From 0917068048eca8316b5c066e00613d002566beaa Mon Sep 17 00:00:00 2001 From: Mzack9999 Date: Mon, 19 Apr 2021 00:40:51 +0200 Subject: [PATCH 1/9] begin of work on pseudo-sandbox mode --- internal/runner/options.go | 4 +++ internal/runner/runner.go | 2 ++ pkg/httpserver/httpserver.go | 22 +++++++++++++-- pkg/httpserver/loglayer.go | 44 ++++++++++++++++++++++++++++- pkg/httpserver/sandboxfs.go | 55 ++++++++++++++++++++++++++++++++++++ pkg/httpserver/util.go | 5 ++++ 6 files changed, 129 insertions(+), 3 deletions(-) create mode 100644 pkg/httpserver/sandboxfs.go create mode 100644 pkg/httpserver/util.go diff --git a/internal/runner/options.go b/internal/runner/options.go index bf69db3..78f8579 100644 --- a/internal/runner/options.go +++ b/internal/runner/options.go @@ -29,6 +29,8 @@ type Options struct { TCPWithTLS bool Version bool Silent bool + Sandbox bool + MaxFileSize int } // ParseOptions parses the command line options for application @@ -49,6 +51,8 @@ func ParseOptions() *Options { flag.StringVar(&options.Realm, "realm", "Please enter username and password", "Realm") flag.BoolVar(&options.Version, "version", false, "Show version of the software") flag.BoolVar(&options.Silent, "silent", false, "Show only results in the output") + flag.BoolVar(&options.Sandbox, "sandbox", false, "Enable sandbox mode") + flag.IntVar(&options.MaxFileSize, "max-file-size", 50, "Max Upload File Size") flag.Parse() diff --git a/internal/runner/runner.go b/internal/runner/runner.go index 7d69e25..5806044 100644 --- a/internal/runner/runner.go +++ b/internal/runner/runner.go @@ -57,6 +57,8 @@ func New(options *Options) (*Runner, error) { BasicAuthPassword: r.options.password, BasicAuthReal: r.options.Realm, Verbose: r.options.Verbose, + Sandbox: r.options.Sandbox, + MaxFileSize: r.options.MaxFileSize, }) if err != nil { return nil, err diff --git a/pkg/httpserver/httpserver.go b/pkg/httpserver/httpserver.go index d516caf..72da466 100644 --- a/pkg/httpserver/httpserver.go +++ b/pkg/httpserver/httpserver.go @@ -1,7 +1,10 @@ package httpserver import ( + "errors" "net/http" + "os" + "path/filepath" "github.com/projectdiscovery/sslcert" ) @@ -19,6 +22,8 @@ type Options struct { BasicAuthPassword string BasicAuthReal string Verbose bool + Sandbox bool + MaxFileSize int // 50Mb } // HTTPServer instance @@ -32,9 +37,22 @@ func New(options *Options) (*HTTPServer, error) { var h HTTPServer EnableUpload = options.EnableUpload EnableVerbose = options.Verbose - h.layers = h.loglayer(http.FileServer(http.Dir(options.Folder))) + folder, err := filepath.Abs(options.Folder) + if err != nil { + return nil, err + } + if _, err := os.Stat(folder); os.IsNotExist(err) { + return nil, errors.New("path does not exist") + } + options.Folder = folder + var dir http.FileSystem + dir = http.Dir(options.Folder) + if options.Sandbox { + dir = SandboxFileSystem{fs: http.Dir(options.Folder), RootFolder: options.Folder} + } + h.layers = h.loglayer(http.FileServer(dir)) if options.BasicAuthUsername != "" || options.BasicAuthPassword != "" { - h.layers = h.loglayer(h.basicauthlayer(http.FileServer(http.Dir(options.Folder)))) + h.layers = h.loglayer(h.basicauthlayer(http.FileServer(dir))) } h.options = options diff --git a/pkg/httpserver/loglayer.go b/pkg/httpserver/loglayer.go index 1e64b8f..75f4ba6 100644 --- a/pkg/httpserver/loglayer.go +++ b/pkg/httpserver/loglayer.go @@ -6,6 +6,7 @@ import ( "net/http" "net/http/httputil" "path" + "path/filepath" "github.com/projectdiscovery/gologger" ) @@ -24,13 +25,54 @@ func (t *HTTPServer) loglayer(handler http.Handler) http.Handler { // Handles file write if enabled if EnableUpload && r.Method == http.MethodPut { - data, err := ioutil.ReadAll(r.Body) + // sandbox - calcolate absolute path + if t.options.Sandbox { + absPath, err := filepath.Abs(filepath.Join(t.options.Folder, r.URL.Path)) + if err != nil { + gologger.Print().Msgf("%s\n", err) + w.WriteHeader(http.StatusBadRequest) + return + } + // check if the path is within the configured folder + pattern := t.options.Folder + string(filepath.Separator) + "*" + matched, err := filepath.Match(pattern, absPath) + if err != nil { + gologger.Print().Msgf("%s\n", err) + w.WriteHeader(http.StatusBadRequest) + return + } else if !matched { + gologger.Print().Msg("pointing to unauthorized directory") + w.WriteHeader(http.StatusBadRequest) + return + } + } + + var ( + data []byte + err error + ) + if t.options.Sandbox { + maxFileSize := toMb(t.options.MaxFileSize) + // check header content length + if r.ContentLength > maxFileSize { + gologger.Print().Msg("request too large") + return + } + // body max length + r.Body = http.MaxBytesReader(w, r.Body, maxFileSize) + } + + data, err = ioutil.ReadAll(r.Body) if err != nil { gologger.Print().Msgf("%s\n", err) + w.WriteHeader(http.StatusInternalServerError) + return } err = handleUpload(path.Base(r.URL.Path), data) if err != nil { gologger.Print().Msgf("%s\n", err) + w.WriteHeader(http.StatusInternalServerError) + return } } diff --git a/pkg/httpserver/sandboxfs.go b/pkg/httpserver/sandboxfs.go new file mode 100644 index 0000000..41fcadf --- /dev/null +++ b/pkg/httpserver/sandboxfs.go @@ -0,0 +1,55 @@ +package httpserver + +import ( + "errors" + "net/http" + "path/filepath" +) + +type SandboxFileSystem struct { + fs http.FileSystem + RootFolder string +} + +func (sbfs SandboxFileSystem) Open(path string) (http.File, error) { + abspath, err := filepath.Abs(filepath.Join(sbfs.RootFolder, path)) + if err != nil { + return nil, err + } + + filename := filepath.Base(abspath) + // rejects names starting with a dot like .file + dotmatch, err := filepath.Match(".*", filename) + if err != nil { + return nil, err + } else if dotmatch { + return nil, errors.New("invalid file") + } + + // reject symlinks + symlinkCheck, err := filepath.EvalSymlinks(abspath) + if err != nil { + return nil, err + } + if symlinkCheck != abspath { + return nil, errors.New("symlinks not allowed") + } + + // check if the path is within the configured folder + if sbfs.RootFolder != abspath { + pattern := sbfs.RootFolder + string(filepath.Separator) + "*" + matched, err := filepath.Match(pattern, abspath) + if err != nil { + return nil, err + } else if !matched { + return nil, errors.New("invalid file") + } + } + + f, err := sbfs.fs.Open(path) + if err != nil { + return nil, err + } + + return f, nil +} diff --git a/pkg/httpserver/util.go b/pkg/httpserver/util.go new file mode 100644 index 0000000..4c69d6f --- /dev/null +++ b/pkg/httpserver/util.go @@ -0,0 +1,5 @@ +package httpserver + +func toMb(n int) int64 { + return int64(n) * 1024 * 1024 +} From a8c31d49cbf355a165b85725fbf631b1bd46f978 Mon Sep 17 00:00:00 2001 From: Mzack9999 Date: Mon, 19 Apr 2021 00:53:04 +0200 Subject: [PATCH 2/9] adding missing comments --- pkg/httpserver/sandboxfs.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/httpserver/sandboxfs.go b/pkg/httpserver/sandboxfs.go index 41fcadf..cde5c04 100644 --- a/pkg/httpserver/sandboxfs.go +++ b/pkg/httpserver/sandboxfs.go @@ -6,11 +6,13 @@ import ( "path/filepath" ) +// SandboxFileSystem implements superbasic security checks type SandboxFileSystem struct { fs http.FileSystem RootFolder string } +// Open performs basic security checks before providing folder/file content func (sbfs SandboxFileSystem) Open(path string) (http.File, error) { abspath, err := filepath.Abs(filepath.Join(sbfs.RootFolder, path)) if err != nil { From 0e6bfeeeb800eeb5f770cd09adbfacd9ce463180 Mon Sep 17 00:00:00 2001 From: Mzack9999 Date: Wed, 26 May 2021 00:34:47 +0200 Subject: [PATCH 3/9] Deprecating golint --- .github/workflows/build.yaml | 4 +- .golangci.yml | 118 ----------------------------------- 2 files changed, 2 insertions(+), 120 deletions(-) delete mode 100644 .golangci.yml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 8d43441..70b19c6 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -12,10 +12,10 @@ jobs: - name: Checkout code uses: actions/checkout@v2 - name: Run golangci-lint - uses: golangci/golangci-lint-action@v2.5.2 + uses: golangci/golangci-lint-action@v2 with: # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version. - version: v1.31 + version: latest args: --timeout 5m build: diff --git a/.golangci.yml b/.golangci.yml deleted file mode 100644 index 31b66f3..0000000 --- a/.golangci.yml +++ /dev/null @@ -1,118 +0,0 @@ -linters-settings: - dupl: - threshold: 100 - exhaustive: - default-signifies-exhaustive: false - # funlen: - # lines: 100 - # statements: 50 - goconst: - min-len: 2 - min-occurrences: 2 - gocritic: - enabled-tags: - - diagnostic - - experimental - - opinionated - - performance - - style - disabled-checks: - - dupImport # https://github.com/go-critic/go-critic/issues/845 - - ifElseChain - # gocyclo: - # min-complexity: 15 - goimports: - local-prefixes: github.com/golangci/golangci-lint - golint: - min-confidence: 0 - gomnd: - settings: - mnd: - # don't include the "operation" and "assign" - checks: argument,case,condition,return - govet: - check-shadowing: true - settings: - printf: - funcs: - - (github.com/golangci/golangci-lint/pkg/logutils.Log).Infof - - (github.com/golangci/golangci-lint/pkg/logutils.Log).Warnf - - (github.com/golangci/golangci-lint/pkg/logutils.Log).Errorf - - (github.com/golangci/golangci-lint/pkg/logutils.Log).Fatalf - # lll: - # line-length: 140 - misspell: - locale: US - nolintlint: - allow-leading-space: true # don't require machine-readable nolint directives (i.e. with no leading space) - allow-unused: false # report any unused nolint directives - require-explanation: false # don't require an explanation for nolint directives - require-specific: false # don't require nolint directives to be specific about which linter is being skipped - -linters: - # please, do not use `enable-all`: it's deprecated and will be removed soon. - # inverted configuration with `enable-all` and `disable` is not scalable during updates of golangci-lint - disable-all: true - enable: - - bodyclose - - deadcode - - dogsled - - dupl - - errcheck - - exhaustive - - gochecknoinits - - goconst - - gocritic - - gofmt - - goimports - - golint - - gomnd - - goprintffuncname - - gosimple - - govet - - ineffassign - - misspell - - nakedret - - noctx - - nolintlint - - rowserrcheck - - exportloopref - - staticcheck - - structcheck - - stylecheck - - typecheck - - unconvert - - unparam - - unused - - varcheck - - whitespace - - # don't enable: - # - depguard - # - asciicheck - # - funlen - # - gochecknoglobals - # - gocognit - # - gocyclo - # - godot - # - godox - # - goerr113 - # - gosec - # - lll - # - nestif - # - prealloc - # - testpackage - # - wsl - -issues: - exclude-use-default: false - exclude: - # should have a package comment, unless it's in another file for this package (golint) - - 'in another file for this package' - -# golangci.com configuration -# https://github.com/golangci/golangci/wiki/Configuration -service: - golangci-lint-version: 1.31.x # use the fixed version to not introduce new linters unexpectedly - prepare: - - echo "here I can run custom commands, but no preparation needed for this repo" From 74c20cef99513c7ef98b79b1155e64762bc70a09 Mon Sep 17 00:00:00 2001 From: mzack Date: Wed, 16 Jun 2021 18:23:52 +0200 Subject: [PATCH 4/9] adding additional checks --- internal/runner/options.go | 6 +++++- pkg/httpserver/loglayer.go | 2 +- pkg/httpserver/uploadlayer.go | 20 ++++++++++++++++++-- 3 files changed, 24 insertions(+), 4 deletions(-) diff --git a/internal/runner/options.go b/internal/runner/options.go index 78f8579..a5869d6 100644 --- a/internal/runner/options.go +++ b/internal/runner/options.go @@ -40,7 +40,11 @@ func ParseOptions() *Options { flag.BoolVar(&options.EnableTCP, "tcp", false, "TCP Server") flag.BoolVar(&options.TCPWithTLS, "tls", false, "Enable TCP TLS") flag.StringVar(&options.RulesFile, "rules", "", "Rules yaml file") - flag.StringVar(&options.Folder, "path", ".", "Folder") + currentPath := "." + if p, err := os.Getwd(); err == nil { + currentPath = p + } + flag.StringVar(&options.Folder, "path", currentPath, "Folder") flag.BoolVar(&options.EnableUpload, "upload", false, "Enable upload via PUT") flag.BoolVar(&options.HTTPS, "https", false, "HTTPS") flag.StringVar(&options.TLSCertificate, "cert", "", "HTTPS Certificate") diff --git a/pkg/httpserver/loglayer.go b/pkg/httpserver/loglayer.go index 75f4ba6..0e1a87a 100644 --- a/pkg/httpserver/loglayer.go +++ b/pkg/httpserver/loglayer.go @@ -68,7 +68,7 @@ func (t *HTTPServer) loglayer(handler http.Handler) http.Handler { w.WriteHeader(http.StatusInternalServerError) return } - err = handleUpload(path.Base(r.URL.Path), data) + err = handleUpload(t.options.Folder, path.Base(r.URL.Path), data) if err != nil { gologger.Print().Msgf("%s\n", err) w.WriteHeader(http.StatusInternalServerError) diff --git a/pkg/httpserver/uploadlayer.go b/pkg/httpserver/uploadlayer.go index 2663fba..928ac60 100644 --- a/pkg/httpserver/uploadlayer.go +++ b/pkg/httpserver/uploadlayer.go @@ -1,7 +1,23 @@ package httpserver -import "io/ioutil" +import ( + "errors" + "io/ioutil" + "path/filepath" + "strings" +) + +func handleUpload(base, file string, data []byte) error { + // rejects all paths containing a non exhaustive list of invalid characters - This is only a best effort as the tool is meant for development + if strings.ContainsAny(file, "\\`\"':") { + return errors.New("invalid character") + } + + // allow upload only in subfolders + rel, err := filepath.Rel(base, file) + if rel == "" || err != nil { + return err + } -func handleUpload(file string, data []byte) error { return ioutil.WriteFile(file, data, 0655) } From 5efe87f3af8697acb31dbbba50628a040cdb0191 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Jul 2021 12:03:30 +0000 Subject: [PATCH 5/9] chore(deps): bump golang from 1.16-alpine to 1.16.6-alpine Bumps golang from 1.16-alpine to 1.16.6-alpine. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 806904b..1f80a97 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.16-alpine as build-env +FROM golang:1.16.6-alpine as build-env RUN GO111MODULE=on go get -v github.com/projectdiscovery/simplehttpserver/cmd/simplehttpserver FROM alpine:latest From 42ca7aa08772af77dc3db44f27c3cdac54425793 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Jul 2021 12:04:09 +0000 Subject: [PATCH 6/9] chore(deps): bump golang from 1.16-alpine to 1.16.6-alpine Bumps golang from 1.16-alpine to 1.16.6-alpine. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 806904b..1f80a97 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.16-alpine as build-env +FROM golang:1.16.6-alpine as build-env RUN GO111MODULE=on go get -v github.com/projectdiscovery/simplehttpserver/cmd/simplehttpserver FROM alpine:latest From 37af337de65d69cbb15eab5bcb1dfe96bd0392df Mon Sep 17 00:00:00 2001 From: sandeep Date: Wed, 28 Jul 2021 21:26:33 +0530 Subject: [PATCH 7/9] Updated workflow --- .github/dependabot.yml | 5 ++- .github/workflows/build-test.yml | 27 ++++++++++++ .github/workflows/build.yaml | 39 ------------------ .github/workflows/codeql-analysis.yml | 38 +++++++++++++++++ .github/workflows/dockerhub-push.yml | 41 +++++++++++++------ .github/workflows/lint-test.yml | 19 +++++++++ .../{release.yml => release-binary.yml} | 8 ++-- 7 files changed, 122 insertions(+), 55 deletions(-) create mode 100644 .github/workflows/build-test.yml delete mode 100644 .github/workflows/build.yaml create mode 100644 .github/workflows/codeql-analysis.yml create mode 100644 .github/workflows/lint-test.yml rename .github/workflows/{release.yml => release-binary.yml} (80%) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4d5617f..69d9543 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -11,6 +11,7 @@ updates: directory: "/" schedule: interval: "weekly" + target-branch: "dev" commit-message: prefix: "chore" include: "scope" @@ -20,6 +21,7 @@ updates: directory: "/" schedule: interval: "weekly" + target-branch: "dev" commit-message: prefix: "chore" include: "scope" @@ -29,6 +31,7 @@ updates: directory: "/" schedule: interval: "weekly" + target-branch: "dev" commit-message: prefix: "chore" - include: "scope" + include: "scope" \ No newline at end of file diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml new file mode 100644 index 0000000..6bfe472 --- /dev/null +++ b/.github/workflows/build-test.yml @@ -0,0 +1,27 @@ +name: 🔨 Build Test +on: + push: + pull_request: + workflow_dispatch: + + +jobs: + build: + name: Test Builds + runs-on: ubuntu-latest + steps: + - name: Set up Go + uses: actions/setup-go@v2 + with: + go-version: 1.15 + + - name: Check out code + uses: actions/checkout@v2 + + - name: Test + run: go test . + working-directory: cmd/simplehttpserver/ + + - name: Build + run: go build . + working-directory: cmd/simplehttpserver/ \ No newline at end of file diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml deleted file mode 100644 index 70b19c6..0000000 --- a/.github/workflows/build.yaml +++ /dev/null @@ -1,39 +0,0 @@ -name: Build -on: - push: - branches: - - master - pull_request: - -jobs: - golangci-lint: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v2 - - name: Run golangci-lint - uses: golangci/golangci-lint-action@v2 - with: - # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version. - version: latest - args: --timeout 5m - - build: - name: Build - runs-on: ubuntu-latest - steps: - - name: Set up Go - uses: actions/setup-go@v2 - with: - go-version: 1.14 - - - name: Check out code - uses: actions/checkout@v2 - - - name: Test - run: go test . - working-directory: cmd/simplehttpserver - - - name: Build - run: go build . - working-directory: cmd/simplehttpserver/ diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000..545cdea --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,38 @@ +name: 🚨 CodeQL Analysis + +on: + workflow_dispatch: + pull_request: + branches: + - dev + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'go' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: + languages: ${{ matrix.language }} + + - name: Autobuild + uses: github/codeql-action/autobuild@v1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 \ No newline at end of file diff --git a/.github/workflows/dockerhub-push.yml b/.github/workflows/dockerhub-push.yml index b46f4e0..49369db 100644 --- a/.github/workflows/dockerhub-push.yml +++ b/.github/workflows/dockerhub-push.yml @@ -1,17 +1,34 @@ -# dockerhub-push pushes docker build to dockerhub automatically -# on the creation of a new release -name: Publish to Dockerhub on creation of a new release -on: +name: 🌥 Docker Push + +on: release: types: [published] + workflow_dispatch: + jobs: - build: + docker: runs-on: ubuntu-latest steps: - - uses: actions/checkout@master - - name: Publish to Dockerhub Registry - uses: elgohr/Publish-Docker-Github-Action@master - with: - name: projectdiscovery/simplehttpserver - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} \ No newline at end of file + - + name: Checkout + uses: actions/checkout@v2 + - + name: Set up QEMU + uses: docker/setup-qemu-action@v1 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v1 + - + name: Login to DockerHub + uses: docker/login-action@v1 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_TOKEN }} + - + name: Build and push + uses: docker/build-push-action@v2 + with: + context: . + platforms: linux/amd64,linux/arm64,linux/arm + push: true + tags: projectdiscovery/simplehttpserver:latest \ No newline at end of file diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml new file mode 100644 index 0000000..794d073 --- /dev/null +++ b/.github/workflows/lint-test.yml @@ -0,0 +1,19 @@ +name: 🙏🏻 Lint Test +on: + push: + pull_request: + workflow_dispatch: + +jobs: + lint: + name: Lint Test + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v2 + - name: Run golangci-lint + uses: golangci/golangci-lint-action@v2 + with: + version: latest + args: --timeout 5m + working-directory: . \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release-binary.yml similarity index 80% rename from .github/workflows/release.yml rename to .github/workflows/release-binary.yml index 70cb60a..6fe8c82 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release-binary.yml @@ -1,8 +1,9 @@ -name: Release +name: 🎉 Release Binary on: create: tags: - v* + workflow_dispatch: jobs: release: @@ -17,7 +18,7 @@ jobs: name: "Set up Go" uses: actions/setup-go@v2 with: - go-version: 1.14 + go-version: 1.16 - env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" @@ -25,4 +26,5 @@ jobs: uses: goreleaser/goreleaser-action@v2 with: args: "release --rm-dist" - version: latest \ No newline at end of file + version: latest + workdir: . \ No newline at end of file From a40ede72ac439c69da106a86ab2a94d55bcf2429 Mon Sep 17 00:00:00 2001 From: sandeep Date: Wed, 28 Jul 2021 21:29:40 +0530 Subject: [PATCH 8/9] version update --- internal/runner/banner.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/runner/banner.go b/internal/runner/banner.go index a6b729d..9093db8 100644 --- a/internal/runner/banner.go +++ b/internal/runner/banner.go @@ -8,11 +8,11 @@ const banner = ` \__ \/ / __ -__ \/ __ \/ / _ \/ /_/ / / / / / / /_/ / ___/ _ \/ ___/ | / / _ \/ ___/ ___/ / / / / / / / /_/ / / __/ __ / / / / / / ____(__ ) __/ / | |/ / __/ / /____/_/_/ /_/ /_/ .___/_/\___/_/ /_/ /_/ /_/ /_/ /____/\___/_/ |___/\___/_/ - /_/ - v0.0.3 + /_/ - v0.0.4 ` // Version is the current version -const Version = `0.0.3` +const Version = `0.0.4` // showBanner is used to show the banner to the user func showBanner() { From 5ae0683445932534dbe508ea068c5c98ab6fd8d6 Mon Sep 17 00:00:00 2001 From: sandeep Date: Wed, 28 Jul 2021 21:46:34 +0530 Subject: [PATCH 9/9] readme update and notes --- README.md | 60 ++++++++++++++++++++++++++++++------------------------- 1 file changed, 33 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index fba4ea3..5580afc 100644 --- a/README.md +++ b/README.md @@ -26,9 +26,9 @@ SimpleHTTPserver is a go enhanced version of the well known python simplehttpser # Features -- HTTPS support -- File server in arbitrary directory -- Full request/response dump +- HTTP/S Web Server +- File Server with arbitrary directory support +- HTTP request/response dump - Configurable ip address and listening port - Configurable HTTP/TCP server with customizable response via YAML template @@ -38,7 +38,7 @@ SimpleHTTPserver is a go enhanced version of the well known python simplehttpser SimpleHTTPserver requires **go1.14+** to install successfully. Run the following command to get the repo - ```sh -▶ GO111MODULE=on go get -v github.com/projectdiscovery/simplehttpserver/cmd/simplehttpserver +GO111MODULE=on go get -v github.com/projectdiscovery/simplehttpserver/cmd/simplehttpserver ``` # Usage @@ -49,30 +49,33 @@ simplehttpserver -h This will display help for the tool. Here are all the switches it supports. -| Flag | Description | Example | -| ----------- | -------------------------------------------------------------------- | ------------------------------------------------- | -| listen | Configure listening ip:port (default 127.0.0.1:8000) | simplehttpserver -listen 127.0.0.1:8000 | -| path | Fileserver folder (default current directory) | simplehttpserver -path /var/docs | -| verbose | Verbose (dump request/response, default false) | simplehttpserver -verbose | -| tcp | TCP server (default 127.0.0.1:8000) | simplehttpserver -tcp 127.0.0.1:8000 | -| tls | Enable TLS for TCP server | simplehttpserver -tls | -| rules | File containing yaml rules | simplehttpserver -rules rule.yaml | -| upload | Enable file upload in case of http server | simplehttpserver -upload | -| https | Enable HTTPS in case of http server | simplehttpserver -https | -| cert | HTTPS/TLS certificate (self generated if not specified) | simplehttpserver -cert cert.pem | -| key | HTTPS/TLS certificate private key (self generated if not specified) | simplehttpserver -key cert.key | -| domain | Domain name to use for the self-generated certificate | simplehttpserver -domain projectdiscovery.io | -| basic-auth | Basic auth (username:password) | simplehttpserver -basic-auth user:password | -| realm | Basic auth message | simplehttpserver -realm "insert the credentials" | -| version | Show version | simplehttpserver -version | -| silent | Show only results | simplehttpserver -silent | +| Flag | Description | Example | +| ------------- | ------------------------------------------------------- | ------------------------------------------------ | +| listen | Configure listening ip:port (default 127.0.0.1:8000) | simplehttpserver -listen 127.0.0.1:8000 | +| path | Fileserver folder (default current directory) | simplehttpserver -path /var/docs | +| verbose | Verbose (dump request/response, default false) | simplehttpserver -verbose | +| tcp | TCP server (default 127.0.0.1:8000) | simplehttpserver -tcp 127.0.0.1:8000 | +| tls | Enable TLS for TCP server | simplehttpserver -tls | +| rules | File containing yaml rules | simplehttpserver -rules rule.yaml | +| upload | Enable file upload in case of http server | simplehttpserver -upload | +| max-file-size | Max Upload File Size (default 50 MB) | simplehttpserver -max-file-size 100 | +| sandbox | Enable sandbox mode | simplehttpserver -sandbox | +| https | Enable HTTPS in case of http server | simplehttpserver -https | +| cert | HTTPS/TLS certificate (self generated if not specified) | simplehttpserver -cert cert.pem | +| key | HTTPS/TLS certificate private key | simplehttpserver -key cert.key | +| domain | Domain name to use for the self-generated certificate | simplehttpserver -domain projectdiscovery.io | +| basic-auth | Basic auth (username:password) | simplehttpserver -basic-auth user:password | +| realm | Basic auth message | simplehttpserver -realm "insert the credentials" | +| version | Show version | simplehttpserver -version | +| silent | Show only results | simplehttpserver -silent | ### Running simplehttpserver in the current folder This will run the tool exposing the current directory on port 8000 ```sh -▶ simplehttpserver +simplehttpserver + 2021/01/11 21:40:48 Serving . on http://0.0.0.0:8000/... 2021/01/11 21:41:15 [::1]:50181 "GET / HTTP/1.1" 200 383 2021/01/11 21:41:15 [::1]:50181 "GET /favicon.ico HTTP/1.1" 404 19 @@ -83,7 +86,8 @@ This will run the tool exposing the current directory on port 8000 This will run the tool exposing the current directory on port 8000 over HTTPS with user provided certificate: ```sh -▶ simplehttpserver -https -cert cert.pen -key cert.key +simplehttpserver -https -cert cert.pen -key cert.key + 2021/01/11 21:40:48 Serving . on http://0.0.0.0:8000/... 2021/01/11 21:41:15 [::1]:50181 "GET / HTTP/1.1" 200 383 2021/01/11 21:41:15 [::1]:50181 "GET /favicon.ico HTTP/1.1" 404 19 @@ -91,7 +95,8 @@ This will run the tool exposing the current directory on port 8000 over HTTPS wi Instead, to run with self-signed certificate and specific domain name: ```sh -▶ simplehttpserver -https -domain localhost +simplehttpserver -https -domain localhost + 2021/01/11 21:40:48 Serving . on http://0.0.0.0:8000/... 2021/01/11 21:41:15 [::1]:50181 "GET / HTTP/1.1" 200 383 2021/01/11 21:41:15 [::1]:50181 "GET /favicon.ico HTTP/1.1" 404 19 @@ -102,13 +107,14 @@ Instead, to run with self-signed certificate and specific domain name: This will run the tool and will request the user to enter username and password before authorizing file uploads ```sh -▶ simplehttpserver -basic-auth root:root -upload +simplehttpserver -basic-auth root:root -upload + 2021/01/11 21:40:48 Serving . on http://0.0.0.0:8000/... ``` To upload files use the following curl request with basic auth header: ```sh -▶ curl -v --user 'root:root' --upload-file file.txt http://localhost:8000/file.txt +curl -v --user 'root:root' --upload-file file.txt http://localhost:8000/file.txt ``` ### Running TCP server with custom responses @@ -116,7 +122,7 @@ To upload files use the following curl request with basic auth header: This will run the tool as TLS TCP server and enable custom responses based on YAML templates: ```sh -▶ simplehttpserver -rule rules.yaml -tcp -tls -domain localhost +simplehttpserver -rule rules.yaml -tcp -tls -domain localhost ``` The rules are written as follows: