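def check_response(url: str,
                   res: Response,
                   soup: Union[BeautifulSoup, None] = None) -> List[Result]:
    """Run every per-response check against *res* and collect the findings.

    Args:
        url: URL the response was fetched from; handed to each check so the
            findings can be attributed to it.
        res: The HTTP response to examine. ``None`` produces no findings.
        soup: An already-parsed document for the response body, if the caller
            has one. When omitted and the response is text
            (``http_utils.is_text``), the body is parsed with ``html.parser``.

    Returns:
        The findings reported by all checks that ran, in call order.
    """
    # make sure we actually have something
    if res is None:
        return []

    results: List[Result] = []

    raw_full = network.http_build_raw_response(res)

    if http_utils.is_text(res):
        body = res.text

        if soup is None:
            soup = BeautifulSoup(body, "html.parser")

        # checks that require parsed HTML or the text body
        results += retirejs.get_results(soup, url, res)
        results += apache_tomcat.get_version(url, res)
        results += error_checker.check_response(url, res, body)

        results += _check_cache_headers(url, res)

    # header/cookie checks run for every response, text or not
    results += http_basic.get_header_issues(res, raw_full, url)
    results += http_basic.get_cookie_issues(res, url)

    # rails.check_cve_2019_5418 calls this function to check the response it
    # obtains, so calling it unconditionally would recurse. Guard on the name
    # of the immediate caller (only one frame up is inspected). context=0 skips
    # reading source lines for every frame on the stack, which is the expensive
    # part of inspect.stack() and is not needed to read .function.
    if "check_cve_2019_5418" not in inspect.stack(0)[1].function:
        results += rails.check_cve_2019_5418(url)

    # runs even for non-text responses
    results += _check_charset(url, res)

    return results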
    def test_check_response_none(self):
        """A plain body yields no findings from error_checker."""
        url = "http://example.com"

        with requests_mock.Mocker() as mocker:
            mocker.get(url, text="body")
            response = requests.get(url)

        findings = error_checker.check_response(url, response)

        self.assertEqual(len(findings), 0)
    def test_check_response_fp(self):
        """False-positive regression: a body of "at (202)" must not be reported."""
        url = "http://example.com"

        with requests_mock.Mocker(real_http=True) as mocker:
            mocker.get(url, text="at (202)")
            response = requests.get(url)

        findings = error_checker.check_response(url, response)

        self.assertEqual(len(findings), 0)
    def test_check_response_java(self):
        """A Java exception message in the body produces exactly one finding."""
        url = "http://example.com"
        body = (
            "Failed to convert property value of type [java.lang.String] to"
            " required type [boolean] for property order; nested exception is"
            " java.lang.IllegalArgumentException"
        )

        with requests_mock.Mocker(real_http=True) as mocker:
            mocker.get(url, text=body)
            response = requests.get(url)

        findings = error_checker.check_response(url, response)

        self.assertEqual(len(findings), 1)
    def test_check_response_php(self):
        """A PHP fatal-error message in the body produces exactly one finding."""
        url = "http://example.com"
        body = (
            "Fatal error: Call to a member function getId() on a non-object "
            "in /var/www/docroot/application/modules/controllers/"
            "ModalController.php on line 609"
        )

        with requests_mock.Mocker(real_http=True) as mocker:
            mocker.get(url, text=body)
            response = requests.get(url)

        findings = error_checker.check_response(url, response)

        self.assertEqual(len(findings), 1)
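def check_response(
    url: str, res: Response, soup: Union[BeautifulSoup, None] = None
) -> List[Result]:
    """Run every per-response check against *res* and collect the findings.

    Args:
        url: URL the response was fetched from; handed to each check so the
            findings can be attributed to it.
        res: The HTTP response to examine. ``None`` produces no findings.
        soup: An already-parsed document for the response body. When given,
            the HTML-dependent checks always run on it; when omitted, they run
            only if ``network.response_body_is_text`` says the body is text,
            and the body is then parsed with ``html.parser``.

    Returns:
        The findings reported by all checks that ran, in call order.
    """
    # make sure we actually have something
    if res is None:
        return []

    results: List[Result] = []

    raw_full = network.http_build_raw_response(res)

    # Test for identity rather than truthiness so a caller-supplied document is
    # honoured regardless of how BeautifulSoup defines __bool__/__len__ for an
    # empty tree.
    if soup is not None or network.response_body_is_text(res):
        body = res.text

        if soup is None:
            soup = BeautifulSoup(body, "html.parser")

        # checks that require parsed HTML or the text body
        results += retirejs.get_results(soup, url, res)
        results += apache_tomcat.get_version(url, res)
        results += error_checker.check_response(url, res, body)
        results += iis.check_telerik_rau_enabled(soup, url)

        results += _check_cache_headers(url, res)

    # header/cookie checks run for every response, text or not
    results += http_basic.get_header_issues(res, raw_full, url)
    results += http_basic.get_cookie_issues(res, url)

    # only check for this if we have a good response - no point in doing this for errors
    if res.status_code < 400:
        results += rails.check_cve_2019_5418(url)

    # we perform this check even if the response isn't text as this also covers missing content-type
    results += _check_charset(url, res)

    return results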