nuclei/pkg/protocols/common/protocolstate/headless.go

package protocolstate

import (
	"net"
	"strings"

	"github.com/go-rod/rod"
	"github.com/go-rod/rod/lib/proto"
	"github.com/projectdiscovery/networkpolicy"
	errorutil "github.com/projectdiscovery/utils/errors"
	stringsutil "github.com/projectdiscovery/utils/strings"
	urlutil "github.com/projectdiscovery/utils/url"
	"go.uber.org/multierr"
)

// initalize state of headless protocol

var (
	ErrURLDenied         = errorutil.NewWithFmt("headless: url %v dropped by rule: %v")
	ErrHostDenied        = errorutil.NewWithFmt("host %v dropped by network policy")
	NetworkPolicy        *networkpolicy.NetworkPolicy
	allowLocalFileAccess bool
)

// ValidateNFailRequest validates and fails request
// if the request does not respect the rules, it will be canceled with reason
func ValidateNFailRequest(page *rod.Page, e *proto.FetchRequestPaused) error {
	reqURL := e.Request.URL
	normalized := strings.ToLower(reqURL)      // normalize url to lowercase
	normalized = strings.TrimSpace(normalized) // trim leading & trailing whitespaces
	if !allowLocalFileAccess && stringsutil.HasPrefixI(normalized, "file:") {
		return multierr.Combine(FailWithReason(page, e), ErrURLDenied.Msgf(reqURL, "use of file:// protocol disabled use '-lfa' to enable"))
	}
	// validate potential invalid schemes
	// javascript protocol is allowed for xss fuzzing
	if stringsutil.HasPrefixAnyI(normalized, "ftp:", "externalfile:", "chrome:", "chrome-extension:") {
		return multierr.Combine(FailWithReason(page, e), ErrURLDenied.Msgf(reqURL, "protocol blocked by network policy"))
	}
	if !isValidHost(reqURL) {
		return multierr.Combine(FailWithReason(page, e), ErrURLDenied.Msgf(reqURL, "address blocked by network policy"))
	}
	return nil
}

// FailWithReason fails request with AccessDenied reason
func FailWithReason(page *rod.Page, e *proto.FetchRequestPaused) error {
	m := proto.FetchFailRequest{
		RequestID:   e.RequestID,
		ErrorReason: proto.NetworkErrorReasonAccessDenied,
	}
	return m.Call(page)
}

// InitHeadless initializes headless protocol state
func InitHeadless(localFileAccess bool, np *networkpolicy.NetworkPolicy) {
	allowLocalFileAccess = localFileAccess
	if np != nil {
		NetworkPolicy = np
	}
}

// isValidHost checks if the host is valid (only limited to http/https protocols)
func isValidHost(targetUrl string) bool {
	if !stringsutil.HasPrefixAny(targetUrl, "http:", "https:") {
		return true
	}
	if NetworkPolicy == nil {
		return true
	}
	urlx, err := urlutil.Parse(targetUrl)
	if err != nil {
		// not a valid url
		return false
	}
	targetUrl = urlx.Hostname()
	_, ok := NetworkPolicy.ValidateHost(targetUrl)
	return ok
}

// IsHostAllowed checks if the host is allowed by network policy
func IsHostAllowed(targetUrl string) bool {
	if NetworkPolicy == nil {
		return true
	}
	sepCount := strings.Count(targetUrl, ":")
	if sepCount > 1 {
		// most likely a ipv6 address (parse url and validate host)
		return NetworkPolicy.Validate(targetUrl)
	}
	if sepCount == 1 {
		host, _, _ := net.SplitHostPort(targetUrl)
		if _, ok := NetworkPolicy.ValidateHost(host); !ok {
			return false
		}
		return true
		// portInt, _ := strconv.Atoi(port)
		// fixme:  broken port validation logic in networkpolicy
		// if !NetworkPolicy.ValidatePort(portInt) {
		// 	return false
		// }
	}
	// just a hostname or ip without port
	_, ok := NetworkPolicy.ValidateHost(targetUrl)
	return ok
}
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 13:00:46 +00:00			`package protocolstate`

			`import (`
fix network policy error 2024-02-05 20:33:33 +00:00			`"net"`
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 13:00:46 +00:00			`"strings"`

			`"github.com/go-rod/rod"`
			`"github.com/go-rod/rod/lib/proto"`
			`"github.com/projectdiscovery/networkpolicy"`
			`errorutil "github.com/projectdiscovery/utils/errors"`
			`stringsutil "github.com/projectdiscovery/utils/strings"`
			`urlutil "github.com/projectdiscovery/utils/url"`
			`"go.uber.org/multierr"`
			`)`

			`// initalize state of headless protocol`

			`var (`
			`ErrURLDenied = errorutil.NewWithFmt("headless: url %v dropped by rule: %v")`
javascript protocol for scripting (includes 15+ proto libs) (#4109) * rebase js-layer PR from @ice3man543 * package restructuring * working * fix duplicated event & matcher status * fix lint error * fix response field * add new functions * multiple minor improvements * fix incorrect stats in js protocol * sort output metadata in cli * remove temp files * remove dead code * add unit and integration test * fix lint error * add jsdoclint using llm * fix error in test * add js lint using llm * generate docs of libs * llm lint * remove duplicated docs * update generated docs * update prompt in doclint * update docs * temp disable version check test * fix unit test and add retry * fix panic in it * update and move jsdocs * updated jsdocs * update docs * update container platform in test * dir restructure and adding docs * add api_reference and remove markdown docs * fix imports * add javascript design and contribution docs * add js protocol documentation * update integration test and docs * update doc ext mdx->md * minor update to docs * new integration test and more * move go libs and add docs * gen new net docs and more * final docs update * add new devtool * use fastdialer * fix build fail * use fastdialer + network sandbox support * add reserved keyword 'Port' * update Port to new syntax * misc update * always enable templatectx in js protocol * move docs to 'js-proto-docs' repo * remove scrapefuncs binary --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-09-16 10:32:17 +00:00			`ErrHostDenied = errorutil.NewWithFmt("host %v dropped by network policy")`
Using network policy everywhere (#4578) * Using network policy everywhere * fixing bool param * fixing websocket parsing issue * fixing other schemes * go mod tidy --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2024-01-07 23:39:11 +00:00			`NetworkPolicy *networkpolicy.NetworkPolicy`
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 13:00:46 +00:00			`allowLocalFileAccess bool`
			`)`

			`// ValidateNFailRequest validates and fails request`
			`// if the request does not respect the rules, it will be canceled with reason`
			`func ValidateNFailRequest(page rod.Page, e proto.FetchRequestPaused) error {`
			`reqURL := e.Request.URL`
			`normalized := strings.ToLower(reqURL) // normalize url to lowercase`
			`normalized = strings.TrimSpace(normalized) // trim leading & trailing whitespaces`
			`if !allowLocalFileAccess && stringsutil.HasPrefixI(normalized, "file:") {`
			`return multierr.Combine(FailWithReason(page, e), ErrURLDenied.Msgf(reqURL, "use of file:// protocol disabled use '-lfa' to enable"))`
			`}`
			`// validate potential invalid schemes`
			`// javascript protocol is allowed for xss fuzzing`
use stringsutil.HasPrefixAnyI 2023-08-28 08:15:30 +00:00			`if stringsutil.HasPrefixAnyI(normalized, "ftp:", "externalfile:", "chrome:", "chrome-extension:") {`
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 13:00:46 +00:00			`return multierr.Combine(FailWithReason(page, e), ErrURLDenied.Msgf(reqURL, "protocol blocked by network policy"))`
			`}`
			`if !isValidHost(reqURL) {`
			`return multierr.Combine(FailWithReason(page, e), ErrURLDenied.Msgf(reqURL, "address blocked by network policy"))`
			`}`
			`return nil`
			`}`

			`// FailWithReason fails request with AccessDenied reason`
			`func FailWithReason(page rod.Page, e proto.FetchRequestPaused) error {`
			`m := proto.FetchFailRequest{`
			`RequestID: e.RequestID,`
			`ErrorReason: proto.NetworkErrorReasonAccessDenied,`
			`}`
			`return m.Call(page)`
			`}`

			`// InitHeadless initializes headless protocol state`
Using network policy everywhere (#4578) * Using network policy everywhere * fixing bool param * fixing websocket parsing issue * fixing other schemes * go mod tidy --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2024-01-07 23:39:11 +00:00			`func InitHeadless(localFileAccess bool, np *networkpolicy.NetworkPolicy) {`
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 13:00:46 +00:00			`allowLocalFileAccess = localFileAccess`
Using network policy everywhere (#4578) * Using network policy everywhere * fixing bool param * fixing websocket parsing issue * fixing other schemes * go mod tidy --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2024-01-07 23:39:11 +00:00			`if np != nil {`
			`NetworkPolicy = np`
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 13:00:46 +00:00			`}`
			`}`

			`// isValidHost checks if the host is valid (only limited to http/https protocols)`
			`func isValidHost(targetUrl string) bool {`
			`if !stringsutil.HasPrefixAny(targetUrl, "http:", "https:") {`
			`return true`
			`}`
Using network policy everywhere (#4578) * Using network policy everywhere * fixing bool param * fixing websocket parsing issue * fixing other schemes * go mod tidy --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2024-01-07 23:39:11 +00:00			`if NetworkPolicy == nil {`
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 13:00:46 +00:00			`return true`
			`}`
			`urlx, err := urlutil.Parse(targetUrl)`
			`if err != nil {`
			`// not a valid url`
			`return false`
			`}`
			`targetUrl = urlx.Hostname()`
Using network policy everywhere (#4578) * Using network policy everywhere * fixing bool param * fixing websocket parsing issue * fixing other schemes * go mod tidy --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2024-01-07 23:39:11 +00:00			`_, ok := NetworkPolicy.ValidateHost(targetUrl)`
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 13:00:46 +00:00			`return ok`
			`}`
javascript protocol for scripting (includes 15+ proto libs) (#4109) * rebase js-layer PR from @ice3man543 * package restructuring * working * fix duplicated event & matcher status * fix lint error * fix response field * add new functions * multiple minor improvements * fix incorrect stats in js protocol * sort output metadata in cli * remove temp files * remove dead code * add unit and integration test * fix lint error * add jsdoclint using llm * fix error in test * add js lint using llm * generate docs of libs * llm lint * remove duplicated docs * update generated docs * update prompt in doclint * update docs * temp disable version check test * fix unit test and add retry * fix panic in it * update and move jsdocs * updated jsdocs * update docs * update container platform in test * dir restructure and adding docs * add api_reference and remove markdown docs * fix imports * add javascript design and contribution docs * add js protocol documentation * update integration test and docs * update doc ext mdx->md * minor update to docs * new integration test and more * move go libs and add docs * gen new net docs and more * final docs update * add new devtool * use fastdialer * fix build fail * use fastdialer + network sandbox support * add reserved keyword 'Port' * update Port to new syntax * misc update * always enable templatectx in js protocol * move docs to 'js-proto-docs' repo * remove scrapefuncs binary --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-09-16 10:32:17 +00:00
			`// IsHostAllowed checks if the host is allowed by network policy`
			`func IsHostAllowed(targetUrl string) bool {`
Using network policy everywhere (#4578) * Using network policy everywhere * fixing bool param * fixing websocket parsing issue * fixing other schemes * go mod tidy --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2024-01-07 23:39:11 +00:00			`if NetworkPolicy == nil {`
javascript protocol for scripting (includes 15+ proto libs) (#4109) * rebase js-layer PR from @ice3man543 * package restructuring * working * fix duplicated event & matcher status * fix lint error * fix response field * add new functions * multiple minor improvements * fix incorrect stats in js protocol * sort output metadata in cli * remove temp files * remove dead code * add unit and integration test * fix lint error * add jsdoclint using llm * fix error in test * add js lint using llm * generate docs of libs * llm lint * remove duplicated docs * update generated docs * update prompt in doclint * update docs * temp disable version check test * fix unit test and add retry * fix panic in it * update and move jsdocs * updated jsdocs * update docs * update container platform in test * dir restructure and adding docs * add api_reference and remove markdown docs * fix imports * add javascript design and contribution docs * add js protocol documentation * update integration test and docs * update doc ext mdx->md * minor update to docs * new integration test and more * move go libs and add docs * gen new net docs and more * final docs update * add new devtool * use fastdialer * fix build fail * use fastdialer + network sandbox support * add reserved keyword 'Port' * update Port to new syntax * misc update * always enable templatectx in js protocol * move docs to 'js-proto-docs' repo * remove scrapefuncs binary --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-09-16 10:32:17 +00:00			`return true`
			`}`
fix network policy error 2024-02-05 20:33:33 +00:00			`sepCount := strings.Count(targetUrl, ":")`
			`if sepCount > 1 {`
			`// most likely a ipv6 address (parse url and validate host)`
			`return NetworkPolicy.Validate(targetUrl)`
			`}`
			`if sepCount == 1 {`
			`host, _, _ := net.SplitHostPort(targetUrl)`
			`if _, ok := NetworkPolicy.ValidateHost(host); !ok {`
			`return false`
			`}`
			`return true`
			`// portInt, _ := strconv.Atoi(port)`
			`// fixme: broken port validation logic in networkpolicy`
			`// if !NetworkPolicy.ValidatePort(portInt) {`
			`// return false`
			`// }`
			`}`
			`// just a hostname or ip without port`
Using network policy everywhere (#4578) * Using network policy everywhere * fixing bool param * fixing websocket parsing issue * fixing other schemes * go mod tidy --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2024-01-07 23:39:11 +00:00			`_, ok := NetworkPolicy.ValidateHost(targetUrl)`
javascript protocol for scripting (includes 15+ proto libs) (#4109) * rebase js-layer PR from @ice3man543 * package restructuring * working * fix duplicated event & matcher status * fix lint error * fix response field * add new functions * multiple minor improvements * fix incorrect stats in js protocol * sort output metadata in cli * remove temp files * remove dead code * add unit and integration test * fix lint error * add jsdoclint using llm * fix error in test * add js lint using llm * generate docs of libs * llm lint * remove duplicated docs * update generated docs * update prompt in doclint * update docs * temp disable version check test * fix unit test and add retry * fix panic in it * update and move jsdocs * updated jsdocs * update docs * update container platform in test * dir restructure and adding docs * add api_reference and remove markdown docs * fix imports * add javascript design and contribution docs * add js protocol documentation * update integration test and docs * update doc ext mdx->md * minor update to docs * new integration test and more * move go libs and add docs * gen new net docs and more * final docs update * add new devtool * use fastdialer * fix build fail * use fastdialer + network sandbox support * add reserved keyword 'Port' * update Port to new syntax * misc update * always enable templatectx in js protocol * move docs to 'js-proto-docs' repo * remove scrapefuncs binary --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-09-16 10:32:17 +00:00			`return ok`
			`}`