PyPI - pyntcli - Versions diffs - 0.1.71__py3-none-any.whl → 0.1.73__py3-none-any.whl - Mend

pyntcli 0.1.71py3-none-any.whl → 0.1.73py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

pyntcli/__init__.py +1 -1
pyntcli/commands/burp.py +311 -0
pyntcli/commands/command.py +154 -63
pyntcli/commands/har.py +62 -25
pyntcli/commands/listen.py +140 -71
pyntcli/commands/newman.py +81 -33
pyntcli/commands/postman.py +1 -1
pyntcli/commands/pynt_cmd.py +2 -1
pyntcli/commands/root.py +44 -23
pyntcli/main.py +28 -20
pyntcli/transport/pynt_requests.py +21 -9
pyntcli/ui/ui_thread.py +4 -0
{pyntcli-0.1.71.dist-info → pyntcli-0.1.73.dist-info}/METADATA +2 -1
{pyntcli-0.1.71.dist-info → pyntcli-0.1.73.dist-info}/RECORD +17 -16
{pyntcli-0.1.71.dist-info → pyntcli-0.1.73.dist-info}/WHEEL +1 -1
{pyntcli-0.1.71.dist-info → pyntcli-0.1.73.dist-info}/entry_points.txt +0 -0
{pyntcli-0.1.71.dist-info → pyntcli-0.1.73.dist-info}/top_level.txt +0 -0

pyntcli/__init__.py CHANGED Viewed

	@@ -1 +1 @@
1	- __version__ = "0.1.71"
1	+ __version__ = "0.1.73"

pyntcli/commands/burp.py ADDED Viewed

@@ -0,0 +1,311 @@
+import argparse
+from copy import deepcopy
+import os
+import webbrowser
+from http import HTTPStatus
+import time
+import tempfile
+import json
+from subprocess import Popen, PIPE
+from functools import partial
+import xmltodict
+import base64
+from xml.parsers.expat import ExpatError
+from pyntcli.pynt_docker import pynt_container
+from pyntcli.ui import ui_thread
+from pyntcli.commands import util, sub_command
+from pyntcli.ui import report as cli_reporter
+from pyntcli.transport import pynt_requests
+methods = [
+    "get",
+    "post",
+    "put",
+    "delete",
+    "patch",
+    "options",
+    "head",
+    "trace",
+    "connect",
+]
+def is_valid_method(method: str):
+    if method.lower() in methods:
+        return True
+    return False
+def replay_req(item, proxy_port):
+    url = item["url"]
+    decoded_req = base64.b64decode(item["request"]["#text"]).decode("utf-8")
+    method = decoded_req.split("\r\n")[0].split(" ")[0]
+    if not is_valid_method(method):
+        return
+    lines = decoded_req.split("\r\n")
+    if len(lines) < 2:
+        return
+    headers = {}
+    for line in lines[1:]:
+        if not line:
+            break
+        if ": " not in line:
+            break
+        key, value = line.split(": ")
+        headers[key] = value
+    body = decoded_req.split("\r\n\r\n")[1]
+    pynt_requests.request_from_xml(
+        method=method,
+        url=url,
+        headers=headers,
+        data=body,
+        proxies={
+            "http": "0.0.0.0:{}".format(proxy_port),
+            "https": "0.0.0.0:{}".format(proxy_port),
+        },
+    )
+def run_burp_xml(doc, proxy_port):
+    items = doc["items"]["item"]
+    if isinstance(items, dict):
+        replay_req(item=items, proxy_port=proxy_port)
+    else:
+        [replay_req(i, proxy_port=proxy_port) for i in doc["items"]["item"]]
+def parse_xml(xml_path):
+    try:
+        with open(xml_path) as fd:
+            return xmltodict.parse(fd.read())
+    except ExpatError:
+        return None
+def is_valid_xml(doc) -> bool:
+    return "items" in doc
+def burp_usage():
+    return (
+        ui_thread.PrinterText(
+            "Burp integration to Pynt. Run a security scan with a given burp xml output file."
+        )
+        .with_line("")
+        .with_line("Usage:", style=ui_thread.PrinterText.HEADER)
+        .with_line("\tpynt burp [OPTIONS]")
+        .with_line("")
+        .with_line("Options:", style=ui_thread.PrinterText.HEADER)
+        .with_line("\t--xml - Path to the xml to run tests on")
+        .with_line("\t--port - Set the port pynt will listen to (DEFAULT: 5001)")
+        .with_line("\t--ca-path - The path to the CA file in PEM format")
+        .with_line(
+            "\t--proxy-port - Set the port proxied traffic should be routed to (DEFAULT: 6666)"
+        )
+        .with_line(
+            "\t--report - If present will save the generated report in this path."
+        )
+        .with_line("\t--insecure - Use when target uses self signed certificates")
+        .with_line(
+            "\t--application-id - Attach the scan to an application, you can find the ID in your applications area at app.pynt.io"
+        )
+        .with_line(
+            "\t--host-ca - Path to the CA file in PEM format to enable SSL certificate verification for pynt when running through a VPN."
+        )
+        .with_line(
+            "\t--return-error - 'all-findings' (warnings, or errors), 'errors-only', 'never' (default), "
+        )
+    )
+class BurpCommand(sub_command.PyntSubCommand):
+    def __init__(self, name) -> None:
+        super().__init__(name)
+        self.scan_id = ""
+        self.proxy_sleep_interval = 2
+        self.proxy_healthcheck_buffer = 10
+        self.proxy_server_base_url = "http://localhost:{}/api"
+    def print_usage(self, *args):
+        ui_thread.print(burp_usage())
+    def add_cmd(self, parent: argparse._SubParsersAction) -> argparse.ArgumentParser:
+        burp_cmd = parent.add_parser(self.name)
+        burp_cmd.add_argument("--port", "-p", help="", type=int, default=5001)
+        burp_cmd.add_argument("--proxy-port", help="", type=int, default=6666)
+        burp_cmd.add_argument("--xml", help="", default="", required=True)
+        burp_cmd.add_argument("--ca-path", type=str, default="")
+        burp_cmd.add_argument("--report", type=str, default="")
+        burp_cmd.add_argument(
+            "--return-error",
+            choices=["all-findings", "errors-only", "never"],
+            default="never",
+        )
+        burp_cmd.print_usage = self.print_usage
+        burp_cmd.print_help = self.print_usage
+        return burp_cmd
+    def _updated_environment(self, args):
+        env_copy = deepcopy(os.environ)
+        return env_copy.update(
+            {
+                "HTTP_PROXY": "http://localhost:{}".format(args.proxy_port),
+                "HTTPS_PROXY": "http://localhost:{}".format(args.proxy_port),
+            }
+        )
+    def _start_proxy(self, args):
+        res = pynt_requests.put(
+            self.proxy_server_base_url.format(args.port) + "/proxy/start"
+        )
+        res.raise_for_status()
+        self.scan_id = res.json()["scanId"]
+    def _stop_proxy(self, args):
+        start = time.time()
+        while start + self.proxy_healthcheck_buffer > time.time():
+            res = pynt_requests.put(
+                self.proxy_server_base_url.format(args.port) + "/proxy/stop",
+                json={"scanId": self.scan_id},
+            )
+            if res.status_code == HTTPStatus.OK:
+                return
+            time.sleep(self.proxy_sleep_interval)
+        raise TimeoutError()
+    def _get_report(self, args, report_format):
+        while True:
+            res = pynt_requests.get(
+                self.proxy_server_base_url.format(args.port)
+                + "/report?format={}".format(report_format),
+                params={"scanId": self.scan_id},
+            )
+            if res.status_code == HTTPStatus.OK:
+                return res.text
+            if res.status_code == HTTPStatus.ACCEPTED:
+                time.sleep(self.proxy_sleep_interval)
+                continue
+            if res.status_code == 517:  # pynt did not recieve any requests
+                ui_thread.print(
+                    ui_thread.PrinterText(
+                        res.json()["message"], ui_thread.PrinterText.WARNING
+                    )
+                )
+                return
+            ui_thread.print("Error in polling for scan report: {}".format(res.text))
+            return
+    def run_cmd(self, args: argparse.Namespace):
+        container = pynt_container.get_container_with_arguments(
+            args,
+            pynt_container.PyntDockerPort(args.port, args.port, "--port"),
+            pynt_container.PyntDockerPort(
+                args.proxy_port, args.proxy_port, "--proxy-port"
+            ),
+        )
+        if "ca_path" in args and args.ca_path:
+            if not os.path.isfile(args.ca_path):
+                ui_thread.print(
+                    ui_thread.PrinterText(
+                        "Could not find the provided ca path, please provide with a valid path",
+                        ui_thread.PrinterText.WARNING,
+                    )
+                )
+                return
+            ca_name = os.path.basename(args.ca_path)
+            container.docker_arguments += ["--ca-path", ca_name]
+            container.mounts.append(
+                pynt_container.create_mount(
+                    os.path.abspath(args.ca_path), "/etc/pynt/{}".format(ca_name)
+                )
+            )
+        if not os.path.isfile(args.xml):
+            ui_thread.print(
+                ui_thread.PrinterText(
+                    "Could not find the provided xml path, please provide with a valid xml path",
+                    ui_thread.PrinterText.WARNING,
+                )
+            )
+            return
+        doc = parse_xml(args.xml)
+        if not doc:
+            ui_thread.print(
+                ui_thread.PrinterText(
+                    "Invalid file format. please provide a valid xml",
+                    ui_thread.PrinterText.WARNING,
+                )
+            )
+            return
+        if not is_valid_xml(doc):
+            ui_thread.print(
+                ui_thread.PrinterText(
+                    "Invalid xml file. please provide a valid xml output generated from burp",
+                    ui_thread.PrinterText.WARNING,
+                )
+            )
+            return
+        proxy_docker = pynt_container.PyntContainer(
+            image_name=pynt_container.PYNT_DOCKER_IMAGE,
+            tag="proxy-latest",
+            detach=True,
+            base_container=container,
+        )
+        proxy_docker.run()
+        ui_thread.print_generator(proxy_docker.stdout)
+        util.wait_for_healthcheck("http://localhost:{}".format(args.port))
+        self._start_proxy(args)
+        run_burp_xml(doc, args.proxy_port)
+        self._stop_proxy(args)
+        with ui_thread.progress(
+            "ws://localhost:{}/progress?scanId={}".format(args.port, self.scan_id),
+            partial(lambda *args: None),
+            "scan in progress...",
+            100,
+        ):
+            html_report = self._get_report(args, "html")
+            html_report_path = os.path.join(
+                tempfile.gettempdir(), "pynt_report_{}.html".format(int(time.time()))
+            )
+            json_report = self._get_report(args, "json")
+            json_report_path = os.path.join(
+                tempfile.gettempdir(), "pynt_report_{}.json".format(int(time.time()))
+            )
+            if "report" in args and args.report:
+                full_path = os.path.abspath(args.report)
+                html_report_path = util.get_user_report_path(full_path, "html")
+                json_report_path = util.get_user_report_path(full_path, "json")
+            if html_report:
+                with open(html_report_path, "w") as html_file:
+                    html_file.write(html_report)
+                webbrowser.open("file://{}".format(html_report_path))
+            if json_report:
+                with open(json_report_path, "w") as json_file:
+                    json_file.write(json_report)
+                reporter = cli_reporter.PyntReporter(json_report_path)
+                reporter.print_summary()
+            if json_report:
+                json_obj = json.loads(json_report)
+                if json_obj:
+                    util.check_for_findings_or_warnings(args, json_obj)

pyntcli/commands/command.py CHANGED Viewed

@@ -16,127 +16,219 @@ from pyntcli.ui import report as cli_reporter
 from pyntcli.transport import pynt_requests
 def command_usage():
-    return ui_thread.PrinterText("Command integration to Pynt. Run a security scan with a given command.") \
-        .with_line("") \
-        .with_line("Usage:",style=ui_thread.PrinterText.HEADER) \
-        .with_line("\tpynt command [OPTIONS]") \
-        .with_line("") \
-        .with_line("Options:",style=ui_thread.PrinterText.HEADER) \
-        .with_line("\t--cmd - The command that runs the functional tests") \
-        .with_line("\t--port - Set the port pynt will listen to (DEFAULT: 5001)") \
-        .with_line("\t--allow-errors - If present will allow command to fail and continue execution") \
-        .with_line("\t--ca-path - The path to the CA file in PEM format") \
-        .with_line("\t--proxy-port - Set the port proxied traffic should be routed to (DEFAULT: 6666)") \
-        .with_line("\t--report - If present will save the generated report in this path.") \
-        .with_line("\t--insecure - use when target uses self signed certificates") \
-        .with_line("\t--host-ca - path to the CA file in PEM format to enable SSL certificate verification for pynt when running through a VPN.") \
-        .with_line("\t--return-error - 'all-findings' (warnings, or errors), 'errors-only', 'never' (default), ")
-class CommandSubCommand(sub_command.PyntSubCommand):
+    return (
+        ui_thread.PrinterText(
+            "Command integration to Pynt. Run a security scan with a given command."
+        )
+        .with_line("")
+        .with_line("Usage:", style=ui_thread.PrinterText.HEADER)
+        .with_line("\tpynt command [OPTIONS]")
+        .with_line("")
+        .with_line("Options:", style=ui_thread.PrinterText.HEADER)
+        .with_line("\t--cmd - The command that runs the functional tests")
+        .with_line(
+            '\t--captured-domains - Pynt will scan only these domains and subdomains. For all domains write "*"'
+        )
+        .with_line("\t--port - Set the port pynt will listen to (DEFAULT: 5001)")
+        .with_line(
+            "\t--allow-errors - If present will allow command to fail and continue execution"
+        )
+        .with_line("\t--ca-path - The path to the CA file in PEM format")
+        .with_line(
+            "\t--proxy-port - Set the port proxied traffic should be routed to (DEFAULT: 6666)"
+        )
+        .with_line(
+            "\t--report - If present will save the generated report in this path."
+        )
+        .with_line("\t--insecure - Use when target uses self signed certificates")
+        .with_line(
+            "\t--application-id - Attach the scan to an application, you can find the ID in your applications area at app.pynt.io"
+        )
+        .with_line(
+            "\t--host-ca - Path to the CA file in PEM format to enable SSL certificate verification for pynt when running through a VPN."
+        )
+        .with_line(
+            "\t--return-error - 'all-findings' (warnings, or errors), 'errors-only', 'never' (default), "
+        )
+    )
+class CommandSubCommand(sub_command.PyntSubCommand):
     def __init__(self, name) -> None:
         super().__init__(name)
         self.scan_id = ""
         self.proxy_sleep_interval = 2
         self.proxy_healthcheck_buffer = 10
         self.proxy_server_base_url = "http://localhost:{}/api"
     def print_usage(self, *args):
         ui_thread.print(command_usage())
     def add_cmd(self, parent: argparse._SubParsersAction) -> argparse.ArgumentParser:
         proxy_cmd = parent.add_parser(self.name)
         proxy_cmd.add_argument("--port", "-p", help="", type=int, default=5001)
-        proxy_cmd.add_argument("--proxy-port", help="", type=int, default=6666)
+        proxy_cmd.add_argument("--proxy-port", help="", type=int, default=6666)
         proxy_cmd.add_argument("--cmd", help="", default="", required=True)
+        proxy_cmd.add_argument(
+            "--captured-domains", nargs="+", help="", default="", required=False
+        )
         proxy_cmd.add_argument("--allow-errors", action="store_true")
         proxy_cmd.add_argument("--ca-path", type=str, default="")
         proxy_cmd.add_argument("--report", type=str, default="")
-        proxy_cmd.add_argument('--return-error', choices=['all-findings', 'errors-only', 'never'], default='never')
+        proxy_cmd.add_argument(
+            "--return-error",
+            choices=["all-findings", "errors-only", "never"],
+            default="never",
+        )
         proxy_cmd.print_usage = self.print_usage
         proxy_cmd.print_help = self.print_usage
         return proxy_cmd
     def _updated_environment(self, args):
         env_copy = deepcopy(os.environ)
-        return env_copy.update({"HTTP_PROXY": "http://localhost:{}".format(args.proxy_port),
-                                "HTTPS_PROXY": "http://localhost:{}".format(args.proxy_port)})
+        return env_copy.update(
+            {
+                "HTTP_PROXY": "http://localhost:{}".format(args.proxy_port),
+                "HTTPS_PROXY": "http://localhost:{}".format(args.proxy_port),
+            }
+        )
     def _start_proxy(self, args):
-        res = pynt_requests.put(self.proxy_server_base_url.format(args.port) + "/proxy/start")
+        res = pynt_requests.put(
+            self.proxy_server_base_url.format(args.port) + "/proxy/start"
+        )
         res.raise_for_status()
         self.scan_id = res.json()["scanId"]
     def _stop_proxy(self, args):
         start = time.time()
-        while start + self.proxy_healthcheck_buffer > time.time():
-            res = pynt_requests.put(self.proxy_server_base_url.format(args.port) + "/proxy/stop", json={"scanId": self.scan_id})
-            if res.status_code == HTTPStatus.OK:
-                return
+        while start + self.proxy_healthcheck_buffer > time.time():
+            res = pynt_requests.put(
+                self.proxy_server_base_url.format(args.port) + "/proxy/stop",
+                json={"scanId": self.scan_id},
+            )
+            if res.status_code == HTTPStatus.OK:
+                return
             time.sleep(self.proxy_sleep_interval)
         raise TimeoutError()
-    def _get_report(self, args,report_format):
-        while True:
-            res = pynt_requests.get(self.proxy_server_base_url.format(args.port) + "/report?format={}".format(report_format), params={"scanId": self.scan_id})
+    def _get_report(self, args, report_format):
+        while True:
+            res = pynt_requests.get(
+                self.proxy_server_base_url.format(args.port)
+                + "/report?format={}".format(report_format),
+                params={"scanId": self.scan_id},
+            )
             if res.status_code == HTTPStatus.OK:
                 return res.text
             if res.status_code == HTTPStatus.ACCEPTED:
                 time.sleep(self.proxy_sleep_interval)
                 continue
-            if res.status_code == 517: #pynt did not recieve any requests
-                ui_thread.print(ui_thread.PrinterText(res.json()["message"], ui_thread.PrinterText.WARNING))
-                return
+            if res.status_code == 517:  # pynt did not recieve any requests
+                ui_thread.print(
+                    ui_thread.PrinterText(
+                        res.json()["message"], ui_thread.PrinterText.WARNING
+                    )
+                )
+                return
             ui_thread.print("Error in polling for scan report: {}".format(res.text))
-            return
+            return
     def run_cmd(self, args: argparse.Namespace):
-        container = pynt_container.get_container_with_arguments(args, pynt_container.PyntDockerPort(args.port, args.port, "--port"),
-                                                                                                pynt_container.PyntDockerPort(args.proxy_port, args.proxy_port, "--proxy-port"))
+        container = pynt_container.get_container_with_arguments(
+            args,
+            pynt_container.PyntDockerPort(args.port, args.port, "--port"),
+            pynt_container.PyntDockerPort(
+                args.proxy_port, args.proxy_port, "--proxy-port"
+            ),
+        )
+        if args.captured_domains:
+            for host in args.captured_domains:
+                container.docker_arguments += ["--host-targets", host]
         if "ca_path" in args and args.ca_path:
             if not os.path.isfile(args.ca_path):
-                ui_thread.print(ui_thread.PrinterText("Could not find the provided ca path, please provide with a valid path", ui_thread.PrinterText.WARNING))
+                ui_thread.print(
+                    ui_thread.PrinterText(
+                        "Could not find the provided ca path, please provide with a valid path",
+                        ui_thread.PrinterText.WARNING,
+                    )
+                )
                 return
             ca_name = os.path.basename(args.ca_path)
             container.docker_arguments += ["--ca-path", ca_name]
-            container.mounts.append(pynt_container.create_mount(os.path.abspath(args.ca_path), "/etc/pynt/{}".format(ca_name)))
-        proxy_docker = pynt_container.PyntContainer(image_name=pynt_container.PYNT_DOCKER_IMAGE,
-                                    tag="proxy-latest",
-                                    detach=True,
-                                    base_container=container)
+            container.mounts.append(
+                pynt_container.create_mount(
+                    os.path.abspath(args.ca_path), "/etc/pynt/{}".format(ca_name)
+                )
+            )
+        proxy_docker = pynt_container.PyntContainer(
+            image_name=pynt_container.PYNT_DOCKER_IMAGE,
+            tag="proxy-latest",
+            detach=True,
+            base_container=container,
+        )
         proxy_docker.run()
         ui_thread.print_generator(proxy_docker.stdout)
         util.wait_for_healthcheck("http://localhost:{}".format(args.port))
-        self._start_proxy(args)
-        user_process = Popen(args.cmd, shell=True, stdout=PIPE, stderr=PIPE, env=self._updated_environment(args))
+        if args.captured_domains:
+            ui_thread.print(
+                "\nWill scan APIs that belong to {} domains only".format(
+                    args.captured_domains
+                )
+            )
+        self._start_proxy(args)
+        user_process = Popen(
+            args.cmd,
+            shell=True,
+            stdout=PIPE,
+            stderr=PIPE,
+            env=self._updated_environment(args),
+        )
         ui_thread.print_generator(user_process.stdout)
         ui_thread.print_generator(user_process.stderr)
         rc = user_process.wait()
         if rc != 0 and not args.allow_errors:
             proxy_docker.stop()
-            ui_thread.print(ui_thread.PrinterText("Command finished with error return code {}, If you wish Pynt to run anyway, run with --allow-errors".format(rc)))
+            ui_thread.print(
+                ui_thread.PrinterText(
+                    "Command finished with error return code {}, If you wish Pynt to run anyway, run with --allow-errors".format(
+                        rc
+                    )
+                )
+            )
             return
         self._stop_proxy(args)
-        with ui_thread.progress("ws://localhost:{}/progress?scanId={}".format(args.port, self.scan_id),partial(lambda *args: None), "scan in progress...", 100):
-            html_report = self._get_report(args,"html")
-            html_report_path = os.path.join(tempfile.gettempdir(), "pynt_report_{}.html".format(int(time.time())))
-            json_report = self._get_report(args,"json")
-            json_report_path = os.path.join(tempfile.gettempdir(), "pynt_report_{}.json".format(int(time.time())))
+        with ui_thread.progress(
+            "ws://localhost:{}/progress?scanId={}".format(args.port, self.scan_id),
+            partial(lambda *args: None),
+            "scan in progress...",
+            100,
+        ):
+            html_report = self._get_report(args, "html")
+            html_report_path = os.path.join(
+                tempfile.gettempdir(), "pynt_report_{}.html".format(int(time.time()))
+            )
+            json_report = self._get_report(args, "json")
+            json_report_path = os.path.join(
+                tempfile.gettempdir(), "pynt_report_{}.json".format(int(time.time()))
+            )
             if "report" in args and args.report:
                 full_path = os.path.abspath(args.report)
-                html_report_path = util.get_user_report_path(full_path,"html")
-                json_report_path = util.get_user_report_path(full_path,"json")
+                html_report_path = util.get_user_report_path(full_path, "html")
+                json_report_path = util.get_user_report_path(full_path, "json")
             if html_report:
                 with open(html_report_path, "w") as html_file:
@@ -153,4 +245,3 @@ class CommandSubCommand(sub_command.PyntSubCommand):
                 json_obj = json.loads(json_report)
                 if json_obj:
                     util.check_for_findings_or_warnings(args, json_obj)

pyntcli 0.1.71__py3-none-any.whl → 0.1.73__py3-none-any.whl

pyntcli 0.1.71py3-none-any.whl → 0.1.73py3-none-any.whl