Reports: XML template fixes

Fixed issue where report was not generated via the API. Made more backwards compatible. Fixed issue where you could end up with report.xml.xml (applies to all reports). Signed-off-by: Simon Bennetts <psiinon@gmail.com>
zaproxy · Jun 3, 2021 · b81010f · b81010f
1 parent eb30e83
commit b81010f
Show file tree

Hide file tree

Showing 7 changed files with 289 additions and 70 deletions.
diff --git a/addOns/reports/CHANGELOG.md b/addOns/reports/CHANGELOG.md
@@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Fixed
 - Include all relevant alerts in XML report templates (Issue 6627).
+- Made XML reports more backwards compatible and fixed issue with generating it via the API.
 
 ## [0.3.0] - 2021-05-06
 ### Added

diff --git a/addOns/reports/src/main/java/org/zaproxy/addon/reports/ExtensionReports.java b/addOns/reports/src/main/java/org/zaproxy/addon/reports/ExtensionReports.java
@@ -26,6 +26,7 @@
 import java.io.IOException;
 import java.io.OutputStream;
 import java.io.Writer;
+import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
@@ -39,6 +40,7 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
+import javax.swing.DefaultListModel;
 import javax.swing.ImageIcon;
 import javax.swing.JButton;
 import javax.swing.tree.DefaultTreeModel;
@@ -50,6 +52,9 @@
 import org.parosproxy.paros.core.scanner.Alert;
 import org.parosproxy.paros.extension.ExtensionAdaptor;
 import org.parosproxy.paros.extension.ExtensionHook;
+import org.parosproxy.paros.model.Model;
+import org.parosproxy.paros.model.SiteMap;
+import org.parosproxy.paros.model.SiteNode;
 import org.parosproxy.paros.view.View;
 import org.thymeleaf.TemplateEngine;
 import org.thymeleaf.context.Context;
@@ -174,6 +179,20 @@ protected AlertNode cloneAlertNode(AlertNode alertNode) {
         return clone;
     }
 
+    public static DefaultListModel<String> getSitesModel() {
+        DefaultListModel<String> sitesModel = new DefaultListModel<>();
+        SiteMap siteMap = Model.getSingleton().getSession().getSiteTree();
+        SiteNode root = siteMap.getRoot();
+        if (root.getChildCount() > 0) {
+            SiteNode child = (SiteNode) root.getFirstChild();
+            while (child != null) {
+                sitesModel.addElement(child.getName());
+                child = (SiteNode) root.getChildAfter(child);
+            }
+        }
+        return sitesModel;
+    }
+
     public static boolean isIncluded(ReportData reportData, AlertNode alertNode) {
         Alert alert = alertNode.getUserObject();
         if (alert == null) {
@@ -219,20 +238,26 @@ public static boolean isIncluded(ReportData reportData, AlertNode alertNode) {
         return true;
     }
 
-    public AlertNode getFilteredAlertTree(ReportData reportData) {
-
-        AlertNode root = null;
-
+    private AlertNode getRootAlertNode()
+            throws NoSuchMethodException, SecurityException, IllegalAccessException,
+                    IllegalArgumentException, InvocationTargetException {
         ExtensionAlert extAlert =
                 Control.getSingleton().getExtensionLoader().getExtension(ExtensionAlert.class);
 
-        try {
-            Method treeModelMethod = extAlert.getClass().getDeclaredMethod("getTreeModel");
-            treeModelMethod.setAccessible(true);
+        Method treeModelMethod = extAlert.getClass().getDeclaredMethod("getTreeModel");
+        treeModelMethod.setAccessible(true);
+
+        DefaultTreeModel treeModel = (DefaultTreeModel) treeModelMethod.invoke(extAlert);
+
+        return (AlertNode) treeModel.getRoot();
+    }
 
-            DefaultTreeModel treeModel = (DefaultTreeModel) treeModelMethod.invoke(extAlert);
+    public AlertNode getFilteredAlertTree(ReportData reportData) {
+
+        AlertNode root = null;
 
-            root = (AlertNode) treeModel.getRoot();
+        try {
+            root = getRootAlertNode();
 
             AlertNode filteredRoot = cloneAlertNode(root);
             AlertNode child;

diff --git a/addOns/reports/src/main/java/org/zaproxy/addon/reports/ReportDialog.java b/addOns/reports/src/main/java/org/zaproxy/addon/reports/ReportDialog.java
@@ -48,8 +48,6 @@
 import org.apache.logging.log4j.Logger;
 import org.parosproxy.paros.Constant;
 import org.parosproxy.paros.model.Model;
-import org.parosproxy.paros.model.SiteMap;
-import org.parosproxy.paros.model.SiteNode;
 import org.parosproxy.paros.view.View;
 import org.zaproxy.zap.extension.alert.AlertNode;
 import org.zaproxy.zap.model.Context;
@@ -103,7 +101,6 @@ public class ReportDialog extends StandardFieldsDialog {
     private ExtensionReports extension = null;
     private JButton[] extraButtons = null;
     private DefaultListModel<Context> contextsModel;
-    private DefaultListModel<String> sitesModel;
 
     private JList<Context> contextsSelector;
     private JList<String> sitesSelector;
@@ -123,7 +120,6 @@ public void init() {
         this.removeAllFields();
         // Ensure the contexts and sites get re-read as they may well have changed
         this.contextsModel = null;
-        this.sitesModel = null;
         this.contextsSelector = null;
         this.sitesSelector = null;
 
@@ -390,25 +386,9 @@ public Component getListCellRendererComponent(
         return contextsSelector;
     }
 
-    private DefaultListModel<String> getSitesModel() {
-        if (sitesModel == null) {
-            sitesModel = new DefaultListModel<>();
-            SiteMap siteMap = Model.getSingleton().getSession().getSiteTree();
-            SiteNode root = siteMap.getRoot();
-            if (root.getChildCount() > 0) {
-                SiteNode child = (SiteNode) root.getFirstChild();
-                while (child != null) {
-                    sitesModel.addElement(child.getName());
-                    child = (SiteNode) root.getChildAfter(child);
-                }
-            }
-        }
-        return sitesModel;
-    }
-
     private JList<String> getSitesSelector() {
         if (sitesSelector == null) {
-            sitesSelector = new JList<>(getSitesModel());
+            sitesSelector = new JList<>(ExtensionReports.getSitesModel());
         }
         return sitesSelector;
     }
@@ -453,9 +433,10 @@ private ReportData getReportData(Template template) {
         reportData.setTheme(template.getThemeForName(getStringValue(FIELD_THEME)));
         if (reportData.getSites().isEmpty()) {
             // None selected so add all
+            DefaultListModel<String> sitesModel = ExtensionReports.getSitesModel();
             reportData.setSites(
-                    IntStream.range(0, getSitesModel().size())
-                            .mapToObj(getSitesModel()::get)
+                    IntStream.range(0, sitesModel.size())
+                            .mapToObj(sitesModel::get)
                             .collect(Collectors.toList()));
         }
         reportData.setIncludeConfidence(0, this.getBoolValue(FIELD_CONFIDENCE_0));

diff --git a/addOns/reports/src/main/java/org/zaproxy/addon/reports/automation/ReportJob.java b/addOns/reports/src/main/java/org/zaproxy/addon/reports/automation/ReportJob.java
@@ -28,6 +28,8 @@
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
+import java.util.stream.IntStream;
+import javax.swing.DefaultListModel;
 import org.parosproxy.paros.CommandLine;
 import org.parosproxy.paros.Constant;
 import org.parosproxy.paros.control.Control;
@@ -72,9 +74,11 @@ public void runJob(
         // Work out the file name based on the pattern
         String fileName =
                 ExtensionReports.getNameFromPattern(
-                                reportFile, env.getUrlStringForContext(env.getDefaultContext()))
-                        + "."
-                        + template.getExtension();
+                        reportFile, env.getUrlStringForContext(env.getDefaultContext()));
+
+        if (!fileName.endsWith("." + template.getExtension())) {
+            fileName += "." + template.getExtension();
+        }
 
         File file;
         if (reportDir != null && reportDir.length() > 0) {
@@ -85,6 +89,11 @@ public void runJob(
         reportData.setTitle(this.reportTitle);
         reportData.setDescription(this.reportDesc);
         reportData.setContexts(env.getContexts());
+        DefaultListModel<String> sitesModel = ExtensionReports.getSitesModel();
+        reportData.setSites(
+                IntStream.range(0, sitesModel.size())
+                        .mapToObj(sitesModel::get)
+                        .collect(Collectors.toList()));
 
         List<String> list = getJobDataList(jobData, "risks", progress);
         if (list.isEmpty()) {

diff --git a/addOns/reports/src/main/zapHomeFiles/reports/traditional-xml/report.xml b/addOns/reports/src/main/zapHomeFiles/reports/traditional-xml/report.xml
@@ -18,7 +18,8 @@
 							th:text="${helper.getRiskString(alert.risk) + ' (' + helper.getConfidenceString(alert.confidence) + ')'}"></riskdesc>
 						<confidencedesc
 							th:text="${helper.getConfidenceString(alert.confidence)}"></confidencedesc>
-						<desc th:text="${alert.description}"></desc>
+						<desc
+							th:text="${helper.legacyEscapeParagraph(alert.description)}"></desc>
 						<instances>
 							<th:block th:each="instance: ${instances}">
 								<instance>
@@ -31,9 +32,12 @@
 							</th:block>
 						</instances>
 						<count th:text="${instances.size()}"></count>
-						<solution th:text="${alert.solution}"></solution>
-						<otherinfo th:text="${alert.otherinfo}"></otherinfo>
-						<reference th:text="${alert.reference}"></reference>
+						<solution
+							th:text="${helper.legacyEscapeParagraph(alert.solution)}"></solution>
+						<otherinfo
+							th:text="${helper.legacyEscapeParagraph(alert.otherinfo)}"></otherinfo>
+						<reference
+							th:text="${helper.legacyEscapeParagraph(alert.reference)}"></reference>
 						<cweid th:text="${alert.cweid}"></cweid>
 						<wascid th:text="${alert.wascid}"></wascid>
 						<sourceid th:text="${alert.sourceHistoryId}"></sourceid>