示例#1
0
def has_all_text(code_dest: str,
                 expected_list: list,
                 use_regex: bool = False,
                 exclude: list = None,
                 lang_specs: dict = None) -> bool:
    """
    Check if a list of bad text is present in given source file.

    if `use_regex` equals True, Search is (case-insensitively)
    performed by :py:func:`re.search`.

    :param code_dest: Path to the file or directory to be tested.
    :param expected_list: List of bad text to look for in the file.
    :param use_regex: Use regular expressions instead of literals to search.
    :param exclude: Paths that contains any string from this list are ignored.
    :param lang_specs: Specifications of the language, see
                       fluidasserts.lang.java.LANGUAGE_SPECS for an example.
    """
    if not lang_specs:
        lang_specs = LANGUAGE_SPECS
    matches = {}
    for expected in set(expected_list):
        grammar = expected if use_regex else re.escape(expected)
        try:
            __matches = lang.check_grammar_re(grammar, code_dest, lang_specs,
                                              exclude)
            if not __matches:
                show_close('Not all expected text was found in code',
                           details=dict(location=code_dest,
                                        expected_list=expected_list,
                                        used_regular_expressions=use_regex))
                return False
            matches.update(__matches)
        except FileNotFoundError:
            show_unknown('File does not exist',
                         details=dict(code_dest=code_dest,
                                      used_regular_expressions=use_regex))
            return False
    show_open('A bad text from list was found in code',
              details=dict(matches=matches,
                           expected_list=expected_list,
                           used_regular_expressions=use_regex))
    return True
示例#2
0
def has_any_secret(code_dest: str,
                   secrets_list: list,
                   use_regex: bool = False,
                   exclude: list = None,
                   lang_specs: dict = None) -> bool:
    """
    Check if any on a list of secrets is present in given source file.

    if `use_regex` equals True, Search is (case-insensitively)
    performed by :py:func:`re.search`.

    :param code_dest: Path to the file or directory to be tested.
    :param secrets_list: List of secrets to look for in the file.
    :param use_regex: Use regular expressions instead of literals to search.
    :param exclude: Paths that contains any string from this list are ignored.
    :param lang_specs: Specifications of the language, see
                       fluidasserts.lang.java.LANGUAGE_SPECS for an example.
    """
    # Remove duplicates
    secrets_set = set(secrets_list)
    if not lang_specs:
        lang_specs = LANGUAGE_SPECS
    if not use_regex:
        secrets_set = map(re.escape, secrets_set)
    any_list = '|'.join(f'(?:{exp})' for exp in secrets_set)
    try:
        matches = lang.check_grammar_re(any_list, code_dest, lang_specs,
                                        exclude)
        if not matches:
            show_close('None of the expected secrets were found in code',
                       details=dict(location=code_dest,
                                    secrets_list=secrets_list,
                                    used_regular_expressions=use_regex))
            return False
    except FileNotFoundError:
        show_unknown('File does not exist', details=dict(code_dest=code_dest))
        return False
    show_open('Some of the expected secrets are present in code',
              details=dict(matches=matches,
                           secrets_list=secrets_list,
                           used_regular_expressions=use_regex))
    return True
示例#3
0
def has_weak_cipher(code_dest: str,
                    expected_text: str,
                    exclude: list = None,
                    lang_specs: dict = None) -> bool:
    """
    Check if code uses base 64 to cipher confidential data.

    See `REQ.185 <https://fluidattacks.com/web/rules/185/>`_.

    :param code_dest: Path to a code source file or package.
    :param expected_text: Text that might be in source file or package
    :param exclude: Paths that contains any string from this list are ignored.
    :param lang_specs: Specifications of the language, see
                       fluidasserts.lang.java.LANGUAGE_SPECS for an example.
    """
    if not lang_specs:
        lang_specs = LANGUAGE_SPECS
    grammar = re.escape(b64encode(expected_text.encode()).decode())
    try:
        b64_matches = lang.check_grammar_re(grammar, code_dest, lang_specs,
                                            exclude)
        if not b64_matches:
            show_close(
                'Code does not have confidential data encoded in base64',
                details=dict(location=code_dest))
            return False
    except FileNotFoundError:
        show_unknown('File does not exist', details=dict(code_dest=code_dest))
        return False
    else:
        for code_file, vulns in b64_matches.items():
            show_open('Code has confidential data encoded in base64',
                      details=dict(expected=expected_text,
                                   file=code_file,
                                   fingerprint=lang.get_sha256(code_file),
                                   lines=str(vulns)[1:-1],
                                   total_vulns=len(vulns)))
    return True