diff --git a/assets/queries/openAPI/3.0/implicit_flow_oauth2/metadata.json b/assets/queries/openAPI/3.0/implicit_flow_oauth2/metadata.json
deleted file mode 100644
index 0c9ca9b558d..00000000000
--- a/assets/queries/openAPI/3.0/implicit_flow_oauth2/metadata.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "id": "4a1f3d75-ab73-41b2-83e7-06a93dc3a75a",
- "queryName": "Implicit Flow in OAuth2 (v3)",
- "severity": "MEDIUM",
- "category": "Access Control",
- "descriptionText": "There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated",
- "descriptionUrl": "https://swagger.io/specification/#oauth-flow-object",
- "platform": "OpenAPI",
- "descriptionID": "94ccaa01",
- "cwe": ""
-}
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/implicit_flow_oauth2/query.rego b/assets/queries/openAPI/3.0/implicit_flow_oauth2/query.rego
deleted file mode 100644
index ccb3190e1f8..00000000000
--- a/assets/queries/openAPI/3.0/implicit_flow_oauth2/query.rego
+++ /dev/null
@@ -1,21 +0,0 @@
-package Cx
-import data.generic.openapi as openapi_lib
-import data.generic.common as common_lib
-CxPolicy[result] {
- doc := input.document[i]
- openapi_lib.check_openapi(doc) == "3.0"
- sec_scheme := doc.components.securitySchemes[key]
- sec_scheme.type == "oauth2"
- common_lib.valid_key(sec_scheme.flows, "implicit")
- result := {
- "documentId": doc.id,
- "searchKey": sprintf("components.securitySchemes.%s.flows.implicit", [key]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": "OAuth2 security schema flow should not use implicit flow",
- "keyActualValue": "OAuth2 security schema flow is using implicit flow",
- }
-}
diff --git a/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/negative1.json b/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/negative1.json
deleted file mode 100644
index 69830c26f30..00000000000
--- a/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/negative1.json
+++ /dev/null
@@ -1,61 +0,0 @@
-{
- "openapi": "3.0.0",
- "info": {
- "title": "Simple API Overview",
- "version": "1.0.0"
- },
- "paths": {
- "/": {
- "get": {
- "operationId": "listVersionsv2",
- "summary": "List API versions",
- "responses": {
- "200": {
- "description": "200 response",
- "content": {
- "application/json": {
- "examples": {
- "foo": {
- "value": {
- "versions": [
- {
- "status": "CURRENT",
- "updated": "2011-01-21T11:33:21Z",
- "id": "v2.0",
- "links": [
- {
- "href": "http://127.0.0.1:8774/v2/",
- "rel": "self"
- }
- ]
- }
- ]
- }
- }
- }
- }
- }
- }
- }
- }
- }
- },
- "components": {
- "securitySchemes": {
- "oAuth2AuthCodeNeg2": {
- "type": "oauth2",
- "description": "For more information, see https://api.my.company.com/docs/oauth",
- "flows": {
- "authorizationCode": {
- "authorizationUrl": "https://api.my.company.com/oauth/authorize",
- "tokenUrl": "https://api.my.company.com/oauth/token",
- "scopes": {
- "write:api": "modify apis in your account",
- "read:api": "read your apis"
- }
- }
- }
- }
- }
-}
diff --git a/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/negative2.yaml b/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/negative2.yaml
deleted file mode 100644
index 6f01783a8f9..00000000000
--- a/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/negative2.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-openapi: 3.0.0
-info:
- title: Simple API Overview
- version: 1.0.0
-paths:
- "/":
- get:
- operationId: listVersionsv2
- summary: List API versions
- responses:
- '200':
- description: 200 response
- content:
- application/json:
- examples:
- foo:
- value:
- versions:
- - status: CURRENT
- updated: '2011-01-21T11:33:21Z'
- id: v2.0
- links:
- - href: http://127.0.0.1:8774/v2/
- rel: self
-components:
- securitySchemes:
- oAuth2AuthCodeNeg2:
- type: oauth2
- description: For more information, see https://api.my.company.com/docs/oauth
- flows:
- authorizationCode:
- authorizationUrl: https://api.my.company.com/oauth/authorize
- tokenUrl: https://api.my.company.com/oauth/token
- scopes:
- write:api: modify apis in your account
- read:api: read your apis
diff --git a/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive1.json b/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive1.json
deleted file mode 100644
index 569d376b322..00000000000
--- a/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive1.json
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- "openapi": "3.0.0",
- "info": {
- "title": "Simple API overview",
- "version": "1.0.0"
- },
- "paths": {
- "/": {
- "get": {
- "operationId": "listVersionsv2",
- "summary": "List API versions",
- "responses": {
- "200": {
- "description": "200 response",
- "content": {
- "application/json": null
- }
- }
- }
- }
- }
- },
- "components": {
- "securitySchemes": {
- "oAuth2AuthCode": {
- "type": "oauth2",
- "description": "For more information, see https://api.my.company.com/docs/oauth",
- "flows": {
- "implicit": {
- "authorizationUrl": "https://api.invalid.company.com/oauth/authorize",
- "scopes": {
- "write:api": "modify apis in your account",
- "read:api": "read your apis"
- }
- }
- }
- }
- }
- }
-}
diff --git a/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive2.json b/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive2.json
deleted file mode 100644
index 57d09592700..00000000000
--- a/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive2.json
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- "openapi": "3.0.0",
- "info": {
- "title": "Simple API overview",
- "version": "1.0.0"
- },
- "paths": {
- "/": {
- "get": {
- "operationId": "listVersionsv2",
- "summary": "List API versions",
- "responses": {
- "200": {
- "description": "200 response",
- "content": {
- "application/json": null
- }
- }
- }
- }
- }
- },
- "components": {
- "securitySchemes": {
- "oAuth2AuthCode": {
- "type": "oauth2",
- "description": "For more information, see https://api.my.company.com/docs/oauth",
- "flows": {
- "authorizationCode": {
- "authorizationUrl": "https://api.my.company.com/oauth/authorize",
- "tokenUrl": "https://api.my.company.com/oauth/token",
- "scopes": {
- "write:api": "modify apis in your account",
- "read:api": "read your apis"
- }
- },
- "implicit": {
- "authorizationUrl": "https://api.invalid.company.com/oauth/authorize",
- "scopes": {
- "write:api": "modify apis in your account",
- "read:api": "read your apis"
- }
- }
- }
- }
- }
- }
-}
diff --git a/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive3.json b/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive3.json
deleted file mode 100644
index d6164913999..00000000000
--- a/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive3.json
+++ /dev/null
@@ -1,54 +0,0 @@
-{
- "openapi": "3.0.0",
- "info": {
- "title": "Simple API overview",
- "version": "1.0.0"
- },
- "paths": {
- "/": {
- "get": {
- "operationId": "listVersionsv2",
- "summary": "List API versions",
- "responses": {
- "200": {
- "description": "200 response",
- "content": {
- "application/json": null
- }
- }
- }
- }
- }
- },
- "components": {
- "securitySchemes": {
- "oAuth2AuthCode": {
- "type": "oauth2",
- "description": "For more information, see https://api.my.company.com/docs/oauth",
- "flows": {
- "authorizationCode": {
- "authorizationUrl": "https://api.my.company.com/oauth/authorize",
- "tokenUrl": "https://api.my.company.com/oauth/token",
- "scopes": {
- "write:api": "modify apis in your account",
- "read:api": "read your apis"
- }
- }
- }
- },
- "oAuth2AuthCode2": {
- "type": "oauth2",
- "description": "For more information, see https://api.my.company.com/docs/oauth",
- "flows": {
- "implicit": {
- "authorizationUrl": "https://api.invalid.company.com/oauth/authorize",
- "scopes": {
- "write:api": "modify apis in your account",
- "read:api": "read your apis"
- }
- }
- }
- }
- }
- }
-}
diff --git a/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive4.yaml b/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive4.yaml
deleted file mode 100644
index f5b75446987..00000000000
--- a/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive4.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-openapi: 3.0.0
-info:
- title: Simple API overview
- version: 1.0.0
-paths:
- "/":
- get:
- operationId: listVersionsv2
- summary: List API versions
- responses:
- '200':
- description: 200 response
- content:
- application/json:
-components:
- securitySchemes:
- oAuth2AuthCode:
- type: oauth2
- description: For more information, see https://api.my.company.com/docs/oauth
- flows:
- implicit:
- authorizationUrl: https://api.invalid.company.com/oauth/authorize
- scopes:
- write:api: modify apis in your account
- read:api: read your apis
diff --git a/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive_expected_result.json b/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive_expected_result.json
deleted file mode 100644
index 64c21da6dc5..00000000000
--- a/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive_expected_result.json
+++ /dev/null
@@ -1,38 +0,0 @@
-[
- {
- "queryName": "Implicit Flow in OAuth2 (v3)",
- "severity": "MEDIUM",
- "line": 29,
- "filename": "positive1.json"
- },
- {
- "queryName": "Implicit Flow in OAuth2 (v3)",
- "severity": "MEDIUM",
- "line": 37,
- "filename": "positive2.json"
- },
- {
- "queryName": "Implicit Flow in OAuth2 (v3)",
- "severity": "MEDIUM",
- "line": 43,
- "filename": "positive3.json"
- },
- {
- "queryName": "Implicit Flow in OAuth2 (v3)",
- "severity": "MEDIUM",
- "line": 21,
- "filename": "positive4.yaml"
- },
- {
- "queryName": "Implicit Flow in OAuth2 (v3)",
- "severity": "MEDIUM",
- "line": 27,
- "filename": "positive5.yaml"
- },
- {
- "queryName": "Implicit Flow in OAuth2 (v3)",
- "severity": "MEDIUM",
- "line": 31,
- "filename": "positive6.yaml"
- }
-]
diff --git a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/query.rego b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/query.rego
index b00c5277cf0..9525c56cb8b 100644
--- a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/query.rego
+++ b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/query.rego
@@ -1,21 +1,21 @@
 package Cx
 import data.generic.openapi as openapi_lib
+import data.generic.common as common_lib
 CxPolicy[result] {
 doc := input.document[i]
 openapi_lib.check_openapi(doc) == "3.0"
- security_scheme := doc.components.securitySchemes[name]
+ security_scheme := doc.components.securitySchemes[key]
 security_scheme.type == "oauth2"
- flow := security_scheme.flows[flow_object]
- flow_object == "implicit"
+ common_lib.valid_key(security_scheme.flows, "implicit")
 result := {
 "documentId": doc.id,
- "searchKey": sprintf("components.securitySchemes.{{%s}}.flows.implicit", [name]),
+ "searchKey": sprintf("components.securitySchemes.{{%s}}.flows.implicit", [key]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("components.securitySchemes.{{%s}}.flows do not contain an 'implicit' flow", [name]),
- "keyActualValue": sprintf("components.securitySchemes.{{%s}}.flows contain an 'implicit' flow", [name]),
+ "keyExpectedValue": sprintf("components.securitySchemes.{{%s}}.flows should not use 'implicit' flow", [key]),
+ "keyActualValue": sprintf("components.securitySchemes.{{%s}}.flows is using 'implicit' flow", [key]),
 }
 }
diff --git a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive3.json b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive3.json
new file mode 100644
index 00000000000..31bd7645176
--- /dev/null
+++ b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive3.json
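Review bot: The rule body gives no reason for reporting the `implicit` flow, and the only explanation on record (the deleted `implicit_flow_oauth2/metadata.json`, which called the flow deprecated) leaves the tree in this same commit; a one-line comment above `common_lib.valid_key(security_scheme.flows, "implicit")`, such as `# The implicit grant hands the access token back in the redirect URI fragment and is deprecated; any OAuth2 scheme that still offers it is reported.`, would keep that rationale next to the check. Replacing `flow := security_scheme.flows[flow_object]` / `flow_object == "implicit"` with `common_lib.valid_key` also moves the empty-value case (`implicit:` with no mapping in YAML, or `"implicit": null`) onto `valid_key`'s implementation, which lives outside this hunk, whereas the old form matched on the key alone. If the two are meant to be equivalent, a fixture with an empty `implicit` mapping in the positive set would pin that. The retained query's own `metadata.json` is not part of this diff, so whether its descriptionText still carries the deprecation note could not be checked here.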
@@ -0,0 +1,49 @@
+{
+ "openapi": "3.0.0",
+ "info": {
+ "title": "Simple API overview",
+ "version": "1.0.0"
+ },
+ "paths": {
+ "/": {
+ "get": {
+ "operationId": "listVersionsv2",
+ "summary": "List API versions",
+ "responses": {
+ "200": {
+ "description": "200 response",
+ "content": {
+ "application/json": null
+ }
+ }
+ }
+ }
+ }
+ },
+ "components": {
+ "securitySchemes": {
+ "oAuth2AuthCode": {
+ "type": "oauth2",
+ "description": "For more information, see https://api.my.company.com/docs/oauth",
+ "flows": {
+ "authorizationCode": {
+ "authorizationUrl": "https://api.my.company.com/oauth/authorize",
+ "tokenUrl": "https://api.my.company.com/oauth/token",
+ "scopes": {
+ "write:api": "modify apis in your account",
+ "read:api": "read your apis"
+ }
+ },
+ "implicit": {
+ "authorizationUrl": "https://api.invalid.company.com/oauth/authorize",
+ "scopes": {
+ "write:api": "modify apis in your account",
+ "read:api": "read your apis"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ 
\ No newline at end of file
diff --git a/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive5.yaml b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive4.yaml
similarity index 100%
rename from assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive5.yaml
rename to assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive4.yaml
diff --git a/assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive6.yaml b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive5.yaml
similarity index 100%
rename from assets/queries/openAPI/3.0/implicit_flow_oauth2/test/positive6.yaml
rename to assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive5.yaml
diff --git a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json
index 527d8749356..c3483dcaf82 100644
--- a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json
@@ -10,5 +10,23 @@
 "severity": "MEDIUM",
 "line": 34,
 "filename": "positive2.yaml"
+ },
+ {
+ "queryName": "OAuth2 With Implicit Flow",
+ "severity": "MEDIUM",
+ "line": 37,
+ "filename": "positive3.json"
+ },
+ {
+ "queryName": "OAuth2 With Implicit Flow",
+ "severity": "MEDIUM",
+ "line": 27,
+ "filename": "positive4.yaml"
+ },
+ {
+ "queryName": "OAuth2 With Implicit Flow",
+ "severity": "MEDIUM",
+ "line": 31,
+ "filename": "positive5.yaml"
 }
]
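Review bot: The three entries added here (positive3.json, positive4.yaml, positive5.yaml) carry over only part of the deleted suite: the removed positive1.json (a scheme offering only `implicit`) and positive3.json (two schemes, only the second one implicit) have no counterpart in this diff, so whether those shapes stay covered depends on the retained query's existing positive1/positive2 fixtures, which are not shown. The two negative fixtures removed in the earlier file sections (authorizationCode-only schemes) are likewise not re-added, so a false-positive regression on a scheme without `implicit` would go unnoticed unless the retained negative set already holds an equivalent. If it does not, carrying those four files over under new names and extending this list accordingly would preserve the coverage the deleted query had.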