pscanrules: add examples alerts to X Chrome logger (#4705)

Signed-off-by: ciceroff <cicero.barrozo13@gmail.com>
zaproxy · Jun 29, 2023 · 04d6b68 · 04d6b68
1 parent d3bacd0
commit 04d6b68
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 12 deletions.
diff --git a/addOns/pscanrules/CHANGELOG.md b/addOns/pscanrules/CHANGELOG.md
@@ -5,7 +5,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 ### Added
-- The X-Backend-Server Scan Rule now includes example alert functionality for documentation generation purposes (Issue 6119).
+- The following now include example alert functionality for documentation generation purposes (Issue 6119):
+    - X-Backend-Server Scan Rule
+    - X-ChromeLogger-Data Header Information Leak Scan Rule
 
 ## [49] - 2023-06-06
 ### Changed

diff --git a/...src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java b/...src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java
@@ -70,17 +70,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
 
         if (!loggerHeaders.isEmpty()) { // Header(s) Found
             for (String xcldField : loggerHeaders) {
-                newAlert()
-                        .setRisk(Alert.RISK_MEDIUM)
-                        .setConfidence(Alert.CONFIDENCE_HIGH)
-                        .setDescription(getDescription())
-                        .setOtherInfo(getOtherInfo(xcldField))
-                        .setSolution(getSolution())
-                        .setReference(getReference())
-                        .setEvidence(xcldField)
-                        .setCweId(200)
-                        .setWascId(13)
-                        .raise();
+                createAlert(xcldField).raise();
             }
         }
         LOGGER.debug("\tScan of record {} took {}ms", id, System.currentTimeMillis() - start);
@@ -125,4 +115,33 @@ private String getOtherInfo(String headerValue) {
     public Map<String, String> getAlertTags() {
         return ALERT_TAGS;
     }
+
+    private AlertBuilder createAlert(String xcldField) {
+        return newAlert()
+                .setRisk(Alert.RISK_MEDIUM)
+                .setConfidence(Alert.CONFIDENCE_HIGH)
+                .setDescription(getDescription())
+                .setOtherInfo(getOtherInfo(xcldField))
+                .setSolution(getSolution())
+                .setReference(getReference())
+                .setEvidence(xcldField)
+                .setCweId(200)
+                .setWascId(13);
+    }
+
+    @Override
+    public List<Alert> getExampleAlerts() {
+        return List.of(
+                createAlert(
+                                "eyJ2ZXJzaW9uIjoiNC4wIiwiY29sdW"
+                                        + "1ucyI6WyJsYWJlbCIsImxvZyIsImJhY2t0cmFjZSIsInR5cGUiXSwicm93cyI"
+                                        + "6W1sicmVxdWVzdCIsIk1hdGNoZWQgcm91dGUgXCJhcHBfc2VjdXJpdHlfbG9n"
+                                        + "aW5cIiAocGFyYW1ldGVyczogXCJfY29udHJvbGxlclwiOiBcIkJhY2tFbmRcX"
+                                        + "EFwcEJ1bmRsZVxcQ29udHJvbGxlclxcU2VjdXJpdHlDb250cm9sbGVyOjpsb2"
+                                        + "dpbkFjdGlvblwiLCBcIl9yb3V0ZVwiOiBcImFwcF9zZWN1cml0eV9sb2dpblw"
+                                        + "iKSIsInVua25vd24iLCJpbmZvIl0sWyJzZWN1cml0eSIsIlBvcHVsYXRlZCBT"
+                                        + "ZWN1cml0eUNvbnRleHQgd2l0aCBhbiBhbm9ueW1vdXMgVG9rZW4iLCJ1bmtub"
+                                        + "3duIiwiaW5mbyJdXSwicmVxdWVzdF91cmkiOiJcL2xvZ2luIn0=")
+                        .build());
+    }
 }
diff --git a/.../java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRuleUnitTest.java b/.../java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRuleUnitTest.java
@@ -26,10 +26,12 @@
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
+import java.util.List;
 import java.util.Map;
 import org.apache.commons.httpclient.URI;
 import org.apache.commons.httpclient.URIException;
 import org.junit.jupiter.api.Test;
+import org.parosproxy.paros.core.scanner.Alert;
 import org.parosproxy.paros.network.HttpMessage;
 import org.parosproxy.paros.network.HttpRequestHeader;
 import org.zaproxy.addon.commonlib.CommonAlertTag;
@@ -150,4 +152,24 @@ void shouldReturnExpectedMappings() {
                 tags.get(CommonAlertTag.WSTG_V42_INFO_05_CONTENT_LEAK.getTag()),
                 is(equalTo(CommonAlertTag.WSTG_V42_INFO_05_CONTENT_LEAK.getValue())));
     }
+
+    @Test
+    void shouldReturnExpectedExampleAlert() {
+        // Given / When
+        List<Alert> alerts = rule.getExampleAlerts();
+
+        // Then
+        assertThat(alerts.size(), is(equalTo(1)));
+
+        Alert alert = alerts.get(0);
+        Map<String, String> tags1 = alert.getTags();
+        assertThat(tags1.size(), is(equalTo(3)));
+        assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_HIGH)));
+        assertThat(
+                tags1.containsKey(CommonAlertTag.OWASP_2017_A03_DATA_EXPOSED.getTag()),
+                is(equalTo(true)));
+        assertThat(
+                tags1.containsKey(CommonAlertTag.OWASP_2021_A04_INSECURE_DESIGN.getTag()),
+                is(equalTo(true)));
+    }
 }