Merge branch 'main' into split-sqli-helper-functions

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    groups:
+      gha:
+        applies-to: version-updates
+        patterns:
+        - "*"

.github/workflows/ci.yml

@@ -23,8 +23,7 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java }}
-      - uses: gradle/actions/wrapper-validation@v3
-      - uses: gradle/actions/setup-gradle@v3
+      - uses: gradle/actions/setup-gradle@v4
         with:
           gradle-home-cache-includes: |
             caches

.github/workflows/codeql.yml

@@ -31,7 +31,7 @@ jobs:
         uses: github/codeql-action/autobuild@v3
 
       - if: matrix.language == 'java'
-        uses: gradle/actions/setup-gradle@v3
+        uses: gradle/actions/setup-gradle@v4
         with:
           cache-read-only: true
           gradle-home-cache-includes: |

addOns/accessControl/CHANGELOG.md

@@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
 ### Changed
 - Update minimum ZAP version to 2.15.0.
+- Maintenance changes.
 
 ## [10] - 2024-03-25
 ### Changed

addOns/accessControl/src/main/javahelp/org/zaproxy/zap/extension/accessControl/resources/help/contents/concepts.html

@@ -97,7 +97,7 @@ <H3 id="id-10102">Access Control Issue - Improper Authorization</H3>
 
 <H2>API</H2>
 
-The Addon exposes the following API endpoints:
+The add-on exposes the following API endpoints:
 
 <H3>Actions</H3>
 	<H4>scan</H4>

addOns/accessControl/src/main/resources/org/zaproxy/zap/extension/accessControl/resources/Messages_fr_FR.properties

@@ -64,7 +64,7 @@ accessControl.scanResult.valid = Valide
 
 accessControl.toolbar.button.options = Options
 accessControl.toolbar.button.pause = Pause
-accessControl.toolbar.button.report = Generate Report
+accessControl.toolbar.button.report = G\u00e9n\u00e9rer le rapport
 accessControl.toolbar.button.start = D\u00e9marrer
 accessControl.toolbar.button.stop = Arr\u00eat
 accessControl.toolbar.button.unpause = Reprendre

addOns/ascanrules/CHANGELOG.md

@@ -4,7 +4,10 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Updated help with specific Category identifiers for use with the Custom Payloads add-on for rules:
+    - Hidden File Finder
+    - User Agent Fuzzer
 
 ## [69] - 2024-10-23
 ### Changed

addOns/ascanrules/src/main/javahelp/org/zaproxy/zap/extension/ascanrules/resources/help/contents/ascanrules.html

@@ -178,7 +178,9 @@ <H2 id="id-40035">Hidden File Finder</H2>
 The original included set of payloads were based on <a href="https://github.com/hannob/snallygaster">Snallygaster</a> by Hanno Böck.
 Such payloads are verified by checking response code, and content. If the response code is 200 (Ok) then additional content checks are performed to increase alert confidence.
 If the response code is 401 (Unauthorized) or 403 (Forbidden) or the content checks are un-successful then an alert is raised with lower confidence (at LOW Threshold).
-<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel. 
+<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own hidden file paths (payloads) in the Custom Payloads options panel. 
+<br>
+The Custom Payloads category for this rule is: <code>Hidden-File</code>.<br>
 For custom payloads only the response status code is checked. If there is a requirement to include a content check then it is also possible to add payloads to 
 the <code>json/hidden_files.json</code> file in ZAP's user directory (in which case they will be treated as included payloads).
 <p>
@@ -443,7 +445,9 @@ <H2 id="id-40029">Trace.axd Information Leak</H2>
 
 <H2 id="id-10104">User Agent Fuzzer</H2>
 This active scan rule checks for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). The rule compares the response statuscode and the hashcode of the response body with the original response.<br>
-<strong>Note:</strong> If the Custom Payloads addon is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
+<strong>Note:</strong> If the Custom Payloads add-on is installed you can add your own User Agent strings (payloads) in the Custom Payloads options panel.
+<br>
+The Custom Payloads category for this rule is: <code>User-Agent</code>.
 <p>
 Latest code: <a href="https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/UserAgentScanRule.java">UserAgentScanRule.java</a>
 <br>

addOns/authhelper/CHANGELOG.md

@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
 
 
+## [0.16.0] - 2024-11-06
+### Fixed
+- Address concurrency issue while passive scanning with the Session Management Response Identified scan rule (Issue 8187).
+
 ## [0.15.1] - 2024-09-02
 ### Changed
 - Restored stats removed in previous release as these could be used in AF tests.
@@ -109,6 +113,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Added
 - Support of authentication request identification and configuration.
 
+[0.16.0]: https://github.com/zaproxy/zap-extensions/releases/authhelper-v0.16.0
 [0.15.1]: https://github.com/zaproxy/zap-extensions/releases/authhelper-v0.15.1
 [0.15.0]: https://github.com/zaproxy/zap-extensions/releases/authhelper-v0.15.0
 [0.14.0]: https://github.com/zaproxy/zap-extensions/releases/authhelper-v0.14.0

addOns/authhelper/gradle.properties

@@ -1,2 +1,2 @@
-version=0.16.0
+version=0.17.0
 release=false

addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/AuthUtils.java

@@ -22,6 +22,7 @@
 import java.net.HttpCookie;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -109,7 +110,8 @@ public class AuthUtils {
      * These are session tokens that have been seen in responses but not yet seen in use. When they
      * are seen in use then they are removed.
      */
-    private static Map<String, SessionToken> knownTokenMap = new HashMap<>();
+    private static Map<String, SessionToken> knownTokenMap =
+            Collections.synchronizedMap(new HashMap<>());
 
     /**
      * The best verification request we have found for a context. There will only be a verification
@@ -665,24 +667,21 @@ public static SessionToken getSessionToken(String value) {
     }
 
     public static SessionToken containsSessionToken(String value) {
-        Optional<Entry<String, SessionToken>> entry =
-                knownTokenMap.entrySet().stream()
-                        .filter(m -> value.contains(m.getKey()))
-                        .findFirst();
+        Optional<Entry<String, SessionToken>> entry;
+        synchronized (knownTokenMap) {
+            entry =
+                    knownTokenMap.entrySet().stream()
+                            .filter(m -> value.contains(m.getKey()))
+                            .findFirst();
+        }
         if (entry.isPresent()) {
             return entry.get().getValue();
         }
         return null;
     }
 
-    public static void removeSessionToken(SessionToken token) {
-        Optional<Entry<String, SessionToken>> entry =
-                knownTokenMap.entrySet().stream()
-                        .filter(m -> m.getValue().equals(token))
-                        .findFirst();
-        if (entry.isPresent()) {
-            knownTokenMap.remove(token.getValue());
-        }
+    static void removeSessionToken(SessionToken token) {
+        knownTokenMap.remove(token.getValue());
     }
 
     public static void clean() {

addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/AuthUtilsUnitTest.java

@@ -30,6 +30,11 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicBoolean;
 import org.apache.commons.httpclient.URI;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -60,6 +65,36 @@ void setUp() throws Exception {
         AuthUtils.clean();
     }
 
+    @Test
+    void shouldCheckContainsSessionTokenWhileAddingAndRemoving() throws Exception {
+        // Given
+        AtomicBoolean concurrentModification = new AtomicBoolean();
+        CountDownLatch cdl = new CountDownLatch(2500);
+        ScheduledExecutorService executor = Executors.newScheduledThreadPool(3);
+        SessionToken token = new SessionToken("source", "key", "value");
+        executor.scheduleAtFixedRate(
+                () -> AuthUtils.recordSessionToken(token), 0, 1, TimeUnit.MILLISECONDS);
+        executor.scheduleAtFixedRate(
+                () -> AuthUtils.removeSessionToken(token), 0, 1, TimeUnit.MILLISECONDS);
+        // When
+        executor.scheduleAtFixedRate(
+                () -> {
+                    try {
+                        AuthUtils.containsSessionToken(token.getValue());
+                    } catch (Exception e) {
+                        concurrentModification.set(true);
+                    }
+                    cdl.countDown();
+                },
+                0,
+                1,
+                TimeUnit.MILLISECONDS);
+        // Then
+        cdl.await(5000, TimeUnit.SECONDS);
+        executor.shutdownNow();
+        assertThat(concurrentModification.get(), is(equalTo(false)));
+    }
+
     @Test
     void shouldReturnUserTextField() throws Exception {
         // Given

addOns/automation/CHANGELOG.md

@@ -6,8 +6,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ## Unreleased
 ### Added
 - Active scan policy job.
+- Add job to configure the active scanner, `activeScan-config`.
+- Allow to enable/disable jobs (Issue 5845).
 
 ### Changed
+- Updated automation framework documentation and templates for `activeScan` job to reflect changes to the default value of threadPerHost parameter
 - Update help for the "requestor" job.
 - Update help to indicate that job order is important (Issue 8675).
 - Fields with default or missing values are omitted for the following automation jobs in saved plans:
@@ -18,6 +21,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Fixed
 - Templates generated with `-autogenmin` or `-autogenmax` were invalid in some cases.
 - Allow to choose one thread for the `activeScan` job through the GUI.
+- Active Scan jobs will once again use the default policy if neither a policy nor a policyDefinition has been set.
 
 ## [0.43.0] - 2024-10-07
 ### Fixed

addOns/automation/src/main/java/org/zaproxy/addon/automation/AutomationJob.java

@@ -49,6 +49,7 @@ public abstract class AutomationJob implements Comparable<AutomationJob> {
     private static final int ZERO_TESTS = 0;
 
     public enum Status {
+        NOT_ENABLED,
         NOT_STARTED,
         RUNNING,
         COMPLETED
@@ -62,6 +63,7 @@ public enum Status {
     private AutomationPlan plan;
     private long timeStarted;
     private long timeFinished;
+    private boolean enabled = true;
 
     public enum Order {
         RUN_FIRST,
@@ -123,6 +125,14 @@ public String getSummary() {
         return EMPTY_SUMMARY;
     }
 
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    public void setEnabled(boolean enabled) {
+        this.enabled = enabled;
+    }
+
     public int addDefaultTests(AutomationProgress progress) {
         return ZERO_TESTS;
     }

addOns/automation/src/main/java/org/zaproxy/addon/automation/AutomationPlan.java

@@ -130,6 +130,18 @@ public AutomationPlan(ExtensionAutomation ext, File file) throws IOException {
                                             "automation.error.job.data", paramsObj));
                             continue;
                         }
+
+                        Object jobEnabled = jobData.get("enabled");
+                        if (jobEnabled != null) {
+                            if (jobEnabled instanceof Boolean) {
+                                job.setEnabled((Boolean) jobEnabled);
+                            } else {
+                                progress.warn(
+                                        Constant.messages.getString(
+                                                "automation.error.job.enabled", jobEnabled));
+                            }
+                        }
+
                         job.setEnv(env);
                         job.setJobData(jobData);
                         job.verifyParameters(progress);

addOns/automation/src/main/java/org/zaproxy/addon/automation/ExtensionAutomation.java

@@ -62,6 +62,7 @@
 import org.yaml.snakeyaml.Yaml;
 import org.zaproxy.addon.automation.gui.AutomationPanel;
 import org.zaproxy.addon.automation.gui.OptionsPanel;
+import org.zaproxy.addon.automation.jobs.ActiveScanConfigJob;
 import org.zaproxy.addon.automation.jobs.ActiveScanJob;
 import org.zaproxy.addon.automation.jobs.ActiveScanPolicyJob;
 import org.zaproxy.addon.automation.jobs.DelayJob;
@@ -70,6 +71,7 @@
 import org.zaproxy.zap.ZAP;
 import org.zaproxy.zap.ZAP.ProcessType;
 import org.zaproxy.zap.eventBus.Event;
+import org.zaproxy.zap.extension.ascan.ExtensionActiveScan;
 import org.zaproxy.zap.extension.script.ScriptVars;
 import org.zaproxy.zap.utils.Stats;
 
@@ -128,6 +130,11 @@ public void init() {
         registerAutomationJob(new org.zaproxy.addon.automation.jobs.AddOnJob());
         registerAutomationJob(new RequestorJob());
         registerAutomationJob(new DelayJob());
+        registerAutomationJob(
+                new ActiveScanConfigJob(
+                        Control.getSingleton()
+                                .getExtensionLoader()
+                                .getExtension(ExtensionActiveScan.class)));
         registerAutomationJob(new ActiveScanJob());
         registerAutomationJob(new ActiveScanPolicyJob());
         registerAutomationJob(new ParamsJob());
@@ -369,6 +376,14 @@ public AutomationProgress runPlan(AutomationPlan plan, boolean resetProgress) {
         }
 
         for (AutomationJob job : jobsToRun) {
+
+            if (!job.isEnabled()) {
+                progress.info(
+                        Constant.messages.getString("automation.info.jobdisabled", job.getType()));
+                job.setStatus(AutomationJob.Status.NOT_ENABLED);
+                continue;
+            }
+
             job.applyParameters(progress);
             progress.info(Constant.messages.getString("automation.info.jobstart", job.getType()));
             job.setStatus(AutomationJob.Status.RUNNING);