import json
from dataclasses import dataclass

import requests

from report import Reporter
@dataclass
class Submission:
    """Record of where a canary secret was planted by the scanner."""

    # Location the canary was submitted through; echoed verbatim in the
    # "Submitted in ..." proof string of a reported finding.
    src: str
    # Name of the form the canary was entered in. Not read in this file;
    # presumably consumed by the canary db / reporter elsewhere — verify.
    form_name: str
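class AppPropertyScanner:
    """Check an Atlassian Connect app's properties for leaked canary secrets.

    The app's property list is fetched through the Connect REST API (the
    plain Jira path first, then the Confluence ``/wiki`` prefix), every
    property value is searched for the canary strings held in the caller's
    ``db``, and each hit is passed to ``reporter.add_vuln``.
    """

    def __init__(
        self,
        session: "requests.Session",
        reporter: "Reporter",
        base_url,
        app_key,
        user=None,
        api_token=None,
        *,
        timeout=30.0,
    ):
        """Bind the HTTP session, the reporter and the target app.

        Args:
            session: requests session used for every HTTP call. When both
                ``user`` and ``api_token`` are truthy, Basic auth is set on
                it; otherwise the session's existing auth is left untouched.
            reporter: object whose ``add_vuln`` receives findings.
            base_url: site root the Connect REST paths are appended to.
            app_key: Connect app key used in the properties URL.
            user: Basic auth user name (optional).
            api_token: Basic auth token/password (optional).
            timeout: seconds handed to each ``session.get``; ``None`` disables
                the timeout (a scanner without one can hang on a stalled host).
        """
        self.session = session
        self.reporter = reporter
        self.base_url = base_url
        self.app_key = app_key
        self.timeout = timeout
        # Only configure auth when both halves are supplied.
        if user and api_token:
            self.session.auth = (user, api_token)

    def _get_properties(self, url):
        """Return the ``keys`` list of the property collection at *url*.

        A non-2xx status, a non-JSON body or a body without ``keys`` yields an
        empty list so ``scan`` can fall back to the next endpoint. Transport
        errors from ``session.get`` (including the timeout) propagate, as in
        the original, so an unreachable host is not silently reported as
        "no properties".
        """
        response = self.session.get(url, timeout=self.timeout)
        try:
            response.raise_for_status()
            keys = response.json()["keys"]
        except (requests.HTTPError, ValueError, KeyError, TypeError):
            # HTTPError: bad status; ValueError: body is not JSON;
            # KeyError/TypeError: JSON is not an object with "keys".
            return []
        return keys

    def scan(self, db):
        """Report every app property whose value contains a canary from *db*.

        Args:
            db: mapping whose keys are ``(canary, submission)`` tuples;
                ``submission`` must expose a ``src`` attribute naming where
                the canary was planted.

        Returns:
            None. Findings are delivered through ``self.reporter.add_vuln``.
        """
        properties = self._get_properties(
            f"{self.base_url}/rest/atlassian-connect/1/addons/{self.app_key}/properties"
        )
        if not properties:
            # Nothing under the Jira path: try the Confluence-prefixed API next.
            properties = self._get_properties(
                f"{self.base_url}/wiki/rest/atlassian-connect/1/addons/{self.app_key}/properties"
            )
        if not properties:
            return
        for prop in properties:
            try:
                prop_url = prop["self"]
                prop_res = self.session.get(prop_url, timeout=self.timeout).json()
                value = prop_res["value"]
                prop_url = prop_res.get("self", prop_url)
            except (requests.RequestException, ValueError, KeyError, TypeError):
                # Unreachable, non-JSON or malformed entry: skip just this one.
                continue
            # Property values are arbitrary JSON. Serialize non-strings so a
            # canary nested in an object/array is still found, and so an
            # int/bool/None value cannot raise TypeError on the `in` test.
            haystack = value if isinstance(value, str) else json.dumps(value, ensure_ascii=False)
            for canary, submission in db.keys():
                if canary in haystack:
                    self.reporter.add_vuln(
                        check_name="Secret scanner",
                        description=f"Found secret {canary} in {prop_url}.",
                        recommendation="Store the secret server side, since app properties can be accessed by anyone.",
                        proof=f"Submitted in {submission.src}",
                        severity="High",
                    )
                    # One finding per property is enough.
                    break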