trailofbits / twa

A tiny web auditor with strong opinions.
https://trailofbits.github.io/twa
MIT License
585 stars 53 forks

No ,, operator in Bash ver. <4 causes minor issues when using twa on macOS #7

Closed bl4de closed 6 years ago

bl4de commented 6 years ago

Hi @woodruffw ,

First things first - thank you for this little pretty thing :) It's a very useful tool and I have really liked it since the first time I used it.

While I had no issues on Ubuntu 16.04 LTS, when I tried to use twa on macOS, I ran into this error:

$ ./twa google.com
Connection to google.com port 443 [tcp/https] succeeded!
FAIL(google.com): HTTP redirects to HTTP (not secure)
FAIL(google.com): Strict-Transport-Security missing
./twa: line 212: ${xfo,,}: bad substitution
PASS(google.com): Site doesn't send 'Server' header
PASS(google.com): Site doesn't send 'X-Powered-By'
PASS(google.com): Site doesn't send 'Via'
PASS(google.com): Site doesn't send 'X-AspNet-Version'
PASS(google.com): Site doesn't send 'X-AspNetMvc-Version'
PASS(google.com): No SCM repository at: http://google.com/.git/HEAD
PASS(google.com): No SCM repository at: http://google.com/.hg/store/00manifest.i
PASS(google.com): No SCM repository at: http://google.com/.svn/entries

Quick source code audit reveals three other places where this operator is used (in lines 231, 241 and 258).

I did some further investigation and found that, as macOS uses an older version of Bash, the ,, operator is not implemented, because it was introduced in Bash ver. 4 (source: https://stackoverflow.com/questions/47815637/getting-bad-substitution-error-with-a-shell-script-on-a-mac)

Unfortunately, changing shell to sh (as mentioned in the thread on SO) does not resolve the problem, causing different syntax errors here and there.

twa still works despite this issue; however, the audit results for some headers are not present (e.g. X-Frame-Options, X-XSS-Protection).

Any suggestions how the ,, operator could be substituted with something Bash <4 compatible?

Thanks!

Cheers,

bl4de

woodruffw commented 6 years ago

Hi @bl4de! Thanks for the kind words.

Three other people have brought this up, in #1, #3, and #6. It's a tough position, since OS X is the only platform that I know of that's still shipping such an ancient version of bash. I'm hesitant to support it, since it'll severely limit the flexibility of future checks.

For the time being, my suggestion is to install a newer bash on OS X via Homebrew or your package manager of choice. Once you do that, twa should work as expected. I'll be adding a check to twa itself for bash > 4 this evening, probably.
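
The two points raised in this thread, a Bash 4 version guard and a way to lowercase a header value that does not depend on the ,, expansion, as an added example. This is not twa's own code: the `bash_version_ok`, `to_lower` and `xfo_ok` functions and the accepted X-Frame-Options values are assumptions made for illustration, and the sample header values are constructed.

```shell
#!/usr/bin/env bash
# Portable lowercasing: the ,, parameter expansion needs bash >= 4,
# so pipe through tr instead. Works in bash 3.2 and in POSIX sh.
to_lower() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Version guard in the spirit of the check woodruffw mentions above.
# Takes a version string such as "$BASH_VERSION" (e.g. "3.2.57(1)-release")
# and returns 0 only when the major version is 4 or newer.
bash_version_ok() {
  major="${1%%.*}"
  case "$major" in
    ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: not a usable version
  esac
  [ "$major" -ge 4 ]
}

# Case-insensitive X-Frame-Options check, as a twa-style header audit
# would do it without the ,, expansion. Accepted values are an assumption:
# DENY and SAMEORIGIN in any letter case pass, anything else fails.
xfo_ok() {
  case "$(to_lower "$1")" in
    deny|sameorigin) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone demonstration with constructed header values.
if bash_version_ok "${BASH_VERSION:-0}"; then
  echo "bash >= 4: the ,, expansion would also be available"
else
  echo "bash < 4 (or not bash at all): the ,, expansion would fail here" >&2
fi
for hdr in "SAMEORIGIN" "Deny" "ALLOW-FROM https://example.invalid"; do
  if xfo_ok "$hdr"; then
    echo "PASS: X-Frame-Options '$hdr' accepted"
  else
    echo "FAIL: X-Frame-Options '$hdr' rejected"
  fi
done
```

`tr '[:upper:]' '[:lower:]'` is the usual replacement for the ,, expansion when a script has to run on the /bin/bash that ships with macOS (3.2); the version guard lets a script refuse early with a clear message instead of failing mid-run with a "bad substitution" error as in the output above.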

bl4de commented 6 years ago

Hi @woodruffw ,

Thank you for the very quick feedback! Getting bash via Homebrew resolved the issue :)

Please forgive me, I did not check the Closed tab first and opened a duplicate issue ;)

Cheers,

bl4de

woodruffw commented 6 years ago

Thank you for the very quick feedback! Getting bash via Homebrew resolved the issue :)

Glad to hear!

And don't worry about not checking, I closed them pretty fast. Let me know if you run into any other problems!