Nmap Development mailing list archives

Re: [NSE][PATCH] only show script errors in verbose mode


From: David Fifield <david () bamsoftware com>
Date: Wed, 24 Sep 2008 14:20:29 -0600

On Wed, Sep 24, 2008 at 12:29:00PM -0600, Patrick Donnelly wrote:
On Wed, Sep 24, 2008 at 11:48 AM, David Fifield <david () bamsoftware com> wrote:
Sven, is there a way to check if require("openssl") failed by actually
trying it, rather than predicting it will fail with nmap.have_ssl?

pcall(require, "openssl")

I mean, run require("openssl") and somehow catch any error. That would
make the technique more general and it could become the recommended way
to handle scripts which use any optional modules.

What you guys are proposing doesn't sound any different from what I
did except the way it is handled. The alternate methods proposed,
particularly:

-portrule = shortport.port_or_service(22, "ssh")
+if nmap.have_ssl() then
+  require("openssl")
+  portrule = shortport.port_or_service(22, "ssh")
+else
+  portrule = function() return false end
+end
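
Review bot: in the else branch, `portrule = function() return false end` disables the script silently, so a user on a build without SSL gets no indication of why it never ran; raise or log a message there naming the missing openssl dependency so it can be shown at higher verbosity. The guard also relies on nmap.have_ssl() predicting that require("openssl") will succeed; wrapping the call as pcall(require, "openssl") would test the actual result.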

makes the script not run. The patch I made does the same thing _and_
tells the user the script failed due to X dependency provided the
verbosity is high enough. I'm not sure what you guys are really
looking for.

The difference is that checking for the openssl module in the script
affects only the openssl module, while catching all require errors
affects every module.

This is a new situation because openssl would be our first "optional"
module, one that can't automatically be assumed to be installed. It's
going to be a serious error if, say, shortport, is missing, but openssl
is one we expect sometimes to be unavailable.

Don't get me wrong, I think your solution of hooking the require
function is a good one. I keep equivocating as to which approach is the
best. We do want most require errors to be shown by default, except
those that come from openssl.

You'll have to forgive me, I'm (still) pretty new to Lua. Is there a way
to signal a special error code that would mean a module is missing, but
it's an error that can be ignored? The error would be raised in the
"else" branch of the "if" in Sven's example, or it could even be raised
in an alternate compiled openssl module that didn't have any functions,
just raised the error. Then this special error could be ignored, and
normal require errors could continue to be reported.

This approach would mean that the default action would be to report
errors, unless they are specifically ignored by a script or a module.
Reporting errors by default is a good choice because it will catch
unforeseen errors. Raising a real error, instead of just having the
portrule return false, is good because then we can display the error at
higher verbosity levels ("The optional openssl module is not
installed"). (This is a benefit I realized from studying your approach.)

loadfile already checks for errors when loading a file ("%s: '%s' threw
a run time error and could not be loaded."). So is there a way to
indicate that the error is ignorable? I'm fine with creating a new type
or whatever to ensure it's different from any other error message.

If what I've described is feasible, that's what I'd like to see. Failing
that, I slightly prefer checking for openssl in each script that uses
it, because that's safer than ignoring all require errors and,
importantly, it's easier to change to another technique in the future.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
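
The "special ignorable error" asked about in the message above can be sketched in plain Lua, because error() accepts any value and pcall hands it back unchanged. This is an added example, not part of the original message and not Nmap's script loader; require_optional, OptionalMissing, load_script and the demo module names are hypothetical.

```lua
-- Added example with hypothetical names; not Nmap's script loader.
local OptionalMissing = {}   -- metatable used as a type tag for the error
OptionalMissing.__tostring = function(e)
  return "The optional " .. e.module .. " module is not installed"
end

-- Script side: use instead of require() for a module that may be absent.
local function require_optional(name)
  local ok, mod = pcall(require, name)
  if ok then return mod end
  -- Only "not found" is ignorable; a module that exists but is broken
  -- is re-raised unchanged so it is still reported as a normal error.
  if not tostring(mod):find("module '" .. name .. "' not found", 1, true) then
    error(mod, 0)
  end
  -- error() accepts any Lua value, so raise a tagged table, not a string.
  error(setmetatable({ module = name }, OptionalMissing), 0)
end

-- Loader side: run a script chunk and classify whatever it raised.
local function load_script(name, chunk, verbosity)
  local ok, err = pcall(chunk)
  if ok then return "loaded" end
  if getmetatable(err) == OptionalMissing then
    -- Ignorable: stay quiet by default, explain at higher verbosity.
    if verbosity > 0 then print(name .. ": " .. tostring(err)) end
    return "skipped"
  end
  -- Anything else is reported by default, so unforeseen errors surface.
  print(name .. ": threw a run time error and could not be loaded: " .. tostring(err))
  return "failed"
end

-- Constructed demo scripts: one dependency present, one absent, one real bug.
package.preload["present_mod"] = function() return {} end
local scripts = {
  uses_present = function() require_optional("present_mod") end,
  uses_missing = function() require_optional("no_such_optional_module") end,
  has_bug      = function() local t = nil; return t.field end,
}
for _, name in ipairs({ "uses_present", "uses_missing", "has_bug" }) do
  print(name, load_script(name, scripts[name], 1))
end
```

Comparing the metatable rather than matching on the message text keeps the ignorable case distinct from every ordinary string error.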

