From 37706e094d7877173800eed9addc17a510012e62 Mon Sep 17 00:00:00 2001 From: James Barnett Date: Fri, 27 Jul 2018 16:41:11 -0500 Subject: [PATCH] Dont wrap object in array when using ID parameter --- lib/msf/core/db_manager/cred.rb | 2 +- lib/msf/core/db_manager/http/servlet/credential_servlet.rb | 4 +++- lib/msf/core/db_manager/http/servlet/host_servlet.rb | 2 ++ lib/msf/core/db_manager/http/servlet/login_servlet.rb | 6 ++++-- lib/msf/core/db_manager/http/servlet/loot_servlet.rb | 2 ++ lib/msf/core/db_manager/http/servlet/note_servlet.rb | 2 ++ lib/msf/core/db_manager/http/servlet/service_servlet.rb | 2 ++ .../core/db_manager/http/servlet/session_event_servlet.rb | 2 ++ lib/msf/core/db_manager/http/servlet/session_servlet.rb | 2 ++ lib/msf/core/db_manager/http/servlet/user_servlet.rb | 2 ++ .../core/db_manager/http/servlet/vuln_attempt_servlet.rb | 2 ++ lib/msf/core/db_manager/http/servlet/vuln_servlet.rb | 2 ++ lib/msf/core/db_manager/http/servlet/workspace_servlet.rb | 3 ++- 13 files changed, 28 insertions(+), 5 deletions(-) diff --git a/lib/msf/core/db_manager/cred.rb b/lib/msf/core/db_manager/cred.rb index 9e038fef35..fe4c21470b 100644 --- a/lib/msf/core/db_manager/cred.rb +++ b/lib/msf/core/db_manager/cred.rb @@ -5,7 +5,7 @@ module Msf::DBManager::Cred ::ActiveRecord::Base.connection_pool.with_connection { # If :id exists we're looking for a specific record, skip the other stuff if opts[:id] && !opts[:id].empty? - return Metasploit::Credential::Core.find(opts[:id]) + return Array.wrap(Metasploit::Credential::Core.find(opts[:id])) end wspace = Msf::Util::DBManager.process_opts_workspace(opts, framework) diff --git a/lib/msf/core/db_manager/http/servlet/credential_servlet.rb b/lib/msf/core/db_manager/http/servlet/credential_servlet.rb index 8a9ccedb27..2f2d1f122b 100644 --- a/lib/msf/core/db_manager/http/servlet/credential_servlet.rb +++ b/lib/msf/core/db_manager/http/servlet/credential_servlet.rb 
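Review bot: The id branch in cred.rb returns before `process_opts_workspace` runs, so `Metasploit::Credential::Core.find(opts[:id])` fetches a credential by primary key with no workspace constraint. `find` also raises ActiveRecord::RecordNotFound for an unknown id rather than yielding an empty result, which the HTTP layer would presumably report as a generic 500. If workspaces are meant to keep engagements apart, resolve the workspace first and scope the lookup, e.g. `Metasploit::Credential::Core.where(id: opts[:id], workspace_id: wspace.id)` (assuming Core carries a workspace_id column). That form returns an empty collection for a missing id and makes `Array.wrap` unnecessary. The rest of the method lies outside the hunk, so check any caller that relies on the exception.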
@@ -9,7 +9,7 @@ module CredentialServlet end def self.registered(app) - app.get CredentialServlet.api_path, &get_credentials + app.get CredentialServlet.api_path_with_id, &get_credentials app.post CredentialServlet.api_path, &create_credential app.put CredentialServlet.api_path_with_id, &update_credential app.delete CredentialServlet.api_path, &delete_credentials @@ -33,6 +33,8 @@ module CredentialServlet json = cred.as_json(include: includes).merge(private_class: cred.private.class.to_s) response << json end + # Only return the single object if the user used the resource/ID GET request + data = data.first if data.count == 1 && request.url =~ /\/\d$/ response = format_cred_json(data) set_json_data_response(response: response) rescue => e diff --git a/lib/msf/core/db_manager/http/servlet/host_servlet.rb b/lib/msf/core/db_manager/http/servlet/host_servlet.rb index b801721e7b..66940b5019 100644 --- a/lib/msf/core/db_manager/http/servlet/host_servlet.rb +++ b/lib/msf/core/db_manager/http/servlet/host_servlet.rb @@ -31,6 +31,8 @@ module HostServlet sanitized_params = sanitize_params(params) data = get_db.hosts(sanitized_params) includes = [:loots] + # Only return the single object if the user used the resource/ID GET request + data = data.first if data.count == 1 && request.url =~ /\/\d$/ set_json_data_response(response: data, includes: includes) rescue => e print_error_and_create_response(error: e, message: 'There was an error getting hosts:', code: 500) diff --git a/lib/msf/core/db_manager/http/servlet/login_servlet.rb b/lib/msf/core/db_manager/http/servlet/login_servlet.rb index ca926671cd..d5b5cb645d 100644 --- a/lib/msf/core/db_manager/http/servlet/login_servlet.rb +++ b/lib/msf/core/db_manager/http/servlet/login_servlet.rb 
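Review bot: The guard `request.url =~ /\/\d$/` in the second credential_servlet.rb hunk only matches a URL that ends in a slash followed by exactly one digit, so a request for id 12 still gets an array back. `request.url` also includes the query string, so a filtered list request whose query ends in `/` plus a digit (a CIDR mask, for example) is unwrapped whenever it yields one row. Testing the route parameter is more reliable than pattern-matching the URL: `data = data.first if params[:id] && data.count == 1`, or at minimum `request.path_info =~ %r{/\d+\z}`. The same line is added in the host, login, service, session_event, session, vuln_attempt, vuln and workspace servlets, and in the loot, note and user update handlers. In this servlet `format_cred_json(data)` then receives a single record instead of a collection; its definition is outside the hunk, so confirm it accepts both shapes.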
@@ -23,8 +23,10 @@ module LoginServlet lambda { begin sanitized_params = sanitize_params(params) - response = get_db.logins(sanitized_params) - set_json_response(response) + data = get_db.logins(sanitized_params) + # Only return the single object if the user used the resource/ID GET request + data = data.first if data.count == 1 && request.url =~ /\/\d$/ + set_json_response(data) rescue => e print_error_and_create_response(error: e, message: 'There was an error retrieving logins:', code: 500) end diff --git a/lib/msf/core/db_manager/http/servlet/loot_servlet.rb b/lib/msf/core/db_manager/http/servlet/loot_servlet.rb index 93b2fc3b7b..a7bb6c8852 100644 --- a/lib/msf/core/db_manager/http/servlet/loot_servlet.rb +++ b/lib/msf/core/db_manager/http/servlet/loot_servlet.rb @@ -61,6 +61,8 @@ module LootServlet tmp_params = sanitize_params(params) opts[:id] = tmp_params[:id] if tmp_params[:id] data = get_db.update_loot(opts) + # Only return the single object if the user used the resource/ID GET request + data = data.first if data.count == 1 && request.url =~ /\/\d$/ set_json_data_response(response: data) rescue => e print_error_and_create_response(error: e, message: 'There was an error updating the loot:', code: 500) diff --git a/lib/msf/core/db_manager/http/servlet/note_servlet.rb b/lib/msf/core/db_manager/http/servlet/note_servlet.rb index a90f5966fa..e037fabea4 100644 --- a/lib/msf/core/db_manager/http/servlet/note_servlet.rb +++ b/lib/msf/core/db_manager/http/servlet/note_servlet.rb @@ -51,6 +51,8 @@ module NoteServlet tmp_params = sanitize_params(params) opts[:id] = tmp_params[:id] if tmp_params[:id] data = get_db.update_note(opts) + # Only return the single object if the user used the resource/ID GET request + data = data.first if data.count == 1 && request.url =~ /\/\d$/ set_json_data_response(response: data) rescue => e print_error_and_create_response(error: e, message: 'There was an error updating the note:', code: 500) 
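Review bot: In loot_servlet.rb the unwrap is applied to the return value of `get_db.update_loot(opts)`, and the added comment speaks of a GET request although this handler's error message is 'There was an error updating the loot:'. If `update_loot` returns a single record rather than a collection (its definition is not in the hunk), `data.count` raises NoMethodError. The generic `rescue => e` would then answer 500 even though the update has presumably already been applied. Drop the two added lines from the update handlers, or guard them with `data.respond_to?(:count)`; the same applies to the note_servlet.rb and user_servlet.rb hunks.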
diff --git a/lib/msf/core/db_manager/http/servlet/service_servlet.rb b/lib/msf/core/db_manager/http/servlet/service_servlet.rb index 11d7a8b62b..015d919711 100644 --- a/lib/msf/core/db_manager/http/servlet/service_servlet.rb +++ b/lib/msf/core/db_manager/http/servlet/service_servlet.rb @@ -26,6 +26,8 @@ module ServiceServlet sanitized_params = sanitize_params(params) data = get_db.services(sanitized_params) includes = [:host] + # Only return the single object if the user used the resource/ID GET request + data = data.first if data.count == 1 && request.url =~ /\/\d$/ set_json_data_response(response: data, includes: includes) rescue => e print_error_and_create_response(error: e, message: 'There was an error retrieving services:', code: 500) diff --git a/lib/msf/core/db_manager/http/servlet/session_event_servlet.rb b/lib/msf/core/db_manager/http/servlet/session_event_servlet.rb index 5b7e78eec0..5ab5d1ff63 100644 --- a/lib/msf/core/db_manager/http/servlet/session_event_servlet.rb +++ b/lib/msf/core/db_manager/http/servlet/session_event_servlet.rb @@ -23,6 +23,8 @@ module SessionEventServlet begin sanitized_params = sanitize_params(params) data = get_db.session_events(sanitized_params) + # Only return the single object if the user used the resource/ID GET request + data = data.first if data.count == 1 && request.url =~ /\/\d$/ set_json_data_response(response: data) rescue => e print_error_and_create_response(error: e, message: 'There was an error retrieving session events:', code: 500) diff --git a/lib/msf/core/db_manager/http/servlet/session_servlet.rb b/lib/msf/core/db_manager/http/servlet/session_servlet.rb index f54cebc32c..d0066aaf30 100644 --- a/lib/msf/core/db_manager/http/servlet/session_servlet.rb +++ b/lib/msf/core/db_manager/http/servlet/session_servlet.rb 
@@ -24,6 +24,8 @@ module SessionServlet sanitized_params = sanitize_params(params) data = get_db.sessions(sanitized_params) includes = [:host] + # Only return the single object if the user used the resource/ID GET request + data = data.first if data.count == 1 && request.url =~ /\/\d$/ set_json_data_response(response: data, includes: includes) rescue => e print_error_and_create_response(error: e, message: 'There was an error retrieving sessions:', code: 500) diff --git a/lib/msf/core/db_manager/http/servlet/user_servlet.rb b/lib/msf/core/db_manager/http/servlet/user_servlet.rb index 5804a8ac8c..79069781b5 100644 --- a/lib/msf/core/db_manager/http/servlet/user_servlet.rb +++ b/lib/msf/core/db_manager/http/servlet/user_servlet.rb @@ -50,6 +50,8 @@ module UserServlet tmp_params = sanitize_params(params) opts[:id] = tmp_params[:id] if tmp_params[:id] data = get_db.update_user(opts) + # Only return the single object if the user used the resource/ID GET request + data = data.first if data.count == 1 && request.url =~ /\/\d$/ set_json_data_response(response: data) rescue => e print_error_and_create_response(error: e, message: 'There was an error creating the user:', code: 500) diff --git a/lib/msf/core/db_manager/http/servlet/vuln_attempt_servlet.rb b/lib/msf/core/db_manager/http/servlet/vuln_attempt_servlet.rb index 4e350a4e98..2d566b08e7 100644 --- a/lib/msf/core/db_manager/http/servlet/vuln_attempt_servlet.rb +++ b/lib/msf/core/db_manager/http/servlet/vuln_attempt_servlet.rb @@ -23,6 +23,8 @@ module VulnAttemptServlet begin sanitized_params = sanitize_params(params) data = get_db.vuln_attempts(sanitized_params) + # Only return the single object if the user used the resource/ID GET request + data = data.first if data.count == 1 && request.url =~ /\/\d$/ set_json_data_response(response: data) rescue => e print_error_and_create_response(error: e, message: 'There was an error retrieving vuln attempts:', code: 500) 
diff --git a/lib/msf/core/db_manager/http/servlet/vuln_servlet.rb b/lib/msf/core/db_manager/http/servlet/vuln_servlet.rb index 26b5615a76..b52bb25929 100644 --- a/lib/msf/core/db_manager/http/servlet/vuln_servlet.rb +++ b/lib/msf/core/db_manager/http/servlet/vuln_servlet.rb @@ -26,6 +26,8 @@ module VulnServlet sanitized_params = sanitize_params(params) data = get_db.vulns(sanitized_params) includes = [:host, :vulns_refs, :refs, :module_refs] + # Only return the single object if the user used the resource/ID GET request + data = data.first if data.count == 1 && request.url =~ /\/\d$/ set_json_data_response(response: data, includes: includes) rescue => e print_error_and_create_response(error: e, message: 'There was an error retrieving vulns:', code: 500) diff --git a/lib/msf/core/db_manager/http/servlet/workspace_servlet.rb b/lib/msf/core/db_manager/http/servlet/workspace_servlet.rb index 673ae222f4..f68f995291 100644 --- a/lib/msf/core/db_manager/http/servlet/workspace_servlet.rb +++ b/lib/msf/core/db_manager/http/servlet/workspace_servlet.rb @@ -27,7 +27,8 @@ module WorkspaceServlet sanitized_params = sanitize_params(params) data = get_db.workspaces(sanitized_params) - + # Only return the single object if the user used the resource/ID GET request + data = data.first if data.count == 1 && request.url =~ /\/\d$/ set_json_data_response(response: data, includes: includes) rescue => e print_error_and_create_response(error: e, message: 'There was an error retrieving workspaces:', code: 500)