hedra 1.0.1 → 2.0.1

data/config/example_config.yml

@@ -1,17 +1,95 @@
-# Hedra Configuration Example
-# Copy to ~/.hedra/config.yml to customize
+# Hedra Configuration File
+# Place this file at ~/.hedra/config.yml
 
-# HTTP client settings
+# ============================================
+# HTTP Client Settings
+# ============================================
+
+# Request timeout in seconds
 timeout: 10
+
+# Number of concurrent requests for batch operations
 concurrency: 10
-follow_redirects: false
-user_agent: "Hedra/1.0.0"
 
-# Proxy settings (optional)
+# Custom User-Agent header
+user_agent: "Hedra/2.0.0 Security Scanner"
+
+# Follow HTTP redirects automatically
+follow_redirects: true
+
+# Maximum number of retry attempts for failed requests
+max_retries: 3
+
+# ============================================
+# Proxy Settings (optional)
+# ============================================
+
+# HTTP/HTTPS/SOCKS proxy URL
+# Uncomment to use a proxy
 # proxy: "http://127.0.0.1:8080"
 
-# Output preferences
-output_format: table  # table, json, or csv
+# ============================================
+# Cache Settings
+# ============================================
+
+# Enable response caching to speed up repeated scans
+cache_enabled: false
+
+# Cache time-to-live in seconds (1 hour = 3600)
+cache_ttl: 3600
+
+# ============================================
+# Security Check Settings
+# ============================================
+
+# Check SSL/TLS certificate validity and strength
+check_certificates: true
+
+# Check for security.txt file (RFC 9116)
+check_security_txt: false
+
+# ============================================
+# Output Settings
+# ============================================
+
+# Default output format: table, json, csv, html
+output_format: "table"
+
+# Show progress bars for batch operations
+progress_bar: true
+
+# ============================================
+# Rate Limiting (optional)
+# ============================================
+
+# Limit request rate to prevent server overload
+# Format: number/period where period is s (second), m (minute), or h (hour)
+# Examples: "10/s", "100/m", "1000/h"
+# Uncomment to enable
+# rate_limit: "10/s"
+
+# ============================================
+# Circuit Breaker Settings
+# ============================================
+
+# Number of failures before circuit opens
+circuit_breaker_threshold: 5
+
+# Timeout in seconds before attempting to close circuit
+circuit_breaker_timeout: 60
+
+# ============================================
+# Scoring Weights (optional)
+# ============================================
 
-# Rate limiting (optional)
-# rate_limit: "5/s"
+# Customize header importance weights (default shown)
+# scoring:
+#   content-security-policy: 25
+#   strict-transport-security: 25
+#   x-frame-options: 15
+#   x-content-type-options: 10
+#   referrer-policy: 10
+#   permissions-policy: 5
+#   cross-origin-opener-policy: 5
+#   cross-origin-embedder-policy: 3
+#   cross-origin-resource-policy: 2

data/lib/hedra/analyzer.rb

@@ -61,13 +61,15 @@ module Hedra
       }
     }.freeze
 
-    def initialize
+    def initialize(check_certificates: true, check_security_txt: false)
       @plugin_manager = PluginManager.new
       @scorer = Scorer.new
+      @certificate_checker = check_certificates ? CertificateChecker.new : nil
+      @security_txt_checker = check_security_txt ? SecurityTxtChecker.new : nil
       load_custom_rules
     end
 
-    def analyze(url, headers)
+    def analyze(url, headers, http_client: nil)
       normalized_headers = normalize_headers(headers)
       findings = []
 
@@ -94,6 +96,12 @@ module Hedra
       # Run plugin checks
       findings.concat(@plugin_manager.run_checks(normalized_headers))
 
+      # Check SSL certificate
+      findings.concat(@certificate_checker.check(url)) if @certificate_checker
+
+      # Check security.txt
+      findings.concat(@security_txt_checker.check(url, http_client)) if @security_txt_checker && http_client
+
       # Calculate security score
       score = @scorer.calculate(normalized_headers, findings)
 
@@ -109,7 +117,14 @@ module Hedra
     private
 
     def normalize_headers(headers)
-      headers.transform_keys { |k| k.to_s.downcase }
+      normalized = {}
+      headers.each do |key, value|
+        normalized_key = key.to_s.downcase
+        # Handle array values (multiple header values)
+        normalized_value = value.is_a?(Array) ? value.join(', ') : value.to_s
+        normalized[normalized_key] = normalized_value
+      end
+      normalized
     end
 
     def validate_header_values(headers)
@@ -117,7 +132,7 @@ module Hedra
 
       # Validate CSP
       if headers['content-security-policy']
-        csp = headers['content-security-policy']
+        csp = headers['content-security-policy'].to_s.downcase
         if csp.include?('unsafe-inline') || csp.include?('unsafe-eval')
           findings << {
             header: 'content-security-policy',
@@ -126,11 +141,21 @@ module Hedra
             recommended_fix: 'Remove unsafe-inline and unsafe-eval, use nonces or hashes'
           }
         end
+        
+        # Check for wildcard sources
+        if csp =~ /\*(?!\.)/ && !csp.include?("'unsafe-inline'")
+          findings << {
+            header: 'content-security-policy',
+            issue: 'CSP uses wildcard (*) source',
+            severity: :info,
+            recommended_fix: 'Restrict sources to specific domains'
+          }
+        end
       end
 
       # Validate HSTS
       if headers['strict-transport-security']
-        hsts = headers['strict-transport-security']
+        hsts = headers['strict-transport-security'].to_s
         if hsts =~ /max-age=(\d+)/
           max_age = ::Regexp.last_match(1).to_i
           if max_age < 31_536_000
@@ -141,12 +166,29 @@ module Hedra
               recommended_fix: 'Set max-age to at least 31536000'
             }
           end
+        else
+          findings << {
+            header: 'strict-transport-security',
+            issue: 'HSTS header missing max-age directive',
+            severity: :critical,
+            recommended_fix: 'Add max-age directive with value >= 31536000'
+          }
+        end
+        
+        # Check for includeSubDomains
+        unless hsts.downcase.include?('includesubdomains')
+          findings << {
+            header: 'strict-transport-security',
+            issue: 'HSTS missing includeSubDomains directive',
+            severity: :info,
+            recommended_fix: 'Add includeSubDomains to protect all subdomains'
+          }
         end
       end
 
       # Validate X-Frame-Options
       if headers['x-frame-options']
-        xfo = headers['x-frame-options'].upcase
+        xfo = headers['x-frame-options'].to_s.upcase
         unless %w[DENY SAMEORIGIN].include?(xfo.split.first)
           findings << {
             header: 'x-frame-options',
@@ -159,7 +201,7 @@ module Hedra
 
       # Validate X-Content-Type-Options
       if headers['x-content-type-options']
-        xcto = headers['x-content-type-options'].downcase
+        xcto = headers['x-content-type-options'].to_s.downcase.strip
         unless xcto == 'nosniff'
           findings << {
             header: 'x-content-type-options',
@@ -169,6 +211,25 @@ module Hedra
           }
         end
       end
+      
+      # Check for information disclosure headers
+      if headers['server']
+        findings << {
+          header: 'server',
+          issue: 'Server header exposes server information',
+          severity: :info,
+          recommended_fix: 'Remove or obfuscate Server header'
+        }
+      end
+      
+      if headers['x-powered-by']
+        findings << {
+          header: 'x-powered-by',
+          issue: 'X-Powered-By header exposes technology stack',
+          severity: :info,
+          recommended_fix: 'Remove X-Powered-By header'
+        }
+      end
 
       findings
     end
@@ -178,8 +239,13 @@ module Hedra
       config_path = File.expand_path('~/.hedra/rules.yml')
       return unless File.exist?(config_path)
 
-      rules = YAML.load_file(config_path)
+      content = File.read(config_path)
+      return if content.strip.empty?
+
+      rules = YAML.safe_load(content, permitted_classes: [Symbol])
       @custom_rules = rules['rules'] || []
+    rescue Psych::SyntaxError => e
+      warn "Invalid YAML in rules file: #{e.message}"
     rescue StandardError => e
       warn "Failed to load custom rules: #{e.message}"
     end

data/lib/hedra/baseline.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'fileutils'
+
+module Hedra
+  # Manage security baselines for comparison
+  class Baseline
+    BASELINE_DIR = File.join(Config::CONFIG_DIR, 'baselines')
+
+    def initialize
+      FileUtils.mkdir_p(BASELINE_DIR)
+    end
+
+    def save(name, results)
+      baseline_file = File.join(BASELINE_DIR, "#{sanitize_name(name)}.json")
+      data = {
+        name: name,
+        created_at: Time.now.iso8601,
+        results: results
+      }
+      File.write(baseline_file, JSON.pretty_generate(data))
+    end
+
+    def load(name)
+      baseline_file = File.join(BASELINE_DIR, "#{sanitize_name(name)}.json")
+      raise Error, "Baseline not found: #{name}" unless File.exist?(baseline_file)
+
+      JSON.parse(File.read(baseline_file), symbolize_names: true)
+    end
+
+    def list
+      Dir.glob(File.join(BASELINE_DIR, '*.json')).map do |file|
+        data = JSON.parse(File.read(file), symbolize_names: true)
+        {
+          name: data[:name],
+          created_at: data[:created_at],
+          url_count: data[:results].length
+        }
+      end
+    rescue StandardError
+      []
+    end
+
+    def delete(name)
+      baseline_file = File.join(BASELINE_DIR, "#{sanitize_name(name)}.json")
+      raise Error, "Baseline not found: #{name}" unless File.exist?(baseline_file)
+
+      File.delete(baseline_file)
+    end
+
+    def compare(baseline_name, current_results)
+      baseline = load(baseline_name)
+      baseline_results = baseline[:results]
+
+      comparisons = []
+
+      current_results.each do |current|
+        baseline_result = baseline_results.find { |b| b[:url] == current[:url] }
+        next unless baseline_result
+
+        comparison = {
+          url: current[:url],
+          baseline_score: baseline_result[:score],
+          current_score: current[:score],
+          score_change: current[:score] - baseline_result[:score],
+          new_findings: current[:findings] - baseline_result[:findings],
+          resolved_findings: baseline_result[:findings] - current[:findings]
+        }
+
+        comparisons << comparison
+      end
+
+      comparisons
+    end
+
+    private
+
+    def sanitize_name(name)
+      name.gsub(/[^a-zA-Z0-9_-]/, '_')
+    end
+  end
+end

data/lib/hedra/cache.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require 'digest'
+require 'json'
+require 'fileutils'
+
+module Hedra
+  # Simple file-based cache for HTTP responses
+  class Cache
+    DEFAULT_TTL = 3600 # 1 hour
+    MAX_CACHE_SIZE = 1000 # Maximum number of cache files
+
+    def initialize(cache_dir: nil, ttl: DEFAULT_TTL, verbose: false)
+      @cache_dir = cache_dir || File.join(Config::CONFIG_DIR, 'cache')
+      @ttl = ttl
+      @verbose = verbose
+      FileUtils.mkdir_p(@cache_dir)
+      cleanup_if_needed
+    end
+
+    def get(key)
+      cache_file = cache_path(key)
+      return nil unless File.exist?(cache_file)
+
+      data = JSON.parse(File.read(cache_file))
+      
+      if expired?(data['timestamp'])
+        File.delete(cache_file) # Clean up expired file immediately
+        return nil
+      end
+
+      data['value']
+    rescue JSON::ParserError
+      # Corrupted cache file, delete it
+      File.delete(cache_file) if File.exist?(cache_file)
+      nil
+    rescue StandardError => e
+      warn "Cache read error: #{e.message}" if @verbose
+      nil
+    end
+
+    def set(key, value)
+      cache_file = cache_path(key)
+      data = {
+        'timestamp' => Time.now.to_i,
+        'value' => value
+      }
+      
+      # Atomic write to prevent corruption
+      temp_file = "#{cache_file}.tmp"
+      File.write(temp_file, JSON.generate(data))
+      File.rename(temp_file, cache_file)
+    rescue StandardError => e
+      warn "Cache write error: #{e.message}" if @verbose
+      File.delete(temp_file) if File.exist?(temp_file)
+    end
+
+    def clear
+      FileUtils.rm_rf(@cache_dir)
+      FileUtils.mkdir_p(@cache_dir)
+    end
+
+    def clear_expired
+      Dir.glob(File.join(@cache_dir, '*')).each do |file|
+        data = JSON.parse(File.read(file))
+        File.delete(file) if expired?(data['timestamp'])
+      rescue StandardError
+        # Skip invalid cache files
+      end
+    end
+
+    private
+
+    def cache_path(key)
+      hash = Digest::SHA256.hexdigest(key)
+      File.join(@cache_dir, hash)
+    end
+
+    def expired?(timestamp)
+      (Time.now.to_i - timestamp) > @ttl
+    end
+
+    def cleanup_if_needed
+      cache_files = Dir.glob(File.join(@cache_dir, '*'))
+      return if cache_files.length < MAX_CACHE_SIZE
+
+      # Remove oldest files if cache is too large
+      cache_files.sort_by { |f| File.mtime(f) }
+                 .first(cache_files.length - MAX_CACHE_SIZE + 100)
+                 .each { |f| File.delete(f) rescue nil }
+    end
+  end
+end

data/lib/hedra/certificate_checker.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'socket'
+require 'uri'
+
+module Hedra
+  # Check SSL/TLS certificate validity and security
+  class CertificateChecker
+    EXPIRY_WARNING_DAYS = 30
+
+    def check(url)
+      uri = URI.parse(url)
+      return nil unless uri.scheme == 'https'
+
+      findings = []
+      cert_info = fetch_certificate(uri.host, uri.port || 443)
+
+      return findings unless cert_info
+
+      # Check expiry
+      days_until_expiry = ((cert_info[:not_after] - Time.now) / 86_400).to_i
+      if days_until_expiry.negative?
+        findings << {
+          header: 'ssl-certificate',
+          issue: 'SSL certificate has expired',
+          severity: :critical,
+          recommended_fix: 'Renew SSL certificate immediately'
+        }
+      elsif days_until_expiry < EXPIRY_WARNING_DAYS
+        findings << {
+          header: 'ssl-certificate',
+          issue: "SSL certificate expires in #{days_until_expiry} days",
+          severity: :warning,
+          recommended_fix: 'Renew SSL certificate soon'
+        }
+      end
+
+      # Check signature algorithm
+      if weak_signature_algorithm?(cert_info[:signature_algorithm])
+        findings << {
+          header: 'ssl-certificate',
+          issue: "Weak signature algorithm: #{cert_info[:signature_algorithm]}",
+          severity: :warning,
+          recommended_fix: 'Use SHA256 or stronger'
+        }
+      end
+
+      # Check key size
+      if cert_info[:key_size] && cert_info[:key_size] < 2048
+        findings << {
+          header: 'ssl-certificate',
+          issue: "Weak key size: #{cert_info[:key_size]} bits",
+          severity: :critical,
+          recommended_fix: 'Use at least 2048-bit RSA or 256-bit ECC'
+        }
+      end
+
+      findings
+    rescue StandardError => e
+      warn "Certificate check failed: #{e.message}"
+      []
+    end
+
+    private
+
+    def fetch_certificate(host, port)
+      tcp_socket = TCPSocket.new(host, port)
+      ssl_context = OpenSSL::SSL::SSLContext.new
+      ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      ssl_socket = OpenSSL::SSL::SSLSocket.new(tcp_socket, ssl_context)
+      ssl_socket.connect
+
+      cert = ssl_socket.peer_cert
+
+      {
+        subject: cert.subject.to_s,
+        issuer: cert.issuer.to_s,
+        not_before: cert.not_before,
+        not_after: cert.not_after,
+        signature_algorithm: cert.signature_algorithm,
+        key_size: cert.public_key.respond_to?(:n) ? cert.public_key.n.num_bits : nil
+      }
+    ensure
+      ssl_socket&.close
+      tcp_socket&.close
+    end
+
+    def weak_signature_algorithm?(algorithm)
+      weak_algorithms = %w[md5 sha1]
+      weak_algorithms.any? { |weak| algorithm.downcase.include?(weak) }
+    end
+  end
+end

data/lib/hedra/circuit_breaker.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+module Hedra
+  # Circuit breaker pattern to prevent cascading failures
+  class CircuitBreaker
+    FAILURE_THRESHOLD = 5
+    TIMEOUT_SECONDS = 60
+    HALF_OPEN_ATTEMPTS = 3
+
+    attr_reader :state, :failure_count, :last_failure_time
+
+    def initialize(failure_threshold: FAILURE_THRESHOLD, timeout: TIMEOUT_SECONDS)
+      @failure_threshold = failure_threshold
+      @timeout = timeout
+      @failure_count = 0
+      @last_failure_time = nil
+      @state = :closed
+      @half_open_attempts = 0
+    end
+
+    def call
+      raise CircuitOpenError, 'Circuit breaker is open' if open? && !should_attempt_reset?
+
+      if open? && should_attempt_reset?
+        @state = :half_open
+        @half_open_attempts = 0
+      end
+
+      begin
+        result = yield
+        on_success
+        result
+      rescue StandardError => e
+        on_failure
+        raise e
+      end
+    end
+
+    def open?
+      @state == :open
+    end
+
+    def closed?
+      @state == :closed
+    end
+
+    def half_open?
+      @state == :half_open
+    end
+
+    private
+
+    def on_success
+      if half_open?
+        @half_open_attempts += 1
+        if @half_open_attempts >= HALF_OPEN_ATTEMPTS
+          @state = :closed
+          @failure_count = 0
+        end
+      else
+        @failure_count = 0
+      end
+    end
+
+    def on_failure
+      @failure_count += 1
+      @last_failure_time = Time.now
+
+      return unless @failure_count >= @failure_threshold
+
+      @state = :open
+    end
+
+    def should_attempt_reset?
+      @last_failure_time && (Time.now - @last_failure_time) >= @timeout
+    end
+  end
+
+  class CircuitOpenError < Error; end
+end