hedra 2.0.2 → 2.1.0

data/lib/hedra/dns_checker.rb

@@ -0,0 +1,274 @@
+# frozen_string_literal: true
+
+require 'resolv'
+require 'uri'
+
+module Hedra
+  # Check DNS security features (DNSSEC, CAA records)
+  class DnsChecker
+    CAA_TAG_ISSUE = 'issue'
+    CAA_TAG_ISSUEWILD = 'issuewild'
+    CAA_TAG_IODEF = 'iodef'
+
+    def initialize
+      @resolver = Resolv::DNS.new
+    end
+
+    def check(url)
+      findings = []
+      uri = URI.parse(url)
+      domain = uri.host
+
+      return findings unless domain
+
+      # Check DNSSEC
+      findings.concat(check_dnssec(domain))
+
+      # Check CAA records
+      findings.concat(check_caa_records(domain))
+
+      findings
+    rescue StandardError => e
+      warn "DNS check failed: #{e.message}" if ENV['DEBUG']
+      []
+    end
+
+    private
+
+    def check_dnssec(domain)
+      findings = []
+
+      dnssec_enabled = dnssec_enabled?(domain)
+
+      unless dnssec_enabled
+        findings << {
+          header: 'dnssec',
+          issue: 'DNSSEC not enabled for domain',
+          severity: :warning,
+          recommended_fix: 'Enable DNSSEC to prevent DNS spoofing and cache poisoning attacks'
+        }
+      end
+
+      findings
+    rescue StandardError => e
+      warn "DNSSEC check failed: #{e.message}" if ENV['DEBUG']
+      [{
+        header: 'dnssec',
+        issue: 'Unable to verify DNSSEC status',
+        severity: :info,
+        recommended_fix: 'Manually verify DNSSEC configuration'
+      }]
+    end
+
+    def check_caa_records(domain)
+      findings = []
+
+      caa_records = fetch_caa_records(domain)
+
+      if caa_records.empty?
+        findings << {
+          header: 'caa-records',
+          issue: 'No CAA records found - any CA can issue certificates',
+          severity: :warning,
+          recommended_fix: 'Add CAA records to restrict which CAs can issue certificates for your domain'
+        }
+      else
+        # Validate CAA records
+        findings.concat(validate_caa_records(caa_records, domain))
+      end
+
+      findings
+    rescue StandardError => e
+      warn "CAA check failed: #{e.message}" if ENV['DEBUG']
+      [{
+        header: 'caa-records',
+        issue: 'Unable to query CAA records',
+        severity: :info,
+        recommended_fix: 'Manually verify CAA record configuration'
+      }]
+    end
+
+    def dnssec_enabled?(domain)
+      # Check for DNSSEC by querying DNSKEY records
+      # This is a simplified check - full validation would require signature verification
+      
+      begin
+        # Try to get DNSKEY records
+        dnskey_records = query_dns(domain, Resolv::DNS::Resource::IN::ANY)
+        
+        # Look for RRSIG or DNSKEY records
+        has_dnssec = dnskey_records.any? do |record|
+          record.is_a?(String) && (record.include?('RRSIG') || record.include?('DNSKEY'))
+        end
+
+        return true if has_dnssec
+
+        # Alternative: check if resolver supports DNSSEC validation
+        # by looking for AD (Authenticated Data) flag
+        # This requires a DNSSEC-validating resolver
+        
+        # For now, we'll do a basic check by trying to resolve with DO flag
+        check_dnssec_with_dig(domain)
+      rescue StandardError => e
+        warn "DNSSEC detection error: #{e.message}" if ENV['DEBUG']
+        false
+      end
+    end
+
+    def check_dnssec_with_dig(domain)
+      # Use system dig command if available for more accurate DNSSEC check
+      return false unless command_available?('dig')
+
+      output = `dig +dnssec #{domain} 2>&1`
+      
+      # Check for RRSIG in response
+      output.include?('RRSIG') && !output.include?('SERVFAIL')
+    rescue StandardError
+      false
+    end
+
+    def fetch_caa_records(domain)
+      caa_records = []
+
+      # Try to fetch CAA records using Resolv
+      # Note: Ruby's Resolv doesn't have built-in CAA support
+      # We'll try using system tools as fallback
+      
+      caa_records = fetch_caa_with_dig(domain) if command_available?('dig')
+      
+      # If dig not available, try host command
+      caa_records = fetch_caa_with_host(domain) if caa_records.empty? && command_available?('host')
+
+      caa_records
+    rescue StandardError => e
+      warn "CAA fetch error: #{e.message}" if ENV['DEBUG']
+      []
+    end
+
+    def fetch_caa_with_dig(domain)
+      output = `dig +short CAA #{domain} 2>&1`
+      return [] if output.nil? || output.empty? || output.include?('SERVFAIL')
+
+      parse_caa_from_dig(output)
+    rescue StandardError
+      []
+    end
+
+    def fetch_caa_with_host(domain)
+      output = `host -t CAA #{domain} 2>&1`
+      return [] if output.nil? || output.empty? || output.include?('has no CAA')
+
+      parse_caa_from_host(output)
+    rescue StandardError
+      []
+    end
+
+    def parse_caa_from_dig(output)
+      records = []
+      
+      output.each_line do |line|
+        line = line.strip
+        next if line.empty?
+
+        # CAA format: flags tag "value"
+        # Example: 0 issue "letsencrypt.org"
+        if line.match(/(\d+)\s+(\w+)\s+"([^"]+)"/)
+          flags = ::Regexp.last_match(1).to_i
+          tag = ::Regexp.last_match(2)
+          value = ::Regexp.last_match(3)
+
+          records << {
+            flags: flags,
+            tag: tag,
+            value: value
+          }
+        end
+      end
+
+      records
+    end
+
+    def parse_caa_from_host(output)
+      records = []
+      
+      output.each_line do |line|
+        # Example: example.com has CAA record 0 issue "letsencrypt.org"
+        if line.match(/has CAA record (\d+)\s+(\w+)\s+"([^"]+)"/)
+          flags = ::Regexp.last_match(1).to_i
+          tag = ::Regexp.last_match(2)
+          value = ::Regexp.last_match(3)
+
+          records << {
+            flags: flags,
+            tag: tag,
+            value: value
+          }
+        end
+      end
+
+      records
+    end
+
+    def validate_caa_records(caa_records, domain)
+      findings = []
+
+      # Check for issue tag
+      issue_records = caa_records.select { |r| r[:tag] == CAA_TAG_ISSUE }
+      
+      if issue_records.empty?
+        findings << {
+          header: 'caa-records',
+          issue: 'No CAA "issue" tag found - consider adding to restrict certificate issuance',
+          severity: :info,
+          recommended_fix: 'Add CAA record with issue tag: example.com. CAA 0 issue "ca.example.com"'
+        }
+      end
+
+      # Check for wildcard protection
+      issuewild_records = caa_records.select { |r| r[:tag] == CAA_TAG_ISSUEWILD }
+      
+      if issuewild_records.empty? && issue_records.any?
+        findings << {
+          header: 'caa-records',
+          issue: 'No CAA "issuewild" tag - wildcard certificates not explicitly controlled',
+          severity: :info,
+          recommended_fix: 'Add CAA issuewild record to control wildcard certificate issuance'
+        }
+      end
+
+      # Check for incident reporting
+      iodef_records = caa_records.select { |r| r[:tag] == CAA_TAG_IODEF }
+      
+      if iodef_records.empty?
+        findings << {
+          header: 'caa-records',
+          issue: 'No CAA "iodef" tag for incident reporting',
+          severity: :info,
+          recommended_fix: 'Add CAA iodef record for certificate issuance violation notifications'
+        }
+      end
+
+      # Check for overly permissive CAA
+      if issue_records.any? { |r| r[:value] == ';' || r[:value].empty? }
+        findings << {
+          header: 'caa-records',
+          issue: 'CAA record allows all CAs (empty value)',
+          severity: :warning,
+          recommended_fix: 'Specify explicit CA domains in CAA records'
+        }
+      end
+
+      findings
+    end
+
+    def query_dns(domain, type)
+      @resolver.getresources(domain, type)
+    rescue StandardError
+      []
+    end
+
+    def command_available?(command)
+      system("which #{command} > /dev/null 2>&1")
+    end
+  end
+end

data/lib/hedra/plugin_manager.rb

@@ -16,9 +16,17 @@ module Hedra
 
     def install(path)
       raise Error, "Plugin file not found: #{path}" unless File.exist?(path)
+      raise Error, "Not a Ruby file: #{path}" unless path.end_with?('.rb')
+
+      # Validate plugin syntax before installing
+      validate_plugin_syntax(path)
 
       plugin_name = File.basename(path)
       dest = File.join(@plugin_dir, plugin_name)
+      
+      # Backup existing plugin if it exists
+      backup_existing_plugin(dest) if File.exist?(dest)
+      
       FileUtils.cp(path, dest)
       load_plugin(dest)
     end
@@ -48,7 +56,7 @@ module Hedra
     def load_plugins
       @plugins = []
 
-      Dir.glob(File.join(@plugin_dir, '*.rb')).each do |file|
+      Dir.glob(File.join(@plugin_dir, '*.rb')).sort.each do |file|
         load_plugin(file)
       end
     end
@@ -59,6 +67,20 @@ module Hedra
     rescue StandardError => e
       warn "Failed to load plugin #{file}: #{e.message}"
     end
+
+    def validate_plugin_syntax(path)
+      code = File.read(path)
+      RubyVM::InstructionSequence.compile(code)
+    rescue SyntaxError => e
+      raise Error, "Plugin has syntax errors: #{e.message}"
+    end
+
+    def backup_existing_plugin(dest)
+      backup_path = "#{dest}.backup"
+      FileUtils.cp(dest, backup_path)
+    rescue StandardError => e
+      warn "Failed to backup existing plugin: #{e.message}"
+    end
   end
 
   # Base class for plugins

data/lib/hedra/progress_tracker.rb

@@ -23,7 +23,12 @@ module Hedra
 
       puts "\n"
       elapsed = Time.now - @start_time
-      puts "Completed #{@total} items in #{elapsed.round(2)}s"
+      rate = @total / elapsed
+      puts "Completed #{@total} items in #{elapsed.round(2)}s (#{rate.round(2)} items/s)"
+    end
+
+    def percentage
+      (@current.to_f / @total * 100).round(1)
     end
 
     private

data/lib/hedra/protocol_checker.rb

@@ -0,0 +1,228 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'socket'
+require 'uri'
+
+module Hedra
+  # Check HTTP protocol version and TLS version
+  class ProtocolChecker
+    MINIMUM_TLS_VERSION = 'TLSv1.2'
+    RECOMMENDED_TLS_VERSION = 'TLSv1.3'
+
+    TLS_VERSION_MAP = {
+      0x0300 => 'SSLv3',
+      0x0301 => 'TLSv1.0',
+      0x0302 => 'TLSv1.1',
+      0x0303 => 'TLSv1.2',
+      0x0304 => 'TLSv1.3'
+    }.freeze
+
+    def check(url, response = nil)
+      findings = []
+      uri = URI.parse(url)
+
+      # Check HTTP protocol version
+      if response
+        findings.concat(check_http_version(response))
+      end
+
+      # Check TLS version for HTTPS
+      if uri.scheme == 'https'
+        findings.concat(check_tls_version(uri.host, uri.port || 443))
+      elsif uri.scheme == 'http'
+        findings << {
+          header: 'protocol',
+          issue: 'Using insecure HTTP protocol instead of HTTPS',
+          severity: :critical,
+          recommended_fix: 'Migrate to HTTPS with valid SSL/TLS certificate'
+        }
+      end
+
+      findings
+    rescue StandardError => e
+      warn "Protocol check failed: #{e.message}" if ENV['DEBUG']
+      []
+    end
+
+    private
+
+    def check_http_version(response)
+      findings = []
+
+      # Try to detect HTTP version from response
+      http_version = detect_http_version(response)
+
+      case http_version
+      when '1.0'
+        findings << {
+          header: 'protocol',
+          issue: 'Using outdated HTTP/1.0 protocol',
+          severity: :warning,
+          recommended_fix: 'Upgrade to HTTP/2 or HTTP/3 for better performance and security'
+        }
+      when '1.1'
+        findings << {
+          header: 'protocol',
+          issue: 'Using HTTP/1.1 - consider upgrading to HTTP/2 or HTTP/3',
+          severity: :info,
+          recommended_fix: 'Upgrade to HTTP/2 or HTTP/3 for multiplexing and improved security'
+        }
+      when '2', '2.0'
+        # HTTP/2 is good, but HTTP/3 is better
+        findings << {
+          header: 'protocol',
+          issue: 'Using HTTP/2 - HTTP/3 available for better performance',
+          severity: :info,
+          recommended_fix: 'Consider upgrading to HTTP/3 (QUIC) for improved performance'
+        }
+      when '3', '3.0'
+        # HTTP/3 is optimal - no finding
+      when nil
+        # Unable to detect - skip
+      else
+        findings << {
+          header: 'protocol',
+          issue: "Unknown HTTP version: #{http_version}",
+          severity: :info,
+          recommended_fix: 'Verify HTTP protocol version'
+        }
+      end
+
+      findings
+    end
+
+    def detect_http_version(response)
+      # Try to get version from response object
+      if response.respond_to?(:version)
+        return response.version.to_s
+      end
+
+      # Try to detect from headers
+      # HTTP/2 typically has lowercase headers
+      if response.headers.keys.all? { |k| k == k.downcase }
+        return '2'
+      end
+
+      # Check for HTTP/2 specific pseudo-headers
+      if response.headers.keys.any? { |k| k.start_with?(':') }
+        return '2'
+      end
+
+      # Check alt-svc header for HTTP/3
+      if response.headers['alt-svc']&.include?('h3')
+        return '3'
+      end
+
+      # Default assumption for HTTPS
+      '1.1'
+    rescue StandardError
+      nil
+    end
+
+    def check_tls_version(host, port)
+      findings = []
+
+      tls_info = probe_tls_versions(host, port)
+      return findings if tls_info.empty?
+
+      # Check if weak protocols are supported
+      weak_protocols = tls_info.select { |v| weak_tls_version?(v) }
+      if weak_protocols.any?
+        findings << {
+          header: 'tls-version',
+          issue: "Weak TLS versions supported: #{weak_protocols.join(', ')}",
+          severity: :critical,
+          recommended_fix: "Disable #{weak_protocols.join(', ')} and use only TLS 1.2 or higher"
+        }
+      end
+
+      # Check if TLS 1.2 is the minimum
+      if tls_info.include?('TLSv1.1') || tls_info.include?('TLSv1.0')
+        findings << {
+          header: 'tls-version',
+          issue: 'TLS 1.0/1.1 supported - deprecated and insecure',
+          severity: :critical,
+          recommended_fix: 'Disable TLS 1.0 and 1.1, use TLS 1.2+ only'
+        }
+      end
+
+      # Recommend TLS 1.3 if not supported
+      unless tls_info.include?('TLSv1.3')
+        findings << {
+          header: 'tls-version',
+          issue: 'TLS 1.3 not supported',
+          severity: :info,
+          recommended_fix: 'Enable TLS 1.3 for improved security and performance'
+        }
+      end
+
+      # Check negotiated version
+      negotiated = tls_info.last
+      if negotiated && negotiated < MINIMUM_TLS_VERSION
+        findings << {
+          header: 'tls-version',
+          issue: "Negotiated TLS version #{negotiated} is below minimum (#{MINIMUM_TLS_VERSION})",
+          severity: :critical,
+          recommended_fix: "Enforce minimum TLS version #{MINIMUM_TLS_VERSION}"
+        }
+      end
+
+      findings
+    rescue StandardError => e
+      warn "TLS version check failed: #{e.message}" if ENV['DEBUG']
+      []
+    end
+
+    def probe_tls_versions(host, port)
+      supported_versions = []
+      timeout = 5
+
+      # Try to connect with different TLS versions
+      [
+        OpenSSL::SSL::TLS1_3_VERSION,
+        OpenSSL::SSL::TLS1_2_VERSION,
+        OpenSSL::SSL::TLS1_1_VERSION,
+        OpenSSL::SSL::TLS1_VERSION
+      ].each do |version|
+        begin
+          tcp_socket = Socket.tcp(host, port, connect_timeout: timeout)
+          ssl_context = OpenSSL::SSL::SSLContext.new
+          
+          # Set specific TLS version
+          ssl_context.min_version = version
+          ssl_context.max_version = version
+          ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+          ssl_socket = OpenSSL::SSL::SSLSocket.new(tcp_socket, ssl_context)
+          ssl_socket.sync_close = true
+          ssl_socket.connect
+
+          # Get actual version
+          actual_version = ssl_socket.ssl_version
+          supported_versions << actual_version unless supported_versions.include?(actual_version)
+
+          ssl_socket.close
+        rescue OpenSSL::SSL::SSLError, Errno::ECONNREFUSED, Errno::ETIMEDOUT, SocketError
+          # Version not supported or connection failed
+          next
+        rescue StandardError => e
+          warn "TLS probe error for #{version}: #{e.message}" if ENV['DEBUG']
+          next
+        ensure
+          tcp_socket&.close rescue nil
+        end
+      end
+
+      supported_versions.uniq.sort
+    rescue StandardError => e
+      warn "TLS version probe failed: #{e.message}" if ENV['DEBUG']
+      []
+    end
+
+    def weak_tls_version?(version)
+      weak_versions = ['SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.0', 'TLSv1.1']
+      weak_versions.include?(version)
+    end
+  end
+end

data/lib/hedra/rate_limiter.rb

@@ -51,10 +51,16 @@ module Hedra
     def refill_tokens
       now = Time.now
       elapsed = now - @last_refill
+      return if elapsed <= 0
 
       tokens_to_add = (elapsed / @period) * @requests
       @tokens = [@tokens + tokens_to_add, @requests].min
       @last_refill = now
     end
+
+    def reset
+      @tokens = @requests
+      @last_refill = Time.now
+    end
   end
 end

data/lib/hedra/scorer.rb

@@ -23,9 +23,10 @@ module Hedra
     def calculate(headers, findings)
       base_score = calculate_base_score(headers)
       penalty = calculate_penalty(findings)
+      bonus = calculate_bonus(headers)
 
-      score = [base_score - penalty, 0].max
-      score.round
+      score = [base_score - penalty + bonus, 0].max
+      [score.round, 100].min # Cap at 100
     end
 
     private
@@ -50,5 +51,26 @@ module Hedra
 
       penalty
     end
+
+    def calculate_bonus(headers)
+      bonus = 0
+
+      # Bonus for HSTS with includeSubDomains
+      if headers['strict-transport-security']&.include?('includeSubDomains')
+        bonus += 2
+      end
+
+      # Bonus for HSTS with preload
+      if headers['strict-transport-security']&.include?('preload')
+        bonus += 3
+      end
+
+      # Bonus for having all recommended headers
+      if HEADER_WEIGHTS.keys.all? { |h| headers.key?(h) }
+        bonus += 5
+      end
+
+      bonus
+    end
   end
 end

data/lib/hedra/security_txt_checker.rb

@@ -10,7 +10,12 @@ module Hedra
 
     def check(url, http_client)
       uri = URI.parse(url)
-      base_url = "#{uri.scheme}://#{uri.host}#{":#{uri.port}" if uri.port && ![80, 443].include?(uri.port)}"
+      port_part = if uri.port && ![80, 443].include?(uri.port)
+                    ":#{uri.port}"
+                  else
+                    ''
+                  end
+      base_url = "#{uri.scheme}://#{uri.host}#{port_part}"
 
       findings = []
       found = false
@@ -19,7 +24,9 @@ module Hedra
         response = http_client.get("#{base_url}#{path}")
         if response.status.success?
           found = true
-          findings.concat(validate_security_txt(response.body.to_s))
+          content = response.body.to_s
+          findings.concat(validate_security_txt(content))
+          findings.concat(check_signed(content))
           break
         end
       rescue StandardError
@@ -43,6 +50,22 @@ module Hedra
 
     private
 
+    def check_signed(content)
+      findings = []
+
+      # Check if security.txt is signed (PGP signature)
+      unless content.include?('-----BEGIN PGP SIGNATURE-----')
+        findings << {
+          header: 'security.txt',
+          issue: 'security.txt is not digitally signed',
+          severity: :info,
+          recommended_fix: 'Consider signing security.txt with PGP for authenticity'
+        }
+      end
+
+      findings
+    end
+
     def validate_security_txt(content)
       findings = []
       required_fields = %w[Contact]