RubyGems - puppet-sec-lint - Versions diffs - 0.1.2 → 0.5.4 - Mend

puppet-sec-lint 0.1.2 → 0.5.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

checksums.yaml +4 -4
data/.github/workflows/main.yml +4 -2
data/.idea/puppet-sec-lint.iml +7 -4
data/Gemfile +3 -1
data/Gemfile.lock +14 -1
data/README.md +36 -17
data/_config.yml +1 -0
data/docs/404.html +24 -0
data/docs/Gemfile +30 -0
data/docs/Gemfile.lock +275 -0
data/docs/_config.yml +41 -0
data/docs/_posts/2021-05-03-welcome-to-jekyll.markdown +25 -0
data/docs/_site/404.html +71 -0
data/docs/_site/feed.xml +13 -0
data/docs/_site/index.html +1 -0
data/docs/_site/jekyll/update/2021/05/03/welcome-to-jekyll.html +77 -0
data/docs/hard-coded-credentials.md +17 -0
data/docs/images/puppet-sec-lint_console.png +0 -0
data/docs/images/puppet-sec-lint_vscode.png +0 -0
data/docs/index.md +6 -0
data/exe/puppet-sec-lint +81 -15
data/file.pp +77 -0
data/lib/configurations/configuration.rb +2 -1
data/lib/configurations/regex_configuration.rb +9 -0
data/lib/facades/configuration_file_facade.rb +3 -1
data/lib/facades/configuration_page_facade.rb +6 -0
data/lib/lol.pp +6 -6
data/lib/puppet-sec-lint/version.rb +3 -1
data/lib/rule_engine.rb +15 -3
data/lib/rules/admin_by_default_rule.rb +33 -0
data/lib/rules/cyrillic_homograph_attack.rb +27 -0
data/lib/rules/empty_password_rule.rb +35 -0
data/lib/rules/hard_coded_credentials_rule.rb +22 -31
data/lib/rules/invalid_ip_addr_binding_rule.rb +37 -0
data/lib/rules/no_http_rule.rb +26 -9
data/lib/rules/rule.rb +72 -0
data/lib/rules/suspicious_comment_rule.rb +28 -0
data/lib/rules/use_weak_crypto_algorithms_rule.rb +28 -0
data/lib/servers/language_server.rb +101 -0
data/lib/servers/linter_server.rb +52 -0
data/lib/settings.ini +39 -0
data/lib/{sin.rb → sin/sin.rb} +6 -1
data/lib/sin/sin_type.rb +44 -0
data/lib/test.txt +15 -0
data/lib/test2.rb +16 -0
data/lib/test3.rb +32 -0
data/lib/test_new.rb +19 -0
data/puppet-sec-lint-0.5.3.gem +0 -0
data/puppet-sec-lint.gemspec +7 -1
metadata +139 -6
data/lib/language_server.rb +0 -78
data/lib/sin_type.rb +0 -12

data/lib/rules/suspicious_comment_rule.rb ADDED Viewed

@@ -0,0 +1,28 @@
+require_relative '../configurations/list_configuration'
+class SuspiciousCommentRule < Rule
+  @trigger_words = %w[hack fixme later later2 todo ticket launchpad bug to-do]
+  @suspicious = /hack|fixme|ticket|bug|secur|debug|defect|weak/
+  @trigger_words_conf = ListConfiguration.new("List of trigger words", @trigger_words, "List of words that identify a suspicious comment")
+  @suspicious_conf = RegexConfiguration.new("Regular expression of keywords present in suspicious comments", @suspicious, "Regular expression that identifies words that are immediately considered suspicious comments that shouldn't be present in a finalized product.")
+  @configurations+=[@trigger_words_conf, @suspicious_conf]
+  @name = "Suspicious comments"
+  def self.AnalyzeTokens(tokens)
+    result = []
+    ftokens = self.get_comments(tokens)
+    ftokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      if (token_value =~ @suspicious_conf.value)
+        result.append(Sin.new(SinType::SuspiciousComments, token.line, token.column, token.line, token.column+token_value.length))
+      end
+    end
+    return result
+  end
+end

data/lib/rules/use_weak_crypto_algorithms_rule.rb ADDED Viewed

@@ -0,0 +1,28 @@
+require_relative '../configurations/list_configuration'
+class UseWeakCryptoAlgorithmsRule < Rule
+  @name = "Use of weak crypto algorithm"
+  @poor_crypto = /^(sha1|md5)/
+  @poor_crypto_conf = RegexConfiguration.new("Regular expression of weak Crypto Algorithms", @poor_crypto, "Regular expression for names of known weak Cryptographic algorithms that shouldn't be used to secure sensitive information.")
+  @configurations+=[@poor_crypto_conf]
+  def self.AnalyzeTokens(tokens)
+    result = []
+    tokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      if !token.next_token.nil?
+        next_token_type = token.next_token.type.to_s
+      end
+      if (token_value =~ @poor_crypto_conf.value) && (next_token_type.eql? "LPAREN")
+        result.append(Sin.new(SinType::WeakCryptoAlgorithm, token.line, token.column, token.line, token.column+token_value.length))
+      end
+    end
+    return result
+  end
+end

data/lib/servers/language_server.rb ADDED Viewed

@@ -0,0 +1,101 @@
+require 'json'
+require 'uri'
+require 'socket'
+require_relative '../rule_engine'
+require_relative '../visitors/configuration_visitor'
+require_relative '../facades/configuration_page_facade'
+require_relative '../facades/configuration_file_facade'
+class LanguageServer
+  ConfigurationVisitor.GenerateIDs
+  ConfigurationFileFacade.LoadConfigurations
+  def self.start(port)
+    port ||= 5007
+    server = TCPServer.open(port)
+    loop {
+      Thread.fork(server.accept) do |client|
+        while line=client.gets
+          length=Integer(line.scan(/\d/).join(''))
+          line=client.read(length+2)
+          request = JSON.parse(line)
+          puts line
+          method_name = request['method'].sub('/', '_')
+          response = if self.respond_to? "client_"+method_name then self.send("client_"+method_name,request['id'],request['params']) end
+          if not response.nil?
+            client.flush
+            client.print("Content-Length: "+response.length.to_s+"\r\n\r\n")
+            client.print(response)
+            puts response
+          end
+        end
+        client.close
+      end
+    }
+  end
+  def self.client_initialize(id,params)
+    return JSON.generate({
+      jsonrpc: '2.0',
+      result: {
+        capabilities: {
+          textDocumentSync:1,
+          implementationProvider: "true"
+        }
+      },
+      id: id
+    })
+  end
+  def self.client_textDocument_didOpen(id,params)
+    uri = params["textDocument"]["uri"]
+    version = params["textDocument"]["version"]
+    code = params['textDocument']['text']
+    return self.generate_diagnostics(uri,version,code)
+    return
+  end
+  def self.client_textDocument_didChange(id,params)
+    uri = params["textDocument"]["uri"]
+    version = params["textDocument"]["version"]
+    code = params['contentChanges'][0]['text']
+    return self.generate_diagnostics(uri,version,code)
+    return
+  end
+  def self.generate_diagnostics(uri,version,code)
+    result = RuleEngine.analyzeDocument(code) #convert to json
+    diagnostics = []
+    result.each do |sin|
+      diagnostics.append({
+                           range:{
+                             start: { line: sin.begin_line-1, character: sin.begin_char },
+                             end: { line: sin.end_line-1, character: sin.end_char }
+                           },
+                           severity: 2,
+                           code: {
+                             value:sin.type[:name],
+                             target:sin.type[:solution]
+                           },
+                           source:'Puppet-sec-lint',
+                           message: sin.type[:message]
+                         })
+    end
+    return JSON.generate({
+                           jsonrpc: '2.0',
+                           method: 'textDocument/publishDiagnostics',
+                           params: {
+                             uri: uri,
+                             version: version,
+                             diagnostics: diagnostics
+                           }
+                         })
+  end
+end

data/lib/servers/linter_server.rb ADDED Viewed

@@ -0,0 +1,52 @@
+require "rack"
+require "thin"
+require 'json'
+require 'uri'
+require_relative '../rule_engine'
+require_relative '../visitors/configuration_visitor'
+require_relative '../facades/configuration_page_facade'
+require_relative '../facades/configuration_file_facade'
+class LinterServer
+  ConfigurationVisitor.GenerateIDs
+  ConfigurationFileFacade.LoadConfigurations
+  def call(env)
+    req = Rack::Request.new(env)
+    case req.path
+    when "/configuration"
+      if req.post?
+        process_form(req)
+      elsif req.get?
+        configurations_page
+      end
+    end
+  end
+  def configurations_page
+    configuration_page = ConfigurationPageFacade.AssemblePage
+    return [200, { 'Content-Type' => 'text/html' }, [configuration_page]]
+  end
+  def process_form(req)
+    new_conf = URI.decode_www_form(req.body.read)
+    new_conf_hash = Hash[new_conf.map {|key, value| [key, value]}]
+    begin
+      ConfigurationPageFacade.ApplyConfigurations(new_conf_hash)
+      ConfigurationFileFacade.SaveConfigurations
+    rescue StandardError => error
+      return [400, { 'Content-Type' => 'text/plain' }, ["Error: #{error.message}"]]
+    end
+    return [200, { 'Content-Type' => 'text/plain' }, ["Changes saved successfully"]]
+  end
+  def self.start(port)
+    Rack::Handler::Thin.run(LinterServer.new, :Port => port)
+  end
+end

data/lib/settings.ini ADDED Viewed

@@ -0,0 +1,39 @@
+[HardCodedCredentialsRule]
+HardCodedCredentialsRule-enable_configuration = true
+HardCodedCredentialsRule-list_of_known_words_not_considered_in_credentials = pe-puppet,pe-webserver,pe-puppetdb,pe-postgres,pe-console-services,pe-orchestration-services,pe-ace-server,pe-bolt-server
+HardCodedCredentialsRule-list_of_invalid_values_in_credentials = undefined,unset,www-data,wwwrun,www,no,yes,[],root
+HardCodedCredentialsRule-regular_expression_of_words_present_in_credentials = (?-mix:user|usr|pass(word|_|$)|pwd|key|secret)
+HardCodedCredentialsRule-regular_expression_of_words_not_present_in_credentials = (?-mix:gpg|path|type|buff|zone|mode|tag|header|scheme|length|guid)
+[NoHTTPRule]
+NoHTTPRule-enable_configuration = true
+NoHTTPRule-list_of_resources_that_can_use_http = apt::source,::apt::source,wget::fetch,yumrepo,yum::,aptly::mirror,util::system_package,yum::managed_yumrepo
+NoHTTPRule-list_of_keywords_for_urls = backport,key,download,uri,mirror
+NoHTTPRule-regular_expression_of_a_normal_http_address = (?-mix:^http:\/\/.+)
+[AdminByDefaultRule]
+AdminByDefaultRule-enable_configuration = true
+AdminByDefaultRule-regular_expression_of_words_present_in_credentials = (?-mix:user|usr|pass(word|_|$)|pwd)
+[EmptyPasswordRule]
+EmptyPasswordRule-enable_configuration = true
+EmptyPasswordRule-list_of_trigger_words = pwd,password,pass
+EmptyPasswordRule-regular_expression_of_password_name = (?-mix:pass(word|_|$)|pwd)
+[InvalidIPAddrBindingRule]
+InvalidIPAddrBindingRule-enable_configuration = true
+InvalidIPAddrBindingRule-regular_expression_of_an_invalid_ip_address = (?-mix:^((http(s)?:\/\/)?0.0.0.0(:\d{1,5})?)$)
+[UseWeakCryptoAlgorithmsRule]
+UseWeakCryptoAlgorithmsRule-enable_configuration = true
+UseWeakCryptoAlgorithmsRule-regular_expression_of_weak_crypto_algorithms = (?-mix:^(sha1|md5))
+[SuspiciousCommentRule]
+SuspiciousCommentRule-enable_configuration = true
+SuspiciousCommentRule-list_of_trigger_words = hack,fixme,later,later2,todo,ticket,launchpad,bug,to-do
+SuspiciousCommentRule-regular_expression_of_keywords_present_in_suspicious_comments = (?-mix:hack|fixme|ticket|bug|secur|debug|defect|weak)
+[CyrillicHomographAttack]
+CyrillicHomographAttack-enable_configuration = true
+CyrillicHomographAttack-regular_expression_of_links_with_cyrillic_characters = (?-mix:^(http(s)?:\/\/)?.*\p{Cyrillic}+)

data/lib/{sin.rb → sin/sin.rb} RENAMED Viewed

@@ -10,6 +10,11 @@ class Sin
   end
   def ToString
-    return "<Sin:#{@type[:name]}, Line:#{@begin_line}, Char:#{@begin_char}, Message:#{@type[:message]}, Recommendation:#{@type[:recommendation]}>"
+    return "<Sin:#{@type[:name]}, Line:#{@begin_line}, Char:#{@begin_char}, Message:#{@type[:message]}, Recommendation:#{@type[:solution]}>"
   end
+  def ==(other_object)
+    @type == other_object.type && @begin_line == other_object.begin_line && @begin_char == other_object.begin_char && @end_line == other_object.end_line && @end_char == other_object.end_char
+  end
 end

data/lib/sin/sin_type.rb ADDED Viewed

@@ -0,0 +1,44 @@
+module SinType
+  base_url="https://tiagor98.github.io/puppet-sec-lint"
+  HardCodedCred = {
+    name: "Hard Coded Credentials",
+    message: "Do not hard code secrets. This may help an attacker to attack the system.",
+    solution: "#{base_url}/hard-coded-credentials"
+  }
+  HttpWithoutTLS = {
+    name: "HTTP without TLS",
+    message: "Do not use HTTP without TLS. This may cause a man in the middle attack.",
+    solution: "#{base_url}/http-without-tls"
+  }
+  AdminByDefault = {
+    name: "Admin by default",
+    message: "This violates the secure by design principle.",
+    solution: "#{base_url}/admin-by-default"
+  }
+  EmptyPassword = {
+    name: "Empty password",
+    message: "Do not keep password field empty. This may help an attacker to attack.",
+    solution: "#{base_url}/empty-password"
+  }
+  InvalidIPAddrBinding = {
+    name: "Invalid IP Address Binding",
+    message: "This config allows connections from every possible network.",
+    solution: "#{base_url}/invalid-ip-addr-binding"
+  }
+  SuspiciousComments = {
+    name: "Suspicious Comments",
+    message: "This comment can expose sensitive information to attackers.",
+    solution: "#{base_url}/suspicious-comments"
+  }
+  WeakCryptoAlgorithm = {
+    name: "Weak Crypto Algorithm",
+    message: "Do not use this algorithm, as it may have security weaknesses.",
+    solution: "#{base_url}/weak-crypto-algorithm"
+  }
+  CyrillicHomographAttack = {
+    name: "Cyrillic Homograph attack",
+    message: "This link has a cyrillic char. These are not rendered by browsers and are sometimes used for phishing attacks.",
+    solution: "#{base_url}/cyrillic-homograph-attack"
+  }
+end

data/lib/test.txt ADDED Viewed

@@ -0,0 +1,15 @@
+jiuhiuhiuh
+ouhiuhiuh
+iuhiuh
+iuhiuhkokok
+kokokokokokokowdijwoidjqwoidjqwodijqdoiqjwdodij
+qwdqwd
+qwdqwddq
+wd
+qwdqwdoijoijoijoij
+oijoijoijoij
+kkkkkkkk
+huiuhiuhiuh
+kkjjjm
+okpokpok,l,l,l

data/lib/test2.rb ADDED Viewed

@@ -0,0 +1,16 @@
+require 'rjr/nodes/ws'
+# listen for methods via amqp, websockets, http, and via local calls
+ws_node    = RJR::Nodes::WS.new    :node_id => 'server', :host   => '127.0.0.1', :port => 5007
+# define a rpc method called 'hello' which takes
+# one argument and returns it in upper case
+ws_node.dispatcher.handle("initialize") { |processId,clientInfo,locale,rootPath,rootUri,capabilities,trace,workspaceFolders|
+  arg.upcase
+}
+# start the server and block
+ws_node.listen
+ws_node.join

data/lib/test3.rb ADDED Viewed

@@ -0,0 +1,32 @@
+require 'socket'                 # Get sockets from stdlib
+require 'json'
+server = TCPServer.open(5007)    # Socket to listen on port 2000
+loop {
+  Thread.fork(server.accept) do |client|
+    while line=client.gets
+      length=Integer(line.scan(/\d/).join(''))
+      line=client.read(length+2)
+      request = JSON.parse(line)
+      puts line
+      response = {
+          jsonrpc: request['jsonrpc'],
+          result: {
+            capabilities: {
+              textDocumentSync:1
+            }
+          },
+          id: request['id']
+      }
+      response = JSON.generate(response)
+      client.flush
+      client.puts("Content-Length: "+response.length.to_s+"\r\n\r\n")
+      client.puts(response)
+    end
+    client.close
+  end
+}

data/lib/test_new.rb ADDED Viewed

@@ -0,0 +1,19 @@
+require 'jimson'
+class MyHandler
+  extend Jimson::Handler
+  def initi(a,b)
+    a + b
+  end
+  def initialize
+    super
+  end
+end
+server = Jimson::Server.new(MyHandler.new)
+server.port = 5007
+server.host = '127.0.0.1'
+server.start # serve with webrick on http://0.0.0.0:8999/

data/puppet-sec-lint-0.5.3.gem ADDED Viewed

Binary file

data/puppet-sec-lint.gemspec CHANGED Viewed

@@ -30,7 +30,13 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
   # Uncomment to register a new dependency of your gem
-  # spec.add_dependency "example-gem", "~> 1.0"
+  spec.add_runtime_dependency 'puppet-lint', '~> 2.4', '>= 2.4.2'
+  spec.add_runtime_dependency 'rake', '~> 13.0'
+  spec.add_runtime_dependency 'minitest', '~> 5.0'
+  spec.add_runtime_dependency 'rack', '~> 2.2.3'
+  spec.add_runtime_dependency 'thin', '~> 1.8.0'
+  spec.add_runtime_dependency 'inifile', '~> 3.0.0'
+  spec.add_runtime_dependency 'launchy', '~> 2.5.0'
   # For more information and examples about making a new gem, checkout our
   # guide at: https://bundler.io/guides/creating_gem.html

metadata CHANGED Viewed

@@ -1,15 +1,119 @@
 --- !ruby/object:Gem::Specification
 name: puppet-sec-lint
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.5.4
 platform: ruby
 authors:
 - Tiago Ribeiro
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-04-11 00:00:00.000000000 Z
-dependencies: []
+date: 2021-05-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: puppet-lint
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.4'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.4.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.4'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.4.2
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.3
+- !ruby/object:Gem::Dependency
+  name: thin
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.8.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.8.0
+- !ruby/object:Gem::Dependency
+  name: inifile
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: launchy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.5.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.5.0
 description: This is a more complete security linter for the puppet language
 email:
 - tiago7b27@gmail.com
@@ -35,24 +139,53 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- _config.yml
 - bin/console
 - bin/setup
+- docs/404.html
+- docs/Gemfile
+- docs/Gemfile.lock
+- docs/_config.yml
+- docs/_posts/2021-05-03-welcome-to-jekyll.markdown
+- docs/_site/404.html
+- docs/_site/feed.xml
+- docs/_site/index.html
+- docs/_site/jekyll/update/2021/05/03/welcome-to-jekyll.html
+- docs/hard-coded-credentials.md
+- docs/images/puppet-sec-lint_console.png
+- docs/images/puppet-sec-lint_vscode.png
+- docs/index.md
 - exe/puppet-sec-lint
+- file.pp
 - lib/configurations/boolean_configuration.rb
 - lib/configurations/configuration.rb
 - lib/configurations/list_configuration.rb
+- lib/configurations/regex_configuration.rb
 - lib/facades/configuration_file_facade.rb
 - lib/facades/configuration_page_facade.rb
-- lib/language_server.rb
 - lib/lol.pp
 - lib/puppet-sec-lint/version.rb
 - lib/rule_engine.rb
+- lib/rules/admin_by_default_rule.rb
+- lib/rules/cyrillic_homograph_attack.rb
+- lib/rules/empty_password_rule.rb
 - lib/rules/hard_coded_credentials_rule.rb
+- lib/rules/invalid_ip_addr_binding_rule.rb
 - lib/rules/no_http_rule.rb
 - lib/rules/rule.rb
-- lib/sin.rb
-- lib/sin_type.rb
+- lib/rules/suspicious_comment_rule.rb
+- lib/rules/use_weak_crypto_algorithms_rule.rb
+- lib/servers/language_server.rb
+- lib/servers/linter_server.rb
+- lib/settings.ini
+- lib/sin/sin.rb
+- lib/sin/sin_type.rb
+- lib/test.txt
+- lib/test2.rb
+- lib/test3.rb
+- lib/test_new.rb
 - lib/visitors/configuration_visitor.rb
+- puppet-sec-lint-0.5.3.gem
 - puppet-sec-lint.gemspec
 homepage: https://github.com/TiagoR98/puppet-sec-lint
 licenses: