added two new options to the forced-browse add-on. #1534
Haven't tested it yet, here are a few things.
List<String> extensionsToMissList = new ArrayList<>(); | ||
for (String extensionToMiss: extensionsToMiss.replaceAll("\\s", | ||
EMPTY_STRING).split(",")) { | ||
if (!extensionToMiss.equals(EMPTY_STRING)) { |
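Review bot: the entries are added exactly as typed, so if the later extsToMiss comparison is case-sensitive a user who enters `JPG` or `.jpg` will still have those resources processed; normalize each entry (for example `toLowerCase(Locale.ROOT)` and stripping a leading dot) before adding it. Collecting into a `LinkedHashSet` instead of an `ArrayList` would also drop duplicate entries without extra code.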
How about !extensionToMiss.isEmpty()
Actually there's also probably a way to do this without a loop and using addAll. Should the code handle duplicates? If it was all put in a set I believe that'd ensure unique entries...
if (failCaseString == null) { | ||
throw new IllegalArgumentException("failCaseString is null"); | ||
} | ||
if (!"".equals(failCaseString)) { |
Should use isEmpty as mentioned above.
@@ -13,6 +13,8 @@ bruteforce.options.button.addfile = Select File... | |||
bruteforce.options.label.addfile = Add custom Forced Browse file: | |||
bruteforce.options.label.browsefiles = Force Browse files | |||
bruteforce.options.label.defaultfile = Default file: | |||
bruteforce.options.label.extensionsToMiss = File extensions to not process (separated by ,): |
I think “ignore” might be more clear than ‘not process’.
Suggestions are addressed and ready for the review. |
@KajanM could you update https://github.com/zaproxy/zap-extensions/blob/beta/src/org/zaproxy/zap/extension/bruteforce/resources/help/contents/options.html to add the new options? |
@@ -58,7 +58,8 @@ | |||
private boolean recursive = BruteForceParam.DEFAULT_RECURSIVE; | |||
private DirBusterManager manager = null; | |||
private List<String> extensions = null; | |||
|
|||
private Vector<String> extsToMissVector = null; | |||
|
A space was accidentally added.
|
||
public static final int DEFAULT_THREAD_PER_SCAN = 10; | ||
public static final int MAXIMUM_THREADS_PER_SCAN = 200; | ||
public static final boolean DEFAULT_RECURSIVE = true; | ||
public static final boolean DEFAULT_BROWSE_FILES = false; | ||
public static final String EMPTY_STRING = ""; | ||
public static final String DEFAULT_EXTENSIONS_TO_MISS = "jpg, gif, jpeg, ico, tiff, png, bmp"; | ||
public static final String DEFAULT_FAIL_CASE_STRING = Config.failCaseString; | ||
public static final String WHITESPACE = "\\s"; |
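Review bot: `DEFAULT_FAIL_CASE_STRING = Config.failCaseString` copies the DirBuster value once, at class-initialization time; if `Config.failCaseString` is a non-final field that is reassigned elsewhere, the add-on's default silently diverges from DirBuster's. Either read it at the point of use or note that the snapshot is intended.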
This should be private.
@thc202 DEFAULT_EXTENSIONS_TO_MISS, DEFAULT_FAIL_CASE_STRING are also used in OptionsBruteForcePanel.java. Should I provide a getter method or leave it public?
Those are fine, I just mean WHITESPACE and COMMA (though it applies to EMPTY_STRING as well), we don't really want other classes to depend on this class just because of these generic constants.
No problem.
Sounds good.
public static final String DEFAULT_EXTENSIONS_TO_MISS = "jpg, gif, jpeg, ico, tiff, png, bmp"; | ||
public static final String DEFAULT_FAIL_CASE_STRING = Config.failCaseString; | ||
public static final String WHITESPACE = "\\s"; | ||
public static final String COMMA = ","; |
Same here, also do we really need a constant for this? (If so, it should probably have a more meaningful name, like EXTENSION_SEPARATOR.)
|
||
/** | ||
* @return {@code String} of comma-separated file-extensions that are not to be processed. | ||
* {@code "jpg, gif, jpeg, ico, tiff, png, bmp"} is returned by default |
Probably better to link to the constant instead, otherwise this will have to be changed if we happen to add/remove an extension.
|
||
/** | ||
* Define a {@code String} of comma-separated file-extensions for | ||
* resources not to be processed |
This could also use "ignore".
* {@code "jpg", "gif", "jpeg", "ico", "tiff", "png", "bmp"} | ||
* | ||
*/ | ||
public Vector<String> getExtensionsToMissVector() { |
This could return the Set, let BruteForce convert it to Vector (actually BruteForce could just add them to the existing extsToMiss).
* | ||
*/ | ||
public Vector<String> getExtensionsToMissVector() { | ||
if (extensionsToMiss.trim().equals(EMPTY_STRING)) { |
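Review bot: `extensionsToMiss.trim()` has no null guard, unlike the failCaseString setter; if the field can be unset (for example an existing configuration file that predates this option) this throws a NullPointerException. Initialize the field to `DEFAULT_EXTENSIONS_TO_MISS` or check for `null` before trimming.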
isEmpty()
if (failCaseString == null) { | ||
throw new IllegalArgumentException("failCaseString is null"); | ||
} | ||
if (!failCaseString.isEmpty()) { |
If the empty string is not acceptable we should throw an exception instead (like above).
Also, this should be validated in OptionsBruteForcePanel
to inform the user that it should not be left empty.
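As an added example, not code from this PR or from the zap-extensions project, the following puts together the loop-free, Set-based parsing of the extension list suggested earlier in the review and the fail-case validation discussed just above. The class and method names, the lower-casing and leading-dot stripping of entries, the rejection of whitespace-only fail-case strings, and the sample inputs in main are all assumptions made for the example:

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Added example (not code from the zap-extensions add-on): parses the
 * "file extensions to ignore" option into a Set and validates the
 * "fail case string" option. Names and normalization rules are assumptions.
 */
public final class ForcedBrowseOptionParsing {

    private static final String EXTENSION_SEPARATOR = ",";

    /**
     * Splits a comma-separated option such as " jpg, GIF,.png,,bmp ,jpg" into
     * unique, lower-cased extensions without surrounding whitespace or a leading
     * dot. Empty entries (from ",," or a trailing comma) are dropped, and the
     * LinkedHashSet keeps the user's order while removing duplicates.
     */
    public static Set<String> parseExtensionsToIgnore(String option) {
        if (option == null) {
            return Collections.emptySet();
        }
        return Arrays.stream(option.split(EXTENSION_SEPARATOR))
                .map(String::trim)
                .map(ext -> ext.startsWith(".") ? ext.substring(1) : ext)
                .filter(ext -> !ext.isEmpty())
                .map(ext -> ext.toLowerCase(Locale.ROOT))
                .collect(Collectors.toCollection(LinkedHashSet::new));
    }

    /**
     * Rejects null, empty and whitespace-only fail case strings with an
     * IllegalArgumentException (message kept in English, as it is not shown
     * in the UI) and returns the trimmed value otherwise.
     */
    public static String requireFailCaseString(String failCaseString) {
        if (failCaseString == null || failCaseString.trim().isEmpty()) {
            throw new IllegalArgumentException("failCaseString must not be empty");
        }
        return failCaseString.trim();
    }

    public static void main(String[] args) {
        // Constructed sample input covering whitespace, case, a leading dot,
        // an empty entry and a duplicate.
        Set<String> ignored = parseExtensionsToIgnore(" jpg, GIF,.png,,bmp ,jpg");
        System.out.println("ignored extensions: " + ignored);

        // Constructed fail case values: one acceptable, one whitespace-only.
        System.out.println("fail case: " + requireFailCaseString(" not-a-real-path "));
        try {
            requireFailCaseString("   ");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The Set is returned to the caller so that BruteForce can add its contents to the manager's existing extsToMiss collection, rather than having the options class know about Vector. Trimming before the emptiness check matters because a JTextField returns whatever the user typed, so a value consisting only of spaces would otherwise pass an isEmpty() check.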
I'm not sure this fixes the issue, we might want to check if there's any other useful option (or functionality) that needs to be exposed (it does not need to be done in this PR though). |
Yeah, the issue has comments about showing all traffic, following redirects, files/dirs/both, recursion (done I think), request limits, etc. So the commit and PR messages should probably be changed. |
I will create a separate PR for other missing options. As I am new to open-source development I wanted to get some insights from the review before putting all the changes. |
No problem |
Thank you for the review. Suggestions are addressed. |
@@ -99,6 +99,7 @@ public BruteForce (ScanTarget target, File file, BruteForceListenner listenner, | |||
} else { | |||
extensions = Collections.emptyList(); | |||
} | |||
extsToMissVector = new Vector<>(bruteForceParam.getExtensionsToMissSet()); |
I was suggesting change the extsToMiss directly, e.g.: manager.extsToMiss.addAll(bruteForceParam.getExtensionsToMissSet()) (which avoids changing setupManager).
Wow, it is beautiful.
public void setFailCaseString(String failCaseString) { | ||
if (failCaseString == null || failCaseString.isEmpty()) { | ||
throw new IllegalArgumentException( | ||
Constant.messages.getString("bruteforce.options.error.failCaseString.invalid")); |
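Review bot: `failCaseString.isEmpty()` still lets a whitespace-only value through, which is no more usable than an empty one; check `failCaseString.trim().isEmpty()` instead (and store the trimmed value). Since this exception is not displayed in the UI, a plain English message is enough here and the `Constant.messages` lookup can be reserved for the options panel validation.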
For exception messages not shown directly in the UI we keep them in English.
The failCaseString is not being set in the configuration file.
@@ -10,9 +10,12 @@ bruteforce.desc = Forced browsing of files and directories u | |||
bruteforce.dir.popup = Forced Browse directory | |||
bruteforce.dir.and.children.popup = Forced Browse directory (and children) | |||
bruteforce.options.button.addfile = Select File... | |||
bruteforce.options.error.failCaseString.invalid = Invalid Fail Case String. |
We should tell why it's invalid, better say something like "The Fail Case String should not be empty."
Is it possible to provide a null value to the JTextField from the UI? Is it enough to validate only for an empty value?
No, it just returns an empty string. Yes.
Done. |
LGTM, there's just one thing missing, the |
Updated the |
Note that the version was not updated. It was fine to leave them public; also fine with package accessibility :) (+1 to the removal of the unused import.) |
following options in DirBuster are brought to Forced Browse add-on.
HTML Parsing Options > File extensions to not process
Scan Options > Fail Case String
Version updated. Thank you for the time :) |
Thank you! |
@kingthorin looks good? |
Yup, looks good to me.
Squashed and merged. |
@KajanM how would you like to be credited? |
Kajan Mohanagandhirasa (@GM_K4J4N) |
Thank you :) |
as part of #173 following options in DirBuster are brought to Forced Browse add-on.
HTML Parsing Options > File extensions to not process
Scan Options > Fail Case String