Get-ScubaSpfRecord returns in rdata all TXT records not only SPF

[slavag]

🐛 Summary

Get-ScubaSpfRecord returns in rdata all TXT records not only SPF

To reproduce

Check on domains with TXT records, but not SPF.

Expected behavior

Only SPF records to be present in rdata

[adhilto]

Hi, thanks for reaching out. There are couple of moving pieces here. The "provider" module, which pulls all the data for ScubaGear, doesn't filter the TXT records returned, as you say. But the Rego code, the code that actually evaluates the policies, does filter the TXT records returned to just the SPF records, so the report produced will still be accurate, though there may be some superfluous records in the raw data stored in the ScubaResults.json file. Is there a reason this might cause a problem for your use case? Though on further reflection, I can see that there is a slight discrepancy between the function name and what it actually does, which certainly isn't good practice. Either way, curious to hear what additional thoughts you might have on this issue.

[slavag]

Hi,
Thanks for your reply.
Well, I don't have any specific issue, but just tried to understand the code and found that it's contains not only SPF data, and also number of records in the log entries is not exactly correct.
So, I was thinking that it worth check with the dev team (for me it's looks like a bug :) ).
Thanks

[adhilto]

Got it. This does look like something we'll eventually want to fix, if nothing else so the functionality of Get-ScubaSpfRecord more closely aligns with what it actually does. But in the meantime, rest assured that the extra records are not skewing the assessment results.

Thanks again for reporting!

[hkelley]

I think there is a related issue where Get-ScubaSpfRecord is splitting long TXT records over multiple items in rdata, which causes the v=spf1 and -all to be separated from one another. This, in turn, may be causing this evaluation to fail:

ScubaGear/PowerShell/ScubaGear/Rego/EXOConfig.rego

Line 61 in 1b76e1e

SpfRecords := {Record | some Record in DNSResponse.rdata; startswith(Record, "v=spf1 "); contains(Record, "-all")} |

DomainsWithoutSpf contains DNSResponse.domain if {
    some DNSResponse in input.spf_records
    SpfRecords := {Record | some Record in DNSResponse.rdata; startswith(Record, "v=spf1 "); contains(Record, "-all")} | 

When I run this over my domain:

$result = Get-ScubaSpfRecord -Domains @([pscustomobject] @{DomainName='REDACTED.com'})

I get four items for rdata:

> $result.rdata.Count
4

> for($i=0;$i -lt $result.rdata.Count; $i++) {Write-Host "`nitem $i"; Write-Host $result.rdata[$i]}

item 0
MS=ms445xxx

item 1
cisco-ci-domain-verification=xxxxxx

item 2
v=spf1 a ip4:999.999.999.169 ip4:999.999.999.170 ip4:999.999.999.152 ip4:999.999.999.140 ip4:999.999.999.77 ip4:999.999.999.72 ip4:999.999.999.102 ip4:999.999.999.103 ip4:999.4.999.149 ip4:999.999.999.237 ip4:999.999.999.170 include:spf-000xxxxxx.pphosted.com include:

item 3
e2ma.net include:spf.protection.outlook.com include:amazonses.com include:_spf.salesforce.com ip4:999.999.999.196 ip4:999.999.999.174 ip4:999.999.999.207 ip4:999.999.999.142 ip4:999.999.999.250 ip4:999.1.999.157 -all

[adhilto]

@hkelley Thanks for the report. I created a separate issue to track that: #1534