Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve validation of note and override ports #1045

Merged
merged 6 commits into from
Apr 16, 2020

Conversation

mattmundell
Copy link
Contributor

@mattmundell mattmundell commented Apr 14, 2020

This is the port validation used by GMP CREATE/MODIFY_NOTE/OVERRIDE.

Checklist:

@mattmundell mattmundell marked this pull request as ready for review April 14, 2020 14:27
src/manage_sql.c Outdated

if (strncmp ("general/", port, 8) == 0)
return 0;
/* "cpe:abc", "general/tcp", "20/upd"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
/* "cpe:abc", "general/tcp", "20/upd"
/* "cpe:abc", "general/tcp", "20/udp"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 917206a.

src/manage_sql.c Outdated
/* "cpe:abc", "general/tcp", "20/upd"
*
* The , and ; is to stop users from entering lists of ports.
* CPE doesn't use them because seems like they're valid in CPEs. */
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could be a bit clearer that it's referring to the restriction not containing , and ; for CPEs.

Also, whether the characters are allowed without percent escaping depends on the version of the specification.
If I understand it correctly, 2.2 (the version we currently use) requires them to be escaped.
(Chapter 5.4. in https://cpe.mitre.org/specification/2.2/cpe-specification_2.2.pdf)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Improved in 5ce9e79.

I don't think we need to worry about escaping at this point. Ultimately we could use a full CPE regex (saw one at https://csrc.nist.gov/schema/cpe/2.3/cpe-naming_2.3.xsd) but it might prove too restrictive (eg won't allow for errors in the shipped CPEs or mixed CPE versions). Anyway, a topic for a future PR, I'd say.

@timopollmeier timopollmeier merged commit 20c7081 into greenbone:master Apr 16, 2020
@mattmundell mattmundell deleted the port-validation branch April 16, 2020 17:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants