Class: Arachni::URI

Inherits:

Object

• Object
• Arachni::URI

Extended by:

Arachni::UI::Output, Utilities

Includes:

Arachni::UI::Output, Utilities

Defined in:

lib/arachni/uri.rb,
lib/arachni/uri/scope.rb

Overview

The URI class automatically normalizes the URLs it is passed to parse while maintaining compatibility with Ruby’s URI core class by delegating missing methods to it – thus, you can treat it like a Ruby URI and enjoy some extra perks along the way.

It also provides cached (to maintain a low latency) helper class methods to ease common operations such as:

• Normalization.

• Parsing to Arachni::URI (see also URI), ::URI or Hash objects.

• Conversion to absolute URLs.

Author:

• Tasos “Zapotek” Laskos <tasos.laskos@arachni-scanner.com>

Defined Under Namespace

Classes: Error, Scope

Constant Summary

CACHE_SIZES =

{
    parse:       600,
    ruby_parse:  600,
    fast_parse:  600,
    normalize:   1000,
    to_absolute: 1000
}

CACHE =

{
    parser:      ::URI::Parser.new,
    ruby_parse:  Support::Cache::RandomReplacement.new( CACHE_SIZES[:ruby_parse] ),
    parse:       Support::Cache::RandomReplacement.new( CACHE_SIZES[:parse] ),
    fast_parse:  Support::Cache::RandomReplacement.new( CACHE_SIZES[:fast_parse] ),
    normalize:   Support::Cache::RandomReplacement.new( CACHE_SIZES[:normalize] ),
    to_absolute: Support::Cache::RandomReplacement.new( CACHE_SIZES[:to_absolute] )
}

Class Method Summary

• ._load(url) ⇒ Object
• .addressable_parse(url) ⇒ Hash

  Performs a parse using the ‘URI::Addressable` lib while normalizing the URL (will also discard the fragment).

• .decode(string) ⇒ String

  URL decodes a string.

• .encode(string, bad_characters = nil) ⇒ String

  URL encodes a string.

• .fast_parse(url) ⇒ Hash

  Performs a parse that is less resource intensive than Ruby’s URI lib’s method while normalizing the URL (will also discard the fragment and path parameters).

• .normalize(url) ⇒ String

  Uses URI.fast_parse to parse and normalize the URL and then converts it to a common String format.

• .parse(url) ⇒ Object

  Cached version of #initialize, if there’s a chance that the same URL will be needed to be parsed multiple times you should use this method.

• .parse_query(url) ⇒ Hash

  Extracts inputs from a URL query.

• .parser ⇒ URI::Parser

  Cached URI parser.

• .rewrite(url, rules = Arachni::Options.scope.url_rewrites) ⇒ String

  Rewritten URL.

• .ruby_parse(url) ⇒ URI

  Normalizes ‘url` and uses Ruby’s core URI lib to parse it.

• .to_absolute(relative, reference = Options.instance.url.to_s) ⇒ String

  Normalizes and converts a ‘relative` URL to an absolute one by merging in with a `reference` URL.

Instance Method Summary

• #==(other) ⇒ Object
• #_dump(_) ⇒ Object
• #domain ⇒ String

  ‘domain_name.tld`.

• #dup ⇒ Object
• #hash ⇒ Object
• #initialize(url) ⇒ URI constructor

  Normalizes and parses the provided URL.

• #ip_address? ⇒ Boolean

  ‘true` if the URI contains an IP address, `false` otherwise.

• #mailto? ⇒ Boolean
• #method_missing(sym, *args, &block) ⇒ Object

  Delegates unimplemented methods to Ruby’s ‘URI::Generic` class for compatibility.

• #persistent_hash ⇒ Object
• #query=(q) ⇒ Object
• #query_parameters ⇒ Hash

  Extracted inputs from a URL query.

• #resource_extension ⇒ String

  The extension of the URI resource.

• #respond_to?(*args) ⇒ Boolean
• #rewrite(rules = Arachni::Options.scope.url_rewrites) ⇒ URI

  Rewritten URL.

• #scope ⇒ Scope
• #to_absolute(reference) ⇒ Arachni::URI

  Converts self into an absolute URL using ‘reference` to fill in the missing data.

• #to_s ⇒ String
• #up_to_path ⇒ String

  The URL up to its path component (no resource name, query, fragment, etc).

• #without_query ⇒ String

  The URL up to its resource component (query, fragment, etc).

Methods included from Arachni::UI::Output

debug?, debug_off, debug_on, disable_only_positives, included, mute, muted?, only_positives, only_positives?, print_bad, print_debug, print_debug_backtrace, print_debug_level_1, print_debug_level_2, print_debug_level_3, print_error, print_error_backtrace, print_exception, print_info, print_line, print_ok, print_status, print_verbose, reroute_to_file, reroute_to_file?, reset_output_options, unmute, verbose?, verbose_on

Methods included from Utilities

available_port, caller_name, caller_path, cookie_decode, cookie_encode, cookies_from_document, cookies_from_file, cookies_from_response, exception_jail, exclude_path?, follow_protocol?, form_decode, form_encode, forms_from_document, forms_from_response, generate_token, get_path, hms_to_seconds, html_decode, html_encode, include_path?, links_from_document, links_from_response, normalize_url, page_from_response, page_from_url, parse_set_cookie, path_in_domain?, path_too_deep?, port_available?, rand_port, random_seed, redundant_path?, remove_constants, request_parse_body, seconds_to_hms, skip_page?, skip_path?, skip_resource?, skip_response?, uri_decode, uri_encode, uri_parse, uri_parse_query, uri_parser, uri_rewrite

Constructor Details

#initialize(url) ⇒ URI

Note:

Will discard the fragment component, if there is one.

Normalizes and parses the provided URL.

Parameters:

• url (Arachni::URI, String, URI, Hash) —

  String URL to parse, ‘URI` to convert, or a `Hash` holding URL components (for `URI::Generic.build`). Also accepts Arachni::URI for convenience.

# File 'lib/arachni/uri.rb', line 477

def initialize( url )
    @parsed_url = case url
                      when String
                          self.class.ruby_parse( url )

                      when ::URI
                          url.dup

                      when Hash
                          ::URI::Generic.build( url )

                      when Arachni::URI
                          self.parsed_url = url.parsed_url.dup

                      else
                          to_string = url.to_s rescue ''
                          msg = 'Argument must either be String, URI or Hash'
                          msg << " -- #{url.class.name} '#{to_string}' passed."
                          fail ArgumentError.new( msg )
                  end

    fail Error, 'Failed to parse URL.' if !@parsed_url

    # We probably got it from the cache, dup it to avoid corrupting the cache
    # entries.
    @parsed_url = @parsed_url.dup
end

Dynamic Method Handling

This class handles dynamic methods through the method_missing method

#method_missing(sym, *args, &block) ⇒ Object

Delegates unimplemented methods to Ruby’s ‘URI::Generic` class for compatibility.

# File 'lib/arachni/uri.rb', line 649

def method_missing( sym, *args, &block )
    if @parsed_url.respond_to?( sym )
        @parsed_url.send( sym, *args, &block )
    else
        super
    end
end

Class Method Details

._load(url) ⇒ Object

# File 'lib/arachni/uri.rb', line 635

def self._load( url )
    new url
end

.addressable_parse(url) ⇒ Hash

Note:

The Hash is suitable for passing to ‘::URI::Generic.build` – if however you plan on doing that you’ll be better off just using ruby_parse which does the same thing and caches the results for some extra schnell.

Performs a parse using the ‘URI::Addressable` lib while normalizing the URL (will also discard the fragment).

This method is not cached and solely exists as a fallback used by fast_parse.

Parameters:

• url (String)

Returns:

• (Hash) —

  URL components:

  * `:scheme` -- HTTP or HTTPS
  * `:userinfo` -- `username:password`
  * `:host`
  * `:port`
  * `:path`
  * `:query`
  

# File 'lib/arachni/uri.rb', line 337

def addressable_parse( url )
    u = Addressable::URI.parse( html_decode( url.to_s ) ).normalize
    u.fragment = nil
    h = u.to_hash
    
    h[:path].gsub!( /\/+/, '/' ) if h[:path]
    if h[:user]
        h[:userinfo] = h.delete( :user )
        h[:userinfo] << ":#{h.delete( :password )}" if h[:password]
    end
    h
end

.decode(string) ⇒ String

URL decodes a string.

Parameters:

• string (String)

Returns:

• (String)

# File 'lib/arachni/uri.rb', line 94

def decode( string )
    Addressable::URI.unencode( string )
end

.encode(string, bad_characters = nil) ⇒ String

URL encodes a string.

Parameters:

• string (String)
• bad_characters (String, Regexp) (defaults to: nil) —

  Class of characters to encode – if String is passed, it should formatted as a regexp (for ‘Regexp.new`).

Returns:

• (String) —

  Encoded string.

# File 'lib/arachni/uri.rb', line 85

def encode( string, bad_characters = nil )
    Addressable::URI.encode_component( *[string, bad_characters].compact )
end

.fast_parse(url) ⇒ Hash

Note:

This method’s results are cached for performance reasons. If you plan on doing something destructive with its return value duplicate it first because there may be references to it elsewhere.

Note:

The Hash is suitable for passing to ‘::URI::Generic.build` – if however you plan on doing that you’ll be better off just using ruby_parse which does the same thing and caches the results for some extra schnell.

Performs a parse that is less resource intensive than Ruby’s URI lib’s method while normalizing the URL (will also discard the fragment and path parameters).

Parameters:

• url (String)

Returns:

• (Hash) —

  URL components (frozen):

  * `:scheme` -- HTTP or HTTPS
  * `:userinfo` -- `username:password`
  * `:host`
  * `:port`
  * `:path`
  * `:query`
  

# File 'lib/arachni/uri.rb', line 170

def fast_parse( url )
    return if !url || url.empty?
    return if url.downcase.start_with? 'javascript:'
    
    cache = CACHE[__method__]
    
    url = url.to_s.dup
    
    # Remove the fragment if there is one.
    url   = url.split( '#', 2 )[0...-1].join if url.include?( '#' )
    c_url = url.to_s.dup
    
    components = {
        scheme:   nil,
        userinfo: nil,
        host:     nil,
        port:     nil,
        path:     nil,
        query:    nil
    }
    
    valid_schemes = %w(http https)
    
    begin
        if (v = cache[url]) && v == :err
            return
        elsif v
            return v
        end
    
        # We're not smart enough for scheme-less URLs and if we're to go
        # into heuristics then there's no reason to not just use
        # Addressable's parser.
        if url.start_with?( '//' )
            return cache[c_url] = addressable_parse( c_url ).freeze
        end
    
        url = url.recode
        url = html_decode( url )
    
        dupped_url = url.dup
        has_path = true
    
        splits = url.split( ':' )
        if !splits.empty? && valid_schemes.include?( splits.first.downcase )
            splits = url.split( '://', 2 )
            components[:scheme] = splits.shift
            components[:scheme].downcase! if components[:scheme]
    
            if url = splits.shift
                splits = url.to_s.split( '?' ).first.to_s.split( '@', 2 )
    
                if splits.size > 1
                    components[:userinfo] = splits.first
                    url = splits.shift
                end
    
                if !splits.empty?
                    splits = splits.last.split( '/', 2 )
                    url = splits.last
    
                    splits = splits.first.split( ':', 2 )
                    if splits.size == 2
                        host = splits.first

                        if splits.last && !splits.last.empty?
                            components[:port] = Integer( splits.last )
                        end

                        if components[:port] == 80
                            components[:port] = nil
                        end

                        url.gsub!( ':' + components[:port].to_s, '' )
                    else
                        host = splits.last
                    end
    
                    if components[:host] = host
                        url.gsub!( host, '' )
                        components[:host].downcase!
                    end
                else
                    has_path = false
                end
            else
                has_path = false
            end
        end
    
        if has_path
            splits = url.split( '?', 2 )
            if (components[:path] = splits.shift)
                if components[:scheme]
                    components[:path] = '/' + components[:path]
                end

                components[:path].gsub!( /\/+/, '/' )
    
                # Remove path params
                components[:path] = components[:path].split( ';', 2 ).first
    
                if components[:path]
                    components[:path] =
                        encode( decode( components[:path] ),
                                Addressable::URI::CharacterClasses::PATH )
    
                    components[:path] = ::URI.encode( components[:path], ';' )
                end
            end
    
            if c_url.include?( '?' ) &&
                !(query = dupped_url.split( '?', 2 ).last).empty?

                components[:query] = (query.split( '&', -1 ).map do |pair|
                    Addressable::URI.normalize_component( pair,
                        Addressable::URI::CharacterClasses::QUERY.sub( '\\&', '' )
                    )
                end).join( '&' )
            end
        end
    
        components[:path] ||= components[:scheme] ? '/' : nil
    
        components.values.each(&:freeze)
    
        cache[c_url] = components.freeze
    rescue => e
        begin
            print_debug "Failed to fast-parse '#{c_url}', falling back to slow-parse."
            print_debug "Error: #{e}"
            print_debug_backtrace( e )
    
            cache[c_url] = addressable_parse( c_url ).freeze
        rescue => ex
            print_debug "Failed to parse '#{c_url}'."
            print_debug "Error: #{ex}"
            print_debug_backtrace( ex )
    
            cache[c_url] = :err
            nil
        end
    end
end

.normalize(url) ⇒ String

Note:

This method’s results are cached for performance reasons. If you plan on doing something destructive with its return value duplicate it first because there may be references to it elsewhere.

Uses fast_parse to parse and normalize the URL and then converts it to a common String format.

Parameters:

• url (String)

Returns:

• (String) —

  Normalized URL (frozen).

# File 'lib/arachni/uri.rb', line 403

def normalize( url )
    return if !url || url.empty?
    
    cache = CACHE[__method__]
    
    url   = url.to_s.strip.dup
    c_url = url.to_s.strip.dup
    
    begin
        if (v = cache[url]) && v == :err
            return
        elsif v
            return v
        end
    
        components = fast_parse( url )
    
        normalized = ''
        normalized << components[:scheme] + '://' if components[:scheme]
    
        if components[:userinfo]
            normalized << components[:userinfo]
            normalized << '@'
        end
    
        if components[:host]
            normalized << components[:host]
            normalized << ':' + components[:port].to_s if components[:port]
        end
    
        normalized << components[:path] if components[:path]
        normalized << '?' + components[:query] if components[:query]
    
        cache[c_url] = normalized.freeze
    rescue => e
        print_debug "Failed to normalize '#{c_url}'."
        print_debug "Error: #{e}"
        print_debug_backtrace( e )
    
        cache[c_url] = :err
        nil
    end
end

.parse(url) ⇒ Object

Note:

This method’s results are cached for performance reasons. If you plan on doing something destructive with its return value duplicate it first because there may be references to it elsewhere.

Cached version of #initialize, if there’s a chance that the same URL will be needed to be parsed multiple times you should use this method.

See Also:

• #initialize

# File 'lib/arachni/uri.rb', line 106

def parse( url )
    return url if !url || url.is_a?( Arachni::URI )
    CACHE[__method__][url] ||= begin
        new( url )
    rescue => e
        print_debug "Failed to parse '#{url}'."
        print_debug "Error: #{e}"
        print_debug_backtrace( e )
        nil
    end
end

.parse_query(url) ⇒ Hash

Extracts inputs from a URL query.

Parameters:

• url (String)

Returns:

• (Hash)

# File 'lib/arachni/uri.rb', line 462

def parse_query( url )
    parsed = parse( url )
    return {} if !parsed

    parse( url ).query_parameters
end

.parser ⇒ URI::Parser

Returns cached URI parser.

Returns:

• (URI::Parser) —

  cached URI parser

# File 'lib/arachni/uri.rb', line 72

def parser
    CACHE[__method__]
end

.rewrite(url, rules = Arachni::Options.scope.url_rewrites) ⇒ String

Returns Rewritten URL.

Parameters:

• url (String)
• rules (Hash<Regexp => String>) (defaults to: Arachni::Options.scope.url_rewrites) —

  Regular expression and substitution pairs.

Returns:

• (String) —

  Rewritten URL.

# File 'lib/arachni/uri.rb', line 453

def rewrite( url, rules = Arachni::Options.scope.url_rewrites )
    parse( url ).rewrite( rules ).to_s
end

.ruby_parse(url) ⇒ URI

Note:

This method’s results are cached for performance reasons. If you plan on doing something destructive with its return value duplicate it first because there may be references to it elsewhere.

Normalizes ‘url` and uses Ruby’s core URI lib to parse it.

Parameters:

• url (String) —

  URL to parse

Returns:

• (URI)

# File 'lib/arachni/uri.rb', line 128

def ruby_parse( url )
    return url if url.to_s.empty? || url.is_a?( ::URI )
    return if url.downcase.start_with? 'javascript:'
    
    CACHE[__method__][url] ||= begin
        ::URI::Generic.build( fast_parse( url ) )
    rescue
        begin
            parser.parse( normalize( url ).dup )
        rescue => e
            print_debug "Failed to parse '#{url}'."
            print_debug "Error: #{e}"
            print_debug_backtrace( e )
            nil
        end
    end
end

.to_absolute(relative, reference = Options.instance.url.to_s) ⇒ String

Note:

This method’s results are cached for performance reasons. If you plan on doing something destructive with its return value duplicate it first because there may be references to it elsewhere.

Normalizes and converts a ‘relative` URL to an absolute one by merging in with a `reference` URL.

Pretty much a cached version of #to_absolute.

Parameters:

• relative (String)
• reference (String) (defaults to: Options.instance.url.to_s) —

  Absolute url to use as a reference.

Returns:

• (String) —

  Absolute URL (frozen).

# File 'lib/arachni/uri.rb', line 365

def to_absolute( relative, reference = Options.instance.url.to_s )
    return reference if !relative || relative.empty?
    key = relative + ' :: ' + reference
    
    cache = CACHE[__method__]
    begin
        if (v = cache[key]) && v == :err
            return
        elsif v
            return v
        end
    
        parsed_ref = parse( reference )

        if relative.start_with?( '//' )
            # Scheme-less URLs are expensive to parse so let's resolve
            # the issue here.
            relative = "#{parsed_ref.scheme}:#{relative}"
        end

        cache[key] = parse( relative ).to_absolute( parsed_ref ).to_s.freeze
    rescue
        cache[key] = :err
        nil
    end
end

Instance Method Details

#==(other) ⇒ Object

# File 'lib/arachni/uri.rb', line 510

def ==( other )
    to_s == other.to_s
end

#_dump(_) ⇒ Object

# File 'lib/arachni/uri.rb', line 631

def _dump( _ )
    to_s
end

#domain ⇒ String

Returns ‘domain_name.tld`.

Returns:

• (String) —

  ‘domain_name.tld`

# File 'lib/arachni/uri.rb', line 565

def domain
    return host if ip_address?

    s = host.split( '.' )
    return s.first if s.size == 1
    return host if s.size == 2

    s[1..-1].join( '.' )
end

#dup ⇒ Object

# File 'lib/arachni/uri.rb', line 627

def dup
    self.class.new( to_s )
end

#hash ⇒ Object

# File 'lib/arachni/uri.rb', line 639

def hash
    to_s.hash
end

#ip_address? ⇒ Boolean

Returns ‘true` if the URI contains an IP address, `false` otherwise.

Returns:

• (Boolean) —

  ‘true` if the URI contains an IP address, `false` otherwise.

# File 'lib/arachni/uri.rb', line 594

def ip_address?
    !(IPAddr.new( host ) rescue nil).nil?
end

#mailto? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/arachni/uri.rb', line 598

def mailto?
    scheme == 'mailto'
end

#persistent_hash ⇒ Object

# File 'lib/arachni/uri.rb', line 643

def persistent_hash
    to_s.persistent_hash
end

#query=(q) ⇒ Object

# File 'lib/arachni/uri.rb', line 602

def query=( q )
    q = q.to_s
    q = nil if q.empty?

    @parsed_url.query = q
end

#query_parameters ⇒ Hash

Returns Extracted inputs from a URL query.

Returns:

• (Hash) —

  Extracted inputs from a URL query.

# File 'lib/arachni/uri.rb', line 611

def query_parameters
    q = self.query
    return {} if q.to_s.empty?

    q.split( '&' ).inject( {} ) do |h, pair|
        name, value = pair.split( '=', 2 )
        h[::URI.decode( name.to_s )] = ::URI.decode( value.to_s )
        h
    end
end

#resource_extension ⇒ String

Returns The extension of the URI resource.

Returns:

• (String) —

  The extension of the URI resource.

# File 'lib/arachni/uri.rb', line 542

def resource_extension
    resource_name = path.split( '/' ).last.to_s
    return if !resource_name.include?( '.' )
    resource_name.split( '.' ).last
end

#respond_to?(*args) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/arachni/uri.rb', line 657

def respond_to?( *args )
    super || @parsed_url.respond_to?( *args )
end

#rewrite(rules = Arachni::Options.scope.url_rewrites) ⇒ URI

Returns Rewritten URL.

Parameters:

• rules (Hash<Regexp => String>) (defaults to: Arachni::Options.scope.url_rewrites) —

  Regular expression and substitution pairs.

Returns:

• (URI) —

  Rewritten URL.

# File 'lib/arachni/uri.rb', line 580

def rewrite( rules = Arachni::Options.scope.url_rewrites )
    as_string = self.to_s

    rules.each do |args|
        if (rewritten = as_string.gsub( *args )) != as_string
            return Arachni::URI( rewritten )
        end
    end

    self.dup
end

#scope ⇒ Scope

Returns:

• (Scope)

# File 'lib/arachni/uri.rb', line 506

def scope
    @scope ||= Scope.new( self )
end

#to_absolute(reference) ⇒ Arachni::URI

Converts self into an absolute URL using ‘reference` to fill in the missing data.

Parameters:

• reference (Arachni::URI, URI, String) —

  Full, absolute URL.

Returns:

• (Arachni::URI) —

  Self, as an absolute URL.

# File 'lib/arachni/uri.rb', line 522

def to_absolute( reference )
    absolute = case reference
                   when Arachni::URI
                       reference.parsed_url
                   when ::URI
                       reference
                   else
                       self.class.new( reference.to_s ).parsed_url
               end.merge( @parsed_url )

    self.class.new( absolute )
end

#to_s ⇒ String

Returns:

• (String)

# File 'lib/arachni/uri.rb', line 623

def to_s
    @parsed_url.to_s
end

#up_to_path ⇒ String

Returns The URL up to its path component (no resource name, query, fragment, etc).

Returns:

• (String) —

  The URL up to its path component (no resource name, query, fragment, etc).

# File 'lib/arachni/uri.rb', line 550

def up_to_path
    return if !path
    uri_path = path.dup

    uri_path = File.dirname( uri_path ) if !File.extname( path ).empty?

    uri_path << '/' if uri_path[-1] != '/'

    uri_str = "#{scheme}://#{host}"
    uri_str << ':' + port.to_s if port && port != 80
    uri_str << uri_path
end

#without_query ⇒ String

Returns The URL up to its resource component (query, fragment, etc).

Returns:

• (String) —

  The URL up to its resource component (query, fragment, etc).

# File 'lib/arachni/uri.rb', line 537

def without_query
    to_s.split( '?', 2 ).first.to_s
end