Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [NSE] Script Dependencies Replacement for Runlevels

From: Fyodor <fyodor () insecure org>
Date: Tue, 10 Nov 2009 19:30:40 -0800
On Tue, Nov 10, 2009 at 09:51:32AM -0700, David Fifield wrote:

On Tue, Nov 10, 2009 at 09:25:16AM -0600, Ron wrote:

David Fifield wrote:


That's a pretty good example. How do you see your script being invoked.
I can think of a few options. Below when I say "list all scripts" I mean
you can name the scripts individually or by category with --script, or
have them selected automatically by being in the default category.

1. You have to list all scripts, including dependencies, or Nmap will
   stop with an error.
2. If a dependency for a script is not listed, that script just won't
   run even if you asked for it.
3. Nmap won't run if not all dependencies are listed, but there is an
   option to automatically include any required dependencies.
4. Same as #2, with an option to automatically add dependencies.
5. Required dependencies are always added automatically; you may have
   scripts run that you didn't ask for specifically.


I'm not sure that we need "strong dependencies", but if we do then I
prefer #5 so that Nmap adds them automatically.  The reasons for this
are:

1) Users should not have to know the implementation details of the
   scripts they want to run.  If the sql-injection script uses an
   http-spider script rather than a library or handling it internally,
   users should not have to know that and recite it in their command
   line.  But Nmap can always note in verbose mode if it is pulling in
   a dependency.

2) If the dependencies are added implicitly, Nmap will only include
   the ones actually needed.  If users are responsible, they may load
   up the command line with dependency scripts, some of which might
   not even be needed for a run.  It would be a waste to have the
   likes of http-spider run and use a lot of bandwidth if it turns out
   that no script even used the results.

Of course we also wouldn't want someone to specify one safe script and
have it specify a dependency which causes a dangerous script to run
and do something completely different.  But that should never happen
in the first place.  Scripts should not depend on another script which
does something likely to be unexpected to the user.

Of course we can avoid the whole issue if we don't allow required
dependencies in the first place.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: