Add support for 'privileged' search

rapid7 / metasploit-framework

Metasploit Framework

https://www.metasploit.com/

Other

32.92k stars 13.71k forks source link

Add support for 'privileged' search #19120

Open nrathaus opened 3 weeks ago

nrathaus commented 3 weeks ago

Resolves https://github.com/rapid7/metasploit-framework/issues/18990

cgranleese-r7 commented 3 weeks ago

Hi @nrathaus thanks for all the recent contributions 🚀

I thought I'd add a few things we like to do/see when contributing. It's super helpful for everyone involved if contributors follow the pull request template. Just a brief description of what the changes are and why they were needed, replication and verification steps for the testing you completed when verifying the change.

This is will help us work towards making sure all bases are covered in terms of testing path, and with the project being a long running open source project, it is also super helpful for future traveler's when changes are well documented with a good paper trail to reference back to.

nrathaus commented 3 weeks ago

Isn't linking to the original Issue sufficient here? @cgranleese-r7

nrathaus commented 3 weeks ago

@cgranleese-r7 how can I get the modules_metadata updated with the privileged attribute?

Is there a way to populate the JSON file?

cgranleese-r7 commented 3 weeks ago

Isn't linking to the original Issue sufficient here? @cgranleese-r7

No, due to the points I have listed above it is much more beneficial to make use of our template.

@cgranleese-r7 how can I get the modules_metadata updated with the privileged attribute? Is there a way to populate the JSON file?

If I'm understanding what you're asking, I believe that will be done automatically once the PR is merged.

nrathaus commented 3 weeks ago

@cgranleese-r7 The 'privileged' field information is read from the modules_metadata.json file that is either the version under ~/.msf4/store/ or the one shipped with the metasploit db/modules_metadata_base.json

adfoster-r7 commented 3 weeks ago

Thanks for the PR! I think the code changes in isolation are good, but I think the privileged metadata that's exposed on our datamodel is ambiguous in its definition. It looks like it can mean one of two things:

  #
  # Returns whether or not the module requires or grants high privileges.
  #
  def privileged?
    privileged == true
  end

Because of this ambiguity in definition, i.e. the module either requiring or granting privileges, I'm not sure if exposing these values to the user is beneficial in its current state

I'm wondering if we might need to do some pre-requisite work to split this one value into two? i.e. privileges_required and grants_privileges or something? That might be useful so users could search for exactly what they want 🤔

nrathaus commented 2 weeks ago

We need to decide if we add support (non-ambiguous, or ambiguous privileged) or we don't
Then we need to decide non-ambiguous/ambiguous way