RubyGems - inspec-core - Versions diffs - 5.22.50 → 5.22.55 - Mend

inspec-core 5.22.50 → 5.22.55

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/Gemfile +4 -1
data/lib/inspec/fetcher/url.rb +24 -4
data/lib/inspec/input_registry.rb +5 -1
data/lib/inspec/resources/nftables.rb +14 -1
data/lib/inspec/resources/oracledb_session.rb +12 -3
data/lib/inspec/resources/sybase_session.rb +11 -2
data/lib/inspec/version.rb +1 -1
data/lib/plugins/inspec-sign/lib/inspec-sign/base.rb +9 -4
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bf0d707c247850a684a024680d641da787207608e7601e617023b29c299d1d2f
-  data.tar.gz: 684b3be8f6b45f7ffa770670f3eb9e281253c3e2c46f47c8d0e50e2d2090d564
+  metadata.gz: 5b84448a3befad076d31e888ef81ca567f4fb398dc73f215abebb8af76021bc5
+  data.tar.gz: 03b2b4ea7321ceba11f2f043c4dc76ede8652f3d24b0e9a7fcca08cd648572d0
 SHA512:
-  metadata.gz: 701450c7309e4d2d637b631f2e409f4d16dea4468771ce5c3a1aa9bf1a3fd75b9c25defde7d19ed21c005e8511134ea624cde373f99d448e79c90385a73da61f
-  data.tar.gz: 3afa092af7a5c77918ec4a6cf7d1904b649cb67e988025e9abbc8011cd13fd5124942b540efdcdafbcb83549a3f5627e85e7dc10e349097a2988803936aac58d
+  metadata.gz: 819f0ccd7d978c1f71f3e3cfe22f922c4bcdf763a09b55e5d9fe4eb2406a2c759671af09987ba4267abcc4505f517d8c2f6e0bfe9bcc62bcfd05f91a17474ca9
+  data.tar.gz: 8920507c3d2cb040f21c5e6309defc3a32c1f4000ee4b4bccba793ce0038c8eac3c84aa2f7247833e57635ed757e3b8e5d8a4b1977b859a0fb975af31ca3aa54

data/Gemfile CHANGED Viewed

@@ -9,7 +9,10 @@ gem "inspec", path: "."
 # in it in order to package the executable. Hence the odd backwards dependency.
 gem "inspec-bin", path: "./inspec-bin"
-gem "ffi", ">= 1.9.14", "!= 1.13.0", "!= 1.14.2"
+# ffi version v1.17.0 is breaking verify pipeline as it requires
+# rubygems version to be upgraded to >= 3.3.22 Ref:https://buildkite.com/chef/inspec-inspec-main-verify-private/builds/812#018fe177-2ccb-45ed-a25e-213c8a6453df/698-707
+gem "ffi", ">= 1.15.5", "< 1.18.0"
 # We have a build issue 2023-11-13 with unf_ext 0.0.9 so we are pinning to 0.0.8.2
 # See https://github.com/knu/ruby-unf_ext/issues/74 https://buildkite.com/chef/inspec-inspec-inspec-5-omnibus-release/builds/22

data/lib/inspec/fetcher/url.rb CHANGED Viewed

@@ -248,10 +248,30 @@ module Inspec::Fetcher
       @temp_archive_path = archive.path
     end
-    def open(target, opts) # overridden so we can control who we're talking to
-      URI.open(target, opts)
-    rescue NoMethodError   # TODO: remove when we drop ruby 2.4
-      super(target, opts)  # Kernel#open
+    # Opens a URI or local file specified by `target` with options `opts`.
+    # If `target` is a valid URI (http://, https://, ftp://), opens it using URI.open.
+    # If `target` is a local file path, opens it using File.open.
+    # Raises ArgumentError for invalid `target` that is neither a valid URI nor a local file path.
+    # Logs or handles exceptions gracefully using `pretty_handle_exception`.
+    def open(target, opts)
+      if valid_uri?(target)
+        URI(target).open(opts) # Open URI if it's a valid HTTP, HTTPS, or FTP URI
+      elsif File.file?(target)
+        File.open(target, opts) # Open local file if it exists
+      else
+        raise ArgumentError, "Invalid target: #{target}. Must be a valid URI or a local file path."
+      end
+    rescue StandardError => e
+      raise Inspec::FetcherFailure, "Profile URL dependency #{target} could not be fetched: #{e.message}"
+    end
+    # Checks if the given `target` string is a valid URI by attempting to parse it.
+    # Returns true if `target` is a valid HTTP, HTTPS, or FTP URI; false otherwise.
+    def valid_uri?(target)
+      uri = URI.parse(target)
+      uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS) || uri.is_a?(URI::FTP)
+    rescue URI::InvalidURIError
+      false
     end
     def open_via_uri(target)

data/lib/inspec/input_registry.rb CHANGED Viewed

@@ -189,7 +189,11 @@ module Inspec
     def parse_cli_input_value(input_name, given_value)
       value = given_value.chomp(",") # Trim trailing comma if any
       case value
-      when /^true|false$/i
+      # Changed regex to use \A and \z instead of ^ and $ for stricter start and end of string matching.
+      # This prevents potential bypass issues with multi-line input and ensures the entire string
+      # is exactly "true" or "false", enhancing security when dealing with untrusted input.
+      # Issue detected here: https://github.com/inspec/inspec/security/code-scanning/41
+      when /\A(true|false)\z/i
         value = !!(value =~ /true/i)
       when /^-?\d+$/
         value = value.to_i

data/lib/inspec/resources/nftables.rb CHANGED Viewed

@@ -135,7 +135,20 @@ module Inspec::Resources
       cmd = inspec.command(nftables_cmd)
       return [] if cmd.exit_status.to_i != 0
-      @nftables_cache[idx] = cmd.stdout.gsub("\t", "").split("\n").reject { |line| line =~ /^(table|set|type|size|flags|typeof|auto-merge)/ || line =~ /^}$/ }.map { |line| line.sub("elements = {", "").sub("}", "").split(",") }.flatten.map(&:strip)
+      # https://github.com/inspec/inspec/security/code-scanning/10
+      # Update @nftables_cache with sanitized command output
+      @nftables_cache[idx] = cmd.stdout.gsub("\t", "").split("\n")
+        .reject { |line| line =~ /^(table|set|type|size|flags|typeof|auto-merge)/ || line =~ /^}$/ } # Reject lines that match certain patterns
+        .map { |line| line.gsub("elements = {", "").gsub("}", "").split(",") } # Use gsub to replace all occurrences of specified strings
+        .flatten # Flatten the array of arrays into a single array
+        .map(&:strip) # Remove leading and trailing whitespace from each element
+        .map { |element| sanitize_input(element) } # Sanitize each element to prevent injection attacks
+    end
+    # Method to sanitize input
+    def sanitize_input(input)
+      # Replace potentially dangerous characters with their escaped counterparts
+      input.gsub(/([\\'";])/, '\\\\\1')
     end
     def retrieve_chain_rules

data/lib/inspec/resources/oracledb_session.rb CHANGED Viewed

@@ -96,8 +96,7 @@ module Inspec::Resources
       if @db_role.nil? || @su_user.nil?
         verified_query = verify_query(query)
       else
-        escaped_query = query.gsub(/\\\\/, "\\").gsub(/"/, '\\"')
-        escaped_query = escaped_query.gsub("$", '\\$') unless escaped_query.include? "\\$"
+        escaped_query = escape_query(query)
         verified_query = verify_query(escaped_query)
       end
@@ -134,11 +133,21 @@ module Inspec::Resources
       query
     end
+    def escape_query(query)
+      # https://github.com/inspec/inspec/security/code-scanning/7
+      # https://github.com/inspec/inspec/security/code-scanning/8
+      escaped_query = query.gsub(/["\\]/) { |match| match == '"' ? '\\"' : "\\\\" } # Escape backslashes and double quotes
+      escaped_query.gsub!("$", '\\$') unless escaped_query.include? "\\$" # Escape dollar signs, but only if not already escaped
+      escaped_query
+    end
     def parse_csv_result(stdout)
       output = stdout.split("oracle_query_string")[-1]
       # comma_query_sub replaces the csv delimiter "," in the output.
       # Handles CSV parsing of data like this (DROP,3) etc
-      output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
+      # Replace all occurrences of the target pattern using gsub instead of sub
+      # Issue detected: https://github.com/inspec/inspec/security/code-scanning/9
+      output = output.gsub(/\r/, "").strip.gsub(",", "comma_query_sub")
       converter = ->(header) { header.downcase }
       CSV.parse(output, headers: true, header_converters: converter).map do |row|
         next if row.entries.flatten.empty?

data/lib/inspec/resources/sybase_session.rb CHANGED Viewed

@@ -44,10 +44,19 @@ module Inspec::Resources
       # try to get a temp path
       sql_file_path = upload_sql_file(sql)
+      # TODO: Find if there is better way to get the current shell
+      current_shell = inspec.command("echo $SHELL")
+      res = current_shell.exit_status
       # isql reuires that we have a matching locale set, but does not support C.UTF-8. en_US.UTF-8 is the least evil.
-      command = "LANG=en_US.UTF-8 SYBASE=#{sybase_home} #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
-      isql_cmd = inspec.command(command)
+      if res == 0 && ( current_shell.stdout&.include?("/csh") || current_shell.stdout&.include?("/tcsh") )
+        command = "source #{sybase_home}/SYBASE.csh; setenv LANG en_US.UTF-8; #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
+      else
+        command = "LANG=en_US.UTF-8 SYBASE=#{sybase_home} #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
+      end
+      isql_cmd = inspec.command(command)
       # Check for isql errors
       res = isql_cmd.exit_status
       raise Inspec::Exceptions::ResourceFailed.new("isql exited with code #{res} and stderr '#{isql_cmd.stderr}', stdout '#{isql_cmd.stdout}'") unless res == 0

data/lib/inspec/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "5.22.50".freeze
+  VERSION = "5.22.55".freeze
 end

data/lib/plugins/inspec-sign/lib/inspec-sign/base.rb CHANGED Viewed

@@ -36,11 +36,15 @@ module InspecPlugins
         FileUtils.mkdir_p(path)
         puts "Generating signing key in #{path}/#{options["keyname"]}.pem.key"
-        open "#{path}/#{options["keyname"]}.pem.key", "w" do |io|
+        # https://github.com/inspec/inspec/security/code-scanning/1
+        # https://github.com/inspec/inspec/security/code-scanning/2
+        # The following line was flagged by GitHub code scanning as a security vulnerability.
+        # Update the code to eliminate the vulnerability.
+        File.open("#{path}/#{options["keyname"]}.pem.key", "w") do |io|
           io.write key.to_pem
         end
         puts "Generating validation key in #{path}/#{options["keyname"]}.pem.pub"
-        open "#{path}/#{options["keyname"]}.pem.pub", "w" do |io|
+        File.open("#{path}/#{options["keyname"]}.pem.pub", "w") do |io|
           io.write key.public_key.to_pem
         end
       end
@@ -67,7 +71,8 @@ module InspecPlugins
         # Generating tar.gz file using archive method of Inspec Cli
         Inspec::InspecCLI.new.archive(profile_path, "error")
         tarfile = "#{filename}.tar.gz"
-        tar_content = IO.binread(tarfile)
+        # Update IO.binread with File.binread because of https://github.com/inspec/inspec/security/code-scanning/3
+        tar_content = File.binread(tarfile)
         FileUtils.rm(tarfile)
         # Generate the signature
@@ -152,7 +157,7 @@ module InspecPlugins
           ui.exit(:usage_error)
         end
-        lines = IO.readlines(p)
+        lines = File.readlines(p)
         lines << "\nprofile_content_id: #{profile_content_id}\n"
         File.open("#{p}", "w" ) do |f|

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 5.22.50
+  version: 5.22.55
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-05-21 00:00:00.000000000 Z
+date: 2024-07-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry