Open raphaelahrens opened 6 months ago
Another advantage of this approach would be that code elements in the threats, could be marked as code and will not interfere with the formatting in the report.
An example of this is in SC04, which includes examples of jjencode
($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)
and a bypass via the window
this['al' + 'ert'](1)
When running
python3 tm.py --report docs/basic_template.md | pandoc > /dev/null
we get the error
[WARNING] Could not convert TeX math =($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+, rendering as TeX:
=($_=!''+$)[_/_]+$_[+$])])()[_
^
unexpected '$'
expecting "\\bangle", "\\brace", "\\brack", "\\choose", "\\displaystyle", "\\textstyle", "\\scriptstyle", "\\scriptscriptstyle", "{", "\\operatorname", letter, digit, ".",
"!", "'", "''", "'''", "''''", "*", "+", ",", "-", ".", "/", ":", ":=", ";", "<", "=", ">", "?", "@", "~", "_", "^", "\\left", "\\", "\\hyperref" or end of input
For the first line but for this['al' + 'ert'](1)
this turned into
<a href="1">'al' + 'ert'</a>
I have implemented a prototype
Do you know if this issue is going to be fixed? because I am also facing the same issue.
@pentestguy what issue do you mean?
The same issue is below
[WARNING] Could not convert TeX math =($=!''+$)[/]+$[+$])])()[[/]+[+~$]+$[]+, rendering as TeX: =($=!''+$)[/]+$[+$])])()[ ^ unexpected '$' expecting "\bangle", "\brace", "\brack", "\choose", "\displaystyle", "\textstyle", "\scriptstyle", "\scriptscriptstyle", "{", "\operatorname", letter, digit, ".", "!", "'", "''", "'''", "''''", "*", "+", ",", "-", ".", "/", ":", ":=", ";", "<", "=", ">", "?", "@", "~", "_", "^", "\left", "\", "\hyperref" or end of input
So I looked through the threats recently and again and again I find it difficult to read through the JSON document.
What bothers me the most is the combination of text in details, mitigation, and example with the metadata like id condtion severity and target.
It makes the text hard to read and the metadata difficult to find.
Now I had the idea to have a markdown file for each threat in the style of pandoc with the yaml_metadata_extension.
The result could look similar to this
Of course this file would not be parseable by pytm with the restriction that it should only depend on python stdlib. But what could be done is that the threats are stored in markdown files from which the threatlib.json could be generated.
What do you think about this idea?