puppet-lint-infrasecure 1.1.0 → 1.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/puppet-lint/linter.rb +32 -0
- data/lib/puppet-lint/plugins/check_admin_by_default.rb +22 -15
- data/lib/puppet-lint/plugins/check_cyrillic_homograph_attack.rb +16 -10
- data/lib/puppet-lint/plugins/check_empty_password.rb +15 -16
- data/lib/puppet-lint/plugins/check_hard_coded_key.rb +28 -0
- data/lib/puppet-lint/plugins/check_hard_coded_password.rb +33 -0
- data/lib/puppet-lint/plugins/check_hard_coded_secret.rb +20 -18
- data/lib/puppet-lint/plugins/check_hard_coded_username.rb +31 -0
- data/lib/puppet-lint/plugins/check_invalid_ip_addr_binding.rb +13 -12
- data/lib/puppet-lint/plugins/check_malicious_dependency.rb +2 -2
- data/lib/puppet-lint/plugins/check_suspicious_comment.rb +2 -2
- data/lib/puppet-lint/plugins/check_use_http_without_tls.rb +14 -12
- data/lib/puppet-lint/plugins/check_use_of_weak_crypto_algorithm.rb +2 -2
- data/lib/puppet-lint/plugins/check_weak_password.rb +6 -4
- data/lib/puppet-lint-infrasecure/config/default.yml +21 -0
- data/lib/puppet-lint-infrasecure/rules.rb +23 -6
- data/lib/puppet-lint-infrasecure/version.rb +1 -1
- data/spec/puppet-lint/plugins/check_admin_by_default_spec.rb +3 -3
- data/spec/puppet-lint/plugins/check_cyrillic_homograph_attack_spec.rb +1 -1
- data/spec/puppet-lint/plugins/check_empty_password_spec.rb +1 -1
- data/spec/puppet-lint/plugins/check_hard_coded_key_spec.rb +54 -0
- data/spec/puppet-lint/plugins/check_hard_coded_password_spec.rb +54 -0
- data/spec/puppet-lint/plugins/check_hard_coded_secret_spec.rb +6 -5
- data/spec/puppet-lint/plugins/check_hard_coded_username_spec.rb +54 -0
- data/spec/puppet-lint/plugins/check_invalid_ip_addr_binding_spec.rb +1 -1
- data/spec/puppet-lint/plugins/check_malicious_dependency_spec.rb +1 -1
- data/spec/puppet-lint/plugins/check_suspicious_comment_spec.rb +1 -1
- data/spec/puppet-lint/plugins/check_use_http_without_tls_spec.rb +2 -2
- data/spec/puppet-lint/plugins/check_use_of_weak_crypto_algorithm_spec.rb +1 -1
- data/spec/puppet-lint/plugins/check_weak_password_spec.rb +1 -1
- metadata +12 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1ccfc1a16704f252eb18653d27c22f1bb519afaf09c2527db4b776d0884e6846
|
|
4
|
+
data.tar.gz: bf3a2457fcb232299b77bee3ebfb379b76e1baa3b3ea52d21c8f7e39399b2bdd
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 923cb4e0e996e1e1886836447dde93f5989e691142396a98c3e435f4f04214b7fe09083bbc09f66c791e98f75d030c916a633ef5215df35beb876c98612f821b
|
|
7
|
+
data.tar.gz: f62d22690a41560085df4744427362b7ff984ddf26caac75ee1ee52d1476bf9c5daf802255b4cbe301b6a5be7cf9c6fc643e80320c7e455be14cbc7cb30c0b8a
|
data/lib/puppet-lint/linter.rb
CHANGED
|
@@ -118,6 +118,38 @@ class PuppetLint::CheckPlugin
|
|
|
118
118
|
return ftokens
|
|
119
119
|
end
|
|
120
120
|
|
|
121
|
+
def filter_credentials(tokens)
|
|
122
|
+
credentials = {}
|
|
123
|
+
tokens.each do |token|
|
|
124
|
+
next if token.next_code_token.nil?
|
|
125
|
+
next if token.prev_code_token.nil?
|
|
126
|
+
# accepts (<VARIABLE>|<NAME>) =~ SECRET (<EQUALS>|<FARROW>) !(<STRING>|<SSTRING>|<NAME>) =~ (NONSECRET AND PLACHOLDER)
|
|
127
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and token.prev_code_token.value.downcase =~ Rules.secret and !(token.next_code_token.value.downcase =~ Rules.nonsecret) and !(token.next_code_token.value.downcase =~ Rules.placeholder)
|
|
128
|
+
# check if username
|
|
129
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
130
|
+
is_username = left_side_value[Rules.username]
|
|
131
|
+
is_password = left_side_value[Rules.password]
|
|
132
|
+
if !is_username.nil?
|
|
133
|
+
puts is_username
|
|
134
|
+
context = left_side_value.gsub(is_username, '')
|
|
135
|
+
if context.length > 0
|
|
136
|
+
puts "CONTEXT", context
|
|
137
|
+
end
|
|
138
|
+
credentials.merge!(context => {:username => left_side_value }) if context.length > 0
|
|
139
|
+
end
|
|
140
|
+
if !is_password.nil?
|
|
141
|
+
puts is_password
|
|
142
|
+
context = left_side_value.gsub(is_password, '')
|
|
143
|
+
if context.length > 0
|
|
144
|
+
puts "CONTEXT", context
|
|
145
|
+
end
|
|
146
|
+
credentials.merge!(context => {:password => left_side_value }) if context.length > 0
|
|
147
|
+
end
|
|
148
|
+
end
|
|
149
|
+
end
|
|
150
|
+
puts credentials
|
|
151
|
+
end
|
|
152
|
+
|
|
121
153
|
def filter_variables(tokens, keywords)
|
|
122
154
|
line = -1
|
|
123
155
|
kw_regex = Regexp.new keywords.join("|")
|
|
@@ -3,21 +3,28 @@ require 'puppet-lint-infrasecure'
|
|
|
3
3
|
PuppetLint.new_check(:admin_by_default) do
|
|
4
4
|
|
|
5
5
|
def check
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
6
|
+
tokens.each do |token|
|
|
7
|
+
next if token.next_code_token.nil?
|
|
8
|
+
next if token.prev_code_token.nil?
|
|
9
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) (<STRING>|<SSTRING>)
|
|
10
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and [:STRING, :SSTRING].include? token.next_code_token.type
|
|
11
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
12
|
+
right_side_value = token.next_code_token.value.downcase
|
|
13
|
+
|
|
14
|
+
# left side checkers (<VARIABLE>|<NAME>)
|
|
15
|
+
if !(left_side_value =~ Rules.nonsecret) and left_side_value =~ Rules.username and !left_side_value[/(admin|root)/]
|
|
16
|
+
# right side checkers (<STRING>|<SSTRING>)
|
|
17
|
+
if !(right_side_value =~ Rules.placeholder) and right_side_value.length > 1 and !(right_side_value =~ /\/.*./ )
|
|
18
|
+
# final check
|
|
19
|
+
if ['admin', 'root'].include? right_side_value
|
|
20
|
+
notify :warning, {
|
|
21
|
+
message: "[SECURITY][CWE-250] Admin by default (line=#{token.line}, col=#{token.column}) | Do not make user as admin as for $#{left_side_value} in line #{token.line}. This can be easily exploited.",
|
|
22
|
+
line: token.line,
|
|
23
|
+
column: token.column,
|
|
24
|
+
token: right_side_value,
|
|
25
|
+
cwe: 'CWE-250'
|
|
26
|
+
}
|
|
27
|
+
end
|
|
21
28
|
end
|
|
22
29
|
end
|
|
23
30
|
end
|
|
@@ -2,17 +2,23 @@ require 'puppet-lint-infrasecure'
|
|
|
2
2
|
|
|
3
3
|
PuppetLint.new_check(:cyrillic_homograph_attack) do
|
|
4
4
|
def check
|
|
5
|
-
ftokens = filter_tokens(tokens)
|
|
6
5
|
tokens.each do |token|
|
|
7
|
-
|
|
8
|
-
if
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
6
|
+
next if token.next_code_token.nil?
|
|
7
|
+
next if token.prev_code_token.nil?
|
|
8
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) (<STRING>|<SSTRING>)
|
|
9
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and [:STRING, :SSTRING].include? token.next_code_token.type
|
|
10
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
11
|
+
right_side_value = token.next_code_token.value.downcase
|
|
12
|
+
# checks (<STRING>|<SSTRING>)
|
|
13
|
+
if right_side_value =~ Rules.cyrillic
|
|
14
|
+
notify :warning, {
|
|
15
|
+
message: "[SECURITY][CWE-1007] Homograph Attack (line=#{token.next_code_token.line}, col=#{token.next_code_token.column}). This link (#{right_side_value}) has a cyrillic char. These chars are not rendered by browsers and are sometimes used for phishing attacks. It can also result in typosquatting attacks.",
|
|
16
|
+
line: token.next_code_token.line,
|
|
17
|
+
column: token.next_code_token.column,
|
|
18
|
+
token: token.next_code_token.value,
|
|
19
|
+
cwe: 'CWE-1007'
|
|
20
|
+
}
|
|
21
|
+
end
|
|
16
22
|
end
|
|
17
23
|
end
|
|
18
24
|
end
|
|
@@ -3,22 +3,21 @@ require 'puppet-lint-infrasecure'
|
|
|
3
3
|
PuppetLint.new_check(:empty_password) do
|
|
4
4
|
|
|
5
5
|
def check
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
end
|
|
6
|
+
tokens.each do |token|
|
|
7
|
+
next if token.next_code_token.nil?
|
|
8
|
+
next if token.prev_code_token.nil?
|
|
9
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) (<STRING>|<SSTRING>)
|
|
10
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and [:STRING, :SSTRING].include? token.next_code_token.type
|
|
11
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
12
|
+
right_side_value = token.next_code_token.value.downcase
|
|
13
|
+
if left_side_value =~ Rules.password and right_side_value == ''
|
|
14
|
+
notify :warning, {
|
|
15
|
+
message: "[SECURITY][CWE-258] Empty Password (line=#{token.next_code_token.line}, col=#{token.next_code_token.column}) | Do not keep the password field empty as for $#{token.prev_code_token.value} in line #{token.prev_code_token.line}. Use a stronger password.",
|
|
16
|
+
line: token.next_code_token.line,
|
|
17
|
+
column: token.next_code_token.column,
|
|
18
|
+
token: token.next_code_token.value,
|
|
19
|
+
cwe: 'CWE-258'
|
|
20
|
+
}
|
|
22
21
|
end
|
|
23
22
|
end
|
|
24
23
|
end
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
require 'puppet-lint-infrasecure'
|
|
2
|
+
|
|
3
|
+
PuppetLint.new_check(:hardcoded_secret_key) do
|
|
4
|
+
def check
|
|
5
|
+
tokens.each do |token|
|
|
6
|
+
next if token.next_code_token.nil?
|
|
7
|
+
next if token.prev_code_token.nil?
|
|
8
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) (<STRING>|<SSTRING>)
|
|
9
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and [:STRING, :SSTRING].include? token.next_code_token.type
|
|
10
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
11
|
+
right_side_value = token.next_code_token.value.downcase
|
|
12
|
+
# checks left side (<VARIABLE>|<NAME>)
|
|
13
|
+
if left_side_value =~ Rules.key and !(left_side_value =~ Rules.nonsecret)
|
|
14
|
+
# checks right side (<STRING>|<SSTRING>)
|
|
15
|
+
if !(right_side_value =~ Rules.placeholder) and right_side_value.length > 1 and !right_side_value[/\/.*(\/)+/]
|
|
16
|
+
notify :warning, {
|
|
17
|
+
message: "[SECURITY][CWE-321] Hard Coded Key (line=#{token.next_code_token.line}, col=#{token.next_code_token.column}) | Do not keep secrets on your scripts as for $#{token.prev_code_token.value} = #{token.next_code_token.value} in line #{token.next_code_token.line}. Store secrets in a vault instead.",
|
|
18
|
+
line: token.next_code_token.line,
|
|
19
|
+
column: token.next_code_token.column,
|
|
20
|
+
token: right_side_value,
|
|
21
|
+
cwe: 'CWE-321'
|
|
22
|
+
}
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
require 'puppet-lint-infrasecure'
|
|
2
|
+
|
|
3
|
+
PuppetLint.new_check(:hardcoded_secret_password) do
|
|
4
|
+
def check
|
|
5
|
+
# list of known credentials - not considered secrets by the community (https://puppet.com/docs/pe/2019.8/what_gets_installed_and_where.html#user_and_group_accounts_installed)
|
|
6
|
+
user_default = ['pe-puppet', 'pe-webserver', 'pe-puppetdb', 'pe-postgres', 'pe-console-services', 'pe-orchestration-services','pe-ace-server', 'pe-bolt-server']
|
|
7
|
+
# some were advised by puppet specialists
|
|
8
|
+
invalid_values = ['undefined', 'unset', 'www-data', 'wwwrun', 'www', 'no', 'yes', '[]', 'undef', 'true', 'false', 'changeit', 'changeme', 'root', 'admin', 'none']
|
|
9
|
+
|
|
10
|
+
tokens.each do |token|
|
|
11
|
+
next if token.next_code_token.nil?
|
|
12
|
+
next if token.prev_code_token.nil?
|
|
13
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) !(<STRING>|<SSTRING>)
|
|
14
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and [:STRING, :SSTRING].include? token.next_code_token.type
|
|
15
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
16
|
+
right_side_value = token.next_code_token.value.downcase
|
|
17
|
+
|
|
18
|
+
if left_side_value =~ Rules.password and !(left_side_value =~ Rules.nonsecret)
|
|
19
|
+
|
|
20
|
+
if !(right_side_value =~ Rules.placeholder) and right_side_value.length > 1 and !right_side_value[/\/.*(\/)+/] and !(user_default.include? right_side_value) and !(invalid_values.include? right_side_value)
|
|
21
|
+
notify :warning, {
|
|
22
|
+
message: "[SECURITY][CWE-259] Hard Coded Password (line=#{token.next_code_token.line}, col=#{token.next_code_token.column}) | Do not keep secrets on your scripts as for $#{token.prev_code_token.value} = #{token.next_code_token.value} in line #{token.next_code_token.line}. Store secrets in a vault instead.",
|
|
23
|
+
line: token.next_code_token.line,
|
|
24
|
+
column: token.next_code_token.column,
|
|
25
|
+
token: token.next_code_token.value,
|
|
26
|
+
cwe: 'CWE-259'
|
|
27
|
+
}
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
|
@@ -5,25 +5,27 @@ PuppetLint.new_check(:hardcoded_secret) do
|
|
|
5
5
|
# list of known credentials - not considered secrets by the community (https://puppet.com/docs/pe/2019.8/what_gets_installed_and_where.html#user_and_group_accounts_installed)
|
|
6
6
|
user_default = ['pe-puppet', 'pe-webserver', 'pe-puppetdb', 'pe-postgres', 'pe-console-services', 'pe-orchestration-services','pe-ace-server', 'pe-bolt-server']
|
|
7
7
|
# some were advised by puppet specialists
|
|
8
|
-
invalid_values = ['undefined', 'unset', 'www-data', 'wwwrun', 'www', 'no', 'yes', '[]', 'root']
|
|
9
|
-
|
|
10
|
-
|
|
8
|
+
invalid_values = ['undefined', 'unset', 'www-data', 'wwwrun', 'www', 'no', 'yes', '[]', 'undef', 'true', 'false', 'changeit', 'changeme', 'root', 'admin', 'none']
|
|
9
|
+
|
|
10
|
+
tokens.each do |token|
|
|
11
11
|
next if token.next_code_token.nil?
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
12
|
+
next if token.prev_code_token.nil?
|
|
13
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) !(<STRING>|<SSTRING>)
|
|
14
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and [:STRING, :SSTRING].include? token.next_code_token.type
|
|
15
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
16
|
+
right_side_value = token.next_code_token.value.downcase
|
|
17
|
+
|
|
18
|
+
if left_side_value =~ Rules.secret and !(left_side_value =~ Rules.nonsecret)
|
|
19
|
+
|
|
20
|
+
if !(right_side_value =~ Rules.placeholder) and right_side_value.length > 1 and !right_side_value[/\/.*(\/)+/] and !(user_default.include? right_side_value) and !(invalid_values.include? right_side_value)
|
|
21
|
+
notify :warning, {
|
|
22
|
+
message: "[SECURITY][CWE-798] Hard Coded Secret (line=#{token.next_code_token.line}, col=#{token.next_code_token.column}) | Do not keep secrets on your scripts as for $#{token.prev_code_token.value} = #{token.next_code_token.value} in line #{token.next_code_token.line}. Store secrets in a vault instead.",
|
|
23
|
+
line: token.next_code_token.line,
|
|
24
|
+
column: token.next_code_token.column,
|
|
25
|
+
token: right_side_value,
|
|
26
|
+
cwe: 'CWE-798'
|
|
27
|
+
}
|
|
28
|
+
end
|
|
27
29
|
end
|
|
28
30
|
end
|
|
29
31
|
end
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
require 'puppet-lint-infrasecure'
|
|
2
|
+
|
|
3
|
+
PuppetLint.new_check(:hardcoded_secret_username) do
|
|
4
|
+
def check
|
|
5
|
+
# list of known credentials - not considered secrets by the community (https://puppet.com/docs/pe/2019.8/what_gets_installed_and_where.html#user_and_group_accounts_installed)
|
|
6
|
+
user_default = ['pe-puppet', 'pe-webserver', 'pe-puppetdb', 'pe-postgres', 'pe-console-services', 'pe-orchestration-services','pe-ace-server', 'pe-bolt-server']
|
|
7
|
+
# some were advised by puppet specialists
|
|
8
|
+
invalid_values = ['undefined', 'unset', 'www-data', 'wwwrun', 'www', 'no', 'yes', '[]', 'undef', 'true', 'false', 'changeit', 'changeme', 'root', 'admin', 'none']
|
|
9
|
+
|
|
10
|
+
tokens.each do |token|
|
|
11
|
+
next if token.next_code_token.nil?
|
|
12
|
+
next if token.prev_code_token.nil?
|
|
13
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) !(<STRING>|<SSTRING>)
|
|
14
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and [:STRING, :SSTRING].include? token.next_code_token.type
|
|
15
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
16
|
+
right_side_value = token.next_code_token.value.downcase
|
|
17
|
+
if left_side_value =~ Rules.username and !(left_side_value =~ Rules.nonsecret)
|
|
18
|
+
if !(right_side_value =~ Rules.placeholder) and right_side_value.length > 1 and !right_side_value[/\/.*(\/)+/] and !(user_default.include? right_side_value) and !(invalid_values.include? right_side_value)
|
|
19
|
+
notify :warning, {
|
|
20
|
+
message: "[SECURITY][CWE-798] Hard Coded Username (line=#{token.next_code_token.line}, col=#{token.next_code_token.column}) | Do not keep secrets on your scripts as for $#{token.prev_code_token.value} = #{token.next_code_token.value} in line #{token.next_code_token.line}. Store secrets in a vault instead.",
|
|
21
|
+
line: token.next_code_token.line,
|
|
22
|
+
column: token.next_code_token.column,
|
|
23
|
+
token: right_side_value,
|
|
24
|
+
cwe: 'CWE-798'
|
|
25
|
+
}
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
@@ -2,20 +2,21 @@ require 'puppet-lint-infrasecure'
|
|
|
2
2
|
|
|
3
3
|
PuppetLint.new_check(:invalid_ip_addr_binding) do
|
|
4
4
|
def check
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
5
|
+
tokens.each do |token|
|
|
6
|
+
next if token.next_code_token.nil?
|
|
7
|
+
next if token.prev_code_token.nil?
|
|
8
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) (<STRING>|<SSTRING>)
|
|
9
|
+
if [:VARIABLE, :NAME].include? token.prev_code_token.type and [:EQUALS, :FARROW].include? token.type and [:STRING, :SSTRING].include? token.next_code_token.type
|
|
10
|
+
left_side_value = token.prev_code_token.value.downcase
|
|
11
|
+
right_side_value = token.next_code_token.value.downcase
|
|
12
|
+
if right_side_value =~ Rules.ip_addr_bind
|
|
12
13
|
notify :warning, {
|
|
13
|
-
message: "[SECURITY] Invalid IP Address Binding (line=#{token.line}, col=#{token.column}) | Don\'t bind your host to #{
|
|
14
|
-
line: token.line,
|
|
15
|
-
column: token.column,
|
|
16
|
-
token:
|
|
14
|
+
message: "[SECURITY][CWE-284] Invalid IP Address Binding (line=#{token.next_code_token.line}, col=#{token.next_code_token.column}) | Don\'t bind your host to #{token.next_code_token.value}. This config allows connections from every possible network. Restrict your available IPs.",
|
|
15
|
+
line: token.next_code_token.line,
|
|
16
|
+
column: token.next_code_token.column,
|
|
17
|
+
token: token.next_code_token.value,
|
|
17
18
|
cwe: 'CWE-284'
|
|
18
|
-
|
|
19
|
+
}
|
|
19
20
|
end
|
|
20
21
|
end
|
|
21
22
|
end
|
|
@@ -12,11 +12,11 @@ PuppetLint.new_check(:malicious_dependency) do
|
|
|
12
12
|
cves = get_malicious_cves(dependency, version)
|
|
13
13
|
if !cves.nil?
|
|
14
14
|
notify :warning, {
|
|
15
|
-
message: "[SECURITY] Malicious Dependency (line=#{token[:token].line}, col=#{token[:token].column}) | This software is using a third-party library/software (#{dependency} v#{version}) affected by known CVEs (#{cves.join(', ')}).",
|
|
15
|
+
message: "[SECURITY][CWE-829] Malicious Dependency (line=#{token[:token].line}, col=#{token[:token].column}) | This software is using a third-party library/software (#{dependency} v#{version}) affected by known CVEs (#{cves.join(', ')}).",
|
|
16
16
|
line: token[:token].line,
|
|
17
17
|
column: token[:token].column,
|
|
18
18
|
token: token[:token].prev_code_token.value.downcase,
|
|
19
|
-
cwe:
|
|
19
|
+
cwe: 'CWE-829'
|
|
20
20
|
}
|
|
21
21
|
end
|
|
22
22
|
end
|
|
@@ -5,9 +5,9 @@ PuppetLint.new_check(:suspicious_comment) do
|
|
|
5
5
|
ftokens = get_comments(tokens)
|
|
6
6
|
ftokens.each do |token|
|
|
7
7
|
token_value = token.value.downcase
|
|
8
|
-
if (token_value =~ Rules.susp_comment)
|
|
8
|
+
if ([:COMMENT, :MLCOMMENT, :SLASH_COMMENT].include? token.type) and (token_value =~ Rules.susp_comment)
|
|
9
9
|
notify :warning, {
|
|
10
|
-
message: "[SECURITY] Suspicious Comment (line=#{token.line}, col=#{token.column}) | Avoid doing comments containing info about a defect, missing functionality or weakness of the system.",
|
|
10
|
+
message: "[SECURITY][CWE-546] Suspicious Comment (line=#{token.line}, col=#{token.column}) | Avoid doing comments containing info about a defect, missing functionality or weakness of the system.",
|
|
11
11
|
line: token.line,
|
|
12
12
|
column: token.column,
|
|
13
13
|
token: token_value,
|
|
@@ -2,25 +2,27 @@ require 'puppet-lint-infrasecure'
|
|
|
2
2
|
|
|
3
3
|
PuppetLint.new_check(:use_http_without_tls) do
|
|
4
4
|
def check
|
|
5
|
-
resources = ['apt::source', '::apt::source', 'wget::fetch', 'yumrepo', 'yum::', 'aptly::mirror', 'util::system_package', 'yum::managed_yumrepo']
|
|
6
|
-
ptokens = filter_resources(tokens, resources)
|
|
7
|
-
keywords = ['backport', 'key', 'download', 'uri', 'mirror']
|
|
8
|
-
ctokens = filter_variables(ptokens, keywords)
|
|
9
5
|
if Config.regex.whitelist
|
|
10
|
-
wtokens = filter_whitelist(
|
|
6
|
+
wtokens = filter_whitelist(tokens)
|
|
11
7
|
else
|
|
12
|
-
wtokens =
|
|
8
|
+
wtokens = tokens
|
|
13
9
|
end
|
|
14
10
|
wtokens.each do |token|
|
|
15
|
-
|
|
16
|
-
if
|
|
17
|
-
|
|
18
|
-
|
|
11
|
+
next if token.next_code_token.nil?
|
|
12
|
+
next if token.prev_code_token.nil?
|
|
13
|
+
# accepts (<VARIABLE>|<NAME>) (<EQUALS>|<FARROW>) (<STRING>|<SSTRING>)
|
|
14
|
+
if [:EQUALS, :FARROW].include? token.prev_code_token.type and [:STRING, :SSTRING].include? token.type
|
|
15
|
+
right_side_value = token.value.downcase
|
|
16
|
+
|
|
17
|
+
if (right_side_value =~ Rules.http)
|
|
18
|
+
notify :warning, {
|
|
19
|
+
message: "[SECURITY][CWE-319] HTTP without TLS (line=#{token.line}, col=#{token.column}) | Do not use HTTP without TLS as in #{token.value}. This may cause a MITM attack.",
|
|
19
20
|
line: token.line,
|
|
20
21
|
column: token.column,
|
|
21
|
-
token:
|
|
22
|
+
token: token.value,
|
|
22
23
|
cwe: 'CWE-319'
|
|
23
|
-
|
|
24
|
+
}
|
|
25
|
+
end
|
|
24
26
|
end
|
|
25
27
|
end
|
|
26
28
|
end
|
|
@@ -9,12 +9,12 @@ PuppetLint.new_check(:use_of_weak_crypto_algorithm) do
|
|
|
9
9
|
end
|
|
10
10
|
if (token_value =~ Rules.poor_crypto) && (next_token_type.eql? :LPAREN)
|
|
11
11
|
notify :warning, {
|
|
12
|
-
message: "[SECURITY] Weak Crypto Algorithm (line=#{token.line}, col=#{token.column}) | Do not use #{token_value}, as they have security weakness. Use SHA-512 instead.",
|
|
12
|
+
message: "[SECURITY][CWE-326] Weak Crypto Algorithm (line=#{token.line}, col=#{token.column}) | Do not use #{token_value}, as they have security weakness. Use SHA-512 instead.",
|
|
13
13
|
line: token.line,
|
|
14
14
|
column: token.column,
|
|
15
15
|
token: token_value,
|
|
16
16
|
cwe: 'CWE-326'
|
|
17
|
-
|
|
17
|
+
}
|
|
18
18
|
end
|
|
19
19
|
end
|
|
20
20
|
end
|
|
@@ -10,15 +10,17 @@ PuppetLint.new_check(:weak_password) do
|
|
|
10
10
|
next if token.prev_code_token.nil? or token.next_code_token.nil?
|
|
11
11
|
if [:EQUALS, :FARROW].include? token_type and [:VARIABLE,:NAME].include? token.prev_code_token.type
|
|
12
12
|
left_side_value = token.prev_code_token.value.downcase
|
|
13
|
-
right_side_value = token.next_code_token.value
|
|
13
|
+
right_side_value = token.next_code_token.value
|
|
14
14
|
right_side_token = token.next_code_token
|
|
15
|
-
if left_side_value =~ Rules.password and checker.is_weak?(right_side_value) and right_side_value
|
|
15
|
+
if left_side_value =~ Rules.password and checker.is_weak?(right_side_value) and right_side_value.length > 1 and [:SSTRING, :STRING].include? token.next_code_token.type
|
|
16
|
+
pwd_entropy = checker.calculate_entropy(right_side_value)
|
|
16
17
|
notify :warning, {
|
|
17
|
-
message: "[SECURITY] Weak Password (line=#{right_side_token.line}, col=#{right_side_token.column}) | Passwords should be strong to be hard to uncover by hackers (weak_password=#{right_side_value}). In any case,
|
|
18
|
+
message: "[SECURITY][CWE-521] Weak Password (line=#{right_side_token.line}, col=#{right_side_token.column}) | Passwords should be strong to be hard to uncover by hackers (weak_password=#{right_side_value}, entropy=#{pwd_entropy}). Recommendation is to use a password with at least 18 bits of entropy. In any case, secrets should be stored in services like kms/heira/vault not in plain text.",
|
|
18
19
|
line: right_side_token.line,
|
|
19
20
|
column: right_side_token.column,
|
|
20
21
|
token: right_side_value,
|
|
21
|
-
cwe: 'CWE-521'
|
|
22
|
+
cwe: 'CWE-521',
|
|
23
|
+
entropy: pwd_entropy
|
|
22
24
|
}
|
|
23
25
|
end
|
|
24
26
|
end
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
user-default:
|
|
2
|
+
- pe-puppetpe-webserver
|
|
3
|
+
- pe-puppetdb
|
|
4
|
+
- pe-postgres
|
|
5
|
+
- pe-console-services
|
|
6
|
+
- pe-orchestration-services
|
|
7
|
+
- pe-ace-server
|
|
8
|
+
- pe-bolt-server
|
|
9
|
+
|
|
10
|
+
invalid-values:
|
|
11
|
+
- undefined
|
|
12
|
+
- unset
|
|
13
|
+
- www-data
|
|
14
|
+
- wwwrun
|
|
15
|
+
- www
|
|
16
|
+
- no
|
|
17
|
+
- yes
|
|
18
|
+
- []
|
|
19
|
+
- undef
|
|
20
|
+
- true
|
|
21
|
+
- false
|
|
@@ -17,22 +17,39 @@ module Rules
|
|
|
17
17
|
@password ||= /pass(word|_|$)|pwd/
|
|
18
18
|
end
|
|
19
19
|
|
|
20
|
-
def self.
|
|
21
|
-
@
|
|
20
|
+
def self.secret
|
|
21
|
+
@secret ||= /user|usr|pass(word|_|$)|pwd|(pvt|priv)+.*(cert|key|rsa|secret|ssl)+/
|
|
22
22
|
end
|
|
23
23
|
|
|
24
|
-
def self.
|
|
25
|
-
@
|
|
24
|
+
def self.key
|
|
25
|
+
@key ||= /(cert|key|rsa|secret|ssl)+/
|
|
26
26
|
end
|
|
27
27
|
|
|
28
|
-
def self.
|
|
29
|
-
@
|
|
28
|
+
def self.privkey
|
|
29
|
+
@key ||= /(pvt|priv)+.*(cert|key|rsa|secret|ssl)+/
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
|
|
33
|
+
def self.username
|
|
34
|
+
@username ||= /user|usr/
|
|
30
35
|
end
|
|
31
36
|
|
|
32
37
|
def self.nonsecret
|
|
33
38
|
@nonsecret ||= /gpg|path|type|buff|zone|mode|tag|header|scheme|length|guid/
|
|
34
39
|
end
|
|
35
40
|
|
|
41
|
+
def self.credentials
|
|
42
|
+
@credentials ||= /user|usr|pass(word|_|$)|pwd/
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def self.placeholder
|
|
46
|
+
@placeholder ||= /\${.*}|(\$)?.*::.*(::)?/
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
def self.cyrillic
|
|
50
|
+
@cyrillic ||= /^(http(s)?:\/\/)?.*\p{Cyrillic}+/
|
|
51
|
+
end
|
|
52
|
+
|
|
36
53
|
def self.ip_addr_bind
|
|
37
54
|
@ip_addr_bind ||= /^((http(s)?:\/\/)?0.0.0.0(:\d{1,5})?)$/
|
|
38
55
|
end
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'admin_by_default' do
|
|
4
|
-
let(:msg) { '[SECURITY] Admin by default (line=6, col=
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-250] Admin by default (line=6, col=22) | Do not make user as admin as for $user in line 6. This can be easily exploited.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'user configuration as admin' do
|
|
@@ -11,7 +11,7 @@ describe 'admin_by_default' do
|
|
|
11
11
|
$auth_server = '127.0.0.1',
|
|
12
12
|
$tenant = 'openstack',
|
|
13
13
|
$user = 'admin'
|
|
14
|
-
|
|
14
|
+
$admin_user = 'admin',
|
|
15
15
|
) {
|
|
16
16
|
include swift::deps
|
|
17
17
|
|
|
@@ -27,7 +27,7 @@ describe 'admin_by_default' do
|
|
|
27
27
|
end
|
|
28
28
|
|
|
29
29
|
it 'should create a warning for svnwc user config' do
|
|
30
|
-
expect(problems).to contain_warning(msg).on_line(6).in_column(
|
|
30
|
+
expect(problems).to contain_warning(msg).on_line(6).in_column(22)
|
|
31
31
|
end
|
|
32
32
|
end
|
|
33
33
|
end
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'cyrillic_homograph_attack' do
|
|
4
|
-
let(:msg) {'[SECURITY] Homograph Attack (line=2, col=35). This link (https://www.аpple.com/phish) has a cyrillic char. These are not rendered by browsers and are sometimes used for phishing attacks.' }
|
|
4
|
+
let(:msg) {'[SECURITY][CWE-1007] Homograph Attack (line=2, col=35). This link (https://www.аpple.com/phish) has a cyrillic char. These chars are not rendered by browsers and are sometimes used for phishing attacks. It can also result in typosquatting attacks.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'homograph attack using cyrillic chars not rendered by normal browsers' do
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'empty_password' do
|
|
4
|
-
let(:msg) { '[SECURITY] Empty Password (line=12, col=32) | Do not keep the password field empty as for $password in line 12. Use
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-258] Empty Password (line=12, col=32) | Do not keep the password field empty as for $password in line 12. Use a stronger password.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'code configuration using empty passwords' do
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe 'hardcoded_secret_key' do
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-321] Hard Coded Key (line=19, col=28) | Do not keep secrets on your scripts as for $private_ssl_key = D868325 in line 19. Store secrets in a vault instead.' }
|
|
5
|
+
|
|
6
|
+
context 'with fix disabled' do
|
|
7
|
+
context 'code contains hard coded usernames' do
|
|
8
|
+
let(:code) { "
|
|
9
|
+
class apmirror (
|
|
10
|
+
$uid = 508,
|
|
11
|
+
$gid = 508,
|
|
12
|
+
$group_present = 'present',
|
|
13
|
+
$groupname = 'apmirror',
|
|
14
|
+
$groups = [],
|
|
15
|
+
$service_ensure = 'running',
|
|
16
|
+
$cert = '/bin/bash',
|
|
17
|
+
$username_password = 'apmirror',
|
|
18
|
+
$packages = ['libwww-perl', 'libnet-dns-perl'],
|
|
19
|
+
){
|
|
20
|
+
package { $packages:
|
|
21
|
+
ensure => present,
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
$cert_generation_class = '::puppet::puppetserver::generate_cert'
|
|
25
|
+
|
|
26
|
+
$private_ssl_key = 'D868325'
|
|
27
|
+
$pwd = $cert
|
|
28
|
+
$pwd = 'pe-puppet'
|
|
29
|
+
|
|
30
|
+
user { $username:
|
|
31
|
+
ensure => $user_present,
|
|
32
|
+
name => $username,
|
|
33
|
+
home => '/home/${username}',
|
|
34
|
+
shell => $shell,
|
|
35
|
+
uid => $uid,
|
|
36
|
+
gid => $groupname,
|
|
37
|
+
groups => $groups,
|
|
38
|
+
managehome => true,
|
|
39
|
+
require => [ Group[$groupname], Group[$apbackup::username] ],
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
}
|
|
43
|
+
" }
|
|
44
|
+
|
|
45
|
+
it 'should detect one problem' do
|
|
46
|
+
expect(problems).to have(1).problem
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
it 'should create a warning for username hard coded config' do
|
|
50
|
+
expect(problems).to contain_warning(msg).on_line(19).in_column(28)
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
end
|
|
54
|
+
end
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe 'hardcoded_secret_password' do
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-259] Hard Coded Password (line=10, col=36) | Do not keep secrets on your scripts as for $username_password = apmirror in line 10. Store secrets in a vault instead.' }
|
|
5
|
+
|
|
6
|
+
context 'with fix disabled' do
|
|
7
|
+
context 'code contains hard coded usernames' do
|
|
8
|
+
let(:code) { "
|
|
9
|
+
class apmirror (
|
|
10
|
+
$uid = 508,
|
|
11
|
+
$gid = 508,
|
|
12
|
+
$group_present = 'present',
|
|
13
|
+
$groupname = 'apmirror',
|
|
14
|
+
$groups = [],
|
|
15
|
+
$service_ensure = 'running',
|
|
16
|
+
$cert = '/bin/bash',
|
|
17
|
+
$username_password = 'apmirror',
|
|
18
|
+
$packages = ['libwww-perl', 'libnet-dns-perl'],
|
|
19
|
+
){
|
|
20
|
+
package { $packages:
|
|
21
|
+
ensure => present,
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
$cert_generation_class = '::puppet::puppetserver::generate_cert'
|
|
25
|
+
|
|
26
|
+
$pwd = undef
|
|
27
|
+
$pwd = $cert
|
|
28
|
+
$pwd = 'pe-puppet'
|
|
29
|
+
|
|
30
|
+
user { $username:
|
|
31
|
+
ensure => $user_present,
|
|
32
|
+
name => $username,
|
|
33
|
+
home => '/home/${username}',
|
|
34
|
+
shell => $shell,
|
|
35
|
+
uid => $uid,
|
|
36
|
+
gid => $groupname,
|
|
37
|
+
groups => $groups,
|
|
38
|
+
managehome => true,
|
|
39
|
+
require => [ Group[$groupname], Group[$apbackup::username] ],
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
}
|
|
43
|
+
" }
|
|
44
|
+
|
|
45
|
+
it 'should detect one problem' do
|
|
46
|
+
expect(problems).to have(1).problem
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
it 'should create a warning for username hard coded config' do
|
|
50
|
+
expect(problems).to contain_warning(msg).on_line(10).in_column(36)
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
end
|
|
54
|
+
end
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'hardcoded_secret' do
|
|
4
|
-
let(:msg) { '[SECURITY] Hard Coded Secret (line=10, col=
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-798] Hard Coded Secret (line=10, col=36) | Do not keep secrets on your scripts as for $username_password = apmirror in line 10. Store secrets in a vault instead.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'code contains hard coded usernames' do
|
|
@@ -13,8 +13,8 @@ describe 'hardcoded_secret' do
|
|
|
13
13
|
$groupname = 'apmirror',
|
|
14
14
|
$groups = [],
|
|
15
15
|
$service_ensure = 'running',
|
|
16
|
-
$
|
|
17
|
-
$
|
|
16
|
+
$cert = '/bin/bash',
|
|
17
|
+
$username_password = 'apmirror',
|
|
18
18
|
$packages = ['libwww-perl', 'libnet-dns-perl'],
|
|
19
19
|
){
|
|
20
20
|
package { $packages:
|
|
@@ -23,7 +23,7 @@ describe 'hardcoded_secret' do
|
|
|
23
23
|
|
|
24
24
|
$cert_generation_class = '::puppet::puppetserver::generate_cert'
|
|
25
25
|
|
|
26
|
-
$pwd =
|
|
26
|
+
$pwd = undef
|
|
27
27
|
$pwd = $cert
|
|
28
28
|
$pwd = 'pe-puppet'
|
|
29
29
|
|
|
@@ -38,6 +38,7 @@ describe 'hardcoded_secret' do
|
|
|
38
38
|
managehome => true,
|
|
39
39
|
require => [ Group[$groupname], Group[$apbackup::username] ],
|
|
40
40
|
}
|
|
41
|
+
|
|
41
42
|
}
|
|
42
43
|
" }
|
|
43
44
|
|
|
@@ -46,7 +47,7 @@ describe 'hardcoded_secret' do
|
|
|
46
47
|
end
|
|
47
48
|
|
|
48
49
|
it 'should create a warning for username hard coded config' do
|
|
49
|
-
expect(problems).to contain_warning(msg).on_line(10).in_column(
|
|
50
|
+
expect(problems).to contain_warning(msg).on_line(10).in_column(36)
|
|
50
51
|
end
|
|
51
52
|
end
|
|
52
53
|
end
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe 'hardcoded_secret_username' do
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-798] Hard Coded Username (line=10, col=27) | Do not keep secrets on your scripts as for $username = apmirror in line 10. Store secrets in a vault instead.' }
|
|
5
|
+
|
|
6
|
+
context 'with fix disabled' do
|
|
7
|
+
context 'code contains hard coded usernames' do
|
|
8
|
+
let(:code) { "
|
|
9
|
+
class apmirror (
|
|
10
|
+
$uid = 508,
|
|
11
|
+
$gid = 508,
|
|
12
|
+
$group_present = 'present',
|
|
13
|
+
$groupname = 'apmirror',
|
|
14
|
+
$groups = [],
|
|
15
|
+
$service_ensure = 'running',
|
|
16
|
+
$cert = '/bin/bash',
|
|
17
|
+
$username = 'apmirror',
|
|
18
|
+
$packages = ['libwww-perl', 'libnet-dns-perl'],
|
|
19
|
+
){
|
|
20
|
+
package { $packages:
|
|
21
|
+
ensure => present,
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
$cert_generation_class = '::puppet::puppetserver::generate_cert'
|
|
25
|
+
|
|
26
|
+
$private_ssl_key = 'D868325'
|
|
27
|
+
$pwd = $cert
|
|
28
|
+
$pwd = 'pe-puppet'
|
|
29
|
+
|
|
30
|
+
user { $username:
|
|
31
|
+
ensure => $user_present,
|
|
32
|
+
name => $username,
|
|
33
|
+
home => '/home/${username}',
|
|
34
|
+
shell => $shell,
|
|
35
|
+
uid => $uid,
|
|
36
|
+
gid => $groupname,
|
|
37
|
+
groups => $groups,
|
|
38
|
+
managehome => true,
|
|
39
|
+
require => [ Group[$groupname], Group[$apbackup::username] ],
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
}
|
|
43
|
+
" }
|
|
44
|
+
|
|
45
|
+
it 'should detect one problem' do
|
|
46
|
+
expect(problems).to have(1).problem
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
it 'should create a warning for username hard coded config' do
|
|
50
|
+
expect(problems).to contain_warning(msg).on_line(10).in_column(27)
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
end
|
|
54
|
+
end
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'invalid_ip_addr_binding' do
|
|
4
|
-
let(:msg) {'[SECURITY] Invalid IP Address Binding (line=4, col=30) | Don\'t bind your host to 0.0.0.0. This config allows connections from every possible network. Restrict your available IPs.' }
|
|
4
|
+
let(:msg) {'[SECURITY][CWE-284] Invalid IP Address Binding (line=4, col=30) | Don\'t bind your host to 0.0.0.0. This config allows connections from every possible network. Restrict your available IPs.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'invalid ip adress binding configuration' do
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'malicious_dependency' do
|
|
4
|
-
let(:msg) {'[SECURITY] Malicious Dependency (line=10, col=40) | This software is using a third-party library/software (postgresql v9.4) affected by known CVEs (CVE-2017-12172, CVE-2017-15098, CVE-2017-7484, CVE-2017-7485, CVE-2017-7486, CVE-2017-7546, CVE-2017-7547, CVE-2017-7548, CVE-2016-0766, CVE-2016-0773, CVE-2016-5423, CVE-2016-5424).'}
|
|
4
|
+
let(:msg) {'[SECURITY][CWE-829] Malicious Dependency (line=10, col=40) | This software is using a third-party library/software (postgresql v9.4) affected by known CVEs (CVE-2017-12172, CVE-2017-15098, CVE-2017-7484, CVE-2017-7485, CVE-2017-7486, CVE-2017-7546, CVE-2017-7547, CVE-2017-7548, CVE-2016-0766, CVE-2016-0773, CVE-2016-5423, CVE-2016-5424).'}
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'software uses malicious dependencies' do
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'suspicious_comment' do
|
|
4
|
-
let(:msg) { '[SECURITY] Suspicious Comment (line=8, col=9) | Avoid doing comments containing info about a defect, missing functionality or weakness of the system.' }
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-546] Suspicious Comment (line=8, col=9) | Avoid doing comments containing info about a defect, missing functionality or weakness of the system.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'code with suspicious comment' do
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'use_http_without_tls' do
|
|
4
|
-
let(:msg) { '[SECURITY] HTTP without TLS (line=2, col=23) | Do not use HTTP without TLS as in http://localhost:2021. This may cause a MITM attack.' }
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-319] HTTP without TLS (line=2, col=23) | Do not use HTTP without TLS as in http://localhost:2021. This may cause a MITM attack.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'configuration using http' do
|
|
@@ -89,7 +89,7 @@ describe 'use_http_without_tls' do
|
|
|
89
89
|
" }
|
|
90
90
|
|
|
91
91
|
it 'should detect a single problem' do
|
|
92
|
-
expect(problems).to have(
|
|
92
|
+
expect(problems).to have(13).problem
|
|
93
93
|
end
|
|
94
94
|
|
|
95
95
|
it 'should create a warning' do
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'use_of_weak_crypto_algorithm' do
|
|
4
|
-
let(:msg) { '[SECURITY] Weak Crypto Algorithm (line=22, col=21) | Do not use sha1, as they have security weakness. Use SHA-512 instead.' }
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-326] Weak Crypto Algorithm (line=22, col=21) | Do not use sha1, as they have security weakness. Use SHA-512 instead.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'code using unsecure algorithms' do
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe 'weak_password' do
|
|
4
|
-
let(:msg) { '[SECURITY] Weak Password (line=9, col=20) | Passwords should be strong to be hard to uncover by hackers (weak_password=12345678). In any case,
|
|
4
|
+
let(:msg) { '[SECURITY][CWE-521] Weak Password (line=9, col=20) | Passwords should be strong to be hard to uncover by hackers (weak_password=12345678, entropy=10). Recommendation is to use a password with at least 18 bits of entropy. In any case, secrets should be stored in services like kms/heira/vault not in plain text.' }
|
|
5
5
|
|
|
6
6
|
context 'with fix disabled' do
|
|
7
7
|
context 'code using weak password' do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: puppet-lint-infrasecure
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sofia Reis
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-03
|
|
11
|
+
date: 2022-06-03 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: puppet-lint
|
|
@@ -186,6 +186,7 @@ extra_rdoc_files: []
|
|
|
186
186
|
files:
|
|
187
187
|
- README.md
|
|
188
188
|
- lib/puppet-lint-infrasecure.rb
|
|
189
|
+
- lib/puppet-lint-infrasecure/config/default.yml
|
|
189
190
|
- lib/puppet-lint-infrasecure/config/dependencies.yml
|
|
190
191
|
- lib/puppet-lint-infrasecure/config/whitelist
|
|
191
192
|
- lib/puppet-lint-infrasecure/dependencies/activemq.json
|
|
@@ -228,7 +229,10 @@ files:
|
|
|
228
229
|
- lib/puppet-lint/plugins/check_admin_by_default.rb
|
|
229
230
|
- lib/puppet-lint/plugins/check_cyrillic_homograph_attack.rb
|
|
230
231
|
- lib/puppet-lint/plugins/check_empty_password.rb
|
|
232
|
+
- lib/puppet-lint/plugins/check_hard_coded_key.rb
|
|
233
|
+
- lib/puppet-lint/plugins/check_hard_coded_password.rb
|
|
231
234
|
- lib/puppet-lint/plugins/check_hard_coded_secret.rb
|
|
235
|
+
- lib/puppet-lint/plugins/check_hard_coded_username.rb
|
|
232
236
|
- lib/puppet-lint/plugins/check_invalid_ip_addr_binding.rb
|
|
233
237
|
- lib/puppet-lint/plugins/check_malicious_dependency.rb
|
|
234
238
|
- lib/puppet-lint/plugins/check_suspicious_comment.rb
|
|
@@ -238,7 +242,10 @@ files:
|
|
|
238
242
|
- spec/puppet-lint/plugins/check_admin_by_default_spec.rb
|
|
239
243
|
- spec/puppet-lint/plugins/check_cyrillic_homograph_attack_spec.rb
|
|
240
244
|
- spec/puppet-lint/plugins/check_empty_password_spec.rb
|
|
245
|
+
- spec/puppet-lint/plugins/check_hard_coded_key_spec.rb
|
|
246
|
+
- spec/puppet-lint/plugins/check_hard_coded_password_spec.rb
|
|
241
247
|
- spec/puppet-lint/plugins/check_hard_coded_secret_spec.rb
|
|
248
|
+
- spec/puppet-lint/plugins/check_hard_coded_username_spec.rb
|
|
242
249
|
- spec/puppet-lint/plugins/check_invalid_ip_addr_binding_spec.rb
|
|
243
250
|
- spec/puppet-lint/plugins/check_malicious_dependency_spec.rb
|
|
244
251
|
- spec/puppet-lint/plugins/check_suspicious_comment_spec.rb
|
|
@@ -274,7 +281,10 @@ test_files:
|
|
|
274
281
|
- spec/puppet-lint/plugins/check_admin_by_default_spec.rb
|
|
275
282
|
- spec/puppet-lint/plugins/check_cyrillic_homograph_attack_spec.rb
|
|
276
283
|
- spec/puppet-lint/plugins/check_empty_password_spec.rb
|
|
284
|
+
- spec/puppet-lint/plugins/check_hard_coded_key_spec.rb
|
|
285
|
+
- spec/puppet-lint/plugins/check_hard_coded_password_spec.rb
|
|
277
286
|
- spec/puppet-lint/plugins/check_hard_coded_secret_spec.rb
|
|
287
|
+
- spec/puppet-lint/plugins/check_hard_coded_username_spec.rb
|
|
278
288
|
- spec/puppet-lint/plugins/check_invalid_ip_addr_binding_spec.rb
|
|
279
289
|
- spec/puppet-lint/plugins/check_malicious_dependency_spec.rb
|
|
280
290
|
- spec/puppet-lint/plugins/check_suspicious_comment_spec.rb
|