From 709eaedac36389a8862996a5e452b8486ba4351a Mon Sep 17 00:00:00 2001
From: Jeremy Bonghwan Choi
Date: Mon, 23 Oct 2023 16:09:48 +1000
Subject: [PATCH] add slash to the openapi targeturl when it doesn't have (#151)
---
 scanners/zap/zap.py | 19 ++++++++++++-------
 tests/scanners/zap/test_setup_podman.py | 5 +++++
 2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/scanners/zap/zap.py b/scanners/zap/zap.py
index da1e6a30..2979de30 100644
--- a/scanners/zap/zap.py
+++ b/scanners/zap/zap.py
@@ -366,10 +366,7 @@ def _setup_zap_automation(self):
 af_context = find_context(self.automation_config)
 app_url = self.config.get("application.url")
 if app_url and isinstance(app_url, str):
- if not app_url.endswith("/"):
- # For some unknonw reason, ZAP appears to behave weirdly if the URL is just the hostname without '/'
- app_url = app_url + "/"
- af_context["urls"].append(app_url)
+ af_context["urls"].append(self._append_slash_to_url(app_url))
 else:
 logging.error("Configuration: ZAP requires an application.url entry")
 raise KeyError("Missing `application.url` in configuration")
@@ -413,6 +410,12 @@ def _setup_import_urls(self):
 job["parameters"]["fileName"] = dest
 self.automation_config["jobs"].append(job)
+ def _append_slash_to_url(self, url):
+ # For some unknown reason, ZAP appears to behave weirdly if the URL is just the hostname without '/'
+ if not url.endswith("/"):
+ url = url + "/"
+ return url
+
 def _setup_api(self):
 """Prepare an openapi job and append it to the job list"""
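Review bot: `_append_slash_to_url` (second hunk) appends "/" to any URL that lacks one, while the comment it carries only justifies that for a bare hostname; now that the first and third hunks route both the context URL and `apiScan.target` through it, a target such as `http://host/api?x=1` (constructed example) would become a different URL, and since these values define what the scanner is pointed at, narrowing the rewrite to the case the comment describes is safer. The helper also never reads `self`, so it can be a `@staticmethod`, and the in-place `url = url + "/"` reads more clearly as a conditional return. A version along these lines uses `urllib.parse.urlsplit`, which would need an import at the top of the file, outside this hunk; if the context `urls` entry genuinely needs the slash on paths as well, keep the old behaviour for that caller and narrow only the openapi one.
```python
    @staticmethod
    def _append_slash_to_url(url):
        """Return *url* with a trailing "/" when it is a bare scheme://host[:port].

        ZAP appears to behave weirdly when the URL is just the hostname without "/";
        a URL that already carries a path, query or fragment is returned unchanged.
        """
        parts = urlsplit(url)
        if parts.path or parts.query or parts.fragment:
            return url
        return url + "/"
```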
@@ -433,9 +436,11 @@ def _setup_api(self):
 else:
 logging.warning("No API defined in the config, in apiScan.api")
 # default target: main URL, or can be overridden in apiScan
- openapi["parameters"]["targetUrl"] = self.my_conf(
- "apiScan.target"
- ) or self.config.get("application.url")
+
+ openapi["parameters"]["targetUrl"] = self._append_slash_to_url(
+ self.my_conf("apiScan.target") or self.config.get("application.url")
+ )
+
 openapi["parameters"]["context"] = Zap.DEFAULT_CONTEXT
 self.automation_config["jobs"].append(openapi)
diff --git a/tests/scanners/zap/test_setup_podman.py b/tests/scanners/zap/test_setup_podman.py
index f2518a6a..75106540 100644
--- a/tests/scanners/zap/test_setup_podman.py
+++ b/tests/scanners/zap/test_setup_podman.py
@@ -33,6 +33,11 @@ def test_setup_basic(test_config):
 == "http://example.com/"
 )
+ for item in test_zap.automation_config["jobs"]:
+ if item["type"] == "openapi":
+ assert item["parameters"]["targetUrl"] == "http://example.com/"
+ break
+
 # Test that a passive scan is added with all rules actively disabled
 for item in test_zap.automation_config["jobs"]:
 if item["type"] == "passiveScan-config":
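Review bot: The new `targetUrl` expression hands `self.my_conf("apiScan.target") or self.config.get("application.url")` straight to `_append_slash_to_url`, which calls `.endswith` on it; when neither key is configured that value is `None`, so job setup now fails with an `AttributeError` where the old code stored `None` (unless `_setup_zap_automation` has already rejected a missing `application.url` before `_setup_api` runs, which this hunk does not show). Resolving the target first and failing in the same explicit style used there keeps that path deterministic: `target = self.my_conf("apiScan.target") or self.config.get("application.url")`, then `if not target: raise KeyError("Missing apiScan.target/application.url in configuration")`, then `openapi["parameters"]["targetUrl"] = self._append_slash_to_url(target)`. `_setup_api` begins outside the hunk.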
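Review bot: The added loop in `test_setup_basic` asserts nothing when no job of type `openapi` exists, so a regression that drops the openapi job entirely still passes, and the `break` means only the first such job is inspected. Filtering first makes presence explicit: `openapi_jobs = [j for j in test_zap.automation_config["jobs"] if j["type"] == "openapi"]` followed by `assert openapi_jobs and all(j["parameters"]["targetUrl"] == "http://example.com/" for j in openapi_jobs)`. Whether the fixture's URL lacks the trailing slash, so that the test actually exercises the new append, cannot be seen from this hunk; if it already ends in "/", a second case with a bare host would cover the change. `test_setup_basic` starts outside the hunk.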