Hello community, here is the log from the commit of package snallygaster for openSUSE:Factory checked in at 2020-10-15 13:51:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/snallygaster (Old) and /work/SRC/openSUSE:Factory/.snallygaster.new.3486 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "snallygaster" Thu Oct 15 13:51:07 2020 rev:2 rq:841819 version:0.0.9 Changes: -------- --- /work/SRC/openSUSE:Factory/snallygaster/snallygaster.changes 2020-10-07 14:18:41.833495743 +0200 +++ /work/SRC/openSUSE:Factory/.snallygaster.new.3486/snallygaster.changes 2020-10-15 13:51:18.577322188 +0200 @@ -1,0 +2,23 @@ +Wed Oct 7 19:38:08 UTC 2020 - Sebastian Wagner <[email protected]> + +- update to version 0.0.9: + - Fix composer false positive + - disable broken python nightly, enable 3.9-dev + - add http header injection test + - doc for headerinject + - check if we document all the tests in TESTS.md + - fix pyflakes and pyupgrade warnings + - add wordpress debug.log test + - document wpdebug + - add .orig to backupfiles test, created by patch tool + - dnspython 2.x support, this requires using dns.resolver.resolve if av… + - codingstyle for backupfiles +- update to version 0.0.8: + - Test: phpinfo + - code styling + - add vb_test.php check + - fix whitespace error from merge + - document phpinfo + - use annotated tags for changelog + +------------------------------------------------------------------- Old: ---- snallygaster-0.0.7.tar.gz New: ---- snallygaster-0.0.9.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ snallygaster.spec ++++++ --- /var/tmp/diff_new_pack.dbQSsT/_old 2020-10-15 13:51:21.901323579 +0200 +++ /var/tmp/diff_new_pack.dbQSsT/_new 2020-10-15 13:51:21.905323581 +0200 @@ -1,7 +1,7 @@ # -# spec file for package python-snallygaster +# spec file for package snallygaster # -# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,28 +12,29 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Name: snallygaster -Version: 0.0.7 +Version: 0.0.9 Release: 0 -License: CC0-1.0 Summary: Tool to scan for hidden files on HTTP servers -Url: https://github.com/hannob/snallygaster +License: CC0-1.0 Group: Development/Languages/Python +URL: https://github.com/hannob/snallygaster Source: https://files.pythonhosted.org/packages/source/s/snallygaster/snallygaster-%{version}.tar.gz BuildRequires: python-rpm-macros BuildRequires: python3-setuptools # SECTION test requirements BuildRequires: python3-beautifulsoup4 BuildRequires: python3-dnspython -BuildRequires: python3-urllib3 +BuildRequires: python3-flake8 BuildRequires: python3-pycodestyle BuildRequires: python3-pyflakes BuildRequires: python3-pylint -BuildRequires: python3-flake8 BuildRequires: python3-pyupgrade +BuildRequires: python3-urllib3 # /SECTION BuildRequires: fdupes Requires: python3-beautifulsoup4 ++++++ snallygaster-0.0.7.tar.gz -> snallygaster-0.0.9.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.7/.travis.yml new/snallygaster-0.0.9/.travis.yml --- old/snallygaster-0.0.7/.travis.yml 2020-06-10 20:10:40.000000000 +0200 +++ new/snallygaster-0.0.9/.travis.yml 2020-09-11 20:43:00.000000000 +0200 @@ -2,7 +2,9 @@ python: - "3.7" - "3.8" - - "nightly" + - "3.9-dev" +# Fails due to https://github.com/pypa/wheel/issues/354 +# - "nightly" env: global: - RUN_ONLINETESTS=1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.7/DEVELOPMENT.md new/snallygaster-0.0.9/DEVELOPMENT.md --- old/snallygaster-0.0.7/DEVELOPMENT.md 2020-05-04 18:43:17.000000000 +0200 +++ new/snallygaster-0.0.9/DEVELOPMENT.md 2020-09-11 20:42:56.000000000 +0200 @@ -6,7 +6,8 @@ * raise version number in *setup.py*. * Tag it: ``` - git tag v0.0.x + git tag -a v0.0.x + [add changelog message] git push origin v0.0.x ``` * Build the wheel and source distribution: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.7/PKG-INFO new/snallygaster-0.0.9/PKG-INFO --- old/snallygaster-0.0.7/PKG-INFO 2020-06-23 13:29:29.788378500 +0200 +++ new/snallygaster-0.0.9/PKG-INFO 2020-10-01 14:03:36.346673300 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: snallygaster -Version: 0.0.7 +Version: 0.0.9 Summary: Tool to scan for secret files on HTTP servers Home-page: https://github.com/hannob/snallygaster Author: Hanno Böck diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.7/TESTS.md new/snallygaster-0.0.9/TESTS.md --- old/snallygaster-0.0.7/TESTS.md 2020-06-23 12:44:59.000000000 +0200 +++ new/snallygaster-0.0.9/TESTS.md 2020-09-17 22:00:51.000000000 +0200 @@ -324,6 +324,27 @@ detailled HTTP requests including Cookies and thus should never be accessible in production. +vb_test +------- + +vb_test.php is a script provided by the proprietary Vbulletin software that allows webmasters +to check server requirements. It should not be left on live hosts. + + +headerinject +------------ + +This tries to inject an url-encoded newline and HTTP header into the URL. This often works on +redirections if the host decodes the path and passes it to the location header. + + +wpdebug +------- + +Publicly accessible debug.log file from Wordpress, contains usually PHP error messages, sometimes +with sensitive data like passwords in stack traces. + + axfr ---- @@ -381,3 +402,9 @@ Check for composer.json/composer.lock files. Can be checked with the [Symfony security check](https://symfony.com/doc/current/setup.html#security-checker) afterwards. + + +phpinfo +------- + +Check for the presence of a phpinfo() script. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.7/setup.py new/snallygaster-0.0.9/setup.py --- old/snallygaster-0.0.7/setup.py 2020-06-23 13:28:58.000000000 +0200 +++ new/snallygaster-0.0.9/setup.py 2020-10-01 14:03:18.000000000 +0200 @@ -11,7 +11,7 @@ setuptools.setup( name=package_name, - version="0.0.7", + version="0.0.9", description="Tool to scan for secret files on HTTP servers", long_description=readme, long_description_content_type='text/markdown', diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.7/snallygaster new/snallygaster-0.0.9/snallygaster --- old/snallygaster-0.0.7/snallygaster 2020-06-23 12:45:19.000000000 +0200 +++ new/snallygaster-0.0.9/snallygaster 2020-09-27 15:18:49.000000000 +0200 @@ -215,7 +215,10 @@ except OSError: pass try: - dnsanswer = dns.resolver.query(qhost, 'A') + if 'resolve' in dir(dns.resolver): + dnsanswer = dns.resolver.resolve(qhost, 'A') + else: # dnspython before 2.0 + dnsanswer = dns.resolver.query(qhost, 'A') except (dns.exception.DNSException, ConnectionResetError): dns_cache[qhost] = None return None @@ -337,7 +340,8 @@ # code, check doesn't make sense. return for f in STANDARD_PHP_FILES: - for ps in ['_FILE_.bak', '_FILE_~', '._FILE_.swp', '%23_FILE_%23', '_FILE_.save']: + for ps in ['_FILE_.bak', '_FILE_~', '._FILE_.swp', '%23_FILE_%23', '_FILE_.save', + '_FILE_.orig']: furl = url + "/" + ps.replace('_FILE_', f) r = fetcher(furl) if any(m in r for m in ['<?php', '<?=']): @@ -709,22 +713,68 @@ @DEFAULT +def test_vb_test(url): + r = fetcher(url + "/vb_test.php") + if '<title>vBulletin Test Script' in r: + pout("vb_test", url + "/vb_test.php") + + +@DEFAULT +def test_headerinject(url): + rnd = randstring() + try: + r = pool.request('GET', url + '/%%0D%%0A%s:1' % rnd, retries=False, redirect=False) + if rnd in r.headers: + pout("headerinject", url + '/%%0D%%0A%s:1' % rnd) + except (urllib3.exceptions.HTTPError, UnicodeError, + ConnectionRefusedError): + pass + + +@DEFAULT +def test_wpdebug(url): + r = fetcher(url + "/wp-content/debug.log") + if re.match(r'^\[\d\d-\w\w\w-\d\d\d\d ', r): + pout("wpdebug", url + "/wp-content/debug.log") + + +@DEFAULT @HOSTNAME def test_axfr(qhost): try: - ns = dns.resolver.query(qhost, 'NS') + if 'resolve' in dir(dns.resolver): + ns = dns.resolver.resolve(qhost, 'NS') + else: # dnspython before 2.0 + ns = dns.resolver.query(qhost, 'NS') except (dns.exception.DNSException, ConnectionResetError): return for r in ns.rrset: r = str(r) + ipv4 = [] + ipv6 = [] try: - axfr = dns.zone.from_xfr(dns.query.xfr(r, qhost)) - if axfr: - pout("axfr", qhost, r) - except (dns.exception.DNSException, ConnectionResetError, - EOFError, socket.gaierror, ConnectionRefusedError, - TimeoutError, OSError): + if 'resolve' in dir(dns.resolver): + ipv4 = dns.resolver.resolve(r, 'a').rrset + ipv6 = dns.resolver.resolve(r, 'aaaa').rrset + else: # dnspython before 2.0 + ipv4 = dns.resolver.query(r, 'a').rrset + ipv6 = dns.resolver.query(r, 'aaaa').rrset + except dns.resolver.NoAnswer: pass + ips = [] + for ip in ipv4: + ips.append(str(ip)) + for ip in ipv6: + ips.append(str(ip)) + for ip in ips: + try: + axfr = dns.zone.from_xfr(dns.query.xfr(ip, qhost)) + if axfr: + pout("axfr", qhost, r) + except (dns.exception.DNSException, ConnectionResetError, + EOFError, socket.gaierror, ConnectionRefusedError, + TimeoutError, OSError): + pass @DEFAULT @@ -818,10 +868,17 @@ for c in ['composer.json', 'composer.lock']: furl = url + '/' + c r = fetcher(furl) - if '"require":' or '"packages":' in r: + if '"require":' in r or '"packages":' in r: pout("composer", furl) +def test_phpinfo(url): + for fn in ["phpinfo.php", "info.php", "i.php", "test.php"]: + r = fetcher(url + "/" + fn) + if 'phpinfo()' in r: + pout("phpinfo", url + "/" + fn) + + def new_excepthook(etype, value, traceback): if etype == KeyboardInterrupt: pdebug("Interrupted by user...") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.7/snallygaster.egg-info/PKG-INFO new/snallygaster-0.0.9/snallygaster.egg-info/PKG-INFO --- old/snallygaster-0.0.7/snallygaster.egg-info/PKG-INFO 2020-06-23 13:29:29.000000000 +0200 +++ new/snallygaster-0.0.9/snallygaster.egg-info/PKG-INFO 2020-10-01 14:03:36.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: snallygaster -Version: 0.0.7 +Version: 0.0.9 Summary: Tool to scan for secret files on HTTP servers Home-page: https://github.com/hannob/snallygaster Author: Hanno Böck diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.7/snallygaster.egg-info/SOURCES.txt new/snallygaster-0.0.9/snallygaster.egg-info/SOURCES.txt --- old/snallygaster-0.0.7/snallygaster.egg-info/SOURCES.txt 2020-06-23 13:29:29.000000000 +0200 +++ new/snallygaster-0.0.9/snallygaster.egg-info/SOURCES.txt 2020-10-01 14:03:36.000000000 +0200 @@ -18,4 +18,5 @@ snallygaster.egg-info/zip-safe tests/__init__.py tests/test_codingstyle.py +tests/test_docs.py tests/test_scan_testdata.py \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snallygaster-0.0.7/tests/test_docs.py new/snallygaster-0.0.9/tests/test_docs.py --- old/snallygaster-0.0.7/tests/test_docs.py 1970-01-01 01:00:00.000000000 +0100 +++ new/snallygaster-0.0.9/tests/test_docs.py 2020-09-17 15:01:18.000000000 +0200 @@ -0,0 +1,24 @@ +import unittest +import re + + +class TestCodingstyle(unittest.TestCase): + # checking if there is documentation for all snallygaster tests + # in the TEST.md documentation + def test_docs(self): + f = open("snallygaster") + funcs = re.findall("def test_([a-z_]*)", f.read()) + f.close() + fd = open("TESTS.md") + docs = [] + ol = "" + for line in fd.readlines(): + if line.startswith("---"): + docs.append(ol.rstrip()) + ol = line + fd.close() + self.assertEqual(funcs, docs) + + +if __name__ == '__main__': + unittest.main()
