
authhelper: cookie handling tweak + session bug fix #6249

Merged
merged 1 commit into from
Mar 5, 2025

Conversation

psiinon
Member

@psiinon psiinon commented Mar 5, 2025

Overview

  • Bug where some of the data structures were not being reset when the session changed.

Checklist

  • Update help
  • Update changelog
  • Run ./gradlew spotlessApply for code formatting
  • Write tests
  • Check code coverage
  • Sign-off commits
  • Squash commits
  • Use a descriptive title

For more details, please refer to the developer rules and guidelines.

Comment on lines 212 to 232

```java
Map<String, String> trackedCookies =
        Arrays.asList(hbSession.getHttpState().getCookies()).stream()
                .collect(Collectors.toMap(c -> c.getName(), c -> c.getValue()));

List<HttpCookie> cookies = message.getRequestHeader().getHttpCookies();
for (Pair<String, String> header : hbSession.getHeaders()) {
    if (HttpHeader.COOKIE.equalsIgnoreCase(header.first)) {
        // The config value is a single "name=value" pair, not a full Cookie header.
        // Limit the split to 2 so a value that itself contains '=' stays intact.
        String[] kv = header.second.split("=", 2);
        if (!trackedCookies.containsKey(kv[0])) {
            cookies.add(new HttpCookie(kv[0], kv[1]));
        } else {
            LOGGER.debug(
                    "processMessageToMatchSession {} ignoring tracked cookie {} ",
                    message.getRequestHeader().getURI(),
                    kv[0]);
        }
        continue;
    }
```

Member


Shouldn't this use CookieUtils or something instead of kinda re-inventing the wheel so to speak?

Member Author


What part is reinventing the wheel?
It's doing some very specific things here, and I couldn't see any existing code which does the same things.
Very happy to use existing code if you can point out anything suitable 😁

Member


Just the splitting and array handling. I agree it isn't complex code; I just think we already have handling in commonlib. Maybe I'm wrong and not digging enough.

Member Author


The values returned from HttpHeaderBasedSession.getHeaders() are not strictly speaking headers, they are config values. If the first string is HttpHeader.COOKIE then the value should be key=value, not a full cookie header string.
We could use CookieUtils to parse it, but I don't think that's strictly necessary or even strictly correct.
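A stand-alone illustration of the key=value handling discussed in this thread (added here as an example; it is not the zaproxy code under review). The `Pair` record, the `merge` method and the sample config values are assumptions; it shows the tracked-cookie check and the case where a cookie value itself contains `=`, which a plain `split("=")` would truncate.

```java
import java.net.HttpCookie;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example, not zaproxy code. Mirrors the logic under review: a session
// config entry is a (header-name, value) pair and a COOKIE entry carries one
// "name=value" pair, not a full Cookie header string.
public class SessionCookieMerge {
    // Stand-in for the (first, second) pair type used in the snippet.
    record Pair(String first, String second) {}

    // Adds the session's configured cookies to the request's cookie list,
    // skipping any name already tracked in the session state. split("=", 2)
    // keeps a value that itself contains '=' (typical of base64 tokens) intact.
    static List<HttpCookie> merge(
            List<HttpCookie> requestCookies,
            Map<String, String> trackedCookies,
            List<Pair> sessionHeaders) {
        List<HttpCookie> result = new ArrayList<>(requestCookies);
        for (Pair header : sessionHeaders) {
            if (!"Cookie".equalsIgnoreCase(header.first())) {
                continue; // only COOKIE config entries are handled here
            }
            String[] kv = header.second().split("=", 2);
            if (kv.length != 2 || kv[0].isBlank()) {
                continue; // malformed config value: nothing to add
            }
            if (trackedCookies.containsKey(kv[0])) {
                continue; // tracked cookie: the session state is authoritative
            }
            result.add(new HttpCookie(kv[0], kv[1]));
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Map<String, String> tracked = new LinkedHashMap<>();
        tracked.put("JSESSIONID", "abc123");
        List<Pair> config = List.of(
                new Pair("Cookie", "JSESSIONID=old"),    // ignored: tracked
                new Pair("Cookie", "token=dGVzdA=="),     // value contains '='
                new Pair("Authorization", "Bearer x"));  // not a cookie entry
        for (HttpCookie c : merge(new ArrayList<>(), tracked, config)) {
            System.out.println(c.getName() + " -> " + c.getValue());
        }
    }
}
```

Running it prints only `token -> dGVzdA==`: the tracked JSESSIONID entry is skipped and the non-cookie config entry is ignored.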

@psiinon psiinon force-pushed the authhelper-cookie-fix branch from f0bb8b3 to 8b40589 Compare March 5, 2025 16:30
@thc202
Member

thc202 commented Mar 5, 2025

Thank you!

@psiinon
Member Author

psiinon commented Mar 5, 2025

Checkmarx One – Scan Summary & Details a8218448-d5c6-4c6b-a256-344fd8626559

Great job, no security vulnerabilities found in this Pull Request

@kingthorin kingthorin merged commit 24acf38 into zaproxy:main Mar 5, 2025
9 of 10 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Mar 5, 2025