metasploit-model 2.0.4 → 3.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: f5931fcef9a47b50a9829e81ad51125d66e855a8
-  data.tar.gz: 92a0b8a04a711bfd83b3ec395e5558d1867142ba
+SHA256:
+  metadata.gz: 5dfe45d8a1e68673abc35d971c84c0008953a48ea3d02ea1474038737f26174f
+  data.tar.gz: cb013f8c4e3c54e36c5ab14cf4f3a00b3737b3914dd3b8f36ba89745080abae7
 SHA512:
-  metadata.gz: d5508cca540e03ba5581227747d831f7378529392dff9b96938ad9ced88c91bb8f10c62f6c279786b2039cea36ce8fd72a852daf0575d9f933781cc8db5600b7
-  data.tar.gz: 94bc2fd53546b919075f06f3b620510c98d95488d16cd8655208cab3c1e11a3521dab84875d6f1d4de3431914a62618cc4c3e37d1f027551d51530294ad74faa
+  metadata.gz: dd93de36bc27cee9b4f189bf3e3b50d500280eac1ec695340bad22e68ce0862e88c326c69d093945681515cbac44f57c9cef255f40a42daa00f1db2b94733aed
+  data.tar.gz: 34c2e286192dc1d7c92cd981a0b7e47f7523053a283930b3dafc9a2bf452f0dd5198b08b54f11723d8a03ee5959f93b0e1768494aeefef84aba810fdcde6c07f

data/.travis.yml

@@ -1,16 +1,21 @@
+dist: trusty
 group: stable
 sudo: false
 cache: bundler
 language: ruby
 addons:
-  postgresql: '9.3'
+  postgresql: '9.6'
   apt:
     packages:
       - graphviz
 rvm:
-  - 2.3.2
+  - 2.7.2
 before_install:
-  - gem update bundler
+  - gem install bundler
+  - cp spec/dummy/config/database.yml.travis spec/dummy/config/database.yml
+  - bundle install
+  - bundle exec rake --version
+  - bundle exec rake db:test:prepare
 script:
   - bundle exec rake spec
   - bundle exec rake yard

data/.yardopts

@@ -1,5 +1,6 @@
 --markup markdown
+--plugin yard-metasploit-erd
 --private
 --protected
 {app,lib}/**/*.rb
-db/migrate/*.rb
+db/migrate/*.rb

data/Gemfile

@@ -7,9 +7,9 @@ gemspec
 group :development, :test do
   # supplies factories for producing model instance for specs
   # Version 4.1.0 or newer is needed to support generate calls without the 'FactoryGirl.' in factory definitions syntax.
-  gem 'factory_girl'
+  gem 'factory_bot'
   # auto-load factories from spec/factories
-  gem 'factory_girl_rails'
+  gem 'factory_bot_rails'
 end
 
 group :test do

data/app/validators/address_format_validator.rb

@@ -0,0 +1,26 @@
+require 'ipaddr'
+
+# Validates that attribute is a valid address.
+class AddressFormatValidator < ActiveModel::EachValidator
+  # Validates that `attribute`'s `value` on `object` is a valid address.
+  #
+  # @param record [#errors, ApplicationRecord] ActiveModel or ActiveRecord
+  # @param attribute [Symbol] name of address attribute.
+  # @param value [String, nil] address.
+  # @return [void]
+  def validate_each(object, attribute, value)
+    error_message_block = lambda{ object.errors.add attribute, "must be a valid (IP or hostname) address" }
+    begin
+      # Checks for valid IP addresses
+      if value.is_a? IPAddr
+        potential_ip = value.dup
+      else
+        potential_ip = IPAddr.new(value)
+      end
+      error_message_block.call unless potential_ip.ipv4? || potential_ip.ipv6?
+    rescue IPAddr::InvalidAddressError, IPAddr::AddressFamilyError, ArgumentError
+      # IP address resolution failed, checks for valid hostname
+      error_message_block.call unless (value && value.match?(/\A#{URI::PATTERN::HOSTNAME}\z/))
+    end
+  end
+end

data/app/validators/ip_format_validator.rb

@@ -1,31 +1,25 @@
 require 'ipaddr'
 
-# Validates that value is an IPv4 or IPv6 address.
+# Validates that value is a valid IPv4 or IPv6 address.
 class IpFormatValidator < ActiveModel::EachValidator
-  # Validates that `value` is an IPv4 or IPv4 address.  Ranges in CIDR or netmask notation are not allowed.
+  # Validates that `attribute`'s `value` on `object` is a valid IPv4 or IPv6 address.
   #
-  # @param record [#errors, ActiveRecord::Base] ActiveModel or ActiveRecord
+  # @param record [#errors, ApplicationRecord] ActiveModel or ActiveRecord
   # @param attribute [Symbol] name of IP address attribute.
   # @param value [String, nil] IP address.
   # @return [void]
-  # @see IPAddr#ipv4?
-  # @see IPAddr#ipv6?
-  def validate_each(record, attribute, value)
+  def validate_each(object, attribute, value)
+    error_message_block = lambda{ object.errors.add attribute, "must be a valid IPv4 or IPv6 address" }
     begin
-      potential_ip = IPAddr.new(value)
-    rescue ArgumentError
-      record.errors[attribute] << 'must be a valid IPv4 or IPv6 address'
-    else
-      # if it includes a netmask, then it's not an IP address, but an IP range.
-      if potential_ip.ipv4?
-        if potential_ip.instance_variable_get(:@mask_addr) != IPAddr::IN4MASK
-          record.errors[attribute] << 'must be a valid IPv4 or IPv6 address and not an IPv4 address range in CIDR or netmask notation'
-        end
-      elsif potential_ip.ipv6?
-        if potential_ip.instance_variable_get(:@mask_addr) != IPAddr::IN6MASK
-          record.errors[attribute] << 'must be a valid IPv4 or IPv6 address and not an IPv6 address range in CIDR or netmask notation'
-        end
+      if value.is_a? IPAddr
+        potential_ip = value.dup
+      else
+        potential_ip = IPAddr.new(value)
       end
+
+      error_message_block.call unless potential_ip.ipv4? || potential_ip.ipv6?
+    rescue ArgumentError
+      error_message_block.call
     end
   end
 end

data/app/validators/nil_validator.rb

@@ -4,13 +4,13 @@
 class NilValidator < ActiveModel::EachValidator
   # Validates that `value` is `nil`.
   #
-  # @param record [#errors, ActiveRecord::Base] an ActiveModel or ActiveRecord
+  # @param record [#errors, ApplicationRecord] an ActiveModel or ActiveRecord
   # @param attribute [Symbol] name of attribute being validated.
   # @param value [#nil?] value of `attribute` to check with `nil?`
   # @return [void]
   def validate_each(record, attribute, value)
     unless value.nil?
-      record.errors[attribute] << 'must be nil'
+      record.errors.add attribute, 'must be nil'
     end
   end
-end
+end

data/app/validators/parameters_validator.rb

@@ -1,13 +1,21 @@
 # Validates that attribute's value is Array<Array(String, String)> which is the only valid type signature for serialized
 # parameters.
 class ParametersValidator < ActiveModel::EachValidator
+  #
+  # CONSTANTS
+  #
+
   # Sentence explaining the valid type signature for parameters.
   TYPE_SIGNATURE_SENTENCE = 'Valid parameters are an Array<Array(String, String)>.'
 
-  # Validates that attribute's value is Array<Array(String, String)> which is the only valid type signature for
-  # serialized parameters.  Errors are specific to the how different `value` is compared to correct format.
   #
-  # @param record [#errors, ActiveRecord::Base] ActiveModel or ActiveRecord
+  # Instance Methods
+  #
+
+  # Validates that `attribute`'s `value` on `record` is `Array<Array(String, String)>` which is the only valid type
+  # signature for serialized parameters.
+  #
+  # @param record [#errors, ApplicationRecord] ActiveModel or ActiveRecord
   # @param attribute [Symbol] serialized parameters attribute name.
   # @param value [Object, nil, Array, Array<Array>, Array<Array(String, String)>] serialized parameters.
   # @return [void]
@@ -28,7 +36,7 @@ class ParametersValidator < ActiveModel::EachValidator
                 :index => index
             )
 
-            record.errors[attribute] << length_error
+            record.errors.add attribute, length_error
           else
             parameter_name = element.first
 
@@ -39,7 +47,7 @@ class ParametersValidator < ActiveModel::EachValidator
                     :index => index,
                     :prefix => "has blank parameter name"
                 )
-                record.errors[attribute] << error
+                record.errors.add attribute, error
               end
             else
               error = error_at(
@@ -47,7 +55,7 @@ class ParametersValidator < ActiveModel::EachValidator
                   :index => index,
                   :prefix => "has non-String parameter name (#{parameter_name.inspect})"
               )
-              record.errors[attribute] << error
+              record.errors.add attribute, error
             end
 
             parameter_value = element.second
@@ -58,7 +66,7 @@ class ParametersValidator < ActiveModel::EachValidator
                   :index => index,
                   :prefix => "has non-String parameter value (#{parameter_value.inspect})"
               )
-              record.errors[attribute] << error
+              record.errors.add attribute, error
             end
           end
         else
@@ -67,11 +75,11 @@ class ParametersValidator < ActiveModel::EachValidator
               :index => index,
               :prefix => 'has non-Array'
           )
-          record.errors[attribute] << error
+          record.errors.add attribute, error
         end
       end
     else
-      record.errors[attribute] << "is not an Array.  #{TYPE_SIGNATURE_SENTENCE}"
+      record.errors.add attribute, "is not an Array.  #{TYPE_SIGNATURE_SENTENCE}"
     end
   end
 
@@ -144,4 +152,4 @@ class ParametersValidator < ActiveModel::EachValidator
 
     clause
   end
-end
+end

data/app/validators/password_is_strong_validator.rb

@@ -4,22 +4,20 @@ class PasswordIsStrongValidator < ActiveModel::EachValidator
   # CONSTANTS
   #
 
-  # Password that are used too often and will be easily guessed.
+  # Known passwords that should NOT be allowed and should be considered weak.
   COMMON_PASSWORDS = %w{
-			password pass root admin metasploit
-			msf 123456 qwerty abc123 letmein monkey link182 demo
-			changeme test1234 rapid7
-		}
-
-  # Validates that `value` is a strong password.  A password is strong if it meets the following rules:
-  # * SHOULD contain at least one letter.
-  # * SHOULD contain at least one digit.
-  # * SHOULD contain at least one special character.
-  # * SHOULD NOT contain `record.username` (case-insensitive).
-  # * SHOULD NOT be in {COMMON_PASSWORDS}.
-  # * SHOULD NOT repetitions.
+      password pass root admin metasploit
+      msf 123456 qwerty abc123 letmein monkey link182 demo
+      changeme test1234 rapid7
+    }
+
+  # Special characters that are considered to strength passwords and are required once in a strong password.
+  SPECIAL_CHARS = %q{!@"#$%&'()*+,-./:;<=>?[\\]^_`{|}~ }
+
+  # Validates that the `attribute`'s `value` on `record` contains letters, numbers, and at least one special character
+  # without containing the `record.username`, any {COMMON_PASSWORDS} or repetition.
   #
-  # @param record [#errors, #username, ActiveRecord::Base] ActiveModel or ActiveRecord that supports #username method.
+  # @param record [#errors, #username, ApplicationRecord] ActiveModel or ActiveRecord that supports #username method.
   # @param attribute [Symbol] password attribute name.
   # @param value [String] a password.
   # @return [void]
@@ -27,30 +25,101 @@ class PasswordIsStrongValidator < ActiveModel::EachValidator
     return if value.blank?
 
     if is_simple?(value)
-      record.errors[attribute] << 'must contain letters, numbers, and at least one special character'
+      record.errors.add attribute, 'must contain letters, numbers, and at least one special character'
     end
 
-    if contains_username?(record.username, value)
-      record.errors[attribute] << 'must not contain the username'
+    if !record.username.blank? && contains_username?(record.username, value)
+      record.errors.add attribute, 'must not contain the username'
     end
 
     if is_common_password?(value)
-      record.errors[attribute] << 'must not be a common password'
+      record.errors.add attribute, 'must not be a common password'
     end
 
-    if contains_repetition?(value)
-      record.errors[attribute] << 'must not be a predictable sequence of characters'
+    if is_only_repetition?(value)
+      record.errors.add attribute, 'must not be a predictable sequence of characters'
     end
   end
 
   private
 
-  # Password repetition (quite basic) -- no "aaaaaa" or "ababab" or "abcabc" or
-  # "abcdabcd" (but note that the user can use "aaaaaab" or something).
+  # Returns whether the password is simple.
+  #
+  # @return [false] if password contains a letter, digit and special character.
+  # @return [true] otherwise
+  def is_simple?(password)
+    not (password =~ /[A-Za-z]/ and password =~ /[0-9]/ and password =~ /[#{Regexp.escape(SPECIAL_CHARS)}]/)
+  end
+
+  # Returns whether username is in password (case-insensitively).
+  #
+  # @return [true] if `username` is in `password`.
+  # @return [false] unless `username` is in `password`.
+  def contains_username?(username, password)
+    !!(password =~ /#{username}/i)
+  end
+
+  # Returns whether `password` is in {COMMON_PASSWORDS} or a simple variation of a password in {COMMON_PASSWORDS}.
+  #
+  # @param password [String]
+  # @return [Boolean]
+  def is_common_password?(password)
+    COMMON_PASSWORDS.each do |pw|
+      common_pw = [pw] # pw + "!", pw + "1", pw + "12", pw + "123", pw + "1234"]
+      common_pw += mutate_pass(pw)
+      common_pw.each do |common_pass|
+        if password.downcase =~ /#{common_pass}[\d!]*/
+          return true
+        end
+      end
+    end
+    false
+  end
+
+  # Returns a leet mutated variant of the original password
+  #
+  # @param password [String]
+  # @return [String] containing the password with leet mutations
+  def mutate_pass(password)
+    mutations = {
+        'a' => '@',
+        'o' => '0',
+        'e' => '3',
+        's' => '$',
+        't' => '7',
+        'l' => '1'
+    }
+
+    iterations = mutations.keys.dup
+    results = []
+
+    # Find PowerSet of all possible mutation combinations
+    iterations = iterations.inject([[]]){|c,y|r=[];c.each{|i|r<<i;r<<i+[y]};r}
+
+    # Iterate through combinations to create each possible mutation
+    iterations.each do |iteration|
+      next if iteration.flatten.empty?
+      first = iteration.shift
+      intermediate = password.gsub(/#{first}/i, mutations[first])
+      iteration.each do |mutator|
+        next unless mutator.kind_of? String
+        intermediate.gsub!(/#{mutator}/i, mutations[mutator])
+      end
+      results << intermediate
+    end
+
+    return results
+  end
+
+
+  # Returns whether `password` is only composed of repetitions
   #
   # @param password [String]
   # @return [Boolean]
-  def contains_repetition?(password)
+  def is_only_repetition?(password)
+    # Password repetition (quite basic) -- no "aaaaaa" or "ababab" or "abcabc" or
+    # "abcdabcd" (but note that the user can use "aaaaaab" or something).
+
     if password.scan(/./).uniq.size < 2
       return true
     end
@@ -69,47 +138,4 @@ class PasswordIsStrongValidator < ActiveModel::EachValidator
 
     false
   end
-
-  # Whether username is in password (case-insensitively).
-  #
-  # @return [false] if `password` is blank.
-  # @return [false] if `username` is blank.
-  # @return [false] unless `username` is in `password`.
-  # @return [true] if `username` is in `password`.
-  def contains_username?(username, password)
-    contains = false
-
-    unless password.blank? or username.blank?
-      escaped_username = Regexp.escape(username)
-      username_regexp = Regexp.new(escaped_username, Regexp::IGNORECASE)
-
-      if username_regexp.match(password)
-        contains = true
-      end
-    end
-
-    contains
-  end
-
-  # Whether `password` is in {COMMON_PASSWORDS} or a simple variation of a password in {COMMON_PASSWORDS}.
-  #
-  # @param password [String]
-  # @return [Boolean]
-  def is_common_password?(password)
-    COMMON_PASSWORDS.each do |pw|
-      common_pw = [pw, pw + "!", pw + "1", pw + "12", pw + "123", pw + "1234"]
-      if common_pw.include?(password.downcase)
-        return true
-      end
-    end
-    false
-  end
-
-  # Returns whether the password is simple.
-  #
-  # @return [false] if password contains a letter, digit and special character.
-  # @return [true] otherwise
-  def is_simple?(password)
-    not (password =~ /[A-Za-z]/ and password =~ /[0-9]/ and password =~ /[\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x3a\x3b\x3c\x3d\x3e\x3f\x5b\x5c\x5d\x5e\x5f\x60\x7b\x7c\x7d\x7e]/)
-  end
-end
+end

data/lib/metasploit/model.rb

@@ -9,6 +9,7 @@
 require 'active_model'
 require 'active_support'
 
+autoload :AddressFormatValidator, 'address_format_validator'
 autoload :IpFormatValidator, 'ip_format_validator'
 autoload :NilValidator, 'nil_validator'
 autoload :ParametersValidator, 'parameters_validator'

data/lib/metasploit/model/base.rb

@@ -1,5 +1,5 @@
 # Superclass for all Metasploit::Models.  Just adds a default {#initialize} to make models mimic behavior of
-# ActiveRecord::Base subclasses.
+# ApplicationRecord subclasses.
 class Metasploit::Model::Base
   include ActiveModel::Validations
 
@@ -22,4 +22,4 @@ class Metasploit::Model::Base
       raise Metasploit::Model::Invalid.new(self)
     end
   end
-end
+end