burp-retire-js
ScannerFacade#getFilename not working properly on Windows
The ScannerFacade#getFilename method uses a hard-coded '/' as path separator, causing the method not to work properly on Windows, as Windows uses backslashes as path separator.
```java
// Current implementation: only '/' is recognised as a separator, and when
// none is found lastSlash is reset to 0, so substring(1) drops the first
// character of the path instead of returning the whole string.
private static String getFilename(String path) {
    int lastSlash = path.lastIndexOf('/');
    if(lastSlash < 0) lastSlash = 0;
    return path.substring(lastSlash+1);
}
```
In this code, the lastSlash variable will always be 0, as a Windows path (or filename) cannot contain forward slashes. It probably should use something like File.pathSeparator instead of the hard-coded '/'.
In which context (Burp, ZAP or Maven) are you getting the bug? I assume it must be with the Maven integration.
@h3xstream Sorry for taking that long to respond; only seeing your question now.
This happens to me when I run the DependencyCheck Gradle plugin on my project. Retirejs is unable to parse the filename/version number for one of my dependencies correctly because of this, leading to a false positive.
To be more specific: when com.h3xstream.retirejs.repo.ScannerFacade#getFilename is handed a path like c:\a\b\123\myapp\libs\somelib.min.js, it returns :\a\b\123\myapp\libs\somelib.min.js. Subsequently VulnerabilitiesRepository#findByFileName wrongfully assumes the library version is 123.
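The behaviour reported above, reproduced side by side with a separator-agnostic replacement, as an added example that is not code from the retire.js project or from either commenter; the method names, the fixed variant (matching both '/' and '\\' rather than relying on a host-specific constant) and the sample paths are assumptions and constructed inputs.

```java
import java.util.Arrays;
import java.util.List;

public class FilenameExtractionDemo {

    // Verbatim logic from the issue, kept to show the failure: only '/' is
    // recognised, and when no '/' is present lastSlash becomes 0, so the
    // first character of the path is dropped rather than the whole path kept.
    static String getFilenameOriginal(String path) {
        int lastSlash = path.lastIndexOf('/');
        if (lastSlash < 0) lastSlash = 0;
        return path.substring(lastSlash + 1);
    }

    // Proposed replacement (assumption, not the project's committed fix).
    // Scanned paths may originate on another OS or inside an archive, so
    // both separators are accepted regardless of the host. Note that
    // File.separator is the name separator; File.pathSeparator (suggested in
    // the issue) is the delimiter between entries of a PATH-style list.
    static String getFilenameFixed(String path) {
        int lastSep = Math.max(path.lastIndexOf('/'), path.lastIndexOf('\\'));
        return path.substring(lastSep + 1);   // whole string when no separator
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the first is the path from the issue,
        // whose "123" directory is what gets misread as a library version.
        List<String> samples = Arrays.asList(
            "c:\\a\\b\\123\\myapp\\libs\\somelib.min.js",
            "/srv/app/static/js/somelib-1.2.3.min.js",
            "somelib.min.js");
        for (String p : samples) {
            System.out.println("input:    " + p);
            System.out.println("original: " + getFilenameOriginal(p));
            System.out.println("fixed:    " + getFilenameFixed(p));
        }
    }
}
```

For the Windows sample the original variant prints `:\a\b\123\myapp\libs\somelib.min.js`, exactly as reported, while the fixed variant yields `somelib.min.js`, so the version lookup no longer sees the `123` directory component.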