fix: Revise html decoding to use decode() from the 'he' library #10

Merged: 8 commits, Feb 19, 2024
33 changes: 5 additions & 28 deletions ReviewParser.js
@@ -1,31 +1,8 @@
import {XMLParser} from './fxp.esm.js'
import decode from './decode.js'

const tagValueProcessor = function () {
const text = arguments[1]
const entities = {
'&': '&',
'&lt;': '<',
'&gt;': '>',
'&quot;': '"',
'&#039;': "'"
}

return text.replace(/&([^;]+);/g, function (entity, entityCode) {
let match

if (entityCode in entities) {
return entities[entityCode]
}
else if (match = entityCode.match(/^#x([\da-fA-F]+)$/)) {
return String.fromCharCode(parseInt(match[1], 16))
}
else if (match = entityCode.match(/^#(\d+)$/)) {
return String.fromCharCode(~~match[1])
}
else {
return entity
}
})
const decodeHTML = function () {
return decode(arguments[1])
}

export function reviewsFromCkl(
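Review bot: the removed `tagValueProcessor` could never decode a named entity, so the old table was dead code: the regex `/&([^;]+);/g` captures `lt`, but the keys are spelled `'&lt;'`, so `entityCode in entities` is always false for `&lt;`, `&gt;`, `&quot;` and `&#039;` (the last only worked because it fell through to the decimal branch) and the text came back unchanged. Two smaller defects go away with it as well: `entityCode in entities` also answers true for inherited names such as `constructor`, so `&constructor;` would be replaced by the stringified `Object` function, and `String.fromCharCode` truncates supplementary-plane references such as `&#x1F600;` to 16 bits. For the replacement, fxp calls the processor as `(tagName, tagValue, jPath, hasAttributes, isLeafNode)`, so `arguments[1]` is correct, but a named parameter reads better: `const decodeHTML = (tagName, tagValue) => decode(tagValue)`. Also note that `he`'s `decode` is lenient by default and silently passes malformed references through; if a checklist with broken entities should be rejected rather than imported, pass `{ strict: true }`.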
@@ -66,7 +43,7 @@ export function reviewsFromCkl(
parseAttributeValue: false,
removeNSPrefix: true,
trimValues: true,
tagValueProcessor,
tagValueProcessor: decodeHTML,
commentPropName: "__comment",
isArray: (name, jpath, isLeafNode, isAttribute) => {
return name === '__comment' || !isLeafNode
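Review bot: with `tagValueProcessor: decodeHTML` every text node in the CKL is decoded a second time, because fxp has already resolved XML's predefined entities by the time the processor runs (with `processEntities` at its default), so a value stored as `&amp;lt;` in the file arrives as `<` in the parsed object. That is the intended behaviour for STIG Viewer output, which HTML-escapes text inside XML, but it means the parsed values are fully unescaped plain text: anything that later writes `FINDING_DETAILS` or `COMMENTS` into HTML or back into an XML export must escape at that sink, not rely on the value still being encoded. Worth a one-line comment next to this option so the next reader does not "fix" it by removing one layer.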
@@ -440,7 +417,7 @@ export function reviewsFromXccdf(
parseTagValue: false,
removeNSPrefix: true,
trimValues: true,
tagValueProcessor,
tagValueProcessor: decodeHTML,
commentPropName: "__comment",
isArray: (name, jpath, isLeafNode, isAttribute) => {
const arrayElements = [
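Review bot: `reviewsFromXccdf` receives the same `decodeHTML` change as the CKL path, but the only fixture this PR adds (as far as the diff shows) is `WATCHER-test-files/WATCHER/ckl/html-decode.ckl`; nothing exercises the XCCDF parser with entity-laden text. Add an XCCDF fixture carrying the same mix of named, decimal and hex references so a regression in either parser is caught, rather than relying on the two code paths staying identical.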
168 changes: 168 additions & 0 deletions WATCHER-test-files/WATCHER/ckl/html-decode.ckl
@@ -0,0 +1,168 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- STIG Manager 1.3.13 -->
<!-- Classification: NONE -->
<CHECKLIST>
<ASSET>
<ROLE>None</ROLE>
<ASSET_TYPE>Non-Computing</ASSET_TYPE>
<MARKING>NONE</MARKING>
<HOST_NAME>Asset_aaaaaaaaaa</HOST_NAME>
<HOST_IP>10.2.2.2</HOST_IP>
<HOST_MAC></HOST_MAC>
<HOST_GUID/>
<HOST_FQDN>hostname</HOST_FQDN>
<TECH_AREA/>
<TARGET_KEY>2777</TARGET_KEY>
<WEB_OR_DATABASE>false</WEB_OR_DATABASE>
<WEB_DB_SITE/>
<WEB_DB_INSTANCE/>
</ASSET>
<STIGS>
<iSTIG>
<STIG_INFO>
<SI_DATA>
<SID_NAME>version</SID_NAME>
<SID_DATA>1</SID_DATA>
</SI_DATA>
<SI_DATA>
<SID_NAME>classification</SID_NAME>
</SI_DATA>
<SI_DATA>
<SID_NAME>customname</SID_NAME>
</SI_DATA>
<SI_DATA>
<SID_NAME>stigid</SID_NAME>
<SID_DATA>RHEL_9_TRUNCATED</SID_DATA>
</SI_DATA>
<SI_DATA>
<SID_NAME>description</SID_NAME>
<SID_DATA>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].</SID_DATA>
</SI_DATA>
<SI_DATA>
<SID_NAME>filename</SID_NAME>
<SID_DATA>stig-manager-oss</SID_DATA>
</SI_DATA>
<SI_DATA>
<SID_NAME>releaseinfo</SID_NAME>
<SID_DATA>Release: 1 Benchmark Date: 22 Sep 2023</SID_DATA>
</SI_DATA>
<SI_DATA>
<SID_NAME>title</SID_NAME>
<SID_DATA>Red Hat Enterprise Linux 9 TRUNCATED</SID_DATA>
</SI_DATA>
<SI_DATA>
<SID_NAME>uuid</SID_NAME>
<SID_DATA>391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2</SID_DATA>
</SI_DATA>
<SI_DATA>
<SID_NAME>notice</SID_NAME>
<SID_DATA>terms-of-use</SID_DATA>
</SI_DATA>
<SI_DATA>
<SID_NAME>source</SID_NAME>
</SI_DATA>
</STIG_INFO>
<VULN>
<STIG_DATA>
<VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>V-207191</ATTRIBUTE_DATA>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>Weight</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>10.0</ATTRIBUTE_DATA>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>Group_Title</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>SRG-NET-000063</ATTRIBUTE_DATA>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>SV-207191r803418_rule</ATTRIBUTE_DATA>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>Rule_Ver</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>SRG-NET-000063-VPN-000210</ATTRIBUTE_DATA>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions.</ATTRIBUTE_DATA>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded.

Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless.

Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures in conjunction with an approved hash function.</ATTRIBUTE_DATA>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>IA_Controls</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA/>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.

If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding.</ATTRIBUTE_DATA>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.</ATTRIBUTE_DATA>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>False_Positives</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA/>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>False_Negatives</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA/>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>Documentable</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>false</ATTRIBUTE_DATA>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>Mitigations</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA/>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>Potential_Impact</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA/>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>Third_Party_Tools</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA/>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>Mitigation_Control</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA/>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>Responsibility</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA/>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>Security_Override_Guidance</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA/>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>STIGRef</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023</ATTRIBUTE_DATA>
</STIG_DATA>
<STIG_DATA>
<VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE>
<ATTRIBUTE_DATA>CCI-001453</ATTRIBUTE_DATA>
</STIG_DATA>
<STATUS>Open</STATUS>
<FINDING_DETAILS>&amp; &lt; &gt; &quot; &#039; &#x26; &#60; &amp; &lt; &gt; &quot; &#039; &#65; &#46; &#37; &#44; &#126;</FINDING_DETAILS>
<COMMENTS>xyz</COMMENTS>
<SEVERITY_OVERRIDE/>
<SEVERITY_JUSTIFICATION/>
</VULN>
</iSTIG>
</STIGS>
</CHECKLIST>
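Review bot: the `FINDING_DETAILS` value in this fixture only covers XML's five named entities plus decimal and hex references, which are the cases the removed decoder already claimed (and, for the numeric ones, actually managed) to handle; nothing here exercises what switching to `he` adds, namely HTML-only named entities such as `&nbsp;` or `&eacute;`, a supplementary-plane reference such as `&#x1F600;`, or a malformed reference, so the fixture would pass against a decoder with the old numeric branch alone. There is also no visible assertion of the expected result; if the file is byte-for-byte as shown, the decoded `FINDING_DETAILS` should come out as `& < > " ' & < & < > " ' A . % , ~`, and the watcher test should check for exactly that string.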
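The following is an added example and not code from this PR, from STIG Manager or from the `he` library: a minimal character-reference decoder of the kind the removed `tagValueProcessor` attempted, written so the named-entity lookup actually matches what the regex captures and with a strict mode for inputs that should be rejected, next to a reproduction of the removed decoder so the two can be run side by side. Assumptions: the reproduction takes the first table key to be `'&amp;'` (the rendered diff shows it already decoded), the sample input is constructed to mirror the `FINDING_DETAILS` line of the fixture, and the `tagValueProcessor` wiring assumes fast-xml-parser's `(tagName, tagValue, ...)` call signature.

```javascript
// Added example, not code from the STIG Manager project or the `he` library.

// Named entities the removed code meant to handle: XML's five.
// &#039; (apostrophe) is a numeric reference and is handled by the numeric branch.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// One regex for the three reference forms: &name; &#decimal; &#xhex;
const ENTITY_RE = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);/g;

// Decode character references. In lenient mode (the default) anything the decoder
// does not recognise is left verbatim; in strict mode it throws, which is what a
// parser should do when a checklist must be rejected rather than silently mangled.
function decodeEntities(text, { strict = false } = {}) {
  // Strict mode: every '&' in the input must begin a well-formed reference.
  if (strict && text.replace(ENTITY_RE, '').includes('&')) {
    throw new Error('malformed character reference');
  }
  return text.replace(ENTITY_RE, (entity, code) => {
    if (code[0] === '#') {
      const hex = code[1] === 'x' || code[1] === 'X';
      const cp = hex ? parseInt(code.slice(2), 16) : parseInt(code.slice(1), 10);
      // Reject NUL, surrogates and anything beyond U+10FFFF (fromCodePoint would throw on the last).
      if (cp === 0 || (cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) {
        if (strict) throw new Error(`invalid character reference ${entity}`);
        return entity;
      }
      // fromCodePoint, not fromCharCode: fromCharCode truncates astral code points to 16 bits.
      return String.fromCodePoint(cp);
    }
    // hasOwnProperty, not `in`: `in` also finds inherited names such as 'constructor'.
    if (Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, code)) return NAMED_ENTITIES[code];
    if (strict) throw new Error(`unknown entity ${entity}`);
    return entity;
  });
}

// The decoder removed by this PR, reproduced from the diff for comparison (first key assumed
// to be '&amp;'). The regex captures "lt" while the table keys are "&lt;", so the
// named-entity lookup never matches and only the numeric branches do anything.
function legacyDecode(text) {
  const entities = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#039;': "'" };
  return text.replace(/&([^;]+);/g, (entity, entityCode) => {
    let match;
    if (entityCode in entities) return entities[entityCode];
    if ((match = entityCode.match(/^#x([\da-fA-F]+)$/))) return String.fromCharCode(parseInt(match[1], 16));
    if ((match = entityCode.match(/^#(\d+)$/))) return String.fromCharCode(~~match[1]);
    return entity;
  });
}

// Constructed input modelled on the FINDING_DETAILS line of the html-decode.ckl fixture.
const SAMPLE = '&amp; &lt; &gt; &quot; &#039; &#x26; &#60; &#65; &#46; &#37; &#44; &#126;';

// How such a decoder plugs into fast-xml-parser, assuming its processor signature
// (tagName, tagValue, jPath, hasAttributes, isLeafNode): only the value is needed.
const tagValueProcessor = (tagName, tagValue) => decodeEntities(tagValue);

console.log(decodeEntities(SAMPLE)); // & < > " ' & < A . % , ~
console.log(legacyDecode(SAMPLE));   // named entities come back undecoded
```

Running the two decoders over `SAMPLE` shows the difference directly: `decodeEntities` yields the plain-text form, while `legacyDecode` leaves `&amp;`, `&lt;`, `&gt;` and `&quot;` untouched and only resolves the numeric references. The strict mode is the behaviour to reach for when a checklist import should fail loudly on malformed input rather than store a half-decoded string.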