-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathinql_burp.py
71 lines (60 loc) · 160 KB
/
inql_burp.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
#!/usr/bin/env python
import contextlib as __stickytape_contextlib
@__stickytape_contextlib.contextmanager
def __stickytape_temporary_dir():
import tempfile
import shutil
dir_path = tempfile.mkdtemp()
try:
yield dir_path
finally:
shutil.rmtree(dir_path)
with __stickytape_temporary_dir() as __stickytape_working_dir:
def __stickytape_write_module(path, contents):
import os, os.path
def make_package(path):
parts = path.split("/")
partial_path = __stickytape_working_dir
for part in parts:
partial_path = os.path.join(partial_path, part)
if not os.path.exists(partial_path):
os.mkdir(partial_path)
open(os.path.join(partial_path, "__init__.py"), "w").write("\n")
make_package(os.path.dirname(path))
full_path = os.path.join(__stickytape_working_dir, path)
with open(full_path, "w") as module_file:
module_file.write(contents)
import sys as __stickytape_sys
__stickytape_sys.path.insert(0, __stickytape_working_dir)
__stickytape_write_module('''inql/burp_ext/editor.py''', '''import platform\n\nif platform.system() != "Java":\n print("Load this file inside jython, if you need the stand-alone tool run: inql")\n exit(-1)\n\nimport json\n\nfrom burp import IMessageEditorTab\n\nfrom javax.swing import JFrame, JPanel, JLabel, JSplitPane\nfrom java.awt import BorderLayout\n\nfrom inql.widgets.payloadview import PayloadView\n\n\nclass GraphQLEditorTab(IMessageEditorTab):\n """\n GraphQL Editor TAB\n """\n def __init__(self, callbacks, editable):\n self.payload_view = PayloadView(payload=\'\', texteditor_factory=callbacks.createTextEditor, editable=editable)\n self._helpers = callbacks.getHelpers()\n self._currentMessage = \'\'\n\n def getTabCaption(self):\n """\n Define Message Editor Properties for GQL Editor\n\n :return: InQL burp message editor name\n """\n return "InQL"\n\n def getUiComponent(self):\n """\n Get UI Component. Overrides IMessageEditorTab.\n\n :return: UI txt component\n """\n return self.payload_view.this\n\n def isEnabled(self, content, isRequest):\n """\n Check if we can enable or not the MessageEditorTab. Overrides IMessageEditorTab.\n\n :param content: message request/response\n :param isRequest: check if is request\n :return: True or False depending if the request is enabled to be edited with this tab.\n """\n if isRequest:\n rBody = self._helpers.analyzeRequest(content)\n\n else:\n rBody = self._helpers.analyzeResponse(content)\n\n message = content[rBody.getBodyOffset():].tostring().strip()\n try:\n content = json.loads(str(message))\n if isinstance(content, list):\n content = content[0]\n\n return \'query\' in content and \\\n any([content[\'query\'].strip().startswith(qtype) for qtype in [\'query\', \'mutation\', \'subscription\', \'{\']])\n except ValueError:\n return False\n\n def setMessage(self, content, isRequest):\n """\n Message Setter. Overrides IMessageEditorTab.\n\n :param content: message request/response\n :param isRequest: check if is request\n :return: the modified body\n """\n if content is not None:\n r = self._helpers.analyzeRequest(content)\n self._currentMessage = content\n message = content[r.getBodyOffset():].tostring()\n\n try:\n self.payload_view.refresh(message)\n except ValueError:\n pass\n\n def getMessage(self):\n """\n Message Getter. Overrides IMessageEditorTab.\n\n :return: the current message\n """\n if self.isModified():\n try:\n request_body = self.payload_view.textarea().getText()\n r = self._helpers.analyzeRequest(self._currentMessage)\n return self._helpers.buildHttpMessage(r.getHeaders(), request_body)\n except Exception as ex:\n print(ex)\n return self._helpers.buildHttpMessage(r.getHeaders(), self._currentMessage[r.getBodyOffset():].tostring())\n\n\n def isModified(self):\n """\n Check if the message was modified.\n\n :return: True if the message was modified.\n """\n r = self._helpers.analyzeRequest(self._currentMessage)\n return self._currentMessage[r.getBodyOffset():].tostring() != self.payload_view.textarea().getText()\n\n\n def getSeletedData(self):\n """\n Return the selected data.\n\n :return: the selected string.\n """\n return self.payload_view.textarea().getSeletedText()''')
__stickytape_write_module('''inql/actions/sendto.py''', '''import platform\n\nif platform.system() != "Java":\n print("Load this file inside jython, if you need the stand-alone tool run: inql")\n exit(-1)\n\ntry:\n from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer\nexcept ImportError:\n from http.server import BaseHTTPRequestHandler, HTTPServer\n\ntry:\n import urllib.request as urllib_request # for Python 3\nexcept ImportError:\n import urllib2 as urllib_request # for Python 2 and Jython\n\nimport threading\nimport json\n\nfrom email.parser import HeaderParser\n\nfrom java.awt.event import ActionListener\nfrom javax.swing import JMenuItem\nfrom org.python.core.util import StringUtil\n\ntry:\n from burp import IProxyListener, IContextMenuFactory\nexcept ImportError:\n IProxyListener = object\n IContextMenuFactory = object\n\nfrom inql.constants import *\nfrom inql.utils import string_join, override_headers, make_http_handler, HTTPRequest\nfrom inql.actions.browser import URLOpener\n\n\nclass OmniMenuItem(IContextMenuFactory):\n def __init__(self, helpers=None, callbacks=None, text=\'\'):\n self._helpers = helpers\n self._callbacks = callbacks\n self.menuitem = JMenuItem(text)\n self._burp_menuitem = JMenuItem("inql: %s" % text)\n self.set_enabled(False)\n self._callbacks.registerContextMenuFactory(self)\n\n def add_action_listener(self, action_listener):\n self._action_listener = action_listener\n self.menuitem.addActionListener(action_listener)\n self._burp_menuitem.addActionListener(action_listener)\n\n def set_enabled(self, enabled):\n self.menuitem.setEnabled(enabled)\n self._burp_menuitem.setEnabled(enabled)\n\n def createMenuItems(self, invocation):\n """\n Overrides IContextMenuFactory callback\n\n :param invocation: handles menu selected invocation\n :return:\n """\n try:\n r = invocation.getSelectedMessages()[0]\n info = self._helpers.analyzeRequest(r)\n url = str(info.getUrl())\n if not any([x in url for x in URLS]):\n return None\n body = r.getRequest()[info.getBodyOffset():].tostring()\n for h in info.getHeaders():\n if h.lower().startswith("host:"):\n domain = h[5:].strip()\n\n self._action_listener.ctx(fname=\'dummy.query\', host=domain, payload=body)\n mymenu = []\n mymenu.append(self._burp_menuitem)\n except Exception as ex:\n return None\n return mymenu\n\n\nclass SimpleMenuItem:\n def __init__(self, text=None):\n self.menuitem = JMenuItem(text)\n self.menuitem.setEnabled(False)\n\n def add_action_listener(self, action_listener):\n self.menuitem.addActionListener(action_listener)\n\n def set_enabled(self, enabled):\n self.menuitem.setEnabled(enabled)\n\n\nclass EnhancedHTTPMutator(IProxyListener):\n def __init__(self, callbacks=None, helpers=None, overrideheaders=None, requests=None, stub_responses=None):\n self._requests = requests if requests is not None else {}\n self._overrideheaders = overrideheaders if overrideheaders is not None else {}\n self._overrideheaders = overrideheaders if overrideheaders is not None else {}\n self._index = 0\n self._stub_responses = stub_responses if stub_responses is not None else {}\n\n if helpers and callbacks:\n self._helpers = helpers\n self._callbacks = callbacks\n self._callbacks.registerProxyListener(self)\n for r in self._callbacks.getProxyHistory():\n self._process_request(self._helpers.analyzeRequest(r), r.getRequest())\n\n\n def _process_request(self, reqinfo, reqbody):\n """\n Process request and extract key values\n\n :param reqinfo:\n :param reqbody:\n :return:\n """\n url = str(reqinfo.getUrl())\n if any([url.endswith(x) for x in URLS]):\n for h in reqinfo.getHeaders():\n if h.lower().startswith("host:"):\n domain = h[5:].strip()\n\n method = reqinfo.getMethod()\n try:\n self._requests[domain]\n except KeyError:\n self._requests[domain] = {\'POST\': None, \'PUT\': None, \'GET\': None, \'url\': None}\n self._requests[domain][method] = (reqinfo, reqbody)\n self._requests[domain][\'url\'] = url\n\n def processProxyMessage(self, messageIsRequest, message):\n """\n Implements IProxyListener method\n\n :param messageIsRequest: True if BURP Message is a request\n :param message: message content\n :return: None\n """\n if self._helpers and self._callbacks and messageIsRequest:\n self._process_request(self._helpers.analyzeRequest(message.getMessageInfo()),\n message.getMessageInfo().getRequest())\n\n def get_graphiql_target(self, server_port, host=None, query=None, variables=None):\n base_url = "http://localhost:%s/%s" % (server_port, self._requests[host][\'url\'])\n arguments = ""\n if query or variables:\n arguments += \'?\'\n args = []\n if host:\n args.append("query=%s" % urllib_request.quote(query))\n if variables:\n args.append("variables=%s" % urllib_request.quote(json.dumps(variables)))\n arguments += "&".join(args)\n\n return base_url + arguments\n\n def has_host(self, host):\n try:\n self._requests[host]\n return True\n except KeyError:\n return False\n\n def build_python_request(self, endpoint, host, payload):\n req = self._requests[host][\'POST\'] or self._requests[host][\'PUT\'] or self._requests[host][\'GET\']\n if req:\n original_request = HTTPRequest(req[1])\n del original_request.headers[\'Content-Length\']\n\n # TODO: Implement custom headers in threads. It is not easy to share them with the current architecture.\n return urllib_request.Request(endpoint, payload, headers=original_request.headers)\n\n def get_stub_response(self, host):\n return self._stub_responses[host] if host in self._stub_responses else None\n\n def set_stub_response(self, host, payload):\n self._stub_responses[host] = payload\n\n def send_to_repeater(self, host, payload):\n req = self._requests[host][\'POST\'] or self._requests[host][\'PUT\'] or self._requests[host][\'GET\']\n if req and self._callbacks and self._helpers:\n info = req[0]\n body = req[1]\n nobody = body[:info.getBodyOffset()].tostring()\n rstripoffset = info.getBodyOffset()-len(nobody.rstrip())\n headers = body[:info.getBodyOffset()-rstripoffset].tostring()\n\n try:\n self._overrideheaders[host]\n except KeyError:\n self._overrideheaders[host] = []\n\n headers = override_headers(headers, self._overrideheaders[host])\n repeater_body = StringUtil.toBytes(string_join(\n headers,\n body[info.getBodyOffset()-rstripoffset:info.getBodyOffset()].tostring(),\n payload))\n\n self._callbacks.sendToRepeater(info.getUrl().getHost(), info.getUrl().getPort(),\n info.getUrl().getProtocol() == \'https\', repeater_body,\n \'GraphQL #%s\' % self._index)\n self._index += 1\n\n\nclass RepeaterSenderAction(ActionListener):\n def __init__(self, omnimenu, http_mutator):\n self._http_mutator = http_mutator\n self._omnimenu = omnimenu\n self._omnimenu.add_action_listener(self)\n self.menuitem = self._omnimenu.menuitem\n self._host = None\n self._payload = None\n self._fname = None\n\n def actionPerformed(self, e):\n """\n Overrides ActionListener behaviour. Send current query to repeater.\n\n :param e: unused\n :return: None\n """\n self._http_mutator.send_to_repeater(self._host, self._payload)\n\n def ctx(self, host=None, payload=None, fname=None):\n """\n When a fname is specified and is a query file or a request is selected in the other tabs,\n enables the context menu to send to repeater tab\n\n :param host: should be not null\n :param payload: should be not null\n :param fname: should be not null\n :return: None\n """\n self._host = host\n self._payload = payload\n self._fname = fname\n\n if not self._fname.endswith(\'.query\'):\n self._omnimenu.set_enabled(False)\n return\n\n if self._http_mutator.has_host(host):\n self._omnimenu.set_enabled(True)\n else:\n self._omnimenu.set_enabled(False)\n\n\nclass GraphiQLSenderAction(ActionListener):\n def __init__(self, omnimenu, http_mutator):\n self._http_mutator = http_mutator\n self._omnimenu = omnimenu\n self._omnimenu.add_action_listener(self)\n self.menuitem = self._omnimenu.menuitem\n self._server = HTTPServer((\'127.0.0.1\', 0), make_http_handler(http_mutator))\n t = threading.Thread(target=self._server.serve_forever)\n #t.daemon = True\n t.start()\n\n def actionPerformed(self, e):\n """\n Override the ActionListener method. Usually setup in combination with a menuitem click.\n :param e: unused\n :return:\n """\n content = json.loads(self._payload)\n if isinstance(content, list):\n content = content[0]\n\n URLOpener().open(self._http_mutator.get_graphiql_target(\n self._server.server_port, self._host,\n content[\'query\'] if \'query\' in content else None,\n content[\'variables\'] if \'variables\' in content else None))\n\n def ctx(self, host=None, payload=None, fname=None):\n """\n When a fname is specified and is a query file or a request is selected in the other tabs,\n enables the context menu to send to repeater tab\n\n :param host: should be not null\n :param payload: should be not null\n :param fname: should be not null\n :return: None\n """\n self._host = host\n self._payload = payload\n self._fname = fname\n\n if not self._fname.endswith(\'.query\'):\n self._omnimenu.set_enabled(False)\n return\n\n if self._http_mutator.has_host(host):\n self._omnimenu.set_enabled(True)\n else:\n self._omnimenu.set_enabled(False)''')
__stickytape_write_module('''inql/burp_ext/scanner.py''', '''import platform\n\nif platform.system() != "Java":\n print("Load this file inside jython, if you need the stand-alone tool run: inql")\n exit(-1)\n\nfrom array import array\n\nfrom burp import IScanIssue, IScannerCheck\n\nfrom inql.constants import TECH_CHECKS, CONSOLE_CHECKS, URLS\n\n\nclass _CustomScanIssue(IScanIssue):\n """\n Custom Scan Issue Container\n """\n def __init__(self, http_service, url, http_messages, name, detail, severity, confidence, issuebg, rembg, remdet):\n self._http_service = http_service\n self._url = url\n self._http_messages = http_messages\n self._name = name\n self._detail = detail\n self._severity = severity\n self._confidence = confidence\n self._issuebg = issuebg\n self._rembg = rembg\n self._remdet = remdet\n\n def getUrl(self):\n """\n Overrides IScanIssue\n\n :return: the URL\n """\n return self._url\n\n def getIssueName(self):\n """\n Overrides IScanIssue\n\n :return: the Issue Name\n """\n return self._name\n\n def getIssueType(self):\n """\n Overrides IScanIssue\n\n See http://portswigger.net/burp/help/scanner_issuetypes.html\n\n :return: always 0\n """\n return 0\n\n def getSeverity(self):\n """\n Overrides IScanIssue\n\n :return: "High", "Medium", "Low", "Information" or "False positive"\n """\n return self._severity\n\n def getConfidence(self):\n """\n Overrides IScanIssue\n\n :return: "Certain", "Firm" or "Tentative"\n """\n return self._confidence\n\n def getIssueBackground(self):\n """\n Overrides IScanIssue\n\n :return: issue background\n """\n return self._issuebg\n\n def getRemediationBackground(self):\n """\n Overrides IScanIssue\n\n :return: remediation background\n """\n return self._rembg\n\n def getIssueDetail(self):\n """\n Overrides IScanIssue\n\n :return: issue detail\n """\n return self._detail\n\n def getRemediationDetail(self):\n """\n Overrides IScanIssue\n\n :return: remediation detail\n """\n return self._remdet\n\n def getHttpMessages(self):\n """\n Overrides IScanIssue\n\n :return: Http messages content\n """\n return self._http_messages\n\n def getHttpService(self):\n """\n Overrides IScanIssue\n\n :return: Http Service\n """\n return self._http_service\n\n\nclass BurpScannerCheck(IScannerCheck):\n """\n Scanner Check\n """\n def __init__(self, callbacks):\n self._callbacks = callbacks\n self._helpers = callbacks.getHelpers()\n\n def _get_matches(self, response, match):\n """\n helper method to search a response for occurrences of a literal match string\n and return a list of start/end offsets.\n\n :param response: response object to search for\n :param match: search term\n :return: matches\n """\n matches = []\n start = 0\n reslen = len(response)\n matchlen = len(match)\n while start < reslen:\n """\n indexOf(byte[] data, byte[] pattern, boolean caseSensitive, int from, int to)\n This method searches a piece of data for the first occurrence of a specified pattern.\n """\n start = self._helpers.indexOf(response, match, False, start, reslen)\n if start == -1:\n break\n matches.append(array(\'i\', [start, start + matchlen]))\n start += matchlen\n\n return matches\n\n def doPassiveScan(self, baseRequestResponse):\n """\n Override IScannerCheck method.\n\n :param baseRequestResponse: burp requestResponse message.\n :return: issues containing all the burp findings, they will be added to the found issues.\n """\n issues = []\n for check in TECH_CHECKS:\n # look for matches of our passive check grep string\n matches = self._get_matches(baseRequestResponse.getResponse(), bytearray(check))\n if len(matches) != 0:\n # report the issue\n issues.extend([_CustomScanIssue(\n http_service=baseRequestResponse.getHttpService(),\n url=self._helpers.analyzeRequest(baseRequestResponse).getUrl(),\n http_messages=[self._callbacks.applyMarkers(baseRequestResponse, None, matches)],\n name="GraphQL Technology",\n detail="The website is using GraphQL Technology!<br><br>"\n "GraphQL is an open-source data query and manipulation language for APIs, and a runtime for fulfilling queries with existing data. GraphQL was developed internally by Facebook in 2012 before being publicly released in 2015.<br><br>"\n "It provides an efficient, powerful and flexible approach to developing web APIs, and has been compared and contrasted with REST and other web service architectures. It allows clients to define the structure of the data required, and exactly the same structure of the data is returned from the server, therefore preventing excessively large amounts of data from being returned, but this has implications for how effective web caching of query results can be. The flexibility and richness of the query language also adds complexity that may not be worthwhile for simple APIs. It consists of a type system, query language and execution semantics, static validation, and type introspection.<br><br>"\n "GraphQL supports reading, writing (mutating) and subscribing to changes to data (realtime updates).",\n severity="Information", confidence="Firm", issuebg="Not posing any imminent security risk.",\n rembg="<ul><li><a href=\'https://graphql.org/\'>GraphQL</a></li></ul>",\n remdet=""\n )])\n\n for check in CONSOLE_CHECKS:\n # look for matches of our passive check grep string\n matches = self._get_matches(baseRequestResponse.getResponse(), bytearray(check))\n if len(matches) != 0:\n # report the issue\n issues.extend([_CustomScanIssue(\n http_service=baseRequestResponse.getHttpService(),\n url=self._helpers.analyzeRequest(baseRequestResponse).getUrl(),\n http_messages=[self._callbacks.applyMarkers(baseRequestResponse, None, matches)],\n name="Exposed GraphQL Development Console",\n detail="GraphQL is a query language for APIs and a runtime for fulfilling queries with existing data.<br><br>"\n "<b>GraphiQL/GraphQL Playground</b> are in-browser tools for writing, validating, and testing GraphQL queries.<br><br>"\n "The response contains the following string: <b>%s</b>." % check,\n severity="Low", confidence="Firm", issuebg="Not posing any imminent security risk.",\n rembg="<ul>"\n "<li><a href=\'https://graphql.org/\'>GraphQL</a></li>"\n "<li><a href=\'https://github.com/graphql/graphiql\'>GraphiQL</a></li>"\n "<li><a href=\'https://github.com/prisma/graphql-playground\'>GraphQL Playground</a></li>"\n "</ul>",\n remdet="Remove the GraphQL development console from web-application in a production stage.<br><br>"\n "Disable GraphiQL<br>"\n "<pre>if (process.env.NODE_ENV === \'development\') {</pre></br>"\n "<pre> app.all(</pre></br>"\n "<pre> \'/graphiql\',</pre></br>"\n "<pre> graphiqlExpress({</pre></br>"\n "<pre> endpointURL: \'/graphql\',</pre></br>"\n "<pre> }),</pre></br>"\n "<pre> );</pre></br>"\n "<pre>}</pre>"\n )])\n\n return issues\n\n def doActiveScan(self, baseRequestResponse, insertionPoint):\n """\n Override IScannerCheck method.\n\n :param baseRequestResponse: burp requestResponse message.\n :param insertionPoint: where to insert the payload, never used\n :return: issues containing all the burp findings, they will be added to the found issues.\n """\n\n issues = []\n # will request the URLS, passive scanner will do the grep and match\n for url in URLS:\n path = self._callbacks.getHelpers().analyzeRequest(baseRequestResponse).getUrl().getPath()\n # replace the path inside the old bytearray for the new request\n newReq = self._callbacks.getHelpers().bytesToString(baseRequestResponse.getRequest()).replace(path, url,\n 1)\n result = self._callbacks.makeHttpRequest(baseRequestResponse.getHttpService(), newReq)\n for check in TECH_CHECKS:\n # look for matches of our passive check grep string\n matches = self._get_matches(result.getResponse(), bytearray(check))\n if len(matches) != 0:\n # report the issue\n issues.extend([_CustomScanIssue(\n http_service=result.getHttpService(),\n url=self._helpers.analyzeRequest(result).getUrl(),\n http_messages=[self._callbacks.applyMarkers(result, None, matches)],\n name="GraphQL Technology",\n detail="The website is using GraphQL Technology!<br><br>"\n "GraphQL is an open-source data query and manipulation language for APIs, and a runtime for fulfilling queries with existing data. GraphQL was developed internally by Facebook in 2012 before being publicly released in 2015.<br><br>"\n "It provides an efficient, powerful and flexible approach to developing web APIs, and has been compared and contrasted with REST and other web service architectures. It allows clients to define the structure of the data required, and exactly the same structure of the data is returned from the server, therefore preventing excessively large amounts of data from being returned, but this has implications for how effective web caching of query results can be. The flexibility and richness of the query language also adds complexity that may not be worthwhile for simple APIs. It consists of a type system, query language and execution semantics, static validation, and type introspection.<br><br>"\n "GraphQL supports reading, writing (mutating) and subscribing to changes to data (realtime updates).",\n severity="Information", confidence="Firm", issuebg="Not posing any imminent security risk.",\n rembg="<ul><li><a href=\'https://graphql.org/\'>GraphQL</a></li></ul>",\n remdet=""\n )])\n\n for check in CONSOLE_CHECKS:\n # look for matches of our passive check grep string\n matches = self._get_matches(result.getResponse(), bytearray(check))\n if len(matches) != 0:\n # report the issue\n issues.extend([_CustomScanIssue(\n http_service=result.getHttpService(),\n url=self._helpers.analyzeRequest(result).getUrl(),\n http_messages=[self._callbacks.applyMarkers(result, None, matches)],\n name="Exposed GraphQL Development Console",\n detail="GraphQL is a query language for APIs and a runtime for fulfilling queries with existing data.<br><br>"\n "<b>GraphiQL/GraphQL Playground</b> are in-browser tools for writing, validating, and testing GraphQL queries.<br><br>"\n "The response contains the following string: <b>%s</b>." % check,\n severity="Low", confidence="Firm", issuebg="Not posing any imminent security risk.",\n rembg="<ul>"\n "<li><a href=\'https://graphql.org/\'>GraphQL</a></li>"\n "<li><a href=\'https://github.com/graphql/graphiql\'>GraphiQL</a></li>"\n "<li><a href=\'https://github.com/prisma/graphql-playground\'>GraphQL Playground</a></li>"\n "</ul>",\n remdet="Remove the GraphQL development console from web-application in a production stage.<br><br>"\n "Disable GraphiQL<br>"\n "<pre>if (process.env.NODE_ENV === \'development\') {</pre></br>"\n "<pre> app.all(</pre></br>"\n "<pre> \'/graphiql\',</pre></br>"\n "<pre> graphiqlExpress({</pre></br>"\n "<pre> endpointURL: \'/graphql\',</pre></br>"\n "<pre> }),</pre></br>"\n "<pre> );</pre></br>"\n "<pre>}</pre>"\n )])\n\n return issues\n\n def consolidateDuplicateIssues(self, existingIssue, newIssue):\n """\n This method is called when multiple issues are reported for the same URL\n path by the same extension-provided check. The value we return from this\n method determines how/whether Burp consolidates the multiple issues\n to prevent duplication\n\n Do not report same issues on the same path\n\n :param existingIssue: an issue we have already saved\n :param newIssue: an issue we are gonna insert\n :return: 0 if the issue as to be inserted, -1 otherwise\n """\n\n if (existingIssue.getHttpMessages()[0].getHttpService().getHost() == newIssue.getHttpMessages()[\n 0].getHttpService().getHost()) and (\n existingIssue.getHttpMessages()[0].getHttpService().getPort() == newIssue.getHttpMessages()[\n 0].getHttpService().getPort()):\n return -1\n else:\n return 0''')
__stickytape_write_module('''inql/widgets/tab.py''', '''from __future__ import print_function\nimport platform\n\n\nif platform.system() != "Java":\n print("Load this file inside jython, if you need the stand-alone tool run: inql")\n exit(-1)\n\n# JAVA GUI Import\nfrom java.awt import Color, BorderLayout\nfrom javax.swing import (JFrame, JPanel, JPopupMenu, JFileChooser)\nfrom java.lang import System\nfrom java.io import File\n\nimport os\nimport json\nimport string\nimport time\nimport sys\n\nfrom inql.actions.executor import ExecutorAction\nfrom inql.actions.browser import BrowserAction\nfrom inql.introspection import init\nfrom inql.constants import *\nfrom inql.widgets.omnibar import Omnibar\nfrom inql.widgets.fileview import FileView\nfrom inql.widgets.propertyeditor import PropertyEditor\nfrom inql.utils import inherits_popup_menu, AttrDict, run_async\n\n\nclass GraphQLPanel():\n """\n Compound class that represents the burp user interface tab.\n\n It can run standalone with limited functionalities with: jython -m inql.widgets.tab\n """\n def __init__(self, actions=[], restore=None, proxy=None, http_mutator=None, texteditor_factory=None, requests=None, stub_responses=None):\n self._requests = requests if requests is not None else {}\n self._stub_responses = stub_responses if stub_responses is not None else {}\n self._actions = actions\n self._load_headers = []\n self._run_config = [\n [\'Proxy\', proxy],\n [\'Authorization Key\', None],\n [\'Load Placeholders\', True],\n [\'Generate HTML DOC\', True],\n [\'Generate Schema DOC\', False],\n [\'Generate Stub Queries\', True],\n [\'Accept Invalid SSL Certificate\', True]\n ]\n self._init_config = json.loads(json.dumps(self._run_config))\n self._default_config = {}\n for k, v in self._run_config:\n self._default_config[k] = v\n self._old_config_hash = None\n self._actions.append(BrowserAction())\n self._actions.append(ExecutorAction("Configure", lambda _: self._setup()))\n self._actions.append(ExecutorAction("Load", self._loadurl))\n self._actions = [a for a in reversed(self._actions)]\n self._http_mutator = http_mutator\n\n self.this = JPanel()\n self.this.setLayout(BorderLayout())\n self._omnibar = Omnibar(\n hint=DEFAULT_LOAD_URL,\n label="Load",\n action=self._loadurl)\n self.this.add(BorderLayout.PAGE_START, self._omnibar.this)\n self._fileview = FileView(\n dir=os.getcwd(),\n filetree_label="Queries, Mutations and Subscriptions",\n texteditor_factory=texteditor_factory)\n self.this.add(BorderLayout.CENTER, self._fileview.this)\n self._fileview.addTreeListener(self._tree_listener)\n self._fileview.addPayloadListener(self._payload_listener)\n\n self._popup = JPopupMenu()\n self.this.setComponentPopupMenu(self._popup)\n inherits_popup_menu(self.this)\n\n for action in self._actions:\n self._popup.add(action.menuitem)\n\n self._state = {\'runs\': []}\n try:\n if restore:\n cfg = json.loads(restore)\n if \'runs\' in cfg:\n for target, key, proxy, headers, load_placeholer, generate_html, generate_schema, generate_queries, accept_invalid_certificate, flag in cfg[\'runs\']:\n self._run(target=target,\n key=key,\n proxy=proxy,\n headers=headers,\n load_placeholer=load_placeholer,\n generate_html=generate_html,\n generate_schema=generate_schema,\n generate_queries=generate_queries,\n accept_invalid_certificate=accept_invalid_certificate,\n flag=flag)\n self._run_config = cfg[\'config\']\n except Exception as ex:\n print("Cannot Load old configuration: starting with a clean state: %s" % ex)\n sys.stdout.flush()\n self._state[\'config\'] = self._run_config\n\n def _setup_headers(self):\n """\n Setup Headers callback\n :return: None\n """\n PropertyEditor.get_instance(\n text=\'Load Headers\',\n columns=[\'Header\', \'Value\'],\n data=self._load_headers,\n empty=["X-New-Header", "X-New-Header-Value"])\n\n def _setup(self):\n """\n Setup callback\n :return: None\n """\n PropertyEditor.get_instance(\n text="Configure InQL",\n columns=[\'Property\', \'Value\'],\n data=self._run_config,\n actions=[\n ExecutorAction("Setup Load Headers",\n lambda _: self._setup_headers()),\n ExecutorAction("Reset",\n lambda _: self._reset())\n ]\n )\n\n def _cfg(self, key):\n """\n :param key: the key of the configuration\n :return: configuration value or default if unset\n """\n new_hash = hash(string.join([str(i) for _, i in self._run_config]))\n if self._old_config_hash != new_hash:\n self._config = {}\n for k, v in self._run_config:\n self._config[k] = v\n self._old_config_hash = new_hash\n try:\n return self._config[key]\n except KeyError:\n try:\n return self._default_config[key]\n except KeyError:\n return None\n\n def state(self):\n """\n Tab State, used to regenerate the status after load.\n\n :return: the current status in JSON format, this will be saved in BURP preferences for later reuse\n """\n return json.dumps(self._state)\n\n def _reset(self):\n """Reset configuration state"""\n self._state[\'config\'] = json.loads(json.dumps(self._init_config))\n self._run_config = self._state[\'config\']\n self._state[\'runs\'] = {}\n\n\n def _tree_listener(self, e):\n """\n Listen to Ftree change and act on that behalf.\n\n :param e: get current path and set the context on every action.\n :return: None\n """\n try:\n host = [str(p) for p in e.getPath().getPath()][1]\n self._host = host\n fname = os.path.join(*[str(p) for p in e.getPath().getPath()][1:])\n self._fname = fname\n f = open(fname, "r")\n payload = f.read()\n for action in self._actions:\n action.ctx(host=host, payload=payload, fname=fname)\n except IOError:\n pass\n\n def _payload_listener(self, e):\n """\n Listen for Payload Change and change the context of every action accordingly.\n\n :param e: event change.\n :return: None\n """\n\n try:\n doc = e.getDocument()\n payload = doc.getText(0, doc.getLength())\n for action in self._actions:\n action.ctx(host=self._host, payload=payload, fname=self._fname)\n except Exception:\n pass\n\n def _filepicker(self):\n """\n Run the filepicker and return if approved\n\n :return: boolean, true if approved\n """\n fileChooser = JFileChooser()\n fileChooser.setCurrentDirectory(File(System.getProperty("user.home")))\n result = fileChooser.showOpenDialog(self.this)\n isApproveOption = result == JFileChooser.APPROVE_OPTION\n if isApproveOption:\n selectedFile = fileChooser.getSelectedFile()\n self._omnibar.setText(selectedFile.getAbsolutePath())\n return isApproveOption\n\n def _loadurl(self, evt):\n """\n load url if present.\n\n :param evt: load url or reload itself with the same evt.\n :return: None\n """\n target = self._omnibar.getText().strip()\n if target == DEFAULT_LOAD_URL:\n if self._filepicker():\n self._loadurl(evt)\n elif target == \'about:config\':\n self._setup()\n self._omnibar.reset()\n elif target == \'about:headers\':\n self._setup_headers()\n self._omnibar.reset()\n elif target.startswith(\'http://\') or target.startswith(\'https://\'):\n print("Quering GraphQL schema from: %s" % target)\n self._run(target=target,\n key=self._cfg(\'Authorization Key\'),\n proxy=self._cfg(\'Proxy\'),\n headers=self._load_headers,\n load_placeholer=self._cfg(\'Load Placeholders\'),\n generate_html=self._cfg(\'Generate HTML DOC\'),\n generate_schema=self._cfg(\'Generate Schema DOC\'),\n generate_queries=self._cfg(\'Generate Stub Queries\'),\n accept_invalid_certificate=self._cfg(\'Accept Invalid SSL Certificate\'),\n flag="URL")\n elif not os.path.isfile(target):\n if self._filepicker():\n self._loadurl(evt)\n else:\n print("Loading JSON schema from: %s" % target)\n self._run(target=target,\n key=self._cfg(\'Authorization Key\'),\n proxy=self._cfg(\'Proxy\'),\n headers=self._load_headers,\n load_placeholer=self._cfg(\'Load Placeholders\'),\n generate_html=self._cfg(\'Generate HTML DOC\'),\n generate_schema=self._cfg(\'Generate Schema DOC\'),\n generate_queries=self._cfg(\'Generate Stub Queries\'),\n accept_invalid_certificate=self._cfg(\'Accept Invalid SSL Certificate\'),\n flag="JSON")\n\n\n def _run(self, target, key, proxy, headers, load_placeholer, generate_html, generate_schema, generate_queries,\n accept_invalid_certificate, flag):\n """\n Run the actual analysis, this method is a wrapper for the non-UI version of the tool and basically calls the\n main/init method by itself.\n\n :param target: target URL\n :param load_placeholer: load placeholder option\n :param generate_html: generate html option\n :param generate_schema: generate schema option\n :param generate_queries: generate queries option\n :param flag: "JSON" file or normal target otherwise\n :return: None\n """\n self._omnibar.reset()\n args = {"key": key, "proxy": proxy, \'headers\': headers, "detect": load_placeholer,\n "generate_html": generate_html,\n "generate_schema": generate_schema,\n "generate_queries": generate_queries,\n "target": target if flag != "JSON" else None,\n "schema_json_file": target if flag == "JSON" else None,\n "insecure_certificate": accept_invalid_certificate,\n "requests": self._requests,\n "stub_responses": self._stub_responses}\n\n # call init method from Introspection tool\n if flag == \'JSON\':\n with open(target, \'r\') as f:\n host = os.path.splitext(os.path.basename(target))[0]\n self._http_mutator.set_stub_response(host, f.read())\n\n def async_run():\n init(AttrDict(args.copy()))\n self._state[\'runs\'].append((\n target, key, proxy, headers, load_placeholer, generate_html, generate_schema, generate_queries,\n accept_invalid_certificate, flag))\n self._fileview.refresh()\n\n run_async(async_run)\n return\n\n def app(self, label="InQL Scanner"):\n frame = JFrame(label)\n frame.setForeground(Color.black)\n frame.setBackground(Color.lightGray)\n cp = frame.getContentPane()\n cp.add(self.this)\n frame.pack()\n frame.setVisible(True)\n frame.setDefaultCloseOperation(JFrame.DISPOSE_ON_CLOSE)\n while frame.isVisible():\n time.sleep(1)\n\nif __name__ == "__main__":\n import tempfile\n tmpdir = tempfile.mkdtemp()\n from java.awt.event import ActionListener\n from javax.swing import JMenuItem\n\n class TestAction(ActionListener):\n def __init__(self, text):\n self.requests = {}\n self.menuitem = JMenuItem(text)\n self.menuitem.addActionListener(self)\n self.enabled = True\n self.menuitem.setEnabled(self.enabled)\n\n def actionPerformed(self, e):\n self.enabled = not self.enabled\n self.menuitem.setEnabled(self.enabled)\n\n def ctx(self, host=None, payload=None, fname=None):\n pass\n print("Changing dir to %s" % tmpdir)\n os.chdir(tmpdir)\n GraphQLPanel(actions=[TestAction("test it")]).app()''')
__stickytape_write_module('''inql/widgets/__init__.py''', '''''')
__stickytape_write_module('''inql/widgets/propertyeditor.py''', '''import platform\n\nif platform.system() != "Java":\n print("Load this file inside jython, if you need the stand-alone tool run: inql")\n exit(-1)\n\nimport time\n\nfrom javax.swing import JFrame, JTable, JScrollPane, JPopupMenu\nfrom java.awt import Color\nfrom javax.swing.table import DefaultTableModel\nfrom java.awt.event import WindowAdapter\n\nfrom inql.actions.executor import ExecutorAction\nfrom inql.utils import inherits_popup_menu\n\nclass PropertyEditor(WindowAdapter):\n """\n Edits Tabular Properties of a given WindowAdapter\n """\n instances = {}\n last_location = None\n locations = {}\n last_size = None\n sizes = {}\n\n NEW_WINDOW_OFFSET = 32\n offset = NEW_WINDOW_OFFSET\n\n @staticmethod\n def get_instance(text="Property Editor", columns=None, data=None, empty=None, add_actions=True, actions=None):\n """\n Singleton Method based on the text property. It tries to generate only one property configuration page per text.\n\n :param text: getinstance key\n :param columns: proparty columns it should be an array alike\n :param data: it contains the current property rows\n :param empty: empty row property when adding a new one\n :param add_actions: include or not new actions\n :param actions: default set of actions to be appended to Add and Delete Rows\n :return: a new instance of PropertyEditor or a reused one.\n """\n if not actions: actions = []\n if not columns: columns = []\n if data == None: data = []\n if not empty: empty = []\n try:\n PropertyEditor.instances[text]\n except KeyError:\n PropertyEditor.instances[text] = \\\n PropertyEditor().__private_init__(text, columns, data, empty, add_actions, actions)\n try:\n PropertyEditor.instances[text].this.setLocation(PropertyEditor.locations[text])\n except KeyError:\n if PropertyEditor.last_location:\n PropertyEditor.instances[text].this.setLocation(\n PropertyEditor.last_location.x+PropertyEditor.offset,\n PropertyEditor.last_location.y+PropertyEditor.offset)\n PropertyEditor.offset = PropertyEditor.NEW_WINDOW_OFFSET\n try:\n PropertyEditor.instances[text].this.setSize(PropertyEditor.sizes[text])\n except KeyError:\n if PropertyEditor.last_size:\n PropertyEditor.instances[text].this.setSize(PropertyEditor.last_size)\n PropertyEditor.last_location = PropertyEditor.instances[text].this.getLocation()\n PropertyEditor.last_size = PropertyEditor.instances[text].this.getSize()\n ## Hack ON: Bring on Front\n PropertyEditor.instances[text].this.setAlwaysOnTop(True)\n PropertyEditor.instances[text].this.setAlwaysOnTop(False)\n ## Hack OFF\n return PropertyEditor.instances[text]\n\n def __private_init__(self, text="Property Editor", columns=None, data=None, empty=None, add_actions=True, actions=None):\n if not actions: actions = []\n if not columns: columns = []\n if data == None: data = []\n if not empty: empty = []\n\n self._text = text\n self.this = JFrame(text)\n self._table = JTable()\n self._dtm = DefaultTableModel(0, 0)\n self._dtm.setColumnIdentifiers(columns)\n self._table.setModel(self._dtm)\n self._data = data\n for d in data:\n self._dtm.addRow(d)\n self._pane = JScrollPane(self._table)\n self.this.add(self._pane)\n self._empty = empty\n\n self.this.addWindowListener(self)\n\n self._dtm.addTableModelListener(lambda _: self._update_model())\n self.this.setLocation(PropertyEditor.NEW_WINDOW_OFFSET, PropertyEditor.NEW_WINDOW_OFFSET)\n\n if add_actions:\n self._popup = JPopupMenu()\n self._pane.setComponentPopupMenu(self._popup)\n inherits_popup_menu(self._pane)\n\n self._actions = actions\n self._actions.append(ExecutorAction(\'Remove Selected Rows\', action=lambda e: self._remove_row()))\n self._actions.append(ExecutorAction(\'Add New Row\', action=lambda e: self._add_row()))\n\n for action in self._actions:\n self._popup.add(action.menuitem)\n\n self.this.setForeground(Color.black)\n self.this.setBackground(Color.lightGray)\n self.this.pack()\n self.this.setVisible(True)\n self.this.setDefaultCloseOperation(JFrame.DO_NOTHING_ON_CLOSE)\n\n return self\n\n def _add_row(self):\n """\n Add a new row the selection\n\n :return: None\n """\n self._dtm.addRow(self._empty)\n\n def _remove_row(self):\n """\n Remove all the selected rows from the selection\n :return:\n """\n rows = self._table.getSelectedRows()\n for i in range(0, len(rows)):\n self._dtm.removeRow(rows[i] - i)\n\n def windowClosing(self, evt):\n """\n Overrides WindowAdapter method\n\n :param evt: unused\n :return: None\n """\n PropertyEditor.locations[self._text] = self.this.getLocation()\n PropertyEditor.sizes[self._text] = self.this.getSize()\n PropertyEditor.last_location = self.this.getLocation()\n PropertyEditor.last_size = self.this.getSize()\n PropertyEditor.offset = 0\n self.this.setVisible(False)\n self.this.dispose()\n del PropertyEditor.instances[self._text]\n\n def _update_model(self):\n """\n Update the data content with the updated rows\n\n :return: None\n """\n del self._data[:]\n nRow = self._dtm.getRowCount()\n nCol = self._dtm.getColumnCount()\n for i in range(0, nRow):\n self._data.append([None] * nCol)\n for j in range(0, nCol):\n d = str(self._dtm.getValueAt(i, j)).lower()\n if d == \'none\' or d == \'\':\n self._data[i][j] = None\n elif d == \'true\' or d == \'t\':\n self._data[i][j] = True\n elif d == \'false\' or d == \'f\':\n self._data[i][j] = False\n else:\n try:\n self._data[i][j] = int(self._dtm.getValueAt(i, j))\n except ValueError:\n self._data[i][j] = self._dtm.getValueAt(i, j)\n\nif __name__ == "__main__":\n data = [[\'a\', \'b\'], [\'c\', \'d\']]\n pe = PropertyEditor.get_instance(columns=[\'ciao\', \'bao\'], data=data, empty=[\'e1\', \'e2\'])\n while True:\n time.sleep(10)\n pe = PropertyEditor.get_instance(columns=[\'ciao\', \'bao\'], data=data, empty=[\'e1\', \'e2\'])\n PropertyEditor.get_instance(text=\'test2\', columns=[\'ciao\', \'bao\'], data=data, empty=[\'e1\', \'e2\'])\n print pe._data''')
__stickytape_write_module('''inql/burp_ext/__init__.py''', '''''')
__stickytape_write_module('''inql/constants.py''', '''SCANNER_VERSION = \'v2.0.0\'\n\nTECH_CHECKS = {\n \'{"data":{"__schema":{\',\n "graphql-ws"\n}\n\nCONSOLE_CHECKS = {\n "GraphiQL",\n "GraphQL Playground",\n "GraphQL Console",\n "graphql-playground"\n}\n\nURLS = {\n "/graphql.php",\n "/graphql",\n "/graphiql",\n "/graphql/console/",\n "/swapi-graphql/",\n "/gql",\n "/graphql/subscriptions",\n "/graphql/subscription"\n}\n\nDEFAULT_LOAD_URL = "URL or File Location (eg: http://example.com/graphql or /tmp/schema.json)"''')
__stickytape_write_module('''inql/burp_ext/tab.py''', '''from __future__ import print_function\n\nimport platform\n\nif platform.system() != "Java":\n print("Load this file inside jython, if you need the stand-alone tool run: inql")\n exit(-1)\n\nimport json\n\nfrom burp import ITab\n\nfrom inql.actions.sendto import RepeaterSenderAction, OmniMenuItem, EnhancedHTTPMutator, GraphiQLSenderAction\nfrom inql.actions.setcustomheader import CustomHeaderSetterAction\nfrom inql.widgets.tab import GraphQLPanel\n\n\nclass GraphQLTab(ITab):\n """\n Java GUI\n """\n def __init__(self, callbacks, helpers):\n self._callbacks = callbacks\n self._helpers = helpers\n\n def getTabCaption(self):\n """\n Override ITab method\n :return: tab name\n """\n return "InQL Scanner"\n\n def getUiComponent(self):\n """\n Override ITab method\n :return: Tab UI Component\n """\n overrideheaders = {}\n repeater_omnimenu = OmniMenuItem(callbacks=self._callbacks, helpers=self._helpers, text="Send to Repeater")\n graphiql_omnimenu = OmniMenuItem(callbacks=self._callbacks, helpers=self._helpers, text="Send to GraphiQL")\n http_mutator = EnhancedHTTPMutator(\n callbacks=self._callbacks, helpers=self._helpers, overrideheaders=overrideheaders)\n repeater_sender = RepeaterSenderAction(omnimenu=repeater_omnimenu, http_mutator=http_mutator)\n graphiql_sender = GraphiQLSenderAction(omnimenu=graphiql_omnimenu, http_mutator=http_mutator)\n custom_header_setter = CustomHeaderSetterAction(overrideheaders=overrideheaders, text="Set Custom Header")\n try:\n restore = self._callbacks.loadExtensionSetting(GraphQLPanel.__name__)\n except Exception as ex:\n print("Cannot restore state! %s" % ex)\n restore = None\n\n proxy = None\n\n for request_listener in json.loads(self._callbacks.saveConfigAsJson())["proxy"]["request_listeners"]:\n if request_listener["running"]:\n proxy = "localhost:%s" % request_listener["listener_port"]\n break\n\n self.panel = GraphQLPanel(\n actions=[\n repeater_sender,\n graphiql_sender,\n custom_header_setter],\n restore=restore,\n proxy=proxy,\n http_mutator=http_mutator,\n texteditor_factory=self._callbacks.createTextEditor\n )\n self._callbacks.customizeUiComponent(self.panel.this)\n return self.panel.this\n\n def bring_in_front(self):\n self.panel.this.setAlwaysOnTop(True)\n self.panel.this.setAlwaysOnTop(False)\n\n def save(self):\n """\n Save Extension State before exiting\n :return: None\n """\n try:\n self._callbacks.saveExtensionSetting(self.panel.__class__.__name__, self.panel.state())\n except:\n print("Cannot save state!")''')
__stickytape_write_module('''inql/__init__.py''', '''''')
__stickytape_write_module('''inql/generators/schema.py''', '''import json\n\nfrom inql.utils import open\n\n\ndef generate(argument, fpath="introspection.json"):\n """\n Generate Schema JSON\n\n :param argument: introspection query output\n :param fpath: file output\n :return: None\n """\n with open(fpath, "w") as schema_file:\n schema_file.write(json.dumps(argument, indent=4, sort_keys=True))''')
__stickytape_write_module('''inql/introspection.py''', '''from __future__ import print_function\n\ntry:\n import urllib.request as urllib_request # for Python 3\nexcept ImportError:\n import urllib2 as urllib_request # for Python 2 and Jython\ntry:\n from urllib.parse import urlparse # for Python 3\nexcept ImportError:\n from urlparse import urlparse # for Python 2 and Jython\n\nimport argparse\nimport time\nimport os\nimport json\nimport sys\nimport ssl\nimport platform\nfrom datetime import date\n\nfrom .utils import string_join, mkdir_p, raw_request\nfrom .generators import html, query, schema\n\ntry:\n # Use UTF8 On Python2 and Jython\n reload(sys)\n sys.setdefaultencoding(\'UTF8\')\nexcept NameError:\n pass # Nothing Needed in Python3\n\n\ndef wrap_exit(method, exceptions = (OSError, IOError)):\n """\n Wrap exit method to write the error and reset colors to the output before exiting.\n :param method: exit method\n :param exceptions:\n :return:\n """\n def fn(*args, **kwargs):\n try:\n print(reset)\n return method(*args, **kwargs)\n except exceptions:\n sys.exit(\'Can\\\'t open \\\'{0}\\\'. Error #{1[0]}: {1[1]}\'.format(args[0], sys.exc_info()[1].args))\n\n return fn\nexit = wrap_exit(exit)\n\n# colors for terminal messages\nred = ""\ngreen = ""\nwhite = ""\nyellow = ""\nreset = ""\n\ndef posix_colors():\n """\n Setup global POSIX shell colors.\n :return: None\n """\n global red, green, white, yellow, reset\n red = "\\033[1;31;10m[!] "\n green = "\\033[1;32;10m[+] "\n white = "\\033[1;37;10m"\n yellow = "\\033[1;33;10m[!] "\n reset = "\\033[0;0m"\n\ndef supports_color():\n """\n Returns True if the running system\'s terminal supports color, and False\n otherwise.\n """\n plat = sys.platform\n supported_platform = plat != \'Pocket PC\' and (plat != \'win32\' or\n \'ANSICON\' in os.environ)\n # isatty is not always implemented, #6223.\n is_a_tty = hasattr(sys.stdout, \'isatty\') and sys.stdout.isatty()\n return supported_platform and is_a_tty\n\n\nif supports_color():\n posix_colors()\n\n\ndef query_result(target, key, headers=None, verify_certificate=True, requests=None, stub_responses=None):\n """\n Execute the introspection query against the GraphQL endpoint\n\n :param target:\n Expects a valid URL ex. https://example.com/graphql\n Raise an exception if HTTP/HTTPS schema is missing\n\n :param key:\n Optional parameter to be used as authentication header\n "Basic dXNlcjp0ZXN0"\n "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"\n\n :return:\n Returns a dictionary objects to be parsed\n """\n headers = headers.copy() if headers else {}\n requests = requests if requests is not None else {}\n stub_responses = stub_responses if stub_responses is not None else {}\n # Introspection Query\n # -----------------------\n introspection_query = "query IntrospectionQuery{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"\n old_introspection_query = "query IntrospectionQuery{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description args{...InputValue}onOperation onFragment onField}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name}}}}"\n # -----------------------\n if \'User-Agent\' not in headers:\n headers[\'User-Agent\'] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0"\n\n if key:\n headers[\'Authorization\'] = key\n\n try:\n # Issue the Introspection request against the GraphQL endpoint\n request = urllib_request.Request(target, json.dumps({"query": introspection_query}, sort_keys=True).encode(\'UTF-8\'), headers=headers)\n request.add_header(\'Content-Type\', \'application/json\')\n\n url = urlparse(target)\n reqbody = raw_request(request)\n if url.netloc not in requests:\n requests[url.netloc] = {}\n requests[url.netloc][\'POST\'] = (None, reqbody)\n requests[url.netloc][\'url\'] = target\n\n if verify_certificate:\n contents = urllib_request.urlopen(request).read()\n else:\n ctx = ssl.create_default_context()\n ctx.check_hostname = False\n ctx.verify_mode = ssl.CERT_NONE\n\n contents = urllib_request.urlopen(request, context=ctx).read()\n\n stub_responses[url.netloc] = contents\n\n return contents\n\n except Exception as e:\n print(string_join(red, str(e), reset))\n\ndef main():\n """\n Query a GraphQL endpoint with introspection in order to retrieve the documentation of all the Queries, Mutations & Subscriptions.\n It will also generate Queries, Mutations & Subscriptions templates (with optional placeholders) for all the known types.\n\n :return:\n none\n """\n # Args parser definition\n # -----------------------\n parser = argparse.ArgumentParser(prog="inql", description="InQL Scanner")\n if platform.system() == "Java":\n parser.add_argument("--nogui", default=False, dest="nogui",\n action="store_true", help="Start InQL Without Standalone GUI [Jython-only]")\n parser.add_argument("-t", default=None, dest="target",\n help="Remote GraphQL Endpoint (https://<Target_IP>/graphql)")\n parser.add_argument("-f", dest="schema_json_file", default=None, help="Schema file in JSON format")\n parser.add_argument("-k", dest="key", help="API Authentication Key")\n parser.add_argument(\'-p\', dest="proxy", default=None,\n help=\'IP of web proxy to go through (http://127.0.0.1:8080)\')\n parser.add_argument(\'--header\', dest="headers", nargs=2, action=\'append\')\n parser.add_argument("-d", dest="detect", action=\'store_true\', default=False,\n help="Replace known GraphQL arguments types with placeholder values (useful for Burp Suite)")\n parser.add_argument("--generate-html", dest="generate_html", action=\'store_true\', default=True,\n help="Generate HTML Documentation")\n parser.add_argument("--generate-schema", dest="generate_schema", action=\'store_true\', default=True,\n help="Generate JSON Schema Documentation")\n parser.add_argument("--generate-queries", dest="generate_queries", action=\'store_true\', default=True,\n help="Generate Queries")\n parser.add_argument("--insecure", dest="insecure_certificate", action="store_true",\n help="Accept any SSL/TLS certificate")\n parser.add_argument("-o", dest="output_directory", default=os.getcwd(),\n help="Output Directory")\n args = parser.parse_args()\n # -----------------------\n args.requests = {}\n args.stub_responses = {}\n\n mkdir_p(args.output_directory)\n os.chdir(args.output_directory)\n\n if platform.system() == "Java" and args.nogui is not True:\n from inql.widgets.tab import GraphQLPanel\n from inql.actions.sendto import SimpleMenuItem, EnhancedHTTPMutator, GraphiQLSenderAction\n from inql.actions.setcustomheader import CustomHeaderSetterAction\n overrideheaders = {}\n graphiql_omnimenu = SimpleMenuItem(text="Send to GraphiQL")\n http_mutator = EnhancedHTTPMutator(\n requests=args.requests,\n stub_responses=args.stub_responses,\n overrideheaders=overrideheaders)\n graphiql_sender = GraphiQLSenderAction(omnimenu=graphiql_omnimenu, http_mutator=http_mutator)\n custom_header_setter = CustomHeaderSetterAction(overrideheaders=overrideheaders, text="Set Custom Header")\n cfg = [\n [\'Proxy\', args.proxy],\n [\'Authorization Key\', args.key],\n [\'Load Placeholders\', args.detect],\n [\'Generate HTML DOC\', args.generate_html],\n [\'Generate Schema DOC\', args.generate_schema],\n [\'Generate Stub Queries\', args.generate_queries],\n [\'Accept Invalid SSL Certificate\', args.insecure_certificate]\n ]\n return GraphQLPanel(\n actions=[custom_header_setter, graphiql_sender],\n restore=json.dumps({\'config\': cfg}),\n http_mutator=None,\n requests=args.requests,\n stub_responses=args.stub_responses\n ).app()\n else:\n return init(args, lambda: parser.print_help())\n\n\ndef init(args, print_help=None):\n """\n Main Introspection method.\n\n :param args: arg parser alike arguments\n :param print_help: print help lambda\n :return: None\n """\n # At least one between -t or -f (target) parameters must be set\n if args.target is None and args.schema_json_file is None:\n print(string_join(red, "Remote GraphQL Endpoint OR a Schema file in JSON format must be specified!", reset))\n if print_help:\n print_help()\n exit(1)\n\n # Only one of them -t OR -f :)\n if args.target is not None and args.schema_json_file is not None:\n print(string_join(red, "Only a Remote GraphQL Endpoint OR a Schema file in JSON format must be specified, not both!", reset))\n if print_help:\n print_help()\n exit(1)\n\n # Takes care of any configured proxy (-p param)\n if args.proxy is not None:\n print(string_join(yellow, "Proxy ENABLED: ", args.proxy, reset))\n os.environ[\'http_proxy\'] = args.proxy\n os.environ[\'https_proxy\'] = args.proxy\n\n # Generate Headers object\n headers = {}\n if args.headers:\n for k, v in args.headers:\n headers[k] = v\n\n if args.target is not None or args.schema_json_file is not None:\n if args.target is not None:\n # Acquire GraphQL endpoint URL as a target\n host = urlparse(args.target).netloc\n else:\n # Acquire a local JSON file as a target\n print(string_join(yellow, "Parsing local schema file", reset))\n host = os.path.splitext(os.path.basename(args.schema_json_file))[0]\n if args.detect:\n print(string_join(yellow, "Detect arguments is ENABLED, known types will be replaced with placeholder values", reset))\n # Used to generate \'unique\' file names for multiple documentation\n timestamp = str(int(time.time())) # Can be printed with: str(int(timestamp))\n today = str(date.today())\n # -----------------------\n # Custom Objects are required for fields names in the documentation and templates generation\n # old -c parameter, enabled by default\n custom = True\n # Generate the documentation for the target\n if args.target is not None:\n # Parse response from the GraphQL endpoint\n argument = query_result(target=args.target,\n key=args.key,\n headers=headers,\n verify_certificate=not args.insecure_certificate,\n requests=args.requests,\n stub_responses=args.stub_responses)\n # returns a dict\n argument = json.loads(argument)\n else:\n # Parse the local JSON file\n with open(args.schema_json_file, "r") as s:\n result_raw = s.read()\n argument = json.loads(result_raw)\n\n if args.generate_schema:\n schema.generate(argument,\n fpath=os.path.join(host, "schema-%s-%s.json" % (today, timestamp)))\n if args.generate_html:\n html.generate(argument,\n fpath=os.path.join(host, "doc-%s-%s.html" % (today, timestamp)),\n custom=custom,\n target=args.target)\n if args.generate_queries:\n query.generate(argument,\n qpath=os.path.join(host, "%s", today, timestamp, "%s"),\n detect=args.detect,\n custom=custom,\n green_print=lambda s: print(string_join(green, "Writing Queries Templates", reset)))\n\n else:\n # Likely missing a required arguments\n print("Missing Arguments")\n if print_help:\n print(white)\n print_help()\n print(reset)\n exit(1)\n\n\nif __name__ == "__main__":\n try:\n main()\n except KeyboardInterrupt:\n # Catch CTRL+C, it will abruptly kill the script\n print(string_join(red, "Exiting...", reset))\n exit(-1)\n''')
__stickytape_write_module('''inql/widgets/omnibar.py''', '''import platform\n\nfrom inql.utils import nop_evt\n\nif platform.system() != "Java":\n print("Load this file inside jython, if you need the stand-alone tool run: inql")\n exit(-1)\n\nfrom java.awt.event import FocusListener, KeyAdapter, KeyEvent\nfrom javax.swing import JFrame, JPanel, JTextField, JButton\nfrom java.awt import (BorderLayout, Color)\n\n\nclass _HintTextField(FocusListener, KeyAdapter):\n """\n HintTextField is a class responsible for showing an hint while the textfield is empty\n """\n\n def __init__(self, hint=None, action=None):\n if not hint: hint = \'hint\'\n if not action: action = nop_evt\n self.this = JTextField(hint)\n self._hint = hint\n self._showing_hint = True\n self._enter_listener = None\n self.this.addFocusListener(self)\n self.this.addKeyListener(self)\n self.set_enter_evt_listener(action)\n\n def set_enter_evt_listener(self, enter_listener):\n """\n Add an evt listener to HintTextField\n\n :param enter_listener: lambda event listener\n :return:\n """\n self._enter_listener = enter_listener\n\n def keyPressed(self, e):\n """\n KeyAdapter override\n\n :param e: event containing the key pressed\n :return: None\n """\n if self._enter_listener and e.getKeyCode() == KeyEvent.VK_ENTER:\n self._enter_listener(e)\n \n def focusGained(self, e):\n """\n FocusListener override\n\n :param e: unused\n :return: None\n """\n if self.getText() == "":\n self.this.setText("")\n self._showing_hint = False\n\n def focusLost(self, e):\n """\n FocusListener override\n\n :param e: unused\n :return: None\n """\n if self.getText() == "":\n self.this.setText(self._hint)\n self._showing_hint = True\n\n def getText(self):\n """\n :return: the current text or "" if no text is wrote inside the textfield\n """\n if self._showing_hint:\n return ""\n else:\n return self.this.getText()\n\n def setText(self, txt):\n """\n Set Text\n\n :param txt: a string\n :return: None\n """\n self.this.setText(txt)\n self._showing_hint = False\n\n def reset(self):\n """\n Reset the HintBox\n :return: None\n """\n self.this.setText(self._hint)\n self._showing_hint = True\n\nclass Omnibar:\n """\n Omnibar represents a chrome alike textbox with behaviour similar to the one of a normal browser\n """\n\n def __init__(self, hint=None, label=None, action=None):\n if not hint: hint = \'Omnibar hint\'\n if not label: label = \'Run\'\n if not action: action = nop_evt\n self.this = JPanel()\n self.this.setLayout(BorderLayout())\n\n # Add an hinttextfield\n self._text = _HintTextField(hint, action)\n self.this.add(BorderLayout.CENTER, self._text.this)\n\n # Add a run buttpn\n button = JButton(label)\n button.addActionListener(action)\n self.this.add(BorderLayout.EAST, button)\n\n def getText(self):\n """\n :return: the current text or "" if no text is wrote inside the textfield\n """\n return self._text.getText()\n\n def setText(self, txt):\n """\n Set Text\n\n :param txt: a string\n :return: None\n """\n self._text.setText(txt)\n\n def reset(self):\n """\n Reset the HintBox\n :return: None\n """\n self._text.reset()\n\nif __name__ == "__main__":\n frame = JFrame("Omnibar")\n frame.setForeground(Color.black)\n frame.setBackground(Color.lightGray)\n cp = frame.getContentPane()\n cp.add(Omnibar().this)\n frame.pack()\n frame.setVisible(True)\n frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE)''')
__stickytape_write_module('''inql/actions/executor.py''', '''import platform\n\nif platform.system() != "Java":\n print("Load this file inside jython, if you need the stand-alone tool run: inql")\n exit(-1)\n\nfrom java.awt.event import ActionListener\nfrom javax.swing import JMenuItem\n\n\nclass ExecutorAction(ActionListener):\n """\n ExecutorAction class represent a context-free action class container.\n During creation an action should be passed to defined the behaviour of this context free action.\n """\n def __init__(self, text, action=None):\n self._action = action\n self.menuitem = JMenuItem(text)\n self.menuitem.setEnabled(True)\n self.menuitem.addActionListener(self)\n\n def actionPerformed(self, e):\n """\n Executes action if setup during creation.\n\n :param e: unused\n :return: None\n """\n if self._action:\n self._action(e)\n\n def ctx(self, host=None, payload=None, fname=None):\n """\n Do Nothing, stub implemented to be an action.\n This is not needed since the action to be performed is context free and setup during object creation.\n\n :param host: unused\n :param payload: unused\n :param fname: unused\n :return: None\n """\n pass''')
__stickytape_write_module('''inql/generators/html.py''', '''from inql.utils import open\n\n\n# CSS style used for the documentation\nstl = """\n<style>\nbody {\n font-family: Roboto;\n background-color: #f9f9f9;\n}\n\nli.query {\n color: #368cbf;\n}\n\nli.mutation {\n color: #30a;\n}\n\nli.subscription {\n color: #397D13;\n}\n\nli.argument {\n color: #edae49;\n}\n\nli.type {\n color: #7ebc59;\n}\n\nli.deprecated {\n color: red;\n ext-decoration: underline wavy red;\n}\n\nli.field {\n\n}\n\nli.description {\n color: grey;\n}\nspan.query {\n color: #368cbf;\n}\n\nspan.mutation {\n color: #30a;\n}\n\nspan.subscription {\n color: #397D13;\n}\n\nspan.argument {\n color: #edae49;\n}\n\nspan.type {\n color: #7ebc59;\n}\n\nspan.deprecated {\n color: red;\n ext-decoration: underline wavy red;\n}\n\nspan.field {\n\n}\n\nspan.description {\n color: grey;\n}\n\ndiv.box {\n background-color: white;\n width: 300px;\n border: 5px solid grey;\n padding: 10px;\n margin: 10px;\n}\n</style>\n"""\n\n\ndef generate(argument, fpath, custom=False, target="empty"):\n """\n Generate HTML Documentation\n\n :param argument: introspection query result\n :param fpath: output result\n :param custom: enable or disable custom types, disabled by default\n :param target: who is the owner of that graphql endpoint\n :return: None\n """\n with open(fpath, \'w\') as output_file:\n result = argument.copy()\n # Write HTML header for the documentation\n # --------------------\n output_file.write("<html><head><title>GraphQL Schema</title>")\n # write CSS\n output_file.write(stl)\n # write target URL\n output_file.write("</head><body><h2>GraphQL Schema</h2><h3><a href=\'{0}\'>{0}</a></h3>".format(target))\n # write legend box\n output_file.write(\n "<div class=\'box\'><h4>Legend</h4><ul><li class=\'query\'>Queries</li><li class=\'mutation\'>Mutations</li><"\n "li class=\'subscription\'>Subscriptions</li><li class=\'argument\'>Arguments</li>"\n "<li class=\'type\'>Types: String, Float, not_null!, [list]</li><li class=\'deprecated\'>Deprecated</li>"\n "<li class=\'field\'>Fields</li></ul></div>")\n # --------------------\n output_file.write("<p>Available Operations Types:</p>")\n try:\n # Print available operation types, usually: Query, Mutations & Subscriptions\n # This part also holds custom names (schema[Type][\'name\'] != \'RootQuery\', \'RootMutation\', \'Subscriptions\')\n # --------------------\n if result[\'data\'][\'__schema\'][\'mutationType\'] is not None:\n output_file.write("<ul><li class=\'mutation\'>{0}</li>".format(\n result[\'data\'][\'__schema\'][\'mutationType\'][\'name\']))\n Mutation = result[\'data\'][\'__schema\'][\'mutationType\'][\'name\']\n else:\n # Needed since not all GraphQL endpoints use/have all the three types (Query, Mutations & Subscriptions)\n Mutation = None\n if result[\'data\'][\'__schema\'][\'queryType\'] is not None:\n output_file.write("<li class=\'query\'>{0}</li>".format(\n result[\'data\'][\'__schema\'][\'queryType\'][\'name\']))\n Query = result[\'data\'][\'__schema\'][\'queryType\'][\'name\']\n else:\n Query = None\n if result[\'data\'][\'__schema\'][\'subscriptionType\'] is not None:\n output_file.write(\n "<li class=\'subscription\'>{0}</li></ul>".format(\n result[\'data\'][\'__schema\'][\'subscriptionType\'][\'name\']))\n Subscription = result[\'data\'][\'__schema\'][\'subscriptionType\'][\'name\']\n else:\n Subscription = None\n # --------------------\n i = 0\n ##########################################################################################\n # Parsing JSON response/file structure as follows\n # data\n # __schema\n # directives\n # mutationType\n # queryType\n # subscriptionType\n # types (kind, name, description)\n # name (RootQuery, RootMutation, Subscriptions, [custom] OBJECT)\n # fields\n # name (query names)\n # args\n # name (args names)\n # type\n # name (args types)\n ##########################################################################################\n # Start looping trough types\n if result[\'data\'][\'__schema\'][\'types\'] is not None:\n rt = result[\'data\'][\'__schema\'][\'types\']\n # holds the number of custom objects\n xxx = 0\n for types in rt:\n j = 0\n # Data -> Schema -> Types (kind, name, description)\n # filtering out primitive types\n # TODO: exclude interfaces & union types\n primitives = [\'Int\', \'Float\', \'String\', \'Boolean\', \'ID\', \'__TypeKind\', \'__Type\', \'__Schema\',\n \'__Field\', \'__InputValue\', \'__EnumValue\', \'__Directive\', \'__DirectiveLocation\']\n advanced_kind = [\'INPUT_OBJECT\']\n # This super if is BOOLEAN able to switch between ENABLED custom types parameter (-c)\n # It will selectively routine trough values needed to print\n if ((custom is False and ((rt[i][\'kind\'] is not None and rt[i][\'name\'] is not None) and (\n rt[i][\'name\'] not in primitives) and (rt[i][\'kind\'] not in advanced_kind) and (\n (rt[i][\'kind\'] == "OBJECT") and (\n (rt[i][\'name\'] == Query) or (rt[i][\'name\'] == Mutation) or (\n rt[i][\'name\'] == Subscription))))) or (\n custom is not False and ((rt[i][\'kind\'] is not None and rt[i][\'name\'] is not None) and (\n rt[i][\'name\'] not in primitives) and (rt[i][\'kind\'] not in advanced_kind)))):\n output_file.write("<li>{0}</li>".format(rt[i][\'kind\']))\n # Print our types RootQuery, RootMutation, Subscriptions\n # --------------------\n if rt[i][\'name\'] == Mutation:\n output_file.write("<li class=\'mutation\'>{0}</li>".format(rt[i][\'name\']))\n elif rt[i][\'name\'] == Query:\n output_file.write("<li class=\'query\'>{0}</li>".format(rt[i][\'name\']))\n elif rt[i][\'name\'] == Subscription:\n output_file.write("<li class=\'subscription\'>{0}</li>".format(rt[i][\'name\']))\n # Handles custom objects (FIELDS)\n elif rt[i][\'kind\'] == "OBJECT" and rt[i][\'name\'] is not None:\n output_file.write("<span class=\'type\'>{0}</span><br>".format(rt[i][\'name\']))\n xxx += 1\n if rt[i][\'description\'] is not None:\n output_file.write(\n "<span class=\'description\'>{0}</span><br>".format(rt[i][\'description\']))\n # --------------------\n k = 0\n # Retrieving general docs regarding primitives (filtered out from documentation, not needed)\n # Data -> Schema -> Types -> enumValues (name, description, isDeprecated, deprecationReason)\n # My super BOOLEAN IF, used to switch between ENABLED custom types parameter (-c)\n if ((custom is False and (\n rt[i][\'enumValues\'] is not None and (rt[i][\'name\'] not in primitives) and (\n rt[i][\'kind\'] not in advanced_kind) and (\n (rt[i][\'kind\'] == "OBJECT") and (\n (rt[i][\'name\'] == Query) or (rt[i][\'name\'] == Mutation) or (\n rt[i][\'name\'] == Subscription))))) or (\n custom is not False and ((rt[i][\'enumValues\'] is not None) and (\n rt[i][\'name\'] not in primitives) and (rt[i][\'kind\'] not in advanced_kind)))):\n for enumValues in rt[i][\'enumValues\']:\n # Name\n if rt[i][\'enumValues\'][k][\'name\'] is not None:\n output_file.write("<span>{0}</span><br>".format(rt[i][\'enumValues\'][k][\'name\']))\n # Description\n if rt[i][\'enumValues\'][k][\'description\'] is not None:\n output_file.write("<span class=\'description\'>{0}</span><br>".format(\n rt[i][\'enumValues\'][k][\'description\']))\n # Is Deprecated?\n if rt[i][\'enumValues\'][k][\'isDeprecated\'] is not False and rt[i][\'enumValues\'][k][\n \'isDeprecated\'] is not None:\n output_file.write("<span class=\'deprecated\'>Is Deprecated</span><br>")\n # Deprecation Reason\n if rt[i][\'enumValues\'][k][\'deprecationReason\'] is not None:\n output_file.write("<span>Reason: {0}</span><br>".format(\n rt[i][\'enumValues\'][k][\'deprecationReason\']))\n k = k + 1\n # Retrieving queries, mutations and subscriptions information\n # Data -> Schema -> Types -> Fields (name, isDeprecated, deprecationReason, description)\n # My super BOOLEAN IF, used to switch between ENABLED custom types parameter (-c)\n if ((custom is False and ((\n rt[i][\'fields\'] is not None) and (\n rt[i][\'name\'] not in primitives) and (\n rt[i][\'kind\'] not in advanced_kind) and (\n (rt[i][\'kind\'] == "OBJECT") and (\n (rt[i][\'name\'] == Query) or (rt[i][\'name\'] == Mutation) or (\n rt[i][\'name\'] == Subscription))))) or (\n custom is not False and ((\n rt[i][\'fields\'] is not None) and (\n rt[i][\'name\'] not in primitives) and (\n rt[i][\'kind\'] not in advanced_kind)))):\n # Printing out queries, mutations, subscriptions and custom object names\n # --------------------\n # number of fields per obj\n for fields in result[\'data\'][\'__schema\'][\'types\'][i][\'fields\']:\n if rt[i][\'fields\'][j][\'name\'] is not None:\n # Query\n if rt[i][\'name\'] == Query:\n output_file.write(\n "<li class=\'query\'>{0}</li>".format(rt[i][\'fields\'][j][\'name\']))\n # Mutation\n elif rt[i][\'name\'] == Mutation:\n output_file.write(\n "<li class=\'mutation\'>{0}</li>".format(rt[i][\'fields\'][j][\'name\']))\n # Subscription\n elif rt[i][\'name\'] == Subscription:\n output_file.write(\n "<li class=\'subscription\'>{0}</li>".format(rt[i][\'fields\'][j][\'name\']))\n # It handle custom objects\n elif rt[i][\'kind\'] == "OBJECT":\n output_file.write(\n "<span class=\'field\'>{0}</span> ".format(\n rt[i][\'fields\'][j][\'name\']))\n # Seems that i do not need the following two lines\n # else:\n # output_file.write("<li>{0}</li>".format(rt[i][\'fields\'][j][\'name\']))\n # --------------------\n # Printing info regarding the queries, mutations and subscriptions above\n # --------------------\n # Deprecated\n if rt[i][\'fields\'][j][\'isDeprecated\'] is not False and rt[i][\'fields\'][j][\n \'isDeprecated\'] is not None:\n output_file.write("<span class=\'deprecated\'>Is Deprecated</span><br>")\n # Deprecated Reason\n if rt[i][\'fields\'][j][\'deprecationReason\'] is not None:\n output_file.write(\n "<span>Reason: {0}</span><br>".format(rt[i][\'fields\'][j][\'deprecationReason\']))\n # Description\n if rt[i][\'fields\'][j][\'description\'] is not None and rt[i][\'fields\'][j][\n \'description\'] != \'\':\n output_file.write(\n "<span class=\'description\'>{0}</span><br>".format(\n rt[i][\'fields\'][j][\'description\']))\n # Name (fields type)\n if rt[i][\'fields\'][j][\'type\'] is not None:\n if rt[i][\'fields\'][j][\'type\'][\'name\'] is not None:\n output_file.write("<span class=\'type\'>{0}</span><br>".format(\n rt[i][\'fields\'][j][\'type\'][\'name\']))\n # oFType\n if rt[i][\'fields\'][j][\'type\'][\'ofType\'] is not None and \\\n rt[i][\'fields\'][j][\'type\'][\'ofType\'][\'name\'] is not None:\n # LIST\n if rt[i][\'fields\'][j][\'type\'][\'kind\'] is not None and rt[i][\'fields\'][j][\'type\'][\n \'kind\'] == "LIST":\n output_file.write("<span class=\'type\'>[{0}]</span><br>".format(\n rt[i][\'fields\'][j][\'type\'][\'ofType\'][\'name\']))\n # NOT NULL\n elif rt[i][\'fields\'][j][\'type\'][\'kind\'] is not None and rt[i][\'fields\'][j][\'type\'][\n \'kind\'] == "NON_NULL":\n output_file.write("<span class=\'type\'>!{0}</span><br>".format(\n rt[i][\'fields\'][j][\'type\'][\'ofType\'][\'name\']))\n # CUSTOM TYPE\n else:\n output_file.write("<span class=\'type\'>{0}</span><br>".format(\n rt[i][\'fields\'][j][\'type\'][\'ofType\'][\'name\']))\n # --------------------\n x = 0\n # Prepare a list of ARGS names for queries, mutations and subscriptions\n # --------------------\n # My super BOOLEAN IF, used to switch between ENABLED custom types parameter (-c)\n if ((custom is False and ((rt[i][\'fields\'][j][\'args\'] is not None) and (\n rt[i][\'name\'] not in primitives) and (\n rt[i][\'kind\'] not in advanced_kind) and (\n (rt[i][\'kind\'] == "OBJECT") and (\n (rt[i][\'name\'] == Query) or (\n rt[i][\'name\'] == Mutation) or (\n rt[i][\'name\'] == Subscription))))) or (\n custom is not False and ((rt[i][\'fields\'][j][\'args\'] is not None) and (\n rt[i][\'name\'] not in primitives) and (rt[i][\'kind\'] not in advanced_kind)))):\n # Printing out queries, mutations and subscriptions ARGS name\n # Data -> Schema -> Types -> Fields -> Args (defaultValue, name, description)\n # --------------------\n for args in rt[i][\'fields\'][j][\'args\']:\n # Default value if present\n if rt[i][\'fields\'][j][\'args\'][x][\'defaultValue\'] is not None:\n output_file.write(\n "<span>{0}</span><br>".format(\n rt[i][\'fields\'][j][\'args\'][x][\'defaultValue\']))\n # ARGS name\n if rt[i][\'fields\'][j][\'args\'][x][\'name\'] is not None:\n output_file.write("<span class=\'argument\'>{0}</span> ".format(\n rt[i][\'fields\'][j][\'args\'][x][\'name\']))\n # ARGS description\n if rt[i][\'fields\'][j][\'args\'][x][\'description\'] is not None and \\\n rt[i][\'fields\'][j][\'args\'][x][\'description\'] != \'\':\n output_file.write("<span class=\'description\'>{0}</span><br>".format(\n rt[i][\'fields\'][j][\'args\'][x][\'description\']))\n # --------------------\n # Printing out ARGS types\n # Data -> Schema -> Types -> Fields -> Args -> Type (name, ofType, kind)\n # TODO half a bug: there are custom objects that have multiple types as the following example\n # in this case ![LIST], at the moment this specific case is handled casting the returning value of\n # rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'ofType\'][\'name\'] to STRING\n # in order to prevent errors (None type concatenated to a string)\n # we are missing the custom object but at least the script does not falls apart\n """\n "description":null,\n "isDeprecated":false,\n "args":[ ],\n "deprecationReason":null,\n "type":{ \n "kind":"NON_NULL",\n "name":null,\n "ofType":{ \n "kind":"LIST",\n "name":null,\n "ofType":{ \n "kind":"NON_NULL",\n "name":null,\n "ofType":{ \n "kind":"SCALAR",\n "name":"String",\n "ofType":null\n }\n }\n }\n },\n "name":"roles"\n """\n # --------------------\n if rt[i][\'fields\'][j][\'args\'][x][\'type\'] is not None and (\n rt[i][\'name\'] not in primitives) and (\n rt[i][\'kind\'] not in advanced_kind):\n # LIST\n if rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'kind\'] == "LIST":\n output_file.write("<span class=\'type\'>[{0}]</span><br>".format(\n rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'ofType\'][\'name\']))\n # NOT NULL\n elif rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'kind\'] == "NON_NULL":\n output_file.write("<span class=\'type\'>{0}!</span><br>".format(\n rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'ofType\'][\'name\']))\n # Holds simple types like float, string, int etc.\n else:\n if rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'name\'] is not None:\n output_file.write("<span class=\'type\'>{0}</span><br>".format(\n rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'name\']))\n x += 1\n j += 1\n i += 1\n # For None key exceptions use: except KeyError:\n except Exception:\n raise\n # Close documentation\n output_file.write("</body></html>")\n output_file.close()\n''')
__stickytape_write_module('''burp_ext/extender.py''', '''import platform\n\nfrom inql.utils import watch, stop\n\nif platform.system() != "Java":\n print("Load this file inside jython, if you need the stand-alone tool run: inql")\n exit(-1)\n\nimport os\nimport shutil\nimport tempfile\n\nfrom burp import (IBurpExtender, IScannerInsertionPointProvider, IExtensionStateListener)\n\nfrom inql.burp_ext.editor import GraphQLEditorTab\nfrom inql.burp_ext.scanner import BurpScannerCheck\nfrom inql.burp_ext.tab import GraphQLTab\nfrom inql.constants import SCANNER_VERSION\n\n\nclass BurpExtender(IBurpExtender, IScannerInsertionPointProvider, IExtensionStateListener):\n """\n Main Class for Burp Extenders\n """\n\n def registerExtenderCallbacks(self, callbacks):\n """\n Overrides IBurpExtender method, it registers all the elements that compose this extension\n\n :param callbacks: burp callbacks\n :return: None\n """\n self._tmpdir = tempfile.mkdtemp()\n os.chdir(self._tmpdir)\n helpers = callbacks.getHelpers()\n callbacks.setExtensionName("InQL: Introspection GraphQL Scanner %s" % SCANNER_VERSION)\n callbacks.issueAlert("InQL Scanner Started")\n print("InQL Scanner Started! (tmpdir: %s )" % os.getcwd())\n # Registering GraphQL Tab\n callbacks.registerMessageEditorTabFactory(lambda _, editable: GraphQLEditorTab(callbacks, editable))\n # Register ourselves as a custom scanner check\n callbacks.registerScannerCheck(BurpScannerCheck(callbacks))\n # Register Suite Tab\n self._tab = GraphQLTab(callbacks, helpers)\n callbacks.addSuiteTab(self._tab)\n # Register extension state listener\n callbacks.registerExtensionStateListener(self)\n\n def extensionUnloaded(self):\n """\n Overrides IExtensionStateListener method, it unregisters all the element that compose this extension and it will save the\n state if available.\n\n :return: None\n """\n os.chdir(\'/\')\n shutil.rmtree(self._tmpdir, ignore_errors=False, onerror=None)\n stop()\n self._tab.save()''')
__stickytape_write_module('''inql/widgets/fileview.py''', '''import platform\n\nif platform.system() != "Java":\n print("Load this file inside jython, if you need the stand-alone tool run: inql")\n exit(-1)\n\nimport os\nimport json\n\nfrom javax.swing import JSplitPane, JFrame\nfrom java.awt import BorderLayout, Color\n\nfrom filetree import FileTree\nfrom payloadview import PayloadView\n\nclass FileView:\n """\n SplitPane containing an editoresque (Sublime-alike) filetree+editor widget\n """\n def __init__(self, dir=None, filetree_label=None, texteditor_factory=None):\n if not dir: dir = os.getcwd()\n self._filetree = FileTree(dir=dir, label=filetree_label)\n self._payloadview = PayloadView(texteditor_factory=texteditor_factory)\n self.this = JSplitPane(JSplitPane.HORIZONTAL_SPLIT,\n self._filetree.this, self._payloadview.this)\n self.this.setOneTouchExpandable(True)\n self._filetree.add_tree_selection_listener(self._tree_listener)\n self.this.getRightComponent().setVisible(False)\n\n def _tree_listener(self, e):\n """\n Listen for tree selection and fill the payloadview\n\n :param e: unused\n :return: None\n """\n try:\n fpath = os.path.join(*[str(p) for p in e.getPath().getPath()][1:])\n\n if fpath.endswith(\'.html\'):\n self.this.getRightComponent().setVisible(False)\n return\n\n with open(fpath, \'r\') as f:\n payload = f.read()\n self._payloadview.set_editable(True)\n self._payloadview.refresh(payload)\n self.this.getRightComponent().setVisible(True)\n self.this.setDividerLocation(0.25)\n except IOError:\n pass\n\n def addTreeListener(self, action):\n """\n Add a new Tree ActionListener\n\n :param action: actionListener lambda\n :return:\n """\n self._filetree.add_tree_selection_listener(action)\n\n def addPayloadListener(self, action):\n """\n Add a new PayloadView Listener\n\n :param action: actionListener lambda\n :return:\n """\n self._payloadview.add_listener(action)\n\n def refresh(self):\n self._filetree.refresh()\n\nif __name__ == "__main__":\n frame = JFrame("FileView")\n frame.setForeground(Color.black)\n frame.setBackground(Color.lightGray)\n cp = frame.getContentPane()\n cp.add(FileView().this)\n frame.pack()\n frame.setVisible(True)\n frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE)''')
__stickytape_write_module('''inql/utils.py''', '''import re\nimport os, sys\nimport time\nimport threading\nimport ssl\nimport json\n\ntry:\n import urllib.request as urllib_request # for Python 3\nexcept ImportError:\n import urllib2 as urllib_request # for Python 2 and Jython\n\ntry:\n from urllib.parse import urlparse # for Python 3\nexcept ImportError:\n from urlparse import urlparse # for Python 2 and Jython\n\ntry:\n from BaseHTTPServer import BaseHTTPRequestHandler\nexcept ImportError:\n from http.server import BaseHTTPRequestHandler\n\nfrom io import BytesIO\n\ndef string_join(*ss):\n """\n String joins with arbitrary lengthy parameters\n\n :param ss: strings to be joined\n :return: strings joined\n """\n return "".join(ss)\n\n\ndef mkdir_p(path):\n """\n Create Directory if it does not exist, exit otherwise\n :param path:\n :return:\n """\n try:\n os.makedirs(path)\n except:\n if os.path.isdir(path):\n pass\n else:\n raise\n\n\ndef wrap_open(method, exceptions = (OSError, IOError)):\n """Wrap Open method in order to create containing directories if they does not exist"""\n def fn(*args, **kwargs):\n try:\n mkdir_p(os.path.dirname(args[0]))\n return method(*args, **kwargs)\n except exceptions:\n sys.exit(\'Can\\\'t open \\\'{0}\\\'. Error #{1[0]}: {1[1]}\'.format(args[0], sys.exc_info()[1].args))\n\n return fn\n\n\nopen = wrap_open(open)\n\n\ndef inherits_popup_menu(element):\n """\n Inherits popup menu on each and every child widgets.\n\n :param element: current widget.\n :return: None\n """\n element.setInheritsPopupMenu(True)\n try:\n for e in element.getComponents():\n inherits_popup_menu(e)\n except:\n pass\n\n\nclass AttrDict(dict):\n """\n HACK: this class will generate a class object with fields from a dict\n """\n def __init__(self, *args, **kwargs):\n super(AttrDict, self).__init__(*args, **kwargs)\n self.__dict__ = self\n\n\ndef override_headers(http_header, overrideheaders):\n """\n Overrides headers with the defined overrides.\n\n :param http_header: an HTTP header content\n :param overrideheaders: an overrideheaders object.\n :return: a new overridden headers string\n """\n ree = [(\n re.compile("^%s\\s*:\\s*[^\\n]+$" % re.escape(header), re.MULTILINE),\n "%s: %s" % (header, val))\n for (header, val) in overrideheaders]\n h = http_header\n for find, replace in ree:\n hn = re.sub(find, replace, h)\n if hn == h:\n h = "%s\\n%s" % (hn, str(replace))\n else:\n h = hn\n\n return h\n\n\ndef nop_evt(evt):\n """\n Do nothing on events\n\n :param evt: ignored\n :return: None\n """\n pass\n\ndef nop():\n """\n Do nothing\n\n :return: None\n """\n pass\n\nstop_watch = False\n\ndef stop():\n global stop_watch\n stop_watch = True\n\ndef watch(execute=nop, interval=60):\n global stop_watch\n def async_run():\n try:\n while not stop_watch:\n execute()\n time.sleep(interval)\n sys.stdout.flush()\n sys.stderr.flush()\n finally:\n sys.stdout.flush()\n sys.stderr.flush()\n\n t = threading.Thread(target=async_run)\n t.start()\n\ndef run_async(execute=nop):\n def async_run():\n try:\n execute()\n finally:\n sys.stdout.flush()\n sys.stderr.flush()\n threading.Thread(target=async_run).start()\n\n\ndef make_http_handler(http_mutator=None):\n class GraphQLRequestHandler(BaseHTTPRequestHandler):\n def graphiql_page(self, address, extrascript=""):\n """\n Return a graphiql console page given a domain\n :param listenin_on: address on which the graphiql server proxy is listening on\n :param domain: input domain on which to perform queries\n :return: a string representing the graphiql page\n """\n return """<html>\n <head>\n <title>InQL GraphiQL Console</title>\n <link href="https://unpkg.com/graphiql/graphiql.min.css" rel="stylesheet" />\n </head>\n <body style="margin: 0;">\n <div id="graphiql" style="height: 100vh;"></div>\n\n <script\n crossorigin\n src="https://unpkg.com/react/umd/react.production.min.js"\n ></script>\n <script\n crossorigin\n src="https://unpkg.com/react-dom/umd/react-dom.production.min.js"\n ></script>\n <script\n crossorigin\n src="https://unpkg.com/graphiql/graphiql.min.js"\n ></script>\n\n <script>\n\n /**\n * This GraphiQL example illustrates how to use some of GraphiQL\'s props\n * in order to enable reading and updating the URL parameters, making\n * link sharing of queries a little bit easier.\n *\n * This is only one example of this kind of feature, GraphiQL exposes\n * various React params to enable interesting integrations.\n */\n\n // Parse the search string to get url parameters.\n var address = "%s";\n var search = window.location.search;\n var parameters = {};\n search.substr(1).split(\'&\').forEach(function (entry) {\n var eq = entry.indexOf(\'=\');\n if (eq >= 0) {\n parameters[decodeURIComponent(entry.slice(0, eq))] =\n decodeURIComponent(entry.slice(eq + 1));\n }\n });\n\n // if variables was provided, try to format it.\n if (parameters.variables) {\n try {\n parameters.variables =\n JSON.stringify(JSON.parse(parameters.variables), null, 2);\n } catch (e) {\n // Do nothing, we want to display the invalid JSON as a string, rather\n // than present an error.\n }\n }\n\n // When the query and variables string is edited, update the URL bar so\n // that it can be easily shared\n function onEditQuery(newQuery) {\n parameters.query = newQuery;\n updateURL();\n }\n\n function onEditVariables(newVariables) {\n parameters.variables = newVariables;\n updateURL();\n }\n\n function onEditOperationName(newOperationName) {\n parameters.operationName = newOperationName;\n updateURL();\n }\n\n function updateURL() {\n var newSearch = \'?\' + Object.keys(parameters).filter(function (key) {\n return Boolean(parameters[key]);\n }).map(function (key) {\n return encodeURIComponent(key) + \'=\' +\n encodeURIComponent(parameters[key]);\n }).join(\'&\');\n history.replaceState(null, null, newSearch);\n }\n\n const graphQLFetcher = graphQLParams =>\n fetch(address, {\n method: \'post\',\n headers: { \'Content-Type\': \'application/json\' },\n body: JSON.stringify(graphQLParams),\n })\n .then(response => response.json())\n .catch(() => response.text());\n ReactDOM.render(\n React.createElement(GraphiQL, {\n fetcher: graphQLFetcher,\n query: parameters.query,\n variables: parameters.variables,\n operationName: parameters.operationName,\n onEditQuery: onEditQuery,\n onEditVariables: onEditVariables,\n onEditOperationName: onEditOperationName\n }),\n document.getElementById(\'graphiql\'),\n );\n while (document.querySelector(\'.title\') == null) {\n // wait for the title to be something\n } \n document.querySelector(\'.title\').innerHTML = \'<a href="https://github.com/doyensec/inql"><img src="https://github.com/doyensec/inql/blob/master/docs/inql.png?raw=true" style="display: block; height:6em; z-index: 10; position: relative"></img></a>\';\n %s\n </script>\n </body>\n </html>""" % (address, extrascript)\n\n # Handler for the GET requests\n def do_GET(self):\n self.send_response(200)\n self.send_header(\'Content-type\', \'text/html\')\n self.end_headers()\n\n # Send the html message\n if http_mutator:\n page = self.graphiql_page(self.path, extrascript="""(function() {\n var toolbar = document.querySelector(\'.toolbar\');\n var sendToRepeater = document.createElement(\'button\');\n sendToRepeater.classList.add(\'toolbar-button\');\n sendToRepeater.innerHTML = \'Send To Repeater\';\n sendToRepeater.title = \'Send To Repeater\';\n sendToRepeater.setAttribute(\'aria-invalid\', true);\n sendToRepeater.onclick = function() {\n var xhr = new XMLHttpRequest();\n xhr.open("PUT", address, true);\n xhr.setRequestHeader(\'Content-Type\', \'application/json\');\n var params = JSON.parse(JSON.stringify(parameters));\n params[\'variables\'] = JSON.parse(params[\'variables\']);\n xhr.send(JSON.stringify(params));\n }\n toolbar.appendChild(sendToRepeater);\n } ());""")\n else:\n page = self.graphiql_page(self.path)\n\n self.wfile.write(page.encode())\n return\n\n def do_POST(self):\n try:\n content_len = int(self.headers.getheader(\'content-length\', 0))\n except AttributeError: # python3 has not the getheader type, use get instead\n content_len = int(self.headers.get(\'Content-Length\'))\n\n host = None\n body = None\n try:\n idx = self.path.find(\'?\')\n if idx != -1:\n endpoint = self.path[1:idx]\n else:\n endpoint = self.path[1:]\n\n url = urlparse(endpoint)\n if url.scheme == "https" and url.port == 443 or url.scheme == "http" and url.port == 80:\n host = url.hostname\n else:\n host = url.netloc\n self.headers[\'Host\'] = host\n body = self.rfile.read(content_len)\n if not http_mutator:\n request = urllib_request.Request(endpoint, body, headers=self.headers)\n else:\n request = http_mutator.build_python_request(endpoint, host, body)\n\n if \'http_proxy\' in os.environ or \'https_proxy\' in os.environ:\n ctx = ssl.create_default_context()\n ctx.check_hostname = False\n ctx.verify_mode = ssl.CERT_NONE\n contents = urllib_request.urlopen(request, context=ctx).read()\n else:\n contents = urllib_request.urlopen(request).read()\n\n jres = json.loads(contents)\n if \'errors\' in jres and len(jres[\'errors\']) > 0 and "IntrospectionQuery" in body:\n raise Exception("IntrospectionQuery request contains errors")\n\n self.send_response(200)\n self.send_header(\'Content-type\', \'application/json\')\n self.end_headers()\n\n self.wfile.write(contents)\n except Exception as ex:\n if host and http_mutator and http_mutator.get_stub_response(host) and "IntrospectionQuery" in body:\n self.send_response(200)\n self.send_header(\'Content-type\', \'application/json\')\n self.end_headers()\n self.wfile.write(http_mutator.get_stub_response(host))\n return\n print(ex)\n self.send_response(400)\n self.send_header(\'Content-type\', \'application/json\')\n self.end_headers()\n\n try:\n # Try to get the 400 page error content since it is used by the GraphiQL Console\n self.wfile.write(ex.read())\n except:\n pass\n return\n\n def do_PUT(self):\n try:\n content_len = int(self.headers.getheader(\'content-length\', 0))\n except AttributeError: # python3 has not the getheader type, use get instead\n content_len = int(self.headers.get(\'Content-Length\'))\n\n if http_mutator:\n body = self.rfile.read(content_len)\n url = urlparse(self.path[1:])\n if url.scheme == "https" and url.port == 443 or url.scheme == "http" and url.port == 80:\n host = url.hostname\n else:\n host = url.netloc\n http_mutator.send_to_repeater(host, body)\n else:\n print(self.path)\n print(self.rfile.read(content_len))\n\n self.send_response(200)\n self.send_header(\'Content-type\', \'application/json\')\n self.end_headers()\n return\n return GraphQLRequestHandler\n\nclass HTTPRequest(BaseHTTPRequestHandler):\n def __init__(self, request_text):\n self.rfile = BytesIO(request_text)\n self.raw_requestline = self.rfile.readline()\n self.error_code = self.error_message = None\n self.parse_request()\n\n def send_error(self, code, message):\n self.error_code = code\n self.error_message = message\n\ndef raw_request(request):\n """\n At this point it is completely built and ready\n to be fired; it is "prepared".\n\n However pay attention at the formatting used in\n this function because it is programmed to be pretty\n printed and may differ from the actual request.\n """\n headers = request.headers.copy()\n if \'Connection\' not in headers:\n headers[\'Connection\'] = \'close\'\n if \'User-Agent\' not in headers:\n headers[\'User-Agent\'] = \'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0\'\n if \'Accept-Encoding\' not in headers:\n headers[\'Accept-Encoding\'] = \'gzip, deflate\'\n url = urlparse(request.get_full_url())\n headers[\'Host\'] = url.netloc\n path = url.path if len(url.path) else \'/\'\n\n return \'{}\\r\\n{}\\r\\n\\r\\n{}\'.format(\n request.get_method() + \' \' + path + \' HTTP/1.1\',\n \'\\r\\n\'.join(\'{}: {}\'.format(k, v) for k, v in headers.items()),\n request.data if request.data else \'\',\n )''')
__stickytape_write_module('''inql/actions/__init__.py''', '''''')
__stickytape_write_module('''inql/generators/__init__.py''', '''''')
__stickytape_write_module('''inql/widgets/filetree.py''', '''import platform\n\nif platform.system() != "Java":\n print("Load this file inside jython, if you need the stand-alone tool run: inql")\n exit(-1)\n\nimport os\n\nfrom java.awt import (BorderLayout, Color, Container, Dimension, Component)\nfrom java.io import File\nfrom java.util import Vector, Collections\nfrom javax.swing import (BoxLayout, JFrame, JPanel, JScrollPane, JTree, JLabel)\nfrom javax.swing.tree import (DefaultMutableTreeNode, DefaultTreeModel)\n\n\nclass FileTree:\n """\n TreeView widget containing a filetree\n """\n\n def __init__(self, dir=None, label=None):\n if not dir: dir = os.getcwd()\n if not label: label = "FileTree"\n dir = File(dir)\n self._dir = dir\n self.this = JPanel()\n self.this.setLayout(BorderLayout())\n\n # Add a label\n self.this.add(BorderLayout.PAGE_START, JLabel(label))\n\n # Make a tree list with all the nodes, and make it a JTree\n tree = JTree(self._add_nodes(None, dir))\n tree.setRootVisible(False)\n self._tree = tree\n\n # Lastly, put the JTree into a JScrollPane.\n scrollpane = JScrollPane()\n scrollpane.getViewport().add(tree)\n self.this.add(BorderLayout.CENTER, scrollpane)\n\n def refresh(self):\n """\n Refresh TreeModel when the directory is updated\n\n :return: None\n """\n self._tree.setModel(DefaultTreeModel(self._add_nodes(None, self._dir)))\n\n def _add_nodes(self, curTop, dir):\n """\n Recursive implementation to fill the tree with filenames and directories\n\n :param curTop: current top directory\n :param dir: next directory\n :return: None\n """\n curPath = dir.getPath()\n if os.path.isdir(curPath):\n nodePath = os.path.basename(curPath)\n curDir = DefaultMutableTreeNode(nodePath)\n if curTop != None: # should only be null at root\n curTop.add(curDir)\n ol = Vector()\n tmp = dir.list()\n for i in xrange(0, len(tmp)):\n ol.addElement(tmp[i])\n thisObject = None\n files = Vector()\n # Make two passes, one for Dirs and one for Files. This is #1.\n for i in xrange(0, ol.size()):\n thisObject = ol.elementAt(i)\n if curPath == self._dir:\n newPath = thisObject\n else:\n newPath = os.path.join(curPath, thisObject)\n f = File(newPath)\n if f.isDirectory():\n self._add_nodes(curDir, f)\n else:\n files.addElement(thisObject)\n\n # Pass two: for files.\n Collections.sort(files)\n for i in xrange(0, files.size()):\n f = files.elementAt(i)\n #if f.split(\'.\')[-1] != \'html\':\n curDir.add(DefaultMutableTreeNode(files.elementAt(i)))\n return curDir\n\n def add_tree_selection_listener(self, listener):\n """\n Wrapper for the inner tree selection listener callback register function\n\n :param listener: a new listener\n :return: None\n """\n self._tree.addTreeSelectionListener(listener)\n\n\nif __name__ == "__main__":\n frame = JFrame("FileTree")\n frame.setForeground(Color.black)\n frame.setBackground(Color.lightGray)\n cp = frame.getContentPane()\n cp.add(FileTree().this)\n frame.pack()\n frame.setVisible(True)\n frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE)\n''')
__stickytape_write_module('''inql/actions/browser.py''', '''import platform\n\nif platform.system() != "Java":\n print("Load this file inside jython, if you need the stand-alone tool run: inql")\n exit(-1)\n\nimport subprocess\nimport os\n\nfrom java.awt.event import ActionListener\nfrom java.awt import Desktop\nfrom javax.swing import JMenuItem\nfrom java.net import URI\n\n\nclass URLOpener():\n def __init__(self):\n self.openers = [\n lambda url: Desktop.getDesktop().browse(URI(url)),\n lambda url: subprocess.call(["xdg-open", url]),\n lambda url: subprocess.call(["open", url])\n ]\n\n def open(self, url):\n """\n Try to execute the first available browser. Since on every system (Darwin, Windows and Linux) this procedure is\n different, iterate on every procedure and exit on the first successful one or on the last one altogether.\n\n :param url: url to be opened\n :return: None\n """\n for opener in self.openers:\n try:\n opener(url)\n return\n except:\n pass\n print("Cannot open url %s!!!" % url)\n\n\nclass BrowserAction(ActionListener):\n """\n BrowserAction performs a new "Open In Browser" action when the context is set to an HTML File.\n The idea is to show HTML documentation in a Browser, when generated and the context is correct\n """\n\n def __init__(self, text="Open In Browser"):\n self.menuitem = JMenuItem(text)\n self.menuitem.setEnabled(False)\n self.menuitem.addActionListener(self)\n\n def actionPerformed(self, e):\n """\n Override the ActionListener method. Usually setup in combination with a menuitem click.\n :param e: unused\n :return:\n """\n URLOpener().open("file://%s" % self.target)\n\n def ctx(self, host=None, payload=None, fname=None):\n """\n Setup the current context\n :param host: unused\n :param payload: unused\n :param fname: filename of the selected file\n :return: None\n """\n self.target = os.path.abspath(fname)\n if self.target.endswith(\'.html\'):\n self.menuitem.setEnabled(True)\n else:\n self.menuitem.setEnabled(False)''')
__stickytape_write_module('''inql/widgets/payloadview.py''', '''from __future__ import print_function\n\nimport platform\n\nif platform.system() != "Java":\n print("Load this file inside jython, if you need the stand-alone tool run: inql")\n exit(-1)\n\nfrom javax.swing import JFrame, JPanel, JLabel, JScrollPane, JTextArea, JTabbedPane, JSplitPane, SwingUtilities\nfrom javax.swing.event import DocumentListener\nfrom java.awt import BorderLayout, Color\n\nimport json\n\nfrom inql.utils import inherits_popup_menu\n\nclass _PayloadListener(DocumentListener):\n """\n PayloadListener wrapper is a java DocumentListener wrapper for python lambdas\n """\n def __init__(self, event_listener=lambda e: None, changed_update=None, remove_update=None, insert_update=None):\n self.changed_update = changed_update if changed_update else event_listener\n self.remove_update = changed_update if changed_update else event_listener\n self.insert_update = changed_update if changed_update else event_listener\n\n def removeUpdate(self, e):\n self.remove_update(e)\n\n def insertUpdate(self, e):\n self.insert_update(e)\n\n def changedUpdate(self, e):\n self.changed_update(e)\n\nBaseTabbedPaneUI = JTabbedPane().getUI().getClass()\n\nclass SneakTabbedPaneUI(BaseTabbedPaneUI):\n def __init__(self, tabbed_pane):\n self.tabbed_pane = tabbed_pane\n\n def calculateTabAreaHeight(self, tab_placement, run_count, max_tab_height):\n if self.tabbed_pane.getTabCount() > 1:\n return self.super__calculateTabAreaHeight(tab_placement, run_count, max_tab_height)\n else:\n return 0\n\n\nclass PayloadView:\n """\n PayloadView is a TextView viewer and editor.\n """\n def __init__(self, payload=None, texteditor_factory=None, editable=True):\n self._idx = 0\n\n self._texteditor_factory = texteditor_factory\n self._textareas = {}\n self._widgets = {}\n\n self._listener = None\n\n self.this = JTabbedPane()\n self.this.setUI(SneakTabbedPaneUI(self.this))\n\n if payload:\n self.refresh(payload)\n self.editable = editable\n self.set_editable(editable)\n\n def _get_textarea(self, element):\n """\n Inherits popup menu on each and every child widgets.\n\n :param element: current widget.\n :return: None\n """\n try:\n if \'getDocument\' in dir(element) and \'append\' in dir(element):\n return element\n\n for e in element.getComponents():\n ret = self._get_textarea(e)\n if ret:\n return ret\n\n except:\n return None\n\n def _create_texteditor(self, name=None, label=None):\n _textarea = None\n\n if name and name in self._widgets:\n return self._widgets[name]\n\n if not name:\n name = "TextArea#%s" % self._idx\n self._idx += 1\n\n this = JPanel()\n\n # Add a label\n if label:\n this.setLayout(BorderLayout())\n this.add(BorderLayout.PAGE_START, JLabel(label))\n\n if self._texteditor_factory:\n _texteditor = self._texteditor_factory()\n _component = _texteditor.getComponent()\n this.add(BorderLayout.CENTER, _component)\n _textarea = self._get_textarea(_component)\n\n if not _textarea:\n _textarea = JTextArea()\n _textarea.setColumns(20)\n _textarea.setRows(5)\n _textarea.setLineWrap(True)\n _textarea.setWrapStyleWord(True)\n _textarea.setEditable(True)\n _textarea.setName(name)\n _textarea.setSelectionColor(Color(255, 153, 51))\n _textarea.requestFocus()\n # Add textarea to a scrollable JPane\n _scrollpane = JScrollPane()\n _scrollpane.setViewportView(_textarea)\n this.add(BorderLayout.CENTER, _scrollpane)\n\n _textarea.setEditable(self.editable)\n\n self._textareas[name] = _textarea\n self._widgets[name] = this\n\n def on_change(evt):\n if not self._textareas[name].hasFocus():\n return\n try:\n if name == "raw":\n SwingUtilities.invokeLater(lambda: self._refresh_queries(self._textareas[\'raw\'].getText()))\n elif name.startswith(\'gql_query#\'):\n id = int(name.split("#")[1])\n content = json.loads(self._textareas[\'raw\'].getText())\n if id == 0 and not isinstance(content, list):\n content[\'query\'] = self._textareas[name].getText()\n else:\n content[id][\'query\'] = self._textareas[name].getText()\n SwingUtilities.invokeLater(lambda: self._textareas[\'raw\'].setText(json.dumps(content)))\n elif name.startswith(\'gql_variables#\'):\n id = int(name.split("#")[1])\n content = json.loads(self._textareas[\'raw\'].getText())\n if id == 0 and not isinstance(content, list):\n content[\'variables\'] = json.loads(self._textareas[name].getText())\n else:\n content[id][\'variables\'] = json.loads(self._textareas[name].getText())\n SwingUtilities.invokeLater(lambda: self._textareas[\'raw\'].setText(json.dumps(content)))\n except ValueError:\n pass # Avoid crashing for JSON not valid incompatibilities\n\n _textarea.getDocument().addDocumentListener(_PayloadListener(changed_update=on_change))\n\n return this\n\n def set_editable(self, editable):\n """\n Enable or Disable the editable textview\n\n :param editable: boolean parameter representing the editability\n :return: None\n """\n self.editable = editable\n for t in self._textareas.values():\n t.setEditable(editable)\n\n\n def _graphql_queries(self, payload):\n try:\n content = json.loads(payload)\n if not isinstance(content, list):\n content = [content]\n\n q = {}\n\n for i in range(0, len(content)):\n if any([\'query\' in content[i] and content[i][\'query\'].strip().startswith(qtype) for qtype in [\'query\', \'mutation\', \'subscription\', \'{\']]):\n q[i] = content[i]\n\n return q\n except ValueError:\n return None\n\n def _refresh_raw(self, payload):\n """\n Refresh the textarea content with a new payload, if present\n\n :param payload:\n :return: None\n """\n\n if payload:\n self.this.addTab("Raw", self._create_texteditor(name="raw", label=\'Raw\'))\n self._textareas[\'raw\'].setText(payload)\n if self._listener:\n self.add_listener(self._listener)\n inherits_popup_menu(self.this)\n\n def _get_tab_component_by_name(self, name):\n for i in range(0, self.this.getTabCount()):\n if self.this.getTitleAt(i) == name:\n return self.this.getComponentAt(i)\n\n return None\n\n def _get_tab_index_by_name(self, name):\n for i in range(0, self.this.getTabCount()):\n if self.this.getTitleAt(i) == name:\n return i\n\n return -1\n\n def _refresh_queries(self, payload):\n """\n Refresh the textarea content with a new payload, if present\n\n :param payload:\n :return: None\n """\n graphql_tabs = []\n for i in range(0, self.this.getTabCount()):\n if self.this.getTitleAt(i).startswith("GraphQL #"):\n graphql_tabs.append(self.this.getTitleAt(i))\n\n if payload:\n # Check if the payload contains a GraphQL query object\n queries = self._graphql_queries(payload)\n if queries:\n # Generate and append GraphQL tab to the tabs\n for query_key in queries.keys():\n qname = "gql_query#%s" % query_key\n vname = "gql_variables#%s" % query_key\n tname = "GraphQL #%s" % query_key\n queryeditor = self._create_texteditor(name=qname, label="Query:")\n self._textareas[qname].setText(queries[query_key][\'query\'])\n variableseditor = self._create_texteditor(name=vname, label="Variables:")\n this = self._get_tab_component_by_name(tname)\n if tname in graphql_tabs:\n graphql_tabs.remove(tname)\n if not this:\n this = JSplitPane(JSplitPane.VERTICAL_SPLIT, queryeditor, variableseditor)\n self.this.addTab(tname, this)\n this.setOneTouchExpandable(True)\n this.setDividerLocation(0.66)\n if \'variables\' in queries[query_key]:\n this.getBottomComponent().setVisible(True)\n self._textareas[vname].setText(json.dumps(queries[query_key][\'variables\'], indent=4))\n else:\n this.getBottomComponent().setVisible(False)\n self._textareas[vname].setText("{}")\n\n # Remove empty graphql tabs\n try:\n for tab in graphql_tabs:\n for i in range(0, self.this.getTabCount()):\n if self.this.getTitleAt(i) == tab:\n self.this.remove(i)\n except:\n # Do nothing if you cannot remove an entry\n pass\n\n inherits_popup_menu(self.this)\n\n def refresh(self, payload):\n """\n Refresh the textarea content with a new payload, if present\n\n :param payload:\n :return: None\n """\n self._refresh_queries(payload)\n self._refresh_raw(payload)\n inherits_popup_menu(self.this)\n\n def textarea(self):\n return self._textareas[\'raw\']\n\n def add_listener(self, listener):\n """\n add a new listener to the textarea\n\n :param listener: this parameter should be a lambda or a method\n :return: None\n """\n self._listener = listener\n if \'raw\' in self._textareas:\n self._textareas[\'raw\'].getDocument().addDocumentListener(_PayloadListener(listener))\n\n\nif __name__ == "__main__":\n frame = JFrame("PayloadView")\n frame.setForeground(Color.black)\n frame.setBackground(Color.lightGray)\n cp = frame.getContentPane()\n ft = PayloadView(payload=\'Payload\')\n ft.add_listener(lambda e: print(e))\n cp.add(ft.this)\n frame.pack()\n frame.setVisible(True)\n frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE)''')
__stickytape_write_module('''burp_ext/__init__.py''', '''''')
__stickytape_write_module('''inql/generators/query.py''', '''from __future__ import print_function\n\nfrom inql.utils import string_join, open\n\n\ndef detect_type(types):\n """\n This function will replace known GraphQL arguments types with placeholder values (useful for Burp Suite Repeater)\n\n :param types:\n Known types: String, Boolean, Float, Int, NOT_NULL\n TODO: add the support for custom objects and lists (partially handled since v4.1)\n\n :return:\n Returns a placeholder accordingly to the provided type\n """\n # strip the ! character (not null symbol) before returning the type\n types = types.replace("!", "")\n # Switch between known args types\n if "String" in types:\n # needed for Burp Repeater string handling\n types = string_join(\'\\\\"\', types, \'\\\\"\')\n types = types.replace("String", "asd")\n elif "Boolean" in types:\n types = types.replace("Boolean", "true")\n elif "Float" in types:\n types = types.replace("Float", "0.5")\n elif "Int" in types:\n types = types.replace("Int", "1")\n return types\n\n\ndef query_write(opath, type, qname, content, mode):\n """\n This function is used in order to generate the Queries Mutations & Subscriptions templates.\n Path and file name will be generated as follow:\n\n :param opath:\n query path template it needs two %s to work\n\n :param type:\n query, mutation, subscription\n\n :param qname:\n query, mutation, subscription names\n\n :param content:\n file content\n\n :param mode:\n w, a and so on\n\n :return:\n none\n """\n with open(opath % (type, \'%s.query\' % qname), mode) as ofile:\n ofile.write(content)\n\n\ndef generate(argument, custom=False, qpath="%s/%s", detect=True, green_print=lambda s: print(s)):\n """\n Generate query templates\n\n :param argument: introspection query result\n :param custom: enable or disable custom types, disabled by default\n :param qpath:\n directory template where to output the queries, first parameter is type of query and second is query name\n\n :param detect:\n retrieve placeholders according to arg type\n\n :param green_print:\n implements print in green\n\n :return: None\n """\n # -----------------------\n # Setup lists for templates generation\n # -----------------------\n q_name = []\n q_args_name = []\n q_args_type = []\n q_type = []\n m_name = []\n m_args_name = []\n m_args_type = []\n m_type = []\n s_name = []\n s_args_name = []\n s_args_type = []\n s_type = []\n # holds custom objects\n # [[obj name 1,field name 1,field name 2],[obj name 2,field name 1,field name 2, field name 3]]\n fields_names = []\n\n result = argument.copy()\n\n try:\n # Print available operation types, usually: Query, Mutations & Subscriptions\n # This part also holds custom names (schema[Type][\'name\'] != \'RootQuery\', \'RootMutation\', \'Subscriptions\')\n # --------------------\n if result[\'data\'][\'__schema\'][\'mutationType\'] is not None:\n Mutation = result[\'data\'][\'__schema\'][\'mutationType\'][\'name\']\n else:\n # Needed since not all GraphQL endpoints use/have all the three types (Query, Mutations & Subscriptions)\n Mutation = None\n if result[\'data\'][\'__schema\'][\'queryType\'] is not None:\n Query = result[\'data\'][\'__schema\'][\'queryType\'][\'name\']\n else:\n Query = None\n if result[\'data\'][\'__schema\'][\'subscriptionType\'] is not None:\n Subscription = result[\'data\'][\'__schema\'][\'subscriptionType\'][\'name\']\n else:\n Subscription = None\n # --------------------\n i = 0\n ##########################################################################################\n # Parsing JSON response/file structure as follows\n # data\n # __schema\n # directives\n # mutationType\n # queryType\n # subscriptionType\n # types (kind, name, description)\n # name (RootQuery, RootMutation, Subscriptions, [custom] OBJECT)\n # fields\n # name (query names)\n # args\n # name (args names)\n # type\n # name (args types)\n ##########################################################################################\n # Start looping trough types\n if result[\'data\'][\'__schema\'][\'types\'] is not None:\n rt = result[\'data\'][\'__schema\'][\'types\']\n # holds the number of custom objects\n xxx = 0\n for types in rt:\n j = 0\n # Data -> Schema -> Types (kind, name, description)\n # filtering out primitive types\n # TODO: exclude interfaces & union types\n primitives = [\'Int\', \'Float\', \'String\', \'Boolean\', \'ID\', \'__TypeKind\', \'__Type\', \'__Schema\',\n \'__Field\', \'__InputValue\', \'__EnumValue\', \'__Directive\', \'__DirectiveLocation\']\n advanced_kind = [\'INPUT_OBJECT\']\n # This super if is BOOLEAN able to switch between ENABLED custom types parameter (-c)\n # It will selectively routine trough values needed to print\n if ((custom is False and ((rt[i][\'kind\'] is not None and rt[i][\'name\'] is not None) and (\n rt[i][\'name\'] not in primitives) and (rt[i][\'kind\'] not in advanced_kind) and (\n (rt[i][\'kind\'] == "OBJECT") and (\n (rt[i][\'name\'] == Query) or (rt[i][\'name\'] == Mutation) or (\n rt[i][\'name\'] == Subscription))))) or (\n custom is not False and ((rt[i][\'kind\'] is not None and rt[i][\'name\'] is not None) and (\n rt[i][\'name\'] not in primitives) and (rt[i][\'kind\'] not in advanced_kind)))):\n # Print our types RootQuery, RootMutation, Subscriptions\n # --------------------\n # Handles custom objects (FIELDS)\n if rt[i][\'kind\'] == "OBJECT" and rt[i][\'name\'] is not None:\n fields_names.append([rt[i][\'name\']])\n xxx += 1\n # --------------------\n k = 0\n # Retrieving general docs regarding primitives (filtered out from documentation, not needed)\n # Data -> Schema -> Types -> enumValues (name, description, isDeprecated, deprecationReason)\n # My super BOOLEAN IF, used to switch between ENABLED custom types parameter (-c)\n if ((custom is False and (\n rt[i][\'enumValues\'] is not None and (rt[i][\'name\'] not in primitives) and (\n rt[i][\'kind\'] not in advanced_kind) and (\n (rt[i][\'kind\'] == "OBJECT") and (\n (rt[i][\'name\'] == Query) or (rt[i][\'name\'] == Mutation) or (\n rt[i][\'name\'] == Subscription))))) or (\n custom is not False and ((rt[i][\'enumValues\'] is not None) and (\n rt[i][\'name\'] not in primitives) and (rt[i][\'kind\'] not in advanced_kind)))):\n k = k + 1\n # Retrieving queries, mutations and subscriptions information\n # Data -> Schema -> Types -> Fields (name, isDeprecated, deprecationReason, description)\n # My super BOOLEAN IF, used to switch between ENABLED custom types parameter (-c)\n if ((custom is False and ((\n rt[i][\'fields\'] is not None) and (\n rt[i][\'name\'] not in primitives) and (\n rt[i][\'kind\'] not in advanced_kind) and (\n (rt[i][\'kind\'] == "OBJECT") and (\n (rt[i][\'name\'] == Query) or (rt[i][\'name\'] == Mutation) or (\n rt[i][\'name\'] == Subscription))))) or (\n custom is not False and ((\n rt[i][\'fields\'] is not None) and (\n rt[i][\'name\'] not in primitives) and (\n rt[i][\'kind\'] not in advanced_kind)))):\n # Printing out queries, mutations, subscriptions and custom object names\n # --------------------\n # number of fields per obj\n for fields in result[\'data\'][\'__schema\'][\'types\'][i][\'fields\']:\n if rt[i][\'fields\'][j][\'name\'] is not None:\n # Query\n if rt[i][\'name\'] == Query:\n # Get field name and its type, if none is an advanced element (es. list) and we get it from ofType\n q_name.append(rt[i][\'fields\'][j][\'name\'])\n q_args_name.append([])\n if rt[i][\'fields\'][j][\'type\'][\'name\'] is not None:\n q_type.append(rt[i][\'fields\'][j][\'type\'][\'name\'])\n else:\n q_type.append(rt[i][\'fields\'][j][\'type\'][\'ofType\'][\'name\'])\n # Mutation\n elif rt[i][\'name\'] == Mutation:\n # Get field name and its type, if none is an advanced element (es. list) and we get it from ofType\n m_name.append(rt[i][\'fields\'][j][\'name\'])\n m_args_name.append([])\n if rt[i][\'fields\'][j][\'type\'][\'name\'] is not None:\n m_type.append(rt[i][\'fields\'][j][\'type\'][\'name\'])\n else:\n m_type.append(rt[i][\'fields\'][j][\'type\'][\'ofType\'][\'name\'])\n # Subscription\n elif rt[i][\'name\'] == Subscription:\n # Get field name and its type, if none is an advanced element (es. list) and we get it from ofType\n s_name.append(rt[i][\'fields\'][j][\'name\'])\n s_args_name.append([])\n if rt[i][\'fields\'][j][\'type\'][\'name\'] is not None:\n s_type.append(rt[i][\'fields\'][j][\'type\'][\'name\'])\n else:\n s_type.append(rt[i][\'fields\'][j][\'type\'][\'ofType\'][\'name\'])\n # It handle custom objects\n elif rt[i][\'kind\'] == "OBJECT":\n # here I add the args name the field list\n # xxx-1 since it will be incremented after the assign, otherwise list out of bound\n fields_names[xxx - 1].append(rt[i][\'fields\'][j][\'name\'])\n # --------------------\n x = 0\n # Prepare a list of ARGS names for queries, mutations and subscriptions\n # --------------------\n # My super BOOLEAN IF, used to switch between ENABLED custom types parameter (-c)\n if ((custom is False and ((rt[i][\'fields\'][j][\'args\'] is not None) and (\n rt[i][\'name\'] not in primitives) and (\n rt[i][\'kind\'] not in advanced_kind) and (\n (rt[i][\'kind\'] == "OBJECT") and (\n (rt[i][\'name\'] == Query) or (\n rt[i][\'name\'] == Mutation) or (\n rt[i][\'name\'] == Subscription))))) or (\n custom is not False and ((rt[i][\'fields\'][j][\'args\'] is not None) and (\n rt[i][\'name\'] not in primitives) and (rt[i][\'kind\'] not in advanced_kind)))):\n # Printing out queries, mutations and subscriptions ARGS name\n # Data -> Schema -> Types -> Fields -> Args (defaultValue, name, description)\n # --------------------\n for args in rt[i][\'fields\'][j][\'args\']:\n # ARGS name\n if rt[i][\'fields\'][j][\'args\'][x][\'name\'] is not None:\n # Will append the ARG name to the correct list\n # based on if it is an argument from query, mutation or subscription\n # --------------------\n if rt[i][\'name\'] == Query:\n q_args_name[j].append(rt[i][\'fields\'][j][\'args\'][x][\'name\'])\n elif rt[i][\'name\'] == Mutation:\n m_args_name[j].append(rt[i][\'fields\'][j][\'args\'][x][\'name\'])\n elif rt[i][\'name\'] == Subscription:\n s_args_name[j].append(rt[i][\'fields\'][j][\'args\'][x][\'name\'])\n # --------------------\n # --------------------\n # Printing out ARGS types\n # Data -> Schema -> Types -> Fields -> Args -> Type (name, ofType, kind)\n # TODO half a bug: there are custom objects that have multiple types as the following example\n # in this case ![LIST], at the moment this specific case is handled casting the returning value of\n # rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'ofType\'][\'name\'] to STRING\n # in order to prevent errors (None type concatenated to a string)\n # we are missing the custom object but at least the script does not falls apart\n """\n "description":null,\n "isDeprecated":false,\n "args":[ ],\n "deprecationReason":null,\n "type":{ \n "kind":"NON_NULL",\n "name":null,\n "ofType":{ \n "kind":"LIST",\n "name":null,\n "ofType":{ \n "kind":"NON_NULL",\n "name":null,\n "ofType":{ \n "kind":"SCALAR",\n "name":"String",\n "ofType":null\n }\n }\n }\n },\n "name":"roles"\n """\n # --------------------\n if rt[i][\'fields\'][j][\'args\'][x][\'type\'] is not None and (\n rt[i][\'name\'] not in primitives) and (\n rt[i][\'kind\'] not in advanced_kind):\n # LIST\n if rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'kind\'] == "LIST":\n if rt[i][\'name\'] == Query:\n q_args_type.append(\n "[%s]" % str(\n rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'ofType\'][\'name\']))\n elif rt[i][\'name\'] == Mutation:\n m_args_type.append(\n "[%s]" % str(\n rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'ofType\'][\'name\']))\n elif rt[i][\'name\'] == Subscription:\n s_args_type.append(\n "[%s]" % str(\n rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'ofType\'][\'name\']))\n # NOT NULL\n elif rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'kind\'] == "NON_NULL":\n if rt[i][\'name\'] == Query:\n q_args_type.append(\n "!%s" % str(\n rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'ofType\'][\'name\']))\n elif rt[i][\'name\'] == Mutation:\n m_args_type.append(\n "!%s" % str(\n rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'ofType\'][\'name\']))\n elif rt[i][\'name\'] == Subscription:\n s_args_type.append(\n "!%s" % str(\n rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'ofType\'][\'name\']))\n # Holds simple types like float, string, int etc.\n else:\n if rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'name\'] is not None:\n if rt[i][\'name\'] == Query:\n q_args_type.append(\n str(rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'name\']))\n elif rt[i][\'name\'] == Mutation:\n m_args_type.append(\n str(rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'name\']))\n elif rt[i][\'name\'] == Subscription:\n s_args_type.append(\n str(rt[i][\'fields\'][j][\'args\'][x][\'type\'][\'name\']))\n # --------------------\n x += 1\n j += 1\n i += 1\n # For None key exceptions use: except KeyError:\n except Exception:\n raise\n # Writing templates\n # Reverse args list in order to use pop\n q_args_type.reverse()\n m_args_type.reverse()\n s_args_type.reverse()\n # replacing None items to String for a smooth exec\n q_type = list(map(str, q_type))\n m_type = list(map(str, m_type))\n s_type = list(map(str, s_type))\n # --------------------\n # QUERY\n # --------------------\n green_print("Writing Queries Templates")\n index = 0\n for qname in q_name:\n print(" | %s" % str(qname))\n query_write(qpath, "query", qname, "{\\"query\\":\\"query {\\\\n\\\\t%s" % qname, "w")\n if len(q_args_name[index]) != 0:\n arguments = []\n for argsname in q_args_name[index]:\n # POP out of the list empty values\n if argsname != "":\n # if detect type (-d param) is enabled, retrieve placeholders according to arg type\n if detect:\n arguments.append("%s:%s" % (argsname, detect_type(q_args_type.pop())))\n else:\n arguments.append("%s:%s" % (argsname, q_args_type.pop()))\n else:\n q_args_type.pop()\n # Query name\n query_write(qpath, "query", qname, "(%s)" % " ".join(arguments), "a")\n # Query fields\n f_index = 0\n fields_str = ""\n for fieldsnames in fields_names:\n if q_type[index] in fields_names[f_index][0]:\n for items in fields_names[f_index][1:]:\n fields_str += "\\\\n\\\\t\\\\t%s " % items\n break\n f_index += 1\n # Close query\n if fields_str != "":\n query_write(qpath, "query", qname, " {%s\\\\n\\\\t}" % fields_str, "a")\n query_write(qpath, "query", qname, "\\\\n}\\"}", "a")\n index += 1\n # --------------------\n # MUTATION\n # --------------------\n green_print( "Writing Mutations Templates")\n index = 0\n for mname in m_name:\n print(" | %s" % str(mname))\n query_write(qpath, "mutation", mname, "{\\"query\\":\\"mutation {\\\\n\\\\t%s" % mname, "w")\n if len(m_args_name[index]) != 0:\n arguments = []\n for argsname in m_args_name[index]:\n # POP out of the list empty values\n if argsname != "":\n # if detect type (-d param) is enabled, retrieve placeholders according to arg type\n if detect:\n arguments.append("%s:%s" % (argsname, detect_type(m_args_type.pop())))\n else:\n arguments.append("%s:%s" % (argsname, m_args_type.pop()))\n else:\n m_args_type.pop()\n # Mutation name\n query_write(qpath, "mutation", mname, "(%s)" % " ".join(arguments), "a")\n # Mutation fields\n fields_str = ""\n f_index = 0\n for fieldsnames in fields_names:\n if m_type[index] in fields_names[f_index][0]:\n for items in fields_names[f_index][1:]:\n fields_str += "\\\\n\\\\t\\\\t%s " % items\n break\n f_index += 1\n # Close mutation\n if fields_str != "":\n query_write(qpath, "mutation", mname, " {%s\\\\n\\\\t}" % fields_str, "a")\n query_write(qpath, "mutation", mname, "\\\\n}\\"}", "a")\n index += 1\n # --------------------\n # SUBSCRIPTION\n # --------------------\n green_print("Writing Subscriptions Templates")\n index = 0\n for sname in s_name:\n print(" | %s" % str(sname))\n query_write(qpath, "subscription", sname, "{\\"query\\":\\"subscription {\\\\n\\\\t%s" % sname,\n "w")\n if len(s_args_name[index]) != 0:\n arguments = []\n for argsname in s_args_name[index]:\n # POP out of the list empty values\n if argsname != "":\n # if detect type (-d param) is enabled, retrieve placeholders according to arg type\n if detect:\n arguments.append("%s:%s" % (argsname, detect_type(s_args_type.pop())))\n else:\n arguments.append("%s:%s" % (argsname, s_args_type.pop()))\n else:\n s_args_type.pop()\n # Subscription name\n query_write(qpath, "subscription", sname, "(%s)" % " ".join(arguments), "a")\n # Subscription fields\n f_index = 0\n fields_str = ""\n for fieldsnames in fields_names:\n if s_type[index] in fields_names[f_index][0]:\n for items in fields_names[f_index][1:]:\n fields_str += "\\\\n\\\\t\\\\t%s " % items\n break\n f_index += 1\n # Close subscription\n if fields_str != "":\n query_write(qpath, "subscription", sname, " {%s\\\\n\\\\t}" % fields_str, "a")\n query_write(qpath, "subscription", sname, "\\\\n}\\"}", "a")\n index += 1\n # --------------------\n # THE END, they all lived happily ever after (hopefully)\n green_print("DONE")''')
__stickytape_write_module('''inql/actions/setcustomheader.py''', '''from __future__ import print_function\nimport platform\n\nfrom inql.utils import watch\n\nif platform.system() != "Java":\n print("Load this file inside jython, if you need the stand-alone tool run: inql")\n exit(-1)\n\nfrom java.awt.event import ActionListener\nfrom javax.swing import JMenuItem\n\nfrom inql.widgets.propertyeditor import PropertyEditor\n\n\nclass CustomHeaderSetterAction(ActionListener):\n """\n Set Custom Header Action\n """\n\n def __init__(self, overrideheaders, text="Set Custom Header"):\n self.requests = {}\n self.menuitem = JMenuItem(text)\n self.menuitem.setEnabled(False)\n self.menuitem.addActionListener(self)\n self._overrideheaders = overrideheaders\n self._host = None\n\n def actionPerformed(self, e):\n """\n Overrides ActionListener behaviour, when clicked it opens the headers property editor for the given host.\n\n :param e: unused\n :return:\n """\n if self._host:\n try:\n self._overrideheaders[self._host]\n except KeyError:\n print("No custom header for %s, generating an empty set" % self._host)\n self._overrideheaders[self._host] = []\n PropertyEditor.get_instance("Set Custom Header for %s" % self._host,\n columns=["Header", "Value"],\n data=self._overrideheaders[self._host],\n empty=["X-New-Header", "X-New-Header-Value"])\n\n def ctx(self, host=None, payload=None, fname=None):\n """\n implements the context setting behaviour\n\n :param host: when host is not null set it and enable the menuitem.\n :param payload: ignored\n :param fname: ignored\n :return:\n """\n if host:\n self.menuitem.setEnabled(True)\n else:\n self.menuitem.setEnabled(False)\n self._host = host''')
"""
STUB file to make stickytape happy with import from __future__ statements.
"""
import platform
if platform.system() == "Java":
from burp_ext.extender import BurpExtender