Merge pull request #879 from jjnicola/fix-loadup-mw

[middleware] Fix loadup. Backpor #878

CHANGELOG.md

@@ -30,6 +30,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Fixed
 - Use fchmod to change file permission instead of on open to prevent race conditions [860](https://github.com/greenbone/openvas-scanner/pull/860)
+- Fix plugins upload. Backport #878. [#879](https://github.com/greenbone/openvas/pull/879)
 
 ## [21.10] (unreleased)
 

nasl/exec.c

@@ -1657,6 +1657,8 @@ exec_nasl_script (struct script_infos *script_infos, int mode)
   bzero (&ctx, sizeof (ctx));
   if (mode & NASL_ALWAYS_SIGNED)
     ctx.always_signed = 1;
+  if ((mode & NASL_EXEC_DESCR) != 0)
+    ctx.exec_descr = 1;
   if (nvticache_initialized ())
     ctx.kb = nvticache_get_kb ();
   else

nasl/nasl_global_ctxt.h

@@ -26,7 +26,10 @@
 typedef struct
 {
   int line_nb;
-  int always_signed;
+  int always_signed; /**< If set disable signature check during scans and feed
+                        upload. */
+  int exec_descr; /**< Tell grammar that is a feed upload process or a running a
+                     scan process. */
   int index;
   tree_cell *tree;
   char *buffer;

nasl/nasl_grammar.y

@@ -316,6 +316,7 @@ inc: INCLUDE '(' string ')'
 
           bzero (&subctx, sizeof (subctx));
           subctx.always_signed = ((naslctxt*)parm)->always_signed;
+          subctx.exec_descr = ((naslctxt*)parm)->exec_descr;
           subctx.kb = ((naslctxt *) parm)->kb;
           subctx.tree = ((naslctxt*) parm)->tree;
           $$ = NULL;
@@ -763,7 +764,12 @@ init_nasl_ctx(naslctxt* pc, const char* name)
     filename = full_name;
   snprintf (key_path, sizeof (key_path), "signaturecheck:%s", filename);
   timestamp = kb_item_get_int (pc->kb, key_path);
-  if (timestamp > 0)
+
+  /* We never use the mtime of a .nasl/.inc file as integrity check during
+   * the script load up. A complete verification is done in this case.
+   * Once it has been uploaded in the nvticache it is enough to just check
+   * the mtime. */
+  if (timestamp > 0 && pc->exec_descr == 0)
     {
       struct stat file_stat;
 
@@ -796,14 +802,19 @@ init_nasl_ctx(naslctxt* pc, const char* name)
       int ret;
       char *check = file_checksum (full_name, checksum_algorithm);
 
+      snprintf (key_path, sizeof (key_path), "signaturecheck:%s", filename);
       ret = strcmp (check, checksum);
       if (ret)
-        g_warning ("checksum for %s not matching", full_name);
+        {
+          kb_del_items (pc->kb, key_path);
+          g_warning ("checksum for %s not matching", full_name);
+        }
       else
         {
-          snprintf (key_path, sizeof (key_path), "signaturecheck:%s", filename);
+          kb_del_items (pc->kb, key_path);
           kb_item_add_int (pc->kb, key_path, time (NULL));
         }
+
       g_free (full_name);
       g_free (checksum);
       g_free (check);

src/nasl_plugins.c

@@ -83,12 +83,45 @@ check_nvti (const char *filename, nvti_t *nvt)
   return 0;
 }
 
+/**
+ * @brief Check a single .nasl/.inc file.
+ *
+ * @param folder  Path to the plugin folder.
+ * @param filename    File-name of the plugin
+ *
+ * @return 0 on success, -1 on error.
+ */
+int
+nasl_file_check (const char *folder, const char *filename)
+{
+  char fullname[PATH_MAX + 1];
+  int nasl_mode;
+  struct script_infos *args;
+
+  snprintf (fullname, sizeof (fullname), "%s/%s", folder, filename);
+  nasl_mode = NASL_EXEC_DESCR;
+  if (prefs_get_bool ("nasl_no_signature_check"))
+    nasl_mode |= NASL_ALWAYS_SIGNED;
+
+  args = g_malloc0 (sizeof (struct script_infos));
+  args->key = nvticache_get_kb ();
+  args->nvti = NULL;
+  args->name = fullname;
+  if (exec_nasl_script (args, nasl_mode) < 0)
+    {
+      g_debug ("%s: Checksum check failed", fullname);
+      g_free (args);
+      return -1;
+    }
+  g_free (args);
+
+  return 0;
+}
+
 /**
  * @brief Add *one* .nasl plugin to the plugin list.
  *
- * The plugin is first attempted to be loaded from the cache.
- * If that fails, it is parsed (via exec_nasl_script) and
- * added to the cache.
+ * It is parsed (via exec_nasl_script) and added to the cache
  *
  * @param folder  Path to the plugin folder.
  * @param filename    File-name of the plugin
@@ -100,44 +133,38 @@ nasl_plugin_add (char *folder, char *filename)
 {
   char fullname[PATH_MAX + 1];
   int nasl_mode;
-  nasl_mode = NASL_EXEC_DESCR;
+  nvti_t *new_nvti;
+  struct script_infos *args;
+  time_t now;
+  struct utimbuf updated_timestamp;
 
   snprintf (fullname, sizeof (fullname), "%s/%s", folder, filename);
-
+  nasl_mode = NASL_EXEC_DESCR;
   if (prefs_get_bool ("nasl_no_signature_check"))
-    {
-      nasl_mode |= NASL_ALWAYS_SIGNED;
-    }
+    nasl_mode |= NASL_ALWAYS_SIGNED;
 
-  if (!nvticache_check (filename))
+  args = g_malloc0 (sizeof (struct script_infos));
+  args->key = nvticache_get_kb ();
+  new_nvti = nvti_new ();
+  args->nvti = new_nvti;
+  args->name = fullname;
+  if (exec_nasl_script (args, nasl_mode) < 0)
     {
-      nvti_t *new_nvti;
-      struct script_infos *args;
-      time_t now;
-      struct utimbuf updated_timestamp;
-
-      args = g_malloc0 (sizeof (struct script_infos));
-      args->key = nvticache_get_kb ();
-      new_nvti = nvti_new ();
-      args->nvti = new_nvti;
-      args->name = fullname;
-      if (exec_nasl_script (args, nasl_mode) < 0)
-        {
-          g_debug ("%s: Could not be loaded", fullname);
-          g_free (args);
-          return -1;
-        }
+      g_debug ("%s: Could not be loaded", fullname);
       g_free (args);
+      return -1;
+    }
+  g_free (args);
 
-      now = time (NULL) - 1;
-      updated_timestamp.actime = now;
-      updated_timestamp.modtime = now;
-      utime (fullname, &updated_timestamp);
+  now = time (NULL) - 1;
+  updated_timestamp.actime = now;
+  updated_timestamp.modtime = now;
+  utime (fullname, &updated_timestamp);
+
+  if (!check_nvti (filename, new_nvti))
+    nvticache_add (new_nvti, filename);
+  nvti_free (new_nvti);
 
-      if (!check_nvti (filename, new_nvti))
-        nvticache_add (new_nvti, filename);
-      nvti_free (new_nvti);
-    }
   return 0;
 }
 

src/openvas.c

@@ -34,6 +34,7 @@
  */
 
 #include "../misc/plugutils.h"     /* nvticache_free */
+#include "../misc/reporting.h"     /* for send_failure */
 #include "../misc/vendorversion.h" /* for vendor_version_set */
 #include "attack.h"                /* for attack_network */
 #include "debug_utils.h"           /* for init_sentry */
@@ -850,6 +851,7 @@ attack_network_init (struct scan_globals *globals, const gchar *config_file)
   if (plugins_cache_init ())
     {
       g_message ("Failed to initialize nvti cache.");
+      send_failure (globals->scan_id, "Failed to initialize nvti cache.");
       nvticache_reset ();
       exit (1);
     }

src/pluginload.c

@@ -360,6 +360,7 @@ include_dirs (void)
 int
 plugins_cache_init (void)
 {
+  int ret;
   const char *plugins_folder = prefs_get ("plugins_folder");
 
   if (nvticache_init (plugins_folder, prefs_get ("db_address")))
@@ -368,6 +369,10 @@ plugins_cache_init (void)
       return -1;
     }
   include_dirs ();
+  ret = nasl_file_check (plugins_folder, "plugin_feed_info.inc");
+  if (ret)
+    return -1;
+
   return 0;
 }
 

src/pluginload.h

@@ -52,6 +52,8 @@ total_loading_plugins (void);
 /* From nasl_plugins.c */
 int
 nasl_plugin_add (char *, char *);
+int
+nasl_file_check (const char *, const char *);
 
 int
 nasl_plugin_launch (struct scan_globals *, struct in6_addr *, GSList *, kb_t,