OpenAPI Scan for yaml references


Philip Whitby

Mar 2, 2022, 9:20:57 AM
to OWASP ZAP User Group
I am new to this group, so please point me in the direction if this has been previously answered (I have had a search around this group).

I am trying to run an API scan against an OpenAPI v3 service. 

The service contains references to another file, in this case schema.yaml:
$ref: 'schema.yaml#/components

Using the automation capability, it only seems possible to define one file, and attempting this throws the following exception:

Automation plan failures:
        Job openapi target: http://docker.for.mac.localhost:8082/openapi.yaml error: Unable to load RELATIVE ref: ./schema.yaml path: .

Frustratingly, the OpenAPI job adds a number of URLs, but then the plan fails.

Any guidance is much appreciated.

Thanks

Phil

Philip Whitby

Mar 2, 2022, 1:03:28 PM
to OWASP ZAP User Group
I managed to resolve the references using speccy - that seems to have unblocked me here. thanks.

Simon Bennetts

Mar 3, 2022, 5:01:17 AM
to OWASP ZAP User Group
Thanks for letting us know.
Can you tell us what you needed to do in a bit more detail?
That would help other people who hit this problem.

Cheers,

Simon

Philip Whitby

Mar 3, 2022, 6:16:04 AM
to OWASP ZAP User Group
Hi Simon,

The issue was that the API was serving independent files, so there were both an openapi.yaml file and a schema.yaml. Running the following command using npm speccy:

speccy resolve openapi.yml -o openapi_resolved.yml

Resolved to openapi_resolved.yml

combined these into one file. I will work with our API developers to make sure that the file is served from the server in future, so we can reference the URL rather than the file.

After making this change I was able to load the file into Postman, and according to speccy all is correct with the file against the specification.

However, I still am unable to use this file with Zap!

Both using automation, and trying in the client to directly import the file, I get a NullPointerException:

Failed to parse OpenAPI definition.

java.lang.NullPointerException
        at org.zaproxy.zap.extension.openapi.generators.DataGenerator.getDefaultValue(DataGenerator.java:103)
        at org.zaproxy.zap.extension.openapi.generators.DataGenerator.generateValue(DataGenerator.java:170)
        at org.zaproxy.zap.extension.openapi.generators.DataGenerator.generateBodyValue(DataGenerator.java:166)
        at org.zaproxy.zap.extension.openapi.generators.BodyGenerator.generateJsonPrimitiveValue(BodyGenerator.java:200)
        at org.zaproxy.zap.extension.openapi.generators.BodyGenerator.generate(BodyGenerator.java:119)
        at org.zaproxy.zap.extension.openapi.generators.BodyGenerator.generateFromArraySchema(BodyGenerator.java:147)
        at org.zaproxy.zap.extension.openapi.generators.BodyGenerator.generate(BodyGenerator.java:105)
        at org.zaproxy.zap.extension.openapi.generators.BodyGenerator.generate(BodyGenerator.java:94)
        at org.zaproxy.zap.extension.openapi.converter.swagger.RequestModelConverter.generateBody(RequestModelConverter.java:71)
        at org.zaproxy.zap.extension.openapi.converter.swagger.RequestModelConverter.convert(RequestModelConverter.java:47)
        at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.convertToRequest(SwaggerConverter.java:191)
        at org.zaproxy.zap.extension.openapi.converter.swagger.SwaggerConverter.getRequestModels(SwaggerConverter.java:185)
        at org.zaproxy.zap.extension.openapi.ExtensionOpenApi$1.run(ExtensionOpenApi.java:365)
Having looked at the code (and updated to the latest weekly release), I am still hitting this error. It seems as though the schema is not being checked for nulls at this point:

private static String getDefaultValue(Schema<?> schema) {
    if (schema.getDefault() != null) {
        String strValue = schema.getDefault().toString();
        if (!strValue.isEmpty()) {
            return strValue;
        }
    }
<< SNIP >>

maybe there is something further upstream that should check this, but rewriting to:

if (schema != null && schema.getDefault() != null) {

would be safer (it's a decade since I wrote java :)).

Is this something better looked into in a git issue?

Happy to try to work this through. Our yaml file is pretty complex so I haven't dug too deep into this issue,

Cheers
Phil
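
Phil's speccy step above bundles openapi.yaml and schema.yaml into one document, which is also what the "Unable to load RELATIVE ref" failure in the first post needs. The following is an added example, not code from this thread, from ZAP or from speccy, that performs the same cross-file $ref resolution in Python so the transformation is visible and checkable. The two documents are constructed samples written as JSON (for real YAML files pass PyYAML's yaml.safe_load as the loader; JSON is used here so the example has no dependencies), and the file names openapi.json and schema.json, the /api/asset/ path and the schema names are assumptions. The last check, which flags array schemas without items, is a guess drawn from the stack trace (generateFromArraySchema leading to getDefaultValue on a null schema), not a cause the thread confirms.

```python
"""Added example: inline cross-file $ref entries of an OpenAPI document into one file."""
import json
import os
import tempfile

# Constructed sample pair: openapi.json refers into schema.json the way the thread's
# openapi.yaml refers into schema.yaml (one bare ref, one './'-prefixed ref).
OPENAPI_DOC = {
    "openapi": "3.0.3",
    "info": {"title": "Asset API (constructed sample)", "version": "1.0"},
    "paths": {"/api/asset/": {
        "get": {"responses": {"200": {"description": "ok", "content": {"application/json": {
            "schema": {"$ref": "schema.json#/components/schemas/AssetList"}}}}}},
        "post": {"requestBody": {"required": True, "content": {"application/json": {
            "schema": {"$ref": "./schema.json#/components/schemas/Asset"}}}},
                 "responses": {"201": {"description": "created"}}},
    }},
}
SCHEMA_DOC = {"components": {"schemas": {
    "Asset": {"type": "object", "properties": {
        "id": {"type": "string", "default": "a-1"},
        "tags": {"type": "array", "items": {"type": "string"}}}},
    # a ref local to the *external* file: it must resolve against schema.json, not the root
    "AssetList": {"type": "array", "items": {"$ref": "#/components/schemas/Asset"}},
}}}

def json_pointer_get(doc, pointer):
    """Walk an RFC 6901 JSON pointer such as '/components/schemas/Asset' into doc."""
    node = doc
    for raw in pointer.lstrip("/").split("/") if pointer not in ("", "/") else []:
        token = raw.replace("~1", "/").replace("~0", "~")
        node = node[int(token)] if isinstance(node, list) else node[token]
    return node

def resolve_refs(node, current_path, root_path, cache, loader, stack=()):
    """Copy node, inlining every $ref that leaves the root document. Root-local refs stay
    (ZAP resolves those); a chain revisiting the same (file, pointer) is rejected."""
    if isinstance(node, dict) and isinstance(node.get("$ref"), str):
        file_part, _, pointer = node["$ref"].partition("#")
        if "://" in file_part:
            raise ValueError(f"remote $ref not handled by this example: {node['$ref']}")
        if file_part == "" and current_path == root_path:
            return dict(node)
        target_path = current_path if file_part == "" else os.path.normpath(
            os.path.join(os.path.dirname(current_path), file_part))
        key = (target_path, pointer)
        if key in stack:
            raise ValueError(f"recursive $ref cannot be inlined: {key}")
        if target_path not in cache:
            with open(target_path, encoding="utf-8") as fh:
                cache[target_path] = loader(fh.read())
        target = json_pointer_get(cache[target_path], pointer)
        return resolve_refs(target, target_path, root_path, cache, loader, stack + (key,))
    if isinstance(node, dict):
        return {k: resolve_refs(v, current_path, root_path, cache, loader, stack)
                for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(v, current_path, root_path, cache, loader, stack) for v in node]
    return node

def bundle(root_file, loader=json.loads):
    """Load root_file and inline what it pulls from other files (loader=yaml.safe_load for YAML)."""
    root_path = os.path.abspath(root_file)
    with open(root_path, encoding="utf-8") as fh:
        cache = {root_path: loader(fh.read())}
    return resolve_refs(cache[root_path], root_path, root_path, cache, loader)

def _mappings(node, path=""):
    """Yield (json_pointer, mapping) for every mapping in the document."""
    if isinstance(node, dict):
        yield path, node
        for k, v in node.items():
            yield from _mappings(v, f"{path}/{k.replace('~', '~0').replace('/', '~1')}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _mappings(v, f"{path}/{i}")

def find_remaining_refs(doc):
    """After bundling only root-local refs should remain; list any other $ref for review."""
    return [(p, m["$ref"]) for p, m in _mappings(doc)
            if isinstance(m.get("$ref"), str) and not m["$ref"].startswith("#")]

def find_arrays_without_items(doc):
    """Assumption from the stack trace, not confirmed by the thread: an array schema with
    no 'items' is one way a body generator can reach getDefaultValue with a null schema."""
    return [p for p, m in _mappings(doc) if m.get("type") == "array" and "items" not in m]

def demo():
    """Write the constructed pair to a temp dir, bundle it, and return the merged document."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, doc in (("openapi.json", OPENAPI_DOC), ("schema.json", SCHEMA_DOC)):
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                json.dump(doc, fh)
        return bundle(os.path.join(tmp, "openapi.json"))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Root-local refs in the root document are deliberately left in place: ZAP handles those itself, and inlining them would turn a recursive schema into endless recursion. For refs that cross into another file the (file, pointer) stack raises on a cycle instead of looping; a real bundler such as speccy rewrites recursive refs rather than rejecting them, so treat that error as a prompt to restructure the spec, not as a limitation of ZAP.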

Philip Whitby

Mar 3, 2022, 9:14:44 AM
to OWASP ZAP User Group
Further information: by deleting the 'get' and 'patch' operations of one of my endpoints, I have managed to discover the correct number of URLs.
However, I then get a less helpful 'null' output from the active scanner and in the output window of the UI:
Automation plan failures:
        Job openapi target: http://docker.for.mac.localhost:8082/api/asset/ error: null

Simon Bennetts

Mar 3, 2022, 11:57:41 AM
to OWASP ZAP User Group
An NPE is always a bug :)
Please raise an issue with the full stack trace.
If you can supply a minimal OpenAPI spec which causes the NPE then that would be great.
Fixing the NPE should be easy as per your suggestion, but without a test case we would have to wait for you to try it again to see if the fix actually means you can import the definition correctly.

Cheers,

Simon