authhelper: Tweak auth report escaping

Signed-off-by: kingthorin <[email protected]>
zaproxy · Feb 21, 2025 · e17f553 · e17f553
1 parent a86b697
commit e17f553
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 13 deletions.
diff --git a/addOns/authhelper/CHANGELOG.md b/addOns/authhelper/CHANGELOG.md
@@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Fixed
 - Correctly read the API parameters when setting up Browser Based Authentication.
+- Tweaked auth report output to ensure that values are properly escaped.
 
 ## [0.22.0] - 2025-02-12
 ### Added

diff --git a/.../main/javahelp/org/zaproxy/addon/authhelper/resources/help/contents/auth-report-json.html b/.../main/javahelp/org/zaproxy/addon/authhelper/resources/help/contents/auth-report-json.html
@@ -120,22 +120,22 @@ <H3>Sample</H3>
 	,"summaryItems": [
 		{
 			"description": "Username field identified",
-			"passed": "true",
+			"passed": true,
 			"key": "auth.summary.username"
 		},
 		{
 			"description": "Password field identified",
-			"passed": "true",
+			"passed": true,
 			"key": "auth.summary.password"
 		},
 		{
 			"description": "Session Handling identified",
-			"passed": "true",
+			"passed": true,
 			"key": "auth.summary.session"
 		},
 		{
 			"description": "Verification URL identified",
-			"passed": "true",
+			"passed": true,
 			"key": "auth.summary.verif"
 		}
 	]

diff --git a/addOns/authhelper/src/main/zapHomeFiles/reports/auth-report-json/report.json b/addOns/authhelper/src/main/zapHomeFiles/reports/auth-report-json/report.json
@@ -6,21 +6,21 @@
 	[#th:block th:if="${reportData.isIncludeSection('summary')}"]
 	,"summaryItems": [[#th:block th:each="sumItem, sumState: ${rptData.getSummaryItems()}"][#th:block th:if="${! sumState.first}"],[/th:block]
 		{
-			"description": "[(${sumItem.description})]",
-			"passed": "[(${sumItem.passed})]",
-			"key": "[(${sumItem.key})]"
+			"description": [[${sumItem.description}]],
+			"passed": [[${sumItem.passed}]],
+			"key": [[${sumItem.key}]]
 		}[/th:block]
 	]
 	[/th:block]
 	[#th:block th:if="${reportData.isIncludeSection('afenv')}"]
-	,"afEnv": "[(${rptData.getAfEnv()})]"
+	,"afEnv": [[${rptData.getAfEnv()}]]
 	[/th:block]
 	[#th:block th:if="${reportData.isIncludeSection('statistics')}"]
 	,"statistics": [[#th:block th:each="statItem, statState: ${rptData.getStatistics()}"][#th:block th:if="${! statState.first}"],[/th:block]
 		{
-			"key": "[(${statItem.key})]",
-			"scope": "[(${statItem.scope})]",
-			"value": "[(${statItem.value})]"
+			"key": [[${statItem.key}]],
+			"scope": [[${statItem.scope}]],
+			"value": [[${statItem.value}]]
 		}[/th:block]
 	]
 	[/th:block]

diff --git a/.../src/test/java/org/zaproxy/addon/authhelper/report/ExtensionAuthhelperReportUnitTest.java b/.../src/test/java/org/zaproxy/addon/authhelper/report/ExtensionAuthhelperReportUnitTest.java
@@ -30,6 +30,10 @@
 
 import java.io.File;
 import java.nio.file.Files;
+import java.time.LocalDateTime;
+import java.time.ZoneId;
+import java.time.ZonedDateTime;
+import java.time.format.DateTimeFormatter;
 import net.sf.json.JSONArray;
 import net.sf.json.JSONObject;
 import org.apache.commons.text.StringEscapeUtils;
@@ -118,7 +122,7 @@ void shouldGenerateEmptyAuthJsonReport() throws Exception {
         assertThat(json.getString("@programName"), is(equalTo("ZAP")));
         assertThat(json.getString("@version"), is(equalTo("Test Build")));
         assertThat(json.getString("@generated").length(), is(greaterThan(20)));
-        assertThat(json.getString("afEnv"), is(equalTo("")));
+        assertThat(json.getString("afEnv"), is(equalTo("null")));
         assertThat(summaryItems.size(), is(equalTo(0)));
         assertThat(statistics.size(), is(equalTo(0)));
     }
@@ -172,7 +176,7 @@ void shouldGenerateFilledAuthJsonReport() throws Exception {
 
         // Then
         assertThat(json.getString("site"), is(equalTo("https://www.example.com")));
-        assertThat(json.getString("afEnv"), is(equalTo(afEnv)));
+        assertThat(json.getString("afEnv"), is(equalTo(StringEscapeUtils.escapeJson(afEnv))));
         assertThat(summaryItems.size(), is(equalTo(2)));
         assertThat(summaryItems.getJSONObject(0), is(notNullValue()));
         assertThat(summaryItems.getJSONObject(0).getBoolean("passed"), is(equalTo(true)));
@@ -197,6 +201,47 @@ void shouldGenerateFilledAuthJsonReport() throws Exception {
         assertThat(statistics.getJSONObject(2).getInt("value"), is(equalTo(5678)));
     }
 
+    @Test
+    void shouldGenerateFilledAuthJsonReportHandlingSpecialCharacters() throws Exception {
+        // Given
+        ExtensionReports extRep = new ExtensionReports();
+        String templateName = "auth-report-json";
+        Template template = getTemplateFromYamlFile(templateName);
+        File f = File.createTempFile(templateName, template.getExtension());
+        ReportData reportData = getGenericReportData(templateName);
+        reportData.setSections(template.getSections());
+        AuthReportData ard = new AuthReportData();
+        reportData.addReportObjects("authdata", ard);
+
+        ard.setSite("https://www.example.com");
+        String afEnv =
+                """
+                  env:
+                  contexts:
+                      name: placeholder
+                """;
+        ard.setAfEnv(StringEscapeUtils.escapeJson(afEnv));
+        ard.addSummaryItem(true, "summary.1", "Bob's \"Item\"");
+        ard.addStatsItem("stats.auth.1", "global", 123);
+        ard.addStatsItem("stats.other.1", "site", 456);
+        ard.addStatsItem("stats.foo.oops \"foo\" bar", "global", 0);
+        // When
+        File r = extRep.generateReport(reportData, template, f.getAbsolutePath(), false);
+        String report = new String(Files.readAllBytes(r.toPath()));
+
+        // Then
+        LocalDateTime localDateTime = LocalDateTime.now();
+        ZonedDateTime zonedDateTime = localDateTime.atZone(ZoneId.systemDefault());
+        String current = zonedDateTime.format(DateTimeFormatter.RFC_1123_DATE_TIME);
+        String expected =
+                "{\n\t\"@programName\": \"ZAP\",\n\t\"@version\": \"Test Build\",\n\t\"@generated\": \"@@@replace@@@\",\n\t\"site\":  \"https:\\/\\/www.example.com\"\n\t\n\t,\"summaryItems\": [\n\t\t{\n\t\t\t\"description\": \"Bob's \\\"Item\\\"\",\n\t\t\t\"passed\": true,\n\t\t\t\"key\": \"summary.1\"\n\t\t}\n\t]\n\t\n\t\n\t,\"afEnv\": \"  env:\\\\n  contexts:\\\\n      name: placeholder\\\\n\"\n\t\n\t\n\t,\"statistics\": [\n\t\t{\n\t\t\t\"key\": \"stats.auth.1\",\n\t\t\t\"scope\": \"global\",\n\t\t\t\"value\": 123\n\t\t},\n\t\t{\n\t\t\t\"key\": \"stats.foo.oops \\\"foo\\\" bar\",\n\t\t\t\"scope\": \"global\",\n\t\t\t\"value\": 0\n\t\t},\n\t\t{\n\t\t\t\"key\": \"stats.other.1\",\n\t\t\t\"scope\": \"site\",\n\t\t\t\"value\": 456\n\t\t}\n\t]\n\t\n}\n"
+                        .replace("@@@replace@@@", current);
+        report =
+                report.replaceAll(
+                        "[a-zA-Z]{3}, \\d{1,2} [a-zA-Z]{3} \\d{4} \\d{2}:\\d{2}:\\d{2}", current);
+        assertThat(report, is(equalTo(expected)));
+    }
+
     static Template getTemplateFromYamlFile(String templateName) throws Exception {
         return new Template(
                 TestUtils.getResourcePath(