common

package
v0.0.0-...-b8d018d Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 31, 2025 License: MIT Imports: 12 Imported by: 0

Documentation

Index

Constants

View Source 
const INPUT = "input"

INPUT used as the standard input name across the project and forms

Variables

View Source 
var Templates = make(map[string]*template.Template)

Templates is the map we use to lookup the parsed templates based on filenames. It is intended for use for use by all frameworks supported by the bench.

View Source 
var Verbose bool

Verbose increases the verbosity of logging.

Functions

func FindViewsDir 

func FindViewsDir() (string, error)

FindViewsDir looks for the views dir, which contains our html templates. It looks in the current dir and its parents.

func FuncMap 

func FuncMap() template.FuncMap

FuncMap returns a map of functions for use from templates.

func GetCookieValue 

func GetCookieValue(r *http.Request, key string) string

GetCookieValue returns the input value for the given cookie

func GetFormValue 

func GetFormValue(r *http.Request, key string) string

GetFormValue returns the input value for the given key from the submitted form

func GetHeaderValue 

func GetHeaderValue(r *http.Request, key string) string

GetHeaderValue returns the input value from the given header

func GetParamValue 

func GetParamValue(r *http.Request, key string) string

GetParamValue returns the input value for the given key of a GET request query

func GetPathValue 

func GetPathValue(r *http.Request, positions ...int) string

GetPathValue returns element(s) from the given position(s) in the url, joined with '/'. Negative positions are allowed and start at the right.

func GetUserInput 

func GetUserInput(r *http.Request) (val string)

GetUserInput returns the first value found in the request with the key 'input'.

If none are found, it tries for a header with key 'credentials', and finally the last element in the url.

the order of precedence when getting the result is:

- query parameter

- form value

- cookie value

- header value

- credentials header

func LocateDir 

func LocateDir(dir string, maxTries int) (string, error)

LocateDir finds a dir with the given name and returns its path. The given name may contain a slash, i.e. 'cmd/go-swagger'.

func MethodFromInput 

func MethodFromInput(in string) string

MethodFromInput determines the http method from the input type.

func ParseViewTemplates 

func ParseViewTemplates() error

ParseViewTemplates is used to set up the template resources for use by std and go-swagger

func Register 

func Register(r Route)

Register adds one or more Endpoints to the global list of routes.

func Reset 

func Reset()

Reset clears AllRoutes and rmap. For testing.

Types

type ConstParams 

type ConstParams struct {
	Year      int
	Rulebar   RouteMap
	Addr      string
	Framework string
}

ConstParams are the page parameters that will not change during a run. Currently only used with the standard lib.

type HandlerFn 

type HandlerFn func(safety Safety, payload string, opaque interface{}) (data, mime string, status int)

HandlerFn is a framework-agnostic function to handle a vulnerable endpoint. `opaque` can be set to some framework-specific struct - for example, gin.Context.

Prefer statuses 200 (success), 400 (generic, expected error), and 500 (generic, unexpected error).

If a HandlerFn returns empty data, drivers should not write any data to the response.

func GenericHandler 

func GenericHandler(s *Sink) (HandlerFn, error)

GenericHandler returns a generic replacement for HandlerFn. It requires VulnerableFnWrapper and Sanitize to be set.

type LogWrapper 

type LogWrapper struct {
	// contains filtered or unexported fields
}

LogWrapper wraps log.Logger to work with the above logger interface. Errorf() and Fatalf() are equivalent.

func (*LogWrapper) Errorf 

func (w *LogWrapper) Errorf(f string, va ...interface{})

Errorf implements Logger.

func (*LogWrapper) Fatalf 

func (w *LogWrapper) Fatalf(f string, va ...interface{})

Fatalf implements Logger.

func (*LogWrapper) Logf 

func (w *LogWrapper) Logf(f string, va ...interface{})

Logf implements Logger.

type Logger 

type Logger interface {
	Logf(f string, va ...interface{})
	Errorf(f string, va ...interface{})
	Fatalf(f string, va ...interface{})
}

Logger contains selected methods of testing.TB

func NewLogWrapper 

func NewLogWrapper(l *log.Logger) Logger

NewLogWrapper creates a wrapper around log.Logger conforming to Logger.

type Parameters 

type Parameters struct {
	Name string
	ConstParams
}

Parameters includes ConstParams as well as anything page-specific. Currently only used with the standard lib.

type Route 

type Route struct {
	Name     string   // human-readable name
	Link     string   // owasp link
	Base     string   // short name, suitable for use in filename or URL - i.e. cmdInjection
	TmplFile string   // name of template used for non-result page; default is Base + '.gohtml'
	Products []string // relevant Contrast products
	Inputs   []string // input methods supported by this app: query, cookies, body, headers, headers-json, ...
	Sinks    []*Sink  // one per vulnerable function
	Payload  string   // must be set for the default template.
	// contains filtered or unexported fields
}

Route is the template information for a specific route

func (*Route) String 

func (r *Route) String() string

func (*Route) UsesGenericTmpl 

func (r *Route) UsesGenericTmpl() bool

UsesGenericTmpl returns true if the route uses the generic vulnerability template.

type RouteMap 

type RouteMap map[string]Route

RouteMap is a map from base path to Route

func GetRouteMap 

func GetRouteMap() RouteMap

GetRouteMap returns the already-populated RouteMap.

func PopulateRouteMap 

func PopulateRouteMap(routes Routes) RouteMap

PopulateRouteMap returns a RouteMap, for use in nav bar template.

type Routes 

type Routes []Route

Routes is a slice of Route 

var AllRoutes Routes

AllRoutes contains all "new" (not in json) routes.

func (Routes) Len 

func (rs Routes) Len() int

sortable for swagger code gen

func (Routes) Less 

func (rs Routes) Less(i, j int) bool

func (Routes) String 

func (rs Routes) String() string

func (Routes) Swap 

func (rs Routes) Swap(i, j int)

type Safety 

type Safety string

Safety indicates whether input to the vulnerable function will be sanitized or not, or if the vulnerable func will be bypassed entirely. 

const (
	// Unsafe indicates no sanitization will be performed.
	Unsafe Safety = "unsafe"
	// Safe indicates input will be sanitized.
	Safe Safety = "safe"
	// NOOP indicates the vulnerable function will not be called.
	NOOP Safety = "noop"
)

type SanitizerFn 

type SanitizerFn func(string) string

A SanitizerFn sanitizes the input string

type Sink 

type Sink struct {
	Name string
	URL  string

	// if nil, a generic handler is used and VulnerableFnWrapper and Sanitizer must
	// both be set
	Handler HandlerFn

	// a function that renders input safe; only used by the generic handler and only
	// when 'safe' mode is requested.
	//
	// for example: url.QueryEscape
	Sanitize SanitizerFn

	// the vulnerable function which may receive unsanitized input. Handler must be
	// nil when this is set.
	VulnerableFnWrapper VulnerableFnWrapper

	// the mime type used when VulnerableFnWrapper returns true for R1 (raw);
	// defaults to text/plain.
	RawMime string

	// http status that we expect to be returned for unsafe queries (used in testing)
	// defaults to http.StatusOK if unset
	ExpectedUnsafeStatus int
}

Sink is a struct that identifies the name of the sink, the associated URL, and what handler/sanitizer to use.

func (*Sink) AddPayloadToRequest 

func (s *Sink) AddPayloadToRequest(req *http.Request, inputType, key, payload string)

AddPayloadToRequest adds user controllable data to the request r. The data type can be configured with inputType. If inputType is not supported, the program exits. You can also specify the key and value of the data to be added to the request. If key is empty, "input" is used.

func (*Sink) String 

func (s *Sink) String() string

type VulnerableFnWrapper 

type VulnerableFnWrapper func(opaque interface{}, payload string) (data string, raw bool, err error)

VulnerableFnWrapper is a function wrapping something vulnerable. Used to adapt things for use with GenericHandler. 'raw' indicates data should be sent verbatim, not decorated.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.