fix: ffuf ANSI code processing preventing task to finish #1058
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| if not line: | ||
| break | ||
| line = line.strip() | ||
| ansi_escape = re.compile(r'\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])') |
Check warning
Code scanning / CodeQL
Overly permissive regular expression range Medium
| if not line: | ||
| break | ||
| line = line.strip() | ||
| ansi_escape = re.compile(r'\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])') |
Check warning
Code scanning / CodeQL
Overly permissive regular expression range Medium
|
I think its better to wait for 2.0.2 release until we test this out. Excellent work @ocervell, will test this out tomorow. |
It's a pretty severe bug though, and as this PR will fix it, I think it can be safely merged. From what I'm understanding, Psyray is testing this right now, so let's wait until tests are finished. |
|
Lets hope so! Anyways @ocervell would be the best person to fix this, lets trust his work. since he had worked on the rework of celery tasks and I think he is aware of the ffuf issue. I initially thought it had something to do with celery, if this PR fixes, well and good for all of us. |
I've talked with him, and yes he is aware of this issue. |
|
@ocervell |
|
For the restart, it seems that it comes from an option that I've set in the scanEngine, so forget about it. Anyway, the same problem happens, I've tested on one of my website. Tree view of the running processes |
|
OK found the bug. I try to fix this one. |
|
@psyray for me this solution works! At the same time, I believe our ffuf command is also wrong, I am checking the command once again, but ffuf starts and stops without any issues. |
|
Yes one of the issues is that |
|
Fuzz works fine to what I see as of now.
|
|
Also check the security alerts and its potential risks. Take action on them (e.g. dismissing if false positive). |
@yogeshojha |
|
@ocervell Do you think we should merge this modification ? What was the use case that cause problem for you that need this modification ? |
|
And please, take a look to the security advisories as I pointed out earlier. |
|
I am doubting that #1063 is related only to ffuf, seems like an extra issue that could be triggered by any duplicate endpoint added to the db; for me this PR resolves the problem with ffuf not completing properly. As for the security advisory, not sure how impactful it is ... If you have a better regex to replace ANSI codes feel free to change it. |
|
I agree with @ocervell duplicate endpoint is coming from elsewhere. The function where we save endpoint has get_or_create, that should have never written duplicate endpoints. It is either coming from http crawler or manual entry. |
Duplicate endpoint seems to come from the missing target_domain_id and PR has been merged. Now duplicate endpoint task should better do his job. Maybe there's another source of duplicate. So we need to test with a clean db and launch multiples scans, then check the db with this query SELECT http_url, COUNT(http_url) as url_count, is_default FROM public."startScan_endpoint"
group by http_url, is_default
having COUNT(http_url) > 1
order by url_count descOr this python code >>> from django.db.models import Count
>>> EndPoint.objects.values('http_url').annotate(Count('http_url')).order_by().filter(http_url__count__gt=1)
<QuerySet [{'http_url': 'http://testphp.vulnweb.com', 'http_url__count': 2}]>To see if duplicates are coming again |
ocervell
changed the title
Should
Needs to be tested for potential impact on other tasks (e.g: dalfox)