RubyGems - dradis-burp - Versions diffs - 3.18.0 - Mend

dradis-burp 3.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

checksums.yaml +7 -0
data/.github/issue_template.md +16 -0
data/.github/pull_request_template.md +36 -0
data/.gitignore +10 -0
data/.rspec +2 -0
data/CHANGELOG.md +57 -0
data/CONTRIBUTING.md +3 -0
data/Gemfile +23 -0
data/LICENSE +339 -0
data/README.md +29 -0
data/Rakefile +1 -0
data/dradis-burp.gemspec +34 -0
data/lib/burp/html/issue.rb +157 -0
data/lib/burp/issue.rb +43 -0
data/lib/burp/xml/issue.rb +127 -0
data/lib/dradis-burp.rb +10 -0
data/lib/dradis/plugins/burp.rb +12 -0
data/lib/dradis/plugins/burp/engine.rb +25 -0
data/lib/dradis/plugins/burp/field_processor.rb +27 -0
data/lib/dradis/plugins/burp/gem_version.rb +19 -0
data/lib/dradis/plugins/burp/html/importer.rb +144 -0
data/lib/dradis/plugins/burp/version.rb +13 -0
data/lib/dradis/plugins/burp/xml/importer.rb +144 -0
data/lib/tasks/thorfile.rb +30 -0
data/spec/burp_upload_spec.rb +220 -0
data/spec/fixtures/files/burp.html +229 -0
data/spec/fixtures/files/burp.xml +100 -0
data/spec/fixtures/files/burp_issue_severity.xml +118 -0
data/spec/fixtures/files/invalid-utf-issue.xml +21 -0
data/spec/fixtures/files/without-base64.xml +709 -0
data/spec/spec_helper.rb +9 -0
data/templates/evidence.fields +8 -0
data/templates/evidence.sample +76 -0
data/templates/evidence.template +20 -0
data/templates/html_evidence.fields +13 -0
data/templates/html_evidence.sample +36 -0
data/templates/html_evidence.template +50 -0
data/templates/issue.fields +8 -0
data/templates/issue.sample +23 -0
data/templates/issue.template +30 -0
metadata +174 -0

data/lib/dradis/plugins/burp/field_processor.rb ADDED

@@ -0,0 +1,27 @@
+module Dradis
+  module Plugins
+    module Burp
+      class FieldProcessor < Dradis::Plugins::Upload::FieldProcessor
+        def post_initialize(args={})
+          @burp_object =
+            if data.is_a?(Nokogiri::XML::Element)
+              ::Burp::Xml::Issue.new(data)
+            elsif data.is_a?(Nokogiri::XML::NodeSet)
+              ::Burp::Html::Issue.new(data)
+            end
+        end
+        def value(args={})
+          field = args[:field]
+          # fields in the template are of the form <foo>.<field>, where <foo>
+          # is common across all fields for a given template (and meaningless).
+          _, name = field.split('.')
+          @burp_object.try(name) || 'n/a'
+        end
+      end
+    end
+  end
+end

data/lib/dradis/plugins/burp/gem_version.rb ADDED

@@ -0,0 +1,19 @@
+module Dradis
+  module Plugins
+    module Burp
+      # Returns the version of the currently loaded Frontend as a <tt>Gem::Version</tt>
+      def self.gem_version
+        Gem::Version.new VERSION::STRING
+      end
+      module VERSION
+        MAJOR = 3
+        MINOR = 18
+        TINY = 0
+        PRE = nil
+        STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
+      end
+    end
+  end
+end

data/lib/dradis/plugins/burp/html/importer.rb ADDED

@@ -0,0 +1,144 @@
+module Dradis::Plugins::Burp
+  # This module knows how to parse Burp HTML format.
+  module Html
+    def self.meta
+      package = Dradis::Plugins::Burp
+      {
+        name:        package::Engine::plugin_name,
+        description: 'Upload Burp Scanner output file (.html)',
+        version:     package.version
+      }
+    end
+    class Importer < Dradis::Plugins::Upload::Importer
+      def initialize(args={})
+        args[:plugin] = Dradis::Plugins::Burp
+        super(args)
+      end
+      def import(params = {})
+        logger.info { 'Parsing Burp Scanner HTML output file...' }
+        @doc = Nokogiri::HTML(File.read(params[:file]))
+        logger.info { 'Done.' }
+        # Issue headers are like: <span class="BODH0" id="X">
+        issue_headers = @doc.xpath("//span[contains(@class, 'BODH0')]")
+        if issue_headers.count.zero?
+          error = "Document doesn't seem to be in the Burp Scanner HTML format."
+          logger.fatal { error }
+          content_service.create_note text: error
+          return false
+        end
+        issue_headers.each do |header|
+          issue_id = header.attr('id')
+          html     = extract_html_fragment_for(issue_id)
+          process_html_issue(html)
+        end
+        logger.info { 'Burp Scanner results successfully imported' }
+        true
+      end
+      def process_html_issue(html_issue)
+        header     = html_issue.first
+        title      = header.text.gsub(/^\d+\.\S/, '')
+        burp_id =
+          if (link = header.css('a').first)
+            link.attr('href')[/\/([0-9a-f]+)_.*/, 1].to_i(16)
+          else
+            title
+          end
+        issue_id   = html_issue.attr('id').value
+        issue_text =
+          template_service.process_template(
+            template: 'issue',
+            data: html_issue
+          )
+        logger.info { "Processing issue #{issue_id}: #{title}" }
+        issue = content_service.create_issue(text: issue_text, id: burp_id)
+        # Evidence headers are like:
+        #   <span class="BODH1" id="X.Y">
+        # where:
+        #   X is the issue index
+        #   Y is the evidence index
+        evidence_headers = html_issue.xpath(
+          "//span[contains(@class, 'BODH1') and starts-with(@id, '#{issue_id}.')]"
+        )
+        # If there are no evidence headers inside this issue, this is a
+        # "single evidence" case: our evidence html is the issue html itself
+        if evidence_headers.count.zero?
+          process_html_evidence(html_issue, issue)
+        else
+          evidence_headers.each do |header|
+            evidence_id = header.attr('id')
+            html = extract_html_fragment_for(evidence_id)
+            process_html_evidence(html, issue)
+          end
+        end
+      end
+      def process_html_evidence(html_evidence, issue)
+        evidence_id = html_evidence.attr('id').value
+        logger.info { "Processing evidence #{evidence_id}" }
+        host_td    = html_evidence.search("td:starts-with('Host:')").first
+        host_label = host_td.next_element.text.split('//').last
+        host       = content_service.create_node(label: host_label, type: :host)
+        evidence_text =
+          template_service.process_template(
+            template: 'html_evidence',
+            data: html_evidence
+          )
+        content_service.create_evidence(
+          issue: issue,
+          node: host,
+          content: evidence_text
+        )
+      end
+      # Html for an issue and evidence is not nested inside an html element.
+      #
+      # An issue is the html fragment from <span id="X"> (where X is a single
+      # integer number: 1, 2, 3...) until the next span like that or the end of
+      # the file.
+      #
+      # An evidence is the html fragment from <span id="X.Y"> (where X is the
+      # issue index and Y the evidence index: 1.1, 1.2,...,2.1, 2.2,...) until
+      # the next evidence span (id="X.Z"), the next issue span (id="Y"), or the
+      # end of the file.
+      #
+      # This method extracts all the html related to as specific issue id or
+      # evidence id.
+      def extract_html_fragment_for(id)
+        next_id = if /\d+\.\d+/ =~ id
+                    id_parts = id.split('.')
+                    "#{id_parts[0]}.#{id_parts[1].to_i + 1}"
+                  else
+                    id.to_i + 1
+                  end
+        start_element = @doc.xpath("//span[@id='#{id}']")
+        return nil if start_element.empty?
+        ending_element = @doc.xpath("//span[@id='#{next_id}']")
+        if ending_element.empty? && /\d+\.\d+/ =~ id
+          next_id = id.split('.')[0].to_i + 1
+          ending_element = @doc.xpath("//span[@id='#{next_id}']")
+        end
+        xpath = "//*[preceding-sibling::span[@id='#{id}']"
+        xpath += " and following-sibling::span[@id='#{next_id}']" unless ending_element.empty?
+        xpath += ']'
+        start_element + @doc.xpath(xpath)
+      end
+    end
+  end
+end

data/lib/dradis/plugins/burp/version.rb ADDED

@@ -0,0 +1,13 @@
+require_relative 'gem_version'
+module Dradis
+  module Plugins
+    module Burp
+      # Returns the version of the currently loaded Action Mailer as a
+      # <tt>Gem::Version</tt>.
+      def self.version
+        gem_version
+      end
+    end
+  end
+end

data/lib/dradis/plugins/burp/xml/importer.rb ADDED

@@ -0,0 +1,144 @@
+module Dradis::Plugins::Burp
+  # This module knows how to parse Burp XML format.
+  module Xml
+    def self.meta
+      package = Dradis::Plugins::Burp
+      {
+        name:        package::Engine::plugin_name,
+        description: 'Upload Burp Scanner output file (.xml)',
+        version:     package.version
+      }
+    end
+    class Importer < Dradis::Plugins::Upload::Importer
+      BURP_EXTENSION_TYPE = '134217728'.freeze
+      BURP_SEVERITIES     = ['Information', 'Low', 'Medium', 'High'].freeze
+      def initialize(args={})
+        args[:plugin] = Dradis::Plugins::Burp
+        super(args)
+      end
+      def import(params = {})
+        file_content = File.read(params[:file])
+        if file_content =~ /base64="false"/
+          error =  "Burp input contains HTTP request / response data that hasn't been Base64-encoded.\n"
+          error << 'Please re-export your scanner results making sure the Base-64 encode option is selected.'
+          logger.fatal{ error }
+          content_service.create_note text: error
+          return false
+        end
+        logger.info { 'Parsing Burp Scanner XML output file...' }
+        doc = Nokogiri::XML(file_content)
+        logger.info { 'Done.' }
+        if doc.root.name != 'issues'
+          error = 'Document doesn\'t seem to be in the Burp Scanner XML format.'
+          logger.fatal { error }
+          content_service.create_note text: error
+          return false
+        end
+        # This will be filled in by the Processor while iterating over the issues
+        @issues     = []
+        @severities = Hash.new(0)
+        # We need to look ahead through all issues to bring the highest severity
+        # of each instance to the Issue level.
+        doc.xpath('issues/issue').each do |xml_issue|
+          issue_id       = issue_id_for(xml_issue)
+          issue_severity = BURP_SEVERITIES.index(xml_issue.at('severity').text)
+          @severities[issue_id] = issue_severity if issue_severity > @severities[issue_id]
+          @issues << xml_issue
+        end
+        @issues.each { |xml_issue| process_issue(xml_issue) }
+        logger.info { 'Burp Scanner results successfully imported' }
+        true
+      end
+      private
+      def create_issue(affected_host:, id:, xml_issue:)
+        xml_evidence = xml_issue.clone
+        # Ensure that the Issue contains the highest Severity value
+        xml_issue.at('severity').content = BURP_SEVERITIES[@severities[id]]
+        issue_text =
+          template_service.process_template(
+            template: 'issue',
+            data: xml_issue
+          )
+        if issue_text.include?(::Burp::INVALID_UTF_REPLACE)
+          logger.info do
+            "\tdetected invalid UTF-8 bytes in your issue. " \
+            "Replacing them with '#{::Burp::INVALID_UTF_REPLACE}'."
+          end
+        end
+        issue = content_service.create_issue(text: issue_text, id: id)
+        logger.info do
+          "\tadding evidence for this instance to #{affected_host.label}."
+        end
+        evidence_text =
+          template_service.process_template(
+            template: 'evidence',
+            data: xml_evidence
+          )
+        if evidence_text.include?(::Burp::INVALID_UTF_REPLACE)
+          logger.info do
+            "\tdetected invalid UTF-8 bytes in your evidence. " \
+            "Replacing them with '#{::Burp::INVALID_UTF_REPLACE}'."
+          end
+        end
+        content_service.create_evidence(
+          issue: issue,
+          node: affected_host,
+          content: evidence_text
+        )
+      end
+      # Burp extensions don't follow the "unique type for every Issue" logic
+      # so we have to deal with them separately
+      def issue_id_for(xml_issue)
+        if xml_issue.at('type').text == BURP_EXTENSION_TYPE
+          xml_issue.at('name').text.gsub!(' ', '')
+        else
+          xml_issue.at('type').text.to_i
+        end
+      end
+      # Creates the Nodes/properties
+      def process_issue(xml_issue)
+        host_url   = xml_issue.at('host').text
+        host_label = xml_issue.at('host')['ip']
+        host_label = host_url if host_label.empty?
+        issue_id   = issue_id_for(xml_issue)
+        affected_host = content_service.create_node(label: host_label, type: :host)
+        affected_host.set_property(:hostname, host_url)
+        affected_host.save
+        logger.info { "Adding #{xml_issue.at('name').text} (#{issue_id})"}
+        logger.info { "\taffects: #{host_label}" }
+        create_issue(
+          affected_host: affected_host,
+          id: issue_id,
+          xml_issue: xml_issue
+        )
+      end
+    end
+  end
+end

data/lib/tasks/thorfile.rb ADDED

@@ -0,0 +1,30 @@
+class BurpTasks < Thor
+  include Rails.application.config.dradis.thor_helper_module
+  namespace "dradis:plugins:burp"
+  desc "upload FILE", "upload Burp XML or HTML results"
+  def upload(file_path)
+    require 'config/environment'
+    unless File.exists?(file_path)
+      $stderr.puts "** the file [#{file_path}] does not exist"
+      exit(-1)
+    end
+    detect_and_set_project_scope
+    importer =
+      if File.extname(file_path) == '.xml'
+        Dradis::Plugins::Burp::Xml::Importer.new(task_options)
+      elsif File.extname(file_path) == '.html'
+        Dradis::Plugins::Burp::Html::Importer.new(task_options)
+      else
+        $stderr.puts "** Unsupported file. Must be .xml or .html"
+        exit(-2)
+      end
+    importer.import(file: file_path)
+  end
+end

data/spec/burp_upload_spec.rb ADDED

@@ -0,0 +1,220 @@
+require 'spec_helper'
+require 'ostruct'
+describe 'Burp upload plugin' do
+  describe Burp::Xml::Issue do
+    it 'handles invalid utf-8 bytes' do
+      doc = Nokogiri::XML(File.read('spec/fixtures/files/invalid-utf-issue.xml'))
+      xml_issue = doc.xpath('issues/issue').first
+      issue = Burp::Xml::Issue.new(xml_issue)
+      expect{ issue.request.encode('utf-8') }.to_not raise_error
+    end
+  end
+  describe  Dradis::Plugins::Burp::Xml::Importer do
+    before(:each) do
+      # Stub template service
+      templates_dir = File.expand_path('../../templates', __FILE__)
+      expect_any_instance_of(Dradis::Plugins::TemplateService)
+      .to receive(:default_templates_dir).and_return(templates_dir)
+      # Init services
+      plugin = Dradis::Plugins::Burp::Xml
+      @content_service = Dradis::Plugins::ContentService::Base.new(
+        logger: Logger.new(STDOUT),
+        plugin: plugin
+      )
+      @importer = plugin::Importer.new(
+        content_service: @content_service,
+      )
+      # Stub dradis-plugins methods
+      #
+      # They return their argument hashes as objects mimicking
+      # Nodes, Issues, etc
+      allow(@content_service).to receive(:create_node) do |args|
+        obj = OpenStruct.new(args)
+        obj.define_singleton_method(:set_property) { |_, __| }
+        obj
+      end
+      allow(@content_service).to receive(:create_issue) do |args|
+        OpenStruct.new(args)
+      end
+      allow(@content_service).to receive(:create_evidence) do |args|
+        OpenStruct.new(args)
+      end
+    end
+    it 'creates nodes, issues, and evidence as needed' do
+      # Host node
+      #
+      # create_node should be called once for each issue in the xml,
+      # but ContentService knows it's already created and NOOPs
+      expect(@content_service).to receive(:create_node)
+      .with(hash_including label: '10.0.0.1')
+      .exactly(4).times
+      # create_issue should be called once for each issue in the xml
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Title]#\nIssue 1")
+        expect(args[:id]).to eq(8781630)
+        OpenStruct.new(args)
+      end.once
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("Lorem ipsum dolor sit amet")
+        expect(args[:issue].text).to include("#[Title]#\nIssue 1")
+        expect(args[:node].label).to eq("10.0.0.1")
+      end.once
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Title]#\nIssue 2")
+        expect(args[:id]).to eq(8781631)
+        OpenStruct.new(args)
+      end.once
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("Lorem ipsum dolor sit amet")
+        expect(args[:issue].text).to include("#[Title]#\nIssue 2")
+        expect(args[:node].label).to eq("10.0.0.1")
+      end.once
+      # Issue 3 is an Extension finding so we need to confirm
+      # that it triggers process_extension_issues instead of process_burp_issues
+      # and the plugin_id is not set to the Type (134217728)
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Title]#\nIssue 3")
+        expect(args[:id]).to eq("Issue3")
+        OpenStruct.new(args)
+      end.once
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("Lorem ipsum dolor sit amet")
+        expect(args[:issue].text).to include("#[Title]#\nIssue 3")
+        expect(args[:node].label).to eq("10.0.0.1")
+      end.once
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Title]#\nIssue 4")
+        expect(args[:id]).to eq(8781633)
+        OpenStruct.new(args)
+      end.once
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("Lorem ipsum dolor sit amet")
+        expect(args[:issue].text).to include("#[Title]#\nIssue 4")
+        expect(args[:node].label).to eq("10.0.0.1")
+      end.once
+      # Run the import
+      @importer.import(file: 'spec/fixtures/files/burp.xml')
+    end
+    it 'returns the highest <severity> at the Issue level' do
+      # create_issue should be called once for each issue in the xml
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:id]).to eq(8781630)
+        expect(args[:text]).to include("#[Title]#\nIssue 1")
+        expect(args[:text]).to include("#[Severity]#\nCritical")
+        OpenStruct.new(args)
+      end
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("#[Severity]#\nInformation")
+        expect(args[:issue].text).to include("#[Title]#\nIssue 1")
+        expect(args[:node].label).to eq('10.0.0.1')
+      end.once
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("#[Severity]#\nHigh")
+        expect(args[:issue].text).to include("#[Title]#\nIssue 1")
+        expect(args[:node].label).to eq('10.0.0.1')
+        OpenStruct.new(args)
+      end.once
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("#[Severity]#\nMedium")
+        expect(args[:issue].text).to include("#[Title]#\nIssue 1")
+        expect(args[:node].label).to eq('10.0.0.1')
+      end.once
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("#[Severity]#\nCritical")
+        expect(args[:issue].text).to include("#[Title]#\nIssue 1")
+        expect(args[:node].label).to eq('10.0.0.1')
+      end.once
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("#[Severity]#\nLow")
+        expect(args[:issue].text).to include("#[Title]#\nIssue 1")
+        expect(args[:node].label).to eq('10.0.0.1')
+      end.once
+      # Run the import
+      @importer.import(file: 'spec/fixtures/files/burp_issue_severity.xml')
+    end
+  end
+  describe  Dradis::Plugins::Burp::Html::Importer do
+    before(:each) do
+      # Stub template service
+      templates_dir = File.expand_path('../../templates', __FILE__)
+      expect_any_instance_of(Dradis::Plugins::TemplateService)
+      .to receive(:default_templates_dir).and_return(templates_dir)
+      # Init services
+      plugin = Dradis::Plugins::Burp::Html
+      @content_service = Dradis::Plugins::ContentService::Base.new(
+        logger: Logger.new(STDOUT),
+        plugin: plugin
+      )
+      @importer = plugin::Importer.new(
+        content_service: @content_service,
+      )
+      # Stub dradis-plugins methods
+      #
+      # They return their argument hashes as objects mimicking
+      # Nodes, Issues, etc
+      allow(@content_service).to receive(:create_node) do |args|
+        obj = OpenStruct.new(args)
+        obj.define_singleton_method(:set_property) { |_, __| }
+        obj
+      end
+      allow(@content_service).to receive(:create_issue) do |args|
+        OpenStruct.new(args)
+      end
+      allow(@content_service).to receive(:create_evidence) do |args|
+        OpenStruct.new(args)
+      end
+    end
+    it "creates nodes, issues, and evidence as needed" do
+      # Host node
+      #
+      # create_node should be called once for each issue in the xml,
+      # but ContentService knows it's already created and NOOPs
+      expect(@content_service).to receive(:create_node)
+      .with(hash_including label: 'github.com/dradis/dradis-burp')
+      .exactly(1).times
+      # # create_issue should be called once for each issue in the xml
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Title]#\nStrict transport security not enforced")
+        expect(args[:id]).to eq(16777984)
+        OpenStruct.new(args)
+      end.once
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
+        expect(args[:issue].text).to include("#[Title]#\nStrict transport security not enforced")
+        expect(args[:node].label).to eq("github.com/dradis/dradis-burp")
+      end.once
+      # Run the import
+      @importer.import(file: 'spec/fixtures/files/burp.html')
+    end
+  end
+end