puppet-sec-lint 0.1.2 → 0.5.0

data/lib/servers/linter_server.rb

@@ -0,0 +1,50 @@
+require "rack"
+require "thin"
+require 'json'
+require 'uri'
+require_relative '../rule_engine'
+require_relative '../visitors/configuration_visitor'
+require_relative '../facades/configuration_page_facade'
+require_relative '../facades/configuration_file_facade'
+
+class LinterServer
+  ConfigurationVisitor.GenerateIDs
+  ConfigurationFileFacade.LoadConfigurations
+
+  def call(env)
+    req = Rack::Request.new(env)
+
+    case req.path
+    when "/configuration"
+      if req.post?
+        process_form(req)
+      elsif req.get?
+        configurations_page
+      end
+    end
+
+  end
+
+  def configurations_page
+    configuration_page = ConfigurationPageFacade.AssemblePage
+
+    return [200, { 'Content-Type' => 'text/html' }, [configuration_page]]
+  end
+
+  def process_form(req)
+    new_conf = URI.decode_www_form(req.body.read)
+    new_conf_hash = Hash[new_conf.map {|key, value| [key, value]}]
+
+    begin
+      ConfigurationPageFacade.ApplyConfigurations(new_conf_hash)
+      ConfigurationFileFacade.SaveConfigurations
+    rescue StandardError => error
+      return [400, { 'Content-Type' => 'text/plain' }, ["Error: #{error.message}"]]
+    end
+
+    return [200, { 'Content-Type' => 'text/plain' }, ["Changes saved successfully"]]
+  end
+
+end
+
+Rack::Handler::Thin.run(LinterServer.new, :Port => 9292)

data/lib/{sin.rb → sin/sin.rb}

@@ -10,6 +10,11 @@ class Sin
   end
 
   def ToString
-    return "<Sin:#{@type[:name]}, Line:#{@begin_line}, Char:#{@begin_char}, Message:#{@type[:message]}, Recommendation:#{@type[:recommendation]}>"
+    return "<Sin:#{@type[:name]}, Line:#{@begin_line}, Char:#{@begin_char}, Message:#{@type[:message]}, Recommendation:#{@type[:solution]}>"
   end
+
+  def ==(other_object)
+    @type == other_object.type && @begin_line == other_object.begin_line && @begin_char == other_object.begin_char && @end_line == other_object.end_line && @end_char == other_object.end_char
+  end
+
 end

data/lib/sin/sin_type.rb

@@ -0,0 +1,44 @@
+module SinType
+  base_url="https://tiagor98.github.io/puppet-sec-lint"
+
+  HardCodedCred = {
+    name: "Hard Coded Credentials",
+    message: "Do not hard code secrets. This may help an attacker to attack the system.",
+    solution: "#{base_url}/hard-coded-credentials"
+  }
+  HttpWithoutTLS = {
+    name: "HTTP without TLS",
+    message: "Do not use HTTP without TLS. This may cause a man in the middle attack.",
+    solution: "#{base_url}/http-without-tls"
+  }
+  AdminByDefault = {
+    name: "Admin by default",
+    message: "This violates the secure by design principle.",
+    solution: "#{base_url}/admin-by-default"
+  }
+  EmptyPassword = {
+    name: "Empty password",
+    message: "Do not keep password field empty. This may help an attacker to attack.",
+    solution: "#{base_url}/empty-password"
+  }
+  InvalidIPAddrBinding = {
+    name: "Invalid IP Address Binding",
+    message: "This config allows connections from every possible network.",
+    solution: "#{base_url}/invalid-ip-addr-binding"
+  }
+  SuspiciousComments = {
+    name: "Suspicious Comments",
+    message: "This comment can expose sensitive information to attackers.",
+    solution: "#{base_url}/suspicious-comments"
+  }
+  WeakCryptoAlgorithm = {
+    name: "Weak Crypto Algorithm",
+    message: "Do not use this algorithm, as it may have security weaknesses.",
+    solution: "#{base_url}/weak-crypto-algorithm"
+  }
+  CyrillicHomographAttack = {
+    name: "Cyrillic Homograph attack",
+    message: "This link has a cyrillic char. These are not rendered by browsers and are sometimes used for phishing attacks.",
+    solution: "#{base_url}/cyrillic-homograph-attack"
+  }
+end

data/lib/test.txt

@@ -0,0 +1,15 @@
+jiuhiuhiuh
+ouhiuhiuh
+iuhiuh
+iuhiuhkokok
+kokokokokokokowdijwoidjqwoidjqwodijqdoiqjwdodij
+qwdqwd
+qwdqwddq
+wd
+qwdqwdoijoijoijoij
+oijoijoijoij
+kkkkkkkk
+huiuhiuhiuh
+
+kkjjjm
+okpokpok,l,l,l

data/lib/test2.rb

@@ -0,0 +1,16 @@
+require 'rjr/nodes/ws'
+
+# listen for methods via amqp, websockets, http, and via local calls
+
+ws_node    = RJR::Nodes::WS.new    :node_id => 'server', :host   => '127.0.0.1', :port => 5007
+
+
+# define a rpc method called 'hello' which takes
+# one argument and returns it in upper case
+ws_node.dispatcher.handle("initialize") { |processId,clientInfo,locale,rootPath,rootUri,capabilities,trace,workspaceFolders|
+  arg.upcase
+}
+
+# start the server and block
+ws_node.listen
+ws_node.join

data/lib/test3.rb

@@ -0,0 +1,32 @@
+require 'socket'                 # Get sockets from stdlib
+require 'json'
+
+server = TCPServer.open(5007)    # Socket to listen on port 2000
+
+loop {
+  Thread.fork(server.accept) do |client|
+    while line=client.gets
+      length=Integer(line.scan(/\d/).join(''))
+      line=client.read(length+2)
+      request = JSON.parse(line)
+      puts line
+
+      response = {
+          jsonrpc: request['jsonrpc'],
+          result: {
+            capabilities: {
+              textDocumentSync:1
+            }
+          },
+          id: request['id']
+      }
+
+      response = JSON.generate(response)
+
+      client.flush
+      client.puts("Content-Length: "+response.length.to_s+"\r\n\r\n")
+      client.puts(response)
+    end
+    client.close
+  end
+}

data/lib/test_new.rb

@@ -0,0 +1,19 @@
+require 'jimson'
+
+class MyHandler
+  extend Jimson::Handler
+
+  def initi(a,b)
+    a + b
+  end
+
+  def initialize
+    super
+  end
+
+end
+
+server = Jimson::Server.new(MyHandler.new)
+server.port = 5007
+server.host = '127.0.0.1'
+server.start # serve with webrick on http://0.0.0.0:8999/

data/lol2.pp

@@ -0,0 +1,83 @@
+#class path_attribute {
+#  file { 'ssh_config_file':
+#    path    => '/etc/ssh/sshd_config',
+#    content => 'Bad path attribute, bad.',
+#  }
+#}
+
+# the following code addresses the bujjjg: https://bukkkgs.launchpad.net/keystone/+bug/1472285 .
+
+class consul_template::service (
+    $pass                   = lols(3),
+    $aijoijooiumihhn_password = 'pe-puppet'
+    $admin       = 'ceisssesrelometer',
+    $aijoijooiumihhn_passuihiuhword = '(adiyu(guygmin',
+  ) {
+  exec { 'network-restart':
+    command        => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM release-runner key',
+    path           => '/usr/bin:/usr/sbin:/bin:/sbin',
+    refreshonly    => true,
+    vmware_md5     => 'LOL',
+    autho          => 'MDi09i09i5',
+    cmd            => 'virsh secret-define --file ${secret_xml} && virsh secret-set-value --secret ${rbd_secret_uuid} --base64 $(ceph auth get-key client.${user})',
+    $auth_uri      => 'http://127.0.0.1:5000',
+    'bind_address' => '0.0.0.0',
+    passwkkkkord       => 'joijoij',
+  }
+  case $::osfamily {
+    'RedHat': {
+    exec { 'upload-img':
+      command => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} add name=${img_name} is_public=${public} container_format=${container_format} disk_format=${disk_format} distro=${os_name} < /opt/vm/cirros-x86_64-disk.img",
+      unless => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index && (/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index | grep ${img_name})",
+
+      }
+    }
+    'Debian': {
+    exec { 'upload-img':
+      command => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} add name=${img_name} is_public=${public} container_format=${container_format} disk_format=${disk_format} distro=${os_name} < /usr/share/cirros-testvm/cirros-x86_64-disk.img",
+      unless => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index && (/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index | grep ${img_name})",
+      kehhhuhy => "E8CC67053ED3B199",
+      key_content => '-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+mQENBE/oXVkBCACcjAcV7lRGskECEHovgZ6a2robpBroQBW+tJds7B+qn/DslOAN
+1hm0UuGQsi8pNzHDE29FMO3yOhmkenDd1V/T6tHNXqhHvf55nL6anlzwMmq3syIS
+uqVjeMMXbZ4d+Rh0K/rI4TyRbUiI2DDLP+6wYeh1pTPwrleHm5FXBMDbU/OZ5vKZ
+67j99GaARYxHp8W/be8KRSoV9wU1WXr4+GA6K7ENe2A8PT+jH79Sr4kF4uKC3VxD
+BF5Z0yaLqr+1V2pHU3AfmybOCmoPYviOqpwj3FQ2PhtObLs+hq7zCviDTX2IxHBb
+Q3mGsD8wS9uyZcHN77maAzZlL5G794DEr1NLABEBAAG0NU9wZW5TdGFja0BDaXNj
+byBBUFQgcmVwbyA8b3BlbnN0YWNrLWJ1aWxkZEBjaXNjby5jb20+iQE4BBMBAgAi
+BQJP6F1ZAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDozGcFPtOxmXcK
+B/9WvQrBwxmIMV2M+VMBhQqtipvJeDX2Uv34Ytpsg2jldl0TS8XheGlUNZ5djxDy
+u3X0hKwRLeOppV09GVO3wGizNCV1EJjqQbCMkq6VSJjD1B/6Tg+3M/XmNaKHK3Op
+zSi+35OQ6xXc38DUOrigaCZUU40nGQeYUMRYzI+d3pPlNd0+nLndrE4rNNFB91dM
+BTeoyQMWd6tpTwz5MAi+I11tCIQAPCSG1qR52R3bog/0PlJzilxjkdShl1Cj0RmX
+7bHIMD66uC1FKCpbRaiPR8XmTPLv29ZTk1ABBzoynZyFDfliRwQi6TS20TuEj+ZH
+xq/T6MM6+rpdBVz62ek6/KBcuQENBE/oXVkBCACgzyyGvvHLx7g/Rpys1WdevYMH
+THBS24RMaDHqg7H7xe0fFzmiblWjV8V4Yy+heLLV5nTYBQLS43MFvFbnFvB3ygDI
+IdVjLVDXcPfcp+Np2PE8cJuDEE4seGU26UoJ2pPK/IHbnmGWYwXJBbik9YepD61c
+NJ5XMzMYI5z9/YNupeJoy8/8uxdxI/B66PL9QN8wKBk5js2OX8TtEjmEZSrZrIuM
+rVVXRU/1m732lhIyVVws4StRkpG+D15Dp98yDGjbCRREzZPeKHpvO/Uhn23hVyHe
+PIc+bu1mXMQ+N/3UjXtfUg27hmmgBDAjxUeSb1moFpeqLys2AAY+yXiHDv57ABEB
+AAGJAR8EGAECAAkFAk/oXVkCGwwACgkQ6MxnBT7TsZng+AgAnFogD90f3ByTVlNp
+Sb+HHd/cPqZ83RB9XUxRRnkIQmOozUjw8nq8I8eTT4t0Sa8G9q1fl14tXIJ9szzz
+BUIYyda/RYZszL9rHhucSfFIkpnp7ddfE9NDlnZUvavnnyRsWpIZa6hJq8hQEp92
+IQBF6R7wOws0A0oUmME25Rzam9qVbywOh9ZQvzYPpFaEmmjpCRDxJLB1DYu8lnC4
+h1jP1GXFUIQDbcznrR2MQDy5fNt678HcIqMwVp2CJz/2jrZlbSKfMckdpbiWNns/
+xKyLYs5m34d4a0it6wsMem3YCefSYBjyLGSd/kCI/CgOdGN1ZY1HSdLmmjiDkQPQ
+UcXHbA==
+=v6jg
+-----END PGP PUBLIC KEY BLOCK-----',
+
+      }
+    }
+  }
+  file { '/var/lib/gerrit/.ssh/id_rsa' :
+    owner   => 'gerrit',
+    group   => 'gerrit',
+    mode    => '0600',
+    content => $ssh_replication_rsa_key_contents,
+    replace => true,
+    require => File['/var/lib/gerrit/.ssh']
+  }
+}

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet-sec-lint
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.5.0
 platform: ruby
 authors:
 - Tiago Ribeiro
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-04-11 00:00:00.000000000 Z
+date: 2021-05-06 00:00:00.000000000 Z
 dependencies: []
 description: This is a more complete security linter for the puppet language
 email:
@@ -35,24 +35,49 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- _config.yml
 - bin/console
 - bin/setup
+- docs/404.html
+- docs/Gemfile
+- docs/Gemfile.lock
+- docs/_config.yml
+- docs/_posts/2021-05-03-welcome-to-jekyll.markdown
+- docs/_site/404.html
+- docs/_site/feed.xml
+- docs/_site/index.html
+- docs/_site/jekyll/update/2021/05/03/welcome-to-jekyll.html
+- docs/hard-coded-credentials.md
+- docs/index.md
 - exe/puppet-sec-lint
 - lib/configurations/boolean_configuration.rb
 - lib/configurations/configuration.rb
 - lib/configurations/list_configuration.rb
+- lib/configurations/regex_configuration.rb
 - lib/facades/configuration_file_facade.rb
 - lib/facades/configuration_page_facade.rb
-- lib/language_server.rb
 - lib/lol.pp
 - lib/puppet-sec-lint/version.rb
 - lib/rule_engine.rb
+- lib/rules/admin_by_default_rule.rb
+- lib/rules/cyrillic_homograph_attack.rb
+- lib/rules/empty_password_rule.rb
 - lib/rules/hard_coded_credentials_rule.rb
+- lib/rules/invalid_ip_addr_binding_rule.rb
 - lib/rules/no_http_rule.rb
 - lib/rules/rule.rb
-- lib/sin.rb
-- lib/sin_type.rb
+- lib/rules/suspicious_comment_rule.rb
+- lib/rules/use_weak_crypto_algorithms_rule.rb
+- lib/servers/language_server.rb
+- lib/servers/linter_server.rb
+- lib/sin/sin.rb
+- lib/sin/sin_type.rb
+- lib/test.txt
+- lib/test2.rb
+- lib/test3.rb
+- lib/test_new.rb
 - lib/visitors/configuration_visitor.rb
+- lol2.pp
 - puppet-sec-lint.gemspec
 homepage: https://github.com/TiagoR98/puppet-sec-lint
 licenses:

data/lib/language_server.rb

@@ -1,78 +0,0 @@
-require "rack"
-require "thin"
-require 'json'
-require 'uri'
-require_relative 'rule_engine'
-require_relative 'visitors/configuration_visitor'
-require_relative 'facades/configuration_page_facade'
-require_relative 'facades/configuration_file_facade'
-
-class LanguageServer
-  ConfigurationVisitor.GenerateIDs
-  ConfigurationFileFacade.LoadConfigurations
-
-  def call(env)
-    req = Rack::Request.new(env)
-
-    case req.path
-    when "/"
-      if req.post?
-        process_analysis(req)
-      end
-    when "/configuration"
-      if req.post?
-        process_form(req)
-      elsif req.get?
-        configurations_page
-      end
-    end
-
-  end
-
-  def process_form(req)
-    new_conf = URI.decode_www_form(req.body.read)
-    new_conf_hash = Hash[new_conf.map {|key, value| [key, value]}]
-
-    ConfigurationPageFacade.ApplyConfigurations(new_conf_hash)
-    ConfigurationFileFacade.SaveConfigurations
-
-    return [200, { 'Content-Type' => 'text/plain' }, ["Changes saved successfully"]]
-  end
-
-  def process_analysis(req)
-    body = JSON.parse(req.body.read)
-
-    if body['documentContent']
-      code = body['documentContent']
-
-      result_json = []
-
-      result = RuleEngine.analyzeDocument(code) #convert to json
-
-      result.each do |sin|
-        result_json.append(JSON.generate({
-                             'name' => sin.type[:name],
-                             'message' => sin.type[:message],
-                             'recommendation' => sin.type[:recommendation],
-                             'begin_line' => sin.begin_line,
-                             'begin_char' => sin.begin_char,
-                             'end_line' => sin.end_line,
-                             'end_char' => sin.end_char
-                           }))
-      end
-
-      return [200, { 'Content-Type' => 'application/json' }, [result_json.to_json]]
-    end
-
-    [401, { 'Content-Type' => 'text/html' }, ['Invalid Request']]
-  end
-
-  def configurations_page
-    configuration_page = ConfigurationPageFacade.AssemblePage
-
-    return [200, { 'Content-Type' => 'text/html' }, [configuration_page]]
-  end
-
-end
-
-Rack::Handler::Thin.run(LanguageServer.new, :Port => 9292)

data/lib/sin_type.rb

@@ -1,12 +0,0 @@
-module SinType
-  HardCodedCred = {
-    name: "Hard Coded Credentials",
-    message: "Do not hard code secrets. This may help an attacker to attack the system.",
-    recommendation: "You can use hiera to avoid this issue."
-  }
-  HttpWithoutTLS = {
-    name: "HTTP without TLS",
-    message: "Do not use HTTP without TLS. This may cause a man in the middle attack.",
-    recommendation: "Use TLS with HTTP"
-  }
-end