inspec-core 5.22.50 → 5.22.55

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: bf0d707c247850a684a024680d641da787207608e7601e617023b29c299d1d2f
4
- data.tar.gz: 684b3be8f6b45f7ffa770670f3eb9e281253c3e2c46f47c8d0e50e2d2090d564
3
+ metadata.gz: 5b84448a3befad076d31e888ef81ca567f4fb398dc73f215abebb8af76021bc5
4
+ data.tar.gz: 03b2b4ea7321ceba11f2f043c4dc76ede8652f3d24b0e9a7fcca08cd648572d0
5
5
  SHA512:
6
- metadata.gz: 701450c7309e4d2d637b631f2e409f4d16dea4468771ce5c3a1aa9bf1a3fd75b9c25defde7d19ed21c005e8511134ea624cde373f99d448e79c90385a73da61f
7
- data.tar.gz: 3afa092af7a5c77918ec4a6cf7d1904b649cb67e988025e9abbc8011cd13fd5124942b540efdcdafbcb83549a3f5627e85e7dc10e349097a2988803936aac58d
6
+ metadata.gz: 819f0ccd7d978c1f71f3e3cfe22f922c4bcdf763a09b55e5d9fe4eb2406a2c759671af09987ba4267abcc4505f517d8c2f6e0bfe9bcc62bcfd05f91a17474ca9
7
+ data.tar.gz: 8920507c3d2cb040f21c5e6309defc3a32c1f4000ee4b4bccba793ce0038c8eac3c84aa2f7247833e57635ed757e3b8e5d8a4b1977b859a0fb975af31ca3aa54
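--- a/data/Gemfile
+++ b/data/Gemfile
@@ -9,7 +9,10 @@ gem "inspec", path: "."
 # in it in order to package the executable. Hence the odd backwards dependency.
 gem "inspec-bin", path: "./inspec-bin"
 
-gem "ffi", ">= 1.9.14", "!= 1.13.0", "!= 1.14.2"
+# ffi version v1.17.0 is breaking verify pipeline as it requires
+# rubygems version to be upgraded to >= 3.3.22 Ref:https://buildkite.com/chef/inspec-inspec-main-verify-private/builds/812#018fe177-2ccb-45ed-a25e-213c8a6453df/698-707
+
+gem "ffi", ">= 1.15.5", "< 1.18.0"
 
 # We have a build issue 2023-11-13 with unf_ext 0.0.9 so we are pinning to 0.0.8.2
 # See https://github.com/knu/ruby-unf_ext/issues/74 https://buildkite.com/chef/inspec-inspec-inspec-5-omnibus-release/builds/22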
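Review bot: The new constraint `gem "ffi", ">= 1.15.5", "< 1.18.0"` still admits ffi 1.17.0, which the comment directly above it says breaks the verify pipeline unless rubygems is upgraded to >= 3.3.22, so a resolver not held by a lockfile will happily pick 1.17.x. If the intent is to keep 1.17.0 out, the bound should be `"< 1.17.0"` (or an explicit `"!= 1.17.0"`), and the comment should state which range is actually accepted. No Gemfile.lock appears in this diff, so this may be deliberate if the lock pins a 1.16.x release; either way the comment and the constraint should agree.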
@@ -248,10 +248,30 @@ module Inspec::Fetcher
248
248
  @temp_archive_path = archive.path
249
249
  end
250
250
 
251
- def open(target, opts) # overridden so we can control who we're talking to
252
- URI.open(target, opts)
253
- rescue NoMethodError # TODO: remove when we drop ruby 2.4
254
- super(target, opts) # Kernel#open
251
+ # Opens a URI or local file specified by `target` with options `opts`.
252
+ # If `target` is a valid URI (http://, https://, ftp://), opens it using URI.open.
253
+ # If `target` is a local file path, opens it using File.open.
254
+ # Raises ArgumentError for invalid `target` that is neither a valid URI nor a local file path.
255
+ # Logs or handles exceptions gracefully using `pretty_handle_exception`.
256
+ def open(target, opts)
257
+ if valid_uri?(target)
258
+ URI(target).open(opts) # Open URI if it's a valid HTTP, HTTPS, or FTP URI
259
+ elsif File.file?(target)
260
+ File.open(target, opts) # Open local file if it exists
261
+ else
262
+ raise ArgumentError, "Invalid target: #{target}. Must be a valid URI or a local file path."
263
+ end
264
+ rescue StandardError => e
265
+ raise Inspec::FetcherFailure, "Profile URL dependency #{target} could not be fetched: #{e.message}"
266
+ end
267
+
268
+ # Checks if the given `target` string is a valid URI by attempting to parse it.
269
+ # Returns true if `target` is a valid HTTP, HTTPS, or FTP URI; false otherwise.
270
+ def valid_uri?(target)
271
+ uri = URI.parse(target)
272
+ uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS) || uri.is_a?(URI::FTP)
273
+ rescue URI::InvalidURIError
274
+ false
255
275
  end
256
276
 
257
277
  def open_via_uri(target)
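Review bot: The new docstring on `open` claims it raises ArgumentError and handles exceptions with `pretty_handle_exception`, but the body does neither: the `rescue StandardError => e` line catches that ArgumentError and re-raises it as `Inspec::FetcherFailure`, and no `pretty_handle_exception` call is visible, so the two comment lines should read `# Raises Inspec::FetcherFailure for any error, including a target that is neither an http/https/ftp URI nor an existing local file.` A second concern is `File.open(target, opts)`: `opts` is the same hash handed to open-uri (request headers and similar, presumably), while `File.open` expects mode/permission arguments, so the local-file branch may fail and surface as a FetcherFailure for every local path — worth confirming with a local profile, or calling `File.open(target)` when the options are not meaningful for files. Restricting the URI branch to URI::HTTP, URI::HTTPS and URI::FTP plus an explicit `File.file?` check does close the Kernel#open fallback the old override carried, which is the right direction.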
@@ -189,7 +189,11 @@ module Inspec
189
189
  def parse_cli_input_value(input_name, given_value)
190
190
  value = given_value.chomp(",") # Trim trailing comma if any
191
191
  case value
192
- when /^true|false$/i
192
+ # Changed regex to use \A and \z instead of ^ and $ for stricter start and end of string matching.
193
+ # This prevents potential bypass issues with multi-line input and ensures the entire string
194
+ # is exactly "true" or "false", enhancing security when dealing with untrusted input.
195
+ # Issue detected here: https://github.com/inspec/inspec/security/code-scanning/41
196
+ when /\A(true|false)\z/i
193
197
  value = !!(value =~ /true/i)
194
198
  when /^-?\d+$/
195
199
  value = value.to_i
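Review bot: The integer branch two lines below the new boolean pattern still uses `when /^-?\d+$/`, which has the same per-line anchoring problem this hunk fixes for true/false: a value such as `"12\nx"` matches on its first line and is then silently coerced with `to_i`. For consistency with the fix, change it to `when /\A-?\d+\z/`. The rest of `parse_cli_input_value` (any later `when` branches and its `end`) lies outside the hunk, so any other `^`/`$`-anchored patterns there deserve the same treatment.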
@@ -135,7 +135,20 @@ module Inspec::Resources
135
135
  cmd = inspec.command(nftables_cmd)
136
136
  return [] if cmd.exit_status.to_i != 0
137
137
 
138
- @nftables_cache[idx] = cmd.stdout.gsub("\t", "").split("\n").reject { |line| line =~ /^(table|set|type|size|flags|typeof|auto-merge)/ || line =~ /^}$/ }.map { |line| line.sub("elements = {", "").sub("}", "").split(",") }.flatten.map(&:strip)
138
+ # https://github.com/inspec/inspec/security/code-scanning/10
139
+ # Update @nftables_cache with sanitized command output
140
+ @nftables_cache[idx] = cmd.stdout.gsub("\t", "").split("\n")
141
+ .reject { |line| line =~ /^(table|set|type|size|flags|typeof|auto-merge)/ || line =~ /^}$/ } # Reject lines that match certain patterns
142
+ .map { |line| line.gsub("elements = {", "").gsub("}", "").split(",") } # Use gsub to replace all occurrences of specified strings
143
+ .flatten # Flatten the array of arrays into a single array
144
+ .map(&:strip) # Remove leading and trailing whitespace from each element
145
+ .map { |element| sanitize_input(element) } # Sanitize each element to prevent injection attacks
146
+ end
147
+
148
+ # Method to sanitize input
149
+ def sanitize_input(input)
150
+ # Replace potentially dangerous characters with their escaped counterparts
151
+ input.gsub(/([\\'";])/, '\\\\\1')
139
152
  end
140
153
 
141
154
  def retrieve_chain_rules
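Review bot: `sanitize_input` rewrites the resource's data instead of protecting a sink: every element read from the nft output that contains `\`, `'`, `"` or `;` is stored in `@nftables_cache` with a backslash in front of it, so callers comparing elements against expected values will see strings that differ from what `nft` actually reported. If the concern behind code-scanning/10 is that these values are later interpolated into a shell command, the escaping belongs at that interpolation point (for example `Shellwords.escape(element)` on the command-building line) and should not touch the cached values; if the cache is only ever compared, the new `.map { |element| sanitize_input(element) }` line has no security effect and only corrupts results, and should be dropped. Also, `sanitize_input` is defined here without a `private` marker, so it becomes part of the resource's public surface unless a `private` section above (not visible in this hunk) already covers it.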
@@ -96,8 +96,7 @@ module Inspec::Resources
96
96
  if @db_role.nil? || @su_user.nil?
97
97
  verified_query = verify_query(query)
98
98
  else
99
- escaped_query = query.gsub(/\\\\/, "\\").gsub(/"/, '\\"')
100
- escaped_query = escaped_query.gsub("$", '\\$') unless escaped_query.include? "\\$"
99
+ escaped_query = escape_query(query)
101
100
  verified_query = verify_query(escaped_query)
102
101
  end
103
102
 
@@ -134,11 +133,21 @@ module Inspec::Resources
134
133
  query
135
134
  end
136
135
 
136
+ def escape_query(query)
137
+ # https://github.com/inspec/inspec/security/code-scanning/7
138
+ # https://github.com/inspec/inspec/security/code-scanning/8
139
+ escaped_query = query.gsub(/["\\]/) { |match| match == '"' ? '\\"' : "\\\\" } # Escape backslashes and double quotes
140
+ escaped_query.gsub!("$", '\\$') unless escaped_query.include? "\\$" # Escape dollar signs, but only if not already escaped
141
+ escaped_query
142
+ end
143
+
137
144
  def parse_csv_result(stdout)
138
145
  output = stdout.split("oracle_query_string")[-1]
139
146
  # comma_query_sub replaces the csv delimiter "," in the output.
140
147
  # Handles CSV parsing of data like this (DROP,3) etc
141
- output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
148
+ # Replace all occurrences of the target pattern using gsub instead of sub
149
+ # Issue detected: https://github.com/inspec/inspec/security/code-scanning/9
150
+ output = output.gsub(/\r/, "").strip.gsub(",", "comma_query_sub")
142
151
  converter = ->(header) { header.downcase }
143
152
  CSV.parse(output, headers: true, header_converters: converter).map do |row|
144
153
  next if row.entries.flatten.empty?
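Review bot: `escape_query` still treats `$` all-or-nothing: `escaped_query.gsub!("$", '\\$') unless escaped_query.include? "\\$"` skips every `$` as soon as a single already-escaped `\$` is present, so a query mixing escaped and unescaped dollar signs leaves the unescaped ones active; a per-match form such as `escaped_query.gsub(/(?<!\\)\$/, '\\$')` escapes only those not already preceded by a backslash. The escaping also still covers only `"`, `\` and `$`; if `escaped_query` ends up inside a double-quoted shell argument (the `@su_user` path that consumes it is outside this hunk), a backtick character is still interpreted by the shell, so either add it to the character class or hand the query to the command through a file or `Shellwords.escape` rather than building the quoting by hand. The new block form `gsub(/["\\]/) { ... }` doubles every backslash where the old code collapsed `\\` to `\`; that looks intentional but changes the meaning of queries that were already escaped by the caller, so a one-line comment stating that input is expected to be unescaped would help. The earlier hunk at -96,8 only swaps in the call to this method and needs nothing further.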
@@ -44,10 +44,19 @@ module Inspec::Resources
44
44
  # try to get a temp path
45
45
  sql_file_path = upload_sql_file(sql)
46
46
 
47
+ # TODO: Find if there is better way to get the current shell
48
+ current_shell = inspec.command("echo $SHELL")
49
+
50
+ res = current_shell.exit_status
51
+
47
52
  # isql reuires that we have a matching locale set, but does not support C.UTF-8. en_US.UTF-8 is the least evil.
48
- command = "LANG=en_US.UTF-8 SYBASE=#{sybase_home} #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
49
- isql_cmd = inspec.command(command)
53
+ if res == 0 && ( current_shell.stdout&.include?("/csh") || current_shell.stdout&.include?("/tcsh") )
54
+ command = "source #{sybase_home}/SYBASE.csh; setenv LANG en_US.UTF-8; #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
55
+ else
56
+ command = "LANG=en_US.UTF-8 SYBASE=#{sybase_home} #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
57
+ end
50
58
 
59
+ isql_cmd = inspec.command(command)
51
60
  # Check for isql errors
52
61
  res = isql_cmd.exit_status
53
62
  raise Inspec::Exceptions::ResourceFailed.new("isql exited with code #{res} and stderr '#{isql_cmd.stderr}', stdout '#{isql_cmd.stdout}'") unless res == 0
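Review bot: The csh detection on the new `if res == 0 && ( current_shell.stdout&.include?("/csh") || ... )` line keys off `echo $SHELL`, which reports the connecting user's login shell, not necessarily the shell the backend uses to execute `inspec.command`; if commands run through `/bin/sh` regardless of `$SHELL` (worth confirming against the transport in use), the `source`/`setenv` prefix will fail for those users, and the TODO above it should record that assumption. The two `command = ...` strings duplicate the whole isql invocation and differ only in the environment prefix, which invites drift; something like `csh = res == 0 && (current_shell.stdout&.include?("/csh") || current_shell.stdout&.include?("/tcsh"))`, `isql = "#{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"` and `command = csh ? "source #{sybase_home}/SYBASE.csh; setenv LANG en_US.UTF-8; #{isql}" : "LANG=en_US.UTF-8 SYBASE=#{sybase_home} #{isql}"` keeps a single invocation. Both branches, like the line they replace, interpolate `password`, `server`, `username`, `database` and `sybase_home` unescaped into a shell string; this is pre-existing, but since the invocation is being rewritten it is the moment to pass them through `Shellwords.escape` and, ideally, keep the password off the command line, where `-P \"...\"` leaves it visible in process listings. The enclosing method starts before this hunk.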
@@ -1,3 +1,3 @@
1
1
  module Inspec
2
- VERSION = "5.22.50".freeze
2
+ VERSION = "5.22.55".freeze
3
3
  end
@@ -36,11 +36,15 @@ module InspecPlugins
36
36
  FileUtils.mkdir_p(path)
37
37
 
38
38
  puts "Generating signing key in #{path}/#{options["keyname"]}.pem.key"
39
- open "#{path}/#{options["keyname"]}.pem.key", "w" do |io|
39
+ # https://github.com/inspec/inspec/security/code-scanning/1
40
+ # https://github.com/inspec/inspec/security/code-scanning/2
41
+ # The following line was flagged by GitHub code scanning as a security vulnerability.
42
+ # Update the code to eliminate the vulnerability.
43
+ File.open("#{path}/#{options["keyname"]}.pem.key", "w") do |io|
40
44
  io.write key.to_pem
41
45
  end
42
46
  puts "Generating validation key in #{path}/#{options["keyname"]}.pem.pub"
43
- open "#{path}/#{options["keyname"]}.pem.pub", "w" do |io|
47
+ File.open("#{path}/#{options["keyname"]}.pem.pub", "w") do |io|
44
48
  io.write key.public_key.to_pem
45
49
  end
46
50
  end
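Review bot: `File.open("#{path}/#{options["keyname"]}.pem.key", "w") do |io|` writes the signing private key with the process umask's default mode, so under a typical 022 umask the key is world-readable; pass an explicit mode for the `.pem.key` file, `File.open("#{path}/#{options["keyname"]}.pem.key", "w", 0o600) do |io|` (the `.pem.pub` file can stay as is), bearing in mind that the mode only applies when the file is created, so an existing key keeps its old permissions. The four new comment lines above it only say the line was flagged; replace them with what changed and why, e.g. `# File.open instead of Kernel#open: Kernel#open treats a name starting with "|" as a command to spawn (code-scanning/1, /2).` The later hunks in this file (IO.binread → File.binread, IO.readlines → File.readlines) are equivalent rewrites and need no further change.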
@@ -67,7 +71,8 @@ module InspecPlugins
67
71
  # Generating tar.gz file using archive method of Inspec Cli
68
72
  Inspec::InspecCLI.new.archive(profile_path, "error")
69
73
  tarfile = "#(unknown).tar.gz"
70
- tar_content = IO.binread(tarfile)
74
+ # Update IO.binread with File.binread because of https://github.com/inspec/inspec/security/code-scanning/3
75
+ tar_content = File.binread(tarfile)
71
76
  FileUtils.rm(tarfile)
72
77
 
73
78
  # Generate the signature
@@ -152,7 +157,7 @@ module InspecPlugins
152
157
  ui.exit(:usage_error)
153
158
  end
154
159
 
155
- lines = IO.readlines(p)
160
+ lines = File.readlines(p)
156
161
  lines << "\nprofile_content_id: #{profile_content_id}\n"
157
162
 
158
163
  File.open("#{p}", "w" ) do |f|
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: inspec-core
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.22.50
4
+ version: 5.22.55
5
5
  platform: ruby
6
6
  authors:
7
7
  - Chef InSpec Team
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-05-21 00:00:00.000000000 Z
11
+ date: 2024-07-29 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: chef-telemetry