Prefer `_OPENAPI` variable URL over contents of OpenAPI documents
## Problem

When determining the URL to test for API Security, the contents of the OpenAPI document are currently used over the URL in the `_OPENAPI` variable (`FUZZAPI_OPENAPI` / `DAST_API_OPENAPI`). Instead, the variable should take precedence over the document contents.

This issue is about how we calculate the target URL when none of `DAST_API_HOST_OVERRIDE`, `DAST_API_TARGET_URL`, or `environment_url.txt` is provided.
## Proposal

Change the order of precedence in the runner code:

- Combine the variable URL with the OpenAPI v2 `basePath`.
- Combine the variable URL with the path of the OpenAPI v3 server URL.
  - Server URL: `http://myfancyservice/api/v1` + `FUZZAPI_OPENAPI=http://target/swagger` --> `http://target/api/v1`
  - Server URL:
- Otherwise use the OpenAPI URL directly, removing the last path element.
  - Example: `http://target/api/openapispec` --> `http://target/api` (with `openapispec` removed).
  - Example:
- If the OpenAPI variable doesn't contain a URL, use the document's URLs when possible.
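The precedence rules above, worked through as an added example written for this page; it is not the runner's own code. It assumes the document has already been parsed into a dict (`spec`), that a v2 document is recognised by its `swagger` key and a v3 document by `servers`, that only the first v3 server entry is considered, and that v3 server URL templates (`{var}`) are not expanded. The `target_url`, `_document_path`, `_document_url`, `_with_path` and `_is_url` names are this example's own. Giving the CI variable precedence also keeps the scan pointed at the host the pipeline was configured for, rather than at whatever host the document's `servers` or `host` entries happen to name.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def _is_url(value: str) -> bool:
    """True when the value is an absolute URL (scheme and host present)."""
    parts = urlsplit(value)
    return bool(parts.scheme and parts.netloc)


def _with_path(url: str, path: str) -> str:
    """Keep the scheme and host of `url`; replace everything after them with `path`."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def _document_path(spec: dict) -> Optional[str]:
    """Path the document declares for the API: v2 `basePath`, or the path
    component of the first v3 server URL (absolute or relative).
    Returns None when nothing usable is declared.
    Assumption: v3 server URL templates ({var}) are not expanded here."""
    if "swagger" in spec:  # OpenAPI v2 document
        return spec.get("basePath") or None
    servers = spec.get("servers") or []  # OpenAPI v3 document
    if servers and isinstance(servers[0], dict) and servers[0].get("url"):
        return urlsplit(servers[0]["url"]).path or None
    return None


def _document_url(spec: dict) -> Optional[str]:
    """Absolute URL the document itself declares; used only as a last resort."""
    if "swagger" in spec:  # v2: schemes + host + basePath
        host = spec.get("host")
        if not host:
            return None
        scheme = (spec.get("schemes") or ["https"])[0]  # assumption: https when unspecified
        return f"{scheme}://{host}{spec.get('basePath') or ''}"
    servers = spec.get("servers") or []  # v3: first server entry, if absolute
    if servers and isinstance(servers[0], dict):
        url = servers[0].get("url") or ""
        if _is_url(url):
            return url
    return None


def target_url(openapi_var: str, spec: dict) -> Optional[str]:
    """Target URL with the `_OPENAPI` variable taking precedence over the document.

    1. Variable is a URL and the document declares a path: the variable's
       scheme and host combined with that path.
    2. Variable is a URL and no path is declared: the variable URL with its
       last path element removed.
    3. Variable is not a URL (e.g. a file name): the document's own URL,
       if it declares one; otherwise None.
    """
    if _is_url(openapi_var):
        doc_path = _document_path(spec)
        if doc_path is not None:
            return _with_path(openapi_var, doc_path)
        parent = urlsplit(openapi_var).path.rsplit("/", 1)[0]
        return _with_path(openapi_var, parent)
    return _document_url(spec)


if __name__ == "__main__":
    # Constructed sample documents, trimmed to the fields that matter here.
    v3 = {"openapi": "3.0.0", "servers": [{"url": "http://myfancyservice/api/v1"}]}
    v2 = {"swagger": "2.0", "host": "myfancyservice", "schemes": ["https"], "basePath": "/v2"}
    bare = {"openapi": "3.0.0", "paths": {}}
    print(target_url("http://target/swagger", v3))            # http://target/api/v1
    print(target_url("http://target/swagger", v2))            # http://target/v2
    print(target_url("http://target/api/openapispec", bare))  # http://target/api
    print(target_url("openapi.json", v2))                     # https://myfancyservice/v2
```

Note that a v3 server URL with no path component (for example `http://myfancyservice`) yields no declared path in this example, so the variable URL's last path element is stripped instead; a real implementation may prefer to treat that case as the root path.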
## Tasks

- Update runner logic to calculate the target URL
- Create/update unit tests for each scenario
- E2e test for each case
- Release new container image
Edited by Herber Madrigal