GitHub has started to redirect raw.github.com to
raw.githubusercontent.com, breaking the installation scripts.
Paramter -L makes curl follow the redirect.
Previously, this was used to make writing tests easier without having to
run the entire integration test suite (of which it is still a part of).
Somehow it accidentally got committed.
Like the HINFO and MINFO RR's, TXT is vulnerable to RCE attacks and has
no purpose at the moment. TXT may be needed in the future (e.g. data
exfiltration) which is why it has been removed separately.
These RR's are very difficult to validate and, in their current state,
are vulnerable to RCE attacks. Furthermore, BeEF does not have a use for
these RR's.
Even though #print_more will display nothing since ''.split("\n").each()
iterates 0 times, it will still be called without this modifier which is
unnecessary.
Throw `UnknownDnsResourceError` instead of `InvalidDnsResourceError`
Prevents `[20:30:55][!] Internal error while adding DNS rule (uninitialized constant BeEF::Core::Models::Dns::Rule::InvalidDnsResourceError)` for invalid user supplied DNS response types.
'BeEF::Core::Models::Dns::Rule::InvalidDnsResourceError' does not exist, and it's unlikely we'll need to differentiate between invalid and unknown resource types.
This cleans up the API a bit by removing the requirement of placing #run
inside a Thread.new {EventMachine.next_tick {}} block. That should not
be the caller's responsibility.
Previously, upstream nameservers were configured by default even if the
config file did not specify them. Now upstream nameservers are only
used if they are specified. If none are given, then NXDOMAIN is
returned for unresolvable requests.
Even though it is unlikely that a user would remove these options from
the DNS config file, it is still good practice to have these safeguards
in place.
This is primarily intended to add clarity by reducing clutter. Moreover,
it also has the side effect of improving performance very slightly by
removing the overhead of calling #instance numerous times.
Many filter checks were removed because the new DNS extension performs
validation before performing any database operation.
Modified message for InvalidParamError to be more modular.
Uses BeEF::Filters to ensure that empty, null, and non-printable
patterns are tossed out. Added new InvalidDnsPatternError exception
class to handle these cases.
Renamed #validate_response to #format_callback since the name is more
appropriate.
Using parameterized methods is better structured coding style rather
than defining multiple similarly-behaved methods.
annex_region('crimea') # good
vs.
annex_crimea # bad
Changed regex in #is_valid_ip? to be more strict since it previously
would have matched an invalid IP such as 999.999.999.999. Changed its
name to #is_valid_ipv4?.
Added new #is_valid_ipv6? method that validates IPv6 addresses. It is
very comprehensive and will match normal IPv6 addresses, zero
compressed, link-local with zone index, and IPv6 addresses that have
IPv4 embedded, mapped, and translated.
Added new #is_valid_domain? method that validates domain names.
Perhaps the ugliest part of the DNS extension, it is also the most
crucial. This method ensures that a given resource and response are
appropriate for each other. It must also prevent RCE vulns since the
input is eval'd later on.
However, HINFO, MINFO, and especially TXT validation is not strict
enough. These three need to be reviewed scrupulously since a 100%
anti-RCE solution may prove to be difficult.
