Class: Pedant::CheckScriptNotSignedAndUsingSecretKBItem

Inherits:
Check
  • Object
Defined in:
lib/pedant/checks/script_not_signed_and_using_secret_kb_item.rb

Instance Attribute Summary

Attributes inherited from Check

#result

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from Check

all, depends, #fail, #fatal, friendly_name, inherited, #initialize, initialize!, list, #pass, provides, ready?, #report, run_checks_in_dependency_order, #skip, #warn

Constructor Details

This class inherits a constructor from Pedant::Check

Class Method Details

.requires ⇒ Object



# File 'lib/pedant/checks/script_not_signed_and_using_secret_kb_item.rb', line 29

# Lists the knowledge-base entries this check needs before it can run.
#
# @return [Array<Symbol>] the parent's requirements followed by :main, :trees
#   and :codes, the three entries #run reads from @kb
def self.requires
  inherited_requirements = super
  inherited_requirements + %i[main trees codes]
end

Instance Method Details

#run ⇒ Object



# File 'lib/pedant/checks/script_not_signed_and_using_secret_kb_item.rb', line 33

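# Fails a plugin that names a "Secret"-prefixed KB item in a KB function call
# while its source does not begin with the #TRUSTED marker.
#
# What the check looks at:
# * only calls to the KB functions listed in +kb_functions+;
# * every argument of script_require_keys, and for the other functions the
#   first argument or, when the arguments are named, the one named 'name';
# * the leftmost operand of an expression, and only if it exposes +text+.
#
# What it does not cover (reviewers should not read a pass as a guarantee):
# * arguments without +text+ are skipped, so a key that is not written as a
#   literal at the call site is not flagged (presumably variables and call
#   results fall in this group -- TODO confirm against the Nasl AST);
# * the prefix comparison is case-sensitive and anchored at the first
#   character of the literal;
# * the signing test only asks whether the source starts with "#TRUSTED"; it
#   does not validate any signature (presumably done by the signing
#   pipeline -- confirm).
#
# @return [Object] the result of +skip+, +fail+ or +pass+
def run
  # This check only applies to plugins.
  return skip unless @kb[:main].extname == '.nasl'

  tree = @kb[:trees][@kb[:main]]
  codes = @kb[:codes][@kb[:main]]

  kb_functions = %w[
    get_kb_item
    rm_kb_item
    get_kb_list
    replace_kb_item
    set_kb_item
    script_require_keys
    set_global_kb_item
    get_global_kb_item
    get_fresh_kb_item
    get_global_kb_list
    get_kb_item_or_exit
  ]

  # An argument counts as named when its +name+ itself carries a +name+.
  named = ->(arg) { arg.respond_to?(:name) && arg.name.respond_to?(:name) }

  # Walks to the leftmost operand and returns it when it is a literal whose
  # text starts with "Secret"; returns nil otherwise.
  secret_literal = lambda do |expr|
    expr = expr.lhs while expr.is_a? Nasl::Expression
    expr if expr.respond_to?(:text) && expr.text.start_with?("Secret")
  end

  tree.all(:Call).each do |node|
    function = node.name.ident.name
    next unless kb_functions.include? function
    next if node.args.empty?

    key_exprs =
      if function == "script_require_keys"
        # The one case where every argument is a KB key.
        node.args.map(&:expr)
      else
        # Every other function: the first argument, or if the arguments are
        # named, the 'name' argument. The named argument is looked up at any
        # position; checking only the second slot let a 'name' argument placed
        # later in the call go unexamined.
        first = node.args.first
        key = first
        if named.call(first)
          key = node.args.find { |arg| named.call(arg) && arg.name.name == "name" } || first
        end
        [key.expr]
      end

    key_exprs.each do |expr|
      literal = secret_literal.call(expr)
      next unless literal
      # A source that begins with the marker is treated as flagged for signing.
      next if codes.start_with?("#TRUSTED")

      report(:warn, "Plugin is accessing the secret KB item \"#{literal.text}\" and needs to be signed. Add a #TRUSTED line to the start of your plugin to flag it for signing via Bamboo.")
      report(:warn, literal.context)
      return fail
    end
  end
  report(:info, "Plugin is not using secret KB items without being signed.")
  pass
end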