def has_all_text(code_dest: str, expected_list: list, use_regex: bool = False, exclude: list = None, lang_specs: dict = None) -> bool: """ Check if a list of bad text is present in given source file. if `use_regex` equals True, Search is (case-insensitively) performed by :py:func:`re.search`. :param code_dest: Path to the file or directory to be tested. :param expected_list: List of bad text to look for in the file. :param use_regex: Use regular expressions instead of literals to search. :param exclude: Paths that contains any string from this list are ignored. :param lang_specs: Specifications of the language, see fluidasserts.lang.java.LANGUAGE_SPECS for an example. """ if not lang_specs: lang_specs = LANGUAGE_SPECS matches = {} for expected in set(expected_list): grammar = expected if use_regex else re.escape(expected) try: __matches = lang.check_grammar_re(grammar, code_dest, lang_specs, exclude) if not __matches: show_close('Not all expected text was found in code', details=dict(location=code_dest, expected_list=expected_list, used_regular_expressions=use_regex)) return False matches.update(__matches) except FileNotFoundError: show_unknown('File does not exist', details=dict(code_dest=code_dest, used_regular_expressions=use_regex)) return False show_open('A bad text from list was found in code', details=dict(matches=matches, expected_list=expected_list, used_regular_expressions=use_regex)) return True
def has_any_secret(code_dest: str, secrets_list: list, use_regex: bool = False, exclude: list = None, lang_specs: dict = None) -> bool: """ Check if any on a list of secrets is present in given source file. if `use_regex` equals True, Search is (case-insensitively) performed by :py:func:`re.search`. :param code_dest: Path to the file or directory to be tested. :param secrets_list: List of secrets to look for in the file. :param use_regex: Use regular expressions instead of literals to search. :param exclude: Paths that contains any string from this list are ignored. :param lang_specs: Specifications of the language, see fluidasserts.lang.java.LANGUAGE_SPECS for an example. """ # Remove duplicates secrets_set = set(secrets_list) if not lang_specs: lang_specs = LANGUAGE_SPECS if not use_regex: secrets_set = map(re.escape, secrets_set) any_list = '|'.join(f'(?:{exp})' for exp in secrets_set) try: matches = lang.check_grammar_re(any_list, code_dest, lang_specs, exclude) if not matches: show_close('None of the expected secrets were found in code', details=dict(location=code_dest, secrets_list=secrets_list, used_regular_expressions=use_regex)) return False except FileNotFoundError: show_unknown('File does not exist', details=dict(code_dest=code_dest)) return False show_open('Some of the expected secrets are present in code', details=dict(matches=matches, secrets_list=secrets_list, used_regular_expressions=use_regex)) return True
def has_weak_cipher(code_dest: str, expected_text: str, exclude: list = None, lang_specs: dict = None) -> bool: """ Check if code uses base 64 to cipher confidential data. See `REQ.185 <https://fluidattacks.com/web/rules/185/>`_. :param code_dest: Path to a code source file or package. :param expected_text: Text that might be in source file or package :param exclude: Paths that contains any string from this list are ignored. :param lang_specs: Specifications of the language, see fluidasserts.lang.java.LANGUAGE_SPECS for an example. """ if not lang_specs: lang_specs = LANGUAGE_SPECS grammar = re.escape(b64encode(expected_text.encode()).decode()) try: b64_matches = lang.check_grammar_re(grammar, code_dest, lang_specs, exclude) if not b64_matches: show_close( 'Code does not have confidential data encoded in base64', details=dict(location=code_dest)) return False except FileNotFoundError: show_unknown('File does not exist', details=dict(code_dest=code_dest)) return False else: for code_file, vulns in b64_matches.items(): show_open('Code has confidential data encoded in base64', details=dict(expected=expected_text, file=code_file, fingerprint=lang.get_sha256(code_file), lines=str(vulns)[1:-1], total_vulns=len(vulns))) return True