Access files by path instead of query #571

Merged
merged 1 commit into from
Aug 6, 2019
34 changes: 17 additions & 17 deletions src/main/java/org/zaproxy/zap/extension/hud/HudAPI.java
Expand Up @@ -185,22 +185,22 @@ public boolean allowUnsafeEval() {
public String handleCallBack(HttpMessage msg) throws ApiException {
// Just used to handle files which need to be on the target domain
try {
String query = msg.getRequestHeader().getURI().getPathQuery();
logger.debug("callback query = " + query);
if (query != null) {
if (query.indexOf("zapfile=") > 0) {
String fileName = query.substring(query.indexOf("zapfile=") + 8);
if (DOMAIN_FILE_WHITELIST.contains(fileName)) {
msg.setResponseBody(
this.getFile(msg, ExtensionHUD.TARGET_DIRECTORY + "/" + fileName));
// Currently only javascript files are returned
msg.setResponseHeader(
API.getDefaultResponseHeader(
"application/javascript; charset=UTF-8",
msg.getResponseBody().length(),
false));
return msg.getResponseBody().toString();
}
String path = msg.getRequestHeader().getURI().getEscapedPath();
int lastSlash = path.lastIndexOf("/");
String fileName = path.substring(lastSlash + 1);

logger.debug("callback fileName = " + fileName);
if (fileName != null) {
if (DOMAIN_FILE_WHITELIST.contains(fileName)) {
msg.setResponseBody(
this.getFile(msg, ExtensionHUD.TARGET_DIRECTORY + "/" + fileName));
// Currently only javascript files are returned
msg.setResponseHeader(
API.getDefaultResponseHeader(
"application/javascript; charset=UTF-8",
Should this have a little more evaluation on file type for setting the header since we'll be serving CSS and image files as well?

Those will be served by HudFileProxy which does that.

msg.getResponseBody().length(),
false));
return msg.getResponseBody().toString();
}
}
} catch (Exception e) {
Expand Down Expand Up @@ -458,7 +458,7 @@ protected String getFile(HttpMessage msg, String file) {
if (tool.toLowerCase(Locale.ROOT).endsWith(".js")) {
sb.append("\t\"");
sb.append(this.hudFileUrl);
sb.append("?name=tools/");
sb.append("/file/tools/");
sb.append(tool);
sb.append("\",\n");
}
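Review bot: The guard `if (fileName != null)` in the new HudAPI.handleCallBack body is dead code: `String.substring` never returns null, whereas `path` from `getEscapedPath()` is the value that may be absent, and `path.lastIndexOf("/")` on a null path would fall through to the generic `catch (Exception e)` at the end of the hunk rather than being handled deliberately. Move the check to the path instead: `if (path != null) {` wrapped around the substring and the whitelist lookup, and drop the inner `fileName != null` test. It is worth stating why no traversal check is needed here, e.g. `// fileName is only the last path segment and must match DOMAIN_FILE_WHITELIST exactly (escaped form), so it can never name a file outside TARGET_DIRECTORY`. The body of the catch block and the rest of handleCallBack lie outside the hunk.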
89 changes: 46 additions & 43 deletions src/main/java/org/zaproxy/zap/extension/hud/HudFileProxy.java
Expand Up @@ -94,55 +94,58 @@ private HttpResponseHeader getResponseHeader(String fileName, int contentLength)
@Override
public String handleCallBack(HttpMessage msg) throws ApiException {
try {
String query = msg.getRequestHeader().getURI().getPathQuery();
LOG.debug("callback query = " + query);
if (query != null) {
if (query.contains("..")) {
// Looks like an injection attack
LOG.warn("Attempted injection attack? " + msg.getRequestHeader().getURI());
throw new ApiException(
ApiException.Type.ILLEGAL_PARAMETER,
msg.getRequestHeader().getURI().toString());
}
if (query.indexOf("name=") > 0) {
String file = query.substring(query.indexOf("name=") + 5);
if (file.indexOf("&") > 0) {
file = file.substring(0, file.indexOf("&"));
}
msg.setResponseBody(api.getFile(msg, file));
msg.setResponseHeader(getResponseHeader(file, msg.getResponseBody().length()));
String path = msg.getRequestHeader().getURI().getPath();
if (path.contains("..")) {
// Looks like an injection attack
LOG.warn("Attempted injection attack? " + msg.getRequestHeader().getURI());
throw new ApiException(
ApiException.Type.ILLEGAL_PARAMETER,
msg.getRequestHeader().getURI().toString());
}
String[] pathElements = path.split("/");
if (pathElements.length < 5) {
throw new ApiException(
ApiException.Type.ILLEGAL_PARAMETER,
msg.getRequestHeader().getURI().toString());
}
String type = pathElements[4];
LOG.debug("callback type = " + type);
if (type.equals("file")) {
String file = path.substring(path.indexOf("file") + 5);
LOG.debug("callback file = " + file);
msg.setResponseBody(api.getFile(msg, file));
msg.setResponseHeader(getResponseHeader(file, msg.getResponseBody().length()));

if (msg.getRequestHeader().getURI().toString().startsWith(API.API_URL_S)) {
if (api.allowUnsafeEval()) {
msg.getResponseHeader()
.setHeader(
"Content-Security-Policy",
HudAPI.CSP_POLICY_UNSAFE_EVAL);
} else {
msg.getResponseHeader()
.setHeader("Content-Security-Policy", HudAPI.CSP_POLICY);
}
}
if (api.getRequestCookieValue(msg, HudAPI.ZAP_HUD_COOKIE) == null) {
// The ZAP-HUD cookie has not been set, so set it or we'll block access to
// key resources
if (msg.getRequestHeader().getURI().toString().startsWith(API.API_URL_S)) {
if (api.allowUnsafeEval()) {
msg.getResponseHeader()
.setHeader(
HttpHeader.SET_COOKIE,
HudAPI.ZAP_HUD_COOKIE
+ "="
+ api.getZapHudCookieValue()
+ "; Secure; HttpOnly; SameSite=Strict");
"Content-Security-Policy", HudAPI.CSP_POLICY_UNSAFE_EVAL);
} else {
msg.getResponseHeader()
.setHeader("Content-Security-Policy", HudAPI.CSP_POLICY);
}
}
if (api.getRequestCookieValue(msg, HudAPI.ZAP_HUD_COOKIE) == null) {
// The ZAP-HUD cookie has not been set, so set it or we'll block access to
// key resources
msg.getResponseHeader()
.setHeader(
HttpHeader.SET_COOKIE,
HudAPI.ZAP_HUD_COOKIE
+ "="
+ api.getZapHudCookieValue()
+ "; Secure; HttpOnly; SameSite=Strict");
}

return msg.getResponseBody().toString();
} else if (query.indexOf("image=") > 0) {
String file = query.substring(query.indexOf("image=") + 6);
return msg.getResponseBody().toString();
} else if (type.equals("image")) {
String file = path.substring(path.indexOf("image") + 6);
LOG.debug("callback image = " + file);

msg.setResponseBody(api.getImage(file));
msg.setResponseHeader(getResponseHeader(file, msg.getResponseBody().length()));
return msg.getResponseBody().toString();
}
msg.setResponseBody(api.getImage(file));
msg.setResponseHeader(getResponseHeader(file, msg.getResponseBody().length()));
return msg.getResponseBody().toString();
}
} catch (ApiException e) {
throw e;
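Review bot: `String file = path.substring(path.indexOf("file") + 5);` (and the matching `indexOf("image") + 6` in the image branch) searches for the first occurrence of the word anywhere in the path rather than the segment just matched as `pathElements[4]`, so any earlier segment containing "file" or "image" would produce a wrong file name, and a path ending exactly at `/file` makes the `+ 5` overrun the string and throw StringIndexOutOfBoundsException instead of the ILLEGAL_PARAMETER ApiException used for every other malformed path. Derive the name from the elements already split: tighten the length check to `if (pathElements.length < 6) {` and use `String file = String.join("/", Arrays.copyOfRange(pathElements, 5, pathElements.length));` in both branches (java.util.Arrays must be imported if it is not already). The `path.contains("..")` check on the decoded `getPath()` remains the traversal guard and should stay ahead of either extraction; I cannot tell from the hunk whether `getPath()` can return null before that call, which would NPE rather than reject. The catch clauses of handleCallBack continue past the end of the hunk.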
22 changes: 11 additions & 11 deletions src/main/zapHomeFiles/hud/display.html
@@ -1,14 +1,14 @@
<html>
<head>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=libraries/spectre.css"/>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=libraries/spectre-icons.css"/>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=display.css"/>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/libraries/spectre.css"/>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/libraries/spectre-icons.css"/>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/display.css"/>

<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=libraries/vue.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=libraries/vue-i18n.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=i18n.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=utils.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=display.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/libraries/vue.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/libraries/vue-i18n.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/i18n.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/utils.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/display.js"></script>
</head>

<body>
Expand Down Expand Up @@ -266,9 +266,9 @@
<div slot="body">
<ul class="menu">
<li v-for="(conf, id) in items" class="menu-item" @click="itemSelect(id)">
<img v-if="conf.startimage" :src="'<<ZAP_HUD_FILES>>?image=' + conf.startimage" />
<img v-if="conf.startimage" :src="'<<ZAP_HUD_FILES>>/image/' + conf.startimage" />
{{ conf.label }}
<img v-if="conf.endimage" :src="'<<ZAP_HUD_FILES>>?image=' + conf.endimage" />
<img v-if="conf.endimage" :src="'<<ZAP_HUD_FILES>>/image/' + conf.endimage" />
</li>
</ul>
</div>
Expand Down Expand Up @@ -312,7 +312,7 @@
<div slot="footer">
<div><span class="errorMessages">{{errors}}</span></div>
<div class="float-left">
<button :class="{'btn': true, 'disabled': isAscanDisabled}" @click="ascanRequest"> {{ $t('message.history_ascan_request') }} <img src="<<ZAP_HUD_FILES>>?image=flame.png" /> </button>
<button :class="{'btn': true, 'disabled': isAscanDisabled}" @click="ascanRequest"> {{ $t('message.history_ascan_request') }} <img src="<<ZAP_HUD_FILES>>/image/flame.png" /> </button>
</div>
<button class="btn btn-primary" @click="replay"> {{ $t('message.history_replay_console') }} </button>
<button class="btn" @click="replayInBrowser"> {{ $t('message.history_replay_browser') }} </button>
20 changes: 10 additions & 10 deletions src/main/zapHomeFiles/hud/drawer.html
@@ -1,15 +1,15 @@
<html>
<head>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=libraries/spectre.css"/>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=libraries/spectre-icons.css"/>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=drawer.css"/>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/libraries/spectre.css"/>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/libraries/spectre-icons.css"/>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/drawer.css"/>

<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=libraries/localforage.min.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=libraries/vue.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=libraries/vue-i18n.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=i18n.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=utils.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=drawer.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/libraries/localforage.min.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/libraries/vue.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/libraries/vue-i18n.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/i18n.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/utils.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/drawer.js"></script>
</head>
<body>
<div id="app">
Expand Down Expand Up @@ -173,4 +173,4 @@
<div v-show="isActive"><slot></slot></div>
</template>
</body>
</html>
</html>
8 changes: 4 additions & 4 deletions src/main/zapHomeFiles/hud/growlerAlerts.html
@@ -1,9 +1,9 @@
<html>
<head>
<script src="<<ZAP_HUD_FILES>>?name=libraries/alertify.js"></script>
<script src="<<ZAP_HUD_FILES>>?name=libraries/localforage.min.js"></script>
<script src="<<ZAP_HUD_FILES>>?name=utils.js"></script>
<script src="<<ZAP_HUD_FILES>>?name=growlerAlerts.js"></script>
<script src="<<ZAP_HUD_FILES>>/file/libraries/alertify.js"></script>
<script src="<<ZAP_HUD_FILES>>/file/libraries/localforage.min.js"></script>
<script src="<<ZAP_HUD_FILES>>/file/utils.js"></script>
<script src="<<ZAP_HUD_FILES>>/file/growlerAlerts.js"></script>
</head>
<body>

8 changes: 4 additions & 4 deletions src/main/zapHomeFiles/hud/growlerAlerts.js
@@ -1,10 +1,10 @@
// Injected string
var ZAP_HUD_FILES = '<<ZAP_HUD_FILES>>';

var INFORMATIONAL_FLAG = '<img src="' + ZAP_HUD_FILES + '?image=flag-blue.png" >&nbsp';
var LOW_FLAG = '<img src="' + ZAP_HUD_FILES + '?image=flag-yellow.png" >&nbsp';
var MEDIUM_FLAG = '<img src="' + ZAP_HUD_FILES + '?image=flag-orange.png" >&nbsp';
var HIGH_FLAG = '<img src="' + ZAP_HUD_FILES + '?image=flag-red.png" >&nbsp';
var INFORMATIONAL_FLAG = '<img src="' + ZAP_HUD_FILES + '/image/flag-blue.png" >&nbsp';
var LOW_FLAG = '<img src="' + ZAP_HUD_FILES + '/image/flag-yellow.png" >&nbsp';
var MEDIUM_FLAG = '<img src="' + ZAP_HUD_FILES + '/image/flag-orange.png" >&nbsp';
var HIGH_FLAG = '<img src="' + ZAP_HUD_FILES + '/image/flag-red.png" >&nbsp';
var DELAY_MS = 3000;
var QUEUE_SIZE = 5;
var MAX_LINE_LENGTH = 45;
14 changes: 7 additions & 7 deletions src/main/zapHomeFiles/hud/management.html
@@ -1,12 +1,12 @@
<html>
<head>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=libraries/spectre.css"/>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=management.css" />
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/libraries/spectre.css"/>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/management.css" />

<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=libraries/vue.js"></script>
<script src="<<ZAP_HUD_FILES>>?name=libraries/localforage.min.js"></script>
<script src="<<ZAP_HUD_FILES>>?name=utils.js"></script>
<script src="<<ZAP_HUD_FILES>>?name=management.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/libraries/vue.js"></script>
<script src="<<ZAP_HUD_FILES>>/file/libraries/localforage.min.js"></script>
<script src="<<ZAP_HUD_FILES>>/file/utils.js"></script>
<script src="<<ZAP_HUD_FILES>>/file/management.js"></script>
</head>
<body>
<div id="app">
Expand All @@ -15,7 +15,7 @@

<template id="welcome-screen-template">
<div class="welcome-div">
<img class="welcome-image" src='<<ZAP_HUD_FILES>>?image=hud-welcome.png'>
<img class="welcome-image" src='<<ZAP_HUD_FILES>>/image/hud-welcome.png'>
<div class="tutorial-div">
<button class="btn btn-primary" @click="continueToTutorial"> Take the HUD Tutorial </button>
</div>
18 changes: 9 additions & 9 deletions src/main/zapHomeFiles/hud/panel.html
@@ -1,12 +1,12 @@
<html>
<head>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=libraries/spectre.css"/>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>?name=panel.css&amp;orientation=ORIENTATION" />
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/libraries/spectre.css"/>
<link rel="stylesheet" type="text/css" href="<<ZAP_HUD_FILES>>/file/panel.css?orientation=ORIENTATION" />

<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=libraries/localforage.min.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=libraries/vue.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=utils.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>?name=panel.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/libraries/localforage.min.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/libraries/vue.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/utils.js"></script>
<script type="text/javascript" src="<<ZAP_HUD_FILES>>/file/panel.js"></script>
</head>
<body>
<div id="app">
Expand All @@ -15,8 +15,8 @@

<template id="hud-buttons-template">
<div id="hud-buttons" :class="{'d-hide': !isVisible, 'd-visible': isVisible}">
<hud-button v-for="tool in tools" :key="tool.name" :label="tool.label" :icon="'<<ZAP_HUD_FILES>>?image=' + tool.icon" :data="tool.data" :name="tool.name"></hud-button>
<hud-button icon="<<ZAP_HUD_FILES>>?image=plus.png" name="add-tool"></hud-button>
<hud-button v-for="tool in tools" :key="tool.name" :label="tool.label" :icon="'<<ZAP_HUD_FILES>>/image/' + tool.icon" :data="tool.data" :name="tool.name"></hud-button>
<hud-button icon="<<ZAP_HUD_FILES>>/image/plus.png" name="add-tool"></hud-button>
</div>
</template>

Expand All @@ -28,4 +28,4 @@
</div>
</template>
</body>
</html>
</html>
2 changes: 1 addition & 1 deletion src/main/zapHomeFiles/hud/panel.js
Expand Up @@ -4,7 +4,7 @@
* Description goes here...
*/

var IMAGE_URL = '<<ZAP_HUD_FILES>>?image=';
var IMAGE_URL = '<<ZAP_HUD_FILES>>/image/';
var orientation = "";
var panelKey = "";
var frameId = '';