# irulescan

static security analyzer for iRules

`irulescan` is a tool to scan iRules for unexpected/unsafe expressions that may have undesirable effects like double substitution.

`irulescan` would not exist without tclscan.

It is available as a docker/container image as well as a Github Action, `irulescan-action`.
## Usage

It is easiest to use the irulescan container to scan your iRules. It is available via Docker Hub as well as ghcr.io.

The container will recursively scan files within the `/scandir` folder of the container and return the result in YAML format. Files with the (case insensitive) extensions `.tcl`, `.irul` and `.irule` will be considered.
### Command line

Scanning a directory (`$PWD/tests/basic`):

```shell
docker run -i --rm -v $PWD/tests/basic:/scandir simonkowallik/irulescan
```

```yaml
---
/dangerous.tcl: |
  WARNING: Unquoted expr at `1` in `expr 1 + $one`
  WARNING: Unquoted expr at `+` in `expr 1 + $one`
  DANGEROUS: Dangerous unquoted expr at `$one` in `expr 1 + $one`
/ok.tcl: |
/warning.tcl: |
  WARNING: Unquoted expr at `1` in `expr 1 + 1`
  WARNING: Unquoted expr at `+` in `expr 1 + 1`
  WARNING: Unquoted expr at `1` in `expr 1 + 1`
```

Scanning a single file (`$PWD/tests/tcl/catch.tcl`):

```shell
docker run -i --rm -v $PWD/tests/tcl/catch.tcl:/scandir/catch.tcl simonkowallik/irulescan
```

```yaml
---
/catch.tcl: |
  WARNING: Unquoted expr at `1` in `expr 1`
  WARNING: Unquoted expr at `2` in `expr 2`
```
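As an added illustration of what the report above is flagging (this is not irulescan's own code, only a simplified stand-in written for this page), the script below reproduces the three verdicts for the page's sample files. It relies on one Tcl property: the arguments of an unbraced `expr 1 + $one` are substituted by the interpreter first and then parsed again by `expr`, so a variable or command substitution is evaluated twice, whereas `expr {1 + $one}` hands the literal text to `expr`, which substitutes exactly once. The `has_dangerous` CI gate, the `SAMPLE_FILES` contents and the simplified tokenizer are assumptions made for the example.

```python
"""Simplified checker for unbraced Tcl expr arguments (added example, not irulescan)."""
import re
from typing import Dict, List

# One Tcl word: braced group, quoted string, bracketed command, or a bare run.
# Simplification (assumption): nesting inside braces/brackets is not tracked here.
WORD_RE = re.compile(r'\{[^}]*\}|"[^"]*"|\[[^\]]*\]|\S+')

# `expr` as a command word, not part of `$expr` or `myexpr`.
EXPR_RE = re.compile(r'(?<![\w$])expr\s+')


def expr_arguments(text: str, start: int) -> str:
    """Return the argument text of an expr command whose arguments begin at `start`.

    Walks forward tracking [ ] and { } nesting and stops at end of line, at a
    top-level `;`, or at the unbalanced `]` that closes an enclosing [expr ...].
    """
    depth = 0
    out = []
    for ch in text[start:]:
        if ch in '[{':
            depth += 1
        elif ch in ']}':
            if depth == 0:
                break
            depth -= 1
        elif ch == ';' and depth == 0:
            break
        out.append(ch)
    return ''.join(out).strip()


def check_expr(args: str) -> List[str]:
    """Classify one expr call's arguments in the wording of the page's report."""
    words = WORD_RE.findall(args)
    # A single brace-quoted word: expr gets the literal text and substitutes
    # once itself, so there is nothing to report.
    if len(words) == 1 and words[0].startswith('{') and words[0].endswith('}'):
        return []
    findings = []
    for word in words:
        if '$' in word or '[' in word:
            # Substituted by the interpreter, then parsed again by expr:
            # the double substitution the tool warns about.
            findings.append(f'DANGEROUS: Dangerous unquoted expr at `{word}` in `expr {args}`')
        else:
            findings.append(f'WARNING: Unquoted expr at `{word}` in `expr {args}`')
    return findings


def scan_source(source: str) -> List[str]:
    """Scan Tcl source text line by line; comment lines are skipped."""
    findings: List[str] = []
    for line in source.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        for m in EXPR_RE.finditer(line):
            args = expr_arguments(line, m.end())
            if args:
                findings.extend(check_expr(args))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a mapping of file name -> source, like a directory scan."""
    return {name: scan_source(src) for name, src in files.items()}


def has_dangerous(report: Dict[str, List[str]]) -> bool:
    """CI gate (assumption): True when any file produced a DANGEROUS finding."""
    return any(f.startswith('DANGEROUS') for fs in report.values() for f in fs)


def format_report(report: Dict[str, List[str]]) -> str:
    """Render findings in the YAML-like layout shown in the page's output."""
    lines = ['---']
    for name in sorted(report):
        lines.append(f'{name}: |')
        lines.extend(f'  {f}' for f in report[name])
    return '\n'.join(lines)


# Constructed sample files mirroring the page's tests/basic directory.
SAMPLE_FILES = {
    '/dangerous.tcl': 'set one 1\nset x [expr 1 + $one]\n',
    '/ok.tcl': 'set one 1\nset x [expr {1 + $one}]\n',
    '/warning.tcl': 'set x [expr 1 + 1]\n',
}

if __name__ == '__main__':
    report = scan_files(SAMPLE_FILES)
    print(format_report(report))
    raise SystemExit(1 if has_dangerous(report) else 0)
```

Running the script prints the same three verdicts as the container does for `tests/basic` and exits non-zero when a `DANGEROUS` line is present, which is the shape of gate a pipeline would put around the real scanner's YAML output. The fix the findings point at is always the same: brace the expression (`expr {1 + $one}`) so the variable is substituted only once, by `expr` itself.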
Invoking irulescan directly:

```shell
docker run -i --rm simonkowallik/irulescan irulescan
```

The container ships with a simple shell script, `scandir.sh`, which can be invoked directly. This is especially useful when using a CI system with custom mount points (e.g. `/custom/path`); here is an example:

```shell
docker run -i --rm \
  -v $PWD/tests/tcl/:/custom/path \
  simonkowallik/irulescan /scandir.sh /custom/path
```

Note: When using `-t, --tty` with `docker run`, newlines will use CRLF ("Windows style") instead of LF ("unix style").
### API Server

The irulescan container tag `:apiserver` ships with a simple Swagger / OpenAPI server.

Start the API server:

```shell
docker run -it --rm -p 80:80 simonkowallik/irulescan:apiserver
```

Scanning a single file:

```shell
curl -s http://localhost/scan/ --data-binary '@tests/basic/dangerous.tcl'
```

Scanning multiple files:

```shell
curl -s http://localhost/scanfiles/ -F 'file=@tests/basic/warning.tcl' -F 'file=@tests/basic/ok.tcl'
```

Here is a demo of the Swagger UI:
## Additional resources

For safer authoring the VS Code iRules Extension is highly recommended: