second batch of reviews
TmmmmmR committed Nov 12, 2024
1 parent 75ebe35 commit 006f974
Showing 274 changed files with 91 additions and 4,446 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,6 @@ public void hook(ExtensionHook extensionHook) {
extensionHook.getHookMenu().addImportMenuItem(getMenuLLM());
extensionHook.getHookMenu().addPopupMenuItem(getCheckLlmMenu());
extensionHook.addOptionsParamSet(getOptionsParam());
// change to a message
getView().getOptionsDialog().addParamPanel(ROOT, getOptionsPanel(), true);

extensionHook.addSessionListener(
Expand Down Expand Up @@ -114,10 +113,10 @@ private ZapMenuItem getMenuLLM() {
if (menuLLM == null) {
menuLLM =
new ZapMenuItem(
"llm.topmenu.import.importSwagger",
"llm.topmenu.import.importOpenAPI",
getView().getMenuShortcutKeyStroke(KeyEvent.VK_J, 0, false));
menuLLM.setToolTipText(
Constant.messages.getString("llm.topmenu.import.importSwagger.tooltip"));
Constant.messages.getString("llm.topmenu.import.importOpenAPI.tooltip"));
menuLLM.addActionListener(
e -> {
if (importDialog == null) {
Original file line number Diff line number Diff line change
Expand Up @@ -27,23 +27,22 @@

public interface LlmAssistant {
@UserMessage(
"Given the following swagger generate list of chained HTTP request to simulate a real world user : {{swagger}} ")
"GGiven the following OpenAPI definition, generate a list of chained HTTP requests to simulate a real world user : {{swagger}} ")
HttpRequestList extractHttpRequests(String swagger);

@UserMessage(
"As software architect, and based on your previous answer, generate other potential missing endpoints that are not mentioned in the swagger file. For example, if there is GET /product/1, suggest DELETE /product/1 if it's not mentioned")
HttpRequestList complete();

@SystemMessage(
"You are a web application security expert in review false positives. Answer only in JSON.")
"You are a web application security expert reviewing false positives. Answer only in JSON.")
@UserMessage(
"Your task is to review the following finding from ZAP (Zed Attack Proxy).\n"
+ "The confidence level is a pull down field which allows you to specify how confident you are in the validity of the finding : \n"
+ "- 0 if it's False Positive\n"
+ "- 1 if it's Low\n"
+ "- 2 if it's Medium\n"
+ "- 3 if it's High\n"
+ "- 4 if it's Confirmed\n"
+ "\n"
+ "The alert is described as follows : {{description}}\n"
+ "\n"
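Review bot: The new `extractHttpRequests` prompt opens with `GGiven` (doubled G), so the model receives a typo as the first token of its instruction; it should read `"Given the following OpenAPI definition, generate a list of chained HTTP requests to simulate a real world user : {{swagger}} "`. The `{{swagger}}` placeholder is filled with the raw definition text, which in this commit can come from an arbitrary URL, and the resulting `HttpRequestList` is handed to `requestor.run` in LlmCommunicationService, so a hostile definition can presumably steer which requests ZAP sends; I would add a Javadoc note on the interface that the definition is untrusted prompt content and that callers must validate the generated requests (at least host/scheme) before replaying them. The same applies to `{{description}}` in the alert-review prompt, which is scanner output derived from target responses.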
Original file line number Diff line number Diff line change
Expand Up @@ -52,8 +52,8 @@ public class LlmCommunicationService {
private LlmOptionsParam llmOptionsParam;

private static final Logger LOGGER = LogManager.getLogger(LlmCommunicationService.class);
private static final String AI_REVIEWED_TAG_KEY = "AI-Reviewed";
private static final String AI_REVIEWED_TAG_VALUE = "1";
private static final String AI_REVIEWD_TAG_KEY = "AI-Reviewed";
private static final String AI_REVIEWD_TAG_VALUE = "1";

public String endpoint;
private String apiKey;
Expand Down Expand Up @@ -90,13 +90,14 @@ public LlmCommunicationService(String modelName, String apiKey, String endpoint)

private Integer importHttpCalls(String swaggercontent) throws IOException {
HttpRequestList listHttpRequest = llmAssistant.extractHttpRequests(swaggercontent);
if (listHttpRequest == null)
if (listHttpRequest == null) {
throw new RuntimeException("An issue occurred hy trying to get response from LLM");
}
requestor.run(listHttpRequest);
return listHttpRequest.getRequests().size();
}

public Integer importSwaggerFromUrl(String urlString) {
public Integer importOpenapiFromUrl(String urlString) {
Integer endpointCount = 0;
try {
URL url = new URL(urlString);
Expand All @@ -114,24 +115,24 @@ public Integer importSwaggerFromUrl(String urlString) {
new BufferedReader(new InputStreamReader((connection.getInputStream())));
String openApiDefinition = br.lines().collect(Collectors.joining());

// Use the existing importSwagger method
// Use the existing importOpenapi method
endpointCount = importHttpCalls(openApiDefinition);

connection.disconnect();
} catch (Exception e) {
e.printStackTrace();
LOGGER.error(e.getMessage());
}
return endpointCount;
}

public Integer importSwaggerFromFile(String filePath) {
public Integer importOpenapiFromFile(String filePath) {
Integer endpointCount = 0;

try {
// Read the file content into a String
String openApiDefinition = new String(Files.readAllBytes(Paths.get(filePath)));

// Use the existing importSwagger method
// Use the existing importOpenapi method
endpointCount = importHttpCalls(openApiDefinition);

} catch (Exception e) {
Expand All @@ -145,7 +146,7 @@ public void reviewAlert(Alert alert) {
Alert updatedAlert = alert;
Alert originalAlert = updatedAlert.newInstance();

if (!alert.getTags().containsKey(AI_REVIEWED_TAG_KEY)) {
if (!alert.getTags().containsKey(AI_REVIEWD_TAG_KEY)) {
Confidence conf_llm;
LOGGER.debug("Reviewing alert :" + alert.getName());
LOGGER.debug("Confidence level from ZAP : " + alert.getConfidence());
Expand All @@ -160,7 +161,7 @@ public void reviewAlert(Alert alert) {
"LLM Explanation : " + conf_llm.getExplanation() + "\n" + alert.getOtherInfo());
Map<String, String> alertTags = alert.getTags();

alertTags.putIfAbsent(AI_REVIEWED_TAG_KEY, AI_REVIEWED_TAG_VALUE);
alertTags.putIfAbsent(AI_REVIEWD_TAG_KEY, AI_REVIEWD_TAG_VALUE);
updatedAlert.setTags(alertTags);

try {
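Review bot: The new `LOGGER.error(e.getMessage())` in the catch of importOpenapiFromUrl loses the stack trace that `e.printStackTrace()` used to print, and many IO exceptions carry a null message, so failures become an empty log line; pass the throwable instead, `LOGGER.error("Failed to import OpenAPI definition from URL", e);`. The renamed constants `AI_REVIEWD_TAG_KEY`/`AI_REVIEWD_TAG_VALUE`, which read as the new side here, introduce a misspelling where the previous `AI_REVIEWED_*` names were correct, so I would keep the old spelling. In the unchanged context, `br.lines().collect(Collectors.joining())` concatenates lines with no separator, which presumably collapses a YAML-formatted definition into a single line before it reaches the model, and neither the reader nor the connection is released on the exception path; `connection.getInputStream().readAllBytes()` inside a try-with-resources, with `connection.disconnect()` in a `finally`, would fix both. The URL-fetched definition is untrusted input that flows straight into the prompt and from there into `requestor.run`, so the generated requests deserve a host check before they are replayed.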
62 changes: 28 additions & 34 deletions addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/ImportDialog.java
Original file line number Diff line number Diff line change
Expand Up @@ -60,11 +60,12 @@ public class ImportDialog extends AbstractDialog {
private static final long serialVersionUID = -7074394202143400215L;

private final ExtensionLlm extLlm;
private JTextField fieldSwagger;
private JTextField fieldOpenapi;
private JButton buttonChooseFile;
private JButton buttonCancel;
private JButton buttonImport;
private JProgressBar progressBar;
private LlmOptionsParam llmOptionsParam;

public ImportDialog(JFrame parent, final ExtensionLlm extLlm) {
super(parent, true);
Expand All @@ -79,12 +80,12 @@ public ImportDialog(JFrame parent, final ExtensionLlm extLlm) {
var labelWsdl =
new ZapHtmlLabel(
"<html>"
+ Constant.messages.getString("llm.importDialog.labelSwagger")
+ Constant.messages.getString("llm.importDialog.labelOpenAPI")
+ "<font color=red>*</font></html>");
fieldsPanel.add(
labelWsdl, LayoutHelper.getGBC(0, fieldsRow, 1, 0.5, new Insets(0, 0, 4, 4)));
fieldsPanel.add(
getSwaggerField(),
getOpenapiField(),
LayoutHelper.getGBC(1, fieldsRow, 1, 0.5, new Insets(0, 4, 4, 4)));
fieldsPanel.add(
getChooseFileButton(),
Expand All @@ -111,11 +112,11 @@ public ImportDialog(JFrame parent, final ExtensionLlm extLlm) {
setDefaultCloseOperation(DISPOSE_ON_CLOSE);
}

private boolean importSwagger()
private boolean importOpenapi()
throws IOException, URISyntaxException, ApiException, DatabaseException {

String swaggerLocation = getSwaggerField().getText();
LlmOptionsParam llmOptionsParam = extLlm.getOptionsParam();
String openapiLocation = getOpenapiField().getText();
llmOptionsParam = extLlm.getOptionsParam();
Integer endpointCount = 0;

if (StringUtils.isEmpty(llmOptionsParam.getApiKey())) {
Expand All @@ -134,40 +135,39 @@ private boolean importSwagger()
new LlmCommunicationService(
llmOptionsParam.getModelName(), llmOptionsParam.getApiKey(), llmOptionsParam.getEndpoint());

if (StringUtils.isEmpty(swaggerLocation)) {
if (StringUtils.isEmpty(openapiLocation)) {
ThreadUtils.invokeAndWaitHandled(
() -> {
showWarningDialog(
Constant.messages.getString(
"llm.importDialog.error.missingSwagger"));
getSwaggerField().requestFocusInWindow();
"llm.importDialog.error.missingOpenapi"));
getOpenapiField().requestFocusInWindow();
});
return false;
}

try {
new URL(swaggerLocation).toURI();
new URI(swaggerLocation, true);
// implement logic here
endpointCount = llmCommunicationService.importSwaggerFromUrl(swaggerLocation);
new URL(openapiLocation).toURI();
new URI(openapiLocation, true);
endpointCount = llmCommunicationService.importOpenapiFromUrl(openapiLocation);

return true;
} catch (URIException | MalformedURLException | URISyntaxException e) {
// Not a valid URI, try to import as a file
endpointCount = llmCommunicationService.importSwaggerFromFile(swaggerLocation);
endpointCount = llmCommunicationService.importOpenapiFromFile(openapiLocation);
}

var file = new File(swaggerLocation);
var file = new File(openapiLocation);
if (!file.canRead()) {
ThreadUtils.invokeAndWaitHandled(
() -> {
showWarningFileNotFound(swaggerLocation);
getSwaggerField().requestFocusInWindow();
showWarningFileNotFound(openapiLocation);
getOpenapiField().requestFocusInWindow();
});
return false;
}

endpointCount = llmCommunicationService.importSwaggerFromFile(swaggerLocation);
endpointCount = llmCommunicationService.importOpenapiFromFile(openapiLocation);

showMessageDialog(
Constant.messages.getString("llm.importDialog.import.success", endpointCount));
Expand All @@ -185,12 +185,12 @@ private static void setContextMenu(JTextField field) {
field.setComponentPopupMenu(jPopupMenu);
}

private JTextField getSwaggerField() {
if (fieldSwagger == null) {
fieldSwagger = new JTextField(25);
setContextMenu(fieldSwagger);
private JTextField getOpenapiField() {
if (fieldOpenapi == null) {
fieldOpenapi = new JTextField(25);
setContextMenu(fieldOpenapi);
}
return fieldSwagger;
return fieldOpenapi;
}

private JButton getChooseFileButton() {
Expand All @@ -213,7 +213,7 @@ private JButton getChooseFileButton() {
if (state == JFileChooser.APPROVE_OPTION) {
String filename = fileChooser.getSelectedFile().getAbsolutePath();
try {
getSwaggerField().setText(filename);
getOpenapiField().setText(filename);
Model.getSingleton()
.getOptionsParam()
.setUserDirectory(fileChooser.getCurrentDirectory());
Expand Down Expand Up @@ -248,20 +248,14 @@ private JButton getImportButton() {
new Thread(
() -> {
try {
if (importSwagger()) {
if (importOpenapi()) {
ThreadUtils.invokeAndWaitHandled(
() -> {
dispose();
showProgressBar(false);
});
}
} catch (IOException ex) {
throw new RuntimeException(ex);
} catch (URISyntaxException ex) {
throw new RuntimeException(ex);
} catch (ApiException ex) {
throw new RuntimeException(ex);
} catch (DatabaseException ex) {
} catch (Exception ex) {
throw new RuntimeException(ex);
}
},
Expand Down Expand Up @@ -296,7 +290,7 @@ private void showProgressBar(boolean show) {
getProgressBar().setVisible(show);

getImportButton().setEnabled(!show);
getSwaggerField().setEnabled(!show);
getOpenapiField().setEnabled(!show);
getChooseFileButton().setEnabled(!show);
}

Expand All @@ -310,6 +304,6 @@ private JProgressBar getProgressBar() {
}

public void clearFields() {
getSwaggerField().setText("");
getOpenapiField().setText("");
}
}
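Review bot: When the location is not a URL, importOpenapi imports the file twice: `endpointCount = llmCommunicationService.importOpenapiFromFile(openapiLocation);` runs inside the `catch (URIException | MalformedURLException | URISyntaxException e)` arm and then again unconditionally after the `file.canRead()` check, so the model is queried and the generated requests replayed twice, and the first call happens before the readability check that is meant to guard it. Drop the call from the catch block and keep only the one after the check, leaving the catch with just `// Not a valid URI, try to import as a file`. In getImportButton the collapsed `catch (Exception ex) { throw new RuntimeException(ex); }` rethrows on the background thread, so a failed import, including the RuntimeException importHttpCalls raises when the model returns nothing, leaves the progress bar showing and the fields disabled with no message to the user; a `finally` that calls `ThreadUtils.invokeAndWaitHandled(() -> showProgressBar(false))` plus a `showWarningDialog` in the catch would recover the dialog. getImportButton's signature and the start of importOpenapi's caller are outside the hunk.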
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ public class LlmOptionsPanel extends AbstractParamPanel {
private JTextField apiKeyTextField;
private JTextField llmendpointTextField;

private JComboBox<String> llmModelsComboBox; // Added JComboBox for LLM models
private JComboBox<String> llmModelsComboBox;

public LlmOptionsPanel() {
super();
Expand All @@ -53,13 +53,13 @@ private void initComponents() {
super.setName(Constant.messages.getString("llm.options.title"));

JLabel llmApiKey = new JLabel(Constant.messages.getString("llm.options.label.apikey"));
this.apiKeyTextField = new JPasswordField(); // Initialize as JPasswordField
this.apiKeyTextField = new JPasswordField();

JLabel llmendpoint = new JLabel(Constant.messages.getString("llm.options.label.endpoint"));
this.llmendpointTextField = new JTextField(); // Initialize as JPasswordField
this.llmendpointTextField = new JTextField();

JLabel llmModelsLabel = new JLabel("Select LLM Model:"); // Label for the combo box
this.llmModelsComboBox = new JComboBox<>(new String[] {"gpt-4o"}); //
JLabel llmModelsLabel = new JLabel("Select LLM Model:");
this.llmModelsComboBox = new JComboBox<>(new String[] {"gpt-4o"});

GroupLayout layout = new GroupLayout(this);
super.setLayout(layout);
Expand All @@ -77,7 +77,7 @@ private void initComponents() {
.addComponent(llmendpoint)
.addComponent(this.llmendpointTextField))
.addGroup(
layout.createSequentialGroup() // Add horizontal group for combo box
layout.createSequentialGroup()
.addComponent(llmModelsLabel)
.addComponent(this.llmModelsComboBox)));

Expand All @@ -94,8 +94,7 @@ private void initComponents() {
.addGroup(
layout.createParallelGroup(
GroupLayout.Alignment
.BASELINE) // Add vertical group for combo
// box
.BASELINE)
.addComponent(llmModelsLabel)
.addComponent(this.llmModelsComboBox)));
}
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,6 @@ public class LlmOptionsParam extends VersionedAbstractParam {
private String modelName;

public String getApiKey() {
// System.out.println("API KEY FROM attribute" + this.apiKey);
return this.apiKey;
}

Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
*
* ZAP is an HTTP/HTTPS proxy for assessing web application security.
*
* Copyright 2023 The ZAP Development Team
* Copyright 2024 The ZAP Development Team
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
*
* ZAP is an HTTP/HTTPS proxy for assessing web application security.
*
* Copyright 2023 The ZAP Development Team
* Copyright 2024 The ZAP Development Team
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Original file line number Diff line number Diff line change
Expand Up @@ -2,25 +2,22 @@
<HTML>
<HEAD>
<TITLE>
Simple Example - About
ZAP LLM - About
</TITLE>
</HEAD>
<BODY>
<H1>Simple Example - About</H1>
<H1>ZAP LLM - About</H1>

<H2>Source Code</H2>
<a href="https://github.com/zaproxy/zap-extensions/tree/main/addOns/simpleexample">https://github.com/zaproxy/zap-extensions/tree/main/addOns/simpleexample</a>
<a href="https://github.com/zaproxy/zap-extensions/tree/main/addOns/simpleexample">https://github.com/zaproxy/zap-extensions/tree/main/addOns/llm</a>

<H2>Authors</H2>
ZAP Dev Team

<H2>History</H2>

<H3>Version 2</H3>
Updated to include example 'about' page.

<H3>Version 1</H3>
First Version
<H3>Version 0.0.1</H3>
First Version to perform API sequencing and alert review

</BODY>
</HTML>