Fix the out of scope issue with swagger option

bretfourbe · Jun 28, 2024 · 3a0f685 · 3a0f685
1 parent f8284cb
commit 3a0f685
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 9 deletions.
diff --git a/tests/cli/test_options.py b/tests/cli/test_options.py
@@ -270,7 +270,8 @@ async def test_use_web_creds(mock_async_try_form_login, _, __):
 # Test swagger option with a valid url
 @pytest.mark.asyncio
 @mock.patch("wapitiCore.main.wapiti.Wapiti.browse")
-async def test_swagger_valid_url(mock_browse):
+@mock.patch("wapitiCore.main.wapiti.Wapiti.attack")
+async def test_swagger_valid_url(mock_browse, _):
     testargs = [
         "wapiti",
         "-u", "https://petstore.swagger.io",
@@ -285,7 +286,8 @@ async def test_swagger_valid_url(mock_browse):
 # Test swagger option with an invalid url or when option break
 @pytest.mark.asyncio
 @mock.patch("wapitiCore.main.wapiti.Wapiti.browse")
-async def test_swagger_invalid_url(mock_browse):
+@mock.patch("wapitiCore.main.wapiti.Wapiti.attack")
+async def test_swagger_invalid_url(mock_browse, _):
     testargs = [
         "wapiti",
         "-u", "http://testphp.vulnweb.com",
@@ -299,6 +301,24 @@ async def test_swagger_invalid_url(mock_browse):
         mock_browse.assert_called_once()
 
 
+@pytest.mark.asyncio
+@mock.patch("wapitiCore.main.wapiti.Wapiti.browse")
+@mock.patch("wapitiCore.main.wapiti.Wapiti.attack")
+@mock.patch("wapitiCore.controller.wapiti.Wapiti.add_start_url")
+async def test_out_of_scope_swagger(mock_add_start_url, _, __):
+    """Test with out of scope swagger"""
+    testsagrs = [
+        "wapiti",
+        "--url", "http://testphp.vulnweb.com/",
+        "--swagger", "./tests/data/openapi3.yaml",
+        "-m", ""
+    ]
+
+    with mock.patch.object(sys, "argv", testsagrs):
+        await wapiti_main()
+        mock_add_start_url.assert_not_called()
+
+
 @pytest.mark.asyncio
 @mock.patch("wapitiCore.main.wapiti.Wapiti.browse")
 @mock.patch("wapitiCore.main.wapiti.Wapiti.attack")

diff --git a/wapitiCore/main/wapiti.py b/wapitiCore/main/wapiti.py
@@ -194,8 +194,14 @@ async def wapiti_main():
 
     if args.swagger_uri:
         swagger = Swagger(swagger_url=args.swagger_uri, base_url=url)
+        nb_out = 0
         for request in swagger.get_requests():
-            wap.add_start_url(request)
+            if wap.target_scope.check(request):
+                wap.add_start_url(request)
+            else:
+                nb_out += 1
+        if nb_out > 0:
+            logging.warning(f"[!] {nb_out} out of scope requests from the Swagger file are not added.")
 
     try:
         for start_url in args.starting_urls:

diff --git a/wapitiCore/parsers/swagger.py b/wapitiCore/parsers/swagger.py
@@ -60,7 +60,7 @@ def __init__(self, swagger_url: str = None, base_url: str = None) -> None:
             logging.error("[-] Error: No URL or file")
 
         if self.swagger_dict:
-            self.routes = self._get_routes(self.swagger_dict, swagger_url, base_url)
+            self.routes = self._get_routes(self.swagger_dict, base_url)
 
 
     @staticmethod
@@ -196,11 +196,9 @@ def is_valid_url(url) -> bool:
             return False
 
 
-    def _get_routes(self, swagger_dict: dict, swagger_url: str, base_url: str) -> dict:
-        if Swagger.is_valid_url(swagger_url):
-            url = swagger_url
-        else:
-            url = base_url
+    def _get_routes(self, swagger_dict: dict, base_url: str) -> dict:
+        # We use the url from the -u unless the swagger file has one
+        url = base_url
         request = {}
         base_path = self._get_base_url(swagger_dict, url)
         for path in swagger_dict['paths']: