org.apache.commons.httpclient.URI Java Examples

Example #1
Source File: ExchangeFormAuthenticator.java    From davmail with GNU General Public License v2.0 6 votes vote down vote up
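/**
 * Resolves a form action or redirect target against the URI of {@code method}.
 *
 * <p>{@code path} may be {@code null} (the method URI is returned with its query string
 * dropped), an absolute URL (returned unchanged), an absolute path (replaces the method
 * path, keeping scheme/host/port) or a relative path (appended to the directory part of
 * the current method path).
 *
 * <p>Scheme detection is case-insensitive. URI schemes are case-insensitive (RFC 3986),
 * so a server-supplied {@code HTTP://...} action must not fall through to the relative
 * branch and be glued onto the current path, which is what a case-sensitive
 * {@code startsWith("http://")} did.
 *
 * <p>NOTE(review): an absolute URL is returned verbatim, host included. The value comes
 * from the HTML form served by the remote Exchange front end, so a caller that follows it
 * with credentials should confirm the host is the expected one before doing so — check
 * the call sites.
 *
 * @param method the method whose URI is the base for resolution
 * @param path the form action or redirect target, possibly {@code null}
 * @return the resolved absolute URI as a string
 * @throws URIException if the method URI cannot be read, or {@code path} is relative and
 *     the current method path contains no {@code '/'} to resolve against
 */
protected String getAbsoluteUri(HttpMethod method, String path) throws URIException {
    if (path != null && startsWithHttpScheme(path)) {
        // Already absolute: nothing to resolve (see the NOTE above about the host).
        return path;
    }
    URI uri = method.getURI();
    if (path != null) {
        // Both remaining branches replace the resource, so the old query string is stale.
        uri.setQuery(null);
        if (path.startsWith("/")) {
            // Absolute path: replace the method path.
            uri.setPath(path);
        } else {
            // Relative path: resolve against the directory of the current path.
            String currentPath = method.getPath();
            int end = currentPath.lastIndexOf('/');
            if (end < 0) {
                throw new URIException(uri.getURI());
            }
            uri.setPath(currentPath.substring(0, end + 1) + path);
        }
    }
    return uri.getURI();
}

/** Case-insensitive test for an {@code http://} or {@code https://} prefix. */
private static boolean startsWithHttpScheme(String path) {
    return path.regionMatches(true, 0, "http://", 0, 7)
            || path.regionMatches(true, 0, "https://", 0, 8);
}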
 
Example #2
Source File: CsrfCountermeasuresScanRuleUnitTest.java    From zap-extensions with Apache License 2.0 6 votes vote down vote up
/**
 * Shared fixture: a request for {@code http://example.com} to hang response bodies off,
 * and a rule wired to a mocked anti-CSRF extension that knows the token names
 * {@code token} and {@code csrfToken}, with an empty ignore configuration.
 *
 * @throws URIException if the fixture URI cannot be parsed (constant input, not expected)
 */
@BeforeEach
public void before() throws URIException {
    // false: the URI string is handed to commons-httpclient as not-yet-escaped.
    HttpRequestHeader header = new HttpRequestHeader();
    header.setURI(new URI("http://example.com", false));
    msg = new HttpMessage();
    msg.setRequestHeader(header);

    antiCsrfTokenNames = new ArrayList<>();
    antiCsrfTokenNames.add("token");
    antiCsrfTokenNames.add("csrfToken");

    // lenient(): not every test asks for the token names, and strict stubbing would
    // otherwise flag the unused stub.
    extensionAntiCSRFMock = mock(ExtensionAntiCSRF.class);
    Mockito.lenient()
            .when(extensionAntiCSRFMock.getAntiCsrfTokenNames())
            .thenReturn(antiCsrfTokenNames);

    rule.setExtensionAntiCSRF(extensionAntiCSRFMock);
    // Empty ignore list and ignore attribute name/value: no form is excluded by default.
    rule.setCsrfIgnoreList("");
    rule.setCSRFIgnoreAttName("");
    rule.setCSRFIgnoreAttValue("");
}
 
Example #3
Source File: UriUtils.java    From zap-extensions with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the host representation used throughout ZAP: scheme, host and — only when it is
 * not the default for that scheme — the port. Use it wherever a node's host name is shown
 * so all views agree.
 *
 * <p>Example outputs:
 *
 * <ul>
 *   <li><i>http://example.org</i>
 *   <li><i>http://example.org:8080</i>
 *   <li><i>https://example.org</i>
 * </ul>
 *
 * <p>NOTE(review): {@code uri.getScheme()} is dereferenced unconditionally, so a URI with
 * no scheme would raise a {@link NullPointerException} here; presumably only absolute
 * request URIs reach this — confirm.
 *
 * @param uri the URI whose scheme, host and port are rendered
 * @return {@code scheme://host} or {@code scheme://host:port}
 * @throws URIException if the host component cannot be extracted
 */
public static String getHostName(URI uri) throws URIException {
    String scheme = uri.getScheme().toLowerCase();
    int port = uri.getPort();
    // 80 on http and 443 on https are implied and omitted. Any other explicit port is
    // shown — including 443 on http or 80 on https, which are worth seeing.
    boolean defaultPort =
            (port == 80 && "http".equals(scheme)) || (port == 443 && "https".equals(scheme));

    StringBuilder name = new StringBuilder(scheme).append("://").append(uri.getHost());
    if (port != -1 && !defaultPort) {
        name.append(':').append(port);
    }
    return name.toString();
}
 
Example #4
Source File: ScanTarget.java    From zap-extensions with Apache License 2.0 6 votes vote down vote up
/**
 * Creates a scan target from a URI, keeping only what identifies the server: scheme, host
 * and port. The stored URI copy has its path, query and fragment cleared.
 *
 * @param uri the URI to derive the target from
 * @throws IllegalArgumentException if the host cannot be extracted from {@code uri}
 */
public ScanTarget(URI uri) {
    this.uri = copyURI(uri);
    this.scheme = uri.getScheme();
    this.host = hostOf(uri);
    this.port = getPort(scheme, uri.getPort());
    clearPathQueryFragment(this.uri);
    this.stringRepresentation = createHostPortString(host, port);
    buildHtmlStringRepresentation();
}

/** Reads the host, turning the checked URIException into an argument error. */
private static String hostOf(URI uri) {
    try {
        return uri.getHost();
    } catch (URIException e) {
        throw new IllegalArgumentException("Failed to get host from URI: " + e.getMessage(), e);
    }
}

/** Drops everything after the authority; setting these components to null cannot fail. */
private static void clearPathQueryFragment(URI target) {
    try {
        target.setPath(null);
        target.setQuery(null);
        target.setFragment(null);
    } catch (URIException ignore) {
        // It's safe to set the URI query, path and fragment components to null.
    }
}
 
Example #5
Source File: ImportWSDLTestCase.java    From zap-extensions with Apache License 2.0 6 votes vote down vote up
/**
 * Per-test fixture: a fresh {@code ImportWSDL} singleton, an empty SOAP message
 * configuration and a request for {@code TEST_URI} carrying the 4-byte body {@code test}.
 *
 * @throws URIException if {@code TEST_URI} cannot be parsed
 * @throws NullPointerException declared by the original fixture; not expected
 */
@BeforeEach
public void setUp() throws URIException, NullPointerException {
    // Tear down and re-create the singleton so no state leaks in from a previous test.
    ImportWSDL.destroy();
    singleton = ImportWSDL.getInstance();

    // Empty configuration: blank WSDL definitions, SOAP version 1, no parameters.
    soapConfig = new SOAPMsgConfig();
    soapConfig.setWsdl(new Definitions());
    soapConfig.setSoapVersion(1);
    soapConfig.setParams(new HashMap<String, String>());
    soapConfig.setPort(new Port());
    soapConfig.setBindOp(new BindingOperation());

    // Test request; true marks TEST_URI as already escaped.
    HttpRequestHeader header = new HttpRequestHeader();
    header.setURI(new URI(TEST_URI, true));
    HttpRequestBody body = new HttpRequestBody();
    body.append("test");
    body.setLength(4);
    testRequest = new HttpMessage();
    testRequest.setRequestHeader(header);
    testRequest.setRequestBody(body);
}
 
Example #6
Source File: SolrSearchProviderImpl.java    From swellrt with Apache License 2.0 6 votes vote down vote up
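/**
 * Executes a Solr search request and hands the response body to {@code function}.
 *
 * <p>Changes from the previous version: the status code is checked <em>before</em> the
 * body is parsed (an error page is not a JSON document array, and a parse failure masked
 * the real cause), the body is decoded as UTF-8 instead of the platform default charset,
 * and the reader is closed.
 *
 * <p>NOTE(review): {@code solrQuery} is the complete request URL and is used as given;
 * nothing here restricts the host, so callers must build it from a trusted Solr base
 * address and escape user-supplied query terms. The URL is also logged on failure, so it
 * ends up in logs with whatever the search terms were.
 *
 * @param solrQuery the complete Solr request URL (handler, query and parameters)
 * @param function parses the response body into the document array
 * @return the parsed documents
 * @throws IOException if the request fails or Solr answers with a non-200 status
 */
private JsonArray sendSearchRequest(String solrQuery,
    Function<InputStreamReader, JsonArray> function) throws IOException {
  GetMethod getMethod = new GetMethod();
  HttpClient httpClient = new HttpClient();
  try {
    // false: the URL is not escaped yet; the URI class escapes it.
    getMethod.setURI(new URI(solrQuery, false));
    int statusCode = httpClient.executeMethod(getMethod);
    if (statusCode != HttpStatus.SC_OK) {
      LOG.warning("Failed to execute query: " + solrQuery);
      throw new IOException("Search request status is not OK: " + statusCode);
    }
    // Solr's JSON response writer emits UTF-8; decoding with the platform default would
    // corrupt non-ASCII content on non-UTF-8 hosts (confirm against the response writer
    // actually configured).
    InputStreamReader reader = new InputStreamReader(getMethod.getResponseBodyAsStream(),
        java.nio.charset.StandardCharsets.UTF_8);
    try {
      return function.apply(reader);
    } finally {
      reader.close();
    }
  } finally {
    getMethod.releaseConnection();
  }
}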
 
Example #7
Source File: CrossDomainScanner.java    From zap-extensions with Apache License 2.0 6 votes vote down vote up
/**
 * Scans the node for cross-domain misconfigurations by checking the Adobe (Flash) and
 * Silverlight cross-domain policy files derived from the base message URI. Does nothing
 * when the XML document builder is unavailable.
 */
@Override
public void scan() {
    if (docBuilder == null) {
        return;
    }
    try {
        // Both policy-file checks are built from the scheme/host/port of the base URI.
        URI originalURI = getBaseMsg().getRequestHeader().getURI();
        scanAdobeCrossdomainPolicyFile(originalURI);
        scanSilverlightCrossdomainPolicyFile(originalURI);
    } catch (Exception e) {
        // Catch-all, presumably so one failing node does not abort the whole scan. (The
        // earlier comment mentioned a "finally" statement; there is none in this method.)
        log.error(
                "Error scanning a node for Cross Domain misconfigurations: " + e.getMessage(),
                e);
    }
}
 
Example #8
Source File: UserControlledHTMLAttributesScanRuleUnitTest.java    From zap-extensions with Apache License 2.0 6 votes vote down vote up
@Test
public void shouldRaiseMultipleAlertsIfRequestParamValuesUsedInAttributes() throws Exception {
    // Given: both query parameter values are echoed into attributes — "place" in the
    // meta refresh url, "name" in the img alt.
    String requestUrl = "http://example.com/i.php?place=http://example.com/&name=fred";
    String html =
            "<html><meta http-equiv=\"refresh\" content=\"0; url=http://example.com/\"><img src=\"x.jpg\" alt=fred></img></html>";
    HttpMessage message = createMessage();
    message.getRequestHeader().setURI(new URI(requestUrl, false));
    message.setResponseBody(html);
    // When
    scanHttpResponseReceive(message);
    // Then: one alert per reflected parameter, in parameter order.
    assertThat(alertsRaised.size(), equalTo(2));
    assertThat(alertsRaised.get(0).getParam(), equalTo("place"));
    assertThat(alertsRaised.get(1).getParam(), equalTo("name"));
}
 
Example #9
Source File: InformationDisclosureInUrlScanRuleUnitTest.java    From zap-extensions with Apache License 2.0 6 votes vote down vote up
@Test
public void emailAddressInURLParamValue() throws HttpMalformedHeaderException, URIException {
    // Given: an e-mail address as the value of the "docid" query parameter, surrounded by
    // unrelated parameters. NOTE(review): the literal below reads "[email protected]" —
    // that looks like an e-mail-obfuscation artifact of the page this listing was taken
    // from rather than the real test value; confirm against the upstream source.
    String paramName = "docid";
    String emailValue = "[email protected]";
    HttpMessage message =
            createHttpMessageWithRespBody(
                    URI + "?mailto=me&" + paramName + "=" + emailValue + "&hl=en");

    // When
    scanHttpRequestSend(message);

    // Then: a single alert naming the parameter, with the address as evidence and the
    // e-mail "other info" text.
    assertEquals(1, alertsRaised.size());
    assertEquals(paramName, alertsRaised.get(0).getParam());
    assertEquals(emailValue, alertsRaised.get(0).getEvidence());
    assertEquals(
            Constant.messages.getString(
                    InformationDisclosureInUrlScanRule.MESSAGE_PREFIX + "otherinfo.email"),
            alertsRaised.get(0).getOtherInfo());
}
 
Example #10
Source File: InfoSessionIdUrlScanRuleUnitTest.java    From zap-extensions with Apache License 2.0 6 votes vote down vote up
@Test
public void detectExposureTo3rdPartyInSRC() throws HttpMalformedHeaderException, URIException {
    // Given: a session id in the request URL, and a response embedding an image from a
    // different origin (www.example.org) — fetching it would send the URL in the Referer.
    String sessionUrl = "https://example.com/foo?jsessionid=1A530637289A03B07199A44E8D531427";
    String html =
            "<html>\n<body>\n<h2>HTML Links</h2>\n"
                    + "<p><a href=\"default.jsp\">\n"
                    + " <img src=\"https://www.example.org/images/smiley.gif\" alt=\"HTML tutorial\" "
                    + "style=\"width:42px;height:42px;border:0;\">\n</a>"
                    + "</p>\n"
                    + "</body>\n</html>";
    HttpMessage message = createHttpMessageWithRespBody(html);
    message.getRequestHeader().setURI(new URI(sessionUrl, false));

    // When
    scanHttpResponseReceive(message);

    // Then: two alerts — the session id in the URL, and its exposure to the third party.
    assertEquals(2, alertsRaised.size());
}
 
Example #11
Source File: UserControlledCookieScanRuleUnitTest.java    From zap-extensions with Apache License 2.0 6 votes vote down vote up
@Test
public void shouldRaiseAlertIfCookieBasedOnGetParamDuringPost() throws Exception {
    // Given: a POST whose query parameter "place" is reflected into a Set-Cookie value;
    // the form parameter "name" is not reflected.
    HttpMessage message = createMessage();
    HttpRequestHeader request = message.getRequestHeader();
    request.setURI(new URI("http://example.com/i.php?place=evil", false));
    request.setMethod(HttpRequestHeader.POST);
    TreeSet<HtmlParameter> form = new TreeSet<HtmlParameter>();
    form.add(new HtmlParameter(HtmlParameter.Type.form, "name", "jane"));
    message.setFormParams(form);
    message.getResponseHeader().setStatusCode(HttpStatusCode.FOUND);
    message.getResponseHeader()
            .setHeader(HttpHeader.SET_COOKIE, "Set-Cookie: aCookie=evil; Secure");
    // When
    scanHttpResponseReceive(message);
    // Then: one alert, attributed to the query parameter.
    assertThat(alertsRaised.size(), equalTo(1));
    assertThat(alertsRaised.get(0).getParam(), equalTo("place"));
}
 
Example #12
Source File: InfoSessionIdUrlScanRuleUnitTest.java    From zap-extensions with Apache License 2.0 6 votes vote down vote up
@Test
public void ignoreExposureToSelf() throws HttpMalformedHeaderException, URIException {
    // Given: a session id in the request URL, and a response whose only link points back
    // at the same origin (https://example.com).
    String sessionUrl = "https://example.com/foo?jsessionid=1A530637289A03B07199A44E8D531427";
    String html =
            "<html>\n<body>\n<h2>HTML Links</h2>\n"
                    + "<p><a href=\"https://example.com/html/\">Testing ZAP</a>"
                    + "</p>\n"
                    + "</body>\n</html>";
    HttpMessage message = createHttpMessageWithRespBody(html);
    message.getRequestHeader().setURI(new URI(sessionUrl, false));

    // When
    scanHttpResponseReceive(message);

    // Then: the session id in the URL is still reported (alert #1), but a same-origin
    // href is not an exposure to a third party, so no second alert.
    assertEquals(1, alertsRaised.size());
}
 
Example #13
Source File: InfoSessionIdUrlScanRuleUnitTest.java    From zap-extensions with Apache License 2.0 6 votes vote down vote up
@Test
public void containsSessionIdAsUrlParameterInHTTPSOnCustomPort()
        throws HttpMalformedHeaderException, URIException {
    // Given: https on a non-default port (4443) with a mixed-case session id in the query.
    HttpMessage message = createHttpMessageWithRespBody(BODY);
    message.getRequestHeader()
            .setURI(
                    new URI(
                            "https://example.com:4443/foo?jsessionid=1a530637289b03x07199de8D531427",
                            false));

    // When
    scanHttpResponseReceive(message);

    // Then: exactly one alert.
    assertEquals(1, alertsRaised.size());
}
 
Example #14
Source File: ExtensionOpenApi.java    From zap-extensions with Apache License 2.0 6 votes vote down vote up
/**
 * Imports the API definition from a URI.
 *
 * <p>The definition is fetched through a {@code Requestor} (the request is persisted to
 * history) and handed to the string-based overload together with the definition's own
 * base URL, {@code scheme://authority/path}, which that overload uses to resolve relative
 * server URLs.
 *
 * <p>NOTE(review): on any {@link IOException} this returns {@code null} whether or not the
 * import runs through the GUI (the GUI additionally gets a warning dialog), so a
 * non-GUI caller cannot distinguish "fetch failed" from the documented GUI-only
 * {@code null} — confirm how callers treat the result.
 *
 * @param uri the URI locating the API definition.
 * @param targetUrl the URL to override the URL defined in the API, might be {@code null}.
 * @param initViaUi {@code true} if the import is being done through the GUI, {@code false}
 *     otherwise.
 * @return the list of errors, if any. Returns {@code null} if the import is being done through
 *     the GUI, or if the definition could not be fetched.
 * @throws InvalidUrlException if the target URL is not valid.
 */
public List<String> importOpenApiDefinition(
        final URI uri, final String targetUrl, boolean initViaUi) {
    Requestor requestor = new Requestor(HttpSender.MANUAL_REQUEST_INITIATOR);
    requestor.addListener(new HistoryPersister());
    try {
        // Same evaluation order as before: path, then the fetch, then the authority.
        String path = uri.getPath();
        String definition = requestor.getResponseBody(uri);
        String definitionUrl =
                uri.getScheme() + "://" + uri.getAuthority() + (path == null ? "" : path);
        return importOpenApiDefinition(definition, targetUrl, definitionUrl, initViaUi);
    } catch (IOException e) {
        if (initViaUi) {
            View.getSingleton()
                    .showWarningDialog(Constant.messages.getString("openapi.io.error"));
        }
        LOG.warn(e.getMessage(), e);
        return null;
    }
}
 
Example #15
Source File: UserControlledOpenRedirectScanRuleUnitTest.java    From zap-extensions with Apache License 2.0 6 votes vote down vote up
@Test
public void shouldRaiseAlertIfResponseIsTempRedirectHasLocationHeaderBasedOnGetParamDuringPost()
        throws Exception {
    // Given: a POST whose query parameter "place" (evil.com) ends up in the Location
    // header of a 302; the form parameter "name" does not.
    HttpMessage message = createMessage();
    HttpRequestHeader request = message.getRequestHeader();
    request.setURI(new URI("http://example.com/i.php?place=evil.com", false));
    request.setMethod(HttpRequestHeader.POST);
    TreeSet<HtmlParameter> form = new TreeSet<HtmlParameter>();
    form.add(new HtmlParameter(HtmlParameter.Type.form, "name", "jane"));
    message.setFormParams(form);
    message.getResponseHeader().setStatusCode(HttpStatusCode.FOUND);
    message.getResponseHeader().setHeader(HttpHeader.LOCATION, "http://evil.com");
    // When
    scanHttpResponseReceive(message);
    // Then: one open-redirect alert, attributed to the query parameter.
    assertThat(alertsRaised.size(), equalTo(1));
    assertThat(alertsRaised.get(0).getParam(), equalTo("place"));
}
 
Example #16
Source File: HttpPrefixUriValidator.java    From zap-extensions with Apache License 2.0 6 votes vote down vote up
/**
 * Tells whether the given URI lies under this validator's prefix: same normalised scheme
 * and port, same host, and a raw path that starts with the configured path.
 *
 * <p>NOTE(review): the path test is a plain prefix comparison on the raw (unnormalised)
 * path, so a prefix of {@code /app} also accepts {@code /application}, and whether dot
 * segments such as {@code /app/../other} are rejected depends on {@code startsWith} and
 * on what produced the URI — confirm if this guards anything security-relevant.
 *
 * @param uri the uri to be validated
 * @return {@code true} if valid, that is, the {@code uri} starts with the {@code prefix},
 *     {@code false} otherwise
 */
public boolean isValid(URI uri) {
    if (uri == null) {
        return false;
    }
    // Checks run in the original order (port, scheme, host, path); && short-circuits
    // exactly where the early returns did.
    String otherScheme = normalisedScheme(uri.getRawScheme());
    return port == normalisedPort(otherScheme, uri.getPort())
            && scheme.equals(otherScheme)
            && hasSameHost(uri)
            && startsWith(uri.getRawPath(), path);
}
 
Example #17
Source File: HttpMethodBaseExecuteMethodInterceptor.java    From pinpoint with Apache License 2.0 6 votes vote down vote up
/**
 * Determines the remote endpoint ({@code host:port}) of an HttpClient 3 call: from the
 * method URI when it is absolute, otherwise from the connection.
 *
 * @param httpMethod the method being executed
 * @param httpConnection the connection in use, may be {@code null}
 * @return the endpoint, or {@code null} if it cannot be determined
 */
private String getHost(HttpMethod httpMethod, HttpConnection httpConnection) {
    try {
        final URI uri = httpMethod.getURI();
        if (uri.isAbsoluteURI()) {
            // The URI carries scheme and authority: host and port come from it.
            return HttpClient3RequestWrapper.getEndpoint(uri.getHost(), uri.getPort());
        }
        if (httpConnection == null) {
            return null;
        }
        // Relative URI: the connection is the only place the host is known.
        return HttpClient3RequestWrapper.getEndpoint(
                httpConnection.getHost(), HttpClient3RequestWrapper.getPort(httpConnection));
    } catch (Exception e) {
        // Tracing must never break the traced call; just log at debug level.
        if (isDebug) {
            logger.debug("Failed to get host. httpMethod={}", httpMethod, e);
        }
        return null;
    }
}
 
Example #18
Source File: ExtensionZest.java    From zap-extensions with Apache License 2.0 6 votes vote down vote up
/**
 * Starts recording a client-side Zest script for {@code url} through the Plug-n-Hack
 * extension, if it is installed. Its {@code launchAndRecordClient(URI)} is invoked
 * reflectively so this extension has no compile-time dependency on Plug-n-Hack.
 *
 * <p>NOTE(review): {@code startClientRecording(url)} runs before the reflective lookup, so
 * with an older Plug-n-Hack that lacks the method, recording is switched on although no
 * client is launched, and the only trace is a stack trace on stderr — confirm whether
 * that is intended.
 *
 * @param url the URL the client recording starts at; parsed as an already-escaped URI
 */
public void recordClientScript(String url) {
    Extension extPnh =
            Control.getSingleton().getExtensionLoader().getExtension("ExtensionPlugNHack");
    if (extPnh == null) {
        return;
    }
    try {
        // true: url is taken as already escaped.
        URI uri = new URI(url, true);
        startClientRecording(url);
        Method launch = extPnh.getClass().getMethod("launchAndRecordClient", URI.class);
        launch.invoke(extPnh, uri);
    } catch (Exception e) {
        // Its an older version, so just dont try to use it
        e.printStackTrace();
    }
}
 
Example #19
Source File: CsrfCountermeasuresScanRuleUnitTest.java    From zap-extensions with Apache License 2.0 5 votes vote down vote up
/**
 * Builds a message whose scope membership is fixed to {@code isInScope}, with a response
 * holding one form marked {@code data-no-csrf}.
 *
 * <p>NOTE(review): the URI is built with {@code "http://"} as the <em>scheme</em> argument
 * of the (scheme, authority, path, query) constructor, unlike the
 * {@code new URI("http", "example.com", "/", "")} form used elsewhere in these tests;
 * what URI that actually yields is worth confirming.
 *
 * @param isInScope the value {@link HttpMessage#isInScope()} reports for the message
 * @return the message
 * @throws URIException if the fixture URI cannot be built
 */
private HttpMessage createScopedMessage(boolean isInScope) throws URIException {
    HttpMessage scoped =
            new HttpMessage() {
                @Override
                public boolean isInScope() {
                    return isInScope;
                }
            };
    String html =
            "<html><head></head><body>"
                    + "<form name=\"someName\" data-no-csrf><input type=\"text\" name=\"name\"/><input type=\"submit\"/></form>"
                    + "</body></html>";
    scoped.getRequestHeader().setURI(new URI("http://", "localhost", "/", ""));
    scoped.setResponseBody(html);
    return scoped;
}
 
Example #20
Source File: WebSocketTestUtils.java    From zap-extensions with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the base URL of the test WebSocket server: {@code https} when it is secure,
 * {@code http} otherwise, with its hostname and listening port and no user info.
 *
 * @return the server URL
 * @throws URIException if the URI cannot be assembled
 */
public URI getServerUrl() throws URIException {
    String scheme;
    if (webSocketTestServer.isSecure()) {
        scheme = "https";
    } else {
        scheme = "http";
    }
    // (scheme, userinfo, host, port) constructor.
    return new URI(
            scheme,
            null,
            webSocketTestServer.getHostname(),
            webSocketTestServer.getListeningPort());
}
 
Example #21
Source File: ServerConnectionEstablisher.java    From zap-extensions with Apache License 2.0 5 votes vote down vote up
/**
 * Redirect validation hook: a redirect that is not allowed under the current ZAP mode
 * marks the whole request invalid and records the offending target.
 *
 * @param redirection the redirect target
 * @return {@code true} if the redirect may be followed
 */
@Override
public boolean isValid(URI redirection) {
    boolean allowed = isValidForCurrentMode(redirection);
    if (!allowed) {
        // Remember why the request was refused, for the caller to report.
        isRequestValid = false;
        invalidRedirection = redirection;
    }
    return allowed;
}
 
Example #22
Source File: UserControlledHTMLAttributesScanRuleUnitTest.java    From zap-extensions with Apache License 2.0 5 votes vote down vote up
@Test
public void shouldNotRaiseAlertIfResponseContainsNoAttributes() throws Exception {
    // Given: request parameters present, but the response contains no attributes they
    // could be reflected into.
    HttpMessage message = createMessage();
    message.getRequestHeader()
            .setURI(new URI("http://example.com/i.php?place=here&name=fred", false));
    message.setResponseBody("<html><H1>Title</H1></html>");
    // When
    scanHttpResponseReceive(message);
    // Then: nothing to report.
    assertThat(alertsRaised.size(), equalTo(0));
}
 
Example #23
Source File: ServerConnectionEstablisher.java    From zap-extensions with Apache License 2.0 5 votes vote down vote up
/**
 * Decides whether a redirect target may be followed under the current ZAP mode: never in
 * safe mode, only for in-scope URLs in protect mode, always in any other mode.
 *
 * @param uri the redirect target
 * @return {@code true} if the redirect is permitted in the current mode
 */
private boolean isValidForCurrentMode(URI uri) {
    switch (Control.getSingleton().getMode()) {
        case safe:
            // Safe mode: no automatic follow-up requests at all, so every redirect is refused.
            return false;
        case protect:
            // Protect mode: only targets inside the session scope may be contacted.
            return Model.getSingleton().getSession().isInScope(uri.toString());
        default:
            // Remaining modes place no restriction on redirect targets.
            return true;
    }
}
 
Example #24
Source File: MonitoredPagesManager.java    From zap-extensions with Apache License 2.0 5 votes vote down vote up
/**
 * Registers a new monitored page for {@code uri} and notifies all listeners.
 *
 * @param uri the page URI; a request message for it is created
 * @return the new page, already stored under its unique id
 * @throws HttpMalformedHeaderException if a request for {@code uri} cannot be built
 */
public MonitoredPage startMonitoring(URI uri) throws HttpMalformedHeaderException {
    // Build the request first: its constructor is the only part that can fail.
    HttpMessage request = new HttpMessage(uri);
    MonitoredPage page = new MonitoredPage(getUniqueId(), request, new Date());
    monitoredPages.put(page.getId(), page);
    for (MonitoredPageListener listener : listeners) {
        listener.startMonitoringPageEvent(page);
    }
    return page;
}
 
Example #25
Source File: ApacheHttpClient3xAspect.java    From glowroot with Apache License 2.0 5 votes vote down vote up
/**
 * Advice run before {@code HttpClient.executeMethod(HostConfiguration, HttpMethod)}:
 * opens a service-call trace entry for the outgoing request.
 *
 * <p>The entry name is {@code "<METHOD> <uri-without-query>"}; the message keeps the full
 * URI. NOTE(review): query strings frequently carry tokens or session ids, so whether the
 * full URI belongs in the trace message depends on Glowroot's redaction configuration —
 * confirm.
 *
 * @param context the current thread context
 * @param hostConfiguration unused, bound only to match the pointcut signature
 * @param methodObj the method being executed; {@code null} produces no trace entry
 * @return the started trace entry, or {@code null} when there is nothing to trace
 */
@OnBefore
public static @Nullable TraceEntry onBefore(ThreadContext context,
        @SuppressWarnings("unused") @BindParameter @Nullable HostConfiguration hostConfiguration,
        @BindParameter @Nullable HttpMethod methodObj) {
    if (methodObj == null) {
        return null;
    }
    // "GET " (with trailing space) or "", so the entry name reads "<METHOD> <uri>".
    String name = methodObj.getName();
    String method = name == null ? "" : name + " ";

    // Any failure to obtain the URI degrades to an empty string rather than failing the call.
    String uri = "";
    try {
        URI uriObj = methodObj.getURI();
        String text = uriObj == null ? null : uriObj.getURI();
        if (text != null) {
            uri = text;
        }
    } catch (URIException e) {
        // unparseable URI: trace without it
    }
    return context.startServiceCallEntry("HTTP", method + Uris.stripQueryString(uri),
            MessageSupplier.create("http client request: {}{}", method, uri),
            timerName);
}
 
Example #26
Source File: ExtensionWappalyzer.java    From zap-extensions with Apache License 2.0 5 votes vote down vote up
/**
 * Reduces a URI to its site, {@code scheme://authority}. If the authority cannot be read
 * the failure is logged at debug level and {@link ScanPanel#cleanSiteName} is used
 * instead.
 *
 * <p>NOTE(review): {@code uri.getScheme()} is concatenated without a null check, so a
 * scheme-less URI would yield {@code "null://..."}; presumably only absolute request URIs
 * reach this — confirm.
 *
 * @param uri the URI to normalise
 * @return the site string
 */
static String normalizeSite(URI uri) {
    String prefix = uri.getScheme() + "://";
    String authority;
    try {
        authority = uri.getAuthority();
    } catch (URIException e) {
        if (logger.isDebugEnabled()) {
            logger.debug("Unable to get authority from: " + uri.toString(), e);
        }
        // Shouldn't happen, but sure fallback
        return ScanPanel.cleanSiteName(uri.toString(), true);
    }
    return prefix + authority;
}
 
Example #27
Source File: HiddenFilesScanRule.java    From zap-extensions with Apache License 2.0 5 votes vote down vote up
/**
 * Sends one hidden-file probe: same scheme, host and port as the base message, path built
 * by {@link #generatePath} from the base path and the candidate's path.
 *
 * @param file the hidden-file candidate
 * @return the exchanged message, or {@code null} if the URI could not be built or the
 *     request failed (both cases are logged)
 */
private HttpMessage sendHiddenFileRequest(HiddenFile file) {
    HttpMessage testMsg = getNewMsg();
    try {
        URI base = getBaseMsg().getRequestHeader().getURI();
        // (scheme, userinfo, host, port, path) constructor; userinfo deliberately dropped.
        URI probe =
                new URI(
                        base.getScheme(),
                        null,
                        base.getHost(),
                        base.getPort(),
                        generatePath(base.getPath(), file.getPath()));
        testMsg.getRequestHeader().setURI(probe);
        sendAndReceive(testMsg);
        return testMsg;
    } catch (URIException uEx) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(
                    "An error occurred creating or setting a URI for the: "
                            + getName()
                            + " scanner. "
                            + uEx.getMessage(),
                    uEx);
        }
        return null;
    } catch (IOException e) {
        LOG.warn(
                "An error occurred while checking ["
                        + testMsg.getRequestHeader().getMethod()
                        + "] ["
                        + testMsg.getRequestHeader().getURI()
                        + "] for "
                        + getName()
                        + " Caught "
                        + e.getClass().getName()
                        + " "
                        + e.getMessage());
        return null;
    }
}
 
Example #28
Source File: CacheableScanRuleUnitTest.java    From zap-extensions with Apache License 2.0 5 votes vote down vote up
/**
 * Builds a bare GET request for {@code https://example.com/fred/} with no response.
 *
 * @return the message
 * @throws URIException if the fixture URI cannot be parsed
 */
private HttpMessage createMessage() throws URIException {
    HttpMessage message = new HttpMessage();
    HttpRequestHeader header = new HttpRequestHeader();
    header.setMethod("GET");
    // false: the URI string is passed as not-yet-escaped.
    header.setURI(new URI("https://example.com/fred/", false));
    message.setRequestHeader(header);
    return message;
}
 
Example #29
Source File: BaseEventStreamTest.java    From zap-extensions with Apache License 2.0 5 votes vote down vote up
/**
 * Returns a fully mocked message: its request header answers {@code http://example.com/}
 * for {@code getURI()} and it carries a mocked history reference.
 *
 * @return the mocked message
 * @throws URIException if the fixture URI cannot be built
 */
protected HttpMessage getMockHttpMessage() throws URIException {
    HistoryReference historyRef = mock(HistoryReference.class);

    // (scheme, authority, path, query) constructor.
    HttpRequestHeader header = mock(HttpRequestHeader.class);
    when(header.getURI()).thenReturn(new URI("http", "example.com", "/", ""));

    HttpMessage message = mock(HttpMessage.class);
    when(message.getHistoryRef()).thenReturn(historyRef);
    when(message.getRequestHeader()).thenReturn(header);
    return message;
}
 
Example #30
Source File: UserControlledHTMLAttributesScanRuleUnitTest.java    From zap-extensions with Apache License 2.0 5 votes vote down vote up
@Test
public void shouldRaiseAlertIfRequestParamsValuesUsedInAttributes() throws Exception {
    // Given: the "name" value (fred) appears in the img alt attribute; "here" does too but
    // only one alert is expected here.
    HttpMessage message = createMessage();
    message.getRequestHeader()
            .setURI(new URI("http://example.com/i.php?place=here&name=fred", false));
    message.setResponseBody("<html><img src=\"x.jpg\" alt=\"fred, here\")></img></html>");
    // When
    scanHttpResponseReceive(message);
    // Then: a single alert, attributed to "name".
    assertThat(alertsRaised.size(), equalTo(1));
    assertThat(alertsRaised.get(0).getParam(), equalTo("name"));
}