Bugfix: Detect internal URLs better

bin/verify.go

@@ -0,0 +1,86 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"www.velocidex.com/golang/velociraptor/config"
+	logging "www.velocidex.com/golang/velociraptor/logging"
+	"www.velocidex.com/golang/velociraptor/services"
+	"www.velocidex.com/golang/velociraptor/startup"
+)
+
+var (
+	verify      = app.Command("verify", "Verify a set of artifacts")
+	verify_args = verify.Arg("paths", "Paths to artifact yaml files").Required().Strings()
+)
+
+func doVerify() error {
+	//logging.DisableLogging()
+	config_obj := config.GetDefaultConfig()
+
+	config_obj.Services = services.GenericToolServices()
+
+	ctx, cancel := install_sig_handler()
+	defer cancel()
+
+	sm, err := startup.StartToolServices(ctx, config_obj)
+	defer sm.Close()
+
+	if err != nil {
+		return err
+	}
+
+	manager, err := services.GetRepositoryManager(config_obj)
+	if err != nil {
+		return err
+	}
+
+	logger := logging.GetLogger(config_obj, &logging.ToolComponent)
+
+	// Report all errors and keep going as much as possible.
+	var returned_err error
+
+	repository := manager.NewRepository()
+	for _, artifact_path := range *verify_args {
+		fd, err := os.Open(artifact_path)
+		if err != nil {
+			logger.Error("%v: <red>%v</>", artifact_path, err)
+			returned_err = fmt.Errorf("While processing %v: %w", artifact_path, err)
+			continue
+		}
+
+		data, err := ioutil.ReadAll(fd)
+		if err != nil {
+			logger.Error("%v: <red>%v</>", artifact_path, err)
+			returned_err = fmt.Errorf("While processing %v: %w", artifact_path, err)
+			continue
+		}
+
+		_, err = repository.LoadYaml(string(data), services.ArtifactOptions{
+			ValidateArtifact: true,
+		})
+		if err != nil {
+			logger.Error("%v: <red>%v</>", artifact_path, err)
+			returned_err = fmt.Errorf("While processing %v: %w", artifact_path, err)
+			continue
+		}
+		logger.Info("Verified %v: <green>OK</>", artifact_path)
+	}
+
+	return returned_err
+}
+
+func init() {
+	command_handlers = append(command_handlers, func(command string) bool {
+		switch command {
+		case verify.FullCommand():
+			FatalIfError(verify, doVerify)
+
+		default:
+			return false
+		}
+		return true
+	})
+}

gui/velociraptor/src/components/core/api-service.jsx

@@ -262,8 +262,13 @@ const upload = function(url, files, params) {
 
 // Internal Routes declared in api/proxy.go Assume base_path is regex
 // safe due to the sanitation in the sanitation service.
+// A link is considered internal if:
+// * it is relative
+// * it has a known prefix and
+// * it either starts with base path or not - URLs that do not start
+//   with the base path will be fixed later.
 const internal_links = new RegExp(
-    "^" + base_path + "/api|app|notebooks|downloads|hunts|clients/");
+    "^(" + base_path + ")?/(api|app|notebooks|downloads|hunts|clients)/");
 
 // Prepare a suitable href link for <a>
 // This function accepts a number of options:
@@ -334,7 +339,13 @@ const src_of = function (url) {
     if (url && url.match(/^data/)) {
         return url;
     }
-    return path.join(window.base_path, url);
+
+    // If the URL does not already start with base path ensure it does
+    // now.
+    if (!url.startsWith(window.base_path)) {
+        return path.join(window.base_path, url);
+    }
+    return url;
 };
 
 const error = function(msg) {