tirith-core 0.1.9

Terminal security analysis engine - homograph attacks, pipe-to-shell, ANSI injection
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139

use crate::parse::UrlLike;
use crate::verdict::{Evidence, Finding, RuleId, Severity};

/// Run transport rules against a parsed URL.
pub fn check(url: &UrlLike, in_sink_context: bool) -> Vec<Finding> {
    let mut findings = Vec::new();

    check_plain_http_to_sink(url, in_sink_context, &mut findings);
    check_shortened_url(url, &mut findings);

    if matches!(url, UrlLike::SchemelessHostPath { .. }) && in_sink_context {
        findings.push(Finding {
            rule_id: RuleId::SchemelessToSink,
            severity: Severity::Medium,
            title: "Schemeless URL in sink context".to_string(),
            description:
                "URL without explicit scheme passed to a command that downloads/executes content"
                    .to_string(),
            evidence: vec![Evidence::Url { raw: url.raw_str() }],
        });
    }

    findings
}

fn check_plain_http_to_sink(url: &UrlLike, in_sink: bool, findings: &mut Vec<Finding>) {
    if let Some(scheme) = url.scheme() {
        if scheme == "http" && in_sink {
            findings.push(Finding {
                rule_id: RuleId::PlainHttpToSink,
                severity: Severity::High,
                title: "Plain HTTP URL in execution context".to_string(),
                description: format!(
                    "URL '{}' uses unencrypted HTTP and is being passed to a command that downloads or executes content. An attacker on the network could modify the content.",
                    url.raw_str()
                ),
                evidence: vec![Evidence::Url { raw: url.raw_str() }],
            });
        }
    }
}

fn check_shortened_url(url: &UrlLike, findings: &mut Vec<Finding>) {
    let shorteners = [
        "bit.ly",
        "t.co",
        "tinyurl.com",
        "is.gd",
        "v.gd",
        "goo.gl",
        "ow.ly",
    ];

    if let Some(host) = url.host() {
        let host_lower = host.to_lowercase();
        if shorteners.iter().any(|s| host_lower == *s) {
            findings.push(Finding {
                rule_id: RuleId::ShortenedUrl,
                severity: Severity::Medium,
                title: "Shortened URL detected".to_string(),
                description: format!(
                    "URL uses shortener '{host}' which hides the actual destination"
                ),
                evidence: vec![Evidence::Url { raw: url.raw_str() }],
            });
        }
    }
}

fn strip_quotes_simple(s: &str) -> String {
    let s = s.trim();
    if s.len() >= 2
        && ((s.starts_with('"') && s.ends_with('"')) || (s.starts_with('\'') && s.ends_with('\'')))
    {
        s[1..s.len() - 1].to_string()
    } else {
        s.to_string()
    }
}

/// Check command arguments for insecure TLS flags.
pub fn check_insecure_flags(args: &[String], in_sink: bool) -> Vec<Finding> {
    let mut findings = Vec::new();
    let insecure_flags = ["-k", "--insecure", "--no-check-certificate"];

    for arg in args {
        let clean = strip_quotes_simple(arg);
        if insecure_flags.contains(&clean.as_str()) {
            let severity = if in_sink {
                Severity::High
            } else {
                Severity::Medium
            };
            findings.push(Finding {
                rule_id: RuleId::InsecureTlsFlags,
                severity,
                title: "Insecure TLS flag detected".to_string(),
                description: format!(
                    "Flag '{arg}' disables TLS certificate verification, allowing MITM attacks"
                ),
                evidence: vec![Evidence::CommandPattern {
                    pattern: "insecure TLS flag".to_string(),
                    matched: arg.to_string(),
                }],
            });
        }
    }

    findings
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_quoted_insecure_flags() {
        let args = vec!["\"-k\"".to_string(), "https://example.com".to_string()];
        let findings = check_insecure_flags(&args, true);
        assert!(!findings.is_empty(), "should detect -k even when quoted");
    }

    #[test]
    fn test_single_quoted_insecure_flags() {
        let args = vec!["'-k'".to_string()];
        let findings = check_insecure_flags(&args, true);
        assert!(
            !findings.is_empty(),
            "should detect -k even when single-quoted"
        );
    }

    #[test]
    fn test_unquoted_insecure_flags_still_work() {
        let args = vec!["-k".to_string()];
        let findings = check_insecure_flags(&args, true);
        assert!(!findings.is_empty());
    }
}