puppet-sec-lint 0.1.2 → 0.5.0

data/lib/puppet-sec-lint/version.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
 module PuppetSecLint
-  VERSION = "0.1.2"
+  VERSION = "0.5.0"
+  YEAR = "2021"
+  AUTHOR = "Tiago Ribeiro"
 end

data/lib/rule_engine.rb

@@ -2,18 +2,30 @@ require 'puppet-lint'
 require_relative 'rules/rule'
 require_relative 'rules/hard_coded_credentials_rule'
 require_relative 'rules/no_http_rule'
+require_relative 'rules/admin_by_default_rule'
+require_relative 'rules/empty_password_rule'
+require_relative 'rules/invalid_ip_addr_binding_rule'
+require_relative 'rules/suspicious_comment_rule'
+require_relative 'rules/use_weak_crypto_algorithms_rule'
+require_relative 'rules/cyrillic_homograph_attack'
 
 
 class RuleEngine
-  @rules=[HardCodedCredentialsRule,NoHTTPRule]
+  @rules=[HardCodedCredentialsRule,NoHTTPRule,AdminByDefaultRule,EmptyPasswordRule,InvalidIPAddrBindingRule,UseWeakCryptoAlgorithmsRule,SuspiciousCommentRule,CyrillicHomographAttack]
 
   class << self
     attr_accessor :rules
   end
 
   def self.getTokens(code)
-    lexer = PuppetLint::Lexer.new
-    tokens = lexer.tokenise(code)
+    begin
+      lexer = PuppetLint::Lexer.new
+      tokens = lexer.tokenise(code)
+    rescue
+      puts "Error in getting tokens from Puppet-Lint"
+      tokens = []
+    end
+
     return tokens
   end
 

data/lib/rules/admin_by_default_rule.rb

@@ -0,0 +1,33 @@
+require_relative '../configurations/list_configuration'
+
+class AdminByDefaultRule < Rule
+  @name = "Admin by default"
+
+  @credentials = /user|usr|pass(word|_|$)|pwd/
+
+  @credentials_conf = RegexConfiguration.new("Regular expression of words present in credentials", @credentials, "Regular expression of words that if present indicate the existence of a secret.")
+
+  @configurations+=[@credentials_conf]
+
+  def self.AnalyzeTokens(tokens)
+    result = []
+
+    ftokens = self.get_tokens(tokens,'admin')
+    ftokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      if ["EQUALS", "FARROW"].include? token.prev_code_token.type.to_s
+        prev_token = token.prev_code_token
+        left_side = prev_token.prev_code_token
+        if left_side.value.downcase =~ @credentials_conf.value and ["VARIABLE", "NAME"].include? left_side.type.to_s
+          if token_value == 'admin'
+            result.append(Sin.new(SinType::AdminByDefault, left_side.line, left_side.column, token.line, token.column+token_value.length))
+          end
+        end
+      end
+    end
+
+    return result
+  end
+
+end

data/lib/rules/cyrillic_homograph_attack.rb

@@ -0,0 +1,27 @@
+require_relative '../configurations/list_configuration'
+
+class CyrillicHomographAttack < Rule
+  @name = "Cyrillic Homograph attack"
+
+  @site_w_cyrillic = /^(http(s)?:\/\/)?.*\p{Cyrillic}+/
+
+  @site_w_cyrillic_conf = RegexConfiguration.new("Regular expression of links with Cyrillic characters", @site_w_cyrillic, "Regular expression of website links that have Cyrillic characters.")
+
+  @configurations+=[@site_w_cyrillic_conf]
+
+  def self.AnalyzeTokens(tokens)
+    result = []
+
+    ftokens = self.filter_tokens(tokens)
+    tokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      if ["STRING", "SSTRING"].include? token_type and token_value =~ @site_w_cyrillic_conf.value
+        result.append(Sin.new(SinType::CyrillicHomographAttack, token.line, token.column, token.line, token.column+token_value.length))
+      end
+    end
+
+    return result
+  end
+
+end

data/lib/rules/empty_password_rule.rb

@@ -0,0 +1,35 @@
+require_relative '../configurations/list_configuration'
+
+class EmptyPasswordRule < Rule
+  @default_trigger_words = %w[pwd password pass]
+  @password = /pass(word|_|$)|pwd/
+
+  @trigger_words_conf = ListConfiguration.new("List of trigger words", @default_trigger_words, "List of words that identify a password variable")
+  @password_conf = RegexConfiguration.new("Regular expression of password name", @password, "Regular expression of names used for password variables.")
+
+  @configurations+=[@trigger_words_conf, @password_conf]
+
+  @name = "Check empty password"
+
+  def self.AnalyzeTokens(tokens)
+    result = []
+
+    ftokens = self.get_string_tokens(tokens,'')
+    ftokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      if ["EQUALS", "FARROW"].include? token.prev_code_token.type.to_s
+        prev_token = token.prev_code_token
+        left_side = prev_token.prev_code_token
+        if left_side.value.downcase =~ @password_conf.value and ["VARIABLE", "NAME"].include? left_side.type.to_s
+          if token_value == ''
+            result.append(Sin.new(SinType::EmptyPassword, prev_token.line, prev_token.column, token.line, token.column+token_value.length))
+          end
+        end
+      end
+    end
+
+    return result
+  end
+
+end

data/lib/rules/hard_coded_credentials_rule.rb

@@ -1,40 +1,34 @@
 require_relative '../configurations/list_configuration'
+require_relative '../configurations/regex_configuration'
 
 class HardCodedCredentialsRule < Rule
-  @default_trigger_words = %w[pwd password pass uuid key crypt secret certificate id cert token ssh_key md5 rsa ssl]
-  @trigger_words_conf = ListConfiguration.new("List of trigger words", @default_trigger_words, "List of words that identify a variable with credentials")
-  @test_conf = BooleanConfiguration.new("Test configuration", true, "This is just a test configuration")
+  @not_considered_creds = %w[pe-puppet pe-webserver pe-puppetdb pe-postgres pe-console-services pe-orchestration-services pe-ace-server pe-bolt-server]
+  @invalid_values = %w[undefined unset www-data wwwrun www no yes [] root]
+  @secrets = /user|usr|pass(word|_|$)|pwd|key|secret/
+  @non_secrets = /gpg|path|type|buff|zone|mode|tag|header|scheme|length|guid/
+
+  @not_considered_creds_conf = ListConfiguration.new("List of known words not considered in credentials", @not_considered_creds, "List of words not considered secrets by the community  (https://puppet.com/docs/pe/2019.8/what_gets_installed_and_where.html#user_and_group_accounts_installed)")
+  @invalid_values_conf = ListConfiguration.new("List of invalid values in credentials", @invalid_values, "List of words that are not valid in a credential, advised by puppet specialists.")
+  @secrets_conf = RegexConfiguration.new("Regular expression of words present in credentials", @secrets, "Regular expression of words that if present indicate the existence of a secret.")
+  @non_secrets_conf = RegexConfiguration.new("Regular expression of words not present in credentials", @non_secrets, "Regular expression of words that if present discard the existence of a secret.")
 
   @name = "Hard Coded Credentials"
-  @configurations+=[@trigger_words_conf,@test_conf]
+  @configurations+=[@not_considered_creds_conf, @invalid_values_conf, @secrets_conf, @non_secrets_conf]
 
   def self.AnalyzeTokens(tokens)
     result = []
 
-    tokens.each do |indi_token|
-      nxt_token     = indi_token.next_code_token # next token which is not a white space
-      if (!nxt_token.nil?) && (!indi_token.nil?)
-        token_type   = indi_token.type.to_s ### this gives type for current token
-
-        token_line   = indi_token.line ### this gives type for current token
-        nxt_tok_line = nxt_token.line
-
-        nxt_nxt_token =  nxt_token.next_code_token # get the next next token to get key value pair
-
-        if  (!nxt_nxt_token.nil?)
-          nxt_nxt_line = nxt_nxt_token.line
-          if (token_type.eql? 'NAME') || (token_type.eql? 'VARIABLE')
-            # puts "Token type: #{token_type}"
-            if (token_line==nxt_nxt_line)
-              token_valu   = indi_token.value.downcase
-              nxt_nxt_val  = nxt_nxt_token.value.downcase
-              nxt_nxt_type = nxt_nxt_token.type.to_s  ## to handle false positives,
-
-              if (self.TriggerWordInString(token_valu)) && ((nxt_nxt_val.length > 0)) && ((!nxt_nxt_type.eql? 'VARIABLE') && (!token_valu.include? "("))
-                result.append(Sin.new(SinType::HardCodedCred, indi_token.line, indi_token.column, nxt_nxt_token.line, nxt_nxt_token.column+nxt_nxt_token.value.length))
-              end
-            end
-          end
+    ftokens = self.filter_tokens(tokens)
+    ftokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      next_token = token.next_code_token
+      # accepts <VARIABLE> <EQUALS> secret OR <NAME> <FARROW> secret, checks if <VARIABLE> | <NAME> satisfy SECRETS but not satisfy NON_SECRETS
+      if ["VARIABLE", "NAME"].include? token_type and ["EQUALS", "FARROW"].include? next_token.type.to_s and token_value =~ @secrets_conf.value and !(token_value =~ @non_secrets_conf.value)
+        right_side_type = next_token.next_code_token.type.to_s
+        right_side_value = next_token.next_code_token.value.downcase
+        if ["STRING", "SSTRING"].include? right_side_type and right_side_value.length > 1 and !@invalid_values_conf.value.include? right_side_value and !(right_side_value =~ /::|\/|\.|\\/ ) and !@not_considered_creds_conf.value.include? right_side_value
+          result.append(Sin.new(SinType::HardCodedCred, token.line, token.column, next_token.next_code_token.line, next_token.next_code_token.column+right_side_value.length))
         end
       end
     end
@@ -42,7 +36,4 @@ class HardCodedCredentialsRule < Rule
     return result
   end
 
-  def self.TriggerWordInString(string)
-    return @trigger_words_conf.value.any? { |word| string.include?(word) }
-  end
 end

data/lib/rules/invalid_ip_addr_binding_rule.rb

@@ -0,0 +1,37 @@
+require_relative '../configurations/list_configuration'
+
+class InvalidIPAddrBindingRule < Rule
+  @name = "Invalid IP Address Binding"
+
+  @ip_addr_bin_regex = /^((http(s)?:\/\/)?0.0.0.0(:\d{1,5})?)$/
+
+  @ip_addr_bin_regex_conf = RegexConfiguration.new("Regular expression of an invalid IP address", @ip_addr_bin_regex, "Regular expression of an IP address considered invalid or insecure to use.")
+
+  @configurations+=[@ip_addr_bin_regex_conf]
+
+  def self.AnalyzeTokens(tokens)
+    result = []
+
+    ftokens = get_tokens(tokens,"0.0.0.0")
+    ftokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      if ["EQUALS", "FARROW"].include? token.prev_code_token.type.to_s
+        prev_token = token.prev_code_token
+        left_side = prev_token.prev_code_token
+        if token_value =~ @ip_addr_bin_regex_conf.value and ["VARIABLE", "NAME"].include? left_side.type.to_s
+          result.append(Sin.new(SinType::InvalidIPAddrBinding, left_side.line, left_side.column, token.line, token.column+token_value.length))
+        end
+      end
+    end
+
+    return result
+  end
+
+  def self.filter_tokens_per_value(tokens, token)
+    ftokens=tokens.find_all do |hash|
+      (hash.type.to_s == 'SSTRING' || hash.type.to_s == 'STRING') and hash.value.downcase.include? token
+    end
+    return ftokens
+  end
+end

data/lib/rules/no_http_rule.rb

@@ -1,19 +1,36 @@
 require_relative '../configurations/list_configuration'
-require_relative '../sin'
-require_relative '../sin_type'
+require_relative '../sin/sin'
+require_relative '../sin/sin_type'
 
 class NoHTTPRule < Rule
-  @name="No HTTP Connections"
+  @name="No HTTPS Connections"
+
+  @resources = %w[apt::source ::apt::source wget::fetch yumrepo yum:: aptly::mirror util::system_package yum::managed_yumrepo]
+  @keywords = %w[backport key download uri mirror]
+  @http = /^http:\/\/.+/
+  @whitelist = [] # Todo:Need to check how is this set up
+
+  @resources_conf = ListConfiguration.new("List of resources that can use HTTP", @resources, "List of resources that are known to not use HTTPS but that validate the transferred content with other secure methods.")
+  @keywords_conf = ListConfiguration.new("List of keywords for URLs", @keywords, "List of keywords that identify hyperlinks that should be analyzed.")
+  @http_conf = RegexConfiguration.new("Regular expression of a normal HTTP address", @http, "Regular expression that identifies the URL of a website using the regular non-secure HTTP protocol.")
+
+  @configurations+=[@resources_conf, @keywords_conf, @http_conf]
 
   def self.AnalyzeTokens(tokens)
     result = []
 
-    tokens.each do |indi_token|
-      token_valu = indi_token.value ### this gives each token
-      token_valu = token_valu.downcase
-      token_type = indi_token.type.to_s
-      if (token_valu.include? "http://" ) && (!token_type.eql? "COMMENT")
-        result.append(Sin.new(SinType::HttpWithoutTLS, indi_token.line, indi_token.column, indi_token.line, indi_token.column+indi_token.value.length))
+    ptokens = self.filter_resources(tokens, @resources_conf.value)
+    ctokens = self.filter_variables(ptokens, @keywords_conf.value)
+    if @whitelist
+      wtokens = self.filter_whitelist(ctokens)
+    else
+      wtokens = ptokens
+    end
+    wtokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      if (token_value =~ @http_conf.value)
+        result.append(Sin.new(SinType::HttpWithoutTLS, token.line, token.column, token.line, token.column+token_value.length))
       end
     end
 

data/lib/rules/rule.rb

@@ -14,4 +14,76 @@ class Rule
     puts "Implement this"
     return
   end
+
+  def self.get_tokens(tokens, token)
+    ftokens=tokens.find_all do |hash|
+      (hash.type.to_s == 'NAME' || hash.type.to_s == 'VARIABLE' || hash.type.to_s == 'SSTRING' || hash.type.to_s == 'STRING') and hash.value.downcase.include? token
+    end
+    return ftokens
+  end
+
+  def self.filter_tokens(tokens)
+    ftokens=tokens.find_all do |hash|
+      (hash.type.to_s == 'SSTRING' || hash.type.to_s == 'STRING' || hash.type.to_s == 'VARIABLE' || hash.type.to_s == 'NAME')
+    end
+    return ftokens
+  end
+
+  def self.filter_resources(tokens, resources)
+    is_resource = false
+    brackets = 0
+    ftokens=tokens.find_all do |hash|
+
+      if resources.include? hash.value.downcase
+        is_resource = true
+      elsif is_resource and hash.type.to_s == "LBRACE"
+        brackets += 1
+      elsif is_resource and hash.type.to_s == "RBRACE"
+        brackets -=1
+      end
+
+      if is_resource and hash.type.to_s == "RBRACE" and brackets == 0
+        is_resource = false
+      end
+
+      if !is_resource
+        (hash.type.to_s == 'NAME' || hash.type.to_s == 'VARIABLE' || hash.type.to_s == 'SSTRING' || hash.type.to_s == 'STRING')
+      end
+    end
+    return ftokens
+  end
+
+  def self.get_string_tokens(tokens, token)
+    ftokens=tokens.find_all do |hash|
+      (hash.type.to_s == 'SSTRING' || hash.type.to_s == 'STRING') and hash.value.downcase.include? token
+    end
+    return ftokens
+  end
+
+  def self.get_comments(tokens)
+    ftokens=tokens.find_all do |hash|
+      (hash.type.to_s == 'COMMENT' || hash.type.to_s == 'MLCOMMENT' || hash.type.to_s == 'SLASH_COMMENT')
+    end
+    return ftokens
+  end
+
+  def self.filter_whitelist(tokens)
+    ftokens=tokens.find_all do |hash|
+      #!(@whitelist =~ hash.value.downcase)
+      true # TODO: Understand the whitelist
+    end
+    return ftokens
+  end
+
+  def self.filter_variables(tokens, keywords)
+    line = -1
+    kw_regex = Regexp.new keywords.join("|")
+    ftokens=tokens.find_all do |hash|
+      if (hash.type.to_s == 'VARIABLE' || hash.type.to_s == 'NAME') and hash.value.downcase =~ kw_regex
+        line = hash.line
+      elsif hash.line != line
+        hash
+      end
+    end
+  end
 end

data/lib/rules/suspicious_comment_rule.rb

@@ -0,0 +1,28 @@
+require_relative '../configurations/list_configuration'
+
+class SuspiciousCommentRule < Rule
+  @trigger_words = %w[hack fixme later later2 todo ticket launchpad bug to-do]
+  @suspicious = /hack|fixme|ticket|bug|secur|debug|defect|weak/
+
+  @trigger_words_conf = ListConfiguration.new("List of trigger words", @trigger_words, "List of words that identify a suspicious comment")
+  @suspicious_conf = RegexConfiguration.new("Regular expression of keywords present in suspicious comments", @suspicious, "Regular expression that identifies words that are immediately considered suspicious comments that shouldn't be present in a finalized product.")
+
+  @configurations+=[@trigger_words_conf, @suspicious_conf]
+
+  @name = "Suspicious comments"
+
+  def self.AnalyzeTokens(tokens)
+    result = []
+
+    ftokens = self.get_comments(tokens)
+    ftokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      if (token_value =~ @suspicious_conf.value)
+        result.append(Sin.new(SinType::SuspiciousComments, token.line, token.column, token.line, token.column+token_value.length))
+      end
+    end
+
+    return result
+  end
+end

data/lib/rules/use_weak_crypto_algorithms_rule.rb

@@ -0,0 +1,28 @@
+require_relative '../configurations/list_configuration'
+
+class UseWeakCryptoAlgorithmsRule < Rule
+  @name = "Use of weak crypto algorithm"
+
+  @poor_crypto = /^(sha1|md5)/
+
+  @poor_crypto_conf = RegexConfiguration.new("Regular expression of weak Crypto Algorithms", @poor_crypto, "Regular expression for names of known weak Cryptographic algorithms that shouldn't be used to secure sensitive information.")
+
+  @configurations+=[@poor_crypto_conf]
+
+  def self.AnalyzeTokens(tokens)
+    result = []
+
+    tokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      if !token.next_token.nil?
+        next_token_type = token.next_token.type.to_s
+      end
+      if (token_value =~ @poor_crypto_conf.value) && (next_token_type.eql? "LPAREN")
+        result.append(Sin.new(SinType::WeakCryptoAlgorithm, token.line, token.column, token.line, token.column+token_value.length))
+      end
+    end
+
+    return result
+  end
+end

data/lib/servers/language_server.rb

@@ -0,0 +1,100 @@
+require 'json'
+require 'uri'
+require 'socket'
+require_relative '../rule_engine'
+require_relative '../visitors/configuration_visitor'
+require_relative '../facades/configuration_page_facade'
+require_relative '../facades/configuration_file_facade'
+
+class LanguageServer
+  ConfigurationVisitor.GenerateIDs
+  ConfigurationFileFacade.LoadConfigurations
+
+  def self.start
+    server = TCPServer.open(5007)
+
+    loop {
+      Thread.fork(server.accept) do |client|
+        while line=client.gets
+          length=Integer(line.scan(/\d/).join(''))
+          line=client.read(length+2)
+          request = JSON.parse(line)
+          puts line
+
+          method_name = request['method'].sub('/', '_')
+          response = if self.respond_to? "client_"+method_name then self.send("client_"+method_name,request['id'],request['params']) end
+
+          if not response.nil?
+            client.flush
+            client.print("Content-Length: "+response.length.to_s+"\r\n\r\n")
+            client.print(response)
+            puts response
+          end
+        end
+        client.close
+      end
+    }
+  end
+
+  def self.client_initialize(id,params)
+    return JSON.generate({
+      jsonrpc: '2.0',
+      result: {
+        capabilities: {
+          textDocumentSync:1,
+          implementationProvider: "true"
+        }
+      },
+      id: id
+    })
+  end
+
+  def self.client_textDocument_didOpen(id,params)
+    uri = params["textDocument"]["uri"]
+    version = params["textDocument"]["version"]
+    code = params['textDocument']['text']
+    return self.generate_diagnostics(uri,version,code)
+    return
+  end
+
+  def self.client_textDocument_didChange(id,params)
+    uri = params["textDocument"]["uri"]
+    version = params["textDocument"]["version"]
+    code = params['contentChanges'][0]['text']
+    return self.generate_diagnostics(uri,version,code)
+    return
+  end
+
+  def self.generate_diagnostics(uri,version,code)
+    result = RuleEngine.analyzeDocument(code) #convert to json
+
+    diagnostics = []
+
+    result.each do |sin|
+      diagnostics.append({
+                           range:{
+                             start: { line: sin.begin_line-1, character: sin.begin_char },
+                             end: { line: sin.end_line-1, character: sin.end_char }
+                           },
+                           severity: 2,
+                           code: {
+                             value:sin.type[:name],
+                             target:sin.type[:solution]
+                           },
+                           source:'Puppet-sec-lint',
+                           message: sin.type[:message]
+                         })
+    end
+
+    return JSON.generate({
+                           jsonrpc: '2.0',
+                           method: 'textDocument/publishDiagnostics',
+                           params: {
+                             uri: uri,
+                             version: version,
+                             diagnostics: diagnostics
+                           }
+                         })
+  end
+
+end