Minor patch of API calls

2026-06-20 06:28:55 +00:00 · 2026-06-11 21:15:58 +02:00 · 2026-06-11 21:15:58 +02:00 · e12d7a22d0
commit e12d7a22d0
parent 74b5ffd4dc
4 changed files with 41 additions and 15 deletions
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@ -188,7 +188,7 @@ c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6  lib/core/data.
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-74df13374f7058ba09ce9e7c5cec9e79f8a59a4a6f73d79ba4a6fa972a75961f  lib/core/settings.py
+78a7197b843f1766159e803ccc5724880bea795ad6bd2e06eddb746db3324129  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
@ -241,7 +241,7 @@ f552b6140d4069be6a44792a08f295da8adabc1c4bb6a5e100f222f87144ca9d  lib/techniques
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/techniques/union/__init__.py
 30cae858e2a5a75b40854399f65ad074e6bb808d56d5ee66b94d4002dc6e101b  lib/techniques/union/test.py
 a8a795f29ec6fd66482926f04b054ed492a033982c3b7837c5d2ea32368acec0  lib/techniques/union/use.py
-c771212c97b534f47e74e972e12ada7d341a170c637ed2638cee6546f7b754d2  lib/utils/api.py
+ab5132ff9605a7e795293ce10eec7f8d1a98a36dabb3432b9c805535afe054ac  lib/utils/api.py
 442555ab85277aff7c9e0cf465ea5b0d28395c326f68363449b2d3941f4b6de2  lib/utils/brute.py
 da5bcbcda3f667582adf5db8c1b5d511b469ac61b55d387cec66de35720ed718  lib/utils/crawler.py
 a94958be0ec3e9d28d8171813a6a90655a9ad7e6aa33c661e8d8ebbfcf208dbb  lib/utils/deps.py
@ -490,7 +490,7 @@ cedf45d33461bd7e5400d06611a63c8a4ffae1a4510030c5696b9d46ed6a9883  plugins/generi
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  plugins/__init__.py
 5d72f0af46ff3c9e3fe80300e83cb78749132278e8db88915764a94d7130a04c  README.md
 7ef0d0ea10d4b19283b1e380d521abb0fdd4c6bf1443b88f7b00af7947fc5e27  sqlmapapi.py
-69ca771751f9d996cc07c2cd3f082667949148792ba9db26d08dc953fbf17815  sqlmapapi.yaml
+5b73370e455ee5d4cfd72db7485223528d3ede2637e74469fac9ba9f8a2b9d13  sqlmapapi.yaml
 627d90f1194335b800cbc9cc78db6697cf9e02e193a83598e0d4d0abb55b63b8  sqlmap.conf
 65159b82795604069a2d14ccbd1f66e888a26b05db0401a1ddadb40c665c93dc  sqlmap.py
 eb37a88357522fd7ad00d90cdc5da6b57442b4fec49366aadb2944c4fbf8b804  tamper/0eunion.py
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six

 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.6.78"
+VERSION = "1.10.6.79"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
--- a/lib/utils/api.py
+++ b/lib/utils/api.py
@ -78,6 +78,8 @@ class DataStore(object):
    username = None
    password = None

+RESTAPI_READONLY_OPTIONS = ("api", "taskid", "database")
+
 # API objects
 class Database(object):
    filepath = None
@ -296,6 +298,19 @@ def setRestAPILog():
 def is_admin(token):
    return safeCompareStrings(DataStore.admin_token, token)

+def validate_task_options(taskid, options, caller):
+    if not isinstance(options, dict):
+        logger.warning("[%s] Invalid JSON options provided to %s()" % (taskid, caller))
+        return "Invalid JSON options"
+
+    for key in options:
+        if key in RESTAPI_UNSUPPORTED_OPTIONS or key in RESTAPI_READONLY_OPTIONS:
+            logger.warning("[%s] Unsupported option '%s' provided to %s()" % (taskid, key, caller))
+            return "Unsupported option '%s'" % key
+        elif key not in DataStore.tasks[taskid].options:
+            logger.warning("[%s] Unknown option '%s' provided to %s()" % (taskid, key, caller))
+            return "Unknown option '%s'" % key
+
@hook('before_request')
 def check_authentication():
    if not any((DataStore.username, DataStore.password)):
@ -490,10 +505,9 @@ def option_set(taskid):
        logger.warning("[%s] Invalid JSON options provided to option_set()" % taskid)
        return jsonize({"success": False, "message": "Invalid JSON options"})

-    for key in request.json:
-        if key in RESTAPI_UNSUPPORTED_OPTIONS:
-            logger.warning("[%s] Unsupported option '%s' provided to option_set()" % (taskid, key))
-            return jsonize({"success": False, "message": "Unsupported option '%s'" % key})
+    message = validate_task_options(taskid, request.json, "option_set")
+    if message:
+        return jsonize({"success": False, "message": message})

    for option, value in request.json.items():
        DataStore.tasks[taskid].set_option(option, value)
@ -516,10 +530,13 @@ def scan_start(taskid):
        logger.warning("[%s] Invalid JSON options provided to scan_start()" % taskid)
        return jsonize({"success": False, "message": "Invalid JSON options"})

-    for key in request.json:
-        if key in RESTAPI_UNSUPPORTED_OPTIONS:
-            logger.warning("[%s] Unsupported option '%s' provided to scan_start()" % (taskid, key))
-            return jsonize({"success": False, "message": "Unsupported option '%s'" % key})
+    if DataStore.tasks[taskid].engine_process() is not None and not DataStore.tasks[taskid].engine_has_terminated():
+        logger.warning("[%s] Scan already running" % taskid)
+        return jsonize({"success": False, "message": "Scan already running"})
+
+    message = validate_task_options(taskid, request.json, "scan_start")
+    if message:
+        return jsonize({"success": False, "message": message})

    # Initialize sqlmap engine's options with user's provided options, if any
    for option, value in request.json.items():
@ -601,7 +618,7 @@ def scan_data(taskid):
        json_data_message.append({"status": status, "type": content_type, "value": dejsonize(value)})

    # Read all error messages from the IPC database
-    for error in DataStore.current_db.execute("SELECT error FROM errors WHERE taskid = ? ORDER BY id ASC", (taskid,)):
+    for error, in DataStore.current_db.execute("SELECT error FROM errors WHERE taskid = ? ORDER BY id ASC", (taskid,)):
        json_errors_message.append(error)

    logger.debug("(%s) Retrieved scan data and error messages" % taskid)
--- a/sqlmapapi.yaml
+++ b/sqlmapapi.yaml
@ -726,9 +726,9 @@ components:

    OptionValue:
      description: Value accepted by sqlmap options. The exact type depends on the option.
-      nullable: true
      oneOf:
        - type: string
+          nullable: true
        - type: boolean
        - type: integer
        - type: number
@ -826,7 +826,16 @@ components:
          description: Numeric content type stored by sqlmap.
          example: 0
        value:
-          nullable: true
+          oneOf:
+            - type: string
+              nullable: true
+            - type: boolean
+            - type: integer
+            - type: number
+            - type: array
+              items: {}
+            - type: object
+              additionalProperties: true
          description: JSON-decoded scan output value. Shape depends on the content type.
      additionalProperties: true