Merge pull request #11 from vvMelody/develop

Improve code quality

core/requester.py

@@ -13,7 +13,8 @@ headers = {
 }
 
 def requester(url, scheme, origin):
-	headers['Origin'] = scheme + origin
+
-	response = requests.get(url, headers=headers, verify=False).headers
+    headers['Origin'] = scheme + origin
-	if 'Access-Control-Allow-Origin' in response:
+    response = requests.get(url, headers=headers, verify=False).headers
-		return response['Access-Control-Allow-Origin']
+    return response.get('Access-Control-Allow-Origin', None)
+

core/tests.py

@@ -3,57 +3,57 @@ import time
 from core.utils import host
 from core.requester import requester
 
+
 def passive_tests(url, acao_header):
-	root = host(url)
+    root = host(url)
-	if acao_header == '*':
+    if acao_header == '*':
-		return 'Wildcard value'
+        return 'Wildcard value'
-	if root:
+    if root:
-		if root != host(acao_header):
+        if root != host(acao_header):
-			print(acao_header)
+            print(acao_header)
-			return 'Third party allowed'
+            return 'Third party allowed'
-		elif url.startswith('http://'):
+        elif url.startswith('http://'):
-			return 'HTTP origin allowed'
+            return 'HTTP origin allowed'
-		else:
+        else:
-			return False
+            return None
-	else:
+    else:
-		return 'Invalid value'
+        return 'Invalid value'
 
 def active_tests(url, root, scheme, delay):
-	acao_header = requester(url, scheme, 'example.com')
+    acao_header = requester(url, scheme, 'example.com')
-	if acao_header:
+    if acao_header and acao_header == (scheme + 'example.com'):
-		if acao_header == (scheme + 'example.com'):
+            return 'Origin reflected'
-			return 'Origin reflected'
+    time.sleep(delay)
-	time.sleep(delay)
+
-	acao_header = requester(url, scheme, root + '.example.com')
+    acao_header = requester(url, scheme, root + '.example.com')
-	if acao_header:
+    if acao_header and acao_header == (scheme + root + '.example.com'):
-		if acao_header == (scheme + root + '.example.com'):
+            return 'Post-domain wildcard'
-			return 'Post-domain wildcard'
+    time.sleep(delay)
-	time.sleep(delay)
+
-	acao_header = requester(url, scheme, 'd3v' + root)
+    acao_header = requester(url, scheme, 'd3v' + root)
-	if acao_header:
+    if acao_header and acao_header == (scheme + 'd3v' + root):
-		if acao_header == (scheme + 'd3v' + root):
+            return 'Pre-domain wildcard'
-			return 'Pre-domain wildcard'
+    time.sleep(delay)
-	time.sleep(delay)
+
-	acao_header = requester(url, '', 'null')
+    acao_header = requester(url, '', 'null')
-	if acao_header:
+    if acao_header and acao_header == 'null':
-		if acao_header == 'null':
+            return 'Null origin allowed'
-			return 'Null origin allowed'
+    time.sleep(delay)
-	time.sleep(delay)
+
-	acao_header = requester(url, scheme, root + '%60.example.com')
+    acao_header = requester(url, scheme, root + '%60.example.com')
-	if acao_header:
+    if acao_header and '`.example.com' in acao_header:
-		if '`.example.com' in acao_header:
+            return 'Broken parser'
-			return 'Broken parser'
+
-	if root.count('.') > 1:
+    if root.count('.') > 1:
-		time.sleep(delay)
+        time.sleep(delay)
-		spoofed_root = root.replace('.', 'x', 1)
+        spoofed_root = root.replace('.', 'x', 1)
-		acao_header = requester(url, scheme, spoofed_root)
+        acao_header = requester(url, scheme, spoofed_root)
-		if acao_header:
+        if acao_header and host(acao_header) == spoofed_root:
-			if host(acao_header) == spoofed_root:
+                return 'Unescaped regex'
-				return 'Unescaped regex'
+        time.sleep(delay)
-		time.sleep(delay)
+
-	acao_header = requester(url, 'http', root)
+    acao_header = requester(url, 'http', root)
-	if acao_header:
+    if acao_header and acao_header.startswith('http://'):
-		if acao_header.startswith('http://'):
+        return 'HTTP origin allowed'
-			return 'HTTP origin allowed'
+    else:
-		else:
+        return passive_tests(url, acao_header)
-			return passive_tests(url, acao_header)

core/utils.py

@@ -1,17 +1,11 @@
 import tld
 import json
 
-def load_file(path):
-    with open(path, 'r') as f:
-        result = [line.rstrip('\n').encode('utf-8').decode('utf-8') for line in f]
-    return '\n'.join(result)
 
 def host(string):
-	if string and '*' not in string:
+    if string and '*' not in string:
-		try:
+        return tld.get_fld(string, fix_protocol=True, fail_silently=True)
-			return tld.get_fld(string, fix_protocol=True)
-		except:
-			return False
 
 def load_json(file):
-	return json.loads(load_file('./db/details.json'))
+    with open(file) as f:
+        return json.load(f)

corsy.py

@@ -30,8 +30,7 @@ def cors(target, delay, scheme=False):
 		url = scheme + '://' + url
 	root = host(url)
 	parsed = urlparse(url)
-	netloc = parsed.netloc
+	netloc, scheme = parsed.netloc, parsed.scheme
-	scheme = parsed.scheme
 	url = scheme + '://' + netloc
 	active = active_tests(url, root, scheme, delay)
 	return active