retire.js: Ignore video responses

To avoid things like:
"353477 [ZAP-PassiveScan-1] WARN
org.zaproxy.zap.extension.pscan.PassiveScanTask - Passive Scan rule
Vulnerable JS Library (Powered by Retire.js) took 6 seconds to scan
https://juice-shop.herokuapp.com/video?__ecma.String= video/mp4
10075518"

- CHANGELOG > Add change note.
- RetireScanRule > Skip responses that have a "video" related content
type.
- RetireScanRuleUnitTest > Updated to assert the latest behavior,
example alert, and valid references

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

addOns/retire/CHANGELOG.md

@@ -4,26 +4,21 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Changed
+- Will no longer evaluate responses with a "video" related content type.
 
 ## [0.29.0] - 2024-01-03
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.28.0] - 2023-12-04
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.27.0] - 2023-11-03
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.26.0] - 2023-10-12
 ### Changed
 - Update minimum ZAP version to 2.14.0.
@@ -39,26 +34,18 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Update minimum ZAP version to 2.13.0.
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.23.0] - 2023-06-02
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.22.0] - 2023-05-03
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.21.0] - 2023-04-04
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.20.0] - 2023-03-03
 ### Changed
 - Updated with upstream retire.js pattern changes.
@@ -73,14 +60,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.17.0] - 2022-11-14
 ### Changed
 - Updated with upstream retire.js pattern changes.
 
-
-
 ## [0.16.0] - 2022-10-27
 ### Changed
 - Update minimum ZAP version to 2.12.0.

addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java

@@ -61,16 +61,15 @@ public int getPluginId() {
 
     @Override
     public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
-        if (!getHelper().isPage200(msg) || getRepo() == null) {
-            return;
-        }
-        String uri = msg.getRequestHeader().getURI().toString();
-        if (!ResourceIdentificationUtils.isImage(msg) && !ResourceIdentificationUtils.isCss(msg)) {
-            Repo scanRepo = getRepo();
+        Repo scanRepo = getRepo();
+        if (!getHelper().isPage200(msg) || scanRepo == null) {
             if (scanRepo == null) {
                 LOGGER.error("\tThe Retire.js repository was null.");
-                return;
             }
+            return;
+        }
+        String uri = msg.getRequestHeader().getURI().toString();
+        if (!ResourceIdentificationUtils.isImage(msg) && !ResourceIdentificationUtils.isCss(msg) && !msg.getResponseHeader().hasContentType("video")) {
             Result result = scanRepo.scanJS(msg, source);
             if (result == null) {
                 LOGGER.debug("\tNo vulnerabilities found in record {} with URL {}", id, uri);

addOns/retire/src/test/java/org/zaproxy/addon/retire/RetireScanRuleUnitTest.java

@@ -27,12 +27,15 @@
 import static org.mockito.Mockito.any;
 
 import java.io.IOException;
+import java.util.List;
 import java.util.Map;
 import org.apache.commons.httpclient.URI;
 import org.apache.commons.httpclient.URIException;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
 import org.junit.jupiter.params.provider.ValueSource;
+import org.parosproxy.paros.core.scanner.Alert;
 import org.parosproxy.paros.network.HttpHeader;
 import org.parosproxy.paros.network.HttpMalformedHeaderException;
 import org.parosproxy.paros.network.HttpMessage;
@@ -77,11 +80,12 @@ void shouldIgnoreCssUrl() {
         assertEquals(0, alertsRaised.size());
     }
 
-    @Test
-    void shouldIgnoreCssResponse() {
+    @ParameterizedTest
+    @CsvSource({"text/css, .css", "text/css, .scss", "video/mp4, .mp4", "text/css, ''"})
+    void shouldIgnoreCertainResponseContentTypes(String contentType, String fileExt) {
         // Given
-        HttpMessage msg = createMessage("https://www.example.com/assets/styles.scss", null);
-        msg.getResponseHeader().addHeader(HttpHeader.CONTENT_TYPE, "text/css");
+        HttpMessage msg = createMessage("https://www.example.com/assets/styles" + fileExt, null);
+        msg.getResponseHeader().addHeader(HttpHeader.CONTENT_TYPE, contentType);
         given(passiveScanData.isPage200(any())).willReturn(true);
         // When
         scanHttpResponseReceive(msg);
@@ -212,6 +216,20 @@ void shouldReturnExpectedMappings() {
                 is(equalTo(CommonAlertTag.OWASP_2017_A09_VULN_COMP.getValue())));
     }
 
+    @Test
+    void shouldHaveExpectedExampleAlert() {
+        // Given / When
+        List<Alert> alerts = rule.getExampleAlerts();
+        // Then
+        assertThat(alerts.size(), is(equalTo(1)));
+    }
+
+    @Test
+    @Override
+    public void shouldHaveValidReferences() {
+        super.shouldHaveValidReferences();
+    }
+
     private HttpMessage createMessage(String url, String body) {
         HttpMessage msg = new HttpMessage();
         if (url == null) {