PA-12765 Add excludeUrlsFile param (#97)

* PA-12765 Add excludeUrls param

* change param to be a file instead of comma separated list

README.md

@@ -54,6 +54,7 @@ The basic command to run a baseline scan would look like:
 | `--commitHash` |  | The commit hash value from the SCM System |
 | `--contextFile` |  | Context file which will be loaded prior to scanning the target |
 | `--debug` |  | Enable debug logging for ZAP. |
+| `--excludeUrlsFile` | | Path to a file containing regex URLs to exclude, one per line. eg `--excludeUrlsFile=exclude_urls.txt`
 | `--disableRules` |  | Comma separated list of ZAP rules IDs to disable. List for reference https://www.zaproxy.org/docs/alerts/ |
 | `--fullScanMinutes` |  | Number of minutes for the spider to run |
 | `--logLevel` |  | Minimum level to show logs: DEBUG INFO, WARN, FAIL, ERROR. |

package.json

@@ -1,6 +1,6 @@
 {
   "name": "soos-dast",
-  "version": "2.0.20",
+  "version": "2.0.21",
   "description": "SOOS DAST - The affordable no limit web vulnerability scanner",
   "main": "index.js",
   "scripts": {

src/index.ts

@@ -45,6 +45,7 @@ export interface SOOSDASTAnalysisArgs extends IBaseScanArguments {
   contextFile: string;
   debug: boolean;
   disableRules: string;
+  excludeUrlsFile: string;
   fullScanMinutes: number;
   oauthParameters: string;
   oauthTokenUrl: string;
@@ -183,6 +184,11 @@ class SOOSDASTAnalysis {
       nargs: "*",
     });
 
+    analysisArgumentParser.argumentParser.add_argument("--excludeUrlsFile", {
+      help: "Path to a file containing regex URLs to exclude, one per line.",
+      required: false,
+    });
+
     analysisArgumentParser.argumentParser.add_argument("--fullScanMinutes", {
       help: "Number of minutes for the spider to run.",
       required: false,

src/utilities/ZAPCommandGenerator.ts

@@ -55,6 +55,7 @@ export class ZAPCommandGenerator {
     this.addEnvironmentVariable("CUSTOM_COOKIES", this.config.requestCookies);
     this.addEnvironmentVariable("CUSTOM_HEADER", this.config.requestHeaders);
     this.addEnvironmentVariable("DISABLE_RULES", this.config.disableRules);
+    this.addEnvironmentVariable("EXCLUDE_URLS_FILE", this.config.excludeUrlsFile);
     this.addEnvironmentVariable("OAUTH_PARAMETERS", this.config.oauthParameters);
     this.addEnvironmentVariable("OAUTH_TOKEN_URL", this.config.oauthTokenUrl);
     if (this.config.debug) this.addEnvironmentVariable("DEBUG_MODE", this.config.debug);

src/zap_hooks/helpers/configuration.py

@@ -37,6 +37,7 @@ class DASTConfig:
     oauth_parameters: Optional[str] = None
     disable_rules: Optional[str] = None
     debug_mode: Optional[bool] = False
+    exclude_urls_file: Optional[str] = None
 
     def __init__(self):
         self.extra_zap_params = None
@@ -73,6 +74,7 @@ def load_config(self, extra_zap_params):
             self.oauth_parameters = self._get_hook_param_list(os.environ.get('OAUTH_PARAMETERS')) or EMPTY_STRING
             self.disable_rules = self._get_hook_param_list(os.environ.get('DISABLE_RULES')) or None
             self.debug_mode = os.environ.get('DEBUG_MODE') or False
+            self.exclude_urls_file = os.environ.get('EXCLUDE_URLS_FILE') or None
 
         except Exception as error:
             log(f"error in start_docker_zap: {traceback.print_exc()}", log_level=LogLevel.ERROR)

src/zap_hooks/soos_zap_hook.py

@@ -53,6 +53,14 @@ def zap_started(zap, target):
             serialize_and_save(zap.core, 'wrk/core_data_started.json')
             serialize_and_save(zap.pscan, 'wrk/pscan_data_started.json')
             serialize_and_save(zap.context, 'wrk/context_data_started.json')
+        if config.exclude_urls_file:
+            exclude_urls_file_path = f"wrk/{config.exclude_urls_file}"
+            with open(exclude_urls_file_path) as f:
+                for line in f:
+                    url = line.strip()
+                    log(f"Excluding url on spider: {url}")
+                    zap.spider.exclude_from_scan(url)
+
     except Exception:
         exit_app(f"error in zap_started: {traceback.print_exc()}")