class Pedant::CheckScriptNotSignedAndUsingSecretKBItem
Public Class Methods
requires()
Calls superclass method
Pedant::Check::requires
# File lib/pedant/checks/script_not_signed_and_using_secret_kb_item.rb, line 29
# Knowledge-base keys this check needs on top of those required by
# Pedant::Check: the main file, its parse trees and its source code.
#
# @return [Array<Symbol>] the superclass's keys followed by this check's own
def self.requires
  super + %i[main trees codes]
end
Public Instance Methods
run()
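# File lib/pedant/checks/script_not_signed_and_using_secret_kb_item.rb, line 33
# Runs the check against the plugin recorded in @kb[:main].
#
# A plugin that reads or writes a KB item whose name begins with "Secret"
# must be flagged for signing, which this check recognises by the plugin's
# source beginning with a "#TRUSTED" line. Only item names given as string
# literals (or the leftmost literal of a string expression) are examined;
# names held in variables or built at runtime are not seen, so a pass is
# best-effort and not proof that no secret item is used.
#
# @return the value of +skip+ (not a .nasl plugin), +fail+ (unsigned access
#   to a secret KB item) or +pass+
def run
  # This check only applies to plugins.
  return skip unless @kb[:main].extname == '.nasl'

  tree = @kb[:trees][@kb[:main]]
  codes = @kb[:codes][@kb[:main]]

  # Functions that take a KB item name; script_require_keys takes many.
  kb_functions = %w[
    get_kb_item rm_kb_item get_kb_list replace_kb_item set_kb_item
    script_require_keys set_global_kb_item get_global_kb_item
    get_fresh_kb_item get_global_kb_list get_kb_item_or_exit
  ]

  # The signing marker only counts at the very start of the source; it does
  # not depend on the call being inspected, so decide it once.
  trusted = codes.index("#TRUSTED") == 0

  tree.all(:Call).each do |node|
    func = node.name.ident.name
    next unless kb_functions.include?(func)
    next if node.args.empty?

    candidates =
      if func == "script_require_keys"
        # Every argument is a key name.
        node.args.map(&:expr)
      else
        # The item name is the argument explicitly named "name" when the call
        # uses named arguments (in any position), else the first argument.
        named = node.args.find do |a|
          a.respond_to?(:name) && a.name.respond_to?(:name) && a.name.name == "name"
        end
        [(named || node.args.first).expr]
      end

    candidates.each do |arg|
      # Walk down to the leftmost operand, e.g. the literal in "Secret/x" + y.
      arg = arg.lhs while arg.is_a? Nasl::Expression
      # Non-literal names cannot be inspected statically.
      next unless arg.respond_to? :text
      next unless arg.text.start_with?("Secret")
      next if trusted

      report(:warn, "Plugin is accessing the secret KB item \"#{arg.text}\" and needs to be signed. Add a #TRUSTED line to the start of your plugin to flag it for signing via Bamboo.")
      report(:warn, arg.context())
      return fail
    end
  end

  report(:info, "Plugin is not using secret KB items without being signed.")
  pass
end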