From 6015314d2434ca10404067c55b0d96ea2928c8a4 Mon Sep 17 00:00:00 2001 From: juandiego-bmu Date: Sun, 26 Apr 2026 14:42:11 +0200 Subject: [PATCH 1/2] fix(http): preserve raw URL bytes via opt-in url_raw flag aiohttp passes string URLs through yarl.URL(str), which decodes percent- encoded dots and collapses dot-segments before the bytes hit the wire. Modules that rely on traversal in the URL path therefore send a flattened path to the target and never trigger the bypass condition they describe. Adds an opt-in step-level flag url_raw: true that wraps the URL with yarl.URL(url, encoded=True). Default behavior is unchanged. Updates apache_cve_2021_41773.yaml with the flag as a regression case. See linked issue for the full reproduction and the list of affected modules. --- nettacker/core/lib/http.py | 3 +++ nettacker/modules/vuln/apache_cve_2021_41773.yaml | 1 + 2 files changed, 4 insertions(+) diff --git a/nettacker/core/lib/http.py b/nettacker/core/lib/http.py index 776266036..4b9959f55 100644 --- a/nettacker/core/lib/http.py +++ b/nettacker/core/lib/http.py @@ -8,6 +8,7 @@ import aiohttp import uvloop +from yarl import URL from nettacker.core.lib.base import BaseEngine from nettacker.core.utils.common import ( @@ -34,6 +35,8 @@ async def perform_request_action(action, request_options): async def send_request(request_options, method): + if request_options.pop("url_raw", False): + request_options["url"] = URL(request_options["url"], encoded=True) async with aiohttp.ClientSession() as session: action = getattr(session, method, None) response = await asyncio.gather( diff --git a/nettacker/modules/vuln/apache_cve_2021_41773.yaml b/nettacker/modules/vuln/apache_cve_2021_41773.yaml index 185d4505c..b8034c2a6 100644 --- a/nettacker/modules/vuln/apache_cve_2021_41773.yaml +++ b/nettacker/modules/vuln/apache_cve_2021_41773.yaml 
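Review bot: `request_options.pop("url_raw", False)` and the assignment on the following line modify the caller's dict in place, so once send_request returns, the step no longer carries `url_raw` and its `url` is a `yarl.URL` instead of a `str`. Any code outside this hunk that later serialises, logs or re-reads the step would see the changed type; whether such code exists cannot be confirmed from this view. Working on a shallow copy keeps the change local: `request_options = dict(request_options)` as the first statement of the function. `encoded=True` also switches off yarl's quoting, so a comment above the branch should record the contract, e.g. `# url_raw: URL is sent as written; yarl does no quoting or normalisation, so the module must supply a fully encoded URL`. The body of send_request continues past the end of the hunk.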
@@ -24,6 +24,7 @@ payloads: headers: User-Agent: "{user_agent}" ssl: false + url_raw: true url: nettacker_fuzzer: input_format: "{{schema}}://{target}:{{ports}}/{{path}}" From 2cc2b2c39056764afb67377f3d278d6661b08ee5 Mon Sep 17 00:00:00 2001 From: juandiego-bmu Date: Sun, 26 Apr 2026 14:48:04 +0200 Subject: [PATCH 2/2] test(schema): allow url_raw key in HTTP_STEP_SCHEMA The schema validator in test_yaml_schema_and_regex.py rejects unknown keys. Add url_raw as Optional(bool) so modules that opt in to raw URL preservation pass schema validation. --- tests/test_yaml_schema_and_regex.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/test_yaml_schema_and_regex.py b/tests/test_yaml_schema_and_regex.py index d1b45cd8f..ab6b0ae36 100644 --- a/tests/test_yaml_schema_and_regex.py +++ b/tests/test_yaml_schema_and_regex.py @@ -69,6 +69,7 @@ def is_valid_regex(regex: str) -> bool: Optional("timeout"): int, Optional("allow_redirects"): bool, Optional("ssl"): bool, + Optional("url_raw"): bool, Optional("data"): object, Optional("json"): object, Optional("ports"): object,
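Review bot: The new `url_raw: true` key has no comment saying why this step needs it, so a later clean-up could drop it with nothing in the module indicating that the check then stops working. A one-line YAML comment above the key would record the reason, e.g. `# url_raw: the path must reach the server byte-for-byte; default URL handling normalises it`. The commit description refers to further affected modules that this series does not touch, so the PR should state whether those follow separately. The step this key belongs to begins above the hunk.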
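Review bot: The series permits `url_raw` in the schema but adds no test for the new branch in send_request, so nothing verifies that the URL handed to aiohttp keeps its encoded path when the flag is set, or that requests without the flag are unchanged. A small unit test could assert on the object the branch builds, for example `assert URL(raw, encoded=True).raw_path == expected_path`, next to a check that a step without `url_raw` still passes a plain `str`. The schema dict starts and ends outside the hunk.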