fixes to 129 and 137

cherrybomb-engine/Cargo.toml

@@ -13,7 +13,7 @@ edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-cherrybomb-oas = "^0.1"
+cherrybomb-oas = {path="../cherrybomb-oas"}
 anyhow = "1.0.66"
 thiserror = "1.0.37"
 serde_json = "^1.0"
@@ -25,3 +25,4 @@ strum_macros = "0.23" # legacy
 url="^2" #legacy
 base64 = "0.13" #legacy
 reqwest = { version = "^0.11",default_features = false, features = ["json","rustls-tls"] } #legacy
+serde_path_to_error = "0.1.14"

cherrybomb-engine/src/lib.rs

@@ -17,6 +17,7 @@ use std::vec;
 use strum::IntoEnumIterator;
 use serde_yaml;
 use anyhow::anyhow;
+use serde_path_to_error::deserialize;
 
 fn verbose_print(config: &Config, required: Option<Verbosity>, message: &str) {
     let required = required.unwrap_or(Verbosity::Normal);
@@ -52,6 +53,11 @@ pub async fn run(config: &mut Config) -> anyhow::Result<Value> {
             }
             _ => return Err(anyhow::Error::msg("Unsupported config file extension")),
         };
+        let r :Result<OAS3_1,_> = deserialize(&oas_json);
+        let oas = match r {
+            Ok(oas) => oas,
+            Err(e) => return Err(anyhow::Error::msg(format!("Error creating OAS struct: {}", e))),
+        };
         let oas: OAS3_1 = match serde_json::from_value(oas_json.clone().into()) {
             Ok(oas) => oas,
             Err(e) => return Err(anyhow::Error::msg(format!("Error creating OAS struct: {}", e))),

cherrybomb-engine/src/scan/active/active_scanner.rs

@@ -212,7 +212,7 @@ impl<T: OAS + Serialize + for<'de> Deserialize<'de>> ActiveScan<T> {
 
     pub fn gen_default_value(schema: Box<Schema>) -> Value {
         let ret: Value = if let Some(data_type) = schema.schema_type {
-            match data_type.as_str() {
+            match data_type.as_str().as_str() {
                 "string" => {
                     if let Some(num) = schema.min_length {
                         json!(iter::repeat(['B', 'L', 'S', 'T'])

cherrybomb-engine/src/scan/active/additional_checks.rs

@@ -4,6 +4,7 @@ use crate::active::utils::create_payload;
 use crate::scan::Level;
 use cherrybomb_oas::legacy::legacy_oas::OAS;
 use cherrybomb_oas::legacy::utils::Method;
+use cherrybomb_oas::legacy::schema::SchemaTypes;
 use serde::Serialize;
 use serde_json::{json, Value};
 use std::collections::{HashMap, HashSet};
@@ -856,10 +857,11 @@ impl<T: OAS + Serialize> ActiveScan<T> {
                         {
                             let mut _value_to_send = "2".to_string();
                             let mut var_int: i32 = 2;
-                            if types == *"integer".to_string() {
+                            let type_str = "integer".to_string();
+                            if matches!(types, SchemaTypes::Str(type_str)) {
                                 if let Some(val) = i.inner(&self.oas_value).examples {
                                     if let Some((_ex, val)) = val.into_iter().next() {
-                                        _value_to_send = val.value.to_string();
+                                        _value_to_send = val.inner(&self.oas_value).value.to_string();
                                         var_int = _value_to_send.parse::<i32>().unwrap();
                                     }
                                 }

cherrybomb-engine/src/scan/active/utils.rs

@@ -146,14 +146,14 @@ pub fn create_payload_for_get(
                     if let Some(value) = parameter.examples {
                         // if there is an example
                         if let Some((_ex, val)) = value.into_iter().next() {
-                            option_example_value = Some(val.value.to_string());
+                            option_example_value = Some(val.inner(swagger).value.to_string());
                         }
                     }
                     if let Some(schema_ref) = parameter.schema {
                         // dbg!(&schema_ref);
                         if let Some(schema_type) = schema_ref.inner(swagger).schema_type {
                             // let val_to_path:String;
-                            match schema_type.as_str() {
+                            match schema_type.as_str().as_str() {
                                 "string" => {
                                     let mut example_value = "randomString".to_string();
                                     if let Some(val) = option_example_value {
@@ -224,11 +224,11 @@ pub fn create_payload_for_get(
                             if let Some(values) = parameter.examples {
                                 if let Some((_ex, val)) = values.into_iter().next() {
                                     //take example as value
-                                    final_value = val.value.to_string();
+                                    final_value = val.inner(swagger).value.to_string();
                                     params_vec.push(RequestParameter {
                                         name: param_name,
                                         dm: QuePay::Query,
-                                        value: val.value.to_string(),
+                                        value:final_value.clone(),
                                     });
                                 } else {
                                     //if no examples insert randonstring

cherrybomb-engine/src/scan/passive/utils.rs

@@ -230,9 +230,9 @@ pub fn param_enum_rec(param: &Param, loc: String) -> Vec<Alert> {
 }
 pub fn additional_properties_test(schema: &Schema, location: String) -> Vec<Alert> {
     let tp = if let Some(t) = &schema.schema_type {
-        t
+        t.as_str()
     } else {
-        ""
+        String::new()
     };
     let mut alerts = vec![];
     match tp.to_lowercase().as_str() {
@@ -343,9 +343,9 @@ pub fn get_all_params_by_type(
 ) -> Vec<(Schema, String)> {
     let mut schemas = vec![];
     let s_tp = if let Some(t) = &schema.schema_type {
-        t
+        t.as_str()
     } else {
-        ""
+        String::new()
     };
     if s_tp == tp {
         schemas.push((schema.clone(), location.clone()));

cherrybomb-oas/src/legacy/legacy_oas.rs

@@ -48,7 +48,7 @@ pub struct Server {
 pub type Security = HashMap<String, Vec<String>>;
 pub type Callback = HashMap<String, HashMap<String, PathItem>>;
 pub type Content = HashMap<String, MediaType>;
-pub type Examples = HashMap<String, Example>;
+pub type Examples = HashMap<String, ExampleRef>;
 pub type EncodingMap = HashMap<String, Encoding>;
 //Practicaly Any
 //type Schema = Value;

cherrybomb-oas/src/legacy/param.rs

@@ -95,7 +95,7 @@ impl ParamInt {
         }
     }
 }
-#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Default)]
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Default)]
 pub struct ParamString {
     min_length: i64,
     max_length: i64,
@@ -137,7 +137,7 @@ impl Default for ParamValue {
 impl ParamValue {
     pub fn from(schema: &Schema) -> Self {
         let v = if let Some(t) = schema.schema_type.clone() {
-            t
+            t.as_str().to_lowercase()
         } else {
             String::new()
         };
@@ -327,7 +327,7 @@ impl Param {
     }
     pub fn schema_rec(swagger: &Value, schema: Schema, required: bool) -> Self {
         let p_type = if let Some(t) = schema.schema_type.clone() {
-            t
+            t.as_str().to_lowercase()
         } else {
             String::new()
         };
@@ -382,7 +382,7 @@ impl Param {
         }
         for schema in schemas {
             let p_type = if let Some(t) = schema.schema_type.clone() {
-                t
+                t.as_str().to_lowercase()
             } else {
                 String::new()
             };

cherrybomb-oas/src/legacy/path.rs

@@ -67,7 +67,7 @@ impl Operation {
                         vec![]
                     };
                     let p_type = if let Some(t) = inner.schema_type.clone() {
-                        t
+                        t.as_str().to_lowercase()
                     } else {
                         String::new()
                     };

cherrybomb-oas/src/legacy/refs.rs

@@ -197,3 +197,23 @@ impl CallbackRef {
         }
     }
 }
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+#[serde(untagged)]
+pub enum ExampleRef {
+    Ref(Reference),
+    Example(Box<Example>),
+}
+impl Default for ExampleRef {
+    fn default() -> Self {
+        Self::Ref(Reference::default())
+    }
+}
+#[allow(unused)]
+impl ExampleRef {
+    pub fn inner(&self, swagger: &Value) -> Example {
+        match self {
+            Self::Example(p) => *p.clone(),
+            Self::Ref(r) => r.get::<Example>(swagger),
+        }
+    }
+}

cherrybomb-oas/src/legacy/schema.rs

@@ -2,13 +2,15 @@ use super::refs::*;
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
 use std::collections::HashMap;
+use std::fmt;
 
-#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 #[serde(untagged)]
 pub enum SchemaStrInt {
     Int(i64),
     Str(String),
     Bool(bool),
+    Float(f64),
 }
 impl Default for SchemaStrInt {
     fn default() -> Self {
@@ -26,6 +28,27 @@ impl Default for AddProps {
         Self::Bool(true)
     }
 }
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(untagged)]
+pub enum SchemaTypes {
+    Str(String),
+    Arr(Vec<String>),
+    Obj(HashMap<String,String>),
+}
+impl SchemaTypes{
+    pub fn as_str(&self)->String{
+        match self{
+            Self::Str(s) => s.to_string(),
+            Self::Arr(v) => v[0].to_string(),
+            Self::Obj(h) => h.get("type").unwrap().to_string(),
+        }
+    }
+}
+impl fmt::Display for SchemaTypes {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "{}", self.as_str())
+    }
+}
 #[derive(Debug, Clone, Serialize, Deserialize, Default, PartialEq)]
 pub struct Schema {
     pub title: Option<String>,
@@ -41,9 +64,9 @@ pub struct Schema {
     pub min_length: Option<i64>,
     //String - STAY AWAY!(regex)
     pub pattern: Option<String>,
-    #[serde(rename = "maxItem")]
+    #[serde(rename = "maxItems")]
     pub max_items: Option<i64>,
-    #[serde(rename = "minItem")]
+    #[serde(rename = "minItems")]
     pub min_items: Option<i64>,
     #[serde(rename = "uniqueItem")]
     pub unique_items: Option<String>,
@@ -57,7 +80,7 @@ pub struct Schema {
     #[serde(rename = "enum")]
     pub schema_enum: Option<Vec<Option<SchemaStrInt>>>,
     #[serde(rename = "type")]
-    pub schema_type: Option<String>,
+    pub schema_type: Option<SchemaTypes>,
     #[serde(rename = "allOf")]
     pub all_of: Option<Vec<SchemaRef>>,
     #[serde(rename = "oneOf")]