ascanrules: refactor expression and boolean based sqli to use ComparableResponse #5974
+753
−307
Overview
Start using ComparableResponse for expression based and boolean based sql injection response comparisons. Use a custom comparison function that is very close to the previous comparison*. The reasoning for this is to not couple this refactor to new logic that risks introducing false positives/negatives. I'll send separate PRs for adding some heuristics that handle existing false positive cases that I know of and it should be easy for any ZAP contributor to make further improvements to the heuristics.
This change is on top of #5867 and #5797 which add unit tests to ensure the existing behavior is not broken. After those are merged, I'll rebase, squash, and signoff the final commit here.
unstripped1 == unstripped2
then strip(unstripped1, param1, param2) == strip(unstripped2, param1, param2)
the 3 inputs to the strip function are exactly the same in both cases so the results must be the same too.
Related Issues
zaproxy/zaproxy#8652
Checklist
./gradlew spotlessApply for code formatting
For more details, please refer to the developer rules and guidelines.