inspec 3.0.46 → 3.0.52

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5ff447f7ae9aa9544f0e511e2d5d07f2e52015e031f33fdde47e578b3f1a7ed8
-  data.tar.gz: 94a76db1779ffcf1e6b74101e064891578e30e74f18c3d6dc87d9a0dfb1e593f
+  metadata.gz: c5971c1dc6baf84c252d7f662178f0759a78b470b748c11aa303c2fb52c0de01
+  data.tar.gz: 04164f7e8bf06371813f01126c1cebc86bd90bd282d168d978ca06317530458d
 SHA512:
-  metadata.gz: 052a13a474764ee9857ade3a9caef06204a568d48a254f85f753d8ccfa6051b6214268e007acdf051fc8fc0699bb18680b92acd870cab2889e1e24037ceabafb
-  data.tar.gz: 3ce8e4121cd642573a713d365e9bdb1624c0ab145b81c42ce608e2a57705a0fa80356731d94d88367d23ce84b7af0b5b18ca399471de50f0db9c074fb715409f
+  metadata.gz: 1b252d1733f366b92f0e996413fe38166d69f30f02a23762d34fed9de10d1f2ad25ac9cb1395294e49aa9d16d2b61f10924dd1e5a23c5a9e69ad913deeebae85
+  data.tar.gz: 137e9b3594c8245c5171dc5c6ae88ae9d00114d5a362c6a420c316e2856b6568fbc591ffeb8eca2df9db915ebeef0e0796cdae734cf3030bb6f5cf7d8a6b1ac7

data/CHANGELOG.md

@@ -1,36 +1,49 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 3.0.46 -->
-## [v3.0.46](https://github.com/inspec/inspec/tree/v3.0.46) (2018-11-08)
+<!-- latest_release 3.0.52 -->
+## [v3.0.52](https://github.com/inspec/inspec/tree/v3.0.52) (2018-11-15)
 
-#### New Features
-- Add Git SSH and HTTP basic auth support to `inspec exec` [#3562](https://github.com/inspec/inspec/pull/3562) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+#### Merged Pull Requests
+- Load the compliance plugin when the fetcher is needed [#3609](https://github.com/inspec/inspec/pull/3609) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
 <!-- latest_release -->
 
-<!-- release_rollup since=3.0.25 -->
-### Changes since 3.0.25 release
+<!-- release_rollup since=3.0.46 -->
+### Changes since 3.0.46 release
 
-#### New Features
-- Add Git SSH and HTTP basic auth support to `inspec exec` [#3562](https://github.com/inspec/inspec/pull/3562) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 3.0.46 -->
+#### Merged Pull Requests
+- Load the compliance plugin when the fetcher is needed [#3609](https://github.com/inspec/inspec/pull/3609) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 3.0.52 -->
 
 #### Bug Fixes
-- port: Correctly detect FreeBSD [#3579](https://github.com/inspec/inspec/pull/3579) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 3.0.43 -->
-- Update iis_site bindingInformation construction and add tests [#3492](https://github.com/inspec/inspec/pull/3492) ([mrshanahan](https://github.com/mrshanahan)) <!-- 3.0.40 -->
-- Silence RSpec &#39;should&#39; Warning [#3560](https://github.com/inspec/inspec/pull/3560) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 3.0.29 -->
+- Adds protection against zipslip vulnerability [#3604](https://github.com/inspec/inspec/pull/3604) ([hdost](https://github.com/hdost)) <!-- 3.0.51 -->
 
 #### Enhancements
-- Allow add_test to accept negation [#3586](https://github.com/inspec/inspec/pull/3586) ([rachelrice](https://github.com/rachelrice)) <!-- 3.0.37 -->
-- Added xml resource support for ints, bools, and string responses [#3583](https://github.com/inspec/inspec/pull/3583) ([greenantdotcom](https://github.com/greenantdotcom)) <!-- 3.0.34 -->
-- Add only_if to Inspec objects [#3577](https://github.com/inspec/inspec/pull/3577) ([james-stocks](https://github.com/james-stocks)) <!-- 3.0.31 -->
-- aws_vpc: accept 17 hexadecimal characters for vpc_id [#3564](https://github.com/inspec/inspec/pull/3564) ([kchistova](https://github.com/kchistova)) <!-- 3.0.28 -->
-
-#### Merged Pull Requests
-- Fixes broken link in documentation [#3588](https://github.com/inspec/inspec/pull/3588) ([dmccown](https://github.com/dmccown)) <!-- 3.0.30 -->
-- Fixes (some) ruby warnings related to functional tests [#3561](https://github.com/inspec/inspec/pull/3561) ([TheLonelyGhost](https://github.com/TheLonelyGhost)) <!-- 3.0.27 -->
-- Fix functional tests issues with vendoring [#3572](https://github.com/inspec/inspec/pull/3572) ([jquick](https://github.com/jquick)) <!-- 3.0.26 -->
+- Adding --no-pager to service checks [#3592](https://github.com/inspec/inspec/pull/3592) ([fernandoalex](https://github.com/fernandoalex)) <!-- 3.0.50 -->
+- aws_security_group: Query against other security group ids in allow_* matchers [#3576](https://github.com/inspec/inspec/pull/3576) ([j00p34](https://github.com/j00p34)) <!-- 3.0.49 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v3.0.46](https://github.com/inspec/inspec/tree/v3.0.46) (2018-11-08)
+
+#### New Features
+- Add Git SSH and HTTP basic auth support to `inspec exec` [#3562](https://github.com/inspec/inspec/pull/3562) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+
+#### Enhancements
+- aws_vpc: accept 17 hexadecimal characters for vpc_id [#3564](https://github.com/inspec/inspec/pull/3564) ([kchistova](https://github.com/kchistova))
+- Add only_if to Inspec objects [#3577](https://github.com/inspec/inspec/pull/3577) ([james-stocks](https://github.com/james-stocks))
+- Added xml resource support for ints, bools, and string responses [#3583](https://github.com/inspec/inspec/pull/3583) ([greenantdotcom](https://github.com/greenantdotcom))
+- Allow add_test to accept negation [#3586](https://github.com/inspec/inspec/pull/3586) ([rachelrice](https://github.com/rachelrice))
+
+#### Bug Fixes
+- Silence RSpec &#39;should&#39; Warning [#3560](https://github.com/inspec/inspec/pull/3560) ([clintoncwolfe](https://github.com/clintoncwolfe))
+- Update iis_site bindingInformation construction and add tests [#3492](https://github.com/inspec/inspec/pull/3492) ([mrshanahan](https://github.com/mrshanahan))
+- port: Correctly detect FreeBSD [#3579](https://github.com/inspec/inspec/pull/3579) ([clintoncwolfe](https://github.com/clintoncwolfe))
+
+#### Merged Pull Requests
+- Fix functional tests issues with vendoring [#3572](https://github.com/inspec/inspec/pull/3572) ([jquick](https://github.com/jquick))
+- Fixes (some) ruby warnings related to functional tests [#3561](https://github.com/inspec/inspec/pull/3561) ([TheLonelyGhost](https://github.com/TheLonelyGhost))
+- Fixes broken link in documentation [#3588](https://github.com/inspec/inspec/pull/3588) ([dmccown](https://github.com/dmccown))
+<!-- latest_stable_release -->
+
 ## [v3.0.25](https://github.com/inspec/inspec/tree/v3.0.25) (2018-11-01)
 
 #### Enhancements
@@ -46,7 +59,6 @@
 - Allow end of options during Thor array parsing [#3547](https://github.com/inspec/inspec/pull/3547) ([jquick](https://github.com/jquick))
 - Pin to train 1.5.6 [#3568](https://github.com/inspec/inspec/pull/3568) ([jquick](https://github.com/jquick))
 - bump expeditor version [#3569](https://github.com/inspec/inspec/pull/3569) ([jquick](https://github.com/jquick))
-<!-- latest_stable_release -->
 
 ## [v3.0.12](https://github.com/inspec/inspec/tree/v3.0.12) (2018-10-24)
 

data/lib/inspec/fetcher.rb

@@ -42,3 +42,6 @@ end
 require 'fetchers/local'
 require 'fetchers/url'
 require 'fetchers/git'
+
+# TODO: Remove in 4.0 when Compliance fetcher plugin is created
+require 'plugins/inspec-compliance/lib/inspec-compliance/api'

data/lib/inspec/file_provider.rb

@@ -100,7 +100,7 @@ module Inspec
       walk_zip(@path) do |io|
         while (entry = io.get_next_entry)
           name = entry.name.sub(%r{/+$}, '')
-          @files.push(name) unless name.empty?
+          @files.push(name) unless name.empty? || name.squeeze('/') =~ %r{\.{2}(?:/|\z)}
         end
       end
     end
@@ -156,7 +156,7 @@ module Inspec
         @files = tar.find_all(&:file?)
 
         # delete all entries with no name
-        @files = @files.find_all { |x| !x.full_name.empty? }
+        @files = @files.find_all { |x| !x.full_name.empty? && x.full_name.squeeze('/') !~ %r{\.{2}(?:/|\z)} }
 
         # delete all entries that have a PaxHeader
         @files = @files.delete_if { |x| x.full_name.include?('PaxHeader/') }

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '3.0.46'
+  VERSION = '3.0.52'
 end

data/lib/resources/aws/aws_security_group.rb

@@ -41,9 +41,18 @@ class AwsSecurityGroup < Inspec.resource(1)
   private
 
   def allow_only(rules, criteria)
+    rules = allow__focus_on_position(rules, criteria)
     # allow_{in_out}_only require either a single-rule group, or you
     # to select a rule using position.
     return false unless rules.count == 1 || criteria.key?(:position)
+    if criteria.key?(:security_group)
+      if criteria.key?(:position)
+        pos = criteria[:position] -1
+      else
+        pos = 0
+      end
+      return false unless rules[pos].key?(:user_id_group_pairs) && rules[pos][:user_id_group_pairs].count == 1
+    end
     criteria[:exact] = true
     allow(rules, criteria)
   end
@@ -58,6 +67,7 @@ class AwsSecurityGroup < Inspec.resource(1)
       matched &&= allow__match_protocol(rule, criteria)
       matched &&= allow__match_ipv4_range(rule, criteria)
       matched &&= allow__match_ipv6_range(rule, criteria)
+      matched &&= allow__match_security_group(rule, criteria)
       matched
     end
   end
@@ -67,6 +77,7 @@ class AwsSecurityGroup < Inspec.resource(1)
       :from_port,
       :ipv4_range,
       :ipv6_range,
+      :security_group,
       :port,
       :position,
       :protocol,
@@ -187,6 +198,13 @@ class AwsSecurityGroup < Inspec.resource(1)
     match_ipv4_or_6_range(rule, criteria)
   end
 
+  def allow__match_security_group(rule, criteria)
+    return true unless criteria.key?(:security_group)
+    query = criteria[:security_group]
+    return false unless rule[:user_id_group_pairs]
+    rule[:user_id_group_pairs].any? { |group| query == group[:group_id] }
+  end
+
   def validate_params(raw_params)
     recognized_params = check_resource_param_names(
       raw_params: raw_params,

data/lib/resources/service.rb

@@ -272,7 +272,7 @@ module Inspec::Resources
     end
 
     def info(service_name)
-      cmd = inspec.command("#{service_ctl} show --all #{service_name}")
+      cmd = inspec.command("#{service_ctl} show --no-pager --all #{service_name}")
       return nil if cmd.exit_status.to_i != 0
 
       # parse data

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 3.0.46
+  version: 3.0.52
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-11-08 00:00:00.000000000 Z
+date: 2018-11-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train