ascanrules: Refactor sqli scan rule into helper functions #5868

Merged
merged 1 commit into from
Nov 25, 2024

@FiveOFive (Contributor) commented Oct 31, 2024

Overview

Cleaning up sql injection scan rule code ahead of making updates for false positives in zaproxy/zaproxy#8652. This change is just to split the different types of sql injection tests into helper functions. No logic changes. This makes it easier to tell what types of sql injection tests the rule is running and to find the code for each one.

May want to merge these other PRs with unit tests first:

Related Issues

Checklist

  • Update help
  • Update changelog
  • Run ./gradlew spotlessApply for code formatting
  • Write tests
  • Check code coverage
  • Sign-off commits
  • Squash commits
  • Use a descriptive title

@thc202 thc202 changed the title Refactor sqli scan rule into helper functions ascanrules: Refactor sqli scan rule into helper functions Oct 31, 2024
@thc202 thc202 mentioned this pull request Nov 16, 2024
@FiveOFive (Contributor, Author)

Fix merged commit and rebased with main. This is just copy/pasting the different types of sql injection logic into helper functions. Unfortunately, the git diff doesn't seem to pick up the changes as cleanly as it could and it looks messier than it is. Not sure what's up with that.

@thc202 (Member) commented Nov 19, 2024

Needs to ignore whitespace changes: https://github.com/zaproxy/zap-extensions/pull/5868/files?diff=unified&w=1

prefixStrings = new String[] {"", origParamValue};
} else {
prefixStrings = new String[] {""};
testErrorBasedSqlInjection(param, origParamValue);
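
Review bot: The call to testErrorBasedSqlInjection(param, origParamValue) on the last line is a bare statement, so the caller learns nothing from it: a return inside the helper only leaves the helper, and execution carries on to whatever follows here. Either have the helper return a boolean that the caller checks, or test isStop() immediately after the call before starting the next case.
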
Member

I think this is changing the behaviour, the returns that would return from the scan method are now just returning from the extracted methods (and flow continues here), I didn't check the whole code yet but at least it should have isStop checks between them.

Contributor, Author

Good catch. Updated to skip remaining cases if either isStop() or sqlInjectionFoundForUrl
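
The control-flow change discussed in this review thread, as an added Java example that is not the PR's or ZAP's code: once a test is extracted into a helper, its `return` no longer ends the scan, so without a guard the rule keeps running the remaining tests after a finding or a stop request. The class, the helper bodies and the names `testBooleanBasedSqlInjection` and `testUnionBasedSqlInjection` are hypothetical; `isStop()`, `sqlInjectionFoundForUrl` and `testErrorBasedSqlInjection` are the names used in the comments above.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical stand-in for a scan rule; not ZAP's actual SQL injection rule.
public class ExtractedHelperFlow {
    boolean stopRequested;            // what isStop() reports
    boolean sqlInjectionFoundForUrl;  // set by a helper when it records a finding
    final List<String> ran = new ArrayList<>();

    boolean isStop() { return stopRequested; }

    // After extraction, `return` only leaves this helper, not the scan method.
    void testErrorBasedSqlInjection(String param, String value) {
        ran.add("error-based");
        if (value.contains("'")) {    // constructed trigger standing in for a real check
            sqlInjectionFoundForUrl = true;
            return;                   // before the refactor this ended the whole scan
        }
    }

    void testBooleanBasedSqlInjection(String param, String value) { ran.add("boolean-based"); }
    void testUnionBasedSqlInjection(String param, String value) { ran.add("union-based"); }

    // Naive extraction: flow continues after a finding or a stop request.
    void scanNaive(String param, String value) {
        testErrorBasedSqlInjection(param, value);
        testBooleanBasedSqlInjection(param, value);
        testUnionBasedSqlInjection(param, value);
    }

    // Guarded: skip the remaining cases once stopped or a finding is recorded.
    void scanGuarded(String param, String value) {
        testErrorBasedSqlInjection(param, value);
        if (isStop() || sqlInjectionFoundForUrl) return;
        testBooleanBasedSqlInjection(param, value);
        if (isStop() || sqlInjectionFoundForUrl) return;
        testUnionBasedSqlInjection(param, value);
    }

    public static void main(String[] args) {
        ExtractedHelperFlow naive = new ExtractedHelperFlow();
        naive.scanNaive("id", "1'");
        System.out.println("naive:   " + naive.ran);

        ExtractedHelperFlow guarded = new ExtractedHelperFlow();
        guarded.scanGuarded("id", "1'");
        System.out.println("guarded: " + guarded.ran);
    }
}
```
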

@thc202 (Member) commented Nov 25, 2024

Thank you!

@kingthorin kingthorin merged commit e56eaab into zaproxy:main Nov 25, 2024
10 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Nov 25, 2024
@kingthorin (Member)

🎉
Thank you!!
