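def verify_regex(request):
    """
    Validate the file-extension list or regex list typed into the rule editor.

    :param request: POST with ``content`` (text to validate) and ``role``;
                    ``role == 'file_ext'`` treats ``content`` as comma-separated
                    extensions, any other role treats it as one regex per line
    :return: JsonResponse ``{"status": "ok"}`` or
             ``{"status": "failed", "msg": <reason>}``
    """
    result = {"status": "ok"}
    content = strip(request.POST.get('content', None))
    role = request.POST.get('role', None)

    if role == 'file_ext':
        # Every extension must start with '.', whether one or several were given.
        # The previous version only looked at the list when a ',' was present, so a
        # single bare extension such as "py" was never checked.
        if content:
            for ext in content.split(','):
                if not ext.startswith('.'):
                    result['status'] = 'failed'
                    result['msg'] = '多个文件名后缀必须使用英文的(,)隔开, 以(.)开始!'
                    break
    elif content:
        # re.compile() only proves each line is a syntactically valid pattern; it says
        # nothing about how expensive the pattern is to match at scan time.
        try:
            for pattern in content.split('\n'):
                re.compile(pattern)
        except re.error:
            result['status'] = 'failed'
            result['msg'] = '正则表达式不正确, 请输入正确的正则表达式!'

    return JsonResponse(result, safe=False)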
def show(request, perm_id):
    """
    Edit page for a single Permission: POST renames it, GET renders the form.

    :param request: HTTP request; a POST carries the new ``name`` field
    :param perm_id: primary key of the Permission being edited (from the URL)
    :return: redirect to the permission page after a POST, otherwise the
             rendered edit form
    """
    if request.method != 'POST':
        # Permission.objects.get raises Permission.DoesNotExist for an unknown id;
        # that is not handled here.
        permission = Permission.objects.get(id=perm_id)
        content_types = ContentType.objects.all()
        context = {
            'nav': 'sys',
            'model': permission,
            'modules': content_types,
        }
        return render(request, 'system/account/perm/edit.html', context)

    new_name = strip(request.POST.get('name', ''))
    if new_name:
        # Only the name is editable from this form; an empty submission changes nothing.
        permission = Permission.objects.get(id=int(perm_id))
        permission.name = new_name
        permission.save()
    return HttpResponseRedirect("/sys/account/perm/{0}/".format(perm_id))
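def _render_code_lines(model):
    """
    Build one HTML line per source line of an issue's code snippet.

    Each line is prefixed with its line number; the line at ``model.start_line``
    is wrapped in the highlighted ``<span id='element'>`` so the page can jump to
    it. The snippet text is HTML-escaped first because the template renders the
    joined result as raw markup.

    :param model: IssueInfo with ``code_segment`` (newline-separated text) and
                  ``start_line``
    :return: list of HTML strings
    """
    import html  # function-scope import, matching the file's existing style

    lines = []
    # Offset of the first snippet line relative to start_line: the snippet appears
    # to carry one context line before the issue unless the issue is on line 1.
    offset = 0 if model.start_line == 1 else -1
    for code in model.code_segment.split('\n'):
        line_no = model.start_line + offset
        # The previous .replace("<", "<") / .replace(">", ">") calls were no-ops, so
        # scanned source text reached the template unescaped; escape it for real.
        code_safe = html.escape(code, quote=False)
        if offset == 0:
            lines.append(
                "<i style='color:#c0c0c0'>{0}.</i> <span id='element' style='font-weight: bold;"
                "color:purple; background-color:#ccc'>{1}</span>".format(line_no, code_safe))
        else:
            lines.append(
                "<i style='color:#c0c0c0'>{0}.</i> "
                "<span style='color:blue'>{1}</span>".format(line_no, code_safe))
        offset += 1
    return lines


def show(request, issue_id):
    """
    Issue detail page: POST updates the title or status, GET renders the issue.

    :param request: HTTP request; a POST carries ``role`` ('title' or 'status')
                    plus ``title``, ``status`` and ``comment``
    :param issue_id: primary key of the IssueInfo (from the URL)
    :return: redirect back to this page after a POST, otherwise the rendered
             detail page (``model`` is None when the issue does not exist)
    """
    if request.method == 'POST':
        role = strip(request.POST.get('role', ''))
        title = strip(request.POST.get('title', ''))
        status = strip(request.POST.get('status', ''))
        comment = strip(request.POST.get('comment', ''))
        if role == 'title':
            update_issue_obj(issue_id=issue_id, title=title)
        elif role == 'status':
            update_issue_obj(
                issue_id=issue_id,
                status=status,
                comment=comment,
                user=request.user,
            )
        return HttpResponseRedirect('/scan/issue/{0}/'.format(issue_id))

    code_segment, issue_flows, tags = [], [], []
    try:
        model = IssueInfo.objects.get(id=issue_id)
        code_segment = _render_code_lines(model)
        issue_flows = IssueFlowInfo.objects.filter(
            issue__id=model.id).order_by("created_at")
        tags = get_tactic_tags_by_id(tactic_id=model.tactic.id)
    except IssueInfo.DoesNotExist:
        model = None

    return render(
        request,
        'scan/issue/show.html',
        {
            'nav': 'scan',
            'issue_status': ISSUE_STATUS,
            'model': model,
            'code_segment': '\n'.join(code_segment),
            'issue_flows': issue_flows,
            'tags': tags,
        })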
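def index(request, task_id=None):
    """
    Issue list, optionally scoped to one task, filtered by query-string params.

    :param request: HTTP request; GET params ``app`` (app id), ``e`` (engine id),
                    ``c`` (tactic type), ``r`` (risk), ``d`` (done filter),
                    ``k`` (title keyword), ``a`` (alarm filter), ``p`` (page),
                    ``ps`` (page size)
    :param task_id: when given, restricts the list to that task's app
    :return: rendered issue index page
    """
    app_id = strip(request.GET.get('app', ''))
    e = strip(request.GET.get('e', ''))
    cate = strip(request.GET.get('c', ''))
    risk = strip(request.GET.get('r', ''))
    done = strip(request.GET.get('d', ''))
    keyword = request.GET.get('k', '')
    a = request.GET.get('a', '')
    page_num = parse_int(request.GET.get('p', 1), 1)
    # NOTE(review): page size is taken from the query string without an upper bound.
    page_size = parse_int(request.GET.get('ps', 20), 20)

    filters = {}
    app_obj = None
    if task_id:
        task = get_task_by_id(task_id)
        if task:
            app_obj = get_app_by_id(task.app.id)
            filters['app__id'] = task.app.id
    if app_id:
        # An explicit app param overrides the task's app.
        app_obj = get_app_by_id(app_id)
        filters['app__id'] = app_id
    if e:
        # parse_int (as the rule index uses) instead of int(): a non-numeric value
        # previously raised ValueError and produced a 500.
        filters['tactic__engine__id'] = parse_int(e, 0)
    if risk:
        filters['tactic__risk'] = risk
    if cate:
        filters['tactic__type'] = parse_int(cate, 0)
    if keyword:
        keyword = keyword.strip()
        filters['title__icontains'] = keyword
    if a == '1':
        filters['is_send_alarm'] = True
    elif a == '2':
        filters['scm_url__isnull'] = False
    if done == '1':
        filters['status__in'] = [2, 3, 4, 5]
    elif done == '2':
        filters['status'] = 1
    elif done == '3':
        filters['is_false_positive'] = True

    items = IssueInfo.objects.filter(**filters).order_by("-updated_at")
    paginator = Paginator(items, page_size, request=request, pre_name=u"问题")
    page = paginator.page(page_num)

    return render(
        request,
        'scan/issue/index.html',
        {
            'nav': 'scan',
            'page': page,
            'e': e,
            'c': cate,
            'r': risk,
            'd': done,
            'alarm': a,
            'app_obj': app_obj,
            'keyword': keyword,
            'issues_type': TACTIC_TYPE,
            'risk_list': RISK_TYPE,
            'engine_list': get_all_engine(),
            'issues_status': ISSUE_STATUS,
        })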
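def index(request):
    """
    Rule (tactic) index: POST saves a rule via ``save()``, GET lists rules.

    :param request: HTTP request; GET params ``t`` (type), ``e`` (engine id),
                    ``n`` (nature type), ``r`` (risk), ``l`` (language id),
                    ``k`` (name keyword), ``a`` (alarm enabled), ``kb`` (has
                    vuln entry), ``p`` (page), ``ps`` (page size)
    :return: redirect with a ``msg``/``errmsg`` query param after a POST,
             otherwise the rendered rule index page
    """
    if request.method == "POST":
        try:
            tactic_id = request.POST.get('tactic_id', None)
            msg = '修改策略规则成功!' if tactic_id else '添加策略规则成功!'
            save(request)
            return HttpResponseRedirect('/tactic/rule/?msg={0}'.format(
                urlquote(msg)))
        except (Exception, QueryConditionIsEmptyException, ParameterIsEmptyException) as ex:
            import traceback
            traceback.print_exc()  # FIXME syslog
            # str(ex) is shown to the user through the redirect. save() raises
            # Exception with user-facing validation text, but any other exception
            # caught here (e.g. a conversion error) has its text exposed the same way.
            return HttpResponseRedirect('/tactic/rule/?errmsg={0}'.format(
                urlquote(str(ex))))

    t = strip(request.GET.get('t', ''))
    e = strip(request.GET.get('e', ''))
    n = strip(request.GET.get('n', ''))
    r = strip(request.GET.get('r', ''))
    lang = strip(request.GET.get('l', ''))
    keyword = strip(request.GET.get('k', ''))
    a = strip(request.GET.get('a', ''))
    kb = strip(request.GET.get('kb', ''))
    page_num = parse_int(request.GET.get('p', 1), 1)
    # NOTE(review): page size is taken from the query string without an upper bound.
    page_size = parse_int(request.GET.get('ps', 20), 20)

    filters = {}
    if n:
        filters['nature_type'] = parse_int(n, 0)
    if t:
        filters['type'] = parse_int(t, 0)
    if r:
        filters['risk'] = parse_int(r, 0)
    if e:
        # parse_int for consistency with the other filters; int() raised ValueError
        # (HTTP 500) on a non-numeric value.
        filters['engine__id'] = parse_int(e, 0)
    if keyword:
        filters['name__icontains'] = keyword
    if lang:
        filters['lang__id'] = parse_int(lang, 0)
    if a:
        filters['alarm_enable'] = (a == '1')
    if kb:
        filters['vuln__isnull'] = (kb != '1')

    items = TacticInfo.objects.filter(**filters).order_by('-updated_at')
    paginator = Paginator(items, page_size, request=request, pre_name=u"规则")
    page = paginator.page(page_num)

    return render(
        request,
        'tactic/rule/index.html',
        {
            'nav': 'tactic',
            'page': page,
            't': t,
            'r': r,
            'n': n,
            'a': a,
            'e': e,
            'kb': kb,
            'l': lang,
            'keyword': keyword,
            'risk_list': RISK_TYPE,
            'tactic_type_list': TACTIC_TYPE,
            'match_list': TACTIC_MATCH_TYPE,
            'engine_list': get_all_engine(),
            'component_match_list': COMPONENT_MATCH_TYPE,
            'lang_list': get_lang_all(),
        })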
def save(request):
    """
    Create or update a tactic (scan rule) from the rule-editor form.

    Reads every field from ``request.POST``, converts the numeric ones, and then
    either updates the tactic named by ``tactic_id`` or creates a new one. All
    validation failures are reported by raising ``Exception`` with a user-facing
    message; the calling view redirects with that text as ``errmsg``.

    :param request: HTTP POST carrying the rule-editor fields
    :return: None
    :raises Exception: missing name/key, unknown ``tactic_id``, or a ``key`` that
                       already belongs to another tactic
    """
    name = strip(request.POST.get('name', None))
    key = strip(request.POST.get('key', None))
    lang_id = strip(request.POST.get('lang', None))
    tactic_id = strip(request.POST.get('tactic_id', None))
    nature_type = strip(request.POST.get('nature_type', 1))
    tactic_type = strip(request.POST.get('tactic_type', 3))
    risk = strip(request.POST.get('risk', None))
    kb_id = strip(request.POST.get('kb_id', None))
    rule_match_type = strip(request.POST.get('match_type', 0))
    file_ext = strip(request.POST.get('file_ext', None))
    component_match_type = strip(request.POST.get('component_match_type', None))
    # Stored as submitted: no re.compile() check happens here, so a rule whose
    # regex fails to compile is only caught if the client called verify_regex first.
    rule_regex = strip(request.POST.get('rule_regex', None))
    component_name = strip(request.POST.get('component_name', None))
    rule_regex_flag = strip(request.POST.get('rule_regex_flag', None))
    description = strip(request.POST.get('description', ''))
    solution = strip(request.POST.get('solution', ''))
    is_active = parse_bool(strip(request.POST.get('is_active', False)))
    plugin_name = strip(request.POST.get('plugin_name', ''))
    # NOTE(review): plugin_content is request-supplied text handed to dump_plugin
    # below, which presumably writes it out as a loadable plugin module. Anyone who
    # can reach this view can therefore supply code for the scanner to run; confirm
    # the view is restricted to trusted rule administrators.
    plugin_content = strip(request.POST.get('plugin_content', ''))
    tags = strip(request.POST.get('tags', ''))

    # Plain int() conversions: a missing or non-numeric field raises TypeError /
    # ValueError here, before the friendlier required-field check below runs.
    nature_type = int(nature_type)
    tactic_type = int(tactic_type)
    rule_match_type = int(rule_match_type)
    risk = int(risk)

    vuln_obj = None
    rule_value = ''
    if kb_id:
        kb_id = int(kb_id)
        vuln_obj = get_vuln_by_id(vuln_id=kb_id)

    if not all((
        name,
        key,
    )):
        raise Exception('请填写"策略标题"、"Key"字段!')

    # Keys are compared case-insensitively by storing them lower-cased.
    key = key.lower()

    # rule_value carries whichever match target the match type uses:
    # 3 -> file-extension list, 4 -> component match type; otherwise empty.
    if rule_match_type == 3:
        rule_value = file_ext
    elif rule_match_type == 4:
        rule_value = component_match_type

    plugin_module_name = ''
    if plugin_name and plugin_content:
        plugin_module_name = dump_plugin(name=plugin_name, content=plugin_content)

    if tactic_id:
        # Update path: the tactic must exist, and the key must not belong to another one.
        tactic_id = int(tactic_id)
        model = get_tactic_by_id(tactic_id=tactic_id)
        if not model:
            raise Exception('"tactic_id={0}"规则策略未找到!'.format(tactic_id))
        tactic_obj = get_tactic_by_key(key=key)
        if tactic_obj and tactic_obj.id != tactic_id:
            raise Exception('"{0}"已存在!'.format(key))
        update_tactic_obj(
            tactic_id=tactic_id,
            user=request.user,
            vuln_obj=vuln_obj,
            is_active=is_active,
            key=key,
            name=name,
            description=description,
            solution=solution,
            type=tactic_type,
            risk=risk,
            nature_type=nature_type,
            rule_match_type=rule_match_type,
            rule_value=rule_value,
            rule_regex=rule_regex,
            rule_regex_flag=rule_regex_flag,
            component_name=component_name,
            plugin_name=plugin_name,
            plugin_module_name=plugin_module_name,
            plugin_content=plugin_content,
            tags=tags,
        )
    else:
        # Create path: the key must be unused; the engine field picks the scanner
        # module, with anything unrecognised falling back to the sonar scanner.
        engine = strip(request.POST.get('engine', None))
        if get_tactic_by_key(key=key):
            raise Exception('"{0}"已存在!'.format(key))
        lang_obj = get_lang_by_id(lang_id=lang_id)
        if engine == 'RuleScanner':
            attribution_type = 1
            engine_obj = get_engine_by_module_name(
                module_name='seecode_scanner.lib.engines.rulescanner')
        elif engine == 'PluginScanner':
            attribution_type = 2
            engine_obj = get_engine_by_module_name(
                module_name='seecode_scanner.lib.engines.pluginscanner')
        else:
            attribution_type = 3
            engine_obj = get_engine_by_module_name(
                module_name='seecode_scanner.lib.engines.sonarscanner')
        # Note the differences from the update path: is_active is forced to True,
        # and description, solution, tags and the plugin fields are not passed.
        create_tactic_obj(
            lang_obj=lang_obj,
            engine_obj=engine_obj,
            key=key,
            name=name,
            user=request.user,
            vuln_obj=vuln_obj,
            is_active=True,
            type=tactic_type,
            risk=risk,
            nature_type=nature_type,
            attribution_type=attribution_type,
            rule_match_type=rule_match_type,
            rule_value=rule_value,
            rule_regex=rule_regex,
            rule_regex_flag=rule_regex_flag,
            component_name=component_name,
        )