-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Split regex functions and non-regex functions #171
Conversation
I am writing docs now -- but here is the functionality. |
checks.go
Outdated
// This check will always fail if the command returns an error. | ||
func (c cond) CommandContains() (bool, error) { | ||
c.requireArgs("Cmd", "Value") | ||
out, err := shellCommandOutput(c.Cmd) | ||
if c.Regex { | ||
outTrim := strings.TrimSpace(out) | ||
if err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like err here doesn't get checked unless regex
checks.go
Outdated
found, err = regexp.Match(c.Value, []byte(line)) | ||
} else { | ||
found = strings.Contains(line, c.Value) | ||
} | ||
if err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here, I think err check should be moved up to under regex match
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so just make sure each error != nil is always directly under the error causer?
checks.go
Outdated
condFunc := "" | ||
negation := false | ||
cond.Regex = false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Setting condition regex as a boolean works since it's more nuanced than negation, although I think we should leave it unexported (like starting with a lowercase in the struct) which should prevent people from trying to set it in their config. That or raise an error, since if they have Regex = true but CommandContains
not CommandContainsRegex
then it won't be regex.
|
||
// Ensure that condition type is a valid length | ||
if len(cond.Type) <= len(not) { | ||
if len(cond.Type) <= len(regex) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's unintuitive but should be valid. I think. Might catch us later if we have a very short check type name
checks.go
Outdated
negation = true | ||
condFunc = cond.Type[:len(cond.Type)-len(not)] | ||
} else if cond.Type[len(cond.Type)-len(regex):len(cond.Type)] == regex { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this prevent doing RegexNot commands since it's an else if?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah it does currently -- my next push should check for and remove Not
, then check for Regex
and remove it
> **Note**: We recommend you use the `Not` version of this check to score a program's version being different from its version at the beginning of the image. You can't guarantee that the latest version of the program you're scoring will be the same once your round is released, and it's unlikely that a competitor will intentionally downgrade a package. | ||
> **Note**: We recommend you use the `Not` version of this check to score a program's version being different from its | ||
> version at the beginning of the image. You can't guarantee that the latest version of the program you're scoring will | ||
> be |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Kind of weird single word line here?
|
||
**FileContains**: pass if file contains regex | ||
**FileContains**: pass if file contains a value |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We still need documentation for FileContainsRegex and all the other *Regex checks right? Since I dont think you can 100% guess if all checks have a regex alternate
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair point thanks I definitely skimmed over the note block we should probably make that more readable at some point
@@ -377,7 +425,10 @@ name = 'Administrators' | |||
value = 'SeTimeZonePrivilege' | |||
``` | |||
|
|||
> A list of URA and Constant Names (which are used in the config) [can be found here](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment). On your local machine, check Local Security Policy > User Rights Assignments to see the current assignments. | |||
> A list of URA and Constant Names (which are used in the | |||
> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sometimes the lint god is wrong
checks.go
Outdated
@@ -51,7 +52,7 @@ func (c cond) requireArgs(args ...interface{}) { | |||
v := reflect.ValueOf(c) | |||
vType := v.Type() | |||
for i := 0; i < v.NumField(); i++ { | |||
if vType.Field(i).Name == "Type" { | |||
if vType.Field(i).Name == "Type" || vType.Field(i).Name == "Regex" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be lowercase here right?
No description provided.