Class: Arachni::Element::XML

Inherits:

Base

• Object
• Base
• Arachni::Element::XML

Includes:

Capabilities::Analyzable, Capabilities::WithSource, Capabilities::Inputtable, Capabilities::Mutable

Defined in:

lib/arachni/element/xml.rb,
lib/arachni/element/xml/capabilities/mutable.rb,
lib/arachni/element/xml/capabilities/inputtable.rb

Overview

Represents an auditable XML element

Defined Under Namespace

Modules: Capabilities

Constant Summary

Constants included from Capabilities::Mutable

Capabilities::Mutable::EXTRA_NAME, Capabilities::Mutable::FUZZ_NAME, Capabilities::Mutable::FUZZ_NAME_VALUE, Capabilities::Mutable::MUTATION_OPTIONS

Constants included from Capabilities::Inputtable

Capabilities::Inputtable::INPUTTABLE_CACHE

Constants included from Capabilities::Analyzable::Differential

Capabilities::Analyzable::Differential::DIFFERENTIAL_OPTIONS

Constants included from Capabilities::Analyzable::Timeout

Capabilities::Analyzable::Timeout::TIMEOUT_OPTIONS

Constants included from Capabilities::Analyzable::Taint

Capabilities::Analyzable::Taint::TAINT_CACHE, Capabilities::Analyzable::Taint::TAINT_OPTIONS

Constants included from Capabilities::Auditable

Capabilities::Auditable::OPTIONS

Constants inherited from Base

Base::MAX_SIZE

Instance Attribute Summary

Attributes included from Capabilities::Mutable

#affected_input_name, #format, #seed

Attributes included from Capabilities::Inputtable

#default_inputs, #inputs

Attributes included from Capabilities::WithSource

#source

Attributes included from Capabilities::Analyzable::Differential

#differential_analysis_options

Attributes included from Capabilities::Analyzable::Timeout

#timing_attack_remark_data

Attributes included from Capabilities::Auditable

#audit_options

Attributes included from Capabilities::WithAuditor

#auditor

Attributes inherited from Base

#initialization_options, #page

Class Method Summary

• .decode(v) ⇒ Object

  No-op.

• .encode(v) ⇒ Object

  No-op.

• .from_request(url, request) ⇒ XML^?

  Extracts XML elements from an HTTP request.

• .parse_inputs(doc) ⇒ Object

Instance Method Summary

• #decode(*args) ⇒ Object
• #dup ⇒ Object
• #encode(*args) ⇒ Object
• #initialize(options) ⇒ XML constructor

  A new instance of XML.

• #marshal_dump ⇒ Object
• #simple ⇒ Hash

  Simple representation of self in the form of ‘{ Capabilities::Submittable#action => Capabilities::Inputtable#inputs }`.

• #to_rpc_data ⇒ Object
• #to_s ⇒ Object
• #to_xml ⇒ String

  XML formatted Capabilities::Inputtable#inputs.

• #transform_xml(&block) ⇒ Object

Methods included from Capabilities::Mutable

#each_mutation

Methods included from Capabilities::Mutable

#affected_input_value, #affected_input_value=, #each_mutation, #immutables, #inspect, #mutation?, #mutations, #reset, #switch_method, #to_h

Methods included from Capabilities::Inputtable

#valid_input_name?

Methods included from Capabilities::Inputtable

#[], #[]=, #changes, #has_inputs?, #inputtable_id, #reset, #to_h, #try_input, #update, #valid_input_data?, #valid_input_name?, #valid_input_name_data?, #valid_input_value?, #valid_input_value_data?

Methods included from Capabilities::WithSource

#to_h

Methods included from Capabilities::Analyzable

has_timeout_candidates?, reset, timeout_audit_run

Methods included from Capabilities::Analyzable::Differential

#differential_analysis, reset

Methods included from Capabilities::Analyzable::Timeout

add_phase_2_candidate, candidates_include?, deduplicate, deduplicate?, do_not_deduplicate, #ensure_responsiveness, has_candidates?, payload_delay_from_options, reset, run, #timeout_analysis, timeout_from_options, #timeout_id, #timing_attack_probe, #timing_attack_verify

Methods included from Capabilities::Analyzable::Taint

#taint_analysis

Methods included from Capabilities::Auditable

#audit, #audit_id, #audit_status_message, #audit_status_message_action, #audit_verbose_message, #coverage_hash, #coverage_id, #matches_skip_like_blocks?, #reset, reset, #skip?, skip_like

Methods included from Capabilities::WithAuditor

#orphan?, #prepare_for_report, #remove_auditor

Methods included from Capabilities::Submittable

#action, #action=, #http, #id, #method, #method=, #platforms, #submit, #to_h

Methods included from Utilities

#available_port, #bytes_to_kilobytes, #bytes_to_megabytes, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_document, #cookies_from_file, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_document, #forms_from_response, #full_and_absolute_url?, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_document, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #regexp_array_match, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_path?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite

Methods inherited from Base

#==, #action, from_rpc_data, #hash, #id, #marshal_load, #persistent_hash, #prepare_for_report, #reset, #to_h, #to_hash, too_big?, type, #type, #url, #url=

Methods included from Capabilities::WithScope

#scope

Constructor Details

#initialize(options) ⇒ XML

Returns a new instance of XML.

Parameters:

• options (Hash)

Options Hash (options):

• :url (String) —

  URL of the page which includes the link.

• :action (String) —

  Link URL – defaults to ‘:url`.

• :source (String) —

  XML data, to be parsed into inputs.

Raises:

• (Error::MissingSource) —

  On missing ‘:source`.

# File 'lib/arachni/element/xml.rb', line 39

def initialize( options )
    self.http_method = options[:method] || :post

    super( options )

    fail Arachni::Element::Capabilities::WithSource::Error::MissingSource if !@source

    @inputs = options[:inputs] || {}
    if @inputs.empty?
        # The ivar needs to be set first because it's used as an input name
        # validator by the setter later on.
        @inputs = self.class.parse_inputs( @source )
        self.inputs = @inputs
    end

    @default_inputs = self.inputs.dup.freeze
end

Class Method Details

.decode(v) ⇒ Object

No-op

# File 'lib/arachni/element/xml.rb', line 129

def decode( v )
    v
end

.encode(v) ⇒ Object

No-op

# File 'lib/arachni/element/xml.rb', line 124

def encode( v )
    v
end

.from_request(url, request) ⇒ XML^?

Extracts XML elements from an HTTP request.

Parameters:

• request (Arachni::HTTP::Request)

Returns:

• (XML, nil)

# File 'lib/arachni/element/xml.rb', line 138

def from_request( url, request )
    return if !request.body.is_a?( String ) || request.body.empty?
    return if too_big?( request.body )

    data = parse_inputs( request.body )
    return if data.empty?

    new(
        url:    url,
        action: request.url,
        method: request.method,
        inputs: data,
        source: request.body
    )
end

.parse_inputs(doc) ⇒ Object

# File 'lib/arachni/element/xml.rb', line 154

def parse_inputs( doc )
    doc = doc.is_a?( Nokogiri::XML ) ? doc : Nokogiri::XML( doc )

    inputs = {}
    doc.traverse do |node|
        if node.is_a?( Nokogiri::XML::Text ) && node.children.empty? &&
            node.parent.children.size == 1

            inputs[node.css_path] = node.content
        end

        if node.respond_to? :attributes
            node.attributes.each do |_, attribute|
                inputs[attribute.css_path] = attribute.content
            end
        end
    end

    inputs
end

Instance Method Details

#decode(*args) ⇒ Object

See Also:

• decode

# File 'lib/arachni/element/xml.rb', line 101

def decode( *args )
    self.class.decode( *args )
end

#dup ⇒ Object

# File 'lib/arachni/element/xml.rb', line 105

def dup
    super.tap { |e| e.source = @source }
end

#encode(*args) ⇒ Object

See Also:

• encode

# File 'lib/arachni/element/xml.rb', line 93

def encode( *args )
    self.class.encode( *args )
end

#marshal_dump ⇒ Object

# File 'lib/arachni/element/xml.rb', line 115

def marshal_dump
    d = super
    d.delete :@transform_xml
    d
end

#simple ⇒ Hash

Returns Simple representation of self in the form of ‘{ Capabilities::Submittable#action => Capabilities::Inputtable#inputs }`.

Returns:

• (Hash) —

  Simple representation of self in the form of ‘{ Capabilities::Submittable#action => Capabilities::Inputtable#inputs }`.

# File 'lib/arachni/element/xml.rb', line 85

def simple
    { self.action => self.inputs }
end

#to_rpc_data ⇒ Object

# File 'lib/arachni/element/xml.rb', line 109

def to_rpc_data
    d = super
    d.delete 'transform_xml'
    d
end

#to_s ⇒ Object

# File 'lib/arachni/element/xml.rb', line 79

def to_s
    to_xml
end

#to_xml ⇒ String

Returns XML formatted Capabilities::Inputtable#inputs.

If a #transform_xml callback has been set, it will return its value.

Returns:

• (String) —

  XML formatted Capabilities::Inputtable#inputs.

  If a #transform_xml callback has been set, it will return its value.

# File 'lib/arachni/element/xml.rb', line 61

def to_xml
    doc = Nokogiri::XML( source )

    inputs.each do |path, content|
        doc.css( path ).each do |node|
            node.content = content
        end
    end

    @transform_xml ? @transform_xml.call( doc.to_xml ) : doc.to_xml
end

#transform_xml(&block) ⇒ Object

Parameters:

• block (Block) —

  Callback to intercept #to_xml‘s return value.

# File 'lib/arachni/element/xml.rb', line 75

def transform_xml( &block )
    @transform_xml = block
end