Project Icon

cherrybomb

API规范验证与安全测试的开源CLI工具

Cherrybomb是一款用Rust开发的开源CLI工具,专注于API规范验证和安全测试。它通过分析OpenAPI文件,帮助开发人员在早期发现并防止API实现错误。Cherrybomb能够检查API规范的最佳实践,验证OAS规则合规性,并测试常见问题和漏洞。通过生成详细的问题报告,Cherrybomb助力开发者快速定位和修复API中的错误,有效降低安全风险,确保API功能符合预期。

cherry_bomb_v1.0

Stop half-done API specifications

Maintained by blst security

docs

Discord Shield

💣 What is Cherrybomb?

Cherrybomb is an CLI tool written in Rust that helps prevent incorrect code implementation early in development. It works by validating and testing your API using an OpenAPI file. Its main goal is to reduce security errors and ensure your API functions as intended.

🔨 How does it work?

Cherrybomb makes sure your API is working correctly. It checks your API's spec file (OpenAPI Specification) for good practices and makes sure it follows the OAS rules. Then, it tests your API for common issues and vulnerabilities. If any problems are found, Cherrybomb gives you a detailed report with the exact location of the problem so you can fix it easily.

🐾 Get Started

Installation

Linux/MacOS:

curl https://cherrybomb.blstsecurity.com/install | /bin/bash

The script requires sudo permissions to move the cherrybomb bin into /usr/local/bin/.

(If you want to view the shell script(or even help to improving it - /scripts/install.sh)

Containerized version

You can get Cherrybomb through its containerized version which is hosted on AWS ECR, and requires an API key that you can get on that addess(the loading is a bit slow) - https://cicd.blstsecurity.com/

docker run --mount type=bind,source=[PATH TO OAS],destination=/home public.ecr.aws/blst-security/cherrybomb:latest cherrybomb -f /home/[OAS NAME] --api-key=[API-KEY]

Get it from crates.io


cargo install cherrybomb

If you don't have cargo installed, you can install it from here

Building from Sources

You can also build Cherrybomb from sources by cloning this repo, and building it using cargo.


git clone https://github.com/blst-security/cherrybomb && cd cherrybomb

The main branch's Cargo.toml file uses cherrybomb-engine and cherrybomb-oas from crates.io.

if you want build those from source too, you can change the following files:

(remove the version number and replace with the path to the local repo)

cherrybomb/Cargo.toml:
cherrybomb-engine = version => { path = "cherrybomb-engine" }
cherrybomb/cherrybomb-engine/Cargo.toml:
cherrybomb-oas = version => { path = "../cherrybomb-oas" }
cargo build --release
sudo mv ./target/release/cherrybomb /usr/local/bin # or any other directory in your PATH

Profile

Profiles allow you to choose the type of check you want to use.

- info: only generates param and endpoint tables
- normal:  both active and passive
- intrusive: active and intrusive [in development]
- passive: only passive tests
- full: all the options

Config

With a configuration file, you can easily edit, view, Cherrybomb's options. The config file allows you to set the running profile, location of the oas file, the verbosity and ignore the TLS error.

Config also allows you to override the server's URL with an array of servers, and add security to the request [in development].

Notice that CLI arguments parameter will override config options if both are set.

You can also add or remove checks from a profile using passive/active-include/exclude. [in development]

cherrybomb --config  <CONFIG_FILE>

Structure of config file:

{
"file" : "open-api.json",
"verbosity" : "normal, 
"profile" : " "Normal",
"passive_include" : ["check1, checks2"],
"active_include": ["check3, check4"],
"servers_override" , ["http://server/"],
"security":  [{
    "auth_type": "Basic",
    "auth_value" : token_value,
    "auth_scope" : scope_name
    }],
"ignore_tls_errors" : true, 
"no_color" : false,
}

Usage

After installing, verify it's working by running

cherrybomb --version

OpenAPI specification

cherrybomb --file <PATH> --profile passive

Passive Output example:

passive_output

Generate Info Table

cherrybomb --file <PATH> --profile info

Parameter table output:

parameter_output

Endpoint table output:

endpoint_output

🍻 Integration

You can embed it into your CI pipeline, and If you plan on doing that I would recommend that you go to our website, sign up, go through the CI pipeline integration wizard, and copy the groovy/GitHub actions snippet built for you.


Example:

CI pipeline builder output

💪 Support

Get help

If you have any questions, please send us a message to support@blstsecurity.com or ask us on our discord server.

You are also welcome to open an Issue here on GitHub.

项目侧边栏1项目侧边栏2
推荐项目
Project Cover

豆包MarsCode

豆包 MarsCode 是一款革命性的编程助手,通过AI技术提供代码补全、单测生成、代码解释和智能问答等功能,支持100+编程语言,与主流编辑器无缝集成,显著提升开发效率和代码质量。

Project Cover

AI写歌

Suno AI是一个革命性的AI音乐创作平台,能在短短30秒内帮助用户创作出一首完整的歌曲。无论是寻找创作灵感还是需要快速制作音乐,Suno AI都是音乐爱好者和专业人士的理想选择。

Project Cover

有言AI

有言平台提供一站式AIGC视频创作解决方案,通过智能技术简化视频制作流程。无论是企业宣传还是个人分享,有言都能帮助用户快速、轻松地制作出专业级别的视频内容。

Project Cover

Kimi

Kimi AI助手提供多语言对话支持,能够阅读和理解用户上传的文件内容,解析网页信息,并结合搜索结果为用户提供详尽的答案。无论是日常咨询还是专业问题,Kimi都能以友好、专业的方式提供帮助。

Project Cover

阿里绘蛙

绘蛙是阿里巴巴集团推出的革命性AI电商营销平台。利用尖端人工智能技术,为商家提供一键生成商品图和营销文案的服务,显著提升内容创作效率和营销效果。适用于淘宝、天猫等电商平台,让商品第一时间被种草。

Project Cover

吐司

探索Tensor.Art平台的独特AI模型,免费访问各种图像生成与AI训练工具,从Stable Diffusion等基础模型开始,轻松实现创新图像生成。体验前沿的AI技术,推动个人和企业的创新发展。

Project Cover

SubCat字幕猫

SubCat字幕猫APP是一款创新的视频播放器,它将改变您观看视频的方式!SubCat结合了先进的人工智能技术,为您提供即时视频字幕翻译,无论是本地视频还是网络流媒体,让您轻松享受各种语言的内容。

Project Cover

美间AI

美间AI创意设计平台,利用前沿AI技术,为设计师和营销人员提供一站式设计解决方案。从智能海报到3D效果图,再到文案生成,美间让创意设计更简单、更高效。

Project Cover

稿定AI

稿定设计 是一个多功能的在线设计和创意平台,提供广泛的设计工具和资源,以满足不同用户的需求。从专业的图形设计师到普通用户,无论是进行图片处理、智能抠图、H5页面制作还是视频剪辑,稿定设计都能提供简单、高效的解决方案。该平台以其用户友好的界面和强大的功能集合,帮助用户轻松实现创意设计。

投诉举报邮箱: service@vectorlightyear.com
@2024 懂AI·鲁ICP备2024100362号-6·鲁公网安备37021002001498号