Commit Graph

161 Commits (2edd268275e51872a5746957eaa3bad507fddd1e)

Author SHA1 Message Date
William Vu c73892b721 Nuke datastore modification check from orbit 2015-02-11 12:46:40 -06:00
William Vu c8a687db7f
Fix false positive in cookie check 2015-02-09 17:23:59 -06:00
William Vu 4ed3ffa0ed
Fix false positive in snake case check 2015-02-09 16:30:19 -06:00
William Vu e62f44cc1a
Fix false negative in comment check
Adds anchor to regex.
2015-02-09 14:58:02 -06:00
Tod Beardsley 1d6524b4d9
Revert #4593, msftidy extraneous comma check
Fixes #4626 by ignoring the problem identified.

This reverts commit 7c3378b2e6, reversing
changes made to cb0257bec7.
2015-01-22 14:28:27 -06:00
William Vu cf7555447c
Land #4621, msftidy whitelist constant
Now I'm happy... almost.
2015-01-21 14:03:39 -06:00
William Vu bbe9fc208e
Update formatting (80 columns)
Piped to fmt -78 to account for the indent.
2015-01-21 14:01:44 -06:00
Tod Beardsley 264adf14d1
Add 'tnftp' software to the title whitelist 2015-01-21 11:52:39 -06:00
Tod Beardsley efebaae251
Make the title whitelist a constant 2015-01-21 11:50:50 -06:00
William Vu 7c3378b2e6
Land #4593, msftidy extraneous comma check 2015-01-18 00:46:39 -06:00
Christian Mehlmauer 596e956660
some changed 2015-01-16 17:53:06 +01:00
Christian Mehlmauer 3237dd8591
add comma check to msftidy 2015-01-16 00:13:55 +01:00
Christian Mehlmauer 56c1f74d70
modify msftidy regex 2015-01-09 22:07:21 +01:00
Tod Beardsley d3050de862
Remove references to Redmine in code
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.

Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
Jon Hart 9bf55ef8f4
Minor improvements to datastore and http// checks in msftidy 2014-12-11 18:36:42 -08:00
Christian Mehlmauer be1440bcb9
more msftidy checks 2014-12-11 23:10:07 +01:00
William Vu 48e098b172
Remove WVE references from msftidy 2014-09-05 19:28:27 -05:00
Tod Beardsley c045c9606c
Fix typo in PR #3712
Fixes the typo pointed out in
rapid7#3712#discussion_r16750554

Derp
2014-08-26 20:36:28 -05:00
Joshua Smith 622e8a7714 adds better exploit module detection to msftidy 2014-08-26 15:30:08 -05:00
Jon Hart bfa89bb3a5 Enforce binary encoding on non-modules, no encoding on modules 2014-08-25 13:12:29 -07:00
Tod Beardsley 47cb906408
Remove rubocop and msftidy touchpoints
Rubocop replaces the default YAML library which makes development
testing difficult. It does not cause problems on Travis, but according
to reports, it does cause instability with many individual dev
environments.

While I would love to have a more solid source of this bug report, right
now this was an oral report from @shuckins-r7 (who I tend to believe a
lot).
2014-08-12 10:37:58 -05:00
Tod Beardsley ffafd4c01f
Add NTP fuzzer from @jhart-r7
Looks good to me!
2014-07-21 12:38:12 -05:00
Jon Hart 17b0560dff Add rubygems check to msftidy. remove rubygems. 2014-07-17 09:29:13 -07:00
William Vu ff6c8bd5de
Land #3479, broken sock.get fix 2014-07-16 14:57:32 -05:00
Tod Beardsley 68980157c8
Just skip if info is suppressed. 2014-07-16 11:20:40 -05:00
Tod Beardsley 81a98081d9
Rubocop checks are optional and info only
I like the change but it means that basically everything will fail
forever until we tweak up the config.
2014-07-16 10:26:35 -05:00
Jon Hart ab73c16d0d Add Rubocop to msftidy. You now have 15 seconds to comply. You are in direct violation of Penal Code 1.13, Section 9. 2014-07-15 17:11:04 -07:00
William Vu 4904426164
Fix @source and prefer && 2014-07-14 14:36:08 -05:00
HD Moore 6e8415143c Fix msftidy and tweak a few modules missing timeouts 2014-06-30 00:46:28 -05:00
HD Moore a279db7710 Check for sock.get / udp_sock.get issues 2014-06-30 00:40:06 -05:00
William Vu 56c71c7b85
Land #3457, newline check for msftidy 2014-06-17 14:20:53 -05:00
Christian Mehlmauer 3c00388f87
Add check for newline at end of file 2014-06-17 15:44:43 +02:00
William Vu 7f2b173130
Fix misspelled constant in msftidy 2014-06-12 13:47:44 -05:00
William Vu 3a9f7fb7f9
Land #3405, improved Nokogiri check for msftidy 2014-05-29 16:21:26 -05:00
William Vu 17fb48eaa3
Refactor check_nokogiri in msftidy 2014-05-29 13:20:23 -05:00
Tod Beardsley 2ce6f325f5
Be more specific with Nokogiri check
There are still strong reservations about using Nokogiri to parse
untrusted XML data.

http://www.wireharbor.com/hidden-security-risks-of-xml-parsing-xxe-attack/

It is also believed that many desktop operating systems are still
shipping out-of-date and vulnerable libxml2 libraries, which become
exposed via Nokogiri. For example:

http://stackoverflow.com/questions/18627075/nokogiri-1-6-0-still-pulls-in-wrong-version-of-libxml-on-os-x

While this isn't a problem for binary builds of Metasploit (Metasploit
Community, Express, or Pro) it can be a problem for development
versions or Kali's / Backtrack's version.

So, the compromise here is to allow for modules that don't directly
expose XML parsing. I can't say for sure that the various libxml2
vulnerabilities (current and future) aren't also exposed via
`Nokogiri::HTML` but I also can't come up with a reasonable demo.

Metasploit committers should still look at any module that relies on
Nokogiri very carefully, and suggest alternatives if there are any. But,
it's sometimes going to be required for complex HTML parsing.

tl;dr: Use REXML for XML parsing, and Nokogiri for HTML parsing if you
absolutely must.
2014-05-29 11:52:17 -05:00
Tod Beardsley d9fbf861d2
Add an environment option to suppress info msgs
It's often you want counts of just WARN and ERROR messages, and don't
want to spam yourself with INFO messages that you don't intend to
address anyway. This is most often the case with CI, such as with

https://travis-ci.org/todb-r7/metasploit-framework
2014-05-21 16:20:57 -05:00
Tod Beardsley 765419627b
Demote datastore edits to info status
SeeRM #8498
2014-05-21 16:18:36 -05:00
Christian Mehlmauer 3f3283ba06
Resolved some msftidy warnings (Set-Cookie) 2014-05-12 21:23:30 +02:00
Christian Mehlmauer 3f4e9ab18d
msftidy: only check send_request_cgi for vars_get 2014-04-22 19:24:06 +02:00
Christian Mehlmauer b864c4619d
msftidy - added info messages
this commit adds info messages to msftidy to show some info,
but stil exit with status 0 if there are not errors.
2014-04-21 18:04:14 +02:00
Christian Mehlmauer fc803ae277
Changed msftidy check
send_request_raw does not support vars_get so change
the message to switch to send_request_cgi.
See #3272 for more info
2014-04-20 22:41:32 +02:00
William Vu aeedad262d
Remove unnecessary charclass escapes 2014-04-15 14:14:51 -05:00
William Vu 261572158b
Add paren to list of exclusion chars 2014-04-15 11:20:11 -05:00
William Vu 14c7eb19e6
Make the hash brace optional 2014-04-15 10:06:43 -05:00
William Vu f3f31005d8
Revert inadvertent fix for vars_get in msftidy 2014-04-14 14:51:52 -05:00
sinn3r e54a348bd4
Land #3237 - Reconcile test_old_rubies with the other checks 2014-04-11 10:49:23 -05:00
William Vu 8919e21379
Reconcile test_old_rubies with the other checks
It is now check_old_rubies.
2014-04-10 21:44:00 -05:00
William Vu df29578036
Correct check_vars_get to check_request_vars
Since check_vars_get also checked for POSTs.
2014-04-10 21:37:59 -05:00
William Vu 79f82be35d
Land #3188, deluxe msftidy post-merge hook 2014-04-07 14:38:19 -05:00