puppet-sec-lint 0.5.7 → 0.5.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7b342570d0cd33a8818a927585edab299dc3117eea0bd92ca2b017045627836f
-  data.tar.gz: 14c9957c5262ca2b9dfa209740fc3de748fb326009ca24a98b3fc046b99defa2
+  metadata.gz: bfaad87ab6375c69dd2cb27773653373587f35e3cc74d4cba47c0bb05a69bd18
+  data.tar.gz: 9c5a606fc0867a133d38ab6033f9fe6b66eaae4a8e7426f45d59fea1ff3d4b34
 SHA512:
-  metadata.gz: 326b1e1ef9084032fa9fe0e2403c666d7ea385806a42848a9939ff0e3b62837d28f2af794ee9f4cf45cabaffac891b5787164a8b89d0182f1d0cb21d3ba17fee
-  data.tar.gz: 440a31bcac39c6818463e8fec34611e7df7f7779ac05b69b697c1caa24ce9006dbdd5e8316081708eeae19f85af18c381fb1a07cf25f4efb5fd3fe3d18074e63
+  metadata.gz: 26a4648b94a03331d14bcb1da29938809c5869b8f013c9f4510bfdd3dbf8557139ff66a5cb8834066cdd103ade3631001f4a7ebbc9d09b1292c4a7ec4413d96f
+  data.tar.gz: ce98ccc1b55c37bc67d3ba4bafdd68fee493af13cffcab88af893ce276a0b5ba860d4b0a3deb2dc9210e467e24d8f61f14395b9bab2db314c1354df8a8711351

data/.idea/puppet-sec-lint.iml

@@ -13,43 +13,19 @@
     <orderEntry type="sourceFolder" forTests="false" />
     <orderEntry type="library" scope="PROVIDED" name="addressable (v2.7.0, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="bundler (v2.2.3, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
-    <orderEntry type="library" scope="PROVIDED" name="daemons (v1.3.1, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
-    <orderEntry type="library" scope="PROVIDED" name="eventmachine (v1.2.7, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="inifile (v3.0.0, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="launchy (v2.5.0, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="logger (v1.4.3, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="minitest (v5.14.4, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="public_suffix (v4.0.6, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="puppet-lint (v2.4.2, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="rack (v2.2.3, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="rake (v13.0.3, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
-    <orderEntry type="library" scope="PROVIDED" name="thin (v1.8.0, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="webrick (v1.7.0, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
   </component>
   <component name="RakeTasksCache">
     <option name="myRootTask">
-      <RakeTaskImpl id="rake">
-        <subtasks>
-          <RakeTaskImpl description="Build puppet-sec-lint-0.1.0.gem into the pkg directory" fullCommand="build" id="build" />
-          <RakeTaskImpl description="Remove any temporary products" fullCommand="clean" id="clean" />
-          <RakeTaskImpl description="Remove any generated files" fullCommand="clobber" id="clobber" />
-          <RakeTaskImpl description="Build and install puppet-sec-lint-0.1.0.gem into system gems" fullCommand="install" id="install" />
-          <RakeTaskImpl id="install">
-            <subtasks>
-              <RakeTaskImpl description="Build and install puppet-sec-lint-0.1.0.gem into system gems without network access" fullCommand="install:local" id="local" />
-            </subtasks>
-          </RakeTaskImpl>
-          <RakeTaskImpl description="Create tag v0.1.0 and build and push puppet-sec-lint-0.1.0.gem to TODO: Set to 'http://mygemserver.com'" fullCommand="release[remote]" id="release[remote]" />
-          <RakeTaskImpl description="Run tests" fullCommand="test" id="test" />
-          <RakeTaskImpl description="" fullCommand="default" id="default" />
-          <RakeTaskImpl description="" fullCommand="release" id="release" />
-          <RakeTaskImpl id="release">
-            <subtasks>
-              <RakeTaskImpl description="" fullCommand="release:guard_clean" id="guard_clean" />
-              <RakeTaskImpl description="" fullCommand="release:rubygem_push" id="rubygem_push" />
-              <RakeTaskImpl description="" fullCommand="release:source_control_push" id="source_control_push" />
-            </subtasks>
-          </RakeTaskImpl>
-        </subtasks>
-      </RakeTaskImpl>
+      <RakeTaskImpl id="rake" />
     </option>
   </component>
 </module>

data/Gemfile

@@ -13,8 +13,10 @@ gem "puppet-lint"
 
 gem "rack"
 
-gem 'thin'
+gem 'webrick'
 
 gem 'inifile'
 
-gem 'launchy'
+gem 'launchy'
+
+gem 'logger'

data/Gemfile.lock

@@ -1,33 +1,31 @@
 PATH
   remote: .
   specs:
-    puppet-sec-lint (0.5.6)
+    puppet-sec-lint (0.5.13)
       inifile (~> 3.0.0)
       launchy (~> 2.5.0)
+      logger (~> 1.4.3)
       minitest (~> 5.0)
       puppet-lint (~> 2.4, >= 2.4.2)
       rack (~> 2.2.3)
       rake (~> 13.0)
+      webrick (~> 1.7.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
-    daemons (1.3.1)
-    eventmachine (1.2.7)
     inifile (3.0.0)
     launchy (2.5.0)
       addressable (~> 2.7)
+    logger (1.4.3)
     minitest (5.14.4)
     public_suffix (4.0.6)
     puppet-lint (2.4.2)
     rack (2.2.3)
     rake (13.0.3)
-    thin (1.8.0)
-      daemons (~> 1.0, >= 1.0.9)
-      eventmachine (~> 1.0, >= 1.0.4)
-      rack (>= 1, < 3)
+    webrick (1.7.0)
 
 PLATFORMS
   x86_64-linux
@@ -35,12 +33,13 @@ PLATFORMS
 DEPENDENCIES
   inifile
   launchy
+  logger
   minitest (~> 5.0)
   puppet-lint
   puppet-sec-lint!
   rack
   rake (~> 13.0)
-  thin
+  webrick
 
 BUNDLED WITH
    2.2.3

data/exe/puppet-sec-lint

@@ -5,10 +5,17 @@ require 'json'
 require 'launchy'
 require 'optparse'
 require 'optparse/uri'
+require 'logger'
 require_relative '../lib/puppet-sec-lint/version'
 require_relative '../lib/visitors/configuration_visitor'
 require_relative '../lib/facades/configuration_file_facade'
 
+ConfigurationVisitor.GenerateIDs
+ConfigurationFileFacade.LoadConfigurations
+
+$logger = Logger.new(STDOUT)
+$logger.level = Logger::ERROR
+
 #get free port
 loop do
   $port = rand(3000..9999)
@@ -46,6 +53,11 @@ OptionParser.new do |opts|
   opts.on("-p", "--port=PORT", "TCP Port open for socket communication with the language server (Default:5007)") do |port|
     options[:port] = port
   end
+
+  opts.on("-v", "--verbose", "Verbose mode (shows all communications and other debug info)") do |v|
+    options[:verbose] = v
+    $logger.level = Logger::DEBUG
+  end
 end.parse!
 
 puts '___  _  _ ___  ___  ____ ___    ____ ____ ____ _  _ ____ _ ___ _   _    _    _ _  _ ___ ____ ____ '

data/lib/puppet-sec-lint/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module PuppetSecLint
-  VERSION = "0.5.7"
+  VERSION = "0.5.13"
   YEAR = "2021"
   AUTHOR = "Tiago Ribeiro"
 end

data/lib/rule_engine.rb

@@ -21,8 +21,9 @@ class RuleEngine
     begin
       lexer = PuppetLint::Lexer.new
       tokens = lexer.tokenise(code)
-    rescue
-      puts "Error in getting tokens from Puppet-Lint"
+    rescue => error
+      $logger.error("Error in getting tokens from Puppet-Lint")
+      $logger.error(error.backtrace)
       tokens = []
     end
 
@@ -34,8 +35,12 @@ class RuleEngine
     tokens = self.getTokens(code)
 
     @rules.each do |rule|
-      if rule.configurations[0].value
-        (result << rule.AnalyzeTokens(tokens)).flatten!
+      begin
+        if rule.configurations[0].value
+          (result << rule.AnalyzeTokens(tokens)).flatten!
+        end
+      rescue
+        $logger.error("Error in running rule #{rule.name}")
       end
     end
 

data/lib/rules/no_http_rule.rb

@@ -8,21 +8,22 @@ class NoHTTPRule < Rule
   @resources = %w[apt::source ::apt::source wget::fetch yumrepo yum:: aptly::mirror util::system_package yum::managed_yumrepo]
   @keywords = %w[backport key download uri mirror]
   @http = /^http:\/\/.+/
-  @whitelist = [] # Todo:Need to check how is this set up
+  @whitelist = ""
 
   @resources_conf = ListConfiguration.new("List of resources that can use HTTP", @resources, "List of resources that are known to not use HTTPS but that validate the transferred content with other secure methods.")
   @keywords_conf = ListConfiguration.new("List of keywords for URLs", @keywords, "List of keywords that identify hyperlinks that should be analyzed.")
+  @whitelist_conf = RegexConfiguration.new("HTTP Address whitelist", @whitelist, "List of addresses that are allowed to have non-secure http connections to them.")
   @http_conf = RegexConfiguration.new("Regular expression of a normal HTTP address", @http, "Regular expression that identifies the URL of a website using the regular non-secure HTTP protocol.")
 
-  @configurations+=[@resources_conf, @keywords_conf, @http_conf]
+  @configurations+=[@resources_conf, @keywords_conf, @http_conf, @whitelist_conf]
 
   def self.AnalyzeTokens(tokens)
     result = []
 
     ptokens = self.filter_resources(tokens, @resources_conf.value)
-    ctokens = self.filter_variables(ptokens, @keywords_conf.value)
-    if @whitelist
-      wtokens = self.filter_whitelist(ctokens)
+    ctokens = self.filter_variables(ptokens, @keywords_conf.value) #TODO: It's working upside down
+    if @whitelist_conf.value
+      wtokens = self.filter_whitelist(ctokens, @whitelist_conf.value)
     else
       wtokens = ptokens
     end

data/lib/rules/rule.rb

@@ -67,10 +67,9 @@ class Rule
     return ftokens
   end
 
-  def self.filter_whitelist(tokens)
+  def self.filter_whitelist(tokens, whitelist)
     ftokens=tokens.find_all do |hash|
-      #!(@whitelist =~ hash.value.downcase)
-      true # TODO: Understand the whitelist
+      !(whitelist =~ hash.value.downcase)
     end
     return ftokens
   end

data/lib/servers/language_server.rb

@@ -7,8 +7,6 @@ require_relative '../facades/configuration_page_facade'
 require_relative '../facades/configuration_file_facade'
 
 class LanguageServer
-  ConfigurationVisitor.GenerateIDs
-  ConfigurationFileFacade.LoadConfigurations
 
   def self.start(port)
     port ||= 5007
@@ -20,7 +18,7 @@ class LanguageServer
           length=Integer(line.scan(/\d/).join(''))
           line=client.read(length+2)
           request = JSON.parse(line)
-          puts line
+          $logger.debug(line)
 
           method_name = request['method'].sub('/', '_')
           response = if self.respond_to? "client_"+method_name then self.send("client_"+method_name,request['id'],request['params']) end
@@ -29,7 +27,7 @@ class LanguageServer
             client.flush
             client.print("Content-Length: "+response.length.to_s+"\r\n\r\n")
             client.print(response)
-            puts response
+            $logger.debug(response)
           end
         end
         client.close

data/lib/servers/linter_server.rb

@@ -1,5 +1,5 @@
 require "rack"
-require "thin"
+require 'webrick'
 require 'json'
 require 'uri'
 require_relative '../rule_engine'
@@ -8,8 +8,6 @@ require_relative '../facades/configuration_page_facade'
 require_relative '../facades/configuration_file_facade'
 
 class LinterServer
-  ConfigurationVisitor.GenerateIDs
-  ConfigurationFileFacade.LoadConfigurations
 
   def call(env)
     req = Rack::Request.new(env)
@@ -46,7 +44,8 @@ class LinterServer
   end
 
   def self.start(port)
-    Rack::Handler::Thin.run(LinterServer.new, :Port => port)
+    log = WEBrick::Log.new $stdout,1
+    Rack::Handler::WEBrick.run(LinterServer.new, :Port => port,Logger: log )
   end
 
 end

data/lib/settings.ini

@@ -0,0 +1,40 @@
+[HardCodedCredentialsRule]
+HardCodedCredentialsRule-enable_configuration = true
+HardCodedCredentialsRule-list_of_known_words_not_considered_in_credentials = pe-puppet,pe-webserver,pe-puppetdb,pe-postgres,pe-console-services,pe-orchestration-services,pe-ace-server,pe-bolt-server
+HardCodedCredentialsRule-list_of_invalid_values_in_credentials = undefined,unset,www-data,wwwrun,www,no,yes,[],root
+HardCodedCredentialsRule-regular_expression_of_words_present_in_credentials = (?-mix:user|usr|pass(word|_|$)|pwd|key|secret)
+HardCodedCredentialsRule-regular_expression_of_words_not_present_in_credentials = (?-mix:gpg|path|type|buff|zone|mode|tag|header|scheme|length|guid)
+
+[NoHTTPRule]
+NoHTTPRule-enable_configuration = true
+NoHTTPRule-list_of_resources_that_can_use_http = apt::source,::apt::source,wget::fetch,yumrepo,yum::,aptly::mirror,util::system_package,yum::managed_yumrepo
+NoHTTPRule-list_of_keywords_for_urls = backport,key,download,uri,mirror
+NoHTTPRule-regular_expression_of_a_normal_http_address = (?-mix:^http:\/\/.+)
+NoHTTPRule-http_address_whitelist = (?-mix:^(127.0.0.1))
+
+[AdminByDefaultRule]
+AdminByDefaultRule-enable_configuration = true
+AdminByDefaultRule-regular_expression_of_words_present_in_credentials = (?-mix:user|usr|pass(word|_|$)|pwd)
+
+[EmptyPasswordRule]
+EmptyPasswordRule-enable_configuration = true
+EmptyPasswordRule-list_of_trigger_words = pwd,password,pass
+EmptyPasswordRule-regular_expression_of_password_name = (?-mix:pass(word|_|$)|pwd)
+
+[InvalidIPAddrBindingRule]
+InvalidIPAddrBindingRule-enable_configuration = true
+InvalidIPAddrBindingRule-regular_expression_of_an_invalid_ip_address = (?-mix:^((http(s)?:\/\/)?0.0.0.0(:\d{1,5})?)$)
+
+[UseWeakCryptoAlgorithmsRule]
+UseWeakCryptoAlgorithmsRule-enable_configuration = true
+UseWeakCryptoAlgorithmsRule-regular_expression_of_weak_crypto_algorithms = (?-mix:^(sha1|md5))
+
+[SuspiciousCommentRule]
+SuspiciousCommentRule-enable_configuration = true
+SuspiciousCommentRule-list_of_trigger_words = hack,fixme,later,later2,todo,ticket,launchpad,bug,to-do
+SuspiciousCommentRule-regular_expression_of_keywords_present_in_suspicious_comments = (?-mix:hack|fixme|ticket|bug|secur|debug|defect|weak)
+
+[CyrillicHomographAttack]
+CyrillicHomographAttack-enable_configuration = true
+CyrillicHomographAttack-regular_expression_of_links_with_cyrillic_characters = (?-mix:^(http(s)?:\/\/)?.*\p{Cyrillic}+)
+

data/puppet-sec-lint.gemspec

@@ -34,8 +34,10 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'rake', '~> 13.0'
   spec.add_runtime_dependency 'minitest', '~> 5.0'
   spec.add_runtime_dependency 'rack', '~> 2.2.3'
+  spec.add_runtime_dependency 'webrick', '~> 1.7.0'
   spec.add_runtime_dependency 'inifile', '~> 3.0.0'
   spec.add_runtime_dependency 'launchy', '~> 2.5.0'
+  spec.add_runtime_dependency 'logger', '~> 1.4.3'
 
   # For more information and examples about making a new gem, checkout our
   # guide at: https://bundler.io/guides/creating_gem.html

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet-sec-lint
 version: !ruby/object:Gem::Version
-  version: 0.5.7
+  version: 0.5.13
 platform: ruby
 authors:
 - Tiago Ribeiro
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-05-14 00:00:00.000000000 Z
+date: 2021-05-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: puppet-lint
@@ -72,6 +72,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.2.3
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.7.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.7.0
 - !ruby/object:Gem::Dependency
   name: inifile
   requirement: !ruby/object:Gem::Requirement
@@ -100,6 +114,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.5.0
+- !ruby/object:Gem::Dependency
+  name: logger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.4.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.4.3
 description: This is a more complete security linter for the puppet language
 email:
 - tiago7b27@gmail.com
@@ -169,6 +197,7 @@ files:
 - lib/rules/use_weak_crypto_algorithms_rule.rb
 - lib/servers/language_server.rb
 - lib/servers/linter_server.rb
+- lib/settings.ini
 - lib/sin/sin.rb
 - lib/sin/sin_type.rb
 - lib/visitors/configuration_visitor.rb