- omniauth\.rb
- carrierwave\.rb
- schema\.rb
+ - knife\.rb
- database\.yml
- settings\.py
- keychain
- kwallet
- aws_access_key_id
- aws_secret_access_key
+ - otr\.private_key
+ - ovpn
+ - agilekeychain
+ - \.log
+ - gnucash
+ - backup
+ - jenkins\.plugins\.publish_over_ssh\.BapSshPublisherPlugin\.xml
+ - LocalSettings\.php
+ - tblk
+ - Favorites\.plist
+ - configuration\.user\.xpl
+ - tugboat
+ - git-credentials
+ - git-config
+ - proftpdpasswd
+ - robomongo\.json
+ - filezilla\.xml
+ - recentservers\.xml
+ - ventrilo_srv\.ini
file_contents:
private_key:
ripemd:
regex: ripemd
- desc: |
- "RACE Integrity Primitives Evaluation Message Digest
- is an insecure hashing algorithm"
+ desc: "RACE Message Digest is an insecure hashing algorithm"
secret:
regex: secret
apprun:
regex: app\.run\s*\(.*debug.*=.*True.*\)
desc: |
- "Running flask in debug mode can give away sensitive data on a
- systems configuration"
+ "Running flask in debug mode can give away sensitive data"
autoescape:
regex: autoescape.*=.*False
- desc: |
- "Without escaping HTML input an application becomes
- vulnerable to Cross Site Scripting (XSS) attacks."
+ desc: "Not escaping HTML input is vulnerable to XSS attacks."
safestring:
regex: safestring\.mark_safe.*\(.*\)
- desc: |
- "Without escaping HTML input an application becomes
- vulnerable to Cross Site Scripting (XSS) attacks."
+ desc: "Not escaping HTML input is vulnerable to XSS attacks."
shelltrue:
regex: shell.*=.*True
- desc: |
- "Shell=True can lead to dangerous shell escapes,
- expecially when the input can be crafted by untrusted external input"
+ desc: "Shell=True can lead to dangerous shell escapes"
tmp:
regex: \/tmp\/
desc: |
- "Use of tmp directories can be dangerous. Its world writable and
- accessable, and can be easily guessed by attackers"
+ "tmp directories are risky. They are world writable and easily guessed"
yamlload:
regex: \yaml\.load
desc: |
- "Avoid dangerous file parsing and object serialization libraries,
- use instead `yaml.safe_load`"
+ "Avoid dangerous file parsing & serialization libs, use yaml.safe_load"
telnet:
regex: telnet
finger:
regex: \bfinger\b
desc: "Avoid coms applications that transmit credentials in clear text"
+ allint:
+ regex: 0\.0\.0\.0
+ desc: "Interface listening on all addresses - may break security zones"
+
+file_ignore:
+ - '.rst'
+ - '.md'
licence:
licence_ext:
- releng: exceptions/releng.yaml
- sandbox: exceptions/sandbox.yaml
- yardstick: exceptions/yardstick.yaml
+ - infra: exceptions/infra.yaml
+ - ipv6: exceptions/ipv6.yaml
+ - joid: exceptions/joid.yaml
+ - kvmfornfv: exceptions/kvmfornfv.yaml
+ - lsoapi: exceptions/lsoapi.yaml
+ - models: exceptions/models.yaml
+ - moon: exceptions/moon.yaml
+ - multisite: exceptions/multisite.yaml
+ - netready: exceptions/netready.yaml