graphql: Add tech detection for GraphQL Engines #5843
Conversation
addOns/graphql/src/main/java/org/zaproxy/addon/graphql/GraphQlFingerprinter.java
Outdated
Show resolved
Hide resolved
|
I did try adding this to |
kingthorin
force-pushed
the
gql-td
branch
6 times, most recently
from
98ca05d to
5a9f162
Compare
...ns/graphql/src/main/java/org/zaproxy/addon/graphql/techdetection/ExtensionTechDetection.java
Outdated
Show resolved
Hide resolved
|
I should probably add some more tests. But, I'd be glad to have any feedback in the meantime. |
addOns/graphql/src/main/java/org/zaproxy/addon/graphql/GraphQlFingerprinter.java
Outdated
Show resolved
Hide resolved
addOns/graphql/src/main/java/org/zaproxy/addon/graphql/GraphQlFingerprinter.java
Outdated
Show resolved
Hide resolved
...ns/graphql/src/main/java/org/zaproxy/addon/graphql/techdetection/ExtensionTechDetection.java
Outdated
Show resolved
Hide resolved
...ns/graphql/src/main/java/org/zaproxy/addon/graphql/techdetection/ExtensionTechDetection.java
Outdated
Show resolved
Hide resolved
...ns/graphql/src/main/java/org/zaproxy/addon/graphql/techdetection/ExtensionTechDetection.java
Outdated
Show resolved
Hide resolved
kingthorin
force-pushed
the
gql-td
branch
3 times, most recently
from
d8a916e to
7bd1a00
Compare
addOns/graphql/src/test/java/org/zaproxy/addon/graphql/GraphQlFingerprinterUnitTest.java
Show resolved
Hide resolved
| Object[] arguments = new Object[2]; | ||
| GraphQlFingerprinter.setAppConsumer( | ||
| (site, engine) -> { | ||
| arguments[0] = site.toString(); | ||
| arguments[1] = engine; | ||
| }); |
There was a problem hiding this comment.
Used an array because of the whole lambda 'must be final or effectively final' restriction.
There was a problem hiding this comment.
I guess alternatively I could have created an assertion method that accepts the two values?
addOns/wappalyzer/src/main/java/org/zaproxy/zap/extension/wappalyzer/ExtensionWappalyzer.java
Show resolved
Hide resolved
|
Rebased current and deconflicted. |
|
Previous review has been addressed |
|
Rebased current and deconflicted, again. |
addOns/graphql/src/main/java/org/zaproxy/addon/graphql/GraphQlFingerprinter.java
Outdated
Show resolved
Hide resolved
|
Rebased current and deconflicted, yet again. |
|
|
||
| private final Requestor requestor; | ||
| private final Map<String, HttpMessage> queryCache; | ||
|
|
||
| private HttpMessage lastQueryMsg; | ||
| private String matchedString; | ||
| private static BiConsumer<URI, Engine> appConsumer = DEFAULT_APP_CONSUMER; |
There was a problem hiding this comment.
I know I'm late to review but a few notes on the appConsumer...
- The
Engine(DiscoveredGraphQlEngine?) could include the URI - The appConsumer (
discoveredEnginesListener?) could be a functional interface. - GraphQlFingerprinter could keep a list of listeners instead of a single listener.
- The
raiseFingerPrintingAlertmethod can also be added as a listener.
This should make the fingerprinter flexible even for future features that rely on GraphQL engines. That being said I'm good with the PR as-is too and this could even be done in a follow-up PR.
There was a problem hiding this comment.
I see the vision. I'll tweak for the first item.
I think I'll hold on the listener implementation for another PR. (This one has been dragging I'd like to just get it merged 😇)
There was a problem hiding this comment.
Isn't a Consumer already a functional interface? Is there a reason to not just simply use a list of Consumers?
If I'm right it wouldn't be too hard to change for this PR.
There was a problem hiding this comment.
@ricekot I'm pretty sure I'm right the more I think about this.
I can create List<Consumer> consumers; Instead of the existing default consumer being noop I could turn it into raiseFingerPrintingAlert being the default. If/when the conditions are proper then the Tech Detection consumer can be added. Instead of calling each separately as things currently are I can do something like: consumers.forEach(consumer -> consumer.accept(discoveredGraphQlEngine));
There was a problem hiding this comment.
There are reasons/benefits to use a custom interface rather than Consumer (or any variant of), e.g. if in the future there's the need to add other methods or parameters. If you use Consumer you will not be able to do that, with the custom interface you can rely on default methods.
Never late :) I was not thinking this would be used by/for other purposes in the future, if that's the intent we should expose the functionality through the extension not as static methods in "internal" classes, proper JavaDoc should be added and so on. (Unless you mean as internal functionality?)
There was a problem hiding this comment.
Okay I can make a custom interface, thanks for talking through it!
I believe it would only be used 'internally' to the add-on but @ricekot feel free to correct me if you see it differently.
There was a problem hiding this comment.
Unless you mean as internal functionality?
I meant generally but at the moment I can't think of ways this would be used outside the add-on.
...hql/src/main/java/org/zaproxy/addon/graphql/techdetection/ExtensionTechDetectionGraphQl.java
Outdated
Show resolved
Hide resolved
kingthorin
force-pushed
the
gql-td
branch
3 times, most recently
from
d0c49b0 to
f64c3ec
Compare
kingthorin
force-pushed
the
gql-td
branch
4 times, most recently
from
79e1915 to
29efe57
Compare
|
Hey crew, is this implementation better? |
|
@ricekot does this implementation seem better? |
|
Bump |
This comment was marked as outdated.
This comment was marked as outdated.
addOns/graphql/src/test/java/org/zaproxy/addon/graphql/GraphQlFingerprinterUnitTest.java
Outdated
Show resolved
Hide resolved
addOns/graphql/src/test/java/org/zaproxy/addon/graphql/GraphQlFingerprinterUnitTest.java
Outdated
Show resolved
Hide resolved
addOns/graphql/src/test/java/org/zaproxy/addon/graphql/GraphQlFingerprinterUnitTest.java
Outdated
Show resolved
Hide resolved
addOns/graphql/src/test/java/org/zaproxy/addon/graphql/GraphQlFingerprinterUnitTest.java
Outdated
Show resolved
Hide resolved
addOns/graphql/src/main/javahelp/org/zaproxy/addon/graphql/resources/help/contents/alerts.html
Outdated
Show resolved
Hide resolved
addOns/graphql/src/main/java/org/zaproxy/addon/graphql/GraphQlFingerprinter.java
Outdated
Show resolved
Hide resolved
kingthorin
force-pushed
the
gql-td
branch
2 times, most recently
from
5488bfd to
558c1bb
Compare
addOns/graphql/src/main/java/org/zaproxy/addon/graphql/GraphQlFingerprinter.java
Outdated
Show resolved
Hide resolved
addOns/graphql/src/main/java/org/zaproxy/addon/graphql/GraphQlFingerprinter.java
Outdated
Show resolved
Hide resolved
addOns/graphql/src/main/java/org/zaproxy/addon/graphql/GraphQlFingerprinter.java
Outdated
Show resolved
Hide resolved
addOns/wappalyzer/src/main/java/org/zaproxy/zap/extension/wappalyzer/ExtensionWappalyzer.java
Show resolved
Hide resolved
|
Feedback addressed. |
|
This one still pending #5843 (comment) |
addOns/wappalyzer/src/main/java/org/zaproxy/zap/extension/wappalyzer/ExtensionWappalyzer.java
Show resolved
Hide resolved
- CHANGELOG > Added note. - build file > Added dependency. - GraphQlFingerprinter > Updated to add Technology matches when GraphQL engines are fingerprinted. - GraphQlFingerprinterUnitTest > Updated for new handling. - DiscoveredGraphQlEngineHandler > An interface to be implemented for consumption/handling of discovered GraphQL engines. - ExtensionTechDetection > Added to facilitate optional dependence. - ExtensionTechDetectionUnitTest > Tests :) - Messages.properties > Added key/value pairs to support the optional dependency. - alert.html > Added note about the new functionality. Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>
|
Ok I think I got all those now too. |
|
Thank you! |
Overview
Ex: See the Apollo entry:
This seems to be a decent place for testing: https://countries.trevorblades.com/graphql
(Note if you do serial imports you will hit a limit and need to wait a min or so.)
Related Issues
N/A
Checklist
./gradlew spotlessApplyfor code formatting