Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add detection of CVE-2019-11043 #288

Merged
merged 40 commits into from Dec 1, 2019
Merged

Add detection of CVE-2019-11043 #288

merged 40 commits into from Dec 1, 2019

Conversation

@brandonlw
Copy link
Contributor

brandonlw commented Nov 3, 2019

No description provided.

adamcaudill and others added 16 commits Aug 25, 2019
develop -> master
develop -> master
develop -> master
Update pythonpackage.yml
Update changelog
develop -> master
develop -> master
Split on first occurrence
Create 2019-09-04-yawast-0-9-released.md
develop -> master
Use pipx to install
develop -> master
Check for .DS_Store Files
This requires the path of a PHP script (no redirects), specified via --php_page.
Tested to work against vulnerable Docker image.
Restyled.io
@codecov

This comment has been minimized.

Copy link

codecov bot commented Nov 3, 2019

Codecov Report

Merging #288 into develop will increase coverage by 0.15%.
The diff coverage is 78.57%.

Impacted file tree graph

@@             Coverage Diff             @@
##           develop     #288      +/-   ##
===========================================
+ Coverage    63.66%   63.82%   +0.15%     
===========================================
  Files           86       86              
  Lines         5805     5871      +66     
===========================================
+ Hits          3696     3747      +51     
- Misses        2109     2124      +15
Impacted Files Coverage Δ
yawast/scanner/cli/http.py 10.9% <0%> (-0.27%) ⬇️
yawast/reporting/enums.py 100% <100%> (ø) ⬆️
yawast/command_line.py 81.39% <100%> (+0.21%) ⬆️
yawast/shared/utils.py 78.09% <100%> (ø) ⬆️
yawast/scanner/plugins/http/servers/php.py 89.87% <78.94%> (-10.13%) ⬇️
tests/test_http.py 92.48% <90.9%> (-0.07%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 767a78e...3ea6bf4. Read the comment docs.

@adamcaudill adamcaudill added this to the v0.10 milestone Nov 7, 2019
adamcaudill added 11 commits Nov 7, 2019
adamcaudill added 3 commits Nov 7, 2019
yawast/scanner/plugins/http/servers/php.py Outdated Show resolved Hide resolved

for qsl in range(MIN_QSL + QSL_STEP, MAX_QSL, QSL_STEP):
res = _get_resp(base_url, qsl)
if res.status_code != base_status_code:

This comment has been minimized.

Copy link
@adamcaudill

adamcaudill Nov 10, 2019

Owner

Could we trigger a false positive if we get an error due to the path length? Some servers will respond with an error if the path is too long - if the first request doesn't that limit, but a later request with a higher QSL does, it seems that it could trigger this check, and report this, even though it's not vulnerable.

yawast/scanner/plugins/http/servers/php.py Outdated Show resolved Hide resolved
yawast/scanner/cli/http.py Show resolved Hide resolved
@adamcaudill

This comment has been minimized.

Copy link
Owner

adamcaudill commented Nov 10, 2019

@brandonlw Can you see if you can add some type unit tests for this? It doesn't have to be perfect, but hopefully enough to see if we break it in future updates.

adamcaudill added 10 commits Nov 10, 2019
@adamcaudill adamcaudill merged commit c63e1b7 into develop Dec 1, 2019
9 of 10 checks passed
9 of 10 checks passed
build (ubuntu-latest)
Details
build (windows-latest)
Details
build (macOS-latest)
Details
build-docker
Details
CodeFactor 2 issues fixed. 3 issues found.
Details
LGTM analysis: Python No new or fixed alerts
Details
WIP Ready for review
Details
codecov/patch 78.57% of diff hit (target 63.66%)
Details
codecov/project 63.82% (+0.15%) compared to 767a78e
Details
restyled No differences
Details
@adamcaudill adamcaudill deleted the cve-2019-11043 branch Dec 1, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants
You can’t perform that action at this time.