Merge pull request #6000 from thc202/zap/2.16-snapshot
Update codebase to ZAP 2.16
psiinon authored Dec 9, 2024
2 parents 57e93b9 + 35d7455 commit 0057bf3
Showing 117 changed files with 301 additions and 325 deletions.
2 changes: 1 addition & 1 deletion addOns/accessControl/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Changed
- Update minimum ZAP version to 2.15.0.
- Update minimum ZAP version to 2.16.0.
- Maintenance changes.

## [10] - 2024-03-25
Expand Down
4 changes: 2 additions & 2 deletions addOns/addOns.gradle.kts
Original file line number Diff line number Diff line change
Expand Up @@ -161,7 +161,7 @@ subprojects {
}
}

val zapGav = "org.zaproxy:zap:2.15.0"
val zapGav = "org.zaproxy:zap:2.16.0-SNAPSHOT"
dependencies {
"zap"(zapGav)
}
Expand All @@ -174,7 +174,7 @@ subprojects {
)

manifest {
zapVersion.set("2.15.0")
zapVersion.set("2.16.0")

changesFile.set(tasks.named<ConvertMarkdownToHtml>("generateManifestChanges").flatMap { it.html })
repo.set("https://github.com/zaproxy/zap-extensions/")
Expand Down
1 change: 1 addition & 0 deletions addOns/alertFilters/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Changed
- Update minimum ZAP version to 2.16.0.
- Fields with default or missing values are omitted for the `alertFilter` job in saved Automation Framework plans.
- Depend on Passive Scanner add-on (Issue 7959).

Expand Down
2 changes: 1 addition & 1 deletion addOns/allinonenotes/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Changed
- Update minimum ZAP version to 2.15.0.
- Update minimum ZAP version to 2.16.0.
- Maintenance changes.

### Fixed
Expand Down
1 change: 1 addition & 0 deletions addOns/ascanrules/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Changed
- Update minimum ZAP version to 2.16.0.
- Updated help with specific Category identifiers for use with the Custom Payloads add-on for rules:
- Hidden File Finder
- User Agent Fuzzer
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ public class RemoteCodeExecutionCve20121823ScanRule extends AbstractAppPlugin

/** a random string (which remains constant across multiple runs, as long as Zap is not */
static final String RANDOM_STRING =
RandomStringUtils.random(20, "abcdefghijklmnopqrstuvwxyz0123456789");
RandomStringUtils.secure().next(20, "abcdefghijklmnopqrstuvwxyz0123456789");

private static final String ATTACK_PARAM =
"?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input";
Expand Down
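Review bot: The Javadoc on RANDOM_STRING ends mid-sentence (the parenthetical "as long as Zap is not" is never closed), so the new `secure().next(...)` initializer is documented by a fragment. The missing word is presumably "restarted"; what the visible declaration actually supports is `/** A random marker string; as a static final it stays constant for the lifetime of the ZAP process. */`, which I'd use instead. `secure()` backs the value with a SecureRandom, more than a response-matching marker needs, but it is harmless here and is the non-deprecated replacement.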
Original file line number Diff line number Diff line change
Expand Up @@ -498,9 +498,10 @@ public void scan(HttpMessage originalMessage, String paramName, String originalP
// a potential SQL injection causing payload.
HttpMessage msgParseDelay = getNewMsg();
String parseDelayCheckParameter =
RandomStringUtils.random(
newTimeBasedInjectionValue.length(),
RANDOM_PARAMETER_CHARS);
RandomStringUtils.secure()
.next(
newTimeBasedInjectionValue.length(),
RANDOM_PARAMETER_CHARS);
setParameter(msgParseDelay, paramName, parseDelayCheckParameter);
sendAndReceive(msgParseDelay);
countTimeBasedRequests++;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -215,7 +215,8 @@ private void efficientScan(HttpMessage msg, String paramName, String value) {
alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
}

String referenceValue = RandomStringUtils.random(errorPolyglots[0].length(), alphabet);
String referenceValue =
RandomStringUtils.secure().next(errorPolyglots[0].length(), alphabet);
HttpMessage refMsg = getNewMsg();
setParameter(refMsg, paramName, referenceValue);
try {
Expand Down
1 change: 1 addition & 0 deletions addOns/ascanrulesAlpha/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Changed
- Update minimum ZAP version to 2.16.0.
- Maintenance changes.

## [48] - 2024-09-02
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -242,7 +242,8 @@ public void scan(HttpMessage originalmsg, String paramname, String paramvalue) {
// to see if a placebo attack has the same effect
// the parameter will be the same length as the actual attack, but will contain purely
// alphanumeric characters
String placeboAttack = RandomStringUtils.randomAlphanumeric(errorAttack.length());
String placeboAttack =
RandomStringUtils.secure().nextAlphanumeric(errorAttack.length());
HttpMessage placeboAttackMsg = getNewMsg();
this.setParameter(placeboAttackMsg, paramname, placeboAttack);
sendAndReceive(placeboAttackMsg);
Expand Down Expand Up @@ -286,7 +287,7 @@ public void scan(HttpMessage originalmsg, String paramname, String paramvalue) {
// in output substantially DIFFERENT to the original
// get a random parameter value the same length as the original!
String randomparameterAttack =
RandomStringUtils.random(paramvalue.length(), RANDOM_PARAMETER_CHARS);
RandomStringUtils.secure().next(paramvalue.length(), RANDOM_PARAMETER_CHARS);
LOGGER.debug("The random parameter chosen was [{}]", randomparameterAttack);

HttpMessage randomParamMsg1 = getNewMsg();
Expand Down
1 change: 1 addition & 0 deletions addOns/ascanrulesBeta/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Changed
- Update minimum ZAP version to 2.16.0.
- The following scan rules now use more specific CWE IDs:
- Proxy Disclosure (Issue 8713)
- Possible Username Enumeration (Issue 8715)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -461,9 +461,7 @@ private void findBackupFile(HttpMessage originalMessage) throws Exception {
}
String filename = originalMessage.getRequestHeader().getURI().getName();

String randomfilename =
RandomStringUtils.random(
filename.length(), "abcdefghijklmnopqrstuvwxyz0123456789");
String randomfilename = random(filename.length());
String randomfilepath = temppath.substring(0, slashposition) + "/" + randomfilename;

LOGGER.debug("Trying non-existent file: {}", randomfilepath);
Expand Down Expand Up @@ -506,10 +504,7 @@ private void findBackupFile(HttpMessage originalMessage) throws Exception {
// If the parent folder name is really short a collision is likely
// Default to a reasonable length, which may have the inverse effect but we'll
// chance it
String randomparentfoldername =
RandomStringUtils.random(
Math.max(parentfoldername.length(), 4),
"abcdefghijklmnopqrstuvwxyz0123456789");
String randomparentfoldername = random(Math.max(parentfoldername.length(), 4));

// replace the parent folder name with the random one, and build it back into a
// string
Expand Down Expand Up @@ -808,6 +803,10 @@ private void findBackupFile(HttpMessage originalMessage) throws Exception {
}
}

private static String random(int count) {
return RandomStringUtils.secure().next(count, "abcdefghijklmnopqrstuvwxyz0123456789");
}

private static void setMessageCookies(HttpMessage newMsg, HttpMessage originalMsg) {
try {
newMsg.setCookieParams(originalMsg.getCookieParams());
Expand Down
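Review bot: The new `random(int)` helper at the bottom of the hunk hard-codes the alphabet `"abcdefghijklmnopqrstuvwxyz0123456789"`, the same literal the previous code carried twice and that other rules in this commit still inline; a named constant such as `private static final String LOWER_ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789";` with the helper returning `RandomStringUtils.secure().next(count, LOWER_ALNUM)` makes the intent readable. The helper also has no Javadoc; `/** Returns a random lower-case alphanumeric string of {@code count} characters. */` is enough. The first call site passes `filename.length()` unclamped while the second clamps to at least 4 to avoid collisions on short names; if the same concern applies to filenames, the clamp could live in the helper, which is worth confirming. findBackupFile starts outside the hunks.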
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@
*/
public class CorsScanRule extends AbstractAppPlugin implements CommonActiveScanRuleInfo {
private static final Logger LOGGER = LogManager.getLogger(CorsScanRule.class);
private static final String RANDOM_NAME = RandomStringUtils.random(8, true, true);
private static final String RANDOM_NAME = RandomStringUtils.secure().next(8, true, true);
private static final Map<String, String> ALERT_TAGS;

static {
Expand Down
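Review bot: `RandomStringUtils.secure().next(8, true, true)` on the RANDOM_NAME line uses the boolean-flag overload, which is harder to read than the named variant the commit already uses in other rules (`nextAlphanumeric`). Letters and digits are both enabled, so it is the same thing; I'd write `private static final String RANDOM_NAME = RandomStringUtils.secure().nextAlphanumeric(8);`.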
Original file line number Diff line number Diff line change
Expand Up @@ -364,8 +364,8 @@ private void testTraceOrTrack(String method) throws Exception {
// TRACE is supported in 1.0. TRACK is presumably the same, since it is
// a alias for TRACE. Typical Microsoft.
msg.getRequestHeader().setVersion(HttpRequestHeader.HTTP10);
String randomcookiename = RandomStringUtils.randomAlphanumeric(15);
String randomcookievalue = RandomStringUtils.randomAlphanumeric(40);
String randomcookiename = randomAlphanumeric(15);
String randomcookievalue = randomAlphanumeric(40);
TreeSet<HtmlParameter> cookies = msg.getCookieParams();
cookies.add(
new HtmlParameter(HtmlParameter.Type.cookie, randomcookiename, randomcookievalue));
Expand Down Expand Up @@ -539,10 +539,10 @@ private void testHttpMethod(String httpMethod) throws Exception {

if (httpMethod.equals(HttpRequestHeader.PUT)
|| httpMethod.equals(HttpRequestHeader.PATCH)) {
String randomKey = RandomStringUtils.randomAlphanumeric(15);
String randomValue = RandomStringUtils.randomAlphanumeric(15);
String randomKey = randomAlphanumeric(15);
String randomValue = randomAlphanumeric(15);
String randomResource =
RandomStringUtils.random(10, "abcdefghijklmnopqrstuvwxyz0123456789");
RandomStringUtils.secure().next(10, "abcdefghijklmnopqrstuvwxyz0123456789");
String requestBody = '"' + randomKey + "\":\"" + randomValue + '"';
String newURI = msg.getRequestHeader().getURI().toString();
if (newURI.endsWith("/")) {
Expand Down Expand Up @@ -637,4 +637,8 @@ private void testHttpMethod(String httpMethod) throws Exception {
} catch (Exception e) {
}
}

private static String randomAlphanumeric(int count) {
return RandomStringUtils.secure().nextAlphanumeric(count);
}
}
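Review bot: The new `randomAlphanumeric(int)` helper at the end of the class is identical to the one added in the following file section (the `scan()` hunks that reference MAX_FORWARDS), and both classes still keep further `secure().next(n, "...")` calls inline with literal alphabets (the randomResource line here, the previousServerDetails and randompiece lines there); one shared helper, or at least a named alphabet constant per class, would stop the duplication. The helper also lacks Javadoc; `/** Returns {@code count} random alphanumeric characters from a secure source. */` would do. testHttpMethod's body starts outside the hunk, and the empty `catch (Exception e) { }` just above the helper predates this change but swallows every failure and deserves a follow-up.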
Original file line number Diff line number Diff line change
Expand Up @@ -256,8 +256,8 @@ public void scan() {
tracemsg.setRequestHeader(traceRequestHeader);
// create a random cookie, and set it up, so we can detect if the TRACE is enabled (in
// which case, it should echo it back in the response)
String randomcookiename = RandomStringUtils.randomAlphanumeric(15);
String randomcookievalue = RandomStringUtils.randomAlphanumeric(40);
String randomcookiename = randomAlphanumeric(15);
String randomcookievalue = randomAlphanumeric(40);
TreeSet<HtmlParameter> cookies = tracemsg.getCookieParams();
cookies.add(
new HtmlParameter(
Expand Down Expand Up @@ -391,7 +391,7 @@ public void scan() {
int step2numberOfNodesForMethod = 0;
String[] nodeServersForMethod = new String[MAX_FORWARDS_MAXIMUM + 2];
String previousServerDetails =
RandomStringUtils.random(15, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
RandomStringUtils.secure().next(15, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
int previousResponseStatusCode = 0;
int responseStatusCode = 0;
boolean httpHandled =
Expand Down Expand Up @@ -454,8 +454,8 @@ public void scan() {

// create a random cookie, and set it up, so we can detect if the TRACE is
// enabled (in which case, it should echo it back in the response)
String randomcookiename2 = RandomStringUtils.randomAlphanumeric(15);
String randomcookievalue2 = RandomStringUtils.randomAlphanumeric(40);
String randomcookiename2 = randomAlphanumeric(15);
String randomcookievalue2 = randomAlphanumeric(40);
TreeSet<HtmlParameter> cookies2 = mfMethodMsg.getCookieParams();
cookies2.add(
new HtmlParameter(
Expand Down Expand Up @@ -579,7 +579,7 @@ public void scan() {
// yes, I know TRACK requests should *not* be cached, but not all servers are
// compliant.
String randompiece =
RandomStringUtils.random(5, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
RandomStringUtils.secure().next(5, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
trackRequestHeader.setURI(
new URI(
trackURI.getScheme()
Expand Down Expand Up @@ -765,6 +765,10 @@ public void scan() {
}
}

private static String randomAlphanumeric(int count) {
return RandomStringUtils.secure().nextAlphanumeric(count);
}

private static String getPath(URI uri) {
String path = uri.getEscapedPath();
if (path != null) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -164,11 +164,11 @@ public class RelativePathConfusionScanRule extends AbstractAppPlugin
* same URL (in Attack mode, for instance) yielding new vulnerabilities via different random
* file paths.
*/
private static final String RANDOM_ATTACK_PATH =
"/"
+ RandomStringUtils.random(5, RANDOM_PARAMETER_CHARS)
+ "/"
+ RandomStringUtils.random(5, RANDOM_PARAMETER_CHARS);
private static final String RANDOM_ATTACK_PATH = "/" + random(5) + "/" + random(5);

private static String random(int count) {
return RandomStringUtils.secure().next(count, RANDOM_PARAMETER_CHARS);
}

private static final Map<String, String> ALERT_TAGS;

Expand Down
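Review bot: Moving the `RANDOM_PARAMETER_CHARS` reference out of the RANDOM_ATTACK_PATH initializer into `random(int)` drops the compiler's forward-reference check: the old inline initializer could only compile if RANDOM_PARAMETER_CHARS was declared above it, whereas a static method may read a static field declared later, and if that field is not a compile-time constant it would still be null when RANDOM_ATTACK_PATH is initialized. Its declaration is outside the hunk, so please confirm it either precedes RANDOM_ATTACK_PATH or is a `static final` String literal. Separately, the helper is wedged between two field declarations; moving it next to the other private methods and adding `/** Returns {@code count} random characters drawn from RANDOM_PARAMETER_CHARS. */` would read better.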
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ public class SourceCodeDisclosureFileInclusionScanRule extends AbstractAppParamP

// use a random file name which is very unlikely to exist
private static final String NON_EXISTANT_FILENAME =
RandomStringUtils.random(38, "abcdefghijklmnopqrstuvwxyz");
RandomStringUtils.secure().next(38, "abcdefghijklmnopqrstuvwxyz");

// the prefixes to try for source file inclusion
private String[] LOCAL_SOURCE_FILE_TARGET_PREFIXES = {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -395,7 +395,8 @@ public void scan() {

// get a random user name the same length as the original!
String invalidUsername =
RandomStringUtils.randomAlphabetic(currentHtmlParameter.getValue().length())
RandomStringUtils.secure()
.nextAlphabetic(currentHtmlParameter.getValue().length())
.toLowerCase(Locale.ROOT);

LOGGER.debug("The invalid username chosen was [{}]", invalidUsername);
Expand Down
1 change: 1 addition & 0 deletions addOns/authhelper/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Changed
- Update minimum ZAP version to 2.16.0.
- Depend on Passive Scanner add-on (Issue 7959).
- Address deprecation warnings with newer Selenium version (4.27).

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,8 @@
import org.zaproxy.addon.authhelper.HeaderBasedSessionManagementMethodType.HeaderBasedSessionManagementMethod;
import org.zaproxy.zap.authentication.AuthenticationMethod;
import org.zaproxy.zap.authentication.AuthenticationMethod.AuthCheckingStrategy;
import org.zaproxy.zap.extension.pscan.PassiveScanActions;
import org.zaproxy.zap.extension.pscan.PassiveScanData;
import org.zaproxy.zap.extension.pscan.PassiveScanTaskHelper;
import org.zaproxy.zap.model.Context;
import org.zaproxy.zap.network.HttpRequestBody;
import org.zaproxy.zap.network.HttpResponseBody;
Expand Down Expand Up @@ -113,10 +113,9 @@ void shouldSetHeaderBasedSessionManagment() throws Exception {
AuthUtils.recordSessionToken(
new SessionToken(SessionToken.HEADER_SOURCE, "Authorization", token));
PassiveScanData helper = mock(PassiveScanData.class);
PassiveScanTaskHelper taskHelper = mock(PassiveScanTaskHelper.class);
SessionDetectionScanRule rule = this.createScanner();
rule.setHelper(helper);
rule.setTaskHelper(taskHelper);
rule.setPassiveScanActions(mock(PassiveScanActions.class));

// When
rule.scanHttpResponseReceive(msg, 1, null);
Expand Down Expand Up @@ -168,10 +167,9 @@ void shouldCacheSessionToken() throws Exception {
AuthUtils.recordSessionToken(
new SessionToken(SessionToken.HEADER_SOURCE, "Authorization", token));
PassiveScanData helper = mock(PassiveScanData.class);
PassiveScanTaskHelper taskHelper = mock(PassiveScanTaskHelper.class);
SessionDetectionScanRule rule = this.createScanner();
rule.setHelper(helper);
rule.setTaskHelper(taskHelper);
rule.setPassiveScanActions(mock(PassiveScanActions.class));

// When
rule.scanHttpResponseReceive(msg, 1, null);
Expand Down
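Review bot: `rule.setPassiveScanActions(mock(PassiveScanActions.class));` is now repeated verbatim in shouldSetHeaderBasedSessionManagment and shouldCacheSessionToken right after `this.createScanner()`; if createScanner() is the shared factory it looks like, that wiring belongs inside it so future tests cannot forget it. Both test methods start outside the hunks.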
2 changes: 1 addition & 1 deletion addOns/authstats/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Changed
- Update minimum ZAP version to 2.15.0.
- Update minimum ZAP version to 2.16.0.
- Maintenance changes.

## [2] - 2021-10-07
Expand Down
1 change: 1 addition & 0 deletions addOns/automation/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Add exitStatus job (Issue #6928)

### Changed
- Update minimum ZAP version to 2.16.0.
- Maintenance changes.
- Updated automation framework documentation and templates for `activeScan` job to reflect changes to the default value of threadPerHost parameter
- Update help for the "requestor" job.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1159,7 +1159,7 @@ protected void addTests(Object testsObj, AutomationProgress progress) {
@Override
public void logTestsToProgress(AutomationProgress progress) {
if (testsAdded && testsLogError) {
testsLoggedString = RandomStringUtils.randomAlphanumeric(20);
testsLoggedString = RandomStringUtils.secure().nextAlphanumeric(20);
progress.error(testsLoggedString);
}
}
Expand Down
2 changes: 1 addition & 1 deletion addOns/beanshell/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## Unreleased
### Changed
- Maintenance changes.
- Update minimum ZAP version to 2.15.0.
- Update minimum ZAP version to 2.16.0.
- Dependency updates.

## [7] - 2021-10-07
Expand Down
2 changes: 1 addition & 1 deletion addOns/browserView/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Changed
- Update minimum ZAP version to 2.15.0.
- Update minimum ZAP version to 2.16.0.

## [6] - 2023-03-13
### Added
Expand Down
3 changes: 2 additions & 1 deletion addOns/bruteforce/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased

### Changed
- Update minimum ZAP version to 2.16.0.

## [16] - 2024-05-07
### Added
Expand Down
2 changes: 1 addition & 1 deletion addOns/bugtracker/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

## Unreleased
### Changed
- Update minimum ZAP version to 2.15.0.
- Update minimum ZAP version to 2.16.0.
- Maintenance changes.

### Fixed
Expand Down
2 changes: 1 addition & 1 deletion addOns/callgraph/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## Unreleased
### Changed
- Maintenance changes.
- Update minimum ZAP version to 2.15.0.
- Update minimum ZAP version to 2.16.0.

## [5] - 2021-10-07
### Added
Expand Down
