nasl-pedant 0.1.1 → 0.1.2

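--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-metadata.gz: !binary |-
-NGNlMmFiYThiNDA5OGE3MmUyZDcwMTM3ZGMxODdhN2ZlYzliMDQzNQ==
-data.tar.gz: !binary |-
-MTY1NDYwOTM2NTQ3ZDZlZGFjNjVlODY4YTUzY2QzMmZkYzRkN2ExMA==
+SHA1:
+metadata.gz: 9a6b4c22908b881b935d3f7a3c533b7dca735438
+data.tar.gz: 44df11019465bd433a79877ace7df3f1d9fb53ea
 SHA512:
-metadata.gz: !binary |-
-YWYyMjg0MjExZTIyMzliNjQ5MzI1YWRjOWZhNDdlNjhiMjA3ZTUxNDE4OThh
-ODIxM2QxODk5MThkODI5YWY0NGM2Njg1OWI3ZTkyOGRjNDY3YmU0NjA4YmI1
-ZWQwMGRkNmI0ODI4ZTA0ZDlmMTNlMTk4MTcyNGRiMTdkM2JjNTM=
-data.tar.gz: !binary |-
-ZGM1ZjYxZGUwMWE4M2I0ODQ5NGUyODFlNGM0NTc3ODZjMGE1NTAzYTQ1Nzgz
-MDg2MWYzZDk3OGY1YWUxOTUyNjllODYwM2Q0NDZjMGRmZTkwMWI0MjUzNmNm
-OWRmODZjMTY3YmEzYjQwOTBiMDY0YzE2YzA4YzdlOGQ0MjBiNGI=
+metadata.gz: 636d307ea833d5e34ebd7dad9582ecfd003961754ae44d9710c3be1e6bb1f86748355d63bf95a0887684f82581789d3ad0e0b6ab1a05326f52b2c26a0d2d5ba8
+data.tar.gz: f31689c4a1a2920c099a3160e72fb672752420d70f1da1c97502caaf93fe0be28bd7d7865d0fc8895ef6400da27af95e380fb0d99aad142fc3893500ef9390df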
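--- a/data/README.md
+++ b/data/README.md
@@ -31,7 +31,7 @@ As your regular user:
 git clone https://github.com/tenable/pedant
 cd pedant
 bundle install --path vendor/bundle
-bundle exec rake tests
+bundle exec rake test
 
 All the tests should pass!
 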
@@ -0,0 +1,53 @@
1
+ ################################################################################
2
+ # Copyright (c) 2016, Tenable Network Security
3
+ # All rights reserved.
4
+ #
5
+ # Redistribution and use in source and binary forms, with or without
6
+ # modification, are permitted provided that the following conditions are met:
7
+ #
8
+ # 1. Redistributions of source code must retain the above copyright notice, this
9
+ # list of conditions and the following disclaimer.
10
+ #
11
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
12
+ # this list of conditions and the following disclaimer in the documentation
13
+ # and/or other materials provided with the distribution.
14
+ #
15
+ # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
16
+ # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17
+ # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
18
+ # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
19
+ # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20
+ # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
21
+ # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
22
+ # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
23
+ # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24
+ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25
+ ################################################################################
26
+
27
+ require 'set'
28
+
29
+ module Pedant
30
+ class CheckContainsDisplay < Check
31
+ def self.requires
32
+ super + [:main, :trees]
33
+ end
34
+
35
+ def run
36
+ si_nodes = []
37
+ tree = @kb[:trees][@kb[:main]]
38
+
39
+ tree.all(:Call).each do |node|
40
+ next unless node.name.ident.name == 'display'
41
+ next unless node.name.indexes == []
42
+ si_nodes << node
43
+ end
44
+
45
+ if (si_nodes.length != 0)
46
+ report(:warn, "display() is called:\n" + si_nodes.first.context())
47
+ return warn
48
+ end
49
+
50
+ pass
51
+ end
52
+ end
53
+ end
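Review bot: `require 'set'` at gutter 27 is unused — nothing in CheckContainsDisplay references Set — and the `si_nodes` array built at gutter 36–43 is only ever read through `.first`, so the collection loop can be a single lookup. Replace the loop and the parenthesised `if (si_nodes.length != 0)` (RuboCop flags the parentheses) with `node = tree.all(:Call).find { |c| c.name.ident.name == 'display' && c.name.indexes == [] }`, then `return pass unless node`, followed by the report and `warn`. The report itself reads better with interpolation, `report(:warn, "display() is called:\n#{node.context}")`, and since only the first call site is shown it would help to say so in the message when more than one display() call exists.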
@@ -36,7 +36,10 @@ module Pedant
36
36
  # Check if the Node is capable of jumping out of the Block, without
37
37
  # resuming where it left off (i.e., Call). The exception is exit(),
38
38
  # which is a builtin Function that terminates execution.
39
- if node.is_a?(Nasl::Break) || node.is_a?(Nasl::Continue) || node.is_a?(Nasl::Return) || (node.is_a?(Nasl::Call) && node.name.ident.name == 'exit' && node.name.indexes == [])
39
+ if node.is_a?(Nasl::Break) || node.is_a?(Nasl::Continue) ||
40
+ node.is_a?(Nasl::Return) || (node.is_a?(Nasl::Call) &&
41
+ (node.name.ident.name == 'exit' ||
42
+ node.name.ident.name == 'audit') && node.name.indexes == [])
40
43
  # If this is not the final node in the list, then there is
41
44
  # absolutely no way for the later nodes to be accessed.
42
45
  return node if node != list.last
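Review bot: The comment at gutter 36–38 still names exit() as the only exception, but the new condition also treats a bare audit() call as terminating, so the comment is now out of date. Suggest `# The exceptions are exit(), a builtin that terminates execution, and audit(), which is expected to end the plugin and is handled the same way here.` Unlike exit(), audit() is a library function rather than a builtin, so a script that defines its own non-terminating audit would be mis-classified as terminating — presumably acceptable, but worth recording in the comment. The enclosing method starts and ends outside the hunk.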
@@ -0,0 +1,62 @@
1
+ ################################################################################
2
+ # Copyright (c) 2016, Tenable Network Security
3
+ # All rights reserved.
4
+ #
5
+ # Redistribution and use in source and binary forms, with or without
6
+ # modification, are permitted provided that the following conditions are met:
7
+ #
8
+ # 1. Redistributions of source code must retain the above copyright notice, this
9
+ # list of conditions and the following disclaimer.
10
+ #
11
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
12
+ # this list of conditions and the following disclaimer in the documentation
13
+ # and/or other materials provided with the distribution.
14
+ #
15
+ # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
16
+ # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17
+ # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
18
+ # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
19
+ # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20
+ # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
21
+ # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
22
+ # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
23
+ # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24
+ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25
+ ################################################################################
26
+
27
+ module Pedant
28
+ class CheckGetByteUsed < Check
29
+ def self.requires
30
+ super + [:main, :trees]
31
+ end
32
+
33
+ def run
34
+ # This check only applies to plugins.
35
+ return skip unless @kb[:main].extname == '.nasl'
36
+
37
+ tree = @kb[:trees][@kb[:main]]
38
+
39
+ tree.all(:Call).each do |node|
40
+ next unless [
41
+ "get_byte",
42
+ "get_word",
43
+ "get_dword"
44
+ ].include? node.name.ident.name
45
+
46
+ # error if we are also using set_byte_order()
47
+ if tree.all(:Call).any? { |node2| node2.name.ident.name == "set_byte_order" }
48
+ report(:error, "Plugin is using #{node.name.ident.name}(), which does not respect set_byte_order(). Since this plugin also uses set_byte_order(), we should be using the set_byte_order() respecting function #{node.name.ident.name.tr("_","")}() from byte_func.inc instead, as #{node.name.ident.name}() will always operate as if the byte order is set to little endian.")
49
+ report(:error, node.context())
50
+ return fail
51
+ end
52
+
53
+ # just warn otherwise
54
+ report(:warn, "Plugin is using #{node.name.ident.name}(), which does not respect set_byte_order(). Consider using the set_byte_order() respecting function #{node.name.ident.name.tr("_","")}() from byte_func.inc instead, as #{node.name.ident.name}() will always operate as if the byte order is set to little endian.")
55
+ report(:warn, node.context())
56
+ return fail
57
+ end
58
+ report(:info, "Plugin is not using any of get_byte(), get_word(), or get_dword(), which can be problematic as they do not respect set_byte_order().")
59
+ pass
60
+ end
61
+ end
62
+ end
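Review bot: The fall-through branch at gutter 53–56 reports at :warn severity but then does `return fail`, so a warning-level finding fails the check; the other new checks in this commit (CheckContainsDisplay, CheckScriptDoesNotUseAuditDotInc) pair a :warn report with `return warn`. Either change it to `return warn`, or report at :error if failing is intended — the same :warn/`return fail` pairing appears in CheckScriptNotSignedAndUsingSecretKBItem and CheckScriptNotSignedAndUsingTrustedFunction. The `tree.all(:Call).any? { ... "set_byte_order" }` scan at gutter 47 is loop-invariant and should be computed once before `tree.all(:Call).each`, e.g. `uses_set_byte_order = tree.all(:Call).any? { |c| c.name.ident.name == "set_byte_order" }`. Binding `node.name.ident.name` to a local once per iteration would also shorten the two long messages, which repeat it three times each.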
@@ -0,0 +1,67 @@
1
+ ################################################################################
2
+ # Copyright (c) 2016, Tenable Network Security
3
+ # All rights reserved.
4
+ #
5
+ # Redistribution and use in source and binary forms, with or without
6
+ # modification, are permitted provided that the following conditions are met:
7
+ #
8
+ # 1. Redistributions of source code must retain the above copyright notice, this
9
+ # list of conditions and the following disclaimer.
10
+ #
11
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
12
+ # this list of conditions and the following disclaimer in the documentation
13
+ # and/or other materials provided with the distribution.
14
+ #
15
+ # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
16
+ # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17
+ # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
18
+ # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
19
+ # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20
+ # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
21
+ # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
22
+ # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
23
+ # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24
+ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25
+ ################################################################################
26
+
27
+ module Pedant
28
+ class CheckScriptDoesNotUseAuditDotInc < Check
29
+ def self.requires
30
+ super + [:main, :trees, :codes]
31
+ end
32
+
33
+ def run
34
+ args = []
35
+ tree = @kb[:trees][@kb[:main]]
36
+
37
+ tree.all(:Include).each do |node|
38
+ next unless node.filename.text == 'audit.inc'
39
+ report(:info, "#{node.filename.text}")
40
+ args << node
41
+ end # each
42
+
43
+ audit_calls = []
44
+ tree.all(:Call).each do |node|
45
+ next unless node.name.ident.name == "audit"
46
+ next if node.args.empty?
47
+ audit_calls << node
48
+ end
49
+
50
+ if args.length == 0
51
+ report(:warn, "Plugin does not include audit.inc. Should it?")
52
+ return warn
53
+ elsif args.length == 1
54
+ if audit_calls.length == 0
55
+ report(:warn, "Plugin includes audit.inc but does not make a direct audit call")
56
+ return warn
57
+ end
58
+ pass
59
+ elsif args.length > 1
60
+ report(:error, "Plugin specifies multiple audit.inc:")
61
+ args.each { |call| report(:error, call.context()) }
62
+ return fail
63
+ end
64
+
65
+ end # def run
66
+ end #class
67
+ end #module
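Review bot: The info report at gutter 39, `report(:info, "#{node.filename.text}")`, emits the bare string "audit.inc" with no context, so a reader of the output cannot tell what it refers to; `report(:info, "Plugin includes #{node.filename.text}")` would do. The final `elsif args.length > 1` at gutter 59 is the only remaining case and should be a plain `else`, which also removes the implicit nil result if the chain ever falls through. Minor: `args` holds Include nodes rather than call arguments, so a name like `includes` describes it better, and `args.length == 0` / `audit_calls.length == 0` read more idiomatically as `.empty?`.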
@@ -0,0 +1,90 @@
1
+ ################################################################################
2
+ # Copyright (c) 2016, Tenable Network Security
3
+ # All rights reserved.
4
+ #
5
+ # Redistribution and use in source and binary forms, with or without
6
+ # modification, are permitted provided that the following conditions are met:
7
+ #
8
+ # 1. Redistributions of source code must retain the above copyright notice, this
9
+ # list of conditions and the following disclaimer.
10
+ #
11
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
12
+ # this list of conditions and the following disclaimer in the documentation
13
+ # and/or other materials provided with the distribution.
14
+ #
15
+ # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
16
+ # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17
+ # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
18
+ # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
19
+ # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20
+ # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
21
+ # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
22
+ # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
23
+ # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24
+ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25
+ ################################################################################
26
+
27
+ module Pedant
28
+ class CheckScriptNotSignedAndUsingSecretKBItem < Check
29
+ def self.requires
30
+ super + [:main, :trees, :codes]
31
+ end
32
+
33
+ def run
34
+ # This check only applies to plugins.
35
+ return skip unless @kb[:main].extname == '.nasl'
36
+
37
+ tree = @kb[:trees][@kb[:main]]
38
+ codes = @kb[:codes][@kb[:main]]
39
+
40
+ tree.all(:Call).each do |node|
41
+ next unless [
42
+ "get_kb_item",
43
+ "rm_kb_item",
44
+ "get_kb_list",
45
+ "replace_kb_item",
46
+ "set_kb_item",
47
+ "script_require_keys",
48
+ "set_global_kb_item",
49
+ "get_global_kb_item",
50
+ "get_fresh_kb_item",
51
+ "get_global_kb_list",
52
+ "get_kb_item_or_exit"
53
+ ].include? node.name.ident.name
54
+ next if node.args.empty?
55
+
56
+ # one case where we check all arguments
57
+ if node.name.ident.name == "script_require_keys"
58
+ node.args.each do |arg|
59
+ arg = arg.expr
60
+ arg = arg.lhs while arg.is_a? Nasl::Expression
61
+ next unless arg.respond_to? :text
62
+ next unless arg.text.index("Secret") == 0
63
+ next if codes.index("#TRUSTED") == 0
64
+ report(:warn, "Plugin is accessing the secret KB item \"#{arg.text}\" and needs to be signed. Add a #TRUSTED line to the start of your plugin to flag it for signing via Bamboo.")
65
+ report(:warn, arg.context())
66
+ return fail
67
+ end
68
+ end
69
+
70
+ # every other function we need to check the first argument, or if the arguments are named, the 'name' argument
71
+ arg = node.args.first.expr
72
+ if node.args.first.respond_to? :name and node.args.first.name.respond_to? :name
73
+ arg = node.args[1].expr if node.args[1].respond_to? :name and node.args[1].name.respond_to? :name and node.args[1].name.name == "name"
74
+ end
75
+
76
+ arg = arg.lhs while arg.is_a? Nasl::Expression
77
+ next unless arg.respond_to? :text
78
+
79
+ if arg.text.index("Secret") == 0
80
+ next if codes.index("#TRUSTED") == 0
81
+ report(:warn, "Plugin is accessing the secret KB item \"#{arg.text}\" and needs to be signed. Add a #TRUSTED line to the start of your plugin to flag it for signing via Bamboo.")
82
+ report(:warn, arg.context())
83
+ return fail
84
+ end
85
+ end
86
+ report(:info, "Plugin is not using secret KB items without being signed.")
87
+ pass
88
+ end
89
+ end
90
+ end
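Review bot: The named-argument lookup at gutter 71–74 only inspects `node.args[1]`, and only when the first argument is itself named, so a call whose `name:` argument sits anywhere else is resolved to the positional first argument and a "Secret" key can be missed; search all arguments instead: `named = node.args.find { |a| a.respond_to?(:name) && a.name.respond_to?(:name) && a.name.name == "name" }` and `arg = (named || node.args.first).expr`. The `and` keyword in those conditions binds more loosely than `&&` and RuboCop flags it in boolean expressions; `&&` with parenthesised `respond_to?(:name)` calls avoids the precedence trap (the block at gutter 171–173 of CheckScriptNotSignedAndUsingTrustedFunction has the same pattern). `codes.index("#TRUSTED") == 0` is re-evaluated for every call node at gutter 63 and 80; hoist `signed = codes.start_with?("#TRUSTED")` before the loop and use `next if signed`, and likewise `arg.text.start_with?("Secret")` in place of `index(...) == 0`. The two identical warn-and-`return fail` blocks at gutter 64–66 and 81–83 could be one private helper taking the arg.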
@@ -0,0 +1,195 @@
1
+ ################################################################################
2
+ # Copyright (c) 2016, Tenable Network Security
3
+ # All rights reserved.
4
+ #
5
+ # Redistribution and use in source and binary forms, with or without
6
+ # modification, are permitted provided that the following conditions are met:
7
+ #
8
+ # 1. Redistributions of source code must retain the above copyright notice, this
9
+ # list of conditions and the following disclaimer.
10
+ #
11
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
12
+ # this list of conditions and the following disclaimer in the documentation
13
+ # and/or other materials provided with the distribution.
14
+ #
15
+ # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
16
+ # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17
+ # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
18
+ # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
19
+ # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20
+ # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
21
+ # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
22
+ # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
23
+ # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24
+ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25
+ ################################################################################
26
+
27
+ module Pedant
28
+ class CheckScriptNotSignedAndUsingTrustedFunction < Check
29
+ def self.requires
30
+ super + [:main, :trees, :codes]
31
+ end
32
+
33
+ def run
34
+ # This check only applies to plugins.
35
+ return skip unless @kb[:main].extname == '.nasl'
36
+
37
+ tree = @kb[:trees][@kb[:main]]
38
+ codes = @kb[:codes][@kb[:main]]
39
+
40
+ tree.all(:Call).each do |node|
41
+ # builtin trusted functions
42
+ next unless [
43
+ "bind_sock_tcp",
44
+ "bind_sock_tcp6",
45
+ "bind_sock_udp",
46
+ "bind_sock_udp6",
47
+ "can_query_report",
48
+ "cfile_open",
49
+ "cfile_stat",
50
+ "db_open",
51
+ "db_open2",
52
+ "db_open_ex",
53
+ "db_query",
54
+ "db_query_foreach",
55
+ "dsa_do_sign",
56
+ "dump_interfaces",
57
+ "file_close",
58
+ "file_fstat",
59
+ "file_is_signed",
60
+ "file_md5",
61
+ "file_mkdir",
62
+ "file_mtime",
63
+ "file_open",
64
+ "file_read",
65
+ "file_rename",
66
+ "file_seek",
67
+ "file_stat",
68
+ "file_write",
69
+ "find_in_path",
70
+ "fork",
71
+ "fread",
72
+ "fwrite",
73
+ "gc",
74
+ "get_preference_file_content",
75
+ "get_preference_file_location",
76
+ "get_tmp_dir",
77
+ "inject_packet",
78
+ "is_user_root",
79
+ "kb_ssh_certificate",
80
+ "kb_ssh_login",
81
+ "kb_ssh_password",
82
+ "kb_ssh_privatekey",
83
+ "kb_ssh_publickey",
84
+ "kb_ssh_realm",
85
+ "kb_ssh_transport",
86
+ "kill",
87
+ "load_db_master_key_cli",
88
+ "mkdir",
89
+ "mkdir_ex",
90
+ "mutex_lock",
91
+ "mutex_unlock",
92
+ "nessus_get_dir",
93
+ "open_sock2",
94
+ "open_sock_ex",
95
+ "pem_to_dsa",
96
+ "pem_to_dsa2",
97
+ "pem_to_pub_rsa",
98
+ "pem_to_rsa",
99
+ "pem_to_rsa2",
100
+ "pread",
101
+ "query_report",
102
+ "readdir",
103
+ "recvfrom",
104
+ "rename",
105
+ "resolv",
106
+ "rmdir",
107
+ "rsa_sign",
108
+ "same_host",
109
+ "schematron_validate",
110
+ "script_get_preference_file_content",
111
+ "script_get_preference_file_location",
112
+ "sendto",
113
+ "set_mem_limits",
114
+ "socket_accept",
115
+ "ssl_accept3",
116
+ "ssl_accept4",
117
+ "syn_scan",
118
+ "tcp_scan",
119
+ "thread_create",
120
+ "udp_scan",
121
+ "unlink",
122
+ "untar_plugins",
123
+ "xmldsig_sign",
124
+ "xmldsig_verify",
125
+ "xmlparse",
126
+ "xsd_validate",
127
+ "xslt_apply_stylesheet",
128
+ "xslt_filter",
129
+ # trusted functions from includes
130
+ # cisco_kb_cmd_func.inc
131
+ "cisco_command_kb_item",
132
+ # macosx_func.inc
133
+ "exec_cmd",
134
+ "exec_cmds",
135
+ "get_users_homes",
136
+ # ssh_func.inc
137
+ "ssh_cmd",
138
+ # ssh1_func.inc
139
+ "ssh_cmd1",
140
+ # functions that can call open_sock2()
141
+ "enable_keepalive",
142
+ "http_is_dead",
143
+ "http_keepalive_enabled",
144
+ "http_open_soc_err",
145
+ "http_open_socket_ka",
146
+ "http_recv_body",
147
+ "http_recv_headers3",
148
+ "http_recv3",
149
+ "http_reopen_socket",
150
+ "http_send_recv_req",
151
+ "http_send_recv3",
152
+ "http_set_error"
153
+ ].include? node.name.ident.name
154
+
155
+ if [
156
+ # functions that can call open_sock2()
157
+ "enable_keepalive",
158
+ "http_is_dead",
159
+ "http_keepalive_enabled",
160
+ "http_open_soc_err",
161
+ "http_open_socket_ka",
162
+ "http_recv_body",
163
+ "http_recv_headers3",
164
+ "http_recv3",
165
+ "http_reopen_socket",
166
+ "http_send_recv_req",
167
+ "http_send_recv3",
168
+ "http_set_error"
169
+ ].include? node.name.ident.name
170
+ # check if we use the named argument 'target'
171
+ next unless node.args.any? { |arg|
172
+ arg.respond_to? :name and arg.name.respond_to? :name and arg.name.name == "target"
173
+ }
174
+ next if codes.index("#TRUSTED") == 0
175
+ report(
176
+ :warn,
177
+ "Plugin is using the function #{node.name.ident.name}() with the 'target' argument, which makes it call open_sock2(), a trusted function, and may need to be signed."
178
+ )
179
+ report(:warn, node.context())
180
+ return fail
181
+ end
182
+
183
+ next if codes.index("#TRUSTED") == 0
184
+ report(
185
+ :warn,
186
+ "Plugin is using the trusted function #{node.name.ident.name}() and may need to be signed."
187
+ )
188
+ report(:warn, node.context())
189
+ return fail
190
+ end
191
+ report(:info, "Plugin is not using a trusted function.")
192
+ pass
193
+ end
194
+ end
195
+ end
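Review bot: The list of open_sock2()-calling HTTP helpers at gutter 141–152 is repeated verbatim at gutter 156–168, and both array literals are rebuilt on every iteration of `tree.all(:Call).each`; lift them to frozen class-level constants, e.g. `OPEN_SOCK2_CALLERS = %w[...].freeze` holding the twelve http names and `TRUSTED_FUNCTIONS = (%w[...] + OPEN_SOCK2_CALLERS).freeze` for the full set, then test with `.include?(name)` where `name = node.name.ident.name`. For an already-signed plugin (`codes.index("#TRUSTED") == 0`) every matching node falls through to `next` at gutter 174 and 183, so evaluating `codes.start_with?("#TRUSTED")` once before the loop and returning pass with an info message stating the plugin is signed would be clearer and cheaper. The 'target' check at gutter 171–173 only recognises the named form `target:`; if those helpers also accept the target positionally that case is not flagged — confirm against the include files before relying on it.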