Merge remote-tracking branch 'origin/develop' into develop

build/dist-tools/nsis/vega.nsi

@@ -2,7 +2,7 @@
 
 ; HM NIS Edit Wizard helper defines
 !define PRODUCT_NAME "Vega"
-!define PRODUCT_VERSION "1.0 Beta"
+!define PRODUCT_VERSION "1.0"
 !define PRODUCT_PUBLISHER "Subgraph"
 !define PRODUCT_WEB_SITE "http://www.subgraph.com"
 !define PRODUCT_DIR_REGKEY "Software\Microsoft\Windows\CurrentVersion\App Paths\Vega.exe"

build/dist-tools/nsis/win-x86.ini

@@ -0,0 +1,6 @@
+-vmargs 
+-Xms256m 
+-XX:PermSize=128m 
+-XX:MaxPermSize=256m 
+-Xmx1024m 
+

build/dist-tools/nsis/win-x86_64.ini

@@ -0,0 +1,6 @@
+-vmargs 
+-Xms256m 
+-XX:PermSize=128m 
+-XX:MaxPermSize=256m 
+-Xmx2048m 
+

build/dist-tools/nsis/windows-dist.sh

@@ -9,6 +9,7 @@ make_dist() {
     rm -rf $TARGET
     mkdir -p $TARGET
     /usr/bin/unzip -d $TARGET $VEGA
+    cp build/dist-tools/nsis/win-$ARCH.ini $TARGET/vega/Vega.ini
     cp build/dist-tools/nsis/epl.txt $TARGET
     cp build/dist-tools/nsis/vega.nsi $TARGET
     /usr/local/bin/makensis $TARGET/vega.nsi

licenses/db4o-dOCL.txt

@@ -1,6 +1,6 @@
 ============================================================
 Notices for file(s):
-  /Vega/platform/com.subgraph.vega.model/lib/db4o-8.0.184.15484-all-java5.jar
+  /Vega/platform/com.subgraph.vega.model/lib/db4o-8.0.249.16098-all-java5.jar
 
 Vega uses db4o under the dOCL.
 http://community.versant.com/Blogs/db4o/tabid/197/entryid/1044/Default.aspx

platform/com.subgraph.vega.analysis/META-INF/MANIFEST.MF

@@ -20,5 +20,6 @@ Import-Package: com.subgraph.vega.api.analysis,
  org.apache.http.client.utils;version="4.2.2",
  org.jsoup,
  org.jsoup.nodes,
+ org.jsoup.parser,
  org.jsoup.select
 Service-Component: OSGI-INF/analysis.xml

platform/com.subgraph.vega.analysis/src/com/subgraph/vega/internal/analysis/urls/HtmlUrlExtractor.java

@@ -27,6 +27,7 @@
 import org.jsoup.Jsoup;
 import org.jsoup.nodes.Document;
 import org.jsoup.nodes.Element;
+import org.jsoup.parser.Parser;
 
 import com.subgraph.vega.api.html.IHTMLParseResult;
 import com.subgraph.vega.api.http.requests.IHttpResponse;
@@ -139,7 +140,7 @@ private URI createURI(String link) {
 		try {
 			if(link.isEmpty())
 				return null;
-			return new URI(link);
+			return new URI(Parser.unescapeEntities(link, false));
 		} catch (URISyntaxException ex) {
 			return null;
 		}

platform/com.subgraph.vega.api/META-INF/MANIFEST.MF

@@ -6,7 +6,7 @@ Bundle-Version: 1.0.0.qualifier
 Bundle-Vendor: SUBGRAPH
 Bundle-RequiredExecutionEnvironment: JavaSE-1.7,
  JavaSE-1.6
-Import-Package: com.google.common.net;version="1.6.0",
+Import-Package: com.google.common.net,
  com.subgraph.vega.api.html,
  org.apache.http;version="4.0.0",
  org.apache.http.client,

platform/com.subgraph.vega.application/vega.product

@@ -14,13 +14,14 @@
    </configIni>
 
    <launcherArgs>
-      <vmArgs>-Xms256m -Xmx2048m -XX:PermSize=128m -XX:MaxPermSize=256m</vmArgs>
-      <vmArgsMac>-XstartOnFirstThread -Dorg.eclipse.swt.internal.carbon.smallFonts</vmArgsMac>
+      <vmArgs>-Xms256m -XX:PermSize=128m -XX:MaxPermSize=256m</vmArgs>
+      <vmArgsLin>-Xmx2048m</vmArgsLin>
+      <vmArgsMac>-XstartOnFirstThread -Dorg.eclipse.swt.internal.carbon.smallFonts -Xmx2048m</vmArgsMac>
+      <vmArgsWin>-Xmx1536m</vmArgsWin>
    </launcherArgs>
 
    <windowImages i16="/com.subgraph.vega.application/icons/16x16Vega.png" i32="/com.subgraph.vega.application/icons/32x32Vega.png" i48="/com.subgraph.vega.application/icons/48x48Vega.png" i64="/com.subgraph.vega.application/icons/64x64Vega.png" i128="/com.subgraph.vega.application/icons/128x128Vega.png"/>
 
-
    <launcher name="Vega">
       <linux icon="/com.subgraph.vega.application/icons/Vega.xpm"/>
       <macosx icon="/com.subgraph.vega.application/icons/VegaIcons-OSX.icns"/>
@@ -31,11 +32,9 @@
       </win>
    </launcher>
 
-
    <vm>
    </vm>
 
-
    <plugins>
       <plugin id="com.ibm.icu"/>
       <plugin id="com.subgraph.vega.application"/>

platform/com.subgraph.vega.model/.classpath

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <classpath>
-	<classpathentry exported="true" kind="lib" path="lib/db4o-8.0.184.15484-all-java5.jar"/>
+	<classpathentry exported="true" kind="lib" path="lib/db4o-8.0.249.16098-all-java5.jar"/>
 	<classpathentry kind="con" path="org.eclipse.pde.core.requiredPlugins"/>
 	<classpathentry kind="src" path="src"/>
 	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER"/>

platform/com.subgraph.vega.model/META-INF/MANIFEST.MF

@@ -6,7 +6,7 @@ Bundle-Version: 1.0.0.qualifier
 Bundle-Vendor: SUBGRAPH
 Bundle-RequiredExecutionEnvironment: JavaSE-1.7,
  JavaSE-1.6
-Import-Package: com.google.common.base;version="1.6.0",
+Import-Package: com.google.common.base,
  com.subgraph.vega.api.annotations,
  com.subgraph.vega.api.console,
  com.subgraph.vega.api.events,
@@ -46,6 +46,6 @@ Import-Package: com.google.common.base;version="1.6.0",
  org.apache.http.util;version="4.0.0",
  org.w3c.dom.html2
 Service-Component: OSGI-INF/model.xml
-Bundle-ClassPath: lib/db4o-8.0.184.15484-all-java5.jar,
- .
+Bundle-ClassPath: .,
+ lib/db4o-8.0.249.16098-all-java5.jar
 Require-Bundle: org.apache.http.core;bundle-version="4.2.3"

platform/com.subgraph.vega.model/build.properties

@@ -1,6 +1,6 @@
 output.. = bin/
 bin.includes = META-INF/,\
                .,\
-               lib/db4o-8.0.184.15484-all-java5.jar,\
+               lib/db4o-8.0.249.16098-all-java5.jar,\
                OSGI-INF/
 source.. = src/

platform/com.subgraph.vega.scanner.modules/META-INF/MANIFEST.MF

@@ -6,7 +6,8 @@ Bundle-Version: 1.0.0.qualifier
 Bundle-Vendor: SUBGRAPH
 Bundle-RequiredExecutionEnvironment: JavaSE-1.7,
  JavaSE-1.6
-Import-Package: com.google.common.net;version="1.6.0",
+Import-Package: com.google.common.io,
+ com.google.common.net,
  com.subgraph.vega.api.annotations,
  com.subgraph.vega.api.console,
  com.subgraph.vega.api.crawler,

platform/com.subgraph.vega.scanner.modules/src/com/subgraph/vega/impl/scanner/modules/scripting/ModuleContextJS.java

@@ -21,6 +21,7 @@
 import org.mozilla.javascript.Wrapper;
 
 import com.google.common.net.InternetDomainName;
+import com.google.common.io.BaseEncoding;
 
 import com.subgraph.vega.api.http.requests.IHttpResponse;
 import com.subgraph.vega.api.http.requests.IPageFingerprint;
@@ -309,4 +310,14 @@ public InternetDomainName internetDomainName(String domain) {
 	public boolean isValidInternetDomainName(String domain) {
 		return context.isValidInternetDomainName(domain);
 	}
+
+	public String base64decode(String encoded) {
+		byte[] decoded = BaseEncoding.base64().decode(encoded);
+		return new String(decoded);
+	}
+
+	public String base64encode(String input) {
+		String encoded = BaseEncoding.base64().encode(input.getBytes());
+		return encoded;
+	}
 }

platform/com.subgraph.vega.scanner.modules/src/com/subgraph/vega/impl/scanner/modules/scripting/ResponseModuleContext.java

@@ -21,6 +21,7 @@
 import org.mozilla.javascript.Scriptable;
 import org.mozilla.javascript.Wrapper;
 
+import com.google.common.io.BaseEncoding;
 import com.google.common.net.InternetDomainName;
 
 import com.subgraph.vega.api.http.requests.IHttpResponse;
@@ -253,4 +254,14 @@ public InternetDomainName internetDomainName(String domain) {
 	public boolean isValidInternetDomainName(String domain) {
 		return InternetDomainName.isValid(domain);
 	}
+
+	public String base64decode(String encoded) {
+		byte[] decoded = BaseEncoding.base64().decode(encoded);
+		return new String(decoded);
+	}
+
+	public String base64encode(String input) {
+		String encoded = BaseEncoding.base64().encode(input.getBytes());
+		return encoded;
+	}
 }

platform/com.subgraph.vega.scanner/META-INF/MANIFEST.MF

@@ -6,7 +6,7 @@ Bundle-Version: 1.0.0.qualifier
 Bundle-Vendor: SUBGRAPH
 Bundle-RequiredExecutionEnvironment: JavaSE-1.7,
  JavaSE-1.6
-Import-Package: com.google.common.base;version="1.6.0",
+Import-Package: com.google.common.base,
  com.subgraph.vega.api.analysis,
  com.subgraph.vega.api.crawler,
  com.subgraph.vega.api.events,

platform/com.subgraph.vega.scanner/src/com/subgraph/vega/impl/scanner/ScannerTask.java

@@ -88,6 +88,8 @@ public void run() {
 
 
 		scanInstance.updateScanStatus(IScanInstance.SCAN_AUDITING);
+		scan.getRequestEngine().getCookieStore().clear();
+
 		if (handleMacroAuthentication()) {
 			runCrawlerPhase();
 

platform/com.subgraph.vega.scanner/src/com/subgraph/vega/impl/scanner/urls/SQLErrorMessageDetector.java

@@ -1,53 +1,65 @@
 package com.subgraph.vega.impl.scanner.urls;
 
-import java.util.Arrays;
-import java.util.List;
-
 import org.apache.http.client.methods.HttpUriRequest;
 
+import com.google.common.collect.ImmutableMap;
 import com.subgraph.vega.api.http.requests.IHttpResponse;
 import com.subgraph.vega.api.scanner.IInjectionModuleContext;
 
 public class SQLErrorMessageDetector {
-	private final static String SQL_INJECTION_ALERT = "vinfo-sql-error";
-	private final static List<String> ERROR_STRINGS = Arrays.asList(
-
-			"Incorrect syntax near",                             // MS-SQL Server
-			"Unclosed quotation mark",					         // MS-SQL Server
-			"Dynamic SQL Error",						         // MS-SQL Server
-			"SqlClient.SqlException: Syntax error",				 // ASP.Net / MS SQL Server
-			"[Microsoft][ODBC SQL Server Driver]",               // MS Generic ODBC Error
-			"Microsoft OLE DB Provider for ODBC Drivers</font>", // MS OLE 
-			"Microsoft OLE DB Provider for ODBC Drivers</FONT>", // MS OLE
-
-			"Syntax error in string in query expression",        // MS Access
-
-			"<b>Warning</b>:  MySQL: ",                          // MySQL
-			"You have an error in your SQL syntax",              // MySQL
-			"supplied argument is not a valid MySQL",            // MySQL
-
-			"PostgreSQL query failed:",                          // PostgreSQL
-			"unterminated quoted string at or near",             // PostgreSQL
-			"syntax error at or near",                           // PostgreSQL
-			"invalid input syntax for integer:",		         // PostgreSQL
-			"Query failed: ERROR: syntax error",		         // PostgreSQL
-
-			"Unexpected end of command in statement",	         // Java
-			"java.sql.SQLException:",					         // Java
-
-			"quoted string not properly terminated",	         // Oracle
-			"SQL command not properly ended",                    // Oracle
-			"unable to perform query",
-
-			"[DM_QUERY_E_SYNTAX]",						         // DQL
-
-			"[Macromedia][SQLServer JDBC Driver]",				 // CF
+
+	private static enum databaseErrorTypes {SQLSERVER, ASP, MS, ACCESS, MYSQL, POSTGRES, JAVA, ORACLE, DQL, CF, DB2}
+
+	private final static ImmutableMap<databaseErrorTypes, String> DATABASE_ALERTS = ImmutableMap.<databaseErrorTypes, String>builder().put(
+																													databaseErrorTypes.SQLSERVER, "vinfo-sqlserver-error").put(
+																													databaseErrorTypes.ASP, "vinfo-sql-error").put(
+																													databaseErrorTypes.MS, "vinfo-sql-error").put(
+																													databaseErrorTypes.ACCESS, "vinfo-sql-error").put(
+																													databaseErrorTypes.MYSQL, "vinfo-mysql-error").put(
+																													databaseErrorTypes.POSTGRES, "vinfo-sql-error").put(
+																													databaseErrorTypes.JAVA, "vinfo-sql-error").put(
+																													databaseErrorTypes.ORACLE, "vinfo-sql-error").put(
+																													databaseErrorTypes.DQL, "vinfo-sql-error").put(
+																													databaseErrorTypes.CF, "vinfo-sql-error").put(
+																													databaseErrorTypes.DB2, "vinfo-sql-error").build();
+
+
+	private final static ImmutableMap<String, databaseErrorTypes> ERROR_STRINGS = ImmutableMap.<String, databaseErrorTypes>builder().put(
+																													"Incorrect syntax near",  databaseErrorTypes.SQLSERVER).put(
+																								   					"Unclosed quotation mark", databaseErrorTypes.SQLSERVER).put(
+																								   					"Dynamic SQL Error", databaseErrorTypes.SQLSERVER).put(			
+
+																								   					"SqlClient.SqlException: Syntax error", databaseErrorTypes.ASP).put(
+
+																								   				    "[Microsoft][ODBC SQL Server Driver]", databaseErrorTypes.MS).put(
+																								   				    "Microsoft OLE DB Provider for ODBC Drivers</font>", databaseErrorTypes.MS).put(
+																								   				    "Microsoft OLE DB Provider for ODBC Drivers</FONT>", databaseErrorTypes.MS).put(
+
+																								   				    "Syntax error in string in query expression",  databaseErrorTypes.ACCESS).put(
+
+																								   				    "<b>Warning</b>:  MySQL: ", databaseErrorTypes.MYSQL).put(
+																								   				    "You have an error in your SQL syntax", databaseErrorTypes.MYSQL).put(
+																								   				    "supplied argument is not a valid MySQL", databaseErrorTypes.MYSQL).put(
+
+																								   				    "PostgreSQL query failed:", databaseErrorTypes.POSTGRES).put(
+																								   				    "unterminated quoted string at or near", databaseErrorTypes.POSTGRES).put(
+																								   				    "syntax error at or near", databaseErrorTypes.POSTGRES).put(
+																								   				    "invalid input syntax for integer:",	databaseErrorTypes.POSTGRES).put(
+																								   				    "Query failed: ERROR: syntax error",	databaseErrorTypes.POSTGRES).put(
+
+																								   				    "Unexpected end of command in statement", databaseErrorTypes.JAVA).put(
+																								   				    "java.sql.SQLException:", databaseErrorTypes.JAVA).put(
+																								   				    "quoted string not properly terminated",	databaseErrorTypes.ORACLE).put(
+																								   				    "SQL command not properly ended", databaseErrorTypes.ORACLE).put(
+																								   				    "unable to perform query", databaseErrorTypes.ORACLE).put(
 
-			"DB2 SQL Error:"     								 // DB2
+																								   				    "[DM_QUERY_E_SYNTAX]", databaseErrorTypes.DQL).put(
+
+																								   				    "[Macromedia][SQLServer JDBC Driver]", databaseErrorTypes.CF).put(
+																								   				    "[Macromedia][MySQL JDBC Driver]", databaseErrorTypes.CF).put(
 
+																								   				    "DB2 SQL Error:", databaseErrorTypes.DB2).build();
 
-			);
-
 	private final ResponseAnalyzer responseAnalyzer; 
 
 	public SQLErrorMessageDetector(ResponseAnalyzer responseAnalyzer) {
@@ -59,15 +71,15 @@ public void detectErrorMessages(IInjectionModuleContext ctx, HttpUriRequest requ
 		if(body == null || body.isEmpty()) {
 			return;
 		}
-		for(String errorString: ERROR_STRINGS) {
+		for(String errorString: ERROR_STRINGS.keySet()) {
 			if(body.contains(errorString)) {
-				processDetectedErrorMessage(ctx, request, response, errorString);
+				processDetectedErrorMessage(ctx, request, response, errorString, ERROR_STRINGS.get(errorString));
 			}
 		}
 	}
 
-	private void processDetectedErrorMessage(IInjectionModuleContext ctx, HttpUriRequest request, IHttpResponse response, String errorString) {
+	private void processDetectedErrorMessage(IInjectionModuleContext ctx, HttpUriRequest request, IHttpResponse response, String errorString, databaseErrorTypes errorType) {
 		ctx.addStringHighlight(errorString);
-		responseAnalyzer.alert(ctx, SQL_INJECTION_ALERT, "SQL Error Message Detected", request, response, null);
+		responseAnalyzer.alert(ctx, DATABASE_ALERTS.get(errorType), "SQL Error Message Detected", request, response, null);
 	}
 }

platform/com.subgraph.vega.scanner/src/com/subgraph/vega/impl/scanner/urls/UriParser.java

@@ -99,7 +99,7 @@ private void processWebHost(IWebHost webHost) {
 		final IWebPath rootPath = webHost.getRootPath();
 		synchronized(pathStateManager) {
 			if(!pathStateManager.hasSeenPath(rootPath)) {
-				pathStateManager.createStateForPath(rootPath, directoryProcessor);
+				pathStateManager.createStateForPath(rootPath, unknownProcessor);
 			}
 		}
 	}

platform/com.subgraph.vega.ui.scanner/.classpath

@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <classpath>
+	<classpathentry exported="true" kind="lib" path="lib/freemarker-gae-2.3.20.jar"/>
 	<classpathentry kind="con" path="org.eclipse.pde.core.requiredPlugins"/>
 	<classpathentry kind="src" path="src"/>
-	<classpathentry kind="lib" path="lib/freemarker.jar"/>
 	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER"/>
 	<classpathentry kind="output" path="bin"/>
 </classpath>

platform/com.subgraph.vega.ui.scanner/META-INF/MANIFEST.MF

@@ -33,5 +33,5 @@ Import-Package: com.subgraph.vega.api.events,
  org.eclipse.ui.forms,
  org.eclipse.ui.forms.widgets
 Bundle-ClassPath: .,
- lib/freemarker.jar
+ lib/freemarker-gae-2.3.20.jar
 Export-Package: com.subgraph.vega.ui.scanner

platform/com.subgraph.vega.ui.scanner/build.properties

@@ -3,5 +3,6 @@ output.. = bin/
 bin.includes = META-INF/,\
                .,\
                plugin.xml,\
-               lib/,\
-               icons/
+               icons/,\
+               lib/freemarker-gae-2.3.20.jar
+

platform/com.subgraph.vega.ui.web/META-INF/MANIFEST.MF

@@ -10,7 +10,7 @@ Require-Bundle: org.eclipse.ui,
 Bundle-RequiredExecutionEnvironment: JavaSE-1.7,
  JavaSE-1.6
 Bundle-ActivationPolicy: lazy
-Import-Package: com.google.common.collect;version="1.6.0",
+Import-Package: com.google.common.collect,
  com.subgraph.vega.api.crawler,
  com.subgraph.vega.api.events,
  com.subgraph.vega.api.model,

scripts/scanner/modules/injection/cross-domain-policy-audit.js

@@ -11,7 +11,17 @@ function initialize(ctx) {
 }
 
 function process(req, res, ctx) {
-  ctx.responseChecks(req, res);
+	if (ctx.hasModuleFailed()) return;
+
+  if (res.fetchFail) {
+    ctx.error(req, res, "During cross-domain policy auditor checks");
+    ctx.setModuleFailed();
+    return;
+  }
+
+  if (ctx.allResponsesReceived()) {
+    ctx.responseChecks(req, res);
+  }
 }