Skip to content

Commit

Permalink
Merge pull request #449 from owasp-noir/dev
Browse files Browse the repository at this point in the history
Release v0.18.2
  • Loading branch information
hahwul authored Nov 6, 2024
2 parents ab1db56 + 233b2c4 commit 319c585
Show file tree
Hide file tree
Showing 12 changed files with 56 additions and 10 deletions.
2 changes: 1 addition & 1 deletion .github/ISSUE_TEMPLATE/bug_report.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ If applicable, add screenshots to help explain your problem.

**Versions**
- OS: [e.g. macos, linux]
- Version [e.g. v0.18.1]
- Version [e.g. v0.18.2]

**Additional context**
Add any other context about the problem here.
4 changes: 4 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -105,3 +105,7 @@ Noir is open-source project and made it with ❤️
if you want contribute this project, please see [CONTRIBUTING.md](./CONTRIBUTING.md) and Pull-Request with cool your contents.

[![](./CONTRIBUTORS.svg)](https://github.com/owasp-noir/noir/graphs/contributors)

*PassiveScan Rule contributors*

[![](https://raw.githubusercontent.com/owasp-noir/noir-passive-rules/refs/heads/main/CONTRIBUTORS.svg)](https://github.com/owasp-noir/noir-passive-rules/graphs/contributors)
3 changes: 2 additions & 1 deletion docs/_advanced/tips/community-articles.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,5 @@ layout: page
---

* [Hello Noir 👋🏼 by HAHWUL](https://www.hahwul.com/2023/08/03/hello-noir/)
* [API Attack Surface Detection using Noir by DANA EPP](https://danaepp.com/api-attack-surface-detection-using-noir)
* [API Attack Surface Detection using Noir by DANA EPP](https://danaepp.com/api-attack-surface-detection-using-noir)
* [Exploring OWASP Noir's PassiveScan by HAHWUL](https://www.hahwul.com/2024/11/03/passivescan-in-owasp-noir/)
4 changes: 4 additions & 0 deletions docs/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,10 @@ Happy contributing!

![](https://raw.githubusercontent.com/owasp-noir/noir/refs/heads/main/CONTRIBUTORS.svg)

*PassiveScan Rule contributors*

[![](https://raw.githubusercontent.com/owasp-noir/noir-passive-rules/refs/heads/main/CONTRIBUTORS.svg)](https://github.com/owasp-noir/noir-passive-rules/graphs/contributors)

### Code of Conduct
OWASP Noir is committed to fostering a welcoming community.

Expand Down
2 changes: 1 addition & 1 deletion shard.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Project Metadata
name: noir
version: 0.18.1
version: 0.18.2
authors:
- hahwul <hahwul@gmail.com>
- ksg97031 <ksg97031@gmail.com>
Expand Down
2 changes: 1 addition & 1 deletion snap/snapcraft.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: noir
base: core20
version: 0.18.1
version: 0.18.2
summary: Attack surface detector that identifies endpoints by static analysis.
description: |
Noir is an open-source project specializing in identifying attack surfaces for enhanced whitebox security testing and security pipeline.
Expand Down
7 changes: 5 additions & 2 deletions spec/functional_test/fixtures/ruby/rails/config/routes.rb
Original file line number Diff line number Diff line change
@@ -1,7 +1,10 @@
Rails.application.routes.draw do
resources :posts
# Define your application routes per the DSL in https://guides.rubyonrails.org/routing.html

# Defines the root path route ("/")
# root "articles#index"
end
get "up" => "rails/health#show", as: :rails_health_check
get "service-worker" => "rails/pwa#service_worker", as: :pwa_service_worker
get "manifest" => "rails/pwa#manifest", as: :pwa_manifest
end
3 changes: 3 additions & 0 deletions spec/functional_test/testers/ruby/rails_spec.cr
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,9 @@ extected_endpoints = [
Param.new("X-API-KEY", "", "header"),
]),
Endpoint.new("/posts/1", "DELETE"),
Endpoint.new("/up", "GET"),
Endpoint.new("/service-worker", "GET"),
Endpoint.new("/manifest", "GET"),
]

FunctionalTester.new("fixtures/ruby/rails/", {
Expand Down
17 changes: 15 additions & 2 deletions src/completions.cr
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ def generate_zsh_completion_script
_arguments \\
'-b[Set base path]:path:_files' \\
'-u[Set base URL for endpoints]:URL:_urls' \\
'-f[Set output format]:format:(plain yaml json jsonl markdown-table curl httpie oas2 oas3 only-url only-param only-header only-cookie)' \\
'-f[Set output format]:format:(plain yaml json jsonl markdown-table curl httpie oas2 oas3 only-url only-param only-header only-cookie only-tag)' \\
'-o[Write result to file]:path:_files' \\
'--set-pvalue[Specifies the value of the identified parameter]:value:' \\
'--set-pvalue-header[Specifies the value of the identified parameter for headers]:value:' \\
Expand All @@ -19,6 +19,8 @@ _arguments \\
'--include-path[Include file path in the plain result]' \\
'--no-color[Disable color output]' \\
'--no-log[Displaying only the results]' \\
'-P[Perform a passive scan for security issues using rules from the specified path]' \\
'--passive-scan-path[Specify the path for the rules used in the passive security scan]:path:_files' \\
'-T[Activates all taggers for full analysis coverage]' \\
'--use-taggers[Activates specific taggers]:values:' \\
'--list-taggers[Lists all available taggers]' \\
Expand All @@ -34,6 +36,7 @@ _arguments \\
'--list-techs[Show all technologies]' \\
'--config-file[Specify the path to a configuration file in YAML format]:path:_files' \\
'--concurrency[Set concurrency]:concurrency:' \\
'--generate-completion[Generate Zsh/Bash/Fish completion script]:completion:(zsh bash fish)' \\
'-d[Show debug messages]' \\
'-v[Show version]' \\
'--build-info[Show version and Build info]' \\
Expand Down Expand Up @@ -65,6 +68,8 @@ _noir_completions() {
--include-path
--no-color
--no-log
-P --passive-scan
--passive-scan-path
-T --use-all-taggers
--use-taggers
--list-taggers
Expand All @@ -80,6 +85,7 @@ _noir_completions() {
--list-techs
--config-file
--concurrency
--generate-completion
-d --debug
-v --version
--build-info
Expand All @@ -88,13 +94,17 @@ _noir_completions() {
case "${prev}" in
-f|--format)
COMPREPLY=( $(compgen -W "plain yaml json jsonl markdown-table curl httpie oas2 oas3 only-url only-param only-header only-cookie" -- "${cur}") )
COMPREPLY=( $(compgen -W "plain yaml json jsonl markdown-table curl httpie oas2 oas3 only-url only-param only-header only-cookie only-tag" -- "${cur}") )
return 0
;;
--send-proxy|--send-es|--with-headers|--use-matchers|--use-filters|--diff-path|--config-file|--set-pvalue|--techs|--exclude-techs|-o|-b|-u)
COMPREPLY=( $(compgen -f -- "${cur}") )
return 0
;;
--generate-completion)
COMPREPLY=( $(compgen -W "zsh bash fish" -- "${cur}") )
return 0
;;
*)
;;
esac
Expand Down Expand Up @@ -133,6 +143,8 @@ complete -c noir -n '__fish_noir_needs_command' -a '--exclude-codes' -d 'Exclude
complete -c noir -n '__fish_noir_needs_command' -a '--include-path' -d 'Include file path in the plain result'
complete -c noir -n '__fish_noir_needs_command' -a '--no-color' -d 'Disable color output'
complete -c noir -n '__fish_noir_needs_command' -a '--no-log' -d 'Displaying only the results'
complete -c noir -n '__fish_noir_needs_command' -a '-P' -d 'Perform a passive scan for security issues using rules from the specified path'
complete -c noir -n '__fish_noir_needs_command' -a '--passive-scan-path' -d 'Specify the path for the rules used in the passive security scan'
complete -c noir -n '__fish_noir_needs_command' -a '-T' -d 'Activates all taggers for full analysis coverage'
complete -c noir -n '__fish_noir_needs_command' -a '--use-taggers' -d 'Activates specific taggers'
complete -c noir -n '__fish_noir_needs_command' -a '--list-taggers' -d 'Lists all available taggers'
Expand All @@ -148,6 +160,7 @@ complete -c noir -n '__fish_noir_needs_command' -a '--exclude-techs' -d 'Specify
complete -c noir -n '__fish_noir_needs_command' -a '--list-techs' -d 'Show all technologies'
complete -c noir -n '__fish_noir_needs_command' -a '--config-file' -d 'Specify the path to a configuration file in YAML format'
complete -c noir -n '__fish_noir_needs_command' -a '--concurrency' -d 'Set concurrency'
complete -c noir -n '__fish_noir_needs_command' -a '--generate-completion' -d 'Generate Zsh/Bash/Fish completion script'
complete -c noir -n '__fish_noir_needs_command' -a '-d' -d 'Show debug messages'
complete -c noir -n '__fish_noir_needs_command' -a '-v' -d 'Show version'
complete -c noir -n '__fish_noir_needs_command' -a '--build-info' -d 'Show version and Build info'
Expand Down
4 changes: 4 additions & 0 deletions src/models/logger.cr
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,10 @@ class NoirLogger
end

def heading(message)
if @no_log
return
end

prefix = "".colorize(:yellow).toggle(@color_mode)
STDERR.puts "#{prefix} #{message}"
end
Expand Down
11 changes: 11 additions & 0 deletions src/models/noir.cr
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,8 @@ class NoirRunner

@endpoints.each do |endpoint|
tiny_tmp = endpoint

# Remove space in param name
if endpoint.params.size > 0
tiny_tmp.params = [] of Param
endpoint.params.each do |param|
Expand All @@ -149,6 +151,15 @@ class NoirRunner
end
end

# Check start with slash
if tiny_tmp.url[0] != "/"
tiny_tmp.url = "/#{tiny_tmp.url}"
end

# Check double slash
tiny_tmp.url = tiny_tmp.url.gsub_repeatedly("//", "/")

# Duplicate check
if tiny_tmp.url != ""
is_new = true
final.each do |dup|
Expand Down
7 changes: 5 additions & 2 deletions src/noir.cr
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ require "./options.cr"
require "./techs/techs.cr"

module Noir
VERSION = "0.18.1"
VERSION = "0.18.2"
end

# Run options parser
Expand Down Expand Up @@ -54,7 +54,10 @@ if noir_options["exclude_codes"] != ""
end

# Run Noir
banner()
if noir_options["nolog"] == false
banner()
end

app = NoirRunner.new noir_options
start_time = Time.monotonic

Expand Down

0 comments on commit 319c585

Please sign in to comment.