Merge pull request #4 from Escape-Technologies/feat/wordlist-conforms…

…-to-name feat: jamboro fixes issue 11
Escape-Technologies · Feb 14, 2023 · 6d29060 · 6d29060
2 parents 91dda68 + e1c7140
commit 6d29060
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 3 deletions.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -28,7 +28,9 @@ jobs:
 
     steps:
     - uses: actions/checkout@v3
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v4
+      with:
+        python-version: '3.10'
     - name: Install dependencies
       run: |
         pip install poetry
@@ -47,7 +49,9 @@ jobs:
 
     steps:
     - uses: actions/checkout@v3
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v4
+      with:
+        python-version: '3.10'
     - name: Install dependencies
       run: |
         pip install poetry
@@ -89,7 +93,9 @@ jobs:
     if: false
     steps:
     - uses: actions/checkout@v3
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v4
+      with:
+        python-version: '3.10'
     - name: Install dependencies
       run: |
         pip install poetry

diff --git a/clairvoyance/cli.py b/clairvoyance/cli.py
@@ -2,6 +2,7 @@
 import json
 import logging
 import os
+import re
 import sys
 from typing import Dict, List, Optional
 
@@ -119,6 +120,15 @@ def cli(argv: Optional[List[str]] = None) -> None:
     wordlist = []
     if args.wordlist:
         wordlist = [w.strip() for w in args.wordlist.readlines() if w.strip()]
+        # de-dupe the wordlist.
+        wordlist = list(set(wordlist))
+
+    # remove wordlist items that don't conform to graphQL regex github-issue #11
+    if args.validate:
+        wordlist_parsed = [w for w in wordlist if re.match(r'[_A-Za-z][_0-9A-Za-z]*', w)]
+        logging.info(f'Removed {len(wordlist) - len(wordlist_parsed)} items from Wordlist, to conform to name regex. '
+                     f'https://spec.graphql.org/June2018/#sec-Names')
+        wordlist = wordlist_parsed
 
     asyncio.run(
         blind_introspection(

diff --git a/clairvoyance/utils.py b/clairvoyance/utils.py
@@ -67,6 +67,12 @@ def parse_args(args: List[str]) -> argparse.Namespace:
         type=argparse.FileType('r'),
         help='This wordlist will be used for all brute force effots (fields, arguments and so on)',
     )
+    parser.add_argument(
+        '-wv',
+        '--validate',
+        action='store_true',
+        help='Validate the wordlist items match name Regex',
+    )
     parser.add_argument(
         '-x',
         '--proxy',

diff --git a/tests/data/wordlist-for-apollo-server.txt b/tests/data/wordlist-for-apollo-server.txt
@@ -1,3 +1,4 @@
+123BAD
 booktrips
 boolean
 canceltrip

diff --git a/tests/system.py b/tests/system.py
@@ -28,6 +28,7 @@ def setUpClass(cls) -> None:
                 'clairvoyance',
                 '-o',
                 output_file,
+                '-wv',
                 '-w',
                 'tests/data/wordlist-for-apollo-server.txt',
                 f'http://localhost:{cls.port}',
@@ -56,6 +57,9 @@ def get_type(self, name: str) -> Optional[Dict[str, Any]]:
 
         return None
 
+    def test_validate_wordlist(self):
+        self.assertIn(b'Removed 1 items from Wordlist', self.clairvoyance.stderr)
+
     def test_found_root_type_names(self) -> None:
         self.assertEqual(self.schema['queryType'], {'name': 'Query'})
         self.assertEqual(self.schema['mutationType'], {'name': 'Mutation'})