graphql: Add example alerts
Signed-off-by: ricekot <[email protected]>
ricekot committed Sep 1, 2023
1 parent 8a4828f commit 7680e63
Showing 5 changed files with 56 additions and 35 deletions.
3 changes: 3 additions & 0 deletions addOns/graphql/CHANGELOG.md
Expand Up @@ -4,6 +4,9 @@ All notable changes to this add-on will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## Unreleased
### Added
- The add-on now includes example alert functionality for documentation generation purposes (Issue 6119).

### Changed
- Dependency updates.
- Maintenance changes.
Expand Up @@ -31,6 +31,7 @@
import org.parosproxy.paros.Constant;
import org.parosproxy.paros.control.Control;
import org.parosproxy.paros.control.Control.Mode;
import org.parosproxy.paros.core.scanner.Alert;
import org.parosproxy.paros.extension.CommandLineArgument;
import org.parosproxy.paros.extension.CommandLineListener;
import org.parosproxy.paros.extension.Extension;
Expand All @@ -40,12 +41,13 @@
import org.parosproxy.paros.model.Session;
import org.parosproxy.paros.network.HttpSender;
import org.zaproxy.addon.commonlib.ExtensionCommonlib;
import org.zaproxy.zap.extension.alert.ExampleAlertProvider;
import org.zaproxy.zap.extension.script.ExtensionScript;
import org.zaproxy.zap.model.ValueGenerator;
import org.zaproxy.zap.view.ZapMenuItem;

public class ExtensionGraphQl extends ExtensionAdaptor
implements CommandLineListener, SessionChangedListener {
implements CommandLineListener, SessionChangedListener, ExampleAlertProvider {

public static final String NAME = "ExtensionGraphQl";

Expand Down Expand Up @@ -285,4 +287,11 @@ public boolean handleFile(File file) {
// Not supported
return false;
}

@Override
public List<Alert> getExampleAlerts() {
return List.of(
GraphQlParser.createIntrospectionAlert().build(),
GraphQlFingerprinter.createFingerprintingAlert("example").build());
}
}
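Review bot: The new getExampleAlerts() override passes the literal engine id "example" to createFingerprintingAlert, which resolves it to the graphql.engine.example.* message keys added elsewhere in this commit, and nothing at the call site records that coupling. A comment on the call keeps a maintainer from deleting those keys or mistaking "example" for a real engine: `// "example" is a synthetic engine id backed by the graphql.engine.example.* messages; keep in sync with Messages.properties`. The hunk does not show a java.util.List import, so confirm one already exists in the import block above line 31. The ExtensionGraphQl class body extends outside the hunk on both sides.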
Expand Up @@ -144,33 +144,37 @@ boolean errorContains(String substring, String errorField) {
return false;
}

static Alert.Builder createFingerprintingAlert(String engineId) {
final String enginePrefix = "graphql.engine." + engineId + ".";
return Alert.builder()
.setPluginId(ExtensionGraphQl.TOOL_ALERT_ID)
.setAlertRef(FINGERPRINTING_ALERT_REF)
.setName(Constant.messages.getString("graphql.fingerprinting.alert.name"))
.setDescription(
Constant.messages.getString(
"graphql.fingerprinting.alert.desc",
Constant.messages.getString(enginePrefix + "name"),
Constant.messages.getString(enginePrefix + "technologies")))
.setReference(Constant.messages.getString(enginePrefix + "docsUrl"))
.setConfidence(Alert.CONFIDENCE_HIGH)
.setRisk(Alert.RISK_INFO)
.setCweId(205)
.setWascId(45)
.setSource(Alert.Source.TOOL)
.setTags(FINGERPRINTING_ALERT_TAGS);
}

private void raiseFingerprintingAlert(String engineId) {
var extAlert =
Control.getSingleton().getExtensionLoader().getExtension(ExtensionAlert.class);
if (extAlert == null) {
return;
}
final String enginePrefix = "graphql.engine." + engineId + ".";
Alert alert =
Alert.builder()
.setPluginId(ExtensionGraphQl.TOOL_ALERT_ID)
.setAlertRef(FINGERPRINTING_ALERT_REF)
.setName(Constant.messages.getString("graphql.fingerprinting.alert.name"))
.setDescription(
Constant.messages.getString(
"graphql.fingerprinting.alert.desc",
Constant.messages.getString(enginePrefix + "name"),
Constant.messages.getString(enginePrefix + "technologies")))
.setReference(Constant.messages.getString(enginePrefix + "docsUrl"))
.setConfidence(Alert.CONFIDENCE_HIGH)
.setRisk(Alert.RISK_INFO)
createFingerprintingAlert(engineId)
.setEvidence(matchedString)
.setMessage(lastQueryMsg)
.setUri(requestor.getEndpointUrl().toString())
.setEvidence(matchedString)
.setCweId(205)
.setWascId(45)
.setSource(Alert.Source.TOOL)
.setTags(FINGERPRINTING_ALERT_TAGS)
.build();
extAlert.alertFound(alert, null);
}
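Review bot: createFingerprintingAlert(String engineId) is a new package-private factory with no Javadoc, and the same applies to createIntrospectionAlert() in GraphQlParser in the next file section. Both return an Alert.Builder that is deliberately incomplete — no message, URI, evidence or history reference — which the caller must set before build(), and the fingerprinting variant additionally requires graphql.engine.<engineId>.name, .technologies and .docsUrl to exist in the messages bundle. A Javadoc on each stating that contract, with `@param engineId` on the fingerprinting one and a `@return` describing the partially populated builder, would make the example-alert use in ExtensionGraphQl self-explanatory. raiseFingerprintingAlert is fully inside this hunk; raiseIntrospectionAlert in GraphQlParser continues past its hunk.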
Expand Up @@ -188,29 +188,30 @@ private void generate(String schema) {
}
}

static Alert.Builder createIntrospectionAlert() {
return Alert.builder()
.setPluginId(ExtensionGraphQl.TOOL_ALERT_ID)
.setAlertRef(INTROSPECTION_ALERT_REF)
.setName(Constant.messages.getString("graphql.introspection.alert.name"))
.setDescription(Constant.messages.getString("graphql.introspection.alert.desc"))
.setReference(Constant.messages.getString("graphql.introspection.alert.ref"))
.setSolution(Constant.messages.getString("graphql.introspection.alert.soln"))
.setConfidence(Alert.CONFIDENCE_HIGH)
.setRisk(Alert.RISK_INFO)
.setCweId(16)
.setWascId(15)
.setSource(Alert.Source.TOOL)
.setTags(INTROSPECTION_ALERT_TAGS);
}

private void raiseIntrospectionAlert(HttpMessage msg) {
var extAlert =
Control.getSingleton().getExtensionLoader().getExtension(ExtensionAlert.class);
if (extAlert == null) {
return;
}
Alert alert =
Alert.builder()
.setPluginId(ExtensionGraphQl.TOOL_ALERT_ID)
.setAlertRef(INTROSPECTION_ALERT_REF)
.setName(Constant.messages.getString("graphql.introspection.alert.name"))
.setDescription(
Constant.messages.getString("graphql.introspection.alert.desc"))
.setReference(
Constant.messages.getString("graphql.introspection.alert.ref"))
.setSolution(
Constant.messages.getString("graphql.introspection.alert.soln"))
.setConfidence(Alert.CONFIDENCE_HIGH)
.setRisk(Alert.RISK_INFO)
.setCweId(16)
.setWascId(15)
.setSource(Alert.Source.TOOL)
.setTags(INTROSPECTION_ALERT_TAGS)
createIntrospectionAlert()
.setHistoryRef(msg.getHistoryRef())
.setMessage(msg)
.build();
Expand Up @@ -94,6 +94,10 @@ graphql.engine.directus.docsUrl = https://github.com/directus/directus
graphql.engine.directus.name = Directus
graphql.engine.directus.technologies = TypeScript

graphql.engine.example.docsUrl = https://example.com/graphql-engine-reference
graphql.engine.example.name = Example GraphQL Engine
graphql.engine.example.technologies = "Example Technology 1" and "Example Technology 2"

graphql.engine.gqlgen.docsUrl = https://github.com/99designs/gqlgen
graphql.engine.gqlgen.name = gqlgen
graphql.engine.gqlgen.technologies = Golang
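Review bot: The new graphql.engine.example.* entries read like a real engine definition but exist only to back the alert built by ExtensionGraphQl.getExampleAlerts(), and nothing in the file marks them as such. A comment above the group would prevent them from being treated as a fingerprinting target, e.g. `# Synthetic engine used only for example/documentation alerts; not a real GraphQL engine`. If the fingerprinter derives its engine list from these keys rather than from a fixed table, the example engine would also need to be excluded there — that is not visible on this page, so worth confirming.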
