Merge pull request #109 from blacklanternsecurity/allow_redirects_fix

Turning off redirects by default, adding optional allow_redirect option
blacklanternsecurity · Dec 30, 2023 · a15bbb1 · a15bbb1
2 parents fda3e11 + 826d8bf
commit a15bbb1
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 1 deletion.
diff --git a/badsecrets/examples/cli.py b/badsecrets/examples/cli.py
@@ -185,6 +185,13 @@ def main():
         help="In URL mode, Optionally set a custom user-agent",
     )
 
+    parser.add_argument(
+        "-r",
+        "--allow-redirects",
+        action="store_true",
+        help="Optionally follow HTTP redirects. Off by default",
+    )
+
     args = parser.parse_args(unknown_args)
 
     if not args.url and not args.product:
@@ -200,6 +207,10 @@ def main():
         parser.error(print_status("In --url mode, no positional arguments should be used", color=Fore.RED))
         return
 
+    allow_redirects = False
+    if args.allow_redirects:
+        allow_redirects = True
+
     proxies = None
     if args.proxy:
         proxies = {"http": args.proxy, "https": args.proxy}
@@ -215,7 +226,9 @@ def main():
             headers["User-agent"] = args.user_agent
 
         try:
-            res = requests.get(args.url, proxies=proxies, headers=headers, verify=False)
+            res = requests.get(
+                args.url, proxies=proxies, headers=headers, verify=False, allow_redirects=allow_redirects
+            )
         except (requests.exceptions.ConnectionError, requests.exceptions.ConnectTimeout):
             print_status(f"Error connecting to URL: [{args.url}]", color=Fore.RED)
             return

diff --git a/tests/examples_cli_test.py b/tests/examples_cli_test.py
@@ -808,3 +808,43 @@ def test_examples_cli_colors_info(monkeypatch, capsys):
     captured = capsys.readouterr()
     assert "your-256-bit-secret" in captured.out
     print(captured.out)
+
+
+def test_example_cli_redirects_allow(monkeypatch, capsys):
+    with requests_mock.Mocker() as m:
+        m.get(
+            f"http://example.com/vulnerablejwt.html",
+            status_code=200,
+            text=base_vulnerable_page,
+        )
+
+        m.get(
+            f"http://example.com/vulnerablejwt-redir.html", status_code=302, headers={"Location": "vulnerablejwt.html"}
+        )
+
+        monkeypatch.setattr(
+            "sys.argv", ["python", "--url", "http://example.com/vulnerablejwt-redir.html", "--allow-redirects"]
+        )
+        cli.main()
+        captured = capsys.readouterr()
+        assert "your-256-bit-secret" in captured.out
+
+
+def test_example_cli_redirects_default(monkeypatch, capsys):
+    with requests_mock.Mocker() as m:
+        m.get(
+            f"http://example.com/vulnerablejwt.html",
+            status_code=200,
+        )
+
+        m.get(
+            f"http://example.com/vulnerablejwt-redir.html",
+            status_code=302,
+            text=base_vulnerable_page,
+            headers={"Location": "vulnerablejwt.html"},
+        )
+
+        monkeypatch.setattr("sys.argv", ["python", "--url", "http://example.com/vulnerablejwt-redir.html"])
+        cli.main()
+        captured = capsys.readouterr()
+        assert "your-256-bit-secret" in captured.out