ronin-app 0.1.0.rc1

data/lib/ronin/app/types/import.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+#
+# ronin-app - a local web app for Ronin.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-app is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-app is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with ronin-app.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'ronin/app/types'
+
+module Ronin
+  module App
+    module Types
+      #
+      # Types for {Validations::ImportParams} and {Workers::Import}.
+      #
+      module Import
+        # The type of file type
+        TypeType = Types::String.enum('nmap', 'masscan')
+      end
+    end
+  end
+end

data/lib/ronin/app/types/nmap.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+#
+# ronin-app - a local web app for Ronin.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-app is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-app is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with ronin-app.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'ronin/app/types'
+
+require 'nmap/command'
+
+module Ronin
+  module App
+    module Types
+      module Nmap
+        # Represents a time value.
+        Time = Types::String.constrained(format: ::Nmap::Command::Time::REGEXP)
+
+        # Represents a hex string for the `--data` option (ex: `123ABC`).
+        HexString = Types::String.constrained(format: ::Nmap::Command::HexString::REGEXP)
+
+        # Represents a port number (ex: `80`).
+        Port = Types::String.constrained(format: ::Nmap::Command::Port::REGEXP)
+
+        # Represent a port-range (ex: `80` or `1-80`).
+        PortRange = Types::String.constrained(format: ::Nmap::Command::PortRange::REGEXP)
+
+        # Represent a comma separated list of port-ranges (ex: `1-80,443`).
+        PortRangeList = Types::String.constrained(format: ::Nmap::Command::PortRangeList::REGEXP)
+
+        # Represents a protocol list for the `-PO` option.
+        ProtocolList = PortRangeList
+
+        # Represents a single flag value for the `--scanflags` option.
+        ScanFlag = Types::Symbol.enum(
+          urg: 'urg',
+          ack: 'ack',
+          psh: 'psh',
+          rst: 'rst',
+          syn: 'syn',
+          fin: 'fin'
+        )
+
+        # Represents `--scanflags` value.
+        ScanFlags = Types::Array.of(ScanFlag)
+
+        # Represents a value for the `--nsock-engine` option.
+        NsockEngine = Types::String.enum(
+          'iocp',
+          'epoll',
+          'kqueue',
+          'poll',
+          'select'
+        )
+
+        # Represents a value for the `--timing-template` option.
+        TimingTemplate = Types::String.enum(
+          'paranoid',
+          'sneaky',
+          'polite',
+          'normal',
+          'aggressive',
+          'insane'
+        )
+      end
+    end
+  end
+end

data/lib/ronin/app/types/spider.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+#
+# ronin-app - a local web app for Ronin.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-app is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-app is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with ronin-app.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'ronin/app/types'
+
+module Ronin
+  module App
+    module Types
+      #
+      # Types for {Validations::SpiderParams}.
+      #
+      module Spider
+        # The type of web spider targets
+        TargetType = Types::String.enum('host', 'domain', 'site')
+
+        # Represents a list of hosts.
+        HostList = Types::List
+
+        # Represents a comma separated list of ports.
+        PortList = Types::Array.of(Types::Integer).constructor do |value|
+          value.split(/(?:,\s*|\s+)/).map(&:to_i)
+        end
+
+        # Represents a list of URLs.
+        URLList = Types::List
+
+        # Represents a list of file exts.
+        ExtList = Types::List
+      end
+    end
+  end
+end

data/lib/ronin/app/types/vulns.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+#
+# ronin-app - a local web app for Ronin.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-app is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-app is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with ronin-app.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'ronin/app/types'
+
+module Ronin
+  module App
+    module Types
+      #
+      # Types for {Validations::VulnsParams}.
+      #
+      module Vulns
+        module LFI
+          # The type of OS
+          OSType = Types::Symbol.enum(
+            unix:    'unix',
+            windows: 'windows'
+          )
+
+          # The lfi filter bypass technique type
+          FilterBypassType = Types::Symbol.enum(
+            null_byte:     'null_byte',
+            double_escape: 'double_escape',
+            base64:        'base64',
+            rot13:         'rot13',
+            zlib:          'zlib'
+          )
+        end
+
+        module RFI
+          # The rfi filter bypass technique type
+          FilterBypassType = Types::Symbol.enum(
+            null_byte: 'null_byte',
+            double_encode: 'double_encode',
+            suffix_escape: 'suffix_escape'
+          )
+        end
+
+        module SSTI
+          # The type of SSTI escape expression
+          EscapeType = Types::Symbol.enum(
+            double_curly_braces:        'double_curly_braces',
+            dollar_curly_braces:        'dollar_curly_braces',
+            dollar_double_curly_braces: 'dollar_double_curly_braces',
+            pound_curly_braces:         'pound_curly_braces',
+            angle_brackets_percent:     'angle_brackets_percent'
+          )
+        end
+      end
+    end
+  end
+end

data/lib/ronin/app/types.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+#
+# ronin-app - a local web app for Ronin.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-app is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-app is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with ronin-app.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'dry/types'
+
+module Ronin
+  module App
+    #
+    # Types used by `ronin-app`.
+    #
+    module Types
+      include Dry::Types()
+
+      # Represents an Array of argument values.
+      Args = Types::Array.of(Types::String).constructor do |value|
+        value.split
+      end
+
+      # Represents a space or comma separated list of values.
+      List = Types::Array.of(Types::String).constructor do |value|
+        value.split(/(?:,\s*|\s+)/)
+      end
+
+      # Represents a comma separated list of values.
+      CommaSeparatedList = Types::Array.of(Types::String).constructor do |value|
+        value.split(/,\s*/)
+      end
+
+      # Represents an HTTP method name.
+      HTTPMethod = Types::String.enum(
+        'COPY',
+        'DELETE',
+        'GET',
+        'HEAD',
+        'LOCK',
+        'MKCOL',
+        'MOVE',
+        'OPTIONS',
+        'PATCH',
+        'POST',
+        'PROPFIND',
+        'PROPPATCH',
+        'PUT',
+        'TRACE',
+        'UNLOCK'
+      )
+    end
+  end
+end

data/lib/ronin/app/validations/import_params.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+#
+# ronin-app - a local web app for Ronin.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-app is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-app is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with ronin-app.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'ronin/app/types/import'
+
+require 'dry/validation'
+require 'set'
+
+require 'masscan/output_file'
+
+module Ronin
+  module App
+    module Validations
+      #
+      # Validations for the form params submitted to `POST /import`.
+      #
+      class ImportParams < Dry::Validation::Contract
+
+        params do
+          required(:type).filled(Types::Import::TypeType)
+          required(:path).filled(:string)
+        end
+
+        # Mapping of `type` values to their set of valid file extension names.
+        VALID_FILE_EXTS = {
+          'nmap'    => Set['.xml'],
+          'masscan' => Masscan::OutputFile::FILE_FORMATS.keys.to_set
+        }
+
+        rule(:path) do
+          valid_file_exts = VALID_FILE_EXTS.fetch(values[:type])
+
+          unless valid_file_exts.include?(File.extname(value))
+            key.failure("#{values[:type]} file path must end with #{valid_file_exts.join(', ')}")
+          end
+        end
+
+        #
+        # Initializes and calls the validation contract.
+        #
+        # @param [Hash{String => Object}] params
+        #   The HTTP params to validate.
+        #
+        # @return [Dry::Validation::Result]
+        #   The validation result.
+        #
+        def self.call(params)
+          new.call(params)
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/app/validations/install_repo_params.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+#
+# ronin-app - a local web app for Ronin.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-app is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-app is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with ronin-app.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'dry/validation'
+
+require 'uri'
+
+module Ronin
+  module App
+    module Validations
+      #
+      # Validations for form params submitted to `POST /repos/install`.
+      #
+      class InstallRepoParams < Dry::Validation::Contract
+
+        params do
+          required(:uri).filled(:string)
+          optional(:name).maybe(:string)
+        end
+
+        # Regular expression that matches `https://`, `http://`, `ssh://`, and
+        # `git://` URIs.
+        URI_REGEX = URI::DEFAULT_PARSER.make_regexp(%w[https http git ssh])
+
+        # Regular expression that matches both `https://` URIs and
+        # `git@host.com:path/to/repo.git` URIs.
+        GIT_URI_REGEX = %r{\A(?:#{URI_REGEX}|[^@]+@[A-Za-z0-9._-]+(?::\d+)?:[A-Za-z0-9./_-]+)\z}
+
+        rule(:uri) do
+          unless value =~ GIT_URI_REGEX
+            key.failure('URI must be a https:// or a git@host:path/to/repo.git URI')
+          end
+        end
+
+        # Regular expression that matches an alpha-numeric name containing
+        # dashes and/or underscores.
+        NAME_REGEX = /\A[A-Za-z0-9_-]+\z/
+
+        rule(:name) do
+          if value && value !~ NAME_REGEX
+            key.failure('repo name must only contain alpha-numeric, dashes, and underscores')
+          end
+        end
+
+        #
+        # Initializes and calls the validation contract.
+        #
+        # @param [Hash{String => Object}] params
+        #   The HTTP params to validate.
+        #
+        # @return [Dry::Validation::Result]
+        #   The validation result.
+        #
+        def self.call(params)
+          new.call(params)
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/app/validations/masscan_params.rb

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+#
+# ronin-app - a local web app for Ronin.
+#
+# Copyright (c) 2023-2024 Hal Brodigan (postmodern.mod3@gmail.com)
+#
+# ronin-app is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-app is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with ronin-app.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'dry/validation'
+require 'ronin/app/types'
+
+require 'masscan/command'
+
+module Ronin
+  module App
+    module Validations
+      #
+      # Validations for the form params submitted to `POST /masscan`.
+      #
+      class MasscanParams < Dry::Validation::Contract
+
+        params do
+          required(:ips).filled(Types::Args).each(:filled?)
+          required(:ports).filled(:string)
+
+          optional(:banners).maybe(:bool)
+          optional(:rate).maybe(:integer)
+          optional(:config_file).maybe(:string)
+          optional(:adapter).maybe(:string)
+          optional(:adapter_ip).maybe(:string)
+          optional(:adapter_port).maybe(:string)
+          optional(:adapter_mac).maybe(:string)
+          optional(:adapter_vlan).maybe(:string)
+          optional(:router_mac).maybe(:string)
+          optional(:ping).maybe(:bool)
+          optional(:exclude).maybe(:string)
+          optional(:exclude_file).maybe(:string)
+          optional(:include_file).maybe(:string)
+          optional(:pcap_payloads).maybe(:string)
+          optional(:nmap_payloads).maybe(:string)
+          optional(:http_method).maybe(Types::HTTPMethod)
+          optional(:http_url).maybe(:string)
+          optional(:http_version).maybe(:string)
+          optional(:http_host).maybe(:string)
+          optional(:http_user_agent).maybe(:string)
+          optional(:http_field).maybe(:string)
+          optional(:http_cookie).maybe(:string)
+          optional(:http_payload).maybe(:string)
+          optional(:open_only).maybe(:bool)
+          optional(:pcap).maybe(:string)
+          optional(:packet_trace).maybe(:bool)
+          optional(:pfring).maybe(:bool)
+          optional(:shards).maybe(:string)
+          optional(:seed).maybe(:integer)
+          optional(:ttl).maybe(:integer)
+          optional(:wait).maybe(:integer)
+          optional(:retries).maybe(:integer)
+
+          before(:value_coercer) do |result|
+            result.to_h.reject { |key,value| value.empty? }
+          end
+        end
+
+        rule(:ports) do
+          if value && value !~ ::Masscan::Command::PortList::REGEXP
+            key.failure("invalid masscan port list")
+          end
+        end
+
+        rule(:adapter_port) do
+          if value && value !~ ::Masscan::Command::PortRange::REGEXP
+            key.failure('invalid port or port range')
+          end
+        end
+
+        rule(:router_mac) do
+          if value && value !~ ::Masscan::Command::MACAddress::REGEXP
+            key.failure('invalid MAC address')
+          end
+        end
+
+        rule(:exclude) do
+          if value && value !~ ::Masscan::Command::Target::REGEXP
+            key.failure('invalid IP or IP range')
+          end
+        end
+
+        rule(:shards) do
+          if value && value !~ ::Masscan::Command::Shards::REGEXP
+            key.failure('invalid shards value')
+          end
+        end
+
+        #
+        # Initializes and calls the validation contract.
+        #
+        # @param [Hash{String => Object}] params
+        #   The HTTP params to validate.
+        #
+        # @return [Dry::Validation::Result]
+        #   The validation result.
+        #
+        def self.call(params)
+          new.call(params)
+        end
+
+      end
+    end
+  end
+end