Always use module cache for searching

[adfoster-r7]

This pull request updates the slow module search to use the module cache.

Verification

1 - Console search

Open the console, and ensure that normal search functionality works as expected:

search monkey
search author:egypt arch:x64
search psexec author:egypt arch:x64

2 - rpcd

Create an instance of msfrpcd in one tab:

bundle exec ruby ./msfrpcd -P foo -f

In another create the client:

bundle exec ./ruby msfrpc -P foo -a 127.0.0.1

Ensure search works as expected, and aligns with the existing msfconsole search functionality:

rpc.call("module.search", "monkey")
rpc.call("module.search", "author:egypt arch:x64")
rpc.call("module.search", "psexec author:egypt arch:x64")

3 - json web service

The existing webservice should not be impacted by this code change, but for a sanity check - run the service with:

bundle exec thin --rackup msf-json-rpc.ru --address localhost --port 8081 --environment production --tag msf-json-rpc start

Run some search queries:

curl --request POST --url http://localhost:8081/api/v1/json-rpc --header 'content-type: application/json' --data '{ "jsonrpc": "2.0", "method": "module.search", "id": 1, "params": ["monkey"] }'
curl --request POST --url http://localhost:8081/api/v1/json-rpc --header 'content-type: application/json' --data '{ "jsonrpc": "2.0", "method": "module.search", "id": 1, "params": ["author:egypt arch:x64"] }'
curl --request POST --url http://localhost:8081/api/v1/json-rpc --header 'content-type: application/json' --data '{ "jsonrpc": "2.0", "method": "module.search", "id": 1, "params": ["psexec author:egypt arch:x64"] }'

[adfoster-r7]

I believe this is dead, and was only being used by tests

[adfoster-r7]

This is the existing parse string functionality lifted from command_dispatcher/modules.rb

[adfoster-r7]

I've decided to port over the existing slow search tests and I've tried to keep as close to the original specification as I could, to ensure there was no unintentional regressions introduced. In a future PR I'll most likely expand/change these tests.

[adfoster-r7]

The new search cache has stricter validation, this test was previously producing invalid query strings which aren't supported by the search mechanism such as:

-os:osx

For the scope of these tests, the new inverse_query_terms just needs to support the translation to negating terms:

os:-osx

[adfoster-r7]

expect(subject.search_filter("-#{query}")).to be_truthy # what? why?

I've updated this to verify the exact module that's been returned, rather than using be_truthy

[adfoster-r7]

Previously these opts were used to hydrate a module, now they're hydrating the search cache - as a result I've had to update some of the keys.

[adfoster-r7]

An empty search query will now result in all modules being returned, which aligns with the previous search functionality offered by framework's slow search / the old rpc search - #8606

The console never went down this path, as there's a guard clause in the dispatcher:

metasploit-framework/lib/msf/ui/console/command_dispatcher/modules.rb

Lines 411 to 418 in 2e887a8

	if args.empty?
	if @module_search_results.empty?
	cmd_search_help
	return false
	end
	cached = true
	end

So this feels like a safe/valid change to make 🤞

[dwelch-r7]

not sure why you're adding a space to the end of this only to split on spaces on the next line, it doesn't make a difference right?

[adfoster-r7]

This was copied from the original implementation, I noticed this problem on the RPC service, with the input:

author:egypt arch:x64

This parsing method gives the following result:

=> {"author"=>[["egypt arch:x64"], []]}

With the extra space appended, it gives the expected result of:

=> {"author"=>[["egypt"], []], "arch"=>[["x64"], []]}

I'll add a unit test to make sure this scenario is caught correctly.

[adfoster-r7]

Tests added. The tests were red without this line:

Failure/Error: it { expect(described_class.parse_search_string("author:egypt arch:x64")).to eq({"author"=>[["egypt"], []], "arch"=>[["x64"], []]}) }
     
       expected: {"arch"=>[["x64"], []], "author"=>[["egypt"], []]}
            got: {"author"=>[["egypt arch:x64"], []]}
     
       (compared using ==)
     
       Diff:
       @@ -1,3 +1,2 @@
       -"arch" => [["x64"], []],
       -"author" => [["egypt"], []],
       +"author" => [["egypt arch:x64"], []],

And now it's green with the line added back in 👍

[dwelch-r7]

metasploit-framework/lib/msf/ui/console/command_dispatcher/modules.rb

Line 496 in 9bd98f9

def parse_search_string(search_string)

isn't this where you got the code from? unless I'm missing something no space is being added to the search term

[adfoster-r7]

The addition of the space is from the slow search that I'm unifying:

metasploit-framework/lib/msf/core/module/search.rb

Lines 12 to 16 in 9bd98f9

	def search_filter(search_string)
	return false if not search_string
	search_string += " "

[dwelch-r7]

ah gotcha, that one has a guard clause, does that need added in here too? or are we stopping nil being passed in from elsewhere

[adfoster-r7]

It's technically possible to provide nil via a message pack rpc call. I've updated this to handle nil, and added tests for an entirely empty string too. A nil search string will now result in empty search params, and thus return all modules.

[adfoster-r7]

Release notes

Greatly improved the performance of Metasploit Framework's module.search rpc call by searching the module cache instead of Framework's previous slow search functionality.