18 changes: 9 additions & 9 deletions docs/scanners.md
@@ -152,15 +152,15 @@ Scan rules:
40016 Persistent XSS (Prime)
40017 Persistent XSS (Spider)
40018 SQL Injection
40019 SQL Injection MySQL (Timing Based)
40020 SQL Injection Hypersonic (Timing Based)
40021 SQL Injection Oracle (Timing Based)
40022 SQL Injection Postgresql (Timing Based)
40019 SQL Injection MySQL (Time Based)
40020 SQL Injection Hypersonic (Time Based)
40021 SQL Injection Oracle (Time Based)
40022 SQL Injection Postgresql (Time Based)
40023 Username Enumeration
40024 SQL Injection SQLite
40024 SQL Injection SQLite (Time Based)
40025 Proxy Disclosure
40026 Cross site scripting (DOM)
40027 SQL Injection MsSQL (Timing Based)
40027 SQL Injection MsSQL (Time Based)
40028 ELMAH Scanner
40029 trace.axd Scanner
40030 Backslash Powered Scanner
@@ -221,9 +221,9 @@ Scan rules:
90034 Cloud Metadata Attack
90035 Server Side Template Injection
90036 Server Side Template Injection (Blind)
90037 Command Injection (Timing Based)
90038 SQL Injection SQLite (Timing Based)
90039 NoSQL Injection MongoDB (Timing Based)
90037 Command Injection (Time Based)
90038 SQL Injection SQLite (For future use, non-Time Based attacks)
90039 NoSQL Injection MongoDB (Time Based)
90040 DNS add-on SPF rule

100000 Client/Server HTTP Error Response Codes [Script]
7 changes: 6 additions & 1 deletion zap/gradle/japicmp.yaml
@@ -7,4 +7,9 @@ fieldExcludes: []
classExcludes:
- "org.parosproxy.paros.core.scanner.VariantAbstractRPCQuery$RPCParameter"
- "org.parosproxy.paros.core.scanner.VariantJSONQuery$SimpleStringReader"
methodExcludes: []
methodExcludes:
- "org.zaproxy.zap.model.SessionStructure#addPath(org.parosproxy.paros.model.Session,org.parosproxy.paros.model.HistoryReference,org.parosproxy.paros.network.HttpMessage)"
- "org.zaproxy.zap.model.SessionStructure#addPath(org.parosproxy.paros.model.Session,org.parosproxy.paros.model.HistoryReference,org.parosproxy.paros.network.HttpMessage,boolean)"
- "org.zaproxy.zap.model.SessionStructure#find(long,org.apache.commons.httpclient.URI,java.lang.String,java.lang.String)"
- "org.zaproxy.zap.model.SessionStructure#getNodeName(org.parosproxy.paros.network.HttpMessage)"
- "org.zaproxy.zap.model.SessionStructure#getRootNode()"
87 changes: 0 additions & 87 deletions zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java
@@ -53,20 +53,6 @@ public class SessionStructure {

private static final Logger LOGGER = LogManager.getLogger(SessionStructure.class);

/**
* Adds the message to the Sites tree
*
* @param session the session
* @param ref the history reference
* @param msg the message
* @return the node added to the Sites Tree
* @deprecated Use {@link #addPath(Model, HistoryReference, HttpMessage)}
*/
@Deprecated
public static StructuralNode addPath(Session session, HistoryReference ref, HttpMessage msg) {
return addPath(session, ref, msg, false);
}

/**
* Adds the message to the Sites tree
*
@@ -80,23 +66,6 @@ public static StructuralNode addPath(Model model, HistoryReference ref, HttpMess
return addPath(model, ref, msg, false);
}

/**
* Adds the message to the Sites tree
*
* @param session the session
* @param ref the history reference
* @param msg the message
* @param newOnly Only return a SiteNode if one was newly created
* @return the SiteNode that corresponds to the HttpMessage, or null if newOnly and the node
* already exists
* @deprecated Use {@link #addPath(Model, HistoryReference, HttpMessage, boolean)}
*/
@Deprecated
public static StructuralNode addPath(
Session session, HistoryReference ref, HttpMessage msg, boolean newOnly) {
return addPath(Model.getSingleton(), ref, msg, newOnly);
}

/**
* Adds the message to the Sites tree
*
@@ -189,38 +158,6 @@ public static StructuralNode find(Model model, HttpMessage msg)
return new StructuralTableNode(rs);
}

/**
* Finds the node in the Site tree for the given request data
*
* @param sessionId the session id
* @param uri the URI
* @param method the method
* @param postData the POST data
* @return the site node or null if not found
* @throws DatabaseException
* @throws URIException
* @deprecated Use {@link #find(Model, URI, String, String)}
*/
@Deprecated
public static StructuralNode find(long sessionId, URI uri, String method, String postData)
throws DatabaseException, URIException {
Model model = Model.getSingleton();
if (!Constant.isLowMemoryOptionSet()) {
SiteNode node = model.getSession().getSiteTree().findNode(uri, method, postData);
if (node == null) {
return null;
}
return new StructuralSiteNode(node);
}

String nodeName = getNodeName(model, uri, method, postData, null);
RecordStructure rs = model.getDb().getTableStructure().find(sessionId, nodeName, method);
if (rs == null) {
return null;
}
return new StructuralTableNode(rs);
}

/**
* Finds the node in the Site tree for the given request data
*
@@ -284,19 +221,6 @@ private static String getNodeName(
return nodeUrl;
}

/**
* Returns the node name for the given message
*
* @param msg the message
* @return the node name
* @throws URIException
* @deprecated Use {@link #getNodeName(Model, HttpMessage)}
*/
@Deprecated
public static String getNodeName(HttpMessage msg) throws URIException {
return getNodeName(Model.getSingleton(), msg);
}

/**
* Returns the node name for the given message
*
@@ -697,17 +621,6 @@ private static String getScheme(URI uri) {
return scheme.toLowerCase(Locale.ROOT);
}

/**
* Returns the root node
*
* @return the root node
* @deprecated Use {@link #getRootNode(Model)}
*/
@Deprecated
public static StructuralNode getRootNode() {
return getRootNode(Model.getSingleton());
}

/**
* Returns the root node
*
132 changes: 127 additions & 5 deletions zap/src/test/java/org/zaproxy/zap/model/SessionStructureUnitTest.java
@@ -472,14 +472,136 @@ void shouldReturnOverridenPathTree() throws Exception {
}
}

@Nested
static class NodeNameTests {

private Model model;
private Session session;
private VariantFactory factory;

HttpMessage getParams;
HttpMessage postParamsFormData;
HttpMessage postParamsJsonData;
HttpMessage postParamsXmlData;
HttpMessage postMultipartData;

@BeforeEach
void setup() throws Exception {
WithConfigsTest.setUpConstantMessages();
model = mock(Model.class);
session = new Session(model);
factory = new VariantFactory();
given(model.getSession()).willReturn(session);
given(model.getVariantFactory()).willReturn(factory);
getParams =
new HttpMessage(new URI("https://www.example.com/aaa/bbb?aa=bb&cc=dd", false));
postParamsFormData =
getPostMsgWithFormParams(
"https://www.example.com/ccc", "aa=bb&cc=dd", "ee=ff&gg=ee");
postParamsJsonData =
getPostMsg(
"https://www.example.com/ccc",
"aa=bb&cc=dd",
"{\"aaa\":\"bbb\", \"ccc\":\"ddd\", \"eee\":\"fff\"}",
"application/json");
postParamsXmlData =
getPostMsg(
"https://www.example.com/ccc",
"aa=bb&cc=dd",
"<aaa><bbb>BBB</bbb><ccc>CCC</ccc><ddd>DDD</ddd></aaa>",
"text/xml");
Control.initSingletonForTesting(model);
}

@AfterEach
void cleanUp() {
Constant.messages = null;
}

@Test
void shouldGetNodeName() throws URIException {
assertThat(
SessionStructure.getNodeName(model, getParams),
is(equalTo("https://www.example.com/aaa/bbb (aa,cc)")));
assertThat(
SessionStructure.getNodeName(model, postParamsFormData),
is(equalTo("https://www.example.com/ccc (aa,cc)(ee,gg)")));
// FIXME should have the JSON key names
assertThat(
SessionStructure.getNodeName(model, postParamsJsonData),
is(equalTo("https://www.example.com/ccc (aa,cc)")));
// FIXME should have the XML key names
assertThat(
SessionStructure.getNodeName(model, postParamsXmlData),
is(equalTo("https://www.example.com/ccc (aa,cc)")));
}

@Test
void shouldGetLeafName1() throws URIException {
assertThat(
SessionStructure.getLeafName(model, "test", getParams),
is(equalTo("GET:test(aa,cc)")));
assertThat(
SessionStructure.getLeafName(model, "test", postParamsFormData),
is(equalTo("POST:test(aa,cc)(ee,gg)")));
// FIXME should have the JSON key names
assertThat(
SessionStructure.getLeafName(model, "test", postParamsJsonData),
is(
equalTo(
"POST:test(aa,cc)({\"aaa\":\"bbb\", \"ccc\":\"ddd\", \"eee\":\"fff\"})")));
// FIXME should have the XML key names
assertThat(
SessionStructure.getLeafName(model, "test", postParamsXmlData),
is(equalTo("POST:test(aa,cc)(<aaa><bbb>BBB</bbb><ccc>CCC</ccc><ddd>DD...)")));
}

@Test
void shouldGetLeafName2() throws Exception {
assertThat(getLeafName2(getParams), is(equalTo("GET:test(aa,cc)")));
assertThat(getLeafName2(postParamsFormData), is(equalTo("POST:test(aa,cc)(ee,gg)")));
// FIXME should have the JSON key names
assertThat(
getLeafName2(postParamsJsonData),
is(
equalTo(
"POST:test(aa,cc)({\"aaa\":\"bbb\", \"ccc\":\"ddd\", \"eee\":\"fff\"})")));
// FIXME should have the XML key names
assertThat(
getLeafName2(postParamsXmlData),
is(equalTo("POST:test(aa,cc)(<aaa><bbb>BBB</bbb><ccc>CCC</ccc><ddd>DD...)")));
}

String getLeafName2(HttpMessage msg) throws Exception {
return SessionStructure.getLeafName(
model,
"test",
msg.getRequestHeader().getURI(),
msg.getRequestHeader().getMethod(),
msg.getRequestBody().toString());
}
}

private void createPostMsgWithFormParams(String uri, String queryParams, String formParams)
throws URIException {
msg.getRequestHeader().setMethod(HttpRequestHeader.POST);
msg = getPostMsgWithFormParams(uri, queryParams, formParams);
}

private static HttpMessage getPostMsgWithFormParams(
String uri, String queryParams, String formParams) throws URIException {
return getPostMsg(uri, queryParams, formParams, "application/x-www-form-urlencoded");
}

private static HttpMessage getPostMsg(
String uri, String queryParams, String formParams, String contentType)
throws URIException {
HttpMessage message = new HttpMessage();
message.getRequestHeader().setMethod(HttpRequestHeader.POST);
queryParams = queryParams == null ? "" : "?" + queryParams;
msg.getRequestHeader().setURI(new URI(uri + queryParams, true));
msg.getRequestHeader()
.setHeader(HttpHeader.CONTENT_TYPE, "application/x-www-form-urlencoded");
msg.setRequestBody(formParams);
message.getRequestHeader().setURI(new URI(uri + queryParams, true));
message.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE, contentType);
message.setRequestBody(formParams);
return message;
}

public static final class PathTreeVariant implements Variant {
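Review bot: `@Nested static class NodeNameTests` is declared `static`, but JUnit Jupiter only accepts non-static inner classes as `@Nested` test classes, so whether these three tests run depends on how the build discovers static nested classes; declaring it as `@Nested class NodeNameTests {` makes it part of the enclosing class's run. In `setup()`, `Control.initSingletonForTesting(model)` installs the mocked model globally while `cleanUp()` only resets `Constant.messages = null`, so unless the singleton is reset elsewhere (not visible in this section) later tests may still see the mock. The `postMultipartData` field is declared but never assigned or used in the visible code and could be dropped. The `formParams` parameter of `getPostMsg` now also carries JSON and XML bodies, so a name such as `body` would describe it better.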