inspec-core 5.22.50 → 6.8.1

data/lib/inspec/config.rb

@@ -7,6 +7,7 @@ require "forwardable" unless defined?(Forwardable)
 require "thor" unless defined?(Thor)
 require "base64" unless defined?(Base64)
 require "inspec/plugin/v2/filter"
+require "inspec/feature"
 
 module Inspec
   class Config
@@ -25,6 +26,12 @@ module Inspec
       shell_command
     }.freeze
 
+    AUDIT_LOG_OPTIONS = %w{
+      audit_log_location
+      enable_audit_log
+      audit_log_app_name
+    }.freeze
+
     KNOWN_VERSIONS = [
       "1.1",
       "1.2",
@@ -80,6 +87,10 @@ module Inspec
       puts
     end
 
+    def allow_unsigned_profiles?
+      self["allow_unsigned_profiles"] || ENV["CHEF_ALLOW_UNSIGNED_PROFILES"]
+    end
+
     # return all telemetry options from config
     # @return [Hash]
     def telemetry_options
@@ -109,11 +120,14 @@ module Inspec
     def unpack_train_credentials
       # Internally, use indifferent access while we build the creds
       credentials = Thor::CoreExt::HashWithIndifferentAccess.new({})
-
       # Helper methods prefixed with _utc_ (Unpack Train Credentials)
 
       credentials.merge!(_utc_generic_credentials)
 
+      # Only runs this block when preview flag CHEF_PREVIEW_AUDIT_LOGGING is set
+      Inspec.with_feature("inspec-audit-logging") {
+        credentials.merge!(_utc_merge_audit_log_options)
+      }
       _utc_determine_backend(credentials)
       transport_name = credentials[:backend].to_s
 
@@ -154,13 +168,21 @@ module Inspec
 
     private
 
+    def _utc_merge_audit_log_options
+      @final_options.select { |option, _value| AUDIT_LOG_OPTIONS.include?(option) }
+    end
+
     def _utc_merge_transport_options(credentials, transport_name)
       # Ask Train for the names of the transport options
       transport_options = Train.options(transport_name).keys.map(&:to_s)
 
       # If there are any options with those (unprefixed) names, merge them in.
+      # e.g., 'host'
       unprefixed_transport_options = final_options.select do |option_name, _value|
-        transport_options.include? option_name # e.g., 'host'
+        # We currently want this option only to be set if CHEF_PREVIEW_AUDIT_LOGGING is set
+        # and we already merging the audit_log_options within _utc_merge_audit_log_options method which only invoke if feature flag is on
+        # we don't want audit log option to get set from here again so this is a safe check and can be removed when we remove preview feature flag.
+        transport_options.include? option_name unless option_name.match?("enable_audit_log")
       end
       credentials.merge!(unprefixed_transport_options)
 

data/lib/inspec/dependencies/cache.rb

@@ -70,5 +70,38 @@ module Inspec
     def base_path_for(cache_key)
       File.join(@path, cache_key)
     end
+
+    #
+    # For given cache key, return true if the
+    # cache path is locked
+    def locked?(key)
+      locked = false
+      path = base_path_for(key)
+      # For archive there is no need to lock the directory so we skip those and return false for archive formatted cache
+      if File.directory?(path)
+        locked = File.exist?("#{path}/.lock")
+      end
+      locked
+    end
+
+    def lock(cache_path)
+      lock_file_path = File.join(cache_path, ".lock")
+      begin
+        FileUtils.mkdir_p(cache_path)
+        Inspec::Log.debug("Locking cache ..... #{cache_path}")
+        FileUtils.touch(lock_file_path)
+      rescue Errno::EACCES
+        raise "Permission denied while creating cache lock #{cache_path}/.lock."
+      end
+    end
+
+    def unlock(cache_path)
+      Inspec::Log.debug("Unlocking cache..... #{cache_path}")
+      begin
+        FileUtils.rm("#{cache_path}/.lock") if File.exist?("#{cache_path}/.lock")
+      rescue Errno::EACCES
+        raise "Permission denied while removing cache lock #{cache_path}/.lock"
+      end
+    end
   end
 end

data/lib/inspec/enhanced_outcomes.rb

@@ -15,5 +15,6 @@ module Inspec
         "passed"
       end
     end
+
   end
 end

data/lib/inspec/errors.rb

@@ -24,4 +24,9 @@ module Inspec
   end
 
   class InvalidProfileSignature < Error; end
+
+  class FeatureConfigMissingError < Error; end
+  class FeatureConfigTamperedError < Error; end
+
+  class ProfileSignatureRequired < Error; end
 end

data/lib/inspec/exceptions.rb

@@ -12,5 +12,7 @@ module Inspec
     class ProfileSigningKeyNotFound < ArgumentError; end
     class WaiversFileNotReadable < ArgumentError; end
     class WaiversFileDoesNotExist < ArgumentError; end
+    class WaiversFileInvalidFormatting < ArgumentError; end
+    class InvalidAuditLogOption < ArgumentError; end
   end
 end

data/lib/inspec/feature/config.rb

@@ -0,0 +1,75 @@
+require "inspec/iaf_file" # Uses some of the same encryption routines
+
+module Inspec
+  class Feature
+    class Config
+
+      VERIFICATION_KEY_NAME = "progress-2022-05-04".freeze
+
+      attr_reader :cfg_data, :valid
+
+      def initialize(conf_path = nil)
+        # If conf path is nil, read from source installation
+        conf_path ||= File.join(Inspec.src_root, "etc", "features.yaml")
+
+        # Verify path and sig file exists or else throw exception
+        sig_path = conf_path.sub(/\.yaml/, ".sig")
+        [conf_path, sig_path].each do |file|
+          raise Inspec::FeatureConfigMissingError.new("No such file #{file}") unless File.exist?(file)
+        end
+
+        # Verify sig matches contents
+        validation_key_path = Inspec::IafFile.find_validation_key(VERIFICATION_KEY_NAME)
+        verification_key = Inspec::IafFile::KEY_ALG.new File.read validation_key_path
+        signature = Base64.decode64 File.read sig_path
+        digest = Inspec::IafFile::ARTIFACT_DIGEST.new
+        unless verification_key.verify digest, signature, File.read(conf_path)
+          # If not load default empty config and raise exception
+          @cfg_data = load_error_data
+          raise Inspec::FeatureConfigTamperedError.new("Feature yaml file does not match signature - tampered?")
+        end
+
+        # Read YAML data from path
+        @cfg_data = YAML.load_file(conf_path)
+        @features_by_name = {}
+      end
+
+      def with_each_feature
+        cfg_data["features"].each do |feature_name, raw_info|
+          feat = @features_by_name[feature_name] ||= Inspec::Feature.new(feature_name.to_sym, raw_info)
+          yield(feat)
+        end
+      end
+
+      def [](feature_name)
+        raw_info = cfg_data["features"][feature_name]
+        return nil unless raw_info
+
+        @features_by_name[feature_name] ||= Inspec::Feature.new(feature_name.to_sym, raw_info)
+      end
+
+      def feature_name?(query)
+        cfg_data["features"].key?(query.to_s)
+      end
+
+      def features
+        @features ||= load_features
+      end
+
+      private
+
+      def load_features
+        feats = []
+        with_each_feature { |f| feats << f }
+        feats
+      end
+
+      # Default data for when the config is in an error state.
+      def load_error_data
+        {
+          "features": {},
+        }
+      end
+    end
+  end
+end

data/lib/inspec/feature/runner.rb

@@ -0,0 +1,29 @@
+module Inspec
+  class Feature
+    class Runner
+      def self.with_feature(feature_name, opts = {}, &feature_implementation)
+        config = opts[:config] || Inspec::Feature::Config.new
+        logger = opts[:logger] || Inspec::Log
+
+        # Emit log message saying we're running a feature
+        logger.debug("Prepping to run feature '#{feature_name}'")
+
+        # Validate that the feature is recognized
+        feature = config[feature_name]
+        unless feature
+          # Avoid warning for custom plugins
+          user_plugins = Inspec::Plugin::V2::Registry.instance.plugin_statuses.select { |status| status.installation_type == :user_gem }
+          user_plugin_names = user_plugins.collect { |a| a.name.to_s }
+          logger.warn "Unrecognized feature name '#{feature_name}'" unless user_plugin_names.include?(feature_name)
+        end
+
+        # If the feature is not recognized
+        # If the feature has no env_preview flag set in config
+        # If the feature is previewable
+        if feature.nil? || feature&.no_preview? || feature&.previewable?
+          yield feature_implementation
+        end
+      end
+    end
+  end
+end

data/lib/inspec/feature.rb

@@ -0,0 +1,42 @@
+require_relative "feature/config"
+require_relative "feature/runner"
+
+module Inspec
+  def self.with_feature(feature_name, opts = {}, &feature_implementation)
+    Inspec::Feature::Runner.with_feature(feature_name, opts, &feature_implementation)
+  end
+
+  class Feature
+    attr_reader :name, :description, :env_preview
+
+    @@features_invoked = []
+
+    def initialize(feature_name, feature_yaml_opts)
+      @name = feature_name
+      feature_yaml_opts ||= {}
+      @description = feature_yaml_opts["description"]
+      @env_preview = feature_yaml_opts["env_preview"]
+      @@features_invoked << feature_name
+    end
+
+    def previewable?
+      # If the feature is previewable in config (features.yaml) & has an environment value set to use previewed feature
+      !!env_preview && !env_preview_value.nil?
+    end
+
+    def no_preview?
+      env_preview.nil?
+    end
+
+    def env_preview_value
+      # Examples: If feature name is "inspec-test-feature"
+      # ENV used for this feature preview would be CHEF_PREVIEW_TEST_FEATURE
+      env_preview_feature_name = name.to_s.split("inspec-")[-1]
+      ENV["CHEF_PREVIEW_#{env_preview_feature_name.gsub("-", "_").upcase}"]
+    end
+
+    def self.list_all_invoked_features
+      @@features_invoked.uniq
+    end
+  end
+end

data/lib/inspec/fetcher/git.rb

@@ -127,6 +127,11 @@ module Inspec::Fetcher
       %i{branch tag ref}.map { |opt_name| update_ivar_from_opt(opt_name, opts) }.any?
     end
 
+    # Git fetcher is sensitive to cache contention so it needs cache locking mechanism.
+    def requires_locking?
+      true
+    end
+
     private
 
     def resolved_ref

data/lib/inspec/fetcher/url.rb

@@ -248,10 +248,30 @@ module Inspec::Fetcher
       @temp_archive_path = archive.path
     end
 
-    def open(target, opts) # overridden so we can control who we're talking to
-      URI.open(target, opts)
-    rescue NoMethodError   # TODO: remove when we drop ruby 2.4
-      super(target, opts)  # Kernel#open
+    # Opens a URI or local file specified by `target` with options `opts`.
+    # If `target` is a valid URI (http://, https://, ftp://), opens it using URI.open.
+    # If `target` is a local file path, opens it using File.open.
+    # Raises ArgumentError for invalid `target` that is neither a valid URI nor a local file path.
+    # Logs or handles exceptions gracefully using `pretty_handle_exception`.
+    def open(target, opts)
+      if valid_uri?(target)
+        URI(target).open(opts) # Open URI if it's a valid HTTP, HTTPS, or FTP URI
+      elsif File.file?(target)
+        File.open(target, opts) # Open local file if it exists
+      else
+        raise ArgumentError, "Invalid target: #{target}. Must be a valid URI or a local file path."
+      end
+    rescue StandardError => e
+      raise Inspec::FetcherFailure, "Profile URL dependency #{target} could not be fetched: #{e.message}"
+    end
+
+    # Checks if the given `target` string is a valid URI by attempting to parse it.
+    # Returns true if `target` is a valid HTTP, HTTPS, or FTP URI; false otherwise.
+    def valid_uri?(target)
+      uri = URI.parse(target)
+      uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS) || uri.is_a?(URI::FTP)
+    rescue URI::InvalidURIError
+      false
     end
 
     def open_via_uri(target)

data/lib/inspec/globals.rb

@@ -23,4 +23,10 @@ module Inspec
     require "rbconfig" unless defined?(RbConfig)
     RbConfig::CONFIG["host_os"] =~ /mswin|mingw|cygwin/
   end
+
+  def self.log_dir
+    log_dir_path = "#{config_dir}/logs"
+    FileUtils.mkdir_p(log_dir_path) unless File.directory?(log_dir_path)
+    log_dir_path
+  end
 end

data/lib/inspec/iaf_file.rb

@@ -34,8 +34,9 @@ module Inspec
       raise Inspec::Exceptions::ProfileValidationKeyNotFound.new("Validation key #{keyname} not found")
     end
 
-    def self.find_signing_key(keyname)
-      [".", File.join(Inspec.config_dir, "keys")].each do |path|
+    def self.find_signing_key(keyname, config_dir = nil)
+      config_dir ||= Inspec.config_dir
+      [".", File.join(config_dir, "keys")].each do |path|
         filename = File.join(path, "#{keyname}.pem.key")
         return filename if File.exist?(filename)
       end

data/lib/inspec/input_registry.rb

@@ -189,7 +189,11 @@ module Inspec
     def parse_cli_input_value(input_name, given_value)
       value = given_value.chomp(",") # Trim trailing comma if any
       case value
-      when /^true|false$/i
+      # Changed regex to use \A and \z instead of ^ and $ for stricter start and end of string matching.
+      # This prevents potential bypass issues with multi-line input and ensures the entire string
+      # is exactly "true" or "false", enhancing security when dealing with untrusted input.
+      # Issue detected here: https://github.com/inspec/inspec/security/code-scanning/41
+      when /\A(true|false)\z/i
         value = !!(value =~ /true/i)
       when /^-?\d+$/
         value = value.to_i

data/lib/inspec/plugin/v1/plugin_types/fetcher.rb

@@ -105,6 +105,13 @@ module Inspec
         file_provider = Inspec::FileProvider.for_path(archive_path)
         file_provider.relative_provider
       end
+
+      # Returns false by default
+      # This is used to regulate cache contention.
+      # Fetchers that are sensitive to cache contention should return true.
+      def requires_locking?
+        false
+      end
     end
   end
 end

data/lib/inspec/plugin/v2/plugin_types/streaming_reporter.rb

@@ -12,6 +12,7 @@ module Inspec::Plugin::V2::PluginType
       @control_checks_count_map = {}
       @controls_count = nil
       @notifications = {}
+      @enhanced_outcome_control_wise = {}
     end
 
     private
@@ -29,16 +30,43 @@ module Inspec::Plugin::V2::PluginType
 
     # method to identify when the control ended running
     # this will be useful in executing operations on control's level end
-    def control_ended?(control_id)
+    def control_ended?(notification, control_id)
       set_control_checks_count_map_value
       unless @control_checks_count_map[control_id].nil?
         @control_checks_count_map[control_id] -= 1
-        @control_checks_count_map[control_id] == 0
+        control_ended = @control_checks_count_map[control_id] == 0
+        # after a control has ended it checks for certain operations, like enhanced outcomes
+        run_control_operations(notification, control_id) if control_ended
+        control_ended
       else
         false
       end
     end
 
+    def run_control_operations(notification, control_id)
+      check_for_enhanced_outcomes(notification, control_id)
+    end
+
+    def check_for_enhanced_outcomes(notification, control_id)
+      if enhanced_outcomes
+        control_outcome = add_enhanced_outcomes(control_id)
+        @enhanced_outcome_control_wise[control_id] = control_outcome
+      end
+    end
+
+    def format_message(indicator, control_id, title, full_description)
+      message_to_format = ""
+      message_to_format += "#{indicator}  "
+      message_to_format += "#{control_id.to_s.strip.dup.force_encoding(Encoding::UTF_8)}  "
+      message_to_format += "#{title.gsub(/\n*\s+/, " ").to_s.force_encoding(Encoding::UTF_8)}  " if title
+      message_to_format += "#{full_description.gsub(/\n*\s+/, " ").to_s.force_encoding(Encoding::UTF_8)}  " unless title
+      message_to_format
+    end
+
+    def control_outcome(control_id)
+      @enhanced_outcome_control_wise[control_id]
+    end
+
     # method to identify total no. of controls
     def controls_count
       @controls_count ||= RSpec.configuration.formatters.grep(Inspec::Formatters::Base).first.get_controls_count

data/lib/inspec/profile.rb

@@ -16,6 +16,7 @@ require "inspec/utils/json_profile_summary"
 require "inspec/dependency_loader"
 require "inspec/dependency_installer"
 require "inspec/utils/profile_ast_helpers"
+require "plugins/inspec-sign/lib/inspec-sign/base"
 
 module Inspec
   class Profile
@@ -82,7 +83,7 @@ module Inspec
     end
 
     attr_reader :source_reader, :backend, :runner_context, :check_mode
-    attr_accessor :parent_profile, :profile_id, :profile_name
+    attr_accessor :parent_profile, :profile_id, :profile_name, :target
     def_delegator :@source_reader, :tests
     def_delegator :@source_reader, :libraries
     def_delegator :@source_reader, :metadata
@@ -181,6 +182,26 @@ module Inspec
       @state == :failed
     end
 
+    def verify_if_signed
+      if signed?
+        verify_signed_profile
+        true
+      else
+        false
+      end
+    end
+
+    def signed?
+      # Signed profiles have .iaf extension
+      (@source_reader&.target&.parent&.class == Inspec::IafProvider)
+    end
+
+    def verify_signed_profile
+      # Kitchen inspec send target profile in Hash format in some scenarios. For example: While using local profile with kitchen, {:path => "path/to/kitchen/lcoal-profile"}
+      target_profile = target.is_a?(Hash) ? target.values[0] : target
+      InspecPlugins::Sign::Base.profile_verify(target_profile, true) if target_profile
+    end
+
     #
     # Is this profile is supported on the current platform of the
     # backend machine and the current inspec version.
@@ -215,8 +236,30 @@ module Inspec
       @params ||= load_params
     end
 
+    def virtual_profile?
+      # A virtual profile is for virtual profile evaluation
+      # Used by shell & inspec detect command.
+      (name == "inspec-shell") && (files&.length == 1) && (files[0] == "inspec.yml")
+    end
+
     def collect_tests
       unless @tests_collected || failed?
+
+        # This is that one common place in InSpec engine which is used to collect tests of InSpec profile
+        # One common place used by most of the CLI commands using profile, like exec, export etc
+        # Checking for profile signature in parent profile only
+        # Child profiles of a signed profile are extracted to cache dir
+        # Hence they are not in .iaf format
+        # Only runs this block when preview flag CHEF_PREVIEW_MANDATORY_PROFILE_SIGNING is set
+        Inspec.with_feature("inspec-mandatory-profile-signing") {
+          if !parent_profile && !virtual_profile?
+            cfg = Inspec::Config.cached
+            if cfg.is_a?(Inspec::Config) && !cfg.allow_unsigned_profiles?
+              raise Inspec::ProfileSignatureRequired, "Signature required for profile: #{name}. Please provide a signed profile. Or set CHEF_ALLOW_UNSIGNED_PROFILES in the environment. Or use `--allow-unsigned-profiles` flag with InSpec CLI." unless verify_if_signed
+            end
+          end
+        }
+
         return unless supports_platform?
 
         locked_dependencies.each(&:collect_tests)

data/lib/inspec/reporters.rb

@@ -4,76 +4,89 @@ require "inspec/reporters/json"
 require "inspec/reporters/json_automate"
 require "inspec/reporters/automate"
 require "inspec/reporters/yaml"
+require "inspec/feature"
 
 module Inspec::Reporters
   # rubocop:disable Metrics/CyclomaticComplexity
   def self.render(reporter, run_data, enhanced_outcomes = false)
     name, config = reporter.dup
-    config[:run_data] = run_data
-    case name
-    when "cli"
-      reporter = Inspec::Reporters::CLI.new(config)
-    when "json"
-      reporter = Inspec::Reporters::Json.new(config)
-    # This reporter is only used for Chef internal. We reserve the
-    # right to introduce breaking changes to this reporter at any time.
-    when "json-automate"
-      reporter = Inspec::Reporters::JsonAutomate.new(config)
-    when "automate"
-      reporter = Inspec::Reporters::Automate.new(config)
-    when "yaml"
-      reporter = Inspec::Reporters::Yaml.new(config)
-    else
-      # If we made it here, it must be a plugin, and we know it exists (because we validated it in config.rb)
-      activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
-      activator.activate!
-      reporter = activator.implementation_class.new(config)
-    end
-    reporter.enhanced_outcomes = enhanced_outcomes
+    Inspec.with_feature("inspec-reporter-#{name}") {
+      config[:run_data] = run_data
+      case name
+      when "cli"
+        reporter = Inspec::Reporters::CLI.new(config)
+      when "json"
+        reporter = Inspec::Reporters::Json.new(config)
+      # This reporter is only used for Chef internal. We reserve the
+      # right to introduce breaking changes to this reporter at any time.
+      when "json-automate"
+        reporter = Inspec::Reporters::JsonAutomate.new(config)
+      when "automate"
+        reporter = Inspec::Reporters::Automate.new(config)
+      when "yaml"
+        reporter = Inspec::Reporters::Yaml.new(config)
+      else
+        # If we made it here, it must be a plugin, and we know it exists (because we validated it in config.rb)
+        activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
+        activator.activate!
+        reporter = activator.implementation_class.new(config)
+      end
 
-    # optional send_report method on reporter
-    return reporter.send_report if defined?(reporter.send_report)
+      if enhanced_outcomes
+        Inspec.with_feature("inspec-enhanced-outcomes") {
+          reporter.enhanced_outcomes = enhanced_outcomes
+        }
+      else
+        reporter.enhanced_outcomes = enhanced_outcomes
+      end
 
-    reporter.render
-    output = reporter.rendered_output
+      # optional send_report method on reporter
+      return reporter.send_report if defined?(reporter.send_report)
 
-    if config["file"]
-      # create destination directory if it does not exist
-      dirname = File.dirname(config["file"])
-      FileUtils.mkdir_p(dirname) unless File.directory?(dirname)
+      reporter.render
+      output = reporter.rendered_output
+      config_file = config["file"]
+      if config_file
+        config_file.gsub!("CHILD_PID", Process.pid.to_s)
+        # create destination directory if it does not exist
+        dirname = File.dirname(config_file)
+        FileUtils.mkdir_p(dirname) unless File.directory?(dirname)
 
-      File.write(config["file"], output)
-    elsif config["stdout"] == true
-      print output
-      $stdout.flush
-    end
+        File.write(config_file, output)
+      elsif config["stdout"] == true
+        print output
+        $stdout.flush
+      end
+    }
   end
 
   def self.report(reporter, run_data)
     name, config = reporter.dup
-    config[:run_data] = run_data
-    case name
-    when "json"
-      reporter = Inspec::Reporters::Json.new(config)
-    when "json-automate"
-      reporter = Inspec::Reporters::JsonAutomate.new(config)
-    when "yaml"
-      reporter = Inspec::Reporters::Yaml.new(config)
-    else
-      # If we made it here, it might be a plugin
-      begin
-        activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
-        activator.activate!
-        reporter = activator.implementation_class.new(config)
-        unless reporter.respond_to(:report?)
+    Inspec.with_feature("inspec-reporter-#{name}") {
+      config[:run_data] = run_data
+      case name
+      when "json"
+        reporter = Inspec::Reporters::Json.new(config)
+      when "json-automate"
+        reporter = Inspec::Reporters::JsonAutomate.new(config)
+      when "yaml"
+        reporter = Inspec::Reporters::Yaml.new(config)
+      else
+        # If we made it here, it might be a plugin
+        begin
+          activator = Inspec::Plugin::V2::Registry.instance.find_activator(plugin_type: :reporter, activator_name: name.to_sym)
+          activator.activate!
+          reporter = activator.implementation_class.new(config)
+          unless reporter.respond_to(:report?)
+            return run_data
+          end
+        rescue Inspec::Plugin::V2::LoadError
+          # Must not have been a plugin - just return the run_data
           return run_data
         end
-      rescue Inspec::Plugin::V2::LoadError
-        # Must not have been a plugin - just return the run_data
-        return run_data
       end
-    end
 
-    reporter.report
+      reporter.report
+    }
   end
 end