feat: add support for additional ansible and chef commands (932160 PL-1, 932161 PL-2, 932235 PL1, 932260 PL1, 932236 PL2, 932239 PL2, 932237 PL3) by EsadCetiner · Pull Request #3601 · coreruleset/coreruleset · GitHub


Merged: 13 commits, Mar 11, 2024


EsadCetiner
Member

Adds support for all known ansible commands according to Ansible documentation

@EsadCetiner EsadCetiner changed the title feat: add support for additional ansible commands feat: add support for additional ansible commands (932235 PL1, 932260 PL1, 932236 PL2, 932239 PL2, 932237 PL3) Mar 6, 2024
@EsadCetiner EsadCetiner changed the title feat: add support for additional ansible commands (932235 PL1, 932260 PL1, 932236 PL2, 932239 PL2, 932237 PL3) feat: add support for additional ansible and chef commands (932235 PL1, 932260 PL1, 932236 PL2, 932239 PL2, 932237 PL3) Mar 6, 2024
@EsadCetiner
Member Author

@fzipi I've added some additional chef commands, but one of the commands, chef, is a common English word. I've added @ to reduce FPs with the word chef but it won't cover all variants of the word chef. I tried to exclude just the chef command at pl-1 but both unix-shell-fps-pl1-curated.ra and unix-shell-fps-pl1.ra want to exclude all possible variants of a word (based on the comments), I just want to exclude the command chef and not chef-client or similar. Any ideas? Should I just leave it as is and accept the false positive at PL-1?
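
The false-positive trade-off raised in the comment above, as an added example (not code from this PR or from CRS). Both patterns are simplified assumptions: `SUFFIXED` only approximates the idea of requiring whitespace or a shell token after the command name, and every sample string is constructed.

```python
import re

# Assumption: simplified stand-ins, not the expressions CRS generates.
# BARE: the word "chef" anywhere. SUFFIXED: "chef" at a command position and
# followed by whitespace or a shell token, approximating the "@" marker.
BARE = re.compile(r"\bchef\b", re.IGNORECASE)
SUFFIXED = re.compile(r"(?:^|[\s;|&(])chef(?=[\s<>|&;])", re.IGNORECASE)

# Constructed samples: (text, True if it invokes the `chef` command itself).
SAMPLES = [
    ("The chef recommends the soup", False),
    ("Ask the chef.", False),
    ("chef's special tonight", False),
    ("Our sous-chef, Maria", False),
    ("chef-client -z", False),  # a different command with its own entry
    ("; chef exec ruby -v", True),
    ("&& chef generate cookbook demo", True),
]


def false_positives(pattern):
    """Texts the pattern flags although they do not run `chef`."""
    return [t for t, is_cmd in SAMPLES if not is_cmd and pattern.search(t)]


def missed(pattern):
    """Texts that run `chef` but the pattern does not flag."""
    return [t for t, is_cmd in SAMPLES if is_cmd and not pattern.search(t)]


if __name__ == "__main__":
    for name, pat in (("bare", BARE), ("suffixed", SUFFIXED)):
        print(name, "FPs:", false_positives(pat), "missed:", missed(pat))
```

The suffix requirement removes the punctuation and hyphen variants but still flags ordinary sentences where "chef" is followed by a space, which is the residual PL-1 false positive the comment asks about.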

@fzipi
Member
fzipi commented Mar 6, 2024

Thanks Esad. Is chef a thing, really? I never executed that command....

@EsadCetiner
Member Author

@fzipi I'm not a chef user so I don't understand the differences between all of the commands (I'm an ansible user) but following these instructions to install chef does give me that command.

$ chef
The Chef command line tool for managing your infrastructure from your workstation.
Docs: https://docs.chef.io/workstation/
Patents: https://www.chef.io/patents

Usage:
    chef -h/--help
    chef -v/--version
    chef command [arguments...] [options...]

Available Commands:
    exec                    Runs the command in context of the embedded ruby
    env                     Prints environment variables used by Chef Workstation
    gem                     Runs the 'gem' command in context of the embedded Ruby
    generate                Generate a new repository, cookbook, or other component
    shell-init              Initialize your shell to use Chef Workstation as your primary Ruby
    install                 Install cookbooks from a Policyfile and generate a locked cookbook set
    update                  Updates a Policyfile.lock.json with latest run_list and cookbooks
    push                    Push a local policy lock to a policy group on the Chef Infra Server
    push-archive            Push a policy archive to a policy group on the Chef Infra Server
    show-policy             Show policyfile objects on the Chef Infra Server
    diff                    Generate an itemized diff of two Policyfile lock documents
    export                  Export a policy lock as a Chef Infra Zero code repo
    clean-policy-revisions  Delete unused policy revisions on the Chef Infra Server
    clean-policy-cookbooks  Delete unused policyfile cookbooks on the Chef Infra Server
    delete-policy-group     Delete a policy group on the Chef Infra Server
    delete-policy           Delete all revisions of a policy on the Chef Infra Server
    undelete                Undo a delete command
    describe-cookbook       Prints cookbook checksum information used for cookbook identifier
    report                  Report on the state of existing infrastructure from a Chef Infra Server
    capture                 Copy the state of an existing node locally for testing and verification

@RedXanadu
Member
RedXanadu commented Mar 6, 2024

I remember that Chef, Puppet, and Ansible used to be the big three names in automation/deployment. No idea if they're all still as popular.

FWIW, the 10k quantitative testing payloads do not show a difference between main* and the current state of this PR (4e5e83c), so no big alarm bells ringing regarding English natural language FPs (although still some added risk).

(*To be precise, testing against the point at which this PR branched off of main as a baseline)

@dune73
Member
dune73 commented Mar 9, 2024

@RedXanadu: What is the difference exactly? Which rules and which values before and after?

@fzipi
Member
fzipi commented Mar 9, 2024

I like the direction here @EsadCetiner. We should have looked into these commands earlier I guess. Good PR.

@fzipi
Member
fzipi left a comment

LGTM

@fzipi fzipi requested a review from dune73 March 10, 2024 13:34
@EsadCetiner EsadCetiner changed the title feat: add support for additional ansible and chef commands (932235 PL1, 932260 PL1, 932236 PL2, 932239 PL2, 932237 PL3) feat: add support for additional ansible and chef commands (932160 PL-1, 932161 PL-2, 932235 PL1, 932260 PL1, 932236 PL2, 932239 PL2, 932237 PL3) Mar 11, 2024
@dune73
Member
dune73 commented Mar 11, 2024

Thank you for the PR @EsadCetiner. Good catch.

@dune73 dune73 added this pull request to the merge queue Mar 11, 2024
Merged via the queue into coreruleset:main with commit d2afa66 Mar 11, 2024
@EsadCetiner EsadCetiner deleted the feat-ansible-rce branch March 11, 2024 09:30
@RedXanadu
Member

@dune73 Sorry, only just seen your earlier comment. The difference was nil: same results before and after, so all was good.

@dune73
Member
dune73 commented Mar 13, 2024

Thank you for the confirmation @RedXanadu
