Add XPath handling and move Semver to search package (#395)

* Add XPath handling and move Semver to search package

Author: terrorbyte

framework.go

@@ -72,6 +72,7 @@ import (
 	"time"
 
 	"github.com/Masterminds/semver"
+
 	"github.com/vulncheck-oss/go-exploit/c2"
 	"github.com/vulncheck-oss/go-exploit/c2/channel"
 	"github.com/vulncheck-oss/go-exploit/cli"
@@ -433,6 +434,9 @@ func StoreVersion(conf *config.Config, version string) {
 // Provide a version string and a constraint and if the semver is within the constraint a boolean
 // response of whether the version is constrained or not will occur. Any errors from the constraint
 // or version will propagate through the framework errors and the value will be false.
+//
+// Deprecated: The location of the version checking in this package made little sense, with the
+// addition of the search package this function should be used from that package.
 func CheckSemVer(version string, constraint string) bool {
 	c, err := semver.NewConstraint(constraint)
 	if err != nil {

go.mod

@@ -4,6 +4,7 @@ go 1.24.1
 
 require (
 	github.com/Masterminds/semver v1.5.0
+	github.com/antchfx/htmlquery v1.3.4
 	github.com/lor00x/goldap v0.0.0-20240304151906-8d785c64d1c8
 	github.com/vjeantet/ldapserver v1.0.2-0.20240305064909-a417792e2906
 	golang.org/x/crypto v0.39.0
@@ -13,7 +14,9 @@ require (
 )
 
 require (
+	github.com/antchfx/xpath v1.3.3 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect

go.sum

@@ -1,7 +1,14 @@
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
+github.com/antchfx/htmlquery v1.3.4 h1:Isd0srPkni2iNTWCwVj/72t7uCphFeor5Q8nCzj1jdQ=
+github.com/antchfx/htmlquery v1.3.4/go.mod h1:K9os0BwIEmLAvTqaNSua8tXLWRWZpocZIH73OzWQbwM=
+github.com/antchfx/xpath v1.3.3 h1:tmuPQa1Uye0Ym1Zn65vxPgfltWb/Lxu2jeqIGteJSRs=
+github.com/antchfx/xpath v1.3.3/go.mod h1:i54GszH55fYfBmoZXapTHN8T8tkcHfRgLyVwwqzXNcs=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -17,23 +24,87 @@ github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/vjeantet/ldapserver v1.0.2-0.20240305064909-a417792e2906 h1:qHFp1iRg6qE8xYel3bQT9x70pyxsdPLbJnM40HG3Oig=
 github.com/vjeantet/ldapserver v1.0.2-0.20240305064909-a417792e2906/go.mod h1:YvUqhu5vYhmbcLReMLrm/Tq3S7Yj43kSVFvvol6Lh6k=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
 golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
 golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM=
 golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5NjCrhFrqg6A5zA2E/iPHPhqnS8=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
 golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
 golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
 golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
 golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 modernc.org/cc/v4 v4.26.1 h1:+X5NtzVBn0KgsBCBe+xkDC7twLb/jNVj9FPgiwSQO3s=
 modernc.org/cc/v4 v4.26.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
 modernc.org/ccgo/v4 v4.28.0 h1:rjznn6WWehKq7dG4JtLRKxb52Ecv8OUGah8+Z/SfpNU=

search/search_test.go

@@ -0,0 +1,100 @@
+package search_test
+
+import (
+	"testing"
+
+	"github.com/vulncheck-oss/go-exploit/search"
+)
+
+var htmlTestOIDC = `<html><head><meta http-equiv='X-UA-Compatible' content='IE=edge' /><base target='_self'/></head><html><form method='post' action='https://xp0.sc/identity/signin'><input type='hidden' name='code' value='23431FCD6CA15658D8267B3A8013D2F013AA32CF38B20E59EA9C1529DFAF44FD-1' />
+<input type='hidden' name='id_token' value='eyJhbGciOiJSUzI1NiIsImtpZCI6IjI4OEI4MEQ5RDMzRDZDNkY2MDgzMjY2MENCMzdEREJCRDdGNDFFMjVSUzI1NiIsIng1dCI6IktJdUEyZE05Ykc5Z2d5Wmd5emZkdTlmMEhpVSIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL3hwMC5pZGVudGl0eXNlcnZlciIsIm5iZiI6MTc1MDcxOTYzMywiaWF0IjoxNzUwNzE5NjMzLCJleHAiOjE3NTA3MjExMzMsImF1ZCI6IlNpdGVjb3JlIiwiYW1yIjpbInB3ZCJdLCJub25jZSI6IjYzODg2MzE0ODM4NzM0MDYwMy5ZVFl3TnpFMk5UZ3RNR1V3WXkwMFl6TXpMVGcwTURZdE1tVXdZVFJqT1dJNFlUVTNZbVZoWkdNM05qSXRNamRrWVMwMFlUWmlMV0V3TXprdE1qYzJNRFU0T1dObU1UZzEiLCJhdF9oYXNoIjoiTlFnT0xERm5EQWZCYXJ3RS1hQzIzQSIsImNfaGFzaCI6IlZRdVhKZ1hsdE8zUlZYWXFWZnJ4V1EiLCJzaWQiOiJFOTU2RjYyNEFEMUNDMjVGQUY1MEM4NjNDNEEzQ0ZBQSIsInN1YiI6IjQ4MjZkOGY3NTZkNDQ1ZGM5YTE5MmE5MzVhYjA4MjQ4IiwiYXV0aF90aW1lIjoxNzUwNzE5NDkwLCJpZHAiOiJsb2NhbCJ9.QJTHf8jiXVkVY95NS_pV2dZcbFuohQyQNEIU7MM4VPxFNTN7toAoOGLCMuncGJHfHu2IA0lnj0OMK11eS-4ONiJ4Qzq08M2hP-5kv0XFiSgJeoAG-8AEEzTdO6Ag_IznEpStKmGxoq7ojrDUZrsgg5e7FSxnJiFtWinvUJrGvrjQ0XIvMMMTLgxlXlSXf3dy6t93Kge8CI3tVUKqfQ_EfTxf7CJ2dm2vcDgRxDj0qc7edIuSq9_w55Aj6o0mToNfyqlhx3q8emSfQSutGj4Hp3zHYWeoD6OhrHhn5lB1OJ4Jq8zvh_SUC5pL1mCpTL7C2crlvywQBTYCv4smaxLz1Q' />
+<input type='hidden' name='access_token' value='eyJhbGciOiJSUzI1NiIsImtpZCI6IjI4OEI4MEQ5RDMzRDZDNkY2MDgzMjY2MENCMzdEREJCRDdGNDFFMjVSUzI1NiIsIng1dCI6IktJdUEyZE05Ykc5Z2d5Wmd5emZkdTlmMEhpVSIsInR5cCI6ImF0K2p3dCJ9.eyJpc3MiOiJodHRwczovL3hwMC5pZGVudGl0eXNlcnZlciIsIm5iZiI6MTc1MDcxOTYzMywiaWF0IjoxNzUwNzE5NjMzLCJleHAiOjE3NTA3MjMyMzMsImF1ZCI6Imh0dHBzOi8veHAwLmlkZW50aXR5c2VydmVyL3Jlc291cmNlcyIsInNjb3BlIjpbIm9wZW5pZCIsInNpdGVjb3JlLnByb2ZpbGUiXSwiYW1yIjpbInB3ZCJdLCJjbGllbnRfaWQiOiJTaXRlY29yZSIsInN1YiI6IjQ4MjZkOGY3NTZkNDQ1ZGM5YTE5MmE5MzVhYjA4MjQ4IiwiYXV0aF90aW1lIjoxNzUwNzE5NDkwLCJpZHAiOiJsb2NhbCIsInNpZCI6IkU5NTZGNjI0QUQxQ0MyNUZBRjUwQzg2M0M0QTNDRkFBIiwianRpIjoiMjcxMEY1MDRBMTZBMjY1OUVDNUQzMDhDQ0RFQUM2RDgifQ.KRYVImxWFfCG482guoXBi86EuirC6g4HuqZP4mJrug0Z7fTgnXL6RuDkJ-AwR3ok9o5kDI71y5Eo7IVx50VQnhvsgeelHIF_XN1_oOrPg3wB5Aj7VWSiimHEAb1Nf5iMDzZJVMeyiRKcv-AYizR7b9dpePoQNb6xiRHClELWK5_gS1sLh28matOhvnB9aYte2ycdUxMbcwi8TaKPtrvFitp4LSmQbJXDfAAV3KId2OwJ8t6Y3LN8PxPMMjG1y1wl3fI1o-y09X9mQ-9UPnNTViyPMy9Q-TP9GzirEro6TlK2i0lkeuaFldsfVT0I-xGCrECKT0yXF4YkYESG5pY2sg' />
+<input type='hidden' name='token_type' value='Bearer' />
+<input type='hidden' name='expires_in' value='3600' />
+<input type='hidden' name='scope' value='openid sitecore.profile' />
+<input type='hidden' name='state' value='OpenIdConnect.AuthenticationProperties=POHfd7aul1EaHTEMbw6KaGMlXt3HbsjWv5zXk0cC6JXcLuCVeyp-dN8jqrWF7GM976vk64kCVEQ1hitngF-m6_qOnywZuEwq67v2Li3WLXcZA4uH8CpUAF5xhYAVKU0E0tx6Wtd6gbrT_s-oQc8-RgfZuE7uTSzS7lyjA4P3uBCIOt0kbQ3IRFBeYVUPDe2RyOzAPtghNVdFsPGXgv2SNoZj4rSX27uvCkcalg0tuRI' />
+<input type='hidden' name='session_state' value='OH1VzekymvxjsmB3e2EckAKOYVApIi5E-5KeXY4gc0U.6D0FC8F5AC27A7E35229745BB9FE1108' />
+<noscript><button>Click to continue</button></noscript></form><script>window.addEventListener('load', function(){document.forms[0].submit();});</script></html>`
+
+func TestCheckSemVer_Full(t *testing.T) {
+	if !search.CheckSemVer("1.0.0", "<= 1.0.0") {
+		t.Error("Constraint should have passed")
+	}
+	if search.CheckSemVer("1.0.0", "> 1.0.0") {
+		t.Error("Constraint should not have passed")
+	}
+}
+
+func TestCheckSemVer_BadVersion(t *testing.T) {
+	if search.CheckSemVer("uwu", "<= 1.0.0") {
+		t.Error("Version was invalid, should not have passed")
+	}
+	if search.CheckSemVer("1.0.0 ", "<= 1.0.0") {
+		t.Error("Version was invalid, should not have passed")
+	}
+}
+
+func TestCheckSemVer_BadConstraint(t *testing.T) {
+	if search.CheckSemVer("1.0.0", "<== 1.0.0") {
+		t.Error("Constraint was invalid, should not have passed")
+	}
+	if search.CheckSemVer("1.0.0", "xp") {
+		t.Error("Constraint was invalid, should not have passed")
+	}
+}
+
+func TestXPath_Node(t *testing.T) {
+	c, ok := search.XPath(htmlTestOIDC, `//script`)
+	if !ok {
+		t.Error("Could not find HTML attribute")
+	}
+	if c != `window.addEventListener('load', function(){document.forms[0].submit();});` {
+		t.Error("XPath node value did not match")
+	}
+}
+
+func TestXPath_NodeMultiple(t *testing.T) {
+	c, ok := search.XPath(htmlTestOIDC, `//input/@value`)
+	if !ok {
+		t.Error("Could not find HTML attribute")
+	}
+	if c != `23431FCD6CA15658D8267B3A8013D2F013AA32CF38B20E59EA9C1529DFAF44FD-1` {
+		t.Error("XPath node value did not match")
+	}
+}
+
+func TestXPathAll_NodeMultiple(t *testing.T) {
+	c, ok := search.XPathAll(htmlTestOIDC, `//input/@value`)
+	if !ok {
+		t.Error("Could not find HTML attribute")
+	}
+	if len(c) != 8 {
+		t.Error("Unexpected amount of matched nodes")
+	}
+}
+
+func TestXPath_Attributes(t *testing.T) {
+	var c string
+	var ok bool
+	c, ok = search.XPath(htmlTestOIDC, `//input[@name="code"]/@value`)
+	if !ok {
+		t.Error("Could not find HTML attribute")
+	}
+	if c != `23431FCD6CA15658D8267B3A8013D2F013AA32CF38B20E59EA9C1529DFAF44FD-1` {
+		t.Error("XPath `code` did not match")
+	}
+	c, ok = search.XPath(htmlTestOIDC, `//input[@name="id_token"]/@value`)
+	if !ok {
+		t.Error("Could not find HTML attribute")
+	}
+	if c != `eyJhbGciOiJSUzI1NiIsImtpZCI6IjI4OEI4MEQ5RDMzRDZDNkY2MDgzMjY2MENCMzdEREJCRDdGNDFFMjVSUzI1NiIsIng1dCI6IktJdUEyZE05Ykc5Z2d5Wmd5emZkdTlmMEhpVSIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL3hwMC5pZGVudGl0eXNlcnZlciIsIm5iZiI6MTc1MDcxOTYzMywiaWF0IjoxNzUwNzE5NjMzLCJleHAiOjE3NTA3MjExMzMsImF1ZCI6IlNpdGVjb3JlIiwiYW1yIjpbInB3ZCJdLCJub25jZSI6IjYzODg2MzE0ODM4NzM0MDYwMy5ZVFl3TnpFMk5UZ3RNR1V3WXkwMFl6TXpMVGcwTURZdE1tVXdZVFJqT1dJNFlUVTNZbVZoWkdNM05qSXRNamRrWVMwMFlUWmlMV0V3TXprdE1qYzJNRFU0T1dObU1UZzEiLCJhdF9oYXNoIjoiTlFnT0xERm5EQWZCYXJ3RS1hQzIzQSIsImNfaGFzaCI6IlZRdVhKZ1hsdE8zUlZYWXFWZnJ4V1EiLCJzaWQiOiJFOTU2RjYyNEFEMUNDMjVGQUY1MEM4NjNDNEEzQ0ZBQSIsInN1YiI6IjQ4MjZkOGY3NTZkNDQ1ZGM5YTE5MmE5MzVhYjA4MjQ4IiwiYXV0aF90aW1lIjoxNzUwNzE5NDkwLCJpZHAiOiJsb2NhbCJ9.QJTHf8jiXVkVY95NS_pV2dZcbFuohQyQNEIU7MM4VPxFNTN7toAoOGLCMuncGJHfHu2IA0lnj0OMK11eS-4ONiJ4Qzq08M2hP-5kv0XFiSgJeoAG-8AEEzTdO6Ag_IznEpStKmGxoq7ojrDUZrsgg5e7FSxnJiFtWinvUJrGvrjQ0XIvMMMTLgxlXlSXf3dy6t93Kge8CI3tVUKqfQ_EfTxf7CJ2dm2vcDgRxDj0qc7edIuSq9_w55Aj6o0mToNfyqlhx3q8emSfQSutGj4Hp3zHYWeoD6OhrHhn5lB1OJ4Jq8zvh_SUC5pL1mCpTL7C2crlvywQBTYCv4smaxLz1Q` {
+		t.Error("XPath `id_token` did not match")
+	}
+	c, ok = search.XPath(htmlTestOIDC, `//input[@name="access_token"]/@value`)
+	if !ok {
+		t.Error("Could not find HTML attribute")
+	}
+	if c != `eyJhbGciOiJSUzI1NiIsImtpZCI6IjI4OEI4MEQ5RDMzRDZDNkY2MDgzMjY2MENCMzdEREJCRDdGNDFFMjVSUzI1NiIsIng1dCI6IktJdUEyZE05Ykc5Z2d5Wmd5emZkdTlmMEhpVSIsInR5cCI6ImF0K2p3dCJ9.eyJpc3MiOiJodHRwczovL3hwMC5pZGVudGl0eXNlcnZlciIsIm5iZiI6MTc1MDcxOTYzMywiaWF0IjoxNzUwNzE5NjMzLCJleHAiOjE3NTA3MjMyMzMsImF1ZCI6Imh0dHBzOi8veHAwLmlkZW50aXR5c2VydmVyL3Jlc291cmNlcyIsInNjb3BlIjpbIm9wZW5pZCIsInNpdGVjb3JlLnByb2ZpbGUiXSwiYW1yIjpbInB3ZCJdLCJjbGllbnRfaWQiOiJTaXRlY29yZSIsInN1YiI6IjQ4MjZkOGY3NTZkNDQ1ZGM5YTE5MmE5MzVhYjA4MjQ4IiwiYXV0aF90aW1lIjoxNzUwNzE5NDkwLCJpZHAiOiJsb2NhbCIsInNpZCI6IkU5NTZGNjI0QUQxQ0MyNUZBRjUwQzg2M0M0QTNDRkFBIiwianRpIjoiMjcxMEY1MDRBMTZBMjY1OUVDNUQzMDhDQ0RFQUM2RDgifQ.KRYVImxWFfCG482guoXBi86EuirC6g4HuqZP4mJrug0Z7fTgnXL6RuDkJ-AwR3ok9o5kDI71y5Eo7IVx50VQnhvsgeelHIF_XN1_oOrPg3wB5Aj7VWSiimHEAb1Nf5iMDzZJVMeyiRKcv-AYizR7b9dpePoQNb6xiRHClELWK5_gS1sLh28matOhvnB9aYte2ycdUxMbcwi8TaKPtrvFitp4LSmQbJXDfAAV3KId2OwJ8t6Y3LN8PxPMMjG1y1wl3fI1o-y09X9mQ-9UPnNTViyPMy9Q-TP9GzirEro6TlK2i0lkeuaFldsfVT0I-xGCrECKT0yXF4YkYESG5pY2sg` {
+		t.Error("XPath `access_token` did not match")
+	}
+}

search/semver.go

@@ -0,0 +1,27 @@
+package search
+
+import (
+	"github.com/Masterminds/semver"
+	"github.com/vulncheck-oss/go-exploit/output"
+)
+
+// Compare a version to a semantic version constraint using the [Masterminds semver constraints](https://github.com/Masterminds/semver?tab=readme-ov-file#checking-version-constraints).
+// Provide a version string and a constraint and if the semver is within the constraint a boolean
+// response of whether the version is constrained or not will occur. Any errors from the constraint
+// or version will propagate through the framework errors and the value will be false.
+func CheckSemVer(version string, constraint string) bool {
+	c, err := semver.NewConstraint(constraint)
+	if err != nil {
+		output.PrintfFrameworkError("Invalid constraint: %s", err.Error())
+
+		return false
+	}
+	v, err := semver.NewVersion(version)
+	if err != nil {
+		output.PrintfFrameworkError("Invalid version: %s", err.Error())
+
+		return false
+	}
+
+	return c.Check(v)
+}