From 7003a0e4a1269db53916f72d3e44a1b848bd82fb Mon Sep 17 00:00:00 2001 From: Guy Levinger Date: Mon, 16 May 2022 17:45:34 +0300 Subject: [PATCH] Dev (#25) * added check and stuff * Working on adding a new active test and diving into schemes. * slow progress on active tests * refactor structure for crates.io deployment. added `auth.rs` - unused * removed misconfigured tests from active tests * fixed version numbers * fixed version numbers 2 * Update main.rs * Update Cargo.toml * Update Cargo.toml * Update checks.rs Co-authored-by: raz Co-authored-by: raz --- Cargo.lock | 340 ++++++++++-------- Cargo.toml | 48 +++ cli/Cargo.toml | 4 +- cli/src/auth.rs | 172 +++++++++ cli/src/lib.rs | 2 + cli/src/main.rs | 2 +- swagger/src/lib.rs | 2 +- swagger/src/main.rs | 14 +- swagger/src/scan/active/additional_checks.rs | 18 +- swagger/src/scan/active/mod.rs | 4 +- swagger/src/scan/checks.rs | 7 +- swagger/src/scan/macros.rs | 4 +- swagger/src/scan/mod.rs | 4 +- swagger/src/scan/passive/additional_checks.rs | 68 ++-- swagger/src/scan/print.rs | 13 +- swagger/src/schema.rs | 3 + swagger/swagger3.json | 10 + 17 files changed, 501 insertions(+), 214 deletions(-) create mode 100644 cli/src/auth.rs diff --git a/Cargo.lock b/Cargo.lock index 0983ac6..ea3f434 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -81,10 +81,12 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "cherrybomb" -version = "0.6.0" +version = "0.7.0" dependencies = [ "attacker", + "base64", "clap", + "cli", "colored", "decider", "dirs", @@ -94,9 +96,14 @@ dependencies = [ "hyper", "hyper-rustls 0.23.0 (git+https://github.com/rustls/hyper-rustls)", "mapper", + "regex", + "reqwest", "serde", "serde_json", + "serde_with", "serde_yaml", + "strum", + "strum_macros", "swagger", "tokio", "url", 
@@ -105,16 +112,16 @@ dependencies = [ [[package]] name = "clap" -version = "3.1.8" +version = "3.1.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "71c47df61d9e16dc010b55dba1952a57d8c215dbb533fd13cdd13369aac73b1c" +checksum = "d2dbdf4bdacb33466e854ce889eee8dfd5729abf7ccd7664d0a2d60cd384440b" dependencies = [ "atty", "bitflags", "clap_derive", + "clap_lex", "indexmap", "lazy_static", - "os_str_bytes", "strsim", "termcolor", "textwrap", @@ -122,9 +129,9 @@ dependencies = [ [[package]] name = "clap_derive" -version = "3.1.7" +version = "3.1.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a3aab4734e083b809aaf5794e14e756d1c798d2c69c7f7de7a09a2f5214993c1" +checksum = "25320346e922cffe59c0bbc5410c8d8784509efb321488971081313cb1e1a33c" dependencies = [ "heck 0.4.0", "proc-macro-error", @@ -133,6 +140,39 @@ dependencies = [ "syn", ] +[[package]] +name = "clap_lex" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a37c35f1112dad5e6e0b1adaff798507497a18fceeb30cceb3bae7d1427b9213" +dependencies = [ + "os_str_bytes", +] + +[[package]] +name = "cli" +version = "0.7.0" +dependencies = [ + "attacker", + "clap", + "colored", + "decider", + "dirs", + "futures", + "futures-util", + "httparse", + "hyper", + "hyper-rustls 0.23.0 (git+https://github.com/rustls/hyper-rustls)", + "mapper", + "serde", + "serde_json", + "serde_yaml", + "swagger", + "tokio", + "url", + "uuid", +] + [[package]] name = "colored" version = "2.0.0" @@ -162,9 +202,9 @@ checksum = "5827cebf4670468b8772dd191856768aedcb1b0278a04f989f7766351917b9dc" [[package]] name = "darling" -version = "0.13.1" +version = "0.13.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d0d720b8683f8dd83c65155f0530560cba68cd2bf395f6513a483caee57ff7f4" +checksum = "a01d95850c592940db9b8194bc39f4bc0e89dee5c4265e4b1807c34a9aba453c" dependencies = [ "darling_core", "darling_macro", 
@@ -172,9 +212,9 @@ dependencies = [ [[package]] name = "darling_core" -version = "0.13.1" +version = "0.13.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a340f241d2ceed1deb47ae36c4144b2707ec7dd0b649f894cb39bb595986324" +checksum = "859d65a907b6852c9361e3185c862aae7fafd2887876799fa55f5f99dc40d610" dependencies = [ "fnv", "ident_case", @@ -186,9 +226,9 @@ dependencies = [ [[package]] name = "darling_macro" -version = "0.13.1" +version = "0.13.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72c41b3b7352feb3211a0d743dc5700a4e3b60f51bd2b368892d1e0f9a95f44b" +checksum = "9c972679f83bdf9c42bd905396b6c3588a843a17f0f16dfcfa3e2c5d57441835" dependencies = [ "darling_core", "quote", @@ -226,9 +266,9 @@ dependencies = [ [[package]] name = "encoding_rs" -version = "0.8.30" +version = "0.8.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7896dc8abb250ffdda33912550faa54c88ec8b998dec0b2c55ab224921ce11df" +checksum = "9852635589dc9f9ea1b6fe9f05b50ef208c85c834a562f0c6abb1c475736ec2b" dependencies = [ "cfg-if", ] @@ -340,9 +380,9 @@ dependencies = [ [[package]] name = "getrandom" -version = "0.2.5" +version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d39cd93900197114fa1fcb7ae84ca742095eed9442088988ae74fa744e930e77" +checksum = "9be70c98951c83b8d2f8f60d7065fa6d5146873094452a1008da8c2f1e4205ad" dependencies = [ "cfg-if", "libc", @@ -351,9 +391,9 @@ dependencies = [ [[package]] name = "h2" -version = "0.3.12" +version = "0.3.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "62eeb471aa3e3c9197aa4bfeabfe02982f6dc96f750486c0bb0009ac58b26d2b" +checksum = "37a82c6d637fc9515a4694bbf1cb2457b79d81ce52b3108bdeea58b07dd34a57" dependencies = [ "bytes", "fnv", 
@@ -400,9 +440,9 @@ dependencies = [ [[package]] name = "http" -version = "0.2.6" +version = "0.2.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "31f4c6746584866f0feabcc69893c5b51beef3831656a968ed7ae254cdc4fd03" +checksum = "ff8670570af52249509a86f5e3e18a08c60b177071826898fde8997cf5f6bfbb" dependencies = [ "bytes", "fnv", @@ -422,9 +462,9 @@ dependencies = [ [[package]] name = "httparse" -version = "1.6.0" +version = "1.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9100414882e15fb7feccb4897e5f0ff0ff1ca7d1a86a23208ada4d7a18e6c6c4" +checksum = "496ce29bb5a52785b44e0f7ca2847ae0bb839c9bd28f69acac9b99d461c0c04c" [[package]] name = "httpdate" @@ -472,7 +512,7 @@ dependencies = [ [[package]] name = "hyper-rustls" version = "0.23.0" -source = "git+https://github.com/rustls/hyper-rustls#56c60ed3f5497caebb3335a4bb9b69cf9f2f69c0" +source = "git+https://github.com/rustls/hyper-rustls#cfaff38c1c0f82526f3addb1524600dd7b81f19c" dependencies = [ "http", "hyper", @@ -502,9 +542,9 @@ dependencies = [ [[package]] name = "indexmap" -version = "1.8.0" +version = "1.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "282a6247722caba404c065016bbfa522806e51714c34f5dfc3e4a3a46fcb4223" +checksum = "0f647032dfaa1f8b6dc29bd3edb7bbef4861b8b8007ebb118d6db284fd59f6ee" dependencies = [ "autocfg", "hashbrown", 
@@ -512,21 +552,21 @@ dependencies = [ [[package]] name = "ipnet" -version = "2.4.0" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35e70ee094dc02fd9c13fdad4940090f22dbd6ac7c9e7094a46cf0232a50bc7c" +checksum = "879d54834c8c76457ef4293a689b2a8c59b076067ad77b15efafbb05f92a592b" [[package]] name = "itoa" -version = "1.0.1" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1aab8fc367588b89dcee83ab0fd66b72b50b72fa1904d7095045ace2b0c81c35" +checksum = "112c678d4050afce233f4f2852bb2eb519230b3cf12f33585275537d7e41578d" [[package]] name = "js-sys" -version = "0.3.56" +version = "0.3.57" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a38fc24e30fd564ce974c02bf1d337caddff65be6cc4735a1f7eab22a7440f04" +checksum = "671a26f820db17c2a2750743f1dd03bafd15b98c9f30c7c2628c024c05d73397" dependencies = [ "wasm-bindgen", ] @@ -539,9 +579,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" [[package]] name = "libc" -version = "0.2.121" +version = "0.2.125" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "efaa7b300f3b5fe8eb6bf21ce3895e1751d9665086af2d64b42f19701015ff4f" +checksum = "5916d2ae698f6de9bfb891ad7a8d65c09d232dc58cc4ac433c7da3b2fd84bc2b" [[package]] name = "linked-hash-map" 
@@ -551,18 +591,19 @@ checksum = "7fb9b38af92608140b86b693604b9ffcc5824240a484d1ecd4795bacb2fe88f3" [[package]] name = "lock_api" -version = "0.4.6" +version = "0.4.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "88943dd7ef4a2e5a4bfa2753aaab3013e34ce2533d1996fb18ef591e315e2b3b" +checksum = "327fa5b6a6940e4699ec49a9beae1ea4845c6bab9314e4f84ac68742139d8c53" dependencies = [ + "autocfg", "scopeguard", ] [[package]] name = "log" -version = "0.4.16" +version = "0.4.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6389c490849ff5bc16be905ae24bc913a9c8892e19b2341dbc175e14c341c2b8" +checksum = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e" dependencies = [ "cfg-if", ] @@ -587,9 +628,9 @@ checksum = "a3e378b66a060d48947b590737b30a1be76706c8dd7b8ba0f2fe3989c68a853f" [[package]] name = "memchr" -version = "2.4.1" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "308cc39be01b73d0d18f82a0e7b2a3df85245f84af96fdddc5d202d27e47b86a" +checksum = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d" [[package]] name = "mime" 
@@ -599,34 +640,14 @@ checksum = "2a60c7ce501c71e03a9c9c0d35b861413ae925bd979cc7a4e30d060069aaac8d" [[package]] name = "mio" -version = "0.8.2" +version = "0.8.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "52da4364ffb0e4fe33a9841a98a3f3014fb964045ce4f7a45a398243c8d6b0c9" +checksum = "713d550d9b44d89174e066b7a6217ae06234c10cb47819a88290d2b353c31799" dependencies = [ "libc", "log", - "miow", - "ntapi", "wasi 0.11.0+wasi-snapshot-preview1", - "winapi", -] - -[[package]] -name = "miow" -version = "0.3.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b9f1c5b025cda876f66ef43a113f91ebc9f4ccef34843000e0adf6ebbab84e21" -dependencies = [ - "winapi", -] - -[[package]] -name = "ntapi" -version = "0.3.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c28774a7fd2fbb4f0babd8237ce554b73af68021b5f695a3cebd6c59bac0980f" -dependencies = [ - "winapi", + "windows-sys", ] [[package]] @@ -653,12 +674,9 @@ checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" [[package]] name = "os_str_bytes" -version = "6.0.0" +version = "6.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e22443d1643a904602595ba1cd8f7d896afe56d26712531c5ff73a15b2fbf64" -dependencies = [ - "memchr", -] +checksum = "029d8d0b2f198229de29dca79676f2738ff952edf3fde542eb8bf94d8c21b435" [[package]] name = "parking_lot" @@ -672,9 +690,9 @@ dependencies = [ [[package]] name = "parking_lot_core" -version = "0.9.1" +version = "0.9.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28141e0cc4143da2443301914478dc976a61ffdb3f043058310c70df2fed8954" +checksum = "09a279cbf25cb0757810394fbc1e359949b59e348145c643a939a525692e6929" dependencies = [ "cfg-if", "libc", 
@@ -691,9 +709,9 @@ checksum = "d4fd5641d01c8f18a23da7b6fe29298ff4b55afcccdf78973b24cf3175fee32e" [[package]] name = "pin-project-lite" -version = "0.2.8" +version = "0.2.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e280fbe77cc62c91527259e9442153f4688736748d24660126286329742b4c6c" +checksum = "e0a7ae3ac2f1173085d398531c705756c94a4c56843785df85a60c1a0afac116" [[package]] name = "pin-utils" @@ -733,18 +751,18 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.36" +version = "1.0.38" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c7342d5883fbccae1cc37a2353b09c87c9b0f3afd73f5fb9bba687a1f733b029" +checksum = "9027b48e9d4c9175fa2218adf3557f91c1137021739951d4932f5f8268ac48aa" dependencies = [ "unicode-xid", ] [[package]] name = "quote" -version = "1.0.16" +version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b4af2ec4714533fcdf07e886f17025ace8b997b9ce51204ee69b6da831c3da57" +checksum = "a1feb54ed693b93a84e14094943b84b7c4eae204c512b7ccb95ab0c66d278ad1" dependencies = [ "proc-macro2", ] @@ -781,18 +799,18 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.2.11" +version = "0.2.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8380fe0152551244f0747b1bf41737e0f8a74f97a14ccefd1148187271634f3c" +checksum = "62f25bc4c7e55e0b0b7a1d43fb893f4fa1361d0abe38b9ce4f323c2adfe6ef42" dependencies = [ "bitflags", ] [[package]] name = "redox_users" -version = "0.4.2" +version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7776223e2696f1aa4c6b0170e83212f47296a00424305117d013dfe86fb0fe55" +checksum = "b033d837a7cf162d7993aded9304e30a83213c648b6e389db233191f891e5c2b" dependencies = [ "getrandom", "redox_syscall", 
@@ -871,9 +889,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.20.4" +version = "0.20.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4fbfeb8d0ddb84706bc597a5574ab8912817c52a397f819e5b614e2265206921" +checksum = "a024a432ae760ab3bff924ad91ce1cfa52cb57ed16e1ef32d0d249cfee1a6c13" dependencies = [ "log", "ring", @@ -883,30 +901,30 @@ dependencies = [ [[package]] name = "rustls-native-certs" -version = "0.6.1" +version = "0.6.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5ca9ebdfa27d3fc180e42879037b5338ab1c040c06affd00d8338598e7800943" +checksum = "0167bac7a9f490495f3c33013e7722b53cb087ecbe082fb0c6387c96f634ea50" dependencies = [ "openssl-probe", - "rustls-pemfile 0.2.1", + "rustls-pemfile 1.0.0", "schannel", "security-framework", ] [[package]] name = "rustls-pemfile" -version = "0.2.1" +version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5eebeaeb360c87bfb72e84abdb3447159c0eaececf1bef2aecd65a8be949d1c9" +checksum = "1ee86d63972a7c661d1536fefe8c3c8407321c3df668891286de28abcd087360" dependencies = [ "base64", ] [[package]] name = "rustls-pemfile" -version = "0.3.0" +version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1ee86d63972a7c661d1536fefe8c3c8407321c3df668891286de28abcd087360" +checksum = "e7522c9de787ff061458fe9a829dc790a3f5b22dc571694fc5883f448b94d9a9" dependencies = [ "base64", ] @@ -919,9 +937,9 @@ checksum = "f2cc38e8fa666e2de3c4aba7edeb5ffc5246c1c2ed0e3d17e560aeeba736b23f" [[package]] name = "ryu" -version = "1.0.9" +version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "73b4b750c782965c211b42f022f59af1fbceabdd026623714f104152f1ec149f" +checksum = "f3f6f92acf49d1b98f7a81226834412ada05458b7364277387724a237f062695" [[package]] name = "schannel" 
@@ -974,18 +992,18 @@ dependencies = [ [[package]] name = "serde" -version = "1.0.136" +version = "1.0.137" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ce31e24b01e1e524df96f1c2fdd054405f8d7376249a5110886fb4b658484789" +checksum = "61ea8d54c77f8315140a05f4c7237403bf38b72704d031543aa1d16abbf517d1" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.136" +version = "1.0.137" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08597e7152fcd306f41838ed3e37be9eaeed2b61c42e2117266a554fab4662f9" +checksum = "1f26faba0c3959972377d3b2d306ee9f71faee9714294e41bb777f83f88578be" dependencies = [ "proc-macro2", "quote", @@ -994,9 +1012,9 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.79" +version = "1.0.81" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e8d9fa5c3b304765ce1fd9c4c8a3de2c8db365a5b91be52f186efc675681d95" +checksum = "9b7ce2b32a1aed03c558dc61a5cd328f15aff2dbc17daad8fb8af04d2100e15c" dependencies = [ "itoa", "ryu", @@ -1017,9 +1035,9 @@ dependencies = [ [[package]] name = "serde_with" -version = "1.12.0" +version = "1.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ec1e6ec4d8950e5b1e894eac0d360742f3b1407a6078a604a731c4b3f49cefbc" +checksum = "b827f2113224f3f19a665136f006709194bdfdcb1fdc1e4b2b5cbac8e0cced54" dependencies = [ "rustversion", "serde", @@ -1028,9 +1046,9 @@ dependencies = [ [[package]] name = "serde_with_macros" -version = "1.5.1" +version = "1.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "12e47be9471c72889ebafb5e14d5ff930d89ae7a67bbdb5f8abb564f845a927e" +checksum = "e182d6ec6f05393cc0e5ed1bf81ad6db3a8feedf8ee515ecdd369809bcce8082" dependencies = [ "darling", "proc-macro2", 
@@ -1040,9 +1058,9 @@ dependencies = [ [[package]] name = "serde_yaml" -version = "0.8.23" +version = "0.8.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a4a521f2940385c165a24ee286aa8599633d162077a54bdcae2a6fd5a7bfa7a0" +checksum = "707d15895415db6628332b737c838b88c598522e4dc70647e59b72312924aebc" dependencies = [ "indexmap", "ryu", @@ -1061,9 +1079,9 @@ dependencies = [ [[package]] name = "slab" -version = "0.4.5" +version = "0.4.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9def91fd1e018fe007022791f865d0ccc9b3a0d5001e01aabb8b40e46000afb5" +checksum = "eb703cfe953bccee95685111adeedb76fabe4e97549a58d16f03ea7b9367bb32" [[package]] name = "smallvec" @@ -1134,9 +1152,9 @@ dependencies = [ [[package]] name = "syn" -version = "1.0.89" +version = "1.0.94" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ea297be220d52398dcc07ce15a209fce436d361735ac1db700cab3b6cdfb9f54" +checksum = "a07e33e919ebcd69113d5be0e4d70c5707004ff45188910106854f38b960df4a" dependencies = [ "proc-macro2", "quote", @@ -1160,18 +1178,18 @@ checksum = "b1141d4d61095b28419e22cb0bbf02755f5e54e0526f97f1e3d1d160e60885fb" [[package]] name = "thiserror" -version = "1.0.30" +version = "1.0.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "854babe52e4df1653706b98fcfc05843010039b406875930a70e4d9644e5c417" +checksum = "bd829fe32373d27f76265620b5309d0340cb8550f523c1dda251d6298069069a" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.30" +version = "1.0.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aa32fd3f627f367fe16f893e2597ae3c05020f8bba2666a4e6ea73d377e5714b" +checksum = "0396bc89e626244658bef819e22d0cc459e795a5ebe878e6ec336d1674a8d79a" dependencies = [ "proc-macro2", "quote", 
@@ -1180,9 +1198,9 @@ dependencies = [ [[package]] name = "tinyvec" -version = "1.5.1" +version = "1.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2c1c1d5a42b6245520c249549ec267180beaffcc0615401ac8e31853d4b6d8d2" +checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50" dependencies = [ "tinyvec_macros", ] @@ -1195,9 +1213,9 @@ checksum = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c" [[package]] name = "tokio" -version = "1.17.0" +version = "1.18.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2af73ac49756f3f7c01172e34a23e5d0216f6c32333757c2c61feb2bbff5a5ee" +checksum = "4903bf0427cf68dddd5aa6a93220756f8be0c34fcfa9f5e6191e103e15a31395" dependencies = [ "bytes", "libc", @@ -1226,9 +1244,9 @@ dependencies = [ [[package]] name = "tokio-rustls" -version = "0.23.3" +version = "0.23.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4151fda0cf2798550ad0b34bcfc9b9dcc2a9d2471c895c68f3a8818e54f2389e" +checksum = "c43ee83903113e03984cb9e5cebe6c04a5116269e900e3ddba8f068a62adda59" dependencies = [ "rustls", "tokio", @@ -1237,16 +1255,16 @@ dependencies = [ [[package]] name = "tokio-util" -version = "0.6.9" +version = "0.7.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e99e1983e5d376cd8eb4b66604d2e99e79f5bd988c3055891dcd8c9e2604cc0" +checksum = "f988a1a1adc2fb21f9c12aa96441da33a1728193ae0b95d2be22dbd17fcb4e5c" dependencies = [ "bytes", "futures-core", "futures-sink", - "log", "pin-project-lite", "tokio", + "tracing", ] [[package]] 
@@ -1257,20 +1275,32 @@ checksum = "360dfd1d6d30e05fda32ace2c8c70e9c0a9da713275777f5a4dbb8a1893930c6" [[package]] name = "tracing" -version = "0.1.32" +version = "0.1.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4a1bdf54a7c28a2bbf701e1d2233f6c77f473486b94bee4f9678da5a148dca7f" +checksum = "5d0ecdcb44a79f0fe9844f0c4f33a342cbcbb5117de8001e6ba0dc2351327d09" dependencies = [ "cfg-if", "pin-project-lite", + "tracing-attributes", "tracing-core", ] +[[package]] +name = "tracing-attributes" +version = "0.1.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cc6b8ad3567499f98a1db7a752b07a7c8c7c7c34c332ec00effb2b0027974b7c" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "tracing-core" -version = "0.1.23" +version = "0.1.26" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aa31669fa42c09c34d94d8165dd2012e8ff3c66aca50f3bb226b68f216f2706c" +checksum = "f54c8ca710e81886d498c2fd3331b56c93aa248d49de2222ad2742247c60072f" dependencies = [ "lazy_static", ] @@ -1283,9 +1313,9 @@ checksum = "59547bce71d9c38b83d9c0e92b6066c4253371f15005def0c30d9657f50c7642" [[package]] name = "unicode-bidi" -version = "0.3.7" +version = "0.3.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a01404663e3db436ed2746d9fefef640d868edae3cceb81c3b8d5732fda678f" +checksum = "099b7128301d285f79ddd55b9a83d5e6b9e97c92e0ea0daebee7263e932de992" [[package]] name = "unicode-normalization" @@ -1304,9 +1334,9 @@ checksum = "7e8820f5d777f6224dc4be3632222971ac30164d4a258d595640799554ebfd99" [[package]] name = "unicode-xid" -version = "0.2.2" +version = "0.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3" +checksum = "957e51f3646910546462e67d5f7599b9e4fb8acdd304b087a6494730f9eebf04" [[package]] name = "untrusted" 
@@ -1366,9 +1396,9 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" [[package]] name = "wasm-bindgen" -version = "0.2.79" +version = "0.2.80" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "25f1af7423d8588a3d840681122e72e6a24ddbcb3f0ec385cac0d12d24256c06" +checksum = "27370197c907c55e3f1a9fbe26f44e937fe6451368324e009cba39e139dc08ad" dependencies = [ "cfg-if", "wasm-bindgen-macro", @@ -1376,9 +1406,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-backend" -version = "0.2.79" +version = "0.2.80" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8b21c0df030f5a177f3cba22e9bc4322695ec43e7257d865302900290bcdedca" +checksum = "53e04185bfa3a779273da532f5025e33398409573f348985af9a1cbf3774d3f4" dependencies = [ "bumpalo", "lazy_static", @@ -1391,9 +1421,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-futures" -version = "0.4.29" +version = "0.4.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2eb6ec270a31b1d3c7e266b999739109abce8b6c87e4b31fcfcd788b65267395" +checksum = "6f741de44b75e14c35df886aff5f1eb73aa114fa5d4d00dcd37b5e01259bf3b2" dependencies = [ "cfg-if", "js-sys", @@ -1403,9 +1433,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.79" +version = "0.2.80" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2f4203d69e40a52ee523b2529a773d5ffc1dc0071801c87b3d270b471b80ed01" +checksum = "17cae7ff784d7e83a2fe7611cfe766ecf034111b49deb850a3dc7699c08251f5" dependencies = [ "quote", "wasm-bindgen-macro-support", 
@@ -1413,9 +1443,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.79" +version = "0.2.80" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bfa8a30d46208db204854cadbb5d4baf5fcf8071ba5bf48190c3e59937962ebc" +checksum = "99ec0dc7a4756fffc231aab1b9f2f578d23cd391390ab27f952ae0c9b3ece20b" dependencies = [ "proc-macro2", "quote", @@ -1426,15 +1456,15 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.79" +version = "0.2.80" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d958d035c4438e28c70e4321a2911302f10135ce78a9c7834c0cab4123d06a2" +checksum = "d554b7f530dee5964d9a9468d95c1f8b8acae4f282807e7d27d4b03099a46744" [[package]] name = "web-sys" -version = "0.3.56" +version = "0.3.57" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c060b319f29dd25724f09a2ba1418f142f539b2be99fbf4d2d5a8f7330afb8eb" +checksum = "7b17e741662c70c8bd24ac5c5b18de314a2c26c32bf8346ee1e6f53de919c283" dependencies = [ "js-sys", "wasm-bindgen", @@ -1452,9 +1482,9 @@ dependencies = [ [[package]] name = "webpki-roots" -version = "0.22.2" +version = "0.22.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "552ceb903e957524388c4d3475725ff2c8b7960922063af6ce53c9a43da07449" +checksum = "44d8de8415c823c8abd270ad483c6feeac771fad964890779f9a8cb24fbbc1bf" dependencies = [ "webpki", ] @@ -1492,9 +1522,9 @@ checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" [[package]] name = "windows-sys" -version = "0.32.0" +version = "0.36.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3df6e476185f92a12c072be4a189a0210dcdcf512a1891d6dff9edb874deadc6" +checksum = "ea04155a16a59f9eab786fe12a4a450e75cdb175f9e0d80da1e17db09f55b8d2" dependencies = [ "windows_aarch64_msvc", "windows_i686_gnu", 
@@ -1505,33 +1535,33 @@ dependencies = [ [[package]] name = "windows_aarch64_msvc" -version = "0.32.0" +version = "0.36.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8e92753b1c443191654ec532f14c199742964a061be25d77d7a96f09db20bf5" +checksum = "9bb8c3fd39ade2d67e9874ac4f3db21f0d710bee00fe7cab16949ec184eeaa47" [[package]] name = "windows_i686_gnu" -version = "0.32.0" +version = "0.36.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6a711c68811799e017b6038e0922cb27a5e2f43a2ddb609fe0b6f3eeda9de615" +checksum = "180e6ccf01daf4c426b846dfc66db1fc518f074baa793aa7d9b9aaeffad6a3b6" [[package]] name = "windows_i686_msvc" -version = "0.32.0" +version = "0.36.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "146c11bb1a02615db74680b32a68e2d61f553cc24c4eb5b4ca10311740e44172" +checksum = "e2e7917148b2812d1eeafaeb22a97e4813dfa60a3f8f78ebe204bcc88f12f024" [[package]] name = "windows_x86_64_gnu" -version = "0.32.0" +version = "0.36.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c912b12f7454c6620635bbff3450962753834be2a594819bd5e945af18ec64bc" +checksum = "4dcd171b8776c41b97521e5da127a2d86ad280114807d0b2ab1e462bc764d9e1" [[package]] name = "windows_x86_64_msvc" -version = "0.32.0" +version = "0.36.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "504a2476202769977a040c6364301a3f65d0cc9e3fb08600b2bda150a0488316" +checksum = "c811ca4a8c853ef420abd8592ba53ddbbac90410fab6903b3e79972a631f7680" [[package]] name = "winreg" diff --git a/Cargo.toml b/Cargo.toml index 058c239..b530517 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -1,3 +1,25 @@
+[package]
+name = "cherrybomb"
+version = "0.6.1"
+authors = ["BLST Security"]
+description = """
+Cherrybomb is a CLI tool that helps you avoid undefined user behavior by validating your API specifications.
+"""
+documentation = "https://github.com/blst-security/cherrybomb"
+homepage = "https://blstsecurity.com/"
+repository = "https://github.com/blst-security/cherrybomb"
+keywords = ["API","security","OAS","Open API Specefication", "specifications", "CLI", "OpenAPI", "OAS", "business logic", "scanning"]
+categories = ["command-line-utilities","web-programming"]
+license = "Apache-2.0"
+edition = "2021"
+
+
+
+[[bin]]
+name = "cherrybomb"
+path = "cli/src/main.rs"
+test = false
+
 [workspace]
 members = [
@@ -7,6 +29,32 @@ members = [
 "attacker",
 "swagger",
 ]
+[dependencies]
+cli = {version="0.6",path="cli"}
+mapper = {path="./mapper"}
+attacker = {path="./attacker"}
+decider = {path="./decider"}
+ swagger = {path="./swagger"}
+clap = { version = "^3", features = ["derive"] }
+uuid = { version = "0.8", features = ["v4","serde"] }
+serde = { version = "^1.0", features = ["derive"] }
+serde_json = "1.0"
+tokio = { version = "^1.0", features = ["full"] }
+futures = "0.3"
+futures-util = { version = "^0.3", default-features = false, features = ["alloc"] }
+colored = "2.0.0"
+url = { version = "2" }
+hyper = { version = "^0.14", features = ["http2"] }
+hyper-rustls = { git = "https://github.com/rustls/hyper-rustls", features = ["http2"] }
+httparse = "1.5.1"
+dirs="^4"
+serde_yaml="^0.8"
+reqwest = { version = "^0.11",default_features = false, features = ["json","rustls-tls"] }
+strum = "0.23"
+strum_macros = "0.23"
+base64 = "0.13.0"
+regex = "1"
+serde_with = "1.11.0"
 [profile.release]
 opt-level = 3
diff --git a/cli/Cargo.toml b/cli/Cargo.toml
index 119e59e..74606d6 100644
--- a/cli/Cargo.toml
+++ b/cli/Cargo.toml
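Review bot: The new `[dependencies]` table pulls `hyper-rustls` from a git URL with no `rev` and no `version`, so the root package builds against whatever that repository's default branch holds, and `cargo publish` (the stated goal of the new `[package]` block above) will refuse the manifest because crates.io requires a version for every dependency. Pin it to the commit the lockfile in this same commit already resolved, `hyper-rustls = { git = "https://github.com/rustls/hyper-rustls", rev = "cfaff38c1c0f82526f3addb1524600dd7b81f19c", features = ["http2"] }`, until a released version can be depended on. Version fields are also inconsistent within the commit: `version = "0.6.1"` and `cli = {version="0.6",path="cli"}` here, while Cargo.lock records `cherrybomb 0.7.0` and `cli 0.7.0`, so the lockfile will be rewritten on the next build. The stray leading space in `+ swagger = {path="./swagger"}` and the `default_features` spelling in the `reqwest` entry (the documented key is `default-features`) are cosmetic but worth fixing in the same pass.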
@@ -1,6 +1,6 @@
 [package]
-name = "cherrybomb"
-version = "0.6.0"
+name = "cli"
+version = "0.6.1"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
diff --git a/cli/src/auth.rs b/cli/src/auth.rs
new file mode 100644
index 0000000..6eba802
--- /dev/null
+++ b/cli/src/auth.rs
@@ -0,0 +1,172 @@
+use colored::*;
+use hyper::{body, Body, Client, Method, Request};
+use hyper_rustls::HttpsConnectorBuilder;
+use std::fs::File;
+use std::io::{Read,Write};
+use std::path::Path;
+
+
+const TOKEN_FILE:&str = ".cherrybomb/token.txt";
+async fn sign_up(filename:&Path,dir:&Path)->bool{
+    /*
+    match set_current_dir(dirs::home_dir().unwrap()){
+        Ok(_)=>(),
+        Err(e)=>{
+            println!("{:?}",e);
+            panic!("Could not generate a CLI token, please contact BLST at support@blstsecurity.com");
+        }
+    };*/
+    let mut file = match File::create(filename) {
+        Ok(f) => f,
+        Err(_) => {
+            match std::fs::create_dir(dir){
+                Ok(_)=>{
+                    match File::create(filename) {
+                        Ok(f)=>f,
+                        Err(e)=>{
+                            //println!("{:?}",e);
+                            //panic!("Could not generate a CLI token, please contact BLST at support@blstsecurity.com");
+                            return false;
+                        }
+                    }
+                }
+                Err(e)=>{
+                    //println!("{:?}",e);
+                    //panic!("Could not generate a CLI token, please contact BLST at support@blstsecurity.com");
+                    return false;
+                }
+            }
+        }
+    };
+    let res = match reqwest::get("https://cherrybomb.blstsecurity.com/token").await{
+        Ok(r)=>{
+            match r.text().await{
+                Ok(t)=>t,
+                Err(_)=>{
+                    //panic!("Could not generate a CLI token, please contact BLST at support@blstsecurity.com");
+                    return false;
+                }
+            }
+        },
+        Err(e)=>{
+            //println!("{:?}",e);
+            //panic!("Could not generate a CLI token, please contact BLST at support@blstsecurity.com");
+            return false;
+        }
+    };
+    let json: serde_json::Value = match serde_json::from_str(&res) {
+        Ok(j) => j,
+        Err(_) => {
+            //panic!("Could not generate a CLI token, please contact BLST at support@blstsecurity.com");
+            return false;
+        }
+    };
+    match file.write_all(json["client_token"].to_string().as_bytes()){
+        Ok(_)=>(),
+        Err(_)=>{
+            //panic!("Could not generate a CLI token, please contact BLST at support@blstsecurity.com");
+            return false;
+        }
+    }
+    true
+}
+async fn get_token()->String{
+    let mut filename = dirs::home_dir().unwrap();
+    filename.push(TOKEN_FILE);
+    let dir = 
dirs::home_dir().unwrap();
+    let mut file = match File::open(&filename) {
+        Ok(f) => f,
+        Err(_) => {
+            if sign_up(&filename,&dir).await{
+                match File::open(&filename) {
+                    Ok(f)=>f,
+                    Err(_)=>{
+                        panic!("Could not validate the CLI token, please contact BLST at support@blstsecurity.com");
+                    }
+                }
+            }else{
+                panic!("Could not validate the CLI token, please contact BLST at support@blstsecurity.com");
+            }
+            /*
+            println!(
+                "{}",
+                "file \"token.txt\" not found, make sure that you have it in this directory".red()
+            );
+            println!("{}", "to get your token go to your user details dashboard at https://www.blstsecurity.com/cherrybomb/UserDetails".purple().bold());
+            return false;
+            */
+        }
+    };
+    let mut token = String::new();
+    match file.read_to_string(&mut token) {
+        Ok(_) => (),
+        Err(_) => {
+            //panic!("Could not validate the CLI token, please contact BLST at support@blstsecurity.com");
+            return String::new();
+            /*
+            println!(
+                "{}",
+                "could not read the data from \"token.txt\", make sure the data is valid".red()
+            );
+            println!("{}", "to get your token go to your user details dashboard at https://www.blstsecurity.com/cherrybomb/UserDetails".purple().bold());*/
+        }
+    }
+    token
+}
+pub async fn get_access(action: &str) -> bool {
+    let token = get_token().await;
+    let connector = HttpsConnectorBuilder::new()
+        .with_native_roots()
+        .https_only()
+        .enable_http1()
+        .enable_http2()
+        .build();
+    let client = Client::builder().build(connector);
+    let req = Request::builder()
+        .method(Method::POST)
+        .uri("https://cherrybomb.blstsecurity.com/auth")
+        .body(Body::from(format!(
+            "{{\"client_token\":{},\"action\":\"{}\"}}",
+            token, action
+        ).replace("\n","")))
+        .unwrap();
+    let r = match client.request(req).await {
+        Ok(r) => r,
+        Err(_) => {
+            //println!("{}", "authentication request failed".red());
+            return false;
+        }
+    };
+    let txt = body::to_bytes(r.into_body()).await.unwrap();
+    let json: serde_json::Value = match serde_json::from_slice(&txt) {
+        Ok(j) => j,
+            
Err(_) => {
+            //panic!("Invalid CLI token, please contact BLST at support@blstsecurity.com");
+            return false;
+            /*
+            println!("{}", "client_token not valid".red());
+            println!("{}", "to get your token go to your user details dashboard at https://www.blstsecurity.com/cherrybomb/UserDetails".purple().bold());*/
+        }
+    };
+    match json["opt_in"].as_bool() {
+        Some(b) => {
+            if b {
+                true
+            } else {
+                //panic!("Invalid CLI token, please contact BLST at support@blstsecurity.com");
+                //println!("{}", json["msg"].to_string().red());
+                false
+            }
+        }
+        None => {
+            //panic!("Invalid CLI token, please contact BLST at support@blstsecurity.com");
+            false
+            /*
+            println!(
+                "{}",
+                "error while parsing the response from the authenticator".red()
+            );
+            false*/
+        }
+    }
+}
\ No newline at end of file
diff --git a/cli/src/lib.rs b/cli/src/lib.rs
index 721e6c5..700d0c4 100644
--- a/cli/src/lib.rs
+++ b/cli/src/lib.rs
@@ -7,3 +7,5 @@ mod utils;
 pub use utils::*;
 mod config;
 pub use config::*;
+mod auth;
+pub use auth::*;
diff --git a/cli/src/main.rs b/cli/src/main.rs
index 1ba5317..23e1885 100644
--- a/cli/src/main.rs
+++ b/cli/src/main.rs
@@ -2,7 +2,7 @@ use clap::{Parser,Subcommand};
 use std::str::FromStr;
 use std::fmt;
 use colored::*;
-use cherrybomb::*;
+use cli::*;
 use attacker::{Authorization, Verbosity};
 use mapper::digest::Header;
 use futures::executor::block_on;
diff --git a/swagger/src/lib.rs b/swagger/src/lib.rs
index f4a8355..71e9ee7 100644
--- a/swagger/src/lib.rs
+++ b/swagger/src/lib.rs
@@ -76,7 +76,7 @@ pub struct Link {
 #[serde(rename = "operationRef")]
 pub operation_ref: Option,
 #[serde(rename = "operationId")]
- pub oeration_id: Option,
+ pub operation_id: Option,
 pub parameters: Option, //Any
 #[serde(rename = "requestBody")]
diff --git a/swagger/src/main.rs b/swagger/src/main.rs
index 2e958e4..26a6cef 100644
--- a/swagger/src/main.rs
+++ b/swagger/src/main.rs
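Review bot: On a machine that has no `~/.cherrybomb` yet, `sign_up` can never create it, because `get_token` passes `dir` as `dirs::home_dir().unwrap()` (the home directory itself) while `filename` is `$HOME/.cherrybomb/token.txt`: `File::create(filename)` fails, `std::fs::create_dir(dir)` then fails with AlreadyExists on the home directory, `sign_up` returns false and `get_token` panics with "Could not validate the CLI token". `dir` should be the file's parent and the call `create_dir_all`. Three further points in the same hunk: `get_access` splices `token` (whatever the file holds — the server's `client_token` written via `Value::to_string()`, quotes included, or the literal `null` when the key is absent) and `action` straight into a JSON body with `format!` + `.replace("\n","")`, so anything but a plain quoted string yields a malformed request, where `serde_json::json!` would quote and escape both fields; `body::to_bytes(...).await.unwrap()` panics on a truncated response although every other failure in the function returns `false`; and the token is a credential written with default file permissions, which on Unix should be `0o600`. If `sign_up` is changed to store the bare string, tokens already written by this version would carry their quotes, so `get_token` should also `trim_matches('"')` the value it reads. The fence below shows the rewritten lines; the rest of the three functions is unchanged.
```rust
// get_token: the directory that may need creating is the token file's parent, not $HOME
let dir = filename.parent().map(Path::to_path_buf).unwrap_or_default();
// … unchanged: File::open / sign_up fallback / read_to_string …

// sign_up: create the parent (fine if it already exists) and keep the credential private to this user
if std::fs::create_dir_all(dir).is_err() {
    return false;
}
let mut opts = std::fs::OpenOptions::new();
opts.write(true).create(true).truncate(true);
#[cfg(unix)]
{
    use std::os::unix::fs::OpenOptionsExt;
    opts.mode(0o600);
}
let mut file = match opts.open(filename) {
    Ok(f) => f,
    Err(_) => return false,
};
// … unchanged: reqwest::get / r.text() / serde_json::from_str …
// store the bare token and refuse a response whose client_token is not a string
let client_token = match json["client_token"].as_str() {
    Some(t) => t,
    None => return false,
};
if file.write_all(client_token.as_bytes()).is_err() {
    return false;
}
true

// get_access: let the serializer quote and escape both fields
let body = serde_json::json!({ "client_token": token, "action": action }).to_string();
let req = Request::builder()
    .method(Method::POST)
    .uri("https://cherrybomb.blstsecurity.com/auth")
    .body(Body::from(body))
    .unwrap();
// … unchanged: client.request and its error arm …
let txt = match body::to_bytes(r.into_body()).await {
    Ok(b) => b,
    Err(_) => return false,
};
```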
@@ -7,7 +7,7 @@ async fn main() { //let f_names = ["swagger2.json","swagger3.json","swagger4.json","swagger5.json","swagger6.json","swagger7.json"]; //for f_name in f_names{ let swagger_value: serde_json::Value = - serde_json::from_str(&std::fs::read_to_string(f_name).unwrap()).unwrap(); + serde_yaml::from_str(&std::fs::read_to_string(f_name).unwrap()).unwrap(); /* let version = swagger_value["openapi"].to_string().trim().replace("\"",""); let swagger = if version.starts_with("3.1"){ @@ -23,21 +23,21 @@ async fn main() { serde_json::from_str::(&std::fs::read_to_string(f_name).unwrap()).unwrap();*/ // println!("{:?}",swagger.paths.unwrap().get("/users").unwrap().get.as_ref().unwrap().security.as_ref().unwrap()); //} - /* + let mut a = ActiveScan::::new(swagger_value).unwrap(); use futures::executor; executor::block_on(a.run(ActiveScanType::Full,&Authorization::None)); a.print(0); - */ - let mut a = PassiveSwaggerScan::::new(swagger_value.clone()).unwrap(); - a.run(PassiveScanType::Full); + + //let mut a = PassiveSwaggerScan::::new(swagger_value.clone()).unwrap(); + //a.run(PassiveScanType::Full); //println!("{:?}",serde_json::to_string(&a).unwrap()); //a.print(1); - let t = EpTable::new::(&swagger_value); + //let t = EpTable::new::(&swagger_value); //let t = ParamTable::new::(&swagger_value); //println!("{:?}",serde_json::to_string(&t).unwrap()); - t.print(); + //t.print(); //print_checks_table(&a); //print_alerts_table(&a); //let _sw = swagger_str.convert_to_map(swagger_value); diff --git a/swagger/src/scan/active/additional_checks.rs b/swagger/src/scan/active/additional_checks.rs index 478a9f4..195134d 100644 --- a/swagger/src/scan/active/additional_checks.rs +++ b/swagger/src/scan/active/additional_checks.rs 
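Review bot: The dev harness in `main` now runs `ActiveScan` with `ActiveScanType::Full` and `Authorization::None` unconditionally, which per `check_default` later in this patch sends a live HTTP request to every path on every server the fixture lists, while the previous passive-scan and `EpTable` lines are left behind as commented-out code rather than removed. Gate the active run behind an environment variable or CLI flag (or point the harness at a local/mock server) and delete the dead `PassiveSwaggerScan`/`EpTable` lines. In the first hunk, `serde_yaml::from_str(&std::fs::read_to_string(f_name).unwrap()).unwrap()` panics without naming the file; `.unwrap_or_else(|e| panic!("cannot parse {}: {}", f_name, e))` would make the harness failure actionable. `main` begins before the first hunk and its closing brace is outside both hunks.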
@@ -1,30 +1,30 @@ use super::*; +use serde_json::json; impl ActiveScan { - pub async fn check_default(&self,auth:&Authorization) -> Vec { + pub async fn check_default(&self, auth: &Authorization) -> Vec { let mut alerts = vec![]; let mut logs = AttackLog::default(); for (path, item) in self.oas.get_paths() { let urls = get_path_urls(&item, self.oas.servers()); for url in urls { - /* let req = AttackRequest::builder() - .uri(&url.1,&path) + .uri(&url.1, &path) .method(url.0) .headers(vec![]) .parameters(vec![]) .auth(auth.clone()) .build(); - if let Ok(res) = req.send_request(true).await{ + if let Ok(res) = req.send_request(true).await { logs.requests.push(req); logs.responses.push(res); - }else{ - println!("FUCK"); - }*/ - alerts.push(Alert::with_certainty(Level::Low,"description","https://thingy".to_string(),Certainty::Certain)); + } else { + println!("request failed"); + } + alerts.push(Alert::with_certainty(Level::Low, "description", "https://thingy".to_string(), Certainty::Certain)); } } //println!("{:?}",logs); alerts } -} +} \ No newline at end of file diff --git a/swagger/src/scan/active/mod.rs b/swagger/src/scan/active/mod.rs index 67eec53..5fd3de8 100644 --- a/swagger/src/scan/active/mod.rs +++ b/swagger/src/scan/active/mod.rs @@ -72,11 +72,11 @@ impl Deserialize<'de>> ActiveScan { pub fn print(&self, verbosity: u8) { match verbosity { 0 => { - print_checks_table(&self.checks); + //print_checks_table(&self.checks); print_attack_alerts_table(&self.checks); }, 1 => { - print_checks_table(&self.checks); + //print_checks_table(&self.checks); }, 2 => print_failed_checks_table(&self.checks), _ => (), diff --git a/swagger/src/scan/checks.rs b/swagger/src/scan/checks.rs index 19d2ee2..1827207 100644 --- a/swagger/src/scan/checks.rs +++ b/swagger/src/scan/checks.rs @@ -41,7 +41,7 @@ impl Check for PassiveChecks { } } } -/* + impl Check for ActiveChecks { fn alerts_text(&self) -> ColoredString { match self.inner().len() { 
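Review bot: `check_default` pushes `Alert::with_certainty(Level::Low, "description", "https://thingy".to_string(), Certainty::Certain)` for every URL regardless of what `send_request` returned, so every endpoint this check visits is reported as a Certain/Low finding with a placeholder title and link. Move the push inside the `Ok(res)` arm and derive it from `res`, or drop it until the check has a real condition, e.g. `if let Ok(res) = req.send_request(true).await { logs.requests.push(req); logs.responses.push(res); /* TODO: push an alert only when `res` shows the weakness */ }`. `println!("request failed")` discards both the error and the target; `eprintln!("request to {} failed", url.1)` at least says which URL failed, and `logs` is filled but never returned, so the collected requests and responses are dropped at the end of the function. The added `use serde_json::json;` is not used anywhere in the hunk as shown.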
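Review bot: With `print_checks_table` commented out, the `1 =>` arm of `print` in active/mod.rs is now an empty block that prints nothing, while verbosity 0 still prints the attack alerts table, so a higher verbosity yields less output. If the checks table is being retired, collapse the arms to `0 | 1 => print_attack_alerts_table(&self.checks),` (or document why level 1 is silent) and delete the commented-out calls instead of keeping them. The `match` and the enclosing `print` close outside this hunk.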
@@ -67,7 +67,7 @@ impl Check for ActiveChecks { "PASSED" } } -}*/ +} impl_passive_checks![ //name in enum check function check name check description (CheckServerUrl,check_server_url,"SERVER URL","Checks for server url misconfigurations"), @@ -88,5 +88,6 @@ impl_passive_checks![ (CheckArrAttrs,check_arr_attrs,"ARRAY ATTRIBUTES","Checks for the definion of array type attributes - max_items, min_items"), (CheckObjAttrs,check_obj_attrs,"OBJECT ATTRIBUTES","Checks for the definion of object type attributes - max_properties, properties"), (CheckValidResponses,check_valid_responses,"VALID RESPONSES","Checks for valid responses codes"), - (CheckMethodPermissions, check_method_permissions, "METHOD PERMISSIONS", "Checks for correct permission cofiguration for GET/PUT/POST requests") + (CheckMethodPermissions, check_method_permissions, "METHOD PERMISSIONS", "Checks for correct permission configuration for GET/PUT/POST requests"), + (CheckContainsOperation, check_contains_operation, "CONTAINS OPERATION", "Checks that each path contains at least one operation") ]; diff --git a/swagger/src/scan/macros.rs b/swagger/src/scan/macros.rs index 8078828..f6dbe0e 100644 --- a/swagger/src/scan/macros.rs +++ b/swagger/src/scan/macros.rs @@ -49,7 +49,7 @@ macro_rules! impl_passive_checks{ } } } -/* + #[macro_export] macro_rules! impl_active_checks{ ( $( ($check:ident,$check_func:ident,$name:literal,$desc:literal )),* ) => { @@ -92,4 +92,4 @@ macro_rules! impl_active_checks{ } } } -}*/ +} diff --git a/swagger/src/scan/mod.rs b/swagger/src/scan/mod.rs index 0f83ef5..1086b08 100644 --- a/swagger/src/scan/mod.rs +++ b/swagger/src/scan/mod.rs @@ -3,8 +3,8 @@ mod checks; pub use checks::*; pub mod passive; pub use passive::*; -//pub mod active; -//pub use active::*; +pub mod active; +pub use active::*; mod macros; mod print; use colored::*; diff --git a/swagger/src/scan/passive/additional_checks.rs b/swagger/src/scan/passive/additional_checks.rs index ca81381..03a8539 100644 
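Review bot: The `CheckArrAttrs` and `CheckObjAttrs` descriptions two lines above the corrected "configuration" still read "Checks for the definion of ...", and these strings are shown to users in the checks table. Since this hunk already fixes a typo in the neighbouring `CheckMethodPermissions` entry, fix both in the same pass: `"Checks for the definition of array type attributes - max_items, min_items"` and `"Checks for the definition of object type attributes - max_properties, properties"`. The new `CheckContainsOperation` registration itself looks consistent with the existing entries.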
--- a/swagger/src/scan/passive/additional_checks.rs +++ b/swagger/src/scan/passive/additional_checks.rs @@ -7,14 +7,23 @@ impl PassiveSwaggerScan { for (m, op) in item.get_ops() { let statuses = op .responses() - .iter() - .map(|(k, _v)| k.clone()) + .keys() + .cloned() .collect::>(); + for status in statuses { - if status.parse::().is_err() && status != "default" { + if let Ok(res) = status.parse::() { + if res < 100 || res > 599 { + alerts.push(Alert::new( + Level::Low, + "Responses have an invalid or unrecognized status code", + format!("swagger path:{} operation:{} status:{}", path, m, status), + )); + } + } else if status != "default" { alerts.push(Alert::new( Level::Low, - "Responses have an ivalid or unrecognized status code", + "Responses have an invalid or unrecognized status code", format!("swagger path:{} operation:{} status:{}", path, m, status), )); } 
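Review bot: The new range check treats any response key that is neither `default` nor an integer in 100–599 as invalid, but OpenAPI 3.0 also permits the wildcard range keys `1XX`–`5XX`, so a spec using `2XX` or `5XX` is reported as having an invalid status code. Both branches push the identical alert; folding the test into one predicate removes the duplication and makes the wildcard easy to accept: `let valid = status == "default" || matches!(status.as_str(), "1XX" | "2XX" | "3XX" | "4XX" | "5XX") || status.parse::<u16>().map_or(false, |c| (100..=599).contains(&c));` followed by a single `if !valid { alerts.push(Alert::new(...)); }`. The enclosing method (likely `check_valid_responses`, going by the check table in checks.rs) starts before this hunk and ends after it.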
@@ -23,53 +32,53 @@ impl PassiveSwaggerScan { } alerts } - fn get_check(security:&Option>,path:&str)->Vec{ + fn get_check(security: &Option>, path: &str) -> Vec { let mut alerts = vec![]; match security { Some(x) => { for i in x { let y = i.values().flatten().cloned().collect::>(); for item in y { - if !item.starts_with("read"){ - alerts.push(Alert::new(Level::Medium,"Request GET has to be only read permission",format!("swagger path:{} method:{}",path,Method::GET))); + if !item.starts_with("read") { + alerts.push(Alert::new(Level::Medium, "Request GET has to be only read permission", format!("swagger path:{} method:{}", path, Method::GET))); } } } - }, + } None => (), }; alerts } - fn put_check(security:&Option>,path:&str)->Vec{ - let mut alerts=vec![]; + fn put_check(security: &Option>, path: &str) -> Vec { + let mut alerts = vec![]; match security { Some(x) => { for i in x { let y = i.values().flatten().cloned().collect::>(); for item in y { - if !item.starts_with("write"){ - alerts.push(Alert::new(Level::Medium,"Request PUT has to be only write permission",format!("swagger path:{} method:{}",path,Method::PUT))); + if !item.starts_with("write") { + alerts.push(Alert::new(Level::Medium, "Request PUT has to be only write permission", format!("swagger path:{} method:{}", path, Method::PUT))); } } } - }, + } None => (), } alerts } - fn post_check(security:&Option>,path:&str)->Vec{ - let mut alerts=vec![]; + fn post_check(security: &Option>, path: &str) -> Vec { + let mut alerts = vec![]; match security { Some(x) => { for i in x { let y = i.values().flatten().cloned().collect::>(); for item in y { - if !item.starts_with("write:") && !item.starts_with("read:") { - alerts.push(Alert::new(Level::Low,"Request POST has to be with read and write permissions",format!("swagger path:{} method:{}",path,Method::POST))); + if !item.starts_with("write:") && !item.starts_with("read:") { + alerts.push(Alert::new(Level::Low, "Request POST has to be with read and write permissions", 
format!("swagger path:{} method:{}", path, Method::POST))); } } } - }, + } None => (), } alerts @@ -77,15 +86,26 @@ impl PassiveSwaggerScan { pub fn check_method_permissions(&self) -> Vec { let mut alerts: Vec = vec![]; for (path, item) in &self.swagger.get_paths() { - for(m,op) in item.get_ops(){ - match m{ - Method::GET=>alerts.extend(Self::get_check(&op.security,path)), - Method::PUT=>alerts.extend(Self::put_check(&op.security,path)), - Method::POST=>alerts.extend(Self::post_check(&op.security,path)), - _=>(), + for (m, op) in item.get_ops() { + match m { + Method::GET => alerts.extend(Self::get_check(&op.security, path)), + Method::PUT => alerts.extend(Self::put_check(&op.security, path)), + Method::POST => alerts.extend(Self::post_check(&op.security, path)), + _ => (), }; } } alerts } + + pub fn check_contains_operation(&self) -> Vec { + let mut alerts: Vec = vec![]; + for (path, item) in &self.swagger.get_paths() { + if item.get_ops().len() == 0 { + alerts.push(Alert::new(Level::Low, "Path has no operations" + , format!("swagger path:{} ", path))); + } + } + alerts + } } diff --git a/swagger/src/scan/print.rs b/swagger/src/scan/print.rs index a38cadd..e985dd9 100644 --- a/swagger/src/scan/print.rs +++ b/swagger/src/scan/print.rs @@ -69,7 +69,7 @@ pub fn print_alerts_table(checks: &[PassiveChecks]) { } } } -/* + pub fn print_attack_alerts_table(checks: &[ActiveChecks]) { println!( "{:pad$}| SEVERITY | CERTAINTY |{:thing$}|DESCRIPTION\n{:-) -> fmt::Result { @@ -122,7 +123,7 @@ impl fmt::Display for PassiveChecks { } } } -/* + impl fmt::Display for ActiveChecks { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { if self.result() == "PASSED" { @@ -155,7 +156,7 @@ impl fmt::Display for ActiveChecks { write!(f, "") } } -}*/ +} impl fmt::Display for Alert { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { if self.certainty==Certainty::Passive{ diff --git a/swagger/src/schema.rs b/swagger/src/schema.rs index 9b9d764..3c2d4e8 100644 
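Review bot: `check_contains_operation` tests `item.get_ops().len() == 0`, which clippy flags as `len_zero`; `item.get_ops().is_empty()` expresses the intent directly if `get_ops` returns a `Vec` or slice (it is iterated as tuples and measured with `.len()` here, so presumably it does). The description `format!("swagger path:{} ", path)` carries a trailing space that the sibling checks (`format!("swagger path:{} method:{}", ...)`) do not, and the argument list puts `, format!(...)` on a new line with a leading comma, which rustfmt would not produce. A one-line doc comment such as `/// Flags paths that declare no HTTP operations (an empty path item).` would also match the other check functions.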
--- a/swagger/src/schema.rs +++ b/swagger/src/schema.rs @@ -60,6 +60,7 @@ pub struct Schema { pub max_length: Option, #[serde(rename = "minLength")] pub min_length: Option, + //String - STAY AWAY!(regex) pub pattern: Option, #[serde(rename = "maxItem")] pub max_items: Option, @@ -71,6 +72,7 @@ pub struct Schema { pub max_properties: Option, #[serde(rename = "minProperties")] pub min_properties: Option, + //Array pub items: Option>, pub required: Option>, #[serde(rename = "enum")] @@ -84,6 +86,7 @@ pub struct Schema { #[serde(rename = "anyOf")] pub any_of: Option>, pub not: Option>, + //object pub properties: Option>, #[serde(rename = "additionalProperties")] pub additional_properties: Option, diff --git a/swagger/swagger3.json b/swagger/swagger3.json index 5f9cb67..a03cb90 100644 --- a/swagger/swagger3.json +++ b/swagger/swagger3.json @@ -125,6 +125,16 @@ } ], "responses": { + "677": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/bussinessLine" + } + } + } + }, "200": { "description": "OK", "content": {
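Review bot: The context line `#[serde(rename = "maxItem")]` above `max_items` does not match the OpenAPI/JSON Schema keyword `maxItems` (compare `minLength`, `maxLength` and `maxProperties` in the same struct), so `max_items` is never populated from a valid spec and the `CheckArrAttrs` check that this patch describes as checking `max_items, min_items` cannot observe it; it should read `#[serde(rename = "maxItems")]`. The new comment `//String - STAY AWAY!(regex)` is hard for a future maintainer to act on; `// String: regular expression the value must match (ECMA-262 dialect per the spec)` states what the field is without the warning's ambiguity. The `Schema` struct continues outside these hunks.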