Enhance the OpenAPI plugin to accept user-provided values for parameters #17339
Conversation
|
I have tested it with a couple of applications - it worked well. |
| Loads parameter values from YAML. | ||
| :param string: Definition of parameter values in YAML. | ||
| """ | ||
| content = yaml.load(string) |
There was a problem hiding this comment.
User might enter an invalid YAML, that case should be handled.
There was a problem hiding this comment.
Okay, I'll add a try-except block to catch YAMLError and wrap the exception in to ParameterValueParsingError.
w3af/plugins/crawl/open_api.py
Outdated
| h = ('This option sets a path to a YAML file which contains parameter values' | ||
| ' which should be used in testing API endpoints. If no parameter values are provided,' | ||
| ' the plugin tries to guess them.') | ||
| o = opt_factory('parameter_values_location', self._parameter_values_location, d, INPUT_FILE, help=h) |
There was a problem hiding this comment.
Maybe the YAML format validation should be done here? That could be done by changing the INPUT_FILE type to YAML_INPUT_FILE and creating the logic for handling that.
It should be fairly easy, take a look at:
There was a problem hiding this comment.
Hmm, that may be nice. Although input_file_option.py doesn't look that simple at first glance :) Okay, I'll see what I can do here.
There was a problem hiding this comment.
Yeah, input_file_option.py doesn't look simple, but yaml_file_option.py should be simple :-)
Take a look at the other files in the same directory, those will give you ideas on how simple the inputs can actually be.
w3af/plugins/crawl/open_api.py
Outdated
| h = ('This option sets a path to a YAML file which contains parameter values' | ||
| ' which should be used in testing API endpoints. If no parameter values are provided,' | ||
| ' the plugin tries to guess them.') | ||
| o = opt_factory('parameter_values_location', self._parameter_values_location, d, INPUT_FILE, help=h) |
There was a problem hiding this comment.
parameter_values_location should be changed to parameter_values_file (that is how input files are usually named)
w3af/w3af/plugins/output/text_file.py
Line 297 in 356b14b
w3af/w3af/plugins/output/xml_file.py
Line 153 in 356b14b
There was a problem hiding this comment.
Sure, no problem. Then, custom_spec_location should be probably renamed to custom_spec_file
w3af/plugins/crawl/open_api.py
Outdated
| - 1234567 | ||
| - name: birth-date | ||
| values: | ||
| - 2000-01-02 |
There was a problem hiding this comment.
I believe that this feature requires its own documentation in https://github.com/andresriancho/w3af/blob/develop/doc/sphinx/scan-rest-apis.rst
I would make the example in get_long_desc shorter, and reference users to the documentation with something like: "For more information and examples about this feature read the framework documentation at https://docs.w3af.org"
There was a problem hiding this comment.
Okay, I'll update both description and docs. In fact, the docs need to be updated with descriptions of the recent changes/features. I hope I can find time to do that.
|
I need to work harder on merging your PR. If I don't do that I'll end up in a branch merge nightmare. Sorry for not being more responsive with these PRs. I was on vacations. Will try to merge all these amazing things you've been working on to |
|
Thanks for your comments. Let's work on them one by one, and I'll resolve possible conflicts which may appear. Then, it should be easier to merge them to |
…meter of the crawl.open_api plugin
…crawl.open_api plugin
|
I have updated the patch:
|
|
@andresriancho When you have some time, could you please take a look at this pull request? I have also updated other pull requests and added several comments - looking for a review. Thanks! |
This is a patch for #17315
Main changes:
parameter_values_locationconfiguration option for the OpenAPI plugin. The option allows to set a path to a YAML file which contains context-specific parameter values.ParameterValuesclass which can load context-specific parameter values from a YAML file. The file contains a mapping{ path, parameter name } -> list of values. Currently, it doesn't use an HTTP method but it can be easily updated. Forin: bodyparameter type, a user can specify a JSON payload, but it's not currently possible to specify a value for a particular field in the JSON payload.ParameterHandlerto use context-specific parameter values. If a user provided custom parameter values, then the class prefers them, and tries to enumerate all possible combinations of the specified parameters.get_uri()method.I am testing the feature on a couple of applications but would like to start a review now to get feedback earlier.