Merge pull request #269 from noir-cr/improve-test-code

Add /token endpoint for authentication for testcode
owasp-noir · Mar 29, 2024 · ff6d794 · ff6d794
2 parents 3969584 + 27b1b5f
commit ff6d794
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 5 deletions.
diff --git a/spec/functional_test/fixtures/crystal_kemal/src/testapp.cr b/spec/functional_test/fixtures/crystal_kemal/src/testapp.cr
@@ -10,6 +10,12 @@ post "/query" do
   env.params.body["query"].as(String)
 end
 
+get "/token" do
+  env.params.body["client_id"].as(String)
+  env.params.body["redirect_url"].as(String)
+  env.params.body["grant_type"].as(String)
+end
+
 ws "/socket" do |socket|
   socket.send "Hello from Kemal!"
 end

diff --git a/spec/functional_test/testers/crystal_kemal_spec.cr b/spec/functional_test/testers/crystal_kemal_spec.cr
@@ -7,11 +7,16 @@ extected_endpoints = [
     Param.new("query", "", "form"),
     Param.new("my_auth", "", "cookie"),
   ]),
+  Endpoint.new("/token", "GET", [
+    Param.new("grant_type", "", "form"),
+    Param.new("redirect_url", "", "form"),
+    Param.new("client_id", "", "form"),
+  ]),
   Endpoint.new("/1.html", "GET"),
   Endpoint.new("/2.html", "GET"),
 ]
 
 FunctionalTester.new("fixtures/crystal_kemal/", {
   :techs     => 1,
-  :endpoints => 5,
+  :endpoints => 6,
 }, extected_endpoints).test_all
diff --git a/src/output_builder/common.cr b/src/output_builder/common.cr
@@ -31,8 +31,13 @@ class OutputBuilderCommon < OutputBuilder
         r_buffer += "\n  ○ body: #{r_body}"
       end
 
-      if baked[:tags].size > 0
-        r_tags = baked[:tags].join(" ").colorize(:light_magenta).toggle(@is_color)
+      tags = baked[:tags]
+      endpoint.tags.each do |tag|
+        tags << tag.name.to_s
+      end
+
+      if tags.size > 0
+        r_tags = tags.join(" ").colorize(:light_magenta).toggle(@is_color)
         r_buffer += "\n  ○ tags: #{r_tags}"
       end
 

diff --git a/src/tagger/taggers/oauth.cr b/src/tagger/taggers/oauth.cr
@@ -2,7 +2,7 @@ require "../../models/tagger"
 require "../../models/endpoint"
 
 class OAuthTagger < Tagger
-  WORDS = ["grant_type", "code", "redirect_uri", "client_id", "client_secret"]
+  WORDS = ["grant_type", "code", "redirect_uri", "redirect_url", "client_id", "client_secret"]
 
   def initialize(options : Hash(Symbol, String))
     super
@@ -17,8 +17,12 @@ class OAuthTagger < Tagger
         tmp_params.push param.name.to_s
       end
 
+      words_set = Set.new(WORDS)
+      tmp_params_set = Set.new(tmp_params)
+      intersection = words_set & tmp_params_set
+
       # Check that at least three parameters match.
-      check = (WORDS & tmp_params).size >= 3
+      check = intersection.size.to_i >= 3
 
       if check
         tag = Tag.new("oauth", "Suspected OAuth endpoint for granting 3rd party access.", "Oauth")