metasploit_data_models 0.16.6-java → 0.16.7-java

data/app/validators/password_is_strong_validator.rb

@@ -5,6 +5,8 @@ class PasswordIsStrongValidator < ActiveModel::EachValidator
 			changeme test1234 rapid7
 		}
 
+  SPECIAL_CHARS = %q{!@"#$%&'()*+,-./:;<=>?[\\]^_`{|}~ }
+
   def validate_each(record, attribute, value)
     return if value.blank?
 
@@ -28,7 +30,7 @@ class PasswordIsStrongValidator < ActiveModel::EachValidator
   private
 
   def is_simple?(password)
-    not (password =~ /[A-Za-z]/ and password =~ /[0-9]/ and password =~ /[\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x3a\x3b\x3c\x3d\x3e\x3f\x5b\x5c\x5d\x5e\x5f\x60\x7b\x7c\x7d\x7e]/)
+    not (password =~ /[A-Za-z]/ and password =~ /[0-9]/ and password =~ /[#{Regexp.escape(SPECIAL_CHARS)}]/)
   end
 
   def contains_username?(username, password)
@@ -37,14 +39,50 @@ class PasswordIsStrongValidator < ActiveModel::EachValidator
 
   def is_common_password?(password)
     COMMON_PASSWORDS.each do |pw|
-      common_pw = [pw, pw + "!", pw + "1", pw + "12", pw + "123", pw + "1234"]
-      if common_pw.include?(password.downcase)
-        return true
+      common_pw = [pw] # pw + "!", pw + "1", pw + "12", pw + "123", pw + "1234"]
+      common_pw += mutate_pass(pw)
+      common_pw.each do |common_pass|
+        if password.downcase =~ /#{common_pass}[\d!]*/
+          return true
+        end
       end
     end
     false
   end
 
+  def mutate_pass(password)
+    mutations = {
+        'a' => '@',
+        'o' => '0',
+        'e' => '3',
+        's' => '$',
+        't' => '7',
+        'l' => '1'
+    }
+
+    iterations = mutations.keys.dup
+    results = []
+
+    # Find PowerSet of all possible mutation combinations
+    iterations = iterations.inject([[]]){|c,y|r=[];c.each{|i|r<<i;r<<i+[y]};r}
+
+    # Iterate through combinations to create each possible mutation
+    iterations.each do |iteration|
+      next if iteration.flatten.empty?
+      first = iteration.shift
+      intermediate = password.gsub(/#{first}/i, mutations[first])
+      iteration.each do |mutator|
+        next unless mutator.kind_of? String
+        intermediate.gsub!(/#{mutator}/i, mutations[mutator])
+      end
+      results << intermediate
+    end
+
+    return results
+  end
+
+
+
   def contains_repetition?(password)
     # Password repetition (quite basic) -- no "aaaaaa" or "ababab" or "abcabc" or
     # "abcdabcd" (but note that the user can use "aaaaaab" or something).

data/lib/metasploit_data_models/version.rb

@@ -4,5 +4,5 @@ module MetasploitDataModels
   # metasploit-framework/data/sql/migrate to db/migrate in this project, not all models have specs that verify the
   # migrations (with have_db_column and have_db_index) and certain models may not be shared between metasploit-framework
   # and pro, so models may be removed in the future.  Because of the unstable API the version should remain below 1.0.0
-  VERSION = '0.16.6'
+  VERSION = '0.16.7'
 end

data/spec/app/validators/password_is_strong_validator_spec.rb

@@ -0,0 +1,324 @@
+require 'spec_helper'
+
+describe PasswordIsStrongValidator do
+
+  subject(:password_validator) do
+    described_class.new(
+        :attributes => attributes
+    )
+  end
+
+  let(:attribute) do
+    :params
+  end
+
+  let(:attributes) do
+    attribute
+  end
+
+
+  context '#contains_repetition?' do
+
+    it 'should return true for aaaa' do
+      password_validator.send(:contains_repetition?, 'aaaa').should be_true
+    end
+
+    it 'should return true for ababab' do
+      password_validator.send(:contains_repetition?, 'ababab').should be_true
+    end
+
+    it 'should return true for abcabcabc' do
+      password_validator.send(:contains_repetition?, 'abcabcabc').should be_true
+    end
+
+    it 'should return true for abcdabcd' do
+      password_validator.send(:contains_repetition?, 'abcdabcd').should be_true
+    end
+
+    it 'should return false for abcd1234abcd' do
+      password_validator.send(:contains_repetition?, 'abcd1234abcd').should be_false
+    end
+
+  end
+
+
+
+  context '#mutate_pass' do
+
+    variants = [
+      "metasp1oit",
+      "me7asploi7",
+      "me7asp1oi7",
+      "meta$ploit",
+      "meta$p1oit",
+      "me7a$ploi7",
+      "me7a$p1oi7",
+      "m3tasploit",
+      "m3tasp1oit",
+      "m37asploi7",
+      "m37asp1oi7",
+      "m3ta$ploit",
+      "m3ta$p1oit",
+      "m37a$ploi7",
+      "m37a$p1oi7",
+      "metaspl0it",
+      "metasp10it",
+      "me7aspl0i7",
+      "me7asp10i7",
+      "meta$pl0it",
+      "meta$p10it",
+      "me7a$pl0i7",
+      "me7a$p10i7",
+      "m3taspl0it",
+      "m3tasp10it",
+      "m37aspl0i7",
+      "m37asp10i7",
+      "m3ta$pl0it",
+      "m3ta$p10it",
+      "m37a$pl0i7",
+      "m37a$p10i7",
+      "met@sploit",
+      "met@sp1oit",
+      "me7@sploi7",
+      "me7@sp1oi7",
+      "met@$ploit",
+      "met@$p1oit",
+      "me7@$ploi7",
+      "me7@$p1oi7",
+      "m3t@sploit",
+      "m3t@sp1oit",
+      "m37@sploi7",
+      "m37@sp1oi7",
+      "m3t@$ploit",
+      "m3t@$p1oit",
+      "m37@$ploi7",
+      "m37@$p1oi7",
+      "met@spl0it",
+      "met@sp10it",
+      "me7@spl0i7",
+      "me7@sp10i7",
+      "met@$pl0it",
+      "met@$p10it",
+      "me7@$pl0i7",
+      "me7@$p10i7",
+      "m3t@spl0it",
+      "m3t@sp10it",
+      "m37@spl0i7",
+      "m37@sp10i7",
+      "m3t@$pl0it",
+      "m3t@$p10it",
+      "m37@$pl0i7",
+      "m37@$p10i7"
+      ]
+
+    it 'should return all the expected mutations of a password' do
+      password_validator.send(:mutate_pass, 'metasploit').should == variants
+    end
+
+  end
+
+
+  context '#is_common_password?' do
+
+    PasswordIsStrongValidator::COMMON_PASSWORDS.each do |password|
+
+      it "should return true for #{password}"  do
+        password_validator.send(:is_common_password?, password).should be_true
+      end
+
+      it "should return true for #{password}!"  do
+        password_validator.send(:is_common_password?, "#{password}!").should be_true
+      end
+
+      it "should return true for #{password}1"  do
+        password_validator.send(:is_common_password?, "#{password}1").should be_true
+      end
+
+      it "should return true for #{password}9"  do
+        password_validator.send(:is_common_password?, "#{password}1").should be_true
+      end
+
+      it "should return true for #{password}99"  do
+        password_validator.send(:is_common_password?, "#{password}12").should be_true
+      end
+
+      it "should return true for #{password}123"  do
+        password_validator.send(:is_common_password?, "#{password}123").should be_true
+      end
+
+      it "should return true for #{password}123!" do
+        password_validator.send(:is_common_password?, "#{password}123!").should be_true
+      end
+
+    end
+
+    it "should return true for r00t" do
+      password_validator.send(:is_common_password?, "r00t").should be_true
+    end
+
+    it "should return true for m3t@spl0it" do
+      password_validator.send(:is_common_password?, "m3t@spl0it").should be_true
+    end
+
+    it "should return true for m3t@spl0it123!" do
+      password_validator.send(:is_common_password?, "m3t@spl0it123!").should be_true
+    end
+  end
+
+  context '#contains_username' do
+
+    it 'should return true if username and password are the same' do
+      password_validator.send(:contains_username?, 'admin', 'admin').should be_true
+    end
+
+    it 'should return true if the password contains the username as part of it' do
+      password_validator.send(:contains_username?, 'admin', '123admin123').should be_true
+    end
+
+    it 'should return false otherwise' do
+      password_validator.send(:contains_username?, 'admin', 'foobar').should be_false
+    end
+  end
+
+  context '#is_simple?' do
+
+    it "should return true if no number" do
+      password_validator.send(:is_simple?, "b@carat").should be_true
+    end
+
+    it "should return true if no special char" do
+      password_validator.send(:is_simple?, "bacarat4").should be_true
+    end
+
+    it "should return true if no letters" do
+      password_validator.send(:is_simple?, "1337").should be_true
+    end
+
+    PasswordIsStrongValidator::SPECIAL_CHARS.each_char do |char|
+
+      it "should return false with a #{char}" do
+        password_validator.send(:is_simple?, "bacarat4#{char}").should be_false
+      end
+    end
+  end
+
+  context '#validate_each' do
+
+    subject(:errors) do
+      record.errors[attribute]
+    end
+
+    def validate_each
+      password_validator.validate_each(record, attribute, value)
+    end
+
+    let(:record) do
+      Object.new.tap { |object|
+        object.extend ActiveModel::Validations
+        object.class.module_eval { attr_accessor :username }
+        object.username = 'admin'
+      }
+    end
+
+
+    context 'with a password with no special char' do
+      let(:value) { "bacarat4" }
+
+      it 'should record an error' do
+        validate_each
+        errors.should_not be_empty
+      end
+
+      it 'should have an error of "must contain letters, numbers, and at least one special character"' do
+        validate_each
+        errors.include?("must contain letters, numbers, and at least one special character").should be_true
+      end
+    end
+
+    context 'with a password with no numbers' do
+      let(:value) { "b@carat" }
+
+      it 'should record an error' do
+        validate_each
+        errors.should_not be_empty
+      end
+
+      it 'should have an error of "must contain letters, numbers, and at least one special character"' do
+        validate_each
+        errors.include?("must contain letters, numbers, and at least one special character").should be_true
+      end
+    end
+
+    context 'with a password with no letters' do
+      let(:value) { "1337@" }
+
+      it 'should record an error' do
+        validate_each
+        errors.should_not be_empty
+      end
+
+      it 'should have an error of "must contain letters, numbers, and at least one special character"' do
+        validate_each
+        errors.include?("must contain letters, numbers, and at least one special character").should be_true
+      end
+    end
+
+    context 'with a password containing the username' do
+      let(:value) { "admin1" }
+
+      it 'should record an error' do
+        validate_each
+        errors.should_not be_empty
+      end
+
+      it 'should have an error of "must not contain the username"' do
+        validate_each
+        errors.include?("must not contain the username").should be_true
+      end
+    end
+
+    context 'with a common password' do
+      let(:value) { "password" }
+
+      it 'should record an error' do
+        validate_each
+        errors.should_not be_empty
+      end
+
+      it 'should have an error of "must not be a common password"' do
+        validate_each
+        errors.include?("must not be a common password").should be_true
+      end
+    end
+
+    context 'with a mutated common password' do
+      let(:value) { "P@ssw0rd1!" }
+
+      it 'should record an error' do
+        validate_each
+        errors.should_not be_empty
+      end
+
+      it 'should have an error of "must not be a common password"' do
+        validate_each
+        errors.include?("must not be a common password").should be_true
+      end
+    end
+
+    context 'with a repeated pattern' do
+      let(:value) { "abcdabcd" }
+
+      it 'should record an error' do
+        validate_each
+        errors.should_not be_empty
+      end
+
+      it 'should have an error of "must not be a predictable sequence of characters"' do
+        validate_each
+        errors.include?("must not be a predictable sequence of characters").should be_true
+      end
+    end
+
+  end
+
+end

data/spec/factories/mdm/web_forms.rb

@@ -6,7 +6,7 @@ FactoryGirl.define do
     association :web_site, :factory => :mdm_web_site
 
     trait :exported do
-      method { generate :mdm_web_form_method }
+      add_attribute(:method) { generate :mdm_web_form_method }
       params { generate :mdm_web_form_params }
       path { generate :mdm_web_form_path }
     end
@@ -20,10 +20,10 @@ FactoryGirl.define do
 
   sequence :mdm_web_form_params do |n|
     [
-        [
-            "name#{n}",
-            "value#{n}"
-        ]
+      [
+        "name#{n}",
+        "value#{n}"
+      ]
     ]
   end
 

data/spec/factories/mdm/web_vulns.rb

@@ -11,7 +11,7 @@ FactoryGirl.define do
 
     category { generate :mdm_web_vuln_category }
     confidence { generate :mdm_web_vuln_confidence }
-    method { generate :mdm_web_vuln_method }
+    add_attribute(:method) { generate :mdm_web_vuln_method }
     name { generate :mdm_web_vuln_name }
     path { generate :mdm_web_vuln_path }
     params { generate :mdm_web_vuln_params }

metadata

@@ -2,7 +2,7 @@
 name: metasploit_data_models
 version: !ruby/object:Gem::Version
   prerelease:
-  version: 0.16.6
+  version: 0.16.7
 platform: java
 authors:
 - Samuel Huckins
@@ -12,23 +12,21 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-08-14 00:00:00.000000000 Z
+date: 2013-11-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
-        version: !binary |-
-          MA==
+        version: '0'
     none: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
-        version: !binary |-
-          MA==
+        version: '0'
     none: false
   prerelease: false
   type: :development
@@ -36,17 +34,15 @@ dependencies:
   name: yard
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
-        version: !binary |-
-          MA==
+        version: '0'
     none: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
-        version: !binary |-
-          MA==
+        version: '0'
     none: false
   prerelease: false
   type: :development
@@ -54,17 +50,15 @@ dependencies:
   name: pry
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
-        version: !binary |-
-          MA==
+        version: '0'
     none: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
-        version: !binary |-
-          MA==
+        version: '0'
     none: false
   prerelease: false
   type: :development
@@ -72,13 +66,13 @@ dependencies:
   name: activerecord
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: 3.2.13
     none: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: 3.2.13
     none: false
@@ -88,17 +82,15 @@ dependencies:
   name: activesupport
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
-        version: !binary |-
-          MA==
+        version: '0'
     none: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
-        version: !binary |-
-          MA==
+        version: '0'
     none: false
   prerelease: false
   type: :runtime
@@ -106,17 +98,15 @@ dependencies:
   name: kramdown
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
-        version: !binary |-
-          MA==
+        version: '0'
     none: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
-        version: !binary |-
-          MA==
+        version: '0'
     none: false
   prerelease: false
   type: :development
@@ -124,17 +114,15 @@ dependencies:
   name: jdbc-postgres
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
-        version: !binary |-
-          MA==
+        version: '0'
     none: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
-        version: !binary |-
-          MA==
+        version: '0'
     none: false
   prerelease: false
   type: :runtime
@@ -142,17 +130,15 @@ dependencies:
   name: activerecord-jdbcpostgresql-adapter
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
-        version: !binary |-
-          MA==
+        version: '0'
     none: false
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
-        version: !binary |-
-          MA==
+        version: '0'
     none: false
   prerelease: false
   type: :runtime
@@ -167,11 +153,11 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- ".gitignore"
-- ".rspec"
-- ".simplecov"
-- ".travis.yml"
-- ".yardopts"
+- .gitignore
+- .rspec
+- .simplecov
+- .travis.yml
+- .yardopts
 - Gemfile
 - LICENSE
 - README.md
@@ -395,6 +381,7 @@ files:
 - spec/app/models/mdm/web_vuln_spec.rb
 - spec/app/models/mdm/workspace_spec.rb
 - spec/app/validators/parameters_validator_spec.rb
+- spec/app/validators/password_is_strong_validator_spec.rb
 - spec/dummy/Rakefile
 - spec/dummy/app/assets/javascripts/application.js
 - spec/dummy/app/assets/stylesheets/application.css
@@ -488,23 +475,21 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - '>='
     - !ruby/object:Gem::Version
       segments:
       - 0
       hash: 2
-      version: !binary |-
-        MA==
+      version: '0'
   none: false
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - '>='
     - !ruby/object:Gem::Version
       segments:
       - 0
       hash: 2
-      version: !binary |-
-        MA==
+      version: '0'
   none: false
 requirements: []
 rubyforge_project:
@@ -557,6 +542,7 @@ test_files:
 - spec/app/models/mdm/web_vuln_spec.rb
 - spec/app/models/mdm/workspace_spec.rb
 - spec/app/validators/parameters_validator_spec.rb
+- spec/app/validators/password_is_strong_validator_spec.rb
 - spec/dummy/Rakefile
 - spec/dummy/app/assets/javascripts/application.js
 - spec/dummy/app/assets/stylesheets/application.css