Nmap Development mailing list archives

Re: CouchDB scripts


From: Martin Holst Swende <martin () swende se>
Date: Sun, 31 Jan 2010 21:21:28 +0100

David Fifield wrote:
On Wed, Jan 27, 2010 at 09:17:41PM +0100, Martin Holst Swende wrote:
  
A CouchDB library and scripts are now finished (at least in alpha). It
consists of:
* json.lua - library for parsing json
* couchdb-databases.nse - script which gets database info
* couchdb-get-stats.nse - script which gets some runtime statistics from
the database.

Sample output is below (the bottom one may be a bit verbose - perhaps I
should compact that a bit).

The scripts can be found at the same place (or via hg pull ; hg update).
For future reference: would you rather I send files via email?
    

Thanks. These scripts will be good ones to have. I tested it against
CouchDB installed fresh from MacPorts. The first time running after
starting the server I see

PORT     STATE SERVICE
5984/tcp open  unknown
|_couchdb-get-stats:
|_couchdb-databases:

The second and every following time I run the script, I get
[snip]
  
No, I have no idea. I don't suppose you kept the -d3 log showing the
traffic?

I like that you have split JSON into a separate library. The library is
too verbose with -d. The very low level parsing debug messages like

NSE: Json:Parsed key a
  
[snip]

should be pushed up to -d4, or removed altogether if they are no longer
needed.
  
Sure.

I would like json.qtrim to handle backslash escapes, and signal an error
if it doesn't get a valid quoted string. It looks like fromJson can
silently return bad data in the case of an error. I added these to your
test cases:

        '() test ()',
        '1 / 2',
        '"gaz\\"onk"',
        '{foo:"gaz\\"onk", pi:3.14159,hello:{ wo:"rld"}}',
 
They decode and flatten to, respectively,

      () test (),
      1 / 2,
      gaz\,
      {hello={wo=rld,},pi=3.14159,foo=gaz\,}

I would expect an error in the first two cases and

      gaz"onk
      {hello={wo=rld,},pi=3.14159,foo=gaz"onk,}

for the last two. 

This is where things start getting tricky. Regarding keys, which the
qtrim is used for, we have some rules: they must be valid javascript
object attribute names. This is valid:
a={"fo\"o":"bar",vax:"boork"};

So, I will implement unescape for keys, but they do not have to be
quoted in the first place (like a.vax), so it should not give errors in
those cases.

For values, however, it is more tricky, since they can be pretty much
anything:

a={a:1/2, b:alert, c:alert(1), d:{}+1, e:""|''|""}

a.a => 0.5 (number)
a.b => the window.alert function (native function)
a.c => the return of alert, (undefined)
a.d => "[object Object]1" (string)
a.e => Three empty strings, OR:ed into 0 (number)

So it is a bit of a mess going too deep into validating values. However,
some basic checks could be done:
1. The top-level data should be of the form {...} or [...], just
sanity-check that it probably is json data.
2. Values that are 'probably' strings (end with and start with the
same quoting character), should be escaped as keys (which would probably
mess up cases like a.e).

Any other ideas?

I like the flatten functionality, but you should make
it return JSON so that the library can be used to encode as well as
decode. If you just want a quick look at a Lua table, use
nsedebug.tostr.
It was just a quick look I wanted, so far there's no need for me to
encode json. Perhaps save that for later? Thanks for the input.
/Martin

http://nmap.org/nsedoc/lib/nsedebug.html#tostr

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
  

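
Added example (not part of the original thread, and not code from json.lua): one way to get the behaviour discussed above, where a quoted string is decoded with its backslash escapes and anything that is not a valid quoted string produces an error instead of silently returning bad data, plus the top-level {...} / [...] sanity check. The names unquote and is_container are hypothetical, and only single-character escapes are handled (\uXXXX is left out).

```lua
-- Added example, not code from json.lua.
-- unquote() and is_container() are hypothetical names.
local ESCAPES = { ['"'] = '"', ["'"] = "'", ["\\"] = "\\", ["/"] = "/",
  b = "\b", f = "\f", n = "\n", r = "\r", t = "\t" }

-- Decode a quoted string. Returns the decoded value, or nil plus an error
-- message when the input is not one complete, validly escaped quoted string.
local function unquote(s)
  local q = s:sub(1, 1)
  if q ~= '"' and q ~= "'" then
    return nil, "not a quoted string"
  end
  local out, i = {}, 2
  while i <= #s do
    local c = s:sub(i, i)
    if c == q then
      -- The closing quote must be the last character of the input.
      if i ~= #s then return nil, "data after closing quote" end
      return table.concat(out)
    elseif c == "\\" then
      local e = ESCAPES[s:sub(i + 1, i + 1)]
      if not e then return nil, "bad escape at offset " .. i end
      out[#out + 1] = e
      i = i + 2
    else
      out[#out + 1] = c
      i = i + 1
    end
  end
  return nil, "unterminated string"
end

-- Top-level sanity check: after trimming, the data must be {...} or [...].
local function is_container(s)
  local t = s:match("^%s*(.-)%s*$")
  local first, last = t:sub(1, 1), t:sub(-1)
  return (first == "{" and last == "}") or (first == "[" and last == "]")
end

-- Test inputs from the thread, plus one constructed truncated string.
local cases = { '() test ()', '1 / 2', '"gaz\\"onk"', '"gaz\\' }
for _, input in ipairs(cases) do
  local value, err = unquote(input)
  print(input, value or ("error: " .. err))
end
print(is_container('{foo:"gaz\\"onk", pi:3.14159,hello:{ wo:"rld"}}'))
print(is_container('1 / 2'))
```

Unquoted keys such as vax in the thread's example are not handled by unquote; a caller would try the bare-identifier case first and only call unquote when the token starts with a quote character.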

