RubyGems - dradis-burp - Versions diffs - 4.7.0 → 4.9.0 - Mend

dradis-burp 4.7.0 → 4.9.0

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +6 -0
data/dradis-burp.gemspec +1 -1
data/lib/burp/issue.rb +2 -0
data/lib/dradis/plugins/burp/gem_version.rb +1 -1
data/spec/burp_upload_spec.rb +17 -16
data/spec/fixtures/files/burp.html +2 -2
metadata +6 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2e36138449714a89063eb970a838373c5006942431532ae0a8ac33dbb4a29b26
-  data.tar.gz: 565c8fc0940e43b42925f292a80378dc36ced6318f5efa1e47f1f5dd1ac9446f
+  metadata.gz: 190762a1cb56f840eda06155d3919b77979e1600ed04fcf9250d181079cb721f
+  data.tar.gz: ecfad110a2d6693434a52970447590bd580563d4b33f46f346f66a940fab4b1b
 SHA512:
-  metadata.gz: 3f63035c7ff856b3536440ee419f8f52bdf046516a2d6ab0b84222718f78f1bd73606e88849a7f410d82277236126bb6b6f5256ca8985642aebcd2e2f242cafa
-  data.tar.gz: 06be5e8e13187cac88ebf5fabc24552c74981ce0a5dbb811aacd919197940c3b5235412cba0160509419065829ff247c00445af7e13be825d3c9d2c2ef5641b2
+  metadata.gz: 86a3eafbdb9bebf8be2760c831d13e6cfb532743e29d997be640027b725e8ed1d3cf6c6c571aa619969da5c19c02282a1944c1f52fd8d3dadcda2457040882f1
+  data.tar.gz: '030139682d837062cf3d7d26f8bb6b40bf3be1299d7301271e1e1be499f08eb055c3c769e45ba2ffae5d4b6301bf1139d2cd78d4a85f9cfbfa44c22430a19706'

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,9 @@
+v4.9.0 (June 2023)
+  - Adds strong and code tags parsing
+v4.8.0 (April 2023)
+  - No changes
 v4.7.0 (February 2023)
   - Add support for large base64 response

data/dradis-burp.gemspec CHANGED Viewed

@@ -28,7 +28,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'nokogiri', '~> 1.3'
   spec.add_development_dependency 'bundler'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rake', '>= 12.3.3'
   spec.add_development_dependency 'rspec-rails'
   spec.add_development_dependency 'combustion', '~> 0.5.2'
 end

data/lib/burp/issue.rb CHANGED Viewed

@@ -36,6 +36,8 @@ module Burp
       result.gsub!(/<table>(.*?)<\/table>/m){|m| "\n\n#{ $1 }\n\n" }
       result.gsub!(/<tr>(.*?)<\/tr>/m){|m| "|#{ $1 }\n" }
       result.gsub!(/<td>(.*?)<\/td>/, '\1|')
+      result.gsub!(/<strong>(.*?)<\/strong>/, '*\1*')
+      result.gsub!(/<code>(.*?)<\/code>/, '@\1@')
       result
     end

data/lib/dradis/plugins/burp/gem_version.rb CHANGED Viewed

@@ -8,7 +8,7 @@ module Dradis
       module VERSION
         MAJOR = 4
-        MINOR = 7
+        MINOR = 9
         TINY = 0
         PRE = nil

data/spec/burp_upload_spec.rb CHANGED Viewed

@@ -9,11 +9,11 @@ describe 'Burp upload plugin' do
       xml_issue = doc.xpath('issues/issue').first
       issue = Burp::Xml::Issue.new(xml_issue)
-      expect{ issue.request.encode('utf-8') }.to_not raise_error
+      expect { issue.request.encode('utf-8') }.to_not raise_error
     end
   end
-  describe  Dradis::Plugins::Burp::Xml::Importer do
+  describe Dradis::Plugins::Burp::Xml::Importer do
     before(:each) do
       # Stub template service
       templates_dir = File.expand_path('../../templates', __FILE__)
@@ -66,9 +66,9 @@ describe 'Burp upload plugin' do
         OpenStruct.new(args)
       end.once
       expect(@content_service).to receive(:create_evidence) do |args|
-        expect(args[:content]).to include("Lorem ipsum dolor sit amet")
+        expect(args[:content]).to include('Lorem ipsum dolor sit amet')
         expect(args[:issue].text).to include("#[Title]#\nIssue 1")
-        expect(args[:node].label).to eq("10.0.0.1")
+        expect(args[:node].label).to eq('10.0.0.1')
       end.once
       expect(@content_service).to receive(:create_issue) do |args|
@@ -77,9 +77,9 @@ describe 'Burp upload plugin' do
         OpenStruct.new(args)
       end.once
       expect(@content_service).to receive(:create_evidence) do |args|
-        expect(args[:content]).to include("Lorem ipsum dolor sit amet")
+        expect(args[:content]).to include('Lorem ipsum dolor sit amet')
         expect(args[:issue].text).to include("#[Title]#\nIssue 2")
-        expect(args[:node].label).to eq("10.0.0.1")
+        expect(args[:node].label).to eq('10.0.0.1')
       end.once
       # Issue 3 is an Extension finding so we need to confirm
@@ -87,13 +87,13 @@ describe 'Burp upload plugin' do
       # and the plugin_id is not set to the Type (134217728)
       expect(@content_service).to receive(:create_issue) do |args|
         expect(args[:text]).to include("#[Title]#\nIssue 3")
-        expect(args[:id]).to eq("Issue3")
+        expect(args[:id]).to eq('Issue3')
         OpenStruct.new(args)
       end.once
       expect(@content_service).to receive(:create_evidence) do |args|
-        expect(args[:content]).to include("Lorem ipsum dolor sit amet")
+        expect(args[:content]).to include('Lorem ipsum dolor sit amet')
         expect(args[:issue].text).to include("#[Title]#\nIssue 3")
-        expect(args[:node].label).to eq("10.0.0.1")
+        expect(args[:node].label).to eq('10.0.0.1')
       end.once
       expect(@content_service).to receive(:create_issue) do |args|
@@ -102,12 +102,11 @@ describe 'Burp upload plugin' do
         OpenStruct.new(args)
       end.once
       expect(@content_service).to receive(:create_evidence) do |args|
-        expect(args[:content]).to include("Lorem ipsum dolor sit amet")
+        expect(args[:content]).to include('Lorem ipsum dolor sit amet')
         expect(args[:issue].text).to include("#[Title]#\nIssue 4")
-        expect(args[:node].label).to eq("10.0.0.1")
+        expect(args[:node].label).to eq('10.0.0.1')
       end.once
       # Run the import
       @importer.import(file: 'spec/fixtures/files/burp.xml')
     end
@@ -153,7 +152,7 @@ describe 'Burp upload plugin' do
     end
   end
-  describe  Dradis::Plugins::Burp::Html::Importer do
+  describe Dradis::Plugins::Burp::Html::Importer do
     before(:each) do
       # Stub template service
       templates_dir = File.expand_path('../../templates', __FILE__)
@@ -189,7 +188,7 @@ describe 'Burp upload plugin' do
       end
     end
-    it "creates nodes, issues, and evidence as needed" do
+    it 'creates nodes, issues, and evidence as needed' do
       # Host node
       #
@@ -202,14 +201,16 @@ describe 'Burp upload plugin' do
       # # create_issue should be called once for each issue in the xml
       expect(@content_service).to receive(:create_issue) do |args|
         expect(args[:text]).to include("#[Title]#\nStrict transport security not enforced")
+        expect(args[:text]).to include('*application*', '@Wi-Fi@')
         expect(args[:id]).to eq(16777984)
         OpenStruct.new(args)
       end.once
       expect(@content_service).to receive(:create_evidence) do |args|
-        expect(args[:content]).to include("Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
+        expect(args[:content]).to include('Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8')
         expect(args[:content]).to include("#[Location]#\nhttp://1.1.1.1/dradis/sessions")
         expect(args[:issue].text).to include("#[Title]#\nStrict transport security not enforced")
-        expect(args[:node].label).to eq("github.com/dradis/dradis-burp")
+        expect(args[:issue].text).to include('*application*', '@Wi-Fi@')
+        expect(args[:node].label).to eq('github.com/dradis/dradis-burp')
       end.once
       # Run the import

data/spec/fixtures/files/burp.html CHANGED Viewed

@@ -208,9 +208,9 @@ div.scan_issue_medium_tentative_rpt{width: 32px; height: 32px; background-image:
 </tr>
 </table>
 <h2>Issue description</h2>
-<span class="TEXT"><p> The application fails to prevent users from connecting  to it over unencrypted connections.  An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool  automates this process. </p>
+<span class="TEXT"><p> The <strong>application</strong> fails to prevent users from connecting  to it over unencrypted connections.  An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool  automates this process. </p>
 <p>
-To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic.This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure. </p></span>
+To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify the victim's network traffic.This scenario typically occurs when a client communicates with the server over an insecure connection such as public <code>Wi-Fi</code>, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure. </p></span>
 <h2>Issue remediation</h2>
 <span class="TEXT"><p>The application should instruct web browsers to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate.</p>
 <p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never accessed the application will never have seen the HSTS header, and will therefore still be vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload' flag to the HSTS header, and submit the domain for review by browser vendors.</p></span>

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-burp
 version: !ruby/object:Gem::Version
-  version: 4.7.0
+  version: 4.9.0
 platform: ruby
 authors:
 - Daniel Martin
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-20 00:00:00.000000000 Z
+date: 2023-05-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dradis-plugins
@@ -56,16 +56,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: rspec-rails
   requirement: !ruby/object:Gem::Requirement