From 1fd663c6d2c92b80f49a06ddeb80199a5eee6e08 Mon Sep 17 00:00:00 2001
From: Chris Yoo
Date: Wed, 26 Mar 2025 12:04:27 +1100
Subject: [PATCH] parity between includeOnly and ignore

---
 examples/nullify.yaml | 2 ++
 pkg/merger/merger_test.go | 28 ++++++++++++++++------------
 pkg/models/attack_surface.go | 27 ++++++++------------------
 tests/integration_test.go | 14 ++++++++------
 tests/nullify.yaml | 2 ++
 5 files changed, 36 insertions(+), 37 deletions(-)

diff --git a/examples/nullify.yaml b/examples/nullify.yaml
index c3f78ed..9172e30 100644
--- a/examples/nullify.yaml
+++ b/examples/nullify.yaml
@@ -122,6 +122,8 @@ attack_surface:
 hosts: [example.com, prod.hosting.com, 10.11.12.13, 10.0.0.*]
 include_only:
 - hosts: [live.prod.hosting.com]
+ transport_protocols: [tcp]
+ ports: [80, 443]
 http:
 methods: [GET, POST]
 paths: [/main, /api/**/create]
diff --git a/pkg/merger/merger_test.go b/pkg/merger/merger_test.go
index db89e74..879c536 100644
--- a/pkg/merger/merger_test.go
+++ b/pkg/merger/merger_test.go
@@ -373,18 +373,20 @@ func TestMergeConfigFiles(t *testing.T) {
 Enable: true,
 EnableDNSEnumeration: true,
 Hosts: []string{"example.com", "prod.hosting.com", "10.11.12.13", "10.0.0.*"},
- IncludeOnly: []models.AttackSurfaceIncludeOnly{
+ IncludeOnly: []models.AttackSurfaceScopingRule{
 {
- Hosts: []string{"live.prod.hosting.com"},
- HTTP: &models.HTTPAttackSurfaceIncludeOnly{
+ Hosts: []string{"live.prod.hosting.com"},
+ TransportProtocols: []string{"tcp"},
+ Ports: []string{"80", "443"},
+ HTTP: &models.HTTPAttackSurfaceScopingRuleHTTP{
 Methods: []string{"GET", "POST"},
 Paths: []string{"/main", "/api/**/create"},
 },
 },
 },
- Ignore: []models.AttackSurfaceIgnore{
+ Ignore: []models.AttackSurfaceScopingRule{
 {
- HTTP: &models.HTTPAttackSurfaceIgnore{
+ HTTP: &models.HTTPAttackSurfaceScopingRuleHTTP{
 Methods: []string{"DELETE"},
 },
 },
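Review bot: The expected value `Ports: []string{"80", "443"}` in the new IncludeOnly fixture depends on the YAML decoder coercing the bare integers `[80, 443]` that examples/nullify.yaml and tests/nullify.yaml write into a `[]string` field, and nothing in the fixture says so. Either quote the values in the YAML, `ports: ["80", "443"]`, or put a short comment above the expected struct noting the coercion, so that a decoder change does not surface as an unexplained assertion failure. The same expectation is repeated in the second merger_test.go hunk and in the first tests/integration_test.go hunk. The enclosing TestMergeConfigFiles starts and ends outside this hunk.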
@@ -398,7 +400,7 @@ func TestMergeConfigFiles(t *testing.T) {
 },
 {
 Hosts: []string{"dev.*", "staging.*"},
- HTTP: &models.HTTPAttackSurfaceIgnore{
+ HTTP: &models.HTTPAttackSurfaceScopingRuleHTTP{
 Paths: []string{"/auth"},
 Methods: []string{"POST"},
 },
@@ -416,18 +418,20 @@ func TestMergeConfigFiles(t *testing.T) {
 Enable: true,
 EnableDNSEnumeration: true,
 Hosts: []string{"example.com", "prod.hosting.com", "10.11.12.13", "10.0.0.*"},
- IncludeOnly: []models.AttackSurfaceIncludeOnly{
+ IncludeOnly: []models.AttackSurfaceScopingRule{
 {
- Hosts: []string{"live.prod.hosting.com"},
- HTTP: &models.HTTPAttackSurfaceIncludeOnly{
+ Hosts: []string{"live.prod.hosting.com"},
+ TransportProtocols: []string{"tcp"},
+ Ports: []string{"80", "443"},
+ HTTP: &models.HTTPAttackSurfaceScopingRuleHTTP{
 Methods: []string{"GET", "POST"},
 Paths: []string{"/main", "/api/**/create"},
 },
 },
 },
- Ignore: []models.AttackSurfaceIgnore{
+ Ignore: []models.AttackSurfaceScopingRule{
 {
- HTTP: &models.HTTPAttackSurfaceIgnore{
+ HTTP: &models.HTTPAttackSurfaceScopingRuleHTTP{
 Methods: []string{"DELETE"},
 },
 },
@@ -441,7 +445,7 @@ func TestMergeConfigFiles(t *testing.T) {
 },
 {
 Hosts: []string{"dev.*", "staging.*"},
- HTTP: &models.HTTPAttackSurfaceIgnore{
+ HTTP: &models.HTTPAttackSurfaceScopingRuleHTTP{
 Paths: []string{"/auth"},
 Methods: []string{"POST"},
 },
diff --git a/pkg/models/attack_surface.go b/pkg/models/attack_surface.go
index 6397215..64091cd 100644
--- a/pkg/models/attack_surface.go
+++ b/pkg/models/attack_surface.go
@@ -5,29 +5,18 @@ type AttackSurface struct {
 Enable bool `yaml:"enable"`
 EnableDNSEnumeration bool `yaml:"enable_dns_enumeration"`
 Hosts []string `yaml:"hosts,omitempty"`
- IncludeOnly []AttackSurfaceIncludeOnly `yaml:"include_only,omitempty"`
- Ignore []AttackSurfaceIgnore `yaml:"ignore,omitempty"`
+ IncludeOnly []AttackSurfaceScopingRule `yaml:"include_only,omitempty"`
+ Ignore []AttackSurfaceScopingRule `yaml:"ignore,omitempty"`
 }
 
-type AttackSurfaceIncludeOnly struct {
- Hosts []string `yaml:"hosts,omitempty"`
- HTTP *HTTPAttackSurfaceIncludeOnly `yaml:"http,omitempty"`
+type AttackSurfaceScopingRule struct {
+ Hosts []string `yaml:"hosts,omitempty"`
+ TransportProtocols []string `yaml:"transport_protocols,omitempty"`
+ Ports []string `yaml:"ports,omitempty"`
+ HTTP *HTTPAttackSurfaceScopingRuleHTTP `yaml:"http,omitempty"`
 }
 
-type HTTPAttackSurfaceIncludeOnly struct {
- Methods []string `yaml:"methods,omitempty"`
- Paths []string `yaml:"paths,omitempty"`
-}
-
-type AttackSurfaceIgnore struct {
- // empty fields are equivalent to *
- Hosts []string `yaml:"hosts,omitempty"`
- TransportProtocols []string `yaml:"transport_protocols,omitempty"`
- Ports []string `yaml:"ports,omitempty"`
- HTTP *HTTPAttackSurfaceIgnore `yaml:"http,omitempty"`
-}
-
-type HTTPAttackSurfaceIgnore struct {
+type HTTPAttackSurfaceScopingRuleHTTP struct {
 Methods []string `yaml:"methods,omitempty"`
 Paths []string `yaml:"paths,omitempty"`
 }
diff --git a/tests/integration_test.go b/tests/integration_test.go
index c6bdaee..69bb701 100644
--- a/tests/integration_test.go
+++ b/tests/integration_test.go
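Review bot: The removed `// empty fields are equivalent to *` comment was the only statement of how a rule with unset fields matches, and the merged `AttackSurfaceScopingRule` carries no replacement; because the same struct now also backs `include_only`, an include rule with every field left empty would presumably match everything and silently widen the in-scope surface, which is precisely the case a reader of this type needs spelled out. Suggest a doc comment on the type such as `// AttackSurfaceScopingRule selects traffic by host, transport protocol, port and HTTP method/path; a field left empty matches any value (equivalent to *), for both include_only and ignore.` and `// HTTPAttackSurfaceScopingRuleHTTP narrows a scoping rule to specific HTTP methods and paths.` on the HTTP type, since both are exported and currently undocumented. Deleting `AttackSurfaceIncludeOnly`, `AttackSurfaceIgnore`, `HTTPAttackSurfaceIncludeOnly` and `HTTPAttackSurfaceIgnore` outright breaks any importer of pkg/models; if that package is consumed outside this repository, keep them for one release as deprecated aliases, e.g. `type AttackSurfaceIgnore = AttackSurfaceScopingRule` with a `// Deprecated:` line. As a point of style, `HTTPAttackSurfaceScopingRuleHTTP` carries HTTP as both prefix and suffix; `AttackSurfaceScopingRuleHTTP` reads more naturally and matches the field it is used from.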
@@ -165,18 +165,20 @@ func TestIntegration(t *testing.T) {
 Enable: true,
 EnableDNSEnumeration: true,
 Hosts: []string{"example.com", "prod.hosting.com", "10.11.12.13", "10.0.0.*"},
- IncludeOnly: []models.AttackSurfaceIncludeOnly{
+ IncludeOnly: []models.AttackSurfaceScopingRule{
 {
- Hosts: []string{"live.prod.hosting.com"},
- HTTP: &models.HTTPAttackSurfaceIncludeOnly{
+ Hosts: []string{"live.prod.hosting.com"},
+ TransportProtocols: []string{"tcp"},
+ Ports: []string{"80", "443"},
+ HTTP: &models.HTTPAttackSurfaceScopingRuleHTTP{
 Methods: []string{"GET", "POST"},
 Paths: []string{"/main", "/api/**/create"},
 },
 },
 },
- Ignore: []models.AttackSurfaceIgnore{
+ Ignore: []models.AttackSurfaceScopingRule{
 {
- HTTP: &models.HTTPAttackSurfaceIgnore{
+ HTTP: &models.HTTPAttackSurfaceScopingRuleHTTP{
 Methods: []string{"DELETE"},
 },
 },
@@ -190,7 +192,7 @@ func TestIntegration(t *testing.T) {
 },
 {
 Hosts: []string{"dev.*", "staging.*"},
- HTTP: &models.HTTPAttackSurfaceIgnore{
+ HTTP: &models.HTTPAttackSurfaceScopingRuleHTTP{
 Paths: []string{"/auth"},
 Methods: []string{"POST"},
 },
diff --git a/tests/nullify.yaml b/tests/nullify.yaml
index e87be14..8d4a48c 100644
--- a/tests/nullify.yaml
+++ b/tests/nullify.yaml
@@ -107,6 +107,8 @@ attack_surface:
 hosts: [example.com, prod.hosting.com, 10.11.12.13, 10.0.0.*]
 include_only:
 - hosts: [live.prod.hosting.com]
+ transport_protocols: [tcp]
+ ports: [80, 443]
 http:
 methods: [GET, POST]
 paths: [/main, /api/**/create]