Add ZAP fuzz test (#1970)

.azure-pipelines-templates/common.yml

@@ -32,6 +32,9 @@ jobs:
           - template: push_perf_data.yml
           - template: metrics.yml
 
+      - ${{ if eq(parameters.suffix, 'Fuzz') }}:
+          - template: publish_zap_report.yml
+
       - ${{ if eq(parameters.suffix, 'Release') }}:
           - template: publish_tls_report.yml
           - template: install.yml

.azure-pipelines-templates/matrix.yml

@@ -26,6 +26,8 @@ parameters:
       cmake_args: "-DCMAKE_BUILD_TYPE=Debug -DBUILD_SMALLBANK=OFF"
     perf:
       cmake_args: '-DBUILD_UNIT_TESTS=OFF -DDISTRIBUTE_PERF_TESTS="`../.nodes.sh`"'
+    fuzz:
+      cmake_args: "-DBUILD_UNIT_TESTS=OFF -DZAP_TEST=ON"
 
   test:
     NoSGX:
@@ -34,6 +36,8 @@ parameters:
       ctest_args: '-LE "benchmark|perf|tlstest"'
     perf:
       ctest_args: '-L "benchmark|perf"'
+    fuzz:
+      ctest_args: '-L "zaptest"'
 
 jobs:
   - template: checks.yml
@@ -62,6 +66,17 @@ jobs:
       artifact_name: "SGX_Perf"
       ctest_filter: "${{ parameters.test.perf.ctest_args }}"
 
+  # Fuzzing
+  - template: common.yml
+    parameters:
+      target: NoSGX
+      # Perf env to launch a Docker container inside tests.
+      env: ${{ parameters.env.Perf }}
+      cmake_args: "${{ parameters.build.common.cmake_args }} ${{ parameters.build.fuzz.cmake_args }} ${{ parameters.build.NoSGX.cmake_args }}"
+      suffix: "Fuzz"
+      artifact_name: "NoSGX_Fuzz"
+      ctest_filter: "${{ parameters.test.fuzz.ctest_args }}"
+
   # Release
   - ${{ if eq(parameters.perf_or_release, 'release') }}:
       - template: common.yml

.azure-pipelines-templates/publish_zap_report.yml

@@ -0,0 +1,6 @@
+steps:
+  - task: PublishPipelineArtifact@1
+    condition: succeededOrFailed()
+    inputs:
+      artifactName: "ZAP report"
+      targetPath: build/zap_report.html

CMakeLists.txt

@@ -52,6 +52,9 @@ set(CONSENSUSES cft bft)
 option(BUILD_TESTS "Build tests" ON)
 option(BUILD_UNIT_TESTS "Build unit tests" ON)
 option(TLS_TEST "TLS Test using https://github.com/drwetter/testssl.sh" OFF)
+option(ZAP_TEST
+       "ZAP fuzz test using https://www.zaproxy.org/docs/docker/api-scan/" OFF
+)
 option(BUILD_SMALLBANK "Build SmallBank sample app and clients" ON)
 
 # Build common library for CCF enclaves
@@ -779,6 +782,19 @@ if(BUILD_TESTS)
     )
   endif()
 
+  if(ZAP_TEST)
+    configure_file(
+      ${CMAKE_SOURCE_DIR}/tests/zap.config ${CMAKE_BINARY_DIR}/zap.config
+      COPYONLY
+    )
+    add_e2e_test(
+      NAME zaptest_cft
+      PYTHON_SCRIPT ${CMAKE_SOURCE_DIR}/tests/zap.py
+      CONSENSUS cft
+      LABEL zaptest
+    )
+  endif()
+
   add_e2e_test(
     NAME schema_test_cft
     PYTHON_SCRIPT ${CMAKE_SOURCE_DIR}/tests/schema.py

tests/zap.config

@@ -0,0 +1,17 @@
+# zap-api-scan rule configuration file
+# Active scan rules set to IGNORE will not be run which will speed up the scan
+# Only the rule identifiers are used - the names are just for info
+
+# All rules not mentioned below are reported with level WARN
+
+# To be fixed
+100000	INFO	(A Server Error response code was returned by the server)
+100001	INFO	(Unexpected Content-Type was returned)
+
+# Not applicable to CCF
+10015	IGNORE	(Incomplete or No Cache-control and Pragma HTTP Header Set)
+10021	IGNORE	(X-Content-Type-Options Header Missing)
+10035	IGNORE	(Strict-Transport-Security Header Not Set)
+40012	IGNORE	(Cross Site Scripting (Reflected))
+90022	IGNORE	(Application Error Disclosure)
+10062	IGNORE	(PII Disclosure)

tests/zap.py

@@ -0,0 +1,55 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the Apache 2.0 License.
+import infra.network
+import infra.proc
+import infra.net
+import suite.test_requirements as reqs
+import infra.e2e_args
+import subprocess
+
+
+@reqs.description("HTTP fuzzing with ZAP")
+@reqs.at_least_n_nodes(1)
+def test(network, args):
+    node = network.nodes[0]
+    openapi_endpoint = f"https://{node.host}:{node.rpc_port}/node/api"
+
+    args = [
+        "docker",
+        "run",
+        "--rm",
+        "--network",
+        "host",
+        "-v",
+        f"{args.binary_dir}:/zap/wrk",
+        "-t",
+        "owasp/zap2docker-stable",
+        "zap-api-scan.py",
+        "-t",
+        openapi_endpoint,
+        "-f",
+        "openapi",
+        "-c",
+        "zap.config",
+        "-l",
+        "INFO",
+        "-r",
+        "zap_report.html",
+    ]
+
+    subprocess.run(args, check=True)
+
+
+def run(args):
+    with infra.network.network(
+        args.nodes, args.binary_dir, args.debug_nodes, args.perf_nodes, pdb=args.pdb
+    ) as network:
+        network.start_and_join(args)
+        test(network, args)
+
+
+if __name__ == "__main__":
+    args = infra.e2e_args.cli_args()
+    args.package = "liblogging"
+    args.nodes = ["local://localhost"]
+    run(args)