zaproxy · psiinon · Mar 28, 2023 · Mar 28, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,6 +16,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Fixed
 - active/User defined attacks.js - correctly escape dot character in some evidence strings.
+- targeted/curl_command_generator.js - prevent and warn on local file inclusion when generating the command.
+  Thanks to James Kettle (@albinowax) for reporting.
 
 ## [15] - 2022-10-02
 ### Added

diff --git a/targeted/curl_command_generator.js b/targeted/curl_command_generator.js
@@ -7,22 +7,36 @@ function invokeWith(msg) {
 	var string = "curl -i -s -k -X  '"+msg.getRequestHeader().getMethod()+"'  \\\n";
 	var header = msg.getRequestHeader().getHeadersAsString();
 	header = header.split(msg.getRequestHeader().getLineDelimiter());
+	var suspiciousHeaders = false;
 	for(var i=0;i<header.length;i++){
+		var headerEntry = header[i].trim()
+		if (headerEntry.startsWith("@")) {
+			suspiciousHeaders = true;
+		}
 		//blacklisting Host (other blacklisting should also specify here
-		var keyval = header[i].split(":");
+		var keyval = headerEntry.split(":");
 		if(keyval[0].trim() != "Host")
-			string += " -H '"+header[i].trim()+"' ";
+			string += " -H '"+headerEntry+"' ";
 	}
 	string += " \\\n";
 	var body = msg.getRequestBody().toString();
 	if(body.length() != 0){
-		string += "--data-binary $'"+addSlashes(body)+"' \\\n";
+		string += "--data-raw $'"+addSlashes(body)+"' \\\n";
 	}
 	string += "'"+msg.getRequestHeader().getURI().toString()+"'";
-	var selected = new java.awt.datatransfer.StringSelection(string);
-	var clipboard = java.awt.Toolkit.getDefaultToolkit().getSystemClipboard();
-	clipboard.setContents(selected,null);
+
+	if (!suspiciousHeaders) {
+		var selected = new java.awt.datatransfer.StringSelection(string);
+		var clipboard = java.awt.Toolkit.getDefaultToolkit().getSystemClipboard();
+		clipboard.setContents(selected,null);
+	}
 	print (string);
+
+	if (suspiciousHeaders) {
+		print("\n**WARNING**");
+		print("The generated command might be including a local file (e.g. `@/path/to/file`) in a header, carefully review the command before executing it.");
+		print("Note: The command was *not* added to the clipboard.\n");
+	}
 }
 
 function addSlashes(body){