fluidasserts.utils.generic module

Asserts generic meta-method.

class fluidasserts.utils.generic.FluidAsserts(*, risk, kind, message)

Bases: object

Generic context manager to assert security assumptions.

Examples
  • Static Application Security Testing (SAST) check

    from fluidasserts import SAST, HIGH
    from fluidasserts.utils.generic import FluidAsserts
    
    with FluidAsserts(risk=HIGH,
                      kind=SAST,
                      message='This is a custom test!') as creator:
    
        # lines 4 and 8 are vulnerable
        creator.set_open(where='Repo/Folder/File.py',
                         specific=[4, 8])
    
        # lines 7 and 23 are ok
        creator.set_closed(where='Repo/Folder/File.py',
                           specific=[7, 23])
    

    Once you run your exploit with Asserts you’ll get:

    status: OPEN
    message: This is a custom test!
    vulnerabilities:
    - where: Repo/Folder/File.py
      specific: 4, 8
    secure-units:
    - where: Repo/Folder/File.py
      specific: 7, 23
    parameters:
      risk: high
      kind: SAST
      message: This is a custom test!
    vulnerable_incidences: 2
    when: 2020-06-18T23:47:37+0000
    
  • Dynamic Application Security Testing (DAST) check

    from fluidasserts import DAST, MEDIUM
    from fluidasserts.utils.generic import FluidAsserts
    
    with FluidAsserts(risk=MEDIUM,
                      kind=DAST,
                      message='This is a custom test!') as creator:
    
        creator.set_open(where='https://fluidattacks.com/integrates',
                         specific=['HTTP/Header/X-Frame-Options is missing'])
    
        creator.set_closed(where='https://fluidattacks.com/web',
                           specific=['HTTP/Header/X-Frame-Options is set'])
    

    Once you run your exploit with Asserts you’ll get:

    status: OPEN
    message: This is a custom test!
    vulnerabilities:
    - where: https://fluidattacks.com/integrates
      specific: HTTP/Header/X-Frame-Options is missing
    secure-units:
    - where: https://fluidattacks.com/web
      specific: HTTP/Header/X-Frame-Options is set
    parameters:
      risk: medium
      kind: DAST
      message: This is a custom test!
    vulnerable_incidences: 1
    when: 2020-06-18T23:47:35+0000
    
  • Errors inside the exploit automatically mark the check as UNKNOWN:

    from fluidasserts import DAST, LOW
    from fluidasserts.utils.generic import FluidAsserts
    
    with FluidAsserts(risk=LOW,
                      kind=DAST,
                      message='This will fail :( but gracefully :)') as creator:
    
        raise Exception('There is no Internet Connection!')
    

    Once you run your exploit with Asserts you’ll get:

    status: UNKNOWN
    message: 'An error occurred: There is no Internet Connection!'
    parameters:
      risk: low
      kind: DAST
      message: This will fail :( but gracefully :)
    vulnerable_incidences: 0
    when: 2020-06-18T23:47:36+0000
    

Just in case you need it, the resultant fluidasserts.Result object can be accessed at:

creator.result

Initialize the parameters for the context manager.

set_closed(*, where, specific)

Add a cardinality with status CLOSED.

Parameters
  • where (str) – Location of the cardinality: a file path for Static (SAST) checks, a URL or host:port for Dynamic (DAST) checks.

  • specific (typing.List[typing.Union[int, str]]) – The line numbers (SAST) or input fields (DAST) that were checked and found secure; they are reported under secure-units.

set_open(*, where, specific)

Add a cardinality with status OPEN.

Parameters
  • where (str) – Location of the cardinality: a file path for Static (SAST) checks, a URL or host:port for Dynamic (DAST) checks.

  • specific (typing.List[typing.Union[int, str]]) – The vulnerable line numbers (SAST) or vulnerable input fields (DAST); they are reported under vulnerabilities and each item counts towards vulnerable_incidences.

fluidasserts.utils.generic.add_finding(finding)

Print finding as part of the Asserts output.

Parameters

finding (str) – Current project context.

Return type

bool

fluidasserts.utils.generic.check_function(func, *args, metadata=None, **kwargs)

Run arbitrary code and return results in Asserts format.

This is useful for verifying very specific scenarios.

Parameters
  • func (typing.Callable) – Callable that returns True if the vulnerability is found open, or False (or any Python null value) if it is found closed.

  • *args – Positional parameters that will be passed to func.

  • **kwargs – Keyword parameters that will be passed to func.

Return type

bool
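The scan below is an added example of the custom-check pattern that the FluidAsserts examples above and check_function describe; it is written for this page and is not code from fluidasserts. It parses a Python file with the standard ast module, reports every subprocess call that passes the literal shell=True as an open unit (the classic command-injection sink) and every other subprocess call as a closed unit, and exposes a boolean predicate, has_shell_true, in the shape check_function expects (True means open). The Recorder class, the sample module and its line numbers are constructed for the example; the real FluidAsserts object is only used in the __main__ block when the library is installed, and the Recorder's status rule (OPEN when any open unit exists, otherwise CLOSED) is an assumption about the library's behaviour, not taken from its source.

```python
"""Custom SAST check: flag subprocess calls that use shell=True."""
import ast
import tempfile
from pathlib import Path
from typing import List, Tuple

# Functions of the subprocess module that accept shell=True.
SUBPROCESS_FUNCS = {'run', 'call', 'check_call', 'check_output', 'Popen'}

# Constructed sample module; the line numbers are what the check reports.
SAMPLE_SOURCE = "\n".join([
    "import subprocess",                                             # 1
    "",                                                              # 2
    "def run(cmd):",                                                 # 3
    "    return subprocess.call(cmd, shell=True)",                   # 4  open
    "",                                                              # 5
    "def list_dir(name):",                                           # 6
    "    return subprocess.check_output('ls ' + name, shell=True)",  # 7  open
    "",                                                              # 8
    "def run_safe(argv):",                                           # 9
    "    return subprocess.run(argv, check=True)",                   # 10 closed
    "",                                                              # 11
    "def popen_safe(argv):",                                         # 12
    "    return subprocess.Popen(argv, shell=False)",                # 13 closed
]) + "\n"


def _is_subprocess_call(node: ast.Call) -> bool:
    """True for calls spelled subprocess.<func>(...); aliases are not tracked."""
    func = node.func
    return (isinstance(func, ast.Attribute)
            and func.attr in SUBPROCESS_FUNCS
            and isinstance(func.value, ast.Name)
            and func.value.id == 'subprocess')


def shell_true_calls(source: str) -> Tuple[List[int], List[int]]:
    """Return (vulnerable_lines, safe_lines) for subprocess calls in source.

    A call is vulnerable when it passes the literal shell=True; any other
    subprocess call (no shell kwarg, or shell=False) counts as a secure unit.
    """
    vulnerable, safe = [], []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_subprocess_call(node)):
            continue
        shell = any(kw.arg == 'shell'
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True
                    for kw in node.keywords)
        (vulnerable if shell else safe).append(node.lineno)
    return sorted(vulnerable), sorted(safe)


def report(creator, where: str) -> Tuple[List[int], List[int]]:
    """Feed the scan of file `where` into a creator via set_open/set_closed.

    `creator` only needs the two documented methods, so it can be the real
    FluidAsserts context object or the Recorder stand-in below.
    """
    vulnerable, safe = shell_true_calls(Path(where).read_text())
    if vulnerable:
        creator.set_open(where=where, specific=vulnerable)
    if safe:
        creator.set_closed(where=where, specific=safe)
    return vulnerable, safe


def has_shell_true(where: str) -> bool:
    """Predicate in the shape check_function expects: True means OPEN."""
    return bool(shell_true_calls(Path(where).read_text())[0])


class Recorder:
    """Stand-in for the creator object so the example runs without the library.

    Status rule (OPEN if any open unit, else CLOSED) and the incidence count
    (sum of specific items over open units) are assumptions modelled on the
    documented output, not the library's own code.
    """

    def __init__(self) -> None:
        self.opened: List[Tuple[str, list]] = []
        self.closed: List[Tuple[str, list]] = []

    def set_open(self, *, where: str, specific: list) -> None:
        self.opened.append((where, list(specific)))

    def set_closed(self, *, where: str, specific: list) -> None:
        self.closed.append((where, list(specific)))

    def status(self) -> str:
        return 'OPEN' if self.opened else 'CLOSED'

    def vulnerable_incidences(self) -> int:
        return sum(len(specific) for _, specific in self.opened)


def demo() -> Recorder:
    """Write the constructed sample to a temp file and scan it via a Recorder."""
    with tempfile.TemporaryDirectory() as tmp:
        where = str(Path(tmp) / 'File.py')
        Path(where).write_text(SAMPLE_SOURCE)
        recorder = Recorder()
        report(recorder, where)
    return recorder


if __name__ == '__main__':
    rec = demo()
    print(rec.status(), rec.vulnerable_incidences(), rec.opened, rec.closed)
    try:  # The same scan through the real library, when it is installed.
        from fluidasserts import SAST, HIGH
        from fluidasserts.utils.generic import FluidAsserts
    except ImportError:
        pass
    else:
        with tempfile.TemporaryDirectory() as tmp:
            where = str(Path(tmp) / 'File.py')
            Path(where).write_text(SAMPLE_SOURCE)
            with FluidAsserts(risk=HIGH, kind=SAST,
                              message='subprocess call with shell=True') as creator:
                report(creator, where)
```

The scan is deliberately syntactic: it only recognises calls spelled subprocess.<name>(...) and only the literal shell=True, so `from subprocess import run` or `shell=flag` will be missed; that is the usual trade-off for a cheap AST check and worth stating in the check's message.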

fluidasserts.utils.generic.get_dir_paths(path, exclude=())

Return a tuple of full paths to files recursively from path.

Return type

tuple

fluidasserts.utils.generic.get_paths(path, exclude=(), endswith=())

Return a tuple of full paths to files recursively from path.

Return type

tuple

fluidasserts.utils.generic.get_sha256(path)

Get SHA256 digest of a file or a directory.

Parameters

path (str) – Path to the file or directory to digest.

Return type

str
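As an added example, not the library's own implementation, the block below shows what the get_paths and get_sha256 contracts above amount to when you pin a source tree before testing it: a recursive, sorted file listing with exclude/endswith filters, and a digest that works for a single file or for a whole directory. The directory digest (sorted relative paths plus per-file digests), the fragment-matching semantics of `exclude`, and the sample tree built by build_sample_tree are all assumptions made for this example; fluidasserts may compute its directory digest differently.

```python
"""Stand-in implementations of the get_paths / get_sha256 contracts."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Tuple


def select_paths(path: str, exclude: Tuple[str, ...] = (),
                 endswith: Tuple[str, ...] = ()) -> Tuple[str, ...]:
    """Recursively list files under `path`, in a deterministic order.

    A file is skipped when any `exclude` fragment occurs in its full path
    (assumed semantics) and, when `endswith` is given, unless its name ends
    with one of those suffixes.
    """
    selected = []
    for root, dirs, files in os.walk(path):
        dirs.sort()  # os.walk honours in-place edits: fixes traversal order
        for name in sorted(files):
            full = os.path.join(root, name)
            if any(fragment in full for fragment in exclude):
                continue
            if endswith and not full.endswith(tuple(endswith)):
                continue
            selected.append(full)
    return tuple(selected)


def sha256_of(path: str) -> str:
    """SHA256 of a file, or of a directory tree.

    For a directory the digest covers the sorted relative path and the digest
    of every file (assumed layout), so two trees with the same files in the
    same places agree even when they sit at different absolute paths.
    """
    digest = hashlib.sha256()
    if os.path.isfile(path):
        with open(path, 'rb') as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b''):
                digest.update(chunk)
        return digest.hexdigest()
    for full in select_paths(path):
        rel = os.path.relpath(full, path).replace(os.sep, '/')
        digest.update(rel.encode() + b'\0')               # path, NUL-terminated
        digest.update(sha256_of(full).encode() + b'\n')    # per-file digest
    return digest.hexdigest()


def build_sample_tree(root: str) -> None:
    """Constructed fixture: a tiny repo with a .git directory to ignore."""
    for rel, data in {
        'src/app.py': b"print('hello')\n",
        'src/util.py': b"X = 1\n",
        'README.md': b"# demo\n",
        '.git/HEAD': b"ref: refs/heads/main\n",
    }.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Pin a tree, check the digest is location-independent, then tamper."""
    with tempfile.TemporaryDirectory() as tmp, \
            tempfile.TemporaryDirectory() as other:
        build_sample_tree(tmp)
        build_sample_tree(other)
        py_files = select_paths(tmp, exclude=('.git',), endswith=('.py',))
        before = sha256_of(tmp)
        same_tree = sha256_of(other)
        (Path(tmp) / 'src' / 'app.py').write_bytes(b"print('tampered')\n")
        after = sha256_of(tmp)
        rel_py = tuple(os.path.relpath(p, tmp).replace(os.sep, '/')
                       for p in py_files)
    return {'py_files': rel_py, 'before': before,
            'same_tree': same_tree, 'after': after}


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

Sorting both the directory list and the file list is what makes the digest reproducible across filesystems; without it, os.walk order depends on the directory implementation and the same tree can hash differently on two machines.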