Accessing the environment variable defined in automation yaml from scripts


4ourth

Jun 26, 2023, 7:51:24 PM
to OWASP ZAP User Group
Hi,
I am trying to access environment variables defined in the automation YAML file.
It works when I refer to them in the same YAML, but how do I access them in my custom scripts? Are the variables defined in the automation vars: section accessible in scripts, and how do I do that?

I have tried
var System = Java.type("java.lang.System");
print(System.getenv("PROJECT_NAME"));
but it's not working.

Just referring to it with ScriptVars.getGlobalVar("PROJECT_NAME") is also not working.

Could you suggest any solution?
Thank you!

psiinon

Jun 27, 2023, 3:52:10 AM
to zaprox...@googlegroups.com
Your first attempt should work:
var System = Java.type("java.lang.System");
print(System.getenv("PROJECT_NAME"));

Global script vars do not access the system env vars.

How are you setting the env vars when you run ZAP?

Cheers,

Simon


--
OWASP ZAP Project leader

4ourth

Jun 27, 2023, 9:22:15 AM
to OWASP ZAP User Group

I am running ZAP in docker and using -e ZAP_PROJECT_NAME="MyNewProject" to set an environment variable. So now I am able to get it by var System = Java.type("java.lang.System") in my script.
But now it's not working in the Automation YAML file.
vars:
  PROJECT_NAME: ${ZAP_PROJECT_NAME}
  REPORT_PATH: "/zap/wrk"
  SCRIPT_PATH: "/zap/wrk"

It's generating as a report name something like zap-report_${ZAP_PROJECT_NAME}__2023-06-27.json
Looks like I can use environment variables in scripts, but not in Automation yaml. And in scripts, I do not have access to environment vars defined in automation yaml. Is it right?

4ourth

Jun 27, 2023, 10:26:49 AM
to OWASP ZAP User Group
OK, so it looks like I can use environment variables directly in the automation YAML, without redeclaring them in the 'vars' section first.
But then there is a question. From the help: "They can be hardcoded, refer to other variables or refer to system environment variables in the same way as above, e.g. ‘${envvar}’."

------- Example from help -------
vars:                              
    myVarOne: CustomConfigVarOne
    myVarTwo: ${myVarOne}.VarTwo
------
but in my example, it's not working.

psiinon

Jun 27, 2023, 10:32:39 AM
to zaprox...@googlegroups.com
Can you share a PoC AF plan?
You can use inline scripts to print out the variables (or not as the case may be)

A simple way to reproduce the problem is what we are looking for :)

Cheers,

Simon

4ourth

Jun 27, 2023, 6:30:32 PM
to OWASP ZAP User Group
Thank you for your advice, Simon. Using inline scripts is really useful. I am generating a report file to understand whether the variable is working or not :))

Here is my AF plan:

---
env:
  contexts:
  - name: "${ZAP_PROJECT_NAME}-${ZAP_PROJECT_COUNTRY}-${ZAP_PROJECT_ENV}"
    urls:
    - "http://invoice.test.com"
    includePaths:
    - "http[s]?://invoice.test.com/.*"
    excludePaths: []
    authentication:
      parameters: {}
      verification:
        method: "response"
        pollFrequency: 60
        pollUnits: "requests"
    sessionManagement:
      method: "cookie"
      parameters: {}
    technology:
      exclude: []
    users:
    - credentials:
        password: "1234"
        username: "admin"
  parameters:
    failOnError: false
    failOnWarning: false
    progressToStdout: true
  vars:
    PROJECT_NAME: ${ZAP_PROJECT_NAME}
    PROJECT_COUNTRY: ${ZAP_PROJECT_COUNTRY}
    PROJECT_ENV: '${ZAP_PROJECT_ENV}'
    REPORT_PATH: "/zap/wrk"
    SCRIPT_PATH: "/zap/wrk"
jobs:
- parameters:
    action: "add"
    type: "standalone"
    engine: "ECMAScript : Oracle Nashorn"
    name: "send_scan_start_teams_notification.js"
    file: "${SCRIPT_PATH}/scripts/send_scan_start_teams_notification.js"
    target: ""
    inline: ""
  name: "script"
  type: "script"
- parameters:
    action: "run"
    type: "standalone"
    engine: ""
    name: "send_scan_start_teams_notification.js"
    target: ""
    inline: ""
  name: "script"
  type: "script"
- parameters:
    action: "add"
    type: "extender"
    engine: "ECMAScript : Oracle Nashorn"
    name: "send_alerts_found_teams_notification.js"
    file: "${SCRIPT_PATH}/scripts/send_alerts_found_teams_notification.js"
    target: ""
    inline: ""
  name: "script"
  type: "script"
- parameters:
    scanOnlyInScope: true
    enableTags: false
    disableAllRules: false
  rules: []
  name: "passiveScan-config"
  type: "passiveScan-config"
- parameters:
    context:
    maxDuration: 0
    maxDepth: 0
    maxChildren: 0
    acceptCookies: false
    handleODataParametersVisited: false
    handleParameters: "IGNORE_COMPLETELY"
    maxParseSizeBytes: 3000000
    parseComments: false
    parseGit: false
    parseRobotsTxt: false
    parseSitemapXml: false
    parseSVNEntries: false
    postForm: false
    processForm: false
    requestWaitTime: 0
    sendRefererHeader: false
    userAgent: ""
  tests:
  - onFail: "INFO"
    statistic: "automation.spider.urls.added"
    site: ""
    operator: ">="
    value: 100
    type: "stats"
    name: "At least 100 URLs found"
  name: "spider"
  type: "spider"
- parameters: {}
  name: "passiveScan-wait"
  type: "passiveScan-wait"
- parameters:
    template: "traditional-json"
    reportDir: "${REPORT_PATH}/reports"
    reportFile: "zap-report_${ZAP_PROJECT_NAME}-${ZAP_PROJECT_COUNTRY}-${ZAP_PROJECT_ENV}__{{yyyy-MM-dd}}"
    reportTitle: "${ZAP_PROJECT_NAME}-${ZAP_PROJECT_COUNTRY}-${ZAP_PROJECT_ENV} - ZAP Scanning Report"
    reportDescription: ""
    displayReport: false
  risks:
  - "low"
  - "medium"
  - "high"
  confidences:
  - "low"
  - "medium"
  - "high"
  - "confirmed"
  name: "report"
  type: "report"


When I use PROJECT_NAME from the [vars] section in the [reportFile] field, it puts exactly the "${ZAP_PROJECT_NAME}" value, not the value of the environment variable defined with the -e parameter. However, when I use the ${ZAP_PROJECT_NAME} environment variable directly, it works.

4ourth

Jun 27, 2023, 6:42:55 PM
to OWASP ZAP User Group
Actually, you gave me an idea! I can define variables in the AF plan [vars] field, then use an inline script to set a global variable (with ScriptVars.setGlobalVar()), and then get and use it in other scripts with the ScriptVars.getGlobalVar() function.
The idea is to define only an AF plan for each environment and project, and then run the same ZAP scan command and the same scripts, only replacing the AF plan file. This way the scripts will be able to get variables from the AF plan and use them, for example, to send notifications about which project is being scanned now.

4ourth

Jun 28, 2023, 6:57:17 AM
to OWASP ZAP User Group
I have tried, but it's also not working as expected. It looks like the script can't access the variable declared in the [vars] section.

<-- SNIP -->
vars:
  PROJECT_NAME: ${ZAP_PROJECT_NAME}
  REPORT_PATH: "/zap/wrk"
  SCRIPT_PATH: "/zap/wrk"
jobs:
- parameters:
    action: "add"
    type: "standalone"
    engine: "ECMAScript : Graal.js"
    name: "inline-print-scan-info"
    inline: |
      print("====================> This is a simple example")
      print(${REPORT_PATH})
  name: "script"
  type: "script"
- parameters:
    action: "run"
    type: "standalone"
    name: "inline-print-scan-info"
  name: "script"
  type: "script"

And the result in the console:

Job script started

Job: script Start action: run

org.graalvm.polyglot.PolyglotException: SyntaxError: inline-print-scan-info:2:7 Expected , but found {

print(${REPORT_PATH})

       ^

inline-print-scan-info:2:20 Expected ; but found )

print(${REPORT_PATH})

                    ^

psiinon

Jun 28, 2023, 8:23:28 AM
to zaprox...@googlegroups.com
The ${VAR} format only works in yaml parameters, not in scripts.
If you want to use a param in a script the best option is to use an env var, e.g.:

---
env:
  contexts:
  - name: "Default Context"
    urls:
    - "https://example.com/"

jobs:
- parameters:
    action: "add"
    type: "standalone"
    engine: "ECMAScript : Graal.js"
    name: "print-env-vars.js"
    inline: "print(Java.type(\"java.lang.System\").getenv(\"PATH\"));"

  name: "script"
  type: "script"
- parameters:
    action: "run"
    type: "standalone"
    name: "print-env-vars.js"
  name: "script"
  type: "script"

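As an added example (not code from the thread or from the ZAP project), here is a standalone-script helper that follows the suggestion above: it reads the three ZAP_PROJECT_* variables used in the plan earlier in the thread from the process environment, fails loudly when one is unset instead of letting a literal "${ZAP_PROJECT_NAME}" leak into a report name, and builds the same report file name the plan derives with placeholders. The lookup is passed in as a function so the logic can be checked outside ZAP; inside ZAP (Nashorn or Graal.js) it uses Java.type("java.lang.System").getenv exactly as in the reply. The function names and the character whitelist are assumptions of this example.

```javascript
// Added example, not the thread's or ZAP's own code: read scan settings from
// environment variables inside a ZAP standalone script. Names are illustrative.

// Variables the scan needs; each must be set, e.g. via `docker run -e NAME=value`.
var REQUIRED_VARS = ["ZAP_PROJECT_NAME", "ZAP_PROJECT_COUNTRY", "ZAP_PROJECT_ENV"];

// Returns a lookup function. Inside ZAP the `Java` global exists and we read
// java.lang.System.getenv; outside ZAP a plain object stands in for the environment
// (constructed input, used for the offline check).
function envLookup(fallbackMap) {
  if (typeof Java !== "undefined") {
    var System = Java.type("java.lang.System");
    return function (name) { return System.getenv(name); };
  }
  return function (name) {
    return Object.prototype.hasOwnProperty.call(fallbackMap, name) ? fallbackMap[name] : null;
  };
}

// Read only the named variables (never dump the whole environment: the container
// may carry credentials). Unset or empty values abort the script with a clear
// message rather than producing a report named "zap-report_${ZAP_PROJECT_NAME}...".
function readScanSettings(getenv) {
  var settings = {};
  var missing = [];
  for (var i = 0; i < REQUIRED_VARS.length; i++) {
    var name = REQUIRED_VARS[i];
    var value = getenv(name);
    if (value === null || value === undefined || String(value).trim() === "") {
      missing.push(name);
    } else {
      settings[name] = String(value).trim();
    }
  }
  if (missing.length > 0) {
    throw new Error("Missing required environment variable(s): " + missing.join(", "));
  }
  return settings;
}

// Same file name the plan builds from ${ZAP_PROJECT_*} placeholders, with the
// values restricted to a safe character set so a stray "../" or shell
// metacharacter from the environment cannot end up in a path under /zap/wrk.
function reportFileName(settings, isoDate) {
  var safe = /^[A-Za-z0-9._-]+$/;
  var parts = [settings.ZAP_PROJECT_NAME, settings.ZAP_PROJECT_COUNTRY, settings.ZAP_PROJECT_ENV];
  for (var i = 0; i < parts.length; i++) {
    if (!safe.test(parts[i])) {
      throw new Error("Unsafe characters in setting value: " + parts[i]);
    }
  }
  return "zap-report_" + parts.join("-") + "__" + isoDate + ".json";
}

// Entry point when ZAP runs the script (`print` is the ZAP script-console output).
function main() {
  var settings = readScanSettings(envLookup({}));
  var today = new Date().toISOString().slice(0, 10);
  print("Scanning " + settings.ZAP_PROJECT_NAME + " (" + settings.ZAP_PROJECT_COUNTRY +
        "/" + settings.ZAP_PROJECT_ENV + "), report: " + reportFileName(settings, today));
}

if (typeof Java !== "undefined") {
  main();
}
```

Loaded with a "script" job (action: "add", type: "standalone") and then run, the script prints which project is being scanned; the same three variables can be referenced as ${ZAP_PROJECT_NAME} and friends in the YAML, so the plan and the scripts share one source of configuration.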

4ourth

Jun 29, 2023, 5:12:18 AM
to OWASP ZAP User Group
Thank you very much, Simon.
Yes, with the environment variables it's working well. As I understand, variables declared in AF plan are not available from scripts. 

psiinon

Jun 29, 2023, 6:50:54 AM
to zaprox...@googlegroups.com
They are available, depending on the scripting language.
Unfortunately Graal.js doesn't support them due to the way its class loaders work.
We're actively looking into solutions to this, but for now using env vars in scripts is probably the easiest option.

Cheers,

Simon


4ourth

Jul 4, 2023, 10:22:03 AM
to OWASP ZAP User Group
Thank you, Simon

Will wait for updates. I have already implemented it on the env var level:)
