feat: Adds owasp rules to vacuum

functions/core/falsy.go

@@ -5,6 +5,7 @@ package core
 
 import (
 	"fmt"
+
 	"github.com/daveshanley/vacuum/model"
 	"github.com/pb33f/libopenapi/utils"
 	"gopkg.in/yaml.v3"
@@ -39,7 +40,7 @@ func (f Falsy) RunRule(nodes []*yaml.Node, context model.RuleFunctionContext) []
 
 		fieldNode, fieldNodeValue := utils.FindKeyNode(context.RuleAction.Field, node.Content)
 		if (fieldNode != nil && fieldNodeValue != nil) &&
-			(fieldNodeValue.Value != "" && fieldNodeValue.Value != "false" && fieldNodeValue.Value != "0") {
+			(fieldNodeValue.Value != "" && fieldNodeValue.Value != "false" && fieldNodeValue.Value != "0" || (fieldNodeValue.Value == "" && fieldNodeValue.Content != nil)) {
 			results = append(results, model.RuleFunctionResult{
 				Message:   fmt.Sprintf("%s: '%s' must be falsy", context.Rule.Description, context.RuleAction.Field),
 				StartNode: node,

functions/core/falsy_test.go

@@ -1,10 +1,11 @@
 package core
 
 import (
+	"testing"
+
 	"github.com/daveshanley/vacuum/model"
 	"github.com/pb33f/libopenapi/utils"
 	"github.com/stretchr/testify/assert"
-	"testing"
 )
 
 func TestFalsy_RunRule_Fail(t *testing.T) {
@@ -16,12 +17,15 @@ tags:
   - name: "non-falsy tag 2"
     description: 1
   - name: "non-falsy tag 3"
-    description: "hello"`
+    description: "hello"
+  - name: "non-falsy tag 4"
+    description:
+      hello: goodbye`
 
 	path := "$.tags[*]"
 
 	nodes, _ := utils.FindNodes([]byte(sampleYaml), path)
-	assert.Len(t, nodes, 3)
+	assert.Len(t, nodes, 4)
 
 	rule := buildCoreTestRule(path, model.SeverityError, "falsy", "description", nil)
 	ctx := buildCoreTestContext(model.CastToRuleAction(rule.Then), nil)
@@ -31,7 +35,7 @@ tags:
 	tru := Falsy{}
 	res := tru.RunRule(nodes, ctx)
 
-	assert.Len(t, res, 3)
+	assert.Len(t, res, 4)
 }
 
 func TestFalsy_RunRule_Fail_NoNodes(t *testing.T) {
@@ -72,12 +76,14 @@ tags:
  - name: "falsy tag 3"
    description: ""
  - name: "falsy Tag 4"
-   description: "0"`
+   description: "0"
+ - name: "falsy Tag 5"
+   description:`
 
 	path := "$.tags[*]"
 
 	nodes, _ := utils.FindNodes([]byte(sampleYaml), path)
-	assert.Len(t, nodes, 4)
+	assert.Len(t, nodes, 5)
 
 	rule := buildCoreTestRule(path, model.SeverityError, "Falsy", "description", nil)
 	ctx := buildCoreTestContext(model.CastToRuleAction(rule.Then), nil)

functions/core/schema.go

@@ -5,6 +5,7 @@ package core
 
 import (
 	"fmt"
+
 	"github.com/daveshanley/vacuum/model"
 	"github.com/daveshanley/vacuum/parser"
 	validationErrors "github.com/pb33f/libopenapi-validator/errors"
@@ -81,6 +82,13 @@ func (sch Schema) RunRule(nodes []*yaml.Node, context model.RuleFunctionContext)
 		schema = highBase.NewSchema(&lowSchema)
 	}
 
+	// use the current node to validate (field not needed)
+	forceValidationOnCurrentNode := utils.ExtractValueFromInterfaceMap("forceValidationOnCurrentNode", context.Options)
+	if _, ok := forceValidationOnCurrentNode.(bool); ok && len(nodes) > 0 {
+		results = append(results, validateNodeAgainstSchema(schema, nodes[0], context, 0)...)
+		return results
+	}
+
 	for x, node := range nodes {
 		if x%2 == 0 && len(nodes) > 1 {
 			continue

functions/functions.go

@@ -4,11 +4,13 @@
 package functions
 
 import (
+	"sync"
+
 	"github.com/daveshanley/vacuum/functions/core"
 	openapi_functions "github.com/daveshanley/vacuum/functions/openapi"
+	"github.com/daveshanley/vacuum/functions/owasp"
 	"github.com/daveshanley/vacuum/model"
 	"github.com/daveshanley/vacuum/plugin"
-	"sync"
 )
 
 type customFunction struct {
@@ -92,6 +94,11 @@ func MapBuiltinFunctions() Functions {
 		funcs["pathsKebabCase"] = openapi_functions.PathsKebabCase{}
 		funcs["oasOpErrorResponse"] = openapi_functions.Operation4xResponse{}
 
+		// add owasp functions used by the owasp rules
+		funcs["owaspHeaderDefinition"] = owasp.HeaderDefinition{}
+		funcs["owaspDefineErrorDefinition"] = owasp.DefineErrorDefinition{}
+		funcs["owaspCheckSecurity"] = owasp.CheckSecurity{}
+
 	})
 
 	return functionsSingleton

functions/functions_test.go

@@ -1,11 +1,12 @@
 package functions
 
 import (
-	"github.com/stretchr/testify/assert"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func TestMapBuiltinFunctions(t *testing.T) {
 	funcs := MapBuiltinFunctions()
-	assert.Len(t, funcs.GetAllFunctions(), 42)
+	assert.Len(t, funcs.GetAllFunctions(), 45)
 }

functions/owasp/check_security.go

@@ -0,0 +1,115 @@
+package owasp
+
+import (
+	"fmt"
+
+	"github.com/daveshanley/vacuum/model"
+	"github.com/pb33f/libopenapi/utils"
+	"golang.org/x/exp/slices"
+	"gopkg.in/yaml.v3"
+)
+
+type CheckSecurity struct {
+}
+
+// GetSchema returns a model.RuleFunctionSchema defining the schema of the CheckSecurity rule.
+func (cd CheckSecurity) GetSchema() model.RuleFunctionSchema {
+	return model.RuleFunctionSchema{Name: "check_security"}
+}
+
+// RunRule will execute the CheckSecurity rule, based on supplied context and a supplied []*yaml.Node slice.
+func (cd CheckSecurity) RunRule(nodes []*yaml.Node, context model.RuleFunctionContext) []model.RuleFunctionResult {
+	if len(nodes) <= 0 {
+		return nil
+	}
+
+	var nullable bool
+	nullableMap := utils.ExtractValueFromInterfaceMap("nullable", context.Options)
+	if castedNullable, ok := nullableMap.(bool); ok {
+		nullable = castedNullable
+	}
+
+	var methods []string
+	methodsMap := utils.ExtractValueFromInterfaceMap("methods", context.Options)
+	if castedMethods, ok := methodsMap.([]string); ok {
+		methods = castedMethods
+	}
+
+	// security at the global level replaces if not defined at the operation level
+	_, valueOfSecurityGlobalNode := utils.FindFirstKeyNode("security", nodes, 0)
+
+	var results []model.RuleFunctionResult
+	_, valueOfPathNode := utils.FindFirstKeyNode("paths", nodes, 0)
+	if valueOfPathNode == nil {
+		return nil
+	}
+
+	for i := 1; i < len(valueOfPathNode.Content); i += 2 {
+		for j := 0; j < len(valueOfPathNode.Content[i].Content); j += 2 {
+			if slices.Contains([]string{
+				"get",
+				"head",
+				"post",
+				"put",
+				"patch",
+				"delete",
+				"options",
+				"trace",
+			}, valueOfPathNode.Content[i].Content[j].Value) && slices.Contains(methods, valueOfPathNode.Content[i].Content[j].Value) && len(valueOfPathNode.Content[i].Content) > j+1 {
+				operation := valueOfPathNode.Content[i].Content[j+1]
+				results = append(results, checkSecurityRule(operation, valueOfSecurityGlobalNode, nullable, valueOfPathNode.Content[i-1].Value, valueOfPathNode.Content[i].Content[j].Value, context)...)
+			}
+		}
+	}
+
+	return results
+}
+
+func checkSecurityRule(operation *yaml.Node, valueOfSecurityGlobalNode *yaml.Node, nullable bool, pathPrefix, method string, context model.RuleFunctionContext) []model.RuleFunctionResult {
+	_, valueOfSecurityNode := utils.FindFirstKeyNode("security", operation.Content, 0)
+	if valueOfSecurityNode == nil { // if not defined at the operation level, use global
+		valueOfSecurityNode = valueOfSecurityGlobalNode
+	}
+	if valueOfSecurityNode == nil {
+		return []model.RuleFunctionResult{
+			{
+				Message:   fmt.Sprintf("security' was not defined: for path %q in method %q.", pathPrefix, method),
+				StartNode: operation,
+				EndNode:   operation,
+				Path:      fmt.Sprintf("$.paths.%s.%s", pathPrefix, method),
+				Rule:      context.Rule,
+			},
+		}
+	}
+	if len(valueOfSecurityNode.Content) == 0 {
+		return []model.RuleFunctionResult{
+			{
+				Message:   fmt.Sprintf("'security' is empty: for path %q in method %q.", pathPrefix, method),
+				StartNode: valueOfSecurityNode,
+				EndNode:   valueOfSecurityNode,
+				Path:      fmt.Sprintf("$.paths.%s.%s.security", pathPrefix, method),
+				Rule:      context.Rule,
+			},
+		}
+	}
+	if valueOfSecurityNode.Kind == yaml.SequenceNode {
+		var results []model.RuleFunctionResult
+		for k := 0; k < len(valueOfSecurityNode.Content); k++ {
+			if valueOfSecurityNode.Content[k].Kind != yaml.MappingNode {
+				continue
+			}
+			if len(valueOfSecurityNode.Content[k].Content) == 0 && !nullable {
+				results = append(results, model.RuleFunctionResult{
+					Message:   fmt.Sprintf("'security' has null elements: for path %q in method %q with element.", pathPrefix, method),
+					StartNode: valueOfSecurityNode.Content[k],
+					EndNode:   utils.FindLastChildNodeWithLevel(valueOfSecurityNode.Content[k], 0),
+					Path:      fmt.Sprintf("$.paths.%s.%s.security", pathPrefix, method),
+					Rule:      context.Rule,
+				})
+			}
+		}
+		return results
+	}
+
+	return nil
+}

functions/owasp/check_security_test.go

@@ -0,0 +1,55 @@
+package owasp
+
+import (
+	"testing"
+
+	"github.com/daveshanley/vacuum/model"
+	"github.com/pb33f/libopenapi/utils"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCheckSecurity_GetSchema(t *testing.T) {
+	def := CheckSecurity{}
+	assert.Equal(t, "check_security", def.GetSchema().Name)
+}
+
+func TestCheckSecurity_RunRule(t *testing.T) {
+	def := CheckSecurity{}
+	res := def.RunRule(nil, model.RuleFunctionContext{})
+	assert.Len(t, res, 0)
+}
+
+func TestCheckSecurity_SecurityMissing(t *testing.T) {
+
+	yml := `openapi: 3.0.1
+info:
+  version: "1.2.3"
+  title: "securitySchemes"
+paths:
+  /security-gloabl-ok-put:
+    put:
+      responses: {}
+  /security-ok-put:
+    put:
+      responses: {}
+components:
+  securitySchemes:
+    BasicAuth:
+      type: http
+      scheme: basic`
+
+	path := "$"
+
+	nodes, _ := utils.FindNodes([]byte(yml), path)
+
+	rule := buildOpenApiTestRuleAction(path, "check_security", "", nil)
+	ctx := buildOpenApiTestContext(model.CastToRuleAction(rule.Then), map[string]interface{}{
+		"methods": []string{"put"},
+	})
+
+	def := CheckSecurity{}
+	res := def.RunRule(nodes, ctx)
+
+	assert.Len(t, res, 2)
+
+}

functions/owasp/define_error_definition.go

@@ -0,0 +1,45 @@
+package owasp
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/daveshanley/vacuum/model"
+	"github.com/pb33f/libopenapi/utils"
+	"gopkg.in/yaml.v3"
+)
+
+type DefineErrorDefinition struct {
+}
+
+// GetSchema returns a model.RuleFunctionSchema defining the schema of the DefineError rule.
+func (cd DefineErrorDefinition) GetSchema() model.RuleFunctionSchema {
+	return model.RuleFunctionSchema{Name: "define_error_definition"}
+}
+
+// RunRule will execute the DefineError rule, based on supplied context and a supplied []*yaml.Node slice.
+func (cd DefineErrorDefinition) RunRule(nodes []*yaml.Node, context model.RuleFunctionContext) []model.RuleFunctionResult {
+
+	if len(nodes) <= 0 {
+		return nil
+	}
+
+	var responseCode string
+	for i, node := range nodes[0].Content {
+		if i%2 == 0 {
+			responseCode = node.Value
+		} else if responseCode == "400" || responseCode == "422" || strings.ToUpper(responseCode) == "4XX" {
+			return []model.RuleFunctionResult{}
+		}
+	}
+
+	return []model.RuleFunctionResult{
+		{
+			Message:   "Error '400', '422' or '4XX' was not defined",
+			StartNode: nodes[0],
+			EndNode:   utils.FindLastChildNodeWithLevel(nodes[0], 0),
+			Path:      fmt.Sprintf("%s", context.Given),
+			Rule:      context.Rule,
+		},
+	}
+}