From e7261fc75f9e6efd9943cf2df65e38a21906553f Mon Sep 17 00:00:00 2001
From: Darkiros
Date: Tue, 25 Jun 2024 14:23:50 +0200
Subject: [PATCH] Fix the out of scope issue with swagger option
---
 tests/cli/test_options.py | 15 +++++++++++++++
 wapitiCore/main/wapiti.py | 8 +++++++-
 wapitiCore/parsers/swagger.py | 6 ++----
 3 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/tests/cli/test_options.py b/tests/cli/test_options.py
index 9c46dca96..1903095cd 100644
--- a/tests/cli/test_options.py
+++ b/tests/cli/test_options.py
@@ -455,3 +455,18 @@ async def test_basic_usage(_, __):
 with mock.patch.object(sys, "argv", testsagrs):
 await wapiti_main()
+
+@pytest.mark.asyncio
+@mock.patch("wapitiCore.controller.wapiti.Wapiti.add_start_url")
+async def test_out_of_scope_swagger(mock_add_start_url):
+ """Test with out of scope swagger"""
+ testsagrs = [
+ "wapiti",
+ "--url", "http://testphp.vulnweb.com/",
+ "--swagger", "./tests/data/openapi3.yaml",
+ "-m", ""
+ ]
+
+ with mock.patch.object(sys, "argv", testsagrs):
+ await wapiti_main()
+ mock_add_start_url.assert_not_called()
\ No newline at end of file
diff --git a/wapitiCore/main/wapiti.py b/wapitiCore/main/wapiti.py
index 50239291d..4b124381d 100755
--- a/wapitiCore/main/wapiti.py
+++ b/wapitiCore/main/wapiti.py
@@ -194,8 +194,14 @@ async def wapiti_main():
 if args.swagger_uri:
 swagger = Swagger(swagger_url=args.swagger_uri, base_url=url)
+ nb_out = 0
 for request in swagger.get_requests():
- wap.add_start_url(request)
+ if wap.target_scope.check(request):
+ wap.add_start_url(request)
+ else:
+ nb_out += 1
+ if nb_out > 0:
+ logging.warning(f"[!] {nb_out} out of scope requests from the Swagger file are not added.")
 try:
 for start_url in args.starting_urls:
diff --git a/wapitiCore/parsers/swagger.py b/wapitiCore/parsers/swagger.py
index 89199b09e..8d2e03d98 100644
--- a/wapitiCore/parsers/swagger.py
+++ b/wapitiCore/parsers/swagger.py
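Review bot: In test_out_of_scope_swagger only `Wapiti.add_start_url` is patched, while the neighbouring test_basic_usage takes two mock arguments, so `wapiti_main()` may run its real crawl against `http://testphp.vulnweb.com/` here; confirm that no network access happens, or patch the same calls the other tests in this file patch. The test also covers only the rejecting path: a companion case using a Swagger file whose requests are in scope, ending in `mock_add_start_url.assert_called()`, would show that the new check does not simply drop everything. The file now ends without a trailing newline.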
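Review bot: The new warning in wapiti_main reports only a count, so the operator cannot tell which Swagger requests were left out or confirm that the scope filter matched what they intended. Logging each rejected request in the `else:` branch, for example `logging.debug(f"[!] Out of scope Swagger request skipped: {request}")`, would make the filter auditable. The check is also placed at this call site rather than inside `add_start_url`; whether the `args.starting_urls` loop just below applies the same check is not visible in the hunk and is worth confirming. wapiti_main starts and ends outside the hunk.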
@@ -197,10 +197,8 @@ def is_valid_url(url) -> bool:
 def _get_routes(self, swagger_dict: dict, swagger_url: str, base_url: str) -> dict:
- if Swagger.is_valid_url(swagger_url):
- url = swagger_url
- else:
- url = base_url
+ # We use the url from the -u unless the swagger file has one
+ url = base_url
 request = {}
 base_path = self._get_base_url(swagger_dict, url)
 for path in swagger_dict['paths']:
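Review bot: The added comment in _get_routes says the `-u` URL is used "unless the swagger file has one", but the line below it assigns `url = base_url` unconditionally; any override presumably happens inside `_get_base_url`, which is not shown. A comment that matches the code would be `# Always start from the target URL (-u); _get_base_url decides whether the Swagger file overrides it`. As far as the hunk shows, the `swagger_url` parameter is no longer read in this method, so it is worth either dropping it in a follow-up or documenting that it is kept for interface compatibility. The method body continues outside the hunk.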