metasploit_data_models 5.0.5 → 6.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 00bd68f8a0e9727e8a61a8ef62c77265a527b86c39e700e0244e9974e7db1039
-  data.tar.gz: 323300caafddc850752818a075abd7fd998e16591f2d42f7d23ba5797bbae77d
+  metadata.gz: 34ebbe62c0392161c1ac0cc6fb78264eb1e9dcdfee1512e1951c8ac2ad7625cc
+  data.tar.gz: 7d10985f37643d1f87a2482072aa8b25920713f5ad4994789b7266c4d1aaac9a
 SHA512:
-  metadata.gz: 15f22b13afb57fc18fad9a19f7ebb6b18bab95b13cb6f5f562dae9578fd411e81b3ff1692d2349ecad5991ee99183191730e5aa8f5a255957ec17901d31a64bf
-  data.tar.gz: 0e43b630f2a3c3207795eb22de079c2fc0a09a36d70c71d0dc0b831dd22f1531d9f3f4fff22d83a0af2153de4392b4374c8168d25ca87482feb8fb7ede13d458
+  metadata.gz: 38e6e0252f557548c3803de5b17418795a8072842c707c2c1d2bea51769dd7b099ef1d57e6e260fde3a6ac9ddabfb7700765d99b8858b6da0a6110f52b542d5a
+  data.tar.gz: 7fc77506c277ea62abc873cd68d9945249617d92c74382f26ad4527e3b2788a227c94d1fcc1fa02a56de4a670b5157f45bb37547c4af34911c686008db226c33

data/.github/workflows/verify.yml

@@ -1,5 +1,21 @@
 name: Verify
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
 on:
   push:
     branches:
@@ -10,7 +26,7 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-18.04
+    runs-on: ${{ matrix.os }}
     timeout-minutes: 40
 
     services:
@@ -30,15 +46,20 @@ jobs:
       fail-fast: true
       matrix:
         ruby:
-          - 2.6
           - 2.7
           - 3.0
           - 3.1
+        os:
+          - ubuntu-20.04
+          - ubuntu-latest
+        exclude:
+          - { os: ubuntu-latest, ruby: 2.7 }
+          - { os: ubuntu-latest, ruby: 3.0 }
 
     env:
       RAILS_ENV: test
 
-    name: Ruby ${{ matrix.ruby }}
+    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
     steps:
       - name: Install system dependencies
         run: sudo apt-get install libpcap-dev graphviz

data/Gemfile

@@ -3,7 +3,6 @@ source "https://rubygems.org"
 # Specify your gem's dependencies in metasploit_data_models.gemspec
 gemspec
 
-
 group :development do
   #gem 'metasploit-erd'
   # embed ERDs on index, namespace Module and Class<ApplicationRecord> pages
@@ -13,14 +12,16 @@ end
 # used by dummy application
 group :development, :test do
   # Upload coverage reports to coveralls.io
-  gem 'coveralls', require: false  
+  gem 'coveralls', require: false
   # supplies factories for producing model instance for specs
   # Version 4.1.0 or newer is needed to support generate calls without the 'FactoryBot.' in factory definitions syntax.
   gem 'factory_bot'
   # auto-load factories from spec/factories
   gem 'factory_bot_rails'
 
-  gem 'rails', '~> 6.0'
+  gem 'rails'
+  gem 'net-smtp', require: false
+
   # Used to create fake data
   gem "faker"
 

data/app/models/mdm/host_tag.rb

@@ -38,7 +38,9 @@ class Mdm::HostTag < ApplicationRecord
   # @see http://stackoverflow.com/a/11694704
   # @return [void]
   def destroy_orphan_tag
-    tag.destroy_if_orphaned
+    # ensure fresh load of tag record
+    # in theory this will always return one result safe navigation is just "extra"
+    Mdm::Tag.where(id: tag.id).first&.destroy_if_orphaned
   end
 
   # switch back to public for load hooks

data/app/models/mdm/tag.rb

@@ -100,7 +100,8 @@ class Mdm::Tag < ApplicationRecord
   # @return [void]
   def destroy_if_orphaned
     self.class.transaction do
-      if hosts_tags.empty?
+      # call `.count` to avoid serialization of any Mdm::HostTag that may exist
+      if hosts_tags.count == 0
         destroy
       end
     end

data/app/models/mdm/web_page.rb

@@ -1,6 +1,6 @@
 # Web page requested from a {#web_site}.
 class Mdm::WebPage < ApplicationRecord
-  
+
   #
   # Associations
   #

data/app/models/mdm/workspace.rb

@@ -18,7 +18,7 @@ class Mdm::Workspace < ApplicationRecord
 
   # Automatic exploitation match sets generated against {#hosts} and {#services} in this workspace.
   has_many :automatic_exploitation_match_sets,
-           class_name: 'MetasploitDataModels::AutomaticExploitation:MatchSet',
+           class_name: 'MetasploitDataModels::AutomaticExploitation::MatchSet',
            inverse_of: :workspace
 
 

data/lib/metasploit_data_models/base64_serializer.rb

@@ -27,7 +27,7 @@ class MetasploitDataModels::Base64Serializer
       },
       lambda { |serialized|
         # Support legacy YAML encoding for existing data
-        YAML.load(serialized)
+        YAML.safe_load(serialized, permitted_classes: Rails.application.config.active_record.yaml_column_permitted_classes)
       },
       lambda { |serialized|
         # Fall back to string decoding

data/lib/metasploit_data_models/engine.rb

@@ -5,7 +5,6 @@ require 'rails'
 class MetasploitDataModels::Engine < Rails::Engine
   # @see http://viget.com/extend/rails-engine-testing-with-rspec-capybara-and-factorygirl
   config.generators do |g|
-    g.assets false
     g.fixture_replacement :factory_bot, :dir => 'spec/factories'
     g.helper false
     g.test_framework :rspec, :fixture => false

data/lib/metasploit_data_models/serialized_prefs.rb

@@ -24,4 +24,4 @@ module MetasploitDataModels::SerializedPrefs
       class_eval method_declarations, __FILE__, __LINE__
     end
   end
-end
+end

data/lib/metasploit_data_models/version.rb

@@ -1,6 +1,6 @@
 module MetasploitDataModels
   # VERSION is managed by GemRelease
-  VERSION = '5.0.5'
+  VERSION = '6.0.0'
 
   # @return [String]
   #

data/lib/metasploit_data_models/yaml.rb

@@ -0,0 +1,31 @@
+# Namespace for YAML configuration
+class MetasploitDataModels::YAML
+  #
+  # CONSTANTS
+  #
+
+  # List of supported classes when deserializing YAML classes
+  # See: https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
+  #
+  PERMITTED_CLASSES = [
+    Range,
+    Set,
+    Symbol,
+    Time,
+    'WEBrick::Cookie'.to_sym,
+    'ActionController::Parameters'.to_sym,
+    'ActiveModel::Attribute::FromDatabase'.to_sym,
+    'ActiveModel::Attribute::FromUser'.to_sym,
+    'ActiveModel::Attribute::WithCastValue'.to_sym,
+    'ActiveModel::Type::Boolean'.to_sym,
+    'ActiveModel::Type::Integer'.to_sym,
+    'ActiveModel::Type::String'.to_sym,
+    'ActiveRecord::Coders::JSON'.to_sym,
+    'ActiveSupport::TimeWithZone'.to_sym,
+    'ActiveSupport::TimeZone'.to_sym,
+    'ActiveRecord::Type::Serialized'.to_sym,
+    'ActiveRecord::Type::Text'.to_sym,
+    'ActiveSupport::HashWithIndifferentAccess'.to_sym,
+    'Mdm::Workspace'.to_sym
+  ].freeze
+end

data/lib/metasploit_data_models.rb

@@ -39,6 +39,7 @@ module MetasploitDataModels
   autoload :ModuleRun
   autoload :Search
   autoload :SerializedPrefs
+  autoload :YAML
 
   # The root directory of `metasploit_data_models` gem in both development and gem installs.
   #

data/metasploit_data_models.gemspec

@@ -17,7 +17,7 @@ Gem::Specification.new do |s|
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.require_paths = %w{app/models app/validators lib}
 
-  s.required_ruby_version = '>= 2.4'
+  s.required_ruby_version = '>= 2.7'
 
   # ---- Dependencies ----
   # documentation
@@ -33,15 +33,15 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'pry'
 
 
-  s.add_runtime_dependency 'activerecord', '~>6.0'
-  s.add_runtime_dependency 'activesupport', '~>6.0'
+  s.add_runtime_dependency 'activerecord', '~>7.0'
+  s.add_runtime_dependency 'activesupport', '~>7.0'
   s.add_runtime_dependency 'metasploit-concern'
   s.add_runtime_dependency 'metasploit-model', '>=3.1'
-  s.add_runtime_dependency 'railties', '~>6.0'
+  s.add_runtime_dependency 'railties', '~>7.0'
   s.add_runtime_dependency 'webrick'
 
   # os fingerprinting
-  s.add_runtime_dependency 'recog', '~> 2.0'
+  s.add_runtime_dependency 'recog'
 
   # arel-helpers: Useful tools to help construct database queries with ActiveRecord and Arel.
   s.add_runtime_dependency 'arel-helpers'

data/spec/app/models/mdm/host_spec.rb

@@ -547,14 +547,14 @@ RSpec.describe Mdm::Host, type: :model do
         it "when the string contains 'ppc'" do
           expect(host.send(:get_arch_from_string, 'blahppcblah')).to eq('PowerPC')
         end
-      end
 
-      context 'should return nil' do
         it 'when PowerPC is cased incorrectly' do
-          expect(host.send(:get_arch_from_string, 'powerPC')).to eq(nil)
-          expect(host.send(:get_arch_from_string, 'Powerpc')).to eq(nil)
+          expect(host.send(:get_arch_from_string, 'powerPC')).to eq('PowerPC')
+          expect(host.send(:get_arch_from_string, 'Powerpc')).to eq('PowerPC')
         end
+      end
 
+      context 'should return nil' do
         it 'when no recognized arch string is present' do
           expect(host.send(:get_arch_from_string, 'blahblah')).to eq(nil)
         end

data/spec/app/models/metasploit_data_models/ip_address/v4/range_spec.rb

@@ -185,7 +185,7 @@ RSpec.describe MetasploitDataModels::IPAddress::V4::Range, type: :model do
   end
 
   context '#to_s' do
-    subject(:to_s) {
+    subject(:to_s_result) {
       range.to_s
     }
 
@@ -195,7 +195,7 @@ RSpec.describe MetasploitDataModels::IPAddress::V4::Range, type: :model do
       }
 
       it 'equals the original formatted value' do
-        expect(to_s).to eq(formatted_value)
+        expect(to_s_result).to eq(formatted_value)
       end
     end
 
@@ -295,4 +295,4 @@ RSpec.describe MetasploitDataModels::IPAddress::V4::Range, type: :model do
       it { is_expected.not_to be_a Range }
     end
   end
-end
+end

data/spec/app/models/metasploit_data_models/ip_address/v4/segment/nmap/list_spec.rb

@@ -135,7 +135,7 @@ RSpec.describe MetasploitDataModels::IPAddress::V4::Segment::Nmap::List, type: :
   end
 
   context '#to_s' do
-    subject(:to_s) do
+    subject(:to_s_value) do
       nmap.to_s
     end
 
@@ -145,7 +145,7 @@ RSpec.describe MetasploitDataModels::IPAddress::V4::Segment::Nmap::List, type: :
       }
 
       it 'returns a string equal to the original formatted value' do
-        expect(to_s).to eq(formatted_value)
+        expect(to_s_value).to eq(formatted_value)
       end
     end
 
@@ -155,7 +155,7 @@ RSpec.describe MetasploitDataModels::IPAddress::V4::Segment::Nmap::List, type: :
       }
 
       it 'returned the formatted value as a string' do
-        expect(to_s).to eq(formatted_value.to_s)
+        expect(to_s_value).to eq(formatted_value.to_s)
       end
     end
   end
@@ -273,4 +273,4 @@ RSpec.describe MetasploitDataModels::IPAddress::V4::Segment::Nmap::List, type: :
       end
     end
   end
-end
+end

data/spec/app/models/metasploit_data_models/ip_address/v4/segment/nmap/range_spec.rb

@@ -185,7 +185,7 @@ RSpec.describe MetasploitDataModels::IPAddress::V4::Segment::Nmap::Range, type:
   end
 
   context '#to_s' do
-    subject(:to_s) {
+    subject(:to_s_result) {
       range.to_s
     }
 
@@ -195,7 +195,7 @@ RSpec.describe MetasploitDataModels::IPAddress::V4::Segment::Nmap::Range, type:
       }
 
       it 'equals the original formatted value' do
-        expect(to_s).to eq(formatted_value)
+        expect(to_s_result).to eq(formatted_value)
       end
     end
 
@@ -299,4 +299,4 @@ RSpec.describe MetasploitDataModels::IPAddress::V4::Segment::Nmap::Range, type:
       it { is_expected.not_to be_a Range }
     end
   end
-end
+end

data/spec/dummy/config/application.rb

@@ -39,13 +39,15 @@ module Dummy
 
     # Configure sensitive parameters which will be filtered from the log file.
     config.filter_parameters += [:password]
-    
+
     # Raise deprecations as errors
     config.active_support.deprecation = :raise
 
     # Enable escaping HTML in JSON.
     config.active_support.escape_html_entities_in_json = true
 
+    config.active_record.yaml_column_permitted_classes = MetasploitDataModels::YAML::PERMITTED_CLASSES
+
     # Use SQL instead of Active Record's schema dumper when creating the database.
     # This is necessary if your schema can't be completely dumped by the schema dumper,
     # like if you have constraints or database-specific column types
@@ -54,13 +56,9 @@ module Dummy
     # 5.x change to belongs_to
     config.active_record.belongs_to_required_by_default = true
 
-    # Enable the asset pipeline
-    config.assets.enabled = false
-
-    # Version of your assets, change this if you want to expire all your assets
-    config.assets.version = '1.0'
-
     config.autoloader = :zeitwerk
+
+    ActiveRecord.legacy_connection_handling = false
   end
 end
 

data/spec/dummy/config/environments/development.rb

@@ -22,16 +22,6 @@ Rails.application.configure do
   # Raise an error on page load if there are pending migrations.
   config.active_record.migration_error = :page_load
 
-  # Debug mode disables concatenation and preprocessing of assets.
-  # This option may cause significant delays in view rendering with a large
-  # number of complex assets.
-  config.assets.debug = true
-
-  # Adds additional error checking when serving assets at runtime.
-  # Checks for improperly declared sprockets dependencies.
-  # Raises helpful error messages.
-  config.assets.raise_runtime_errors = true
-
   # Raises error for missing translations
   # config.action_view.raise_on_missing_translations = true
 end

data/spec/dummy/config/environments/production.rb

@@ -22,18 +22,6 @@ Rails.application.configure do
   # Disable Rails's static asset server (Apache or nginx will already do this).
   config.serve_static_assets = false
 
-  # Compress JavaScripts and CSS.
-  config.assets.js_compressor = :uglifier
-  # config.assets.css_compressor = :sass
-
-  # Do not fallback to assets pipeline if a precompiled asset is missed.
-  config.assets.compile = false
-
-  # Generate digests for assets URLs.
-  config.assets.digest = true
-
-  # `config.assets.precompile` and `config.assets.version` have moved to config/initializers/assets.rb
-
   # Specifies the header that your server uses for sending files.
   # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
   # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: metasploit_data_models
 version: !ruby/object:Gem::Version
-  version: 5.0.5
+  version: 6.0.0
 platform: ruby
 authors:
 - Metasploit Hackers
@@ -93,7 +93,7 @@ cert_chain:
   EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
   9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2022-04-07 00:00:00.000000000 Z
+date: 2022-11-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: metasploit-yard
@@ -185,28 +185,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.0'
+        version: '7.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.0'
+        version: '7.0'
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.0'
+        version: '7.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.0'
+        version: '7.0'
 - !ruby/object:Gem::Dependency
   name: metasploit-concern
   requirement: !ruby/object:Gem::Requirement
@@ -241,14 +241,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.0'
+        version: '7.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.0'
+        version: '7.0'
 - !ruby/object:Gem::Dependency
   name: webrick
   requirement: !ruby/object:Gem::Requirement
@@ -267,16 +267,16 @@ dependencies:
   name: recog
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: arel-helpers
   requirement: !ruby/object:Gem::Requirement
@@ -576,6 +576,7 @@ files:
 - lib/metasploit_data_models/search/visitor.rb
 - lib/metasploit_data_models/serialized_prefs.rb
 - lib/metasploit_data_models/version.rb
+- lib/metasploit_data_models/yaml.rb
 - metasploit_data_models.gemspec
 - script/rails
 - spec/app/models/mdm/api_key_spec.rb
@@ -674,7 +675,6 @@ files:
 - spec/dummy/config/environments/production.rb
 - spec/dummy/config/environments/test.rb
 - spec/dummy/config/initializers/active_record_migrations.rb
-- spec/dummy/config/initializers/assets.rb
 - spec/dummy/config/initializers/backtrace_silencers.rb
 - spec/dummy/config/initializers/cookies_serializer.rb
 - spec/dummy/config/initializers/filter_parameter_logging.rb
@@ -778,7 +778,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.4'
+      version: '2.7'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="

data/spec/dummy/config/initializers/assets.rb

@@ -1,8 +0,0 @@
-# Be sure to restart your server when you modify this file.
-
-# Version of your assets, change this if you want to expire all your assets.
-Rails.application.config.assets.version = '1.0'
-
-# Precompile additional assets.
-# application.js, application.css, and all non-JS/CSS in app/assets folder are already added.
-# Rails.application.config.assets.precompile += %w( search.js )