From 4213d68935e3d5f0668b0a2d9213f6ad8f4e76ec Mon Sep 17 00:00:00 2001
From: ONUKI Masanori
Date: Fri, 14 Jun 2024 14:22:19 +0900
Subject: [PATCH 1/3] Add test for ScannerFacade#scanHtml #81
---
 .../retirejs/repo/ScannerFacadeTest.java | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
diff --git a/retirejs-core/src/test/java/com/h3xstream/retirejs/repo/ScannerFacadeTest.java b/retirejs-core/src/test/java/com/h3xstream/retirejs/repo/ScannerFacadeTest.java
index 47b7dcf..b25809c 100644
--- a/retirejs-core/src/test/java/com/h3xstream/retirejs/repo/ScannerFacadeTest.java
+++ b/retirejs-core/src/test/java/com/h3xstream/retirejs/repo/ScannerFacadeTest.java
@@ -147,4 +147,53 @@ public void noMatch() throws IOException {
 verify(repo).findByHash(DUMMY_SCRIPT_SHA1);
 verify(repo).findByFileContent(DUMMY_SCRIPT);
 }
+
+ @Test
+ public void uriMatchToHtml() throws IOException {
+ VulnerabilitiesRepositoryLoader.syncWithOnlineRepository = false;
+
+ //Init. mock
+ VulnerabilitiesRepository repo = mock(VulnerabilitiesRepository.class);
+ when(repo.findByUri("/js/yolo.js")).thenReturn(ONE_RESULT);
+
+ //Call the scanner logic
+ ScannerFacade scanner = new ScannerFacade(repo);
+ List results = scanner.scanHtml((
+ "" + // double quote
+ "" + // single quote
+ "" // no quote
+ ).getBytes(),0);
+
+ //Assertions
+ assertEquals(results.size(),3,"Expect one result.");
+ verify(repo,times(3)).findByUri("/js/yolo.js");
+ verify(repo,never()).findByFilename(anyString());
+ verify(repo,never()).findByHash(anyString());
+ verify(repo,never()).findByFileContent(anyString());
+ }
+
+ @Test
+ public void filenameMatchToHtml() throws IOException {
+ VulnerabilitiesRepositoryLoader.syncWithOnlineRepository = false;
+
+ //Init. mock
+ VulnerabilitiesRepository repo = mock(VulnerabilitiesRepository.class);
+ when(repo.findByUri("/js/yolo.js")).thenReturn(EMPTY_RESULT);
+ when(repo.findByFilename("yolo.js")).thenReturn(ONE_RESULT);
+
+ //Call the scanner logic
+ ScannerFacade scanner = new ScannerFacade(repo);
+ List results = scanner.scanHtml((
+ "" + // double quote
+ "" + // single quote
+ "" // no quote
+ ).getBytes(),0);
+
+ //Assertions
+ assertEquals(results.size(),3,"Expect one result.");
+ verify(repo,times(3)).findByUri("/js/yolo.js");
+ verify(repo,times(3)).findByFilename("yolo.js");
+ verify(repo,never()).findByHash(anyString());
+ verify(repo,never()).findByFileContent(anyString());
+ }
 }
\ No newline at end of file
From a8069dd3caa28b77afcbde091b159a133138eddf Mon Sep 17 00:00:00 2001
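Review bot: In both tests added by PATCH 1/3 the assertion message contradicts the expected value: `assertEquals(results.size(),3,"Expect one result.");` checks for three results, so a failure would print a misleading message; `"Expect three results."` matches the check. The fixtures are also encoded with `.getBytes()`, which uses the platform default charset; `.getBytes(StandardCharsets.UTF_8)` keeps the scanner input identical on every build machine. The three HTML literals are not visible on this page, so it cannot be confirmed here which attribute layouts they cover; a case where the unquoted `src` value is immediately followed by `>` would be worth adding if it is not already among them.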
From: ONUKI Masanori Date: Fri, 14 Jun 2024 14:22:33 +0900 Subject: [PATCH 2/3] Modify SannerFacade#findScriptUrl to work even when the script tag contains mixed case letters --- .../com/h3xstream/retirejs/repo/ScannerFacade.java | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/retirejs-core/src/main/java/com/h3xstream/retirejs/repo/ScannerFacade.java b/retirejs-core/src/main/java/com/h3xstream/retirejs/repo/ScannerFacade.java index 596b395..70aec88 100644 --- a/retirejs-core/src/main/java/com/h3xstream/retirejs/repo/ScannerFacade.java +++ b/retirejs-core/src/main/java/com/h3xstream/retirejs/repo/ScannerFacade.java @@ -67,10 +67,13 @@ private List findScriptUrl(String source) { List urls = new ArrayList(); for(String line : tokens) { - if(line.contains("]*" + //script tags - "[sS][rR][cC]=" + //src attribute - "[\"']([^>]*)[\"']"); //URL between quotes + if (line.toLowerCase().contains("]*" + //script tags + "src=" + //src attribute + "[\"']([^>]*)[\"']", //URL between quotes + Pattern.CASE_INSENSITIVE); + Matcher m = p.matcher(line); if(m.find()) { String urlScript = m.group(1); From b8a2948a11c4899bc129ba6aaa403fd8476a8ca9 Mon Sep 17 00:00:00 2001 From: ONUKI Masanori Date: Fri, 14 Jun 2024 14:24:33 +0900 Subject: [PATCH 3/3] Fix SannerFacade#findScriptUrl to extract only the src attribute string #81 --- .../java/com/h3xstream/retirejs/repo/ScannerFacade.java | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/retirejs-core/src/main/java/com/h3xstream/retirejs/repo/ScannerFacade.java b/retirejs-core/src/main/java/com/h3xstream/retirejs/repo/ScannerFacade.java index 70aec88..cfd7049 100644 --- a/retirejs-core/src/main/java/com/h3xstream/retirejs/repo/ScannerFacade.java +++ b/retirejs-core/src/main/java/com/h3xstream/retirejs/repo/ScannerFacade.java 
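Review bot: `line.toLowerCase()` in the `@@ -67,10 +67,13 @@` hunk of PATCH 2/3 uses the JVM's default locale, so on a Turkish-locale JVM an upper-case `<SCRIPT` tag lower-cases with a dotless `ı` and the pre-filter skips the line, which means the vulnerable-library lookup never runs for that tag. `line.toLowerCase(Locale.ROOT)` (with `java.util.Locale` imported) makes the check locale-independent and consistent with the `Pattern.CASE_INSENSITIVE` match that follows. The pattern is also recompiled for every matching line inside the loop; compiling it once into a `private static final Pattern` field would avoid that. The body of `findScriptUrl` continues outside the hunk, and part of the hunk text is cut on this page.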
@@ -71,12 +71,15 @@ private List findScriptUrl(String source) { Pattern p = Pattern.compile( "]*" + //script tags "src=" + //src attribute - "[\"']([^>]*)[\"']", //URL between quotes + "(?\"[^\"]*?\"|'[^']*?'|\\S+)", //URL between quotes Pattern.CASE_INSENSITIVE); Matcher m = p.matcher(line); - if(m.find()) { - String urlScript = m.group(1); + if (m.find()) { + String src = m.group("src"); + String urlScript = src.startsWith("\"") || src.startsWith("'") + ? src.substring(1, src.length() - 1) // trim quotes + : src; urls.add(urlScript); } }
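Review bot: The unquoted alternative `\\S+` in the new `src` pattern stops only at whitespace, so for a tag written as `src=/js/yolo.js>` the captured value includes the closing `>` and whatever follows up to the next space, and the URI and filename lookups then run on a string that cannot match a known library. The same alternative also accepts a value that opens with a quote but has no closing quote on the line; when that value is a single quote character, `src.substring(1, src.length() - 1)` is called with an end index of 0 and throws `StringIndexOutOfBoundsException` while scanning a response. Replacing `\\S+` with `[^\\s\"'>]+` stops the unquoted value at `>` and guarantees that a value starting with a quote came from one of the two quoted alternatives. `findScriptUrl` starts before and ends after this hunk.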