Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-31 22:05:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2386 from drwetter/strict_parsing_HSTS

Browse Source 
Strict parser for HSTS
This commit is contained in:
Dirk Wetter
2023-08-28 19:55:57 +02:00
committed by GitHub
parent c55207d45c 01ab3acde5
commit 765b5855cc
1 changed files with 32 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
testssl.sh
View File

@@ -2716,28 +2716,40 @@ run_hsts() {
match_httpheader_key "Strict-Transport-Security" "HSTS" "$spaces" "true" match_httpheader_key "Strict-Transport-Security" "HSTS" "$spaces" "true"
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo "$HEADERVALUE" >$TMPFILE echo "$HEADERVALUE" >$TMPFILE
hsts_age_sec="${HEADERVALUE//[^0-9]/}" # strict parsing now as suggested in #2381
debugme echo "hsts_age_sec: $hsts_age_sec" hsts_age_sec="${HEADERVALUE#*=}"
if [[ -n $hsts_age_sec ]]; then hsts_age_sec=${hsts_age_sec%%;*}
hsts_age_days=$(( hsts_age_sec / 86400)) if [[ $hsts_age_sec =~ \" ]]; then
else # remove first an last " in $hsts_age_sec (borrowed from strip_trailing_space/strip_leading_space):
hsts_age_days=-1 hsts_age_sec=$(printf "%s" "${hsts_age_sec#"${hsts_age_sec%%[!\"]*}"}")
hsts_age_sec=$(printf "%s" "${hsts_age_sec%"${hsts_age_sec##*[!\"]}"}")
fi fi
if [[ $hsts_age_days -eq -1 ]]; then debugme echo "hsts_age_sec: $hsts_age_sec"
pr_svrty_medium "misconfiguration: HSTS max-age (recommended > $HSTS_MIN seconds = $((HSTS_MIN/86400)) days ) is required but missing" if ! is_number "$hsts_age_sec"; then
fileout "${jsonID}_time" "MEDIUM" "misconfiguration, parameter max-age (recommended > $HSTS_MIN seconds = $((HSTS_MIN/86400)) days) missing" pr_svrty_medium "misconfiguration: \'"$hsts_age_sec"\' is not a valid max-age specification"
set_grade_cap "A" "HSTS max-age is misconfigured" fileout "${jsonID}_time" "MEDIUM" "misconfiguration, specified not a number for max-age"
elif [[ $hsts_age_sec -eq 0 ]]; then
pr_svrty_low "HSTS max-age is set to 0. HSTS is disabled"
fileout "${jsonID}_time" "LOW" "0. HSTS is disabled"
set_grade_cap "A" "HSTS is disabled"
elif [[ $hsts_age_sec -ge $HSTS_MIN ]]; then
pr_svrty_good "$hsts_age_days days" ; out "=$hsts_age_sec s"
fileout "${jsonID}_time" "OK" "$hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN seconds"
else else
pr_svrty_medium "$hsts_age_sec s = $hsts_age_days days is too short ( >= $HSTS_MIN seconds recommended)" if [[ -n $hsts_age_sec ]]; then
fileout "${jsonID}_time" "MEDIUM" "max-age too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN seconds" hsts_age_days=$(( hsts_age_sec / 86400))
set_grade_cap "A" "HSTS max-age is too short" else
hsts_age_days=-1
fi
if [[ $hsts_age_days -eq -1 ]]; then
pr_svrty_medium "misconfiguration: HSTS max-age (recommended > $HSTS_MIN seconds = $((HSTS_MIN/86400)) days ) is required but missing"
fileout "${jsonID}_time" "MEDIUM" "misconfiguration, parameter max-age (recommended > $HSTS_MIN seconds = $((HSTS_MIN/86400)) days) missing"
set_grade_cap "A" "HSTS max-age is misconfigured"
elif [[ $hsts_age_sec -eq 0 ]]; then
pr_svrty_low "HSTS max-age is set to 0. HSTS is disabled"
fileout "${jsonID}_time" "LOW" "0. HSTS is disabled"
set_grade_cap "A" "HSTS is disabled"
elif [[ $hsts_age_sec -ge $HSTS_MIN ]]; then
pr_svrty_good "$hsts_age_days days" ; out "=$hsts_age_sec s"
fileout "${jsonID}_time" "OK" "$hsts_age_days days (=$hsts_age_sec seconds) > $HSTS_MIN seconds"
else
pr_svrty_medium "$hsts_age_sec s = $hsts_age_days days is too short ( >= $HSTS_MIN seconds recommended)"
fileout "${jsonID}_time" "MEDIUM" "max-age too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN seconds"
set_grade_cap "A" "HSTS max-age is too short"
fi
fi fi
if includeSubDomains "$TMPFILE"; then if includeSubDomains "$TMPFILE"; then
fileout "${jsonID}_subdomains" "OK" "includes subdomains" fileout "${jsonID}_subdomains" "OK" "includes subdomains"