nasl-pedant 0.1.1 → 0.1.2

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    NGNlMmFiYThiNDA5OGE3MmUyZDcwMTM3ZGMxODdhN2ZlYzliMDQzNQ==
-  data.tar.gz: !binary |-
-    MTY1NDYwOTM2NTQ3ZDZlZGFjNjVlODY4YTUzY2QzMmZkYzRkN2ExMA==
+SHA1:
+  metadata.gz: 9a6b4c22908b881b935d3f7a3c533b7dca735438
+  data.tar.gz: 44df11019465bd433a79877ace7df3f1d9fb53ea
 SHA512:
-  metadata.gz: !binary |-
-    YWYyMjg0MjExZTIyMzliNjQ5MzI1YWRjOWZhNDdlNjhiMjA3ZTUxNDE4OThh
-    ODIxM2QxODk5MThkODI5YWY0NGM2Njg1OWI3ZTkyOGRjNDY3YmU0NjA4YmI1
-    ZWQwMGRkNmI0ODI4ZTA0ZDlmMTNlMTk4MTcyNGRiMTdkM2JjNTM=
-  data.tar.gz: !binary |-
-    ZGM1ZjYxZGUwMWE4M2I0ODQ5NGUyODFlNGM0NTc3ODZjMGE1NTAzYTQ1Nzgz
-    MDg2MWYzZDk3OGY1YWUxOTUyNjllODYwM2Q0NDZjMGRmZTkwMWI0MjUzNmNm
-    OWRmODZjMTY3YmEzYjQwOTBiMDY0YzE2YzA4YzdlOGQ0MjBiNGI=
+  metadata.gz: 636d307ea833d5e34ebd7dad9582ecfd003961754ae44d9710c3be1e6bb1f86748355d63bf95a0887684f82581789d3ad0e0b6ab1a05326f52b2c26a0d2d5ba8
+  data.tar.gz: f31689c4a1a2920c099a3160e72fb672752420d70f1da1c97502caaf93fe0be28bd7d7865d0fc8895ef6400da27af95e380fb0d99aad142fc3893500ef9390df

data/README.md

@@ -31,7 +31,7 @@ As your regular user:
     git clone https://github.com/tenable/pedant
     cd pedant
     bundle install --path vendor/bundle
-    bundle exec rake tests
+    bundle exec rake test
 
 All the tests should pass!
 

data/lib/pedant/checks/contains_display.rb

@@ -0,0 +1,53 @@
+################################################################################
+# Copyright (c) 2016, Tenable Network Security
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+#    list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+#    this list of conditions and the following disclaimer in the documentation
+#    and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+################################################################################
+
+require 'set'
+
+module Pedant
+  class CheckContainsDisplay < Check
+    def self.requires
+      super + [:main, :trees]
+    end
+
+    def run
+      si_nodes = []
+      tree = @kb[:trees][@kb[:main]]
+
+      tree.all(:Call).each do |node|
+        next unless node.name.ident.name == 'display'
+        next unless node.name.indexes == []
+        si_nodes << node
+      end
+      
+      if (si_nodes.length != 0)
+        report(:warn, "display() is called:\n" + si_nodes.first.context())
+        return warn
+      end
+      
+      pass
+    end
+  end
+end

data/lib/pedant/checks/contains_unreachable_code.rb

@@ -36,7 +36,10 @@ module Pedant
           # Check if the Node is capable of jumping out of the Block, without
           # resuming where it left off (i.e., Call). The exception is exit(),
           # which is a builtin Function that terminates execution.
-          if node.is_a?(Nasl::Break) || node.is_a?(Nasl::Continue) || node.is_a?(Nasl::Return) || (node.is_a?(Nasl::Call) && node.name.ident.name == 'exit' && node.name.indexes == [])
+          if node.is_a?(Nasl::Break) || node.is_a?(Nasl::Continue) ||
+             node.is_a?(Nasl::Return) || (node.is_a?(Nasl::Call) &&
+             (node.name.ident.name == 'exit' ||
+              node.name.ident.name == 'audit') && node.name.indexes == [])
             # If this is not the final node in the list, then there is
             # absolutely no way for the later nodes to be accessed.
             return node if node != list.last

data/lib/pedant/checks/get_byte_used.rb

@@ -0,0 +1,62 @@
+################################################################################
+# Copyright (c) 2016, Tenable Network Security
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+#    list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+#    this list of conditions and the following disclaimer in the documentation
+#    and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+################################################################################
+
+module Pedant
+  class CheckGetByteUsed < Check
+    def self.requires
+      super + [:main, :trees]
+    end
+
+    def run
+      # This check only applies to plugins.
+      return skip unless @kb[:main].extname == '.nasl'
+
+      tree = @kb[:trees][@kb[:main]]
+
+      tree.all(:Call).each do |node|
+        next unless [
+          "get_byte",
+          "get_word",
+          "get_dword"
+        ].include? node.name.ident.name
+
+        # error if we are also using set_byte_order()
+        if tree.all(:Call).any? { |node2| node2.name.ident.name == "set_byte_order" }
+          report(:error, "Plugin is using #{node.name.ident.name}(), which does not respect set_byte_order(). Since this plugin also uses set_byte_order(), we should be using the set_byte_order() respecting function #{node.name.ident.name.tr("_","")}() from byte_func.inc instead, as #{node.name.ident.name}() will always operate as if the byte order is set to little endian.")
+          report(:error, node.context())
+          return fail
+        end
+
+        # just warn otherwise
+        report(:warn, "Plugin is using #{node.name.ident.name}(), which does not respect set_byte_order(). Consider using the set_byte_order() respecting function #{node.name.ident.name.tr("_","")}() from byte_func.inc instead, as #{node.name.ident.name}() will always operate as if the byte order is set to little endian.")
+        report(:warn, node.context())
+        return fail
+      end
+      report(:info, "Plugin is not using any of get_byte(), get_word(), or get_dword(), which can be problematic as they do not respect set_byte_order().")
+      pass
+    end
+  end
+end

data/lib/pedant/checks/script_missing_audit_inc.rb

@@ -0,0 +1,67 @@
+################################################################################
+# Copyright (c) 2016, Tenable Network Security
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+#    list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+#    this list of conditions and the following disclaimer in the documentation
+#    and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+################################################################################
+
+module Pedant
+  class CheckScriptDoesNotUseAuditDotInc < Check
+    def self.requires
+      super + [:main, :trees, :codes]
+    end
+
+    def run
+      args = []
+      tree = @kb[:trees][@kb[:main]]
+
+      tree.all(:Include).each do |node|
+        next unless node.filename.text == 'audit.inc'
+        report(:info, "#{node.filename.text}")
+        args << node
+      end # each
+
+      audit_calls = []
+      tree.all(:Call).each do |node|
+        next unless node.name.ident.name == "audit"
+        next if node.args.empty?
+        audit_calls << node
+      end
+
+      if args.length == 0
+        report(:warn, "Plugin does not include audit.inc. Should it?")
+        return warn
+      elsif args.length == 1
+        if audit_calls.length == 0
+          report(:warn, "Plugin includes audit.inc but does not make a direct audit call")
+          return warn
+        end
+        pass
+      elsif args.length > 1
+        report(:error, "Plugin specifies multiple audit.inc:")
+        args.each { |call| report(:error, call.context()) }
+        return fail
+      end
+
+    end # def run
+  end #class
+end #module

data/lib/pedant/checks/script_not_signed_and_using_secret_kb_item.rb

@@ -0,0 +1,90 @@
+################################################################################
+# Copyright (c) 2016, Tenable Network Security
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+#    list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+#    this list of conditions and the following disclaimer in the documentation
+#    and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+################################################################################
+
+module Pedant
+  class CheckScriptNotSignedAndUsingSecretKBItem < Check
+    def self.requires
+      super + [:main, :trees, :codes]
+    end
+
+    def run
+      # This check only applies to plugins.
+      return skip unless @kb[:main].extname == '.nasl'
+
+      tree = @kb[:trees][@kb[:main]]
+      codes = @kb[:codes][@kb[:main]]
+
+      tree.all(:Call).each do |node|
+        next unless [
+          "get_kb_item",
+          "rm_kb_item",
+          "get_kb_list",
+          "replace_kb_item",
+          "set_kb_item",
+          "script_require_keys",
+          "set_global_kb_item",
+          "get_global_kb_item",
+          "get_fresh_kb_item",
+          "get_global_kb_list",
+          "get_kb_item_or_exit"
+        ].include? node.name.ident.name
+      	next if node.args.empty?
+
+        # one case where we check all arguments
+        if node.name.ident.name == "script_require_keys"
+          node.args.each do |arg|
+            arg = arg.expr
+            arg = arg.lhs while arg.is_a? Nasl::Expression
+            next unless arg.respond_to? :text
+            next unless arg.text.index("Secret") == 0
+            next if codes.index("#TRUSTED") == 0
+            report(:warn, "Plugin is accessing the secret KB item \"#{arg.text}\" and needs to be signed. Add a #TRUSTED line to the start of your plugin to flag it for signing via Bamboo.")
+            report(:warn, arg.context())
+            return fail
+          end
+        end
+
+        # every other function we need to check the first argument, or if the arguments are named, the 'name' argument
+        arg = node.args.first.expr
+        if node.args.first.respond_to? :name and node.args.first.name.respond_to? :name
+          arg = node.args[1].expr if node.args[1].respond_to? :name and node.args[1].name.respond_to? :name and node.args[1].name.name == "name"
+        end
+
+	arg = arg.lhs while arg.is_a? Nasl::Expression
+        next unless arg.respond_to? :text
+
+        if arg.text.index("Secret") == 0
+          next if codes.index("#TRUSTED") == 0
+          report(:warn, "Plugin is accessing the secret KB item \"#{arg.text}\" and needs to be signed. Add a #TRUSTED line to the start of your plugin to flag it for signing via Bamboo.")
+          report(:warn, arg.context())
+          return fail
+        end
+      end
+      report(:info, "Plugin is not using secret KB items without being signed.")
+      pass
+    end
+  end
+end

data/lib/pedant/checks/script_not_signed_and_using_trusted_function.rb

@@ -0,0 +1,195 @@
+################################################################################
+# Copyright (c) 2016, Tenable Network Security
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice, this
+#    list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+#    this list of conditions and the following disclaimer in the documentation
+#    and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+################################################################################
+
+module Pedant
+  class CheckScriptNotSignedAndUsingTrustedFunction < Check
+    def self.requires
+      super + [:main, :trees, :codes]
+    end
+
+    def run
+      # This check only applies to plugins.
+      return skip unless @kb[:main].extname == '.nasl'
+
+      tree = @kb[:trees][@kb[:main]]
+      codes = @kb[:codes][@kb[:main]]
+
+      tree.all(:Call).each do |node|
+        # builtin trusted functions
+        next unless [
+          "bind_sock_tcp",
+          "bind_sock_tcp6",
+          "bind_sock_udp",
+          "bind_sock_udp6",
+          "can_query_report",
+          "cfile_open",
+          "cfile_stat",
+          "db_open",
+          "db_open2",
+          "db_open_ex",
+          "db_query",
+          "db_query_foreach",
+          "dsa_do_sign",
+          "dump_interfaces",
+          "file_close",
+          "file_fstat",
+          "file_is_signed",
+          "file_md5",
+          "file_mkdir",
+          "file_mtime",
+          "file_open",
+          "file_read",
+          "file_rename",
+          "file_seek",
+          "file_stat",
+          "file_write",
+          "find_in_path",
+          "fork",
+          "fread",
+          "fwrite",
+          "gc",
+          "get_preference_file_content",
+          "get_preference_file_location",
+          "get_tmp_dir",
+          "inject_packet",
+          "is_user_root",
+          "kb_ssh_certificate",
+          "kb_ssh_login",
+          "kb_ssh_password",
+          "kb_ssh_privatekey",
+          "kb_ssh_publickey",
+          "kb_ssh_realm",
+          "kb_ssh_transport",
+          "kill",
+          "load_db_master_key_cli",
+          "mkdir",
+          "mkdir_ex",
+          "mutex_lock",
+          "mutex_unlock",
+          "nessus_get_dir",
+          "open_sock2",
+          "open_sock_ex",
+          "pem_to_dsa",
+          "pem_to_dsa2",
+          "pem_to_pub_rsa",
+          "pem_to_rsa",
+          "pem_to_rsa2",
+          "pread",
+          "query_report",
+          "readdir",
+          "recvfrom",
+          "rename",
+          "resolv",
+          "rmdir",
+          "rsa_sign",
+          "same_host",
+          "schematron_validate",
+          "script_get_preference_file_content",
+          "script_get_preference_file_location",
+          "sendto",
+          "set_mem_limits",
+          "socket_accept",
+          "ssl_accept3",
+          "ssl_accept4",
+          "syn_scan",
+          "tcp_scan",
+          "thread_create",
+          "udp_scan",
+          "unlink",
+          "untar_plugins",
+          "xmldsig_sign",
+          "xmldsig_verify",
+          "xmlparse",
+          "xsd_validate",
+          "xslt_apply_stylesheet",
+          "xslt_filter",
+          # trusted functions from includes
+          # cisco_kb_cmd_func.inc
+          "cisco_command_kb_item",
+          # macosx_func.inc
+          "exec_cmd",
+          "exec_cmds",
+          "get_users_homes",
+          # ssh_func.inc
+          "ssh_cmd",
+          # ssh1_func.inc
+          "ssh_cmd1",
+          # functions that can call open_sock2()
+          "enable_keepalive",
+          "http_is_dead",
+          "http_keepalive_enabled",
+          "http_open_soc_err",
+          "http_open_socket_ka",
+          "http_recv_body",
+          "http_recv_headers3",
+          "http_recv3",
+          "http_reopen_socket",
+          "http_send_recv_req",
+          "http_send_recv3",
+          "http_set_error"
+        ].include? node.name.ident.name
+
+        if [
+          # functions that can call open_sock2()
+          "enable_keepalive",
+          "http_is_dead",
+          "http_keepalive_enabled",
+          "http_open_soc_err",
+          "http_open_socket_ka",
+          "http_recv_body",
+          "http_recv_headers3",
+          "http_recv3",
+          "http_reopen_socket",
+          "http_send_recv_req",
+          "http_send_recv3",
+          "http_set_error"
+        ].include? node.name.ident.name
+          # check if we use the named argument 'target'
+          next unless node.args.any? { |arg|
+            arg.respond_to? :name and arg.name.respond_to? :name and arg.name.name == "target" 
+          }
+          next if codes.index("#TRUSTED") == 0
+          report(
+            :warn,
+            "Plugin is using the function #{node.name.ident.name}() with the 'target' argument, which makes it call open_sock2(), a trusted function, and may need to be signed."
+          )
+          report(:warn, node.context())
+          return fail
+        end
+
+        next if codes.index("#TRUSTED") == 0
+        report(
+          :warn,
+          "Plugin is using the trusted function #{node.name.ident.name}() and may need to be signed."
+        )
+        report(:warn, node.context())
+        return fail
+      end
+      report(:info, "Plugin is not using a trusted function.")
+      pass
+    end
+  end
+end