Fix filename expansion in CSV output

This commit fixes #1123 where a security header containing an asterix lead
to a local filename expansion which was included in the CSV file output.
A new function fileout_csv_finding() addresses this.

Also if "$GIVE_HINTS" isn't true the headline and each line in the CSV file doesn't include
anymore the word hint -- which is more consistent with the JSON output.
This commit is contained in:
Dirk 2018-09-16 18:08:05 +02:00
parent 15261b2cf4
commit c9b725e6ff

View File

@ -780,7 +780,7 @@ fileout_json_finding() {
echo -e "\n }" >> "$JSONFILE" echo -e "\n }" >> "$JSONFILE"
fi fi
if "$do_pretty_json"; then if "$do_pretty_json"; then
if [[ "$1" == "service" ]]; then if [[ "$1" == service ]]; then
if [[ $SERVER_COUNTER -gt 1 ]]; then if [[ $SERVER_COUNTER -gt 1 ]]; then
echo " ," >> "$JSONFILE" echo " ," >> "$JSONFILE"
fi fi
@ -869,6 +869,21 @@ fileout_insert_warning() {
fi fi
} }
fileout_csv_finding() {
safe_echo "\"$1\"," >> "$CSVFILE"
safe_echo "\"$2\"," >> "$CSVFILE"
safe_echo "\"$3\"," >> "$CSVFILE"
safe_echo "\"$4\"," >> "$CSVFILE"
safe_echo "\"$5\"," >> "$CSVFILE"
safe_echo "\"$6\"," >> "$CSVFILE"
if "$GIVE_HINTS"; then
safe_echo "\"$7\"," >> "$CSVFILE"
safe_echo "\"$8\"\n" >> "$CSVFILE"
else
safe_echo "\"$7\"\n" >> "$CSVFILE"
fi
}
# ID, SEVERITY, FINDING, CVE, CWE, HINT # ID, SEVERITY, FINDING, CVE, CWE, HINT
fileout() { fileout() {
@ -877,11 +892,11 @@ fileout() {
local cwe="$5" local cwe="$5"
local hint="$6" local hint="$6"
if ( "$do_pretty_json" && [[ "$1" == "service" ]] ) || show_finding "$severity"; then if ( "$do_pretty_json" && [[ "$1" == service ]] ) || show_finding "$severity"; then
local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")") local finding=$(strip_lf "$(newline_to_spaces "$(strip_quote "$3")")") # additional quotes will mess up screen output
[[ -e "$JSONFILE" ]] && [[ ! -d "$JSONFILE" ]] && (fileout_json_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint") [[ -e "$JSONFILE" ]] && [[ ! -d "$JSONFILE" ]] && fileout_json_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint"
"$do_csv" && [[ -n "$CSVFILE" ]] && [[ ! -d "$CSVFILE" ]] && \ "$do_csv" && [[ -n "$CSVFILE" ]] && [[ ! -d "$CSVFILE" ]] && \
echo -e \""$1\"",\"$NODE/$NODEIP\",\"$PORT"\",\""$severity"\",\""$finding"\",\""$cve"\",\""$cwe"\",\""$hint"\"" >> "$CSVFILE" fileout_csv_finding "$1" "$severity" "$finding" "$cve" "$cwe" "$hint"
"$FIRST_FINDING" && FIRST_FINDING=false "$FIRST_FINDING" && FIRST_FINDING=false
fi fi
} }
@ -961,7 +976,11 @@ csv_header() {
CSVHEADER=false CSVHEADER=false
else else
[[ -s "$CSVFILE" ]] && fatal "non-empty \"$CSVFILE\" exists. Either use \"--append\" or (re)move it" $ERR_FCREATE [[ -s "$CSVFILE" ]] && fatal "non-empty \"$CSVFILE\" exists. Either use \"--append\" or (re)move it" $ERR_FCREATE
echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\",\"cve\",\"cwe\",\"hint\"" > "$CSVFILE" if "$GIVE_HINTS"; then
echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\",\"cve\",\"cwe\",\"hint\"" > "$CSVFILE"
else
echo "\"id\",\"fqdn/ip\",\"port\",\"severity\",\"finding\",\"cve\",\"cwe\"" > "$CSVFILE"
fi
fi fi
return 0 return 0
} }