GZip de-compression causes loss of newlines #1584

Closed
zapbot opened this issue Jun 4, 2015 · 1 comment · Fixed by #6160
zapbot commented Jun 4, 2015

What steps will reproduce the problem?
1. Find a URL where the response body contains newlines, and where the server supports gzip compression.
2. Send a request for the URL *with* the request header "Accept-Encoding: gzip"
3. Send a request for the URL *without* the request header "Accept-Encoding: gzip"
4. View both requests by clicking on them in the history tab

What is the expected output? 
The two outputs should match, when ZAP is de-compressing the response for display.

What do you see instead?
Currently, the two outputs do not visually match.  The request that was specified *with*
"Accept-Encoding: gzip" is missing newlines that appear in the other request.

Background: 
refer to https://code.google.com/p/zaproxy/issues/detail?id=1346&q=gzip

Please use labels and text to provide additional information.


Original issue reported on code.google.com by colm.p.oflaherty on 2015-03-30 23:49:59

@thc202 thc202 added this to the 2.10.0 milestone Jul 13, 2020
@thc202 thc202 self-assigned this Aug 31, 2020
thc202 added a commit to thc202/zaproxy that referenced this issue Sep 4, 2020
Do not gzip decode reading lines, read byte chunks instead to not lose
the new line characters.
Change request view models (body and header+body) to decode the body,
like done for the response.
Extract common code to `HttpPanelViewModelUtils` and change the models
accordingly.
Normalise behaviour when setting data with null message, by ignoring the
data being set.

Fix zaproxy#1351 - Decode gzip'ed content in Request tab
Fix zaproxy#1584 - GZip de-compression causes loss of newlines

Signed-off-by: thc202 <thc202@gmail.com>
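To illustrate the defect reported above and the fix the commit describes, here is an added example (not ZAP's own code): `decodeByLines` reproduces the lossy line-based decoding, where `BufferedReader.readLine()` strips every line terminator before the lines are joined, while `decodeByChunks` reads the `GZIPInputStream` in raw byte chunks so the body is preserved byte-for-byte. The class name, helper methods and sample body are constructed for this example.

```java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

/** Added example (not ZAP code): why line-based gzip decoding drops newlines. */
public class GzipNewlineDemo {

    /** Constructed sample body mixing CRLF and LF endings, as a server might send it. */
    static final String BODY =
            "<html>\r\n<body>\n<p>line one</p>\n<p>line two</p>\r\n</body>\n</html>\n";

    /** Compress the body as a server answering with Content-Encoding: gzip would. */
    static byte[] gzip(byte[] plain) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(buf)) {
            gz.write(plain);
        }
        return buf.toByteArray();
    }

    /**
     * Buggy approach (the behaviour this issue reports): readLine() strips the
     * line terminator, so concatenating the lines silently loses every newline
     * and also erases the CRLF/LF distinction the server actually used.
     */
    static String decodeByLines(byte[] compressed) throws IOException {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(
                new GZIPInputStream(new ByteArrayInputStream(compressed)),
                StandardCharsets.UTF_8))) {
            String line;
            while ((line = r.readLine()) != null) {
                sb.append(line);
            }
        }
        return sb.toString();
    }

    /**
     * Fixed approach (what the commit describes): read raw byte chunks from the
     * GZIPInputStream and keep them unchanged, so line terminators survive and
     * the decoded body can be displayed exactly as the server sent it.
     */
    static byte[] decodeByChunks(byte[] compressed) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (InputStream gz = new GZIPInputStream(new ByteArrayInputStream(compressed))) {
            byte[] chunk = new byte[4096];
            int n;
            while ((n = gz.read(chunk)) != -1) {
                out.write(chunk, 0, n);
            }
        }
        return out.toByteArray();
    }

    /** Count occurrences of a character, used to compare newline totals. */
    static int count(String s, char c) {
        int n = 0;
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) == c) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) throws IOException {
        byte[] plain = BODY.getBytes(StandardCharsets.UTF_8);
        byte[] compressed = gzip(plain);

        String lossy = decodeByLines(compressed);
        String exact = new String(decodeByChunks(compressed), StandardCharsets.UTF_8);

        // The line-based decode keeps the text but none of the newlines; the
        // chunk-based decode reproduces the original body exactly.
        System.out.println("newlines in original   : " + count(BODY, '\n'));
        System.out.println("newlines after readLine: " + count(lossy, '\n'));
        System.out.println("chunk decode == original: " + exact.equals(BODY));
    }
}
```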
thc202 added a commit to thc202/zaproxy that referenced this issue Sep 8, 2020
vladidx pushed a commit to vladidx/zaproxy that referenced this issue Oct 7, 2020
vladidx pushed a commit to vladidx/zaproxy that referenced this issue Oct 7, 2020
vladidx pushed a commit to vladidx/zaproxy that referenced this issue Dec 16, 2020
vladidx added a commit to vladidx/zaproxy that referenced this issue Dec 16, 2020
* Add `IS_CONTAINERIZED` env var to containerized check (zaproxy#6108)

This should allow the container to function correctly in all
container runtimes, as it is not bound to a specific
implementation

Signed-off-by: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>

* Added date-time to html report (zaproxy#6084)

Signed-off-by: stefantobler <toblerlstefan@gmail.com>

* Deprecate methods returning a Map of params

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Add workflow to build/push main Docker images

The workflow will build and push the stable and bare Docker images on
repository dispatch and manually.

Signed-off-by: thc202 <thc202@gmail.com>

* Run tests of packaged scans

Add workflow to run the tests of packaged scans, when files in `docker`
directory are changed.
Update tox configuration to run the tests and just use the Python
version available (specified by the workflow).
Ignore tox working directory (`.tox`).
Change `suite.py` to work from any directory not just when executed from
the tests directory.

Signed-off-by: thc202 <thc202@gmail.com>

* Correct file pattern in Test Packaged Scans

Include all files under docker directory, not just in the docker
directory.

Signed-off-by: thc202 <thc202@gmail.com>

* Include Common Library add-on in core package

The Common Library add-on is a dependency of other (included) add-ons
(e.g. passive scan rules), the size of the package increases from 36.9
to 40.2MiB.

Signed-off-by: thc202 <thc202@gmail.com>

* Test common hooks of packaged scans

Test that the hooks are properly loaded, using a file and env var.
Add tests to verify that the common hooks are triggered when and with
the expected values.

Signed-off-by: thc202 <thc202@gmail.com>

* Use importlib to load the hooks for packaged scans

The `imp` module is deprecated by `importlib` module.
Add tests to verify the expected behaviour when the hooks file has
errors.

Signed-off-by: thc202 <thc202@gmail.com>

* Correctly read HTTP bodies

Correct length check when reading chunks of the body.

Fix zaproxy#6138.

Signed-off-by: thc202 <thc202@gmail.com>

* Catch NPE on panel level when saving/validating

Move the catch of the NullPointerException from the container panel to
the individual panels to still allow to validate/save other panels that
do not have issues.
Make the error generic now used for save/validate and provide the
details of the exception for easier report.

Related to zaproxy#6136.
Improvement of zaproxy#5306.

Signed-off-by: thc202 <thc202@gmail.com>

* Update user guide link in CONTRIBUTING doc

Link to the site instead of the wiki.

Signed-off-by: thc202 <thc202@gmail.com>

* Stats: Ignore charset and boundary when counting Content-Types

- StatsPassiveScanner > Extract the content type and charset if present.
- StatsPassiveScannerUnitTest > UnitTest to assert the new behavior.

Fixes zaproxy#5952

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Update webswing

The previous link is now 404ing :(

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Test common functions of packaged scans

Test the following common functions:
 - `zap_spider`
 - `zap_ajax_spider`
 - `zap_active_scan`
 - `zap_wait_for_passive_scan`
 - `zap_import_context`

Change a log statement in `zap_ajax_spider` to not concatenate the log
message to cope with mocked objects.
Change `zap_import_context` to check that the ID of the context was
returned (int) instead of a specific error message, not the same for all
possible errors.

Signed-off-by: thc202 <thc202@gmail.com>

* Scan with context in Docker scripts

Use global variables for the context name and ID to use in the spiders
and active scan, avoiding the need to change the function calls and
breaking existing hooks.
Change import context function to obtain the name of the imported
context.
Update tests to match the new behaviour.

Signed-off-by: beldcode <philip.berthold@tutanota.com>

* Tag Scanner Unit Test & Maintenance

- RegexAutoTagScannerUnitTest > Add initial basic unittests.
- StatsPassiveScannerUnitTest > Moved to correct test package location.
(In follow-up to zaproxy#6137)

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Fix JUnit build

Otherwise fails with `java.lang.BootstrapMethodError:
java.lang.NoClassDefFoundError:
org/junit/platform/engine/EngineDiscoveryListener` when running the
junit tests in Eclipse

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Properly decode gzip in UI and decode request

Do not gzip decode reading lines, read byte chunks instead to not lose
the new line characters.
Change request view models (body and header+body) to decode the body,
like done for the response.
Extract common code to `HttpPanelViewModelUtils` and change the models
accordingly.
Normalise behaviour when setting data with null message, by ignoring the
data being set.

Fix zaproxy#1351 - Decode gzip'ed content in Request tab
Fix zaproxy#1584 - GZip de-compression causes loss of newlines

Signed-off-by: thc202 <thc202@gmail.com>

* Add support for site modifiers

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Update Scanners.md

added new entry:
40037   CustomActiveScanForZAP

* Update docs/scanners.md

Thanks.

Co-authored-by: kingthorin <kingthorin@users.noreply.github.com>

* spelling: occurrences

* Handle "markoccurrences" fix in Constant.java

- Tested by calling the new method in the `else if (isDevMode() ||
isDailyBuild()) {` block.
- Added UnitTest.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Improve error message when starting packaged scans

Fail immediately if the spider scans were not started to provide better
error message, show:
`Failed to start the scan, check the log/output for more details.`

instead of, e.g.:
`invalid literal for int() with base 10: 'does_not_exist'`.

when checking the status of the scan.

Correct `suite.py` to exit with expected code when tests fail.

Signed-off-by: thc202 <thc202@gmail.com>

* spelling: component

* Request Id for Cross-Origin Resource Policy Scan Rule

Signed-off-by: Cotonne <cotonne@users.noreply.github.com>

* Wire in site mod changes

Not sure how this got left out - it was there in my original PR
otherwise this would never have worked :/

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Correct incremental delay in scheduled executor

Check the number of queued tasks not the total number of tasks submitted
when increasing the delay, otherwise it would not work properly when the
tasks are executed/submitted periodically in batches (instead of all at
once).

Fix zaproxy#5701.

Signed-off-by: thc202 <thc202@gmail.com>

* Add GraphQL Add-on to Weekly Release

Signed-off-by: ricekot <ricekot@gmail.com>

* Add new NameValuePair Type for GraphQL Inline Args

Signed-off-by: ricekot <ricekot@gmail.com>

* Initial CustomPages Implementation

Add support for custom error page definitions associated with a Context.
Expose those details and functionality to Passive and Active scanners
(rules). Assume that if a context with custom pages is setup the user
wants those details to be leveraged. Default behavior is to check custom
pages and fallback to status code checking (based on the applicable
custom page definition type and related status codes).

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Upgrade SQLite to 3.32.3.2

Signed-off-by: Cameron Swords <cam.swords@gmail.com>

* Fix WebSwing URLs

The old one no longer works, this one is as per
https://www.webswing.org/downloads

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Custom Pages analyzer fallback & clean code

- In AbstractPlugin.isPage404 fallback to use Analyser.isFileExist. In
AbstractPlugin.isFileExist check isPage200 first then use Analyser.
- Tweak various references to CustomPageType -> CustomPage.Type.

Signed-off-by: Kingthorin <kingthorin@users.noreply.github.com>

* Add option to not fix the content length

Fixes zaproxy#560

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Add option to delete site notes from Search tab

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Add gradle dependency check task & upgrade dependencies

- Similar to: zaproxy/zap-extensions#2308
`./gradlew dependencyUpdates`, should appear under the "help" Gradle
Tasks grouping in Eclipse.
- Update most dependencies, with minor code tweaks to address moved or
deprecated classes/functionality.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Test extraction of anti-csrf tokens from response

Add tests for `ExtensionAntiCSRF#getTokensFromResponse(HttpMessage)` and
`#getTokensFromResponse(HttpMessage, Source)`.

Signed-off-by: thc202 <thc202@gmail.com>

* Fix title caps and typo

Signed-off-by: Jasper Vandemalle <jasper.vandemalle@gmail.com>

* Use user's context during authentication

Use the context from the user being authenticated instead of getting the
context from the login URL. The login URL does not need and might not be
included in the context.

Fix zaproxy#6223.

Signed-off-by: thc202 <thc202@gmail.com>

* Test anti-csrf token replacement in auth request

Extract the methods to `PostBasedAuthenticationMethodType` to be easier
to test.
Assert the expected behaviour when replacing the tokens.

Signed-off-by: thc202 <thc202@gmail.com>

* Use icon for authentication requests

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Cope with session mgmt type not present

Fixes zaproxy#6206

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Update Log4j to 2.x

Depend on the new major version and use 1.x bridge.

Configure Log4j 2 to use a single logger context for ZAP, to use the
same log configuration for everything (core, add-ons, dependencies).

Use two Log4j 2 configurations for main code, one during bootstrap and
another for remaining lifecycle:
 - The bootstrap configuration is automatically loaded by Log4j, from
 the file `log4j2.properties`, which just logs errors to std out.
 - The other configuration, bundled as `log4j2-home.properties`, is
 copied to ZAP home as `log4j2.properties` and is loaded once the home
 is known. This configuration is the equivalent Log4j 1 configuration
 also copied/loaded from the ZAP home.

Use a specific configuration for the tests (`log4j2-test.properties`,
log set to off by default), to not require to tweak the log manually
throughout the tests.
Remove usages of Log4j 1 `NullAppender` in the tests, the class does not
exist in the Log4j 1.x bridge, also, superseded by the configuration.

Migrate the following classes to use the new Log4j 2 APIs:
 - `Constant`, to load the configuration;
 - `SplashScreen`, to show the info/error log events;
 - `ExtensionLog4j`, to show and count error log events;
 - `ZAP.UncaughtExceptionLogger`, to log the uncaught exceptions;
 - `ZapBootstrap`, to disable the std out log when specified.

Remove usage of Log4j 1 configuration in `DaemonBootstrap` and
`GuiBootstrap`, no longer needed and would have no effect.
Change `CommandLineBootstrap` to disable the std out log if not already.

Deprecate `ZapOutputWriter`, no longer used nor functional.
Remove `ZAP#JERICHO_LOGGER_PROVIDER`, the logger provider is no longer
needed, Jericho includes a provider for Log4j 2. Exclude it from binary
compatibility checks (was not part of the API).

Close zaproxy#6196.

Signed-off-by: thc202 <thc202@gmail.com>

* Custom Pages add initial unittests

Add UnitTests for new `AbstractPlugin` functionality,
`CustomPageMatcherLocation`, `CustomPage.Type`, `DefaultCustomPage`
encode/decode functionality.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Fixed capitalization and typo

Signed-off-by: Christian Koidl <christian@koidl.me>

* workflows: Address set-env deprecation

Per: GHSA-mfwh-5m23-j46w

- https://github.com/actions/toolkit/blob/main/docs/commands.md#set-an-environment-variable

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Fixed Capitalization

Signed-off-by: Mohammed Abdul Aziz Syed <msyed@godaddy.com>

* Added Content-Type application/health+json to list of expected.

Signed-off-by: Mateusz Bojanowski <bojanowski.mateusz@gmail.com>

* Add pscan max size in bytes option

Partly addresses zaproxy#3813

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Be more lenient when importing a context

Just require the name when importing a context, preventing exceptions if
the optional fields are not present.

Part of zaproxy#6206.

Signed-off-by: thc202 <thc202@gmail.com>

* Restore active scanning everything in scope

Do not create a `Target` with invalid start node (i.e. null node), just
ignore it (has no special meaning).
Prevent constructing a `StructuralSiteNode` with a null node, to fail
early as possible.

Fix zaproxy#6102.

Signed-off-by: thc202 <thc202@gmail.com>

* Add partial CSRF token search

Signed-off-by: Diogo Silva <diogo.m.r.silva@tecnico.ulisboa.pt>

* Add CSRF default token

Signed-off-by: Diogo Silva <diogo.m.r.silva@tecnico.ulisboa.pt>

* Add tests for HostProcess

Test mainly `traverse` and `canScanNode` logic.
Initialise the list of start nodes in the constructor to avoid
exceptions when running without start nodes.

Signed-off-by: thc202 <thc202@gmail.com>

* Restore and hardcode error messages in Base64

The error messages were removed as part of the deprecation of core
encoder but the `Base64` class is still in use by scan rules (e.g.
`Base64Disclosure`), which would cause some warns/errors to be logged
when decoding malformed base 64 data.

Signed-off-by: thc202 <thc202@gmail.com>

* Address random test failures

Change `ExtensionSessionManagementUnitTest` to reset the state of the
`ScriptBasedSessionManagementMethodType` by setting the script extension
to null (none), it could be already initialised by other test causing
them to fail (trying to register the script type again).
Change `PausableScheduledThreadPoolExecutorUnitTest` to run the tasks
with more delay to give more time for the tasks to execute in case of
slowdowns.

Signed-off-by: thc202 <thc202@gmail.com>

* Add tests for BreakpointMessageHandler2

Test the `isBreakpoint` method.

Signed-off-by: thc202 <thc202@gmail.com>

* Add support for dynamic Look and Feel switching

Fixes zaproxy#6201

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Upgrade to FlatLaf 0.43

Trying to stay on top of this for 2.10 release.

Some of the tabbedpane and other changes seemed good to have.
https://github.com/JFormDesigner/FlatLaf/releases/tag/0.43

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Address some glitches when changing look and feel

Update global pop up menus, otherwise some of them could still be shown
with previous look and feel.
Change help button in param panels to have an empty border instead of
null, to prevent the look and feel change from resetting it.
Related to help button (but not UI glitch), use the same help icon
already loaded by the help extension (and in the extension itself).
Replace toolbar used as spacer which could be detached after changing
the look and feel.

Part of zaproxy#6201.

Signed-off-by: thc202 <thc202@gmail.com>

* Add domxss add-on to weekly release

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Release actions - stop using docker

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Test FilterResult

Assert the expected behaviour of `FilterResult`.

Signed-off-by: thc202 <thc202@gmail.com>

* 5898 added import from file button to regular expression panels

Signed-off-by: Christian Koidl <christian@koidl.me>

* ScanProgressDialog - Set fewer elements with hardcoded colors/attributes

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Fix Report Write Failure When Path Contained '#'

Signed-off-by: ricekot <ricekot@gmail.com>

* Set SNI when resolving with SOCKS proxy

The default SSL socket implementation does not automatically add the SNI
hostname if the address is unresolved.

Signed-off-by: thc202 <thc202@gmail.com>

* Fix exception while loading session

Change `SiteMap` to not try to get the leaf name when finding a branch
(e.g. no method).
Change `Session` to fail earlier if the required parameters are not
provided when getting the leaf name.

Fix zaproxy#6265.

Signed-off-by: thc202 <thc202@gmail.com>

* Check if Log4j legacy conf backup already exists

Avoid logging an error when the backup already exists, which would
happen after running older and newer ZAP versions using the same home.

Signed-off-by: thc202 <thc202@gmail.com>

* Add OneTouchExpandable control to Sites Tree/Request&Response panels

- WorkbenchPanel > Set the horizontal split to show the
OneTouchExpandable control and don't set the divider width (was
previously setting 3, default in nimbus and flatlaf seems to be 5 which
allow the controls to show fully).

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Add Alert reference field

Add new alertRef field to alerts.
This is to allow us to tell the difference between different alerts
raised by the same rule. By default it will be the plugin id - rules
will need to be changed to append a qualifier for each of the alerts
they raise.

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Warn when unable to save malformed HTTP message

Change models to throw an exception if unable to create the HTTP headers
instead of just logging a warning and continue, to allow to show the
error to the user.
Change Manual Request Editor and Break to warn if the data was not
actually set into the message.
Warn when unable to switch components, views, and HTTP method.

Fix zaproxy#4235.

Signed-off-by: thc202 <thc202@gmail.com>

* Allow to instantiate AbstractFrame

Do not require to extend the class to use it, it's not needed.

Signed-off-by: thc202 <thc202@gmail.com>

* PassiveScanData add unit tests & active scan status code fallbacks

- Clarify/tweak handling of Custom Page checks for active scanning.
Fallback to using status codes if there isn't a context in play.
- Add UnitTests for PassiveScanData and status code fallback for passive
scan handling.
- Re-implement
`HttpStatusCode.isClientError`/`HttpStatusCode.isServerError` to take
advantage of Custom Pages and Analyser as applicable for both ascan and
pscan.
- For `isPage404`/`isPage500`/`isClientError`/`isServerError` check
`CustomPage.Type.OK_200` first. In `isPage200` check
`CustomPage.Type.ERROR_500` or `CustomPage.Type.NOTFOUND_404` first
(both ascan and pscan, in case the user is trying to override
something).
- Fix "Cusotm" > "Custom" typos in PassiveScanData and AbstractPlugin.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Use the whole message to get the leaf name

Provide the whole message when available to get the leaf name, allowing
to use other message components if/when needed without adding/changing
the method.

Signed-off-by: thc202 <thc202@gmail.com>

* Address exceptions related to parameter parsing

Do not allow null values as the older method didn't allow them, which
was causing exceptions in scan rules, also, catch exception thrown when
decoding name/value, for same reason.
Provide a method that does not decode and allows null values.

Signed-off-by: thc202 <thc202@gmail.com>

* Add Custom Page unit tests for HostProcess

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Support authentication polling (zaproxy#6163)

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Add convenience methods for identifying CSS related messages

- HttpRequestHeader > Add isCss() method, refactor isImage() method, add
private isSpecificyType(Pattern) method.
- HttpResponseHeader > Add isCss() method.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Fix bug that makes zap test same request twice

Signed-off-by: Diogo Silva <diogo.m.r.silva@tecnico.ulisboa.pt>

* Add auth header define in envvars

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Tweak browser page for browser launch

Reported via slack.

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Add GraphQL to Docker Packaged API Scan

Signed-off-by: ricekot <ricekot@gmail.com>

* Update FlatLaf

Update to latest version, 0.44.

Signed-off-by: thc202 <thc202@gmail.com>

* Add graaljs to weekly

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Fix NPE importing context with no poll data

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* CustomPages: Add core isSuccess Method(s)

- Add `isSuccess(HttpMessage)` in `AbstractPlugin` and
`PassiveScanData`.
- Add Unit Tests for the new method.
- Tweak javadoc for `isClientError(HttpMessage)` and
`isServerError(HttpMessage)` in both classes as well.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Add zap_tune function and zap_tuned hook

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Manual Request response send

Add a Send button to the manual req editor response panel in tab mode
and set the parent for the warning dialogs - otherwise on some OSs these
are shown against the main tab and the dialog gets hidden

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Guard against invalid message views

Validate that the view has the required properties to fail sooner.

Signed-off-by: thc202 <thc202@gmail.com>

* Do not recompile the scripts if not changed

Add `ScriptsCache` which caches scripts of a given type and interface
until they are disabled or the contents changed.

Cache scripts in:
 - `VariantFactory`, for Sites tree usage;
 - `ScriptsActiveScanner`;
 - `ScriptsPassiveScanner`;
 - `HttpSenderScriptListener`;
 - `ProxyListenerScript`.

Fix zaproxy#6010.

Signed-off-by: thc202 <thc202@gmail.com>

* Support packaged authenticated scans

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Stop using Log4j 1.x where possible

Use Log4j 2 classes for logging.
Deprecate public APIs using Log4j 1.x classes.
Remove `ZapOutputWriter` as it's no longer needed (internal and Log4j
1.x specific class).
Suppress breaking changes done to internal classes.

Signed-off-by: thc202 <thc202@gmail.com>

* Fix Req/Resp highlighting in dark mode

Part of zaproxy#5542

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Log params at Debug Level (zaproxy#6322)

* Log params at Debug Level

Signed-off-by: Damien Cuenot <damien.cuenot.c@thalesdigital.io>

* Tweak panel search and find dialog more friendly w/ dark LaFs

- HighlighterUtils > Add public getHightlightColor() method which
uses DisplayUtils.getHighLightColor() when a dark LaF is in use.
(Currently this means a dark orange is used).
  - Have other usages of the public constant highlight color
use this method.
- TabbedPaneSearch > Prevent IndexOutOfBoundsException by not adding
tabs for which the index is -1 (hidden/disabled).
- FindDialog (CTRL + F) > Set the selection color based on
DisplayUtils.getHighlightColor() before selecting the matched string.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Remove PacScript

Remove `PacScript` and related resources/dependencies, it will be moved
to Graal JS add-on (per Nashorn deprecation and removal in newer Java
versions).

Related to zaproxy#265 and zaproxy#4851.

Signed-off-by: thc202 <thc202@gmail.com>

* Auth multi-user fix and new API endpoints

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Correct anti-csrf form generation

Escape URI and parameters' names/values when generating the HTML form.

Fix zaproxy#6121.

Signed-off-by: thc202 <thc202@gmail.com>

* Update dependencies

Update the following dependencies:
 - Bouncy Castle, 1.66 → 1.67;
 - Log4j, 2.13.3 → 2.14.0;
 - JFreeChart, 1.5.0 → 1.5.1;
 - Mockito, 3.5.13 → 3.6.28.

Signed-off-by: thc202 <thc202@gmail.com>

* fix/Dockerfile: Use ARG directive instead of ENV

Since DEBIAN_FRONTEND is only used to do installations,
use ARG command instead of ENV so that the parameter
does not persist after the build process has been completed

Signed-off-by: natebwangsut <nate.bwangsut@gmail.com>

* Refactor SiteStructure and Session

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Update scanners.md

Signed-off-by: Aman Rawat <35992750+theamanrawat@users.noreply.github.com>

* Do not update Content-Length in byte models

The Content-Length is now updated optionally based on the UI option.
Extract method that finds the header limit and correct line feed case.

Signed-off-by: thc202 <thc202@gmail.com>

* Update FlatLaf

Update to latest version, 0.45.

Signed-off-by: thc202 <thc202@gmail.com>

* Update scanners.md

Signed-off-by: Aman Rawat <35992750+theamanrawat@users.noreply.github.com>

* Add buttons in break panel to select types of requests intercepted

Signed-off-by: Diogo Silva <diogo.m.r.silva@tecnico.ulisboa.pt>

* Add node for URLs ending with a slash

This allows us to differentiate between https://www.example.com/a and
https://www.example.com/a/

The main impact is to the active scanner as this works off the sites
tree - if you select the new "/" node then it will have no children and
therefore not recurse as most people will want.
So now if you specify a URL with a trailing slash then the slash will be
ignored if you specify 'recurse'.

Will require a corresponding change to the Quick Start add-on

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Add content encodings to HTTP bodies

Encode/decode in `HttpBody` to allow to use the content transparently
throughout the codebase (e.g. `toString()`).
Support GZIP and deflate content codings.

Fix zaproxy#408.

Signed-off-by: thc202 <thc202@gmail.com>

* Update default and common user agents

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Update email used in certs

Use the address of the ZAP dev list instead of the (archived) OWASP ZAP
list.

Signed-off-by: thc202 <thc202@gmail.com>

* Common user agents: Fix tabs and spaces

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Add target to ajaxSpider.scan_as_user call

Signed-off-by: Viktor Smirnov <viktor.smirnov@planhat.com>

* Custom Pages: Add Help Index

Per: zaproxy/zap-core-help#335

Part of: zaproxy#9

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Avoid NPE when checking for AuthenticationScriptV2

Check if the script is null (i.e. does not implement the interface)
before trying to call its methods.

Signed-off-by: thc202 <thc202@gmail.com>

* Added support for dynamic technologies

Signed-off-by: t4skforce <t4skforce1337@gmail.com>

* Update Webswing and Java in stable

Update Webswing to latest version (20.2.1), to work with Java 11.
Update Webswing's ZAP config.
Update Java to version 11 in stable.

Signed-off-by: thc202 <thc202@gmail.com>

* Update for 2.10 add-ons WIP

Can't update the help add-on until it's published, and that may have some
changes (eg to the release notes).

Add-ons added for this release:

* domxss
* encoder
* formhandler
* graaljs
* graphql
* retire

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

Co-authored-by: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Co-authored-by: stefantobler <toblerlstefan@gmail.com>
Co-authored-by: Simon Bennetts <psiinon@gmail.com>
Co-authored-by: thc202 <thc202@gmail.com>
Co-authored-by: kingthorin <kingthorin@users.noreply.github.com>
Co-authored-by: beldcode <philip.berthold@tutanota.com>
Co-authored-by: gdgd009xcd <patsz.g1owq@gmail.com>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
Co-authored-by: Cotonne <cotonne@users.noreply.github.com>
Co-authored-by: ricekot <ricekot@gmail.com>
Co-authored-by: Cameron Swords <cam.swords@gmail.com>
Co-authored-by: Jasper Vandemalle <jasper.vandemalle@gmail.com>
Co-authored-by: Christian Koidl <christian@koidl.me>
Co-authored-by: Mohammed Abdul Aziz Syed <msyed@godaddy.com>
Co-authored-by: Mateusz Bojanowski <bojanowski.mateusz@gmail.com>
Co-authored-by: Diogo Silva <diogo.m.r.silva@tecnico.ulisboa.pt>
Co-authored-by: Damien Cuenot <11711525+dcuenot@users.noreply.github.com>
Co-authored-by: natebwangsut <nate.bwangsut@gmail.com>
Co-authored-by: Aman Rawat <35992750+theamanrawat@users.noreply.github.com>
Co-authored-by: Viktor Smirnov <viktor.smirnov@planhat.com>
Co-authored-by: t4skforce <t4skforce1337@gmail.com>
vladidx pushed a commit to vladidx/zaproxy that referenced this issue Dec 16, 2020
Do not gzip decode reading lines, read byte chunks instead to not lose
the new line characters.
Change request view models (body and header+body) to decode the body,
like done for the response.
Extract common code to `HttpPanelViewModelUtils` and change the models
accordingly.
Normalise behaviour when setting data with null message, by ignoring the
data being set.

Fix zaproxy#1351 - Decode gzip'ed content in Request tab
Fix zaproxy#1584 - GZip de-compression causes loss of newlines

Signed-off-by: thc202 <thc202@gmail.com>
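The commit message above (and its copy in the squashed merge message further down) states the root cause of this issue: decoding the gzip body by reading lines drops the line terminators, because a line reader consumes them, so the decoded view of a gzip-encoded response no longer matches the uncompressed one. The following is an added example, not ZAP's own code, that reproduces the lossy approach beside the byte-chunk approach on a constructed body containing both `\r\n` and `\n` terminators. The class name `GzipNewlineDemo`, the method names and the `maxDecodedSize` cap (an assumed safeguard for decoding untrusted bodies, not something this commit describes) are this example's own.

```java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

public class GzipNewlineDemo {

    // Constructed sample body: mixed CRLF and LF line terminators, trailing LF.
    static final String BODY = "<html>\r\n<body>line two\nline three</body>\n";

    // Compress the sample body the way a server with "Content-Encoding: gzip" would.
    static byte[] gzip(String s) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(bos)) {
            gz.write(s.getBytes(StandardCharsets.UTF_8));
        }
        return bos.toByteArray();
    }

    // Lossy approach: BufferedReader.readLine() strips "\n", "\r" and "\r\n",
    // so concatenating the lines silently removes every terminator.
    static String decodeByLines(byte[] compressed) throws IOException {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(
                new GZIPInputStream(new ByteArrayInputStream(compressed)),
                StandardCharsets.UTF_8))) {
            String line;
            while ((line = r.readLine()) != null) {
                sb.append(line);
            }
        }
        return sb.toString();
    }

    // Preserving approach: copy raw byte chunks, so the decoded bytes are exactly
    // the original body. The size cap is an assumed guard against decompression
    // bombs when the compressed input is untrusted (hypothetical, not from ZAP).
    static byte[] decodeByChunks(byte[] compressed, int maxDecodedSize) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (GZIPInputStream gz = new GZIPInputStream(new ByteArrayInputStream(compressed))) {
            byte[] buf = new byte[4096];
            int n;
            while ((n = gz.read(buf)) != -1) {
                if (out.size() + n > maxDecodedSize) {
                    throw new IOException("decoded body exceeds " + maxDecodedSize + " bytes");
                }
                out.write(buf, 0, n);
            }
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] compressed = gzip(BODY);

        String lossy = decodeByLines(compressed);
        String exact = new String(decodeByChunks(compressed, 1 << 20), StandardCharsets.UTF_8);

        System.out.println("line-based decode matches original:  " + BODY.equals(lossy));
        System.out.println("chunk-based decode matches original: " + BODY.equals(exact));
        System.out.println("newline chars kept (lines):  " + lossy.chars().filter(c -> c == '\n').count());
        System.out.println("newline chars kept (chunks): " + exact.chars().filter(c -> c == '\n').count());
    }
}
```

Run it with `javac GzipNewlineDemo.java && java GzipNewlineDemo`. The line-based result loses all three terminators, which is the visual mismatch between the gzip and non-gzip requests reported in this issue; the chunk-based result is byte-for-byte identical to the body. Decoding at the byte level also keeps the body length correct, which matters wherever the decoded body is later compared, searched or re-sent.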
vladidx added a commit to vladidx/zaproxy that referenced this issue Dec 16, 2020
* Add `IS_CONTAINERIZED` env var to containerized check (zaproxy#6108)

This should allow the container to function correctly in all
container runtimes, as it is not bound to a specific
implementation

Signed-off-by: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>

* Added date-time to html report (zaproxy#6084)

Signed-off-by: stefantobler <toblerlstefan@gmail.com>

* Deprecate methods returning a Map of params

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Add workflow to build/push main Docker images

The workflow will build and push the stable and bare Docker images on
repository dispatch and manually.

Signed-off-by: thc202 <thc202@gmail.com>

* Run tests of packaged scans

Add workflow to run the tests of packaged scans, when files in `docker`
directory are changed.
Update tox configuration to run the tests and just use the Python
version available (specified by the workflow).
Ignore tox working directory (`.tox`).
Change `suite.py` to work from any directory not just when executed from
the tests directory.

Signed-off-by: thc202 <thc202@gmail.com>

* Correct file pattern in Test Packaged Scans

Include all files under docker directory, not just in the docker
directory.

Signed-off-by: thc202 <thc202@gmail.com>

* Include Common Library add-on in core package

The Common Library add-on is a dependency of other (included) add-ons
(e.g. passive scan rules); the size of the package increases from 36.9
to 40.2MiB.

Signed-off-by: thc202 <thc202@gmail.com>

* Test common hooks of packaged scans

Test that the hooks are properly loaded, using a file and env var.
Add tests to verify that the common hooks are triggered when and with
the expected values.

Signed-off-by: thc202 <thc202@gmail.com>

* Use importlib to load the hooks for packaged scans

The `imp` module is deprecated by the `importlib` module.
Add tests to verify the expected behaviour when the hooks file has
errors.

Signed-off-by: thc202 <thc202@gmail.com>

* Correctly read HTTP bodies

Correct length check when reading chunks of the body.

Fix zaproxy#6138.

Signed-off-by: thc202 <thc202@gmail.com>

* Catch NPE on panel level when saving/validating

Move the catch of the NullPointerException from the container panel to
the individual panels to still allow to validate/save other panels that
do not have issues.
Make the error generic now used for save/validate and provide the
details of the exception for easier report.

Related to zaproxy#6136.
Improvement of zaproxy#5306.

Signed-off-by: thc202 <thc202@gmail.com>

* Update user guide link in CONTRIBUTING doc

Link to the site instead of the wiki.

Signed-off-by: thc202 <thc202@gmail.com>

* Stats: Ignore charset and boundary when counting Content-Types

- StatsPassiveScanner > Extract the content type and charset if present.
- StatsPassiveScannerUnitTest > UnitTest to assert the new behavior.

Fixes zaproxy#5952

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Update webswing

The previous link is now 404ing :(

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Test common functions of packaged scans

Test the following common functions:
 - `zap_spider`
 - `zap_ajax_spider`
 - `zap_active_scan`
 - `zap_wait_for_passive_scan`
 - `zap_import_context`

Change a log statement in `zap_ajax_spider` to not concatenate the log
message to cope with mocked objects.
Change `zap_import_context` to check that the ID of the context was
returned (int) instead of a specific error message, not the same for all
possible errors.

Signed-off-by: thc202 <thc202@gmail.com>

* Scan with context in Docker scripts

Use global variables for the context name and ID to use in the spiders
and active scan, avoiding the need to change the function calls and
breaking existing hooks.
Change import context function to obtain the name of the imported
context.
Update tests to match the new behaviour.

Signed-off-by: beldcode <philip.berthold@tutanota.com>

* Tag Scanner Unit Test & Maintenance

- RegexAutoTagScannerUnitTest > Add initial basic unittests.
- StatsPassiveScannerUnitTest > Moved to correct test package location.
(In follow-up to zaproxy#6137)

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Fix JUnit build

Otherwise fails with `java.lang.BootstrapMethodError:
java.lang.NoClassDefFoundError:
org/junit/platform/engine/EngineDiscoveryListener` when running the
junit tests in Eclipse

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Properly decode gzip in UI and decode request

Do not gzip decode reading lines, read byte chunks instead to not lose
the new line characters.
Change request view models (body and header+body) to decode the body,
like done for the response.
Extract common code to `HttpPanelViewModelUtils` and change the models
accordingly.
Normalise behaviour when setting data with null message, by ignoring the
data being set.

Fix zaproxy#1351 - Decode gzip'ed content in Request tab
Fix zaproxy#1584 - GZip de-compression causes loss of newlines

Signed-off-by: thc202 <thc202@gmail.com>

* Add support for site modifiers

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Update Scanners.md

added new entry:
40037   CustomActiveScanForZAP

* Update docs/scanners.md

Thanks.

Co-authored-by: kingthorin <kingthorin@users.noreply.github.com>

* spelling: occurrences

* Handle "markoccurrences" fix in Constant.java

- Tested by calling the new method in the `else if (isDevMode() ||
isDailyBuild()) {` block.
- Added UnitTest.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Improve error message when starting packaged scans

Fail immediately if the spider scans were not started to provide a better
error message, show:
`Failed to start the scan, check the log/output for more details.`

instead of, e.g.:
`invalid literal for int() with base 10: 'does_not_exist'`.

when checking the status of the scan.

Correct `suite.py` to exit with expected code when tests fail.

Signed-off-by: thc202 <thc202@gmail.com>

* spelling: component

* Request Id for Cross-Origin Resource Policy Scan Rule

Signed-off-by: Cotonne <cotonne@users.noreply.github.com>

* Wire in site mod changes

Not sure how this got left out - it was there in my original PR
otherwise this would never have worked :/

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Correct incremental delay in scheduled executor

Check the number of queued tasks not the total number of tasks submitted
when increasing the delay, otherwise it would not work properly when the
tasks are executed/submitted periodically in batches (instead of all at
once).

Fix zaproxy#5701.

Signed-off-by: thc202 <thc202@gmail.com>

* Add GraphQL Add-on to Weekly Release

Signed-off-by: ricekot <ricekot@gmail.com>

* Add new NameValuePair Type for GraphQL Inline Args

Signed-off-by: ricekot <ricekot@gmail.com>

* Initial CustomPages Implementation

Add support for custom error page definitions associated with a Context.
Expose those details and functionality to Passive and Active scanners
(rules). Assume that if a context with custom pages is setup the user
wants those details to be leveraged. Default behavior is to check custom
pages and fallback to status code checking (based on the applicable
custom page definition type and related status codes).

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Upgrade SQLite to 3.32.3.2

Signed-off-by: Cameron Swords <cam.swords@gmail.com>

* Fix WebSwing URLs

The old one no longer works, this one is as per
https://www.webswing.org/downloads

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Custom Pages analyzer fallback & clean code

- In AbstractPlugin.isPage404 fallback to use Analyser.isFileExist. In
AbstractPlugin.isFileExist check isPage200 first then use Analyser.
- Tweak various references to CustomPageType -> CustomPage.Type.

Signed-off-by: Kingthorin <kingthorin@users.noreply.github.com>

* Add option to not fix the content length

Fixes zaproxy#560

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Add option to delete site notes from Search tab

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Add gradle dependency check task & upgrade dependencies

- Similar to: zaproxy/zap-extensions#2308
`./gradlew dependencyUpdates`, should appear under the "help" Gradle
Tasks grouping in Eclipse.
- Update most dependencies, with minor code tweaks to address moved or
deprecated classes/functionality.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Test extraction of anti-csrf tokens from response

Add tests for `ExtensionAntiCSRF#getTokensFromResponse(HttpMessage)` and
`#getTokensFromResponse(HttpMessage, Source)`.

Signed-off-by: thc202 <thc202@gmail.com>

* Fix title caps and typo

Signed-off-by: Jasper Vandemalle <jasper.vandemalle@gmail.com>

* Use user's context during authentication

Use the context from the user being authenticated instead of getting the
context from the login URL. The login URL does not need to be and might
not be included in the context.

Fix zaproxy#6223.

Signed-off-by: thc202 <thc202@gmail.com>

* Test anti-csrf token replacement in auth request

Extract the methods to `PostBasedAuthenticationMethodType` to be easier
to test.
Assert the expected behaviour when replacing the tokens.

Signed-off-by: thc202 <thc202@gmail.com>

* Use icon for authentication requests

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Cope with session mgmt type not present

Fixes zaproxy#6206

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Update Log4j to 2.x

Depend on the new major version and use 1.x bridge.

Configure Log4j 2 to use a single logger context for ZAP, to use the
same log configuration for everything (core, add-ons, dependencies).

Use two Log4j 2 configurations for main code, one during bootstrap and
another for remaining lifecycle:
 - The bootstrap configuration is automatically loaded by Log4j, from
 the file `log4j2.properties`, which just logs errors to std out.
 - The other configuration, bundled as `log4j2-home.properties`, is
 copied to ZAP home as `log4j2.properties` and is loaded once the home
 is known. This configuration is the equivalent Log4j 1 configuration
 also copied/loaded from the ZAP home.

Use a specific configuration for the tests (`log4j2-test.properties`,
log set to off by default), to not require to tweak the log manually
throughout the tests.
Remove usages of Log4j 1 `NullAppender` in the tests, the class does not
exist in the Log4j 1.x bridge, also, superseded by the configuration.

Migrate the following classes to use the new Log4j 2 APIs:
 - `Constant`, to load the configuration;
 - `SplashScreen`, to show the info/error log events;
 - `ExtensionLog4j`, to show and count error log events;
 - `ZAP.UncaughtExceptionLogger`, to log the uncaught exceptions;
 - `ZapBootstrap`, to disable the std out log when specified.

Remove usage of Log4j 1 configuration in `DaemonBootstrap` and
`GuiBootstrap`, no longer needed and would have no effect.
Change `CommandLineBootstrap` to disable the std out log if not already.

Deprecate `ZapOutputWriter`, no longer used nor functional.
Remove `ZAP#JERICHO_LOGGER_PROVIDER`, the logger provider is no longer
needed, Jericho includes a provider for Log4j 2. Exclude it from binary
compatibility checks (was not part of the API).

Close zaproxy#6196.

Signed-off-by: thc202 <thc202@gmail.com>

* Custom Pages add initial unittests

Add UnitTests for new `AbstractPlugin` functionality,
`CustomPageMatcherLocation`, `CustomPage.Type`, `DefaultCustomPage`
encode/decode functionality.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Fixed capitalization and typo

Signed-off-by: Christian Koidl <christian@koidl.me>

* workflows: Address set-env deprecation

Per: GHSA-mfwh-5m23-j46w

- https://github.com/actions/toolkit/blob/main/docs/commands.md#set-an-environment-variable

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Fixed Capitalization

Signed-off-by: Mohammed Abdul Aziz Syed <msyed@godaddy.com>

* Added Content-Type application/health+json to list of expected.

Signed-off-by: Mateusz Bojanowski <bojanowski.mateusz@gmail.com>

* Add pscan max size in bytes option

Partly addresses zaproxy#3813

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Be more lenient when importing a context

Just require the name when importing a context, preventing exceptions if
the optional fields are not present.

Part of zaproxy#6206.

Signed-off-by: thc202 <thc202@gmail.com>

* Restore active scanning everything in scope

Do not create a `Target` with invalid start node (i.e. null node), just
ignore it (has no special meaning).
Prevent constructing a `StructuralSiteNode` with a null node, to fail
early as possible.

Fix zaproxy#6102.

Signed-off-by: thc202 <thc202@gmail.com>

* Add partial CSRF token search

Signed-off-by: Diogo Silva <diogo.m.r.silva@tecnico.ulisboa.pt>

* Add CSRF default token

Signed-off-by: Diogo Silva <diogo.m.r.silva@tecnico.ulisboa.pt>

* Add tests for HostProcess

Test mainly `traverse` and `canScanNode` logic.
Initialise the list of start nodes in the constructor to avoid
exceptions when running without start nodes.

Signed-off-by: thc202 <thc202@gmail.com>

* Restore and hardcode error messages in Base64

The error messages were removed as part of the deprecation of core
encoder but the `Base64` class is still in use by scan rules (e.g.
`Base64Disclosure`), which would cause some warns/errors to be logged
when decoding malformed base 64 data.

Signed-off-by: thc202 <thc202@gmail.com>

* Address random test failures

Change `ExtensionSessionManagementUnitTest` to reset the state of the
`ScriptBasedSessionManagementMethodType` by setting the script extension
to null (none), it could be already initialised by other test causing
them to fail (trying to register the script type again).
Change `PausableScheduledThreadPoolExecutorUnitTest` to run the tasks
with more delay to give more time for the tasks to execute in case of
slowdowns.

Signed-off-by: thc202 <thc202@gmail.com>

* Add tests for BreakpointMessageHandler2

Test the `isBreakpoint` method.

Signed-off-by: thc202 <thc202@gmail.com>

* Add support for dynamic Look and Feel switching

Fixes zaproxy#6201

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Upgrade to FlatLaf 0.43

Trying to stay on top of this for 2.10 release.

Some of the tabbedpane and other changes seemed good to have.
https://github.com/JFormDesigner/FlatLaf/releases/tag/0.43

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Address some glitches when changing look and feel

Update global pop up menus, otherwise some of them could still be shown
with previous look and feel.
Change help button in param panels to have an empty border instead of
null, to prevent the look and feel change from resetting it.
Related to help button (but not UI glitch), use the same help icon
already loaded by the help extension (and in the extension itself).
Replace toolbar used as spacer which could be detached after changing
the look and feel.

Part of zaproxy#6201.

Signed-off-by: thc202 <thc202@gmail.com>

* Add domxss add-on to weekly release

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Release actions - stop using docker

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Test FilterResult

Assert the expected behaviour of `FilterResult`.

Signed-off-by: thc202 <thc202@gmail.com>

* 5898 added import from file button to regular expression panels

Signed-off-by: Christian Koidl <christian@koidl.me>

* ScanProgressDialog - Set fewer elements with hardcoded colors/attributes

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Fix Report Write Failure When Path Contained '#'

Signed-off-by: ricekot <ricekot@gmail.com>

* Set SNI when resolving with SOCKS proxy

The default SSL socket implementation does not automatically add the SNI
hostname if the address is unresolved.

Signed-off-by: thc202 <thc202@gmail.com>

* Fix exception while loading session

Change `SiteMap` to not try to get the leaf name when finding a branch
(e.g. no method).
Change `Session` to fail earlier if the required parameters are not
provided when getting the leaf name.

Fix zaproxy#6265.

Signed-off-by: thc202 <thc202@gmail.com>

* Check if Log4j legacy conf backup already exists

Avoid logging an error when the backup already exists, which would
happen after running older and newer ZAP versions using the same home.

Signed-off-by: thc202 <thc202@gmail.com>

* Add OneTouchExpandable control to Sites Tree/Request&Response panels

- WorkbenchPanel > Set the horizontal split to show the
OneTouchExpandable control and don't set the divider width (was
previously setting 3, default in nimbus and flatlaf seems to be 5 which
allow the controls to show fully).

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Add Alert reference field

Add new alertRef field to alerts.
This is to allow us to tell the difference between different alerts
raised by the same rule. By default it will be the plugin id - rules
will need to be changed to append a qualifier for each of the alerts
they raise.

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Warn when unable to save malformed HTTP message

Change models to throw an exception if unable to create the HTTP headers
instead of just logging a warning and continue, to allow to show the
error to the user.
Change Manual Request Editor and Break to warn if the data was not
actually set into the message.
Warn when unable to switch components, views, and HTTP method.

Fix zaproxy#4235.

Signed-off-by: thc202 <thc202@gmail.com>

* Allow to instantiate AbstractFrame

Do not require to extend the class to use it, it's not needed.

Signed-off-by: thc202 <thc202@gmail.com>

* PassiveScanData add unit tests & active scan status code fallbacks

- Clarify/tweak handling of Custom Page checks for active scanning.
Fallback to using status codes if there isn't a context in play.
- Add UnitTests for PassiveScanData and status code fallback for passive
scan handling.
- Re-implement
`HttpStatusCode.isClientError`/`HttpStatusCode.isServerError` to take
advantage of Custom Pages and Analyser as applicable for both ascan and
pscan.
- For `isPage404`/`isPage500`/`isClientError`/`isServerError` check
`CustomPage.Type.OK_200` first. In `isPage200` check
`CustomPage.Type.ERROR_500` or `CustomPage.Type.NOTFOUND_404` first
(both ascan and pscan, in case the user is trying to override
something).
- Fix "Cusotm" > "Custom" typos in PassiveScanData and AbstractPlugin.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Use the whole message to get the leaf name

Provide the whole message when available to get the leaf name, allowing
to use other message components if/when needed without adding/changing
the method.

Signed-off-by: thc202 <thc202@gmail.com>

* Address exceptions related to parameter parsing

Do not allow null values as the older method didn't allow them, which
was causing exceptions in scan rules, also, catch exception thrown when
decoding name/value, for same reason.
Provide a method that does not decode and allows null values.

Signed-off-by: thc202 <thc202@gmail.com>

* Add Custom Page unit tests for HostProcess

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Support authentication polling (zaproxy#6163)

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Add convenience methods for identifying CSS related messages

- HttpRequestHeader > Add isCss() method, refactor isImage() method, add
private isSpecificyType(Pattern) method.
- HttpResponseHeader > Add isCss() method.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Fix bug that makes zap test same request twice

Signed-off-by: Diogo Silva <diogo.m.r.silva@tecnico.ulisboa.pt>

* Add auth header define in envvars

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Tweak browser page for browser launch

Reported via slack.

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Add GraphQL to Docker Packaged API Scan

Signed-off-by: ricekot <ricekot@gmail.com>

* Update FlatLaf

Update to latest version, 0.44.

Signed-off-by: thc202 <thc202@gmail.com>

* Add graaljs to weekly

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Fix NPE importing context with no poll data

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* CustomPages: Add core isSuccess Method(s)

- Add `isSuccess(HttpMessage)` in `AbstractPlugin` and
`PassiveScanData`.
- Add Unit Tests for the new method.
- Tweak javadoc for `isClientError(HttpMessage)` and
`isServerError(HttpMessage)` in both classes as well.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Add zap_tune function and zap_tuned hook

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Manual Request response send

Add a Send button to the manual req editor response panel in tab mode
and set the parent for the warning dialogs - otherwise on some OSs these
are shown against the main tab and the dialog gets hidden

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Guard against invalid message views

Validate that the view has the required properties to fail sooner.

Signed-off-by: thc202 <thc202@gmail.com>

* Do not recompile the scripts if not changed

Add `ScriptsCache` which caches scripts of a given type and interface
until they are disabled or the contents changed.

Cache scripts in:
 - `VariantFactory`, for Sites tree usage;
 - `ScriptsActiveScanner`;
 - `ScriptsPassiveScanner`;
 - `HttpSenderScriptListener`;
 - `ProxyListenerScript`.

Fix zaproxy#6010.

Signed-off-by: thc202 <thc202@gmail.com>

* Support packaged authenticated scans

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Stop using Log4j 1.x where possible

Use Log4j 2 classes for logging.
Deprecate public APIs using Log4j 1.x classes.
Remove `ZapOutputWriter` as it's no longer needed (internal and Log4j
1.x specific class).
Suppress breaking changes done to internal classes.

Signed-off-by: thc202 <thc202@gmail.com>

* Fix Req/Resp highlighting in dark mode

Part of zaproxy#5542

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Log params at Debug Level (zaproxy#6322)

* Log params at Debug Level

Signed-off-by: Damien Cuenot <damien.cuenot.c@thalesdigital.io>

* Tweak panel search and find dialog more friendly w/ dark LaFs

- HighlighterUtils > Add public getHightlightColor() method which
uses DisplayUtils.getHighLightColor() when a dark LaF is in use.
(Currently this means a dark orange is used).
  - Have other usages of the public constant highlight color
use this method.
- TabbedPaneSearch > Prevent IndexOutOfBoundsException by not adding
tabs for which the index is -1 (hidden/disabled).
- FindDialog (CTRL + F) > Set the selection color based on
DisplayUtils.getHighlightColor() before selecting the matched string.

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Remove PacScript

Remove `PacScript` and related resources/dependencies, it will be moved
to Graal JS add-on (per Nashorn deprecation and removal in newer Java
versions).

Related to zaproxy#265 and zaproxy#4851.

Signed-off-by: thc202 <thc202@gmail.com>

* Auth multi-user fix and new API endpoints

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Correct anti-csrf form generation

Escape URI and parameters' names/values when generating the HTML form.

Fix zaproxy#6121.

Signed-off-by: thc202 <thc202@gmail.com>

* Update dependencies

Update the following dependencies:
 - Bouncy Castle, 1.66 → 1.67;
 - Log4j, 2.13.3 → 2.14.0;
 - JFreeChart, 1.5.0 → 1.5.1;
 - Mockito, 3.5.13 → 3.6.28.

Signed-off-by: thc202 <thc202@gmail.com>

* fix/Dockerfile: Use ARG directive instead of ENV

Since DEBIAN_FRONTEND is only used to do installations,
use ARG command instead of ENV so that the parameter
does not persist after the build process has been completed

Signed-off-by: natebwangsut <nate.bwangsut@gmail.com>

* Refactor SiteStructure and Session

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Update scanners.md

Signed-off-by: Aman Rawat <35992750+theamanrawat@users.noreply.github.com>

* Do not update Content-Length in byte models

The Content-Length is now updated optionally based on the UI option.
Extract method that finds the header limit and correct line feed case.

Signed-off-by: thc202 <thc202@gmail.com>

* Update FlatLaf

Update to latest version, 0.45.

Signed-off-by: thc202 <thc202@gmail.com>

* Update scanners.md

Signed-off-by: Aman Rawat <35992750+theamanrawat@users.noreply.github.com>

* Add buttons in break panel to select types of requests intercepted

Signed-off-by: Diogo Silva <diogo.m.r.silva@tecnico.ulisboa.pt>

* Add node for URLs ending with a slash

This allows us to differentiate between https://www.example.com/a and
https://www.example.com/a/

The main impact is to the active scanner as this works off the sites
tree - if you select the new "/" node then it will have no children and
therefore not recurse as most people will want.
So now if you specify a URL with a trailing slash then the slash will be
ignored if you specify 'recurse'.

Will require a corresponding change to the Quick Start add-on

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Add content encodings to HTTP bodies

Encode/decode in `HttpBody` to allow to use the content transparently
throughout the codebase (e.g. `toString()`).
Support GZIP and deflate content codings.

Fix zaproxy#408.

Signed-off-by: thc202 <thc202@gmail.com>

* Update default and common user agents

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Update email used in certs

Use the address of the ZAP dev list instead of the (archived) OWASP ZAP
list.

Signed-off-by: thc202 <thc202@gmail.com>

* Common user agents: Fix tabs and spaces

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

* Add target to ajaxSpider.scan_as_user call

Signed-off-by: Viktor Smirnov <viktor.smirnov@planhat.com>

* Custom Pages: Add Help Index

Per: zaproxy/zap-core-help#335

Part of: zaproxy#9

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

* Avoid NPE when checking for AuthenticationScriptV2

Check if the script is null (i.e. does not implement the interface)
before trying to call its methods.

Signed-off-by: thc202 <thc202@gmail.com>

* Added support for dynamic technologies

Signed-off-by: t4skforce <t4skforce1337@gmail.com>

* Update Webswing and Java in stable

Update Webswing to latest version (20.2.1), to work with Java 11.
Update Webswing's ZAP config.
Update Java to version 11 in stable.

Signed-off-by: thc202 <thc202@gmail.com>

* Update for 2.10 add-ons WIP

Can't update the help add-on until it's published, and that may have some
changes (e.g. to the release notes).

Add-ons added for this release:

* domxss
* encoder
* formhandler
* graaljs
* graphql
* retire

Signed-off-by: Simon Bennetts <psiinon@gmail.com>

Co-authored-by: Jannik Hollenbach <13718901+J12934@users.noreply.github.com>
Co-authored-by: stefantobler <toblerlstefan@gmail.com>
Co-authored-by: Simon Bennetts <psiinon@gmail.com>
Co-authored-by: thc202 <thc202@gmail.com>
Co-authored-by: kingthorin <kingthorin@users.noreply.github.com>
Co-authored-by: beldcode <philip.berthold@tutanota.com>
Co-authored-by: gdgd009xcd <patsz.g1owq@gmail.com>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
Co-authored-by: Cotonne <cotonne@users.noreply.github.com>
Co-authored-by: ricekot <ricekot@gmail.com>
Co-authored-by: Cameron Swords <cam.swords@gmail.com>
Co-authored-by: Jasper Vandemalle <jasper.vandemalle@gmail.com>
Co-authored-by: Christian Koidl <christian@koidl.me>
Co-authored-by: Mohammed Abdul Aziz Syed <msyed@godaddy.com>
Co-authored-by: Mateusz Bojanowski <bojanowski.mateusz@gmail.com>
Co-authored-by: Diogo Silva <diogo.m.r.silva@tecnico.ulisboa.pt>
Co-authored-by: Damien Cuenot <11711525+dcuenot@users.noreply.github.com>
Co-authored-by: natebwangsut <nate.bwangsut@gmail.com>
Co-authored-by: Aman Rawat <35992750+theamanrawat@users.noreply.github.com>
Co-authored-by: Viktor Smirnov <viktor.smirnov@planhat.com>
Co-authored-by: t4skforce <t4skforce1337@gmail.com>
@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Jul 12, 2021