hackerone-client 0.6.0 → 0.7.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -3
- data/README.md +5 -0
- data/fixtures/vcr_cassettes/common_responses.yml +167 -0
- data/lib/hackerone/client/program.rb +11 -0
- data/lib/hackerone/client/resource_helper.rb +35 -0
- data/lib/hackerone/client/version.rb +1 -1
- metadata +5 -3
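--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 19b5c8045568698cffb058a287be354b48252d72
+data.tar.gz: 1a839adb7d84c5c61ac7f019f31a752425c9c3fc
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: eddbaa770af39b40503c29ced0b963b40c673fff48312114f806c040d13fddfd6f24d1cfac1c06f74c6b45ddf3561c9d1228e087ec41d0b2a4144821b0d83350
+data.tar.gz: 0ddc584b516d072e2c8e32f216be16d4e16dc38d39ee99b0e52bf89737a79ec948ccd044c8ef4bf5b1a919c35ffda3a795695955ef46151279af744d88c5b4a0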
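--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+## [0.7.0] - 2017-08-28
+
+- Feature: retrieve common responses (@esjee)
+
 ## [0.6.0] - 2017-07-24
 
 - Feature: comments (internal or not) can be added to reports
@@ -7,14 +11,14 @@
 - Bugfix: structured scopes were not being populated correctly resulting in nil results for all attributes
 
 ## [0.5.1] - 2017-06-26
-
+
 - [Structure scope](https://api.hackerone.com/docs/v1#structured-scope) data added to report object
 
 ## [0.5.0] - 2017-06-23
-
+
 - `report.assign_to_user` and `report.assign_to_group` (@esjee)
 
 ## [0.4.0] - 2017-04-21
-
+
 - `client.reporters` to return all reporters for a given project (@esjee)
 - `HackerOne::Client::Program.find(program_name)` to return information about a given program (@esjee)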
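--- a/data/README.md
+++ b/data/README.md
@@ -31,6 +31,11 @@ client.triage(id, reference)
 
 # GET `/{program}/reporters` returns a list of unique reporters that have reported to your program
 client.reporters
+
+program = HackerOne::Client::Program.find("insert-program-name-here")
+
+# returns all common responses
+program.common_responses
 ```
 
 ## Usage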
@@ -0,0 +1,167 @@
|
|
1
|
+
---
|
2
|
+
http_interactions:
|
3
|
+
- request:
|
4
|
+
method: get
|
5
|
+
uri: https://api.hackerone.com/v1/programs/18969/common_responses?page%5Bnumber%5D=1&page%5Bsize%5D=100
|
6
|
+
body:
|
7
|
+
encoding: US-ASCII
|
8
|
+
string: ''
|
9
|
+
headers:
|
10
|
+
Authorization:
|
11
|
+
- Basic NOPE
|
12
|
+
User-Agent:
|
13
|
+
- Faraday v0.13.0
|
14
|
+
Content-Type:
|
15
|
+
- application/json
|
16
|
+
Accept-Encoding:
|
17
|
+
- gzip;q=1.0,deflate;q=0.6,identity;q=0.3
|
18
|
+
Accept:
|
19
|
+
- "*/*"
|
20
|
+
response:
|
21
|
+
status:
|
22
|
+
code: 200
|
23
|
+
message: OK
|
24
|
+
headers:
|
25
|
+
Date:
|
26
|
+
- Mon, 28 Aug 2017 11:20:40 GMT
|
27
|
+
Content-Type:
|
28
|
+
- application/json; charset=utf-8
|
29
|
+
Transfer-Encoding:
|
30
|
+
- chunked
|
31
|
+
Connection:
|
32
|
+
- keep-alive
|
33
|
+
Set-Cookie:
|
34
|
+
- __cfduid=dafee7223f650cd1e244d455e37ea169f1503919239; expires=Tue, 28-Aug-18
|
35
|
+
11:20:39 GMT; path=/; Domain=api.hackerone.com; HttpOnly
|
36
|
+
X-Request-Id:
|
37
|
+
- 21d28136-7750-4557-83fb-e359b93a941b
|
38
|
+
Etag:
|
39
|
+
- W/"9b1e2aa1721b777df242b64b310c51bb"
|
40
|
+
Cache-Control:
|
41
|
+
- max-age=0, private, must-revalidate
|
42
|
+
Strict-Transport-Security:
|
43
|
+
- max-age=31536000; includeSubDomains; preload
|
44
|
+
Content-Security-Policy:
|
45
|
+
- 'default-src ''none''; base-uri ''self''; block-all-mixed-content; child-src
|
46
|
+
www.youtube-nocookie.com; connect-src ''self'' www.google-analytics.com errors.hackerone.net;
|
47
|
+
font-src ''self''; form-action ''self''; frame-ancestors ''none''; img-src
|
48
|
+
''self'' data: cover-photos.hackerone-user-content.com hackathon-photos.hackerone-user-content.com
|
49
|
+
profile-photos.hackerone-user-content.com hackerone-attachments.s3.amazonaws.com;
|
50
|
+
media-src ''self'' hackerone-attachments.s3.amazonaws.com; script-src ''self''
|
51
|
+
www.google-analytics.com; style-src ''self'' ''unsafe-inline''; report-uri
|
52
|
+
https://errors.hackerone.net/api/30/csp-report/?sentry_key=61c1e2f50d21487c97a071737701f598'
|
53
|
+
Referrer-Policy:
|
54
|
+
- origin-when-cross-origin
|
55
|
+
X-Content-Type-Options:
|
56
|
+
- nosniff
|
57
|
+
X-Download-Options:
|
58
|
+
- noopen
|
59
|
+
X-Frame-Options:
|
60
|
+
- DENY
|
61
|
+
X-Permitted-Cross-Domain-Policies:
|
62
|
+
- none
|
63
|
+
X-Xss-Protection:
|
64
|
+
- 1; mode=block
|
65
|
+
Public-Key-Pins-Report-Only:
|
66
|
+
- pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=";
|
67
|
+
pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q="; pin-sha256="iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0=";
|
68
|
+
pin-sha256="cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A="; pin-sha256="bIlWcjiKq1mftH/xd7Hw1JO77Cr+Gv+XYcGUQWwO+A4=";
|
69
|
+
pin-sha256="tXD+dGAP8rGY4PW1be90cOYEwg7pZ4G+yPZmIZWPTSg="; max-age=600; includeSubDomains;
|
70
|
+
report-uri="https://hackerone.report-uri.io/r/default/hpkp/reportOnly"
|
71
|
+
Server:
|
72
|
+
- cloudflare-nginx
|
73
|
+
Cf-Ray:
|
74
|
+
- 3956e1efab7972f5-AMS
|
75
|
+
body:
|
76
|
+
encoding: ASCII-8BIT
|
77
|
+
string: '{"data":[{"id":"108878","attributes":{"title":"Vulnerability Scanner
|
78
|
+
False Positive","message":"Automated vulnerability scanners commonly have
|
79
|
+
low priority issues and/or false positives. Before submitting the results
|
80
|
+
from a scanner, please take a moment to confirm that the reported issues are
|
81
|
+
actually valid and exploitable. Please reply if you have a working proof-of-concept
|
82
|
+
or reason to believe that this issue is exploitable.\n"}},{"id":"108879","attributes":{"title":"No
|
83
|
+
Security Implications","message":"Based on your initial description, there
|
84
|
+
do not appear to be any security implications as a direct result of this behavior.
|
85
|
+
If you disagree, please reply with additional information describing your
|
86
|
+
reasoning. Including a working proof-of-concept can be incredibly helpful
|
87
|
+
in our assessment of these claims.\n"}},{"id":"108880","attributes":{"title":"Language
|
88
|
+
Barrier","message":"Sorry, I''m having a difficult time understanding this
|
89
|
+
report. Please reply with a proof of concept and more technical details about
|
90
|
+
the vulnerability, the impact of this vulnerability and any suggested fixes
|
91
|
+
for this vulnerability. Including screenshots or a short video can be worth
|
92
|
+
a thousand words. If you don''t speak English, feel free to leave your report
|
93
|
+
in your own language, and we''ll try our best to find someone who can help
|
94
|
+
translate.\n"}},{"id":"108881","attributes":{"title":"Logout cross-site request
|
95
|
+
forgery","message":"For better or worse, the design of HTTP cookies means
|
96
|
+
that no single website can prevent its users from being logged out; consequently,
|
97
|
+
application-specific ways of achieving this goal will likely not qualify.
|
98
|
+
You may be interested in personal blog posts from Chris Evans (https://scarybeastsecurity.blogspot.com/2010/01/logout-xsrf-significant-web-app-bug.html)
|
99
|
+
and Michal Zalewski (https://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html)
|
100
|
+
for more background.\n"}},{"id":"108882","attributes":{"title":"Open Redirect","message":"We
|
101
|
+
recognize that the address bar is the only reliable security indicator in
|
102
|
+
modern browsers. As a result, we typically do not treat arbitrary URL redirection
|
103
|
+
behavior (\"Open Redirects\") as a security vulnerability unless you are able
|
104
|
+
to demonstrate risks that do not depend upon social engineering.\n"}},{"id":"108883","attributes":{"title":"Strict-Transport-Security
|
105
|
+
Not Necessary On This Domain","message":"Automated vulnerability scanners
|
106
|
+
commonly have low priority issues and/or false positives. Before submitting
|
107
|
+
the results from a scanner, please take a moment to confirm that the reported
|
108
|
+
issues are actually valid and exploitable. In this specific case, the `Strict-Transport-Security`
|
109
|
+
header is not suitable for the domain in question because it is intentionally
|
110
|
+
accessible over both HTTP and HTTPS. If we ever migrate to 100% HTTPS on this
|
111
|
+
domain, we''ll consider enabling the header at that time.\n"}},{"id":"108884","attributes":{"title":"Cookie
|
112
|
+
Missing HttpOnly","message":"Automated vulnerability scanners commonly have
|
113
|
+
low priority issues and/or false positives. Before submitting the results
|
114
|
+
from a scanner, please take a moment to confirm that the reported issues are
|
115
|
+
actually valid and exploitable. In this specific case, many cookies intentionally
|
116
|
+
lack the `HttpOnly` flag so that they can be accessed from JavaScript. This
|
117
|
+
only introduces a potential risk if the cookie in question contains session
|
118
|
+
data or other sensitive information.\n"}},{"id":"108885","attributes":{"title":"Cookie
|
119
|
+
Missing Secure","message":"Automated vulnerability scanners commonly have
|
120
|
+
low priority issues and/or false positives. Before submitting the results
|
121
|
+
from a scanner, please take a moment to confirm that the reported issues are
|
122
|
+
actually valid and exploitable. In this specific case, many cookies intentionally
|
123
|
+
lack the `secure` flag so that they can be accessed from HTTP pages. This
|
124
|
+
only introduces a potential risk if the cookie in question contains sensitive
|
125
|
+
information that must be served over HTTPS.\n"}},{"id":"108886","attributes":{"title":"X-XSS-Protection","message":"Automated
|
126
|
+
vulnerability scanners commonly have low priority issues and/or false positives.
|
127
|
+
Before submitting the results from a scanner, please take a moment to confirm
|
128
|
+
that the reported issues are actually valid and exploitable. In this specific
|
129
|
+
case, we believe that the default state of the `X-XSS-Protection` header is
|
130
|
+
sufficient for our purposes. Please reply if you have a working proof-of-concept
|
131
|
+
that could be mitigated by an adjustment to our header.\n"}},{"id":"108887","attributes":{"title":"X-Content-Type-Options:
|
132
|
+
nosniff","message":"Automated vulnerability scanners commonly have low priority
|
133
|
+
issues and/or false positives. Before submitting the results from a scanner,
|
134
|
+
please take a moment to confirm that the reported issues are actually valid
|
135
|
+
and exploitable. In this specific case, the `X-Content-Type-Options: nosniff`
|
136
|
+
header is only necessary on endpoints that serve untrusted user content. Please
|
137
|
+
reply if you have a working proof-of-concept or reason to believe that this
|
138
|
+
issue is exploitable.\n"}},{"id":"108888","attributes":{"title":"X-Frame-Options
|
139
|
+
/ Clickjacking","message":"The lack of X-Frame-Options does not always indicate
|
140
|
+
that a security vulnerability is present. This is an optional header that
|
141
|
+
is only necessary on endpoints where there UI is rendered to invoke state
|
142
|
+
changing actions. We recommend reading this informative post by David Ross:
|
143
|
+
https://plus.google.com/u/0/+DavidRossX/posts/jVrtTRd5yKP\n"}},{"id":"108889","attributes":{"title":"Autocomplete","message":"We
|
144
|
+
intentionally leave autocomplete enabled as we believe that all modern browsers
|
145
|
+
now handle local form completion in a reasonably sane manner. Autocomplete
|
146
|
+
enables individuals to use stronger passwords and makes them less susceptible
|
147
|
+
to phishing attacks. These benefits greatly outweigh the minor risk here.
|
148
|
+
If you disagree, we encourage you to also read this post: https://blog.0xbadc0de.be/archives/124\n"}},{"id":"108890","attributes":{"title":"SSL
|
149
|
+
- RC4 / BEAST Information","message":"Automated vulnerability scanners commonly
|
150
|
+
have low priority issues and/or false positives. Before submitting the results
|
151
|
+
from a scanner, please take a moment to confirm that the reported issues are
|
152
|
+
actually valid and exploitable. In this instance, we intentionally use RC4
|
153
|
+
when the client is connecting with TLS 1.0 and earlier as an effective mitigation
|
154
|
+
against the \"BEAST\" attack. For clients that support TLS 1.1 and higher,
|
155
|
+
we prioritize non-RC4 ciphers. We believe that this is consistent with current
|
156
|
+
industry best practices. For more information, please review this post: https://blog.cloudflare.com/killing-rc4\nThis
|
157
|
+
combination most effectively balances the competing risks associated with
|
158
|
+
weaker RC4 ciphers and the BEAST attack scenario.\n"}},{"id":"108891","attributes":{"title":"Video
|
159
|
+
Without Content","message":"Using a video to demonstrate a potential issue
|
160
|
+
should only be necessary in rare situations and should always be accompanied
|
161
|
+
with a text description of the issue as well. Please update this report with
|
162
|
+
step-by-step instructions to reproduce the core components of the issue. If
|
163
|
+
you don''t speak English, feel free to leave your report in your own language,
|
164
|
+
and we''ll try our best to find someone who can help translate.\n"}}],"links":{}}'
|
165
|
+
http_version:
|
166
|
+
recorded_at: Mon, 28 Aug 2017 11:20:40 GMT
|
167
|
+
recorded_with: VCR 3.0.3
|
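--- a/data/lib/hackerone/client/program.rb
+++ b/data/lib/hackerone/client/program.rb
@@ -1,6 +1,10 @@
+require_relative './resource_helper'
+
 module HackerOne
 module Client
 class Program
+include ResourceHelper
+
 delegate :handle, to: :attributes
 
 def self.find(program_handle_we_want)
@@ -37,6 +41,13 @@ module HackerOne
 groups.find { |group| group.name == groupname }
 end
 
+def common_responses(page_number: 1, page_size: 100)
+make_get_request(
+"programs/#{id}/common_responses",
+params: { page: { number: page_number, size: page_size } }
+)
+end
+
 private
 
 def members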
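--- a/data/lib/hackerone/client/resource_helper.rb
+++ b/data/lib/hackerone/client/resource_helper.rb
@@ -0,0 +1,35 @@
+module HackerOne
+module Client
+module ResourceHelper
+def parse_response(response)
+HackerOne::Client::Api.parse_response(response)
+end
+
+def make_post_request(url, request_body:)
+response = HackerOne::Client::Api.hackerone_api_connection.post do |req|
+req.headers['Content-Type'] = 'application/json'
+req.url url
+req.body = { data: request_body }.to_json
+end
+
+parse_response(response)
+end
+
+def make_get_request(url, params: {})
+response = HackerOne::Client::Api.hackerone_api_connection.get do |req|
+req.headers['Content-Type'] = 'application/json'
+req.url url
+req.params = params
+end
+
+parse_response(response)
+end
+
+private
+
+def api_connection
+HackerOne::Client::Api.hackerone_api_connection
+end
+end
+end
+end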
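Review bot: The private `api_connection` helper on new lines 30-32 is never called; both request methods reach for `HackerOne::Client::Api.hackerone_api_connection` directly on lines 9 and 19, so the helper is dead code and the two call sites will drift from it. Either drop it or route both through it: `response = api_connection.post do |req|` and `response = api_connection.get do |req|`. `make_get_request` also sets `Content-Type: application/json` on a body-less GET (line 20), which is harmless but misleading; the `Accept` header is what a GET of a JSON resource would normally declare. Line 12 calls `to_json` without a `require 'json'` in this file, so it presumably relies on the library being loaded elsewhere — worth confirming. The module itself has no doc comment; a one-liner such as `# Thin Faraday request/response helpers mixed into API resource classes.` above line 3 would orient readers.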
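--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hackerone-client
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.7.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2017-
+date: 2017-08-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -142,6 +142,7 @@ files:
 - fixtures/vcr_cassettes/assign_report_to_nobody_no_permission.yml
 - fixtures/vcr_cassettes/assign_report_to_user.yml
 - fixtures/vcr_cassettes/assign_report_to_user_no_permission.yml
+- fixtures/vcr_cassettes/common_responses.yml
 - fixtures/vcr_cassettes/empty_report_list.yml
 - fixtures/vcr_cassettes/missing_report.yml
 - fixtures/vcr_cassettes/programs.yml
@@ -159,6 +160,7 @@ files:
 - lib/hackerone/client/program.rb
 - lib/hackerone/client/report.rb
 - lib/hackerone/client/reporter.rb
+- lib/hackerone/client/resource_helper.rb
 - lib/hackerone/client/structured_scope.rb
 - lib/hackerone/client/user.rb
 - lib/hackerone/client/version.rb
@@ -183,7 +185,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.
+rubygems_version: 2.4.5.1
 signing_key:
 specification_version: 4
 summary: A limited client for the HackerOne API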