Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/spec/support/lib/module_validation.rb
24699 views
1
require 'active_model'

2


3
module ModuleValidation

4
  # Checks if values within arrays included within the passed list of acceptable values

5
  class ArrayInclusionValidator < ActiveModel::EachValidator

6
    def validate_each(record, attribute, value)

7
      unless value.is_a?(Array)

8
        record.errors.add(attribute, "#{attribute} must be an array")

9
        return

10
      end

11


12
      # Special cases for modules/exploits/bsd/finger/morris_fingerd_bof.rb which has a one-off architecture defined in

13
      # the module itself, and that value is not included in the valid list of architectures.

14
      # https://github.com/rapid7/metasploit-framework/blob/389d84cbf0d7c58727846466d9a9f6a468f32c61/modules/exploits/bsd/finger/morris_fingerd_bof.rb#L11

15
      return if attribute == :arch && value == ["vax"] && record.fullname == "exploit/bsd/finger/morris_fingerd_bof"

16
      return if value == options[:sentinel_value]

17


18
      invalid_options = value - options[:in]

19
      message = "contains invalid values #{invalid_options.inspect} - only #{options[:in].inspect} is allowed"

20


21
      if invalid_options.any?

22
        record.errors.add(attribute, :array_inclusion, message: message, value: value)

23
      end

24
    end

25
  end

26


27
  # Validates module metadata

28
  class Validator < SimpleDelegator

29
    include ActiveModel::Validations

30


31
    validate :validate_filename_is_snake_case

32
    validate :validate_reference_ctx_id

33
    validate :validate_author_bad_chars

34
    validate :validate_target_platforms

35
    validate :validate_default_target

36
    validate :validate_description_does_not_contain_non_printable_chars

37
    validate :validate_name_does_not_contain_non_printable_chars

38
    validate :validate_attack_reference_format

39


40
    attr_reader :mod

41


42
    def initialize(mod)

43
      super

44
      @mod = mod

45
    end

46


47
    #

48
    # Acceptable Stability ratings

49
    #

50
    VALID_STABILITY_VALUES = [

51
      Msf::CRASH_SAFE,

52
      Msf::CRASH_SERVICE_RESTARTS,

53
      Msf::CRASH_SERVICE_DOWN,

54
      Msf::CRASH_OS_RESTARTS,

55
      Msf::CRASH_OS_DOWN,

56
      Msf::SERVICE_RESOURCE_LOSS,

57
      Msf::OS_RESOURCE_LOSS

58
    ]

59


60
    #

61
    # Acceptable Side-effect ratings

62
    #

63
    VALID_SIDE_EFFECT_VALUES = [

64
      Msf::ARTIFACTS_ON_DISK,

65
      Msf::CONFIG_CHANGES,

66
      Msf::IOC_IN_LOGS,

67
      Msf::ACCOUNT_LOCKOUTS,

68
      Msf::ACCOUNT_LOGOUT,

69
      Msf::SCREEN_EFFECTS,

70
      Msf::AUDIO_EFFECTS,

71
      Msf::PHYSICAL_EFFECTS

72
    ]

73


74
    #

75
    # Acceptable Reliability ratings

76
    #

77
    VALID_RELIABILITY_VALUES = [

78
      Msf::FIRST_ATTEMPT_FAIL,

79
      Msf::REPEATABLE_SESSION,

80
      Msf::UNRELIABLE_SESSION,

81
      Msf::EVENT_DEPENDENT

82
    ]

83


84
    #

85
    # Acceptable site references

86
    #

87
    VALID_REFERENCE_CTX_ID_VALUES = %w[

88
      ATT&CK

89
      CVE

90
      CWE

91
      BID

92
      MSB

93
      EDB

94
      US-CERT-VU

95
      ZDI

96
      URL

97
      WPVDB

98
      PACKETSTORM

99
      LOGO

100
      SOUNDTRACK

101
      OSVDB

102
      VTS

103
      OVE

104
    ]

105


106
    def validate_notes_values_are_arrays

107
      notes.each do |k, v|

108
        unless v.is_a?(Array)

109
          errors.add :notes, "note value #{k.inspect} must be an array, got #{v.inspect}"

110
        end

111
      end

112
    end

113


114
    def validate_crash_safe_not_present_in_stability_notes

115
      if rank == Msf::ExcellentRanking && !stability.include?(Msf::CRASH_SAFE)

116
        return if stability == Msf::UNKNOWN_STABILITY

117


118
        errors.add :stability, "must have CRASH_SAFE value if module has an ExcellentRanking, instead found #{stability.inspect}"

119
      end

120
    end

121


122
    def validate_filename_is_snake_case

123
      unless file_path.split('/').last.match?(/^[a-z0-9]+(?:_[a-z0-9]+)*\.rb$/)

124
        errors.add :file_path, "must be snake case, instead found #{file_path.inspect}"

125
      end

126
    end

127


128
    def validate_reference_ctx_id

129
      references_ctx_id_list = references.map(&:ctx_id)

130
      invalid_references = references_ctx_id_list - VALID_REFERENCE_CTX_ID_VALUES

131


132
      invalid_references.each do |ref|

133
        if ref.casecmp?('NOCVE')

134
          errors.add :references, "#{ref} please include NOCVE values in the 'notes' section, rather than in 'references'"

135
        elsif ref.casecmp?('AKA')

136
          errors.add :references, "#{ref} please include AKA values in the 'notes' section, rather than in 'references'"

137
        else

138
          errors.add :references, "#{ref} is not valid, must be in #{VALID_REFERENCE_CTX_ID_VALUES}"

139
        end

140
      end

141
    end

142


143
    def validate_author_bad_chars

144
      author.each do |i|

145
        if i.name =~ /^@.+$/

146
          errors.add :author, "must not include username handles, found #{i.name.inspect}. Try leaving it in a comment instead"

147
        end

148
      end

149
    end

150


151
    def validate_target_platforms

152
      if platform.blank? && type == 'exploit'

153
        targets.each do |target|

154
          if target.platform.blank?

155
            errors.add :platform, 'must be included either within targets or platform module metadata'

156
          end

157
        end

158
      end

159
    end

160


161
    def validate_default_target

162
      return unless respond_to?(:default_target)

163
      return if default_target == 0

164


165
      number_of_targets = respond_to?(:targets) ? targets.size : 0

166


167
      return if default_target < number_of_targets

168


169
      errors.add :default_target, "is out of range. Must specify a valid target index between 0 and #{number_of_targets - 1}, got '#{default_target}'"

170
    end

171


172
    def validate_attack_reference_format

173
      references.each do |ref|

174
        next unless ref.respond_to?(:ctx_id) && ref.respond_to?(:ctx_val)

175
        next unless ref.ctx_id == 'ATT&CK'

176


177
        val = ref.ctx_val

178
        prefix = val[/\A[A-Z]+/]

179
        valid_format = Msf::Mitre::Attack::Categories::PATHS.key?(prefix) && val.match?(/\A#{prefix}[\d.]+\z/)

180
        whitespace = val.match?(/\s/)

181


182
        unless valid_format && !whitespace

183
          errors.add :references, "ATT&CK reference '#{val}' is invalid. Must start with one of #{Msf::Mitre::Attack::Categories::PATHS.keys.inspect} and be followed by digits/periods, no whitespace."

184
        end

185
      end

186
    end

187


188
    def has_notes?

189
      !notes.empty?

190
    end

191


192
    def validate_description_does_not_contain_non_printable_chars

193
      unless description&.match?(/\A[ -~\t\n]*\z/)

194
        # Blank descriptions are validated elsewhere, so we will return early to not also add this error

195
        # and cause unnecessary confusion.

196
        return if description.nil?

197


198
        errors.add :description, 'must only contain human-readable printable ascii characters, including newlines and tabs'

199
      end

200
    end

201


202
    def validate_name_does_not_contain_non_printable_chars

203
      unless name&.match?(/\A[ -~]+\z/)

204
        errors.add :name, 'must only contain human-readable printable ascii characters'

205
      end

206
    end

207


208
    validates :mod, presence: true

209


210
    with_options if: :has_notes? do |mod|

211
      mod.validate :validate_crash_safe_not_present_in_stability_notes

212
      mod.validate :validate_notes_values_are_arrays

213


214
      mod.validates :stability,

215
                    'module_validation/array_inclusion': { in: VALID_STABILITY_VALUES, sentinel_value: Msf::UNKNOWN_STABILITY }

216


217
      mod.validates :side_effects,

218
                    'module_validation/array_inclusion': { in: VALID_SIDE_EFFECT_VALUES, sentinel_value: Msf::UNKNOWN_SIDE_EFFECTS }

219


220
      mod.validates :reliability,

221
                    'module_validation/array_inclusion': { in: VALID_RELIABILITY_VALUES, sentinel_value: Msf::UNKNOWN_RELIABILITY }

222
    end

223


224
    validates :arch,

225
              'module_validation/array_inclusion': { in: Rex::Arch::ARCH_TYPES }

226


227
    validates :license,

228
              presence: true,

229
              inclusion: { in: LICENSES, message: 'must include a valid license' }

230


231
    validates :rank,

232
              presence: true,

233
              inclusion: { in: Msf::RankingName.keys, message: 'must include a valid module ranking' }

234


235
    validates :author,

236
              presence: true

237


238
    validates :name,

239
              presence: true,

240
              format: { with: /\A[^&<>]+\z/, message: 'must not contain the characters &<>' }

241


242
    validates :description,

243
              presence: true

244
  end

245
end

246


247