hackerone-client 0.2.0 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +20 -3
- data/fixtures/vcr_cassettes/report.yml +12 -0
- data/lib/hackerone/client/report.rb +7 -24
- data/lib/hackerone/client/version.rb +1 -1
- data/lib/hackerone/client/weakness.rb +43 -0
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: eae8f2a0596bfea4752e9fb67a56da8dea4901a9
|
|
4
|
+
data.tar.gz: b891bace9cba415e442d4c6cdbfb095e29da0a6b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f667e613c0300b4c883b235b6f419c746f6145a0e95c7cf1c7273d71fced66f8f20f57a4299ff43d9346b0ad88da992b0bbf0c45cf140118a1cdb989126e45a9
|
|
7
|
+
data.tar.gz: 67528f88aba28f56c2a8d30dae45f6441e1e39309906521fad94809721bab05612db096fa9ca6b2583fd7be1c1dc17dc61dec20cf45e57141896a374e9b67516
|
data/README.md
CHANGED
|
@@ -1,9 +1,26 @@
|
|
|
1
1
|
# Hackerone::Client
|
|
2
2
|
|
|
3
|
-
A limited client library for interacting with HackerOne. Currently only supports
|
|
3
|
+
A limited client library for interacting with HackerOne. Currently only supports a few operations:
|
|
4
4
|
|
|
5
|
-
|
|
6
|
-
|
|
5
|
+
```ruby
|
|
6
|
+
client = HackerOne::Client::Api.new("github")
|
|
7
|
+
|
|
8
|
+
# GET`/reports` returns all reports in the "new" state for a given program
|
|
9
|
+
client.reports
|
|
10
|
+
|
|
11
|
+
# GET `/report/{id}` returns report data for a given report
|
|
12
|
+
client.report(id)
|
|
13
|
+
|
|
14
|
+
# POST '/report/{id}/state_change change the state of a report
|
|
15
|
+
# `state` can be one of new, triaged, needs-more-info, resolved, not-applicable, informative, duplicate, spam
|
|
16
|
+
client.state_change(id, state)
|
|
17
|
+
|
|
18
|
+
# POST '/report/{id}/add_report_reference add a "reference" e.g. internal issue number
|
|
19
|
+
client.add_report_reference(id, reference)
|
|
20
|
+
|
|
21
|
+
# Triage an issue (add a reference and set state to :triaged)
|
|
22
|
+
client.triage(id, reference)
|
|
23
|
+
```
|
|
7
24
|
|
|
8
25
|
## Usage
|
|
9
26
|
|
|
@@ -207,6 +207,18 @@ http_interactions:
|
|
|
207
207
|
}
|
|
208
208
|
]
|
|
209
209
|
},
|
|
210
|
+
"weakness": {
|
|
211
|
+
"data": {
|
|
212
|
+
"id": "1",
|
|
213
|
+
"type": "weakness",
|
|
214
|
+
"attributes": {
|
|
215
|
+
"name": "Cleartext Storage of Sensitive Information",
|
|
216
|
+
"description": "",
|
|
217
|
+
"external_id": "CWE-312",
|
|
218
|
+
"created_at": "2016-01-28T13:34:08.945Z"
|
|
219
|
+
}
|
|
220
|
+
}
|
|
221
|
+
},
|
|
210
222
|
"activities": {
|
|
211
223
|
"data": [
|
|
212
224
|
{
|
|
@@ -1,23 +1,9 @@
|
|
|
1
|
+
require_relative './weakness'
|
|
2
|
+
|
|
1
3
|
module HackerOne
|
|
2
4
|
module Client
|
|
3
5
|
class Report
|
|
4
6
|
PAYOUT_ACTIVITY_KEY = "activity-bounty-awarded"
|
|
5
|
-
CLASSIFICATION_MAPPING = {
|
|
6
|
-
"None Applicable" => "A0-Other",
|
|
7
|
-
"Denial of Service" => "A0-Other",
|
|
8
|
-
"Memory Corruption" => "A0-Other",
|
|
9
|
-
"Cryptographic Issue" => "A0-Other",
|
|
10
|
-
"Privilege Escalation" => "A0-Other",
|
|
11
|
-
"UI Redressing (Clickjacking)" => "A0-Other",
|
|
12
|
-
"Command Injection" => "A1-Injection",
|
|
13
|
-
"Remote Code Execution" => "A1-Injection",
|
|
14
|
-
"SQL Injection" => "A1-Injection",
|
|
15
|
-
"Authentication" => "A2-AuthSession",
|
|
16
|
-
"Cross-Site Scripting (XSS)" => "A3-XSS",
|
|
17
|
-
"Information Disclosure" => "A6-DataExposure",
|
|
18
|
-
"Cross-Site Request Forgery (CSRF)" => "A8-CSRF",
|
|
19
|
-
"Unvalidated / Open Redirect" => "A10-Redirects"
|
|
20
|
-
}
|
|
21
7
|
|
|
22
8
|
def initialize(report)
|
|
23
9
|
@report = report
|
|
@@ -69,15 +55,12 @@ module HackerOne
|
|
|
69
55
|
attributes[:vulnerability_information]
|
|
70
56
|
end
|
|
71
57
|
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
def classification_label
|
|
76
|
-
owasp_mapping = vulnerability_types.map do |vuln_type|
|
|
77
|
-
CLASSIFICATION_MAPPING[vuln_type[:attributes][:name]]
|
|
78
|
-
end.flatten.first
|
|
58
|
+
def weakness
|
|
59
|
+
@weakness ||= Weakness.new relationships[:weakness][:data][:attributes]
|
|
60
|
+
end
|
|
79
61
|
|
|
80
|
-
|
|
62
|
+
def classification_label
|
|
63
|
+
weakness.to_owasp
|
|
81
64
|
end
|
|
82
65
|
|
|
83
66
|
# Bounty writeups just use the key, and not the label value.
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
module HackerOne
|
|
2
|
+
module Client
|
|
3
|
+
class Weakness
|
|
4
|
+
class << self
|
|
5
|
+
def extract_cwe_number(cwe)
|
|
6
|
+
fail StandardError::ArgumentError unless cwe.upcase.start_with?('CWE-')
|
|
7
|
+
|
|
8
|
+
cwe.split('CWE-').last.to_i
|
|
9
|
+
end
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
OWASP_TOP_10_2013_TO_CWE = {
|
|
13
|
+
'A1-Injection' => [77, 78, 88, 89, 90, 91, 564],
|
|
14
|
+
'A2-AuthSession' =>
|
|
15
|
+
[287, 613, 522, 256, 384, 472, 346, 441, 523, 620, 640, 319, 311],
|
|
16
|
+
'A3-XSS' => [79],
|
|
17
|
+
'A4-DirectObjRef' => [639, 99, 22],
|
|
18
|
+
'A5-Misconfig' => [16, 2, 215, 548, 209],
|
|
19
|
+
'A6-DataExposure' => [312, 319, 310, 326, 320, 311, 325, 328, 327],
|
|
20
|
+
'A7-MissingACL' => [285, 287],
|
|
21
|
+
'A8-CSRF' => [352, 642, 613, 346, 441],
|
|
22
|
+
'A9-KnownVuln' => [],
|
|
23
|
+
'A10-Redirects' => [601],
|
|
24
|
+
}.freeze
|
|
25
|
+
|
|
26
|
+
OWASP_DEFAULT = 'A0-Other'.freeze
|
|
27
|
+
|
|
28
|
+
def initialize(weakness)
|
|
29
|
+
@attributes = weakness
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
def to_owasp
|
|
33
|
+
OWASP_TOP_10_2013_TO_CWE.map do |owasp, cwes|
|
|
34
|
+
owasp if cwes.include?(self.class.extract_cwe_number(to_cwe))
|
|
35
|
+
end.compact.first || OWASP_DEFAULT
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def to_cwe
|
|
39
|
+
@attributes[:external_id]
|
|
40
|
+
end
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hackerone-client
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Neil Matatall
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-03-
|
|
11
|
+
date: 2017-03-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -142,6 +142,7 @@ files:
|
|
|
142
142
|
- lib/hackerone/client.rb
|
|
143
143
|
- lib/hackerone/client/report.rb
|
|
144
144
|
- lib/hackerone/client/version.rb
|
|
145
|
+
- lib/hackerone/client/weakness.rb
|
|
145
146
|
homepage: https://github.com/oreoshake/hackerone-client
|
|
146
147
|
licenses:
|
|
147
148
|
- MIT
|