authhelper: Tweak auth report escaping

Signed-off-by: kingthorin <[email protected]>

addOns/authhelper/CHANGELOG.md

@@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Fixed
 - Correctly read the API parameters when setting up Browser Based Authentication.
+- Tweaked auth report output to ensure that values are properly escaped.
 
 ## [0.22.0] - 2025-02-12
 ### Added

addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/report/ExtensionAuthhelperReport.java

@@ -24,7 +24,6 @@
 import java.util.List;
 import org.apache.commons.httpclient.URI;
 import org.apache.commons.httpclient.URIException;
-import org.apache.commons.text.StringEscapeUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.parosproxy.paros.Constant;
@@ -215,11 +214,7 @@ public void handle(ReportData reportData) {
             env.addContext(authContext);
             AutomationPlan plan = new AutomationPlan(env, new ArrayList<>(), progress);
             try {
-                if (reportData.getTemplateName().endsWith("-json")) {
-                    ard.setAfEnv(StringEscapeUtils.escapeJson(plan.toYaml()));
-                } else {
-                    ard.setAfEnv(plan.toYaml());
-                }
+                ard.setAfEnv(plan.toYaml());
             } catch (IOException e) {
                 LOGGER.error(e.getMessage(), e);
             }

addOns/authhelper/src/main/javahelp/org/zaproxy/addon/authhelper/resources/help/contents/auth-report-json.html

@@ -120,22 +120,22 @@ <H3>Sample</H3>
 	,"summaryItems": [
 		{
 			"description": "Username field identified",
-			"passed": "true",
+			"passed": true,
 			"key": "auth.summary.username"
 		},
 		{
 			"description": "Password field identified",
-			"passed": "true",
+			"passed": true,
 			"key": "auth.summary.password"
 		},
 		{
 			"description": "Session Handling identified",
-			"passed": "true",
+			"passed": true,
 			"key": "auth.summary.session"
 		},
 		{
 			"description": "Verification URL identified",
-			"passed": "true",
+			"passed": true,
 			"key": "auth.summary.verif"
 		}
 	]
@@ -144,72 +144,72 @@ <H3>Sample</H3>
 		{
 			"key": "stats.auth.browser.foundfields",
 			"scope": "site",
-			"value": "1"
+			"value": 1
 		},
 		{
 			"key": "stats.auth.browser.passed",
 			"scope": "site",
-			"value": "1"
+			"value": 1
 		},
 		{
 			"key": "stats.auth.configure.session.header",
 			"scope": "global",
-			"value": "1"
+			"value": 1
 		},
 		{
 			"key": "stats.auth.configure.verification",
 			"scope": "global",
-			"value": "1"
+			"value": 1
 		},
 		{
 			"key": "stats.auth.detect.auth.json",
 			"scope": "global",
-			"value": "5"
+			"value": 5
 		},
 		{
 			"key": "stats.auth.detect.session.accesstoken",
 			"scope": "global",
-			"value": "5"
+			"value": 5
 		},
 		{
 			"key": "stats.auth.detect.session.authorization",
 			"scope": "global",
-			"value": "1"
+			"value": 1
 		},
 		{
 			"key": "stats.auth.detect.session.token",
 			"scope": "global",
-			"value": "7"
+			"value": 7
 		},
 		{
 			"key": "stats.auth.session.set.header",
 			"scope": "global",
-			"value": "20"
+			"value": 20
 		},
 		{
 			"key": "stats.auth.sessiontoken.accesstoken",
 			"scope": "site",
-			"value": "9"
+			"value": 9
 		},
 		{
 			"key": "stats.auth.sessiontoken.token",
 			"scope": "site",
-			"value": "6"
+			"value": 6
 		},
 		{
 			"key": "stats.auth.sessiontokens.max",
 			"scope": "global",
-			"value": "2"
+			"value": 2
 		},
 		{
 			"key": "stats.auth.state.loggedin",
 			"scope": "site",
-			"value": "2"
+			"value": 2
 		},
 		{
 			"key": "stats.auth.success",
 			"scope": "site",
-			"value": "1"
+			"value": 1
 		}
 	]
 }

addOns/authhelper/src/main/zapHomeFiles/reports/auth-report-json/report.json

@@ -6,21 +6,21 @@
 	[#th:block th:if="${reportData.isIncludeSection('summary')}"]
 	,"summaryItems": [[#th:block th:each="sumItem, sumState: ${rptData.getSummaryItems()}"][#th:block th:if="${! sumState.first}"],[/th:block]
 		{
-			"description": "[(${sumItem.description})]",
-			"passed": "[(${sumItem.passed})]",
-			"key": "[(${sumItem.key})]"
+			"description": [[${sumItem.description}]],
+			"passed": [[${sumItem.passed}]],
+			"key": [[${sumItem.key}]]
 		}[/th:block]
 	]
 	[/th:block]
 	[#th:block th:if="${reportData.isIncludeSection('afenv')}"]
-	,"afEnv": "[(${rptData.getAfEnv()})]"
+	,"afEnv": [[${rptData.getAfEnv()}]]
 	[/th:block]
 	[#th:block th:if="${reportData.isIncludeSection('statistics')}"]
 	,"statistics": [[#th:block th:each="statItem, statState: ${rptData.getStatistics()}"][#th:block th:if="${! statState.first}"],[/th:block]
 		{
-			"key": "[(${statItem.key})]",
-			"scope": "[(${statItem.scope})]",
-			"value": "[(${statItem.value})]"
+			"key": [[${statItem.key}]],
+			"scope": [[${statItem.scope}]],
+			"value": [[${statItem.value}]]
 		}[/th:block]
 	]
 	[/th:block]

addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/report/ExtensionAuthhelperReportUnitTest.java

@@ -30,9 +30,12 @@
 
 import java.io.File;
 import java.nio.file.Files;
+import java.time.LocalDateTime;
+import java.time.ZoneId;
+import java.time.ZonedDateTime;
+import java.time.format.DateTimeFormatter;
 import net.sf.json.JSONArray;
 import net.sf.json.JSONObject;
-import org.apache.commons.text.StringEscapeUtils;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -118,7 +121,7 @@ void shouldGenerateEmptyAuthJsonReport() throws Exception {
         assertThat(json.getString("@programName"), is(equalTo("ZAP")));
         assertThat(json.getString("@version"), is(equalTo("Test Build")));
         assertThat(json.getString("@generated").length(), is(greaterThan(20)));
-        assertThat(json.getString("afEnv"), is(equalTo("")));
+        assertThat(json.getString("afEnv"), is(equalTo("null")));
         assertThat(summaryItems.size(), is(equalTo(0)));
         assertThat(statistics.size(), is(equalTo(0)));
     }
@@ -156,7 +159,7 @@ void shouldGenerateFilledAuthJsonReport() throws Exception {
             password: [email protected]
             username: test123
           name: test""";
-        ard.setAfEnv(StringEscapeUtils.escapeJson(afEnv));
+        ard.setAfEnv(afEnv);
         ard.addSummaryItem(true, "summary.1", "First Item");
         ard.addSummaryItem(false, "summary.2", "Second Item");
         ard.addStatsItem("stats.auth.1", "global", 123);
@@ -197,6 +200,86 @@ void shouldGenerateFilledAuthJsonReport() throws Exception {
         assertThat(statistics.getJSONObject(2).getInt("value"), is(equalTo(5678)));
     }
 
+    @Test
+    void shouldGenerateFilledAuthJsonReportHandlingSpecialCharacters() throws Exception {
+        // Given
+        ExtensionReports extRep = new ExtensionReports();
+        String templateName = "auth-report-json";
+        Template template = getTemplateFromYamlFile(templateName);
+        File f = File.createTempFile(templateName, template.getExtension());
+        ReportData reportData = getGenericReportData(templateName);
+        reportData.setSections(template.getSections());
+        AuthReportData ard = new AuthReportData();
+        reportData.addReportObjects("authdata", ard);
+
+        ard.setSite("https://www.example.com");
+        String afEnv =
+                """
+                  env:
+                  contexts:
+                      name: 'some "quote" name'
+                """;
+        ard.setAfEnv(afEnv);
+        ard.addSummaryItem(true, "summary.1", "Bob's \"Item\"");
+        ard.addSummaryItem(true, "summary.\"2\"", "Foo bar");
+        ard.addStatsItem("stats.auth.1", "foo \"random\" bar", 123);
+        ard.addStatsItem("stats.foo.oops \"foo\" bar", "global", 0);
+        // When
+        File r = extRep.generateReport(reportData, template, f.getAbsolutePath(), false);
+        String report = Files.readString(r.toPath());
+
+        // Then
+        LocalDateTime localDateTime = LocalDateTime.now();
+        ZonedDateTime zonedDateTime = localDateTime.atZone(ZoneId.systemDefault());
+        String current = zonedDateTime.format(DateTimeFormatter.RFC_1123_DATE_TIME);
+        String expected =
+                """
+                {
+                \t\"@programName\": \"ZAP\",
+                \t\"@version\": \"Test Build\",
+                \t\"@generated\": \"@@@replace@@@\",
+                \t\"site\":  \"https:\\/\\/www.example.com\"
+                \t\
+                \t,\"summaryItems\": [
+                \t\t{
+                \t\t\t\"description\": \"Bob's \\\"Item\\\"\",
+                \t\t\t\"passed\": true,
+                \t\t\t\"key\": \"summary.1\"
+                \t\t},
+                \t\t{
+                \t\t\t\"description\": \"Foo bar\",
+                \t\t\t\"passed\": true,
+                \t\t\t\"key\": \"summary.\\\"2\\\"\"
+                \t\t}
+                \t]
+                \t
+                \t
+                \t,\"afEnv\": \"  env:\\n  contexts:\\n      name: 'some \\\"quote\\\" name'\\n\"
+                \t
+                \t
+                \t,\"statistics\": [
+                \t\t{
+                \t\t\t\"key\": \"stats.auth.1\",
+                \t\t\t\"scope\": \"foo \\\"random\\\" bar\",
+                \t\t\t\"value\": 123
+                \t\t},
+                \t\t{
+                \t\t\t\"key\": \"stats.foo.oops \\\"foo\\\" bar\",
+                \t\t\t\"scope\": \"global\",
+                \t\t\t\"value\": 0
+                \t\t}
+                \t]
+                \t
+                }
+
+                """
+                        .replace("@@@replace@@@", current);
+        report =
+                report.replaceAll(
+                        "[a-zA-Z]{3}, \\d{1,2} [a-zA-Z]{3} \\d{4} \\d{2}:\\d{2}:\\d{2}", current);
+        assertThat(report, is(equalTo(expected)));
+    }
+
     static Template getTemplateFromYamlFile(String templateName) throws Exception {
         return new Template(
                 TestUtils.getResourcePath(