Merge pull request #6541 from psiinon/automation/ascanexc

kingthorin · web-flow · commit ad254e06d9d2 · 2025-06-30T06:32:23.000-04:00
automation: Support exclude regexs in ascan config
diff --git a/addOns/automation/CHANGELOG.md b/addOns/automation/CHANGELOG.md
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Added
+- Support for exclude regexes to active scan config job.
 
 ## [0.50.0] - 2025-06-20
 ### Added
diff --git a/addOns/automation/src/main/java/org/zaproxy/addon/automation/ContextWrapper.java b/addOns/automation/src/main/java/org/zaproxy/addon/automation/ContextWrapper.java
@@ -24,14 +24,11 @@
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.databind.json.JsonMapper;
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
-import java.util.regex.Pattern;
-import java.util.regex.PatternSyntaxException;
 import java.util.stream.Collectors;
 import lombok.Getter;
 import lombok.Setter;
@@ -190,10 +187,12 @@ public ContextWrapper(
                             Constant.messages.getString("automation.error.context.url.deprecated"));
                     break;
                 case "includePaths":
-                    data.setIncludePaths(verifyRegexes(value, "badincludelist", progress));
+                    data.setIncludePaths(
+                            JobUtils.verifyRegexes(value, cdata.getKey().toString(), progress));
                     break;
                 case "excludePaths":
-                    data.setExcludePaths(verifyRegexes(value, "badexcludelist", progress));
+                    data.setExcludePaths(
+                            JobUtils.verifyRegexes(value, cdata.getKey().toString(), progress));
                     break;
                 case "authentication":
                     data.setAuthentication(new AuthenticationData(value, progress));
@@ -307,31 +306,6 @@ private void validateUrl(String url, AutomationProgress progress) {
         }
     }
 
-    private List<String> verifyRegexes(Object value, String key, AutomationProgress progress) {
-        if (!(value instanceof ArrayList<?>)) {
-            progress.error(Constant.messages.getString("automation.error.context." + key, value));
-            return Collections.emptyList();
-        }
-        ArrayList<String> regexes = new ArrayList<>();
-        for (Object regex : (ArrayList<?>) value) {
-            String regexStr = regex.toString();
-            regexes.add(regexStr);
-            try {
-                if (!JobUtils.containsVars(regexStr)) {
-                    // Only validate the regex if it doesnt contain vars
-                    Pattern.compile(regexStr);
-                }
-            } catch (PatternSyntaxException e) {
-                progress.error(
-                        Constant.messages.getString(
-                                "automation.error.context.badregex",
-                                regex.toString(),
-                                e.getMessage()));
-            }
-        }
-        return regexes;
-    }
-
     public Context getContext() {
         return this.context;
     }
diff --git a/addOns/automation/src/main/java/org/zaproxy/addon/automation/gui/ActiveScanConfigJobDialog.java b/addOns/automation/src/main/java/org/zaproxy/addon/automation/gui/ActiveScanConfigJobDialog.java
@@ -19,6 +19,10 @@
  */
 package org.zaproxy.addon.automation.gui;
 
+import java.util.List;
+import java.util.regex.Pattern;
+import java.util.stream.Stream;
+import org.parosproxy.paros.Constant;
 import org.parosproxy.paros.view.View;
 import org.zaproxy.addon.automation.jobs.ActiveScanConfigJob;
 import org.zaproxy.addon.automation.jobs.ActiveScanConfigJob.InputVectors;
@@ -32,7 +36,9 @@ public class ActiveScanConfigJobDialog extends StandardFieldsDialog {
     private static final long serialVersionUID = 1L;
 
     private static final String[] TAB_LABELS = {
-        "automation.dialog.tab.params", "automation.dialog.ascanconfig.tab.iv"
+        "automation.dialog.tab.params",
+        "automation.dialog.ascanconfig.tab.iv",
+        "automation.dialog.ascanconfig.tab.exclude"
     };
 
     private static final String TITLE = "automation.dialog.ascanconfig.title";
@@ -78,6 +84,8 @@ public class ActiveScanConfigJobDialog extends StandardFieldsDialog {
 
     private static final String SCRIPTS_PARAM = "automation.dialog.ascanconfig.iv.scripts";
 
+    private static final String EXCLUDE_PARAM = "automation.dialog.ascanconfig.exclude";
+
     private ActiveScanConfigJob job;
 
     public ActiveScanConfigJobDialog(ActiveScanConfigJob job) {
@@ -182,6 +190,15 @@ public ActiveScanConfigJobDialog(ActiveScanConfigJob job) {
         addCheckBoxField(1, SCRIPTS_PARAM, iv.isScripts());
 
         addPadding(1);
+
+        this.addMultilineField(2, EXCLUDE_PARAM, listToString(job.getData().getExcludePaths()));
+    }
+
+    private String listToString(List<String> list) {
+        if (list != null) {
+            return String.join("\n", list);
+        }
+        return "";
     }
 
     @Override
@@ -227,12 +244,32 @@ public void save() {
 
         iv.setScripts(getBoolValue(SCRIPTS_PARAM));
 
+        job.getData().setExcludePaths(stringParamToList(EXCLUDE_PARAM));
+
         job.resetAndSetChanged();
     }
 
+    private List<String> stringParamToList(String param) {
+        // Return a list of the trimmed and non empty strings
+        return Stream.of(this.getStringValue(param).split("\n"))
+                .map(String::trim)
+                .filter(item -> !item.isEmpty())
+                .toList();
+    }
+
     @Override
     public String validateFields() {
-        // Nothing to do
+        for (String str : stringParamToList(EXCLUDE_PARAM)) {
+            if (!JobUtils.containsVars(str)) {
+                // Can only validate strings that dont contain env vars
+                try {
+                    Pattern.compile(str);
+                } catch (Exception e) {
+                    return Constant.messages.getString(
+                            "automation.dialog.ascanconfig.error.excregex", str);
+                }
+            }
+        }
         return null;
     }
 }
diff --git a/addOns/automation/src/main/java/org/zaproxy/addon/automation/jobs/ActiveScanConfigJob.java b/addOns/automation/src/main/java/org/zaproxy/addon/automation/jobs/ActiveScanConfigJob.java
@@ -23,12 +23,18 @@
 import com.fasterxml.jackson.databind.JsonMappingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.json.JsonMapper;
+import java.util.ArrayList;
 import java.util.BitSet;
+import java.util.List;
 import java.util.Map;
 import lombok.Getter;
 import lombok.Setter;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.parosproxy.paros.Constant;
 import org.parosproxy.paros.core.scanner.ScannerParam;
+import org.parosproxy.paros.db.DatabaseException;
+import org.parosproxy.paros.model.Model;
 import org.zaproxy.addon.automation.AutomationData;
 import org.zaproxy.addon.automation.AutomationEnvironment;
 import org.zaproxy.addon.automation.AutomationJob;
@@ -48,6 +54,8 @@ public class ActiveScanConfigJob extends AutomationJob {
     public static final String JOB_NAME = "activeScan-config";
     private static final String OPTIONS_METHOD_NAME = "getScannerParam";
 
+    private static final Logger LOGGER = LogManager.getLogger(ActiveScanConfigJob.class);
+
     private ExtensionActiveScan ascan;
 
     private Parameters parameters = new Parameters();
@@ -82,6 +90,11 @@ public void verifyParameters(AutomationProgress progress) {
                     updateValue(data.getInputVectors(), jobData, key, progress);
                     break;
 
+                case "excludePaths":
+                    data.setExcludePaths(
+                            JobUtils.verifyRegexes(jobData.get(key), key.toString(), progress));
+                    break;
+
                 case "name":
                 case "type":
                     break;
@@ -177,7 +190,13 @@ private static int toInt(BitSet bitSet) {
 
     @Override
     public void runJob(AutomationEnvironment env, AutomationProgress progress) {
-        // Nothing to do, work done earlier in applyParameters.
+        try {
+            Model.getSingleton().getSession().setExcludeFromScanRegexs(data.getExcludePaths());
+        } catch (DatabaseException e) {
+            progress.error(
+                    Constant.messages.getString("automation.dialog.error.misc", e.getMessage()));
+            LOGGER.error(e.getMessage(), e);
+        }
     }
 
     @Override
@@ -245,6 +264,7 @@ public void showDialog() {
     public static class Data extends JobData {
         private final Parameters parameters;
         private final InputVectors inputVectors;
+        @Setter private List<String> excludePaths = new ArrayList<>();
 
         public Data(AutomationJob job, Parameters parameters, InputVectors inputVectors) {
             super(job);
diff --git a/addOns/automation/src/main/java/org/zaproxy/addon/automation/jobs/JobUtils.java b/addOns/automation/src/main/java/org/zaproxy/addon/automation/jobs/JobUtils.java
@@ -37,6 +37,8 @@
 import java.util.Locale;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.regex.Pattern;
+import java.util.regex.PatternSyntaxException;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import org.apache.commons.lang3.ClassUtils;
@@ -758,4 +760,32 @@ public static boolean isAbsoluteLiteralPath(String path) {
     public static boolean containsVars(String str) {
         return str.contains("${");
     }
+
+    public static List<String> verifyRegexes(
+            Object value, String key, AutomationProgress progress) {
+        if (!(value instanceof ArrayList<?>)) {
+            progress.error(
+                    Constant.messages.getString("automation.error.regex.badlist", key, value));
+            return Collections.emptyList();
+        }
+        ArrayList<String> regexes = new ArrayList<>();
+        for (Object regex : (ArrayList<?>) value) {
+            String regexStr = regex.toString();
+            regexes.add(regexStr);
+            try {
+                if (!JobUtils.containsVars(regexStr)) {
+                    // Only validate the regex if it doesnt contain vars
+                    Pattern.compile(regexStr);
+                }
+            } catch (PatternSyntaxException e) {
+                progress.error(
+                        Constant.messages.getString(
+                                "automation.error.regex.badregex",
+                                regex.toString(),
+                                key,
+                                e.getMessage()));
+            }
+        }
+        return regexes;
+    }
 }
diff --git a/addOns/automation/src/main/javahelp/org/zaproxy/addon/automation/resources/help/contents/job-ascanconfig.html b/addOns/automation/src/main/javahelp/org/zaproxy/addon/automation/resources/help/contents/job-ascanconfig.html
@@ -44,8 +44,11 @@ <H2>YAML</H2>
         enabled:                           # Bool: If enabled. Default: false
         encodeCookieValues:                # Bool: If cookie values should be encoded. Default: false
       scripts:                             # Bool: If Input Vector scripts should be used. Default: true
+    excludePaths:                          # An optional list of regexes to exclude
 </pre>
 
+Note that the 'excludePaths' will overwrite any existing session "Exclude from Scanner" paths.
+
 </BODY>
 </HTML>
 
diff --git a/addOns/automation/src/main/resources/org/zaproxy/addon/automation/resources/Messages.properties b/addOns/automation/src/main/resources/org/zaproxy/addon/automation/resources/Messages.properties
@@ -87,7 +87,9 @@ automation.dialog.ascan.threads = Threads Per Host:
 automation.dialog.ascan.title = Active Scan Job
 
 automation.dialog.ascanconfig.defaultpolicy = Default Policy:
+automation.dialog.ascanconfig.error.excregex = Invalid ''Exclude'' RegEx: {0}
 automation.dialog.ascanconfig.error.field = Job {0}: Error reading {1}, cause: {2}
+automation.dialog.ascanconfig.exclude = Exclude RegExs:
 automation.dialog.ascanconfig.handleanticsrf = Handle Anti CSRF Tokens
 automation.dialog.ascanconfig.injectid = Inject Scan Rule ID:
 automation.dialog.ascanconfig.iv.cookie = Cookie Data
@@ -110,6 +112,7 @@ automation.dialog.ascanconfig.maxalertsperrule = Max Alerts Per Rule:
 automation.dialog.ascanconfig.maxruleduration = Max Rule Duration (in mins):
 automation.dialog.ascanconfig.maxscanduration = Max Scan Duration (in mins):
 automation.dialog.ascanconfig.summary = Active Scan Config
+automation.dialog.ascanconfig.tab.exclude = Exclude
 automation.dialog.ascanconfig.tab.iv = Input Vectors
 automation.dialog.ascanconfig.threads = Threads Per Host:
 automation.dialog.ascanconfig.title = Active Scan Config Job
@@ -125,8 +128,8 @@ automation.dialog.button.remove = Remove
 
 automation.dialog.context.error.badname = You must supply a name
 automation.dialog.context.error.badurl = Invalid URL: {0}
-automation.dialog.context.error.excregex = Invalid 'Exclude' RegEx: {0}
-automation.dialog.context.error.incregex = Invalid 'Include' RegEx: {0}
+automation.dialog.context.error.excregex = Invalid ''Exclude'' RegEx: {0}
+automation.dialog.context.error.incregex = Invalid ''Include'' RegEx: {0}
 automation.dialog.context.error.nourls = You must specify at least one URL
 automation.dialog.context.exclude = Exclude RegExs:
 automation.dialog.context.include = Include RegExs:
@@ -294,9 +297,6 @@ automation.error.badconfidence = Invalid confidence for job {0} : {1}
 automation.error.badrisk = Invalid risk for job {0} : {1}
 automation.error.badurl = Invalid URL for job {0} : {1}
 
-automation.error.context.badexcludelist = Exclude regexes should be a list: {0}
-automation.error.context.badincludelist = Incude regexes should be a list: {0}
-automation.error.context.badregex = Invalid value for regex: {0} : {1}
 automation.error.context.badstructuralparametername = You must supply a Structural Parameter name that contains only alpha numeric characters: {0}
 automation.error.context.badstructuralparameterslist = Context Structural Parameters should be a list: {0}
 automation.error.context.badstructure = Context structure should be a map: {0}
@@ -356,6 +356,8 @@ automation.error.options.method = Failed to access {0} methods for {1} : {2}
 automation.error.options.methods = Failed to access {0} methods for {1}
 automation.error.options.unknown = Unrecognised parameter for job {0} : {1}
 automation.error.read = Cannot read file: {0}
+automation.error.regex.badlist = Regexes for key {0} should be a list: {1}
+automation.error.regex.badregex = Invalid regex: {0} for key {1} : {2}
 automation.error.requestor.badcode = Job {0} has invalid response code {1} for request: {2}
 automation.error.requestor.badheader = Headers should be a list: {0}
 automation.error.requestor.badlist = Requests should be a list: {0}
diff --git a/addOns/automation/src/main/resources/org/zaproxy/addon/automation/resources/activeScan-config-max.yaml b/addOns/automation/src/main/resources/org/zaproxy/addon/automation/resources/activeScan-config-max.yaml
@@ -29,3 +29,4 @@
         enabled:                           # Bool: If enabled. Default: false
         encodeCookieValues:                # Bool: If cookie values should be encoded. Default: false
       scripts:                             # Bool: If Input Vector scripts should be used. Default: true
+    excludePaths:                          # An optional list of regexes to exclude
diff --git a/addOns/automation/src/test/java/org/zaproxy/addon/automation/AutomationEnvironmentUnitTest.java b/addOns/automation/src/test/java/org/zaproxy/addon/automation/AutomationEnvironmentUnitTest.java
@@ -380,9 +380,7 @@ void shouldFailIfBadIncludeRegexList() {
         // Then
         assertThat(progress.hasErrors(), is(equalTo(true)));
         assertThat(progress.getErrors().size(), is(equalTo(1)));
-        assertThat(
-                progress.getErrors().get(0),
-                is(equalTo("!automation.error.context.badincludelist!")));
+        assertThat(progress.getErrors().get(0), is(equalTo("!automation.error.regex.badlist!")));
     }
 
     @Test
@@ -407,9 +405,7 @@ void shouldFailIfBadExcludeRegexList() {
         // Then
         assertThat(progress.hasErrors(), is(equalTo(true)));
         assertThat(progress.getErrors().size(), is(equalTo(1)));
-        assertThat(
-                progress.getErrors().get(0),
-                is(equalTo("!automation.error.context.badexcludelist!")));
+        assertThat(progress.getErrors().get(0), is(equalTo("!automation.error.regex.badlist!")));
     }
 
     @Test
@@ -435,7 +431,7 @@ void shouldFailIfBadIncludeRegexValue() {
         // Then
         assertThat(progress.hasErrors(), is(equalTo(true)));
         assertThat(progress.getErrors().size(), is(equalTo(1)));
-        assertThat(progress.getErrors().get(0), is(equalTo("!automation.error.context.badregex!")));
+        assertThat(progress.getErrors().get(0), is(equalTo("!automation.error.regex.badregex!")));
     }
 
     @Test
@@ -461,7 +457,7 @@ void shouldFailIfBadExcludeRegexValue() {
         // Then
         assertThat(progress.hasErrors(), is(equalTo(true)));
         assertThat(progress.getErrors().size(), is(equalTo(1)));
-        assertThat(progress.getErrors().get(0), is(equalTo("!automation.error.context.badregex!")));
+        assertThat(progress.getErrors().get(0), is(equalTo("!automation.error.regex.badregex!")));
     }
 
     @Test
diff --git a/addOns/automation/src/test/java/org/zaproxy/addon/automation/jobs/ActiveScanConfigJobUnitTest.java b/addOns/automation/src/test/java/org/zaproxy/addon/automation/jobs/ActiveScanConfigJobUnitTest.java
diff --git a/addOns/automation/src/test/resources/org/zaproxy/addon/automation/resources/template-max.yaml b/addOns/automation/src/test/resources/org/zaproxy/addon/automation/resources/template-max.yaml
