Merge pull request #5915 from thc202/value-provider

Move `ValueGenerator` from core and rename it
zaproxy · Nov 14, 2024 · 651c280 · 651c280
2 parents 9cfe4f8 + d38b4c5
commit 651c280
Show file tree

Hide file tree

Showing 48 changed files with 513 additions and 385 deletions.
diff --git a/addOns/commonlib/CHANGELOG.md b/addOns/commonlib/CHANGELOG.md
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## Unreleased
 ### Changed
 - Dependency updates.
+- Let the Value Generator add-on provide the custom values through this add-on (Issue 8016).
 
 ## [1.28.0] - 2024-09-24
 ### Changed

diff --git a/addOns/commonlib/commonlib.gradle.kts b/addOns/commonlib/commonlib.gradle.kts
@@ -14,21 +14,6 @@ zapAddOn {
             baseName.set("help%LC%.helpset")
             localeToken.set("%LC%")
         }
-
-        extensions {
-            register("org.zaproxy.addon.commonlib.formhandler.ExtensionCommonlibFormHandler") {
-                classnames {
-                    allowed.set(listOf("org.zaproxy.addon.commonlib.formhandler"))
-                }
-                dependencies {
-                    addOns {
-                        register("formhandler") {
-                            version.set(">=6.0.0 & < 7.0.0")
-                        }
-                    }
-                }
-            }
-        }
     }
 }
 
@@ -40,8 +25,6 @@ crowdin {
 }
 
 dependencies {
-    zapAddOn("formhandler")
-
     api(platform("com.fasterxml.jackson:jackson-bom:2.17.0"))
     api("com.fasterxml.jackson.core:jackson-databind")
     api("com.fasterxml.jackson.dataformat:jackson-dataformat-xml")

diff --git a/addOns/commonlib/src/main/java/org/zaproxy/addon/commonlib/DefaultValueProvider.java b/addOns/commonlib/src/main/java/org/zaproxy/addon/commonlib/DefaultValueProvider.java
@@ -0,0 +1,164 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2024 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.commonlib;
+
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.List;
+import java.util.Map;
+import net.htmlparser.jericho.FormControlType;
+import org.apache.commons.httpclient.URI;
+
+/**
+ * Default implementation of the {@link ValueProvider}.
+ *
+ * <p>Generally it should not be used directly it should be used the one from {@link
+ * ExtensionCommonlib#getValueProvider()}.
+ *
+ * @since 1.29.0
+ */
+public class DefaultValueProvider implements ValueProvider {
+
+    private static final String ATTR_TYPE = "type";
+    private static final String DEFAULT_NUMBER_VALUE = "1";
+    private static final String DEFAULT_TEXT_VALUE =
+            org.parosproxy.paros.Constant.PROGRAM_NAME_SHORT;
+    private static final String DEFAULT_PASS_VALUE = DEFAULT_TEXT_VALUE;
+    private static final String DEFAULT_FILE_VALUE = "test_file.txt";
+    private static final String DEFAULT_EMPTY_VALUE = "";
+
+    private Date defaultDate;
+
+    /**
+     * Gets the default {@code Date}, to be used for default values of date fields.
+     *
+     * @return the date, never {@code null}.
+     * @see #setDefaultDate(Date)
+     */
+    public Date getDefaultDate() {
+        if (defaultDate == null) {
+            return new Date();
+        }
+        return defaultDate;
+    }
+
+    public void setDefaultDate(Date date) {
+        this.defaultDate = date;
+    }
+
+    /**
+     * Generates accurate field values for following types:
+     *
+     * <ul>
+     *   <li>Text/Password/Search - DEFAULT_TEXT_VALUE
+     *   <li>number/range - if min is defined, then use min. If max is defined use max, otherwise
+     *       DEFAULT_NUMBER_VALUE
+     *   <li>url - http://www.example.com
+     *   <li>email - [email protected]
+     *   <li>color - #ffffff
+     *   <li>tel - 9999999999
+     *   <li>date/datetime/time/month/week/datetime-local - current date in the proper format
+     *   <li>file - DEFAULT_FILE_VALUE
+     * </ul>
+     *
+     * @return the default String value for each control type
+     */
+    @Override
+    public String getValue(
+            URI uri,
+            String url,
+            String fieldId,
+            String defaultValue,
+            List<String> definedValues,
+            Map<String, String> envAttributes,
+            Map<String, String> fieldAttributes) {
+
+        // If there is a default value provided, return it
+        if (!defaultValue.isEmpty()) {
+            return defaultValue;
+        }
+
+        if (fieldAttributes.get("Control Type").equalsIgnoreCase(FormControlType.TEXT.toString())) {
+            // Converted FormControlType to String to allow for case insensitive comparison
+            // If the control type was reduced to a TEXT type by the Jericho library, check the
+            // HTML5 type and use proper values
+            String type = fieldAttributes.get(ATTR_TYPE);
+            if (type == null || type.equalsIgnoreCase("text")) {
+                return DEFAULT_TEXT_VALUE;
+            }
+            if (type.equalsIgnoreCase("number") || type.equalsIgnoreCase("range")) {
+                String min = fieldAttributes.get("min");
+                if (min != null) {
+                    return min;
+                }
+                String max = fieldAttributes.get("max");
+                if (max != null) {
+                    return max;
+                }
+                return DEFAULT_NUMBER_VALUE;
+            }
+            if (type.equalsIgnoreCase("url")) {
+                return "http://www.example.com";
+            }
+            if (type.equalsIgnoreCase("email")) {
+                return "[email protected]";
+            }
+            if (type.equalsIgnoreCase("color")) {
+                return "#ffffff";
+            }
+            if (type.equalsIgnoreCase("tel")) {
+                return "9999999999";
+            }
+            if (type.equalsIgnoreCase("datetime")) {
+                SimpleDateFormat format = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
+                return format.format(getDefaultDate());
+            }
+            if (type.equalsIgnoreCase("datetime-local")) {
+                SimpleDateFormat format = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss");
+                return format.format(getDefaultDate());
+            }
+            if (type.equalsIgnoreCase("date")) {
+                SimpleDateFormat format = new SimpleDateFormat("yyyy-MM-dd");
+                return format.format(getDefaultDate());
+            }
+            if (type.equalsIgnoreCase("time")) {
+                SimpleDateFormat format = new SimpleDateFormat("HH:mm:ss");
+                return format.format(getDefaultDate());
+            }
+            if (type.equalsIgnoreCase("month")) {
+                SimpleDateFormat format = new SimpleDateFormat("yyyy-MM");
+                return format.format(getDefaultDate());
+            }
+            if (type.equalsIgnoreCase("week")) {
+                SimpleDateFormat format = new SimpleDateFormat("yyyy-'W'ww");
+                return format.format(getDefaultDate());
+            }
+        } else if (fieldAttributes
+                .get("Control Type")
+                .equalsIgnoreCase(FormControlType.PASSWORD.toString())) {
+            return DEFAULT_PASS_VALUE;
+        } else if (fieldAttributes
+                .get("Control Type")
+                .equalsIgnoreCase(FormControlType.FILE.toString())) {
+            return DEFAULT_FILE_VALUE;
+        }
+        return DEFAULT_EMPTY_VALUE;
+    }
+}
diff --git a/addOns/commonlib/src/main/java/org/zaproxy/addon/commonlib/ExtensionCommonlib.java b/addOns/commonlib/src/main/java/org/zaproxy/addon/commonlib/ExtensionCommonlib.java
@@ -30,12 +30,11 @@
 import org.parosproxy.paros.model.Session;
 import org.zaproxy.addon.commonlib.internal.vulns.LegacyVulnerabilities;
 import org.zaproxy.addon.commonlib.ui.ProgressPanel;
-import org.zaproxy.zap.model.DefaultValueGenerator;
 import org.zaproxy.zap.model.ValueGenerator;
 
 public class ExtensionCommonlib extends ExtensionAdaptor {
 
-    private static final ValueGenerator DEFAULT_VALUE_GENERATOR = new DefaultValueGenerator();
+    private static final ValueProvider DEFAULT_VALUE_PROVIDER = new DefaultValueProvider();
 
     private ValueGenerator valueGeneratorImpl;
 
@@ -58,7 +57,38 @@ public class ExtensionCommonlib extends ExtensionAdaptor {
                             envAttributes,
                             fieldAttributes);
                 }
-                return DEFAULT_VALUE_GENERATOR.getValue(
+                return DEFAULT_VALUE_PROVIDER.getValue(
+                        uri,
+                        url,
+                        fieldId,
+                        defaultValue,
+                        definedValues,
+                        envAttributes,
+                        fieldAttributes);
+            };
+
+    private ValueProvider valueProviderImpl;
+
+    private final ValueProvider valueProviderWrapper =
+            (URI uri,
+                    String url,
+                    String fieldId,
+                    String defaultValue,
+                    List<String> definedValues,
+                    Map<String, String> envAttributes,
+                    Map<String, String> fieldAttributes) -> {
+                var local = valueProviderImpl;
+                if (local != null) {
+                    return local.getValue(
+                            uri,
+                            url,
+                            fieldId,
+                            defaultValue,
+                            definedValues,
+                            envAttributes,
+                            fieldAttributes);
+                }
+                return DEFAULT_VALUE_PROVIDER.getValue(
                         uri,
                         url,
                         fieldId,
@@ -118,17 +148,35 @@ public String getUIName() {
      * Gets the value generator.
      *
      * @return the value generator, never {@code null}.
-     * @since 2.17.0
+     * @since 1.17.0
+     * @deprecated (1.29.0) Use {@link #getValueProvider()} instead, to stop using core interface.
      */
+    @Deprecated(since = "1.29.0", forRemoval = true)
     public ValueGenerator getValueGenerator() {
         return valueGeneratorWrapper;
     }
 
+    /**
+     * Gets the value generator.
+     *
+     * @return the value generator, never {@code null}.
+     * @since 1.29.0
+     */
+    public ValueProvider getValueProvider() {
+        return valueProviderWrapper;
+    }
+
     /** <strong>Note:</strong> Not part of the public API. */
+    @Deprecated(forRemoval = true)
     public void setCustomValueGenerator(ValueGenerator generator) {
         this.valueGeneratorImpl = generator;
     }
 
+    /** <strong>Note:</strong> Not part of the public API. */
+    public void setCustomValueProvider(ValueProvider provider) {
+        this.valueProviderImpl = provider;
+    }
+
     private class SessionChangedListenerImpl implements SessionChangedListener {
 
         @Override

diff --git a/addOns/commonlib/src/main/java/org/zaproxy/addon/commonlib/ValueProvider.java b/addOns/commonlib/src/main/java/org/zaproxy/addon/commonlib/ValueProvider.java
@@ -0,0 +1,53 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2024 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.addon.commonlib;
+
+import java.util.List;
+import java.util.Map;
+import org.apache.commons.httpclient.URI;
+
+/**
+ * A provider of values.
+ *
+ * @since 1.29.0
+ * @see ExtensionCommonlib#getValueProvider()
+ */
+public interface ValueProvider {
+
+    /**
+     * Gets a value for the given field name.
+     *
+     * @param uri the uri
+     * @param url the resolved URL
+     * @param fieldId the name associated with the current field
+     * @param defaultValue the value of 'value attribute' if it has one
+     * @param definedValues the predefined values for the field, if present
+     * @param envAttributes all attributes of the current form
+     * @param fieldAttributes all attributes of the current field
+     */
+    String getValue(
+            URI uri,
+            String url,
+            String fieldId,
+            String defaultValue,
+            List<String> definedValues,
+            Map<String, String> envAttributes,
+            Map<String, String> fieldAttributes);
+}