puppet-lint-infrasecure 1.1.0 → 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/puppet-lint/linter.rb +32 -0
- data/lib/puppet-lint/plugins/check_admin_by_default.rb +22 -15
- data/lib/puppet-lint/plugins/check_cyrillic_homograph_attack.rb +16 -10
- data/lib/puppet-lint/plugins/check_empty_password.rb +15 -16
- data/lib/puppet-lint/plugins/check_hard_coded_key.rb +28 -0
- data/lib/puppet-lint/plugins/check_hard_coded_password.rb +33 -0
- data/lib/puppet-lint/plugins/check_hard_coded_secret.rb +20 -18
- data/lib/puppet-lint/plugins/check_hard_coded_username.rb +31 -0
- data/lib/puppet-lint/plugins/check_invalid_ip_addr_binding.rb +13 -12
- data/lib/puppet-lint/plugins/check_malicious_dependency.rb +2 -2
- data/lib/puppet-lint/plugins/check_suspicious_comment.rb +2 -2
- data/lib/puppet-lint/plugins/check_use_http_without_tls.rb +14 -12
- data/lib/puppet-lint/plugins/check_use_of_weak_crypto_algorithm.rb +2 -2
- data/lib/puppet-lint/plugins/check_weak_password.rb +6 -4
- data/lib/puppet-lint-infrasecure/config/default.yml +21 -0
- data/lib/puppet-lint-infrasecure/rules.rb +23 -6
- data/lib/puppet-lint-infrasecure/version.rb +1 -1
- data/spec/puppet-lint/plugins/check_admin_by_default_spec.rb +3 -3
- data/spec/puppet-lint/plugins/check_cyrillic_homograph_attack_spec.rb +1 -1
- data/spec/puppet-lint/plugins/check_empty_password_spec.rb +1 -1
- data/spec/puppet-lint/plugins/check_hard_coded_key_spec.rb +54 -0
- data/spec/puppet-lint/plugins/check_hard_coded_password_spec.rb +54 -0
- data/spec/puppet-lint/plugins/check_hard_coded_secret_spec.rb +6 -5
- data/spec/puppet-lint/plugins/check_hard_coded_username_spec.rb +54 -0
- data/spec/puppet-lint/plugins/check_invalid_ip_addr_binding_spec.rb +1 -1
- data/spec/puppet-lint/plugins/check_malicious_dependency_spec.rb +1 -1
- data/spec/puppet-lint/plugins/check_suspicious_comment_spec.rb +1 -1
- data/spec/puppet-lint/plugins/check_use_http_without_tls_spec.rb +2 -2
- data/spec/puppet-lint/plugins/check_use_of_weak_crypto_algorithm_spec.rb +1 -1
- data/spec/puppet-lint/plugins/check_weak_password_spec.rb +1 -1
- metadata +12 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1ccfc1a16704f252eb18653d27c22f1bb519afaf09c2527db4b776d0884e6846
|
|
4
|
+
data.tar.gz: bf3a2457fcb232299b77bee3ebfb379b76e1baa3b3ea52d21c8f7e39399b2bdd
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 923cb4e0e996e1e1886836447dde93f5989e691142396a98c3e435f4f04214b7fe09083bbc09f66c791e98f75d030c916a633ef5215df35beb876c98612f821b
|
|
7
|
+
data.tar.gz: f62d22690a41560085df4744427362b7ff984ddf26caac75ee1ee52d1476bf9c5daf802255b4cbe301b6a5be7cf9c6fc643e80320c7e455be14cbc7cb30c0b8a
|
data/lib/puppet-lint/linter.rb
CHANGED
|
@@ -118,6 +118,38 @@ class PuppetLint::CheckPlugin
|
|
|
118
118
|
return ftokens
|
|
119
119
|
end
|
|
120
120
|
|
|
121
|
+
def filter_credentials(tokens)
|
|
122
|
+
credentials = {}
|
|
123
|
+
tokens.each do |token|
|
|
124
|
+
next if token.next_code_token.nil?
|
|
125
|
+
next if token.prev_code_token.nil?
|
|
126
|
+
# accepts (<VARIABLE>|<NAME>) =~ SECRET (<EQUALS>|<FARROW>) !(<STRING>|<SSTRING>|<NAME>) =~ (NONSECRET AND PLACHOLDER)
|
|
127
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and token.prev_code_token.value.downcase =~ Rules.secret and !(token.next_code_token.value.downcase =~ Rules.nonsecret) and !(token.next_code_token.value.downcase =~ Rules.placeholder)
|
|
128
|
+
# check if username
|
|
129
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
130
|
+
is_username = left_side_value[Rules.username]
|
|
131
|
+
is_password = left_side_value[Rules.password]
|
|
132
|
+
if !is_username.nil?
|
|
133
|
+
puts is_username
|
|
134
|
+
context = left_side_value.gsub(is_username, '')
|
|
135
|
+
if context.length > 0
|
|
136
|
+
puts "CONTEXT", context
|
|
137
|
+
end
|
|
138
|
+
credentials.merge!(context => {:username => left_side_value }) if context.length > 0
|
|
139
|
+
end
|
|
140
|
+
if !is_password.nil?
|
|
141
|
+
puts is_password
|
|
142
|
+
context = left_side_value.gsub(is_password, '')
|
|
143
|
+
if context.length > 0
|
|
144
|
+
puts "CONTEXT", context
|
|
145
|
+
end
|
|
146
|
+
credentials.merge!(context => {:password => left_side_value }) if context.length > 0
|
|
147
|
+
end
|
|
148
|
+
end
|
|
149
|
+
end
|
|
150
|
+
puts credentials
|
|
151
|
+
end
|
|
152
|
+
|
|
121
153
|
def filter_variables(tokens, keywords)
|
|
122
154
|
line = -1
|
|
123
155
|
kw_regex = Regexp.new keywords.join("|")
|
|
@@ -3,21 +3,28 @@ require 'puppet-lint-infrasecure'
|
|
|
3
3
|
PuppetLint.new_check(:admin_by_default) do
|
|
4
4
|
|
|
5
5
|
def check
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
6
|
+
tokens.each do |token|
|
|
7
|
+
next if token.next_code_token.nil?
|
|
8
|
+
next if token.prev_code_token.nil?
|
|
9
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) (<STRING>|<SSTRING>)
|
|
10
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and [:STRING, :SSTRING].include? token.next_code_token.type
|
|
11
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
12
|
+
right_side_value = token.next_code_token.value.downcase
|
|
13
|
+
|
|
14
|
+
# left side checkers (<VARIABLE>|<NAME>)
|
|
15
|
+
if !(left_side_value =~ Rules.nonsecret) and left_side_value =~ Rules.username and !left_side_value[/(admin|root)/]
|
|
16
|
+
# right side checkers (<STRING>|<SSTRING>)
|
|
17
|
+
if !(right_side_value =~ Rules.placeholder) and right_side_value.length > 1 and !(right_side_value =~ /\/.*./ )
|
|
18
|
+
# final check
|
|
19
|
+
if ['admin', 'root'].include? right_side_value
|
|
20
|
+
notify :warning, {
|
|
21
|
+
message: "[SECURITY][CWE-250] Admin by default (line=#{token.line}, col=#{token.column}) | Do not make user as admin as for $#{left_side_value} in line #{token.line}. This can be easily exploited.",
|
|
22
|
+
line: token.line,
|
|
23
|
+
column: token.column,
|
|
24
|
+
token: right_side_value,
|
|
25
|
+
cwe: 'CWE-250'
|
|
26
|
+
}
|
|
27
|
+
end
|
|
21
28
|
end
|
|
22
29
|
end
|
|
23
30
|
end
|
|
@@ -2,17 +2,23 @@ require 'puppet-lint-infrasecure'
|
|
|
2
2
|
|
|
3
3
|
PuppetLint.new_check(:cyrillic_homograph_attack) do
|
|
4
4
|
def check
|
|
5
|
-
ftokens = filter_tokens(tokens)
|
|
6
5
|
tokens.each do |token|
|
|
7
|
-
|
|
8
|
-
if
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
6
|
+
next if token.next_code_token.nil?
|
|
7
|
+
next if token.prev_code_token.nil?
|
|
8
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) (<STRING>|<SSTRING>)
|
|
9
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and [:STRING, :SSTRING].include? token.next_code_token.type
|
|
10
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
11
|
+
right_side_value = token.next_code_token.value.downcase
|
|
12
|
+
# checks (<STRING>|<SSTRING>)
|
|
13
|
+
if right_side_value =~ Rules.cyrillic
|
|
14
|
+
notify :warning, {
|
|
15
|
+
message: "[SECURITY][CWE-1007] Homograph Attack (line=#{token.next_code_token.line}, col=#{token.next_code_token.column}). This link (#{right_side_value}) has a cyrillic char. These chars are not rendered by browsers and are sometimes used for phishing attacks. It can also result in typosquatting attacks.",
|
|
16
|
+
line: token.next_code_token.line,
|
|
17
|
+
column: token.next_code_token.column,
|
|
18
|
+
token: token.next_code_token.value,
|
|
19
|
+
cwe: 'CWE-1007'
|
|
20
|
+
}
|
|
21
|
+
end
|
|
16
22
|
end
|
|
17
23
|
end
|
|
18
24
|
end
|
|
@@ -3,22 +3,21 @@ require 'puppet-lint-infrasecure'
|
|
|
3
3
|
PuppetLint.new_check(:empty_password) do
|
|
4
4
|
|
|
5
5
|
def check
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
end
|
|
6
|
+
tokens.each do |token|
|
|
7
|
+
next if token.next_code_token.nil?
|
|
8
|
+
next if token.prev_code_token.nil?
|
|
9
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) (<STRING>|<SSTRING>)
|
|
10
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and [:STRING, :SSTRING].include? token.next_code_token.type
|
|
11
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
12
|
+
right_side_value = token.next_code_token.value.downcase
|
|
13
|
+
if left_side_value =~ Rules.password and right_side_value == ''
|
|
14
|
+
notify :warning, {
|
|
15
|
+
message: "[SECURITY][CWE-258] Empty Password (line=#{token.next_code_token.line}, col=#{token.next_code_token.column}) | Do not keep the password field empty as for $#{token.prev_code_token.value} in line #{token.prev_code_token.line}. Use a stronger password.",
|
|
16
|
+
line: token.next_code_token.line,
|
|
17
|
+
column: token.next_code_token.column,
|
|
18
|
+
token: token.next_code_token.value,
|
|
19
|
+
cwe: 'CWE-258'
|
|
20
|
+
}
|
|
22
21
|
end
|
|
23
22
|
end
|
|
24
23
|
end
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
require 'puppet-lint-infrasecure'
|
|
2
|
+
|
|
3
|
+
PuppetLint.new_check(:hardcoded_secret_key) do
|
|
4
|
+
def check
|
|
5
|
+
tokens.each do |token|
|
|
6
|
+
next if token.next_code_token.nil?
|
|
7
|
+
next if token.prev_code_token.nil?
|
|
8
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) (<STRING>|<SSTRING>)
|
|
9
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and [:STRING, :SSTRING].include? token.next_code_token.type
|
|
10
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
11
|
+
right_side_value = token.next_code_token.value.downcase
|
|
12
|
+
# checks left side (<VARIABLE>|<NAME>)
|
|
13
|
+
if left_side_value =~ Rules.key and !(left_side_value =~ Rules.nonsecret)
|
|
14
|
+
# checks right side (<STRING>|<SSTRING>)
|
|
15
|
+
if !(right_side_value =~ Rules.placeholder) and right_side_value.length > 1 and !right_side_value[/\/.*(\/)+/]
|
|
16
|
+
notify :warning, {
|
|
17
|
+
message: "[SECURITY][CWE-321] Hard Coded Key (line=#{token.next_code_token.line}, col=#{token.next_code_token.column}) | Do not keep secrets on your scripts as for $#{token.prev_code_token.value} = #{token.next_code_token.value} in line #{token.next_code_token.line}. Store secrets in a vault instead.",
|
|
18
|
+
line: token.next_code_token.line,
|
|
19
|
+
column: token.next_code_token.column,
|
|
20
|
+
token: right_side_value,
|
|
21
|
+
cwe: 'CWE-321'
|
|
22
|
+
}
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
require 'puppet-lint-infrasecure'
|
|
2
|
+
|
|
3
|
+
PuppetLint.new_check(:hardcoded_secret_password) do
|
|
4
|
+
def check
|
|
5
|
+
# list of known credentials - not considered secrets by the community (https://puppet.com/docs/pe/2019.8/what_gets_installed_and_where.html#user_and_group_accounts_installed)
|
|
6
|
+
user_default = ['pe-puppet', 'pe-webserver', 'pe-puppetdb', 'pe-postgres', 'pe-console-services', 'pe-orchestration-services','pe-ace-server', 'pe-bolt-server']
|
|
7
|
+
# some were advised by puppet specialists
|
|
8
|
+
invalid_values = ['undefined', 'unset', 'www-data', 'wwwrun', 'www', 'no', 'yes', '[]', 'undef', 'true', 'false', 'changeit', 'changeme', 'root', 'admin', 'none']
|
|
9
|
+
|
|
10
|
+
tokens.each do |token|
|
|
11
|
+
next if token.next_code_token.nil?
|
|
12
|
+
next if token.prev_code_token.nil?
|
|
13
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) !(<STRING>|<SSTRING>)
|
|
14
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and [:STRING, :SSTRING].include? token.next_code_token.type
|
|
15
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
16
|
+
right_side_value = token.next_code_token.value.downcase
|
|
17
|
+
|
|
18
|
+
if left_side_value =~ Rules.password and !(left_side_value =~ Rules.nonsecret)
|
|
19
|
+
|
|
20
|
+
if !(right_side_value =~ Rules.placeholder) and right_side_value.length > 1 and !right_side_value[/\/.*(\/)+/] and !(user_default.include? right_side_value) and !(invalid_values.include? right_side_value)
|
|
21
|
+
notify :warning, {
|
|
22
|
+
message: "[SECURITY][CWE-259] Hard Coded Password (line=#{token.next_code_token.line}, col=#{token.next_code_token.column}) | Do not keep secrets on your scripts as for $#{token.prev_code_token.value} = #{token.next_code_token.value} in line #{token.next_code_token.line}. Store secrets in a vault instead.",
|
|
23
|
+
line: token.next_code_token.line,
|
|
24
|
+
column: token.next_code_token.column,
|
|
25
|
+
token: token.next_code_token.value,
|
|
26
|
+
cwe: 'CWE-259'
|
|
27
|
+
}
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
|
@@ -5,25 +5,27 @@ PuppetLint.new_check(:hardcoded_secret) do
|
|
|
5
5
|
# list of known credentials - not considered secrets by the community (https://puppet.com/docs/pe/2019.8/what_gets_installed_and_where.html#user_and_group_accounts_installed)
|
|
6
6
|
user_default = ['pe-puppet', 'pe-webserver', 'pe-puppetdb', 'pe-postgres', 'pe-console-services', 'pe-orchestration-services','pe-ace-server', 'pe-bolt-server']
|
|
7
7
|
# some were advised by puppet specialists
|
|
8
|
-
invalid_values = ['undefined', 'unset', 'www-data', 'wwwrun', 'www', 'no', 'yes', '[]', 'root']
|
|
9
|
-
|
|
10
|
-
|
|
8
|
+
invalid_values = ['undefined', 'unset', 'www-data', 'wwwrun', 'www', 'no', 'yes', '[]', 'undef', 'true', 'false', 'changeit', 'changeme', 'root', 'admin', 'none']
|
|
9
|
+
|
|
10
|
+
tokens.each do |token|
|
|
11
11
|
next if token.next_code_token.nil?
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
12
|
+
next if token.prev_code_token.nil?
|
|
13
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) !(<STRING>|<SSTRING>)
|
|
14
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and [:STRING, :SSTRING].include? token.next_code_token.type
|
|
15
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
16
|
+
right_side_value = token.next_code_token.value.downcase
|
|
17
|
+
|
|
18
|
+
if left_side_value =~ Rules.secret and !(left_side_value =~ Rules.nonsecret)
|
|
19
|
+
|
|
20
|
+
if !(right_side_value =~ Rules.placeholder) and right_side_value.length > 1 and !right_side_value[/\/.*(\/)+/] and !(user_default.include? right_side_value) and !(invalid_values.include? right_side_value)
|
|
21
|
+
notify :warning, {
|
|
22
|
+
message: "[SECURITY][CWE-798] Hard Coded Secret (line=#{token.next_code_token.line}, col=#{token.next_code_token.column}) | Do not keep secrets on your scripts as for $#{token.prev_code_token.value} = #{token.next_code_token.value} in line #{token.next_code_token.line}. Store secrets in a vault instead.",
|
|
23
|
+
line: token.next_code_token.line,
|
|
24
|
+
column: token.next_code_token.column,
|
|
25
|
+
token: right_side_value,
|
|
26
|
+
cwe: 'CWE-798'
|
|
27
|
+
}
|
|
28
|
+
end
|
|
27
29
|
end
|
|
28
30
|
end
|
|
29
31
|
end
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
require 'puppet-lint-infrasecure'
|
|
2
|
+
|
|
3
|
+
PuppetLint.new_check(:hardcoded_secret_username) do
|
|
4
|
+
def check
|
|
5
|
+
# list of known credentials - not considered secrets by the community (https://puppet.com/docs/pe/2019.8/what_gets_installed_and_where.html#user_and_group_accounts_installed)
|
|
6
|
+
user_default = ['pe-puppet', 'pe-webserver', 'pe-puppetdb', 'pe-postgres', 'pe-console-services', 'pe-orchestration-services','pe-ace-server', 'pe-bolt-server']
|
|
7
|
+
# some were advised by puppet specialists
|
|
8
|
+
invalid_values = ['undefined', 'unset', 'www-data', 'wwwrun', 'www', 'no', 'yes', '[]', 'undef', 'true', 'false', 'changeit', 'changeme', 'root', 'admin', 'none']
|
|
9
|
+
|
|
10
|
+
tokens.each do |token|
|
|
11
|
+
next if token.next_code_token.nil?
|
|
12
|
+
next if token.prev_code_token.nil?
|
|
13
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) !(<STRING>|<SSTRING>)
|
|
14
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and [:STRING, :SSTRING].include? token.next_code_token.type
|
|
15
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
16
|
+
right_side_value = token.next_code_token.value.downcase
|
|
17
|
+
if left_side_value =~ Rules.username and !(left_side_value =~ Rules.nonsecret)
|
|
18
|
+
if !(right_side_value =~ Rules.placeholder) and right_side_value.length > 1 and !right_side_value[/\/.*(\/)+/] and !(user_default.include? right_side_value) and !(invalid_values.include? right_side_value)
|
|
19
|
+
notify :warning, {
|
|
20
|
+
message: "[SECURITY][CWE-798] Hard Coded Username (line=#{token.next_code_token.line}, col=#{token.next_code_token.column}) | Do not keep secrets on your scripts as for $#{token.prev_code_token.value} = #{token.next_code_token.value} in line #{token.next_code_token.line}. Store secrets in a vault instead.",
|
|
21
|
+
line: token.next_code_token.line,
|
|
22
|
+
column: token.next_code_token.column,
|
|
23
|
+
token: right_side_value,
|
|
24
|
+
cwe: 'CWE-798'
|
|
25
|
+
}
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
@@ -2,20 +2,21 @@ require 'puppet-lint-infrasecure'
|
|
|
2
2
|
|
|
3
3
|
PuppetLint.new_check(:invalid_ip_addr_binding) do
|
|
4
4
|
def check
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
5
|
+
tokens.each do |token|
|
|
6
|
+
next if token.next_code_token.nil?
|
|
7
|
+
next if token.prev_code_token.nil?
|
|
8
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) (<STRING>|<SSTRING>)
|
|
9
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and [:STRING, :SSTRING].include? token.next_code_token.type
|
|
10
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
11
|
+
right_side_value = token.next_code_token.value.downcase
|
|
12
|
+
if right_side_value =~ Rules.ip_addr_bind
|
|
12
13
|
notify :warning, {
|
|
13
|
-
message: "[SECURITY] Invalid IP Address Binding (line=#{token.line}, col=#{token.column}) | Don\'t bind your host to #{
|
|
14
|
-
line: token.line,
|
|
15
|
-
column: token.column,
|
|
16
|
-
token:
|
|
14
|
+
message: "[SECURITY][CWE-284] Invalid IP Address Binding (line=#{token.next_code_token.line}, col=#{token.next_code_token.column}) | Don\'t bind your host to #{token.next_code_token.value}. This config allows connections from every possible network. Restrict your available IPs.",
|
|
15
|
+
line: token.next_code_token.line,
|
|
16
|
+
column: token.next_code_token.column,
|
|
17
|
+
token: token.next_code_token.value,
|
|
17
18
|
cwe: 'CWE-284'
|
|
18
|
-
|
|
19
|
+
}
|
|
19
20
|
end
|
|
20
21
|
end
|
|
21
22
|
end
|
|
@@ -12,11 +12,11 @@ PuppetLint.new_check(:malicious_dependency) do
|
|
|
12
12
|
cves = get_malicious_cves(dependency, version)
|
|
13
13
|
if !cves.nil?
|
|
14
14
|
notify :warning, {
|
|
15
|
-
message: "[SECURITY] Malicious Dependency (line=#{token[:token].line}, col=#{token[:token].column}) | This software is using a third-party library/software (#{dependency} v#{version}) affected by known CVEs (#{cves.join(', ')}).",
|
|
15
|
+
message: "[SECURITY][CWE-829] Malicious Dependency (line=#{token[:token].line}, col=#{token[:token].column}) | This software is using a third-party library/software (#{dependency} v#{version}) affected by known CVEs (#{cves.join(', ')}).",
|
|
16
16
|
line: token[:token].line,
|
|
17
17
|
column: token[:token].column,
|
|
18
18
|
token: token[:token].prev_code_token.value.downcase,
|
|
19
|
-
cwe:
|
|
19
|
+
cwe: 'CWE-829'
|
|
20
20
|
}
|
|
21
21
|
end
|
|
22
22
|
end
|
|
@@ -5,9 +5,9 @@ PuppetLint.new_check(:suspicious_comment) do
|
|
|
5
5
|
ftokens = get_comments(tokens)
|
|
6
6
|
ftokens.each do |token|
|
|
7
7
|
token_value = token.value.downcase
|
|
8
|
-
if (token_value =~ Rules.susp_comment)
|
|
8
|
+
if ([:COMMENT, :MLCOMMENT, :SLASH_COMMENT].include? token.type) and (token_value =~ Rules.susp_comment)
|
|
9
9
|
notify :warning, {
|
|
10
|
-
message: "[SECURITY] Suspicious Comment (line=#{token.line}, col=#{token.column}) | Avoid doing comments containing info about a defect, missing functionality or weakness of the system.",
|
|
10
|
+
message: "[SECURITY][CWE-546] Suspicious Comment (line=#{token.line}, col=#{token.column}) | Avoid doing comments containing info about a defect, missing functionality or weakness of the system.",
|
|
11
11
|
line: token.line,
|
|
12
12
|
column: token.column,
|
|
13
13
|
token: token_value,
|
|
@@ -2,25 +2,27 @@ require 'puppet-lint-infrasecure'
|
|
|
2
2
|
|
|
3
3
|
PuppetLint.new_check(:use_http_without_tls) do
|
|
4
4
|
def check
|
|
5
|
-
resources = ['apt::source', '::apt::source', 'wget::fetch', 'yumrepo', 'yum::', 'aptly::mirror', 'util::system_package', 'yum::managed_yumrepo']
|
|
6
|
-
ptokens = filter_resources(tokens, resources)
|
|
7
|
-
keywords = ['backport', 'key', 'download', 'uri', 'mirror']
|
|
8
|
-
ctokens = filter_variables(ptokens, keywords)
|
|
9
5
|
if Config.regex.whitelist
|
|
10
|
-
wtokens = filter_whitelist(
|
|
6
|
+
wtokens = filter_whitelist(tokens)
|
|
11
7
|
else
|
|
12
|
-
wtokens =
|
|
8
|
+
wtokens = tokens
|
|
13
9
|
end
|
|
14
10
|
wtokens.each do |token|
|
|
15
|
-
|
|
16
|
-
if
|
|
17
|
-
|
|
18
|
-
|
|
11
|
+
next if token.next_code_token.nil?
|
|
12
|
+
next if token.prev_code_token.nil?
|
|
13
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) (<STRING>|<SSTRING>)
|
|
14
|
+
if [:EQUALS, :FARROW].include? token.prev_code_token.type and [:STRING, :SSTRING].include? token.type
|
|
15
|
+
right_side_value = token.value.downcase
|
|
16
|
+
|
|
17
|
+
if (right_side_value =~ Rules.http)
|
|
18
|
+
notify :warning, {
|
|
19
|
+
message: "[SECURITY][CWE-319] HTTP without TLS (line=#{token.line}, col=#{token.column}) | Do not use HTTP without TLS as in #{token.value}. This may cause a MITM attack.",
|
|
19
20
|
line: token.line,
|
|
20
21
|
column: token.column,
|
|
21
|
-
token:
|
|
22
|
+
token: token.value,
|
|
22
23
|
cwe: 'CWE-319'
|
|
23
|
-
|
|
24
|
+
}
|
|
25
|
+
end
|
|
24
26
|
end
|
|
25
27
|
end
|
|
26
28
|
end
|
|
@@ -9,12 +9,12 @@ PuppetLint.new_check(:use_of_weak_crypto_algorithm) do
|
|
|
9
9
|
end
|
|
10
10
|
if (token_value =~ Rules.poor_crypto) && (next_token_type.eql? :LPAREN)
|
|
11
11
|
notify :warning, {
|
|
12
|
-
message: "[SECURITY] Weak Crypto Algorithm (line=#{token.line}, col=#{token.column}) | Do not use #{token_value}, as they have security weakness. Use SHA-512 instead.",
|
|
12
|
+
message: "[SECURITY][CWE-326] Weak Crypto Algorithm (line=#{token.line}, col=#{token.column}) | Do not use #{token_value}, as they have security weakness. Use SHA-512 instead.",
|
|
13
13
|
line: token.line,
|
|
14
14
|
column: token.column,
|
|
15
15
|
token: token_value,
|
|
16
16
|
cwe: 'CWE-326'
|
|
17
|
-
|
|
17
|
+
}
|
|
18
18
|
end
|
|
19
19
|
end
|
|
20
20
|
end
|
|
@@ -10,15 +10,17 @@ PuppetLint.new_check(:weak_password) do
|
|
|
10
10
|
next if token.prev_code_token.nil? or token.next_code_token.nil?
|
|
11
11
|
if [:EQUALS, :FARROW].include? token_type and [:VARIABLE,:NAME].include? token.prev_code_token.type
|
|
12
12
|
left_side_value = token.prev_code_token.value.downcase
|
|
13
|
-
right_side_value = token.next_code_token.value
|
|
13
|
+
right_side_value = token.next_code_token.value
|
|
14
14
|
right_side_token = token.next_code_token
|
|
15
|
-
if left_side_value =~ Rules.password and checker.is_weak?(right_side_value) and right_side_value
|
|
15
|
+
if left_side_value =~ Rules.password and checker.is_weak?(right_side_value) and right_side_value.length > 1 and [:SSTRING, :STRING].include? token.next_code_token.type
|
|
16
|
+
pwd_entropy = checker.calculate_entropy(right_side_value)
|
|
16
17
|
notify :warning, {
|
|
17
|
-
message: "[SECURITY] Weak Password (line=#{right_side_token.line}, col=#{right_side_token.column}) | Passwords should be strong to be hard to uncover by hackers (weak_password=#{right_side_value}). In any case,
|
|
18
|
+
message: "[SECURITY][CWE-521] Weak Password (line=#{right_side_token.line}, col=#{right_side_token.column}) | Passwords should be strong to be hard to uncover by hackers (weak_password=#{right_side_value}, entropy=#{pwd_entropy}). Recommendation is to use a password with at least 18 bits of entropy. In any case, secrets should be stored in services like kms/heira/vault not in plain text.",
|
|
18
19
|
line: right_side_token.line,
|
|
19
20
|
column: right_side_token.column,
|
|
20
21
|
token: right_side_value,
|
|
21
|
-
cwe: 'CWE-521'
|
|
22
|
+
cwe: 'CWE-521',
|
|
23
|
+
entropy: pwd_entropy
|
|
22
24
|
}
|
|
23
25
|
end
|
|
24
26
|
end
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
user-default:
|
|
2
|
+
- pe-puppetpe-webserver
|
|
3
|
+
- pe-puppetdb
|
|
4
|
+
- pe-postgres
|
|
5
|
+
- pe-console-services
|
|
6
|
+
- pe-orchestration-services
|
|
7
|
+
- pe-ace-server
|
|
8
|
+
- pe-bolt-server
|
|
9
|
+
|
|
10
|
+
invalid-values:
|
|
11
|
+
- undefined
|
|
12
|
+
- unset
|
|
13
|
+
- www-data
|
|
14
|
+
- wwwrun
|
|
15
|
+
- www
|
|
16
|
+
- no
|
|
17
|
+
- yes
|
|
18
|
+
- []
|
|
19
|
+
- undef
|
|
20
|
+
- true
|
|
21
|
+
- false
|
|
@@ -17,22 +17,39 @@ module Rules
|
|
|
17
17
|
@password ||= /pass(word|_|$)|pwd/
|
|
18
18
|
end
|
|
19
19
|
|
|
20
|
-
def self.
|
|
21
|
-
@
|
|
20
|
+
def self.secret
|
|
21
|
+
@secret ||= /user|usr|pass(word|_|$)|pwd|(pvt|priv)+.*(cert|key|rsa|secret|ssl)+/
|
|
22
22
|
end
|
|
23
23
|
|
|
24
|
-
def self.
|
|
25
|
-
@
|
|
24
|
+
def self.key
|
|
25
|
+
@key ||= /(cert|key|rsa|secret|ssl)+/
|
|
26
26
|
end
|
|
27
27
|
|
|
28
|
-
def self.
|
|
29
|
-
@
|
|
28
|
+
def self.privkey
|
|
29
|
+
@key ||= /(pvt|priv)+.*(cert|key|rsa|secret|ssl)+/
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
|
|
33
|
+
def self.username
|
|
34
|
+
@username ||= /user|usr/
|
|
30
35
|
end
|
|
31
36
|
|
|
32
37
|
def self.nonsecret
|
|
33
38
|
@nonsecret ||= /gpg|path|type|buff|zone|mode|tag|header|scheme|length|guid/
|
|
34
39
|
end
|
|
35
40
|
|
|
41
|
+
def self.credentials
|
|
42
|
+
@credentials ||= /user|usr|pass(word|_|$)|pwd/
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def self.placeholder
|
|
46
|
+
@placeholder ||= /\${.*}|(\$)?.*::.*(::)?/
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
def self.cyrillic
|
|
50
|
+
@cyrillic ||= /^(http(s)?:\/\/)?.*\p{Cyrillic}+/
|
|
51
|
+
end
|
|
52
|
+
|
|
36
53
|
def self.ip_addr_bind
|
|
37
54
|
@ip_addr_bind ||= /^((http(s)?:\/\/)?0.0.0.0(:\d{1,5})?)$/
|
|
38
55
|
end
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'admin_by_default' do
|
|
4
|
-
let(:msg) { '[SECURITY] Admin by default (line=6, col=
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-250] Admin by default (line=6, col=22) | Do not make user as admin as for $user in line 6. This can be easily exploited.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'user configuration as admin' do
|
|
@@ -11,7 +11,7 @@ describe 'admin_by_default' do
|
|
|
11
11
|
$auth_server = '127.0.0.1',
|
|
12
12
|
$tenant = 'openstack',
|
|
13
13
|
$user = 'admin'
|
|
14
|
-
|
|
14
|
+
$admin_user = 'admin',
|
|
15
15
|
) {
|
|
16
16
|
include swift::deps
|
|
17
17
|
|
|
@@ -27,7 +27,7 @@ describe 'admin_by_default' do
|
|
|
27
27
|
end
|
|
28
28
|
|
|
29
29
|
it 'should create a warning for svnwc user config' do
|
|
30
|
-
expect(problems).to contain_warning(msg).on_line(6).in_column(
|
|
30
|
+
expect(problems).to contain_warning(msg).on_line(6).in_column(22)
|
|
31
31
|
end
|
|
32
32
|
end
|
|
33
33
|
end
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'cyrillic_homograph_attack' do
|
|
4
|
-
let(:msg) {'[SECURITY] Homograph Attack (line=2, col=35). This link (https://www.аpple.com/phish) has a cyrillic char. These are not rendered by browsers and are sometimes used for phishing attacks.' }
|
|
4
|
+
let(:msg) {'[SECURITY][CWE-1007] Homograph Attack (line=2, col=35). This link (https://www.аpple.com/phish) has a cyrillic char. These chars are not rendered by browsers and are sometimes used for phishing attacks. It can also result in typosquatting attacks.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'homograph attack using cyrillic chars not rendered by normal browsers' do
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'empty_password' do
|
|
4
|
-
let(:msg) { '[SECURITY] Empty Password (line=12, col=32) | Do not keep the password field empty as for $password in line 12. Use
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-258] Empty Password (line=12, col=32) | Do not keep the password field empty as for $password in line 12. Use a stronger password.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'code configuration using empty passwords' do
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe 'hardcoded_secret_key' do
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-321] Hard Coded Key (line=19, col=28) | Do not keep secrets on your scripts as for $private_ssl_key = D868325 in line 19. Store secrets in a vault instead.' }
|
|
5
|
+
|
|
6
|
+
context 'with fix disabled' do
|
|
7
|
+
context 'code contains hard coded usernames' do
|
|
8
|
+
let(:code) { "
|
|
9
|
+
class apmirror (
|
|
10
|
+
$uid = 508,
|
|
11
|
+
$gid = 508,
|
|
12
|
+
$group_present = 'present',
|
|
13
|
+
$groupname = 'apmirror',
|
|
14
|
+
$groups = [],
|
|
15
|
+
$service_ensure = 'running',
|
|
16
|
+
$cert = '/bin/bash',
|
|
17
|
+
$username_password = 'apmirror',
|
|
18
|
+
$packages = ['libwww-perl', 'libnet-dns-perl'],
|
|
19
|
+
){
|
|
20
|
+
package { $packages:
|
|
21
|
+
ensure => present,
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
$cert_generation_class = '::puppet::puppetserver::generate_cert'
|
|
25
|
+
|
|
26
|
+
$private_ssl_key = 'D868325'
|
|
27
|
+
$pwd = $cert
|
|
28
|
+
$pwd = 'pe-puppet'
|
|
29
|
+
|
|
30
|
+
user { $username:
|
|
31
|
+
ensure => $user_present,
|
|
32
|
+
name => $username,
|
|
33
|
+
home => '/home/${username}',
|
|
34
|
+
shell => $shell,
|
|
35
|
+
uid => $uid,
|
|
36
|
+
gid => $groupname,
|
|
37
|
+
groups => $groups,
|
|
38
|
+
managehome => true,
|
|
39
|
+
require => [ Group[$groupname], Group[$apbackup::username] ],
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
}
|
|
43
|
+
" }
|
|
44
|
+
|
|
45
|
+
it 'should detect one problem' do
|
|
46
|
+
expect(problems).to have(1).problem
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
it 'should create a warning for username hard coded config' do
|
|
50
|
+
expect(problems).to contain_warning(msg).on_line(19).in_column(28)
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
end
|
|
54
|
+
end
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe 'hardcoded_secret_password' do
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-259] Hard Coded Password (line=10, col=36) | Do not keep secrets on your scripts as for $username_password = apmirror in line 10. Store secrets in a vault instead.' }
|
|
5
|
+
|
|
6
|
+
context 'with fix disabled' do
|
|
7
|
+
context 'code contains hard coded usernames' do
|
|
8
|
+
let(:code) { "
|
|
9
|
+
class apmirror (
|
|
10
|
+
$uid = 508,
|
|
11
|
+
$gid = 508,
|
|
12
|
+
$group_present = 'present',
|
|
13
|
+
$groupname = 'apmirror',
|
|
14
|
+
$groups = [],
|
|
15
|
+
$service_ensure = 'running',
|
|
16
|
+
$cert = '/bin/bash',
|
|
17
|
+
$username_password = 'apmirror',
|
|
18
|
+
$packages = ['libwww-perl', 'libnet-dns-perl'],
|
|
19
|
+
){
|
|
20
|
+
package { $packages:
|
|
21
|
+
ensure => present,
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
$cert_generation_class = '::puppet::puppetserver::generate_cert'
|
|
25
|
+
|
|
26
|
+
$pwd = undef
|
|
27
|
+
$pwd = $cert
|
|
28
|
+
$pwd = 'pe-puppet'
|
|
29
|
+
|
|
30
|
+
user { $username:
|
|
31
|
+
ensure => $user_present,
|
|
32
|
+
name => $username,
|
|
33
|
+
home => '/home/${username}',
|
|
34
|
+
shell => $shell,
|
|
35
|
+
uid => $uid,
|
|
36
|
+
gid => $groupname,
|
|
37
|
+
groups => $groups,
|
|
38
|
+
managehome => true,
|
|
39
|
+
require => [ Group[$groupname], Group[$apbackup::username] ],
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
}
|
|
43
|
+
" }
|
|
44
|
+
|
|
45
|
+
it 'should detect one problem' do
|
|
46
|
+
expect(problems).to have(1).problem
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
it 'should create a warning for username hard coded config' do
|
|
50
|
+
expect(problems).to contain_warning(msg).on_line(10).in_column(36)
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
end
|
|
54
|
+
end
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'hardcoded_secret' do
|
|
4
|
-
let(:msg) { '[SECURITY] Hard Coded Secret (line=10, col=
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-798] Hard Coded Secret (line=10, col=36) | Do not keep secrets on your scripts as for $username_password = apmirror in line 10. Store secrets in a vault instead.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'code contains hard coded usernames' do
|
|
@@ -13,8 +13,8 @@ describe 'hardcoded_secret' do
|
|
|
13
13
|
$groupname = 'apmirror',
|
|
14
14
|
$groups = [],
|
|
15
15
|
$service_ensure = 'running',
|
|
16
|
-
$
|
|
17
|
-
$
|
|
16
|
+
$cert = '/bin/bash',
|
|
17
|
+
$username_password = 'apmirror',
|
|
18
18
|
$packages = ['libwww-perl', 'libnet-dns-perl'],
|
|
19
19
|
){
|
|
20
20
|
package { $packages:
|
|
@@ -23,7 +23,7 @@ describe 'hardcoded_secret' do
|
|
|
23
23
|
|
|
24
24
|
$cert_generation_class = '::puppet::puppetserver::generate_cert'
|
|
25
25
|
|
|
26
|
-
$pwd =
|
|
26
|
+
$pwd = undef
|
|
27
27
|
$pwd = $cert
|
|
28
28
|
$pwd = 'pe-puppet'
|
|
29
29
|
|
|
@@ -38,6 +38,7 @@ describe 'hardcoded_secret' do
|
|
|
38
38
|
managehome => true,
|
|
39
39
|
require => [ Group[$groupname], Group[$apbackup::username] ],
|
|
40
40
|
}
|
|
41
|
+
|
|
41
42
|
}
|
|
42
43
|
" }
|
|
43
44
|
|
|
@@ -46,7 +47,7 @@ describe 'hardcoded_secret' do
|
|
|
46
47
|
end
|
|
47
48
|
|
|
48
49
|
it 'should create a warning for username hard coded config' do
|
|
49
|
-
expect(problems).to contain_warning(msg).on_line(10).in_column(
|
|
50
|
+
expect(problems).to contain_warning(msg).on_line(10).in_column(36)
|
|
50
51
|
end
|
|
51
52
|
end
|
|
52
53
|
end
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe 'hardcoded_secret_username' do
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-798] Hard Coded Username (line=10, col=27) | Do not keep secrets on your scripts as for $username = apmirror in line 10. Store secrets in a vault instead.' }
|
|
5
|
+
|
|
6
|
+
context 'with fix disabled' do
|
|
7
|
+
context 'code contains hard coded usernames' do
|
|
8
|
+
let(:code) { "
|
|
9
|
+
class apmirror (
|
|
10
|
+
$uid = 508,
|
|
11
|
+
$gid = 508,
|
|
12
|
+
$group_present = 'present',
|
|
13
|
+
$groupname = 'apmirror',
|
|
14
|
+
$groups = [],
|
|
15
|
+
$service_ensure = 'running',
|
|
16
|
+
$cert = '/bin/bash',
|
|
17
|
+
$username = 'apmirror',
|
|
18
|
+
$packages = ['libwww-perl', 'libnet-dns-perl'],
|
|
19
|
+
){
|
|
20
|
+
package { $packages:
|
|
21
|
+
ensure => present,
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
$cert_generation_class = '::puppet::puppetserver::generate_cert'
|
|
25
|
+
|
|
26
|
+
$private_ssl_key = 'D868325'
|
|
27
|
+
$pwd = $cert
|
|
28
|
+
$pwd = 'pe-puppet'
|
|
29
|
+
|
|
30
|
+
user { $username:
|
|
31
|
+
ensure => $user_present,
|
|
32
|
+
name => $username,
|
|
33
|
+
home => '/home/${username}',
|
|
34
|
+
shell => $shell,
|
|
35
|
+
uid => $uid,
|
|
36
|
+
gid => $groupname,
|
|
37
|
+
groups => $groups,
|
|
38
|
+
managehome => true,
|
|
39
|
+
require => [ Group[$groupname], Group[$apbackup::username] ],
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
}
|
|
43
|
+
" }
|
|
44
|
+
|
|
45
|
+
it 'should detect one problem' do
|
|
46
|
+
expect(problems).to have(1).problem
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
it 'should create a warning for username hard coded config' do
|
|
50
|
+
expect(problems).to contain_warning(msg).on_line(10).in_column(27)
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
end
|
|
54
|
+
end
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'invalid_ip_addr_binding' do
|
|
4
|
-
let(:msg) {'[SECURITY] Invalid IP Address Binding (line=4, col=30) | Don\'t bind your host to 0.0.0.0. This config allows connections from every possible network. Restrict your available IPs.' }
|
|
4
|
+
let(:msg) {'[SECURITY][CWE-284] Invalid IP Address Binding (line=4, col=30) | Don\'t bind your host to 0.0.0.0. This config allows connections from every possible network. Restrict your available IPs.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'invalid ip adress binding configuration' do
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'malicious_dependency' do
|
|
4
|
-
let(:msg) {'[SECURITY] Malicious Dependency (line=10, col=40) | This software is using a third-party library/software (postgresql v9.4) affected by known CVEs (CVE-2017-12172, CVE-2017-15098, CVE-2017-7484, CVE-2017-7485, CVE-2017-7486, CVE-2017-7546, CVE-2017-7547, CVE-2017-7548, CVE-2016-0766, CVE-2016-0773, CVE-2016-5423, CVE-2016-5424).'}
|
|
4
|
+
let(:msg) {'[SECURITY][CWE-829] Malicious Dependency (line=10, col=40) | This software is using a third-party library/software (postgresql v9.4) affected by known CVEs (CVE-2017-12172, CVE-2017-15098, CVE-2017-7484, CVE-2017-7485, CVE-2017-7486, CVE-2017-7546, CVE-2017-7547, CVE-2017-7548, CVE-2016-0766, CVE-2016-0773, CVE-2016-5423, CVE-2016-5424).'}
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'software uses malicious dependencies' do
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'suspicious_comment' do
|
|
4
|
-
let(:msg) { '[SECURITY] Suspicious Comment (line=8, col=9) | Avoid doing comments containing info about a defect, missing functionality or weakness of the system.' }
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-546] Suspicious Comment (line=8, col=9) | Avoid doing comments containing info about a defect, missing functionality or weakness of the system.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'code with suspicious comment' do
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'use_http_without_tls' do
|
|
4
|
-
let(:msg) { '[SECURITY] HTTP without TLS (line=2, col=23) | Do not use HTTP without TLS as in http://localhost:2021. This may cause a MITM attack.' }
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-319] HTTP without TLS (line=2, col=23) | Do not use HTTP without TLS as in http://localhost:2021. This may cause a MITM attack.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'configuration using http' do
|
|
@@ -89,7 +89,7 @@ describe 'use_http_without_tls' do
|
|
|
89
89
|
" }
|
|
90
90
|
|
|
91
91
|
it 'should detect a single problem' do
|
|
92
|
-
expect(problems).to have(
|
|
92
|
+
expect(problems).to have(13).problem
|
|
93
93
|
end
|
|
94
94
|
|
|
95
95
|
it 'should create a warning' do
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'use_of_weak_crypto_algorithm' do
|
|
4
|
-
let(:msg) { '[SECURITY] Weak Crypto Algorithm (line=22, col=21) | Do not use sha1, as they have security weakness. Use SHA-512 instead.' }
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-326] Weak Crypto Algorithm (line=22, col=21) | Do not use sha1, as they have security weakness. Use SHA-512 instead.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'code using unsecure algorithms' do
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'weak_password' do
|
|
4
|
-
let(:msg) { '[SECURITY] Weak Password (line=9, col=20) | Passwords should be strong to be hard to uncover by hackers (weak_password=12345678). In any case,
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-521] Weak Password (line=9, col=20) | Passwords should be strong to be hard to uncover by hackers (weak_password=12345678, entropy=10). Recommendation is to use a password with at least 18 bits of entropy. In any case, secrets should be stored in services like kms/heira/vault not in plain text.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'code using weak password' do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: puppet-lint-infrasecure
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sofia Reis
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-03
|
|
11
|
+
date: 2022-06-03 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: puppet-lint
|
|
@@ -186,6 +186,7 @@ extra_rdoc_files: []
|
|
|
186
186
|
files:
|
|
187
187
|
- README.md
|
|
188
188
|
- lib/puppet-lint-infrasecure.rb
|
|
189
|
+
- lib/puppet-lint-infrasecure/config/default.yml
|
|
189
190
|
- lib/puppet-lint-infrasecure/config/dependencies.yml
|
|
190
191
|
- lib/puppet-lint-infrasecure/config/whitelist
|
|
191
192
|
- lib/puppet-lint-infrasecure/dependencies/activemq.json
|
|
@@ -228,7 +229,10 @@ files:
|
|
|
228
229
|
- lib/puppet-lint/plugins/check_admin_by_default.rb
|
|
229
230
|
- lib/puppet-lint/plugins/check_cyrillic_homograph_attack.rb
|
|
230
231
|
- lib/puppet-lint/plugins/check_empty_password.rb
|
|
232
|
+
- lib/puppet-lint/plugins/check_hard_coded_key.rb
|
|
233
|
+
- lib/puppet-lint/plugins/check_hard_coded_password.rb
|
|
231
234
|
- lib/puppet-lint/plugins/check_hard_coded_secret.rb
|
|
235
|
+
- lib/puppet-lint/plugins/check_hard_coded_username.rb
|
|
232
236
|
- lib/puppet-lint/plugins/check_invalid_ip_addr_binding.rb
|
|
233
237
|
- lib/puppet-lint/plugins/check_malicious_dependency.rb
|
|
234
238
|
- lib/puppet-lint/plugins/check_suspicious_comment.rb
|
|
@@ -238,7 +242,10 @@ files:
|
|
|
238
242
|
- spec/puppet-lint/plugins/check_admin_by_default_spec.rb
|
|
239
243
|
- spec/puppet-lint/plugins/check_cyrillic_homograph_attack_spec.rb
|
|
240
244
|
- spec/puppet-lint/plugins/check_empty_password_spec.rb
|
|
245
|
+
- spec/puppet-lint/plugins/check_hard_coded_key_spec.rb
|
|
246
|
+
- spec/puppet-lint/plugins/check_hard_coded_password_spec.rb
|
|
241
247
|
- spec/puppet-lint/plugins/check_hard_coded_secret_spec.rb
|
|
248
|
+
- spec/puppet-lint/plugins/check_hard_coded_username_spec.rb
|
|
242
249
|
- spec/puppet-lint/plugins/check_invalid_ip_addr_binding_spec.rb
|
|
243
250
|
- spec/puppet-lint/plugins/check_malicious_dependency_spec.rb
|
|
244
251
|
- spec/puppet-lint/plugins/check_suspicious_comment_spec.rb
|
|
@@ -274,7 +281,10 @@ test_files:
|
|
|
274
281
|
- spec/puppet-lint/plugins/check_admin_by_default_spec.rb
|
|
275
282
|
- spec/puppet-lint/plugins/check_cyrillic_homograph_attack_spec.rb
|
|
276
283
|
- spec/puppet-lint/plugins/check_empty_password_spec.rb
|
|
284
|
+
- spec/puppet-lint/plugins/check_hard_coded_key_spec.rb
|
|
285
|
+
- spec/puppet-lint/plugins/check_hard_coded_password_spec.rb
|
|
277
286
|
- spec/puppet-lint/plugins/check_hard_coded_secret_spec.rb
|
|
287
|
+
- spec/puppet-lint/plugins/check_hard_coded_username_spec.rb
|
|
278
288
|
- spec/puppet-lint/plugins/check_invalid_ip_addr_binding_spec.rb
|
|
279
289
|
- spec/puppet-lint/plugins/check_malicious_dependency_spec.rb
|
|
280
290
|
- spec/puppet-lint/plugins/check_suspicious_comment_spec.rb
|