Support gRPC testing with API Fuzzer
Problem to solve
As a user I want to perform security testing of gRPC based web APIs.
gRPC is a high-performance web API technology from Google used by leading technology companies. Its usage is becoming more widespread, especially for microservice implementations. It operates using a binary protocol that requires specialized support to be tested.
Proposal
This issue would add gRPC support, not HTTP/2. While gRPC is commonly used with HTTP/2, it is not a requirement.
Experimental support for gRPC exists in the api-fuzzing-src:feature/grpc2 branch.
gRPC services are defined using Protocol Buffers IDL language. These service definitions are then compiled into communication stubs in a chosen language. The gRPC compiler also supports outputting the service definition in a JSON format that can be loaded at runtime.
The experimental support for gRPC uses the JSON format to understand a gRPC service call dynamically at runtime.
Process:
- User provides IDL language .proto files that describe the target service
- API Fuzzer converts the IDL files into JSON files. This conversion is performed using a new service running in the container. The service uses the Google gRPC SDK to compile IDL files into JSON.
- API Fuzzer loads the JSON files into the C# gRPC library and performs calls to gRPC services
It may be possible to replace the service in step 2 with the newer gRPC library for .NET Core 3.1. Alternatively, the user could be required to pre-compile the IDL.
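As an added illustration of steps 2 and 3 (this is example code, not the api-fuzzing-src branch, which uses the gRPC SDK compiler): a minimal Python parser that turns a constructed .proto file into the kind of JSON service description a fuzzer loads at runtime, then pairs each rpc's full method name with the request fields it would mutate. It assumes flat proto3 definitions only; nested messages, enums, oneof and imports are out of scope.

```python
import json
import re

# Constructed sample .proto for this example; it is not taken from the issue.
SAMPLE_PROTO = """syntax = "proto3";
package demo.user;
message GetUserRequest { string id = 1; }
message User { string id = 1; string email = 2; repeated string roles = 3; }
message Empty {}
service UserService {
  rpc GetUser (GetUserRequest) returns (User);   // unary
  rpc WatchUsers (Empty) returns (stream User);  // server streaming
}
"""

# Flat proto3 only: nested messages, enums, oneof and imports are out of scope.
_MESSAGE_RE = re.compile(r"message\s+(\w+)\s*\{([^}]*)\}", re.S)
_FIELD_RE = re.compile(r"(repeated\s+)?([\w.]+)\s+(\w+)\s*=\s*(\d+)\s*;")
_SERVICE_RE = re.compile(r"service\s+(\w+)\s*\{([^}]*)\}", re.S)
_RPC_RE = re.compile(r"rpc\s+(\w+)\s*\(\s*(stream\s+)?([\w.]+)\s*\)\s*returns\s*\(\s*(stream\s+)?([\w.]+)\s*\)")

def parse_proto(text):
    """Return a JSON-serialisable description of the messages and services in `text`."""
    text = re.sub(r"//[^\n]*", "", text)  # drop line comments before matching
    pkg = re.search(r"package\s+([\w.]+)\s*;", text)
    messages = {
        name: [{"name": fname, "type": ftype, "number": int(num), "repeated": bool(rep)}
               for rep, ftype, fname, num in _FIELD_RE.findall(body)]
        for name, body in _MESSAGE_RE.findall(text)
    }
    services = {
        sname: [{"name": m, "input": itype, "output": otype,
                 "client_streaming": bool(istream), "server_streaming": bool(ostream)}
                for m, istream, itype, ostream, otype in _RPC_RE.findall(body)]
        for sname, body in _SERVICE_RE.findall(text)
    }
    return {"package": pkg.group(1) if pkg else "", "messages": messages, "services": services}

def fuzz_targets(desc):
    """Pair each rpc's full method name with its request fields: the surface a fuzzer mutates."""
    return [{"method": f"{desc['package']}.{sname}/{m['name']}",
             "fields": [f["name"] for f in desc["messages"].get(m["input"].split(".")[-1], [])]}
            for sname, methods in desc["services"].items() for m in methods]

if __name__ == "__main__":
    desc = parse_proto(SAMPLE_PROTO)
    print(json.dumps(desc, indent=2, sort_keys=True))  # the runtime-loadable JSON form
    print(fuzz_targets(desc))
```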
MIKE: The existing exploratory support for gRPC needs to be reviewed to determine what additional work is needed. The current architecture of gRPC support needs to be reviewed, specifically if the compiler service can be removed with .NET Core native gRPC support.
MIKE: Found a native C# proto parser
- https://www.nuget.org/packages/protobuf-net.Reflection/
- https://github.com/protobuf-net/protobuf-net/blob/main/src/protobuf-net.Reflection/Parsers.cs
- https://stackoverflow.com/questions/62575156/how-to-parse-proto-file-into-a-filedescriptor-in-c/62579246#62579246
/cc @sethgitlab @stkerr
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.