mitmproxy/libmproxy/web/app.py

import os.path
import re
import tornado.web
import tornado.websocket
import logging
import json
from .. import version, filt


class APIError(tornado.web.HTTPError):
    pass


class RequestHandler(tornado.web.RequestHandler):
    def set_default_headers(self):
        super(RequestHandler, self).set_default_headers()
        self.set_header("Server", version.NAMEVERSION)
        self.set_header("X-Frame-Options", "DENY")
        self.add_header("X-XSS-Protection", "1; mode=block")
        self.add_header("X-Content-Type-Options", "nosniff")
        self.add_header("Content-Security-Policy", "default-src 'self'; "
                                                   "connect-src 'self' ws://* ; "
                                                   "style-src   'self' 'unsafe-inline'")

    @property
    def state(self):
        return self.application.master.state

    @property
    def master(self):
        return self.application.master

    @property
    def flow(self):
        flow_id = str(self.path_kwargs["flow_id"])
        flow = self.state.flows.get(flow_id)
        if flow:
            return flow
        else:
            raise APIError(400, "Flow not found.")

    def write_error(self, status_code, **kwargs):
        if "exc_info" in kwargs and isinstance(kwargs["exc_info"][1], APIError):
            self.finish(kwargs["exc_info"][1].log_message)
        else:
            super(RequestHandler, self).write_error(status_code, **kwargs)


class IndexHandler(RequestHandler):
    def get(self):
        _ = self.xsrf_token  # https://github.com/tornadoweb/tornado/issues/645
        self.render("index.html")


class FiltHelp(RequestHandler):
    def get(self):
        self.write(dict(
            commands=filt.help
        ))

class WebSocketEventBroadcaster(tornado.websocket.WebSocketHandler):
    connections = None  # raise an error if inherited class doesn't specify its own instance.

    def open(self):
        self.connections.add(self)

    def on_close(self):
        self.connections.remove(self)

    @classmethod
    def broadcast(cls, **kwargs):
        message = json.dumps(kwargs)
        for conn in cls.connections:
            try:
                conn.write_message(message)
            except:
                logging.error("Error sending message", exc_info=True)


class ClientConnection(WebSocketEventBroadcaster):
    connections = set()


class Flows(RequestHandler):
    def get(self):
        self.write(dict(
            data=[f.get_state(short=True) for f in self.state.flows]
        ))


class ClearAll(RequestHandler):
    def post(self):
        self.state.clear()


class AcceptFlows(RequestHandler):
    def post(self):
        self.state.flows.accept_all(self.master)


class AcceptFlow(RequestHandler):
    def post(self, flow_id):
        self.flow.accept_intercept(self.master)


class FlowHandler(RequestHandler):
    def delete(self, flow_id):
        self.flow.kill(self.master)
        self.state.delete_flow(self.flow)


class DuplicateFlow(RequestHandler):
    def post(self, flow_id):
        self.master.duplicate_flow(self.flow)


class RevertFlow(RequestHandler):
    def post(self, flow_id):
        self.state.revert(self.flow)


class ReplayFlow(RequestHandler):
    def post(self, flow_id):
        r = self.master.replay_request(self.flow)
        if r:
            raise APIError(400, r)


class FlowContent(RequestHandler):
    def get(self, flow_id, message):
        message = getattr(self.flow, message)

        if not message.content:
            raise APIError(400, "No content.")

        content_encoding = message.headers.get_first("Content-Encoding", None)
        if content_encoding:
            content_encoding = re.sub(r"[^\w]", "", content_encoding)
            self.set_header("Content-Encoding", content_encoding)

        original_cd = message.headers.get_first("Content-Disposition", None)
        filename = None
        if original_cd:
            filename = re.search("filename=([\w\" \.\-\(\)]+)", original_cd)
            if filename:
                filename = filename.group(1)
        if not filename:
            filename = self.flow.request.path.split("?")[0].split("/")[-1]

        filename = re.sub(r"[^\w\" \.\-\(\)]", "", filename)
        cd = "attachment; filename={}".format(filename)
        self.set_header("Content-Disposition", cd)
        self.set_header("Content-Type", "application/text")
        self.set_header("X-Content-Type-Options", "nosniff")
        self.set_header("X-Frame-Options", "DENY")
        self.write(message.content)


class Events(RequestHandler):
    def get(self):
        self.write(dict(
            data=list(self.state.events)
        ))


class Settings(RequestHandler):
    def get(self):
        self.write(dict(
            data=dict(
                version=version.VERSION,
                mode=str(self.master.server.config.mode),
                intercept=self.state.intercept_txt
            )
        ))

    def put(self, *update, **kwargs):
        update = {}
        for k, v in self.request.arguments.iteritems():
            if len(v) != 1:
                print "Warning: Unknown length for setting {}: {}".format(k, v)
                continue

            if k == "_xsrf":
                continue
            elif k == "intercept":
                self.state.set_intercept(v[0])
                update[k] = v[0]
            else:
                print "Warning: Unknown setting {}: {}".format(k, v)

        ClientConnection.broadcast(
            type="settings",
            cmd="update",
            data=update
        )


class Application(tornado.web.Application):
    def __init__(self, master, debug):
        self.master = master
        handlers = [
            (r"/", IndexHandler),
            (r"/filter-help", FiltHelp),
            (r"/updates", ClientConnection),
            (r"/events", Events),
            (r"/flows", Flows),
            (r"/flows/accept", AcceptFlows),
            (r"/flows/(?P<flow_id>[0-9a-f\-]+)", FlowHandler),
            (r"/flows/(?P<flow_id>[0-9a-f\-]+)/accept", AcceptFlow),
            (r"/flows/(?P<flow_id>[0-9a-f\-]+)/duplicate", DuplicateFlow),
            (r"/flows/(?P<flow_id>[0-9a-f\-]+)/replay", ReplayFlow),
            (r"/flows/(?P<flow_id>[0-9a-f\-]+)/revert", RevertFlow),
            (r"/flows/(?P<flow_id>[0-9a-f\-]+)/(?P<message>request|response)/content", FlowContent),
            (r"/settings", Settings),
            (r"/clear", ClearAll),
        ]
        settings = dict(
            template_path=os.path.join(os.path.dirname(__file__), "templates"),
            static_path=os.path.join(os.path.dirname(__file__), "static"),
            xsrf_cookies=True,
            cookie_secret=os.urandom(256),
            debug=debug,
        )
        super(Application, self).__init__(handlers, **settings)
Basic web service and options 2014-09-14 00:22:28 +00:00			`import os.path`
web: CSP, revert functionality, serve content 2014-12-25 15:10:47 +00:00			`import re`
Basic web service and options 2014-09-14 00:22:28 +00:00			`import tornado.web`
Basic websocket connection, code cleanup. 2014-09-16 21:40:25 +00:00			`import tornado.websocket`
			`import logging`
Introduce short form object state, and connect the ends to send data to web app 2014-09-17 01:58:56 +00:00			`import json`
web: integrate filter docs 2014-12-26 02:10:24 +00:00			`from .. import version, filt`
Basic web service and options 2014-09-14 00:22:28 +00:00

web: duplicate, delete, replay flows 2014-12-24 00:07:57 +00:00			`class APIError(tornado.web.HTTPError):`
			`pass`

web: CSP, revert functionality, serve content 2014-12-25 15:10:47 +00:00
			`class RequestHandler(tornado.web.RequestHandler):`
			`def set_default_headers(self):`
			`super(RequestHandler, self).set_default_headers()`
			`self.set_header("Server", version.NAMEVERSION)`
			`self.set_header("X-Frame-Options", "DENY")`
			`self.add_header("X-XSS-Protection", "1; mode=block")`
			`self.add_header("X-Content-Type-Options", "nosniff")`
			`self.add_header("Content-Security-Policy", "default-src 'self'; "`
			`"connect-src 'self' ws://* ; "`
			`"style-src 'self' 'unsafe-inline'")`

			`@property`
			`def state(self):`
			`return self.application.master.state`

			`@property`
			`def master(self):`
			`return self.application.master`

			`@property`
			`def flow(self):`
			`flow_id = str(self.path_kwargs["flow_id"])`
			`flow = self.state.flows.get(flow_id)`
			`if flow:`
			`return flow`
			`else:`
			`raise APIError(400, "Flow not found.")`

			`def write_error(self, status_code, **kwargs):`
			`if "exc_info" in kwargs and isinstance(kwargs["exc_info"][1], APIError):`
			`self.finish(kwargs["exc_info"][1].log_message)`
			`else:`
			`super(RequestHandler, self).write_error(status_code, **kwargs)`


			`class IndexHandler(RequestHandler):`
Add tornado dependency, serve index file 2014-09-14 00:33:07 +00:00			`def get(self):`
web: various fixes, add clear button 2014-11-28 18:16:47 +00:00			`_ = self.xsrf_token # https://github.com/tornadoweb/tornado/issues/645`
Add tornado dependency, serve index file 2014-09-14 00:33:07 +00:00			`self.render("index.html")`


web: integrate filter docs 2014-12-26 02:10:24 +00:00			`class FiltHelp(RequestHandler):`
			`def get(self):`
			`self.write(dict(`
			`commands=filt.help`
			`))`

introduce revised views, port over changes from multiple_views branch 2014-11-26 03:18:21 +00:00			`class WebSocketEventBroadcaster(tornado.websocket.WebSocketHandler):`
			`connections = None # raise an error if inherited class doesn't specify its own instance.`
Basic websocket connection, code cleanup. 2014-09-16 21:40:25 +00:00
			`def open(self):`
introduce revised views, port over changes from multiple_views branch 2014-11-26 03:18:21 +00:00			`self.connections.add(self)`
Basic websocket connection, code cleanup. 2014-09-16 21:40:25 +00:00
			`def on_close(self):`
introduce revised views, port over changes from multiple_views branch 2014-11-26 03:18:21 +00:00			`self.connections.remove(self)`
Basic websocket connection, code cleanup. 2014-09-16 21:40:25 +00:00
			`@classmethod`
generalize store 2014-12-09 17:55:16 +00:00			`def broadcast(cls, **kwargs):`
			`message = json.dumps(kwargs)`
Basic websocket connection, code cleanup. 2014-09-16 21:40:25 +00:00			`for conn in cls.connections:`
			`try:`
introduce revised views, port over changes from multiple_views branch 2014-11-26 03:18:21 +00:00			`conn.write_message(message)`
Basic websocket connection, code cleanup. 2014-09-16 21:40:25 +00:00			`except:`
			`logging.error("Error sending message", exc_info=True)`


web: intercept feature 2014-12-23 19:33:42 +00:00			`class ClientConnection(WebSocketEventBroadcaster):`
			`connections = set()`


web: duplicate, delete, replay flows 2014-12-24 00:07:57 +00:00			`class Flows(RequestHandler):`
introduce revised views, port over changes from multiple_views branch 2014-11-26 03:18:21 +00:00			`def get(self):`
			`self.write(dict(`
web: duplicate, delete, replay flows 2014-12-24 00:07:57 +00:00			`data=[f.get_state(short=True) for f in self.state.flows]`
web: add event store, fix all those bugs 2014-12-09 23:47:05 +00:00			`))`

web: intercept feature 2014-12-23 19:33:42 +00:00
web: duplicate, delete, replay flows 2014-12-24 00:07:57 +00:00			`class ClearAll(RequestHandler):`
			`def post(self):`
			`self.state.clear()`


			`class AcceptFlows(RequestHandler):`
web: intercept feature 2014-12-23 19:33:42 +00:00			`def post(self):`
web: duplicate, delete, replay flows 2014-12-24 00:07:57 +00:00			`self.state.flows.accept_all(self.master)`


			`class AcceptFlow(RequestHandler):`
			`def post(self, flow_id):`
			`self.flow.accept_intercept(self.master)`


			`class FlowHandler(RequestHandler):`
			`def delete(self, flow_id):`
			`self.flow.kill(self.master)`
			`self.state.delete_flow(self.flow)`
web: intercept feature 2014-12-23 19:33:42 +00:00

web: duplicate, delete, replay flows 2014-12-24 00:07:57 +00:00			`class DuplicateFlow(RequestHandler):`
web: intercept feature 2014-12-23 19:33:42 +00:00			`def post(self, flow_id):`
web: duplicate, delete, replay flows 2014-12-24 00:07:57 +00:00			`self.master.duplicate_flow(self.flow)`
web: intercept feature 2014-12-23 19:33:42 +00:00
web: CSP, revert functionality, serve content 2014-12-25 15:10:47 +00:00
			`class RevertFlow(RequestHandler):`
			`def post(self, flow_id):`
			`self.state.revert(self.flow)`


web: duplicate, delete, replay flows 2014-12-24 00:07:57 +00:00			`class ReplayFlow(RequestHandler):`
			`def post(self, flow_id):`
			`r = self.master.replay_request(self.flow)`
			`if r:`
			`raise APIError(400, r)`

web: CSP, revert functionality, serve content 2014-12-25 15:10:47 +00:00
			`class FlowContent(RequestHandler):`
			`def get(self, flow_id, message):`
			`message = getattr(self.flow, message)`

			`if not message.content:`
			`raise APIError(400, "No content.")`

			`content_encoding = message.headers.get_first("Content-Encoding", None)`
			`if content_encoding:`
			`content_encoding = re.sub(r"[^\w]", "", content_encoding)`
			`self.set_header("Content-Encoding", content_encoding)`

			`original_cd = message.headers.get_first("Content-Disposition", None)`
			`filename = None`
			`if original_cd:`
			`filename = re.search("filename=([\w\" \.\-\(\)]+)", original_cd)`
			`if filename:`
			`filename = filename.group(1)`
			`if not filename:`
			`filename = self.flow.request.path.split("?")[0].split("/")[-1]`

			`filename = re.sub(r"[^\w\" \.\-\(\)]", "", filename)`
			`cd = "attachment; filename={}".format(filename)`
			`self.set_header("Content-Disposition", cd)`
			`self.set_header("Content-Type", "application/text")`
			`self.set_header("X-Content-Type-Options", "nosniff")`
			`self.set_header("X-Frame-Options", "DENY")`
			`self.write(message.content)`


web: duplicate, delete, replay flows 2014-12-24 00:07:57 +00:00			`class Events(RequestHandler):`
web: add event store, fix all those bugs 2014-12-09 23:47:05 +00:00			`def get(self):`
			`self.write(dict(`
web: duplicate, delete, replay flows 2014-12-24 00:07:57 +00:00			`data=list(self.state.events)`
web: implement settings store, modularize store 2014-12-10 14:25:40 +00:00			`))`


web: duplicate, delete, replay flows 2014-12-24 00:07:57 +00:00			`class Settings(RequestHandler):`
web: implement settings store, modularize store 2014-12-10 14:25:40 +00:00			`def get(self):`
			`self.write(dict(`
			`data=dict(`
web: show mitmproxy version 2014-12-25 01:08:58 +00:00			`version=version.VERSION,`
web: much ui work, such christmas 2014-12-25 01:03:55 +00:00			`mode=str(self.master.server.config.mode),`
web: duplicate, delete, replay flows 2014-12-24 00:07:57 +00:00			`intercept=self.state.intercept_txt`
web: implement settings store, modularize store 2014-12-10 14:25:40 +00:00			`)`
introduce revised views, port over changes from multiple_views branch 2014-11-26 03:18:21 +00:00			`))`

web: intercept feature 2014-12-23 19:33:42 +00:00			`def put(self, update, *kwargs):`
			`update = {}`
			`for k, v in self.request.arguments.iteritems():`
			`if len(v) != 1:`
			`print "Warning: Unknown length for setting {}: {}".format(k, v)`
			`continue`

			`if k == "_xsrf":`
			`continue`
			`elif k == "intercept":`
web: duplicate, delete, replay flows 2014-12-24 00:07:57 +00:00			`self.state.set_intercept(v[0])`
web: intercept feature 2014-12-23 19:33:42 +00:00			`update[k] = v[0]`
			`else:`
			`print "Warning: Unknown setting {}: {}".format(k, v)`

			`ClientConnection.broadcast(`
			`type="settings",`
			`cmd="update",`
			`data=update`
			`)`

introduce revised views, port over changes from multiple_views branch 2014-11-26 03:18:21 +00:00
web: intercept feature 2014-12-23 19:33:42 +00:00			`class Application(tornado.web.Application):`
			`def __init__(self, master, debug):`
			`self.master = master`
Basic web service and options 2014-09-14 00:22:28 +00:00			`handlers = [`
Add tornado dependency, serve index file 2014-09-14 00:33:07 +00:00			`(r"/", IndexHandler),`
web: integrate filter docs 2014-12-26 02:10:24 +00:00			`(r"/filter-help", FiltHelp),`
Basic websocket connection, code cleanup. 2014-09-16 21:40:25 +00:00			`(r"/updates", ClientConnection),`
web: add event store, fix all those bugs 2014-12-09 23:47:05 +00:00			`(r"/events", Events),`
web: various fixes, add clear button 2014-11-28 18:16:47 +00:00			`(r"/flows", Flows),`
web: intercept feature 2014-12-23 19:33:42 +00:00			`(r"/flows/accept", AcceptFlows),`
web: duplicate, delete, replay flows 2014-12-24 00:07:57 +00:00			`(r"/flows/(?P<flow_id>[0-9a-f\-]+)", FlowHandler),`
			`(r"/flows/(?P<flow_id>[0-9a-f\-]+)/accept", AcceptFlow),`
			`(r"/flows/(?P<flow_id>[0-9a-f\-]+)/duplicate", DuplicateFlow),`
			`(r"/flows/(?P<flow_id>[0-9a-f\-]+)/replay", ReplayFlow),`
web: CSP, revert functionality, serve content 2014-12-25 15:10:47 +00:00			`(r"/flows/(?P<flow_id>[0-9a-f\-]+)/revert", RevertFlow),`
			`(r"/flows/(?P<flow_id>[0-9a-f\-]+)/(?P<message>request\|response)/content", FlowContent),`
web: implement settings store, modularize store 2014-12-10 14:25:40 +00:00			`(r"/settings", Settings),`
web: duplicate, delete, replay flows 2014-12-24 00:07:57 +00:00			`(r"/clear", ClearAll),`
Basic web service and options 2014-09-14 00:22:28 +00:00			`]`
			`settings = dict(`
			`template_path=os.path.join(os.path.dirname(__file__), "templates"),`
			`static_path=os.path.join(os.path.dirname(__file__), "static"),`
			`xsrf_cookies=True,`
web: various fixes, add clear button 2014-11-28 18:16:47 +00:00			`cookie_secret=os.urandom(256),`
Basic web service and options 2014-09-14 00:22:28 +00:00			`debug=debug,`
			`)`
web: CSP, revert functionality, serve content 2014-12-25 15:10:47 +00:00			`super(Application, self).__init__(handlers, **settings)`