Enhance the OpenAPI plugin to accept user-provided values for parameters

[artem-smotrakov]

This is a patch for #17315

Main changes:

• Added parameter_values_location configuration option for the OpenAPI plugin. The option allows to set a path to a YAML file which contains context-specific parameter values.
• Added ParameterValues class which can load context-specific parameter values from a YAML file. The file contains a mapping { path, parameter name } -> list of values . Currently, it doesn't use an HTTP method but it can be easily updated. For in: body parameter type, a user can specify a JSON payload, but it's not currently possible to specify a value for a particular field in the JSON payload.
• Updated ParameterHandler to use context-specific parameter values. If a user provided custom parameter values, then the class prefers them, and tries to enumerate all possible combinations of the specified parameters.
• Fixed a possible null-dereference in get_uri() method.
• Added a couple of tests.

I am testing the feature on a couple of applications but would like to start a review now to get feedback earlier.

[artem-smotrakov]

I have tested it with a couple of applications - it worked well.

[andresriancho]

Awesome!

[andresriancho]

User might enter an invalid YAML, that case should be handled.

[artem-smotrakov]

Okay, I'll add a try-except block to catch YAMLError and wrap the exception in to ParameterValueParsingError.

[andresriancho]

Maybe the YAML format validation should be done here? That could be done by changing the INPUT_FILE type to YAML_INPUT_FILE and creating the logic for handling that.

It should be fairly easy, take a look at:

• https://github.com/andresriancho/w3af/blob/master/w3af/core/data/options/input_file_option.py
• https://github.com/andresriancho/w3af/blob/356b14b975039706f4fd7f4f5db5b114cd75f14e/w3af/core/data/options/tests/test_input_file_option.py

• w3af/w3af/core/data/options/opt_factory.py

  Line 43 in 356b14b

  LIST, REGEX, COMBO, INPUT_FILE, QUERY_STRING, HEADER,

[artem-smotrakov]

Hmm, that may be nice. Although input_file_option.py doesn't look that simple at first glance :) Okay, I'll see what I can do here.

[andresriancho]

Yeah, input_file_option.py doesn't look simple, but yaml_file_option.py should be simple :-)

Take a look at the other files in the same directory, those will give you ideas on how simple the inputs can actually be.

[andresriancho]

parameter_values_location should be changed to parameter_values_file (that is how input files are usually named)

w3af/w3af/plugins/output/text_file.py

Line 297 in 356b14b

o = opt_factory('output_file', self._output_file_name, d, OUTPUT_FILE)

w3af/w3af/plugins/output/xml_file.py

Line 153 in 356b14b

o = opt_factory('output_file', self._file_name, d, OUTPUT_FILE)

[artem-smotrakov]

Sure, no problem. Then, custom_spec_location should be probably renamed to custom_spec_file

[andresriancho]

Yes please

[andresriancho]

I believe that this feature requires its own documentation in https://github.com/andresriancho/w3af/blob/develop/doc/sphinx/scan-rest-apis.rst

I would make the example in get_long_desc shorter, and reference users to the documentation with something like: "For more information and examples about this feature read the framework documentation at https://docs.w3af.org"

[artem-smotrakov]

Okay, I'll update both description and docs. In fact, the docs need to be updated with descriptions of the recent changes/features. I hope I can find time to do that.

[andresriancho]

I need to work harder on merging your PR. If I don't do that I'll end up in a branch merge nightmare.

Sorry for not being more responsive with these PRs. I was on vacations. Will try to merge all these amazing things you've been working on to develop as soon as the comments are solved.

[artem-smotrakov]

Thanks for your comments. Let's work on them one by one, and I'll resolve possible conflicts which may appear. Then, it should be easier to merge them to develop.

[artem-smotrakov]

I have updated the patch:

• Renamed configuration parameters in the crawl.open_api plugin.
• Added YAML_INPUT_FILE option type.
• Updated docs and description for the crawl.open_api plugin.
• The crawl.open_api plugin now expects an invalid YAML file.
• Added TestOpenAPICustomParameterValues for the new configuration option.
• Added TestOpenAPICustomSpec for custom_spec_file configuration option.

[artem-smotrakov]

@andresriancho When you have some time, could you please take a look at this pull request? I have also updated other pull requests and added several comments - looking for a review. Thanks!