def has_all_text(code_dest: str,
expected_list: list,
use_regex: bool = False,
exclude: list = None,
lang_specs: dict = None) -> bool:
"""
Check if a list of bad text is present in given source file.
if `use_regex` equals True, Search is (case-insensitively)
performed by :py:func:`re.search`.
:param code_dest: Path to the file or directory to be tested.
:param expected_list: List of bad text to look for in the file.
:param use_regex: Use regular expressions instead of literals to search.
:param exclude: Paths that contains any string from this list are ignored.
:param lang_specs: Specifications of the language, see
fluidasserts.lang.java.LANGUAGE_SPECS for an example.
"""
if not lang_specs:
lang_specs = LANGUAGE_SPECS
matches = {}
for expected in set(expected_list):
grammar = expected if use_regex else re.escape(expected)
try:
__matches = lang.check_grammar_re(grammar, code_dest, lang_specs,
exclude)
if not __matches:
show_close('Not all expected text was found in code',
details=dict(location=code_dest,
expected_list=expected_list,
used_regular_expressions=use_regex))
return False
matches.update(__matches)
except FileNotFoundError:
show_unknown('File does not exist',
details=dict(code_dest=code_dest,
used_regular_expressions=use_regex))
return False
show_open('A bad text from list was found in code',
details=dict(matches=matches,
expected_list=expected_list,
used_regular_expressions=use_regex))
return True
def has_any_secret(code_dest: str,
secrets_list: list,
use_regex: bool = False,
exclude: list = None,
lang_specs: dict = None) -> bool:
"""
Check if any on a list of secrets is present in given source file.
if `use_regex` equals True, Search is (case-insensitively)
performed by :py:func:`re.search`.
:param code_dest: Path to the file or directory to be tested.
:param secrets_list: List of secrets to look for in the file.
:param use_regex: Use regular expressions instead of literals to search.
:param exclude: Paths that contains any string from this list are ignored.
:param lang_specs: Specifications of the language, see
fluidasserts.lang.java.LANGUAGE_SPECS for an example.
"""
# Remove duplicates
secrets_set = set(secrets_list)
if not lang_specs:
lang_specs = LANGUAGE_SPECS
if not use_regex:
secrets_set = map(re.escape, secrets_set)
any_list = '|'.join(f'(?:{exp})' for exp in secrets_set)
try:
matches = lang.check_grammar_re(any_list, code_dest, lang_specs,
exclude)
if not matches:
show_close('None of the expected secrets were found in code',
details=dict(location=code_dest,
secrets_list=secrets_list,
used_regular_expressions=use_regex))
return False
except FileNotFoundError:
show_unknown('File does not exist', details=dict(code_dest=code_dest))
return False
show_open('Some of the expected secrets are present in code',
details=dict(matches=matches,
secrets_list=secrets_list,
used_regular_expressions=use_regex))
return True
def has_weak_cipher(code_dest: str,
expected_text: str,
exclude: list = None,
lang_specs: dict = None) -> bool:
"""
Check if code uses base 64 to cipher confidential data.
See `REQ.185 <https://fluidattacks.com/web/rules/185/>`_.
:param code_dest: Path to a code source file or package.
:param expected_text: Text that might be in source file or package
:param exclude: Paths that contains any string from this list are ignored.
:param lang_specs: Specifications of the language, see
fluidasserts.lang.java.LANGUAGE_SPECS for an example.
"""
if not lang_specs:
lang_specs = LANGUAGE_SPECS
grammar = re.escape(b64encode(expected_text.encode()).decode())
try:
b64_matches = lang.check_grammar_re(grammar, code_dest, lang_specs,
exclude)
if not b64_matches:
show_close(
'Code does not have confidential data encoded in base64',
details=dict(location=code_dest))
return False
except FileNotFoundError:
show_unknown('File does not exist', details=dict(code_dest=code_dest))
return False
else:
for code_file, vulns in b64_matches.items():
show_open('Code has confidential data encoded in base64',
details=dict(expected=expected_text,
file=code_file,
fingerprint=lang.get_sha256(code_file),
lines=str(vulns)[1:-1],
total_vulns=len(vulns)))
return True