
Export not working on Windows

Open AkikoOrenji opened this issue 3 years ago • 5 comments

  • Version: SourceMapper-0.0.2.jar
  • Burp version: 2022.3.8
  • Burp Build Number: 13217
  • Burp Update Channel: Stable
  • java.runtime.version: 17.0.2+8-86

Plugin Output shows :

  • Saving to C:\Users\user\Documents
  • Writing \static\app.js\
  • Saving to C:\Users\user\Documents
  • Writing \static\app.js\
  • Saving to C:\Users\user\Documents\refresh-token.js
  • Saving to C:\Users\user\Documents
  • Writing \Sources\somesitecom\static\app.js

The plugin errors show java.io.FileNotFoundException: \static\app.js (The network path was not found). It appears an additional slash is making Java assume it's a network path and not a local file system.

AkikoOrenji avatar Jun 24 '22 01:06 AkikoOrenji

Hi, thanks for opening the issue! I'll check this out next week if I have a chance. I'm going on vacation shortly so I'll try and get it fixed before then.

I hadn't tested exports on Windows, so thanks for catching this.

Can you please provide a screenshot of the file tree inside the Burp tab? Did it include entries with a .. in the file or folder name? The way I use Path.resolve and Path.normalize should be constraining file writes to the selected folder, but I'm wondering if I might have an edge case.

Thanks!

lachlan2k avatar Jun 24 '22 01:06 lachlan2k

Thanks for the quick response. You know you're living in the future when Windows is the edge case 😆 Love it 🥳

The only .. is where node_modules and webpack are sitting.

I tried exporting from a few different locations in the tree but they all get the same problem. Clicking an individual file works though.

AkikoOrenji avatar Jun 24 '22 02:06 AkikoOrenji

Hey @AkikoOrenji @lachlan2k - does this branch solve your issues? https://github.com/PeterMosmans/source-mapper/tree/fix-export A binary release can be found in the release folder.

What I've done is trying to ensure that the "path join" is OS-independent, so hopefully that works...

PeterMosmans avatar Aug 02 '23 13:08 PeterMosmans

Sorry, I completely forgot about this!

I'll review & test tonight. I'll also add proper releases (instead of binaries in the repo) and add some other improvements I've been meaning to get around to.

lachlan2k avatar Aug 18 '23 23:08 lachlan2k

> Hey @AkikoOrenji @lachlan2k - does this branch solve your issues? https://github.com/PeterMosmans/source-mapper/tree/fix-export A binary release can be found in the release folder.
>
> What I've done is trying to ensure that the "path join" is OS-independent, so hopefully that works...

Unfortunately the use of "." in this branch as opposed to "/" doesn't sufficiently prevent directory traversal.

If the path of a file in the export path is in any ".." folders this may lead to writing outside of the intended directory (or overwriting unintended files).

I have a platform independent solution that should work, but I don't have immediate access to a Windows machine today, but I'll try and sort it in the next week.

lachlan2k avatar Aug 19 '23 14:08 lachlan2k
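
The containment check discussed in this thread (resolve, normalize, then verify the result is still under the selected folder), as an added Java example that is not the plugin's code or either contributor's fix. `SafeExport`, `resolveInside` and the entry names are hypothetical, and the sample entries are constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

// Hypothetical helper: maps a source-map entry name to a file under the export folder.
public class SafeExport {
    static Path resolveInside(Path exportRoot, String entryName) throws IOException {
        Path root = exportRoot.toAbsolutePath().normalize();
        Path target = root;
        try {
            // Split on both "/" and "\" so the result is the same on every OS. Skipping
            // empty segments drops the leading separator that made "\static\app.js"
            // resolve away from the export folder on Windows.
            for (String seg : entryName.split("[/\\\\]+")) {
                if (!seg.isEmpty()) target = target.resolve(seg);
            }
        } catch (InvalidPathException ex) {
            throw new IOException("Invalid name for this OS: " + entryName, ex);
        }
        // normalize() only collapses ".." lexically; the startsWith() test is what
        // enforces the boundary. Path.startsWith compares whole name elements, so a
        // sibling such as "export-evil" does not count as being inside "export".
        target = target.normalize();
        if (target.equals(root) || !target.startsWith(root)) {
            throw new IOException("Entry escapes export folder: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("export-demo");
        // Constructed sample entry names, not taken from a real source map.
        String[] entries = {"\\static\\app.js", "/static/app.js",
            "webpack/../static/x.js", "../outside.js", "a/../../outside.js"};
        for (String e : entries) {
            try {
                Path p = resolveInside(root, e);
                Files.createDirectories(p.getParent());
                Files.writeString(p, "// demo\n");
                System.out.println("wrote   " + root.relativize(p) + "  <- " + e);
            } catch (IOException ex) {
                System.out.println("refused " + e + "  (" + ex.getMessage() + ")");
            }
        }
    }
}
```

The check is lexical: it does not follow symlinks that already exist inside the export folder.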