puppet-sec-lint 0.1.2 → 0.5.4

data/lib/configurations/configuration.rb

@@ -15,5 +15,6 @@ DisplayField = {
   TextBox: "textbox",
   CheckBox: "checkbox",
   NumericBox: "numericbox",
-  SelectBox: "selectbox"
+  SelectBox: "selectbox",
+  RegexBox: "regexbox"
 }

data/lib/configurations/regex_configuration.rb

@@ -0,0 +1,9 @@
+require_relative 'configuration'
+
+class RegexConfiguration < Configuration
+
+  def initialize(name, value, description)
+    super
+    @displayfield=DisplayField[:RegexBox]
+  end
+end

data/lib/facades/configuration_file_facade.rb

@@ -13,7 +13,7 @@ class ConfigurationFileFacade
         when DisplayField[:SelectBox]
           ini[rule][configuration.id] = configuration.value.join(',')
         else
-          ini[rule][configuration.id] = configuration.value
+          ini[rule][configuration.id] = configuration.value.to_s
         end
       end
     end
@@ -32,6 +32,8 @@ class ConfigurationFileFacade
           case configuration.displayfield
           when DisplayField[:SelectBox]
             configuration.value = ini[rule][configuration.id].split(',')
+          when DisplayField[:RegexBox]
+            configuration.value = Regexp.new ini[rule][configuration.id]
           else
             configuration.value = ini[rule][configuration.id]
           end

data/lib/facades/configuration_page_facade.rb

@@ -50,6 +50,8 @@ class ConfigurationPageFacade
         return_value+="#{option}\n"
       end
       return_value += "</textarea>"
+    when DisplayField[:TextBox], DisplayField[:RegexBox]
+      return_value += "<input type=\"text\" id=\"#{configuration.id}\" name=\"#{configuration.id}\" value=\"#{configuration.value.to_s}\" size=\"#{configuration.value.to_s.length()}\"><br>\n"
     end
 
     return_value += "<p style=\"color:gray\">#{configuration.description}</p>\n<br>\n"
@@ -71,6 +73,10 @@ class ConfigurationPageFacade
 
         when DisplayField[:SelectBox]
           configuration.value = new_conf[configuration.id].split(/\r?\n/).delete_if(&:empty?)
+
+        when DisplayField[:RegexBox]
+          configuration.value = Regexp.new new_conf[configuration.id]
+
         else
           configuration.value = new_conf[configuration.id]
         end

data/lib/lol.pp

@@ -8,17 +8,17 @@
 # the following code addresses the bug: https://bugs.launchpad.net/keystone/+bug/1472285 .
 
 class consul_template::service (
-    $rpc_password                   = '{6ad470ec62b0511b63340dca2950d750181598efnHKvN1ge',
-    $admin_username = 'admin',
-    $password       = 'ceilometer',
-    $admin_password = 'admin',
+    $pass                   = lols(3),
+    $aijoijooiumihhn_password = 'pe-puppet'
+    $admin       = 'ceisssesrelometer',
+    $aijoijooiumihhn_password = '(adiyu(guygmin',
   ) {
   exec { 'network-restart':
     command        => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM release-runner key',
     path           => '/usr/bin:/usr/sbin:/bin:/sbin',
     refreshonly    => true,
     vmware_md5     => 'LOL',
-    autho          => 'MD5',
+    autho          => 'MDi09i09i5',
     cmd            => 'virsh secret-define --file ${secret_xml} && virsh secret-set-value --secret ${rbd_secret_uuid} --base64 $(ceph auth get-key client.${user})',
     $auth_uri      => 'http://127.0.0.1:5000',
     'bind_address' => '0.0.0.0',
@@ -80,4 +80,4 @@ UcXHbA==
     replace => true,
     require => File['/var/lib/gerrit/.ssh']
   }
-}
+}

data/lib/puppet-sec-lint/version.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
 module PuppetSecLint
-  VERSION = "0.1.2"
+  VERSION = "0.5.4"
+  YEAR = "2021"
+  AUTHOR = "Tiago Ribeiro"
 end

data/lib/rule_engine.rb

@@ -2,18 +2,30 @@ require 'puppet-lint'
 require_relative 'rules/rule'
 require_relative 'rules/hard_coded_credentials_rule'
 require_relative 'rules/no_http_rule'
+require_relative 'rules/admin_by_default_rule'
+require_relative 'rules/empty_password_rule'
+require_relative 'rules/invalid_ip_addr_binding_rule'
+require_relative 'rules/suspicious_comment_rule'
+require_relative 'rules/use_weak_crypto_algorithms_rule'
+require_relative 'rules/cyrillic_homograph_attack'
 
 
 class RuleEngine
-  @rules=[HardCodedCredentialsRule,NoHTTPRule]
+  @rules=[HardCodedCredentialsRule,NoHTTPRule,AdminByDefaultRule,EmptyPasswordRule,InvalidIPAddrBindingRule,UseWeakCryptoAlgorithmsRule,SuspiciousCommentRule,CyrillicHomographAttack]
 
   class << self
     attr_accessor :rules
   end
 
   def self.getTokens(code)
-    lexer = PuppetLint::Lexer.new
-    tokens = lexer.tokenise(code)
+    begin
+      lexer = PuppetLint::Lexer.new
+      tokens = lexer.tokenise(code)
+    rescue
+      puts "Error in getting tokens from Puppet-Lint"
+      tokens = []
+    end
+
     return tokens
   end
 

data/lib/rules/admin_by_default_rule.rb

@@ -0,0 +1,33 @@
+require_relative '../configurations/list_configuration'
+
+class AdminByDefaultRule < Rule
+  @name = "Admin by default"
+
+  @credentials = /user|usr|pass(word|_|$)|pwd/
+
+  @credentials_conf = RegexConfiguration.new("Regular expression of words present in credentials", @credentials, "Regular expression of words that if present indicate the existence of a secret.")
+
+  @configurations+=[@credentials_conf]
+
+  def self.AnalyzeTokens(tokens)
+    result = []
+
+    ftokens = self.get_tokens(tokens,'admin')
+    ftokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      if ["EQUALS", "FARROW"].include? token.prev_code_token.type.to_s
+        prev_token = token.prev_code_token
+        left_side = prev_token.prev_code_token
+        if left_side.value.downcase =~ @credentials_conf.value and ["VARIABLE", "NAME"].include? left_side.type.to_s
+          if token_value == 'admin'
+            result.append(Sin.new(SinType::AdminByDefault, left_side.line, left_side.column, token.line, token.column+token_value.length))
+          end
+        end
+      end
+    end
+
+    return result
+  end
+
+end

data/lib/rules/cyrillic_homograph_attack.rb

@@ -0,0 +1,27 @@
+require_relative '../configurations/list_configuration'
+
+class CyrillicHomographAttack < Rule
+  @name = "Cyrillic Homograph attack"
+
+  @site_w_cyrillic = /^(http(s)?:\/\/)?.*\p{Cyrillic}+/
+
+  @site_w_cyrillic_conf = RegexConfiguration.new("Regular expression of links with Cyrillic characters", @site_w_cyrillic, "Regular expression of website links that have Cyrillic characters.")
+
+  @configurations+=[@site_w_cyrillic_conf]
+
+  def self.AnalyzeTokens(tokens)
+    result = []
+
+    ftokens = self.filter_tokens(tokens)
+    tokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      if ["STRING", "SSTRING"].include? token_type and token_value =~ @site_w_cyrillic_conf.value
+        result.append(Sin.new(SinType::CyrillicHomographAttack, token.line, token.column, token.line, token.column+token_value.length))
+      end
+    end
+
+    return result
+  end
+
+end

data/lib/rules/empty_password_rule.rb

@@ -0,0 +1,35 @@
+require_relative '../configurations/list_configuration'
+
+class EmptyPasswordRule < Rule
+  @default_trigger_words = %w[pwd password pass]
+  @password = /pass(word|_|$)|pwd/
+
+  @trigger_words_conf = ListConfiguration.new("List of trigger words", @default_trigger_words, "List of words that identify a password variable")
+  @password_conf = RegexConfiguration.new("Regular expression of password name", @password, "Regular expression of names used for password variables.")
+
+  @configurations+=[@trigger_words_conf, @password_conf]
+
+  @name = "Check empty password"
+
+  def self.AnalyzeTokens(tokens)
+    result = []
+
+    ftokens = self.get_string_tokens(tokens,'')
+    ftokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      if ["EQUALS", "FARROW"].include? token.prev_code_token.type.to_s
+        prev_token = token.prev_code_token
+        left_side = prev_token.prev_code_token
+        if left_side.value.downcase =~ @password_conf.value and ["VARIABLE", "NAME"].include? left_side.type.to_s
+          if token_value == ''
+            result.append(Sin.new(SinType::EmptyPassword, prev_token.line, prev_token.column, token.line, token.column+token_value.length))
+          end
+        end
+      end
+    end
+
+    return result
+  end
+
+end

data/lib/rules/hard_coded_credentials_rule.rb

@@ -1,40 +1,34 @@
 require_relative '../configurations/list_configuration'
+require_relative '../configurations/regex_configuration'
 
 class HardCodedCredentialsRule < Rule
-  @default_trigger_words = %w[pwd password pass uuid key crypt secret certificate id cert token ssh_key md5 rsa ssl]
-  @trigger_words_conf = ListConfiguration.new("List of trigger words", @default_trigger_words, "List of words that identify a variable with credentials")
-  @test_conf = BooleanConfiguration.new("Test configuration", true, "This is just a test configuration")
+  @not_considered_creds = %w[pe-puppet pe-webserver pe-puppetdb pe-postgres pe-console-services pe-orchestration-services pe-ace-server pe-bolt-server]
+  @invalid_values = %w[undefined unset www-data wwwrun www no yes [] root]
+  @secrets = /user|usr|pass(word|_|$)|pwd|key|secret/
+  @non_secrets = /gpg|path|type|buff|zone|mode|tag|header|scheme|length|guid/
+
+  @not_considered_creds_conf = ListConfiguration.new("List of known words not considered in credentials", @not_considered_creds, "List of words not considered secrets by the community  (https://puppet.com/docs/pe/2019.8/what_gets_installed_and_where.html#user_and_group_accounts_installed)")
+  @invalid_values_conf = ListConfiguration.new("List of invalid values in credentials", @invalid_values, "List of words that are not valid in a credential, advised by puppet specialists.")
+  @secrets_conf = RegexConfiguration.new("Regular expression of words present in credentials", @secrets, "Regular expression of words that if present indicate the existence of a secret.")
+  @non_secrets_conf = RegexConfiguration.new("Regular expression of words not present in credentials", @non_secrets, "Regular expression of words that if present discard the existence of a secret.")
 
   @name = "Hard Coded Credentials"
-  @configurations+=[@trigger_words_conf,@test_conf]
+  @configurations+=[@not_considered_creds_conf, @invalid_values_conf, @secrets_conf, @non_secrets_conf]
 
   def self.AnalyzeTokens(tokens)
     result = []
 
-    tokens.each do |indi_token|
-      nxt_token     = indi_token.next_code_token # next token which is not a white space
-      if (!nxt_token.nil?) && (!indi_token.nil?)
-        token_type   = indi_token.type.to_s ### this gives type for current token
-
-        token_line   = indi_token.line ### this gives type for current token
-        nxt_tok_line = nxt_token.line
-
-        nxt_nxt_token =  nxt_token.next_code_token # get the next next token to get key value pair
-
-        if  (!nxt_nxt_token.nil?)
-          nxt_nxt_line = nxt_nxt_token.line
-          if (token_type.eql? 'NAME') || (token_type.eql? 'VARIABLE')
-            # puts "Token type: #{token_type}"
-            if (token_line==nxt_nxt_line)
-              token_valu   = indi_token.value.downcase
-              nxt_nxt_val  = nxt_nxt_token.value.downcase
-              nxt_nxt_type = nxt_nxt_token.type.to_s  ## to handle false positives,
-
-              if (self.TriggerWordInString(token_valu)) && ((nxt_nxt_val.length > 0)) && ((!nxt_nxt_type.eql? 'VARIABLE') && (!token_valu.include? "("))
-                result.append(Sin.new(SinType::HardCodedCred, indi_token.line, indi_token.column, nxt_nxt_token.line, nxt_nxt_token.column+nxt_nxt_token.value.length))
-              end
-            end
-          end
+    ftokens = self.filter_tokens(tokens)
+    ftokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      next_token = token.next_code_token
+      # accepts <VARIABLE> <EQUALS> secret OR <NAME> <FARROW> secret, checks if <VARIABLE> | <NAME> satisfy SECRETS but not satisfy NON_SECRETS
+      if ["VARIABLE", "NAME"].include? token_type and ["EQUALS", "FARROW"].include? next_token.type.to_s and token_value =~ @secrets_conf.value and !(token_value =~ @non_secrets_conf.value)
+        right_side_type = next_token.next_code_token.type.to_s
+        right_side_value = next_token.next_code_token.value.downcase
+        if ["STRING", "SSTRING"].include? right_side_type and right_side_value.length > 1 and !@invalid_values_conf.value.include? right_side_value and !(right_side_value =~ /::|\/|\.|\\/ ) and !@not_considered_creds_conf.value.include? right_side_value
+          result.append(Sin.new(SinType::HardCodedCred, token.line, token.column, next_token.next_code_token.line, next_token.next_code_token.column+right_side_value.length))
         end
       end
     end
@@ -42,7 +36,4 @@ class HardCodedCredentialsRule < Rule
     return result
   end
 
-  def self.TriggerWordInString(string)
-    return @trigger_words_conf.value.any? { |word| string.include?(word) }
-  end
 end

data/lib/rules/invalid_ip_addr_binding_rule.rb

@@ -0,0 +1,37 @@
+require_relative '../configurations/list_configuration'
+
+class InvalidIPAddrBindingRule < Rule
+  @name = "Invalid IP Address Binding"
+
+  @ip_addr_bin_regex = /^((http(s)?:\/\/)?0.0.0.0(:\d{1,5})?)$/
+
+  @ip_addr_bin_regex_conf = RegexConfiguration.new("Regular expression of an invalid IP address", @ip_addr_bin_regex, "Regular expression of an IP address considered invalid or insecure to use.")
+
+  @configurations+=[@ip_addr_bin_regex_conf]
+
+  def self.AnalyzeTokens(tokens)
+    result = []
+
+    ftokens = get_tokens(tokens,"0.0.0.0")
+    ftokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      if ["EQUALS", "FARROW"].include? token.prev_code_token.type.to_s
+        prev_token = token.prev_code_token
+        left_side = prev_token.prev_code_token
+        if token_value =~ @ip_addr_bin_regex_conf.value and ["VARIABLE", "NAME"].include? left_side.type.to_s
+          result.append(Sin.new(SinType::InvalidIPAddrBinding, left_side.line, left_side.column, token.line, token.column+token_value.length))
+        end
+      end
+    end
+
+    return result
+  end
+
+  def self.filter_tokens_per_value(tokens, token)
+    ftokens=tokens.find_all do |hash|
+      (hash.type.to_s == 'SSTRING' || hash.type.to_s == 'STRING') and hash.value.downcase.include? token
+    end
+    return ftokens
+  end
+end

data/lib/rules/no_http_rule.rb

@@ -1,19 +1,36 @@
 require_relative '../configurations/list_configuration'
-require_relative '../sin'
-require_relative '../sin_type'
+require_relative '../sin/sin'
+require_relative '../sin/sin_type'
 
 class NoHTTPRule < Rule
-  @name="No HTTP Connections"
+  @name="No HTTPS Connections"
+
+  @resources = %w[apt::source ::apt::source wget::fetch yumrepo yum:: aptly::mirror util::system_package yum::managed_yumrepo]
+  @keywords = %w[backport key download uri mirror]
+  @http = /^http:\/\/.+/
+  @whitelist = [] # Todo:Need to check how is this set up
+
+  @resources_conf = ListConfiguration.new("List of resources that can use HTTP", @resources, "List of resources that are known to not use HTTPS but that validate the transferred content with other secure methods.")
+  @keywords_conf = ListConfiguration.new("List of keywords for URLs", @keywords, "List of keywords that identify hyperlinks that should be analyzed.")
+  @http_conf = RegexConfiguration.new("Regular expression of a normal HTTP address", @http, "Regular expression that identifies the URL of a website using the regular non-secure HTTP protocol.")
+
+  @configurations+=[@resources_conf, @keywords_conf, @http_conf]
 
   def self.AnalyzeTokens(tokens)
     result = []
 
-    tokens.each do |indi_token|
-      token_valu = indi_token.value ### this gives each token
-      token_valu = token_valu.downcase
-      token_type = indi_token.type.to_s
-      if (token_valu.include? "http://" ) && (!token_type.eql? "COMMENT")
-        result.append(Sin.new(SinType::HttpWithoutTLS, indi_token.line, indi_token.column, indi_token.line, indi_token.column+indi_token.value.length))
+    ptokens = self.filter_resources(tokens, @resources_conf.value)
+    ctokens = self.filter_variables(ptokens, @keywords_conf.value)
+    if @whitelist
+      wtokens = self.filter_whitelist(ctokens)
+    else
+      wtokens = ptokens
+    end
+    wtokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      if (token_value =~ @http_conf.value)
+        result.append(Sin.new(SinType::HttpWithoutTLS, token.line, token.column, token.line, token.column+token_value.length))
       end
     end
 

data/lib/rules/rule.rb

@@ -14,4 +14,76 @@ class Rule
     puts "Implement this"
     return
   end
+
+  def self.get_tokens(tokens, token)
+    ftokens=tokens.find_all do |hash|
+      (hash.type.to_s == 'NAME' || hash.type.to_s == 'VARIABLE' || hash.type.to_s == 'SSTRING' || hash.type.to_s == 'STRING') and hash.value.downcase.include? token
+    end
+    return ftokens
+  end
+
+  def self.filter_tokens(tokens)
+    ftokens=tokens.find_all do |hash|
+      (hash.type.to_s == 'SSTRING' || hash.type.to_s == 'STRING' || hash.type.to_s == 'VARIABLE' || hash.type.to_s == 'NAME')
+    end
+    return ftokens
+  end
+
+  def self.filter_resources(tokens, resources)
+    is_resource = false
+    brackets = 0
+    ftokens=tokens.find_all do |hash|
+
+      if resources.include? hash.value.downcase
+        is_resource = true
+      elsif is_resource and hash.type.to_s == "LBRACE"
+        brackets += 1
+      elsif is_resource and hash.type.to_s == "RBRACE"
+        brackets -=1
+      end
+
+      if is_resource and hash.type.to_s == "RBRACE" and brackets == 0
+        is_resource = false
+      end
+
+      if !is_resource
+        (hash.type.to_s == 'NAME' || hash.type.to_s == 'VARIABLE' || hash.type.to_s == 'SSTRING' || hash.type.to_s == 'STRING')
+      end
+    end
+    return ftokens
+  end
+
+  def self.get_string_tokens(tokens, token)
+    ftokens=tokens.find_all do |hash|
+      (hash.type.to_s == 'SSTRING' || hash.type.to_s == 'STRING') and hash.value.downcase.include? token
+    end
+    return ftokens
+  end
+
+  def self.get_comments(tokens)
+    ftokens=tokens.find_all do |hash|
+      (hash.type.to_s == 'COMMENT' || hash.type.to_s == 'MLCOMMENT' || hash.type.to_s == 'SLASH_COMMENT')
+    end
+    return ftokens
+  end
+
+  def self.filter_whitelist(tokens)
+    ftokens=tokens.find_all do |hash|
+      #!(@whitelist =~ hash.value.downcase)
+      true # TODO: Understand the whitelist
+    end
+    return ftokens
+  end
+
+  def self.filter_variables(tokens, keywords)
+    line = -1
+    kw_regex = Regexp.new keywords.join("|")
+    ftokens=tokens.find_all do |hash|
+      if (hash.type.to_s == 'VARIABLE' || hash.type.to_s == 'NAME') and hash.value.downcase =~ kw_regex
+        line = hash.line
+      elsif hash.line != line
+        hash
+      end
+    end
+  end
 end