Nginx configuration static analyzer

6.4K Stars 300 Forks Last release: almost 2 years ago (v0.1.20) Other 126 Commits 9 Releases


GIXY

License: Mozilla Public License 2.0. Your feedback is greatly appreciated (GitHub issues and pull requests).

Overview

Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.

Currently supported Python versions are 2.7, 3.5, 3.6 and 3.7.

Disclaimer: Gixy is well tested only on GNU/Linux, other OSs may have some issues.

What it can do

Right now Gixy can find:

* [ssrf] Server Side Request Forgery
* [http_splitting] HTTP Splitting
* [origins] Problems with referrer/origin validation
* [add_header_redefinition] Redefining of response headers by "add_header" directive
* [host_spoofing] Request's Host header forgery
* [valid_referers] none in valid_referers
* [add_header_multiline] Multiline response headers
* [alias_traversal] Path traversal via misconfigured alias

You can find the things that Gixy is learning to detect in the Issues labeled "new plugin".

Installation

Gixy is distributed on PyPI. The best way to install it is with pip:

```bash
pip install gixy
```

Run Gixy and check results:

```bash
gixy
```

Usage

By default Gixy will try to analyze the Nginx configuration placed in `/etc/nginx/nginx.conf`.

But you can always specify the needed path:

```
$ gixy /etc/nginx/nginx.conf

==================== Results ===================

Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/ru/plugins/httpsplitting.md
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;

	server {
		location ~ /v1/((?<action>[^.]*)\.json)?$ {
			add_header X-Action $action;
		}
	}

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 1
```
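The http_splitting finding above, reduced to its core as an added Python example (this is not gixy's own code): it scans `location ~` blocks for PCRE named captures, tests whether each capture's sub-pattern can match a newline, and reports `add_header` values built from such captures. The config is constructed inline; the second location with `[\w-]+` is an assumed hardened variant that the check should not flag.

```python
import re

# Constructed sample: the README's vulnerable location next to a hardened one.
SAMPLE_CONF = """
server {
    location ~ /v1/((?<action>[^.]*)\\.json)?$ {
        add_header X-Action $action;
    }
    location ~ /v2/((?<name>[\\w-]+)\\.json)?$ {
        add_header X-Name $name;
    }
}
"""

LOCATION_RE = re.compile(r'location\s*~\*?\s*(\S+)\s*\{')
GROUP_RE = re.compile(r'\(\?<(\w+)>')            # PCRE named capture opener
HEADER_RE = re.compile(r'add_header\s+\S+\s+([^;]*);')


def extract_group_pattern(regex, start):
    """Return the body of the named group whose '(' sits at index `start`."""
    depth, i = 0, start
    while i < len(regex):
        if regex[i] == '\\':          # skip escaped characters such as \. or \)
            i += 2
            continue
        if regex[i] == '(':
            depth += 1
        elif regex[i] == ')':
            depth -= 1
            if depth == 0:
                body_start = regex.index('>', start) + 1
                return regex[body_start:i]
        i += 1
    raise ValueError('unbalanced group in %r' % regex)


def find_http_splitting(conf):
    """Return (variable, directive) pairs where a header value may carry "\\n"."""
    findings = []
    for loc in LOCATION_RE.finditer(conf):
        regex = loc.group(1)
        risky = set()
        for g in GROUP_RE.finditer(regex):
            body = extract_group_pattern(regex, g.start()).replace('(?<', '(?P<')
            if re.fullmatch(body, 'a\nb'):       # capture can contain a newline
                risky.add(g.group(1))
        block = conf[loc.end():conf.index('}', loc.end())]
        for h in HEADER_RE.finditer(block):
            used = set(re.findall(r'\$(\w+)', h.group(1)))
            for var in sorted(used & risky):
                findings.append((var, h.group(0).strip()))
    return findings
```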

Or skip some tests:

```
$ gixy --skips http_splitting /etc/nginx/nginx.conf

==================== Results ===================
No issues found.

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 0
```

Or something else; you can find all other `gixy` arguments with the help command:

```
gixy --help
```

Docker usage

Gixy is available as a Docker image from the Docker hub. To use it, mount the configuration that you want to analyse as a volume and provide the path to the configuration file when running the Gixy image.

```
$ docker run --rm -v `pwd`/nginx.conf:/etc/nginx/conf/nginx.conf yandex/gixy /etc/nginx/conf/nginx.conf
```

If you have an image that already contains your nginx configuration, you can share the configuration with the Gixy container as a volume.

```
$ docker run --rm --name nginx -d -v /etc/nginx nginx:alpine
f68f2833e986ae69c0a5375f9980dc7a70684a6c233a9535c2a837189f14e905

$ docker run --rm --volumes-from nginx yandex/gixy /etc/nginx/nginx.conf

==================== Results ===================
No issues found.

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 0
```

Contributing

Contributions to Gixy are always welcome! You can help us in different ways:

* Open an issue with suggestions for improvements and errors you're facing;
* Fork this repository and submit a pull request;
* Improve the documentation.

Code guidelines:

* Python code style should follow [pep8](https://www.python.org/dev/peps/pep-0008/) standards whenever possible;
* Pull requests with new plugins must have unit tests for them.
