Fix issue 25

Draft Fix issue 25
wapiti-scanner · Aug 22, 2024 · 85097cb · 85097cb
1 parent 43037a0
commit 85097cb
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 16 deletions.
diff --git a/tests/parsers/test_swagger_parser.py b/tests/parsers/test_swagger_parser.py
@@ -76,18 +76,18 @@ def test_swagger_file_complexe():
     request_get.set_headers({'X-Request-Id': 'default'})
 
     params = '{"name": "default", "description": "default", "expires_at": "1337", "access": [{"resource": "default", "action": "default", "effect": "default"}]}'
-    request_post = Request("https://fakeSwagger.fr/api/v2.0/projects/default/robots", "POST", post_params=params, file_params=[])
+    request_post = Request("https://fakeSwagger.fr/api/v2.0/projects/default/robots", "POST", post_params=params, file_params=[], enctype="application/json")
     request_post.set_headers({'X-Request-Id': 'default'})
 
     request_delete = Request("https://fakeSwagger.fr/api/v2.0/users/1337", "DELETE", post_params="", file_params=[])
     request_delete.set_headers({'X-Request-Id': 'default'})
 
-    params = '{"id": "1337", "name": "default", "description": "default", "color": "default", "scope": "default", "project_id": "1337", "creation_time": "default", "update_time": "default"}'
-    request_put = Request("https://fakeSwagger.fr/api/v2.0/labels/1337", "PUT", post_params=params, file_params=[])
+    params = '{"id": "1337", "name": "default", "description": "default", "color": "default", "scope": "default", "project_id": "1337", "creation_time": "2024-08-16T16:03:08", "update_time": "2024-08-16T16:03:08"}'
+    request_put = Request("https://fakeSwagger.fr/api/v2.0/labels/1337", "PUT", post_params=params, file_params=[], enctype="application/json")
     request_put.set_headers({'X-Request-Id': 'default'})
 
     params = '{"id": "1337", "vendor_type": "default", "vendor_id": "1337", "status": "default", "status_message": "default", "metrics": {"task_count": "1337", "success_task_count": "1337", "error_task_count": "1337", "pending_task_count": "1337", "running_task_count": "1337", "scheduled_task_count": "1337", "stopped_task_count": "1337"}, "trigger": "default", "extra_attrs": {}, "start_time": "default", "end_time": "default"}'
-    request_patch = Request("https://fakeSwagger.fr/api/v2.0/projects/default/preheat/policies/default/executions/1337", "PATCH", post_params=params, file_params=[]) 
+    request_patch = Request("https://fakeSwagger.fr/api/v2.0/projects/default/preheat/policies/default/executions/1337", "PATCH", post_params=params, file_params=[], enctype="application/json")
     request_patch.set_headers({'X-Request-Id': 'default'})
 
     list_request = [request_header, request_get, request_post, request_delete, request_put, request_patch]
@@ -128,15 +128,16 @@ def test_openapi_file():
 
     request_delete = Request("https://fake.openapi.fr/v1/AdministrationSettings/MailAccount?id=1337", "DELETE", post_params="", file_params=[])
 
-    request_put = Request("https://fake.openapi.fr/v1/Alarms/1337", "PUT", post_params="", file_params=[])
+    params = '{"alarmState": "default", "confirmingUserName": "default", "confirmingDateTime": "2024-08-16T16:03:08", "confirmingNote": "default"}'
+    request_put = Request("https://fake.openapi.fr/v1/Alarms/1337", "PUT", post_params=params, file_params=[], enctype= "application/json")
 
-    params = '{"active": "true", "userName": "default", "emailAddress": "default", "role": "1337", "networksVisibility": "true"}'
-    request_put = Request("https://fake.openapi.fr/v1/AdministrationSettings/GroupUsers", "PUT", post_params=params, file_params=[])
+    params = '{"active": true, "userName": "default", "emailAddress": "default", "role": "1337", "networksVisibility": true}'
+    request_put2 = Request("https://fake.openapi.fr/v1/AdministrationSettings/GroupUsers", "PUT", post_params=params, file_params=[], enctype= "application/json")
 
-    params = '{"active": "true", "userName": "default", "emailAddress": "default", "role": "1337", "networksVisibility": "true"}'
-    request_patch = Request("https://fake.openapi.fr/v1/AdministrationSettings/GroupUsers", "PATCH", post_params=params, file_params=[])
+    params = '{"active": true, "userName": "default", "emailAddress": "default", "role": "1337", "networksVisibility": true}'
+    request_patch = Request("https://fake.openapi.fr/v1/AdministrationSettings/GroupUsers", "PATCH", post_params=params, file_params=[], enctype= "application/json")
 
-    list_request = [request_get, request_post, request_delete, request_put, request_patch]
+    list_request = [request_get, request_post, request_delete, request_patch, request_put, request_put2]
     requests = page.get_requests()
 
     for item in list_request:

diff --git a/wapitiCore/net/crawler.py b/wapitiCore/net/crawler.py
@@ -335,6 +335,10 @@ async def async_request(
         @rtype: Response
         """
         form_headers = {}
+
+        if not form.is_multipart:
+            form_headers = {"Content-Type": form.enctype}
+
         if isinstance(headers, dict) and headers:
             form_headers.update(headers)
 

diff --git a/wapitiCore/net/web.py b/wapitiCore/net/web.py
@@ -316,7 +316,7 @@ def __init__(
             self._method = method
 
         self._enctype = ""
-        if self._method == "POST":
+        if self._method in ["POST", "PUT", "PATCH"]:
             if enctype:
                 self._enctype = enctype.lower().strip()
             else:

diff --git a/wapitiCore/parsers/swagger.py b/wapitiCore/parsers/swagger.py
@@ -26,15 +26,17 @@
 from wapitiCore.net import Request
 from wapitiCore.main.log import logging
 
+
 class Swagger:
     AUTOFILL_VALUES = {
         "file": ("pix.gif", b"GIF89a", "image/gif"),
         "integer": "1337",
         "number": "13.37",
         "string": "default",
         "time": "13:37",
+        "date-time": "2024-08-16T16:03:08",
         "url": "https://wapiti-scanner.github.io/",
-        "boolean": "true",
+        "boolean": True,
         "object": {},
     }
 
@@ -138,7 +140,10 @@ def _parse_object(self, model_name):
                                 ref = self._check_properties(model_name[key]['items'])
                                 model[key]["array"] = self._parse_object(ref)
                     else:
-                        model[key] = model_name[key]['type']
+                        if 'format' in model_name[key] and 'date-time' in model_name[key]['format']:
+                            model[key] = model_name[key]['format']
+                        else:
+                            model[key] = model_name[key]['type']
                 else:
                     model[key] = model_name[key]
             except ValueError as e:
@@ -215,6 +220,8 @@ def _get_routes(self, swagger_dict: dict, base_url: str) -> dict:
                         request_route['params'] = []
                         if 'requestBody' in params:
                             request_route['params'] += self._check_params(params['requestBody']['content'])
+                        if 'parameters' in params:
+                            request_route['params'] += self._check_params(params['parameters'])
                         request_route['params'] += self._check_params(params)
                         request[route].append(request_route)
                     else:
@@ -246,7 +253,8 @@ def _get_parameters(self, swagger_dict: dict, route: str, url: str) -> list:
             for path in swagger_dict['paths']:
                 if route == path:
                     if 'parameters' in swagger_dict['paths'][path][method]:
-                        return swagger_dict['paths'][path][method]['parameters']
+                        if 'requestBody' not in swagger_dict['paths'][path][method]:
+                            return swagger_dict['paths'][path][method]['parameters']
                     return swagger_dict['paths'][path][method]
             return None
         except KeyError as e:
@@ -283,7 +291,10 @@ def _transform_query(self, route: str, param: dict, option: str):
             elif 'array' in param['type']:
                 option += self.AUTOFILL_VALUES[param['type']['array']]
             else:
-                option += self.AUTOFILL_VALUES[param['type']]
+                if isinstance(self.AUTOFILL_VALUES[param['type']], bool):
+                    option += str(self.AUTOFILL_VALUES[param['type']])
+                else:
+                    option += self.AUTOFILL_VALUES[param['type']]
         elif "in" in param:
             if param['in'] == "query":
                 if self.swagger_dict['basePath']:
@@ -309,6 +320,7 @@ def _transform_query(self, route: str, param: dict, option: str):
 
         return option
 
+
     def _transform_url(self, param: dict, url: str, route: str) -> str:
         name = param['name']
         if "{" in url:
@@ -372,6 +384,8 @@ def _create_request(self, routes: dict) -> list[Request]:
                     if 'in' in param:
                         if param['in'] == "path":
                             url = self._transform_url(param, url, route)
+                            if 'model' in param:
+                                data = self._transform_body(param)
                         elif param['in'] == "query":
                             option = self._transform_query(route, param, option)
                         elif param['in'] == "body" and 'model' in param:
@@ -382,7 +396,8 @@ def _create_request(self, routes: dict) -> list[Request]:
                             if not 'type' in param:
                                 param["type"] = "string"
                             header[param['name']] = self.AUTOFILL_VALUES[param['type']]
-            request = Request(path=url+option, method=urls[0]['method'], post_params=data, file_params=files)
+            request = Request(path=url+option, method=urls[0]['method'], post_params=data, file_params=files,
+                              enctype="application/json")
             request.set_headers(header)
             requests_list.append(request)
         return requests_list