added url-decoding by default in checks of messages

doc/language.md

@@ -513,7 +513,8 @@ The Checks tag is a list of Check elements, which can be defined with:
 - `check param` specifies the name of the parameter to be checked, depending on the section choosed, the tool will search for the parameter using a pattern. (for the url, it will search for a query parameter, for the head, it will search for a head parameter)
 - `check regex` specify a regex that checks the selected content by matching it.
   . `use variable` (true or false) set to true if you want to specify a variable name on the following tags, to check wrt to that variable value.
-- The actual check on the value, which are self explanatory. (if none of these are specified, the check will only check if the given parameter is present)
+- `url decode` if you want to disable url decoding in http messages, see the note below for details.
+- The actual check on the value. (if none of these are specified, the check will only check if the given parameter is present)
   - `is`
   - `not is`
   - `contains`
@@ -529,6 +530,8 @@ Note that you can use `check regex` OR `check` OR `check param`.
 
 Note that `check` accepts only the `is present` tag.
 
+Note: by default, all the values read from a message (only message, not json) are URL-decoded before the checks are executed. You can disable this behaviour by using `url decode` = false
+
 In passive tests the checks's result are intended as the entire test result, so all the checks has to pass to have a successfull test.
 
 ### Checks on JSON content

tool/src/main/java/migt/Check.java

@@ -5,6 +5,7 @@
 import org.json.JSONException;
 import org.json.JSONObject;
 
+import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.Iterator;
@@ -28,6 +29,7 @@ public class Check extends Module {
     boolean isParamCheck; // specifies if what is declared in what is a parameter name
     String regex; // the eventual regex to use
     boolean use_variable; // if a variable name will be used in the check operation
+    boolean url_decode = true; // this can be used to disable url decoding
 
     public Check() {
         init();
@@ -144,6 +146,9 @@ public Check(JSONObject json_check) throws ParsingException {
                         this.op = NOT_MATCHES_REGEX;
                         this.op_val = json_check.getString("not matches regex");
                         break;
+                    case "url decode":
+                        url_decode = json_check.getBoolean("url decode");
+                        break;
                 }
             } catch (JSONException e) {
                 throw new ParsingException("error in parsing check: " + e);
@@ -247,6 +252,10 @@ private boolean execute_http(HTTPReqRes message,
             return false;
         }
 
+        // URL-decode matched content
+        if (url_decode)
+            msg_str = URLDecoder.decode(msg_str, StandardCharsets.UTF_8);
+
         // if a regex is present, execute it
         if (!regex.equals("")) {
             return execute_regex(msg_str);
@@ -504,7 +513,7 @@ public boolean do_check(String val_to_check) throws ParsingException {
                     return !m.find();
                 }
                 default:
-                    throw new ParsingException("Unsupported operand for Check in a message: " + op.toString());
+                    throw new ParsingException("Unsupported operand for Check in a message: " + op);
             }
         } catch (ArrayIndexOutOfBoundsException e) {
             //e.printStackTrace();

tool/src/main/java/migt/Operation_API.java

@@ -1,5 +1,6 @@
 package migt;
 
+import java.util.ArrayList;
 import java.util.List;
 
 /**
@@ -13,6 +14,7 @@ public class Operation_API extends API {
     public Operation_API(HTTPReqRes message, boolean is_request) {
         this.message = message;
         this.is_request = is_request;
+        this.vars = new ArrayList<>();
     }
 
     public Operation_API(List<Var> vars) {