dradis / dradis-ce

Dradis Framework: Collaboration and reporting for IT Security teams
https://dradis.com/ce/
GNU General Public License v2.0

Add-on's template does not update #897

Closed greyleonie closed 2 years ago

greyleonie commented 3 years ago

Steps to reproduce

Modify the template file, for example the one in dradis-zap-4.0.0

# original file
$ cat templates/issue.template 
#[Title]#
%issue.alert%

#[Risk]#
%issue.riskdesc%

#[Confidence]#
%issue.confidence%

#[Description]#
%issue.desc%

#[Solution]#
%issue.solution%

#[OtherInfo]#
%issue.otherinfo%

#[References]#
%issue.reference%

CWE: %issue.cweid%
WASC: %issue.wascid%

# modify CWE and WASC output format
$ cat templates/issue.template 
#[Title]#
%issue.alert%

#[Risk]#
%issue.riskdesc%

#[Confidence]#
%issue.confidence%

#[Description]#
%issue.desc%

#[Solution]#
%issue.solution%

#[OtherInfo]#
%issue.otherinfo%

#[References]#
%issue.reference%

#[CWE]#
%issue.cweid%

#[WASC]#
%issue.wascid%

Expected behavior

The issue output will change.

#[Title]#
Format String Error

#[Risk]#
Medium (Medium)

#[Confidence]#
2

#[Description]#
A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. 

#[Solution]#
Rewrite the background program using proper deletion of bad character strings.  This will require a recompile of the background executable.

#[OtherInfo]#
Potential Format String Error.  The script closed the connection on a /%s

#[References]#
https://www.owasp.org/index.php/Format_string_attack

#[CWE]#
134

#[WASC]#
6

Actual behavior

The issue output does not change.

#[Title]#
Format String Error

#[Risk]#
Medium (Medium)

#[Confidence]#
2

#[Description]#
A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. 

#[Solution]#
Rewrite the background program using proper deletion of bad character strings.  This will require a recompile of the background executable.

#[OtherInfo]#
Potential Format String Error.  The script closed the connection on a /%s

#[References]#
https://www.owasp.org/index.php/Format_string_attack

CWE: 134
WASC: 6

Extension test

After renaming the template file and changing the source code, the issue output format changed. For example, rename 'issue.template' to 'issue1.template'.

# rename the template file
$ ls templates/
evidence.fields  evidence.sample  evidence.template  issue1.fields  issue1.sample  issue1.template

$ vi lib/dradis/plugins/zap/importer.rb
    def process_alert_item(xml_alert_item)
      plugin_id = xml_alert_item.at_xpath('./pluginid').text()
      logger.info{ "\t\t => Creating new issue (plugin_id: #{plugin_id})" }

      issue_text = template_service.process_template(template: 'issue1', data: xml_alert_item)
      logger.info{ "#{issue_text}" }
      issue = content_service.create_issue(text: issue_text, id: plugin_id)

$ bundle exec thor dradis:plugins:zap:upload /mnt/hgfs/ZAP_2.4.3_report-merged.xml
...
#[Title]#
Format String Error

#[Risk]#
Medium (Medium)

#[Confidence]#
2

#[Description]#
A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. 

#[Solution]#
Rewrite the background program using proper deletion of bad character strings.  This will require a recompile of the background executable.

#[OtherInfo]#
Potential Format String Error.  The script closed the connection on a /%s

#[References]#
https://www.owasp.org/index.php/Format_string_attack

#[CWE]#
134

#[WASC]#
6

System configuration

Dradis version:

$ git status
HEAD detached at v4.0.0

Ruby version:

$ ruby -v
ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-linux]

OS version:

$ uname -a
Linux zoo 5.11.0-34-generic #36~20.04.1-Ubuntu SMP Fri Aug 27 08:06:32 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

etdsoft commented 2 years ago

Hi @greyleonie,

Thanks for the report. Plugin templates are copied from the external gems (dradis-zap in this case) to the Dradis folder as part of the initialisation process:

https://github.com/dradis/dradis-ce/blob/develop/config/initializers/z_11_plugin_templates.rb#L15

By default they end up in ./templates/plugins/. If you modify the ZAP template in that folder and restart the Dradis server, the changes should take effect.

Closing the issue for now, but feel free to re-open if needed.
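The following is an added example, not code from Dradis or from either participant, that models the behaviour discussed in this thread: placeholders of the form %issue.field% are filled from a ZAP alert item, and the template is resolved from the app's own ./templates/plugins/<plugin>/ copy before falling back to the gem's templates/ directory. The lookup order, the render_issue helper (a stand-in for template_service.process_template), the directory layout and the <alertitem> XML are all assumptions constructed for the example; only the template text and field names come from the thread.

```ruby
# Added example (not Dradis code): a minimal model of plugin template rendering
# and template resolution, reproducing the reporter's three scenarios.
require 'rexml/document'
require 'tmpdir'
require 'fileutils'

# Replace every %issue.<field>% with the text of the matching child element of
# the <alertitem>. Unknown fields render as an empty string rather than raising.
# (Stand-in for template_service.process_template; assumption, not Dradis code.)
def render_issue(template, alert_item)
  template.gsub(/%issue\.([a-z_]+)%/) do
    node = alert_item.elements[Regexp.last_match(1)]
    node ? node.text.to_s.strip : ''
  end
end

# Resolution order (assumption modelled on the maintainer's explanation): the copy
# under <app>/templates/plugins/<plugin>/ wins over the gem's own templates/ dir.
def find_template(app_dir, gem_dir, plugin, name)
  [
    File.join(app_dir, 'templates', 'plugins', plugin, "#{name}.template"),
    File.join(gem_dir, 'templates', "#{name}.template"),
  ].find { |path| File.exist?(path) }
end

# Shortened versions of the two templates from the report.
ORIGINAL_TEMPLATE = <<~T
  #[Title]#
  %issue.alert%

  #[References]#
  %issue.reference%

  CWE: %issue.cweid%
  WASC: %issue.wascid%
T

MODIFIED_TEMPLATE = <<~T
  #[Title]#
  %issue.alert%

  #[References]#
  %issue.reference%

  #[CWE]#
  %issue.cweid%

  #[WASC]#
  %issue.wascid%
T

# Constructed alert item, shaped like one entry of a ZAP XML report (assumption).
ALERT_XML = <<~XML
  <alertitem>
    <pluginid>30002</pluginid>
    <alert>Format String Error</alert>
    <reference>https://www.owasp.org/index.php/Format_string_attack</reference>
    <cweid>134</cweid>
    <wascid>6</wascid>
  </alertitem>
XML

def alert_item
  REXML::Document.new(ALERT_XML).root
end

# Walk through the thread: edit the gem copy (no effect), edit the app copy
# (takes effect), rename to issue1 (only the gem has it, so the gem copy is used).
def simulate_issue
  Dir.mktmpdir do |dir|
    app_dir = File.join(dir, 'dradis-ce')
    gem_dir = File.join(dir, 'dradis-zap-4.0.0')
    gem_tpl = File.join(gem_dir, 'templates')
    app_tpl = File.join(app_dir, 'templates', 'plugins', 'zap')
    FileUtils.mkdir_p(gem_tpl)
    FileUtils.mkdir_p(app_tpl)
    File.write(File.join(gem_tpl, 'issue.template'), ORIGINAL_TEMPLATE)
    # Initialisation: the gem template is copied into the app's templates folder.
    FileUtils.cp(File.join(gem_tpl, 'issue.template'), app_tpl)

    # 1. Edit the gem's copy: the app still resolves its own (unchanged) copy.
    File.write(File.join(gem_tpl, 'issue.template'), MODIFIED_TEMPLATE)
    after_gem_edit = render_issue(File.read(find_template(app_dir, gem_dir, 'zap', 'issue')), alert_item)

    # 2. Edit the app's copy (what the maintainer suggests): the output changes.
    File.write(File.join(app_tpl, 'issue.template'), MODIFIED_TEMPLATE)
    after_app_edit = render_issue(File.read(find_template(app_dir, gem_dir, 'zap', 'issue')), alert_item)

    # 3. Rename to issue1 in the gem: no app copy exists, so the gem file is used.
    File.write(File.join(gem_tpl, 'issue1.template'), MODIFIED_TEMPLATE)
    renamed = render_issue(File.read(find_template(app_dir, gem_dir, 'zap', 'issue1')), alert_item)

    { after_gem_edit: after_gem_edit, after_app_edit: after_app_edit, renamed: renamed }
  end
end

puts simulate_issue[:after_app_edit] if $PROGRAM_NAME == __FILE__
```

The practical check is the one the maintainer describes: after editing a template, look at which file is actually resolved (here find_template) before assuming the change did not apply, and remember that a freshly copied file in ./templates/plugins/ masks later edits to the gem.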