From 1bf3ae6d94f867782c13bda455de8101a4f86950 Mon Sep 17 00:00:00 2001 From: Florian Wininger Date: Thu, 29 Apr 2021 11:19:37 +0200 Subject: [PATCH] Fix coding style --- .pylintrc | 20 +++++-- setup.py | 2 +- wapitiCore/attack/attack.py | 6 +- wapitiCore/attack/mod_brute_login_form.py | 4 +- wapitiCore/attack/mod_crlf.py | 2 +- wapitiCore/attack/mod_csrf.py | 2 +- wapitiCore/attack/mod_drupal_enum.py | 71 ++++++++++++----------- wapitiCore/attack/mod_file.py | 2 +- wapitiCore/attack/mod_http_headers.py | 4 +- wapitiCore/attack/mod_permanentxss.py | 10 ++-- wapitiCore/attack/mod_shellshock.py | 2 +- wapitiCore/attack/mod_sql.py | 6 +- wapitiCore/attack/mod_ssrf.py | 2 +- wapitiCore/attack/mod_timesql.py | 2 +- wapitiCore/attack/mod_wp_enum.py | 51 ++++++++-------- wapitiCore/attack/mod_xss.py | 11 ++-- wapitiCore/attack/mod_xxe.py | 6 +- wapitiCore/language/vulnerability.py | 1 + wapitiCore/main/wapiti.py | 7 ++- wapitiCore/net/page.py | 4 +- wapitiCore/net/swf.py | 3 - wapitiCore/net/web.py | 5 +- wapitiCore/net/xss_utils.py | 6 +- wapitiCore/report/__init__.py | 12 ++-- wapitiCore/report/txtreportgenerator.py | 1 - 25 files changed, 128 insertions(+), 114 deletions(-) diff --git a/.pylintrc b/.pylintrc index 7f3e23ec..c761bcaf 100644 --- a/.pylintrc +++ b/.pylintrc @@ -3,6 +3,10 @@ # Specify a configuration file. #rcfile= +# Add files or directories matching the regex patterns to the blacklist. The +# regex matches against base names, not paths. +ignore-patterns=jsparser3.py + [MESSAGES CONTROL] # Only show warnings with the listed confidence levels. Leave empty to show @@ -24,19 +28,27 @@ confidence= # --enable=similarities". If you want to run only the classes checker, but have # no Warning level messages displayed, use"--disable=all --enable=classes # --disable=W" -disable=too-few-public-methods,too-many-instance-attributes,too-many-arguments, - too-many-locals,logging-format-interpolation,not-an-iterable,too-many-public-methods, - missing-function-docstring,missing-class-docstring,missing-module-docstring +disable=too-few-public-methods,too-many-instance-attributes,too-many-arguments,import-error, + logging-format-interpolation,not-an-iterable,too-many-public-methods,fixme, + missing-function-docstring,missing-class-docstring,missing-module-docstring,invalid-name [FORMAT] # Maximum number of characters on a single line. max-line-length=120 +max-nested-blocks=10 + +max-locals=25 + +max-branches=40 + +max-statements=100 + [SIMILARITIES] # Minimum lines number of a similarity. -min-similarity-lines=16 +min-similarity-lines=43 # Ignore comments when computing similarities. ignore-comments=yes diff --git a/setup.py b/setup.py index 0948f626..b86891b9 100644 --- a/setup.py +++ b/setup.py @@ -78,7 +78,7 @@ if a script is vulnerable.""", author_email="nicolas.surribas@gmail.com", license="GPLv2", platforms=["Any"], - packages=find_packages(exclude=["tests","tests.*"]), + packages=find_packages(exclude=["tests", "tests.*"]), data_files=doc_and_conf_files, include_package_data=True, scripts=[ diff --git a/wapitiCore/attack/attack.py b/wapitiCore/attack/attack.py index b18c742e..3f6df019 100644 --- a/wapitiCore/attack/attack.py +++ b/wapitiCore/attack/attack.py @@ -591,14 +591,14 @@ if __name__ == "__main__": print(flags) print('') - print("#"*50) + print("#" * 50) print('') for evil_request, param_name, payload, flags in mutator.mutate(res2): print(evil_request) print('') - print("#"*50) + print("#" * 50) print('') def iterator(): @@ -610,7 +610,7 @@ if __name__ == "__main__": print(evil_request) print('') - print("#"*50) + print("#" * 50) print('') mutator = Mutator(payloads=random_string_with_flags, qs_inject=True, max_queries_per_pattern=16) diff --git a/wapitiCore/attack/mod_brute_login_form.py b/wapitiCore/attack/mod_brute_login_form.py index da2e1760..63a3bd62 100644 --- a/wapitiCore/attack/mod_brute_login_form.py +++ b/wapitiCore/attack/mod_brute_login_form.py @@ -91,7 +91,7 @@ class mod_brute_login_form(Attack): def must_attack(self, request: Request): # We leverage the fact that the crawler will fill password entries with a known placeholder - if "Letm3in_" not in (request.encoded_data + request.encoded_params): + if "Letm3in_" not in request.encoded_data + request.encoded_params: return False # We may want to remove this but if not available fallback to target URL @@ -172,7 +172,7 @@ class mod_brute_login_form(Attack): ) self.log_red("---") - self.log_red(vuln_message), + self.log_red(vuln_message) self.log_red(Messages.MSG_EVIL_REQUEST) self.log_red(evil_request.http_repr()) self.log_red("---") diff --git a/wapitiCore/attack/mod_crlf.py b/wapitiCore/attack/mod_crlf.py index 87f13b0b..c1273496 100644 --- a/wapitiCore/attack/mod_crlf.py +++ b/wapitiCore/attack/mod_crlf.py @@ -43,7 +43,7 @@ class mod_crlf(Attack): def attack(self, request: Request): page = request.path - for mutated_request, parameter, payload, flags in self.mutator.mutate(request): + for mutated_request, parameter, _payload, _flags in self.mutator.mutate(request): if self.verbose == 2: print("[¨] {0}".format(mutated_request.url)) diff --git a/wapitiCore/attack/mod_csrf.py b/wapitiCore/attack/mod_csrf.py index 15e8bdb9..be93ea13 100644 --- a/wapitiCore/attack/mod_csrf.py +++ b/wapitiCore/attack/mod_csrf.py @@ -46,7 +46,7 @@ class mod_csrf(Attack): "authenticity_token", "_token", "csrf_token", "csrfname", "csrftoken", "anticsrf", "__requestverificationtoken", "token", "csrf", "_csrf_token", "xsrf_token", "_csrf", "csrf-token", "xsrf-token", "_wpnonce" - ] + ] TOKEN_HEADER_STRINGS = [ "csrf-token", "x-csrf-token", "xsrf-token", "x-xsrf-token", "csrfp-token", diff --git a/wapitiCore/attack/mod_drupal_enum.py b/wapitiCore/attack/mod_drupal_enum.py index 843149d5..0cba85c3 100644 --- a/wapitiCore/attack/mod_drupal_enum.py +++ b/wapitiCore/attack/mod_drupal_enum.py @@ -11,6 +11,7 @@ from wapitiCore.definitions.fingerprint import NAME as TECHNO_DETECTED MSG_TECHNO_VERSIONED = _("{0} {1} detected") MSG_NO_DRUPAL = _("No Drupal Detected") + class mod_drupal_enum(Attack): """Detect Drupal version.""" name = "drupal_enum" @@ -18,6 +19,7 @@ class mod_drupal_enum(Attack): PAYLOADS_FILE_THEMES = "wordpress_themes.txt" versions = [] + def __init__(self, crawler, persister, logger, attack_options): Attack.__init__(self, crawler, persister, logger, attack_options) self.finished = False @@ -30,7 +32,7 @@ class mod_drupal_enum(Attack): def detect_version(self, url): vers = {} data = self.get_hash() - for uri in data : + for uri in data: req = Request('{}{}'.format(url, uri)) rep = self.crawler.get(req) if rep.status != 200: @@ -39,22 +41,21 @@ class mod_drupal_enum(Attack): cont = rep.content.encode() hash_content = hashlib.sha256(cont).hexdigest() - if uri in data : - if hash_content in data[uri] : + if uri in data: + if hash_content in data[uri]: vers[uri] = data[uri][hash_content] - if vers : - self.versions = set.intersection(*[set(versions) for versions in vers.values()]) + if vers: + self.versions = set.intersection(*[set(versions) for versions in vers.values()]) def check_drupal(self, url): check_list = ['sites/', 'core/misc/drupal.js', 'misc/drupal.js', 'misc/test/error/404/ispresent.html'] - for item in check_list : + for item in check_list: req = Request('{}{}'.format(url, item)) rep = self.crawler.get(req) if rep.status != 404: return True return False - def must_attack(self, request: Request): if self.finished: return False @@ -66,44 +67,44 @@ class mod_drupal_enum(Attack): def attack(self, request: Request): self.finished = True request_to_root = Request(request.url) - response = self.crawler.send(request_to_root, follow_redirects=True) + self.crawler.send(request_to_root, follow_redirects=True) if self.check_drupal(request_to_root.url): self.detect_version(request_to_root.url) - if self.versions : + if self.versions: self.versions = sorted(self.versions, key=lambda x: [i for i in x.split('.')]) drupal_detected = { - "name": "Drupal", - "versions": self.versions, - "categories": ["CMS Drupal"] - } + "name": "Drupal", + "versions": self.versions, + "categories": ["CMS Drupal"] + } self.log_blue( - MSG_TECHNO_VERSIONED, - "Drupal", - self.versions - ) + MSG_TECHNO_VERSIONED, + "Drupal", + self.versions + ) self.add_addition( - category = TECHNO_DETECTED, - level = LOW_LEVEL, - request = request_to_root, - info = json.dumps(drupal_detected) - ) - else : + category=TECHNO_DETECTED, + level=LOW_LEVEL, + request=request_to_root, + info=json.dumps(drupal_detected) + ) + else: drupal_detected = { - "name": "Drupal", - "versions": [""], - "categories": ["CMS Drupal"] - } + "name": "Drupal", + "versions": [""], + "categories": ["CMS Drupal"] + } self.log_blue( - MSG_TECHNO_VERSIONED, - "Drupal", - [] + MSG_TECHNO_VERSIONED, + "Drupal", + [] ) self.add_addition( - category = TECHNO_DETECTED, - level = LOW_LEVEL, - request = request_to_root, - info = json.dumps(drupal_detected) + category=TECHNO_DETECTED, + level=LOW_LEVEL, + request=request_to_root, + info=json.dumps(drupal_detected) ) - else : + else: self.log_blue(MSG_NO_DRUPAL) diff --git a/wapitiCore/attack/mod_file.py b/wapitiCore/attack/mod_file.py index 38081f38..4f0d1097 100644 --- a/wapitiCore/attack/mod_file.py +++ b/wapitiCore/attack/mod_file.py @@ -24,7 +24,7 @@ import re from requests.exceptions import ReadTimeout, RequestException from wapitiCore.attack.attack import Attack, PayloadReader -from wapitiCore.language.vulnerability import Messages, MEDIUM_LEVEL, HIGH_LEVEL,CRITICAL_LEVEL, _ +from wapitiCore.language.vulnerability import Messages, MEDIUM_LEVEL, HIGH_LEVEL, CRITICAL_LEVEL, _ from wapitiCore.definitions.file import NAME from wapitiCore.net.web import Request diff --git a/wapitiCore/attack/mod_http_headers.py b/wapitiCore/attack/mod_http_headers.py index 7d0033b4..951676cb 100644 --- a/wapitiCore/attack/mod_http_headers.py +++ b/wapitiCore/attack/mod_http_headers.py @@ -43,8 +43,8 @@ class mod_http_headers(Attack): def is_set(self, response: Page, header_name, check_list): if header_name not in response.headers: return False - else: - return any(element in response.headers[header_name].lower() for element in check_list) + + return any(element in response.headers[header_name].lower() for element in check_list) def must_attack(self, request: Request): if self.finished: diff --git a/wapitiCore/attack/mod_permanentxss.py b/wapitiCore/attack/mod_permanentxss.py index b6e7edad..0e59745d 100644 --- a/wapitiCore/attack/mod_permanentxss.py +++ b/wapitiCore/attack/mod_permanentxss.py @@ -215,7 +215,7 @@ class mod_permanentxss(Attack): skip=self.options.get("skipped_parameters") ) - for evil_request, xss_param, xss_payload, xss_flags in attack_mutator.mutate(injection_request): + for evil_request, xss_param, _xss_payload, xss_flags in attack_mutator.mutate(injection_request): if self.verbose == 2: print("[¨] {0}".format(evil_request)) @@ -364,12 +364,12 @@ class mod_permanentxss(Attack): if case_sensitive: if match_type == "exact" and expected_value == tag.string.strip(): return True - elif match_type == "starts_with" and tag.string.strip().startswith(expected_value): + if match_type == "starts_with" and tag.string.strip().startswith(expected_value): return True else: if match_type == "exact" and expected_value.lower() == tag.string.strip().lower(): return True - elif match_type == "starts_with" and \ + if match_type == "starts_with" and \ tag.string.strip().lower().startswith(expected_value.lower()): return True else: @@ -378,12 +378,12 @@ class mod_permanentxss(Attack): if case_sensitive: if match_type == "exact" and tag[attribute] == expected_value: return True - elif match_type == "starts_with" and tag[attribute].startswith(expected_value): + if match_type == "starts_with" and tag[attribute].startswith(expected_value): return True else: if match_type == "exact" and tag[attribute].lower() == expected_value.lower(): return True - elif match_type == "starts_with" and \ + if match_type == "starts_with" and \ expected_value.lower().startswith(tag[attribute].lower()): return True break diff --git a/wapitiCore/attack/mod_shellshock.py b/wapitiCore/attack/mod_shellshock.py index a6393589..c788b98e 100644 --- a/wapitiCore/attack/mod_shellshock.py +++ b/wapitiCore/attack/mod_shellshock.py @@ -46,7 +46,7 @@ class mod_shellshock(Attack): hex_string = hexlify(self.rand_string.encode()) bash_string = "" for i in range(0, 64, 2): - bash_string += "\\x" + hex_string[i:i+2].decode() + bash_string += "\\x" + hex_string[i:i + 2].decode() cmd = "echo; echo; echo -e '{0}';".format(bash_string) diff --git a/wapitiCore/attack/mod_sql.py b/wapitiCore/attack/mod_sql.py index bf92f763..0773b368 100644 --- a/wapitiCore/attack/mod_sql.py +++ b/wapitiCore/attack/mod_sql.py @@ -495,9 +495,9 @@ class mod_sql(Attack): continue comparison = ( - response.status == good_status and - response.redirection_url == good_redirect and - response.text_only_md5 == good_hash + response.status == good_status and + response.redirection_url == good_redirect and + response.text_only_md5 == good_hash ) test_results.append(comparison == (flags.section == "True")) diff --git a/wapitiCore/attack/mod_ssrf.py b/wapitiCore/attack/mod_ssrf.py index 30406711..d6df6d24 100644 --- a/wapitiCore/attack/mod_ssrf.py +++ b/wapitiCore/attack/mod_ssrf.py @@ -174,7 +174,7 @@ class mod_ssrf(Attack): def attack(self, request: Request): # Let's just send payloads, we don't care of the response as what we want to know is if the target # contacted the endpoint. - for mutated_request, parameter, payload, flags in self.mutator.mutate(request): + for mutated_request, _parameter, _payload, _flags in self.mutator.mutate(request): if self.verbose == 2: print("[¨] {0}".format(mutated_request)) diff --git a/wapitiCore/attack/mod_timesql.py b/wapitiCore/attack/mod_timesql.py index 51817d97..511ba0f9 100644 --- a/wapitiCore/attack/mod_timesql.py +++ b/wapitiCore/attack/mod_timesql.py @@ -49,7 +49,7 @@ class mod_timesql(Attack): current_parameter = None vulnerable_parameter = False - for mutated_request, parameter, payload, flags in self.mutator.mutate(request): + for mutated_request, parameter, _payload, _flags in self.mutator.mutate(request): if current_parameter != parameter: # Forget what we know about current parameter current_parameter = parameter diff --git a/wapitiCore/attack/mod_wp_enum.py b/wapitiCore/attack/mod_wp_enum.py index 1d2aefa7..acc0f64d 100644 --- a/wapitiCore/attack/mod_wp_enum.py +++ b/wapitiCore/attack/mod_wp_enum.py @@ -10,6 +10,7 @@ from wapitiCore.definitions.fingerprint import NAME as TECHNO_DETECTED MSG_TECHNO_VERSIONED = _("{0} {1} detected") MSG_NO_WP = _("No WordPress Detected") + class mod_wp_enum(Attack): """Detect WordPress Plugins with version.""" name = "wp_enum" @@ -20,7 +21,6 @@ class mod_wp_enum(Attack): Attack.__init__(self, crawler, persister, logger, attack_options) self.finished = False - def get_plugin(self): with open(path_join(self.DATA_DIR, self.PAYLOADS_FILE_PLUGINS), errors="ignore") as plugin_list: for line in plugin_list: @@ -41,11 +41,11 @@ class mod_wp_enum(Attack): rep = self.crawler.get(req) if rep.status == 200: version = re.search(r'tag:\s*([\d.]+)', rep.content) - #This check was added to detect invalid format of "Readme.txt" who can cause a crashe - if version : + # This check was added to detect invalid format of "Readme.txt" who can cause a crashe + if version: version = version.group(1) - else : - print ("Readme.txt is not in a valid format") + else: + print("Readme.txt is not in a valid format") version = "" plugin_detected = { "name": plugin, @@ -58,10 +58,10 @@ class mod_wp_enum(Attack): version ) self.add_addition( - category = TECHNO_DETECTED, - level = LOW_LEVEL, - request = req, - info = json.dumps(plugin_detected) + category=TECHNO_DETECTED, + level=LOW_LEVEL, + request=req, + info=json.dumps(plugin_detected) ) elif rep.status == 403: plugin_detected = { @@ -75,10 +75,10 @@ class mod_wp_enum(Attack): [""] ) self.add_addition( - category = TECHNO_DETECTED, - level = LOW_LEVEL, - request = req, - info = json.dumps(plugin_detected) + category=TECHNO_DETECTED, + level=LOW_LEVEL, + request=req, + info=json.dumps(plugin_detected) ) def detect_theme(self, url): @@ -87,11 +87,10 @@ class mod_wp_enum(Attack): rep = self.crawler.get(req) if rep.status == 200: version = re.search(r'tag:\s*([\d.]+)', rep.content) - #This check was added to detect invalid format of "Readme.txt" who can cause a crashe - if version : + # This check was added to detect invalid format of "Readme.txt" who can cause a crashe + if version: version = version.group(1) - else : - #print ("Readme.txt is not in a valid format") + else: version = "" theme_detected = { "name": theme, @@ -104,10 +103,10 @@ class mod_wp_enum(Attack): version ) self.add_addition( - category = TECHNO_DETECTED, - level = LOW_LEVEL, - request = req, - info = json.dumps(theme_detected) + category=TECHNO_DETECTED, + level=LOW_LEVEL, + request=req, + info=json.dumps(theme_detected) ) elif rep.status == 403: theme_detected = { @@ -121,13 +120,13 @@ class mod_wp_enum(Attack): [""] ) self.add_addition( - category = TECHNO_DETECTED, - level = LOW_LEVEL, - request = req, - info = json.dumps(theme_detected) + category=TECHNO_DETECTED, + level=LOW_LEVEL, + request=req, + info=json.dumps(theme_detected) ) - def check_wordpress(self, response :object): + def check_wordpress(self, response: object): if re.findall('WordPress.*', response.content): return True return False diff --git a/wapitiCore/attack/mod_xss.py b/wapitiCore/attack/mod_xss.py index 9002d349..73900dfa 100644 --- a/wapitiCore/attack/mod_xss.py +++ b/wapitiCore/attack/mod_xss.py @@ -185,7 +185,8 @@ class mod_xss(Attack): # stop trying payloads and jump to the next parameter break - elif response.status == 500 and not saw_internal_error: + + if response.status == 500 and not saw_internal_error: if xss_param == "QUERY_STRING": anom_msg = Messages.MSG_QS_500 else: @@ -239,12 +240,12 @@ class mod_xss(Attack): if case_sensitive: if match_type == "exact" and expected_value == tag.string.strip(): return True - elif match_type == "starts_with" and tag.string.strip().startswith(expected_value): + if match_type == "starts_with" and tag.string.strip().startswith(expected_value): return True else: if match_type == "exact" and expected_value.lower() == tag.string.strip().lower(): return True - elif match_type == "starts_with" and \ + if match_type == "starts_with" and \ tag.string.strip().lower().startswith(expected_value.lower()): return True else: @@ -253,12 +254,12 @@ class mod_xss(Attack): if case_sensitive: if match_type == "exact" and tag[attribute] == expected_value: return True - elif match_type == "starts_with" and tag[attribute].startswith(expected_value): + if match_type == "starts_with" and tag[attribute].startswith(expected_value): return True else: if match_type == "exact" and tag[attribute].lower() == expected_value.lower(): return True - elif match_type == "starts_with" and \ + if match_type == "starts_with" and \ expected_value.lower().startswith(tag[attribute].lower()): return True break diff --git a/wapitiCore/attack/mod_xxe.py b/wapitiCore/attack/mod_xxe.py index ff19f3e0..99896c29 100644 --- a/wapitiCore/attack/mod_xxe.py +++ b/wapitiCore/attack/mod_xxe.py @@ -203,7 +203,7 @@ class mod_xxe(Attack): vulnerable_parameter = True continue - elif response.status == 500 and not saw_internal_error: + if response.status == 500 and not saw_internal_error: saw_internal_error = True if parameter == "QUERY_STRING": anom_msg = Messages.MSG_QS_500 @@ -268,7 +268,7 @@ class mod_xxe(Attack): current_parameter = None vulnerable_parameter = False - for mutated_request, parameter, payload, flags in mutator.mutate(original_request): + for mutated_request, parameter, _payload, flags in mutator.mutate(original_request): if current_parameter != parameter: # Forget what we know about current parameter current_parameter = parameter @@ -379,7 +379,7 @@ class mod_xxe(Attack): "" ) - for payload, flags in self.payloads: + for payload, _flags in self.payloads: if "{}.dtd".format(payload_name) in payload: payload = payload.replace("[PATH_ID]", str(original_request.path_id)) payload = payload.replace("[PARAM_AS_HEX]", "72617720626f6479") diff --git a/wapitiCore/language/vulnerability.py b/wapitiCore/language/vulnerability.py index 97850816..aeaa3e10 100644 --- a/wapitiCore/language/vulnerability.py +++ b/wapitiCore/language/vulnerability.py @@ -25,6 +25,7 @@ MEDIUM_LEVEL = "2" LOW_LEVEL = "1" INFO_LEVEL = "0" + class Messages: MSG_EVIL_URL = _(" Evil url: {0}") MSG_PARAM_INJECT = _("{0} in {1} via injection in the parameter {2}") diff --git a/wapitiCore/main/wapiti.py b/wapitiCore/main/wapiti.py index 235d7fcc..0ddd7825 100755 --- a/wapitiCore/main/wapiti.py +++ b/wapitiCore/main/wapiti.py @@ -448,7 +448,11 @@ class Wapiti: with open(traceback_file, "w") as traceback_fd: print_tb(exception_traceback, file=traceback_fd) print("{}: {}".format(exception.__class__.__name__, exception), file=traceback_fd) - print("Occurred in {} on {}".format(attack_module.name, self.target_url), file=traceback_fd) + print( + "Occurred in {} on {}".format( + attack_module.name, + self.target_url), + file=traceback_fd) print("{}. Requests {}. OS {}".format(WAPITI_VERSION, requests.__version__, sys.platform)) try: @@ -1252,7 +1256,6 @@ def wapiti_main(): print(_("Attack process interrupted. Scan will be resumed next time " "unless you specify \"--flush-attacks\" or \"--flush-session\".")) print('') - pass except OperationalError: print(_("[!] Can't store information in persister. SQLite database must have been locked by another process")) print(_("[!] You should unlock and launch Wapiti again.")) diff --git a/wapitiCore/net/page.py b/wapitiCore/net/page.py index 025be3fb..32e8345e 100644 --- a/wapitiCore/net/page.py +++ b/wapitiCore/net/page.py @@ -395,8 +395,8 @@ class Page: # a hack for auto-generated Apache directory index if query_string in [ - "C=D;O=A", "C=D;O=D", "C=M;O=A", "C=M;O=D", - "C=N;O=A", "C=N;O=D", "C=S;O=A", "C=S;O=D" + "C=D;O=A", "C=D;O=D", "C=M;O=A", "C=M;O=D", + "C=N;O=A", "C=N;O=D", "C=S;O=A", "C=S;O=D" ]: query_string = "" diff --git a/wapitiCore/net/swf.py b/wapitiCore/net/swf.py index 30fc9d63..926fbce9 100644 --- a/wapitiCore/net/swf.py +++ b/wapitiCore/net/swf.py @@ -17,8 +17,6 @@ # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -import struct - from yaswfp import swfparser from bs4 import BeautifulSoup @@ -86,7 +84,6 @@ def new_read_u30(stream): def read_abc(data): name_len = data.find(b'\0') - minor, major = struct.unpack("HH", data[name_len + 1: name_len + 5]) i = name_len + 5 read_value, read_size = read_u30(data[i:]) diff --git a/wapitiCore/net/web.py b/wapitiCore/net/web.py index 3091cd82..81cbd934 100644 --- a/wapitiCore/net/web.py +++ b/wapitiCore/net/web.py @@ -339,8 +339,8 @@ class Request: def parameters_count(self): if isinstance(self._post_params, list): return len(self.get_params) + len(self._post_params) + len(self._file_params) - else: - return len(self.get_params) + len(self._file_params) + + return len(self.get_params) + len(self._file_params) @staticmethod def _encoded_keys(params): @@ -356,6 +356,7 @@ class Request: buff += "\n\tdata: {}".format(self.encoded_data.replace("\n", "\n\t")) if self._file_params: buff += "\n\tfiles: {}".format(self.encoded_files) + return buff def http_repr(self, left_margin=" "): diff --git a/wapitiCore/net/xss_utils.py b/wapitiCore/net/xss_utils.py index 0061379b..67535aa8 100644 --- a/wapitiCore/net/xss_utils.py +++ b/wapitiCore/net/xss_utils.py @@ -323,9 +323,9 @@ def apply_attrval_context(context, payloads, code): # we must deal differently with self-closing tags # see https://developer.mozilla.org/en-US/docs/Glossary/empty_element for reference if context["tag"].lower() in [ - "area", "base", "br", "col", "embed", "hr", "img", "input", "keygen", "link", "meta", "param", - "source", "track", "wbr", - "frame" # Not in Mozilla list but I guess it is because it is deprecated + "area", "base", "br", "col", "embed", "hr", "img", "input", "keygen", "link", "meta", "param", + "source", "track", "wbr", + "frame" # Not in Mozilla list but I guess it is because it is deprecated ]: # We don't even need a slash to mark the end of the tag js_code += ">" diff --git a/wapitiCore/report/__init__.py b/wapitiCore/report/__init__.py index 31962632..761c1762 100644 --- a/wapitiCore/report/__init__.py +++ b/wapitiCore/report/__init__.py @@ -24,12 +24,12 @@ from .txtreportgenerator import TXTReportGenerator from .xmlreportgenerator import XMLReportGenerator GENERATORS = { - "csv": CSVReportGenerator, - "html": HTMLReportGenerator, - "json": JSONReportGenerator, - "txt": TXTReportGenerator, - "xml": XMLReportGenerator - } + "csv": CSVReportGenerator, + "html": HTMLReportGenerator, + "json": JSONReportGenerator, + "txt": TXTReportGenerator, + "xml": XMLReportGenerator +} def get_report_generator_instance(report_format: str = "html"): diff --git a/wapitiCore/report/txtreportgenerator.py b/wapitiCore/report/txtreportgenerator.py index 99cd4a36..f47251a0 100644 --- a/wapitiCore/report/txtreportgenerator.py +++ b/wapitiCore/report/txtreportgenerator.py @@ -23,7 +23,6 @@ from wapitiCore.report.reportgenerator import ReportGenerator NB_COLUMNS = 80 - # TODO: should use more the python format mini-language # http://docs.python.org/2/library/string.html#format-specification-mini-language