网站sourcemap文件泄露检测器
- // ==UserScript==
- // @name sourcemap-searcher
- // @namespace http://tampermonkey.net/
- // @version 0.1
- // @description 网站sourcemap文件泄露检测器
- // @author wuuconix
- // @include *
- // @icon https://www.google.com/s2/favicons?sz=64&domain=wuuconix.link
- // @grant none
- // @license MIT
- // ==/UserScript==
- var judge = (url, protocol, origin, href) => {
- if (url.startsWith("//")) { //省略协议的写法
- url = `${protocol}${url}`
- } else if (url.startsWith("/")) { //文件位于网站根目录
- url = `${origin}${url}`
- } else if (url.startsWith("./")) { //使用相对路径
- url = href.slice(0, href.lastIndexOf("/")) + url.slice(1)
- } else if (!url.startsWith("http")) { //相对路径的js文件加上origin 构造完整url
- url = href.slice(0, href.lastIndexOf("/")) + "/" + url
- }
- if (url.includes("?")) { //针对那些后面有query的文件 比如index.js?max_age=31536000
- url = url.slice(0, url.indexOf("?"))
- }
- if ((url.endsWith(".js") && !url.endsWith(".min.js")) || (url.endsWith(".css") && !url.endsWith(".min.css"))) { //加上.map构造出sourcemap文件路径
- url = `${url}.map`
- console.log(url)
- fetch(url).then(res => {
- if (res.status == 200) {
- console.log(`------bingo------\n${url} 疑似存在sourcemap文件泄露\n`)
- }
- }).catch(e => {
- console.log(`fetch ${url} 失败: ${e}`)
- })
- }
- }
- var sms = () => {
- const scripts = document.querySelectorAll("script")
- const links = document.querySelectorAll("link")
- const { protocol, origin, href } = window.location //包含协议和域名
- for (let { src } of scripts) {
- judge(src, protocol, origin, href)
- }
- for (let { href: src } of links) {
- judge(src, protocol, origin, href)
- }
- }
- window.sms = sms
