24 Commits

Author SHA1 Message Date
Hadi 5841ed0a95 Allow user to "edit" response in replay: allow vim navigation & filters
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-21 14:41:17 +02:00
Hadi 9cabe81771 Edit descriptions & create_findings
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-21 10:28:52 +02:00
Hadi 021090f52c init send_request func for plugins
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-21 10:21:37 +02:00
Hadi 0b9e1a1cf0 Change default plugin's config in global config
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-21 09:54:57 +02:00
Hadi f60cdf2033 Delete all except flagged entries
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-21 09:34:52 +02:00
Hadi 6af1388652 init match & replace plugin
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 20:25:01 +02:00
Hadi a708830309 give the set_path et set_url fonction to plugins
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 19:31:44 +02:00
Hadi 44b3c67a37 +stylua
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 19:31:31 +02:00
Hadi 6e673f5c11 v0.0.6
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 15:12:25 +02:00
Hadi 2c63cdbeff Edit plugins id & docs
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 15:09:09 +02:00
Hadi 0e982c6ade add pages "update" label
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 14:49:01 +02:00
Hadi 04ba32cbd5 order by asc
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 14:48:34 +02:00
Hadi f7e9da94cc Add scroll icon on viewports
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 14:36:27 +02:00
Hadi 9253d85c81 init faq.md
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 13:42:02 +02:00
Hadi 1bb547870e add "temp" for temporary projects
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 13:39:11 +02:00
Hadi 4251e4fb2a plugin's config is now in yaml
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 11:43:26 +02:00
Hadi b547a79d6e add trufflehog to dev deps
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 10:53:42 +02:00
Hadi fe58468abf add direnv
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 10:45:38 +02:00
Hadi 3542098905 add gomod2nix.toml
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 10:35:48 +02:00
Hadi f78b3f7174 Move pre-commit hooks to nix
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 10:33:16 +02:00
Hadi 722021ba02 merge plugins & docs embed
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 10:27:47 +02:00
Hadi e18f660e83 move the goreleaser config
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 10:27:35 +02:00
Hadi 67fe8eb911 fix: log silent errors, harden proxy auth, optimize db and render pipeline
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 10:19:37 +02:00
Hadi af872afbe8 gofmt
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-19 23:09:00 +02:00
57 changed files with 1620 additions and 604 deletions
+1
View File
@@ -0,0 +1 @@
use flake
+1 -1
View File
@@ -23,6 +23,6 @@ jobs:
- uses: goreleaser/goreleaser-action@v6 - uses: goreleaser/goreleaser-action@v6
with: with:
version: "~> v2" version: "~> v2"
args: release --clean args: release --clean --config .github/.goreleaser.yaml
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+1
View File
@@ -1,3 +1,4 @@
.claude/ .claude/
CLAUDE.md CLAUDE.md
result/ result/
.pre-commit-config.yaml
-6
View File
@@ -1,6 +0,0 @@
package spilltea
import "embed"
//go:embed docs
var DocsFS embed.FS
+27
View File
@@ -0,0 +1,27 @@
## How do I convert a temporary session into a regular project?
Temporary sessions are stored under `/tmp/spilltea/<random-id>/` and will be lost on reboot. To keep the data, move the directory into the Spilltea projects folder and give it a name.
**1. Find the temporary session directory**
```bash
ls /tmp/spilltea/
```
You will see one or more directories with a random hex name (e.g. `a1b2c3d4`).
**2. Move it to the projects folder**
```bash
mv /tmp/spilltea/<random-id> ~/.local/share/spilltea/<project-name>
```
The project name must only contain lowercase letters, digits, `-`, and `_`.
**3. Open the project**
```bash
spilltea -P my-project
```
Or simply launch Spilltea and pick `my-project` from the project list.
+74 -48
View File
@@ -1,5 +1,7 @@
# Plugins # Plugins
> **Warning:** Plugins can execute arbitrary shell commands, read and write files via `shell_pipe`, and access all intercepted traffic. Only load plugins you trust and have reviewed. You are solely responsible for the plugins you run.
Spilltea supports Lua plugins that can intercept, modify, and analyze HTTP traffic. Spilltea supports Lua plugins that can intercept, modify, and analyze HTTP traffic.
You can found some pre-built plugins [here](../../plugins/). You can found some pre-built plugins [here](../../plugins/).
@@ -32,13 +34,13 @@ Plugin = {
### Hook reference ### Hook reference
| Hook | When called | Sync/async | Return value | | Hook | When called | Sync/async | Return value |
| ------------------------- | ------------------------------------- | ------------ | ----------------------------------------------- | | ------------------------- | ------------------------------------- | ------------ | ----------------------------------------------------------------------------------------- |
| `on_config(config_text)` | At startup and on config save | always sync | ignored | | `on_config()` | At startup and on config save | always sync | ignored |
| `on_start()` | Once at startup, after `on_config` | configurable | `false` to self-disable the plugin, otherwise ignored | | `on_start()` | Once at startup, after `on_config` | configurable | `false` to self-disable the plugin, otherwise ignored |
| `on_quit()` | When the app exits | always sync | ignored | | `on_quit()` | When the app exits | always sync | ignored |
| `on_request(req)` | Every request, before auto-forward | configurable | `"drop"`, `"forward"`, or `nil` (sync only) | | `on_request(req)` | Every request, before auto-forward | configurable | `"drop"`, `"forward"`, or `nil` (nil does nothing and le the user/TUI choose) (sync only) |
| `on_response(req, res)` | Every response | configurable | `"drop"`, `"forward"`, or `nil` (sync only) | | `on_response(req, res)` | Every response | configurable | `"drop"`, `"forward"`, or `nil` (nil does nothing and le the user/TUI choose) (sync only) |
| `on_history_entry(entry)` | Sync: before DB insert / Async: after | configurable | `"skip"` (don't save), `"keep"` or `nil` (save) -- sync only | | `on_history_entry(entry)` | Sync: before DB insert / Async: after | configurable | `"skip"` (don't save), `"keep"` or `nil` (save) (sync only) |
## Request and response objects ## Request and response objects
@@ -120,17 +122,77 @@ if err then
else else
log("output: " .. out) log("output: " .. out)
end end
-- Send an HTTP request directly (bypasses the proxy pipeline and other plugins).
-- method: HTTP method ("GET", "POST", etc.)
-- url: full URL to request
-- headers: table of request headers (optional, pass {} if unused)
-- body: request body string (optional, pass "" if unused)
-- options: optional table of options:
-- insecure = true skip TLS certificate verification
-- Returns: response table, error string (nil on success).
local res, err = send_request("POST", "https://example.com/api", {
["Authorization"] = "Bearer " .. token,
["Content-Type"] = "application/json",
}, '{"key":"value"}', { insecure = true })
if err then
log("request failed: " .. err)
else
log(tostring(res.status_code))
log(res.body)
log(res.headers["Content-Type"] or "")
end
-- Return the plugin's config section as a Lua table (parsed from YAML).
-- Returns an empty table if no config is set.
local cfg = get_config()
``` ```
### Finding deduplication ### Finding deduplication
A finding is identified by `(plugin_name, key)`. If a finding with that pair already exists in the database it will **not** be re-created, even across restarts. If the user **dismisses** a finding it is permanently hidden and will never reappear, even if the plugin generates it again. A finding is identified by `(plugin_name, key)`. If a finding with that pair already exists in the database it will **not** be re-created, even across restarts.
If the user **dismisses** a finding it is permanently hidden and will never reappear, even if the plugin generates it again.
## Configuration ## Configuration
Each plugin gets a **config textarea** on the Plugins page. The raw text is passed as-is to `on_config(config_text)`. Parse it however you like (line by line, key=value, JSON, etc.). Plugin configuration is stored in a `plugins.yaml` file alongside the project database.
Each plugin is keyed by its filename (without the `.lua` extension) and has an `enable` toggle and an optional `config` block (arbitrary YAML).
`on_config` is called once at startup (before `on_start`) and again every time the user saves the config in the UI. ```yaml
plugins:
my_plugin:
enable: true
config:
some_key: some_value
list:
- item1
- item2
other_plugin:
enable: false
```
The config block is edited from the **Plugins** page in the TUI.
Inside a plugin, call `get_config()` to retrieve the config as a Lua table.
Global defaults for any plugin can be set in `~/.config/spilltea/config.yaml` under a `plugins` key with the same structure as `plugins.yaml`.
These defaults are applied the first time a plugin is loaded in a project; once the plugin has an entry in the project's `plugins.yaml`, the project config takes full precedence and the global defaults are ignored.
`on_config()` is called once at startup (before `on_start`) and again every time the user saves the config in the TUI.
It is the right place to read `get_config()` and populate local variables.
```lua
local items = {}
function on_config()
items = {}
local cfg = get_config()
if cfg and cfg.list then
for _, v in ipairs(cfg.list) do
table.insert(items, v)
end
end
end
```
## Sync vs async ## Sync vs async
@@ -139,49 +201,13 @@ Each plugin gets a **config textarea** on the Plugins page. The raw text is pass
`on_config` and `on_quit` are always synchronous regardless of the Plugin table declaration. `on_config` and `on_quit` are always synchronous regardless of the Plugin table declaration.
### Return values for sync hooks Sync `on_history_entry` runs **before** the DB insert, so it can prevent an entry from ever appearing in history.
Async `on_history_entry` runs **after** the insert and cannot affect it.
**`on_start`:**
| Return value | Effect |
| ------------ | -------------------------------------------------------------------------------------------- |
| `false` | The plugin is disabled immediately and the state is persisted (equivalent to toggling it off). |
| anything else | Ignored. |
This is useful for prerequisite checks (binary not found, config invalid, etc.) so the plugin does not silently run in a broken state:
```lua
function on_start()
local h = io.popen("command -v mytool 2>/dev/null")
local result = h and h:read("*a") or ""
if h then h:close() end
if result:match("^%s*$") then
notif("MyPlugin", "mytool not found, plugin disabled", "error")
return false
end
end
```
**`on_request` and `on_response`:**
| Return value | Effect |
| ------------ | --------------------------------------------------------------------------------- |
| `"drop"` | The flow is dropped immediately and never shown in the intercept panel. |
| `"forward"` | The flow is forwarded immediately without going through the intercept panel. |
| `nil` | Normal behaviour: the flow appears in the intercept panel for the user to decide. |
**`on_history_entry` (sync only):**
| Return value | Effect |
| ----------------- | --------------------------------- |
| `"skip"` | The entry is not saved to the DB. |
| `"keep"` or `nil` | The entry is saved normally. |
Sync `on_history_entry` runs **before** the DB insert, so it can prevent an entry from ever appearing in history. Async `on_history_entry` runs **after** the insert and cannot affect it.
## Priority ## Priority
Plugins with a higher `priority` value run before plugins with a lower value (default `0`). This matters for sync hooks that return a decision: the first plugin to return a non-nil value short-circuits the remaining plugins. Plugins with a higher `priority` value run before plugins with a lower value (default `0`).
This matters for sync hooks that return a decision: the first plugin to return a non-nil value short-circuits the remaining plugins.
```lua ```lua
Plugin = { Plugin = {
Generated
+115
View File
@@ -1,5 +1,103 @@
{ {
"nodes": { "nodes": {
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1767039857,
"narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
"owner": "NixOS",
"repo": "flake-compat",
"rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"git-hooks": {
"inputs": {
"flake-compat": "flake-compat",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1778507602,
"narHash": "sha256-kTwur1wV+01SdqskVMSo6JMEpg71ps3HpbFY2GsflKs=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "61ab0e80d9c7ab14c256b5b453d8b3fb0189ba0a",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gomod2nix": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1770585520,
"narHash": "sha256-yBz9Ozd5Wb56i3e3cHZ8WcbzCQ9RlVaiW18qDYA/AzA=",
"owner": "nix-community",
"repo": "gomod2nix",
"rev": "1201ddd1279c35497754f016ef33d5e060f3da8d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "gomod2nix",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1777954456, "lastModified": 1777954456,
@@ -18,8 +116,25 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"git-hooks": "git-hooks",
"gomod2nix": "gomod2nix",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
} }
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",
+21 -35
View File
@@ -1,55 +1,41 @@
{ {
description = "Spilltea: A minimal, terminal-based HTTP(S) proxy for pentesters and CTF players."; description = "Spilltea: A minimal, terminal-based HTTP(S) proxy for pentesters and CTF players.";
inputs = {nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";}; inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
gomod2nix = {
url = "github:nix-community/gomod2nix";
inputs.nixpkgs.follows = "nixpkgs";
};
git-hooks = {
url = "github:cachix/git-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { outputs = {
self, self,
nixpkgs, nixpkgs,
gomod2nix,
git-hooks,
}: let }: let
supportedSystems = ["x86_64-linux" "aarch64-linux"]; supportedSystems = ["x86_64-linux" "aarch64-linux"];
forAllSystems = f: forAllSystems = f:
nixpkgs.lib.genAttrs supportedSystems nixpkgs.lib.genAttrs supportedSystems
(system: f system (import nixpkgs {inherit system;})); (system: f system (import nixpkgs {inherit system;}));
pname = "spilltea";
version = "0.0.5";
ldflags = ["-s" "-w" "-X main.version=${version}"];
in { in {
packages = forAllSystems (system: pkgs: let packages = forAllSystems (system: pkgs:
pkg = pkgs.buildGoModule { import ./nix/package.nix {
inherit pname version ldflags; inherit pkgs;
buildGoApplication = gomod2nix.legacyPackages.${system}.buildGoApplication;
src = ./.;
outputs = ["out"];
vendorHash = "sha256-1iPwFsyzdonak9EWMRnudwcCQZfI+Uvre38+puG4s0s=";
meta = with pkgs.lib; {
description = "A minimal, terminal-based HTTP(S) proxy for pentesters and CTF players.";
homepage = "https://github.com/anotherhadi/spilltea";
platforms = platforms.unix;
};
};
in {
"${pname}" = pkg;
default = pkg;
}); });
devShells = forAllSystems (system: pkgs: { devShells = forAllSystems (system: pkgs: {
default = pkgs.mkShell { default = import ./nix/shell.nix {
packages = with pkgs; [ inherit pkgs;
go gitHooksLib = git-hooks.lib.${system};
python3 gomod2nixPkgs = gomod2nix.legacyPackages.${system};
lefthook
doctoc
];
shellHook = ''
lefthook install
'';
}; };
}); });
}; };
+9 -1
View File
@@ -41,6 +41,7 @@ type Config struct {
DefaultInterceptEnabled bool `mapstructure:"default_intercept_enabled"` DefaultInterceptEnabled bool `mapstructure:"default_intercept_enabled"`
DefaultCaptureResponse bool `mapstructure:"default_capture_response"` DefaultCaptureResponse bool `mapstructure:"default_capture_response"`
AutoForwardRegex []string `mapstructure:"auto_forward_regex"` AutoForwardRegex []string `mapstructure:"auto_forward_regex"`
QueueSize int `mapstructure:"queue_size"`
} `mapstructure:"intercept"` } `mapstructure:"intercept"`
Replay struct { Replay struct {
@@ -53,6 +54,13 @@ type Config struct {
} `mapstructure:"history"` } `mapstructure:"history"`
Keybindings Keybindings `mapstructure:"keybindings"` Keybindings Keybindings `mapstructure:"keybindings"`
Plugins map[string]GlobalPlugin `mapstructure:"plugins"`
}
type GlobalPlugin struct {
Enable *bool `mapstructure:"enable"`
Config interface{} `mapstructure:"config"`
} }
var Global *Config var Global *Config
@@ -82,7 +90,7 @@ func WriteDefaultConfig(path string) error {
if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil { if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
return fmt.Errorf("create config dir: %w", err) return fmt.Errorf("create config dir: %w", err)
} }
if err := os.WriteFile(path, defaultConfig, 0o644); err != nil { if err := os.WriteFile(path, defaultConfig, 0o600); err != nil {
return fmt.Errorf("write config: %w", err) return fmt.Errorf("write config: %w", err)
} }
return nil return nil
+2 -1
View File
@@ -5,13 +5,14 @@ app:
project_dir: ~/.local/share/spilltea project_dir: ~/.local/share/spilltea
plugins_dir: ~/.config/spilltea/plugins plugins_dir: ~/.config/spilltea/plugins
upstream_proxy: "" # e.g. http://corporate-proxy:8888 or http://user:pass@host:8888 upstream_proxy: "" # e.g. http://corporate-proxy:8888 or http://user:pass@host:8888
proxy_auth: "" # require basic auth to use the proxy, format: user:pass (empty = disabled) proxy_auth: "" # require basic auth to use the proxy, format: user:pass (empty = disabled). Also run: chmod 600 ~/.config/spilltea/config.yaml
max_body_size_mb: 50 # max response body size read into memory for large streamed responses (MB) max_body_size_mb: 50 # max response body size read into memory for large streamed responses (MB)
external_editor: "" # override $EDITOR for external editing (e.g. nvim, code --wait) external_editor: "" # override $EDITOR for external editing (e.g. nvim, code --wait)
intercept: intercept:
default_intercept_enabled: true default_intercept_enabled: true
default_capture_response: false default_capture_response: false
queue_size: 64 # max pending intercepted requests/responses before the proxy blocks
auto_forward_regex: auto_forward_regex:
- '\.(js|css|png|gif|ico|woff2?|ttf|svg)(\?.*)?$' - '\.(js|css|png|gif|ico|woff2?|ttf|svg)(\?.*)?$'
+14 -6
View File
@@ -9,6 +9,7 @@ import (
type DB struct { type DB struct {
conn *sql.DB conn *sql.DB
roConn *sql.DB
path string path string
dedupMu sync.Mutex dedupMu sync.Mutex
} }
@@ -27,6 +28,17 @@ func Open(path string) (*DB, error) {
conn.Close() conn.Close()
return nil, err return nil, err
} }
roConn, err := sql.Open("sqlite", path)
if err != nil {
conn.Close()
return nil, err
}
if _, err := roConn.Exec("PRAGMA query_only=ON"); err != nil {
conn.Close()
roConn.Close()
return nil, err
}
d.roConn = roConn
return d, nil return d, nil
} }
@@ -60,12 +72,7 @@ CREATE TABLE IF NOT EXISTS replay_entries (
status_code INTEGER NOT NULL, status_code INTEGER NOT NULL,
error_msg TEXT NOT NULL error_msg TEXT NOT NULL
); );
CREATE TABLE IF NOT EXISTS plugins ( CREATE TABLE IF NOT EXISTS findings (
name TEXT PRIMARY KEY,
enabled INTEGER NOT NULL DEFAULT 1,
config_text TEXT NOT NULL DEFAULT ''
);
CREATE TABLE IF NOT EXISTS findings (
id INTEGER PRIMARY KEY AUTOINCREMENT, id INTEGER PRIMARY KEY AUTOINCREMENT,
plugin_name TEXT NOT NULL, plugin_name TEXT NOT NULL,
dedup_key TEXT NOT NULL, dedup_key TEXT NOT NULL,
@@ -94,6 +101,7 @@ func (d *DB) Close() error {
if d == nil { if d == nil {
return nil return nil
} }
_ = d.roConn.Close()
return d.conn.Close() return d.conn.Close()
} }
+24 -12
View File
@@ -4,6 +4,7 @@ import (
"crypto/sha256" "crypto/sha256"
"database/sql" "database/sql"
"fmt" "fmt"
"log"
"strings" "strings"
"time" "time"
) )
@@ -63,7 +64,11 @@ func (d *DB) InsertEntry(e Entry, body string) (Entry, error) {
if err != nil { if err != nil {
return e, err return e, err
} }
e.ID, _ = res.LastInsertId() var idErr error
e.ID, idErr = res.LastInsertId()
if idErr != nil {
log.Printf("db: LastInsertId: %v", idErr)
}
return e, nil return e, nil
} }
@@ -113,19 +118,11 @@ func (d *DB) SearchEntries(term string) ([]Entry, error) {
// QueryEntries runs a WHERE expression supplied by the user against the entries // QueryEntries runs a WHERE expression supplied by the user against the entries
// table (e.g. "status_code = 404" or "host LIKE '%example.com%'"). // table (e.g. "status_code = 404" or "host LIKE '%example.com%'").
// It opens a dedicated read-only connection so that any DML or DDL in the // Uses the persistent read-only connection (PRAGMA query_only=ON) so that any
// user-supplied expression is rejected by SQLite before it can execute. // DML or DDL in the user-supplied expression is rejected by SQLite before it executes.
func (d *DB) QueryEntries(where string) ([]Entry, error) { func (d *DB) QueryEntries(where string) ([]Entry, error) {
roConn, err := sql.Open("sqlite", d.path)
if err != nil {
return nil, err
}
defer roConn.Close()
if _, err := roConn.Exec("PRAGMA query_only=ON"); err != nil {
return nil, err
}
q := "SELECT id, timestamp, method, host, path, status_code, request_raw, response_raw, flagged FROM entries WHERE " + strings.TrimSpace(where) q := "SELECT id, timestamp, method, host, path, status_code, request_raw, response_raw, flagged FROM entries WHERE " + strings.TrimSpace(where)
rows, err := roConn.Query(q) rows, err := d.roConn.Query(q)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@@ -147,3 +144,18 @@ func (d *DB) DeleteAllEntries() error {
_, err := d.conn.Exec(`DELETE FROM entries`) _, err := d.conn.Exec(`DELETE FROM entries`)
return err return err
} }
// DeleteAllExceptFlagged deletes all unflagged entries. If there are no
// unflagged entries (only flagged ones remain), it deletes everything.
func (d *DB) DeleteAllExceptFlagged() error {
var count int
if err := d.conn.QueryRow(`SELECT COUNT(*) FROM entries WHERE flagged = 0`).Scan(&count); err != nil {
return err
}
if count > 0 {
_, err := d.conn.Exec(`DELETE FROM entries WHERE flagged = 0`)
return err
}
_, err := d.conn.Exec(`DELETE FROM entries`)
return err
}
+1 -1
View File
@@ -35,7 +35,7 @@ func (d *DB) UpsertFinding(f Finding) (bool, error) {
func (d *DB) LoadFindings() ([]Finding, error) { func (d *DB) LoadFindings() ([]Finding, error) {
rows, err := d.conn.Query( rows, err := d.conn.Query(
`SELECT id, plugin_name, dedup_key, title, description, severity, created_at `SELECT id, plugin_name, dedup_key, title, description, severity, created_at
FROM findings WHERE dismissed = 0 ORDER BY id DESC`, FROM findings WHERE dismissed = 0 ORDER BY id ASC`,
) )
if err != nil { if err != nil {
return nil, err return nil, err
-35
View File
@@ -1,35 +0,0 @@
package db
type PluginState struct {
Name string
Enabled bool
ConfigText string
}
func (d *DB) SavePluginState(name string, enabled bool, configText string) error {
_, err := d.conn.Exec(
`INSERT INTO plugins (name, enabled, config_text) VALUES (?, ?, ?)
ON CONFLICT(name) DO UPDATE SET enabled = excluded.enabled, config_text = excluded.config_text`,
name, enabled, configText,
)
return err
}
func (d *DB) LoadPluginStates() ([]PluginState, error) {
rows, err := d.conn.Query(`SELECT name, enabled, config_text FROM plugins`)
if err != nil {
return nil, err
}
defer rows.Close()
var out []PluginState
for rows.Next() {
var s PluginState
var enabled int
if err := rows.Scan(&s.Name, &enabled, &s.ConfigText); err != nil {
return nil, err
}
s.Enabled = enabled != 0
out = append(out, s)
}
return out, rows.Err()
}
+6 -2
View File
@@ -58,9 +58,13 @@ func (b *Broker) SetOnNewEntry(cb func(db.Entry)) {
} }
func NewBroker() *Broker { func NewBroker() *Broker {
size := config.Global.Intercept.QueueSize
if size <= 0 {
size = 64
}
b := &Broker{ b := &Broker{
Incoming: make(chan *PendingRequest, 64), Incoming: make(chan *PendingRequest, size),
IncomingResponse: make(chan *PendingResponse, 64), IncomingResponse: make(chan *PendingResponse, size),
} }
b.SetAutoForwardRegex(config.Global.Intercept.AutoForwardRegex) b.SetAutoForwardRegex(config.Global.Intercept.AutoForwardRegex)
return b return b
+143
View File
@@ -3,14 +3,20 @@ package plugins
import ( import (
"bytes" "bytes"
"context" "context"
"crypto/tls"
"io"
"log" "log"
"net/http"
"net/url"
"os/exec" "os/exec"
"strings" "strings"
"time" "time"
"github.com/anotherhadi/spilltea/internal/config"
"github.com/anotherhadi/spilltea/internal/db" "github.com/anotherhadi/spilltea/internal/db"
goproxy "github.com/lqqyt2423/go-mitmproxy/proxy" goproxy "github.com/lqqyt2423/go-mitmproxy/proxy"
lua "github.com/yuin/gopher-lua" lua "github.com/yuin/gopher-lua"
"gopkg.in/yaml.v3"
) )
func newLuaState(mgr *Manager, p *Plugin) *lua.LState { func newLuaState(mgr *Manager, p *Plugin) *lua.LState {
@@ -175,6 +181,99 @@ func registerUtilities(L *lua.LState, mgr *Manager, p *Plugin) {
return 0 return 0
})) }))
L.SetGlobal("get_config", L.NewFunction(func(L *lua.LState) int {
// p.mu is already held by the hook caller - do not lock again.
configText := p.ConfigText
if configText == "" {
L.Push(L.NewTable())
return 1
}
var data interface{}
if err := yaml.Unmarshal([]byte(configText), &data); err != nil || data == nil {
L.Push(L.NewTable())
return 1
}
lv := goToLuaValue(L, data)
if _, ok := lv.(*lua.LTable); !ok {
L.Push(L.NewTable())
return 1
}
L.Push(lv)
return 1
}))
L.SetGlobal("send_request", L.NewFunction(func(L *lua.LState) int {
method := L.CheckString(1)
rawURL := L.CheckString(2)
hdrs := L.OptTable(3, L.NewTable())
body := L.OptString(4, "")
opts := L.OptTable(5, L.NewTable())
insecure := false
if v, ok := L.GetField(opts, "insecure").(lua.LBool); ok {
insecure = bool(v)
}
transport := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure},
}
if up := config.Global.App.UpstreamProxy; up != "" {
if proxyURL, err := url.Parse(up); err == nil {
transport.Proxy = http.ProxyURL(proxyURL)
}
}
client := &http.Client{
Transport: transport,
Timeout: 30 * time.Second,
}
var bodyReader io.Reader
if body != "" {
bodyReader = strings.NewReader(body)
}
req, err := http.NewRequest(method, rawURL, bodyReader)
if err != nil {
L.Push(lua.LNil)
L.Push(lua.LString(err.Error()))
return 2
}
hdrs.ForEach(func(k, v lua.LValue) {
ks, kok := k.(lua.LString)
vs, vok := v.(lua.LString)
if kok && vok {
req.Header.Set(string(ks), string(vs))
}
})
resp, err := client.Do(req)
if err != nil {
L.Push(lua.LNil)
L.Push(lua.LString(err.Error()))
return 2
}
defer resp.Body.Close()
respBody, err := io.ReadAll(resp.Body)
if err != nil {
L.Push(lua.LNil)
L.Push(lua.LString(err.Error()))
return 2
}
result := L.NewTable()
L.SetField(result, "status_code", lua.LNumber(resp.StatusCode))
L.SetField(result, "body", lua.LString(string(respBody)))
respHeaders := L.NewTable()
for k, vals := range resp.Header {
L.SetField(respHeaders, k, lua.LString(strings.Join(vals, ", ")))
}
L.SetField(result, "headers", respHeaders)
L.Push(result)
L.Push(lua.LNil)
return 2
}))
L.SetGlobal("shell_pipe", L.NewFunction(func(L *lua.LState) int { L.SetGlobal("shell_pipe", L.NewFunction(func(L *lua.LState) int {
cmd := L.CheckString(1) cmd := L.CheckString(1)
input := L.OptString(2, "") input := L.OptString(2, "")
@@ -201,6 +300,35 @@ func registerUtilities(L *lua.LState, mgr *Manager, p *Plugin) {
})) }))
} }
func goToLuaValue(L *lua.LState, v interface{}) lua.LValue {
switch val := v.(type) {
case map[string]interface{}:
t := L.NewTable()
for k, v2 := range val {
L.SetField(t, k, goToLuaValue(L, v2))
}
return t
case []interface{}:
t := L.NewTable()
for i, v2 := range val {
L.RawSetInt(t, i+1, goToLuaValue(L, v2))
}
return t
case string:
return lua.LString(val)
case int:
return lua.LNumber(val)
case float64:
return lua.LNumber(val)
case bool:
if val {
return lua.LTrue
}
return lua.LFalse
}
return lua.LNil
}
func luaTableString(t *lua.LTable, key string) string { func luaTableString(t *lua.LTable, key string) string {
v := t.RawGetString(key) v := t.RawGetString(key)
if s, ok := v.(lua.LString); ok { if s, ok := v.(lua.LString); ok {
@@ -241,6 +369,21 @@ func pushRequest(L *lua.LState, f *goproxy.Flow) *lua.LTable {
return 0 return 0
})) }))
L.SetField(t, "set_path", L.NewFunction(func(L *lua.LState) int {
r.URL.Path = L.CheckString(2)
return 0
}))
L.SetField(t, "set_url", L.NewFunction(func(L *lua.LState) int {
parsed, err := url.Parse(L.CheckString(2))
if err != nil {
log.Printf("[plugin] set_url: %v", err)
return 0
}
r.URL = parsed
return 0
}))
return t return t
} }
+65 -49
View File
@@ -13,14 +13,23 @@ import (
"github.com/anotherhadi/spilltea/internal/intercept" "github.com/anotherhadi/spilltea/internal/intercept"
goproxy "github.com/lqqyt2423/go-mitmproxy/proxy" goproxy "github.com/lqqyt2423/go-mitmproxy/proxy"
lua "github.com/yuin/gopher-lua" lua "github.com/yuin/gopher-lua"
"gopkg.in/yaml.v3"
) )
// GlobalDefault holds global defaults for a single plugin, read from config.yaml.
type GlobalDefault struct {
Enable *bool
Config interface{}
}
type Manager struct { type Manager struct {
mu sync.RWMutex mu sync.RWMutex
plugins []*Plugin plugins []*Plugin
db *db.DB db *db.DB
pluginsFile *PluginsFile
broker *intercept.Broker broker *intercept.Broker
globalDefaults map[string]GlobalDefault
Notifs chan PluginNotifMsg Notifs chan PluginNotifMsg
Quit chan string Quit chan string
@@ -43,6 +52,14 @@ func (m *Manager) SetDB(d *db.DB) {
m.db = d m.db = d
} }
func (m *Manager) SetPluginsFile(pf *PluginsFile) {
m.pluginsFile = pf
}
func (m *Manager) SetGlobalDefaults(defaults map[string]GlobalDefault) {
m.globalDefaults = defaults
}
func (m *Manager) LoadFromDir(dir string) error { func (m *Manager) LoadFromDir(dir string) error {
entries, err := os.ReadDir(dir) entries, err := os.ReadDir(dir)
if os.IsNotExist(err) { if os.IsNotExist(err) {
@@ -52,17 +69,6 @@ func (m *Manager) LoadFromDir(dir string) error {
return err return err
} }
var states map[string]db.PluginState
if m.db != nil {
list, err := m.db.LoadPluginStates()
if err == nil {
states = make(map[string]db.PluginState, len(list))
for _, s := range list {
states[s.Name] = s
}
}
}
for _, e := range entries { for _, e := range entries {
if e.IsDir() || !strings.HasSuffix(e.Name(), ".lua") { if e.IsDir() || !strings.HasSuffix(e.Name(), ".lua") {
continue continue
@@ -73,9 +79,23 @@ func (m *Manager) LoadFromDir(dir string) error {
log.Printf("plugin load error %s: %v", path, err) log.Printf("plugin load error %s: %v", path, err)
continue continue
} }
if s, ok := states[p.Name]; ok { if m.pluginsFile != nil {
p.Enabled = s.Enabled if enabled, configText, found := m.pluginsFile.get(p.ID); found {
p.ConfigText = s.ConfigText p.Enabled = enabled
p.ConfigText = configText
} else {
if def, ok := m.globalDefaults[p.ID]; ok {
if def.Enable != nil {
p.Enabled = *def.Enable
}
if def.Config != nil {
if raw, err := yaml.Marshal(def.Config); err == nil {
p.ConfigText = string(raw)
}
}
}
m.pluginsFile.register(p.ID, p.Enabled, p.ConfigText)
}
} }
m.mu.Lock() m.mu.Lock()
m.plugins = append(m.plugins, p) m.plugins = append(m.plugins, p)
@@ -89,6 +109,7 @@ func (m *Manager) LoadFromDir(dir string) error {
func (m *Manager) loadPlugin(path string) (*Plugin, error) { func (m *Manager) loadPlugin(path string) (*Plugin, error) {
p := &Plugin{ p := &Plugin{
ID: strings.TrimSuffix(filepath.Base(path), ".lua"),
FilePath: path, FilePath: path,
Enabled: true, Enabled: true,
hooks: make(map[string]HookConfig), hooks: make(map[string]HookConfig),
@@ -109,7 +130,7 @@ func (m *Manager) loadPlugin(path string) (*Plugin, error) {
p.Name = string(s) p.Name = string(s)
} }
if p.Name == "" { if p.Name == "" {
p.Name = strings.TrimSuffix(filepath.Base(path), ".lua") p.Name = p.ID
} }
if s, ok := pluginTable.RawGetString("description").(lua.LString); ok { if s, ok := pluginTable.RawGetString("description").(lua.LString); ok {
@@ -131,12 +152,6 @@ func (m *Manager) loadPlugin(path string) (*Plugin, error) {
"on_response": false, "on_response": false,
"on_history_entry": false, "on_history_entry": false,
} }
// Fixed-sync hooks: always sync, not configurable.
fixedSyncHooks := map[string]struct{}{
"on_config": {},
"on_quit": {},
}
for hookName, defaultSync := range configurableHooks { for hookName, defaultSync := range configurableHooks {
if tbl, ok := pluginTable.RawGetString(hookName).(*lua.LTable); ok { if tbl, ok := pluginTable.RawGetString(hookName).(*lua.LTable); ok {
p.hooks[hookName] = HookConfig{Sync: tbl.RawGetString("sync") == lua.LTrue} p.hooks[hookName] = HookConfig{Sync: tbl.RawGetString("sync") == lua.LTrue}
@@ -146,9 +161,9 @@ func (m *Manager) loadPlugin(path string) (*Plugin, error) {
p.hooks[hookName] = HookConfig{Sync: defaultSync} p.hooks[hookName] = HookConfig{Sync: defaultSync}
} }
} }
for hookName := range fixedSyncHooks { for _, fixedSync := range []string{"on_config", "on_quit"} {
if p.L.GetGlobal(hookName) != lua.LNil { if p.L.GetGlobal(fixedSync) != lua.LNil {
p.hooks[hookName] = HookConfig{Sync: true} p.hooks[fixedSync] = HookConfig{Sync: true}
} }
} }
@@ -163,11 +178,11 @@ func (m *Manager) GetPlugins() []*Plugin {
return out return out
} }
func (m *Manager) TogglePlugin(name string) { func (m *Manager) TogglePlugin(id string) {
m.mu.RLock() m.mu.RLock()
var found *Plugin var found *Plugin
for _, p := range m.plugins { for _, p := range m.plugins {
if p.Name == name { if p.ID == id {
found = p found = p
break break
} }
@@ -179,10 +194,11 @@ func (m *Manager) TogglePlugin(name string) {
found.mu.Lock() found.mu.Lock()
found.Enabled = !found.Enabled found.Enabled = !found.Enabled
enabled := found.Enabled enabled := found.Enabled
configText := found.ConfigText
found.mu.Unlock() found.mu.Unlock()
if m.db != nil { if m.pluginsFile != nil {
_ = m.db.SavePluginState(name, enabled, configText) if err := m.pluginsFile.setEnabled(id, enabled); err != nil {
log.Printf("plugin %s: save state: %v", id, err)
}
} }
if !enabled { if !enabled {
return return
@@ -194,8 +210,10 @@ func (m *Manager) TogglePlugin(name string) {
disableIfFalse := func(p *Plugin, ret lua.LValue) { disableIfFalse := func(p *Plugin, ret lua.LValue) {
if ret == lua.LFalse { if ret == lua.LFalse {
p.Enabled = false p.Enabled = false
if m.db != nil { if m.pluginsFile != nil {
_ = m.db.SavePluginState(p.Name, false, p.ConfigText) if err := m.pluginsFile.setEnabled(p.ID, false); err != nil {
log.Printf("plugin %s: save state: %v", p.ID, err)
}
} }
} }
} }
@@ -222,11 +240,11 @@ func (m *Manager) TogglePlugin(name string) {
} }
} }
func (m *Manager) SaveConfig(name, configText string) { func (m *Manager) SaveConfig(id, configText string) {
m.mu.RLock() m.mu.RLock()
var found *Plugin var found *Plugin
for _, p := range m.plugins { for _, p := range m.plugins {
if p.Name == name { if p.ID == id {
found = p found = p
break break
} }
@@ -237,39 +255,35 @@ func (m *Manager) SaveConfig(name, configText string) {
} }
found.mu.Lock() found.mu.Lock()
found.ConfigText = configText found.ConfigText = configText
enabled := found.Enabled
_, hasOnConfig := found.hooks["on_config"]
found.mu.Unlock() found.mu.Unlock()
if m.db != nil { if m.pluginsFile != nil {
_ = m.db.SavePluginState(name, enabled, configText) if err := m.pluginsFile.setConfig(id, configText); err != nil {
log.Printf("plugin %s: save config: %v", id, err)
} }
if !hasOnConfig { }
if _, ok := found.hooks["on_config"]; !ok {
return return
} }
// on_config is always sync.
found.mu.Lock() found.mu.Lock()
if _, err := callHook(found, "on_config", lua.LString(configText)); err != nil { if _, err := callHook(found, "on_config"); err != nil {
log.Printf("plugin %s on_config (config reload): %v", name, err) log.Printf("plugin %s on_config: %v", id, err)
} }
found.mu.Unlock() found.mu.Unlock()
} }
func (m *Manager) RunOnStart() { func (m *Manager) RunOnStart() {
// on_config runs first, always sync, for every enabled plugin that has it.
for _, p := range m.GetPlugins() { for _, p := range m.GetPlugins() {
if !p.Enabled { if !p.Enabled {
continue continue
} }
if _, ok := p.hooks["on_config"]; !ok { if _, ok := p.hooks["on_config"]; ok {
continue
}
p.mu.Lock() p.mu.Lock()
if _, err := callHook(p, "on_config", lua.LString(p.ConfigText)); err != nil { if _, err := callHook(p, "on_config"); err != nil {
log.Printf("plugin %s on_config: %v", p.Name, err) log.Printf("plugin %s on_config: %v", p.Name, err)
} }
p.mu.Unlock() p.mu.Unlock()
} }
// on_start runs after, sync or async depending on plugin config. }
for _, p := range m.GetPlugins() { for _, p := range m.GetPlugins() {
if !p.Enabled { if !p.Enabled {
continue continue
@@ -281,8 +295,10 @@ func (m *Manager) RunOnStart() {
disableIfFalse := func(p *Plugin, ret lua.LValue) { disableIfFalse := func(p *Plugin, ret lua.LValue) {
if ret == lua.LFalse { if ret == lua.LFalse {
p.Enabled = false p.Enabled = false
if m.db != nil { if m.pluginsFile != nil {
_ = m.db.SavePluginState(p.Name, false, p.ConfigText) if err := m.pluginsFile.setEnabled(p.ID, false); err != nil {
log.Printf("plugin %s: save state: %v", p.ID, err)
}
} }
} }
} }
+103
View File
@@ -0,0 +1,103 @@
package plugins
import (
"os"
"path/filepath"
"gopkg.in/yaml.v3"
)
type pluginFileEntry struct {
Enable bool `yaml:"enable"`
Config interface{} `yaml:"config,omitempty"`
}
type pluginsFileData struct {
Plugins map[string]pluginFileEntry `yaml:"plugins"`
}
type PluginsFile struct {
path string
data pluginsFileData
}
func OpenPluginsFile(dbPath string) (*PluginsFile, error) {
path := filepath.Join(filepath.Dir(dbPath), "plugins.yaml")
pf := &PluginsFile{
path: path,
data: pluginsFileData{Plugins: make(map[string]pluginFileEntry)},
}
raw, err := os.ReadFile(path)
if os.IsNotExist(err) {
return pf, nil
}
if err != nil {
return nil, err
}
if err := yaml.Unmarshal(raw, &pf.data); err != nil {
return nil, err
}
if pf.data.Plugins == nil {
pf.data.Plugins = make(map[string]pluginFileEntry)
}
return pf, nil
}
func (pf *PluginsFile) save() error {
raw, err := yaml.Marshal(&pf.data)
if err != nil {
return err
}
return os.WriteFile(pf.path, raw, 0o600)
}
func (pf *PluginsFile) get(id string) (enabled bool, config string, found bool) {
e, ok := pf.data.Plugins[id]
if !ok {
return false, "", false
}
if e.Config == nil {
return e.Enable, "", true
}
raw, err := yaml.Marshal(e.Config)
if err != nil {
return e.Enable, "", true
}
return e.Enable, string(raw), true
}
func (pf *PluginsFile) register(id string, defaultEnabled bool, configText string) {
if _, ok := pf.data.Plugins[id]; !ok {
entry := pluginFileEntry{Enable: defaultEnabled}
if configText != "" {
var parsed interface{}
if err := yaml.Unmarshal([]byte(configText), &parsed); err == nil {
entry.Config = parsed
}
}
pf.data.Plugins[id] = entry
_ = pf.save()
}
}
func (pf *PluginsFile) setEnabled(id string, enabled bool) error {
e := pf.data.Plugins[id]
e.Enable = enabled
pf.data.Plugins[id] = e
return pf.save()
}
func (pf *PluginsFile) setConfig(id string, configText string) error {
e := pf.data.Plugins[id]
if configText == "" {
e.Config = nil
} else {
var parsed interface{}
if err := yaml.Unmarshal([]byte(configText), &parsed); err != nil {
return err
}
e.Config = parsed
}
pf.data.Plugins[id] = e
return pf.save()
}
+3
View File
@@ -11,6 +11,7 @@ type HookConfig struct {
} }
type Plugin struct { type Plugin struct {
ID string
Name string Name string
Description string Description string
FilePath string FilePath string
@@ -37,6 +38,7 @@ func (p *Plugin) HookConfig(name string) (HookConfig, bool) {
} }
type Info struct { type Info struct {
ID string
Name string Name string
Description string Description string
FilePath string FilePath string
@@ -57,6 +59,7 @@ func (p *Plugin) Info() Info {
hooks[k] = v hooks[k] = v
} }
return Info{ return Info{
ID: p.ID,
Name: p.Name, Name: p.Name,
Description: p.Description, Description: p.Description,
FilePath: p.FilePath, FilePath: p.FilePath,
+4 -2
View File
@@ -1,6 +1,7 @@
package proxy package proxy
import ( import (
"crypto/subtle"
"encoding/base64" "encoding/base64"
"fmt" "fmt"
"io" "io"
@@ -46,7 +47,6 @@ func (a *interceptAddon) Request(f *goproxy.Flow) {
switch a.plugins.RunSyncOnRequest(f) { switch a.plugins.RunSyncOnRequest(f) {
case intercept.Drop: case intercept.Drop:
f.Response = dropResponse() f.Response = dropResponse()
go a.plugins.RunAsyncOnRequest(f)
return return
case intercept.Forward: case intercept.Forward:
go a.plugins.RunAsyncOnRequest(f) go a.plugins.RunAsyncOnRequest(f)
@@ -133,7 +133,9 @@ func Start(broker *intercept.Broker, mgr *plugins.Manager) error {
wantUser, wantPass := parts[0], parts[1] wantUser, wantPass := parts[0], parts[1]
p.SetAuthProxy(func(res http.ResponseWriter, req *http.Request) (bool, error) { p.SetAuthProxy(func(res http.ResponseWriter, req *http.Request) (bool, error) {
user, pass, ok := parseBasicProxyAuth(req.Header.Get("Proxy-Authorization")) user, pass, ok := parseBasicProxyAuth(req.Header.Get("Proxy-Authorization"))
if !ok || user != wantUser || pass != wantPass { userOK := subtle.ConstantTimeCompare([]byte(user), []byte(wantUser))
passOK := subtle.ConstantTimeCompare([]byte(pass), []byte(wantPass))
if !ok || userOK&passOK != 1 {
res.Header().Set("Proxy-Authenticate", `Basic realm="spilltea"`) res.Header().Set("Proxy-Authenticate", `Basic realm="spilltea"`)
return false, fmt.Errorf("invalid credentials") return false, fmt.Errorf("invalid credentials")
} }
+19
View File
@@ -15,6 +15,25 @@ func NewViewport() viewport.Model {
return vp return vp
} }
func ViewportView(vp *viewport.Model) string {
v := vp.View()
if vp.AtBottom() {
return v
}
lines := strings.Split(v, "\n")
if len(lines) == 0 {
return v
}
arrow := lipgloss.NewStyle().Foreground(S.Subtle).Render("↓")
arrowW := lipgloss.Width(arrow)
inner := vp.Width() - 2*arrowW
if inner < 0 {
inner = 0
}
lines[len(lines)-1] = arrow + strings.Repeat(" ", inner) + arrow
return strings.Join(lines, "\n")
}
func NewPaginator() paginator.Model { func NewPaginator() paginator.Model {
p := paginator.New() p := paginator.New()
p.Type = paginator.Dots p.Type = paginator.Dots
+1
View File
@@ -18,6 +18,7 @@ func Paint(c color.Color, s string) string {
func HighlightHTTP(raw string) string { func HighlightHTTP(raw string) string {
raw = strings.ReplaceAll(raw, "\r\n", "\n") raw = strings.ReplaceAll(raw, "\r\n", "\n")
raw = strings.ReplaceAll(raw, "\r", "\n") raw = strings.ReplaceAll(raw, "\r", "\n")
raw = strings.ReplaceAll(raw, "\t", " ")
idx := strings.Index(raw, "\n\n") idx := strings.Index(raw, "\n\n")
if idx == -1 { if idx == -1 {
return highlightHeaders(raw) return highlightHeaders(raw)
+18 -6
View File
@@ -28,6 +28,12 @@ type Styles struct {
PagerDotActive string PagerDotActive string
PagerDotInactive string PagerDotInactive string
methodGet lipgloss.Style
methodPost lipgloss.Style
methodPutPatch lipgloss.Style
methodDelete lipgloss.Style
methodDefault lipgloss.Style
} }
var S *Styles var S *Styles
@@ -46,6 +52,7 @@ func Init(cfg *config.Config) {
primary := lipgloss.Color("#" + c.Base0D) // Accent: primary primary := lipgloss.Color("#" + c.Base0D) // Accent: primary
purple := lipgloss.Color("#" + c.Base0E) // Purple: editing purple := lipgloss.Color("#" + c.Base0E) // Purple: editing
methodBase := lipgloss.NewStyle().Bold(true).Width(7)
S = &Styles{ S = &Styles{
Primary: primary, Primary: primary,
Success: success, Success: success,
@@ -74,6 +81,12 @@ func Init(cfg *config.Config) {
PagerDotActive: lipgloss.NewStyle().Foreground(primary).SetString("•").String(), PagerDotActive: lipgloss.NewStyle().Foreground(primary).SetString("•").String(),
PagerDotInactive: lipgloss.NewStyle().Foreground(subtle).SetString("•").String(), PagerDotInactive: lipgloss.NewStyle().Foreground(subtle).SetString("•").String(),
methodGet: methodBase.Foreground(success),
methodPost: methodBase.Foreground(warning),
methodPutPatch: methodBase.Foreground(primary),
methodDelete: methodBase.Foreground(errCol),
methodDefault: methodBase.Foreground(text),
} }
} }
@@ -90,17 +103,16 @@ func NewHelp() help.Model {
} }
func (s *Styles) Method(method string) lipgloss.Style { func (s *Styles) Method(method string) lipgloss.Style {
base := lipgloss.NewStyle().Bold(true).Width(7)
switch method { switch method {
case "GET": case "GET":
return base.Foreground(s.Success) return s.methodGet
case "POST": case "POST":
return base.Foreground(s.Warning) return s.methodPost
case "PUT", "PATCH": case "PUT", "PATCH":
return base.Foreground(s.Primary) return s.methodPutPatch
case "DELETE": case "DELETE":
return base.Foreground(s.Error) return s.methodDelete
default: default:
return base.Foreground(s.Text) return s.methodDefault
} }
} }
+14
View File
@@ -106,6 +106,20 @@ func New(broker *intercept.Broker, name, path string) Model {
m.findingsPage.SetDB(d) m.findingsPage.SetDB(d)
mgr.SetDB(d) mgr.SetDB(d)
pf, err := plugins.OpenPluginsFile(path)
if err != nil {
log.Printf("plugins file: %v", err)
}
mgr.SetPluginsFile(pf)
if len(cfg.Plugins) > 0 {
defaults := make(map[string]plugins.GlobalDefault, len(cfg.Plugins))
for id, gp := range cfg.Plugins {
defaults[id] = plugins.GlobalDefault{Enable: gp.Enable, Config: gp.Config}
}
mgr.SetGlobalDefaults(defaults)
}
pluginsDir := config.ExpandPath(cfg.App.PluginsDir) pluginsDir := config.ExpandPath(cfg.App.PluginsDir)
if err := mgr.LoadFromDir(pluginsDir); err != nil { if err := mgr.LoadFromDir(pluginsDir); err != nil {
log.Printf("plugins: %v", err) log.Printf("plugins: %v", err)
+4
View File
@@ -37,6 +37,8 @@ type pageEntry struct {
isEditing func(m *Model) bool isEditing func(m *Model) bool
// resize propagates a new (w, h) to the page model. // resize propagates a new (w, h) to the page model.
resize func(m *Model, w, h int) resize func(m *Model, w, h int)
// hasUpdate reports whether the page has unseen updates.
hasUpdate func(m *Model) bool
} }
var pageRegistry = []pageEntry{ var pageRegistry = []pageEntry{
@@ -52,6 +54,7 @@ var pageRegistry = []pageEntry{
}, },
isEditing: func(m *Model) bool { return m.intercept.IsEditing() }, isEditing: func(m *Model) bool { return m.intercept.IsEditing() },
resize: func(m *Model, w, h int) { m.intercept.SetSize(w, h) }, resize: func(m *Model, w, h int) { m.intercept.SetSize(w, h) },
hasUpdate: func(m *Model) bool { return m.intercept.HasUnread() },
}, },
{ {
id: pageHistory, id: pageHistory,
@@ -115,6 +118,7 @@ var pageRegistry = []pageEntry{
return cmd return cmd
}, },
resize: func(m *Model, w, h int) { m.findingsPage.SetSize(w, h) }, resize: func(m *Model, w, h int) { m.findingsPage.SetSize(w, h) },
hasUpdate: func(m *Model) bool { return m.findingsPage.HasUnread() },
}, },
{ {
id: pageDocs, id: pageDocs,
+4
View File
@@ -61,11 +61,15 @@ func (m *Model) renderSidebar() string {
lineStyle := lipgloss.NewStyle().Width(inner).Padding(0, 1) lineStyle := lipgloss.NewStyle().Width(inner).Padding(0, 1)
var items strings.Builder var items strings.Builder
badgeUnread := lipgloss.NewStyle().Foreground(s.Warning).Bold(true)
for i, entry := range sidebarEntries { for i, entry := range sidebarEntries {
selected := entry.id == m.page selected := entry.id == m.page
badgeStyle, textStyle := badgeNormal, textNormal badgeStyle, textStyle := badgeNormal, textNormal
if selected { if selected {
badgeStyle, textStyle = badgeSelected, textSelected badgeStyle, textStyle = badgeSelected, textSelected
} else if entry.hasUpdate != nil && entry.hasUpdate(m) {
badgeStyle = badgeUnread
} }
icon := "" icon := ""
if entry.icon != nil { if entry.icon != nil {
+10
View File
@@ -37,6 +37,9 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
case intercept.RequestArrivedMsg: case intercept.RequestArrivedMsg:
updated, cmd := m.intercept.Update(msg) updated, cmd := m.intercept.Update(msg)
m.intercept = updated.(interceptUI.Model) m.intercept = updated.(interceptUI.Model)
if m.page == pageIntercept {
m.intercept.ClearUnread()
}
return m, tea.Batch(cmd, intercept.WaitForRequest(m.broker)) return m, tea.Batch(cmd, intercept.WaitForRequest(m.broker))
case intercept.ResponseArrivedMsg: case intercept.ResponseArrivedMsg:
updated, cmd := m.intercept.Update(msg) updated, cmd := m.intercept.Update(msg)
@@ -129,6 +132,9 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
case findingsUI.FindingsLoadedMsg: case findingsUI.FindingsLoadedMsg:
updated, cmd := m.findingsPage.Update(msg) updated, cmd := m.findingsPage.Update(msg)
m.findingsPage = updated.(findingsUI.Model) m.findingsPage = updated.(findingsUI.Model)
if m.page == pageFindings {
m.findingsPage.ClearUnread()
}
return m, cmd return m, cmd
case replayUI.SendToReplayMsg: case replayUI.SendToReplayMsg:
@@ -258,8 +264,12 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
return m, m.history.RefreshCmd() return m, m.history.RefreshCmd()
} }
if p == pageFindings { if p == pageFindings {
m.findingsPage.ClearUnread()
return m, findingsUI.RefreshCmd(m.database) return m, findingsUI.RefreshCmd(m.database)
} }
if p == pageIntercept {
m.intercept.ClearUnread()
}
} }
} }
} }
-1
View File
@@ -14,7 +14,6 @@ const (
popupH = 20 popupH = 20
) )
type OpenMsg struct { type OpenMsg struct {
RawRequest string RawRequest string
Scheme string Scheme string
-1
View File
@@ -12,7 +12,6 @@ const (
popupH = 20 popupH = 20
) )
type OpenMsg struct { type OpenMsg struct {
RawRequest string RawRequest string
Scheme string Scheme string
+2 -2
View File
@@ -58,8 +58,8 @@ func (m *Model) renderPanels(panelH int) string {
rightBorder = s.PanelFocused rightBorder = s.PanelFocused
} }
left := style.RenderWithTitle(leftBorder, leftTitle, m.leftViewport.View(), leftW, panelH) left := style.RenderWithTitle(leftBorder, leftTitle, style.ViewportView(&m.leftViewport), leftW, panelH)
right := style.RenderWithTitle(rightBorder, rightTitle, m.rightViewport.View(), rightW, panelH) right := style.RenderWithTitle(rightBorder, rightTitle, style.ViewportView(&m.rightViewport), rightW, panelH)
return lipgloss.JoinHorizontal(lipgloss.Top, left, right) return lipgloss.JoinHorizontal(lipgloss.Top, left, right)
} }
+5
View File
@@ -22,6 +22,8 @@ type Model struct {
database *db.DB database *db.DB
findings []db.Finding findings []db.Finding
cursor int cursor int
hasUnread bool
knownCount int
listViewport viewport.Model listViewport viewport.Model
bodyViewport viewport.Model bodyViewport viewport.Model
@@ -46,6 +48,9 @@ func New() Model {
func (m Model) Init() tea.Cmd { return nil } func (m Model) Init() tea.Cmd { return nil }
func (m Model) HasUnread() bool { return m.hasUnread }
func (m *Model) ClearUnread() { m.hasUnread = false; m.knownCount = len(m.findings) }
func (m *Model) CurrentMarkdown() string { func (m *Model) CurrentMarkdown() string {
if len(m.findings) == 0 { if len(m.findings) == 0 {
return "" return ""
+3
View File
@@ -21,6 +21,9 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
prevID = m.findings[m.cursor].ID prevID = m.findings[m.cursor].ID
} }
m.findings = msg.Findings m.findings = msg.Findings
if len(m.findings) > m.knownCount {
m.hasUnread = true
}
if m.cursor >= len(m.findings) { if m.cursor >= len(m.findings) {
m.cursor = max(0, len(m.findings)-1) m.cursor = max(0, len(m.findings)-1)
} }
+2 -8
View File
@@ -45,7 +45,7 @@ func (m *Model) renderBodyPanel(h int) string {
if len(m.findings) > 0 { if len(m.findings) > 0 {
title = m.findings[m.cursor].Title title = m.findings[m.cursor].Title
} }
return style.RenderWithTitle(s.Panel, title, m.bodyViewport.View(), m.width, h) return style.RenderWithTitle(s.Panel, title, style.ViewportView(&m.bodyViewport), m.width, h)
} }
func (m *Model) renderList() string { func (m *Model) renderList() string {
@@ -58,13 +58,7 @@ func (m *Model) renderList() string {
) )
} }
start, end := m.pager.GetSliceBounds(len(m.findings)) start, end := util.PageBounds(m.pager, len(m.findings))
if start < 0 {
start = 0
}
if end < start {
end = start
}
var sb strings.Builder var sb strings.Builder
for i, f := range m.findings[start:end] { for i, f := range m.findings[start:end] {
+11 -1
View File
@@ -249,11 +249,21 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
case key.Matches(msg, h.DeleteAll): case key.Matches(msg, h.DeleteAll):
if m.database != nil { if m.database != nil {
if m.searchKind != searchKindOff { if m.searchKind != searchKindOff {
hasUnflagged := false
for _, e := range m.entries { for _, e := range m.entries {
if !e.Flagged {
hasUnflagged = true
break
}
}
for _, e := range m.entries {
if hasUnflagged && e.Flagged {
continue
}
m.database.DeleteEntry(e.ID) m.database.DeleteEntry(e.ID)
} }
} else { } else {
m.database.DeleteAllEntries() m.database.DeleteAllExceptFlagged()
} }
} }
return m, m.clearSearch() return m, m.clearSearch()
+2 -8
View File
@@ -46,7 +46,7 @@ func (m *Model) renderBodyPanel(h int) string {
if m.focusedPanel == panelResponse { if m.focusedPanel == panelResponse {
title = icons.I.Response + "Response" title = icons.I.Response + "Response"
} }
return style.RenderWithTitle(s.Panel, title, m.bodyViewport.View(), m.width, h) return style.RenderWithTitle(s.Panel, title, style.ViewportView(&m.bodyViewport), m.width, h)
} }
func (m *Model) renderStatusBar() string { func (m *Model) renderStatusBar() string {
@@ -96,13 +96,7 @@ func (m *Model) renderList() string {
) )
} }
start, end := m.pager.GetSliceBounds(len(m.entries)) start, end := util.PageBounds(m.pager, len(m.entries))
if start < 0 {
start = 0
}
if end < start {
end = start
}
var sb strings.Builder var sb strings.Builder
for i, e := range m.entries[start:end] { for i, e := range m.entries[start:end] {
+2 -2
View File
@@ -138,14 +138,14 @@ func sanitizeName(s string) string {
} }
func IsValidProjectName(s string) bool { func IsValidProjectName(s string) bool {
if s == "tmp" { if s == "tmp" || s == "temp" || s == "temporary" {
return true return true
} }
return s != "" && s == sanitizeName(s) return s != "" && s == sanitizeName(s)
} }
func OpenProject(projectDir, name string) (*Project, error) { func OpenProject(projectDir, name string) (*Project, error) {
if name == "tmp" { if name == "tmp" || name == "temp" || name == "temporary" {
dir := tempDir() dir := tempDir()
if err := os.MkdirAll(dir, 0o755); err != nil { if err := os.MkdirAll(dir, 0o755); err != nil {
return nil, err return nil, err
+4
View File
@@ -30,6 +30,7 @@ type Model struct {
editing bool editing bool
interceptEnabled bool interceptEnabled bool
hasUnread bool
pendingEdits map[*intercept.PendingRequest]string pendingEdits map[*intercept.PendingRequest]string
pendingResponseEdits map[*intercept.PendingResponse]string pendingResponseEdits map[*intercept.PendingResponse]string
@@ -76,6 +77,9 @@ func New(broker *intercept.Broker) Model {
func (m Model) Init() tea.Cmd { return nil } func (m Model) Init() tea.Cmd { return nil }
func (m Model) HasUnread() bool { return m.hasUnread }
func (m *Model) ClearUnread() { m.hasUnread = false }
func (m Model) IsEditing() bool { return m.editing } func (m Model) IsEditing() bool { return m.editing }
func (m Model) IsResponseFocused() bool { func (m Model) IsResponseFocused() bool {
+1
View File
@@ -31,6 +31,7 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
} }
wasEmpty := len(m.queue) == 0 wasEmpty := len(m.queue) == 0
m.queue = append(m.queue, msg.Req) m.queue = append(m.queue, msg.Req)
m.hasUnread = true
m.refreshListViewport() m.refreshListViewport()
if wasEmpty && (!m.captureResponse || m.focusedPanel == panelRequests) { if wasEmpty && (!m.captureResponse || m.focusedPanel == panelRequests) {
m.refreshBody() m.refreshBody()
+3 -15
View File
@@ -87,7 +87,7 @@ func (m *Model) renderBodyPanel(h int) string {
if m.editing { if m.editing {
body = m.textarea.View() body = m.textarea.View()
} else { } else {
body = m.bodyViewport.View() body = style.ViewportView(&m.bodyViewport)
} }
border := s.Panel border := s.Panel
@@ -109,13 +109,7 @@ func (m *Model) renderList() string {
} }
s := style.S s := style.S
start, end := m.pager.GetSliceBounds(len(m.queue)) start, end := util.PageBounds(m.pager, len(m.queue))
if start < 0 {
start = 0
}
if end < start {
end = start
}
var sb strings.Builder var sb strings.Builder
for i, req := range m.queue[start:end] { for i, req := range m.queue[start:end] {
@@ -165,13 +159,7 @@ func (m *Model) renderResponseList() string {
} }
s := style.S s := style.S
start, end := m.responsePager.GetSliceBounds(len(m.responseQueue)) start, end := util.PageBounds(m.responsePager, len(m.responseQueue))
if start < 0 {
start = 0
}
if end < start {
end = start
}
var sb strings.Builder var sb strings.Builder
for i, resp := range m.responseQueue[start:end] { for i, resp := range m.responseQueue[start:end] {
+4 -4
View File
@@ -59,11 +59,11 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
m.textarea.Blur() m.textarea.Blur()
if info, ok := m.selected(); ok && m.manager != nil { if info, ok := m.selected(); ok && m.manager != nil {
val := m.textarea.Value() val := m.textarea.Value()
m.manager.SaveConfig(info.Name, val) m.manager.SaveConfig(info.ID, val)
// Update cached info. // Update cached info.
m.filtered[m.cursor].ConfigText = val m.filtered[m.cursor].ConfigText = val
for i := range m.items { for i := range m.items {
if m.items[i].Name == info.Name { if m.items[i].ID == info.ID {
m.items[i].ConfigText = val m.items[i].ConfigText = val
break break
} }
@@ -107,10 +107,10 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
case key.Matches(msg, pk.Toggle): case key.Matches(msg, pk.Toggle):
if info, ok := m.selected(); ok && m.manager != nil { if info, ok := m.selected(); ok && m.manager != nil {
m.manager.TogglePlugin(info.Name) m.manager.TogglePlugin(info.ID)
m.filtered[m.cursor].Enabled = !info.Enabled m.filtered[m.cursor].Enabled = !info.Enabled
for i := range m.items { for i := range m.items {
if m.items[i].Name == info.Name { if m.items[i].ID == info.ID {
m.items[i].Enabled = !info.Enabled m.items[i].Enabled = !info.Enabled
break break
} }
+2 -8
View File
@@ -73,7 +73,7 @@ func (m *Model) renderDetailPanel(h int) string {
s.Faint.Render(filepath.Base(info.FilePath)), s.Faint.Render(filepath.Base(info.FilePath)),
) )
parts := []string{header, m.detailViewport.View()} parts := []string{header, style.ViewportView(&m.detailViewport)}
if m.hasConfig() { if m.hasConfig() {
var configLabel string var configLabel string
@@ -143,13 +143,7 @@ func (m *Model) renderList() string {
) )
} }
start, end := m.pager.GetSliceBounds(len(m.filtered)) start, end := util.PageBounds(m.pager, len(m.filtered))
if start < 0 {
start = 0
}
if end < start {
end = start
}
var sb strings.Builder var sb strings.Builder
for i, p := range m.filtered[start:end] { for i, p := range m.filtered[start:end] {
+4 -1
View File
@@ -20,8 +20,8 @@ import (
"github.com/anotherhadi/spilltea/internal/db" "github.com/anotherhadi/spilltea/internal/db"
"github.com/anotherhadi/spilltea/internal/keys" "github.com/anotherhadi/spilltea/internal/keys"
"github.com/anotherhadi/spilltea/internal/style" "github.com/anotherhadi/spilltea/internal/style"
"github.com/anotherhadi/spilltea/internal/util"
diffUI "github.com/anotherhadi/spilltea/internal/ui/diff" diffUI "github.com/anotherhadi/spilltea/internal/ui/diff"
"github.com/anotherhadi/spilltea/internal/util"
"github.com/klauspost/compress/zstd" "github.com/klauspost/compress/zstd"
) )
@@ -181,6 +181,9 @@ func (m Model) updateNormalMode(msg tea.KeyPressMsg) (tea.Model, tea.Cmd) {
case key.Matches(msg, r.EditExt): case key.Matches(msg, r.EditExt):
if len(m.entries) > 0 { if len(m.entries) > 0 {
if m.focusedPanel == panelResponse {
return m, util.OpenExternalEditorView(m.entries[m.cursor].ResponseRaw)
}
return m, util.OpenExternalEditor(m.entries[m.cursor].RequestRaw) return m, util.OpenExternalEditor(m.entries[m.cursor].RequestRaw)
} }
+3 -9
View File
@@ -57,7 +57,7 @@ func (m *Model) renderRequestPanel(w, h int) string {
body = m.textarea.View() body = m.textarea.View()
border = s.PanelFocused border = s.PanelFocused
} else { } else {
body = m.requestViewport.View() body = style.ViewportView(&m.requestViewport)
if m.focusedPanel == panelRequest { if m.focusedPanel == panelRequest {
border = s.PanelFocused border = s.PanelFocused
} }
@@ -71,7 +71,7 @@ func (m *Model) renderResponsePanel(w, h int) string {
if !m.editing && m.focusedPanel == panelResponse { if !m.editing && m.focusedPanel == panelResponse {
border = s.PanelFocused border = s.PanelFocused
} }
return style.RenderWithTitle(border, icons.I.Response+"Response", m.responseViewport.View(), w, h) return style.RenderWithTitle(border, icons.I.Response+"Response", style.ViewportView(&m.responseViewport), w, h)
} }
func (m *Model) renderStatusBar() string { func (m *Model) renderStatusBar() string {
@@ -88,13 +88,7 @@ func (m *Model) renderList() string {
} }
s := style.S s := style.S
start, end := m.pager.GetSliceBounds(len(m.entries)) start, end := util.PageBounds(m.pager, len(m.entries))
if start < 0 {
start = 0
}
if end < start {
end = start
}
var sb strings.Builder var sb strings.Builder
for i, e := range m.entries[start:end] { for i, e := range m.entries[start:end] {
+22 -3
View File
@@ -1,6 +1,7 @@
package util package util
import ( import (
"log"
"os" "os"
"os/exec" "os/exec"
@@ -14,7 +15,7 @@ type EditorFinishedMsg struct {
Err error Err error
} }
func OpenExternalEditor(content string) tea.Cmd { func resolveEditor() string {
editor := config.Global.App.ExternalEditor editor := config.Global.App.ExternalEditor
if editor == "" { if editor == "" {
editor = os.Getenv("EDITOR") editor = os.Getenv("EDITOR")
@@ -22,15 +23,27 @@ func OpenExternalEditor(content string) tea.Cmd {
if editor == "" { if editor == "" {
editor = "vi" editor = "vi"
} }
return editor
}
func openWithEditor(content string, callback func(string, error) tea.Msg) tea.Cmd {
f, err := os.CreateTemp("", "spilltea-*.http") f, err := os.CreateTemp("", "spilltea-*.http")
if err != nil { if err != nil {
return nil return nil
} }
tmpPath := f.Name() tmpPath := f.Name()
_, _ = f.WriteString(content) if _, err := f.WriteString(content); err != nil {
log.Printf("editor: writing temp file: %v", err)
}
f.Close() f.Close()
return tea.ExecProcess(exec.Command(editor, tmpPath), func(err error) tea.Msg { return tea.ExecProcess(exec.Command(resolveEditor(), tmpPath), func(err error) tea.Msg {
defer os.Remove(tmpPath) defer os.Remove(tmpPath)
return callback(tmpPath, err)
})
}
func OpenExternalEditor(content string) tea.Cmd {
return openWithEditor(content, func(tmpPath string, err error) tea.Msg {
if err != nil { if err != nil {
return EditorFinishedMsg{Err: err} return EditorFinishedMsg{Err: err}
} }
@@ -41,3 +54,9 @@ func OpenExternalEditor(content string) tea.Cmd {
return EditorFinishedMsg{Content: string(data)} return EditorFinishedMsg{Content: string(data)}
}) })
} }
func OpenExternalEditorView(content string) tea.Cmd {
return openWithEditor(content, func(_ string, _ error) tea.Msg {
return nil
})
}
+13
View File
@@ -3,6 +3,7 @@ package util
import ( import (
"strings" "strings"
"charm.land/bubbles/v2/paginator"
"charm.land/lipgloss/v2" "charm.land/lipgloss/v2"
) )
@@ -28,6 +29,18 @@ func CenterLines(lines ...string) string {
return strings.Join(centered, "\n") return strings.Join(centered, "\n")
} }
// PageBounds returns clamped start/end indices for rendering a paginated list.
func PageBounds(p paginator.Model, total int) (start, end int) {
start, end = p.GetSliceBounds(total)
if start < 0 {
start = 0
}
if end < start {
end = start
}
return
}
// InferScheme returns "http" for port 80, "https" otherwise. // InferScheme returns "http" for port 80, "https" otherwise.
func InferScheme(host string) string { func InferScheme(host string) string {
if strings.HasSuffix(host, ":80") { if strings.HasSuffix(host, ":80") {
-19
View File
@@ -1,19 +0,0 @@
pre-commit:
piped: true
commands:
check-vendor-hash:
glob: "{go.mod,go.sum}"
run: .github/scripts/check-vendor-hash.sh
stage_fixed: true
inject-exec-basics:
glob: "{docs/basics.md,cmd/**}"
run: python3 .github/scripts/inject-exec.py docs/basics.md
stage_fixed: true
inject-exec:
glob: "{README.md,docs/basics.md,cmd/**}"
run: python3 .github/scripts/inject-exec.py README.md
stage_fixed: true
toc:
glob: "{README.md,docs/basics.md,cmd/**}"
run: doctoc --notitle README.md
stage_fixed: true
+242
View File
@@ -0,0 +1,242 @@
schema = 3
[mod]
[mod.'charm.land/bubbles/v2']
version = 'v2.1.0'
hash = 'sha256-2OmqpBrl+taOJzAhVM6OReLmoYRxZOXx9JqFNjQjsPA='
[mod.'charm.land/bubbletea/v2']
version = 'v2.0.6'
hash = 'sha256-1jxXmcnI4peUE0Xs3HGe57pIhRONx235aAaeqm2r434='
[mod.'charm.land/glamour/v2']
version = 'v2.0.0'
hash = 'sha256-CZYlNGw2MihqnSHf1Xxqz55NnqW9fVpLxyvLItryIw4='
[mod.'charm.land/lipgloss/v2']
version = 'v2.0.3'
hash = 'sha256-/RFkSUscU3NwymzT+PfizGf3XyQIdVGQlX7vxktCUGk='
[mod.'github.com/alecthomas/chroma/v2']
version = 'v2.24.1'
hash = 'sha256-DufsljWRKireFuLFcnPozuF0N3UoRYGlEfNFMD+z0ng='
[mod.'github.com/andybalholm/brotli']
version = 'v1.0.4'
hash = 'sha256-gAnPRdGP4yna4hiRIEDyBtDOVJqd7RU27wlPu96Rdf8='
[mod.'github.com/atotto/clipboard']
version = 'v0.1.4'
hash = 'sha256-ZZ7U5X0gWOu8zcjZcWbcpzGOGdycwq0TjTFh/eZHjXk='
[mod.'github.com/aymerick/douceur']
version = 'v0.2.0'
hash = 'sha256-NiBX8EfOvLXNiK3pJaZX4N73YgfzdrzRXdiBFe3X3sE='
[mod.'github.com/charmbracelet/colorprofile']
version = 'v0.4.3'
hash = 'sha256-y+QDUxGOKhugEMQLRUTZYT2C+wKqYHnMLJ44jbh7+JA='
[mod.'github.com/charmbracelet/ultraviolet']
version = 'v0.0.0-20260511121909-c840852527f3'
hash = 'sha256-oWEEaaetCmXvflD03MWy8qD105Kd62iI62+lxofE9Ns='
[mod.'github.com/charmbracelet/x/ansi']
version = 'v0.11.7'
hash = 'sha256-q8BZJq4K7NE5ETocN9/G/EoV0dUyD703ONSfHiUYzWQ='
[mod.'github.com/charmbracelet/x/exp/slice']
version = 'v0.0.0-20260517005351-920740d613be'
hash = 'sha256-bMsbEzP1gHA2OJx4zMYZUI3UFhcTG+mcFm8rRY+Khh8='
[mod.'github.com/charmbracelet/x/term']
version = 'v0.2.2'
hash = 'sha256-KF7IU1Luxl/sZP6XjomWB2e3lxSUS4/5AahhapGir/4='
[mod.'github.com/charmbracelet/x/termios']
version = 'v0.1.1'
hash = 'sha256-sri3LpHCBhGvnJldDzBxwbbZpeSGZVCJFOUL45uBFds='
[mod.'github.com/charmbracelet/x/windows']
version = 'v0.2.2'
hash = 'sha256-CvmE8kAC5wlPSeWjl2hc5xizvGS2FeOLHw84froldkk='
[mod.'github.com/clipperhouse/displaywidth']
version = 'v0.11.0'
hash = 'sha256-WokyTaofEy95xlshqK5YDzpemhXV5oaQifxS9YyfCXo='
[mod.'github.com/clipperhouse/uax29/v2']
version = 'v2.7.0'
hash = 'sha256-GO3az7WiGcwU0OvmocwdfR5ohGRL8NbjscIaMyhAdxE='
[mod.'github.com/dlclark/regexp2']
version = 'v1.12.0'
hash = 'sha256-PVX2rDCkiG0vyA1CbDi3bzLeZ2T8hcqJv3pZ5YwGzMI='
[mod.'github.com/dustin/go-humanize']
version = 'v1.0.1'
hash = 'sha256-yuvxYYngpfVkUg9yAmG99IUVmADTQA0tMbBXe0Fq0Mc='
[mod.'github.com/fsnotify/fsnotify']
version = 'v1.10.1'
hash = 'sha256-6LBLgsh4nKkMpgRKVsYFEaGDSU1fncBcWVSjKBdfgjU='
[mod.'github.com/go-viper/mapstructure/v2']
version = 'v2.5.0'
hash = 'sha256-LbrCBANBprVI84M0CWrXc7rriJL5ac5VKbh58LBTw7U='
[mod.'github.com/golang/groupcache']
version = 'v0.0.0-20210331224755-41bb18bfe9da'
hash = 'sha256-7Gs7CS9gEYZkbu5P4hqPGBpeGZWC64VDwraSKFF+VR0='
[mod.'github.com/google/uuid']
version = 'v1.6.0'
hash = 'sha256-VWl9sqUzdOuhW0KzQlv0gwwUQClYkmZwSydHG2sALYw='
[mod.'github.com/gorilla/css']
version = 'v1.0.1'
hash = 'sha256-6JwNHqlY2NpZ0pSQTyYPSpiNqjXOdFHqrUT10sv3y8A='
[mod.'github.com/gorilla/websocket']
version = 'v1.5.0'
hash = 'sha256-EYVgkSEMo4HaVrsWKqnsYRp8SSS8gNf7t+Elva02Ofc='
[mod.'github.com/klauspost/compress']
version = 'v1.17.8'
hash = 'sha256-8rgCCfHX29le8m6fyVn6gwFde5TPUHjwQqZqv9JIubs='
[mod.'github.com/lqqyt2423/go-mitmproxy']
version = 'v1.8.11'
hash = 'sha256-PoCL6TOt99JsenH4XFx+7MqIzzYnnLHYwUpEQ7kxxyg='
[mod.'github.com/lucasb-eyer/go-colorful']
version = 'v1.4.0'
hash = 'sha256-i/3GDHKEMLCy0kc3mtyk58UWYOPmKoUVaq6QCAWXKP0='
[mod.'github.com/mattn/go-isatty']
version = 'v0.0.22'
hash = 'sha256-6O/0jc33pKUzlzUGpH8Ekk54XgJvx6Qe7kJtbcNJAV4='
[mod.'github.com/mattn/go-runewidth']
version = 'v0.0.23'
hash = 'sha256-SmChZ2U1aR8pW3LPhdM7KcVF5TO6VcHgRzBtUXbBWJA='
[mod.'github.com/microcosm-cc/bluemonday']
version = 'v1.0.27'
hash = 'sha256-EZSya9FLPQ83CL7N2cZy21fdS35hViTkiMK5f3op8Es='
[mod.'github.com/muesli/cancelreader']
version = 'v0.2.2'
hash = 'sha256-uEPpzwRJBJsQWBw6M71FDfgJuR7n55d/7IV8MO+rpwQ='
[mod.'github.com/ncruces/go-strftime']
version = 'v1.0.0'
hash = 'sha256-GYIwYDONuv/yTE0AEugCHQbtV3oiBaco93xUNYFcVBQ='
[mod.'github.com/pelletier/go-toml/v2']
version = 'v2.3.1'
hash = 'sha256-5H8+UOtPOs+Yc+8oVT/3bugCCdbq3jFMH6eOW8dadyg='
[mod.'github.com/remyoudompheng/bigfft']
version = 'v0.0.0-20230129092748-24d4a6f8daec'
hash = 'sha256-vYmpyCE37eBYP/navhaLV4oX4/nu0Z/StAocLIFqrmM='
[mod.'github.com/rivo/uniseg']
version = 'v0.4.7'
hash = 'sha256-rDcdNYH6ZD8KouyyiZCUEy8JrjOQoAkxHBhugrfHjFo='
[mod.'github.com/sagikazarmark/locafero']
version = 'v0.12.0'
hash = 'sha256-EXk9S5Z5sYyApAzCgHIugsGMbt/pHWRfHYFZH5D+5Ws='
[mod.'github.com/sahilm/fuzzy']
version = 'v0.1.1'
hash = 'sha256-f2VsDI6G+V2w31tSDzbZPi9EI2E7jRV6Aq8yeOorSZY='
[mod.'github.com/satori/go.uuid']
version = 'v1.2.0'
hash = 'sha256-y/lSGbnZa7mYJCs30a3LTyjfCFQSaYp8GbVR8dwtmsg='
[mod.'github.com/sirupsen/logrus']
version = 'v1.9.4'
hash = 'sha256-ltRvmtM3XTCAFwY0IesfRqYIivyXPPuvkFjL4ARh1wg='
[mod.'github.com/spf13/afero']
version = 'v1.15.0'
hash = 'sha256-LhcezbOqfuBzacytbqck0hNUxi6NbWNhifUc5/9uHQ8='
[mod.'github.com/spf13/cast']
version = 'v1.10.0'
hash = 'sha256-dQ6Qqf26IZsa6XsGKP7GDuCj+WmSsBmkBwGTDfue/rk='
[mod.'github.com/spf13/pflag']
version = 'v1.0.10'
hash = 'sha256-uDPnWjHpSrzXr17KEYEA1yAbizfcsfo5AyztY2tS6ZU='
[mod.'github.com/spf13/viper']
version = 'v1.21.0'
hash = 'sha256-A9A8i7HH/ge4j3hw7G++HNj8BjhhpZKvxHhfY+QAxkI='
[mod.'github.com/subosito/gotenv']
version = 'v1.6.0'
hash = 'sha256-LspbjTniiq2xAICSXmgqP7carwlNaLqnCTQfw2pa80A='
[mod.'github.com/xo/terminfo']
version = 'v0.0.0-20220910002029-abceb7e1c41e'
hash = 'sha256-GyCDxxMQhXA3Pi/TsWXpA8cX5akEoZV7CFx4RO3rARU='
[mod.'github.com/yuin/goldmark']
version = 'v1.8.2'
hash = 'sha256-LoWfW1Tb6mNuMR7SoA/4SJv4pTKfsVXqeXEVm4uEQ7Q='
[mod.'github.com/yuin/goldmark-emoji']
version = 'v1.0.6'
hash = 'sha256-+d6bZzOPE+JSFsZbQNZMCWE+n3jgcQnkPETVk47mxSY='
[mod.'github.com/yuin/gopher-lua']
version = 'v1.1.2'
hash = 'sha256-2YMCxv7RO3uqq6OTjvE0kR9nTt+n2cF+MrLtGEW68po='
[mod.'go.uber.org/atomic']
version = 'v1.11.0'
hash = 'sha256-TyYws/cSPVqYNffFX0gbDml1bD4bBGcysrUWU7mHPIY='
[mod.'go.yaml.in/yaml/v3']
version = 'v3.0.4'
hash = 'sha256-NkGFiDPoCxbr3LFsI6OCygjjkY0rdmg5ggvVVwpyDQ4='
[mod.'golang.org/x/net']
version = 'v0.54.0'
hash = 'sha256-/EoIXzTQzK/yP/lxOyx0Z/bhns4FdPTIF4uyt4gIP80='
[mod.'golang.org/x/sync']
version = 'v0.20.0'
hash = 'sha256-ybcjhCfK6lroUM0yswUvWooW8MOQZBXyiSqoxG6Uy0Y='
[mod.'golang.org/x/sys']
version = 'v0.44.0'
hash = 'sha256-JDlj+PKsG6I6kjv5JyOUNreY51u5An0oZ5OZMHZSk+A='
[mod.'golang.org/x/text']
version = 'v0.37.0'
hash = 'sha256-8XDOnlPIybcDRy89fkjG5VqtIt5Ku+LmaqYhgKl7i1E='
[mod.'gopkg.in/yaml.v3']
version = 'v3.0.1'
hash = 'sha256-FqL9TKYJ0XkNwJFnq9j0VvJ5ZUU1RvH/52h/f5bkYAU='
[mod.'modernc.org/libc']
version = 'v1.72.3'
hash = 'sha256-eOCoqSnX/VzpG63nh1j3JpXRndnZZcn2cDTeutexXAI='
[mod.'modernc.org/mathutil']
version = 'v1.7.1'
hash = 'sha256-COZ5rF2GhQVR1r6a0DanJ8qwQ94JSKdQxTMWrDzE0Cc='
[mod.'modernc.org/memory']
version = 'v1.11.0'
hash = 'sha256-MkybF8vvrxXS5j7O8w3skwTo0aMo1yjWS0K440rYcHM='
[mod.'modernc.org/sqlite']
version = 'v1.50.1'
hash = 'sha256-JbGP3eerH/6mgzI0aq9SpLLwe6ld6PV/zJReG8mLQN0='
+21
View File
@@ -0,0 +1,21 @@
{
pkgs,
buildGoApplication,
}: let
pname = "spilltea";
version = "0.0.6";
ldflags = ["-s" "-w" "-X main.version=${version}"];
pkg = buildGoApplication {
inherit pname version ldflags;
src = ../.;
modules = ./gomod2nix.toml;
meta = with pkgs.lib; {
description = "A minimal, terminal-based HTTP(S) proxy for pentesters and CTF players.";
homepage = "https://github.com/anotherhadi/spilltea";
platforms = platforms.unix;
};
};
in {
"${pname}" = pkg;
default = pkg;
}
+64
View File
@@ -0,0 +1,64 @@
{
pkgs,
gitHooksLib,
gomod2nixPkgs,
}: let
hooks = gitHooksLib.run {
src = ../.;
hooks = {
gofmt.enable = true;
govet.enable = true;
stylua.enable = true;
gomod2nix = {
enable = true;
name = "gomod2nix";
entry = "gomod2nix --outdir ./nix";
language = "system";
files = "go\\.(mod|sum)$";
pass_filenames = false;
};
inject-exec-basics = {
enable = true;
name = "inject-exec-basics";
entry = "python3 .github/scripts/inject-exec.py docs/basics.md";
language = "system";
files = "(docs/basics\\.md|cmd/)";
pass_filenames = false;
};
inject-exec = {
enable = true;
name = "inject-exec";
entry = "python3 .github/scripts/inject-exec.py README.md";
language = "system";
files = "(README\\.md|docs/basics\\.md|cmd/)";
pass_filenames = false;
};
doctoc = {
enable = true;
name = "doctoc";
entry = "doctoc --notitle README.md";
language = "system";
files = "(README\\.md|docs/basics\\.md|cmd/)";
pass_filenames = false;
};
};
};
in
pkgs.mkShell {
packages = with pkgs;
[
go
python3
doctoc
stylua
trufflehog
gomod2nixPkgs.gomod2nix
]
++ hooks.enabledPackages;
shellHook = hooks.shellHook;
}
+9 -3
View File
@@ -4,21 +4,27 @@ Plugin = {
Inject custom headers into every intercepted request. Inject custom headers into every intercepted request.
**Config**: **Config**:
- one 'Header-Name: value' per line. ```yaml
headers:
- "X-My-Header: myvalue"
```
]], ]],
on_request = { sync = true }, on_request = { sync = true },
} }
local headers = {} local headers = {}
function on_config(config_text) function on_config()
headers = {} headers = {}
for line in config_text:gmatch("[^\n]+") do local cfg = get_config()
if cfg and cfg.headers then
for _, line in ipairs(cfg.headers) do
local name, value = line:match("^([^:]+):%s*(.+)$") local name, value = line:match("^([^:]+):%s*(.+)$")
if name and value then if name and value then
table.insert(headers, { name = name, value = value }) table.insert(headers, { name = name, value = value })
end end
end end
end
end end
function on_request(req) function on_request(req)
+15 -11
View File
@@ -4,10 +4,13 @@ Plugin = {
Checks that the proxy's outbound IP is in an allowed list on startup. Checks that the proxy's outbound IP is in an allowed list on startup.
**Config**: **Config**:
- one IP per line ```yaml
- prefix with `!` for a blacklist entry (blocked) ips:
- prefix with `#` to comment it out (ignored) - "1.2.3.4" # whitelist entry
- if no IPs are configured, the check is skipped - "!5.6.7.8" # blacklist entry (blocked)
```
- If no IPs are configured, the check is skipped.
]], ]],
on_start = { sync = false }, on_start = { sync = false },
disable_by_default = true, disable_by_default = true,
@@ -16,13 +19,13 @@ Checks that the proxy's outbound IP is in an allowed list on startup.
local whitelist = {} local whitelist = {}
local blacklist = {} local blacklist = {}
function on_config(config_text) function on_config()
whitelist = {} whitelist, blacklist = {}, {}
blacklist = {} local cfg = get_config()
if cfg and cfg.ips then
for line in config_text:gmatch("[^\n]+") do for _, entry in ipairs(cfg.ips) do
local trimmed = line:match("^%s*(.-)%s*$") local trimmed = entry:match("^%s*(.-)%s*$")
if trimmed ~= "" and trimmed:sub(1, 1) ~= "#" then if trimmed ~= "" then
if trimmed:sub(1, 1) == "!" then if trimmed:sub(1, 1) == "!" then
local ip = trimmed:sub(2):match("^%s*(.-)%s*$") local ip = trimmed:sub(2):match("^%s*(.-)%s*$")
if ip ~= "" then if ip ~= "" then
@@ -33,6 +36,7 @@ function on_config(config_text)
end end
end end
end end
end
end end
function on_start() function on_start()
+125
View File
@@ -0,0 +1,125 @@
Plugin = {
name = "Match & Replace",
description = [[
Automatically find and replace content in requests and responses.
**Config**:
```yaml
rules:
- on: "request" # "request", "response", or "both" (default: "both")
url: "example%.com" # optional: Lua pattern to filter by URL
target: "body" # "body", "path", "url", or "header:Name"
find: "old_string" # Lua pattern to search
replace: "new_string" # replacement string (supports %1, %2 for captures)
```
Example (inject a debug flag in JSON bodies):
```yaml
rules:
- on: "both"
url: "api%.example%.com"
target: "body"
find: '"debug":false'
replace: '"debug":true'
```
Example (replace an Authorization header):
```yaml
rules:
- on: "request"
target: "header:Authorization"
find: "Bearer .*"
replace: "Bearer MY_NEW_TOKEN"
```
Example (rewrite a path prefix):
```yaml
rules:
- on: "request"
url: "staging%.example%.com"
target: "path"
find: "^/v1/"
replace: "/v2/"
```
]],
priority = 50,
on_request = { sync = true },
on_response = { sync = true },
}
local rules = {}
function on_config()
rules = {}
local cfg = get_config()
if not cfg or not cfg.rules then
return
end
for _, r in ipairs(cfg.rules) do
if r.find and r.find ~= "" then
table.insert(rules, {
on = r.on or "both",
url = r.url,
target = r.target or "body",
find = r.find,
replace = r.replace or "",
})
end
end
end
local function should_apply(rule, req, context)
if rule.on ~= "both" and rule.on ~= context then
return false
end
if rule.url and not req.url:match(rule.url) then
return false
end
return true
end
local function apply(rule, req, res, context)
local target = rule.target
if target == "body" then
local obj = (context == "response") and res or req
local body = obj:get_body()
local new_body = body:gsub(rule.find, rule.replace)
if new_body ~= body then
obj:set_body(new_body)
end
elseif target == "path" then
local new_path = req.path:gsub(rule.find, rule.replace)
if new_path ~= req.path then
req:set_path(new_path)
end
elseif target == "url" then
local new_url = req.url:gsub(rule.find, rule.replace)
if new_url ~= req.url then
req:set_url(new_url)
end
elseif target:sub(1, 7) == "header:" then
local name = target:sub(8)
local obj = (context == "response") and res or req
local val = obj.headers[name] or ""
local new_val = val:gsub(rule.find, rule.replace)
if new_val ~= val then
obj:set_header(name, new_val)
end
end
end
function on_request(req)
for _, rule in ipairs(rules) do
if should_apply(rule, req, "request") then
apply(rule, req, nil, "request")
end
end
end
function on_response(req, res)
for _, rule in ipairs(rules) do
if should_apply(rule, req, "response") then
apply(rule, req, res, "response")
end
end
end
+52 -35
View File
@@ -4,37 +4,34 @@ Plugin = {
Auto-forward requests and exclude them from history based on patterns. Auto-forward requests and exclude them from history based on patterns.
**Config**: **Config**:
- `pattern` - whitelist: only intercept matching requests/responses and history entries ```yaml
- `!pattern` - blacklist: skip matching requests/responses and history entries patterns:
- `r:pattern` - whitelist for requests/responses only (history unaffected) - "pattern" # whitelist: only intercept matching requests/responses and history
- `r:!pattern` - blacklist for requests/responses only - "!pattern" # blacklist: skip matching requests/responses and history
- `h:pattern` - whitelist for history entries only (requests unaffected) - "r:pattern" # whitelist for requests/responses only
- `h:!pattern` - blacklist for history entries only - "r:!pattern" # blacklist for requests/responses only
- lines starting with `#` are comments - "h:pattern" # whitelist for history only
- "h:!pattern" # blacklist for history only
```
Example (ignore static assets): Example (ignore static assets):
``` ```yaml
!%.css$ patterns:
!%.js$ - "!%.css$"
!%.png$ - "!%.js$"
- "!%.png$"
``` ```
Example (focus on mytarget.com, skip everything else): Example (focus on mytarget.com):
``` ```yaml
mytarget%.com/ patterns:
- "mytarget%.com/"
``` ```
Example (intercept mytarget.com except its static assets): Example (disable history):
``` ```yaml
mytarget%.com/ patterns:
!%.css$ - "h:^$"
!%.js$
!%.png$
```
Example (disable history: whitelist never matches any real URL):
```
h:^$
``` ```
]], ]],
priority = 100, priority = 100,
@@ -50,11 +47,15 @@ local whitelist_req = {}
local blacklist_hist = {} local blacklist_hist = {}
local whitelist_hist = {} local whitelist_hist = {}
function on_config(config_text) function on_config()
blacklist, whitelist = {}, {} blacklist, whitelist = {}, {}
blacklist_req, whitelist_req = {}, {} blacklist_req, whitelist_req = {}, {}
blacklist_hist, whitelist_hist = {}, {} blacklist_hist, whitelist_hist = {}, {}
for line in config_text:gmatch("[^\n]+") do local cfg = get_config()
if not cfg or not cfg.patterns then
return
end
for _, line in ipairs(cfg.patterns) do
local trimmed = line:match("^%s*(.-)%s*$") local trimmed = line:match("^%s*(.-)%s*$")
if trimmed ~= "" and trimmed:sub(1, 1) ~= "#" then if trimmed ~= "" and trimmed:sub(1, 1) ~= "#" then
local scope = trimmed:match("^([rh]):") local scope = trimmed:match("^([rh]):")
@@ -74,17 +75,27 @@ end
local function check_skip(url, bl_extra, wl_extra) local function check_skip(url, bl_extra, wl_extra)
for _, p in ipairs(blacklist) do for _, p in ipairs(blacklist) do
if url:match(p) then return true end if url:match(p) then
return true
end
end end
for _, p in ipairs(bl_extra) do for _, p in ipairs(bl_extra) do
if url:match(p) then return true end if url:match(p) then
return true
end
end end
local wl = {} local wl = {}
for _, p in ipairs(whitelist) do wl[#wl + 1] = p end for _, p in ipairs(whitelist) do
for _, p in ipairs(wl_extra) do wl[#wl + 1] = p end wl[#wl + 1] = p
end
for _, p in ipairs(wl_extra) do
wl[#wl + 1] = p
end
if #wl > 0 then if #wl > 0 then
for _, p in ipairs(wl) do for _, p in ipairs(wl) do
if url:match(p) then return false end if url:match(p) then
return false
end
end end
return true return true
end end
@@ -92,13 +103,19 @@ local function check_skip(url, bl_extra, wl_extra)
end end
function on_request(req) function on_request(req)
if check_skip(req.url, blacklist_req, whitelist_req) then return "forward" end if check_skip(req.url, blacklist_req, whitelist_req) then
return "forward"
end
end end
function on_response(req) function on_response(req)
if check_skip(req.url, blacklist_req, whitelist_req) then return "forward" end if check_skip(req.url, blacklist_req, whitelist_req) then
return "forward"
end
end end
function on_history_entry(entry) function on_history_entry(entry)
if check_skip(entry.host .. entry.path, blacklist_hist, whitelist_hist) then return "skip" end if check_skip(entry.host .. entry.path, blacklist_hist, whitelist_hist) then
return "skip"
end
end end
+76 -28
View File
@@ -21,40 +21,61 @@ local CONTENT_TYPES = {
-- Key name alternation (case-insensitive via grep -i) -- Key name alternation (case-insensitive via grep -i)
-- Suffixes are required (no bare generic keyword alone). -- Suffixes are required (no bare generic keyword alone).
local KEYS = { local KEYS = {
"access(_key|_token)", "accessid_secret", "account(_key|_sid)", "access(_key|_token)",
"admin_pass(word)?", "admin_user", "accessid_secret",
"account(_key|_sid)",
"admin_pass(word)?",
"admin_user",
"(algolia|aws|gcp|azure|heroku|firebase|github|gitlab|slack|datadog|stripe|twilio|vercel|supabase|sendgrid|cloudinary|cloudflare|bitbucket|npm|netlify|auth0|okta|sentry)(_?(api|secret|access)(_?(key|token|id|sid|secret))?|_?(key|token|id|sid|secret))", "(algolia|aws|gcp|azure|heroku|firebase|github|gitlab|slack|datadog|stripe|twilio|vercel|supabase|sendgrid|cloudinary|cloudflare|bitbucket|npm|netlify|auth0|okta|sentry)(_?(api|secret|access)(_?(key|token|id|sid|secret))?|_?(key|token|id|sid|secret))",
"ansible_vault_password", "aos_key", "ansible_vault_password",
"aos_key",
"api(_key|_secret|_token)", "api(_key|_secret|_token)",
"app_(id|key|secret)", "application(_key|_id|_secret)", "app_(id|key|secret)",
"auth(_token|_secret|orization)", "authkey", "authsecret", "application(_key|_id|_secret)",
"auth(_token|_secret|orization)",
"authkey",
"authsecret",
"bearer_?token", "bearer_?token",
"bucket(_password|_key)", "bucket(_password|_key)",
"cert_?pass(word)?", "certificate_password", "cert_?pass(word)?",
"certificate_password",
"client(_id|_secret)", "client(_id|_secret)",
"codecov_token", "consumer_(key|secret)", "codecov_token",
"connection_?string", "credentials?", "crypt(_key|_secret)", "consumer_(key|secret)",
"connection_?string",
"credentials?",
"crypt(_key|_secret)",
"db_(password|passwd|user(name)?)", "db_(password|passwd|user(name)?)",
"deploy(_key|_password|_token)", "deploy(_key|_password|_token)",
"docker_?pass(word)?", "dockerhub_?password", "docker_?pass(word)?",
"dockerhub_?password",
"encryption_(key|password)", "encryption_(key|password)",
"jwt_secret", "json_web_token", "jwt_secret",
"keycloak_secret", "kubernetes_token", "json_web_token",
"ldap_(password|bindpw)", "login(_password|_token)", "keycloak_secret",
"mail_?password", "mail_smtp_pass", "kubernetes_token",
"mysql_password", "mongo_password", "ldap_(password|bindpw)",
"netlify_token", "npm(_token|_auth_token)", "login(_password|_token)",
"mail_?password",
"mail_smtp_pass",
"mysql_password",
"mongo_password",
"netlify_token",
"npm(_token|_auth_token)",
"oauth(_token|_secret)", "oauth(_token|_secret)",
"openai_(api_key|secret)", "openai_(api_key|secret)",
"pass(word)?", "passwd", "pass(word)?",
"passwd",
"private(_key|_token)", "private(_key|_token)",
"rds_password", "rds_password",
"s3(_key|_secret|_access_key_id)", "s3(_key|_secret|_access_key_id)",
"secret(_key|_token|_id)", "security_token", "secret(_key|_token|_id)",
"security_token",
"sendgrid_api_key", "sendgrid_api_key",
"ses_(smtp|access|secret)", "ses_(smtp|access|secret)",
"service(_account|_key|_token)", "service(_account|_key|_token)",
"smtp_pass(word)?", "smtp_secret", "smtp_pass(word)?",
"smtp_secret",
"sonar_token", "sonar_token",
"ssh(_key|_private_key|_rsa)", "ssh(_key|_private_key|_rsa)",
"supabase(_anon|_service)?_key", "supabase(_anon|_service)?_key",
@@ -79,10 +100,14 @@ local FULL_PAT = KEY_PAT .. '[a-z0-9._-]{0,20}[^=:a-zA-Z0-9_]{0,3}[[:space:]]*[:
local GREP_CMD = "grep -Eoni '" .. FULL_PAT .. "'" local GREP_CMD = "grep -Eoni '" .. FULL_PAT .. "'"
local function is_relevant(ct) local function is_relevant(ct)
if not ct or ct == "" then return false end if not ct or ct == "" then
return false
end
ct = ct:lower() ct = ct:lower()
for _, t in ipairs(CONTENT_TYPES) do for _, t in ipairs(CONTENT_TYPES) do
if ct:find(t, 1, true) then return true end if ct:find(t, 1, true) then
return true
end
end end
return false return false
end end
@@ -94,17 +119,23 @@ local function build_context(lines, linenum)
local before, after = {}, {} local before, after = {}, {}
for i = lo, linenum - 1 do for i = lo, linenum - 1 do
local l = lines[i] or "" local l = lines[i] or ""
if #l > 120 then l = l:sub(1, 120) .. "..." end if #l > 120 then
l = l:sub(1, 120) .. "..."
end
table.insert(before, l) table.insert(before, l)
end end
for i = linenum + 1, hi do for i = linenum + 1, hi do
local l = lines[i] or "" local l = lines[i] or ""
if #l > 120 then l = l:sub(1, 120) .. "..." end if #l > 120 then
l = l:sub(1, 120) .. "..."
end
table.insert(after, l) table.insert(after, l)
end end
local matched_line = lines[linenum] or "" local matched_line = lines[linenum] or ""
if #matched_line > 200 then matched_line = matched_line:sub(1, 200) .. "..." end if #matched_line > 200 then
matched_line = matched_line:sub(1, 200) .. "..."
end
local parts = {} local parts = {}
if #before > 0 then if #before > 0 then
@@ -118,15 +149,21 @@ local function build_context(lines, linenum)
end end
local function scan(label, ct, body, host, path) local function scan(label, ct, body, host, path)
if not is_relevant(ct) then return end if not is_relevant(ct) then
if not body or body == "" then return end return
end
if not body or body == "" then
return
end
local out, err = shell_pipe(GREP_CMD, body) local out, err = shell_pipe(GREP_CMD, body)
if err and err ~= "" then if err and err ~= "" then
log("grep error on " .. label .. " for " .. host .. path .. ": " .. err) log("grep error on " .. label .. " for " .. host .. path .. ": " .. err)
return return
end end
if not out or out == "" then return end if not out or out == "" then
return
end
local lines = {} local lines = {}
for line in (body .. "\n"):gmatch("([^\n]*)\n") do for line in (body .. "\n"):gmatch("([^\n]*)\n") do
@@ -140,11 +177,22 @@ local function scan(label, ct, body, host, path)
matched = matched:match("^%s*(.-)%s*$") matched = matched:match("^%s*(.-)%s*$")
if matched ~= "" then if matched ~= "" then
local display = matched local display = matched
if #display > 200 then display = display:sub(1, 200) .. "..." end if #display > 200 then
display = display:sub(1, 200) .. "..."
end
local ctx = build_context(lines, linenum) local ctx = build_context(lines, linenum)
create_finding({ create_finding({
title = "Potential secret in " .. label .. " (" .. host .. ")", title = "Potential secret in " .. label .. " (" .. host .. ")",
description = "**Host:** `" .. host .. "` \n**Path:** `" .. path .. "`\n\n**Match:** `" .. display .. "`\n\n" .. ctx, description = "**Host:** `"
.. host
.. "`\n"
.. "\n**Path:** `"
.. path
.. "`\n"
.. "\n**Match:** `"
.. display
.. "`\n\n"
.. ctx,
key = host .. "|" .. path .. "|" .. label .. "|" .. matched, key = host .. "|" .. path .. "|" .. label .. "|" .. matched,
severity = "high", severity = "high",
}) })
+18 -12
View File
@@ -4,9 +4,6 @@ Plugin = {
Scans request and response bodies for secrets using [TruffleHog](https://github.com/trufflesecurity/trufflehog). Scans request and response bodies for secrets using [TruffleHog](https://github.com/trufflesecurity/trufflehog).
Requires `trufflehog` v3+ to be installed and available in PATH. Requires `trufflehog` v3+ to be installed and available in PATH.
Each finding is stored on the **Findings** page with the matched detector output.
Findings are deduplicated per host+path+body content so repeated requests do not create duplicates.
]], ]],
on_start = { sync = false }, on_start = { sync = false },
on_request = { sync = false }, on_request = { sync = false },
@@ -15,9 +12,7 @@ Findings are deduplicated per host+path+body content so repeated requests do not
} }
function on_start() function on_start()
local handle = io.popen("command -v trufflehog 2>/dev/null") local result, _ = shell_pipe("command -v trufflehog 2>/dev/null")
local result = handle and handle:read("*a") or ""
if handle then handle:close() end
if not result or result:match("^%s*$") then if not result or result:match("^%s*$") then
log("trufflehog is not installed or not in PATH") log("trufflehog is not installed or not in PATH")
notif("TruffleHog", "trufflehog is not installed or not in PATH, plugin disabled", "error") notif("TruffleHog", "trufflehog is not installed or not in PATH, plugin disabled", "error")
@@ -26,28 +21,39 @@ function on_start()
end end
local function scan(label, content, host, path) local function scan(label, content, host, path)
if not content or content == "" then return end if not content or content == "" then
local out, err = shell_pipe("f=$(mktemp) && cat > \"$f\" && trufflehog filesystem --no-color \"$f\"; rc=$?; rm -f \"$f\"; exit $rc", content) return
end
local out, err = shell_pipe(
'f=$(mktemp) && cat > "$f" && trufflehog filesystem --no-color "$f"; rc=$?; rm -f "$f"; exit $rc',
content
)
if err and err ~= "" then if err and err ~= "" then
log("trufflehog error on " .. label .. ": " .. err) log("trufflehog error on " .. label .. ": " .. err)
return return
end end
if not out or out == "" then return end if not out or out == "" then
return
end
local blocks = {} local blocks = {}
local current = nil local current = nil
for line in out:gmatch("[^\n]+") do for line in out:gmatch("[^\n]+") do
if line:match("^Found ") then if line:match("^Found ") then
if current then table.insert(blocks, current) end if current then
table.insert(blocks, current)
end
current = line current = line
elseif current then elseif current then
current = current .. "\n" .. line current = current .. "\n" .. line
end end
end end
if current then table.insert(blocks, current) end if current then
table.insert(blocks, current)
end
for _, block in ipairs(blocks) do for _, block in ipairs(blocks) do
create_finding({ create_finding({
title = "Secret detected in " .. label .. " (" .. host .. ")", title = "Secret detected in " .. label .. " (" .. host .. ")",
description = "**Host:** `" .. host .. "` \n**Path:** `" .. path .. "`\n\n```\n" .. block .. "\n```", description = "**Host:** `" .. host .. "`\n\n**Path:** `" .. path .. "`\n\n```\n" .. block .. "\n```",
key = host .. "|" .. path .. "|" .. label .. "|" .. block, key = host .. "|" .. path .. "|" .. label .. "|" .. block,
severity = "high", severity = "high",
}) })
+3
View File
@@ -8,6 +8,9 @@ import (
"path/filepath" "path/filepath"
) )
//go:embed docs
var DocsFS embed.FS
//go:embed plugins/*.lua //go:embed plugins/*.lua
var PluginsFS embed.FS var PluginsFS embed.FS