cherrybomb icon indicating copy to clipboard operation
cherrybomb copied to clipboard

Published 20 hours ago verified publisher icon blst-security

Parameters without schema causing crash

Open DJ4ddi opened this issue 1 year ago • 1 comments

Describe the bug When analyzing an OAS JSON file that has parameters which are missing a schema, the application crashes with the following error:

thread 'main' panicked at 'external ref', /home/aha/.cargo/registry/src/index.crates.io-6f17d22bba15001f/cherrybomb-oas-0.1.0/src/legacy/refs.rs:30:13
stack backtrace:
   0: rust_begin_unwind
             at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/std/src/panicking.rs:578:5
   1: core::panicking::panic_fmt
             at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library/core/src/panicking.rs:67:14
   2: cherrybomb_oas::legacy::refs::SchemaRef::inner
   3: cherrybomb_oas::legacy::param::Param::schema_to_params
   4: <core::iter::adapters::map::Map<I,F> as core::iter::traits::iterator::Iterator>::fold
   5: cherrybomb_engine::scan::passive::utils::get_params
   6: cherrybomb_engine::scan::checks::<impl cherrybomb_engine::scan::passive::passive_scanner::PassiveSwaggerScan<T>>::run_check
   7: cherrybomb_engine::scan::passive::passive_scanner::PassiveSwaggerScan<T>::run
   8: cherrybomb_engine::run_passive_profile
   9: tokio::runtime::park::CachedParkThread::block_on
  10: tokio::runtime::context::runtime::enter_runtime
  11: tokio::runtime::runtime::Runtime::block_on
  12: cherrybomb::main

Example parameter:

{
  "name": "UnknownIdentifier",
  "in": "header",
  "required": true
}

To fix the crash, the parameter can be changed as follows:

{
  "name": "UnknownIdentifier",
  "in": "header",
  "required": true,
  "schema": { "type": "string" }
}

To Reproduce

  1. Create an OpenAPI spec with missing schema properties (or use mine: MyBackend.zip)
  2. Run the analysis with cherrybomb --file MyBackend.json --profile passive.
  3. Observe how the analysis fails with the error mentioned above.

Expected behavior I would expect a warning for this parameter that indicates a missing schema.

Desktop:

  • OS: Ubuntu 22.04.2 LTS
  • Version 1.0.0

Additional context I understand that arbitrarily missing fields aren't necessarily suitable for emitting warnings. However, this particular example was generated by Swagger/Swashbuckle and is reported as valid by other tools.

DJ4ddi avatar Jul 11 '23 15:07 DJ4ddi

For now, most of our checks which rely on parameter based analysis, require schema as a prerequisite in order to preform them. For the newer version(which is coming soon), I will add an adaptive way to determine whether or not a check should be preformed on each parameter.

GuyL99 avatar Jul 11 '23 17:07 GuyL99