Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-01-03 23:39:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Make sure control chars from HTTP header don't end up in html,csv,json

Browse Source 
This addresses the bug #2330 by implementing a function which removes
control characters from the file output format html,csv,json at the
output.

In every instance called there's a check before whether the string
contains control chars, hoping it'll save a few milli seconds.

A tr function is used, omitting LF.

It doesn't filter the terminal output and the log file output.
This commit is contained in:
Dirk Wetter 2023-03-11 13:38:28 +01:00
parent 1ee21b7f22
commit 06506b371e
1 changed files with 30 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
testssl.sh
View File

@ -534,7 +534,6 @@ show_finding() {
html_reserved(){ html_reserved(){
local output local output
"$do_html" || return 0 "$do_html" || return 0
#sed -e 's/\&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g" <<< "$1"
output="${1//&/$'&'amp;}" output="${1//&/$'&'amp;}"
output="${output//</$'&'lt;}" output="${output//</$'&'lt;}"
output="${output//>/$'&'gt;}" output="${output//>/$'&'gt;}"
@ -545,8 +544,26 @@ html_reserved(){
} }
html_out() { html_out() {
local outstr="$1"
"$do_html" || return 0 "$do_html" || return 0
[[ -n "$HTMLFILE" ]] && [[ ! -d "$HTMLFILE" ]] && printf -- "%b" "$1" >> "$HTMLFILE" if [[ -n "$HTMLFILE" ]] && [[ ! -d "$HTMLFILE" ]]; then
if [[ "$outstr" =~ [[:cntrl:]] ]]; then
outstr="$(sanitize_fileout "$outstr")"
fi
printf -- "%b" "$outstr" >> "$HTMLFILE"
fi
}
# Removes on printable chars in CSV, JSON, HTML, see #2330
sanitize_fileout() {
tr -d '\000-\011,\013-\037' <<< "$1"
}
# Removes on printable chars in terminal output (log files)
# We need to keep the icolor ANSI escape code, see #2330
sanitize_termout() {
tr -d '\000-\011,\013-\032,\034-\037' <<< "$1"
} }
# This is intentionally the same. # This is intentionally the same.
@ -1227,6 +1244,9 @@ fileout_json_print_parameter() {
spaces=" " || \ spaces=" " || \
spaces=" " spaces=" "
if [[ -n "$value" ]] || [[ "$parameter" == finding ]]; then if [[ -n "$value" ]] || [[ "$parameter" == finding ]]; then
if [[ "$value" =~ [[:cntrl:]] ]]; then
value="$(sanitize_fileout "$value")"
fi
printf -- "%b%b%b%b" "$spaces" "\"$parameter\"" "$filler" ": \"$value\"" >> "$JSONFILE" printf -- "%b%b%b%b" "$spaces" "\"$parameter\"" "$filler" ": \"$value\"" >> "$JSONFILE"
"$not_last" && printf ",\n" >> "$JSONFILE" "$not_last" && printf ",\n" >> "$JSONFILE"
fi fi
@ -1350,12 +1370,19 @@ fileout_insert_warning() {
fi fi
} }
# args: "id" "fqdn/ip" "port" "severity" "finding" "cve" "cwe" "hint"
#
fileout_csv_finding() { fileout_csv_finding() {
local finding="$5"
if [[ "$finding" =~ [[:cntrl:]] ]]; then
finding="$(sanitize_fileout "$finding")"
fi
safe_echo "\"$1\"," >> "$CSVFILE" safe_echo "\"$1\"," >> "$CSVFILE"
safe_echo "\"$2\"," >> "$CSVFILE" safe_echo "\"$2\"," >> "$CSVFILE"
safe_echo "\"$3\"," >> "$CSVFILE" safe_echo "\"$3\"," >> "$CSVFILE"
safe_echo "\"$4\"," >> "$CSVFILE" safe_echo "\"$4\"," >> "$CSVFILE"
safe_echo "\"$5\"," >> "$CSVFILE" safe_echo "\"$finding\"," >> "$CSVFILE"
safe_echo "\"$6\"," >> "$CSVFILE" safe_echo "\"$6\"," >> "$CSVFILE"
if "$GIVE_HINTS"; then if "$GIVE_HINTS"; then
safe_echo "\"$7\"," >> "$CSVFILE" safe_echo "\"$7\"," >> "$CSVFILE"