From 6090a551687590d44f9271b88363aafa979af1ab Mon Sep 17 00:00:00 2001 From: mattebit Date: Mon, 28 Aug 2023 15:36:05 +0200 Subject: [PATCH] added url-decoding by default in checks of messages --- doc/language.md | 5 ++++- tool/src/main/java/migt/Check.java | 11 ++++++++++- tool/src/main/java/migt/Operation_API.java | 2 ++ 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/doc/language.md b/doc/language.md index 9ee089e..3738746 100644 --- a/doc/language.md +++ b/doc/language.md @@ -513,7 +513,8 @@ The Checks tag is a list of Check elements, which can be defined with: - `check param` specifies the name of the parameter to be checked, depending on the section choosed, the tool will search for the parameter using a pattern. (for the url, it will search for a query parameter, for the head, it will search for a head parameter) - `check regex` specify a regex that checks the selected content by matching it. . `use variable` (true or false) set to true if you want to specify a variable name on the following tags, to check wrt to that variable value. -- The actual check on the value, which are self explanatory. (if none of these are specified, the check will only check if the given parameter is present) +- `url decode` if you want to disable url decoding in http messages, see the note below for details. +- The actual check on the value. (if none of these are specified, the check will only check if the given parameter is present) - `is` - `not is` - `contains` @@ -529,6 +530,8 @@ Note that you can use `check regex` OR `check` OR `check param`. Note that `check` accepts only the `is present` tag. +Note: by default, all the values read from a message (only message, not json) are URL-decoded before the checks are executed. You can disable this behaviour by using `url decode` = false + In passive tests the checks's result are intended as the entire test result, so all the checks has to pass to have a successfull test. ### Checks on JSON content diff --git a/tool/src/main/java/migt/Check.java b/tool/src/main/java/migt/Check.java index 3747931..0216f01 100644 --- a/tool/src/main/java/migt/Check.java +++ b/tool/src/main/java/migt/Check.java @@ -5,6 +5,7 @@ import org.json.JSONException; import org.json.JSONObject; +import java.net.URLDecoder; import java.nio.charset.StandardCharsets; import java.util.ArrayList; import java.util.Iterator; @@ -28,6 +29,7 @@ public class Check extends Module { boolean isParamCheck; // specifies if what is declared in what is a parameter name String regex; // the eventual regex to use boolean use_variable; // if a variable name will be used in the check operation + boolean url_decode = true; // this can be used to disable url decoding public Check() { init(); @@ -144,6 +146,9 @@ public Check(JSONObject json_check) throws ParsingException { this.op = NOT_MATCHES_REGEX; this.op_val = json_check.getString("not matches regex"); break; + case "url decode": + url_decode = json_check.getBoolean("url decode"); + break; } } catch (JSONException e) { throw new ParsingException("error in parsing check: " + e); @@ -247,6 +252,10 @@ private boolean execute_http(HTTPReqRes message, return false; } + // URL-decode matched content + if (url_decode) + msg_str = URLDecoder.decode(msg_str, StandardCharsets.UTF_8); + // if a regex is present, execute it if (!regex.equals("")) { return execute_regex(msg_str); @@ -504,7 +513,7 @@ public boolean do_check(String val_to_check) throws ParsingException { return !m.find(); } default: - throw new ParsingException("Unsupported operand for Check in a message: " + op.toString()); + throw new ParsingException("Unsupported operand for Check in a message: " + op); } } catch (ArrayIndexOutOfBoundsException e) { //e.printStackTrace(); diff --git a/tool/src/main/java/migt/Operation_API.java b/tool/src/main/java/migt/Operation_API.java index 4f7071d..bb8a955 100644 --- a/tool/src/main/java/migt/Operation_API.java +++ b/tool/src/main/java/migt/Operation_API.java @@ -1,5 +1,6 @@ package migt; +import java.util.ArrayList; import java.util.List; /** @@ -13,6 +14,7 @@ public class Operation_API extends API { public Operation_API(HTTPReqRes message, boolean is_request) { this.message = message; this.is_request = is_request; + this.vars = new ArrayList<>(); } public Operation_API(List vars) {