diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java
index c193ccea6dc..9092934fe8d 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java
@@ -169,7 +169,7 @@ public int getWascId() {
 return 7;
 }
- private String randomCharacterString(int length) {
+ private static String randomCharacterString(int length) {
 StringBuilder sb1 = new StringBuilder(length + 1);
 int counter = 0;
 int character = 0;
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java
index 0c09e878408..9442f8200d0 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java
@@ -366,7 +366,7 @@ public int getRisk() {
 return Alert.RISK_HIGH;
 }
- private String getOtherInfo(TestType testType, String testValue) {
+ private static String getOtherInfo(TestType testType, String testValue) {
 return Constant.messages.getString(
 MESSAGE_PREFIX + "otherinfo." + testType.getNameKey(), testValue);
 }
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java
index 92cfeff183d..5bc72d6f7d0 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java
@@ -95,7 +95,7 @@ public String getReference() {
 return Constant.messages.getString(MESSAGE_PREFIX + "refs");
 }
- private void checkIfDirectory(HttpMessage msg) throws URIException {
+ private static void checkIfDirectory(HttpMessage msg) throws URIException {
 URI uri = msg.getRequestHeader().getURI();
 uri.setQuery(null);
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java
index da5c9d1add9..292036d408b 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java
@@ -342,7 +342,7 @@ private static boolean isRedirectHost(String value, boolean escaped) throws URIE
 * @param msg the current message where reflected redirection should be check into
 * @return get back the redirection type if exists
 */
- private int isRedirected(String payload, HttpMessage msg) {
+ private static int isRedirected(String payload, HttpMessage msg) {
 // (1) Check if redirection by "Location" header
 // http://en.wikipedia.org/wiki/HTTP_location
@@ -471,7 +471,7 @@ private static boolean isRedirectPresent(Pattern pattern, String value) {
 * @param type the redirection type
 * @return a string representing the reason of this redirection
 */
- private String getRedirectionReason(int type) {
+ private static String getRedirectionReason(int type) {
 switch (type) {
 case REDIRECT_LOCATION_HEADER:
 return Constant.messages.getString(MESSAGE_PREFIX + "reason.location.header");
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java
index 352b6926f6e..fdeb28aad5f 100644
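Review bot: `checkIfDirectory` now reads as a pure static check, yet the line `uri.setQuery(null);` clears the query of the URI object obtained from the request header of the message passed in, so the caller's message is altered as a side effect; whether the caller hands over a copy cannot be seen here, as the rest of the method lies outside the hunk. Since the signature is being touched anyway, a one-line Javadoc stating the side effect would help the next reader, e.g. `/** Checks the request URI of {@code msg}; note that the URI's query component is cleared in place. */`.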
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java
@@ -105,7 +105,7 @@ public String getReference() {
 return Constant.messages.getString(MESSAGE_PREFIX + "refs");
 }
- private String getError(char c) {
+ private static String getError(char c) {
 return Constant.messages.getString(MESSAGE_PREFIX + "error" + c);
 }
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java
index e68a1949d73..2cda7d20c4c 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java
@@ -267,7 +267,7 @@ private String getEmptyValueResponse(String paramName) throws IOException {
 * @param value the value that need to be checked
 * @return true if it seems to be encrypted
 */
- private boolean isEncrypted(byte[] value) {
+ private static boolean isEncrypted(byte[] value) {
 // Make sure we have a reasonable sized string
 // (encrypted strings tend to be long, and short strings tend to break our numbers)
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java
index 1c9365068ff..18888009c67 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java
@@ -608,7 +608,7 @@ private boolean sendAndCheckPayload(
 return false;
 }
- private String getContentsToMatch(HttpMessage message) {
+ private static String getContentsToMatch(HttpMessage message) {
 return message.getResponseHeader().isHtml()
 ? StringEscapeUtils.unescapeHtml4(message.getResponseBody().toString())
 : message.getResponseHeader().toString() + message.getResponseBody().toString();
@@ -700,7 +700,7 @@ public String match(String contents) {
 return matchWinDirectories(contents);
 }
- private String matchNixDirectories(String contents) {
+ private static String matchNixDirectories(String contents) {
 Pattern procPattern = Pattern.compile("(?:^|\\W)proc(?:\\W|$)", Pattern.CASE_INSENSITIVE);
 Pattern etcPattern = Pattern.compile("(?:^|\\W)etc(?:\\W|$)", Pattern.CASE_INSENSITIVE);
@@ -727,7 +727,7 @@ private String matchNixDirectories(String contents) {
 return null;
 }
- private String matchWinDirectories(String contents) {
+ private static String matchWinDirectories(String contents) {
 if (contents.contains("Windows")
 && Pattern.compile("Program\\sFiles").matcher(contents).find()) {
 return "Windows";
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java
index a4405761998..97c5c05b964 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java
@@ -277,7 +277,7 @@ private HttpMessage createHttpMessage(URI uri) throws HttpMalformedHeaderExcepti
 * @return
 * @throws URIException
 */
- private URI getClassURI(URI hostURI, String classname) throws URIException {
+ private static URI getClassURI(URI hostURI, String classname) throws URIException {
 return new URI(
 hostURI.getScheme()
 + "://"
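Review bot: With `matchNixDirectories` now static, the two `Pattern.compile(...)` calls on its first lines still recompile the same fixed regexes on every invocation, which runs once per response checked; hoisting them to class constants, e.g. `private static final Pattern PROC_PATTERN = Pattern.compile("(?:^|\\W)proc(?:\\W|$)", Pattern.CASE_INSENSITIVE);` and the matching `ETC_PATTERN`, avoids the repeated work and fits the method's new static form. The same applies to `Pattern.compile("Program\\sFiles")` inside the `if` of `matchWinDirectories` in the following hunk. Both method bodies continue outside their hunks.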
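Review bot: The Javadoc directly above `getClassURI` still carries bare `@return` and `@throws URIException` tags with no text, which javadoc tooling flags and which tell the reader nothing; since the signature is rewritten here, fill them in, e.g. `@return the URI assembled for {@code classname} on {@code hostURI}` and `@throws URIException if the assembled URI cannot be parsed`. The method body, which builds the URI by concatenating `hostURI.getScheme() + "://"` with the rest, continues outside the hunk, so the exact shape of the result is not visible here.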
@@ -288,7 +288,7 @@ private URI getClassURI(URI hostURI, String classname) throws URIException {
 false);
 }
- private URI getPropsFileURI(URI hostURI, String propsfilename) throws URIException {
+ private static URI getPropsFileURI(URI hostURI, String propsfilename) throws URIException {
 return new URI(
 hostURI.getScheme()
 + "://"
diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java
index e93dad2bf66..8999dd7130f 100644
--- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java
+++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java
@@ -76,11 +76,11 @@ public String getDescription() {
 return Constant.messages.getString("ascanrules.spring4shell.desc");
 }
- private boolean is400Response(HttpMessage msg) {
+ private static boolean is400Response(HttpMessage msg) {
 return !msg.getResponseHeader().isEmpty() && msg.getResponseHeader().getStatusCode() == 400;
 }
- private void setGetPayload(HttpMessage msg, String payload) throws URIException {
+ private static void setGetPayload(HttpMessage msg, String payload) throws URIException {
 msg.getRequestHeader().setMethod("GET");
 URI uri = msg.getRequestHeader().getURI();
 String query = uri.getEscapedQuery();
@@ -92,7 +92,7 @@ private void setGetPayload(HttpMessage msg, String payload) throws URIException
 uri.setEscapedQuery(query);
 }
- private void setPostPayload(HttpMessage msg, String payload) {
+ private static void setPostPayload(HttpMessage msg, String payload) {
 msg.getRequestHeader().setMethod("POST");
 String body = msg.getRequestBody().toString();
 if (body.isEmpty()
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java
index bff7b0fbede..24daf07ef57 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java
@@ -80,11 +80,11 @@ private enum PayloadHandling {
 CONCAT_PATH
 };
- private NanoServerHandler createHttpRedirectHandler(String path, String header) {
+ private static NanoServerHandler createHttpRedirectHandler(String path, String header) {
 return createHttpRedirectHandler(path, header, PayloadHandling.NEITHER);
 }
- private NanoServerHandler createHttpRedirectHandler(
+ private static NanoServerHandler createHttpRedirectHandler(
 String path, String header, PayloadHandling payloadHandling) {
 return new NanoServerHandler(path) {
 @Override
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java
index 7757fc3ade8..861c1a3021e 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java
@@ -110,7 +110,7 @@ void checkNoPathsHaveLeadingSlash() {
 }
 }
- private void assertNoLeadingSlash(String message, String path) {
+ private static void assertNoLeadingSlash(String message, String path) {
 assertThat(message.replace(REPLACE_TOKEN, path), !path.startsWith("/"), is(true));
 }
diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java
index f11016f177b..4f42a45b56f 100644
--- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java
+++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java
@@ -314,7 +314,7 @@ void shouldAlertOnlyIfCertainTagValuesArePresent()
 assertThat(alert.getConfidence(), equalTo(Alert.CONFIDENCE_MEDIUM));
 }
- private NanoServerHandler createNanoHandler(
+ private static NanoServerHandler createNanoHandler(
 String path, NanoHTTPD.Response.IStatus status, String responseBody) {
 return new NanoServerHandler(path) {
 @Override
diff --git a/addOns/ascanrulesAlpha/CHANGELOG.md b/addOns/ascanrulesAlpha/CHANGELOG.md
index aa87452afd3..30d6692889f 100644
--- a/addOns/ascanrulesAlpha/CHANGELOG.md
+++ b/addOns/ascanrulesAlpha/CHANGELOG.md
@@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
-
+### Changed
+- Maintenance changes.
 ## [48] - 2024-09-02
 ### Changed
diff --git a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java b/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java
index c15d6bc3a5a..66b168905a0 100644
--- a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java
+++ b/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java
@@ -43,7 +43,8 @@
 *
 * @author psiinon
 */
-public class ExampleFileActiveScanRule extends AbstractAppParamPlugin {
+public class ExampleFileActiveScanRule extends AbstractAppParamPlugin
+ implements CommonActiveScanRuleInfo {
 /** Prefix for internationalized messages used by this rule */
 private static final String MESSAGE_PREFIX = "ascanalpha.examplefile.";
@@ -80,7 +81,7 @@ public String getDescription() {
 return Constant.messages.getString(MESSAGE_PREFIX + "desc");
 }
- private String getOtherInfo() {
+ private static String getOtherInfo() {
 return Constant.messages.getString(MESSAGE_PREFIX + "other");
 }
@@ -155,14 +156,7 @@ public void scan(HttpMessage msg, String param, String value) {
 String evidence;
 if ((evidence = doesResponseContainString(msg.getResponseBody(), attack)) != null) {
 // Raise an alert
- newAlert()
- .setConfidence(Alert.CONFIDENCE_MEDIUM)
- .setParam(param)
- .setAttack(attack)
- .setOtherInfo(getOtherInfo())
- .setEvidence(evidence)
- .setMessage(testMsg)
- .raise();
+ createAlert(param, attack, evidence).setMessage(testMsg).raise();
 return;
 }
 }
@@ -194,7 +188,16 @@ private String doesResponseContainString(HttpBody body, String str) {
 return null;
 }
- private List loadFile(String file) {
+ private AlertBuilder createAlert(String param, String attack, String evidence) {
+ return newAlert()
+ .setConfidence(Alert.CONFIDENCE_MEDIUM)
+ .setParam(param)
+ .setAttack(attack)
+ .setOtherInfo(getOtherInfo())
+ .setEvidence(evidence);
+ }
+
+ private static List loadFile(String file) {
 /*
 * ZAP will have already extracted the file from the add-on and put it underneath the 'ZAP home' directory
 */
@@ -244,4 +247,9 @@ public int getWascId() {
 // The WASC ID
 return 0;
 }
+
+ @Override
+ public List getExampleAlerts() {
+ return List.of(createAlert("foo", "
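Review bot: `private static List loadFile(String file)` keeps the raw `List` type even though the whole signature line is rewritten in this hunk; a raw type silences the compiler on what the elements are and pushes unchecked warnings onto every caller, such as the loop in `scan` that feeds each element to `doesResponseContainString` as the `attack` string. Presumably the file is read as lines of text, so `private static List<String> loadFile(String file) {` would be the fix — confirm against the method body, which lies outside the hunk. The raw `List` on the new `getExampleAlerts()` in the following hunk has the same problem, but that hunk is cut off here.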