puppet-sec-lint 0.5.10 → 0.5.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile.lock +2 -1
- data/lib/puppet-sec-lint/version.rb +1 -1
- data/lib/rule_engine.rb +6 -2
- data/lib/rules/no_http_rule.rb +6 -5
- data/lib/rules/rule.rb +2 -3
- data/lib/settings.ini +3 -2
- metadata +2 -4
- data/puppet-sec-lint-0.5.8.gem +0 -0
- data/puppet-sec-lint-0.5.9.gem +0 -0
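--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 67a4dd80a401b71eaab4f79e3fa450d165c442e0ea1dd94a5f42e857da6ea1bf
+data.tar.gz: d2c8e7e7dc3dc0c408a5c37e7a1625f49dd02702a1367944f7a7697f9cb96b32
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 17b1aaa97c44c6bdec2ef334ae7bbe3214023f8b75f9de42cd510a9debaf499ef86e6a02611f115809ec20433b9ad7c279b86d5acde6255aa78831a5fa2804e9
+data.tar.gz: 2d911ad4836cea34361647374c448d506f5b9be896e2e5d664f38e81e1915a162760ec89a3b7648328be525f9129b88aba039252bcd9a5055913deaafe2d4513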
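--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,13 +1,14 @@
 PATH
 remote: .
 specs:
-puppet-sec-lint (0.5.
+puppet-sec-lint (0.5.10)
 inifile (~> 3.0.0)
 launchy (~> 2.5.0)
 minitest (~> 5.0)
 puppet-lint (~> 2.4, >= 2.4.2)
 rack (~> 2.2.3)
 rake (~> 13.0)
+webrick (~> 1.7.0)
 
 GEM
 remote: https://rubygems.org/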
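--- a/data/lib/rule_engine.rb
+++ b/data/lib/rule_engine.rb
@@ -35,8 +35,12 @@ class RuleEngine
 tokens = self.getTokens(code)
 
 @rules.each do |rule|
-
-
+begin
+if rule.configurations[0].value
+(result << rule.AnalyzeTokens(tokens)).flatten!
+end
+rescue
+puts "Error in running rule #{rule.name}"
 end
 end
 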
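Review bot: The bare `rescue` on new line 42 discards the exception object, so a rule that raises is reported only as `Error in running rule <name>` on stdout with no class or message, and the run continues as if that rule had produced zero findings; for a security linter this turns a broken rule into a silent pass. Capture and report the error on stderr: `rescue => e` followed by `warn "Error in running rule #{rule.name}: #{e.class}: #{e.message}"`. The `if rule.configurations[0].value` guard on new line 39 presumes the enable flag is always the first configuration of every rule, which this hunk cannot confirm; a comment stating that contract, or a named accessor on Rule such as `enabled?`, would make the dependency explicit. The enclosing method begins before the hunk.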
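--- a/data/lib/rules/no_http_rule.rb
+++ b/data/lib/rules/no_http_rule.rb
@@ -8,21 +8,22 @@ class NoHTTPRule < Rule
 @resources = %w[apt::source ::apt::source wget::fetch yumrepo yum:: aptly::mirror util::system_package yum::managed_yumrepo]
 @keywords = %w[backport key download uri mirror]
 @http = /^http:\/\/.+/
-@whitelist =
+@whitelist = ""
 
 @resources_conf = ListConfiguration.new("List of resources that can use HTTP", @resources, "List of resources that are known to not use HTTPS but that validate the transferred content with other secure methods.")
 @keywords_conf = ListConfiguration.new("List of keywords for URLs", @keywords, "List of keywords that identify hyperlinks that should be analyzed.")
+@whitelist_conf = RegexConfiguration.new("HTTP Address whitelist", @whitelist, "List of addresses that are allowed to have non-secure http connections to them.")
 @http_conf = RegexConfiguration.new("Regular expression of a normal HTTP address", @http, "Regular expression that identifies the URL of a website using the regular non-secure HTTP protocol.")
 
-@configurations+=[@resources_conf, @keywords_conf, @http_conf]
+@configurations+=[@resources_conf, @keywords_conf, @http_conf, @whitelist_conf]
 
 def self.AnalyzeTokens(tokens)
 result = []
 
 ptokens = self.filter_resources(tokens, @resources_conf.value)
-ctokens = self.filter_variables(ptokens, @keywords_conf.value)
-if @
-wtokens = self.filter_whitelist(ctokens)
+ctokens = self.filter_variables(ptokens, @keywords_conf.value) #TODO: It's working upside down
+if @whitelist_conf.value
+wtokens = self.filter_whitelist(ctokens, @whitelist_conf.value)
 else
 wtokens = ptokens
 end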
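Review bot: The `if @whitelist_conf.value` test on new line 25 cannot tell "no whitelist configured" from "configured": the default assigned on new line 11 is `""`, and an empty string is truthy in Ruby, so the whitelist branch is always entered with an empty pattern. When the branch is not entered, the `else` falls back to `ptokens`, discarding the keyword filtering done into `ctokens` one line earlier, so the two branches analyze different token sets. Suggested: `if @whitelist_conf.value && !@whitelist_conf.value.to_s.empty?` on line 25 and `wtokens = ctokens` in the else. The `#TODO: It's working upside down` appended on new line 24 ships an admission that the keyword filter is inverted; it should state which direction is wrong so a reader knows whether findings are being dropped or over-reported. AnalyzeTokens continues past the end of the hunk.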
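--- a/data/lib/rules/rule.rb
+++ b/data/lib/rules/rule.rb
@@ -67,10 +67,9 @@ class Rule
 return ftokens
 end
 
-def self.filter_whitelist(tokens)
+def self.filter_whitelist(tokens, whitelist)
 ftokens=tokens.find_all do |hash|
-
-true # TODO: Understand the whitelist
+!(whitelist =~ hash.value.downcase)
 end
 return ftokens
 end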
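Review bot: `!(whitelist =~ hash.value.downcase)` on new line 72 only works when `whitelist` is a Regexp; `String#=~` raises TypeError when its argument is a String, and NoHTTPRule now defaults the whitelist to `""`, so unless RegexConfiguration converts its value to a Regexp (not visible here) every token raises and the rule engine's bare rescue hides the failure. Guard the empty case explicitly, compile once outside the loop, and use `match?` so no MatchData or `$~` is produced: `return tokens if whitelist.to_s.empty?`, `pattern = Regexp.new(whitelist)`, `ftokens = tokens.find_all { |hash| !pattern.match?(hash.value.downcase) }`. The empty guard must come first because `Regexp.new("")` matches every string, which would make an unset whitelist suppress every finding. The method is fully inside the hunk; the class continues outside it.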
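--- a/data/lib/settings.ini
+++ b/data/lib/settings.ini
@@ -1,15 +1,16 @@
 [HardCodedCredentialsRule]
-HardCodedCredentialsRule-enable_configuration =
+HardCodedCredentialsRule-enable_configuration = true
 HardCodedCredentialsRule-list_of_known_words_not_considered_in_credentials = pe-puppet,pe-webserver,pe-puppetdb,pe-postgres,pe-console-services,pe-orchestration-services,pe-ace-server,pe-bolt-server
 HardCodedCredentialsRule-list_of_invalid_values_in_credentials = undefined,unset,www-data,wwwrun,www,no,yes,[],root
 HardCodedCredentialsRule-regular_expression_of_words_present_in_credentials = (?-mix:user|usr|pass(word|_|$)|pwd|key|secret)
 HardCodedCredentialsRule-regular_expression_of_words_not_present_in_credentials = (?-mix:gpg|path|type|buff|zone|mode|tag|header|scheme|length|guid)
 
 [NoHTTPRule]
-NoHTTPRule-enable_configuration =
+NoHTTPRule-enable_configuration = true
 NoHTTPRule-list_of_resources_that_can_use_http = apt::source,::apt::source,wget::fetch,yumrepo,yum::,aptly::mirror,util::system_package,yum::managed_yumrepo
 NoHTTPRule-list_of_keywords_for_urls = backport,key,download,uri,mirror
 NoHTTPRule-regular_expression_of_a_normal_http_address = (?-mix:^http:\/\/.+)
+NoHTTPRule-http_address_whitelist = (?-mix:^(127.0.0.1))
 
 [AdminByDefaultRule]
 AdminByDefaultRule-enable_configuration = true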
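Review bot: The whitelist value added on new line 13, `(?-mix:^(127.0.0.1))`, uses unescaped dots and has no terminator, so as a regex it also exempts hosts such as `127.0.0.10` or `127a0b0c1` from the HTTP check, widening the exception beyond loopback. Escape the dots and require a port, path or end of string: `NoHTTPRule-http_address_whitelist = (?-mix:\A127\.0\.0\.1(?:[:/]|\z))`. Whether the `^` anchor can match at all depends on whether the compared token value starts with the bare host or with the `http://` scheme, which this diff does not show; the pattern should be written against the actual value form. `\A`/`\z` anchor the whole value, whereas `^`/`$` match per line.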
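--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet-sec-lint
 version: !ruby/object:Gem::Version
-version: 0.5.
+version: 0.5.11
 platform: ruby
 authors:
 - Tiago Ribeiro
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-05-
+date: 2021-05-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: puppet-lint
@@ -187,8 +187,6 @@ files:
 - lib/sin/sin.rb
 - lib/sin/sin_type.rb
 - lib/visitors/configuration_visitor.rb
-- puppet-sec-lint-0.5.8.gem
-- puppet-sec-lint-0.5.9.gem
 - puppet-sec-lint.gemspec
 homepage: https://github.com/TiagoR98/puppet-sec-lint
 licenses: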
data/puppet-sec-lint-0.5.8.gem
DELETED
Binary file
|
data/puppet-sec-lint-0.5.9.gem
DELETED
Binary file
|