added two new options to the forced-browse add-on. #1534
Conversation
KajanM
changed the title
| List<String> extensionsToMissList = new ArrayList<>(); | ||
| for (String extensionToMiss: extensionsToMiss.replaceAll("\\s", | ||
| EMPTY_STRING).split(",")) { | ||
| if (!extensionToMiss.equals(EMPTY_STRING)) { |
There was a problem hiding this comment.
How about !extensionToMiss.isEmpty()
There was a problem hiding this comment.
Actually there’s also probably a way to do this without a loop and using addAll. Should the code handle duplicates? If it was all put in a set I believe that’d ensure unique entries...
| if (failCaseString == null) { | ||
| throw new IllegalArgumentException("failCaseString is null"); | ||
| } | ||
| if (!"".equals(failCaseString)) { |
There was a problem hiding this comment.
Should use isEmpty as mentioned above.
| @@ -13,6 +13,8 @@ bruteforce.options.button.addfile = Select File... | |||
| bruteforce.options.label.addfile = Add custom Forced Browse file: | |||
| bruteforce.options.label.browsefiles = Force Browse files | |||
| bruteforce.options.label.defaultfile = Default file: | |||
| bruteforce.options.label.extensionsToMiss = File extensions to not process (separated by ,): | |||
There was a problem hiding this comment.
I think “ignore” might be more clear than ‘not process’.
|
Suggestions are addressed and ready for the review. |
|
@KajanM could you update https://github.com/zaproxy/zap-extensions/blob/beta/src/org/zaproxy/zap/extension/bruteforce/resources/help/contents/options.html to add the new options? |
| @@ -58,7 +58,8 @@ | |||
| private boolean recursive = BruteForceParam.DEFAULT_RECURSIVE; | |||
| private DirBusterManager manager = null; | |||
| private List<String> extensions = null; | |||
|
|
|||
| private Vector<String> extsToMissVector = null; | |||
|
|
|||
|
|
||
| public static final int DEFAULT_THREAD_PER_SCAN = 10; | ||
| public static final int MAXIMUM_THREADS_PER_SCAN = 200; | ||
| public static final boolean DEFAULT_RECURSIVE = true; | ||
| public static final boolean DEFAULT_BROWSE_FILES = false; | ||
| public static final String EMPTY_STRING = ""; | ||
| public static final String DEFAULT_EXTENSIONS_TO_MISS = "jpg, gif, jpeg, ico, tiff, png, bmp"; | ||
| public static final String DEFAULT_FAIL_CASE_STRING = Config.failCaseString; | ||
| public static final String WHITESPACE = "\\s"; |
There was a problem hiding this comment.
@thc202 DEFAULT_EXTENSIONS_TO_MISS, DEFAULT_FAIL_CASE_STRING are also used in OptionsBruteForcePanel.java. Should I provide getter method or leave it public?
There was a problem hiding this comment.
Those are fine, I just mean WHITESPACE and COMMA (though it applies to EMPTY_STRING as well), we don't really want other classes to depend on this class just because of these generic constants.
| public static final String DEFAULT_EXTENSIONS_TO_MISS = "jpg, gif, jpeg, ico, tiff, png, bmp"; | ||
| public static final String DEFAULT_FAIL_CASE_STRING = Config.failCaseString; | ||
| public static final String WHITESPACE = "\\s"; | ||
| public static final String COMMA = ","; |
There was a problem hiding this comment.
Same here, also do we really need a constant for this? (If so, it should probably have a more meaningful name, like EXTENSION_SEPARATOR.)
|
|
||
| /** | ||
| * @return {@code String} of comma-separated file-extensions that are not to be processed. | ||
| * {@code "jpg, gif, jpeg, ico, tiff, png, bmp"} is returned by default |
There was a problem hiding this comment.
Probably better to link to the constant instead, otherwise this will have to be changed if we happen to add/remove an extension.
|
|
||
| /** | ||
| * Define a {@code String} of comma-separated file-extensions for | ||
| * resources not to be processed |
| * {@code "jpg", "gif", "jpeg", "ico", "tiff", "png", "bmp"} | ||
| * | ||
| */ | ||
| public Vector<String> getExtensionsToMissVector() { |
There was a problem hiding this comment.
This could return the Set, let BruteForce convert it to Vector (actually BruteForce could just add them to the existing extsToMiss).
| * | ||
| */ | ||
| public Vector<String> getExtensionsToMissVector() { | ||
| if (extensionsToMiss.trim().equals(EMPTY_STRING)) { |
| if (failCaseString == null) { | ||
| throw new IllegalArgumentException("failCaseString is null"); | ||
| } | ||
| if (!failCaseString.isEmpty()) { |
There was a problem hiding this comment.
If the empty string is not acceptable we should throw an exception instead (like above).
Also, this should be validated in OptionsBruteForcePanel to inform the user that it should not be left empty.
|
I'm not sure this fixes the issue, we might want check if there's any other useful option (or functionality) that needs to be exposed (it does not need to be done in this PR though). |
|
Ya the issue has comments about showing all traffic, following redirects, Files/dirs/both, recursion (done I think), request limits, etc So the commit and PR messages should probably be changed. |
KajanM
changed the title
I will create a separate PR for other missing options. As I am new to open-source development I wanted to get some insights from the review before putting all the changes. |
|
No problem |
KajanM
changed the title
|
Thank you for the review. Suggestions are addressed. |
| @@ -99,6 +99,7 @@ public BruteForce (ScanTarget target, File file, BruteForceListenner listenner, | |||
| } else { | |||
| extensions = Collections.emptyList(); | |||
| } | |||
| extsToMissVector = new Vector<>(bruteForceParam.getExtensionsToMissSet()); | |||
There was a problem hiding this comment.
I was suggesting change the extsToMiss directly, e.g.: manager.extsToMiss.addAll(bruteForceParam.getExtensionsToMissSet()) (which avoids changing setupManager).
There was a problem hiding this comment.
Wow, it is beautiful.
| public void setFailCaseString(String failCaseString) { | ||
| if (failCaseString == null || failCaseString.isEmpty()) { | ||
| throw new IllegalArgumentException( | ||
| Constant.messages.getString("bruteforce.options.error.failCaseString.invalid")); |
There was a problem hiding this comment.
For exception messages not show directly in the UI we keep them in English.
The failCaseString is not being set to the configuration file.
| @@ -10,9 +10,12 @@ bruteforce.desc = Forced browsing of files and directories u | |||
| bruteforce.dir.popup = Forced Browse directory | |||
| bruteforce.dir.and.children.popup = Forced Browse directory (and children) | |||
| bruteforce.options.button.addfile = Select File... | |||
| bruteforce.options.error.failCaseString.invalid = Invalid Fail Case String. | |||
There was a problem hiding this comment.
We should tell why it's invalid, better say something like "The Fail Case String should not be empty."
There was a problem hiding this comment.
Is it possible to provide null value to the JTextField from the UI?
Is it enough to validate only for empty value?
There was a problem hiding this comment.
No, it just returns an empty string. Yes.
|
Done. |
|
LGTM, there's just one thing missing, the |
|
Updated the |
|
Note that the version was not updated. It was fine to leave them public also fine with package accessibility :) (+1 to the removal of the unused import.) |
following options in DirBuster are brought to Forced Browse add-on. HTML Parsing Options > File extensions to not process Scan Options > Fail Case String
|
Version updated. Thank you for the time :) |
|
Thank you! |
|
@kingthorin looks good? |
|
Squashed and merged. |
|
@KajanM how would you like to be credited? |
|
Kajan Mohanagandhirasa(@GM_K4J4N) |
|
Thank you :) |
as part of #173 following options in DirBuster are brought to Forced Browse add-on.
HTML Parsing Options > File extensions to not processScan Options > Fail Case String