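def defang(url):
    """
    Defang a client-supplied URL and return it as JSON.

    This handles both GET and POST requests.

    If a GET request: everything in the request URL after /fang/ is passed in
    as ``url`` (NOTE(review): the route decorator is not visible here -
    confirm the prefix), and the raw query string is handed to
    ``Fang.defang`` as the parameters.

    If a POST request: this expects a JSON request in the format
    {'url': 'http://example.com'}. The body is client-controlled, so its
    shape is checked before use: it must be a JSON object whose 'url' value
    is a string. Any other shape gets the 400 response rather than an
    unhandled exception.

    The defanged result still contains client-controlled text; whatever
    displays it should escape it like any other untrusted string.

    :param url: String. The URL taken from the request path (replaced by the
        JSON value on POST).
    :returns: (Json, response code). JSON is in the format
        {'url': 'hxxp://defanged[.]com'}, or {'error': ...} with a 400.
    """
    result = {}
    if request.method == 'POST':
        req_data = request.get_json()
        # get_json() hands back whatever JSON value was sent (list, number,
        # string, ...), so confirm it is an object before calling .get().
        submitted = req_data.get('url') if isinstance(req_data, dict) else None
        if not isinstance(submitted, str):
            result['error'] = "Proper format is JSON request {'url': 'http://example.com'}"
            return make_response(jsonify(result), 400)
        url, parameters = handle_parameters(submitted)
        result['url'] = Fang.defang(url, parameters)
    else:
        # Normal GET request.
        # NOTE(review): a query string that is not valid UTF-8 would raise
        # UnicodeDecodeError here - confirm how the app handles that.
        result['url'] = Fang.defang(url, request.query_string.decode("utf-8"))
    return make_response(jsonify(result), 200)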
def test_basic_url(self):
    """Round-trip a plain URL: defang it, then refang it back."""
    original = "http://test.com"

    defanged = Fang.defang(original, '')
    assert defanged == "hxxp://test[.]com"

    # Refanging the defanged form must restore the starting URL exactly.
    restored = Fang.refang(defanged, '')
    assert restored == original
def test_url_mixed_caps(self):
    """Check a URL whose protocol is written in mixed upper/lower case."""
    original = "HTtP://this.is.a.test.com"

    # The defanged form is expected with a lower-case scheme.
    defanged = Fang.defang(original, '')
    assert defanged == "hxxp://this[.]is[.]a[.]test[.]com"

    # The round trip is compared against the lower-cased input, not the
    # original casing.
    restored = Fang.refang(defanged, '')
    assert restored == original.lower()
def test_with_url_in_params(self):
    """Check that a URL embedded in the query parameters is defanged too."""
    # NOTE(review): the base URL has no "//" after the scheme - confirm
    # that this is the intended input.
    base = "http:test.com"
    query = "test=http://bob.com"

    defanged = Fang.defang(base, query)
    assert defanged == "hxxp:test[.]com?test=hxxp://bob[.]com"

    # Split the defanged string back into URL and parameters for refang.
    pieces = defanged.split('?')
    restored = Fang.refang(pieces[0], pieces[1])
    assert restored == "%s?%s" % (base, query)
def test_with_simple_parameters(self):
    """Check that plain key=value parameters pass through unchanged."""
    base = "http://test.com"
    query = "first=1&second=2"

    defanged = Fang.defang(base, query)
    assert defanged == "hxxp://test[.]com?first=1&second=2"

    # Split the defanged string back into URL and parameters for refang.
    pieces = defanged.split('?')
    restored = Fang.refang(pieces[0], pieces[1])
    assert restored == "%s?%s" % (base, query)
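def refang(url):
    """
    Refang a client-supplied defanged URL and return it as JSON.

    If a GET request: this pulls everything in the URL after /defang/ and
    puts it in the variable: url (NOTE(review): the route decorator is not
    visible here - confirm the prefix). The parameters are pulled separately
    from the query string.

    If a POST request: this expects a JSON request in the format
    {'url': 'http://example.com'}. The body is client-controlled, so its
    shape is checked before use: it must be a JSON object whose 'url' value
    is a string. Any other shape gets the 400 response rather than an
    unhandled exception.

    The value returned is a live URL again. Consumers should keep treating
    it as untrusted data: do not fetch it automatically or render it as a
    clickable link.

    :param url: String. The url we're making unsafe
    :returns: (Json, response code). JSON is in the format
        {'url': 'http://refanged.com'}, or {'error': ...} with a 400.
    """
    result = {}
    if request.method == 'POST':
        req_data = request.get_json()
        # get_json() hands back whatever JSON value was sent (list, number,
        # string, ...), so confirm it is an object before calling .get().
        submitted = req_data.get('url') if isinstance(req_data, dict) else None
        if not isinstance(submitted, str):
            result['error'] = "Proper format is JSON request {'url': 'http://example.com'}"
            return make_response(jsonify(result), 400)
        url, parameters = handle_parameters(submitted)
        result['url'] = Fang.refang(url, parameters)
    else:
        # Normal GET request.
        # NOTE(review): a query string that is not valid UTF-8 would raise
        # UnicodeDecodeError here - confirm how the app handles that.
        result['url'] = Fang.refang(url, request.query_string.decode("utf-8"))
    return make_response(jsonify(result), 200)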
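def defang_list():
    """
    Defang a JSON list of URLs sent in a POST request.

    Expects a POST request in the format {'urls': [url1, url2, url3]}.
    The body is client-controlled, so its shape is checked before use: it
    must be a JSON object whose 'urls' value is a list of strings. Without
    that check a bare string would be iterated character by character, and
    a non-object body or non-string entry would surface as an unhandled
    exception instead of a 400.

    No limit on the number of URLs is applied here.
    NOTE(review): confirm the app bounds request size elsewhere
    (for example Flask's MAX_CONTENT_LENGTH).

    :returns: (json, response_code). JSON is in format:
        {'urls': [url1, url2, url3]}, or {'error': ...} with a 400.
    """
    req_data = request.get_json()
    urls = req_data.get('urls') if isinstance(req_data, dict) else None
    if not isinstance(urls, list) or not all(isinstance(item, str) for item in urls):
        # The message names the 'urls' key the handler actually reads.
        result = {
            'error': "Proper format is JSON request {'urls': ['url1', 'url2', 'etc']}"
        }
        return make_response(jsonify(result), 400)

    defanged_urls = []
    for bad_url in urls:
        url, parameters = handle_parameters(bad_url)
        defanged_urls.append(Fang.defang(url, parameters))

    result = {'urls': defanged_urls}
    return make_response(jsonify(result), 200)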