New upstream version 3.10.2
Sophie Brun
4 years ago
| 151 | 151 | - nix-build '<nixpkgs>' -A gtk3 -o result-gtk |
| 152 | 152 | - tar cf /py3.tar $(nix-store --query --requisites $(readlink result) $(readlink result-vte)) $(readlink result-gtk) |
| 153 | 153 | - mkdir /opt |
| 154 | - nix-env -i findutils postgresql | |
| 154 | - nix-env -i findutils | |
| 155 | 155 | - "nix-shell -p python37Packages.virtualenv --command 'virtualenv /opt/faraday'" |
| 156 | # - cp result /opt/faraday/lib/python3.7/site-packages/nix.pth # This doesn't include dependencies of dependencies | |
| 157 | - 'for dir in $(nix-store -qR result); do if [[ -d "$dir/lib/python3.7/site-packages" ]]; then echo "$dir/lib/python3.7/site-packages" >>recursive.pth; fi; done' | |
| 158 | - mv recursive.pth /opt/faraday/lib/python3.7/site-packages/nix.pth | |
| 156 | 159 | - source /opt/faraday/bin/activate |
| 157 | - "nix-shell -p libxml2 libxslt zlib cairo gobject-introspection glib pkgconfig --run 'SOURCE_DATE_EPOCH=$(date +%s) /opt/faraday/bin/pip install -r requirements.txt'" | |
| 160 | # - "nix-shell -p libxml2 libxslt zlib cairo gobject-introspection glib pkgconfig --run 'SOURCE_DATE_EPOCH=$(date +%s) /opt/faraday/bin/pip install -r requirements.txt'" | |
| 158 | 161 | - python setup.py install |
| 159 | - cp result /opt/faraday/lib/python3.7/site-packages/nix.pth | |
| 162 | - pip install -r requirements.txt # This has to be below setup.py install | |
| 163 | - pip freeze | |
| 160 | 164 | - mv /opt/faraday/bin/faraday-client /opt/faraday/bin/_faraday_client_novte |
| 161 | 165 | - 'nix-shell -p makeWrapper --command "makeWrapper /opt/faraday/bin/_faraday_client_novte /opt/faraday/bin/faraday-client --prefix GI_TYPELIB_PATH : $(find /nix/store -name "girepository-1.0" | tr "\n" ":")"' |
| 162 | 166 | - 'nix-shell -p makeWrapper --command "makeWrapper /opt/faraday/bin/python /opt/faraday/bin/test --prefix GI_TYPELIB_PATH : $(find /nix/store -name "girepository-1.0" | tr "\n" ":")"' |
| 163 | - /opt/faraday/bin/test -c "import gi;gi.require_version('Gtk', '3.0');gi.require_version('Vte', '2.91');from gi.repository import Gio, Gtk, GdkPixbuf, Vte, GLib, GObject, Gdk" # Test if GTK will work | |
| 167 | - nix-collect-garbage && /opt/faraday/bin/test -c "import gi;gi.require_version('Gtk', '3.0');gi.require_version('Vte', '2.91');from gi.repository import Gio, Gtk, GdkPixbuf, Vte, GLib, GObject, Gdk" # Test if GTK will work | |
| 164 | 168 | - tar rvf /py3.tar /opt/faraday |
| 165 | 169 | - mv /py3.tar $CI_PROJECT_DIR |
| 166 | 170 | artifacts: |
| 333 | 337 | tags: |
| 334 | 338 | - macos |
| 335 | 339 | stage: build |
| 340 | allow_failure: true | |
| 336 | 341 | before_script: |
| 337 | 342 | - echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.bash_profile |
| 338 | 343 | - export LDFLAGS="-L/usr/local/opt/openssl/lib" |
| 352 | 357 | - git clone https://github.com/jordansissel/fpm.git |
| 353 | 358 | - cd fpm |
| 354 | 359 | - git checkout d7b466787d17581bc723e474ecf6e18f48226031 |
| 355 | - git apply ../fpm-patchs/fpm.virtualenv.patch | |
| 360 | - git apply ../fpm-patchs/fpm.osx.patch | |
| 356 | 361 | - make gem |
| 357 | 362 | - export GEM_HOME="$HOME/.gem" |
| 358 | 363 | - export GEM_PATH=$HOME/.gem |
| 359 | 364 | - export PATH=$PATH:$HOME/.gem/bin |
| 360 | 365 | - gem install fpm-1.11.0.gem |
| 361 | 366 | - cd ../../ |
| 362 | - sh faraday-linux-installers-builder/build.sh $(eval $IMAGE_TAG) server osxpkg | |
| 367 | - sh faraday-linux-installers-builder/build_osx.sh $(eval $IMAGE_TAG) server osxpkg | |
| 368 | - mv faraday-server_amd64.pkg ../../Faraday-server.pkg | |
| 369 | - sh faraday-linux-installers-builder/build_osx.sh $(eval $IMAGE_TAG) client osxpkg | |
| 370 | - mv faraday-client_amd64.pkg ../../Faraday-client.pkg | |
| 363 | 371 | - mv faraday-server_amd64.pkg ../../Faraday.pkg |
| 364 | 372 | artifacts: |
| 365 | 373 | name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME-binaries" |
| 366 | 374 | paths: |
| 367 | - Faraday.pkg | |
| 375 | - Faraday-server.pkg | |
| 376 | - Faraday-client.pkg | |
| 368 | 377 | expire_in: 1 week |
| 369 | 378 | only: |
| 370 | 379 | variables: |
| 0 | Jan 10th, 2020 |
| 0 | * Fix installation with `pip install --no-binary :all: faradaysec` | |
| 1 | * Force usage of webargs 5 (webargs 6 broke backwards compatibility) | |
| 2 | * Use latest version of faraday-plugins | |
| 3 | * Fix broken "Faraday Plugin" menu entry in the GTK client | |
| 4 | * Extract export csv to reuse for reports |
| 0 | Jan 30th, 2020 |
| 0 | * Fix Cross-Site Request Forgery (CSRF) vulnerability in all JSON API endpoints. | |
| 1 | This was caused because a third-party library doesn't implement proper | |
| 2 | Content-Type header validation. To mitigate the vulnerability, we set the | |
| 3 | session cookie to have the `SameSite: Lax` property. | |
| 4 | * Fix Faraday Server logs were always in debug | |
| 5 | * Add update date column when exporting vulnerabilities to CSV | |
| 6 | * Fix unicode error when exporting vulnerabilities to CSV |
| 7 | 7 | New features in the latest update |
| 8 | 8 | ===================================== |
| 9 | 9 | |
| 10 | ||
| 11 | 3.10.2 [Jan 30th, 2020]: | |
| 12 | --- | |
| 13 | * Fix Cross-Site Request Forgery (CSRF) vulnerability in all JSON API endpoints. | |
| 14 | This was caused because a third-party library doesn't implement proper | |
| 15 | Content-Type header validation. To mitigate the vulnerability, we set the | |
| 16 | session cookie to have the `SameSite: Lax` property. | |
| 17 | * Fix Faraday Server logs were always in debug | |
| 18 | * Add update date column when exporting vulnerabilities to CSV | |
| 19 | * Fix unicode error when exporting vulnerabilities to CSV | |
| 20 | ||
| 21 | 3.10.1 [Jan 10th, 2020]: | |
| 22 | --- | |
| 23 | * Fix installation with `pip install --no-binary :all: faradaysec` | |
| 24 | * Force usage of webargs 5 (webargs 6 broke backwards compatibility) | |
| 25 | * Use latest version of faraday-plugins | |
| 26 | * Fix broken "Faraday Plugin" menu entry in the GTK client | |
| 27 | * Extract export csv to reuse for reports | |
| 10 | 28 | |
| 11 | 29 | 3.10 [Dec 19th, 2019]: |
| 12 | 30 | --- |
| 3 | 3 | include faraday/config/default.xml |
| 4 | 4 | include faraday/server/default.ini |
| 5 | 5 | include requirements.txt |
| 6 | include requirements_dev.txt | |
| 6 | 7 | include requirements_server.txt |
| 7 | 8 | include faraday/client/zsh/faraday.zsh |
| 8 | 9 | include faraday/client/zsh/faraday-terminal.zsh |
| 9 | 10 | include faraday/client/gui/gtk/menubar.xml |
| 10 | 11 | recursive-include faraday/client/data * |
| 11 | include faraday/client/plugins/port_mapper.txt⏎ | |
| 12 | include faraday/client/plugins/port_mapper.txt |
| 7 | 7 | New features in the latest update |
| 8 | 8 | ===================================== |
| 9 | 9 | |
| 10 | ||
| 11 | 3.10.2 [Jan 30th, 2020]: | |
| 12 | --- | |
| 13 | * Fix Cross-Site Request Forgery (CSRF) vulnerability in all JSON API endpoints. | |
| 14 | This was caused because a third-party library doesn't implement proper | |
| 15 | Content-Type header validation. To mitigate the vulnerability, we set the | |
| 16 | session cookie to have the `SameSite: Lax` property. | |
| 17 | * Fix Faraday Server logs were always in debug | |
| 18 | * Add update date column when exporting vulnerabilities to CSV | |
| 19 | * Fix unicode error when exporting vulnerabilities to CSV | |
| 20 | ||
| 21 | 3.10.1 [Jan 10th, 2020]: | |
| 22 | --- | |
| 23 | * Fix installation with `pip install --no-binary :all: faradaysec` | |
| 24 | * Force usage of webargs 5 (webargs 6 broke backwards compatibility) | |
| 25 | * Use latest version of faraday-plugins | |
| 26 | * Fix broken "Faraday Plugin" menu entry in the GTK client | |
| 27 | * Extract export csv to reuse for reports | |
| 10 | 28 | |
| 11 | 29 | 3.10 [Dec 19th, 2019]: |
| 12 | 30 | --- |
| 1 | 1 | |
| 2 | 2 | stdenv.mkDerivation { |
| 3 | 3 | name = "faraday-nix.pth"; |
| 4 | packages = with python37Packages; [virtualenv pip pyopenssl psycopg2 pillow pygobject3 pynacl matplotlib lxml ldap autobahn gssapi setproctitle simplejson pycairo ]; | |
| 4 | packages = with python37Packages; [virtualenv pip pyopenssl psycopg2 pillow pygobject3 pynacl matplotlib numpy lxml ldap autobahn gssapi setproctitle simplejson pycairo cffi cairocffi bcrypt twisted]; | |
| 5 | 5 | builder = ./buildpth.sh; |
| 6 | 6 | } |
| 1 | 1 | # Copyright (C) 2013 Infobyte LLC (http://www.infobytesec.com/) |
| 2 | 2 | # See the file 'doc/LICENSE' for the license information |
| 3 | 3 | |
| 4 | __version__ = '3.10.0' | |
| 4 | __version__ = '3.10.2' | |
| 5 | 5 | __license_version__ = __version__ |
| 977 | 977 | if active_workspace: |
| 978 | 978 | command = fplugin_utils.build_faraday_plugin_command(plugin, active_workspace.getName()) |
| 979 | 979 | fd = terminal.get_pty().get_fd() |
| 980 | os.write(fd, command) | |
| 980 | os.write(fd, command.encode()) | |
| 981 | 981 | |
| 982 | 982 | |
| 983 | 983 | # I'm Py3 |
| 1 | 1 | <faraday> |
| 2 | 2 | |
| 3 | 3 | <appname>Faraday - Penetration Test IDE</appname> |
| 4 | <version>3.10.0</version> | |
| 4 | <version>3.10.2</version> | |
| 5 | 5 | <debug_status>0</debug_status> |
| 6 | 6 | <font>-Misc-Fixed-medium-r-normal-*-12-100-100-100-c-70-iso8859-1</font> |
| 7 | 7 | <home_path></home_path> |
| 45 | 45 | ) |
| 46 | 46 | from faraday.server.utils.database import get_or_create |
| 47 | 47 | from faraday.server.utils.export import export_vulns_to_csv |
| 48 | from faraday.server.utils.py3 import BytesJSONEncoder | |
| 48 | 49 | |
| 49 | 50 | from faraday.server.api.modules.services import ServiceSchema |
| 50 | 51 | from faraday.server.schemas import ( |
| 710 | 711 | normal_vulns_host = normal_vulns.join(Host).join(Hostname).filter(or_(*or_filters)) |
| 711 | 712 | normal_vulns = normal_vulns_host.union(normal_vulns.join(Service).join(Host).join(Hostname).filter(or_(*or_filters))) |
| 712 | 713 | |
| 713 | normal_vulns = self.schema_class_dict['VulnerabilityWeb'](**marshmallow_params).dumps(normal_vulns.all()) | |
| 714 | normal_vulns = self.schema_class_dict['VulnerabilityWeb'](**marshmallow_params).dumps(normal_vulns.all(), | |
| 715 | cls=BytesJSONEncoder) | |
| 714 | 716 | normal_vulns_data = json.loads(normal_vulns.data) |
| 715 | 717 | except Exception as ex: |
| 718 | logger.exception(ex) | |
| 716 | 719 | normal_vulns_data = [] |
| 717 | 720 | try: |
| 718 | 721 | web_vulns = search(db.session, |
| 725 | 728 | or_filters.append(Hostname.name == hostname_filter['val']) |
| 726 | 729 | |
| 727 | 730 | web_vulns = web_vulns.join(Service).join(Host).join(Hostname).filter(or_(*or_filters)) |
| 728 | web_vulns = self.schema_class_dict['VulnerabilityWeb'](**marshmallow_params).dumps(web_vulns.all()) | |
| 731 | web_vulns = self.schema_class_dict['VulnerabilityWeb'](**marshmallow_params).dumps(web_vulns.all(), | |
| 732 | cls=BytesJSONEncoder) | |
| 729 | 733 | web_vulns_data = json.loads(web_vulns.data) |
| 730 | 734 | except Exception as ex: |
| 735 | logger.exception(ex) | |
| 731 | 736 | web_vulns_data = [] |
| 732 | 737 | return normal_vulns_data + web_vulns_data |
| 733 | 738 | |
| 303 | 303 | 'plaintext', # TODO: remove it |
| 304 | 304 | ], |
| 305 | 305 | 'PERMANENT_SESSION_LIFETIME': datetime.timedelta(hours=12), |
| 306 | 'SESSION_COOKIE_NAME': 'faraday_session', | |
| 306 | 'SESSION_COOKIE_NAME': 'faraday_session_2', | |
| 307 | 'SESSION_COOKIE_SAMESITE': 'Lax', | |
| 307 | 308 | }) |
| 308 | 309 | |
| 309 | 310 | store = FilesystemStore(app.config['SESSION_FILE_DIR']) |
| 18 | 18 | "target", "desc", "status", "hostnames", "comments", "owner", "os", "resolution", "easeofresolution", "web_vulnerability", |
| 19 | 19 | "data", "website", "path", "status_code", "request", "method", "params", "pname", "query", |
| 20 | 20 | "policyviolations", "external_id", "impact_confidentiality", "impact_integrity", "impact_availability", |
| 21 | "impact_accountability" | |
| 21 | "impact_accountability", "update_date" | |
| 22 | 22 | ] |
| 23 | 23 | headers += custom_fields_columns |
| 24 | 24 | writer = csv.DictWriter(buffer, fieldnames=headers) |
| 43 | 43 | vuln_dict = {"confirmed": vuln['confirmed'], |
| 44 | 44 | "id": vuln.get('_id', None), |
| 45 | 45 | "date": vuln_date, |
| 46 | "update_date": vuln['metadata']['update_time'], | |
| 46 | 47 | "severity": vuln.get('severity', None), |
| 47 | 48 | "target": vuln.get('target', None), |
| 48 | 49 | "status": vuln.get('status', None), |
| 46 | 46 | file_handler = logging.handlers.RotatingFileHandler( |
| 47 | 47 | LOG_FILE, maxBytes=MAX_LOG_FILE_SIZE, backupCount=MAX_LOG_FILE_BACKUP_COUNT) |
| 48 | 48 | file_handler.setFormatter(formatter) |
| 49 | file_handler.setLevel(logging.DEBUG) | |
| 49 | file_handler.setLevel(faraday.server.config.LOGGING_LEVEL) | |
| 50 | 50 | add_handler(file_handler) |
| 51 | LVL_SETTABLE_HANDLERS.append(file_handler) | |
| 51 | 52 | |
| 52 | 53 | |
| 53 | 54 | def add_handler(handler): |
| 22 | 22 | sqlalchemy_schemadisplay>=1.3 |
| 23 | 23 | tqdm>=4.15.0 |
| 24 | 24 | twisted>=18.9.0 |
| 25 | webargs>=5.1.0 | |
| 25 | webargs>=5.1.0,<6.0.0 | |
| 26 | 26 | marshmallow-sqlalchemy==0.15.0 |
| 27 | 27 | filteralchemy-fork |
| 28 | 28 | filedepot>=0.5.0 |
| 34 | 34 | simplejson>=3.16.0 |
| 35 | 35 | syslog-rfc5424-formatter==1.1.1 |
| 36 | 36 | beautifulsoup4==4.7.1 |
| 37 | Flask-KVSession==0.6.2 | |
| 37 | Flask-KVSession-fork>=0.6.3 | |
| 38 | 38 | simplekv==0.13.0 |
| 39 | 39 | pypcapfile==0.12.0 |
| 40 | 40 | html2text==2019.8.11 |
| 41 | 41 | distro==1.4.0 |
| 42 | faraday-plugins==1.0rc1 | |
| 42 | faraday-plugins>=1.0.1,<2.0.0 | |
| 5 | 5 | |
| 6 | 6 | ''' |
| 7 | 7 | from __future__ import absolute_import |
| 8 | ||
| 9 | import datetime | |
| 8 | 10 | from builtins import str |
| 9 | 11 | |
| 10 | 12 | import json |
| 17 | 19 | |
| 18 | 20 | |
| 19 | 21 | import pytz |
| 22 | from dateutil import parser | |
| 20 | 23 | from depot.manager import DepotManager |
| 21 | 24 | |
| 22 | 25 | from faraday.server.fields import FaradayUploadedFile |
| 1900 | 1903 | "target", "desc", "status", "hostnames", "comments", "owner", "os", "resolution", "easeofresolution", "web_vulnerability", |
| 1901 | 1904 | "data", "website", "path", "status_code", "request", "method", "params", "pname", "query", |
| 1902 | 1905 | "policyviolations", "external_id", "impact_confidentiality", "impact_integrity", "impact_availability", |
| 1903 | "impact_accountability" | |
| 1906 | "impact_accountability", "update_date" | |
| 1904 | 1907 | ] |
| 1905 | 1908 | assert res.status_code == 200 |
| 1906 | 1909 | assert res.data.decode('utf-8').strip('\r\n').split(',') == expected_headers |
| 1949 | 1952 | self._verify_csv(res.data, confirmed=True) |
| 1950 | 1953 | |
| 1951 | 1954 | @pytest.mark.usefixtures('ignore_nplusone') |
| 1955 | def test_export_vulns_check_update_time(self, session, test_client): | |
| 1956 | self.first_object.confirm =True | |
| 1957 | session.add(self.first_object) | |
| 1958 | session.commit() | |
| 1959 | res = test_client.get(self.url() + 'export_csv/') | |
| 1960 | assert res.status_code == 200 | |
| 1961 | csv_data = csv.DictReader(StringIO(res.data.decode('utf-8')), delimiter=',') | |
| 1962 | for index, line in enumerate(csv_data): | |
| 1963 | if self.first_object.id == int(line['id']): | |
| 1964 | create_date = parser.parse(line['date']) | |
| 1965 | update_date = parser.parse(line['update_date']) | |
| 1966 | delta = update_date - create_date | |
| 1967 | assert create_date < update_date | |
| 1968 | ||
| 1969 | ||
| 1970 | @pytest.mark.usefixtures('ignore_nplusone') | |
| 1952 | 1971 | def test_export_vulns_csv_with_custom_fields(self, session, test_client): |
| 1953 | 1972 | |
| 1954 | 1973 | custom_field_schema = CustomFieldsSchemaFactory( |
| 1981 | 2000 | "target", "desc", "status", "hostnames", "comments", "owner", "os", "resolution", "easeofresolution", "web_vulnerability", |
| 1982 | 2001 | "data", "website", "path", "status_code", "request", "method", "params", "pname", "query", |
| 1983 | 2002 | "policyviolations", "external_id", "impact_confidentiality", "impact_integrity", "impact_availability", |
| 1984 | "impact_accountability" | |
| 2003 | "impact_accountability", "update_date" | |
| 1985 | 2004 | ] |
| 1986 | 2005 | final_expected_headers = expected_headers + custom_fields |
| 1987 | 2006 | csv_data = csv.reader(StringIO(raw_csv_data.decode('utf-8')), delimiter=',') |