlevel)
  fixes = []
  debug_me "is_vulnerable_patchlevel? called with VERSION=#{version} and PLEVEL=#{patchlevel}"
  @safe_rubies.each do |ss|
    fixes << ss[:patchlevel].split("p")[1].to_i if ss[:version] == version
  end

  debug_me "FIXES IS EMPTY" if fixes.empty?
  debug_me "FIXES LIST IS #{fixes}" unless fixes.empty?
  return true if fixes.empty?

  t = patchlevel.split("p")[1].to_i if patchlevel.include? 'p'
  t = patchlevel.to_i unless patchlevel.include? 'p'
  fixes.each do |f|
    debug_me "PATCHLEVEL FIXES = #{f}, PATCHLEVEL TARGET = #{t}"
    return true if f > t
  end
  false
end

#vuln?Boolean

Returns:

  • (Boolean)

10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
# File 'lib/dawn/kb/ruby_version_check.rb', line 10

def vuln?
  vv_a = []
  vv_p = []
  vv_e = []
  vp = false
  ve = false


  @safe_rubies.each do |ss|
    vv_e << ss[:engine]
    vv_a << ss[:version]
    vv_p << ss[:patchlevel].split("p")[1].to_i
  end

  version_check = Dawn::Kb::VersionCheck.new(:safe=>vv_a,:detected=>detected_ruby[:version], :debug=>@debug, :save_major=>true)

  vengine = self.is_vulnerable_engine?(detected_ruby[:engine], vv_e)
  vv = version_check.vuln?

  ve = self.is_same_version?(detected_ruby[:version], vv_a)
  vp = is_vulnerable_patchlevel?(detected_ruby[:version], detected_ruby[:patchlevel])

  debug_me("#{__FILE__}@#{__LINE__}: check: #{self.name}, engine is vulnerable?=#{vengine}, version is vulnerable?=#{vv}, is same version?=#{ve}, is_vulnerable_patchlevel?=#{vp}->#{vv && vengine}, #{(ve && vp && vengine )}")
  debug_me("#{__FILE__}@#{__LINE__}: safe ruby is: #{@safe_rubies}")
  debug_me("#{__FILE__}@#{__LINE__}: detected ruby is: #{@detected_ruby}")



  if ( vv && vengine)
    @status = vp if ve
    @status = true unless ve
  else
    @status = (ve && vp && vengine )
  end

  debug_me("STATUS:#{@status}")
  self.evidences << "#{@detected_ruby[:engine]} v#{@detected_ruby[:version]}-#{@detected_ruby[:patchlevel]} detected" if @status
  return @status

  # return true if ( vv && vengine )
  # return (ve && vp && vengine )
end