Change validation for gemini.health

Add loggedOutIndicator as alternative
Change attackFields validation for name & value
Remove csrf property name from zap setAuthenticationMethod post data

Author: binarymist

src/api/app/do/sut.js

@@ -36,6 +36,7 @@ internals.sutSchema = Joi.object({
   port: Joi.number().port().required(),
   browser: Joi.string().valid(...internals.configSchemaProps.sut._cvtProperties.browser.format).lowercase().default(config.get('sut.browser')), // eslint-disable-line no-underscore-dangle
   loggedInIndicator: Joi.string(),
+  loggedOutIndicator: Joi.string(),
   context: Joi.object({ // Zap context
     iD: Joi.number().integer().positive(),
     name: Joi.string().token()
@@ -69,8 +70,8 @@ internals.sutSchema = Joi.object({
     id: Joi.string().min(2).regex(/^\/[-\w/]{1,200}$/).required(),
     attributes: Joi.object({
       attackFields: Joi.array().items(Joi.object({
-        name: Joi.string().min(2).regex(/^[a-z0-9_-]+/i).required(),
-        value: Joi.string().empty('').default(''),
+        name: Joi.string().min(1).max(100).regex(/^[a-z0-9._-]+/i).required(),
+        value: [Joi.string().empty('').default(''), Joi.boolean(), Joi.number()],
         visible: Joi.boolean()
       })),
       method: Joi.string().valid(...internals.configSchemaProps.sut._cvtProperties.method.format).uppercase().default(config.get('sut.method')), // eslint-disable-line no-underscore-dangle

src/steps/app_scan_steps.js

@@ -96,11 +96,17 @@ Given('the application is spidered for each appScanner resourceObject', async fu
   const {
     authentication: { route: loginRoute, usernameFieldLocater, passwordFieldLocater },
     loggedInIndicator,
+    loggedOutIndicator,
     testSession: { id: testSessionId, attributes: { username, password }, relationships: { data: testSessionResourceIdentifiers } },
     context: { name: contextName }
-  } = this.sut.getProperties(['authentication', 'loggedInIndicator', 'testSession', 'context']);
+  } = this.sut.getProperties(['authentication', 'loggedInIndicator', 'loggedOutIndicator', 'testSession', 'context']);
   const { percentEncode } = this.sut.getBrowser();
 
+  const loggedInOutIndicator = {
+    command: loggedInIndicator ? 'setLoggedInIndicator' : 'setLoggedOutIndicator',
+    value: loggedInIndicator || loggedOutIndicator
+  };
+
   const { maxDepth, threadCount, maxChildren } = this.zap.getProperties('spider');
   const zaproxy = this.zap.getZaproxy();
   const enabled = true;
@@ -134,15 +140,13 @@ Given('the application is spidered for each appScanner resourceObject', async fu
       });
   }, []);
 
-  // Only the 'userName' onwards must be URL encoded. URL encoding entire line doesn't work.
-  // https://github.com/zaproxy/zaproxy/wiki/FAQformauth
-  await zaproxy.authentication.setAuthenticationMethod(contextId, authenticationMethod, `loginUrl=${sutBaseUrl}${loginRoute}&loginRequestData=${usernameFieldLocater}%3D%7B%25username%25%7D%26${passwordFieldLocater}%3D%7B%25password%25%7D%26_csrf%3D`)
+  // Only the 'userName' onwards must be URL encoded. URL encoding entire line doesn't (or at least didn't used to) work.
+  await zaproxy.authentication.setAuthenticationMethod(contextId, authenticationMethod, `loginUrl=${sutBaseUrl}${loginRoute}&loginRequestData=${usernameFieldLocater}%3D%7B%25username%25%7D%26${passwordFieldLocater}%3D%7B%25password%25%7D`)
     .then(
       (resp) => this.publisher.pubLog({ testSessionId, logLevel: 'info', textData: `Set authentication method to "${authenticationMethod}", for Test Session with id: "${testSessionId}". Response was: ${JSON.stringify(resp)}.`, tagObj: { tags: [`pid-${process.pid}`, 'app_scan_steps'] } }),
       (err) => `Error occurred while attempting to set authentication method to "${authenticationMethod}", for Test Session with id: "${testSessionId}". Error was: ${err.message}.`
     );
-  // https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAuthentication
-  await zaproxy.authentication.setLoggedInIndicator(contextId, loggedInIndicator)
+  await zaproxy.authentication[loggedInOutIndicator.command](contextId, loggedInOutIndicator.value)
     .then(
       (resp) => this.publisher.pubLog({ testSessionId, logLevel: 'info', textData: `Set logged in indicator "${loggedInIndicator}", for Test Session with id: "${testSessionId}". Response was: ${JSON.stringify(resp)}.`, tagObj: { tags: [`pid-${process.pid}`, 'app_scan_steps'] } }),
       (err) => `Error occurred while attempting to set logged in indicator to "${loggedInIndicator}", for test session with id: "${testSessionId}". Error was: ${err.message}.`
@@ -164,7 +168,7 @@ Given('the application is spidered for each appScanner resourceObject', async fu
       (resp) => this.publisher.pubLog({ testSessionId, logLevel: 'info', textData: `Set forced user with Id "${internals.userId}", for Test Session with id: "${testSessionId}". Response was: ${JSON.stringify(resp)}.`, tagObj: { tags: [`pid-${process.pid}`, 'app_scan_steps'] } }),
       (err) => `Error occurred while attempting to set forced user "${internals.userId}", for Test Session with id: "${testSessionId}". Error was: ${err.message}.`
     );
-  await zaproxy.users.setAuthenticationCredentials(contextId, internals.userId, `username=${username}&password=${percentEncode(password)}`)
+  await zaproxy.users.setAuthenticationCredentials(contextId, internals.userId, `username=${percentEncode(username)}&password=${percentEncode(password)}`)
     .then(
       (resp) => this.publisher.pubLog({ testSessionId, logLevel: 'info', textData: `Set authentication credentials, for Test Session with id: "${testSessionId}". Response was: ${JSON.stringify(resp)}.`, tagObj: { tags: [`pid-${process.pid}`, 'app_scan_steps'] } }),
       (err) => `Error occurred while attempting to set authentication credentials, for Test Session with id: "${testSessionId}". Error was: ${err.message}.`