From a338b1855ef694c78bc77e4557975a7b973e7329 Mon Sep 17 00:00:00 2001
From: Matt Tesauro
Date: Sun, 5 Dec 2021 00:38:59 -0600
Subject: [PATCH] Fix a couple of bugs (#32)

* Fix bug in installing PostgreSQL DB install process
* Remove use of legacy resolver for pip installs
* Ensure there's an admin email address provided, use default if not
* Ensure special characters in passwords are handled correctly when setting the initial web admin password
---
 embd/factory_2.0.3 | 73 ++++++++++++++++++++++++++++++++++++++++++++++
 ubuntu.go | 20 ++++++++-----
 util.go | 15 ++++++++++
 3 files changed, 101 insertions(+), 7 deletions(-)
 create mode 100644 embd/factory_2.0.3

diff --git a/embd/factory_2.0.3 b/embd/factory_2.0.3
new file mode 100644
index 0000000..4a8abd9
--- /dev/null
+++ b/embd/factory_2.0.3
@@ -0,0 +1,73 @@
+import logging
+from dojo.models import Test_Type
+
+PARSERS = {}
+# TODO remove that
+SCAN_SONARQUBE_API = 'SonarQube API Import'
+
+
+def register(parser_type):
+ for scan_type in parser_type().get_scan_types():
+ parser = parser_type()
+ if scan_type.endswith('detailed'):
+ parser.set_mode('detailed')
+ register_parser(scan_type, parser)
+
+
+def register_parser(scan_type, parser):
+ logging.debug(f"register scan_type:{scan_type} with parser:{parser}")
+ # check double registration or registration with an existing key
+ if scan_type in PARSERS:
+ raise ValueError(f"Try to register an existing parser '{scan_type}'")
+ PARSERS[scan_type] = parser
+
+
+def import_parser_factory(file, test, active, verified, scan_type=None):
+ """Return a parser by the scan type
+ This function exists only for backward compatibility
+ """
+ if scan_type in PARSERS:
+ # create dynamicaly in DB
+ test_type, created = Test_Type.objects.get_or_create(name=scan_type)
+ if created:
+ test_type.save()
+ return PARSERS[scan_type]
+ else:
+ raise ValueError(f'Unknown Test Type {scan_type}')
+
+
+def get_choices():
+ res = list()
+ for key in PARSERS:
+ res.append((key, PARSERS[key].get_label_for_scan_types(key)))
+ return tuple(res)
+
+
+def requires_file(scan_type):
+ if scan_type is None or scan_type not in PARSERS:
+ return False
+ # FIXME switch to method of the parser
+ # parser = PARSERS[scan_type]
+ return scan_type != SCAN_SONARQUBE_API
+
+
+import os
+from inspect import isclass
+from pkgutil import iter_modules
+from pathlib import Path
+from importlib import import_module
+
+# iterate through the modules in the current package
+package_dir = str(Path(__file__).resolve().parent)
+for (path, module_name, _) in iter_modules([package_dir]):
+ # check if it's submodule
+ if os.path.isdir(os.path.join(package_dir, module_name)):
+ try:
+ # import the module and iterate through its attributes
+ module = import_module(f"dojo.tools.{module_name}.parser")
+ for attribute_name in dir(module):
+ attribute = getattr(module, attribute_name)
+ if isclass(attribute) and attribute_name.lower() == module_name.replace("_", "") + 'parser':
+ register(attribute)
+ except:
+ logging.exception(f"failed to load {module_name}")
diff --git a/ubuntu.go b/ubuntu.go
index 337ff13..63d9960 100644
--- a/ubuntu.go
+++ b/ubuntu.go
@@ -165,8 +165,8 @@ func ubuntuInstPostgreSQLClient(id string, b *osCmds) {
 b.id = id
 b.cmds = []string{
 "DEBIAN_FRONTEND=noninteractive apt-get install -y postgresql-client-12",
- "/usr/sbin/groupadd -f postgres",
- "/usr/sbin/useradd -s /bin/bash -m -g postgres postgres",
+ "/usr/sbin/groupadd -f postgres", // TODO: consider using os.Group.Lookup before calling this
+ "/usr/sbin/useradd -s /bin/bash -m -g postgres postgres", // TODO: consider using os.User.Lookup before calling this
 }
 b.errmsg = []string{
 "Unable to install PostgreSQL client",
@@ -276,10 +276,10 @@ func ubuntuOSPrep(id string, inst *config.InstallConfig, b *osCmds) {
 b.cmds = []string{
 "python3 -m virtualenv --python=/usr/bin/python3 " + inst.Root,
 inst.Root + "/bin/python3 -m pip install --upgrade pip",
- inst.Root + "/bin/pip3 install --use-deprecated=legacy-resolver -r " + inst.Root + "/django-DefectDojo/requirements.txt",
+ inst.Root + "/bin/pip3 install -r " + inst.Root + "/django-DefectDojo/requirements.txt",
 "mkdir " + inst.Root + "/logs",
- "/usr/sbin/groupadd -f " + inst.OS.Group,
- "id " + inst.OS.User + " &>/dev/null; if [ $? -ne 0 ]; then useradd -s /bin/bash -m -g " + inst.OS.Group + " " + inst.OS.User + "; fi",
+ "/usr/sbin/groupadd -f " + inst.OS.Group, // TODO: check with os.Group.Lookup
+ "id " + inst.OS.User + " &>/dev/null; if [ $? -ne 0 ]; then useradd -s /bin/bash -m -g " + inst.OS.Group + " " + inst.OS.User + "; fi", // TODO: check with os.User.Lookup
 "chown -R " + inst.OS.User + "." + inst.OS.Group + " " + inst.Root,
 }
 b.errmsg = []string{
@@ -334,12 +334,18 @@ func ubuntuSetupDDjango(id string, inst *config.InstallConfig, b *osCmds) {
 addCmd(b, "cd "+inst.Root+"/django-DefectDojo && source ../bin/activate && python3 manage.py migrate",
 "Failed during database migrate",
 true)
+ // Ensure there's a value for email as the call will fail without one
+ adminEmail := "default.user@defectdojo.org"
+ if len(inst.Admin.Email) > 0 {
+ // If user configures an incorrect email, this will still fail but that's on them, not godojo
+ adminEmail = inst.Admin.Email
+ }
 addCmd(b, "cd "+inst.Root+"/django-DefectDojo && source ../bin/activate && python3 manage.py createsuperuser --noinput --username=\""+
- inst.Admin.User+"\" --email=\""+inst.Admin.Email+"\"",
+ inst.Admin.User+"\" --email=\""+adminEmail+"\"",
 "Failed while creating DefectDojo superuser",
 true)
 addCmd(b, "cd "+inst.Root+"/django-DefectDojo && source ../bin/activate && "+
- inst.Root+"/django-DefectDojo/setup-superuser.expect "+inst.Admin.User+" "+inst.Admin.Pass,
+ inst.Root+"/django-DefectDojo/setup-superuser.expect "+inst.Admin.User+" \""+escSpCar(inst.Admin.Pass)+"\"",
 "Failed while setting the password for the DefectDojo superuser",
 true)
 // Roles showed up in 2.x.x
diff --git a/util.go b/util.go
index 806cf7b..4e04a1f 100644
--- a/util.go
+++ b/util.go
@@ -153,6 +153,21 @@ func addRedact(s string) {
 sensStr = append(sensStr, s)
 }
 
+func escSpCar(s string) string {
+ // Replace special characters that cause issues when exec'ing in Bash
+ fmt.Printf("Before escaping string - %s\n", s)
+
+ // Replace $ with \$
+ s = strings.ReplaceAll(s, "\\", "\\\\")
+ // Replace $ with \$
+ s = strings.ReplaceAll(s, "$", "\\$")
+ // Replace $ with \$
+ s = strings.ReplaceAll(s, "`", "\\`")
+
+ fmt.Printf("After escaping string - %s\n", s)
+ return s
+}
+
 // Deemb -
 func deemb(f []string, o string) error {
 // Testing embedding files
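Review bot: `adminEmail` and `inst.Admin.User` are spliced into the double-quoted bash command on the createsuperuser line without the escaping the password now receives, so a configured email or username containing `"`, `$` or a backtick breaks or alters that command exactly as the unescaped password did; the same helper applies, `escSpCar(inst.Admin.User)+"\" --email=\""+escSpCar(adminEmail)+"\"",`. The password also still travels as a command-line argument to setup-superuser.expect, which leaves it readable in the process table of the host for as long as the expect script runs; handing it to the script through stdin or an environment variable would keep it out of argv, though the script itself is not part of this diff so that side cannot be judged here. ubuntuSetupDDjango continues outside the hunk.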
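Review bot: The two `fmt.Printf` calls in escSpCar write the argument to stdout before and after escaping, and the only caller in this commit passes `inst.Admin.Pass`, so the superuser password is printed in clear text to the console and to whatever captures it, even though util.go keeps an `addRedact`/`sensStr` list that appears intended for exactly this kind of value; both prints should go (and the `fmt` import with them if nothing else in util.go uses it, which this hunk does not show). The three comments all read `// Replace $ with \$` although only the middle replacement does that, and the function escapes `\`, `$` and backtick but not `"`, while the caller wraps the result in double quotes, so a password containing a double quote still ends the quoted argument early. The rewrite below addresses all three; the backslash replacement has to stay first so the backslashes introduced by the later replacements are not doubled again.
```go
// escSpCar escapes s for interpolation inside a double-quoted Bash string.
// Backslash is handled first so the escapes added below are not doubled again.
func escSpCar(s string) string {
	s = strings.ReplaceAll(s, "\\", "\\\\")
	s = strings.ReplaceAll(s, "$", "\\$")
	s = strings.ReplaceAll(s, "`", "\\`")
	s = strings.ReplaceAll(s, "\"", "\\\"")
	return s
}
```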