From 163210e8909aa639fd78987276e9f5dd215b9083 Mon Sep 17 00:00:00 2001 From: notshivansh Date: Tue, 3 Dec 2024 00:58:00 +0530 Subject: [PATCH] remove nashorn --- .../workflow_test/InputArgumentsDialog.jsx | 7 -- .../components/react/InputArgumentsDialog.jsx | 7 -- .../testing/workflow_node_executor/Utils.java | 31 +------ .../akto/testing/ApiWorkflowExecutorTest.java | 93 ------------------- .../akto/dto/testing/AuthMechanismTests.java | 2 - .../java/com/akto/testing/ApiExecutor.java | 75 --------------- .../src/main/java/com/akto/testing/Utils.java | 46 +-------- 7 files changed, 2 insertions(+), 259 deletions(-) diff --git a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/workflow_test/InputArgumentsDialog.jsx b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/workflow_test/InputArgumentsDialog.jsx index 6a679a0323..7cb353bbcb 100644 --- a/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/workflow_test/InputArgumentsDialog.jsx +++ b/apps/dashboard/web/polaris_web/web/src/apps/dashboard/pages/testing/workflow_test/InputArgumentsDialog.jsx @@ -81,13 +81,6 @@ const RequestEditor = ({sampleApiCall, updatedSampleData, onChangeApiRequest, te - -
-
Test Validator Code
-
- -
-
) diff --git a/apps/dashboard/web/src/apps/dashboard/views/testing/components/react/InputArgumentsDialog.jsx b/apps/dashboard/web/src/apps/dashboard/views/testing/components/react/InputArgumentsDialog.jsx index 9dc2165df1..6949b033ed 100644 --- a/apps/dashboard/web/src/apps/dashboard/views/testing/components/react/InputArgumentsDialog.jsx +++ b/apps/dashboard/web/src/apps/dashboard/views/testing/components/react/InputArgumentsDialog.jsx @@ -88,13 +88,6 @@ const RequestEditor = ({sampleApiCall, updatedSampleData, onChangeApiRequest, te - -
-
Test Validator Code
-
- -
-
)
diff --git a/apps/testing/src/main/java/com/akto/testing/workflow_node_executor/Utils.java b/apps/testing/src/main/java/com/akto/testing/workflow_node_executor/Utils.java
index 95eccdb072..84d9b9e9df 100644
--- a/apps/testing/src/main/java/com/akto/testing/workflow_node_executor/Utils.java
+++ b/apps/testing/src/main/java/com/akto/testing/workflow_node_executor/Utils.java
@@ -10,11 +10,6 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-import javax.script.ScriptEngine;
-import javax.script.ScriptEngineManager;
-import javax.script.ScriptException;
-
-import com.akto.dto.ApiInfo;
 import com.akto.dto.testing.*;
 import com.akto.test_editor.execution.Memory;
 import org.apache.commons.lang3.StringUtils;
@@ -501,31 +496,7 @@ public static OriginalHttpRequest buildHttpRequest(WorkflowUpdatedSampleData upd
 public static String executeCode(String ogPayload, Map valuesMap) throws Exception {
- ScriptEngineManager factory = new ScriptEngineManager();
- String variablesReplacedPayload = replaceVariables(ogPayload,valuesMap, true);
-
- String regex = "\\#\\[(.*?)]#";
- Pattern p = Pattern.compile(regex);
- Matcher matcher = p.matcher(variablesReplacedPayload);
- StringBuffer sb = new StringBuffer();
-
- // create a Nashorn script engine
- ScriptEngine engine = factory.getEngineByName("nashorn");
-
- while (matcher.find()) {
- String code = matcher.group(1);
- code = code.trim();
- if (!code.endsWith(";")) code = code+";";
- try {
- Object val = engine.eval(code);
- matcher.appendReplacement(sb, val.toString());
- } catch (final ScriptException se) {
- }
-
- }
-
- matcher.appendTail(sb);
- return sb.toString();
+ return replaceVariables(ogPayload,valuesMap, true);
 }
diff --git a/apps/testing/src/test/java/com/akto/testing/ApiWorkflowExecutorTest.java b/apps/testing/src/test/java/com/akto/testing/ApiWorkflowExecutorTest.java
index 741ff44a2c..3d2a0e1570 100644
--- a/apps/testing/src/test/java/com/akto/testing/ApiWorkflowExecutorTest.java
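Review bot: After this hunk `executeCode` is a plain alias for `replaceVariables`, so a workflow template that still carries a `#[ ... ]#` script block now has that block sent verbatim in the outgoing request instead of being evaluated, and nothing reports it; the identical change in libs/utils/src/main/java/com/akto/testing/Utils.java has the same gap. Dropping the embedded engine removes a server-side evaluation path for stored template code, which is the right direction, but the stale-template case should surface during a test run rather than as a malformed request: a Javadoc on the method stating that `#[ ... ]#` blocks are no longer evaluated and pass through unchanged, plus a check such as `if (ogPayload != null && ogPayload.contains("#[")) { /* report unsupported script block for this node */ }` before the return, would do that. The method's `throws Exception` now only reflects what `replaceVariables` throws, which is worth saying in the same Javadoc.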
+++ b/apps/testing/src/test/java/com/akto/testing/ApiWorkflowExecutorTest.java
@@ -3,18 +3,12 @@
 import com.akto.MongoBasedTest;
 import com.akto.dao.OtpTestDataDao;
 import com.akto.dao.context.Context;
-import com.akto.dao.testing.LoginFlowStepsDao;
 import com.akto.dto.OriginalHttpRequest;
 import com.akto.dto.api_workflow.Node;
 import com.akto.dto.testing.LoginFlowParams;
-import com.akto.dto.testing.LoginFlowStepsData;
 import com.akto.dto.testing.WorkflowNodeDetails;
 import com.akto.dto.testing.WorkflowUpdatedSampleData;
 import com.akto.dto.testing.WorkflowTestResult.NodeResult;
-import com.akto.dto.type.RequestTemplate;
-import com.akto.log.LoggerMaker.LogDb;
-import com.akto.runtime.URLAggregator;
-import com.akto.types.BasicDBListL;
 import com.mongodb.BasicDBList;
 import com.mongodb.BasicDBObject;
 import com.mongodb.client.model.Filters;
@@ -25,14 +19,10 @@
 import java.util.*;
-import javax.script.ScriptEngine;
-import javax.script.ScriptEngineManager;
-
 import static org.junit.Assert.*;
 public class ApiWorkflowExecutorTest extends MongoBasedTest {
-
 @Test
 public void testCombineQueryParams2() {
 String query1 = "";
@@ -41,39 +31,6 @@ public void testCombineQueryParams2() {
 assertEquals("blah", combinedQuery);
 }
- @Test
- public void testExecuteCode() throws Exception {
- ApiWorkflowExecutor apiWorkflowExecutor = new ApiWorkflowExecutor();
- Map valuesMap = new HashMap<>();
- valuesMap.put("x1.response.body.user.name", "avneesh");
- valuesMap.put("x1.response.body.user.age", 99);
- String payload = "{\"user_name\": \"${x1.response.body.user.name}\", \"user_age\": ${x1.response.body.user.age}}";
- String result = com.akto.testing.workflow_node_executor.Utils.executeCode(payload, valuesMap);
- assertEquals("{\"user_name\": \"avneesh\", \"user_age\": 99}", result);
-
- payload = "{\"user_name\": '#[\"${x1.response.body.user.name}\".toUpperCase()]#', \"user_age\": #[${x1.response.body.user.age} + 1]#}";
- result = com.akto.testing.workflow_node_executor.Utils.executeCode(payload, valuesMap);
- assertEquals("{\"user_name\": 'AVNEESH', \"user_age\": 100}", result);
- valuesMap.put("x1.response.body.url", "https://api.razorpay.com:443/v1/payments/pay_K6FMfsnyloigxs/callback/941349c12d0e001436ace03ee711367413b176bb/rzp_test_1DP5mmOlF5G5ag");
- String urlPayload = "#[ var a = '${x1.response.body.url}'; var b = a.split('/'); b[5] = 'avneesh'; b.join('/'); ]#";
- result = com.akto.testing.workflow_node_executor.Utils.executeCode(urlPayload, valuesMap);
- assertEquals("https://api.razorpay.com:443/v1/payments/avneesh/callback/941349c12d0e001436ace03ee711367413b176bb/rzp_test_1DP5mmOlF5G5ag", result);
- urlPayload = "#[ '${x1.response.body.url}'.replace(new RegExp('pay_.*?/'), 'avneesh/') ]#";
- result = com.akto.testing.workflow_node_executor.Utils.executeCode(urlPayload, valuesMap);
- assertEquals("https://api.razorpay.com:443/v1/payments/avneesh/callback/941349c12d0e001436ace03ee711367413b176bb/rzp_test_1DP5mmOlF5G5ag", result);
- valuesMap.put("x2.response.body.sentence", "This is sentence with a 'random' quote");
- payload = "#[ '${x2.response.body.sentence}'.replace(new
RegExp('random'), 'avneesh') ]#";
- result = com.akto.testing.workflow_node_executor.Utils.executeCode(payload, valuesMap);
- assertEquals("This is sentence with a 'avneesh' quote", result);
-
- }
-
 @Test
 public void testPopulateValuesMap() {
 ApiWorkflowExecutor apiWorkflowExecutor = new ApiWorkflowExecutor();
@@ -131,56 +88,6 @@ public void testBuildHttpRequest() throws Exception {
 assertEquals(originalHttpRequest.getUrl(), "https://stud.akto.io/stud_10");
 }
-
- @Test
- public void testValidateTest() {
- ScriptEngineManager factory = new ScriptEngineManager();
- ApiWorkflowExecutor apiWorkflowExecutor = new ApiWorkflowExecutor();
- Map valuesMap = new HashMap<>();
- String testValidatorCode = "${x1.response.status_code} === 200";
- valuesMap.put("x1.response.status_code", 401);
- boolean vulnerable = validateTest(testValidatorCode, valuesMap);
- assertTrue(vulnerable);
- testValidatorCode = "'${x1.request.body.user_name}' === '${x1.response.body.user_name}'";
- valuesMap.put("x1.request.body.user_name", "Avneesh");
- valuesMap.put("x1.response.body.user_name", "Ankush");
- vulnerable = validateTest(testValidatorCode, valuesMap);
- assertTrue(vulnerable);
- testValidatorCode = "'${x1.request.body.CTO}' === 'Ankush'";
- valuesMap.put("x1.request.body.CTO", "Ankush");
- vulnerable = validateTest(testValidatorCode, valuesMap);
- assertFalse(vulnerable);
- String p = "Razorpay - Payment in progress
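Review bot: Deleting `testExecuteCode` wholesale leaves `executeCode` with no test at all, although its first assertion (plain `${...}` substitution, no `#[ ... ]#` block) still describes the behaviour the new one-line body is meant to keep. Keep that assertion as a reduced test, and consider a second one pinning that a `#[ ... ]#` block is now returned untouched — the exact expected string for that case depends on what `replaceVariables` does with non-`${...}` text, which is not visible in this hunk, so confirm it before asserting. The deleted `testValidateTest` at the next hunk is fine to drop since the helper it exercised is gone.

```java
@Test
public void testExecuteCode() throws Exception {
    Map<String, Object> valuesMap = new HashMap<>();
    valuesMap.put("x1.response.body.user.name", "avneesh");
    valuesMap.put("x1.response.body.user.age", 99);

    // only ${...} substitution is performed now; #[ ... ]# blocks are no longer evaluated
    String payload = "{\"user_name\": \"${x1.response.body.user.name}\", \"user_age\": ${x1.response.body.user.age}}";
    String result = com.akto.testing.workflow_node_executor.Utils.executeCode(payload, valuesMap);
    assertEquals("{\"user_name\": \"avneesh\", \"user_age\": 99}", result);
}
```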

Payment
Redirecting...
Click here to proceed
"; - testValidatorCode = "'${x1.response.body}'.indexOf('\"error\"') < 0"; - valuesMap.put("x1.response.body", p); - vulnerable = validateTest(testValidatorCode, valuesMap); - assertTrue(vulnerable); - } - - public boolean validateTest(String testValidatorCode, Map valuesMap) { - ScriptEngineManager factory = new ScriptEngineManager(); - if (testValidatorCode == null) return false; - testValidatorCode = testValidatorCode.trim(); - - boolean vulnerable = false; - if (testValidatorCode.length() == 0) return false; - - ScriptEngine engine = factory.getEngineByName("nashorn"); - try { - String code = com.akto.testing.workflow_node_executor.Utils.replaceVariables(testValidatorCode, valuesMap, true); - Object o = engine.eval(code); - vulnerable = ! (boolean) o; - } catch (Exception e) { - ; - } - - return vulnerable; - } - private BasicDBObject generateValue(String host, String endpoint, String method) { BasicDBObject value = new BasicDBObject(); value.put("host", host); diff --git a/libs/dao/src/test/java/com/akto/dto/testing/AuthMechanismTests.java b/libs/dao/src/test/java/com/akto/dto/testing/AuthMechanismTests.java index 0638a4ed8b..ba8541f894 100644 --- a/libs/dao/src/test/java/com/akto/dto/testing/AuthMechanismTests.java +++ b/libs/dao/src/test/java/com/akto/dto/testing/AuthMechanismTests.java @@ -1,6 +1,5 @@ package com.akto.dto.testing; -import com.akto.dto.HttpRequestParams; import com.akto.dto.OriginalHttpRequest; import org.junit.Test; @@ -28,7 +27,6 @@ private void validate(OriginalHttpRequest request, String key, List modi private void validateBodyAuthOperations(OriginalHttpRequest request, String key, String modifiedValue, String removeExpectedValue, Boolean modified, Boolean hardcoded) { String value = "Value"; - String finalKey = key.toLowerCase().trim(); AuthMechanism authMechanism = new AuthMechanism(); if (hardcoded) { authMechanism.setAuthParams(Collections.singletonList(new HardcodedAuthParam(AuthParam.Location.BODY, key, value, false))); 
diff --git a/libs/utils/src/main/java/com/akto/testing/ApiExecutor.java b/libs/utils/src/main/java/com/akto/testing/ApiExecutor.java
index b5b4faa6bb..abe28cc3b9 100644
--- a/libs/utils/src/main/java/com/akto/testing/ApiExecutor.java
+++ b/libs/utils/src/main/java/com/akto/testing/ApiExecutor.java
@@ -2,7 +2,6 @@
 import com.akto.dao.context.Context;
 import com.akto.dao.test_editor.TestEditorEnums;
-import com.akto.dao.testing.config.TestScriptsDao;
 import com.akto.dto.OriginalHttpRequest;
 import com.akto.dto.OriginalHttpResponse;
 import com.akto.dto.CollectionConditions.ConditionsType;
@@ -28,13 +27,6 @@
 import java.net.URISyntaxException;
 import java.net.URL;
 import java.util.*;
-import java.util.concurrent.locks.Condition;
-
-import javax.script.ScriptContext;
-import javax.script.ScriptEngine;
-import javax.script.ScriptEngineManager;
-import javax.script.SimpleScriptContext;
-import jdk.nashorn.api.scripting.ScriptObjectMirror;
 public class ApiExecutor {
 private static final LoggerMaker loggerMaker = new LoggerMaker(ApiExecutor.class);
@@ -422,73 +414,6 @@ private static void calculateFinalRequestFromAdvancedSettings(OriginalHttpReques
 );
 }
- private static void calculateHashAndAddAuth(OriginalHttpRequest originalHttpRequest, boolean executeScript) {
- if (!executeScript) {
- return;
- }
- int accountId = Context.accountId.get();
- try {
- String script;
- TestScript testScript = testScriptMap.getOrDefault(accountId, null);
- int lastTestScriptFetched = lastFetchedMap.getOrDefault(accountId, 0);
- if (Context.now() - lastTestScriptFetched > 5 * 60) {
- testScript = TestScriptsDao.instance.fetchTestScript();
- lastTestScriptFetched = Context.now();
- testScriptMap.put(accountId, testScript);
- lastFetchedMap.put(accountId, Context.now());
- }
- if (testScript != null && testScript.getJavascript() != null) {
- script = testScript.getJavascript();
- } else {
- // loggerMaker.infoAndAddToDb("returning from calculateHashAndAddAuth, no test script present");
- return;
- }
- loggerMaker.infoAndAddToDb("Starting calculateHashAndAddAuth");
-
- ScriptEngineManager manager = new ScriptEngineManager();
- ScriptEngine engine = manager.getEngineByName("nashorn");
-
- SimpleScriptContext sctx = ((SimpleScriptContext) engine.get("context"));
- sctx.setAttribute("method", originalHttpRequest.getMethod(), ScriptContext.ENGINE_SCOPE);
- sctx.setAttribute("headers", originalHttpRequest.getHeaders(), ScriptContext.ENGINE_SCOPE);
- sctx.setAttribute("url", originalHttpRequest.getPath(), ScriptContext.ENGINE_SCOPE);
- sctx.setAttribute("payload", originalHttpRequest.getBody(), ScriptContext.ENGINE_SCOPE);
- sctx.setAttribute("queryParams", originalHttpRequest.getQueryParams(), ScriptContext.ENGINE_SCOPE);
- engine.eval(script);
-
- String method = (String) sctx.getAttribute("method");
- Map headers = (Map) sctx.getAttribute("headers");
- String url = (String) sctx.getAttribute("url");
- String payload = (String) sctx.getAttribute("payload");
- String queryParams = (String) sctx.getAttribute("queryParams");
-
- Map> hs 
= new HashMap<>();
- for (String key: headers.keySet()) {
- try {
- ScriptObjectMirror scm = ((ScriptObjectMirror) headers.get(key));
- List val = new ArrayList<>();
- for (int i = 0; i < scm.size(); i++) {
- val.add((String) scm.get(Integer.toString(i)));
- }
- hs.put(key, val);
- } catch (Exception e) {
- hs.put(key, (List) headers.get(key));
- }
- }
-
- originalHttpRequest.setBody(payload);
- originalHttpRequest.setMethod(method);
- originalHttpRequest.setUrl(url);
- originalHttpRequest.setHeaders(hs);
- originalHttpRequest.setQueryParams(queryParams);
-
- } catch (Exception e) {
- loggerMaker.errorAndAddToDb("error in calculateHashAndAddAuth " + e.getMessage() + " url " + originalHttpRequest.getUrl());
- e.printStackTrace();
- return;
- }
- }
-
 private static OriginalHttpResponse sendWithRequestBody(OriginalHttpRequest request, Request.Builder builder, boolean followRedirects, boolean debug, List testLogs, boolean skipSSRFCheck, String requestProtocol) throws Exception {
 Map> headers = request.getHeaders();
 if (headers == null) {
diff --git a/libs/utils/src/main/java/com/akto/testing/Utils.java b/libs/utils/src/main/java/com/akto/testing/Utils.java
index 1331605fb7..76a26a5d94 100644
--- a/libs/utils/src/main/java/com/akto/testing/Utils.java
+++ b/libs/utils/src/main/java/com/akto/testing/Utils.java
@@ -10,10 +10,6 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-import javax.script.ScriptEngine;
-import javax.script.ScriptEngineManager;
-import javax.script.ScriptException;
-
 import com.akto.dto.ApiInfo.ApiInfoKey;
 import com.akto.dto.CollectionConditions.ConditionsType;
 import com.akto.dto.OriginalHttpRequest;
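Review bot: `calculateHashAndAddAuth` was `private static` and no call site is touched anywhere in this patch, so it was already unreachable; what the hunk leaves behind are the `testScriptMap` and `lastFetchedMap` statics it read and the `TestScript` type it used, all declared outside the hunk and, as far as this diff shows, now referenced by nothing — either remove them in the same commit or leave a one-line comment saying why they stay. The removal also retires the path that handed a per-account stored script to an embedded engine with the request's method, headers, URL and body as mutable context and then wrote the script's results back into the request; if an equivalent hook is ever reintroduced, it should expose a narrow, typed interface rather than the whole request object. The enclosing class continues outside the hunk.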
@@ -187,36 +183,10 @@ public static OriginalHttpRequest buildHttpRequest(WorkflowUpdatedSampleData upd
 return request;
 }
- private static final ScriptEngineManager factory = new ScriptEngineManager();
-
 public static String executeCode(String ogPayload, Map valuesMap) throws Exception {
- String variablesReplacedPayload = replaceVariables(ogPayload,valuesMap, true);
-
- String regex = "\\#\\[(.*?)]#";
- Pattern p = Pattern.compile(regex);
- Matcher matcher = p.matcher(variablesReplacedPayload);
- StringBuffer sb = new StringBuffer();
-
- // create a Nashorn script engine
- ScriptEngine engine = factory.getEngineByName("nashorn");
-
- while (matcher.find()) {
- String code = matcher.group(1);
- code = code.trim();
- if (!code.endsWith(";")) code = code+";";
- try {
- Object val = engine.eval(code);
- matcher.appendReplacement(sb, val.toString());
- } catch (final ScriptException se) {
- }
-
- }
-
- matcher.appendTail(sb);
- return sb.toString();
+ return replaceVariables(ogPayload,valuesMap, true);
 }
-
 public static String replaceVariables(String payload, Map valuesMap, boolean escapeString) throws Exception {
 String regex = "\\$\\{((x|step)\\d+\\.[\\w\\-\\[\\].]+|AKTO\\.changes_info\\..*?)\\}";
 Pattern p = Pattern.compile(regex);
@@ -259,20 +229,6 @@ public static boolean validateTest(String testValidatorCode, Map
 boolean vulnerable = false;
 if (testValidatorCode.length() == 0) return false;
- ScriptEngine engine = factory.getEngineByName("nashorn");
- try {
- String code = replaceVariables(testValidatorCode, valuesMap, true);
- loggerMaker.infoAndAddToDb("*******************************************************************", LogDb.TESTING);
- loggerMaker.infoAndAddToDb("TEST VALIDATOR CODE:", LogDb.TESTING);
- loggerMaker.infoAndAddToDb(code, LogDb.TESTING);
- Object o = engine.eval(code);
- loggerMaker.infoAndAddToDb("TEST VALIDATOR RESULT: " + o.toString(), LogDb.TESTING);
- loggerMaker.infoAndAddToDb("*******************************************************************", LogDb.TESTING);
- vulnerable = ! (boolean) o;
- } catch (Exception e) {
- ;
- }
-
 return vulnerable;
 }
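Review bot: With the engine call gone, `validateTest` can only ever return `false` — `vulnerable` is initialised to false on the hunk's first context line and nothing left in the body assigns it — so every caller now gets "not vulnerable" whatever validator code it passes, and the `length() == 0` guard and the `valuesMap` parameter do nothing. If validator scripts are retired, say so at the call boundary instead of passing silently: either `throw new UnsupportedOperationException("validator scripts are no longer evaluated");` or, if callers must keep working, keep the constant result but record it, e.g. `loggerMaker.infoAndAddToDb("validateTest: script evaluation disabled, returning false", LogDb.TESTING);` before the return (assuming `loggerMaker` and `LogDb` remain in scope in this file, which the removed lines suggest). The Javadoc should state that the return value is now constant. The method's signature and its callers lie outside the hunk, so whether any caller still relies on a true result cannot be confirmed here.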