doyensec / inql

InQL is a robust, open-source Burp Suite extension for advanced GraphQL testing, offering intuitive vulnerability detection, customizable scans, and seamless Burp integration.
https://doyensec.com/
Apache License 2.0

Investigate report about failed installs #125

Open execveat opened 11 months ago

execveat commented 11 months ago

There is a report on Twitter about InQL failing during installation: https://twitter.com/irsdl/status/1698658521166815250

The post mentions Windows, but it could be a red herring. #28 is almost definitely unrelated to this as it was fixed a while ago. I've seen a somewhat similar bug where updates were broken due to changes in how the settings were persisted in different versions. However, this should have been addressed by removing old-style settings: https://github.com/doyensec/inql/blob/master/python/inql/extender.py#L73

This should be investigated further before the 5.1 release.

nobodynate commented 11 months ago

I'm having the same/similar issue as the Tweet. The BApp Store version is seemingly not working on Windows Burp Pro. To be fair, it's an old version being served in the store; InQL 5.0 from the releases page of this repo installs fine.

Traceback (most recent call last):
  File "C:\Users\nate\AppData\Roaming\BurpSuite\bapps\296e9a0730384be4b2fffef7b4e19b1f\ext\inql_burp.py", line 83, in <module>
    from burp_ext.extender import BurpExtender
  File "C:\Users\nate\Downloads\jython-standalone-2.7.3.jar\Lib\contextlib$py.class", line 24, in __exit__
  File "C:\Users\nate\Downloads\jython-standalone-2.7.3.jar\Lib\contextlib$py.class", line 24, in __exit__
  File "C:\Users\nate\AppData\Roaming\BurpSuite\bapps\296e9a0730384be4b2fffef7b4e19b1f\ext\inql_burp.py", line 14, in __stickytape_temporary_dir
    shutil.rmtree(dir_path)
  File "C:\Users\nate\Downloads\jython-standalone-2.7.3.jar\Lib\shutil$py.class", line 247, in rmtree
  File "C:\Users\nate\Downloads\jython-standalone-2.7.3.jar\Lib\shutil$py.class", line 252, in rmtree
  File "C:\Users\nate\Downloads\jython-standalone-2.7.3.jar\Lib\shutil$py.class", line 250, in rmtree
OSError: unlink(): an unknown error occurred: C:\Users\nate\AppData\Local\Temp\tmpks9kq9\burp_ext\__init__.py

    at org.python.core.PyException.doRaise(PyException.java:211)
    at org.python.core.Py.makeException(Py.java:1654)
    at org.python.core.Py.makeException(Py.java:1658)
    at org.python.core.Py.makeException(Py.java:1662)
    at org.python.core.Py.makeException(Py.java:1666)
    at shutil$py.onerror$16(shutil.py:226)
    at shutil$py.call_function(shutil.py)
    at org.python.core.PyTableCode.call(PyTableCode.java:173)
    at org.python.core.PyBaseCode.call(PyBaseCode.java:306)
    at org.python.core.PyBaseCode.call(PyBaseCode.java:158)
    at org.python.core.PyFunction.__call__(PyFunction.java:437)
    at shutil$py.rmtree$14(shutil.py:256)
    at shutil$py.call_function(shutil.py)
    at org.python.core.PyTableCode.call(PyTableCode.java:173)
    at org.python.core.PyBaseCode.call(PyBaseCode.java:168)
    at org.python.core.PyFunction.__call__(PyFunction.java:437)
    at shutil$py.rmtree$14(shutil.py:256)
    at shutil$py.call_function(shutil.py)
    at org.python.core.PyTableCode.call(PyTableCode.java:173)
    at org.python.core.PyBaseCode.call(PyBaseCode.java:306)
    at org.python.core.PyBaseCode.call(PyBaseCode.java:126)
    at org.python.core.PyFunction.__call__(PyFunction.java:416)
    at org.python.pycode._pyx5.__stickytape_temporary_dir$1(C:/Users/nate/AppData/Roaming/BurpSuite/bapps/296e9a0730384be4b2fffef7b4e19b1f/ext/inql_burp.py:14)
    at org.python.pycode._pyx5.call_function(C:/Users/nate/AppData/Roaming/BurpSuite/bapps/296e9a0730384be4b2fffef7b4e19b1f/ext/inql_burp.py)
    at org.python.core.PyTableCode.call(PyTableCode.java:173)
    at org.python.core.PyGenerator.__iternext__(PyGenerator.java:161)
    at org.python.core.PyGenerator.__iternext__(PyGenerator.java:143)
    at org.python.core.PyIterator.next(PyIterator.java:45)
    at org.python.core.PyGenerator.generator_next(PyGenerator.java:95)
    at org.python.core.PyGenerator$generator_next_exposer.__call__(Unknown Source)
    at org.python.core.PyObject.__call__(PyObject.java:450)
    at contextlib$py.__exit__$4(contextlib.py:51)
    at contextlib$py.call_function(contextlib.py)
    at org.python.core.PyTableCode.call(PyTableCode.java:173)
    at org.python.core.PyBaseCode.call(PyBaseCode.java:187)
    at org.python.core.PyFunction.__call__(PyFunction.java:449)
    at org.python.core.PyMethod.__call__(PyMethod.java:171)
    at org.python.core.ContextGuard.__exit__(ContextGuard.java:29)
    at org.python.pycode._pyx5.f$0(C:/Users/nate/AppData/Roaming/BurpSuite/bapps/296e9a0730384be4b2fffef7b4e19b1f/ext/inql_burp.py:83)
    at org.python.pycode._pyx5.call_function(C:/Users/nate/AppData/Roaming/BurpSuite/bapps/296e9a0730384be4b2fffef7b4e19b1f/ext/inql_burp.py)
    at org.python.core.PyTableCode.call(PyTableCode.java:173)
    at org.python.core.PyCode.call(PyCode.java:18)
    at org.python.core.Py.runCode(Py.java:1703)
    at org.python.core.__builtin__.execfile_flags(__builtin__.java:535)
    at org.python.util.PythonInterpreter.execfile(PythonInterpreter.java:287)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
    at java.base/java.lang.reflect.Method.invoke(Method.java:578)
    at burp.Znkl.ZI(Unknown Source)
    at burp.Zk7m.Zy(Unknown Source)
    at burp.Zcll.Zi(Unknown Source)
    at burp.Zveh.lambda$panelLoaded$0(Unknown Source)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:577)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
    at java.base/java.lang.Thread.run(Thread.java:1589)

execveat commented 11 months ago

So, here's the status on this bug. The root cause is a third-party library, stickytape. It's a known issue and we actually don't use this library at all in our current master & dev branches. The new code was sent to PortSwigger (https://github.com/PortSwigger/inql/commits/master), but the BApp Store release is being delayed due to some issues that we can't influence.

The code in PortSwigger's repo matches InQL release 5.0.2, so hopefully that's the version that should appear in the BApp Store any time soon. We're working towards the next release 5.1 in our dev branch, so that might occur sooner than the BApp Store release.

I'm leaving this issue open as a reminder to check Windows compatibility before the 5.1 release, but I'm afraid the original issue with the BApp Store version will remain unsolved until PortSwigger releases a public update.
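
The failure mode in the traceback above, as an added example that is not InQL's or stickytape's code: a temp-directory context manager whose cleanup calls `shutil.rmtree` aborts an otherwise successful load when the delete fails, while a best-effort variant records the leftover directory instead. The function names, `locked_rmtree` and the sample module file are constructed for illustration, and the code targets CPython 3 rather than Jython 2.7.

```python
import contextlib
import os
import shutil
import tempfile


@contextlib.contextmanager
def strict_temp_dir(rmtree=shutil.rmtree):
    """Shape suggested by the traceback: a cleanup error reaches the caller."""
    dir_path = tempfile.mkdtemp()
    try:
        yield dir_path
    finally:
        rmtree(dir_path)  # an OSError here surfaces from __exit__


@contextlib.contextmanager
def tolerant_temp_dir(rmtree=shutil.rmtree, leftovers=None):
    """Best-effort cleanup: a failed delete is recorded, not raised."""
    dir_path = tempfile.mkdtemp()
    try:
        yield dir_path
    finally:
        try:
            rmtree(dir_path)
        except OSError as exc:
            # Keep the path so the unpacked code can be removed later.
            if leftovers is not None:
                leftovers.append((dir_path, str(exc)))


def locked_rmtree(path):
    """Constructed stand-in for the reported failure: unlink() is refused."""
    raise OSError("unlink(): an unknown error occurred: %s" % path)


def load_extension(temp_dir_factory, **kwargs):
    """Simulate a bundled loader: unpack a module, use it, then clean up."""
    with temp_dir_factory(**kwargs) as d:
        pkg = os.path.join(d, "burp_ext")
        os.mkdir(pkg)
        init_py = os.path.join(pkg, "__init__.py")
        with open(init_py, "w") as fh:
            fh.write("LOADED = True\n")
        loaded = os.path.exists(init_py)
    # Only reached if leaving the with-block did not raise.
    return loaded
```

With `strict_temp_dir` the body succeeds but the `OSError` from cleanup still propagates, which matches the `__exit__` frames in the report; with `tolerant_temp_dir` the load completes and the leftover path is available for a later retry.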