Merge pull request #117984 from fabaff/wapiti

2021-04-01 01:35:08 +02:00 · 2021-04-01 01:35:08 +02:00 · 59d78cf030
parent 4a2a8d0ea2 be91fea7b7
commit 59d78cf030
4 changed files with 140 additions and 0 deletions
--- a/pkgs/development/python-modules/yaswfp/default.nix
+++ b/pkgs/development/python-modules/yaswfp/default.nix
@ -0,0 +1,30 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, pytestCheckHook
+}:
+
+buildPythonPackage rec {
+  pname = "yaswfp";
+  version = "unstable-20210331";
+
+  src = fetchFromGitHub {
+    owner = "facundobatista";
+    repo = pname;
+    rev = "2a2cc6ca4c0b4d52bd2e658fb5f80fdc0db4924c";
+    sha256 = "1dxdz89hlycy1rnn269fwl1f0qxgxqarkc0ivs2m77f8xba2qgj9";
+  };
+
+  checkInputs = [
+    pytestCheckHook
+  ];
+
+  pythonImportsCheck = [ "yaswfp" ];
+
+  meta = with lib; {
+    description = "Python SWF Parser";
+    homepage = "https://github.com/facundobatista/yaswfp";
+    license = with licenses; [ gpl3Only ];
+    maintainers = with maintainers; [ fab ];
+  };
+}
--- a/pkgs/tools/security/wapiti/default.nix
+++ b/pkgs/tools/security/wapiti/default.nix
@ -0,0 +1,106 @@
+{ lib
+, fetchFromGitHub
+, python3
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "wapiti";
+  version = "3.0.4";
+
+  src = fetchFromGitHub {
+    owner = "wapiti-scanner";
+    repo = pname;
+    rev = version;
+    sha256 = "0wnz4nq1q5y74ksb1kcss9vdih0kbrmnkfbyc2ngd9id1ixfamxb";
+  };
+
+  nativeBuildInputs = with python3.pkgs; [
+    pytest-runner
+  ];
+
+  propagatedBuildInputs = with python3.pkgs; [
+    beautifulsoup4
+    browser-cookie3
+    Mako
+    markupsafe
+    pysocks
+    requests
+    six
+    tld
+    yaswfp
+  ] ++ lib.optionals (python3.pythonOlder "3.8") [ importlib-metadata ];
+
+  checkInputs = with python3.pkgs; [
+    responses
+    pytestCheckHook
+  ];
+
+  postPatch = ''
+    # Is already fixed in the repo. Will be part of the next release
+    substituteInPlace setup.py \
+      --replace "importlib_metadata==2.0.0" "importlib_metadata"
+  '';
+
+  disabledTests = [
+    # Tests requires network access
+    "test_attr"
+    "test_bad_separator_used"
+    "test_blind"
+    "test_chunked_timeout"
+    "test_cookies_detection"
+    "test_csrf_cases"
+    "test_detection"
+    "test_direct"
+    "test_escape_with_style"
+    "test_explorer_filtering"
+    "test_false"
+    "test_frame"
+    "test_headers_detection"
+    "test_html_detection"
+    "test_implies_detection"
+    "test_inclusion_detection"
+    "test_meta_detection"
+    "test_no_crash"
+    "test_options"
+    "test_out_of_band"
+    "test_partial_tag_name_escape"
+    "test_prefix_and_suffix_detection"
+    "test_qs_limit"
+    "test_rare_tag_and_event"
+    "test_redirect_detection"
+    "test_request_object"
+    "test_script"
+    "test_ssrf"
+    "test_tag_name_escape"
+    "test_timeout"
+    "test_title_false_positive"
+    "test_title_positive"
+    "test_true_positive_request_count"
+    "test_url_detection"
+    "test_warning"
+    "test_whole"
+    "test_xss_inside_tag_input"
+    "test_xss_inside_tag_link"
+    "test_xss_uppercase_no_script"
+    "test_xss_with_strong_csp"
+    "test_xss_with_weak_csp"
+    "test_xxe"
+  ];
+
+  pythonImportsCheck = [ "wapitiCore" ];
+
+  meta = with lib; {
+    description = "Web application vulnerability scanner";
+    longDescription = ''
+      Wapiti allows you to audit the security of your websites or web applications.
+      It performs "black-box" scans (it does not study the source code) of the web
+      application by crawling the webpages of the deployed webapp, looking for
+      scripts and forms where it can inject data. Once it gets the list of URLs,
+      forms and their inputs, Wapiti acts like a fuzzer, injecting payloads to see
+      if a script is vulnerable.
+    '';
+    homepage = "https://wapiti-scanner.github.io/";
+    license = with licenses; [ gpl2Only ];
+    maintainers = with maintainers; [ fab ];
+  };
+}
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -26296,6 +26296,8 @@ in
    pythonPackages = python3Packages;
  };

+  wapiti = callPackage ../tools/security/wapiti { };
+
  way-cooler = throw ("way-cooler is abandoned by its author: " +
    "https://way-cooler.org/blog/2020/01/09/way-cooler-post-mortem.html");

--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@ -9028,6 +9028,8 @@ in {

  yarl = callPackage ../development/python-modules/yarl { };

+  yaswfp = callPackage ../development/python-modules/yaswfp { };
+
  yattag = callPackage ../development/python-modules/yattag { };

  ydiff = callPackage ../development/python-modules/ydiff { };