Skip to content

Use swagger as the source for targets #4833

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
donnd-t wants to merge 12 commits into
base: master
Choose a base branch
from
Open

Use swagger as the source for targets #4833

Changes from 1 commit
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
9a34282
get operations with query parameters
donnd-t Sep 14, 2021
caaf7c4
path injections
donnd-t Sep 15, 2021
f6201da
extra swagger validations
donnd-t Sep 15, 2021
4aeed81
support operations that have a request body
donnd-t Sep 17, 2021
8f13e35
refactor swagger code to separate module
donnd-t Sep 17, 2021
59e8bb9
refactor
donnd-t Sep 17, 2021
f031e00
show warning when example is missing
donnd-t Sep 17, 2021
65187de
show warning when example is missing
donnd-t Sep 17, 2021
1141f21
added support for headers
donnd-t Nov 2, 2021
5ab5f58
support for nested payloads
donnd-t Nov 3, 2021
35cb10f
support for swagger 2.0 metadata
donnd-t Nov 12, 2021
051eb12
support for swagger v2 body specs
donnd-t Nov 12, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
refactor
  • Loading branch information
@donnd-t
donnd-t committed Sep 17, 2021
commit 59e8bb94f2dffd3d668db98bced4c64229092e82
87 changes: 53 additions & 34 deletions lib/core/swagger.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,27 +10,47 @@
from lib.core.data import logger
from lib.core.exception import SqlmapSyntaxException

def _operationParameters(parameters, types):
return list(filter(lambda p: (p["in"] in types), parameters))
class Operation:

def _operationQueryString(parameters):
queryParameters = _operationParameters(parameters, ["query"])
if len(queryParameters) < 1:
return None
queryString = ""
for qp in queryParameters:
queryString += "&%s=%s" %(qp["name"], qp["example"])
def __init__(self, op):
self.op = op

def tags(self):
return self.op["tags"]

def parameters(self):
return self.op["parameters"]

return queryString.replace('&', '', 1)
def parametersForTypes(self, types):
return list(filter(lambda p: (p["in"] in types), self.parameters()))

def bodyRef(self):
if "requestBody" in self.op:
return self.op["requestBody"]["content"]["application/json"]["schema"]["$ref"]
return None

def _operationPath(path, parameters):
pathParameters = _operationParameters(parameters, ["path"])
if len(pathParameters) < 1:
return path
parameterPath = path
for p in pathParameters:
parameterPath = parameterPath.replace("{%s}" %p["name"], "%s*" %p["example"])
return parameterPath
# header injection is not currently supported
def injectable(self, body):
return len(self.parametersForTypes(["query", "path"])) > 0 or body

def queryString(self):
queryParameters = self.parametersForTypes(["query"])
if len(queryParameters) < 1:
return None
queryString = ""
for qp in queryParameters:
queryString += "&%s=%s" %(qp["name"], qp["example"])

return queryString.replace('&', '', 1)

def path(self, path):
pathParameters = self.parametersForTypes(["path"])
if len(pathParameters) < 1:
return path
parameterPath = path
for p in pathParameters:
parameterPath = parameterPath.replace("{%s}" %p["name"], "%s*" %p["example"])
return parameterPath

def _ref(swagger, refPath):
paths = refPath.replace("#/", "", 1).split('/')
Expand All @@ -39,21 +59,21 @@ def _ref(swagger, refPath):
r = r[p]
return r

def _body(swagger, refPath):
body = {}
def _example(swagger, refPath):
example = {}
ref = _ref(swagger, refPath)
if "type" in ref and ref["type"] == "object" and "properties" in ref:
properties = ref["properties"]
for prop in properties:
if "example" in properties[prop]:
value = properties[prop]["example"]
body[prop] = value
example[prop] = value
elif "$ref" in properties[prop]:
body[prop] = _body(swagger, properties[prop]["$ref"])
example[prop] = _example(swagger, properties[prop]["$ref"])
elif properties[prop]["type"] == "array" and "$ref" in properties[prop]["items"]:
body[prop] = [ _body(swagger, properties[prop]["items"]["$ref"]) ]
example[prop] = [ _example(swagger, properties[prop]["items"]["$ref"]) ]

return body
return example

def parse(content, tags):
"""
Expand Down Expand Up @@ -81,19 +101,18 @@ def parse(content, tags):

for path in swagger["paths"]:
for operation in swagger["paths"][path]:
op = swagger["paths"][path][operation]
op = Operation(swagger["paths"][path][operation])

# skip any operations without one of our tags
if tags is not None and not any(tag in op["tags"] for tag in tags):
if tags is not None and not any(tag in op.tags() for tag in tags):
continue

body = {}
if "requestBody" in op:
ref = op["requestBody"]["content"]["application/json"]["schema"]["$ref"]
body = _body(swagger, ref)
bodyRef = op.bodyRef()
if bodyRef:
body = _example(swagger, bodyRef)

# header injection is not currently supported
if (len(_operationParameters(op["parameters"], ["query", "path"]))) < 1 and not body:
if not op.injectable(body):
logger.info("excluding path '%s', operation '%s' as there are no parameters to inject" %(path, operation))
continue

Expand All @@ -102,8 +121,8 @@ def parse(content, tags):
data = None
cookie = None

parameterPath = _operationPath(path, op["parameters"])
qs = _operationQueryString(op["parameters"])
parameterPath = op.path(path)
qs = op.queryString()
url = "%s%s" % (server, parameterPath)
method = operation.upper()
if body:
Expand All @@ -112,7 +131,7 @@ def parse(content, tags):
if qs is not None:
url += "?" + qs

logger.debug("swagger url '%s', method '%s', data '%s', cookie '%s'" %(url, method, data, cookie))
logger.debug("including url '%s', method '%s', data '%s', cookie '%s'" %(url, method, data, cookie))
yield (url, method, data, cookie, None)

except json.decoder.JSONDecodeError:
Expand Down