puppet-sec-lint 0.5.6 → 0.5.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9122cfc7a33eaeec5420572853a125a9689e5cbb991b4f01d91fa329797c894c
-  data.tar.gz: a69e4c6c6cf57eef56f0827a04464b005e3796f5831117127360ec29aaad7a90
+  metadata.gz: 7b342570d0cd33a8818a927585edab299dc3117eea0bd92ca2b017045627836f
+  data.tar.gz: 14c9957c5262ca2b9dfa209740fc3de748fb326009ca24a98b3fc046b99defa2
 SHA512:
-  metadata.gz: 8795ab736c4f332c9de27803b3fb87dfeb4e6828b559eb01b92fb1df968ce3a8d471f102161e65f02a43fa1e5d91b9d55d4c53a7a41c07b0d564d401f9643f91
-  data.tar.gz: 68fc3d3ae216a5752d89245847dea69d10579d8eb411835a9b9c97c66f40ef59e5481db97e1787e4ca527b29ee2bc4a687e747127a62e288e09f69823b69e325
+  metadata.gz: 326b1e1ef9084032fa9fe0e2403c666d7ea385806a42848a9939ff0e3b62837d28f2af794ee9f4cf45cabaffac891b5787164a8b89d0182f1d0cb21d3ba17fee
+  data.tar.gz: 440a31bcac39c6818463e8fec34611e7df7f7779ac05b69b697c1caa24ce9006dbdd5e8316081708eeae19f85af18c381fb1a07cf25f4efb5fd3fe3d18074e63

data/.idea/puppet-sec-lint.iml

@@ -28,16 +28,16 @@
     <option name="myRootTask">
       <RakeTaskImpl id="rake">
         <subtasks>
-          <RakeTaskImpl description="Build puppet-sec-lint-0.1.2.gem into the pkg directory" fullCommand="build" id="build" />
+          <RakeTaskImpl description="Build puppet-sec-lint-0.1.0.gem into the pkg directory" fullCommand="build" id="build" />
           <RakeTaskImpl description="Remove any temporary products" fullCommand="clean" id="clean" />
           <RakeTaskImpl description="Remove any generated files" fullCommand="clobber" id="clobber" />
-          <RakeTaskImpl description="Build and install puppet-sec-lint-0.1.2.gem into system gems" fullCommand="install" id="install" />
+          <RakeTaskImpl description="Build and install puppet-sec-lint-0.1.0.gem into system gems" fullCommand="install" id="install" />
           <RakeTaskImpl id="install">
             <subtasks>
-              <RakeTaskImpl description="Build and install puppet-sec-lint-0.1.2.gem into system gems without network access" fullCommand="install:local" id="local" />
+              <RakeTaskImpl description="Build and install puppet-sec-lint-0.1.0.gem into system gems without network access" fullCommand="install:local" id="local" />
             </subtasks>
           </RakeTaskImpl>
-          <RakeTaskImpl description="Create tag v0.1.2 and build and push puppet-sec-lint-0.1.2.gem to https://rubygems.org" fullCommand="release[remote]" id="release[remote]" />
+          <RakeTaskImpl description="Create tag v0.1.0 and build and push puppet-sec-lint-0.1.0.gem to TODO: Set to 'http://mygemserver.com'" fullCommand="release[remote]" id="release[remote]" />
           <RakeTaskImpl description="Run tests" fullCommand="test" id="test" />
           <RakeTaskImpl description="" fullCommand="default" id="default" />
           <RakeTaskImpl description="" fullCommand="release" id="release" />

data/Gemfile.lock

@@ -1,14 +1,13 @@
 PATH
   remote: .
   specs:
-    puppet-sec-lint (0.5.2)
+    puppet-sec-lint (0.5.6)
       inifile (~> 3.0.0)
       launchy (~> 2.5.0)
       minitest (~> 5.0)
       puppet-lint (~> 2.4, >= 2.4.2)
       rack (~> 2.2.3)
       rake (~> 13.0)
-      thin (~> 1.8.0)
 
 GEM
   remote: https://rubygems.org/

data/docs/Gemfile.lock

@@ -1,7 +1,7 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (6.0.3.6)
+    activesupport (6.0.3.7)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
@@ -25,7 +25,7 @@ GEM
     ethon (0.14.0)
       ffi (>= 1.15.0)
     eventmachine (1.2.7)
-    execjs (2.7.0)
+    execjs (2.8.0)
     faraday (1.4.1)
       faraday-excon (~> 1.1)
       faraday-net_http (~> 1.0)
@@ -228,7 +228,7 @@ GEM
       forwardable-extended (~> 2.6)
     public_suffix (4.0.6)
     racc (1.5.2)
-    rb-fsevent (0.10.4)
+    rb-fsevent (0.11.0)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
     rexml (3.2.5)

data/docs/_config.yml

@@ -13,14 +13,10 @@
 # you will see them accessed via {{ site.title }}, {{ site.email }}, and so on.
 # You can create any custom variable you would like, and they will be accessible
 # in the templates via {{ site.myvariable }}.
-title: Puppet Securtiy Linter
+title: Puppet Security Linter
 email: tiago7b27@gmail.com
 description: >- # this means to ignore newlines until "baseurl:"
-  Scurity focused linter to detect and help solve vulnearbilities found on Puppet Infrastructure-as-code scripts
-baseurl: "" # the subpath of your site, e.g. /blog
-url: "" # the base hostname & protocol for your site, e.g. http://example.com
-twitter_username: jekyllrb
-github_username:  jekyll
+  Security focused linter to detect and help solve vulnerabilities found on Puppet Infrastructure-as-code scripts
 
 # Build settings
 markdown: kramdown

data/docs/_site/404.html

@@ -4,7 +4,7 @@
     <meta charset='utf-8'>
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
     <meta name="viewport" content="width=device-width, initial-scale=1">
-    <link rel="stylesheet" href="/assets/css/style.css?v=451ab93a01ea7ba9ec933d2a6c0ad3f1555b70e0">
+    <link rel="stylesheet" href="/assets/css/style.css?v=b8f4fcea6993188f9bfaf6d72181f63f9e7a5872">
 
 <!-- Begin Jekyll SEO tag v2.7.1 -->
 <title>Puppet Securtiy Linter | Scurity focused linter to detect and help solve vulnearbilities found on Puppet Infrastructure-as-code scripts</title>
@@ -19,7 +19,7 @@
 <meta name="twitter:card" content="summary" />
 <meta property="twitter:title" content="Puppet Securtiy Linter" />
 <script type="application/ld+json">
-{"@type":"WebPage","headline":"Puppet Securtiy Linter","description":"Scurity focused linter to detect and help solve vulnearbilities found on Puppet Infrastructure-as-code scripts","url":"http://localhost:4000/404.html","@context":"https://schema.org"}</script>
+{"headline":"Puppet Securtiy Linter","description":"Scurity focused linter to detect and help solve vulnearbilities found on Puppet Infrastructure-as-code scripts","url":"http://localhost:4000/404.html","@type":"WebPage","@context":"https://schema.org"}</script>
 <!-- End Jekyll SEO tag -->
 
   </head>

data/docs/_site/feed.xml

@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.9.0">Jekyll</generator><link href="http://localhost:4000/feed.xml" rel="self" type="application/atom+xml" /><link href="http://localhost:4000/" rel="alternate" type="text/html" /><updated>2021-05-03T22:26:18+01:00</updated><id>http://localhost:4000/feed.xml</id><title type="html">Puppet Securtiy Linter</title><subtitle>Scurity focused linter to detect and help solve vulnearbilities found on Puppet Infrastructure-as-code scripts</subtitle><entry><title type="html">Welcome to Jekyll!</title><link href="http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll.html" rel="alternate" type="text/html" title="Welcome to Jekyll!" /><published>2021-05-03T21:09:12+01:00</published><updated>2021-05-03T21:09:12+01:00</updated><id>http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll</id><content type="html" xml:base="http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll.html">&lt;p&gt;You’ll find this post in your &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;_posts&lt;/code&gt; directory. Go ahead and edit it and re-build the site to see your changes. You can rebuild the site in many different ways, but the most common way is to run &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;jekyll serve&lt;/code&gt;, which launches a web server and auto-regenerates your site when a file is updated.&lt;/p&gt;
+<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.9.0">Jekyll</generator><link href="http://localhost:4000/feed.xml" rel="self" type="application/atom+xml" /><link href="http://localhost:4000/" rel="alternate" type="text/html" /><updated>2021-05-13T01:19:00+01:00</updated><id>http://localhost:4000/feed.xml</id><title type="html">Puppet Securtiy Linter</title><subtitle>Scurity focused linter to detect and help solve vulnearbilities found on Puppet Infrastructure-as-code scripts</subtitle><entry><title type="html">Welcome to Jekyll!</title><link href="http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll.html" rel="alternate" type="text/html" title="Welcome to Jekyll!" /><published>2021-05-03T21:09:12+01:00</published><updated>2021-05-03T21:09:12+01:00</updated><id>http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll</id><content type="html" xml:base="http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll.html">&lt;p&gt;You’ll find this post in your &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;_posts&lt;/code&gt; directory. Go ahead and edit it and re-build the site to see your changes. You can rebuild the site in many different ways, but the most common way is to run &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;jekyll serve&lt;/code&gt;, which launches a web server and auto-regenerates your site when a file is updated.&lt;/p&gt;
 
 &lt;p&gt;To add new posts, simply add a file in the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;_posts&lt;/code&gt; directory that follows the convention &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;YYYY-MM-DD-name-of-post.ext&lt;/code&gt; and includes the necessary front matter. Take a look at the source for this post to get an idea about how it works.&lt;/p&gt;
 

data/docs/_site/jekyll/update/2021/05/03/welcome-to-jekyll.html

@@ -4,7 +4,7 @@
     <meta charset='utf-8'>
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
     <meta name="viewport" content="width=device-width, initial-scale=1">
-    <link rel="stylesheet" href="/assets/css/style.css?v=451ab93a01ea7ba9ec933d2a6c0ad3f1555b70e0">
+    <link rel="stylesheet" href="/assets/css/style.css?v=b8f4fcea6993188f9bfaf6d72181f63f9e7a5872">
 
 <!-- Begin Jekyll SEO tag v2.7.1 -->
 <title>Welcome to Jekyll! | Puppet Securtiy Linter</title>
@@ -21,7 +21,7 @@
 <meta name="twitter:card" content="summary" />
 <meta property="twitter:title" content="Welcome to Jekyll!" />
 <script type="application/ld+json">
-{"@type":"BlogPosting","mainEntityOfPage":{"@type":"WebPage","@id":"http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll.html"},"headline":"Welcome to Jekyll!","dateModified":"2021-05-03T21:09:12+01:00","datePublished":"2021-05-03T21:09:12+01:00","description":"You’ll find this post in your _posts directory. Go ahead and edit it and re-build the site to see your changes. You can rebuild the site in many different ways, but the most common way is to run jekyll serve, which launches a web server and auto-regenerates your site when a file is updated.","url":"http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll.html","@context":"https://schema.org"}</script>
+{"headline":"Welcome to Jekyll!","dateModified":"2021-05-03T21:09:12+01:00","datePublished":"2021-05-03T21:09:12+01:00","description":"You’ll find this post in your _posts directory. Go ahead and edit it and re-build the site to see your changes. You can rebuild the site in many different ways, but the most common way is to run jekyll serve, which launches a web server and auto-regenerates your site when a file is updated.","url":"http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll.html","@type":"BlogPosting","mainEntityOfPage":{"@type":"WebPage","@id":"http://localhost:4000/jekyll/update/2021/05/03/welcome-to-jekyll.html"},"@context":"https://schema.org"}</script>
 <!-- End Jekyll SEO tag -->
 
   </head>

data/docs/admin-by-default.md

@@ -0,0 +1,27 @@
+---
+title: Admin by default
+permalink: /admin-by-default/
+layout: default
+---
+
+# Admin by default
+
+## What is it?
+
+An user who is created with administrator privileges usually has permission to do everything in the system. It's usually identified with the username 'admin' in a lot of software applications.  
+
+### Example
+```puppet
+user { 'admin':
+  ensure => 'present'
+}
+```
+This user, with the username 'admin', will likely have a big concentration of privileges by default.
+
+## How can it be exploited?
+
+Any account with the power to do everything in the system is a very dangerous single point of failure. Firstly, even during normal operations, it allows for its user to potentially change the system in unwanted ways, or even access information that he's not supposed to. Even worse, it presents a very dangerous point of entry for an attacker, as he just needs to compromise this single password to have complete access to the system.
+
+## How to avoid it?
+
+Accounts should always be setup up with the [Principle of least privilege](https://us-cert.cisa.gov/bsi/articles/knowledge/principles/least-privilege) in mind, meaning that all accounts should only get the permissions strictly necessary to perform their required tasks during the minimum amount of time possible. This severely limits the exposure to accidental errors and also to malicious attackers.

data/docs/cyrillic-homograph-attack.md

@@ -0,0 +1,40 @@
+---
+title: Cyrillic Homograph Attack
+permalink: /cyrillic-homograph-attack/
+layout: default
+---
+
+# Cyrillic Homograph Attack
+
+## What are they?
+
+A Cyrillic Homograph attack takes advantage of the fact that several characters in the [Cyrillic alphabet](https://www.britannica.com/topic/Cyrillic-alphabet) are virtually indistinguishable (homographs) from regular Latin ones in a lot of fonts. This makes it possible for attackers to setup fake domains with Cyrillic characters that look identical to the real one but redirect the user to a malicious website.
+
+### Example
+These two website links look identical:
+```
+https://google.com
+https://gооgle.com
+```
+
+But after taking a closer look at the code of each character of the website name only, it's possible to see where the attack can be made:
+```
+\u0067 \u006f \u006f \u0067 \u006c \u0065 \u002e \u0063 \u006f \u006d
+\u0067 \u043e \u043e \u0067 \u006c \u0065 \u002e \u0063 \u006f \u006d
+  g      o       o       g      l     e       .      c     o     m
+```
+
+It's possible to see that the second and third characters in the word "google" are different. On the top domain, the Latin o letter is used (unicode u006f) but on the bottom one, the Cyrillic о letter is used (unicode u043e). Although similar, the bottom website can point to a completely different server.
+
+## How can it be exploited?
+
+To exploit this vulnerability, an attacker can setup, for example, a malicious software repository and register a domain that looks exactly like an existing legitimate one, but written with Cyrillic characters. It's even possible to request a SSL certificate for it, making it possible to receive HTTPS connections, further  convincing the user of its authenticity.
+
+This malicious domain on a Puppet manifest can point to a fake package repository, containing malware infected versions of legitimate packages. These malicious packages would then be installed in all infrastructure deployed by that manifest, causing a widespread infection that could severely compromise the integrity of the systems.
+  
+## How to avoid it?
+
+After the tool detects the presence of Cyrillic characters on a URL, the best course of action is to replace all Cyrillic characters with their Latin counterparts, as these characters are very rarely used in legitimate domains.
+Then, check if the domain is well written (subtle misspellings with similar letters are very common in these kinds of attacks).
+
+To better ensure that the domain is actually the correct one, the URL can also be copied from a trusted source.

data/docs/empty-password.md

@@ -0,0 +1,27 @@
+---
+title: Empty Password
+permalink: /empty-password/
+layout: default
+---
+
+# Empty password
+
+## What are they?
+
+An account with an empty password is different from an account with no password. Here, the password exists, it's prompted but it's an empty string.
+
+### Example
+If an account has an empty password, when logging in, the user should still be prompted fo input the password:
+```
+Password:
+```
+
+But a simple click on the return key, without actually writing anything, is enough to log in.
+
+## How can it be exploited?
+
+An attacker looking to gain access to an account my try a couple of different generic and vulnerable passwords to brute force his way in. One of his first attempts may be to just press return without actually writing anything. This makes for a very easy password to be guessed.
+
+## How to avoid it?
+
+Secure software systems should have a decent password policy that prevents, among other types, empty passwords. This means that it's very likely for the Puppet manifest to fail as the password would be rejected. But even if the target software accepts empty passwords, a long and hard to guess password is always a much safer option against malicious attacks.

data/docs/hard-coded-credentials.md

@@ -1,17 +1,80 @@
 ---
 title: Hard Coded Credentials
 permalink: /hard-coded-credentials/
+layout: default
 ---
 
 # Hard Coded Credentials
 
-Writing sensitive credentials on puppet scripts  can expose them to malicious actors who can obtain access to these files.
+## What are they?
 
-## Example
+Hard Coded credentials are sensitive information, like passwords, private keys and other secrets, that are written directly on the source code, in plain text.
+### Examples
+Username and password for a mysql database:
+```puppet
+mysql::user { 'pdns':
+  password => 'pdns123pass',
+  requires => Mysql::Database['pdns'];
+}
+```
 
+Private key used to access a database:
 ```puppet
-class example::service (
-    $username = "user1",
-    $passsword = "amind1234"
-  ) 
+file { '/etc/mysql/server-key.pem':
+  ensure  => file,
+  content => '-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA9bftj7SJfMpBqk7eza3I1Tp4n3VbjkEo7pq9ft6hCpSHaThN
+OU362GyeLawZNTCtROePj3g2StB3UFQTGRe5Xbl510UaoRwSpHnUSTaDfjPeT8SX
+(...)
+nh0c2NOM2YaGl1J0/WUnzsg7ZDMY6S9zQQ/KZP6LVm4P5yn3k8h8B9FL13a9AK83
+89RotRTzKPEAh7SjI84GAVUn6BcxsrVroe3p45E9KpX1bgYCkvu45Q==
+-----END RSA PRIVATE KEY-----',
+}
+```
+
+## How can it be exploited?
+
+Having hard coded credentials in code can expose the software to several kinds of vulnerabilities:
+* If the puppet manifest is used to deploy several different machines, because the credentials are hard coded, all of them will share the same credentials. This make it possible for an attacker to exploit all machines after compromising just one of them.
+* It's hard to manage and rotate secrets if these ever get compromised, as they can be distributed across several different manifests.
+* If an attacker ever gets hold of the source code (by compromising the code repository or the local machine of one developer for example), he can easily access the credentials for potentially all machines in the system. 
+  This is an even bigger problem if the source code is open source, as in that case the passwords are completely open to anyone to see them.
+  
+## How to avoid it?
+
+There are much better ways to store credentials and other secrets. A fairly easy and secure way is by using a tool provided by Puppet called [Hiera](https://puppet.com/docs/puppet/7.6/hiera.html).
+
+It allows the storage of credentials and other data in a centralized file, using then keys to reference them in the source code. This allows for an easy management of the passwords and the possibility of, for example, quickly rotating them between installations.
+
+For even more security, [Hiera can use an encrypted file](https://puppet.com/blog/encrypt-your-data-using-hiera-eyaml/), protecting also against attackers who might, for example, gain access to the source code repository.
+
+### Example
+
+A **secrets.yaml** file containing the password:
+
+```yaml
+---
+password: pdns123pass
+privatekey: |-
+  -----BEGIN OPENSSH PRIVATE KEY-----
+  b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
+  NhAAAAAwEAAQAAAQEAssBRe91wZ0TJBIWK2V1NH/ourcFPb0cA4ln32a3j5QITMS3zhs/o
+(...)
+  C8YRNCLnBgR2CCp27D0wuadL9aFITlx91GPytF9BKxzy949VaF6SEw9M86oouj362u/BvP
+  CO7Hnjlg77HRNFXPAAAAFWxrYW1pcmVkZHlAdm13YXJlLmNvbQECAwQF
+  -----END OPENSSH PRIVATE KEY-----
 ```
+
+And then the source code from the examples above, but now without hard coded credentials:
+
+```puppet
+mysql::user { 'pdns':
+  password => hiera("password"),
+  requires => Mysql::Database['pdns'];
+}
+
+file { '/etc/mysql/server-key.pem':
+  ensure  => file,
+  content => hiera("privatekey"),
+}
+```

data/docs/invalid-ip-addr-binding.md

@@ -0,0 +1,31 @@
+---
+title: Invalid IP Address binding
+permalink: /invalid-ip-addr-binding/
+layout: default
+---
+
+# Invalid IP Address binding
+
+## What it it?
+
+Binding an IP address to a server or service means authorizing connections incoming from those networks. This allows to limit what kind of incoming connections a server may or may not accept. Binding the 0.0.0.0 IP address to a service means that any connection from any network is accepted.
+
+### Example
+Using Puppet to configure a MySQL database bind address:
+```puppet
+  class { 'mysql::server':
+    config_hash => {
+                     'bind_address' => '0.0.0.0'
+                   }
+  }
+```
+This configuration means that the database accepts connections from anywhere, including remote clients if it's connected to the internet.
+
+
+## How can it be exploited?
+
+A server or service that's open to all kinds of connections it's more exposed to possible attacks coming from non intended networks. A malicious attacker can try to gain access to it just by using it's own network or other compromised networks across the globe.
+
+## How to avoid it?
+
+Properly configuring binding addresses means that the server should only accept connections from trusted networks known to use the service. This ensures a greater level of control and also protection, as an attacker would know have an extra obstacle in trying to gain access first to one of those networks.

data/docs/weak-crypto-algorithm.md

@@ -0,0 +1,31 @@
+---
+title: 
+permalink: /weak-crypto-algorithm/
+layout: default
+---
+
+# Use of weak Cryptographic algorithms
+
+## What are they?
+
+A Cryptographic hash algorithm is a one-way function used to map data to an unique fixed-sized sequence of bytes. This has several applications in CyberSecurity, like storing passwords securely in a server for example. The strength of an algorithm is measured by its ability to generate a truly unique output for every unique input and also by its ability to be non reversible, meaning that it should be impossible to determine the original value given the generated hash. 
+
+Weak algorithms like MD5 or SHA-1, either by their age or by their design flaws, are known to not ensure these properties.
+
+### Example
+The weakness of the SHA-1 algorithm was originally demonstrated with the collision shown on [this website](https://shattered.it):
+
+```shell
+$ sha1sum *.pdf
+38762cf7f55934b34d179ae6a4c80cadccbb7f0a  shattered-1.pdf
+38762cf7f55934b34d179ae6a4c80cadccbb7f0a  shattered-2.pdf
+```
+They have two different .pdf files that should generate two different hashes, but as shown above, the resulting hash is exactly the same.
+
+## How can it be exploited?
+
+An attacker who was able to gain access to a server and steal the hashes from all passwords may exploit the weaknesses on the hashing algorithm to either try to reverse them or perform a collision attack. This happens because the algorithm allows the existence of collisions, meaning that an attacker may be able to brute force an hash without even finding the original password.
+
+## How to avoid it?
+
+If the Puppet manifest is being used to generate hashes for passwords or important data, using a more secure algorithm like SHA256 is very advisable as it avoids exposure to the risks mentioned above, ensuring that the algorithm actually performs what's intended to.

data/lib/lol.pp

@@ -8,17 +8,17 @@
 # the following code addresses the bug: https://bugs.launchpad.net/keystone/+bug/1472285 .
 
 class consul_template::service (
-    $pass                   = lols(3),
-    $aijoijooiumihhn_password = 'pe-puppet'
-    $admin       = 'ceisssesrelometer',
-    $aijoijooiumihhn_password = '(adiyu(guygmin',
+    $rpc_password                   = '{6ad470ec62b0511b63340dca2950d750181598efnHKvN1ge',
+    $admin_username = 'admin',
+    $password       = 'ceilometer',
+    $admin_password = 'admin',
   ) {
   exec { 'network-restart':
     command        => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM release-runner key',
     path           => '/usr/bin:/usr/sbin:/bin:/sbin',
     refreshonly    => true,
     vmware_md5     => 'LOL',
-    autho          => 'MDi09i09i5',
+    autho          => 'MD5',
     cmd            => 'virsh secret-define --file ${secret_xml} && virsh secret-set-value --secret ${rbd_secret_uuid} --base64 $(ceph auth get-key client.${user})',
     $auth_uri      => 'http://127.0.0.1:5000',
     'bind_address' => '0.0.0.0',
@@ -80,4 +80,4 @@ UcXHbA==
     replace => true,
     require => File['/var/lib/gerrit/.ssh']
   }
-}
+}

data/lib/puppet-sec-lint/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module PuppetSecLint
-  VERSION = "0.5.6"
+  VERSION = "0.5.7"
   YEAR = "2021"
   AUTHOR = "Tiago Ribeiro"
 end

data/puppet-sec-lint.gemspec

@@ -34,7 +34,6 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'rake', '~> 13.0'
   spec.add_runtime_dependency 'minitest', '~> 5.0'
   spec.add_runtime_dependency 'rack', '~> 2.2.3'
-  spec.add_runtime_dependency 'thin', '~> 1.8.0'
   spec.add_runtime_dependency 'inifile', '~> 3.0.0'
   spec.add_runtime_dependency 'launchy', '~> 2.5.0'
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet-sec-lint
 version: !ruby/object:Gem::Version
-  version: 0.5.6
+  version: 0.5.7
 platform: ruby
 authors:
 - Tiago Ribeiro
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-05-12 00:00:00.000000000 Z
+date: 2021-05-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: puppet-lint
@@ -72,20 +72,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.2.3
-- !ruby/object:Gem::Dependency
-  name: thin
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.8.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.8.0
 - !ruby/object:Gem::Dependency
   name: inifile
   requirement: !ruby/object:Gem::Requirement
@@ -149,14 +135,20 @@ files:
 - docs/_posts/2021-05-03-welcome-to-jekyll.markdown
 - docs/_site/404.html
 - docs/_site/feed.xml
+- docs/_site/images/puppet-sec-lint_console.png
+- docs/_site/images/puppet-sec-lint_vscode.png
 - docs/_site/index.html
 - docs/_site/jekyll/update/2021/05/03/welcome-to-jekyll.html
+- docs/admin-by-default.md
+- docs/cyrillic-homograph-attack.md
+- docs/empty-password.md
 - docs/hard-coded-credentials.md
 - docs/images/puppet-sec-lint_console.png
 - docs/images/puppet-sec-lint_vscode.png
 - docs/index.md
+- docs/invalid-ip-addr-binding.md
+- docs/weak-crypto-algorithm.md
 - exe/puppet-sec-lint
-- file.pp
 - lib/configurations/boolean_configuration.rb
 - lib/configurations/configuration.rb
 - lib/configurations/list_configuration.rb
@@ -177,17 +169,9 @@ files:
 - lib/rules/use_weak_crypto_algorithms_rule.rb
 - lib/servers/language_server.rb
 - lib/servers/linter_server.rb
-- lib/settings.ini
 - lib/sin/sin.rb
 - lib/sin/sin_type.rb
-- lib/test.txt
-- lib/test2.rb
-- lib/test3.rb
-- lib/test_new.rb
 - lib/visitors/configuration_visitor.rb
-- puppet-sec-lint-0.5.3.gem
-- puppet-sec-lint-0.5.4.gem
-- puppet-sec-lint-0.5.5.gem
 - puppet-sec-lint.gemspec
 homepage: https://github.com/TiagoR98/puppet-sec-lint
 licenses:

data/file.pp

@@ -1,77 +0,0 @@
-# the following code addresses the bug: https://bugs.launchpad.net/keystone/+bug/1472285 .
-
-class consul_template::service (
-    $pass                   = lols(3),
-    $aijoijooiumihhn_password = 'pe-puppet'
-    $admin       = 'ceisssesrelometer',
-    $aijoijooiumihhn_password = '(adiyu(guygmin',
-  ) {
-  exec { 'network-restart':
-    command        => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM release-runner key',
-    path           => '/usr/bin:/usr/sbin:/bin:/sbin',
-    refreshonly    => true,
-    vmware_md5     => 'LOL',
-    autho          => 'MDi09i09i5',
-    cmd            => 'virsh secret-define --file ${secret_xml} && virsh secret-set-value --secret ${rbd_secret_uuid} --base64 $(ceph auth get-key client.${user})',
-    $auth_uri      => 'http://127.0.0.1:5000',
-    address => '0.0.0.0',
-    user = 'admin',
-    password       => '',
-  }
-  case $::osfamily {
-    'RedHat': {
-    exec { 'upload-img':
-      command => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} add name=${img_name} is_public=${public} container_format=${container_format} disk_format=${disk_format} distro=${os_name} < /opt/vm/cirros-x86_64-disk.img",
-      unless => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index && (/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index | grep ${img_name})",
-
-      }
-    }
-    'Debian': {
-    exec { 'upload-img':
-      command => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} add name=${img_name} is_public=${public} container_format=${container_format} disk_format=${disk_format} distro=${os_name} < /usr/share/cirros-testvm/cirros-x86_64-disk.img",
-      unless => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index && (/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index | grep ${img_name})",
-      key => "E8CC67053ED3B199",
-      key_content => '-----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-mQENBE/oXVkBCACcjAcV7lRGskECEHovgZ6a2robpBroQBW+tJds7B+qn/DslOAN
-1hm0UuGQsi8pNzHDE29FMO3yOhmkenDd1V/T6tHNXqhHvf55nL6anlzwMmq3syIS
-uqVjeMMXbZ4d+Rh0K/rI4TyRbUiI2DDLP+6wYeh1pTPwrleHm5FXBMDbU/OZ5vKZ
-67j99GaARYxHp8W/be8KRSoV9wU1WXr4+GA6K7ENe2A8PT+jH79Sr4kF4uKC3VxD
-BF5Z0yaLqr+1V2pHU3AfmybOCmoPYviOqpwj3FQ2PhtObLs+hq7zCviDTX2IxHBb
-Q3mGsD8wS9uyZcHN77maAzZlL5G794DEr1NLABEBAAG0NU9wZW5TdGFja0BDaXNj
-byBBUFQgcmVwbyA8b3BlbnN0YWNrLWJ1aWxkZEBjaXNjby5jb20+iQE4BBMBAgAi
-BQJP6F1ZAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDozGcFPtOxmXcK
-B/9WvQrBwxmIMV2M+VMBhQqtipvJeDX2Uv34Ytpsg2jldl0TS8XheGlUNZ5djxDy
-u3X0hKwRLeOppV09GVO3wGizNCV1EJjqQbCMkq6VSJjD1B/6Tg+3M/XmNaKHK3Op
-zSi+35OQ6xXc38DUOrigaCZUU40nGQeYUMRYzI+d3pPlNd0+nLndrE4rNNFB91dM
-BTeoyQMWd6tpTwz5MAi+I11tCIQAPCSG1qR52R3bog/0PlJzilxjkdShl1Cj0RmX
-7bHIMD66uC1FKCpbRaiPR8XmTPLv29ZTk1ABBzoynZyFDfliRwQi6TS20TuEj+ZH
-xq/T6MM6+rpdBVz62ek6/KBcuQENBE/oXVkBCACgzyyGvvHLx7g/Rpys1WdevYMH
-THBS24RMaDHqg7H7xe0fFzmiblWjV8V4Yy+heLLV5nTYBQLS43MFvFbnFvB3ygDI
-IdVjLVDXcPfcp+Np2PE8cJuDEE4seGU26UoJ2pPK/IHbnmGWYwXJBbik9YepD61c
-NJ5XMzMYI5z9/YNupeJoy8/8uxdxI/B66PL9QN8wKBk5js2OX8TtEjmEZSrZrIuM
-rVVXRU/1m732lhIyVVws4StRkpG+D15Dp98yDGjbCRREzZPeKHpvO/Uhn23hVyHe
-PIc+bu1mXMQ+N/3UjXtfUg27hmmgBDAjxUeSb1moFpeqLys2AAY+yXiHDv57ABEB
-AAGJAR8EGAECAAkFAk/oXVkCGwwACgkQ6MxnBT7TsZng+AgAnFogD90f3ByTVlNp
-Sb+HHd/cPqZ83RB9XUxRRnkIQmOozUjw8nq8I8eTT4t0Sa8G9q1fl14tXIJ9szzz
-BUIYyda/RYZszL9rHhucSfFIkpnp7ddfE9NDlnZUvavnnyRsWpIZa6hJq8hQEp92
-IQBF6R7wOws0A0oUmME25Rzam9qVbywOh9ZQvzYPpFaEmmjpCRDxJLB1DYu8lnC4
-h1jP1GXFUIQDbcznrR2MQDy5fNt678HcIqMwVp2CJz/2jrZlbSKfMckdpbiWNns/
-xKyLYs5m34d4a0it6wsMem3YCefSYBjyLGSd/kCI/CgOdGN1ZY1HSdLmmjiDkQPQ
-UcXHbA==
-=v6jg
------END PGP PUBLIC KEY BLOCK-----',
-
-      }
-    }
-  }
-  file { '/var/lib/gerrit/.ssh/id_rsa' :
-    owner   => 'gerrit',
-    group   => 'gerrit',
-    mode    => '0600',
-    content => $ssh_replication_rsa_key_contents,
-    replace => true,
-    require => File['/var/lib/gerrit/.ssh']
-  }
-}

data/lib/settings.ini

@@ -1,39 +0,0 @@
-[HardCodedCredentialsRule]
-HardCodedCredentialsRule-enable_configuration = true
-HardCodedCredentialsRule-list_of_known_words_not_considered_in_credentials = pe-puppet,pe-webserver,pe-puppetdb,pe-postgres,pe-console-services,pe-orchestration-services,pe-ace-server,pe-bolt-server
-HardCodedCredentialsRule-list_of_invalid_values_in_credentials = undefined,unset,www-data,wwwrun,www,no,yes,[],root
-HardCodedCredentialsRule-regular_expression_of_words_present_in_credentials = (?-mix:user|usr|pass(word|_|$)|pwd|key|secret)
-HardCodedCredentialsRule-regular_expression_of_words_not_present_in_credentials = (?-mix:gpg|path|type|buff|zone|mode|tag|header|scheme|length|guid)
-
-[NoHTTPRule]
-NoHTTPRule-enable_configuration = true
-NoHTTPRule-list_of_resources_that_can_use_http = apt::source,::apt::source,wget::fetch,yumrepo,yum::,aptly::mirror,util::system_package,yum::managed_yumrepo
-NoHTTPRule-list_of_keywords_for_urls = backport,key,download,uri,mirror
-NoHTTPRule-regular_expression_of_a_normal_http_address = (?-mix:^http:\/\/.+)
-
-[AdminByDefaultRule]
-AdminByDefaultRule-enable_configuration = true
-AdminByDefaultRule-regular_expression_of_words_present_in_credentials = (?-mix:user|usr|pass(word|_|$)|pwd)
-
-[EmptyPasswordRule]
-EmptyPasswordRule-enable_configuration = true
-EmptyPasswordRule-list_of_trigger_words = pwd,password,pass
-EmptyPasswordRule-regular_expression_of_password_name = (?-mix:pass(word|_|$)|pwd)
-
-[InvalidIPAddrBindingRule]
-InvalidIPAddrBindingRule-enable_configuration = true
-InvalidIPAddrBindingRule-regular_expression_of_an_invalid_ip_address = (?-mix:^((http(s)?:\/\/)?0.0.0.0(:\d{1,5})?)$)
-
-[UseWeakCryptoAlgorithmsRule]
-UseWeakCryptoAlgorithmsRule-enable_configuration = true
-UseWeakCryptoAlgorithmsRule-regular_expression_of_weak_crypto_algorithms = (?-mix:^(sha1|md5))
-
-[SuspiciousCommentRule]
-SuspiciousCommentRule-enable_configuration = true
-SuspiciousCommentRule-list_of_trigger_words = hack,fixme,later,later2,todo,ticket,launchpad,bug,to-do
-SuspiciousCommentRule-regular_expression_of_keywords_present_in_suspicious_comments = (?-mix:hack|fixme|ticket|bug|secur|debug|defect|weak)
-
-[CyrillicHomographAttack]
-CyrillicHomographAttack-enable_configuration = true
-CyrillicHomographAttack-regular_expression_of_links_with_cyrillic_characters = (?-mix:^(http(s)?:\/\/)?.*\p{Cyrillic}+)
-

data/lib/test.txt

@@ -1,15 +0,0 @@
-jiuhiuhiuh
-ouhiuhiuh
-iuhiuh
-iuhiuhkokok
-kokokokokokokowdijwoidjqwoidjqwodijqdoiqjwdodij
-qwdqwd
-qwdqwddq
-wd
-qwdqwdoijoijoijoij
-oijoijoijoij
-kkkkkkkk
-huiuhiuhiuh
-
-kkjjjm
-okpokpok,l,l,l

data/lib/test2.rb

@@ -1,16 +0,0 @@
-require 'rjr/nodes/ws'
-
-# listen for methods via amqp, websockets, http, and via local calls
-
-ws_node    = RJR::Nodes::WS.new    :node_id => 'server', :host   => '127.0.0.1', :port => 5007
-
-
-# define a rpc method called 'hello' which takes
-# one argument and returns it in upper case
-ws_node.dispatcher.handle("initialize") { |processId,clientInfo,locale,rootPath,rootUri,capabilities,trace,workspaceFolders|
-  arg.upcase
-}
-
-# start the server and block
-ws_node.listen
-ws_node.join

data/lib/test3.rb

@@ -1,32 +0,0 @@
-require 'socket'                 # Get sockets from stdlib
-require 'json'
-
-server = TCPServer.open(5007)    # Socket to listen on port 2000
-
-loop {
-  Thread.fork(server.accept) do |client|
-    while line=client.gets
-      length=Integer(line.scan(/\d/).join(''))
-      line=client.read(length+2)
-      request = JSON.parse(line)
-      puts line
-
-      response = {
-          jsonrpc: request['jsonrpc'],
-          result: {
-            capabilities: {
-              textDocumentSync:1
-            }
-          },
-          id: request['id']
-      }
-
-      response = JSON.generate(response)
-
-      client.flush
-      client.puts("Content-Length: "+response.length.to_s+"\r\n\r\n")
-      client.puts(response)
-    end
-    client.close
-  end
-}

data/lib/test_new.rb

@@ -1,19 +0,0 @@
-require 'jimson'
-
-class MyHandler
-  extend Jimson::Handler
-
-  def initi(a,b)
-    a + b
-  end
-
-  def initialize
-    super
-  end
-
-end
-
-server = Jimson::Server.new(MyHandler.new)
-server.port = 5007
-server.host = '127.0.0.1'
-server.start # serve with webrick on http://0.0.0.0:8999/