OpenAPI Parser

[samvny68]

Hi, hope you're doing good!!!

After the latest update from Burp the OpenAPI Parser is not working as expected. Before it used to.

When tried to import the swagger.json it gives an error. Cannot invoke "io.swagger.v3.oas.models.OpenAPI.getservers()" because "openAPI" is null.

Trying to import the swagger version 2.0 file

Can you please let us know what we can do here?

Thanks in Advance

[Captain404]

Same issue with me

[aress31]

@samvny68 could you please share the file with me for troubleshooting?

[samvny68]

Hi Alexandre,

Hope you are doing well. Due to the confidentiality around the document I cannot share it with you. Although I can share the details of the file it is swagger v2.0 file I have also tried converting it to openapi 3.0 and then feed the open Api parser. But still there is no luck. I have the BurpSuite Pro paid version installed on my system.

Any help would be highly appreciated.

Thanks and Regards Samson Vinay

On Sat, 12 Feb, 2022, 9:33 pm Alexandre Teyar, @.***> wrote:

@samvny68 https://github.com/samvny68 could you please share the file with me for troubleshooting?

— Reply to this email directly, view it on GitHub https://github.com/aress31/swurg/issues/74#issuecomment-1037270033, or unsubscribe https://github.com/notifications/unsubscribe-auth/ALS5FQR2CHGFJFLUZMPLUULU22AGBANCNFSM5L3XIC6A . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

You are receiving this because you were mentioned.Message ID: @.***>

[falconws]

The same issue with me and can't share due to confidentiality. I've tested openapi v3 yaml file.

Same issue with me

[aress31]

@falconws the message is clear, you need a server field.

[falconws]

@falconws the message is clear, you need a server field.

My openapi.yaml file is

openapi: 3.0.0
info:
    ...omit
servers:
    - url: "..."
       description: ...
tags:
    - name: ...
    ... omit ...

So the servers field exists.

[yrjo]

same here, server field is there and the same issue as mentioned above, openapi: 3.0.2 bupr: newest version pro, 2022.2.4 (the same for the version before)

[aress31]

@yrjo please follow the instructions on the doc and let me know if it works.

• https://swagger.io/docs/specification/api-host-and-base-path/

[floyd-fuh]

@aress31 please read the error message again. It's not that "server" is null, but that "OpenAPI" is null. So the entire parsers does not seem to recognize it as a valid openapi file, so this must have been something bigger. In the extender tab - errors we get:

swurg.process.Loader -> Input length = 1
swurg.gui.ParserPanel$LoadButtonListener -> Cannot invoke "io.swagger.v3.oas.models.OpenAPI.getServers()" because "openAPI" is null

When creating a local webserver quickly, sending the openapi yaml file through Burp and then sending the request/response via Context menu leads to:

burp.ContextMenuFactory -> Cannot invoke "String.equals(Object)" because the return value of "java.net.URI.getScheme()" is null

So I thought let's do some divide and conquer. I used the basic example from https://swagger.io/docs/specification/basic-structure/ as a "known good" state and then always copied over some parts of the yaml I wanted to test. Then it was a simple divide-and-conquer. Here's what I found out:

• I hate yaml
• YAML and unicode are no friends, just one example: https://stackoverflow.com/questions/45281596/dumping-unicode-with-yaml

I still don't even know if YAML supports unicode or not, so I also don't know if this extension has a bug or not, but here's what I did:

• Add a "servers" part because it is really missing in the YAML
• Replace “ with \"
• Replace ” with \" (that's not a typo, it's a different char!)
• Replace – with -
• Get annoyed by manually finding unicode characters and use grep --color='auto' -P -n "[^\x00-\x7F]" openapi.yaml instead
• Replace © with nothing
• Get annoyed that it still doesn't work because we now just get an exception attribute paths.'/test'(post).requestBody.content.'application/json;charset=utf-8'.schema.#/testing/Create is missing instead of the original one, probably because $ref is not supported (see https://swagger.io/docs/specification/using-ref/ ). Probably the problem was my hacky search-replace and divide-and-conquer stuff.
• Give up
• Start all over, add the "servers" part and do the unicode replacements above
• Get the error swurg.gui.ParserPanel$LoadButtonListener -> Cannot invoke "io.swagger.v3.oas.models.media.Content.entrySet()" because the return value of "io.swagger.v3.oas.models.responses.ApiResponse.getContent()" is null
• Give up again
• Start again, add the "servers" part and do the unicode replacements above, realize that the parser does not seem to like "Empty Response Body" as explained/defined on https://swagger.io/docs/specification/describing-responses/ and therefore replace all:

    responses:
      "200":
        description: Example

  with:

    responses:
      "200":
        description: Example
        content: {}

Finally, the openapi YAML file imports just fine.

So the final workaround:

• Remove all unicode
• Add a "servers" section
• Add an empty content dictionary for responses that do not have a content specified

[aress31]

@floyd-fuh could you please pull the latest version and try again to check if #81 and 4d53ce7 fixed the issue?

[aress31]

https://github.com/aress31/swurg/commit/044ac747e10d5e19d18f50a00583bc16b37440e1