Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-10 18:50:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix filename expansion in CSV output

Browse Source 
(Backport of 2.9.5 branch)

This commit fixes #1123 where a security header containing an asterix lead
to a local filename expansion which was included in the CSV file output.
A new function fileout_csv_finding() addresses this.

Also if "$GIVE_HINTS" isn't true the headline and each line in the CSV file doesn't include
anymore the word hint -- which is more consistent with the JSON output.
This commit is contained in:
Dirk 2018-09-19 11:57:42 +02:00
parent 1b06d6e61a
commit 3c80c06554
1 changed files with 25 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
testssl.sh
View File

@ -701,7 +701,7 @@ fileout_json_finding() {
echo -e "\n }" >> "$JSONFILE"
fi
if "$do_pretty_json"; then
if [[ "$1" == "service" ]]; then
if [[ "$1" == service ]]; then
if [[ $SERVER_COUNTER -gt 1 ]]; then
echo " ," >> "$JSONFILE"
fi
@ -804,6 +804,21 @@ fileout_insert_warning() {
fi
}
fileout_csv_finding() {
tm_out "\"$1\"," >> "$CSVFILE"
tm_out "\"$2\"," >> "$CSVFILE"
tm_out "\"$3\"," >> "$CSVFILE"
tm_out "\"$4\"," >> "$CSVFILE"
tm_out "\"$5\"," >> "$CSVFILE"
tm_out "\"$6\"," >> "$CSVFILE"
if "$GIVE_HINTS"; then
tm_out "\"$7\"," >> "$CSVFILE"
tm_out "\"$8\"\n" >> "$CSVFILE"
else
tm_out "\"$7\"\n" >> "$CSVFILE"
fi
}
# ID, SEVERITY, FINDING, CVE, CWE, HINT
fileout() {
@ -812,11 +827,11 @@ fileout() {
local cwe="$5"
local hint="$6"
if ( "$do_pretty_json" && [[ "$1" == "service" ]] ) || show_finding "$severity"; then
local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")")
[[ -e "$JSONFILE" ]] && [[ ! -d "$JSONFILE" ]] && (fileout_json_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint")
if ( "$do_pretty_json" && [[ "$1" == service ]] ) || show_finding "$severity"; then
local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")") # additional quotes will mess up screen output
[[ -e "$JSONFILE" ]] && [[ ! -d "$JSONFILE" ]] && fileout_json_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint"
"$do_csv" && [[ -n "$CSVFILE" ]] && [[ ! -d "$CSVFILE" ]] && \
echo -e \""$1\"",\"$NODE/$NODEIP\",\"$PORT"\",\""$severity"\",\""$finding"\",\""$cve"\",\""$cwe"\",\""$hint"\"" >> "$CSVFILE"
fileout_csv_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint"
"$FIRST_FINDING" && FIRST_FINDING=false
fi
}
@ -896,7 +911,11 @@ csv_header() {
CSVHEADER=false
else
[[ -e "$CSVFILE" ]] && fatal "\"$CSVFILE\" exists. Either use \"--append\" or (re)move it" 1
echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\",\"cve\",\"cwe\",\"hint\"" > "$CSVFILE"
if "$GIVE_HINTS"; then
fileout_csv_finding "id" "fqdn/ip" "port" "severity" "finding" "cve" "cwe" "hint" > "$CSVFILE"
else
fileout_csv_finding "id" "fqdn/ip" "port" "severity" "finding" "cve" "cwe" > "$CSVFILE"
fi
fi
return 0
}