From 969d1d15b0c4518a8f2bc74ba245e487f64a7e0c Mon Sep 17 00:00:00 2001
From: SOOS-MMalony <94386102+SOOS-MMalony@users.noreply.github.com>
Date: Wed, 24 Apr 2024 10:12:28 -0700
Subject: [PATCH] PA-13820 Support regex for authVerificationURL (#112)
* PA-13820 Support regex for authVerificationURL
---
 README.md | 2 +-
 package-lock.json | 4 ++--
 package.json | 2 +-
 src/index.ts | 2 +-
 src/zap_hooks/helpers/auth.py | 5 +++--
 5 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 354df40..92476ec 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@ The basic command to run a baseline scan would look like:
 | `--authSubmitField` | | Submit button id to use when authentication is required |
 | `--authUsername` | | Username to use when authentication is required |
 | `--authUsernameField` | | Username input id to use when authentication is required |
-| `--authVerificationURL` | | URL used to verify authentication success, should be an URL that is expected to throw 200/302 during any authFormType authentication. If authentication fails when this URL is provided, the scan will be terminated. |
+| `--authVerificationURL` | | URL used to verify authentication success, should be an URL that is expected to throw 200/302 during any authFormType authentication. If authentication fails when this URL is provided, the scan will be terminated. Supports plain URL or regex URL.|
 | `--bearerToken` | | Bearer token to authenticate |
 | `--branchName` | | The name of the branch from the SCM System |
 | `--branchURI` | | The URI to the branch from the SCM System |
diff --git a/package-lock.json b/package-lock.json
index de24edc..15f2e94 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "soos-dast",
- "version": "2.0.31",
+ "version": "2.0.32",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "soos-dast",
- "version": "2.0.31",
+ "version": "2.0.32",
 "license": "MIT",
 "dependencies": {
 "@soos-io/api-client": "0.2.47",
diff --git a/package.json b/package.json
index 285588f..d204f24 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "soos-dast",
- "version": "2.0.31",
+ "version": "2.0.32",
 "description": "SOOS DAST - The affordable no limit web vulnerability scanner",
 "main": "index.js",
 "scripts": {
diff --git a/src/index.ts b/src/index.ts
index 45240c8..b09f0b4 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -152,7 +152,7 @@ class SOOSDASTAnalysis {
 });
 analysisArgumentParser.argumentParser.add_argument("--authVerificationURL", {
- help: "URL used to verify authentication success, should be an URL that is expected to throw 200/302 during any authFormType authentication. If authentication fails when this URL is provided, the scan will be terminated.",
+ help: "URL used to verify authentication success, should be an URL that is expected to throw 200/302 during any authFormType authentication. If authentication fails when this URL is provided, the scan will be terminated. Supports plain URL or regex URL.",
 required: false,
 });
diff --git a/src/zap_hooks/helpers/auth.py b/src/zap_hooks/helpers/auth.py
index e00d6df..66fbc96 100644
--- a/src/zap_hooks/helpers/auth.py
+++ b/src/zap_hooks/helpers/auth.py
@@ -114,14 +114,15 @@ def validate_authentication_url(driver, url):
 log(f"Validating authentication url: {url}")
 url_found = False
 for request in driver.requests:
- if request.response and url in request.url:
+ if request.response and (url in request.url or search(url, request.url) is not None):
 url_found = True
- log(f"Checking response status code {request.response}")
+ log(f"Checking response status code {request.response} for {request.url}")
 if request.response.status_code not in [200, 302]:
 log(f"Status code is not 200/302 for {request.url}, it is {request.response.status_code}")
 sys.exit(1)
 else:
 log(f"Status code is {request.response.status_code} for {request.url}, authentication was successful")
+ break
 if not url_found:
 log(f"Authentication url {url} was not found, authentication failed.")
 sys.exit(1)
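Review bot: The new `search(url, request.url)` call compiles an operator-supplied string as a regular expression on every loop iteration, and a plain URL containing an unbalanced `(` or `[` makes it raise `re.error`, which nothing in the hunk catches, so a bad pattern surfaces as a traceback instead of taking the function's `log(...)` plus `sys.exit(1)` failure path. Compiling the pattern once before the loop and exiting cleanly on `re.error` fixes that and also stops recompiling per request; this assumes `search` here is `re.search` imported by name, in which case `re` (or `re.error`) must be imported alongside it. Because the substring test runs first, a plain URL still matches itself, but a loose regex (one that also matches the login page request, for example) now decides the outcome on its first hit due to the added `break`, so the help text could state that the pattern is matched unanchored against every captured request URL and the first matching response is the one checked. The `validate_authentication_url` signature is outside the hunk.
```python
    log(f"Validating authentication url: {url}")
    # Compile once: an invalid pattern must fail the scan cleanly, not as a traceback,
    # and the compiled object avoids re-parsing the pattern for every captured request.
    try:
        url_pattern = re.compile(url)
    except re.error as exc:
        log(f"Authentication url {url} is not a valid regular expression: {exc}")
        sys.exit(1)
    url_found = False
    for request in driver.requests:
        if request.response and (url in request.url or url_pattern.search(request.url) is not None):
            # … unchanged: url_found, status-code check, logging, break …
```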