grpc: skip non-gRPC responses in the variant

Check that the response is valid gRPC before trying to decode it, otherwise it would lead to unnecessary warns as the response is not gRPC. Signed-off-by: thc202 <thc202@gmail.com>
zaproxy · Jul 1, 2024 · 4c1d5cb · 4c1d5cb
1 parent c229767
commit 4c1d5cb
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 5 deletions.
diff --git a/addOns/grpc/CHANGELOG.md b/addOns/grpc/CHANGELOG.md
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Fixed
+- Do not try to decode non-gRPC responses when active scanning, which would lead to unnecessary warnings.
 
 ## [0.1.0] - 2024-06-11
 

diff --git a/addOns/grpc/src/main/java/org/zaproxy/addon/grpc/internal/VariantGrpc.java b/addOns/grpc/src/main/java/org/zaproxy/addon/grpc/internal/VariantGrpc.java
@@ -30,6 +30,8 @@
 import org.apache.logging.log4j.Logger;
 import org.parosproxy.paros.core.scanner.NameValuePair;
 import org.parosproxy.paros.core.scanner.Variant;
+import org.parosproxy.paros.network.HttpBody;
+import org.parosproxy.paros.network.HttpHeader;
 import org.parosproxy.paros.network.HttpMessage;
 
 public class VariantGrpc implements Variant {
@@ -44,7 +46,7 @@ public class VariantGrpc implements Variant {
 
     @Override
     public void setMessage(HttpMessage msg) {
-        if (isValidGrpcMessage(msg)) {
+        if (isValidGrpcMessage(msg.getRequestHeader(), msg.getRequestBody())) {
             try {
                 byte[] body = Base64.getDecoder().decode(msg.getRequestBody().getBytes());
                 byte[] payload = DecoderUtils.extractPayload(body);
@@ -92,9 +94,8 @@ private void parseContent(List<String> decodedList, String commonPrefixForNested
         }
     }
 
-    private boolean isValidGrpcMessage(HttpMessage msg) {
-        return msg.getRequestHeader().hasContentType("application/grpc")
-                && !msg.getRequestBody().toString().isEmpty();
+    private static boolean isValidGrpcMessage(HttpHeader header, HttpBody body) {
+        return header.hasContentType("application/grpc") && !body.toString().isEmpty();
     }
 
     @Override
@@ -179,6 +180,10 @@ public String setEscapedParameter(
 
     @Override
     public void decodeResponseBody(HttpMessage msg) {
+        if (!isValidGrpcMessage(msg.getResponseHeader(), msg.getResponseBody())) {
+            return;
+        }
+
         try {
             byte[] body =
                     DecoderUtils.splitMessageBodyAndStatusCode(msg.getResponseBody().getBytes());