diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml new file mode 100644 index 00000000..b647c053 --- /dev/null +++ b/.github/workflows/build.yaml @@ -0,0 +1,14 @@ +name: Build +on: + pull_request: + branches: + - main + +jobs: + + build: + runs-on: ubuntu-22.04 + steps: + - uses: actions/checkout@v2 + - name: Gradle build + run: ./gradlew build diff --git a/README.md b/README.md index 45366c83..11cf4797 100644 --- a/README.md +++ b/README.md @@ -50,8 +50,8 @@ In PowerShell, with administrative privileges: 2. add the new gradle directory to `$env:PATH` 2. Run the gradle build: 1. `.\gradlew.bat --no-daemon build` -3. Update the `spring.datasource.url` in your local [application.properties](https://github.com/kaakaww/javaspringvulny/blob/main/src/main/resources/application.properties) file from `spring.datasource.url=jdbc:h2:file:${PWD}/db/vulny;DB_CLOSE_ON_EXIT=FALSE;AUTO_RECONNECT=TRUE` to an absolute path. - 1. For instance: `spring.datasource.url=jdbc:h2:file:C:/Users/Dan/projects/javaspringvulny/db/vulny;DB_CLOSE_ON_EXIT=FALSE;AUTO_RECONNECT=TRUE`. +3. Update the `spring.datasource.url` in your local [application.yaml](https://github.com/kaakaww/javaspringvulny/blob/main/src/main/resources/application.properties) file from `spring.datasource.url=jdbc:h2:file:${PWD}/db/vulny;DB_CLOSE_ON_EXIT=FALSE;AUTO_RECONNECT=TRUE` to an absolute path. + 1. For instance: `spring.datasource.url: jdbc:h2:file:C:/Users/Dan/projects/javaspringvulny/db/vulny;DB_CLOSE_ON_EXIT=FALSE;AUTO_RECONNECT=TRUE`. ### Run @@ -69,7 +69,7 @@ Once the app starts up, you can reach it at [https://localhost:9000](https://loc You can log in to the application with the following credentials: ``` - username: user + username: janesmith password: password ``` diff --git a/azure-pipelines.yml b/azure-pipelines.yml index b9702309..02580c1e 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml 
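Review bot: The new workflow references `actions/checkout@v2` by a mutable major tag and declares no `permissions:` block, so the PR build runs with the repository's default `GITHUB_TOKEN` scope and whatever code that tag resolves to on the day it runs. For a build that only needs to read the tree, add `permissions:` / `  contents: read` at the workflow level and pin the action to the full commit SHA of a current release (with the tag in a trailing comment), which also moves off the deprecated Node 12 runtime that `v2` still uses. Note too that `./gradlew build` will configure the `hawkscripts` subproject if it is included in the root build, and the `hawkscripts.gradle.kts` change in this same commit appears to call `api.stackhawk.com` during configuration whenever `build/hawkscriptsdk.version` is absent, so this job needs egress to that host or the build will fail before compiling anything.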
@@ -51,15 +51,6 @@ steps: dockerComposeFile: docker-compose.yml action: Run services - # specific path replacement for in-memory database on windows in azure-pipelines - - powershell: | - $file = 'src/main/resources/application.properties' - $find = 'spring.datasource.url=jdbc:h2:file:${PWD}/db/vulny;' - $replace = "spring.datasource.url=jdbc:h2:file:D:\\a\\1\\db\\vulny;" - (Get-Content $file).replace($find, $replace) | Set-Content $file - condition: eq(variables['imageName'], 'windows-latest') - displayName: Configure JavaSpringVulny for windows - # azure pipelines default jdk is 8, so we upgrade to 11 to run JavaSpringVulny # the hawkscan msi bundles java with it, so this step isn't necesarry for running HawkScan - task: JavaToolInstaller@0 @@ -70,6 +61,7 @@ steps: # start javaspringVulny in the background - powershell: | + $Env:SPRING_PROFILES_ACTIVE = 'windows' start-process ./gradlew.bat bootRun displayName: Start JavaSpringVulny on windows with gradle in the background condition: eq(variables['imageName'], 'windows-latest') diff --git a/docker-compose.yml b/docker-compose.yml index c3b8b99f..acc94b11 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -15,6 +15,7 @@ services: container_name: javavulny environment: SPRING_PROFILES_ACTIVE: postgresql + SPRING_DATASOURCE_URL: jdbc:postgresql://db:5432/postgres ports: - "9000:9000" links: diff --git a/hawkscripts/README.md b/hawkscripts/README.md new file mode 100644 index 00000000..5731d3eb --- /dev/null +++ b/hawkscripts/README.md 
@@ -0,0 +1,33 @@ + +## Hawkscripts + +A directory of kotlin scripts to customize [HawkScan](https://docs.stackhawk.com/stackhawk-cli/#install-with-zip-file) with +[IntelliJ IDE](https://www.jetbrains.com/idea/download) support via gradle. + +To enable IDE support... + +1. Open a shell in the root of the javaspringvulny repository and run... + ```shell + ./gradlew :hawkscripts:download + ``` + This will download the hawk scripts sdk zip into the `hawkscripts/build` directory as + required by the dependencies defined in [hawkscripts.gradle.kts](hawkscripts.gradle.kts). +1. Start the [IntelliJ IDE](https://www.jetbrains.com/idea/download) +1. Open javaspringvulny as a new gradle project + + ![intellij-new-project-1.png](help-images%2Fintellij-new-project-1.png) + + ![intellij-new-project-2.png](help-images%2Fintellij-new-project-2.png) + + ![intellij-new-project-3.png](help-images%2Fintellij-new-project-3.png) + +1. **Wait for the indexer!** + ![intellij-new-project-4.png](help-images%2Fintellij-new-project-4.png) + +When indexing is complete open any of the `.kts` files in the +defined source directories `authentication, session, httpsender, active, proxy` +to see activated code highlighting, auto-completion, and inline compilation errors. + +Use the [hawk perch]() and [hawk validate auth --watch]() to +develop and test authentication and session scripts against your +running web API's. \ No newline at end of file diff --git a/hawkscripts/authentication/form-auth-multi.kts b/hawkscripts/authentication/form-auth-multi.kts index 230078fc..95e75cad 100644 --- a/hawkscripts/authentication/form-auth-multi.kts +++ b/hawkscripts/authentication/form-auth-multi.kts 
@@ -33,11 +33,6 @@ fun authenticate( logger.info("host ${talon.talonHawkScanConf.hawkscanConf.app.cleanHost()}") val mapper = ObjectMapper() - /*val payload = JSONObject().apply { - put("username", credentials.getParam("username")) - put("password", credentials.getParam("password")) - }.toString()*/ - val payload = mapper.writeValueAsString( mapOf( "username" to credentials.getParam("username"), diff --git a/hawkscripts/hawkscripts.gradle.kts b/hawkscripts/hawkscripts.gradle.kts index e733e0b8..851de948 100644 --- a/hawkscripts/hawkscripts.gradle.kts +++ b/hawkscripts/hawkscripts.gradle.kts @@ -1,11 +1,24 @@ -import org.jetbrains.kotlin.konan.file.File.Companion.userHome +import java.net.HttpURLConnection +import java.net.URL +import java.nio.file.Files +import kotlin.math.roundToLong plugins { kotlin("jvm") version "1.8.22" } val kotlinVersion = "1.7.20" -val hawkScriptSdkVersion = "3.4.2" +val hawkScriptSdkVersion = lazy { sdkVersion() } +val sdkZipName = lazy { "hawkscript-sdk-${hawkScriptSdkVersion.value}.zip" } +val hawkScriptSDKZip = lazy { "$buildDir/${sdkZipName.value}" } + +tasks.compileKotlin.configure { + if (!File(hawkScriptSDKZip.value).exists()) { + logger.warn("hawkscripts sdk zip ${hawkScriptSDKZip.value} not found") + logger.lifecycle("Run ./gradlew :hawkscripts:download to enable kotlin scripting support for IntelliJ") + } + enabled = File(hawkScriptSDKZip.value).exists() +} kotlin { sourceSets { 
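Review bot: In the `tasks.compileKotlin.configure { ... }` block and the `compileOnly(zipTree(hawkScriptSDKZip.value))` dependency below it, `hawkScriptSDKZip.value` is forced at configuration time, and the `lazy { sdkVersion() }` chain behind it (defined further down in this file, in the following hunk) performs an HTTP request to `api.stackhawk.com` whenever `build/hawkscriptsdk.version` does not exist — so every fresh clone, every run after `./gradlew clean`, and every `--offline` build makes a network call just to evaluate the build script, and a failure there aborts configuration of the whole project rather than merely disabling this task. Consider resolving the version only inside the `download` task and treating a missing version file like a missing zip (warn and set `enabled = false`), e.g. guard with `if (gradle.startParameter.isOffline || !File("$buildDir/hawkscriptsdk.version").exists())` before touching the lazy. Minor: `File(hawkScriptSDKZip.value).exists()` is evaluated twice in that block; `val sdkZip = File(hawkScriptSDKZip.value)` then `enabled = sdkZip.exists()` reads better.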
@@ -30,6 +43,73 @@ repositories { dependencies { compileOnly("org.jetbrains.kotlin:kotlin-stdlib:$kotlinVersion") compileOnly("org.jetbrains.kotlin:kotlin-script-runtime:$kotlinVersion") - // change to location of the hawkscript-sdk-/ directory. - compileOnly(zipTree("$userHome/Downloads/hawkscript-sdk-$hawkScriptSdkVersion.zip")) + compileOnly(zipTree(hawkScriptSDKZip.value)) +} +tasks.register("download") { + + group = "StackHawk" + description = "Download the latest hawk scripting sdk zip" + + doLast { + + Files.createDirectories(buildDir.toPath()) + val localSdkZip = File("$buildDir/${sdkZipName.value}") + if (!localSdkZip.exists()) { + val hawkscriptSdkUrl = URL("https://download.stackhawk.com/hawk/sdk/${sdkZipName.value}") + val zipConn = hawkscriptSdkUrl.openConnection() as HttpURLConnection + zipConn.connect() + if ((200..299).contains(zipConn.responseCode)) { + logger.lifecycle("Downloading $hawkscriptSdkUrl -> $localSdkZip") + val delay = 1000L + var curLen = 0 + val len = zipConn.getHeaderField("Content-Length").toLong() + val input = zipConn.inputStream + localSdkZip.outputStream().use { output -> + var buf = ByteArray(8192) + var c = input.read(buf, 0, buf.size) + var lastPct = 0L + while (c != -1) { + curLen += c + output.write(buf, 0, c) + c = input.read(buf, 0, buf.size) + val pc = ((curLen.toDouble() / len.toDouble()) * 100).roundToLong() + if ((System.currentTimeMillis() % delay) == 0L && lastPct != pc) { + logger.lifecycle("${sdkZipName.value} [${curLen / 1024 / 1024}mb] ${pc}%") + lastPct = pc + } + } + val pc = ((curLen.toDouble() / len.toDouble()) * 100).roundToLong() + logger.lifecycle("${sdkZipName.value} [${curLen / 1024 / 1024}mb] ${pc}%") + } + } else { + logger.error("Error downloading $hawkscriptSdkUrl ${zipConn.responseMessage}") + } + } else { + logger.lifecycle("latest hawkscan sdk already found: ${"$buildDir/${sdkZipName.value}"}") + } + + } +} + +fun sdkVersion(): String { + val verFile = File("$buildDir/hawkscriptsdk.version") + 
val ret = if (verFile.exists()) { + verFile.readText() + } else { + downloadSdkVersion() + verFile.readText() + } + return ret } + +fun downloadSdkVersion() { + Files.createDirectories(buildDir.toPath()) + val hawkscanVersionUrl = URL("https://api.stackhawk.com/hawkscan/version") + val verisionConn = hawkscanVersionUrl.openConnection() as HttpURLConnection + verisionConn.connect() + val version = String(verisionConn.inputStream.readAllBytes()) + File("$buildDir/hawkscriptsdk.version").outputStream().use { + it.write(version.toByteArray()) + } +} + diff --git a/hawkscripts/help-images/intellij-new-project-1.png b/hawkscripts/help-images/intellij-new-project-1.png new file mode 100644 index 00000000..b01fcbb7 Binary files /dev/null and b/hawkscripts/help-images/intellij-new-project-1.png differ diff --git a/hawkscripts/help-images/intellij-new-project-2.png b/hawkscripts/help-images/intellij-new-project-2.png new file mode 100644 index 00000000..7fa228a6 Binary files /dev/null and b/hawkscripts/help-images/intellij-new-project-2.png differ diff --git a/hawkscripts/help-images/intellij-new-project-3.png b/hawkscripts/help-images/intellij-new-project-3.png new file mode 100644 index 00000000..94b3171d Binary files /dev/null and b/hawkscripts/help-images/intellij-new-project-3.png differ diff --git a/hawkscripts/help-images/intellij-new-project-4.png b/hawkscripts/help-images/intellij-new-project-4.png new file mode 100644 index 00000000..af8956cd Binary files /dev/null and b/hawkscripts/help-images/intellij-new-project-4.png differ diff --git a/src/main/resources/application-windows.properties b/src/main/resources/application-windows.properties deleted file mode 100644 index 8800762a..00000000 --- a/src/main/resources/application-windows.properties +++ /dev/null @@ -1,2 +0,0 @@ - -spring.datasource.url=jdbc:h2:file:D:\\a\\1\\db\\vulny;DB_CLOSE_ON_EXIT=FALSE;AUTO_RECONNECT=TRUE 
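Review bot: The `download` task places a zip fetched from `download.stackhawk.com` onto the compile classpath with no integrity check, and a failed or interrupted transfer is persisted: a non-2xx response only logs via `logger.error` and does not fail the task, while a short read leaves a truncated file at `localSdkZip`, which the `if (!localSdkZip.exists())` guard then treats as complete on every later run. `getHeaderField("Content-Length").toLong()` also throws an NPE when the server answers with chunked encoding, the input stream and connection are never closed, and `downloadSdkVersion()` ignores the status code and writes the raw body — possibly an HTML error page — into the version file that is then spliced unvalidated into both a URL path and a local file name. The rewrite below streams into a `.part` file and renames only after the full length arrived, fails the task on non-2xx or short reads, sets timeouts, closes streams, and validates the version string; verifying a vendor-published checksum or signature is left as a TODO because none is visible in this commit. The `System.currentTimeMillis() % delay == 0L` progress throttle is essentially never true and was dropped rather than fixed.
```kotlin
tasks.register("download") {
    // … unchanged: group / description …
    doLast {
        Files.createDirectories(buildDir.toPath())
        val localSdkZip = File("$buildDir/${sdkZipName.value}")
        if (localSdkZip.exists()) {
            logger.lifecycle("latest hawkscan sdk already found: $localSdkZip")
            return@doLast
        }
        val hawkscriptSdkUrl = URL("https://download.stackhawk.com/hawk/sdk/${sdkZipName.value}")
        val zipConn = hawkscriptSdkUrl.openConnection() as HttpURLConnection
        zipConn.connectTimeout = 10_000
        zipConn.readTimeout = 30_000
        zipConn.connect()
        if (!(200..299).contains(zipConn.responseCode)) {
            throw GradleException("Error downloading $hawkscriptSdkUrl: ${zipConn.responseCode} ${zipConn.responseMessage}")
        }
        logger.lifecycle("Downloading $hawkscriptSdkUrl -> $localSdkZip")
        // Stream into a .part file so an interrupted transfer never leaves a truncated zip
        // at the final path, where the exists() check above would treat it as complete.
        val partFile = File(localSdkZip.path + ".part")
        val expectedLen = zipConn.contentLengthLong // -1 when no Content-Length was sent
        var curLen = 0L
        zipConn.inputStream.use { input ->
            partFile.outputStream().use { output ->
                val buf = ByteArray(8192)
                var c = input.read(buf)
                while (c != -1) {
                    curLen += c
                    output.write(buf, 0, c)
                    c = input.read(buf)
                }
            }
        }
        if (expectedLen >= 0 && curLen != expectedLen) {
            partFile.delete()
            throw GradleException("Truncated download of $hawkscriptSdkUrl: $curLen of $expectedLen bytes")
        }
        // TODO(review): verify a published checksum/signature here before this zip goes on the compile classpath.
        Files.move(partFile.toPath(), localSdkZip.toPath())
        logger.lifecycle("${sdkZipName.value} [${curLen / 1024 / 1024}mb] 100%")
    }
}

// … unchanged: sdkVersion() …

fun downloadSdkVersion() {
    Files.createDirectories(buildDir.toPath())
    val hawkscanVersionUrl = URL("https://api.stackhawk.com/hawkscan/version")
    val versionConn = hawkscanVersionUrl.openConnection() as HttpURLConnection
    versionConn.connectTimeout = 10_000
    versionConn.readTimeout = 10_000
    versionConn.connect()
    if (!(200..299).contains(versionConn.responseCode)) {
        throw GradleException("hawkscan version lookup failed: ${versionConn.responseCode} ${versionConn.responseMessage}")
    }
    val version = versionConn.inputStream.use { String(it.readAllBytes()) }.trim()
    // The value is spliced into a URL path and a local file name: reject anything
    // that is not a plain version token (no separators, whitespace or markup).
    require(Regex("""^[0-9A-Za-z.+-]+$""").matches(version)) { "unexpected hawkscan version string: '$version'" }
    File("$buildDir/hawkscriptsdk.version").writeText(version)
}
```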
diff --git a/src/main/resources/application-windows.yaml b/src/main/resources/application-windows.yaml new file mode 100644 index 00000000..85535b36 --- /dev/null +++ b/src/main/resources/application-windows.yaml @@ -0,0 +1,4 @@ + +spring: + datasource: + url: jdbc:h2:file:D:\\a\\1\\db\\vulny;DB_CLOSE_ON_EXIT=FALSE;AUTO_RECONNECT=TRUE diff --git a/stackhawk.d/stackhawk-auth-json-token.yml b/stackhawk.d/stackhawk-auth-json-token.yml index 5c8a38ba..b2cf5611 100644 --- a/stackhawk.d/stackhawk-auth-json-token.yml +++ b/stackhawk.d/stackhawk-auth-json-token.yml @@ -10,7 +10,7 @@ app: loginPath: /api/jwt/auth/signin usernameField: username passwordField: password - scanUsername: "user" + scanUsername: "janesmith" scanPassword: "password" tokenExtraction: type: TOKEN_PATH diff --git a/stackhawk.d/stackhawk-custom-spider-curl.yml b/stackhawk.d/stackhawk-custom-spider-curl.yml index df8baf2c..fd7c58ac 100644 --- a/stackhawk.d/stackhawk-custom-spider-curl.yml +++ b/stackhawk.d/stackhawk-custom-spider-curl.yml @@ -16,7 +16,7 @@ app: loginPagePath: /login usernameField: username passwordField: password - scanUsername: "user" + scanUsername: "janesmith" scanPassword: "password" cookieAuthorization: cookieNames: diff --git a/stackhawk.d/stackhawk-custom-spider-newman.yml b/stackhawk.d/stackhawk-custom-spider-newman.yml index 83494050..ff13d8ad 100644 --- a/stackhawk.d/stackhawk-custom-spider-newman.yml +++ b/stackhawk.d/stackhawk-custom-spider-newman.yml @@ -16,7 +16,7 @@ app: loginPagePath: /login usernameField: username passwordField: password - scanUsername: "user" + scanUsername: "janesmith" scanPassword: "password" cookieAuthorization: cookieNames: diff --git a/stackhawk.d/stackhawk-jsv-form-cookie.yml b/stackhawk.d/stackhawk-jsv-form-cookie.yml index b9c4ee94..5a7fe628 100644 --- a/stackhawk.d/stackhawk-jsv-form-cookie.yml +++ b/stackhawk.d/stackhawk-jsv-form-cookie.yml 
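Review bot: In the new `url:` line, the value is a plain (unquoted) YAML scalar, where backslashes are not escape characters, so Spring receives the literal `D:\\a\\1\\db\\vulny` with doubled separators; the deleted `application-windows.properties` line relied on `.properties` escaping, where `\\` collapsed to a single `\`. Windows and H2 may tolerate repeated separators, but the value no longer says what it meant to — use forward slashes, which H2 accepts on Windows, `url: jdbc:h2:file:D:/a/1/db/vulny;DB_CLOSE_ON_EXIT=FALSE;AUTO_RECONNECT=TRUE`, or single backslashes if you prefer the native form. A one-line comment that `D:\a\1` is the Azure Pipelines agent workspace and that this profile is selected by `SPRING_PROFILES_ACTIVE=windows` in `azure-pipelines.yml` would also help the next reader.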
@@ -18,7 +18,7 @@ app: loginPagePath: /login usernameField: username passwordField: password - scanUsername: "user" + scanUsername: "janesmith" scanPassword: "password" cookieAuthorization: cookieNames: diff --git a/stackhawk.d/stackhawk-jsv-json-token.yml b/stackhawk.d/stackhawk-jsv-json-token.yml index 4f84791a..de2576d0 100644 --- a/stackhawk.d/stackhawk-jsv-json-token.yml +++ b/stackhawk.d/stackhawk-jsv-json-token.yml @@ -15,7 +15,7 @@ app: loginPath: /api/jwt/auth/signin usernameField: username passwordField: password - scanUsername: "user" + scanUsername: "janesmith" scanPassword: "password" tokenAuthorization: type: HEADER diff --git a/stackhawk.d/stackhawk-openapi.yml b/stackhawk.d/stackhawk-openapi.yml index 4df5392a..f733a5b0 100644 --- a/stackhawk.d/stackhawk-openapi.yml +++ b/stackhawk.d/stackhawk-openapi.yml @@ -13,7 +13,7 @@ app: loginPath: /api/jwt/auth/signin usernameField: username passwordField: password - scanUsername: "user" + scanUsername: "janesmith" scanPassword: "password" tokenAuthorization: type: HEADER diff --git a/stackhawk.yml b/stackhawk.yml index a2f87327..efc01f1f 100644 --- a/stackhawk.yml +++ b/stackhawk.yml @@ -28,6 +28,3 @@ app: testPath: path: /search success: "HTTP.*200.*" - waitForAppTarget: - pollDelay: 500 - waitTimeoutMillis: 5000