
ascanrules: Address SSTI false positive

Open · kingthorin opened this pull request 1 year ago · 3 comments

Overview

  • CHANGELOG > Fix note
  • SstiScanRule > Adjust logic to prevent False Positives.
  • SstiScanRuleUnitTest > Updated for adjusted logic.

Related Issues

  • Fixes zaproxy/zaproxy#8622

Checklist

  • [na] Update help
  • [x] Update changelog
  • [x] Run ./gradlew spotlessApply for code formatting
  • [x] Write tests
  • [x] Check code coverage
  • [x] Sign-off commits
  • [x] Squash commits
  • [x] Use a descriptive title

kingthorin · Oct 09 '24 13:10

Have you tested this against the "Websites Vulnerable to SSTI" app?

psiinon · Oct 09 '24 14:10

Yup, sorry I meant to mention that. Yes I did grab the docker image and test before/after. Everything is still found that was originally.

kingthorin · Oct 09 '24 14:10

Tweaked and de-conflicted.

kingthorin · Oct 14 '24 12:10

Would love to see this merged. This is something we're still seeing quite frequently, and it looks like @kingthorin has done the work to solve it.

rbliss · Dec 12 '24 18:12

Pending comments and needs rebase.

thc202 · Dec 12 '24 18:12

Checkmarx One – Scan Summary & Details 7754e854-a0df-4e0a-af58-c7c2c15b9a8a

Fixed Issues

Severity   Issue              Source File / Package
HIGH       Cx89601373-08db    Npm-debug-3.2.7
HIGH       Cx89601373-08db    Npm-debug-2.6.9

psiinon · Dec 12 '24 20:12

Thank you!

@psiinon do you want to check again?

thc202 · Dec 13 '24 06:12