Merge pull request #74 from projectdiscovery/dev

0.0.5 Release

Author: ehsandeep

.github/workflows/codeql-analysis.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/dockerhub-push.yml

@@ -11,7 +11,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v1

.github/workflows/lint-test.yml

@@ -12,7 +12,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v3
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v3.1.0
         with:
           version: latest
           args: --timeout 5m

README.md

@@ -61,6 +61,7 @@ This will display help for the tool. Here are all the switches it supports.
 | `-max-file-size` | Max Upload File Size (default 50 MB)                    | `simplehttpserver -max-file-size 100`              |
 | `-sandbox`       | Enable sandbox mode                                     | `simplehttpserver -sandbox`                        |
 | `-https`         | Enable HTTPS in case of http server                     | `simplehttpserver -https`                          |
+| `-http1`         | Enable only HTTP1                                       | `simplehttpserver -http1`                          |
 | `-cert`          | HTTPS/TLS certificate (self generated if not specified) | `simplehttpserver -cert cert.pem`                  |
 | `-key`           | HTTPS/TLS certificate private key                       | `simplehttpserver -key cert.key`                   |
 | `-domain`        | Domain name to use for the self-generated certificate   | `simplehttpserver -domain projectdiscovery.io`     |
@@ -128,7 +129,9 @@ simplehttpserver -rule rules.yaml -tcp -tls -domain localhost
 The rules are written as follows:
 ```yaml
 rules:
-  - match: regex
+  - match: regex-match
+    match-contains: literal-match
+    name: rule-name
     response: response data
 ```
 
@@ -137,6 +140,7 @@ For example to handle two different paths simulating an HTTP server or SMTP comm
 rules:
   # HTTP Requests
   - match: GET /path1
+    name: redirect
     response: |
               HTTP/1.0 200 OK
               Server: httpd/2.0
@@ -149,13 +153,15 @@ rules:
               <HTML><HEAD><script>top.location.href='/Main_Login.asp';</script>
               </HEAD></HTML>
   - match: GET /path2
+    name: "404"
     response: |
               HTTP/1.0 404 OK
               Server: httpd/2.0
             
               <HTML><HEAD></HEAD><BODY>Not found</BODY></HTML>
   # SMTP Commands
   - match: "EHLO example.com"
+    name: smtp 
     response: |
               250-localhost Nice to meet you, [127.0.0.1]
               250-PIPELINING
@@ -167,6 +173,14 @@ rules:
     response: 250 Accepted
   - match: "RCPT TO: <test@example.com>"
     response: 250 Accepted
+
+  - match-contains: !!binary |
+      MAwCAQFgBwIBAwQAgAA=
+    name: "ldap"
+    # Request:  300c 0201 0160 0702 0103 0400 8000       0....`........
+    # Response: 300c 0201 0161 070a 0100 0400 0400       0....a........
+    response: !!binary |
+      MAwCAQFhBwoBAAQABAA=
 ```
 
 ## Note

go.mod

@@ -3,6 +3,7 @@ module github.com/projectdiscovery/simplehttpserver
 go 1.17
 
 require (
+	github.com/fsnotify/fsnotify v1.5.1
 	github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2
 	github.com/projectdiscovery/gologger v1.1.4
 	github.com/projectdiscovery/sslcert v0.0.0-20210416140253-8f56bec1bb5e
@@ -14,4 +15,5 @@ require (
 	github.com/logrusorgru/aurora v2.0.3+incompatible // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.1 // indirect
+	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
 )

go.sum

@@ -2,6 +2,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI=
+github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/json-iterator/go v1.1.10 h1:Kz6Cvnvv2wGdaG/V8yMvfkmNiXq9Ya2KUv4rouJJr68=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -31,6 +33,8 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

internal/runner/banner.go

@@ -8,11 +8,11 @@ const banner = `
   \__ \/ / __ -__ \/ __ \/ / _ \/ /_/ / / /   / / / /_/ / ___/ _ \/ ___/ | / / _ \/ ___/
  ___/ / / / / / / / /_/ / /  __/ __  / / /   / / / ____(__  )  __/ /   | |/ /  __/ /    
 /____/_/_/ /_/ /_/ .___/_/\___/_/ /_/ /_/   /_/ /_/   /____/\___/_/    |___/\___/_/     
-                /_/                                                       - v0.0.4
+                /_/                                                       - v0.0.5
 `
 
 // Version is the current version
-const Version = `0.0.4`
+const Version = `0.0.5`
 
 // showBanner is used to show the banner to the user
 func showBanner() {

internal/runner/options.go

@@ -31,6 +31,8 @@ type Options struct {
 	Silent         bool
 	Sandbox        bool
 	MaxFileSize    int
+	HTTP1Only      bool
+	MaxDumpBodySize int
 }
 
 // ParseOptions parses the command line options for application
@@ -56,8 +58,9 @@ func ParseOptions() *Options {
 	flag.BoolVar(&options.Version, "version", false, "Show version of the software")
 	flag.BoolVar(&options.Silent, "silent", false, "Show only results in the output")
 	flag.BoolVar(&options.Sandbox, "sandbox", false, "Enable sandbox mode")
+	flag.BoolVar(&options.HTTP1Only, "http1", false, "Enable only HTTP1")
 	flag.IntVar(&options.MaxFileSize, "max-file-size", 50, "Max Upload File Size")
-
+	flag.IntVar(&options.MaxDumpBodySize, "max-dump-body-size", -1, "Max Dump Body Size")
 	flag.Parse()
 
 	// Read the inputs and configure the logging

internal/runner/runner.go

@@ -5,6 +5,7 @@ import (
 	"github.com/projectdiscovery/simplehttpserver/pkg/binder"
 	"github.com/projectdiscovery/simplehttpserver/pkg/httpserver"
 	"github.com/projectdiscovery/simplehttpserver/pkg/tcpserver"
+	"github.com/projectdiscovery/simplehttpserver/pkg/unit"
 )
 
 // Runner is a client for running the enumeration process.
@@ -41,6 +42,12 @@ func New(options *Options) (*Runner, error) {
 		if err != nil {
 			return nil, err
 		}
+		watcher, err := watchFile(r.options.RulesFile, serverTCP.LoadTemplate)
+		if err != nil {
+			return nil, err
+		}
+		defer watcher.Close()
+
 		r.serverTCP = serverTCP
 		return &r, nil
 	}
@@ -59,6 +66,8 @@ func New(options *Options) (*Runner, error) {
 		Verbose:           r.options.Verbose,
 		Sandbox:           r.options.Sandbox,
 		MaxFileSize:       r.options.MaxFileSize,
+		HTTP1Only:         r.options.HTTP1Only,
+		MaxDumpBodySize:   unit.ToMb(r.options.MaxDumpBodySize),
 	})
 	if err != nil {
 		return nil, err
@@ -71,6 +80,10 @@ func New(options *Options) (*Runner, error) {
 // Run logic
 func (r *Runner) Run() error {
 	if r.options.EnableTCP {
+		if r.options.TCPWithTLS {
+			gologger.Print().Msgf("Serving TCP rule based tls server on tcp://%s", r.options.ListenAddress)
+			return r.serverTCP.ListenAndServeTLS()
+		}
 		gologger.Print().Msgf("Serving TCP rule based server on tcp://%s", r.options.ListenAddress)
 		return r.serverTCP.ListenAndServe()
 	}

internal/runner/watchdog.go

@@ -0,0 +1,36 @@
+package runner
+
+import (
+	"log"
+
+	"github.com/fsnotify/fsnotify"
+)
+
+type WatchEvent func(fname string) error
+
+func watchFile(fname string, callback WatchEvent) (watcher *fsnotify.Watcher, err error) {
+	watcher, err = fsnotify.NewWatcher()
+	if err != nil {
+		return
+	}
+	go func() {
+		for {
+			select {
+			case event, ok := <-watcher.Events:
+				if !ok {
+					continue
+				}
+				if event.Op&fsnotify.Write == fsnotify.Write {
+					if err := callback(fname); err != nil {
+						log.Println("err", err)
+					}
+				}
+			case <-watcher.Errors:
+				// ignore errors for now
+			}
+		}
+	}()
+
+	err = watcher.Add(fname)
+	return
+}

pkg/httpserver/authlayer.go

@@ -5,7 +5,7 @@ import (
 	"net/http"
 )
 
-func (t *HTTPServer) basicauthlayer(handler http.Handler) http.HandlerFunc {
+func (t *HTTPServer) basicauthlayer(handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		user, pass, ok := r.BasicAuth()
 		if !ok || user != t.options.BasicAuthUsername || pass != t.options.BasicAuthPassword {

pkg/httpserver/httpserver.go

@@ -1,6 +1,7 @@
 package httpserver
 
 import (
+	"crypto/tls"
 	"errors"
 	"net/http"
 	"os"
@@ -23,7 +24,9 @@ type Options struct {
 	BasicAuthReal     string
 	Verbose           bool
 	Sandbox           bool
+	HTTP1Only         bool
 	MaxFileSize       int // 50Mb
+	MaxDumpBodySize   int64
 }
 
 // HTTPServer instance
@@ -32,6 +35,9 @@ type HTTPServer struct {
 	layers  http.Handler
 }
 
+// LayerHandler is the interface of all layer funcs
+type Middleware func(http.Handler) http.Handler
+
 // New http server instance with options
 func New(options *Options) (*HTTPServer, error) {
 	var h HTTPServer
@@ -50,18 +56,44 @@ func New(options *Options) (*HTTPServer, error) {
 	if options.Sandbox {
 		dir = SandboxFileSystem{fs: http.Dir(options.Folder), RootFolder: options.Folder}
 	}
-	h.layers = h.loglayer(http.FileServer(dir))
+
+	httpHandler := http.FileServer(dir)
+	addHandler := func(newHandler Middleware) {
+		httpHandler = newHandler(httpHandler)
+	}
+
+	// middleware
+	if options.EnableUpload {
+		addHandler(h.uploadlayer)
+	}
+
 	if options.BasicAuthUsername != "" || options.BasicAuthPassword != "" {
-		h.layers = h.loglayer(h.basicauthlayer(http.FileServer(dir)))
+		addHandler(h.basicauthlayer)
 	}
+
+	httpHandler = h.loglayer(httpHandler)
+
+	// add handler
+	h.layers = httpHandler
 	h.options = options
 
 	return &h, nil
 }
 
+func (t *HTTPServer) makeHTTPServer(tlsConfig *tls.Config) *http.Server {
+	httpServer := &http.Server{Addr: t.options.ListenAddress}
+	if t.options.HTTP1Only {
+		httpServer.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler))
+	}
+	httpServer.TLSConfig = tlsConfig
+	httpServer.Handler = t.layers
+	return httpServer
+}
+
 // ListenAndServe requests over http
 func (t *HTTPServer) ListenAndServe() error {
-	return http.ListenAndServe(t.options.ListenAddress, t.layers)
+	httpServer := t.makeHTTPServer(nil)
+	return httpServer.ListenAndServe()
 }
 
 // ListenAndServeTLS requests over https
@@ -73,11 +105,7 @@ func (t *HTTPServer) ListenAndServeTLS() error {
 		if err != nil {
 			return err
 		}
-		httpServer := &http.Server{
-			Addr:      t.options.ListenAddress,
-			TLSConfig: tlsConfig,
-		}
-		httpServer.Handler = t.layers
+		httpServer := t.makeHTTPServer(tlsConfig)
 		return httpServer.ListenAndServeTLS("", "")
 	}
 	return http.ListenAndServeTLS(t.options.ListenAddress, t.options.Certificate, t.options.CertificateKey, t.layers)