[pull] main from zaproxy:main

docker/CHANGELOG.md

@@ -1,6 +1,9 @@
 # Changelog
 All notable changes to the docker containers will be documented in this file.
 
+### 2025-11-21
+- Updated `Alert_on_HTTP_Response_Code_Errors.js` to work with GraalVM JavaScript engine.
+
 ### 2025-11-03
 - Set statsId and readonly for scan policies.
 

docker/scripts/scripts/httpsender/Alert_on_HTTP_Response_Code_Errors.js

@@ -76,9 +76,7 @@ function responseReceived(msg, initiator, helper) {
 			alert.setDescription("A response code of " + code + " was returned by the server.\n" +
 				"This may indicate that the application is failing to handle unexpected input correctly.\n" +
 				"Raised by the 'Alert on HTTP Response Code Error' script");
-			// Use a regex to extract the evidence from the response header
-			var regex = new RegExp("^HTTP.*" + code)
-			alert.setEvidence(msg.getResponseHeader().toString().match(regex))
+			alert.setEvidence(code.toString())
 			alert.setCweId(388)	// CWE CATEGORY: Error Handling
 			alert.setWascId(20)	// WASC  Improper Input Handling
 			extensionAlert.alertFound(alert , ref)

zap/src/main/java/org/parosproxy/paros/control/Control.java

@@ -90,6 +90,8 @@
 // ZAP: 2022/02/24 Remove code deprecated in 2.5.0
 // ZAP: 2022/09/21 Use format specifiers instead of concatenation when logging.
 // ZAP: 2023/01/10 Tidy up logger.
+// ZAP: 2025/11/21 From now on we will not be recording changes here as the files have changed so
+// much.
 package org.parosproxy.paros.control;
 
 import java.awt.Desktop;
@@ -113,6 +115,7 @@
 import org.zaproxy.zap.control.AddOnLoader;
 import org.zaproxy.zap.control.ControlOverrides;
 import org.zaproxy.zap.control.ExtensionFactory;
+import org.zaproxy.zap.utils.ErrorUtils;
 import org.zaproxy.zap.utils.ZapHtmlLabel;
 
 /** Overall control with interaction on model and view. */
@@ -522,7 +525,9 @@ public void run() {
                     .getTableSession()
                     .insert(session.getSessionId(), session.getSessionName());
         } catch (DatabaseException e) {
-            LOGGER.error(e.getMessage(), e);
+            if (!ErrorUtils.handleDiskSpaceException(e)) {
+                LOGGER.error(e.getMessage(), e);
+            }
         }
 
         return session;

zap/src/main/java/org/parosproxy/paros/core/scanner/Scanner.java

@@ -60,6 +60,8 @@
 // ZAP: 2023/05/30 Stop HostProcess to stop the Analyser.
 // ZAP: 2024/11/20 Include ID of the scan in relevant log messages.
 // ZAP: 2025/11/03 Record stats for built-in policies.
+// ZAP: 2025/11/21 From now on we will not be recording changes here as the files have changed so
+// much.
 package org.parosproxy.paros.core.scanner;
 
 import java.security.InvalidParameterException;
@@ -215,9 +217,10 @@ public void start(Target target) {
             Stats.incCounter(ASCAN_SCAN_STARTED_USER_STATS);
         }
         Stats.incCounter(
-                "stats.ascan.started.policy." + this.scanPolicy.getStatsId() != null
-                        ? this.scanPolicy.getStatsId()
-                        : "user");
+                "stats.ascan.started.policy."
+                        + (this.scanPolicy.getStatsId() != null
+                                ? this.scanPolicy.getStatsId()
+                                : "user"));
     }
 
     public void stop() {

zap/src/main/java/org/parosproxy/paros/extension/history/ProxyListenerLog.java

@@ -39,6 +39,8 @@
 // ZAP: 2020/11/26 Use Log4j 2 classes for logging.
 // ZAP: 2023/01/10 Tidy up logger.
 // ZAP: 2023/08/22 Do not modify the requests being proxied (Issue 7353).
+// ZAP: 2025/11/21 From now on we will not be recording changes here as the files have changed so
+// much.
 package org.parosproxy.paros.extension.history;
 
 import java.awt.EventQueue;
@@ -56,6 +58,7 @@
 import org.parosproxy.paros.network.HttpMessage;
 import org.parosproxy.paros.network.HttpStatusCode;
 import org.zaproxy.zap.model.SessionStructure;
+import org.zaproxy.zap.utils.ErrorUtils;
 
 public class ProxyListenerLog implements ProxyListener, ConnectRequestProxyListener {
 
@@ -148,8 +151,9 @@ private HistoryReference createHistoryReference(HttpMessage message, int type) {
         try {
             return new HistoryReference(model.getSession(), type, message);
         } catch (Exception e) {
-            // ZAP: Log exceptions
-            LOGGER.warn(e.getMessage(), e);
+            if (!ErrorUtils.handleDiskSpaceException(e)) {
+                LOGGER.warn(e.getMessage(), e);
+            }
         }
         return null;
     }

zap/src/main/java/org/parosproxy/paros/model/HistoryReference.java

@@ -68,6 +68,8 @@
 // ZAP: 2022/09/21 Use format specifiers instead of concatenation when logging.
 // ZAP: 2023/01/10 Tidy up logger.
 // ZAP: 2025/10/01 Alert handling tweaks.
+// ZAP: 2025/11/21 From now on we will not be recording changes here as the files have changed so
+// much.
 package org.parosproxy.paros.model;
 
 import java.util.ArrayList;
@@ -94,6 +96,7 @@
 import org.zaproxy.zap.ZAP;
 import org.zaproxy.zap.eventBus.Event;
 import org.zaproxy.zap.model.Target;
+import org.zaproxy.zap.utils.ErrorUtils;
 
 /**
  * This class abstracts a reference to a http message stored in database. It reads the whole http
@@ -595,7 +598,9 @@ private boolean insertTagDb(String tag) {
             staticTableTag.insert(historyId, tag);
             return true;
         } catch (DatabaseException e) {
-            LOGGER.error("Failed to persist tag: {}", e.getMessage(), e);
+            if (!ErrorUtils.handleDiskSpaceException(e)) {
+                LOGGER.error("Failed to persist tag: {}", e.getMessage(), e);
+            }
         }
         return false;
     }
@@ -643,7 +648,9 @@ public void setNote(String note) {
             httpMessageCachedData.setNote(note != null && note.length() > 0);
             notifyEvent(HistoryReferenceEventPublisher.EVENT_NOTE_SET);
         } catch (DatabaseException e) {
-            LOGGER.error(e.getMessage(), e);
+            if (!ErrorUtils.handleDiskSpaceException(e)) {
+                LOGGER.error("Failed to persist tag: {}", e.getMessage(), e);
+            }
         }
     }
 

zap/src/main/java/org/zaproxy/zap/ZAP.java

@@ -191,12 +191,21 @@ private static void updateStats(Throwable e) {
             try {
                 String baseKey = "stats.error.core.uncaught";
                 Stats.incCounter(baseKey);
-                Stats.incCounter(baseKey + "." + e.getClass().getSimpleName());
+                Stats.incCounter(baseKey + "." + e.getClass().getSimpleName() + getSource(e));
             } catch (Throwable ignore) {
                 // Already handling an earlier error...
             }
         }
 
+        private static String getSource(Throwable t) {
+            StackTraceElement[] trace = t.getStackTrace();
+            if (trace == null || trace.length == 0) {
+                return "";
+            }
+            StackTraceElement top = trace[0];
+            return "(" + top.getFileName() + ":" + top.getLineNumber() + ")";
+        }
+
         private boolean isLoggerConfigured() {
             if (loggerConfigured) {
                 return true;

zap/src/main/java/org/zaproxy/zap/extension/alert/ExtensionAlert.java

@@ -71,6 +71,7 @@
 import org.zaproxy.zap.extension.help.ExtensionHelp;
 import org.zaproxy.zap.model.SessionStructure;
 import org.zaproxy.zap.model.Target;
+import org.zaproxy.zap.utils.ErrorUtils;
 import org.zaproxy.zap.utils.ThreadUtils;
 import org.zaproxy.zap.view.popup.MenuWeights;
 
@@ -233,6 +234,10 @@ public void alertFound(Alert alert, HistoryReference ref) {
 
             writeAlertToDB(alert, ref);
         } catch (Exception e) {
+            if (ErrorUtils.handleDiskSpaceException(e)) {
+                // No point doing anything else
+                return;
+            }
             LOGGER.error(e.getMessage(), e);
         }
 

zap/src/main/java/org/zaproxy/zap/extension/anticsrf/ExtensionAntiCSRF.java

@@ -55,6 +55,7 @@
 import org.parosproxy.paros.network.HttpMalformedHeaderException;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.zap.extension.pscan.ExtensionPassiveScan;
+import org.zaproxy.zap.utils.ErrorUtils;
 
 /**
  * An {@code Extension} that handles anti-csrf tokens.
@@ -253,7 +254,9 @@ public void registerAntiCsrfToken(AntiCsrfToken token) {
                 token.setHistoryReferenceId(hRef.getHistoryId());
                 valueToToken.put(getURLEncode(token.getValue()), token);
             } catch (HttpMalformedHeaderException | DatabaseException e) {
-                LOGGER.error("Failed to persist the message: ", e);
+                if (!ErrorUtils.handleDiskSpaceException(e)) {
+                    LOGGER.error("Failed to persist the message: ", e);
+                }
             }
         }
     }
@@ -424,7 +427,9 @@ public void sessionChanged(Session session) {
                 }
             }
         } catch (DatabaseException | HttpMalformedHeaderException e) {
-            LOGGER.error(e.getMessage(), e);
+            if (!ErrorUtils.handleDiskSpaceException(e)) {
+                LOGGER.error(e.getMessage(), e);
+            }
         }
     }
 

zap/src/main/java/org/zaproxy/zap/extension/ascan/ActiveScan.java

@@ -46,6 +46,7 @@
 import org.zaproxy.zap.extension.ruleconfig.RuleConfigParam;
 import org.zaproxy.zap.model.GenericScanner2;
 import org.zaproxy.zap.model.Target;
+import org.zaproxy.zap.utils.ErrorUtils;
 
 public class ActiveScan extends org.parosproxy.paros.core.scanner.Scanner
         implements GenericScanner2, ScannerListener {
@@ -82,7 +83,6 @@ public static enum State {
     private static final Logger LOGGER = LogManager.getLogger(ActiveScan.class);
 
     private boolean persistTemporaryMessages;
-    private boolean warnDbFull = true;
 
     @Deprecated
     public ActiveScan(
@@ -299,14 +299,12 @@ public void notifyNewMessage(final HttpMessage msg) {
                 msg.setHistoryRef(null);
                 hRefs.add(hRef.getHistoryId());
             } catch (HttpMalformedHeaderException | DatabaseException e) {
-                if (hasCause(e, "Data File size limit is reached")) {
-                    if (warnDbFull) {
-                        warnDbFull = false;
-                        LOGGER.warn("Unable to persist temporary message, database is full.", e);
-                    }
-                } else {
-                    LOGGER.error(e.getMessage(), e);
+                if (ErrorUtils.handleDiskSpaceException(e)) {
+                    // Its serious, stop the scans
+                    this.getHostProcesses().forEach(HostProcess::stop);
+                    return;
                 }
+                LOGGER.error(e.getMessage(), e);
             }
         } else {
             hRefs.add(hRef.getHistoryId());
@@ -322,18 +320,6 @@ public void notifyNewMessage(final HttpMessage msg) {
         }
     }
 
-    private static boolean hasCause(Exception e, String wantedMessage) {
-        Throwable cause = e.getCause();
-        if (cause == null) {
-            return false;
-        }
-        String message = cause.getMessage();
-        if (message == null) {
-            return false;
-        }
-        return message.contains(wantedMessage);
-    }
-
     private void addHistoryReferenceInEdt(final HistoryReference hRef) {
         EventQueue.invokeLater(
                 new Runnable() {

zap/src/main/java/org/zaproxy/zap/extension/params/ExtensionParams.java

@@ -57,6 +57,7 @@
 import org.zaproxy.zap.extension.httpsessions.ExtensionHttpSessions;
 import org.zaproxy.zap.extension.pscan.ExtensionPassiveScan;
 import org.zaproxy.zap.extension.search.ExtensionSearch;
+import org.zaproxy.zap.utils.ErrorUtils;
 import org.zaproxy.zap.utils.ThreadUtils;
 import org.zaproxy.zap.view.SiteMapListener;
 import org.zaproxy.zap.view.SiteMapTreeCellRenderer;
@@ -79,8 +80,6 @@ public class ExtensionParams extends ExtensionAdaptor
     private ExtensionHttpSessions extensionHttpSessions;
     private ParamScanner paramScanner;
 
-    private boolean warnDbFull = true;
-
     public ExtensionParams() {
         super(NAME);
         this.setOrder(58);
@@ -198,8 +197,6 @@ protected ParamsPanel getParamsPanel() {
 
     @Override
     public void sessionChanged(final Session session) {
-        warnDbFull = true;
-
         if (EventQueue.isDispatchThread()) {
             sessionChangedEventHandler(session);
 
@@ -385,35 +382,18 @@ private void persist(HtmlParameterStats param) {
                                 setToString(param.getValues()));
             }
         } catch (DatabaseException e) {
-            if (hasCause(e, "truncation")) {
+            if (ErrorUtils.hasCause(e, "truncation")) {
                 LOGGER.warn("Could not add or update param: {}", param.getName());
                 LOGGER.warn(
                         "It is likely that the length of one of the data elements exceeded the column size.");
                 LOGGER.warn(e.getMessage());
                 LOGGER.debug(e.getMessage(), e);
-            } else if (hasCause(e, "Data File size limit is reached")) {
-                if (warnDbFull) {
-                    warnDbFull = false;
-                    LOGGER.warn("Unable to persist parameter, database is full.", e);
-                }
-            } else {
+            } else if (!ErrorUtils.handleDiskSpaceException(e)) {
                 LOGGER.error(e.getMessage(), e);
             }
         }
     }
 
-    private static boolean hasCause(Exception e, String wantedMessage) {
-        Throwable cause = e.getCause();
-        if (cause == null) {
-            return false;
-        }
-        String message = cause.getMessage();
-        if (message == null) {
-            return false;
-        }
-        return message.contains(wantedMessage);
-    }
-
     public boolean onHttpResponseReceive(HttpMessage msg) {
 
         // Check we know the site