def test_creates_vuln_with_command_object_with_tool(session, service):
host_data_ = host_data.copy()
service_data_ = service_data.copy()
vuln_web_data_ = vuln_data.copy()
service_data_['vulnerabilities'] = [vuln_web_data_]
host_data_['services'] = [service_data_]
command = new_empty_command(service.workspace)
bc.bulk_create(
service.workspace,
command,
dict(
command=command_data,
hosts=[host_data_]
)
)
assert count(Vulnerability, service.workspace) == 1
vuln = service.workspace.vulnerabilities[0]
assert vuln.tool == vuln_data['tool']
def test_sanitize_request_and_response(session, workspace, host):
invalid_request_text = 'GET /exampla.do HTTP/1.0\n \x89\n\x1a SOME_TEXT'
invalid_response_text = '<html> \x89\n\x1a SOME_TEXT</html>'
sanitized_request_text = 'GET /exampla.do HTTP/1.0\n \n SOME_TEXT'
sanitized_response_text = '<html> \n SOME_TEXT</html>'
host_data_ = host_data.copy()
service_data_ = service_data.copy()
vuln_web_data_ = vuln_web_data.copy()
vuln_web_data_['name'] = 'test'
vuln_web_data_['severity'] = 'low'
vuln_web_data_['request'] = invalid_request_text
vuln_web_data_['response'] = invalid_response_text
service_data_['vulnerabilities'] = [vuln_web_data_]
host_data_['services'] = [service_data_]
command = new_empty_command(workspace)
bc.bulk_create(workspace, command,
dict(command=command_data, hosts=[host_data_]))
vuln = VulnerabilityWeb.query.filter(
VulnerabilityWeb.workspace == workspace).one()
assert vuln.request == sanitized_request_text
assert vuln.response == sanitized_response_text
def test_create_vuln_with_custom_fields(session, workspace):
custom_field_schema = CustomFieldsSchemaFactory(
field_name='changes',
field_type='list',
field_display_name='Changes',
table_name='vulnerability'
)
session.add(custom_field_schema)
session.commit()
host_data_ = host_data.copy()
vuln_data_ = vuln_data.copy()
vuln_data_['custom_fields'] = {'changes': ['1', '2', '3']}
host_data_['vulnerabilities'] = [vuln_data_]
command = new_empty_command(workspace)
bc.bulk_create(workspace, command, dict(hosts=[host_data_],
command=command_data.copy()))
assert count(Host, workspace) == 1
assert count(Vulnerability, workspace) == 1
assert count(Command, workspace) == 1
for vuln in Vulnerability.query.filter(Vulnerability.workspace == workspace):
assert vuln.custom_fields['changes'] == ['1', '2', '3']
def test_create_duplicated_hosts(session, workspace):
assert count(Host, workspace) == 0
bc.bulk_create(workspace, None, dict(hosts=[host_data, host_data]))
db.session.commit()
assert count(Host, workspace) == 1
def test_creates_command_object_on_duplicates(session, command, service,
vulnerability_factory,
vulnerability_web_factory,
credential_factory):
vuln_host = vulnerability_factory.create(workspace=service.workspace,
host=service.host,
service=None)
vuln_service = vulnerability_factory.create(workspace=service.workspace,
service=service,
host=None)
vuln_web = vulnerability_web_factory.create(workspace=service.workspace,
service=service)
host_cred = credential_factory.create(workspace=service.workspace,
host=service.host,
service=None)
session.add(command)
session.add(service)
session.add(vuln_host)
session.add(vuln_service)
session.add(vuln_web)
session.add(host_cred)
session.commit()
assert command.workspace == service.workspace
assert len(command.workspace.command_objects) == 0
objects_with_command_object = [
('host', service.host),
('service', service),
('vulnerability', vuln_host),
('vulnerability', vuln_service),
('vulnerability', vuln_web),
# ('credential', host_cred), # Commented because unique constraint of credential is not working
]
for (table_name, obj) in objects_with_command_object:
assert obj.id is not None and command.id is not None
db.session.add(
CommandObject(
object_type=table_name,
object_id=obj.id,
command=command,
created_persistent=True,
workspace=command.workspace,
))
session.commit()
data = {
'hosts': [{
'ip':
service.host.ip,
'description':
service.host.description,
'vulnerabilities': [{
'name': vuln_host.name,
'severity': 'high',
'desc': vuln_host.description,
'type': 'Vulnerability',
}],
'credentials': [{
'name': host_cred.name,
'username': host_cred.username,
}],
'services': [{
'name':
service.name,
'protocol':
service.protocol,
'port':
service.port,
'vulnerabilities': [
{
'name': vuln_service.name,
'severity': 'high',
'desc': vuln_service.description,
'type': 'Vulnerability',
},
{
'name': vuln_web.name,
'severity': 'high',
'desc': vuln_web.description,
'type': 'VulnerabilityWeb',
'method': vuln_web.method,
'pname': vuln_web.parameter_name,
'path': vuln_web.path,
'website': vuln_web.website,
},
]
}]
}]
}
data['command'] = command_data.copy()
command2 = new_empty_command(command.workspace)
bc.bulk_create(command.workspace, command2, data)
assert count(Command, command.workspace) == 2
new_command = Command.query.filter_by(tool='pytest').one()
for (table_name, obj) in objects_with_command_object:
assert obj.id is not None and new_command.id is not None
CommandObject.query.filter(
CommandObject.workspace == command.workspace,
CommandObject.command == new_command,
CommandObject.object_type == table_name,
CommandObject.object_id == obj.id,
CommandObject.created_persistent == false(),
).one()
def send_report_request(self, workspace_name, report_json):
logger.info("Send Report data to workspace [%s]", workspace_name)
from faraday.server.web import app # pylint:disable=import-outside-toplevel
with app.app_context():
ws = Workspace.query.filter_by(name=workspace_name).one()
bulk_create(ws, report_json, False)
def test_create_duplicated_hosts(session, workspace):
assert count(Host, workspace) == 0
command = new_empty_command(workspace)
bc.bulk_create(workspace, command, dict(hosts=[host_data, host_data], command=command_data.copy()))
db.session.commit()
assert count(Host, workspace) == 1
