Merge pull request #128 from dominiqueroux/migrate-montoya

Migrated the extension to the MontoyaAPI.

Author: righettod

build.gradle

@@ -13,8 +13,8 @@ buildscript {
 apply plugin: 'java'
 apply plugin: 'org.owasp.dependencycheck'
 
-group 'eu.righettod'
-version '2.0.1'
+group = 'eu.righettod'
+version = '2.0.1'
 def burpExtensionHomepage = 'https://github.com/righettod/log-requests-to-sqlite'
 def burpExtensionJarName = 'LogRequestsToSQLite.jar'
 
@@ -23,8 +23,9 @@ repositories {
 }
 
 dependencies {
-    compile 'org.xerial:sqlite-jdbc:3.49.1.0'
-    compile 'net.portswigger.burp.extender:burp-extender-api:2.3'
+    implementation 'org.xerial:sqlite-jdbc:3.49.1.0'
+    // implementation 'net.portswigger.burp.extender:burp-extender-api:2.3'
+    implementation 'net.portswigger.burp.extensions:montoya-api:2025.4'
 }
 
 sourceSets {
@@ -39,15 +40,15 @@ sourceSets {
 }
 
 compileJava {
-    targetCompatibility '11'
-    sourceCompatibility '11'
+    targetCompatibility  = '21'
+    sourceCompatibility = '21'
 }
 
 dependencyCheck {
     autoUpdate = true
     failOnError = true
     failBuildOnCVSS = 1
-    cveValidForHours = 12
+    nvd.validForHours = 12
     suppressionFile = "odc-suppress.xml"
     format = 'JSON'
 }
@@ -56,7 +57,7 @@ task fatJar(type: Jar) {
     manifest {
         attributes("Implementation-Version": project.version, "Implementation-Title": project.name, "Implementation-URL": burpExtensionHomepage)
     }
-    archiveName = burpExtensionJarName
-    from { configurations.compile.collect { it.isDirectory() ? it : zipTree(it) } }
+    archiveBaseName = burpExtensionJarName
+    from { configurations.runtimeClasspath.collect { it.isDirectory() ? it : zipTree(it) } }
     with jar
 }

src/burp/ActivityHttpListener.java

@@ -1,11 +1,14 @@
 package burp;
 
+import burp.api.montoya.http.message.requests.HttpRequest;
+import burp.api.montoya.http.handler.*;
+
 import java.util.Locale;
 
 /**
  * Handle the recording of HTTP activities into the activity log storage.
  */
-class ActivityHttpListener implements IHttpListener {
+class ActivityHttpListener implements HttpHandler {
 
     /**
      * Ref on handler that will store the activity information into the activity log storage.
@@ -17,54 +20,59 @@ class ActivityHttpListener implements IHttpListener {
      */
     private Trace trace;
 
-    /**
-     * Ref on Burp tool to manipulate the HTTP requests and have access to API to identify the source of the activity (tool name).
-     */
-    private IBurpExtenderCallbacks callbacks;
-
     /**
      * Constructor.
      *
-     * @param activityLogger Ref on handler that will store the activity information into the activity log storage.
-     * @param trace          Ref on project logger.
-     * @param callbacks      Ref on Burp tool to manipulate the HTTP requests and have access to API to identify the source of the activity (tool name).
+     * @param activityLogger    Ref on handler that will store the activity information into the activity log storage.
+     * @param trace             Ref on project logger.
      */
-    ActivityHttpListener(ActivityLogger activityLogger, Trace trace, IBurpExtenderCallbacks callbacks) {
+    ActivityHttpListener(ActivityLogger activityLogger, Trace trace) {
         this.activityLogger = activityLogger;
         this.trace = trace;
-        this.callbacks = callbacks;
+    }
+
+    @Override
+    public RequestToBeSentAction handleHttpRequestToBeSent(HttpRequestToBeSent requestToBeSent)
+    {
+        //Check if the response will be logged as well. If yes, wait until response is received.
+        if (!ConfigMenu.INCLUDE_HTTP_RESPONSE_CONTENT) {
+            try {
+                if (this.mustLogRequest(requestToBeSent)) {
+                    this.activityLogger.logEvent(requestToBeSent, null, requestToBeSent.toolSource().toolType().toolName());
+                }
+            } catch (Exception e) {
+                this.trace.writeLog("Cannot save request: " + e.getMessage());
+            }
+        }
+        return RequestToBeSentAction.continueWith(requestToBeSent);
     }
 
     /**
      * {@inheritDoc}
      */
-    public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo) {
-        try {
-            //Save the information of the current request if the message is an HTTP response and according to the restriction options
-            if (!messageIsRequest) {
-                IRequestInfo reqInfo = callbacks.getHelpers().analyzeRequest(messageInfo);
-                if (this.mustLogRequest(reqInfo)) {
-                    IResponseInfo responseInfoStatusCode = callbacks.getHelpers().analyzeResponse(messageInfo.getResponse());
-                    String statusCode = String.valueOf(responseInfoStatusCode.getStatusCode());
-                    byte[] responseInfo = null;
-                    if (ConfigMenu.INCLUDE_HTTP_RESPONSE_CONTENT) {
-                        responseInfo = messageInfo.getResponse();
-                    }
-                    this.activityLogger.logEvent(toolFlag, reqInfo, messageInfo.getRequest(), statusCode, responseInfo);
+    @Override
+    public ResponseReceivedAction handleHttpResponseReceived(HttpResponseReceived responseReceived)
+    {
+        if (ConfigMenu.INCLUDE_HTTP_RESPONSE_CONTENT) {
+            try {
+                //Save the information of the current request if the message is an HTTP response and according to the restriction options
+                if (this.mustLogRequest(responseReceived.initiatingRequest())) {
+                    this.activityLogger.logEvent(responseReceived.initiatingRequest(), responseReceived, responseReceived.toolSource().toolType().toolName());
                 }
+            } catch (Exception e) {
+                this.trace.writeLog("Cannot save response: " + e.getMessage());
             }
-        } catch (Exception e) {
-            this.trace.writeLog("Cannot save request: " + e.getMessage());
         }
+        return ResponseReceivedAction.continueWith(responseReceived);
     }
 
     /**
      * Determine if the current request must be logged according to the configuration options selected by the users.
      *
-     * @param reqInfo Information about the current request
+     * @param request HttpRequest object containing all the information about the request
      * @return TRUE if the request must be logged, FALSE otherwise
      */
-    private boolean mustLogRequest(IRequestInfo reqInfo) {
+    private boolean mustLogRequest(HttpRequest request) {
         //By default: Request is logged
         boolean mustLogRequest = true;
 
@@ -75,7 +83,7 @@ private boolean mustLogRequest(IRequestInfo reqInfo) {
             //First: We check if we must apply restriction about image resource
             if (ConfigMenu.EXCLUDE_IMAGE_RESOURCE_REQUESTS) {
                 //Get the file extension of the current URL and remove the parameters from the URL
-                String filename = reqInfo.getUrl().getFile();
+                String filename = request.url();
                 if (filename != null && filename.indexOf('?') != -1) {
                     filename = filename.substring(0, filename.indexOf('?')).trim();
                 }
@@ -91,7 +99,7 @@ private boolean mustLogRequest(IRequestInfo reqInfo) {
             }
             //Secondly: We check if we must apply restriction about the URL scope
             //Configuration restrictions options are applied in sequence so we only work here if the request is marked to be logged
-            if (mustLogRequest && ConfigMenu.ONLY_INCLUDE_REQUESTS_FROM_SCOPE && !this.callbacks.isInScope(reqInfo.getUrl())) {
+            if (mustLogRequest && ConfigMenu.ONLY_INCLUDE_REQUESTS_FROM_SCOPE && ! request.isInScope()) {
                 mustLogRequest = false;
             }
         }

src/burp/ActivityLogger.java

@@ -10,10 +10,15 @@
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
 
+import burp.api.montoya.MontoyaApi;
+import burp.api.montoya.http.message.requests.HttpRequest;
+import burp.api.montoya.http.message.responses.HttpResponse;
+import burp.api.montoya.extension.ExtensionUnloadingHandler;
+
 /**
  * Handle the recording of the activities into the real storage, SQLite local DB here.
  */
-class ActivityLogger implements IExtensionStateListener {
+class ActivityLogger implements ExtensionUnloadingHandler {
 
     /**
      * SQL instructions.
@@ -25,12 +30,6 @@ class ActivityLogger implements IExtensionStateListener {
     private static final String SQL_BIGGEST_REQUEST_AMOUNT_DATA_SENT = "SELECT MAX(LENGTH(REQUEST_RAW)) FROM ACTIVITY";
     private static final String SQL_MAX_HITS_BY_SECOND = "SELECT COUNT(REQUEST_RAW) AS HITS, SEND_DATETIME FROM ACTIVITY GROUP BY SEND_DATETIME ORDER BY HITS DESC";
 
-    /**
-     * Empty string to use when response must be not be logged.
-     */
-    private static final String EMPTY_RESPONSE_CONTENT = "";
-
-
     /**
      * Use a single DB connection for performance and to prevent DB file locking issue at filesystem level.
      */
@@ -41,11 +40,6 @@ class ActivityLogger implements IExtensionStateListener {
      */
     private String url;
 
-    /**
-     * Ref on Burp tool to manipulate the HTTP requests and have access to API to identify the source of the activity (tool name).
-     */
-    private IBurpExtenderCallbacks callbacks;
-
     /**
      * Ref on project logger.
      */
@@ -60,16 +54,13 @@ class ActivityLogger implements IExtensionStateListener {
     /**
      * Constructor.
      *
-     * @param storeName Name of the storage that will be created (file path).
-     * @param callbacks Ref on Burp tool to manipulate the HTTP requests and have access to API to identify the source of the activity (tool name).
-     * @param trace     Ref on project logger.
-     * @throws Exception If connection with the DB cannot be opened or if the DB cannot be created or if the JDBC driver cannot be loaded.
+     * @param storeName     Name of the storage that will be created (file path).
+     * @param trace         Ref on project logger.
+     * @throws Exception    If connection with the DB cannot be opened or if the DB cannot be created or if the JDBC driver cannot be loaded.
      */
-    ActivityLogger(String storeName, IBurpExtenderCallbacks callbacks, Trace trace) throws Exception {
+    ActivityLogger(String storeName, MontoyaApi api, Trace trace) throws Exception {
         //Load the SQLite driver
         Class.forName("org.sqlite.JDBC");
-        //Affect the properties
-        this.callbacks = callbacks;
         this.trace = trace;
         updateStoreLocation(storeName);
     }
@@ -98,26 +89,32 @@ void updateStoreLocation(String storeName) throws Exception {
     /**
      * Save an activity event into the storage.
      *
-     * @param toolFlag   A flag indicating the Burp tool that issued the request.
-     *                   Burp tool flags are defined in the
-     *                   <code>IBurpExtenderCallbacks</code> interface.
-     * @param reqInfo    Details of the request to be processed.
-     * @param reqContent Raw content of the request.
-     * @throws Exception If event cannot be saved.
+     * @param request       HttpRequest object containing all information about the request
+     *                      which was either sent or will be sent out soon.
+     * @param response      HttpResponse object containing all information about the response.
+     *                      Is null when only the request ist stored.
+     * @param tool          The name of the tool which was used to issue to request.
+     * @throws Exception    If event cannot be saved.
      */
-    void logEvent(int toolFlag, IRequestInfo reqInfo, byte[] reqContent, String statusCode, byte[] resContent) throws Exception {
+    void logEvent(HttpRequest request, HttpResponse response, String tool) throws Exception {
         //Verify that the DB connection is still opened
         this.ensureDBState();
         //Insert the event into the storage
         try (PreparedStatement stmt = this.storageConnection.prepareStatement(SQL_TABLE_INSERT)) {
             stmt.setString(1, InetAddress.getLocalHost().getHostAddress());
-            stmt.setString(2, reqInfo.getUrl().toString());
-            stmt.setString(3, reqInfo.getMethod());
-            stmt.setString(4, callbacks.getToolName(toolFlag));
-            stmt.setString(5, callbacks.getHelpers().bytesToString(reqContent));
+            stmt.setString(2, request.url());
+            stmt.setString(3, request.method());
+            stmt.setString(4, tool);
+            stmt.setString(5, request.toString()); //Apparently, bodyToString() does not work..
             stmt.setString(6, LocalDateTime.now().format(this.datetimeFormatter));
-            stmt.setString(7, statusCode);
-            stmt.setString(8, (resContent != null) ? callbacks.getHelpers().bytesToString(resContent) : EMPTY_RESPONSE_CONTENT);
+            //Make a distinction if only the request is stored or the response is added as well.
+            if (response != null) {
+                stmt.setString(7, String.valueOf(response.statusCode()));
+                stmt.setString(8, response.bodyToString());
+            } else {
+                stmt.setString(7, null);
+                stmt.setString(8, null);
+            }
             int count = stmt.executeUpdate();
             if (count != 1) {
                 this.trace.writeLog("Request was not inserted, no detail available (insertion counter = " + count + ") !");
@@ -188,8 +185,9 @@ private void ensureDBState() throws Exception {
     }
 
     /**
-     * {@inheritDoc}
+     * Unloads the extension by releasing the DB connection.
      */
+    @Override
     public void extensionUnloaded() {
         try {
             if (this.storageConnection != null && !this.storageConnection.isClosed()) {