diff --git a/pkg/parser/parser.go b/pkg/parser/parser.go index 182af9d..58fde91 100644 --- a/pkg/parser/parser.go +++ b/pkg/parser/parser.go @@ -132,7 +132,10 @@ func (p *Parser) Parse(filename string, isUrl bool) (err error) { return err } p.Doc = &OpenApi{} - p.Doc.SetDoc(doc) + if err := p.Doc.SetDoc(doc); err != nil { + log.Error().Err(err).Msgf("failed to set doc values") + return err + } } else { var doc openapi2.T @@ -140,7 +143,10 @@ func (p *Parser) Parse(filename string, isUrl bool) (err error) { return err } p.Doc = &Swagger{} - p.Doc.SetDoc(&doc) + if err := p.Doc.SetDoc(&doc); err != nil { + log.Error().Err(err).Msgf("failed to set doc values") + return err + } } return nil diff --git a/pkg/tgen/const.go b/pkg/tgen/const.go new file mode 100644 index 0000000..eff560f --- /dev/null +++ b/pkg/tgen/const.go @@ -0,0 +1,9 @@ +package tgen + +const ( + Path = "path" + Query = "query" + Header = "header" + Cookie = "cookie" + Body = "body" +) diff --git a/pkg/tgen/payloadInjection.go b/pkg/tgen/payloadInjection.go index df92c2e..1e7e8d5 100644 --- a/pkg/tgen/payloadInjection.go +++ b/pkg/tgen/payloadInjection.go @@ -9,10 +9,16 @@ import ( // injects payload in HTTP parser.param based on type/value // It's being used in `injectParamIntoApiTest` function -func injectParamInParam(params *[]parser.Param, payload string) { - for i := range *params { +func injectParamInParam(params []parser.Param, payload, injectIn string) []parser.Param { + // inject payload in key + injectedParams := append(params, parser.Param{ + Name: payload, + In: injectIn, + Type: []string{"string"}, + }) + + for _, param := range injectedParams { var paramType string - param := &(*params)[i] if len(param.Type) == 0 && param.Value == nil { log.Warn().Msgf("skipping payload %s injection for %v since type/value is missing", payload, param) continue @@ -28,28 +34,32 @@ func injectParamInParam(params *[]parser.Param, payload string) { param.Value = payload } } + + return injectedParams } // generates Api tests by injecting payloads in values func injectParamIntoApiTest(url string, docParams []*parser.DocHttpParams, queryParams map[string]string, headers map[string]string, testName string, injectionConfig InjectionConfig) []*ApiTest { var tests []*ApiTest + docPrms := docParams // TODO: only inject payloads if any payload is accepted by the endpoint, else ignore injection // as this will reduce number of tests generated and increase efficiency for _, payload := range injectionConfig.Payloads { // TODO: implement injection in both key or value at a time - for _, docParam := range docParams { + for _, docParam := range docPrms { // inject payloads into string before converting it to map[string]string if injectionConfig.InBody { - injectParamInParam(&(docParam.BodyParams), payload.InjText) + docParam.BodyParams = injectParamInParam(docParam.BodyParams, payload.InjText, Body) + } if injectionConfig.InQuery { - injectParamInParam(&(docParam.QueryParams), payload.InjText) + docParam.QueryParams = injectParamInParam(docParam.QueryParams, payload.InjText, Query) } if injectionConfig.InCookie { - injectParamInParam(&(docParam.CookieParams), payload.InjText) + docParam.CookieParams = injectParamInParam(docParam.CookieParams, payload.InjText, Cookie) } if injectionConfig.InHeader { - injectParamInParam(&(docParam.HeaderParams), payload.InjText) + docParam.HeaderParams = injectParamInParam(docParam.HeaderParams, payload.InjText, Header) } // parse maps diff --git a/pkg/tgen/struct.go b/pkg/tgen/struct.go index 775902a..7d8b816 100644 --- a/pkg/tgen/struct.go +++ b/pkg/tgen/struct.go @@ -47,6 +47,11 @@ type Payload struct { Regex string // regex to be used for post processing } +// Struct used for injecting payloads as per configuration +type PayloadConfig struct { + In string // body, +} + // For Post runner type DataLeakPattern struct { Name string `json:"name" yaml:"name"` diff --git a/pkg/trunner/postrunner/dataleak_test.go b/pkg/trunner/postrunner/dataleak_test.go index 2796802..2e9d4d3 100644 --- a/pkg/trunner/postrunner/dataleak_test.go +++ b/pkg/trunner/postrunner/dataleak_test.go @@ -9,14 +9,12 @@ import ( "github.com/dmdhrumilmistry/fasthttpclient/client" "github.com/owasp-offat/offat/pkg/tgen" "github.com/owasp-offat/offat/pkg/trunner/postrunner" - - "github.com/dlclark/regexp2" ) // Mock utility function for FindAllString -var mockFindAllString = func(re *regexp2.Regexp, target string) []string { - return []string{} -} +// var mockFindAllString = func(re *regexp2.Regexp, target string) []string { +// return []string{} +// } // Test cases for UpdateDataLeakResult func TestUpdateDataLeakResult(t *testing.T) { diff --git a/pkg/trunner/runner.go b/pkg/trunner/runner.go index 631ec4b..64037fa 100644 --- a/pkg/trunner/runner.go +++ b/pkg/trunner/runner.go @@ -8,6 +8,7 @@ import ( c "github.com/dmdhrumilmistry/fasthttpclient/client" "github.com/k0kubun/go-ansi" "github.com/owasp-offat/offat/pkg/tgen" + "github.com/rs/zerolog/log" "github.com/schollz/progressbar/v3" "golang.org/x/term" ) @@ -45,10 +46,12 @@ func RunApiTests(t *tgen.TGenHandler, client c.ClientInterface, apiTests []*tgen wg.Add(1) go func(apiTest *tgen.ApiTest) { defer wg.Done() - defer bar.Add(1) - resp, err := client.Do(apiTest.Request.Uri, apiTest.Request.Method, apiTest.Request.QueryParams, apiTest.Request.Headers, apiTest.Request.Body) apiTest.Response = c.NewConcurrentResponse(resp, err) + + if err := bar.Add(1); err != nil { + log.Error().Err(err).Msg("Failed to add to bar") + } }(apiTest) }