
addressed 2019-08-18 CRAN comments

master
boB Rudis 5 years ago
parent
commit
0465240a91
No known key found for this signature in database GPG Key ID: 1D7529BE14E2BBA9
  1. 7
      DESCRIPTION
  2. 48
      README.Rmd
  3. 164
      README.md
  4. 37
      cran-comments.md
  5. 119
      src/security.cpp

7
DESCRIPTION

@ -1,8 +1,8 @@
Package: securitytxt
Type: Package
Title: Identify and Parse Web Security Policies Files
Version: 0.1.0
Date: 2017-10-20
Version: 0.1.1
Date: 2019-08-18
Authors@R: c(
person("Bob", "Rudis", email = "bob@rud.is", role = c("aut", "cre"),
comment = c(ORCID = "0000-0001-5670-2640")),
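Review bot: the Version bump to 0.1.1 and the new Date are fine, but the rendered README.md in this same commit still prints `packageVersion("securitytxt")` as `'0.1.0'`, so the README was knit against the previously installed build; re-knit it after installing 0.1.1 so the rendered output agrees with DESCRIPTION.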
@ -22,6 +22,7 @@ URL: https://gitlab.com/hrbrmstr/securitytxt
BugReports: https://gitlab.com/hrbrmstr/securitytxt/issues
Copyright: file inst/COPYRIGHTS
License: MIT + file LICENSE
Encoding: UTF-8
Suggests:
testthat,
covr
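Review bot: adding `Encoding: UTF-8` is the right move now that the rendered README carries non-ASCII curly quotes (‘security.txt’, ‘IETF’); make sure the DESCRIPTION Description field and any roxygen comments containing such characters are actually saved as UTF-8, otherwise R CMD check will still report them.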
@ -29,5 +30,5 @@ Depends:
R (>= 3.2.0)
Imports:
Rcpp
RoxygenNote: 6.0.1
RoxygenNote: 6.1.1
LinkingTo: Rcpp
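Review bot: RoxygenNote moves from 6.0.1 to 6.1.1, which normally means roxygen was re-run, yet no NAMESPACE or man/ changes appear in this commit (only DESCRIPTION, the READMEs, cran-comments.md and src/security.cpp are touched); confirm the documentation was regenerated with 6.1.1, or drop this line change until it is.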

48
README.Rmd

@ -1,26 +1,21 @@
---
output: rmarkdown::github_document
output:
rmarkdown::github_document:
df_print: kable
editor_options:
chunk_output_type: console
---
```{r pkg-knitr-opts, include=FALSE}
hrbrpkghelpr::global_opts()
```
[![Build Status](https://travis-ci.org/hrbrmstr/securitytxt.svg?branch=master)](https://travis-ci.org/hrbrmstr/securitytxt)
[![Build status](https://ci.appveyor.com/api/projects/status/o654jge4mce4a7lg?svg=true)](https://ci.appveyor.com/project/hrbrmstr/securitytxt)
![Coverage Status](http://img.shields.io/codecov/c/github/hrbrmstr/securitytxt/master.svg)
# securitytxt
Identify and Parse Web Security Policies Files
## Description
When security risks in web services are discovered by independent
security researchers who understand the severity of the risk, they
often lack the channels to properly disclose them. As a result,
security issues may be left unreported. The 'security.txt' 'Web Security Policies'
specification defines a 'IETF' standard to help organizations define the process
for security researchers to securely disclose security vulnerabilities.
```{r badges, results='asis', echo=FALSE, cache=FALSE}
hrbrpkghelpr::stinking_badges()
```
Tools are provided to identify and parse 'security.txt' files, enabling analysis of
the usage of these policies.
```{r description, results='asis', echo=FALSE, cache=FALSE}
hrbrpkghelpr::yank_title_and_description()
```
- [IETF Draft](https://tools.ietf.org/html/draft-foudil-securitytxt-00)
- [Information hub](https://securitytxt.org/)
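Review bot: README.Rmd now depends on `hrbrpkghelpr` (called in the `pkg-knitr-opts`, `badges` and `description` chunks) at knit time, but that package is not listed under Suggests (only testthat and covr are); either add it to Suggests or state in the Rmd that it must be installed to knit the README, so contributors are not surprised by a missing-package error.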
@ -30,19 +25,14 @@ the usage of these policies.
The following functions are implemented:
- `sectxt`: Parse a 'security.txt' Web Security Policies file & create a 'sectxt' object
- `sectxt_info`: Retrieve a data frame of `security.txt` keys/values
- `sectxt_validate`: Validate a 'security.txt' Web Security Policies file
- `sectxt_url`: Determine `security.txt` URL for a given site/URL
```{r ingredients, results='asis', echo=FALSE, cache=FALSE}
hrbrpkghelpr::describe_ingredients()
```
## Installation
```{r eval=FALSE}
devtools::install_git("git://gitlab.com/hrbrmstr/securitytxt")
```
```{r message=FALSE, warning=FALSE, error=FALSE, include=FALSE}
options(width=120)
```{r install-ex, results='asis', echo=FALSE, cache=FALSE}
hrbrpkghelpr::install_block()
```
## Usage
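Review bot: replacing the hand-written `devtools::install_git("git://gitlab.com/hrbrmstr/securitytxt")` line with `hrbrpkghelpr::install_block()` is an improvement, since the rendered README now offers `remotes::install_gitlab`/`install_github` over HTTPS instead of the unauthenticated `git://` transport; one thing to check is the `options(width=120)` chunk at the end of this hunk, which in the diff as shown is followed directly by the `install-ex` chunk header with no closing fence in between, so verify the Rmd still knits cleanly.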

164
README.md

@ -1,123 +1,151 @@
[![Build Status](https://travis-ci.org/hrbrmstr/securitytxt.svg?branch=master)](https://travis-ci.org/hrbrmstr/securitytxt) [![Build status](https://ci.appveyor.com/api/projects/status/o654jge4mce4a7lg?svg=true)](https://ci.appveyor.com/project/hrbrmstr/securitytxt) ![Coverage Status](http://img.shields.io/codecov/c/github/hrbrmstr/securitytxt/master.svg)
securitytxt
===========
[![Project Status: Active – The project has reached a stable, usable
state and is being actively
developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)
[![Signed
by](https://img.shields.io/badge/Keybase-Verified-brightgreen.svg)](https://keybase.io/hrbrmstr)
![Signed commit
%](https://img.shields.io/badge/Signed_Commits-16.7%25-lightgrey.svg)
[![Linux build
Status](https://travis-ci.org/hrbrmstr/securitytxt.svg?branch=master)](https://travis-ci.org/hrbrmstr/securitytxt)
[![Windows build
status](https://ci.appveyor.com/api/projects/status/github/hrbrmstr/securitytxt?svg=true)](https://ci.appveyor.com/project/hrbrmstr/securitytxt)
[![Coverage
Status](https://codecov.io/gh/hrbrmstr/securitytxt/branch/master/graph/badge.svg)](https://codecov.io/gh/hrbrmstr/securitytxt)
[![cran
checks](https://cranchecks.info/badges/worst/securitytxt)](https://cranchecks.info/pkgs/securitytxt)
[![CRAN
status](https://www.r-pkg.org/badges/version/securitytxt)](https://www.r-pkg.org/pkg/securitytxt)
![Minimal R
Version](https://img.shields.io/badge/R%3E%3D-3.2.0-blue.svg)
![License](https://img.shields.io/badge/License-MIT-blue.svg)
# securitytxt
Identify and Parse Web Security Policies Files
Description
-----------
When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to properly disclose them. As a result, security issues may be left unreported. The 'security.txt' 'Web Security Policies' specification defines a 'IETF' standard to help organizations define the process for security researchers to securely disclose security vulnerabilities.
## Description
Tools are provided to identify and parse 'security.txt' files, enabling analysis of the usage of these policies.
When security risks in web services are discovered by independent
security researchers who understand the severity of the risk, they often
lack the channels to properly disclose them. As a result, security
issues may be left unreported. The ‘security.txt’ ‘Web Security
Policies’ specification defines an ‘IETF’ draft standard
<https://tools.ietf.org/html/draft-foudil-securitytxt-00> to help
organizations define the process for security researchers to securely
disclose security vulnerabilities. Tools are provided to help identify
and parse ‘security.txt’ files to enable analysis of the usage and
adoption of these policies.
- [IETF Draft](https://tools.ietf.org/html/draft-foudil-securitytxt-00)
- [Information hub](https://securitytxt.org/)
- [GitHub Organization](https://github.com/securitytxt)
- [IETF
Draft](https://tools.ietf.org/html/draft-foudil-securitytxt-00)
- [Information hub](https://securitytxt.org/)
- [GitHub Organization](https://github.com/securitytxt)
What's Inside The Tin
---------------------
## What’s Inside The Tin
The following functions are implemented:
- `sectxt`: Parse a 'security.txt' Web Security Policies file & create a 'sectxt' object
- `sectxt_info`: Retrieve a data frame of `security.txt` keys/values
- `sectxt_validate`: Validate a 'security.txt' Web Security Policies file
- `sectxt_url`: Determine `security.txt` URL for a given site/URL
- `sectxt_info`: Retrieve a data frame of security.txt keys/values
- `sectxt_url`: Determine security.txt URL for a given site/URL
- `sectxt_validate`: Validate a security.txt Web Security Policies
file
- `sectxt`: Parse a security.txt Web Security Policies file & create a
sectxt object
Installation
------------
## Installation
``` r
devtools::install_git("git://gitlab.com/hrbrmstr/securitytxt")
remotes::install_gitlab("hrbrmstr/securitytxt")
# or
remotes::install_github("hrbrmstr/securitytxt")
```
Usage
-----
NOTE: To use the ‘remotes’ install options you will need to have the
[{remotes} package](https://github.com/r-lib/remotes) installed.
## Usage
``` r
library(securitytxt)
# current verison
packageVersion("securitytxt")
```
## [1] '0.1.0'
## [1] '0.1.0'
``` r
# built-in example
x <- sectxt(readLines(system.file("extdata", "security.txt", package="securitytxt")))
sectxt_info(x)
```
## key value
## 1 contact security@example.com
## 2 encryption https://example.com/pgp-key.txt
<div class="kable-table">
``` r
# "live" example
(xurl <- sectxt_url("https://securitytxt.org"))
```
| key | value |
| :--------- | :-------------------------------- |
| contact | <security@example.com> |
| encryption | <https://example.com/pgp-key.txt> |
## [1] "https://securitytxt.org/.well-known/security.txt"
</div>
``` r
# "live" example
(xurl <- sectxt_url("https://securitytxt.org"))
## [1] "https://securitytxt.org/.well-known/security.txt"
x <- sectxt(url(xurl))
sectxt_info(x)
```
## key value
## 1 contact https://twitter.com/EdOverflow
<div class="kable-table">
``` r
sectxt_validate(x)
```
| key | value |
| :--------------- | :------------------------------------------- |
| contact | <https://hackerone.com/ed> |
| encryption | <https://keybase.pub/edoverflow/pgp_key.asc> |
| acknowledgements | <https://hackerone.com/ed/thanks> |
## [1] TRUE
</div>
``` r
sectxt_validate(x)
## [1] FALSE
x
```
## <Web Security Policies Object>
## # Our security address
## Contact: https://twitter.com/EdOverflow
## <Web Security Policies Object>
## # If you would like to report a security issue
## # you may report it to us on HackerOne.
## Contact: https://hackerone.com/ed
## Encryption: https://keybase.pub/edoverflow/pgp_key.asc
## Acknowledgements: https://hackerone.com/ed/thanks
``` r
# another "live" example
(xurl <- sectxt_url("https://rud.is/b"))
```
## [1] "https://rud.is/.well-known/security.txt"
``` r
## [1] "https://rud.is/.well-known/security.txt"
x <- sectxt(url(xurl))
sectxt_info(x)
```
## key value
## 1 contact bob@rud.is
## 2 encryption https://keybase.io/hrbrmstr/pgp_keys.asc?fingerprint=e5388172b81c210906f5e5605879179645de9399
## 3 disclosure Full
<div class="kable-table">
``` r
sectxt_validate(x)
```
| key | value |
| :--------- | :---------------------------------------------------------------------------------------------- |
| contact | <bob@rud.is> |
| encryption | <https://keybase.io/hrbrmstr/pgp_keys.asc?fingerprint=e5388172b81c210906f5e5605879179645de9399> |
| disclosure | Full |
## [1] TRUE
</div>
``` r
sectxt_validate(x)
## [1] TRUE
x
## <Web Security Policies Object>
## Contact: bob@rud.is
## Encryption: https://keybase.io/hrbrmstr/pgp_keys.asc?fingerprint=e5388172b81c210906f5e5605879179645de9399
## Disclosure: Full
```
## <Web Security Policies Object>
## Contact: bob@rud.is
## Encryption: https://keybase.io/hrbrmstr/pgp_keys.asc?fingerprint=e5388172b81c210906f5e5605879179645de9399
## Disclosure: Full
Code of Conduct
---------------
## Code of Conduct
Please note that this project is released with a [Contributor Code of Conduct](CONDUCT.md). By participating in this project you agree to abide by its terms.
Please note that this project is released with a [Contributor Code of
Conduct](CONDUCT.md). By participating in this project you agree to
abide by its terms.
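Review bot: the new rendered output for the securitytxt.org live example reports `sectxt_validate(x)` as `FALSE` (the previous knit showed `TRUE` for the older file) without a word of explanation; a showcase README that silently shows the reference site's own file failing validation either needs a sentence saying which field is rejected (the new file adds an `Acknowledgements` key alongside `Contact` and `Encryption`), or it is signalling that the validator rejects a file it should accept, which deserves a test. Two smaller points in the same hunk: `packageVersion()` still prints `'0.1.0'` although DESCRIPTION now says 0.1.1, and because the live examples fetch remote files at knit time the rendered output changes whenever those sites edit their security.txt, so consider pinning the examples to the bundled `extdata/security.txt` or noting the fetch date.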

37
cran-comments.md

@ -1,37 +0,0 @@
## Test environments
* local OS X install, R 3.4.2
* ubuntu 14.04 (on travis-ci), R oldrel, release & devel
* ubuntu 16.04.3 (local), R 3.4.1
* r-hub Windows
* win-builder (devel and release)
## R CMD check results
0 errors | 0 warnings | 1 note
* This is a new release.
## Reverse dependencies
This is a new release, so there are no reverse dependencies.
---
* I've used the new ORCID id in
Authors@R (not sure if I need
to note that but it's "new" so
figured it wldn't hurt to
mention it).
* There is extra copyright info
for the included C++ lib used
both in inst/COPYRIGHTS &
in the C++ source files.
* Some examples that require
internet connectivity are
marked 'dontrun' b/c they
are for illustration only.
* Tests are included and run
weekly on Travis-CI
* Tests are manuall run on AppVeyor
as well for all builds.
* Code coverage is also provided.
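Review bot: deleting cran-comments.md outright removes the only record of test environments and check results, while the commit message says this change addresses CRAN comments; the conventional approach is to replace it with an updated file (2019 test environments, current `R CMD check` results, and a short list of what was changed in response to the reviewer's comments) and keep it out of the tarball via .Rbuildignore rather than drop it.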

119
src/security.cpp

@ -13,77 +13,92 @@
namespace SecTxt {
void SecurityText::strip(std::string& string) {
string.erase(string.begin(), std::find_if(string.begin(), string.end(),
std::not1(std::ptr_fun<int, int>(std::isspace))));
string.erase(std::find_if(string.rbegin(), string.rend(),
std::not1(std::ptr_fun<int, int>(std::isspace))).base(), string.end());
}
void SecurityText::strip(std::string& string) {
bool SecurityText::getpair(std::istringstream& stream, std::string& key, std::string& value) {
string.erase(
string.begin(),
std::find_if(
string.begin(), string.end(),
[](int c) { return(!std::isspace(c)); }
)
);
while (getline(stream, key)) {
string.erase(
std::find_if(
string.rbegin(), string.rend(),
[](int c) { return(!std::isspace(c)); }
).base(), string.end()
);
size_t index = key.find('#');
}
if (index != std::string::npos) key.resize(index);
bool SecurityText::getpair(std::istringstream& stream, std::string& key, std::string& value) {
// Find the colon and divide it into key and value, skipping malformed lines
index = key.find(':');
if (index == std::string::npos) continue;
while (getline(stream, key)) {
value.assign(key.begin() + index + 1, key.end());
key.resize(index);
size_t index = key.find('#');
// Strip whitespace off of each
strip(key);
strip(value);
if (index != std::string::npos) key.resize(index);
// Lowercase the key
std::transform(key.begin(), key.end(), key.begin(), ::tolower);
// Find the colon and divide it into key and value, skipping malformed lines
index = key.find(':');
if (index == std::string::npos) continue;
return true;
}
return false;
}
value.assign(key.begin() + index + 1, key.end());
key.resize(index);
SecurityText::SecurityText(const std::string& content) {
// Strip whitespace off of each
strip(key);
strip(value);
orig_file = content;
// Lowercase the key
std::transform(key.begin(), key.end(), key.begin(), ::tolower);
std::istringstream input(content);
return true;
if (content.compare(0, 3, "\xEF\xBB\xBF") == 0) input.ignore(3);
}
std::string key, value;
return false;
while (SecurityText::getpair(input, key, value)) {
st_keys.push_back(key);
st_vals.push_back(value);
}
}
}
SecurityText::SecurityText(const std::string& content) {
std::string SecurityText::rawFile() {
return(orig_file);
}
orig_file = content;
std::vector< std::string > SecurityText::sectxtKeys() {
return(st_keys);
}
std::istringstream input(content);
std::vector< std::string > SecurityText::sectxtVals() {
return(st_vals);
}
if (content.compare(0, 3, "\xEF\xBB\xBF") == 0) input.ignore(3);
std::string SecurityText::securityUrl(const std::string& url) {
return Url::Url(url)
.setUserinfo("")
.setPath(".well-known/security.txt")
.setParams("")
.setQuery("")
.setFragment("")
.remove_default_port()
.str();
std::string key, value;
while (SecurityText::getpair(input, key, value)) {
st_keys.push_back(key);
st_vals.push_back(value);
}
}
std::string SecurityText::rawFile() {
return(orig_file);
}
std::vector< std::string > SecurityText::sectxtKeys() {
return(st_keys);
}
std::vector< std::string > SecurityText::sectxtVals() {
return(st_vals);
}
std::string SecurityText::securityUrl(const std::string& url) {
return Url::Url(url)
.setUserinfo("")
.setPath(".well-known/security.txt")
.setParams("")
.setQuery("")
.setFragment("")
.remove_default_port()
.str();
}
}
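Review bot: the lambdas replacing `std::not1(std::ptr_fun<int, int>(std::isspace))` in `strip()` fix the deprecated functors (`std::ptr_fun` is removed in C++17, `std::not1` deprecated there), but `std::isspace(int)` is still handed raw `char` values: on platforms where `char` is signed, any byte above 0x7F (UTF-8 content, which the BOM check in the constructor shows is anticipated) becomes a negative int, and calling `isspace` with a value that is neither EOF nor representable as `unsigned char` is undefined behaviour. Take the parameter as `unsigned char`, e.g. `[](unsigned char c) { return !std::isspace(c); }`, and apply the same cast to `::tolower` in the `std::transform` call in `getpair()`, which has the same problem.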
