| commit | 6ac03211fdf431d9eaf8e6c6590c48166499dff6 | |
|---|---|---|
| author | Trilok Tourani <ttourani@google.com> | Sat Aug 15 00:37:03 2020 +0000 |
| committer | David Clements <clementsd@google.com> | Thu Aug 20 18:48:48 2020 +0000 |
| tree | 1873d2a04edd338dcdf3dd3c5dd3893702157eb1 | |
| parent | 2f08ea127bfc220f1d3bd556764fdd6ab7316193 | |
b/163142235 Update README with library and command line usage Change-Id: I395fb47362d814345c510744154f3babb3431e1a
This project raises API designers' and developers' awareness of the security state of their OpenAPI Specification (OAS) APIs with respect to six of the OWASP Top 10 vulnerabilities. It does so through a command line application and a library of security tooling that analyzes the OAS document.
- oas-cli : The command line tool with the main class to check security validation of specifications.
- oas-core : The core library with features like parsing, traversing, and validating an OpenAPI Specification.
- oas-test : This module contains any shared testing implementations like marker interfaces for integration tests.

The command line tool can be invoked like:
java -jar api-security-tools.jar --file openApiSpecification.json
It performs:
If the extensions are used incorrectly, the error type and message are reported together with the path of the offending extension.
./gradlew build
This will
The core library is responsible for traversing a YAML or JSON document and searching for extensions. Every Extension found can then be validated using custom validators.
An example is shown below.
Let's start by configuring the Guice dependencies.
import com.google.inject.AbstractModule;

/**
 * Guice module that installs all required bindings.
 */
public class MainModule extends AbstractModule {
  @Override
  protected void configure() {
    install(new ExtendedValidatorMainModule());
    install(new BaseParserModule());
    // requireExplicitBindings() disables just-in-time bindings, so every class
    // obtained from the injector, including our own example, must be bound here.
    bind(ExtensionValidationExample.class);
    binder().requireExplicitBindings();
  }
}
Create a simple validator that implements ExtensionValidator.
import com.google.common.collect.ImmutableSet;

/** Validator skeleton: accepts every extension until real checks are added. */
class CustomValidator implements ExtensionValidator {
  public CustomValidator() {}

  @Override
  public ImmutableSet<ExtensionValidationMessage> validate(Extension extension) {
    // Validation logic goes here. The extension exposes
    // extension.getExtensionPath(), extension.getExtensionContent(), extension.getExtensionName().
    // An empty set means no findings for this extension.
    return ImmutableSet.of();
  }
}
Inject the required dependencies into your class.
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.inject.Inject;
import java.io.File;

public class ExtensionValidationExample {
  private final BaseParser baseParser;
  private final ExtendedValidator extendedValidator;
  private final TraversalHelperFactory traversalHelperFactory;

  @Inject
  ExtensionValidationExample(BaseParser baseParser,
                             ExtendedValidator extendedValidator,
                             TraversalHelperFactory traversalHelperFactory) {
    this.baseParser = baseParser;
    this.extendedValidator = extendedValidator;
    this.traversalHelperFactory = traversalHelperFactory;
  }

  void validate(File file) {
    OpenApi3 openApi = baseParser.parse(file);
    // Send the traversal command for the parsed OpenAPI object and collect the extensions it contains
    TraversalHelper traversalHelper = traversalHelperFactory.create(ImmutableList.of());
    traversalHelper.sendOpenApiTraversal(openApi);
    ImmutableSet<Extension> extensions = traversalHelper.traverse();
    CustomValidator customValidator = new CustomValidator();
    // Validate the first extension that was found
    if (!extensions.isEmpty()) {
      ImmutableSet<ExtensionValidationMessage> errors =
          customValidator.validate(extensions.iterator().next());
      System.out.printf("Found %d extension validation errors.%n%n", errors.size());
    }
  }
}
Run it using:
ExtensionValidationExample extensionValidation =
    Guice.createInjector(new MainModule()).getInstance(ExtensionValidationExample.class);
extensionValidation.validate(file);
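The example above checks only the first extension it finds. To audit a whole document, the following added example (not part of the project or of this README) runs every extension returned by the traversal through a list of validators, prints each finding with its path and name, and exits non-zero when anything is reported, so it can gate a build. It uses only the calls shown above (parse, create, sendOpenApiTraversal, traverse, validate and the Extension accessors); that ExtensionValidationMessage renders usefully through toString is an assumption, and the class is bound in a small extra module because MainModule calls requireExplicitBindings().

```java
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.inject.Guice;
import com.google.inject.Inject;
import java.io.File;

/**
 * Added example: validate every extension in a specification against several
 * validators and fail closed. Not the project's own code.
 */
public class AllExtensionsValidationExample {
  private final BaseParser baseParser;
  private final TraversalHelperFactory traversalHelperFactory;

  @Inject
  AllExtensionsValidationExample(BaseParser baseParser,
                                 TraversalHelperFactory traversalHelperFactory) {
    this.baseParser = baseParser;
    this.traversalHelperFactory = traversalHelperFactory;
  }

  /** Returns the total number of validation messages; 0 means no findings. */
  int validateAll(File file, ImmutableList<ExtensionValidator> validators) {
    OpenApi3 openApi = baseParser.parse(file);
    TraversalHelper traversalHelper = traversalHelperFactory.create(ImmutableList.of());
    traversalHelper.sendOpenApiTraversal(openApi);
    ImmutableSet<Extension> extensions = traversalHelper.traverse();

    int total = 0;
    for (Extension extension : extensions) {
      for (ExtensionValidator validator : validators) {
        ImmutableSet<ExtensionValidationMessage> messages = validator.validate(extension);
        for (ExtensionValidationMessage message : messages) {
          // Report path and name so the spec author can locate the extension.
          // Assumption: ExtensionValidationMessage has a readable toString().
          System.out.printf("%s (%s): %s%n",
              extension.getExtensionPath(), extension.getExtensionName(), message);
        }
        total += messages.size();
      }
    }
    return total;
  }

  public static void main(String[] args) {
    // MainModule requires explicit bindings, so bind this class in a second module.
    AllExtensionsValidationExample example = Guice
        .createInjector(new MainModule(),
            binder -> binder.bind(AllExtensionsValidationExample.class))
        .getInstance(AllExtensionsValidationExample.class);

    int count = example.validateAll(new File(args[0]),
        ImmutableList.of(new CustomValidator()));
    System.out.printf("Found %d extension validation errors.%n", count);
    // Fail closed: a non-zero exit code breaks a CI step on any finding.
    System.exit(count == 0 ? 0 : 1);
  }
}
```

Add further validators to the ImmutableList passed to validateAll; each one sees every extension, and the exit code reflects the combined result.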
Copyright 2020 Google LLC.
Licensed under the Apache License, Version 2.0