Class: Arachni::URI

Inherits:

Object

• Object
• Arachni::URI

Extended by:

Arachni::UI::Output, Utilities

Includes:

Arachni::UI::Output, Utilities

Defined in:

lib/arachni/uri.rb,
lib/arachni/uri/scope.rb

Overview

The URI class automatically normalizes the URLs it is passed to parse while maintaining compatibility with Ruby’s URI core class by delegating missing methods to it – thus, you can treat it like a Ruby URI and enjoy some extra perks along the way.

It also provides cached (to maintain a low latency) helper class methods to ease common operations such as:

• Normalization.

• Parsing to Arachni::URI (see also URI), ::URI or Hash objects.

• Conversion to absolute URLs.

Author:

• Tasos “Zapotek” Laskos <tasos.laskos@arachni-scanner.com>

Defined Under Namespace

Classes: Error, Scope

Constant Summary

CACHE_SIZES =

{
    parse:       1000,
    ruby_parse:  1000,
    fast_parse:  1000,
    encode:      1000,
    decode:      1000,
    normalize:   1000,
    to_absolute: 1000
}

CACHE =

{
    parser: ::URI::Parser.new
}

Class Method Summary

• ._load(url) ⇒ Object
• .addressable_parse(url) ⇒ Hash

  Performs a parse using the ‘URI::Addressable` lib while normalizing the URL (will also discard the fragment).

• .decode(string) ⇒ String

  URL decodes a string.

• .encode(string, good_characters = nil) ⇒ String

  URL encodes a string.

• .fast_parse(url) ⇒ Hash

  Performs a parse that is less resource intensive than Ruby’s URI lib’s method while normalizing the URL (will also discard the fragment and path parameters).

• .full_and_absolute?(url) ⇒ Bool

  ‘true` is the URL is full and absolute, `false` otherwise.

• .normalize(url) ⇒ String

  Uses URI.fast_parse to parse and normalize the URL and then converts it to a common String format.

• .parse(url) ⇒ Object

  Cached version of #initialize, if there’s a chance that the same URL will be needed to be parsed multiple times you should use this method.

• .parse_query(url) ⇒ Hash

  Extracts inputs from a URL query.

• .parser ⇒ URI::Parser

  Cached URI parser.

• .rewrite(url, rules = Arachni::Options.scope.url_rewrites) ⇒ String

  Rewritten URL.

• .ruby_parse(url) ⇒ URI

  Normalizes ‘url` and uses Ruby’s core URI lib to parse it.

• .to_absolute(relative, reference = Options.instance.url.to_s) ⇒ String

  Normalizes and converts a ‘relative` URL to an absolute one by merging in with a `reference` URL.

Instance Method Summary

• #==(other) ⇒ Object
• #_dump(_) ⇒ Object
• #domain ⇒ String

  ‘domain_name.tld`.

• #dup ⇒ Object
• #hash ⇒ Object
• #initialize(url) ⇒ URI constructor

  Normalizes and parses the provided URL.

• #ip_address? ⇒ Boolean

  ‘true` if the URI contains an IP address, `false` otherwise.

• #mailto? ⇒ Boolean
• #method_missing(sym, *args, &block) ⇒ Object

  Delegates unimplemented methods to Ruby’s ‘URI::Generic` class for compatibility.

• #persistent_hash ⇒ Object
• #query=(q) ⇒ Object
• #query_parameters ⇒ Hash

  Extracted inputs from a URL query.

• #resource_extension ⇒ String^?

  The extension of the URI #file_name, ‘nil` if there is none.

• #resource_name ⇒ String

  Name of the resource.

• #respond_to?(*args) ⇒ Boolean
• #rewrite(rules = Arachni::Options.scope.url_rewrites) ⇒ URI

  Rewritten URL.

• #scope ⇒ Scope
• #to_absolute(reference) ⇒ Arachni::URI

  Converts self into an absolute URL using ‘reference` to fill in the missing data.

• #to_s ⇒ String
• #up_to_path ⇒ String

  The URL up to its path component (no resource name, query, fragment, etc).

• #without_query ⇒ String

  The URL up to its resource component (query, fragment, etc).

Methods included from Arachni::UI::Output

debug?, debug_off, debug_on, disable_only_positives, included, mute, muted?, only_positives, only_positives?, print_bad, print_debug, print_debug_backtrace, print_debug_level_1, print_debug_level_2, print_debug_level_3, print_error, print_error_backtrace, print_exception, print_info, print_line, print_ok, print_status, print_verbose, reroute_to_file, reroute_to_file?, reset_output_options, unmute, verbose?, verbose_on

Methods included from Utilities

available_port, bytes_to_kilobytes, bytes_to_megabytes, caller_name, caller_path, cookie_decode, cookie_encode, cookies_from_document, cookies_from_file, cookies_from_response, exception_jail, exclude_path?, follow_protocol?, form_decode, form_encode, forms_from_document, forms_from_response, full_and_absolute_url?, generate_token, get_path, hms_to_seconds, html_decode, html_encode, include_path?, links_from_document, links_from_response, normalize_url, page_from_response, page_from_url, parse_set_cookie, path_in_domain?, path_too_deep?, port_available?, rand_port, random_seed, redundant_path?, regexp_array_match, remove_constants, request_parse_body, seconds_to_hms, skip_page?, skip_path?, skip_resource?, skip_response?, uri_decode, uri_encode, uri_parse, uri_parse_query, uri_parser, uri_rewrite

Constructor Details

#initialize(url) ⇒ URI

Note:

Will discard the fragment component, if there is one.

Normalizes and parses the provided URL.

Parameters:

• url (Arachni::URI, String, URI, Hash) —

  String URL to parse, ‘URI` to convert, or a `Hash` holding URL components (for `URI::Generic.build`). Also accepts Arachni::URI for convenience.

# File 'lib/arachni/uri.rb', line 494

def initialize( url )
    @parsed_url = case url
                      when String
                          self.class.ruby_parse( url )

                      when ::URI
                          url

                      when Hash
                          ::URI::Generic.build( url )

                      when Arachni::URI
                          self.parsed_url = url.parsed_url

                      else
                          to_string = url.to_s rescue ''
                          msg = 'Argument must either be String, URI or Hash'
                          msg << " -- #{url.class.name} '#{to_string}' passed."
                          fail ArgumentError.new( msg )
                  end

    fail Error, 'Failed to parse URL.' if !@parsed_url

    # We probably got it from the cache, dup it to avoid corrupting the cache
    # entries.
    @parsed_url = @parsed_url.dup
end

Dynamic Method Handling

This class handles dynamic methods through the method_missing method

#method_missing(sym, *args, &block) ⇒ Object

Delegates unimplemented methods to Ruby’s ‘URI::Generic` class for compatibility.

# File 'lib/arachni/uri.rb', line 675

def method_missing( sym, *args, &block )
    if @parsed_url.respond_to?( sym )
        @parsed_url.send( sym, *args, &block )
    else
        super
    end
end

Class Method Details

._load(url) ⇒ Object

# File 'lib/arachni/uri.rb', line 661

def self._load( url )
    new url
end

.addressable_parse(url) ⇒ Hash

Note:

The Hash is suitable for passing to ‘::URI::Generic.build` – if however you plan on doing that you’ll be better off just using ruby_parse which does the same thing and caches the results for some extra schnell.

Performs a parse using the ‘URI::Addressable` lib while normalizing the URL (will also discard the fragment).

This method is not cached and solely exists as a fallback used by fast_parse.

Parameters:

• url (String)

Returns:

• (Hash) —

  URL components:

  * `:scheme` -- HTTP or HTTPS
  * `:userinfo` -- `username:password`
  * `:host`
  * `:port`
  * `:path`
  * `:query`
  

# File 'lib/arachni/uri.rb', line 340

def addressable_parse( url )
    u = Addressable::URI.parse( html_decode( url.to_s ) ).normalize
    u.fragment = nil
    h = u.to_hash

    h[:path].gsub!( /\/+/, '/' ) if h[:path]
    if h[:user]
        h[:userinfo] = h.delete( :user )
        h[:userinfo] << ":#{h.delete( :password )}" if h[:password]
    end
    h
end

.decode(string) ⇒ String

URL decodes a string.

Parameters:

• string (String)

Returns:

• (String)

# File 'lib/arachni/uri.rb', line 95

def decode( string )
    CACHE[__method__][string] ||= Addressable::URI.unencode( string )
end

.encode(string, good_characters = nil) ⇒ String

URL encodes a string.

Parameters:

• string (String)
• good_characters (String, Regexp) (defaults to: nil) —

  Class of characters to allow – if String is passed, it should formatted as a regexp (for ‘Regexp.new`).

Returns:

• (String) —

  Encoded string.

# File 'lib/arachni/uri.rb', line 85

def encode( string, good_characters = nil )
    CACHE[__method__][[string, good_characters]] ||=
        Addressable::URI.encode_component( *[string, good_characters].compact )
end

.fast_parse(url) ⇒ Hash

Note:

This method’s results are cached for performance reasons. If you plan on doing something destructive with its return value duplicate it first because there may be references to it elsewhere.

Note:

The Hash is suitable for passing to ‘::URI::Generic.build` – if however you plan on doing that you’ll be better off just using ruby_parse which does the same thing and caches the results for some extra schnell.

Performs a parse that is less resource intensive than Ruby’s URI lib’s method while normalizing the URL (will also discard the fragment and path parameters).

Parameters:

• url (String)

Returns:

• (Hash) —

  URL components (frozen):

  * `:scheme` -- HTTP or HTTPS
  * `:userinfo` -- `username:password`
  * `:host`
  * `:port`
  * `:path`
  * `:query`
  

# File 'lib/arachni/uri.rb', line 171

def fast_parse( url )
    return if !url || url.empty?
    return if url.downcase.start_with? 'javascript:'

    cache = CACHE[__method__]

    url = url.to_s.dup

    # Remove the fragment if there is one.
    if url.include?( '#' )
        url = url.split( '#', 2 )[0...-1].join
    end

    c_url = url.dup

    components = {
        scheme:   nil,
        userinfo: nil,
        host:     nil,
        port:     nil,
        path:     nil,
        query:    nil
    }

    valid_schemes = %w(http https)

    begin
        if (v = cache[url]) && v == :err
            return
        elsif v
            return v
        end

        # We're not smart enough for scheme-less URLs and if we're to go
        # into heuristics then there's no reason to not just use
        # Addressable's parser.
        if url.start_with?( '//' )
            return cache[c_url] = addressable_parse( c_url ).freeze
        end

        url = url.recode!
        url = html_decode( url )

        dupped_url = url.dup
        has_path = true

        splits = url.split( ':' )
        if !splits.empty? && valid_schemes.include?( splits.first.downcase )
            splits = url.split( '://', 2 )
            components[:scheme] = splits.shift
            components[:scheme].downcase! if components[:scheme]

            if url = splits.shift
                splits = url.to_s.split( '?' ).first.to_s.split( '@', 2 )

                if splits.size > 1
                    components[:userinfo] = splits.first
                    url = splits.shift
                end

                if !splits.empty?
                    splits = splits.last.split( '/', 2 )
                    url = splits.last

                    splits = splits.first.split( ':', 2 )
                    if splits.size == 2
                        host = splits.first

                        if splits.last && !splits.last.empty?
                            components[:port] = Integer( splits.last )
                        end

                        if components[:port] == 80
                            components[:port] = nil
                        end

                        url.gsub!( ':' + components[:port].to_s, '' )
                    else
                        host = splits.last
                    end

                    if components[:host] = host
                        url.gsub!( host, '' )
                        components[:host].downcase!
                    end
                else
                    has_path = false
                end
            else
                has_path = false
            end
        end

        if has_path
            splits = url.split( '?', 2 )
            if (components[:path] = splits.shift)
                if components[:scheme]
                    components[:path] = '/' + components[:path]
                end

                components[:path].gsub!( /\/+/, '/' )

                # Remove path params
                components[:path] = components[:path].split( ';', 2 ).first

                if components[:path]
                    components[:path] =
                        encode( decode( components[:path] ),
                                Addressable::URI::CharacterClasses::PATH )

                    components[:path] = ::URI.encode( components[:path], ';' )
                end
            end

            if c_url.include?( '?' ) &&
                !(query = dupped_url.split( '?', 2 ).last).empty?

                components[:query] = (query.split( '&', -1 ).map do |pair|
                    encode( decode( pair ),
                            Addressable::URI::CharacterClasses::QUERY.sub( '\\&', '' ) )
                end).join( '&' )
            end
        end

        components[:path] ||= components[:scheme] ? '/' : nil

        components.values.each(&:freeze)

        cache[c_url] = components.freeze
    rescue => e
        begin
            print_debug "Failed to fast-parse '#{c_url}', falling back to slow-parse."
            print_debug "Error: #{e}"
            print_debug_backtrace( e )

            cache[c_url] = addressable_parse( c_url.recode! ).freeze
        rescue => ex
            print_debug "Failed to parse '#{c_url}'."
            print_debug "Error: #{ex}"
            print_debug_backtrace( ex )

            cache[c_url] = :err
            nil
        end
    end
end

.full_and_absolute?(url) ⇒ Bool

Returns ‘true` is the URL is full and absolute, `false` otherwise.

Parameters:

• url (String) —

  URL to check.

Returns:

• (Bool) —

  ‘true` is the URL is full and absolute, `false` otherwise.

# File 'lib/arachni/uri.rb', line 477

def full_and_absolute?( url )
    return false if url.to_s.empty?

    parsed = parse( url.to_s )
    return false if !parsed

    parsed.absolute?
end

.normalize(url) ⇒ String

Note:

This method’s results are cached for performance reasons. If you plan on doing something destructive with its return value duplicate it first because there may be references to it elsewhere.

Uses fast_parse to parse and normalize the URL and then converts it to a common String format.

Parameters:

• url (String)

Returns:

• (String) —

  Normalized URL (frozen).

# File 'lib/arachni/uri.rb', line 406

def normalize( url )
    return if !url || url.empty?

    cache = CACHE[__method__]

    url   = url.to_s.strip
    c_url = url.dup

    begin
        if (v = cache[url]) && v == :err
            return
        elsif v
            return v
        end

        components = fast_parse( url )

        normalized = ''
        normalized << components[:scheme] + '://' if components[:scheme]

        if components[:userinfo]
            normalized << components[:userinfo]
            normalized << '@'
        end

        if components[:host]
            normalized << components[:host]
            normalized << ':' + components[:port].to_s if components[:port]
        end

        normalized << components[:path] if components[:path]
        normalized << '?' + components[:query] if components[:query]

        cache[c_url] = normalized.freeze
    rescue => e
        print_debug "Failed to normalize '#{c_url}'."
        print_debug "Error: #{e}"
        print_debug_backtrace( e )

        cache[c_url] = :err
        nil
    end
end

.parse(url) ⇒ Object

Note:

This method’s results are cached for performance reasons. If you plan on doing something destructive with its return value duplicate it first because there may be references to it elsewhere.

Cached version of #initialize, if there’s a chance that the same URL will be needed to be parsed multiple times you should use this method.

See Also:

• #initialize

# File 'lib/arachni/uri.rb', line 107

def parse( url )
    return url if !url || url.is_a?( Arachni::URI )
    CACHE[__method__][url] ||= begin
        new( url )
    rescue => e
        print_debug "Failed to parse '#{url}'."
        print_debug "Error: #{e}"
        print_debug_backtrace( e )
        nil
    end
end

.parse_query(url) ⇒ Hash

Extracts inputs from a URL query.

Parameters:

• url (String)

Returns:

• (Hash)

# File 'lib/arachni/uri.rb', line 465

def parse_query( url )
    parsed = parse( url )
    return {} if !parsed

    parse( url ).query_parameters
end

.parser ⇒ URI::Parser

Returns cached URI parser.

Returns:

• (URI::Parser) —

  cached URI parser

# File 'lib/arachni/uri.rb', line 72

def parser
    CACHE[__method__]
end

.rewrite(url, rules = Arachni::Options.scope.url_rewrites) ⇒ String

Returns Rewritten URL.

Parameters:

• url (String)
• rules (Hash<Regexp => String>) (defaults to: Arachni::Options.scope.url_rewrites) —

  Regular expression and substitution pairs.

Returns:

• (String) —

  Rewritten URL.

# File 'lib/arachni/uri.rb', line 456

def rewrite( url, rules = Arachni::Options.scope.url_rewrites )
    parse( url ).rewrite( rules ).to_s
end

.ruby_parse(url) ⇒ URI

Note:

This method’s results are cached for performance reasons. If you plan on doing something destructive with its return value duplicate it first because there may be references to it elsewhere.

Normalizes ‘url` and uses Ruby’s core URI lib to parse it.

Parameters:

• url (String) —

  URL to parse

Returns:

• (URI)

# File 'lib/arachni/uri.rb', line 129

def ruby_parse( url )
    return url if url.to_s.empty? || url.is_a?( ::URI )
    return if url.downcase.start_with? 'javascript:'

    CACHE[__method__][url] ||= begin
        ::URI::Generic.build( fast_parse( url ) )
    rescue
        begin
            parser.parse( normalize( url ).dup )
        rescue => e
            print_debug "Failed to parse '#{url}'."
            print_debug "Error: #{e}"
            print_debug_backtrace( e )
            nil
        end
    end
end

.to_absolute(relative, reference = Options.instance.url.to_s) ⇒ String

Note:

This method’s results are cached for performance reasons. If you plan on doing something destructive with its return value duplicate it first because there may be references to it elsewhere.

Normalizes and converts a ‘relative` URL to an absolute one by merging in with a `reference` URL.

Pretty much a cached version of #to_absolute.

Parameters:

• relative (String)
• reference (String) (defaults to: Options.instance.url.to_s) —

  Absolute url to use as a reference.

Returns:

• (String) —

  Absolute URL (frozen).

# File 'lib/arachni/uri.rb', line 368

def to_absolute( relative, reference = Options.instance.url.to_s )
    return reference if !relative || relative.empty?
    key = relative + ' :: ' + reference

    cache = CACHE[__method__]
    begin
        if (v = cache[key]) && v == :err
            return
        elsif v
            return v
        end

        parsed_ref = parse( reference )

        if relative.start_with?( '//' )
            # Scheme-less URLs are expensive to parse so let's resolve
            # the issue here.
            relative = "#{parsed_ref.scheme}:#{relative}"
        end

        cache[key] = parse( relative ).to_absolute( parsed_ref ).to_s.freeze
    rescue
        cache[key] = :err
        nil
    end
end

Instance Method Details

#==(other) ⇒ Object

# File 'lib/arachni/uri.rb', line 527

def ==( other )
    to_s == other.to_s
end

#_dump(_) ⇒ Object

# File 'lib/arachni/uri.rb', line 657

def _dump( _ )
    to_s
end

#domain ⇒ String

Returns ‘domain_name.tld`.

Returns:

• (String) —

  ‘domain_name.tld`

# File 'lib/arachni/uri.rb', line 590

def domain
    return if !host
    return host if ip_address?

    s = host.split( '.' )
    return s.first if s.size == 1
    return host if s.size == 2

    s[1..-1].join( '.' )
end

#dup ⇒ Object

# File 'lib/arachni/uri.rb', line 653

def dup
    self.class.new( to_s )
end

#hash ⇒ Object

# File 'lib/arachni/uri.rb', line 665

def hash
    to_s.hash
end

#ip_address? ⇒ Boolean

Returns ‘true` if the URI contains an IP address, `false` otherwise.

Returns:

• (Boolean) —

  ‘true` if the URI contains an IP address, `false` otherwise.

# File 'lib/arachni/uri.rb', line 620

def ip_address?
    !(IPAddr.new( host ) rescue nil).nil?
end

#mailto? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/arachni/uri.rb', line 624

def mailto?
    scheme == 'mailto'
end

#persistent_hash ⇒ Object

# File 'lib/arachni/uri.rb', line 669

def persistent_hash
    to_s.persistent_hash
end

#query=(q) ⇒ Object

# File 'lib/arachni/uri.rb', line 628

def query=( q )
    q = q.to_s
    q = nil if q.empty?

    @parsed_url.query = q
end

#query_parameters ⇒ Hash

Returns Extracted inputs from a URL query.

Returns:

• (Hash) —

  Extracted inputs from a URL query.

# File 'lib/arachni/uri.rb', line 637

def query_parameters
    q = self.query
    return {} if q.to_s.empty?

    q.split( '&' ).inject( {} ) do |h, pair|
        name, value = pair.split( '=', 2 )
        h[::URI.decode( name.to_s )] = ::URI.decode( value.to_s )
        h
    end
end

#resource_extension ⇒ String^?

Returns The extension of the URI #file_name, ‘nil` if there is none.

Returns:

• (String, nil) —

  The extension of the URI #file_name, ‘nil` if there is none.

# File 'lib/arachni/uri.rb', line 566

def resource_extension
    name = resource_name.to_s
    return if !name.include?( '.' )

    name.split( '.' ).last
end

#resource_name ⇒ String

Returns Name of the resource.

Returns:

• (String) —

  Name of the resource.

# File 'lib/arachni/uri.rb', line 560

def resource_name
    path.split( '/' ).last
end

#respond_to?(*args) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/arachni/uri.rb', line 683

def respond_to?( *args )
    super || @parsed_url.respond_to?( *args )
end

#rewrite(rules = Arachni::Options.scope.url_rewrites) ⇒ URI

Returns Rewritten URL.

Parameters:

• rules (Hash<Regexp => String>) (defaults to: Arachni::Options.scope.url_rewrites) —

  Regular expression and substitution pairs.

Returns:

• (URI) —

  Rewritten URL.

# File 'lib/arachni/uri.rb', line 606

def rewrite( rules = Arachni::Options.scope.url_rewrites )
    as_string = self.to_s

    rules.each do |args|
        if (rewritten = as_string.gsub( *args )) != as_string
            return Arachni::URI( rewritten )
        end
    end

    self.dup
end

#scope ⇒ Scope

Returns:

• (Scope)

# File 'lib/arachni/uri.rb', line 523

def scope
    @scope ||= Scope.new( self )
end

#to_absolute(reference) ⇒ Arachni::URI

Converts self into an absolute URL using ‘reference` to fill in the missing data.

Parameters:

• reference (Arachni::URI, URI, String) —

  Full, absolute URL.

Returns:

• (Arachni::URI) —

  Self, as an absolute URL.

# File 'lib/arachni/uri.rb', line 539

def to_absolute( reference )
    absolute = case reference
                   when Arachni::URI
                       reference.parsed_url
                   when ::URI
                       reference
                   else
                       self.class.new( reference.to_s ).parsed_url
               end.merge( @parsed_url )

    self.class.new( absolute )
end

#to_s ⇒ String

Returns:

• (String)

# File 'lib/arachni/uri.rb', line 649

def to_s
    @parsed_url.to_s
end

#up_to_path ⇒ String

Returns The URL up to its path component (no resource name, query, fragment, etc).

Returns:

• (String) —

  The URL up to its path component (no resource name, query, fragment, etc).

# File 'lib/arachni/uri.rb', line 575

def up_to_path
    return if !path
    uri_path = path.dup

    uri_path = File.dirname( uri_path ) if !File.extname( path ).empty?

    uri_path << '/' if uri_path[-1] != '/'

    uri_str = "#{scheme}://#{host}"
    uri_str << ':' + port.to_s if port && port != 80
    uri_str << uri_path
end

#without_query ⇒ String

Returns The URL up to its resource component (query, fragment, etc).

Returns:

• (String) —

  The URL up to its resource component (query, fragment, etc).

# File 'lib/arachni/uri.rb', line 554

def without_query
    to_s.split( '?', 2 ).first.to_s
end