-
Notifications
You must be signed in to change notification settings - Fork 648
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #6198 from ji-eunsoo/dev/zap
zapシナリオ追加
- Loading branch information
Showing
81 changed files
with
19,600 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,260 @@ | ||
name: OWASP ZAP | ||
on: | ||
workflow_dispatch: | ||
|
||
jobs: | ||
prune: | ||
name: Prune Docker images | ||
runs-on: ubuntu-22.04 | ||
steps: | ||
- name: Prune Docker images | ||
run: docker image prune --force | ||
|
||
build: | ||
name: Build | ||
needs: prune | ||
runs-on: ubuntu-22.04 | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@master | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v2 | ||
|
||
- name: Container Build | ||
uses: docker/build-push-action@v4 | ||
with: | ||
context: . | ||
tags: ec-cube | ||
outputs: type=docker,dest=/tmp/ec-cube.tar | ||
|
||
- name: Upload image | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: ec-cube | ||
path: /tmp/ec-cube.tar | ||
|
||
scan: | ||
name: Scan | ||
needs: build | ||
runs-on: ubuntu-22.04 | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
target: | ||
- admin_authority | ||
- admin_class_category_csv | ||
- admin_class_name_csv | ||
- admin_content_block | ||
- admin_content_cache | ||
- admin_content_file | ||
- admin_content_layout | ||
- admin_customer_delivery | ||
- admin_customer_edit | ||
- admin_customer_list | ||
- admin_delivery | ||
- admin_js_css | ||
- admin_log | ||
- admin_login_history | ||
- admin_mail | ||
- admin_mail_edit | ||
- admin_masterdata | ||
- admin_member_edit | ||
- admin_member_setting | ||
- admin_news | ||
- admin_order_edit | ||
- admin_order_edit_search | ||
- admin_order_list | ||
- admin_order_mail | ||
- admin_page | ||
- admin_payment | ||
- admin_product_category | ||
- admin_product_class_name | ||
- admin_product_csv | ||
- admin_product_copy | ||
- admin_product_edit | ||
- admin_product_edit_class | ||
- admin_product_tag | ||
- admin_product_view | ||
- admin_shipping_csv | ||
- admin_shop_setting | ||
- admin_system | ||
- admin_tax | ||
- admin_template | ||
- entry | ||
- front_block | ||
- front_contact | ||
- front_help | ||
- front_mypage | ||
- front_new_item | ||
- front_product | ||
- front_sitemap | ||
- guest_cart | ||
- guest_front | ||
- guest_shopping | ||
- guest_shopping_customer_edit | ||
- guest_shopping_shipping_edit | ||
- guest_shopping_shipping_multiple | ||
- mypage_change | ||
- mypage_delivery | ||
- mypage_favorite | ||
- mypage_order | ||
- plugin_coupon_admin_coupon | ||
- plugin_coupon_guest_shopping | ||
- plugin_mailmagazine_send | ||
- plugin_mailmagazine_template | ||
- plugin_product_review | ||
- plugin_recommend | ||
- plugin_related_product | ||
- plugin_sales_report | ||
include: | ||
- target: admin_authority | ||
thread_per_host: 1 | ||
- target: admin_customer_delivery | ||
before_script: admin_create_customer.zst | ||
- target: admin_content_cache | ||
thread_per_host: 1 | ||
- target: admin_js_css | ||
thread_per_host: 1 | ||
- target: admin_mail | ||
thread_per_host: 1 | ||
- target: admin_masterdata | ||
thread_per_host: 1 | ||
- target: admin_member_setting | ||
context: default | ||
- target: admin_order_edit_search | ||
before_script: admin_create_customers.zst | ||
- target: admin_shop_setting | ||
thread_per_host: 1 | ||
- target: admin_system | ||
thread_per_host: 1 | ||
- target: admin_template | ||
thread_per_host: 1 | ||
- target: entry | ||
thread_per_host: 1 | ||
- target: mypage_delivery | ||
before_script: admin_create_customer.zst | ||
- target: mypage_order | ||
before_script: admin_create_customer.zst | ||
- target: plugin_coupon_admin_coupon | ||
thread_per_host: 1 | ||
- target: plugin_coupon_guest_shopping | ||
before_script: plugin_coupon_admin_create_coupon.zst | ||
- target: plugin_mailmagazine_send | ||
before_script: plugin_mailmagazine_create_customers.zst | ||
- target: plugin_related_product | ||
thread_per_host: 1 | ||
|
||
steps: | ||
|
||
- name: Maximize build space | ||
run: | | ||
sudo rm -rf /usr/local/lib/android | ||
sudo rm -rf /usr/share/dotnet | ||
sudo rm -rf /opt/ghc | ||
- name: Checkout | ||
uses: actions/checkout@master | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v2 | ||
|
||
- name: Download image | ||
uses: actions/download-artifact@v3 | ||
with: | ||
name: ec-cube | ||
path: /tmp | ||
|
||
- name: Load image | ||
run: | | ||
docker load --input /tmp/ec-cube.tar | ||
docker tag ec-cube ghcr.io/ec-cube/ec-cube-php:8.1-apache | ||
- name: Run containers | ||
env: | ||
APP_ENV: prod | ||
APP_DEBUG: 0 | ||
run: | | ||
docker compose -f docker-compose.yml -f docker-compose.pgsql.yml -f docker-compose.owaspzap.ci.yml up -d --wait | ||
docker compose cp zap/delete_data.sh postgres:/ | ||
docker compose exec -d -e PGUSER=dbuser -e PGDATABASE=eccubedb postgres /delete_data.sh | ||
docker compose cp zap/delete_files.sh ec-cube:/ | ||
docker compose exec -d ec-cube /delete_files.sh | ||
- name: Set up plugins | ||
env: | ||
APP_ENV: prod | ||
APP_DEBUG: 0 | ||
run: | | ||
for code in Api42 Coupon42 MailMagazine42 ProductReview42 Recommend42 RelatedProduct42 SalesReport42 Securitychecker42 SiteKit42 | ||
do | ||
docker compose exec -u www-data:www-data ec-cube bin/console eccube:composer:require "ec-cube/${code,,}" | ||
docker compose exec -u www-data:www-data ec-cube bin/console eccube:plugin:enable --code ${code} | ||
done | ||
- name: Disable rate limiter | ||
run: | | ||
docker compose exec -u www-data:www-data ec-cube sed -i -e "s/eccube_login_throttling_max_attempts: 5/eccube_login_throttling_max_attempts: 1024/" -e "s/eccube_login_throttling_interval: '30 minutes'/eccube_login_throttling_interval: '1 minutes'/" app/config/eccube/packages/eccube.yaml | ||
docker compose exec -u www-data:www-data ec-cube rm -f app/config/eccube/packages/prod/eccube_rate_limiter.yaml | ||
docker compose exec -u www-data:www-data ec-cube sed -i -e 's/30 min/1 min/g' app/config/eccube/packages/eccube_rate_limiter.yaml | ||
docker compose exec -u www-data:www-data ec-cube bin/console cache:clear | ||
docker compose exec -u www-data:www-data ec-cube bin/console debug:container --parameter eccube_login_throttling_max_attempts | ||
docker compose exec -u www-data:www-data ec-cube bin/console debug:container --parameter eccube_login_throttling_interval | ||
docker compose exec -u www-data:www-data ec-cube bin/console debug:config eccube | ||
- name: Generate automation config | ||
env: | ||
ZAP_CONTEXT: "${{ matrix.context }}" | ||
ZAP_THREAD_PER_HOST: "${{ matrix.thread_per_host }}" | ||
ZAP_BEFORE_SCRIPT: "${{ matrix.before_script }}" | ||
run: | | ||
zap/generate_automation_config.sh \ | ||
-t ${{ matrix.target }} \ | ||
${ZAP_BEFORE_SCRIPT:+"-b ${ZAP_BEFORE_SCRIPT}"} \ | ||
${ZAP_CONTEXT:+"-c ${ZAP_CONTEXT}"} \ | ||
${ZAP_THREAD_PER_HOST:+"-n ${ZAP_THREAD_PER_HOST}"} | ||
cat zap/automation/${{ matrix.target }}.yml | ||
- name: Autorun | ||
run: docker compose exec -it zap ./zap.sh -cmd -configfile /zap/wrk/options.properties -autorun wrk/automation/${{ matrix.target }}.yml | ||
|
||
- name: Copy report | ||
if: ${{ always() }} | ||
run: | | ||
docker compose cp zap:/tmp/report /tmp | ||
docker compose cp zap:/tmp/alerts.json /tmp | ||
- name: Upload report | ||
if: ${{ always() }} | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: zap-${{ matrix.target }}-report | ||
path: /tmp/report | ||
|
||
- name: Upload alerts | ||
if: ${{ always() }} | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: zap-${{ matrix.target }}-report | ||
path: /tmp/alerts.json | ||
|
||
merge: | ||
name: Merge alerts | ||
needs: scan | ||
if: ${{ always() }} | ||
runs-on: ubuntu-22.04 | ||
steps: | ||
- name: Download all artifacts | ||
uses: actions/download-artifact@v3 | ||
with: | ||
path: artifacts | ||
- name: Merge alerts | ||
run: | | ||
find . | ||
jq -s add **/alerts.json > all_alerts.json | ||
working-directory: artifacts | ||
- name: Upload alerts | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: all_alerts | ||
path: artifacts/all_alerts.json |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
version: "3" | ||
|
||
services: | ||
zap: | ||
image: kiy0taka/zap2docker-eccube | ||
command: bash -c "zap.sh -cmd -configfile /zap/wrk/options.properties -certpubdump /zap/wrk/owasp_zap_root_ca.cer && sleep infinity" | ||
volumes: | ||
- ./zap/policies:/home/zap/.ZAP/policies/ | ||
- ./zap:/zap/wrk/ | ||
depends_on: | ||
- ec-cube | ||
networks: | ||
- backend | ||
- default | ||
tty: true | ||
healthcheck: | ||
test: echo 'zap' | ||
interval: 3s | ||
timeout: 3s | ||
retries: 3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
#!/bin/bash | ||
|
||
echo '<?php | ||
namespace Eccube\Doctrine\EventSubscriber; | ||
use Doctrine\Common\EventSubscriber; | ||
use Doctrine\ORM\Event\LifecycleEventArgs; | ||
use Doctrine\ORM\Events; | ||
class CancelDeletionEventSubscriber implements EventSubscriber | ||
{ | ||
public function getSubscribedEvents() | ||
{ | ||
return [Events::preRemove]; | ||
} | ||
public function preRemove(LifecycleEventArgs $event) | ||
{ | ||
$event->getEntityManager()->detach($event->getEntity()); | ||
} | ||
}' > CancelDeletionEventSubscriber.php | ||
sed -i.bak -e 's_$fs->remove_// $fs->remove_' src/Eccube/Controller/Admin/Content/PageController.php |
Oops, something went wrong.