hedra 2.0.2 → 2.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 14f6f09e8b0bf8318f6f190c0f671aaa901f08a575983ed8c1cad890c965e2a7
-  data.tar.gz: 74054507d7d981da9fedcd4830d66e6a0c7207c2d2c399f958d814c470d843d9
+  metadata.gz: 04726510b1778538e154b1eea4d68bbbed1fe306d9e026e73275e6f6cbf586ed
+  data.tar.gz: 36f7716980ea5fb86bd431c2b6f48ea591b4b9e793557893623d0a4c1f88a6fd
 SHA512:
-  metadata.gz: d4a3fde0ef57eb572aba47c037a874461e140da579f644dad0b5d8ae53e09917433481734a010be02bb80a605b030f11e70b8a1c38ef64d2925f88090d58172d
-  data.tar.gz: 85a6bc6e254bc2636d38b58bb02931d52aeabe77c1cf18cd2667b99256c9b5fb1c3508e93e595e9ef38f93be628e02e96d1f1c49b54ceeb53e0d73aeead9c39d
+  metadata.gz: d7396aca2eb8bc377f7a203c15729aa48864b3394a79b53b3490c4c2e06719696e313b3ebd097fce4f69b9006c5a44903b8ab94a7dd68da257289e584c811539
+  data.tar.gz: b50e9f48dda4b48c505ce948a01d3b5b2d5f2a669d459d6398f6c8801ce18bda53edf1da2132b045743e8575225c194fde6e42deb20eb530d5175aa1af6f54a1

data/lib/hedra/analyzer.rb

@@ -66,6 +66,8 @@ module Hedra
       @scorer = Scorer.new
       @certificate_checker = check_certificates ? CertificateChecker.new : nil
       @security_txt_checker = check_security_txt ? SecurityTxtChecker.new : nil
+      @custom_rules = []
+      @mutex = Mutex.new # Thread safety for custom rules
       load_custom_rules
     end
 
@@ -119,9 +121,15 @@ module Hedra
     def normalize_headers(headers)
       normalized = {}
       headers.each do |key, value|
+        next if value.nil? # Skip nil values
+
         normalized_key = key.to_s.downcase
         # Handle array values (multiple header values)
-        normalized_value = value.is_a?(Array) ? value.join(', ') : value.to_s
+        normalized_value = if value.is_a?(Array)
+                             value.compact.join(', ')
+                           else
+                             value.to_s
+                           end
         normalized[normalized_key] = normalized_value
       end
       normalized
@@ -253,30 +261,38 @@ module Hedra
     def apply_custom_rules(headers)
       findings = []
 
-      @custom_rules.each do |rule|
-        header_name = rule['header'].downcase
-        pattern = Regexp.new(rule['pattern']) if rule['pattern']
+      @mutex.synchronize do
+        @custom_rules.each do |rule|
+          header_name = rule['header'].downcase
+          pattern = rule['pattern'] ? Regexp.new(rule['pattern']) : nil
 
-        if rule['type'] == 'missing' && !headers.key?(header_name)
-          findings << {
-            header: header_name,
-            issue: rule['message'],
-            severity: rule['severity'].to_sym,
-            recommended_fix: rule['fix']
-          }
-        elsif rule['type'] == 'pattern' && headers[header_name]
-          if pattern && headers[header_name] =~ pattern
+          if rule['type'] == 'missing' && !headers.key?(header_name)
             findings << {
               header: header_name,
               issue: rule['message'],
               severity: rule['severity'].to_sym,
               recommended_fix: rule['fix']
             }
+          elsif rule['type'] == 'pattern' && headers[header_name]
+            if pattern && headers[header_name] =~ pattern
+              findings << {
+                header: header_name,
+                issue: rule['message'],
+                severity: rule['severity'].to_sym,
+                recommended_fix: rule['fix']
+              }
+            end
           end
         end
       end
 
       findings
     end
+
+    def reload_custom_rules
+      @mutex.synchronize do
+        load_custom_rules
+      end
+    end
   end
 end

data/lib/hedra/banner.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Hedra
+  # Display banner and security quotes
+  class Banner
+    SECURITY_QUOTES = [
+      "Security is not a product, but a process. - Bruce Schneier",
+      "The only truly secure system is one that is powered off. - Gene Spafford",
+      "HTTPS everywhere is not optional, it's essential. - Let's Encrypt",
+      "A chain is only as strong as its weakest link. - Security Headers",
+      "Defense in depth: Layer your security like an onion. - OWASP",
+      "CSP is your first line of defense against XSS attacks.",
+      "HSTS ensures your users always connect securely.",
+      "Security headers are the low-hanging fruit of web security.",
+      "TLS 1.3: Faster, stronger, more secure.",
+      "X-Frame-Options: Because clickjacking is still a thing.",
+      "Trust, but verify. Then verify again. - Security Principle",
+      "Security is a journey, not a destination.",
+      "Good security is invisible until it's needed.",
+      "Headers don't lie, but they can tell you everything.",
+      "CORS: Sharing is caring, but be careful who you trust.",
+      "Every header matters. Every connection counts.",
+      "Secure by default, not by accident.",
+      "Your security posture is only as good as your weakest header.",
+      "SSL/TLS: The foundation of web security.",
+      "Content-Security-Policy: Your app's security bouncer."
+    ].freeze
+
+    ASCII_ART = <<~ART
+       _   _          _           
+      | | | | ___  __| |_ __ __ _ 
+      | |_| |/ _ \\/ _` | '__/ _` |
+      |  _  |  __/ (_| | | | (_| |
+      |_| |_|\\___|\\__,_|_|  \\__,_|
+    ART
+
+    def self.show
+      require 'pastel'
+      pastel = Pastel.new
+
+      puts "\n"
+      puts pastel.cyan.bold(ASCII_ART)
+      puts "  #{pastel.bold('Security Header Analyzer')} #{pastel.dim("v#{VERSION}")}"
+      puts "  #{pastel.italic.dim(random_quote)}"
+      puts "\n"
+      puts "  Usage: #{pastel.yellow('hedra')} #{pastel.green('[command]')} #{pastel.dim('[options]')}"
+      puts "  Run '#{pastel.yellow('hedra help')}' for more information"
+      puts "\n"
+    end
+
+    def self.random_quote
+      SECURITY_QUOTES.sample
+    end
+  end
+end

data/lib/hedra/cache.rb

@@ -14,22 +14,38 @@ module Hedra
       @cache_dir = cache_dir || File.join(Config::CONFIG_DIR, 'cache')
       @ttl = ttl
       @verbose = verbose
+      @mutex = Mutex.new # Thread safety for cache operations
+      @memory_cache = {} # In-memory cache to reduce disk I/O
+      @memory_cache_size = 100
       FileUtils.mkdir_p(@cache_dir)
       cleanup_if_needed
     end
 
     def get(key)
-      cache_file = cache_path(key)
-      return nil unless File.exist?(cache_file)
-
-      data = JSON.parse(File.read(cache_file))
-      
-      if expired?(data['timestamp'])
-        File.delete(cache_file) # Clean up expired file immediately
-        return nil
-      end
+      @mutex.synchronize do
+        # Check memory cache first
+        if @memory_cache.key?(key)
+          cached = @memory_cache[key]
+          return cached[:value] unless expired?(cached[:timestamp])
+
+          @memory_cache.delete(key)
+        end
+
+        cache_file = cache_path(key)
+        return nil unless File.exist?(cache_file)
+
+        data = JSON.parse(File.read(cache_file))
 
-      data['value']
+        if expired?(data['timestamp'])
+          File.delete(cache_file) # Clean up expired file immediately
+          return nil
+        end
+
+        # Store in memory cache
+        store_in_memory(key, data['timestamp'], data['value'])
+
+        data['value']
+      end
     rescue JSON::ParserError
       # Corrupted cache file, delete it
       File.delete(cache_file) if File.exist?(cache_file)
@@ -40,24 +56,33 @@ module Hedra
     end
 
     def set(key, value)
-      cache_file = cache_path(key)
-      data = {
-        'timestamp' => Time.now.to_i,
-        'value' => value
-      }
-      
-      # Atomic write to prevent corruption
-      temp_file = "#{cache_file}.tmp"
-      File.write(temp_file, JSON.generate(data))
-      File.rename(temp_file, cache_file)
+      @mutex.synchronize do
+        timestamp = Time.now.to_i
+        cache_file = cache_path(key)
+        data = {
+          'timestamp' => timestamp,
+          'value' => value
+        }
+
+        # Store in memory cache
+        store_in_memory(key, timestamp, value)
+
+        # Atomic write to prevent corruption
+        temp_file = "#{cache_file}.tmp"
+        File.write(temp_file, JSON.generate(data))
+        File.rename(temp_file, cache_file)
+      end
     rescue StandardError => e
       warn "Cache write error: #{e.message}" if @verbose
       File.delete(temp_file) if File.exist?(temp_file)
     end
 
     def clear
-      FileUtils.rm_rf(@cache_dir)
-      FileUtils.mkdir_p(@cache_dir)
+      @mutex.synchronize do
+        @memory_cache.clear
+        FileUtils.rm_rf(@cache_dir)
+        FileUtils.mkdir_p(@cache_dir)
+      end
     end
 
     def clear_expired
@@ -89,5 +114,16 @@ module Hedra
                  .first(cache_files.length - MAX_CACHE_SIZE + 100)
                  .each { |f| File.delete(f) rescue nil }
     end
+
+    def store_in_memory(key, timestamp, value)
+      # Limit memory cache size to prevent memory leaks
+      if @memory_cache.size >= @memory_cache_size
+        # Remove oldest entry
+        oldest_key = @memory_cache.keys.first
+        @memory_cache.delete(oldest_key)
+      end
+
+      @memory_cache[key] = { timestamp: timestamp, value: value }
+    end
   end
 end

data/lib/hedra/circuit_breaker.rb

@@ -16,14 +16,17 @@ module Hedra
       @last_failure_time = nil
       @state = :closed
       @half_open_attempts = 0
+      @mutex = Mutex.new # Thread safety
     end
 
     def call
-      raise CircuitOpenError, 'Circuit breaker is open' if open? && !should_attempt_reset?
+      @mutex.synchronize do
+        raise CircuitOpenError, 'Circuit breaker is open' if open? && !should_attempt_reset?
 
-      if open? && should_attempt_reset?
-        @state = :half_open
-        @half_open_attempts = 0
+        if open? && should_attempt_reset?
+          @state = :half_open
+          @half_open_attempts = 0
+        end
       end
 
       begin
@@ -51,28 +54,34 @@ module Hedra
     private
 
     def on_success
-      if half_open?
-        @half_open_attempts += 1
-        if @half_open_attempts >= HALF_OPEN_ATTEMPTS
-          @state = :closed
+      @mutex.synchronize do
+        if half_open?
+          @half_open_attempts += 1
+          if @half_open_attempts >= HALF_OPEN_ATTEMPTS
+            @state = :closed
+            @failure_count = 0
+          end
+        else
           @failure_count = 0
         end
-      else
-        @failure_count = 0
       end
     end
 
     def on_failure
-      @failure_count += 1
-      @last_failure_time = Time.now
+      @mutex.synchronize do
+        @failure_count += 1
+        @last_failure_time = Time.now
 
-      return unless @failure_count >= @failure_threshold
+        return unless @failure_count >= @failure_threshold
 
-      @state = :open
+        @state = :open
+      end
     end
 
     def should_attempt_reset?
-      @last_failure_time && (Time.now - @last_failure_time) >= @timeout
+      @mutex.synchronize do
+        @last_failure_time && (Time.now - @last_failure_time) >= @timeout
+      end
     end
   end
 

data/lib/hedra/cli.rb

@@ -155,6 +155,14 @@ module Hedra
       true
     end
 
+    # Override to show banner when no command is given
+    def self.start(given_args = ARGV, config = {})
+      if given_args.empty? || (given_args.length == 1 && %w[-h --help help].include?(given_args.first))
+        Banner.show unless given_args.include?('help')
+      end
+      super
+    end
+
     desc 'scan URL_OR_FILE', 'Scan one or multiple URLs for security headers'
     option :file, type: :boolean, aliases: '-f', desc: 'Treat argument as file with URLs'
     option :concurrency, type: :numeric, aliases: '-c', default: 10, desc: 'Concurrent requests'
@@ -328,6 +336,11 @@ module Hedra
       say "Exported to #{options[:output]}", :green unless options[:quiet]
     end
 
+    desc 'version', 'Show version information'
+    def version
+      Banner.show
+    end
+
     desc 'plugin SUBCOMMAND', 'Manage plugins'
     subcommand 'plugin', Hedra::PluginCLI
 
@@ -432,10 +445,7 @@ module Hedra
     end
 
     def valid_url?(url)
-      uri = URI.parse(url)
-      uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS)
-    rescue URI::InvalidURIError
-      false
+      UrlValidator.valid?(url)
     end
 
     def with_concurrency(items, concurrency)

data/lib/hedra/config.rb

@@ -14,17 +14,26 @@ module Hedra
       'follow_redirects' => true,
       'user_agent' => "Hedra/#{VERSION}",
       'proxy' => nil,
-      'output_format' => 'table'
+      'output_format' => 'table',
+      'cache_enabled' => false,
+      'cache_ttl' => 3600,
+      'check_certificates' => true,
+      'check_security_txt' => false,
+      'max_retries' => 3
     }.freeze
 
     def self.load
       ensure_config_dir
 
       if File.exist?(CONFIG_FILE)
-        YAML.load_file(CONFIG_FILE)
+        config = YAML.safe_load(File.read(CONFIG_FILE), permitted_classes: [Symbol])
+        DEFAULT_CONFIG.merge(config || {})
       else
         DEFAULT_CONFIG
       end
+    rescue Psych::SyntaxError => e
+      warn "Invalid YAML in config file: #{e.message}"
+      DEFAULT_CONFIG
     rescue StandardError => e
       warn "Failed to load config: #{e.message}"
       DEFAULT_CONFIG

data/lib/hedra/plugin_manager.rb

@@ -16,9 +16,17 @@ module Hedra
 
     def install(path)
       raise Error, "Plugin file not found: #{path}" unless File.exist?(path)
+      raise Error, "Not a Ruby file: #{path}" unless path.end_with?('.rb')
+
+      # Validate plugin syntax before installing
+      validate_plugin_syntax(path)
 
       plugin_name = File.basename(path)
       dest = File.join(@plugin_dir, plugin_name)
+      
+      # Backup existing plugin if it exists
+      backup_existing_plugin(dest) if File.exist?(dest)
+      
       FileUtils.cp(path, dest)
       load_plugin(dest)
     end
@@ -48,7 +56,7 @@ module Hedra
     def load_plugins
       @plugins = []
 
-      Dir.glob(File.join(@plugin_dir, '*.rb')).each do |file|
+      Dir.glob(File.join(@plugin_dir, '*.rb')).sort.each do |file|
         load_plugin(file)
       end
     end
@@ -59,6 +67,20 @@ module Hedra
     rescue StandardError => e
       warn "Failed to load plugin #{file}: #{e.message}"
     end
+
+    def validate_plugin_syntax(path)
+      code = File.read(path)
+      RubyVM::InstructionSequence.compile(code)
+    rescue SyntaxError => e
+      raise Error, "Plugin has syntax errors: #{e.message}"
+    end
+
+    def backup_existing_plugin(dest)
+      backup_path = "#{dest}.backup"
+      FileUtils.cp(dest, backup_path)
+    rescue StandardError => e
+      warn "Failed to backup existing plugin: #{e.message}"
+    end
   end
 
   # Base class for plugins

data/lib/hedra/progress_tracker.rb

@@ -23,7 +23,12 @@ module Hedra
 
       puts "\n"
       elapsed = Time.now - @start_time
-      puts "Completed #{@total} items in #{elapsed.round(2)}s"
+      rate = @total / elapsed
+      puts "Completed #{@total} items in #{elapsed.round(2)}s (#{rate.round(2)} items/s)"
+    end
+
+    def percentage
+      (@current.to_f / @total * 100).round(1)
     end
 
     private

data/lib/hedra/rate_limiter.rb

@@ -51,10 +51,16 @@ module Hedra
     def refill_tokens
       now = Time.now
       elapsed = now - @last_refill
+      return if elapsed <= 0
 
       tokens_to_add = (elapsed / @period) * @requests
       @tokens = [@tokens + tokens_to_add, @requests].min
       @last_refill = now
     end
+
+    def reset
+      @tokens = @requests
+      @last_refill = Time.now
+    end
   end
 end

data/lib/hedra/scorer.rb

@@ -23,9 +23,10 @@ module Hedra
     def calculate(headers, findings)
       base_score = calculate_base_score(headers)
       penalty = calculate_penalty(findings)
+      bonus = calculate_bonus(headers)
 
-      score = [base_score - penalty, 0].max
-      score.round
+      score = [base_score - penalty + bonus, 0].max
+      [score.round, 100].min # Cap at 100
     end
 
     private
@@ -50,5 +51,26 @@ module Hedra
 
       penalty
     end
+
+    def calculate_bonus(headers)
+      bonus = 0
+
+      # Bonus for HSTS with includeSubDomains
+      if headers['strict-transport-security']&.include?('includeSubDomains')
+        bonus += 2
+      end
+
+      # Bonus for HSTS with preload
+      if headers['strict-transport-security']&.include?('preload')
+        bonus += 3
+      end
+
+      # Bonus for having all recommended headers
+      if HEADER_WEIGHTS.keys.all? { |h| headers.key?(h) }
+        bonus += 5
+      end
+
+      bonus
+    end
   end
 end

data/lib/hedra/security_txt_checker.rb

@@ -10,7 +10,12 @@ module Hedra
 
     def check(url, http_client)
       uri = URI.parse(url)
-      base_url = "#{uri.scheme}://#{uri.host}#{":#{uri.port}" if uri.port && ![80, 443].include?(uri.port)}"
+      port_part = if uri.port && ![80, 443].include?(uri.port)
+                    ":#{uri.port}"
+                  else
+                    ''
+                  end
+      base_url = "#{uri.scheme}://#{uri.host}#{port_part}"
 
       findings = []
       found = false
@@ -19,7 +24,9 @@ module Hedra
         response = http_client.get("#{base_url}#{path}")
         if response.status.success?
           found = true
-          findings.concat(validate_security_txt(response.body.to_s))
+          content = response.body.to_s
+          findings.concat(validate_security_txt(content))
+          findings.concat(check_signed(content))
           break
         end
       rescue StandardError
@@ -43,6 +50,22 @@ module Hedra
 
     private
 
+    def check_signed(content)
+      findings = []
+
+      # Check if security.txt is signed (PGP signature)
+      unless content.include?('-----BEGIN PGP SIGNATURE-----')
+        findings << {
+          header: 'security.txt',
+          issue: 'security.txt is not digitally signed',
+          severity: :info,
+          recommended_fix: 'Consider signing security.txt with PGP for authenticity'
+        }
+      end
+
+      findings
+    end
+
     def validate_security_txt(content)
       findings = []
       required_fields = %w[Contact]

data/lib/hedra/url_validator.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require 'uri'
+
+module Hedra
+  # URL validation and sanitization
+  class UrlValidator
+    ALLOWED_SCHEMES = %w[http https].freeze
+    MAX_URL_LENGTH = 2048
+    DANGEROUS_CHARS = ['<', '>', '"', '{', '}', '|', '\\', '^', '`', '[', ']'].freeze
+
+    class << self
+      def valid?(url)
+        return false if url.nil? || url.empty?
+        return false if url.length > MAX_URL_LENGTH
+
+        uri = parse_url(url)
+        return false unless uri
+        return false unless ALLOWED_SCHEMES.include?(uri.scheme)
+        return false unless valid_host?(uri.host)
+        return false if contains_dangerous_chars?(url)
+
+        true
+      rescue StandardError
+        false
+      end
+
+      def validate!(url)
+        raise Error, 'URL cannot be empty' if url.nil? || url.empty?
+        raise Error, "URL too long (max #{MAX_URL_LENGTH} characters)" if url.length > MAX_URL_LENGTH
+
+        uri = parse_url(url)
+        raise Error, 'Invalid URL format' unless uri
+        raise Error, "Invalid scheme: #{uri.scheme}. Only HTTP/HTTPS allowed" unless ALLOWED_SCHEMES.include?(uri.scheme)
+        raise Error, 'Invalid or missing host' unless valid_host?(uri.host)
+        raise Error, 'URL contains dangerous characters' if contains_dangerous_chars?(url)
+
+        uri
+      end
+
+      def sanitize(url)
+        url = url.strip
+        url = "https://#{url}" unless url.start_with?('http://', 'https://')
+        url
+      end
+
+      def normalize(url)
+        uri = parse_url(url)
+        return url unless uri
+
+        # Remove default ports
+        port = if (uri.scheme == 'http' && uri.port == 80) || (uri.scheme == 'https' && uri.port == 443)
+                 nil
+               else
+                 uri.port
+               end
+
+        # Rebuild URL
+        normalized = "#{uri.scheme}://#{uri.host}"
+        normalized += ":#{port}" if port
+        normalized += uri.path if uri.path && uri.path != '/'
+        normalized += "?#{uri.query}" if uri.query
+        normalized
+      end
+
+      private
+
+      def parse_url(url)
+        URI.parse(url)
+      rescue URI::InvalidURIError
+        nil
+      end
+
+      def valid_host?(host)
+        return false if host.nil? || host.empty?
+        return false if host.length > 253 # Max domain length
+
+        # Check for valid hostname format
+        return false if host.start_with?('.') || host.end_with?('.')
+        return false if host.include?('..')
+
+        # Check for localhost/private IPs in production
+        return false if host == 'localhost'
+        return false if host.start_with?('127.', '10.', '192.168.', '172.')
+
+        true
+      end
+
+      def contains_dangerous_chars?(url)
+        DANGEROUS_CHARS.any? { |char| url.include?(char) }
+      end
+    end
+  end
+end

data/lib/hedra/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Hedra
-  VERSION = '2.0.2'
+  VERSION = '2.0.3'
 end

data/lib/hedra.rb

@@ -7,6 +7,8 @@ module Hedra
 end
 
 require_relative 'hedra/version'
+require_relative 'hedra/banner'
+require_relative 'hedra/url_validator'
 require_relative 'hedra/config'
 require_relative 'hedra/scorer'
 require_relative 'hedra/circuit_breaker'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hedra
 version: !ruby/object:Gem::Version
-  version: 2.0.2
+  version: 2.0.3
 platform: ruby
 authors:
 - bl4ckstack
@@ -123,6 +123,7 @@ files:
 - config/example_rules.yml
 - lib/hedra.rb
 - lib/hedra/analyzer.rb
+- lib/hedra/banner.rb
 - lib/hedra/baseline.rb
 - lib/hedra/cache.rb
 - lib/hedra/certificate_checker.rb
@@ -137,6 +138,7 @@ files:
 - lib/hedra/rate_limiter.rb
 - lib/hedra/scorer.rb
 - lib/hedra/security_txt_checker.rb
+- lib/hedra/url_validator.rb
 - lib/hedra/version.rb
 homepage: https://github.com/bl4ckstack/hedra
 licenses: