eval removed

git-svn-id: https://beef.googlecode.com/svn/trunk@521 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9

lib/filter.rb

@@ -2,6 +2,14 @@ module BeEF
   
   module Filter
     
+    # check if the string is a valid path from a HTTP request
+    def self.is_valid_path_info?(str)
+      return false if str.nil?
+      return false if not str.is_a? String
+      return false if BeEF::Filter.has_non_printable_char?(str)
+      true
+    end
+
     # check if the string is not empty and not nil
     def self.is_non_empty_string?(str)
       return false if str.nil?

lib/loader.rb

@@ -12,6 +12,7 @@ require 'singleton'
 require 'ipaddr'
 require 'base64'
 require 'xmlrpc/client'
+require 'erubis'
 
 require 'lib/patches/webrick/httprequest'
 require 'lib/patches/webrick/cookie'
@@ -20,6 +21,7 @@ require 'lib/patches/webrick/httpresponse'
 require 'lib/patches/webrick/httpservlet/filehandler.rb'
 
 require 'lib/constants'
+require 'lib/filter'
 
 require 'lib/model/user'
 require 'lib/model/commandmodule'
@@ -33,7 +35,6 @@ require 'lib/model/http'
 require 'lib/model/browserdetails'
 
 require 'lib/crypto'
-require 'lib/filter'
 
 require 'lib/configuration'
 

lib/server/httpcontroller.rb

@@ -1,21 +1,18 @@
-require 'erubis'
-
 module BeEF
   
   #
-  #
+  # Handle HTTP requests and call the relevant functions in the derived classes
   #
   class HttpController
     
     attr_accessor :headers, :status, :body, :paths, :currentuser, :params
     
     C = BeEF::Models::Command
-    E = BeEF::Models::CommandModule
+    CM = BeEF::Models::CommandModule
     Z = BeEF::Models::Zombie
     
     #
-    # Class constructor. Takes data from the child class and populates
-    # itself with it.
+    # Class constructor. Takes data from the child class and populates itself with it.
     #
     def initialize(data = {})
       @erubis = nil
@@ -31,7 +28,7 @@ module BeEF
     end
     
     #
-    #
+    # Handle HTTP requests and call the relevant functions in the derived classes
     #
     def run(request, response)
       @request = request
@@ -41,30 +38,27 @@ module BeEF
 
       # test if session is unauth'd and whether the auth functionality is requested
       if not @session.valid_session?(@request) and not self.class.eql?(BeEF::UI::Authentication)
-        
-        # request is unauthenicated so redirect to auth page
-        @body = page_redirect(auth_url)
+        @body = page_redirect(auth_url) # redirect to auth page
         return
-        
       end
 
-      # search for matching path and get the function to call
-      function = get_path_function(request.path_info)
+      # get the mapped function (if it exists) from the derived class
+      path = request.path_info
+      raise WEBrick::HTTPStatus::BadRequest, "path is invalid" if not Filter::is_valid_path_info?(path)
+      function = @paths[path] || @paths[path + '/'] # check hash for '<path>' and '<path>/'
       raise WEBrick::HTTPStatus::BadRequest, "path does not exist" if function.nil?
       
-      eval "self.#{function}"
+      # call the relevant mapped function
+      function.call
 
-      # use template
-      class_s = self.class.to_s.sub('BeEF::UI::', '').downcase
-
-      template_ui = "#{$root_dir}/lib/ui/#{class_s}/#{function}.html"
-      @eruby = Erubis::FastEruby.new(File.read(template_ui)) if File.exists? template_ui
-
-      template_module = "#{$root_dir}/modules/plugins/#{class_s}/#{function}.html"
-      @eruby = Erubis::FastEruby.new(File.read(template_module)) if File.exists? template_module
-
-      @body = @eruby.result(binding()) if not @eruby.nil?
+      # build the template filename and apply it - if the file exists
+      function_name = function.name # used for filename
+      class_s = self.class.to_s.sub('BeEF::UI::', '').downcase # used for directory name
+      template_ui = "#{$root_dir}/lib/ui/#{class_s}/#{function_name}.html" 
+      @eruby = Erubis::FastEruby.new(File.read(template_ui)) if File.exists? template_ui # load the template file
+      @body = @eruby.result(binding()) if not @eruby.nil? # apply template and set the response
 
+      # set content type
       if @headers['Content-Type'].nil?
         @headers['Content-Type']='text/html; charset=UTF-8' # default content and charset type for all pages
         @headers['Content-Type']='application/json; charset=UTF-8' if request.path =~ /.json$/
@@ -72,35 +66,19 @@ module BeEF
 
     end
 
-    #
-    # get the function mapped to path_info
-    #
-    def get_path_function(path_info) 
-
-      return nil if @paths.nil?
-
-      # search the paths
-      @paths.each{ |function, path|
-        return function if path.eql? path_info
-        return function if path.eql? path_info + '/'
-      }
-
-      nil
-    end
-
-    # Forges a redirect page
+    # Constructs a redirect page
     def page_redirect(location) "<html><head></head><body>" + script_redirect(location) + "</body>" end
     
-    # Forges a redirect script
+    # Constructs a redirect script
     def script_redirect(location) "<script> document.location=\"#{location}\"</script>" end
     
-    # Forges a html script tag
+    # Constructs a html script tag
     def script_tag(filename) "<script src=\"#{$url}/ui/public/javascript/#{filename}\" type=\"text/javascript\"></script>" end
     
-    # Forges a html stylesheet tag
+    # Constructs a html stylesheet tag
     def stylesheet_tag(filename) "<link rel=\"stylesheet\" href=\"#{$url}/ui/public/css/#{filename}\" type=\"text/css\" />" end
 
-    # Forges a hidden html nonce tag
+    # Constructs a hidden html nonce tag
     def nonce_tag 
       @session = BeEF::UI::Session.instance
       "<input type=\"hidden\" name=\"nonce\" id=\"nonce\" value=\"" + @session.get_nonce + "\"/>"

lib/ui/authentication/authentication.rb

@@ -12,9 +12,9 @@ class Authentication < BeEF::HttpController
   def initialize
     super({
       'paths' =>  {
-        'index' => '/',
-        'login' => '/login',
-        'logout' => '/logout'
+        '/'        => method(:index), 
+        '/login'   => method(:login),
+        '/logout'  => method(:logout)
       }
     })
     
@@ -30,6 +30,7 @@ class Authentication < BeEF::HttpController
   # Function managing the login
   #
   def login
+    
     username = @params['username-cfrm'] || ''
     password = @params['password-cfrm'] || ''
     config = BeEF::Configuration.instance

lib/ui/logs/logs.rb

@@ -6,8 +6,8 @@ class Logs < BeEF::HttpController
   def initialize
     super({
       'paths' => {
-        'select_all_logs' => '/all.json',
-        'select_zombie_logs' => '/zombie.json'
+        '/all.json'     => method(:select_all_logs),
+        '/zombie.json'  => method(:select_zombie_logs)
       }
     })
   end

lib/ui/modules/modules.rb

@@ -11,15 +11,15 @@ class Modules < BeEF::HttpController
   def initialize
     super({
       'paths' => {
-        'select_all_command_modules'      => '/select/commandmodules/all.json',
-        'select_command_modules_tree'     => '/select/commandmodules/tree.json',
-        'select_command_module'           => '/select/commandmodule.json',
-        'select_command'                  => '/select/command.json',
-        'select_command_results'          => '/select/command_results.json',
-        'select_zombie_summary'           => '/select/zombie_summary.json',
-        'select_command_module_commands'  => '/commandmodule/commands.json',
-        'attach_command_module'           => '/commandmodule/new',
-        'reexecute_command_module'        => '/commandmodule/reexecute'
+        '/select/commandmodules/all.json'   => method(:select_all_command_modules),
+        '/select/commandmodules/tree.json'  => method(:select_command_modules_tree),
+        '/select/commandmodule.json'        => method(:select_command_module),
+        '/select/command.json'              => method(:select_command),
+        '/select/command_results.json'      => method(:select_command_results),
+        '/select/zombie_summary.json'       => method(:select_zombie_summary),
+        '/commandmodule/commands.json'      => method(:select_command_module_commands),
+        '/commandmodule/new'                => method(:attach_command_module),
+        '/commandmodule/reexecute'          => method(:reexecute_command_module)
       }
     })
     

lib/ui/panel/panel.rb

@@ -9,13 +9,14 @@ class Panel < BeEF::HttpController
   def initialize
     super({
       'paths' => {
-        'index' => '/'
+        '/' => method(:index)
       }
     })
   end
   
   #
   def index
+    # should be rendered with Erubis::FastEruby
     @body = 'a'
   end
   

lib/ui/requester/requester.rb

@@ -6,15 +6,15 @@ module UI
 #
 class Requester < BeEF::HttpController
   
-  # Variable representing the Http db model.
+  # Variable representing the Http DB model.
   H = BeEF::Models::Http
   
   def initialize
     super({
       'paths' => {
-        'send_request'            => '/send',
-        'get_zombie_history'      => '/history.json',
-        'get_zombie_response'     => '/response.json',
+        '/send'           => method(:send_request),
+        '/history.json'   => method(:get_zombie_history),
+        '/response.json'  => method(:get_zombie_response)
       }
     })
   end

lib/ui/zombies/zombies.rb

@@ -9,13 +9,13 @@ class Zombies < BeEF::HttpController
   def initialize
     super({
       'paths' => {
-        'select_all' => '/select/all/complete.json',
-        'select_online' => '/select/online/complete.json',
-        'select_offline' => '/select/offline/complete.json',
+        '/select/all/complete.json'     => method(:select_all),
+        '/select/online/complete.json'  => method(:select_online),
+        '/select/offline/complete.json' => method(:select_offline),
         
-        'select_online_simple' => '/select/online/simple.json',
-        'select_all_simple' => '/select/all/simple.json',
-        'select_offline_simple' => '/select/offline/simple.json'
+        '/select/online/simple.json'    => method(:select_online_simple),
+        '/select/all/simple.json'       => method(:select_all_simple),
+        '/select/offline/simple.json'   => method(:select_offline_simple)
       }
     })
   end