fix removing double slash prefix in raw req path (#3960)

* update utils lib * add integration test on unsafe:false * fix build error --------- Co-authored-by: mzack <[email protected]>
projectdiscovery · Aug 3, 2023 · c8a7df9 · c8a7df9
1 parent 0776b2e
commit c8a7df9
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 3 deletions.
diff --git a/integration_tests/http/http-paths.yaml b/integration_tests/http/http-paths.yaml
@@ -16,6 +16,7 @@ info:
     - "/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
     - "/test/..;/..;/"
     - "/xyz/%25u2s/%25invalid"
+    - "//CFIDE/wizards/common/utils.cfc"
     # duplicating here because same results are expected even if http request is written in different format
     - "/1337?with=param"
     - "/some%0A/%0D"
@@ -24,6 +25,7 @@ info:
     - "/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
     - "/test/..;/..;/"
     - "/xyz/%25u2s/%25invalid"
+    - "//CFIDE/wizards/common/utils.cfc"
 
 # Test all templates with FullURLs
 requests:
@@ -62,6 +64,10 @@ requests:
       - |+
         GET /xyz/%u2s/%invalid HTTP/1.1
         Host: scanme.sh
+    # test relative path start with //
+      - |+
+        GET //CFIDE/wizards/common/utils.cfc HTTP/1.1
+        Host: scanme.sh
 
     matchers:
       - type: status
@@ -77,6 +83,7 @@ requests:
      - "{{BaseURL}}/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
      - "{{BaseURL}}/test/..;/..;/"
      - "{{BaseURL}}/xyz/%u2s/%invalid"
+     - "{{BaseURL}}//CFIDE/wizards/common/utils.cfc"
 
     matchers:
     - type: status

diff --git a/integration_tests/http/raw-unsafe-path.yaml b/integration_tests/http/raw-unsafe-path.yaml
@@ -16,6 +16,7 @@ info:
     - "/text4shell/attack?search=$%7bscript:javascript:java.lang.Runtime.getRuntime().exec('nslookup%20{}.getparam')%7d"
     - "/test/..;/..;/"
     - "/xyz/%u2s/%invalid"
+    - "//CFIDE/wizards/common/utils.cfc"
 
 
 # Test all unsafe URL Handling Edgecases
@@ -50,6 +51,10 @@ requests:
       - |+
         GET /xyz/%u2s/%invalid HTTP/1.1
         Host: scanme.sh
+    # test relative path start with // (should not be removed)
+      - |+
+        GET //CFIDE/wizards/common/utils.cfc HTTP/1.1
+        Host: scanme.sh
 
     unsafe: true
     matchers:

diff --git a/v2/go.mod b/v2/go.mod
@@ -77,7 +77,7 @@ require (
 	github.com/projectdiscovery/sarif v0.0.1
 	github.com/projectdiscovery/tlsx v1.1.1
 	github.com/projectdiscovery/uncover v1.0.6-0.20230601103158-bfd7e02a5bb1
-	github.com/projectdiscovery/utils v0.0.45
+	github.com/projectdiscovery/utils v0.0.45-0.20230725161322-28ec1ee0ba40
 	github.com/projectdiscovery/wappalyzergo v0.0.107
 	github.com/stretchr/testify v1.8.4
 	gopkg.in/src-d/go-git.v4 v4.13.1

diff --git a/v2/go.sum b/v2/go.sum
@@ -435,8 +435,8 @@ github.com/projectdiscovery/tlsx v1.1.1 h1:4q14vu2A+TnQjhYI68I3yCUss3UM0fmrkmnJK
 github.com/projectdiscovery/tlsx v1.1.1/go.mod h1:x2S3KajTVxH5Tm4lbBoX4EumY/gh+cGzfBUhlCuNtdY=
 github.com/projectdiscovery/uncover v1.0.6-0.20230601103158-bfd7e02a5bb1 h1:Pu6LvDqn+iSlhCDKKWm1ItPc++kqqlU8OntZeB/Prak=
 github.com/projectdiscovery/uncover v1.0.6-0.20230601103158-bfd7e02a5bb1/go.mod h1:Drl/CWD392mKtdXJhCBPlMkM0I6671pqedFphcnK5f8=
-github.com/projectdiscovery/utils v0.0.45 h1:i0xwdpaGrTIw8hVtutjpVXvPCMcKKwb9VbqWxlwL08M=
-github.com/projectdiscovery/utils v0.0.45/go.mod h1:kJu+OqAWsoilLto06ajSp4U3gWuz51GEVLL/PogJXPk=
+github.com/projectdiscovery/utils v0.0.45-0.20230725161322-28ec1ee0ba40 h1:bgTXdrA/yFhFGfjhMIsczVNhnsMEHFidgS/FD2Tq5Js=
+github.com/projectdiscovery/utils v0.0.45-0.20230725161322-28ec1ee0ba40/go.mod h1:HtUI1pyNCgQUuwZuxDILQ4NSUaFcfBh0TuCK/ZQTS6Q=
 github.com/projectdiscovery/wappalyzergo v0.0.107 h1:B8gzJpAh08f1o+OiDunHAfKtqXiDnFCc7Rj1qKp+DB8=
 github.com/projectdiscovery/wappalyzergo v0.0.107/go.mod h1:4Z3DKhi75zIPMuA+qSDDWxZvnhL4qTLmDx4dxNMu7MA=
 github.com/projectdiscovery/yamldoc-go v1.0.4 h1:eZoESapnMw6WAHiVgRwNqvbJEfNHEH148uthhFbG5jE=