EAS-2582 : Map Scopes to OAuth

Author: gersbach

README.md

@@ -21,6 +21,8 @@ Arguments:
     -f, --function <FUNCTION>         A specific function to scan. Must be an entrypoint specified in `manifest.yml`
     -h, --help                        Print help information
     -V, --version                     Print version information
+    --check-permissions               Runs the permission checker
+    --graphql-schema-path <LOCATION>  Uses the graphql schema in location; othwerwise selects ~/.config dir  
 ```
 
 ## Installation
@@ -64,6 +66,12 @@ until then you can test `fsrt` by manually invoking:
 fsrt ./test-apps/jira-damn-vulnerable-forge-app
 ```
 
+Testing with a GraphQl Schema:
+
+```sh
+cargo test --features graphql_schema
+```
+
 ## Contributions
 
 Contributions to FSRT are welcome! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for details.

crates/fsrt/Cargo.toml

@@ -8,6 +8,9 @@ license.workspace = true
 [lints]
 workspace = true
 
+[features]
+graphql_schema = []
+
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]

crates/fsrt/src/main.rs

@@ -20,7 +20,7 @@ use std::{
 
 use graphql_parser::{
     query::{Mutation, Query, SelectionSet},
-    schema::ObjectType,
+    schema::{EnumType, EnumValue, ObjectType},
 };
 
 use graphql_parser::{
@@ -118,7 +118,7 @@ impl fmt::Display for Error {
 }
 
 struct PermissionsAndNextSelection<'a, 'b> {
-    permission_vec: Vec<String>,
+    permission_vec: Vec<&'a str>,
     next_selection: NextSelection<'a, 'b>,
 }
 
@@ -130,7 +130,7 @@ struct NextSelection<'a, 'b> {
 fn parse_grapqhql_schema<'a: 'b, 'b>(
     schema_doc: &'a [graphql_parser::schema::Definition<'a, &'a str>],
     query_doc: &'b [graphql_parser::query::Definition<'b, &'b str>],
-) -> Vec<String> {
+) -> Vec<&'a str> {
     let mut permission_list = vec![];
 
     // dequeue of (parsed_query_selection: SelectionSet, schema_type_field: Field)
@@ -272,7 +272,7 @@ fn get_type_or_typex_with_name<'a, 'b>(
         .flatten()
 }
 
-fn get_field_directives<'a>(field: &'a graphql_parser::schema::Field<'_, &'a str>) -> Vec<String> {
+fn get_field_directives<'a>(field: &'a graphql_parser::schema::Field<'_, &'a str>) -> Vec<&'a str> {
     let mut perm_vec = vec![];
     field.directives.iter().for_each(|directive| {
         if directive.name == "scopes" {
@@ -281,7 +281,7 @@ fn get_field_directives<'a>(field: &'a graphql_parser::schema::Field<'_, &'a str
                     if let query::Value::List(val) = &arg.1 {
                         val.iter().for_each(|val| {
                             if let query::Value::Enum(en) = val {
-                                perm_vec.push(en.to_string());
+                                perm_vec.push(*en);
                             }
                         });
                     }
@@ -295,7 +295,7 @@ fn get_field_directives<'a>(field: &'a graphql_parser::schema::Field<'_, &'a str
 fn check_graphql_and_perms<'a>(
     val: &'a Value,
     path: &'a graphql_parser::schema::Document<'a, &'a str>,
-) -> Vec<String> {
+) -> Vec<&'a str> {
     let mut operations = vec![];
 
     match val {
@@ -618,6 +618,40 @@ pub(crate) fn scan_directory<'a>(
         &mut path.to_owned()
     };
 
+    let mut scope_path = path.clone();
+
+    scope_path.push("schema/shared/agg-shared-scopes.nadel");
+
+    let scope_map = fs::read_to_string(&scope_path).unwrap_or_default();
+
+    let ast = parse_schema::<&str>(&scope_map).unwrap_or_default();
+
+    let mut scope_name_to_oauth = HashMap::new();
+
+    ast.definitions.iter().for_each(|val| {
+        if let graphql_parser::schema::Definition::TypeDefinition(TypeDefinition::Enum(
+            EnumType { values, .. },
+        )) = val
+        {
+            values.iter().for_each(
+                |EnumValue {
+                     directives, name, ..
+                 }| {
+                    if let Some(directive) = directives.first() {
+                        if let graphql_parser::schema::Value::String(oauth_scope) = &directive
+                            .arguments
+                            .first()
+                            .expect("Should only be one directive")
+                            .1
+                        {
+                            scope_name_to_oauth.insert(name, oauth_scope);
+                        }
+                    }
+                },
+            )
+        }
+    });
+
     path.push("schema/*/*.nadel");
 
     let joined_schema = glob(path.to_str().unwrap_or_default())
@@ -629,21 +663,21 @@ pub(crate) fn scan_directory<'a>(
     let ast = parse_schema::<&str>(&joined_schema);
 
     if let std::result::Result::Ok(doc) = ast {
-        let mut used_graphql_perms: Vec<String> = definition_analysis_interp
+        let mut used_graphql_perms: Vec<&str> = definition_analysis_interp
             .value_manager
             .varid_to_value_with_proj
             .values()
             .flat_map(|val| check_graphql_and_perms(val, &doc))
             .collect();
 
-        let graphql_perms_varid: Vec<String> = definition_analysis_interp
+        let graphql_perms_varid: Vec<&str> = definition_analysis_interp
             .value_manager
             .varid_to_value
             .values()
             .flat_map(|val| check_graphql_and_perms(val, &doc))
             .collect();
 
-        let graphql_perms_defid: Vec<String> = definition_analysis_interp
+        let graphql_perms_defid: Vec<&str> = definition_analysis_interp
             .value_manager
             .defid_to_value
             .values()
@@ -653,10 +687,21 @@ pub(crate) fn scan_directory<'a>(
         used_graphql_perms.extend_from_slice(&graphql_perms_defid);
         used_graphql_perms.extend_from_slice(&graphql_perms_varid);
 
-        let final_perms: Vec<&String> = perm_interp
+        let oauth_scopes: HashSet<&&String> = used_graphql_perms
+            .iter()
+            .filter_map(|val| {
+                if !scope_name_to_oauth.contains_key(&val) {
+                    warn!("Scope is not contained in the scope definitions")
+                }
+
+                scope_name_to_oauth.get(&val)
+            })
+            .collect();
+
+        let final_perms: HashSet<&String> = perm_interp
             .permissions
             .iter()
-            .filter(|f| !used_graphql_perms.contains(&**f))
+            .filter(|f| !oauth_scopes.contains(&f))
             .collect();
 
         if run_permission_checker && !final_perms.is_empty() {

crates/fsrt/src/test.rs

@@ -17,6 +17,7 @@ trait ReportExt {
 
     fn contains_secret_vuln(&self, expected_len: usize) -> bool;
 
+    #[cfg(feature = "graphql_schema")]
     fn contains_perm_vuln(&self, expected_len: usize) -> bool;
 
     fn contains_vulns(&self, expected_len: i32) -> bool;
@@ -48,6 +49,7 @@ impl ReportExt for Report {
             == expected_len
     }
 
+    #[cfg(feature = "graphql_schema")]
     #[inline]
     fn contains_perm_vuln(&self, expected_len: usize) -> bool {
         self.into_vulns()
@@ -336,7 +338,6 @@ fn secret_vuln_object() {
     );
 
     let scan_result = scan_directory_test(test_forge_project);
-    println!("scan_result {scan_result:?}");
     assert!(scan_result.contains_secret_vuln(1));
     assert!(scan_result.contains_vulns(1))
 }
@@ -635,13 +636,12 @@ fn basic_authz_vuln() {
     );
 
     let scan_result = scan_directory_test(test_forge_project);
-    println!("vuln, {:#?}", scan_result);
     assert!(scan_result.contains_authz_vuln(1));
     assert!(scan_result.contains_vulns(1));
 }
 
+#[cfg(feature = "graphql_schema")]
 #[test]
-#[ignore]
 fn excess_scope() {
     let mut test_forge_project = MockForgeProject::files_from_string(
         "// src/index.tsx
@@ -663,13 +663,13 @@ fn excess_scope() {
         .push("read:component:compass".into());
 
     let scan_result = scan_directory_test(test_forge_project);
-    println!("scan_result {:#?}", scan_result);
     assert!(scan_result.contains_perm_vuln(1));
     assert!(scan_result.contains_vulns(1))
 }
 
+#[cfg(feature = "graphql_schema")]
 #[test]
-fn correct_scopes() {
+fn graphql_correct_scopes() {
     let mut test_forge_project = MockForgeProject::files_from_string(
         "// src/index.tsx
         import ForgeUI, { render, Macro } from '@forge/ui';
@@ -706,16 +706,15 @@ fn correct_scopes() {
         .test_manifest
         .permissions
         .scopes
-        .push("read:component:compass".into());
+        .push("compass:atlassian-external".into());
 
     let scan_result = scan_directory_test(test_forge_project);
-    println!("scan_result {:#?}", scan_result);
     assert!(scan_result.contains_vulns(0))
 }
 
+#[cfg(feature = "graphql_schema")]
 #[test]
-#[ignore]
-fn excess_scope_with_fragments() {
+fn graphql_excess_scope_with_fragments() {
     let mut test_forge_project = MockForgeProject::files_from_string(
         "// src/index.tsx
         import ForgeUI, { render, Macro } from '@forge/ui';
@@ -740,13 +739,13 @@ fn excess_scope_with_fragments() {
         .push("read:component:compass".into());
 
     let scan_result = scan_directory_test(test_forge_project);
-    println!("scan_result {:#?}", scan_result);
     assert!(scan_result.contains_perm_vuln(1));
     assert!(scan_result.contains_vulns(1))
 }
 
+#[cfg(feature = "graphql_schema")]
 #[test]
-fn correct_scopes_with_fragment() {
+fn graphql_correct_scopes_with_fragment() {
     let mut test_forge_project = MockForgeProject::files_from_string(
         "// src/index.tsx
         import ForgeUI, { render, Macro } from '@forge/ui';
@@ -769,10 +768,9 @@ fn correct_scopes_with_fragment() {
         .test_manifest
         .permissions
         .scopes
-        .push("read:component:compass".into());
+        .push("compass:atlassian-external".into());
 
     let scan_result = scan_directory_test(test_forge_project);
-    println!("scan_result {:#?}", scan_result);
     assert!(scan_result.contains_vulns(0))
 }
 
@@ -887,6 +885,5 @@ fn authz_function_called_in_object_bitbucket() {
     );
 
     let scan_result = scan_directory_test(test_forge_project);
-    println!("scan_result {:#?}", scan_result);
     assert!(scan_result.contains_vulns(1))
 }