pwn 0.4.414 → 0.4.415

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7fb462955a6182ce0079d75733ab41f39ec0919bd42f2801022453a7d18e5794
-  data.tar.gz: 6f37f2b2aaae0dd1950febd4c28234d155f120a9def746cf4d5d35fe08a44680
+  metadata.gz: 61670e1dd6c986c619918f5f97abefcde8593af1cb34c1cbe8089c9102a57346
+  data.tar.gz: 0a4daaa0f3b6a3790886adc5863f59084359b7efdd9e642f13739b5674783a54
 SHA512:
-  metadata.gz: 13d72a02777d25615116e23656a746827892c449c2f73741c9904fc93aab73173c5a080d3f609841ad391c3eff4db2f1624bbc45a84e1bc364b13e729d8147e2
-  data.tar.gz: 825ee7cba89d734ecb80661a3b0a0bc3f10bb66c729df66b57ccaa203985e05afc6254ff61bbae45ae6bc562c031943483df866e74dbbabec38a10316808580c
+  metadata.gz: a47ee10adfd7d9f236f4c51c58ba4bd5505aa0df21a37966427731d6a743e4fa3e31122290acad1d9c5adb25034c2876c6fc1c6ff26317d4617ad22ca78dfbc5
+  data.tar.gz: 5cd9ebf6af0386fbfae0a776481c990e1ec28b9253ac8f6683b070452e7abd9de38fbc4bbb902241310b349c9181b6dd142e1f1e0b1b49b3f88a92834967f75e

data/Gemfile

@@ -32,7 +32,7 @@ gem 'ipaddress', '0.8.3'
 # gem 'jenkins_api_client', '1.5.3' # Temporarily disabled until arangamani/jenkins_api_client/issues/304 is Closed out
 gem 'js-beautify', '0.1.8'
 gem 'json', '2.6.1'
-gem 'jsonpath', '1.1.0'
+gem 'jsonpath', '1.1.2'
 gem 'jwt', '2.3.0'
 gem 'luhn', '1.0.2'
 gem 'mail', '2.7.1'
@@ -59,7 +59,7 @@ gem 'rex', '2.0.13'
 gem 'rmagick', '4.2.5'
 gem 'rspec', '3.11.0'
 gem 'rtesseract', '3.1.2'
-gem 'rubocop', '1.28.1'
+gem 'rubocop', '1.28.2'
 gem 'rubocop-rake', '0.6.0'
 gem 'rubocop-rspec', '2.10.0'
 gem 'ruby-audio', '1.6.1'
@@ -79,5 +79,5 @@ gem 'tty-prompt', '0.23.1'
 gem 'watir', '7.1.0'
 gem 'waveform', '0.1.2'
 gem 'webrick', '1.7.0'
-gem 'wicked_pdf', '2.1.0'
+gem 'wicked_pdf', '2.6.0'
 gem 'yard', '0.9.27'

data/README.md

@@ -37,7 +37,7 @@ $ rvm use ruby-3.1.2@pwn
 $ rvm list gemsets
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.4.414]:001 >>> PWN.help
+pwn[v0.4.415]:001 >>> PWN.help
 ```
 
 [![Installing the pwn Security Automation Framework](https://raw.githubusercontent.com/0dayInc/pwn/master/documentation/pwn_install.png)](https://youtu.be/G7iLUY4FzsI)
@@ -52,7 +52,7 @@ $ rvm use ruby-3.1.2@pwn
 $ gem uninstall --all --executables pwn
 $ gem install --verbose pwn
 $ pwn
-pwn[v0.4.414]:001 >>> PWN.help
+pwn[v0.4.415]:001 >>> PWN.help
 ```
 
 

data/bin/pwn_sast

@@ -95,6 +95,7 @@ begin
       Redirect
       ReDOS
       Shell
+      Signature
       SQL
       SSL
       Sudo

data/git_commit_test_reinit_gem.sh

@@ -1,5 +1,10 @@
 #!/bin/bash --login
-if [[ $1 != "" && $2 != "" && $3 != "" ]]; then
+usage() {
+  echo "USAGE: ${0} '<full name>' <email address> '<git commit comments>'"
+  exit 1
+}
+
+if (( $# == 3 )); then
   # Default Strategy is to merge codebase
   git config pull.rebase false
   git config commit.gpgsign true
@@ -18,5 +23,5 @@ if [[ $1 != "" && $2 != "" && $3 != "" ]]; then
     git tag $this_version
   fi
 else
-  echo "USAGE: ${0} '<full name>' <email address> '<git commit comments>'"
+  usage
 fi

data/lib/pwn/sast/signature.rb

@@ -0,0 +1,140 @@
+# frozen_string_literal: false
+
+require 'socket'
+
+module PWN
+  module SAST
+    # SAST Module used to identify private keys used for authenticating
+    # with remote hosts.
+    module Signature
+      @@logger = PWN::Plugins::PWNLogger.create
+
+      # Supported Method Parameters::
+      # PWN::SAST::Signature(
+      #   dir_path: 'optional path to dir defaults to .'
+      #   git_repo_root_uri: 'optional http uri of git repo scanned'
+      # )
+
+      public_class_method def self.scan(opts = {})
+        dir_path = opts[:dir_path]
+        git_repo_root_uri = opts[:git_repo_root_uri].to_s.scrub
+        result_arr = []
+        logger_results = ''
+
+        PWN::Plugins::FileFu.recurse_dir(dir_path: dir_path) do |entry|
+          if File.file?(entry) && File.basename(entry) !~ /^pwn.+(html|json|db)$/ && File.basename(entry) !~ /\.JS-BEAUTIFIED$/
+            line_no_and_contents_arr = []
+            filename_arr = []
+            entry_beautified = false
+
+            if File.extname(entry) == '.js' && (`wc -l #{entry}`.split.first.to_i < 20 || entry.include?('.min.js') || entry.include?('-all.js'))
+              js_beautify = `js-beautify #{entry} > #{entry}.JS-BEAUTIFIED`.to_s.scrub
+              entry = "#{entry}.JS-BEAUTIFIED"
+              entry_beautified = true
+            end
+
+            test_case_filter = "
+              grep -n \
+              -e 'Signature' #{entry}
+            "
+
+            str = `#{test_case_filter}`.to_s.scrub
+
+            if str.to_s.empty?
+              # If str length is >= 64 KB do not include results. (Due to Mongo Document Size Restrictions)
+              logger_results = "#{logger_results}~" # Catching bugs is good :)
+            else
+              str = "1:Result larger than 64KB -> Size: #{str.to_s.length}.  Please click the \"Path\" link for more details." if str.to_s.length >= 64_000
+
+              hash_line = {
+                timestamp: Time.now.strftime('%Y-%m-%d %H:%M:%S.%9N %z').to_s,
+                test_case: nist_800_53_requirements,
+                filename: filename_arr.push(git_repo_root_uri: git_repo_root_uri, entry: entry),
+                line_no_and_contents: '',
+                raw_content: str,
+                test_case_filter: test_case_filter
+              }
+
+              # COMMMENT: Must be a better way to implement this (regex is kinda funky)
+              line_contents_split = str.split(/^(\d{1,}):|\n(\d{1,}):/)[1..-1]
+              line_no_count = line_contents_split.length # This should always be an even number
+              current_count = 0
+              while line_no_count > current_count
+                line_no = line_contents_split[current_count]
+                contents = line_contents_split[current_count + 1]
+                if Dir.exist?("#{dir_path}/.git") ||
+                   Dir.exist?('.git')
+
+                  repo_root = dir_path
+                  repo_root = '.' if Dir.exist?('.git')
+
+                  author = PWN::Plugins::Git.get_author(
+                    repo_root: repo_root,
+                    from_line: line_no,
+                    to_line: line_no,
+                    target_file: entry,
+                    entry_beautified: entry_beautified
+                  )
+                else
+                  author = 'N/A'
+                end
+                hash_line[:line_no_and_contents] = line_no_and_contents_arr.push(line_no: line_no,
+                                                                                 contents: contents,
+                                                                                 author: author)
+
+                current_count += 2
+              end
+              result_arr.push(hash_line)
+              logger_results = "#{logger_results}x" # Seeing progress is good :)
+            end
+          end
+        end
+        logger_banner = "http://#{Socket.gethostname}:8808/doc_root/pwn-#{PWN::VERSION.to_s.scrub}/#{to_s.scrub.gsub('::', '/')}.html"
+        if logger_results.empty?
+          @@logger.info("#{logger_banner}: No files applicable to this test case.\n")
+        else
+          @@logger.info("#{logger_banner} => #{logger_results}complete.\n")
+        end
+        result_arr
+      rescue StandardError => e
+        raise e
+      end
+
+      # Used primarily to map NIST 800-53 Revision 4 Security Controls
+      # https://web.nvd.nist.gov/view/800-53/Rev4/impact?impactName=HIGH
+      # to PWN Exploit & Static Code Anti-Pattern Matching Modules to
+      # Determine the level of Testing Coverage w/ PWN.
+
+      public_class_method def self.nist_800_53_requirements
+        {
+          sast_module: self,
+          section: 'CRYPTOGRAPHIC MODULE AUTHENTICATION',
+          nist_800_53_uri: 'https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#/control/?version=5.1&number=IA-7'
+        }
+      rescue StandardError => e
+        raise e
+      end
+
+      # Author(s):: 0day Inc. <request.pentest@0dayinc.com>
+
+      public_class_method def self.authors
+        "AUTHOR(S):
+          0day Inc. <request.pentest@0dayinc.com>
+        "
+      end
+
+      # Display Usage for this Module
+
+      public_class_method def self.help
+        puts "USAGE:
+          sast_arr = #{self}.scan(
+            dir_path: 'optional path to dir defaults to .',
+            git_repo_root_uri: 'optional http uri of git repo scanned'
+          )
+
+          #{self}.authors
+        "
+      end
+    end
+  end
+end

data/lib/pwn/sast.rb

@@ -36,6 +36,7 @@ module PWN
     autoload :Redirect, 'pwn/sast/redirect'
     autoload :ReDOS, 'pwn/sast/redos'
     autoload :Shell, 'pwn/sast/shell'
+    autoload :Signature, 'pwn/sast/signature'
     autoload :SQL, 'pwn/sast/sql'
     autoload :SSL, 'pwn/sast/ssl'
     autoload :Sudo, 'pwn/sast/sudo'

data/lib/pwn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PWN
-  VERSION = '0.4.414'
+  VERSION = '0.4.415'
 end

data/spec/lib/pwn/sast/signature_spec.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe PWN::SAST::Signature do
+  it 'scan method should exist' do
+    scan_response = PWN::SAST::Signature
+    expect(scan_response).to respond_to :scan
+  end
+
+  it 'should display information for nist_800_53_requirements' do
+    nist_800_53_requirements_response = PWN::SAST::Signature
+    expect(nist_800_53_requirements_response).to respond_to :nist_800_53_requirements
+  end
+
+  it 'should display information for authors' do
+    authors_response = PWN::SAST::Signature
+    expect(authors_response).to respond_to :authors
+  end
+
+  it 'should display information for existing help method' do
+    help_response = PWN::SAST::Signature
+    expect(help_response).to respond_to :help
+  end
+end

data/update_pwn.sh

@@ -5,7 +5,5 @@ else
   pwn_root="${PWN_ROOT}"
 fi
 
-#sudo /bin/bash --login -c "cd ${pwn_root} && ./reinstall_pwn_gemset.sh"
-#sudo /bin/bash --login -c "cd ${pwn_root} && ./build_pwn_gem.sh"
 export rvmsudo_secure_path=1
 rvmsudo /bin/bash --login -c "cd ${pwn_root} && ./build_pwn_gem.sh"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pwn
 version: !ruby/object:Gem::Version
-  version: 0.4.414
+  version: 0.4.415
 platform: ruby
 authors:
 - 0day Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-04-22 00:00:00.000000000 Z
+date: 2022-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -296,14 +296,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: 1.1.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: 1.1.2
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -674,14 +674,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.28.1
+        version: 1.28.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.28.1
+        version: 1.28.2
 - !ruby/object:Gem::Dependency
   name: rubocop-rake
   requirement: !ruby/object:Gem::Requirement
@@ -954,14 +954,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.1.0
+        version: 2.6.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.1.0
+        version: 2.6.0
 - !ruby/object:Gem::Dependency
   name: yard
   requirement: !ruby/object:Gem::Requirement
@@ -1588,6 +1588,7 @@ files:
 - lib/pwn/sast/redirect.rb
 - lib/pwn/sast/redos.rb
 - lib/pwn/sast/shell.rb
+- lib/pwn/sast/signature.rb
 - lib/pwn/sast/sql.rb
 - lib/pwn/sast/ssl.rb
 - lib/pwn/sast/sudo.rb
@@ -1881,6 +1882,7 @@ files:
 - spec/lib/pwn/sast/redirect_spec.rb
 - spec/lib/pwn/sast/redos_spec.rb
 - spec/lib/pwn/sast/shell_spec.rb
+- spec/lib/pwn/sast/signature_spec.rb
 - spec/lib/pwn/sast/sql_spec.rb
 - spec/lib/pwn/sast/ssl_spec.rb
 - spec/lib/pwn/sast/sudo_spec.rb
@@ -2149,6 +2151,7 @@ test_files:
 - spec/lib/pwn/sast/redirect_spec.rb
 - spec/lib/pwn/sast/redos_spec.rb
 - spec/lib/pwn/sast/shell_spec.rb
+- spec/lib/pwn/sast/signature_spec.rb
 - spec/lib/pwn/sast/sql_spec.rb
 - spec/lib/pwn/sast/ssl_spec.rb
 - spec/lib/pwn/sast/sudo_spec.rb