Merge pull request #72 from cerberauth/fix-validate-operation

fix: validation operation properly before scanning url

Author: emmanuelgautier

internal/auth/bearer.go

@@ -44,10 +44,13 @@ func NewAuthorizationBearerSecurityScheme(name string, value *string) *BearerSec
 
 func (ss *BearerSecurityScheme) GetHeaders() http.Header {
 	header := http.Header{}
-	if ss.ValidValue != nil {
-		header.Set(AuthorizationHeader, fmt.Sprintf("%s %s", BearerPrefix, ss.GetAttackValue().(string)))
+	attackValue := ss.GetAttackValue().(string)
+	if attackValue == "" && ss.ValidValue != nil {
+		attackValue = *ss.ValidValue
 	}
 
+	header.Set(AuthorizationHeader, fmt.Sprintf("%s %s", BearerPrefix, attackValue))
+
 	return header
 }
 

scan/jwt/not_verified.go

@@ -32,22 +32,26 @@ func NotVerifiedScanHandler(operation *request.Operation, ss auth.SecurityScheme
 	}
 
 	ss.SetAttackValue(ss.GetValidValue())
-	vsa1, err := scan.ScanURL(operation, &ss)
+	attemptOne, err := scan.ScanURL(operation, &ss)
 	if err != nil {
 		return r, err
 	}
-	r.AddScanAttempt(vsa1)
+	r.AddScanAttempt(attemptOne)
+
+	if scan.DetectNotExpectedResponse(attemptOne.Response) == nil {
+		return r, nil
+	}
 
 	ss.SetAttackValue(newToken)
-	vsa2, err := scan.ScanURL(operation, &ss)
+	attemptTwo, err := scan.ScanURL(operation, &ss)
 	if err != nil {
 		return r, err
 	}
 
-	r.AddScanAttempt(vsa2)
+	r.AddScanAttempt(attemptTwo)
 	r.End()
 
-	if vsa1.Response.StatusCode == vsa2.Response.StatusCode {
+	if attemptOne.Response.StatusCode == attemptTwo.Response.StatusCode {
 		r.AddVulnerabilityReport(&report.VulnerabilityReport{
 			SeverityLevel: NotVerifiedVulnerabilitySeverityLevel,
 			Name:          NotVerifiedVulnerabilityName,

scan/jwt/not_verified_test.go

@@ -68,3 +68,24 @@ func TestNotVerifiedScanHandlerWithNotVerifiedJWT(t *testing.T) {
 	assert.Equal(t, 2, httpmock.GetTotalCallCount())
 	assert.True(t, report.HasVulnerabilityReport())
 }
+
+func TestNotVerifiedScanHandlerWhenHTTPCodeIs401(t *testing.T) {
+	httpmock.Activate()
+	defer httpmock.DeactivateAndReset()
+
+	token := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
+	securityScheme := auth.NewAuthorizationBearerSecurityScheme("token", &token)
+	operation := request.NewOperation("http://localhost:8080/", "GET", nil, nil, nil)
+
+	httpmock.RegisterResponder(operation.Method, operation.Request.URL.String(), httpmock.ResponderFromMultipleResponses(
+		[]*http.Response{
+			httpmock.NewBytesResponse(401, nil),
+			httpmock.NewBytesResponse(401, nil),
+		}, t.Log),
+	)
+	report, err := jwt.NotVerifiedScanHandler(operation, securityScheme)
+
+	assert.NoError(t, err)
+	assert.Equal(t, 1, httpmock.GetTotalCallCount())
+	assert.False(t, report.HasVulnerabilityReport())
+}

scan/scan.go

@@ -88,7 +88,8 @@ func (s *Scan) Execute() (*report.Reporter, []error, error) {
 }
 
 func (s *Scan) ValidateOperation(operation *request.Operation) error {
-	attempt, err := scan.ScanURL(operation, &operation.SecuritySchemes[0])
+	securityScheme := operation.SecuritySchemes[0] // TODO: handle multiple security schemes
+	attempt, err := scan.ScanURL(operation, &securityScheme)
 	if err != nil {
 		return err
 	}
@@ -97,6 +98,10 @@ func (s *Scan) ValidateOperation(operation *request.Operation) error {
 		return attempt.Err
 	}
 
+	if scan.DetectNotExpectedResponse(attempt.Response) == nil {
+		return fmt.Errorf("operation validation failed because of unexpected response: %d", attempt.Response.StatusCode)
+	}
+
 	return nil
 }
 

scan/scan_test.go

@@ -9,6 +9,7 @@ import (
 	"github.com/cerberauth/vulnapi/internal/request"
 	"github.com/cerberauth/vulnapi/report"
 	"github.com/cerberauth/vulnapi/scan"
+	"github.com/jarcoal/httpmock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -61,3 +62,29 @@ func TestNewScanWithReporter(t *testing.T) {
 		Reporter:   reporter,
 	}, s)
 }
+
+func TestScanValidateOperation(t *testing.T) {
+	httpmock.Activate()
+	defer httpmock.DeactivateAndReset()
+
+	operation := request.NewOperation("http://localhost:8080/", "GET", nil, nil, nil)
+	httpmock.RegisterResponder(operation.Method, operation.Request.URL.String(), httpmock.ResponderFromResponse(httpmock.NewStringResponse(200, "OK")))
+
+	s, err := scan.NewURLScan(operation.Method, operation.RequestURI, nil, nil, nil)
+
+	err = s.ValidateOperation(operation)
+	assert.NoError(t, err)
+}
+
+func TestScanValidateOperationWhenRequestHasInternalServerError(t *testing.T) {
+	httpmock.Activate()
+	defer httpmock.DeactivateAndReset()
+
+	operation := request.NewOperation("http://localhost:8080/", "GET", nil, nil, nil)
+	httpmock.RegisterResponder(operation.Method, operation.Request.URL.String(), httpmock.ResponderFromResponse(httpmock.NewStringResponse(500, "Internal Server Error")))
+
+	s, err := scan.NewURLScan(operation.Method, operation.RequestURI, nil, nil, nil)
+
+	err = s.ValidateOperation(operation)
+	assert.Error(t, err)
+}