Skip to content

Use swagger as the source for targets #4833

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
donnd-t wants to merge 12 commits into
base: master
Choose a base branch
from
Open

Use swagger as the source for targets #4833

Changes from 1 commit
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
9a34282
get operations with query parameters
donnd-t Sep 14, 2021
caaf7c4
path injections
donnd-t Sep 15, 2021
f6201da
extra swagger validations
donnd-t Sep 15, 2021
4aeed81
support operations that have a request body
donnd-t Sep 17, 2021
8f13e35
refactor swagger code to separate module
donnd-t Sep 17, 2021
59e8bb9
refactor
donnd-t Sep 17, 2021
f031e00
show warning when example is missing
donnd-t Sep 17, 2021
65187de
show warning when example is missing
donnd-t Sep 17, 2021
1141f21
added support for headers
donnd-t Nov 2, 2021
5ab5f58
support for nested payloads
donnd-t Nov 3, 2021
35cb10f
support for swagger 2.0 metadata
donnd-t Nov 12, 2021
051eb12
support for swagger v2 body specs
donnd-t Nov 12, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
support for swagger 2.0 metadata
  • Loading branch information
@donnd-t
donnd-t committed Nov 12, 2021
commit 35cb10fd69b3dc644899d009f308e26f7b747564
49 changes: 41 additions & 8 deletions lib/core/swagger.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,7 @@ def _example(swagger, objOrRefPath):

def parse(content, tags):
"""
Parses Swagger OpenAPI 3.x.x JSON documents
Parses Swagger 2.x and OpenAPI 3.x.x JSON documents

Target injectable parameter values are generated from the "example" properties.
Only property-level "example" is supported. The "examples" property is not supported.
Expand All @@ -119,21 +119,54 @@ def parse(content, tags):
try:
swagger = json.loads(content)

openapiv3 = False
swaggerv2 = False

# extra validations
if "openapi" not in swagger or not swagger["openapi"].startswith("3."):
errMsg = "swagger must be OpenAPI 3.x.x!"
raise SqlmapSyntaxException(errMsg)
if "openapi" in swagger and swagger["openapi"].startswith("3."):
openapiv3 = True

if "swagger" in swagger and swagger["swagger"].startswith("2."):
swaggerv2 = True

if ("servers" not in swagger or
if not (openapiv3 or swaggerv2):
errMsg = "swagger must be either Swagger 2.x or OpenAPI 3.x.x!"
raise SqlmapSyntaxException(errMsg)

if (openapiv3 and
("servers" not in swagger or
not isinstance(swagger["servers"], list) or
len(swagger["servers"]) < 1 or
"url" not in swagger["servers"][0]):
"url" not in swagger["servers"][0])):
errMsg = "swagger server is missing!"
raise SqlmapSyntaxException(errMsg)

if swaggerv2 and "host" not in swagger:
errMsg = "swagger server is missing!"
raise SqlmapSyntaxException(errMsg)

server = swagger["servers"][0]["url"]
if openapiv3:
# only one server supported
server = swagger["servers"][0]["url"]

logger.info("swagger OpenAPI version '%s', server '%s'" %(swagger["openapi"], server))
elif swaggerv2:
logger.info("swagger version '%s'" %swagger["swagger"])

basePath = ""
if "basePath" in swagger:
basePath = swagger["basePath"]

scheme = "https"
if ("schemes" in swagger and
isinstance(swagger["schemes"], list) and
len(swagger["schemes"]) > 0):
scheme = swagger["schemes"][0]

server = "%s://%s%s" % (scheme, swagger["host"], basePath)

logger.info("swagger version '%s', server '%s'" %(swagger["swagger"], server))

logger.info("swagger OpenAPI version '%s', server '%s'" %(swagger["openapi"], server))

for path in swagger["paths"]:
for method in swagger["paths"][path]:
Expand Down