fix: use tostring to match url #64

Merged
merged 3 commits into from
Mar 12, 2024

mnaumanali94
Collaborator

Fixes #63

@mnaumanali94 mnaumanali94 requested review from P0lip and a team March 11, 2024 06:49

@frankkilcommins frankkilcommins left a comment

LGTM - should we have a test to cover each of these type given scenarios (future issue to harden test suite perhaps)?

Contributor

@P0lip P0lip left a comment

How about this?

Subject: [PATCH] fix: tweak api7:2023-concerning-url-parameter
---
Index: src/ruleset.ts
<+>UTF-8
===================================================================
diff --git a/src/ruleset.ts b/src/ruleset.ts
--- a/src/ruleset.ts	(revision d233da88b881d1486cc9aa762b77c99d2e44e47b)
+++ b/src/ruleset.ts	(date 1710170011929)
@@ -1,6 +1,5 @@
 import {
   defined,
-  undefined,
   truthy,
   pattern,
   schema,
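Review bot: removing `undefined` from the import list is only safe if the api7 rule was its last user in this file. The patch shows just that one `function: undefined` being replaced, so check the rest of `src/ruleset.ts` for other references (a type-check will catch it) before merging.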
@@ -16,6 +15,9 @@
   formats: [oas2, oas3],
 
   aliases: {
+    PathItem: ['$.paths[*]'],
+    OperationObject: ['#PathItem[get,put,post,delete,options,head,patch,trace]'],
+
     ArrayProperties: {
       targets: [
         {
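Review bot: the new `PathItem` alias is bound to `$.paths[*]` and `OperationObject` to its eight HTTP methods, which is narrower than the recursive `$.paths..parameters[*]` that the api7 rule used before. Parameters on operations nested deeper under `paths` (for example inside `callbacks`) are no longer visited by the SSRF check. If that narrowing is intended, state it in a short comment above the two aliases; if not, add an alias that reaches those nested operations.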
@@ -716,10 +718,15 @@
       description:
         "Using external resource based on user input for webhooks, file fetching from URLs, custom SSO, URL previews, or redirects, can lead to a wide variety of security issues.\n\nLearn more about Server Side Request Forgery here: https://owasp.org/API-Security/editions/2023/en/0xa7-server-side-request-forgery/",
       severity: DiagnosticSeverity.Information,
-      given:
-        '$.paths..parameters[*][?(@property === "name" && (@ === "callback" || @ === "redirect" || @.match(/(_url|Url|-url)$/)))]^',
+      given: [
+        '#PathItem.parameters[*].name',
+        '#OperationObject.parameters[*].name',
+      ],
       then: {
-        function: undefined,
+        function: pattern,
+        functionOptions: {
+          notMatch: /(^(callback|redirect)|(_url|Url|-url))$/,
+        }
       },
     },
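Review bot: the `then` block now runs `pattern` with `notMatch` against every `parameters[*].name`, so the failure linked to this PR (`scope.sandbox.value.match is not a function`, which implies a non-string value reaching `.match`) needs an explicit test with a non-string `name` to confirm the rule no longer throws. The regex keeps the old filter's meaning (exactly `callback` or `redirect`, or a `_url`/`Url`/`-url` suffix), but results are now reported on the `name` node instead of the parameter object that the old trailing `^` selected, so any test asserting the result path has to change with it. Minor style point: add a trailing comma after the closing brace of `functionOptions` to match the surrounding object literals.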

@mnaumanali94 mnaumanali94 requested a review from P0lip March 12, 2024 14:45
Co-authored-by: Jakub Rożek <[email protected]>
@mnaumanali94 mnaumanali94 enabled auto-merge (squash) March 12, 2024 15:49
@mnaumanali94 mnaumanali94 merged commit 913348e into main Mar 12, 2024
1 check passed
@mnaumanali94 mnaumanali94 deleted the fix-63 branch March 12, 2024 15:49

🎉 This PR is included in version 2.0.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

Successfully merging this pull request may close these issues.

Using Ruleset 2.0.0 receive scope.sandbox.value.match is not a function
3 participants