diff --git a/checkov/openapi/checks/resource/generic/ClearTextAPIKey.py b/checkov/openapi/checks/resource/generic/ClearTextAPIKey.py
index 68d93ac9650..f033c00c398 100644
--- a/checkov/openapi/checks/resource/generic/ClearTextAPIKey.py
+++ b/checkov/openapi/checks/resource/generic/ClearTextAPIKey.py
@@ -19,12 +19,13 @@ def __init__(self) -> None:
 def scan_entity_conf(self, conf: dict[str, Any], entity_type: str) -> tuple[CheckResult, dict[str, Any]]: # type:ignore[override] # return type is different than the base class
 schemes = conf.get("schemes")
 if schemes and isinstance(schemes, list):
- if "http" not in schemes and "wp" not in schemes:
+ if "http" not in schemes and "ws" not in schemes:
 return CheckResult.PASSED, conf
 servers = conf.get("servers")
 if servers and isinstance(servers, list):
- if not any(server['url'].startswith('http://') for server in servers):
+ if not any(server['url'].startswith('http://') for server in servers) and \
+ not any(server['url'].startswith('ws://') for server in servers):
 return CheckResult.PASSED, conf
 components = conf.get("components")
diff --git a/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/fail5.json b/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/fail5.json
new file mode 100644
index 00000000000..7b777b2a2ed
--- /dev/null
+++ b/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/fail5.json
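Review bot: The new `ws://` branch keeps the scheme comparison case-sensitive, so a server entry such as `HTTP://host` or `WS://host` (URL schemes are case-insensitive per RFC 3986) still lets the check return PASSED, and the two-line `and \` form also walks the server list twice. Both are addressed by collapsing the condition into one pass with a tuple prefix: `if not any(server.get('url', '').lower().startswith(('http://', 'ws://')) for server in servers):` — the `.get` additionally keeps a malformed server object without `url` from raising KeyError out of the check instead of yielding a result (this assumes each entry is a dict, which the existing `server['url']` indexing already assumes). A templated URL like `{scheme}://host` or a relative `url` is not classified either way here, which is worth stating in a comment on that line. scan_entity_conf continues past the end of the hunk.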
@@ -0,0 +1,56 @@
+{
+ "openapi": "3.0.0",
+ "info": {
+ "title": "Simple API overview",
+ "version": "1.0.0"
+ },
+ "servers": [
+ {
+ "url": "wss://localhost:8000",
+ "description": "Local server"
+ },
+ {
+ "url": "ws://example.com",
+ "description": "Example"
+ }
+ ],
+ "paths": {
+ "/pets": {
+ "post": {
+ "description": "Creates a new pet in the store",
+ "responses": {
+ "200": {
+ "description": "200 response"
+ }
+ },
+ "operationId": "addPet",
+ "security": [
+ {
+ "apiKey1": [],
+ "apiKey2": [],
+ "apiKey3": []
+ }
+ ]
+ }
+ }
+ },
+ "components": {
+ "securitySchemes": {
+ "apiKey1": {
+ "type": "apiKey",
+ "name": "X-API-Key",
+ "in": "header"
+ },
+ "apiKey2": {
+ "type": "apiKey",
+ "name": "X-API-Key",
+ "in": "cookie"
+ },
+ "apiKey3": {
+ "type": "apiKey",
+ "name": "X-API-Key",
+ "in": "query"
+ }
+ }
+ }
+}
diff --git a/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/fail5.yaml b/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/fail5.yaml
new file mode 100644
index 00000000000..1243bd8988a
--- /dev/null
+++ b/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/fail5.yaml
@@ -0,0 +1,35 @@
+openapi: 3.0.0
+info:
+ title: Simple API overview
+ version: 1.0.0
+servers:
+ - url: wss://localhost:8000
+ description: Local server
+ - url: ws://example.com
+ description: example
+paths:
+ /pets:
+ post:
+ description: Creates a new pet in the store
+ responses:
+ '200':
+ description: 200 response
+ operationId: addPet
+ security:
+ - apiKey1: []
+ apiKey2: []
+ apiKey3: []
+components:
+ securitySchemes:
+ apiKey1:
+ type: apiKey
+ name: X-API-Key
+ in: header
+ apiKey2:
+ type: apiKey
+ name: X-API-Key
+ in: cookie
+ apiKey3:
+ type: apiKey
+ name: X-API-Key
+ in: query
diff --git a/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/pass5.json b/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/pass5.json
new file mode 100644
index 00000000000..aaf0919d252
--- /dev/null
+++ b/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/pass5.json
@@ -0,0 +1,41 @@
+{
+ "swagger": "2.0",
+ "info": {
+ "title": "Simple API overview",
+ "version": "1.0.0"
+ },
+ "schemes": [
+ "wss"
+ ],
+ "paths": {
+ "/pets": {
+ "post": {
+ "description": "Creates a new pet in the store",
+ "responses": {
+ "200": {
+ "description": "200 response"
+ }
+ },
+ "operationId": "addPet",
+ "security": [
+ {
+ "apiKey1": [],
+ "apiKey3": []
+ }
+ ]
+ }
+ }
+ },
+ "securityDefinitions": {
+ "apiKey1": {
+ "type": "apiKey",
+ "name": "X-API-Key",
+ "in": "header"
+ },
+ "apiKey3": {
+ "type": "apiKey",
+ "name": "X-API-Key",
+ "in": "query"
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/pass5.yaml b/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/pass5.yaml
new file mode 100644
index 00000000000..c97ca16ff9d
--- /dev/null
+++ b/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/pass5.yaml
@@ -0,0 +1,26 @@
+swagger: "2.0"
+info:
+ title: Simple API overview
+ version: 1.0.0
+schemes:
+ - wss
+paths:
+ /pets:
+ post:
+ description: Creates a new pet in the store
+ responses:
+ "200":
+ description: 200 response
+ operationId: addPet
+ security:
+ - apiKey1: []
+ apiKey3: []
+securityDefinitions:
+ apiKey1:
+ type: apiKey
+ name: X-API-Key
+ in: header
+ apiKey3:
+ type: apiKey
+ name: X-API-Key
+ in: query
diff --git a/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/pass6.json b/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/pass6.json
new file mode 100644
index 00000000000..ce5807cbcd3
--- /dev/null
+++ b/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/pass6.json
@@ -0,0 +1,52 @@
+{
+ "openapi": "3.0.0",
+ "info": {
+ "title": "Simple API overview",
+ "version": "1.0.0"
+ },
+ "servers": [
+ {
+ "url": "wss://example.com/socket",
+ "description": "Local server"
+ }
+ ],
+ "paths": {
+ "/pets": {
+ "post": {
+ "description": "Creates a new pet in the store",
+ "responses": {
+ "200": {
+ "description": "200 response"
+ }
+ },
+ "operationId": "addPet",
+ "security": [
+ {
+ "apiKey1": [],
+ "apiKey2": [],
+ "apiKey3": []
+ }
+ ]
+ }
+ }
+ },
+ "components": {
+ "securitySchemes": {
+ "apiKey1": {
+ "type": "apiKey",
+ "name": "X-API-Key",
+ "in": "header"
+ },
+ "apiKey2": {
+ "type": "apiKey",
+ "name": "X-API-Key",
+ "in": "cookie"
+ },
+ "apiKey3": {
+ "type": "apiKey",
+ "name": "X-API-Key",
+ "in": "query"
+ }
+ }
+ }
+}
diff --git a/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/pass6.yaml b/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/pass6.yaml
new file mode 100644
index 00000000000..986e6b74a4b
--- /dev/null
+++ b/tests/openapi/checks/resource/generic/example_ClearTextAPIKey/pass6.yaml
@@ -0,0 +1,33 @@
+openapi: 3.0.0
+info:
+ title: Simple API overview
+ version: 1.0.0
+servers:
+ - url: wss://example.com/socket
+ description: Local server
+paths:
+ /pets:
+ post:
+ description: Creates a new pet in the store
+ responses:
+ '200':
+ description: 200 response
+ operationId: addPet
+ security:
+ - apiKey1: []
+ apiKey2: []
+ apiKey3: []
+components:
+ securitySchemes:
+ apiKey1:
+ type: apiKey
+ name: X-API-Key
+ in: header
+ apiKey2:
+ type: apiKey
+ name: X-API-Key
+ in: cookie
+ apiKey3:
+ type: apiKey
+ name: X-API-Key
+ in: query
diff --git a/tests/openapi/checks/resource/generic/test_ClearTextAPIKey.py b/tests/openapi/checks/resource/generic/test_ClearTextAPIKey.py
index 422249b5160..93d24a2ac5b 100644
--- a/tests/openapi/checks/resource/generic/test_ClearTextAPIKey.py
+++ b/tests/openapi/checks/resource/generic/test_ClearTextAPIKey.py
@@ -27,6 +27,10 @@ def test_summary(self):
 "/pass3.json",
 "/pass4.yaml",
 "/pass4.json",
+ "/pass5.yaml",
+ "/pass5.json",
+ "/pass6.yaml",
+ "/pass6.json",
 }
 failing_resources = {
 "/fail.yaml",
@@ -37,6 +41,8 @@ def test_summary(self):
 "/fail3.json",
 "/fail4.yaml",
 "/fail4.json",
+ "/fail5.yaml",
+ "/fail5.json",
 }
 passed_check_resources = {c.file_path for c in report.passed_checks}