forked from visma-prodsec/confused
-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.go
109 lines (98 loc) · 2.84 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
/*
Package main implements an automated Dependency Confusion scanner.
Original research provided by Alex Birsan.
Original blog post detailing Dependency Confusion : https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 .
*/
package main
import (
"flag"
"fmt"
"os"
"path/filepath"
"strings"
)
func main() {
var resolver PackageResolver
lang := ""
verbose := false
filename := ""
safespaces := ""
flag.StringVar(&lang, "l", "npm", "Package repository system. Possible values: \"pip\", \"npm\", \"composer\", \"mvn\", \"rubygems\"")
flag.StringVar(&safespaces, "s", "", "Comma-separated list of known-secure namespaces. Supports wildcards")
flag.BoolVar(&verbose, "v", false, "Verbose output")
flag.Parse()
// Check that we have a filename
if flag.NArg() == 0 {
Help()
flag.Usage()
os.Exit(1)
}
filename = flag.Args()[0]
switch lang {
case "pip":
resolver = NewPythonLookup(verbose)
case "npm":
resolver = NewNPMLookup(verbose)
case "composer":
resolver = NewComposerLookup(verbose)
case "mvn":
resolver = NewMVNLookup(verbose)
case "rubygems":
resolver = NewRubyGemsLookup(verbose)
default:
fmt.Printf("Unknown package repository system: %s\n", lang)
os.Exit(1)
}
err := resolver.ReadPackagesFromFile(filename)
if err != nil {
fmt.Printf("Encountered an error while trying to read packages from file: %s\n", err)
os.Exit(1)
}
outputPackages := removeSafe(resolver.PackagesNotInPublic(), safespaces)
PrintResult(outputPackages)
}
// Help outputs tool usage and help
func Help() {
fmt.Printf("Usage:\n %s [-l LANGUAGENAME] depfilename.ext\n", os.Args[0])
}
// PrintResult outputs the result of the scanner
func PrintResult(notavail []string) {
if len(notavail) == 0 {
fmt.Printf("[*] All packages seem to be available in the public repositories. \n\n" +
"In case your application uses private repositories please make sure that those namespaces in \n" +
"public repositories are controlled by a trusted party.\n\n")
return
}
fmt.Printf("Issues found, the following packages are not available in public package repositories:\n")
for _, n := range notavail {
fmt.Printf(" [!] %s\n", n)
}
os.Exit(1)
}
// removeSafe removes known-safe package names from the slice
func removeSafe(packages []string, safespaces string) []string {
retSlice := []string{}
safeNamespaces := []string{}
var ignored bool
safeTmp := strings.Split(safespaces, ",")
for _, s := range safeTmp {
safeNamespaces = append(safeNamespaces, strings.TrimSpace(s))
}
for _, p := range packages {
ignored = false
for _, s := range safeNamespaces {
ok, err := filepath.Match(s, p)
if err != nil {
fmt.Printf(" [W] Encountered an error while trying to match a known-safe namespace %s : %s\n", s, err)
continue
}
if ok {
ignored = true
}
}
if !ignored {
retSlice = append(retSlice, p)
}
}
return retSlice
}