Merge pull request #235 from AikidoSec/decode-url-strings

Keep both encoded and unencoded http data

Author: teta2k

Aikido.Zen.Core/Helpers/HttpHelper.cs

@@ -84,8 +84,8 @@ public static async Task<HttpDataResult> ReadAndFlattenHttpDataAsync(
                 LogHelper.ErrorLog(Agent.Logger, $"caught error while parsing body: {e.Message}");
             }
 
-            // Decode percent-encoded values
-            UserInputHelper.DecodeUriValues(result);
+            // Add decoded URI strings to result dictionary where applicable
+            UserInputHelper.ProcessUriValues(result);
 
             return new HttpDataResult
             {

Aikido.Zen.Core/Helpers/UserInputHelper.cs

@@ -14,10 +14,10 @@ public static class UserInputHelper
         private const int MaxDecodeUriPasses = 2;
 
         /// <summary>
-        /// Decodes percent-encoded values in place (e.g. who%61mi => whoami).
+        /// Processes all values and adds URI decoded variants where applicable (e.g. who%61mi => whoami).
         /// </summary>
-        /// <param name="values">Dictionary containing user input values.</param>
-        public static void DecodeUriValues(IDictionary<string, string> values)
+        /// <param name="result">The dictionary to store processed data.</param>
+        public static void ProcessUriValues(IDictionary<string, string> values)
         {
             if (values == null || values.Count == 0)
             {
@@ -26,7 +26,11 @@ public static void DecodeUriValues(IDictionary<string, string> values)
 
             foreach (var key in values.Keys.ToList())
             {
-                values[key] = DecodeUriComponent(values[key]);
+                string original = values[key];
+                if (TryDecodeUriComponent(original, out string decoded))
+                {
+                    values[$"{key}|decoded"] = decoded;
+                }
             }
         }
 
@@ -128,13 +132,14 @@ public static bool IsMultipart(string contentType, out string boundary)
             return isMultipart;
         }
 
-        private static string DecodeUriComponent(string input)
+        private static bool TryDecodeUriComponent(string input, out string decoded)
         {
-            string decoded = input;
+            bool changed = false;
+            decoded = input;
 
             if (string.IsNullOrEmpty(input))
             {
-                return decoded;
+                return false;
             }
 
             for (int i = 0; i < MaxDecodeUriPasses; i++)
@@ -146,9 +151,10 @@ private static string DecodeUriComponent(string input)
                 }
 
                 decoded = next;
+                changed = true;
             }
 
-            return decoded;
+            return changed;
         }
     }
 }

Aikido.Zen.Test/HttpHelperTests.cs

@@ -131,15 +131,25 @@ public async Task ReadAndFlattenHttpDataAsync_ShouldDecodePercentEncodedUserInpu
                 bodyStream.Length);
 
             // Assert
-            Assert.That(result.FlattenedData["route.command"], Is.EqualTo("whoami"));
-            Assert.That(result.FlattenedData["query.path"], Is.EqualTo("../etc/passwd"));
-            Assert.That(result.FlattenedData["query.emoji"], Is.EqualTo("\U0001F600"));
-            Assert.That(result.FlattenedData["query.double"], Is.EqualTo("whoami"));
+            Assert.That(result.FlattenedData["route.command"], Is.EqualTo("who%61mi"));
+            Assert.That(result.FlattenedData["query.path"], Is.EqualTo("%2e%2e%2fetc%2fpasswd"));
+            Assert.That(result.FlattenedData["query.emoji"], Is.EqualTo("%F0%9F%98%80"));
+            Assert.That(result.FlattenedData["query.double"], Is.EqualTo("%2577%2568%256f%2561%256d%2569"));
             Assert.That(result.FlattenedData["query.invalid"], Is.EqualTo("%E0%A4%A"));
-            Assert.That(result.FlattenedData["headers.X-Custom"], Is.EqualTo("a+b+c"));
-            Assert.That(result.FlattenedData["cookies.session"], Is.EqualTo("abc123"));
-            Assert.That(result.FlattenedData["body.cmd"], Is.EqualTo("whoami"));
+            Assert.That(result.FlattenedData["headers.X-Custom"], Is.EqualTo("a+b%2Bc"));
+            Assert.That(result.FlattenedData["cookies.session"], Is.EqualTo("abc%31%32%33"));
+            Assert.That(result.FlattenedData["body.cmd"], Is.EqualTo("who%61mi"));
             Assert.That(result.FlattenedData["body.literal"], Is.EqualTo("a+b"));
+
+            Assert.That(result.FlattenedData["route.command|decoded"], Is.EqualTo("whoami"));
+            Assert.That(result.FlattenedData["query.path|decoded"], Is.EqualTo("../etc/passwd"));
+            Assert.That(result.FlattenedData["query.emoji|decoded"], Is.EqualTo("\U0001F600"));
+            Assert.That(result.FlattenedData["query.double|decoded"], Is.EqualTo("whoami"));
+            Assert.That(result.FlattenedData["headers.X-Custom|decoded"], Is.EqualTo("a+b+c"));
+            Assert.That(result.FlattenedData["cookies.session|decoded"], Is.EqualTo("abc123"));
+            Assert.That(result.FlattenedData["body.cmd|decoded"], Is.EqualTo("whoami"));
+            Assert.That(result.FlattenedData.ContainsKey("query.invalid|decoded"), Is.False);
+            Assert.That(result.FlattenedData.ContainsKey("body.literal|decoded"), Is.False);
         }
 
         [Test]