[LOTP] Add vale

[fproulx-boostsecurity]

Description of the LOTP tool

vale is CLI meta-linting tool that has tons of plugins that can be configured using a config file.

• https://vale.sh/
• https://github.com/errata-ai/vale
• https://github.com/errata-ai/vale-action (LOTP variant)

Configuration files

.vale.ini

Documentation

https://vale.sh/

Interesting features

• Tengo script extension is interesting, but currently limited because it was hardened in a certain version to prevent import "os"
  • while Tengo can optionally have "os" (https://github.com/d5/tengo/blob/master/docs/stdlib-os.md)
  • Only "text", "fmt", "math are exported (https://github.com/errata-ai/vale/blob/e8dd9f6435aa9377159783bb3d517e8bbc77717d/internal/lint/action.go#L91)
• Other linters are often not pre-installed, so very much environment dependant
• most versions of xsltproc makes old-school XXE hard / if not impossible? because of URI constraints, BUT as most support the exsl:document extension (https://exslt.github.io/exsl/elements/document/index.html) it does provide an arbitrary write gadget that can be combined with theNLPEndpoint for exfiltration (ex. https://github.com/Koha-Community/Koha/blob/main/t/db_dependent/Koha/XSLT/Security.t#L64-L75)
• NLPEndpoint + Lang (!= "en") REST API support is a great reliable built-in exfiltration mechanism, easy to combine with symbolic link (with *.txt) in git repo pointing to file (ex. /proc/self/environ or .git/config)
  • NLPEndpoint in .vale.ini https://github.com/errata-ai/vale/blob/e8dd9f6435aa9377159783bb3d517e8bbc77717d/internal/core/ini.go#L227
  • Lang = fr (not en to trigger NLP REST API)
  • HTTP POST https://github.com/errata-ai/vale/blob/v3/internal/nlp/http.go#L37-L54