metasploit_data_models 0.6.13

data/lib/metasploit_data_models.rb

@@ -0,0 +1,60 @@
+#
+# Core
+#
+require 'shellwords'
+
+#
+# Gems
+#
+require 'active_record'
+require 'active_support'
+require 'active_support/all'
+require 'active_support/dependencies'
+
+#
+# Project
+#
+require 'mdm'
+require 'metasploit_data_models/version'
+require 'metasploit_data_models/serialized_prefs'
+require 'metasploit_data_models/base64_serializer'
+
+require 'metasploit_data_models/validators/ip_format_validator'
+require 'metasploit_data_models/validators/password_is_strong_validator'
+
+# Only include the Rails engine when using Rails.  This allows the non-Rails projects, like metasploit-framework to use
+# the models by calling MetasploitDataModels.require_models.
+if defined? Rails
+  require 'metasploit_data_models/engine'
+end
+
+module MetasploitDataModels
+  def self.models_pathname
+    root.join('app', 'models')
+  end
+
+  def self.require_models
+    models_globs = models_pathname.join('**', '*.rb')
+
+    Dir.glob(models_globs) do |model_path|
+      require model_path
+    end
+  end
+
+  def self.root
+    unless instance_variable_defined? :@root
+      lib_pathname = Pathname.new(__FILE__).dirname
+
+      @root = lib_pathname.parent
+    end
+
+    @root
+  end
+end
+
+lib_pathname = MetasploitDataModels.root.join('lib')
+# has to work under 1.8.7, so can't use to_path
+lib_path = lib_pathname.to_s
+# Add path to gem's lib so that concerns for models are loaded correctly if models are reloaded
+ActiveSupport::Dependencies.autoload_paths << lib_path
+ActiveSupport::Dependencies.autoload_once_paths << lib_path

data/lib/metasploit_data_models/base64_serializer.rb

@@ -0,0 +1,103 @@
+# Provides ActiveRecord 3.1x-friendly serialization for descendants of
+# ActiveRecord::Base. Backwards compatible with older YAML methods and
+# will fall back to string decoding in the worst case
+#
+# @example Using default default of {}
+#   serialize :foo, MetasploitDataModels::Base64Serializer.new
+#
+# @example Overriding default to []
+#   serialize :bar, MetasploitDataModels::Base64Serializer.new(:default => [])
+#
+module MetasploitDataModels
+  class Base64Serializer
+    #
+    # CONSTANTS
+    #
+
+    # The default for {#default}
+    DEFAULT = {}
+    # Deserializers for {#load}
+    # 1. Base64 decoding and then unmarshalling the value.
+    # 2. Parsing the value as YAML.
+    # 3. The raw value.
+    LOADERS = [
+        lambda { |serialized|
+          marshaled = serialized.unpack('m').first
+          # Load the unpacked Marshal object first
+          Marshal.load(marshaled)
+        },
+        lambda { |serialized|
+          # Support legacy YAML encoding for existing data
+          YAML.load(serialized)
+        },
+        lambda { |serialized|
+          # Fall back to string decoding
+          serialized
+        }
+    ]
+
+    #
+    # Methods
+    #
+
+    # Creates a duplicate of default value
+    #
+    # @return
+    def default
+      @default.dup
+    end
+
+    attr_writer :default
+
+    # Serializes the value by marshalling the value and then base64 encodes the marshaled value.
+    #
+    # @param value [Object] value to serialize
+    # @return [String]
+    def dump(value)
+      # Always store data back in the Marshal format
+      marshalled = Marshal.dump(value)
+      base64_encoded = [ marshalled ].pack('m')
+
+      base64_encoded
+    end
+
+    # @param attributes [Hash] attributes
+    # @option attributes [Object] :default ({}) Value to use for {#default}.
+    def initialize(attributes={})
+      attributes.assert_valid_keys(:default)
+
+      @default = attributes.fetch(:default, DEFAULT)
+    end
+
+    # Deserializes the value by either
+    # 1. Base64 decoding and then unmarshalling the value.
+    # 2. Parsing the value as YAML.
+    # 3. Returns the raw value.
+    #
+    # @param value [String] serialized value
+    # @return [Object]
+    #
+    # @see #default
+    def load(value)
+      loaded = nil
+
+      if value.blank?
+        loaded = default
+      else
+        LOADERS.each do |loader|
+          begin
+            loaded = loader.call(value)
+          rescue
+            next
+          else
+            break
+          end
+        end
+      end
+
+      loaded
+    end
+  end
+end
+
+

data/lib/metasploit_data_models/engine.rb

@@ -0,0 +1,23 @@
+require 'rails'
+
+module MetasploitDataModels
+  class Engine < Rails::Engine
+    # @see http://viget.com/extend/rails-engine-testing-with-rspec-capybara-and-factorygirl
+    config.generators do |g|
+      g.assets false
+      g.fixture_replacement :factory_girl, :dir => 'spec/factories'
+      g.helper false
+      g.test_framework :rspec, :fixture => false
+    end
+
+    initializer 'metasploit_data_models.prepend_factory_path', :after => 'factory_girl.set_factory_paths' do
+      if defined? FactoryGirl
+        relative_definition_file_path = config.generators.options[:factory_girl][:dir]
+        definition_file_path = root.join(relative_definition_file_path)
+
+        # unshift so that Pro can modify mdm factories
+        FactoryGirl.definition_file_paths.unshift definition_file_path
+      end
+    end
+  end
+end

data/lib/metasploit_data_models/serialized_prefs.rb

@@ -0,0 +1,23 @@
+module MetasploitDataModels
+  module SerializedPrefs
+    def serialized_prefs_attr_accessor(*args)
+      args.each do |method_name|
+
+        method_declarations = <<-RUBY
+          def #{method_name}
+            return if not self.prefs
+            self.prefs[:#{method_name}]
+          end
+
+          def #{method_name}=(value)
+            temp = self.prefs || {}
+            temp[:#{method_name}] = value
+            self.prefs = temp
+          end
+        RUBY
+
+        class_eval method_declarations, __FILE__, __LINE__
+      end
+    end
+  end
+end

data/lib/metasploit_data_models/validators/ip_format_validator.rb

@@ -0,0 +1,13 @@
+require "ipaddr"
+
+class IpFormatValidator < ActiveModel::EachValidator
+  def validate_each(object, attribute, value)
+    error_message_block = lambda{ object.errors[attribute] << " must be a valid IPv4 or IPv6 address" }
+    begin
+      potential_ip = IPAddr.new(value)
+      error_message_block.call unless potential_ip.ipv4? || potential_ip.ipv6?
+    rescue ArgumentError
+      error_message_block.call
+    end
+  end
+end

data/lib/metasploit_data_models/validators/password_is_strong_validator.rb

@@ -0,0 +1,70 @@
+class PasswordIsStrongValidator < ActiveModel::EachValidator
+  COMMON_PASSWORDS = %w{
+			password pass root admin metasploit
+			msf 123456 qwerty abc123 letmein monkey link182 demo
+			changeme test1234 rapid7
+		}
+
+  def validate_each(record, attribute, value)
+    return if value.blank?
+
+    if is_simple?(value)
+      record.errors[attribute] << "must contain letters, numbers, and at least one special character"
+    end
+
+    if contains_username?(record.username, value)
+      record.errors[attribute] << "must not contain the username"
+    end
+
+    if is_common_password?(value)
+      record.errors[attribute] << "must not be a common password"
+    end
+
+    if contains_repetition?(value)
+      record.errors[attribute] << "must not be a predictable sequence of characters"
+    end
+  end
+
+  private
+
+  def is_simple?(password)
+    not (password =~ /[A-Za-z]/ and password =~ /[0-9]/ and password =~ /[\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x3a\x3b\x3c\x3d\x3e\x3f\x5b\x5c\x5d\x5e\x5f\x60\x7b\x7c\x7d\x7e]/)
+  end
+
+  def contains_username?(username, password)
+    password =~ /#{username}/i
+  end
+
+  def is_common_password?(password)
+    COMMON_PASSWORDS.each do |pw|
+      common_pw = [pw, pw + "!", pw + "1", pw + "12", pw + "123", pw + "1234"]
+      if common_pw.include?(password.downcase)
+        return true
+      end
+    end
+    false
+  end
+
+  def contains_repetition?(password)
+    # Password repetition (quite basic) -- no "aaaaaa" or "ababab" or "abcabc" or
+    # "abcdabcd" (but note that the user can use "aaaaaab" or something).
+
+    if password.scan(/./).uniq.size < 2
+      return true
+    end
+
+    if (password.size % 2 == 0) and (password.scan(/../).uniq.size < 2)
+      return true
+    end
+
+    if (password.size % 3 == 0) and (password.scan(/.../).uniq.size < 2)
+      return true
+    end
+
+    if (password.size % 4 == 0) and (password.scan(/..../).uniq.size < 2)
+      return true
+    end
+
+    false
+  end
+end

data/lib/metasploit_data_models/version.rb

@@ -0,0 +1,8 @@
+module MetasploitDataModels
+  # MetasploitDataModels follows the {http://semver.org/  Semantic Versioning Specification}.  At this time, the API
+  # is considered unstable because although the database migrations have moved from
+  # metasploit-framework/data/sql/migrate to db/migrate in this project, not all models have specs that verify the
+  # migrations (with have_db_column and have_db_index) and certain models may not be shared between metasploit-framework
+  # and pro, so models may be removed in the future.  Because of the unstable API the version should remain below 1.0.0
+  VERSION = '0.6.13'
+end

data/lib/tasks/yard.rake

@@ -0,0 +1,26 @@
+# @note All options not specific to any given rake task should go in the .yardopts file so they are available to both
+#   the below rake tasks and when invoking `yard` from the command line
+
+if defined? YARD
+  namespace :yard do
+    YARD::Rake::YardocTask.new(:doc) do |t|
+      # --no-stats here as 'stats' task called after will print fuller stats
+      t.options = ['--no-stats']
+
+      t.after = Proc.new {
+        Rake::Task['yard:stats'].execute
+      }
+    end
+
+    desc "Shows stats for YARD Documentation including listing undocumented modules, classes, constants, and methods"
+    task :stats => :environment do
+      stats = YARD::CLI::Stats.new
+      stats.run('--compact', '--list-undoc')
+    end
+  end
+
+  # @todo Figure out how to just clone description from yard:doc
+  desc "Generate YARD documentation"
+  # allow calling namespace to as a task that goes to default task for namespace
+  task :yard => ['yard:doc']
+end

data/metasploit_data_models.gemspec

@@ -0,0 +1,31 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "metasploit_data_models/version"
+
+Gem::Specification.new do |s|
+  s.name        = "metasploit_data_models"
+  s.version     = MetasploitDataModels::VERSION
+  s.authors     = ["Trevor Rosen"]
+  s.email       = ["trevor_rosen@rapid7.com"]
+  s.homepage    = ""
+  s.summary     = %q{Database code for MSF and Metasploit Pro}
+  s.description = %q{Implements minimal ActiveRecord models and database helper code used in both the Metasploit Framework (MSF) and Metasploit commercial editions.}
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  # ---- Dependencies ----
+  s.add_development_dependency 'rake'
+  # markdown formatting for yard
+  s.add_development_dependency 'redcarpet'
+  # documentation
+  s.add_development_dependency 'yard'
+  # debugging
+  s.add_development_dependency 'pry'
+
+  s.add_runtime_dependency 'activerecord', '>= 3.2.13'
+  s.add_runtime_dependency 'activesupport'
+  s.add_runtime_dependency 'pg'
+end

data/script/rails

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+ENGINE_ROOT = File.expand_path('../..', __FILE__)
+ENGINE_PATH = File.expand_path('../../lib/metasploit_data_models/engine', __FILE__)
+
+require 'rails/all'
+require 'rails/engine/commands'

data/spec/app/models/mdm/module_action_spec.rb

@@ -0,0 +1,38 @@
+require 'spec_helper'
+
+describe Mdm::ModuleAction do
+  context 'associations' do
+    it { should belong_to(:module_detail).class_name('Mdm::ModuleDetail') }
+  end
+
+  context 'database' do
+    context 'columns' do
+      it { should have_db_column(:module_detail_id).of_type(:integer) }
+      it { should have_db_column(:name).of_type(:text) }
+    end
+
+    context 'indices' do
+      it { should have_db_index(:module_detail_id) }
+    end
+  end
+
+  context 'factories' do
+    context 'mdm_module_action' do
+      subject(:mdm_module_action) do
+        FactoryGirl.build(:mdm_module_action)
+      end
+
+      it { should be_valid }
+    end
+  end
+
+  context 'mass assignment security' do
+    it { should_not allow_mass_assignment_of(:module_detail_id) }
+    it { should allow_mass_assignment_of(:name) }
+  end
+
+  context 'validations' do
+    it { should validate_presence_of(:module_detail) }
+    it { should validate_presence_of(:name) }
+  end
+end

data/spec/app/models/mdm/module_arch_spec.rb

@@ -0,0 +1,38 @@
+require 'spec_helper'
+
+describe Mdm::ModuleArch do
+  context 'associations' do
+    it { should belong_to(:module_detail).class_name('Mdm::ModuleDetail') }
+  end
+
+  context 'database' do
+    context 'columns' do
+      it { should have_db_column(:module_detail_id).of_type(:integer) }
+      it { should have_db_column(:name).of_type(:text) }
+    end
+
+    context 'indices' do
+      it { should have_db_index(:module_detail_id) }
+    end
+  end
+
+  context 'factories' do
+    context 'mdm_module_arch' do
+      subject(:mdm_module_arch) do
+        FactoryGirl.build(:mdm_module_arch)
+      end
+
+      it { should be_valid }
+    end
+  end
+
+  context 'mass assignment security' do
+    it { should_not allow_mass_assignment_of(:module_detail_id) }
+    it { should allow_mass_assignment_of(:name) }
+  end
+
+  context 'validations' do
+    it { should validate_presence_of(:module_detail) }
+    it { should validate_presence_of(:name) }
+  end
+end