From c6a6293499678489a9c847b5ba5039dd955f0cca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=2E=20=C3=81ngel=20Jimeno?=
Date: Mon, 26 Oct 2020 22:43:09 +0100
Subject: [PATCH] pkg/ffuf: fix panic in Windows when parsing wordlist flag (#335)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This change addresses two panics that happened while parsing the provided wordlist flag in Windows systems.
- pkg/ffuf/util.go:40: panic happened when the provided path was invalid. Example: ".\wordlist.txt:" as the os.Stat call returned an error different than os.ErrNotExist.
- pkg/ffuf/optionsparser.go:179: panic happened when the provided value did not existed and did not contain a colon character. Example: ".\asdf.txt" when the local file ".\asdf.txt" did not exist. This panic happened due to strings.LastIndex returning -1 when the provided substring does not appear. Therefore, v[:-1] panicking.

Fixes #333

Signed-off-by: Miguel Ángel Jimeno
---
 CHANGELOG.md | 1 +
 pkg/ffuf/optionsparser.go | 6 +++++-
 pkg/ffuf/util.go | 6 ++++--
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a24c222..e5b5907 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@
 - Fixed the issue where the option -ac was overwriting existing filters. Now auto-calibration will add them where needed.
 - The `-w` flag now accepts comma delimited values in the form of `file1:W1,file2:W2`.
 - Links in the HTML report are now clickable
+ - Fixed panic during wordlist flag parsing in Windows systems.
 - v1.1.0
 - New
diff --git a/pkg/ffuf/optionsparser.go b/pkg/ffuf/optionsparser.go
index 0e305d9..1a12b80 100644
--- a/pkg/ffuf/optionsparser.go
+++ b/pkg/ffuf/optionsparser.go
@@ -176,7 +176,11 @@ func ConfigFromOptions(parseOpts *ConfigOptions, ctx context.Context, cancel con
 // The wordlist was supplied without a keyword parameter
 wl = []string{v}
 } else {
- filepart := v[:strings.LastIndex(v, ":")]
+ filepart := v
+ if strings.Contains(filepart, ":") {
+ filepart = v[:strings.LastIndex(filepart, ":")]
+ }
+
 if FileExists(filepart) {
 wl = []string{filepart, v[strings.LastIndex(v, ":")+1:]}
 } else {
diff --git a/pkg/ffuf/util.go b/pkg/ffuf/util.go
index 56c61aa..327fa6a 100644
--- a/pkg/ffuf/util.go
+++ b/pkg/ffuf/util.go
@@ -31,11 +31,13 @@ func UniqStringSlice(inslice []string) []string {
 return ret
 }
-//FileExists checks if the filepath exists and is not a directory
+//FileExists checks if the filepath exists and is not a directory.
+//Returns false in case it's not possible to describe the named file.
 func FileExists(path string) bool {
 md, err := os.Stat(path)
- if os.IsNotExist(err) {
+ if err != nil {
 return false
 }
+
 return !md.IsDir()
 }
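Review bot: The new guard in the pkg/ffuf/optionsparser.go hunk scans `v` for the colon up to three times (`strings.Contains`, `strings.LastIndex` for `filepart`, then `strings.LastIndex` again for the keyword). In the no-colon case it also calls `FileExists` on the same value that, judging by the context comment above it, the enclosing branch has presumably already rejected. Taking the index once makes the -1 case explicit and keeps the file/keyword split in one place: `if i := strings.LastIndex(v, ":"); i >= 0 && FileExists(v[:i]) {` followed by `wl = []string{v[:i], v[i+1:]}`. Because `v` comes from the command line, a table-driven test over the description's inputs `.\asdf.txt` and `.\wordlist.txt:` would pin both panics. ConfigFromOptions starts and ends outside this hunk, so the surrounding condition is inferred.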
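Review bot: With `if err != nil {` in the pkg/ffuf/util.go hunk, FileExists reports a permission-denied or malformed-path error exactly like a missing file. Callers cannot tell "absent" from "unreadable", so a later error message may point the user at the wrong cause. Changing the bool signature would touch callers outside this hunk, so the doc comment should at least say this, and Go doc style wants a space after the slashes: `// FileExists reports whether path names an existing non-directory. Any os.Stat error (missing file, invalid name, permission denied) yields false.` If the distinction matters on the wordlist error path, a follow-up could surface the non-`os.ErrNotExist` error before returning false.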