Blindly using `pip` against system Python packages in RHEL-based systems is a direct recipe to disaster. Added notes about the existing prebuilt package.
# GIXY

## Overview

Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
Currently supported Python versions are 2.7, 3.5, 3.6 and 3.7.
Disclaimer: Gixy is well tested only on GNU/Linux; other OSs may have some issues.

## What it can do

Right now Gixy can find:
- [ssrf] Server Side Request Forgery
- [http_splitting] HTTP Splitting
- [origins] Problems with referrer/origin validation
- [add_header_redefinition] Redefinition of response headers by the "add_header" directive
- [host_spoofing] Request's Host header forgery
- [valid_referers] none in valid_referers
- [add_header_multiline] Multiline response headers
- [alias_traversal] Path traversal via misconfigured alias
Things that Gixy is still learning to detect are tracked in the repository's issues labeled "new plugin".

## Installation

### RHEL/CentOS 7

```shell
yum install https://extras.getpagespeed.com/release-el7-latest.rpm
yum install gixy
```

### Other systems

Gixy is distributed on PyPI. The best way to install it is with pip:

```shell
pip install gixy
```

Run Gixy and check the results:

```shell
gixy
```
## Usage

By default Gixy will try to analyze the Nginx configuration placed in /etc/nginx/nginx.conf, but you can always specify the path you need:
```
$ gixy /etc/nginx/nginx.conf
==================== Results ===================
Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/ru/plugins/httpsplitting.md
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;

	server {

		location ~ /v1/((?<action>[^.]*)\.json)?$ {
			add_header X-Action $action;
		}
	}

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 1
```
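To make the http_splitting finding above concrete, here is an added example that is not gixy's own code (gixy parses the full configuration tree, includes and all). It applies the same idea with a deliberately simplified, regex-based check: a named capture in a `location` regex whose character class can match "\n" makes the corresponding variable unsafe to place in `add_header`. The two configurations (one mirroring the README's pseudo config, one hardened with an allow-list class), the `capture_can_contain_newline` heuristic and the `find_http_splitting` helper are all constructed for this example.

```python
import re

# Constructed sample configurations (not taken from any real /etc/nginx).
# The first mirrors the README's pseudo config: the "action" capture uses
# the class [^.]*, which in PCRE also matches "\n", so $action can carry a
# newline into the X-Action response header.
VULNERABLE_CONF = r"""
server {
    location ~ /v1/((?<action>[^.]*)\.json)?$ {
        add_header X-Action $action;
    }
}
"""

# Hardened variant (assumption: an allow-list class that cannot match "\n"
# is an acceptable fix for this deployment).
HARDENED_CONF = r"""
server {
    location ~ /v1/((?<action>[A-Za-z0-9_-]*)\.json)?$ {
        add_header X-Action $action;
    }
}
"""

# Simplified single-line matchers; real Nginx parsing (as gixy does it)
# handles nesting, includes and quoting that these ignore.
LOCATION_RE = re.compile(r"location\s+~\*?\s+(?P<regex>\S+)\s*\{")
CAPTURE_RE = re.compile(r"\(\?<(?P<name>\w+)>(?P<body>[^)]*)\)")
ADD_HEADER_RE = re.compile(r"add_header\s+(?P<header>\S+)\s+(?P<value>[^;]+);")
VARIABLE_RE = re.compile(r"\$(\w+)")


def capture_can_contain_newline(body):
    """Return True if a named-capture body (e.g. "[^.]*") can match a newline.

    Heuristic: run the fragment, as a Python regex, over a probe string that
    contains one newline and see whether any match swallows it. Python's re
    dialect behaves like PCRE for the simple classes seen in location regexes
    (negated classes match "\\n"; "." and "\\S" do not). A fragment that does
    not compile is reported as unsafe so the check errs on the side of noise.
    """
    try:
        match = re.search(body, "a\nb")
    except re.error:
        return True
    return match is not None and "\n" in match.group(0)


def find_http_splitting(conf):
    """Return (header, variable) pairs where add_header uses a variable that
    is captured by a location regex able to contain "\\n"."""
    unsafe_vars = set()
    for loc in LOCATION_RE.finditer(conf):
        for cap in CAPTURE_RE.finditer(loc.group("regex")):
            if capture_can_contain_newline(cap.group("body")):
                unsafe_vars.add(cap.group("name"))

    findings = []
    for hdr in ADD_HEADER_RE.finditer(conf):
        for var in VARIABLE_RE.findall(hdr.group("value")):
            if var in unsafe_vars:
                findings.append((hdr.group("header"), var))
    return findings


def summarize(conf):
    """Count findings under the severity the README's summary assigns to
    this problem (High); the other severity buckets are not produced here."""
    return {"High": len(find_http_splitting(conf))}


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, find_http_splitting(conf), summarize(conf))
```

Running the script reports `[("X-Action", "action")]` for the first configuration and nothing for the hardened one. The heuristic is intentionally conservative: any fragment it cannot compile is treated as unsafe, which is the right default for a linter whose job is to surface misconfiguration for a human to confirm.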
Or skip some tests:

```
$ gixy --skips http_splitting /etc/nginx/nginx.conf
==================== Results ===================
No issues found.

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 0
```

All other Gixy arguments are listed by the help command: `gixy --help`.
## Docker usage

Gixy is available as a Docker image from the Docker hub. To use it, mount the configuration that you want to analyse as a volume and provide the path to the configuration file when running the Gixy image.

```shell
$ docker run --rm -v `pwd`/nginx.conf:/etc/nginx/conf/nginx.conf yandex/gixy /etc/nginx/conf/nginx.conf
```
If you have an image that already contains your nginx configuration, you can share the configuration with the Gixy container as a volume.

```
$ docker run --rm --name nginx -d -v /etc/nginx nginx:alpine
f68f2833e986ae69c0a5375f9980dc7a70684a6c233a9535c2a837189f14e905
$ docker run --rm --volumes-from nginx yandex/gixy /etc/nginx/nginx.conf
==================== Results ===================
No issues found.

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 0
```
## Contributing

Contributions to Gixy are always welcome! You can help us in different ways:
- Open an issue with suggestions for improvements and errors you're facing;
- Fork this repository and submit a pull request;
- Improve the documentation.

Code guidelines:
- Python code style should follow PEP 8 standards whenever possible;
- Pull requests with new plugins must include unit tests for them.