more flexible include_only and ignore rules

chrisyoonullify · chrisyoonullify · commit e3d4935118e8 · 2025-02-11T10:23:45.000+11:00
diff --git a/examples/nullify.yaml b/examples/nullify.yaml
@@ -62,7 +62,28 @@ code:
         - config-file-parser
         - dast-action
         - cli
-    - rule_ids: [ python-sql-injection ]
+    - rule_ids: [ python-sqlAttackSurface: &models.AttackSurface{
+			Enable:               true,
+			EnableDNSEnumeration: true,
+			DomainNames:          []string{"172.36.255.7", "example.com"},
+			PathPrefixes:         []string{"/vuln"},
+			Ignore: []models.AttackSurfaceIgnore{
+				{
+					HTTPMethods: []string{"DELETE"},
+				},
+				{
+					HTTPMethods: []string{"jira.example.com"},
+				},
+				{
+					DomainNames: []string{"*.testing.example.com"},
+					Ports:       []int{8080, 8088, 9999},
+				},
+				{
+					DomainNames: []string{"dev.*", "staging.*"},
+					HTTPMethods: []string{"POST", "PUT"},
+				},
+			},
+		},-injection ]
       reason: This code won't be going live until next year but we should fix it before then
       expiry: "2021-12-31"
 dependencies:
@@ -112,10 +133,21 @@ integrations:
       name: John Smith
 attack_surface:
   enable: true
-  enable_dns_enumeration: false
-  domain_names: [172.36.255.7,example.com]
-  ignore_domain_names: []
-  path_prefixes: [/vuln]
-  ignore_methods: [POST,DELETE]
-  ignore_ports: [8080]
-  schemes: ["http","https"]
+  enable_dns_enumeration: true
+  ip_addresses: [10.11.12.13, 100.110.120.0/24, 10.0.0.1-254]
+  domain_names: [example.com, prod.hosting.com]
+  include_only:
+    - domain_names: [live.prod.hosting.com]
+      http:
+        paths: [/main, /api/**/create]
+  ignore:
+    - http:
+        methods: [DELETE]
+    - domain_names: [jira.example.com, "*.testing.example.com"]
+    - ip_addresses: [100.110.120.130]
+      transport_protocols: [tcp]
+      ports: [22, 8080, 9990-9999]
+    - domain_names: ["dev.*", "staging.*"]
+      http:
+        paths: [/auth]
+        methods: [POST]
diff --git a/pkg/merger/merger_test.go b/pkg/merger/merger_test.go
@@ -340,12 +340,38 @@ func TestMergeConfigFiles(t *testing.T) {
 				AttackSurface: &models.AttackSurface{
 					Enable:               true,
 					EnableDNSEnumeration: true,
-					DomainNames:          []string{"example.com"},
-					IgnoreDomainNames:    []string{"example2.com"},
-					PathPrefixes:         []string{"/vuln"},
-					IgnoreMethods:        []string{"POST", "DELETE"},
-					IgnorePorts:          []int{8080},
-					Schemes:              []string{"http", "https"},
+					IPAddresses:          []string{"10.11.12.13", "100.110.120.0/24", "10.0.0.1-254"},
+					DomainNames:          []string{"example.com", "prod.hosting.com"},
+					IncludeOnly: []models.AttackSurfaceIncludeOnly{
+						{
+							DomainNames: []string{"live.prod.hosting.com"},
+							HTTP: &models.HTTPAttackSurfaceIncludeOnly{
+								Paths: []string{"/main", "/api/**/create"},
+							},
+						},
+					},
+					Ignore: []models.AttackSurfaceIgnore{
+						{
+							HTTP: &models.HTTPAttackSurfaceIgnore{
+								Methods: []string{"DELETE"},
+							},
+						},
+						{
+							DomainNames: []string{"jira.example.com", "*.testing.example.com"},
+						},
+						{
+							IPAddresses:        []string{"100.110.120.130"},
+							TransportProtocols: []string{"tcp"},
+							Ports:              []string{"22", "8080", "9990-9999"},
+						},
+						{
+							DomainNames: []string{"dev.*", "staging.*"},
+							HTTP: &models.HTTPAttackSurfaceIgnore{
+								Paths:   []string{"/auth"},
+								Methods: []string{"POST"},
+							},
+						},
+					},
 				},
 			},
 			repoConfig: nil,
@@ -357,12 +383,38 @@ func TestMergeConfigFiles(t *testing.T) {
 				AttackSurface: &models.AttackSurface{
 					Enable:               true,
 					EnableDNSEnumeration: true,
-					DomainNames:          []string{"example.com"},
-					IgnoreDomainNames:    []string{"example2.com"},
-					PathPrefixes:         []string{"/vuln"},
-					IgnoreMethods:        []string{"POST", "DELETE"},
-					IgnorePorts:          []int{8080},
-					Schemes:              []string{"http", "https"},
+					IPAddresses:          []string{"10.11.12.13", "100.110.120.0/24", "10.0.0.1-254"},
+					DomainNames:          []string{"example.com", "prod.hosting.com"},
+					IncludeOnly: []models.AttackSurfaceIncludeOnly{
+						{
+							DomainNames: []string{"live.prod.hosting.com"},
+							HTTP: &models.HTTPAttackSurfaceIncludeOnly{
+								Paths: []string{"/main", "/api/**/create"},
+							},
+						},
+					},
+					Ignore: []models.AttackSurfaceIgnore{
+						{
+							HTTP: &models.HTTPAttackSurfaceIgnore{
+								Methods: []string{"DELETE"},
+							},
+						},
+						{
+							DomainNames: []string{"jira.example.com", "*.testing.example.com"},
+						},
+						{
+							IPAddresses:        []string{"100.110.120.130"},
+							TransportProtocols: []string{"tcp"},
+							Ports:              []string{"22", "8080", "9990-9999"},
+						},
+						{
+							DomainNames: []string{"dev.*", "staging.*"},
+							HTTP: &models.HTTPAttackSurfaceIgnore{
+								Paths:   []string{"/auth"},
+								Methods: []string{"POST"},
+							},
+						},
+					},
 				},
 			},
 		},
diff --git a/pkg/models/attack_surface.go b/pkg/models/attack_surface.go
@@ -2,12 +2,33 @@ package models
 
 type AttackSurface struct {
 	// global only
-	Enable               bool     `yaml:"enable"`
-	EnableDNSEnumeration bool     `yaml:"enable_dns_enumeration"`
-	DomainNames          []string `yaml:"domain_names,omitempty"`
-	IgnoreDomainNames    []string `yaml:"ignore_domain_names,omitempty"`
-	PathPrefixes         []string `yaml:"path_prefixes,omitempty"`
-	IgnoreMethods        []string `yaml:"ignore_methods,omitempty"`
-	IgnorePorts          []int    `yaml:"ignore_ports,omitempty"`
-	Schemes              []string `yaml:"schemes"`
+	Enable               bool                       `yaml:"enable"`
+	EnableDNSEnumeration bool                       `yaml:"enable_dns_enumeration"`
+	IPAddresses          []string                   `yaml:"ip_addresses,omitempty"`
+	DomainNames          []string                   `yaml:"domain_names,omitempty"`
+	IncludeOnly          []AttackSurfaceIncludeOnly `yaml:"include_only,omitempty"`
+	Ignore               []AttackSurfaceIgnore      `yaml:"ignore,omitempty"`
+}
+
+type AttackSurfaceIncludeOnly struct {
+	DomainNames []string                      `yaml:"domain_names,omitempty"`
+	HTTP        *HTTPAttackSurfaceIncludeOnly `yaml:"http,omitempty"`
+}
+
+type HTTPAttackSurfaceIncludeOnly struct {
+	Paths []string `yaml:"paths,omitempty"`
+}
+
+type AttackSurfaceIgnore struct {
+	// empty fields are equivalent to *
+	IPAddresses        []string                 `yaml:"ip_addresses,omitempty"`
+	DomainNames        []string                 `yaml:"domain_names,omitempty"`
+	TransportProtocols []string                 `yaml:"transport_protocols,omitempty"`
+	Ports              []string                 `yaml:"ports,omitempty"`
+	HTTP               *HTTPAttackSurfaceIgnore `yaml:"http,omitempty"`
+}
+
+type HTTPAttackSurfaceIgnore struct {
+	Methods []string `yaml:"methods,omitempty"`
+	Paths   []string `yaml:"paths,omitempty"`
 }
diff --git a/tests/integration_test.go b/tests/integration_test.go
@@ -156,12 +156,38 @@ func TestIntegration(t *testing.T) {
 		AttackSurface: &models.AttackSurface{
 			Enable:               true,
 			EnableDNSEnumeration: true,
-			DomainNames:          []string{"172.36.255.7", "example.com"},
-			IgnoreDomainNames:    []string{"jira.example.com"},
-			PathPrefixes:         []string{"/vuln"},
-			IgnoreMethods:        []string{"POST", "DELETE"},
-			IgnorePorts:          []int{8080},
-			Schemes:              []string{"http", "https"},
+			IPAddresses:          []string{"10.11.12.13", "100.110.120.0/24", "10.0.0.1-254"},
+			DomainNames:          []string{"example.com", "prod.hosting.com"},
+			IncludeOnly: []models.AttackSurfaceIncludeOnly{
+				{
+					DomainNames: []string{"live.prod.hosting.com"},
+					HTTP: &models.HTTPAttackSurfaceIncludeOnly{
+						Paths: []string{"/main", "/api/**/create"},
+					},
+				},
+			},
+			Ignore: []models.AttackSurfaceIgnore{
+				{
+					HTTP: &models.HTTPAttackSurfaceIgnore{
+						Methods: []string{"DELETE"},
+					},
+				},
+				{
+					DomainNames: []string{"jira.example.com", "*.testing.example.com"},
+				},
+				{
+					IPAddresses:        []string{"100.110.120.130"},
+					TransportProtocols: []string{"tcp"},
+					Ports:              []string{"22", "8080", "9990-9999"},
+				},
+				{
+					DomainNames: []string{"dev.*", "staging.*"},
+					HTTP: &models.HTTPAttackSurfaceIgnore{
+						Paths:   []string{"/auth"},
+						Methods: []string{"POST"},
+					},
+				},
+			},
 		},
 	}
 
diff --git a/tests/nullify.yaml b/tests/nullify.yaml
@@ -97,9 +97,20 @@ integrations:
 attack_surface:
   enable: true
   enable_dns_enumeration: true
-  domain_names: [172.36.255.7,example.com]
-  ignore_domain_names: [jira.example.com]
-  path_prefixes: [/vuln]
-  ignore_methods: [POST,DELETE]
-  ignore_ports: [8080]
-  schemes: ["http","https"]
+  ip_addresses: [10.11.12.13, 100.110.120.0/24, 10.0.0.1-254]
+  domain_names: [example.com, prod.hosting.com]
+  include_only:
+    - domain_names: [live.prod.hosting.com]
+      http:
+        paths: [/main, /api/**/create]
+  ignore:
+    - http:
+        methods: [DELETE]
+    - domain_names: [jira.example.com, "*.testing.example.com"]
+    - ip_addresses: [100.110.120.130]
+      transport_protocols: [tcp]
+      ports: [22, 8080, 9990-9999]
+    - domain_names: ["dev.*", "staging.*"]
+      http:
+        paths: [/auth]
+        methods: [POST]
