pkg/ffuf: fix panic in Windows when parsing wordlist flag #335
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
da94c64 to
0833647
Compare
This change addresses two panics that happened while parsing the provided wordlist flag in Windows systems. - pkg/ffuf/util.go:40: panic happened when the provided path was invalid. Example: ".\wordlist.txt:" as the os.Stat call returned an error different than os.ErrNotExist. - pkg/ffuf/optionsparser.go:179: panic happened when the provided value did not existed and did not contain a colon character. Example: ".\asdf.txt" when the local file ".\asdf.txt" did not exist. This panic happened due to strings.LastIndex returning -1 when the provided substring does not appear. Therefore, v[:-1] panicking. Fixes ffuf#333 Signed-off-by: Miguel Ángel Jimeno <miguelangel4b@gmail.com>
0833647 to
576ade3
Compare
joohoi
requested changes
Oct 21, 2020
|
Hi @joohoi, did you have a chance to check my previous comment? |
joohoi
approved these changes
Oct 26, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This change addresses two panics that happened while parsing the provided wordlist flag in Windows systems.
pkg/ffuf/util.go:40: panic happened when the provided path was invalid. Example:.\wordlist.txt:as theos.Statcall returned an error different thanos.ErrNotExist.pkg/ffuf/optionsparser.go:179: panic happened when the provided value did not existed and did not contain a colon character. Example:.\asdf.txtwhen the local file.\asdf.txtdid not exist. This panic happened due tostrings.LastIndexreturning-1when the provided substring does not appear. Therefore,v[:-1]panicking.Fixes #333
Additonally
CONTRIBUTORS.md.The file should be alphabetically ordered.
CHANGELOG.mdPlease, test this patch thoroughly using a Windows system before merging it. I'd like to contribute unit tests for this patch too in order to avoid having a regression or incomplete fix. However, it would require a bigger refactor of the file rather than just 2 panic fixes.
Note:
pkg/ffuf/optionsparser.go:181(L185 on my patch) does not panic asstrings.LastIndexreturning -1 will make the slice access to bev[0:], preserving the completevvalue. It would be nice to prevent this in a next patch, though.