hackerone-client 0.2.0 → 0.2.1
- checksums.yaml +4 -4
- data/README.md +20 -3
- data/fixtures/vcr_cassettes/report.yml +12 -0
- data/lib/hackerone/client/report.rb +7 -24
- data/lib/hackerone/client/version.rb +1 -1
- data/lib/hackerone/client/weakness.rb +43 -0
- metadata +3 -2
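--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: eae8f2a0596bfea4752e9fb67a56da8dea4901a9
+data.tar.gz: b891bace9cba415e442d4c6cdbfb095e29da0a6b
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f667e613c0300b4c883b235b6f419c746f6145a0e95c7cf1c7273d71fced66f8f20f57a4299ff43d9346b0ad88da992b0bbf0c45cf140118a1cdb989126e45a9
+data.tar.gz: 67528f88aba28f56c2a8d30dae45f6441e1e39309906521fad94809721bab05612db096fa9ca6b2583fd7be1c1dc17dc61dec20cf45e57141896a374e9b67516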
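--- a/data/README.md
+++ b/data/README.md
@@ -1,9 +1,26 @@
 # Hackerone::Client
 
-A limited client library for interacting with HackerOne. Currently only supports
+A limited client library for interacting with HackerOne. Currently only supports a few operations:
 
-
-
+```ruby
+client = HackerOne::Client::Api.new("github")
+
+# GET`/reports` returns all reports in the "new" state for a given program
+client.reports
+
+# GET `/report/{id}` returns report data for a given report
+client.report(id)
+
+# POST '/report/{id}/state_change change the state of a report
+# `state` can be one of new, triaged, needs-more-info, resolved, not-applicable, informative, duplicate, spam
+client.state_change(id, state)
+
+# POST '/report/{id}/add_report_reference add a "reference" e.g. internal issue number
+client.add_report_reference(id, reference)
+
+# Triage an issue (add a reference and set state to :triaged)
+client.triage(id, reference)
+```
 
 ## Usage
 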
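--- a/data/fixtures/vcr_cassettes/report.yml
+++ b/data/fixtures/vcr_cassettes/report.yml
@@ -207,6 +207,18 @@ http_interactions:
 }
 ]
 },
+"weakness": {
+"data": {
+"id": "1",
+"type": "weakness",
+"attributes": {
+"name": "Cleartext Storage of Sensitive Information",
+"description": "",
+"external_id": "CWE-312",
+"created_at": "2016-01-28T13:34:08.945Z"
+}
+}
+},
 "activities": {
 "data": [
 {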
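--- a/data/lib/hackerone/client/report.rb
+++ b/data/lib/hackerone/client/report.rb
@@ -1,23 +1,9 @@
+require_relative './weakness'
+
 module HackerOne
 module Client
 class Report
 PAYOUT_ACTIVITY_KEY = "activity-bounty-awarded"
-CLASSIFICATION_MAPPING = {
-"None Applicable" => "A0-Other",
-"Denial of Service" => "A0-Other",
-"Memory Corruption" => "A0-Other",
-"Cryptographic Issue" => "A0-Other",
-"Privilege Escalation" => "A0-Other",
-"UI Redressing (Clickjacking)" => "A0-Other",
-"Command Injection" => "A1-Injection",
-"Remote Code Execution" => "A1-Injection",
-"SQL Injection" => "A1-Injection",
-"Authentication" => "A2-AuthSession",
-"Cross-Site Scripting (XSS)" => "A3-XSS",
-"Information Disclosure" => "A6-DataExposure",
-"Cross-Site Request Forgery (CSRF)" => "A8-CSRF",
-"Unvalidated / Open Redirect" => "A10-Redirects"
-}
 
 def initialize(report)
 @report = report
@@ -69,15 +55,12 @@ module HackerOne
 attributes[:vulnerability_information]
 end
 
-
-
-
-def classification_label
-owasp_mapping = vulnerability_types.map do |vuln_type|
-CLASSIFICATION_MAPPING[vuln_type[:attributes][:name]]
-end.flatten.first
+def weakness
+@weakness ||= Weakness.new relationships[:weakness][:data][:attributes]
+end
 
-
+def classification_label
+weakness.to_owasp
 end
 
 # Bounty writeups just use the key, and not the label value.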
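Review bot: `@weakness ||= Weakness.new relationships[:weakness][:data][:attributes]` in the new weakness method indexes three levels deep without a nil check, so a report whose payload carries no weakness relationship raises NoMethodError out of classification_label instead of reaching the OWASP_DEFAULT fallback that to_owasp provides for unmapped CWEs; the fixture gaining a weakness block in this same release suggests the field is not guaranteed to be present. `attrs = relationships.dig(:weakness, :data, :attributes)` followed by `@weakness ||= Weakness.new(attrs) if attrs` keeps the memoisation and yields nil when the relationship is absent, and classification_label can then read `weakness&.to_owasp || Weakness::OWASP_DEFAULT` so the fallback is decided in one place. The Report class continues outside both hunks, and the relationships method the new code calls is not visible here.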
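--- /dev/null
+++ b/data/lib/hackerone/client/weakness.rb
@@ -0,0 +1,43 @@
+module HackerOne
+module Client
+class Weakness
+class << self
+def extract_cwe_number(cwe)
+fail StandardError::ArgumentError unless cwe.upcase.start_with?('CWE-')
+
+cwe.split('CWE-').last.to_i
+end
+end
+
+OWASP_TOP_10_2013_TO_CWE = {
+'A1-Injection' => [77, 78, 88, 89, 90, 91, 564],
+'A2-AuthSession' =>
+[287, 613, 522, 256, 384, 472, 346, 441, 523, 620, 640, 319, 311],
+'A3-XSS' => [79],
+'A4-DirectObjRef' => [639, 99, 22],
+'A5-Misconfig' => [16, 2, 215, 548, 209],
+'A6-DataExposure' => [312, 319, 310, 326, 320, 311, 325, 328, 327],
+'A7-MissingACL' => [285, 287],
+'A8-CSRF' => [352, 642, 613, 346, 441],
+'A9-KnownVuln' => [],
+'A10-Redirects' => [601],
+}.freeze
+
+OWASP_DEFAULT = 'A0-Other'.freeze
+
+def initialize(weakness)
+@attributes = weakness
+end
+
+def to_owasp
+OWASP_TOP_10_2013_TO_CWE.map do |owasp, cwes|
+owasp if cwes.include?(self.class.extract_cwe_number(to_cwe))
+end.compact.first || OWASP_DEFAULT
+end
+
+def to_cwe
+@attributes[:external_id]
+end
+end
+end
+end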
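Review bot: `fail StandardError::ArgumentError` in extract_cwe_number reaches ArgumentError only through a top-level constant lookup scoped under StandardError, which Ruby warns about on the versions current for this release and rejects with NameError from 2.5 onward, so a malformed external_id surfaces as the wrong exception class; `raise ArgumentError, "expected a CWE-NNN identifier, got #{cwe.inspect}"` names it directly and reports what was received. The guard is case-insensitive (`upcase`) while the following `split('CWE-')` is not, so an id such as `cwe-312` passes the check and parses to 0, and should external_id ever be nil the `cwe.upcase` call fails before the guard runs. to_owasp re-parses the CWE number once per category and walks the whole map; parsing once and using `find` makes the first-match rule explicit, which matters because 287, 311, 319, 346, 441 and 613 appear under more than one key and the earlier key always wins — a comment on OWASP_TOP_10_2013_TO_CWE such as `# Order matters: a CWE listed under several categories maps to the first one.` would spare the next reader that surprise. The rewrite below keeps the class interface and the A0-Other default.
```ruby
def extract_cwe_number(cwe)
  id = cwe.to_s.upcase
  raise ArgumentError, "expected a CWE-NNN identifier, got #{cwe.inspect}" unless id.start_with?('CWE-')

  id.split('CWE-').last.to_i
end
# … unchanged: OWASP_TOP_10_2013_TO_CWE, OWASP_DEFAULT, initialize …
def to_owasp
  cwe_number = self.class.extract_cwe_number(to_cwe)
  owasp, = OWASP_TOP_10_2013_TO_CWE.find { |_owasp, cwes| cwes.include?(cwe_number) }
  owasp || OWASP_DEFAULT
end
```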
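--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hackerone-client
 version: !ruby/object:Gem::Version
-version: 0.2.
+version: 0.2.1
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2017-03-
+date: 2017-03-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -142,6 +142,7 @@ files:
 - lib/hackerone/client.rb
 - lib/hackerone/client/report.rb
 - lib/hackerone/client/version.rb
+- lib/hackerone/client/weakness.rb
 homepage: https://github.com/oreoshake/hackerone-client
 licenses:
 - MIT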