Merge pull request #5252 from kingthorin/retire-vid

psiinon · web-flow · commit 53b3a6f1e171 · 2024-01-29T11:38:43.000Z
retire: Only target relevant responses
diff --git a/addOns/retire/CHANGELOG.md b/addOns/retire/CHANGELOG.md
@@ -4,26 +4,21 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Now only targets relevant responses (HTML and JS).
 
 ## [0.29.0] - 2024-01-03
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.28.0] - 2023-12-04
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.27.0] - 2023-11-03
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.26.0] - 2023-10-12
 ### Changed
 - Update minimum ZAP version to 2.14.0.
@@ -39,26 +34,18 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Update minimum ZAP version to 2.13.0.
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.23.0] - 2023-06-02
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.22.0] - 2023-05-03
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.21.0] - 2023-04-04
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.20.0] - 2023-03-03
 ### Changed
 - Updated with upstream retire.js pattern changes.
@@ -73,14 +60,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.17.0] - 2022-11-14
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.16.0] - 2022-10-27
 ### Changed
 - Update minimum ZAP version to 2.12.0.
diff --git a/addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java b/addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java
@@ -33,7 +33,6 @@
 import org.parosproxy.paros.core.scanner.Alert;
 import org.parosproxy.paros.network.HttpMessage;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
-import org.zaproxy.addon.commonlib.ResourceIdentificationUtils;
 import org.zaproxy.addon.retire.model.Repo;
 import org.zaproxy.zap.extension.pscan.PluginPassiveScanner;
 
@@ -61,16 +60,15 @@ public int getPluginId() {
 
     @Override
     public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
-        if (!getHelper().isPage200(msg) || getRepo() == null) {
-            return;
-        }
-        String uri = msg.getRequestHeader().getURI().toString();
-        if (!ResourceIdentificationUtils.isImage(msg) && !ResourceIdentificationUtils.isCss(msg)) {
-            Repo scanRepo = getRepo();
+        Repo scanRepo = getRepo();
+        if (!getHelper().isPage200(msg) || scanRepo == null) {
             if (scanRepo == null) {
                 LOGGER.error("\tThe Retire.js repository was null.");
-                return;
             }
+            return;
+        }
+        String uri = msg.getRequestHeader().getURI().toString();
+        if (msg.getResponseHeader().isHtml() || msg.getResponseHeader().isJavaScript()) {
             Result result = scanRepo.scanJS(msg, source);
             if (result == null) {
                 LOGGER.debug("\tNo vulnerabilities found in record {} with URL {}", id, uri);
diff --git a/addOns/retire/src/test/java/org/zaproxy/addon/retire/RetireScanRuleUnitTest.java b/addOns/retire/src/test/java/org/zaproxy/addon/retire/RetireScanRuleUnitTest.java
@@ -27,17 +27,21 @@
 import static org.mockito.Mockito.any;
 
 import java.io.IOException;
+import java.util.List;
 import java.util.Map;
 import org.apache.commons.httpclient.URI;
 import org.apache.commons.httpclient.URIException;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
 import org.junit.jupiter.params.provider.ValueSource;
+import org.parosproxy.paros.core.scanner.Alert;
 import org.parosproxy.paros.network.HttpHeader;
 import org.parosproxy.paros.network.HttpMalformedHeaderException;
 import org.parosproxy.paros.network.HttpMessage;
 import org.parosproxy.paros.network.HttpRequestHeader;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
+import org.zaproxy.addon.commonlib.http.HttpFieldsNames;
 import org.zaproxy.addon.retire.model.Repo;
 
 class RetireScanRuleUnitTest extends PassiveScannerTest<RetireScanRule> {
@@ -66,34 +70,22 @@ void shouldIgnoreNon200OkMessages() {
         assertEquals(0, alertsRaised.size());
     }
 
-    @Test
-    void shouldIgnoreCssUrl() {
-        // Given
-        HttpMessage msg = createMessage("https://www.example.com/assets/styles.css", null);
-        given(passiveScanData.isPage200(any())).willReturn(true);
-        // When
-        scanHttpResponseReceive(msg);
-        // Then
-        assertEquals(0, alertsRaised.size());
-    }
-
-    @Test
-    void shouldIgnoreCssResponse() {
-        // Given
-        HttpMessage msg = createMessage("https://www.example.com/assets/styles.scss", null);
-        msg.getResponseHeader().addHeader(HttpHeader.CONTENT_TYPE, "text/css");
-        given(passiveScanData.isPage200(any())).willReturn(true);
-        // When
-        scanHttpResponseReceive(msg);
-        // Then
-        assertEquals(0, alertsRaised.size());
-    }
-
-    @Test
-    void shouldIgnoreImageResponse() {
+    @ParameterizedTest
+    @CsvSource({
+        "text/css, style.css",
+        "text/css, style.scss",
+        "'', style.css",
+        "text/css, ''",
+        "text/css, styles",
+        "video/mp4, foo.mp4",
+        "image/gif, ''",
+        "image/gif, foo.gif",
+        "'', image/gif"
+    })
+    void shouldIgnoreIrrelevantResponseContentTypes(String contentType, String file) {
         // Given
-        HttpMessage msg = createMessage("https://www.example.com/assets/image.gif", null);
-        msg.getResponseHeader().addHeader(HttpHeader.CONTENT_TYPE, "image/gif");
+        HttpMessage msg = createMessage("https://www.example.com/assets/" + file, null);
+        msg.getResponseHeader().setHeader(HttpHeader.CONTENT_TYPE, contentType);
         given(passiveScanData.isPage200(any())).willReturn(true);
         // When
         scanHttpResponseReceive(msg);
@@ -106,6 +98,7 @@ void shouldRaiseAlertOnVulnerableUrl() {
         // Given
         HttpMessage msg =
                 createMessage("http://example.com/ajax/libs/angularjs/1.2.19/angular.min.js", null);
+        msg.getResponseHeader().setHeader(HttpFieldsNames.CONTENT_TYPE, "text/javascript");
         given(passiveScanData.isPage200(any())).willReturn(true);
         // When
         scanHttpResponseReceive(msg);
@@ -122,6 +115,7 @@ void shouldRaiseAlertOnVulnerableUrl() {
     void shouldRaiseAlertOnVulnerableFilename(String fileName) {
         // Given
         HttpMessage msg = createMessage("http://example.com/CommonElements/js/" + fileName, null);
+        msg.getResponseHeader().setHeader(HttpFieldsNames.CONTENT_TYPE, "text/javascript");
         given(passiveScanData.isPage200(any())).willReturn(true);
         // When
         scanHttpResponseReceive(msg);
@@ -143,6 +137,7 @@ void shouldRaiseAlertOnVulnerableContent() {
                         + " * Licensed under the MIT license\n"
                         + " */";
         HttpMessage msg = createMessage("http://example.com/angular.min.js", content);
+        msg.getResponseHeader().setHeader(HttpFieldsNames.CONTENT_TYPE, "text/javascript");
         given(passiveScanData.isPage200(any())).willReturn(true);
         // When
         scanHttpResponseReceive(msg);
@@ -166,6 +161,7 @@ void shouldRaiseAlertOnHashOfVulnerableContent() {
                         + " * Licensed under the MIT license\n"
                         + " */";
         HttpMessage msg = createMessage("http://example.com/hash.js", content);
+        msg.getResponseHeader().setHeader(HttpFieldsNames.CONTENT_TYPE, "text/javascript");
         given(passiveScanData.isPage200(any())).willReturn(true);
         // When
         scanHttpResponseReceive(msg);
@@ -212,6 +208,20 @@ void shouldReturnExpectedMappings() {
                 is(equalTo(CommonAlertTag.OWASP_2017_A09_VULN_COMP.getValue())));
     }
 
+    @Test
+    void shouldHaveExpectedExampleAlert() {
+        // Given / When
+        List<Alert> alerts = rule.getExampleAlerts();
+        // Then
+        assertThat(alerts.size(), is(equalTo(1)));
+    }
+
+    @Test
+    @Override
+    public void shouldHaveValidReferences() {
+        super.shouldHaveValidReferences();
+    }
+
     private HttpMessage createMessage(String url, String body) {
         HttpMessage msg = new HttpMessage();
         if (url == null) {
@@ -233,6 +243,7 @@ private HttpMessage createMessage(String url, String body) {
         } catch (HttpMalformedHeaderException e) {
             // Nothing to do
         }
+        msg.getResponseHeader().setHeader(HttpFieldsNames.CONTENT_TYPE, "text/html");
         msg.setResponseBody(body);
 
         return msg;
