def _get(url, **kwargs):
next_delay_sec = 1
for i in xrange(TRY_LIMIT):
if i > 0:
# Retry server error status codes.
LOGGER.info('Encountered server error; retrying after %d second(s).',
next_delay_sec)
time.sleep(next_delay_sec)
next_delay_sec *= 2
p = urlparse.urlparse(url)
c = GetConnectionClass(protocol=p.scheme)(p.netloc)
c.request('GET', url, **kwargs)
resp = c.getresponse()
LOGGER.debug('GET [%s] #%d/%d (%d)', url, i+1, TRY_LIMIT, resp.status)
if resp.status < httplib.INTERNAL_SERVER_ERROR:
return resp
python类INTERNAL_SERVER_ERROR的实例源码
def _get(url, **kwargs):
next_delay_sec = 1
for i in xrange(TRY_LIMIT):
if i > 0:
# Retry server error status codes.
LOGGER.info('Encountered server error; retrying after %d second(s).',
next_delay_sec)
time.sleep(next_delay_sec)
next_delay_sec *= 2
p = urlparse.urlparse(url)
c = GetConnectionClass(protocol=p.scheme)(p.netloc)
c.request('GET', url, **kwargs)
resp = c.getresponse()
LOGGER.debug('GET [%s] #%d/%d (%d)', url, i+1, TRY_LIMIT, resp.status)
if resp.status < httplib.INTERNAL_SERVER_ERROR:
return resp
def __do_batch_create(self, project, create_list):
"""Create the new descriptors as a batch request."""
create_method = (self.__stackdriver.stub.projects()
.metricDescriptors().create)
def create_invocation(descriptor):
name = descriptor['name']
logging.info('batch CREATE %s', name)
return create_method(
name='projects/{0}'.format(project), body=descriptor)
get_descriptor_name = lambda descriptor: descriptor['name']
processor = BatchProcessor(
project, self.__stackdriver,
create_list, create_invocation, get_descriptor_name)
processor.process()
response_code = (httplib.OK if processor.num_ok == len(create_list)
else httplib.INTERNAL_SERVER_ERROR)
headers, body = processor.make_response(
None, False, 'Created', 'Added Descriptor')
return response_code, headers, body
def __init__(self):
self.api_key_valid = True
self.response_code = httplib.INTERNAL_SERVER_ERROR
self.response_size = report_request.NOT_SET
self.request_size = report_request.NOT_SET
self.http_method = None
self.url = None
test_quota_request.py 文件源码
项目:endpoints-management-python
作者: cloudendpoints
项目源码
文件源码
阅读 22
收藏 0
点赞 0
评论 0
def test_should_include_detail_in_error_text_when_needed(self):
detail = u'details, details, details'
resp = sc_messages.AllocateQuotaResponse(
allocateErrors = [
sc_messages.QuotaError(
code=sc_messages.QuotaError.CodeValueValuesEnum.OUT_OF_RANGE,
description=detail)
]
)
code, got = quota_request.convert_response(resp, self.PROJECT_ID)
expect(code).to(equal(httplib.INTERNAL_SERVER_ERROR))
assert got.endswith(detail)
def test_send_project_invalid_server_res(self, mock_cs):
mock_cs.side_effect = [None]
api = API.apiCalls.ApiCalls(
client_id="",
client_secret="",
base_URL="",
username="",
password=""
)
session_response = Foo()
setattr(session_response, "status_code", httplib.INTERNAL_SERVER_ERROR)
setattr(session_response, "text", "Server unavailable")
session_post = MagicMock(side_effect=[session_response])
session = Foo()
setattr(session, "post", session_post)
api.session = session
api.get_link = lambda x, y, targ_dict="": None
proj = API.apiCalls.Project("project1", "projectDescription", "1")
with self.assertRaises(API.apiCalls.ProjectError) as err:
api.send_project(proj)
self.assertTrue(str(session_response.status_code) + " " +
session_response.text in str(err.exception))
def showHttpErrorCodes():
"""
Shows all HTTP error codes raised till now
"""
if kb.httpErrorCodes:
warnMsg = "HTTP error codes detected during run:\n"
warnMsg += ", ".join("%d (%s) - %d times" % (code, httplib.responses[code] \
if code in httplib.responses else '?', count) \
for code, count in kb.httpErrorCodes.items())
logger.warn(warnMsg)
if any((str(_).startswith('4') or str(_).startswith('5')) and _ != httplib.INTERNAL_SERVER_ERROR and _ != kb.originalCode for _ in kb.httpErrorCodes.keys()):
msg = "too many 4xx and/or 5xx HTTP error codes "
msg += "could mean that some kind of protection is involved (e.g. WAF)"
logger.debug(msg)
def should_retry(self, error, retries_attempted):
"""Return true if the http client should retry the request.
:param error: the caught error.
:type error: Exception
:param retries_attempted: the number of retries which has been attempted before.
:type retries_attempted: int
:return: true if the http client should retry the request.
:rtype: bool
"""
# stop retrying when the maximum number of retries is reached
if retries_attempted >= self.max_error_retry:
return False
# always retry on IOError
if isinstance(error, IOError):
_logger.debug('Retry for IOError.')
return True
# Only retry on a subset of service exceptions
if isinstance(error, BceServerError):
if error.status_code == httplib.INTERNAL_SERVER_ERROR:
_logger.debug('Retry for internal server error.')
return True
if error.status_code == httplib.SERVICE_UNAVAILABLE:
_logger.debug('Retry for service unavailable.')
return True
if error.code == BceServerError.REQUEST_EXPIRED:
_logger.debug('Retry for request expired.')
return True
return False
def should_retry(self, error, retries_attempted):
"""Return true if the http client should retry the request.
:param error: the caught error.
:type error: Exception
:param retries_attempted: the number of retries which has been attempted before.
:type retries_attempted: int
:return: true if the http client should retry the request.
:rtype: bool
"""
# stop retrying when the maximum number of retries is reached
if retries_attempted >= self.max_error_retry:
return False
# always retry on IOError
if isinstance(error, IOError):
_logger.debug('Retry for IOError.')
return True
# Only retry on a subset of service exceptions
if isinstance(error, BceServerError):
if error.status_code == httplib.INTERNAL_SERVER_ERROR:
_logger.debug('Retry for internal server error.')
return True
if error.status_code == httplib.SERVICE_UNAVAILABLE:
_logger.debug('Retry for service unavailable.')
return True
if error.code == BceServerError.REQUEST_EXPIRED:
_logger.debug('Retry for request expired.')
return True
return False
def showHttpErrorCodes():
"""
Shows all HTTP error codes raised till now
"""
if kb.httpErrorCodes:
warnMsg = "HTTP error codes detected during run:\n"
warnMsg += ", ".join("%d (%s) - %d times" % (code, httplib.responses[code] \
if code in httplib.responses else '?', count) \
for code, count in kb.httpErrorCodes.items())
logger.warn(warnMsg)
if any((str(_).startswith('4') or str(_).startswith('5')) and _ != httplib.INTERNAL_SERVER_ERROR and _ != kb.originalCode for _ in kb.httpErrorCodes.keys()):
msg = "too many 4xx and/or 5xx HTTP error codes "
msg += "could mean that some kind of protection is involved (e.g. WAF)"
logger.debug(msg)
def showHttpErrorCodes():
"""
Shows all HTTP error codes raised till now
"""
if kb.httpErrorCodes:
warnMsg = "HTTP error codes detected during run:\n"
warnMsg += ", ".join("%d (%s) - %d times" % (code, httplib.responses[code] \
if code in httplib.responses else '?', count) \
for code, count in kb.httpErrorCodes.items())
logger.warn(warnMsg)
if any((str(_).startswith('4') or str(_).startswith('5')) and _ != httplib.INTERNAL_SERVER_ERROR and _ != kb.originalCode for _ in kb.httpErrorCodes.keys()):
msg = "too many 4xx and/or 5xx HTTP error codes "
msg += "could mean that some kind of protection is involved (e.g. WAF)"
logger.debug(msg)
def scan_page(url, data=None):
retval, usable = False, False
url, data = re.sub(r"=(&|\Z)", "=1\g<1>", url) if url else url, re.sub(r"=(&|\Z)", "=1\g<1>", data) if data else data
try:
for phase in (GET, POST):
original, current = None, url if phase is GET else (data or "")
for match in re.finditer(r"((\A|[?&])(?P<parameter>[^_]\w*)=)(?P<value>[^&#]+)", current):
vulnerable, usable = False, True
#print "* scanning %s parameter '%s'" % (phase, match.group("parameter"))
original = original or (_retrieve_content(current, data) if phase is GET else _retrieve_content(url, current))
tampered = current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote("".join(random.sample(TAMPER_SQL_CHAR_POOL, len(TAMPER_SQL_CHAR_POOL))))))
content = _retrieve_content(tampered, data) if phase is GET else _retrieve_content(url, tampered)
for (dbms, regex) in ((dbms, regex) for dbms in DBMS_ERRORS for regex in DBMS_ERRORS[dbms]):
if not vulnerable and re.search(regex, content[HTML], re.I) and not re.search(regex, original[HTML], re.I):
#print " (i) %s parameter '%s' appears to be error SQLi vulnerable (%s)" % (phase, match.group("parameter"), dbms)
print url
retval = vulnerable = True
vulnerable = False
for prefix, boolean, suffix, inline_comment in itertools.product(PREFIXES, BOOLEAN_TESTS, SUFFIXES, (False, True)):
if not vulnerable:
template = ("%s%s%s" % (prefix, boolean, suffix)).replace(" " if inline_comment else "/**/", "/**/")
payloads = dict((_, current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote(template % (RANDINT if _ else RANDINT + 1, RANDINT), safe='%')))) for _ in (True, False))
contents = dict((_, _retrieve_content(payloads[_], data) if phase is GET else _retrieve_content(url, payloads[_])) for _ in (False, True))
if all(_[HTTPCODE] and _[HTTPCODE] < httplib.INTERNAL_SERVER_ERROR for _ in (original, contents[True], contents[False])):
if any(original[_] == contents[True][_] != contents[False][_] for _ in (HTTPCODE, TITLE)):
vulnerable = True
else:
ratios = dict((_, difflib.SequenceMatcher(None, original[TEXT], contents[_][TEXT]).quick_ratio()) for _ in (False, True))
vulnerable = all(ratios.values()) and min(ratios.values()) < FUZZY_THRESHOLD < max(ratios.values()) and abs(ratios[True] - ratios[False]) > FUZZY_THRESHOLD / 10
if vulnerable:
#print " (i) %s parameter '%s' appears to be blind SQLi vulnerable (e.g.: '%s')" % (phase, match.group("parameter"), payloads[True])
print url
retval = True
except KeyboardInterrupt:
pass
return retval
def scan_page(url, data=None):
retval, usable = False, False
url, data = re.sub(r"=(&|\Z)", "=1\g<1>", url) if url else url, re.sub(r"=(&|\Z)", "=1\g<1>", data) if data else data
# tmpurl= re.sub(r"=(&|\Z)", "=1\g<1>", url)
try:
for phase in (GET, POST):
original, current = None, url if phase is GET else (data or "")
for match in re.finditer(r"((\A|[?&])(?P<parameter>[^_]\w*)=)(?P<value>[^&#]+)", current):
vulnerable, usable = False, True
print "* scanning %s parameter '%s'" % (phase, match.group("parameter"))
original = original or (_retrieve_content(current, data) if phase is GET else _retrieve_content(url, current))
tampered = current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote("".join(random.sample(TAMPER_SQL_CHAR_POOL, len(TAMPER_SQL_CHAR_POOL))))))
content = _retrieve_content(tampered, data) if phase is GET else _retrieve_content(url, tampered)
for (dbms, regex) in ((dbms, regex) for dbms in DBMS_ERRORS for regex in DBMS_ERRORS[dbms]):
if not vulnerable and re.search(regex, content[HTML], re.I) and not re.search(regex, original[HTML], re.I):
print " (i) %s parameter '%s' appears to be error SQLi vulnerable (%s)" % (phase, match.group("parameter"), dbms)
retval = vulnerable = True
vulnerable = False
for prefix, boolean, suffix, inline_comment in itertools.product(PREFIXES, BOOLEAN_TESTS, SUFFIXES, (False, True)):
if not vulnerable:
template = ("%s%s%s" % (prefix, boolean, suffix)).replace(" " if inline_comment else "/**/", "/**/")
payloads = dict((_, current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote(template % (RANDINT if _ else RANDINT + 1, RANDINT), safe='%')))) for _ in (True, False))
contents = dict((_, _retrieve_content(payloads[_], data) if phase is GET else _retrieve_content(url, payloads[_])) for _ in (False, True))
if all(_[HTTPCODE] and _[HTTPCODE] < httplib.INTERNAL_SERVER_ERROR for _ in (original, contents[True], contents[False])):
if any(original[_] == contents[True][_] != contents[False][_] for _ in (HTTPCODE, TITLE)):
vulnerable = True
else:
ratios = dict((_, difflib.SequenceMatcher(None, original[TEXT], contents[_][TEXT]).quick_ratio()) for _ in (False, True))
vulnerable = all(ratios.values()) and min(ratios.values()) < FUZZY_THRESHOLD < max(ratios.values()) and abs(ratios[True] - ratios[False]) > FUZZY_THRESHOLD / 10
if vulnerable:
print " (i) %s parameter '%s' appears to be blind SQLi vulnerable (e.g.: '%s')" % (phase, match.group("parameter"), payloads[True])
retval = True
if not usable:
print " (x) no usable GET/POST parameters found"
except KeyboardInterrupt:
print "\r (x) Ctrl-C pressed"
return retval
def _call_api(self, method, uri, **kwargs):
def _set_token_in_request():
if 'params' in kwargs:
kwargs['params']['access_token'] = self._access_token
elif 'data' in kwargs:
kwargs['data']['access_token'] = self._access_token
else:
kwargs['params'] = dict(access_token=self._access_token)
_set_token_in_request()
try:
response = NetatmoClient._invoke(method,
'%s%s' % (NetatmoClient.API_BASE_URL, uri),
**kwargs)
except InvalidStatusCode, i:
if NetatmoClient._is_token_expired(i):
try:
self.request_refresh_token()
_set_token_in_request()
response = NetatmoClient._invoke(method,
'%s%s' % (NetatmoClient.API_BASE_URL, uri),
**kwargs)
except InvalidStatusCode, other:
if other.status_code / 100 == 4:
self._access_token = None
self._refresh_token = None
raise
else:
raise
if kwargs.get('raw_api_call', False):
return response
else:
result = response.json()
_logger.debug('%s - %s', uri, json.dumps(result))
if result['status'] != "ok":
raise InvalidStatusCode(httplib.INTERNAL_SERVER_ERROR, result)
else:
return result.get('body')
def process_web_request(self, request, path, params, fragment):
"""Implements CommandHandler."""
options = dict(get_global_options())
options.update(params)
type_map, processor = self.__do_clear(options)
response_code = (httplib.OK if processor.num_ok == len(type_map)
else httplib.INTERNAL_SERVER_ERROR)
headers, body = processor.make_response(
request, self.accepts_content_type(request, 'text/html'),
'Deleted', 'Cleared Time Series')
request.respond(response_code, headers, body)
def check_resp_status_and_retry(resp, image_id, url):
# Note(Jesse): This branch sorts errors into those that are permanent,
# those that are ephemeral, and those that are unexpected.
if resp.status in (httplib.BAD_REQUEST, # 400
httplib.UNAUTHORIZED, # 401
httplib.PAYMENT_REQUIRED, # 402
httplib.FORBIDDEN, # 403
httplib.METHOD_NOT_ALLOWED, # 405
httplib.NOT_ACCEPTABLE, # 406
httplib.PROXY_AUTHENTICATION_REQUIRED, # 407
httplib.CONFLICT, # 409
httplib.GONE, # 410
httplib.LENGTH_REQUIRED, # 411
httplib.PRECONDITION_FAILED, # 412
httplib.REQUEST_ENTITY_TOO_LARGE, # 413
httplib.REQUEST_URI_TOO_LONG, # 414
httplib.UNSUPPORTED_MEDIA_TYPE, # 415
httplib.REQUESTED_RANGE_NOT_SATISFIABLE, # 416
httplib.EXPECTATION_FAILED, # 417
httplib.UNPROCESSABLE_ENTITY, # 422
httplib.LOCKED, # 423
httplib.FAILED_DEPENDENCY, # 424
httplib.UPGRADE_REQUIRED, # 426
httplib.NOT_IMPLEMENTED, # 501
httplib.HTTP_VERSION_NOT_SUPPORTED, # 505
httplib.NOT_EXTENDED, # 510
):
raise PluginError("Got Permanent Error response [%i] while "
"uploading image [%s] to glance [%s]"
% (resp.status, image_id, url))
# Nova service would process the exception
elif resp.status == httplib.NOT_FOUND: # 404
exc = XenAPI.Failure('ImageNotFound')
raise exc
# NOTE(nikhil): Only a sub-set of the 500 errors are retryable. We
# optimistically retry on 500 errors below.
elif resp.status in (httplib.REQUEST_TIMEOUT, # 408
httplib.INTERNAL_SERVER_ERROR, # 500
httplib.BAD_GATEWAY, # 502
httplib.SERVICE_UNAVAILABLE, # 503
httplib.GATEWAY_TIMEOUT, # 504
httplib.INSUFFICIENT_STORAGE, # 507
):
raise RetryableError("Got Ephemeral Error response [%i] while "
"uploading image [%s] to glance [%s]"
% (resp.status, image_id, url))
else:
# Note(Jesse): Assume unexpected errors are retryable. If you are
# seeing this error message, the error should probably be added
# to either the ephemeral or permanent error list.
raise RetryableError("Got Unexpected Error response [%i] while "
"uploading image [%s] to glance [%s]"
% (resp.status, image_id, url))
def do_GET(self):
path, query = self.path.split('?', 1) if '?' in self.path else (self.path, "")
code, content, params, cursor = httplib.OK, HTML_PREFIX, dict((match.group("parameter"), urllib.unquote(','.join(re.findall(r"(?:\A|[?&])%s=([^&]+)" % match.group("parameter"), query)))) for match in re.finditer(r"((\A|[?&])(?P<parameter>[\w\[\]]+)=)([^&]+)", query)), connection.cursor()
try:
if path == '/':
if "id" in params:
cursor.execute("SELECT id, username, name, surname FROM users WHERE id=" + params["id"])
content += "<div><span>Result(s):</span></div><table><thead><th>id</th><th>username</th><th>name</th><th>surname</th></thead>%s</table>%s" % ("".join("<tr>%s</tr>" % "".join("<td>%s</td>" % ("-" if _ is None else _) for _ in row) for row in cursor.fetchall()), HTML_POSTFIX)
elif "v" in params:
content += re.sub(r"(v<b>)[^<]+(</b>)", r"\g<1>%s\g<2>" % params["v"], HTML_POSTFIX)
elif "object" in params:
content = str(pickle.loads(params["object"]))
elif "path" in params:
content = (open(os.path.abspath(params["path"]), "rb") if not "://" in params["path"] else urllib.urlopen(params["path"])).read()
elif "domain" in params:
content = subprocess.check_output("nslookup " + params["domain"], shell=True, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
elif "xml" in params:
content = lxml.etree.tostring(lxml.etree.parse(cStringIO.StringIO(params["xml"]), lxml.etree.XMLParser(no_network=False)), pretty_print=True)
elif "name" in params:
found = lxml.etree.parse(cStringIO.StringIO(USERS_XML)).xpath(".//user[name/text()='%s']" % params["name"])
content += "<b>Surname:</b> %s%s" % (found[-1].find("surname").text if found else "-", HTML_POSTFIX)
elif "size" in params:
start, _ = time.time(), "<br>".join("#" * int(params["size"]) for _ in range(int(params["size"])))
content += "<b>Time required</b> (to 'resize image' to %dx%d): %.6f seconds%s" % (int(params["size"]), int(params["size"]), time.time() - start, HTML_POSTFIX)
elif "comment" in params or query == "comment=":
if "comment" in params:
cursor.execute("INSERT INTO comments VALUES(NULL, '%s', '%s')" % (params["comment"], time.ctime()))
content += "Thank you for leaving the comment. Please click here <a href=\"/?comment=\">here</a> to see all comments%s" % HTML_POSTFIX
else:
cursor.execute("SELECT id, comment, time FROM comments")
content += "<div><span>Comment(s):</span></div><table><thead><th>id</th><th>comment</th><th>time</th></thead>%s</table>%s" % ("".join("<tr>%s</tr>" % "".join("<td>%s</td>" % ("-" if _ is None else _) for _ in row) for row in cursor.fetchall()), HTML_POSTFIX)
elif "include" in params:
backup, sys.stdout, program, envs = sys.stdout, cStringIO.StringIO(), (open(params["include"], "rb") if not "://" in params["include"] else urllib.urlopen(params["include"])).read(), {"DOCUMENT_ROOT": os.getcwd(), "HTTP_USER_AGENT": self.headers.get("User-Agent"), "REMOTE_ADDR": self.client_address[0], "REMOTE_PORT": self.client_address[1], "PATH": path, "QUERY_STRING": query}
exec(program) in envs
content += sys.stdout.getvalue()
sys.stdout = backup
elif "redir" in params:
content = content.replace("<head>", "<head><meta http-equiv=\"refresh\" content=\"0; url=%s\"/>" % params["redir"])
if HTML_PREFIX in content and HTML_POSTFIX not in content:
content += "<div><span>Attacks:</span></div>\n<ul>%s\n</ul>\n" % ("".join("\n<li%s>%s - <a href=\"%s\">vulnerable</a>|<a href=\"%s\">exploit</a>|<a href=\"%s\" target=\"_blank\">info</a></li>" % (" class=\"disabled\" title=\"module 'python-lxml' not installed\"" if ("lxml.etree" not in sys.modules and any(_ in case[0].upper() for _ in ("XML", "XPATH"))) else "", case[0], case[1], case[2], case[3]) for case in CASES)).replace("<a href=\"None\">vulnerable</a>|", "<b>-</b>|")
elif path == "/users.json":
content = "%s%s%s" % ("" if not "callback" in params else "%s(" % params["callback"], json.dumps(dict((_.findtext("username"), _.findtext("surname")) for _ in xml.etree.ElementTree.fromstring(USERS_XML).findall("user"))), "" if not "callback" in params else ")")
elif path == "/login":
cursor.execute("SELECT * FROM users WHERE username='" + re.sub(r"[^\w]", "", params.get("username", "")) + "' AND password='" + params.get("password", "") + "'")
content += "Welcome <b>%s</b><meta http-equiv=\"Set-Cookie\" content=\"SESSIONID=%s; path=/\"><meta http-equiv=\"refresh\" content=\"1; url=/\"/>" % (re.sub(r"[^\w]", "", params.get("username", "")), "".join(random.sample(string.letters + string.digits, 20))) if cursor.fetchall() else "The username and/or password is incorrect<meta http-equiv=\"Set-Cookie\" content=\"SESSIONID=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT\">"
else:
code = httplib.NOT_FOUND
except Exception, ex:
content = ex.output if isinstance(ex, subprocess.CalledProcessError) else traceback.format_exc()
code = httplib.INTERNAL_SERVER_ERROR
finally:
self.send_response(code)
self.send_header("Connection", "close")
self.send_header("X-XSS-Protection", "0")
self.send_header("Content-Type", "%s%s" % ("text/html" if content.startswith("<!DOCTYPE html>") else "text/plain", "; charset=%s" % params.get("charset", "utf8")))
self.end_headers()
self.wfile.write("%s%s" % (content, HTML_POSTFIX if HTML_PREFIX in content and GITHUB not in content else ""))
self.wfile.flush()
self.wfile.close()
def do_GET(self):
path, query = self.path.split('?', 1) if '?' in self.path else (self.path, "")
code, content, params, cursor = httplib.OK, HTML_PREFIX, dict((match.group("parameter"), urllib.unquote(','.join(re.findall(r"(?:\A|[?&])%s=([^&]+)" % match.group("parameter"), query)))) for match in re.finditer(r"((\A|[?&])(?P<parameter>[\w\[\]]+)=)([^&]+)", query)), connection.cursor()
try:
if path == '/':
if "id" in params:
cursor.execute("SELECT id, username, name, surname FROM users WHERE id=" + params["id"])
content += "<div><span>Result(s):</span></div><table><thead><th>id</th><th>username</th><th>name</th><th>surname</th></thead>%s</table>%s" % ("".join("<tr>%s</tr>" % "".join("<td>%s</td>" % ("-" if _ is None else _) for _ in row) for row in cursor.fetchall()), HTML_POSTFIX)
elif "v" in params:
content += re.sub(r"(v<b>)[^<]+(</b>)", r"\g<1>%s\g<2>" % params["v"], HTML_POSTFIX)
elif "object" in params:
content = str(pickle.loads(params["object"]))
elif "path" in params:
content = (open(os.path.abspath(params["path"]), "rb") if not "://" in params["path"] else urllib.urlopen(params["path"])).read()
elif "domain" in params:
content = subprocess.check_output("nslookup " + params["domain"], shell=True, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
elif "xml" in params:
content = lxml.etree.tostring(lxml.etree.parse(cStringIO.StringIO(params["xml"]), lxml.etree.XMLParser(no_network=False)), pretty_print=True)
elif "name" in params:
found = lxml.etree.parse(cStringIO.StringIO(USERS_XML)).xpath(".//user[name/text()='%s']" % params["name"])
content += "<b>Surname:</b> %s%s" % (found[-1].find("surname").text if found else "-", HTML_POSTFIX)
elif "size" in params:
start, _ = time.time(), "<br>".join("#" * int(params["size"]) for _ in range(int(params["size"])))
content += "<b>Time required</b> (to 'resize image' to %dx%d): %.6f seconds%s" % (int(params["size"]), int(params["size"]), time.time() - start, HTML_POSTFIX)
elif "comment" in params or query == "comment=":
if "comment" in params:
cursor.execute("INSERT INTO comments VALUES(NULL, '%s', '%s')" % (params["comment"], time.ctime()))
content += "Thank you for leaving the comment. Please click here <a href=\"/?comment=\">here</a> to see all comments%s" % HTML_POSTFIX
else:
cursor.execute("SELECT id, comment, time FROM comments")
content += "<div><span>Comment(s):</span></div><table><thead><th>id</th><th>comment</th><th>time</th></thead>%s</table>%s" % ("".join("<tr>%s</tr>" % "".join("<td>%s</td>" % ("-" if _ is None else _) for _ in row) for row in cursor.fetchall()), HTML_POSTFIX)
elif "include" in params:
backup, sys.stdout, program, envs = sys.stdout, cStringIO.StringIO(), (open(params["include"], "rb") if not "://" in params["include"] else urllib.urlopen(params["include"])).read(), {"DOCUMENT_ROOT": os.getcwd(), "HTTP_USER_AGENT": self.headers.get("User-Agent"), "REMOTE_ADDR": self.client_address[0], "REMOTE_PORT": self.client_address[1], "PATH": path, "QUERY_STRING": query}
exec(program) in envs
content += sys.stdout.getvalue()
sys.stdout = backup
elif "redir" in params:
content = content.replace("<head>", "<head><meta http-equiv=\"refresh\" content=\"0; url=%s\"/>" % params["redir"])
if HTML_PREFIX in content and HTML_POSTFIX not in content:
content += "<div><span>Attacks:</span></div>\n<ul>%s\n</ul>\n" % ("".join("\n<li%s>%s - <a href=\"%s\">vulnerable</a>|<a href=\"%s\">exploit</a>|<a href=\"%s\" target=\"_blank\">info</a></li>" % (" class=\"disabled\" title=\"module 'python-lxml' not installed\"" if ("lxml.etree" not in sys.modules and any(_ in case[0].upper() for _ in ("XML", "XPATH"))) else "", case[0], case[1], case[2], case[3]) for case in CASES)).replace("<a href=\"None\">vulnerable</a>|", "<b>-</b>|")
elif path == "/users.json":
content = "%s%s%s" % ("" if not "callback" in params else "%s(" % params["callback"], json.dumps(dict((_.findtext("username"), _.findtext("surname")) for _ in xml.etree.ElementTree.fromstring(USERS_XML).findall("user"))), "" if not "callback" in params else ")")
elif path == "/login":
cursor.execute("SELECT * FROM users WHERE username='" + re.sub(r"[^\w]", "", params.get("username", "")) + "' AND password='" + params.get("password", "") + "'")
content += "Welcome <b>%s</b><meta http-equiv=\"Set-Cookie\" content=\"SESSIONID=%s; path=/\"><meta http-equiv=\"refresh\" content=\"1; url=/\"/>" % (re.sub(r"[^\w]", "", params.get("username", "")), "".join(random.sample(string.letters + string.digits, 20))) if cursor.fetchall() else "The username and/or password is incorrect<meta http-equiv=\"Set-Cookie\" content=\"SESSIONID=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT\">"
else:
code = httplib.NOT_FOUND
except Exception, ex:
content = ex.output if isinstance(ex, subprocess.CalledProcessError) else traceback.format_exc()
code = httplib.INTERNAL_SERVER_ERROR
finally:
self.send_response(code)
self.send_header("Connection", "close")
self.send_header("X-XSS-Protection", "0")
self.send_header("Content-Type", "%s%s" % ("text/html" if content.startswith("<!DOCTYPE html>") else "text/plain", "; charset=%s" % params.get("charset", "utf8")))
self.end_headers()
self.wfile.write("%s%s" % (content, HTML_POSTFIX if HTML_PREFIX in content and GITHUB not in content else ""))
self.wfile.flush()
self.wfile.close()
def __do_batch_update(self, project, update_list, original_type_map):
"""Orchestrate updates of existing descriptors.
Args:
project: [string] The project we're updating in.
update_list: [list of descriptors] The new descriptor definitions.
original_type_map: [type to descriptor] The original definitions in
case we need to restore them.
"""
get_descriptor_name = lambda descriptor: descriptor['name']
delete_errors = []
create_errors = []
restore_errors = []
failed_list = []
create_list = []
success_list = []
restore_list = []
not_updated_list = []
lost_list = []
if update_list:
self.__do_batch_update_delete_helper(
project, update_list, create_list, failed_list, delete_errors)
if create_list:
self.__do_batch_update_create_helper(
project, create_list, success_list, restore_list, create_errors)
restore_list = [original_type_map[elem['type']] for elem in restore_list]
if restore_list:
# If we successfully restore, we left it in the original unupdated state.
# If we failed to restore, then we've lost the descriptor entirely.
self.__do_batch_update_create_helper(
project, restore_list, not_updated_list, lost_list, restore_errors)
response_code = (httplib.OK if len(failed_list) + len(create_errors) == 0
else httplib.INTERNAL_SERVER_ERROR)
bodies = []
for elem in success_list:
bodies.append('Updated {0} to {1}'.format(elem['type'], elem))
for index, elem in enumerate(failed_list):
bodies.append('Failed to update {0} to {1}: {2}'.format(
elem['type'], elem, delete_errors[index]))
for index, elem in enumerate(restore_list):
bodies.append('Failed to update {0} to {1}: {2}'.format(
elem['type'], elem, create_errors[index]))
for index, elem in enumerate(lost_list):
bodies.append('Lost {0}. It used to be {1}: {2}'.format(
elem['type'], elem, restore_errors[index]))
return response_code, {'Content-Type': 'text/plain'}, '\n'.join(bodies)
