github.com/yandex/gixy (release v0.1.21)
README

GIXY

License: Mozilla Public License 2.0

Overview

Gixy is a tool for analysing Nginx configuration. Its main purpose is to detect security problems, but it can also find other kinds of mistakes.

Officially supported Python versions are 2.7, 3.5, 3.6 and 3.7.


What it can do

At the moment Gixy can detect:

* [ssrf] Server Side Request Forgery
* [http_splitting] HTTP Splitting
* [origins] Problems with referrer/origin validation
* [add_header_redefinition] Redefinition of response headers set at a higher level by the "add_header" directive
* [host_spoofing] Spoofing of the Host request header
* [valid_referers] none in valid_referers
* [add_header_multiline] Multiline response headers
* [alias_traversal] Path traversal when using alias

Problems that Gixy is still learning to detect can be found in the Issues labelled "new plugin".

Installation

The simplest way to install Gixy is to use pip to install it from PyPI:

pip install gixy

Usage

After installation the gixy console utility should be available. By default Gixy looks for the configuration at the standard path /etc/nginx/nginx.conf, but you can point it at a different location:

$ gixy /etc/nginx/nginx.conf

==================== Results ===================

Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/yandex/gixy/wiki/ru/httpsplitting
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;

    server {

        location ~ /v1/((?<action>[^.]*)\.json)?$ {
            add_header X-Action $action;
        }
    }


==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 1
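To make the finding above concrete, here is the flagged location beside a hardened variant. This is an added example and not part of the gixy README; the `[\w-]+` character class, the `^` anchor and the two `server_name` values are assumptions chosen for illustration.

```nginx
# Weak variant: the configuration gixy reports above.
# The negated class [^.]* also matches CR and LF, so $action may contain
# "\n". A newline inside $action ends the X-Action header line and lets
# further header lines be injected into the response (HTTP splitting).
server {
    listen 80;
    server_name weak.example;   # assumed name for this example

    location ~ /v1/((?<action>[^.]*)\.json)?$ {
        add_header X-Action $action;
    }
}

# Hardened variant (assumed fix, not from the gixy README).
# A positive class such as [\w-]+ can never match a line break, so the
# captured $action cannot carry "\n" into the header. Anchoring with ^
# also prevents the pattern from matching in the middle of a longer path.
server {
    listen 80;
    server_name hardened.example;   # assumed name for this example

    location ~ ^/v1/((?<action>[\w-]+)\.json)?$ {
        add_header X-Action $action;
    }
}
```

Running `gixy --tests http_splitting` against a file containing only the hardened server block should no longer report the High issue; `-f json` gives the same result in machine-readable form.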

Gixy handles the include directive and tries to resolve all dependencies as correctly as possible; if something goes wrong, try running gixy with the -d flag to print additional information. All available options:

$ gixy -h
usage: gixy [-h] [-c CONFIG_FILE] [--write-config CONFIG_OUTPUT_PATH]
            [-v] [-l] [-f {console,text,json}] [-o OUTPUT_FILE] [-d]
            [--tests TESTS] [--skips SKIPS] [--disable-includes]
            [--origins-domains domains]
            [--origins-https-only https_only]
            [--add-header-redefinition-headers headers]
            [nginx.conf]

Gixy - a Nginx configuration [sec]analyzer

positional arguments:
  nginx.conf            Path to nginx.conf, e.g. /etc/nginx/nginx.conf

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG_FILE, --config CONFIG_FILE
                        config file path
  --write-config CONFIG_OUTPUT_PATH
                        takes the current command line args and writes them
                        out to a config file at the given path, then exits
  -v, --version         show program's version number and exit
  -l, --level           Report issues of a given severity level or higher (-l
                        for LOW, -ll for MEDIUM, -lll for HIGH)
  -f {console,text,json}, --format {console,text,json}
                        Specify output format
  -o OUTPUT_FILE, --output OUTPUT_FILE
                        Write report to file
  -d, --debug           Turn on debug mode
  --tests TESTS         Comma-separated list of tests to run
  --skips SKIPS         Comma-separated list of tests to skip
  --disable-includes    Disable "include" directive processing

plugins options:
  --origins-domains domains
                        Default: *
  --origins-https-only https_only
                        Default: False
  --add-header-redefinition-headers headers
                        Default: content-security-policy,x-xss-
                        protection,x-frame-options,x-content-type-
                        options,strict-transport-security,cache-control


available plugins:
    host_spoofing
    add_header_multiline
    http_splitting
    valid_referers
    origins
    add_header_redefinition
    ssrf

Contributing

Contributions to Gixy are always welcome! You can help us in different ways:

* Open an issue with suggestions for improvements and errors you're facing;
* Fork this repository and submit a pull request;
* Improve the documentation.

Code guidelines:

* Python code style should follow pep8 standards whenever possible;
* Pull requests with new plugins must have unit tests for them.
