hedra 2.0.3 → 2.1.0

data/lib/hedra/protocol_checker.rb

@@ -0,0 +1,228 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'socket'
+require 'uri'
+
+module Hedra
+  # Check HTTP protocol version and TLS version
+  class ProtocolChecker
+    MINIMUM_TLS_VERSION = 'TLSv1.2'
+    RECOMMENDED_TLS_VERSION = 'TLSv1.3'
+
+    TLS_VERSION_MAP = {
+      0x0300 => 'SSLv3',
+      0x0301 => 'TLSv1.0',
+      0x0302 => 'TLSv1.1',
+      0x0303 => 'TLSv1.2',
+      0x0304 => 'TLSv1.3'
+    }.freeze
+
+    def check(url, response = nil)
+      findings = []
+      uri = URI.parse(url)
+
+      # Check HTTP protocol version
+      if response
+        findings.concat(check_http_version(response))
+      end
+
+      # Check TLS version for HTTPS
+      if uri.scheme == 'https'
+        findings.concat(check_tls_version(uri.host, uri.port || 443))
+      elsif uri.scheme == 'http'
+        findings << {
+          header: 'protocol',
+          issue: 'Using insecure HTTP protocol instead of HTTPS',
+          severity: :critical,
+          recommended_fix: 'Migrate to HTTPS with valid SSL/TLS certificate'
+        }
+      end
+
+      findings
+    rescue StandardError => e
+      warn "Protocol check failed: #{e.message}" if ENV['DEBUG']
+      []
+    end
+
+    private
+
+    def check_http_version(response)
+      findings = []
+
+      # Try to detect HTTP version from response
+      http_version = detect_http_version(response)
+
+      case http_version
+      when '1.0'
+        findings << {
+          header: 'protocol',
+          issue: 'Using outdated HTTP/1.0 protocol',
+          severity: :warning,
+          recommended_fix: 'Upgrade to HTTP/2 or HTTP/3 for better performance and security'
+        }
+      when '1.1'
+        findings << {
+          header: 'protocol',
+          issue: 'Using HTTP/1.1 - consider upgrading to HTTP/2 or HTTP/3',
+          severity: :info,
+          recommended_fix: 'Upgrade to HTTP/2 or HTTP/3 for multiplexing and improved security'
+        }
+      when '2', '2.0'
+        # HTTP/2 is good, but HTTP/3 is better
+        findings << {
+          header: 'protocol',
+          issue: 'Using HTTP/2 - HTTP/3 available for better performance',
+          severity: :info,
+          recommended_fix: 'Consider upgrading to HTTP/3 (QUIC) for improved performance'
+        }
+      when '3', '3.0'
+        # HTTP/3 is optimal - no finding
+      when nil
+        # Unable to detect - skip
+      else
+        findings << {
+          header: 'protocol',
+          issue: "Unknown HTTP version: #{http_version}",
+          severity: :info,
+          recommended_fix: 'Verify HTTP protocol version'
+        }
+      end
+
+      findings
+    end
+
+    def detect_http_version(response)
+      # Try to get version from response object
+      if response.respond_to?(:version)
+        return response.version.to_s
+      end
+
+      # Try to detect from headers
+      # HTTP/2 typically has lowercase headers
+      if response.headers.keys.all? { |k| k == k.downcase }
+        return '2'
+      end
+
+      # Check for HTTP/2 specific pseudo-headers
+      if response.headers.keys.any? { |k| k.start_with?(':') }
+        return '2'
+      end
+
+      # Check alt-svc header for HTTP/3
+      if response.headers['alt-svc']&.include?('h3')
+        return '3'
+      end
+
+      # Default assumption for HTTPS
+      '1.1'
+    rescue StandardError
+      nil
+    end
+
+    def check_tls_version(host, port)
+      findings = []
+
+      tls_info = probe_tls_versions(host, port)
+      return findings if tls_info.empty?
+
+      # Check if weak protocols are supported
+      weak_protocols = tls_info.select { |v| weak_tls_version?(v) }
+      if weak_protocols.any?
+        findings << {
+          header: 'tls-version',
+          issue: "Weak TLS versions supported: #{weak_protocols.join(', ')}",
+          severity: :critical,
+          recommended_fix: "Disable #{weak_protocols.join(', ')} and use only TLS 1.2 or higher"
+        }
+      end
+
+      # Check if TLS 1.2 is the minimum
+      if tls_info.include?('TLSv1.1') || tls_info.include?('TLSv1.0')
+        findings << {
+          header: 'tls-version',
+          issue: 'TLS 1.0/1.1 supported - deprecated and insecure',
+          severity: :critical,
+          recommended_fix: 'Disable TLS 1.0 and 1.1, use TLS 1.2+ only'
+        }
+      end
+
+      # Recommend TLS 1.3 if not supported
+      unless tls_info.include?('TLSv1.3')
+        findings << {
+          header: 'tls-version',
+          issue: 'TLS 1.3 not supported',
+          severity: :info,
+          recommended_fix: 'Enable TLS 1.3 for improved security and performance'
+        }
+      end
+
+      # Check negotiated version
+      negotiated = tls_info.last
+      if negotiated && negotiated < MINIMUM_TLS_VERSION
+        findings << {
+          header: 'tls-version',
+          issue: "Negotiated TLS version #{negotiated} is below minimum (#{MINIMUM_TLS_VERSION})",
+          severity: :critical,
+          recommended_fix: "Enforce minimum TLS version #{MINIMUM_TLS_VERSION}"
+        }
+      end
+
+      findings
+    rescue StandardError => e
+      warn "TLS version check failed: #{e.message}" if ENV['DEBUG']
+      []
+    end
+
+    def probe_tls_versions(host, port)
+      supported_versions = []
+      timeout = 5
+
+      # Try to connect with different TLS versions
+      [
+        OpenSSL::SSL::TLS1_3_VERSION,
+        OpenSSL::SSL::TLS1_2_VERSION,
+        OpenSSL::SSL::TLS1_1_VERSION,
+        OpenSSL::SSL::TLS1_VERSION
+      ].each do |version|
+        begin
+          tcp_socket = Socket.tcp(host, port, connect_timeout: timeout)
+          ssl_context = OpenSSL::SSL::SSLContext.new
+          
+          # Set specific TLS version
+          ssl_context.min_version = version
+          ssl_context.max_version = version
+          ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+          ssl_socket = OpenSSL::SSL::SSLSocket.new(tcp_socket, ssl_context)
+          ssl_socket.sync_close = true
+          ssl_socket.connect
+
+          # Get actual version
+          actual_version = ssl_socket.ssl_version
+          supported_versions << actual_version unless supported_versions.include?(actual_version)
+
+          ssl_socket.close
+        rescue OpenSSL::SSL::SSLError, Errno::ECONNREFUSED, Errno::ETIMEDOUT, SocketError
+          # Version not supported or connection failed
+          next
+        rescue StandardError => e
+          warn "TLS probe error for #{version}: #{e.message}" if ENV['DEBUG']
+          next
+        ensure
+          tcp_socket&.close rescue nil
+        end
+      end
+
+      supported_versions.uniq.sort
+    rescue StandardError => e
+      warn "TLS version probe failed: #{e.message}" if ENV['DEBUG']
+      []
+    end
+
+    def weak_tls_version?(version)
+      weak_versions = ['SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.0', 'TLSv1.1']
+      weak_versions.include?(version)
+    end
+  end
+end

data/lib/hedra/sri_checker.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+require 'uri'
+require 'digest'
+
+module Hedra
+  # Check for Subresource Integrity (SRI) on external resources
+  class SriChecker
+    EXTERNAL_RESOURCE_PATTERN = /<(script|link)\s+[^>]*>/i.freeze
+    SRC_PATTERN = /(?:src|href)=["']([^"']+)["']/i.freeze
+    INTEGRITY_PATTERN = /integrity=["']([^"']+)["']/i.freeze
+    CROSSORIGIN_PATTERN = /crossorigin(?:=["']([^"']+)["'])?/i.freeze
+
+    def initialize(http_client: nil)
+      @http_client = http_client
+    end
+
+    def check(url, html_content = nil)
+      findings = []
+      
+      # Fetch HTML if not provided
+      html_content ||= fetch_html(url)
+      return findings unless html_content
+
+      base_uri = URI.parse(url)
+      external_resources = extract_external_resources(html_content, base_uri)
+
+      return findings if external_resources.empty?
+
+      external_resources.each do |resource|
+        next if resource[:has_integrity]
+
+        findings << {
+          header: 'subresource-integrity',
+          issue: "External #{resource[:type]} missing SRI: #{truncate_url(resource[:url])}",
+          severity: :warning,
+          recommended_fix: "Add integrity attribute with hash: integrity=\"sha384-...\" crossorigin=\"anonymous\""
+        }
+      end
+
+      # Check for crossorigin without integrity
+      external_resources.each do |resource|
+        if resource[:has_integrity] && !resource[:has_crossorigin]
+          findings << {
+            header: 'subresource-integrity',
+            issue: "SRI without crossorigin attribute: #{truncate_url(resource[:url])}",
+            severity: :info,
+            recommended_fix: 'Add crossorigin="anonymous" when using integrity attribute'
+          }
+        end
+      end
+
+      findings
+    rescue StandardError => e
+      warn "SRI check failed: #{e.message}" if ENV['DEBUG']
+      []
+    end
+
+    private
+
+    def fetch_html(url)
+      return nil unless @http_client
+
+      response = @http_client.get(url)
+      content_type = response.headers['Content-Type'].to_s
+      
+      # Only process HTML content
+      return nil unless content_type.include?('text/html')
+
+      response.body.to_s
+    rescue StandardError => e
+      warn "Failed to fetch HTML for SRI check: #{e.message}" if ENV['DEBUG']
+      nil
+    end
+
+    def extract_external_resources(html, base_uri)
+      resources = []
+      
+      html.scan(EXTERNAL_RESOURCE_PATTERN) do |match|
+        tag = match[0]
+        full_tag = ::Regexp.last_match(0)
+        
+        # Extract src/href
+        src_match = full_tag.match(SRC_PATTERN)
+        next unless src_match
+
+        resource_url = src_match[1]
+        next if resource_url.nil? || resource_url.empty?
+
+        # Skip data URIs, inline scripts, and relative URLs to same origin
+        next if resource_url.start_with?('data:', 'blob:', '#', 'javascript:')
+        
+        # Resolve relative URLs
+        absolute_url = resolve_url(resource_url, base_uri)
+        next unless absolute_url
+
+        # Check if external
+        resource_uri = URI.parse(absolute_url)
+        next if same_origin?(base_uri, resource_uri)
+
+        # Check for integrity and crossorigin attributes
+        has_integrity = full_tag.match?(INTEGRITY_PATTERN)
+        has_crossorigin = full_tag.match?(CROSSORIGIN_PATTERN)
+
+        resources << {
+          type: tag.downcase,
+          url: absolute_url,
+          has_integrity: has_integrity,
+          has_crossorigin: has_crossorigin
+        }
+      rescue URI::InvalidURIError
+        # Skip invalid URIs
+        next
+      end
+
+      resources.uniq { |r| r[:url] }
+    end
+
+    def resolve_url(url, base_uri)
+      return url if url.match?(%r{^https?://})
+
+      if url.start_with?('//')
+        "#{base_uri.scheme}:#{url}"
+      elsif url.start_with?('/')
+        "#{base_uri.scheme}://#{base_uri.host}#{base_uri.port && ![80, 443].include?(base_uri.port) ? ":#{base_uri.port}" : ''}#{url}"
+      else
+        # Relative URL
+        base_path = base_uri.path.split('/')[0..-2].join('/')
+        "#{base_uri.scheme}://#{base_uri.host}#{base_uri.port && ![80, 443].include?(base_uri.port) ? ":#{base_uri.port}" : ''}#{base_path}/#{url}"
+      end
+    rescue StandardError
+      nil
+    end
+
+    def same_origin?(uri1, uri2)
+      uri1.scheme == uri2.scheme &&
+        uri1.host == uri2.host &&
+        (uri1.port || default_port(uri1.scheme)) == (uri2.port || default_port(uri2.scheme))
+    end
+
+    def default_port(scheme)
+      scheme == 'https' ? 443 : 80
+    end
+
+    def truncate_url(url, max_length = 60)
+      return url if url.length <= max_length
+
+      "#{url[0...max_length]}..."
+    end
+  end
+end

data/lib/hedra/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Hedra
-  VERSION = '2.0.3'
+  VERSION = '2.1.0'
 end

data/lib/hedra.rb

@@ -22,5 +22,10 @@ require_relative 'hedra/http_client'
 require_relative 'hedra/plugin_manager'
 require_relative 'hedra/exporter'
 require_relative 'hedra/html_reporter'
+require_relative 'hedra/sri_checker'
+require_relative 'hedra/cors_checker'
+require_relative 'hedra/protocol_checker'
+require_relative 'hedra/ct_checker'
+require_relative 'hedra/dns_checker'
 require_relative 'hedra/analyzer'
 require_relative 'hedra/cli'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hedra
 version: !ruby/object:Gem::Version
-  version: 2.0.3
+  version: 2.1.0
 platform: ruby
 authors:
 - bl4ckstack
@@ -79,6 +79,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: resolv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.2.0
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -130,14 +144,19 @@ files:
 - lib/hedra/circuit_breaker.rb
 - lib/hedra/cli.rb
 - lib/hedra/config.rb
+- lib/hedra/cors_checker.rb
+- lib/hedra/ct_checker.rb
+- lib/hedra/dns_checker.rb
 - lib/hedra/exporter.rb
 - lib/hedra/html_reporter.rb
 - lib/hedra/http_client.rb
 - lib/hedra/plugin_manager.rb
 - lib/hedra/progress_tracker.rb
+- lib/hedra/protocol_checker.rb
 - lib/hedra/rate_limiter.rb
 - lib/hedra/scorer.rb
 - lib/hedra/security_txt_checker.rb
+- lib/hedra/sri_checker.rb
 - lib/hedra/url_validator.rb
 - lib/hedra/version.rb
 homepage: https://github.com/bl4ckstack/hedra