Nmap Development mailing list archives
Re: [NSE] Script Dependencies Replacement for Runlevels
From: Fyodor <fyodor () insecure org>
Date: Tue, 10 Nov 2009 19:30:40 -0800
On Tue, Nov 10, 2009 at 09:51:32AM -0700, David Fifield wrote:
On Tue, Nov 10, 2009 at 09:25:16AM -0600, Ron wrote:
David Fifield wrote:

That's a pretty good example. How do you see your script being invoked? I can think of a few options. Below when I say "list all scripts" I mean you can name the scripts individually or by category with --script, or have them selected automatically by being in the default category.

1. You have to list all scripts, including dependencies, or Nmap will stop with an error.
2. If a dependency for a script is not listed, that script just won't run even if you asked for it.
3. Nmap won't run if not all dependencies are listed, but there is an option to automatically include any required dependencies.
4. Same as #2, with an option to automatically add dependencies.
5. Required dependencies are always added automatically; you may have scripts run that you didn't ask for specifically.
I'm not sure that we need "strong dependencies", but if we do then I prefer #5 so that Nmap adds them automatically. The reasons for this are:

1) Users should not have to know the implementation details of the scripts they want to run. If the sql-injection script uses an http-spider script rather than a library or handling it internally, users should not have to know that and recite it in their command line. But Nmap can always note in verbose mode if it is pulling in a dependency.

2) If the dependencies are added implicitly, Nmap will only include the ones actually needed. If users are responsible, they may load up the command line with dependency scripts, some of which might not even be needed for a run. It would be a waste to have the likes of http-spider run and use a lot of bandwidth if it turns out that no script even used the results.

Of course we also wouldn't want someone to specify one safe script and have it specify a dependency which causes a dangerous script to run and do something completely different. But that should never happen in the first place. Scripts should not depend on another script which does something likely to be unexpected to the user.

Of course we can avoid the whole issue if we don't allow required dependencies in the first place.

Cheers,
Fyodor
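Option #5 from this message, sketched in Lua as an added example; it is not Nmap's code and was not posted in the thread. The script names sql-injection and http-spider come from the message, while the other scripts, the `requires` field, the `resolve` function and the verbose line format are assumptions made up for the illustration.

```lua
-- Constructed script table: each name maps to the scripts it requires.
-- The `requires` field is hypothetical, not an NSE script field.
local scripts = {
  ["http-spider"]   = { requires = {} },
  ["sql-injection"] = { requires = { "http-spider" } },
  ["http-title"]    = { requires = {} },
  ["smb-enum"]      = { requires = { "smb-login" } },
  ["smb-login"]     = { requires = {} },
}

-- Returns the run order (dependencies first) and the list of scripts that
-- were pulled in without being named by the user.
local function resolve(selected, verbose)
  local chosen = {}
  for _, name in ipairs(selected) do chosen[name] = true end
  local state, order, implicit = {}, {}, {}

  local function visit(name, wanted_by)
    local script = scripts[name]
    if not script then
      error(("unknown script %q required by %s"):format(name, wanted_by))
    end
    if state[name] == "done" then return end
    if state[name] == "visiting" then
      error("dependency cycle through " .. name)
    end
    state[name] = "visiting"
    for _, dep in ipairs(script.requires) do visit(dep, name) end
    state[name] = "done"
    order[#order + 1] = name
    if not chosen[name] then
      implicit[#implicit + 1] = name
      if verbose then  -- constructed message format
        print(("NSE: adding %s (required by %s)"):format(name, wanted_by))
      end
    end
  end

  for _, name in ipairs(selected) do visit(name, "command line") end
  return order, implicit
end

local order, implicit = resolve({ "sql-injection", "http-title" }, true)
print("run order: " .. table.concat(order, ", "))
print("implicit:  " .. table.concat(implicit, ", "))
```

Only the dependencies reachable from the requested scripts are visited, so smb-login is never scheduled here, and the `implicit` list gives a reviewer the exact set of scripts that ran without being asked for.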