api-tester 0.3.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 52c7685df4c907ec1841e6b73414281b003670bb
-  data.tar.gz: 4d277569d088a704d840ad7e6c187bee4eeb0629
+  metadata.gz: 9f452ab5e2f25081c381aa5dc6d7ccbdfdd6608a
+  data.tar.gz: 7163a87ef8dc52d647c38c07d7fe2c1e4229c655
 SHA512:
-  metadata.gz: 9ea181c7075b97cad1fbfbdfa235a0ab2fcda488a7bdc99efbe981b4bee6cbf69ec98c3024d6cb5cf321004b4bb2e2b4558ca611f9f5fc5628306cdad5dbf541
-  data.tar.gz: d9ad6635b7521e596478c47bea98ceb5c778a18b12a3bb33f5bb50941ec60cf70aaf7f8c90b2ba8e25581ddcf4f85cec93b5da9c0d963cebff67522b85577cc1
+  metadata.gz: 99de80ccecd3293437b1b994608288d57da394d096dc1ca828b47b4b416907dd2b7b32cf2441cf035a1142efc47de9fe55d921b63246c8624fdffcaafa9b2b68
+  data.tar.gz: 18def5e09e3080fc1b6806cf2d98f497bd1cd228f4b5225c39144c325ad7a726d64aa2373a7628b0e11e3da13686681ad5e1ad46bfc1cff1c15e96cde3b18c6c

data/README.md

@@ -8,6 +8,9 @@ for prime time! To isolate your project from the changes, be sure to specify whi
 This gem is intended to enable easy creation of tests for
 RESTful API services when given a contract.
 
+When using, be sure to follow the documentation for the version of the gem you use. The documentation below
+relates to the unpublished gem version actively under development
+
 Check out [API Tester Example](https://github.com/araneforseti/example_api-tester) for an example in action
 
 # Feature Plan
@@ -73,9 +76,9 @@ stable release
 
 Define your contract and endpoints using
 ```ruby
-require 'api-tester/definition/api_contract'
+require 'api-tester/definition/contract'
 require 'api-tester/definition/endpoint'
-contract = ApiTester::ApiContract.new "API Name"
+contract = ApiTester::Contract.new "API Name"
 endpoint = ApiTester::Endpoint.new "Some name which is currently unused", "http://yourbase.com/api/endpoint"
 ```
 
@@ -108,7 +111,7 @@ request = ApiTester::Request.new.add_field(ApiTester::Field.new "fieldName")
 expected_response = ApiTester::Response.new(200).add_field(ApiTester::Field.new "fieldName")
 endpoint = ApiTester::Endpoint.new "Unused Name", "http://yourbase.com/api/endpoint"
 endpoint.add_method ApiTester::SupportedVerbs::GET, expected_response, request
-contract = ApiContract.new "API Name"
+contract = Contract.new "API Name"
 contract.add_endpoint endpoint
 config = ApiTester::Config().with_module(Format.new)
 expect(ApiTester.go(contract, config)).to be true
@@ -169,9 +172,10 @@ Do you want to do something with the definition which this gem currently does no
 You can create your own test module and add it to the config instance class!
 Just make sure it adheres to the following interface:
 ```ruby
-module Name
-  def self.go contract, reports
-    # Your test code here - the reports object is where the reports are all stored
+module CustomModule
+  def self.go contract
+    # Your test code here    
+    # the contract object is the full definition created
   end
 
   def self.order
@@ -179,6 +183,8 @@ module Name
     # Otherwise this can just be any number
   end
 end  
+
+config.with_module(CustomModule)
 ```
 
 # Reporting
@@ -186,10 +192,10 @@ Right now the default reporting mechanism prints out to
 the console all the issues which were found. You can
 create your own reporting class (so long as it responds
 to the same methods) or just extend the current one and
-override the print method. Then set the tester's report
-tool:
+override the print method. Then set the report
+tool in the config:
 ```ruby
-tester.with_reporter(new_reporter)
+config.with_reporter(new_reporter)
 ```
 
 # Development

data/api-tester.gemspec

@@ -34,6 +34,8 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rake", "~> 10.0"
   spec.add_development_dependency "rspec", "~> 3.0"
   spec.add_development_dependency "webmock", "~> 3.4"
+  spec.add_development_dependency "pry", "~> 0.11"
 
   spec.add_runtime_dependency "rest-client", "~> 2.0"
+  spec.add_runtime_dependency "injection_vulnerability_library", "0.0.2"
 end

data/changelog.txt

@@ -1,3 +1,10 @@
+0.3.1
+
+- Adding ability to change headers for request objects
+- Removing the reports from the sub modules and making them just return their reports
+- Adjusted modules to use the full contract instead of endpoints
+- Created module to check for server information being broadcast
+
 0.3.0
 
 - Making modules actually be modules

data/lib/api-tester.rb

@@ -1,11 +1,9 @@
 module ApiTester
-  def self.go definition, config
+  def self.go contract, config
     reporter = config.reporter
 
-    definition.endpoints.each do |endpoint|
-      config.modules.sort_by{ |mod| mod.order }.each do |mod|
-        mod.go endpoint, reporter
-      end
+    config.modules.sort_by{ |mod| mod.order }.each do |mod|
+      reporter.add_reports mod.go contract
     end
 
     reporter.print

data/lib/api-tester/definition/{api_contract.rb → contract.rb}

@@ -1,5 +1,5 @@
 module ApiTester
-  class ApiContract
+  class Contract
     attr_accessor :name
     attr_accessor :endpoints
 

data/lib/api-tester/definition/endpoint.rb

@@ -1,7 +1,8 @@
 require 'api-tester/definition/response'
-require 'api-tester/definition/api_method'
+require 'api-tester/definition/method'
 require 'api-tester/test_helper'
 require 'rest-client'
+require 'json'
 
 module ApiTester
   class Endpoint
@@ -33,10 +34,23 @@ module ApiTester
       temp_url
     end
 
+    def default_call
+      self.test_helper.before
+      method_defaults = self.methods[0].default_request
+      method_defaults[:url] = self.url
+      begin
+        response = RestClient::Request.execute(method_defaults)
+      rescue RestClient::ExceptionWithResponse => e
+        response = e.response
+      end
+      self.test_helper.after
+      response
+    end
+
     def call method, payload={}, headers={}
       self.test_helper.before
       begin
-        response = RestClient::Request.execute(method: method.verb, url: self.url, payload: payload, headers: headers)
+        response = RestClient::Request.execute(method: method.verb, url: self.url, payload: payload.to_json, headers: headers)
       rescue RestClient::ExceptionWithResponse => e
         response = e.response
       end
@@ -45,7 +59,7 @@ module ApiTester
     end
 
     def add_method verb, response, request=Request.new()
-      self.methods << ApiTester::ApiMethod.new(verb, response, request)
+      self.methods << ApiTester::Method.new(verb, response, request)
       self
     end
 

data/lib/api-tester/definition/{api_method.rb → method.rb}

@@ -1,5 +1,5 @@
 module ApiTester
-  class ApiMethod
+  class Method
     attr_accessor :request
     attr_accessor :expected_response
     attr_accessor :verb
@@ -9,5 +9,9 @@ module ApiTester
       self.request = request
       self.expected_response = response
     end
+
+    def default_request
+      {:method => self.verb, :payload => request.default_payload, :headers => request.default_headers}
+    end
   end
 end

data/lib/api-tester/definition/request.rb

@@ -28,7 +28,7 @@ module ApiTester
     end
 
     def default_headers
-      {content_type: :json, accept: :json}
+      self.headers || {content_type: :json, accept: :json}
     end
 
     def cases

data/lib/api-tester/modules/extra_verbs.rb

@@ -2,18 +2,21 @@
 
 module ApiTester
   module ExtraVerbs
-    def self.go(endpoint, report)
+    def self.go contract
       reports = []
-      extras = ApiTester::SupportedVerbs.all - endpoint.verbs
-      extras.each do |verb|
-        verb_case = BoundaryCase.new("Verb check with #{verb} for #{endpoint.name}", {}, {})
-        method = ApiTester::ApiMethod.new verb, ApiTester::Response.new, ApiTester::Request.new
-        response = endpoint.call method, verb_case.payload, verb_case.headers
-        test = VerbClass.new response, verb_case.payload, endpoint.not_allowed_response, endpoint.url, verb
-        reports.concat test.check
+
+      contract.endpoints.each do |endpoint|
+        extras = ApiTester::SupportedVerbs.all - endpoint.verbs
+        extras.each do |verb|
+          verb_case = BoundaryCase.new("Verb check with #{verb} for #{endpoint.name}", {}, {})
+          method = ApiTester::Method.new verb, ApiTester::Response.new, ApiTester::Request.new
+          response = endpoint.call method, verb_case.payload, verb_case.headers
+          test = VerbClass.new response, verb_case.payload, endpoint.not_allowed_response, endpoint.url, verb
+          reports.concat test.check
+        end
       end
-      report.reports.concat reports
-      reports == []
+
+      reports
     end
 
     def self.order

data/lib/api-tester/modules/format.rb

@@ -3,19 +3,20 @@ require 'api-tester/method_case_test'
 
 module ApiTester
   class Format
-    def self.go definition, report
+    def self.go contract
       reports = []
-      definition.methods.each do |method|
-        cases = method.request.cases
-        cases.each do |format_case|
-          response = definition.call method, format_case.payload, format_case.headers
-          test = FormatTest.new response, format_case.payload, definition.bad_request_response, definition.url, method.verb
-          reports.concat test.check
+      contract.endpoints.each do |endpoint|
+        endpoint.methods.each do |method|
+          cases = method.request.cases
+          cases.each do |format_case|
+            response = endpoint.call method, format_case.payload, format_case.headers
+            test = FormatTest.new response, format_case.payload, endpoint.bad_request_response, endpoint.url, method.verb
+            reports.concat test.check
+          end
         end
       end
 
-      report.reports.concat reports
-      reports == []
+      reports
     end
 
     def self.order

data/lib/api-tester/modules/good_case.rb

@@ -3,22 +3,23 @@ require 'api-tester/method_case_test'
 
 module ApiTester
   class GoodCase
-      def self.go endpoint, report
-          reports = []
-          endpoint.methods.each do |method|
-              default_case = BoundaryCase.new endpoint.url, method.request.default_payload, method.request.default_headers
-              response = endpoint.call method, default_case.payload, default_case.headers
-              test = GoodCaseTest.new response, endpoint.url, method
-              reports.concat test.check
-          end
+    def self.go contract
+      reports = []
 
-          report.reports.concat reports
-          reports == []
+      contract.endpoints.each do |endpoint|
+        endpoint.methods.each do |method|
+          default_case = BoundaryCase.new endpoint.url, method.request.default_payload, method.request.default_headers
+          response = endpoint.call method, default_case.payload, default_case.headers
+          test = GoodCaseTest.new response, endpoint.url, method
+          reports.concat test.check
+        end
       end
+      reports
+    end
 
-      def self.order
-          1
-      end
+    def self.order
+        1
+    end
   end
 
 

data/lib/api-tester/modules/injection_module.rb

@@ -0,0 +1,66 @@
+require "injection_vulnerability_library"
+
+module ApiTester
+  module InjectionModule
+    def self.go contract
+      reports = []
+      contract.endpoints.each do |endpoint|
+        endpoint.methods.each do |method|
+          reports.concat inject_payload endpoint, method
+        end
+      end
+      reports
+    end
+
+    def self.inject_payload endpoint, method
+      reports = []
+      sql_injections = InjectionVulnerabilityLibrary.sql_vulnerabilities
+
+      method.request.fields.each do |field|
+        sql_injections.each do |injection|
+          injection_value = "#{field.default_value}#{injection}"
+          payload = method.request.altered_payload(field.name, injection_value)
+          response = endpoint.call method, payload, method.request.default_headers          
+          if(!check_response(response, endpoint)) then
+            reports << InjectionReport.new("sql", endpoint.url, payload, response)
+          end
+        end
+      end
+
+      reports
+    end
+
+    def self.check_response(response, endpoint)
+      response.code == 200 || check_error(response, endpoint)
+    end
+
+    def self.check_error response, endpoint
+      evaluator = ApiTester::ResponseEvaluator.new response.body, endpoint.bad_request_response
+      missing_fields = evaluator.missing_fields
+      extra_fields = evaluator.extra_fields
+      response.code == endpoint.bad_request_response.code && missing_fields.size == 0 && extra_fields.size == 0
+    end
+  end
+end
+
+class InjectionReport
+  attr_accessor :injection_type
+  attr_accessor :url
+  attr_accessor :payload
+  attr_accessor :response
+
+  def initialize injection_type, url, payload, response
+    self.injection_type = injection_type
+    self.url = url
+    self.payload = payload
+    self.response = response
+  end
+
+  def print
+    puts "Found potential #{self.injection_type}: "
+    puts "   Requested #{self.url} with payload:"
+    puts "      #{self.payload}"
+    puts '   Received: '
+    puts "      #{self.response}"
+  end
+end

data/lib/api-tester/modules/server_information.rb

@@ -0,0 +1,39 @@
+require 'pry'
+
+module ApiTester
+  module ServerInformation
+    def self.go contract
+      reports = []
+      endpoint = contract.endpoints[0]
+      response = endpoint.default_call
+
+      [:server, :x_powered_by, :x_aspnetmvc_version, :x_aspnet_version].each do |server_key|
+        if response.headers[server_key] then
+          reports << ServerBroadcastReport.new(response.headers[server_key], server_key)
+        end
+      end
+
+      reports
+    end
+
+    def self.order
+      10
+    end
+  end
+end
+
+class ServerBroadcastReport
+  attr_accessor :server_info
+  attr_accessor :server_key
+
+  def initialize server_info, server_key
+    self.server_info = server_info
+    self.server_key = server_key
+  end
+
+  def print
+    puts "Found server information being broadcast in headers:"
+    puts "   #{self.server_info}"
+    puts "     as #{self.server_key}"
+  end
+end

data/lib/api-tester/modules/typo.rb

@@ -3,43 +3,45 @@ require 'api-tester/util/supported_verbs'
 
 module ApiTester
   class Typo
-      def self.go(endpoint, report)
-          reports = []
-          allowances(endpoint).each do |verbs|
-              reports.concat check_typo_url(endpoint)
-          end
-
-          report.reports.concat reports
-          reports == []
+    def self.go contract
+      reports = []
+
+      contract.endpoints.each do |endpoint|
+        allowances(endpoint).each do |verbs|
+            reports.concat check_typo_url(endpoint)
+        end
       end
 
-      def self.check_typo_url endpoint
-          bad_url = "#{endpoint.url}gibberishadsfasdf"
-          bad_endpoint = ApiTester::Endpoint.new "Bad URL", bad_url
-          typo_case = BoundaryCase.new("Typo URL check", {}, {})
-          method = ApiTester::ApiMethod.new ApiTester::SupportedVerbs::GET, ApiTester::Response.new(200), ApiTester::Request.new
-          response = bad_endpoint.call method, typo_case.payload, typo_case.headers
+      reports
+    end
 
-          test = TypoClass.new response, typo_case.payload, endpoint.not_found_response, bad_url, ApiTester::SupportedVerbs::GET
-          test.check
-      end
+    def self.check_typo_url endpoint
+      bad_url = "#{endpoint.url}gibberishadsfasdf"
+      bad_endpoint = ApiTester::Endpoint.new "Bad URL", bad_url
+      typo_case = BoundaryCase.new("Typo URL check", {}, {})
+      method = ApiTester::Method.new ApiTester::SupportedVerbs::GET, ApiTester::Response.new(200), ApiTester::Request.new
+      response = bad_endpoint.call method, typo_case.payload, typo_case.headers
 
-      def self.allowances(endpoint)
-          allowances = []
-          endpoint.methods.each do |method|
-              allowances << method.verb
-          end
-          allowances.uniq
-      end
+      test = TypoClass.new response, typo_case.payload, endpoint.not_found_response, bad_url, ApiTester::SupportedVerbs::GET
+      test.check
+    end
 
-      def self.order
-        4
+    def self.allowances(endpoint)
+      allowances = []
+      endpoint.methods.each do |method|
+          allowances << method.verb
       end
+      allowances.uniq
+    end
+
+    def self.order
+      4
+    end
   end
 
   class TypoClass < MethodCaseTest
-      def initialize response, payload, expected_response, url, verb
-          super response, payload, expected_response, url, verb, "TypoModule"
-      end
+    def initialize response, payload, expected_response, url, verb
+      super response, payload, expected_response, url, verb, "TypoModule"
+    end
   end
 end

data/lib/api-tester/modules/unused_fields.rb

@@ -2,19 +2,20 @@ require 'api-tester/reporter/missing_response_field_report'
 
 module ApiTester
   class UnusedFields
-    def self.go definition, report
+    def self.go contract
       reports = []
 
-      definition.methods.each do |method|
-        method.expected_response.body.each do |field|
-          if field.is_seen == 0
-            reports << MissingResponseFieldReport.new(definition.url, method.verb, field.name, "UnusedFieldsModule")
+      contract.endpoints.each do |endpoint|
+        endpoint.methods.each do |method|
+          method.expected_response.body.each do |field|
+            if field.is_seen == 0
+              reports << MissingResponseFieldReport.new(endpoint.url, method.verb, field.name, "UnusedFieldsModule")
+            end
           end
         end
       end
 
-      report.reports.concat reports
-      reports == []
+      reports
     end
 
     def self.order

data/lib/api-tester/reporter/api_report.rb

@@ -17,6 +17,10 @@ module ApiTester
       self.reports << report
     end
 
+    def add_reports reports
+      self.reports.concat reports
+    end
+
     def print
       if self.reports.size > 0
         puts "Issues discovered: #{self.reports.size}"

data/lib/api-tester/version.rb

@@ -1,3 +1,3 @@
 module ApiTester
-  VERSION = "0.3.0"
+  VERSION = "0.3.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: api-tester
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - arane
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-05-23 00:00:00.000000000 Z
+date: 2018-05-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -66,6 +66,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.4'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.11'
 - !ruby/object:Gem::Dependency
   name: rest-client
   requirement: !ruby/object:Gem::Requirement
@@ -80,6 +94,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: injection_vulnerability_library
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.0.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.0.2
 description: Tool to test APIs which will eventually do boundary testing and other
   sorts of testing automatically given a contract
 email:
@@ -101,9 +129,8 @@ files:
 - changelog.txt
 - lib/api-tester.rb
 - lib/api-tester/config.rb
-- lib/api-tester/definition/api_contract.rb
-- lib/api-tester/definition/api_method.rb
 - lib/api-tester/definition/boundary_case.rb
+- lib/api-tester/definition/contract.rb
 - lib/api-tester/definition/endpoint.rb
 - lib/api-tester/definition/fields/array_field.rb
 - lib/api-tester/definition/fields/boolean_field.rb
@@ -112,12 +139,15 @@ files:
 - lib/api-tester/definition/fields/field.rb
 - lib/api-tester/definition/fields/number_field.rb
 - lib/api-tester/definition/fields/object_field.rb
+- lib/api-tester/definition/method.rb
 - lib/api-tester/definition/request.rb
 - lib/api-tester/definition/response.rb
 - lib/api-tester/method_case_test.rb
 - lib/api-tester/modules/extra_verbs.rb
 - lib/api-tester/modules/format.rb
 - lib/api-tester/modules/good_case.rb
+- lib/api-tester/modules/injection_module.rb
+- lib/api-tester/modules/server_information.rb
 - lib/api-tester/modules/typo.rb
 - lib/api-tester/modules/unused_fields.rb
 - lib/api-tester/reporter/api_report.rb