dradis-burp 3.0.2

data/lib/burp/issue.rb

@@ -0,0 +1,149 @@
+module Burp
+  # This class represents each of the /issues/issue elements in the Burp
+  # Scanner XML document.
+  #
+  # It provides a convenient way to access the information scattered all over
+  # the XML in attributes and nested tags.
+  #
+  # Instead of providing separate methods for each supported property we rely
+  # on Ruby's #method_missing to do most of the work.
+  class Issue
+    # Accepts an XML node from Nokogiri::XML.
+    def initialize(xml_node)
+      @xml = xml_node
+    end
+
+    # List of supported tags. They can be attributes, simple descendants or
+    # collections (e.g. <references/>, <tags/>)
+    def supported_tags
+      [
+        # attributes
+
+        # simple tags
+        :serial_number, :type, :name, :host, :path, :location, :severity,
+        :confidence, :background, :remediation_background, :detail,
+        :remediation_detail,
+
+        # nested tags
+        :request, :response
+      ]
+    end
+
+    # This allows external callers (and specs) to check for implemented
+    # properties
+    def respond_to?(method, include_private=false)
+      return true if supported_tags.include?(method.to_sym)
+      super
+    end
+
+    # This method is invoked by Ruby when a method that is not defined in this
+    # instance is called.
+    #
+    # In our case we inspect the @method@ parameter and try to find the
+    # attribute, simple descendent or collection that it maps to in the XML
+    # tree.
+    def method_missing(method, *args)
+
+      # We could remove this check and return nil for any non-recognized tag.
+      # The problem would be that it would make tricky to debug problems with
+      # typos. For instance: <>.potr would return nil instead of raising an
+      # exception
+      unless supported_tags.include?(method)
+        super
+        return
+      end
+
+      # First we try the attributes. In Ruby we use snake_case, but in XML
+      # CamelCase is used for some attributes
+      translations_table = {
+        :background => 'issueBackground',
+        :detail => 'issueDetail',
+        :remediation_background => 'remediationBackground',
+        :remediation_detail => 'remediationDetail',
+        :serial_number => 'serialNumber'
+      }
+
+      method_name = translations_table.fetch(method, method.to_s)
+
+      # no attributes in the <issue> node
+      # return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
+
+      # Then we try simple children tags: name, type, ...
+      tag = @xml.xpath("./#{method_name}").first
+      if tag && !tag.text.blank?
+        if tags_with_html_content.include?(method)
+          return cleanup_html(tag.text)
+        else
+          return tag.text
+        end
+      end
+
+      if (['request', 'response'].include?(method_name))
+        requestresponse_child(method_name)
+      else
+        # nothing found, the tag is valid but not present in this ReportItem
+        return nil
+      end
+    end
+
+    private
+
+    def cleanup_html(source)
+      result = source.dup
+      result.gsub!(/&quot;/, '"')
+      result.gsub!(/&amp;/, '&')
+      result.gsub!(/&lt;/, '<')
+      result.gsub!(/&gt;/, '>')
+
+      result.gsub!(/<b>(.*?)<\/b>/, '*\1*')
+      result.gsub!(/<br\/>/, "\n")
+      result.gsub!(/<br>/, "\n")
+      result.gsub!(/<font.*?>(.*?)<\/font>/m, '\1')
+      result.gsub!(/<h2>(.*?)<\/h2>/, '*\1*')
+      result.gsub!(/<i>(.*?)<\/i>/, '\1')
+      result.gsub!(/<p>(.*?)<\/p>/, '\1')
+      result.gsub!(/<pre.*?>(.*?)<\/pre>/m){|m| "\n\nbc.. #{ $1 }\n\np.  \n" }
+
+      result.gsub!(/<ul>/, "\n")
+      result.gsub!(/<\/ul>/, "\n")
+      result.gsub!(/<li>/, "\n* ")
+      result.gsub!(/<\/li>/, "\n")
+
+      result
+    end
+
+    # Some of the values have embedded HTML content that we need to strip
+    def tags_with_html_content
+      [:background, :detail, :remediation_background, :remediation_detail]
+    end
+
+    def requestresponse_child(field)
+      return 'n/a' unless @xml.at('requestresponse') && @xml.at("requestresponse/#{field}")
+
+      xml_node = @xml.at("requestresponse/#{field}")
+      result = "[unprocessable #{field}]"
+
+      if xml_node['base64'] == 'true'
+        result = Base64::strict_decode64(xml_node.text)
+
+        # don't pass binary data to the DB.
+        if result =~ /\0/
+          header, _ = result.split("\r\n\r\n")
+          result = header << "\r\n\r\n" << '[Binary Data Not Displayed]'
+        end
+      else
+        result = xml_node.text
+      end
+
+      # Just in case a null byte was left by Burp
+      result.gsub!(/\0/,'&#00;')
+
+      # We truncate the request/response because it can be pretty big.
+      # If it is > 1M MySQL will die when trying to INSERT
+      #
+      # TODO: maybe add a reference to this node's XPATH so the user can go
+      # back to the burp scanner file and look up the original request/response
+      result.truncate(50000, omission: '... (truncated)')
+    end
+  end
+end

data/lib/dradis-burp.rb

@@ -0,0 +1,8 @@
+# Hook to the framework base clases
+require 'dradis-plugins'
+
+# Load this add-on's engine
+require 'dradis/plugins/burp'
+
+# Load supporting Burp classes
+require 'burp/issue'

data/lib/dradis/plugins/burp.rb

@@ -0,0 +1,11 @@
+module Dradis
+  module Plugins
+    module Burp
+    end
+  end
+end
+
+require 'dradis/plugins/burp/engine'
+require 'dradis/plugins/burp/field_processor'
+require 'dradis/plugins/burp/importer'
+require 'dradis/plugins/burp/version'

data/lib/dradis/plugins/burp/engine.rb

@@ -0,0 +1,22 @@
+module Dradis
+  module Plugins
+    module Burp
+      class Engine < ::Rails::Engine
+        isolate_namespace Dradis::Plugins::Burp
+
+        include ::Dradis::Plugins::Base
+        description 'Processes Burp Scanner XML output'
+        provides :upload
+
+        # Configuring the gem
+        # class Configuration < Core::Configurator
+        #   configure :namespace => 'burp'
+        #   setting :category, :default => 'Burp Scanner output'
+        #   setting :author, :default => 'Burp Scanner plugin'
+        # end
+
+      end
+    end
+  end
+end
+

data/lib/dradis/plugins/burp/field_processor.rb

@@ -0,0 +1,23 @@
+module Dradis
+  module Plugins
+    module Burp
+      class FieldProcessor < Dradis::Plugins::Upload::FieldProcessor
+
+        def post_initialize(args={})
+          @burp_object = ::Burp::Issue.new(data)
+        end
+
+        def value(args={})
+          field = args[:field]
+          # fields in the template are of the form <foo>.<field>, where <foo>
+          # is common across all fields for a given template (and meaningless).
+          _, name = field.split('.')
+
+          @burp_object.try(name) || 'n/a'
+        end
+
+      end
+    end
+  end
+end
+

data/lib/dradis/plugins/burp/gem_version.rb

@@ -0,0 +1,19 @@
+module Dradis
+  module Plugins
+    module Burp
+      # Returns the version of the currently loaded Frontend as a <tt>Gem::Version</tt>
+      def self.gem_version
+        Gem::Version.new VERSION::STRING
+      end
+
+      module VERSION
+        MAJOR = 3
+        MINOR = 0
+        TINY = 2
+        PRE = nil
+
+        STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
+      end
+    end
+  end
+end

data/lib/dradis/plugins/burp/importer.rb

@@ -0,0 +1,79 @@
+module Dradis::Plugins::Burp
+  class Importer < Dradis::Plugins::Upload::Importer
+
+    # The framework will call this function if the user selects this plugin from
+    # the dropdown list and uploads a file.
+    # @returns true if the operation was successful, false otherwise
+    def import(params = {})
+      file_content = File.read( params[:file] )
+
+      if file_content =~ /base64="false"/
+        error =  "Burp input contains HTTP request / response data that hasn't been Base64-encoded.\n"
+        error << "Please re-export your scanner results making sure the Base-64 encode option is selected."
+
+        logger.fatal{ error }
+        content_service.create_note text: error
+        return false
+      end
+
+      logger.info{ 'Parsing Burp Scanner output file...' }
+      doc = Nokogiri::XML( file_content )
+      logger.info{'Done.'}
+
+      if doc.root.name != 'issues'
+        error = "Document doesn't seem to be in the Burp Scanner XML format."
+        logger.fatal{ error }
+        content_service.create_note text: error
+        return false
+      end
+
+      # This will be filled in by the Processor while iterating over the issues
+      hosts         = []
+      affected_host = nil
+      issue_text    = nil
+      evidence_text = nil
+
+      doc.xpath('issues/issue').each do |xml_issue|
+        issue_name = xml_issue.at('name').text
+        issue_type = xml_issue.at('type').text.to_i
+
+        logger.info{ "Adding #{ issue_name } (#{ issue_type })" }
+
+        host_label = xml_issue.at('host')['ip']
+        host_label = xml_issue.at('host').text if host_label.empty?
+        affected_host = content_service.create_node(label: host_label, type: :host)
+        logger.info{ "\taffects: #{ host_label }" }
+
+        if !hosts.include?(affected_host.label)
+          hosts << affected_host.label
+          url = xml_issue.at('host').text
+          host_description = "\#[HostInfo]\#\n#{ url }\n\n"
+          content_service.create_note(text: host_description, node: affected_host)
+        end
+
+        issue_text = template_service.process_template(
+          template: 'issue',
+          data: xml_issue)
+
+        issue = content_service.create_issue(
+          text: issue_text,
+          id: issue_type)
+
+        logger.info{ "\tadding evidence for this instance to #{ affected_host.label }."}
+
+        evidence_text = template_service.process_template(
+          template: 'evidence',
+          data: xml_issue)
+
+        content_service.create_evidence(
+          issue: issue,
+          node: affected_host,
+          content: evidence_text)
+
+      end
+      logger.info{ 'Burp Scanner results successfully imported' }
+      return true
+    end
+
+  end
+end

data/lib/dradis/plugins/burp/version.rb

@@ -0,0 +1,13 @@
+require_relative 'gem_version'
+
+module Dradis
+  module Plugins
+    module Burp
+      # Returns the version of the currently loaded Action Mailer as a
+      # <tt>Gem::Version</tt>.
+      def self.version
+        gem_version
+      end
+    end
+  end
+end

data/lib/tasks/thorfile.rb

@@ -0,0 +1,40 @@
+class BurpTasks < Thor
+  include Core::Pro::ProjectScopedTask if defined?(::Core::Pro)
+
+  namespace "dradis:plugins:burp"
+
+  desc "upload FILE", "upload Burp XML results"
+  def upload(file_path)
+    require 'config/environment'
+
+    logger = Logger.new(STDOUT)
+    logger.level = Logger::DEBUG
+
+    unless File.exists?(file_path)
+      $stderr.puts "** the file [#{file_path}] does not exist"
+      exit -1
+    end
+
+    content_service = nil
+    template_service = nil
+
+    template_service = Dradis::Plugins::TemplateService.new(plugin: Dradis::Plugins::Burp)
+    if defined?(Dradis::Pro)
+      detect_and_set_project_scope
+      content_service = Dradis::Pro::Plugins::ContentService.new(plugin: Dradis::Plugins::Burp)
+    else
+      content_service = Dradis::Plugins::ContentService.new(plugin: Dradis::Plugins::Burp)
+    end
+
+    importer = Dradis::Plugins::Burp::Importer.new(
+                logger: logger,
+       content_service: content_service,
+      template_service: template_service
+    )
+
+    importer.import(file: file_path)
+
+    logger.close
+  end
+
+end

data/spec/burp_upload_spec.rb

@@ -0,0 +1,108 @@
+require 'spec_helper'
+require 'ostruct'
+
+describe 'Burp upload plugin' do
+
+  describe Burp::Issue do
+    pending "create some unit tests for the Burp::Issue wrapper class"
+  end
+
+  describe "Importer" do
+    before(:each) do
+      # Stub template service
+      templates_dir = File.expand_path('../../templates', __FILE__)
+      expect_any_instance_of(Dradis::Plugins::TemplateService)
+      .to receive(:default_templates_dir).and_return(templates_dir)
+
+      # Init services
+      plugin = Dradis::Plugins::Burp
+
+      @content_service = Dradis::Plugins::ContentService.new(plugin: plugin)
+      template_service = Dradis::Plugins::TemplateService.new(plugin: plugin)
+
+      @importer = plugin::Importer.new(
+        content_service: @content_service,
+        template_service: template_service
+      )
+
+      # Stub dradis-plugins methods
+      #
+      # They return their argument hashes as objects mimicking
+      # Nodes, Issues, etc
+      allow(@content_service).to receive(:create_node) do |args|
+        OpenStruct.new(args)
+      end
+      allow(@content_service).to receive(:create_note) do |args|
+        OpenStruct.new(args)
+      end
+      allow(@content_service).to receive(:create_issue) do |args|
+        OpenStruct.new(args)
+      end
+      allow(@content_service).to receive(:create_evidence) do |args|
+        OpenStruct.new(args)
+      end
+    end
+
+    it "creates nodes, issues, notes and an evidences as needed" do
+
+      # Host node and basic host info note
+      #
+      # create_node should be called once for each issue in the xml,
+      # but ContentService knows it's already created and NOOPs
+      expect(@content_service).to receive(:create_node)
+      .with(hash_including label: '10.0.0.1')
+      .exactly(4).times
+      # create_note should be calld just once
+      expect(@content_service).to receive(:create_note) do |args|
+        expect(args[:text]).to include("#[HostInfo]#\nhttp://www.test.com")
+        OpenStruct.new(args)
+      end.once
+
+      # create_issue should be called once for each issue in the xml
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Title]#\nIssue 1")
+        OpenStruct.new(args)
+      end.once
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("Lorem ipsum dolor sit amet")
+        expect(args[:issue].text).to include("#[Title]#\nIssue 1")
+        expect(args[:node].label).to eq("10.0.0.1")
+      end.once
+
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Title]#\nIssue 2")
+        OpenStruct.new(args)
+      end.once
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("Lorem ipsum dolor sit amet")
+        expect(args[:issue].text).to include("#[Title]#\nIssue 2")
+        expect(args[:node].label).to eq("10.0.0.1")
+      end.once
+
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Title]#\nIssue 3")
+        OpenStruct.new(args)
+      end.once
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("Lorem ipsum dolor sit amet")
+        expect(args[:issue].text).to include("#[Title]#\nIssue 3")
+        expect(args[:node].label).to eq("10.0.0.1")
+      end.once
+
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include("#[Title]#\nIssue 4")
+        OpenStruct.new(args)
+      end.once
+      expect(@content_service).to receive(:create_evidence) do |args|
+        expect(args[:content]).to include("Lorem ipsum dolor sit amet")
+        expect(args[:issue].text).to include("#[Title]#\nIssue 4")
+        expect(args[:node].label).to eq("10.0.0.1")
+      end.once
+
+
+      # Run the import
+      @importer.import(file: 'spec/fixtures/files/burp.xml')
+    end
+
+  end
+end