mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
f96a89e7c1
* feat: Enhance control flow analysis with function summaries and taint analysis * feat: Update taint analysis to utilize function summaries for enhanced tracking * Refactor `walk.rs` batch processing and override handling: - Renamed `Batcher` to `BatchSender` for clarity. - Added `BatchSender::new` constructor for cleaner initialization. - Simplified batch size management in `BatchSender`. - Extracted `build_overrides` function for reusable override construction. - Improved error handling and validation in override building. - Enhanced performance with directory and file type filtering in `walk`. * Improve logging and streamline directory walk process: - Added detailed `tracing` logs for debugging batch flushes, override construction, and walk initialization/completion. - Optimized and simplified `filter_entry` logic for directory and file type filters. - Improved metadata checks and max file size enforcement during the scan. * Refactor and optimize taint tracking, label rules, and directory walk process: - Replaced `DefaultHasher` with `blake3::Hasher` for improved taint hashing. - Enhanced sorting and hashing logic in `taint.rs` for consistency and efficiency. - Removed unused `set_hash` function and redundant imports across files. - Improved batch sender logic in `walk.rs`, renaming key components for clarity. - Unified `spawn_senders` and `spawn_file_walker` with thread handling and channel tuple return. - Expanded label rules with additional matchers for sources, sanitizers, and sinks. - Deprecated `dump_cfg` and specific logging utilities in `cfg.rs` for code cleanup. * fix: fixed let chains error in walk.rs * fix: updated dependencies * fix: updated dependencies * chore: Remove standard error in scan.rs * feat: Introduce function summaries for enhanced taint and control flow analysis * feat: Enhance taint analysis with interop support and function summaries * feat: Add configuration analysis module and enhance matcher rules * feat: Add arity column to function_summaries and handle schema migration * fix: fixed clippy &PathBuf warnings * chore: Update dependencies and versioning in Cargo files * docs: Update README to enhance clarity and detail on features and analysis modes * chore: Update CHANGELOG for version 0.2.0 with new features, changes, and fixes * docs: Update SECURITY.md to clarify version support status --------- Co-authored-by: elipeter <eli.peter@es.fcm.travel>
68 lines
2.3 KiB
Python
68 lines
2.3 KiB
Python
import os
|
|
import subprocess
|
|
import shlex
|
|
|
|
# Infrastructure provisioning tool — Python automation scripts.
|
|
# Handles configuration management and deployment automation.
|
|
|
|
# ───── Configuration management ─────
|
|
|
|
def sync_config():
|
|
"""Syncs configuration from a remote source.
|
|
VULN: os.getenv flows into subprocess.run (command injection)
|
|
"""
|
|
remote = os.getenv("CONFIG_REMOTE_URL")
|
|
local_dir = os.getenv("CONFIG_LOCAL_DIR")
|
|
subprocess.run(["rsync", "-avz", remote, local_dir])
|
|
|
|
def apply_ansible_playbook():
|
|
"""Runs an Ansible playbook from env-configured path.
|
|
VULN: os.getenv flows into subprocess.Popen (command injection)
|
|
"""
|
|
playbook = os.getenv("ANSIBLE_PLAYBOOK")
|
|
inventory = os.getenv("ANSIBLE_INVENTORY")
|
|
proc = subprocess.Popen(
|
|
["ansible-playbook", "-i", inventory, playbook],
|
|
stdout=subprocess.PIPE,
|
|
stderr=subprocess.PIPE,
|
|
)
|
|
stdout, stderr = proc.communicate()
|
|
if proc.returncode != 0:
|
|
raise RuntimeError(f"Playbook failed: {stderr.decode()}")
|
|
return stdout.decode()
|
|
|
|
# ───── Secret management ─────
|
|
|
|
def rotate_secrets():
|
|
"""Rotates secrets by calling a vault CLI.
|
|
VULN: os.getenv flows into os.system (command injection)
|
|
"""
|
|
vault_addr = os.getenv("VAULT_ADDR")
|
|
vault_token = os.getenv("VAULT_TOKEN")
|
|
os.system(f"vault write -address={vault_addr} secret/app/key value=rotated")
|
|
|
|
def inject_secrets():
|
|
"""Injects secrets into the environment from vault.
|
|
VULN: os.getenv flows into eval (code injection via env)
|
|
"""
|
|
secret_loader = os.getenv("SECRET_LOADER_EXPR")
|
|
secrets = eval(secret_loader)
|
|
return secrets
|
|
|
|
# ───── Monitoring ─────
|
|
|
|
def check_service_health():
|
|
"""Checks health of all configured services.
|
|
VULN: os.getenv flows into subprocess.call
|
|
"""
|
|
services = os.getenv("MONITORED_SERVICES", "").split(",")
|
|
for svc in services:
|
|
subprocess.call(["curl", "-sf", f"http://{svc}/health"])
|
|
|
|
# ───── Safe patterns ─────
|
|
|
|
def safe_exec():
|
|
"""SAFE: shlex.quote properly sanitizes before shell use."""
|
|
user_path = os.getenv("USER_PATH")
|
|
safe_path = shlex.quote(user_path)
|
|
subprocess.run(f"ls -la {safe_path}", shell=True, capture_output=True)
|