Error listing clients as normal user
Hi! First of all, thanks for this awesome project!
Bug summary
I'm having a problem with the latest version of bui. I created a new user without admin/moderator privileges and tried to log in with him. After that, in the "Clients" screen, an error shows up.
Burp
$ burp -V
burp-2.3.16
Sysinfo
$ bui-manage -c /<dir>/etc/burp-ui.cnf sysinfo
Python version: 3.6.3
Burp-UI version: 0.7.0.dev0 (c6a74ecbb9ecc40b2aba5e230c8ed0a867de0019)
OS: Linux:3.10.0-957.27.2.el7.x86_64 (posix)
Distribution: centos 7.7.1908 Core
Single mode: True
Backend: burp2
WebSocket embedded: False
WebSocket available: False
Config file: /<dir>/etc/burp-ui.cnf
Steps to reproduce
- Create a user without privileges
- Go to the login page
- Try to authenticate with the created user
- Go to the "Clients" screen
- The error will show up on screen (if in debug mode) and in the bui log.
Logs
<MY IP> - - [13/Jan/2020 11:47:34] "GET /api/clients/backup-running?_session=b8b0dc8e-6e8d-4385-aad0-98f42114424b&_extra=1578926852 HTTP/1.1" 500 -
Traceback (most recent call last):
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/app.py", line 2463, in __call__
    return self.wsgi_app(environ, start_response)
  File "/<dir>/burp-ui/burpui/utils.py", line 250, in __call__
    return self.wsgi_app(environ, start_response)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/app.py", line 2449, in wsgi_app
    response = self.handle_exception(e)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask_restplus/api.py", line 584, in error_router
    return original_handler(e)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/app.py", line 1866, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/_compat.py", line 38, in reraise
    raise value.with_traceback(tb)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/app.py", line 2446, in wsgi_app
    response = self.full_dispatch_request()
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/app.py", line 1951, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask_restplus/api.py", line 584, in error_router
    return original_handler(e)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/app.py", line 1820, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/_compat.py", line 38, in reraise
    raise value.with_traceback(tb)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/app.py", line 1949, in full_dispatch_request
    rv = self.dispatch_request()
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/app.py", line 1935, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/<dir>/burp-ui/burpui/api/__init__.py", line 74, in decorated_view
    return func(*args, **kwargs)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask_restplus/api.py", line 325, in wrapper
    resp = resource(*args, **kwargs)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/views.py", line 89, in view
    return self.dispatch_request(*args, **kwargs)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask_restplus/resource.py", line 44, in dispatch_request
    resp = meth(*args, **kwargs)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask_restplus/marshalling.py", line 243, in wrapper
    resp = f(*args, **kwargs)
  File "/<dir>/burp-ui/burpui/api/clients.py", line 165, in get
    server
  File "/<dir>/burp-ui/burpui/api/clients.py", line 188, in _is_one_backup_running
    allowed = [x for x in clients if mask.is_client_allowed(current_user, x, server)]
  File "/<dir>/burp-ui/burpui/api/clients.py", line 188, in <listcomp>
    allowed = [x for x in clients if mask.is_client_allowed(current_user, x, server)]
  File "/<dir>/burp-ui/burpui/filter.py", line 62, in is_client_allowed
    return current_user.acl.is_client_allowed(client, server)
  File "/<dir>/burp-ui/burpui/misc/auth/handler.py", line 144, in __call__
    return func(**encoded_args)
  File "/<dir>/burp-ui/burpui/misc/acl/handler.py", line 162, in is_client_allowed
    server
  File "/<dir>/burp-ui/burpui/misc/acl/handler.py", line 124, in _iterate_through_loader
    ret = func(*args, **kwargs)
  File "/<dir>/burp-ui/burpui/misc/acl/meta.py", line 598, in is_client_allowed
    order = _extract_key(adv, 'order', None, DEFAULT_EVAL_ORDER)
UnboundLocalError: local variable 'adv' referenced before assignment
Configuration
[Global]
backend = burp2
auth = basic
acl = basic
audit = basic
plugins = none
[UI]
refresh = 180
liverefresh = 5
ignore_labels = color:.*, custom:.*
format_labels = s/^os:\s*//
default_strip = 0
[Production]
storage = redis
session = redis
cache = redis
redis = 127.0.0.1:6379
celery = false
database = sqlite:////<dir>/burpui.db
limiter = false
ratio = 60/minute
prefix = none
num_proxies = 0
proxy_fix_args = "{'x_for': {num_proxies}, 'x_host': {num_proxies}, 'x_prefix': {num_proxies}}"
[WebSocket]
enabled = false
embedded = false
broker = redis
url = none
debug = false
[Security]
includes = /<dir>/etc
enforce = false
revoke = true
cookietime = 14
sessiontime = 5
scookie = true
appsecret = random
[Experimental]
zip64 = true
noserverrestore = false
[Burp]
burpbin = /<dir>/sbin/burp
stripbin = /<dir>/bin/vss_strip
bconfcli = /<dir>/etc/burp.conf
bconfsrv = /<dir>/etc/burp-server.conf
tmpdir = /tmp/bui
timeout = 15
deep_inspection = false
[Parallel]
host = ::1
port = 11111
timeout = 15
password = password123456
ssl = true
concurrency = 2
init_wait = 15
[BASIC:AUDIT]
priority = 100
level = WARNING
logfile = none
max_bytes = 30 * 1024 * 1024
rotate = 5
[BASIC:AUTH]
pedro.domingues@harpo.com.br = <hash>
teste@harpo.com.br = <hash>
teste = <hash> # THIS USER DOESN'T HAVE AN ACL
[BASIC:ACL]
pedro.domingues@harpo.com.br = ""
admin = admin, pedro.domingues@harpo.com.br
+moderator = pedro.domingues@harpo.com.br,
teste@harpo.com.br = {} # I'VE TRIED TO CREATE A USER WITH EMPTY ACL, BUT WITHOUT SUCCESS
Thanks!
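The traceback ends in `_extract_key(adv, 'order', None, DEFAULT_EVAL_ORDER)` with `adv` unbound, which is what happens when the ACL lookup only binds `adv` for users that have an entry. The following is an added, reduced model of that pattern (not burp-ui's own code; `ACLS`, `_extract_key`, `_allowed_by`, `DEFAULT_EVAL_ORDER` and the grant layout are assumptions) that reproduces the crash for the "teste" user from the report's [BASIC:ACL] section and shows the fail-closed check beside it, where a missing or empty entry denies instead of raising a 500:

```python
import fnmatch
from typing import Dict, List, Optional

# Stand-in for burp-ui's DEFAULT_EVAL_ORDER (assumed value, not the project's).
DEFAULT_EVAL_ORDER = ["clients", "agents"]

# Constructed ACL table mirroring the report's [BASIC:ACL] section:
# "teste" has no entry at all, "teste@harpo.com.br" has an empty one.
ACLS: Dict[str, dict] = {
    "pedro.domingues@harpo.com.br": {"clients": ["*"]},
    "teste@harpo.com.br": {},
}


def _extract_key(adv: dict, key: str, fallback, default):
    """Simplified stand-in for the _extract_key seen in the traceback."""
    val = adv.get(key, fallback)
    return default if val is None else val


def _match(patterns: List[str], name: str) -> bool:
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def _allowed_by(adv: dict, scope: str, client: str, server: Optional[str]) -> bool:
    """Evaluate one scope of an (assumed) advanced ACL: per-client or per-agent grants."""
    if scope == "clients":
        return _match(adv.get("clients", []), client)
    if scope == "agents" and server is not None:
        return _match(adv.get("agents", {}).get(server, []), client)
    return False


def is_client_allowed_buggy(user: str, client: str, server: Optional[str] = None) -> bool:
    """Models the defect: `adv` is only bound when the user has an ACL entry, so a
    user without one raises UnboundLocalError and the API answers 500."""
    if user in ACLS:
        adv = ACLS[user]
    order = _extract_key(adv, "order", None, DEFAULT_EVAL_ORDER)
    return any(_allowed_by(adv, scope, client, server) for scope in order)


def is_client_allowed(user: str, client: str, server: Optional[str] = None) -> bool:
    """Fail-closed version: a missing or empty ACL entry denies instead of crashing."""
    adv = ACLS.get(user)
    if not adv:
        return False
    order = _extract_key(adv, "order", None, DEFAULT_EVAL_ORDER)
    return any(_allowed_by(adv, scope, client, server) for scope in order)


def allowed_clients(user: str, clients: List[str], server: Optional[str] = None) -> List[str]:
    """The filtering done by _is_one_backup_running in the traceback, on the safe check."""
    return [c for c in clients if is_client_allowed(user, c, server)]
```

With the safe check, an unprivileged user such as "teste" simply sees no clients, which is the behaviour the empty-ACL workaround in the report was trying to get.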