Removed nested if statement, indentation clean up

mrrootsec · Jul 10, 2023 · dc94e91 · dc94e91
1 parent 155a11a
commit dc94e91
Show file tree

Hide file tree

Showing 14 changed files with 213 additions and 203 deletions.
diff --git a/other/springboot/Springboot autoconfig actuator.bcheck b/other/springboot/Springboot autoconfig actuator.bcheck
@@ -3,7 +3,7 @@ metadata:
     name: "Springboot autoconfig actuator"
     description: "Springboot autoconfig actuator may expose sensitive information"
     author: "Mateusz Dabrowski (dbrwsky)"
-		tags: "actuator", "springboot", "exposure", "informative"
+	tags: "actuator", "springboot", "exposure", "informative"
 
 run for each:
     potential_path =
@@ -15,17 +15,18 @@ given host then
         method: "GET"
         path: {potential_path}
 
-    if {check.response.status_code} is "200" then 
-			if "\"positiveMatches\"" in {check.response.body} and "\"AuditAutoConfiguration#auditListener\"" in {check.response.body}
-					and  "\"EndpointAutoConfiguration#beansEndpoint\"" in {check.response.body} then
-				if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} 
-						or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
-						or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then
-			        report issue:
-			            severity: low
-			            confidence: certain
-			            detail: `Springboot autoconfig actuator found at {potential_path}.`
-			            remediation: "Ensure autoconfig is not exposed."
-				end if
-			end if
-		end if
+    if {check.response.status_code} is "200"
+		and "\"positiveMatches\"" in {check.response.body} 
+		and "\"AuditAutoConfiguration#auditListener\"" in {check.response.body}
+		and "\"EndpointAutoConfiguration#beansEndpoint\"" in {check.response.body} 
+		and ("application/json" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
+			or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then
+				report issue:
+					severity: low
+					confidence: certain
+					detail: `Springboot autoconfig actuator found at {potential_path}.`
+					remediation: "Ensure autoconfig is not exposed."
+	end if
diff --git a/other/springboot/Springboot beans actuator.bcheck b/other/springboot/Springboot beans actuator.bcheck
@@ -3,7 +3,7 @@ metadata:
     name: "Springboot beans actuator"
     description: "Springboot beans actuator may expose sensitive information"
     author: "Mateusz Dabrowski (dbrwsky)"
-		tags: "actuator", "springboot", "exposure", "informative"
+	tags: "actuator", "springboot", "exposure", "informative"
 
 run for each:
     potential_path =
@@ -15,17 +15,19 @@ given host then
         method: "GET"
         path: {potential_path}
 
-    if {check.response.status_code} is "200" then 
-			if "\"type\"" in {check.response.body} and "\"beans\"" in {check.response.body}
-					and  "\"dependencies\"" in {check.response.body} and "\"scope\"" in {check.response.body} then
-				if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} 
-						or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
-						or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then
-			        report issue:
-			            severity: low
-			            confidence: certain
-			            detail: `Springboot beans actuator found at {potential_path}.`
-			            remediation: "Ensure beans is not exposed."
-				end if
-			end if
+    if {check.response.status_code} is "200" 
+		and "\"type\"" in {check.response.body} 
+		and "\"beans\"" in {check.response.body}
+		and  "\"dependencies\"" in {check.response.body} 
+		and "\"scope\"" in {check.response.body}
+		and ("application/json" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
+			or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then
+				report issue:
+					severity: low
+					confidence: certain
+					detail: `Springboot beans actuator found at {potential_path}.`
+					remediation: "Ensure beans is not exposed."
 		end if
diff --git a/other/springboot/Springboot caches actuator.bcheck b/other/springboot/Springboot caches actuator.bcheck
@@ -3,7 +3,7 @@ metadata:
     name: "Springboot caches actuator"
     description: "Springboot caches actuator exposed"
     author: "Mateusz Dabrowski (dbrwsky)"
-		tags: "actuator", "springboot", "exposure", "informative"
+	tags: "actuator", "springboot", "exposure", "informative"
 
 run for each:
     potential_path =
@@ -15,16 +15,16 @@ given host then
         method: "GET"
         path: {potential_path}
 
-    if {check.response.status_code} is "200" then 
-			if "\"cacheManagers\"" in {check.response.body} then
-				if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} 
-						or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
-						or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then
-			        report issue:
-			            severity: low
-			            confidence: certain
-			            detail: `Springboot info caches found at {potential_path}.`
-			            remediation: "Ensure info caches is not exposed."
-				end if
-			end if
-		end if
+    if {check.response.status_code} is "200" 
+		and "\"cacheManagers\"" in {check.response.body}
+		and ("application/json" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
+			or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then
+				report issue:
+					severity: low
+					confidence: certain
+					detail: `Springboot info caches found at {potential_path}.`
+					remediation: "Ensure info caches is not exposed."
+	end if
diff --git a/other/springboot/Springboot conditions actuator.bcheck b/other/springboot/Springboot conditions actuator.bcheck
@@ -3,7 +3,7 @@ metadata:
     name: "Springboot conditions actuator"
     description: "Springboot conditions actuator exposed"
     author: "Mateusz Dabrowski (dbrwsky)"
-		tags: "actuator", "springboot", "exposure", "informative"
+	tags: "actuator", "springboot", "exposure", "informative"
 
 run for each:
     potential_path =
@@ -15,16 +15,17 @@ given host then
         method: "GET"
         path: {potential_path}
 
-    if {check.response.status_code} is "200" then 
-			if "\"positiveMatches\"" in {check.response.body} and "\"unconditionalClasses\"" in {check.response.body} then
-				if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} 
-						or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
-						or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then
-			        report issue:
-			            severity: low
-			            confidence: certain
-			            detail: `Springboot conditions actuator found at {potential_path}.`
-			            remediation: "Ensure conditions actuator is not exposed."
-				end if
-			end if
-		end if
+    if {check.response.status_code} is "200" 
+		and "\"positiveMatches\"" in {check.response.body} 
+		and "\"unconditionalClasses\"" in {check.response.body} 
+		and ("application/json" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
+			or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then
+				report issue:
+					severity: low
+					confidence: certain
+					detail: `Springboot conditions actuator found at {potential_path}.`
+					remediation: "Ensure conditions actuator is not exposed."
+	end if
diff --git a/other/springboot/Springboot configprops actuator.bcheck b/other/springboot/Springboot configprops actuator.bcheck
@@ -3,7 +3,7 @@ metadata:
     name: "Springboot configprops actuator"
     description: "Springboot configprops actuator may expose sensitive information"
     author: "Mateusz Dabrowski (dbrwsky)"
-		tags: "actuator", "springboot", "exposure", "informative"
+	tags: "actuator", "springboot", "exposure", "informative"
 
 run for each:
     potential_path =
@@ -15,17 +15,18 @@ given host then
         method: "GET"
         path: {potential_path}
 
-    if {check.response.status_code} is "200" then 
-			if "org.springframework.boot.actuate" in {check.response.body} and "\"beans\"" in {check.response.body}
-					and  "\"contexts\"" in {check.response.body} then
-				if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} 
-						or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
-						or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then
-			        report issue:
-			            severity: low
-			            confidence: certain
-			            detail: `Springboot configprops actuator found at {potential_path}.`
-			            remediation: "Ensure configprops is not exposed or doesn't contain sensitive information."
-				end if
-			end if
-		end if
+    if {check.response.status_code} is "200" 
+		and "org.springframework.boot.actuate" in {check.response.body} 
+		and "\"beans\"" in {check.response.body}
+		and  "\"contexts\"" in {check.response.body}
+		and ("application/json" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
+			or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then
+				report issue:
+					severity: low
+					confidence: certain
+					detail: `Springboot configprops actuator found at {potential_path}.`
+					remediation: "Ensure configprops is not exposed or doesn't contain sensitive information."
+	end if
diff --git a/other/springboot/Springboot env actuator.bcheck b/other/springboot/Springboot env actuator.bcheck
@@ -1,9 +1,9 @@
 metadata:
     language: v1-beta
     name: "Springboot env actuator"
-    description: "Springboot env actuator may expose sensitive information"
-    author: "Mateusz Dabrowski (dbrwsky)"
-		tags: "actuator", "springboot", "exposure", "informative"
+	description: "Springboot env actuator may expose sensitive information"
+	author: "Mateusz Dabrowski (dbrwsky)"
+	tags: "actuator", "springboot", "exposure", "informative"
 
 run for each:
     potential_path =
@@ -15,17 +15,17 @@ given host then
         method: "GET"
         path: {potential_path}
 
-    if {check.response.status_code} is "200" then 
-			if "applicationConfig" in {check.response.body} or "activeProfiles" in {check.response.body}
-					and  "server.port" in {check.response.body} then
-				if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} 
-						or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
-						or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then
-			        report issue:
-			            severity: low
-			            confidence: certain
-			            detail: `Springboot env actuator found at {potential_path}.`
-			            remediation: "Ensure env actuator is not exposed or doesn't contain sensitive information."
-				end if
-			end if
-		end if
+    if {check.response.status_code} is "200" 
+		and ("applicationConfig" in {check.response.body} or "activeProfiles" in {check.response.body})
+		and  "server.port" in {check.response.body} 
+		and ("application/json" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
+			or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then
+				report issue:
+					severity: low
+					confidence: certain
+					detail: `Springboot env actuator found at {potential_path}.`
+					remediation: "Ensure env actuator is not exposed or doesn't contain sensitive information."
+	end if
diff --git a/other/springboot/Springboot health actuator.bcheck b/other/springboot/Springboot health actuator.bcheck
@@ -3,7 +3,7 @@ metadata:
     name: "Springboot health actuator"
     description: "Springboot health actuator exposed"
     author: "Mateusz Dabrowski (dbrwsky)"
-		tags: "actuator", "springboot", "exposure", "informative"
+	tags: "actuator", "springboot", "exposure", "informative"
 
 run for each:
     potential_path =
@@ -15,16 +15,17 @@ given host then
         method: "GET"
         path: {potential_path}
 
-    if {check.response.status_code} is "200" then 
-			if "\"status\"" in {check.response.body} and "\"diskSpace\"" in {check.response.body} then
-				if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} 
-						or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
-						or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then
-			        report issue:
-			            severity: low
-			            confidence: certain
-			            detail: `Springboot health actuator found at {potential_path}.`
-			            remediation: "Ensure health actuator is not exposed."
-				end if
-			end if
-		end if
+    if {check.response.status_code} is "200" 
+		and "\"status\"" in {check.response.body} 
+		and "\"diskSpace\"" in {check.response.body} 
+		and ("application/json" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
+			or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then
+				report issue:
+					severity: low
+					confidence: certain
+					detail: `Springboot health actuator found at {potential_path}.`
+					remediation: "Ensure health actuator is not exposed."
+	end if
diff --git a/other/springboot/Springboot info actuator.bcheck b/other/springboot/Springboot info actuator.bcheck
@@ -3,7 +3,7 @@ metadata:
     name: "Springboot info actuator"
     description: "Springboot info actuator exposed"
     author: "Mateusz Dabrowski (dbrwsky)"
-		tags: "actuator", "springboot", "exposure", "informative"
+	tags: "actuator", "springboot", "exposure", "informative"
 
 run for each:
     potential_path =
@@ -15,16 +15,17 @@ given host then
         method: "GET"
         path: {potential_path}
 
-    if {check.response.status_code} is "200" then 
-			if "\"name\"" in {check.response.body} and "\"version\"" in {check.response.body} then
-				if "application/json" in {check.response.headers} or "application/vnd.spring-boot.actuator" in {check.response.headers} 
-						or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
-						or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers} then
-			        report issue:
-			            severity: low
-			            confidence: certain
-			            detail: `Springboot info actuator found at {potential_path}.`
-			            remediation: "Ensure info actuator is not exposed."
-				end if
-			end if
-		end if
+    if {check.response.status_code} is "200"
+		and "\"name\"" in {check.response.body} 
+		and "\"version\"" in {check.response.body}
+		and ("application/json" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator.v1+json" in {check.response.headers} 
+			or "application/vnd.spring-boot.actuator.v2+json" in {check.response.headers}
+			or "application/vnd.spring-boot.actuator.v3+json" in {check.response.headers}) then
+				report issue:
+					severity: low
+					confidence: certain
+					detail: `Springboot info actuator found at {potential_path}.`
+					remediation: "Ensure info actuator is not exposed."
+	end if
diff --git a/other/springboot/Springboot logfile actuator.bcheck b/other/springboot/Springboot logfile actuator.bcheck
@@ -3,7 +3,7 @@ metadata:
     name: "Springboot logfile actuator"
     description: "Springboot logfile actuator exposed and may expose sensitive information"
     author: "Mateusz Dabrowski (dbrwsky)"
-		tags: "actuator", "springboot", "exposure", "informative"
+	tags: "actuator", "springboot", "exposure", "informative"
 
 run for each:
     potential_path =
@@ -15,14 +15,13 @@ given host then
         method: "GET"
         path: {potential_path}
 
-    if {check.response.status_code} is "200" then 
-			if "[main]" in {check.response.body} and "INFO" in {check.response.body} then
-				if "text/plain" in {check.response.headers} then
-			        report issue:
-			            severity: low
-			            confidence: certain
-			            detail: `Springboot logfile actuator found at {potential_path}.`
-			            remediation: "Ensure logfile actuator is not exposed and doesn't contain sensitive information."
-				end if
-			end if
-		end if
+    if {check.response.status_code} is "200" 
+        and "[main]" in {check.response.body} 
+        and "INFO" in {check.response.body} 
+        and "text/plain" in {check.response.headers} then
+	        report issue:
+	            severity: low
+	            confidence: certain
+	            detail: `Springboot logfile actuator found at {potential_path}.`
+	            remediation: "Ensure logfile actuator is not exposed and doesn't contain sensitive information."
+	end if