class Pedant::CheckScriptNotSignedAndUsingSecretKBItem


# Knowledge-base entries this check needs in addition to those required by
# the base check: the main file, its parse trees and its raw source code.
def self.requires
  inherited = super
  inherited + %i[main trees codes]
end


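# Warns when an unsigned plugin touches a KB item whose key starts with
# "Secret". A plugin is treated as signed only when its source begins with
# "#TRUSTED"; the outcome is skip (not a plugin), fail (unsigned secret
# access, first occurrence reported) or pass.
def run
  # This check only applies to plugins.
  return skip unless @kb[:main].extname == '.nasl'

  tree = @kb[:trees][@kb[:main]]
  codes = @kb[:codes][@kb[:main]]

  # KB accessors whose key argument is inspected; built once rather than on
  # every Call node.
  kb_functions = %w[
    get_kb_item
    rm_kb_item
    get_kb_list
    replace_kb_item
    set_kb_item
    script_require_keys
    set_global_kb_item
    get_global_kb_item
    get_fresh_kb_item
    get_global_kb_list
    get_kb_item_or_exit
  ].freeze

  # Only a "#TRUSTED" marker at the very start of the file counts as signed;
  # a later occurrence does not. Computed once instead of per call site.
  signed = codes.index("#TRUSTED") == 0

  # Reduce an argument to its leftmost leaf and return that leaf when it
  # carries literal text, nil otherwise (e.g. a variable or a call).
  leaf_text_of = lambda do |argument|
    expr = argument.expr
    expr = expr.lhs while expr.is_a? Nasl::Expression
    expr if expr.respond_to? :text
  end

  # True when an argument is passed keyword-style (`name: value`).
  named = ->(argument) { argument.respond_to?(:name) && argument.name.respond_to?(:name) }

  tree.all(:Call).each do |node|
    next unless kb_functions.include? node.name.ident.name
    next if node.args.empty?

    # script_require_keys takes a list of keys, so every argument is a
    # candidate. Every other function takes the key as its first argument,
    # or as the argument named 'name' when arguments are passed by keyword
    # (falling back to the first argument when no 'name' argument exists).
    candidates =
      if node.name.ident.name == "script_require_keys"
        node.args
      elsif named.call(node.args.first)
        [node.args.find { |a| named.call(a) && a.name.name == "name" } || node.args.first]
      else
        [node.args.first]
      end

    candidates.each do |candidate|
      leaf = leaf_text_of.call(candidate)
      next unless leaf && leaf.text.start_with?("Secret")
      next if signed
      report(:warn, "Plugin is accessing the secret KB item \"#{leaf.text}\" and needs to be signed. Add a #TRUSTED line to the start of your plugin to flag it for signing via Bamboo.")
      report(:warn, leaf.context())
      return fail
    end
  end

  report(:info, "Plugin is not using secret KB items without being signed.")
  pass
end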