
Conversation

@alonsobsd
Contributor

This patch fixes issues that occur when users try to change certain configurations, such as Selenium settings, on FreeBSD. Without it, the AJAX spider does not work correctly. In most cases, Linux routines can be used similarly on FreeBSD. I have added an isFreeBSD() function to be used when specific handling for FreeBSD is necessary.

Add isFreeBSD function

Signed-off-by: Alonso Cárdenas <11150989+alonsobsd@users.noreply.github.com>
@github-actions

github-actions bot commented Jul 16, 2025

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@kingthorin
Member

A comment should be added to the leadin of the file, around line 128. You’ll see others to model it after.

@psiinon
Member

psiinon commented Jul 16, 2025

Checkmarx One – Scan Summary & Details 29e702a8-25bc-457f-8e78-52f04bda18bb

New Issues (10)

Checkmarx found the following issues in this Pull Request

Severity  Issue  Source File / Package  Checkmarx Insight

MEDIUM Privacy_Violation /zap/src/main/java/org/parosproxy/paros/network/HttpSenderParos.java: 583
  Method at line 583 of /zap/src/main/java/org/parosproxy/paros/network/HttpSenderParos.java sends user information outside the application. This ...
  ID: %2BFRHwWWCdftNQXZ5vBjh9oa372Q%3D

MEDIUM Privacy_Violation /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java: 366
  Method at line 366 of /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java sends user information outside the application. This may co...
  ID: N3nZUWT3zhBM01lQtRLJsFDIH2Y%3D

MEDIUM Privacy_Violation /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java: 364
  Method at line 364 of /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java sends user information outside the application. This may co...
  ID: csxH98sWVNHwA8oe5xXftI8KO1M%3D

MEDIUM Privacy_Violation /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java: 364
  Method at line 364 of /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java sends user information outside the application. This may co...
  ID: gNS93XjuOjerplTHJKafvXmS1%2FU%3D

MEDIUM Privacy_Violation /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java: 364
  Method at line 364 of /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java sends user information outside the application. This may co...
  ID: rf%2BRBQ%2B5U8Shen7IbKBvOuni4qo%3D

MEDIUM Privacy_Violation /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java: 364
  Method at line 364 of /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java sends user information outside the application. This may co...
  ID: 0iUCuiQ2yf4Efm2S4nXiY02KHIs%3D

LOW Log_Forging /zap/src/main/java/org/zaproxy/zap/authentication/PostBasedAuthenticationMethodType.java: 978
  Method at line 978 of /zap/src/main/java/org/zaproxy/zap/authentication/PostBasedAuthenticationMethodType.java gets user input from element getTe...
  ID: Ym1oSTkkUBoNJiDpno6ofduhabk%3D

LOW Log_Forging /zap/src/main/java/org/zaproxy/zap/authentication/PostBasedAuthenticationMethodType.java: 831
  Method at line 831 of /zap/src/main/java/org/zaproxy/zap/authentication/PostBasedAuthenticationMethodType.java gets user input from element getTe...
  ID: 079Cu3vYB%2B8m3djVchvuWmE0VDQ%3D

LOW Log_Forging /zap/src/main/java/org/zaproxy/zap/authentication/PostBasedAuthenticationMethodType.java: 978
  Method at line 978 of /zap/src/main/java/org/zaproxy/zap/authentication/PostBasedAuthenticationMethodType.java gets user input from element getTe...
  ID: %2FeB6SyKVdXl5bYN16lqu0Q9rXFw%3D

LOW Log_Forging /zap/src/main/java/org/zaproxy/zap/authentication/PostBasedAuthenticationMethodType.java: 831
  Method at line 831 of /zap/src/main/java/org/zaproxy/zap/authentication/PostBasedAuthenticationMethodType.java gets user input from element getTe...
  ID: %2F8cnJ1NM7g0wMLFQzSh31ha208o%3D
Fixed Issues (24)

Great job! The following issues were fixed in this Pull Request

Severity Issue Source File / Package
MEDIUM Image Version Using 'latest' /Dockerfile: 1
MEDIUM Privacy_Violation /zap/src/test/java/org/zaproxy/zap/model/SessionStructureUnitTest.java: 672
MEDIUM Privacy_Violation /zap/src/test/java/org/zaproxy/zap/model/SessionStructureUnitTest.java: 660
MEDIUM Privacy_Violation /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java: 787
MEDIUM Privacy_Violation /zap/src/main/java/org/parosproxy/paros/core/proxy/ProxyThread.java: 917
MEDIUM Privacy_Violation /zap/src/test/java/org/parosproxy/paros/network/HttpMessageUnitTest.java: 669
MEDIUM Privacy_Violation /zap/src/test/java/org/parosproxy/paros/network/HttpMessageUnitTest.java: 669
MEDIUM Privacy_Violation /zap/src/test/java/org/parosproxy/paros/network/HttpMessageUnitTest.java: 612
MEDIUM Privacy_Violation /zap/src/test/java/org/parosproxy/paros/network/HttpMessageUnitTest.java: 612
MEDIUM Privacy_Violation /zap/src/test/java/org/parosproxy/paros/network/HttpMessageUnitTest.java: 612
MEDIUM Privacy_Violation /zap/src/test/java/org/parosproxy/paros/network/HttpMessageUnitTest.java: 612
MEDIUM Privacy_Violation /zap/src/test/java/org/parosproxy/paros/network/HttpMessageUnitTest.java: 612
MEDIUM Privacy_Violation /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java: 789
MEDIUM Privacy_Violation /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java: 789
MEDIUM Privacy_Violation /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java: 789
MEDIUM Privacy_Violation /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java: 789
MEDIUM Privacy_Violation /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java: 787
MEDIUM Privacy_Violation /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java: 787
MEDIUM Privacy_Violation /zap/src/main/java/org/zaproxy/zap/model/SessionStructure.java: 787
MEDIUM Privacy_Violation /zap/src/test/java/org/zaproxy/zap/model/SessionStructureUnitTest.java: 700
MEDIUM Privacy_Violation /zap/src/test/java/org/zaproxy/zap/model/SessionStructureUnitTest.java: 700
MEDIUM Privacy_Violation /zap/src/test/java/org/zaproxy/zap/model/SessionStructureUnitTest.java: 700
MEDIUM Privacy_Violation /zap/src/test/java/org/zaproxy/zap/model/SessionStructureUnitTest.java: 700
MEDIUM Privacy_Violation /zap/src/test/java/org/zaproxy/zap/model/SessionStructureUnitTest.java: 700

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR

@alonsobsd
Contributor Author

alonsobsd commented Jul 16, 2025

I have read the CLA Document and I hereby sign the CLA

@kingthorin
Member

kingthorin commented Jul 16, 2025

Run ./gradlew :zap:spotlessApply to fix these violations.

@thc202
Member

thc202 commented Jul 16, 2025

What is this actually trying to fix?

@alonsobsd
Contributor Author

> What is this actually trying to fix?

Well, some sections of the zaproxy app that use isLinux do not work on FreeBSD because there is no isFreeBSD to evaluate. For example, when I try to change some settings, such as the Selenium ones, on FreeBSD it does not work (does not open), and that prevents running AjaxSpider tests because it always tries to use the embedded Linux webdrivers. As I wrote above, Linux functions/procedures could work without issues on FreeBSD. This is the reason why I added freebsd to the isLinux function. Take a look at the following: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276730 for more information.

@thc202
Member

thc202 commented Jul 16, 2025

That's an issue in the Selenium add-on (where it should be fixed), not core. (And to be clear not opposing to improve support for FreeBSD but we should fix the issues properly first.)

@alonsobsd
Contributor Author

> That's an issue in the Selenium add-on (where it should be fixed), not core. (And to be clear not opposing to improve support for FreeBSD but we should fix the issues properly first.)

I think so, but isLinux() is part of core, right? And Selenium uses it. E.g. https://github.com/zaproxy/zap-extensions/blob/main/addOns/selenium/src/main/java/org/zaproxy/zap/extension/selenium/internal/FirefoxProfileManager.java , zap/src/main/java/org/zaproxy/zap/extension/autoupdate/ExtensionAutoUpdate.java, and maybe some other extensions use it too. Or do you prefer to replace all of them with isLinux and isFreeBSD ones?

@thc202
Member

thc202 commented Aug 13, 2025

The Selenium add-on exception referenced in the FreeBSD issue has been fixed in https://github.com/zaproxy/zap-extensions/pull/6252/files#diff-91668c143b89f41523fe09a9663affd88d94172bf1d73be092c0588e7966000cR66

If the logic done for Linux also works with FreeBSD I'm fine with changing isLinux() to check both. What I don't think we should do is add more isX methods to the Constant class, if we need to check for more OSes going forward we should do so through the Common Library add-on as to not depend on core releases (which happen less often than the add-ons, which can be changed anytime). So, my suggestion is to revert the addition of the new method.

Heads up on this change https://github.com/zaproxy/zap-extensions/pull/6661/files#diff-91668c143b89f41523fe09a9663affd88d94172bf1d73be092c0588e7966000cR145 This will start to (explicitly) call the Selenium Manager to get the path of the Firefox binary, I don't know if their Linux binary also works with FreeBSD.
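As an added illustration (not code from ZAP, from this PR, or from any of the linked add-ons), the following Java class shows the kind of os.name-based check the thread is discussing, with FreeBSD folded into the Linux branch as the PR does, and a caller that selects a bundled webdriver directory by OS family. The class name, method names, the "webdriver/<family>" layout and the "geckodriver" file name are assumptions for illustration; ZAP's own Constant class and add-on APIs are not used.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;

/**
 * Added example, not ZAP code. The only real input is the JVM's "os.name"
 * property: the JVM reports "Linux" on Linux and "FreeBSD" on FreeBSD.
 * Everything else (names, directory layout) is assumed for illustration.
 */
public final class OsFamilyExample {

    private OsFamilyExample() {}

    /** True for Linux and FreeBSD, mirroring the "treat FreeBSD like Linux" decision. */
    public static boolean isLinux(String osName) {
        if (osName == null) {
            return false;
        }
        String name = osName.toLowerCase(Locale.ROOT);
        return name.contains("linux") || name.contains("freebsd");
    }

    /** Convenience overload reading the running JVM's property. */
    public static boolean isLinux() {
        return isLinux(System.getProperty("os.name"));
    }

    /**
     * Picks the directory holding bundled webdrivers for the current OS family
     * (assumed layout: driversRoot/linux, driversRoot/macos, driversRoot/windows).
     * Returns null for an unrecognised family instead of silently falling
     * through to the Linux drivers.
     */
    public static Path bundledDriverDir(Path driversRoot, String osName) {
        String name = osName == null ? "" : osName.toLowerCase(Locale.ROOT);
        if (isLinux(osName)) {
            return driversRoot.resolve("linux");
        }
        if (name.contains("mac")) {
            return driversRoot.resolve("macos");
        }
        if (name.contains("windows")) {
            return driversRoot.resolve("windows");
        }
        return null;
    }

    /**
     * Checks only that the driver file exists and has the executable bit set.
     * Whether a Linux ELF actually runs on FreeBSD (e.g. via Linux binary
     * compatibility) cannot be determined from permissions alone, so a caller
     * must still handle a failed launch rather than assume the driver works.
     */
    public static boolean driverUsable(Path driver) {
        return driver != null && Files.isRegularFile(driver) && Files.isExecutable(driver);
    }

    public static void main(String[] args) {
        String os = System.getProperty("os.name");
        System.out.println("os.name=" + os + " isLinux=" + isLinux(os));
        Path dir = bundledDriverDir(Path.of("webdriver"), os);
        Path gecko = dir == null ? null : dir.resolve("geckodriver");
        System.out.println("driver " + gecko + " usable=" + driverUsable(gecko));
    }
}
```

Run with `java OsFamilyExample.java` (Java 11 or later) on a FreeBSD and a Linux host to see both report isLinux=true; on either host, driverUsable only confirms the file is present and executable, which is why a user-configurable driver path, as mentioned later in the thread, remains useful when the bundled Linux binary does not run.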

@thc202 thc202 changed the title Fix issues on FreeBSD Improve support for FreeBSD Aug 13, 2025
kingthorin pushed a commit to kingthorin/cla that referenced this pull request Sep 18, 2025
Signed-off-by: Alonso Cárdenas <11150989+alonsobsd@users.noreply.github.com>
@alonsobsd
Contributor Author

> The Selenium add-on exception referenced in the FreeBSD issue has been fixed in https://github.com/zaproxy/zap-extensions/pull/6252/files#diff-91668c143b89f41523fe09a9663affd88d94172bf1d73be092c0588e7966000cR66
>
> If the logic done for Linux also works with FreeBSD I'm fine with changing isLinux() to check both. What I don't think we should do is add more isX methods to the Constant class, if we need to check for more OSes going forward we should do so through the Common Library add-on as to not depend on core releases (which happen less often than the add-ons, which can be changed anytime). So, my suggestion is to revert the addition of the new method.

I have removed the isFreeBSD method.

> Heads up on this change https://github.com/zaproxy/zap-extensions/pull/6661/files#diff-91668c143b89f41523fe09a9663affd88d94172bf1d73be092c0588e7966000cR145 This will start to (explicitly) call the Selenium Manager to get the path of the Firefox binary, I don't know if their Linux binary also works with FreeBSD.

It seems like selenium-manager has no FreeBSD support. Maybe it works using Linux compat on FreeBSD. Anyway, with this change I can modify some driver paths from the zaproxy options.


Greetings

Signed-off-by: Alonso Cárdenas <11150989+alonsobsd@users.noreply.github.com>
Signed-off-by: Alonso Cárdenas <11150989+alonsobsd@users.noreply.github.com>
@thc202
Member

thc202 commented Sep 19, 2025

> It seems like selenium-manager has no FreeBSD support. Maybe it works using Linux compat on FreeBSD. Anyway, with this change I can modify some driver paths from the zaproxy options.

Note that this is for the creation of a Firefox profile for/by the Client Side Integration add-on: https://www.zaproxy.org/docs/desktop/addons/client-side-integration/firefox-profile/ It does not use the Firefox binary from the Selenium options but I will look at changing to use it.

@thc202 thc202 enabled auto-merge (squash) September 19, 2025 12:23
@thc202
Member

thc202 commented Sep 19, 2025

Thank you!

@thc202 thc202 merged commit 3a1e171 into zaproxy:main Sep 19, 2025
8 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Sep 19, 2025
@thc202 thc202 added this to the 2.17.0 milestone Sep 19, 2025