Commit Graph

332 Commits (50e804d9cb69360a49e455a4e76ca1f4eb1ab286)

Author SHA1 Message Date
Tod Beardsley c045c9606c
Fix typo in PR #3712
Fixes the typo pointed out in
rapid7#3712#discussion_r16750554

Derp
2014-08-26 20:36:28 -05:00
Josh 073c668cd8 Merge pull request #12 from todb-r7/commit-hooks-should-only-check-modules
Land 12 from todb, only pre-commit-hook on actual modules
2014-08-26 16:47:23 -05:00
Tod Beardsley dbdb4afb8c
Add a top anchor to the file match regex. 2014-08-26 16:19:29 -05:00
Joshua Smith 622e8a7714 adds better exploit module detection to msftidy 2014-08-26 15:30:08 -05:00
Jon Hart bfa89bb3a5 Enforce binary encoding on non-modules, no encoding on modules 2014-08-25 13:12:29 -07:00
Tod Beardsley 47cb906408
Remove rubocop and msftidy touchpoints
Rubocop replaces the default YAML library which makes development
testing difficult. It does not cause problems on Travis, but according
to reports, it does cause instability with many individual dev
environments.

While I would love to have a more solid source of this bug report, right
now this was an oral report from @shuckins-r7 (who I tend to believe a
lot).
2014-08-12 10:37:58 -05:00
Tod Beardsley ffafd4c01f
Add NTP fuzzer from @jhart-r7
Looks good to me!
2014-07-21 12:38:12 -05:00
Jon Hart 17b0560dff Add rubygems check to msftidy. remove rubygems. 2014-07-17 09:29:13 -07:00
William Vu a07656fec6
Land #3536, msftidy INFO messages aren't blockers 2014-07-16 17:57:48 -05:00
Tod Beardsley 58558e8dfa
Allow INFO msftidy messages
INFO level messages should not block commits or be complained about on
merges. They should merely inform the user.
2014-07-16 15:29:23 -05:00
William Vu ff6c8bd5de
Land #3479, broken sock.get fix 2014-07-16 14:57:32 -05:00
Tod Beardsley 68980157c8
Just skip if info is suppressed. 2014-07-16 11:20:40 -05:00
Tod Beardsley 81a98081d9
Rubocop checks are optional and info only
I like the change but it means that basically everything will fail
forever until we tweak up the config.
2014-07-16 10:26:35 -05:00
Jon Hart ab73c16d0d Add Rubocop to msftidy. You now have 15 seconds to comply. You are in direct violation of Penal Code 1.13, Section 9. 2014-07-15 17:11:04 -07:00
William Vu 4904426164
Fix @source and prefer && 2014-07-14 14:36:08 -05:00
HD Moore 6e8415143c Fix msftidy and tweak a few modules missing timeouts 2014-06-30 00:46:28 -05:00
HD Moore a279db7710 Check for sock.get / udp_sock.get issues 2014-06-30 00:40:06 -05:00
William Vu 56c71c7b85
Land #3457, newline check for msftidy 2014-06-17 14:20:53 -05:00
Christian Mehlmauer 3c00388f87
Add check for newline at end of file 2014-06-17 15:44:43 +02:00
William Vu 7f2b173130
Fix misspelled constant in msftidy 2014-06-12 13:47:44 -05:00
William Vu 3a9f7fb7f9
Land #3405, improved Nokogiri check for msftidy 2014-05-29 16:21:26 -05:00
William Vu 17fb48eaa3
Refactor check_nokogiri in msftidy 2014-05-29 13:20:23 -05:00
Tod Beardsley 2ce6f325f5
Be more specific with Nokogiri check
There are still strong reservations about using Nokogiri to parse
untrusted XML data.

http://www.wireharbor.com/hidden-security-risks-of-xml-parsing-xxe-attack/

It is also believed that many desktop operating systems are still
shipping out-of-date and vulnerable libxml2 libraries, which become
exposed via Nokogiri. For example:

http://stackoverflow.com/questions/18627075/nokogiri-1-6-0-still-pulls-in-wrong-version-of-libxml-on-os-x

While this isn't a problem for binary builds of Metasploit (Metasploit
Community, Express, or Pro) it can be a problem for development
versions or Kali's / Backtrack's version.

So, the compromise here is to allow for modules that don't directly
expose XML parsing. I can't say for sure that the various libxml2
vulnerabilities (current and future) aren't also exposed via
`Nokogiri::HTML` but I also can't come up with a reasonable demo.

Metasploit committers should still look at any module that relies on
Nokogiri very carefully, and suggest alternatives if there are any. But,
it's sometimes going to be required for complex HTML parsing.

tl;dr: Use REXML for XML parsing, and Nokogiri for HTML parsing if you
absolutely must.
2014-05-29 11:52:17 -05:00
Tod Beardsley d9fbf861d2
Add an environment option to suppress info msgs
It's often you want counts of just WARN and ERROR messages, and don't
want to spam yourself with INFO messages that you don't intend to
address anyway. This is most often the case with CI, such as with

https://travis-ci.org/todb-r7/metasploit-framework
2014-05-21 16:20:57 -05:00
Tod Beardsley 765419627b
Demote datastore edits to info status
SeeRM #8498
2014-05-21 16:18:36 -05:00
Christian Mehlmauer 3f3283ba06
Resolved some msftidy warnings (Set-Cookie) 2014-05-12 21:23:30 +02:00
Christian Mehlmauer 3f4e9ab18d
msftidy: only check send_request_cgi for vars_get 2014-04-22 19:24:06 +02:00
Christian Mehlmauer b864c4619d
msftidy - added info messages
this commit adds info messages to msftidy to show some info,
but stil exit with status 0 if there are not errors.
2014-04-21 18:04:14 +02:00
Christian Mehlmauer fc803ae277
Changed msftidy check
send_request_raw does not support vars_get so change
the message to switch to send_request_cgi.
See #3272 for more info
2014-04-20 22:41:32 +02:00
William Vu aeedad262d
Remove unnecessary charclass escapes 2014-04-15 14:14:51 -05:00
William Vu 261572158b
Add paren to list of exclusion chars 2014-04-15 11:20:11 -05:00
William Vu 14c7eb19e6
Make the hash brace optional 2014-04-15 10:06:43 -05:00
William Vu f3f31005d8
Revert inadvertent fix for vars_get in msftidy 2014-04-14 14:51:52 -05:00
sinn3r e54a348bd4
Land #3237 - Reconcile test_old_rubies with the other checks 2014-04-11 10:49:23 -05:00
William Vu 8919e21379
Reconcile test_old_rubies with the other checks
It is now check_old_rubies.
2014-04-10 21:44:00 -05:00
William Vu df29578036
Correct check_vars_get to check_request_vars
Since check_vars_get also checked for POSTs.
2014-04-10 21:37:59 -05:00
William Vu 79f82be35d
Land #3188, deluxe msftidy post-merge hook 2014-04-07 14:38:19 -05:00
sinn3r 023bde5b43 Correct msftidy disclosure date check
This correct msftidy's disclosure date check to do the following:

1. If the module has a disclosure date, the check should kick in.
2. If the module is an exploit, and doesn't have a disclosure
   date, then it will be flagged.
3. If the module is an auxiliary, and doesn't have a disclosure
   date, then it will NOT be flgged (because not all aux modules
   target bugs/vulns like exploits do).
2014-04-07 14:21:04 -05:00
William Vu 31b3a6973e
Fix symlink commands 2014-04-07 12:40:11 -05:00
William Vu 48ef061c3c
Land #3046, AIX ibtstat privesc exploit 2014-04-03 17:07:00 -05:00
William Vu 5ac6c4b565
Align msftidy whitelist to 80 columns 2014-04-03 16:54:47 -05:00
Tod Beardsley e1d819b8b9
Update the comment docs on pre-commit-hook.rb
[SeeRM #8779]
2014-04-03 15:26:25 -05:00
Tod Beardsley 70c0a19bbe
Be explicit about which mode we're in.
[SeeRM #8779]
2014-04-03 15:20:50 -05:00
Tod Beardsley 14b47aa67e
Remove the broken SPOTCHECK_RECENT stuff 2014-04-02 11:12:00 -05:00
Tod Beardsley eb2e4cbdef
Add post-merge capability to pre-commit-hook.rb
This will make it possible to run a post-merge check when
pre-commit-hook.rb is referenced as a symlink from .git/hooks/post-merge

The kind of check you're going to do is entirely dependant on the
basename of the file, which is a little weird but convenient.

Verification is a little tricky on this. Coming soon.
2014-04-02 10:19:43 -05:00
Sagi Shahar becefde52f Fix bugs and syntax 2014-04-01 00:54:51 +02:00
Christian Mehlmauer 91034722e9
Added check for 'Rank' on Auxiliary modules 2014-03-28 22:43:53 +01:00
FireFart c023cb2275 make set-cookie header check case insensitive 2014-03-01 13:35:58 +01:00
FireFart 551327bec6 Added a check for Set-Cookie header in msftidy 2014-03-01 13:30:24 +01:00
William Vu 506c354722
Land #3103, vars_get check for msftidy 2014-03-15 19:57:19 -05:00