tjh.dev
1{ lib
2, fetchFromGitHub
3, python3
4}:
5
6python3.pkgs.buildPythonApplication rec {
7 pname = "wapiti";
8 version = "3.1.7";
9 format = "setuptools";
10
11 src = fetchFromGitHub {
12 owner = "wapiti-scanner";
13 repo = pname;
14 rev = "refs/tags/${version}";
15 hash = "sha256-muAugc0BgVSER2LSRv7ATbCqpXID8/WH+hfhmtoS36o=";
16 };
17
18 propagatedBuildInputs = with python3.pkgs; [
19 aiocache
20 aiosqlite
21 arsenic
22 beautifulsoup4
23 brotli
24 browser-cookie3
25 cryptography
26 dnspython
27 httpcore
28 httpx
29 humanize
30 importlib-metadata
31 loguru
32 mako
33 markupsafe
34 mitmproxy
35 six
36 sqlalchemy
37 tld
38 yaswfp
39 ] ++ httpx.optional-dependencies.brotli
40 ++ httpx.optional-dependencies.socks;
41
42 nativeCheckInputs = with python3.pkgs; [
43 respx
44 pytest-asyncio
45 pytestCheckHook
46 ];
47
48 postPatch = ''
49 # Ignore pinned versions
50 sed -i -e "s/==[0-9.]*//;s/>=[0-9.]*//" setup.py
51 substituteInPlace setup.py \
52 --replace '"pytest-runner"' ""
53 substituteInPlace setup.cfg \
54 --replace " --cov --cov-report=xml" ""
55 '';
56
57 preCheck = ''
58 export HOME=$(mktemp -d);
59 '';
60
61 disabledTests = [
62 # Tests requires network access
63 "test_attr"
64 "test_bad_separator_used"
65 "test_blind"
66 "test_chunked_timeout"
67 "test_cookies_detection"
68 "test_cookies"
69 "test_csrf_cases"
70 "test_detection"
71 "test_direct"
72 "test_dom_detection"
73 "test_drop_cookies"
74 "test_escape_with_style"
75 "test_explorer_extract_links"
76 "test_explorer_filtering"
77 "test_false"
78 "test_frame"
79 "test_headers_detection"
80 "test_html_detection"
81 "test_implies_detection"
82 "test_inclusion_detection"
83 "test_merge_with_and_without_redirection"
84 "test_meta_detection"
85 "test_multi_detection"
86 "test_no_crash"
87 "test_options"
88 "test_out_of_band"
89 "test_partial_tag_name_escape"
90 "test_prefix_and_suffix_detection"
91 "test_qs_limit"
92 "test_rare_tag_and_event"
93 "test_redirect_detection"
94 "test_request_object"
95 "test_save_and_restore_state"
96 "test_script"
97 "test_ssrf"
98 "test_tag_name_escape"
99 "test_timeout"
100 "test_title_false_positive"
101 "test_title_positive"
102 "test_true_positive_request_count"
103 "test_unregistered_cname"
104 "test_url_detection"
105 "test_verify_dns"
106 "test_vulnerabilities"
107 "test_warning"
108 "test_whole"
109 "test_xss_inside_tag_input"
110 "test_xss_inside_tag_link"
111 "test_xss_uppercase_no_script"
112 "test_xss_with_strong_csp"
113 "test_xss_with_weak_csp"
114 "test_xxe"
115 # Requires a PHP installation
116 "test_cookies"
117 "test_loknop_lfi_to_rce"
118 "test_redirect"
119 "test_timesql"
120 "test_xss_inside_href_link"
121 "test_xss_inside_src_iframe"
122 # TypeError: Expected bytes or bytes-like object got: <class 'str'>
123 "test_persister_upload"
124 ];
125
126 disabledTestPaths = [
127 # Requires sslyze which is obsolete and was removed
128 "tests/attack/test_mod_ssl.py"
129 ];
130
131 pythonImportsCheck = [
132 "wapitiCore"
133 ];
134
135 meta = with lib; {
136 description = "Web application vulnerability scanner";
137 longDescription = ''
138 Wapiti allows you to audit the security of your websites or web applications.
139 It performs "black-box" scans (it does not study the source code) of the web
140 application by crawling the webpages of the deployed webapp, looking for
141 scripts and forms where it can inject data. Once it gets the list of URLs,
142 forms and their inputs, Wapiti acts like a fuzzer, injecting payloads to see
143 if a script is vulnerable.
144 '';
145 homepage = "https://wapiti-scanner.github.io/";
146 changelog = "https://github.com/wapiti-scanner/wapiti/blob/${version}/doc/ChangeLog_Wapiti";
147 license = with licenses; [ gpl2Only ];
148 maintainers = with maintainers; [ fab ];
149 };
150}