nexpose 0.5.4 → 0.5.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 00359dd620e92f676ddd3fa63454edcde20be901
-  data.tar.gz: e4232827f4eb8c05c0f3f384e9d15dc1c7b21de5
+  metadata.gz: be1927974585e905062867bb7351af429d25508f
+  data.tar.gz: 6bdddfb2e730d732b624eec8a1fb1a6d3a64cc8f
 SHA512:
-  metadata.gz: 06b52c03d3a839c289bc140c5c8c741a5119040681bdb7f4946ea9dc26d11f9e518c8ec5717a525fa072c385e7763939c268c45cbe87af9f07f7800f7071521f
-  data.tar.gz: 35fa17bad2fa38cb8333510ea62e5cd63a90051726656531b05b024bfc5f43766efa77c71b6a31fcfd6028a2293f1a43e3a99a96f7f700c0a543338a111688e1
+  metadata.gz: f1378c726f6efe3b18e57e40becbb76705bd12e0fa23e38e5c8f28bc3ace2bef5c4fb3641f64b0815d68b724225bc26fdb921fad1f1a4ae33cce722c0973ada6
+  data.tar.gz: a5a4bff4e2ac2f6935c905a12c63a8dd54ffd2c49875faa2c64f0c7c916ea00560c8c4ea3038e7399558c477a4ee7610146ea95a94de685c7124a888102ce30b

data/lib/nexpose.rb

@@ -83,7 +83,7 @@ require 'nexpose/user'
 require 'nexpose/vuln'
 require 'nexpose/vuln_exception'
 require 'nexpose/connection'
-require 'nexpose/backup'
+require 'nexpose/maint'
 
 module Nexpose
 

data/lib/nexpose/ajax.rb

@@ -120,6 +120,8 @@ module Nexpose
         response.body
       when Net::HTTPCreated
         response.body
+      when Net::HTTPUnauthorized
+        raise Nexpose::PermissionError.new(response) 
       else
         req_type = request.class.name.split('::').last.upcase
         raise Nexpose::APIError.new(response, "#{req_type} request to #{request.path} failed. #{request.body}")

data/lib/nexpose/api_request.rb

@@ -5,9 +5,6 @@ module Nexpose
     attr_reader :http
     attr_reader :uri
     attr_reader :headers
-    attr_reader :retry_count
-    attr_reader :time_out
-    attr_reader :pause
 
     attr_reader :req
     attr_reader :res
@@ -20,7 +17,7 @@ module Nexpose
     attr_reader :raw_response
     attr_reader :raw_response_data
 
-    def initialize(req, url, api_version='1.1')
+    def initialize(req, url, api_version = '1.1')
       @url = url
       @req = req
       @api_version = api_version
@@ -29,10 +26,6 @@ module Nexpose
     end
 
     def prepare_http_client
-      @retry_count = 0
-      @retry_count_max = 10
-      @time_out = 30
-      @pause = 2
       @uri = URI.parse(@url)
       @http = Net::HTTP.new(@uri.host, @uri.port)
       @http.use_ssl = true
@@ -46,11 +39,12 @@ module Nexpose
       @success = false
     end
 
-    def execute
+    def execute(options = {})
       @conn_tries = 0
 
       begin
         prepare_http_client
+        @http.read_timeout = options[:timeout] if options.key? :timeout
         @raw_response = @http.post(@uri.path, @req, @headers)
         @raw_response_data = @raw_response.read_body
         @res = parse_xml(@raw_response_data)
@@ -93,7 +87,7 @@ module Nexpose
           @conn_tries += 1
           retry
         end
-      rescue ::ArgumentError, ::NoMethodError
+      rescue ::ArgumentError, ::NoMethodError => e
         if @conn_tries < 5
           @conn_tries += 1
           retry
@@ -101,9 +95,10 @@ module Nexpose
       rescue ::Timeout::Error
         if @conn_tries < 5
           @conn_tries += 1
-          retry
+          # If an explicit timeout is set, don't retry.
+          retry unless options.key? :timeout
         end
-        @error = 'Nexpose host did not respond.'
+        @error = "Nexpose did not respond within #{@http.read_timeout} seconds."
       rescue ::Errno::EHOSTUNREACH, ::Errno::ENETDOWN, ::Errno::ENETUNREACH, ::Errno::ENETRESET, ::Errno::EHOSTDOWN, ::Errno::EACCES, ::Errno::EINVAL, ::Errno::EADDRNOTAVAIL
         @error = 'Nexpose host is unreachable.'
         # Handle console-level interrupts
@@ -127,12 +122,11 @@ module Nexpose
       @res.root.attributes(*args)
     end
 
-    def self.execute(url, req, api_version='1.1')
+    def self.execute(url, req, api_version='1.1', options = {})
       obj = self.new(req, url, api_version)
-      obj.execute
+      obj.execute(options)
       raise APIError.new(obj, "Action failed: #{obj.error}") unless obj.success
       obj
     end
-
   end
 end

data/lib/nexpose/common.rb

@@ -31,7 +31,7 @@ module Nexpose
     # Send as file attachment or zipped file to individuals who are not members
     # of the report access list. One of: file|zip
     attr_accessor :send_as
-    # Send to all the authorized users of sites, groups, and devices.
+    # Send to all the authorized users of sites, groups, and assets.
     attr_accessor :to_all_authorized
     # Send to users on the report access list.
     attr_accessor :send_to_acl_as

data/lib/nexpose/connection.rb

@@ -84,10 +84,10 @@ module Nexpose
     end
 
     # Execute an API request
-    def execute(xml, version = '1.1')
+    def execute(xml, version = '1.1', options = {})
       @request_xml = xml.to_s
       @api_version = version
-      response = APIRequest.execute(@url, @request_xml, @api_version)
+      response = APIRequest.execute(@url, @request_xml, @api_version, options)
       @response_xml = response.raw_response_data
       response
     end

data/lib/nexpose/device.rb

@@ -84,6 +84,8 @@ module Nexpose
       r = execute(make_xml('DeviceDeleteRequest', { 'device-id' => device_id }))
       r.success
     end
+
+    alias_method :delete_asset, :delete_device
   end
 
   # Object that represents a single device in a Nexpose security console.

data/lib/nexpose/group.rb

@@ -59,14 +59,18 @@ module Nexpose
   # Asset group configuration object containing Device details.
   #
   class AssetGroup < AssetGroupSummary
+    include Sanitize
+
     attr_accessor :name, :description, :id
 
     # Array[Device] of devices associated with this asset group.
-    attr_accessor :devices
+    attr_accessor :assets
+    alias :devices :assets
+    alias :devices= :assets=
 
     def initialize(name, desc, id = -1, risk = 0.0)
       @name, @description, @id, @risk_score = name, desc, id, risk
-      @devices = []
+      @assets = []
     end
 
     def save(connection)
@@ -78,18 +82,18 @@ module Nexpose
     end
 
     # Get an XML representation of the group that is valid for a save request.
-    # Note that only name, description, and device ID information is accepted
+    # Note that only name, description, and asset ID information is accepted
     # by a save request.
     #
     # @return [String] XML representation of the asset group.
     #
     def to_xml
-      xml = %(<AssetGroup id="#{@id}" name="#{@name}")
-      xml << %( description="#{@description}") if @description
+      xml = %(<AssetGroup id="#{@id}" name="#{replace_entities(@name)}")
+      xml << %( description="#{replace_entities(@description)}") if @description
       xml << '>'
       xml << '<Devices>'
-      @devices.each do |device|
-        xml << %(<device id="#{device.id}"/>)
+      @assets.each do |asset|
+        xml << %(<device id="#{asset.id}"/>)
       end
       xml << '</Devices>'
       xml << '</AssetGroup>'
@@ -102,11 +106,11 @@ module Nexpose
     # @return [Hash] Hash of site ID to Scan launch information for each scan.
     #
     def rescan_assets(connection)
-      sites_ids = @devices.map { |d| d.site_id }.uniq
+      sites_ids = @assets.map { |d| d.site_id }.uniq
       scans = {}
       sites_ids.each do |id|
-        to_scan = @devices.select { |d| d.site_id == id }
-        scans[id] = connection.scan_devices(to_scan)
+        to_scan = @assets.select { |d| d.site_id == id }
+        scans[id] = connection.scan_assets(to_scan)
       end
       scans
     end
@@ -134,11 +138,11 @@ module Nexpose
                         group.attributes['id'].to_i,
                         group.attributes['riskscore'].to_f)
       group.elements.each('Devices/device') do |dev|
-        asset_group.devices << Device.new(dev.attributes['id'].to_i,
-                                          dev.attributes['address'],
-                                          dev.attributes['site-id'].to_i,
-                                          dev.attributes['riskfactor'].to_f,
-                                          dev.attributes['riskscore'].to_f)
+        asset_group.assets << Device.new(dev.attributes['id'].to_i,
+                                         dev.attributes['address'],
+                                         dev.attributes['site-id'].to_i,
+                                         dev.attributes['riskfactor'].to_f,
+                                         dev.attributes['riskscore'].to_f)
       end
       asset_group
     end

data/lib/nexpose/{backup.rb → maint.rb}

@@ -32,6 +32,31 @@ module Nexpose
       end
     end
 
+    # Initiate database maintenance tasks to improve database performance and
+    # consistency.
+    # A restart will be initiated in order to put the product into maintenance
+    # mode while the tasks are run. It will then restart automatically.
+    #
+    # @param [Boolean] clean_up Removes any unnecessary data from the database.
+    # @param [Boolean] compress Compresses the database tables and reclaims
+    #   unused, allocated space.
+    # @param [Boolean] reindex Drops and recreates the database indexes for
+    #   improved performance.
+    # @return [Boolean] Whether a maintenance tasks are successfully initiated.
+    #
+    def db_maintenance(clean_up = false, compress = false, reindex = false)
+      return unless compress || clean_up || reindex
+      parameters = { 'cmd' => 'startMaintenance',
+                     'targetTask' => 'dbMaintenance' }
+      parameters['cleanup'] = 1 if clean_up
+      parameters['compress'] = 1 if compress
+      parameters['reindex'] = 1 if reindex
+      xml = AJAX.form_post(self, '/admin/global/maintenance/maintCmd.txml', parameters)
+      if !!(xml =~ /succeded="true"/)
+        _maintenance_restart
+      end
+    end
+
     def _maintenance_restart
       parameters = { 'cancelAllTasks' => false,
                      'cmd' => 'restartServer',

data/lib/nexpose/report.rb

@@ -226,13 +226,15 @@ module Nexpose
     # For XML-based reports, only the raw report is returned and not any images.
     #
     # @param [Connection] connection Nexpose connection.
+    # @param [Fixnum] timeout How long, in seconds, to wait for the report to
+    #   generate. Larger reports can take a significant amount of time.
     # @return Report in text format except for PDF, which returns binary data.
     #
-    def generate(connection)
+    def generate(connection, timeout = 300)
       xml = %(<ReportAdhocGenerateRequest session-id='#{connection.session_id}'>)
       xml << to_xml
       xml << '</ReportAdhocGenerateRequest>'
-      response = connection.execute(xml)
+      response = connection.execute(xml, '1.1', timeout: timeout)
       if response.success
         content_type_response = response.raw_response.header['Content-Type']
         if content_type_response =~ /multipart\/mixed;\s*boundary=([^\s]+)/
@@ -396,9 +398,9 @@ module Nexpose
   end
 
   # Object that represents a report filter which determines which sites, asset
-  # groups, and/or devices that a report is run against.
+  # groups, and/or assets that a report is run against.
   #
-  # The configuration must include at least one of device (asset), site,
+  # The configuration must include at least one of asset, site,
   # group (asset group) or scan filter to define the scope of report.
   # The vuln-status filter can be used only with raw report formats: csv
   # or raw_xml. If the vuln-status filter is not included in the configuration,
@@ -406,8 +408,9 @@ module Nexpose
   # exported by default in csv and raw_xml reports.
   #
   class Filter
+    include Sanitize
 
-    # The ID of the specific site, group, device, or scan.
+    # The ID of the specific site, group, asset, or scan.
     # For scan, this can also be "last" for the most recently run scan.
     # For vuln-status, the ID can have one of the following values:
     # 1. vulnerable-exploited (The check was positive. An exploit verified the vulnerability.)
@@ -424,7 +427,7 @@ module Nexpose
     end
 
     def to_xml
-      %(<filter id='#{@id}' type='#{@type}' />)
+      %(<filter id='#{replace_entities(@id)}' type='#{@type}' />)
     end
 
     def self.parse(xml)

data/lib/nexpose/report_template.rb

@@ -108,7 +108,9 @@ module Nexpose
     # Array of report attributes, in the order they will be present in a report.
     attr_accessor :attributes
     # Display asset names with IPs.
-    attr_accessor :show_device_names
+    attr_accessor :show_asset_names
+    alias :show_device_names :show_asset_names
+    alias :show_device_names= :show_asset_names=
 
     def initialize(name, type = 'document', id = -1, scope = 'silo', built_in = false)
       @name = name
@@ -120,7 +122,7 @@ module Nexpose
       @sections = []
       @properties = {}
       @attributes = []
-      @show_device_names = false
+      @show_asset_names = false
     end
 
     # Save the configuration for a report template.
@@ -170,7 +172,7 @@ module Nexpose
         xml << '</ReportSections>'
       end
 
-      xml << %(<Settings><showDeviceNames enabled='#{@show_device_names ? 1 : 0}' /></Settings>)
+      xml << %(<Settings><showDeviceNames enabled='#{@show_asset_names ? 1 : 0}' /></Settings>)
       xml << '</ReportTemplate>'
     end
 
@@ -198,7 +200,7 @@ module Nexpose
         end
 
         tmp.elements.each('//showDeviceNames') do |show|
-          template.show_device_names = show.attributes['enabled'] == '1'
+          template.show_asset_names = show.attributes['enabled'] == '1'
         end
 
         return template

data/lib/nexpose/role.rb

@@ -112,6 +112,7 @@ module Nexpose
   end
 
   class Role < RoleSummary
+    include Sanitize
 
     # Constants, mapping UI terms to role names expected by API.
 
@@ -231,10 +232,10 @@ module Nexpose
     end
 
     def to_xml
-      xml = %Q(<Role name="#{@name}" full-name="#{@full_name}")
+      xml = %Q(<Role name="#{replace_entities(@name)}" full-name="#{replace_entities(@full_name)}")
       xml << %Q( enabled="#{(enabled ? 'true' : 'false')}")
       xml << %Q( scope="#{@scope}">)
-      xml << %Q(<Description>#{@description}</Description>)
+      xml << %Q(<Description>#{replace_entities(@description)}</Description>)
 
       xml << '<SitePrivileges>'
       Privilege::Site::constants.each do |field|

data/lib/nexpose/scan_template.rb

@@ -34,6 +34,7 @@ module Nexpose
   # available for configuration.
   #
   class ScanTemplate
+    include Sanitize
 
     # Parsed XML of a scan template.
     attr_reader :xml
@@ -60,7 +61,7 @@ module Nexpose
     def name=(name)
       desc = REXML::XPath.first(@xml, 'ScanTemplate/templateDescription')
       if desc
-        desc.attributes['title'] = name
+        desc.attributes['title'] = replace_entities(name)
       else
         root = REXML::XPath.first(xml, 'ScanTemplate')
         desc = REXML::Element.new('templateDescription')
@@ -80,7 +81,7 @@ module Nexpose
     def description=(description)
       desc = REXML::XPath.first(@xml, 'ScanTemplate/templateDescription')
       if desc
-        desc.text = description
+        desc.text = replace_entities(description)
       else
         root = REXML::XPath.first(xml, 'ScanTemplate')
         desc = REXML::Element.new('templateDescription')

data/lib/nexpose/ticket.rb

@@ -56,10 +56,12 @@ module Nexpose
     attr_accessor :name
 
     # The asset the ticket is created for.
-    attr_accessor :device_id
+    attr_accessor :asset_id
+    alias :device_id :asset_id
+    alias :device_id= :asset_id=
 
     # The login name of person to whom the ticket is assigned.
-    # The user must have view asset privilege on the asset specified in the device-id attribute.
+    # The user must have view asset privilege on the asset specified in the asset-id attribute.
     attr_accessor :assigned_to
 
     # The relative priority of the ticket, assigned by the creator of the ticket.
@@ -82,7 +84,7 @@ module Nexpose
     def self.parse(xml)
       ticket = new(xml.attributes['name'],
                    xml.attributes['id'].to_i)
-      ticket.device_id = xml.attributes['device-id'].to_i
+      ticket.asset_id = xml.attributes['device-id'].to_i
       ticket.assigned_to = xml.attributes['assigned-to']
       lookup = Ticket::Priority.constants.reduce({}) { |a, e| a[Ticket::Priority.const_get(e)] = e; a }
       ticket.priority = lookup[xml.attributes['priority']]
@@ -178,7 +180,7 @@ module Nexpose
       xml = REXML::Element.new('TicketCreate')
       xml.add_attributes({ 'name' => @name,
                            'priority' => @priority,
-                           'device-id' => @device_id,
+                           'device-id' => @asset_id,
                            'assigned-to' => @assigned_to })
 
       vuln_xml = REXML::Element.new('Vulnerabilities')

data/lib/nexpose/user.rb

@@ -117,9 +117,9 @@ module Nexpose
       xml << %Q{ authsrcid="#{@authsrcid}"}
       xml << %Q{ name="#{replace_entities(@name)}"}
       xml << %Q{ fullname="#{replace_entities(@full_name)}"}
-      xml << %Q{ role-name="#{@role_name}"}
+      xml << %Q{ role-name="#{replace_entities(@role_name)}"}
       xml << %Q{ password="#{replace_entities(@password)}"} if @password
-      xml << %Q{ email="#{@email}"} if @email
+      xml << %Q{ email="#{replace_entities(@email)}"} if @email
       xml << %Q{ enabled="#{@enabled}"}
       # These two fields are keying off role_name to work around a defect.
       xml << %Q{ allGroups="#{@all_groups || @role_name == 'global-admin'}"}

data/lib/nexpose/vuln_exception.rb

@@ -83,13 +83,13 @@ module Nexpose
   # Certain attributes are necessary for some exception scopes, even though
   # they are optional otherwise.
   # • An exception for all instances of a vulnerability on all assets only
-  #   requires the vuln_id attribute. The device_id, vuln_key and port
+  #   requires the vuln_id attribute. The asset_id, vuln_key and port
   #   attributes are ignored for this scope type.
   # • An exception for all instances on a specific asset requires the vuln_id
-  #   and device_id attributes. The vuln_key and port attributes are ignored for
+  #   and asset_id attributes. The vuln_key and port attributes are ignored for
   #   this scope type.
   # • An exception for a specific instance of a vulnerability on a specific
-  #   asset requires the vuln_id, device_id. Additionally, the port and/or the
+  #   asset requires the vuln_id, asset_id. Additionally, the port and/or the
   #   key attribute must be specified.
   #
   class VulnException
@@ -111,9 +111,12 @@ module Nexpose
     # The scope of the exception.
     # @see Nexpose::VulnException::Scope
     attr_accessor :scope
-    # ID of device, if this exception applies to only one device.
-    attr_accessor :device_id
-    # Port on a device, if this exception applies to a specific port.
+    # ID of asset, if this exception applies to only one asset.
+    attr_accessor :asset_id
+    alias :device_id :asset_id
+    alias :device_id= :asset_id=
+
+    # Port on a asset, if this exception applies to a specific port.
     attr_accessor :port
     # The specific vulnerable component in a discovered instance of the
     # vulnerability referenced by the vuln_id, such as a program, file or user
@@ -145,9 +148,9 @@ module Nexpose
                            'reason' => @reason })
       case @scope
       when Scope::ALL_INSTANCES_ON_A_SPECIFIC_ASSET
-        xml.add_attributes({ 'device-id' => @device_id })
+        xml.add_attributes({ 'device-id' => @asset_id })
       when Scope::SPECIFIC_INSTANCE_OF_SPECIFIC_ASSET
-        xml.add_attributes({ 'device-id' => @device_id,
+        xml.add_attributes({ 'device-id' => @asset_id,
                              'port-no' => @port,
                              'vuln-key' => @vuln_key })
       end
@@ -303,12 +306,12 @@ module Nexpose
 
       case @scope
       when Scope::ALL_INSTANCES
-        @device_id = @port = @vuln_key = nil
+        @asset_id = @port = @vuln_key = nil
       when Scope::ALL_INSTANCES_ON_A_SPECIFIC_ASSET
-        raise ArgumentError.new('No device_id.') unless @device_id
+        raise ArgumentError.new('No asset_id.') unless @asset_id
         @port = @vuln_key = nil
       when Scope::SPECIFIC_INSTANCE_OF_SPECIFIC_ASSET
-        raise ArgumentError.new('No device_id.') unless @device_id
+        raise ArgumentError.new('No asset_id.') unless @asset_id
         raise ArgumentError.new('Port or vuln_key is required.') unless @port || @vuln_key
       else
         raise ArgumentError.new("Invalid scope: #{@scope}")
@@ -324,7 +327,7 @@ module Nexpose
       exception.id = xml.attributes['exception-id']
       exception.submitter = xml.attributes['submitter']
       exception.reviewer = xml.attributes['reviewer']
-      exception.device_id = xml.attributes['device-id']
+      exception.asset_id = xml.attributes['device-id']
       exception.port = xml.attributes['port-no']
       exception.vuln_key = xml.attributes['vuln-key']
       # TODO: Convert to Date/Time object?

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: nexpose
 version: !ruby/object:Gem::Version
-  version: 0.5.4
+  version: 0.5.5
 platform: ruby
 authors:
 - HD Moore
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-09-27 00:00:00.000000000 Z
+date: 2013-11-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: librex
@@ -55,7 +55,6 @@ files:
 - Rakefile
 - lib/nexpose.rb
 - lib/nexpose/pool.rb
-- lib/nexpose/backup.rb
 - lib/nexpose/group.rb
 - lib/nexpose/device.rb
 - lib/nexpose/report_template.rb
@@ -66,6 +65,7 @@ files:
 - lib/nexpose/creds.rb
 - lib/nexpose/api_request.rb
 - lib/nexpose/role.rb
+- lib/nexpose/maint.rb
 - lib/nexpose/engine.rb
 - lib/nexpose/manage.rb
 - lib/nexpose/scan.rb
@@ -105,7 +105,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.0.rc.2
+rubygems_version: 2.0.3
 signing_key: 
 specification_version: 4
 summary: Ruby API for Rapid7 Nexpose