Search in sources :

Example 1 with GenericScanner2

use of org.zaproxy.zap.model.GenericScanner2 in project zaproxy by zaproxy.

the class SpiderAPI method handleApiAction.

@Override
public ApiResponse handleApiAction(String name, JSONObject params) throws ApiException {
    log.debug("Request for handleApiAction: " + name + " (params: " + params.toString() + ")");
    GenericScanner2 scan;
    int maxChildren = -1;
    Context context = null;
    switch(name) {
        case ACTION_START_SCAN:
            // The action is to start a new Scan
            String url = ApiUtils.getOptionalStringParam(params, PARAM_URL);
            if (params.containsKey(PARAM_MAX_CHILDREN)) {
                String maxChildrenStr = params.getString(PARAM_MAX_CHILDREN);
                if (maxChildrenStr != null && maxChildrenStr.length() > 0) {
                    try {
                        maxChildren = Integer.parseInt(maxChildrenStr);
                    } catch (NumberFormatException e) {
                        throw new ApiException(Type.ILLEGAL_PARAMETER, PARAM_MAX_CHILDREN);
                    }
                }
            }
            if (params.containsKey(PARAM_CONTEXT_NAME)) {
                String contextName = params.getString(PARAM_CONTEXT_NAME);
                if (!contextName.isEmpty()) {
                    context = ApiUtils.getContextByName(contextName);
                }
            }
            int scanId = scanURL(url, null, maxChildren, this.getParam(params, PARAM_RECURSE, true), context, getParam(params, PARAM_SUBTREE_ONLY, false));
            return new ApiResponseElement(name, Integer.toString(scanId));
        case ACTION_START_SCAN_AS_USER:
            // The action is to start a new Scan from the perspective of a user
            String urlUserScan = ApiUtils.getOptionalStringParam(params, PARAM_URL);
            int userID = ApiUtils.getIntParam(params, PARAM_USER_ID);
            ExtensionUserManagement usersExtension = (ExtensionUserManagement) Control.getSingleton().getExtensionLoader().getExtension(ExtensionUserManagement.NAME);
            if (usersExtension == null) {
                throw new ApiException(Type.NO_IMPLEMENTOR, ExtensionUserManagement.NAME);
            }
            context = ApiUtils.getContextByParamId(params, PARAM_CONTEXT_ID);
            User user = usersExtension.getContextUserAuthManager(context.getIndex()).getUserById(userID);
            if (user == null) {
                throw new ApiException(Type.USER_NOT_FOUND, PARAM_USER_ID);
            }
            if (params.containsKey(PARAM_MAX_CHILDREN)) {
                String maxChildrenStr = params.getString(PARAM_MAX_CHILDREN);
                if (maxChildrenStr != null && maxChildrenStr.length() > 0) {
                    try {
                        maxChildren = Integer.parseInt(maxChildrenStr);
                    } catch (NumberFormatException e) {
                        throw new ApiException(Type.ILLEGAL_PARAMETER, PARAM_MAX_CHILDREN);
                    }
                }
            }
            scanId = scanURL(urlUserScan, user, maxChildren, this.getParam(params, PARAM_RECURSE, true), context, getParam(params, PARAM_SUBTREE_ONLY, false));
            return new ApiResponseElement(name, Integer.toString(scanId));
        case ACTION_PAUSE_SCAN:
            scan = getSpiderScan(params);
            if (scan == null) {
                throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_SCAN_ID);
            }
            extension.pauseScan(scan.getScanId());
            break;
        case ACTION_RESUME_SCAN:
            scan = getSpiderScan(params);
            if (scan == null) {
                throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_SCAN_ID);
            }
            extension.resumeScan(scan.getScanId());
            break;
        case ACTION_STOP_SCAN:
            // The action is to stop a pending scan
            scan = getSpiderScan(params);
            if (scan == null) {
                throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_SCAN_ID);
            }
            extension.stopScan(scan.getScanId());
            break;
        case ACTION_REMOVE_SCAN:
            // Note that we're removing the scan with this call, not just getting it ;)
            scan = getSpiderScan(params);
            if (scan == null) {
                throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_SCAN_ID);
            }
            extension.removeScan(scan.getScanId());
            break;
        case ACTION_PAUSE_ALL_SCANS:
            extension.pauseAllScans();
            break;
        case ACTION_RESUME_ALL_SCANS:
            extension.resumeAllScans();
            break;
        case ACTION_STOP_ALL_SCANS:
            extension.stopAllScans();
            break;
        case ACTION_REMOVE_ALL_SCANS:
            extension.removeAllScans();
            break;
        case ACTION_CLEAR_EXCLUDED_FROM_SCAN:
            try {
                Session session = Model.getSingleton().getSession();
                session.setExcludeFromSpiderRegexs(new ArrayList<String>());
            } catch (DatabaseException e) {
                throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
            }
            break;
        case ACTION_EXCLUDE_FROM_SCAN:
            String regex = params.getString(PARAM_REGEX);
            try {
                Session session = Model.getSingleton().getSession();
                session.addExcludeFromSpiderRegex(regex);
            } catch (DatabaseException e) {
                throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
            } catch (PatternSyntaxException e) {
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_REGEX);
            }
            break;
        case ACTION_ADD_DOMAIN_ALWAYS_IN_SCOPE:
            try {
                String value = params.getString(PARAM_VALUE);
                DomainAlwaysInScopeMatcher domainAlwaysInScope;
                if (getParam(params, PARAM_IS_REGEX, false)) {
                    domainAlwaysInScope = new DomainAlwaysInScopeMatcher(DomainAlwaysInScopeMatcher.createPattern(value));
                } else {
                    domainAlwaysInScope = new DomainAlwaysInScopeMatcher(value);
                }
                domainAlwaysInScope.setEnabled(getParam(params, PARAM_IS_ENABLED, true));
                List<DomainAlwaysInScopeMatcher> domainsAlwaysInScope = new ArrayList<>(extension.getSpiderParam().getDomainsAlwaysInScope());
                domainsAlwaysInScope.add(domainAlwaysInScope);
                extension.getSpiderParam().setDomainsAlwaysInScope(domainsAlwaysInScope);
            } catch (IllegalArgumentException e) {
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_VALUE, e);
            }
            break;
        case ACTION_MODIFY_DOMAIN_ALWAYS_IN_SCOPE:
            try {
                int idx = params.getInt(PARAM_IDX);
                if (idx < 0 || idx >= extension.getSpiderParam().getDomainsAlwaysInScope().size()) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX);
                }
                DomainAlwaysInScopeMatcher oldDomain = extension.getSpiderParam().getDomainsAlwaysInScope().get(idx);
                String value = getParam(params, PARAM_VALUE, oldDomain.getValue());
                if (value.isEmpty()) {
                    value = oldDomain.getValue();
                }
                DomainAlwaysInScopeMatcher newDomain;
                if (getParam(params, PARAM_IS_REGEX, oldDomain.isRegex())) {
                    newDomain = new DomainAlwaysInScopeMatcher(DomainAlwaysInScopeMatcher.createPattern(value));
                } else {
                    newDomain = new DomainAlwaysInScopeMatcher(value);
                }
                newDomain.setEnabled(getParam(params, PARAM_IS_ENABLED, oldDomain.isEnabled()));
                if (oldDomain.equals(newDomain)) {
                    break;
                }
                List<DomainAlwaysInScopeMatcher> domainsAlwaysInScope = new ArrayList<>(extension.getSpiderParam().getDomainsAlwaysInScope());
                domainsAlwaysInScope.set(idx, newDomain);
                extension.getSpiderParam().setDomainsAlwaysInScope(domainsAlwaysInScope);
            } catch (JSONException e) {
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX, e);
            } catch (IllegalArgumentException e) {
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_VALUE, e);
            }
            break;
        case ACTION_REMOVE_DOMAIN_ALWAYS_IN_SCOPE:
            try {
                int idx = params.getInt(PARAM_IDX);
                if (idx < 0 || idx >= extension.getSpiderParam().getDomainsAlwaysInScope().size()) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX);
                }
                List<DomainAlwaysInScopeMatcher> domainsAlwaysInScope = new ArrayList<>(extension.getSpiderParam().getDomainsAlwaysInScope());
                domainsAlwaysInScope.remove(idx);
                extension.getSpiderParam().setDomainsAlwaysInScope(domainsAlwaysInScope);
            } catch (JSONException e) {
                throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX, e);
            }
            break;
        case ACTION_ENABLE_ALL_DOMAINS_ALWAYS_IN_SCOPE:
            setDomainsAlwaysInScopeEnabled(true);
            break;
        case ACTION_DISABLE_ALL_DOMAINS_ALWAYS_IN_SCOPE:
            setDomainsAlwaysInScopeEnabled(false);
            break;
        default:
            throw new ApiException(ApiException.Type.BAD_ACTION);
    }
    return ApiResponseElement.OK;
}
Also used : Context(org.zaproxy.zap.model.Context) User(org.zaproxy.zap.users.User) ArrayList(java.util.ArrayList) JSONException(net.sf.json.JSONException) DomainAlwaysInScopeMatcher(org.zaproxy.zap.spider.DomainAlwaysInScopeMatcher) ExtensionUserManagement(org.zaproxy.zap.extension.users.ExtensionUserManagement) GenericScanner2(org.zaproxy.zap.model.GenericScanner2) ApiResponseElement(org.zaproxy.zap.extension.api.ApiResponseElement) DatabaseException(org.parosproxy.paros.db.DatabaseException) ApiException(org.zaproxy.zap.extension.api.ApiException) Session(org.parosproxy.paros.model.Session) PatternSyntaxException(java.util.regex.PatternSyntaxException)

Example 2 with GenericScanner2

use of org.zaproxy.zap.model.GenericScanner2 in project zaproxy by zaproxy.

the class SpiderAPI method getSpiderScan.

/**
	 * Returns the specified GenericScanner2 or the last scan available.
	 *
	 * @param params the parameters of the API call
	 * @return the GenericScanner2 with the given scan ID or, if not present, the last scan available
	 * @throws ApiException if there's no scan with the given scan ID
	 * @see #PARAM_SCAN_ID
	 */
private GenericScanner2 getSpiderScan(JSONObject params) throws ApiException {
    GenericScanner2 spiderScan;
    int id = getParam(params, PARAM_SCAN_ID, -1);
    if (id == -1) {
        spiderScan = extension.getLastScan();
    } else {
        spiderScan = extension.getScan(id);
    }
    if (spiderScan == null) {
        throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_SCAN_ID);
    }
    return spiderScan;
}
Also used : GenericScanner2(org.zaproxy.zap.model.GenericScanner2) ApiException(org.zaproxy.zap.extension.api.ApiException)

Example 3 with GenericScanner2

use of org.zaproxy.zap.model.GenericScanner2 in project zaproxy by zaproxy.

the class SpiderAPI method handleApiView.

@Override
public ApiResponse handleApiView(String name, JSONObject params) throws ApiException {
    ApiResponse result;
    if (VIEW_STATUS.equals(name)) {
        SpiderScan scan = (SpiderScan) this.getSpiderScan(params);
        int progress = 0;
        if (scan != null) {
            if (scan.isStopped()) {
                progress = 100;
            } else {
                progress = scan.getProgress();
            }
        }
        result = new ApiResponseElement(name, Integer.toString(progress));
    } else if (VIEW_RESULTS.equals(name)) {
        result = new ApiResponseList(name);
        SpiderScan scan = (SpiderScan) this.getSpiderScan(params);
        if (scan != null) {
            synchronized (scan.getResults()) {
                for (String s : scan.getResults()) {
                    ((ApiResponseList) result).addItem(new ApiResponseElement("url", s));
                }
            }
        }
    } else if (VIEW_FULL_RESULTS.equals(name)) {
        ApiResponseList resultUrls = new ApiResponseList(name);
        SpiderScan scan = (SpiderScan) this.getSpiderScan(params);
        ApiResponseList resultList = new ApiResponseList("urlsInScope");
        synchronized (scan.getResourcesFound()) {
            for (SpiderResource sr : scan.getResourcesFound()) {
                Map<String, String> map = new HashMap<>();
                map.put("messageId", Integer.toString(sr.getHistoryId()));
                map.put("method", sr.getMethod());
                map.put("url", sr.getUri());
                map.put("statusCode", Integer.toString(sr.getStatusCode()));
                map.put("statusReason", sr.getStatusReason());
                resultList.addItem(new ApiResponseSet<String>("resource", map));
            }
        }
        resultUrls.addItem(resultList);
        resultList = new ApiResponseList("urlsOutOfScope");
        synchronized (scan.getResultsOutOfScope()) {
            for (String url : scan.getResultsOutOfScope()) {
                resultList.addItem(new ApiResponseElement("url", url));
            }
        }
        resultUrls.addItem(resultList);
        result = resultUrls;
    } else if (VIEW_EXCLUDED_FROM_SCAN.equals(name)) {
        result = new ApiResponseList(name);
        Session session = Model.getSingleton().getSession();
        List<String> regexs = session.getExcludeFromSpiderRegexs();
        for (String regex : regexs) {
            ((ApiResponseList) result).addItem(new ApiResponseElement("regex", regex));
        }
    } else if (VIEW_SCANS.equals(name)) {
        ApiResponseList resultList = new ApiResponseList(name);
        for (GenericScanner2 scan : extension.getAllScans()) {
            SpiderScan spiderScan = (SpiderScan) scan;
            Map<String, String> map = new HashMap<>();
            map.put("id", Integer.toString(spiderScan.getScanId()));
            map.put("progress", Integer.toString(spiderScan.getProgress()));
            map.put("state", spiderScan.getState());
            resultList.addItem(new ApiResponseSet<String>("scan", map));
        }
        result = resultList;
    } else if (VIEW_ALL_URLS.equals(name)) {
        ApiResponseList resultUrls = new ApiResponseList(name);
        Set<String> urlSet = new HashSet<String>();
        TableHistory tableHistory = extension.getModel().getDb().getTableHistory();
        List<Integer> ids = Collections.emptyList();
        try {
            ids = tableHistory.getHistoryIdsOfHistType(extension.getModel().getSession().getSessionId(), HistoryReference.TYPE_SPIDER, HistoryReference.TYPE_SPIDER_TASK);
        } catch (DatabaseException e) {
            throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
        }
        String url;
        for (Integer id : ids) {
            try {
                RecordHistory rh = tableHistory.read(id.intValue());
                if (rh != null) {
                    url = rh.getHttpMessage().getRequestHeader().getURI().toString();
                    if (urlSet.add(url)) {
                        resultUrls.addItem(new ApiResponseElement("url", url));
                    }
                }
            } catch (HttpMalformedHeaderException | DatabaseException e) {
                throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
            }
        }
        result = resultUrls;
    } else if (VIEW_DOMAINS_ALWAYS_IN_SCOPE.equals(name) || VIEW_OPTION_DOMAINS_ALWAYS_IN_SCOPE.equals(name)) {
        result = domainMatchersToApiResponseList(name, extension.getSpiderParam().getDomainsAlwaysInScope(), false);
    } else if (VIEW_OPTION_DOMAINS_ALWAYS_IN_SCOPE_ENABLED.equals(name)) {
        result = domainMatchersToApiResponseList(name, extension.getSpiderParam().getDomainsAlwaysInScope(), true);
    } else {
        throw new ApiException(ApiException.Type.BAD_VIEW);
    }
    return result;
}
Also used : HashSet(java.util.HashSet) Set(java.util.Set) ApiResponseSet(org.zaproxy.zap.extension.api.ApiResponseSet) HashMap(java.util.HashMap) ApiResponse(org.zaproxy.zap.extension.api.ApiResponse) ApiResponseElement(org.zaproxy.zap.extension.api.ApiResponseElement) ApiResponseList(org.zaproxy.zap.extension.api.ApiResponseList) GenericScanner2(org.zaproxy.zap.model.GenericScanner2) ApiResponseList(org.zaproxy.zap.extension.api.ApiResponseList) ArrayList(java.util.ArrayList) List(java.util.List) TableHistory(org.parosproxy.paros.db.TableHistory) DatabaseException(org.parosproxy.paros.db.DatabaseException) RecordHistory(org.parosproxy.paros.db.RecordHistory) Session(org.parosproxy.paros.model.Session) ApiException(org.zaproxy.zap.extension.api.ApiException)

Example 4 with GenericScanner2

use of org.zaproxy.zap.model.GenericScanner2 in project zaproxy by zaproxy.

the class ActiveScanAPI method handleApiAction.

@SuppressWarnings({ "fallthrough" })
@Override
public ApiResponse handleApiAction(String name, JSONObject params) throws ApiException {
    log.debug("handleApiAction " + name + " " + params.toString());
    ScanPolicy policy;
    int policyId;
    User user = null;
    Context context = null;
    try {
        switch(name) {
            case ACTION_SCAN_AS_USER:
                // These are not mandatory parameters on purpose, to keep the same order
                // of the parameters while having PARAM_URL as (now) optional.
                validateParamExists(params, PARAM_CONTEXT_ID);
                validateParamExists(params, PARAM_USER_ID);
                int userID = ApiUtils.getIntParam(params, PARAM_USER_ID);
                ExtensionUserManagement usersExtension = Control.getSingleton().getExtensionLoader().getExtension(ExtensionUserManagement.class);
                if (usersExtension == null) {
                    throw new ApiException(Type.NO_IMPLEMENTOR, ExtensionUserManagement.NAME);
                }
                context = ApiUtils.getContextByParamId(params, PARAM_CONTEXT_ID);
                if (!context.isIncluded(params.getString(PARAM_URL))) {
                    throw new ApiException(Type.URL_NOT_IN_CONTEXT, PARAM_CONTEXT_ID);
                }
                user = usersExtension.getContextUserAuthManager(context.getIndex()).getUserById(userID);
                if (user == null) {
                    throw new ApiException(Type.USER_NOT_FOUND, PARAM_USER_ID);
                }
            // $FALL-THROUGH$
            case ACTION_SCAN:
                String url = ApiUtils.getOptionalStringParam(params, PARAM_URL);
                if (context == null && params.has(PARAM_CONTEXT_ID) && !params.getString(PARAM_CONTEXT_ID).isEmpty()) {
                    context = ApiUtils.getContextByParamId(params, PARAM_CONTEXT_ID);
                }
                boolean scanJustInScope = context != null ? false : this.getParam(params, PARAM_JUST_IN_SCOPE, false);
                String policyName = null;
                policy = null;
                try {
                    policyName = params.getString(PARAM_SCAN_POLICY_NAME);
                } catch (Exception e1) {
                // Ignore
                }
                try {
                    if (policyName != null && policyName.length() > 0) {
                        // Not specified, use the default one
                        log.debug("handleApiAction scan policy =" + policyName);
                        policy = controller.getPolicyManager().getPolicy(policyName);
                    }
                } catch (ConfigurationException e) {
                    throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_SCAN_POLICY_NAME);
                }
                String method = this.getParam(params, PARAM_METHOD, HttpRequestHeader.GET);
                if (method.trim().length() == 0) {
                    method = HttpRequestHeader.GET;
                }
                if (!Arrays.asList(HttpRequestHeader.METHODS).contains(method)) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_METHOD);
                }
                int scanId = scanURL(url, user, this.getParam(params, PARAM_RECURSE, true), scanJustInScope, method, this.getParam(params, PARAM_POST_DATA, ""), policy, context);
                return new ApiResponseElement(name, Integer.toString(scanId));
            case ACTION_PAUSE_SCAN:
                getActiveScan(params).pauseScan();
                break;
            case ACTION_RESUME_SCAN:
                getActiveScan(params).resumeScan();
                break;
            case ACTION_STOP_SCAN:
                getActiveScan(params).stopScan();
                break;
            case ACTION_REMOVE_SCAN:
                GenericScanner2 activeScan = controller.removeScan(Integer.valueOf(params.getInt(PARAM_SCAN_ID)));
                if (activeScan == null) {
                    throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_SCAN_ID);
                }
                break;
            case ACTION_PAUSE_ALL_SCANS:
                controller.pauseAllScans();
                break;
            case ACTION_RESUME_ALL_SCANS:
                controller.resumeAllScans();
                break;
            case ACTION_STOP_ALL_SCANS:
                controller.stopAllScans();
                break;
            case ACTION_REMOVE_ALL_SCANS:
                controller.removeAllScans();
                break;
            case ACTION_CLEAR_EXCLUDED_FROM_SCAN:
                try {
                    Session session = Model.getSingleton().getSession();
                    session.setExcludeFromScanRegexs(new ArrayList<String>());
                } catch (DatabaseException e) {
                    log.error(e.getMessage(), e);
                    throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
                }
                break;
            case ACTION_EXCLUDE_FROM_SCAN:
                String regex = params.getString(PARAM_REGEX);
                try {
                    Session session = Model.getSingleton().getSession();
                    session.addExcludeFromScanRegexs(regex);
                } catch (DatabaseException e) {
                    log.error(e.getMessage(), e);
                    throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
                } catch (PatternSyntaxException e) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_REGEX);
                }
                break;
            case ACTION_ENABLE_ALL_SCANNERS:
                policy = getScanPolicyFromParams(params);
                policy.getPluginFactory().setAllPluginEnabled(true);
                policy.save();
                break;
            case ACTION_DISABLE_ALL_SCANNERS:
                policy = getScanPolicyFromParams(params);
                policy.getPluginFactory().setAllPluginEnabled(false);
                policy.save();
                break;
            case ACTION_ENABLE_SCANNERS:
                policy = getScanPolicyFromParams(params);
                setScannersEnabled(policy, getParam(params, PARAM_IDS, "").split(","), true);
                policy.save();
                break;
            case ACTION_DISABLE_SCANNERS:
                policy = getScanPolicyFromParams(params);
                setScannersEnabled(policy, getParam(params, PARAM_IDS, "").split(","), false);
                policy.save();
                break;
            case ACTION_SET_ENABLED_POLICIES:
                policy = getScanPolicyFromParams(params);
                setEnabledPolicies(policy, getParam(params, PARAM_IDS, "").split(","));
                policy.save();
                break;
            case ACTION_SET_POLICY_ATTACK_STRENGTH:
                policyId = getPolicyIdFromParamId(params);
                policy = getScanPolicyFromParams(params);
                Plugin.AttackStrength attackStrength = getAttackStrengthFromParamAttack(params);
                for (Plugin scanner : policy.getPluginFactory().getAllPlugin()) {
                    if (scanner.getCategory() == policyId) {
                        scanner.setAttackStrength(attackStrength);
                    }
                }
                policy.save();
                break;
            case ACTION_SET_POLICY_ALERT_THRESHOLD:
                policyId = getPolicyIdFromParamId(params);
                policy = getScanPolicyFromParams(params);
                Plugin.AlertThreshold alertThreshold1 = getAlertThresholdFromParamAlertThreshold(params);
                for (Plugin scanner : policy.getPluginFactory().getAllPlugin()) {
                    if (scanner.getCategory() == policyId) {
                        scanner.setAlertThreshold(alertThreshold1);
                    }
                }
                policy.save();
                break;
            case ACTION_SET_SCANNER_ATTACK_STRENGTH:
                policy = getScanPolicyFromParams(params);
                Plugin scanner = getScannerFromParamId(policy, params);
                scanner.setAttackStrength(getAttackStrengthFromParamAttack(params));
                policy.save();
                break;
            case ACTION_SET_SCANNER_ALERT_THRESHOLD:
                policy = getScanPolicyFromParams(params);
                AlertThreshold alertThreshold2 = getAlertThresholdFromParamAlertThreshold(params);
                getScannerFromParamId(policy, params).setAlertThreshold(alertThreshold2);
                policy.save();
                break;
            case ACTION_ADD_SCAN_POLICY:
                String newPolicyName = params.getString(PARAM_SCAN_POLICY_NAME);
                if (controller.getPolicyManager().getAllPolicyNames().contains(newPolicyName)) {
                    throw new ApiException(ApiException.Type.ALREADY_EXISTS, PARAM_SCAN_POLICY_NAME);
                }
                if (!controller.getPolicyManager().isLegalPolicyName(newPolicyName)) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_SCAN_POLICY_NAME);
                }
                policy = controller.getPolicyManager().getTemplatePolicy();
                policy.setName(newPolicyName);
                setAlertThreshold(policy, params);
                setAttackStrength(policy, params);
                controller.getPolicyManager().savePolicy(policy);
                break;
            case ACTION_REMOVE_SCAN_POLICY:
                // Check it exists
                policy = getScanPolicyFromParams(params);
                if (controller.getPolicyManager().getAllPolicyNames().size() == 1) {
                    // Dont remove the last one
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, "You are not allowed to remove the last scan policy");
                }
                controller.getPolicyManager().deletePolicy(policy.getName());
                break;
            case ACTION_UPDATE_SCAN_POLICY:
                policy = getScanPolicyFromParams(params);
                if (!isParamsChanged(policy, params)) {
                    break;
                }
                updateAlertThreshold(policy, params);
                updateAttackStrength(policy, params);
                controller.getPolicyManager().savePolicy(policy);
                break;
            case ACTION_ADD_EXCLUDED_PARAM:
                int type = getParam(params, PARAM_TYPE, NameValuePair.TYPE_UNDEFINED);
                if (!ScannerParamFilter.getTypes().containsKey(type)) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_TYPE);
                }
                url = getParam(params, PARAM_URL, "*");
                if (url.isEmpty()) {
                    url = "*";
                }
                ScannerParamFilter excludedParam = new ScannerParamFilter(params.getString(PARAM_NAME), type, url);
                List<ScannerParamFilter> excludedParams = new ArrayList<>(controller.getScannerParam().getExcludedParamList());
                excludedParams.add(excludedParam);
                controller.getScannerParam().setExcludedParamList(excludedParams);
                break;
            case ACTION_MODIFY_EXCLUDED_PARAM:
                try {
                    int idx = params.getInt(PARAM_IDX);
                    if (idx < 0 || idx >= controller.getScannerParam().getExcludedParamList().size()) {
                        throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX);
                    }
                    ScannerParamFilter oldExcludedParam = controller.getScannerParam().getExcludedParamList().get(idx);
                    String epName = getParam(params, PARAM_NAME, oldExcludedParam.getParamName());
                    if (epName.isEmpty()) {
                        epName = oldExcludedParam.getParamName();
                    }
                    type = getParam(params, PARAM_TYPE, oldExcludedParam.getType());
                    if (!ScannerParamFilter.getTypes().containsKey(type)) {
                        throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_TYPE);
                    }
                    url = getParam(params, PARAM_URL, oldExcludedParam.getWildcardedUrl());
                    if (url.isEmpty()) {
                        url = "*";
                    }
                    ScannerParamFilter newExcludedParam = new ScannerParamFilter(epName, type, url);
                    if (oldExcludedParam.equals(newExcludedParam)) {
                        break;
                    }
                    excludedParams = new ArrayList<>(controller.getScannerParam().getExcludedParamList());
                    excludedParams.set(idx, newExcludedParam);
                    controller.getScannerParam().setExcludedParamList(excludedParams);
                } catch (JSONException e) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX, e);
                }
                break;
            case ACTION_REMOVE_EXCLUDED_PARAM:
                try {
                    int idx = params.getInt(PARAM_IDX);
                    if (idx < 0 || idx >= controller.getScannerParam().getExcludedParamList().size()) {
                        throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX);
                    }
                    excludedParams = new ArrayList<>(controller.getScannerParam().getExcludedParamList());
                    excludedParams.remove(idx);
                    controller.getScannerParam().setExcludedParamList(excludedParams);
                } catch (JSONException e) {
                    throw new ApiException(ApiException.Type.ILLEGAL_PARAMETER, PARAM_IDX, e);
                }
                break;
            default:
                throw new ApiException(ApiException.Type.BAD_ACTION);
        }
    } catch (ConfigurationException e) {
        throw new ApiException(ApiException.Type.INTERNAL_ERROR, e.getMessage());
    }
    return ApiResponseElement.OK;
}
Also used : AlertThreshold(org.parosproxy.paros.core.scanner.Plugin.AlertThreshold) User(org.zaproxy.zap.users.User) ScannerParamFilter(org.parosproxy.paros.core.scanner.ScannerParamFilter) ArrayList(java.util.ArrayList) ConfigurationException(org.apache.commons.configuration.ConfigurationException) ApiResponseElement(org.zaproxy.zap.extension.api.ApiResponseElement) PatternSyntaxException(java.util.regex.PatternSyntaxException) Context(org.zaproxy.zap.model.Context) JSONException(net.sf.json.JSONException) URIException(org.apache.commons.httpclient.URIException) PatternSyntaxException(java.util.regex.PatternSyntaxException) ApiException(org.zaproxy.zap.extension.api.ApiException) ConfigurationException(org.apache.commons.configuration.ConfigurationException) JSONException(net.sf.json.JSONException) DatabaseException(org.parosproxy.paros.db.DatabaseException) AlertThreshold(org.parosproxy.paros.core.scanner.Plugin.AlertThreshold) ExtensionUserManagement(org.zaproxy.zap.extension.users.ExtensionUserManagement) GenericScanner2(org.zaproxy.zap.model.GenericScanner2) DatabaseException(org.parosproxy.paros.db.DatabaseException) ApiException(org.zaproxy.zap.extension.api.ApiException) Session(org.parosproxy.paros.model.Session) Plugin(org.parosproxy.paros.core.scanner.Plugin)

Example 5 with GenericScanner2

use of org.zaproxy.zap.model.GenericScanner2 in project zaproxy by zaproxy.

the class ActiveScanAPI method handleApiView.

@Override
public ApiResponse handleApiView(String name, JSONObject params) throws ApiException {
    ApiResponse result;
    ActiveScan activeScan = null;
    ScanPolicy policy;
    int categoryId;
    switch(name) {
        case VIEW_STATUS:
            activeScan = getActiveScan(params);
            int progress = 0;
            if (activeScan != null) {
                progress = activeScan.getProgress();
            }
            result = new ApiResponseElement(name, String.valueOf(progress));
            break;
        case VIEW_SCANS:
            ApiResponseList resultList = new ApiResponseList(name);
            for (GenericScanner2 scan : controller.getAllScans()) {
                Map<String, String> map = new HashMap<>();
                map.put("id", Integer.toString(scan.getScanId()));
                map.put("progress", Integer.toString(scan.getProgress()));
                map.put("state", ((ActiveScan) scan).getState().name());
                resultList.addItem(new ApiResponseSet<String>("scan", map));
            }
            result = resultList;
            break;
        case VIEW_SCAN_PROGRESS:
            resultList = new ApiResponseList(name);
            activeScan = getActiveScan(params);
            if (activeScan != null) {
                for (HostProcess hp : activeScan.getHostProcesses()) {
                    ApiResponseList hpList = new ApiResponseList("HostProcess");
                    resultList.addItem(new ApiResponseElement("id", XMLStringUtil.escapeControlChrs(hp.getHostAndPort())));
                    for (Plugin plugin : hp.getCompleted()) {
                        long timeTaken = plugin.getTimeFinished().getTime() - plugin.getTimeStarted().getTime();
                        int reqs = hp.getPluginRequestCount(plugin.getId());
                        if (hp.isSkipped(plugin)) {
                            String skippedReason = hp.getSkippedReason(plugin);
                            if (skippedReason == null) {
                                skippedReason = Constant.messages.getString("ascan.progress.label.skipped");
                            } else {
                                skippedReason = Constant.messages.getString("ascan.progress.label.skippedWithReason", skippedReason);
                            }
                            hpList.addItem(createPluginProgressEntry(plugin, skippedReason, timeTaken, reqs));
                        } else {
                            hpList.addItem(createPluginProgressEntry(plugin, "Complete", timeTaken, reqs));
                        }
                    }
                    for (Plugin plugin : hp.getRunning()) {
                        int pc = hp.getTestCurrentCount(plugin) * 100 / hp.getTestTotalCount();
                        // That might happen if more nodes are being scanned that the ones enumerated at the beginning.
                        if (pc >= 100) {
                            pc = 99;
                        }
                        long timeTaken = new Date().getTime() - plugin.getTimeStarted().getTime();
                        int reqs = hp.getPluginRequestCount(plugin.getId());
                        hpList.addItem(createPluginProgressEntry(plugin, pc + "%", timeTaken, reqs));
                    }
                    for (Plugin plugin : hp.getPending()) {
                        if (hp.isSkipped(plugin)) {
                            String skippedReason = hp.getSkippedReason(plugin);
                            if (skippedReason == null) {
                                skippedReason = Constant.messages.getString("ascan.progress.label.skipped");
                            } else {
                                skippedReason = Constant.messages.getString("ascan.progress.label.skippedWithReason", skippedReason);
                            }
                            hpList.addItem(createPluginProgressEntry(plugin, skippedReason, 0, 0));
                        } else {
                            hpList.addItem(createPluginProgressEntry(plugin, "Pending", 0, 0));
                        }
                    }
                    resultList.addItem(hpList);
                }
            }
            result = resultList;
            break;
        case VIEW_MESSAGES_IDS:
            resultList = new ApiResponseList(name);
            activeScan = getActiveScan(params);
            if (activeScan != null) {
                synchronized (activeScan.getMessagesIds()) {
                    for (Integer id : activeScan.getMessagesIds()) {
                        resultList.addItem(new ApiResponseElement("id", id.toString()));
                    }
                }
            }
            result = resultList;
            break;
        case VIEW_ALERTS_IDS:
            resultList = new ApiResponseList(name);
            activeScan = getActiveScan(params);
            if (activeScan != null) {
                synchronized (activeScan.getAlertsIds()) {
                    for (Integer id : activeScan.getAlertsIds()) {
                        resultList.addItem(new ApiResponseElement("id", id.toString()));
                    }
                }
            }
            result = resultList;
            break;
        case VIEW_EXCLUDED_FROM_SCAN:
            result = new ApiResponseList(name);
            Session session = Model.getSingleton().getSession();
            List<String> regexs = session.getExcludeFromScanRegexs();
            for (String regex : regexs) {
                ((ApiResponseList) result).addItem(new ApiResponseElement("regex", regex));
            }
            break;
        case VIEW_SCANNERS:
            policy = getScanPolicyFromParams(params);
            List<Plugin> scanners = policy.getPluginFactory().getAllPlugin();
            categoryId = getParam(params, PARAM_CATEGORY_ID, -1);
            if (categoryId != -1 && !hasPolicyWithId(categoryId)) {
                throw new ApiException(ApiException.Type.DOES_NOT_EXIST, PARAM_CATEGORY_ID);
            }
            resultList = new ApiResponseList(name);
            for (Plugin scanner : scanners) {
                if (categoryId == -1 || categoryId == scanner.getCategory()) {
                    resultList.addItem(new ScannerApiResponse(policy, scanner));
                }
            }
            result = resultList;
            break;
        case VIEW_POLICIES:
            policy = getScanPolicyFromParams(params);
            String[] policies = Category.getAllNames();
            resultList = new ApiResponseList(name);
            for (String pluginName : policies) {
                categoryId = Category.getCategory(pluginName);
                Plugin.AttackStrength attackStrength = getPolicyAttackStrength(policy, categoryId);
                Plugin.AlertThreshold alertThreshold = getPolicyAlertThreshold(policy, categoryId);
                Map<String, String> map = new HashMap<>();
                map.put("id", String.valueOf(categoryId));
                map.put("name", pluginName);
                map.put("attackStrength", attackStrength == null ? "" : String.valueOf(attackStrength));
                map.put("alertThreshold", alertThreshold == null ? "" : String.valueOf(alertThreshold));
                map.put("enabled", String.valueOf(isPolicyEnabled(policy, categoryId)));
                resultList.addItem(new ApiResponseSet<String>("policy", map));
            }
            result = resultList;
            break;
        case VIEW_SCAN_POLICY_NAMES:
            resultList = new ApiResponseList(name);
            for (String policyName : controller.getPolicyManager().getAllPolicyNames()) {
                resultList.addItem(new ApiResponseElement("policy", policyName));
            }
            result = resultList;
            break;
        case VIEW_ATTACK_MODE_QUEUE:
            result = new ApiResponseElement(name, String.valueOf(controller.getAttackModeStackSize()));
            break;
        case VIEW_OPTION_EXCLUDED_PARAM_LIST:
        case VIEW_EXCLUDED_PARAMS:
            resultList = new ApiResponseList(name);
            List<ScannerParamFilter> excludedParams = controller.getScannerParam().getExcludedParamList();
            for (int i = 0; i < excludedParams.size(); i++) {
                resultList.addItem(new ExcludedParamApiResponse(excludedParams.get(i), i));
            }
            result = resultList;
            break;
        case VIEW_EXCLUDED_PARAM_TYPES:
            resultList = new ApiResponseList(name);
            for (Entry<Integer, String> type : ScannerParamFilter.getTypes().entrySet()) {
                Map<String, String> typeData = new HashMap<>();
                typeData.put("id", Integer.toString(type.getKey()));
                typeData.put("name", type.getValue());
                resultList.addItem(new ApiResponseSet<String>("type", typeData));
            }
            result = resultList;
            break;
        default:
            throw new ApiException(ApiException.Type.BAD_VIEW);
    }
    return result;
}
Also used : AlertThreshold(org.parosproxy.paros.core.scanner.Plugin.AlertThreshold) HashMap(java.util.HashMap) ScannerParamFilter(org.parosproxy.paros.core.scanner.ScannerParamFilter) ApiResponse(org.zaproxy.zap.extension.api.ApiResponse) ApiResponseElement(org.zaproxy.zap.extension.api.ApiResponseElement) ApiResponseList(org.zaproxy.zap.extension.api.ApiResponseList) Date(java.util.Date) HostProcess(org.parosproxy.paros.core.scanner.HostProcess) GenericScanner2(org.zaproxy.zap.model.GenericScanner2) Plugin(org.parosproxy.paros.core.scanner.Plugin) Session(org.parosproxy.paros.model.Session) ApiException(org.zaproxy.zap.extension.api.ApiException)

Aggregations

ApiException (org.zaproxy.zap.extension.api.ApiException)6 GenericScanner2 (org.zaproxy.zap.model.GenericScanner2)6 Session (org.parosproxy.paros.model.Session)4 ApiResponseElement (org.zaproxy.zap.extension.api.ApiResponseElement)4 ArrayList (java.util.ArrayList)3 DatabaseException (org.parosproxy.paros.db.DatabaseException)3 HashMap (java.util.HashMap)2 PatternSyntaxException (java.util.regex.PatternSyntaxException)2 JSONException (net.sf.json.JSONException)2 Plugin (org.parosproxy.paros.core.scanner.Plugin)2 AlertThreshold (org.parosproxy.paros.core.scanner.Plugin.AlertThreshold)2 ScannerParamFilter (org.parosproxy.paros.core.scanner.ScannerParamFilter)2 ApiResponse (org.zaproxy.zap.extension.api.ApiResponse)2 ApiResponseList (org.zaproxy.zap.extension.api.ApiResponseList)2 ExtensionUserManagement (org.zaproxy.zap.extension.users.ExtensionUserManagement)2 Context (org.zaproxy.zap.model.Context)2 User (org.zaproxy.zap.users.User)2 Date (java.util.Date)1 HashSet (java.util.HashSet)1 List (java.util.List)1