Merge pull request #2429 from blacklanternsecurity/fix-condition-printing

Optimize --list-preset

Author: TheTechromancer

bbot/presets/web/lightfuzz-xss.yml

@@ -1,4 +1,5 @@
 description: Discover web parameters and lightly fuzz them, limited to just GET-based xss vulnerabilities. This is an example of a custom lightfuzz preset, selectively enabling a single lightfuzz module.
+
 modules:
   - httpx
   - lightfuzz

bbot/scanner/preset/path.py

@@ -6,6 +6,7 @@
 log = logging.getLogger("bbot.presets.path")
 
 DEFAULT_PRESET_PATH = Path(__file__).parent.parent.parent / "presets"
+DEFAULT_PRESET_PATH = DEFAULT_PRESET_PATH.expanduser().resolve()
 
 
 class PresetPath:
@@ -17,7 +18,7 @@ def __init__(self):
         self.paths = [DEFAULT_PRESET_PATH]
 
     def find(self, filename):
-        filename_path = Path(filename).resolve()
+        filename_path = Path(filename).expanduser().resolve()
         extension = filename_path.suffix.lower()
         file_candidates = set()
         extension_candidates = {".yaml", ".yml"}
@@ -29,16 +30,12 @@ def find(self, filename):
             file_candidates.add(f"{filename_path.stem}{ext}")
         file_candidates = sorted(file_candidates)
         file_candidates_str = ",".join([str(s) for s in file_candidates])
-        paths_to_search = self.paths
         if "/" in str(filename):
-            if filename_path.parent not in paths_to_search:
-                paths_to_search.append(filename_path.parent)
-        log.debug(
-            f"Searching for preset in {[str(p) for p in paths_to_search]}, file candidates: {file_candidates_str}"
-        )
-        for path in paths_to_search:
+            self.add_path(filename_path.parent)
+        log.debug(f"Searching for {file_candidates_str} in {[str(p) for p in self.paths]}")
+        for path in self.paths:
             for candidate in file_candidates:
-                for file in path.rglob(candidate):
+                for file in path.rglob(f"**/{candidate}"):
                     if file.is_file():
                         log.verbose(f'Found preset matching "{filename}" at {file}')
                         self.add_path(file.parent)
@@ -51,14 +48,19 @@ def __str__(self):
         return ":".join([str(s) for s in self.paths])
 
     def add_path(self, path):
-        path = Path(path).resolve()
+        path = Path(path).expanduser().resolve()
+        # skip if already in paths
         if path in self.paths:
             return
+        # skip if path is a subdirectory of any path in paths
         if any(path.is_relative_to(p) for p in self.paths):
             return
+        # skip if path is not a directory
         if not path.is_dir():
             log.debug(f'Path "{path.resolve()}" is not a directory')
             return
+        # preemptively remove any paths that are subdirectories of the new path
+        self.paths = [p for p in self.paths if not p.is_relative_to(path)]
         self.paths.append(path)
 
     def __iter__(self):

bbot/scanner/preset/preset.py

@@ -308,7 +308,7 @@ def blacklist(self):
 
     @property
     def preset_dir(self):
-        return self.bbot_home / "presets"
+        return (self.bbot_home / "presets").expanduser().resolve()
 
     @property
     def default_output_modules(self):
@@ -413,30 +413,32 @@ def bake(self, scan=None):
         self.log_debug("Getting baked")
         # create a copy of self
         baked_preset = copy(self)
-        baked_preset.scan = scan
+
         # copy core
         baked_preset.core = self.core.copy()
-        # copy module loader
-        baked_preset._module_loader = self.module_loader.copy()
-        # prepare os environment
-        os_environ = baked_preset.environ.prepare()
-        # find and replace preloaded modules with os environ
-        # this is different from the config variable substitution because it modifies
-        #  the preloaded modules, i.e. their ansible playbooks
-        baked_preset.module_loader.find_and_replace(**os_environ)
-        # update os environ
-        os.environ.clear()
-        os.environ.update(os_environ)
 
-        # validate flags, config options
-        baked_preset.validate()
+        if scan is not None:
+            baked_preset.scan = scan
+            # copy module loader
+            baked_preset._module_loader = self.module_loader.copy()
+            # prepare os environment
+            os_environ = baked_preset.environ.prepare()
+            # find and replace preloaded modules with os environ
+            # this is different from the config variable substitution because it modifies
+            #  the preloaded modules, i.e. their ansible playbooks
+            baked_preset.module_loader.find_and_replace(**os_environ)
+            # update os environ
+            os.environ.clear()
+            os.environ.update(os_environ)
+
+            # assign baked preset to our scan
+            scan.preset = baked_preset
 
         # validate log level options
         baked_preset.apply_log_level(apply_core=scan is not None)
 
-        # assign baked preset to our scan
-        if scan is not None:
-            scan.preset = baked_preset
+        # validate flags, config options
+        baked_preset.validate()
 
         # now that our requirements / exclusions are validated, we can start enabling modules
         # enable scan modules
@@ -483,15 +485,19 @@ def bake(self, scan=None):
         from bbot.scanner.target import BBOTTarget
 
         baked_preset._target = BBOTTarget(
-            *list(self._seeds), whitelist=self._whitelist, blacklist=self._blacklist, strict_scope=self.strict_scope
+            *list(self._seeds),
+            whitelist=self._whitelist,
+            blacklist=self._blacklist,
+            strict_scope=self.strict_scope,
         )
 
-        # evaluate conditions
-        if baked_preset.conditions:
-            from .conditions import ConditionEvaluator
+        if scan is not None:
+            # evaluate conditions
+            if baked_preset.conditions:
+                from .conditions import ConditionEvaluator
 
-            evaluator = ConditionEvaluator(baked_preset)
-            evaluator.evaluate()
+                evaluator = ConditionEvaluator(baked_preset)
+                evaluator.evaluate()
 
         self._baked = True
         return baked_preset
@@ -562,6 +568,12 @@ def strict_scope(self):
         return self.scope_config.get("strict", False)
 
     def apply_log_level(self, apply_core=False):
+        """
+        Apply the log level to the preset.
+
+        Args:
+            apply_core (bool, optional): If True, apply the log level to the core logger.
+        """
         # silent takes precedence
         if self.silent:
             self.verbose = False
@@ -920,20 +932,17 @@ def all_presets(self):
         """
         Recursively find all the presets and return them as a dictionary
         """
-        preset_dir = self.preset_dir
-        home_dir = Path.home()
-
         # first, add local preset dir to PRESET_PATH
         PRESET_PATH.add_path(self.preset_dir)
 
         # ensure local preset directory exists
-        mkdir(preset_dir)
+        mkdir(self.preset_dir)
 
         global DEFAULT_PRESETS
         if DEFAULT_PRESETS is None:
             presets = {}
-            for ext in ("yml", "yaml"):
-                for preset_path in PRESET_PATH:
+            for preset_path in PRESET_PATH:
+                for ext in ("yml", "yaml"):
                     # for every yaml file
                     for original_filename in preset_path.rglob(f"**/*.{ext}"):
                         # not including symlinks
@@ -957,18 +966,14 @@ def all_presets(self):
 
                         local_preset = original_filename
                         # populate symlinks in local preset dir
-                        if not original_filename.is_relative_to(preset_dir):
+                        if not original_filename.is_relative_to(self.preset_dir):
                             relative_preset = original_filename.relative_to(preset_path)
-                            local_preset = preset_dir / relative_preset
+                            local_preset = self.preset_dir / relative_preset
                             mkdir(local_preset.parent, check_writable=False)
                             if not local_preset.exists():
                                 local_preset.symlink_to(original_filename)
 
-                        # collapse home directory into "~"
-                        if local_preset.is_relative_to(home_dir):
-                            local_preset = Path("~") / local_preset.relative_to(home_dir)
-
-                        presets[local_preset] = (loaded_preset, category, preset_path, original_filename)
+                        presets[local_preset.stem] = (loaded_preset, category, preset_path, original_filename)
 
             # sort by name
             DEFAULT_PRESETS = dict(sorted(presets.items(), key=lambda x: x[-1][0].name))

bbot/scripts/docs.py

@@ -198,15 +198,15 @@ def update_individual_module_options():
     update_md_files("BBOT PRESETS", bbot_presets_table)
 
     # BBOT presets
-    for yaml_file, (loaded_preset, category, preset_path, original_filename) in DEFAULT_PRESET.all_presets.items():
+    for _, (loaded_preset, category, preset_path, original_filename) in DEFAULT_PRESET.all_presets.items():
         preset_yaml = f"""
-```yaml title={yaml_file.name}
+```yaml title={preset_path.name}
 {loaded_preset._yaml_str}
 ```
 """
         preset_yaml_expandable = f"""
 <details>
-<summary><b><code>{yaml_file.name}</code></b></summary>
+<summary><b><code>{preset_path.name}</code></b></summary>
 
 ```yaml
 {loaded_preset._yaml_str}
@@ -218,11 +218,11 @@ def update_individual_module_options():
         update_md_files(f"BBOT {loaded_preset.name.upper()} PRESET EXPANDABLE", preset_yaml_expandable)
 
     content = []
-    for yaml_file, (loaded_preset, category, preset_path, original_filename) in DEFAULT_PRESET.all_presets.items():
+    for _, (loaded_preset, category, preset_path, original_filename) in DEFAULT_PRESET.all_presets.items():
         yaml_str = loaded_preset._yaml_str
         indent = " " * 4
         yaml_str = f"\n{indent}".join(yaml_str.splitlines())
-        filename = homedir_collapseuser(yaml_file)
+        filename = homedir_collapseuser(preset_path)
 
         num_modules = len(loaded_preset.scan_modules)
         modules = ", ".join(sorted([f"`{m}`" for m in loaded_preset.scan_modules]))