package main
import (
	"encoding/json"
	"encoding/xml"
	"fmt"
	"io"
	"io/ioutil"
	"log"
	"net/http"
	"strings"
	"time"
)
// MVNLookup is a PackageResolver that collects Maven coordinates from a pom.xml
// and checks their groups against Maven Central for dependency confusion.
type MVNLookup struct {
	// Packages holds the dependencies and plugins gathered by ReadPackagesFromFile.
	Packages []MVNPackage
	// Verbose enables per-request progress output on stdout.
	Verbose bool
}
// MVNPackage is one set of Maven coordinates read from a pom.xml.
type MVNPackage struct {
	Group    string // Maven groupId, e.g. org.example
	Artifact string // Maven artifactId
	Version  string // version as written in the pom; not consulted by the lookup
}
// NewMVNLookup returns a PackageResolver backed by an empty MVNLookup.
// verbose controls whether each Maven Central request is echoed to stdout.
func NewMVNLookup(verbose bool) PackageResolver {
	l := MVNLookup{Verbose: verbose}
	l.Packages = make([]MVNPackage, 0)
	return &l
}
// ReadPackagesFromFile loads Maven coordinates from the pom.xml at filename.
//
// Every <dependency>, every build <plugin>, and every plugin declared under a
// <profile> is appended to n.Packages. Returns the error from reading the
// file; a pom that fails to parse is fatal (see the note on the call below).
func (n *MVNLookup) ReadPackagesFromFile(filename string) error {
	raw, err := ioutil.ReadFile(filename)
	if err != nil {
		return err
	}
	fmt.Printf("Checking: filename: %s\n", filename)
	var pom MavenProject
	// NOTE(review): a malformed pom terminates the process via log.Fatalf
	// instead of being returned to the caller as the signature suggests.
	if err := xml.Unmarshal(raw, &pom); err != nil {
		log.Fatalf("unable to unmarshal pom file. Reason: %s\n", err)
	}
	add := func(groupID, artifactID, version string) {
		n.Packages = append(n.Packages, MVNPackage{Group: groupID, Artifact: artifactID, Version: version})
	}
	for _, d := range pom.Dependencies {
		add(d.GroupId, d.ArtifactId, d.Version)
	}
	for _, p := range pom.Build.Plugins {
		add(p.GroupId, p.ArtifactId, p.Version)
	}
	for _, prof := range pom.Profiles {
		for _, p := range prof.Build.Plugins {
			add(p.GroupId, p.ArtifactId, p.Version)
		}
	}
	return nil
}
// PackagesNotInPublic reports which of the collected packages could not be
// found on Maven Central.
//
// Returns "<group>/<artifact>" for every package that isAvailableInPublic
// rejects; the slice is empty, not nil, when every package was found.
func (n *MVNLookup) PackagesNotInPublic() []string {
	missing := make([]string, 0)
	for i := range n.Packages {
		p := n.Packages[i]
		if n.isAvailableInPublic(p, 0) {
			continue
		}
		missing = append(missing, p.Group+"/"+p.Artifact)
	}
	return missing
}
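// mvnHTTPClient is shared by all Maven Central lookups so connections are
// reused; its timeout bounds a hung request, which http.Get's default client
// never does.
var mvnHTTPClient = &http.Client{Timeout: 30 * time.Second}

// mvnMaxBody caps how much of a Maven Central response is read into memory.
const mvnMaxBody = 1 << 20

// isAvailableInPublic reports whether the package's group exists on Maven Central.
//
// Only the group path (https://repo1.maven.org/maven2/<group>/) is requested;
// the artifact and version are not consulted, so an artifact that is missing
// from an existing group is still reported as available. An empty group is
// treated as available. A 429 response is retried after a 10 second pause
// until retry exceeds 3; any other non-200 status, a transport error, or an
// exhausted retry budget yields false.
func (n *MVNLookup) isAvailableInPublic(pkg MVNPackage, retry int) bool {
	if retry > 3 {
		fmt.Printf(" [W] Maximum number of retries exhausted for package: %s\n", pkg.Group)
		return false
	}
	if pkg.Group == "" {
		return true
	}
	// Maven Central lays groups out as directories: org.example -> org/example.
	groupURL := "https://repo1.maven.org/maven2/" + strings.Replace(pkg.Group, ".", "/", -1) + "/"
	if n.Verbose {
		fmt.Print("Checking: " + groupURL + " ")
	}
	resp, err := mvnHTTPClient.Get(groupURL)
	if err != nil {
		fmt.Printf(" [W] Error when trying to request %s : %s\n", groupURL, err)
		return false
	}
	defer resp.Body.Close()
	if n.Verbose {
		fmt.Printf("%s\n", resp.Status)
	}
	switch resp.StatusCode {
	case http.StatusOK:
		// NOTE(review): this mirrors the npm resolver. Maven Central serves an
		// HTML directory listing here, not npm's JSON document, so the decode
		// below is expected to fail and leave npmResp at its zero value; the
		// NotAvailable() check is kept so behaviour matches the previous code.
		var npmResp NpmResponse
		body, err := ioutil.ReadAll(io.LimitReader(resp.Body, mvnMaxBody))
		if err == nil {
			// Decode errors are expected for non-JSON bodies; see the note above.
			_ = json.Unmarshal(body, &npmResp)
		}
		if npmResp.NotAvailable() {
			if n.Verbose {
				fmt.Printf("[W] Package %s was found, but all its versions are unpublished, making anyone able to takeover the namespace.\n", pkg.Group)
			}
			return false
		}
		return true
	case http.StatusTooManyRequests:
		fmt.Print(" [!] Server responded with 429 (Too many requests), throttling and retrying...\n")
		time.Sleep(10 * time.Second)
		return n.isAvailableInPublic(pkg, retry+1)
	}
	return false
}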