Merge pull request #571 from psiinon/feature/pathchange
Access files by path instead of query
thc202 authored Aug 6, 2019
2 parents 9fb27ca + 23b2778 commit 39111d7
Showing 13 changed files with 143 additions and 140 deletions.
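--- a/src/main/java/org/zaproxy/zap/extension/hud/HudAPI.java
+++ b/src/main/java/org/zaproxy/zap/extension/hud/HudAPI.java
@@ -185,22 +185,22 @@ public boolean allowUnsafeEval() {
 public String handleCallBack(HttpMessage msg) throws ApiException {
 // Just used to handle files which need to be on the target domain
 try {
-String query = msg.getRequestHeader().getURI().getPathQuery();
-logger.debug("callback query = " + query);
-if (query != null) {
-if (query.indexOf("zapfile=") > 0) {
-String fileName = query.substring(query.indexOf("zapfile=") + 8);
-if (DOMAIN_FILE_WHITELIST.contains(fileName)) {
-msg.setResponseBody(
-this.getFile(msg, ExtensionHUD.TARGET_DIRECTORY + "/" + fileName));
-// Currently only javascript files are returned
-msg.setResponseHeader(
-API.getDefaultResponseHeader(
-"application/javascript; charset=UTF-8",
-msg.getResponseBody().length(),
-false));
-return msg.getResponseBody().toString();
-}
+String path = msg.getRequestHeader().getURI().getEscapedPath();
+int lastSlash = path.lastIndexOf("/");
+String fileName = path.substring(lastSlash + 1);
+
+logger.debug("callback fileName = " + fileName);
+if (fileName != null) {
+if (DOMAIN_FILE_WHITELIST.contains(fileName)) {
+msg.setResponseBody(
+this.getFile(msg, ExtensionHUD.TARGET_DIRECTORY + "/" + fileName));
+// Currently only javascript files are returned
+msg.setResponseHeader(
+API.getDefaultResponseHeader(
+"application/javascript; charset=UTF-8",
+msg.getResponseBody().length(),
+false));
+return msg.getResponseBody().toString();
 }
 }
 } catch (Exception e) {
@@ -458,7 +458,7 @@ protected String getFile(HttpMessage msg, String file) {
 if (tool.toLowerCase(Locale.ROOT).endsWith(".js")) {
 sb.append("\t\"");
 sb.append(this.hudFileUrl);
-sb.append("?name=tools/");
+sb.append("/file/tools/");
 sb.append(tool);
 sb.append("\",\n");
 }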
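Review bot: The new `if (fileName != null)` guard in handleCallBack can never be false, because `String.substring` never returns null, so the only control standing between the request path and `getFile` is the whitelist lookup on the following line; that lookup is the right control, but the dead null check suggests a different intent. A path ending in a slash yields an empty `fileName`, which the whitelist also rejects, so the two conditions read more honestly folded together as `if (!fileName.isEmpty() && DOMAIN_FILE_WHITELIST.contains(fileName)) {`. The segment is taken from `getEscapedPath()`, so a whitelisted name is compared in its percent-encoded form; that is fine as long as the whitelist holds plain file names, which this hunk does not show. What the method returns for a non-whitelisted name is outside the hunk.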
89 changes: 46 additions & 43 deletions src/main/java/org/zaproxy/zap/extension/hud/HudFileProxy.java
Expand Up @@ -94,55 +94,58 @@ private HttpResponseHeader getResponseHeader(String fileName, int contentLength)
@Override
public String handleCallBack(HttpMessage msg) throws ApiException {
try {
String query = msg.getRequestHeader().getURI().getPathQuery();
LOG.debug("callback query = " + query);
if (query != null) {
if (query.contains("..")) {
// Looks like an injection attack
LOG.warn("Attempted injection attack? " + msg.getRequestHeader().getURI());
throw new ApiException(
ApiException.Type.ILLEGAL_PARAMETER,
msg.getRequestHeader().getURI().toString());
}
if (query.indexOf("name=") > 0) {
String file = query.substring(query.indexOf("name=") + 5);
if (file.indexOf("&") > 0) {
file = file.substring(0, file.indexOf("&"));
}
msg.setResponseBody(api.getFile(msg, file));
msg.setResponseHeader(getResponseHeader(file, msg.getResponseBody().length()));
String path = msg.getRequestHeader().getURI().getPath();
if (path.contains("..")) {
// Looks like an injection attack
LOG.warn("Attempted injection attack? " + msg.getRequestHeader().getURI());
throw new ApiException(
ApiException.Type.ILLEGAL_PARAMETER,
msg.getRequestHeader().getURI().toString());
}
String[] pathElements = path.split("/");
if (pathElements.length < 5) {
throw new ApiException(
ApiException.Type.ILLEGAL_PARAMETER,
msg.getRequestHeader().getURI().toString());
}
String type = pathElements[4];
LOG.debug("callback type = " + type);
if (type.equals("file")) {
String file = path.substring(path.indexOf("file") + 5);
LOG.debug("callback file = " + file);
msg.setResponseBody(api.getFile(msg, file));
msg.setResponseHeader(getResponseHeader(file, msg.getResponseBody().length()));

if (msg.getRequestHeader().getURI().toString().startsWith(API.API_URL_S)) {
if (api.allowUnsafeEval()) {
msg.getResponseHeader()
.setHeader(
"Content-Security-Policy",
HudAPI.CSP_POLICY_UNSAFE_EVAL);
} else {
msg.getResponseHeader()
.setHeader("Content-Security-Policy", HudAPI.CSP_POLICY);
}
}
if (api.getRequestCookieValue(msg, HudAPI.ZAP_HUD_COOKIE) == null) {
// The ZAP-HUD cookie has not been set, so set it or we'll block access to
// key resources
if (msg.getRequestHeader().getURI().toString().startsWith(API.API_URL_S)) {
if (api.allowUnsafeEval()) {
msg.getResponseHeader()
.setHeader(
HttpHeader.SET_COOKIE,
HudAPI.ZAP_HUD_COOKIE
+ "="
+ api.getZapHudCookieValue()
+ "; Secure; HttpOnly; SameSite=Strict");
"Content-Security-Policy", HudAPI.CSP_POLICY_UNSAFE_EVAL);
} else {
msg.getResponseHeader()
.setHeader("Content-Security-Policy", HudAPI.CSP_POLICY);
}
}
if (api.getRequestCookieValue(msg, HudAPI.ZAP_HUD_COOKIE) == null) {
// The ZAP-HUD cookie has not been set, so set it or we'll block access to
// key resources
msg.getResponseHeader()
.setHeader(
HttpHeader.SET_COOKIE,
HudAPI.ZAP_HUD_COOKIE
+ "="
+ api.getZapHudCookieValue()
+ "; Secure; HttpOnly; SameSite=Strict");
}

return msg.getResponseBody().toString();
} else if (query.indexOf("image=") > 0) {
String file = query.substring(query.indexOf("image=") + 6);
return msg.getResponseBody().toString();
} else if (type.equals("image")) {
String file = path.substring(path.indexOf("image") + 6);
LOG.debug("callback image = " + file);

msg.setResponseBody(api.getImage(file));
msg.setResponseHeader(getResponseHeader(file, msg.getResponseBody().length()));
return msg.getResponseBody().toString();
}
msg.setResponseBody(api.getImage(file));
msg.setResponseHeader(getResponseHeader(file, msg.getResponseBody().length()));
return msg.getResponseBody().toString();
}
} catch (ApiException e) {
throw e;
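Review bot: The file name is recovered with `path.indexOf("file") + 5` (and `path.indexOf("image") + 6` for images) even though the dispatch has already located the type at `pathElements[4]`; `indexOf` scans the whole path, so any earlier segment that happens to contain `file` or `image` moves the cut to the wrong place, and a path that ends at the type segment (`pathElements.length == 5`) makes the start offset exceed the string length and throws StringIndexOutOfBoundsException instead of the ILLEGAL_PARAMETER ApiException used for every other malformed path. Derive the name from the elements already split, e.g. `String file = String.join("/", Arrays.copyOfRange(pathElements, 5, pathElements.length));` in both branches, and widen the length check to `if (pathElements.length < 6) {` so an empty name is rejected up front; `java.util.Arrays` needs importing if it is not already. The `path.contains("..")` test is the only traversal guard visible here and it runs on `getPath()`; if that accessor returns the decoded path, encoded dot segments are covered too, but the resolution inside `api.getFile` (outside this hunk) should still canonicalise the result and confirm it stays under the HUD files directory rather than relying on this substring check alone. The method's remaining catch clauses lie outside the hunk.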
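--- a/src/main/zapHomeFiles/hud/display.html
+++ b/src/main/zapHomeFiles/hud/display.html
@@ -1,14 +1,14 @@
 <html>
 <head>
-<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=libraries/spectre.css"/>
-<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=libraries/spectre-icons.css"/>
-<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=display.css"/>
+<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/libraries/spectre.css"/>
+<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/libraries/spectre-icons.css"/>
+<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/display.css"/>
 
-<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=libraries/vue.js"></script>
-<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=libraries/vue-i18n.js"></script>
-<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=i18n.js"></script>
-<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=utils.js"></script>
-<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=display.js"></script>
+<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/libraries/vue.js"></script>
+<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/libraries/vue-i18n.js"></script>
+<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/i18n.js"></script>
+<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/utils.js"></script>
+<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/display.js"></script>
 </head>
 
 <body>
@@ -266,9 +266,9 @@
 <div slot="body">
 <ul class="menu">
 <li v-for="(conf, id) in items" class="menu-item" @click="itemSelect(id)">
-<img v-if="conf.startimage" :src="'<<ZAP_HUD_FILES>>?image=' + conf.startimage" />
+<img v-if="conf.startimage" :src="'<<ZAP_HUD_FILES>>/image/' + conf.startimage" />
 {{ conf.label }}
-<img v-if="conf.endimage" :src="'<<ZAP_HUD_FILES>>?image=' + conf.endimage" />
+<img v-if="conf.endimage" :src="'<<ZAP_HUD_FILES>>/image/' + conf.endimage" />
 </li>
 </ul>
 </div>
@@ -312,7 +312,7 @@
 <div slot="footer">
 <div><span class="errorMessages">{{errors}}</span></div>
 <div class="float-left">
-<button :class="{'btn': true, 'disabled': isAscanDisabled}" @click="ascanRequest"> {{ $t('message.history_ascan_request') }} <img src="<<ZAP_HUD_FILES>>?image=flame.png" /> </button>
+<button :class="{'btn': true, 'disabled': isAscanDisabled}" @click="ascanRequest"> {{ $t('message.history_ascan_request') }} <img src="<<ZAP_HUD_FILES>>/image/flame.png" /> </button>
 </div>
 <button class="btn btn-primary" @click="replay"> {{ $t('message.history_replay_console') }} </button>
 <button class="btn" @click="replayInBrowser"> {{ $t('message.history_replay_browser') }} </button>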
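--- a/src/main/zapHomeFiles/hud/drawer.html
+++ b/src/main/zapHomeFiles/hud/drawer.html
@@ -1,15 +1,15 @@
 <html>
 <head>
-<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=libraries/spectre.css"/>
-<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=libraries/spectre-icons.css"/>
-<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=drawer.css"/>
+<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/libraries/spectre.css"/>
+<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/libraries/spectre-icons.css"/>
+<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/drawer.css"/>
 
-<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=libraries/localforage.min.js"></script>
-<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=libraries/vue.js"></script>
-<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=libraries/vue-i18n.js"></script>
-<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=i18n.js"></script>
-<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=utils.js"></script>
-<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=drawer.js"></script>
+<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/libraries/localforage.min.js"></script>
+<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/libraries/vue.js"></script>
+<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/libraries/vue-i18n.js"></script>
+<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/i18n.js"></script>
+<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/utils.js"></script>
+<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/drawer.js"></script>
 </head>
 <body>
 <div id="app">
@@ -173,4 +173,4 @@
 <div v-show="isActive"><slot></slot></div>
 </template>
 </body>
-</html>
+</html>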
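--- a/src/main/zapHomeFiles/hud/growlerAlerts.html
+++ b/src/main/zapHomeFiles/hud/growlerAlerts.html
@@ -1,9 +1,9 @@
 <html>
 <head>
-<script src="<<ZAP_HUD_FILES>>?name=libraries/alertify.js"></script>
-<script src="<<ZAP_HUD_FILES>>?name=libraries/localforage.min.js"></script>
-<script src="<<ZAP_HUD_FILES>>?name=utils.js"></script>
-<script src="<<ZAP_HUD_FILES>>?name=growlerAlerts.js"></script>
+<script src="<<ZAP_HUD_FILES>>/file/libraries/alertify.js"></script>
+<script src="<<ZAP_HUD_FILES>>/file/libraries/localforage.min.js"></script>
+<script src="<<ZAP_HUD_FILES>>/file/utils.js"></script>
+<script src="<<ZAP_HUD_FILES>>/file/growlerAlerts.js"></script>
 </head>
 <body>
 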
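--- a/src/main/zapHomeFiles/hud/growlerAlerts.js
+++ b/src/main/zapHomeFiles/hud/growlerAlerts.js
@@ -1,10 +1,10 @@
 // Injected string
 var ZAP_HUD_FILES = '<<ZAP_HUD_FILES>>';
 
-var INFORMATIONAL_FLAG = '<img src="' + ZAP_HUD_FILES + '?image=flag-blue.png" >&nbsp';
-var LOW_FLAG = '<img src="' + ZAP_HUD_FILES + '?image=flag-yellow.png" >&nbsp';
-var MEDIUM_FLAG = '<img src="' + ZAP_HUD_FILES + '?image=flag-orange.png" >&nbsp';
-var HIGH_FLAG = '<img src="' + ZAP_HUD_FILES + '?image=flag-red.png" >&nbsp';
+var INFORMATIONAL_FLAG = '<img src="' + ZAP_HUD_FILES + '/image/flag-blue.png" >&nbsp';
+var LOW_FLAG = '<img src="' + ZAP_HUD_FILES + '/image/flag-yellow.png" >&nbsp';
+var MEDIUM_FLAG = '<img src="' + ZAP_HUD_FILES + '/image/flag-orange.png" >&nbsp';
+var HIGH_FLAG = '<img src="' + ZAP_HUD_FILES + '/image/flag-red.png" >&nbsp';
 var DELAY_MS = 3000;
 var QUEUE_SIZE = 5;
 var MAX_LINE_LENGTH = 45;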
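--- a/src/main/zapHomeFiles/hud/management.html
+++ b/src/main/zapHomeFiles/hud/management.html
@@ -1,12 +1,12 @@
 <html>
 <head>
-<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=libraries/spectre.css"/>
-<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=management.css" />
+<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/libraries/spectre.css"/>
+<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/management.css" />
 
-<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=libraries/vue.js"></script>
-<script src="<<ZAP_HUD_FILES>>?name=libraries/localforage.min.js"></script>
-<script src="<<ZAP_HUD_FILES>>?name=utils.js"></script>
-<script src="<<ZAP_HUD_FILES>>?name=management.js"></script>
+<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/libraries/vue.js"></script>
+<script src="<<ZAP_HUD_FILES>>/file/libraries/localforage.min.js"></script>
+<script src="<<ZAP_HUD_FILES>>/file/utils.js"></script>
+<script src="<<ZAP_HUD_FILES>>/file/management.js"></script>
 </head>
 <body>
 <div id="app">
@@ -15,7 +15,7 @@
 
 <template id="welcome-screen-template">
 <div class="welcome-div">
-<img class="welcome-image" src='<<ZAP_HUD_FILES>>?image=hud-welcome.png'>
+<img class="welcome-image" src='<<ZAP_HUD_FILES>>/image/hud-welcome.png'>
 <div class="tutorial-div">
 <button class="btn btn-primary" @click="continueToTutorial"> Take the HUD Tutorial </button>
 </div>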
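--- a/src/main/zapHomeFiles/hud/panel.html
+++ b/src/main/zapHomeFiles/hud/panel.html
@@ -1,12 +1,12 @@
 <html>
 <head>
-<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=libraries/spectre.css"/>
-<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=panel.css&amp;orientation=ORIENTATION" />
+<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/libraries/spectre.css"/>
+<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/panel.css?orientation=ORIENTATION" />
 
-<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=libraries/localforage.min.js"></script>
-<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=libraries/vue.js"></script>
-<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=utils.js"></script>
-<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=panel.js"></script>
+<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/libraries/localforage.min.js"></script>
+<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/libraries/vue.js"></script>
+<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/utils.js"></script>
+<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/panel.js"></script>
 </head>
 <body>
 <div id="app">
@@ -15,8 +15,8 @@
 
 <template id="hud-buttons-template">
 <div id="hud-buttons" :class="{'d-hide': !isVisible, 'd-visible': isVisible}">
-<hud-button v-for="tool in tools" :key="tool.name" :label="tool.label" :icon="'<<ZAP_HUD_FILES>>?image=' + tool.icon" :data="tool.data" :name="tool.name"></hud-button>
-<hud-button icon="<<ZAP_HUD_FILES>>?image=plus.png" name="add-tool"></hud-button>
+<hud-button v-for="tool in tools" :key="tool.name" :label="tool.label" :icon="'<<ZAP_HUD_FILES>>/image/' + tool.icon" :data="tool.data" :name="tool.name"></hud-button>
+<hud-button icon="<<ZAP_HUD_FILES>>/image/plus.png" name="add-tool"></hud-button>
 </div>
 </template>
 
@@ -28,4 +28,4 @@
 </div>
 </template>
 </body>
-</html>
+</html>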
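--- a/src/main/zapHomeFiles/hud/panel.js
+++ b/src/main/zapHomeFiles/hud/panel.js
@@ -4,7 +4,7 @@
 * Description goes here...
 */
 
-var IMAGE_URL = '<<ZAP_HUD_FILES>>?image=';
+var IMAGE_URL = '<<ZAP_HUD_FILES>>/image/';
 var orientation = "";
 var panelKey = "";
 var frameId = '';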
