Merge pull request #45 from BuffaloWill/1.0.1

Update ruby versions to modern status, removed unsupported libraries
BuffaloWill · May 3, 2023 · 2e2f168 · 2e2f168
2 parents 88b2a68 + afeae80
commit 2e2f168
Show file tree

Hide file tree

Showing 114 changed files with 60,095 additions and 23,020 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ruby:2.3.8-slim
+FROM ruby:2.7.7-slim
 
 RUN apt-get update && \
     apt-get install -y make git libsqlite3-dev libxslt-dev libxml2-dev zlib1g-dev gcc && \
@@ -7,10 +7,10 @@ RUN apt-get update && \
 WORKDIR /oxml_xxe
 
 # install deps
-COPY Gemfile Gemfile.lock ./
+COPY Gemfile ./
 RUN bundle install
 
 COPY . .
 
 EXPOSE 4567
-CMD ruby server.rb -o 0.0.0.0 -p 4567
+CMD ["bundle", "exec", "ruby", "server.rb", "-o", "0.0.0.0", "-p", "4567"]
diff --git a/Gemfile b/Gemfile
@@ -1,11 +1,13 @@
 source "https://rubygems.org"
 
-ruby "2.3.8"
+ruby "2.7.7"
 
-gem "sinatra", "1.4.8"
-gem "haml", "5.0.4"
-gem "rubyzip", "1.2.1"
-gem "json","1.8.6"
-gem "nokogiri", "1.8.1"
-gem "data_mapper", "1.2.0"
-gem "dm-sqlite-adapter", "1.2.0"
+gem "slim"
+gem "sinatra"
+gem "haml"
+gem "rubyzip"
+gem "json"
+gem "nokogiri"
+gem "sequel"
+gem "sqlite3"
+gem "rack"
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,97 +1,54 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.7.0)
-      public_suffix (>= 2.0.2, < 5.0)
-    bcrypt (3.1.16)
-    bcrypt-ruby (3.1.5)
-      bcrypt (>= 3.1.3)
-    data_mapper (1.2.0)
-      dm-aggregates (~> 1.2.0)
-      dm-constraints (~> 1.2.0)
-      dm-core (~> 1.2.0)
-      dm-migrations (~> 1.2.0)
-      dm-serializer (~> 1.2.0)
-      dm-timestamps (~> 1.2.0)
-      dm-transactions (~> 1.2.0)
-      dm-types (~> 1.2.0)
-      dm-validations (~> 1.2.0)
-    data_objects (0.10.17)
-      addressable (~> 2.1)
-    dm-aggregates (1.2.0)
-      dm-core (~> 1.2.0)
-    dm-constraints (1.2.0)
-      dm-core (~> 1.2.0)
-    dm-core (1.2.1)
-      addressable (~> 2.3)
-    dm-do-adapter (1.2.0)
-      data_objects (~> 0.10.6)
-      dm-core (~> 1.2.0)
-    dm-migrations (1.2.0)
-      dm-core (~> 1.2.0)
-    dm-serializer (1.2.2)
-      dm-core (~> 1.2.0)
-      fastercsv (~> 1.5)
-      json (~> 1.6)
-      json_pure (~> 1.6)
-      multi_json (~> 1.0)
-    dm-sqlite-adapter (1.2.0)
-      dm-do-adapter (~> 1.2.0)
-      do_sqlite3 (~> 0.10.6)
-    dm-timestamps (1.2.0)
-      dm-core (~> 1.2.0)
-    dm-transactions (1.2.0)
-      dm-core (~> 1.2.0)
-    dm-types (1.2.2)
-      bcrypt-ruby (~> 3.0)
-      dm-core (~> 1.2.0)
-      fastercsv (~> 1.5)
-      json (~> 1.6)
-      multi_json (~> 1.0)
-      stringex (~> 1.4)
-      uuidtools (~> 2.1)
-    dm-validations (1.2.0)
-      dm-core (~> 1.2.0)
-    do_sqlite3 (0.10.17)
-      data_objects (= 0.10.17)
-    fastercsv (1.5.5)
-    haml (5.0.4)
-      temple (>= 0.8.0)
+    haml (6.1.1)
+      temple (>= 0.8.2)
+      thor
       tilt
-    json (1.8.6)
-    json_pure (1.8.6)
-    mini_portile2 (2.3.0)
-    multi_json (1.15.0)
-    nokogiri (1.8.1)
-      mini_portile2 (~> 2.3.0)
-    public_suffix (4.0.6)
-    rack (1.6.13)
-    rack-protection (1.5.5)
+    json (2.6.3)
+    mini_portile2 (2.8.2)
+    mustermann (3.0.0)
+      ruby2_keywords (~> 0.0.1)
+    nokogiri (1.14.3)
+      mini_portile2 (~> 2.8.0)
+      racc (~> 1.4)
+    racc (1.6.2)
+    rack (2.2.7)
+    rack-protection (3.0.6)
       rack
-    rubyzip (1.2.1)
-    sinatra (1.4.8)
-      rack (~> 1.5)
-      rack-protection (~> 1.4)
-      tilt (>= 1.3, < 3)
-    stringex (1.5.1)
-    temple (0.8.2)
-    tilt (2.0.10)
-    uuidtools (2.2.0)
+    ruby2_keywords (0.0.5)
+    rubyzip (2.3.2)
+    sequel (5.68.0)
+    sinatra (3.0.6)
+      mustermann (~> 3.0)
+      rack (~> 2.2, >= 2.2.4)
+      rack-protection (= 3.0.6)
+      tilt (~> 2.0)
+    slim (5.1.0)
+      temple (~> 0.10.0)
+      tilt (>= 2.0.6, < 2.2)
+    sqlite3 (1.6.2)
+      mini_portile2 (~> 2.8.0)
+    temple (0.10.0)
+    thor (1.2.1)
+    tilt (2.1.0)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  data_mapper (= 1.2.0)
-  dm-sqlite-adapter (= 1.2.0)
-  haml (= 5.0.4)
-  json (= 1.8.6)
-  nokogiri (= 1.8.1)
-  rubyzip (= 1.2.1)
-  sinatra (= 1.4.8)
+  haml
+  json
+  nokogiri
+  rack
+  rubyzip
+  sequel
+  sinatra
+  slim
+  sqlite3
 
 RUBY VERSION
-   ruby 2.3.5p376
+   ruby 2.7.7p221
 
 BUNDLED WITH
-   1.16.0
+   2.1.4
diff --git a/README.md b/README.md
@@ -1,17 +1,10 @@
-# Archived
-
-This project is archived. If someone has a working and _maintained_ fork please let me know and I will point people there. Thank you to all of you. This was a fun project and a technique that yieled (and still yields) interesting research.
-
 # oxml_xxe
 This tool is meant to help test XXE vulnerabilities in **OXML document** file formats. Currently supported:
 
 - DOCX/XLSX/PPTX
 - ODT/ODG/ODP/ODS
 - SVG
 - XML
-- PDF (experimental)
-- JPG (experimental)
-- GIF (experimental)
 
 BH USA 2015 Presentation: [Exploiting XXE in File Upload Functionality (Slides)](http://oxmlxxe.github.io/reveal.js/slides.html#/) [(Recorded Webcast)](https://www.blackhat.com/html/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.html)
 
@@ -22,7 +15,7 @@ Blog Posts on the topic:
 
 # Developer Build
 
-OXML_XXE was re-written in Ruby using Sinatra, Bootstrap, and Haml. Installation should be easy with Docker:
+OXML_XXE was re-written in Ruby using Sinatra, Bootstrap, and Slim. Installation should be easy with Docker:
 
 1. Run `docker-compose up`
 2. Browse to http://localhost:4567/ to get started.

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,7 +1,6 @@
 version: "2.2"
 
 services:
-
   web:
     build: .
     volumes:

diff --git a/lib/model.rb b/lib/model.rb
@@ -1,25 +1,13 @@
-require 'rubygems'
-require 'data_mapper'
-require 'digest/sha1'
-require 'dm-migrations'
+require 'sequel'
 
-# Initialize the Master DB
-DataMapper.setup(:default, "sqlite://#{Dir.pwd}/db/master.db")
-
-
-class Oxfile
-    include DataMapper::Resource
-
-    property :id, Serial
-    property :filename, String, :length => 400
-    property :location, String, :length => 400
-    property :desc, String, :length => 500
-    property :type, String, :length => 15
+DB = Sequel.sqlite("#{Dir.pwd}/db/master.db")
 
+class Oxfile < Sequel::Model(:oxfiles)
+    set_columns :filename
+    set_columns :id
+    set_columns :location
+    set_columns :desc
+    set_columns :type
+    set_columns :created_at
 end
 
-DataMapper.finalize
-
-# any differences between the data store and the data model should be fixed by this
-#   As discussed in http://datamapper.org/why.html it is limited. Hopefully we never create conflicts.
-DataMapper.auto_upgrade!
diff --git a/lib/util.rb b/lib/util.rb
@@ -264,7 +264,9 @@ def display_file(rand_file)
 		file = {}
 		file["name"] = "XML/SVG FILE"
 		file["id"] = 0
-		file["contents"] = clean_xml(File.open(rand_file, "rb").read)
+		#		file["contents"] = clean_xml(File.open(rand_file, "rb").read)
+		file["contents"] = File.open(rand_file, "rb").read
+
 		@files = [file]
 	elsif ext =~ /pdf/ or ext =~ /jpg/ or ext =~ /gif/
 		file = {}
@@ -283,7 +285,8 @@ def display_file(rand_file)
 				if nm =~ /xml/ or nm =~ /_rels/ or nm =~ /Cont/
 					document = entry.get_input_stream.read
 					if document
-						file["contents"] = clean_xml(document) # read entry content
+						#file["contents"] = clean_xml(document) # read entry content
+						file["contents"] = document
 					else
 						file["contents"] = "EMPTY FILE"
 					end