Release 2.0.0 #299

Draft: wants to merge 148 commits into base: develop
148 commits
dae3d7a
Restructure directories
pablosnt Jul 8, 2023
598c5c5
Fix broken references to requirements.txt
pablosnt Jul 8, 2023
6a92c04
Fix broken references to backend directory
pablosnt Jul 8, 2023
545bc9f
Merge pull request #232 from pablosnt/feature/restructuration
pablosnt Jul 9, 2023
e54ce4c
Update Python version used by MyPy job
pablosnt Jul 9, 2023
56653fa
Debug generated EXE
pablosnt Jul 9, 2023
8fed1d9
Debug generated EXE
pablosnt Jul 9, 2023
92f528a
Fix generation of Desktop UI in Windows
pablosnt Jul 9, 2023
71a6afb
Merge pull request #238 from pablosnt/bugfix/pipelines
pablosnt Jul 9, 2023
6236b40
Initial refactoring and code optimization
pablosnt Aug 8, 2023
2d6714e
Improve input validation, add target blacklist configuration, and add…
pablosnt Aug 16, 2023
1cb640c
Add user model, authentication, authorization, security middleware an…
pablosnt Sep 6, 2023
e563783
Validate expiration for API tokens
pablosnt Sep 6, 2023
3e8437e
Add tool and configuration models
pablosnt Sep 11, 2023
7ec559b
Add process and step models
pablosnt Sep 11, 2023
c811148
Remove commented code
pablosnt Sep 11, 2023
80a20bf
Add tasks, executions and tasks modules
pablosnt Sep 21, 2023
281c842
Save tool version and installation status in database
pablosnt Sep 22, 2023
87f39f5
Migration of tool parsers, executors and queues
pablosnt Oct 8, 2023
9ae444b
Fix drf-spectacular warnings related to the Enums naming
pablosnt Oct 8, 2023
6bf5a6f
Add new integrations schema, Defect-Dojo and NVD NIST integration
pablosnt Oct 16, 2023
728976c
Add new notifications schema, Mail and Telegram
pablosnt Oct 19, 2023
7cb7eae
Improve filter fields
pablosnt Oct 20, 2023
b5b43da
Improve notifications of executions via mail
pablosnt Oct 20, 2023
f523809
Update Defect-Dojo scan types for supported tools
pablosnt Oct 20, 2023
1d056ea
Invalidate tokens before login, after logout and password changes, as…
pablosnt Oct 20, 2023
b21abd9
Fix fixtures loading after migrations
pablosnt Nov 12, 2023
a1c4728
Optimization and adaption of Telegram bot to the version 20.6
pablosnt Nov 13, 2023
34b54f9
Some Python syntax improvement
pablosnt Nov 14, 2023
2d3191a
Fix unexpected behavior on migrations management
pablosnt Nov 14, 2023
70fcb85
Send mail messages in a thread to don't stop the main execution
pablosnt Nov 14, 2023
0a69748
Remove old and useless code
pablosnt Nov 14, 2023
7c6c7b0
Some improvements: encrypt credentials stored on database, fix queues…
pablosnt Nov 16, 2023
35ce848
Initial unit tests for API operations and fixes for all the problems …
pablosnt Nov 29, 2023
59b44a2
Add config.yaml to the .gitignore to prevent the encryption key exposure
pablosnt Nov 29, 2023
76aefef
Unit tests for tool parsers and fixes for all the problems found
pablosnt Dec 1, 2023
7f4d455
Unit tests for task and executions and fixes for all the problems found
pablosnt Dec 2, 2023
68c860e
Update gitignore
pablosnt Dec 2, 2023
1171c85
Unit tests for findings and fixes for all the problems found
pablosnt Dec 4, 2023
79f5058
Fix unique findings creation
pablosnt Dec 4, 2023
49b87cd
Unit tests for NVD NIST integration
pablosnt Dec 4, 2023
438d158
Unit tests for SMTP settings API
pablosnt Dec 4, 2023
ea980aa
Setup a timeout for the SMTP connection
pablosnt Dec 4, 2023
0b98119
Unit tests for Telegram settings API
pablosnt Dec 5, 2023
657b342
Unit tests for Telegram chats API
pablosnt Dec 5, 2023
f62e504
Improve Telegram chats coverage
pablosnt Dec 5, 2023
5d0cee2
Unit tests for Defect-Dojo settings API
pablosnt Dec 5, 2023
fa0013d
Unit tests for Defect-Dojo entities creation API
pablosnt Dec 5, 2023
aac0c7f
Prevent errors in unit tests
pablosnt Dec 5, 2023
48e17a3
Fix some errors in unit tests
pablosnt Dec 5, 2023
3c0852a
Check Defect-Dojo availability without retries when connection fails
pablosnt Dec 6, 2023
d06d51b
Remove debug input
pablosnt Dec 6, 2023
241a084
Prevent errors introduced by the framework
pablosnt Dec 6, 2023
9480c20
Split Telegram and Defect-Dojo tests in different files
pablosnt Dec 6, 2023
98edf16
Unit tests for Defect-Dojo synchronization API
pablosnt Dec 6, 2023
07d5516
Tests files restructuring, shared findings for testing and unit tests…
pablosnt Dec 6, 2023
367a24f
Fix some errors in unit tests
pablosnt Dec 6, 2023
5703aad
Initial unit tests for BaseExecutor
pablosnt Dec 6, 2023
b047d89
More test cases for BaseExecutor
pablosnt Dec 6, 2023
e02d249
Move Wordlist model reference from fallback to model field in the rel…
pablosnt Dec 6, 2023
1015cec
Unit tests for GobusterExecutor
pablosnt Dec 7, 2023
a577286
Mock _get_url method to avoid connectivity errors from GitHub Actions
pablosnt Dec 7, 2023
c8fbb35
Unit tests for executions generation from tool and process task
pablosnt Dec 7, 2023
046d2ab
Fix some errors and improve some unit tests
pablosnt Dec 7, 2023
c283842
Optimize tests structure
pablosnt Dec 7, 2023
a7d56ec
Unit tests for executions generation from findings and user-provided …
pablosnt Dec 8, 2023
ea084b9
Fix errors after restructuring
pablosnt Dec 8, 2023
c80e786
Improve __str__ methods in models
pablosnt Dec 8, 2023
3e21f20
Adapt unit tests to latest __str__ changes
pablosnt Dec 8, 2023
1450b38
Only encrypt and decrypt database fields when the encryption key is c…
pablosnt Dec 8, 2023
ecdded4
New management commands to handle encryption key in the config file a…
pablosnt Dec 8, 2023
5f4f2b2
Configure encryption key for the unit tests execution
pablosnt Dec 8, 2023
f2445a0
Store hashed OTPs in database instead of plain text ones
pablosnt Dec 8, 2023
e37a467
Override permission_classes in those views with different permissions…
pablosnt Dec 8, 2023
fbc24b4
Skip Telegram bot and notifications code from the unit tests coverage…
pablosnt Dec 8, 2023
0dfa33f
Try to execute unit tests without Redis
pablosnt Dec 8, 2023
5dee8b3
Install Redis before unit tests execution, improve authentication par…
pablosnt Dec 8, 2023
4a125d8
Improve unit tests coverage
pablosnt Dec 8, 2023
c78bd87
Fix filters by multiple database fields at once
pablosnt Dec 8, 2023
fe7473d
Fix Project.__str__ test
pablosnt Dec 8, 2023
e8b210e
Improve unit tests coverage
pablosnt Dec 8, 2023
a23ff5a
Improve unit tests coverage
pablosnt Dec 8, 2023
99e43cd
Improve unit tests coverage
pablosnt Dec 8, 2023
e32c2d7
Improve unit tests coverage and fix some errors
pablosnt Dec 8, 2023
6d57efa
Raise controlled exception when an invalid intensity value is provided
pablosnt Dec 8, 2023
96544c7
Fix unit test error
pablosnt Dec 8, 2023
bd2a55b
Test OPTIONS request and ignore some lines in the coverage check
pablosnt Dec 8, 2023
b91d784
Improve coverage in input validation tests
pablosnt Dec 8, 2023
4798a57
Improve unit tests coverage for notifications scope
pablosnt Dec 8, 2023
412eb61
Remove debugging inputs
pablosnt Dec 8, 2023
1df3e54
Remove debugging prints
pablosnt Dec 8, 2023
85441b4
Fix error in target validator
pablosnt Dec 8, 2023
3d6bc24
Disable some tests for debugging
pablosnt Dec 8, 2023
26787d6
Improve unit tests coverage
pablosnt Dec 9, 2023
f19766a
Get target blacklist dynamically for each validation
pablosnt Dec 9, 2023
3483dc7
Improve unit tests coverage for PasswordValidator and TargetBlacklist
pablosnt Dec 9, 2023
d460013
Fix error in TargetBlacklist test
pablosnt Dec 9, 2023
76dcebb
Fix error in TargetBlacklist test
pablosnt Dec 9, 2023
b34ac96
Improve unit tests coverage in findings models
pablosnt Dec 9, 2023
82c8514
Improve unit tests coverage in findings models
pablosnt Dec 9, 2023
a1cac74
Notify Telegram users when their session is closed automatically due …
pablosnt Dec 9, 2023
1e3371e
Apply TargetPort path filter as filter instead of within the Path parser
pablosnt Dec 9, 2023
a0ce00f
Fix Telegram notifications
pablosnt Dec 9, 2023
755f2ba
Fix Telegram notifications
pablosnt Dec 9, 2023
17ed68d
Fix Telegram notifications
pablosnt Dec 9, 2023
c49519a
Fix Telegram notifications
pablosnt Dec 9, 2023
8924dc8
Improve error and invalid tokens handling by the Telegram bot
pablosnt Dec 10, 2023
99a49f9
Fix background email sending
pablosnt Dec 10, 2023
12762b3
Fix Redis queues, Defect-Dojo integration, Telegram notifications and…
pablosnt Dec 26, 2023
fbeb4ca
Upgrade all dependencies except Django
pablosnt Dec 26, 2023
196054c
Upgrade Django to 5.0 version
pablosnt Dec 26, 2023
688e75b
Keep support for old Dirsearch report format and fix Nikto and findin…
pablosnt Dec 26, 2023
7f22357
Fix Dirsearch parser
pablosnt Dec 26, 2023
d7b6a95
Fix config path in Dockerfiles
pablosnt Dec 26, 2023
e5eb108
Decrease required coverage
pablosnt Dec 26, 2023
d45a125
Update hashes for third party GitHub actions
pablosnt Dec 26, 2023
3433ef4
Fix config path in Dockerfile
pablosnt Dec 26, 2023
3bede31
Fix tests path in Dockerfile
pablosnt Dec 26, 2023
00d039a
Fix config directory in Dockerfile
pablosnt Dec 26, 2023
dab3d2b
Update CHANGELOG with the release preview
pablosnt Dec 27, 2023
2d8033f
Add Bandit scans to SAST workflow
pablosnt Dec 27, 2023
0848c46
Fix artifact upload
pablosnt Dec 27, 2023
b28dad2
Merge pull request #261 from pablosnt/cicd/bandit
pablosnt Dec 27, 2023
c1b4ccd
Union of backend and frontend scans in the same workflow and addition…
pablosnt Dec 27, 2023
8732db4
Improve legitify scans
pablosnt Dec 27, 2023
3a0012b
Merge branch 'feature/backend-optimization' into cicd/code-style
pablosnt Dec 27, 2023
4c9e564
Merge pull request #262 from pablosnt/cicd/code-style
pablosnt Dec 27, 2023
4adc500
Merge pull request #250 from pablosnt/feature/backend-optimization
pablosnt Dec 27, 2023
dd395f5
Fix issues detected by CI/CD tools (#263)
pablosnt Dec 30, 2023
070fffa
Download original reports generated by tools (#264)
pablosnt Dec 30, 2023
1db438a
Custom proxy configuration for executions (#265)
pablosnt Dec 30, 2023
5638f1e
New endpoint to get RQ status and stats (#266)
pablosnt Dec 30, 2023
d6fdd86
Pentesting notes feature (#268)
pablosnt Jan 3, 2024
8381e9f
Integrations API to handle all integrations supported (#270)
pablosnt Jan 3, 2024
5c4e54a
Integration with HackTricks to link findings to wiki resources (#272)
pablosnt Jan 4, 2024
690cfcd
Reporting feature to generate JSON, XML and PDF reports (#274)
pablosnt Mar 21, 2024
8094764
Rename queues without the "-queue" value (#278)
pablosnt Mar 21, 2024
645a1f7
Add new security scans to CI/CD (#280)
pablosnt Mar 21, 2024
dedaa42
Findings management (#285)
pablosnt Mar 24, 2024
dd1ad55
Update NVD NIST API calls to use the API version 2.0 (#291)
pablosnt Mar 27, 2024
054c3d7
Hide authentication details in execution output, error and reports (#…
pablosnt Mar 27, 2024
6b0d6d1
Customization of HTTP headers (#296)
pablosnt Mar 29, 2024
f1edbfa
Update CHANGELOG
pablosnt Mar 29, 2024
d61ea47
Merge remote-tracking branch 'origin/migration/2.0.0' into migration/…
pablosnt Mar 29, 2024
1bb62b0
Improve input validation
pablosnt Mar 30, 2024
2d13322
Remove scheduled_in and scheduled_time_unit from tasks (#305)
pablosnt Mar 31, 2024
970b88d
Multi Factor Authentication (#306)
pablosnt Apr 4, 2024
2a1bb7c
Alert System (#307)
pablosnt Apr 8, 2024
Mock _get_url method to avoid connectivity errors from GitHub Actions
pablosnt committed Dec 7, 2023
commit a577286b946e3a9864d9f46a2792e5482bd56a61
Empty file.
9 changes: 9 additions & 0 deletions src/backend/tests/executors/mock.py
@@ -0,0 +1,9 @@
from typing import Any


def get_url(*args: Any, **kwargs: Any) -> str:
url = f"http://{args[1]}"
if len(args) > 2:
url += f":{args[2]}"
url += args[3] if len(args) > 3 else "/"
return url
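Review bot: the mock depends on positional indexing (`args[1]`, `args[2]`, `args[3]`), so it raises IndexError as soon as `_get_url` is invoked with keyword arguments (`host=...`, `port=...`), and the `**kwargs` it accepts are silently dropped. An explicit signature such as `def get_url(self, host, port=None, path=None, **kwargs) -> str:` documents which arguments the production method takes and works for either call style. It also always emits `http://` and appends `path` exactly as given; if the real `_get_url` chooses the scheme from the port or normalises a path without a leading `/`, the tests will now accept URLs the production code would never build, so a short comment saying the mock intentionally ignores scheme selection and path normalisation would help the next reader.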
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
from typing import List
from unittest import mock

from authentications.enums import AuthenticationType
from authentications.models import Authentication
Expand All @@ -11,9 +12,8 @@
from input_types.models import InputType
from parameters.models import InputTechnology, InputVulnerability
from target_ports.models import TargetPort
from targets.enums import TargetType
from targets.models import Target
from tasks.models import Task
from tests.executors.mock import get_url
from tests.framework import RekonoTest
from tools.enums import Intensity as IntensityEnum
from tools.enums import Stage
Expand Down Expand Up @@ -85,11 +85,6 @@ def setUp(self) -> None:
status=Status.REQUESTED,
)
self._setup_findings(self.execution)
# scanme.nmap.org: connectivity is needed to build a valid URL from host, port and path
self.host.address = "45.33.32.156"
self.host.save(update_fields=["address"])
self.path.path = "/images"
self.path.save(update_fields=["path"])
self.osint.data = "10.10.10.11"
self.osint.data_type = OSINTDataType.IP
self.osint.save(update_fields=["data", "data_type"])
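Review bot: with the scanme.nmap.org address and its explanatory comment gone, nothing in setUp records any more that `_get_url` was the one place that needed network access; a one-line comment next to `self._setup_findings(self.execution)` pointing at `tests.executors.mock.get_url` keeps that context. Note also that the patch is applied per test method rather than on the class, so setUp itself still runs unpatched; that is fine only as long as `_setup_findings` never builds a URL.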
Expand Down Expand Up @@ -129,21 +124,24 @@ def _success_get_arguments(
)
)

@mock.patch("framework.models.BaseInput._get_url", get_url)
def test_get_arguments_only_findings(self) -> None:
self._success_get_arguments(
"-p 10.10.10.11 -p http://45.33.32.156:80/images -p 80 -p /images -p WordPress -p admin -p CVE-2023-1111 -p ReverseShell",
"-p 10.10.10.11 -p http://10.10.10.10:80/index.php -p 80 -p /index.php -p WordPress -p admin -p CVE-2023-1111 -p ReverseShell",
self.findings,
)

@mock.patch("framework.models.BaseInput._get_url", get_url)
def test_get_arguments_only_required_findings(self) -> None:
self._success_get_arguments(
"-p http://45.33.32.156:80/ -p 80 -p WordPress -p CVE-2023-1111",
"-p http://10.10.10.10:80/ -p 80 -p WordPress -p CVE-2023-1111",
[self.host, self.port, self.technology, self.vulnerability],
)

@mock.patch("framework.models.BaseInput._get_url", get_url)
def test_get_arguments_multiple_ports(self) -> None:
self._success_get_arguments(
"-p http://45.33.32.156:80/ -p 80,443 -p WordPress -p CVE-2023-1111",
"-p http://10.10.10.10:80/ -p 80,443 -p WordPress -p CVE-2023-1111",
[
self.host,
self.port,
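Review bot: the identical `@mock.patch("framework.models.BaseInput._get_url", get_url)` decorator is repeated on every test method; applying it once as a class decorator on the TestCase patches every `test*` method and removes the risk that a future test is added without it. The updated expected strings (`http://10.10.10.10:80/index.php`, `http://10.10.10.10:80/`) are exactly what the mock assembles from host, port and path, so these assertions now exercise argument formatting rather than name resolution, which is the right thing for a CI test.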
Expand All @@ -155,12 +153,12 @@ def test_get_arguments_multiple_ports(self) -> None:
],
)

@mock.patch("framework.models.BaseInput._get_url", get_url)
def test_get_arguments_no_findings(self) -> None:
self.target.target = "scanme.nmap.org"
self.target.type = TargetType.DOMAIN
self.target.save(update_fields=["target", "type"])
self.target.target = "10.10.10.12"
self.target.save(update_fields=["target"])
target_port = TargetPort.objects.create(
target=self.target, port=80, path="/images"
target=self.target, port=80, path="/login.php"
)
Authentication.objects.create(
name="root",
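Review bot: the removed lines updated both `target` and `type` (`TargetType.DOMAIN`), but the replacement writes only `target`, so `self.target.type` keeps whatever the fixture assigned while the address becomes `10.10.10.12`. If the executor or a validator branches on the type, the test can pass for the wrong reason. Since `Target.get_type(target)` is already used elsewhere in the suite, setting `self.target.type = Target.get_type(self.target.target)` and adding `"type"` to `update_fields` keeps the stored type consistent with the new address.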
Expand All @@ -180,7 +178,7 @@ def test_get_arguments_no_findings(self) -> None:
path=self.data_dir / "wordlists" / "endpoints_wordlist.txt",
)
self._success_get_arguments(
f"-p http://scanme.nmap.org:80/images -p 80 -p /images -p Joomla -p CVE-2023-2222 -p root -p {wordlist.path}",
f"-p http://10.10.10.12:80/login.php -p 80 -p /login.php -p Joomla -p CVE-2023-2222 -p root -p {wordlist.path}",
[],
[target_port],
[input_vulnerability],
Expand All @@ -191,61 +189,10 @@ def test_get_arguments_no_findings(self) -> None:
def test_get_arguments_no_base_inputs(self) -> None:
self.assertFalse(self.executor.check_arguments([], [], [], [], []))

@mock.patch("framework.models.BaseInput._get_url", get_url)
def test_get_arguments_missing_one_required_finding(self) -> None:
self.assertFalse(
self.executor.check_arguments(
[self.osint, self.host, self.port, self.technology], [], [], [], []
)
)


class GobusterExecutorTest(RekonoTest):
def setUp(self) -> None:
super().setUp()
self._setup_project()
self.endpoints_wordlist = Wordlist.objects.create(
name="endpoints",
type=WordlistType.ENDPOINT,
path=self.data_dir / "wordlists" / "endpoints_wordlist.txt",
)
self.subdomains_wordlist = Wordlist.objects.create(
name="subdomains",
type=WordlistType.SUBDOMAIN,
path=self.data_dir / "wordlists" / "subdomains_wordlist.txt",
)

def _setup_executor(self, target: str) -> None:
self.target = Target.objects.create(
project=self.project, target=target, type=Target.get_type(target)
)
self.configuration = Configuration.objects.get(
tool__name="Gobuster", default=True
)
self.task = Task.objects.create(
target=self.target,
configuration=self.configuration,
executor=self.auditor1,
)
self.execution = Execution.objects.create(
task=self.task,
configuration=self.configuration,
status=Status.REQUESTED,
)
self.executor = self.configuration.tool.get_executor_class()(self.execution)

def _test_check_arguments(
self, target: str, wordlist: Wordlist, expected: bool
) -> None:
self._setup_executor(target)
self.assertEqual(
expected, self.executor.check_arguments([], [], [], [], [wordlist])
)

def test_check_arguments_no_domain_target(self) -> None:
self._test_check_arguments("10.10.10.10", self.subdomains_wordlist, False)

def test_check_arguments_no_wordlist(self) -> None:
self._test_check_arguments("scanme.nmap.org", self.endpoints_wordlist, False)

def test_check_arguments(self) -> None:
self._test_check_arguments("scanme.nmap.org", self.subdomains_wordlist, True)
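Review bot: `test_get_arguments_missing_one_required_finding` receives the `_get_url` patch but `test_get_arguments_no_base_inputs` just above it does not; if the latter can never reach URL building because every list is empty, a short comment saying so avoids the question, otherwise it needs the same decorator. The GobusterExecutorTest block removed here reappears unchanged in the new `src/backend/tests/executors/test_gobuster.py`, so the split is a pure move.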
60 changes: 60 additions & 0 deletions src/backend/tests/executors/test_gobuster.py
@@ -0,0 +1,60 @@
from executions.enums import Status
from executions.models import Execution
from targets.models import Target
from tasks.models import Task
from tests.framework import RekonoTest
from tools.models import Configuration
from wordlists.enums import WordlistType
from wordlists.models import Wordlist


class GobusterExecutorTest(RekonoTest):
def setUp(self) -> None:
super().setUp()
self._setup_project()
self.endpoints_wordlist = Wordlist.objects.create(
name="endpoints",
type=WordlistType.ENDPOINT,
path=self.data_dir / "wordlists" / "endpoints_wordlist.txt",
)
self.subdomains_wordlist = Wordlist.objects.create(
name="subdomains",
type=WordlistType.SUBDOMAIN,
path=self.data_dir / "wordlists" / "subdomains_wordlist.txt",
)

def _setup_executor(self, target: str) -> None:
self.target = Target.objects.create(
project=self.project, target=target, type=Target.get_type(target)
)
self.configuration = Configuration.objects.get(
tool__name="Gobuster", default=True
)
self.task = Task.objects.create(
target=self.target,
configuration=self.configuration,
executor=self.auditor1,
)
self.execution = Execution.objects.create(
task=self.task,
configuration=self.configuration,
status=Status.REQUESTED,
)
self.executor = self.configuration.tool.get_executor_class()(self.execution)

def _test_check_arguments(
self, target: str, wordlist: Wordlist, expected: bool
) -> None:
self._setup_executor(target)
self.assertEqual(
expected, self.executor.check_arguments([], [], [], [], [wordlist])
)

def test_check_arguments_no_domain_target(self) -> None:
self._test_check_arguments("10.10.10.10", self.subdomains_wordlist, False)

def test_check_arguments_no_wordlist(self) -> None:
self._test_check_arguments("scanme.nmap.org", self.endpoints_wordlist, False)

def test_check_arguments(self) -> None:
self._test_check_arguments("scanme.nmap.org", self.subdomains_wordlist, True)
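Review bot: `test_check_arguments_no_wordlist` actually passes `self.endpoints_wordlist`, so what it checks is that a wordlist of the wrong type (`ENDPOINT` instead of `SUBDOMAIN`) is rejected, not that a missing wordlist is; a name like `test_check_arguments_wrong_wordlist_type` plus a genuine no-wordlist case (`self.executor.check_arguments([], [], [], [], [])`) would cover both behaviours. The `scanme.nmap.org` and `10.10.10.10` strings only flow through `Target.get_type`, so unlike the old BaseExecutor setup these tests need no network access; a comment stating that keeps the intent clear after the mock change in the same commit.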