puppet-sec-lint 0.1.2 → 0.5.4

data/lib/rules/suspicious_comment_rule.rb

@@ -0,0 +1,28 @@
+require_relative '../configurations/list_configuration'
+
+class SuspiciousCommentRule < Rule
+  @trigger_words = %w[hack fixme later later2 todo ticket launchpad bug to-do]
+  @suspicious = /hack|fixme|ticket|bug|secur|debug|defect|weak/
+
+  @trigger_words_conf = ListConfiguration.new("List of trigger words", @trigger_words, "List of words that identify a suspicious comment")
+  @suspicious_conf = RegexConfiguration.new("Regular expression of keywords present in suspicious comments", @suspicious, "Regular expression that identifies words that are immediately considered suspicious comments that shouldn't be present in a finalized product.")
+
+  @configurations+=[@trigger_words_conf, @suspicious_conf]
+
+  @name = "Suspicious comments"
+
+  def self.AnalyzeTokens(tokens)
+    result = []
+
+    ftokens = self.get_comments(tokens)
+    ftokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      if (token_value =~ @suspicious_conf.value)
+        result.append(Sin.new(SinType::SuspiciousComments, token.line, token.column, token.line, token.column+token_value.length))
+      end
+    end
+
+    return result
+  end
+end

data/lib/rules/use_weak_crypto_algorithms_rule.rb

@@ -0,0 +1,28 @@
+require_relative '../configurations/list_configuration'
+
+class UseWeakCryptoAlgorithmsRule < Rule
+  @name = "Use of weak crypto algorithm"
+
+  @poor_crypto = /^(sha1|md5)/
+
+  @poor_crypto_conf = RegexConfiguration.new("Regular expression of weak Crypto Algorithms", @poor_crypto, "Regular expression for names of known weak Cryptographic algorithms that shouldn't be used to secure sensitive information.")
+
+  @configurations+=[@poor_crypto_conf]
+
+  def self.AnalyzeTokens(tokens)
+    result = []
+
+    tokens.each do |token|
+      token_value = token.value.downcase
+      token_type = token.type.to_s
+      if !token.next_token.nil?
+        next_token_type = token.next_token.type.to_s
+      end
+      if (token_value =~ @poor_crypto_conf.value) && (next_token_type.eql? "LPAREN")
+        result.append(Sin.new(SinType::WeakCryptoAlgorithm, token.line, token.column, token.line, token.column+token_value.length))
+      end
+    end
+
+    return result
+  end
+end

data/lib/servers/language_server.rb

@@ -0,0 +1,101 @@
+require 'json'
+require 'uri'
+require 'socket'
+require_relative '../rule_engine'
+require_relative '../visitors/configuration_visitor'
+require_relative '../facades/configuration_page_facade'
+require_relative '../facades/configuration_file_facade'
+
+class LanguageServer
+  ConfigurationVisitor.GenerateIDs
+  ConfigurationFileFacade.LoadConfigurations
+
+  def self.start(port)
+    port ||= 5007
+    server = TCPServer.open(port)
+
+    loop {
+      Thread.fork(server.accept) do |client|
+        while line=client.gets
+          length=Integer(line.scan(/\d/).join(''))
+          line=client.read(length+2)
+          request = JSON.parse(line)
+          puts line
+
+          method_name = request['method'].sub('/', '_')
+          response = if self.respond_to? "client_"+method_name then self.send("client_"+method_name,request['id'],request['params']) end
+
+          if not response.nil?
+            client.flush
+            client.print("Content-Length: "+response.length.to_s+"\r\n\r\n")
+            client.print(response)
+            puts response
+          end
+        end
+        client.close
+      end
+    }
+  end
+
+  def self.client_initialize(id,params)
+    return JSON.generate({
+      jsonrpc: '2.0',
+      result: {
+        capabilities: {
+          textDocumentSync:1,
+          implementationProvider: "true"
+        }
+      },
+      id: id
+    })
+  end
+
+  def self.client_textDocument_didOpen(id,params)
+    uri = params["textDocument"]["uri"]
+    version = params["textDocument"]["version"]
+    code = params['textDocument']['text']
+    return self.generate_diagnostics(uri,version,code)
+    return
+  end
+
+  def self.client_textDocument_didChange(id,params)
+    uri = params["textDocument"]["uri"]
+    version = params["textDocument"]["version"]
+    code = params['contentChanges'][0]['text']
+    return self.generate_diagnostics(uri,version,code)
+    return
+  end
+
+  def self.generate_diagnostics(uri,version,code)
+    result = RuleEngine.analyzeDocument(code) #convert to json
+
+    diagnostics = []
+
+    result.each do |sin|
+      diagnostics.append({
+                           range:{
+                             start: { line: sin.begin_line-1, character: sin.begin_char },
+                             end: { line: sin.end_line-1, character: sin.end_char }
+                           },
+                           severity: 2,
+                           code: {
+                             value:sin.type[:name],
+                             target:sin.type[:solution]
+                           },
+                           source:'Puppet-sec-lint',
+                           message: sin.type[:message]
+                         })
+    end
+
+    return JSON.generate({
+                           jsonrpc: '2.0',
+                           method: 'textDocument/publishDiagnostics',
+                           params: {
+                             uri: uri,
+                             version: version,
+                             diagnostics: diagnostics
+                           }
+                         })
+  end
+
+end

data/lib/servers/linter_server.rb

@@ -0,0 +1,52 @@
+require "rack"
+require "thin"
+require 'json'
+require 'uri'
+require_relative '../rule_engine'
+require_relative '../visitors/configuration_visitor'
+require_relative '../facades/configuration_page_facade'
+require_relative '../facades/configuration_file_facade'
+
+class LinterServer
+  ConfigurationVisitor.GenerateIDs
+  ConfigurationFileFacade.LoadConfigurations
+
+  def call(env)
+    req = Rack::Request.new(env)
+
+    case req.path
+    when "/configuration"
+      if req.post?
+        process_form(req)
+      elsif req.get?
+        configurations_page
+      end
+    end
+
+  end
+
+  def configurations_page
+    configuration_page = ConfigurationPageFacade.AssemblePage
+
+    return [200, { 'Content-Type' => 'text/html' }, [configuration_page]]
+  end
+
+  def process_form(req)
+    new_conf = URI.decode_www_form(req.body.read)
+    new_conf_hash = Hash[new_conf.map {|key, value| [key, value]}]
+
+    begin
+      ConfigurationPageFacade.ApplyConfigurations(new_conf_hash)
+      ConfigurationFileFacade.SaveConfigurations
+    rescue StandardError => error
+      return [400, { 'Content-Type' => 'text/plain' }, ["Error: #{error.message}"]]
+    end
+
+    return [200, { 'Content-Type' => 'text/plain' }, ["Changes saved successfully"]]
+  end
+
+  def self.start(port)
+    Rack::Handler::Thin.run(LinterServer.new, :Port => port)
+  end
+
+end

data/lib/settings.ini

@@ -0,0 +1,39 @@
+[HardCodedCredentialsRule]
+HardCodedCredentialsRule-enable_configuration = true
+HardCodedCredentialsRule-list_of_known_words_not_considered_in_credentials = pe-puppet,pe-webserver,pe-puppetdb,pe-postgres,pe-console-services,pe-orchestration-services,pe-ace-server,pe-bolt-server
+HardCodedCredentialsRule-list_of_invalid_values_in_credentials = undefined,unset,www-data,wwwrun,www,no,yes,[],root
+HardCodedCredentialsRule-regular_expression_of_words_present_in_credentials = (?-mix:user|usr|pass(word|_|$)|pwd|key|secret)
+HardCodedCredentialsRule-regular_expression_of_words_not_present_in_credentials = (?-mix:gpg|path|type|buff|zone|mode|tag|header|scheme|length|guid)
+
+[NoHTTPRule]
+NoHTTPRule-enable_configuration = true
+NoHTTPRule-list_of_resources_that_can_use_http = apt::source,::apt::source,wget::fetch,yumrepo,yum::,aptly::mirror,util::system_package,yum::managed_yumrepo
+NoHTTPRule-list_of_keywords_for_urls = backport,key,download,uri,mirror
+NoHTTPRule-regular_expression_of_a_normal_http_address = (?-mix:^http:\/\/.+)
+
+[AdminByDefaultRule]
+AdminByDefaultRule-enable_configuration = true
+AdminByDefaultRule-regular_expression_of_words_present_in_credentials = (?-mix:user|usr|pass(word|_|$)|pwd)
+
+[EmptyPasswordRule]
+EmptyPasswordRule-enable_configuration = true
+EmptyPasswordRule-list_of_trigger_words = pwd,password,pass
+EmptyPasswordRule-regular_expression_of_password_name = (?-mix:pass(word|_|$)|pwd)
+
+[InvalidIPAddrBindingRule]
+InvalidIPAddrBindingRule-enable_configuration = true
+InvalidIPAddrBindingRule-regular_expression_of_an_invalid_ip_address = (?-mix:^((http(s)?:\/\/)?0.0.0.0(:\d{1,5})?)$)
+
+[UseWeakCryptoAlgorithmsRule]
+UseWeakCryptoAlgorithmsRule-enable_configuration = true
+UseWeakCryptoAlgorithmsRule-regular_expression_of_weak_crypto_algorithms = (?-mix:^(sha1|md5))
+
+[SuspiciousCommentRule]
+SuspiciousCommentRule-enable_configuration = true
+SuspiciousCommentRule-list_of_trigger_words = hack,fixme,later,later2,todo,ticket,launchpad,bug,to-do
+SuspiciousCommentRule-regular_expression_of_keywords_present_in_suspicious_comments = (?-mix:hack|fixme|ticket|bug|secur|debug|defect|weak)
+
+[CyrillicHomographAttack]
+CyrillicHomographAttack-enable_configuration = true
+CyrillicHomographAttack-regular_expression_of_links_with_cyrillic_characters = (?-mix:^(http(s)?:\/\/)?.*\p{Cyrillic}+)
+

data/lib/{sin.rb → sin/sin.rb}

@@ -10,6 +10,11 @@ class Sin
   end
 
   def ToString
-    return "<Sin:#{@type[:name]}, Line:#{@begin_line}, Char:#{@begin_char}, Message:#{@type[:message]}, Recommendation:#{@type[:recommendation]}>"
+    return "<Sin:#{@type[:name]}, Line:#{@begin_line}, Char:#{@begin_char}, Message:#{@type[:message]}, Recommendation:#{@type[:solution]}>"
   end
+
+  def ==(other_object)
+    @type == other_object.type && @begin_line == other_object.begin_line && @begin_char == other_object.begin_char && @end_line == other_object.end_line && @end_char == other_object.end_char
+  end
+
 end

data/lib/sin/sin_type.rb

@@ -0,0 +1,44 @@
+module SinType
+  base_url="https://tiagor98.github.io/puppet-sec-lint"
+
+  HardCodedCred = {
+    name: "Hard Coded Credentials",
+    message: "Do not hard code secrets. This may help an attacker to attack the system.",
+    solution: "#{base_url}/hard-coded-credentials"
+  }
+  HttpWithoutTLS = {
+    name: "HTTP without TLS",
+    message: "Do not use HTTP without TLS. This may cause a man in the middle attack.",
+    solution: "#{base_url}/http-without-tls"
+  }
+  AdminByDefault = {
+    name: "Admin by default",
+    message: "This violates the secure by design principle.",
+    solution: "#{base_url}/admin-by-default"
+  }
+  EmptyPassword = {
+    name: "Empty password",
+    message: "Do not keep password field empty. This may help an attacker to attack.",
+    solution: "#{base_url}/empty-password"
+  }
+  InvalidIPAddrBinding = {
+    name: "Invalid IP Address Binding",
+    message: "This config allows connections from every possible network.",
+    solution: "#{base_url}/invalid-ip-addr-binding"
+  }
+  SuspiciousComments = {
+    name: "Suspicious Comments",
+    message: "This comment can expose sensitive information to attackers.",
+    solution: "#{base_url}/suspicious-comments"
+  }
+  WeakCryptoAlgorithm = {
+    name: "Weak Crypto Algorithm",
+    message: "Do not use this algorithm, as it may have security weaknesses.",
+    solution: "#{base_url}/weak-crypto-algorithm"
+  }
+  CyrillicHomographAttack = {
+    name: "Cyrillic Homograph attack",
+    message: "This link has a cyrillic char. These are not rendered by browsers and are sometimes used for phishing attacks.",
+    solution: "#{base_url}/cyrillic-homograph-attack"
+  }
+end

data/lib/test.txt

@@ -0,0 +1,15 @@
+jiuhiuhiuh
+ouhiuhiuh
+iuhiuh
+iuhiuhkokok
+kokokokokokokowdijwoidjqwoidjqwodijqdoiqjwdodij
+qwdqwd
+qwdqwddq
+wd
+qwdqwdoijoijoijoij
+oijoijoijoij
+kkkkkkkk
+huiuhiuhiuh
+
+kkjjjm
+okpokpok,l,l,l

data/lib/test2.rb

@@ -0,0 +1,16 @@
+require 'rjr/nodes/ws'
+
+# listen for methods via amqp, websockets, http, and via local calls
+
+ws_node    = RJR::Nodes::WS.new    :node_id => 'server', :host   => '127.0.0.1', :port => 5007
+
+
+# define a rpc method called 'hello' which takes
+# one argument and returns it in upper case
+ws_node.dispatcher.handle("initialize") { |processId,clientInfo,locale,rootPath,rootUri,capabilities,trace,workspaceFolders|
+  arg.upcase
+}
+
+# start the server and block
+ws_node.listen
+ws_node.join

data/lib/test3.rb

@@ -0,0 +1,32 @@
+require 'socket'                 # Get sockets from stdlib
+require 'json'
+
+server = TCPServer.open(5007)    # Socket to listen on port 2000
+
+loop {
+  Thread.fork(server.accept) do |client|
+    while line=client.gets
+      length=Integer(line.scan(/\d/).join(''))
+      line=client.read(length+2)
+      request = JSON.parse(line)
+      puts line
+
+      response = {
+          jsonrpc: request['jsonrpc'],
+          result: {
+            capabilities: {
+              textDocumentSync:1
+            }
+          },
+          id: request['id']
+      }
+
+      response = JSON.generate(response)
+
+      client.flush
+      client.puts("Content-Length: "+response.length.to_s+"\r\n\r\n")
+      client.puts(response)
+    end
+    client.close
+  end
+}

data/lib/test_new.rb

@@ -0,0 +1,19 @@
+require 'jimson'
+
+class MyHandler
+  extend Jimson::Handler
+
+  def initi(a,b)
+    a + b
+  end
+
+  def initialize
+    super
+  end
+
+end
+
+server = Jimson::Server.new(MyHandler.new)
+server.port = 5007
+server.host = '127.0.0.1'
+server.start # serve with webrick on http://0.0.0.0:8999/

data/puppet-sec-lint.gemspec

@@ -30,7 +30,13 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   # Uncomment to register a new dependency of your gem
-  # spec.add_dependency "example-gem", "~> 1.0"
+  spec.add_runtime_dependency 'puppet-lint', '~> 2.4', '>= 2.4.2'
+  spec.add_runtime_dependency 'rake', '~> 13.0'
+  spec.add_runtime_dependency 'minitest', '~> 5.0'
+  spec.add_runtime_dependency 'rack', '~> 2.2.3'
+  spec.add_runtime_dependency 'thin', '~> 1.8.0'
+  spec.add_runtime_dependency 'inifile', '~> 3.0.0'
+  spec.add_runtime_dependency 'launchy', '~> 2.5.0'
 
   # For more information and examples about making a new gem, checkout our
   # guide at: https://bundler.io/guides/creating_gem.html

metadata

@@ -1,15 +1,119 @@
 --- !ruby/object:Gem::Specification
 name: puppet-sec-lint
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.5.4
 platform: ruby
 authors:
 - Tiago Ribeiro
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-04-11 00:00:00.000000000 Z
-dependencies: []
+date: 2021-05-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: puppet-lint
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.4'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.4.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.4'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.4.2
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.3
+- !ruby/object:Gem::Dependency
+  name: thin
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.8.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.8.0
+- !ruby/object:Gem::Dependency
+  name: inifile
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: launchy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.5.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.5.0
 description: This is a more complete security linter for the puppet language
 email:
 - tiago7b27@gmail.com
@@ -35,24 +139,53 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- _config.yml
 - bin/console
 - bin/setup
+- docs/404.html
+- docs/Gemfile
+- docs/Gemfile.lock
+- docs/_config.yml
+- docs/_posts/2021-05-03-welcome-to-jekyll.markdown
+- docs/_site/404.html
+- docs/_site/feed.xml
+- docs/_site/index.html
+- docs/_site/jekyll/update/2021/05/03/welcome-to-jekyll.html
+- docs/hard-coded-credentials.md
+- docs/images/puppet-sec-lint_console.png
+- docs/images/puppet-sec-lint_vscode.png
+- docs/index.md
 - exe/puppet-sec-lint
+- file.pp
 - lib/configurations/boolean_configuration.rb
 - lib/configurations/configuration.rb
 - lib/configurations/list_configuration.rb
+- lib/configurations/regex_configuration.rb
 - lib/facades/configuration_file_facade.rb
 - lib/facades/configuration_page_facade.rb
-- lib/language_server.rb
 - lib/lol.pp
 - lib/puppet-sec-lint/version.rb
 - lib/rule_engine.rb
+- lib/rules/admin_by_default_rule.rb
+- lib/rules/cyrillic_homograph_attack.rb
+- lib/rules/empty_password_rule.rb
 - lib/rules/hard_coded_credentials_rule.rb
+- lib/rules/invalid_ip_addr_binding_rule.rb
 - lib/rules/no_http_rule.rb
 - lib/rules/rule.rb
-- lib/sin.rb
-- lib/sin_type.rb
+- lib/rules/suspicious_comment_rule.rb
+- lib/rules/use_weak_crypto_algorithms_rule.rb
+- lib/servers/language_server.rb
+- lib/servers/linter_server.rb
+- lib/settings.ini
+- lib/sin/sin.rb
+- lib/sin/sin_type.rb
+- lib/test.txt
+- lib/test2.rb
+- lib/test3.rb
+- lib/test_new.rb
 - lib/visitors/configuration_visitor.rb
+- puppet-sec-lint-0.5.3.gem
 - puppet-sec-lint.gemspec
 homepage: https://github.com/TiagoR98/puppet-sec-lint
 licenses: