From 5b199c97b42f26c199c7fb28c529b7158cf1083e Mon Sep 17 00:00:00 2001 From: kingthorin Date: Tue, 16 Jul 2024 13:25:28 -0400 Subject: [PATCH] scan rules: Clean code tweaks - Add static modifier where applicable. - CHANGELOG > Add maintenance note (if there wasn't already one present). - pscanrules > Made resource message methods private again where example alerts have been implemented, or removed them where there was only a single usage (inlining the Contstant resource message usage). --- addOns/ascanrules/CHANGELOG.md | 3 +- .../ascanrules/BufferOverflowScanRule.java | 2 +- .../ascanrules/CommandInjectionScanRule.java | 2 +- .../ascanrules/DirectoryBrowsingScanRule.java | 2 +- .../ascanrules/ExternalRedirectScanRule.java | 4 +- .../ascanrules/FormatStringScanRule.java | 2 +- .../ascanrules/PaddingOracleScanRule.java | 2 +- .../ascanrules/PathTraversalScanRule.java | 6 +-- .../SourceCodeDisclosureWebInfScanRule.java | 4 +- .../ascanrules/Spring4ShellScanRule.java | 6 +-- .../ExternalRedirectScanRuleUnitTest.java | 4 +- .../HiddenFilesScanRuleUnitTest.java | 2 +- .../ascanrules/XxeScanRuleUnitTest.java | 2 +- addOns/ascanrulesAlpha/CHANGELOG.md | 1 + .../ExampleFileActiveScanRule.java | 8 +--- .../BackupFileDisclosureScanRule.java | 2 +- .../HttpParameterPollutionScanRule.java | 2 +- .../IntegerOverflowScanRule.java | 8 ++-- .../ProxyDisclosureScanRule.java | 8 +--- .../RelativePathConfusionScanRule.java | 2 +- .../SessionFixationScanRule.java | 2 +- .../ascanrulesBeta/SlackerCookieScanRule.java | 21 +++++---- ...ceCodeDisclosureFileInclusionScanRule.java | 4 +- .../SourceCodeDisclosureGitScanRule.java | 4 +- .../UsernameEnumerationScanRule.java | 2 +- .../CsrfTokenScanRuleUnitTest.java | 4 +- .../pscanrules/AntiClickjackingScanRule.java | 4 +- .../pscanrules/BigRedirectsScanRule.java | 8 +--- .../pscanrules/CharsetMismatchScanRule.java | 8 ++-- .../ContentSecurityPolicyMissingScanRule.java | 2 +- .../ContentSecurityPolicyScanRule.java | 6 +-- .../CookieLooselyScopedScanRule.java | 5 +- .../CrossDomainMisconfigurationScanRule.java | 11 +---- .../CsrfCountermeasuresScanRule.java | 4 +- .../pscanrules/DirectoryBrowsingScanRule.java | 33 ++----------- .../pscanrules/HashDisclosureScanRule.java | 21 +++------ .../pscanrules/HeartBleedScanRule.java | 26 +++-------- .../pscanrules/InfoSessionIdUrlScanRule.java | 6 +-- ...ormationDisclosureDebugErrorsScanRule.java | 2 +- .../InformationDisclosureInUrlScanRule.java | 8 ++-- ...InformationDisclosureReferrerScanRule.java | 14 +++--- ...nDisclosureSuspiciousCommentsScanRule.java | 6 +-- .../pscanrules/InsecureFormLoadScanRule.java | 16 ++----- .../pscanrules/InsecureFormPostScanRule.java | 16 ++----- .../InsecureJsfViewStatePassiveScanRule.java | 6 +-- .../pscanrules/LinkTargetScanRule.java | 18 ++------ .../ModernAppDetectionScanRule.java | 12 +---- .../zap/extension/pscanrules/PiiScanRule.java | 2 +- .../RetrievedFromCacheScanRule.java | 18 ++------ .../StrictTransportSecurityScanRule.java | 6 +-- .../UserControlledCharsetScanRule.java | 19 ++------ .../UserControlledCookieScanRule.java | 26 ++--------- .../UserControlledHTMLAttributesScanRule.java | 46 +++++-------------- ...UserControlledJavascriptEventScanRule.java | 38 +++++---------- .../UserControlledOpenRedirectScanRule.java | 24 ++-------- .../pscanrules/UsernameIdorScanRule.java | 26 +++-------- .../pscanrules/ViewstateScanRule.java | 8 +--- ...XBackendServerInformationLeakScanRule.java | 12 +---- .../XChromeLoggerDataInfoLeakScanRule.java | 20 ++------ .../pscanrules/XDebugTokenScanRule.java | 4 +- .../XPoweredByHeaderInfoLeakScanRule.java | 4 +- ...ContentSecurityPolicyScanRuleUnitTest.java | 8 ++-- .../ContentTypeMissingScanRuleUnitTest.java | 2 +- .../CookieLooselyScopedScanRuleUnitTest.java | 2 +- .../CsrfCountermeasuresScanRuleUnitTest.java | 2 +- .../DirectoryBrowsingScanRuleUnitTest.java | 2 +- .../HashDisclosureScanRuleUnitTest.java | 2 +- ...vateAddressDisclosureScanRuleUnitTest.java | 4 +- .../InfoSessionIdUrlScanRuleUnitTest.java | 2 +- .../InsecureFormLoadScanRuleUnitTest.java | 2 +- .../InsecureFormPostScanRuleUnitTest.java | 2 +- ...reJsfViewStatePassiveScanRuleUnitTest.java | 3 +- .../LinkTargetScanRuleUnitTest.java | 2 +- .../pscanrules/PiiScanRuleUnitTest.java | 2 +- .../RetrievedFromCacheScanRuleUnitTest.java | 2 +- .../ServerHeaderInfoLeakScanRuleUnitTest.java | 2 +- ...rictTransportSecurityScanRuleUnitTest.java | 2 +- .../pscanrules/ViewStateScanRuleUnitTest.java | 2 +- .../XAspNetVersionScanRuleUnitTest.java | 2 +- ...ServerInformationLeakScanRuleUnitTest.java | 2 +- ...omeLoggerDataInfoLeakScanRuleUnitTest.java | 2 +- .../XDebugTokenScanRuleUnitTest.java | 2 +- addOns/pscanrulesAlpha/CHANGELOG.md | 1 + .../ExampleFilePassiveScanRule.java | 26 ++--------- .../FullPathDisclosureScanRule.java | 19 ++------ ...tchMetadataRequestHeadersScanRuleTest.java | 4 +- .../FullPathDisclosureScanRuleUnitTest.java | 2 +- addOns/pscanrulesBeta/CHANGELOG.md | 3 ++ .../pscanrulesBeta/CacheableScanRule.java | 2 +- .../pscanrulesBeta/JsFunctionScanRule.java | 18 ++------ .../extension/pscanrulesBeta/JsoScanRule.java | 2 +- .../SourceCodeDisclosureScanRule.java | 21 +++------ ...SubResourceIntegrityAttributeScanRule.java | 4 +- .../CacheableScanRuleUnitTest.java | 4 +- .../InPageBannerInfoLeakScanRuleUnitTest.java | 2 +- .../JsFunctionScanRuleUnitTest.java | 3 +- ...letParameterPollutionScanRuleUnitTest.java | 3 +- .../SourceCodeDisclosureScanRuleUnitTest.java | 6 +-- 98 files changed, 245 insertions(+), 520 deletions(-) diff --git a/addOns/ascanrules/CHANGELOG.md b/addOns/ascanrules/CHANGELOG.md index 1c1c3534e21..215aca84a53 100644 --- a/addOns/ascanrules/CHANGELOG.md +++ b/addOns/ascanrules/CHANGELOG.md @@ -4,7 +4,8 @@ All notable changes to this add-on will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## Unreleased - +### Changed +- Maintenance changes. ## [67] - 2024-07-22 diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java index c193ccea6dc..9092934fe8d 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflowScanRule.java @@ -169,7 +169,7 @@ public int getWascId() { return 7; } - private String randomCharacterString(int length) { + private static String randomCharacterString(int length) { StringBuilder sb1 = new StringBuilder(length + 1); int counter = 0; int character = 0; diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java index 0c09e878408..9442f8200d0 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java @@ -366,7 +366,7 @@ public int getRisk() { return Alert.RISK_HIGH; } - private String getOtherInfo(TestType testType, String testValue) { + private static String getOtherInfo(TestType testType, String testValue) { return Constant.messages.getString( MESSAGE_PREFIX + "otherinfo." + testType.getNameKey(), testValue); } diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java index 92cfeff183d..5bc72d6f7d0 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/DirectoryBrowsingScanRule.java @@ -95,7 +95,7 @@ public String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - private void checkIfDirectory(HttpMessage msg) throws URIException { + private static void checkIfDirectory(HttpMessage msg) throws URIException { URI uri = msg.getRequestHeader().getURI(); uri.setQuery(null); diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java index da5c9d1add9..292036d408b 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRule.java @@ -342,7 +342,7 @@ private static boolean isRedirectHost(String value, boolean escaped) throws URIE * @param msg the current message where reflected redirection should be check into * @return get back the redirection type if exists */ - private int isRedirected(String payload, HttpMessage msg) { + private static int isRedirected(String payload, HttpMessage msg) { // (1) Check if redirection by "Location" header // http://en.wikipedia.org/wiki/HTTP_location @@ -471,7 +471,7 @@ private static boolean isRedirectPresent(Pattern pattern, String value) { * @param type the redirection type * @return a string representing the reason of this redirection */ - private String getRedirectionReason(int type) { + private static String getRedirectionReason(int type) { switch (type) { case REDIRECT_LOCATION_HEADER: return Constant.messages.getString(MESSAGE_PREFIX + "reason.location.header"); diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java index 352b6926f6e..fdeb28aad5f 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/FormatStringScanRule.java @@ -105,7 +105,7 @@ public String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - private String getError(char c) { + private static String getError(char c) { return Constant.messages.getString(MESSAGE_PREFIX + "error" + c); } diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java index e68a1949d73..2cda7d20c4c 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PaddingOracleScanRule.java @@ -267,7 +267,7 @@ private String getEmptyValueResponse(String paramName) throws IOException { * @param value the value that need to be checked * @return true if it seems to be encrypted */ - private boolean isEncrypted(byte[] value) { + private static boolean isEncrypted(byte[] value) { // Make sure we have a reasonable sized string // (encrypted strings tend to be long, and short strings tend to break our numbers) diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java index 1c9365068ff..18888009c67 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/PathTraversalScanRule.java @@ -608,7 +608,7 @@ private boolean sendAndCheckPayload( return false; } - private String getContentsToMatch(HttpMessage message) { + private static String getContentsToMatch(HttpMessage message) { return message.getResponseHeader().isHtml() ? StringEscapeUtils.unescapeHtml4(message.getResponseBody().toString()) : message.getResponseHeader().toString() + message.getResponseBody().toString(); @@ -700,7 +700,7 @@ public String match(String contents) { return matchWinDirectories(contents); } - private String matchNixDirectories(String contents) { + private static String matchNixDirectories(String contents) { Pattern procPattern = Pattern.compile("(?:^|\\W)proc(?:\\W|$)", Pattern.CASE_INSENSITIVE); Pattern etcPattern = Pattern.compile("(?:^|\\W)etc(?:\\W|$)", Pattern.CASE_INSENSITIVE); @@ -727,7 +727,7 @@ private String matchNixDirectories(String contents) { return null; } - private String matchWinDirectories(String contents) { + private static String matchWinDirectories(String contents) { if (contents.contains("Windows") && Pattern.compile("Program\\sFiles").matcher(contents).find()) { return "Windows"; diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java index a4405761998..97c5c05b964 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SourceCodeDisclosureWebInfScanRule.java @@ -277,7 +277,7 @@ private HttpMessage createHttpMessage(URI uri) throws HttpMalformedHeaderExcepti * @return * @throws URIException */ - private URI getClassURI(URI hostURI, String classname) throws URIException { + private static URI getClassURI(URI hostURI, String classname) throws URIException { return new URI( hostURI.getScheme() + "://" @@ -288,7 +288,7 @@ private URI getClassURI(URI hostURI, String classname) throws URIException { false); } - private URI getPropsFileURI(URI hostURI, String propsfilename) throws URIException { + private static URI getPropsFileURI(URI hostURI, String propsfilename) throws URIException { return new URI( hostURI.getScheme() + "://" diff --git a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java index e93dad2bf66..8999dd7130f 100644 --- a/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java +++ b/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/Spring4ShellScanRule.java @@ -76,11 +76,11 @@ public String getDescription() { return Constant.messages.getString("ascanrules.spring4shell.desc"); } - private boolean is400Response(HttpMessage msg) { + private static boolean is400Response(HttpMessage msg) { return !msg.getResponseHeader().isEmpty() && msg.getResponseHeader().getStatusCode() == 400; } - private void setGetPayload(HttpMessage msg, String payload) throws URIException { + private static void setGetPayload(HttpMessage msg, String payload) throws URIException { msg.getRequestHeader().setMethod("GET"); URI uri = msg.getRequestHeader().getURI(); String query = uri.getEscapedQuery(); @@ -92,7 +92,7 @@ private void setGetPayload(HttpMessage msg, String payload) throws URIException uri.setEscapedQuery(query); } - private void setPostPayload(HttpMessage msg, String payload) { + private static void setPostPayload(HttpMessage msg, String payload) { msg.getRequestHeader().setMethod("POST"); String body = msg.getRequestBody().toString(); if (body.isEmpty() diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java index bff7b0fbede..24daf07ef57 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/ExternalRedirectScanRuleUnitTest.java @@ -80,11 +80,11 @@ private enum PayloadHandling { CONCAT_PATH }; - private NanoServerHandler createHttpRedirectHandler(String path, String header) { + private static NanoServerHandler createHttpRedirectHandler(String path, String header) { return createHttpRedirectHandler(path, header, PayloadHandling.NEITHER); } - private NanoServerHandler createHttpRedirectHandler( + private static NanoServerHandler createHttpRedirectHandler( String path, String header, PayloadHandling payloadHandling) { return new NanoServerHandler(path) { @Override diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java index 7757fc3ade8..861c1a3021e 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/HiddenFilesScanRuleUnitTest.java @@ -110,7 +110,7 @@ void checkNoPathsHaveLeadingSlash() { } } - private void assertNoLeadingSlash(String message, String path) { + private static void assertNoLeadingSlash(String message, String path) { assertThat(message.replace(REPLACE_TOKEN, path), !path.startsWith("/"), is(true)); } diff --git a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java index f11016f177b..4f42a45b56f 100644 --- a/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java +++ b/addOns/ascanrules/src/test/java/org/zaproxy/zap/extension/ascanrules/XxeScanRuleUnitTest.java @@ -314,7 +314,7 @@ void shouldAlertOnlyIfCertainTagValuesArePresent() assertThat(alert.getConfidence(), equalTo(Alert.CONFIDENCE_MEDIUM)); } - private NanoServerHandler createNanoHandler( + private static NanoServerHandler createNanoHandler( String path, NanoHTTPD.Response.IStatus status, String responseBody) { return new NanoServerHandler(path) { @Override diff --git a/addOns/ascanrulesAlpha/CHANGELOG.md b/addOns/ascanrulesAlpha/CHANGELOG.md index 91c530cc62c..7f9a492ee9b 100644 --- a/addOns/ascanrulesAlpha/CHANGELOG.md +++ b/addOns/ascanrulesAlpha/CHANGELOG.md @@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## Unreleased ### Changed - Update minimum ZAP version to 2.15.0. +- Maintenance changes. ### Fixed - Alert text for various rules has been updated to more consistently use periods and spaces in a uniform manner. diff --git a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java b/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java index c15d6bc3a5a..2263629a46f 100644 --- a/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java +++ b/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java @@ -80,10 +80,6 @@ public String getDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "desc"); } - private String getOtherInfo() { - return Constant.messages.getString(MESSAGE_PREFIX + "other"); - } - @Override public String getSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "soln"); @@ -159,7 +155,7 @@ public void scan(HttpMessage msg, String param, String value) { .setConfidence(Alert.CONFIDENCE_MEDIUM) .setParam(param) .setAttack(attack) - .setOtherInfo(getOtherInfo()) + .setOtherInfo(Constant.messages.getString(MESSAGE_PREFIX + "other")) .setEvidence(evidence) .setMessage(testMsg) .raise(); @@ -194,7 +190,7 @@ private String doesResponseContainString(HttpBody body, String str) { return null; } - private List loadFile(String file) { + private static List loadFile(String file) { /* * ZAP will have already extracted the file from the add-on and put it underneath the 'ZAP home' directory */ diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/BackupFileDisclosureScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/BackupFileDisclosureScanRule.java index bd38f756cae..db8d6ff8cbd 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/BackupFileDisclosureScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/BackupFileDisclosureScanRule.java @@ -426,7 +426,7 @@ public List getExampleAlerts() { .build()); } - private boolean isEmptyResponse(byte[] response) { + private static boolean isEmptyResponse(byte[] response) { return response.length == 0; } diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java index 80e72d88054..8cf6ae1f787 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java @@ -242,7 +242,7 @@ public TreeSet getParams(Source s, List inputTags) { * @param url found in the body of the targeted page * @return a hashmap of the query string */ - private Map> getUrlParameters(String url) { + private static Map> getUrlParameters(String url) { Map> params = new HashMap<>(); if (url != null) { diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/IntegerOverflowScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/IntegerOverflowScanRule.java index 1df32cea8c7..b7660f88fc7 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/IntegerOverflowScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/IntegerOverflowScanRule.java @@ -85,7 +85,7 @@ public String getReference() { return Constant.messages.getString(MESSAGE_PREFIX + "refs"); } - private String getError(char c) { + private static String getError(char c) { return Constant.messages.getString(MESSAGE_PREFIX + "error" + c); } @@ -145,7 +145,7 @@ public Map getAlertTags() { return ALERT_TAGS; } - private String randomIntegerString(int length) { + private static String randomIntegerString(int length) { int numbercounter = 0; int character = 0; @@ -169,7 +169,7 @@ private String randomIntegerString(int length) { return sb1.toString(); } - private String singleString(int length, char c) // Single Character String + private static String singleString(int length, char c) // Single Character String { int numbercounter = 0; @@ -241,7 +241,7 @@ private AlertBuilder buildAlert( .setUri(url) .setParam(param) .setAttack(attack) - .setOtherInfo(this.getError(type)) + .setOtherInfo(IntegerOverflowScanRule.getError(type)) .setEvidence(evidence); } } diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java index 22806d92d88..bf40d0ee843 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/ProxyDisclosureScanRule.java @@ -752,7 +752,7 @@ public void scan() { Constant.messages.getString( MESSAGE_PREFIX + "desc", step2numberOfNodes - 1 + silentProxySet.size())) - .setAttack(getAttack()) + .setAttack(Constant.messages.getString(MESSAGE_PREFIX + "attack")) .setOtherInfo(extraInfo) .setMessage(getBaseMsg()) .raise(); @@ -765,7 +765,7 @@ public void scan() { } } - private String getPath(URI uri) { + private static String getPath(URI uri) { String path = uri.getEscapedPath(); if (path != null) { return path; @@ -773,10 +773,6 @@ private String getPath(URI uri) { return "/"; } - private String getAttack() { - return Constant.messages.getString(MESSAGE_PREFIX + "attack"); - } - @Override public int getRisk() { return Alert.RISK_MEDIUM; diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java index 025ed92afe8..80c018e2ffc 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/RelativePathConfusionScanRule.java @@ -645,7 +645,7 @@ private AlertBuilder buildAlert(String attack, String otherInfo, String evidence .setEvidence(evidence); } - private Matcher matchStyles(String body) { + private static Matcher matchStyles(String body) { // remove all " and ' for proper matching url('somefile.png') String styleBody = body.replaceAll("['\"]", ""); return STYLE_URL_LOAD.matcher(styleBody); diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SessionFixationScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SessionFixationScanRule.java index 921f492f022..2b2796df2d1 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SessionFixationScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SessionFixationScanRule.java @@ -1317,7 +1317,7 @@ private static void logSessionFixation( * @param cookieName * @return the HtmlParameter representing the cookie, or null if no matching cookie was found */ - private HtmlParameter getResponseCookie(HttpMessage message, String cookieName) { + private static HtmlParameter getResponseCookie(HttpMessage message, String cookieName) { TreeSet cookieBackParams = message.getResponseHeader().getCookieParams(); if (cookieBackParams.isEmpty()) { // no cookies diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java index 18126b09cd4..5ee4f58f1cb 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java @@ -212,7 +212,7 @@ private AlertBuilder createAlert(int risk, String otherInfo) { return newAlert().setRisk(risk).setConfidence(Alert.CONFIDENCE_LOW).setOtherInfo(otherInfo); } - private StringBuilder createOtherInfoText( + private static StringBuilder createOtherInfoText( Set cookiesThatMakeADifference, Set cookiesThatDoNOTMakeADifference) { StringBuilder otherInfoBuff = @@ -228,7 +228,7 @@ private StringBuilder createOtherInfoText( return otherInfoBuff; } - private void listCookies(Set cookieSet, StringBuilder otherInfoBuff) { + private static void listCookies(Set cookieSet, StringBuilder otherInfoBuff) { Iterator itYes = cookieSet.iterator(); while (itYes.hasNext()) { formatCookiesList(otherInfoBuff, itYes); @@ -236,7 +236,7 @@ private void listCookies(Set cookieSet, StringBuilder otherInfoBuff) { otherInfoBuff.append(getEOL()); } - private int calculateRisk( + private static int calculateRisk( Set cookiesThatDoNOTMakeADifference, StringBuilder otherInfoBuff) { int riskLevel = Alert.RISK_INFO; for (String cookie : cookiesThatDoNOTMakeADifference) { @@ -252,27 +252,28 @@ private int calculateRisk( return riskLevel; } - private String getSessionDestroyedText(String cookie) { + private static String getSessionDestroyedText(String cookie) { return Constant.messages.getString("ascanbeta.cookieslack.session.destroyed", cookie); } - private String getAffectResponseYes() { + private static String getAffectResponseYes() { return Constant.messages.getString("ascanbeta.cookieslack.affect.response.yes"); } - private String getAffectResponseNo() { + private static String getAffectResponseNo() { return Constant.messages.getString("ascanbeta.cookieslack.affect.response.no"); } - private String getSeparator() { + private static String getSeparator() { return Constant.messages.getString("ascanbeta.cookieslack.separator"); } - private String getEOL() { + private static String getEOL() { return Constant.messages.getString("ascanbeta.cookieslack.endline"); } - private void formatCookiesList(StringBuilder otherInfoBuff, Iterator cookieIterator) { + private static void formatCookiesList( + StringBuilder otherInfoBuff, Iterator cookieIterator) { otherInfoBuff.append(cookieIterator.next()); if (cookieIterator.hasNext()) { @@ -280,7 +281,7 @@ private void formatCookiesList(StringBuilder otherInfoBuff, Iterator coo } } - private String getSessionCookieWarning(String cookie) { + private static String getSessionCookieWarning(String cookie) { return Constant.messages.getString("ascanbeta.cookieslack.session.warning", cookie); } diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureFileInclusionScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureFileInclusionScanRule.java index 2d5b8c7fddd..ed3be4e0fa3 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureFileInclusionScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureFileInclusionScanRule.java @@ -448,7 +448,7 @@ private boolean isEmptyOrTooSimilar(HttpMessage msg, int matchPercentage) { * @param fileExtension * @return */ - private boolean dataMatchesExtension(byte[] data, String fileExtension) { + private static boolean dataMatchesExtension(byte[] data, String fileExtension) { if (fileExtension != null) { if (fileExtension.equals("JSP")) { if (PATTERN_JSP.matcher(new String(data)).find()) return true; @@ -502,7 +502,7 @@ public Map getAlertTags() { * @param b * @return */ - private int calcLengthMatchPercentage(int a, int b) { + private static int calcLengthMatchPercentage(int a, int b) { if (a == 0 && b == 0) return 100; if (a == 0 || b == 0) return 0; diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureGitScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureGitScanRule.java index 3d09aa0fd62..3408532793f 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureGitScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/SourceCodeDisclosureGitScanRule.java @@ -107,7 +107,7 @@ public String getReference() { return VULN.getReferencesAsString(); } - private String getEvidence(String filename, String gitURIs) { + private static String getEvidence(String filename, String gitURIs) { return Constant.messages.getString( "ascanbeta.sourcecodedisclosure.gitbased.evidence", filename, gitURIs); } @@ -158,7 +158,7 @@ public void scan() { * @param fileExtension * @return */ - private boolean dataMatchesExtension(byte[] data, String fileExtension) { + private static boolean dataMatchesExtension(byte[] data, String fileExtension) { if (fileExtension != null) { if (fileExtension.equals("JSP")) { if (PATTERN_JSP.matcher(new String(data)).find()) return true; diff --git a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java index c02435aaf7f..db041d35f3d 100644 --- a/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java +++ b/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/UsernameEnumerationScanRule.java @@ -730,7 +730,7 @@ public String longestCommonSubsequence(String a, String b) { return hirshberg.getLCS(a, b); } - private boolean shouldContinue(List contextList) { + private static boolean shouldContinue(List contextList) { boolean hasAuth = false; for (Context context : contextList) { if (context.getAuthenticationMethod() instanceof FormBasedAuthenticationMethod) { diff --git a/addOns/ascanrulesBeta/src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/CsrfTokenScanRuleUnitTest.java b/addOns/ascanrulesBeta/src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/CsrfTokenScanRuleUnitTest.java index a8ae32fb1a5..bdc1692d360 100644 --- a/addOns/ascanrulesBeta/src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/CsrfTokenScanRuleUnitTest.java +++ b/addOns/ascanrulesBeta/src/test/java/org/zaproxy/zap/extension/ascanrulesBeta/CsrfTokenScanRuleUnitTest.java @@ -370,7 +370,7 @@ public boolean isInScope() { return msg; } - private void setUpHttpSessionsParam() { + private static void setUpHttpSessionsParam() { HttpSessionsParam sessionOptions = new HttpSessionsParam(); sessionOptions.load(new ZapXmlConfiguration()); Model.getSingleton().getOptionsParam().addParamSet(sessionOptions); @@ -385,7 +385,7 @@ private HttpMessage getAntiCSRFCompatibleMessage() throws HttpMalformedHeaderExc + ">"); } - private HtmlParameter getCookieAs(String cookieName) { + private static HtmlParameter getCookieAs(String cookieName) { return new HtmlParameter( HtmlParameter.Type.cookie, cookieName, "FF4F838FDA9E1974DEEB4020AB6127FD"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java index 371cbb2bebb..5dee57c4402 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java @@ -172,7 +172,7 @@ public int getWascId() { return 15; // WASC-15: Application Misconfiguration } - private String getAlertElement(VulnType currentVT, String element) { + private static String getAlertElement(VulnType currentVT, String element) { switch (currentVT) { case XFO_MISSING: return Constant.messages.getString(MESSAGE_PREFIX + "missing." + element); @@ -197,7 +197,7 @@ private String getAlertElement(VulnType currentVT, String element) { * {@code null}. * @see RFC 7034 Section 4 */ - private String getMetaXFOEvidence(Source source) { + private static String getMetaXFOEvidence(Source source) { List metaElements = source.getAllElements(HTMLElementName.META); String httpEquiv; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/BigRedirectsScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/BigRedirectsScanRule.java index 6b8bf77ee8d..8b88ce57f8f 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/BigRedirectsScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/BigRedirectsScanRule.java @@ -100,7 +100,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { * @param redirectURILength the length of the URI in the redirect response Location header * @return predictedResponseSize */ - private int getPredictedResponseSize(int redirectURILength) { + private static int getPredictedResponseSize(int redirectURILength) { int predictedResponseSize = redirectURILength + 300; LOGGER.debug("Original Response Location Header URI Length: {}", redirectURILength); LOGGER.debug("Predicted Response Size: {}", predictedResponseSize); @@ -111,7 +111,7 @@ private AlertBuilder createBaseAlert(String ref) { return newAlert() .setRisk(Alert.RISK_LOW) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setSolution(getSolution()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setCweId(201) .setWascId(13) .setAlertRef(String.valueOf(PLUGIN_ID) + ref); @@ -155,10 +155,6 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java index 065bc3d9d39..dfb3de6b136 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java @@ -213,7 +213,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { // FIX: This will match Atom and RSS feeds now, which set text/html but // use <?xml> in content - private boolean isResponseHTML(HttpMessage message, Source source) { + private static boolean isResponseHTML(HttpMessage message, Source source) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; @@ -224,12 +224,12 @@ private boolean isResponseHTML(HttpMessage message, Source source) { || contentType.indexOf("application/xhtml") != -1; } - private boolean isResponseXML(HttpMessage message, Source source) { + private static boolean isResponseXML(HttpMessage message, Source source) { // Return true if source or response is identified as XML return source.isXML() || message.getResponseHeader().isXml(); } - private String getBodyContentCharset(String bodyContentType) { + private static String getBodyContentCharset(String bodyContentType) { // preconditions assert bodyContentType != null; @@ -303,7 +303,7 @@ public int getWascId() { return 15; // WASC-15: Application Misconfiguration } - private String getExtraInfo( + private static String getExtraInfo( String firstCharset, String secondCharset, MismatchType mismatchType) { String extraInfo = ""; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java index c1d17f2c8cc..7a701544eae 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyMissingScanRule.java @@ -87,7 +87,7 @@ public String getName() { return getAlertAttribute("name"); } - private String getAlertAttribute(String key) { + private static String getAlertAttribute(String key) { return Constant.messages.getString(MESSAGE_PREFIX + key); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRule.java index 679f6c89aec..b942ee339f6 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRule.java @@ -376,7 +376,7 @@ private static boolean allowsUnsafeEval(Policy policy, FetchDirectiveKind source return false; } - private String getCspNoticesString(List notices) { + private static String getCspNoticesString(List notices) { if (notices.isEmpty()) { return ""; } @@ -431,7 +431,7 @@ private static List getNotices( * @param header The header field(s) to be found * @return list of the matched headers */ - private List getHeaderField(HttpMessage msg, String header) { + private static List getHeaderField(HttpMessage msg, String header) { List matchedHeaders = new ArrayList<>(); String headers = msg.getResponseHeader().toString(); String[] headerElements = headers.split("\\r\\n"); @@ -446,7 +446,7 @@ private List getHeaderField(HttpMessage msg, String header) { return matchedHeaders; } - private List getAllowedWildcardSources(String policyText) { + private static List getAllowedWildcardSources(String policyText) { List allowedSources = new ArrayList<>(); Policy pol = Policy.parseSerializedCSP(policyText, PolicyErrorConsumer.ignored); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRule.java index 27c4fbdf7a1..0f289532046 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRule.java @@ -86,7 +86,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { * Determines whether the specified cookie is loosely scoped by * checking it's Domain attribute value against the host */ - private boolean isLooselyScopedCookie(HttpCookie cookie, String host) { + private static boolean isLooselyScopedCookie(HttpCookie cookie, String host) { // preconditions assert cookie != null; assert host != null; @@ -138,7 +138,8 @@ private boolean isLooselyScopedCookie(HttpCookie cookie, String host) { return true; } - private boolean isCookieAndHostHaveTheSameDomain(String[] cookieDomains, String[] hostDomains) { + private static boolean isCookieAndHostHaveTheSameDomain( + String[] cookieDomains, String[] hostDomains) { if (cookieDomains == null || hostDomains == null || cookieDomains[0].equalsIgnoreCase("null") diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRule.java index ef6a7ed81a4..f0d5ebf1faa 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CrossDomainMisconfigurationScanRule.java @@ -137,7 +137,7 @@ private AlertBuilder buildAlert(String header, String corsAllowOriginValue) { return newAlert() .setRisk(getRisk()) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setOtherInfo(Constant.messages.getString(MESSAGE_PREFIX + "extrainfo")) .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) @@ -189,15 +189,6 @@ public int getPluginId() { return 10098; } - /** - * get the description of the alert - * - * @return - */ - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - @Override public List getExampleAlerts() { return List.of( diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRule.java index 4e89306f279..e3332da06da 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRule.java @@ -208,12 +208,12 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { LOGGER.debug("\tScan of record {} took {} ms", id, System.currentTimeMillis() - start); } - private String getExtraInfo(String tokenNamesFlattened, String formDetails) { + private static String getExtraInfo(String tokenNamesFlattened, String formDetails) { return Constant.messages.getString( "pscanrules.noanticsrftokens.alert.extrainfo", tokenNamesFlattened, formDetails); } - private boolean formOnIgnoreList(Element formElement, List ignoreList) { + private static boolean formOnIgnoreList(Element formElement, List ignoreList) { String id = formElement.getAttributeValue("id"); String name = formElement.getAttributeValue("name"); for (String ignore : ignoreList) { diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRule.java index aa3b6b703e3..0b9f1dc89f6 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRule.java @@ -116,10 +116,10 @@ private AlertBuilder buildAlert(String server, String evidence) { .setName(getName()) .setRisk(Alert.RISK_MEDIUM) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setOtherInfo(getExtraInfo(server)) - .setSolution(getSolution()) - .setReference(getReference()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) .setCweId(548) // Information Exposure Through Directory Listing .setWascId(16); // Directory Indexing @@ -140,33 +140,6 @@ public int getPluginId() { return 10033; } - /** - * get the description of the alert - * - * @return - */ - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - /** - * get the solution for the alert - * - * @return - */ - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - /** - * gets references for the alert - * - * @return - */ - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - private static String getExtraInfo(String server) { return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", server); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRule.java index 6e22ba06f25..c5d2ff08a7a 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRule.java @@ -262,9 +262,12 @@ private AlertBuilder buildAlert(String evidence, HashAlert hashAlert) { .setName(getName() + " - " + hashAlert.getDescription()) .setRisk(hashAlert.getRisk()) .setConfidence(hashAlert.getConfidence()) - .setDescription(getDescription() + " - " + hashAlert.getDescription()) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription( + Constant.messages.getString(MESSAGE_PREFIX + "desc") + + " - " + + hashAlert.getDescription()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) .setCweId(200) // Information Exposure, .setWascId(13); // Information Leakage @@ -275,18 +278,6 @@ public int getPluginId() { return 10097; } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HeartBleedScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HeartBleedScanRule.java index 73b09ea89b7..233e7f99175 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HeartBleedScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/HeartBleedScanRule.java @@ -116,10 +116,12 @@ private AlertBuilder buildAlert(String fullVersionString) { return newAlert() .setRisk(Alert.RISK_HIGH) .setConfidence(Alert.CONFIDENCE_LOW) - .setDescription(getDescription()) - .setOtherInfo(getExtraInfo(fullVersionString)) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setOtherInfo( + Constant.messages.getString( + MESSAGE_PREFIX + "extrainfo", fullVersionString)) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(fullVersionString) .setCweId(119) // CWE 119: Failure to Constrain Operations within the Bounds of a // Memory Buffer @@ -131,22 +133,6 @@ public int getPluginId() { return 10034; } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - private String getExtraInfo(String opensslVersion) { - return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", opensslVersion); - } - @Override public Map getAlertTags() { return ALERT_TAGS; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java index 07098091a80..69a79314a72 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRule.java @@ -248,17 +248,17 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { }; // The name of this sub-alert - private String getRefererAlert() { + private static String getRefererAlert() { return Constant.messages.getString(MESSAGE_PREFIX + "referrer.alert"); } // The description of this sub-alert - private String getRefererDescription() { + private static String getRefererDescription() { return Constant.messages.getString(MESSAGE_PREFIX + "referrer.desc"); } // The solution of this sub-alert - private String getRefererSolution() { + private static String getRefererSolution() { return Constant.messages.getString(MESSAGE_PREFIX + "referrer.soln"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRule.java index 5afec2b02b8..7d47ecfca8b 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureDebugErrorsScanRule.java @@ -99,7 +99,7 @@ private String doesResponseContainsDebugErrorMessage(HttpBody body) { return null; } - private List loadFile(Path path) { + private static List loadFile(Path path) { List strings = new ArrayList<>(); BufferedReader reader = null; File f = path.toFile(); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRule.java index 3c05616ae10..a6425df642d 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureInUrlScanRule.java @@ -99,7 +99,7 @@ public void scanHttpRequestSend(HttpMessage msg, int id) { } } - private String getSsnOtherInfo() { + private static String getSsnOtherInfo() { return Constant.messages.getString(MESSAGE_PREFIX + "otherinfo.ssn"); } @@ -190,17 +190,17 @@ public int getPluginId() { return PLUGIN_ID; } - private boolean isEmailAddress(String emailAddress) { + private static boolean isEmailAddress(String emailAddress) { Matcher matcher = emailAddressPattern.matcher(emailAddress); return matcher.find(); } - private boolean isCreditCard(String creditCard) { + private static boolean isCreditCard(String creditCard) { Matcher matcher = creditCardPattern.matcher(creditCard); return matcher.find(); } - private boolean isUsSSN(String usSSN) { + private static boolean isUsSSN(String usSSN) { Matcher matcher = usSSNPattern.matcher(usSSN); return matcher.find(); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRule.java index 9da73283517..835b3cfedd6 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureReferrerScanRule.java @@ -102,11 +102,11 @@ public void scanHttpRequestSend(HttpMessage msg, int id) { } } - private String getSsnOtherInfo() { + private static String getSsnOtherInfo() { return Constant.messages.getString(MESSAGE_PREFIX + "otherinfo.ssn"); } - private boolean isRequestedURLSameDomainAsHTTPReferrer(String host, String referrerURL) { + private static boolean isRequestedURLSameDomainAsHTTPReferrer(String host, String referrerURL) { boolean result = false; if (referrerURL.startsWith("/")) { result = true; @@ -151,7 +151,7 @@ private AlertBuilder buildCcAlert(String evidence, String other, BinRecord binRe .setWascId(getWascId()); } - private String getBinRecString(BinRecord binRec) { + private static String getBinRecString(BinRecord binRec) { StringBuilder recString = new StringBuilder(75); recString .append(Constant.messages.getString(MESSAGE_PREFIX + "bin.field")) @@ -175,7 +175,7 @@ private String getBinRecString(BinRecord binRec) { return recString.toString(); } - private List loadFile(String file) { + private static List loadFile(String file) { List strings = new ArrayList<>(); File f = new File(Constant.getZapHome() + File.separator + file); if (!f.exists()) { @@ -251,7 +251,7 @@ public int getWascId() { return 13; // WASC Id - Info leakage } - private String doesContainEmailAddress(String emailAddress) { + private static String doesContainEmailAddress(String emailAddress) { Matcher matcher = emailAddressPattern.matcher(emailAddress); if (matcher.find()) { return matcher.group(); @@ -259,7 +259,7 @@ private String doesContainEmailAddress(String emailAddress) { return null; } - private String doesContainCreditCard(String creditCard) { + private static String doesContainCreditCard(String creditCard) { Matcher matcher = creditCardPattern.matcher(creditCard); if (matcher.find()) { String candidate = matcher.group(); @@ -270,7 +270,7 @@ private String doesContainCreditCard(String creditCard) { return null; } - private String doesContainUsSSN(String usSSN) { + private static String doesContainUsSSN(String usSSN) { Matcher matcher = usSSNPattern.matcher(usSSN); if (matcher.find()) { return matcher.group(); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java index a512ac12823..e07472d4e8d 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InformationDisclosureSuspiciousCommentsScanRule.java @@ -179,7 +179,7 @@ private static void recordAlertSummary( alertMap.computeIfAbsent(summary.getPattern(), k -> new ArrayList<>()).add(summary); } - private String truncateString(String str) { + private static String truncateString(String str) { if (str.length() > MAX_ELEMENT_CHRS_TO_REPORT) { return str.substring(0, MAX_ELEMENT_CHRS_TO_REPORT); } @@ -205,7 +205,7 @@ private List getPatterns() { return patterns; } - private List initPatterns() { + private static List initPatterns() { List targetPatterns = new ArrayList<>(); for (String payload : payloadProvider.get()) { targetPatterns.add(compilePayload(payload)); @@ -213,7 +213,7 @@ private List initPatterns() { return targetPatterns; } - private Pattern compilePayload(String payload) { + private static Pattern compilePayload(String payload) { return Pattern.compile("\\b" + payload + "\\b", Pattern.CASE_INSENSITIVE); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java index 7140919f5c5..636dfca4b85 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java @@ -71,7 +71,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { } } - private boolean isHttps(HttpMessage msg) { + private static boolean isHttps(HttpMessage msg) { return HttpHeader.HTTPS.equals(msg.getRequestHeader().getURI().getScheme()); } @@ -81,7 +81,7 @@ private boolean isHttps(HttpMessage msg) { // TODO: these methods have been extracted from CharsetMismatchScanner // I think we should create helper methods for them - private boolean isResponseHTML(HttpMessage message, Source source) { + private static boolean isResponseHTML(HttpMessage message, Source source) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; @@ -96,9 +96,9 @@ private AlertBuilder buildAlert(String url, String formElement, String evidence) return newAlert() .setRisk(Alert.RISK_MEDIUM) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescriptionMessage()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setOtherInfo(getExtraInfoMessage(url, formElement)) - .setSolution(getSolutionMessage()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setEvidence(evidence) .setCweId(319) // CWE-319: Cleartext Transmission of Sensitive Information .setWascId(15); // WASC-15: Application Misconfiguration @@ -109,14 +109,6 @@ public int getPluginId() { return 10041; } - private String getDescriptionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolutionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - private static String getExtraInfoMessage(String url, String formElement) { return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", url, formElement); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java index 995ebe573bf..37944493dd9 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java @@ -71,7 +71,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { } } - private boolean isHttps(HttpMessage msg) { + private static boolean isHttps(HttpMessage msg) { String scheme = msg.getRequestHeader().getURI().getScheme(); if ("https".equals(scheme)) { return true; @@ -86,7 +86,7 @@ private boolean isHttps(HttpMessage msg) { // TODO: these methods have been extracted from CharsetMismatchScanner // I think we should create helper methods for them - private boolean isResponseHTML(HttpMessage message, Source source) { + private static boolean isResponseHTML(HttpMessage message, Source source) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; @@ -101,9 +101,9 @@ private AlertBuilder buildAlert(String url, String formElement, String evidence) return newAlert() .setRisk(Alert.RISK_MEDIUM) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescriptionMessage()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setOtherInfo(getExtraInfoMessage(url, formElement)) - .setSolution(getSolutionMessage()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setEvidence(evidence) .setCweId(319) // CWE-319: Cleartext Transmission of Sensitive Information .setWascId(15); // WASC-15: Application Misconfiguration @@ -114,14 +114,6 @@ public int getPluginId() { return 10042; } - private String getDescriptionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolutionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - private static String getExtraInfoMessage(String url, String formElement) { return Constant.messages.getString(MESSAGE_PREFIX + "extrainfo", url, formElement); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java index f80181c3283..40b3ad2cd64 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java @@ -132,7 +132,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { * @return {@code true} if {@code viewState} is cryptographically secure, and {@code false} * otherwise (there might be false positives and false negatives) */ - private boolean isViewStateSecure(String viewState, String charset) { + private static boolean isViewStateSecure(String viewState, String charset) { if (viewState == null || viewState.equals("")) { return true; } @@ -185,7 +185,7 @@ private static byte[] decompress(byte[] value) throws IOException { return output.toByteArray(); } - private boolean isRawViewStateSecure(String viewState) { + private static boolean isRawViewStateSecure(String viewState) { if (viewState == null || viewState.equals("")) { return true; } @@ -217,7 +217,7 @@ private void raiseAlert(HttpMessage msg, int id, String viewState) { // jsf server side implementation in com.sun.faces.renderkit.ServerSideStateHelper // two id's separated by : - private boolean isViewStateStoredOnServer(String val) { + private static boolean isViewStateStoredOnServer(String val) { return val != null && val.contains(":"); } diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRule.java index a0749f64730..7eedbfdbfa1 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRule.java @@ -141,9 +141,9 @@ private AlertBuilder buildAlert(String evidence) { return newAlert() .setRisk(Alert.RISK_MEDIUM) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence); } @@ -177,18 +177,6 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ModernAppDetectionScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ModernAppDetectionScanRule.java index d027328f1c8..c3f261dc44d 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ModernAppDetectionScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ModernAppDetectionScanRule.java @@ -93,9 +93,9 @@ private AlertBuilder buildAlert(String otherInfo, String evidence) { return newAlert() .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setOtherInfo(otherInfo) - .setSolution(getSolution()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setEvidence(evidence); } @@ -104,14 +104,6 @@ public int getPluginId() { return 10109; } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - @Override public List getExampleAlerts() { return List.of( diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PiiScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PiiScanRule.java index 6e1140cedc1..fcb096cf5d3 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PiiScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/PiiScanRule.java @@ -180,7 +180,7 @@ private AlertBuilder createAlert(String evidence, String cardType, BinRecord bin .setWascId(13); // WASC-13: Information Leakage } - private String getBinRecString(BinRecord binRec) { + private static String getBinRecString(BinRecord binRec) { StringBuilder recString = new StringBuilder(75); recString .append(Constant.messages.getString(MESSAGE_PREFIX + "bin.field")) diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRule.java index 91eb6de5a4b..ce479db48e6 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRule.java @@ -137,9 +137,9 @@ private AlertBuilder buildAlert(String evidence, boolean compliant) { return newAlert() .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) // If compliant Other Info: "Age" header implies a HTTP/1.1 compliant cache server. .setOtherInfo( @@ -160,18 +160,6 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/StrictTransportSecurityScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/StrictTransportSecurityScanRule.java index f9e8029e65b..932403e6929 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/StrictTransportSecurityScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/StrictTransportSecurityScanRule.java @@ -193,7 +193,7 @@ public Map getAlertTags() { return ALERT_TAGS; } - private String getAlertElement(VulnType currentVT, String element) { + private static String getAlertElement(VulnType currentVT, String element) { String elementValue = ""; switch (currentVT) { case HSTS_MISSING: @@ -234,7 +234,7 @@ private String getAlertElement(VulnType currentVT, String element) { return elementValue; } - private int getRisk(VulnType currentVT) { + private static int getRisk(VulnType currentVT) { switch (currentVT) { case HSTS_MISSING: case HSTS_MAX_AGE_DISABLED: @@ -259,7 +259,7 @@ private int getRisk(VulnType currentVT) { * return {@code null}. * @see RFC 6797 Section 8.5 */ - private String getMetaHSTSEvidence(Source source) { + private static String getMetaHSTSEvidence(Source source) { List metaElements = source.getAllElements(HTMLElementName.META); String httpEquiv; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java index 51e8531a6d8..034076b1d73 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCharsetScanRule.java @@ -119,7 +119,7 @@ private void checkMetaContentCharset( } // TODO: taken from CharsetMismatchScanner. Extract into helper method - private String getBodyContentCharset(String bodyContentType) { + private static String getBodyContentCharset(String bodyContentType) { // preconditions assert bodyContentType != null; @@ -176,7 +176,7 @@ private void checkContentTypeCharset(HttpMessage msg, int id, Set // TODO: these methods have been extracted from CharsetMismatchScanner // I think we should create helper methods for them - private boolean isResponseHTML(HttpMessage message, Source source) { + private static boolean isResponseHTML(HttpMessage message, Source source) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; @@ -187,7 +187,7 @@ private boolean isResponseHTML(HttpMessage message, Source source) { || contentType.indexOf("application/xhtml") != -1; } - private boolean isResponseXML(Source source) { + private static boolean isResponseXML(Source source) { return source.isXML(); } @@ -195,10 +195,10 @@ private AlertBuilder buildAlert(String tag, String attr, HtmlParameter param, St return newAlert() .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_LOW) - .setDescription(getDescriptionMessage()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setParam(param.getName()) .setOtherInfo(getExtraInfoMessage(tag, attr, param, charset)) - .setSolution(getSolutionMessage()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setCweId(20) // CWE-20: Improper Input Validation .setWascId(20); // WASC-20: Improper Input Handling } @@ -216,15 +216,6 @@ public Map getAlertTags() { /* * Rule-associated messages */ - - private String getDescriptionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolutionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - private static String getExtraInfoMessage( String tag, String attr, HtmlParameter param, String charset) { return Constant.messages.getString( diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCookieScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCookieScanRule.java index f351d641c23..14abffee17e 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCookieScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledCookieScanRule.java @@ -99,7 +99,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { // Cookies are commonly URL encoded, maybe other encodings. // TODO: apply other decodings? htmlDecode, etc. - private String decodeCookie(String cookie, String charset) { + private static String decodeCookie(String cookie, String charset) { if (charset != null) { try { return URLDecoder.decode(cookie, charset); @@ -158,11 +158,11 @@ private AlertBuilder buildAlert(HttpMessage msg, HtmlParameter param, String coo return newAlert() .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_LOW) - .setDescription(getDescriptionMessage()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setParam(param.getName()) .setOtherInfo(getExtraInfoMessage(msg, param, cookie)) - .setSolution(getSolutionMessage()) - .setReference(getReferenceMessage()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setCweId(565) // CWE-565: Reliance on Cookies without Validation and Integrity // Checking .setWascId(20); // WASC-20: Improper Input Handling @@ -178,23 +178,7 @@ public Map getAlertTags() { return ALERT_TAGS; } - /* - * Rule-associated messages - */ - - private String getDescriptionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolutionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReferenceMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - private String getExtraInfoMessage(HttpMessage msg, HtmlParameter param, String cookie) { + private static String getExtraInfoMessage(HttpMessage msg, HtmlParameter param, String cookie) { String introMessage = ""; if ("GET".equalsIgnoreCase(msg.getRequestHeader().getMethod())) { introMessage = Constant.messages.getString(MESSAGE_PREFIX + "extrainfo.get"); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledHTMLAttributesScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledHTMLAttributesScanRule.java index e9d9a2c52f5..dc3393500f8 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledHTMLAttributesScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledHTMLAttributesScanRule.java @@ -232,7 +232,7 @@ private void checkHtmlAttribute( // TODO: these methods have been extracted from CharsetMismatchScanner // I think we should create helper methods for them - private boolean isResponseHTML(HttpMessage message, Source source) { + private static boolean isResponseHTML(HttpMessage message, Source source) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; @@ -252,13 +252,19 @@ private AlertBuilder buildAlert( return newAlert() .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_LOW) - .setDescription(getDescriptionMessage()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setParam(param.getName()) .setOtherInfo( - getExtraInfoMessage( - url, htmlElement, htmlAttribute, param, userControlledValue)) - .setSolution(getSolutionMessage()) - .setReference(getReferenceMessage()) + Constant.messages.getString( + MESSAGE_PREFIX + "extrainfo", + url, + htmlElement, + htmlAttribute, + param.getName(), + param.getValue(), + userControlledValue)) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setCweId(20) // CWE-20: Improper Input Validation .setWascId(20); // WASC-20: Improper Input Handling } @@ -273,34 +279,6 @@ public Map getAlertTags() { return ALERT_TAGS; } - /* - * Rule-associated messages - */ - - private String getDescriptionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolutionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReferenceMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - private String getExtraInfoMessage( - String url, String tag, String attr, HtmlParameter param, String userControlledValue) { - return Constant.messages.getString( - MESSAGE_PREFIX + "extrainfo", - url, - tag, - attr, - param.getName(), - param.getValue(), - userControlledValue); - } - @Override public List getExampleAlerts() { return List.of( diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledJavascriptEventScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledJavascriptEventScanRule.java index 957e0da14d5..8b53b35a881 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledJavascriptEventScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledJavascriptEventScanRule.java @@ -161,7 +161,7 @@ private void checkJavascriptEvent( // TODO: these methods have been extracted from CharsetMismatchScanner // I think we should create helper methods for them - private boolean isResponseHTML(HttpMessage message) { + private static boolean isResponseHTML(HttpMessage message) { String contentType = message.getResponseHeader().getHeader(HttpHeader.CONTENT_TYPE); if (contentType == null) { return false; @@ -177,11 +177,17 @@ private AlertBuilder buildAlert( return newAlert() .setRisk(Alert.RISK_INFO) .setConfidence(Alert.CONFIDENCE_LOW) - .setDescription(getDescriptionMessage()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setParam(param.getName()) - .setOtherInfo(getExtraInfoMessage(url, attribute, attributeValue, param)) - .setSolution(getSolutionMessage()) - .setReference(getReferenceMessage()) + .setOtherInfo( + Constant.messages.getString( + MESSAGE_PREFIX + "extrainfo", + url, + attribute, + attributeValue, + param.getValue())) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setCweId(20) // CWE-20: Improper Input Validation .setWascId(20); // WASC-20: Improper Input Handling } @@ -196,28 +202,6 @@ public Map getAlertTags() { return ALERT_TAGS; } - /* - * Rule-associated messages - */ - - private String getDescriptionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolutionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReferenceMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - private String getExtraInfoMessage( - String url, String attribute, String attributeValue, HtmlParameter param) { - return Constant.messages.getString( - MESSAGE_PREFIX + "extrainfo", url, attribute, attributeValue, param.getValue()); - } - @Override public List getExampleAlerts() { return List.of( diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledOpenRedirectScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledOpenRedirectScanRule.java index 188c6d2f617..c8538fe23c3 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledOpenRedirectScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UserControlledOpenRedirectScanRule.java @@ -138,11 +138,11 @@ private AlertBuilder buildAlert( return newAlert() .setRisk(Alert.RISK_HIGH) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescriptionMessage()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setParam(paramName) .setOtherInfo(getExtraInfoMessage(msg, paramName, paramValue, responseLocation)) - .setSolution(getSolutionMessage()) - .setReference(getReferenceMessage()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setCweId(601) // CWE-601: URL Redirection to Untrusted Site ('Open Redirect') .setWascId(38); // WASC-38: URL Redirector Abuse } @@ -157,23 +157,7 @@ public Map getAlertTags() { return ALERT_TAGS; } - /* - * Rule-associated messages - */ - - private String getDescriptionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolutionMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReferenceMessage() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - private String getExtraInfoMessage( + private static String getExtraInfoMessage( HttpMessage msg, String paramName, String paramValue, String responseLocation) { StringBuilder extraInfoSB = new StringBuilder(); if ("GET".equalsIgnoreCase(msg.getRequestHeader().getMethod())) { diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java index 98994e35363..ee3fcd72906 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/UsernameIdorScanRule.java @@ -118,10 +118,12 @@ private AlertBuilder buildAlert( return newAlert() .setRisk(getRisk()) .setConfidence(Alert.CONFIDENCE_HIGH) - .setDescription(getDescription(username)) - .setOtherInfo(getOtherinfo(hashType, evidence)) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc", username)) + .setOtherInfo( + Constant.messages.getString( + MESSAGE_PREFIX + "otherinfo", hashType, evidence)) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) .setCweId(getCweId()) .setWascId(getWascId()); @@ -153,22 +155,6 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - public String getDescription(String username) { - return Constant.messages.getString(MESSAGE_PREFIX + "desc", username); - } - - public String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - public String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - private String getOtherinfo(String hashType, String hashValue) { - return Constant.messages.getString(MESSAGE_PREFIX + "otherinfo", hashType, hashValue); - } - @Override public Map getAlertTags() { return ALERT_TAGS; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ViewstateScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ViewstateScanRule.java index 2815457d6a4..56e1170898d 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ViewstateScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/ViewstateScanRule.java @@ -89,7 +89,7 @@ private AlertBuilder alertViewstateAnalyzerResult(ViewstateAnalyzerResult var) { .setConfidence(Alert.CONFIDENCE_MEDIUM) .setDescription(var.pattern.getAlertDescription()) .setOtherInfo(var.getResultExtract().toString()) - .setSolution(getSolution()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setCweId(getCweId()) .setWascId(getWascId()) .setAlertRef(PLUGIN_ID + "-" + var.getAlertRef()); @@ -185,10 +185,6 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; @@ -202,7 +198,7 @@ public int getWascId() { return 14; // WASC-14 - Server Misconfiguration } - private Map getHiddenFields(Source source) { + private static Map getHiddenFields(Source source) { List result = source.getAllStartTags("input"); // Searching for name only tags only makes sense for Asp.Net 1.1 websites diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java index be9a905b5b2..2d33dc2b9cc 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XBackendServerInformationLeakScanRule.java @@ -67,8 +67,8 @@ private AlertBuilder createAlert(String evidence) { return newAlert() .setRisk(Alert.RISK_LOW) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription()) - .setSolution(getSolution()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) .setEvidence(evidence) .setCweId(200) .setWascId(13); @@ -84,14 +84,6 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - @Override public Map getAlertTags() { return ALERT_TAGS; diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java index fd4711a7bc5..558824ae5bc 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XChromeLoggerDataInfoLeakScanRule.java @@ -83,19 +83,7 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - - private String getOtherInfo(String headerValue) { + private static String getOtherInfo(String headerValue) { try { byte[] decodedByteArray = Base64.getDecoder().decode(headerValue); return Constant.messages.getString(MESSAGE_PREFIX + "otherinfo.msg") @@ -117,10 +105,10 @@ private AlertBuilder createAlert(String xcldField) { return newAlert() .setRisk(Alert.RISK_MEDIUM) .setConfidence(Alert.CONFIDENCE_HIGH) - .setDescription(getDescription()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) .setOtherInfo(getOtherInfo(xcldField)) - .setSolution(getSolution()) - .setReference(getReference()) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(xcldField) .setCweId(200) .setWascId(13); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java index b09b7dbc543..c418bb3226d 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XDebugTokenScanRule.java @@ -88,7 +88,7 @@ private AlertBuilder buildAlert(String evidence) { * @param header the name of the header field being looked for * @return boolean status of existence */ - private boolean responseHasHeader(HttpMessage msg, String header) { + private static boolean responseHasHeader(HttpMessage msg, String header) { return !msg.getResponseHeader().getHeaderValues(header).isEmpty(); } @@ -99,7 +99,7 @@ private boolean responseHasHeader(HttpMessage msg, String header) { * @param header the name of the header field(s) to be collected * @return list of the matched headers */ - private List getHeaders(HttpMessage msg, String header) { + private static List getHeaders(HttpMessage msg, String header) { List matchedHeaders = new ArrayList<>(); String headers = msg.getResponseHeader().toString(); String[] headerElements = headers.split("\\r\\n"); diff --git a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRule.java b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRule.java index 983d2454934..a68fcad6808 100644 --- a/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRule.java +++ b/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/XPoweredByHeaderInfoLeakScanRule.java @@ -69,7 +69,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { * @param msg Response Http message * @return boolean status of existence */ - private boolean isXPoweredByHeaderExist(HttpMessage msg) { + private static boolean isXPoweredByHeaderExist(HttpMessage msg) { return !msg.getResponseHeader().getHeaderValues(HEADER_NAME).isEmpty(); } @@ -79,7 +79,7 @@ private boolean isXPoweredByHeaderExist(HttpMessage msg) { * @param msg Response Http message * @return list of the matched headers */ - private List getXPoweredByHeaders(HttpMessage msg) { + private static List getXPoweredByHeaders(HttpMessage msg) { List matchedHeaders = new ArrayList<>(); String headers = msg.getResponseHeader().toString(); String[] headerElements = headers.split("\\r\\n"); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java index e7dd549c311..b3e1f1fd107 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentSecurityPolicyScanRuleUnitTest.java @@ -653,15 +653,15 @@ void shouldAlertOnReasonableCspWhichIncludesPrefetchsrc() { is(equalTo("Warnings:\nThe prefetch-src directive has been deprecated\n"))); } - private HttpMessage createHttpMessageWithReasonableCsp(String cspHeaderName) { + private static HttpMessage createHttpMessageWithReasonableCsp(String cspHeaderName) { return createHttpMessage(cspHeaderName, REASONABLE_POLICY); } - private HttpMessage createHttpMessage(String cspPolicy) { + private static HttpMessage createHttpMessage(String cspPolicy) { return createHttpMessage(HttpFieldsNames.CONTENT_SECURITY_POLICY, cspPolicy); } - private HttpMessage createHttpMessage(String cspHeaderName, String cspPolicy) { + private static HttpMessage createHttpMessage(String cspHeaderName, String cspPolicy) { HttpMessage msg = new HttpMessage(); String header = @@ -689,7 +689,7 @@ private HttpMessage createHttpMessage(String cspHeaderName, String cspPolicy) { return msg; } - private HttpMessage createHttpMessage() { + private static HttpMessage createHttpMessage() { HttpMessage msg = new HttpMessage(); try { msg.setRequestHeader("GET https://www.example.com/test/ HTTP/1.1"); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRuleUnitTest.java index 48fb837d3d1..0d5036b5517 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/ContentTypeMissingScanRuleUnitTest.java @@ -40,7 +40,7 @@ protected ContentTypeMissingScanRule createScanner() { return new ContentTypeMissingScanRule(); } - private HttpMessage createMessage() throws HttpMalformedHeaderException { + private static HttpMessage createMessage() throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setRequestHeader("GET https://www.example.com/test/ HTTP/1.1"); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRuleUnitTest.java index d982fcd9d06..6aeb3efcee8 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CookieLooselyScopedScanRuleUnitTest.java @@ -62,7 +62,7 @@ protected CookieLooselyScopedScanRule createScanner() { return rule; } - private HttpMessage createBasicMessage() throws HttpMalformedHeaderException { + private static HttpMessage createBasicMessage() throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setResponseHeader("HTTP/1.1 200 OK\r\n" + "Server: Apache-Coyote/1.1\r\n"); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRuleUnitTest.java index 90e9e5462c7..b5e3482f203 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/CsrfCountermeasuresScanRuleUnitTest.java @@ -461,7 +461,7 @@ void formWithoutAntiCsrfToken() { "
"); } - private HttpMessage createScopedMessage(boolean isInScope) throws URIException { + private static HttpMessage createScopedMessage(boolean isInScope) throws URIException { HttpMessage newMsg = new HttpMessage() { @Override diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRuleUnitTest.java index 3666a88d064..51af0ccd859 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/DirectoryBrowsingScanRuleUnitTest.java @@ -37,7 +37,7 @@ class DirectoryBrowsingScanRuleUnitTest extends PassiveScannerTest { - private HttpMessage createMessage() throws URIException { + private static HttpMessage createMessage() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("http://example.com", false)); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRuleUnitTest.java index 278c10fca07..b32a67dcca3 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/HashDisclosureScanRuleUnitTest.java @@ -177,7 +177,7 @@ public void shouldHaveValidReferences() { super.shouldHaveValidReferences(); } - private HttpMessage createMsg(String hashVal) throws HttpMalformedHeaderException { + private static HttpMessage createMsg(String hashVal) throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setRequestHeader("GET https://www.example.com/test/ HTTP/1.1"); msg.setResponseHeader("HTTP/1.1 200 OK\r\n" + "Server: Apache-Coyote/1.1\r\n"); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRuleUnitTest.java index a336b10c23d..9e7373a71fb 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRuleUnitTest.java @@ -408,11 +408,11 @@ private static void validateAlert(String requestUri, Alert alert) { assertThat(alert.getUri(), equalTo(requestUri)); } - private HttpMessage createHttpMessage(String body) throws HttpMalformedHeaderException { + private static HttpMessage createHttpMessage(String body) throws HttpMalformedHeaderException { return createHttpMessage(URI, body); } - private HttpMessage createHttpMessage(String requestUri, String body) + private static HttpMessage createHttpMessage(String requestUri, String body) throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); requestUri = requestUri.startsWith("http") ? requestUri : "http://" + requestUri; diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRuleUnitTest.java index f7bf99d6a24..732469852ba 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InfoSessionIdUrlScanRuleUnitTest.java @@ -483,7 +483,7 @@ void ignoreExposureToBookmark() throws HttpMalformedHeaderException, URIExceptio assertEquals(1, alertsRaised.size()); } - private void setUpHttpSessionsParam() { + private static void setUpHttpSessionsParam() { OptionsParam options = Model.getSingleton().getOptionsParam(); options.load(new ZapXmlConfiguration()); HttpSessionsParam httpSessions = new HttpSessionsParam(); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRuleUnitTest.java index b01a4d3ee6a..74ee4f81b6a 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRuleUnitTest.java @@ -40,7 +40,7 @@ class InsecureFormLoadScanRuleUnitTest extends PassiveScannerTest { - private HttpMessage createMessage() throws URIException { + private static HttpMessage createMessage() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("http://example.com", false)); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRuleUnitTest.java index 2015f5b042c..e161e9be743 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRuleUnitTest.java @@ -40,7 +40,7 @@ class InsecureFormPostScanRuleUnitTest extends PassiveScannerTest { - private HttpMessage createMessage() throws URIException { + private static HttpMessage createMessage() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("https://example.com", false)); diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRuleUnitTest.java index ae86dd38ee2..ef0894c5bf1 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRuleUnitTest.java @@ -264,7 +264,8 @@ private static byte[] gzipCompress(byte[] value) throws IOException { return output.toByteArray(); } - private void setTextHtmlResponseHeader(HttpMessage msg) throws HttpMalformedHeaderException { + private static void setTextHtmlResponseHeader(HttpMessage msg) + throws HttpMalformedHeaderException { msg.setResponseHeader( "HTTP/1.1 200 OK\r\n" + "Server: Apache-Coyote/1.1\r\n" diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRuleUnitTest.java index ae99a55752b..046b3afabb4 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/LinkTargetScanRuleUnitTest.java @@ -71,7 +71,7 @@ protected LinkTargetScanRule createScanner() { return rule; } - private String getHeader(String contentType, int bodyLength) { + private static String getHeader(String contentType, int bodyLength) { return "HTTP/1.1 200 OK\r\n" + "Content-Type: " + contentType diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/PiiScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/PiiScanRuleUnitTest.java index d6f6b523f97..d7fa17312a5 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/PiiScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/PiiScanRuleUnitTest.java @@ -484,7 +484,7 @@ public void shouldHaveValidReferences() { super.shouldHaveValidReferences(); } - private HttpMessage createMsg(String cardNumber) throws HttpMalformedHeaderException { + private static HttpMessage createMsg(String cardNumber) throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setRequestHeader("GET https://www.example.com/test/ HTTP/1.1"); msg.setResponseHeader( diff --git a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRuleUnitTest.java b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRuleUnitTest.java index b49f01c1192..918609b785b 100644 --- a/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRuleUnitTest.java +++ b/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/RetrievedFromCacheScanRuleUnitTest.java @@ -38,7 +38,7 @@ class RetrievedFromCacheScanRuleUnitTest extends PassiveScannerTest loadFile(String file) { + private static List loadFile(String file) { /* * ZAP will have already extracted the file from the add-on and put it underneath the 'ZAP home' directory */ @@ -161,20 +161,4 @@ public int getPluginId() { public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getOtherInfo() { - return Constant.messages.getString(MESSAGE_PREFIX + "other"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } } diff --git a/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRule.java b/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRule.java index eb84d994601..8aae2333a89 100644 --- a/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRule.java +++ b/addOns/pscanrulesAlpha/src/main/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRule.java @@ -82,27 +82,14 @@ public Map getAlertTags() { return ALERT_TAGS; } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - private AlertBuilder buildAlert(String evidence) { return newAlert() .setConfidence(Alert.CONFIDENCE_LOW) .setRisk(Alert.RISK_LOW) .setEvidence(evidence) - .setDescription(getDescription()) - .setSolution(getSolution()) - .setReference(getReference()) - .setSolution(getSolution()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setWascId(13) // WASC-13 Information Leakage .setCweId(209); // CWE-209: Generation of Error Message Containing Sensitive // Information diff --git a/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FetchMetadataRequestHeadersScanRuleTest.java b/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FetchMetadataRequestHeadersScanRuleTest.java index aca648a79ec..1d28a8d70f5 100644 --- a/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FetchMetadataRequestHeadersScanRuleTest.java +++ b/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FetchMetadataRequestHeadersScanRuleTest.java @@ -229,7 +229,7 @@ protected FetchMetadataRequestHeadersScanRule createScanner() { return new FetchMetadataRequestHeadersScanRule(); } - private String generateRequestForMissingCase(String missingHeader) { + private static String generateRequestForMissingCase(String missingHeader) { switch (missingHeader) { case "Sec-Fetch-Site": return HTTP_METHOD + SFM_VALID_HEADER + SFD_VALID_HEADER + SFU_VALID_HEADER; @@ -248,7 +248,7 @@ private String generateRequestForMissingCase(String missingHeader) { } } - private String generateRequestForInvalidCase(String invalidHeader) { + private static String generateRequestForInvalidCase(String invalidHeader) { switch (invalidHeader) { case "Sec-Fetch-Site": return HTTP_METHOD diff --git a/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRuleUnitTest.java b/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRuleUnitTest.java index 6e356ccfc02..bbd244f6899 100644 --- a/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRuleUnitTest.java +++ b/addOns/pscanrulesAlpha/src/test/java/org/zaproxy/zap/extension/pscanrulesAlpha/FullPathDisclosureScanRuleUnitTest.java @@ -156,7 +156,7 @@ protected FullPathDisclosureScanRule createScanner() { return new FullPathDisclosureScanRule(); } - private HttpMessage createMessage(String body, Integer status) throws URIException { + private static HttpMessage createMessage(String body, Integer status) throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("http://example.com", false)); diff --git a/addOns/pscanrulesBeta/CHANGELOG.md b/addOns/pscanrulesBeta/CHANGELOG.md index 8bfce7a1c1b..2f254b302a8 100644 --- a/addOns/pscanrulesBeta/CHANGELOG.md +++ b/addOns/pscanrulesBeta/CHANGELOG.md @@ -7,6 +7,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ### Fixed - A possible false positive condition with the Dangerous JS Functions scan rule with substrings in certain circumstances (Issue 8553). +### Change +- Maintenance changes. + ## [40] - 2024-07-24 ### Removed - Polyfill scan rule, promoted to release. diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java index dc357fb94df..10855532a8b 100644 --- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java +++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java @@ -692,7 +692,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { } } - private Long extractAgeValue(String directiveToken, int tokenLength) { + private static Long extractAgeValue(String directiveToken, int tokenLength) { int commaLocation = directiveToken.indexOf(",", tokenLength); return Long.parseLong( directiveToken.substring( diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRule.java index 04e8b1b7ce7..bb19492d250 100644 --- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRule.java +++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRule.java @@ -149,9 +149,9 @@ private AlertBuilder buildAlert(String evidence) { return newAlert() .setRisk(Alert.RISK_LOW) .setConfidence(Alert.CONFIDENCE_LOW) - .setDescription(getDescription()) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription(Constant.messages.getString(MESSAGE_PREFIX + "desc")) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) .setCweId(749); // CWE-749: Exposed Dangerous Method or Function } @@ -192,18 +192,6 @@ public String getName() { return Constant.messages.getString(MESSAGE_PREFIX + "name"); } - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } - @Override public int getPluginId() { return PLUGIN_ID; diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRule.java index f37f0c45498..b819007d69e 100644 --- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRule.java +++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/JsoScanRule.java @@ -125,7 +125,7 @@ private AlertBuilder createAlert(String evidence) { .setCweId(502); // CWE-502: Deserialization of Untrusted Data } - private boolean hasJsoMagicSequence(String value) { + private static boolean hasJsoMagicSequence(String value) { return hasJsoBase64MagicSequence(value) || hasUriEncodedMagicSequence(value); } diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRule.java index b35040a49f5..c9516270523 100644 --- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRule.java +++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRule.java @@ -692,9 +692,12 @@ private AlertBuilder createAlert(String programmingLanguage, String evidence) { .setName(getName() + " - " + programmingLanguage) .setRisk(Alert.RISK_MEDIUM) .setConfidence(Alert.CONFIDENCE_MEDIUM) - .setDescription(getDescription() + " - " + programmingLanguage) - .setSolution(getSolution()) - .setReference(getReference()) + .setDescription( + Constant.messages.getString(MESSAGE_PREFIX + "desc") + + " - " + + programmingLanguage) + .setSolution(Constant.messages.getString(MESSAGE_PREFIX + "soln")) + .setReference(Constant.messages.getString(MESSAGE_PREFIX + "refs")) .setEvidence(evidence) .setCweId(540) // Information Exposure Through Source Code .setWascId(13); // WASC-13: Information Leakage @@ -714,16 +717,4 @@ public int getPluginId() { public Map getAlertTags() { return ALERT_TAGS; } - - private String getDescription() { - return Constant.messages.getString(MESSAGE_PREFIX + "desc"); - } - - private String getSolution() { - return Constant.messages.getString(MESSAGE_PREFIX + "soln"); - } - - private String getReference() { - return Constant.messages.getString(MESSAGE_PREFIX + "refs"); - } } diff --git a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SubResourceIntegrityAttributeScanRule.java b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SubResourceIntegrityAttributeScanRule.java index a38e200b832..b7faaf92ae0 100644 --- a/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SubResourceIntegrityAttributeScanRule.java +++ b/addOns/pscanrulesBeta/src/main/java/org/zaproxy/zap/extension/pscanrulesBeta/SubResourceIntegrityAttributeScanRule.java @@ -128,7 +128,7 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) { } } - private String calculateIntegrityHash(HttpMessage msg, Element element, SiteMap tree) { + private static String calculateIntegrityHash(HttpMessage msg, Element element, SiteMap tree) { String src = element.getAttributeValue("src"); if (src == null) { return ""; @@ -155,7 +155,7 @@ private String calculateIntegrityHash(HttpMessage msg, Element element, SiteMap return integrityHash; } - private String getOtherInfo(HttpMessage msg, Element element, SiteMap tree) { + private static String getOtherInfo(HttpMessage msg, Element element, SiteMap tree) { String integrityHash = calculateIntegrityHash(msg, element, tree); if (integrityHash.isEmpty()) { return ""; diff --git a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRuleUnitTest.java b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRuleUnitTest.java index d17a37c8d39..870c7b2b969 100644 --- a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRuleUnitTest.java +++ b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRuleUnitTest.java @@ -45,7 +45,7 @@ */ class CacheableScanRuleUnitTest extends PassiveScannerTest { - private HttpMessage createMessage() throws URIException { + private static HttpMessage createMessage() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setMethod("GET"); requestHeader.setURI(new URI("https://example.com/fred/", false)); @@ -55,7 +55,7 @@ private HttpMessage createMessage() throws URIException { return msg; } - private HttpMessage createMessageBasicAuthorization() throws URIException { + private static HttpMessage createMessageBasicAuthorization() throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setMethod("GET"); requestHeader.setURI(new URI("https://example.com/fred/", false)); diff --git a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRuleUnitTest.java b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRuleUnitTest.java index ef0daceea43..10de1d47bbc 100644 --- a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRuleUnitTest.java +++ b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/InPageBannerInfoLeakScanRuleUnitTest.java @@ -40,7 +40,7 @@ class InPageBannerInfoLeakScanRuleUnitTest extends PassiveScannerTest { - private HttpMessage createMessage(String banner) throws URIException { + private static HttpMessage createMessage(String banner) throws URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); requestHeader.setURI(new URI("http://example.com", false)); diff --git a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRuleUnitTest.java b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRuleUnitTest.java index e308bb8f4e4..87d07769ca7 100644 --- a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRuleUnitTest.java +++ b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/JsFunctionScanRuleUnitTest.java @@ -267,7 +267,8 @@ void shouldReturnExpectedExampleAlert() { assertThat(alert.getConfidence(), is(equalTo(Alert.CONFIDENCE_LOW))); } - private HttpMessage createHttpMessageWithRespBody(String responseBody, String contentType) + private static HttpMessage createHttpMessageWithRespBody( + String responseBody, String contentType) throws HttpMalformedHeaderException, URIException { HttpRequestHeader requestHeader = new HttpRequestHeader(); diff --git a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRuleUnitTest.java b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRuleUnitTest.java index 673bb59a749..29a17cc7c55 100644 --- a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRuleUnitTest.java +++ b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRuleUnitTest.java @@ -222,7 +222,8 @@ private void assertNumberOfAlertsRaised(int expected) { assertEquals(expected, alertsRaised.size()); } - private HttpMessage createHttpMessageFromHtml(String html) throws HttpMalformedHeaderException { + private static HttpMessage createHttpMessageFromHtml(String html) + throws HttpMalformedHeaderException { HttpMessage msg = new HttpMessage(); msg.setRequestHeader("GET " + URI + " HTTP/1.1"); msg.setResponseHeader("HTTP/1.1 200\r\n"); diff --git a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRuleUnitTest.java b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRuleUnitTest.java index abd47568f53..4f56dd483d5 100644 --- a/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRuleUnitTest.java +++ b/addOns/pscanrulesBeta/src/test/java/org/zaproxy/zap/extension/pscanrulesBeta/SourceCodeDisclosureScanRuleUnitTest.java @@ -243,11 +243,11 @@ void shouldHaveExpectedExamples() { assertThat(example.getName(), is(equalTo("Source Code Disclosure - PHP"))); } - private String wrapWithHTML(String code) { + private static String wrapWithHTML(String code) { return CODE_HTML + code + CODE_HTML; } - private void assertAlertAttributes(Alert alert, String evidence, final String language) { + private static void assertAlertAttributes(Alert alert, String evidence, final String language) { assertThat(alert.getRisk(), is(Alert.RISK_MEDIUM)); assertThat(alert.getConfidence(), is(Alert.CONFIDENCE_MEDIUM)); assertThat(alert.getName(), is(getLocalisedString("name") + " - " + language)); @@ -261,7 +261,7 @@ private void assertAlertAttributes(Alert alert, String evidence, final String la assertThat(alert.getWascId(), is(13)); } - private String getLocalisedString(String key, Object... params) { + private static String getLocalisedString(String key, Object... params) { return Constant.messages.getString("pscanbeta.sourcecodedisclosure." + key, params); } }