A wrapper around grep to avoid typing common patterns.
This repo was abandoned by the great tomnomnom. I will try to add some rules and keep it updated (at least the installation instructions)
If you've got Go installed and configured you can install gf with:
go install github.com/pdelteil/gf@latest
Tested with go version go1.21.3. If you have an older version try updating using this.
# installation path of module
export GO111MODULE=on
module_path=$(go list -m -f '{{.Dir}}' github.com/pdelteil/gf@latest)
echo "source $module_path/gf-completion.bash" >> ~/.bashrc
source ~/.bashrc
#copy example pattern files to `~/.gf`
cp -r $module_path/patterns/* ~/.gf
gf php-errors file
gf -list
gf -dump pattern
gf -save pattern-name flags 'search-pattern'
With the flag dump you can check the resulting command created by a pattern:
gf -dump xss
grep -iE "(q=|s=|search=|lang=|keyword=|query=|page=|keywords=|year=|view=|email=|type=|name=|p=|callback=|jsonp=|api_key=|api=|password=|email=|emailto=|token=|username=|csrf_token=|unsubscribe_token=|id=|item=|page_id=|month=|immagine=|list_type=|url=|terms=|categoryid=|key=|l=|begindate=|enddate=)" .
When auditing code bases, looking at the output of meg, or just generally dealing with large amounts of data. I often end up using fairly complex patterns like this one:
▶ grep -HnrE '(\$_(POST|GET|COOKIE|REQUEST|SERVER|FILES)|php://(input|stdin))' *
So the above command becomes simply:
▶ gf php-sources
The pattern definitions are stored in ~/.gf as little JSON files:
▶ cat ~/.gf/php-sources.json
{
"flags": "-HnrE",
"pattern": "(\\$_(POST|GET|COOKIE|REQUEST|SERVER|FILES)|php://(input|stdin))"
}
To help reduce pattern length and complexity, you can specify a list of multiple patterns:
▶ cat ~/.gf/php-sources-multiple.json
{
"flags": "-HnrE",
"patterns": [
"\\$_(POST|GET|COOKIE|REQUEST|SERVER|FILES)",
"php://(input|stdin)"
]
}
There are some more example pattern files in the pattern directory.
You can use the -save flag to create pattern files from the command line:
▶ gf -save php-serialized -HnrE '(a:[0-9]+:{|O:[0-9]+:"|s:[0-9]+:")'
There's an auto-complete script included, so you can hit 'tab' to show you what your options are:
▶ gf <tab>
base64 debug-pages fw php-curl php-errors php-sinks php-sources sec takeovers urls
There are some amazing code searching engines out there that can be a better replacement for grep.
A good example is the silver searcher.
It's faster and presents the results in a more visually digestible manner.
In order to utilize a different engine, add engine: <other tool> to the relevant pattern file:
# Using the silver searcher instead of grep for the aws-keys pattern:
# 1. Adding "ag" engine
# 2. Removing the E flag which is irrelevant for ag
{
"engine": "ag",
"flags": "-Hanr",
"pattern": "([^A-Z0-9]|^)(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{12,}"
}- Note: Different engines use different flags, so in the example above, the flag
Ehas to be removed from theaws-keys.jsonfile in order for ag to run.
Interested in new pattern files! Bug fixes are also welcome as always :)