Fix filename expansion in CSV output
This commit fixes #1123 where a security header containing an asterisk led to a local filename expansion which was included in the CSV file output. A new function fileout_csv_finding() addresses this. Also, if "$GIVE_HINTS" isn't true, the headline and each line in the CSV file no longer include the word hint -- which is more consistent with the JSON output.
This commit is contained in:
parent
15261b2cf4
commit
c9b725e6ff
29
testssl.sh
29
testssl.sh
|
@ -780,7 +780,7 @@ fileout_json_finding() {
|
||||||
echo -e "\n }" >> "$JSONFILE"
|
echo -e "\n }" >> "$JSONFILE"
|
||||||
fi
|
fi
|
||||||
if "$do_pretty_json"; then
|
if "$do_pretty_json"; then
|
||||||
if [[ "$1" == "service" ]]; then
|
if [[ "$1" == service ]]; then
|
||||||
if [[ $SERVER_COUNTER -gt 1 ]]; then
|
if [[ $SERVER_COUNTER -gt 1 ]]; then
|
||||||
echo " ," >> "$JSONFILE"
|
echo " ," >> "$JSONFILE"
|
||||||
fi
|
fi
|
||||||
|
@ -869,6 +869,21 @@ fileout_insert_warning() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fileout_csv_finding() {
|
||||||
|
safe_echo "\"$1\"," >> "$CSVFILE"
|
||||||
|
safe_echo "\"$2\"," >> "$CSVFILE"
|
||||||
|
safe_echo "\"$3\"," >> "$CSVFILE"
|
||||||
|
safe_echo "\"$4\"," >> "$CSVFILE"
|
||||||
|
safe_echo "\"$5\"," >> "$CSVFILE"
|
||||||
|
safe_echo "\"$6\"," >> "$CSVFILE"
|
||||||
|
if "$GIVE_HINTS"; then
|
||||||
|
safe_echo "\"$7\"," >> "$CSVFILE"
|
||||||
|
safe_echo "\"$8\"\n" >> "$CSVFILE"
|
||||||
|
else
|
||||||
|
safe_echo "\"$7\"\n" >> "$CSVFILE"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
# ID, SEVERITY, FINDING, CVE, CWE, HINT
|
# ID, SEVERITY, FINDING, CVE, CWE, HINT
|
||||||
fileout() {
|
fileout() {
|
||||||
|
@ -877,11 +892,11 @@ fileout() {
|
||||||
local cwe="$5"
|
local cwe="$5"
|
||||||
local hint="$6"
|
local hint="$6"
|
||||||
|
|
||||||
if ( "$do_pretty_json" && [[ "$1" == "service" ]] ) || show_finding "$severity"; then
|
if ( "$do_pretty_json" && [[ "$1" == service ]] ) || show_finding "$severity"; then
|
||||||
local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")")
|
local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")") # additional quotes will mess up screen output
|
||||||
[[ -e "$JSONFILE" ]] && [[ ! -d "$JSONFILE" ]] && (fileout_json_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint")
|
[[ -e "$JSONFILE" ]] && [[ ! -d "$JSONFILE" ]] && fileout_json_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint"
|
||||||
"$do_csv" && [[ -n "$CSVFILE" ]] && [[ ! -d "$CSVFILE" ]] && \
|
"$do_csv" && [[ -n "$CSVFILE" ]] && [[ ! -d "$CSVFILE" ]] && \
|
||||||
echo -e \""$1\"",\"$NODE/$NODEIP\",\"$PORT"\",\""$severity"\",\""$finding"\",\""$cve"\",\""$cwe"\",\""$hint"\"" >> "$CSVFILE"
|
fileout_csv_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint"
|
||||||
"$FIRST_FINDING" && FIRST_FINDING=false
|
"$FIRST_FINDING" && FIRST_FINDING=false
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -961,7 +976,11 @@ csv_header() {
|
||||||
CSVHEADER=false
|
CSVHEADER=false
|
||||||
else
|
else
|
||||||
[[ -s "$CSVFILE" ]] && fatal "non-empty \"$CSVFILE\" exists. Either use \"--append\" or (re)move it" $ERR_FCREATE
|
[[ -s "$CSVFILE" ]] && fatal "non-empty \"$CSVFILE\" exists. Either use \"--append\" or (re)move it" $ERR_FCREATE
|
||||||
|
if "$GIVE_HINTS"; then
|
||||||
echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\",\"cve\",\"cwe\",\"hint\"" > "$CSVFILE"
|
echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\",\"cve\",\"cwe\",\"hint\"" > "$CSVFILE"
|
||||||
|
else
|
||||||
|
echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\",\"cve\",\"cwe\"" > "$CSVFILE"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
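Review bot: The new call at the end of fileout() passes six arguments to fileout_csv_finding(), but that function writes positional parameters $1 through $7 (or $8 with hints), so the record loses the fqdn/ip and port columns that the replaced echo line emitted and that csv_header() still declares, and the six values shift left: severity lands in the fqdn/ip column, finding in port, and the trailing columns are empty. The call should read `fileout_csv_finding "$1" "$NODE/$NODEIP" "$PORT" "$severity" "$finding" "$cve" "$cwe" "$hint"`; fileout() itself starts in the preceding hunk. A header comment on fileout_csv_finding() naming the expected column order, e.g. `# Arguments: id, fqdn/ip, port, severity, finding, cve, cwe, hint (hint only when $GIVE_HINTS is true)`, would make such a mismatch visible at the call site. Separately, if safe_echo interprets backslash escapes (the trailing `\n` in the last field suggests it does), a finding containing a backslash sequence is still rewritten on its way into the CSV; that is not a regression from the old echo -e, but worth a note in the function header.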