Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Parse code tags as inline code #55

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
v4.12.0 (XXXX 2024)
- Parse code tags as inline code
- Update Dradis links in README

v4.11.0 (January 2024)
Expand Down
34 changes: 16 additions & 18 deletions lib/nexpose/vulnerability.rb
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ def initialize(xml_node)
def supported_tags
[
# attributes
:added, :cvss_score, :cvss_vector, :modified, :nexpose_id, :pci_severity,
:added, :cvss_score, :cvss_vector, :modified, :nexpose_id, :pci_severity,
:published, :risk_score, :severity, :title,

# simple tags
Expand All @@ -34,10 +34,9 @@ def supported_tags
]
end


# This allows external callers (and specs) to check for implemented
# properties
def respond_to?(method, include_private=false)
def respond_to?(method, include_private = false)
return true if supported_tags.include?(method.to_sym)
super
end
Expand All @@ -49,7 +48,6 @@ def respond_to?(method, include_private=false)
# attribute, simple descendent or collection that it maps to in the XML
# tree.
def method_missing(method, *args)

# We could remove this check and return nil for any non-recognized tag.
# The problem would be that it would make tricky to debug problems with
# typos. For instance: <>.potr would return nil instead of raising an
Expand All @@ -62,11 +60,11 @@ def method_missing(method, *args)
# First we try the attributes. In Ruby we use snake_case, but in XML
# CamelCase is used for some attributes
translations_table = {
:nexpose_id => 'id',
:pci_severity => 'pciSeverity',
:risk_score => 'riskScore',
:cvss_score => 'cvssScore',
:cvss_vector =>'cvssVector'
nexpose_id: 'id',
pci_severity: 'pciSeverity',
risk_score: 'riskScore',
cvss_score: 'cvssScore',
cvss_vector: 'cvssVector'
}

method_name = translations_table.fetch(method, method.to_s)
Expand Down Expand Up @@ -96,7 +94,7 @@ def method_missing(method, *args)
return @xml.xpath("//test[@id='#{vuln_id}']/Paragraph").
text.split("\n").
collect(&:strip).
reject{|line| line.empty?}.join("\n")
reject { |line| line.empty? }.join("\n")
end

nil
Expand All @@ -106,13 +104,13 @@ def method_missing(method, *args)

def add_bc_to_ssl_cipher_list(source)
result = source.to_s
result.gsub!(/\n(.*?)!(.*?)/){"\nbc. #{ $1 }!#{ $2 }\n"}
result.gsub!(/\n(.*?)!(.*?)/) { "\nbc. #{ $1 }!#{ $2 }\n" }
result
end

def cleanup_html(source)
result = source.to_s
result.gsub!(/<ContainerBlockElement>(.*?)<\/ContainerBlockElement>/m){|m| "#{ $1 }"}
result.gsub!(/<ContainerBlockElement>(.*?)<\/ContainerBlockElement>/m) { |m| "#{ $1 }" }
result.gsub!(/<Paragraph preformat=\"true\">(\s*)<Paragraph preformat=\"true\">(.*?)<\/Paragraph>(\s*)<\/Paragraph>/mi) do
text = $2
text[/\n/] ? "\nbc.. #{ text }\n\np. " : "@#{text}@"
Expand All @@ -121,10 +119,11 @@ def cleanup_html(source)
text = $1
text[/\n/] ? "\nbc.. #{ text }\n\np. " : "@#{text}@"
end
result.gsub!(/<Paragraph>(.*?)<\/Paragraph>/m){|m| "#{ $1 }\n"}
result.gsub!(/<code>(.*?)<\/code>/) { "@#{ $1 }@" }
result.gsub!(/<Paragraph>(.*?)<\/Paragraph>/m) { |m| "#{ $1 }\n" }
result.gsub!(/<Paragraph>|<\/Paragraph>/, '')
result.gsub!(/<UnorderedList(.*?)>(.*?)<\/UnorderedList>/m){|m| "#{ $2 }"}
result.gsub!(/<OrderedList(.*?)>(.*?)<\/OrderedList>/m){|m| "#{ $2 }"}
result.gsub!(/<UnorderedList(.*?)>(.*?)<\/UnorderedList>/m) { |m| "#{ $2 }" }
result.gsub!(/<OrderedList(.*?)>(.*?)<\/OrderedList>/m) { |m| "#{ $2 }" }
result.gsub!(/<ListItem>|<\/ListItem>/, '')
result.gsub!(/ /, '')
result.gsub!(/ /, '')
Expand All @@ -141,10 +140,10 @@ def cleanup_nested(source)
result = source.to_s
result.gsub!(/<references>/, '')
result.gsub!(/<\/references>/, '')
result.gsub!(/<reference source=\"(.*?)\">(.*?)<\/reference>/i) {"#{$1.strip}: #{$2.strip}\n"}
result.gsub!(/<reference source=\"(.*?)\">(.*?)<\/reference>/i) { "#{$1.strip}: #{$2.strip}\n" }
result.gsub!(/<tags>/, '')
result.gsub!(/<\/tags>/, '')
result.gsub!(/<tag>(.*?)<\/tag>/) {"#{$1}\n"}
result.gsub!(/<tag>(.*?)<\/tag>/) { "#{$1}\n" }
result.gsub!(/ /, '')
result
end
Expand All @@ -156,6 +155,5 @@ def tags_with_html_content
def tags_with_nested_content
[:references, :tags]
end

end
end
2 changes: 1 addition & 1 deletion spec/fixtures/files/full.xml
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@
</exploits>
<description>
<ContainerBlockElement>
<Paragraph>A flaw was found in the default error response for status code 400. This flaw could be used by an attacker to expose &quot;httpOnly&quot; cookies when no custom ErrorDocument is specified.</Paragraph>
<Paragraph>A flaw was found in the default error response for status code 400. This flaw could be used by an attacker to expose <code>httpOnly</code> cookies when no custom ErrorDocument is specified.</Paragraph>
</ContainerBlockElement>
</description>
<references>
Expand Down
11 changes: 10 additions & 1 deletion spec/nexpose_upload_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -170,7 +170,7 @@
expect(args[:content]).to include("#[Content]#\nThe following NTP variables")
OpenStruct.new(args)
end.once

expect(@content_service).to receive(:create_evidence) do |args|
expect(args[:content]).to include("#[Content]#\nVulnerable URL:")
OpenStruct.new(args)
Expand All @@ -187,6 +187,15 @@

@importer.import(file: @fixtures_dir + '/full.xml')
end

it 'transforms the <code> markup' do
expect(@content_service).to receive(:create_issue) do |args|
expect(args[:text]).to include('@httpOnly@')
OpenStruct.new(args)
end

@importer.import(file: @fixtures_dir + '/full.xml')
end
end

describe 'Importer: Full with duplicate nodes' do
Expand Down