Search in sources :

Example 26 with Context

use of org.zaproxy.zap.model.Context in project zaproxy by zaproxy.

the class ContextGeneralPanel method saveContextData.

@Override
public void saveContextData(Session session) {
    Context context = session.getContext(this.getContextId());
    saveDataInContext(context);
    String name = getTxtName().getText();
    if (!this.getName().equals(getPanelName(this.getContextId(), name)) && View.isInitialised()) {
        View.getSingleton().renameContext(context);
    }
}
Also used : Context(org.zaproxy.zap.model.Context)

Example 27 with Context

use of org.zaproxy.zap.model.Context in project zaproxy by zaproxy.

the class ContextListPanel method initParam.

@Override
public void initParam(Object obj) {
    Session session = (Session) obj;
    List<Object[]> values = new ArrayList<>();
    List<Context> contexts = session.getContexts();
    for (Context context : contexts) {
        values.add(new Object[] { context.getId(), context.getName(), context.isInScope() });
    }
    this.model.setValues(values);
}
Also used : Context(org.zaproxy.zap.model.Context) ArrayList(java.util.ArrayList) Session(org.parosproxy.paros.model.Session)

Example 28 with Context

use of org.zaproxy.zap.model.Context in project zaproxy by zaproxy.

the class ContextCreateDialog method save.

@Override
public void save() {
    Context ctx = Model.getSingleton().getSession().getNewContext(this.getStringValue(NAME_FIELD));
    ctx.setDescription(this.getStringValue(DESC_FIELD));
    ctx.setInScope(this.getBoolValue(IN_SCOPE_FIELD));
    if (topNode != null) {
        try {
            ctx.addIncludeInContextRegex(new StructuralSiteNode(topNode).getRegexPattern());
        } catch (DatabaseException e) {
        // Ignore
        }
    }
    Model.getSingleton().getSession().saveContext(ctx);
}
Also used : Context(org.zaproxy.zap.model.Context) StructuralSiteNode(org.zaproxy.zap.model.StructuralSiteNode) DatabaseException(org.parosproxy.paros.db.DatabaseException)

Example 29 with Context

use of org.zaproxy.zap.model.Context in project zaproxy by zaproxy.

the class ContextIncludePanel method saveContextData.

@Override
public void saveContextData(Session session) throws Exception {
    Context context = session.getContext(getContextId());
    context.setIncludeInContextRegexs(regexesPanel.getRegexes());
}
Also used : Context(org.zaproxy.zap.model.Context)

Example 30 with Context

use of org.zaproxy.zap.model.Context in project zaproxy by zaproxy.

the class ActiveScanAPI method handleApiAction.

@SuppressWarnings({ "fallthrough" })
@Override
public ApiResponse handleApiAction(String name, JSONObject params) throws ApiException {
    log.debug("handleApiAction " + name + " " + params.toString());
    ScanPolicy policy;
    int policyId;
    User user = null;
    Context context = null;
    try {
        switch(name) {
            case ACTION_SCAN_AS_USER:
                // These are not mandatory parameters on purpose, to keep the same order
                // of the parameters while having PARAM_URL as (now) optional.
                validateParamExists(params, PARAM_CONTEXT_ID);
                validateParamExists(params, PARAM_USER_ID);
                int userID = ApiUtils.getIntParam(params, PARAM_USER_ID);
                ExtensionUserManagement usersExtension = Control.getSingleton().getExtensionLoader().getExtension(ExtensionUserManagement.class);
                if (usersExtension == null) {
                    throw new ApiException(Type.NO_IMPLEMENTOR, ExtensionUserManagement.NAME);
                }
                context = ApiUtils.getContextByParamId(params, PARAM_CONTEXT_ID);
                user = usersExtension.getContextUserAuthManager(context.getId()).getUserById(userID);
                if (user == null) {
                    throw new ApiException(Type.USER_NOT_FOUND, PARAM_USER_ID);
                }
            // $FALL-THROUGH$
            case ACTION_SCAN:
                String url = ApiUtils.getOptionalStringParam(params, PARAM_URL);
                if (context == null && params.has(PARAM_CONTEXT_ID) && !params.getString(PARAM_CONTEXT_ID).isEmpty()) {
                    context = ApiUtils.getContextByParamId(params, PARAM_CONTEXT_ID);
                }
                boolean scanJustInScope = context != null ? false : this.getParam(params, PARAM_JUST_IN_SCOPE, false);
                String policyName = null;
                policy = null;
                try {
                    policyName = params.getString(PARAM_SCAN_POLICY_NAME);
                } catch (Exception e1) {
                // Ignore
                }
                try {
                    if (policyName != null && policyName.length() > 0) {
                        // Not specified, use the default one
                        log.debug("handleApiAction scan policy =" + policyName);
                        policy = controller.getPolicyManager().getPolicy(policyName);
                    }
                } catch (ConfigurationException e) {
                    throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_SCAN_POLICY_NAME);
                }
                String method = this.getParam(params, PARAM_METHOD, HttpRequestHeader.GET);
                if (method.trim().length() == 0) {
                    method = HttpRequestHeader.GET;
                }
                if (!Arrays.asList(HttpRequestHeader.METHODS).contains(method)) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_METHOD);
                }
                int scanId = scanURL(url, user, this.getParam(params, PARAM_RECURSE, true), scanJustInScope, method, this.getParam(params, PARAM_POST_DATA, ""), policy, context);
                return new ApiResponseElement(name, Integer.toString(scanId));
            case ACTION_PAUSE_SCAN:
                getActiveScan(params).pauseScan();
                break;
            case ACTION_RESUME_SCAN:
                getActiveScan(params).resumeScan();
                break;
            case ACTION_STOP_SCAN:
                getActiveScan(params).stopScan();
                break;
            case ACTION_REMOVE_SCAN:
                ActiveScan activeScan = controller.removeScan(params.getInt(PARAM_SCAN_ID));
                if (activeScan == null) {
                    throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_SCAN_ID);
                }
                break;
            case ACTION_PAUSE_ALL_SCANS:
                controller.pauseAllScans();
                break;
            case ACTION_RESUME_ALL_SCANS:
                controller.resumeAllScans();
                break;
            case ACTION_STOP_ALL_SCANS:
                controller.stopAllScans();
                break;
            case ACTION_REMOVE_ALL_SCANS:
                controller.removeAllScans();
                break;
            case ACTION_CLEAR_EXCLUDED_FROM_SCAN:
                try {
                    Session session = Model.getSingleton().getSession();
                    session.setExcludeFromScanRegexs(new ArrayList<>());
                } catch (DatabaseException e) {
                    log.error(e.getMessage(), e);
                    throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
                }
                break;
            case ACTION_EXCLUDE_FROM_SCAN:
                String regex = params.getString(PARAM_REGEX);
                try {
                    Session session = Model.getSingleton().getSession();
                    session.addExcludeFromScanRegexs(regex);
                } catch (DatabaseException e) {
                    log.error(e.getMessage(), e);
                    throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
                } catch (PatternSyntaxException e) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_REGEX);
                }
                break;
            case ACTION_ENABLE_ALL_SCANNERS:
                policy = getScanPolicyFromParams(params);
                policy.getPluginFactory().setAllPluginEnabled(true);
                policy.save();
                break;
            case ACTION_DISABLE_ALL_SCANNERS:
                policy = getScanPolicyFromParams(params);
                policy.getPluginFactory().setAllPluginEnabled(false);
                policy.save();
                break;
            case ACTION_ENABLE_SCANNERS:
                policy = getScanPolicyFromParams(params);
                setScannersEnabled(policy, getParam(params, PARAM_IDS, "").split(","), true);
                policy.save();
                break;
            case ACTION_DISABLE_SCANNERS:
                policy = getScanPolicyFromParams(params);
                setScannersEnabled(policy, getParam(params, PARAM_IDS, "").split(","), false);
                policy.save();
                break;
            case ACTION_SET_ENABLED_POLICIES:
                policy = getScanPolicyFromParams(params);
                setEnabledPolicies(policy, getParam(params, PARAM_IDS, "").split(","));
                policy.save();
                break;
            case ACTION_SET_POLICY_ATTACK_STRENGTH:
                policyId = getPolicyIdFromParamId(params);
                policy = getScanPolicyFromParams(params);
                Plugin.AttackStrength attackStrength = getAttackStrengthFromParamAttack(params);
                for (Plugin scanner : policy.getPluginFactory().getAllPlugin()) {
                    if (scanner.getCategory() == policyId) {
                        scanner.setAttackStrength(attackStrength);
                    }
                }
                policy.save();
                break;
            case ACTION_SET_POLICY_ALERT_THRESHOLD:
                policyId = getPolicyIdFromParamId(params);
                policy = getScanPolicyFromParams(params);
                Plugin.AlertThreshold alertThreshold1 = getAlertThresholdFromParamAlertThreshold(params);
                for (Plugin scanner : policy.getPluginFactory().getAllPlugin()) {
                    if (scanner.getCategory() == policyId) {
                        scanner.setAlertThreshold(alertThreshold1);
                    }
                }
                policy.save();
                break;
            case ACTION_SET_SCANNER_ATTACK_STRENGTH:
                policy = getScanPolicyFromParams(params);
                Plugin scanner = getScannerFromParamId(policy, params);
                scanner.setAttackStrength(getAttackStrengthFromParamAttack(params));
                policy.save();
                break;
            case ACTION_SET_SCANNER_ALERT_THRESHOLD:
                policy = getScanPolicyFromParams(params);
                AlertThreshold alertThreshold2 = getAlertThresholdFromParamAlertThreshold(params);
                getScannerFromParamId(policy, params).setAlertThreshold(alertThreshold2);
                policy.save();
                break;
            case ACTION_ADD_SCAN_POLICY:
                String newPolicyName = params.getString(PARAM_SCAN_POLICY_NAME);
                if (controller.getPolicyManager().getAllPolicyNames().contains(newPolicyName)) {
                    throw new ApiException(ApiException.Type.ALREADY_EXISTS, PARAM_SCAN_POLICY_NAME);
                }
                if (!controller.getPolicyManager().isLegalPolicyName(newPolicyName)) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_SCAN_POLICY_NAME);
                }
                policy = controller.getPolicyManager().getTemplatePolicy();
                policy.setName(newPolicyName);
                setAlertThreshold(policy, params);
                setAttackStrength(policy, params);
                controller.getPolicyManager().savePolicy(policy);
                break;
            case ACTION_REMOVE_SCAN_POLICY:
                // Check it exists
                policy = getScanPolicyFromParams(params);
                if (controller.getPolicyManager().getAllPolicyNames().size() == 1) {
                    // Dont remove the last one
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, "You are not allowed to remove the last scan policy");
                }
                controller.getPolicyManager().deletePolicy(policy.getName());
                break;
            case ACTION_UPDATE_SCAN_POLICY:
                policy = getScanPolicyFromParams(params);
                if (!isParamsChanged(policy, params)) {
                    break;
                }
                updateAlertThreshold(policy, params);
                updateAttackStrength(policy, params);
                controller.getPolicyManager().savePolicy(policy);
                break;
            case ACTION_IMPORT_SCAN_POLICY:
                File file = new File(params.getString(PARAM_PATH));
                if (!file.exists()) {
                    throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_PATH);
                }
                if (!file.isFile()) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_PATH);
                }
                ScanPolicy scanPolicy;
                try {
                    scanPolicy = new ScanPolicy(new ZapXmlConfiguration(file));
                } catch (IllegalArgumentException | ConfigurationException e) {
                    throw new ApiException(ApiException.Type.BAD_EXTERNAL_DATA, file.toString(), e);
                }
                String scanPolicyName = scanPolicy.getName();
                if (scanPolicyName.isEmpty()) {
                    scanPolicyName = file.getName();
                }
                if (controller.getPolicyManager().getAllPolicyNames().contains(scanPolicyName)) {
                    throw new ApiException(ApiException.Type.ALREADY_EXISTS, scanPolicyName);
                }
                if (!controller.getPolicyManager().isLegalPolicyName(scanPolicyName)) {
                    throw new ApiException(ApiException.Type.BAD_EXTERNAL_DATA, scanPolicyName);
                }
                try {
                    controller.getPolicyManager().savePolicy(scanPolicy);
                } catch (ConfigurationException e) {
                    throw new ApiException(ApiException.Type.INTERNAL_ERROR, e);
                }
                break;
            case ACTION_ADD_EXCLUDED_PARAM:
                int type = getParam(params, PARAM_TYPE, NameValuePair.TYPE_UNDEFINED);
                if (!ScannerParamFilter.getTypes().containsKey(type)) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_TYPE);
                }
                url = getParam(params, PARAM_URL, "*");
                if (url.isEmpty()) {
                    url = "*";
                }
                ScannerParamFilter excludedParam = new ScannerParamFilter(params.getString(PARAM_NAME), type, url);
                List<ScannerParamFilter> excludedParams = new ArrayList<>(controller.getScannerParam().getExcludedParamList());
                excludedParams.add(excludedParam);
                controller.getScannerParam().setExcludedParamList(excludedParams);
                break;
            case ACTION_MODIFY_EXCLUDED_PARAM:
                try {
                    int idx = params.getInt(PARAM_IDX);
                    if (idx < 0 || idx >= controller.getScannerParam().getExcludedParamList().size()) {
                        throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX);
                    }
                    ScannerParamFilter oldExcludedParam = controller.getScannerParam().getExcludedParamList().get(idx);
                    String epName = getParam(params, PARAM_NAME, oldExcludedParam.getParamName());
                    if (epName.isEmpty()) {
                        epName = oldExcludedParam.getParamName();
                    }
                    type = getParam(params, PARAM_TYPE, oldExcludedParam.getType());
                    if (!ScannerParamFilter.getTypes().containsKey(type)) {
                        throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_TYPE);
                    }
                    url = getParam(params, PARAM_URL, oldExcludedParam.getWildcardedUrl());
                    if (url.isEmpty()) {
                        url = "*";
                    }
                    ScannerParamFilter newExcludedParam = new ScannerParamFilter(epName, type, url);
                    if (oldExcludedParam.equals(newExcludedParam)) {
                        break;
                    }
                    excludedParams = new ArrayList<>(controller.getScannerParam().getExcludedParamList());
                    excludedParams.set(idx, newExcludedParam);
                    controller.getScannerParam().setExcludedParamList(excludedParams);
                } catch (JSONException e) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX, e);
                }
                break;
            case ACTION_REMOVE_EXCLUDED_PARAM:
                try {
                    int idx = params.getInt(PARAM_IDX);
                    if (idx < 0 || idx >= controller.getScannerParam().getExcludedParamList().size()) {
                        throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX);
                    }
                    excludedParams = new ArrayList<>(controller.getScannerParam().getExcludedParamList());
                    excludedParams.remove(idx);
                    controller.getScannerParam().setExcludedParamList(excludedParams);
                } catch (JSONException e) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX, e);
                }
                break;
            case ACTION_SKIP_SCANNER:
                int pluginId = getParam(params, PARAM_SCANNER_ID, -1);
                if (pluginId == -1) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_SCANNER_ID);
                }
                String reason = Constant.messages.getString("ascan.progress.label.skipped.reason.user");
                getActiveScan(params).getHostProcesses().forEach(hp -> hp.pluginSkipped(pluginId, reason));
                break;
            default:
                throw new ApiException(ApiException.Type.BAD_ACTION);
        }
    } catch (ConfigurationException e) {
        throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
    }
    return ApiResponseElement.OK;
}
Also used : AlertThreshold(org.parosproxy.paros.core.scanner.Plugin.AlertThreshold) User(org.zaproxy.zap.users.User) ScannerParamFilter(org.parosproxy.paros.core.scanner.ScannerParamFilter) ArrayList(java.util.ArrayList) ConfigurationException(org.apache.commons.configuration.ConfigurationException) ApiResponseElement(org.zaproxy.zap.extension.api.ApiResponseElement) PatternSyntaxException(java.util.regex.PatternSyntaxException) Context(org.zaproxy.zap.model.Context) JSONException(net.sf.json.JSONException) URIException(org.apache.commons.httpclient.URIException) PatternSyntaxException(java.util.regex.PatternSyntaxException) ApiException(org.zaproxy.zap.extension.api.ApiException) ConfigurationException(org.apache.commons.configuration.ConfigurationException) JSONException(net.sf.json.JSONException) DatabaseException(org.parosproxy.paros.db.DatabaseException) AlertThreshold(org.parosproxy.paros.core.scanner.Plugin.AlertThreshold) ExtensionUserManagement(org.zaproxy.zap.extension.users.ExtensionUserManagement) ZapXmlConfiguration(org.zaproxy.zap.utils.ZapXmlConfiguration) DatabaseException(org.parosproxy.paros.db.DatabaseException) File(java.io.File) ApiException(org.zaproxy.zap.extension.api.ApiException) Session(org.parosproxy.paros.model.Session) Plugin(org.parosproxy.paros.core.scanner.Plugin)

Aggregations

Context (org.zaproxy.zap.model.Context)89 ApiException (org.zaproxy.zap.extension.api.ApiException)22 Test (org.junit.jupiter.api.Test)21 ZapXmlConfiguration (org.zaproxy.zap.utils.ZapXmlConfiguration)17 WithConfigsTest (org.zaproxy.zap.WithConfigsTest)16 User (org.zaproxy.zap.users.User)15 JSONObject (net.sf.json.JSONObject)14 Configuration (org.apache.commons.configuration.Configuration)14 Session (org.parosproxy.paros.model.Session)14 ApiDynamicActionImplementor (org.zaproxy.zap.extension.api.ApiDynamicActionImplementor)13 RecordContext (org.parosproxy.paros.db.RecordContext)12 DatabaseException (org.parosproxy.paros.db.DatabaseException)10 ConfigurationException (org.apache.commons.configuration.ConfigurationException)9 HttpMessage (org.parosproxy.paros.network.HttpMessage)9 ExtensionUserManagement (org.zaproxy.zap.extension.users.ExtensionUserManagement)9 ArrayList (java.util.ArrayList)8 JMenuItem (javax.swing.JMenuItem)7 ExtensionPopupMenuItem (org.parosproxy.paros.extension.ExtensionPopupMenuItem)7 SiteNode (org.parosproxy.paros.model.SiteNode)7 IOException (java.io.IOException)6