2020-12-21 16:46:25 +05:30
|
|
|
package raw
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"bufio"
|
2021-11-02 14:12:59 +05:30
|
|
|
"bytes"
|
2024-03-14 03:08:53 +05:30
|
|
|
"encoding/base64"
|
2021-11-08 19:33:54 +01:00
|
|
|
"errors"
|
2020-12-21 16:46:25 +05:30
|
|
|
"fmt"
|
2021-02-08 16:07:16 +05:30
|
|
|
"io"
|
2020-12-21 16:46:25 +05:30
|
|
|
"strings"
|
2025-09-15 23:48:02 +05:30
|
|
|
"sync"
|
2021-02-20 00:35:39 +01:00
|
|
|
|
2024-03-14 03:08:53 +05:30
|
|
|
"github.com/projectdiscovery/gologger"
|
|
|
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/authprovider/authx"
|
2021-02-20 00:35:39 +01:00
|
|
|
"github.com/projectdiscovery/rawhttp/client"
|
2025-08-20 05:28:23 +05:30
|
|
|
"github.com/projectdiscovery/utils/errkit"
|
2022-11-06 21:24:23 +01:00
|
|
|
stringsutil "github.com/projectdiscovery/utils/strings"
|
2023-01-05 16:41:59 +05:30
|
|
|
urlutil "github.com/projectdiscovery/utils/url"
|
2020-12-21 16:46:25 +05:30
|
|
|
)
|
|
|
|
|
|
2025-09-15 23:48:02 +05:30
|
|
|
var bufferPool = sync.Pool{New: func() any { return new(bytes.Buffer) }}
|
|
|
|
|
|
2020-12-26 14:55:15 +05:30
|
|
|
// Request defines a basic HTTP raw request
|
2020-12-21 16:46:25 +05:30
|
|
|
type Request struct {
|
2021-02-20 02:02:57 +01:00
|
|
|
FullURL string
|
|
|
|
|
Method string
|
|
|
|
|
Path string
|
|
|
|
|
Data string
|
|
|
|
|
Headers map[string]string
|
|
|
|
|
UnsafeHeaders client.Headers
|
|
|
|
|
UnsafeRawBytes []byte
|
2020-12-21 16:46:25 +05:30
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parse parses the raw request as supplied by the user
|
2023-06-19 20:22:17 +05:30
|
|
|
func Parse(request string, inputURL *urlutil.URL, unsafe, disablePathAutomerge bool) (*Request, error) {
|
2022-12-13 12:09:31 +05:30
|
|
|
rawrequest, err := readRawRequest(request, unsafe)
|
2021-11-02 14:12:59 +05:30
|
|
|
if err != nil {
|
2022-12-13 12:09:31 +05:30
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch {
|
|
|
|
|
// If path is empty do not tamper input url (see doc)
|
|
|
|
|
// can be omitted but makes things clear
|
|
|
|
|
case rawrequest.Path == "":
|
2023-08-10 19:28:05 +05:30
|
|
|
if !disablePathAutomerge {
|
2023-12-20 14:30:34 +03:00
|
|
|
inputURL.Params.IncludeEquals = true
|
2023-08-10 19:28:05 +05:30
|
|
|
rawrequest.Path = inputURL.GetRelativePath()
|
|
|
|
|
}
|
2022-12-13 12:09:31 +05:30
|
|
|
|
|
|
|
|
// full url provided instead of rel path
|
|
|
|
|
case strings.HasPrefix(rawrequest.Path, "http") && !unsafe:
|
2023-01-24 22:04:52 +05:30
|
|
|
urlx, err := urlutil.ParseURL(rawrequest.Path, true)
|
|
|
|
|
if err != nil {
|
2025-08-25 15:06:58 +07:00
|
|
|
return nil, errkit.Wrapf(err, "failed to parse url %v from template", rawrequest.Path)
|
2023-01-24 22:04:52 +05:30
|
|
|
}
|
|
|
|
|
cloned := inputURL.Clone()
|
2023-12-20 14:30:34 +03:00
|
|
|
cloned.Params.IncludeEquals = true
|
2023-06-19 20:22:17 +05:30
|
|
|
if disablePathAutomerge {
|
|
|
|
|
cloned.Path = ""
|
|
|
|
|
}
|
2023-01-24 22:04:52 +05:30
|
|
|
parseErr := cloned.MergePath(urlx.GetRelativePath(), true)
|
2022-12-13 12:09:31 +05:30
|
|
|
if parseErr != nil {
|
2025-08-25 15:06:58 +07:00
|
|
|
return nil, errkit.Wrapf(parseErr, "could not automergepath for template path %v", urlx.GetRelativePath())
|
2022-12-13 12:09:31 +05:30
|
|
|
}
|
2023-01-24 22:04:52 +05:30
|
|
|
rawrequest.Path = cloned.GetRelativePath()
|
2023-08-01 14:33:43 -04:00
|
|
|
// If unsafe changes must be made in raw request string itself
|
2022-12-13 12:09:31 +05:30
|
|
|
case unsafe:
|
|
|
|
|
prevPath := rawrequest.Path
|
2023-01-24 22:04:52 +05:30
|
|
|
cloned := inputURL.Clone()
|
2023-12-20 14:30:34 +03:00
|
|
|
cloned.Params.IncludeEquals = true
|
2023-02-20 22:26:04 +05:30
|
|
|
unsafeRelativePath := ""
|
|
|
|
|
if (cloned.Path == "" || cloned.Path == "/") && !strings.HasPrefix(prevPath, "/") {
|
|
|
|
|
// Edgecase if raw unsafe request is
|
|
|
|
|
// GET 1337?with=param HTTP/1.1
|
2023-07-03 12:43:24 +05:30
|
|
|
if tmpurl, err := urlutil.ParseRelativePath(prevPath, true); err == nil && !tmpurl.Params.IsEmpty() {
|
2023-02-20 22:26:04 +05:30
|
|
|
// if raw request contains parameters
|
2023-07-03 12:43:24 +05:30
|
|
|
cloned.Params.Merge(tmpurl.Params.Encode())
|
2023-02-20 22:26:04 +05:30
|
|
|
unsafeRelativePath = strings.TrimPrefix(tmpurl.Path, "/") + "?" + cloned.Params.Encode()
|
|
|
|
|
} else {
|
|
|
|
|
// if raw request does not contain param
|
2023-07-03 12:43:24 +05:30
|
|
|
if !cloned.Params.IsEmpty() {
|
2023-02-20 22:26:04 +05:30
|
|
|
unsafeRelativePath = prevPath + "?" + cloned.Params.Encode()
|
|
|
|
|
} else {
|
|
|
|
|
unsafeRelativePath = prevPath
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2024-04-03 17:09:35 +03:00
|
|
|
// Edgecase if raw request is
|
|
|
|
|
// GET / HTTP/1.1
|
|
|
|
|
//use case: https://github.com/projectdiscovery/nuclei/issues/4921
|
|
|
|
|
if rawrequest.Path == "/" && cloned.Path != "" {
|
|
|
|
|
rawrequest.Path = ""
|
|
|
|
|
}
|
|
|
|
|
|
2023-06-19 20:22:17 +05:30
|
|
|
if disablePathAutomerge {
|
|
|
|
|
cloned.Path = ""
|
|
|
|
|
}
|
2023-02-20 22:26:04 +05:30
|
|
|
err = cloned.MergePath(rawrequest.Path, true)
|
|
|
|
|
if err != nil {
|
2025-08-25 15:06:58 +07:00
|
|
|
return nil, errkit.Wrapf(err, "failed to automerge %v from unsafe template", rawrequest.Path)
|
2023-02-20 22:26:04 +05:30
|
|
|
}
|
|
|
|
|
unsafeRelativePath = cloned.GetRelativePath()
|
2023-01-24 22:04:52 +05:30
|
|
|
}
|
2023-07-04 19:04:13 +05:30
|
|
|
rawrequest.Path = cloned.GetRelativePath()
|
2022-12-13 12:09:31 +05:30
|
|
|
rawrequest.UnsafeRawBytes = bytes.Replace(rawrequest.UnsafeRawBytes, []byte(prevPath), []byte(unsafeRelativePath), 1)
|
|
|
|
|
|
|
|
|
|
default:
|
2023-01-24 22:04:52 +05:30
|
|
|
cloned := inputURL.Clone()
|
2023-12-20 14:30:34 +03:00
|
|
|
cloned.Params.IncludeEquals = true
|
2024-04-03 17:09:35 +03:00
|
|
|
// Edgecase if raw request is
|
|
|
|
|
// GET / HTTP/1.1
|
|
|
|
|
//use case: https://github.com/projectdiscovery/nuclei/issues/4921
|
|
|
|
|
if rawrequest.Path == "/" {
|
|
|
|
|
rawrequest.Path = ""
|
|
|
|
|
}
|
|
|
|
|
|
2023-06-19 20:22:17 +05:30
|
|
|
if disablePathAutomerge {
|
|
|
|
|
cloned.Path = ""
|
|
|
|
|
}
|
2023-01-24 22:04:52 +05:30
|
|
|
parseErr := cloned.MergePath(rawrequest.Path, true)
|
|
|
|
|
if parseErr != nil {
|
2025-08-25 15:06:58 +07:00
|
|
|
return nil, errkit.Wrapf(parseErr, "could not automergepath for template path %v", rawrequest.Path)
|
2023-01-24 22:04:52 +05:30
|
|
|
}
|
|
|
|
|
rawrequest.Path = cloned.GetRelativePath()
|
2022-12-13 12:09:31 +05:30
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !unsafe {
|
|
|
|
|
if _, ok := rawrequest.Headers["Host"]; !ok {
|
|
|
|
|
rawrequest.Headers["Host"] = inputURL.Host
|
|
|
|
|
}
|
2023-08-31 18:03:01 +05:30
|
|
|
cloned := inputURL.Clone()
|
2023-12-20 14:30:34 +03:00
|
|
|
cloned.Params.IncludeEquals = true
|
2023-08-31 18:03:01 +05:30
|
|
|
cloned.Path = ""
|
|
|
|
|
_ = cloned.MergePath(rawrequest.Path, true)
|
|
|
|
|
rawrequest.FullURL = cloned.String()
|
2022-12-13 12:09:31 +05:30
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return rawrequest, nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-01 12:15:35 +05:30
|
|
|
// ParseRawRequest parses the raw request as supplied by the user
|
|
|
|
|
// this function should only be used for self-contained requests
|
|
|
|
|
func ParseRawRequest(request string, unsafe bool) (*Request, error) {
|
|
|
|
|
req, err := readRawRequest(request, unsafe)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if strings.HasPrefix(req.Path, "http") {
|
|
|
|
|
urlx, err := urlutil.Parse(req.Path)
|
|
|
|
|
if err != nil {
|
2025-08-25 15:06:58 +07:00
|
|
|
return nil, errkit.Wrapf(err, "failed to parse url %v", req.Path)
|
2023-05-01 12:15:35 +05:30
|
|
|
}
|
|
|
|
|
req.Path = urlx.GetRelativePath()
|
|
|
|
|
req.FullURL = urlx.String()
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
|
|
if req.Path == "" {
|
2025-08-25 15:06:58 +07:00
|
|
|
return nil, errkit.New("path cannot be empty in self contained request")
|
2023-05-01 12:15:35 +05:30
|
|
|
}
|
|
|
|
|
// given url is relative construct one using Host Header
|
|
|
|
|
if _, ok := req.Headers["Host"]; !ok {
|
2025-08-25 15:06:58 +07:00
|
|
|
return nil, errkit.New("host header is required for relative path")
|
2023-05-01 12:15:35 +05:30
|
|
|
}
|
|
|
|
|
// Review: Current default scheme in self contained templates if relative path is provided is http
|
|
|
|
|
req.FullURL = fmt.Sprintf("%s://%s%s", urlutil.HTTP, strings.TrimSpace(req.Headers["Host"]), req.Path)
|
|
|
|
|
}
|
|
|
|
|
return req, nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-12-13 12:09:31 +05:30
|
|
|
// reads raw request line by line following convention
|
|
|
|
|
func readRawRequest(request string, unsafe bool) (*Request, error) {
|
|
|
|
|
rawRequest := &Request{
|
|
|
|
|
Headers: make(map[string]string),
|
2021-11-02 14:12:59 +05:30
|
|
|
}
|
|
|
|
|
|
2022-12-13 12:09:31 +05:30
|
|
|
// store body if it is unsafe request
|
2021-02-20 02:02:57 +01:00
|
|
|
if unsafe {
|
|
|
|
|
rawRequest.UnsafeRawBytes = []byte(request)
|
|
|
|
|
}
|
2022-12-13 12:09:31 +05:30
|
|
|
|
|
|
|
|
// parse raw request
|
2021-02-20 02:02:57 +01:00
|
|
|
reader := bufio.NewReader(strings.NewReader(request))
|
2022-04-04 09:32:41 +02:00
|
|
|
read_line:
|
2020-12-21 16:46:25 +05:30
|
|
|
s, err := reader.ReadString('\n')
|
|
|
|
|
if err != nil {
|
2021-11-25 15:18:46 +02:00
|
|
|
return nil, fmt.Errorf("could not read request: %w", err)
|
2020-12-21 16:46:25 +05:30
|
|
|
}
|
2022-04-04 09:32:41 +02:00
|
|
|
// ignore all annotations
|
|
|
|
|
if stringsutil.HasPrefixAny(s, "@") {
|
|
|
|
|
goto read_line
|
|
|
|
|
}
|
2020-12-21 16:46:25 +05:30
|
|
|
|
2023-05-01 12:15:35 +05:30
|
|
|
parts := strings.Fields(s)
|
2022-12-13 12:09:31 +05:30
|
|
|
if len(parts) > 0 {
|
|
|
|
|
rawRequest.Method = parts[0]
|
|
|
|
|
if len(parts) == 2 && strings.Contains(parts[1], "HTTP") {
|
|
|
|
|
// When relative path is missing/ not specified it is considered that
|
|
|
|
|
// request is meant to be untampered at path
|
|
|
|
|
// Ex: GET HTTP/1.1
|
|
|
|
|
parts = []string{parts[0], "", parts[1]}
|
|
|
|
|
}
|
|
|
|
|
if len(parts) < 3 && !unsafe {
|
|
|
|
|
// missing a field
|
|
|
|
|
return nil, fmt.Errorf("malformed request specified: %v", s)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// relative path
|
|
|
|
|
rawRequest.Path = parts[1]
|
|
|
|
|
// Note: raw request does not URL Encode if needed `+` should be used
|
|
|
|
|
// this can be also be implemented
|
2021-11-02 14:12:59 +05:30
|
|
|
}
|
2020-12-21 16:46:25 +05:30
|
|
|
|
2021-11-25 18:54:16 +02:00
|
|
|
var multiPartRequest bool
|
2020-12-21 16:46:25 +05:30
|
|
|
// Accepts all malformed headers
|
|
|
|
|
var key, value string
|
|
|
|
|
for {
|
|
|
|
|
line, readErr := reader.ReadString('\n')
|
|
|
|
|
line = strings.TrimSpace(line)
|
|
|
|
|
|
|
|
|
|
if readErr != nil || line == "" {
|
2021-02-08 16:07:16 +05:30
|
|
|
if readErr != io.EOF {
|
|
|
|
|
break
|
|
|
|
|
}
|
2020-12-21 16:46:25 +05:30
|
|
|
}
|
|
|
|
|
|
|
|
|
|
p := strings.SplitN(line, ":", 2)
|
|
|
|
|
key = p[0]
|
|
|
|
|
if len(p) > 1 {
|
|
|
|
|
value = p[1]
|
|
|
|
|
}
|
2021-02-22 18:59:03 +05:30
|
|
|
if strings.Contains(key, "Content-Type") && strings.Contains(value, "multipart/") {
|
2021-11-25 18:54:16 +02:00
|
|
|
multiPartRequest = true
|
2021-02-22 18:59:03 +05:30
|
|
|
}
|
2020-12-21 16:46:25 +05:30
|
|
|
|
|
|
|
|
// in case of unsafe requests multiple headers should be accepted
|
|
|
|
|
// therefore use the full line as key
|
|
|
|
|
_, found := rawRequest.Headers[key]
|
2021-02-20 02:02:57 +01:00
|
|
|
if unsafe {
|
|
|
|
|
rawRequest.UnsafeHeaders = append(rawRequest.UnsafeHeaders, client.Header{Key: line})
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-21 16:46:25 +05:30
|
|
|
if unsafe && found {
|
|
|
|
|
rawRequest.Headers[line] = ""
|
|
|
|
|
} else {
|
2021-02-20 00:35:39 +01:00
|
|
|
rawRequest.Headers[key] = strings.TrimSpace(value)
|
2020-12-21 16:46:25 +05:30
|
|
|
}
|
2021-02-08 16:07:16 +05:30
|
|
|
if readErr == io.EOF {
|
|
|
|
|
break
|
|
|
|
|
}
|
2020-12-21 16:46:25 +05:30
|
|
|
}
|
|
|
|
|
|
2020-12-26 14:55:15 +05:30
|
|
|
// Set the request body
|
2022-02-23 13:54:46 +01:00
|
|
|
b, err := io.ReadAll(reader)
|
2020-12-26 14:55:15 +05:30
|
|
|
if err != nil {
|
2021-11-25 15:18:46 +02:00
|
|
|
return nil, fmt.Errorf("could not read request body: %w", err)
|
2020-12-26 14:55:15 +05:30
|
|
|
}
|
|
|
|
|
rawRequest.Data = string(b)
|
2021-11-25 18:54:16 +02:00
|
|
|
if !multiPartRequest {
|
2021-02-22 18:59:03 +05:30
|
|
|
rawRequest.Data = strings.TrimSuffix(rawRequest.Data, "\r\n")
|
|
|
|
|
}
|
2020-12-26 14:55:15 +05:30
|
|
|
return rawRequest, nil
|
2022-10-27 20:09:38 +02:00
|
|
|
|
2021-11-02 14:12:59 +05:30
|
|
|
}
|
2021-11-08 19:33:54 +01:00
|
|
|
|
|
|
|
|
// TryFillCustomHeaders after the Host header
|
|
|
|
|
func (r *Request) TryFillCustomHeaders(headers []string) error {
|
|
|
|
|
unsafeBytes := bytes.ToLower(r.UnsafeRawBytes)
|
|
|
|
|
// locate first host header
|
|
|
|
|
hostHeaderIndex := bytes.Index(unsafeBytes, []byte("host:"))
|
|
|
|
|
if hostHeaderIndex > 0 {
|
|
|
|
|
// attempt to locate next newline
|
|
|
|
|
newLineIndex := bytes.Index(unsafeBytes[hostHeaderIndex:], []byte("\r\n"))
|
|
|
|
|
if newLineIndex > 0 {
|
|
|
|
|
newLineIndex += hostHeaderIndex + 2
|
|
|
|
|
// insert custom headers
|
2025-09-15 23:48:02 +05:30
|
|
|
buf := bufferPool.Get().(*bytes.Buffer)
|
|
|
|
|
buf.Reset()
|
2021-11-08 19:33:54 +01:00
|
|
|
buf.Write(r.UnsafeRawBytes[:newLineIndex])
|
|
|
|
|
for _, header := range headers {
|
2025-09-15 23:48:02 +05:30
|
|
|
buf.WriteString(header)
|
|
|
|
|
buf.WriteString("\r\n")
|
2021-11-08 19:33:54 +01:00
|
|
|
}
|
|
|
|
|
buf.Write(r.UnsafeRawBytes[newLineIndex:])
|
2025-09-15 23:48:02 +05:30
|
|
|
r.UnsafeRawBytes = append([]byte(nil), buf.Bytes()...)
|
|
|
|
|
buf.Reset()
|
|
|
|
|
bufferPool.Put(buf)
|
2021-11-08 19:33:54 +01:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
return errors.New("no new line found at the end of host header")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return errors.New("no host header found")
|
|
|
|
|
}
|
2024-03-14 03:08:53 +05:30
|
|
|
|
|
|
|
|
// ApplyAuthStrategy applies the auth strategy to the request
|
|
|
|
|
func (r *Request) ApplyAuthStrategy(strategy authx.AuthStrategy) {
|
|
|
|
|
if strategy == nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
switch s := strategy.(type) {
|
|
|
|
|
case *authx.QueryAuthStrategy:
|
|
|
|
|
parsed, err := urlutil.Parse(r.FullURL)
|
|
|
|
|
if err != nil {
|
|
|
|
|
gologger.Error().Msgf("auth strategy failed to parse url: %s got %v", r.FullURL, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
for _, p := range s.Data.Params {
|
|
|
|
|
parsed.Params.Add(p.Key, p.Value)
|
|
|
|
|
}
|
|
|
|
|
case *authx.CookiesAuthStrategy:
|
2025-09-15 23:48:02 +05:30
|
|
|
buff := bufferPool.Get().(*bytes.Buffer)
|
|
|
|
|
buff.Reset()
|
2024-03-14 03:08:53 +05:30
|
|
|
for _, cookie := range s.Data.Cookies {
|
2025-09-15 23:48:02 +05:30
|
|
|
fmt.Fprintf(buff, "%s=%s; ", cookie.Key, cookie.Value)
|
2024-03-14 03:08:53 +05:30
|
|
|
}
|
|
|
|
|
if buff.Len() > 0 {
|
|
|
|
|
if val, ok := r.Headers["Cookie"]; ok {
|
|
|
|
|
r.Headers["Cookie"] = strings.TrimSuffix(strings.TrimSpace(val), ";") + "; " + buff.String()
|
|
|
|
|
} else {
|
|
|
|
|
r.Headers["Cookie"] = buff.String()
|
|
|
|
|
}
|
|
|
|
|
}
|
2025-09-15 23:48:02 +05:30
|
|
|
bufferPool.Put(buff)
|
2024-03-14 03:08:53 +05:30
|
|
|
case *authx.HeadersAuthStrategy:
|
|
|
|
|
for _, header := range s.Data.Headers {
|
|
|
|
|
r.Headers[header.Key] = header.Value
|
|
|
|
|
}
|
|
|
|
|
case *authx.BearerTokenAuthStrategy:
|
|
|
|
|
r.Headers["Authorization"] = "Bearer " + s.Data.Token
|
|
|
|
|
case *authx.BasicAuthStrategy:
|
|
|
|
|
r.Headers["Authorization"] = "Basic " + base64.StdEncoding.EncodeToString([]byte(s.Data.Username+":"+s.Data.Password))
|
|
|
|
|
default:
|
|
|
|
|
gologger.Warning().Msgf("[raw-request] unknown auth strategy: %T", s)
|
|
|
|
|
}
|
|
|
|
|
}
|
