Fixed security problems in python scripts, added a reset to rule enla…

…rgement
CactuseSecurity · Jun 22, 2020 · 580eaea · 580eaea
1 parent 56a96ad
commit 580eaea
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 42 deletions.
diff --git a/roles/import-samples/files/config_changes/enlarge_rule.py b/roles/import-samples/files/config_changes/enlarge_rule.py
@@ -5,7 +5,6 @@
 import random
 import string
 import fnmatch
-from shutil import copyfile
 
 
 def random_octet():
@@ -17,8 +16,8 @@ def random_ip():
 
 
 def random_uuid():
-    str = ''.join(random.choices(string.ascii_lowercase + string.digits, k=32))
-    return str[:8] + '-' + str[8:12] + '-' + str[12:16] + '-' + str[16:20] + '-' + str[20:]
+    s = ''.join(random.choices(string.ascii_lowercase + string.digits, k=32))
+    return s[:8] + '-' + s[8:12] + '-' + s[12:16] + '-' + s[16:20] + '-' + s[20:]
 
 
 # Second step: build new network object in "config firewall address"
@@ -41,7 +40,8 @@ def random_uuid():
     data.insert(line_to_insert_at + 2, '        set associated-interface "kids-wifi"\n')
     data.insert(line_to_insert_at + 3, '        set subnet {} 255.255.255.255\n'.format(ip_address))
     data.insert(line_to_insert_at + 4, '        set comment "Automatically built for test purposes"\n')
-data.insert(line_to_insert_at + 5, '    next\n')
+    data.insert(line_to_insert_at + 5, '    next\n')
+    data.insert(line_to_insert_at + 6, '# recognition comment for auto-delete function')
 
 fout = open("/home/isosample/sample-configs/fortinet_demo/fortigate.cfg", "w")
 data = "".join(data)
@@ -50,20 +50,36 @@ def random_uuid():
 
 # Third step: add new objects to rule 60
 
-fin = open("/home/isosample/sample-configs/fortinet_demo/fortigate.cfg", "rt")
-fout = open("/tmp/FWOrch_deleteme2.txt", "wt")
-uid_flag = False
-for line in fin:
-    if fnmatch.filter([line], '*edit 60*'):
-        uid_flag = True
-    if fnmatch.filter([line], '*next*'):
-        uid_flag = False
-    if fnmatch.filter([line], '*set srcaddr*') and uid_flag:
-        if fnmatch.filter([line], '*"all"*'):
-            line = '        set srcaddr "{}"\n'.format(ip_address)
-        else:
-            line = line.rstrip() + ' "{}"\n'.format(ip_address)
-    fout.write(line)
-fin.close()
-fout.close()
-copyfile("/tmp/FWOrch_deleteme2.txt", "/home/isosample/sample-configs/fortinet_demo/fortigate.cfg")
+with open("/home/isosample/sample-configs/fortinet_demo/fortigate.cfg", "r") as fin:
+    lines = fin.readlines()
+with open("/home/isosample/sample-configs/fortinet_demo/fortigate.cfg", "w") as fout:
+    uid_flag = False
+    delete_unused_networkobjects = False
+    for line in lines:
+        if fnmatch.filter([line], '*edit 60*'):
+            uid_flag = True
+        if fnmatch.filter([line], '*next*'):
+            uid_flag = False
+        if fnmatch.filter([line], '*set srcaddr*') and uid_flag:
+            if fnmatch.filter([line], '*"all"*') or len(line) > 200:
+                line = '        set srcaddr "{}"\n'.format(ip_address)
+                delete_unused_networkobjects = True
+            else:
+                line = line.rstrip() + ' "{}"\n'.format(ip_address)
+        fout.write(line)
+
+# Utils
+
+# This routine deletes all automatically created network objects except the most recent
+if delete_unused_networkobjects:
+    delete_flag = False
+    with open("/home/isosample/sample-configs/fortinet_demo/fortigate.cfg", "r") as fin:
+        lines = fin.readlines()
+    with open("/home/isosample/sample-configs/fortinet_demo/fortigate.cfg", "w") as fout:
+        for line in lines:
+            if line.strip("\n") == "# recognition comment for auto-delete function":
+                delete_flag = True
+            if line.strip("\n") == 'edit "SSLVPN_TUNNEL_ADDR1"':
+                delete_flag = False
+            if not delete_flag:
+                fout.write(line)
diff --git a/roles/import-samples/files/config_changes/write_date_to_comment.py b/roles/import-samples/files/config_changes/write_date_to_comment.py
@@ -3,25 +3,17 @@
 
 import fnmatch
 import datetime
-from shutil import copyfile
-
-fin = open("/home/isosample/sample-configs/fortinet_demo/fortigate.cfg", "rt")
-fout = open("/tmp/FWOrch_deleteme.txt", "wt")
-uid = 52
-uid_flag = False
-for line in fin:
-    if fnmatch.filter([line], '*edit {}*'.format(uid)):
-        uid_flag = True
-    if fnmatch.filter([line], '*next*'):
-        uid_flag = False
-    if fnmatch.filter([line], '*set comments*') and uid_flag:
-        # fout.write(line.replace('"*"', '"{}"'.format(datetime.datetime.now())))
-        #line = re.sub('"*"', '"{}"'.format(datetime.datetime.now()), line)
-        #fout.write(line.re.sub('set comments "VPN: Cactus-DA (Created by VPN wizard)"', 'test'))
-        line = '        set comments "{}"\n'.format(datetime.datetime.now())
-    fout.write(line)
-fin.close()
-fout.close()
-
-copyfile("/tmp/FWOrch_deleteme.txt", "/home/isosample/sample-configs/fortinet_demo/fortigate.cfg")
 
+with open("/home/isosample/sample-configs/fortinet_demo/fortigate.cfg", "rt") as fin:
+    lines = fin.readlines()
+with open("/home/isosample/sample-configs/fortinet_demo/fortigate.cfg", "wt") as fout:
+    uid = 52
+    uid_flag = False
+    for line in fin:
+        if fnmatch.filter([line], '*edit {}*'.format(uid)):
+            uid_flag = True
+        if fnmatch.filter([line], '*next*'):
+            uid_flag = False
+        if fnmatch.filter([line], '*set comments*') and uid_flag:
+            line = '        set comments "{}"\n'.format(datetime.datetime.now())
+        fout.write(line)