Merge pull request #64 from theMiddleBlue/v2.3/master

theMiddleBlue · web-flow · commit 24cbf80b952c · 2018-12-20T12:14:55.000+01:00
Improve regex filters
diff --git a/functions_nmap.py b/functions_nmap.py
@@ -38,7 +38,7 @@ def nmap_scaninfo(request):
 
 def nmap_newscan(request):
 	if request.method == "POST":
-		if(re.search('^[a-zA-Z0-9\_\-\.]+$', request.POST['filename']) and not (re.search('[\||\;|\&}]', request.POST['params']) or re.search('[\||\;|\&}]', request.POST['target']))):
+		if(re.search('^[a-zA-Z0-9\_\-\.]+$', request.POST['filename']) and re.search('^[a-zA-Z0-9\-\.\:\=\s]+$', request.POST['params']) and re.search('^[a-zA-Z0-9\-\.\:]+$', request.POST['target'])):
 			res = {'p':request.POST}
 			os.popen('nmap '+request.POST['params']+' --script='+settings.BASE_DIR+'/nmapreport/nmap/nse/ -oX /tmp/'+request.POST['filename']+'.active '+request.POST['target']+' > /dev/null 2>&1 && '+
 			'sleep 10 && mv /tmp/'+request.POST['filename']+'.active /opt/xml/'+request.POST['filename']+' &')
@@ -51,3 +51,6 @@ def nmap_newscan(request):
 				file.write(json.dumps(schedobj, indent=4))
 
 			return HttpResponse(json.dumps(res, indent=4), content_type="application/json")
+		else:
+			res = {'error':'invalid syntax'}
+			return HttpResponse(json.dumps(res, indent=4), content_type="application/json")
diff --git a/static/async.js b/static/async.js
@@ -193,7 +193,6 @@ function newscan() {
 
 function startscan() {
 	$('#modal1').modal('close');
-	swal("Started", "Your new Nmap scan is running...", "success");
 	csrftoken = $('input[name="csrfmiddlewaretoken"]').val();
 	$.post('/api/v1/nmap/scan/new', {
 		'csrfmiddlewaretoken': csrftoken,
@@ -203,7 +202,11 @@ function startscan() {
 		'schedule': $('#schedule').prop('checked'),
 		'frequency': $('#frequency').val(),
 	}).done(function(d) {
-		console.log(d);
+		if(typeof(d['error']) != 'undefined') {
+			swal("Error", "Invalid syntax or disallowed characters", "error");
+		} else {
+			swal("Started", "Your new Nmap scan is running...", "success");
+		}
 	});
 }
 
