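--- a/authorization/authorization.py
+++ b/authorization/authorization.py
@@ -219,80 +219,50 @@
 andEnforcementCheck = False
 auth_enforced = False
 
-response = requestResponse.getResponse()
 for filter in filters:
 filter = self._helpers.bytesToString(bytes(filter))
+inverse = "NOT" in filter
+filter = filter.replace(" NOT", "")
+
 if filter.startswith("Status code equals: "):
 statusCode = filter[20:]
-if andEnforcementCheck:
-if auth_enforced and not isStatusCodesReturned(self, requestResponse, statusCode):
-auth_enforced = False
-else:
-if not auth_enforced and isStatusCodesReturned(self, requestResponse, statusCode):
-auth_enforced = True
+filterMatched = inverse ^ isStatusCodesReturned(self, requestResponse, statusCode)
 
-if filter.startswith("Headers (simple string): "):
-if andEnforcementCheck:
-if auth_enforced and not filter[25:] in self._helpers.bytesToString(requestResponse.getResponse()[0:analyzedResponse.getBodyOffset()]):
-auth_enforced = False
-else:
-if not auth_enforced and filter[25:] in self._helpers.bytesToString(requestResponse.getResponse()[0:analyzedResponse.getBodyOffset()]):
-auth_enforced = True
+elif filter.startswith("Headers (simple string): "):
+filterMatched = inverse ^ (filter[25:] in self._helpers.bytesToString(requestResponse.getResponse()[0:analyzedResponse.getBodyOffset()]))
 
-if filter.startswith("Headers (regex): "):
+elif filter.startswith("Headers (regex): "):
 regex_string = filter[17:]
 p = re.compile(regex_string, re.IGNORECASE)
-if andEnforcementCheck:
-if auth_enforced and not p.search(self._helpers.bytesToString(requestResponse.getResponse()[0:analyzedResponse.getBodyOffset()])):
-auth_enforced = False
-else:
-if not auth_enforced and p.search(self._helpers.bytesToString(requestResponse.getResponse()[0:analyzedResponse.getBodyOffset()])):
-auth_enforced = True
+filterMatched = inverse ^ bool(p.search(self._helpers.bytesToString(requestResponse.getResponse()[0:analyzedResponse.getBodyOffset()])))
 
-if filter.startswith("Body (simple string): "):
-if andEnforcementCheck:
-if auth_enforced and not filter[22:] in self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():]):
-auth_enforced = False
-else:
-if not auth_enforced and filter[22:] in self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():]):
-auth_enforced = True
+elif filter.startswith("Body (simple string): "):
+filterMatched = inverse ^ (filter[22:] in self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():]))
 
-if filter.startswith("Body (regex): "):
+elif filter.startswith("Body (regex): "):
 regex_string = filter[14:]
 p = re.compile(regex_string, re.IGNORECASE)
-if andEnforcementCheck:
-if auth_enforced and not p.search(self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():])):
-auth_enforced = False
-else:
-if not auth_enforced and p.search(self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():])):
-auth_enforced = True
+filterMatched = inverse ^ bool(p.search(self._helpers.bytesToString(requestResponse.getResponse()[analyzedResponse.getBodyOffset():])))
 
-if filter.startswith("Full response (simple string): "):
-if andEnforcementCheck:
-if auth_enforced and not filter[31:] in self._helpers.bytesToString(requestResponse.getResponse()):
-auth_enforced = False
-else:
-if not auth_enforced and filter[31:] in self._helpers.bytesToString(requestResponse.getResponse()):
-auth_enforced = True
+elif filter.startswith("Full response (simple string): "):
+filterMatched = inverse ^ (filter[31:] in self._helpers.bytesToString(requestResponse.getResponse()))
 
-if filter.startswith("Full response (regex): "):
+elif filter.startswith("Full response (regex): "):
 regex_string = filter[23:]
 p = re.compile(regex_string, re.IGNORECASE)
-if andEnforcementCheck:
-if auth_enforced and not p.search(self._helpers.bytesToString(requestResponse.getResponse())):
-auth_enforced = False
-else:
-if not auth_enforced and p.search(self._helpers.bytesToString(requestResponse.getResponse())):
-auth_enforced = True
+filterMatched = inverse ^ bool(p.search(self._helpers.bytesToString(requestResponse.getResponse())))
+
+elif filter.startswith("Full response length: "):
+filterMatched = inverse ^ (str(len(response)) == filter[22:].strip())
+
+if andEnforcementCheck:
+if auth_enforced and not filterMatched:
+auth_enforced = False
+else:
+if not auth_enforced and filterMatched:
+auth_enforced = True
 
-if filter.startswith("Full response length: "):
-if andEnforcementCheck:
-if auth_enforced and not str(len(response)) == filter[22:].strip():
-auth_enforced = False
-else:
-if not auth_enforced and str(len(response)) == filter[22:].strip():
-auth_enforced = True
-return auth_enforced
+return auth_enforced
 
 def checkBypass(self, oldStatusCode, newStatusCode, oldContent,
 newContent, filters, requestResponse, andOrEnforcement):
@@ -359,3 +329,4 @@
 for i in range(self.tableModel.getRowCount()):
 logEntry = self._log.get(self.logTable.convertRowIndexToModel(i))
 handle_message(self, "AUTORIZE", False, logEntry._originalrequestResponse)
+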
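Review bot: `inverse = "NOT" in filter` and `filter.replace(" NOT", "")` at new lines 224–225 inspect and rewrite the whole filter string, including the operator-supplied value after the type prefix, so a filter such as `Body (simple string): DO NOT ENTER` is both inverted and reduced to `DO ENTER`, and any regex, header or body value containing `NOT` silently flips the enforcement result. Restricting the detection to the type prefix (partition on `": "`, then test and strip ` NOT` on the prefix only) avoids this. Separately, `filterMatched` is bound only inside the `if`/`elif` chain, so for a filter matching no branch the enforcement block at new lines 258–263 reads an unbound name on the first iteration or a stale value from the previous filter, whereas the old code simply ignored such a filter; an `else: continue` restores that. The removed `response = requestResponse.getResponse()` (old line 222) is still read by `len(response)` at new line 256, so unless `response` is bound earlier in this function, outside the hunk, that branch raises NameError. The enclosing function begins before the hunk.
```python
for filter in filters:
    filter = self._helpers.bytesToString(bytes(filter))
    # Only the filter-type prefix may carry NOT; never inspect or rewrite the value part
    filterType, sep, filterValue = filter.partition(": ")
    inverse = " NOT" in filterType
    filter = filterType.replace(" NOT", "") + sep + filterValue

    if filter.startswith("Status code equals: "):
        statusCode = filter[20:]
        filterMatched = inverse ^ isStatusCodesReturned(self, requestResponse, statusCode)
    # … unchanged: remaining elif branches …
    else:
        # Unknown filter type: skip it rather than reuse filterMatched from a previous filter
        continue

    # … unchanged: andEnforcementCheck update of auth_enforced …
```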
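--- a/gui/enforcement_detector.py
+++ b/gui/enforcement_detector.py
@@ -35,14 +35,24 @@
 EDLabelList = JLabel("Filter List:")
 EDLabelList.setBounds(10, 165, 140, 30)
 
-EDStrings = ["Headers (simple string): (enforced message headers contains)",
-"Headers (regex): (enforced message headers contains)",
-"Body (simple string): (enforced message body contains)",
-"Body (regex): (enforced message body contains)",
-"Full response (simple string): (enforced message contains)",
-"Full response (regex): (enforced message contains)",
-"Full response length: (of enforced response)",
-"Status code equals: (numbers only)"]
+EDStrings = [
+"Headers (simple string): (enforced message headers contain)",
+"Headers NOT (simple string): (enforced message headers NOT contain)",
+"Headers (regex): (enforced message headers contain)",
+"Headers NOT (regex): (enforced message headers NOT contain)",
+"Body (simple string): (enforced message body contains)",
+"Body NOT (simple string): (enforced message body NOT contains)",
+"Body (regex): (enforced message body contains)",
+"Body NOT (regex): (enforced message body NOT contains)",
+"Full response (simple string): (enforced message contains)",
+"Full response NOT (simple string): (enforced message NOT contains)",
+"Full response (regex): (enforced message contains)",
+"Full response NOT (regex): (enforced message NOT contains)",
+"Full response length: (of enforced response)",
+"Full response NOT length: (of enforced response)",
+"Status code equals: (numbers only)",
+"Status code NOT equals: (numbers only)"
+]
 self._extender.EDType = JComboBox(EDStrings)
 self._extender.EDType.setBounds(80, 10, 430, 30)
 
@@ -99,14 +109,24 @@
 EDLabelList = JLabel("Filter List:")
 EDLabelList.setBounds(10, 165, 140, 30)
 
-EDStrings = ["Headers (simple string): (enforced message headers contains)",
-"Headers (regex): (enforced message headers contains)",
-"Body (simple string): (enforced message body contains)",
-"Body (regex): (enforced message body contains)",
-"Full response (simple string): (enforced message contains)",
-"Full response (regex): (enforced message contains)",
-"Full response length: (of enforced response)",
-"Status code equals: (numbers only)"]
+EDStrings = [
+"Headers (simple string): (enforced message headers contain)",
+"Headers NOT (simple string): (enforced message headers NOT contain)",
+"Headers (regex): (enforced message headers contain)",
+"Headers NOT (regex): (enforced message headers NOT contain)",
+"Body (simple string): (enforced message body contains)",
+"Body NOT (simple string): (enforced message body NOT contains)",
+"Body (regex): (enforced message body contains)",
+"Body NOT (regex): (enforced message body NOT contains)",
+"Full response (simple string): (enforced message contains)",
+"Full response NOT (simple string): (enforced message NOT contains)",
+"Full response (regex): (enforced message contains)",
+"Full response NOT (regex): (enforced message NOT contains)",
+"Full response length: (of enforced response)",
+"Full response NOT length: (of enforced response)",
+"Status code equals: (numbers only)",
+"Status code NOT equals: (numbers only)"
+]
 self._extender.EDTypeUnauth = JComboBox(EDStrings)
 self._extender.EDTypeUnauth.setBounds(80, 10, 430, 30)
 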
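Review bot: The 16-entry `EDStrings` list is now duplicated verbatim at lines 38–55 and 112–129, and the text before `": "` in each entry appears to be what authorization/authorization.py later matches with `startswith`, so every new filter type has to be added in three places and the two copies can drift apart. Defining the list once as a module-level constant, e.g. `ENFORCEMENT_FILTER_TYPES = [...]` preceded by `# Text before ": " must match the prefixes parsed in authorization/authorization.py`, and passing it to both `JComboBox` constructors removes the copy. The descriptions are also uneven: `headers contain` sits beside `body contains`, and `NOT contain` / `NOT contains` in the negated entries read awkwardly; `does not contain` is the grammatical form for all of them. Both enclosing methods begin before and continue past their hunks.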