Fix more shellcheck complaints (high severity)

... and fine-tune some comments at the beginning
This commit is contained in:
Dirk Wetter
2025-10-13 21:06:02 +02:00
parent 672493ebe7
commit c53e7a3955


@@ -11,17 +11,16 @@
# Stable version https://testssl.sh # Stable version https://testssl.sh
# File bugs at GitHub https://github.com/testssl/testssl.sh/issues # File bugs at GitHub https://github.com/testssl/testssl.sh/issues
# #
# Project lead and initiator: Dirk Wetter, copyleft: 2007-today, contributions so far see CREDITS.md # Project lead and initiator: Dirk Wetter, copyleft: 2007-today, contributions so far
# Main contributions from David Cooper # see CREDITS.md .
# Project lead and initiator: Dirk Wetter, copyleft: 2007-today.
# Main contributions from David Cooper. Further contributors see CREDITS.md . # Main contributions from David Cooper. Further contributors see CREDITS.md .
# #
# License: GPLv2, see https://opensource.org/licenses/gpl-2.0.php and # License: GPLv2, see https://opensource.org/licenses/gpl-2.0.php and accompanying
# accompanying license "LICENSE.txt". Redistribution + modification under this # license "LICENSE.txt". Redistribution + modification under this license permitted.
# license permitted. #
# If you enclose this program or parts of it in your software, it has to be # If you enclose this program or parts of it in your software, it has to be
# accompanied by the same license (see link). Do not violate the license. # accompanied by the same license (see link). Do not violate the license.
# If you do not agree to these terms, do not use it in the first place! # If you do not agree to these terms, do not use testssl.sh in the first place!
# #
# OpenSSL, which is being used and maybe distributed via one of this projects' # OpenSSL, which is being used and maybe distributed via one of this projects'
# web sites, is subject to their licensing: https://www.openssl.org/source/license.txt # web sites, is subject to their licensing: https://www.openssl.org/source/license.txt
@@ -30,10 +29,11 @@
# Terms of Use' (v2.2), see https://www.ssllabs.com/downloads/Qualys_SSL_Labs_Terms_of_Use.pdf, # Terms of Use' (v2.2), see https://www.ssllabs.com/downloads/Qualys_SSL_Labs_Terms_of_Use.pdf,
# stating a CC BY 3.0 US license: https://creativecommons.org/licenses/by/3.0/us/ # stating a CC BY 3.0 US license: https://creativecommons.org/licenses/by/3.0/us/
# #
# Please note: USAGE WITHOUT ANY WARRANTY, THE SOFTWARE IS PROVIDED "AS IS". # Please note:
# USE IT AT your OWN RISK! # USAGE WITHOUT ANY WARRANTY, THE SOFTWARE IS PROVIDED "AS IS". USE IT AT your OWN RISK!
# Seriously! The threat is you run this code on your computer and untrusted input e.g. #
# could be supplied from a server you are querying. # The threat is you run this code on your computer and untrusted input could be supplied from
# a server you are testing.
# #
# HISTORY: # HISTORY:
# Back in 2006 it all started with a few openssl commands... # Back in 2006 it all started with a few openssl commands...
@@ -41,7 +41,7 @@
# https://wiki.openssl.org/index.php/Command_Line_Utilities) that it was difficult to resist # https://wiki.openssl.org/index.php/Command_Line_Utilities) that it was difficult to resist
# wrapping some shell commands around it, which I used for my pen tests. This is how # wrapping some shell commands around it, which I used for my pen tests. This is how
# everything started. # everything started.
# Now it has grown up, it has bash socket support for most features, which has been basically # Testssl.sh has grown up, it has bash socket support for most features, which has been basically
# replacing more and more functions of OpenSSL and some sockets functions serve as some kind # replacing more and more functions of OpenSSL and some sockets functions serve as some kind
# of central functions. # of central functions.
# #
@@ -462,6 +462,7 @@ declare TLS_CIPHER_OSSL_NAME=()
declare TLS_CIPHER_RFC_NAME=() declare TLS_CIPHER_RFC_NAME=()
declare TLS_CIPHER_SSLVERS=() declare TLS_CIPHER_SSLVERS=()
declare TLS_CIPHER_KX=() declare TLS_CIPHER_KX=()
# shellcheck disable=SC2034 . This is a false positive
declare TLS_CIPHER_AUTH=() declare TLS_CIPHER_AUTH=()
declare TLS_CIPHER_ENC=() declare TLS_CIPHER_ENC=()
declare TLS_CIPHER_EXPORT=() declare TLS_CIPHER_EXPORT=()
@@ -13135,7 +13136,7 @@ derive-handshake-secret() {
pubkeys_and_ciphers="${pubkeys_and_ciphers%--END HYBRID CIPHERTEXT--*}" pubkeys_and_ciphers="${pubkeys_and_ciphers%--END HYBRID CIPHERTEXT--*}"
privkeys="${tmpfile#*---BEGIN HYBRID PRIV KEY---}" privkeys="${tmpfile#*---BEGIN HYBRID PRIV KEY---}"
privkeys="${privkeys%---END HYBRID PRIV KEY---*}" privkeys="${privkeys%---END HYBRID PRIV KEY---*}"
while [[ "$pubkeys_and_ciphers" =~ BEGIN ]]; do while [[ "$pubkeys_and_ciphers" =~ BEGIN ]]; do
if [[ "${pubkeys_and_ciphers:0:27}" =~ BEGIN\ CIPHERTEXT ]]; then if [[ "${pubkeys_and_ciphers:0:27}" =~ BEGIN\ CIPHERTEXT ]]; then
key_or_cipher="-----BEGIN CIPHERTEXT${pubkeys_and_ciphers#*-----BEGIN CIPHERTEXT}" key_or_cipher="-----BEGIN CIPHERTEXT${pubkeys_and_ciphers#*-----BEGIN CIPHERTEXT}"
@@ -18364,16 +18365,16 @@ run_breach() {
if [[ ${has_compression[*]} =~ warn ]]; then if [[ ${has_compression[*]} =~ warn ]]; then
# warn_empty / warn_stalled # warn_empty / warn_stalled
if [[ ${has_compression[*]} =~ warn_empty ]]; then if [[ ${has_compression[*]} =~ warn_empty ]]; then
pr_warning "At least 1/4 checks failed (HTTP header request was empty, debug: ${has_compression[@]}" pr_warning "At least 1/4 checks failed (HTTP header request was empty, debug: ${has_compression[*]}"
outln ", debug: ${has_compression[@]})" outln ", debug: ${has_compression[*]})"
fileout "$jsonID" "WARN" "Test failed as HTTP response was empty, debug: ${has_compression[@]}" "$cve" "$cwe" fileout "$jsonID" "WARN" "Test failed as HTTP response was empty, debug: ${has_compression[*]}" "$cve" "$cwe"
else # warn_stalled else # warn_stalled
pr_warning "At least 1/4 checks failed (HTTP header request stalled and was terminated" pr_warning "At least 1/4 checks failed (HTTP header request stalled and was terminated"
outln ", debug: ${has_compression[@]})" outln ", debug: ${has_compression[*]})"
fileout "$jsonID" "WARN" "Test failed as HTTP request stalled and was terminated" "$cve" "$cwe" fileout "$jsonID" "WARN" "Test failed as HTTP request stalled and was terminated" "$cve" "$cwe"
fi fi
else else
for c in "${has_compression[@]}"; do for c in ${has_compression[*]}; do
if [[ $c =~ yes ]]; then if [[ $c =~ yes ]]; then
detected_compression+="${c%:*} " detected_compression+="${c%:*} "
fi fi
@@ -18384,7 +18385,7 @@ run_breach() {
outln "${spaces}${when_makesense}" outln "${spaces}${when_makesense}"
fileout "$jsonID" "MEDIUM" "potentially VULNERABLE, $detected_compression HTTP compression detected $disclaimer" "$cve" "$cwe" "$hint" fileout "$jsonID" "MEDIUM" "potentially VULNERABLE, $detected_compression HTTP compression detected $disclaimer" "$cve" "$cwe" "$hint"
fi fi
debugme outln "${spaces}has_compression: ${has_compression[@]}" debugme outln "${spaces}has_compression: ${has_compression[*]}"
;; ;;
esac esac
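Review bot: The new `for c in ${has_compression[*]}; do` in the else-branch of the `warn` check replaces a correctly quoted expansion with an unquoted one, so every element is now subject to word-splitting and pathname expansion before it reaches `[[ $c =~ yes ]]` and `${c%:*}`; the original `for c in "${has_compression[@]}"; do` was already the ShellCheck-clean form (the new line is what SC2048 flags) and should be restored. The `[@]` to `[*]` changes inside the double-quoted pr_warning, outln, fileout and debugme strings are the right fix for those lines, since there the array is meant to be joined into one string. From the visible lines the elements look like `name:yes`-style tokens without whitespace, so the loop probably still iterates the same today, but an element containing a glob character would be expanded against the current directory. run_breach starts and ends outside the hunk.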