Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/simonkowallik/irulescan

:shield: irulescan - static security analyzer for iRules
https://github.com/simonkowallik/irulescan

docker docker-image f5 f5-bigip f5networks irules security tcl

Last synced: 3 months ago
JSON representation

:shield: irulescan - static security analyzer for iRules

Awesome Lists containing this project

README 

        




    irulescan






    static security analyzer for iRules




---







    build





    container image size





    releases






`irulescan` is a tool to scan iRules for unexpected/unsafe expressions that may have undesirable effects like double substitution.



`irulescan` would not exist without [tclscan](https://github.com/aidanhs/tclscan).



It is available as a docker/container image as well as a Github Action [`irulescan-action`](https://github.com/marketplace/actions/irules-security-scan).



## Usage



It is easiest to use the irulescan container to scan your irules. It is available via [docker hub](https://hub.docker.com/r/simonkowallik/irulescan) as we as [ghcr.io](https://github.com/simonkowallik/irulescan/pkgs/container/irulescan).



The container will recursively scan files within the `/scandir` folder of the container and return the result in YAML format.

Files with the (case insensitive) extensions `.tcl`, `.irul` and `.irule` will be considered.



### Command line



Scanning a directory (`$PWD/tests/basic`):



```sh

docker run --rm -v "$PWD/tests/basic:/scandir" simonkowallik/irulescan

---

/dangerous.tcl: |

  WARNING: Unquoted expr at `1` in `expr 1 + $one`

  WARNING: Unquoted expr at `+` in `expr 1 + $one`

  DANGEROUS: Dangerous unquoted expr at `$one` in `expr 1 + $one`

/ok.tcl: |

/warning.tcl: |

  WARNING: Unquoted expr at `1` in `expr 1 + 1`

  WARNING: Unquoted expr at `+` in `expr 1 + 1`

  WARNING: Unquoted expr at `1` in `expr 1 + 1`

```














Scanning a single file (`$PWD/tests/tcl/catch.tcl`):



```sh

docker run --rm -v "$PWD/tests/tcl/catch.tcl:/scandir/catch.tcl" simonkowallik/irulescan

---

/catch.tcl: |

  WARNING: Unquoted expr at `1` in `expr 1`

  WARNING: Unquoted expr at `2` in `expr 2`

```














Invoking irulescan directly:



```sh

docker run --rm simonkowallik/irulescan irulescan

```



The container ships with a simple shell script, `scandir.sh`, which can be invoked directly.

This is especially useful when using a CI system with custom mount points (eg. `/custom/path`), here is an example:



```sh

docker run --rm \

  -v "$PWD/tests/tcl/:/custom/path" \

  simonkowallik/irulescan /scandir.sh /custom/path

```



> ***Note:*** When using `-t, --tty` with `docker run` newlines will use CRLF ("Windows style") instead of LF ("unix style")



### API Server



The irulescan container tag `:apiserver` ships with a simple Swagger / OpenAPI server.



Start the API server:



```sh

docker run -t --rm -p 80:80 simonkowallik/irulescan:apiserver

```



Scanning a single file:



```sh

curl -s http://localhost/scan/ --data-binary '@tests/basic/dangerous.tcl'

```














Scanning multiple files:



```sh

curl -s http://localhost/scanfiles/ -F 'file=@tests/basic/warning.tcl' -F 'file=@tests/basic/ok.tcl'

```














Here is a demo of the Swagger UI:







simonkowallik/irulescan:apiserver






## Additional resources



For safer authoring the VS Code iRules Extension is highly recommended:



- [F5 Networks iRules by bitwisecook](https://marketplace.visualstudio.com/items?itemName=bitwisecook.iRule) [on github](https://github.com/bitwisecook/vscode-iRule)



- [Avoiding Common iRules Security Pitfalls on F5 DevCentral](https://community.f5.com/t5/technical-articles/avoiding-common-irules-security-pitfalls/ta-p/306623)



- [iRules Style Guide on F5 DevCentral](https://community.f5.com/t5/technical-articles/irules-style-guide/ta-p/305921)