def compress(self):
dc = decompress.Decompress(self.target)
ret, result_d = dc.decompress()
if ret is False:
return 1002, result_d
else:
directory = result_d
logging.info("Scan directory: {0}".format(directory))
current_time = time.strftime('%Y-%m-%d %X', time.localtime())
p = CobraProjects.query.filter_by(repository=directory).first()
# detection framework for project
framework, language = detection.Detection(directory).framework()
if framework != '' or language != '':
project_framework = '{0} ({1})'.format(framework, language)
else:
project_framework = ''
if not p:
# insert into project table.
repo_name = directory.split('/')[-1]
project = CobraProjects(directory, '', repo_name, 'Upload',
project_framework, '', '', 1, current_time)
db.session.add(project)
db.session.commit()
project_id = project.id
else:
project_id = p.id
# update project's framework
p.framework = project_framework
db.session.add(p)
task = CobraTaskInfo(directory, '', 3, '', '', 0, 0, 0, 1, 0, 0,
current_time, current_time)
db.session.add(task)
db.session.commit()
cobra_path = os.path.join(config.Config().project_directory,
'cobra.py')
if os.path.isfile(cobra_path) is not True:
return 1004, 'Cobra Not Found'
# 扫描漏洞
subprocess.Popen([
'python', cobra_path, "scan", "-p",
str(project_id), "-i",
str(task.id), "-t", directory
])
# 统计代码行数
subprocess.Popen([
'python', cobra_path, "statistic", "-i",
str(task.id), "-t", directory
])
# 检测漏洞修复状况
subprocess.Popen(
['python', cobra_path, "repair", "-p",
str(project_id)])
result = dict()
result['scan_id'] = task.id
result['project_id'] = project_id
result['msg'] = u'success'
return 1001, result
def compress(self):
dc = decompress.Decompress(self.target)
ret, result_d = dc.decompress()
if ret is False:
return 1002, result_d
else:
directory = result_d
log.info("Scan directory: {0}".format(directory))
current_time = time.strftime('%Y-%m-%d %X', time.localtime())
task = CobraTaskInfo(self.target, '', 3, '', '', 0, 0, 0, 1, 0, 0,
current_time, current_time)
db.session.add(task)
db.session.commit()
cobra_path = os.path.join(config.Config().project_directory,
'cobra.py')
if os.path.isfile(cobra_path) is not True:
return 1004, 'Cobra Not Found'
# Start Scanning
subprocess.Popen([
'python', cobra_path, "scan", "-p",
str(0), "-i",
str(task.id), "-t", directory
])
# Statistic Code
subprocess.Popen([
'python', cobra_path, "statistic", "-i",
str(task.id), "-t", directory
])
result = {}
result['scan_id'] = task.id
result['project_id'] = 0
result['msg'] = u'success'
return 1001, result
def add():
log.debug('In add Route')
# url, username, password, scan_way, old_version, new_version
# if user upload a file, so we set the scan type to file scan
# if there is no upload file, we set the scan type to gitlab scan
# check scan way and version
scan_way = request.form['scan_way']
old_version = request.form['old_version']
new_version = request.form['new_version']
if not scan_way or not scan_way.isdigit():
return jsonify(code=1002, msg=u'please select scan method.')
if scan_way == '2':
if not old_version or not new_version:
return jsonify(
code=1002,
msg=u'in diff mode, please provide new version and old version.'
)
elif scan_way == '1':
old_version = None
new_version = None
else:
return jsonify(code=1002, msg=u'scan method error.')
task_type = 1
# check if there is a file or gitlab url
if len(request.files) == 0:
# no files, should check username and password
task_type = 1
url = request.form['repository']
branch = request.form[
'branch'] if request.form['branch'] != '' else 'master'
if not url:
return jsonify(
code=1002,
msg=u'please support gitlab url. '
u'If this is a public repo, just leave username and password blank'
)
# insert into db
current_time = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
new_task = CobraTaskInfo(task_type, None, url, branch, scan_way,
old_version, new_version, current_time,
current_time)
db.session.add(new_task)
db.session.commit()
else:
# there is a file, check file format and uncompress it.
# get uploads directory
config = ConfigParser.ConfigParser()
config.read('config')
upload_directory = config.get('cobra', 'upload_directory') + os.sep
if os.path.isdir(upload_directory) is not True:
os.mkdir(upload_directory)
task_type = 2
upload_src = request.files['file']
filename = str(int(time.time())) + '_' + secure_filename(
upload_src.filename)
filepath = upload_directory + filename
upload_src.save(filepath)
# if you upload a rar file, upload_src.mimetype will returns "application/octet-stream"
# rather than "application/x-rar"
# check file type via mime type
file_type = magic.from_file(filepath, mime=True)
if file_type != 'application/x-rar' and file_type != 'application/x-gzip' and file_type != 'application/zip':
os.remove(filepath)
return jsonify(code=1002,
msg=u'only rar, zip and tar.gz supported.')
current_time = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
new_task = CobraTaskInfo(task_type, filename, None, None, scan_way,
old_version, new_version, current_time,
current_time)
db.session.add(new_task)
db.session.commit()
return jsonify(code=1001, msg=u'success', id=123)
def version(self, branch=None, new_version=None, old_version=None):
# Gitlab
if '.git' in self.target:
logging.info('Gitlab project')
# Git
if 'gitlab' in self.target:
username = config.Config('git', 'username').value
password = config.Config('git', 'password').value
else:
username = None
password = None
gg = git.Git(self.target,
branch=branch,
username=username,
password=password)
repo_author = gg.repo_author
repo_name = gg.repo_name
repo_directory = gg.repo_directory
# Git Clone Error
clone_ret, clone_err = gg.clone()
if clone_ret is False:
return 4001, 'Clone Failed ({0})'.format(clone_err)
elif 'svn' in self.target:
# SVN
repo_name = 'mogujie'
repo_author = 'all'
repo_directory = config.Config('upload', 'directory').value
else:
repo_name = 'Local Project'
repo_author = getpass.getuser()
repo_directory = self.target
if not os.path.exists(repo_directory):
return 1004, 'repo directory not exist ({0})'.format(
repo_directory)
if new_version == "" or old_version == "":
scan_way = 1
else:
scan_way = 2
current_time = time.strftime('%Y-%m-%d %X', time.localtime())
# insert into task info table.
task = CobraTaskInfo(self.target, branch, scan_way, new_version,
old_version, 0, 0, 0, 1, 0, 0, current_time,
current_time)
p = CobraProjects.query.filter_by(repository=self.target).first()
project = None
# detection framework for project
framework, language = detection.Detection(repo_directory).framework()
if framework != '' or language != '':
project_framework = '{0} ({1})'.format(framework, language)
else:
project_framework = ''
project_id = 0
if not p:
# insert into project table.
project = CobraProjects(self.target, '', repo_name, repo_author,
project_framework, '', '', 1, current_time)
else:
project_id = p.id
# update project's framework
p.framework = project_framework
db.session.add(p)
try:
db.session.add(task)
if not p:
db.session.add(project)
db.session.commit()
if not p:
project_id = project.id
cobra_path = os.path.join(config.Config().project_directory,
'cobra.py')
if os.path.isfile(cobra_path) is not True:
return 1004, 'cobra.py not found'
# scan vulnerability
subprocess.Popen([
'python', cobra_path, "scan", "-p",
str(project_id), "-i",
str(task.id), "-t", repo_directory
])
# statistic code
subprocess.Popen([
'python', cobra_path, "statistic", "-i",
str(task.id), "-t", repo_directory
])
# check repair
subprocess.Popen(
['python', cobra_path, "repair", "-p",
str(project_id)])
result = dict()
result['scan_id'] = task.id
result['project_id'] = project_id
result['msg'] = u'success'
return 1001, result
except Exception as e:
return 1004, 'Unknown error, try again later?' + e.message
def version(self, branch=None, new_version=None, old_version=None):
# Gitlab
if '.git' in self.target:
# Git
if 'gitlab' in self.target:
username = config.Config('git', 'username').value
password = config.Config('git', 'password').value
else:
username = False
password = False
gg = GitTools.Git(self.target,
branch=branch,
username=username,
password=password)
repo_author = gg.repo_author
repo_name = gg.repo_name
repo_directory = gg.repo_directory
# Git Clone Error
if gg.clone() is False:
return 4001, 'Clone Failed'
elif 'svn' in self.target:
# SVN
repo_name = 'mogujie'
repo_author = 'all'
repo_directory = os.path.join(
config.Config('upload', 'directory').value, 'versions/mogujie')
else:
return 1005, 'Repository must contained .git or svn'
if new_version == "" or old_version == "":
scan_way = 1
else:
scan_way = 2
current_time = time.strftime('%Y-%m-%d %X', time.localtime())
# insert into task info table.
task = CobraTaskInfo(self.target, branch, scan_way, new_version,
old_version, 0, 0, 0, 1, 0, 0, current_time,
current_time)
p = CobraProjects.query.filter_by(repository=self.target).first()
project = None
# detection framework for project
framework, language = detection.Detection(repo_directory).framework()
project_framework = '{0} ({1})'.format(framework, language)
if not p:
# insert into project table.
project = CobraProjects(self.target, '', repo_name, repo_author,
project_framework, '', '', current_time)
project_id = project.id
else:
project_id = p.id
# update project's framework
p.framework = project_framework
db.session.add(p)
db.session.commit()
try:
db.session.add(task)
if not p:
db.session.add(project)
db.session.commit()
cobra_path = os.path.join(config.Config().project_directory,
'cobra.py')
if os.path.isfile(cobra_path) is not True:
return 1004, 'Cobra Not Found'
# Start Scanning
subprocess.Popen([
'python', cobra_path, "scan", "-p",
str(project_id), "-i",
str(task.id), "-t", repo_directory
])
# Statistic Code
subprocess.Popen([
'python', cobra_path, "statistic", "-i",
str(task.id), "-t", repo_directory
])
result = {}
result['scan_id'] = task.id
result['project_id'] = project_id
result['msg'] = u'success'
return 1001, result
except Exception as e:
return 1004, 'Unknown error, try again later?' + e.message
def add_task():
""" Add a new task api.
post json to http://url/api/add_new_task
example:
{
"key": "34b9a295d037d47eec3952e9dcdb6b2b", // must, client key
"target": "https://gitlab.com/username/project.git", // must, gitlab address
"branch": "master", // must, the project branch
"old_version": "old version here", // optional, if you choice diff scan mode, you should provide old version hash.
"new_version": "new version here", // optional, if you choice diff scan mode, you should provide new version hash.
}
:return:
The return value also in json format, usually is:
{"code": 1001, "msg": "error reason or success."}
code: 1005: Unknown Protocol
code: 1004: Unknown error, if you see this error code, most time is cobra's database error.
code: 1003: You support the parameters is not json.
code: 1002: Some parameters is empty. More information in "msg".
code: 1001: Success, no error.
"""
result = {}
data = request.json
if not data or data == "":
return jsonify(code=1003, msg=u'Only support json, please post json data.')
# Params
key = data.get('key')
if common.verify_key(key) is False:
return jsonify(code=4002, msg=u'Key verify failed')
target = data.get('target')
branch = data.get('branch')
new_version = data.get('new_version')
old_version = data.get('old_version')
# Verify
if not key or key == "":
return jsonify(code=1002, msg=u'key can not be empty.')
if not target or target == "":
return jsonify(code=1002, msg=u'url can not be empty.')
if not branch or branch == "":
return jsonify(code=1002, msg=u'branch can not be empty.')
# Parse
current_time = time.strftime('%Y-%m-%d %X', time.localtime())
# Gitlab
if '.git' in target:
# Git
if 'gitlab' in target:
username = config.Config('git', 'username').value
password = config.Config('git', 'password').value
else:
username = False
password = False
gg = GitTools.Git(target, branch=branch, username=username, password=password)
repo_author = gg.repo_author
repo_name = gg.repo_name
repo_directory = gg.repo_directory
# Git Clone Error
if gg.clone() is False:
return jsonify(code=4001)
elif 'svn' in target:
# SVN
repo_name = 'mogujie'
repo_author = 'all'
repo_directory = os.path.join(config.Config('cobra', 'upload_directory').value, 'uploads/mogujie/')
else:
return jsonify(code=1005)
if new_version == "" or old_version == "":
scan_way = 1
else:
scan_way = 2
# insert into task info table.
task = CobraTaskInfo(target, branch, scan_way, new_version, old_version, None, None, None, 1, None, 0,
current_time, current_time)
p = CobraProjects.query.filter_by(repository=target).first()
project = None
if not p:
# insert into project table.
project = CobraProjects(target, repo_name, repo_author, None, None, current_time, current_time)
project_id = project.id
else:
project_id = p.id
try:
db.session.add(task)
if not p:
db.session.add(project)
db.session.commit()
cobra_path = os.path.join(config.Config().project_directory, 'cobra.py')
if os.path.isfile(cobra_path) is not True:
return jsonify(code=1004, msg=u'Cobra Not Found')
# Start Scanning
subprocess.Popen(
['python', cobra_path, "scan", "-p", str(project_id), "-i", str(task.id), "-t", repo_directory])
# Statistic Code
subprocess.Popen(
['python', cobra_path, "statistic", "-i", str(task.id), "-t", repo_directory])
result['scan_id'] = task.id
result['project_id'] = project_id
result['msg'] = u'success'
return jsonify(code=1001, result=result)
except Exception as e:
return jsonify(code=1004, msg=u'Unknown error, try again later?' + e.message)