Merge pull request #3179 from thc202/openapi/xml-warn

openapi: do not generate JSON for XML content

Author: psiinon

addOns/openapi/CHANGELOG.md

@@ -7,6 +7,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Added
 - Use path and operation servers ([Issue #6754](https://github.com/zaproxy/zaproxy/issues/6754)).
 
+### Changed
+- Warn when request has content `application/xml`, not supported (Related to [Issue #6767](https://github.com/zaproxy/zaproxy/issues/6767)).
+
 ## [22] - 2021-09-16
 ### Changed
 - Maintenance changes.

addOns/openapi/src/main/java/org/zaproxy/zap/extension/openapi/converter/swagger/RequestModelConverter.java

@@ -19,12 +19,14 @@
  */
 package org.zaproxy.zap.extension.openapi.converter.swagger;
 
+import io.swagger.v3.oas.models.Operation;
 import io.swagger.v3.oas.models.media.Content;
 import io.swagger.v3.oas.models.media.Encoding;
 import io.swagger.v3.oas.models.media.Schema;
 import io.swagger.v3.oas.models.parameters.RequestBody;
 import java.util.List;
 import java.util.Map;
+import org.parosproxy.paros.Constant;
 import org.parosproxy.paros.network.HttpHeaderField;
 import org.zaproxy.zap.extension.openapi.generators.Generators;
 import org.zaproxy.zap.extension.openapi.generators.HeadersGenerator;
@@ -33,6 +35,7 @@
 
 public class RequestModelConverter {
 
+    private static final String CONTENT_APPLICATION_XML = "application/xml";
     private OperationModel operationModel;
     private Generators generators;
 
@@ -58,7 +61,8 @@ private String generatePath() {
     }
 
     private String generateBody() {
-        RequestBody requestBody = operationModel.getOperation().getRequestBody();
+        Operation operation = operationModel.getOperation();
+        RequestBody requestBody = operation.getRequestBody();
         if (requestBody != null) {
             Content content = requestBody.getContent();
             Schema<?> schema;
@@ -81,6 +85,15 @@ private String generateBody() {
                 return generators.getBodyGenerator().generateMultiPart(schema, encoding);
             }
 
+            if (content.containsKey(CONTENT_APPLICATION_XML)) {
+                generators.addErrorMessage(
+                        Constant.messages.getString(
+                                "openapi.unsupportedcontent",
+                                operation.getOperationId(),
+                                CONTENT_APPLICATION_XML));
+                return "";
+            }
+
             if (!content.isEmpty()) {
                 schema = content.entrySet().iterator().next().getValue().getSchema();
                 return generators.getBodyGenerator().generate(schema);

addOns/openapi/src/main/javahelp/org/zaproxy/zap/extension/openapi/resources/help/contents/openapi.html

@@ -9,6 +9,8 @@
 <BODY>
 <H1>OpenAPI Support</H1>
 This add-on allows you to spider and import OpenAPI (Swagger) definitions, versions 1.2, 2.0, and 3.0.
+<br>
+<strong>Note:</strong> Generation of XML content is currently not supported.
 <br><br>
 The add-on will automatically detect any OpenAPI definitions and spider them as long as they are in scope.
 <br><br>

addOns/openapi/src/main/resources/org/zaproxy/zap/extension/openapi/resources/Messages.properties

@@ -79,3 +79,4 @@ openapi.swaggerconverter.targeturl.invalid = Failed to create/normalise the targ
 openapi.swaggerconverter.targeturl.missingcomponents = The target URL does not have the scheme or authority component:\n{0}
 
 openapi.unsupportedscheme = The scheme of the URL is not HTTP or HTTPS:\n{0}
+openapi.unsupportedcontent = Not generating request body for operation {0}, the content {1} is not supported.

addOns/openapi/src/test/java/org/zaproxy/zap/extension/openapi/v3/BodyGeneratorUnitTest.java

@@ -19,6 +19,9 @@
  */
 package org.zaproxy.zap.extension.openapi.v3;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.contains;
+import static org.hamcrest.Matchers.isEmptyString;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -31,16 +34,31 @@
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import org.apache.commons.io.IOUtils;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.parosproxy.paros.Constant;
+import org.zaproxy.zap.extension.openapi.ExtensionOpenApi;
 import org.zaproxy.zap.extension.openapi.converter.swagger.OperationModel;
 import org.zaproxy.zap.extension.openapi.converter.swagger.RequestModelConverter;
 import org.zaproxy.zap.extension.openapi.generators.BodyGenerator;
 import org.zaproxy.zap.extension.openapi.generators.Generators;
+import org.zaproxy.zap.testutils.TestUtils;
 
-class BodyGeneratorUnitTest {
+class BodyGeneratorUnitTest extends TestUtils {
     Generators generators;
 
+    @BeforeAll
+    static void setUp() {
+        mockMessages(new ExtensionOpenApi());
+    }
+
+    @AfterAll
+    static void cleanUp() {
+        Constant.messages = null;
+    }
+
     @BeforeEach
     void init() {
         generators = new Generators(null);
@@ -674,6 +692,22 @@ void shouldGenerateBodyWithNoSchema() throws IOException {
         assertEquals("", request);
     }
 
+    @Test
+    void shouldNotGenerateContentForApplicationXml() throws IOException {
+        // Given
+        OpenAPI definition = parseResource("openapi_xml_bodies.yaml");
+        OperationModel operationModel =
+                new OperationModel("/xml", definition.getPaths().get("/xml").getPost(), null);
+        // When
+        String content = new RequestModelConverter().convert(operationModel, generators).getBody();
+        // Then
+        assertThat(content, isEmptyString());
+        assertThat(
+                generators.getErrorMessages(),
+                contains(
+                        "Not generating request body for operation xml, the content application/xml is not supported."));
+    }
+
     private OpenAPI parseResource(String fileName) throws IOException {
         ParseOptions options = new ParseOptions();
         options.setResolveFully(true);

addOns/openapi/src/test/resources/org/zaproxy/zap/extension/openapi/v3/openapi_xml_bodies.yaml

@@ -0,0 +1,26 @@
+openapi: 3.0.0
+info:
+  title: XML bodies
+  version: 1.0.0
+servers:
+  - url: http://localhost:@@@PORT@@@/
+paths:
+  /xml:
+    post:
+      operationId: xml
+      requestBody:
+        content:
+          'application/xml':
+            schema:
+              properties:
+                value-string:
+                  type: string
+                value-boolean:
+                  type: boolean
+                value-integer:
+                  type: integer
+      responses:
+        default:
+          description:
+          content:
+            text/plain: {}