Source Code Disclosure (WEB-INF folder) fails with Java 9+ #4038

Closed
thc202 opened this issue Nov 14, 2017 · 4 comments

@thc202

thc202 commented Nov 14, 2017

The scanner "Source Code Disclosure - /WEB-INF folder" fails to run with Java 9:

113913 [ZAP-ActiveScanner-0] ERROR org.zaproxy.zap.ZAP$UncaughtExceptionLogger  - Exception in thread "ZAP-ActiveScanner-0"
java.lang.NoClassDefFoundError: sun/misc/URLClassPath
	at com.strobel.assembler.metadata.ClasspathTypeLoader.<init>(ClasspathTypeLoader.java:66)
	at com.strobel.assembler.metadata.ClasspathTypeLoader.<init>(ClasspathTypeLoader.java:42)
	at com.strobel.assembler.InputTypeLoader.<init>(InputTypeLoader.java:45)
	at com.strobel.decompiler.Decompiler.decompile(Decompiler.java:39)
	at org.zaproxy.zap.extension.ascanrulesBeta.SourceCodeDisclosureWEBINF.scan(SourceCodeDisclosureWEBINF.java:212)
	at org.parosproxy.paros.core.scanner.AbstractPlugin.run(AbstractPlugin.java:379)
	at java.base/java.lang.Thread.run(Thread.java:844)
Caused by: java.lang.ClassNotFoundException
	at org.zaproxy.zap.control.AddOnClassLoader.findClass(AddOnClassLoader.java:256)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:563)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:496)
	... 7 more

This is a known issue with the library:
https://bitbucket.org/mstrobel/procyon/issues/320/java-9-sunmiscurlclasspath-and mstrobel/procyon#12

Add-on:
Active scanner rules (beta), version 21.

Related to #2602.

@alfsb alfsb mentioned this issue Nov 14, 2017
thc202 added a commit to thc202/zaproxy that referenced this issue Nov 14, 2017
Change AbstractPlugin to notify that it completed in a finally block, to
ensure the parent is notified always thus preventing it from "hanging"
after an uncaught exception (e.g. NoClassDefFoundError).

Related to zaproxy#4038 - Source Code Disclosure (WEB-INF folder) fails with
Java 9
thc202 added a commit to thc202/zap-extensions that referenced this issue Jul 12, 2018
Change .travis.yml to also run the build with Java 9.
Change build.xml file to include a Messages.properties file on the
classpath as it's required by core.
Disable SourceCodeDisclosureWEBINFUnitTest on Java 9+ because of an
issue in the used library (i.e. zaproxy/zaproxy#4038).

Part of zaproxy/zaproxy#2602 - Java 9
thc202 added a commit to thc202/zap-extensions that referenced this issue Jul 18, 2018
Change SourceCodeDisclosureWEBINF to skip on Java 9+, it does not work.
Add a note to the help of the scanner.
Update changes in ZapAddOn.xml file.

Related to zaproxy/zaproxy#4038 Source Code Disclosure (WEB-INF folder)
fails with Java 9
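
An added example, not code from ZAP or its add-ons: it shows why the commit messages above notify completion in a finally block (a `NoClassDefFoundError` is an `Error`, so it escapes `catch (Exception e)` and any notification placed after the call) and how a rule can probe for the internal class before using it. `Rule`, `start` and `internalClassPresent` are hypothetical names chosen for this sketch.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

public class ScanRuleCompletionDemo {

    // Hypothetical stand-in for a scan rule; this is not ZAP's AbstractPlugin.
    interface Rule { void scan(); }

    // Checks whether a class can be loaded, without initialising it.
    static boolean internalClassPresent(String name) {
        try {
            Class.forName(name, false, ScanRuleCompletionDemo.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    // Runs the rule on its own thread; "done" is what the parent scanner waits on.
    static Thread start(Rule rule, CountDownLatch done, boolean notifyInFinally) {
        Thread t = new Thread(() -> {
            if (notifyInFinally) {
                try { rule.scan(); } finally { done.countDown(); }
            } else {
                rule.scan();
                done.countDown(); // skipped when scan() throws
            }
        }, "demo-scanner");
        t.setUncaughtExceptionHandler((th, e) -> System.out.println("uncaught: " + e));
        t.start();
        return t;
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed failure that mirrors the error in the stack trace above.
        Rule failing = () -> { throw new NoClassDefFoundError("sun/misc/URLClassPath"); };

        CountDownLatch plain = new CountDownLatch(1);
        start(failing, plain, false);
        System.out.println("notified without finally: " + plain.await(1, TimeUnit.SECONDS));

        CountDownLatch guarded = new CountDownLatch(1);
        start(failing, guarded, true);
        System.out.println("notified with finally: " + guarded.await(1, TimeUnit.SECONDS));

        System.out.println("sun.misc.URLClassPath loadable: "
                + internalClassPresent("sun.misc.URLClassPath"));
    }
}
```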
@thc202 thc202 changed the title Source Code Disclosure (WEB-INF folder) fails with Java 9 Source Code Disclosure (WEB-INF folder) fails with Java 9+ Mar 15, 2019
@kingthorin

Note the project has moved from BitBucket to GitHub:
mstrobel/procyon#12

@thc202

thc202 commented May 30, 2021

Fixed in zaproxy/zap-extensions#2338.

@thc202 thc202 closed this as completed May 30, 2021
kingthorin added a commit to kingthorin/zap-extensions that referenced this issue May 30, 2021
See:
- mstrobel/procyon#12
- zaproxy/zaproxy#4038
- Reverts zaproxy#1723

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>
kingthorin added a commit to kingthorin/zap-extensions that referenced this issue May 30, 2021
See:
- mstrobel/procyon#12
- zaproxy/zaproxy#4038 / zaproxy#2338
- Reverts zaproxy#1723

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>
kingthorin added a commit to kingthorin/zap-extensions that referenced this issue May 30, 2021
See:
- mstrobel/procyon#12
- zaproxy/zaproxy#4038 / zaproxy#2338
  - Related to zaproxy/zaproxy#2602
- Reverts zaproxy#1723

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>
@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Aug 29, 2021