fix removing double slash prefix in raw req path (#3960)

* update utils lib * add integration test on unsafe:false * fix build error --------- Co-authored-by: mzack <marco.rivoli.nvh@gmail.com>
2023-08-04 00:56:32 +05:30 · 2023-08-04 00:56:32 +05:30 · c8a7df98f3
parent 0776b2e237
commit c8a7df98f3
4 changed files with 15 additions and 3 deletions
--- a/integration_tests/http/http-paths.yaml
+++ b/integration_tests/http/http-paths.yaml
@ -16,6 +16,7 @@ info:
    - "/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
    - "/test/..;/..;/"
    - "/xyz/%25u2s/%25invalid"
+    - "//CFIDE/wizards/common/utils.cfc"
    # duplicating here because same results are expected even if http request is written in different format
    - "/1337?with=param"
    - "/some%0A/%0D"
@ -24,6 +25,7 @@ info:
    - "/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
    - "/test/..;/..;/"
    - "/xyz/%25u2s/%25invalid"
+    - "//CFIDE/wizards/common/utils.cfc"

 # Test all templates with FullURLs
 requests:
@ -62,6 +64,10 @@ requests:
      - |+
        GET /xyz/%u2s/%invalid HTTP/1.1
        Host: scanme.sh
+    # test relative path start with //
+      - |+
+        GET //CFIDE/wizards/common/utils.cfc HTTP/1.1
+        Host: scanme.sh

    matchers:
      - type: status
@ -77,6 +83,7 @@ requests:
     - "{{BaseURL}}/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
     - "{{BaseURL}}/test/..;/..;/"
     - "{{BaseURL}}/xyz/%u2s/%invalid"
+     - "{{BaseURL}}//CFIDE/wizards/common/utils.cfc"

    matchers:
    - type: status
--- a/integration_tests/http/raw-unsafe-path.yaml
+++ b/integration_tests/http/raw-unsafe-path.yaml
@ -16,6 +16,7 @@ info:
    - "/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
    - "/test/..;/..;/"
    - "/xyz/%u2s/%invalid"
+    - "//CFIDE/wizards/common/utils.cfc"


 # Test all unsafe URL Handling Edgecases
@ -50,6 +51,10 @@ requests:
      - |+
        GET /xyz/%u2s/%invalid HTTP/1.1
        Host: scanme.sh
+    # test relative path start with // (should not be removed)
+      - |+
+        GET //CFIDE/wizards/common/utils.cfc HTTP/1.1
+        Host: scanme.sh

    unsafe: true
    matchers:
--- a/v2/go.mod
+++ b/v2/go.mod
@ -77,7 +77,7 @@ require (
 	github.com/projectdiscovery/sarif v0.0.1
 	github.com/projectdiscovery/tlsx v1.1.1
 	github.com/projectdiscovery/uncover v1.0.6-0.20230601103158-bfd7e02a5bb1
-	github.com/projectdiscovery/utils v0.0.45
+	github.com/projectdiscovery/utils v0.0.45-0.20230725161322-28ec1ee0ba40
 	github.com/projectdiscovery/wappalyzergo v0.0.107
 	github.com/stretchr/testify v1.8.4
 	gopkg.in/src-d/go-git.v4 v4.13.1
--- a/v2/go.sum
+++ b/v2/go.sum
@ -435,8 +435,8 @@ github.com/projectdiscovery/tlsx v1.1.1 h1:4q14vu2A+TnQjhYI68I3yCUss3UM0fmrkmnJK
 github.com/projectdiscovery/tlsx v1.1.1/go.mod h1:x2S3KajTVxH5Tm4lbBoX4EumY/gh+cGzfBUhlCuNtdY=
 github.com/projectdiscovery/uncover v1.0.6-0.20230601103158-bfd7e02a5bb1 h1:Pu6LvDqn+iSlhCDKKWm1ItPc++kqqlU8OntZeB/Prak=
 github.com/projectdiscovery/uncover v1.0.6-0.20230601103158-bfd7e02a5bb1/go.mod h1:Drl/CWD392mKtdXJhCBPlMkM0I6671pqedFphcnK5f8=
-github.com/projectdiscovery/utils v0.0.45 h1:i0xwdpaGrTIw8hVtutjpVXvPCMcKKwb9VbqWxlwL08M=
-github.com/projectdiscovery/utils v0.0.45/go.mod h1:kJu+OqAWsoilLto06ajSp4U3gWuz51GEVLL/PogJXPk=
+github.com/projectdiscovery/utils v0.0.45-0.20230725161322-28ec1ee0ba40 h1:bgTXdrA/yFhFGfjhMIsczVNhnsMEHFidgS/FD2Tq5Js=
+github.com/projectdiscovery/utils v0.0.45-0.20230725161322-28ec1ee0ba40/go.mod h1:HtUI1pyNCgQUuwZuxDILQ4NSUaFcfBh0TuCK/ZQTS6Q=
 github.com/projectdiscovery/wappalyzergo v0.0.107 h1:B8gzJpAh08f1o+OiDunHAfKtqXiDnFCc7Rj1qKp+DB8=
 github.com/projectdiscovery/wappalyzergo v0.0.107/go.mod h1:4Z3DKhi75zIPMuA+qSDDWxZvnhL4qTLmDx4dxNMu7MA=
 github.com/projectdiscovery/yamldoc-go v1.0.4 h1:eZoESapnMw6WAHiVgRwNqvbJEfNHEH148uthhFbG5jE=