From 6f93e3fb37af116da1ac83388c6b66241bd9beb0 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Sun, 2 Feb 2014 11:51:21 -0600 Subject: [PATCH] Modules shouldn't use Nokogiri Nokogiri has a habit of shipping vulnerable builds of libxml2. For example, see this: http://www.ubuntu.com/usn/usn-1904-1/ and compare to Nokogiri's bundled requirements: https://github.com/sparklemotion/nokogiri/blob/master/dependencies.yml While Nokogiri is quite pleasant to use, it really shouldn't be trusted to handle potentially malicious data. Imagine if a "vulnerable" target was actually a malicious honeypot, lying in wait for a poor Metasploit user to come along and parse out its payload. (OT: does such a thing have a clever name? If not, I propose "beehive" to imply the offensive capabilities of such a honeypot.) Nokogiri is used elsewhere in Metasploit, but those functions handle data sourced from the Metasploit user herself, so those XML hunks are nominally trustworthy. --- tools/msftidy.rb | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tools/msftidy.rb b/tools/msftidy.rb index c6f54e80a5..bc763fbaa9 100755 --- a/tools/msftidy.rb +++ b/tools/msftidy.rb @@ -105,6 +105,18 @@ class Msftidy end end + def check_nokogiri + msg = "Requiring Nokogiri in modules can be risky, use REXML instead." + has_nokogiri = false + @source.each_line do |line| + if line =~ /^\s*(require|load)\s+['"]nokogiri['"]/ + has_nokogiri = true + break + end + end + error(msg) if has_nokogiri + end + def check_ref_identifiers in_super = false in_refs = false @@ -489,6 +501,7 @@ def run_checks(full_filepath) tidy = Msftidy.new(full_filepath) tidy.check_mode tidy.check_shebang + tidy.check_nokogiri tidy.check_ref_identifiers tidy.check_old_keywords tidy.check_verbose_option
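Review bot: in the first hunk (`check_nokogiri`), the pattern `/^\s*(require|load)\s+['"]nokogiri['"]/` only matches the bare-word form with a space and a closing quote immediately after the gem name, so `require('nokogiri')` and sub-path requires such as `require 'nokogiri/xml'` slip past the check while still pulling in the same libxml2 build the commit message is worried about. Consider loosening it to `/^\s*(require|load)\s*\(?\s*['"]nokogiri(\/|['"])/` so the parenthesised and sub-path forms are caught too. Separately, the `has_nokogiri` flag plus `break` is idiomatic Ruby as `has_nokogiri = @source.each_line.any? { |line| line =~ ... }`, which drops four lines and makes the intent obvious.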
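Review bot: in the second hunk, wiring `tidy.check_nokogiri` into `run_checks` makes this an `error`-level failure for every module msftidy sees, and the commit message says only that Nokogiri is used "elsewhere in Metasploit", not whether any existing module currently requires it. It would be worth stating in the message (or verifying in the same change) that no module in the tree still requires Nokogiri, otherwise the new check turns those modules red the moment this lands; a one-line `grep -rl "require 'nokogiri'" modules/` result quoted in the description would settle it.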