Fix NoneType, check for X- paths to exclude.

Signed-off-by: Caroline Russell <caroline@appthreat.dev>
AppThreat · Mar 12, 2024 · aafd4c7 · aafd4c7
1 parent d80e657
commit aafd4c7
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 14 deletions.
diff --git a/atom_tools/lib/converter.py b/atom_tools/lib/converter.py
@@ -1,6 +1,7 @@
 """
 Classes and functions used to convert slices.
 """
+import contextlib
 import json.encoder
 import logging
 import re
@@ -391,10 +392,10 @@ def create_paths_item(self, filename: str, paths_dict: Dict) -> Dict:
         calls = paths_dict[1].get('calls')
         call_line_numbers = paths_dict[1].get('line_nos')
         target_line_number = None
-        try:
-            target_line_number = self.target_line_nums[filename][paths_dict[0]]
-        except:
-            pass
+        if self.target_line_nums:
+            with contextlib.suppress(KeyError):
+                target_line_number = self.target_line_nums[filename][paths_dict[0]]
+
         paths_object: Dict = {}
 
         for ep in set(endpoints):
@@ -564,7 +565,7 @@ def extract_endpoints(self, method: str) -> List[str]:
         if not method or not (matches := re.findall(regex.endpoints, method)):
             return []
         matches = self._filter_matches(matches, method)
-        return [v for v in matches if v and v not in exclusions]
+        return [v for v in matches if v and v not in exclusions and not v.lower().startswith('/x-')]
 
     def _filter_matches(self, matches: List[str], code: str) -> List[str]:
         """

diff --git a/test/test_converter.py b/test/test_converter.py
@@ -59,7 +59,6 @@ def test_populate_endpoints(js_usages_1, js_usages_2):
                                                    "app.delete('/api/Products/:id',security.denyAll())": {'endpoints': ['/api/Products/:id']},
                                                    "app.delete('/api/Quantitys/:id',security.denyAll())": {'endpoints': ['/api/Quantitys/:id']},
                                                    "app.delete('/api/Recycles/:id',security.denyAll())": {'endpoints': ['/api/Recycles/:id']},
-                                                   "app.disable('x-powered-by')": {'endpoints': ['/x-powered-by']},
                                                    "app.enable('trustproxy')": {'endpoints': ['/trustproxy']},
                                                    "app.get('/api/Addresss',security.appendUserId(),address.getAddress())": {'endpoints': ['/api/Addresss']},
                                                    "app.get('/api/Addresss/:id',security.appendUserId(),address.getAddressById())": {'endpoints': ['/api/Addresss/:id']},
@@ -205,17 +204,15 @@ def test_populate_endpoints(js_usages_1, js_usages_2):
                                                    "app.use('/rest/basket/:id',security.isAuthorized())": {'endpoints': ['/rest/basket/:id']},
                                                    "app.use('/rest/basket/:id/order',security.isAuthorized())": {'endpoints': ['/rest/basket/:id/order']},
                                                    "app.use('/rest/user/authentication-details',security.isAuthorized())": {'endpoints': ['/rest/user/authentication-details']},
-                                                   "app.use('/rest/user/reset-password',newRateLimit({\rwindowMs:5*60*1000,\rmax:100,\rkeyGenerator({headers,ip}:{headers:any,ip:any}){returnheaders['X-Forwarded-For']||ip}//vuln-code-snippetvuln-lineresetPasswordMortyChallenge\r}))": {'endpoints': ['/rest/user/reset-password',
-                                                                                                                                                                                                                                                                                                          '/X-Forwarded-For']},
+                                                   "app.use('/rest/user/reset-password',newRateLimit({\rwindowMs:5*60*1000,\rmax:100,\rkeyGenerator({headers,ip}:{headers:any,ip:any}){returnheaders['X-Forwarded-For']||ip}//vuln-code-snippetvuln-lineresetPasswordMortyChallenge\r}))": {'endpoints': ['/rest/user/reset-password']},
                                                    "app.use('/solve/challenges/server-side',verify.serverSideChallenges())": {'endpoints': ['/solve/challenges/server-side']},
                                                    "app.use('/support/logs',serveIndexMiddleware,serveIndex('logs',{icons:true,view:'details'}))": {'endpoints': ['/support/logs',
                                                                                                                                                                   '/logs',
                                                                                                                                                                   '/details']},
                                                    "app.use('/support/logs',verify.accessControlChallenges())": {'endpoints': ['/support/logs']},
                                                    "app.use('/support/logs/:file',logFileServer())": {'endpoints': ['/support/logs/:file']},
                                                    "app.use((req:Request,res:Response,next:NextFunction)=>{\rreq.url=req.url.replace(/[/]+/g,'/')\rnext()\r})": {'endpoints': ['/']},
-                                                   "app.use((req:Request,res:Response,next:NextFunction)=>{\rres.append('X-Recruiting',config.get('application.securityTxt.hiring'))\rnext()\r})": {'endpoints': ['/X-Recruiting',
-                                                                                                                                                                                                                  '/application.securityTxt.hiring']},
+                                                   "app.use((req:Request,res:Response,next:NextFunction)=>{\rres.append('X-Recruiting',config.get('application.securityTxt.hiring'))\rnext()\r})": {'endpoints': ['/application.securityTxt.hiring']},
                                                    "app.use(['/.well-known/security.txt','/security.txt'],securityTxt({\rcontact:config.get('application.securityTxt.contact'),\rencryption:config.get('application.securityTxt.encryption'),\racknowledgements:config.get('application.securityTxt.acknowledgements'),\r'Preferred-Languages':[...newSet(locales.map((locale:{key:string})=>locale.key.substr(0,2)))].join(','),\rhiring:config.get('application.securityTxt.hiring'),\rexpires:securityTxtExpiration.toUTCString()\r}))": {'endpoints': ['/.well-known/security.txt',
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            '/security.txt',
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            '/application.securityTxt.contact',
@@ -238,8 +235,6 @@ def test_populate_endpoints(js_usages_1, js_usages_2):
     '/Noanswerfound!',
     '/Noquestionfound!',
     '/Preferred-Languages',
-    '/X-Forwarded-For',
-    '/X-Recruiting',
     '/api-docs',
     '/api/Addresss',
     '/api/Addresss/{id}',
@@ -365,7 +360,6 @@ def test_populate_endpoints(js_usages_1, js_usages_2):
     '/video',
     '/viewengine',
     '/we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility',
-    '/x-powered-by',
     '/{regex_param_1}/{file}']
     assert list(
         result['/rest/continue-code-findIt/apply/{continueCode}'].keys()) == ['parameters', 'put', 'x-atom-usages']
@@ -690,7 +684,7 @@ def test_convert_usages(java_usages_1, java_usages_2, js_usages_1, js_usages_2,
  '/xstream': {'post': {'responses': {}},
               'x-atom-usages': {'call': {'src\\main\\java\\org\\joychou\\controller\\XStreamRce.java': [23]},
                                 'target': {'src\\main\\java\\org\\joychou\\controller\\XStreamRce.java': 23}}}}
-    assert len(js_usages_1.convert_usages()) == 137
+    assert len(js_usages_1.convert_usages()) == 134
     assert len(js_usages_2.convert_usages()) == 21
     assert py_usages_2.convert_usages() == {'/': {},
  '/127.0.0.1': {},