pscanrulesBeta: fix isolation scan rule isPage200 check #5957
Conversation
|
All contributors have signed the CLA ✍️ ✅ |
|
It is my understanding that this check is intended to filter out any non-success pages. I also thought it would make sense that non-200 custom pages should be filtered out, but the If this understanding is wrong, the failing test ( |
atezet
force-pushed
the
fix-isolation-scan-rule
branch
from
f599284
to
d2744e7
Compare
|
I have read the CLA Document and I hereby sign the CLA |
atezet
force-pushed
the
fix-isolation-scan-rule
branch
from
d2744e7
to
956a685
Compare
thc202
changed the title
| HttpMessage msg = new HttpMessage(); | ||
| msg.setRequestHeader("GET / HTTP/1.1"); | ||
| msg.setResponseHeader("HTTP/1.1 200 OK\r\n"); | ||
| given(passiveScanData.isPage200(any())).willReturn(true); |
There was a problem hiding this comment.
As you noticed elsewhere this is unnecessary because a simple status code check is done first.
There was a problem hiding this comment.
Made some more changes, adding back a different mock. This conversation is irrelevant now.
| HttpMessage msg = new HttpMessage(); | ||
| msg.setRequestHeader("GET / HTTP/1.1"); | ||
| msg.setResponseHeader("HTTP/1.1 200 OK\r\n" + "Content-Type: text/html"); | ||
| given(passiveScanData.isPage200(any())).willReturn(false); |
There was a problem hiding this comment.
Removed this whole test, as this was meant to trigger a path that never existed (see earlier comment)
There was a problem hiding this comment.
Then set 404 instead of 200 🙂
There was a problem hiding this comment.
I tried to replicate the Custom Pages example, but that didn't work in the old situation. I re-added the test, as this version using PassiveScanData.isSuccess actually works!
It's actually a lot more involved than that, but yes it ultimately falls back to purely 200 if the user hasn't set any custom pages and analyzer wasn't able to identify the 404 handling. |
| if (!HttpStatusCode.isSuccess(msg.getResponseHeader().getStatusCode()) | ||
| // Specs don't state that errors pages should be excluded. However, successful responses are | ||
| // associated to a resource that should be protected, while error pages are not. Therefore, | ||
| // only consider HTTP Status code 2XX to avoid a False Positive | ||
| if (HttpStatusCode.isSuccess(msg.getResponseHeader().getStatusCode()) | ||
| || getHelper().isPage200(msg)) { |
There was a problem hiding this comment.
The correct is to call !isSuccess(msg).
There was a problem hiding this comment.
So, I changed the flow from if !A return else do_something() to if A do_something(). This because A here was what is causing the bug; namely that if isPage200(...) the HttpMessage is skipped. So I believe this should either be:
if (!HttpStatusCode.isSuccess(msg.getResponseHeader().getStatusCode())
&& !getHelper().isPage200(msg)) {
return;
}
rules.forEach(...);
or (what I wrote)
if (HttpStatusCode.isSuccess(msg.getResponseHeader().getStatusCode())
|| getHelper().isPage200(msg)) {
rules.forEach(...);
}
That is; only scan pages that have status code 200-299 or are configured as non-standard error handling conditions as "page200" (see https://www.zaproxy.org/docs/desktop/start/features/custompages/). We could discuss whether this is what we want it to be, but at least we won't have so many false negatives as we have now.
There was a problem hiding this comment.
Might be that the UI is not that clear but I highlighted the original code, which would be lines 91 to 92. I'm saying that the original code should have been (and should be) !isSuccess(msg). Note that isSuccess(HttpMessage) is other method than HttpStatusCode.isSuccess(HttpMessage), and isPage200 is already taken into account in the former.
There was a problem hiding this comment.
Ah, thanks that makes sense. Shall I change my PR up s.t. it uses isSuccess(msg)? I think that this is exactly what I was aiming for all along
There was a problem hiding this comment.
Changed it! Also fixed the tests by (re)adding mocks/stubs for isSuccess as it didn't seem to work otherwise
atezet
force-pushed
the
fix-isolation-scan-rule
branch
from
2500a96
to
6de769c
Compare
|
No New Or Fixed Issues Found |
Overview
Fix a bug in the site isolation scan rule.
Related Issues
zaproxy/zaproxy#8735
Checklist
./gradlew spotlessApplyfor code formattingFor more details, please refer to the developer rules and guidelines.