[Feature] Security Tests

[bararchy]

It would be really nice to add some security tests and checks to ameba.

• Check for old and insecure hashing algorithms (MD5, etc..)
• Check for unsanitized DB insertion queries (SQL Injections)
• Check for XSS attacks by unsanitized user input rendered in HTML content
• Check for unsafe memory allocation (bufferoverflow, etc..)
• Check for bad manual SSL Cipher configurations (EXP::MD5::RC4 , etc..)
• Check for bad manual SSL protocol usage (SSLv3, TLS1)

Take a look at Microsoft DevSkim and take some logic and ideas.

Take a look at Breakman and take some logic and ideas.

[veelenga]

Since security tests give a lot of false positiveness, I think it is reasonable to create an external extension for these kinds of tests.

[kimburgess]

@veelenga are there any references or documentation for putting together such an extension? Current tooling for Crystal-Lang looks to be very light in this area. This looks like a great spot to start solving this.

[veelenga]

Docs are here:

https://crystal-ameba.github.io/2019/07/22/how-to-write-extension

I appreciate any help on this. Let me know if you would like to give it a try, i can create a repo and basic extension skeleton.

[kimburgess]

Nice writeup! There's enough info there to get started.

I can't make any commitments around time that I can spend on this, but will start exploring.