puppet-sec-lint 0.5.10 → 0.5.11
- checksums.yaml +4 -4
- data/Gemfile.lock +2 -1
- data/lib/puppet-sec-lint/version.rb +1 -1
- data/lib/rule_engine.rb +6 -2
- data/lib/rules/no_http_rule.rb +6 -5
- data/lib/rules/rule.rb +2 -3
- data/lib/settings.ini +3 -2
- metadata +2 -4
- data/puppet-sec-lint-0.5.8.gem +0 -0
- data/puppet-sec-lint-0.5.9.gem +0 -0
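--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 67a4dd80a401b71eaab4f79e3fa450d165c442e0ea1dd94a5f42e857da6ea1bf
+data.tar.gz: d2c8e7e7dc3dc0c408a5c37e7a1625f49dd02702a1367944f7a7697f9cb96b32
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 17b1aaa97c44c6bdec2ef334ae7bbe3214023f8b75f9de42cd510a9debaf499ef86e6a02611f115809ec20433b9ad7c279b86d5acde6255aa78831a5fa2804e9
+data.tar.gz: 2d911ad4836cea34361647374c448d506f5b9be896e2e5d664f38e81e1915a162760ec89a3b7648328be525f9129b88aba039252bcd9a5055913deaafe2d4513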
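--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,13 +1,14 @@
 PATH
 remote: .
 specs:
-puppet-sec-lint (0.5.
+puppet-sec-lint (0.5.10)
 inifile (~> 3.0.0)
 launchy (~> 2.5.0)
 minitest (~> 5.0)
 puppet-lint (~> 2.4, >= 2.4.2)
 rack (~> 2.2.3)
 rake (~> 13.0)
+webrick (~> 1.7.0)
 
 GEM
 remote: https://rubygems.org/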
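--- a/data/lib/rule_engine.rb
+++ b/data/lib/rule_engine.rb
@@ -35,8 +35,12 @@ class RuleEngine
 tokens = self.getTokens(code)
 
 @rules.each do |rule|
-
-
+begin
+if rule.configurations[0].value
+(result << rule.AnalyzeTokens(tokens)).flatten!
+end
+rescue
+puts "Error in running rule #{rule.name}"
 end
 end
 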
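Review bot: The new bare `rescue` inside the `@rules.each` loop swallows every StandardError a rule raises and only prints a one-line message to stdout, so a rule that crashes (for example on a malformed configuration value) contributes zero findings and the run still looks clean — for a security linter that is a fail-open default. Capture the exception and send it to stderr so CI logs show why a rule was skipped: `rescue StandardError => e` followed by `warn "Error in running rule #{rule.name}: #{e.class}: #{e.message}"`, and consider recording the failure so the caller can return a non-zero exit. `rule.configurations[0].value` also relies on the enable flag always being the first entry each rule appends to `@configurations`, which is a convention rather than a contract; a named accessor on Rule would make the intent explicit. The enclosing method begins before this hunk.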
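--- a/data/lib/rules/no_http_rule.rb
+++ b/data/lib/rules/no_http_rule.rb
@@ -8,21 +8,22 @@ class NoHTTPRule < Rule
 @resources = %w[apt::source ::apt::source wget::fetch yumrepo yum:: aptly::mirror util::system_package yum::managed_yumrepo]
 @keywords = %w[backport key download uri mirror]
 @http = /^http:\/\/.+/
-@whitelist =
+@whitelist = ""
 
 @resources_conf = ListConfiguration.new("List of resources that can use HTTP", @resources, "List of resources that are known to not use HTTPS but that validate the transferred content with other secure methods.")
 @keywords_conf = ListConfiguration.new("List of keywords for URLs", @keywords, "List of keywords that identify hyperlinks that should be analyzed.")
+@whitelist_conf = RegexConfiguration.new("HTTP Address whitelist", @whitelist, "List of addresses that are allowed to have non-secure http connections to them.")
 @http_conf = RegexConfiguration.new("Regular expression of a normal HTTP address", @http, "Regular expression that identifies the URL of a website using the regular non-secure HTTP protocol.")
 
-@configurations+=[@resources_conf, @keywords_conf, @http_conf]
+@configurations+=[@resources_conf, @keywords_conf, @http_conf, @whitelist_conf]
 
 def self.AnalyzeTokens(tokens)
 result = []
 
 ptokens = self.filter_resources(tokens, @resources_conf.value)
-ctokens = self.filter_variables(ptokens, @keywords_conf.value)
-if @
-wtokens = self.filter_whitelist(ctokens)
+ctokens = self.filter_variables(ptokens, @keywords_conf.value) #TODO: It's working upside down
+if @whitelist_conf.value
+wtokens = self.filter_whitelist(ctokens, @whitelist_conf.value)
 else
 wtokens = ptokens
 end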
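Review bot: The new guard `if @whitelist_conf.value` cannot turn the whitelist off: the default is now `@whitelist = ""`, and an empty String is truthy in Ruby, so the whitelist branch always runs, and if that value reaches `filter_whitelist` as a String rather than a Regexp, `whitelist =~ hash.value.downcase` raises TypeError, which the rule engine's rescue would turn into the whole NoHTTP rule being skipped (whether the settings loader converts `http_address_whitelist` into a Regexp is not visible here). Test for a usable pattern instead, `if @whitelist_conf.value.is_a?(Regexp)`, so a missing or malformed whitelist fails closed rather than disabling the rule. The `else` branch also falls back to `ptokens` instead of `ctokens`, so running without a whitelist silently discards the keyword filter that the whitelist path applies; `wtokens = ctokens` keeps the two paths consistent. The `#TODO: It's working upside down` remark on the filter_variables line records a known inversion in the keyword filter that this commit ships without fixing, which belongs in an issue rather than an inline comment. AnalyzeTokens continues past the end of this hunk.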
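--- a/data/lib/rules/rule.rb
+++ b/data/lib/rules/rule.rb
@@ -67,10 +67,9 @@ class Rule
 return ftokens
 end
 
-def self.filter_whitelist(tokens)
+def self.filter_whitelist(tokens, whitelist)
 ftokens=tokens.find_all do |hash|
-
-true # TODO: Understand the whitelist
+!(whitelist =~ hash.value.downcase)
 end
 return ftokens
 end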
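Review bot: `!(whitelist =~ hash.value.downcase)` is an unanchored search, so unless every configured pattern anchors both ends of the host, any URL that merely contains the allowed host somewhere in its text is exempted (a `127.0.0.1` pattern would pass `http://attacker.example/?next=127.0.0.1`), and a non-Regexp whitelist value makes `=~` raise TypeError instead of failing closed. Make both explicit: `!(whitelist.is_a?(Regexp) && whitelist =~ hash.value.to_s.downcase)`, where `to_s` also covers a token whose value is nil (today `hash.value.downcase` would raise NoMethodError). Add a comment above the method stating the contract, along the lines of `# whitelist must be a Regexp that pins scheme, host and host terminator, e.g. \Ahttp://127\.0\.0\.1(?::\d+)?(?:/|\z); a bare substring exempts every URL containing it`. The Rule class begins outside this hunk; filter_whitelist itself is complete within it.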
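--- a/data/lib/settings.ini
+++ b/data/lib/settings.ini
@@ -1,15 +1,16 @@
 [HardCodedCredentialsRule]
-HardCodedCredentialsRule-enable_configuration =
+HardCodedCredentialsRule-enable_configuration = true
 HardCodedCredentialsRule-list_of_known_words_not_considered_in_credentials = pe-puppet,pe-webserver,pe-puppetdb,pe-postgres,pe-console-services,pe-orchestration-services,pe-ace-server,pe-bolt-server
 HardCodedCredentialsRule-list_of_invalid_values_in_credentials = undefined,unset,www-data,wwwrun,www,no,yes,[],root
 HardCodedCredentialsRule-regular_expression_of_words_present_in_credentials = (?-mix:user|usr|pass(word|_|$)|pwd|key|secret)
 HardCodedCredentialsRule-regular_expression_of_words_not_present_in_credentials = (?-mix:gpg|path|type|buff|zone|mode|tag|header|scheme|length|guid)
 
 [NoHTTPRule]
-NoHTTPRule-enable_configuration =
+NoHTTPRule-enable_configuration = true
 NoHTTPRule-list_of_resources_that_can_use_http = apt::source,::apt::source,wget::fetch,yumrepo,yum::,aptly::mirror,util::system_package,yum::managed_yumrepo
 NoHTTPRule-list_of_keywords_for_urls = backport,key,download,uri,mirror
 NoHTTPRule-regular_expression_of_a_normal_http_address = (?-mix:^http:\/\/.+)
+NoHTTPRule-http_address_whitelist = (?-mix:^(127.0.0.1))
 
 [AdminByDefaultRule]
 AdminByDefaultRule-enable_configuration = true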
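Review bot: The new `NoHTTPRule-http_address_whitelist = (?-mix:^(127.0.0.1))` does not express what it intends: the dots are unescaped, so `127a0b0c1` matches as well; `^` anchors at a line start while the values it is compared against begin with `http://` (see the `regular_expression_of_a_normal_http_address` entry just above), so the pattern never matches a real URL; and nothing terminates the host, so once the anchor is corrected `http://127.0.0.1.attacker.example/` would be exempted too. A pattern that pins scheme, host and the end of the host is `NoHTTPRule-http_address_whitelist = (?-mix:\Ahttp:\/\/127\.0\.0\.1(?::\d+)?(?:\/|\z))`. The `enable_configuration = true` entries come from an INI file, and if the loader leaves them as strings then both "true" and "false" are truthy in Ruby and a rule could not be switched off through this file — worth confirming in the loader, which is not visible here. Every whitelist entry is a permanent exemption from the plain-HTTP check, so a comment in this file should say which hosts qualify (loopback, or mirrors whose content is verified by other means).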
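--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet-sec-lint
 version: !ruby/object:Gem::Version
-version: 0.5.
+version: 0.5.11
 platform: ruby
 authors:
 - Tiago Ribeiro
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-05-
+date: 2021-05-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: puppet-lint
@@ -187,8 +187,6 @@ files:
 - lib/sin/sin.rb
 - lib/sin/sin_type.rb
 - lib/visitors/configuration_visitor.rb
-- puppet-sec-lint-0.5.8.gem
-- puppet-sec-lint-0.5.9.gem
 - puppet-sec-lint.gemspec
 homepage: https://github.com/TiagoR98/puppet-sec-lint
 licenses: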
data/puppet-sec-lint-0.5.8.gem
DELETED
Binary file
|
data/puppet-sec-lint-0.5.9.gem
DELETED
Binary file
|