api-tester 0.1.0 → 1.1.1

data/lib/api-tester/modules/injection_module.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+require 'injection_vulnerability_library'
+
+module ApiTester
+  # Tests injection cases
+  module InjectionModule
+    def self.go(contract)
+      reports = []
+      contract.endpoints.each do |endpoint|
+        endpoint.methods.each do |method|
+          reports.concat inject_payload contract.base_url, endpoint, method
+        end
+      end
+      reports
+    end
+
+    def self.inject_payload(base_url, endpoint, method)
+      reports = []
+      sql_injections = InjectionVulnerabilityLibrary.sql_vulnerabilities
+
+      method.request.fields.each do |field|
+        sql_injections.each do |injection|
+          injection_value = "#{field.default_value}#{injection}"
+          payload = method.request.altered_payload field_name: field.name,
+                                                   value: injection_value
+          response = endpoint.call base_url: base_url,
+                                   method: method,
+                                   payload: payload,
+                                   headers: method.request.default_headers
+          next if check_response(response, endpoint)
+
+          reports << InjectionReport.new('sql',
+                                         endpoint.url,
+                                         payload,
+                                         response)
+        end
+      end
+
+      reports
+    end
+
+    def self.check_response(response, endpoint)
+      response.code == 200 || check_error(response, endpoint)
+    end
+
+    def self.check_error(response, endpoint)
+      evaluator = ApiTester::ResponseEvaluator.new(
+        actual_body: response.body,
+        expected_fields: endpoint.bad_request_response
+      )
+      missing_fields = evaluator.missing_fields
+      extra_fields = evaluator.extra_fields
+      response.code == endpoint.bad_request_response.code &&
+        missing_fields.size.zero? && extra_fields.size.zero?
+    end
+  end
+end
+
+# Report for InjectionModule
+class InjectionReport
+  attr_accessor :injection_type
+  attr_accessor :url
+  attr_accessor :payload
+  attr_accessor :response
+
+  def initialize(injection_type, url, payload, response)
+    self.injection_type = injection_type
+    self.url = url
+    self.payload = payload
+    self.response = response
+  end
+
+  def print
+    puts "Found potential #{injection_type}: "
+    puts "   Requested #{url} with payload:"
+    puts "      #{payload}"
+    puts '   Received: '
+    puts "      #{response}"
+  end
+end

data/lib/api-tester/modules/required_fields.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module ApiTester
+  # Ensures the fields marked as required in contract are guarded
+  module RequiredFields
+    def self.go(contract)
+      reports = []
+      contract.endpoints.each do |endpoint|
+        endpoint.methods.each do |method|
+          request_def = method.request
+          required_fields = request_def.fields.keep_if(&:required)
+          combinations = (1..required_fields.size).flat_map { |size| required_fields.combination(size).to_a }
+          combinations.each do |remove_fields|
+            fields = remove_fields.map do |field|
+              { name: field.name, value: nil }
+            end
+            payload = request_def.altered_payload_with fields
+            response = endpoint.call base_url: contract.base_url,
+                                     method: method,
+                                     payload: payload,
+                                     headers: request_def.default_headers
+            test = RequiredFieldsTest.new response: response,
+                                          payload: payload,
+                                          expected_response: endpoint.bad_request_response,
+                                          url: endpoint.url,
+                                          verb: method.verb
+            reports.concat test.check
+          end
+        end
+      end
+
+      reports
+    end
+
+    def self.order
+      5
+    end
+  end
+
+  # Test layout used for RequiredFieldsModule
+  class RequiredFieldsTest < MethodCaseTest
+    def initialize(response:, payload:, expected_response:, url:, verb:)
+      super response: response,
+            payload: payload,
+            expected_response: expected_response,
+            url: url,
+            verb: verb,
+            module_name: 'RequiredFieldsModule'
+    end
+  end
+end

data/lib/api-tester/modules/server_information.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module ApiTester
+  # Module for ensuring the server isn't broadcasting information about itself
+  module ServerInformation
+    def self.go(contract)
+      reports = []
+      endpoint = contract.endpoints[0]
+      response = endpoint.default_call contract.base_url
+
+      %i[server x_powered_by x_aspnetmvc_version x_aspnet_version].each do |key|
+        if response.headers[key]
+          reports << ServerBroadcastReport.new(response.headers[key],
+                                               key)
+        end
+      end
+
+      reports
+    end
+
+    def self.order
+      10
+    end
+  end
+end
+
+# Report used by module
+class ServerBroadcastReport
+  attr_accessor :server_info
+  attr_accessor :server_key
+
+  def initialize(server_info, server_key)
+    self.server_info = server_info
+    self.server_key = server_key
+  end
+
+  def print
+    puts 'Found server information being broadcast in headers:'
+    puts "   #{server_info}"
+    puts "     as #{server_key}"
+  end
+end

data/lib/api-tester/modules/typo.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require 'api-tester/reporter/status_code_report'
+require 'api-tester/util/supported_verbs'
+
+module ApiTester
+  # Module checking various not found scenarios
+  module Typo
+    def self.go(contract)
+      reports = []
+
+      contract.endpoints.each do |endpoint|
+        allowances(endpoint).each do
+          reports.concat check_typo_url(contract.base_url, endpoint)
+        end
+      end
+
+      reports
+    end
+
+    def self.check_typo_url(base_url, endpoint)
+      bad_url = "#{endpoint.url}gibberishadsfasdf"
+      bad_endpoint = ApiTester::Endpoint.new name: 'Bad URL',
+                                             relative_url: bad_url
+      typo_case = BoundaryCase.new description: 'Typo URL check',
+                                   payload: {},
+                                   headers: {}
+      method = ApiTester::Method.new verb: ApiTester::SupportedVerbs::GET,
+                                     response: ApiTester::Response.new(
+                                       status_code: 200
+                                     ),
+                                     request: ApiTester::Request.new
+      response = bad_endpoint.call base_url: base_url,
+                                   method: method,
+                                   payload: typo_case.payload,
+                                   headers: typo_case.headers
+
+      test = TypoClass.new response,
+                           typo_case.payload,
+                           endpoint.not_found_response,
+                           bad_url,
+                           ApiTester::SupportedVerbs::GET
+      test.check
+    end
+
+    def self.allowances(endpoint)
+      allowances = []
+      endpoint.methods.each do |method|
+        allowances << method.verb
+      end
+      allowances.uniq
+    end
+
+    def self.order
+      4
+    end
+  end
+
+  # Test layout for TypoModule
+  class TypoClass < MethodCaseTest
+    def initialize(response, payload, expected_response, url, verb)
+      super response: response,
+            payload: payload,
+            expected_response: expected_response,
+            url: url,
+            verb: verb,
+            module_name: 'TypoModule'
+    end
+  end
+end

data/lib/api-tester/modules/unexpected_fields.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require 'pry'
+
+module ApiTester
+  # Module checking nothing shows up in response which is not defined in contract
+  module UnexpectedFields
+    def self.go(contract)
+      reports = []
+
+      contract.endpoints.each do |endpoint|
+        endpoint.methods.each do |method|
+          default_case = BoundaryCase.new description: endpoint.url,
+                                          payload: method.request.default_payload,
+                                          headers: method.request.default_headers
+          response = endpoint.call base_url: contract.base_url,
+                                   method: method,
+                                   payload: default_case.payload,
+                                   headers: default_case.headers
+          test = UnexpectedFieldsTest.new response, endpoint.url, method
+          reports.concat test.check
+        end
+      end
+      reports
+    end
+
+    def self.order
+      90
+    end
+  end
+
+  # Test layout for UnexpectedFields module
+  class UnexpectedFieldsTest < MethodCaseTest
+    def initialize(response, url, method)
+      super response: response,
+            payload: method.request.default_payload,
+            expected_response: method.expected_response,
+            url: url,
+            verb: method.verb,
+            module_name: 'UnexpectedFieldsModule'
+    end
+
+    def check
+      evaluator = ApiTester::ResponseEvaluator.new actual_body: json_parse(response.body),
+                                                   expected_fields: expected_response
+      response_fields = evaluator.response_field_array
+      expected_fields = evaluator.expected_fields
+      increment_fields evaluator.seen_fields
+      extra = response_fields - expected_fields
+      extra.each do |extra_field|
+        report = Report.new description: "UnexpectedFieldsModule - Found unexpected field #{extra_field}",
+                            url: url,
+                            request: payload,
+                            expected_response: expected_response,
+                            actual_response: response
+        reports << report
+      end
+      reports
+    end
+  end
+end

data/lib/api-tester/modules/unused_fields.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'api-tester/reporter/missing_field_report'
+
+module ApiTester
+  # Ensures all fields defined in contract are returned during test suite
+  module UnusedFields
+    def self.go(contract)
+      reports = []
+
+      contract.endpoints.each do |endpoint|
+        endpoint.methods.each do |method|
+          method.expected_response.body.each do |field|
+            next unless field.is_seen.zero?
+
+            reports << MissingFieldReport.new(url: endpoint.url,
+                                              verb: method.verb,
+                                              expected_field: field.name,
+                                              description: 'UnusedFieldsModule')
+          end
+        end
+      end
+
+      reports
+    end
+
+    def self.order
+      99
+    end
+  end
+end

data/lib/api-tester/reporter/api_report.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'api-tester/reporter/report'
+
+module ApiTester
+  # class for dealing with reports generated by the modules during test suite
+  class ApiReport
+    attr_accessor :reports
+
+    def initialize
+      self.reports = []
+    end
+
+    def add_new(url:, request:, expected_response:, actual_response:, description: 'case')
+      report = Report.new description,
+                          url,
+                          request,
+                          expected_response,
+                          actual_response
+      reports << report
+    end
+
+    def add_new_report(report)
+      reports << report
+    end
+
+    def add_reports(reports)
+      reports.each do |report|
+        add_new_report(report)
+      end
+    end
+
+    def print
+      if reports.size.zero?
+        puts 'No issues found'
+      else
+        puts "Issues discovered: #{reports.size}"
+        reports.each do |report|
+          report.print
+          puts '\n'
+          puts '\n'
+        end
+        puts "Total issues: #{reports.size}"
+      end
+    end
+  end
+end

data/lib/api-tester/reporter/missing_field_report.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module ApiTester
+  # Report used for when response is missing a field
+  class MissingFieldReport
+    attr_accessor :url
+    attr_accessor :verb
+    attr_accessor :expected_field
+    attr_accessor :description
+
+    def initialize(url:, verb:, expected_field:, description:)
+      self.url = url
+      self.verb = verb
+      self.expected_field = expected_field
+      self.description = description
+    end
+
+    def print
+      puts "#{description}:"
+      puts "   #{verb} #{url} is missing response field:"
+      puts "      #{expected_field}"
+    end
+  end
+end

data/lib/api-tester/reporter/report.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module ApiTester
+  # Standard report format for differing responses
+  class Report
+    attr_accessor :description
+    attr_accessor :url
+    attr_accessor :request
+    attr_accessor :expected_response
+    attr_accessor :actual_response
+
+    def initialize(description:, url:, request:, expected_response:, actual_response:)
+      self.description = description
+      self.url = url
+      self.request = request
+      self.expected_response = expected_response
+      self.actual_response = actual_response
+    end
+
+    def print
+      puts "#{description}: "
+      puts "   Requested #{url} with payload:"
+      puts "      #{request.to_json}"
+      puts '   Expecting: '
+      puts '      ' + expected_response.to_s
+      puts '   Receiving: '
+      puts "      #{actual_response}"
+    end
+  end
+end