Merge pull request #8 from DolphFlynn/main

Prevent intruder config model and view becoming out of sync
PortSwigger · Mar 11, 2024 · 0eb20fc · 0eb20fc
2 parents 44aea9a + 3823ae9
commit 0eb20fc
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 102 deletions.
diff --git a/src/main/java/burp/intruder/IntruderConfig.java b/src/main/java/burp/intruder/IntruderConfig.java
@@ -21,7 +21,6 @@
 import com.nimbusds.jose.JWSAlgorithm;
 
 import static burp.intruder.FuzzLocation.PAYLOAD;
-import static org.apache.commons.lang3.StringUtils.isNotEmpty;
 
 public class IntruderConfig {
     private String fuzzParameter;
@@ -57,15 +56,14 @@ public String signingKeyId() {
 
     public void setSigningKeyId(String signingKeyId) {
         this.signingKeyId = signingKeyId;
-        this.resign = resign && canSign();
     }
 
     public boolean resign() {
         return resign;
     }
 
     public void setResign(boolean resign) {
-        this.resign = resign && canSign();
+        this.resign = resign;
     }
 
     public JWSAlgorithm signingAlgorithm() {
@@ -74,10 +72,5 @@ public JWSAlgorithm signingAlgorithm() {
 
     public void setSigningAlgorithm(JWSAlgorithm signingAlgorithm) {
         this.signingAlgorithm = signingAlgorithm;
-        this.resign = resign && canSign();
-    }
-
-    private boolean canSign() {
-        return isNotEmpty(signingKeyId) && signingAlgorithm != null;
     }
 }
diff --git a/src/main/java/com/blackberry/jwteditor/view/config/IntruderConfigModel.java b/src/main/java/com/blackberry/jwteditor/view/config/IntruderConfigModel.java
@@ -71,7 +71,9 @@ String[] signingKeyIds() {
     }
 
     String signingKeyId() {
-        return intruderConfig.signingKeyId();
+        String keyId = intruderConfig.signingKeyId();
+
+        return keyId == null && hasSigningKeys() ? signingKeyIds()[0] : keyId;
     }
 
     public void setSigningKeyId(String signingKeyId) {
@@ -88,19 +90,23 @@ public void setSigningKeyId(String signingKeyId) {
     }
 
     JWSAlgorithm[] signingAlgorithms() {
-        if (intruderConfig.signingKeyId() == null) {
+        String keyId = signingKeyId();
+
+        if (keyId == null) {
             return NO_ALGORITHMS;
         }
 
         return keysModel.getSigningKeys().stream()
-                .filter(k -> k.getID().equals(intruderConfig.signingKeyId()))
+                .filter(k -> k.getID().equals(keyId))
                 .findFirst()
                 .orElseThrow()
                 .getSigningAlgorithms();
     }
 
     JWSAlgorithm signingAlgorithm() {
-        return intruderConfig.signingAlgorithm();
+        JWSAlgorithm signingAlgorithm = intruderConfig.signingAlgorithm();
+
+        return signingAlgorithm == null && hasSigningKeys() ? signingAlgorithms()[0] : signingAlgorithm;
     }
 
     void setSigningAlgorithm(JWSAlgorithm signingAlgorithm) {

diff --git a/src/test/java/burp/config/IntruderConfigTest.java b/src/test/java/burp/config/IntruderConfigTest.java
diff --git a/src/test/java/com/blackberry/jwteditor/view/config/IntruderConfigModelFromJsonTest.java b/src/test/java/com/blackberry/jwteditor/view/config/IntruderConfigModelFromJsonTest.java
@@ -0,0 +1,37 @@
+package com.blackberry.jwteditor.view.config;
+
+import burp.intruder.IntruderConfig;
+import com.blackberry.jwteditor.model.keys.KeysModel;
+import org.junit.jupiter.api.Test;
+
+import static com.nimbusds.jose.JWSAlgorithm.ES256;
+import static org.assertj.core.api.Assertions.assertThat;
+
+class IntruderConfigModelFromJsonTest {
+    private static final String KEYS_JSON = """
+            [
+                {"kty":"EC","d":"R7xUBrtHikGBXsJkDekdUxWWC2YhYMKTDXILREc4_7s","crv":"P-256","kid":"1","x":"Kxyedi_DE6wZdC1shMeYVx9IvSXl14RRp_Z5tZjBodo","y":"UXtt70JCve0c_puZsjyTHtLD6xfBvoI3fVoh9WzhH-M"},
+                {"kty":"EC","crv":"P-256","kid":"2","x":"Kxyedi_DE6wZdC1shMeYVx9IvSXl14RRp_Z5tZjBodo","y":"UXtt70JCve0c_puZsjyTHtLD6xfBvoI3fVoh9WzhH-M"}
+            ]""";
+
+    @Test
+    void givenKeysLoadedJson_butNoSelectedKey_whenGetSigningKeyId_thenFirstKeyIdReturned() throws Exception {
+        IntruderConfigModel model = new IntruderConfigModel(KeysModel.parse(KEYS_JSON), new IntruderConfig());
+
+        assertThat(model.signingKeyId()).isEqualTo("1");
+    }
+
+    @Test
+    void givenKeysLoadedJson_butNoSelectedKey_whenGetSigningAlgorithms_thenFirstKeysAlgorithmsReturned() throws Exception {
+        IntruderConfigModel model = new IntruderConfigModel(KeysModel.parse(KEYS_JSON), new IntruderConfig());
+
+        assertThat(model.signingAlgorithms()).containsExactly(ES256);
+    }
+
+    @Test
+    void givenKeysLoadedJson_butNoSelectedKey_whenGetSigningAlgorithm_thenFirstAlgorithmReturned() throws Exception {
+        IntruderConfigModel model = new IntruderConfigModel(KeysModel.parse(KEYS_JSON), new IntruderConfig());
+
+        assertThat(model.signingAlgorithm()).isEqualTo(ES256);
+    }
+}