Address potential classloader performance issues in JS scripts #504

kingthorin · 2025-12-12T16:45:42Z

No description provided.

kingthorin · 2025-12-12T16:46:41Z

Note I used const in all the changes but didn't change/reduce other use of var. I can I just wasn't sure if it should be the same PR.

psiinon · 2025-12-12T16:47:59Z

Checkmarx One – Scan Summary & Details – fc6b0dca-a0ad-49eb-906d-c19efb0bba81

New Issues (5)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
Last User Is 'root'	/docker-wrapper: 10	details Leaving the last user as root can cause security risks. Change to another user after running the commands that need privileges `ID: 48tNdC6UziXyOGUccQZn3tPPzi4%3D`
MAINTAINER Instruction Being Used	/docker-wrapper: 3	details The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you sh... `ID: nlHBIHIr9RZHoVXOgGxJ9hQCHFA%3D`
Unpinned Actions Full Length Commit SHA	/codeql.yml: 31	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... `ID: z89ONTXYaYdPcNUEzfFqPVDqGfU%3D`
Unpinned Actions Full Length Commit SHA	/codeql.yml: 34	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... `ID: wmF9HbZcEd4Px83a0Vg%2BO%2F%2B%2B4BU%3D`
Unpinned Actions Full Length Commit SHA	/codeql.yml: 35	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... `ID: ivv4LqDvobLaIQBf4po7RJO0z9E%3D`

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

kingthorin · 2025-12-16T12:27:32Z

The CX failure is unrelated to the changes.

thc202 · 2025-12-17T18:58:32Z

httpfuzzerprocessor/addCacheBusting.js

@@ -1,12 +1,13 @@
+const HtmlParameter = Java.type("org.parosproxy.paros.network.HtmlParameter");
+const URL_TYPE = org.parosproxy.paros.network.HtmlParameter.Type.url;


Why not Java.type usage?

I wasn't sure if it needed it. I should have commented asking.

It does not need it, but for consistency and good practices.

thc202 · 2025-12-17T18:58:39Z

httpfuzzerprocessor/unexpected_responses.js

 // This script needs Diff add-on

-var DiffTool = Java.type("org.zaproxy.zap.extension.diff.diff_match_patch");
+const DiffTool = Java.type("org.zaproxy.zap.extension.diff.diff_match_patch");


thc202 · 2025-12-17T18:58:44Z

httpsender/Alert on HTTP Response Code Errors.js

-      // Use a regex to extract the evidence from the response header
-      var regex = new RegExp("^HTTP.*" + code);


These unrelated changes should have their respective note in the changelog.

thc202 · 2025-12-17T18:59:06Z

passive/Report non static sites.js

 */
 function appliesToHistoryType(historyType) {
  // For example, to just scan spider messages:
  // return historyType == org.parosproxy.paros.model.HistoryReference.TYPE_SPIDER;


This should be updated as well.

thc202 · 2025-12-17T18:59:09Z

standalone/historySourceTagger.js

 // if they don't already have a tag that starts with TAG_PREFIX as defined below.
 // Author: kingthorin
 // 20160207: Initial release
+// 20251212: Maintenance changes


What does this add?

🤷‍♂️ was just trying to be consistent, happy to drop it (them?)

thc202 · 2025-12-17T18:59:30Z

targeted/json_csrf_poc_generator.js

 // released under the Apache v2.0 license.
 //You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 //Author : @haseebeqx
+const CONTENT_TYPE = Java.type(


I'd have expected the Java.type on the HttpHeader (more common usage and avoids loading the class more than once like in the xml script).

Address potential classloader performance issues

80916f9

Signed-off-by: kingthorin <kingthorin@users.noreply.github.com>

kingthorin force-pushed the adjust-java-type-usage branch from 39d4e87 to 80916f9 Compare December 12, 2025 16:53

kingthorin changed the title ~~Address potential classloader performance issues~~ Address potential classloader performance issues in JS scripts Dec 12, 2025

thc202 reviewed Dec 17, 2025

View reviewed changes

		@@ -1,12 +1,13 @@
		const HtmlParameter = Java.type("org.parosproxy.paros.network.HtmlParameter");
		const URL_TYPE = org.parosproxy.paros.network.HtmlParameter.Type.url;

		// Use a regex to extract the evidence from the response header
		var regex = new RegExp("^HTTP.*" + code);

Uh oh!

Address potential classloader performance issues in JS scripts #504

Are you sure you want to change the base?

Address potential classloader performance issues in JS scripts #504

Uh oh!

Conversation

kingthorin commented Dec 12, 2025

Uh oh!

kingthorin commented Dec 12, 2025

Uh oh!

psiinon commented Dec 12, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kingthorin commented Dec 16, 2025

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

3 participants

psiinon commented Dec 12, 2025 •

edited

Loading