dradis-csv 4.4.0 → 4.5.0

data/lib/dradis-csv.rb

@@ -1,9 +1,7 @@
+require 'csv'
 
 # Hook to the framework base clases
 require 'dradis-plugins'
 
-# Load supporting CSV classes
-require 'csv'
-
 # Load this add-on's engine
 require 'dradis/plugins/csv'

data/spec/features/upload_spec.rb

@@ -0,0 +1,267 @@
+require 'rails_helper'
+
+# To run, execute from Dradis main app folder:
+#   bin/rspec [dradis-plugins path]/spec/features/upload_spec.rb
+
+describe 'upload feature', js: true do
+  before do
+    login_to_project_as_user
+    visit project_upload_path(@project)
+  end
+
+  context 'uploading a CSV file' do
+    let(:file_path) { File.expand_path('../fixtures/files/simple.csv', __dir__) }
+    before do
+      @headers = CSV.open(file_path, &:readline)
+
+      select 'Dradis::Plugins::CSV', from: 'uploader'
+
+      within('.custom-file') do
+        page.find('#file', visible: false).attach_file(file_path)
+      end
+
+      find('body.upload.new', wait: 30)
+    end
+
+    it 'redirects to the mapping page' do
+      expect(current_path).to eq(csv.new_project_upload_path(@project))
+    end
+
+    it 'lists the fields in the table' do
+      within('tbody') do
+        @headers.each do |header|
+          expect(page).to have_selector('td', text: header)
+        end
+      end
+    end
+
+    context 'mapping CSV columns' do
+      context 'when identifier not selected' do
+        it 'shows a validation message on the page' do
+          within all('tbody tr')[3] do
+            select 'Evidence Field'
+          end
+
+          click_button 'Import CSV'
+          expect(page).to have_text('An Issue ID must be selected.')
+        end
+      end
+
+      context 'when there are evidence type but no node type selected' do
+        it 'shows a validation message on the page' do
+          within all('tbody tr')[2] do
+            select 'Issue ID'
+          end
+
+          within all('tbody tr')[3] do
+            select 'Evidence Field'
+          end
+
+          click_button 'Import CSV'
+          expect(page).to have_text('A Node Label must be selected to import evidence records.')
+        end
+      end
+
+      context 'when project does not have RTP' do
+        it 'imports all columns as fields' do
+          select 'Issue ID', from: 'mappings[field_attributes][0][type]'
+          select 'Node', from: 'mappings[field_attributes][3][type]'
+          select 'Evidence Field', from: 'mappings[field_attributes][4][type]'
+          select 'Evidence Field', from: 'mappings[field_attributes][5][type]'
+
+          perform_enqueued_jobs do
+            click_button 'Import CSV'
+
+            find('#console .log', wait: 30, match: :first)
+
+            expect(page).to have_text('Worker process completed.')
+
+            issue = Issue.last
+            expect(issue.fields).to eq({ 'Description' => 'Test CSV', 'Title' => 'SQL Injection', 'VulnerabilityCategory' =>'High', 'plugin' => 'csv', 'plugin_id' => '1' })
+
+            node = issue.affected.first
+            expect(node.label).to eq('10.0.0.1')
+
+            evidence = node.evidence.first
+            expect(evidence.fields).to eq({ 'Label' => '10.0.0.1', 'Title' => 'SQL Injection', 'Location' => '10.0.0.1', 'Port' => '443' })
+          end
+        end
+      end
+
+      context 'when project have RTP' do
+        before do
+          rtp = create(:report_template_properties, evidence_fields: evidence_fields, issue_fields: issue_fields)
+          @project.update(report_template_properties: rtp)
+
+          page.refresh
+        end
+
+        context 'without fields' do
+          let (:evidence_fields) { [] }
+          let (:issue_fields) { [] }
+
+          it 'creates records with fields from the headers' do
+            select 'Issue ID', from: 'mappings[field_attributes][0][type]'
+            select 'Node', from: 'mappings[field_attributes][3][type]'
+            select 'Evidence Field', from: 'mappings[field_attributes][4][type]'
+            select 'Evidence Field', from: 'mappings[field_attributes][5][type]'
+
+            perform_enqueued_jobs do
+              click_button 'Import CSV'
+
+              find('#console .log', wait: 30, match: :first)
+
+              expect(page).to have_text('Worker process completed.')
+
+              issue = Issue.last
+              expect(issue.fields).to eq({ 'Description' => 'Test CSV', 'Title' => 'SQL Injection', 'Vulnerability Category' =>'High', 'plugin' => 'csv', 'plugin_id' => '1' })
+
+              node = issue.affected.first
+              expect(node.label).to eq('10.0.0.1')
+
+              evidence = node.evidence.first
+              expect(evidence.fields).to eq({ 'Label' => '10.0.0.1', 'Location' => '10.0.0.1', 'Title' => 'SQL Injection', 'Port' => '443' })
+            end
+          end
+        end
+
+        context 'with fields' do
+          let (:evidence_fields) {
+            [
+              { name: 'Location', type: :string, default: true },
+              { name: 'Port', type: :string, default: true}
+            ]
+          }
+
+          let (:issue_fields) {
+            [
+              { name: 'Title', type: :string, default: true },
+              { name: 'Description', type: :string, default: true},
+              { name: 'Severity', type: :string, default: true}
+            ]
+          }
+
+          it 'shows the available fields for the selected type' do
+            select 'Issue Field', from: 'mappings[field_attributes][1][type]'
+
+            issue_fields.each do |field|
+              expect(page).to have_selector('option', text: field[:name])
+            end
+
+            select 'Evidence Field', from: 'mappings[field_attributes][4][type]'
+
+            evidence_fields.each do |field|
+              expect(page).to have_selector('option', text: field[:name])
+            end
+          end
+
+          it 'can select which columns to import' do
+            select 'Issue ID', from: 'mappings[field_attributes][0][type]'
+
+            select 'Issue Field', from: 'mappings[field_attributes][1][type]'
+            select 'Title', from: 'mappings[field_attributes][1][field]'
+
+            select 'Issue Field', from: 'mappings[field_attributes][2][type]'
+            select 'Description', from: 'mappings[field_attributes][2][field]'
+
+            select 'Node', from: 'mappings[field_attributes][3][type]'
+
+            select 'Evidence Field', from: 'mappings[field_attributes][4][type]'
+            select 'Location', from: 'mappings[field_attributes][4][field]'
+
+            select 'Evidence Field', from: 'mappings[field_attributes][5][type]'
+            select 'Port', from: 'mappings[field_attributes][5][field]'
+
+            select 'Issue Field', from: 'mappings[field_attributes][6][type]'
+            select 'Severity', from: 'mappings[field_attributes][6][field]'
+
+            perform_enqueued_jobs do
+              click_button 'Import CSV'
+
+              find('#console .log', wait: 30, match: :first)
+
+              expect(page).to have_text('Worker process completed.')
+
+              issue = Issue.last
+              expect(issue.fields).to eq({ 'Description' => 'Test CSV', 'Title' => 'SQL Injection', 'Severity' => 'High', 'plugin' => 'csv', 'plugin_id' => '1' })
+
+              node = issue.affected.first
+              expect(node.label).to eq('10.0.0.1')
+
+              evidence = node.evidence.first
+              expect(evidence.fields).to eq({ 'Label' => '10.0.0.1', 'Location' => '10.0.0.1', 'Title' => 'SQL Injection', 'Port' => '443' })
+            end
+          end
+        end
+
+        context 'when no evidence fields' do
+          let (:evidence_fields) { [] }
+          let (:issue_fields) { [] }
+
+          it 'still creates evidence record' do
+            within all('tbody tr')[1] do
+              select 'Node'
+            end
+
+            within all('tbody tr')[2] do
+              select 'Issue ID'
+            end
+
+            within all('tbody tr')[5] do
+              select 'Issue Field'
+            end
+
+            perform_enqueued_jobs do
+              click_button 'Import CSV'
+
+              find('#console .log', wait: 30, match: :first)
+
+              expect(page).to have_text('Worker process completed.')
+
+              issue = Issue.last
+              expect(issue.fields).to include({ 'Title' => 'SQL Injection', 'plugin' => 'csv', 'plugin_id' => '1' })
+
+              node = issue.affected.first
+              expect(node.label).to eq('10.0.0.1')
+
+              evidence = node.evidence.first
+              expect(evidence.content).to eq('')
+            end
+          end
+        end
+      end
+    end
+  end
+
+  context 'uploading a malformed CSV file' do
+    let(:file_path) { File.expand_path('../fixtures/files/simple_malformed.csv', __dir__) }
+    before do
+      select 'Dradis::Plugins::CSV', from: 'uploader'
+
+      within('.custom-file') do
+        page.find('#file', visible: false).attach_file(file_path)
+      end
+    end
+
+    it 'redirects to upload manager' do
+      expect(page).to have_text('The uploaded file is not a valid CSV file')
+      expect(current_path).to eq(main_app.project_upload_manager_path(@project))
+    end
+  end
+
+  context 'uploading any file other than CSV' do
+    let(:file_path) { Rails.root.join('spec/fixtures/files/rails.png') }
+    before do
+      select 'Dradis::Plugins::CSV', from: 'uploader'
+
+      within('.custom-file') do
+        page.find('#file', visible: false).attach_file(file_path)
+      end
+    end
+
+    it 'redirects to upload manager' do
+      expect(page).to have_text('The uploaded file is not a CSV file.')
+      expect(current_path).to eq(main_app.project_upload_manager_path(@project))
+    end
+  end
+end

data/spec/fixtures/files/simple.csv

@@ -0,0 +1,2 @@
+"Id","Title","Description","Host","Location","Port","Vulnerability Category"
+"1","SQL Injection","Test CSV","10.0.0.1","10.0.0.1","443","High"

data/spec/fixtures/files/simple_malformed.csv

@@ -0,0 +1,2 @@
+"Id";"Title";"Description";"Host";"Location";"Port"
+"1";"SQL Injection";"Test CSV";"10.0.0.1";"10.0.0.1";"443"

data/spec/jobs/dradis/plugins/csv/mapping_import_job_spec.rb

@@ -0,0 +1,30 @@
+require 'rails_helper'
+
+RSpec.describe Dradis::Plugins::CSV::MappingImportJob do
+  let(:file) { File.expand_path('../../../.../../../fixtures/files/simple.csv', __dir__) }
+
+  let(:perform_job) do
+    described_class.new.perform(
+      default_user_id: create(:user).id,
+      file: file,
+      mappings: {},
+      project_id: create(:project).id,
+      uid: 1
+    )
+  end
+
+  describe '#perform' do
+    it 'calls Importer#import_csv' do
+      dbl = double('Importer')
+      allow(Dradis::Plugins::CSV::Importer).to receive(:new).and_return(dbl)
+      expect(dbl).to receive(:import_csv).and_return(true)
+
+      perform_job
+    end
+
+    it 'writes a known final line in the log' do
+      perform_job
+      expect(Log.last.text).to eq 'Worker process completed.'
+    end
+  end
+end

data/spec/lib/dradis/plugins/csv/importer_spec.rb

@@ -0,0 +1,140 @@
+require 'rails_helper'
+
+RSpec.describe Dradis::Plugins::CSV::Importer do
+  let(:file) { File.expand_path('../../../.../../../fixtures/files/simple.csv', __dir__) }
+  let(:project) { create(:project) }
+
+  let(:instance) do
+    described_class.new(
+      default_user_id: create(:user).id,
+      logger: Log.new(uid: 1),
+      plugin: Dradis::Plugins::CSV,
+      project_id: project.id
+    )
+  end
+
+  let(:import_csv) do
+    instance.import_csv(file: file, mappings: mappings)
+  end
+
+  describe '#import_csv' do
+    context 'when project has RTP' do
+      let(:mappings) do
+        {
+          '0' => { 'type' => 'identifier' },
+          '1' => { 'type' => 'issue', 'field' => 'MyTitle' },
+          '3' => { 'type' => 'node', 'field' => '' },
+          '4' => { 'type' => 'evidence', 'field' => 'MyLocation' },
+          '5' => { 'type' => 'evidence', 'field' => '' }
+        }
+      end
+
+      before do
+        project.update(report_template_properties: create(:report_template_properties))
+      end
+
+      it 'uses the field as Dradis Field' do
+        import_csv
+
+        issue = Issue.first
+        expect(issue.fields).to eq({ 'MyTitle' => 'SQL Injection', 'plugin' => 'csv', 'plugin_id' => '1' })
+
+        node = issue.affected.first
+        expect(node.label).to eq('10.0.0.1')
+
+        evidence = node.evidence.first
+        expect(evidence.fields).to eq({ 'Label' => '10.0.0.1', 'Title' => '(No #[Title]# field)', 'MyLocation' => '10.0.0.1' })
+      end
+    end
+
+    context 'when project does not have RTP' do
+      let(:mappings) do
+        {
+          '0' => { 'type' => 'identifier' },
+          '1' => { 'type' => 'issue', 'field' => 'MyTitle' },
+          '3' => { 'type' => 'node', 'field' => '' },
+          '4' => { 'type' => 'evidence', 'field' => 'MyLocation' },
+          '5' => { 'type' => 'evidence', 'field' => '' },
+          '6' => { 'type' => 'issue', 'field' => '' }
+        }
+      end
+
+      it 'uses the column name as Dradis Field' do
+        import_csv
+
+        issue = Issue.first
+        expect(issue.fields).to eq({ 'Title' => 'SQL Injection', 'VulnerabilityCategory' => 'High', 'plugin' => 'csv', 'plugin_id' => '1' })
+
+        node = issue.affected.first
+        expect(node.label).to eq('10.0.0.1')
+
+        evidence = node.evidence.first
+        expect(evidence.fields).to eq({ 'Label' => '10.0.0.1', 'Location' => '10.0.0.1', 'Port' => '443', 'Title' => 'SQL Injection' })
+      end
+
+      it 'strips out whitespace from column header' do
+        import_csv
+
+        issue = Issue.first
+        expect(issue.fields.keys).to include('VulnerabilityCategory')
+      end
+    end
+
+    context 'when mapping does not have a node type' do
+      let(:mappings) do
+        {
+          '0' => { 'type' => 'identifier' },
+          '1' => { 'type' => 'issue' },
+          '4' => { 'type' => 'evidence' }
+        }
+      end
+
+      it 'does not create node and evidence' do
+        import_csv
+
+        issue = Issue.last
+        expect(issue.affected.length).to eq(0)
+        expect(issue.evidence.length).to eq(0)
+      end
+    end
+
+    context 'when no identifier is passed in' do
+      let(:mappings) do
+        {
+          '1' => { 'type' => 'issue' },
+          '4' => { 'type' => 'evidence' }
+        }
+      end
+
+      it 'uses filename and row index as csv_id' do
+        import_csv
+
+        issue = Issue.last
+        expect(issue.fields).to eq({ 'Title' => 'SQL Injection', 'plugin' => 'csv', 'plugin_id' => 'simple.csv-0' })
+      end
+    end
+
+    context 'when no evidence fields' do
+      let(:mappings) do
+        {
+          '0' => { 'type' => 'identifier' },
+          '1' => { 'type' => 'issue', 'field' => 'MyTitle' },
+          '3' => { 'type' => 'node', 'field' => '' }
+        }
+      end
+
+      it 'still creates evidence record' do
+        import_csv
+
+        issue = Issue.first
+        expect(issue.fields).to eq({ 'Title' => 'SQL Injection', 'plugin' => 'csv', 'plugin_id' => '1' })
+
+        node = issue.affected.first
+        expect(node.label).to eq('10.0.0.1')
+
+        evidence = node.evidence.first
+        expect(evidence.content).to eq('')
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-csv
 version: !ruby/object:Gem::Version
-  version: 4.4.0
+  version: 4.5.0
 platform: ruby
 authors:
 - Daniel Martin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-06-13 00:00:00.000000000 Z
+date: 2022-08-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dradis-plugins
@@ -26,34 +26,6 @@ dependencies:
         version: '4.0'
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.6'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.6'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '10.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '10.0'
-- !ruby/object:Gem::Dependency
-  name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -66,17 +38,13 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: This plugin allows you to export your Dradis results in CSV format.
+description: This add-on allows you to upload and parse CSV output into Dradis.
 email:
 - etd@nomejortu.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".github/issue_template.md"
-- ".github/pull_request_template.md"
-- ".gitignore"
-- ".rspec"
 - CHANGELOG.md
 - CHANGELOG.template
 - CONTRIBUTING.md
@@ -84,20 +52,28 @@ files:
 - LICENSE
 - README.md
 - Rakefile
-- app/controllers/dradis/plugins/csv/base_controller.rb
-- app/views/dradis/plugins/csv/export/_index-content.html.erb
-- app/views/dradis/plugins/csv/export/_index-tabs.html.erb
+- app/assets/javascripts/dradis/plugins/csv/manifests/tylium.js
+- app/assets/javascripts/dradis/plugins/csv/upload.js
+- app/assets/stylesheets/dradis/plugins/csv/manifests/tylium.scss
+- app/assets/stylesheets/dradis/plugins/csv/upload.scss
+- app/controllers/dradis/plugins/csv/upload_controller.rb
+- app/jobs/dradis/plugins/csv/mapping_import_job.rb
+- app/views/dradis/plugins/csv/upload/create.js.erb
+- app/views/dradis/plugins/csv/upload/new.html.erb
+- config/initializers/inflections.rb
 - config/routes.rb
 - dradis-csv.gemspec
 - lib/dradis-csv.rb
 - lib/dradis/plugins/csv.rb
 - lib/dradis/plugins/csv/engine.rb
-- lib/dradis/plugins/csv/exporter.rb
 - lib/dradis/plugins/csv/gem_version.rb
+- lib/dradis/plugins/csv/importer.rb
 - lib/dradis/plugins/csv/version.rb
-- lib/tasks/thorfile.rb
-- spec/csv_export_spec.rb
-- spec/spec_helper.rb
+- spec/features/upload_spec.rb
+- spec/fixtures/files/simple.csv
+- spec/fixtures/files/simple_malformed.csv
+- spec/jobs/dradis/plugins/csv/mapping_import_job_spec.rb
+- spec/lib/dradis/plugins/csv/importer_spec.rb
 homepage: http://dradisframework.org
 licenses:
 - GPL-2
@@ -117,10 +93,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.32
+rubygems_version: 3.2.28
 signing_key: 
 specification_version: 4
-summary: CSV export plugin for the Dradis Framework.
+summary: CSV add-on for the Dradis Framework.
 test_files:
-- spec/csv_export_spec.rb
-- spec/spec_helper.rb
+- spec/features/upload_spec.rb
+- spec/fixtures/files/simple.csv
+- spec/fixtures/files/simple_malformed.csv
+- spec/jobs/dradis/plugins/csv/mapping_import_job_spec.rb
+- spec/lib/dradis/plugins/csv/importer_spec.rb

data/.github/issue_template.md

@@ -1,16 +0,0 @@
-### Steps to reproduce
-
-Help us help you, how can we reproduce the problem?
-
-### Expected behavior
-Tell us what should happen
-
-### Actual behavior
-Tell us what happens instead
-
-### System configuration
-**Dradis version**:
-
-**Ruby version**:
-
-**OS version**:

data/.github/pull_request_template.md

@@ -1,36 +0,0 @@
-### Summary
-
-Provide a general description of the code changes in your pull
-request... were there any bugs you had fixed? If so, mention them. If
-these bugs have open GitHub issues, be sure to tag them here as well,
-to keep the conversation linked together.
-
-
-### Other Information
-
-If there's anything else that's important and relevant to your pull
-request, mention that information here. This could include
-benchmarks, or other information.
-
-Thanks for contributing to Dradis!
-
-
-### Copyright assignment
-
-Collaboration is difficult with commercial closed source but we want
-to keep as much of the OSS ethos as possible available to users
-who want to fix it themselves.
-
-In order to unambiguously own and sell Dradis Framework commercial
-products, we must have the copyright associated with the entire
-codebase. Any code you create which is merged must be owned by us.
-That's not us trying to be a jerks, that's just the way it works.
-
-Please review the [CONTRIBUTING.md](https://github.com/dradis/dradis-ce/blob/master/CONTRIBUTING.md)
-file for the details.
-
-You can delete this section, but the following sentence needs to
-remain in the PR's description:
-
-> I assign all rights, including copyright, to any future Dradis
-> work by myself to Security Roots.

data/.gitignore

@@ -1,8 +0,0 @@
-
-# Bundler config
-Gemfile.lock
-/.bundle/
-/vendor/bundle/
-
-# Gem artifacts
-/pkg/

data/.rspec

@@ -1,2 +0,0 @@
---color
--f d

data/app/controllers/dradis/plugins/csv/base_controller.rb

@@ -1,19 +0,0 @@
-module Dradis
-  module Plugins
-    module CSV
-      class BaseController < Dradis::Plugins::Export::BaseController
-
-        def index
-          exporter = Dradis::Plugins::CSV::Exporter.new(export_options)
-          csv      = exporter.export
-
-          send_data csv,
-            disposition: 'inline',
-            filename: "dradis_report-#{Time.now.to_i}.csv",
-            type: 'text/csv'
-        end
-      end
-
-    end
-  end
-end

data/app/views/dradis/plugins/csv/export/_index-content.html.erb

@@ -1,10 +0,0 @@
-<%= content_tag :div, id: 'plugin-csv', class: 'tab-pane fade' do %>
-
-  <%= form_tag project_export_manager_path(current_project), target: '_blank' do %>
-    <%= hidden_field_tag :plugin, :csv %>
-    <%= hidden_field_tag :route, :root %>
-
-    <h4 class="header-underline mb-0">Ready when you are!</h4>
-    <button id="export-button" class="btn btn-lg btn-primary mt-4">Export</button>
-  <% end %>
-<% end%>