Merge pull request #19 from kenjoe41/patch-1

Load hashes.json properly.

.whitesource

@@ -1,8 +0,0 @@
-{
-  "generalSettings": {
-    "shouldScanRepo": true
-  },
-  "checkRunSettings": {
-    "vulnerableCheckRunConclusionLevel": "failure"
-  }
-}

bolt.py

@@ -13,17 +13,19 @@ banner()
 
 try:
     import concurrent.futures
-    try:
+    from pathlib import Path
-        from fuzzywuzzy import fuzz, process
-    except:
-        import os
-        print ('%s fuzzywuzzy library is not installed, installing now.' % info)
-        os.system('pip3 install fuzzywuzzy')
-        print ('%s fuzzywuzzy has been installed, please restart Bolt.' % info)
-        quit()
 except:
     print ('%s Bolt is not compatible with python 2. Please run it with python 3.' % bad)
 
+try:
+    from fuzzywuzzy import fuzz, process
+except:
+    import os
+    print ('%s fuzzywuzzy library is not installed, installing now.' % info)
+    os.system('pip3 install fuzzywuzzy')
+    print ('%s fuzzywuzzy has been installed, please restart Bolt.' % info)
+    quit()
+
 import argparse
 import json
 import random
@@ -110,8 +112,10 @@ if len(uniqueTokens) < len(allTokens):
     print ('%s Potential Replay Attack condition found' % good)
     print ('%s Verifying and looking for the cause' % run)
     replay = False
-    for url, token in tokenDatabase:
+    for each in tokenDatabase:
-        for url2, token2 in tokenDatabase:
+        url, token = next(iter(each.keys())), next(iter(each.values()))
+        for each2 in tokenDatabase:
+            url2, token2 = next(iter(each2.keys())), next(iter(each2.values()))
             if token == token2 and url != url2:
                 print ('%s The same token was used on %s%s%s and %s%s%s' %
                        (good, green, url, end, green, url2, end))
@@ -119,7 +123,8 @@ if len(uniqueTokens) < len(allTokens):
     if not replay:
         print ('%s Further investigation shows that it was a false positive.')
 
-with open('./db/hashes.json') as f:
+p = Path(__file__).parent.joinpath('db/hashes.json')
+with p.open('r') as f:
     hashPatterns = json.load(f)
 
 if not allTokens:
@@ -203,7 +208,7 @@ def extractForms(url):
         inputs = each['inputs']
         for inp in inputs:
             value = inp['value']
-            if value and match(r'^[\w\-_]+$', value):
+            if value and re.match(r'^[\w\-_]+$', value):
                 if strength(value) > 10:
                     simTokens.append(value)
 
@@ -233,20 +238,19 @@ print (' %s Phase: Testing %s[%s5/6%s]%s' %
        (lightning, green, end, green, end))
 
 parsed = ''
+found = False
 print ('%s Finding a suitable form for further testing. It may take a while.' % run)
-for url, forms in allForms[0].items():
+for form_dict in allForms:
-    found = False
+    for url, forms in form_dict.items():
-    parsed = datanize(forms, tolerate=True)
+        parsed = datanize(forms, tolerate=True)
-    if parsed:
+        if parsed:
-        found = True
+            found = True
-        break
+            break
     if found:
         break
 
 if not parsed:
-    candidate = list(random.choice(tokenDatabase).keys())[0]
+    quit('%s No suitable form found for testing.' % bad)
-    parsed = datanize(candidate, headers, tolerate=True)
-    print (parsed)
 
 origGET = parsed[0]
 origUrl = parsed[1]

requirements.txt

@@ -2,3 +2,4 @@ numpy
 scipy
 requests
 fuzzywuzzy
+python-Levenshtein