1
我寫了一個foodcritic規則來捕獲任何嘗試寫入/ etc目錄下的目錄/文件的黑名單。廚師Foodcritic規則沒有捕捉屬性字符串
當列入黑名單的路徑傳遞到資源聲明作爲配方的字符串,規則觸發,但是當它們被作爲屬性傳遞,該規則不會觸發:
@resources = [
'file',
'template',
'remote_file',
'remote_directory',
'directory'
]
@blacklist = [
'/etc/ssh/',
'/etc/init',
...
]
rule 'RULE001', 'do not manipulate /etc other than init/,init.d/ & default/' do
tags %w(security)
recipe do |ast|
violations = []
@resources.each do |resource_type|
violations << find_resources(ast, type: resource_type).select do |resource|
res_str = (resource_attribute(resource, 'path' || resource_name(resource)).to_s
@blacklist.any? { |cmd| res_str.include? cmd }
end
end
violations.flatten
end
end
測試這種使用以下時,文字字符串被捕獲,但是當它們作爲屬性傳遞時,它們被傳遞。任何人都可以看到我失蹤的東西嗎?
屬性/ default.rb:
default['testbook']['etc-test'] = '/etc/ssh/test.conf'
default['testbook']['etc-dir-test'] = 'etc/ssh/somedir/'
食譜/ default.rb:
#template '/etc/ssh/test.conf' do <-- caught
template node['testbook']['etc-test'] do #<-- not caught
source 'test.conf'
owner 'nobody'
group 'nobody'
mode '0644'
action :create
end
#directory '/etc/ssh/somedir' do <-- caught
directory node['testbook']['etc-dir-test'] do <-- not caught
action :create
end
經過反思,我認爲我需要檢查列入黑名單的路徑的屬性文件的內容,因爲屬性未解析。 – Gillespie