Example 16 with Session
use of org.parosproxy.paros.model.Session in project zaproxy by zaproxy.
the class SpiderAPI method handleApiAction.
@Override
public ApiResponse handleApiAction(String name, JSONObject params) throws ApiException {
log.debug("Request for handleApiAction: " + name + " (params: " + params.toString() + ")");
SpiderScan scan;
int maxChildren = -1;
Context context = null;
switch(name) {
case ACTION_START_SCAN:
// The action is to start a new Scan
String url = ApiUtils.getOptionalStringParam(params, PARAM_URL);
if (params.containsKey(PARAM_MAX_CHILDREN)) {
String maxChildrenStr = params.getString(PARAM_MAX_CHILDREN);
if (maxChildrenStr != null && maxChildrenStr.length() > 0) {
try {
maxChildren = Integer.parseInt(maxChildrenStr);
} catch (NumberFormatException e) {
throw new ApiException(Type.ILLEGAL_PARAMETER, PARAM_MAX_CHILDREN);
}
}
}
if (params.containsKey(PARAM_CONTEXT_NAME)) {
String contextName = params.getString(PARAM_CONTEXT_NAME);
if (!contextName.isEmpty()) {
context = ApiUtils.getContextByName(contextName);
}
}
int scanId = scanURL(url, null, maxChildren, this.getParam(params, PARAM_RECURSE, true), context, getParam(params, PARAM_SUBTREE_ONLY, false));
return new ApiResponseElement(name, Integer.toString(scanId));
case ACTION_START_SCAN_AS_USER:
// The action is to start a new Scan from the perspective of a user
String urlUserScan = ApiUtils.getOptionalStringParam(params, PARAM_URL);
int userID = ApiUtils.getIntParam(params, PARAM_USER_ID);
ExtensionUserManagement usersExtension = Control.getSingleton().getExtensionLoader().getExtension(ExtensionUserManagement.class);
if (usersExtension == null) {
throw new ApiException(Type.NO_IMPLEMENTOR, ExtensionUserManagement.NAME);
}
context = ApiUtils.getContextByParamId(params, PARAM_CONTEXT_ID);
User user = usersExtension.getContextUserAuthManager(context.getId()).getUserById(userID);
if (user == null) {
throw new ApiException(Type.USER_NOT_FOUND, PARAM_USER_ID);
}
if (params.containsKey(PARAM_MAX_CHILDREN)) {
String maxChildrenStr = params.getString(PARAM_MAX_CHILDREN);
if (maxChildrenStr != null && maxChildrenStr.length() > 0) {
try {
maxChildren = Integer.parseInt(maxChildrenStr);
} catch (NumberFormatException e) {
throw new ApiException(Type.ILLEGAL_PARAMETER, PARAM_MAX_CHILDREN);
}
}
}
scanId = scanURL(urlUserScan, user, maxChildren, this.getParam(params, PARAM_RECURSE, true), context, getParam(params, PARAM_SUBTREE_ONLY, false));
return new ApiResponseElement(name, Integer.toString(scanId));
case ACTION_PAUSE_SCAN:
scan = getSpiderScan(params);
extension.pauseScan(scan.getScanId());
break;
case ACTION_RESUME_SCAN:
scan = getSpiderScan(params);
extension.resumeScan(scan.getScanId());
break;
case ACTION_STOP_SCAN:
// The action is to stop a pending scan
scan = getSpiderScan(params);
extension.stopScan(scan.getScanId());
break;
case ACTION_REMOVE_SCAN:
// Note that we're removing the scan with this call, not just getting it ;)
scan = getSpiderScan(params);
extension.removeScan(scan.getScanId());
break;
case ACTION_PAUSE_ALL_SCANS:
extension.pauseAllScans();
break;
case ACTION_RESUME_ALL_SCANS:
extension.resumeAllScans();
break;
case ACTION_STOP_ALL_SCANS:
extension.stopAllScans();
break;
case ACTION_REMOVE_ALL_SCANS:
extension.removeAllScans();
break;
case ACTION_CLEAR_EXCLUDED_FROM_SCAN:
try {
Session session = Model.getSingleton().getSession();
session.setExcludeFromSpiderRegexs(new ArrayList<>());
} catch (DatabaseException e) {
throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
}
break;
case ACTION_EXCLUDE_FROM_SCAN:
String regex = params.getString(PARAM_REGEX);
try {
Session session = Model.getSingleton().getSession();
session.addExcludeFromSpiderRegex(regex);
} catch (DatabaseException e) {
throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
} catch (PatternSyntaxException e) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_REGEX);
}
break;
case ACTION_ADD_DOMAIN_ALWAYS_IN_SCOPE:
try {
String value = params.getString(PARAM_VALUE);
DomainAlwaysInScopeMatcher domainAlwaysInScope;
if (getParam(params, PARAM_IS_REGEX, false)) {
domainAlwaysInScope = new DomainAlwaysInScopeMatcher(DomainAlwaysInScopeMatcher.createPattern(value));
} else {
domainAlwaysInScope = new DomainAlwaysInScopeMatcher(value);
}
domainAlwaysInScope.setEnabled(getParam(params, PARAM_IS_ENABLED, true));
List<DomainAlwaysInScopeMatcher> domainsAlwaysInScope = new ArrayList<>(extension.getSpiderParam().getDomainsAlwaysInScope());
domainsAlwaysInScope.add(domainAlwaysInScope);
extension.getSpiderParam().setDomainsAlwaysInScope(domainsAlwaysInScope);
} catch (IllegalArgumentException e) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_VALUE, e);
}
break;
case ACTION_MODIFY_DOMAIN_ALWAYS_IN_SCOPE:
try {
int idx = params.getInt(PARAM_IDX);
if (idx < 0 || idx >= extension.getSpiderParam().getDomainsAlwaysInScope().size()) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX);
}
DomainAlwaysInScopeMatcher oldDomain = extension.getSpiderParam().getDomainsAlwaysInScope().get(idx);
String value = getParam(params, PARAM_VALUE, oldDomain.getValue());
if (value.isEmpty()) {
value = oldDomain.getValue();
}
DomainAlwaysInScopeMatcher newDomain;
if (getParam(params, PARAM_IS_REGEX, oldDomain.isRegex())) {
newDomain = new DomainAlwaysInScopeMatcher(DomainAlwaysInScopeMatcher.createPattern(value));
} else {
newDomain = new DomainAlwaysInScopeMatcher(value);
}
newDomain.setEnabled(getParam(params, PARAM_IS_ENABLED, oldDomain.isEnabled()));
if (oldDomain.equals(newDomain)) {
break;
}
List<DomainAlwaysInScopeMatcher> domainsAlwaysInScope = new ArrayList<>(extension.getSpiderParam().getDomainsAlwaysInScope());
domainsAlwaysInScope.set(idx, newDomain);
extension.getSpiderParam().setDomainsAlwaysInScope(domainsAlwaysInScope);
} catch (JSONException e) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX, e);
} catch (IllegalArgumentException e) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_VALUE, e);
}
break;
case ACTION_REMOVE_DOMAIN_ALWAYS_IN_SCOPE:
try {
int idx = params.getInt(PARAM_IDX);
if (idx < 0 || idx >= extension.getSpiderParam().getDomainsAlwaysInScope().size()) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX);
}
List<DomainAlwaysInScopeMatcher> domainsAlwaysInScope = new ArrayList<>(extension.getSpiderParam().getDomainsAlwaysInScope());
domainsAlwaysInScope.remove(idx);
extension.getSpiderParam().setDomainsAlwaysInScope(domainsAlwaysInScope);
} catch (JSONException e) {
throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX, e);
}
break;
case ACTION_ENABLE_ALL_DOMAINS_ALWAYS_IN_SCOPE:
setDomainsAlwaysInScopeEnabled(true);
break;
case ACTION_DISABLE_ALL_DOMAINS_ALWAYS_IN_SCOPE:
setDomainsAlwaysInScopeEnabled(false);
break;
default:
throw new ApiException(ApiException.Type.BAD_ACTION);
}
return ApiResponseElement.OK;
}
Also used :
Context(org.zaproxy.zap.model.Context)
User(org.zaproxy.zap.users.User)
ArrayList(java.util.ArrayList)
JSONException(net.sf.json.JSONException)
DomainAlwaysInScopeMatcher(org.zaproxy.zap.spider.DomainAlwaysInScopeMatcher)
ExtensionUserManagement(org.zaproxy.zap.extension.users.ExtensionUserManagement)
ApiResponseElement(org.zaproxy.zap.extension.api.ApiResponseElement)
DatabaseException(org.parosproxy.paros.db.DatabaseException)
ApiException(org.zaproxy.zap.extension.api.ApiException)
Session(org.parosproxy.paros.model.Session)
PatternSyntaxException(java.util.regex.PatternSyntaxException)
Example 17 with Session
use of org.parosproxy.paros.model.Session in project zaproxy by zaproxy.
the class SpiderAPI method handleApiView.
@Override
public ApiResponse handleApiView(String name, JSONObject params) throws ApiException {
ApiResponse result;
if (VIEW_STATUS.equals(name)) {
SpiderScan scan = this.getSpiderScan(params);
int progress = 0;
if (scan.isStopped()) {
progress = 100;
} else {
progress = scan.getProgress();
}
result = new ApiResponseElement(name, Integer.toString(progress));
} else if (VIEW_RESULTS.equals(name)) {
result = new ApiResponseList(name);
SpiderScan scan = this.getSpiderScan(params);
synchronized (scan.getResults()) {
for (String s : scan.getResults()) {
((ApiResponseList) result).addItem(new ApiResponseElement("url", s));
}
}
} else if (VIEW_FULL_RESULTS.equals(name)) {
ApiResponseList resultUrls = new ApiResponseList(name);
SpiderScan scan = this.getSpiderScan(params);
ApiResponseList resultList = new ApiResponseList("urlsInScope");
synchronized (scan.getResourcesFound()) {
for (SpiderResource sr : scan.getResourcesFound()) {
resultList.addItem(createApiResponseSet(sr, sr.isProcessed(), sr.getReasonNotProcessed()));
}
}
resultUrls.addItem(resultList);
resultList = new ApiResponseList("urlsOutOfScope");
synchronized (scan.getResultsOutOfScope()) {
for (String url : scan.getResultsOutOfScope()) {
resultList.addItem(new ApiResponseElement("url", url));
}
}
resultUrls.addItem(resultList);
resultList = new ApiResponseList("urlsIoError");
synchronized (scan.getResourcesIoErrors()) {
for (SpiderResource sr : scan.getResourcesIoErrors()) {
resultList.addItem(createApiResponseSet(sr, sr.isProcessed(), sr.getReasonNotProcessed()));
}
}
resultUrls.addItem(resultList);
result = resultUrls;
} else if (VIEW_EXCLUDED_FROM_SCAN.equals(name)) {
result = new ApiResponseList(name);
Session session = Model.getSingleton().getSession();
List<String> regexs = session.getExcludeFromSpiderRegexs();
for (String regex : regexs) {
((ApiResponseList) result).addItem(new ApiResponseElement("regex", regex));
}
} else if (VIEW_SCANS.equals(name)) {
ApiResponseList resultList = new ApiResponseList(name);
for (SpiderScan spiderScan : extension.getAllScans()) {
Map<String, String> map = new HashMap<>();
map.put("id", Integer.toString(spiderScan.getScanId()));
map.put("progress", Integer.toString(spiderScan.getProgress()));
map.put("state", spiderScan.getState());
resultList.addItem(new ApiResponseSet<>("scan", map));
}
result = resultList;
} else if (VIEW_ALL_URLS.equals(name)) {
ApiResponseList resultUrls = new ApiResponseList(name);
Set<String> urlSet = new HashSet<>();
TableHistory tableHistory = extension.getModel().getDb().getTableHistory();
List<Integer> ids = Collections.emptyList();
try {
ids = tableHistory.getHistoryIdsOfHistType(extension.getModel().getSession().getSessionId(), HistoryReference.TYPE_SPIDER, HistoryReference.TYPE_SPIDER_TASK);
} catch (DatabaseException e) {
throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
}
String url;
for (Integer id : ids) {
try {
RecordHistory rh = tableHistory.read(id);
if (rh != null) {
url = rh.getHttpMessage().getRequestHeader().getURI().toString();
if (urlSet.add(url)) {
resultUrls.addItem(new ApiResponseElement("url", url));
}
}
} catch (HttpMalformedHeaderException | DatabaseException e) {
throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
}
}
result = resultUrls;
} else if (VIEW_ADDED_NODES.equals(name)) {
result = new ApiResponseList(name);
SpiderScan scan = this.getSpiderScan(params);
for (String s : scan.getAddedNodesTableModel().getAddedNodes()) {
((ApiResponseList) result).addItem(new ApiResponseElement("url", s));
}
} else if (VIEW_DOMAINS_ALWAYS_IN_SCOPE.equals(name) || VIEW_OPTION_DOMAINS_ALWAYS_IN_SCOPE.equals(name)) {
result = domainMatchersToApiResponseList(name, extension.getSpiderParam().getDomainsAlwaysInScope(), false);
} else if (VIEW_OPTION_DOMAINS_ALWAYS_IN_SCOPE_ENABLED.equals(name)) {
result = domainMatchersToApiResponseList(name, extension.getSpiderParam().getDomainsAlwaysInScope(), true);
} else {
throw new ApiException(ApiException.Type.BAD_VIEW);
}
return result;
}
Also used :
HashSet(java.util.HashSet)
Set(java.util.Set)
ApiResponseSet(org.zaproxy.zap.extension.api.ApiResponseSet)
HashMap(java.util.HashMap)
ApiResponse(org.zaproxy.zap.extension.api.ApiResponse)
ApiResponseElement(org.zaproxy.zap.extension.api.ApiResponseElement)
ApiResponseList(org.zaproxy.zap.extension.api.ApiResponseList)
ApiResponseList(org.zaproxy.zap.extension.api.ApiResponseList)
ArrayList(java.util.ArrayList)
List(java.util.List)
TableHistory(org.parosproxy.paros.db.TableHistory)
DatabaseException(org.parosproxy.paros.db.DatabaseException)
RecordHistory(org.parosproxy.paros.db.RecordHistory)
Session(org.parosproxy.paros.model.Session)
ApiException(org.zaproxy.zap.extension.api.ApiException)
Example 18 with Session
use of org.parosproxy.paros.model.Session in project zaproxy by zaproxy.
the class SearchThread method search.
private void search() {
Session session = Model.getSingleton().getSession();
Matcher matcher = null;
try {
if (Type.Custom.equals(reqType)) {
if (searchers != null && customSearcherName != null) {
HttpSearcher searcher = searchers.get(customSearcherName);
if (searcher != null) {
List<SearchResult> results;
if (pcc.hasMaximumMatches()) {
results = searcher.search(pattern, inverse, pcc.getMaximumMatches());
} else {
results = searcher.search(pattern, inverse);
}
for (SearchResult sr : results) {
searchListenner.addSearchResult(sr);
}
}
}
return;
}
ExtensionHistory extensionHistory = Control.getSingleton().getExtensionLoader().getExtension(ExtensionHistory.class);
List<Integer> list = Model.getSingleton().getDb().getTableHistory().getHistoryIdsOfHistType(session.getSessionId(), HistoryReference.TYPE_PROXIED, HistoryReference.TYPE_ZAP_USER, HistoryReference.TYPE_SPIDER, HistoryReference.TYPE_SPIDER_AJAX);
int last = list.size();
int currentRecordId = 0;
for (int index = 0; index < last; index++) {
if (stopSearch) {
break;
}
int historyId = list.get(index);
try {
currentRecordId = index;
// Create the href to ensure the msg is set up correctly
HistoryReference href = null;
if (extensionHistory != null) {
href = extensionHistory.getHistoryReference(historyId);
}
if (href == null) {
href = new HistoryReference(historyId);
}
HttpMessage message = href.getHttpMessage();
if (searchJustInScope && !session.isInScope(message.getRequestHeader().getURI().toString())) {
// Not in scope, so ignore
continue;
}
if (this.baseUrl != null && !message.getRequestHeader().getURI().toString().startsWith(baseUrl)) {
// doesn't start with the specified baseurl
continue;
}
if (Type.URL.equals(reqType)) {
// URL
String url = message.getRequestHeader().getURI().toString();
matcher = pattern.matcher(url);
if (inverse && !pcc.allMatchesProcessed()) {
if (!matcher.find()) {
notifyInverseMatchFound(currentRecordId, message, SearchMatch.Location.REQUEST_HEAD);
}
} else {
int urlStartPos = message.getRequestHeader().getPrimeHeader().indexOf(url);
while (matcher.find() && !pcc.allMatchesProcessed()) {
notifyMatchFound(currentRecordId, matcher.group(), message, SearchMatch.Location.REQUEST_HEAD, urlStartPos + matcher.start(), urlStartPos + matcher.end());
if (!searchAllOccurrences) {
break;
}
}
}
}
if (Type.Header.equals(reqType)) {
// Header
// Request header
matcher = pattern.matcher(message.getRequestHeader().toString());
if (inverse && !pcc.allMatchesProcessed()) {
if (!matcher.find()) {
notifyInverseMatchFound(currentRecordId, message, SearchMatch.Location.REQUEST_HEAD);
}
} else {
while (matcher.find() && !pcc.allMatchesProcessed()) {
notifyMatchFound(currentRecordId, matcher.group(), message, SearchMatch.Location.REQUEST_HEAD, matcher.start(), matcher.end());
if (!searchAllOccurrences) {
break;
}
}
}
// Response header
matcher = pattern.matcher(message.getResponseHeader().toString());
if (inverse && !pcc.allMatchesProcessed()) {
if (!matcher.find()) {
notifyInverseMatchFound(currentRecordId, message, SearchMatch.Location.RESPONSE_HEAD);
}
} else {
while (matcher.find() && !pcc.allMatchesProcessed()) {
notifyMatchFound(currentRecordId, matcher.group(), message, SearchMatch.Location.RESPONSE_HEAD, matcher.start(), matcher.end());
if (!searchAllOccurrences) {
break;
}
}
}
}
if (Type.Request.equals(reqType) || Type.All.equals(reqType)) {
if (inverse && !pcc.allMatchesProcessed()) {
// Check for no matches in either Request Header or Body
if (!pattern.matcher(message.getRequestHeader().toString()).find() && !pattern.matcher(message.getRequestBody().toString()).find()) {
notifyInverseMatchFound(currentRecordId, message, SearchMatch.Location.REQUEST_HEAD);
}
} else {
// Request Header
matcher = pattern.matcher(message.getRequestHeader().toString());
while (matcher.find() && !pcc.allMatchesProcessed()) {
notifyMatchFound(currentRecordId, matcher.group(), message, SearchMatch.Location.REQUEST_HEAD, matcher.start(), matcher.end());
if (!searchAllOccurrences) {
break;
}
}
// Request Body
matcher = pattern.matcher(message.getRequestBody().toString());
while (matcher.find() && !pcc.allMatchesProcessed()) {
notifyMatchFound(currentRecordId, matcher.group(), message, SearchMatch.Location.REQUEST_BODY, matcher.start(), matcher.end());
if (!searchAllOccurrences) {
break;
}
}
}
}
if (Type.Response.equals(reqType) || Type.All.equals(reqType)) {
if (inverse && !pcc.allMatchesProcessed()) {
// Check for no matches in either Response Header or Body
if (!pattern.matcher(message.getResponseHeader().toString()).find() && !pattern.matcher(message.getResponseBody().toString()).find()) {
notifyInverseMatchFound(currentRecordId, message, SearchMatch.Location.RESPONSE_HEAD);
}
} else {
// Response header
matcher = pattern.matcher(message.getResponseHeader().toString());
while (matcher.find() && !pcc.allMatchesProcessed()) {
notifyMatchFound(currentRecordId, matcher.group(), message, SearchMatch.Location.RESPONSE_HEAD, matcher.start(), matcher.end());
if (!searchAllOccurrences) {
break;
}
}
// Response body
matcher = pattern.matcher(message.getResponseBody().toString());
while (matcher.find() && !pcc.allMatchesProcessed()) {
notifyMatchFound(currentRecordId, matcher.group(), message, SearchMatch.Location.RESPONSE_BODY, matcher.start(), matcher.end());
if (!searchAllOccurrences) {
break;
}
}
}
}
} catch (HttpMalformedHeaderException e1) {
log.error(e1.getMessage(), e1);
}
if (pcc.hasPageEnded()) {
break;
}
}
} catch (DatabaseException e) {
log.error(e.getMessage(), e);
}
}
Also used :
Matcher(java.util.regex.Matcher)
ExtensionHistory(org.parosproxy.paros.extension.history.ExtensionHistory)
HistoryReference(org.parosproxy.paros.model.HistoryReference)
HttpMalformedHeaderException(org.parosproxy.paros.network.HttpMalformedHeaderException)
HttpMessage(org.parosproxy.paros.network.HttpMessage)
DatabaseException(org.parosproxy.paros.db.DatabaseException)
Session(org.parosproxy.paros.model.Session)
Example 19 with Session
use of org.parosproxy.paros.model.Session in project zaproxy by zaproxy.
the class ContextListPanel method initParam.
@Override
public void initParam(Object obj) {
Session session = (Session) obj;
List<Object[]> values = new ArrayList<>();
List<Context> contexts = session.getContexts();
for (Context context : contexts) {
values.add(new Object[] { context.getId(), context.getName(), context.isInScope() });
}
this.model.setValues(values);
}Example 20 with Session
use of org.parosproxy.paros.model.Session in project zaproxy by zaproxy.
the class ExtensionHistory method searchHistory.
private void searchHistory(HistoryFilter historyFilter) {
Session session = getModel().getSession();
synchronized (historyTableModel) {
try {
// ZAP: Added type argument.
List<Integer> list = getModel().getDb().getTableHistory().getHistoryIdsOfHistType(session.getSessionId(), HistoryReference.TYPE_PROXIED, HistoryReference.TYPE_ZAP_USER, HistoryReference.TYPE_PROXY_CONNECT);
buildHistory(list, historyFilter);
} catch (DatabaseException e) {
logger.error(e.getMessage(), e);
}
}
}
Also used :
DatabaseException(org.parosproxy.paros.db.DatabaseException)
Session(org.parosproxy.paros.model.Session)
Aggregations
Session (org.parosproxy.paros.model.Session)51
DatabaseException (org.parosproxy.paros.db.DatabaseException)18
Context (org.zaproxy.zap.model.Context)14
ArrayList (java.util.ArrayList)8
JMenuItem (javax.swing.JMenuItem)7
ExtensionPopupMenuItem (org.parosproxy.paros.extension.ExtensionPopupMenuItem)7
File (java.io.File)5
SiteNode (org.parosproxy.paros.model.SiteNode)5
HttpMalformedHeaderException (org.parosproxy.paros.network.HttpMalformedHeaderException)5
URIException (org.apache.commons.httpclient.URIException)4
RecordStructure (org.parosproxy.paros.db.RecordStructure)4
HttpMessage (org.parosproxy.paros.network.HttpMessage)4
ApiException (org.zaproxy.zap.extension.api.ApiException)4
ApiResponseElement (org.zaproxy.zap.extension.api.ApiResponseElement)4
Date (java.util.Date)3
HashMap (java.util.HashMap)3
PatternSyntaxException (java.util.regex.PatternSyntaxException)3
JFileChooser (javax.swing.JFileChooser)3
JSONException (net.sf.json.JSONException)3
ExtensionHistory (org.parosproxy.paros.extension.history.ExtensionHistory)3
