Closed nrathaus closed 1 month ago
I believe this is an issue with many of the false negatives I am seeing:
```python
def fill_params(params: list[dict], is_v3: bool) -> list[dict]:
    """fills params for OAS/swagger specs"""
    schema_params = []
    for index in range(len(params)):
        param_type = (
            params[index].get("schema", {}).get("type")
            if is_v3
            else params[index].get("type")
        )
        param_is_required = params[index].get("required")
        param_in = params[index].get("in")
        param_name = params[index].get("name", "")
        param_value = fuzz_type_value(param_type=param_type, param_name=param_name)

        if params[index].get("schema"):
            schema_type = params[index].get("schema", {}).get("type")
            if schema_type == "object":
                schema_obj = params[index].get("schema", {}).get("properties", {})
                filled_schema_params = fill_schema_params(
                    schema_obj, param_in, param_is_required
                )
            else:
                filled_schema_params = [
                    {
                        "in": param_in,
                        "name": param_name,
                        "required": param_is_required,
                        "value": param_value,
                    }
                ]
            schema_params.append(filled_schema_params)
        else:
            params[index]["value"] = param_value
```
This code does:

- `string` attribute - causing feature calls to the `params` to not see it as a string
- `example` field if it exists
I don't quite understand if this overwriting is intentional or not
Further, the code could be easily written as:

```python
for index, _ in enumerate(params):
```

Instead of:

```python
for index in range(len(params)):
```
I believe the minimal fix to get it working would be to change this:

```python
filled_schema_params = [
    {
        "in": param_in,
        "name": param_name,
        "required": param_is_required,
        "value": param_value,
    }
]
```

To this:

```python
filled_schema_params = [
    {
        "in": param_in,
        "name": param_name,
        "required": param_is_required,
        "value": param_value,
        "type": param_type,
    }
]
```
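To show why the dropped `type` key turns into missed findings, here is an added example (not OFFAT's code) with a simplified `fill_params` in both the reported and the fixed form, run over a constructed OAS v3 parameter list. `fuzz_type_value` and `string_params` are stand-in stubs for this example, not the project's functions.

```python
"""Added example (not OFFAT's code): reproduces the dropped-"type" defect
from the issue on a constructed OAS v3 parameter list and checks the fix."""


def fuzz_type_value(param_type, param_name):
    # Stub standing in for the project's fuzz_type_value (assumption).
    return {"string": "fuzz", "integer": 1, "boolean": True}.get(param_type, "fuzz")


def fill_params(params, is_v3, keep_type):
    """Simplified fill_params for non-object schemas.

    keep_type=False reproduces the reported behaviour (the "type" key is lost);
    keep_type=True applies the minimal fix from the issue ("type": param_type).
    """
    filled = []
    for param in params:
        param_type = param.get("schema", {}).get("type") if is_v3 else param.get("type")
        name = param.get("name", "")
        entry = {
            "in": param.get("in"),
            "name": name,
            "required": param.get("required"),
            "value": fuzz_type_value(param_type, name),
        }
        if keep_type:
            entry["type"] = param_type
        filled.append(entry)
    return filled


def string_params(filled):
    """Stand-in for a downstream check that only targets string parameters."""
    return [p["name"] for p in filled if p.get("type") == "string"]


# Constructed OAS v3 parameters (not from any real spec).
PARAMS = [
    {"name": "q", "in": "query", "required": True, "schema": {"type": "string", "example": "x"}},
    {"name": "limit", "in": "query", "schema": {"type": "integer"}},
]

if __name__ == "__main__":
    # Without "type" the string-only check sees nothing; with the fix it sees "q".
    print(string_params(fill_params(PARAMS, True, keep_type=False)))
    print(string_params(fill_params(PARAMS, True, keep_type=True)))
```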
https://github.com/OWASP/OFFAT/pull/99
The respective PR has been merged and it should reduce the no. of false positives as mentioned.