replace xml entities in a bunch of places. still not perfect, but solves the specific issues you can get to from the exposed config elements
git-svn-id: file:///home/svn/framework3/trunk@9194 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
7631b193fd
commit
176b564007
|
@ -24,6 +24,18 @@ require 'uri'
|
||||||
|
|
||||||
module Nexpose
|
module Nexpose
|
||||||
|
|
||||||
|
module Sanitize
|
||||||
|
def replace_entities(str)
|
||||||
|
ret = str.dup
|
||||||
|
ret.gsub!(/&/, "&")
|
||||||
|
ret.gsub!(/'/, "'")
|
||||||
|
ret.gsub!(/"/, """)
|
||||||
|
ret.gsub!(/</, "<")
|
||||||
|
ret.gsub!(/>/, ">")
|
||||||
|
ret
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
class APIError < ::RuntimeError
|
class APIError < ::RuntimeError
|
||||||
attr_accessor :req, :reason
|
attr_accessor :req, :reason
|
||||||
def initialize(req, reason = '')
|
def initialize(req, reason = '')
|
||||||
|
@ -489,10 +501,17 @@ class IPRange
|
||||||
attr_reader :to;
|
attr_reader :to;
|
||||||
|
|
||||||
def initialize(from, to = nil)
|
def initialize(from, to = nil)
|
||||||
|
|
||||||
@from = from
|
@from = from
|
||||||
@to = to
|
@to = to
|
||||||
|
end
|
||||||
|
|
||||||
|
include Sanitize
|
||||||
|
def to_xml
|
||||||
|
if (to and not to.empty?)
|
||||||
|
return %Q{<range from="#{from}" to="#{to}"/>}
|
||||||
|
else
|
||||||
|
return %Q{<range from="#{from}"/>}
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -504,9 +523,12 @@ class HostName
|
||||||
attr_reader :hostname
|
attr_reader :hostname
|
||||||
|
|
||||||
def initialize(hostname)
|
def initialize(hostname)
|
||||||
|
|
||||||
@hostname = hostname
|
@hostname = hostname
|
||||||
|
end
|
||||||
|
|
||||||
|
include Sanitize
|
||||||
|
def to_xml
|
||||||
|
"<hostname>#{replace_entities(hostname)}</hostname>"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -892,107 +914,45 @@ class Site
|
||||||
|
|
||||||
xml = '<Site id="' + "#{@site_config.site_id}" + '" name="' + "#{@site_config.site_name}" + '" description="' + "#{@site_config.description}" + '" riskfactor="' + "#{@site_config.riskfactor}" + '">'
|
xml = '<Site id="' + "#{@site_config.site_id}" + '" name="' + "#{@site_config.site_name}" + '" description="' + "#{@site_config.description}" + '" riskfactor="' + "#{@site_config.riskfactor}" + '">'
|
||||||
|
|
||||||
xml += ' <Hosts>'
|
xml << ' <Hosts>'
|
||||||
|
|
||||||
@site_config.hosts.each do |h|
|
@site_config.hosts.each do |h|
|
||||||
|
xml << h.to_xml if h.respond_to? :to_xml
|
||||||
if (h.class.to_s == "Nexpose::IPRange")
|
|
||||||
if (h.to and not h.to.empty?)
|
|
||||||
xml += ' <range from="' + h.from + '" to="' + h.to + '"/>'
|
|
||||||
else
|
|
||||||
xml += ' <range from="' + h.from + '"/>'
|
|
||||||
end
|
end
|
||||||
|
xml << '</Hosts>'
|
||||||
|
|
||||||
elsif (h.class.to_s == "Nexpose::HostName")
|
xml << '<Credentials>'
|
||||||
|
|
||||||
xml += ' <host>' + h.hostname + '</host>'
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
||||||
xml +=' </Hosts>'
|
|
||||||
|
|
||||||
xml += ' <Credentials>'
|
|
||||||
@site_config.credentials.each do |c|
|
@site_config.credentials.each do |c|
|
||||||
xml += ' <adminCredentials'
|
xml << c.to_xml if c.respond_to? :to_xml
|
||||||
if (c.service)
|
|
||||||
xml += ' service="' + c.service + '"'
|
|
||||||
end
|
end
|
||||||
|
xml << ' </Credentials>'
|
||||||
|
|
||||||
if (c.userid)
|
xml << ' <Alerting>'
|
||||||
xml += ' userid="' + c.userid + '"'
|
|
||||||
end
|
|
||||||
if (c.password)
|
|
||||||
xml += ' password="' + c.password + '"'
|
|
||||||
end
|
|
||||||
if (c.realm)
|
|
||||||
xml += ' realm="' + c.realm + '"'
|
|
||||||
end
|
|
||||||
if (c.host)
|
|
||||||
xml += ' host="' + c.host + '"'
|
|
||||||
end
|
|
||||||
if (c.port)
|
|
||||||
xml += ' port="' + c.port + '"'
|
|
||||||
end
|
|
||||||
xml += '>'
|
|
||||||
|
|
||||||
|
|
||||||
if (c.isblob)
|
|
||||||
xml += c.securityblob
|
|
||||||
end
|
|
||||||
|
|
||||||
xml += '</adminCredentials>'
|
|
||||||
|
|
||||||
end
|
|
||||||
xml += ' </Credentials>'
|
|
||||||
|
|
||||||
xml += ' <Alerting>'
|
|
||||||
@site_config.alerts.each do |a|
|
@site_config.alerts.each do |a|
|
||||||
|
xml << a.to_xml if a.respond_to? :to_xml
|
||||||
case a.type
|
|
||||||
when :smtp
|
|
||||||
xml += ' <smtpAlert name="' + a.name + '" enabled="' + a.enabled + '" sender="' + a.sender + '" limitText="' + a.limitText + '">'
|
|
||||||
a.recipients.each do |r|
|
|
||||||
xml += ' <recipient>' + r + '</recipient>'
|
|
||||||
end
|
end
|
||||||
xml += ' <vulnFilter typeMask="' + a.vulnFilter.typeMask + '" maxAlerts="' + a.vulnFilter.maxAlerts + '" severityThreshold="' + a.vulnFilter.severityThreshold + '"/>'
|
xml << ' </Alerting>'
|
||||||
xml += ' </smtpAlert>'
|
|
||||||
|
|
||||||
when :snmp
|
xml << ' <ScanConfig configID="' + "#{@site_config.scanConfig.configID}" + '" name="' + "#{@site_config.scanConfig.name}" + '" templateID="' + "#{@site_config.scanConfig.templateID}" + '" configVersion="' + "#{@site_config.scanConfig.configVersion}" + '">'
|
||||||
xml += ' <snmpAlert name="' + a.name + '" enabled="' + a.enabled + '" community="' + a.community + '" server="' + a.server + '">'
|
|
||||||
xml += ' <vulnFilter typeMask="' + a.vulnFilter.typeMask + '" maxAlerts="' + a.vulnFilter.maxAlerts + '" severityThreshold="' + a.vulnFilter.severityThreshold + '"/>'
|
|
||||||
xml += ' </snmpAlert>'
|
|
||||||
|
|
||||||
when :syslog
|
xml << ' <Schedules>'
|
||||||
xml += ' <syslogAlert name="' + a.name + '" enabled="' + a.enabled + '" server="' + a.server + '">'
|
|
||||||
xml += ' <vulnFilter typeMask="' + a.vulnFilter.typeMask + '" maxAlerts="' + a.vulnFilter.maxAlerts + '" severityThreshold="' + a.vulnFilter.severityThreshold + '"/>'
|
|
||||||
xml += ' </syslogAlert>'
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
xml += ' </Alerting>'
|
|
||||||
|
|
||||||
xml += ' <ScanConfig configID="' + "#{@site_config.scanConfig.configID}" + '" name="' + "#{@site_config.scanConfig.name}" + '" templateID="' + "#{@site_config.scanConfig.templateID}" + '" configVersion="' + "#{@site_config.scanConfig.configVersion}" + '">'
|
|
||||||
|
|
||||||
xml += ' <Schedules>'
|
|
||||||
@site_config.scanConfig.schedules.each do |s|
|
@site_config.scanConfig.schedules.each do |s|
|
||||||
xml += ' <Schedule enabled="' + s.enabled + '" type="' + s.type + '" interval="' + s.interval + '" start="' + s.start + '"/>'
|
xml << ' <Schedule enabled="' + s.enabled + '" type="' + s.type + '" interval="' + s.interval + '" start="' + s.start + '"/>'
|
||||||
end
|
end
|
||||||
xml += ' </Schedules>'
|
xml << ' </Schedules>'
|
||||||
|
|
||||||
xml += ' <ScanTriggers>'
|
xml << ' <ScanTriggers>'
|
||||||
@site_config.scanConfig.scanTriggers.each do |s|
|
@site_config.scanConfig.scanTriggers.each do |s|
|
||||||
|
|
||||||
if (s.class.to_s == "Nexpose::AutoUpdate")
|
if (s.class.to_s == "Nexpose::AutoUpdate")
|
||||||
xml += ' <autoUpdate enabled="' + s.enabled + '" incremental="' + s.incremental + '"/>'
|
xml << ' <autoUpdate enabled="' + s.enabled + '" incremental="' + s.incremental + '"/>'
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
xml += ' </ScanTriggers>'
|
xml << ' </ScanTriggers>'
|
||||||
|
|
||||||
xml += ' </ScanConfig>'
|
xml << ' </ScanConfig>'
|
||||||
|
|
||||||
xml += ' </Site>'
|
xml << ' </Site>'
|
||||||
|
|
||||||
return xml
|
return xml
|
||||||
end
|
end
|
||||||
|
@ -1002,7 +962,6 @@ end
|
||||||
# Object that represents administrative credentials to be used during a scan. When retrived from an existing site configuration the credentials will be returned as a security blob and can only be passed back as is during a Site Save operation. This object can only be used to create a new set of credentials.
|
# Object that represents administrative credentials to be used during a scan. When retrived from an existing site configuration the credentials will be returned as a security blob and can only be passed back as is during a Site Save operation. This object can only be used to create a new set of credentials.
|
||||||
#
|
#
|
||||||
class AdminCredentials
|
class AdminCredentials
|
||||||
|
|
||||||
# Security blob for an existing set of credentials
|
# Security blob for an existing set of credentials
|
||||||
attr_reader :securityblob
|
attr_reader :securityblob
|
||||||
# Designates if this object contains user defined credentials or a security blob
|
# Designates if this object contains user defined credentials or a security blob
|
||||||
|
@ -1052,9 +1011,25 @@ class AdminCredentials
|
||||||
@securityblob = securityblob
|
@securityblob = securityblob
|
||||||
end
|
end
|
||||||
|
|
||||||
|
include Sanitize
|
||||||
|
def to_xml
|
||||||
|
xml = ''
|
||||||
|
xml << '<adminCredentials'
|
||||||
|
xml << %Q{ service="#{replace_entities(service)}"} if (service)
|
||||||
|
xml << %Q{ userid="#{replace_entities(userid)}"} if (userid)
|
||||||
|
xml << %Q{ password="#{replace_entities(password)}"} if (password)
|
||||||
|
xml << %Q{ realm="#{replace_entities(realm)}"} if (realm)
|
||||||
|
xml << %Q{ host="#{replace_entities(host)}"} if (host)
|
||||||
|
xml << %Q{ port="#{replace_entities(port)}"} if (port)
|
||||||
|
xml << '>'
|
||||||
|
xml << replace_entities(securityblob) if (isblob)
|
||||||
|
xml << '</adminCredentials>'
|
||||||
|
|
||||||
|
xml
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
# === Description
|
# === Description
|
||||||
# Object that represents an SMTP (Email) Alert.
|
# Object that represents an SMTP (Email) Alert.
|
||||||
#
|
#
|
||||||
|
@ -1096,6 +1071,20 @@ class SmtpAlert
|
||||||
@vulnFilter = vulnFilter
|
@vulnFilter = vulnFilter
|
||||||
end
|
end
|
||||||
|
|
||||||
|
include Sanitize
|
||||||
|
def to_xml
|
||||||
|
xml = "<smtpAlert"
|
||||||
|
xml << %Q{ name="#{replace_entities(name)}"}
|
||||||
|
xml << %Q{ enabled="#{replace_entities(enabled)}"}
|
||||||
|
xml << %Q{ sender="#{replace_entities(sender)}"}
|
||||||
|
xml << %Q{ limitText="#{replace_entities(limitText)}">}
|
||||||
|
recipients.each do |recpt|
|
||||||
|
xml << "<recipient>#{replace_entities(recpt)}</recipient>"
|
||||||
|
end
|
||||||
|
xml << vulnFilter.to_xml
|
||||||
|
xml << "</smtpAlert>"
|
||||||
|
xml
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# === Description
|
# === Description
|
||||||
|
@ -1131,6 +1120,18 @@ class SnmpAlert
|
||||||
@vulnFilter = vulnFilter
|
@vulnFilter = vulnFilter
|
||||||
end
|
end
|
||||||
|
|
||||||
|
include Sanitize
|
||||||
|
def to_xml
|
||||||
|
xml = "<snmpAlert"
|
||||||
|
xml << %Q{ name="#{replace_entities(name)}"}
|
||||||
|
xml << %Q{ enabled="#{replace_entities(enabled)}"}
|
||||||
|
xml << %Q{ community="#{replace_entities(community)}"}
|
||||||
|
xml << %Q{ server="#{replace_entities(server)}">}
|
||||||
|
xml << vulnFilter.to_xml
|
||||||
|
xml << "</snmpAlert>"
|
||||||
|
xml
|
||||||
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
# === Description
|
# === Description
|
||||||
|
@ -1164,6 +1165,17 @@ class SyslogAlert
|
||||||
@vulnFilter = vulnFilter
|
@vulnFilter = vulnFilter
|
||||||
end
|
end
|
||||||
|
|
||||||
|
include Sanitize
|
||||||
|
def to_xml
|
||||||
|
xml = "<syslogAlert"
|
||||||
|
xml << %Q{ name="#{replace_entities(name)}"}
|
||||||
|
xml << %Q{ enabled="#{replace_entities(enabled)}"}
|
||||||
|
xml << %Q{ server="#{replace_entities(server)}">}
|
||||||
|
xml << vulnFilter.to_xml
|
||||||
|
xml << "</syslogAlert>"
|
||||||
|
xml
|
||||||
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
# TODO: review
|
# TODO: review
|
||||||
|
@ -1196,11 +1208,20 @@ class VulnFilter
|
||||||
attr_reader :severityThreshold
|
attr_reader :severityThreshold
|
||||||
|
|
||||||
def initialize(typeMask, severityThreshold, maxAlerts = -1)
|
def initialize(typeMask, severityThreshold, maxAlerts = -1)
|
||||||
|
|
||||||
@typeMask = typeMask
|
@typeMask = typeMask
|
||||||
@maxAlerts = maxAlerts
|
@maxAlerts = maxAlerts
|
||||||
@severityThreshold = severityThreshold
|
@severityThreshold = severityThreshold
|
||||||
|
end
|
||||||
|
|
||||||
|
include Sanitize
|
||||||
|
def to_xml
|
||||||
|
xml = "<vulnFilter "
|
||||||
|
xml << %Q{ typeMask="#{replace_entities(typeMask)}"}
|
||||||
|
xml << %Q{ maxAlerts="#{replace_entities(maxAlerts)}"}
|
||||||
|
xml << %Q{ severityThreshold="#{replace_entities(severityThreshold)}"}
|
||||||
|
xml << "/>"
|
||||||
|
|
||||||
|
xml
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue