update owasp zap

docker-compose.owaspzap.ci.yml

@@ -0,0 +1,20 @@
+version: "3"
+
+services:
+  zap:
+    image: kiy0taka/zap2docker-eccube
+    command: bash -c "zap.sh -cmd -configfile /zap/wrk/options.properties -certpubdump /zap/wrk/owasp_zap_root_ca.cer && sleep infinity"
+    volumes:
+      - ./zap/policies:/home/zap/.ZAP/policies/
+      - ./zap:/zap/wrk/
+    depends_on:
+      - ec-cube
+    networks:
+      - backend
+      - default
+    tty: true
+    healthcheck:
+      test: echo 'zap'
+      interval: 3s
+      timeout: 3s
+      retries: 3

zap/add_CancelDeletionEventSubscriber.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+echo '<?php
+namespace Eccube\Doctrine\EventSubscriber;
+use Doctrine\Common\EventSubscriber;
+use Doctrine\ORM\Event\LifecycleEventArgs;
+use Doctrine\ORM\Events;
+class CancelDeletionEventSubscriber implements EventSubscriber
+{
+  public function getSubscribedEvents()
+  {
+    return [Events::preRemove];
+  }
+  public function preRemove(LifecycleEventArgs $event)
+  {
+    $event->getEntityManager()->detach($event->getEntity());
+  }
+}' > CancelDeletionEventSubscriber.php
+sed -i.bak -e 's_$fs->remove_// $fs->remove_' src/Eccube/Controller/Admin/Content/PageController.php

zap/automation/template.yml

@@ -0,0 +1,117 @@
+env:
+
+  contexts :
+
+    - name: admin
+      urls:
+        - 'https://ec-cube/admin'
+      includePaths:
+        - '\Qhttps://ec-cube/admin\E.*'
+      excludePaths:
+      authentication:
+        method: 'form'
+        parameters:
+          loginPageUrl: https://ec-cube/admin/login
+          loginRequestUrl: https://ec-cube/admin/login
+          loginRequestBody: _csrf_token=xxx&login_id={%username%}&password={%password%}
+        verification:
+          method: 'poll'
+          loggedOutRegex: '\Q<button type="submit" class="btn btn-primary btn-lg btn-block">ログイン</button>\E'
+          pollFrequency: 1000
+          pollUnits: 'requests'
+          pollUrl: 'https://ec-cube/admin/login'
+      users:
+      - name: admin
+        credentials:
+          username: admin
+          password: password
+
+    - name: default
+      urls:
+        - https://ec-cube
+        - http://mailcatcher:1080
+
+  parameters:
+    failOnError: true
+    failOnWarning: false
+    progressToStdout: true
+
+jobs:
+
+  - type: script
+    parameters:
+      action: add
+      type: standalone
+      name: configure_tech
+      file: /zap/wrk/scripts/configure_tech.js
+
+  - type: script
+    parameters:
+      action: run
+      type: standalone
+      name: configure_tech
+
+${ZA_FORCE_ADMIN_CONFIG}
+${ZA_BEFORE_SCRIPT_CONFIG}
+
+  - type: script
+    parameters:
+      action: add
+      type: sequence
+      name: target
+      file: /zap/wrk/scripts/${ZA_TARGET}.zst
+
+  - type: script
+    parameters:
+      action: run
+      type: sequence
+      name: target
+
+  - type: sequence
+    parameters:
+      action: activeScan
+      name: target
+      user: ${ZA_USER}
+      context: ${ZA_CONTEXT}
+      threadPerHost: ${ZA_THREAD_PER_HOST}
+
+  - type: passiveScan-wait
+
+  - type: report
+    parameters:
+      reportDir: /tmp/report
+      reportFile: ZAP-Report-${ZA_TARGET}
+      reportTitle: ${ZA_TARGET}
+
+  - type: script
+    parameters:
+      action: add
+      type: standalone
+      name: dump_alerts
+      file: /zap/wrk/scripts/dump_alerts.js
+
+  - type: script
+    parameters:
+      action: run
+      type: standalone
+      name: dump_alerts
+
+  - type: script
+    parameters:
+      action: add
+      type: standalone
+      name: assert_no_high_risks
+      file: /zap/wrk/scripts/assert_no_high_risks.js
+
+  - type: script
+    parameters:
+      action: run
+      type: standalone
+      name: assert_no_high_risks
+    tests:
+      - name: 'High risk alert count'
+        type: stats
+        statistic: stats.scan.high.alerts
+        operator: '=='
+        value: 0
+        onFail: 'error'

zap/delete_data.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+MAX_MEMBER_ID=$(psql -t -c 'select max(id) from dtb_member;')
+MAX_TAG_ID=$(psql -t -c 'select max(id) from dtb_tag;')
+
+while true
+do
+    psql -c "
+delete from dtb_page_layout where page_id in (select id from dtb_page where create_date between now() - interval '24:00' and now() - interval '00:00:05');
+delete from dtb_page where create_date between now() - interval '24:00' and now() - interval '00:00:06';
+delete from dtb_delivery_fee where delivery_id in (select id from dtb_delivery where create_date between now() - interval '24:00' and now() - interval '00:00:05');
+delete from dtb_payment_option where delivery_id in (select id from dtb_delivery where create_date between now() - interval '24:00' and now() - interval '00:00:05');
+delete from dtb_delivery where create_date between now() - interval '24:00' and now() - interval '00:00:06';
+delete from dtb_payment where create_date between now() - interval '24:00' and now() - interval '00:00:06';
+delete from dtb_block_position where layout_id in (select id from dtb_layout where create_date between now() - interval '24:00' and now() - interval '00:00:05');
+delete from dtb_block where create_date between now() - interval '24:00' and now() - interval '00:00:06' and id not in (select distinct block_id from dtb_block_position);
+delete from dtb_layout where create_date between now() - interval '24:00' and now() - interval '00:00:06';
+delete from dtb_category where create_date between now() - interval '24:00' and now() - interval '00:00:06';
+delete from dtb_class_category where class_name_id in (select id from dtb_class_name where create_date between now() - interval '24:00' and now() - interval '00:00:05');
+delete from dtb_class_name where create_date between now() - interval '24:00' and now() - interval '00:00:06';
+delete from dtb_member where create_date between now() - interval '24:00' and now() - interval '00:00:06' and id > ${MAX_MEMBER_ID};
+delete from dtb_template where create_date between now() - interval '24:00' and now() - interval '00:00:06';
+delete from dtb_tag where id > ${MAX_TAG_ID};";
+    sleep 5
+done

zap/delete_files.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+LATEST_FILE=$(find /var/www/html/html/ -printf '%T+ %p\n' | sort -r | head -n 1 | cut -d' ' -f 2)
+
+while true
+do
+    find /var/www/html/html/ -newer $LATEST_FILE -mmin +0.1 -type f -exec rm {} +
+    sleep 10
+done

zap/generate_automation_config.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+
+cd $(dirname $0)
+
+while getopts "t:c:b:n:" OPT
+do
+    case $OPT in
+        t) ZA_TARGET=${OPTARG} ;;
+        c) ZA_CONTEXT=${OPTARG} ;;
+        b) ZA_BEFORE_SCRIPT=${OPTARG} ;;
+        n) ZA_THREAD_PER_HOST=${OPTARG} ;;
+    esac
+done
+
+ZA_THREAD_PER_HOST=${ZA_THREAD_PER_HOST:-10}
+
+if [[ -z "${ZA_CONTEXT}" ]]; then
+    if [[ ${ZA_TARGET} =~ 'admin' ]]; then
+        ZA_CONTEXT=admin
+        ZA_USER=admin
+        ZA_FORCE_ADMIN_CONFIG="
+  - type: script
+    parameters:
+      action: add
+      type: standalone
+      name: forceuser
+      file: /zap/wrk/scripts/forceuser.groovy
+
+  - type: script
+    parameters:
+      action: run
+      type: standalone
+      name: forceuser
+"
+    else
+        ZA_CONTEXT=default
+    fi
+fi
+
+ZA_BEFORE_SCRIPT=$(echo ${ZA_BEFORE_SCRIPT} | sed 's/ //g')
+
+echo "
+CONTEXT: ${ZA_CONTEXT}
+USER: ${ZA_USER}
+THREAD_PER_HOST: ${ZA_THREAD_PER_HOST}
+TARGET: ${ZA_TARGET}
+BEFORE_SCRIPT: ${ZA_BEFORE_SCRIPT}
+"
+
+if [[ -n ${ZA_BEFORE_SCRIPT} ]]; then
+    ZA_BEFORE_SCRIPT_CONFIG="
+  - type: script
+    parameters:
+      action: add
+      type: sequence
+      name: before_script
+      file: /zap/wrk/scripts/${ZA_BEFORE_SCRIPT}
+  - type: script
+    parameters:
+      action: run
+      type: sequence
+      name: before_script"
+fi
+
+TEMPLATE=$(sed 's/"/\\"/g' automation/template.yml)
+eval "echo \"${TEMPLATE}\"" > automation/${ZA_TARGET}.yml