Add functionalities to solve logging issues found in pentest

* Field existance check * Print stack trace enable/disable configuration field
buerokratt · Jun 4, 2024 · bcfcee6 · bcfcee6
1 parent c5bc63f
commit bcfcee6
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 5 deletions.
diff --git a/src/main/java/ee/buerokratt/ruuter/controller/CustomExceptionHandler.java b/src/main/java/ee/buerokratt/ruuter/controller/CustomExceptionHandler.java
@@ -0,0 +1,4 @@
+package ee.buerokratt.ruuter.controller;
+
+public class CustomExceptionHandler {
+}
diff --git a/src/main/java/ee/buerokratt/ruuter/domain/DslInstance.java b/src/main/java/ee/buerokratt/ruuter/domain/DslInstance.java
@@ -14,6 +14,7 @@
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 
+import org.springframework.context.annotation.Bean;
 import org.springframework.http.HttpStatus;
 
 import java.util.HashMap;
@@ -94,7 +95,11 @@ private void executeStep(String stepName, List<String> stepNames) {
 
                 if (getProperties().getStopInCaseOfException() != null && getProperties().getStopInCaseOfException()) {
                     Thread.currentThread().interrupt();
-                    throw new StepExecutionException(name, e);
+                    if (properties.getLogging().getPrintStackTrace() != null && properties.getLogging().getPrintStackTrace())
+                        throw new StepExecutionException(name, e);
+                    else {
+                        log.error("%s: %s".formatted(name, e.getMessage()));
+                    }
                 }
             }
 

diff --git a/src/main/java/ee/buerokratt/ruuter/domain/Logging.java b/src/main/java/ee/buerokratt/ruuter/domain/Logging.java
@@ -16,4 +16,6 @@ public class Logging {
     private Boolean displayResponseContent;
 
     private Boolean meaningfulErrors;
+
+    private Boolean printStackTrace;
 }
diff --git a/src/main/java/ee/buerokratt/ruuter/domain/steps/DeclarationStep.java b/src/main/java/ee/buerokratt/ruuter/domain/steps/DeclarationStep.java
@@ -1,5 +1,6 @@
 package ee.buerokratt.ruuter.domain.steps;
 
+import com.fasterxml.jackson.annotation.JsonAlias;
 import ee.buerokratt.ruuter.domain.DslInstance;
 import lombok.*;
 import lombok.extern.slf4j.Slf4j;
@@ -37,22 +38,23 @@ public String getType() {
         return "declare";
     }
 
+
     public List<String> getAllowedBody() {
-        if (allowedBody == null) {
+        if (allowedBody == null && allowlist != null && allowlist.body != null) {
             allowedBody = allowlist.body.stream().map(field -> field.getField()).toList();
         }
         return allowedBody;
     }
 
     public List<String> getAllowedHeader() {
-        if (allowedHeader == null) {
+        if (allowedHeader == null && allowlist != null && allowlist.header != null) {
             allowedHeader = allowlist.header.stream().map(field -> field.getField()).toList();
         }
         return allowedHeader;
     }
 
     public List<String> getAllowedParams() {
-        if (allowedParams == null) {
+        if (allowedParams == null && allowlist != null && allowlist.params != null) {
             allowedParams = allowlist.params.stream().map(field -> field.getField()).toList();
         }
         return allowedParams;
@@ -61,8 +63,8 @@ public List<String> getAllowedParams() {
     @Getter
     public class AllowList {
         List<DslField> body;
+        @JsonAlias("headers")
         List<DslField> header;
         List<DslField> params;
     }
-
 }
diff --git a/src/main/java/ee/buerokratt/ruuter/service/DslService.java b/src/main/java/ee/buerokratt/ruuter/service/DslService.java
@@ -6,6 +6,7 @@
 import ee.buerokratt.ruuter.domain.steps.DslStep;
 import ee.buerokratt.ruuter.helper.*;
 import ee.buerokratt.ruuter.helper.exception.LoadDslsException;
+import ee.buerokratt.ruuter.service.exception.StepExecutionException;
 import ee.buerokratt.ruuter.util.FileUtils;
 import ee.buerokratt.ruuter.util.LoggingUtils;
 import io.swagger.v3.oas.models.OpenAPI;
@@ -140,8 +141,13 @@ public DslInstance execute(String dslName, String requestType, Map<String, Objec
 
             if (dsl.getDeclaration() != null) {
                 requestBody = filterFields(requestBody, dsl.getDeclaration().getAllowedBody());
+                if (requestType.toUpperCase() == "POST")
+                    checkFields(requestBody, dsl.getDeclaration().getAllowedBody());
+
                 requestHeaders = filterFields(requestHeaders, dsl.getDeclaration().getAllowedHeader());
                 requestQuery = filterFields(requestQuery, dsl.getDeclaration().getAllowedParams());
+                if (requestType.toUpperCase() == "GET")
+                    checkFields(requestQuery, dsl.getDeclaration().getAllowedBody());
             }
             log.debug("body after: "+ LoggingUtils.mapDeepToString(requestBody));
         } else {
@@ -234,6 +240,21 @@ <V> Map<String, V> filterFields(Map<String, V> requestFields, List<String> allow
             .collect(toMap(Map.Entry::getKey, Map.Entry::getValue));
     }
 
+    <V> void checkFields(Map<String, V> requestFields, List<String> requestedFields) {
+        requestedFields.forEach((field) -> {
+                if (!requestFields.containsKey(field)) {
+                    String message = "Field missing: %s".formatted(field);
+                    if (properties.getLogging().getPrintStackTrace() != null && properties.getLogging().getPrintStackTrace())
+                        throw new StepExecutionException("declare", new Exception(message));
+                    else {
+                        log.error(message);
+                        Thread.currentThread().interrupt();
+                    }
+                }
+            }
+        );
+    }
+
     public OpenAPI getOpenAPISpec() {
         if (openApiBuilder == null)
             throw new RuntimeException("OpenAPI spec not generated");