def audit(self, directive):
if directive.operand not in ['~', '~*', '!~', '!~*']:
# Not regexp
return
if directive.variable not in ['$http_referer', '$http_origin']:
# Not interesting
return
invalid_referers = set()
regexp = Regexp(directive.value, case_sensitive=(directive.operand in ['~', '!~']))
for value in regexp.generate('/', anchored=True):
if value.startswith('^'):
value = value[1:]
else:
value = 'http://evil.com/' + value
if value.endswith('$'):
value = value[:-1]
elif not value.endswith('/'):
value += '.evil.com'
valid = self.valid_re.match(value)
if not valid or valid.group('domain') == 'evil.com':
invalid_referers.add(value)
if invalid_referers:
invalid_referers = '", "'.join(invalid_referers)
name = 'origin' if directive.variable == '$http_origin' else 'referrer'
severity = gixy.severity.HIGH if directive.variable == '$http_origin' else gixy.severity.MEDIUM
reason = 'Regex matches "{value}" as a valid {name}.'.format(value=invalid_referers, name=name)
self.add_issue(directive=directive, reason=reason, severity=severity)
def test_regexp_boundary():
var = Variable(name='simple', value=Regexp('.*'), boundary=Regexp('/[a-z]', strict=True))
assert_false(var.depends)
assert_true(var.regexp)
assert_true(var.can_startswith('/'))
assert_false(var.can_startswith('a'))
assert_false(var.can_contain('/'))
assert_true(var.can_contain('a'))
assert_false(var.can_contain('0'))
assert_false(var.can_contain('\n'))
assert_true(var.must_contain('/'))
assert_false(var.must_contain('a'))
assert_true(var.must_startswith('/'))
assert_false(var.must_startswith('a'))
def test_script_boundary():
get_context().add_var('foo', Variable(name='foo', value=Regexp('.*'), boundary=Regexp('[a-z]', strict=True)))
var = Variable(name='simple', value='/$foo', boundary=Regexp('[/a-z0-9]', strict=True))
assert_true(var.depends)
assert_false(var.regexp)
assert_false(var.can_startswith('/'))
assert_false(var.can_startswith('a'))
assert_false(var.can_contain('/'))
assert_true(var.can_contain('a'))
assert_false(var.can_contain('\n'))
assert_false(var.can_contain('0'))
assert_true(var.must_contain('/'))
assert_false(var.must_contain('a'))
assert_true(var.must_startswith('/'))
assert_false(var.must_startswith('a'))
def test_group_can_contains():
source = '/some/(?P<action>[^/:.]+)/'
reg = Regexp(source)
assert_true(
reg.can_contain('\n'),
'Whole regex "{src}" can contains {sym!r}'.format(src=source,
sym='\\n'))
assert_true(
reg.group(0).can_contain('\n'),
'Group 0 from regex "{src}" can contains {sym!r}'.format(src=source,
sym='\\n'))
assert_true(
reg.group('action').can_contain('\n'),
'Group "action" from regex "{src}" can contains {sym!r}'.format(
src=source, sym='\\n'))
assert_true(
reg.group(1).can_contain('\n'),
'Group 1 from regex "{src}" can contains {sym!r}'.format(src=source,
sym='\\n'))
assert_false(
reg.group('action').can_contain('/'),
'Group "action" from regex "{src}" CAN\'T (!) contain {sym!r}'.format(
src=source, sym='/'))
def variables(self):
if not self.modifier or self.modifier not in ('~', '~*'):
return []
regexp = Regexp(self.path, case_sensitive=self.modifier == '~')
result = []
for name, group in regexp.groups.items():
result.append(Variable(name=name, value=group, boundary=None, provider=self))
return result
def variables(self):
if self.operand != '~':
return []
regexp = Regexp(self.value, case_sensitive=self.operand == '~')
result = []
for name, group in regexp.groups.items():
result.append(Variable(name=name, value=group, boundary=None, provider=self))
return result
def validate():
body = request.get_json()
regex = body.get('regex', '')
danger = body.get('danger', 'a')[:1]
try:
regex = Regexp(regex)
values = regex.generate(char=danger, anchored=True)
result = {'status': 'ok', 'result': [x for x in values]}
except Exception as e:
result = {
'status': 'failed',
'error': 'Error occurred: {}'.format(str(e))
}
return Response(response=json.dumps(result),
status=200,
mimetype='application/json')
def test_push_failed_with_regexp_py35_gixy_10():
push_context(Root())
assert_equals(len(get_context().variables['index']), 0)
assert_equals(len(get_context().variables['name']), 0)
regexp = Regexp('^/some/(.*?)')
for name, group in regexp.groups.items():
get_context().add_var(name, Variable(name=name, value=group))
push_context(Root())
def variables(self):
regexp = Regexp(self.pattern, case_sensitive=True)
result = []
for name, group in regexp.groups.items():
result.append(
Variable(name=name,
value=group,
boundary=self.boundary,
provider=self))
return result
def builtin_var(name):
for builtin, regexp in BUILTIN_VARIABLES.items():
if builtin.endswith('_'):
if not name.startswith(builtin):
continue
elif name != builtin:
continue
if regexp:
return Variable(name=name, value=Regexp(regexp, strict=True, case_sensitive=False))
return Variable(name=name, value='builtin', have_script=False)
return None
def test_regexp():
var = Variable(name='simple', value=Regexp('^/.*'))
assert_false(var.depends)
assert_true(var.regexp)
assert_true(var.can_startswith('/'))
assert_false(var.can_startswith('a'))
assert_true(var.can_contain('a'))
assert_false(var.can_contain('\n'))
assert_true(var.must_contain('/'))
assert_false(var.must_contain('a'))
assert_true(var.must_startswith('/'))
assert_false(var.must_startswith('a'))
def test_script():
get_context().add_var('foo', Variable(name='foo', value=Regexp('.*')))
var = Variable(name='simple', value='/$foo')
assert_true(var.depends)
assert_false(var.regexp)
assert_false(var.can_startswith('/'))
assert_false(var.can_startswith('a'))
assert_true(var.can_contain('/'))
assert_true(var.can_contain('a'))
assert_false(var.can_contain('\n'))
assert_true(var.must_contain('/'))
assert_false(var.must_contain('a'))
assert_true(var.must_startswith('/'))
assert_false(var.must_startswith('a'))
def check_positive_must_startswith(regexp, char, strict):
reg = Regexp(regexp, case_sensitive=True, strict=strict)
assert_true(reg.must_startswith(char),
'"{}" MUST start\'s with "{}"'.format(regexp, char))
reg = Regexp(regexp, case_sensitive=False, strict=strict)
char = char.upper()
assert_true(
reg.must_startswith(char),
'"{}" (case insensitive) MUST start\'s with "{}"'.format(regexp, char))
def check_positive_must_contain(regexp, char):
reg = Regexp(regexp, case_sensitive=True)
assert_true(reg.must_contain(char),
'"{}" must contain with "{}"'.format(regexp, char))
reg = Regexp(regexp, case_sensitive=False)
char = char.upper()
assert_true(
reg.must_contain(char),
'"{}" (case insensitive) must contain with "{}"'.format(regexp, char))
def check_negative_contain(regexp, char):
reg = Regexp(regexp, case_sensitive=True)
assert_false(reg.can_contain(char),
'"{}" should not contain "{}"'.format(regexp, char))
reg = Regexp(regexp, case_sensitive=False)
char = char.upper()
assert_false(
reg.can_contain(char),
'"{}" (case insensitive) should not contain "{}"'.format(regexp, char))
def check_positive_contain(regexp, char):
reg = Regexp(regexp, case_sensitive=True)
assert_true(reg.can_contain(char),
'{reg!r} should contain {chr!r}'.format(reg=regexp, chr=char))
reg = Regexp(regexp, case_sensitive=False)
char = char.upper()
assert_true(
reg.can_contain(char),
'{reg!r} (case insensitive) should contain {chr!r}'.format(reg=regexp,
chr=char))
def check_negative_startswith(regexp, char, strict):
reg = Regexp(regexp, case_sensitive=True, strict=strict)
assert_false(reg.can_startswith(char),
'"{}" can\'t start\'s with "{}"'.format(regexp, char))
reg = Regexp(regexp, case_sensitive=False, strict=strict)
char = char.upper()
assert_false(
reg.can_startswith(char),
'"{}" (case insensitive) can\'t start\'s with "{}"'.format(
regexp, char))
def check_positive_startswith(regexp, char, strict):
reg = Regexp(regexp, case_sensitive=True, strict=strict)
assert_true(
reg.can_startswith(char),
'{reg!r} can start\'s with {chr!r}'.format(reg=regexp, chr=char))
reg = Regexp(regexp, case_sensitive=False, strict=strict)
char = char.upper()
assert_true(
reg.can_startswith(char),
'{reg!r} (case insensitive) can start\'s with {chr!r}'.format(
reg=regexp, chr=char))
def check_negative_must_contain(regexp, char):
reg = Regexp(regexp, case_sensitive=True)
assert_false(
reg.must_contain(char),
'{reg!r} must NOT contain with {chr!r}'.format(reg=regexp, chr=char))
reg = Regexp(regexp, case_sensitive=False)
char = char.upper()
assert_false(
reg.must_contain(char),
'{reg!r} (case insensitive) must NOT contain with {chr!r}'.format(
reg=regexp, chr=char))
def check_negative_must_startswith(regexp, char, strict):
reg = Regexp(regexp, case_sensitive=True, strict=strict)
assert_false(
reg.must_startswith(char),
'{reg!r} MUST NOT start\'s with {chr!r}'.format(reg=regexp, chr=char))
reg = Regexp(regexp, case_sensitive=False, strict=strict)
char = char.upper()
assert_false(
reg.must_startswith(char),
'{reg!r} (case insensitive) MUST NOT start\'s with {chr!r}'.format(
reg=regexp, chr=char))
class RewriteDirective(Directive):
nginx_name = 'rewrite'
provide_variables = True
boundary = Regexp('[^\s\r\n]')
def __init__(self, name, args):
super(RewriteDirective, self).__init__(name, args)
self.pattern = args[0]
self.replace = args[1]
self.flag = None
if len(args) > 2:
self.flag = args[2]
@property
def variables(self):
regexp = Regexp(self.pattern, case_sensitive=True)
result = []
for name, group in regexp.groups.items():
result.append(Variable(name=name, value=group, boundary=self.boundary, provider=self))
return result
def test_gen_anchor():
reg = Regexp('^some$')
val = next(reg.generate('', anchored=False))
assert_equals(val, 'some')
reg = Regexp('^some$')
val = next(reg.generate('', anchored=True))
assert_equals(val, '^some$')
reg = Regexp('^some$', strict=True)
val = next(reg.generate('', anchored=False))
assert_equals(val, 'some')
reg = Regexp('^some$', strict=True)
val = next(reg.generate('', anchored=True))
assert_equals(val, '^some$')
def check_generate(regexp, values):
reg = Regexp(regexp)
assert_equals(sorted(reg.generate('|', anchored=True)), sorted(values))
def check_to_string(regexp, string):
reg = Regexp(regexp)
assert_equals(str(reg), string)
def check_groups_names(regexp, groups):
reg = Regexp(regexp)
assert_equals(set(reg.groups.keys()), set(groups))
def test_strict_generate():
reg = Regexp('^foo|bar', strict=True)
assert_equals(sorted(reg.generate('|', anchored=True)),
sorted({'^foo', '^bar'}))