Nmap Development mailing list archives

Re: CouchDB and MongoDB


From: Martin Holst Swende <martin () swende se>
Date: Mon, 22 Feb 2010 23:09:09 +0100

Hi!

Thank you David for the testing and comments!

David Fifield wrote:
> On Wed, Feb 03, 2010 at 10:07:03PM +0100, Martin Holst Swende wrote:
>> Hi,
>>
>> I have now implemented the following :
>> - json.lua is heavily reworked (and now according to specs :)) - except
>> for Unicode collapsing into UTF-8, which is not done. If you have any
>> good pointers on how to do that it is welcome.
>
> First you must decode from UTF-16, then you must reencode with UTF-8. I
> think the Unicode character handling is important to have, at least so
> we're not passing things like "\u0041" on to scripts. It will not be
> terribly hard to implement, but if you like you can leave it until last.
> I am thinking of writing a unicode.lua or charenc.lua library to handle
> encodings like these, and then json.lua can just use that.
  
I have, as you suggested, still left it out. However, I am in need of
just that functionality also for an authentication library for mongodb
I am working on, so I may fix it if I find some time for it.

[snip]

> That's a good question. For now, I would just use
>
> portrule = shortport.portnumber({5984})
  
Done for all couch scripts.

[snip]
> Here are the test cases I want you to add to the library:
>
>         '',                     -- error
>         'null',                 -- error
>         '"abc"',                -- error
>         '{a":1}',               -- error
>         '{"a" bad :1}',         -- error
>         '["a\\\\t"]',           -- Should become Lua {"a\t"}
>         '["a\\"]',              -- Should become Lua {"a\"}
>         '{"a}": 1}',            -- Should become Lua {"a}" = 1}
>         '["key": "value"]',     -- error
>         '["\\u0041"]',          -- Should become Lua {"A"}
>         '["\\uD800"]',          -- error
>         '["\\uD834\\uDD1E"]',   -- Should become Lua {"\240\157\132\158"}
  
I have now rewritten the json library. I got tired of dealing with state
by passing parameters and return values, and made an OO-approach (for
the parser-part). It became much nicer. It also made it easier to handle
errors, so the library now says stuff like

NSE: Json:Syntax error near pos 2: Expected '"', got 'a' input: {a":1}

I did not go all the way with a tokenizing lexer, a grammar etc - the
grammar is part of the parser flow, but otherwise I have skipped all
%b{} and such 'shortcuts' and parse character by character.

I disagree about one point though:

    '["a\\"]',          -- Should become Lua {"a\"}

a\\" is interpreted in Lua as a\", which to the parser looks like an
escaped quote, and gives a syntax error. Did you mean '["a\\\\"]', or am
I lost again? :)

> json.NULL is good idea, and I understand the reason for it, but it can't
> be a constant string like it is now. So I'm going to ask anyone reading,
> is there a good way to create a unique Lua object that can't be mistaken
> for any other type of object?
  
What problem do you see with using a constant string? The way I see it:
if the script using this library gets a "null" from the server, one way
or the other, it will fail unless it checks explicitly for equality with
json.NULL. The reason I chose 'JAVASCRIPT NULL' is it gives script
writers a chance to read the text and look it up in the library. Perhaps
something like "JAVASCRIPT NULL : check documentation in json.lua" would
be better?

On another note (but still couch): I added a test to the
couchdb-get-stats.nse to check if authentication is enabled. It now
outputs :

PORT     STATE SERVICE REASON
5984/tcp open  httpd   syn-ack
| couchdb-get-stats: 
|   httpd_request_methods
|     GET (number of HTTP GET requests)
|       current = 5
|       count = 1617
|   couchdb
|     request_time (length of a request inside CouchDB without MochiWeb)
|       current = 1
|       count = 5
|   httpd_status_codes
|     200 (number of HTTP 200 OK responses)
|       current = 5
|       count = 1617
|   httpd
|     requests (number of HTTP requests)
|       current = 5
|       count = 1617
|_  Authentication : NOT enabled ('admin party')


Attaching files, also available from my repo. At the repo, there is also
some work on bruteforcers for mongo and couch. I'll post about that
later, when it is more complete.

Regards,
Martin Holst Swende
> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/
  

Attachment: couch.tar.gz
Description:
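
The UTF-16 to UTF-8 step discussed in the thread, as an added example (not part of the original message and not code from json.lua): it decodes the \uXXXX escapes in the body of a JSON string, combining surrogate pairs and rejecting unpaired ones. The names utf8_encode, read_unit and decode_u_escapes are hypothetical, and other escapes are passed through untouched for the rest of a parser to handle.

```lua
local floor, char = math.floor, string.char
-- Encode one code point (0..0x10FFFF) as UTF-8 bytes.
local function utf8_encode(cp)
  if cp < 0x80 then return char(cp) end
  if cp < 0x800 then return char(0xC0 + floor(cp / 0x40), 0x80 + cp % 0x40) end
  if cp < 0x10000 then
    return char(0xE0 + floor(cp / 0x1000), 0x80 + floor(cp / 0x40) % 0x40, 0x80 + cp % 0x40)
  end
  return char(0xF0 + floor(cp / 0x40000), 0x80 + floor(cp / 0x1000) % 0x40,
              0x80 + floor(cp / 0x40) % 0x40, 0x80 + cp % 0x40)
end

-- Return the 16-bit value of a \uXXXX escape starting at pos, or nil.
local function read_unit(s, pos)
  local hex = s:match("^\\u(%x%x%x%x)", pos)
  return hex and tonumber(hex, 16)
end

-- Hypothetical helper: s is the body of a JSON string, without its quotes.
local function decode_u_escapes(s)
  local out, pos = {}, 1
  while pos <= #s do
    local c = s:sub(pos, pos)
    if c ~= "\\" then
      out[#out + 1], pos = c, pos + 1
    elseif s:sub(pos + 1, pos + 1) ~= "u" then  -- \\ \" \t ...: copy as-is
      out[#out + 1], pos = s:sub(pos, pos + 1), pos + 2
    else
      local unit = read_unit(s, pos)
      if not unit then return nil, "bad \\u escape at pos " .. pos end
      pos = pos + 6
      if unit >= 0xD800 and unit <= 0xDFFF then  -- UTF-16 surrogate range
        local low = read_unit(s, pos)            -- a low surrogate must follow
        if unit > 0xDBFF or not low or low < 0xDC00 or low > 0xDFFF then
          return nil, "unpaired surrogate before pos " .. pos
        end
        unit, pos = 0x10000 + (unit - 0xD800) * 0x400 + (low - 0xDC00), pos + 6
      end
      out[#out + 1] = utf8_encode(unit)
    end
  end
  return table.concat(out)
end

-- Three of the cases listed in the thread, plus a constructed escaped backslash.
assert(decode_u_escapes("\\u0041") == "A")
assert(decode_u_escapes("\\uD834\\uDD1E") == "\240\157\132\158")
assert(decode_u_escapes("\\uD800") == nil)
assert(decode_u_escapes("\\\\u0041") == "\\\\u0041")
```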
