DAST throws an error when no URLs are imported on an API scan
Summary
When a DAST API scan is executed, DAST imports an OpenAPI specification. The specification is parsed by ZAP for URL endpoint definitions. These endpoints are imported as URLs.
Unfortunately, when the number of imported URLs is zero, DAST throws an exception.
Steps to reproduce
Run a DAST scan, using the following OpenAPI specification:
{
  "swagger": "2.0",
  "info": {
    "title": "API",
    "description": "API with no URLs",
    "version": "1.0.0"
  },
  "host": "hostname",
  "schemes": ["http"],
  "paths": {},
  "definitions": {}
}
What is the current bug behavior?
DAST throws an exception.
2020-05-20 16:36:24,659 Number of Imported URLs: 0
2020-05-20 16:36:24,659 Trigger hook: urls_imported, args: 2
2020-05-20 16:36:24,659 Unexpected error: <class 'IndexError'>
Traceback (most recent call last):
  File "/zap/zap_api_scan_original.py", line 392, in main
    trigger_hook('urls_imported', zap, urls)
  File "/zap/zap_common.py", line 111, in trigger_hook
    response = hook_fn(*args_list, **kwargs)
  File "/zap/custom_hooks.py", line 43, in urls_imported
    self.zaproxy.new_session(zap, urls[0])
IndexError: list index out of range
What is the expected correct behavior?
DAST should import zero URLs, and continue.
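The following is an added example, not code from this issue or from DAST itself. It sketches the expected behavior: a pre-flight count of the endpoints a Swagger 2.0 specification defines, and a hook that continues when that count is zero. The names `endpoint_urls`, the `new_session` callback, and the URL-building rules are assumptions for illustration; ZAP's own importer may derive URLs differently.

```python
import json

# HTTP methods that Swagger 2.0 allows as operation keys under a path item.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

# Constructed sample: the empty specification from this issue.
EMPTY_SPEC = json.loads("""{
  "swagger": "2.0", "info": {"title": "API", "version": "1.0.0"},
  "host": "hostname", "schemes": ["http"], "paths": {}, "definitions": {}
}""")

# Constructed sample: the same specification with one path added.
ONE_PATH_SPEC = dict(EMPTY_SPEC, basePath="/v1",
                     paths={"/users": {"get": {}, "post": {}, "parameters": []}})


def endpoint_urls(spec):
    """Return the sorted URLs for which a Swagger 2.0 spec defines operations."""
    host = spec.get("host", "localhost")  # placeholder default, an assumption
    base = spec.get("basePath", "").rstrip("/")
    urls = set()
    for scheme in spec.get("schemes") or ["http"]:
        for path, item in (spec.get("paths") or {}).items():
            # A path item without operations (only "parameters" etc.) yields no URL.
            if isinstance(item, dict) and HTTP_METHODS & {k.lower() for k in item}:
                urls.add(f"{scheme}://{host}{base}{path}")
    return sorted(urls)


def urls_imported(urls, new_session):
    """Hypothetical guarded hook: start a session only when a URL exists.

    Returns True if a session was started, False if the list was empty.
    """
    if not urls:
        return False  # zero URLs imported: continue without indexing urls[0]
    new_session(urls[0])
    return True
```

Running `endpoint_urls` on the specification before the scan also lets a pipeline report an empty `paths` object explicitly, rather than discovering it through the scan log.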