puppet-sec-lint 0.5.11 → 0.5.17
- checksums.yaml +4 -4
- data/.idea/modules.xml +1 -0
- data/.idea/puppet-sec-lint.iml +2 -24
- data/Gemfile +3 -1
- data/Gemfile.lock +4 -1
- data/README.md +24 -8
- data/docs/admin-by-default.md +5 -1
- data/docs/cyrillic-homograph-attack.md +5 -1
- data/docs/empty-password.md +5 -1
- data/docs/hard-coded-credentials.md +6 -1
- data/docs/http-without-tls.md +46 -0
- data/docs/images/puppet-sec-lint_configurations.png +0 -0
- data/docs/invalid-ip-addr-binding.md +6 -2
- data/docs/suspicious-comments.md +31 -0
- data/docs/weak-crypto-algorithm.md +6 -1
- data/exe/puppet-sec-lint +12 -0
- data/lib/facades/configuration_page_facade.rb +1 -2
- data/lib/lol2.pp +11 -0
- data/lib/manifest.pp +83 -0
- data/lib/puppet-sec-lint/version.rb +2 -2
- data/lib/rule_engine.rb +3 -3
- data/lib/rules/no_http_rule.rb +1 -1
- data/lib/servers/language_server.rb +2 -2
- data/lib/servers/linter_server.rb +3 -1
- data/lib/settings.ini +2 -2
- data/puppet-sec-lint.gemspec +3 -2
- metadata +24 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6bfe95cea2d99930169041dca391fc75092615989bf760110c9e30aa129e4cfa
|
4
|
+
data.tar.gz: 74eebb1a8c0173313962c2f89a59f051228b32148deca9abebfad22345dc4728
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 61ef7a949e6eb553397d1e3497daee79e7d53d5bc87b4d11c6dcb825652ccd31bd395a38956a503bd4f2a157e7a35c19b81a3c67a5794381022253b424417e34
|
7
|
+
data.tar.gz: 5a630410caafefd0c5536fde1503591f0e9f8ebc82718b020b3b8a81f583a7746e69ff2cbba4e8c05971cf68ab22bbf4617467f2bcb4a44762ed40e7cf2bc5d3
|
data/.idea/modules.xml
CHANGED
@@ -2,6 +2,7 @@
|
|
2
2
|
<project version="4">
|
3
3
|
<component name="ProjectModuleManager">
|
4
4
|
<modules>
|
5
|
+
<module fileurl="file://$PROJECT_DIR$/.idea/modules/docs.iml" filepath="$PROJECT_DIR$/.idea/modules/docs.iml" />
|
5
6
|
<module fileurl="file://$PROJECT_DIR$/.idea/puppet-sec-lint.iml" filepath="$PROJECT_DIR$/.idea/puppet-sec-lint.iml" />
|
6
7
|
</modules>
|
7
8
|
</component>
|
data/.idea/puppet-sec-lint.iml
CHANGED
@@ -15,6 +15,7 @@
|
|
15
15
|
<orderEntry type="library" scope="PROVIDED" name="bundler (v2.2.3, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
|
16
16
|
<orderEntry type="library" scope="PROVIDED" name="inifile (v3.0.0, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
|
17
17
|
<orderEntry type="library" scope="PROVIDED" name="launchy (v2.5.0, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
|
18
|
+
<orderEntry type="library" scope="PROVIDED" name="logger (v1.4.3, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
|
18
19
|
<orderEntry type="library" scope="PROVIDED" name="minitest (v5.14.4, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
|
19
20
|
<orderEntry type="library" scope="PROVIDED" name="public_suffix (v4.0.6, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
|
20
21
|
<orderEntry type="library" scope="PROVIDED" name="puppet-lint (v2.4.2, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
|
@@ -24,30 +25,7 @@
|
|
24
25
|
</component>
|
25
26
|
<component name="RakeTasksCache">
|
26
27
|
<option name="myRootTask">
|
27
|
-
<RakeTaskImpl id="rake"
|
28
|
-
<subtasks>
|
29
|
-
<RakeTaskImpl description="Build puppet-sec-lint-0.5.7.gem into the pkg directory" fullCommand="build" id="build" />
|
30
|
-
<RakeTaskImpl description="Remove any temporary products" fullCommand="clean" id="clean" />
|
31
|
-
<RakeTaskImpl description="Remove any generated files" fullCommand="clobber" id="clobber" />
|
32
|
-
<RakeTaskImpl description="Build and install puppet-sec-lint-0.5.7.gem into system gems" fullCommand="install" id="install" />
|
33
|
-
<RakeTaskImpl id="install">
|
34
|
-
<subtasks>
|
35
|
-
<RakeTaskImpl description="Build and install puppet-sec-lint-0.5.7.gem into system gems without network access" fullCommand="install:local" id="local" />
|
36
|
-
</subtasks>
|
37
|
-
</RakeTaskImpl>
|
38
|
-
<RakeTaskImpl description="Create tag v0.5.7 and build and push puppet-sec-lint-0.5.7.gem to https://rubygems.org" fullCommand="release[remote]" id="release[remote]" />
|
39
|
-
<RakeTaskImpl description="Run tests" fullCommand="test" id="test" />
|
40
|
-
<RakeTaskImpl description="" fullCommand="default" id="default" />
|
41
|
-
<RakeTaskImpl description="" fullCommand="release" id="release" />
|
42
|
-
<RakeTaskImpl id="release">
|
43
|
-
<subtasks>
|
44
|
-
<RakeTaskImpl description="" fullCommand="release:guard_clean" id="guard_clean" />
|
45
|
-
<RakeTaskImpl description="" fullCommand="release:rubygem_push" id="rubygem_push" />
|
46
|
-
<RakeTaskImpl description="" fullCommand="release:source_control_push" id="source_control_push" />
|
47
|
-
</subtasks>
|
48
|
-
</RakeTaskImpl>
|
49
|
-
</subtasks>
|
50
|
-
</RakeTaskImpl>
|
28
|
+
<RakeTaskImpl id="rake" />
|
51
29
|
</option>
|
52
30
|
</component>
|
53
31
|
</module>
|
data/Gemfile
CHANGED
data/Gemfile.lock
CHANGED
@@ -1,9 +1,10 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
puppet-sec-lint (0.5.
|
4
|
+
puppet-sec-lint (0.5.17)
|
5
5
|
inifile (~> 3.0.0)
|
6
6
|
launchy (~> 2.5.0)
|
7
|
+
logger (~> 1.4.3)
|
7
8
|
minitest (~> 5.0)
|
8
9
|
puppet-lint (~> 2.4, >= 2.4.2)
|
9
10
|
rack (~> 2.2.3)
|
@@ -18,6 +19,7 @@ GEM
|
|
18
19
|
inifile (3.0.0)
|
19
20
|
launchy (2.5.0)
|
20
21
|
addressable (~> 2.7)
|
22
|
+
logger (1.4.3)
|
21
23
|
minitest (5.14.4)
|
22
24
|
public_suffix (4.0.6)
|
23
25
|
puppet-lint (2.4.2)
|
@@ -31,6 +33,7 @@ PLATFORMS
|
|
31
33
|
DEPENDENCIES
|
32
34
|
inifile
|
33
35
|
launchy
|
36
|
+
logger
|
34
37
|
minitest (~> 5.0)
|
35
38
|
puppet-lint
|
36
39
|
puppet-sec-lint!
|
data/README.md
CHANGED
@@ -25,14 +25,6 @@ If the linter is called with a folder, all puppet files inside are recursively a
|
|
25
25
|
puppet-sec-lint /folder
|
26
26
|
```
|
27
27
|
|
28
|
-
To open the configurations page to better tune the different rules applied, use the appropriate flag:
|
29
|
-
|
30
|
-
```bash
|
31
|
-
puppet-sec-lint -c
|
32
|
-
```
|
33
|
-
(this will open the configurations page on the computer default web browser)
|
34
|
-
|
35
|
-
|
36
28
|
### Integration with Visual Studio Code
|
37
29
|
|
38
30
|
The linter can also work inside Visual Studio code. For it, please ensure that the 'puppet-sec-lint' gem was installed on your system.
|
@@ -43,12 +35,36 @@ Now, after that the extension is activate, it should be activated automatically
|
|
43
35
|
|
44
36
|
![puppet-sec-lint console execution](docs/images/puppet-sec-lint_vscode.png)
|
45
37
|
|
38
|
+
###Customization of Linter Rules
|
39
|
+
|
40
|
+
All rules applied by the linter to detect vulnerabilities can be configured to better adapt the tool to any project conventions and requirements.
|
41
|
+
|
42
|
+
To open the configurations page, use the appropriate flag:
|
43
|
+
|
44
|
+
```bash
|
45
|
+
puppet-sec-lint -c
|
46
|
+
```
|
47
|
+
(this will open the configurations page on the computer default web browser)
|
48
|
+
|
49
|
+
![puppet-sec-lint configurations page](docs/images/puppet-sec-lint_configurations.png)
|
50
|
+
|
46
51
|
## Development
|
47
52
|
|
53
|
+
### Development of new rules
|
54
|
+
|
55
|
+
The linter was built on top of a modular architecture, which means that new customizable rules can be added fairly easy facing the discovery of new scenarios and vulnerabilities.
|
56
|
+
|
57
|
+
<!--
|
58
|
+
(add instructions on how to clone, build and run tool)
|
59
|
+
|
60
|
+
(add instructions on where and how to add new rule and configurations)
|
61
|
+
-->
|
62
|
+
|
48
63
|
<!--After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
|
49
64
|
|
50
65
|
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).-->
|
51
66
|
|
67
|
+
|
52
68
|
## Contributing
|
53
69
|
|
54
70
|
<!-- Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/puppet-sec-lint. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/puppet-sec-lint/blob/master/CODE_OF_CONDUCT.md). -->
|
data/docs/admin-by-default.md
CHANGED
@@ -24,4 +24,8 @@ Any account with the power to do everything in the system is a very dangerous si
|
|
24
24
|
|
25
25
|
## How to avoid it?
|
26
26
|
|
27
|
-
Accounts should always be setup up with the [Principle of least privilege](https://us-cert.cisa.gov/bsi/articles/knowledge/principles/least-privilege) in mind, meaning that all accounts should only get the permissions strictly necessary to perform their required tasks during the minimum amount of time possible. This severely limits the exposure to accidental errors and also to malicious attackers.
|
27
|
+
Accounts should always be setup up with the [Principle of least privilege](https://us-cert.cisa.gov/bsi/articles/knowledge/principles/least-privilege) in mind, meaning that all accounts should only get the permissions strictly necessary to perform their required tasks during the minimum amount of time possible. This severely limits the exposure to accidental errors and also to malicious attackers.
|
28
|
+
|
29
|
+
## More related information
|
30
|
+
|
31
|
+
* [CWE-250: Execution with Unnecessary Privileges](https://cwe.mitre.org/data/definitions/250.html)
|
@@ -37,4 +37,8 @@ This malicious domain on a Puppet manifest can point to a fake package repositor
|
|
37
37
|
After the tool detects the presence of Cyrillic characters on a URL, the best course of action is to replace all Cyrillic characters with their Latin counterparts, as these characters are very rarely used in legitimate domains.
|
38
38
|
Then, check if the domain is well written (subtle misspellings with similar letters are very common in these kinds of attacks).
|
39
39
|
|
40
|
-
To better ensure that the domain is actually the correct one, the URL can also be copied from a trusted source.
|
40
|
+
To better ensure that the domain is actually the correct one, the URL can also be copied from a trusted source.
|
41
|
+
|
42
|
+
## More related information
|
43
|
+
|
44
|
+
* [CWE-1007: Insufficient Visual Distinction of Homoglyphs Presented to User](https://cwe.mitre.org/data/definitions/1007.html)
|
data/docs/empty-password.md
CHANGED
@@ -24,4 +24,8 @@ An attacker looking to gain access to an account my try a couple of different ge
|
|
24
24
|
|
25
25
|
## How to avoid it?
|
26
26
|
|
27
|
-
Secure software systems should have a decent password policy that prevents, among other types, empty passwords. This means that it's very likely for the Puppet manifest to fail as the password would be rejected. But even if the target software accepts empty passwords, a long and hard to guess password is always a much safer option against malicious attacks.
|
27
|
+
Secure software systems should have a decent password policy that prevents, among other types, empty passwords. This means that it's very likely for the Puppet manifest to fail as the password would be rejected. But even if the target software accepts empty passwords, a long and hard to guess password is always a much safer option against malicious attacks.
|
28
|
+
|
29
|
+
## More related information
|
30
|
+
|
31
|
+
* [CWE-258: Empty Password in Configuration File](https://cwe.mitre.org/data/definitions/258.html)
|
@@ -77,4 +77,9 @@ file { '/etc/mysql/server-key.pem':
|
|
77
77
|
ensure => file,
|
78
78
|
content => hiera("privatekey"),
|
79
79
|
}
|
80
|
-
```
|
80
|
+
```
|
81
|
+
|
82
|
+
## More related information
|
83
|
+
|
84
|
+
* [CWE-259: Use of Hard-coded Password](https://cwe.mitre.org/data/definitions/259.html)
|
85
|
+
* [CWE-798: Use of Hard-coded Credentials](https://cwe.mitre.org/data/definitions/798.html)
|
@@ -0,0 +1,46 @@
|
|
1
|
+
---
|
2
|
+
title: Use HTTP without TLS
|
3
|
+
permalink: /http-without-tls/
|
4
|
+
layout: default
|
5
|
+
---
|
6
|
+
|
7
|
+
# Use HTTP without TLS
|
8
|
+
|
9
|
+
## What is it?
|
10
|
+
|
11
|
+
Connecting to a server using the regular HTTP protocol instead of the secure HTTPS, which uses TLS, doesn't allow for an encrypted connection. This means that all the data is sent in plaintext and easily viewed and modified by anyone, including malicious attackers.
|
12
|
+
|
13
|
+
### Example
|
14
|
+
Providing a server to run the PHPMyAdmin application:
|
15
|
+
```puppet
|
16
|
+
define phpmyadmin::server (
|
17
|
+
$blowfish_key = md5("${::fqdn}${::ipaddress}"),
|
18
|
+
$absolute_uri = "http://${::fqdn}/phpmyadmin/",
|
19
|
+
$config_file = $::phpmyadmin::params::config_file
|
20
|
+
)
|
21
|
+
```
|
22
|
+
This newly created service will be available to clients through a non secure HTTP address.
|
23
|
+
|
24
|
+
A more secure way of hosting the server would be by using an HTTPS url:
|
25
|
+
```puppet
|
26
|
+
define phpmyadmin::server (
|
27
|
+
$blowfish_key = md5("${::fqdn}${::ipaddress}"),
|
28
|
+
$absolute_uri = "https://${::fqdn}/phpmyadmin/",
|
29
|
+
$config_file = $::phpmyadmin::params::config_file
|
30
|
+
)
|
31
|
+
```
|
32
|
+
|
33
|
+
|
34
|
+
## How can it be exploited?
|
35
|
+
|
36
|
+
When a connection is made to a website using a non-secure HTTP address, all communications are sent unencrypted. An attacker can capture the traffic sent and received by a victim, for example, in the same Wifi network. After analyzing his traffic, the attacker can extract sensitive information exchanged by the victim with the websites visited, like passwords and tokens.
|
37
|
+
|
38
|
+
The attacker can then use this information to attack his victim, by logging in and impersonating him in several different websites that don't use the TLS protocol.
|
39
|
+
|
40
|
+
## How to avoid it?
|
41
|
+
|
42
|
+
All connections to internet addresses or made available to the public by a service configured with a Puppet manifest must use some kind of secure protocol, to ensure the confidentiality, authenticity and integrity of all data exchanged. Making an HTTPS connection is the easiest way to do this and it's also the recommended way of addressing this security vulnerability. In some cases, if the transferred information is verified afterwards by an hashing algorithm, like packages transferred from a repository, then this solution can be considered optional.
|
43
|
+
|
44
|
+
## More related information
|
45
|
+
|
46
|
+
* [CWE-319: Cleartext Transmission of Sensitive Information](https://cwe.mitre.org/data/definitions/319.html)
|
Binary file
|
@@ -6,7 +6,7 @@ layout: default
|
|
6
6
|
|
7
7
|
# Invalid IP Address binding
|
8
8
|
|
9
|
-
## What
|
9
|
+
## What is it?
|
10
10
|
|
11
11
|
Binding an IP address to a server or service means authorizing connections incoming from those networks. This allows to limit what kind of incoming connections a server may or may not accept. Binding the 0.0.0.0 IP address to a service means that any connection from any network is accepted.
|
12
12
|
|
@@ -28,4 +28,8 @@ A server or service that's open to all kinds of connections it's more exposed to
|
|
28
28
|
|
29
29
|
## How to avoid it?
|
30
30
|
|
31
|
-
Properly configuring binding addresses means that the server should only accept connections from trusted networks known to use the service. This ensures a greater level of control and also protection, as an attacker would know have an extra obstacle in trying to gain access first to one of those networks.
|
31
|
+
Properly configuring binding addresses means that the server should only accept connections from trusted networks known to use the service. This ensures a greater level of control and also protection, as an attacker would know have an extra obstacle in trying to gain access first to one of those networks.
|
32
|
+
|
33
|
+
## More related information
|
34
|
+
|
35
|
+
* [CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html)
|
@@ -0,0 +1,31 @@
|
|
1
|
+
---
|
2
|
+
title: Suspicious Comments
|
3
|
+
permalink: /suspicious-comments/
|
4
|
+
layout: default
|
5
|
+
---
|
6
|
+
|
7
|
+
# Suspicious Comments
|
8
|
+
|
9
|
+
## What are they?
|
10
|
+
|
11
|
+
Suspicious comments are all comments left in a release of a Puppet Manifest that might suggest the existence of bugs, missing security functionalities or other weaknesses.
|
12
|
+
|
13
|
+
|
14
|
+
### Example
|
15
|
+
```puppet
|
16
|
+
# TODO: switch password from weak hash to sha256
|
17
|
+
$key = md5("${client_name} ${client_ip} ${client_seed}")
|
18
|
+
```
|
19
|
+
This comment immediately tells that developers are aware of the weakness of using a compromised hashing algorithm, but still hadn't made the necessary fix.
|
20
|
+
|
21
|
+
## How can it be exploited?
|
22
|
+
|
23
|
+
In the previous example, the presence of the comment immediately draws the attention of a malicious hacker who might have gained access to the code repository. By stating the portion of code that is considered insecure, it tells to an attacker exactly where to look for unpatched vulnerabilities. In this case, he could start working on ways to break the weak hashing algorithm.
|
24
|
+
|
25
|
+
## How to avoid it?
|
26
|
+
|
27
|
+
All comments indicating to be implemented features or non-resolved security issues should be erased, as they pose a very serious threat by gaining the attackers attention. Instead, proper and secure defect management solutions should be used. As a plus, the code stays clean and easy to read.
|
28
|
+
|
29
|
+
## More related information
|
30
|
+
|
31
|
+
* [CWE-546: Suspicious Comment](https://cwe.mitre.org/data/definitions/546.html)
|
@@ -28,4 +28,9 @@ An attacker who was able to gain access to a server and steal the hashes from al
|
|
28
28
|
|
29
29
|
## How to avoid it?
|
30
30
|
|
31
|
-
If the Puppet manifest is being used to generate hashes for passwords or important data, using a more secure algorithm like SHA256 is very advisable as it avoids exposure to the risks mentioned above, ensuring that the algorithm actually performs what's intended to.
|
31
|
+
If the Puppet manifest is being used to generate hashes for passwords or important data, using a more secure algorithm like SHA256 is very advisable as it avoids exposure to the risks mentioned above, ensuring that the algorithm actually performs what's intended to.
|
32
|
+
|
33
|
+
## More related information
|
34
|
+
|
35
|
+
* [CWE-326: Inadequate Encryption Strength](https://cwe.mitre.org/data/definitions/326.html)
|
36
|
+
* [CWE-327: Use of a Broken or Risky Cryptographic Algorithm](https://cwe.mitre.org/data/definitions/327.html)
|
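--- a/data/exe/puppet-sec-lint
+++ b/data/exe/puppet-sec-lint
@@ -5,6 +5,7 @@ require 'json'
 require 'launchy'
 require 'optparse'
 require 'optparse/uri'
+require 'logger'
 require_relative '../lib/puppet-sec-lint/version'
 require_relative '../lib/visitors/configuration_visitor'
 require_relative '../lib/facades/configuration_file_facade'
@@ -12,6 +13,9 @@ require_relative '../lib/facades/configuration_file_facade'
 ConfigurationVisitor.GenerateIDs
 ConfigurationFileFacade.LoadConfigurations
 
+$logger = Logger.new(STDOUT)
+$logger.level = Logger::ERROR
+
 #get free port
 loop do
 $port = rand(3000..9999)
@@ -49,6 +53,11 @@ OptionParser.new do |opts|
 opts.on("-p", "--port=PORT", "TCP Port open for socket communication with the language server (Default:5007)") do |port|
 options[:port] = port
 end
+
+opts.on("-v", "--verbose", "Verbose mode (shows all communications and other debug info)") do |v|
+options[:verbose] = v
+$logger.level = Logger::DEBUG
+end
 end.parse!
 
 puts '___ _ _ ___ ___ ____ ___ ____ ____ ____ _ _ ____ _ ___ _ _ _ _ _ _ ___ ____ ____ '
@@ -61,6 +70,8 @@ puts "Release v#{PuppetSecLint::VERSION} #{PuppetSecLint::AUTHOR} #{P
 
 puts "\n"
 
+STDOUT.flush
+
 if not ARGV[0].nil?
 if File.file?(ARGV[0].to_s) && File.extname(ARGV[0].to_s) == '.pp'
 analyze_file(ARGV[0].to_s)
@@ -93,6 +104,7 @@ if ARGV[0].nil? || options[:configurations]
 else
 puts "\nLinter configurations page available at #{conf_page_url}\n\n"
 puts "-----------------------------------------------------------------------"
+STDOUT.flush
 end
 
 linter_server.join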
@@ -75,8 +75,7 @@ class ConfigurationPageFacade
|
|
75
75
|
configuration.value = new_conf[configuration.id].split(/\r?\n/).delete_if(&:empty?)
|
76
76
|
|
77
77
|
when DisplayField[:RegexBox]
|
78
|
-
configuration.value = Regexp.new new_conf[configuration.id]
|
79
|
-
|
78
|
+
configuration.value = if new_conf[configuration.id].empty? then new_conf[configuration.id] else Regexp.new new_conf[configuration.id] end
|
80
79
|
else
|
81
80
|
configuration.value = new_conf[configuration.id]
|
82
81
|
end
|
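--- /dev/null
+++ b/data/lib/lol2.pp
@@ -0,0 +1,11 @@
+# addresses bug: https://bugs.launchpad.net/keystone/+bug/1472285
+class example (
+$power_username= 'admin',
+$power_password= ‘’,
+$pwd = ‘EHDJSKD’
+){
+$bind_host = ‘0.0.0.0’
+$quantum_auth_url = ‘http://127.0.0.1:35357/v2.0’
+“ $”tr = "hey"
+$message = sha1($str)
+}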
data/lib/manifest.pp
ADDED
@@ -0,0 +1,83 @@
|
|
1
|
+
#class path_attribute {
|
2
|
+
# file { 'ssh_config_file':
|
3
|
+
# path => '/etc/ssh/sshd_config',
|
4
|
+
# content => 'Bad path attribute, bad.',
|
5
|
+
# }
|
6
|
+
#}
|
7
|
+
|
8
|
+
# the following code addresses the bug: https://bugs.launchpad.net/keystone/+bug/1472285 .
|
9
|
+
|
10
|
+
class consul_template::service (
|
11
|
+
$rpc_password = '{6ad470ec62b0511b63340dca2950d750181598efnHKvN1ge',
|
12
|
+
$admin_username = 'admin',
|
13
|
+
$password = 'ceilometer',
|
14
|
+
$admin_password = 'admin',
|
15
|
+
) {
|
16
|
+
exec { 'network-restart':
|
17
|
+
command => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM release-runner key',
|
18
|
+
path => '/usr/bin:/usr/sbin:/bin:/sbin',
|
19
|
+
refreshonly => true,
|
20
|
+
vmware_md5 => 'LOL',
|
21
|
+
autho => 'MD5',
|
22
|
+
cmd => 'virsh secret-define --file ${secret_xml} && virsh secret-set-value --secret ${rbd_secret_uuid} --base64 $(ceph auth get-key client.${user})',
|
23
|
+
$auth_uri => 'http://127.0.0.1:5000',
|
24
|
+
'bind_address' => '0.0.0.0',
|
25
|
+
password => '',
|
26
|
+
}
|
27
|
+
case $::osfamily {
|
28
|
+
'RedHat': {
|
29
|
+
exec { 'upload-img':
|
30
|
+
command => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} add name=${img_name} is_public=${public} container_format=${container_format} disk_format=${disk_format} distro=${os_name} < /opt/vm/cirros-x86_64-disk.img",
|
31
|
+
unless => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index && (/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index | grep ${img_name})",
|
32
|
+
|
33
|
+
}
|
34
|
+
}
|
35
|
+
'Debian': {
|
36
|
+
exec { 'upload-img':
|
37
|
+
command => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} add name=${img_name} is_public=${public} container_format=${container_format} disk_format=${disk_format} distro=${os_name} < /usr/share/cirros-testvm/cirros-x86_64-disk.img",
|
38
|
+
unless => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index && (/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index | grep ${img_name})",
|
39
|
+
key => "E8CC67053ED3B199",
|
40
|
+
key_content => '-----BEGIN PGP PUBLIC KEY BLOCK-----
|
41
|
+
Version: GnuPG v1.4.11 (GNU/Linux)
|
42
|
+
|
43
|
+
mQENBE/oXVkBCACcjAcV7lRGskECEHovgZ6a2robpBroQBW+tJds7B+qn/DslOAN
|
44
|
+
1hm0UuGQsi8pNzHDE29FMO3yOhmkenDd1V/T6tHNXqhHvf55nL6anlzwMmq3syIS
|
45
|
+
uqVjeMMXbZ4d+Rh0K/rI4TyRbUiI2DDLP+6wYeh1pTPwrleHm5FXBMDbU/OZ5vKZ
|
46
|
+
67j99GaARYxHp8W/be8KRSoV9wU1WXr4+GA6K7ENe2A8PT+jH79Sr4kF4uKC3VxD
|
47
|
+
BF5Z0yaLqr+1V2pHU3AfmybOCmoPYviOqpwj3FQ2PhtObLs+hq7zCviDTX2IxHBb
|
48
|
+
Q3mGsD8wS9uyZcHN77maAzZlL5G794DEr1NLABEBAAG0NU9wZW5TdGFja0BDaXNj
|
49
|
+
byBBUFQgcmVwbyA8b3BlbnN0YWNrLWJ1aWxkZEBjaXNjby5jb20+iQE4BBMBAgAi
|
50
|
+
BQJP6F1ZAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDozGcFPtOxmXcK
|
51
|
+
B/9WvQrBwxmIMV2M+VMBhQqtipvJeDX2Uv34Ytpsg2jldl0TS8XheGlUNZ5djxDy
|
52
|
+
u3X0hKwRLeOppV09GVO3wGizNCV1EJjqQbCMkq6VSJjD1B/6Tg+3M/XmNaKHK3Op
|
53
|
+
zSi+35OQ6xXc38DUOrigaCZUU40nGQeYUMRYzI+d3pPlNd0+nLndrE4rNNFB91dM
|
54
|
+
BTeoyQMWd6tpTwz5MAi+I11tCIQAPCSG1qR52R3bog/0PlJzilxjkdShl1Cj0RmX
|
55
|
+
7bHIMD66uC1FKCpbRaiPR8XmTPLv29ZTk1ABBzoynZyFDfliRwQi6TS20TuEj+ZH
|
56
|
+
xq/T6MM6+rpdBVz62ek6/KBcuQENBE/oXVkBCACgzyyGvvHLx7g/Rpys1WdevYMH
|
57
|
+
THBS24RMaDHqg7H7xe0fFzmiblWjV8V4Yy+heLLV5nTYBQLS43MFvFbnFvB3ygDI
|
58
|
+
IdVjLVDXcPfcp+Np2PE8cJuDEE4seGU26UoJ2pPK/IHbnmGWYwXJBbik9YepD61c
|
59
|
+
NJ5XMzMYI5z9/YNupeJoy8/8uxdxI/B66PL9QN8wKBk5js2OX8TtEjmEZSrZrIuM
|
60
|
+
rVVXRU/1m732lhIyVVws4StRkpG+D15Dp98yDGjbCRREzZPeKHpvO/Uhn23hVyHe
|
61
|
+
PIc+bu1mXMQ+N/3UjXtfUg27hmmgBDAjxUeSb1moFpeqLys2AAY+yXiHDv57ABEB
|
62
|
+
AAGJAR8EGAECAAkFAk/oXVkCGwwACgkQ6MxnBT7TsZng+AgAnFogD90f3ByTVlNp
|
63
|
+
Sb+HHd/cPqZ83RB9XUxRRnkIQmOozUjw8nq8I8eTT4t0Sa8G9q1fl14tXIJ9szzz
|
64
|
+
BUIYyda/RYZszL9rHhucSfFIkpnp7ddfE9NDlnZUvavnnyRsWpIZa6hJq8hQEp92
|
65
|
+
IQBF6R7wOws0A0oUmME25Rzam9qVbywOh9ZQvzYPpFaEmmjpCRDxJLB1DYu8lnC4
|
66
|
+
h1jP1GXFUIQDbcznrR2MQDy5fNt678HcIqMwVp2CJz/2jrZlbSKfMckdpbiWNns/
|
67
|
+
xKyLYs5m34d4a0it6wsMem3YCefSYBjyLGSd/kCI/CgOdGN1ZY1HSdLmmjiDkQPQ
|
68
|
+
UcXHbA==
|
69
|
+
=v6jg
|
70
|
+
-----END PGP PUBLIC KEY BLOCK-----',
|
71
|
+
|
72
|
+
}
|
73
|
+
}
|
74
|
+
}
|
75
|
+
file { '/var/lib/gerrit/.ssh/id_rsa' :
|
76
|
+
owner => 'gerrit',
|
77
|
+
group => 'gerrit',
|
78
|
+
mode => '0600',
|
79
|
+
content => $ssh_replication_rsa_key_contents,
|
80
|
+
replace => true,
|
81
|
+
require => File['/var/lib/gerrit/.ssh']
|
82
|
+
}
|
83
|
+
}
|
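--- a/data/lib/rule_engine.rb
+++ b/data/lib/rule_engine.rb
@@ -22,8 +22,8 @@ class RuleEngine
 lexer = PuppetLint::Lexer.new
 tokens = lexer.tokenise(code)
 rescue => error
-
-
+$logger.error("Error in getting tokens from Puppet-Lint")
+$logger.error(error.backtrace)
 tokens = []
 end
 
@@ -40,7 +40,7 @@ class RuleEngine
 (result << rule.AnalyzeTokens(tokens)).flatten!
 end
 rescue
-
+$logger.error("Error in running rule #{rule.name}")
 end
 end
 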
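Review bot: Both rescue branches now call `$logger`, a process global that, as far as this diff shows, is assigned only in `exe/puppet-sec-lint`, so when this class is loaded without the executable (tests, another entry point) the handler raises NoMethodError on nil and the original failure is lost. A fallback such as `$logger ||= Logger.new(STDERR)` at the top of the file, or a module-level logger accessor, removes that dependency. In the first hunk `$logger.error(error.backtrace)` passes an Array, which Logger renders with `inspect` as one long line; `$logger.error(error)` logs the message plus a readable backtrace. In the second hunk the message interpolates `rule.name`, but if `rule` is the block parameter of the loop closed at line 41 it is out of scope in this method-level rescue and raises NameError, and the rescued exception itself is never logged — `rescue => e` with `e.message` in the text would capture it.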
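--- a/data/lib/rules/no_http_rule.rb
+++ b/data/lib/rules/no_http_rule.rb
@@ -22,7 +22,7 @@ class NoHTTPRule < Rule
 
 ptokens = self.filter_resources(tokens, @resources_conf.value)
 ctokens = self.filter_variables(ptokens, @keywords_conf.value) #TODO: It's working upside down
-if @whitelist_conf.value
+if not @whitelist_conf.value.to_s.empty?
 wtokens = self.filter_whitelist(ctokens, @whitelist_conf.value)
 else
 wtokens = ptokens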
@@ -18,7 +18,7 @@ class LanguageServer
|
|
18
18
|
length=Integer(line.scan(/\d/).join(''))
|
19
19
|
line=client.read(length+2)
|
20
20
|
request = JSON.parse(line)
|
21
|
-
|
21
|
+
$logger.debug(line)
|
22
22
|
|
23
23
|
method_name = request['method'].sub('/', '_')
|
24
24
|
response = if self.respond_to? "client_"+method_name then self.send("client_"+method_name,request['id'],request['params']) end
|
@@ -27,7 +27,7 @@ class LanguageServer
|
|
27
27
|
client.flush
|
28
28
|
client.print("Content-Length: "+response.length.to_s+"\r\n\r\n")
|
29
29
|
client.print(response)
|
30
|
-
|
30
|
+
$logger.debug(response)
|
31
31
|
end
|
32
32
|
end
|
33
33
|
client.close
|
@@ -1,4 +1,5 @@
|
|
1
1
|
require "rack"
|
2
|
+
require 'webrick'
|
2
3
|
require 'json'
|
3
4
|
require 'uri'
|
4
5
|
require_relative '../rule_engine'
|
@@ -43,7 +44,8 @@ class LinterServer
|
|
43
44
|
end
|
44
45
|
|
45
46
|
def self.start(port)
|
46
|
-
|
47
|
+
log = WEBrick::Log.new $stdout,1
|
48
|
+
Rack::Handler::WEBrick.run(LinterServer.new, :Port => port,Logger: log )
|
47
49
|
end
|
48
50
|
|
49
51
|
end
|
data/lib/settings.ini
CHANGED
@@ -7,10 +7,10 @@ HardCodedCredentialsRule-regular_expression_of_words_not_present_in_credentials
|
|
7
7
|
|
8
8
|
[NoHTTPRule]
|
9
9
|
NoHTTPRule-enable_configuration = true
|
10
|
-
NoHTTPRule-list_of_resources_that_can_use_http = apt::source,::apt::source,wget::fetch,yumrepo,yum::,aptly::mirror,util::system_package,yum::managed_yumrepo
|
10
|
+
NoHTTPRule-list_of_resources_that_can_use_http = apt::source,::apt::source,wget::fetch,yumrepo,yum::,aptly::mirror,util::system_package,yum::managed_yumrepo,apt::repository
|
11
11
|
NoHTTPRule-list_of_keywords_for_urls = backport,key,download,uri,mirror
|
12
12
|
NoHTTPRule-regular_expression_of_a_normal_http_address = (?-mix:^http:\/\/.+)
|
13
|
-
NoHTTPRule-http_address_whitelist =
|
13
|
+
NoHTTPRule-http_address_whitelist =
|
14
14
|
|
15
15
|
[AdminByDefaultRule]
|
16
16
|
AdminByDefaultRule-enable_configuration = true
|
data/puppet-sec-lint.gemspec
CHANGED
@@ -8,8 +8,8 @@ Gem::Specification.new do |spec|
|
|
8
8
|
spec.authors = ["Tiago Ribeiro"]
|
9
9
|
spec.email = ["tiago7b27@gmail.com"]
|
10
10
|
|
11
|
-
spec.summary = "
|
12
|
-
spec.description = "
|
11
|
+
spec.summary = "Security vulnerabilities linter for Puppet Manifests"
|
12
|
+
spec.description = "Linter built to detect potential security vulnerabilities in Puppet manifests code. It also offers integration with Visual Studio Code https://marketplace.visualstudio.com/items?itemName=tiago1998.puppet-sec-lint-vscode"
|
13
13
|
spec.homepage = "https://github.com/TiagoR98/puppet-sec-lint"
|
14
14
|
spec.license = "MIT"
|
15
15
|
spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
|
@@ -37,6 +37,7 @@ Gem::Specification.new do |spec|
|
|
37
37
|
spec.add_runtime_dependency 'webrick', '~> 1.7.0'
|
38
38
|
spec.add_runtime_dependency 'inifile', '~> 3.0.0'
|
39
39
|
spec.add_runtime_dependency 'launchy', '~> 2.5.0'
|
40
|
+
spec.add_runtime_dependency 'logger', '~> 1.4.3'
|
40
41
|
|
41
42
|
# For more information and examples about making a new gem, checkout our
|
42
43
|
# guide at: https://bundler.io/guides/creating_gem.html
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: puppet-sec-lint
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.5.
|
4
|
+
version: 0.5.17
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Tiago Ribeiro
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-06-18 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: puppet-lint
|
@@ -114,7 +114,22 @@ dependencies:
|
|
114
114
|
- - "~>"
|
115
115
|
- !ruby/object:Gem::Version
|
116
116
|
version: 2.5.0
|
117
|
-
|
117
|
+
- !ruby/object:Gem::Dependency
|
118
|
+
name: logger
|
119
|
+
requirement: !ruby/object:Gem::Requirement
|
120
|
+
requirements:
|
121
|
+
- - "~>"
|
122
|
+
- !ruby/object:Gem::Version
|
123
|
+
version: 1.4.3
|
124
|
+
type: :runtime
|
125
|
+
prerelease: false
|
126
|
+
version_requirements: !ruby/object:Gem::Requirement
|
127
|
+
requirements:
|
128
|
+
- - "~>"
|
129
|
+
- !ruby/object:Gem::Version
|
130
|
+
version: 1.4.3
|
131
|
+
description: Linter built to detect potential security vulnerabilities in Puppet manifests
|
132
|
+
code. It also offers integration with Visual Studio Code https://marketplace.visualstudio.com/items?itemName=tiago1998.puppet-sec-lint-vscode
|
118
133
|
email:
|
119
134
|
- tiago7b27@gmail.com
|
120
135
|
executables:
|
@@ -157,10 +172,13 @@ files:
|
|
157
172
|
- docs/cyrillic-homograph-attack.md
|
158
173
|
- docs/empty-password.md
|
159
174
|
- docs/hard-coded-credentials.md
|
175
|
+
- docs/http-without-tls.md
|
176
|
+
- docs/images/puppet-sec-lint_configurations.png
|
160
177
|
- docs/images/puppet-sec-lint_console.png
|
161
178
|
- docs/images/puppet-sec-lint_vscode.png
|
162
179
|
- docs/index.md
|
163
180
|
- docs/invalid-ip-addr-binding.md
|
181
|
+
- docs/suspicious-comments.md
|
164
182
|
- docs/weak-crypto-algorithm.md
|
165
183
|
- exe/puppet-sec-lint
|
166
184
|
- lib/configurations/boolean_configuration.rb
|
@@ -170,6 +188,8 @@ files:
|
|
170
188
|
- lib/facades/configuration_file_facade.rb
|
171
189
|
- lib/facades/configuration_page_facade.rb
|
172
190
|
- lib/lol.pp
|
191
|
+
- lib/lol2.pp
|
192
|
+
- lib/manifest.pp
|
173
193
|
- lib/puppet-sec-lint/version.rb
|
174
194
|
- lib/rule_engine.rb
|
175
195
|
- lib/rules/admin_by_default_rule.rb
|
@@ -214,5 +234,5 @@ requirements: []
|
|
214
234
|
rubygems_version: 3.2.3
|
215
235
|
signing_key:
|
216
236
|
specification_version: 4
|
217
|
-
summary:
|
237
|
+
summary: Security vulnerabilities linter for Puppet Manifests
|
218
238
|
test_files: []
|