hedra 2.0.2 → 2.1.0

data/lib/hedra/sri_checker.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+require 'uri'
+require 'digest'
+
+module Hedra
+  # Check for Subresource Integrity (SRI) on external resources
+  class SriChecker
+    EXTERNAL_RESOURCE_PATTERN = /<(script|link)\s+[^>]*>/i.freeze
+    SRC_PATTERN = /(?:src|href)=["']([^"']+)["']/i.freeze
+    INTEGRITY_PATTERN = /integrity=["']([^"']+)["']/i.freeze
+    CROSSORIGIN_PATTERN = /crossorigin(?:=["']([^"']+)["'])?/i.freeze
+
+    def initialize(http_client: nil)
+      @http_client = http_client
+    end
+
+    def check(url, html_content = nil)
+      findings = []
+      
+      # Fetch HTML if not provided
+      html_content ||= fetch_html(url)
+      return findings unless html_content
+
+      base_uri = URI.parse(url)
+      external_resources = extract_external_resources(html_content, base_uri)
+
+      return findings if external_resources.empty?
+
+      external_resources.each do |resource|
+        next if resource[:has_integrity]
+
+        findings << {
+          header: 'subresource-integrity',
+          issue: "External #{resource[:type]} missing SRI: #{truncate_url(resource[:url])}",
+          severity: :warning,
+          recommended_fix: "Add integrity attribute with hash: integrity=\"sha384-...\" crossorigin=\"anonymous\""
+        }
+      end
+
+      # Check for crossorigin without integrity
+      external_resources.each do |resource|
+        if resource[:has_integrity] && !resource[:has_crossorigin]
+          findings << {
+            header: 'subresource-integrity',
+            issue: "SRI without crossorigin attribute: #{truncate_url(resource[:url])}",
+            severity: :info,
+            recommended_fix: 'Add crossorigin="anonymous" when using integrity attribute'
+          }
+        end
+      end
+
+      findings
+    rescue StandardError => e
+      warn "SRI check failed: #{e.message}" if ENV['DEBUG']
+      []
+    end
+
+    private
+
+    def fetch_html(url)
+      return nil unless @http_client
+
+      response = @http_client.get(url)
+      content_type = response.headers['Content-Type'].to_s
+      
+      # Only process HTML content
+      return nil unless content_type.include?('text/html')
+
+      response.body.to_s
+    rescue StandardError => e
+      warn "Failed to fetch HTML for SRI check: #{e.message}" if ENV['DEBUG']
+      nil
+    end
+
+    def extract_external_resources(html, base_uri)
+      resources = []
+      
+      html.scan(EXTERNAL_RESOURCE_PATTERN) do |match|
+        tag = match[0]
+        full_tag = ::Regexp.last_match(0)
+        
+        # Extract src/href
+        src_match = full_tag.match(SRC_PATTERN)
+        next unless src_match
+
+        resource_url = src_match[1]
+        next if resource_url.nil? || resource_url.empty?
+
+        # Skip data URIs, inline scripts, and relative URLs to same origin
+        next if resource_url.start_with?('data:', 'blob:', '#', 'javascript:')
+        
+        # Resolve relative URLs
+        absolute_url = resolve_url(resource_url, base_uri)
+        next unless absolute_url
+
+        # Check if external
+        resource_uri = URI.parse(absolute_url)
+        next if same_origin?(base_uri, resource_uri)
+
+        # Check for integrity and crossorigin attributes
+        has_integrity = full_tag.match?(INTEGRITY_PATTERN)
+        has_crossorigin = full_tag.match?(CROSSORIGIN_PATTERN)
+
+        resources << {
+          type: tag.downcase,
+          url: absolute_url,
+          has_integrity: has_integrity,
+          has_crossorigin: has_crossorigin
+        }
+      rescue URI::InvalidURIError
+        # Skip invalid URIs
+        next
+      end
+
+      resources.uniq { |r| r[:url] }
+    end
+
+    def resolve_url(url, base_uri)
+      return url if url.match?(%r{^https?://})
+
+      if url.start_with?('//')
+        "#{base_uri.scheme}:#{url}"
+      elsif url.start_with?('/')
+        "#{base_uri.scheme}://#{base_uri.host}#{base_uri.port && ![80, 443].include?(base_uri.port) ? ":#{base_uri.port}" : ''}#{url}"
+      else
+        # Relative URL
+        base_path = base_uri.path.split('/')[0..-2].join('/')
+        "#{base_uri.scheme}://#{base_uri.host}#{base_uri.port && ![80, 443].include?(base_uri.port) ? ":#{base_uri.port}" : ''}#{base_path}/#{url}"
+      end
+    rescue StandardError
+      nil
+    end
+
+    def same_origin?(uri1, uri2)
+      uri1.scheme == uri2.scheme &&
+        uri1.host == uri2.host &&
+        (uri1.port || default_port(uri1.scheme)) == (uri2.port || default_port(uri2.scheme))
+    end
+
+    def default_port(scheme)
+      scheme == 'https' ? 443 : 80
+    end
+
+    def truncate_url(url, max_length = 60)
+      return url if url.length <= max_length
+
+      "#{url[0...max_length]}..."
+    end
+  end
+end

data/lib/hedra/url_validator.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require 'uri'
+
+module Hedra
+  # URL validation and sanitization
+  class UrlValidator
+    ALLOWED_SCHEMES = %w[http https].freeze
+    MAX_URL_LENGTH = 2048
+    DANGEROUS_CHARS = ['<', '>', '"', '{', '}', '|', '\\', '^', '`', '[', ']'].freeze
+
+    class << self
+      def valid?(url)
+        return false if url.nil? || url.empty?
+        return false if url.length > MAX_URL_LENGTH
+
+        uri = parse_url(url)
+        return false unless uri
+        return false unless ALLOWED_SCHEMES.include?(uri.scheme)
+        return false unless valid_host?(uri.host)
+        return false if contains_dangerous_chars?(url)
+
+        true
+      rescue StandardError
+        false
+      end
+
+      def validate!(url)
+        raise Error, 'URL cannot be empty' if url.nil? || url.empty?
+        raise Error, "URL too long (max #{MAX_URL_LENGTH} characters)" if url.length > MAX_URL_LENGTH
+
+        uri = parse_url(url)
+        raise Error, 'Invalid URL format' unless uri
+        raise Error, "Invalid scheme: #{uri.scheme}. Only HTTP/HTTPS allowed" unless ALLOWED_SCHEMES.include?(uri.scheme)
+        raise Error, 'Invalid or missing host' unless valid_host?(uri.host)
+        raise Error, 'URL contains dangerous characters' if contains_dangerous_chars?(url)
+
+        uri
+      end
+
+      def sanitize(url)
+        url = url.strip
+        url = "https://#{url}" unless url.start_with?('http://', 'https://')
+        url
+      end
+
+      def normalize(url)
+        uri = parse_url(url)
+        return url unless uri
+
+        # Remove default ports
+        port = if (uri.scheme == 'http' && uri.port == 80) || (uri.scheme == 'https' && uri.port == 443)
+                 nil
+               else
+                 uri.port
+               end
+
+        # Rebuild URL
+        normalized = "#{uri.scheme}://#{uri.host}"
+        normalized += ":#{port}" if port
+        normalized += uri.path if uri.path && uri.path != '/'
+        normalized += "?#{uri.query}" if uri.query
+        normalized
+      end
+
+      private
+
+      def parse_url(url)
+        URI.parse(url)
+      rescue URI::InvalidURIError
+        nil
+      end
+
+      def valid_host?(host)
+        return false if host.nil? || host.empty?
+        return false if host.length > 253 # Max domain length
+
+        # Check for valid hostname format
+        return false if host.start_with?('.') || host.end_with?('.')
+        return false if host.include?('..')
+
+        # Check for localhost/private IPs in production
+        return false if host == 'localhost'
+        return false if host.start_with?('127.', '10.', '192.168.', '172.')
+
+        true
+      end
+
+      def contains_dangerous_chars?(url)
+        DANGEROUS_CHARS.any? { |char| url.include?(char) }
+      end
+    end
+  end
+end

data/lib/hedra/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Hedra
-  VERSION = '2.0.2'
+  VERSION = '2.1.0'
 end

data/lib/hedra.rb

@@ -7,6 +7,8 @@ module Hedra
 end
 
 require_relative 'hedra/version'
+require_relative 'hedra/banner'
+require_relative 'hedra/url_validator'
 require_relative 'hedra/config'
 require_relative 'hedra/scorer'
 require_relative 'hedra/circuit_breaker'
@@ -20,5 +22,10 @@ require_relative 'hedra/http_client'
 require_relative 'hedra/plugin_manager'
 require_relative 'hedra/exporter'
 require_relative 'hedra/html_reporter'
+require_relative 'hedra/sri_checker'
+require_relative 'hedra/cors_checker'
+require_relative 'hedra/protocol_checker'
+require_relative 'hedra/ct_checker'
+require_relative 'hedra/dns_checker'
 require_relative 'hedra/analyzer'
 require_relative 'hedra/cli'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hedra
 version: !ruby/object:Gem::Version
-  version: 2.0.2
+  version: 2.1.0
 platform: ruby
 authors:
 - bl4ckstack
@@ -79,6 +79,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: resolv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.2.0
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -123,20 +137,27 @@ files:
 - config/example_rules.yml
 - lib/hedra.rb
 - lib/hedra/analyzer.rb
+- lib/hedra/banner.rb
 - lib/hedra/baseline.rb
 - lib/hedra/cache.rb
 - lib/hedra/certificate_checker.rb
 - lib/hedra/circuit_breaker.rb
 - lib/hedra/cli.rb
 - lib/hedra/config.rb
+- lib/hedra/cors_checker.rb
+- lib/hedra/ct_checker.rb
+- lib/hedra/dns_checker.rb
 - lib/hedra/exporter.rb
 - lib/hedra/html_reporter.rb
 - lib/hedra/http_client.rb
 - lib/hedra/plugin_manager.rb
 - lib/hedra/progress_tracker.rb
+- lib/hedra/protocol_checker.rb
 - lib/hedra/rate_limiter.rb
 - lib/hedra/scorer.rb
 - lib/hedra/security_txt_checker.rb
+- lib/hedra/sri_checker.rb
+- lib/hedra/url_validator.rb
 - lib/hedra/version.rb
 homepage: https://github.com/bl4ckstack/hedra
 licenses: