Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ZAP import accepts types other than "url" #269

Merged
merged 4 commits into from
Dec 16, 2024
Merged

ZAP import accepts types other than "url" #269

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
aa4583a
ZAP import accepts types other than "url"
Dec 6, 2024
42e2f7b
fix indentation
Dec 6, 2024
95bca94
update configVersion schema to 6 to handle importUrlsFromFile change
Dec 11, 2024
b6cb94f
re-linting the changes
Dec 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions config/config-template-zap-long.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,8 +118,10 @@ scanners:
apiUrl: "<URL to openAPI>"
# alternative to apiURL: apiFile: "<local path to openAPI file>"

# A list of URLs can also be provided, from a text file (1 URL per line)
importUrlsFromFile: "<path to import URL>"
# A list of URLs can also be provided, type supported: 'har', 'modsec2', 'url' (default), 'zap_messages'
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this require a config schema version change?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not if we keep backward compatibility: we can simply suggest only the new method, while keeping the old one valid for historical purpose.
[quick additional note: backward compatibility was removed based on next conversation]

importUrlsFromFile:
type: "url"
fileName: "<path to import URL>"

graphql:
endpoint: "<URL to GraphQL API endpoint>"
Expand Down
48 changes: 40 additions & 8 deletions scanners/zap/zap.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -376,17 +376,49 @@ def _setup_zap_automation(self):

def _setup_import_urls(self):
"""If importUrlsFromFile exists:
prepare an import job for URLs importUrlsFromFile _must_ be an existing file on the host
Its content is a text file: a list of GET URLs, each of which will be scanned
Prepare a URL import job. All ZAP's import job are supported: 'har', 'modsec2', 'url' (default), 'zap_messages'

2 possibilities:
1- [for backward compatibility] if importUrlsFromFile is a string:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be better to migrate between config versions, rather than try to handle two different schemas? I believe there is migration code already but I haven't looked closely

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a new commit for this purpose

it must point to an existing file on the host

2- importUrlsFromFile is a dictionary: { "type": "<type>", "fileName": "<path/to/file>"}

The filename of the import will always be copied in the `container_work_dir` as importUrls.txt
"""
job = {"name": "import", "type": "import", "parameters": {"type": "url"}}
# Basic job config. The `type` parameter will be set later
job = {
"name": "import",
"type": "import",
"parameters": {"fileName": f"{self.container_work_dir}/importUrls.txt"},
}

types = ("har", "modsec2", "url", "zap_messages")

orig = self.my_conf("importUrlsFromFile")
if not orig:
source = "" # Location of the import file on the host

conf = self.my_conf("importUrlsFromFile")
if not conf:
return
dest = f"{self.container_work_dir}/importUrls.txt"
self._include_file(orig, dest)
job["parameters"]["fileName"] = dest
if isinstance(conf, str):
# Backward compatibility with previous behavior
source = conf
job["parameters"]["type"] = "url"

elif isinstance(conf, dict):
# "importUrlsFromFile" = { type, fileName }
source = self.my_conf("importUrlsFromFile.fileName")
if not source:
raise ValueError("ZAP config error: importUrlsFromFile must have a `fileName` entry")
job["parameters"]["type"] = self.my_conf("importUrlsFromFile.type", "url")

else:
raise ValueError("ZAP config error: importUrlsFromFile must be a dictionary")

if not job["parameters"]["type"] in types:
raise ValueError(f"ZAP config error: importUrlsFromFile.type must be within {types}")

self._include_file(source, job["parameters"]["fileName"])
self.automation_config["jobs"].append(job)

def _setup_export_site_tree(self):
Expand Down
39 changes: 37 additions & 2 deletions tests/scanners/zap/test_setup.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -206,12 +206,47 @@ def test_setup_authentication_auth_rtoken_preauth(test_config):


def test_setup_import_urls(test_config):
# trick: set this very file as import
test_config.set("scanners.zap.importUrlsFromFile", __file__)
# trick: use is the current pytest as import file

# 1- Test backward compatible behaviour
test_config.set("scanners.zap.importUrlsFromFile", __file__)
test_zap = ZapNone(config=test_config)
test_zap.setup()
assert Path(test_zap.host_work_dir, "importUrls.txt").is_file()
for item in test_zap.automation_config["jobs"]:
if item["type"] == "import":
assert item["parameters"]["type"] == "url"
break
else:
assert False

# 2- Test new config style, with type "har"
test_config.set("scanners.zap.importUrlsFromFile", {"type": "har", "fileName": __file__})
test_zap = ZapNone(config=test_config)
test_zap.setup()
for item in test_zap.automation_config["jobs"]:
if item["type"] == "import":
assert item["parameters"]["type"] == "har"
break
else:
assert False

# 3- Test new config style, defaulting to "url" type
test_config.set("scanners.zap.importUrlsFromFile", {"fileName": __file__})
test_zap = ZapNone(config=test_config)
test_zap.setup()
for item in test_zap.automation_config["jobs"]:
if item["type"] == "import":
assert item["parameters"]["type"] == "url"
break
else:
assert False

# 4- Test new config style, with an unexisting type
test_config.set("scanners.zap.importUrlsFromFile", {"type": "doesntexist", "fileName": __file__})
test_zap = ZapNone(config=test_config)
with pytest.raises(ValueError) as exc:
test_zap.setup()


def test_setup_exclude_urls(test_config):
Expand Down
Loading