puppet-lint-infrasecure 1.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: af41dd57d2277014626a4346718c4fecc7ac7f1bb62a544d69853058837092bc
+  data.tar.gz: 0f174a79194cdfaae29db7de3d720e5194a06ee91d9808b4db3c910c408565ed
+SHA512:
+  metadata.gz: a94c3cf0b774ec50dcc4610b7cf281768af290a025f7a282c5d7a1281e3152c9607e5cba886007a56465f416bd5458c6eaefe66545c50526a27d266a796121fd
+  data.tar.gz: 9eff8346d97c2c31b9716b276c9905e29a7e9d2cfb0e6c0e0dd7b7a40404bfb2fa1d05edb0e5d4ec2fe8ac2f9cb351a32f538fc963b623a02bccd25c342ac790

data/README.md

@@ -0,0 +1,81 @@
+# puppet-lint-infrasecure [![Gem Version](https://badge.fury.io/rb/puppet-lint-infrasecure.svg)](https://badge.fury.io/rb/puppet-lint-infrasecure)
+
+The goal of this project is to identify potential security issues in your puppet scripts. Ten different checks/plug-ins for puppet-lint are implemented. Contributions are welcome.
+
+#### Installation
+
+```
+gem install puppet-lint-infrasecure
+```
+
+#### Run
+
+```
+puppet-lint --json <file>
+```
+
+#### Security Plug-ins
+
+Usage documentation is available here.
+
+|    CWE-ID      |              Anti-Pattern              |              Example             |
+|:---------------|----------------------------------------|----------------------------------|
+|    `CWE-250`   | Admin by default credentials <br /> `admin_by_default` | `$user = 'admin'` <br />  `$pwd = 'admin'` |
+|    `CWE-798`   | Hard-coded secrets (password, user, keys) <br /> `hardcoded_secret` | `$username = 'apmirror'` |
+|    `CWE-258`   | Invalid IP address binding <br />`invalid_ip_addr_binding` | `$bind_host = '0.0.0.0'` |
+|    `CWE-319`   | Use of HTTP without TLS (whitelist config) <br /> `use_http_without_tls` | `$auth_url = 'http://127.0.0.1:35357/v2.0'` |
+|    `CWE-326`   | Usage of weak crypto algorithms (sha1, md5) <br /> `use_of_weak_crypto_algorithm` | `password => md5($debian_password)` |
+|    `CWE-521`   | Usage of weak passwords (uses [strong_password](https://github.com/bdmac/strong_password)) <br /> `weak_password` | `$pwd = '12345'` |
+|    `CWE-546`   | Suspicious comments <br /> `suspicious_comment` | `# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538392` |
+|    `CWE-829`   | Malicious dependencies (beta) <br /> `malicious_dependency` | `$postgresql_version = '8.4'` |
+|    `CWE-1007`  | Homograph Attacks (e.g., [Apple](https://www.xudongz.com/blog/2017/idn-phishing/)) <br /> `cyrillic_homograph_attack`| `$source = 'https://downloads.аpаche.org/activemq/5.17.0/apache-activemq-5.17.0-bin.zip'` |
+
+List security plug-ins:
+```
+puppet-lint --list-checks
+```
+Output should integrate the following list of plug-ins:
+
+```
+admin_by_default
+cyrillic_homograph_attack
+empty_password
+hardcoded_secret
+invalid_ip_addr_binding
+malicious_dependency
+suspicious_comment
+use_http_without_tls
+use_of_weak_crypto_algorithm
+weak_password
+```
+
+A default `whitelist` is available for `use_http_without_tls`. You can set your own personalized whitelist.
+
+1. Create `.env` file.
+2. Add the whitelist path to the `.env` file.
+```
+WHITELIST=~/path/to/whitelist
+```
+3. Whitelist Schema
+```
+<link1>
+<link2>
+<link3>
+```
+e.g.,
+
+```
+http://apt.postgresql.org/.*
+http://packages.vmware.com
+http://.*.jenkins-ci.org/.*
+```
+
+
+#### Reporting bugs
+
+Any bugs related with our plug-ins, please create an issue in our [issue tracker](https://github.com/TQRG/puppet-lint-infrasecure).
+
+#### Contributions
+
+Many other security anti-patterns may be out there, therefore feel free to contribute through a [pull request](https://github.com/TQRG/puppet-lint-infrasecure/pulls). 
+

data/lib/puppet-lint/linter.rb

@@ -0,0 +1,132 @@
+class PuppetLint::CheckPlugin
+
+   def get_malicious_cves(dependency, version)
+      path = "#{Config.dpath}#{dependency}.json"
+      cves = JSON.parse(File.read(path))
+      if !cves[version].nil?
+         return cves[version]
+      end
+   end
+
+   def get_dependencies(tokens)
+      is_resource = false
+      ftokens = []
+      dependency = ''
+      tokens.each do |token|
+
+         is_next_brace = (not token.next_code_token.nil? and token.next_code_token.type == :LBRACE)
+         is_prev_brace = (not token.prev_code_token.nil? and token.prev_code_token.type == :LBRACE)
+
+         if (token.value.downcase[Config.regex.dependencies] and token.type == :NAME and is_next_brace) or (token.value.downcase[Config.regex.dependencies] and token.type == :SSTRING and is_prev_brace)
+            is_resource = true
+            dependency = token.value.downcase[Config.regex.dependencies]
+         end 
+
+         if is_resource and token.type == :RBRACE
+            is_resource = false
+         end
+     
+         if not is_resource and not token.next_code_token.nil? 
+            if token.value.downcase[Config.regex.dependencies] and token.value.downcase[/_version/]
+               dependency = token.value.downcase[Config.regex.dependencies]
+               variable_name = "#{dependency}_version"
+               if token.value.downcase == variable_name and [:EQUALS, :FARROW].include? token.next_code_token.type
+                  ftokens += [{"token": token.next_code_token, "dependency": dependency}]
+               end
+            end
+         end
+         
+         is_assign = (not token.prev_code_token.nil? and not token.next_code_token.nil?)
+         is_version = (is_assign and token.prev_code_token.value.downcase =~ /version/)
+         
+         if is_resource and is_version and [:EQUALS, :FARROW].include? token.type and ![:VARIABLE, :NAME].include? token.next_code_token.type
+            if !token.prev_code_token.value.downcase[Config.regex.dependencies].eql? dependency and token.prev_code_token.value.downcase[Config.regex.dependencies]
+               ftokens += [{"token": token, "dependency": token.prev_code_token.value.downcase[Config.regex.dependencies]}]
+            else
+               ftokens += [{"token": token, "dependency": dependency}]
+            end
+         end
+
+      end
+      return ftokens
+   end
+
+   def get_string_tokens(tokens, token)
+      ftokens=tokens.find_all do |hash|
+         [:SSTRING, :STRING].include? hash.type and hash.value.downcase.include? token
+      end
+      return ftokens
+   end
+
+   def get_tokens(tokens, token)
+      ftokens=tokens.find_all do |hash|
+         [:NAME, :VARIABLE, :SSTRING, :STRING].include? hash.type and hash.value.downcase.include? token
+      end
+      return ftokens
+   end
+
+   def get_comments(tokens)
+      ftokens=tokens.find_all do |hash|
+         [:COMMENT, :MLCOMMENT, :SLASH_COMMENT].include? hash.type
+      end
+      return ftokens
+   end
+
+   def filter_resources(tokens, resources)
+      is_resource = false  
+      brackets = 0
+      ftokens=tokens.find_all do |hash|
+         
+         if resources.include? hash.value.downcase
+            is_resource = true
+         elsif is_resource and hash.type == :LBRACE
+            brackets += 1
+         elsif is_resource and hash.type == :RBRACE
+            brackets -=1
+         end
+
+         if is_resource and hash.type == :RBRACE and brackets == 0
+            is_resource = false
+         end
+
+         if !is_resource
+            [:NAME, :VARIABLE, :SSTRING, :STRING].include? hash.type
+         end
+      end
+      return ftokens
+   end
+
+   def filter_whitelist(tokens)
+      whitelist=Config.regex.whitelist 
+      ftokens=tokens.find_all do |hash|
+         !(whitelist =~ hash.value.downcase)
+      end
+      return ftokens
+   end
+
+   def filter_tokens_per_value(tokens, token)
+      ftokens=tokens.find_all do |hash|
+         [:NAME, :SSTRING, :STRING].include? hash.type and !hash.value.downcase.include? token
+      end
+      return ftokens
+   end
+
+   def filter_tokens(tokens)
+      ftokens=tokens.find_all do |hash|
+         [:NAME, :VARIABLE, :SSTRING, :STRING].include? hash.type
+      end
+      return ftokens
+   end
+
+   def filter_variables(tokens, keywords)
+      line = -1
+      kw_regex = Regexp.new keywords.join("|")
+      ftokens=tokens.find_all do |hash|
+         if [:NAME, :VARIABLE].include? hash.type and hash.value.downcase =~ kw_regex
+            line = hash.line
+         elsif hash.line != line
+            hash
+         end
+      end
+   end
+end

data/lib/puppet-lint/plugins/check_admin_by_default.rb

@@ -0,0 +1,26 @@
+require 'puppet-lint-infrasecure'
+
+PuppetLint.new_check(:admin_by_default) do
+
+   def check
+        ftokens = get_tokens(tokens,'admin')
+        ftokens.each do |token|
+         token_value = token.value.downcase
+         if [:EQUALS, :FARROW].include? token.prev_code_token.type
+            prev_token = token.prev_code_token
+            left_side = prev_token.prev_code_token
+            if left_side.value.downcase =~ Rules.credentials and [:VARIABLE, :NAME].include? left_side.type
+               if token_value == 'admin'
+                  notify :warning, {
+               message: "[SECURITY] Admin by default (line=#{token.line}, col=#{token.column}) | Do not make user/password as admin as for $#{prev_token.prev_code_token.value.downcase} in line #{token.line}. This can be easily exploited.",
+               line:    token.line,
+               column:  token.column,
+               token:   token_value,
+               cwe: 'CWE-250'
+            }
+               end
+            end
+         end
+      end
+   end
+end

data/lib/puppet-lint/plugins/check_cyrillic_homograph_attack.rb

@@ -0,0 +1,19 @@
+require 'puppet-lint-infrasecure'
+
+PuppetLint.new_check(:cyrillic_homograph_attack) do   
+   def check
+      ftokens = filter_tokens(tokens)
+      tokens.each do |token|
+         token_value = token.value.downcase
+         if [:STRING, :SSTRING].include? token.type and token_value =~ Rules.cyrillic 
+            notify :warning, {
+               message: "[SECURITY] Homograph Attack (line=#{token.line}, col=#{token.column}). This link (#{token_value}) has a cyrillic char. These are not rendered by browsers and are sometimes used for phishing attacks.",
+               line: token.line,
+               column: token.column,
+               token: token_value,
+               cwe: 'CWE-1007'
+            }
+         end
+      end
+   end
+end

data/lib/puppet-lint/plugins/check_empty_password.rb

@@ -0,0 +1,26 @@
+require 'puppet-lint-infrasecure'
+
+PuppetLint.new_check(:empty_password) do
+
+   def check
+      ftokens = get_string_tokens(tokens,'')
+      ftokens.each do |token|
+         token_value = token.value.downcase
+         if [:EQUALS, :FARROW].include? token.prev_code_token.type 
+            prev_token = token.prev_code_token
+            left_side = prev_token.prev_code_token
+            if left_side.value.downcase =~ Rules.password and [:VARIABLE, :NAME].include? left_side.type
+               if token_value == ''
+                  notify :warning, {
+               message: "[SECURITY] Empty Password (line=#{token.line}, col=#{token.column}) | Do not keep the password field empty as for $#{prev_token.prev_code_token.value.downcase} in line #{token.line}. Use kms/heira/vault instead.",
+               line:    token.line,
+               column:  token.column,
+               token:   token_value,
+               cwe: 'CWE-258'
+            }
+               end
+            end
+         end
+      end
+   end
+end

data/lib/puppet-lint/plugins/check_hard_coded_secret.rb

@@ -0,0 +1,31 @@
+require 'puppet-lint-infrasecure'
+
+PuppetLint.new_check(:hardcoded_secret) do
+   def check
+      # list of known credentials - not considered secrets by the community (https://puppet.com/docs/pe/2019.8/what_gets_installed_and_where.html#user_and_group_accounts_installed)
+      user_default = ['pe-puppet', 'pe-webserver', 'pe-puppetdb', 'pe-postgres', 'pe-console-services', 'pe-orchestration-services','pe-ace-server', 'pe-bolt-server']
+      # some were advised by puppet specialists
+      invalid_values = ['undefined', 'unset', 'www-data', 'wwwrun', 'www', 'no', 'yes', '[]', 'root']
+      ftokens = filter_tokens(tokens)
+      ftokens.each do |token|
+         next if token.next_code_token.nil?
+         token_value = token.value.downcase
+         token_type = token.type
+         next_token = token.next_code_token
+         # accepts <VARIABLE> <EQUALS> secret OR <NAME> <FARROW> secret, checks if <VARIABLE> | <NAME> satisfy SECRETS but not satisfy NON_SECRETS 
+         if [:VARIABLE, :NAME].include? token_type and [:EQUALS, :FARROW].include? next_token.type and token_value =~ Rules.secret and !(token_value =~ Rules.nonsecret)
+            right_side_type = next_token.next_code_token.type
+            right_side_value = next_token.next_code_token.value.downcase
+            if [:STRING, :SSTRING].include? right_side_type and right_side_value.length > 1 and !invalid_values.include? right_side_value and !(right_side_value =~ /::|\/|\.|\\/ ) and !user_default.include? right_side_value
+               notify :warning, {
+                  message: "[SECURITY] Hard Coded Secret (line=#{next_token.next_code_token.line}, col=#{next_token.next_code_token.column}) | Do not keep secrets on your scripts as for $#{token_value} = #{right_side_value} in #{next_token.next_code_token.line}. Use kms/heira/vault instead.",
+                  line:    next_token.next_code_token.line,
+                  column:  next_token.next_code_token.column,
+                  token:   right_side_value,
+                  cwe: 'CWE-798'
+               }
+            end
+         end
+      end
+   end
+end

data/lib/puppet-lint/plugins/check_invalid_ip_addr_binding.rb

@@ -0,0 +1,23 @@
+require 'puppet-lint-infrasecure'
+
+PuppetLint.new_check(:invalid_ip_addr_binding) do   
+   def check
+      ftokens = get_tokens(tokens,"0.0.0.0")
+      ftokens.each do |token|
+         token_value = token.value.downcase
+         if [:EQUALS, :FARROW].include? token.prev_code_token.type 
+            prev_token = token.prev_code_token
+            left_side = prev_token.prev_code_token
+            if token_value =~ Rules.ip_addr_bind and [:VARIABLE, :NAME].include? left_side.type
+               notify :warning, {
+               message: "[SECURITY] Invalid IP Address Binding (line=#{token.line}, col=#{token.column}) | Don\'t bind your host to #{token_value}. This config allows connections from every possible network. Restrict your available IPs.",
+               line:    token.line,
+               column:  token.column,
+               token:   token_value,
+               cwe: 'CWE-284'
+            }
+            end
+         end
+      end
+   end
+end

data/lib/puppet-lint/plugins/check_malicious_dependency.rb

@@ -0,0 +1,24 @@
+require 'puppet-lint-infrasecure'
+
+PuppetLint.new_check(:malicious_dependency) do
+   def check
+      ftokens = get_dependencies(tokens)
+      ftokens.each do |token|
+         version = token[:token].next_code_token.value.downcase
+         if version.include? "v"
+            version = version.gsub("v", "")
+         end
+         dependency = token[:dependency]
+         cves = get_malicious_cves(dependency, version)
+         if !cves.nil?
+            notify :warning, {
+               message: "[SECURITY] Malicious Dependency (line=#{token[:token].line}, col=#{token[:token].column}) | This software is using a third-party library/software (#{dependency} v#{version}) affected by known CVEs (#{cves.join(', ')}).",
+               line: token[:token].line,
+               column: token[:token].column,
+               token: token[:token].prev_code_token.value.downcase,
+               cwe: "CWE-829"
+            }
+         end
+      end
+   end
+end

data/lib/puppet-lint/plugins/check_suspicious_comment.rb

@@ -0,0 +1,19 @@
+require 'puppet-lint-infrasecure'
+
+PuppetLint.new_check(:suspicious_comment) do
+   def check
+      ftokens = get_comments(tokens)
+      ftokens.each do |token|
+         token_value = token.value.downcase
+         if (token_value =~ Rules.susp_comment)
+            notify :warning, {
+               message: "[SECURITY] Suspicious Comment (line=#{token.line}, col=#{token.column}) | Avoid doing comments containing info about a defect, missing functionality or weakness of the system.",
+               line: token.line,
+               column: token.column,
+               token: token_value,
+               cwe: 'CWE-546'
+            }
+         end
+      end
+   end
+end

data/lib/puppet-lint/plugins/check_use_http_without_tls.rb

@@ -0,0 +1,27 @@
+require 'puppet-lint-infrasecure'
+
+PuppetLint.new_check(:use_http_without_tls) do
+   def check
+      resources = ['apt::source', '::apt::source', 'wget::fetch', 'yumrepo', 'yum::', 'aptly::mirror', 'util::system_package', 'yum::managed_yumrepo']
+      ptokens = filter_resources(tokens, resources)
+      keywords = ['backport', 'key', 'download', 'uri', 'mirror']
+      ctokens = filter_variables(ptokens, keywords)
+      if Config.regex.whitelist
+         wtokens = filter_whitelist(ctokens)
+      else
+         wtokens = ptokens
+      end
+      wtokens.each do |token|
+         token_value = token.value.downcase
+         if (token_value =~ Rules.http)
+            notify :warning, {
+               message: "[SECURITY] HTTP without TLS (line=#{token.line}, col=#{token.column}) | Do not use HTTP without TLS as in #{token_value}. This may cause a MITM attack.",
+               line: token.line,
+               column: token.column,
+               token: token_value,
+               cwe: 'CWE-319'
+            }
+         end
+      end
+   end
+end

data/lib/puppet-lint/plugins/check_use_of_weak_crypto_algorithm.rb

@@ -0,0 +1,21 @@
+require 'puppet-lint-infrasecure'
+
+PuppetLint.new_check(:use_of_weak_crypto_algorithm) do
+   def check
+      tokens.each do |token|
+         token_value = token.value.downcase
+         if !token.next_token.nil?
+            next_token_type = token.next_token.type
+         end
+         if (token_value =~ Rules.poor_crypto) && (next_token_type.eql? :LPAREN)
+            notify :warning, {
+               message: "[SECURITY] Weak Crypto Algorithm (line=#{token.line}, col=#{token.column}) | Do not use #{token_value}, as they have security weakness. Use SHA-512 instead.",
+               line: token.line,
+               column: token.column,
+               token: token_value,
+               cwe: 'CWE-326'
+         }
+         end
+      end
+   end  
+end

data/lib/puppet-lint/plugins/check_weak_password.rb

@@ -0,0 +1,27 @@
+require 'puppet-lint-infrasecure'
+require 'strong_password'
+
+PuppetLint.new_check(:weak_password) do
+    def check
+        checker = StrongPassword::StrengthChecker.new
+        tokens.each do |token|
+            token_value = token.value.downcase
+            token_type = token.type
+            next if token.prev_code_token.nil? or token.next_code_token.nil?             
+            if [:EQUALS, :FARROW].include? token_type and [:VARIABLE,:NAME].include? token.prev_code_token.type
+                left_side_value = token.prev_code_token.value.downcase
+                right_side_value = token.next_code_token.value.downcase
+                right_side_token = token.next_code_token
+                if left_side_value =~ Rules.password and checker.is_weak?(right_side_value) and right_side_value != '' and token.next_code_token.type == :SSTRING
+                    notify :warning, {
+                        message: "[SECURITY] Weak Password (line=#{right_side_token.line}, col=#{right_side_token.column}) | Passwords should be strong to be hard to uncover by hackers (weak_password=#{right_side_value}). In any case, you should use kms/heira/vault to store secrets instead.",
+                        line:    right_side_token.line,
+                        column:  right_side_token.column,
+                        token:   right_side_value,
+                        cwe: 'CWE-521'
+                    }
+                end
+             end
+      end
+   end  
+end

data/lib/puppet-lint-infrasecure/config/dependencies.yml

@@ -0,0 +1,33 @@
+- activemq
+- apt
+- cassandra
+- docker
+- elasticsearch
+- gitlab
+- grafana
+- haproxy
+- jenkins
+- jira
+- kafka
+- kubernetes
+- mongodb
+- mysql
+- nagios_core
+- nginx
+- nodejs
+- ntp
+- openstack
+- openvpn
+- postgresql
+- puppet_agent
+- python
+- rabbitmq
+- redis
+- ruby
+- sqlite
+- systemd
+- tomcat
+- vault
+- wget
+- yum
+- zabbix

data/lib/puppet-lint-infrasecure/config/whitelist

@@ -0,0 +1,19 @@
+http://archives.fedoraproject.org/.*
+http://packages.elasticsearch.org/.*
+http://http.debian.net/debian/.*
+http://downloads-distro.mongodb.org/repo/.*
+http://dl.fedoraproject.org/pub/.*
+http://download.fedoraproject.org/.*
+http://download.virtualbox.org/virtualbox/.*
+http://archive.apache.org/.*
+http://links.puppetlabs.com/.*
+http://repos.fedorapeople.org
+http://fastdl.mongodb.org/.*
+http://bitbucket.org/.*
+http://download.java.net/.*
+http://github.com/.*
+http://www.prestashop.com/.*
+http://www.scala-lang.org/.*
+http://download.eclipse.org/.*
+http://apache.org/.*
+http://jdbc.postgresql.org/.*