puppet-sec-lint 0.1.2 → 0.5.0

data/docs/_config.yml

@@ -0,0 +1,41 @@
+# Welcome to Jekyll!
+#
+# This config file is meant for settings that affect your whole blog, values
+# which you are expected to set up once and rarely edit after that. If you find
+# yourself editing this file very often, consider using Jekyll's data files
+# feature for the data you need to update frequently.
+#
+# For technical reasons, this file is *NOT* reloaded automatically when you use
+# 'bundle exec jekyll serve'. If you change this file, please restart the server process.
+
+# Site settings
+# These are used to personalize your new site. If you look in the HTML files,
+# you will see them accessed via {{ site.title }}, {{ site.email }}, and so on.
+# You can create any custom variable you would like, and they will be accessible
+# in the templates via {{ site.myvariable }}.
+title: Puppet Securtiy Linter
+email: tiago7b27@gmail.com
+description: >- # this means to ignore newlines until "baseurl:"
+  Scurity focused linter to detect and help solve vulnearbilities found on Puppet Infrastructure-as-code scripts
+baseurl: "" # the subpath of your site, e.g. /blog
+url: "" # the base hostname & protocol for your site, e.g. http://example.com
+twitter_username: jekyllrb
+github_username:  jekyll
+
+# Build settings
+markdown: kramdown
+theme: jekyll-theme-hacker
+plugins:
+  - jekyll-feed
+
+# Exclude from processing.
+# The following items will not be processed, by default. Create a custom list
+# to override the default setting.
+# exclude:
+#   - Gemfile
+#   - Gemfile.lock
+#   - node_modules
+#   - vendor/bundle/
+#   - vendor/cache/
+#   - vendor/gems/
+#   - vendor/ruby/

data/docs/_posts/2021-05-03-welcome-to-jekyll.markdown

@@ -0,0 +1,25 @@
+---
+layout: post
+title:  "Welcome to Jekyll!"
+date:   2021-05-03 21:09:12 +0100
+categories: jekyll update
+---
+You’ll find this post in your `_posts` directory. Go ahead and edit it and re-build the site to see your changes. You can rebuild the site in many different ways, but the most common way is to run `jekyll serve`, which launches a web server and auto-regenerates your site when a file is updated.
+
+To add new posts, simply add a file in the `_posts` directory that follows the convention `YYYY-MM-DD-name-of-post.ext` and includes the necessary front matter. Take a look at the source for this post to get an idea about how it works.
+
+Jekyll also offers powerful support for code snippets:
+
+{% highlight ruby %}
+def print_hi(name)
+  puts "Hi, #{name}"
+end
+print_hi('Tom')
+#=> prints 'Hi, Tom' to STDOUT.
+{% endhighlight %}
+
+Check out the [Jekyll docs][jekyll-docs] for more info on how to get the most out of Jekyll. File all bugs/feature requests at [Jekyll’s GitHub repo][jekyll-gh]. If you have questions, you can ask them on [Jekyll Talk][jekyll-talk].
+
+[jekyll-docs]: https://jekyllrb.com/docs/home
+[jekyll-gh]:   https://github.com/jekyll/jekyll
+[jekyll-talk]: https://talk.jekyllrb.com/

data/docs/_site/404.html

@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<html lang="en-US">
+  <head>
+    <meta charset='utf-8'>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <link rel="stylesheet" href="/assets/css/style.css?v=451ab93a01ea7ba9ec933d2a6c0ad3f1555b70e0">
+
+<!-- Begin Jekyll SEO tag v2.7.1 -->
+<title>Puppet Securtiy Linter | Scurity focused linter to detect and help solve vulnearbilities found on Puppet Infrastructure-as-code scripts</title>
+<meta name="generator" content="Jekyll v3.9.0" />
+<meta property="og:title" content="Puppet Securtiy Linter" />
+<meta property="og:locale" content="en_US" />
+<meta name="description" content="Scurity focused linter to detect and help solve vulnearbilities found on Puppet Infrastructure-as-code scripts" />
+<meta property="og:description" content="Scurity focused linter to detect and help solve vulnearbilities found on Puppet Infrastructure-as-code scripts" />
+<link rel="canonical" href="http://localhost:4000/404.html" />
+<meta property="og:url" content="http://localhost:4000/404.html" />
+<meta property="og:site_name" content="Puppet Securtiy Linter" />
+<meta name="twitter:card" content="summary" />
+<meta property="twitter:title" content="Puppet Securtiy Linter" />
+<script type="application/ld+json">
+{"@type":"WebPage","headline":"Puppet Securtiy Linter","description":"Scurity focused linter to detect and help solve vulnearbilities found on Puppet Infrastructure-as-code scripts","url":"http://localhost:4000/404.html","@context":"https://schema.org"}</script>
+<!-- End Jekyll SEO tag -->
+
+  </head>
+
+  <body>
+
+    <header>
+      <div class="container">
+        <a id="a-title" href="/">
+          <h1>Puppet Securtiy Linter</h1>
+        </a>
+        <h2>Scurity focused linter to detect and help solve vulnearbilities found on Puppet Infrastructure-as-code scripts</h2>
+
+        <section id="downloads">
+          
+          <a href="https://github.com/TiagoR98/puppet-sec-lint" class="btn btn-github"><span class="icon"></span>View on GitHub</a>
+        </section>
+      </div>
+    </header>
+
+    <div class="container">
+      <section id="main_content">
+        <style type="text/css" media="screen">
+  .container {
+    margin: 10px auto;
+    max-width: 600px;
+    text-align: center;
+  }
+  h1 {
+    margin: 30px 0;
+    font-size: 4em;
+    line-height: 1;
+    letter-spacing: -1px;
+  }
+</style>
+
+<div class="container">
+  <h1>404</h1>
+
+  <p><strong>Page not found :(</strong></p>
+  <p>The requested page could not be found.</p>
+</div>
+
+      </section>
+    </div>
+
+    
+  </body>
+</html>

data/docs/_site/feed.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.9.0">Jekyll</generator><link href="http://localhost:4000/feed.xml" rel="self" type="application/atom+xml" /><link href="http://localhost:4000/" rel="alternate" type="text/html" /><updated>2021-05-03T22:26:18+01:00</updated><id>http://localhost:4000/feed.xml</id><title type="html">Puppet Securtiy Linter</title><subtitle>Scurity focused linter to detect and help solve vulnearbilities found on Puppet Infrastructure-as-code scripts</subtitle><entry><title type="html">Welcome to Jekyll!</title><link href="http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll.html" rel="alternate" type="text/html" title="Welcome to Jekyll!" /><published>2021-05-03T21:09:12+01:00</published><updated>2021-05-03T21:09:12+01:00</updated><id>http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll</id><content type="html" xml:base="http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll.html">&lt;p&gt;You’ll find this post in your &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;_posts&lt;/code&gt; directory. Go ahead and edit it and re-build the site to see your changes. You can rebuild the site in many different ways, but the most common way is to run &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;jekyll serve&lt;/code&gt;, which launches a web server and auto-regenerates your site when a file is updated.&lt;/p&gt;
+
+&lt;p&gt;To add new posts, simply add a file in the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;_posts&lt;/code&gt; directory that follows the convention &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;YYYY-MM-DD-name-of-post.ext&lt;/code&gt; and includes the necessary front matter. Take a look at the source for this post to get an idea about how it works.&lt;/p&gt;
+
+&lt;p&gt;Jekyll also offers powerful support for code snippets:&lt;/p&gt;
+
+&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-ruby&quot; data-lang=&quot;ruby&quot;&gt;&lt;span class=&quot;k&quot;&gt;def&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;print_hi&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;name&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
+  &lt;span class=&quot;nb&quot;&gt;puts&lt;/span&gt; &lt;span class=&quot;s2&quot;&gt;&quot;Hi, &lt;/span&gt;&lt;span class=&quot;si&quot;&gt;#{&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;name&lt;/span&gt;&lt;span class=&quot;si&quot;&gt;}&lt;/span&gt;&lt;span class=&quot;s2&quot;&gt;&quot;&lt;/span&gt;
+&lt;span class=&quot;k&quot;&gt;end&lt;/span&gt;
+&lt;span class=&quot;n&quot;&gt;print_hi&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s1&quot;&gt;'Tom'&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
+&lt;span class=&quot;c1&quot;&gt;#=&amp;gt; prints 'Hi, Tom' to STDOUT.&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;
+
+&lt;p&gt;Check out the &lt;a href=&quot;https://jekyllrb.com/docs/home&quot;&gt;Jekyll docs&lt;/a&gt; for more info on how to get the most out of Jekyll. File all bugs/feature requests at &lt;a href=&quot;https://github.com/jekyll/jekyll&quot;&gt;Jekyll’s GitHub repo&lt;/a&gt;. If you have questions, you can ask them on &lt;a href=&quot;https://talk.jekyllrb.com/&quot;&gt;Jekyll Talk&lt;/a&gt;.&lt;/p&gt;</content><author><name></name></author><category term="jekyll" /><category term="update" /><summary type="html">You’ll find this post in your _posts directory. Go ahead and edit it and re-build the site to see your changes. You can rebuild the site in many different ways, but the most common way is to run jekyll serve, which launches a web server and auto-regenerates your site when a file is updated.</summary></entry></feed>

data/docs/_site/index.html

@@ -0,0 +1 @@
+

data/docs/_site/jekyll/update/2021/05/03/welcome-to-jekyll.html

@@ -0,0 +1,77 @@
+<!DOCTYPE html>
+<html lang="en-US">
+  <head>
+    <meta charset='utf-8'>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <link rel="stylesheet" href="/assets/css/style.css?v=451ab93a01ea7ba9ec933d2a6c0ad3f1555b70e0">
+
+<!-- Begin Jekyll SEO tag v2.7.1 -->
+<title>Welcome to Jekyll! | Puppet Securtiy Linter</title>
+<meta name="generator" content="Jekyll v3.9.0" />
+<meta property="og:title" content="Welcome to Jekyll!" />
+<meta property="og:locale" content="en_US" />
+<meta name="description" content="You’ll find this post in your _posts directory. Go ahead and edit it and re-build the site to see your changes. You can rebuild the site in many different ways, but the most common way is to run jekyll serve, which launches a web server and auto-regenerates your site when a file is updated." />
+<meta property="og:description" content="You’ll find this post in your _posts directory. Go ahead and edit it and re-build the site to see your changes. You can rebuild the site in many different ways, but the most common way is to run jekyll serve, which launches a web server and auto-regenerates your site when a file is updated." />
+<link rel="canonical" href="http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll.html" />
+<meta property="og:url" content="http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll.html" />
+<meta property="og:site_name" content="Puppet Securtiy Linter" />
+<meta property="og:type" content="article" />
+<meta property="article:published_time" content="2021-05-03T21:09:12+01:00" />
+<meta name="twitter:card" content="summary" />
+<meta property="twitter:title" content="Welcome to Jekyll!" />
+<script type="application/ld+json">
+{"@type":"BlogPosting","mainEntityOfPage":{"@type":"WebPage","@id":"http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll.html"},"headline":"Welcome to Jekyll!","dateModified":"2021-05-03T21:09:12+01:00","datePublished":"2021-05-03T21:09:12+01:00","description":"You’ll find this post in your _posts directory. Go ahead and edit it and re-build the site to see your changes. You can rebuild the site in many different ways, but the most common way is to run jekyll serve, which launches a web server and auto-regenerates your site when a file is updated.","url":"http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll.html","@context":"https://schema.org"}</script>
+<!-- End Jekyll SEO tag -->
+
+  </head>
+
+  <body>
+
+    <header>
+      <div class="container">
+        <a id="a-title" href="/">
+          <h1>Puppet Securtiy Linter</h1>
+        </a>
+        <h2>Scurity focused linter to detect and help solve vulnearbilities found on Puppet Infrastructure-as-code scripts</h2>
+
+        <section id="downloads">
+          
+          <a href="https://github.com/TiagoR98/puppet-sec-lint" class="btn btn-github"><span class="icon"></span>View on GitHub</a>
+        </section>
+      </div>
+    </header>
+
+    <div class="container">
+      <section id="main_content">
+        <small>3 May 2021</small>
+<h1>Welcome to Jekyll!</h1>
+
+<p class="view">by </p>
+
+<p>You’ll find this post in your <code class="language-plaintext highlighter-rouge">_posts</code> directory. Go ahead and edit it and re-build the site to see your changes. You can rebuild the site in many different ways, but the most common way is to run <code class="language-plaintext highlighter-rouge">jekyll serve</code>, which launches a web server and auto-regenerates your site when a file is updated.</p>
+
+<p>To add new posts, simply add a file in the <code class="language-plaintext highlighter-rouge">_posts</code> directory that follows the convention <code class="language-plaintext highlighter-rouge">YYYY-MM-DD-name-of-post.ext</code> and includes the necessary front matter. Take a look at the source for this post to get an idea about how it works.</p>
+
+<p>Jekyll also offers powerful support for code snippets:</p>
+
+<figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span class="k">def</span> <span class="nf">print_hi</span><span class="p">(</span><span class="nb">name</span><span class="p">)</span>
+  <span class="nb">puts</span> <span class="s2">"Hi, </span><span class="si">#{</span><span class="nb">name</span><span class="si">}</span><span class="s2">"</span>
+<span class="k">end</span>
+<span class="n">print_hi</span><span class="p">(</span><span class="s1">'Tom'</span><span class="p">)</span>
+<span class="c1">#=&gt; prints 'Hi, Tom' to STDOUT.</span></code></pre></figure>
+
+<p>Check out the <a href="https://jekyllrb.com/docs/home">Jekyll docs</a> for more info on how to get the most out of Jekyll. File all bugs/feature requests at <a href="https://github.com/jekyll/jekyll">Jekyll’s GitHub repo</a>. If you have questions, you can ask them on <a href="https://talk.jekyllrb.com/">Jekyll Talk</a>.</p>
+
+
+
+
+  <small>tags: <em></em></small>
+
+
+      </section>
+    </div>
+
+    
+  </body>
+</html>

data/docs/hard-coded-credentials.md

@@ -0,0 +1,17 @@
+---
+title: Hard Coded Credentials
+permalink: /hard-coded-credentials/
+---
+
+# Hard Coded Credentials
+
+Writing sensitive credentials on puppet scripts  can expose them to malicious actors who can obtain access to these files.
+
+## Example
+
+```puppet
+class example::service (
+    $username = "user1",
+    $passsword = "amind1234"
+  ) 
+```

data/docs/index.md

@@ -0,0 +1,6 @@
+---
+# Feel free to add content and custom Front Matter to this file.
+# To modify the layout, see https://jekyllrb.com/docs/themes/#overriding-theme-defaults
+
+layout: home
+---

data/exe/puppet-sec-lint

@@ -2,34 +2,88 @@
 
 require_relative '../lib/rule_engine'
 require 'json'
+require 'launchy'
 require 'optparse'
 require 'optparse/uri'
+require_relative '../lib/puppet-sec-lint/version'
 require_relative '../lib/visitors/configuration_visitor'
 require_relative '../lib/facades/configuration_file_facade'
 
+conf_page_url = "http://localhost:9292/configuration"
+
 options = {}
+@success = true
+
+def analyze_file(file_path)
+  File.open(file_path, 'rb:UTF-8') do |f|
+    puts "Analyzing the file #{File.basename(file_path)}...\n\n"
+
+    code = f.read
+    result = RuleEngine.analyzeDocument(code)
+
+    result.each do |sin|
+      puts sin.ToString
+      @success = false
+    end
+
+    puts "\nFound #{result.length} vulnerabilities in the puppet code.\n"
+  end
+end
+
 OptionParser.new do |opts|
-  opts.banner = "Usage: puppet-sec-lint [options]"
+  opts.banner = "Usage: puppet-sec-lint [file or directory] [options]"
 
-  opts.on("-f", "--file FILE",URI, "Path of puppet file to be analyzed") do |file|
-    options[:file] = file
+  opts.on("-c", "--configurations", "Open the linter rules configurations page on a browser") do |v|
+    options[:configurations] = v
   end
 end.parse!
 
-if options[:file].nil?
-  require_relative '../lib/language_server'
-  exit
-end
+puts '___  _  _ ___  ___  ____ ___    ____ ____ ____ _  _ ____ _ ___ _   _    _    _ _  _ ___ ____ ____ '
+puts '|__] |  | |__] |__] |___  |     [__  |___ |    |  | |__/ |  |   \_/     |    | |\ |  |  |___ |__/ '
+puts '|    |__| |    |    |___  |     ___] |___ |___ |__| |  \ |  |    |      |___ | | \|  |  |___ |  \ '
+
+puts "\n"
 
-ConfigurationVisitor.GenerateIDs
-ConfigurationFileFacade.LoadConfigurations
+puts "Release v#{PuppetSecLint::VERSION}       #{PuppetSecLint::AUTHOR}      #{PuppetSecLint::YEAR}"
 
-File.open(options[:file].to_s, 'rb:UTF-8') do |f|
-  code = f.read
+puts "\n"
 
-  result = RuleEngine.analyzeDocument(code)
+if not ARGV[0].nil?
+  if File.file?(ARGV[0].to_s) && File.extname(ARGV[0].to_s) == '.pp'
+    analyze_file(ARGV[0].to_s)
+  elsif File.directory?(ARGV[0].to_s)
+    Dir.chdir(ARGV[0].to_s)
+    files = Dir.glob("**/*.pp").map {|f| File.join(Dir.pwd,f) }
 
-  result.each do |sin|
-    puts sin.ToString
+    files.each do |file_path|
+      analyze_file(file_path)
+      puts "\n"
+    end
+  else
+    raise "#{ARGV[0].to_s} is neither a valid directory or puppet file"
   end
-end
+end
+
+if ARGV[0].nil? || options[:configurations]
+  linter_server = Thread.new {
+  require_relative '../lib/servers/linter_server'
+  }
+  language_server = Thread.new {
+    require_relative '../lib/servers/language_server'
+    LanguageServer.start
+    }
+
+  if options[:configurations]
+    puts "\nLaunching configurations page at #{conf_page_url}...\n\n"
+    Launchy.open(conf_page_url)
+  else
+    puts "\nLinter configurations page available at #{conf_page_url}\n\n"
+  end
+
+  linter_server.join
+  language_server.exit
+end
+
+exit(@success)
+
+

data/lib/configurations/configuration.rb

@@ -15,5 +15,6 @@ DisplayField = {
   TextBox: "textbox",
   CheckBox: "checkbox",
   NumericBox: "numericbox",
-  SelectBox: "selectbox"
+  SelectBox: "selectbox",
+  RegexBox: "regexbox"
 }

data/lib/configurations/regex_configuration.rb

@@ -0,0 +1,9 @@
+require_relative 'configuration'
+
+class RegexConfiguration < Configuration
+
+  def initialize(name, value, description)
+    super
+    @displayfield=DisplayField[:RegexBox]
+  end
+end

data/lib/facades/configuration_file_facade.rb

@@ -13,7 +13,7 @@ class ConfigurationFileFacade
         when DisplayField[:SelectBox]
           ini[rule][configuration.id] = configuration.value.join(',')
         else
-          ini[rule][configuration.id] = configuration.value
+          ini[rule][configuration.id] = configuration.value.to_s
         end
       end
     end
@@ -32,6 +32,8 @@ class ConfigurationFileFacade
           case configuration.displayfield
           when DisplayField[:SelectBox]
             configuration.value = ini[rule][configuration.id].split(',')
+          when DisplayField[:RegexBox]
+            configuration.value = Regexp.new ini[rule][configuration.id]
           else
             configuration.value = ini[rule][configuration.id]
           end

data/lib/facades/configuration_page_facade.rb

@@ -50,6 +50,8 @@ class ConfigurationPageFacade
         return_value+="#{option}\n"
       end
       return_value += "</textarea>"
+    when DisplayField[:TextBox], DisplayField[:RegexBox]
+      return_value += "<input type=\"text\" id=\"#{configuration.id}\" name=\"#{configuration.id}\" value=\"#{configuration.value.to_s}\" size=\"#{configuration.value.to_s.length()}\"><br>\n"
     end
 
     return_value += "<p style=\"color:gray\">#{configuration.description}</p>\n<br>\n"
@@ -71,6 +73,10 @@ class ConfigurationPageFacade
 
         when DisplayField[:SelectBox]
           configuration.value = new_conf[configuration.id].split(/\r?\n/).delete_if(&:empty?)
+
+        when DisplayField[:RegexBox]
+          configuration.value = Regexp.new new_conf[configuration.id]
+
         else
           configuration.value = new_conf[configuration.id]
         end

data/lib/lol.pp

@@ -8,17 +8,17 @@
 # the following code addresses the bug: https://bugs.launchpad.net/keystone/+bug/1472285 .
 
 class consul_template::service (
-    $rpc_password                   = '{6ad470ec62b0511b63340dca2950d750181598efnHKvN1ge',
-    $admin_username = 'admin',
-    $password       = 'ceilometer',
-    $admin_password = 'admin',
+    $pass                   = lols(3),
+    $aijoijooiumihhn_password = 'pe-puppet'
+    $admin       = 'ceisssesrelometer',
+    $aijoijooiumihhn_password = '(adiyu(guygmin',
   ) {
   exec { 'network-restart':
     command        => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM release-runner key',
     path           => '/usr/bin:/usr/sbin:/bin:/sbin',
     refreshonly    => true,
     vmware_md5     => 'LOL',
-    autho          => 'MD5',
+    autho          => 'MDi09i09i5',
     cmd            => 'virsh secret-define --file ${secret_xml} && virsh secret-set-value --secret ${rbd_secret_uuid} --base64 $(ceph auth get-key client.${user})',
     $auth_uri      => 'http://127.0.0.1:5000',
     'bind_address' => '0.0.0.0',
@@ -80,4 +80,4 @@ UcXHbA==
     replace => true,
     require => File['/var/lib/gerrit/.ssh']
   }
-}
+}