public void ApplyConfig()
{
HttpResource notfound = new HttpResource(ResourceMappingType.FILE);
notfound.BasePath = $"{Environment.CurrentDirectory}/web/404.html";
notfound.MIMEType = "text/html";
serverConfig = new ServerConfig();
serverConfig.DocumentRoot = $"{Environment.CurrentDirectory}/web/";
serverConfig.MaxCleanUpNumber = 5;
serverConfig.MaxConnectionAccepted = 100;
serverConfig.ServerPort = 8080;
serverConfig.DeadConnectionCleanUpInterval = 4000;
serverConfig.IdleConnectionCleanUpInterval = 4000;
serverConfig.NotFound404Page
= new ResourceLocator("", "", notfound);
}
/// <summary>
/// Cleans up after configuration has been performed.
/// </summary>
/// <param name="WebServer">Current Web Server object.</param>
public override Task CleanupAfterConfiguration(HttpServer WebServer)
{
Task Result = base.CleanupAfterConfiguration(WebServer);
if (this.connectToHost != null)
{
WebServer.Unregister(this.connectToHost);
this.connectToHost = null;
}
if (this.randomizePassword != null)
{
WebServer.Unregister(this.randomizePassword);
this.randomizePassword = null;
}
return(Result);
}
public async Task <JsonResult> TitleFromUri()
{
if (VoatSettings.Instance.OutgoingTraffic.Enabled)
{
var uri = Request.Query["uri"].FirstOrDefault();
uri = uri.TrimSafe();
if (!string.IsNullOrEmpty(uri) && UrlUtility.IsUriValid(uri, true, true))
{
//Old Code:
//string title = UrlUtility.GetTitleFromUri(uri);
using (var httpResource = new HttpResource(
new Uri(uri),
new HttpResourceOptions()
{
AllowAutoRedirect = true
},
VoatSettings.Instance.OutgoingTraffic.Proxy.ToWebProxy()))
{
await httpResource.GiddyUp();
string title = httpResource.Title;
if (title != null)
{
title = title.StripUnicode();
var resultList = new List <string>
{
title
};
return(Json(resultList /* CORE_PORT: Removed , JsonRequestBehavior.AllowGet */));
}
}
}
}
Response.StatusCode = (int)HttpStatusCode.BadRequest;
return(Json("Bad request." /* CORE_PORT: Removed , JsonRequestBehavior.AllowGet */));
}
public async Task TestRedirect()
{
Uri testUri = new Uri("http://stackoverflow.com/questions/1348683/will-the-b-and-i-tags-ever-become-deprecated");
using (var httpResource = new HttpResource(testUri.ToString()))
{
await httpResource.GiddyUp();
Assert.AreEqual(false, httpResource.Redirected);
Assert.AreEqual(HttpStatusCode.MovedPermanently, httpResource.Response.StatusCode);
}
using (var httpResource = new HttpResource(testUri.ToString(), new HttpResourceOptions()
{
AllowAutoRedirect = true
}))
{
await httpResource.GiddyUp();
Assert.AreEqual(true, httpResource.Redirected);
Assert.AreEqual(HttpStatusCode.OK, httpResource.Response.StatusCode);
}
}
/// <summary>
/// Initializes the setup object.
/// </summary>
/// <param name="WebServer">Current Web Server object.</param>
public override async Task InitSetup(HttpServer WebServer)
{
XmlSchema Schema = XSL.LoadSchema(typeof(Gateway).Namespace + ".Schema.Theme.xsd", typeof(Gateway).Assembly);
string ThemesFolder = Path.Combine(Gateway.AppDataFolder, "Root", "Themes");
ThemeDefinition Def;
await base.InitSetup(WebServer);
WebServer.ETagSalt = this.Updated.Ticks.ToString();
if (Directory.Exists(ThemesFolder))
{
foreach (string FileName in Directory.GetFiles(ThemesFolder, "*.xml", SearchOption.AllDirectories))
{
try
{
XmlDocument Doc = new XmlDocument();
Doc.Load(FileName);
XSL.Validate(FileName, Doc, "Theme", "http://waher.se/Schema/Theme.xsd", Schema);
Def = new ThemeDefinition(Doc);
themeDefinitions[Def.Id] = Def;
}
catch (Exception ex)
{
Log.Critical(ex, FileName);
continue;
}
}
}
bool Update = false;
if (!string.IsNullOrEmpty(this.themeId) && !themeDefinitions.ContainsKey(this.themeId))
{
this.themeId = string.Empty;
this.Step = 0;
this.Completed = DateTime.MinValue;
this.Complete = false;
Update = true;
}
if (string.IsNullOrEmpty(this.themeId) && themeDefinitions.Count == 1)
{
foreach (ThemeDefinition Def2 in themeDefinitions.Values)
{
this.themeId = Def2.Id;
await this.MakeCompleted();
Update = false;
break;
}
}
if (Update)
{
this.Updated = DateTime.Now;
await Database.Update(this);
}
if (!string.IsNullOrEmpty(this.themeId) && themeDefinitions.TryGetValue(this.themeId, out Def))
{
Theme.CurrerntTheme = Def;
}
else if (themeDefinitions.TryGetValue("CactusRose", out Def))
{
Theme.CurrerntTheme = Def;
}
else
{
foreach (ThemeDefinition Def2 in themeDefinitions.Values)
{
Theme.CurrerntTheme = Def2;
break;
}
}
this.setTheme = WebServer.Register("/Settings/SetTheme", null, this.SetTheme, true, false, true);
}
/// <summary>
/// Initializes the setup object.
/// </summary>
/// <param name="WebServer">Current Web Server object.</param>
public override Task InitSetup(HttpServer WebServer)
{
this.testAddresses = WebServer.Register("/Settings/TestNotificationAddresses", null, this.TestNotificationAddresses, false, false, true);
return(base.InitSetup(WebServer));
}
/// <summary>
/// Waits for the user to provide configuration.
/// </summary>
/// <param name="WebServer">Current Web Server object.</param>
/// <returns>If all system configuration objects must be reloaded from the database.</returns>
public override Task <bool> SetupConfiguration(HttpServer WebServer)
{
this.simplified = WebServer.Register("/Settings/Simplified", null, this.Simplified, false, false, true);
return(base.SetupConfiguration(WebServer));
}
public HttpResource ToResource() => HttpResource.From(_name);
private void Refresh(App app, string path)
{
var cssFolder = Path.Combine(app.LocalDirectory, "css");
if (!Directory.Exists(cssFolder))
Directory.CreateDirectory(cssFolder);
var cssFiles = Directory
.GetFiles(cssFolder)
.Where(f => f.EndsWith(".css"));
if (cssFiles
.Where(f => !TimeMap.ContainsKey(f) || File.GetLastWriteTimeUtc(f) != TimeMap[f])
.Any())
{
// Combine CSS
var combinedCss = cssFiles
.OrderBy(f => f.Substring(0, f.Length-4))
.Select(f => File.ReadAllText(f))
.Where(t => !t.StartsWith("/* Auto-Combine: Exclude", StringComparison.InvariantCultureIgnoreCase))
.Aggregate((a, b) => a + Environment.NewLine + b);
// Minify CSS
var cachedCss = new HttpResource(
DateTime.UtcNow,
Encoding.UTF8.GetBytes(
new Minifier().MinifyStyleSheet(combinedCss)
), "text/css");
// Update write times
foreach (var cssFile in cssFiles)
TimeMap.AddOrUpdate(cssFile, File.GetLastWriteTimeUtc(cssFile),
(f, d) => File.GetLastWriteTimeUtc(f));
// Add or update the combined css.
this.Cache.AddOrUpdate(path, cachedCss, (s, o) => cachedCss);
}
}
public override async Task SummaryRunOnce(VulnerabilitySummary summary)
{
ZapJsonReport report = null;
var jsonReportPath = Path.Combine(WorkingDirectory, OwaspZapPlugin.JSON_REPORT_FILE);
if (File.Exists(jsonReportPath))
{
using (var sr = new StreamReader(jsonReportPath))
{
report = JsonConvert.DeserializeObject <ZapJsonReport>(await sr.ReadToEndAsync());
}
}
else
{
Logger.LogCritical("JSON report from this plugin was not found! Aborting...");
return;
}
if (report == null)
{
Logger.LogCritical("JSON report from this plugin was not valid! Aborting...");
return;
}
foreach (var alert in report.Site.First().Alerts)
{
var item = new VulnerabilityItem
{
PluginResults = new List <PluginResult> {
this
},
PluginPointer = PluginPointer,
PluginRawScore = alert.RiskCode * alert.Confidence,
PluginAdjustedScore = alert.RiskCode * alert.Confidence / (3.0 * 5.0) * 100,
Description = alert.Desc,
Resources = alert.Instances.Select(instance =>
{
var newResource = new HttpResource {
Method = instance.Method, Url = instance.Uri
};
var newFingerprint =
newResource.Fingerprint(skippedFields: new[] { "resourceId", "fields", "headers" });
if (ResourceManager.Instance.ContainsFingerprint(newFingerprint))
{
return(ResourceManager.Instance.GetByFingerprint <HttpResource>(newFingerprint));
}
ResourceManager.Instance.Register(newResource);
return(newResource);
}).Cast <Resource>().ToList()
};
item.Extras["OWASPZAP"] = new
{
alert.Alert,
alert.Confidence,
alert.Count,
alert.CWEId,
alert.Desc,
alert.Name,
alert.OtherInfo,
alert.PluginId,
alert.Reference,
alert.RiskCode,
alert.RiskDesc,
alert.Solution,
alert.SourceId,
alert.WASCId
};
string[] skipFields = { "pluginResults", "extras" };
var fingerprint = item.Fingerprint(skippedFields: skipFields);
if (summary.VulnerabilityItems.All(i => i.Fingerprint(skippedFields: skipFields) != fingerprint))
{
summary.VulnerabilityItems.Add(item);
}
else // correlation -- multiple plugins see this
{
var correlatedItem = summary.VulnerabilityItems.FirstOrDefault(v =>
v.Fingerprint(skippedFields: skipFields) == fingerprint);
if (correlatedItem != null && !correlatedItem.PluginResults.Contains(this))
{
correlatedItem.PluginResults.Add(this);
correlatedItem.Extras["OWASPZAP"] = item.Extras["OWASPZAP"];
}
}
}
// TODO: Migrate HTML report into AzDO plugin?
}
public void ProcessRequest(App site, HttpContext context, string resource, string query)
{
HttpRequest request = context.Request;
HttpResponse response = context.Response;
var file = new FileInfo(Path.Combine(site.LocalDirectory, resource));
var mime = site.Mime.GetMime(file.Extension);
if (!file.Exists || mime == null || file.Name.EndsWith("web.config.xml"))
{
response.Status = "404";
return;
}
// Check if we have dpr in the cookie
var dprString = request.Cookies.GetString("dpr");
// Check if we have dpr bigger than one in the cookie
if (dprString != null && dprString != "1" && mime.StartsWith("image/"))
{
// Get the dpr value
int dpr = 1;
// Check if it's an image and if it exists
if (Int32.TryParse(dprString, out dpr))
{
// If dpr is bigger than one
if (dpr > 1)
{
var fullname = file.FullName;
var namebase = fullname.Remove(fullname.Length - file.Extension.Length);
var newfile = namebase + "@2x" + file.Extension;
// Set the new file to a 2x one
if (File.Exists(newfile))
file = new FileInfo(newfile);
}
}
}
// Add Vary for javascript & css
if (mime == "application/javascript" || mime == "application/x-javascript" || mime == "text/javascript" || mime == "text/css")
response.Headers.Set("Vary", "Accept-Encoding");
// Create a new resource from file and write to the response
HttpResource content = new HttpResource(file);
response.Status = "200";
content.WriteTo(context);
}
public HttpResource ToResource()
{
return(Region.ToResource().Then(HttpResource.From(Name)));
}
