
Nmap Development mailing list archives
Re: [NSE] http-git patches
From: Alex Weber <alexwebr () gmail com>
Date: Tue, 11 Dec 2012 15:50:50 -0600
Thank you for doing that bisection and fixing the problem.

I made the changes you suggested, and a lot of code was touched, so the
patches are big. While making the changes, I had a code review done and
made some style changes to enhance readability and bring http-git closer
to the style of the other NSE scripts.

The real changes are in http-git_functional.patch, and the
readability/style changes are done in http-git_style.patch.
The style patch needs to be applied after the functional patch.

I thought it might be easier to treat it as a new script because a lot
has changed, so I attached the full text of the script as http-git.nse_new.
This is equivalent to applying the functional patch and then the style
patch to SVN's copy of http-git.

Please do let me know if there's a better way to do big patches like this :)

-Alex

On 08/12/12 04:49 AM, David Fifield wrote:
> On Fri, Dec 07, 2012 at 07:31:59PM -0600, Alex Weber wrote:
> > http-git seemed to have stopped working at some point,
>
> I did a bisection and found that it stopped working at r29570, the
> introduction of structured output. What went wrong is that string.gsub
> returns two values: the substituted string and the number of
> substitutions. This was being interpreted as structured output and
> unstructured output, respectively. I fixed this in r30354 by removing
> the string.gsub call.
>
> > so I took the opportunity to change the output to a table so that we
> > have some semantic XML with -oX.
>
> Thank you for doing this. We're trying to gradually move existing scripts
> to structured output, and this helps.
>
> I'd like you to consider making some changes to the structured output.
> Here is what it looks like now:
>
> $ ./nmap -p80 --script http-git javaop.com -d -oX -
> <table key="206.220.193.152:80/.git/">
>   <elem>Potential Git repository found at 206.220.193.152:80/.git/ (found 5 of 6 expected files)</elem>
>   <elem>Source might be at https://github.com/skullspace/breachdb</elem>
>   <elem key="Interesting files">Contents of '.git/COMMIT_EDITMSG' matched patterns 'passw' (case-insensitive match)</elem>
>   <elem key="Repository description">Unnamed repository; edit this file 'description' to name the...</elem>
>   <elem key="Last commit message">Brought the github repo up-to-date with my private subversio...</elem>
>   <elem key="Remote">git () github com:skullspace/breachdb.git</elem>
> </table>
>
> Parts of this could be better structured. For example, the URLs: those
> should be isolated in elements of their own, not appear in the middle of
> free text. (In general, structured output shouldn't have free text
> unless it is something copied from the service.) In normal output you
> show "found 5 of 6 interesting files"; in structured output you should
> list the names of those files. Strings like "Interesting files" and
> "Repository description" are bad key names. Imagine that you are a
> programmer processing this data--what is the most convenient form in
> which it can appear? The line
>
>   Contents of '.git/COMMIT_EDITMSG' matched patterns 'passw' (case-insensitive match)
>
> should definitely be broken down into subelements:
>
>   <table key="interesting-files">
>     <table>
>       <elem key="filename">.git/COMMIT_EDITMSG</elem>
>       <elem key="pattern">passw</elem>
>     </table>
>   </table>
>
> Strings should not be truncated with "..." in structured output; that's
> only for normal screen output. Think of a programmer using this XML: you
> want everything to be there.
>
> Generally, this is how you should approach structured output. Have a
> function that returns everything interesting the script can report, in a
> programmer-oriented form. That means a table with nice key names, and
> subtables when you need to represent a list or hierarchy. This table
> will be the first return value of your script. Then, make a function
> that processes the nice programmer-oriented table and transforms it into
> screen output. This is where you do things like omit the names of the 5
> expected files, and truncate some strings with "...". The result of the
> formatting function will be the second return value of the script. See
> http-auth for an example of this: the challenges table is directly
> returned from an API function; it's programmer-oriented data. The result
> string contains a bunch of free text and labels for screen output.
>
> Please add an @xmloutput section in future patches to show what the
> structured output looks like.
>
> David Fifield
Attachment: http-git_functional.patch
Attachment: http-git.nse_new
Attachment: http-git_style.patch
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
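
The two points from the quoted review above (the two-value return of string.gsub, and splitting a programmer-oriented table from its screen formatting) shown as an added example in plain Lua. It is not part of the original thread and not code from http-git; the function names, URL and sample data are constructed for illustration.

```lua
-- Added illustration in plain Lua (no Nmap libraries); all names and sample
-- data are constructed and are not taken from http-git.

-- Pitfall: string.gsub returns (new_string, substitution_count). Returning
-- the call directly passes both values on, so a script action doing this
-- would hand the count over as its second (screen output) return value.
local function leaky(s)
  return s:gsub("%s+$", "")
end

-- Parentheses around the call truncate it to its first result only.
local function trimmed(s)
  return (s:gsub("%s+$", ""))
end

-- Step 1: programmer-oriented table. URLs are isolated, file names are
-- listed, key names are machine-friendly, and nothing is truncated.
local function collect()
  return {
    url = "http://scanme.example/.git/",
    ["files-found"] = { ".git/HEAD", ".git/config", ".git/COMMIT_EDITMSG" },
    ["last-commit-message"] = trimmed("Constructed commit message that is longer than one line  \n"),
    ["interesting-matches"] = {
      { filename = ".git/COMMIT_EDITMSG", pattern = "passw" },
    },
  }
end

-- Step 2: screen formatting only; truncation with "..." belongs here.
local function shorten(s, max)
  if #s <= max then return s end
  return s:sub(1, max) .. "..."
end

local function to_screen(t)
  local lines = {
    ("Potential Git repository found at %s (found %d expected files)"):format(t.url, #t["files-found"]),
    "Last commit message: " .. shorten(t["last-commit-message"], 40),
  }
  for _, m in ipairs(t["interesting-matches"]) do
    lines[#lines + 1] = ("%s matched pattern '%s'"):format(m.filename, m.pattern)
  end
  return table.concat(lines, "\n")
end

-- A script action following this pattern would end: return out, to_screen(out)
local out = collect()
print(select("#", leaky("x  ")), select("#", trimmed("x  ")))
print(to_screen(out))
```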